selfhosted-traefik/traefik/docker-compose.yml


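networks:
  # Fixed /24 so traefik can be given a stable address below
  default:
    driver: bridge
    ipam:
      config:
        - subnet: 172.27.0.0/24
  # Dedicated network for the Docker API proxy; only its consumers
  # (socket-proxy, watchtower, traefik) are attached to it
  socket_proxy:
    name: socket_proxy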
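services:
  # Only accept needed incoming docker API calls
  socket-proxy:
    container_name: socket-proxy
    environment:
      - LOG_LEVEL=info  # debug,info,notice,warning,err,crit,alert,emerg
      ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
      # 0 to revoke access.
      # 1 to grant access.
      ## Granted by Default
      - EVENTS=1
      - PING=1
      - VERSION=1
      ## Revoked by Default
      # Security critical
      - AUTH=0
      - SECRETS=0
      # POST and DELETE are write access to the daemon: every client of this
      # proxy can then create, start and delete containers and images (see the
      # CONTAINERS_* / IMAGES_DELETE switches below). Only Watchtower needs it.
      - POST=1  # Watchtower
      - DELETE=1  # Watchtower
      # GET Options
      - BUILD=0
      - COMMIT=0
      - CONFIGS=0
      - CONTAINERS=1  # Traefik, portainer, etc.
      - DISTRIBUTION=0
      - EXEC=0
      - IMAGES=1  # Portainer, Watchtower
      - INFO=1  # Portainer
      - NETWORKS=1  # Portainer, Watchtower
      - NODES=0
      - PLUGINS=0
      - SERVICES=1  # Portainer
      - SESSION=0
      - SWARM=0
      - SYSTEM=0
      - TASKS=1  # Portainer
      - VOLUMES=1  # Portainer
      # POST Options
      - CONTAINERS_CREATE=1  # WatchTower
      - CONTAINERS_START=1  # WatchTower
      - CONTAINERS_UPDATE=1  # WatchTower
      # DELETE Options
      - CONTAINERS_DELETE=1  # WatchTower
      - IMAGES_DELETE=1  # WatchTower
    image: tecnativa/docker-socket-proxy:latest
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
    networks:
      - socket_proxy
    ports:
      # Loopback-only, but the proxy has no authentication of its own, so any
      # local user or process can drive the granted API calls through it.
      # Watchtower and traefik reach the proxy over the socket_proxy network;
      # drop this mapping unless something on the host itself needs it.
      - "127.0.0.1:2375:2375"
    # Always restart if server restart etc.
    restart: unless-stopped
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"

  # watchtower keeps docker images automatically up to date
  # Every service carrying the enable label (including this one, socket-proxy
  # and traefik) is re-pulled on the schedule below. With floating tags that is
  # an unattended upgrade path; pin digests or review before relying on it.
  watchtower:
    container_name: watchtower
    depends_on:
      - socket-proxy
    environment:
      WATCHTOWER_CLEANUP: "true"
      # Also removes the anonymous volumes of containers it replaces
      WATCHTOWER_REMOVE_VOLUMES: "true"
      WATCHTOWER_INCLUDE_STOPPED: "true"
      WATCHTOWER_NO_STARTUP_MESSAGE: "false"
      WATCHTOWER_SCHEDULE: "0 30 12 * * *"  # Everyday at 12:30
      # Docker API only through the proxy, never the raw socket
      DOCKER_HOST: tcp://socket-proxy:2375
    image: containrrr/watchtower:latest
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
    networks:
      - default
      - socket_proxy
    restart: unless-stopped

  traefik:
    depends_on:
      - watchtower
    # Always restart also at boot unless manually stopped
    restart: unless-stopped
    # The official v3 Traefik docker image
    image: traefik:3.0
    networks:
      default:
        ipv4_address: 172.27.0.100
      socket_proxy: null
    # env_file only populates the container environment. The ${EMAIL}, ${DOMAIN},
    # ${TRAEFIK_USER} and ${TRAEFIK_PASSWORD_HASH} references in this file are
    # filled by Compose interpolation (shell environment / .env), not by live.env;
    # keep whichever file holds them out of version control.
    env_file: live.env
    container_name: "traefik"
    command:
      # logging settings
      # - "--log.filePath=/logs/traefik.log"
      # - "--log.format=json"
      - "--log.level=ERROR"
      # Enable API and Dashboard access
      # - "--api.insecure=true"
      - "--api=true"
      - "--api.dashboard=true"
      # Docker as provider
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      # Entrypoints (not HTTPS)
      - "--entrypoints.web.address=:80"
      # HTTPS (websecure entrypoint)
      - "--entrypoints.websecure.address=:443"
      # TS3 entrypoints
      - "--entrypoints.ts-udp.address=:9987/udp"
      - "--entrypoints.ts-tcp.address=:30033"
      # Use this CA server for testing
      # - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      # production Lets encrypt settings
      - "--certificatesresolvers.myresolver.acme.email=${EMAIL}"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      # Docker API goes through the socket proxy, so no socket mount is needed
      - "--providers.docker.endpoint=tcp://socket-proxy:2375"
    labels:
      # enable watchtower for traefik
      - "com.centurylinklabs.watchtower.enable=true"
      # Dashboard basic auth and routing
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-https.rule=Host(`traefik.${DOMAIN}`)"
      - "traefik.http.routers.traefik-https.entrypoints=websecure"
      - "traefik.http.routers.traefik-https.middlewares=auth"
      - "traefik.http.routers.traefik-https.service=api@internal"
      - "traefik.http.routers.traefik-https.tls=true"
      - "traefik.http.routers.traefik-https.tls.certresolver=myresolver"
      # The password hash ends up in container metadata, readable by anything
      # with CONTAINERS access on the socket proxy; a basicauth usersfile keeps
      # it out of labels.
      - "traefik.http.middlewares.auth.basicauth.users=${TRAEFIK_USER}:${TRAEFIK_PASSWORD_HASH}"
      # http to https redirect for all incoming http requests
      - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true"
      # Traefik v3 rule syntax takes a plain Go regexp; the v2 placeholder form
      # HostRegexp(`{any:.+}`) is only honoured when the router opts into v2
      # syntax and would otherwise leave plain-HTTP requests unredirected.
      - "traefik.http.routers.http_catchall.rule=HostRegexp(`.+`)"
      - "traefik.http.routers.http_catchall.entrypoints=web"
      - "traefik.http.routers.http_catchall.middlewares=https-redirect"
    ports:
      # The HTTP port
      - "80:80"
      # The HTTPS port
      - "443:443"
      # The Web UI (enabled by --api.insecure=true)
      # - "8080:8080"
      # TS3 ports
      - "9987:9987/udp"
      - "30033:30033"
    volumes:
      # For certificate
      - "./data/letsencrypt:/letsencrypt"
      # For logging
      - "./data/logs:/logs"
      # The raw docker socket is deliberately not mounted: the provider endpoint
      # above is the socket proxy, and a container holding the socket (even :ro)
      # has full control of the daemon, which the proxy exists to avoid.

  # Test container
  # Publicly routed on the websecure entrypoint with no auth middleware and it
  # echoes request details back to the caller; remove once routing is verified.
  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.${DOMAIN}`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=myresolver"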