So, I'm starting to understand how Traefik works and I've got services working... sort of. For example, I've added Proxmox with the following config.yaml, and https://box.domain.com does work with the cert, but is showing me "is functioning normally" instead of the desired log-in interface for Proxmox. I did see this topic discussing the situation as well, but as far as I can tell, things look just about the same, just very slight differences in terms of how one configures the middlewares.
http:
  middlewares:
    crowdsec-bouncer:
      forwardauth:
        address: http://bouncer-traefik:8080/api/v1/forwardAuth
        trustForwardHeader: true
    # https://github.com/goauthentik/authentik/issues/2366
    middlewares-authentik:
      forwardAuth:
        address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
    default-security-headers:
      headers:
        customBrowserXSSValue: 0 # X-XSS-Protection=1; mode=block
        contentTypeNosniff: true # X-Content-Type-Options=nosniff
        forceSTSHeader: true # Add the Strict-Transport-Security header even when the connection is HTTP
        frameDeny: false # X-Frame-Options=deny
        referrerPolicy: "strict-origin-when-cross-origin"
        stsIncludeSubdomains: true # Add includeSubdomains to the Strict-Transport-Security header
        stsPreload: true # Add preload flag appended to the Strict-Transport-Security header
        stsSeconds: 3153600 # Set the max-age of the Strict-Transport-Security header (63072000 = 2 years)
        contentSecurityPolicy: "default-src 'self'"
        customRequestHeaders:
          X-Forwarded-Proto: https
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true
  routers:
    portainer:
      entryPoints:
        - "https"
      rule: "Host(`portainer.domain.com`)"
      middlewares:
        - default-security-headers
        - https-redirectscheme
      tls: {}
      service: portainer
    proxmox:
      entryPoints:
        - "https"
      rule: "Host(`box.domain.com`)"
      middlewares:
        - default-security-headers
        - https-redirectscheme
      tls: {}
      service: proxmox
  services:
    portainer:
      loadBalancer:
        servers:
          - url: "https://192.168.0.148:9443"
        passHostHeader: true
    proxmox:
      loadBalancer:
        servers:
          - url: "https://192.168.0.2:8006"
        passHostHeader: true
Hopefully eventually I'll get to the point where I can just easily throw things into Traefik and have it Just Work. Today is not that day, alas. But I am starting to really understand how things work.
Share your Traefik static config.
Have you tried without all the middlewares?
Hi,
Middlewares don't seem to do anything for accessing Proxmox, I think? As for static config...
I think you mean the following?:
cat ../docker/traefik/traefik.yaml
api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
    http:
      middlewares:
        - crowdsec-bouncer@file
      redirections:
        entrypoint:
          to: https
          scheme: https
  https:
    address: ":443"
    http:
      middlewares:
        - crowdsec-bouncer@file
  tcp:
    address: ":10000"
  apis:
    address: ":33073"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yaml
certificatesResolvers:
  cloudflare:
    acme:
      caServer: https://acme-v02.api.letsencrypt.org/directory # production (default)
      #caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging (testing)
      email: example@gmail.com
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        # disablePropagationCheck: true # Some people using Cloudflare note this can solve DNS propagation issues.
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
log:
  level: "INFO"
  filePath: "/var/log/traefik/traefik.log"
accessLog:
  filePath: "/var/log/traefik/access.log"
If not, it's based on Jim's Garage's configs which actually work, aside from a couple missing settings I noted in his GitHub when I realized what was going on and started understanding how to put together things. It gave me quite the headache but I learn by doing. Unfortunately. And yeah, I could've started with a base config and built up from there, but I find that oddly, that doesn't quite work as well for me when it comes to learning how things function.
RIP AND TEAR, basically.
Le docker-compose:
###############################################################################################################
###############################################################################################################
# TRAEFIK
# See video: https://youtu.be/CmUzMi5QLzI
# DUE TO COMPLEXITY, THIS WILL PULL A TEST CERTIFICATE. TO CHANGE, EDIT THE TRAEFIK.YAML FILE
###############################################################################################################
###############################################################################################################
secrets:
  cf-token:
    file: ./cf-token
services:
  traefik:
    image: traefik:v3.3 # or traefik:v3.3 to pin a version
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true # helps to increase security
    env_file:
      - .env # store other secrets e.g., dashboard password
    networks:
      proxy:
    ports:
      - 80:80
      - 443:443
      # - 10000:10000 # optional
      # - 33073:33073 # optional
    environment:
      - TRAEFIK_DASHBOARD_CREDENTIALS=${TRAEFIK_DASHBOARD_CREDENTIALS}
      - CF_API_EMAIL=example@gmail.com # Cloudflare email
      - CF_DNS_API_TOKEN=example # Damn token.
      #- CF_API_EMAIL=example@gmail.com # Cloudflare email
      #- CF_API_KEY=examples
      #- CF_DNS_API_TOKEN=examples
      #- CF_DNS_API_TOKEN_FILE=/run/secrets/cf-token # see https://doc.traefik.io/traefik/https/acme/#providers
      # token file is the proper way to do it
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/systems/docker/traefik/traefik.yaml:/traefik.yaml:ro
      - /home/systems/docker/traefik/acme.json:/acme.json
      - /home/systems/docker/traefik/config.yaml:/config.yaml:ro
      - /home/systems/docker/traefik/logs:/var/log/traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.domain.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.domain.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=domain.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.domain.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"
###############################################################################################################
###############################################################################################################
# CROWDSEC
# See video: https://youtu.be/bGOANkuxRNA
###############################################################################################################
###############################################################################################################
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    container_name: crowdsec
    environment:
      GID: "${GID-1000}"
      COLLECTIONS: "crowdsecurity/traefik"
    depends_on:
      - 'traefik'
    volumes:
      - ./acquis.yaml:/etc/crowdsec/acquis.yaml
      - ${WORKING_DIR}/crowdsec/db:/var/lib/crowdsec/data/
      - ${WORKING_DIR}/crowdsec/config:/etc/crowdsec/
      - ${WORKING_DIR}/traefik/logs:/var/log/traefik/:ro
    networks:
      - proxy
    restart: unless-stopped
  bouncer-traefik:
    image: docker.io/fbonalair/traefik-crowdsec-bouncer:latest
    container_name: bouncer-traefik
    environment:
      CROWDSEC_BOUNCER_API_KEY: blarpl # generate in crowdsec container - cscli bouncer add - then add here and redeploy
      CROWDSEC_AGENT_HOST: crowdsec:8080
    networks:
      - proxy # same network as traefik + crowdsec
    depends_on:
      - crowdsec
    restart: unless-stopped
###############################################################################################################
###############################################################################################################
# PIHOLE & CLOUDFLARED
# See video: https://youtu.be/mnry95ay0Bk
###############################################################################################################
###############################################################################################################
# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
  cloudflared:
    container_name: cloudflared
    # Restart on crashes and on reboots
    restart: unless-stopped
    image: cloudflare/cloudflared:latest
    command: proxy-dns
    environment:
      - "TUNNEL_DNS_UPSTREAM=https://1.1.1.1/dns-query,https://1.0.0.1/dns-query,https://9.9.9.9/dns-query,https://149.112.112.9/dns-query"
      # Listen on an unprivileged port
      - "TUNNEL_DNS_PORT=5053"
      # Listen on all interfaces
      - "TUNNEL_DNS_ADDRESS=0.0.0.0"
    # Attach cloudflared only to the private network
    networks:
      pihole_internal:
        ipv4_address: 172.70.9.2
    security_opt:
      - no-new-privileges:true
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      # On Ubuntu port 53 is in use by resolved. Edit the file at /etc/systemd/resolved.conf and change the line DNSStubListener=yes to no, then use command sudo service systemd-resolved restart
      - "53:53/tcp"
      - "53:53/udp"
      # - "67:67/udp" DHCP - uncomment if using it
      - "500:80/tcp" # left port 500 open in case you need to connect via IP:500
      # - "443:443/tcp"
    networks:
      pihole_internal:
        ipv4_address: 172.70.9.3
      proxy:
    environment:
      TZ: 'America/Phoenix'
      # Set a password to access the web interface. Not setting one will result in a random password being assigned
      FTLCONF_webserver_api_password: 'example'
      # If using Docker's default `bridge` network setting the dns listening mode should be set to 'all'3
      FTLCONF_dns_listeningMode: 'all'
      FTLCONF_dns_upstreams: '172.70.9.2#5053'
    # Volumes store your data between container upgrades
    volumes:
      - './custom.list:/etc/pihole/hosts/custom.list' # remember to add your domains to this
      - '${WORKING_DIR}/pihole/:/etc/pihole/'
      - '${WORKING_DIR}/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/'
    # Recommended but not required (DHCP needs NET_ADMIN)
    # https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
    depends_on:
      - cloudflared
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.pihole.entrypoints=http"
      - "traefik.http.routers.pihole.rule=Host(`pihole.$DOMAIN`)"
      - "traefik.http.middlewares.pihole-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.pihole.middlewares=pihole-https-redirect"
      - "traefik.http.routers.pihole-secure.entrypoints=https"
      - "traefik.http.routers.pihole-secure.rule=Host(`pihole.$DOMAIN`)"
      - "traefik.http.routers.pihole-secure.tls=true"
      - "traefik.http.routers.pihole-secure.service=pihole"
      - "traefik.http.services.pihole.loadbalancer.server.port=80"
      - "traefik.docker.network=proxy"
###############################################################################################################
###############################################################################################################
# AUTHENTIK
# See video: https://youtu.be/1bTSOdYiIOQ
###############################################################################################################
###############################################################################################################
  postgresql:
    image: docker.io/library/postgres:16-alpine
    container_name: postgresql
    restart: unless-stopped
    networks:
      proxy:
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
      POSTGRES_USER: ${PG_USER:-authentik}
      POSTGRES_DB: ${PG_DB:-authentik}
    env_file:
      - .env
  redis:
    image: docker.io/library/redis:alpine
    container_name: redis
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    networks:
      proxy:
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - redis:/data
  server:
    container_name: authentik-server
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.4}
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - ${WORKING_DIR}/authentik/media:/media
      - ${WORKING_DIR}/authentik/custom-templates:/templates
    env_file:
      - .env
    #ports:
    # - "${COMPOSE_PORT_HTTP:-9000}:9000"
    # - "${COMPOSE_PORT_HTTPS:-9443}:9443"
    depends_on:
      postgresql:
        condition: service_healthy
      redis:
        condition: service_healthy
    networks:
      proxy:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authentik.entrypoints=http"
      - "traefik.http.routers.authentik.rule=Host(`authentik.$DOMAIN`)"
      - "traefik.http.middlewares.authentik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.authentik.middlewares=authentik-https-redirect"
      - "traefik.http.routers.authentik-secure.entrypoints=https"
      - "traefik.http.routers.authentik-secure.rule=Host(`authentik.$DOMAIN`)"
      - "traefik.http.routers.authentik-secure.tls=true"
      - "traefik.http.routers.authentik-secure.service=authentik"
      - "traefik.http.services.authentik.loadbalancer.server.scheme=https"
      - "traefik.http.services.authentik.loadbalancer.server.port=9443"
      - "traefik.docker.network=proxy"
  worker:
    container_name: authentik-worker
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.4}
    restart: unless-stopped
    command: worker
    networks:
      proxy:
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    # `user: root` and the docker socket volume are optional.
    # See more for the docker socket integration here:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Removing `user: root` also prevents the worker from fixing the permissions
    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
    # (1000:1000 by default)
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${WORKING_DIR}/authentik/media:/media
      - ${WORKING_DIR}/authentik/certs:/certs
      - ${WORKING_DIR}/authentik/custom-templates:/templates
    env_file:
      - .env
    depends_on:
      postgresql:
        condition: service_healthy
      redis:
        condition: service_healthy
###############################################################################################################
###############################################################################################################
# PORTAINER
###############################################################################################################
###############################################################################################################
  portainer:
    image: portainer/portainer-ce:latest
    container_name: portainer
    ports:
      - 8000:8000
      - 9443:9443
    volumes:
      - portainer_data:/data
      - /var/run/docker.sock:/var/run/docker.sock
    restart: unless-stopped
    networks:
      proxy:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.entrypoints=http"
      - "traefik.http.routers.portainer.rule=Host(`portainer.$DOMAIN`)"
      - "traefik.http.middlewares.portainer-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.portainer.middlewares=portainer-https-redirect"
      - "traefik.http.routers.portainer-secure.entrypoints=https"
      - "traefik.http.routers.portainer-secure.rule=Host(`portainer.$DOMAIN`)"
      - "traefik.http.routers.portainer-secure.tls=true"
      - "traefik.http.routers.portainer-secure.service=portainer"
      - "traefik.http.services.portainer.loadbalancer.server.scheme=https"
      - "traefik.http.services.portainer.loadbalancer.server.port=9443"
      - "traefik.docker.network=proxy"
###############################################################################################################
###############################################################################################################
# GOTIFY
# See video: https://youtu.be/Ft69PY7iitw
###############################################################################################################
###############################################################################################################
  gotify:
    image: gotify/server
    container_name: gotify
    volumes:
      - ${WORKING_DIR}/gotify:/app/data
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      proxy:
    environment:
      - TZ=America/Phoenix
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.gotify.entrypoints=http"
      - "traefik.http.routers.gotify.rule=Host(`gotify.$DOMAIN`)"
      - "traefik.http.middlewares.gotify-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.gotify.middlewares=gotify-https-redirect"
      - "traefik.http.routers.gotify-secure.entrypoints=https"
      - "traefik.http.routers.gotify-secure.rule=Host(`gotify.$DOMAIN`)"
      - "traefik.http.routers.gotify-secure.tls=true"
      - "traefik.http.routers.gotify-secure.service=gotify"
      - "traefik.http.services.gotify.loadbalancer.server.port=80"
      - "traefik.docker.network=proxy"
###############################################################################################################
###############################################################################################################
# HOMEPAGE
# See video: https://youtu.be/4AwUNy2eztA
###############################################################################################################
###############################################################################################################
  homepage:
    image: ghcr.io/benphelps/homepage:latest
    container_name: homepage
    # uncomment if you do not want to run as root
    #user: 1000:1000
    # uncomment if you are not using a reverse proxy
    #ports:
    # - 3000:3000
    volumes:
      - ${WORKING_DIR}/homepage/config:/app/config # Make sure your local config directory exists
      - /var/run/docker.sock:/var/run/docker.sock # (optional) For docker integrations
    networks:
      proxy:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.homepage.entrypoints=http"
      - "traefik.http.routers.homepage.rule=Host(`homepage.$DOMAIN`)"
      - "traefik.http.middlewares.homepage-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.homepage.middlewares=homepage-https-redirect"
      - "traefik.http.routers.homepage-secure.entrypoints=https"
      - "traefik.http.routers.homepage-secure.rule=Host(`homepage.$DOMAIN`)"
      - "traefik.http.routers.homepage-secure.tls=true"
      - "traefik.http.routers.homepage-secure.service=homepage"
      - "traefik.http.services.homepage.loadbalancer.server.port=3000"
      - "traefik.docker.network=proxy"
    security_opt:
      - no-new-privileges:true
###############################################################################################################
###############################################################################################################
# IT-TOOLS
# See video: https://youtu.be/CbIASgzUIUU
###############################################################################################################
###############################################################################################################
  it-tools:
    image: 'corentinth/it-tools:latest'
    #ports:
    # - '8080:80'
    restart: unless-stopped
    container_name: it-tools
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.it-tools.entrypoints=http"
      - "traefik.http.routers.it-tools.rule=Host(`it-tools.$DOMAIN`)"
      - "traefik.http.middlewares.it-tools-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.it-tools.middlewares=it-tools-https-redirect"
      - "traefik.http.routers.it-tools-secure.entrypoints=https"
      - "traefik.http.routers.it-tools-secure.rule=Host(`it-tools.$DOMAIN`)"
      - "traefik.http.routers.it-tools-secure.tls=true"
      - "traefik.http.routers.it-tools-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.it-tools-secure.service=it-tools"
      - "traefik.http.services.it-tools.loadbalancer.server.port=80"
###############################################################################################################
###############################################################################################################
# RESTIC
# See video: https://youtu.be/WBBTC5WfGis
###############################################################################################################
###############################################################################################################
  backup:
    image: mazzolino/restic
    container_name: restic
    hostname: server.domain.com
    environment:
      RUN_ON_STARTUP: "true" #change as you wish
      BACKUP_CRON: "0 */12 * * *" #this is twice daily, i.e., every 12 hours
      RESTIC_REPOSITORY: /restic
      RESTIC_PASSWORD: example
      RESTIC_BACKUP_SOURCES: /mnt/volumes
      RESTIC_COMPRESSION: auto
      RESTIC_BACKUP_ARGS: >-
        --tag restic-docker
        --verbose
      RESTIC_FORGET_ARGS: >- #change as needed.
        --keep-last 10
        --keep-daily 7
        --keep-weekly 5
        --keep-monthly 12
      TZ: America/Phoenix
    volumes:
      # this will store locally
      - ${WORKING_DIR}/restic:/restic
      - ${WORKING_DIR}/restic-restore:/tmp-for-restore
      # recommend to store on a NAS or other device - uncomment below
      # - /home/ubuntu/truenas/Restic-Proxmox-Backup:/restic #change the left hand side to where you want to store the backups. As you can see I'm storing it on my NAS that is mounted to the host /home/truenas
      # - /home/ubuntu/truenas/Restic-Proxmox-Backup/tmp-for-restore:/tmp-for-restore #USE THIS FOLDER FOR RESTORE - CAN VIEW EACH CONTAINER
      # The data of your existing containers (i.e., all of the containers in here /docker)
      - ${WORKING_DIR}:/mnt/volumes:ro
    security_opt:
      - no-new-privileges:true
  prune:
    image: mazzolino/restic
    container_name: restic-prune
    hostname: server.domain.com
    environment:
      RUN_ON_STARTUP: "true"
      PRUNE_CRON: "0 0 4 * * *"
      RESTIC_REPOSITORY: /restic
      RESTIC_PASSWORD: example
      TZ: America/Phoenix
    security_opt:
      - no-new-privileges:true
  check:
    image: mazzolino/restic
    container_name: restic-check
    hostname: server.domain.com
    environment:
      RUN_ON_STARTUP: "false"
      CHECK_CRON: "0 15 5 * * *"
      RESTIC_CHECK_ARGS: >-
        --read-data-subset=10%
      RESTIC_REPOSITORY: /restic
      RESTIC_PASSWORD: example
      TZ: America/Phoenix
    security_opt:
      - no-new-privileges:true
###############################################################################################################
###############################################################################################################
# UPTIME_KUMA
# See video: https://youtu.be/0FId6vahLAI
###############################################################################################################
###############################################################################################################
  uptime-kuma:
    image: louislam/uptime-kuma:1
    container_name: uptime-kuma
    volumes:
      - ${WORKING_DIR}/uptime-kuma:/app/data
      - /var/run/docker.sock:/var/run/docker.sock
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    dns:
      - "192.168.0.148"
    networks:
      proxy:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.uptime-kuma.entrypoints=http"
      - "traefik.http.routers.uptime-kuma.rule=Host(`uptime.$DOMAIN`)"
      - "traefik.http.middlewares.uptime-kuma-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.uptime-kuma.middlewares=uptime-kuma-https-redirect"
      - "traefik.http.routers.uptime-kuma-secure.entrypoints=https"
      - "traefik.http.routers.uptime-kuma-secure.rule=Host(`uptime.$DOMAIN`)"
      - "traefik.http.routers.uptime-kuma-secure.tls=true"
      - "traefik.http.routers.uptime-kuma-secure.service=uptime-kuma"
      - "traefik.http.services.uptime-kuma.loadbalancer.server.port=3001"
      - "traefik.docker.network=proxy"
###############################################################################################################
###############################################################################################################
# VAULTWARDEN
# See video: https://youtu.be/DnAOiYhdiII
###############################################################################################################
###############################################################################################################
  vaultwarden:
    container_name: vaultwarden
    image: vaultwarden/server:latest
    volumes:
      - '${WORKING_DIR}/vaultwarden/:/data/'
    restart: unless-stopped
    networks:
      proxy:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.vaultwarden.entrypoints=http"
      - "traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.$DOMAIN`)"
      - "traefik.http.middlewares.vaultwarden-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.vaultwarden.middlewares=vaultwarden-https-redirect"
      - "traefik.http.routers.vaultwarden-secure.entrypoints=https"
      - "traefik.http.routers.vaultwarden-secure.rule=Host(`vaultwarden.$DOMAIN`)"
      - "traefik.http.routers.vaultwarden-secure.tls=true"
      - "traefik.http.routers.vaultwarden-secure.service=vaultwarden"
      - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
      - "traefik.docker.network=proxy"
    security_opt:
      - no-new-privileges:true
volumes:
  portainer_data:
  database:
    driver: local
  redis:
    driver: local
networks:
  proxy:
    name: proxy
    driver: bridge
    ipam:
      config:
        - subnet: 10.8.250.0/24
  pihole_internal:
    name: pihole_internal
    driver: bridge
    ipam:
      config:
        - subnet: 172.70.9.0/29
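Added example, not part of the original posts: the static config above sets `serversTransport.insecureSkipVerify: true`, which disables backend certificate verification for every HTTPS service Traefik proxies. The fragment below scopes that to the Proxmox service with a named transport in the dynamic `config.yaml`; the transport names and the mount path `/certs/pve-root-ca.pem` are assumptions, and it presumes Proxmox still serves its default cluster-signed certificate.

```yaml
# config.yaml (file provider) - sketch of a per-service transport.
# Assumes the global "serversTransport: insecureSkipVerify: true" block
# has been removed from traefik.yaml.
http:
  serversTransports:
    # Weaker option: still skips verification, but only for services
    # that reference this transport by name.
    proxmox-insecure:
      insecureSkipVerify: true

    # Stronger option: verify the backend against the Proxmox cluster CA.
    # /certs/pve-root-ca.pem is an assumed mount path inside the Traefik
    # container holding a copy of /etc/pve/pve-root-ca.pem from the
    # Proxmox host.
    proxmox-verified:
      rootCAs:
        - /certs/pve-root-ca.pem
      # serverName: <name in the Proxmox certificate>  # only if the
      # certificate does not cover the address used in "url" below

  services:
    proxmox:
      loadBalancer:
        serversTransport: proxmox-verified   # or proxmox-insecure
        servers:
          - url: "https://192.168.0.2:8006"
        passHostHeader: true
```

Once the global setting is removed, the other HTTPS backends in this stack (the `portainer` and `authentik` services on port 9443) need a transport of their own; for Docker-label services that is `traefik.http.services.<name>.loadbalancer.serverstransport=<transport>@file`.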