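# =============================================================================
# 04_stack-traefik.yml – Phase 5 (separate, once ready)
# =============================================================================
# WHEN: Only once phases 1–4 are running stably.
#       Do NOT start this at the same time as the network migration.
#
# Prerequisites:
#   - Domain + DNS record in place
#   - Ports 80 + 443 forwarded on the router
#   - ./traefik/traefik.yml created (template below)
#   - ./traefik/dynamic/middlewares.yml created (template below)
#
# After start-up, per container in 03_stack-frontend.yml:
#   - traefik.enable: "false" → "true"
#   - adjust yourdomain.tld
#   - comment out the ports: block
#   - docker compose -f 03_stack-frontend.yml up -d --force-recreate
# =============================================================================
---
networks:
  # Created outside this stack; compose only attaches to it.
  frontend_net:
    external: true

services:
  traefik:
    # Minor-version tag: it moves with patch releases. Pin a digest if
    # deployments must be reproducible.
    image: traefik:v3.3
    container_name: traefik
    restart: unless-stopped
    security_opt:
      # Blocks privilege gain through setuid/setgid binaries in the container.
      - no-new-privileges:true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # NOTE(review): ":ro" only makes the socket *file* read-only. It does not
      # restrict the Docker API calls made through it, so whoever controls this
      # container effectively controls the Docker daemon. Consider placing a
      # filtering socket proxy (read-only container endpoints only) in between.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Holds acme.json (ACME account key and certificate private keys).
      # Traefik expects mode 600 on that file; treat backups of it as secrets.
      - traefik_certs:/certs
      - ./traefik/traefik.yml:/etc/traefik/traefik.yml:ro
      - ./traefik/dynamic:/etc/traefik/dynamic:ro
    networks:
      frontend_net:
        # Static IP — infrastructure anchor.
        # Presumably frontend_net was created with a subnet that contains this
        # address — verify before first start.
        ipv4_address: 172.20.0.2
    labels:
      traefik.enable: "true"
      # Dashboard router. With 443 forwarded on the router this host name is
      # reachable from the internet, and basic auth (auth@file) is the only
      # gate in front of api@internal. Consider additionally restricting it by
      # source address (e.g. an ipAllowList middleware) or keeping it LAN-only.
      traefik.http.routers.traefik-dash.rule: "Host(`traefik.yourdomain.tld`)"
      traefik.http.routers.traefik-dash.entrypoints: "websecure"
      traefik.http.routers.traefik-dash.tls.certresolver: "letsencrypt"
      traefik.http.routers.traefik-dash.service: "api@internal"
      traefik.http.routers.traefik-dash.middlewares: "auth@file"
      traefik.docker.network: "frontend_net"

volumes:
  traefik_certs:
    name: traefik_certs

# =============================================================================
# traefik/traefik.yml (template):
# =============================================================================
# api:
#   # Dashboard is served only through the api@internal router defined in the
#   # compose labels. Do not add "insecure: true" here: that serves the API
#   # without authentication.
#   dashboard: true
# entryPoints:
#   web:
#     address: ":80"
#     http:
#       redirections:
#         entryPoint:
#           to: websecure
#           scheme: https
#   websecure:
#     address: ":443"
# certificatesResolvers:
#   letsencrypt:
#     acme:
#       email: deine@email.de  # placeholder — replace with your own address
#       storage: /certs/acme.json
#       # HTTP-01 challenge: port 80 must stay reachable from the internet.
#       httpChallenge:
#         entryPoint: web
# providers:
#   docker:
#     # Containers are routed only when they set traefik.enable: "true".
#     exposedByDefault: false
#     network: frontend_net
#   file:
#     directory: /etc/traefik/dynamic
#     watch: true
#
# =============================================================================
# traefik/dynamic/middlewares.yml (template):
# =============================================================================
# http:
#   middlewares:
#     auth:
#       basicAuth:
#         users:
#           # Generate the htpasswd entry with: htpasswd -nb admin <password>
#           # Prefer "htpasswd -nB admin": it prompts for the password (keeps
#           # it out of shell history and the process list) and emits a bcrypt
#           # hash instead of the MD5-based $apr1$ format.
#           # In this file the "$" characters are written as-is; doubling them
#           # ("$$") is only needed when the entry is placed in compose labels.
#           - "admin:$apr1$..."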