From f43b8b5b73ea20c37bfa62a2ef7d66530f9bc79f Mon Sep 17 00:00:00 2001
From: Micha
Date: Sat, 28 Mar 2026 13:49:34 +0000
Subject: [PATCH] feat: add traefik stack
---
traefik/docker-compose.yml | 60 ++++++++++++++++++++++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 traefik/docker-compose.yml
diff --git a/traefik/docker-compose.yml b/traefik/docker-compose.yml
new file mode 100644
index 0000000..a807114
--- /dev/null
+++ b/traefik/docker-compose.yml
@@ -0,0 +1,60 @@
+services:
+ traefik:
+ image: traefik:v3.6
+ container_name: traefik
+ restart: unless-stopped
+ security_opt:
+ - no-new-privileges:true
+ command:
+ - --api.dashboard=true
+ - --api.insecure=false
+ - --providers.docker=true
+ - --providers.docker.exposedbydefault=false
+ - --providers.docker.network=frontend_net
+ - --providers.file.directory=/dynamic
+ - --providers.file.watch=true
+ - --entrypoints.web.address=:80
+ - --entrypoints.web.http.redirections.entrypoint.to=websecure
+ - --entrypoints.web.http.redirections.entrypoint.scheme=https
+ - --entrypoints.web.http.redirections.entrypoint.permanent=true
+ - --entrypoints.websecure.address=:443
+ - --entrypoints.websecure.http.tls=true
+ - --certificatesresolvers.le.acme.email=mi.kaleschke@gmx.de
+ - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
+ - --certificatesresolvers.le.acme.dnschallenge=true
+ - --certificatesresolvers.le.acme.dnschallenge.provider=cloudflare
+ - --accesslog=true
+ - --log.level=INFO
+ environment:
+ - CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_dns_api_token
+ ports:
+ - "80:80"
+ - "443:443"
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ - /mnt/user/appdata/traefik/dynamic:/dynamic:ro
+ - /mnt/user/appdata/traefik/letsencrypt:/letsencrypt
+ secrets:
+ - cloudflare_dns_api_token
+ networks:
+ - frontend_net
+ - backend_net
+ labels:
+ - traefik.enable=true
+ - traefik.docker.network=frontend_net
+ - traefik.http.routers.traefik.rule=Host(`traefik.kaleschke.info`)
+ - traefik.http.routers.traefik.entrypoints=websecure
+ - traefik.http.routers.traefik.tls=true
+ - traefik.http.routers.traefik.tls.certresolver=le
+ - traefik.http.routers.traefik.service=api@internal
+ - traefik.http.routers.traefik.middlewares=dashboard-auth@file,secure-headers@file
+
+networks:
+ frontend_net:
+ external: true
+ backend_net:
+ external: true
+
+secrets:
+ cloudflare_dns_api_token:
+ file: /mnt/user/appdata/traefik/secrets/cloudflare_dns_api_token
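Review bot: The `/var/run/docker.sock:/var/run/docker.sock:ro` volume gives the one container that publishes ports 80 and 443 the full Docker Engine API. The `:ro` flag only stops the socket file from being replaced; it does not limit which API calls can be made over it. A flaw in Traefik or in a routed request path would therefore give control of the Docker daemon, which is root-equivalent on the host, and the container is also attached to `backend_net`. I would remove the socket mount from `traefik`, point the provider at a filtering socket proxy on an internal-only network, and allow only the read endpoints Traefik uses. The sketch below assumes the tecnativa proxy image; confirm the minimal endpoint set against your Traefik version. Separately, `traefik:v3.6` is a floating tag, so consider pinning it by digest.

```yaml
services:
  traefik:
    command:
      # … unchanged: existing flags …
      - --providers.docker.endpoint=tcp://docker-socket-proxy:2375
    volumes:
      # docker.sock mount dropped; Traefik reaches the API only through the proxy
      # … unchanged: /dynamic and /letsencrypt mounts …
    networks:
      # … unchanged: frontend_net, backend_net …
      - socket_net

  docker-socket-proxy:
    image: tecnativa/docker-socket-proxy  # pin to a reviewed tag or digest
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    environment:
      - CONTAINERS=1  # container list/inspect only; write (POST) access stays off
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket_net

networks:
  # … unchanged: frontend_net, backend_net …
  socket_net:
    internal: true
```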