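# Docker Swarm stack: a Traefik v3 reverse proxy plus a "whoami" demo service.
# Traefik terminates TLS on :443, redirects :80 to HTTPS, discovers services
# through the Swarm provider, and serves its dashboard behind basic auth.
services:
  traefik:
    image: traefik:v3.5

    networks:
      # Connect to the 'homelab-local' overlay network for inter-container
      # communication across nodes.
      - homelab-local

    ports:
      # Expose Traefik's entry points to the Swarm.
      # Swarm requires the long syntax for ports.
      - target: 80        # Container port (Traefik web entry point)
        published: 80     # Host port exposed on the nodes
        protocol: tcp
        # 'host' mode binds directly to the node's IP where the task runs.
        # 'ingress' mode uses Swarm's Routing Mesh (load balances across nodes).
        # Choose based on your load balancing strategy. 'host' is often simpler
        # if using an external LB.
        mode: host
      - target: 443       # Container port (Traefik websecure entry point)
        published: 443    # Host port
        protocol: tcp
        mode: host

    volumes:
      # Mount the Docker socket for the Swarm provider.
      # This MUST be run from a manager node to access the Swarm API via the
      # socket.
      # NOTE: ':ro' only makes the socket *file* mount read-only; it does not
      # limit which Docker API calls can be made through the socket. Anything
      # that can talk to this socket has manager-level control of the Swarm,
      # so treat the Traefik container as highly privileged. A filtering
      # socket proxy that allows only the read endpoints Traefik needs reduces
      # that exposure.
      - /var/run/docker.sock:/var/run/docker.sock:ro  # Swarm API socket
      # TLS certificates referenced from the dynamic file configuration.
      - /home/doc/projects/swarm-data/appdata/traefik/certificates/local:/certs:ro
      # Directory holding dynamic.yml (file provider).
      - /home/doc/projects/swarm/conf/traefik-local-conf:/dynamic:ro

    # Traefik static configuration via command-line arguments
    command:
      # HTTP EntryPoint
      - "--entrypoints.web.address=:80"

      # Configure HTTP to HTTPS redirection
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"

      # HTTPS EntryPoint
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls=true"

      # Attach dynamic TLS file
      - "--providers.file.filename=/dynamic/dynamic.yml"

      # Providers
      # Enable the Docker Swarm provider (instead of Docker provider)
      - "--providers.swarm.endpoint=unix:///var/run/docker.sock"
      # Watch for Swarm service changes (requires socket access)
      - "--providers.swarm.watch=true"
      # Recommended: don't expose services by default; require explicit labels
      - "--providers.swarm.exposedbydefault=false"
      # Specify the default network for Traefik to connect to services
      - "--providers.swarm.network=homelab-local"

      # API & Dashboard
      - "--api.dashboard=true"   # Enable the dashboard
      # Explicitly disable insecure API mode, so the dashboard is reachable
      # only through the authenticated router defined in the labels below.
      - "--api.insecure=false"

      # Observability
      - "--log.level=INFO"       # Set the log level, e.g. INFO, DEBUG
      - "--accesslog=true"       # Enable access logs
      # Prometheus metrics are disabled. The value must be a valid boolean
      # (true/false); set it to true to enable metrics.
      - "--metrics.prometheus=false"

    deploy:
      replicas: 1
      placement:
        # Placement constraints restrict where Traefik tasks can run.
        # Running on manager nodes is common for accessing the Swarm API via
        # the socket.
        # NOTE(review): 'p0' is presumably a manager node - confirm, since the
        # Swarm provider needs a manager's socket.
        constraints:
          - node.hostname == p0

      # Traefik dynamic configuration via labels.
      # In Swarm, labels on the service definition configure Traefik routing
      # for that service.
      labels:
        - "traefik.enable=true"

        # Dashboard router
        - "traefik.http.routers.dashboard.rule=Host(`dashboard.swarm.localhost`)"
        - "traefik.http.routers.dashboard.entrypoints=websecure"
        - "traefik.http.routers.dashboard.service=api@internal"
        - "traefik.http.routers.dashboard.tls=true"

        # Basic-auth middleware.
        # '$$' is the Compose escape for a literal '$' in the htpasswd hash.
        # NOTE: this is an apr1 (MD5-based) hash stored in the stack file, so
        # it is readable by anyone with access to the file or to the service's
        # labels. Prefer a bcrypt hash, and consider basicauth.usersfile backed
        # by a Docker secret so the credential stays out of the labels.
        - "traefik.http.middlewares.dashboard-auth.basicauth.users=admin:$$apr1$$KWe9YrFZ$$pCQuQTJD16kxFTrVOtL8f."
        - "traefik.http.routers.dashboard.middlewares=dashboard-auth@swarm"

        # Service hint
        - "traefik.http.services.traefik.loadbalancer.server.port=8080"

  # Deploy the Whoami application
  whoami:
    # NOTE: no tag is given, so this resolves to ':latest'; pin a tag or
    # digest for reproducible deployments.
    image: traefik/whoami
    networks:
      - homelab-local
    deploy:
      labels:
        # Enable service discovery for Traefik
        - "traefik.enable=true"
        # Define the Whoami router rule
        - "traefik.http.routers.whoami.rule=Host(`whoami.swarm.localhost`)"
        # Expose Whoami on the HTTPS entrypoint
        - "traefik.http.routers.whoami.entrypoints=websecure"
        # Enable TLS
        - "traefik.http.routers.whoami.tls=true"
        # Expose the whoami port number to Traefik
        - "traefik.http.services.whoami.loadbalancer.server.port=80"

# Define the overlay network for Swarm
networks:
  homelab-local:
    # Created outside this stack; it must already exist when deploying.
    external: true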