# Compose file format consumed by `docker stack deploy`.
version: "3.8"

networks:
  # Pre-existing network shared with the services Traefik routes to. It is
  # declared external, so it must be created before this stack is deployed.
  traefik-public:
    external: true

volumes:
  # Backs /acme in the traefik service, where acme.json is stored. That file
  # holds the ACME account key and certificate private keys: keep access to
  # this volume restricted and include it in backups.
  traefik-acme: {}
configs:
  # Dynamic-configuration files for Traefik's file provider, mounted into
  # /etc/traefik/dynamic by the traefik service.
  # NOTE(review): judging by the names these define routes to the Proxmox and
  # TrueNAS management interfaces. Confirm each route carries authentication
  # and, ideally, a source-IP restriction before it is reachable from :443.
  traefik-proxmox-config:
    file: /opt/stacks/traefik-stack/config/proxmox-config.yaml
  traefik-truenas-config:
    file: /opt/stacks/traefik-stack/config/truenas-config.yaml
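services:
  # Edge reverse proxy: terminates TLS on :443, redirects :80 to HTTPS, and
  # discovers backends from Swarm service labels plus the file provider.
  traefik:
    # NOTE(review): a tag is mutable. Pinning by digest (image@sha256:...)
    # makes the deployed binary reproducible and auditable.
    image: traefik:v3.6
    networks:
      - traefik-public
    ports:
      # Host-mode publishing binds the ports on the node running the task
      # instead of going through the Swarm routing mesh.
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
    volumes:
      # SECURITY: ":ro" only makes the socket file read-only; it does not limit
      # the Docker API calls that can be sent through it. This internet-facing
      # container therefore holds full control of the Docker/Swarm API on this
      # node. Consider putting a filtering socket proxy in between (read-only
      # endpoints only, on a separate internal network) and pointing
      # --providers.swarm.endpoint at it.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Certificate store (acme.json); contains private keys.
      - traefik-acme:/acme
    configs:
      - source: traefik-proxmox-config
        target: /etc/traefik/dynamic/proxmox.yml
      - source: traefik-truenas-config
        target: /etc/traefik/dynamic/truenas.yml
    secrets:
      - cloudflare_dns_api_token
    environment:
      # LEGO (ACME lib) reads the Cloudflare token from this file, so the token
      # itself never appears in the service definition or its environment.
      - CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_dns_api_token
    command:
      - --log.level=INFO
      # Swarm provider (Traefik v3). exposedbydefault=false means a service is
      # routed only when it carries traefik.enable=true.
      - --providers.swarm=true
      - --providers.swarm.exposedbydefault=false
      - --providers.swarm.endpoint=unix:///var/run/docker.sock
      - --providers.swarm.network=traefik-public
      # EntryPoints
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # Redirect HTTP -> HTTPS (flag casing made consistent across the three)
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --entrypoints.web.http.redirections.entryPoint.permanent=true
      # ACME DNS-01 via Cloudflare
      - --certificatesresolvers.letsencrypt.acme.email=admin@kluhan.dev
      - --certificatesresolvers.letsencrypt.acme.storage=/acme/acme.json
      - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
      # API & Dashboard. api.insecure is not set, so the dashboard is reachable
      # only through the router defined in the labels below.
      - --api.dashboard=true
      # Dynamic Configuration Files
      - --providers.file.directory=/etc/traefik/dynamic
      - --providers.file.watch=true
    deploy:
      placement:
        constraints:
          # - node.role == manager
          # NOTE(review): the Swarm provider needs a manager's Docker API, so
          # this presumably relies on polaris being a manager - confirm.
          - node.hostname == polaris
      labels:
        - traefik.enable=true
        # SECURITY: the dashboard is published on the public websecure
        # entrypoint behind basic auth only. Consider adding an ipAllowList
        # middleware or serving it from an internal-only entrypoint.
        - 'traefik.http.routers.dashboard.rule=Host(`traefik.kluhan.dev`)'
        - traefik.http.routers.dashboard.entrypoints=websecure
        # - traefik.http.routers.dashboard.tls=true
        - traefik.http.routers.dashboard.service=api@internal
        - traefik.http.routers.dashboard.tls.certresolver=letsencrypt
        # SECURITY: the admin password hash is committed with the stack file
        # and is bcrypt at cost 05, which is cheap to test guesses against
        # offline. Prefer basicauth.usersfile backed by a Docker secret,
        # regenerate the hash with a higher cost, and rotate the password,
        # since this value is already in repository history.
        # "$$" is Compose escaping for a literal "$".
        - 'traefik.http.middlewares.dashboard-auth.basicauth.users=admin:$$2y$$05$$wKVGDl4B06CQAY1nyOuUEOt05aINf6QriZXkJwQ/N4/uaRbLPvsRO'
        - traefik.http.routers.dashboard.middlewares=dashboard-auth@swarm
        # The Swarm provider requires a port label on every enabled service;
        # routing goes to api@internal, so this port is a placeholder.
        - traefik.http.services.traefik.loadbalancer.server.port=9999

  # Diagnostic echo service used to check routing and certificates.
  # SECURITY: it is routed publicly with no authentication and reports request
  # headers and container network details to any caller. Remove it, or put an
  # auth/allow-list middleware on its router, once routing has been verified.
  whoami:
    # NOTE(review): no tag, so this resolves to "latest"; pin a version/digest.
    image: traefik/whoami
    networks:
      - traefik-public
    deploy:
      labels:
        - traefik.enable=true
        - 'traefik.http.routers.whoami.rule=Host(`whoami.kluhan.dev`)'
        - traefik.http.routers.whoami.entrypoints=websecure
        - traefik.http.routers.whoami.tls=true
        - traefik.http.routers.whoami.tls.certresolver=letsencrypt
        - traefik.http.services.whoami.loadbalancer.server.port=80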
secrets:
  # Cloudflare API token used for the ACME DNS-01 challenge. It is declared
  # external, so it is created out of band (docker secret create) and its value
  # never appears in this file. Scope the token to DNS edit on the served zone
  # only, so a leak cannot touch other Cloudflare resources.
  cloudflare_dns_api_token:
    external: true