admin_jk/mapletree
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
mapletree/lxc1/p1-ingress/traefik.yml
admin 5fcd08d9c7
Some checks are pending
PVE2 Infrastructure Deploy / terraform (push) Waiting to run
Details
update traefik dns resolvers and wud names
2026-02-06 08:00:46 -07:00

60 lines
No EOL
3.1 KiB
YAML
Raw Blame History

services:
traefik:
image: traefik:latest
container_name: traefik-node${TRAEFIK_NODE_ID}
network_mode: host
extra_hosts:
- "host.docker.internal:host-gateway"
cpus: 1.0
mem_limit: "1024m"
mem_reservation: "128m"
restart: always
command:
# --- Core & API ---
- "--api.dashboard=true"
# REMOVED: --api.insecure=true (We will route the dashboard securely via Traefik labels instead)
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--providers.docker.network=${REQUIRED_NETWORKS}" # Ensure these are correct!
- "--providers.file.directory=/etc/traefik/dynamic"
- "--providers.file.watch=true"
# --- Entrypoints ---
- "--entrypoints.web.address=:80"
# Global Redirect: Force HTTP -> HTTPS for everyone
- "--entrypoints.web.http.redirections.entryPoint.to=websecure"
- "--entrypoints.web.http.redirections.entryPoint.scheme=https"
- "--entrypoints.websecure.address=:443"
# WILDCARD BLANKET: This tells Traefik "Use deSEC to get a wildcard cert for EVERYTHING on port 443"
- "--entrypoints.websecure.http.tls.certresolver=desec"
- "--entrypoints.websecure.http.tls.domains[0].main=mapletree.email"
- "--entrypoints.websecure.http.tls.domains[0].sans=*.mapletree.email"
- "--entrypoints.websecure.http.tls.domains[0].sans=*.dev.mapletree.email" # Optional: Add your dev subdomain too
- "--entrypoints.websecure.http.tls.domains[0].sans=*.test.mapletree.email"
# --- One Resolver to Rule Them All (deSEC) ---
# I renamed this to 'desec' for clarity.
- "--certificatesresolvers.desec.acme.dnschallenge=true"
- "--certificatesresolvers.desec.acme.dnschallenge.provider=desec"
- "--certificatesresolvers.desec.acme.email=${ACME_EMAIL}"
- "--certificatesresolvers.desec.acme.storage=/letsencrypt/acme.json"
- "--certificatesresolvers.mysresolver.acme.dnschallenge=true"
- "--certificatesresolvers.myresolver.acme.dnschallenge.provider=desec"
- "--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL}"
- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
- "--certificatesresolvers.dns_resolver.acme.dnschallenge=true"
- "--certificatesresolvers.dns_resolver.acme.dnschallenge.provider=desec"
- "--certificatesresolvers.dns_resolver.acme.email=${ACME_EMAIL}"
- "--certificatesresolvers.dns_resolver.acme.storage=/letsencrypt/acme.json"
# Optimization: deSEC is fast; we don't need massive delays or propagation checks
- "--certificatesresolvers.desec.acme.dnschallenge.delaybeforecheck=10"
- "--certificatesresolvers.desec.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
- "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
- "--certificatesresolvers.dns_resolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
environment:
- DESEC_TOKEN=${DESEC_TOKEN}
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- "/docker/traefik/letsencrypt:/letsencrypt"
- "/docker/traefik/dynamic:/etc/traefik/dynamic"
Reference in a new issue View git blame Copy permalink