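version: '3.8'

# Traefik v3 edge router for a Docker Swarm stack.
# Static configuration is passed as CLI flags below; the dynamic configuration
# (the security-headers, rate-limit and auth middlewares referenced as *@file)
# is read from ./dynamic. Only the public ingress ports 80 and 443 are published.
services:
  traefik:
    image: traefik:v3.0
    command:
      # API and dashboard. api.insecure=false keeps the dashboard off the
      # unauthenticated internal :8080 entry point; it is reachable only through
      # the authenticated traefik-dashboard router defined under deploy.labels.
      - --api.dashboard=true
      - --api.insecure=false

      # Swarm provider. Traefik v3 removed providers.docker.swarmMode; Swarm
      # services are discovered through the dedicated swarm provider, which reads
      # the labels under deploy.labels. exposedByDefault=false keeps every
      # service private unless it opts in with traefik.enable=true.
      - --providers.swarm.endpoint=unix:///var/run/docker.sock
      - --providers.swarm.exposedByDefault=false
      - --providers.swarm.network=traefik-public

      # Entry points. Everything arriving on :80 is redirected to :443, and every
      # router attached to websecure is forced to serve TLS, so a router that
      # forgets its tls settings cannot fall back to plaintext HTTP on port 443.
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.http.tls=true
      # Dedicated, unpublished entry point for the health probe (see --ping below).
      - --entrypoints.ping.address=:8082

      # SSL/TLS configuration: ACME HTTP-01 on the web entry point (Traefik
      # serves the challenge itself, ahead of the redirection).
      - --certificatesresolvers.letsencrypt.acme.email=admin@yourdomain.com
      - --certificatesresolvers.letsencrypt.acme.storage=/certificates/acme.json
      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web

      # Entry-point middlewares, in the documented single comma-separated form.
      # The original passed this flag twice (security-headers@file, then
      # rate-limit@file); whether both survive then depends on how repeated
      # flags are merged, and the security headers could be silently dropped.
      - --entrypoints.websecure.http.middlewares=security-headers@file,rate-limit@file

      # Logging
      - --log.level=INFO
      - --accesslog=true
      - --accesslog.filepath=/var/log/traefik/access.log
      - --accesslog.format=json

      # Metrics. manualRouting=true disables the built-in /metrics router on the
      # default internal :8080 entry point, so the metrics are reachable only
      # through the authenticated traefik-metrics router (prometheus@internal)
      # defined under deploy.labels.
      - --metrics.prometheus=true
      - --metrics.prometheus.manualRouting=true
      - --metrics.prometheus.addEntryPointsLabels=true
      - --metrics.prometheus.addServicesLabels=true

      # Health checks. /ping is served on the unpublished ping entry point and is
      # therefore reachable only from inside the overlay network. The original
      # bound it to web, where the global HTTPS redirection above answers the
      # probe with a redirect and the path was reachable from the internet for
      # any Host, so no health router is needed in deploy.labels any more.
      - --ping=true
      - --ping.entryPoint=ping

      # File provider for the dynamic configuration (the *@file middlewares)
      - --providers.file.directory=/etc/traefik/dynamic
      - --providers.file.watch=true

    # Only the public ingress ports are published. Swarm publishes ports in
    # ingress mode on every node, so the original "8080:8080" (commented as
    # "internal only") would have exposed the internal entry point cluster-wide,
    # with no authentication in front of whatever Traefik serves there.
    ports:
      - "80:80"
      - "443:443"

    volumes:
      # NOTE(review): the :ro mount only makes the socket file read-only; the
      # container can still issue any Docker API call, and on a manager node
      # that is control of the whole swarm. Prefer a filtered socket proxy that
      # allows only the read endpoints the swarm provider needs.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik-certificates:/certificates
      - traefik-logs:/var/log/traefik
      - ./dynamic:/etc/traefik/dynamic:ro
      # NOTE(review): static configuration is also given on the command line
      # above. Traefik reads static configuration from one source, so confirm
      # which of the two is meant to be authoritative and drop the other.
      - ./traefik.yml:/etc/traefik/traefik.yml:ro

    networks:
      - traefik-public

    deploy:
      placement:
        constraints:
          - node.role == manager
        preferences:
          - spread: node.labels.zone
      # NOTE(review): acme.json lives in a node-local volume, so with two
      # replicas each instance negotiates its own certificates, and an HTTP-01
      # challenge arriving through the ingress mesh may reach the replica that
      # did not request it. Run a single replica or share the ACME storage
      # before relying on automatic issuance.
      replicas: 2
      resources:
        limits:
          memory: 512M
          cpus: '0.5'
        reservations:
          memory: 256M
          cpus: '0.25'
      labels:
        # Traefik dashboard: HTTPS only, behind the auth@file middleware.
        - "traefik.enable=true"
        - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik.yourdomain.com`)"
        - "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
        - "traefik.http.routers.traefik-dashboard.tls.certresolver=letsencrypt"
        - "traefik.http.routers.traefik-dashboard.service=api@internal"
        - "traefik.http.routers.traefik-dashboard.middlewares=auth@file"

        # Metrics: prometheus@internal (enabled by manualRouting above), same
        # host and auth as the dashboard. The longer rule wins over the
        # dashboard's plain Host() rule for /metrics.
        - "traefik.http.routers.traefik-metrics.rule=Host(`traefik.yourdomain.com`) && PathPrefix(`/metrics`)"
        - "traefik.http.routers.traefik-metrics.entrypoints=websecure"
        - "traefik.http.routers.traefik-metrics.tls.certresolver=letsencrypt"
        - "traefik.http.routers.traefik-metrics.service=prometheus@internal"
        - "traefik.http.routers.traefik-metrics.middlewares=auth@file"

      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s

      update_config:
        parallelism: 1
        delay: 10s
        order: start-first

      rollback_config:
        parallelism: 1
        delay: 5s
        order: stop-first

volumes:
  traefik-certificates:
    driver: local
  traefik-logs:
    driver: local

networks:
  # Pre-created overlay network shared with the services Traefik fronts.
  traefik-public:
    external: true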