First commit

traefik.yml

@@ -0,0 +1,71 @@
+global:
+  checkNewVersion: true
+  sendAnonymousUsage: false
+
+# 1. EntryPoints Definition
+# We define the ports Traefik listens on.
+# HTTP (80) automatically redirects to HTTPS (443).
+# SMTP (25) is passthrough for Mailman.
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+          permanent: true
+
+  websecure:
+    address: ":443"
+    http:
+      tls:
+        certResolver: letsencrypt
+
+# 2. Providers
+# Traefik watches the Docker socket to discover services.
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false # Containers are ignored unless they have "traefik.enable=true"
+    network: proxy_net # Must match the network name in docker-compose.yml
+
+  # # Optional: Watch a directory for dynamic config files (good for custom TLS certs or middlewares)
+  # file:
+  #   directory: /etc/traefik/dynamic
+  #   watch: true
+
+# 3. API & Dashboard
+# The dashboard is enabled but "insecure" mode is OFF.
+# Access is protected by the Basic Auth middleware defined in docker-compose.yml.
+api:
+  dashboard: true
+  insecure: false
+  debug: false
+
+# Health check ping endpoint
+ping:
+  entryPoint: web
+
+# 4. Certificate Resolver (Let's Encrypt)
+# Uses the HTTP Challenge, which requires Port 80 to be open.
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: info@jmpgames.it
+      storage: /acme.json # This file is persisted via Docker volume
+      httpChallenge:
+        entryPoint: web
+
+# 5. Logging
+# Access logs are written to a file that Fail2Ban on the host will monitor.
+accessLog:
+  filePath: "/var/log/traefik/access.log"
+  bufferingSize: 100 # Buffer lines slightly to reduce I/O, but keep low for Fail2Ban responsiveness
+  filters:
+    statusCodes:
+      - "400-499"
+      - "500-599"
+
+log:
+  level: INFO