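---
# Traefik v3 edge proxy for the staging host.
#
# Traffic flow: Traefik terminates TLS for the services it routes itself
# (whoami) and passes every other TLS connection on :443 through, still
# encrypted, to an external Nginx host (catchall-shim). ENV and PORT must be
# provided by the environment or a .env file; the `:?` expansions make
# Compose fail fast instead of silently substituting an empty string.
services:
  traefik:
    # Pinned by digest so a re-pushed tag cannot change what runs.
    image: "traefik:v3.6@sha256:aaf0f6185419a50c74651448c1a5bf4606bd2d2ddb7b8749eed505d55bf8b8ea"
    restart: unless-stopped
    security_opt:
      - "no-new-privileges:true"
    networks:
      - proxy
    command:
      # DEBUG is verbose and writes per-request detail to the logs; lower it
      # to INFO or WARN once the setup is verified.
      - "--log.level=DEBUG"
      - "--providers.docker=true"
      # Containers must opt in with traefik.enable=true; nothing is routed
      # merely because it is running.
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=proxy"
      # Only containers labelled env=<ENV> are picked up, so one Docker
      # socket can serve several environments without cross-routing.
      - "--providers.docker.constraints=Label(`env`, `${ENV:?ENV must be set}`)"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.https.address=:443"
      # HTTP-01 challenges are answered on the web entrypoint; Traefik serves
      # /.well-known/acme-challenge/ itself ahead of the routers below, so
      # the HTTP catch-all should not swallow them — verify on first issuance.
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
    ports:
      - "${PORT:?PORT must be set}:80"
      - "4443:443"
      # Published to a random host port. Nothing in this file enables the
      # API/dashboard on 8080 (no --api.insecure), so this mapping is idle;
      # remove it, or if the dashboard is enabled later put it behind
      # authentication rather than relying on a random port.
      - "8080"
    volumes:
      # The :ro flag applies to the socket file, not to the Docker API behind
      # it — this mount still grants full control of the host's Docker
      # daemon. Keep this container minimal and its image pinned.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # acme.json holds the private keys of issued certificates; keep the
      # host directory permissions restricted.
      - "./data/letsencrypt:/letsencrypt"

  whoami:
    image: "traefik/whoami@sha256:200689790a0a0ea48ca45992e0450bc26ccab5307375b41c84dfc4f2475937ab"
    restart: unless-stopped
    security_opt:
      - "no-new-privileges:true"
    networks:
      - proxy
    labels:
      - "env=${ENV:?ENV must be set}"
      - "traefik.enable=true"
      # Plain HTTP router on :80.
      - "traefik.http.routers.whoami.rule=Host(`test.staging.kovagoadi.hu`)"
      - "traefik.http.routers.whoami.entrypoints=web"
      # TLS router on :443; Traefik terminates TLS with a Let's Encrypt
      # certificate. The router name `https` is shared across the whole
      # Docker provider — a service-specific name such as whoami-https would
      # avoid a clash if another container ever declares a router `https`.
      - "traefik.http.routers.https.rule=Host(`test.staging.kovagoadi.hu`)"
      - "traefik.http.routers.https.entrypoints=https"
      - "traefik.http.routers.https.tls=true"
      - "traefik.http.routers.https.tls.certresolver=letsencrypt"

  # Serves no traffic itself: it only carries the labels that tell Traefik
  # to forward everything it does not route elsewhere to the external Nginx
  # host. It appears not to need the proxy network because both services
  # below point at an explicit address rather than at this container.
  catchall-shim:
    # Same image and digest as whoami, so the shim is pinned as well instead
    # of floating on the latest tag.
    image: "traefik/whoami@sha256:200689790a0a0ea48ca45992e0450bc26ccab5307375b41c84dfc4f2475937ab"
    restart: unless-stopped
    security_opt:
      - "no-new-privileges:true"
    labels:
      - "env=${ENV:?ENV must be set}"
      - "traefik.enable=true"
      # -------------------------------------------------------
      # 1. HTTPS Handling (TCP Passthrough) -> Port 443
      # -------------------------------------------------------
      # Use a TCP router on the https entrypoint.
      - "traefik.tcp.routers.catchall-https.entrypoints=https"
      # Match any SNI. Traefik evaluates HostSNI(`*`) after more specific
      # rules, so whoami's TLS router keeps its own host name — confirm in
      # the dashboard after changes.
      - "traefik.tcp.routers.catchall-https.rule=HostSNI(`*`)"
      # CRITICAL: passthrough = true. Traefik will NOT decrypt; the TLS
      # stream reaches Nginx intact, so Nginx must hold the certificates for
      # these hosts.
      - "traefik.tcp.routers.catchall-https.tls.passthrough=true"
      # Explicit priority left disabled; check Traefik's router-priority
      # rules before enabling it, since a fixed value replaces the default
      # ordering described above.
      # - "traefik.tcp.routers.catchall-https.priority=1"
      - "traefik.tcp.routers.catchall-https.service=nginx-backend-secure"
      # TCP services take `server.address` (host:port), not `server.url`.
      # Replace the address below with your Nginx host.
      - "traefik.tcp.services.nginx-backend-secure.loadbalancer.server.address=192.168.1.85:443"
      # -------------------------------------------------------
      # 2. HTTP Handling (Standard Proxy) -> Port 80
      # -------------------------------------------------------
      # HTTP is unencrypted, so a standard HTTP router forwards it to Nginx
      # port 80 (for Certbot challenges / redirects). Every otherwise
      # unmatched request on :80 ends up at Nginx. Without a set priority
      # Traefik ranks routers by rule length, so whoami's longer Host(...)
      # rule still takes precedence over this PathPrefix(`/`).
      - "traefik.http.routers.catchall-http.entrypoints=web"
      - "traefik.http.routers.catchall-http.rule=PathPrefix(`/`)"
      # - "traefik.http.routers.catchall-http.priority=1"
      - "traefik.http.routers.catchall-http.service=nginx-backend-plain"
      # HTTP services take a full URL. Replace the address with your Nginx host.
      - "traefik.http.services.nginx-backend-plain.loadbalancer.server.url=http://192.168.1.85:80"

networks:
  # Explicit empty mapping: Compose creates the network with default settings.
  proxy: {}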