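---
# Traefik v3 reverse proxy with a TLS-terminated dashboard.
# The static configuration (entrypoints, providers, certresolvers, api.dashboard,
# ping) is expected in /mnt/traefik/traefik.yml on the host. That file is not
# part of this listing, so the dashboard and healthcheck below assume it enables
# `api.dashboard` and `ping` — confirm against that file.
services:
  traefik:
    image: traefik:3.6  # pinned instead of :latest so upgrades are deliberate
    container_name: traefik
    restart: unless-stopped
    command:
      - "--configFile=/etc/traefik/traefik.yml"
      - "--log.level=INFO"
    environment:
      # DOCKER_CLIENT_VERSION was removed — it is not a Traefik env var.
      - DOCKER_API_VERSION=1.47
    security_opt:
      # Quoted: a plain scalar containing ':' parses as a string, but quoting
      # makes that obvious to readers and linters.
      - "no-new-privileges:true"
    ports:
      - "80:80"
      - "443:443"
    networks:
      # Attach to the network declared at the bottom of the file. Without this
      # entry the container lands on Compose's default network and the
      # `traefik-net` declaration is unused. Containers Traefik is meant to
      # route to must join the same network.
      - traefik-net
    volumes:
      # The read-only flag only prevents writes to the socket file itself; any
      # reader of the Docker API can still create privileged containers, so
      # this mount is effectively root on the host. A socket proxy that
      # allows only the endpoints Traefik needs is the usual mitigation.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Holds traefik.yml and the ACME certificate store. Traefik logs an
      # error and will not use an acme.json that is group/world readable, so
      # keep it 0600 on the host.
      - /mnt/traefik:/etc/traefik
    labels:
      - "traefik.enable=true"
      # Dashboard router (served by Traefik's own api@internal service)
      - "traefik.http.routers.dashboard.rule=Host(`traefik.ljh31.de`)"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls=true"
      - "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"
      - "traefik.http.routers.dashboard.service=api@internal"
      # Apply exactly one auth middleware: keycloak-oauth2 for SSO, or
      # dashboard-auth for simple Basic Auth. Both are defined below.
      - "traefik.http.routers.dashboard.middlewares=dashboard-auth"
      # Basic Auth (fallback / alternative to Keycloak SSO).
      # The value below is a placeholder. Generate a real entry with
      # `htpasswd -nB admin` (bcrypt) rather than the MD5-based apr1 scheme,
      # and keep every '$' doubled so Compose does not interpolate it.
      - "traefik.http.middlewares.dashboard-auth.basicauth.users=admin:$$apr1$$xyz$$..."
      # Keycloak ForwardAuth middleware.
      # Requires a running OAuth2 proxy (e.g. oauth2-proxy or
      # traefik-forward-auth) pointing at your Keycloak realm. Replace the
      # <oauth2-proxy-host> placeholder with its reachable address — the
      # previous value had an empty host (http:///oauth2/auth), which cannot
      # be dialled and would fail every dashboard request.
      - "traefik.http.middlewares.keycloak-oauth2.forwardauth.address=http://<oauth2-proxy-host>/oauth2/auth"
      # trustForwardHeader forwards the incoming X-Forwarded-* headers to the
      # auth server unchanged. That is only safe when the websecure entrypoint
      # restricts which source IPs may set them (forwardedHeaders.trustedIPs
      # in traefik.yml); otherwise a client can supply its own — confirm.
      - "traefik.http.middlewares.keycloak-oauth2.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.keycloak-oauth2.forwardauth.authResponseHeaders=X-Auth-Request-User,X-Auth-Request-Email"
      # (Middleware name fixed: was 'traefak' and used the non-existent
      # 'oauth3' type.)
      # If switching to Keycloak SSO, change the router middleware line above to:
      #   - "traefik.http.routers.dashboard.middlewares=keycloak-oauth2"
      # and configure your OAuth2 proxy with these Keycloak settings:
      #   provider: keycloak-oidc
      #   client-id: traefik
      #   client-secret: ${KEYCLOAK_SECRET}
      #   oidc-issuer-url: https://iam.ljh31.de/realms/traefik
      #   redirect-url: https://traefik.ljh31.de/oauth2/callback  # https, not http
      #   scope: openid profile email
    healthcheck:
      # `traefik healthcheck` hits the ping endpoint, which must be enabled
      # (`ping: {}`) in the static config or the check never passes.
      test: ["CMD", "traefik", "healthcheck"]
      interval: 10s
      timeout: 5s
      retries: 3

networks:
  traefik-net:
    driver: bridge

# The unused named volume 'traefik-acme' was removed — the bind mount above is
# used instead. To use a named Docker volume rather than a bind mount, replace
# the /mnt/traefik entry under traefik with:
#   - traefik-acme:/etc/traefik/acme
# and uncomment the block below:
# volumes:
#   traefik-acme: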