api:
  dashboard: false
  debug: false  # never true in production
  insecure: false  # explicit

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true

  websecure:
    address: :443
    http:
      middlewares:
        - rate-limit@file  
        - crowdsec-bouncer@file
        - security-headers@file

providers:
  docker:
    endpoint: "tcp://socket-proxy:2375"  # not the unix socket
    exposedByDefault: false
  file:
    filename: /config.yaml
    watch: true

certificatesResolvers:
  cloudflare:
    acme:
      email: "noreply@gabesville.com"
      storage: /var/traefik/certs/cloudflare-acme.json
      caServer: 'https://acme-v02.api.letsencrypt.org/directory'
      keyType: EC256
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "9.9.9.9:53"

log:
  level: "INFO"
  filePath: "/var/log/traefik/traefik.log"
  maxSize: 100    # MB per file
  maxBackups: 3   # keep last 3 rotated files
  maxAge: 7       # days before deletion
  compress: true  # gzip rotated files
accessLog:
  filePath: "/var/log/traefik/access.log"
  bufferingSize: 100
  filters:
    statusCodes:
      - "400-599"  # only log errors — reduces volume significantly

global:
  checkNewVersion: false
  sendAnonymousUsage: false

experimental:
  plugins:
    crowdsec-bouncer:
      moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
      version: "v1.5.1"