67 lines
2.8 KiB
YAML
67 lines
2.8 KiB
YAML
services:
|
|
traefik:
|
|
environment:
|
|
- DOCKER_API_VERSION=1.47
|
|
# DOCKER_CLIENT_VERSION removed — not a valid Traefik env var
|
|
|
|
image: traefik:3.6 # pinned version instead of :latest
|
|
container_name: traefik
|
|
restart: unless-stopped
|
|
security_opt:
|
|
- no-new-privileges:true
|
|
ports:
|
|
- "80:80"
|
|
- "443:443"
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
|
- /etc/traefik/traefik.yaml:/etc/traefik/traefik.yml
|
|
- /mnt/traefik/traefik-acme:/etc/traefik/acme
|
|
labels:
|
|
- "traefik.enable=true"
|
|
|
|
# Dashboard router
|
|
- "traefik.http.routers.dashboard.rule=Host(`traefik.ljh31.de`)"
|
|
- "traefik.http.routers.dashboard.entrypoints=websecure"
|
|
- "traefik.http.routers.dashboard.tls=true"
|
|
- "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"
|
|
- "traefik.http.routers.dashboard.service=api@internal"
|
|
# Apply only one auth middleware — use keycloak-oauth2 if SSO is desired,
|
|
# or dashboard-auth for simple Basic Auth. Both are defined below; choose one.
|
|
- "traefik.http.routers.dashboard.middlewares=dashboard-auth"
|
|
|
|
# Basic Auth (fallback / alternative to Keycloak SSO)
|
|
- "traefik.http.middlewares.dashboard-auth.basicauth.users=admin:$$apr1$$xyz$$..."
|
|
|
|
# Keycloak ForwardAuth middleware
|
|
# Requires a running OAuth2 proxy (e.g. oauth2-proxy or traefik-forward-auth)
|
|
# pointing at your Keycloak realm. Replace <OAUTH2_PROXY_URL> with its address.
|
|
- "traefik.http.middlewares.keycloak-oauth2.forwardauth.address=http://<OAUTH2_PROXY_URL>/oauth2/auth"
|
|
- "traefik.http.middlewares.keycloak-oauth2.forwardauth.trustForwardHeader=true"
|
|
- "traefik.http.middlewares.keycloak-oauth2.forwardauth.authResponseHeaders=X-Auth-Request-User,X-Auth-Request-Email"
|
|
# Fixed: was 'traefak' (typo) and used non-existent 'oauth3' type
|
|
|
|
# If switching to Keycloak SSO, change the router middleware line above to:
|
|
# - "traefik.http.routers.dashboard.middlewares=keycloak-oauth2"
|
|
# and configure your OAuth2 proxy with these Keycloak settings:
|
|
# provider: keycloak-oidc
|
|
# client-id: traefik
|
|
# client-secret: ${KEYCLOAK_SECRET}
|
|
# oidc-issuer-url: https://iam.ljh31.de/realms/traefik
|
|
# redirect-url: https://traefik.ljh31.de/oauth2/callback # fixed: https, not http
|
|
# scope: openid profile email
|
|
|
|
healthcheck:
|
|
test: ["CMD", "traefik", "healthcheck"]
|
|
interval: 10s
|
|
timeout: 5s
|
|
retries: 3
|
|
networks:
|
|
traefik_network:
|
|
external: true
|
|
# Removed unused named volume 'traefik-acme' — the bind mount above is used instead.
|
|
# If you want a named Docker volume instead of a bind mount, replace the volume
|
|
# entry under traefik with: - traefik-acme:/etc/traefik/acme
|
|
# and uncomment the block below:
|
|
# volumes:
|
|
# traefik-acme:
|