initial homelab structure from NAS

04_stack-traefik.yml

@@ -0,0 +1,93 @@
+# =============================================================================
+# 04_stack-traefik.yml  –  Phase 5 (separat, wenn bereit)
+# =============================================================================
+# WANN: Erst wenn Phase 1–4 stabil laufen.
+# NICHT gleichzeitig mit der Netz-Migration starten.
+#
+# Voraussetzungen:
+#   - Domain + DNS-Eintrag vorhanden
+#   - Port 80 + 443 auf Router weitergeleitet
+#   - ./traefik/traefik.yml angelegt (Vorlage unten)
+#   - ./traefik/dynamic/middlewares.yml angelegt (Vorlage unten)
+#
+# Nach dem Start pro Container in 03_stack-frontend.yml:
+#   - traefik.enable: "false" → "true"
+#   - yourdomain.tld anpassen
+#   - ports:-Block auskommentieren
+#   - docker compose -f 03_stack-frontend.yml up -d --force-recreate <name>
+# =============================================================================
+
+networks:
+  frontend_net:
+    external: true
+
+services:
+  traefik:
+    image: traefik:v3.3
+    container_name: traefik
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - traefik_certs:/certs
+      - ./traefik/traefik.yml:/etc/traefik/traefik.yml:ro
+      - ./traefik/dynamic:/etc/traefik/dynamic:ro
+    networks:
+      frontend_net:
+        ipv4_address: 172.20.0.2    # statische IP — Infrastrukturanker
+    labels:
+      traefik.enable: "true"
+      traefik.http.routers.traefik-dash.rule: "Host(`traefik.yourdomain.tld`)"
+      traefik.http.routers.traefik-dash.entrypoints: "websecure"
+      traefik.http.routers.traefik-dash.tls.certresolver: "letsencrypt"
+      traefik.http.routers.traefik-dash.service: "api@internal"
+      traefik.http.routers.traefik-dash.middlewares: "auth@file"
+      traefik.docker.network: "frontend_net"
+
+volumes:
+  traefik_certs:
+    name: traefik_certs
+
+# =============================================================================
+# traefik/traefik.yml (Vorlage):
+# =============================================================================
+# api:
+#   dashboard: true
+# entryPoints:
+#   web:
+#     address: ":80"
+#     http:
+#       redirections:
+#         entryPoint:
+#           to: websecure
+#           scheme: https
+#   websecure:
+#     address: ":443"
+# certificatesResolvers:
+#   letsencrypt:
+#     acme:
+#       email: deine@email.de
+#       storage: /certs/acme.json
+#       httpChallenge:
+#         entryPoint: web
+# providers:
+#   docker:
+#     exposedByDefault: false
+#     network: frontend_net
+#   file:
+#     directory: /etc/traefik/dynamic
+#     watch: true
+#
+# =============================================================================
+# traefik/dynamic/middlewares.yml (Vorlage):
+# =============================================================================
+# http:
+#   middlewares:
+#     auth:
+#       basicAuth:
+#         users:
+#           - "admin:$apr1$..."  # htpasswd generieren: htpasswd -nb admin passwort