Shields.io

posted on: 18. November 2025 tags: selfhosted, Docker, Docker-Compose

Note: This page was automatically translated using DeepL, the original was written in German here

I recently started running my own Shields server for individually generated badges – and best of all, it’s also publicly accessible at shieldsio.itsrye.uk.

Docker Compose

If you want to set up something similar, here is my current docker-compose.yml, which I use to run the server, in two variants: one for a classic deployment and one with a Cloudflare Tunnel integration, which makes the service securely available to the outside world without directly exposed ports:

Option 1: Without Cloudflare (directly via reverse proxy / exposed port)

services:
  shieldsio:
    image: ghcr.io/badges/shields:next
    labels:
      uk.itsrye.autoheal.enable: true
      com.centurylinklabs.watchtower.enable: true
    volumes:
      # Local configuration, mounted read-only into the container
      - ./config.yml:/usr/src/app/config/local.yml:ro
    environment:
      PORT: 9234
      BASE_URL: "https://shieldsio.itsrye.uk"

This option is suitable if the container is to be available locally on the network or routed to the internet via a classic reverse proxy (e.g., Traefik, Nginx, Caddy).

Option 2: With Cloudflare Tunnel (no open ports necessary)

services:
  shieldsio:
    image: ghcr.io/badges/shields:next
    labels:
      uk.itsrye.autoheal.enable: true
      com.centurylinklabs.watchtower.enable: true
    networks:
      - cloudflare-net
    volumes:
      # Local configuration, mounted read-only into the container
      - ./config.yml:/usr/src/app/config/local.yml:ro
    environment:
      PORT: 9234
      BASE_URL: "https://shieldsio.itsrye.uk"
  cloudflared:
    image: cloudflare/cloudflared:latest
    restart: unless-stopped
    mem_limit: 25MB
    command: tunnel run
    networks:
      - cloudflare-net
    links:
      - "shieldsio:shieldsio"
    # cf.env holds the tunnel credentials
    env_file:
      - path: ./cf.env
        required: true
    labels:
      com.centurylinklabs.watchtower.enable: true
      uk.itsrye.autoheal.enable: true

networks:
  cloudflare-net:
    attachable: false
    labels:
      uk.itsrye.container.connectsTo: Cloudflare

This variant requires a previously set up Cloudflare tunnel (cf.env contains the tunnel credentials). Advantages:

  • No exposed port, as the cloudflared container initiates the connection to Cloudflare
  • Automatic security provided by Cloudflare
  • Ideal for homelab or VPS setups without a publicly accessible IP
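
To check the "no exposed port" property and the read-only config mount against what Compose will actually start, the rendered configuration can be audited. The following is an added example, not part of the original post: it assumes input shaped like the output of docker compose config --format json, and the sample data (including its paths) and the audit function are constructed for illustration.

```python
import json

# Constructed sample in the shape of `docker compose config --format json`
# output (ports and volumes in Compose long syntax). Paths are made up.
SAMPLE = json.loads("""
{"services": {
  "shieldsio": {
    "ports": [{"target": 9234, "published": "9234", "protocol": "tcp"}],
    "volumes": [{"type": "bind", "source": "/srv/shields/config.yml",
                 "target": "/usr/src/app/config/local.yml", "read_only": true}]},
  "cloudflared": {
    "volumes": [{"type": "bind", "source": "/srv/shields/data",
                 "target": "/data"}]}
}}
""")

LOOPBACK = {"127.0.0.1", "::1"}


def audit(config):
    """Return sorted (service, finding) pairs for a rendered Compose config."""
    findings = []
    for name, svc in (config.get("services") or {}).items():
        if svc.get("network_mode") == "host":
            # Host networking bypasses port publishing entirely.
            findings.append((name, "uses host networking"))
        for port in svc.get("ports") or []:
            host_ip = port.get("host_ip") or ""
            # A published port without a loopback host_ip is reachable externally.
            if port.get("published") and host_ip not in LOOPBACK:
                where = host_ip or "all interfaces"
                findings.append((name, f"port {port['published']} published on {where}"))
        for vol in svc.get("volumes") or []:
            # Bind mounts should be read-only unless the service must write.
            if vol.get("type") == "bind" and not vol.get("read_only"):
                findings.append((name, f"writable bind mount {vol['source']}"))
    return sorted(findings)


if __name__ == "__main__":
    for service, finding in audit(SAMPLE):
        print(f"{service}: {finding}")
```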