hermes-ice/homelab/concepts/docker-traefik-stack.md
Hermes Agent e4d91aadf9 Initial commit: homelab infrastructure wiki
- Full Obsidian vault content
- Host configs (ice, grizzley, ubuntu, proxmox, truenas, panda, hyte)
- Media stack documentation
- Traefik HA setup
- Automation scripts
- Bachelor party planning
2026-05-24 16:08:40 -07:00

---
title: Docker Traefik Stack
created: 2026-04-28
updated: 2026-04-28
type: concept
tags: [concept, networking, homelab, docker, traefik]
confidence: high
---
# Docker Traefik Stack
Container orchestration and ingress configuration across the homelab. Two Traefik instances provide high-availability routing.
## Traefik Instances
| Instance | Host | Role | Version |
|----------|------|------|---------|
| ubuntu Traefik | 192.168.50.61 | Primary router | v3.6.7 |
| grizzley Traefik | 192.168.50.84 | Edge ACME + ingress | v3.6.7 |
See [[traefik-ha]] for the full HA strategy.
## Dynamic Config Files (ubuntu)
Located in `homelab/ubuntu/traefik/config/dynamic/`:
| File | Services Routed |
|------|----------------|
| `canonical-hosts.yml` | Grizzley ingress proxy, PVE OpenCode |
| `gitea.yml` | gitea.tophermayor.com |
| `homeassistant.yml` | ha.tophermayor.com |
| `immich.yml` | immich.tophermayor.com |
| `jellyfin.yml` | jellyfin.tophermayor.com |
| `jellyseerr.yml` | jellyseerr.tophermayor.com |
| `media-stack.yml` | Sonarr, Radarr, SABnzbd, Prowlarr, qBittorrent, Lidarr, Readarr (via gluetun) |
| `middlewares.yml` | 30+ middleware definitions |
| `opencode.yml` | opencode.tophermayor.com |
| `proxmox.yml` | proxmox.local.tophermayor.com |
| `stremio.yml` | stremio.local.tophermayor.com |
| `traefik-dashboard.yml` | traefik.local.tophermayor.com |
| `truenas.yml` | truenas.local.tophermayor.com |
| `vaultwarden.yml` | vaultwarden.tophermayor.com |
| `wildcard-certs.yml` | TLS certificate file references |
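As an added illustration of what one of these files looks like (not the wiki's actual `proxmox.yml`, whose contents are not on the page), here is a file-provider router for a host that is not a container. The Proxmox address `192.168.50.10`, the entrypoint name `websecure`, the `pve-ca` transport name and the CA file path are assumptions; the middleware names are the ones listed in the next section.

```yaml
# dynamic/proxmox.yml (added example). Traefik watches the dynamic directory,
# so saving this file creates the router without a restart.
http:
  routers:
    proxmox:
      rule: "Host(`proxmox.local.tophermayor.com`)"
      entryPoints:
        - websecure                  # assumed name of the HTTPS entrypoint
      middlewares:
        - local-only@file            # LAN-only: the hypervisor must never be reachable via the edge
        - security-headers@file
      service: proxmox
      # Empty tls block: serve HTTPS with the wildcard certificate loaded from
      # wildcard-certs.yml, selected by SNI from the default certificate store
      tls: {}

  services:
    proxmox:
      loadBalancer:
        serversTransport: pve-ca
        servers:
          - url: "https://192.168.50.10:8006"   # assumed PVE address

  serversTransports:
    # PVE presents a certificate from its own cluster CA. Pin that CA instead of
    # setting insecureSkipVerify: true, which would let anything on the LAN that
    # answers on 8006 impersonate the hypervisor to Traefik.
    pve-ca:
      rootCAs:
        - /etc/traefik/certs/pve-root-ca.pem    # assumed path
```

The same shape (router, service with an IP URL, optional `serversTransports` entry for a self-signed backend) covers the other `.local.` hosts in the table; only the `local-only@file` reference and the `rootCAs` pin are what keep an internal-only target internal.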
## Common Middlewares
| Middleware | Purpose |
|------------|---------|
| `local-only@file` | IP allowlist: only LAN source addresses reach the router |
| `authentik-auth@file` | SSO: each request is forwarded to Authentik for authentication before it reaches the backend |
| `security-headers@file` | Adds HTTP response security headers |
| `crowdsec-bouncer@file` | Threat protection: rejects requests from IPs with active CrowdSec decisions |
`local-only` is only as good as the address it checks. By default that is the TCP peer, and for traffic that arrives through the grizzley edge instance the peer is 192.168.50.84, which sits inside the LAN range; a `.local.` router that grizzley also publishes is therefore not restricted unless the middleware reads the client address from `X-Forwarded-For` and the ubuntu entrypoint trusts grizzley to set that header.
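The block below is an added example of how these middlewares can be defined for the file provider, together with the static-config setting the edge case depends on; it is not the wiki's own `middlewares.yml`, which the page does not reproduce. Two files are shown as one YAML stream separated by `---`. The LAN range `192.168.50.0/24`, the entrypoint name `websecure`, the Authentik container name `authentik-server`, the chain `public-sso` and the extra `edge-local-only` middleware are assumptions; the CrowdSec bouncer is left out because its options depend on which plugin is installed.

```yaml
# traefik.yml (static config) on the ubuntu instance; "websecure" is an assumed name.
# Only the grizzley edge instance may set X-Forwarded-For: from any other peer the
# header is stripped, so a LAN client cannot spoof an allowlisted address.
entryPoints:
  websecure:
    address: ":443"
    forwardedHeaders:
      trustedIPs:
        - "192.168.50.84/32"
---
# dynamic/middlewares.yml: definitions referenced by routers as <name>@file
http:
  middlewares:
    # Plain allowlist: checks the TCP peer's address (the default ipStrategy).
    # Right for routers LAN clients reach directly; NOT sufficient for routers that
    # grizzley also publishes, because its peer address 192.168.50.84 is in range.
    local-only:
      ipAllowList:
        sourceRange:
          - "192.168.50.0/24"
          - "127.0.0.1/32"

    # Variant for routers that are only ever reached through grizzley. depth: 1 takes
    # the rightmost X-Forwarded-For entry, i.e. the address grizzley saw, which a remote
    # client cannot override. A request with no X-Forwarded-For at all (a direct LAN
    # client) yields an empty address and is rejected, so do not use this on direct routes.
    edge-local-only:
      ipAllowList:
        sourceRange:
          - "192.168.50.0/24"
        ipStrategy:
          depth: 1

    # SSO: every request is first sent to the Authentik outpost; a 2xx lets it through,
    # any other status is returned to the client (normally a redirect to the login page).
    authentik-auth:
      forwardAuth:
        address: "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid

    security-headers:
      headers:
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
        contentTypeNosniff: true
        referrerPolicy: "strict-origin-when-cross-origin"

    # Chain so a public router needs a single reference; order is execution order
    public-sso:
      chain:
        middlewares:
          - security-headers
          - authentik-auth
```

The practical rule that falls out of the two allowlist variants: keep the `.local.` hostnames on the ubuntu instance only and never publish them through grizzley, because with the plain `local-only` definition anything the edge forwards would pass, and with `edge-local-only` direct LAN clients would be locked out.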
## Docker Networks
| Network | Scope | Purpose |
|---------|-------|---------|
| `proxy-net` | External | Traefik-routed services |
| `app-net` | External | Internal backend communication |
| `authentik-internal` | Bridge | SSO isolation |
| `monitoring-internal` | Bridge | Metrics/logs isolation |
| `immich-internal` | Bridge | Immich DB/Redis/ML |
| `traefik-proxy` | Bridge (grizzley) | Grizzley edge Traefik |
| `media-net` | External | Media stack isolation |
External networks are created once outside any compose file (`docker network create`) and joined by every stack that declares them with `external: true`; the bridge networks belong to a single stack, so the databases, Redis instances and ML workers on them have no path to Traefik and cannot be routed by accident. A container only needs to be on `proxy-net` if Traefik has to reach it.
## Container Labels
Standard Traefik labels (`<service>` and `<router>` are placeholders for the container's own names):
```yaml
labels:
  # Opt in explicitly; run the Docker provider with exposedByDefault=false so nothing else is published
  - "traefik.enable=true"
  # Port Traefik connects to inside the container (8096 is Jellyfin's HTTP port)
  - "traefik.http.services.<service>.loadbalancer.server.port=8096"
  - "traefik.http.routers.<router>.rule=Host(`service.tophermayor.com`)"
  # Certificate issued and renewed through the cloudflare ACME resolver defined in static config
  - "traefik.http.routers.<router>.tls.certresolver=cloudflare"
```
Two labels are commonly needed on top of these: `traefik.http.routers.<router>.entrypoints=<https entrypoint>`, because a router with no entrypoint list is attached to every entrypoint, and, for a container that sits on both `proxy-net` and a backend network, `traefik.docker.network=proxy-net`, so Traefik dials the address on the proxy network rather than one it has no route to.
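A complete compose service that wires the labels together with the networks from the table above, as an added example rather than one of the wiki's own stacks. The service names `demo-app` and `demo-db`, their images, the hostname `demo.tophermayor.com`, the entrypoint name `websecure` and the existence of the `cloudflare` resolver in static config are assumptions; port 8096 is carried over from the label template.

```yaml
# docker-compose.yml (added example)
services:
  demo-app:
    image: example/demo-app:1.0       # assumed image
    networks:
      - proxy-net                     # the only network this container shares with Traefik
      - app-net                       # backend-to-backend traffic; Traefik never dials it
    labels:
      - "traefik.enable=true"
      # Two networks attached: name the one Traefik must dial, otherwise it may pick
      # the app-net address and report the service as unreachable
      - "traefik.docker.network=proxy-net"
      - "traefik.http.services.demo-app.loadbalancer.server.port=8096"
      - "traefik.http.routers.demo-app.rule=Host(`demo.tophermayor.com`)"
      # Bind to the HTTPS entrypoint only; without this the router attaches to every entrypoint
      - "traefik.http.routers.demo-app.entrypoints=websecure"
      # DNS-01 issuance via the cloudflare resolver assumed to exist in Traefik's static config
      - "traefik.http.routers.demo-app.tls.certresolver=cloudflare"
      # File-provider middlewares by name, executed in order: bouncer first so banned IPs are
      # dropped before the Authentik round-trip, then SSO, then response headers
      - "traefik.http.routers.demo-app.middlewares=crowdsec-bouncer@file,authentik-auth@file,security-headers@file"

  demo-db:
    image: postgres:16                # assumed; no labels and not on proxy-net, so Traefik cannot route it
    networks:
      - app-net

networks:
  # Both created once with `docker network create` and shared across stacks
  proxy-net:
    external: true
  app-net:
    external: true
```

The database service is the point of the two-network layout: it has neither `traefik.enable=true` nor a foot on `proxy-net`, so even a mistaken label on it could not expose it through the ingress.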
## Related
- [[traefik-ha]] — Traefik HA strategy across ubuntu + grizzley
- [[sso-authentik]] — Authentik SSO middleware
- [[media-stack]] — Media automation routing
- [[hermes-opencode-cluster]] — OpenCode routing via Traefik