Traefik docker-compose with Trauth, Wildcard Certs & Metrics
# file: cloudflare.env
# Loaded into the traefik container via `env_file` in the compose file below;
# these are the credentials the Cloudflare DNS challenge provider reads when
# the ACME resolver "primary" requests the wildcard certificate.
# "email" and "key" are placeholders — fill in real values and keep this file
# out of version control.
# NOTE(review): CF_API_KEY is the account-wide Global API Key, so a leak of this
# file is a full Cloudflare account compromise; a zone-scoped DNS-edit API token
# (CF_DNS_API_TOKEN in recent Traefik/lego versions — confirm for 2.3) limits the
# blast radius.
CF_API_EMAIL=email
CF_API_KEY=key
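# file: docker-compose.yml
# Traefik 2.3 edge router with a trauth forward-auth SSO sidecar, wildcard
# certificates via the Cloudflare DNS challenge and InfluxDB metrics.
version: '3'
services:
  traefik:
    image: traefik:2.3
    container_name: traefik
    command:
      - --log.level=INFO
      - --api.dashboard=true
      - --providers.docker
      # only containers that opt in with traefik.enable=true are routed
      - --providers.docker.exposedByDefault=false
      - --providers.file.filename=/static.yml
      # NOTE(review): watching a single bind-mounted file misses edits that
      # editors save via rename; mount the config directory if reloads are flaky
      - --providers.file.watch=true
      # Web UIs
      - --entryPoints.web-secure.address=:443
      # PiHole DNS
      - --entryPoints.53-tcp.address=:53
      - --entryPoints.53-udp.address=:53/udp
      # ACME — "email" is a placeholder for the account contact address
      - --certificatesResolvers.primary.acme.email=email
      # storage path is relative to the container working dir; see the volume
      # mount below, and keep the file at mode 0600 or Traefik rejects it
      - --certificatesResolvers.primary.acme.storage=acme.json
      - --certificatesResolvers.primary.acme.dnsChallenge=true
      - --certificatesResolvers.primary.acme.dnsChallenge.provider=cloudflare
      # 0 = trust Cloudflare's propagation check only; raise if issuance fails
      - --certificatesResolvers.primary.acme.dnsChallenge.delayBeforeCheck=0
      # Metrics
      - --metrics.influxdb=true
      - --metrics.influxdb.address=http://influxdb.stats:8086
      - --metrics.influxdb.protocol=http
      - --metrics.influxdb.pushInterval=30s
      - --metrics.influxdb.database=traefik
      - --metrics.influxdb.username=traefik
      # supply INFLUXDB_PASSWORD via .env or the shell so the real secret is not
      # committed here; falls back to the original placeholder when unset
      - --metrics.influxdb.password=${INFLUXDB_PASSWORD:-password}
    env_file:
      - cloudflare.env # check the cloudflare provider here: https://docs.traefik.io/v2.0/https/acme/#providers
    ports:
      - "443:443"
      # NOTE(review): published on every host interface; prefer
      # "<lan-ip>:53:53" if DNS should only be reachable from the LAN
      - "53:53/udp"
      - "53:53"
    volumes:
      # read-only, but the Docker socket is still root-equivalent on the host;
      # a socket proxy that exposes only the containers API is the usual mitigation
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # create ./data/acme.json (chmod 600) before first start, otherwise Docker
      # creates a directory at that path and issuance fails
      - ./data/acme.json:/acme.json
      - ./config/static.yml:/static.yml
    restart: unless-stopped
    labels:
      - "com.ouroboros.enable=true"
      - "traefik.enable=true"
      # dashboard router, protected by the trauth forward-auth middleware below
      - "traefik.http.routers.api.rule=Host(`traefik.internal.domain.com`)"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.entrypoints=web-secure"
      - "traefik.http.routers.api.tls.certResolver=primary"
      - "traefik.http.routers.api.middlewares=trauth"
      # wildcard certs
      - "traefik.http.routers.api.tls.domains[0].main=internal.domain.com"
      - "traefik.http.routers.api.tls.domains[0].sans=*.internal.domain.com"
      # middleware - sso basic auth using trauth
      # (plain http is fine here: the hop stays on the internal "web" network)
      - "traefik.http.middlewares.trauth.forwardauth.address=http://trauth.web:8080/"
    networks:
      - web
      - stats
  trauth:
    build: # 'cause I don't have a multi-arch build on dockerhub
      context: https://github.com/leonjza/trauth.git
      dockerfile: Dockerfile
    image: trauth:local
    container_name: trauth
    environment:
      - TRAUTH_DOMAIN=internal.domain.com
      - TRAUTH_PASSWORD_FILE_LOCATION=/config/htpass
    volumes:
      - ./htpass:/config/htpass
    restart: unless-stopped
    networks:
      - web
networks:
  web:
    external: true
  stats:
    external: true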
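# file: config/static.yml
# Dynamic configuration picked up by the file provider: routes
# gateway.internal.domain.com to a host outside Docker.
http:
  services:
    gateway-service:
      loadBalancer:
        # the upstream sees the request with its own host, not the public name
        passHostHeader: false
        servers:
          - url: "http://192.168.99.1/"
  routers:
    gateway:
      # pin the router to the HTTPS entrypoint; left unset it would attach to
      # every entrypoint, including the :53 ones used for PiHole
      entryPoints:
        - web-secure
      tls:
        certResolver: primary
      rule: "Host(`gateway.internal.domain.com`)"
      # NOTE(review): no middlewares set, so unlike the dashboard this router is
      # not behind trauth; add `middlewares: [trauth@docker]` if it should be
      service: gateway-service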