homeserver/docker-compose/traefik/docker-compose.yml.j2

version: '3'
services:
######## traefik ########
  traefik:
    container_name: traefik
    image: "traefik:v3.0.4"
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/etc/traefik/traefik.yml
      - ./file-provider.yml:/etc/traefik/file-provider.yml
      - acme_data:/etc/traefik/acme
    networks:
      - traefik
    ports:
      - "80:80" # HTTP
      - "8081:8080" # Web-GUI
      - "443:443" # HTTPS
      - "2222:2222" # SSH
    environment:
      TZ: Europe/Berlin
    healthcheck:
      test: ["CMD", "traefik", "healthcheck", "--ping"]
      interval: 30s
      timeout: 10s
      retries: 3

######## nforwardauth ########
  nforwardauth:
    restart: always
    image: "nosduco/nforwardauth:v1.4.0"
    container_name: traefik-nforwardauth
    environment:
      TOKEN_SECRET: "{{ lookup('viczem.keepass.keepass', 'nforwardauth_token_secret', 'password') }}"
      AUTH_HOST: auth.mgrote.net
    labels:
      traefik.enable: true
      traefik.http.routers.nforwardauth.rule: Host(`auth.mgrote.net`)

      traefik.http.middlewares.nforwardauth.forwardauth.address: http://nforwardauth:3000

      traefik.http.services.nforwardauth.loadbalancer.server.port: 3000
      traefik.http.routers.nforwardauth.tls: true
      traefik.http.routers.nforwardauth.tls.certresolver: resolver_letsencrypt
      traefik.http.routers.nforwardauth.entrypoints: entry_https
    volumes:
      - "./passwd:/passwd:ro" # Mount local passwd file at /passwd as read only
    networks:
      - traefik
    healthcheck:
      test: ["CMD", "wget", "--quiet", "--spider", "--tries=1", "http://127.0.0.1:3000/login"]
      interval: 30s
      timeout: 10s
      retries: 3

######## Networks ########
networks:
  traefik:
    external: true
######## Volumes ########
volumes:
  acme_data:


# passwd
# echo "<user>:$(mkpasswd -m sha-512 <password>)"