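# Edge reverse proxy (Traefik) with a CrowdSec bouncer plugin and an Authelia
# forward-auth middleware, plus the CrowdSec agent that reads Traefik's access
# log. CROWDSEC_BOUNCER_KEY must be supplied by the environment (or an env
# file); the stack refuses to start without it.
services:
  traefik:
    image: traefik:v3.6
    container_name: traefik
    depends_on:
      - crowdsec
    command:
      # api.insecure=false means the dashboard is NOT served on :8080. It is
      # only reachable through a router bound to api@internal; none is defined
      # in this file, so add one (behind authelia-auth) if the dashboard is
      # actually wanted.
      - "--api.dashboard=true"
      - "--api.insecure=false"
      # Required by the container healthcheck below (`traefik healthcheck
      # --ping`); without it the /ping endpoint does not exist and the
      # container is permanently reported unhealthy.
      - "--ping=true"
      - "--providers.docker=true"
      # Containers must opt in with traefik.enable=true before being routed.
      - "--providers.docker.exposedbydefault=false"
      # Plugin is fetched at startup; keep the version pinned.
      - "--experimental.plugins.crowdsec-bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
      - "--experimental.plugins.crowdsec-bouncer.version=v1.4.2"
      # Access log is the detection input for CrowdSec (shared via ./logs).
      - "--accesslog=true"
      - "--accesslog.filepath=/var/log/traefik/access.log"
      # - "--entrypoints.https.address=:443"
      # Entrypoints
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.mqtt-secure.address=:8883"
      # The bouncer is an HTTP middleware: it covers every router on
      # websecure, but not the mqtt-secure entrypoint.
      - "--entrypoints.websecure.http.middlewares=crowdsec@docker"
      # Global HTTP -> HTTPS Redirection
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      # Certificates Resolution (Let's Encrypt)
      # NOTE(review): httpchallenge and tlschallenge are both enabled on the
      # same resolver. A resolver uses a single challenge type, so one of
      # these is presumably ignored - confirm which and drop the other.
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.email=olivia@quangkhai.ch"
      # acme.json holds the account and certificate private keys; keep the
      # host file at mode 600 and out of version control.
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
    ports:
      - "80:80"
      - "443:443"
      # Internal `traefik` entrypoint (serves /ping only, since
      # api.insecure=false). Bound to loopback so it is not published on
      # every host interface.
      - "127.0.0.1:8080:8080"
      - "8883:8883"  # MQTT TLS
    volumes:
      # NOTE(review): the :ro flag only protects the socket file itself; it
      # does not restrict Docker API calls made through it. A compromise of
      # this internet-facing container therefore reaches the Docker daemon.
      # Consider placing a filtering socket proxy in front of it.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
      - ./logs:/var/log/traefik
    networks:
      - proxy_tier
    restart: unless-stopped
    healthcheck:
      # Depends on --ping=true in `command` above.
      test: ["CMD", "traefik", "healthcheck", "--ping"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 5s
    deploy:
      resources:
        limits:
          cpus: '2'
          memory: 512M
        reservations:
          cpus: '1'
          memory: 256M
    labels:
      # THE MIDDLEWARE DEFINITION
      - "traefik.http.middlewares.authelia-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.quangkhai.ch/"
      # NOTE(review): trustForwardHeader passes the incoming X-Forwarded-*
      # headers on to Authelia. That is only sound while the entrypoints do
      # not accept those headers from arbitrary clients (no
      # forwardedHeaders.insecure, trustedIPs limited to real upstream
      # proxies) - confirm.
      - "traefik.http.middlewares.authelia-auth.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.authelia-auth.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
      - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.enabled=true"
      - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.logLevel=INFO"
      - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecMode=live"
      # LAPI traffic is plain HTTP and stays on the proxy_tier network.
      - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecLapiHost=crowdsec:8080"
      - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecLapiScheme=http"
      # Fail closed: no fallback to a publicly known default key. Note that
      # label values are readable by anything with Docker API access.
      - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecLapiKey=${CROWDSEC_BOUNCER_KEY:?CROWDSEC_BOUNCER_KEY must be set}"

  crowdsec:
    # NOTE(review): `latest` is a floating tag, so every pull can change the
    # running code. Pin a specific release tag or image digest.
    image: crowdsecurity/crowdsec:latest
    container_name: crowdsec
    environment:
      - TZ=UTC
      - COLLECTIONS=crowdsecurity/traefik
      # Must be the same secret the Traefik bouncer presents; required, with
      # no default value.
      - "BOUNCER_KEY_TRAEFIK=${CROWDSEC_BOUNCER_KEY:?CROWDSEC_BOUNCER_KEY must be set}"
    volumes:
      - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml:ro
      # Read-only view of Traefik's access log.
      - ./logs:/var/log/traefik:ro
      - crowdsec-db:/var/lib/crowdsec/data
      - crowdsec-config:/etc/crowdsec
    networks:
      - proxy_tier
    restart: unless-stopped

networks:
  # Pre-existing shared network: every container attached to it can reach the
  # CrowdSec LAPI and Authelia over unencrypted HTTP.
  proxy_tier:
    name: proxy_tier
    external: true

volumes:
  crowdsec-db: {}
  crowdsec-config: {}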