services:
  traefik:
    image: traefik:${TRAEFIK_VERSION:-v3.1}
    container_name: traefik
    restart: unless-stopped
    extra_hosts:
      - "host.docker.internal:host-gateway"

    command:
      # Logs
      - "--log.level=${TRAEFIK_LOG_LEVEL:-INFO}"

      # Dashboard (por ahora solo interno)
      - "--api.dashboard=true"
      - "--api.insecure=false"

      # Entrypoints
      - "--entrypoints.web.address=:${TRAEFIK_HTTP_PORT:-80}"
      - "--entrypoints.websecure.address=:${TRAEFIK_HTTPS_PORT:-443}"

      # Redirección HTTP -> HTTPS
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"

      # Proveedor Docker
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=${TRAEFIK_DOCKER_NETWORK:-proxy}"

      # Proveedor de ficheros dinámicos
      - "--providers.file.directory=/dynamic"
      - "--providers.file.watch=true"

      # ACME / Let's Encrypt (resolver "letsencrypt" parametrizado)
      - "--certificatesresolvers.${TRAEFIK_ACME_RESOLVER:-letsencrypt}.acme.email=${TRAEFIK_ACME_EMAIL}"
      - "--certificatesresolvers.${TRAEFIK_ACME_RESOLVER:-letsencrypt}.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.${TRAEFIK_ACME_RESOLVER:-letsencrypt}.acme.httpchallenge=true"
      - "--certificatesresolvers.${TRAEFIK_ACME_RESOLVER:-letsencrypt}.acme.httpchallenge.entrypoint=web"

    ports:
      - "${TRAEFIK_HTTP_PORT:-80}:80"
      - "${TRAEFIK_HTTPS_PORT:-443}:443"

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${TRAEFIK_DYNAMIC_PATH:-/opt/traefik/dynamic}:/dynamic
      - ${TRAEFIK_LETSENCRYPT_PATH:-/opt/traefik/letsencrypt}:/letsencrypt

    networks:
      - proxy

networks:
  proxy:
    external: true
    name: ${TRAEFIK_DOCKER_NETWORK:-proxy}