• Docker preparations

sudo chmod +x /usr/local/bin/docker-compose

sudo usermod -aG docker ${USER}

// refresh group membership without logging
su - ${USER}

sudo nano /etc/environment
// edit variables
PUID=1000
PGID=140
TZ="Europe/Zagreb"
USERDIR="/home/USER"
MYSQL_ROOT_PASSWORD="passsword"
HTTP_USERNAME=username
HTTP_PASSWORD=mystrongpassword
DOMAINNAME=example.com
CLOUDFLARE_EMAIL=email@example.com
CLOUDFLARE_API_KEY=XXXXXXXXXXXX // Global API key
PLEX_CLAIM=claim-YYYYYYYYY // get from plex.tv/claim

• PUID and PGID – the user ID of the linux user, who we want to run the home server apps as, and group ID of docker.
• Both of these can be obtained using the id command as shown below.

• TZ – the timezone that you want to set for your containers. Get your TZ from here.
• USERDIR – the path to the path to the home folder of the current user.
• You can also get this using the following command: cd ~ ; pwd
• MYSQL_ROOT_PASSWORD – MySQL administrator password for MariaDB and phpMyAdmin.

mkdir ~/docker
sudo setfacl -Rdm g:docker:rwx ~/docker
sudo chmod -R 775 ~/docker

• Use this HTPASSWD Generator, to create a username and password and add them to the ${USERDIR}/docker/shared/.htpasswd file as shown below: username:mystrongpassword

• Prepare Traefik Folders and Files

mkdir ${USERDIR}/docker/traefik
mkdir ${USERDIR}/docker/traefik/acme
touch ${USERDIR}/docker/traefik/acme/acme.json
chmod 600 ${USERDIR}/docker/traefik/acme/acme.json
touch ${USERDIR}/docker/traefik/traefik.toml

// traefik.toml file contents
#debug = true

logLevel = "ERROR" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC
InsecureSkipVerify = true 
defaultEntryPoints = ["https", "http"]

# WEB interface of Traefik - it will show web page with overview of frontend and backend configurations 
[api]
  entryPoint = "traefik"
  dashboard = true
  address = ":8080"
  # usersFile = "/shared/.htpasswd"

# Force HTTPS
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
    MinVersion = "VersionTLS12"
    CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"]
  [entryPoints.monitor]
  address = ":8081"

[file]
  watch = true
  filename = "/etc/traefik/rules.toml"

# Let's encrypt configuration
[acme]
email = "email@domain.com" #any email id will work
storage="/etc/traefik/acme/acme.json"
entryPoint = "https"
acmeLogging=true 
onDemand = false #create certificate when container is created
[acme.dnsChallenge]
  provider = "cloudflare"
  delayBeforeCheck = 300
[[acme.domains]]
   main = "EXAMPLE.COM"
[[acme.domains]]
   main = "*.EXAMPLE.COM"
   
# Connection to docker host system (docker.sock)
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "EXAMPLE.COM"
watch = true
# This will hide all docker containers that don't have explicitly  
# set label to "enable"
exposedbydefault = false

• Extra config file for docker-gc image
  wget -P ${USERDIR}/docker/shared/ https://raw.githubusercontent.com/clockworksoul/docker-gc-cron/master/compose/docker-gc-exclude

• Create Traefix docker network
  docker network create traefik_proxy

• Start from docker-compose file
  docker-compose -f ${USERDIR}/docker/docker-compose.yml up -d

• Proxying Non-Docker Host System Apps
  touch ${USERDIR}/docker/traefik/rules.toml

// file contents
# Putting non-docker apps behind traefik proxy.  This example shows pihole.
[backends]
  [backends.backend-pihole]
    [backends.backend-pihole.servers]
      [backends.backend-pihole.servers.server-pihole-ext]
        url = "http://192.168.100.26"
        weight = 0

[frontends]
  [frontends.frontend-pihole]
    backend = "backend-pihole"
    passHostHeader = true
#    basicAuth = [
#      HTTP Authentication
#      "xxx:yyyyyyyyyyyy",
#    ]
    [frontends.frontend-pihole.routes]
          [frontends.frontend-pihole.routes.route-pihole-ext]
        rule = "Host:pi.example.com"

// Check logs for status  
docker-compose logs -tf --tail="50" traefik

// starting containers
docker-compose -f ~/docker/docker-compose.yml up -d

// see running containers
docker ps -a

// check container logs
docker-compose logs

// stop any running docker container
docker-compose stop CONTAINER-NAME

// go back to how it was before running docker compose file
docker-compose -f ~/docker/docker-compose.yml down

// docker cleanup
docker system prune
docker image prune
docker volume prune

// validate docker compose file
docker-compose -f docker-compose.yml config

// check all running ports
sudo netstat -tulpn | grep LISTEN

// add non root user to sudo group
usermod -aG sudo username

// make script executable, add #!/bin/bash at top of script
chmod +x script.sh

• Docker bench for security here

• Turn docker run command to docker compose snippet

• Handy docker compose cheatsheet

• Script to setup Traefik reverse-proxy in Docker with Compose

• install script to use:

curl -vsL https://gist.githubusercontent.com/jerkovicl/c31d1a0323f2e9104e4fae8eadf9c7f7/raw/3d5dc9040219b4095f75ada40e5ae31aa6503400/traefik_docker_setup.sh | bash -s