The latest articles on DEV Community by Luc Allaire (@wolf361). https://dev.to/wolf361 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F954241%2Fb6a8793a-3924-4e43-90b4-b31b7ca84a47.jpg https://dev.to/wolf361 en Luc Allaire Fri, 08 May 2026 21:00:00 +0000 https://dev.to/wolf361/zero-config-dns-and-monitoring-for-your-traefik-homelab-2ph2 https://dev.to/wolf361/zero-config-dns-and-monitoring-for-your-traefik-homelab-2ph2 <p>Every Traefik service you expose already has a <code>Host()</code> rule that declares its public hostname. That information exists exactly once — in a Docker label — and propagates nowhere useful.</p> <p>So you end up maintaining three or four systems by hand: Cloudflare for public DNS, NetBird for internal VPN-only hostnames, Uptime Kuma for monitoring — with groups, tags, and status pages configured per service. Add a container and you need to update everything manually. Remove it 4 months later and those records stay unless you remember to clean them up.</p> <p><strong>traefik-mesh-companion</strong> makes the container definition the single source of truth and syncs the rest automatically.</p> <h2> What It Does </h2> <p>A Go sidecar that watches the Docker socket and syncs your Traefik routing labels to:</p> <ul> <li> <strong>NetBird</strong> — internal mesh VPN DNS records</li> <li> <strong>Cloudflare</strong> — A records or CNAMEs to a CF Tunnel endpoint</li> <li> <strong>Uptime Kuma</strong> — monitors, status page groups, tags, domain bindings</li> <li> <strong>Gatus</strong> (via Gatus Bridge) — endpoints and groups</li> </ul> <p>A single Docker Compose sidecar. No Kubernetes, no Helm, no operator.</p> <h2> How It Works </h2> <h3> Split-Horizon DNS via Entrypoints </h3> <p>No new label namespace for DNS routing. Two env vars filter your existing entrypoint labels:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">INTERNAL_FILTER=internal</span> <span class="c1"># routers on this entrypoint → NetBird</span> <span class="s">EXTERNAL_FILTER=https</span> <span class="c1"># routers on this entrypoint → Cloudflare</span> </code></pre> </div> <p>Your existing Traefik labels stay exactly as-is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Matches INTERNAL_FILTER → NetBird only</span> <span class="na">traefik.http.routers.dashboard.rule</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Host(`dashboard.internal.example.com`)"</span> <span class="na">traefik.http.routers.dashboard.entrypoints</span><span class="pi">:</span> <span class="s">internal</span> <span class="c1"># Matches EXTERNAL_FILTER → Cloudflare only</span> <span class="na">traefik.http.routers.api.rule</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Host(`api.example.com`)"</span> <span class="na">traefik.http.routers.api.entrypoints</span><span class="pi">:</span> <span class="s">https</span> </code></pre> </div> <p>Force-override per container if needed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">mesh.dns.internal</span><span class="pi">:</span> <span class="s2">"</span><span class="s">false"</span> <span class="c1"># exclude from internal pipeline</span> <span class="na">mesh.routers.admin.managed</span><span class="pi">:</span> <span class="s2">"</span><span class="s">false"</span> <span class="c1"># exclude this router from everything</span> </code></pre> </div> <h3> The Rule Parser </h3> <p>Pure-Go regex AST. Handles compound rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="p">(</span><span class="n">Host</span><span class="p">(</span><span class="s">`a.example.com`</span><span class="p">)</span> <span class="o">||</span> <span class="n">Host</span><span class="p">(</span><span class="s">`b.example.com`</span><span class="p">))</span> <span class="o">&amp;&amp;</span> <span class="n">PathPrefix</span><span class="p">(</span><span class="s">`/v2`</span><span class="p">)</span> </code></pre> </div> <p>Both hostnames extracted for DNS. <code>PathPrefix</code> captured separately for monitor URL construction. <code>HostRegexp</code> intentionally skipped — you can't derive a static DNS record from a dynamic pattern.</p> <h3> Monitoring Label Hierarchy </h3> <p>The <code>mesh.routers.*</code> namespace sits outside Traefik's schema validator. Fallback hierarchy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>mesh.routers.&lt;router_name&gt;.kuma.&lt;property&gt; ← highest priority mesh.routers.&lt;router_name&gt;.&lt;property&gt; mesh.kuma.&lt;property&gt; mesh.&lt;property&gt; ← lowest priority </code></pre> </div> <p>Real example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">traefik.http.routers.api.rule</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Host(`api.example.com`)"</span> <span class="na">traefik.http.routers.api.entrypoints</span><span class="pi">:</span> <span class="s">https</span> <span class="na">mesh.routers.api.kuma.url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/health"</span> <span class="na">mesh.routers.api.kuma.accepted_status_codes</span><span class="pi">:</span> <span class="s2">"</span><span class="s">200,</span><span class="nv"> </span><span class="s">204"</span> <span class="na">mesh.routers.api.kuma.interval</span><span class="pi">:</span> <span class="s2">"</span><span class="s">30"</span> <span class="na">mesh.kuma.tags</span><span class="pi">:</span> <span class="s2">"</span><span class="s">backend,</span><span class="nv"> </span><span class="s">prod:green"</span> <span class="na">mesh.kuma.pages</span><span class="pi">:</span> <span class="s2">"</span><span class="s">public-status:APIs"</span> </code></pre> </div> <p>Tags use djb2 deterministic hashing — same tag name always maps to the same color across nodes and restarts. Override with hex: <code>prod:#22c55e</code>.</p> <h2> Quick Start </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">mesh-companion</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">ghcr.io/wolf-infra/traefik-mesh-companion:stable</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">traefik-mesh-companion</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/var/run/docker.sock:/var/run/docker.sock:ro</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">SYNC_INTERVAL=1m</span> <span class="pi">-</span> <span class="s">LOG_LEVEL=info</span> <span class="c1"># Internal (NetBird)</span> <span class="pi">-</span> <span class="s">INTERNAL_PROVIDER=netbird</span> <span class="pi">-</span> <span class="s">INTERNAL_FILTER=internal</span> <span class="pi">-</span> <span class="s">INTERNAL_CLEANUP=true</span> <span class="pi">-</span> <span class="s">NETBIRD_API_TOKEN=your_netbird_token</span> <span class="pi">-</span> <span class="s">NETBIRD_TARGET_IP=100.64.0.5</span> <span class="c1"># External (Cloudflare)</span> <span class="pi">-</span> <span class="s">EXTERNAL_PROVIDER=cloudflare</span> <span class="pi">-</span> <span class="s">EXTERNAL_FILTER=https</span> <span class="pi">-</span> <span class="s">EXTERNAL_CLEANUP=true</span> <span class="pi">-</span> <span class="s">CLOUDFLARE_API_TOKEN=your_cf_token</span> <span class="pi">-</span> <span class="s">CLOUDFLARE_TARGET_DOMAIN=your-tunnel-uuid.cfargotunnel.com</span> <span class="c1"># Monitoring (Uptime Kuma)</span> <span class="pi">-</span> <span class="s">MONITOR_PROVIDER=kuma</span> <span class="pi">-</span> <span class="s">KUMA_URL=http://kuma.example.com</span> <span class="pi">-</span> <span class="s">KUMA_USERNAME=admin</span> <span class="pi">-</span> <span class="s">KUMA_PASSWORD=${KUMA_PASS}</span> <span class="pi">-</span> <span class="s">KUMA_AUTO_ENABLE=true</span> <span class="pi">-</span> <span class="s">KUMA_GLOBAL_STATUS_PAGE=home-lab</span> </code></pre> </div> <p>Use <code>stable</code> — it tracks the latest release. <code>latest</code> tracks <code>main</code> and is explicitly experimental.</p> <h2> Advanced: Distributed Coordinator </h2> <p>Running multiple edge nodes writing to one Uptime Kuma? They face race conditions on status page writes — both read current state, both modify it and last write ends up stomping the other's changes.</p> <p>The companion ships a built-in Distributed Coordinator. One node is the server. Clients provision monitors locally and forward status page attachment operations to the server for sequential processing.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Primary node</span> <span class="pi">-</span> <span class="s">KUMA_COORDINATOR_MODE=server</span> <span class="pi">-</span> <span class="s">KUMA_COORDINATOR_PORT=8081</span> <span class="c1"># Other nodes</span> <span class="pi">-</span> <span class="s">KUMA_COORDINATOR_MODE=client</span> <span class="pi">-</span> <span class="s">KUMA_COORDINATOR_URL=http://primary:8081</span> </code></pre> </div> <p>No external queue. Stateless — clients resend full state on reconnect.</p> <h2> Try It </h2> <p>GitHub: <a href="https://github.com/wolf-infra/traefik-mesh-companion" rel="noopener noreferrer">github.com/wolf-infra/traefik-mesh-companion</a></p> <p>Full env var reference, label override docs, and Gatus Bridge config are in the README. The <code>core.Processor</code> interface makes adding new DNS or monitoring backends straightforward — PRs welcome.</p> <p>Additional DNS backends are in development — the <code>core.Processor</code> interface is designed for exactly this. PRs welcome.</p> traefik docker go selfhosted