
@bryanpedini

bryanpedini/.env Secret

Created February 22, 2024 09:51
traefik file provider
# General environment
# These values are substituted into docker-compose.yml through ${...} interpolation.
# Image tag for traefik; pinned to an exact release rather than a floating tag.
TRAEFIK_VERSION=2.11.0
# Name of the certificate resolver the dashboard router asks for (tls.certresolver label).
TRAEFIK_CERTRESOLVER=letsencrypt
# Value of the traefik.enable label on the Traefik container itself.
TRAEFIK_ENABLED=true
# Name of the pre-existing (external) Docker network the service joins.
TRAEFIK_NETWORK=traefik
# Hostname placed inside the Host(`...`) rule of the dashboard router.
TRAEFIK_MATCHRULE=traefik.example.com
# Router name used in every traefik.http.routers.<name>.* label.
TRAEFIK_ROUTER=traefik_example_com
# Certificate provider
# Path of the env file passed to the container via env_file; it carries the DNS provider credentials.
TRAEFIK_DNSPROVIDER_ENVFILE=./.env.dnsprovider
# Debugging
# Passed to --accesslog. With false, no per-request log exists for detection or
# incident review of traffic reaching the proxy and its dashboard.
TRAEFIK_ACCESSLOG=false
# Passed to --log.level. DEBUG is verbose and meant for troubleshooting;
# NOTE(review): lower it once the setup works — confirm the intended steady-state level.
TRAEFIK_LOGLEVEL=DEBUG
# DNS provider credential read by the ACME DNS challenge (provider: hetzner).
# Presumably this line is the content of the file named by TRAEFIK_DNSPROVIDER_ENVFILE — confirm.
# Left empty in the example; the real token belongs only in the untracked copy of that file.
HETZNER_API_KEY=
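---
# Entry points: plain HTTP on :80 exists only to redirect to the TLS entry
# point on :443 (presumably config/entrypoints.yml in the tree listing).
# Nesting is restored here; the listing had lost its indentation.
#
# NOTE(review): entry points are static configuration in Traefik v2, while
# files in the file provider's directory are read as dynamic configuration.
# This document presumably has to be loaded as static config (traefik.yml or
# --entrypoints.* flags) to take effect — confirm against the startup log.
entrypoints:
  http:
    address: ":80"
    http:
      redirections:
        entrypoint:
          # Every request arriving on :80 is redirected to the "https" entry point.
          to: https
          scheme: https
  https:
    address: ":443"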
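---
# ACME certificate resolver "letsencrypt" using a DNS-01 challenge through the
# hetzner provider (presumably config/letsencrypt.yml in the tree listing).
# Nesting is restored here; the listing had lost its indentation.
#
# NOTE(review): certificate resolvers are static configuration in Traefik v2;
# placed in the file provider's directory this document is presumably not
# applied — confirm, and move it to the static config if so.
certificateresolvers:
  letsencrypt:
    acme:
      dnschallenge:
        # Credentials come from the environment (HETZNER_API_KEY via env_file).
        provider: hetzner
        # Resolvers queried when checking that the challenge record is visible.
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
      email: admin@example.com
      keytype: EC384
      # This file holds the ACME account key and the private keys of issued
      # certificates. Keep it out of version control and backups that are
      # widely readable; Traefik expects it to be mode 600.
      storage: /certs.json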
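---
# Dynamic configuration: the two middlewares referenced by the dashboard
# router's labels as "hsts,dashboard-whitelist" (presumably
# config/middlewares.yml). Nesting is restored; the listing had lost it.
http:
  middlewares:
    # Restricts the dashboard to one host and one /24.
    # The match is made on the address Traefik sees for the connection; behind
    # NAT or another proxy that is the intermediary's address, so verify what
    # the access log records before relying on this as the only control.
    # NOTE(review): Traefik 2.11 marks ipWhiteList as deprecated in favour of
    # ipAllowList — confirm against the release notes before upgrading.
    dashboard-whitelist:
      ipwhitelist:
        sourcerange:
          - "192.168.10.101"
          - "10.60.0.0/24"
    # Strict-Transport-Security header added to responses.
    hsts:
      headers:
        # 180 days.
        stsSeconds: 15552000
        # Applies the policy to every subdomain of the served host, including
        # ones that are not behind this proxy.
        stsIncludeSubdomains: true
        # NOTE(review): the hstspreload.org submission requirements ask for a
        # max-age of at least 31536000 (one year), so the preload directive
        # does not qualify with the value above. Preloading is also slow to
        # undo — confirm it is intended.
        stsPreload: true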
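---
# Dynamic configuration: named TLS option sets (presumably config/tls.yml).
# "default" applies to every router that does not name another set; the others
# take effect only where a router selects them explicitly.
# Nesting is restored here; the listing had lost its indentation.
tls:
  options:
    default:
      minVersion: VersionTLS12
    mintls13:
      minVersion: VersionTLS13
    # TLS 1.1 and TLS 1.0 are formally deprecated (RFC 8996). The two sets
    # below lower the floor for any router that opts in; keep them only for
    # named legacy clients and check periodically that no router still
    # references them.
    compatible:
      minVersion: VersionTLS11
    supercompatible:
      minVersion: VersionTLS10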
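---
# docker-compose.yml: runs Traefik and publishes its own dashboard through
# itself. Values in ${...} come from the .env file next to this file.
# Nesting is restored here; the listing had lost its indentation.
services:
  traefik:
    image: traefik:${TRAEFIK_VERSION}
    restart: unless-stopped
    command:
      # when debugging is needed
      - --accesslog=${TRAEFIK_ACCESSLOG}
      # enable Træfik dashboard
      # The dashboard exposes routing and service details; it is reachable
      # only through the router defined in the labels below.
      - --api.dashboard=true
      # logging level
      - --log.level=${TRAEFIK_LOGLEVEL}
      # folder for dynamic config files
      - --providers.file.directory=/config
      - --providers.file.watch=true
      # NOTE(review): no --providers.docker flag is visible in this list, so
      # the labels below are presumably not read unless the Docker provider is
      # enabled elsewhere — confirm. If it is enabled, also decide explicitly
      # whether containers are exposed by default.
    env_file:
      # DNS provider credentials for the ACME DNS challenge.
      - ${TRAEFIK_DNSPROVIDER_ENVFILE}
    labels:
      # expose Træfik using Træfik (dashboard)
      - traefik.enable=${TRAEFIK_ENABLED}
      # expose Træfik dashboard via https
      - traefik.http.routers.${TRAEFIK_ROUTER}.entrypoints=https
      # protect the dashboard with its ip whitelist and add HSTS for security
      # The IP filter is the only access control on the dashboard in this file.
      - traefik.http.routers.${TRAEFIK_ROUTER}.middlewares=hsts,dashboard-whitelist
      # configure Træfik dashboard to be the exposed service
      - traefik.http.routers.${TRAEFIK_ROUTER}.rule=Host(`${TRAEFIK_MATCHRULE}`)
      - traefik.http.routers.${TRAEFIK_ROUTER}.service=api@internal
      # enable TLS and its certificate provider
      - traefik.http.routers.${TRAEFIK_ROUTER}.tls=true
      - traefik.http.routers.${TRAEFIK_ROUTER}.tls.certresolver=${TRAEFIK_CERTRESOLVER}
    networks:
      - traefik
    ports:
      # Quoted so the mapping is always read as a string.
      - "80:80"
      - "443:443"
    volumes:
      # ":ro" only makes the socket file's mount read-only; requests sent over
      # the socket are not restricted by it, so this container still has full
      # access to the Docker API. A filtering socket proxy narrows that.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config:/config:ro
      # ACME storage with private keys. The file must exist on the host before
      # the first start (otherwise Docker creates a directory at this path)
      # and should be readable by its owner only.
      - ./certs.json:/certs.json
networks:
  traefik:
    # Created outside this compose project; it must already exist.
    external: true
    name: ${TRAEFIK_NETWORK}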
.
├── certs.json
├── config
│   ├── entrypoints.yml
│   ├── letsencrypt.yml
│   ├── middlewares.yml
│   └── tls.yml
├── docker-compose.yml
├── env.dnsprovider.example
├── env.example
├── LICENSE
└── README.md