# Traefik

**Purpose:** Reverse proxy and TLS termination for all homelab services.

| Property       | Value              |
| -------------- | ------------------ |
| Status         | Running            |
| Image          | `traefik:v3.6`     |
| Ports          | `80:80`, `443:443` |
| Created by     | jens               |
| Restart policy | `unless-stopped`   |
| Compose file   | [`../services/traefik/docker-compose.yml`](../services/traefik/docker-compose.yml) |

---

## Configuration

- HTTP (port 80) → automatically redirects to HTTPS
- HTTPS (port 443) → TLS termination via Let's Encrypt
- TLS wildcard certificate for `*.home.jens.pub` and `home.jens.pub`
- Certificate resolver: **Let's Encrypt** via **DNS-01 challenge** (Namecheap provider)
- DNS resolvers used for challenge: `1.1.1.1`, `8.8.8.8`
- Docker provider: auto-discovers containers via socket (opt-in with `traefik.enable=true`)
- Dashboard: enabled, exposed at `traefik.home.jens.pub` (secured, no insecure mode)

## Environment Variables (sensitive)

| Variable              | Description                             |
| --------------------- | --------------------------------------- |
| `NAMECHEAP_API_USER`  | Namecheap account username              |
| `NAMECHEAP_API_KEY`   | Namecheap API key for DNS challenge     |
| `NAMECHEAP_SOURCE_IP` | Whitelisted IP for Namecheap API access |

## Volumes

| Volume                 | Mount                                       |
| ---------------------- | ------------------------------------------- |
| `/var/run/docker.sock` | `:ro` — Docker socket for service discovery |
| `traefik_acme`         | `/acme` — Let's Encrypt certificate storage |

## Networks

- `proxy` (external)