From e7c69475a689fc65007d59446036411e73b4c92f Mon Sep 17 00:00:00 2001
From: mrkuz
Date: Sun, 14 Jun 2026 22:21:58 +0200
Subject: [PATCH] Configure traefik
---
 .gitignore | 1 +
 sync.sh | 12 +++++++++++
 traefik/.env.template | 2 ++
 traefik/acme.json | 6 ++++++
 traefik/config.yml | 30 ++++++++++++++++++++++++++++
 traefik/docker-compose.yml | 41 ++++++++++++++++++++++++++++++++++++++
 traefik/middleware.yml | 9 +++++++++
 vps.md | 32 ++++++++++++++++++++++++++---
 8 files changed, 130 insertions(+), 3 deletions(-)
 create mode 100644 .gitignore
 create mode 100755 sync.sh
 create mode 100644 traefik/.env.template
 create mode 100644 traefik/acme.json
 create mode 100644 traefik/config.yml
 create mode 100644 traefik/docker-compose.yml
 create mode 100644 traefik/middleware.yml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4c49bd7
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.env
diff --git a/sync.sh b/sync.sh
new file mode 100755
index 0000000..cc0a2bb
--- /dev/null
+++ b/sync.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -e
+
+REMOTE_HOST="135.125.232.253"
+REMOTE_USER="ubuntu"
+REMOTE_DIR="/home/${REMOTE_USER}/compose/traefik"
+
+rsync -avz --progress \
+ -e "ssh -o StrictHostKeyChecking=no" \
+ --exclude 'acme.json' \
+ ./traefik/ \
+ "${REMOTE_USER}@${REMOTE_HOST}:${REMOTE_DIR}/"
diff --git a/traefik/.env.template b/traefik/.env.template
new file mode 100644
index 0000000..ccafca7
--- /dev/null
+++ b/traefik/.env.template
@@ -0,0 +1,2 @@
+CF_API_EMAIL=markus@bitsandbobs.net
+CF_API_KEY=YOUR_CLOUDFLARE_API_TOKEN_HERE
\ No newline at end of file
diff --git a/traefik/acme.json b/traefik/acme.json
new file mode 100644
index 0000000..066be51
--- /dev/null
+++ b/traefik/acme.json
@@ -0,0 +1,6 @@
+{
+ "let's encrypt": {
+ "email": "markus@bitsandbobs.net",
+ "caaPropagationTimeout": 30
+ }
+}
\ No newline at end of file
diff --git a/traefik/config.yml b/traefik/config.yml
new file mode 100644
index 0000000..2d8313f
--- /dev/null
+++ b/traefik/config.yml
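Review bot: `-e "ssh -o StrictHostKeyChecking=no"` on the rsync line turns off SSH host-key verification, so the `.env` holding the Cloudflare credential (it is synced; only `acme.json` is excluded) could be pushed to an impostor host without any error. Since vps.md already runs `ssh-copy-id` against this host, its key is in `known_hosts`; drop the option, or use `-o StrictHostKeyChecking=accept-new` so only a first-contact key is accepted and a changed key still aborts the transfer. `set -e` could become `set -euo pipefail` so an unset `REMOTE_*` variable aborts instead of producing a malformed target path. Separately, the vps.md hunk in this commit tells the reader to run `./sync-files.sh`, which does not match this file's name.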
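Review bot: `CF_API_KEY` is the wrong variable for the scoped token that vps.md tells the reader to create ("Edit Zone DNS" template): lego, which Traefik uses for the Cloudflare DNS challenge, reads `CF_API_KEY` as the account's Global API Key (paired with `CF_API_EMAIL`), while a scoped API token belongs in `CF_DNS_API_TOKEN`, so a token placed in this slot is unlikely to authenticate and the challenge fails. Using the token variable is also the least-privilege choice, since the Global API Key grants full account access. Suggested template line: `CF_DNS_API_TOKEN=YOUR_CLOUDFLARE_API_TOKEN_HERE`; the matching `environment:` entries in the traefik/docker-compose.yml hunk need the same rename (or can be dropped, as `env_file: .env` already injects the file). The file also lacks a trailing newline.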
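Review bot: The ACME storage file is committed with mode 100644, but Traefik refuses to use an `acme.json` whose permissions are wider than 0600 (its startup log reports the permissions as too open), and because the sync.sh hunk excludes this file, the remote copy has to be created by hand with `touch acme.json && chmod 600 acme.json` before `docker compose up`; vps.md's Run step does not mention that. The seeded content also does not look like Traefik's storage schema, which keys on the resolver name (`letsencrypt` here) with `Account` and `Certificates` entries, so it will presumably be ignored and overwritten; an empty file is the usual starting point. Once Traefik has run, the file holds the ACME account private key and the certificates' private keys, so adding `traefik/acme.json` to the `.gitignore` hunk would keep it from ever being committed.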
@@ -0,0 +1,30 @@
+api:
+ dashboard: true
+ insecure: false
+
+entryPoints:
+ http:
+ address: ":80"
+ https:
+ address: ":443"
+ http:
+ tls:
+ certResolver: letsencrypt
+
+certificateResolvers:
+ letsencrypt:
+ acme:
+ email: markus@bitsandbobs.net
+ storage: /acme.json
+ dnsChallenge:
+ provider: cloudflare
+ resolvers:
+ - "1.1.1.1:53"
+ - "8.8.8.8:53"
+
+providers:
+ file:
+ filename: /etc/traefik/middleware.yml
+ docker:
+ network: public
+ exposedByDefault: false
\ No newline at end of file
diff --git a/traefik/docker-compose.yml b/traefik/docker-compose.yml
new file mode 100644
index 0000000..a5128e0
--- /dev/null
+++ b/traefik/docker-compose.yml
@@ -0,0 +1,41 @@
+services:
+ traefik:
+ image: traefik:v3.7.5
+ container_name: traefik
+ restart: unless-stopped
+ security_opt:
+ - no-new-privileges:true
+ ports:
+ - "80:80"
+ - "443:443"
+ environment:
+ - CF_API_EMAIL=${CF_API_EMAIL}
+ - CF_API_KEY=${CF_API_KEY}
+ env_file:
+ - .env
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ - ./config.yml:/etc/traefik/traefik.yml:ro
+ - ./middleware.yml:/etc/traefik/middleware.yml:ro
+ - ./acme.json:/acme.json
+ networks:
+ - public
+
+ whoami:
+ image: traefik/whoami
+ container_name: whoami
+ restart: unless-stopped
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.whoami.rule=Host(`whoami.bnb1.net`)"
+ - "traefik.http.routers.whoami.entrypoints=https"
+ - "traefik.http.routers.whoami.middlewares=secure-headers@file"
+ - "traefik.http.routers.whoami.tls=true"
+ - "traefik.http.services.whoami.loadbalancer.server.port=80"
+ networks:
+ - public
+
+networks:
+ public:
+ name: public
\ No newline at end of file
diff --git a/traefik/middleware.yml b/traefik/middleware.yml
new file mode 100644
index 0000000..ff9083c
--- /dev/null
+++ b/traefik/middleware.yml
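Review bot: Nothing redirects plain HTTP to HTTPS: the `http` entrypoint on `:80` has no redirection, and the only router (whoami in the compose hunk) is bound to `https`, so `http://whoami.bnb1.net` gets a 404 from Traefik instead of a redirect. The `sslRedirect: true` in the traefik/middleware.yml hunk cannot take that role either — the Headers middleware's `sslRedirect` option was removed in Traefik v3 (see the v3 migration guide), and with the `traefik:v3.7.5` image it is at best ignored and more likely makes the file provider reject `secure-headers`, taking the router that references it down with it; the container log will show which. Entrypoint-level redirection is the v3 mechanism; the rewritten `http` entrypoint below provides it, after which `sslRedirect` can be deleted from middleware.yml.
```yaml
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
          permanent: true
  # … unchanged: https entrypoint …
```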
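Review bot: `/var/run/docker.sock:/var/run/docker.sock:ro` hands the Traefik container the full Docker API — `:ro` only makes the socket node read-only, every API call over it still works — so a compromise of Traefik is equivalent to root on the host. A socket proxy in front of it that allows only the read endpoints the docker provider needs, or at least a comment recording that this risk is accepted, fits the least-exposure intent that `exposedByDefault: false` already shows. `image: traefik/whoami` is unpinned while `traefik:v3.7.5` is pinned; pin a tag (or digest) so the test service is reproducible. The `environment:` block duplicates what `env_file: .env` already injects (both resolve from the same `.env`); keeping only one avoids the two drifting apart.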
@@ -0,0 +1,9 @@
+http:
+ middlewares:
+ secure-headers:
+ headers:
+ sslRedirect: true
+ forceSTSHeader: true
+ stsIncludeSubdomains: true
+ stsPreload: true
+ stsSeconds: 31536000
\ No newline at end of file
diff --git a/vps.md b/vps.md
index e54973b..9676dba 100644
--- a/vps.md
+++ b/vps.md
@@ -8,14 +8,40 @@ Copy ssh key: `ssh-copy-id ubuntu@135.125.232.2` -# DNS +# DNS - Namecheap -| Type | Host | Value | TTL | +Custom DNS + +- dilbert.ns.cloudflare.com +- virginia.ns.cloudflare.com + +# DNS - Cloudlflare + +| Name | Type | Content | TTL | | --- | --- | --- | --- | -| A | `*` | 135.125.232.253 | Automatic| +| `*.bnb1.net` | A | 135.125.232.253 | Auto| # Ansible ```bash cd ansible && ansible-playbook docker.yml ``` + +# Treafik + +## Create Cloudflare API Token + +Profile -> API Tokens -> Create Token -> Edit Zone DNS Template -> Select domain in Zone Resources -> Continue to summary + +Add to `traefik/.env`. + +## Sync files + +`./sync-files.sh` + +## Run + +```sh +cd $HOME/compose/traefik +docker compose up -d +``` \ No newline at end of file
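Review bot: `stsPreload: true` together with `stsIncludeSubdomains: true` asserts HSTS preload for `bnb1.net` and every host under it; the flag only has effect once the apex domain is submitted to the browser preload list (which additionally requires an HTTP-to-HTTPS redirect on port 80), and once listed it commits all subdomains to HTTPS for a long time, so it should be a deliberate decision rather than a default on a test `whoami` host. If that is not intended yet, omit `stsPreload` (or set it to `false`) and keep the one-year `stsSeconds` with `forceSTSHeader`. `contentTypeNosniff: true` and `frameDeny: true` are the other Headers options usually bundled into a "secure headers" middleware and are cheap to add here.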