
@Cauen
Created May 29, 2020 20:42
Docker Swarm + Portainer + Traefik (Global Redirection & Subdomain & Auth to view Dashboard) + 2 backends
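---
# Docker Swarm stack: Traefik v2 edge proxy (Let's Encrypt TLS, global
# HTTP->HTTPS redirect, basic-auth protected dashboard), Portainer with its
# agent, and two demo backends.
#
# Prerequisite: the `traefik-public` overlay network is declared external
# below, so it must exist before the stack is deployed.
version: '3'

services:
  traefik:
    # NOTE(review): v2.0.0 is an old release. Move to a currently maintained
    # Traefik version and re-check the flags below against that version's docs.
    image: traefik:v2.0.0
    command:
      # Keep the unauthenticated API listener off; the dashboard is published
      # only through the basic-auth protected router defined in the labels.
      - --api.insecure=false
      # See https://docs.traefik.io/v2.0/operations/dashboard/#secure-mode
      - --api.dashboard=true
      # Debug/profiling endpoints disclose runtime internals. Enable them only
      # temporarily while troubleshooting.
      - --api.debug=false
      # DEBUG logging is verbose and can record request details; raise it only
      # while troubleshooting (https://docs.traefik.io/observability/logs/).
      - --log.level=INFO
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker=true
      - --providers.docker.swarmMode=true
      # Services are routed only when they opt in with traefik.enable=true.
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=traefik-public
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.letsencryptresolver.acme.httpchallenge=true
      - --certificatesresolvers.letsencryptresolver.acme.httpchallenge.entrypoint=web
      - --certificatesresolvers.letsencryptresolver.acme.email=user@yourdomain.com
      - --certificatesresolvers.letsencryptresolver.acme.storage=/letsencrypt/acme.json
    ports:
      # Quoted so the mappings are always read as strings.
      - "80:80"
      - "443:443"
    volumes:
      # Persists acme.json, which holds the ACME account key and the
      # certificates' private keys. Protect and back up this volume.
      - traefik-certificates:/letsencrypt
      # Lets Traefik watch Docker events. `:ro` only makes the socket file
      # mount read-only; it does not restrict Docker API calls, so this
      # container still has full control of the manager's Docker daemon.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik-public
    deploy:
      labels:
        - traefik.enable=true
        # Dashboard: HTTPS only, behind the authtraefik middleware.
        - traefik.http.routers.traefik.rule=Host(`proxy.yourdomain.com`)
        - traefik.http.routers.traefik.service=api@internal
        - traefik.http.routers.traefik.tls.certresolver=letsencryptresolver
        - traefik.http.routers.traefik.entrypoints=websecure
        - traefik.http.routers.traefik.middlewares=authtraefik
        # Comma-separated user:hash pairs; each `$` is doubled so Compose does
        # not interpolate it. The hash below is the published sample from this
        # gist and MUST be replaced before deployment. Generate the entry
        # locally (for example `htpasswd -nB <user>`) so the password never
        # leaves your machine, and prefer bcrypt over apr1.
        - traefik.http.middlewares.authtraefik.basicauth.users=user:$$apr1$$q8eZFHjF$$Fvmkk//V6Btlaf2i/ju5n/
        # Global redirect: every host on the plain-HTTP entrypoint goes to HTTPS.
        - traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)
        - traefik.http.routers.http-catchall.entrypoints=web
        - traefik.http.routers.http-catchall.middlewares=redirect-to-https
        # Redirect middleware.
        - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
        # Placeholder port: presumably present only because the Swarm provider
        # expects a port label on an enabled service. Confirm before removing.
        - traefik.http.services.dummy-svc.loadbalancer.server.port=9999
      placement:
        constraints:
          # The Swarm provider reads service data from a manager's Docker API.
          - node.role == manager

  backend:
    # NOTE(review): no tag, so this resolves to `latest`. Pin a version or an
    # image digest so every node runs the same reviewed image.
    image: cauen/cauenode_backend
    networks:
      - traefik-public
    deploy:
      mode: global
      placement:
        constraints:
          - node.role == worker
      labels:
        - traefik.enable=true
        # HTTPS route; no auth middleware is attached, so the application must
        # enforce its own access control.
        - traefik.http.routers.backend-secure.rule=Host(`yourdomain.com`)
        - traefik.http.routers.backend-secure.tls.certresolver=letsencryptresolver
        - traefik.http.routers.backend-secure.tls=true
        - traefik.http.routers.backend-secure.entrypoints=websecure
        # Service port
        - traefik.http.services.backend.loadbalancer.server.port=1234

  agent:
    # NOTE(review): unpinned image; pin a version or digest.
    image: portainer/agent
    volumes:
      # Writable Docker socket plus the volumes directory: root-equivalent
      # access on every node the agent runs on.
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/lib/docker/volumes:/var/lib/docker/volumes
    networks:
      # The agent is attached only to the private overlay it shares with
      # Portainer. It has no Traefik labels, so it does not need to be
      # reachable from containers on the public proxy network.
      # NOTE(review): also consider a shared AGENT_SECRET on agent and
      # Portainer; see the Portainer agent documentation.
      - agent_network
    deploy:
      mode: global
      placement:
        constraints:
          - node.platform.os == linux

  helloworld:
    # Demo workload on a floating `latest` tag; remove it or pin it before
    # using this stack for anything real.
    image: tutum/hello-world:latest
    networks:
      - traefik-public
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.routers.helloworld-web-secure.rule=Host(`tutum.yourdomain.com`)
        - traefik.http.routers.helloworld-web-secure.tls.certresolver=letsencryptresolver
        - traefik.http.routers.helloworld-web-secure.tls=true
        - traefik.http.routers.helloworld-web-secure.entrypoints=websecure
        # if you have multiple ports exposed on the service, specify port in the web-secure service
        - traefik.http.services.helloworld-web-secure.loadbalancer.server.port=80

  portainer:
    # NOTE(review): unpinned image; pin a version or digest.
    image: portainer/portainer
    # --tlsskipverify turns off verification of the agent's TLS certificate.
    # That is tolerable only while agent traffic stays on the private
    # agent_network overlay.
    command: -H tcp://tasks.agent:9001 --tlsskipverify
    # NOTE(review): `restart` and `security_opt` are ignored by
    # `docker stack deploy`, so no-new-privileges is NOT applied in Swarm mode.
    # Do not count on it as a control here.
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      # Published directly on the swarm, bypassing Traefik and its TLS.
      # NOTE(review): presumably the Edge agent tunnel port; drop this mapping
      # if Edge agents are not used.
      - "8000:8000"
    volumes:
      # Portainer's database, including its users and endpoint credentials.
      - portainer_data:/data
    networks:
      - agent_network
      - traefik-public
    deploy:
      mode: replicated
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik-public
        # The UI is protected only by Portainer's own login. Set a strong admin
        # password immediately after the first deployment.
        - traefik.http.routers.portainer-web-secure.rule=Host(`portainer.yourdomain.com`)
        - traefik.http.routers.portainer-web-secure.tls.certresolver=letsencryptresolver
        - traefik.http.routers.portainer-web-secure.tls=true
        - traefik.http.routers.portainer-web-secure.entrypoints=websecure
        # if you have multiple ports exposed on the service, specify port in the web-secure service
        - traefik.http.services.portainer-web-secure.loadbalancer.server.port=9000
      replicas: 1
      placement:
        constraints:
          - node.role == manager

volumes:
  traefik-certificates:
  portainer_data:

networks:
  # Shared proxy network; created outside this stack.
  traefik-public:
    external: true
  # Private overlay for Portainer <-> agent traffic only.
  agent_network:
    driver: overlay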