Skip to content

Instantly share code, notes, and snippets.

@amca01

amca01/docker-compose010918.yml

Last active April 9, 2020 08:36
Show Gist options
  • Save amca01/344f1103bde33b3b2430925505f8820b to your computer and use it in GitHub Desktop.
Save amca01/344f1103bde33b3b2430925505f8820b to your computer and use it in GitHub Desktop.
Download ZIP
traefik and docker files
Raw
docker-compose010918.yml
version: "3"
networks:
proxy:
external: true
internal:
external: false
services:
traefik:
image: traefik:1.6.0-alpine
container_name: traefik
restart: always
command: --web --docker --logLevel=DEBUG
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- $PWD/traefik.toml:/traefik.toml
- $PWD/acme.json:/acme.json
networks:
- proxy
ports:
- "80:80"
- "443:443"
labels:
- traefik.enable=true
- traefik.backend=traefik
- traefik.frontend.rule=Host:monitor.my.vps.net
- traefik.port=8080
- traefik.docker.network=proxy
mariadb:
image: mariadb
restart: always
environment:
- MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
networks:
- internal
labels:
- traefik.enable=false
webwork-db:
image: mariadb
volumes:
- "./.data/db:/var/lib/mysql"
restart: always
environment:
- MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
- MYSQL_DATABASE=webwork
- MYSQL_USER=webworkWrite
- MYSQL_PASSWORD:=${MYSQL_ROOT_PASSWORD}
networks:
- internal
labels:
- traefik.enable=false
adminer:
image: adminer:4.3.1-standalone
labels:
- traefik.enable=true
- traefik.backend=adminer
- traefik.frontend.rule=Host:adminer.my.vps.net
- traefik.docker.network=proxy
- traefik.port=8080
networks:
- internal
- proxy
depends_on:
- mariadb
portainer:
image: portainer/portainer
command: -H unix:///var/run/docker.sock
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- portainer_data:/data
labels:
- traefik.enable=true
- traefik.backend=portainer
- traefik.docker.network=proxy
- traefik.port=9000
- traefik.frontend.rule=Host:portainer.my.vps.net
networks:
- proxy
kanboard:
image: kanboard/kanboard:latest
volumes:
- kanboard_data:/var/www/app/data
- kanboard_plugins:/var/www/app/plugins
networks:
- proxy
labels:
- traefik.enable=true
- traefik.backend=kanboard
- traefik.docker.network=proxy
- traefik.port=80
- traefik.frontend.rule=Host:kanboard.my.vps.net
# blog:
# build: .
# image: blog:latest
# ports:
# - "1313:1313"
# command: hugo server --theme=blackburn --buildDrafts --watch
# volumes:
# - .:/src
# labels:
# - traefik.enable=true
# - traefik.backend=blog
# - traefik.docker.network=proxy
# - traefik.port=1313
# - traefik.frontend.rule=Host:blog.my.vps.net
volumes:
portainer_data:
kanboard_data:
kanboard_plugins:
Raw
docker-traefik
# This is the docker-compose.yml file
version: "3"
networks:
proxy:
external: true
internal:
external: false
services:
mariadb:
image: mariadb
environment:
- MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
networks:
- internal
labels:
- traefik.enable=false
adminer:
image: adminer:4.3.1-standalone
labels:
- traefik.enable=true
- traefik.backend=adminer
- traefik.frontend.rule=Host:adminer.my.vps.net
- traefik.docker.network=proxy
- traefik.port=8080
networks:
- internal
- proxy
depends_on:
- mariadb
portainer:
image: portainer/portainer
command: -H unix:///var/run/docker.sock
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- portainer_data:/data
labels:
- traefik.enable=true
- traefik.backend=portainer
- traefik.docker.network=proxy
- traefik.port=8080
- traefik.frontend.rule=Host:portainer.my.vps.net
volumes:
portainer_data:
Raw
traefik.toml
# New version as of August 13, 2018
defaultEntryPoints = ["http", "https"]
[api]
debug = true
address = ":8080"
# Don't know eher (if anywhere) to put authentication
# [web.auth.basic]
# users = ["admin:$apr1$v7kJtvT7$h0F7kxt.lAzFH4sZ8Z9ik."]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
# Below here comes from www.smarthomebeginner.com/traefik-reverse-proxy-tutorial-for-docker/
# with values adjusted for local use, of course
# Let's encrypt configuration
[acme]
email="[email protected]"
storage="acme.json"
acmeLogging=true
caServer = "https://acme-v01.api.letsencrypt.org/directory"
onDemand = false #create certificate when container is created
onHostRule = true
# Use a HTTP-01 acme challenge rather than TLS-SNI-01 challenge
entryPoint = "https"
[acme.httpChallenge]
entryPoint = "http"
[[acme.domains]]
main = "my.vps.net"
[[acme.domains]]
main = "portainer.my.vps.net"
[[acme.domains]]
main = "monitor.my.vps.net"
[[acme.domains]]
main = "adminer.my.vps.net"
# Connection to docker host system (docker.sock)
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "my.vps.net"
watch = true
# This will hide all docker containers that don't have explicitly
# set label to "enable"
exposedbydefault = false
Raw
traefik_010918.toml
defaultEntryPoints = ["http", "https"]
[web]
address = ":8080"
[web.auth.basic]
users = ["admin:$apr1$v7kJtvT7$h0F7kxt.lAzFH4sZ8Z9ik."]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[traefikLog]
filePath="./traefik.log"
format = "json"
# Below here comes from
# www.smarthomebeginner.com/traefik-reverse-proxy-tutorial-for-docker/
# with values adjusted for local use, of course
# Let's encrypt configuration
[acme]
email="[email protected]"
storage="acme.json"
# caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
# caServer = "https://acme-v01.api.letsencrypt.org/directory"
acmeLogging=true
onDemand = true #create certificate when container is created
onHostRule = true
entryPoint = "https"
# Use a HTTP-01 acme challenge rather than TLS-SNI-01 challenge
[acme.httpChallenge]
entryPoint = "http"
[[acme.domains]]
main = "my.vps.net"
sans = ["monitor.my.vps.net", "adminer.my.vps.net", "portainer.my.vps.net", "kanboard.my.vps.net", "webwork.my.vps.net",
"blog.my.vps.net"]
# Connection to docker host system (docker.sock)
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "my.vps.net"
watch = true
# This will hide all docker containers that don't have explicitly
# set label to "enable"
exposedbydefault = false
@br2490
Copy link

br2490 commented Aug 12, 2018
edited
Loading

Were you able to get this working @amca01?

Wildcard certs require DNS-01 challenge
https://docs.traefik.io/configuration/acme/#wildcard-domains
Try without the wildcard and see if you have Traefik ACME magic.

Some other notes if they're helpful
Double check perms on your acme.json -> chmod 600
Why does it have that path? acme.json should be in the root of the running Traefik container AFAIK. Change your mount ./somepath/acme.json:/acme.json

Don't get rate limited by LE!!! Use STAGING!
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"

Deprecate [web] use [api]
https://docs.traefik.io/configuration/api/

create a new entrypoint for your API if you do not dashboard on port 9000 (edit: sorry, I'm drunk (not really), please ignore the port 9000, that's Portainers port IIRC.)

[entryPoints]
...[snip]...
  [entryPoints.dockerapi]
  address = ":8080"

[api]
  # Name of the related entry point
  #
  # Optional
  # Default: "traefik"
  #
  entryPoint = "dockerapi"

  # Enabled Dashboard
  #
  # Optional
  # Default: true
  #
  dashboard = true

  # Enable debug mode.
  # This will install HTTP handlers to expose Go expvars under /debug/vars and
  # pprof profiling data under /debug/pprof/.
  # Additionally, the log level will be set to DEBUG.
  #
  # Optional
  # Default: false
  #
  debug = true

Debug as usual, API (dashboard) should be a little more verbose.

And yes the documentation is ...challenging to say the least.

Best!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment