Need help - Setting up Traefik with Let's Encrypt

Hello everyone,

I wanted to self-host some applications (Docker) for my family, like Nextcloud, but I don't want to open a bunch of ports for that. So I found Traefik and I would like to route the requests from outside through Traefik. But no matter how many tutorials I watch or how often I look through the Traefik documentation, I cannot wrap my head around it. My environment looks something along these lines:
Modem -> PfSense -> Raspberrypi (Pihole) -> Switch -> NAS QNAP

So I have Pi-hole installed on my Raspberry Pi. Apart from that I am running a few Docker containers on it (Dockge, WordPress, Grafana etc. Here I also want to run Traefik via Docker). On my NAS I am also running a few applications with Docker. So I would like to have SSL certificates at least on those applications I would expose to the public. But before I do something I would bang my head against, could you please look through my Docker Compose files and see if I made a mistake anywhere?

-) I pointed my private IP address to my domain via an A record (www and @)
-) Made a Docker container with Docker Compose for Traefik on my Raspberry Pi

Traefik Docker Compose with Let's Encrypt. I changed the external port 8080 to 8084 because the web UI of one of my applications is already using that port: docker-compose.yml
version: "3.3"

services:

  traefik:
    image: "traefik:v3.1"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entryPoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=anonym@e-mailadress.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "443:443"
      - "80:80"
      - "8084:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /opt/containers/traefik/acme.json:/acme.json
      - /opt/containers/traefik/routes:/routes
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=(Host(`pi.hole`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`)))"
      - "traefik.http.routers.dashboard.service=api@internal"

-) Now I need to make a "routes" folder for those applications I am hosting. Here is an example route:

Route Nextcloud example: nextcloud.conf
http:
  serversTransports:
    mytransport:
      insecureSkipVerify: true
  routers:
    nextcloud:
      entryPoints:
      - websecure
      service: nextcloud
      rule: Host(`nextcloud.mydomain.com`)
  services:
    nextcloud:
      loadBalancer:
        servers:
        - url: http://192.168.1.210:8082/
        passHostHeader: true

Is that even remotely correct? If not what would be a better and/or easier way?

For Traefik LetsEncrypt tlsChallenge to work, a request from the Internet to the domain IP needs to arrive at Traefik port 443. Domain configured correctly, router port-forwarding, too?

Note that you need a providers.file (doc) in Traefik static config (traefik.yml or command:) to read a Traefik dynamic config file with routers and services.

Note that you forward container port 80, but don't have a Traefik entrypoint defined for it. Maybe compare to the simple Traefik example.

Maybe enable Traefik dashboard and debug log to access more information.
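A compose file that applies the points raised in the reply above (a file provider for the routes folder, an entrypoint for the forwarded port 80, and an acme.json mount that matches the storage path), as an added example rather than the asker's file or anything from the Traefik docs. Hostname, host paths and port 8084 are taken from the question; the e-mail address is a placeholder.

```yaml
# Added example, not the original poster's compose file. Traefik v3 static
# config via command flags. Paths, ports and resolver name are the ones used
# in the question; the ACME e-mail is a placeholder to be replaced.
services:
  traefik:
    image: "traefik:v3.1"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"                     # keep on while troubleshooting
      - "--api.insecure=true"                   # dashboard on :8080, LAN-only via 8084 below
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      # file provider, so the routers/services in /routes are read at all
      - "--providers.file.directory=/routes"
      - "--providers.file.watch=true"
      # entrypoint for the forwarded port 80; redirect everything to HTTPS
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      # TLS-ALPN challenge: Let's Encrypt must reach this container on 443
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=admin@mydomain.com"   # placeholder
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      # uncomment while testing to stay clear of Let's Encrypt production rate limits
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
    ports:
      - "80:80"
      - "443:443"
      - "8084:8080"   # dashboard; do not forward this port from the Internet
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # host file mounted at the same path the storage flag points to;
      # create it beforehand and chmod 600 it, or Traefik refuses to use it
      - /opt/containers/traefik/acme.json:/letsencrypt/acme.json
      - /opt/containers/traefik/routes:/routes:ro
```

The file provider only picks up files with a .yml, .yaml or .toml extension, so the dynamic config should be named nextcloud.yml rather than nextcloud.conf. For the certificate to be requested, that router also needs `tls: { certResolver: myresolver }` next to its `rule:`.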