variabilized more values, reorganized values in env.example file

actually that was a stupid idea, configs need to be tracked and version controlled

.gitignore

@@ -1 +1,2 @@
-.env
+/.env
+/certs.json

README.md

@@ -1,3 +1,3 @@
-# traefik.bjphoster.com
+# Træfik Deployment
 
 Træfik deployment for reverse proxying all the infrastructure

config/tls.yml

@@ -0,0 +1,11 @@
+---
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+    mintls13:
+      minVersion: VersionTLS13
+    compatible:
+      minVersion: VersionTLS11
+    supercompatible:
+      minVersion: VersionTLS10

docker-compose.yml

@@ -1,18 +1,22 @@
+---
 version: "3"
 
 services:
   traefik:
+    image: traefik:${TRAEFIK_VERSION}
+    container_name: ${TRAEFIK_CONTAINER_NAME}
+    restart: unless-stopped
     command:
       # when debugging is needed
       - --accesslog=${TRAEFIK_ACCESSLOG}
       # enable Træfik dashboard
       - --api.dashboard=true
       # configure Let's Encrypt automatic certificates
-      - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
+      - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge=true
-      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=hetzner
+      - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge.provider=hetzner
-      - --certificatesresolvers.letsencrypt.acme.email=${LETSENCRYPT_EMAIL}
+      - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.email=${LETSENCRYPT_EMAIL}
-      - --certificatesresolvers.letsencrypt.acme.keytype=RSA4096
+      - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.keytype=RSA4096
-      - --certificatesresolvers.letsencrypt.acme.storage=/le-certs.json
+      - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.storage=/certs.json
       # we listen on both HTTP and HTTPS
       - --entrypoints.http.address=:80
       - --entrypoints.https.address=:443
@@ -25,50 +29,48 @@ services:
       # and we want to manually specify exposed containers
       - --providers.docker.exposedbydefault=false
       - --providers.docker.watch=true
-      # should not need, but just in case, a dynamic config file is also configured
+      # should not need, but just in case, a folder for dynamic config files is also configured
-      - --providers.file.directory=/dynamic-config
+      - --providers.file.directory=/config
       - --providers.file.watch=true
-    container_name: ${TRAEFIK_CONTAINER_NAME}
     environment:
       - HETZNER_API_KEY=${HETZNER_API_KEY}
-    image: traefik:${TRAEFIK_VERSION}
     labels:
       # expose Træfik using Træfik (dashboard)
-      - traefik.enable=true
+      - traefik.enable=${TRAEFIK_ENABLED}
       # configure a global whitelist for my home
       - traefik.http.middlewares.dashboard-whitelist.ipwhitelist.sourcerange=${TRAEFIK_DASHBOARD_WHITELIST}
       # configure the global redirect middleware
       - traefik.http.middlewares.http-to-https.redirectscheme.scheme=https
       - traefik.http.middlewares.http-to-https.redirectscheme.permanent=true
       ### Section HTTP
-      - traefik.http.routers.http-${TRAEFIK_ROUTER_NAME}.entrypoints=http
+      - traefik.http.routers.http-${TRAEFIK_ROUTER}.entrypoints=http
       # only some people can access the dashboard, hence protect it with it's whitelist
-      - traefik.http.routers.http-${TRAEFIK_ROUTER_NAME}.middlewares=dashboard-whitelist
+      - traefik.http.routers.http-${TRAEFIK_ROUTER}.middlewares=dashboard-whitelist
       # redirect Træfik dashboard to HTTPS only
-      - traefik.http.routers.http-${TRAEFIK_ROUTER_NAME}.middlewares=http-to-https
+      - traefik.http.routers.http-${TRAEFIK_ROUTER}.middlewares=http-to-https
-      - traefik.http.routers.http-${TRAEFIK_ROUTER_NAME}.rule=Host(`${TRAEFIK_MATCHRULE}`)
+      - traefik.http.routers.http-${TRAEFIK_ROUTER}.rule=Host(`${TRAEFIK_MATCHRULE}`)
-      - traefik.http.routers.http-${TRAEFIK_ROUTER_NAME}.service=api@internal
+      - traefik.http.routers.http-${TRAEFIK_ROUTER}.service=api@internal
       ### Section HTTPS
-      - traefik.http.routers.https-${TRAEFIK_ROUTER_NAME}.entrypoints=https
+      - traefik.http.routers.https-${TRAEFIK_ROUTER}.entrypoints=https
       # only some people can access the dashboard, hence protect it with it's whitelist
-      - traefik.http.routers.https-${TRAEFIK_ROUTER_NAME}.middlewares=dashboard-whitelist
+      - traefik.http.routers.https-${TRAEFIK_ROUTER}.middlewares=dashboard-whitelist
       # configure Træfik dashboard to be the exposed service
-      - traefik.http.routers.https-${TRAEFIK_ROUTER_NAME}.rule=Host(`${TRAEFIK_MATCHRULE}`)
+      - traefik.http.routers.https-${TRAEFIK_ROUTER}.rule=Host(`${TRAEFIK_MATCHRULE}`)
-      - traefik.http.routers.https-${TRAEFIK_ROUTER_NAME}.service=api@internal
+      - traefik.http.routers.https-${TRAEFIK_ROUTER}.service=api@internal
       # of course, enable TLS and it's certificate provider
-      - traefik.http.routers.https-${TRAEFIK_ROUTER_NAME}.tls=true
+      - traefik.http.routers.https-${TRAEFIK_ROUTER}.tls=${TRAEFIK_TLSENABLED}
-      - traefik.http.routers.https-${TRAEFIK_ROUTER_NAME}.tls.certresolver=letsencrypt
+      - traefik.http.routers.https-${TRAEFIK_ROUTER}.tls.certresolver=${TRAEFIK_CERTRESOLVER}
     networks:
-      - traefik-proxy
+      - traefik
     ports:
       - 80:80
       - 443:443
-    restart: unless-stopped
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
-      - ./config:/dynamic-config:ro
+      - ./config:/config:ro
-      - ./le-certs.json:/le-certs.json
+      - ./certs.json:/certs.json
 
 networks:
-  traefik-proxy:
+  traefik:
     external: true
+    name: ${TRAEFIK_NETWORK}

env.example

@@ -1,10 +1,14 @@
+# General environment
 TRAEFIK_VERSION=2.4
+TRAEFIK_CERTRESOLVER=letsencrypt
 TRAEFIK_CONTAINER_NAME=traefik.mydomain.com
-TRAEFIK_MATCHRULE=traefik.mydomain.com
-TRAEFIK_ROUTER_NAME=traefik_mydomain_com
-TRAEFIK_LOGLEVEL=INFO
-TRAEFIK_PILOT_TOKEN=
 TRAEFIK_DASHBOARD_WHITELIST=1.2.3.4/24
+TRAEFIK_ENABLED=true
+TRAEFIK_NETWORK=traefik
+TRAEFIK_MATCHRULE=traefik.mydomain.com
+TRAEFIK_ROUTER=traefik_mydomain_com
+TRAEFIK_PILOT_TOKEN=
+TRAEFIK_TLSENABLED=true
 
 # Certificate provider
 HETZNER_API_KEY=
@@ -12,3 +16,4 @@ LETSENCRYPT_EMAIL=admin@mydomain.com
 
 # Debugging
 TRAEFIK_ACCESSLOG=false
+TRAEFIK_LOGLEVEL=INFO