homelab/ansible/roles/swarm-bootstrap/templates/traefik/docker-stack.yml.j2

networks:
  traefik:
    driver: overlay
    attachable: true
    name: traefik

secrets:
  cf_dns_api_token:
    file: "{{nfs_mount_path}}/traefik/secrets/cf-dns-api-token.secret"

services:
  traefik:
    image: traefik:v3.3
    command:
      - "--log.level=DEBUG"
      - "--configFile=/data/config/traefik.yml"
    ports:
      - "80:80"
      - "443:443"
      - "{{traefik_admin_port}}:8080"
    secrets:
      - "cf_dns_api_token"
    environment:
      - "CLOUDFLARE_EMAIL={{cf_email}}"
      - "CF_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_api_token"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - {{nfs_mount_path}}/traefik:/data
    networks:
      - traefik
    deploy:
      labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`traefik.{{app_domain_name}}`)"
      - "traefik.http.routers.api.entrypoints=websecure"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.middlewares=auth"
      - "traefik.http.routers.api.tls.certresolver=letsencrypt"
      - "traefik.http.routers.api.tls.domains[0].main=mnke.org"
      - "traefik.http.routers.api.tls.domains[0].sans=*.mnke.org"
      - "traefik.http.routers.api.tls.domains[1].main=stingray.mnke.org"
      - "traefik.http.routers.api.tls.domains[1].sans=*.stingray.mnke.org"
      - "traefik.http.middlewares.auth.basicauth.users={{traefik_htpasswd}}"
      # Dummy service for Swarm port detection. The port can be any valid integer value.
      - "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
      mode: replicated
      replicas: 1
      placement:
        constraints: [node.role == manager]

  whoami:
    image: "traefik/whoami"
    networks:
      - traefik
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.whoami.rule=Host(`whoami.stingray.mnke.org`)"
        - "traefik.http.routers.whoami.entrypoints=websecure"
        - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
        - "traefik.http.services.whoami.loadbalancer.server.port=80"
        - "traefik.swarm.network=traefik"