infra/infra.yml


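---
# Swarm stack: a Docker-socket proxy plus a Traefik v2 ingress that talks to
# the Docker API only through that proxy. Rendered as a Jinja template
# (socketproxy_env, hostname, url) before `docker stack deploy`.
services:
  socketproxy:
    image: tecnativa/docker-socket-proxy
    networks:
      - socketproxy
    volumes:
      # The only place the raw Docker socket is mounted; read-only.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    environment:
      # Endpoints the proxy is allowed to forward. Values are quoted so the
      # YAML loader hands Compose a string, not an int. Endpoints not listed
      # (or left at 0) are refused by the proxy.
      NETWORKS: "1"
      SERVICES: "1"
      TASKS: "1"
      # Non-default permissions
      CONTAINERS: "1"
      # Other endpoints the proxy can expose (disabled):
      # BUILD: 1
      # COMMIT: 1
      # CONFIGS: 1
      # CONTAINERS: 1
      # DISTRIBUTION: 1
      # EXEC: 1
      # GRPC: 1
      # IMAGES: 1
      # INFO: 1
      # NETWORKS: 1
      # NODES: 1
      # PLUGINS: 1
      # SERVICES: 1
      # SESSION: 1
      # SWARM: 1
      # SYSTEM: 1
      # TASKS: 1
      # VOLUMES: 1
      # Extra/override permissions supplied by the template caller. Quoted so an
      # empty or boolean-looking value cannot change type on render.
      {% for key, value in socketproxy_env.items() %}
      {{ key }}: "{{ value }}"
      {% endfor %}
    deploy:
      endpoint_mode: dnsrr
      placement:
        constraints:
          # The proxy must run where the socket belongs to a manager daemon,
          # otherwise Swarm service/task queries fail.
          - node.role == manager
      update_config:
        order: start-first
        failure_action: rollback
        delay: 0s
        parallelism: 1
      restart_policy:
        condition: on-failure

  traefik-http:
    image: traefik:v2
    command:
      # Docker API is reached through the socket proxy, never the raw socket.
      - "--providers.docker.endpoint=http://socketproxy_socketproxy:2375"
      - "--log.level=ERROR"
      - "--global.checknewversion=false"
      - "--global.sendanonymoususage=false"
      - "--providers.docker.swarmMode=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=traefik"
      # Backend TLS certificates are not verified. Acceptable only while every
      # backend is reachable solely over the internal overlay network.
      - "--serverstransport.insecureskipverify=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.web.http.redirections.entryPoint.permanent=true" # Permanent redirect
      - "--certificatesresolvers.letsencryptresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.letsencryptresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.letsencryptresolver.acme.email=admin@nixc.us"
      - "--certificatesresolvers.letsencryptresolver.acme.storage=/letsencrypt/acme.json"
      - "--api.dashboard=true"
      # X-Forwarded-* headers are trusted from ANY client. Because ports 80/443
      # are published in host mode, a direct client can forge its source IP
      # as seen by backends and access logs. If an upstream proxy/CDN fronts
      # this host, prefer
      #   --entryPoints.websecure.forwardedHeaders.trustedIPs=<upstream CIDRs>
      - "--entryPoints.websecure.forwardedHeaders.insecure=true"
      - "--entryPoints.websecure.transport.respondingTimeouts.idleTimeout=600s"
      - "--entryPoints.websecure.transport.respondingTimeouts.readTimeout=600s"
      - "--entryPoints.websecure.transport.respondingTimeouts.writeTimeout=600s"
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    volumes:
      - /mnt/tank/persist/nixc.us/traefik/production/config:/letsencrypt
      # Not mounted: the Docker API is consumed via the socket proxy
      # (providers.docker.endpoint above). Mounting the raw socket here would
      # give the ingress full daemon access and bypass the proxy's allow-list,
      # which is the whole reason the proxy service exists.
      # - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik
      - socketproxy
    deploy:
      endpoint_mode: dnsrr
      placement:
        constraints:
          # Pinned to one node because the ACME store and host-mode ports are
          # node-local. Quoted: the value starts plain but holds a template.
          - "node.hostname == {{hostname}}"
      labels:
        homepage.group: Infrastructure
        homepage.name: Ingress
        homepage.href: "https://{{url}}/"
        # Explicit empty string: a bare `key:` is null, and label values must
        # be strings.
        homepage.description: ""
        us.nixc.autodeploy: "true"
        traefik.enable: "true"
        traefik.docker.network: traefik
        # This router publishes the dashboard and API (api@internal) on
        # https://{{url}}/ with NO authentication middleware attached; anyone
        # who can reach the host sees the full routing configuration. Attach a
        # `traefik.http.routers.traefik_traefik-http.middlewares` entry
        # (basicAuth, ipAllowList, or forwardAuth) before exposing it publicly.
        traefik.http.routers.traefik_traefik-http.tls: "true"
        traefik.http.routers.traefik_traefik-http.rule: "Host(`{{url}}`)"
        traefik.http.routers.traefik_traefik-http.entrypoints: "websecure"
        traefik.http.routers.traefik_traefik-http.tls.certresolver: "letsencryptresolver"
        traefik.http.routers.traefik_traefik-http.service: "api@internal"
        # Required by the Swarm provider even though the router targets
        # api@internal; the port itself is not used for that router.
        traefik.http.services.traefik_traefik-http.loadbalancer.server.port: "888"
      update_config:
        order: stop-first
        failure_action: rollback
        delay: 15s
        parallelism: 1
      restart_policy:
        condition: on-failure

# Both overlay networks are created out of band, e.g.:
#   docker network create --driver=overlay socketproxy
#   docker network create --driver=overlay traefik
networks:
  socketproxy:
    external: true
  traefik:
    external: true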