2025-03-04 21:00:45 +02:00
parent 030c5d2025
commit 352ddeb5fd
5 changed files with 83 additions and 54 deletions


@@ -1,4 +1,4 @@
networks: networks:
default: default:
# name: default name: default
driver: bridge driver: bridge


@@ -1,4 +1,4 @@
networks: networks:
proxy: proxy:
name: proxy name: proxy
external: true external: true


@@ -28,10 +28,10 @@ networks:
# Docker Compose v2.20 or greater required to use "include" # Docker Compose v2.20 or greater required to use "include"
include: include:
########################### SERVICES ########################### SERVICES
- compose/dc-traefik.yml - services/dc-traefik.yml
- compose/dc-socket-proxy.yml - services/dc-socket-proxy.yml
- compose/dc-crowdsec.yml - services/dc-crowdsec.yml
- compose/dc-traefik-bouncer.yml - services/dc-traefik-bouncer.yml
# Portainer - WebUI for Containers # Portainer - WebUI for Containers
# portainer: # portainer:


@@ -1,6 +1,8 @@
##### SYSTEM ##### SYSTEM
UID=1000 UID=1000
GID=1000 GID=1000
PUID=1000
PGID=1000
TZ=Europe/HelsinkI TZ=Europe/HelsinkI
#USERDIR=/home/gurulandia #USERDIR=/home/gurulandia
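Review bot: `TZ=Europe/HelsinkI` carries a capital I; tz database names are resolved as file paths under the zoneinfo directory, so on a case-sensitive filesystem this value does not match any zone and containers that receive it typically fall back to UTC, which also shifts the timestamps in the Traefik access log that CrowdSec correlates. The line is unchanged context in this hunk, but since the commit already edits this stanza (adding `PUID`/`PGID`) it is the natural place to correct it: `TZ=Europe/Helsinki`.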


@@ -1,13 +1,15 @@
########################### SECRETS ########################### SECRETS
secrets: secrets:
cloudflare_email: #cloudflare_email:
file: ${SECRETSDIR}/cloudflare_email # file: ${SECRETSDIR}/cloudflare_email
cloudflare_api_key: #cloudflare_api_key:
file: ${SECRETSDIR}/cloudflare_api_key # file: ${SECRETSDIR}/cloudflare_api_key
basic_auth_credentials:
file: $DOCKERDIR/secrets/basic_auth_credentials
cloudflare_api_token: cloudflare_api_token:
file: ${SECRETSDIR}/cloudflare_dns_api_token file: ${SECRETSDIR}/cloudflare_dns_api_token
services: services:
# Traefik 2 - Reverse Proxy # Traefik 3 - Reverse Proxy
# Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600. # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
# touch $DOCKERDIR/traefik2/acme/acme.json # touch $DOCKERDIR/traefik2/acme/acme.json
# chmod 600 $DOCKERDIR/traefik2/acme/acme.json # chmod 600 $DOCKERDIR/traefik2/acme/acme.json
@@ -22,73 +24,97 @@ services:
proxy: proxy:
socket_proxy: socket_proxy:
ports: ports:
- 80:80 - target: 80
- 443:443 published: 80
- 465:465 protocol: tcp
- 587:587 mode: host
- target: 443
published: 443
protocol: tcp
mode: host
#- target: 465
# published: 465
# protocol: tcp
# mode: host
- target: 587
published: 587
protocol: tcp
mode: host
#- 465:465
#- 587:587
#env_file: #env_file:
#- path: ./traefik.env #- path: ./traefik.env
# required: true # default # required: true # default
#- path: ./override.env #- path: ./override.env
# required: false # required: false
environment: environment:
- CF_API_EMAIL_FILE=/run/secrets/cloudflare_email #- CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
- CF_API_KEY_FILE=/run/secrets/cloudflare_api_key #- CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
- CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_api_token - CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_api_token
- HTPASSWD_FILE=/run/secrets/basic_auth_credentials # HTTP Basic Auth Credentials
- DOMAINNAME0 # Passing the domain name to traefik container to be able to use the variable in rules.
- DOMAINNAME1
- DOMAINNAME2
- DOMAINNAME3
#- CF_API_EMAIL
command: # CLI arguments command: # CLI arguments
- --global.checkNewVersion=true - --global.checkNewVersion=true
- --global.sendAnonymousUsage=false #true - --global.sendAnonymousUsage=false #true
- --entryPoints.http.address=:80 - --entrypoints.web.address=:80
- --entrypoints.http.http.redirections.entryPoint.to=https - --entrypoints.websecure.address=:443
- --entrypoints.http.http.middlewares=middlewares-crowdsec-bouncer@file - --entrypoints.traefik.address=:8080
- --entryPoints.https.address=:443 - --entrypoints.web.http.redirections.entrypoint.to=websecure
- --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS - --entrypoints.web.http.redirections.entrypoint.scheme=https
- --entrypoints.mailsecure.address=:465 - --entrypoints.web.http.redirections.entrypoint.permanent=true
- --entrypoints.maildefault.address=:587
# - --entryPoints.traefik.address=:8080
# - --entryPoints.ping.address=:8081
- --api=true - --api=true
# - --api.insecure=true)
- --api.dashboard=true - --api.dashboard=true
# - --ping=true) # - --serversTransport.insecureSkipVerify=true
# - --pilot.token=$TRAEFIK_PILOT_TOKEN) # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
- --serversTransport.insecureSkipVerify=true - --entrypoints.websecure.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
- --log=true - --log=true
- --log.filePath=/logs/traefik.log
- --log.level=INFO # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC - --log.level=INFO # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
- --log.filePath= /var/log/traefik/traefik.log
- --accessLog=true - --accessLog=true
- --accessLog.filePath=/var/log/traefik/access.log - --accessLog.filePath=/logs/access.log
- --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
- --accessLog.filters.statusCodes=400-499 - --accessLog.filters.statusCodes=204-299,400-499,500-599
- --providers.docker=true - --providers.docker=true
- --providers.docker.endpoint=${DOCKER_ENDPOINT} # Use Docker Socket Proxy instead for improved security - --providers.docker.endpoint=${DOCKER_ENDPOINT} # Use Docker Socket Proxy instead for improved security
# Automatically set Host rule for services
# - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME0`)
- --providers.docker.exposedByDefault=false - --providers.docker.exposedByDefault=false
# - --providers.redis=true
# - --providers.redis.endpoints=redis:6379
- --entrypoints.https.http.middlewares=middlewares-crowdsec-bouncer@file
- --entrypoints.https.http.tls.options=tls-opts@file
# Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
- --entrypoints.https.http.tls.certresolver=${CERTRESOLVER}
- --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME0
- --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME0
- --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME1 # Pulls main cert for second domain
- --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME1 # Pulls wildcard cert for second domain
- --entrypoints.https.http.tls.domains[2].main=$DOMAINNAME2
- --entrypoints.https.http.tls.domains[2].sans=*.$DOMAINNAME2
- --entrypoints.https.http.tls.domains[3].main=$DOMAINNAME3 # Pulls main cert for second domain
- --entrypoints.https.http.tls.domains[3].sans=*.$DOMAINNAME3 # Pulls wildcard cert for second domain
- --providers.docker.network=proxy - --providers.docker.network=proxy
- --entrypoints.websecure.http.tls=true
- --entrypoints.websecure.http.tls.options=tls-opts@file
# Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
- --entrypoints.websecure.http.tls.certresolver=${CERTRESOLVER}
- --entrypoints.websecure.http.tls.domains[0].main=$DOMAINNAME0
- --entrypoints.websecure.http.tls.domains[0].sans=*.$DOMAINNAME0
- --entrypoints.websecure.http.tls.domains[1].main=$DOMAINNAME1
- --entrypoints.websecure.http.tls.domains[1].sans=*.$DOMAINNAME1
- --entrypoints.websecure.http.tls.domains[2].main=$DOMAINNAME2
- --entrypoints.websecure.http.tls.domains[2].sans=*.$DOMAINNAME2
- --entrypoints.websecure.http.tls.domains[3].main=$DOMAINNAME3
- --entrypoints.websecure.http.tls.domains[3].sans=*.$DOMAINNAME3
- --providers.file.directory=/config # Load dynamic configuration from one or more .toml or .yml files in a directory - --providers.file.directory=/config # Load dynamic configuration from one or more .toml or .yml files in a directory
- --providers.file.watch=true # Only works on top level files in the rules folder - --providers.file.watch=true # Only works on top level files in the rules folder
# - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
- --certificatesResolvers.$CERTRESOLVER.acme.email=${CF_API_EMAIL} - --certificatesResolvers.$CERTRESOLVER.acme.email=${CF_API_EMAIL}
- --certificatesResolvers.$CERTRESOLVER.acme.storage=/acme.json - --certificatesResolvers.$CERTRESOLVER.acme.storage=/acme.json
- --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.provider=${DNS_PROVIDER} - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.provider=${DNS_PROVIDER}
- --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.resolvers=${RESOLVER0} #,$RESOLVER1 - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.resolvers=${RESOLVER0},${RESOLVER1}
- --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
# - --certificatesResolvers.$CERTRESOLVER.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
# - --entrypoints.http.http.middlewares=middlewares-crowdsec-bouncer@file
- --entrypoints.mailsecure.address=:465
- --entrypoints.maildefault.address=:587
# - --entrypoints.https.http.middlewares=middlewares-crowdsec-bouncer@file
# - --entryPoints.ping.address=:8081
# - --api.insecure=true)
# - --ping=true)
# - --providers.redis=true
# - --providers.redis.endpoints=redis:6379
# - --entrypoints.https.http.middlewares=middlewares-crowdsec-bouncer@file
# healthcheck: # healthcheck:
# test: ["CMD", "traefik", "healthcheck", "--ping"] # test: ["CMD", "traefik", "healthcheck", "--ping"]
# interval: 5s # interval: 5s
@@ -100,9 +126,10 @@ services:
- ${DOCKERDIR}/traefik/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600 - ${DOCKERDIR}/traefik/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
- ${DOCKERDIR}/traefik/logs:/var/log/traefik # for crowdsec - make sure to touch file before starting container - ${DOCKERDIR}/traefik/logs:/var/log/traefik # for crowdsec - make sure to touch file before starting container
secrets: secrets:
- cloudflare_email #- cloudflare_email
- cloudflare_api_key #- cloudflare_api_key
- cloudflare_api_token - cloudflare_api_token
- basic_auth_credentials
labels: labels:
traefik.enable: true traefik.enable: true
traefik.http.routers.traefik.entrypoints: http traefik.http.routers.traefik.entrypoints: http
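Review bot: The CrowdSec bouncer middleware is no longer attached to any entrypoint: the previous `--entrypoints.http.http.middlewares=middlewares-crowdsec-bouncer@file` and `--entrypoints.https.http.middlewares=middlewares-crowdsec-bouncer@file` flags survive only as the three commented variants at the end of the `command:` list, so after this change requests on `web`/`websecure` bypass the bouncer even though `services/dc-crowdsec.yml` and `services/dc-traefik-bouncer.yml` are still included. Those commented lines also still name the old `http`/`https` entrypoints, so uncommenting them would not restore it; the working form is `- --entrypoints.websecure.http.middlewares=middlewares-crowdsec-bouncer@file` (and the same for `web` if requests hitting port 80 should be filtered before the redirect). Related detection gap: `--log.filePath=/logs/traefik.log` and `--accessLog.filePath=/logs/access.log` now write under `/logs`, but the only log volume visible in the last hunk mounts `${DOCKERDIR}/traefik/logs` at `/var/log/traefik`, so unless a `/logs` mount exists above that hunk the host directory CrowdSec reads stays empty. Finally, the dashboard router label `traefik.http.routers.traefik.entrypoints: http` still references the entrypoint this commit renamed, so the router will fail to resolve until it reads `websecure`; the rest of that router's labels lie outside the hunk.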