How to set up Traefik to route a custom domain to a service already up and running on your homelab

1. How to set up Traefik to route a custom domain to a service already up and running on your homelab.
2.  
3. 1. You only need to set up Traefik on your VPS, not your homelab. So begin by logging into your VPS.
4.  
5. 2. Let's install docker and docker compose. Start with "sudo apt update"
6.  
7. 3. Install prerequisite packages: "sudo apt install apt-transport-https ca-certificates curl software-properties-common"
8.  
9. 4. Add docker GPG key: "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -"
10.  
11. 5. Add docker APT repository: "sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable""
12.  
13. 6. Update package index again with: "sudo apt update"
14.  
15. 7. Install Docker CE with "sudo apt install docker-ce"
16.  
17. 8. Verify installation "sudo systemctl status docker"
18.  
19. 9. Download latest version of docker compose: "sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose"
20.  
21. 10. Set permissions to make it executable: "sudo chmod +x /usr/local/bin/docker-compose"
22.  
23. 11. Verify installation: "docker-compose --version"
24.  
25. 12. Optionally, you can add your user to the docker group so you can run commands without "sudo" in front: "sudo usermod -aG docker ${USER}"
26.  
27. 13. Log out and back in for the previous step to take effect.
28.  
29. Now we'll set up Traefik in a docker compose yml file. No need to install Traefik itself. Docker will do that for us later.
30.  
31. 1. Create a directory for Traefik. I chose /etc/traefik. "sudo mkdir -p /etc/traefik"
32.  
33. 2. Go to the directory with "cd /etc/traefik"
34.  
35. 3. Create a docker compose file with: "sudo nano docker-compose.yml" and add the following (spacing is important in yml files, so be sure to copy it exactly and add your email in the appropriate spot):
36.  
37. services:
38. traefik:
39. image: traefik:v3.0
40. restart: unless-stopped
41. ports:
42. - 80:80
43. - 443:443
44. networks:
45. - proxy
46. volumes:
47. - /var/run/docker.sock:/var/run/docker.sock
48. - letsencrypt:/letsencrypt
49. - /etc/traefik/dynamic:/etc/traefik/dynamic
50. command:
51. - --api.dashboard=true
52. - --log.level=INFO
53. - --providers.file.directory=/etc/traefik/dynamic
54. - --providers.file.watch=true
55. - --providers.docker.network=proxy
56. - --providers.docker.exposedByDefault=false
57. - --entrypoints.web.address=:80
58. - --entrypoints.web.http.redirections.entrypoint.to=websecure
59. - --entryPoints.web.http.redirections.entrypoint.scheme=https
60. - --entrypoints.websecure.address=:443
61. - --certificatesresolvers.myresolver.acme.email=<YOUREMAIL>@<MAILSERVICE>.com
62. - --certificatesresolvers.myresolver.acme.tlschallenge=true
63. - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
64.  
65. networks:
66. proxy:
67. name: proxy
68.  
69. volumes:
70. letsencrypt:
71. name: letsencrypt
72.  
73. 4. You may have noticed that this points to another yml file in "/etc/traefik/dynamic", so let's create that now. Make a directory called /etc/traefik/dynamic and "cd" into it.
74.  
75. 5. Create a yml file with "sudo nano dynamic.yml" and add the following, replacing "immich" with the name of whatever app is running on your homelab machine (same for "immich-service"):
76.  
77. http:
78. routers:
79. immich: # Name this after the app you're using
80. rule: "Host(`<YOURDOMAIN>.com`)"
81. entryPoints:
82. - websecure
83. service: immich-service # Call it whatever, just make sure it matches what's below
84. tls:
85. certResolver: myresolver
86.  
87. services:
88. immich-service: # Match this with the above
89. loadBalancer:
90. servers:
91. - url: "http://10.1.0.1:2283" # The Wireguard IP and specific port of your service on your homelab
92.  
93. 6. Now go to your domain website and add an 'A' record for your domain that points to the static IP address of your VPS. On some services like Cloudflare, you will also need to set your SSL/TLS encryption mode to "Full (strict)" in order for everything to work (now that you have all requests set up to go through a certificate from Let's Encrypt).
94.  
95. 7. Once your domain points to your VPS, go back to your VPS and into the traefik directory. Run docker compose with "sudo docker compose up -d" and watch to make sure Traefik starts up. You should now have it running in the background routing everything from your domain into the wireguard tunnel and to the port you specified, which should allow you to visit <YOURDOMAIN>.com and see the service itself from anywhere outside your local network.
96.  
97. 8. Probably smart to take some measures for security now, since you've opened up your homelab service to the internet. Crawlers, bots, and such will find your domain pretty quickly. Make sure your service requires a password and yours is random and secure. Don't use common words or personal info! There are other ways to lock down your service too. I used Cloudflare's security settings to automatically block all countries but my own, which reduces attacks by a lot. You could look into other tutorials to add additional walls in front of your service's login screen to prevent brute force attacks or add 2FA. I'm not the expert in that regard, so I'll leave it at that.