Traefik
Traefik стек (docker-compose.yml)
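# Traefik edge proxy: listens on 80/443, redirects HTTP to HTTPS, obtains
# certificates from Let's Encrypt (HTTP-01) and discovers backends through
# Docker labels on the external network `shared_traefik`.
version: "3.9"

services:
  traefik:
    # NOTE(review): `latest` is a moving tag; pin a release tag or digest so an
    # unreviewed proxy upgrade cannot arrive with a plain `docker compose pull`.
    image: traefik:latest
    container_name: traefik
    command:
      # --- Dashboard ---
      - "--api.dashboard=true"  # enable the dashboard
      - "--api.insecure=false"  # no unauthenticated API/dashboard listener
      # With insecure=false the dashboard is served only through a router bound
      # to the `api@internal` service; put an auth middleware on that router.
      # For a test, insecure mode can be switched on:
      # - "--api.insecure=true"

      # --- Docker provider ---
      - "--providers.docker=true"
      # Containers are proxied only when they opt in with traefik.enable=true.
      - "--providers.docker.exposedbydefault=false"

      # --- EntryPoints ---
      - "--entrypoints.web.address=:80"  # HTTP
      - "--entrypoints.websecure.address=:443"  # HTTPS
      # HTTP -> HTTPS redirect
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"

      # --- ACME / Let's Encrypt ---
      - "--certificatesresolvers.lets-encrypt.acme.httpchallenge=true"
      - "--certificatesresolvers.lets-encrypt.acme.httpchallenge.entrypoint=web"
      # The contact address was obfuscated in the published page; this is a
      # placeholder and must be replaced with a real mailbox.
      - "--certificatesresolvers.lets-encrypt.acme.email=<ACME_CONTACT_EMAIL>"
      - "--certificatesresolvers.lets-encrypt.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"  # HTTP
      - "443:443"  # HTTPS
      # Port 8080 serves the API/dashboard only in insecure mode. Bound to
      # loopback so that enabling --api.insecure=true for a test does not put an
      # unauthenticated API on every host interface.
      - "127.0.0.1:8080:8080"
    volumes:
      # NOTE(review): `:ro` only makes the socket file read-only; it does not
      # restrict Docker API calls made through it. Anything that compromises
      # Traefik can drive the Docker daemon; a filtering socket proxy narrows
      # this.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Holds acme.json (ACME account key and certificate private keys); keep
      # the file at mode 600 and out of version control.
      - ./letsencrypt:/letsencrypt
    restart: unless-stopped
    networks:
      - shared_traefik

networks:
  shared_traefik:
    external: true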
💡 Пояснення:
HTTP-only: якщо хочеш тестити без TLS, можна закоментувати websecure entrypoint і редиректи.
HTTPS / Let’s Encrypt: включається через websecure entrypoint і certresolver=lets-encrypt.
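Dashboard: при --api.insecure=false він не відкривається на порту 8080 — потрібен окремий router на сервіс api@internal, і саме цей router варто захистити Basic Auth (як ми робили для Karma).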
Monitoring стек (docker-compose.yml)
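# Monitoring stack: Prometheus, Alertmanager, Grafana, Karma, Loki, Promtail and
# blackbox_exporter. Alertmanager, Grafana and Karma are published through
# Traefik (labels below); the rest talk to each other on the `monitoring`
# network.
#
# NOTE(review): every image uses `latest`; pin release tags or digests so that
# upgrades are deliberate and reviewable.
# NOTE(review): prometheus, loki, promtail and blackbox_exporter carry no
# Traefik labels, so their membership in `shared_traefik` only widens which
# containers can reach them. Drop it unless another stack depends on it.
version: "3.9"

services:
  prometheus:
    image: prom/prometheus:latest
    container_name: prometheus
    volumes:
      - ./prometheus:/etc/prometheus
      - prom_data:/prometheus
      - ./prometheus/alerts:/etc/prometheus/alerts
    command:
      - "--config.file=/etc/prometheus/prometheus.yml"
      - "--storage.tsdb.path=/prometheus"
      - "--storage.tsdb.retention.time=30d"
    restart: unless-stopped
    ports:
      # No --web.config.file is passed, so the UI/API is unauthenticated.
      # Publish on loopback only; other containers use the compose networks.
      - "127.0.0.1:9090:9090"
    networks:
      - shared_traefik
      - monitoring

  alertmanager:
    image: prom/alertmanager:latest
    container_name: alertmanager
    volumes:
      - ./alertmanager:/etc/alertmanager
      - alertmanager_data:/alertmanager
    command:
      - "--config.file=/etc/alertmanager/alertmanager.yml"
      - "--storage.path=/alertmanager"
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.alertmanager.rule=Host(`alertmanager.osvex.com`)"
      # NOTE(review): no auth middleware is attached to this router, so the
      # Alertmanager UI and API are open to anyone who can reach the host name.
      # Attach a basicauth middleware (as on the karma router) before exposing.
      # --- HTTP-only ---
      - "traefik.http.routers.alertmanager.entrypoints=web"
      # --- HTTPS ---
      # - "traefik.http.routers.alertmanager.entrypoints=websecure"
      # - "traefik.http.routers.alertmanager.tls.certresolver=lets-encrypt"
      - "traefik.http.services.alertmanager.loadbalancer.server.port=9093"
      - "traefik.docker.network=shared_traefik"
    networks:
      - shared_traefik
      - monitoring

  grafana:
    image: grafana/grafana:latest
    container_name: grafana
    environment:
      - GF_SECURITY_ADMIN_USER=admin
      # The admin password is no longer hard-coded to the default: it is read
      # from the environment / .env file and compose refuses to start without
      # it.
      - "GF_SECURITY_ADMIN_PASSWORD=${GF_SECURITY_ADMIN_PASSWORD:?set GF_SECURITY_ADMIN_PASSWORD}"
    volumes:
      - grafana_data:/var/lib/grafana
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.grafana.rule=Host(`grafana.osvex.com`)"
      # --- HTTP-only ---
      # Logins and session cookies cross the wire in cleartext on this
      # entrypoint; use it for local testing only.
      - "traefik.http.routers.grafana.entrypoints=web"
      # --- HTTPS ---
      # - "traefik.http.routers.grafana.entrypoints=websecure"
      # - "traefik.http.routers.grafana.tls.certresolver=lets-encrypt"
      - "traefik.http.services.grafana.loadbalancer.server.port=3000"
      - "traefik.http.services.grafana.loadbalancer.server.scheme=http"
      - "traefik.docker.network=shared_traefik"
    networks:
      - shared_traefik
      - monitoring

  karma:
    image: ghcr.io/prymitive/karma:latest
    container_name: karma
    command: ["--config.file=/etc/karma/config.yml"]
    volumes:
      - ./karma:/etc/karma
      - karma_data:/karma_data
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.karma.rule=Host(`karma.osvex.com`)"
      # --- HTTP-only ---
      # Basic Auth over plain HTTP sends the password base64-encoded, not
      # encrypted; switch to the HTTPS block before relying on karma-auth.
      - "traefik.http.routers.karma.entrypoints=web"
      # --- HTTPS ---
      # - "traefik.http.routers.karma.entrypoints=websecure"
      # - "traefik.http.routers.karma.tls.certresolver=lets-encrypt"
      - "traefik.http.services.karma.loadbalancer.server.port=8080"
      - "traefik.http.services.karma.loadbalancer.server.scheme=http"
      # `$$` escapes `$` for compose interpolation. This hash is published with
      # the page and is MD5-based (apr1): generate your own entry, preferably
      # bcrypt (`htpasswd -B`), and treat the one shown here as disclosed.
      - "traefik.http.middlewares.karma-auth.basicauth.users=osvex:$$apr1$$fpZgIrG8$$BIT6g9qiTm1RM09s5BZVh/"
      - "traefik.http.routers.karma.middlewares=karma-auth"
      - "traefik.docker.network=shared_traefik"
    networks:
      - shared_traefik
      - monitoring

  loki:
    image: grafana/loki:latest
    container_name: loki
    command: ["-config.file=/etc/loki/config.yml"]
    volumes:
      - ./loki:/etc/loki
      - loki_data:/loki
    restart: unless-stopped
    ports:
      # Loki does not authenticate clients itself, so the push/query API is
      # published on loopback only. Remote agents should reach it through an
      # authenticating proxy instead of a port open on every interface.
      - "127.0.0.1:3100:3100"
    networks:
      - shared_traefik
      - monitoring

  promtail:
    image: grafana/promtail:latest
    container_name: promtail
    command: ["-config.file=/etc/promtail/config.yml"]
    volumes:
      - ./promtail:/etc/promtail
      - /var/log:/var/log:ro
      # NOTE(review): host /tmp is mounted read-write, presumably for the
      # positions file - confirm against config.yml; a named volume would avoid
      # sharing a world-writable host directory with the container.
      - /tmp:/tmp
    restart: unless-stopped
    networks:
      - shared_traefik
      - monitoring

  blackbox_exporter:
    image: prom/blackbox-exporter:latest
    container_name: blackbox_exporter
    volumes:
      - ./blackbox/blackbox.yml:/etc/blackbox_exporter/config.yml:ro
    command: ["--config.file=/etc/blackbox_exporter/config.yml"]
    restart: unless-stopped
    networks:
      - shared_traefik
      - monitoring

volumes:
  prom_data:
  grafana_data:
  loki_data:
  karma_data:
  alertmanager_data:

networks:
  # Created outside this stack and shared with the Traefik stack.
  shared_traefik:
    external: true
  # Private to this stack.
  monitoring:
    driver: bridge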
🔹 Пояснення
HTTP-only: лише для тесту — швидкий доступ без сертифікатів через entrypoint web; паролі Basic Auth і логіни Grafana при цьому передаються відкритим текстом.
HTTPS / Let’s Encrypt: розкоментувати websecure + tls.certresolver=lets-encrypt і переконатися, що Traefik має доступ на запис до acme.json (права на файл — 600, інакше Traefik його не прийме).
Basic Auth: можна підключити окремо для Dashboard або для сервісів (як у Karma).
traefik.docker.network=shared_traefik — важливий для сервісів із декількома мережами, щоб Traefik знав, по якій мережі проксувати.