Untitled

#version: '3.8'

#docker network create traefik

#Traefik creates an acme.json file with 755 and then promptly complains about too wide permissions
#Hence need for below janky fixing permissions
#Need a chmod 600 on the acme.json

#Traefik reverse proxy creates the SSL cert with 755 and then bombs with an error because the permissions are too open.

services:
  fixpermissions:
    container_name: take-ownership
    image: traefik:v3.2.3
    command: >
      chmod -R 600 ./ssl_cert/
    volumes:
      - ./ssl_cert/:/ssl_cert/

  traefik:
    image: traefik:v3.2.3
    container_name: traefik
    depends_on:
      fixpermissions:
        condition: service_completed_successfully
    command:
#      - --log.level=DEBUG
      - --api.insecure=true
      - --providers.docker
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.cloudflare.acme.dnschallenge=true
      - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.cloudflare.acme.email=
      - --certificatesresolvers.cloudflare.acme.storage=/ssl_cert/acme.json
      #Staging server:
      #- --certificatesresolvers.cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory

    environment:
      - DOMAINNAME=example.com
      - CLOUDFLARE_DNS_API_TOKEN=
      - CLOUDFLARE_ZONE_API_TOKEN=
    restart: always
    security_opt:
      - no-new-privileges:true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./ssl_cert/:/ssl_cert/
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.tls=true"
      - "traefik.http.routers.dashboard.tls.certresolver=cloudflare"

      # Configure the Cloudflare DNS challenge
      #- "traefik.http.middlewares.secure-headers.headers.sslredirect=true"
      #- "entryPoints.web.http.redirections.entrypoint.permanent=true"
      # - "traefik.http.middlewares.secure-headers.headers.stsseconds=31536000"
      # - "traefik.http.middlewares.secure-headers.headers.stsincludesubdomains=true"
      # - "traefik.http.middlewares.secure-headers.headers.stspreload=true"
      # - "traefik.http.middlewares.secure-headers.headers.forceSTSHeader=true"

      # Enable HTTPS redirection
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true"

      - "traefik.enable=true"
      - 'traefik.http.routers.wildcard-certs.tls.certresolver=cloudflare'
      - 'traefik.http.routers.wildcard-certs.tls.domains[0].main=example.com'
      - 'traefik.http.routers.wildcard-certs.tls.domains[0].sans=*.example.com'

  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls=true"
      - "traefik.http.routers.whoami.tls.certresolver=cloudflare"


networks:
  traefik:
    external: true