Traefik¶
Shared Traefik reverse proxy for all BluesBraces projects. Runs as a standalone Docker Compose stack on the VPS at /opt/traefik, exposed on the proxy Docker network.
Auto-discovers containers via Docker labels and provisions Let's Encrypt TLS certificates via ACME.
- Repository: JanKrajewskiIT/traefik
- Stack: Traefik v3, Docker, Let's Encrypt
How It Works¶
Traefik listens on ports 80 and 443. HTTP requests are redirected to HTTPS. It watches the Docker socket for containers joining the proxy network and reads their labels to determine routing rules and TLS configuration.
Certificates are stored in acme.json (volume-mounted) and renewed automatically.
Structure¶
├── docker-compose.yml # Traefik service definition
├── .env.example # Template for ACME_EMAIL
└── .gitignore # Excludes .env and acme.json
Deployment¶
CI/CD (GitHub Actions)¶
Push to main triggers .github/workflows/deploy.yml which SSHs into the VPS, clones/pulls the repo via GHCR_TOKEN, and runs docker compose up -d.
Required secrets: VPS_HOST, VPS_USER, VPS_SSH_KEY, GHCR_TOKEN, ACME_EMAIL.
Manual Deployment¶
# First time only
docker network create proxy
# Clone / update repo
cd /opt
git clone https://github.com/JanKrajewskiIT/traefik.git traefik 2>/dev/null || (cd traefik && git pull)
cd /opt/traefik
# Configure (first time only)
cp .env.example .env # Edit ACME_EMAIL
# Ensure acme.json exists with correct permissions
touch acme.json && chmod 600 acme.json
# Deploy
docker compose pull
docker compose up -d --remove-orphans
How Projects Connect¶
Each project joins the proxy Docker network and adds Traefik labels to its services. Traefik auto-discovers them — no central config changes are needed to add a new project.
Example labels:
services:
my-app:
networks:
- proxy
labels:
- "traefik.enable=true"
- "traefik.http.routers.my-app.rule=Host(`app.example.com`)"
- "traefik.http.routers.my-app.entrypoints=websecure"
- "traefik.http.routers.my-app.tls.certresolver=letsencrypt"
networks:
proxy:
external: true
Subdomain Map¶
| Subdomain | Project | Service |
|---|---|---|
app.bluebraces.online |
Recron | SolidJS frontend |
api.bluebraces.online |
Recron | YARP API gateway |
auth.bluebraces.online |
Keycloak | Identity provider |
docs.bluebraces.online |
Recron | MkDocs |
velvet.bluebraces.online |
VelvetUi | Demo app |