Separate traefik dashboard and update traefik configs

traefik-dashboard/config.yml

@@ -42,6 +42,7 @@ http:
     default-whitelist:
       ipAllowList:
         sourceRange:
+        - "127.0.0.1/32"
         - "local ip subnet"
 
     secured:

traefik-dashboard/docker-compose.yml

@@ -32,8 +32,11 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock:ro
     ports:
       - 80:80
+      - 81:81
       - 443:443
       - 443:443/udp
+      - 444:444
+      - 444:444/udp
     networks:
       - frontend
 

traefik-dashboard/traefik.yml

@@ -0,0 +1,70 @@
+api:
+  dashboard: true
+  debug: true
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      middlewares:
+        - default-whitelist@file
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+  websecure:
+    address: ":443"
+    http:
+      middlewares:
+        - default-whitelist@file
+      tls:
+        certResolver: letsencrypt
+        domains:
+          - main: '*.local.domain.name'
+  web-external:
+    address: ":81"
+    http:
+      redirections:
+        entryPoint:
+          to: websecure-external
+          scheme: https
+  websecure-external:
+    address: ":444"
+    http:
+      tls:
+        certResolver: letsencrypt
+        domains:
+          - main: domain.name
+            sans:
+              - '*.domain.name'
+serversTransport:
+  insecureSkipVerify: true
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false
+  file:
+    filename: /config.yml
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: email@domain.name
+      storage: acme.json
+      caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
+      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
+      dnsChallenge:
+        provider: cloudflare
+        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
+        #delayBeforeCheck: 60s # uncomment along with disablePropagationCheck if needed to ensure the TXT record is ready before verification is attempted 
+        resolvers:
+          - "1.1.1.1:53"
+          - "1.0.0.1:53"
+log:
+  level: "INFO"
+  filePath: "/var/log/traefik/traefik.log"
+  maxSize: 10
+  maxBackups: 5
+accessLog:
+  filePath: "/var/log/traefik/access.log"
+  fields:
+    names:
+      StartUTC: drop

traefik/compose.yml

@@ -1,59 +0,0 @@
-services:
-  traefik:
-    container_name: traefik
-    image: docker.io/library/traefik:v3.5.0
-    restart: unless-stopped
-    security_opt:
-      - no-new-privileges:true
-    secrets:
-      - cf_api_token
-    command:
-      - --log.level=DEBUG
-      - --log.filepath=/var/log/traefik/traefik.log
-      - --accesslog=true
-      - --accesslog.format=json
-      - --accesslog.filepath=/var/log/traefik/access.log
-      - --api.dashboard=false
-      - --providers.docker=true
-      - --providers.docker.exposedbydefault=false
-      - --providers.docker.network=frontend
-      # Set up LetsEncrypt certificate resolver
-      - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
-      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
-      - --certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53
-      - --certificatesresolvers.letsencrypt.acme.dnschallenge.delayBeforeCheck=20
-      - --certificatesresolvers.letsencrypt.acme.email=${CF_EMAIL}
-      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
-      # staging environment of LE, remove for real certs
-      # - --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
-      # Set up an insecure listener that redirects all traffic to TLS
-      - --entrypoints.web.address=:80
-      - --entrypoints.websecure.address=:443
-      - --entrypoints.web.http.redirections.entrypoint.to=websecure
-      - --entrypoints.web.http.redirections.entrypoint.scheme=https
-      # Set up the TLS configuration for our websecure listener
-      - --entrypoints.websecure.http.tls=true
-      - --entrypoints.websecure.http.tls.certResolver=letsencrypt
-      - --entrypoints.websecure.http.tls.domains[0].main=${DOMAIN}
-      - --entrypoints.websecure.http.tls.domains[0].sans=*.${DOMAIN}
-    environment:
-      - CF_DNS_API_TOKEN_FILE=/run/secrets/cf_api_token
-    volumes:
-      - ${APPDATA_PATH}/traefik/letsencrypt/acme.json:/acme.json
-      - ${APPDATA_PATH}/traefik/logs:/var/log/traefik
-      - /etc/localtime:/etc/localtime:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-    ports:
-      - 80:80
-      - 443:443
-      - 443:443/udp
-    networks:
-      - frontend
-
-networks:
-  frontend:
-    external: true
-
-secrets:
-  cf_api_token:
-    file: ${APPDATA_PATH}/traefik/secrets/cf_api_token

traefik/traefik.yml

@@ -18,15 +18,12 @@ entryPoints:
           - main: domain.name
             sans:
               - '*.domain.name'
-              - '*.local.domain.name'
 serversTransport:
-  insecureSkipVerify: true
+  insecureSkipVerify: false
 providers:
   docker:
     endpoint: "unix:///var/run/docker.sock"
     exposedByDefault: false
-  file:
-    filename: /config.yml
 certificatesResolvers:
   letsencrypt:
     acme: