From 237d012c5a70b13b896eb8ffc0e75cf27afc24c2 Mon Sep 17 00:00:00 2001
From: LRVT <21357789+l4rm4nd@users.noreply.github.com>
Date: Thu, 20 Jul 2023 16:51:02 +0200
Subject: [PATCH] Create docker-compose-command-config.yml

add traefik example with command definitions
---
 .../traefik/docker-compose-command-config.yml | 85 +++++++++++++++++++
 1 file changed, 85 insertions(+)
 create mode 100644 examples/traefik/docker-compose-command-config.yml

diff --git a/examples/traefik/docker-compose-command-config.yml b/examples/traefik/docker-compose-command-config.yml
new file mode 100644
index 0000000..43fda0b
--- /dev/null
+++ b/examples/traefik/docker-compose-command-config.yml
@@ -0,0 +1,85 @@
+# This docker compose example configures traefik by command definitions.
+# This makes the traefik.yml static configuration obsolete.
+# Note that we still reference a dynamic configuration for best practice
+
+version: '3.8'
+
+services:
+  traefik:
+    image: traefik:v2.9
+    container_name: traefik
+    command:
+      - --global.checkNewVersion=true # check for updates
+      - --global.sendAnonymousUsage=false # do not send anonymous statistics
+      - --providers.docker=true # enable docker provider
+      - --providers.docker.network=proxy # define default network to monitor for docker provider
+      - --providers.docker.exposedbydefault=false # do not expose docker hosts per default
+      - --providers.docker.swarmModeRefreshSeconds=15s # defeine swarm mode fresh seconds
+      - --providers.providersThrottleDuration=2s # define throttle duration
+      - --providers.file.watch=true # monitor file provider for changes
+      - --providers.file.filename=/etc/traefik/fileConfig.yml # location of the dynamic configuration
+      - --entrypoints.http.address=:80 # entrypoint for unencrypted http
+      - --entrypoints.http.forwardedHeaders.trustedIPs=103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32 # define cloudflare ip ranges as trusted
+      - --entrypoints.http.http.redirections.entryPoint.to=https # automatic redirect from http to https
+      - --entrypoints.http.http.redirections.entryPoint.scheme=https # automatic redirect from http to https
+      - --entrypoints.https.address=:443 # entrypoint for encrypted https
+      - --entrypoints.https.forwardedHeaders.trustedIPs=103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32 # define cloudflare ip ranges as trusted
+      - --entrypoints.https.http.middlewares=security-headers@file,rate-limit@file # define default middlewares for all proxy entries
+      - --api.dashboard=true # enable traefik api dashboard
+      - --api.insecure=true # expose traefik api dashboard on TCP/8080 without need for router
+      ####################################################
+      # !!! ADJUST TO YOUR INFRASTRUCTURE SETUP BELOW !!!!
+      - --entrypoints.https.http.tls.certresolver=cloudflare # define default cert resolver
+      - --entrypoints.https.http.tls.domains[0].main=example.com # define main domain, change to your domain
+      - --entrypoints.https.http.tls.domains[0].sans=*.example.com # define sans domain, change to your domain
+      - --certificatesresolvers.cloudflare.acme.email=mycloudflareemail@domain.tld # define your cloudflare email address
+      - --certificatesresolvers.cloudflare.acme.dnschallenge=true # enable dns challenge to obtain wildcard certificates
+      - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare # define provider for certificates
+      - --certificatesresolvers.cloudflare.acme.storage=/etc/traefik/acme.json # define acme path for certificate information
+      - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53 # define cloudflare dns servers as the resolver
+      ####################################################
+      - --log.level=INFO # enable log level
+      - --accesslog=true # enable access logs
+      - --accesslog.filepath=/logs/traefik.log # define access log path
+      - --accesslog.format=json # set access log format to json instead clm
+      - --accesslog.bufferingsize=0 # set access log buffer size to 0
+      - --accesslog.filters.statuscodes=400-599 # only log http errors in logs; alternatively set 200-599 to include successful http requests
+      - --accesslog.fields.headers.defaultmode=drop # drop all headers
+      - --serversTransport.insecureSkipVerify=true # set insecureSkipVerify to true to allow self-signed certificates
+    labels:
+      - traefik.enable=true # enable traefik
+      - traefik.http.routers.api.rule=Host(`traefik.example.com`) # define subdomain for the traefik api dashboard
+      - traefik.http.routers.api.service=api@internal # enable traefik api dashboard
+      - traefik.http.routers.api.middlewares=local-ipwhitelist@file,basic-auth@file # protect dashboard with basic auth and restrict access to private class subnets only    
+    ports:
+      - 80:80 # http
+      - 443:443 # https
+      - 127.0.0.1:8080:8080 # traefik api dashboard
+    networks:
+      - proxy # define traefik docker network
+    environment:
+      - TZ=Europe/Berlin # define timezone
+      - CF_DNS_API_TOKEN=<MY-CF-API-TOKEN> # define your cloudflare api token
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro # pass docker socket as read-only
+      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/traefik:/etc/traefik/ # bind mount volume for persistent traefik data
+      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/traefik/logs:/logs # bind mount volume for persistent traefik logs
+    restart: always # always restart traefik
+    extra_hosts:
+      - host.docker.internal:172.17.0.1 # define internal ip; helps for proxying to home assistant
+
+  whoami:
+    image: traefik/whoami
+    networks:
+      - proxy
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.whoami.rule=Host(`whoami.example.com`)
+      - traefik.http.services.whoami.loadbalancer.server.port=80
+      - traefik.docker.network=proxy
+      # Part for optional traefik middlewares
+      - traefik.http.routers.whoami.middlewares=local-ipwhitelist@file
+
+networks:
+  proxy:
+    external: true