From 4e16685ebe439b622f37108c338d0ea5002e115d Mon Sep 17 00:00:00 2001
From: BeauTroll <->
Date: Sun, 21 Dec 2025 04:31:56 +0100
Subject: [PATCH] Fix Traefik configuration issues and improve security
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Upgrade to traefik:latest to fix Docker API compatibility with v29
- Fix websecure entrypoint indentation in traefik.yml
- Remove obsolete DOCKER_API_VERSION environment variable
- Remove incompatible network_mode: host setting
- Set network to external for multi-compose compatibility
- Add environment variable support for certificate email
- Add acme.json to .gitignore for security
- Create acme.json with correct 600 permissions
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5
---
 .env.example | 1 +
 .gitignore | 1 +
 docker-compose.yml | 8 ++------
 traefik.yml | 7 +++----
 4 files changed, 7 insertions(+), 10 deletions(-)
diff --git a/.env.example b/.env.example
index ddf27b9..e74a76a 100644
--- a/.env.example
+++ b/.env.example
@@ -1,3 +1,4 @@
 DASHBOARD_HOST=
 DASHBOARD_USER=
 DASHNOARD_PASSWORD=
+CERT_EMAIL=
diff --git a/.gitignore b/.gitignore
index 4c49bd7..fc2569f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 .env
+acme.json
diff --git a/docker-compose.yml b/docker-compose.yml
index bf9ebca..ad8a535 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,16 +1,13 @@
 services:
 traefik:
- image: traefik:v3.2
+ image: traefik:latest
 container_name: traefik
 restart: unless-stopped
- network_mode: host
 security_opt:
 - no-new-privileges:true
 ports:
 - "80:80"
 - "443:443"
- environment:
- - DOCKER_API_VERSION=1.44
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock:ro
 - ./traefik.yml:/etc/traefik/traefik.yml:ro
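Review bot: The context line `DASHNOARD_PASSWORD=` in the .env.example hunk is misspelled, and the commit adds `CERT_EMAIL=` right below it without correcting it. The basicauth label in docker-compose.yml reads `${DASHBOARD_PASSWORD}`, so anyone who fills in the template as written leaves that variable unset and Compose substitutes an empty string into the dashboard credential. How Traefik treats a `user:` entry with an empty hash is not visible here, so the outcome is presumably a dashboard nobody can log in to or a middleware that fails to load. Rename the key to `DASHBOARD_PASSWORD=`.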
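Review bot: `image: traefik:latest` in the first docker-compose.yml hunk replaces a pinned tag with a mutable one, so any pull or recreate can bring in a different release, including a future major version, without any change in this repository. The same service publishes 80/443 and mounts `/var/run/docker.sock`; the `:ro` flag on that mount applies to the socket file and does not make the Docker API read-only, so what runs in this container deserves tight control. Pin the first release that carries the Docker API compatibility fix, preferably with its digest, e.g. `image: traefik:<fixed-version>@sha256:<digest>` (placeholders), and bump it deliberately.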
@@ -25,7 +22,6 @@ services:
 - "traefik.http.routers.traefik-dashboard.tls.certresolver=letsencrypt"
 - "traefik.http.routers.traefik-dashboard.middlewares=traefik-auth"
 - "traefik.http.middlewares.traefik-auth.basicauth.users=${DASHBOARD_USER}:${DASHBOARD_PASSWORD}"
-
 networks:
 traefik-net:
- external: false
+ external: true
diff --git a/traefik.yml b/traefik.yml
index 6415266..833e984 100644
--- a/traefik.yml
+++ b/traefik.yml
@@ -9,19 +9,18 @@ entryPoints:
 entryPoint:
 to: websecure
 scheme: https
-websecure:
- address: ":443"
+ websecure:
+ address: ":443"
 certificatesResolvers:
 letsencrypt:
 acme:
- email: votre@email.com
+ email: ${CERT_EMAIL}
 storage: acme.json
 httpChallenge:
 entryPoint: web
 providers:
 docker:
- endpoint: "unix:///var/run/docker.sock"
 exposedByDefault: false
 network: traefik-net
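Review bot: With `external: true` Compose no longer creates `traefik-net`, so `docker compose up` fails until the network exists, and nothing in this patch documents or performs that step. A comment above the key, such as `# create once: docker network create traefik-net`, would cover it. The same comment should say that every container attached to this shared network can reach the others directly, without passing through Traefik's routers and middlewares, so only services meant to sit behind the proxy should join it.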
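Review bot: `email: ${CERT_EMAIL}` will most likely reach the ACME client as the literal string, because as far as I know Traefik does not expand `${...}` in its static configuration file, and the compose hunks in this patch do not pass `CERT_EMAIL` into the container either. Registration with an invalid contact address would then fail and the `letsencrypt` resolver would issue no certificates, leaving Traefik's default self-signed certificate on 443. Either keep a real address in a deployment-local `traefik.yml`, or move the static options to `command:` flags in docker-compose.yml, where Compose does interpolate, e.g. `--certificatesresolvers.letsencrypt.acme.email=${CERT_EMAIL}`. Traefik treats file, flags and environment as alternative sources of static configuration, so the remaining options would have to move with it. The `entryPoints` and `providers` blocks start or end outside this hunk.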