LBP
/
ChristianLempa_Boilerplates
Mirror von https://github.com/ChristianLempa/boilerplates.git


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162
							---
kind: compose
schema: "1.1"
metadata:
  name: Traefik
  description: >
    Traefik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy.
    This template sets up Traefik with automatic HTTPS using Let's Encrypt and can be integrated with Authentik for SSO.


    Project: https://traefik.io/

    Documentation: https://doc.traefik.io/traefik/
  version: v3.5.3
  author: "Christian Lempa"
  date: "2025-10-02"
  tags:
    - traefik
    - authentik
    - swarm
  next_steps: |
    {% if swarm_enabled %}
    1. Deploy Traefik to Docker Swarm:
       docker stack deploy -c docker-compose.yaml traefik
    {% else %}
    1. Start Traefik with Docker Compose:
       docker compose up -d
    {% endif %}
spec:
  general:
    title: "General"
    required: true
    vars:
      service_name:
        default: "traefik"
      container_name:
        default: "traefik"
      container_hostname:
        default: "traefik"
  ports:
    needs: []
    vars:
      ports_http:
        type: "int"
        description: "HTTP port (external)"
        default: 80
        extra: "Maps to entrypoint 'web' (port 80)"
      ports_https:
        type: "int"
        description: "HTTPS port (external)"
        default: 443
        extra: "Maps to entrypoint 'websecure' (port 443)"
      ports_dashboard:
        type: "int"
        description: "Dashboard port (external)"
        default: 8080
        extra: "Only used when dashboard is enabled"
  traefik:
    title: "Settings"
    needs: []
    vars:
      traefik_network:
        type: "str"
        description: "Traefik network name"
        default: "traefik"
        extra: "Network that Traefik uses to connect to services"
      traefik_network_external:
        type: "bool"
        description: "Use existing Docker network (external)"
        default: false
      traefik_entrypoint:
        type: "str"
        description: "HTTP entrypoint (non-TLS)"
        default: "web"
      dashboard_enabled:
        type: "bool"
        description: "Enable Traefik dashboard"
        default: false
        extra: "WARNING: Don't use in production!"
      accesslog_enabled:
        type: "bool"
        description: "Enable Traefik access log"
        default: false
      prometheus_enabled:
        type: "bool"
        description: "Enable Prometheus metrics"
        default: false
        extra: "Exposes metrics on internal port 9090 (not publicly exposed)"
  traefik_tls:
    title: "TLS Settings"
    needs: []
    vars:
      traefik_tls_enabled:
        type: "bool"
        description: "Enable HTTPS/TLS with ACME"
        default: false
      traefik_tls_entrypoint:
        type: "str"
        description: "TLS entrypoint"
        default: "websecure"
      traefik_tls_certresolver:
        type: "str"
        description: "Traefik certificate resolver name"
        default: "cloudflare"
      traefik_tls_acme_provider:
        type: "enum"
        description: "ACME DNS challenge provider"
        default: "cloudflare"
        options:
          - "cloudflare"
        extra: "DNS provider for domain validation"
      traefik_tls_acme_token:
        type: "str"
        description: "DNS provider API token"
        sensitive: true
      traefik_tls_acme_email:
        type: "str"
        description: "Email address for ACME (Let's Encrypt) registration"
        default: "admin@example.com"
        extra: "Required for Let's Encrypt certificate requests"
      traefik_tls_redirect:
        type: "bool"
        description: "Redirect all HTTP traffic to HTTPS"
        default: true
      traefik_tls_min_version:
        type: "enum"
        description: "Minimum TLS version"
        default: "VersionTLS12"
        options:
          - "VersionTLS12"
          - "VersionTLS13"
        extra: "TLS 1.2 is recommended for compatibility, TLS 1.3 for maximum security"
      traefik_tls_secure_ciphers:
        type: "bool"
        description: "Enable strict cipher suites (recommended)"
        default: true
        extra: "Enforces modern, secure cipher suites"
      traefik_tls_skipverify:
        type: "bool"
        description: "Skip TLS verification for backend servers"
        default: false
        extra: "WARNING: Only enable for self-signed certificates in trusted environments"
  swarm:
    needs: []
    vars:
      traefik_tls_acme_secret_name:
        type: "str"
        description: "Docker Swarm secret name for API token"
        default: "cloudflare_api_token"
  authentik:
    title: Authentik Middleware
    description: Enable Authentik SSO integration for Traefik
    vars:
      authentik_outpost_url:
        type: "url"
        description: "Authentik outpost URL (e.g., http://authentik-outpost:9000)"
        default: "http://authentik-outpost:9000"
      traefik_authentik_middleware_name:
        type: "str"
        description: "Name of the Authentik middleware"
        default: "authentik"
        extra: "Reference this in router labels as '{name}@file'"