This Docker Compose setup configures Traefik as a reverse proxy with automatic Let's Encrypt SSL certificates using DNS challenge via DigitalOcean.

• Automatic HTTPS with Let's Encrypt SSL certificates
• DNS challenge using DigitalOcean (works for internal IPs)
• Automatic certificate renewal
• HTTP to HTTPS redirection
• Traefik dashboard for monitoring
• Easy to extend with additional services

1. Docker and Docker Compose installed on your NAS
2. Domain console.lol with DNS pointing to your NAS IP (10.0.0.54)
3. DigitalOcean account with API token for DNS challenge
4. DNS records configured:
   • *.console.lol → 10.0.0.54 (wildcard A record)
   • Or individual A records for each subdomain

In your DigitalOcean DNS panel for console.lol:

Type: A
Hostname: *
Value: 10.0.0.54
TTL: 3600

Or create individual A records:

• nas.console.lol → 10.0.0.54
• syncthing.console.lol → 10.0.0.54
• traefik.console.lol → 10.0.0.54

1. Go to https://cloud.digitalocean.com/account/api/tokens
2. Generate a new token with read/write access
3. Copy the token

cp .env.example .env

Edit .env and add your DigitalOcean API token:

DO_AUTH_TOKEN=your_actual_token_here

Edit traefik/traefik.yml and replace your-email@example.com with your actual email address for Let's Encrypt notifications.

docker network create proxy

docker compose up -d

docker compose logs -f traefik

Watch for successful certificate generation. It should show:

• Certificate obtained for console.lol and *.console.lol

The following services are pre-configured:

The dashboard is protected with basic auth:

• Username: admin
• Password: admin (change this!)

To generate a new password hash:

echo $(htpasswd -nb admin your_password) | sed -e s/\\$/\\$\\$/g

Update the hash in docker-compose.yml under the traefik-auth.basicauth.users label.

To add a new service, edit traefik/config.yml:

http:
  routers:
    your-service-name:
      entryPoints:
        - 'https'
      rule: 'Host(`your-service.console.lol`)'
      middlewares:
        - default-headers
      tls:
        certResolver: digitalocean
      service: your-service-name

  services:
    your-service-name:
      loadBalancer:
        servers:
          - url: 'http://10.0.0.54:PORT'
        passHostHeader: true

Then reload Traefik:

docker compose restart traefik

.
├── docker-compose.yml          # Main Docker Compose configuration
├── .env                        # Environment variables (DO NOT commit)
├── .env.example               # Example environment file
├── traefik/
│   ├── traefik.yml           # Static Traefik configuration
│   ├── config.yml            # Dynamic configuration (routes/services)
│   └── acme.json             # Let's Encrypt certificates storage
└── README.md                 # This file

1. Check DigitalOcean API token is correct
2. Verify DNS records are propagated: dig nas.console.lol
3. Check Traefik logs: docker compose logs -f traefik
4. Ensure acme.json has 600 permissions

1. Check the backend service is running on the specified port
2. Verify firewall allows ports 80 and 443
3. Check Traefik dashboard for router status
4. Test backend directly: curl http://10.0.0.54:PORT

Certificates auto-renew 30 days before expiration. Check logs around renewal time.

• The .env file contains sensitive API tokens - never commit it to version control
• Change the default Traefik dashboard password
• Consider restricting access to the Traefik dashboard to local network only
• The default-whitelist middleware is configured for private IP ranges

After making changes to traefik/config.yml:

docker compose restart traefik

After making changes to traefik/traefik.yml or docker-compose.yml:

docker compose down
docker compose up -d

docker compose down

• Traefik Documentation
• Let's Encrypt DNS Challenge
• DigitalOcean DNS Provider