Minimal Docker Swarm stack to run Traefik (v3.6) with ACME via Cloudflare DNS-01.
Files
- traefik-stack.yaml – stack definition (services, volumes, secrets, network).
Requirements
- Docker Engine with Swarm mode enabled
- An external overlay network named traefik-public
- One Docker secret: cloudflare_dns_api_token (Cloudflare API token)
Quick setup
- Create the external network (if it doesn't already exist):
    docker network create --driver overlay traefik-public
- Create the required secret (example):
    # Cloudflare token (pipe from printf to create secret from stdin)
    printf "%s" "your_cloudflare_token_here" | docker secret create cloudflare_dns_api_token -
- Generate a basic auth password hash for the dashboard (example):
    # Requires apache2-utils (or httpd-tools)
    htpasswd -nbB admin "your_password_here"
  If you use Nix (flakes), you can run htpasswd without installing anything:
    nix shell --experimental-features "nix-command flakes" nixpkgs#apacheHttpd -c htpasswd -nbB admin "your_password_here"
- Deploy the stack:
    docker stack deploy -c traefik-stack.yaml traefik
Notes
- Traefik stores ACME data in the traefik-acme volume mounted at /acme inside the container.
- The stack expects the traefik-public network to be created externally (not defined as internal in the compose file).
- The ACME email is hardcoded in traefik-stack.yaml as admin@kluhan.dev.
- The Traefik dashboard is enabled (--api.dashboard=true) — ensure it is protected and not exposed publicly.
- Adjust placement constraints in traefik-stack.yaml if you need the service on a specific manager node.
- Make sure to configure your DNS records in Cloudflare to point to your Traefik instance for the domains you want to manage.
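
One way to put the htpasswd hash from the quick setup in front of the dashboard, as an added example that is not the repository's traefik-stack.yaml. The entrypoint name websecure, the resolver name cloudflare (assumed to be defined elsewhere in the stack), the middleware name dashboard-auth and the host traefik.example.com are assumptions, and the hash is a placeholder.

```yaml
# Added example: hypothetical excerpt, not the repository's traefik-stack.yaml.
# Assumed names: entrypoint "websecure", certificate resolver "cloudflare",
# middleware "dashboard-auth", host traefik.example.com.
services:
  traefik:
    image: traefik:v3.6
    command:
      - --providers.swarm=true
      # Only services that set traefik.enable=true get routed.
      - --providers.swarm.exposedbydefault=false
      - --providers.swarm.network=traefik-public
      - --entrypoints.websecure.address=:443
      # Dashboard on; --api.insecure stays unset, so the API is not served
      # directly on port 8080 and is reachable only through the router below.
      - --api.dashboard=true
    ports:
      - "443:443"   # 8080 is deliberately not published
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik-public
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.routers.dashboard.rule=Host(`traefik.example.com`)
        - traefik.http.routers.dashboard.entrypoints=websecure
        - traefik.http.routers.dashboard.tls.certresolver=cloudflare
        # api@internal is Traefik's built-in dashboard/API service.
        - traefik.http.routers.dashboard.service=api@internal
        - traefik.http.routers.dashboard.middlewares=dashboard-auth
        # Paste the htpasswd output with every "$" doubled ("$$"); otherwise
        # variable interpolation in the stack file mangles the bcrypt hash.
        # Placeholder value, not a real hash:
        - traefik.http.middlewares.dashboard-auth.basicauth.users=admin:$$2y$$05$$REPLACE_WITH_HTPASSWD_HASH
        # The Swarm provider cannot detect ports, so a port label is needed
        # even though the router targets api@internal.
        - traefik.http.services.dashboard.loadbalancer.server.port=8080
networks:
  traefik-public:
    external: true
```

A request to the dashboard host without credentials should return 401; a 200 means the middleware label is not attached to the router.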