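---
# Edge stack: Traefik (reverse proxy on host ports 80/443) and cloudflared
# (Cloudflare Tunnel client), both attached to the pre-existing "proxy" network.
# All ${...} values are substituted by Compose from the shell or a project .env
# file; an unset variable becomes an empty string with only a warning. Use
# ${VAR:?message} on a value if startup should fail when it is missing.
services:
  traefik:
    # Pinned by tag; pin by digest as well if the image must be immutable.
    image: traefik:v3.6.4
    container_name: traefik
    restart: unless-stopped
    # env_file: [./.env]
    # env_file:
    #   - /srv/traefik/secrets/cloudflare.env
    # Values passed as environment variables can be read back with
    # `docker inspect` by anyone who can reach the Docker API.
    environment:
      - DOMAIN_BASE=${DOMAIN_BASE}
      # - CF_API_TOKEN=${CF_API_TOKEN}  (CLOUDFLARE_DNS_API_TOKEN is used instead)
      - CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_DNS_API_TOKEN}
      # NOTE(review): nothing in this file consumes the two dashboard values;
      # presumably a templated file under ./dynamic reads them - confirm, and
      # keep the password as an htpasswd-style hash if it feeds basicAuth.
      - TRAEFIK_DASHBOARD_USER=${TRAEFIK_DASHBOARD_USER}
      - TRAEFIK_DASHBOARD_PASS=${TRAEFIK_DASHBOARD_PASS}
    # NOTE(review): static options are passed here AND a static file is mounted
    # at /traefik.yml below. Traefik documents file, CLI flags and environment
    # as mutually exclusive static-config sources, evaluated in that order. If
    # the file is picked up, these flags (including exposedbydefault=false) are
    # ignored - confirm which source is actually in effect.
    command:
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--providers.docker=true"
      # Containers are routed only when they opt in with traefik.enable=true.
      - "--providers.docker.exposedbydefault=false"
      - "--providers.file.directory=/etc/traefik/dynamic"
      - "--providers.file.watch=true"
      # No --api.insecure flag is set, so the dashboard needs a router to
      # api@internal. That router is not defined in this file; verify that it
      # carries an authentication middleware wherever it is declared.
      - "--api.dashboard=true"
      # Ping endpoint used by the healthcheck below.
      - "--ping"
    # NOTE(review): these ports are a direct path to Traefik next to the
    # tunnel. If traffic is meant to arrive only through cloudflared, confirm
    # they are intended and firewalled accordingly.
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # ":ro" only protects the socket file node. The Docker API stays fully
      # usable through it, and that access is equivalent to root on the host
      # (it also exposes every container's environment, TUNNEL_TOKEN included).
      # Consider a filtering socket proxy limited to read-only endpoints.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./static/traefik.yml:/traefik.yml:ro
      # Traefik only reads and watches this directory, so it is mounted
      # read-only (was rw) to match the read-only root filesystem.
      - ./dynamic:/etc/traefik/dynamic:ro
      # - /srv/traefik/acme.json:/letsencrypt/acme.json
      # NOTE(review): this exposes all of /srv/traefik read-write inside the
      # container. The commented env_file paths point at /srv/traefik/secrets,
      # which would be included. Prefer a dedicated subdirectory holding only
      # acme.json (mode 600).
      - /srv/traefik/:/letsencrypt/
    security_opt:
      - "no-new-privileges:true"
    # Root filesystem is read-only; /tmp is the only writable scratch space
    # besides the bind mounts above.
    read_only: true
    tmpfs:
      - /tmp
    healthcheck:
      test: ["CMD", "traefik", "healthcheck", "--ping"]
      interval: 10s
      timeout: 3s
      retries: 3
    # Cap container log size so proxy logs cannot fill the host disk.
    logging:
      options:
        max-size: "10m"
        max-file: "3"
    networks:
      - proxy

  cloudflared:
    image: cloudflare/cloudflared:2025.11.1
    restart: unless-stopped
    # env_file:
    #   - /srv/traefik/secrets/cloudflared.env  # contains TUNNEL_TOKEN
    # No token on the command line; it is supplied through the environment.
    command: ["tunnel", "run"]
    # user: "65532:65532"  # non-root (optional)
    environment:
      # Tunnel credential: treat as a secret and rotate it if it leaks.
      - TUNNEL_TOKEN=${TUNNEL_TOKEN}
      - TUNNEL_TRANSPORT_PROTOCOL=${TUNNEL_TRANSPORT_PROTOCOL}
      - NO_AUTOUPDATE=${NO_AUTOUPDATE}
    security_opt:
      - "no-new-privileges:true"
    read_only: true
    tmpfs:
      - /tmp
    networks:
      - proxy

networks:
  # Must already exist; Compose does not create or remove external networks.
  proxy:
    external: true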