selfhosted-traefik/traefik/docker-compose.yml

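version: '3.5'

networks:
  default:
    driver: bridge
  # Created outside this file; only the socket proxy and its two clients
  # (watchtower, traefik) are attached to it.
  # NOTE(review): if it is created with `--internal`, containers cannot reach
  # the outside world through this network, which is all the proxy needs --
  # confirm how the external network was created.
  socket_proxy:
    external:
      name: socket_proxy

services:
  # Only accept needed incoming Docker API calls.
  # The proxy does not tell its clients apart: every container on
  # socket_proxy gets the same permission set, so the POST/DELETE grants
  # that Watchtower needs are reachable from Traefik as well. Splitting
  # into one proxy per client is the way to narrow that.
  socket-proxy:
    container_name: socket-proxy
    environment:
      - LOG_LEVEL=info  # debug,info,notice,warning,err,crit,alert,emerg
      ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
      # 0 to revoke access.
      # 1 to grant access.
      ## Granted by Default
      - EVENTS=1
      - PING=1
      - VERSION=1
      ## Revoked by Default
      # Security critical: POST and DELETE are write access to the Docker API.
      - AUTH=0
      - SECRETS=0
      - POST=1  # Watchtower
      - DELETE=1  # Watchtower
      # GET Options
      - BUILD=0
      - COMMIT=0
      - CONFIGS=0
      - CONTAINERS=1  # Traefik, Portainer, etc.
      - DISTRIBUTION=0
      - EXEC=0
      - IMAGES=1  # Portainer, Watchtower
      - INFO=1  # Portainer
      - NETWORKS=1  # Portainer, Watchtower
      - NODES=0
      - PLUGINS=0
      - SERVICES=1  # Portainer
      - SESSION=0
      - SWARM=0
      - SYSTEM=0
      - TASKS=1  # Portainer
      - VOLUMES=1  # Portainer
      # POST Options
      - CONTAINERS_CREATE=1  # Watchtower
      - CONTAINERS_START=1  # Watchtower
      - CONTAINERS_UPDATE=1  # Watchtower
      # DELETE Options
      - CONTAINERS_DELETE=1  # Watchtower
      - IMAGES_DELETE=1  # Watchtower
    # NOTE(review): no tag is pinned, so `latest` is pulled and Watchtower
    # keeps replacing it unattended; pin a tag once the project settles on one.
    image: fluencelabs/docker-socket-proxy
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
    networks:
      - socket_proxy
    # Not published to the host: both clients in this file reach the proxy as
    # socket-proxy:2375 over the socket_proxy network. Publishing it, even on
    # 127.0.0.1, would hand the granted API calls (including POST/DELETE) to
    # every process on the host. Re-enable only for host-side debugging.
    # ports:
    #   - "127.0.0.1:2375:2375"
    # Always restart, also after a server reboot.
    restart: unless-stopped
    volumes:
      # :ro only blocks filesystem changes under that path; the socket itself
      # stays usable for the API calls the proxy forwards.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  # Watchtower keeps Docker images automatically up to date.
  watchtower:
    container_name: watchtower
    depends_on:
      - socket-proxy
    environment:
      WATCHTOWER_CLEANUP: "true"
      WATCHTOWER_REMOVE_VOLUMES: "true"
      WATCHTOWER_INCLUDE_STOPPED: "true"
      WATCHTOWER_NO_STARTUP_MESSAGE: "false"
      WATCHTOWER_SCHEDULE: "0 30 12 * * *"  # Every day at 12:30
      # Talks to the Docker API through the proxy, never the raw socket.
      DOCKER_HOST: tcp://socket-proxy:2375
    # NOTE(review): untagged image, see socket-proxy above.
    image: containrrr/watchtower
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
    networks:
      # default is needed for pulling images; socket_proxy for the API.
      - default
      - socket_proxy
    restart: unless-stopped

  traefik:
    depends_on:
      # The Docker provider talks to the proxy, so that is the real dependency
      # (previously this waited on watchtower, which only reached the proxy
      # transitively).
      - socket-proxy
    # Always restart, also at boot, unless manually stopped.
    restart: unless-stopped
    # The official v2 Traefik Docker image.
    image: traefik:v2.3
    networks:
      - socket_proxy
      - default
    # Provides EMAIL, DOMAIN, TRAEFIK_USER and TRAEFIK_PASSWORD_HASH to the
    # container; keep it out of version control.
    # NOTE(review): Compose substitutes the `${...}` references below from the
    # shell environment and the project `.env` file, not from env_file --
    # confirm these variables are exported where `docker-compose up` runs.
    env_file: live.env
    container_name: "traefik"
    # Enables the web UI and tells Traefik to listen to Docker.
    command:
      # logging
      - "--log.filePath=/logs/traefik.log"
      # NOTE(review): DEBUG is very verbose; INFO is the usual level outside
      # of troubleshooting.
      - "--log.level=DEBUG"
      # API and Dashboard (insecure mode stays off; the dashboard is served
      # through the basic-auth router below instead)
      #- "--api.insecure=true"
      - "--api=true"
      - "--api.dashboard=true"
      # Docker as provider; nothing is routed unless a container opts in
      # with traefik.enable=true.
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      # Entrypoints (not HTTPS)
      - "--entrypoints.web.address=:80"
      #- "--entrypoints.teamspeak.address=:9987/udp"
      # HTTPS (websecure entrypoint)
      - "--entrypoints.websecure.address=:443"
      # SSH for GitLab entrypoint
      - "--entrypoints.ssh.address=:2222"
      # Use this CA server for testing
      # - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=${EMAIL}"
      # HTTP-01 challenge on the plain web entrypoint; Traefik answers the
      # challenge before the http_catchall redirect below applies.
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      # Docker socket proxy endpoint (no socket mounted into this container)
      - "--providers.docker.endpoint=tcp://socket-proxy:2375"
    labels:
      # enable watchtower for traefik
      - "com.centurylinklabs.watchtower.enable=true"
      # Dashboard: HTTPS only, behind basic auth, on the api@internal service.
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-https.rule=Host(`traefik.${DOMAIN}`)"
      - "traefik.http.routers.traefik-https.entrypoints=websecure"
      - "traefik.http.routers.traefik-https.middlewares=auth"
      - "traefik.http.routers.traefik-https.service=api@internal"
      - "traefik.http.routers.traefik-https.tls=true"
      - "traefik.http.routers.traefik-https.tls.certresolver=myresolver"
      # Hash comes in via a variable, so its `$` characters need no doubling
      # here; a hash written literally into this file would.
      - "traefik.http.middlewares.auth.basicauth.users=${TRAEFIK_USER}:${TRAEFIK_PASSWORD_HASH}"
      # http to https redirect for every host on the web entrypoint
      - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true"
      - "traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)"
      - "traefik.http.routers.http_catchall.entrypoints=web"
      - "traefik.http.routers.http_catchall.middlewares=https-redirect"
    ports:
      # The HTTP port
      - "80:80"
      # The HTTPS port
      - "443:443"
      # The SSH port for GitLab
      - "2222:2222"
      # The Web UI (enabled by --api.insecure=true)
      #- "8080:8080"
      # TS3 ports
      #- "9987:9987/udp"
      #- "10011:10011"
      #- "30033:30033"
    volumes:
      # For certificates. The file must exist before the first start (Docker
      # creates a directory for a missing bind-mount path) and Traefik refuses
      # to use it unless its mode is 600, since it holds the private keys.
      - "./volumes/letsencrypt/acme.json:/letsencrypt/acme.json"
      # For logging; same "must exist as a file" rule as above.
      - "./volumes/logs/traefik.log:/logs/traefik.log"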