operations/traefik-stack.yml at main · DarkFlorist/operations · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
version: '3'

services:
  traefik:
    deploy:
      labels:
        - 'traefik.enable=true'
        - 'traefik.http.routers.my-traefik-dashboard-router.tls=true'
        - 'traefik.http.routers.my-traefik-dashboard-router.rule=Host(`traefik.dark.florist`)'
        - 'traefik.http.routers.my-traefik-dashboard-router.service=api@internal'
        # - 'traefik.http.routers.my-traefik-dashboard-router.middlewares=my-traefik-middleware'
        # - 'traefik.http.middlewares.my-traefik-middleware.basicauth.usersfile=/run/secrets/traefik-users'
        # # Dummy service for Swarm port detection. The port can be any valid integer value.
        - 'traefik.http.services.dummy-svc.loadbalancer.server.port=9999'
      restart_policy:
        condition: 'any'
      placement:
        constraints:
          - 'node.role == manager'
    logging:
      driver: 'json-file'
      options:
        max-size: '10m'
        max-file: '3'
    image: 'traefik:v2.11@sha256:0a5157f742d2900389da6ce60ea80cc476801dc951917a993cd848d982f58265'
    command:
      - '--providers.docker=true'
      - '--providers.docker.swarmMode=true'
      - '--providers.docker.exposedByDefault=false'
      - '--providers.docker.network=traefik'
      - '--entryPoints.websecure.address=:443'
      - '--api.dashboard=true'
      # CLI or environment configuration is preferred, but traefik only lets you set the TLS certificate paths via file configurtion
      - '--providers.file.filename=/traefik-config.yml'
    networks:
      - 'traefik'
    ports:
      - target: 443
        published: 443
        protocol: 'tcp'
    volumes:
      - type: 'bind'
        source: '/var/run/docker.sock'
        target: '/var/run/docker.sock'
    configs:
      - source: 'traefik-config.yml'
        target: '/traefik-config.yml'
    secrets:
      - source: 'traefik-users'
        target: '/run/secrets/traefik-users'
      - source: 'dark.florist-private-key'
        target: '/run/secrets/dark.florist-private-key'
      - source: 'dark.florist-origin-certificate'
        target: '/run/secrets/dark.florist-origin-certificate'

networks:
  # note: published ports bypass any internal network restrictions
  # internal private network with services that traefik should route to
  traefik:
    external: true

configs:
  # keeping config in this YML file is preferable, but Traefik stupidly doesn't let you set certificate path via CLI config, so we have to put it in a file config
  traefik-config.yml:
    external: true

secrets:
  # TLS key
  dark.florist-private-key:
    external: true
  # TLS certificate
  dark.florist-origin-certificate:
    external: true
  # users that can login to the traefik UI
  traefik-users:
    external: true