version: "3" services: traefik: image: traefik:${TRAEFIK_VERSION} container_name: ${TRAEFIK_CONTAINER_NAME} restart: unless-stopped command: # when debugging is needed - --accesslog=${TRAEFIK_ACCESSLOG} # enable Træfik dashboard - --api.dashboard=true # configure Let's Encrypt automatic certificates - --certificatesresolvers.letsencrypt.acme.dnschallenge=true - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=hetzner - --certificatesresolvers.letsencrypt.acme.email=${LETSENCRYPT_EMAIL} - --certificatesresolvers.letsencrypt.acme.keytype=RSA4096 - --certificatesresolvers.letsencrypt.acme.storage=/certs.json # we listen on both HTTP and HTTPS - --entrypoints.http.address=:80 - --entrypoints.https.address=:443 # logging level - --log.level=${TRAEFIK_LOGLEVEL} # Træfik Pilot token (of course retrieved from dotenv) - --pilot.token=${TRAEFIK_PILOT_TOKEN} # we only use Docker (for now) - --providers.docker=true # and we want to manually specify exposed containers - --providers.docker.exposedbydefault=false - --providers.docker.watch=true # should not need, but just in case, a folder for dynamic config files is also configured - --providers.file.directory=/config - --providers.file.watch=true environment: - HETZNER_API_KEY=${HETZNER_API_KEY} labels: # expose Træfik using Træfik (dashboard) - traefik.enable=true # configure a global whitelist for my home - traefik.http.middlewares.dashboard-whitelist.ipwhitelist.sourcerange=${TRAEFIK_DASHBOARD_WHITELIST} # configure the global redirect middleware - traefik.http.middlewares.http-to-https.redirectscheme.scheme=https - traefik.http.middlewares.http-to-https.redirectscheme.permanent=true ### Section HTTP - traefik.http.routers.http-${TRAEFIK_ROUTER}.entrypoints=http # only some people can access the dashboard, hence protect it with it's whitelist - traefik.http.routers.http-${TRAEFIK_ROUTER}.middlewares=dashboard-whitelist # redirect Træfik dashboard to HTTPS only - traefik.http.routers.http-${TRAEFIK_ROUTER}.middlewares=http-to-https - traefik.http.routers.http-${TRAEFIK_ROUTER}.rule=Host(`${TRAEFIK_MATCHRULE}`) - traefik.http.routers.http-${TRAEFIK_ROUTER}.service=api@internal ### Section HTTPS - traefik.http.routers.https-${TRAEFIK_ROUTER}.entrypoints=https # only some people can access the dashboard, hence protect it with it's whitelist - traefik.http.routers.https-${TRAEFIK_ROUTER}.middlewares=dashboard-whitelist # configure Træfik dashboard to be the exposed service - traefik.http.routers.https-${TRAEFIK_ROUTER}.rule=Host(`${TRAEFIK_MATCHRULE}`) - traefik.http.routers.https-${TRAEFIK_ROUTER}.service=api@internal # of course, enable TLS and it's certificate provider - traefik.http.routers.https-${TRAEFIK_ROUTER}.tls=true - traefik.http.routers.https-${TRAEFIK_ROUTER}.tls.certresolver=letsencrypt networks: - traefik ports: - 80:80 - 443:443 volumes: - /var/run/docker.sock:/var/run/docker.sock:ro - ./config:/config:ro - ./certs.json:/certs.json networks: traefik: external: true name: ${TRAEFIK_NETWORK}