moved from static DNS provider to a dynamic Docker variable and env file

(see https://docs.docker.com/compose/compose-file/#version-top-level-element)

.gitignore

@@ -1,3 +1,2 @@
-.env
+/.env
-config
+/certs.json
-le-certs.json

README.md

@@ -1,3 +1,3 @@
-# traefik.bjphoster.com
+# Træfik Deployment
 
 Træfik deployment for reverse proxying all the infrastructure

config/tls.yml

@@ -0,0 +1,11 @@
+---
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+    mintls13:
+      minVersion: VersionTLS13
+    compatible:
+      minVersion: VersionTLS11
+    supercompatible:
+      minVersion: VersionTLS10

docker-compose.yml

@@ -1,5 +1,4 @@
-version: "3"
+---
-
 services:
   traefik:
     image: traefik:${TRAEFIK_VERSION}
@@ -11,11 +10,11 @@ services:
       # enable Træfik dashboard
       - --api.dashboard=true
       # configure Let's Encrypt automatic certificates
-      - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
+      - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge=true
-      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=hetzner
+      - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge.provider=${TRAEFIK_DNSPROVIDER}
-      - --certificatesresolvers.letsencrypt.acme.email=${LETSENCRYPT_EMAIL}
+      - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.email=${LETSENCRYPT_EMAIL}
-      - --certificatesresolvers.letsencrypt.acme.keytype=RSA4096
+      - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.keytype=RSA4096
-      - --certificatesresolvers.letsencrypt.acme.storage=/le-certs.json
+      - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.storage=/certs.json
       # we listen on both HTTP and HTTPS
       - --entrypoints.http.address=:80
       - --entrypoints.https.address=:443
@@ -31,11 +30,11 @@ services:
       # should not need, but just in case, a folder for dynamic config files is also configured
       - --providers.file.directory=/config
       - --providers.file.watch=true
-    environment:
+    env_file:
-      - HETZNER_API_KEY=${HETZNER_API_KEY}
+      - ${TRAEFIK_DNSPROVIDER_ENVFILE}
     labels:
       # expose Træfik using Træfik (dashboard)
-      - traefik.enable=true
+      - traefik.enable=${TRAEFIK_ENABLED}
       # configure a global whitelist for my home
       - traefik.http.middlewares.dashboard-whitelist.ipwhitelist.sourcerange=${TRAEFIK_DASHBOARD_WHITELIST}
       # configure the global redirect middleware
@@ -57,8 +56,8 @@ services:
       - traefik.http.routers.https-${TRAEFIK_ROUTER}.rule=Host(`${TRAEFIK_MATCHRULE}`)
       - traefik.http.routers.https-${TRAEFIK_ROUTER}.service=api@internal
       # of course, enable TLS and it's certificate provider
-      - traefik.http.routers.https-${TRAEFIK_ROUTER}.tls=true
+      - traefik.http.routers.https-${TRAEFIK_ROUTER}.tls=${TRAEFIK_TLSENABLED}
-      - traefik.http.routers.https-${TRAEFIK_ROUTER}.tls.certresolver=letsencrypt
+      - traefik.http.routers.https-${TRAEFIK_ROUTER}.tls.certresolver=${TRAEFIK_CERTRESOLVER}
     networks:
       - traefik
     ports:
@@ -67,7 +66,7 @@ services:
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - ./config:/config:ro
-      - ./le-certs.json:/le-certs.json
+      - ./certs.json:/certs.json
 
 networks:
   traefik:

env.dnsprovider.example

@@ -0,0 +1 @@
+HETZNER_API_KEY=

env.example

@@ -1,13 +1,18 @@
+# General environment
 TRAEFIK_VERSION=2.4
+TRAEFIK_CERTRESOLVER=letsencrypt
 TRAEFIK_CONTAINER_NAME=traefik.mydomain.com
+TRAEFIK_DASHBOARD_WHITELIST=1.2.3.4/24
+TRAEFIK_ENABLED=true
+TRAEFIK_NETWORK=traefik
 TRAEFIK_MATCHRULE=traefik.mydomain.com
 TRAEFIK_ROUTER=traefik_mydomain_com
-TRAEFIK_NETWORK=traefik-proxy
 TRAEFIK_PILOT_TOKEN=
-TRAEFIK_DASHBOARD_WHITELIST=1.2.3.4/24
+TRAEFIK_TLSENABLED=true
 
 # Certificate provider
-HETZNER_API_KEY=
+TRAEFIK_DNSPROVIDER=hetzner
+TRAEFIK_DNSPROVIDER_ENVFILE=./.env.dnsprovider
 LETSENCRYPT_EMAIL=admin@mydomain.com
 
 # Debugging