traefik

This is the core proxy that protects my server. It handles SSL termination, routing, and the dashboard for monitoring. I use Traefik's Docker provider to automatically discover services and route traffic based on labels in their docker-compose.yml files.

Below are the configuration files for this service. For details on how to deploy or customize, refer to the README above or the official documentation for the service.

Docker Compose Configuration

services:
  traefik:
    image: traefik:v3.6
    container_name: traefik
    restart: unless-stopped
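    ports:
      - "80:80"
      - "443:443"
      # With --api.insecure=false the dashboard is not served on 8080, but
      # --metrics.prometheus=true uses Traefik's default internal entrypoint (:8080),
      # so this published port exposes /metrics without authentication.
      # Restrict it (bind to 127.0.0.1 or firewall it) if only local scraping is needed.
      - "${TRAEFIK_DASHBOARD_PORT}:8080"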
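    volumes:
      # :ro makes only the socket file mount read-only; it does not limit Docker API
      # calls, so a compromised Traefik container can still control the Docker daemon.
      - /var/run/docker.sock:/var/run/docker.sock:ro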
      - ${STORAGE_PATH}/traefik/certs:/certs:rw
      - ./dynamic:/dynamic:ro
      - ${STORAGE_PATH}/traefik/letsencrypt:/letsencrypt
    networks:
      - web
    security_opt:
      - no-new-privileges:true
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.dashboard-auth.basicauth.users=${DASHBOARD_BASIC_AUTH}"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.middlewares=dashboard-auth@docker"
      - "traefik.http.routers.dashboard.rule=Host(`dashboard.${DOMAIN}`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.tls=true"
      - "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"
    command:
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=web"
      - "--api.dashboard=true"
      - "--api.insecure=false"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.letsencrypt.acme.email=${ACME_EMAIL}"
      - "--certificatesresolvers.letsencrypt.acme.storage=/certs/acme.json"
      - "--metrics.prometheus=true"
      - "--accesslog=true"
      - "--providers.file.directory=/dynamic"
      - "--providers.file.watch=true"

    environment:
      - DOMAIN=${DOMAIN}

networks:
  web:
    external: true
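
How a backend service opts in to the proxy configured above, as an added example that is not part of the original repository. The `whoami` service and router name, its hostname, and a `DOMAIN` value in that service's own `.env` are assumptions; the `web` network, `websecure` entrypoint and `letsencrypt` resolver are the ones defined above.

```yaml
# Added example: a separate docker-compose.yml for a backend service.
# The service/router name "whoami" and the hostname are illustrative assumptions.
services:
  whoami:
    image: traefik/whoami
    container_name: whoami
    restart: unless-stopped
    # No "ports:" section: the container is reachable only through Traefik
    # on the shared "web" network, never directly on the host.
    networks:
      - web
    security_opt:
      - no-new-privileges:true
    labels:
      # Required because the proxy runs with --providers.docker.exposedbydefault=false.
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.${DOMAIN}`)"
      # Attach to the HTTPS entrypoint only; port 80 is redirected by the proxy itself.
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls=true"
      - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
      # Pin the container port so Traefik does not have to infer it.
      - "traefik.http.services.whoami.loadbalancer.server.port=80"

networks:
  web:
    external: true
```

A container on the `web` network without `traefik.enable=true` stays unrouted, which is the point of disabling exposure by default.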

Environment Variables (.env.example)

# traefik/.env
# Copy to .env and fill in real values. NEVER commit .env.

TRAEFIK_DASHBOARD_PORT=8080
ACME_EMAIL=letsencrypt@example.com
DASHBOARD_BASIC_AUTH=admin:$$apr1$$changeme$$REPLACE_WITH_HTPASSWD_HASH