Compare commits
6 Commits
352ddeb5fd
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
| de98a0d48d | |||
| bdf14f68e9 | |||
| 6e9e27110d | |||
| 9d0dd4bdcf | |||
| 861007b3a2 | |||
| 89278bfecf |
19
config/docker/current/traefik/config/mw-authentik.yaml
Normal file
19
config/docker/current/traefik/config/mw-authentik.yaml
Normal file
@@ -0,0 +1,19 @@
|
||||
http:
|
||||
middlewares:
|
||||
middlewares-authentik:
|
||||
forwardAuth:
|
||||
address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
|
||||
trustForwardHeader: true
|
||||
authResponseHeaders:
|
||||
- X-authentik-username
|
||||
- X-authentik-groups
|
||||
- X-authentik-email
|
||||
- X-authentik-name
|
||||
- X-authentik-uid
|
||||
- X-authentik-jwt
|
||||
- X-authentik-meta-jwks
|
||||
- X-authentik-meta-outpost
|
||||
- X-authentik-meta-provider
|
||||
- X-authentik-meta-app
|
||||
- X-authentik-meta-version
|
||||
|
||||
@@ -5,4 +5,4 @@ http:
|
||||
# users:
|
||||
# - "user:$apsdfs.$EntPC0w3FtswWvC/6fTVJ7IUVtX1"
|
||||
usersFile: "/users" #be sure to mount the volume through docker-compose.yml
|
||||
realm: "Traefik 2 Basic Auth"
|
||||
realm: "Traefik 3 Basic Auth"
|
||||
|
||||
18
config/docker/current/traefik/config/mw-buffering.yaml
Normal file
18
config/docker/current/traefik/config/mw-buffering.yaml
Normal file
@@ -0,0 +1,18 @@
|
||||
################################################################
|
||||
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
|
||||
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
|
||||
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
|
||||
#
|
||||
# Dynamic configuration
|
||||
################################################################
|
||||
http:
|
||||
middlewares:
|
||||
# Prevent too large of a body
|
||||
# https://stackoverflow.com/questions/49717670/how-to-config-upload-body-size-restriction-in-traefik
|
||||
middlewares-buffering:
|
||||
buffering:
|
||||
maxRequestBodyBytes: 10485760
|
||||
memRequestBodyBytes: 2097152
|
||||
maxResponseBodyBytes: 10485760
|
||||
memResponseBodyBytes: 2097152
|
||||
retryExpression: "IsNetworkError() && Attempts() <= 2"
|
||||
@@ -0,0 +1,9 @@
|
||||
http:
|
||||
middlewares:
|
||||
chain-authentik:
|
||||
chain:
|
||||
middlewares:
|
||||
# - middlewares-crowdsec-bouncer
|
||||
- middlewares-rate-limit
|
||||
- middlewares-secure-headers
|
||||
- middlewares-authentik
|
||||
@@ -3,7 +3,6 @@ http:
|
||||
chain-no-auth:
|
||||
chain:
|
||||
middlewares:
|
||||
- middlewares-crowdsec-bouncer
|
||||
- middlewares-default-whitelist
|
||||
- middlewares-rate-limit
|
||||
- middlewares-secure-headers
|
||||
|
||||
12
config/docker/current/traefik/config/mw-compress.yaml
Normal file
12
config/docker/current/traefik/config/mw-compress.yaml
Normal file
@@ -0,0 +1,12 @@
|
||||
################################################################
|
||||
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
|
||||
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
|
||||
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
|
||||
#
|
||||
# Dynamic configuration
|
||||
################################################################
|
||||
http:
|
||||
middlewares:
|
||||
# Compress to save bandwidth
|
||||
middlewares-compress:
|
||||
compress: {}
|
||||
@@ -0,0 +1,15 @@
|
||||
################################################################
|
||||
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
|
||||
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
|
||||
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
|
||||
#
|
||||
# Dynamic configuration
|
||||
################################################################
|
||||
http:
|
||||
middlewares:
|
||||
# Middleware for Redirection
|
||||
# This can be used instead of global redirection
|
||||
middlewares-https-redirectscheme:
|
||||
redirectScheme:
|
||||
scheme: https
|
||||
permanent: true
|
||||
@@ -1,5 +1,15 @@
|
||||
################################################################
|
||||
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
|
||||
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
|
||||
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
|
||||
#
|
||||
# Dynamic configuration
|
||||
################################################################
|
||||
http:
|
||||
middlewares:
|
||||
################################################################
|
||||
# Good Basic Security Practices
|
||||
################################################################
|
||||
middlewares-secure-headers:
|
||||
headers:
|
||||
accessControlAllowMethods:
|
||||
@@ -9,23 +19,20 @@ http:
|
||||
accessControlMaxAge: 100
|
||||
hostsProxyHeaders:
|
||||
- "X-Forwarded-Host"
|
||||
sslRedirect: true
|
||||
stsSeconds: 63072000
|
||||
stsIncludeSubdomains: true
|
||||
stsPreload: true
|
||||
forceSTSHeader: true
|
||||
# frameDeny: true #overwritten by customFrameOptionsValue
|
||||
customFrameOptionsValue: "allow-from https:gurulandia.eu" #CSP takes care of this but may be needed for organizr.
|
||||
customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME"}}" #CSP takes care of this but may be needed for organizr.
|
||||
#customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
|
||||
contentTypeNosniff: true
|
||||
browserXssFilter: true
|
||||
# sslForceHost: true # add sslHost to all of the services
|
||||
# sslHost: "example.com"
|
||||
# sslHost: "{{env "DOMAINNAME"}}"
|
||||
referrerPolicy: "same-origin"
|
||||
# Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
|
||||
# the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
|
||||
# contentSecurityPolicy: "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
|
||||
featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
|
||||
# permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=()"
|
||||
customResponseHeaders:
|
||||
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
|
||||
server: ""
|
||||
|
||||
# X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
|
||||
# server: ""
|
||||
# https://community.traefik.io/t/how-to-make-websockets-work-with-traefik-2-0-setting-up-rancher/1732
|
||||
X-Forwarded-Proto: "https"
|
||||
@@ -1,6 +1,21 @@
|
||||
################################################################
|
||||
# TLS Options (https://jellyfin.org/docs/general/networking/traefik2.html#traefik-providertoml)
|
||||
# toml -> yml
|
||||
# 2024 updates to cipherSuites from (https://www.smarthomebeginner.com/traefik-v3-docker-compose-guide-2024/)
|
||||
#
|
||||
# Set secure options by disabling insecure older TLS/SSL versions
|
||||
# and insecure ciphers. SNIStrict disabled leaves TLS1.0 open.
|
||||
# If you have problems with older clients, you can may need to relax
|
||||
# these minimums. This configuration will give you an A+ SSL security
|
||||
# score supporting TLS1.2 and TLS1.3
|
||||
#
|
||||
# Dynamic configuration
|
||||
# https://doc.traefik.io/traefik/https/tls/
|
||||
################################################################
|
||||
tls:
|
||||
options:
|
||||
tls-opts:
|
||||
sniStrict: true
|
||||
minVersion: VersionTLS12
|
||||
cipherSuites:
|
||||
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||
@@ -14,6 +29,7 @@ tls:
|
||||
- TLS_CHACHA20_POLY1305_SHA256
|
||||
- TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
|
||||
curvePreferences:
|
||||
- CurveP521
|
||||
- CurveP384
|
||||
sniStrict: true
|
||||
- secp521r1 # CurveP521
|
||||
- secp384r1 # CurveP384
|
||||
mintls13:
|
||||
minVersion: VersionTLS13
|
||||
File diff suppressed because it is too large
Load Diff
58
config/docker/current/traefik/old/acme.json
Normal file
58
config/docker/current/traefik/old/acme.json
Normal file
File diff suppressed because one or more lines are too long
@@ -0,0 +1,8 @@
|
||||
http:
|
||||
middlewares:
|
||||
middlewares-basic-auth:
|
||||
basicAuth:
|
||||
# users:
|
||||
# - "user:$apsdfs.$EntPC0w3FtswWvC/6fTVJ7IUVtX1"
|
||||
usersFile: "/users" #be sure to mount the volume through docker-compose.yml
|
||||
realm: "Traefik 2 Basic Auth"
|
||||
@@ -0,0 +1,8 @@
|
||||
http:
|
||||
middlewares:
|
||||
chain-basic-auth:
|
||||
chain:
|
||||
middlewares:
|
||||
- middlewares-rate-limit
|
||||
- middlewares-secure-headers
|
||||
- middlewares-basic-auth
|
||||
@@ -0,0 +1,9 @@
|
||||
http:
|
||||
middlewares:
|
||||
chain-no-auth:
|
||||
chain:
|
||||
middlewares:
|
||||
- middlewares-crowdsec-bouncer
|
||||
- middlewares-default-whitelist
|
||||
- middlewares-rate-limit
|
||||
- middlewares-secure-headers
|
||||
@@ -0,0 +1,6 @@
|
||||
http:
|
||||
middlewares:
|
||||
middlewares-crowdsec-bouncer:
|
||||
forwardauth:
|
||||
address: http://bouncer-traefik:8080/api/v1/forwardAuth
|
||||
trustForwardHeader: true
|
||||
@@ -0,0 +1,8 @@
|
||||
http:
|
||||
middlewares:
|
||||
middlewares-default-whitelist:
|
||||
ipWhiteList:
|
||||
sourceRange:
|
||||
- "10.0.0.0/8"
|
||||
- "192.168.0.0/16"
|
||||
- "172.16.0.0/12"
|
||||
@@ -0,0 +1,6 @@
|
||||
http:
|
||||
middlewares:
|
||||
middlewares-rate-limit:
|
||||
rateLimit:
|
||||
average: 100
|
||||
burst: 50
|
||||
@@ -0,0 +1,31 @@
|
||||
http:
|
||||
middlewares:
|
||||
middlewares-secure-headers:
|
||||
headers:
|
||||
accessControlAllowMethods:
|
||||
- GET
|
||||
- OPTIONS
|
||||
- PUT
|
||||
accessControlMaxAge: 100
|
||||
hostsProxyHeaders:
|
||||
- "X-Forwarded-Host"
|
||||
sslRedirect: true
|
||||
stsSeconds: 63072000
|
||||
stsIncludeSubdomains: true
|
||||
stsPreload: true
|
||||
forceSTSHeader: true
|
||||
# frameDeny: true #overwritten by customFrameOptionsValue
|
||||
customFrameOptionsValue: "allow-from https:gurulandia.eu" #CSP takes care of this but may be needed for organizr.
|
||||
contentTypeNosniff: true
|
||||
browserXssFilter: true
|
||||
# sslForceHost: true # add sslHost to all of the services
|
||||
# sslHost: "example.com"
|
||||
referrerPolicy: "same-origin"
|
||||
# Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
|
||||
# the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
|
||||
# contentSecurityPolicy: "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
|
||||
featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
|
||||
customResponseHeaders:
|
||||
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
|
||||
server: ""
|
||||
|
||||
19
config/docker/current/traefik/old/config/tls-opts.yaml
Normal file
19
config/docker/current/traefik/old/config/tls-opts.yaml
Normal file
@@ -0,0 +1,19 @@
|
||||
tls:
|
||||
options:
|
||||
tls-opts:
|
||||
minVersion: VersionTLS12
|
||||
cipherSuites:
|
||||
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
|
||||
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
||||
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
|
||||
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
|
||||
- TLS_AES_128_GCM_SHA256
|
||||
- TLS_AES_256_GCM_SHA384
|
||||
- TLS_CHACHA20_POLY1305_SHA256
|
||||
- TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
|
||||
curvePreferences:
|
||||
- CurveP521
|
||||
- CurveP384
|
||||
sniStrict: true
|
||||
0
config/docker/current/traefik/old/logs/access.log
Normal file
0
config/docker/current/traefik/old/logs/access.log
Normal file
0
config/docker/current/traefik/old/logs/traefik.log
Normal file
0
config/docker/current/traefik/old/logs/traefik.log
Normal file
141
config/docker/current/traefik/traefik.yaml
Normal file
141
config/docker/current/traefik/traefik.yaml
Normal file
@@ -0,0 +1,141 @@
|
||||
# Traefik 3.x (YAML)
|
||||
# Updated 2024-June-04
|
||||
|
||||
################################################################
|
||||
# Global configuration - https://doc.traefik.io/traefik/reference/static-configuration/file/
|
||||
################################################################
|
||||
global:
|
||||
checkNewVersion: true #false
|
||||
sendAnonymousUsage: false
|
||||
|
||||
################################################################
|
||||
# Entrypoints - https://doc.traefik.io/traefik/routing/entrypoints/
|
||||
################################################################
|
||||
entryPoints:
|
||||
web:
|
||||
address: ":80"
|
||||
# Global HTTP to HTTPS redirection
|
||||
http:
|
||||
# middlewares:
|
||||
# - crowdsec-bouncer@file
|
||||
redirections:
|
||||
entryPoint:
|
||||
to: websecure
|
||||
scheme: https
|
||||
permanent: true
|
||||
|
||||
websecure:
|
||||
address: ":443"
|
||||
http:
|
||||
# middlewares:
|
||||
# - crowdsec-bouncer@file
|
||||
tls:
|
||||
options: tls-opts@file
|
||||
certResolver: dns-cloudflare
|
||||
domains:
|
||||
- main: "{{env "DOMAINNAME0"}}"
|
||||
sans:
|
||||
- "*.{{env "DOMAINNAME0"}}"
|
||||
- main: "{{env "DOMAINNAME1"}}"
|
||||
sans:
|
||||
- "*.{{env "DOMAINNAME1"}}"
|
||||
- main: "{{env "DOMAINNAME2"}}"
|
||||
sans:
|
||||
- "*.{{env "DOMAINNAME2"}}"
|
||||
- main: "{{env "DOMAINNAME3"}}"
|
||||
sans:
|
||||
- "*.{{env "DOMAINNAME3"}}"
|
||||
forwardedHeaders:
|
||||
trustedIPs:
|
||||
# Cloudflare (https://www.cloudflare.com/ips-v4)
|
||||
- "173.245.48.0/20"
|
||||
- "103.21.244.0/22"
|
||||
- "103.22.200.0/22"
|
||||
- "103.31.4.0/22"
|
||||
- "141.101.64.0/18"
|
||||
- "108.162.192.0/18"
|
||||
- "190.93.240.0/20"
|
||||
- "188.114.96.0/20"
|
||||
- "197.234.240.0/22"
|
||||
- "198.41.128.0/17"
|
||||
- "162.158.0.0/15"
|
||||
- "104.16.0.0/13"
|
||||
- "104.24.0.0/14"
|
||||
- "172.64.0.0/13"
|
||||
- "131.0.72.0/22"
|
||||
- "104.16.0.0/13"
|
||||
- "104.24.0.0/14"
|
||||
# Local IPs
|
||||
- "127.0.0.1/32"
|
||||
- "10.0.0.0/8"
|
||||
- "192.168.0.0/16"
|
||||
- "172.16.0.0/12"
|
||||
|
||||
################################################################
|
||||
# Logs - https://doc.traefik.io/traefik/observability/logs/
|
||||
################################################################
|
||||
log:
|
||||
level: INFO # Options: DEBUG, PANIC, FATAL, ERROR (Default), WARN, and INFO
|
||||
filePath: /logs/traefik-container.log # Default is to STDOUT
|
||||
# format: json # Uses text format (common) by default
|
||||
noColor: false # Recommended to be true when using common
|
||||
maxSize: 100 # In megabytes
|
||||
compress: true # gzip compression when rotating
|
||||
|
||||
################################################################
|
||||
# Access logs - https://doc.traefik.io/traefik/observability/access-logs/
|
||||
################################################################
|
||||
accessLog:
|
||||
addInternals: true # things like ping@internal
|
||||
filePath: /logs/traefik-access.log # In the Common Log Format (CLF) by default
|
||||
bufferingSize: 100 # Number of log lines
|
||||
fields:
|
||||
names:
|
||||
StartUTC: drop # Write logs in Container Local Time instead of UTC
|
||||
filters:
|
||||
statusCodes:
|
||||
- "204-299"
|
||||
- "400-499"
|
||||
- "500-599"
|
||||
|
||||
################################################################
|
||||
# API and Dashboard
|
||||
################################################################
|
||||
api:
|
||||
dashboard: true
|
||||
# Rely on api@internal and Traefik with Middleware to control access
|
||||
# insecure: true
|
||||
|
||||
################################################################
|
||||
# Providers - https://doc.traefik.io/traefik/providers/docker/
|
||||
################################################################
|
||||
providers:
|
||||
docker:
|
||||
#endpoint: "unix:///var/run/docker.sock" # Comment if using socket-proxy
|
||||
endpoint: "tcp://socket-proxy:2375" # Uncomment if using socket proxy
|
||||
exposedByDefault: false
|
||||
network: proxy # network to use for connections to all containers
|
||||
# defaultRule: TODO
|
||||
|
||||
# Enable auto loading of newly created rules by watching a directory
|
||||
file:
|
||||
# Apps, LoadBalancers, TLS Options, Middlewares, Middleware Chains
|
||||
directory: /config
|
||||
watch: true
|
||||
|
||||
################################################################
|
||||
# Let's Encrypt (ACME)
|
||||
################################################################
|
||||
certificatesResolvers:
|
||||
dns-cloudflare:
|
||||
acme:
|
||||
email: "{{env "CF_API_EMAIL"}}"
|
||||
storage: "/acme.json"
|
||||
#caServer: "https://acme-staging-v02.api.letsencrypt.org/directory" # Comment out when going prod
|
||||
dnsChallenge:
|
||||
provider: cloudflare
|
||||
#delayBeforeCheck: 30 # Default is 2m0s. This changes the delay (in seconds)
|
||||
# Custom DNS server resolution
|
||||
resolvers:
|
||||
- "1.1.1.1:53"
|
||||
- "8.8.8.8:53"
|
||||
@@ -1,4 +1,4 @@
|
||||
networks:
|
||||
proxy:
|
||||
name: proxy
|
||||
external: true
|
||||
# external: true
|
||||
2
docker/env/.env.proxy
vendored
2
docker/env/.env.proxy
vendored
@@ -1,4 +1,4 @@
|
||||
BASICAUTHUSER=gurulandia:$$apr1$$kBqxEDFb$$aOgGWvLwFUDhSymDy430m.
|
||||
# BASICAUTHUSER=gurulandia:$$apr1$$kBqxEDFb$$aOgGWvLwFUDhSymDy430m.
|
||||
# create basic auth with: echo $(htpasswd -nb "<USER>" "<PASSWORD>") | sed -e s/\\$/\\$\\$/g
|
||||
|
||||
##### trustedIPs
|
||||
|
||||
5
docker/env/.env.stack.proxy
vendored
5
docker/env/.env.stack.proxy
vendored
@@ -7,11 +7,12 @@ PROXYNAME=proxy
|
||||
TRAEFIK_CONTAINER_NAME=traefik
|
||||
TRAEFIK_IMAGE=traefik
|
||||
TRAEFIK_TAG=latest
|
||||
TRAEFIK_RESTART_POLICY=unless-stopped
|
||||
TRAEFIK_RESTART_POLICY=always
|
||||
|
||||
##### socket-proxy Container
|
||||
SOCKET_PROXY_CONTAINER_NAME=socket-proxy
|
||||
SOCKET_PROXY_IMAGE=ghcr.io/tecnativa/docker-socket-proxy
|
||||
#SOCKET_PROXY_IMAGE=ghcr.io/tecnativa/docker-socket-proxy
|
||||
SOCKET_PROXY_IMAGE=lscr.io/linuxserver/socket-proxy
|
||||
SOCKET_PROXY_TAG=latest
|
||||
SOCKET_PROXY_RESTART_POLICY=always
|
||||
|
||||
|
||||
2
docker/env/komodo-stack.env
vendored
2
docker/env/komodo-stack.env
vendored
@@ -13,5 +13,5 @@ KOMODO_PERTIPHERY_IMAGE=ghcr.io/mbecker20/periphery
|
||||
|
||||
##### FerretDB Core Container
|
||||
FERRETDB_CONTAINER_NAME=komodo-ferretdb
|
||||
FERRETDB_IMAGE=ghcr.io/ferretdb/ferretdb
|
||||
FERRETDB_IMAGE=ghcr.io/ferretdb/ferretdb:1
|
||||
FERRETDB_RESTART_POLICY=${KOMODO_RESTART_POLICY}
|
||||
22
docker/homarr/compose.yaml
Normal file
22
docker/homarr/compose.yaml
Normal file
@@ -0,0 +1,22 @@
|
||||
#---------------------------------------------------------------------#
|
||||
# Homarr - A simple, yet powerful dashboard for your server. #
|
||||
#---------------------------------------------------------------------#
|
||||
services:
|
||||
homarr:
|
||||
container_name: homarr
|
||||
image: ghcr.io/homarr-labs/homarr:latest
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock # Optional, only if you want docker integration
|
||||
- /gurulandia/data/homarr/appdata:/appdata
|
||||
environment:
|
||||
- SECRET_ENCRYPTION_KEY=9a3fb9c060d3ff37ac0e0785177979ec48620144b8fd3e5883c02e27f68b2dba # <--- can be generated with `openssl rand -hex 32`
|
||||
- DB_DRIVER=mysql2
|
||||
- DB_DIALECT=mysql
|
||||
- DB_HOST=10.0.6.180
|
||||
- DB_PORT=3306
|
||||
- DB_NAME=homarr
|
||||
- DB_USER=homarr
|
||||
- DB_PASSWORD=homarr
|
||||
ports:
|
||||
- 7575:7575
|
||||
@@ -1,14 +1,55 @@
|
||||
secrets:
|
||||
title:
|
||||
file: /gurulandia/data/homepage/secrets/title
|
||||
services:
|
||||
homepage:
|
||||
image: ghcr.io/gethomepage/homepage:latest
|
||||
container_name: homepage
|
||||
ports:
|
||||
- 3000:3000
|
||||
volumes:
|
||||
- /gurulandia/data/homepage:/app/config # Make sure your local config directory exists
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro # (optional) For docker integrations
|
||||
environment:
|
||||
- PUID=1000
|
||||
- PGID=1000
|
||||
- HOMEPAGE_VAR_BASE="https://homepage.lab.gurulandia.eu/"
|
||||
#- HOMEPAGE_VAR_TITLE="Gurulandia's Awesome Homepage"
|
||||
- HOMEPAGE_FILE_TITLE=/run/secrets/title
|
||||
networks:
|
||||
- proxy
|
||||
- socket_proxy
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
traefik.enable: true
|
||||
## HTTP Routers
|
||||
- "traefik.http.routers.${HOMEPAGE_HOSTNAME}-rtr.entrypoints=https"
|
||||
- "traefik.http.routers.${HOMEPAGE_HOSTNAME}-rtr.rule=Host(`${HOMEPAGE_HOSTNAME}.$DOMAINNAME1`)"
|
||||
traefik.http.routers.homepage-rtr.entrypoints: https
|
||||
traefik.http.routers.homepage-rtr.rule: Host(`homepage.lab.gurulandia.eu`)
|
||||
## Middlewares
|
||||
#- "traefik.http.routers.${GOTIFY_HOST_NAME}-rtr.middlewares=chain-authelia@file"
|
||||
traefik.http.routers.homepage-rtr.middlewares: chain-authentik@file
|
||||
#traefik.http.routers.homepage-rtr.middlewares: chain-no-auth@file
|
||||
## HTTP Services
|
||||
traefik.http.routers.homepage-rtr.service: homepage-svc
|
||||
traefik.http.services.homepage-svc.loadbalancer.server.port: 3000
|
||||
secrets:
|
||||
- title
|
||||
networks:
|
||||
proxy:
|
||||
external: true
|
||||
socket_proxy:
|
||||
external: true
|
||||
|
||||
|
||||
#services:
|
||||
# homepage:
|
||||
# labels:
|
||||
# - "traefik.enable=true"
|
||||
## HTTP Routers
|
||||
# - "traefik.http.routers.${HOMEPAGE_HOSTNAME}-rtr.entrypoints=https"
|
||||
# - "traefik.http.routers.${HOMEPAGE_HOSTNAME}-rtr.rule=Host(`${HOMEPAGE_HOSTNAME}.$DOMAINNAME1`)"
|
||||
## Middlewares
|
||||
# - "traefik.http.routers.${HOMEPAGE_HOSTNAME}-rtr.middlewares=chain-authelia@file"
|
||||
- "traefik.http.routers.${HOMEPAGE_HOSTNAME}-rtr.middlewares=chain-no-auth@file"
|
||||
# - "traefik.http.routers.${HOMEPAGE_HOSTNAME}-rtr.middlewares=chain-no-auth@file"
|
||||
## HTTP Services
|
||||
- "traefik.http.routers.${HOMEPAGE_HOSTNAME}-rtr.service=${HOMEPAGE_HOSTNAME}-svc"
|
||||
- "traefik.http.services.${HOMEPAGE_HOSTNAME}-svc.loadbalancer.server.port=22300"
|
||||
|
||||
# - "traefik.http.routers.${HOMEPAGE_HOSTNAME}-rtr.service=${HOMEPAGE_HOSTNAME}-svc"
|
||||
# - "traefik.http.services.${HOMEPAGE_HOSTNAME}-svc.loadbalancer.server.port=22300"
|
||||
35
docker/nginx/compose.yaml
Normal file
35
docker/nginx/compose.yaml
Normal file
@@ -0,0 +1,35 @@
|
||||
services:
|
||||
web:
|
||||
image: nginx:latest
|
||||
container_name: jimsgarage
|
||||
volumes:
|
||||
- /gurulandia/data/nginx/templates:/etc/nginx/templates
|
||||
- /gurulandia/data/nginx/web:/usr/share/nginx/html
|
||||
environment:
|
||||
- NGINX_HOST=nginx.lab.gurulandia.eu
|
||||
- NGINX_PORT=80
|
||||
ports:
|
||||
- 8089:80
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
#- "traefik.http.routers.nginx.entrypoints=http"
|
||||
#- "traefik.http.routers.nginx.rule=Host(`nginx.jimsgarage.co.uk`)"
|
||||
#- "traefik.http.middlewares.nginx-https-redirect.redirectscheme.scheme=https"
|
||||
#- "traefik.http.routers.nginx.middlewares=nginx-https-redirect"
|
||||
- "traefik.http.routers.nginx-secure.entrypoints=https"
|
||||
- "traefik.http.routers.nginx-secure.rule=Host(`nginx.lab.gurulandia.eu`)"
|
||||
#- "traefik.http.routers.nginx-secure.tls=true"
|
||||
#- "traefik.http.routers.nginx-secure.service=nginx"
|
||||
- "traefik.http.services.nginx.loadbalancer.server.port=80"
|
||||
#- "traefik.http.routers.nginx-secure.middlewares=chain-no-auth@file"
|
||||
#- "traefik.http.routers.nginx-secure.middlewares=chain-authentik@file" #add this to any container you want to use the Authentik web proxy
|
||||
- "traefik.http.routers.nginx-secure.middlewares=middlewares-authentik@file" #add this to any container you want to use the Authentik web proxy
|
||||
# - "traefik.docker.network=proxy"
|
||||
networks:
|
||||
proxy:
|
||||
security_opt:
|
||||
- no-new-privileges:true
|
||||
|
||||
networks:
|
||||
proxy:
|
||||
external: true
|
||||
@@ -15,11 +15,12 @@ services:
|
||||
# chmod 600 $DOCKERDIR/traefik2/acme/acme.json
|
||||
# touch $DOCKERDIR/traefik2/traefik.log
|
||||
traefik:
|
||||
container_name: ${TRAEFIK_CONTAINER_NAME}
|
||||
image: ${TRAEFIK_IMAGE}:${TRAEFIK_TAG}
|
||||
restart: ${TRAEFIK_RESTART_POLICY}
|
||||
container_name: ${TRAEFIK_CONTAINER_NAME:-traefik}
|
||||
image: ${TRAEFIK_IMAGE:-traefik}:${TRAEFIK_TAG:-latest}
|
||||
restart: ${TRAEFIK_RESTART_POLICY:-always}
|
||||
security_opt:
|
||||
- no-new-privileges:true
|
||||
user: ${UID:-1000}:${GID:-1000}
|
||||
networks:
|
||||
proxy:
|
||||
socket_proxy:
|
||||
@@ -36,10 +37,10 @@ services:
|
||||
# published: 465
|
||||
# protocol: tcp
|
||||
# mode: host
|
||||
- target: 587
|
||||
published: 587
|
||||
protocol: tcp
|
||||
mode: host
|
||||
#- target: 587
|
||||
# published: 587
|
||||
# protocol: tcp
|
||||
# mode: host
|
||||
#- 465:465
|
||||
#- 587:587
|
||||
#env_file:
|
||||
@@ -56,7 +57,7 @@ services:
|
||||
- DOMAINNAME1
|
||||
- DOMAINNAME2
|
||||
- DOMAINNAME3
|
||||
#- CF_API_EMAIL
|
||||
- CF_API_EMAIL
|
||||
|
||||
command: # CLI arguments
|
||||
- --global.checkNewVersion=true
|
||||
@@ -104,10 +105,9 @@ services:
|
||||
- --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
|
||||
# - --certificatesResolvers.$CERTRESOLVER.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
|
||||
|
||||
|
||||
# - --entrypoints.http.http.middlewares=middlewares-crowdsec-bouncer@file
|
||||
- --entrypoints.mailsecure.address=:465
|
||||
- --entrypoints.maildefault.address=:587
|
||||
# - --entrypoints.mailsecure.address=:465
|
||||
# - --entrypoints.maildefault.address=:587
|
||||
# - --entrypoints.https.http.middlewares=middlewares-crowdsec-bouncer@file
|
||||
# - --entryPoints.ping.address=:8081
|
||||
# - --api.insecure=true)
|
||||
@@ -132,13 +132,13 @@ services:
|
||||
- basic_auth_credentials
|
||||
labels:
|
||||
traefik.enable: true
|
||||
traefik.http.routers.traefik.entrypoints: http
|
||||
traefik.http.routers.traefik.entrypoints: web
|
||||
traefik.http.routers.traefik.rule: Host(`${PROXYNAME}.${DOMAINNAME1}`)
|
||||
traefik.http.middlewares.traefik-auth.basicauth.users: ${BASICAUTHUSER}
|
||||
traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme: https
|
||||
traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto: https
|
||||
traefik.http.routers.traefik.middlewares: traefik-https-redirect
|
||||
traefik.http.routers.traefik-secure.entrypoints: https
|
||||
traefik.http.routers.traefik-secure.entrypoints: websecure
|
||||
traefik.http.routers.traefik-secure.rule: Host(`${PROXYNAME}.${DOMAINNAME1}`)
|
||||
traefik.http.routers.traefik-secure.middlewares: chain-no-auth@file
|
||||
# traefik.http.routers.traefik-secure.middlewares: traefik-auth
|
||||
|
||||
Reference in New Issue
Block a user