services:
  traefik:
    image: traefik:latest
    container_name: traefik-node${TRAEFIK_NODE_ID}
    network_mode: host
    extra_hosts:
      - "host.docker.internal:host-gateway"
    cpus: 1.0
    mem_limit: "1024m"
    mem_reservation: "128m"
    restart: always
    command:
      # --- Core & API ---
      - "--api.dashboard=true"
      # REMOVED: --api.insecure=true (We will route the dashboard securely via Traefik labels instead)
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=${REQUIRED_NETWORKS}" # Ensure these are correct!
      - "--providers.file.directory=/etc/traefik/dynamic"
      - "--providers.file.watch=true"

      # --- Entrypoints ---
      - "--entrypoints.web.address=:80"
      # Global Redirect: Force HTTP -> HTTPS for everyone
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      
      - "--entrypoints.websecure.address=:443"
      # WILDCARD BLANKET: This tells Traefik "Use deSEC to get a wildcard cert for EVERYTHING on port 443"
      - "--entrypoints.websecure.http.tls.certresolver=desec"
      - "--entrypoints.websecure.http.tls.domains[0].main=mapletree.email"
      - "--entrypoints.websecure.http.tls.domains[0].sans=*.mapletree.email"
      - "--entrypoints.websecure.http.tls.domains[0].sans=*.dev.mapletree.email" # Optional: Add your dev subdomain too
      - "--entrypoints.websecure.http.tls.domains[0].sans=*.test.mapletree.email"

      # --- One Resolver to Rule Them All (deSEC) ---
      # I renamed this to 'desec' for clarity.
      - "--certificatesresolvers.desec.acme.dnschallenge=true"
      - "--certificatesresolvers.desec.acme.dnschallenge.provider=desec"
      - "--certificatesresolvers.desec.acme.email=${ACME_EMAIL}"
      - "--certificatesresolvers.desec.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.mysresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=desec"
      - "--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL}"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.dns_resolver.acme.dnschallenge=true"
      - "--certificatesresolvers.dns_resolver.acme.dnschallenge.provider=desec"
      - "--certificatesresolvers.dns_resolver.acme.email=${ACME_EMAIL}"
      - "--certificatesresolvers.dns_resolver.acme.storage=/letsencrypt/acme.json"
      # Optimization: deSEC is fast; we don't need massive delays or propagation checks
      - "--certificatesresolvers.desec.acme.dnschallenge.delaybeforecheck=10"
      - "--certificatesresolvers.desec.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
      - "--certificatesresolvers.dns_resolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
    environment:
      - DESEC_TOKEN=${DESEC_TOKEN}
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/docker/traefik/letsencrypt:/letsencrypt"
      - "/docker/traefik/dynamic:/etc/traefik/dynamic"