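# Traefik edge proxy, written as what appears to be a Jinja2-style template
# that renders to a Compose file. Keep template delimiters out of comments:
# the template engine evaluates them there too.
services:
  traefik:
    # Templated scalars are quoted so the rendered value always parses as a
    # YAML string, whatever the variable expands to.
    image: "traefik:{{ traefik_version }}"
    container_name: traefik
    restart: unless-stopped
    command:
      - "--api.dashboard=true"
      - "--providers.docker=true"
      # Containers are routed only when they opt in with traefik.enable=true.
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network={{ sovereign_network_name }}"
      # Plain HTTP on :80 exists only to redirect to HTTPS on :443.
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.letsencrypt.acme.email={{ traefik_acme_email }}"
      - "--certificatesresolvers.letsencrypt.acme.storage=/acme.json"
      - "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
      # NOTE(review): no --accesslog flag is set, so only Traefik's own log
      # reaches the log driver; per-request records for detection and
      # incident response are not produced by this configuration.
      - "--log.level=INFO"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # The :ro flag makes only the socket file's mount read-only; requests
      # sent through it to the Docker API are not restricted. A compromise
      # of this container therefore reaches the Docker daemon. A filtering
      # socket proxy in front of the daemon narrows that exposure.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Holds the ACME account key and the issued certificates' private
      # keys. The host file must exist before start (otherwise Docker
      # creates a directory at that path) and Traefik expects mode 600.
      - "{{ traefik_data_dir }}/acme.json:/acme.json"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-dashboard.rule=Host(`{{ traefik_domain }}`)"
      - "traefik.http.routers.traefik-dashboard.tls=true"
      - "traefik.http.routers.traefik-dashboard.tls.certresolver=letsencrypt"
      # api@internal exposes the dashboard and API; the basic-auth
      # middleware below is the only access control on this router.
      - "traefik.http.routers.traefik-dashboard.service=api@internal"
      - "traefik.http.routers.traefik-dashboard.middlewares=traefik-auth"
      # basicauth.users takes htpasswd-style user:hash entries, not a
      # plaintext password.
      # NOTE(review): Compose interpolates "$", so every "$" in the rendered
      # hash must be doubled; confirm traefik_dashboard_password is stored
      # in that form. Labels can be read by anyone able to inspect the
      # container; basicauth.usersfile keeps the hash out of them.
      - "traefik.http.middlewares.traefik-auth.basicauth.users={{ traefik_dashboard_password }}"
      # Forward-auth middleware named "authentik". It is defined here but
      # not attached to the dashboard router above.
      - "traefik.http.middlewares.authentik.forwardauth.address=http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
      # NOTE(review): this passes the request's X-Forwarded-* headers to the
      # auth server unchanged. No entrypoint forwardedHeaders trust is
      # configured in the command list, which is what keeps client-supplied
      # values from being honoured; re-check this if a proxy or load
      # balancer is ever placed in front of Traefik.
      - "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true"
      # These identity headers are copied from the auth response to the
      # upstream request. Backends should be reachable only through this
      # proxy, or a direct client could supply the same headers itself.
      - "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"
    networks:
      - "{{ sovereign_network_name }}"
    logging:
      # GELF over UDP is unauthenticated, unencrypted and lossy: keep the
      # path to the collector on a trusted network and expect dropped
      # messages under load.
      driver: gelf
      options:
        gelf-address: "udp://{{ graylog_host }}:{{ graylog_gelf_port }}"
        tag: "traefik"

networks:
  # Pre-existing network shared with the routed services; Compose will not
  # create it.
  "{{ sovereign_network_name }}":
    external: true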