proxy-stack.yaml
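# Swarm stack: Traefik v2 edge proxy plus a fail2ban container that reads
# Traefik's access log (and other logs) from shared storage.
version: "3.8"

services:
  traefik:
    image: traefik:v2.11
    ports:
      # Host mode for 80, 443 so that we get external IP addresses in X-Real-Ip header
      # https://stackoverflow.com/questions/49415595/docker-swarm-get-real-ip-client-host-in-nginx
      - mode: host
        protocol: tcp
        published: 80
        target: 80
      - mode: host
        protocol: tcp
        published: 443
        target: 443
      # Traefik dashboard.
      # NOTE(review): together with --api.insecure=true below this serves the
      # dashboard AND the API without authentication on port 8080. Short-syntax
      # ports in a stack go through the swarm ingress mesh, so the port is
      # presumably reachable on every node - confirm it is firewalled. The
      # hardened setup is to stop publishing 8080 and expose api@internal
      # through a router on websecure behind an auth middleware.
      - "8080:8080"
    command:
      # Dash on port 8080 without auth.
      # See https://docs.traefik.io/v2.0/operations/dashboard/#secure-mode
      - --api.insecure=true
      - --api.dashboard=true
      - --api.debug=false
      - --log.level=INFO
      - --providers.docker=true
      - --providers.docker.swarmmode=true
      # Only services that opt in via labels are routed.
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=proxy_default
      - --providers.file.filename=/config/dynamic_conf.yml
      - --providers.file.watch=true
      - --entrypoints.web.address=:80
      # Force HTTPS
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.mytlschallenge.acme.httpchallenge.entrypoint=web
      # acme.json holds the ACME account key and certificate private keys;
      # keep the backing directory readable by root only.
      - --certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json
      - --accesslog=true
      - --accesslog.filepath=/logs/traefik.log
      - --accesslog.format=json
      - --accesslog.bufferingsize=0
      # Only 4xx responses are logged; this is the feed fail2ban consumes.
      - --accesslog.filters.statuscodes=400-498
      - --accesslog.fields.headers.defaultmode=keep
      # defaultmode=keep writes every header to disk, which for 401/403
      # responses includes submitted credentials and session cookies. Drop
      # those two so the log (also mounted into fail2ban) holds no secrets.
      # Assumes no fail2ban filter matches on these headers - confirm.
      - --accesslog.fields.headers.names.Authorization=drop
      - --accesslog.fields.headers.names.Cookie=drop
    environment:
      - TZ=Europe/Stockholm
    volumes:
      # NOTE(review): ":ro" only makes the bind mount read-only; the Docker API
      # behind the socket stays fully usable, so a compromise of Traefik is
      # effectively root on this manager node. A filtering socket proxy that
      # allows only the read endpoints Traefik needs is the usual mitigation.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /media/cluster/certs:/letsencrypt
      - /media/cluster/personal-search/passwd:/passwd:ro
      - /media/cluster/traefik:/config
      - /media/cluster/traefik/logs:/logs
    deploy:
      placement:
        constraints:
          # The swarm-mode Docker provider has to talk to a manager.
          - "node.role==manager"

  fail2ban:
    # NOTE(review): no tag, so this resolves to "latest" on every deploy; pin a
    # version tag or digest (<pinned-tag>) so updates are deliberate.
    image: crazymax/fail2ban
    cap_add:
      - NET_ADMIN
      - NET_RAW
    environment:
      - TZ=Europe/Stockholm
      - F2B_DB_PURGE_AGE=14d
    volumes:
      # NOTE(review): exposes root's SSH keys to this container. Presumably
      # needed by a ban action that logs in to another device - confirm, and
      # prefer mounting one dedicated, command-restricted key instead of the
      # whole directory.
      - /root/.ssh:/root/.ssh:ro
      - /media/cluster/fail2ban:/data
      - /media/cluster/traefik/logs/:/var/log/traefik:ro
      - /media/cluster/syslog/log/:/var/log/mikrotik:ro
      - /media/cluster/homeassistant/home-assistant.log:/var/log/homeassistant/home-assistant.log:ro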