de rest van de config erbij

traefik/.gitignore

@@ -0,0 +1,2 @@
+acme.json
+.env

traefik/docker-compose.yml

@@ -0,0 +1,75 @@
+services:
+  traefik:
+    image: traefik:v3.5
+    container_name: traefik
+    restart: unless-stopped
+    #env_file: [./.env]
+    env_file:
+      - /srv/traefik/secrets/cloudflare.env
+    command:
+      - --entrypoints.web.address=:80
+      - --entrypoints.websecure.address=:443
+      - --providers.docker=true
+      - --providers.docker.exposedbydefault=false
+      - --providers.file.directory=/etc/traefik/dynamic
+      - --providers.file.watch=true
+      - --api.dashboard=true
+      - --ping
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /srv/traefik/static/traefik.yml:/traefik.yml:ro
+      - /srv/traefik/git/dynamic:/etc/traefik/dynamic:rw
+      - /srv/traefik/acme.json:/letsencrypt/acme.json
+    security_opt: [ "no-new-privileges:true" ]
+    read_only: true
+    tmpfs: [ "/tmp" ]
+    healthcheck:
+      test: ["CMD", "traefik", "healthcheck", "--ping"]
+      interval: 10s
+      timeout: 3s
+      retries: 3
+    logging:
+      options: { max-size: "10m", max-file: "3" }
+
+  git-sync:
+    image: registry.k8s.io/git-sync/git-sync:v4.3.0
+    restart: unless-stopped
+    user: "0:0"
+    env_file: [./.env]
+    environment:
+      - GITSYNC_REPO=https://git.japnet.nl/infra/traefik-dynamic.git
+      - GITSYNC_BRANCH=main
+      - GITSYNC_ROOT=/git
+      - GITSYNC_DEST=dynamic
+      - GITSYNC_WAIT=10
+      - GITSYNC_ONE_TIME=false
+    volumes:
+      - /srv/traefik/git:/git:rw
+    security_opt: [ "no-new-privileges:true" ]
+    read_only: true
+    tmpfs: [ "/tmp" ]
+
+#  cloudflared:
+#    image: cloudflare/cloudflared:latest
+#    command: ["tunnel","--no-autoupdate","run","--token","${CLOUDFLARE_TUNNEL_TOKEN}"]
+#    restart: unless-stopped
+#    env_file:
+#     - /srv/traefik/secrets/cloudflared.env
+#    security_opt:
+#      - no-new-privileges:true
+#    read_only: true
+  cloudflared:
+    image: cloudflare/cloudflared:2025.10.1
+    restart: unless-stopped
+    env_file:
+      - /srv/traefik/secrets/cloudflared.env  # bevat TUNNEL_TOKEN
+    command: ["tunnel","run"]                  # géén token in command
+    user: "65532:65532"                        # non-root (optioneel)
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /tmp

traefik/secrets/cloudflare.env

@@ -0,0 +1 @@
+CF_DNS_API_TOKEN=gTv8JLoTvAQ9hkK-QPAAGIMMquKSi2iNSJU4Hues

traefik/secrets/cloudflare.example

@@ -0,0 +1 @@
+CF_DNS_API_TOKEN=<apitoken van cloudflare>

traefik/secrets/cloudflared.env

@@ -0,0 +1,3 @@
+TUNNEL_TOKEN=eyJhIjoiODhjYmY2YTdkZmI4YTI3MmRjNjdjMGFmOGVhZjQ4NzUiLCJ0IjoiYjY5YjNhNWItMWIyNi00YTZlLWJlNjgtMjAxZjgwODlkODIyIiwicyI6Ik9EVmtNVEUwWkdRdE5HVm1NQzAwTVdObUxUaGxaVGd0WW1ZMU9UZ3daV0ZrTVRObCJ9
+TUNNEL_TRANSPORT_PROTOCOL=quic
+NO_AUTOUPDATE=true

traefik/secrets/cloudflared.example

@@ -0,0 +1,3 @@
+TUNNEL_TOKEN=<tunneltoken>
+TUNNEL_TRANSPORT_PROTOCOL=quic
+NO_AUTOUPDATE=true

traefik/static/traefik.yml

@@ -0,0 +1,35 @@
+entryPoints:
+  web:
+    address: ":80"
+  websecure:
+    address: ":443"
+
+providers:
+  docker:
+    exposedByDefault: false
+  file:
+    directory: /etc/traefik/dynamic
+    watch: true
+
+api:
+  dashboard: true
+
+ping: {}   # zodat healthcheck niet "unhealthy" is
+
+certificatesResolvers:
+  cf:
+    acme:
+      email: admin@japnet.nl          # gebruik jouw e-mail
+      storage: /letsencrypt/acme.json
+      dnsChallenge:
+        provider: cloudflare
+        delayBeforeCheck: 0s
+        # optioneel: resolvers:
+        # resolvers:
+        #   - "1.1.1.1:53"
+        #   - "8.8.8.8:53"
+
+
+
+log:
+  level: INFO