api/traefik/traefik.yml

# Traefik static configuration for microservices gateway

api:
  dashboard: true
  insecure: true  # Dashboard on :8080 (internal only in prod)

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: cloudflare

providers:
  docker:
    exposedByDefault: false
  file:
    directory: /etc/traefik/dynamic
    watch: true

# Automatic TLS via Let's Encrypt + Cloudflare DNS-01 challenge
certificatesResolvers:
  cloudflare:
    acme:
      email: "${ACME_EMAIL}"
      storage: /etc/traefik/acme/acme.json
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: "10"
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"