version: '3.3'


services:
  reverse-proxy:
    image: traefik:1.7
    command:
      - --defaultentrypoints=https,http
      - --api
      - --api.entryPoint=traefik
      - --api.dashboard=true
      - --debug=false
      - --entryPoints=Name:http Address::1380 Compress:true Redirect.EntryPoint:https
      - --entryPoints=Name:https Address::13443 TLS Compress:true TLS.MinVersion:VersionTLS12 TLS.CipherSuites:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      - --entryPoints=Name:localhttp Address::80 Compress:true Redirect.EntryPoint:localhttps
      - --entryPoints=Name:localhttps Address::443 TLS Compress:true TLS.MinVersion:VersionTLS12 TLS.CipherSuites:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384      - --logLevel=INFO
      - --accessLog.format=json
      - --docker
      - --docker.endpoint=unix:///var/run/docker.sock
      - --docker.domain=${DOCKER_DOMAIN}
      - --docker.swarmmode=true
      - --docker.watch=true
      - --docker.exposedbydefault=false
      - --acme.email=${ACME_EMAIL}
      - --acme.storage=/acme/acme.json
      - --acme.entryPoint=https
      - --acme.onHostRule=true
      - --acme.httpChallenge.entryPoint=http
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 1380
        published: ${PUBLICHTTPPORT}
        protocol: tcp
        mode: host
      - target: 13443
        published: ${PUBLICHTTPSPORT}
        protocol: tcp
        mode: host
      - target: 8080
        published: ${ADMINPORT}
        protocol: tcp
        mode: host
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - acmeData:/acme
      - tmp:/tmp
      - tlsData:/tls
    networks:
      - traefik-net
      - external
    deploy:
      mode: global
      placement:
        constraints:
          - node.role == manager
      restart_policy:
        condition: any
        delay: 5s
      labels:
        traefik.enable: "true"
        traefik.frontend.rule: "Host:traefik.lan"
        traefik.port: 8080
        traefik.frontend.entryPoints: localhttp,localhttps
        traefik.docker.network: traefik-net
        traefik.frontend.headers.STSSeconds: 63072000
        traefik.frontend.headers.STSIncludeSubdomains: "true"
        traefik.frontend.headers.STSPreload: "true"
        
networks:
  external:
  traefik-net:
    driver: overlay
    external: true

volumes:
  acmeData:
  tlsData:
  tmp:


### Environment variables
# ADMINPORT 8080
# PUBLICHTTPPORT    1380
# PUBLICHTTPSPORT   13443
# DOCKER_DOMAIN
# ACME_EMAIL