Traefik
Reverse proxy running in the network Swarm stack on PCT 108. Handles all *.carr-family.org traffic.
- Config: /mnt/tank/appdata/traefik/traefik.yml
- Dynamic routes: /mnt/tank/appdata/traefik/routes.yml
- Certs: /mnt/tank/appdata/traefik/certs/acme.json
- TLS: Cloudflare DNS challenge (CF_DNS_API_TOKEN_FILE from Docker secret)
- Entrypoints: web (80 → 443 redirect), websecure (443)
- Trusted IPs: 192.168.2.0/24 (LAN), 100.64.0.0/10 (Tailscale), Cloudflare IP ranges
Two providers: Swarm (local Docker socket on PCT 108) + Docker (tcp://192.168.2.191:2375 for standalone containers on PCT 102).
Static Routes (routes.yml)
Used for services not in Docker Swarm (standalone containers, VMs, or other LXC nodes).
| Host | Backend |
|---|---|
| homeassist.carr-family.org | 192.168.2.129:8123 |
| qbittorrent-vpn.carr-family.org | 192.168.2.190:8081 |
| qbittorrent.carr-family.org | 192.168.2.190:8080 (lan-only) |
| ai.carr-family.org | 192.168.2.81:3000 |
| gcjobs.carr-family.org | 192.168.2.81:8501 |
| jellyfin.carr-family.org | 192.168.2.191:8096 |
| n8n.carr-family.org | 192.168.2.83:5678 (lan-only) |
| litellm.carr-family.org | 192.168.2.83:4000 (lan-only) |
| openclaw.carr-family.org | 192.168.2.83:18789 (lan-only) |
| odysseus.carr-family.org | 192.168.2.83:7000 (lan-only) |
| otterwiki.carr-family.org | 192.168.2.105:8081 |
| pterodactyl.carr-family.org | 192.168.2.136:80 (lan-only) |
| qui.carr-family.org | 192.168.2.190:7476 |
| gcjobs-filler.carr-family.org | 192.168.2.81:8000 |
Middlewares
| Name | Purpose |
|---|---|
| lan-only | IP allowlist — LAN + Tailscale |
| auth | Basic auth via traefik_auth secret |
| secure-headers | HSTS |
| authentik | ForwardAuth → Authentik outpost (removed from routes.yml as of 2026-06-12 — compose labels may still reference it) |
Cross-provider reference: Middlewares defined in routes.yml must be referenced as authentik@file / lan-only@file in Swarm service labels — plain names default to @swarm and 404.
Docker Secrets
| Secret | Purpose |
|---|---|
| cf_dns_token | Cloudflare DNS challenge for TLS |
| cf_api_email | Cloudflare account email |
| traefik_auth | Dashboard basic auth |
routes.yml Edit Gotcha
sed -i replaces the file with a new inode; Traefik's bind-mount stays pinned to the old inode and misses changes. Always write in-place and force-restart after any edit:
pct exec 108 -- docker service update --force network_traefik
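The inode behaviour behind this gotcha, as an added example that is not part of the original page: it contrasts the write-temp-then-rename pattern that sed -i uses with an edit that overwrites the existing inode. The function names and the sample file content are assumptions made for illustration, and it only touches temp files it creates.

```shell
#!/usr/bin/env bash
# Added example: operates on constructed temp files, never on a real routes.yml.

# Print the inode number of a file.
inode_of() { ls -i "$1" | awk '{print $1}'; }

# The pattern sed -i follows: write a temp file beside the target, then
# rename it over the target. The path now points at a NEW inode, which a
# single-file bind mount inside the container never sees.
edit_via_rename() {
  local file=$1 expr=$2 tmp
  tmp=$(mktemp "$(dirname "$file")/.edit.XXXXXX") || return 1
  sed "$expr" "$file" > "$tmp" && mv "$tmp" "$file"
}

# In-place edit: render the result elsewhere, then overwrite the CONTENTS
# of the existing file with a redirect, so the inode is preserved.
edit_in_place() {
  local file=$1 expr=$2 tmp
  tmp=$(mktemp) || return 1
  # Refuse to clobber the file if sed failed or produced nothing.
  if sed "$expr" "$file" > "$tmp" && [ -s "$tmp" ]; then
    cat "$tmp" > "$file"
  else
    rm -f "$tmp"; return 1
  fi
  rm -f "$tmp"
}

demo() {
  local dir f before
  dir=$(mktemp -d); f="$dir/routes.yml"
  printf 'url: "http://192.0.2.10:8080"\n' > "$f"   # constructed sample line
  before=$(inode_of "$f")
  edit_in_place "$f" 's/8080/8081/'
  echo "in-place edit: inode $before -> $(inode_of "$f")"
  edit_via_rename "$f" 's/8081/8082/'
  echo "rename edit:   inode $before -> $(inode_of "$f")"
  rm -rf "$dir"
}

demo
```

The redirect in edit_in_place is not atomic, which is one more reason to follow the edit with the force-restart above rather than rely on a file watch.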
Cloudflare DNS-only (UDP game traffic — bypasses Traefik)
| Host | IP | Notes |
|---|---|---|
| satisfactory.carr-family.org | 174.95.181.77 (public IP) | Grey cloud (proxy off); router port forwards → 192.168.2.134. TCP+UDP 7777, TCP 8888 (ReliableMessaging). |
