proxy.yml

version: "3.7"

networks:
  traefik-public:
    external: true

volumes:
  consul-data-leader:
  consul-data-replica:

services:
  consul-leader:
    image: consul
    command: agent -server -client=0.0.0.0 -bootstrap
    volumes:
      - consul-data-leader:/consul/data
    environment:
      - CONSUL_BIND_INTERFACE=eth0
      - 'CONSUL_LOCAL_CONFIG={"leave_on_terminate": true}'
    networks:
      - default

  consul-replica:
    image: consul
    command: agent -server -client=0.0.0.0 -retry-join="consul-leader"
    volumes:
      - consul-data-replica:/consul/data
    environment:
      - CONSUL_BIND_INTERFACE=eth0
      - 'CONSUL_LOCAL_CONFIG={"leave_on_terminate": true}'
    networks:
      - default
    deploy:
      mode: global
      placement:
        constraints:
          - node.role == manager
      update_config:
        parallelism: 1
        failure_action: rollback
        monitor: 5s
        max_failure_ratio: 1
        order: stop-first
        delay: 5s
      rollback_config:
        parallelism: 0
        failure_action: continue
        monitor: 5s
        max_failure_ratio: 3
        order: stop-first
      restart_policy:
        max_attempts: 10
        delay: 5s
        window: 120s
        condition: on-failure

  traefik:
    image: traefik
    command: >
      --docker
      --docker.swarmmode
      --docker.watch
      --docker.exposedbydefault=false
      --constraints=tag==traefik-public
      --entrypoints='Name:http Address::80'
      --entrypoints='Name:https Address::443 TLS'
      --consul
      --consul.endpoint="consul-leader:8500"
      --acme
      --acme.email=${EMAIL}
      --acme.storage="traefik/acme/account"
      --acme.entryPoint=https
      --acme.httpChallenge.entryPoint=http
      --acme.onhostrule=true
      --logLevel=WARN
      --api
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - default
      - traefik-public
    depends_on:
      - consul-leader
    ports:
      - 80:80
      - 443:443
    deploy:
      mode: global
      placement:
        constraints:
          - node.role == manager
      labels:
        - traefik.frontend.rule=Host:traefik.${DOMAIN}
        - traefik.enable=true
        - traefik.port=8080
        - traefik.tags=traefik-public
        - traefik.docker.network=traefik-public
        # Traefik service that listens to HTTP
        - traefik.redirectorservice.frontend.entryPoints=http
        - traefik.redirectorservice.frontend.redirect.entryPoint=https
        # Traefik service that listens to HTTPS
        - traefik.webservice.frontend.entryPoints=https
        - traefik.frontend.auth.basic.users=${USERNAME}:${HASHED_PASSWORD}
      update_config:
        parallelism: 1
        failure_action: rollback
        monitor: 5s
        max_failure_ratio: 1
        order: stop-first
        delay: 5s
      rollback_config:
        parallelism: 0
        failure_action: continue
        monitor: 5s
        max_failure_ratio: 3
        order: stop-first
      restart_policy:
        max_attempts: 10
        delay: 5s
        window: 120s
        condition: on-failure