traefik.yml
  1. version: "3.9"
  2.  
  3. ######### IMPORTANT #############
  4. # This is my main docker-compose file with most of the apps. I run docker on other systems with smaller stacks (web and synology).
  5. # You can copy-paste services from one docker-compose file in this repo to another to add other apps.
  6.  
  7. ########################### SYSTEM DESCRIPTION
  8. # DOCKER-COMPOSE FOR HOME/MEDIA SERVER
  9. # PROXMOX HOST: Dual Intel Xeon E3-1240 V2, 16 GB RAM, 480 GB SSD, and 4 TB HDD
  10. # LXC: 2 CORES, 8 GB RAM, Ubuntu 20.04, and Docker
  11. # 64 GB for / and 2 TB for non-critical data and rclone cache.
  12. # Google Drive mounted using Rclone Docker for media and Proxmox backups
  13.  
  14. # Docker: 20.10.23
  15. # Docker Compose: v2.15.1 (docker-compose-plugin for Docker)
  16.  
  17. ########################### NETWORKS
  18. # There is no need to create any networks outside this docker-compose file.
  19. # You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please.
  20. # Docker Compose version 3.5 or higher required to define networks this way.
  21.  
  22. networks:
  23.   default:
  24.     driver: bridge
  25.   t2_proxy:
  26.     name: t2_proxy
  27.     driver: bridge
  28.     ipam:
  29.       config:
  30.         - subnet: 192.168.90.0/24
  31.  
  32. ########################### EXTENSION FIELDS
  33. # Helps eliminate repetition of sections
  34. # More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228
  35.  
  36. # Common environment values
  37. x-environment: &default-tz-puid-pgid
  38.  TZ: $TZ
  39.  PUID: $PUID
  40.  PGID: $PGID
  41.  
  42. # Keys common to some of the services in basic-services.txt
  43. x-common-keys-core: &common-keys-core
  44.  networks:
  45.    - t2_proxy
  46.  security_opt:
  47.    - no-new-privileges:true
  48.  restart: always
  49.  # profiles:
  50.  # - core
  51.  
  52. # Keys common to some of the services in basic-services.txt
  53. x-common-keys-monitoring: &common-keys-monitoring
  54.  networks:
  55.    - t2_proxy
  56.  security_opt:
  57.    - no-new-privileges:true
  58.  restart: always
  59.  # profiles:
  60.  # - monitoring
  61.  
  62. # Keys common to some of the dependent services/apps
  63. x-common-keys-apps: &common-keys-apps
  64.  networks:
  65.    - t2_proxy
  66.  security_opt:
  67.    - no-new-privileges:true
  68.  restart: unless-stopped
  69.  # profiles:
  70.  # - apps
  71.  
  72. # Keys common to some of the services in media-services.txt
  73. x-common-keys-media: &common-keys-media
  74.  networks:
  75.    - t2_proxy
  76.  security_opt:
  77.    - no-new-privileges:true
  78.  restart: "no"
  79.  # profiles:
  80.  # - media
  81.  
  82. ########################### SERVICES
  83. services:
  84.  ############################# FRONTENDS
  85.  
  86.  # Traefik 2 - Reverse Proxy
  87.  # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
  88.  # touch $DOCKERDIR/appdata/traefik2/acme/acme.json
  89.  # chmod 600 $DOCKERDIR/appdata/traefik2/acme/acme.json
  90.  # touch $DOCKERDIR/logs/cloudserver/traefik.log
  91.  # touch $DOCKERDIR/logs/cloudserver/access.log
  92.  
  93.  traefik:
  94.    <<: *common-keys-core # See EXTENSION FIELDS at the top
  95.    container_name: traefik
  96.    image: traefik:2.9.8
  97.    command: # CLI arguments
  98.      - --global.checkNewVersion=true
  99.      - --global.sendAnonymousUsage=true
  100.      - --entryPoints.http.address=:80
  101.      - --entryPoints.https.address=:443
  102.      # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
  103.      - --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
  104.      - --entryPoints.traefik.address=:8080
  105.      # - --entryPoints.ping.address=:8081
  106.      - --api=true
  107.      # - --api.insecure=true
  108.      - --api.dashboard=true
  109.      #- --ping=true
  110.      # - --serversTransport.insecureSkipVerify=true
  111.      - --log=true
  112.      - --log.filePath=/logs/traefik.log
  113.      - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
  114.      - --accessLog=true
  115.      - --accessLog.filePath=/logs/access.log
  116.      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
  117.      - --accessLog.filters.statusCodes=204-299,400-499,500-599
  118.      - --providers.docker=true
  119.      - --providers.docker.endpoint=unix:///var/run/docker.sock # Use Docker Socket Proxy instead for improved security
  120.      #- --providers.docker.endpoint=tcp://socket-proxy:2375
  121.      # Automatically set Host rule for services
  122.      # - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME_CLOUD_SERVER`)
  123.      - --providers.docker.exposedByDefault=false
  124.      # - --entrypoints.https.http.middlewares=chain-oauth@file
  125.      - --entrypoints.https.http.tls.options=tls-opts@file
  126.      # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
  127.      - --entrypoints.https.http.tls.certresolver=dns-cloudflare
  128.      - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME_CLOUD_SERVER
  129.      - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME_CLOUD_SERVER
  130.      # - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME2 # Pulls main cert for second domain
  131.      # - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME2 # Pulls wildcard cert for second domain
  132.      - --providers.docker.network=t2_proxy
  133.      - --providers.docker.swarmMode=false
  134.      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory
  135.      # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file
  136.      - --providers.file.watch=true # Only works on top level files in the rules folder
  137.      - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
  138.      - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
  139.      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
  140.      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
  141.      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
  142.      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
  143.      # - --metrics.prometheus=true
  144.      # - --metrics.prometheus.buckets=0.1,0.3,1.2,5.0
  145.    networks:
  146.      t2_proxy:
  147.        ipv4_address: 192.168.90.254 # You can specify a static IP
  148.    ports:
  149.      - target: 80
  150.        published: 80
  151.        protocol: tcp
  152.        mode: host
  153.      - target: 443
  154.        published: 443
  155.        protocol: tcp
  156.        mode: host
  157.      # - target: 8080 # insecure api wont work
  158.      #   published: 8080
  159.      #   protocol: tcp
  160.      #   mode: host
  161.    volumes:
  162.      - $DOCKERDIR/appdata/traefik2/rules/cloudserver:/rules # file provider directory
  163.      # - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy instead for improved security
  164.      - $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must create this emtpy file and change permissions to 600
  165.      - $DOCKERDIR/logs/cloudserver/traefik:/logs # for fail2ban or crowdsec
  166.    environment:
  167.      - TZ=$TZ
  168.      - CF_API_EMAIL_FILE=$CLOUDFLARE_EMAIL
  169.      - CF_API_KEY_FILE=$CLOUDFLARE_API_KEY
  170.      - HTPASSWD_FILE=$HTPASSWD # HTPASSWD_FILE can be whatever as it is not used/called anywhere.
  171.      - DOMAINNAME_CLOUD_SERVER # Passing the domain name to traefik container to be able to use the variable in rules.
  172.    labels:
  173.      #- "autoheal=true"
  174.      - "traefik.enable=true"
  175.      # HTTP-to-HTTPS Redirect
  176.      - "traefik.http.routers.http-catchall.entrypoints=http"
  177.      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
  178.      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
  179.      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
  180.      # HTTP Routers
  181.      - "traefik.http.routers.traefik-rtr.entrypoints=https"
  182.      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME_CLOUD_SERVER`)"
  183.      - "traefik.http.routers.traefik-rtr.tls=true" # Some people had 404s without this
  184.      - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
  185.      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME_CLOUD_SERVER"
  186.      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME_CLOUD_SERVER"
  187.      # - "traefik.http.routers.traefik-rtr.tls.domains[1].main=$DOMAINNAME2" # Pulls main cert for second domain
  188.      # - "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$DOMAINNAME2" # Pulls wildcard cert for second domain
  189.      ## Services - API
  190.      - "traefik.http.routers.traefik-rtr.service=api@internal"
  191.      ## Healthcheck/ping
  192.      #- "traefik.http.routers.ping.rule=Host(`traefik.$DOMAINNAME_CLOUD_SERVER`) && Path(`/ping`)"
  193.      #- "traefik.http.routers.ping.tls=true"
  194.      #- "traefik.http.routers.ping.service=ping@internal"
  195.      ## Middlewares
  196.      #- "traefik.http.routers.traefik-rtr.middlewares=chain-no-auth@file" # For No Authentication
  197.      - "traefik.http.routers.traefik-rtr.middlewares=chain-basic-auth@file" # For Basic HTTP Authentication
  198.      #- "traefik.http.routers.traefik-rtr.middlewares=chain-oauth@file" # For Google OAuth
  199.      #- "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file" # For Authelia Authentication
  200.  