manager.yml Reference

manager.yml is Traefik Manager's settings file. It is stored inside the config volume at /app/config/manager.yml by default.

INFO

You do not normally need to edit this file by hand. All settings are managed through the Settings panel in the UI. This page is a reference for advanced use, scripted deployments, or bypassing the setup wizard.

The file path can be overridden with the SETTINGS_PATH environment variable.

Full example

yaml

domains:
  - example.com
  - example.net
cert_resolver: cloudflare
traefik_api_url: http://traefik:8080
auth_enabled: true
password_hash: "$2b$12$..."
must_change_password: false
setup_complete: true
otp_enabled: false
otp_secret: ""
visible_tabs:
  docker: true
  kubernetes: false
  swarm: false
  nomad: false
  ecs: false
  consulcatalog: false
  redis: false
  etcd: false
  consul: false
  zookeeper: false
  http_provider: false
  file_external: false
  certs: true
  plugins: false
  logs: true

Key reference

`domains`

Type: list of strings Default: ["example.com"]Env override: DOMAINS (comma-separated)

The base domains Traefik Manager uses when building route rules. Shown as options in the Add Route form.

yaml

domains:
  - example.com
  - home.lab

`cert_resolver`

Type: string (comma-separated) Default: "cloudflare"Env override: CERT_RESOLVER

One or more ACME cert resolver names from your traefik.yml, comma-separated. The first resolver is the default for new routes. Each route can override the resolver individually via the Add/Edit Route form.

yaml

cert_resolver: letsencrypt

cert_resolver: letsencrypt, cloudflare

`traefik_api_url`

Type: string (URL) Default: "http://traefik:8080"Env override: TRAEFIK_API_URL

The internal URL of your Traefik API. Must be reachable from inside the Traefik Manager container. When both containers share a Docker/Podman network, use the container name.

yaml

traefik_api_url: http://traefik:8080

WARNING

Only http:// and https:// URLs are accepted. Any other value is rejected and the default is used.

`auth_enabled`

Type: boolean Default: trueEnv override: AUTH_ENABLED

Controls whether the built-in username/password login is active. Set to false if you are protecting Traefik Manager externally via Authentik, Authelia, or a Traefik basicAuth middleware.

yaml

auth_enabled: false

WARNING

When auth_enabled is false, the UI is completely unauthenticated. Only disable if you have another auth layer in front.

The environment variable takes priority over this field. See AUTH_ENABLED.

`password_hash`

Type: string (bcrypt hash) Default: "" (auto-generated on first start)

Bcrypt hash of the admin password. Generated automatically on first run if not present. Managed by the UI (Settings → Authentication → Change password) or by the CLI reset command.

To generate a hash manually:

bash

python3 -c "import bcrypt; print(bcrypt.hashpw(b'yourpassword', bcrypt.gensalt()).decode())"

yaml

password_hash: "$2b$12$abcdefghij..."

INFO

The ADMIN_PASSWORD environment variable takes priority over this field if set. See env-vars.

`must_change_password`

Type: boolean Default: false

When true, the user is redirected to a forced password-change screen after login. Set automatically by the CLI reset command. Clear it by changing your password through the UI, or set it to false manually.

`setup_complete`

Type: boolean Default: false

Whether the initial setup wizard has been completed. Set to true automatically at the end of the wizard. Set it manually to true to skip the wizard on first start.

Bypass the setup wizard

Pre-populate manager.yml with setup_complete: true, a valid password_hash, and your connection details before starting the container - the wizard will be skipped entirely.

`otp_enabled`

Type: boolean Default: false

Whether TOTP two-factor authentication is active. Managed via Settings → Authentication → Enable/Disable 2FA. See reset-password.md if you need to disable it from the CLI.

`otp_secret`

Type: string (Fernet-encrypted) Default: ""

The TOTP secret used to generate and verify 6-digit codes. Stored encrypted at rest using Fernet symmetric encryption since v0.5.0. Generated when 2FA is enabled. Cleared when 2FA is disabled.

The encryption key is loaded from the OTP_ENCRYPTION_KEY environment variable or auto-generated to /app/config/.otp_key. Do not share or commit this value.

Migration

Existing plaintext secrets from pre-v0.5.0 are automatically encrypted on the next settings save. No manual migration is needed.

`disabled_routes`

Type: map of string → object Default: {}

Stores the full configuration of routes that have been disabled via the enable/disable toggle in the Routes tab. When a route is disabled, its router and service entries are removed from dynamic.yml (so Traefik stops routing it) and saved here.

This field is managed entirely by the UI - do not edit it by hand.

`api_key_hash`

Type: string (bcrypt hash) Default: ""

Bcrypt hash of the generated API key for mobile/app authentication. Set automatically when a key is generated via Settings → Authentication → Generate Key. Clear it (or set api_key_enabled: false) to revoke access.

`api_key_enabled`

Type: boolean Default: false

Whether API key authentication is active. Requests with a valid X-Api-Key header bypass the session login flow when this is true and api_key_hash is set.

`visible_tabs`

Type: map of string → boolean Default: all false

Controls which optional tabs are shown in the navigation. Managed via the setup wizard or Settings → Route Monitoring / System Monitoring.

Key	Tab
`docker`	Docker provider
`kubernetes`	Kubernetes provider
`swarm`	Docker Swarm provider
`nomad`	Nomad provider
`ecs`	Amazon ECS provider
`consulcatalog`	Consul Catalog provider
`redis`	Redis KV provider
`etcd`	etcd KV provider
`consul`	Consul KV provider
`zookeeper`	ZooKeeper KV provider
`http_provider`	HTTP Provider
`file_external`	File provider (external)
`certs`	SSL Certificates monitoring
`plugins`	Plugins monitoring
`logs`	Access logs

Bypassing the setup wizard

Pre-create manager.yml in your config volume before the first container start:

1. Generate a bcrypt password hash

bash

python3 -c "import bcrypt; print(bcrypt.hashpw(b'yourpassword', bcrypt.gensalt()).decode())"

2. Create the file

yaml

domains:
  - yourdomain.com
cert_resolver: cloudflare
traefik_api_url: http://traefik:8080
password_hash: "$2b$12$..."
setup_complete: true
must_change_password: false

3. Start the container

The wizard and the auto-generated password are both skipped. Log in immediately with the password you hashed above.

manager.yml Reference ​

Full example ​

Key reference ​

domains ​

cert_resolver ​

traefik_api_url ​

auth_enabled ​

password_hash ​

must_change_password ​

setup_complete ​

otp_enabled ​

otp_secret ​

disabled_routes ​

api_key_hash ​

api_key_enabled ​

visible_tabs ​

Bypassing the setup wizard ​

manager.yml Reference

Full example

Key reference

`domains`

`cert_resolver`

`traefik_api_url`

`auth_enabled`

`password_hash`

`must_change_password`

`setup_complete`

`otp_enabled`

`otp_secret`

`disabled_routes`

`api_key_hash`

`api_key_enabled`

`visible_tabs`

Bypassing the setup wizard