Initial Traefik reverse proxy configuration

Configure Traefik v2.10 with: - Automatic HTTPS using Let's Encrypt - HTTP to HTTPS redirect - Docker service discovery - Security headers middleware - Dashboard with basic auth Configured services: - Mealie (recipes.pkartchner.com) - Gogs (git.pkartchner.com) - Traefik Dashboard (traefik.pkartchner.com) Features: - Automatic SSL certificate management - Force HTTPS on all services - Security headers (HSTS, frame options, XSS protection) - Docker network isolation Next steps: Configure DNS records and port forwarding (see SETUP-INSTRUCTIONS.md) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-20 19:07:55 +00:00
commit bd1dc1abed
6 changed files with 507 additions and 0 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,44 @@
+version: '3.8'
+
+services:
+  traefik:
+    image: traefik:v2.10
+    container_name: traefik
+    restart: always
+    security_opt:
+      - no-new-privileges:true
+    networks:
+      - traefik
+    ports:
+      - "80:80"      # HTTP
+      - "443:443"    # HTTPS
+      - "8080:8080"  # Traefik Dashboard (optional, can be disabled)
+    environment:
+      - TZ=America/Denver
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./traefik.yml:/traefik.yml:ro
+      - ./acme.json:/acme.json
+      - ./config.yml:/config.yml:ro
+    labels:
+      - "traefik.enable=true"
+      # Dashboard
+      - "traefik.http.routers.traefik.rule=Host(`traefik.pkartchner.com`)"
+      - "traefik.http.routers.traefik.entrypoints=https"
+      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.traefik.service=api@internal"
+      - "traefik.http.routers.traefik.middlewares=traefik-auth"
+      # Dashboard auth (username: admin, password: change-this-password)
+      # Generate new password: echo $(htpasswd -nb admin yourpassword) | sed -e s/\\$/\\$\\$/g
+      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$8evjlb96$$v8Y6gLV8KLVhqGB1N9NKQR/"
+      # Global redirect to HTTPS
+      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
+      - "traefik.http.routers.http-catchall.entrypoints=http"
+      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+
+networks:
+  traefik:
+    name: traefik
+    driver: bridge