Traefik added (#37)

* Added NodeRed

* Added Node-RED

* Added Traefik with Simple App for testing

* Added Traefik with Simple App for testing

* Delete services/nodered/docker-compose.yml

* Delete services/nodered/.env

* Delete services/nodered/README.md

* Delete services/nodered/config/serve.json

* Update README.md

---------

Co-authored-by: Bart <[email protected]>

README.md

@@ -33,6 +33,7 @@ If you would like to add your own config, you can use the [service-template](tem
 - [Tailscale Exit Node](services/tailscale-exit-node)
 - [Tautulli](services/tautulli)
 - [Technitium DNS](services/technitium)
+- [Traefik Reverse Proxy](services/traefik)
 - [Uptime Kuma](services/uptime-kuma)
 - [Vaultwarden](services/vaultwarden)
 - [qBittorrent](services/qbittorrent)

services/traefik/.env

@@ -0,0 +1,8 @@
+#version=1.0
+#url=https://github.com/2Tiny2Scale/tailscale-docker-sidecar-configs
+#COMPOSE_PROJECT_NAME= // only use in multiple deployments on the same infra
+SERVICE=traefik
+IMAGE_URL=traefik:latest
+SERVICEPORT=80
+TS_AUTHKEY= //Insert Tailscale key here from the Admin Portal
+DNS_SERVER=1.1.1.1

services/traefik/README.md

@@ -0,0 +1,11 @@
+# Traefik with Tailscale Sidecar Configuration
+
+This Docker Compose configuration sets up [Traefik](https://github.com/traefik/traefik) with Tailscale as a sidecar container to securely manage and route your traffic over a private Tailscale network. By integrating Tailscale, you can enhance the security and privacy of your Traefik instance, ensuring that access is restricted to devices within your Tailscale network.
+
+## Traefik
+
+[Traefik](https://github.com/traefik/traefik) is a modern, open-source reverse proxy and load balancer that simplifies the deployment and management of services in dynamic environments. It supports a wide range of integrations with container orchestration platforms and cloud providers, offering features like automatic HTTPS, load balancing, and monitoring. By incorporating Tailscale, your Traefik instance is safeguarded, ensuring that only authorized users and devices on your Tailscale network can access your applications and services.
+
+## Configuration Overview
+
+In this setup, the `tailscale-traefik` service runs Tailscale, which manages secure networking for the Traefik service. The `traefik` service uses the Tailscale network stack via Docker's `network_mode: service:` configuration. This ensures that Traefik’s dashboard and routing functionalities are only accessible through the Tailscale network (or locally, if preferred), adding an extra layer of privacy and security to your network architecture.

services/traefik/config/serve.json

@@ -0,0 +1,16 @@
+{
+  "TCP": {
+    "443": {
+      "HTTPS": true
+    }
+  },
+  "Web": {
+    "${TS_CERT_DOMAIN}:443": {
+      "Handlers": {
+        "/": {
+          "Proxy": "http://127.0.0.1:80" 
+        }
+      }
+    }
+  }
+}

services/traefik/docker-compose.yml

@@ -0,0 +1,80 @@
+services:
+# Make sure you have updated/checked the .env file with the correct variables. 
+# All the ${ xx } need to be defined there.
+  # Tailscale Sidecar Configuration
+  tailscale:
+    image: tailscale/tailscale:latest # Image to be used
+    container_name: ${SERVICE} # Name for local container management
+    hostname: ${SERVICE} # Name used within your Tailscale environment
+    environment:
+      - TS_AUTHKEY=${TS_AUTHKEY}
+      - TS_STATE_DIR=/var/lib/tailscale
+      - TS_SERVE_CONFIG=/config/serve.json # Tailsacale Serve configuration to expose the web interface on your local Tailnet - remove this line if not required
+      - TS_USERSPACE=false
+    volumes:
+      - ${PWD}/config:/config # Config folder used to store Tailscale files - you may need to change the path
+      - ${PWD}/state:/var/lib/tailscale # Tailscale requirement - you may need to change the path
+      - /dev/net/tun:/dev/net/tun # Network configuration for Tailscale to work
+    cap_add:
+      - net_admin # Tailscale requirement
+      - sys_module # Tailscale requirement
+    ports:
+      - 0.0.0.0:${SERVICEPORT}:${SERVICEPORT} # Binding port ${SERVICE}PORT to the local network - may be removed if only exposure to your Tailnet is required
+    # If any DNS issues arise, use your preferred DNS provider by uncommenting the config below
+    # dns: 
+    #   - ${DNS_SERVER}
+    healthcheck:
+      test: ["CMD", "tailscale", "status"] # Check if Tailscale is running
+      interval: 1m # How often to perform the check
+      timeout: 10s # Time to wait for the check to succeed
+      retries: 3 # Number of retries before marking as unhealthy
+      start_period: 10s # Time to wait before starting health checks
+    restart: always
+
+  # ${SERVICE}
+  traefik_proxy:
+    image: ${IMAGE_URL} # Image to be used
+    network_mode: service:tailscale # Sidecar configuration to route ${SERVICE} through Tailscale
+    container_name: app-${SERVICE} # Name for local container management
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/Amsterdam
+    depends_on:
+      - tailscale
+    healthcheck:
+      test: ["CMD", "pgrep", "-f", "${SERVICE}"] # Check if ${SERVICE} process is running
+      interval: 1m # How often to perform the check
+      timeout: 10s # Time to wait for the check to succeed
+      retries: 3 # Number of retries before marking as unhealthy
+      start_period: 30s # Time to wait before starting health checks
+    restart: always
+    volumes:
+      - type: bind
+        source: ${PWD}/${SERVICE}/app/traefik.yml
+        target: /etc/traefik.yml
+      - ${PWD}/${SERVICE}/log/:/var/log/
+      - /var/run/docker.sock:/var/run/docker.sock #Required for the Service Connections
+    command:
+      - "--api.insecure=true"
+      - "--providers.docker=true"
+      - "--providers.docker.exposedbydefault=false"
+      - "--entrypoints.web.address=:80"
+      - "--entrypoints.ssl.address=:443"
+      - --log.level=INFO
+      - --log.filepath=/var/log/traefik.log
+      - --accesslog=true
+      - --accesslog.filepath=/var/log/traefik.access.log
+      - --experimental.plugins.traefik-plugin-geoblock.modulename=github.com/nscuro/traefik-plugin-geoblock
+      - --experimental.plugins.traefik-plugin-geoblock.version=v0.14.0
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.mydashboard.rule=Host(`traefik.domain.local`)
+      - traefik.http.routers.mydashboard.service=api@internal
+
+  simpleweb:
+    image: yeasy/simple-web:latest
+    labels:
+      - traefik.enable=true # To 
+      - traefik.http.routers.simpleweb.rule=Host(`simpleweb.domain.local`)
+      - traefik.http.routers.simpleweb.entrypoints=web