services:
  tunnel:
    image: cloudflare/cloudflared:2026.2.0@sha256:09b8ae19c02e44c075361a64094e6216421672705647b0e8d4ce8d1d8feea7ac
    restart: unless-stopped
    command: tunnel --no-autoupdate run
    environment:
      - TUNNEL_TOKEN_FILE=/run/secrets/tunnel_token
    networks:
      - homelab_proxy
    secrets:
      - tunnel_token

  traefik:
    image: traefik:v3.6.8@sha256:daf5df7f7b96cd34a1a499a275cb93c8dbc4ce58d49f98911e0583ba41cc4351
    restart: unless-stopped
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls=true

      - --certificatesresolvers.le.acme.email=${ACME_EMAIL}
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.le.acme.dnschallenge=true
      - --certificatesresolvers.le.acme.dnschallenge.provider=cloudflare
    env_file:
      - .env
    environment:
      - CF_DNS_API_TOKEN_FILE=/run/secrets/cf_api_token
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - letsencrypt:/letsencrypt
    networks:
      - homelab_proxy
      - homelab_apps
    secrets:
      - cf_api_token

volumes:
  letsencrypt:
    driver: local

networks:
  homelab_proxy:
    external: true
  homelab_apps:
    external: true

secrets:
  tunnel_token:
    file: ./secrets/tunnel_token.txt
  cf_api_token:
    file: ./secrets/cf_api_token.txt