Docker compose offers a very simple way to run and maintain self-hosted homelab. As demonstrated here, tooling available makes automation and setup very easy.
This demo is for a single-node homelab using docker-compose to orchestrate a Cloudflared tunnel connection, a Traefik reverse proxy and Elixir's Livebook app. Cloudflare DNS is automated with CNAME creation from Traefik routes.
graph TB
tf(Terraform) -.- dns
tf -.- argo
dns{Cloudflare DNS} --> argo
argo((Cloudflare Tunnels)) == Tunnel ==> cloudflared
ddns -.- dns
subgraph lan[Docker Network]
style lan stroke-dasharray: 5 5
cloudflared --> traefik[Traefik reverse proxy]
traefik --> livebook[Livebook]
ddns[cloudflare-companion] -. service discovery .- livebook
end
The phony make targets below are used to simplify each step. Look at the Makefile to see what each one does.
First, initialize the config file and terraform project.
make setupThis creates a .env file which you should edit with your own secrets. CLOUDFLARE_API_TOKEN needs Zone.DNS and Account.Cloudflare Tunnel write permissions for the domain in use. Use an API token, not an API key. The value for CLOUDFLARE_TUNNEL_TOKEN will come later.
Then, create the Cloudflared tunnel. You'll need Terraform, unless you create it from the Cloudflare Zero Trust dashboard. Note, using the dashboard setup, point the tunnel endpoint to http://traefik:80 as the cloudflared image sees the host within the docker network.
make terraformThis plans and applies the terraform tunnel configuration. It creates a CNAME record tunnel.example.com that points to the Cloudflared tunnel URL.
Find the tunnel_token value in the terraform output file ./tunnel/terraform.tfstate and add it as the value of CLOUDFLARE_TUNNEL_TOKEN.
Start the docker compose.
make startThis runs docker-compose --compatibility up. The compatibility flag appears to be required in order to set resource limits in docker-compose.