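# vi: ft=yaml
# Docker Swarm stack for the Traefik edge proxy.
# Static configuration is passed as CLI flags in `command`; dynamic routing for
# the proxy's own dashboard comes from the `deploy.labels` below, everything
# else is routed through the file provider (`services` config mounted at
# /etc/traefik/services.yml).
version: "3.7"

networks:
  # Pre-existing overlay network; other stacks attach to it to be reachable
  # from Traefik (see the traefik.docker.network label).
  traefik:
    external: true

configs:
  # Dynamic configuration file (routers/services for the `@file` provider).
  # The config object is created outside this stack; its name is templated.
  services:
    external: true
    name: "{{ services.config_name }}"

volumes:
  # ACME state (account key + issued certificate private keys) lives on NFS so
  # the service can be rescheduled across managers. acme.json is sensitive:
  # its confidentiality depends on the NFS export's ACL, and Traefik expects
  # the file itself to be mode 600 — confirm both on the server side.
  acme:
    driver_opts:
      type: "nfs"
      o: "addr=lewis.dmz,nolock,soft,rw"
      device: ":/mnt/data/nfs/traefik/acme"

services:
  traefik:
    # NOTE(review): Traefik v3 GA moves Swarm support into a separate
    # `providers.swarm` provider and renames `traefik.docker.network` to
    # `traefik.swarm.network`; confirm this beta still accepts the Docker
    # provider's swarmmode flag before bumping the tag.
    image: traefik:3.0.0-beta2
    networks:
      - traefik
    # Host-mode ports bypass the Swarm ingress mesh so the real client IP is
    # visible to Traefik (and to the access log).
    ports:
      - mode: host
        protocol: tcp
        published: 443
        target: 443
      - mode: host
        protocol: tcp
        published: 80
        target: 80
      # `localsecure` entrypoint: internal-only services and the dashboard.
      - mode: host
        protocol: tcp
        published: 444
        target: 444
    deploy:
      placement:
        constraints:
          # The Docker socket on a manager is required to list Swarm services.
          - node.role == manager
      labels:
        - traefik.enable=true
        # Dashboard / API router. It carries no auth or IP-allowlist
        # middleware: with api.insecure=false this router is the only path to
        # api@internal, so access control rests entirely on port 444
        # (`localsecure`) being unreachable from untrusted networks. Adding a
        # basicauth or ipallowlist middleware here would not depend on that.
        - traefik.http.routers.dashboard.entrypoints=localsecure
        - traefik.http.routers.dashboard.rule=Host(`traefik.kun.is`)
        - traefik.http.routers.dashboard.service=api@internal
        # Presumably only present because Swarm mode needs a port label to
        # register the container service; the router above uses api@internal.
        - traefik.http.services.dashboard.loadbalancer.server.port=8080
        - traefik.http.routers.dashboard.tls=true
        - traefik.http.routers.dashboard.tls.certresolver=letsencrypt
        - traefik.docker.network=traefik
        # Routers below are public (websecure, :443) unless they use
        # localsecure; their backends are defined in the file provider.
        - traefik.http.routers.esrom.entrypoints=websecure
        - traefik.http.routers.esrom.service=esrom@file
        - traefik.http.routers.esrom.rule=Host(`esrom.kun.is`)
        - traefik.http.routers.esrom.tls=true
        - traefik.http.routers.esrom.tls.certresolver=letsencrypt
        - traefik.http.routers.cyberchef.entrypoints=websecure
        - traefik.http.routers.cyberchef.service=k3s@file
        - traefik.http.routers.cyberchef.rule=Host(`cyberchef.kun.is`)
        - traefik.http.routers.cyberchef.tls=true
        - traefik.http.routers.cyberchef.tls.certresolver=letsencrypt
        - traefik.http.routers.freshrss.entrypoints=websecure
        - traefik.http.routers.freshrss.service=k3s@file
        - traefik.http.routers.freshrss.rule=Host(`rss.kun.is`)
        - traefik.http.routers.freshrss.tls=true
        - traefik.http.routers.freshrss.tls.certresolver=letsencrypt
        # Internal-only (localsecure): inbucket, syncthing, pihole.
        - traefik.http.routers.inbucket.entrypoints=localsecure
        - traefik.http.routers.inbucket.service=k3s@file
        - traefik.http.routers.inbucket.rule=Host(`inbucket.kun.is`)
        - traefik.http.routers.inbucket.tls=true
        - traefik.http.routers.inbucket.tls.certresolver=letsencrypt
        - traefik.http.routers.radicale.entrypoints=websecure
        - traefik.http.routers.radicale.service=k3s@file
        - traefik.http.routers.radicale.rule=Host(`dav.kun.is`)
        - traefik.http.routers.radicale.tls=true
        - traefik.http.routers.radicale.tls.certresolver=letsencrypt
        - traefik.http.routers.syncthing.entrypoints=localsecure
        - traefik.http.routers.syncthing.service=k3s@file
        - traefik.http.routers.syncthing.rule=Host(`sync.kun.is`)
        - traefik.http.routers.syncthing.tls=true
        - traefik.http.routers.syncthing.tls.certresolver=letsencrypt
        - traefik.http.routers.pihole.entrypoints=localsecure
        - traefik.http.routers.pihole.service=k3s@file
        - traefik.http.routers.pihole.rule=Host(`pihole.kun.is`)
        - traefik.http.routers.pihole.tls=true
        - traefik.http.routers.pihole.tls.certresolver=letsencrypt
        - traefik.http.routers.hedgedoc.entrypoints=websecure
        - traefik.http.routers.hedgedoc.service=k3s@file
        - traefik.http.routers.hedgedoc.rule=Host(`md.kun.is`)
        - traefik.http.routers.hedgedoc.tls=true
        - traefik.http.routers.hedgedoc.tls.certresolver=letsencrypt
    volumes:
      # Docker socket access is equivalent to root on the manager node; it is
      # the provider's discovery channel, but a compromise of this container
      # is a compromise of the host. A socket proxy limited to read-only
      # endpoints would narrow that blast radius.
      - type: bind
        source: /var/run/docker.sock
        target: /var/run/docker.sock
      - type: volume
        source: acme
        target: /acme
        volume:
          nocopy: true
    configs:
      - source: services
        target: /etc/traefik/services.yml
    command:
      - --providers.docker
      - --providers.docker.swarmmode
      - --providers.docker.watch
      # Only containers/services that opt in with traefik.enable=true are
      # routed; keep this false so new services are not exposed by accident.
      - --providers.docker.exposedbydefault=false
      - --providers.file.filename=/etc/traefik/services.yml
      # API is only served through the `dashboard` router (no :8080 listener).
      - --api
      - --api.insecure=false
      - --api.dashboard=true
      # :80 exists for the ACME HTTP-01 challenge and a permanent redirect to
      # https; Traefik answers the challenge before the redirect applies.
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint=true
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      - --entrypoints.websecure.address=:443
      - --entrypoints.localsecure.address=:444
      - --certificatesresolvers.letsencrypt.acme=true
      - --certificatesresolvers.letsencrypt.acme.email=pim@kunis.nl
      - --certificatesresolvers.letsencrypt.acme.storage=/acme/acme.json
      - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
      # Disables certificate verification for EVERY proxy->backend TLS
      # connection, not just self-signed internal ones, so the backend leg has
      # no protection against interception. If the internal backends share a
      # CA, trusting it via --serversTransport.rootCAs keeps verification on.
      - --serversTransport.insecureSkipVerify=true
      # Access log: all fields/headers are kept by default; credential-bearing
      # ones are dropped explicitly. The Cookie header is dropped too, since
      # the keep-by-default policy would otherwise write session cookies to
      # the log.
      - --accesslog=true
      - --accesslog.fields.defaultmode=keep
      - --accesslog.fields.names.ClientUsername=drop
      - --accesslog.fields.headers.defaultmode=keep
      - --accesslog.fields.headers.names.User-Agent=keep
      - --accesslog.fields.headers.names.Authorization=drop
      - --accesslog.fields.headers.names.Cookie=drop
      - --accesslog.fields.headers.names.Content-Type=keep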