From fa893f8cba9c27425903c933fa33e8f4a337ee35 Mon Sep 17 00:00:00 2001
From: Jens Beckmann
Date: Thu, 4 Jun 2026 18:13:11 +0000
Subject: [PATCH] docker-compose.yaml aktualisiert
---
docker-compose.yaml | 91 +++++++++++++++++++++++++++------------------
1 file changed, 55 insertions(+), 36 deletions(-)
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 17c00e3..1b8a38f 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -1,43 +1,62 @@ -api: - dashboard: true - -entryPoints: - entryPoints: - sshtls: - address: ":2222" # Port 22 für SSH - web: - address: ":80" - http: - redirections: - entryPoint: - to: websecure - scheme: https - websecure: - address: ":443" +services: traefik: - address: ":9090" # Prometheus Metrics + environment: + - DOCKER_API_VERSION=1.47 + # DOCKER_CLIENT_VERSION removed — not a valid Traefik env var + network_mode: host + image: traefik:3.6 # pinned version instead of :latest + container_name: traefik + restart: unless-stopped + security_opt: + - no-new-privileges:true + # ports: not needed with network_mode: host + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + - /etc/traefik/traefik.yaml:/etc/traefik/traefik.yml + - /mnt/traefik/traefik-acme:/etc/traefik/acme + labels: + - "traefik.enable=true" -providers: - docker: - endpoint: "tcp://10.0.0.3:2375" - exposedByDefault: false + # Dashboard router + - "traefik.http.routers.dashboard.rule=Host(`traefik.ljh31.de`)" + - "traefik.http.routers.dashboard.entrypoints=websecure" + - "traefik.http.routers.dashboard.tls=true" + - "traefik.http.routers.dashboard.tls.certresolver=letsencrypt" + - "traefik.http.routers.dashboard.service=api@internal" + # Apply only one auth middleware — use keycloak-oauth2 if SSO is desired, + # or dashboard-auth for simple Basic Auth. Both are defined below; choose one. + - "traefik.http.routers.dashboard.middlewares=dashboard-auth" + # Basic Auth (fallback / alternative to Keycloak SSO) + - "traefik.http.middlewares.dashboard-auth.basicauth.users=admin:$$apr1$$xyz$$..." -certificatesResolvers: - letsencrypt: - acme: - email: "admin@ljh31.de" - storage: "/etc/traefik/acme/acme.json" - tlsChallenge: {} + # Keycloak ForwardAuth middleware + # Requires a running OAuth2 proxy (e.g. oauth2-proxy or traefik-forward-auth) + # pointing at your Keycloak realm. Replace with its address. 
+ - "traefik.http.middlewares.keycloak-oauth2.forwardauth.address=http:///oauth2/auth" + - "traefik.http.middlewares.keycloak-oauth2.forwardauth.trustForwardHeader=true" + - "traefik.http.middlewares.keycloak-oauth2.forwardauth.authResponseHeaders=X-Auth-Request-User,X-Auth-Request-Email" + # Fixed: was 'traefak' (typo) and used non-existent 'oauth3' type + # If switching to Keycloak SSO, change the router middleware line above to: + # - "traefik.http.routers.dashboard.middlewares=keycloak-oauth2" + # and configure your OAuth2 proxy with these Keycloak settings: + # provider: keycloak-oidc + # client-id: traefik + # client-secret: ${KEYCLOAK_SECRET} + # oidc-issuer-url: https://iam.ljh31.de/realms/traefik + # redirect-url: https://traefik.ljh31.de/oauth2/callback # fixed: https, not http + # scope: openid profile email -log: - level: INFO - format: json - -metrics: - prometheus: - entryPoint: traefik - -accessLog: {} + healthcheck: + test: ["CMD", "traefik", "healthcheck"] + interval: 10s + timeout: 5s + retries: 3 +# Removed unused named volume 'traefik-acme' — the bind mount above is used instead. +# If you want a named Docker volume instead of a bind mount, replace the volume +# entry under traefik with: - traefik-acme:/etc/traefik/acme +# and uncomment the block below: +# volumes: +# traefik-acme:
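Review bot: The new `keycloak-oauth2` ForwardAuth middleware sets `forwardauth.trustForwardHeader=true` while Traefik runs with `network_mode: host` as the edge proxy, so client-supplied `X-Forwarded-*` headers would be passed through to the auth service unverified; unless a trusted proxy sits in front of Traefik, drop that label (the default is `false`), and note that `address=http:///oauth2/auth` has an empty host and will fail middleware creation until it is filled in. The Basic Auth label commits an `apr1` (MD5) placeholder hash into the compose file; prefer `traefik.http.middlewares.dashboard-auth.basicauth.usersfile=/etc/traefik/users` pointing at a bcrypt htpasswd file, or an env-substituted value, so the credential is not kept in VCS. Mounting `/var/run/docker.sock` with `:ro` does not restrict Docker API calls through the socket (container creation and host mounts remain possible), so a filtered socket proxy is the usual mitigation for a host-networked Traefik. The static configuration removed here (`api.dashboard`, `providers.docker.exposedByDefault: false`, the ACME resolver) presumably now lives in the mounted `/etc/traefik/traefik.yaml`, which is outside this diff — confirm `exposedByDefault` stays `false` there and that the bind-mounted `acme.json` is mode 600, since the `api@internal` router only works if the dashboard is enabled in that file.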