Add Pi-hole with AdGuard DOH/DOT integration, reorganize swarm stacks, add DNS/n8n docs

2025-12-18 15:38:57 +00:00
parent 827f8bbf9d
commit f0c525d0df
44 changed files with 3013 additions and 486 deletions
--- a/services/swarm/traefik/traefik.yml
+++ b/services/swarm/traefik/traefik.yml
@@ -1,54 +1,98 @@
-# traefik.yml - static configuration (file provider)
-checkNewVersion: true
-sendAnonymousUsage: false
+version: '3.8'

-log:
-  level: INFO
+networks:
+  traefik-public:
+    external: true

-api:
-  dashboard: true
-  insecure: false   # set to true only for quick local testing (not recommended for public)
+volumes:
+  traefik_letsencrypt:
+    external: true

-# single entryPoints section (merged)
-entryPoints:
-  web:
-    address: ":80"
-    http:
-      redirections:
-        entryPoint:
-          to: websecure
-          scheme: https
-    # optional timeouts can live under transport as well (kept only on websecure below)
+configs:
+  traefik_dynamic:
+    external: true

-  websecure:
-    address: ":443"
-    http:
-      tls:
-        certResolver: leresolver
-    transport:
-      respondingTimeouts:
-        # keep these large if you expect long uploads/downloads or long-lived requests
-        readTimeout: 600s
-        writeTimeout: 600s
-        idleTimeout: 600s
+services:
+  traefik:
+    image: traefik:v3.6.4
+    ports:
+      - "80:80"
+      - "443:443"
+      - "8080:8080"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - traefik_letsencrypt:/letsencrypt
+    networks:
+      - traefik-public
+    configs:
+      - source: traefik_dynamic
+        target: /etc/traefik/dynamic.yml
+    environment:
+      # Cloudflare API Token (with DNS edit permissions for your domain)
+      - CF_DNS_API_TOKEN=vxrT1xXkioj3Iw3D-emU0I_FcaMb-PeYs_TLiOma
+      - CF_ZONE_API_TOKEN=vxrT1xXkioj3Iw3D-emU0I_FcaMb-PeYs_TLiOma

-providers:
-  swarm:
-    endpoint: "unix:///var/run/docker.sock"
+    # Optional: your Pi-hole DNS can stay
+    dns:
+      - 192.168.1.196
+      - 192.168.1.245
+      - 1.1.1.1

-certificatesResolvers:
-  leresolver:
-    acme:
-      email: "sterlenjohnson6@gmail.com"
-      storage: "/letsencrypt/acme.json"
-      # DNS-01, using DuckDNS provider
-      dnsChallenge:
-        provider: duckdns
-        delayBeforeCheck: 60s
-        # Usually unnecessary to specify "resolvers" unless you have special internal resolvers.
-        # If you DO need Traefik to use specific DNS servers for the challenge, make sure
-        # the container has network access to them and that they will answer public DNS queries.
-        resolvers:
-         - "192.168.1.196:53"
-         - "192.168.1.245:53"
-         - "192.168.1.62:53"
+    command:
+      # Entrypoints
+      - "--entrypoints.web.address=:80"
+      - "--entrypoints.websecure.address=:443"
+
+      # SWARM Provider
+      - "--providers.swarm=true"
+      - "--providers.swarm.network=traefik-public"
+      - "--providers.swarm.exposedbydefault=false"
+
+      # File Provider (Dynamic Config)
+      - "--providers.file.filename=/etc/traefik/dynamic.yml"
+      - "--providers.file.watch=true"
+
+      # Dashboard
+      - "--api.dashboard=true"
+      - "--api.insecure=false"
+
+      # HTTP -> HTTPS
+      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
+      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
+
+      # Let's Encrypt / ACME Cloudflare DNS Challenge
+      - "--certificatesresolvers.cfresolver.acme.email=sterlenjohnson6@gmail.com"
+      - "--certificatesresolvers.cfresolver.acme.storage=/letsencrypt/acme.json"
+      - "--certificatesresolvers.cfresolver.acme.dnschallenge=true"
+      - "--certificatesresolvers.cfresolver.acme.dnschallenge.provider=cloudflare"
+
+      # Optional: increase delay for propagation
+      - "--certificatesresolvers.cfresolver.acme.dnschallenge.propagation.delayBeforeChecks=60"
+      # Logging
+      - "--log.level=INFO"
+
+    deploy:
+      placement:
+        constraints:
+          - node.role == manager
+      labels:
+        # Dashboard Router
+        - "traefik.enable=true"
+        - "traefik.http.routers.traefik.rule=Host(`traefik.sterl.xyz`)"
+        - "traefik.http.routers.traefik.entrypoints=websecure"
+        - "traefik.http.routers.traefik.tls.certresolver=cfresolver"
+        - "traefik.http.services.traefik.loadbalancer.server.port=8080"
+        - "traefik.http.routers.traefik.service=api@internal"
+
+  whoami:
+    image: traefik/whoami
+    networks:
+      - traefik-public
+    deploy:
+      labels:
+        # Whoami Router
+        - "traefik.enable=true"
+        - "traefik.http.routers.whoami.rule=Host(`whoami.sterl.xyz`)"
+        - "traefik.http.routers.whoami.entrypoints=websecure"
+        - "traefik.http.routers.whoami.tls.certresolver=cfresolver"
+        - "traefik.http.services.whoami.loadbalancer.server.port=80"