Merge pull request 'Update traefik Docker tag to v3.6.10' (#11) from renovate/traefik-3.x into main

Reviewed-on: #5

.env

@@ -18,6 +18,7 @@ PGID=1000
 SECOND_LEVEL_DOMAIN=crescentec
 TOP_LEVEL_DOMAIN=ch
 LOCAL_DOMAIN=crescentec.lan
+LOCAL_VPS_DOMAIN=crescentec-vps.lan
 PUBLIC_DOMAIN=crescentec.ch
 
 # Personal info

.gitignore

@@ -0,0 +1,12 @@
+# Ignore these files
+**/services/.env
+
+# Ignore these folders
+letsencrypt/
+certs/
+log-dashboard/
+lib/
+**/headscale/config/
+**/headscale/run/
+**/crowdsec/config/
+**/crowdsec/data/

README.md

@@ -2,3 +2,9 @@
 
 This configuration includes a reverse proxy using caddy, headscale (VPN) and watchtower (automatic updates).
 It is particularly useful if you do not own an IPV4 address, as this could be deployed on a server. In this case it was deployed on an oracle server and automated using an ansible playbook found on this [repository](https://gitea.crescentec.ch/chriswin/vps-ansible)
+
+For Crowdsec, if an enrollment to your console is wanted, run the following command: 
+```
+docker compose -it exec cscli console enroll $ENROLLMENT_KEY
+```
+where the the enrollment can be found in your console under the engine page.

docker-compose.yml

@@ -6,10 +6,9 @@
 # Whenever I need to remove some service then I can comment out the lines here.
 include:
   - path:
-      - ${SERVICE_PATH}/caddy/caddy.yml
       - ${SERVICE_PATH}/crowdsec/crowdsec.yml
       - ${SERVICE_PATH}/headscale/headscale.yml
-      # - ${SERVICE_PATH}/traefik/traefik.yml
+      - ${SERVICE_PATH}/traefik/traefik.yml
     env_file: ${SERVICE_PATH}/.env
 
 networks:

renovate.json

@@ -0,0 +1,48 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "extends": [
+        "schedule:automergeDaily"
+    ],
+    "dependencyDashboard": true,
+    "dependencyDashboardTitle": "Renovate Dashboard",
+    "assignees": [
+        "chriswin"
+    ],
+    "labels": [
+        "renovate"
+    ],
+    "configMigration": true,
+    "prHourlyLimit": 0,
+    "packageRules": [
+        {
+            "matchCategories": [
+                "docker"
+            ],
+            "enabled": true,
+            "managerFilePatterns": [
+                "/(^|/)services/*\\Dockerfile$/"
+            ]
+        },
+        {
+            "matchUpdateTypes": [
+                "minor",
+                "patch"
+            ],
+            "automerge": true,
+            "automergeType": "pr"
+        },
+        {
+            "matchUpdateTypes": [
+                "major"
+            ],
+            "automerge": false
+        }
+    ],
+    "docker-compose": {
+        "enabled": true,
+        "managerFilePatterns": [
+            "/(^|/)docker-compose\\.yml$/",
+            "/(^|/)services/.*\\.yml$/"
+        ]
+    }
+}

services/caddy/Caddyfile

@@ -1,189 +0,0 @@
-(forward_headers) {
-        header {
-                Permissions-Policy interest-cohort=()
-                Strict-Transport-Security "max-age=31536000; includeSubdomains"
-                X-XSS-Protection "1; mode=block"
-                X-Content-Type-Options "nosniff"
-                X-Robots-Tag noindex, nofollow
-                Referrer-Policy "same-origin"
-                Content-Security-Policy "frame-ancestors {$public_domain }} *.{$public_domain}"
-                -Server
-                Permissions-Policy "geolocation=(self {$public_domain }} *.{$public_domain}), microphone=()"
-        }
-}
-
-auth.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-audiobookshelf.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-gitea.{$public_domain} {
-        reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-headscale.{$public_domain} {
-        reverse_proxy headscale:8080
-        tls {$email}
-        import forward_headers
-}
-
-immich.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-ldap.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-linkwarden.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-mealie.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-navidrome.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-ntfy.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-paperless.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-radicale.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-rss.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-pdf.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-superset.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-vaultwarden.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-vikunja.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-{$public_domain} {
-        reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}

services/caddy/caddy.yml

@@ -1,30 +0,0 @@
-services:
-  caddy:
-    extends:
-      file: ${TEMPLATES_PATH}
-      service: default
-    image: caddy 
-    container_name: caddy 
-    volumes:
-      - ${SERVICE_PATH}/caddy/config:/etc/headscale
-      - ${SERVICE_PATH}/caddy/Caddyfile:/etc/caddy/Caddyfile
-      - ${SERVICE_PATH}/caddy/site:/srv
-      - ${SERVICE_PATH}/caddy/data:/data
-      - ${SERVICE_PATH}/caddy/config:/config
-      - ${SERVICE_PATH}/caddy/certs:/certs
-    ports:
-      - "80:80"
-      - "443:443"
-      - "443:443/udp"
-    environment:
-      email: ${EMAIL}
-      public_domain: ${PUBLIC_DOMAIN}
-      private_domain: ${LOCAL_DOMAIN}
-      main_server_ip: ${MAIN_SERVER_NODE_IP:-10.10.10.2}
-    cap_add:
-      - NET_ADMIN
-    networks:
-      - ip4net
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"

services/crowdsec/crowdsec.yml

@@ -4,7 +4,7 @@ services:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: crowdsec
-    image: crowdsecurity/crowdsec:v1.7.4
+    image: crowdsecurity/crowdsec:v1.7.6
     environment:
       COLLECTIONS: crowdsecurity/traefik crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules crowdsecurity/http-cve
       CROWDSEC_BOUNCER_API_KEY: ${CROWDSEC_API_KEY}

services/headscale/headscale.yml

@@ -3,19 +3,24 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: docker.io/headscale/headscale 
+    image: docker.io/headscale/headscale
-    container_name: headscale 
+    container_name: headscale
     volumes:
       - ${SERVICE_PATH}/headscale/config:/etc/headscale
       - ${SERVICE_PATH}/headscale/lib:/var/lib/headscale
       - ${SERVICE_PATH}/headscale/run:/var/run/headscale
     ports:
-      - 127.0.0.1:8080:8080 # api 
+      - 127.0.0.1:8080:8080 # api
       - 127.0.0.1:9090:9090 # metrics
     command: serve
     environment:
     networks:
       - ip4net
     labels:
-      # Watchtower
+      # Traefik
-      - "com.centurylinklabs.watchtower.enable=true"
+      - "traefik.enable=true"
+      - "traefik.http.routers.headscale.rule=Host(`headscale.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.headscale.entrypoints=https"
+      - "traefik.http.routers.headscale.tls.certresolver=myresolver"
+      - "traefik.http.routers.headscale.tls=true"
+      - "traefik.http.routers.headscale.middlewares=crowdsec-bouncer@file"

services/traefik/config/config.yml

@@ -5,32 +5,34 @@ http:
     crowdsec-bouncer:
       plugin:
         crowdsec-bouncer-traefik-plugin:
-          enabled: true
+          enabled: true 
           logLevel: INFO
           updateIntervalSeconds: 60
-          crowdsecMode: stream
+          crowdsecMode: live 
           crowdsecAppsecEnabled: true
+          crowdsecAppsecFailureBlock: true 
+          crowdsecAppsecUnreachableBlock: true 
           crowdsecAppsecHost: crowdsec:7422
           crowdsecLapiScheme: http
           crowdsecLapiHost: crowdsec:8080
           # generated using "docker exec crowdsec cscli bouncers add crowdsecBouncer"
-          crowdseclapikey: {{ env "TRAEFIK_CROWDSEC_API_KEY" }}
+          crowdsecLapikey: {{ env "TRAEFIK_CROWDSEC_API_KEY" }}
           forwardedHeadersTrustedIPs:
             - 10.0.0.0/8
           clientTrustedIPs:
             - 192.168.178.0/24
-          captchaProvider: hcaptcha
+          # captchaProvider: hcaptcha
-          captchaSiteKey: b2d20610-8dda-4f40-8688-7ca8e1e628f8 # found in hcaptcha account
+          # captchaSiteKey: b2d20610-8dda-4f40-8688-7ca8e1e628f8 # found in hcaptcha account
-          captchaSecretKey: {{ env "TRAEFIK_CAPTCHA_KEY" }}
+          # captchaSecretKey: {{ env "TRAEFIK_CAPTCHA_KEY" }}
-          captchaGracePeriodSeconds: 1800
+          # captchaGracePeriodSeconds: 1800
-          captchaHTMLFilePath: /captcha.html
+          # captchaHTMLFilePath: /captcha.html
-          banHTMLFilePath: /ban.html
+          # banHTMLFilePath: /ban.html
 
   routers:
     authelia:
       rule: "Host(`auth.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https,http
+      entrypoints: https,http 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
@@ -38,7 +40,7 @@ http:
     audiobookshelf:
       rule: "Host(`audiobookshelf.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https,http
+      entrypoints: https,http 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
@@ -46,15 +48,7 @@ http:
     gitea:
       rule: "Host(`gitea.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https,http
+      entrypoints: https,http 
-      tls:
-        certresolver: myresolver
-      middlewares: crowdsec-bouncer@file
-
-    headscale:
-      rule: "Host(`headscale.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
-      service: node 
-      entryPoints: https,http
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
@@ -62,15 +56,15 @@ http:
     immich:
       rule: "Host(`immich.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https,http
+      entrypoints: https,http 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
 
     lldap:
-      rule: "Host(`lldap.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
+      rule: "Host(`ldap.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https,http
+      entrypoints: https,http 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
@@ -78,7 +72,7 @@ http:
     linkwarden:
       rule: "Host(`linkwarden.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https,http
+      entrypoints: https,http 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
@@ -86,7 +80,7 @@ http:
     mealie:
       rule: "Host(`mealie.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https,http
+      entrypoints: https,http 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
@@ -94,7 +88,7 @@ http:
     navidrome:
       rule: "Host(`navidrome.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https,http
+      entrypoints: https,http 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
@@ -102,7 +96,7 @@ http:
     ntfy:
       rule: "Host(`ntfy.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https,http
+      entrypoints: https,http 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
@@ -110,7 +104,7 @@ http:
     paperless:
       rule: "Host(`paperless.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https,http
+      entrypoints: https,http 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
@@ -118,7 +112,7 @@ http:
     pdf:
       rule: "Host(`pdf.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https,http
+      entrypoints: https,http 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
@@ -126,7 +120,7 @@ http:
     radicale:
       rule: "Host(`radicale.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https,http
+      entrypoints: https,http 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
@@ -134,23 +128,23 @@ http:
     rss:
       rule: "Host(`rss.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https,http
+      entrypoints: https,http 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
 
-    superset:
+    # superset:
-      rule: "Host(`superset.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
+    #   rule: "Host(`superset.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
-      service: node 
+    #   service: node 
-      entryPoints: https,http
+    #   entrypoints: https,http
-      tls:
+    #   tls:
-        certresolver: myresolver
+    #     certresolver: myresolver
-      middlewares: crowdsec-bouncer@file
+    #   middlewares: crowdsec-bouncer@file
 
     vaultwarden:
       rule: "Host(`vaultwarden.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https,http
+      entrypoints: https,http 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
@@ -158,7 +152,7 @@ http:
     vikunja:
       rule: "Host(`vikunja.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https,http
+      entrypoints: https,http 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
@@ -167,4 +161,14 @@ http:
     node:
       loadBalancer:
         servers:
-          - url: http://{{ env "TRAEFIK_MAIN_SERVER_NODE_IP" }}
+          - url: https://{{ env "TRAEFIK_MAIN_SERVER_NODE_IP" }}
+
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: /etc/certs/server-vps-lan.crt
+        keyFile: /etc/certs/server-vps-lan.key
+  certificates:
+    - certFile: /etc/certs/server-vps-lan.crt
+      keyFile: /etc/certs/server-vps-lan.key

services/traefik/config/traefik.yml

@@ -32,12 +32,6 @@ entryPoints:
         - "10.0.0.0/8"
         - "192.168.178.0/16"
         - "2a07:600:200:1::/64"
-    http:
-      redirections: # HTTPS redirection (80 to 443)
-        entryPoint:
-          to: "https" # The target element
-          scheme: "https" # The redirection target scheme
-          permanent: true # The target element
 
   https:
     address: "[::]:443" # Create the HTTPS entrypoint on port 443
@@ -57,11 +51,12 @@ entryPoints:
 certificatesResolvers:
   myresolver:
     acme:
-      email: chris.windler@crescentec.ch 
+      email: chris.windler@crescentec.ch
-      storage: acme.json
+      storage: letsencrypt/acme.json
+      # caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
       httpChallenge:
         # used during the challenge
-        entryPoint: http 
+        entryPoint: http
 
 providers:
   docker:

services/traefik/traefik.yml

@@ -3,7 +3,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: traefik:v3.6.6
+    image: traefik:v3.6.10
     container_name: traefik
     ports:
       - "80:80"
@@ -16,7 +16,11 @@ services:
       TRAEFIK_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN}
       TRAEFIK_MAIN_SERVER_NODE_IP: ${MAIN_SERVER_NODE_IP}
       TRAEFIK_CROWDSEC_API_KEY: ${CROWDSEC_API_KEY}
-      INFOMANIAK_ACCESS_TOKEN: ${INFOMANIAK_CERTIFICATE_ACCESS_TOKEN}
+    deploy:
+      resources:
+        limits:
+          cpus: "0.3"
+          memory: 150M
     volumes:
       - "/var/log/traefik/:/var/log/traefik/"
       - "/var/run/docker.sock:/var/run/docker.sock:ro"
@@ -29,68 +33,77 @@ services:
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.traefik.service=api@internal"
-      - "traefik.http.routers.traefik.rule=Host(`traefik.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.traefik.rule=Host(`traefik.${LOCAL_VPS_DOMAIN}`)"
       - "traefik.http.routers.traefik.entrypoints=https"
       - "traefik.http.routers.traefik.tls=true"
 
-  # traefik-agent:
+  traefik-agent:
-  #   extends:
+    extends:
-  #     file: ${TEMPLATES_PATH}
+      file: ${TEMPLATES_PATH}
-  #     service: default
+      service: default
-  #   image: hhftechnology/traefik-log-dashboard-agent:2.4.0
+    image: hhftechnology/traefik-log-dashboard-agent:2.5.0
-  #   container_name: traefik-log-dashboard-agent
+    container_name: traefik-log-dashboard-agent
-  #   networks:
+    networks:
-  #     - ip4net
+      - ip4net
-  #   ports:
+    ports:
-  #     - "8078:5000"
+      - "8078:5000"
-  #   volumes:
+    volumes:
-  #     - "/var/log/crowdsec/:/logs:ro"
+      - "/var/log/traefik/:/logs:ro"
-  #     - "${SERVICE_PATH}/traefik/log-dashboard/positions:/data"
+      - "${SERVICE_PATH}/traefik/log-dashboard/positions:/data"
-  #   environment:
+    environment:
-  #     TRAEFIK_LOG_DASHBOARD_ACCESS_PATH: /logs/traefik.log
+      TRAEFIK_LOG_DASHBOARD_ACCESS_PATH: /logs/access.log
-  #     TRAEFIK_LOG_DASHBOARD_AUTH_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN}
+      TRAEFIK_LOG_DASHBOARD_AUTH_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN}
-  #     TRAEFIK_LOG_DASHBOARD_SYSTEM_MONITORING: true
+      TRAEFIK_LOG_DASHBOARD_SYSTEM_MONITORING: true
-  #     TRAEFIK_LOG_DASHBOARD_LOG_FORMAT: json
+      TRAEFIK_LOG_DASHBOARD_LOG_FORMAT: json
-  #   healthcheck:
+    deploy:
-  #     test:
+      resources:
-  #       [
+        limits:
-  #         "CMD",
+          cpus: "0.10"
-  #         "wget",
+          memory: 50M
-  #         "--no-verbose",
+    healthcheck:
-  #         "--tries=1",
+      test:
-  #         "--spider",
+        [
-  #         "http://localhost:5000/api/logs/status",
+          "CMD",
-  #       ]
+          "wget",
-  #     interval: 2m
+          "--no-verbose",
-  #     timeout: 10s
+          "--tries=1",
-  #     retries: 3
+          "--spider",
-  #     start_period: 30s
+          "http://localhost:5000/api/logs/status",
-  #
+        ]
-  # traefik-dashboard:
+      interval: 2m
-  #   extends:
+      timeout: 10s
-  #     file: ${TEMPLATES_PATH}
+      retries: 3
-  #     service: default
+      start_period: 30s
-  #   image: hhftechnology/traefik-log-dashboard:2.4.0
+
-  #   container_name: traefik-log-dashboard
+  traefik-dashboard:
-  #   networks:
+    extends:
-  #     - ip4net
+      file: ${TEMPLATES_PATH}
-  #   ports:
+      service: default
-  #     - "8077:3000"
+    image: hhftechnology/traefik-log-dashboard:2.5.0
-  #   volumes:
+    container_name: traefik-log-dashboard
-  #     - ./data/dashboard:/app/data
+    networks:
-  #     - "${SERVICE_PATH}/traefik/log-dashboard/dashboard:/app/data"
+      - ip4net
-  #     - "${SERVICE_PATH}/traefik/log-dashboard/positions:/data"
+    ports:
-  #   environment:
+      - "8077:3000"
-  #     AGENT_API_URL: http://192.168.178.35:8078
+    volumes:
-  #     AGENT_API_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN}
+      - "${SERVICE_PATH}/traefik/log-dashboard/dashboard:/app/data"
-  #     # Display Configuration
+      - "${SERVICE_PATH}/traefik/log-dashboard/positions:/data"
-  #     NEXT_PUBLIC_SHOW_DEMO_PAGE: false
+    environment:
-  #   depends_on:
+      AGENT_API_URL: http://traefik-agent:5000
-  #     traefik-agent:
+      AGENT_API_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN}
-  #       condition: service_healthy
+      # Display Configuration
-  #   labels:
+      NEXT_PUBLIC_SHOW_DEMO_PAGE: false
-  #     # traefik
+    depends_on:
-  #     - "traefik.enable=true"
+      traefik-agent:
-  #     - "traefik.http.routers.traefik-log-dashboard.rule=Host(`traefik-dashboard.${LOCAL_DOMAIN}`)"
+        condition: service_healthy
-  #     - "traefik.http.routers.traefik-log-dashboard.entrypoints=https"
+    deploy:
-  #     - "traefik.http.routers.traefik-log-dashboard.tls=true"
+      resources:
+        limits:
+          cpus: "0.1"
+          memory: 50M
+    labels:
+      # traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik-log-dashboard.rule=Host(`traefik-dashboard.${LOCAL_VPS_DOMAIN}`)"
+      - "traefik.http.routers.traefik-log-dashboard.entrypoints=https"
+      - "traefik.http.routers.traefik-log-dashboard.tls=true"