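{% set deploy_traefik_fa = with_fa|default(false) %}
---
version: '3.9'

services:
  # Edge reverse proxy. It runs on the host network so it can bind the host's
  # entrypoints directly, and mounts the Docker socket so the docker provider
  # can discover labelled containers. traefik.yaml / dynamic.yaml are not part
  # of this file; entrypoints, the `oauth@file` middleware and ACME settings
  # live there.
  traefik:
    image: traefik:v2.10
    container_name: traefik
    ulimits:
      nofile:
        soft: 4000
        hard: 15000
    restart: always
    network_mode: host
    # NOTE(security): `privileged: true` was removed. Traefik needs no extra
    # capabilities: the official image runs as root, so binding ports <1024 on
    # the host network and opening the socket below already work without it.
    # Privileged + host network + Docker socket would otherwise amount to
    # unrestricted root on the host for anything that compromises Traefik.
    volumes:
      # Anyone who can talk to this socket is root on the host. Traefik's
      # docker provider only needs read access to the API, but a `:ro` bind
      # of a unix socket does not restrict API calls, so the real mitigation
      # is a socket proxy that only permits the GET endpoints Traefik uses.
      # Also note that `:z` relabels the host's socket for SELinux, which can
      # break other consumers of the socket on the host.
      - "/var/run/docker.sock:/var/run/docker.sock:z"
      - "./traefik.yaml:/etc/traefik/traefik.yaml:Z,ro"
      - "./dynamic.yaml:/etc/traefik/dynamic.yaml:Z,ro"
      # ACME account key and issued certificates; nothing else should mount it.
      - "acme:/acme"
    labels:
      # Consumed by a Prometheus discovery mechanism outside this file
      # (presumably scraping Traefik's metrics entrypoint on the host).
      - "prometheus-scrape.enabled=true"
      - "prometheus-scrape.port=9091"
      - "prometheus-scrape.hostname=host.docker.internal"
{% if deploy_traefik_fa %}
  # Forward-auth endpoint: oauth2-proxy against Keycloak (OIDC). Traefik sends
  # protected requests here through the `oauth@file` middleware.
  traefik-fa:
    # NOTE(supply-chain): `latest` is a mutable tag on the component that
    # gates every protected route. Pin a release tag (ideally a digest) and
    # upgrade deliberately instead of on whatever the next pull resolves to.
    image: quay.io/oauth2-proxy/oauth2-proxy:latest
    restart: unless-stopped
    networks:
      - default # needs network access to talk to keycloak
      - metrics
    depends_on:
      - traefik
    labels:
      traefik.enable: 'true'
      traefik.http.routers.oauth.entrypoints: websecure
      # The /oauth2 prefix (sign-in, callback, sign-out) is served on every
      # host except rss.tobiasmanske.de, which presumably owns that path
      # itself -- confirm before relying on that exclusion.
      traefik.http.routers.oauth.rule: Host(`traefik-fa.tobiasmanske.de`) || (PathPrefix(`/oauth2`) && !Host(`rss.tobiasmanske.de`))
      traefik.http.services.oauth.loadbalancer.server.port: '4180'
      prometheus-scrape.enabled: "true"
      prometheus-scrape.port: "9091"
    # NOTE(secrets): client secret and cookie secret are rendered into this
    # file and exposed via `docker inspect` / /proc to anyone with Docker
    # access. Prefer an env_file or compose secrets kept out of the repo.
    environment:
      OAUTH2_PROXY_PROVIDER: 'keycloak-oidc'
      OAUTH2_PROXY_CLIENT_ID: '{{ traefik.oidc.client_id }}'
      OAUTH2_PROXY_CLIENT_SECRET: '{{ traefik.oidc.client_secret }}'
      OAUTH2_PROXY_OIDC_ISSUER_URL: '{{ traefik.oidc.issuer_url }}'
      # The session cookie is scoped to the apex, so every subdomain can read
      # it; a compromised app anywhere under this domain can replay sessions.
      OAUTH2_PROXY_COOKIE_DOMAIN: '.tobiasmanske.de'
      OAUTH2_PROXY_COOKIE_REFRESH: '1h'
      OAUTH2_PROXY_COOKIE_SECURE: 'true'
      OAUTH2_PROXY_COOKIE_SECRET: '{{ traefik.oidc.cookie_secret }}'
      # Any account the IdP authenticates is accepted: authorization is
      # delegated entirely to Keycloak (client/role assignment). Tighten here
      # or at the realm if not every realm user should pass.
      OAUTH2_PROXY_EMAIL_DOMAINS: '*'
      OAUTH2_PROXY_FOOTER: '-'
      OAUTH2_PROXY_HTTP_ADDRESS: '0.0.0.0:4180'
      # Unauthenticated metrics, reachable by any container on the `default`
      # and `metrics` networks.
      OAUTH2_PROXY_METRICS_ADDRESS: "0.0.0.0:9091"
      OAUTH2_PROXY_PASS_BASIC_AUTH: 'false'
      # Identity is forwarded to backends as X-Forwarded-User/Email,
      # X-Auth-Request-* and Authorization headers. Backends must only accept
      # these from Traefik; a client that can reach a backend directly could
      # forge them.
      OAUTH2_PROXY_PASS_USER_HEADERS: 'true'
      # Trusts X-Forwarded-* from the proxy in front. The service publishes no
      # ports, but anything on the shared networks can still reach :4180 with
      # forged forwarded headers -- keep those networks trusted.
      OAUTH2_PROXY_REVERSE_PROXY: 'true'
      OAUTH2_PROXY_SET_AUTHORIZATION_HEADER: 'true'
      OAUTH2_PROXY_SET_XAUTHREQUEST: 'true'
      # Post-login redirects are limited to this apex and its subdomains,
      # which bounds the open-redirect surface of /oauth2/start.
      OAUTH2_PROXY_WHITELIST_DOMAIN: '.tobiasmanske.de'

  # Debug endpoint that echoes the request (including the identity headers
  # injected above). It sits behind oauth@file, so only authenticated users
  # can see it; the image is unpinned.
  whoami:
    image: containous/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
      - "traefik.http.routers.whoami.rule=Host(`test.tobiasmanske.de`)"
      - "traefik.http.routers.whoami.entryPoints=websecure"
      - "traefik.http.routers.whoami.middlewares=oauth@file"
{% endif %}

volumes:
  acme:

networks:
  default:
    driver: bridge
  # Pre-existing network shared with the monitoring stack; created outside
  # this compose file.
  metrics:
    external: true
...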