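# Swarm stack template for the Traefik reverse proxy (rendered by a Jinja-style
# template engine before deployment). Template expressions that start or make up
# a YAML value are quoted so the rendered value always stays a string.
services:
  app:
    image: "traefik:{{ traefik_version }}"
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      # NOTE(review): unlike 80/443 this port has no `mode: host`, so it is
      # published through the swarm routing mesh. What listens on 8080 is decided
      # by the static config mounted at /etc/traefik (not shown here). If that is
      # the API/dashboard in insecure mode, it is reachable here without the
      # router and middleware defined in the labels below. Confirm, and drop or
      # firewall this port if it is not needed.
      - target: 8080
        published: 8080
        protocol: tcp
    environment:
      # NOTE(review): expressions inside YAML comments are still expanded by the
      # template engine, so the disabled line below still needs its variable to
      # be defined and writes the value into the rendered file.
      # - HETZNER_API_TOKEN={{ hetzner_api_key }}
      # NOTE(review): a token passed as an environment variable is readable by
      # anyone who can inspect the service, and the rendered stack file contains
      # it in clear text. A swarm secret plus the resolver's `_FILE` variable is
      # the usual alternative. TODO confirm it is supported by the Traefik
      # version in use.
      - "DO_AUTH_TOKEN={{ do_api_key }}"
    volumes:
      # NOTE(review): `:ro` only makes the bind mount of the socket file
      # read-only; it does not limit the Docker API. A process in this container
      # can still issue any API call. A socket proxy that allows only the read
      # endpoints Traefik needs narrows that exposure.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - "{{ data_dir }}/config:/etc/traefik"
      - "{{ data_dir }}/data/logs:/logs"
      # Holds the ACME account and certificate private keys. The file has to
      # exist on the node before deployment; Traefik expects it to be mode 600.
      - "{{ data_dir }}/data/acme.json:/acme.json"
    # healthcheck:
    #   test: ["CMD", "traefik", "healthcheck", "--ping"]
    #   timeout: 1s
    #   interval: 10s
    #   retries: 3
    #   start_period: 10s
    networks:
      - "{{ traefik_public_net }}"
    # Global mode runs one Traefik task on every node that matches the placement
    # constraint below (manager nodes), so that regardless of which of those
    # nodes the request arrives on, it is forwarded to the correct backend
    # service.
    deploy:
      mode: global
      labels:
        - "traefik.enable=true"
        - "traefik.swarm.network={{ traefik_public_net }}"
        # Router for Traefik's own API and dashboard (api@internal).
        - "traefik.http.routers.api.rule=Host(`{{ subdomain }}.{{ main_domain }}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
        - "traefik.http.routers.api.entrypoints=https"
        # NOTE(review): the middleware is the only access control these labels
        # attach to the router. When use_authentik is false, /api and /dashboard
        # are served with no authentication unless it is enforced elsewhere (for
        # example on the entrypoint in the static config). Confirm.
        # The control tags sit at column 0 so they render to nothing, or at most
        # a blank line, whatever whitespace-trimming options the engine uses.
{% if use_authentik %}
        - "traefik.http.routers.api.middlewares=authentik@file"
{% endif %}
        - "traefik.http.routers.api.tls.domains[0].main={{ main_domain }}"
        - "traefik.http.routers.api.tls.domains[0].sans=*.{{ main_domain }}"
        - "traefik.http.routers.api.tls=true"
        - "traefik.http.routers.api.tls.certresolver=main"
        - "traefik.http.routers.api.service=api@internal"
        # Placeholder port: the router above targets api@internal, so presumably
        # nothing has to listen on 9999. It only satisfies the provider's need
        # for a port label.
        - "traefik.http.services.dummy.loadbalancer.server.port=9999"
      placement:
        constraints:
          - "node.role == manager"

networks:
  "{{ traefik_public_net }}":
    external: true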