Skip to content

The Gatekeeper — Traefik Reverse Proxy

The Gatekeeper (docker-traefik) guards the threshold of the noosphere, routing traffic across shrines and ceremonies.

  • Static config: traefik.yml generated by Nix (symlink L+ to the store)
  • Dynamic config: traefik_dynamic.yml unsealed by sops to /srv/docker/traefik/conf/
  • Certificates: acme.json (permissions 0600 mandatory)
  • Access logs: /srv/docker/traefik/logs/traefik.log (JSON, rotated daily for 14 days)
EntrypointPortRole
web80Redirect to HTTPS
websecure443TLS, timeout 600s
traefik127.0.0.1:8080API/dashboard/ping (local only)
Terminal window
docker exec traefik traefik healthcheck
# or
curl -s http://127.0.0.1:8080/ping

Onboarding a Service Behind the Gatekeeper

Section titled “Onboarding a Service Behind the Gatekeeper”

In the service’s docker-*.nix file, add these labels:

labels = {
"traefik.enable" = "true";
"traefik.http.routers.<name>.rule" = "Host(`myservice.friloux.me`)";
"traefik.http.routers.<name>.tls" = "true";
"traefik.http.routers.<name>.tls.certresolver" = "lets-encrypt";
"traefik.docker.network" = "web";
"traefik.http.services.<name>.loadbalancer.server.port" = "PORT";
"traefik.http.routers.<name>.middlewares" = "crowdsec@file,rate-limit@file,security-headers@file";
"friloux.me/health-watch" = "true"; # always last
};
networks = ["web"];

Traefik starts only after CrowdSec (after = ["crowdsec.service"]). If CrowdSec fails, Traefik will not awaken.

Let’s Encrypt renews automatically via TLS challenge. In case of trouble:

Terminal window
# View renewal logs
docker logs traefik 2>&1 | grep -i "acme\|cert\|renew"
# Force renewal (delete existing cert)
# Warning: Let's Encrypt limits to 5 attempts per domain per hour
docker stop traefik
rm /srv/docker/traefik/acme.json
touch /srv/docker/traefik/acme.json && chmod 600 /srv/docker/traefik/acme.json
docker start traefik