Add Pi-hole with AdGuard DOH/DOT integration, reorganize swarm stacks, add DNS/n8n docs

services/swarm/traefik/dynamic.yml

@@ -0,0 +1,123 @@
+http:
+  middlewares:
+    # Middleware to redirect non-www to www (optional, valid for steril.xyz if needed)
+    # my-www-redirect:
+    #   redirectRegex:
+    #     regex: "^https?://(?:www\\.)?(.+)"
+    #     replacement: "https://www.$${1}"
+    
+    # Secure Headers Middleware
+    security-headers:
+      headers:
+        customResponseHeaders:
+          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
+          server: ""
+        sslProxyHeaders:
+          X-Forwarded-Proto: https
+        referrerPolicy: "same-origin"
+        hostsProxyHeaders:
+          - "X-Forwarded-Host"
+        customRequestHeaders:
+          X-Forwarded-Proto: "https"
+        contentTypeNosniff: true
+        browserXssFilter: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsSeconds: 63072000
+        stsPreload: true
+
+    # Basic Auth Middleware (Example)
+    # my-basic-auth:
+    #   basicAuth:
+    #     users:
+    #       - "admin:$apr1$..."
+
+  tls:
+    options:
+      default:
+        minVersion: VersionTLS12
+        cipherSuites:
+          - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+          - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+          - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+          - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+          - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+
+  routers:
+    # Pi-hole
+    pihole:
+      rule: "Host(`pihole.sterl.xyz`)"
+      service: pihole
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: cfresolver
+
+    # Pi-hole 2
+    pihole2:
+      rule: "Host(`pihole2.sterl.xyz`)"
+      service: pihole2
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: cfresolver
+
+    # Proxmox (HTTPS)
+    proxmox:
+      rule: "Host(`proxmox.sterl.xyz`)"
+      service: proxmox
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: cfresolver
+
+    # Proxmox Monitor
+    proxmox-monitor:
+      rule: "Host(`proxmox-monitor.sterl.xyz`)"
+      service: proxmox-monitor
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: cfresolver
+
+    # OpenMediaVault (OMV)
+    omv:
+      rule: "Host(`omv.sterl.xyz`)"
+      service: omv
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: cfresolver
+
+  services:
+    pihole:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.1.196:7300"
+    
+    pihole2:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.1.245:7300"
+
+    proxmox:
+      loadBalancer:
+        servers:
+          # Proxmox typically runs on HTTPS with self-signed certs
+          - url: "https://192.168.1.57:8006"
+        serversTransport: "insecureSkipVerify"
+
+    proxmox-monitor:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.1.57:8008"
+
+    omv:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.1.70:80"
+
+  serversTransports:
+    insecureSkipVerify:
+      insecureSkipVerify: true
+

services/swarm/traefik/traefik.yml

@@ -1,54 +1,98 @@
-# traefik.yml - static configuration (file provider)
-checkNewVersion: true
-sendAnonymousUsage: false
+version: '3.8'
 
-log:
-  level: INFO
+networks:
+  traefik-public:
+    external: true
 
-api:
-  dashboard: true
-  insecure: false   # set to true only for quick local testing (not recommended for public)
+volumes:
+  traefik_letsencrypt:
+    external: true
 
-# single entryPoints section (merged)
-entryPoints:
-  web:
-    address: ":80"
-    http:
-      redirections:
-        entryPoint:
-          to: websecure
-          scheme: https
-    # optional timeouts can live under transport as well (kept only on websecure below)
+configs:
+  traefik_dynamic:
+    external: true
 
-  websecure:
-    address: ":443"
-    http:
-      tls:
-        certResolver: leresolver
-    transport:
-      respondingTimeouts:
-        # keep these large if you expect long uploads/downloads or long-lived requests
-        readTimeout: 600s
-        writeTimeout: 600s
-        idleTimeout: 600s
+services:
+  traefik:
+    image: traefik:v3.6.4
+    ports:
+      - "80:80"
+      - "443:443"
+      - "8080:8080"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - traefik_letsencrypt:/letsencrypt
+    networks:
+      - traefik-public
+    configs:
+      - source: traefik_dynamic
+        target: /etc/traefik/dynamic.yml
+    environment:
+      # Cloudflare API Token (with DNS edit permissions for your domain)
+      - CF_DNS_API_TOKEN=vxrT1xXkioj3Iw3D-emU0I_FcaMb-PeYs_TLiOma
+      - CF_ZONE_API_TOKEN=vxrT1xXkioj3Iw3D-emU0I_FcaMb-PeYs_TLiOma
 
-providers:
-  swarm:
-    endpoint: "unix:///var/run/docker.sock"
+    # Optional: your Pi-hole DNS can stay
+    dns:
+      - 192.168.1.196
+      - 192.168.1.245
+      - 1.1.1.1
 
-certificatesResolvers:
-  leresolver:
-    acme:
-      email: "sterlenjohnson6@gmail.com"
-      storage: "/letsencrypt/acme.json"
-      # DNS-01, using DuckDNS provider
-      dnsChallenge:
-        provider: duckdns
-        delayBeforeCheck: 60s
-        # Usually unnecessary to specify "resolvers" unless you have special internal resolvers.
-        # If you DO need Traefik to use specific DNS servers for the challenge, make sure
-        # the container has network access to them and that they will answer public DNS queries.
-        resolvers:
-         - "192.168.1.196:53"
-         - "192.168.1.245:53"
-         - "192.168.1.62:53"
+    command:
+      # Entrypoints
+      - "--entrypoints.web.address=:80"
+      - "--entrypoints.websecure.address=:443"
+
+      # SWARM Provider
+      - "--providers.swarm=true"
+      - "--providers.swarm.network=traefik-public"
+      - "--providers.swarm.exposedbydefault=false"
+
+      # File Provider (Dynamic Config)
+      - "--providers.file.filename=/etc/traefik/dynamic.yml"
+      - "--providers.file.watch=true"
+
+      # Dashboard
+      - "--api.dashboard=true"
+      - "--api.insecure=false"
+
+      # HTTP -> HTTPS
+      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
+      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
+
+      # Let's Encrypt / ACME Cloudflare DNS Challenge
+      - "--certificatesresolvers.cfresolver.acme.email=sterlenjohnson6@gmail.com"
+      - "--certificatesresolvers.cfresolver.acme.storage=/letsencrypt/acme.json"
+      - "--certificatesresolvers.cfresolver.acme.dnschallenge=true"
+      - "--certificatesresolvers.cfresolver.acme.dnschallenge.provider=cloudflare"
+
+      # Optional: increase delay for propagation
+      - "--certificatesresolvers.cfresolver.acme.dnschallenge.propagation.delayBeforeChecks=60"
+      # Logging
+      - "--log.level=INFO"
+
+    deploy:
+      placement:
+        constraints:
+          - node.role == manager
+      labels:
+        # Dashboard Router
+        - "traefik.enable=true"
+        - "traefik.http.routers.traefik.rule=Host(`traefik.sterl.xyz`)"
+        - "traefik.http.routers.traefik.entrypoints=websecure"
+        - "traefik.http.routers.traefik.tls.certresolver=cfresolver"
+        - "traefik.http.services.traefik.loadbalancer.server.port=8080"
+        - "traefik.http.routers.traefik.service=api@internal"
+
+  whoami:
+    image: traefik/whoami
+    networks:
+      - traefik-public
+    deploy:
+      labels:
+        # Whoami Router
+        - "traefik.enable=true"
+        - "traefik.http.routers.whoami.rule=Host(`whoami.sterl.xyz`)"
+        - "traefik.http.routers.whoami.entrypoints=websecure"
+        - "traefik.http.routers.whoami.tls.certresolver=cfresolver"
+        - "traefik.http.services.whoami.loadbalancer.server.port=80"