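---
# Traefik static configuration.
# Restored to one key per line: collapsed onto a single line, everything
# after the first " #" is read as a comment and the file cannot be parsed.

global:
  # Periodically makes an outbound request to check for new releases.
  checkNewVersion: true
  sendAnonymousUsage: false

# 1. EntryPoints Definition
# We define the ports Traefik listens on.
# HTTP (80) automatically redirects to HTTPS (443).
# NOTE(review): an SMTP (25) passthrough for Mailman was described here, but
# no entry point for port 25 is defined in this file - confirm whether it is
# handled elsewhere or drop the note.
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letsencrypt

# 2. Providers
# Traefik watches the Docker socket to discover services.
# Access to the Docker socket is equivalent to root on the host. A read-only
# bind mount does not restrict Docker API calls; a filtering socket proxy
# limited to read-only endpoints does.
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    # Containers are ignored unless they have "traefik.enable=true"
    exposedByDefault: false
    # Must match the network name in docker-compose.yml
    network: proxy_net
  #
  # Optional: Watch a directory for dynamic config files
  # (good for custom TLS certs or middlewares)
  # file:
  #   directory: /etc/traefik/dynamic
  #   watch: true

# 3. API & Dashboard
# The dashboard is enabled but "insecure" mode is OFF, so it is reachable
# only through a router that targets api@internal.
# Access is protected by the Basic Auth middleware defined in
# docker-compose.yml.
# NOTE(review): that router and middleware are not visible in this file -
# confirm the router is bound to websecure only and carries the middleware.
api:
  dashboard: true
  insecure: false
  debug: false

# Health check ping endpoint
# Bound to "web", so /ping answers on the public port 80 over plain HTTP.
# NOTE(review): verify the health check receives 200 rather than the HTTPS
# redirect, and consider a dedicated internal entry point if only local
# health checks need it.
ping:
  entryPoint: web

# 4. Certificate Resolver (Let's Encrypt)
# Uses the HTTP Challenge, which requires Port 80 to be open.
certificatesResolvers:
  letsencrypt:
    acme:
      email: info@jmpgames.it
      # This file is persisted via Docker volume.
      # It holds the ACME account key and the certificate private keys:
      # Traefik requires mode 600, and it must stay out of version control.
      storage: /acme.json
      httpChallenge:
        entryPoint: web

# 5. Logging
# Access logs are written to a file that Fail2Ban on the host will monitor.
# Only 4xx/5xx responses are recorded: enough for Fail2Ban, but 2xx/3xx
# requests (e.g. a successful login after many failures) leave no trace for
# incident response.
accessLog:
  filePath: "/var/log/traefik/access.log"
  # Buffer lines slightly to reduce I/O, but keep low for Fail2Ban
  # responsiveness. On low traffic, buffered lines reach the file late,
  # which delays bans.
  bufferingSize: 100
  filters:
    statusCodes:
      - "400-499"
      - "500-599"

log:
  level: INFO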