---
version: "3.3"

services:
  traefik:
    image: "traefik:v2.2"
    restart: "always"
    container_name: "traefik"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      # use https://github.com/Tecnativa/docker-socket-proxy later
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "./letsencrypt:/etc/letsencrypt"
      - "./traefik.yml:/etc/traefik/traefik.yml"
    networks:
      - proxy
    deploy:
      placement:
        constraints:
          - node.role == manager
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.traefik.loadbalancer.server.port=8080"
        - "traefik.http.routers.traefik.rule=Host(`traefik.swarm.autonomic.zone`)"
        - "traefik.http.routers.traefik.entrypoints=web-secured"
        - "traefik.http.routers.traefik.tls.certresolver=staging"
        - "traefik.http.routers.traefik.service=api@internal"
        # use docker secrets once things get stable
        - "traefik.http.routers.traefik.middlewares=traefik-auth"
        - "traefik.http.middlewares.traefik-auth.basicauth.users=autonomic:autonomic"

networks:
  proxy:
    external: true

volumes:
  letsencrypt: