version: '3.9'

services:
  traefik-test:
    image: traefik:v2.10  # Same as current for compatibility
    user: "0:0"  # Run as root for Docker socket access
    command:
      # Docker provider configuration
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.swarmMode=true
      - --providers.docker.network=traefik-public
      
      # Entry points on alternate ports
      - --entrypoints.web.address=:8081
      - --entrypoints.websecure.address=:8443
      - --entrypoints.traefik.address=:8082
      
      # API and Dashboard
      - --api.dashboard=true
      - --api.insecure=false
      
      # Logging
      - --log.level=INFO
      - --log.format=json
      - --log.filePath=/logs/traefik.log
      - --accesslog=true
      - --accesslog.format=json
      - --accesslog.filePath=/logs/access.log
      - --accesslog.filters.statuscodes=400-599
      
      # Metrics
      - --metrics.prometheus=true
      - --metrics.prometheus.addEntryPointsLabels=true
      - --metrics.prometheus.addServicesLabels=true
      - --metrics.prometheus.buckets=0.1,0.3,1.2,5.0
      
      # Security headers
      - --global.checknewversion=false
      - --global.sendanonymoususage=false
      
      # Rate limiting (configured via middleware instead)
    
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik_test_logs:/logs
    
    networks:
      - traefik-public
    
    ports:
      - "8081:8081"   # HTTP test port
      - "8443:8443"   # HTTPS test port  
      - "8082:8082"   # API test port
    
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints:
          - node.role == manager
      
      resources:
        limits:
          cpus: '1.0'
          memory: 512M
        reservations:
          cpus: '0.5'
          memory: 256M
      
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s
      
      labels:
        # Enable Traefik for this service
        - traefik.enable=true
        - traefik.docker.network=traefik-public
        
        # Dashboard configuration with authentication
        - traefik.http.routers.test-dashboard.rule=Host(`traefik-test.localhost`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
        - traefik.http.routers.test-dashboard.service=api@internal
        - traefik.http.routers.test-dashboard.entrypoints=traefik
        - traefik.http.routers.test-dashboard.middlewares=test-auth,security-headers
        
        # Authentication middleware (same credentials as production)
        - traefik.http.middlewares.test-auth.basicauth.users=admin:$$2y$$10$$xvzBkbKKvRX.jGG6F7L.ReEMyEx.7BkqNGQO2rFt/1aBgx8jPElXW
        - traefik.http.middlewares.test-auth.basicauth.realm=Traefik Test Dashboard
        
        # Security headers middleware
        - traefik.http.middlewares.security-headers.headers.framedeny=true
        - traefik.http.middlewares.security-headers.headers.browserxssfilter=true
        - traefik.http.middlewares.security-headers.headers.contenttypenosniff=true
        - traefik.http.middlewares.security-headers.headers.forcestsheader=true
        
        # Dummy service for Swarm compatibility
        - traefik.http.services.dummy-test-svc.loadbalancer.server.port=9998
        
        # Health check
        - traefik.http.routers.test-ping.rule=Path(`/ping`)
        - traefik.http.routers.test-ping.service=ping@internal
        - traefik.http.routers.test-ping.entrypoints=traefik

    healthcheck:
      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8082/ping"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s

volumes:
  traefik_test_logs:
    driver: local
    driver_opts:
      type: none
      o: bind
      device: /opt/traefik-test/logs

networks:
  traefik-public:
    external: true