docker-compose/proxy/compose.yaml

services:
  traefik:
    image: ${PROXY_DOCKER_IMAGE}
    container_name: ${PROXY_COMPOSE_PROJECT_NAME}_app
    restart: unless-stopped
    command:
      # API & Dashboard
      - '--api.dashboard=true'
      - '--api.insecure=false'

      # Logging
      - '--log.level=${PROXY_LOG_LEVEL:-INFO}'
      - '--accesslog=true'

      # Global
      - '--global.sendAnonymousUsage=false'
      - '--global.checkNewVersion=true'

      # Docker Provider
      - '--providers.docker=true'
      - '--providers.docker.exposedbydefault=false'
      - '--providers.docker.network=${NETWORK_NAME}'

      # File Provider for dynamic configuration
      - '--providers.file.directory=/etc/traefik/dynamic'
      - '--providers.file.watch=true'

      # Entrypoints
      - '--entrypoints.web.address=:${PROXY_PORT_HTTP:-80}'
      - '--entrypoints.web-secure.address=:${PROXY_PORT_HTTPS:-443}'

      # Global HTTP to HTTPS redirect
      - '--entrypoints.web.http.redirections.entryPoint.to=web-secure'
      - '--entrypoints.web.http.redirections.entryPoint.scheme=https'
      - '--entrypoints.web.http.redirections.entryPoint.permanent=true'

      # TLS Security Options
      - '--entrypoints.web-secure.http.tls.options=default@file'
      - '--entrypoints.web-secure.http.middlewares=security-headers@file'

      # Let's Encrypt
      - '--certificatesresolvers.resolver.acme.tlschallenge=true'
      - '--certificatesresolvers.resolver.acme.email=${ADMIN_EMAIL}'
      - '--certificatesresolvers.resolver.acme.storage=/letsencrypt/acme.json'

    healthcheck:
      test: ["CMD", "traefik", "healthcheck", "--ping"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s

    networks:
      - compose_network

    ports:
      - "${PROXY_PORT_HTTP:-80}:80"
      - "${PROXY_PORT_HTTPS:-443}:443"

    volumes:
      - letsencrypt_data:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./dynamic:/etc/traefik/dynamic:ro
      - ./auth/.htpasswd:/etc/traefik/.htpasswd:ro

    labels:
      - 'traefik.enable=true'
      # Dashboard router
      - 'traefik.http.routers.${PROXY_COMPOSE_PROJECT_NAME}-dashboard.rule=Host(`${PROXY_TRAEFIK_HOST}`)'
      - 'traefik.http.routers.${PROXY_COMPOSE_PROJECT_NAME}-dashboard.entrypoints=web-secure'
      - 'traefik.http.routers.${PROXY_COMPOSE_PROJECT_NAME}-dashboard.tls.certresolver=resolver'
      - 'traefik.http.routers.${PROXY_COMPOSE_PROJECT_NAME}-dashboard.service=api@internal'
      - 'traefik.http.routers.${PROXY_COMPOSE_PROJECT_NAME}-dashboard.middlewares=dashboard-auth@file'
volumes:
  letsencrypt_data:
    name: ${PROXY_COMPOSE_PROJECT_NAME}_letsencrypt_data