services: traefik: # Use the latest v3.0.x Traefik image available image: traefik:latest ports: # - target: 53 # published: 53 # mode: host - target: 80 published: 80 mode: host - target: 443 published: 443 mode: host - target: 1883 published: 1883 mode: host - target: 5432 published: 5432 mode: host - target: 8083 published: 8083 mode: host - target: 8084 published: 8084 mode: host # - target: 8883 # published: 8883 # mode: host # - "8083:8083" # - "8084:8084" # - "7687:7687" deploy: placement: constraints: # Make the traefik service run only on the node with this label # as the node with it has the volume for the certificates - node.labels.traefik-public.traefik-public-certificates == true labels: # Enable Traefik for this service, to make it available in the public network - traefik.enable=true # Use the traefik-public network (declared below) - traefik.docker.network=traefik-public # Use the custom label "traefik.constraint-label=traefik-public" # This public Traefik will only use services with this label # That way you can add other internal Traefik instances per stack if needed - traefik.constraint-label=traefik-public # admin-auth middleware with HTTP Basic auth # Using the environment variables USERNAME and HASHED_PASSWORD - traefik.http.middlewares.admin-auth.basicauth.users=${USERNAME?Variable not set}:${HASHED_PASSWORD?Variable not set} - traefik.http.middlewares.csrf.headers.hostsProxyHeaders=["X-CSRF-Token"] - traefik.http.middlewares.no-www.redirectregex.regex=^https://www.(.*)$$ - traefik.http.middlewares.no-www.redirectregex.replacement=https://$$1 - traefik.http.middlewares.no-www.redirectregex.permanent=true - traefik.http.middlewares.sslheader.headers.sslProxyHeaders.X-Forwarded-Proto="https,wss" - traefik.http.middlewares.sslheader.headers.sslRedirect=true - traefik.http.middlewares.redirect-resume.redirectregex.regex=^https://resume.${DOMAIN?Variable not set}/(.*) - traefik.http.middlewares.redirect-resume.redirectregex.replacement=https://info.${DOMAIN?Variable not set}/resume/$$1 - traefik.http.middlewares.redirect-resume.redirectregex.permanent=true - traefik.http.middlewares.redirect-blog.redirectregex.regex=^https://blog.${DOMAIN?Variable not set}/(.*) - traefik.http.middlewares.redirect-blog.redirectregex.replacement=https://furyhawk.github.io/124c41/$$1 - traefik.http.middlewares.redirect-blog.redirectregex.permanent=true - traefik.http.middlewares.rate-limit.ratelimit.average=384 - traefik.http.middlewares.rate-limit.ratelimit.burst=128 - traefik.http.middlewares.rate-limit.ratelimit.period=10s - traefik.http.middlewares.xbot.headers.browserXssFilter=true - traefik.http.middlewares.xbot.headers.contentTypeNosniff=true - traefik.http.middlewares.xbot.headers.frameDeny=true - traefik.http.middlewares.xbot.headers.stsPreload=true - traefik.http.middlewares.xbot.headers.stsSeconds=31536000 - traefik.http.middlewares.xbot.headers.stsIncludeSubdomains=true - traefik.http.middlewares.xbot.headers.permissionsPolicy="accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), layout-animations=(), legacy-image-formats=(), magnetometer=(), microphone=(), midi=(), oversized-images=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), sync-xhr=(), usb=(), wake-lock=(), xr-spatial-tracking=()" - traefik.http.middlewares.xbot.headers.referrerPolicy="no-referrer" - treafik.http.middlewares.neo4j_strip.stripprefix.prefixes=/neo4j # traefik-https the actual router using HTTPS - traefik.http.routers.traefik-public-https.rule=Host(`dashboard.${DOMAIN?Variable not set}`) - traefik.http.routers.traefik-public-https.entrypoints=https - traefik.http.routers.traefik-public-https.tls=true # Use the "le" (Let's Encrypt) resolver created below - traefik.http.routers.traefik-public-https.tls.certresolver=le # Enable HTTP Basic auth, using the middleware created above - traefik.http.routers.traefik-public-https.middlewares=admin-auth # Use the special Traefik service api@internal with the web UI/Dashboard - traefik.http.routers.traefik-public-https.service=api@internal # Define the port inside of the Docker service to use - traefik.http.services.traefik-public.loadbalancer.server.port=8080 volumes: # Add Docker as a mounted volume, so that Traefik can read the labels of other services - /var/run/docker.sock:/var/run/docker.sock:ro # Mount the volume to store the certificates - traefik-public-certificates:/certificates # Mount the configuration file for Traefik - /var/data/config/traefik/services.yml:/etc/traefik/services.yml:ro command: # Enable Docker in Traefik, so that it reads labels from Docker services - --providers.docker # Add a constraint to only use services with the label "traefik.constraint-label=traefik-public" - --providers.docker.constraints=Label(`traefik.constraint-label`, `traefik-public`) # Do not expose all Docker services, only the ones explicitly exposed - --providers.docker.exposedbydefault=false - --providers.docker.endpoint=unix:///var/run/docker.sock # Enable Docker Swarm mode - --providers.swarm.exposedbydefault=false - --providers.swarm.endpoint=unix:///var/run/docker.sock - --providers.swarm.network=traefik-public - --providers.file.filename=/etc/traefik/services.yml # Create an entrypoint "http" listening on port 80 - --entrypoints.http.address=:80 # Create an entrypoint "https" listening on port 443 - --entrypoints.https.address=:443 # Redirect HTTP to HTTPS - --entrypoints.http.http.redirections.entrypoint.to=https - --entrypoints.http.http.redirections.entrypoint.scheme=https - --entrypoints.http.http.redirections.entrypoint.permanent=true # Create an entrypoint "dns" listening on port 53 # - --entrypoints.dns.address=:53 # Create an entrypoint "postgres-socket" listening on port 5432 - --entrypoints.postgres-socket.address=:5432 # Others entrypoints can be created, like a TCP entrypoint - --entrypoints.mqtt.address=:1883 - --entrypoints.web-socket.address=:8083 - --entrypoints.web-socket-secure.address=:8084 - --entrypoints.bolt-socket.address=:7687 # Create the certificate resolver "le" for Let's Encrypt, uses the environment variable EMAIL - --certificatesresolvers.le.acme.email=${EMAIL?Variable not set} # Store the Let's Encrypt certificates in the mounted volume - --certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory - --certificatesresolvers.le.acme.storage=/certificates/acme.json # Use the TLS Challenge for Let's Encrypt - --certificatesresolvers.le.acme.tlschallenge=true # Enable the access log, with HTTP requests - --accesslog=true # Enable the Traefik log, for configurations and errors - --log=true - --log.level=INFO # Enable the Dashboard and API - --api=true networks: # Use the public network created to be shared between Traefik and # any other service that needs to be publicly available with HTTPS - traefik-public gantry: image: shizunge/gantry volumes: - /var/run/docker.sock:/var/run/docker.sock environment: - "GANTRY_NODE_NAME={{.Node.Hostname}}" # The gantry service is able to find the name of itself service. Use GANTRY_SERVICES_SELF when you want to set a different value. # - "GANTRY_SERVICES_SELF=${STACK}_gantry" - "GANTRY_SLEEP_SECONDS=0" deploy: replicas: 0 placement: constraints: - node.role==manager restart_policy: condition: none labels: - swarm.cronjob.enable=true - swarm.cronjob.schedule=45 23 0 * * * - swarm.cronjob.skip-running=true cronjob: image: crazymax/swarm-cronjob:latest volumes: - /var/run/docker.sock:/var/run/docker.sock deploy: placement: constraints: - node.role==manager volumes: # Create a volume to store the certificates, there is a constraint to make sure # Traefik is always deployed to the same Docker node with the same volume containing # the HTTPS certificates traefik-public-certificates: networks: # Use the previously created public network "traefik-public", shared with other # services that need to be publicly available via this Traefik traefik-public: external: true