properly got pi traefik/authelia working, need to migrate nuc to that setup.

switch pihole to technitium dns server

pi/traefik/docker-compose.yml

@@ -0,0 +1,94 @@
+---
+version: "3.8"
+services:
+  traefik:
+    image: traefik:latest
+    container_name: traefik
+    hostname: traefik
+    restart: unless-stopped
+
+   
+    environment:
+      - CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}
+      - CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_KEY}
+      - DOMAIN_ROOT=${DOMAIN_ROOT}
+      
+    ports:
+      - mode: host
+        protocol: tcp
+        published: 80
+        target: 80
+      - mode: host
+        protocol: tcp
+        published: 443
+        target: 443
+
+    volumes:
+      - ./traefik.yml:/etc/traefik/traefik.yml:ro
+      - ./custom:/etc/traefik/custom:ro
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+      - certs:/letsencrypt
+
+    labels:
+      - 'traefik.enable=true'
+      - 'traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN_ROOT}`)'
+      - "traefik.http.routers.traefik.entrypoints=websecure"
+      - 'entrypoints.websecure.http.tls=true'
+      - 'entrypoints.websecure.http.tls.certResolver=letsencrypt'
+      - 'entrypoints.websecure.http.tls.domains[0].main=${DOMAIN_ROOT}'
+      - 'entrypoints.websecure.http.tls.domains[0].sans=*.${DOMAIN_ROOT}'
+      - "traefik.http.routers.traefik.service=api@internal"
+      - 'traefik.http.routers.traefik.middlewares=strip'
+      - 'traefik.http.middlewares.strip.stripprefix.prefixes=/traefik'
+      - 'traefik.http.services.traefik.loadbalancer.server.port=8080'
+      - 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https://login.${DOMAIN_ROOT}/'
+      - 'traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true'
+      - 'traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
+      - 'certificatesresolvers.letsencrypt.acme.dnschallenge=true'
+      - 'certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare'
+      - 'certificatesresolvers.letsencrypt.acme.email=${CLOUDFLARE_EMAIL}'
+      - 'certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json'
+
+    networks:
+      - web
+
+  authelia:
+    image: authelia/authelia
+    container_name: authelia
+    volumes:
+      - authelia_config:/config
+      - ./config/configuration.yml:/config/configuration.yml:ro
+      - ./config/users_database.yml:/config/users_database.yml:ro
+
+    environment:
+      - DOMAIN_ROOT=${DOMAIN_ROOT}
+      - TZ=${TIMEZONE}
+
+    networks:
+      - web
+
+    labels:
+      - 'traefik.enable=true'
+      - 'traefik.http.routers.authelia.rule=Host(`login.${DOMAIN_ROOT}`)'
+      - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.${DOMAIN_ROOT}/'  # yamllint disable-line rule:line-length
+      - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
+      - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'  # yamllint disable-line rule:line-length
+      - 'traefik.http.services.authelia.loadbalancer.server.port=9091'
+
+    restart: unless-stopped
+    healthcheck:
+      ## In production the healthcheck section should be commented.
+      disable: true
+
+networks:
+  web:
+    external: true
+
+volumes:
+  certs:
+    name: certs
+    driver: local
+
+  authelia_config:
+    name: authelia_config
+    driver: local