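---
# Compose stack: Traefik v3.1 as the edge proxy (ACME DNS-01 via Cloudflare)
# in front of an nginx site, plus routers for Jellyfin and Vault whose
# backends are defined in the file provider (/traefik-provider.toml).
version: "3.3"

services:
  traefik:
    image: "traefik:v3.1"
    container_name: "traefik"
    command:
      # Router rules in this file use the v2 matcher syntax.
      - "--core.defaultRuleSyntax=v2"
      # DEBUG is very verbose; lower to INFO once troubleshooting is done.
      - "--log.level=DEBUG"
      # api.insecure serves the dashboard and API without authentication on
      # the internal :8080 entrypoint. It is published on loopback only (see
      # `ports`). For remote access, route api@internal through a router
      # with an auth middleware instead.
      - "--api.insecure=true"
      - "--providers.docker=true"
      # Containers are only routed when they carry traefik.enable=true.
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.address=:80"
      # Every request on :80 is redirected to HTTPS at the entrypoint level.
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      # ACME DNS-01 challenge through Cloudflare (needed for the wildcard).
      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=dj@d-jorgensen.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acmewildcard.json"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53"
      - "--providers.file.filename=/traefik-provider.toml"
      - "--providers.file.watch=true"
    labels:
      # for proxy to jellyfin testing
      - "traefik.enable=true"
      # Request one certificate covering the apex and the wildcard.
      - "traefik.http.routers.traefik.tls.domains[0].main=djorgensen.com"
      - "traefik.http.routers.traefik.tls.domains[0].sans=*.djorgensen.com"
      - "traefik.http.routers.traefik.tls.certresolver=myresolver"
      # HTTP
      - "traefik.http.routers.jellyfin-web.entrypoints=web"
      - "traefik.http.routers.jellyfin-web.rule=Host(`jellyfintest.djorgensen.com`)"
      - "traefik.http.routers.jellyfin-web.middlewares=jellyfin-web-https-redirect"
      - "traefik.http.middlewares.jellyfin-web-https-redirect.redirectscheme.scheme=https"
      # HTTPS
      - "traefik.http.routers.jellyfin-web-secure.entrypoints=websecure"
      - "traefik.http.routers.jellyfin-web-secure.rule=Host(`jellyfintest.djorgensen.com`)"
      - "traefik.http.routers.jellyfin-web-secure.tls=true"
      - "traefik.http.routers.jellyfin-web-secure.tls.certresolver=myresolver"
      # Middleware
      - 'traefik.http.routers.jellyfin-web-secure.middlewares=jellyfin-mw'
      # customResponseHeaders lists header names and values to add to the
      # response.
      - 'traefik.http.middlewares.jellyfin-mw.headers.customResponseHeaders.X-Robots-Tag=noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex'
      # Traefik v3 removed the legacy sslRedirect / sslHost / sslForceHost
      # header options (see the v2-to-v3 migration notes), so on the v3.1
      # image these labels are kept only for reference. HTTP-to-HTTPS
      # redirection is already done by the web entrypoint redirection in
      # `command` above.
      # - 'traefik.http.middlewares.jellyfin-mw.headers.SSLRedirect=true'
      # - 'traefik.http.middlewares.jellyfin-mw.headers.SSLHost=jellyfintest.djorgensen.com'
      # - 'traefik.http.middlewares.jellyfin-mw.headers.SSLForceHost=true'
      # stsSeconds is the max-age of the Strict-Transport-Security header.
      # A value of 0 omits the header.
      - 'traefik.http.middlewares.jellyfin-mw.headers.STSSeconds=315360000'
      # stsIncludeSubdomains appends includeSubDomains to the STS header.
      - 'traefik.http.middlewares.jellyfin-mw.headers.STSIncludeSubdomains=true'
      # stsPreload appends the preload flag to the STS header.
      - 'traefik.http.middlewares.jellyfin-mw.headers.STSPreload=true'
      # forceSTSHeader adds the STS header even when the connection is HTTP.
      - 'traefik.http.middlewares.jellyfin-mw.headers.forceSTSHeader=true'
      # frameDeny adds X-Frame-Options: DENY (overridden further down by
      # customFrameOptionsValue).
      - 'traefik.http.middlewares.jellyfin-mw.headers.frameDeny=true'
      # contentTypeNosniff adds X-Content-Type-Options: nosniff.
      - 'traefik.http.middlewares.jellyfin-mw.headers.contentTypeNosniff=true'
      # X-XSS-Protection is set to 0 through a custom response header, which
      # turns the legacy browser XSS filter off. This is not the
      # browserXssFilter option, which would send "1; mode=block".
      - 'traefik.http.middlewares.jellyfin-mw.headers.customresponseheaders.X-XSS-PROTECTION=0'
      # customFrameOptionsValue sets a custom X-Frame-Options value and
      # overrides frameDeny. The value carries no inner quotes: everything
      # inside the YAML string is sent verbatim in the header.
      # ALLOW-FROM is obsolete and ignored by current browsers, so this
      # override leaves them with no framing restriction. If framing from that
      # origin is required, express it with a CSP frame-ancestors directive
      # (headers.contentSecurityPolicy) instead.
      - "traefik.http.middlewares.jellyfin-mw.headers.customFrameOptionsValue=allow-from https://djorgensen.com"
      # HTTP Service
      # A port is defined here because one is required, but the router points
      # at the service defined in the file provider (@file).
      - 'traefik.http.routers.jellyfin-web-secure.service=jellyfin-svc@file'
      - 'traefik.http.services.jellyfin-svc@file.loadBalancer.server.port=8096'
      - 'traefik.http.services.jellyfin-svc@file.loadBalancer.passHostHeader=true'
      # for proxy to vault testing
      # HTTP
      - "traefik.http.routers.vault-web.entrypoints=web"
      - "traefik.http.routers.vault-web.rule=Host(`vault.djorgensen.com`)"
      - "traefik.http.routers.vault-web.middlewares=vault-web-https-redirect"
      - "traefik.http.middlewares.vault-web-https-redirect.redirectscheme.scheme=https"
      # Only loopback and the local /24 may reach the Vault router. The
      # allow-list matches the connection's source address as Traefik sees it.
      - "traefik.http.routers.vault-web-secure.middlewares=vault-web-ipallowlist"
      - "traefik.http.middlewares.vault-web-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.0/24"
      # HTTPS
      - "traefik.http.routers.vault-web-secure.entrypoints=websecure"
      - "traefik.http.routers.vault-web-secure.rule=Host(`vault.djorgensen.com`)"
      - "traefik.http.routers.vault-web-secure.tls=true"
      - "traefik.http.routers.vault-web-secure.tls.certresolver=myresolver"
      # HTTP Service
      # A port is defined here because one is required, but the router points
      # at the service defined in the file provider (@file).
      - "traefik.http.routers.vault-web-secure.service=vault-svc@file"
      - "traefik.http.services.vault-svc@file.loadBalancer.server.port=8000"
      - "traefik.http.services.vault-svc@file.loadBalancer.passHostHeader=true"
      - "traefik.http.services.vault-svc@file.loadbalancer.server.scheme=http"
    ports:
      - "80:80"
      - "443:443"
      # Unauthenticated dashboard/API (api.insecure): bound to loopback so it
      # is not reachable from other hosts. Use an SSH tunnel, or an
      # authenticated router, for remote access.
      - "127.0.0.1:8088:8080"
    environment:
      - CF_API_EMAIL=dj@d-jorgensen.com
      # The Cloudflare token is injected at deploy time from the shell
      # environment or an untracked .env file and must never be committed.
      # A token that has ever appeared in this file should be treated as
      # exposed: revoke it in Cloudflare and issue a new one, limited to DNS
      # edit on this zone.
      - "CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN:?CF_DNS_API_TOKEN must be set}"
    volumes:
      # Holds the ACME account key and certificate private keys; keep the
      # host directory readable by root only.
      - "/docker/letsencrypt:/letsencrypt"
      # The :ro flag only protects the socket file itself. Anything that can
      # open the socket can still call the full Docker API, so a compromise
      # of this container is equivalent to root on the host.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/docker/traefik/traefik-provider.toml:/traefik-provider.toml"
    networks:
      - traefik_proxy

  nginx:
    image: "nginx"
    container_name: "djorgensen.com"
    restart: "always"
    labels:
      - "traefik.enable=true"
      # NOTE(review): `traefik.port` is Traefik v1 label syntax and is likely
      # a no-op on v2+. The v2+ equivalent is
      # traefik.http.services.<name>.loadbalancer.server.port.
      - "traefik.port=80"
      - "traefik.http.routers.nginx.rule=Host(`djorgensen.com`, `www.djorgensen.com`)"
      - "traefik.http.routers.nginx.tls=true"
      - "traefik.http.routers.nginx.tls.certresolver=myresolver"
      # Catch-all on :80 that redirects any host to HTTPS.
      - "traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)"
      - "traefik.http.routers.http_catchall.entrypoints=web"
      - "traefik.http.routers.http_catchall.middlewares=https_redirect"
      - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https_redirect.redirectscheme.permanent=true"
      # Strip a leading "www." with a permanent redirect. `$$` escapes `$`
      # for Compose so Traefik receives `${1}`.
      - "traefik.http.middlewares.non_www.redirectregex.regex=^https://(?:www\\.)?(.+)"
      - "traefik.http.middlewares.non_www.redirectregex.replacement=https://$${1}"
      - "traefik.http.middlewares.non_www.redirectregex.permanent=true"
      - "traefik.http.routers.nginx.middlewares=https_redirect@docker, non_www@docker"
    volumes:
      - "/var/www/html:/usr/share/nginx/html"
    networks:
      - traefik_proxy

networks:
  traefik_proxy:
    external: true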