########################### SECRETS
# Compose file secrets: each entry is bind-mounted read-only into the services that list it
# (see the `secrets:` list of the traefik service, mounted under /run/secrets/<name>).
secrets:
  # Legacy Cloudflare global-key pair - kept for reference only, the DNS API token below is the one in use.
  # cloudflare_email:
  #   file: ${SECRETSDIR}/cloudflare_email
  # cloudflare_api_key:
  #   file: ${SECRETSDIR}/cloudflare_api_key
  cloudflare_api_token:
    file: ${SECRETSDIR}/cloudflare_dns_api_token
  # htpasswd-style credentials consumed via HTPASSWD_FILE in the traefik service.
  basic_auth_credentials:
    file: ${DOCKERDIR}/secrets/basic_auth_credentials
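services:
  # Traefik 3 - Reverse Proxy
  # Before the first start, create the host-side files/dirs that the `volumes:` section bind-mounts
  # (paths below mirror that section):
  #   touch $DOCKERDIR/traefik/acme.json
  #   chmod 600 $DOCKERDIR/traefik/acme.json   # holds ACME account + certificate private keys
  #   mkdir -p $DOCKERDIR/traefik/logs
  traefik:
    container_name: ${TRAEFIK_CONTAINER_NAME}
    image: ${TRAEFIK_IMAGE}:${TRAEFIK_TAG}
    restart: ${TRAEFIK_RESTART_POLICY}
    security_opt:
      - no-new-privileges:true
    networks:
      proxy:
      socket_proxy:
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      # - target: 465
      #   published: 465
      #   protocol: tcp
      #   mode: host
      - target: 587
        published: 587
        protocol: tcp
        mode: host
      # - 465:465
      # - 587:587
    # env_file:
    #   - path: ./traefik.env
    #     required: true # default
    #   - path: ./override.env
    #     required: false
    environment:
      # - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
      # - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
      - CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_api_token
      - HTPASSWD_FILE=/run/secrets/basic_auth_credentials # HTTP Basic Auth Credentials
      - DOMAINNAME0 # Passing the domain name to traefik container to be able to use the variable in rules.
      - DOMAINNAME1
      - DOMAINNAME2
      - DOMAINNAME3
      # - CF_API_EMAIL
    command: # CLI arguments (Traefik static configuration)
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=false #true
      # Entrypoint names declared here (web, websecure, traefik, mailsecure, maildefault) are the only
      # ones routers may reference - the labels section below uses web/websecure accordingly.
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entrypoints.traefik.address=:8080 # not in `ports:` and api.insecure is off, so not reachable from the host
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      - --api=true
      - --api.dashboard=true
      # - --serversTransport.insecureSkipVerify=true
      # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
      - --entrypoints.websecure.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
      - --log=true
      - --log.filePath=/logs/traefik.log # /logs is the bind mount declared under `volumes:`
      - --log.level=INFO # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --accessLog=true
      - --accessLog.filePath=/logs/access.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=204-299,400-499,500-599
      - --providers.docker=true
      - --providers.docker.endpoint=${DOCKER_ENDPOINT} # Use Docker Socket Proxy instead for improved security
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=proxy
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.websecure.http.tls.options=tls-opts@file
      # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
      - --entrypoints.websecure.http.tls.certresolver=${CERTRESOLVER}
      - --entrypoints.websecure.http.tls.domains[0].main=$DOMAINNAME0
      - --entrypoints.websecure.http.tls.domains[0].sans=*.$DOMAINNAME0
      - --entrypoints.websecure.http.tls.domains[1].main=$DOMAINNAME1
      - --entrypoints.websecure.http.tls.domains[1].sans=*.$DOMAINNAME1
      - --entrypoints.websecure.http.tls.domains[2].main=$DOMAINNAME2
      - --entrypoints.websecure.http.tls.domains[2].sans=*.$DOMAINNAME2
      - --entrypoints.websecure.http.tls.domains[3].main=$DOMAINNAME3
      - --entrypoints.websecure.http.tls.domains[3].sans=*.$DOMAINNAME3
      - --providers.file.directory=/config # Load dynamic configuration from one or more .toml or .yml files in a directory
      - --providers.file.watch=true # Only works on top level files in the rules folder
      - --certificatesResolvers.$CERTRESOLVER.acme.email=${CF_API_EMAIL}
      - --certificatesResolvers.$CERTRESOLVER.acme.storage=/acme.json
      - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.provider=${DNS_PROVIDER}
      - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.resolvers=${RESOLVER0},${RESOLVER1}
      - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
      # - --certificatesResolvers.$CERTRESOLVER.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
      # CrowdSec bouncer at entrypoint level (uses the web/websecure names defined above, not http/https):
      # - --entrypoints.web.http.middlewares=middlewares-crowdsec-bouncer@file
      # - --entrypoints.websecure.http.middlewares=middlewares-crowdsec-bouncer@file
      - --entrypoints.mailsecure.address=:465 # port 465 is not published under `ports:` (commented out), so only reachable on the docker networks
      - --entrypoints.maildefault.address=:587
      # - --entryPoints.ping.address=:8081
      # - --api.insecure=true
      # - --ping=true
      # - --providers.redis=true
      # - --providers.redis.endpoints=redis:6379
    # healthcheck:
    #   test: ["CMD", "traefik", "healthcheck", "--ping"]
    #   interval: 5s
    #   retries: 3
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # - ${DOCKERDIR}/traefik/traefik.yml:/traefik.yml:ro
      - ${DOCKERDIR}/traefik/config:/config:ro # file provider directory
      - ${DOCKERDIR}/traefik/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
      # Mounted at /logs so that --log.filePath and --accessLog.filePath (both under /logs) actually land
      # on the host; the previous target /var/log/traefik was never written to. Host path is what crowdsec reads.
      - ${DOCKERDIR}/traefik/logs:/logs # for crowdsec - make sure the directory exists before starting the container
    secrets:
      # - cloudflare_email
      # - cloudflare_api_key
      - cloudflare_api_token
      - basic_auth_credentials
    labels:
      traefik.enable: "true" # quoted: label values are strings, Traefik matches the text "true"
      # Routers must reference entrypoints that exist in the static config above (web/websecure);
      # the old http/https names are not defined here and Traefik would refuse to create the routers.
      traefik.http.routers.traefik.entrypoints: web
      traefik.http.routers.traefik.rule: 'Host(`${PROXYNAME}.${DOMAINNAME1}`)'
      # NOTE(review): the value is compose-interpolated (htpasswd hashes contain `$`, so `$$` escaping is needed)
      # and ends up visible in `docker inspect`; basicauth.usersfile=/run/secrets/basic_auth_credentials
      # (already mounted via `secrets:` above) avoids both.
      traefik.http.middlewares.traefik-auth.basicauth.users: ${BASICAUTHUSER}
      traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme: https
      traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto: https
      # Redundant with the entrypoint-level web -> websecure redirect in `command:`; harmless.
      traefik.http.routers.traefik.middlewares: traefik-https-redirect
      traefik.http.routers.traefik-secure.entrypoints: websecure
      traefik.http.routers.traefik-secure.rule: 'Host(`${PROXYNAME}.${DOMAINNAME1}`)'
      # NOTE(review): this router exposes the dashboard/API (api@internal) behind chain-no-auth@file.
      # Unless that chain authenticates by other means, the dashboard is reachable by anyone who can
      # hit websecure for this host name - attach traefik-auth (or an authenticating chain) instead.
      traefik.http.routers.traefik-secure.middlewares: chain-no-auth@file
      # traefik.http.routers.traefik-secure.middlewares: traefik-auth
      traefik.http.routers.traefik-secure.service: api@internal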