docker-apps/traefik/stacks/compose.yml

name: traefik

###############################################################
# Networks
###############################################################
networks:
  socket_proxy:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: "br-traefik_sx"
  traefik-net:
    external: true
  mariadb-net:
    external: true
    
###############################################################
# Docker Secrets
# Owner (default): root:root
# Recommend Set Owner to match container user Example: UID=1100, GID=1100
# Permissions of files & directory on host to: 0400 (-r--)
###############################################################
secrets:
  ## Cloudflare / Traefik
  cf_dns_api_token:
    file: ${SECRETSDIR}/cf_dns_api_token

###############################################################

services:
  traefik:
    image: traefik:v3.3.3  # v3.2.1  # v3.1.7   # 3.1.2   # v3.1.7-nanoserver-ltsc2022
    hostname: traefik
    restart: unless-stopped
    env_file: .traefik.env
    security_opt:
      - no-new-privileges=true
    depends_on:
      - socket-proxy  # Comment out if not using socket-proxy
    networks:
      - traefik-net
      - socket_proxy
      - mariadb-net
    command:
      - "--configFile=/config/traefik.yml"
    ports:
      - target: 80          # Container Port
        host_ip: 0.0.0.0    # All interfaces, not a specific one
        published: "80"     # STRING
        protocol: tcp       # tcp or udp
        mode: host          # or Ingress for load balancing
      - target: 443
        host_ip: 0.0.0.0
        published: "443"
        protocol: tcp
        mode: host
      - target: 51820       # wg-easy udp port
        published: "51820"
        protocol: udp
        mode: host
      - target: 32400       # plex remote access tcp port
        published: "32400"
        protocol: tcp
        mode: host
      - target: 1883        # mosquitto port
        published: "1883"
        protocol: tcp
        mode: host
      - target: 8883        # mosquitto secure port
        published: "8883"
        protocol: tcp
        mode: host
      - target: 9001        # mosquitto websocket port
        published: "9001"
        protocol: tcp
        mode: host
      - target: 19132       # minecraft-bedrock port
        published: "19132"
        protocol: udp
        mode: host
      - target: 25565       # minecraft-java port
        published: "25565"
        protocol: udp
        mode: host
      - target: 25575       # minecraft-java rcon port
        published: "25575"
        protocol: tcp
        mode: host
      - target: 8083        # ping port
        published: "8083"
        protocol: tcp
        mode: host
      - target: 8306        # mariadb port
        published: "8306"
        protocol: tcp
        mode: host
      - target: 9306        # mysql port
        published: "9306"
        protocol: tcp
        mode: host
      - target: 2022        # sftp port1
        published: "2022"
        protocol: tcp
        mode: host
      - target: 2023        # sftp port2
        published: "2023"
        protocol: tcp
        mode: host
      - target: 2024        # sftp port3
        published: "2024"
        protocol: tcp
        mode: host
      - target: 2025        # sftp port4
        published: "2025"
        protocol: tcp
        mode: host
      - target: 2026        # sftp port5
        published: "2026"
        protocol: tcp
        mode: host
      - target: 2027        # sftp port6
        published: "2027"
        protocol: tcp
        mode: host
      - target: 2028        # sftp port7
        published: "2028"
        protocol: tcp
        mode: host
      - target: 2029        # sftp port8
        published: "2029"
        protocol: tcp
        mode: host
    secrets:
      - cf_dns_api_token
    volumes:
      - "$STACKSDIR/config:/config" # traefik.yml
      - "$STACKSDIR/rules:/rules"   # Dynamic File Provider directory
      - "$STACKSDIR/users:/mnt/users"   # basic-auth username and password hashes
      - "$DATADIR/appdata:/data"     # acme.json defined in traefik.yaml
      - "$DATADIR/logs:/logs"
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik-net
      #
      # http basic-auth middlewares
      # ---------------------------
      - "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.usersfile=/mnt/users/${APPLICATION_NAME}.txt"
      #
      # http routers
      # ------------
      # http
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`traefik.${DOMAINNAME}`)&& PathPrefix(`/`)"
      # attach middlewares to router
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=${APPLICATION_NAME}-auth, http-mw-rateLimit-secureHeaders-compress-redirect@file"
      # assign svc target to router
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=api@internal"
      
      # https
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`traefik.${DOMAINNAME}`)&& PathPrefix(`/`)"
      # attach middlewares to routers
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=${APPLICATION_NAME}-auth, http-mw-rateLimit-secureHeaders-compress@file"
      # tls
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
      # assign svc target to router
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=api@internal"
      
###############################################################
  socket-proxy:
    image: tecnativa/docker-socket-proxy:0.2.0 #0.1.2
    hostname: traefik_socket-proxy
    restart: unless-stopped
    env_file: .socket-proxy.env
    security_opt:
      - no-new-privileges=true
    networks:
      - socket_proxy
    privileged: true  # true for VM.  false for unprivileged LXC container.
    #depends_on:
    #  - traefik
    ports:
      - "127.0.0.1:2375:2375"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # the following bind is to persist the non-zero setting of backend docker-events.timeout server
      - type: bind
        source: "${DATADIR}/haproxy/haproxy.cfg.template"
        target: /usr/local/etc/haproxy/haproxy.cfg.template
###############################################################
  whoami:
    image: traefik/whoami:latest
    container_name: whoami
    restart: unless-stopped
    security_opt:
      - no-new-privileges=true
    depends_on:
      - traefik
    networks:
      - traefik-net
    environment:
      - TZ
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.whoami-rtr.entrypoints=web"
      - "traefik.http.routers.whoami-rtr.rule=Host(`whoami.${DOMAINNAME}`)"
###############################################################