Manage Traefik dynamic configuration (.yml/.yaml) with a friendly UI and a small API that watches your config directory, validates rules, and writes changes back to disk.
Create your local env file first:
```bash
cp .env.example .env.local
```

```bash
npm install
# start UI
npm run dev
# start API
npm run server:dev
```

`npm run dev` picks up frontend `VITE_*` values from `.env.local` automatically. `npm run server:dev` uses the same `.env.local` file for backend variables.
Key environment variables:
- `TRAEFIK_DYNAMIC_CONFIG_PATH` (default `/config/dynamic`) – directory with your Traefik dynamic config files. Must be set before starting; it cannot be changed at runtime.
- `TRM_METADATA_PATH` (default `/config/metadata`) – where the app stores metadata.
- `TRM_BACKUP_PATH` (default `/config/backups`) – backup location for prior versions.
- `TRM_PORT` (default `3001`), `TRM_HOST` (default `0.0.0.0`).
- `TRM_MAX_BACKUP_FILES` (default `10`) – maximum number of backups to keep per rule.
- `TRM_FILE_WATCH_DEBOUNCE` (default `2000`) – milliseconds to wait before resyncing after file changes.
- `TRM_ADMIN_USERNAME`, `TRM_ADMIN_PASSWORD` – bootstrap admin credentials for the built-in login.
- `TRM_SESSION_SECRET` – signing secret for the admin session cookie.
- `TRM_AUTH_ENABLED` – optional explicit auth toggle. Defaults to `true` when bootstrap credentials are present.
- `TRM_SESSION_TTL_HOURS` (default `12`) – admin session lifetime.
- `TRM_COOKIE_SECURE` (default `false`) – set to `true` when serving TRM over HTTPS directly.
- Frontend → backend target: `VITE_API_BASE` (default `http://localhost:3001`).
Admin login credentials are not stored in the repo. The backend only enables admin auth when you provide `TRM_ADMIN_USERNAME`, `TRM_ADMIN_PASSWORD`, and `TRM_SESSION_SECRET`. If those are unset, the UI runs without login.
Tests:
```bash
npm test
```

Interactive docs:
- Swagger UI: `http://localhost:3001/api-docs`
- Raw OpenAPI JSON: `http://localhost:3001/api-docs/openapi.json`
The repository's Docker assets now live under docker/.
To run the bundled sample stack against testing/vm-critical:
```bash
docker compose -f docker/docker-compose.yml up --build
```

If you want admin login enabled for that stack, export these before starting Compose:

```bash
export TRM_ADMIN_USERNAME=admin
export TRM_ADMIN_PASSWORD=change-me
export TRM_SESSION_SECRET=$(openssl rand -hex 32)
docker compose -f docker/docker-compose.yml up --build
```

This repo builds and publishes two images to GHCR (via GitHub Actions on `main` and tags):
- `ghcr.io/stephenjoly/traefik-rules-manager-backend:latest` – API, port `3001`.
- `ghcr.io/stephenjoly/traefik-rules-manager-frontend:latest` – UI, port `4173`, expects `VITE_API_BASE`.
To pull:
```bash
docker pull ghcr.io/stephenjoly/traefik-rules-manager-backend:latest
docker pull ghcr.io/stephenjoly/traefik-rules-manager-frontend:latest
```

Create `docker-compose.yml` alongside your Traefik setup:
```yaml
services:
  trm-backend:
    image: ghcr.io/stephenjoly/traefik-rules-manager-backend:latest
    environment:
      TRAEFIK_DYNAMIC_CONFIG_PATH: /config/dynamic
      TRM_METADATA_PATH: /config/metadata
      TRM_BACKUP_PATH: /config/backups
      TRM_PORT: 3001
      TRM_HOST: 0.0.0.0
    volumes:
      - /path/to/traefik/dynamic:/config/dynamic
      - /path/to/trm/metadata:/config/metadata
      - /path/to/trm/backups:/config/backups
    ports:
      - "3001:3001"
    restart: unless-stopped
  trm-frontend:
    image: ghcr.io/stephenjoly/traefik-rules-manager-frontend:latest
    environment:
      VITE_API_BASE: http://trm-backend:3001
    depends_on:
      - trm-backend
    ports:
      - "4173:4173"
    restart: unless-stopped
```

Then run:
```bash
docker compose up -d
```

Browse the UI at `http://localhost:4173`, select your Traefik dynamic config directory (or rely on the backend defaults), and manage rules. The backend processes `.yml`/`.yaml` files in a flat directory (no subfolders).
TRM now supports built-in admin authentication and one-time automation API keys.
Recommended production setup:
- Set `TRM_ADMIN_USERNAME`, `TRM_ADMIN_PASSWORD`, and `TRM_SESSION_SECRET`
- Keep the backend on a trusted network or behind your reverse proxy
- Set `TRM_COOKIE_SECURE=true` if TRM is served directly over HTTPS
- Restrict which systems can reach the automation API
- Rotate or revoke API keys when automation no longer needs them
The admin UI uses an HttpOnly session cookie. Automation clients should use `Authorization: Bearer <api-key>` against the dedicated automation endpoints under `/api/automation`.
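Because the backend runs without login when the bootstrap credentials are unset, it helps to check the auth variables before starting it. The preflight function below is an added example, not part of the TRM repository; the function name, the `direct-https` argument, the 64-character secret threshold and the handling of `TRM_AUTH_ENABLED=false` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not TRM code): preflight check for TRM's auth variables.
# Prints one FAIL line per finding and returns non-zero if there is any.
# Usage: trm_auth_preflight [direct-https] && docker compose up -d
# Assumptions: the 64-char threshold (the length `openssl rand -hex 32`
# emits) and treating TRM_AUTH_ENABLED=false as "auth off".

trm_auth_preflight() (
  mode="${1:-proxied}"   # pass "direct-https" when TRM itself serves HTTPS
  problems=0
  fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

  # All three must be present, or the backend starts with no login at all.
  [ -n "${TRM_ADMIN_USERNAME:-}" ] || fail "TRM_ADMIN_USERNAME is unset"
  [ -n "${TRM_ADMIN_PASSWORD:-}" ] || fail "TRM_ADMIN_PASSWORD is unset"
  [ -n "${TRM_SESSION_SECRET:-}" ] || fail "TRM_SESSION_SECRET is unset"

  # An explicit toggle overrides the credentials-present default.
  [ "${TRM_AUTH_ENABLED:-true}" != "false" ] ||
    fail "TRM_AUTH_ENABLED=false disables login"

  # The sample password from the Compose instructions must not be reused.
  [ "${TRM_ADMIN_PASSWORD:-}" != "change-me" ] ||
    fail "TRM_ADMIN_PASSWORD is the sample value change-me"

  # A short signing secret is easier to brute-force offline.
  secret="${TRM_SESSION_SECRET:-}"
  if [ -n "$secret" ] && [ "${#secret}" -lt 64 ]; then
    fail "TRM_SESSION_SECRET has ${#secret} chars, expected at least 64"
  fi

  # Without the Secure flag the session cookie is also sent over plain HTTP.
  if [ "$mode" = "direct-https" ] && [ "${TRM_COOKIE_SECURE:-false}" != "true" ]; then
    fail "TRM_COOKIE_SECURE must be true when serving HTTPS directly"
  fi

  [ "$problems" -eq 0 ]
)
```

Source `.env.local` (or export the variables) in the same shell before calling the function, so it sees the values the backend will receive.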
For production deployments:
- Restrict network access via firewall rules or Docker networks
- Use volume permissions to ensure the container can read/write config files:
  ```bash
  # Container runs as UID 1000 (typical first Linux user)
  # If your volumes are already owned by your user (uid 1000), no action needed
  # Otherwise, set proper ownership:
  sudo chown -R 1000:1000 /path/to/traefik/dynamic
  sudo chown -R 1000:1000 /path/to/trm/metadata
  sudo chown -R 1000:1000 /path/to/trm/backups
  ```
- Monitor the application using the `/health` and `/ready` endpoints
- Back up your configs regularly - TRM creates backups but they're stored locally
- `POST /api/auth/login` – create admin session
- `POST /api/auth/logout` – clear admin session
- `GET /api/auth/session` – inspect current admin session
- `GET /api/admin/api-keys` – list API keys without secrets
- `POST /api/admin/api-keys` – create a new API key and return the plaintext once
- `POST /api/admin/api-keys/:id/revoke` – revoke a key
- `DELETE /api/admin/api-keys/:id` – permanently delete a key
- `POST /api/automation/rules` – create a rule with bearer auth
- `GET /api/automation/rules` – list rules with bearer auth
- `GET /api/automation/rules/:id` – fetch a rule with bearer auth
- `PUT /api/automation/rules/:id` – update a rule with bearer auth
- `DELETE /api/automation/rules/:id` – delete a rule with bearer auth
TRM serves Swagger UI directly from the backend:
- `GET /api-docs` – interactive docs with Try It Out support
- `GET /api-docs/openapi.json` – raw OpenAPI document
How to use the docs:
- Open `/api-docs`
- Call `POST /api/auth/login` first if you want to exercise admin/session-based endpoints
- Use the bearer auth control for `/api/automation/*` routes after creating an API key

- `GET /health` - Liveness check (filesystem accessible)
- `GET /ready` - Readiness check (initial discovery completed)
- Create a new GitHub repo and push this code.
- GitHub Actions (`.github/workflows/docker-publish.yml`) will build and push images to GHCR using the repo’s `GITHUB_TOKEN` whenever you push to `main` or tag `v*.*.*`.
- Pull and run the images as shown above on any machine that can reach your Traefik config directory.