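# Compose stack for a Traefik reverse proxy that discovers containers through
# the Docker provider and obtains certificates via the Cloudflare ACME
# DNS challenge.
services:
  traefik:
    # NOTE(review): `latest` is a moving tag, so every pull can change the
    # running proxy. Pin a reviewed version tag or image digest.
    image: traefik:latest
    container_name: traefik
    # Every variable in .env is injected into the container, not only the
    # ones Traefik reads. Keep unrelated secrets out of that file.
    env_file:
      - .env
    # NOTE(review): root plus the Docker socket below means a compromise of
    # this container is effectively a compromise of the Docker host.
    user: root  # Ensure access to docker.sock
    command:
      # Serves the dashboard and API without authentication on Traefik's
      # internal `traefik` entrypoint (:8080). The published port below is
      # restricted to loopback for that reason.
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      # Containers are routed only when they opt in with traefik.enable=true.
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      # X-Forwarded-* headers are trusted from loopback and every RFC 1918
      # range, so any peer in those ranges can set the client IP seen by
      # backends. NOTE(review): narrow this to the actual upstream proxy.
      - "--entrypoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12"
      # NOTE(review): DEBUG is verbose; lower to INFO once troubleshooting
      # is finished.
      - "--log.level=DEBUG"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge=true"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare"
      # Uncomment to issue from the Let's Encrypt staging CA while testing.
      # - "--certificatesresolvers.cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.cloudflare.acme.email=${ACME_EMAIL:-admin@kotori-waifu.cc}"
      # acme.json holds the ACME account key and certificate private keys.
      - "--certificatesresolvers.cloudflare.acme.storage=/letsencrypt/acme.json"
    environment:
      - DOCKER_API_VERSION=1.44
      # Cloudflare token used for the DNS challenge. Scope it to DNS edits
      # on the zones this proxy serves.
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
    ports:
      - "80:80"
      - "443:443"
      # Loopback only: the API behind this port is unauthenticated
      # (api.insecure). Reach it through an SSH tunnel, or disable
      # api.insecure and publish the dashboard via an authenticated router.
      - "127.0.0.1:8085:8080"  # Traefik dashboard (moved from 8080)
    volumes:
      # `:ro` makes the socket file read-only in the mount, but it does not
      # limit which Docker API calls can be sent over it.
      # NOTE(review): consider a filtering socket proxy in front of it.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Host directory for acme.json. Keep it readable by the owner only.
      - ./letsencrypt:/letsencrypt
    networks:
      - proxy_net
    restart: unless-stopped

networks:
  # Created outside this file. It must exist before `docker compose up`.
  proxy_net:
    external: true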