docker-compose.yaml aktualisiert

docker-compose.yaml

@@ -1,43 +1,62 @@
-api:
+services:
-  dashboard: true
-
-entryPoints:
-  entryPoints:
-  sshtls:
-    address: ":2222"  # Port 22 für SSH
-  web:
-    address: ":80"
-    http:
-      redirections:
-        entryPoint:
-          to: websecure
-          scheme: https
-  websecure:
-    address: ":443"
   traefik:
-    address: ":9090"  # Prometheus Metrics
+    environment:
+      - DOCKER_API_VERSION=1.47
+      # DOCKER_CLIENT_VERSION removed — not a valid Traefik env var
+    network_mode: host
+    image: traefik:3.6  # pinned version instead of :latest
+    container_name: traefik
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    # ports: not needed with network_mode: host
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /etc/traefik/traefik.yaml:/etc/traefik/traefik.yml
+      - /mnt/traefik/traefik-acme:/etc/traefik/acme
+    labels:
+      - "traefik.enable=true"
 
-providers:
+      # Dashboard router
-  docker:
+      - "traefik.http.routers.dashboard.rule=Host(`traefik.ljh31.de`)"
-    endpoint: "tcp://10.0.0.3:2375"
+      - "traefik.http.routers.dashboard.entrypoints=websecure"
-    exposedByDefault: false
+      - "traefik.http.routers.dashboard.tls=true"
+      - "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.dashboard.service=api@internal"
+      # Apply only one auth middleware — use keycloak-oauth2 if SSO is desired,
+      # or dashboard-auth for simple Basic Auth. Both are defined below; choose one.
+      - "traefik.http.routers.dashboard.middlewares=dashboard-auth"
 
+      # Basic Auth (fallback / alternative to Keycloak SSO)
+      - "traefik.http.middlewares.dashboard-auth.basicauth.users=admin:$$apr1$$xyz$$..."
 
-certificatesResolvers:
+      # Keycloak ForwardAuth middleware
-  letsencrypt:
+      # Requires a running OAuth2 proxy (e.g. oauth2-proxy or traefik-forward-auth)
-    acme:
+      # pointing at your Keycloak realm. Replace <OAUTH2_PROXY_URL> with its address.
-      email: "admin@ljh31.de"
+      - "traefik.http.middlewares.keycloak-oauth2.forwardauth.address=http://<OAUTH2_PROXY_URL>/oauth2/auth"
-      storage: "/etc/traefik/acme/acme.json"
+      - "traefik.http.middlewares.keycloak-oauth2.forwardauth.trustForwardHeader=true"
-      tlsChallenge: {}
+      - "traefik.http.middlewares.keycloak-oauth2.forwardauth.authResponseHeaders=X-Auth-Request-User,X-Auth-Request-Email"
+      # Fixed: was 'traefak' (typo) and used non-existent 'oauth3' type
 
+      # If switching to Keycloak SSO, change the router middleware line above to:
+      # - "traefik.http.routers.dashboard.middlewares=keycloak-oauth2"
+      # and configure your OAuth2 proxy with these Keycloak settings:
+      #   provider: keycloak-oidc
+      #   client-id: traefik
+      #   client-secret: ${KEYCLOAK_SECRET}
+      #   oidc-issuer-url: https://iam.ljh31.de/realms/traefik
+      #   redirect-url: https://traefik.ljh31.de/oauth2/callback   # fixed: https, not http
+      #   scope: openid profile email
 
-log:
+    healthcheck:
-  level: INFO
+      test: ["CMD", "traefik", "healthcheck"]
-  format: json
+      interval: 10s
-
+      timeout: 5s
-metrics:
+      retries: 3
-  prometheus:
-    entryPoint: traefik
-
-accessLog: {}
 
+# Removed unused named volume 'traefik-acme' — the bind mount above is used instead.
+# If you want a named Docker volume instead of a bind mount, replace the volume
+# entry under traefik with:  - traefik-acme:/etc/traefik/acme
+# and uncomment the block below:
+# volumes:
+#   traefik-acme: