manager.yml Reference¶

manager.yml is Traefik Manager's settings file. It is stored inside the config volume at /app/config/manager.yml by default.

Note

You do not normally need to edit this file by hand. All settings are managed through the Settings panel in the UI. This page is a reference for advanced use, scripted deployments, or bypassing the setup wizard.

The file path can be overridden with the SETTINGS_PATH environment variable.

Full example¶

domains:
  - example.com
  - example.net
cert_resolver: cloudflare
traefik_api_url: http://traefik:8080
auth_enabled: true
password_hash: "$2b$12$..."
must_change_password: false
setup_complete: true
otp_enabled: false
otp_secret: ""
visible_tabs:
  docker: true
  kubernetes: false
  swarm: false
  nomad: false
  ecs: false
  consulcatalog: false
  redis: false
  etcd: false
  consul: false
  zookeeper: false
  http_provider: false
  file_external: false
  certs: true
  plugins: false
  logs: true

Key reference¶

`domains`¶

Type: list of strings Default: ["example.com"] Env override: DOMAINS (comma-separated)

The base domains Traefik Manager uses when building route rules. Shown as options in the Add Route form.

domains:
  - example.com
  - home.lab

`cert_resolver`¶

Type: string Default: "cloudflare" Env override: CERT_RESOLVER

The ACME cert resolver name from your traefik.yml. Pre-filled in the Add Route form as the default TLS resolver.

cert_resolver: letsencrypt

`traefik_api_url`¶

Type: string (URL) Default: "http://traefik:8080" Env override: TRAEFIK_API_URL

The internal URL of your Traefik API. Must be reachable from inside the Traefik Manager container. When both containers share a Docker/Podman network, use the container name.

traefik_api_url: http://traefik:8080

Warning

Only http:// and https:// URLs are accepted. Any other value is rejected and the default is used.

`auth_enabled`¶

Type: boolean Default: true Env override: AUTH_ENABLED

Controls whether the built-in username/password login is active. Set to false if you are protecting Traefik Manager externally via Authentik, Authelia, or a Traefik basicAuth middleware.

auth_enabled: false

Warning

When auth_enabled is false, the UI is completely unauthenticated. Only disable if you have another auth layer in front.

The environment variable takes priority over this field. See AUTH_ENABLED.

`password_hash`¶

Type: string (bcrypt hash) Default: "" (auto-generated on first start)

Bcrypt hash of the admin password. Generated automatically on first run if not present. Managed by the UI (Settings → Authentication → Change password) or by the CLI reset command.

To generate a hash manually:

python3 -c "import bcrypt; print(bcrypt.hashpw(b'yourpassword', bcrypt.gensalt()).decode())"

password_hash: "$2b$12$abcdefghij..."

Note

The ADMIN_PASSWORD environment variable takes priority over this field if set. See env-vars.

`must_change_password`¶

Type: boolean Default: false

When true, the user is redirected to a forced password-change screen after login. Set automatically by the CLI reset command. Clear it by changing your password through the UI, or set it to false manually.

`setup_complete`¶

Type: boolean Default: false

Whether the initial setup wizard has been completed. Set to true automatically at the end of the wizard. Set it manually to true to skip the wizard on first start.

Bypass the setup wizard

Pre-populate manager.yml with setup_complete: true, a valid password_hash, and your connection details before starting the container — the wizard will be skipped entirely.

`otp_enabled`¶

Type: boolean Default: false

Whether TOTP two-factor authentication is active. Managed via Settings → Authentication → Enable/Disable 2FA. See reset-password.md if you need to disable it from the CLI.

`otp_secret`¶

Type: string (base32) Default: ""

The TOTP secret used to generate and verify 6-digit codes. Generated when 2FA is enabled. Cleared when 2FA is disabled. Do not share or commit this value.

`visible_tabs`¶

Type: map of string → boolean Default: all false

Controls which optional tabs are shown in the navigation. Managed via the setup wizard or Settings → Route Monitoring / System Monitoring.

Key	Tab
`docker`	Docker provider
`kubernetes`	Kubernetes provider
`swarm`	Docker Swarm provider
`nomad`	Nomad provider
`ecs`	Amazon ECS provider
`consulcatalog`	Consul Catalog provider
`redis`	Redis KV provider
`etcd`	etcd KV provider
`consul`	Consul KV provider
`zookeeper`	ZooKeeper KV provider
`http_provider`	HTTP Provider
`file_external`	File provider (external)
`certs`	SSL Certificates monitoring
`plugins`	Plugins monitoring
`logs`	Access logs

Bypassing the setup wizard¶

Pre-create manager.yml in your config volume before the first container start:

1. Generate a bcrypt password hash

python3 -c "import bcrypt; print(bcrypt.hashpw(b'yourpassword', bcrypt.gensalt()).decode())"

2. Create the file

domains:
  - yourdomain.com
cert_resolver: cloudflare
traefik_api_url: http://traefik:8080
password_hash: "$2b$12$..."
setup_complete: true
must_change_password: false

3. Start the container

The wizard and the auto-generated password are both skipped. Log in immediately with the password you hashed above.

manager.yml Reference¶

Full example¶

Key reference¶

domains¶

cert_resolver¶

traefik_api_url¶

auth_enabled¶

password_hash¶

must_change_password¶

setup_complete¶

otp_enabled¶

otp_secret¶

visible_tabs¶

Bypassing the setup wizard¶

`domains`¶

`cert_resolver`¶

`traefik_api_url`¶

`auth_enabled`¶

`password_hash`¶

`must_change_password`¶

`setup_complete`¶

`otp_enabled`¶

`otp_secret`¶

`visible_tabs`¶