@hmidani-abdelilah
Forked from PromoFaux/DoT.yml
Created November 12, 2025 14:59

DoT.yml stored in /etc/traefik/conf.d (`--providers.file.directory=/etc/traefik/traefik.conf.d`)

My Traefik container is defined in Portainer - compose file provided by way of example

Replace my.dot.domain.here with the URL requests are coming in on. Replace ip.address.of.pihole with the.. IP.... address...of.......your...... you get the gist.

```yaml
tcp:
  routers:
    rou_dot:
      entryPoints:
        - dot                                # :853, defined in the compose command
      rule: HostSNI(`my.dot.domain.here`)    # TCP routing can only key on the SNI name
      service: svc_dot
      tls:
        certResolver: le                     # Traefik terminates TLS here, not Pi-hole
  services:
    svc_dot:
      loadBalancer:
        servers:
          # Traefik TCP server addresses need a port; Pi-hole's plain-DNS port 53
          # is assumed here, since TLS is already stripped by the router above.
          - address: 'ip.address.of.pihole:53'
tls:
  options:
    # "default" applies to every TLS entrypoint (web-secure as well as dot):
    # TLS 1.2 floor, ECDHE + AEAD suites only.
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
```
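The router above terminates TLS on the `dot` entrypoint and hands plain DNS-over-TCP to the Pi-hole, so the quickest way to confirm the whole chain (SNI match, Let's Encrypt certificate, TLS 1.2 floor, cipher list, upstream answer) is a small DNS-over-TLS client. The probe below is an added example, not code from the gist or from Traefik or Pi-hole. It builds a DNS query in wire format, adds the two-byte length prefix RFC 7858 requires, sends it over a verified TLS session presenting the HostSNI name, and parses the A records out of the reply while reporting the negotiated protocol and cipher. The host names and the sample response are placeholders or constructed data.

```python
"""DNS-over-TLS (RFC 7858) probe for a Traefik-fronted resolver.

Added example, not part of the original gist. Server/SNI names and the
sample response are placeholders or constructed data.
"""
import socket
import ssl
import struct


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Return a DNS query (header + one IN question) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame(msg: bytes) -> bytes:
    """DNS over TCP/TLS prefixes each message with a 16-bit big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def _read_name(msg: bytes, off: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 s4.1.4)
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if jumped else off


def parse_response(msg: bytes, expected_txid: int = 0x1234) -> dict:
    """Return the RCODE and any A-record addresses from a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4  # skip QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"rcode": flags & 0x000F, "answers": answers}


def sample_response() -> bytes:
    """Constructed reply to build_query("pi.hole"): NOERROR, one A record."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = build_query("pi.hole")[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 168, 1, 2])
    return header + question + answer


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def query_dot(qname: str, server: str, sni: str, port: int = 853) -> dict:
    """Resolve qname over DoT; also report the negotiated protocol and cipher."""
    ctx = ssl.create_default_context()  # verifies the Let's Encrypt chain
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(frame(build_query(qname)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            result = parse_response(_recv_exact(tls, length))
            result["tls"] = (tls.version(), tls.cipher()[0])
    return result


if __name__ == "__main__":
    # Placeholder host from the gist; replace with the real DoT name.
    print(query_dot("pi.hole", "my.dot.domain.here", "my.dot.domain.here"))
```

Run it against the real hostname and check that `tls` reports `TLSv1.2` or `TLSv1.3` and one of the ECDHE suites from the options block; a handshake failure with the SNI name wrong is expected, since `HostSNI` is the only thing the TCP router can match on.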
Compose file for the Traefik container:

```yaml
version: '3.3'
services:
  traefik_v2:
    container_name: traefik
    hostname: traefik
    image: traefik:${TRAEFIK_TAG}
    command:
      # Providers
      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.watch=true
      - --providers.docker.exposedbydefault=false
      - --providers.file=true
      - --providers.file.watch=true
      - --providers.file.directory=/etc/traefik/traefik.conf.d
      #
      - --api.dashboard=true
      # api.insecure serves the dashboard without auth on :8080 (reachable on the
      # "home" network, since the container has its own LAN address below)
      - --api.insecure=true
      - --api.debug=false
      #
      - --log.filepath=/etc/traefik/traefik.log
      - --log.level=ERROR
      #
      - --accesslog.format=common
      - --accesslog.filePath=/etc/traefik/traefik_access.log
      # Set up an insecure listener that redirects all traffic to TLS
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=web-secure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web-secure.address=:443
      # Set up the TLS configuration for our web-secure listener
      - --entrypoints.web-secure.http.tls=true
      - --entrypoints.web-secure.http.tls.certResolver=le
      - --entrypoints.web-secure.http.tls.domains[0].main=${TRAEFIK_DOMAIN1}
      - --entrypoints.web-secure.http.tls.domains[0].sans=*.${TRAEFIK_DOMAIN1}
      - --entrypoints.web-secure.http.tls.domains[1].main=${TRAEFIK_DOMAIN2}
      - --entrypoints.web-secure.http.tls.domains[1].sans=*.${TRAEFIK_DOMAIN2}
      # Other Entrypoints
      - --entrypoints.dot.address=:853
      - --entrypoints.wireguard.address=:51820
      # LetsEncrypt
      - --certificatesresolvers.le.acme.email=${LE_EMAIL}
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      - --certificatesResolvers.le.acme.dnsChallenge=true
      - --certificatesResolvers.le.acme.dnsChallenge.provider=cloudflare
      #- --providers.file=true
    environment:
      - TZ=Europe/London
      - CF_API_EMAIL=${CF_API_EMAIL}
      - CF_API_KEY=${CF_API_KEY}
    volumes:
      # - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik_confd:/etc/traefik/traefik.conf.d
      - traefik_letsencrypt:/letsencrypt
    mac_address: ${TRAEFIK_MAC}
    networks:
      home:
        ipv4_address: ${TRAEFIK_IP}
    restart: always
networks:
  home:
    external: true
volumes:
  traefik_confd:
    external: true
  traefik_letsencrypt:
    external: true
```