version: '3.8'

services:
  traefik:
    image: traefik:v3.0
    command:
      # API 和 Dashboard
      - --api.dashboard=true
      - --api.insecure=true
      
      # 入口点
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      
      # Docker Swarm Provider
      - --providers.swarm=true
      - --providers.swarm.endpoint=unix:///var/run/docker.sock
      - --providers.swarm.exposedByDefault=false
      - --providers.swarm.network=traefik-public
      
      # 日志
      - --log.level=INFO
      - --accesslog=true
      
      # 指标
      - --metrics.prometheus=true
      - --metrics.prometheus.addEntryPointsLabels=true
      - --metrics.prometheus.addServicesLabels=true
      
      # 证书解析器 (可选)
      - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
      - --certificatesresolvers.letsencrypt.acme.email=admin@example.com
      - --certificatesresolvers.letsencrypt.acme.storage=/certificates/acme.json
    
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"  # Dashboard
    
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik-certificates:/certificates
    
    networks:
      - traefik-public
    
    deploy:
      mode: global
      placement:
        constraints:
          - node.role == manager
      labels:
        # Traefik Dashboard 路由
        - traefik.enable=true
        - traefik.http.routers.traefik-dashboard.rule=Host(`traefik.local`)
        - traefik.http.routers.traefik-dashboard.service=api@internal
        - traefik.http.services.traefik-dashboard.loadbalancer.server.port=8080
      update_config:
        parallelism: 1
        delay: 10s
      restart_policy:
        condition: on-failure

networks:
  traefik-public:
    external: true

volumes:
  traefik-certificates: