Compare commits
10 Commits
b669c71136
...
0c9048e351
| Author | SHA1 | Date | |
|---|---|---|---|
| 0c9048e351 | |||
| 41058a9f4d | |||
| 45bab1f1ed | |||
| 62c21123e2 | |||
| f3d000aefa | |||
| 4e7d8518c1 | |||
| 01c8ae3b88 | |||
| 731e4f0d35 | |||
| 77a4439f8b | |||
| c3e8291a79 |
@@ -1,5 +1,8 @@
|
||||
TRAEFIK_USER=
|
||||
SSL_EMAIL=
|
||||
CF_API_EMAIL=
|
||||
CF_API_KEY=
|
||||
DOMAIN_NAME=
|
||||
SUBDOMAIN=
|
||||
# TRAEFIK_USER=
|
||||
SSL_EMAIL_FILE=/run/secrets/CF_API_EMAIL
|
||||
CF_API_EMAIL_FILE=/run/secrets/CF_API_EMAIL
|
||||
CF_API_KEY_FILE=/run/secrets/CF_API_KEY
|
||||
SSH_PORT=
|
||||
TZ=
|
||||
@@ -4,11 +4,13 @@ services:
|
||||
container_name: ${SUBDOMAIN}
|
||||
restart: always
|
||||
command:
|
||||
# General settings
|
||||
- "--log.level=DEBUG"
|
||||
- "--api.insecure=false"
|
||||
- "--api.dashboard=true"
|
||||
- "--providers.docker=true"
|
||||
- "--providers.docker.exposedbydefault=false"
|
||||
# EntryPoints configuration
|
||||
- "--entrypoints.web.address=:80"
|
||||
- "--entrypoints.web.http.redirections.entrypoint.to=websecure"
|
||||
- "--entrypoints.web.http.redirections.entrypoint.scheme=https"
|
||||
@@ -18,41 +20,60 @@ services:
|
||||
- "--entrypoints.websecure.http.tls.certresolver=cloudflare"
|
||||
- "--entrypoints.websecure.http.tls.domains[0].main=${DOMAIN_NAME}"
|
||||
- "--entrypoints.websecure.http.tls.domains[0].sans=*.${DOMAIN_NAME}"
|
||||
- "--entrypoints.ssh.address=:${SSH_PORT}"
|
||||
# Cloudflare IPs trusted for forwarded headers
|
||||
- "--entryPoints.web.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22"
|
||||
- "--entryPoints.websecure.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22"
|
||||
- "--certificatesresolvers.cloudflare.acme.dnschallenge=true"
|
||||
- "--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare"
|
||||
- "--certificatesresolvers.cloudflare.acme.email=${CF_API_EMAIL}"
|
||||
- "--certificatesresolvers.cloudflare.acme.email=${CF_API_EMAIL_FILE}"
|
||||
- "--certificatesresolvers.cloudflare.acme.storage=/letsencrypt/acme.json"
|
||||
labels:
|
||||
- traefik.enable=true
|
||||
- traefik.http.routers.traefik_dashboard.rule=Host(`traefik.jojops.com`)
|
||||
# - traefik.http.routers.traefik_dashboard.rule=Host(`traefik.jojops.com`) && PathPrefix(`/outpost.goauthentik.io/`)
|
||||
- traefik.http.routers.traefik_dashboard.rule=Host(`${SUBDOMAIN}.${DOMAIN_NAME}`)
|
||||
- traefik.http.routers.traefik_dashboard.entrypoints=websecure
|
||||
- traefik.http.routers.traefik_dashboard.service=api@internal
|
||||
- traefik.http.routers.traefik_dashboard.tls=true
|
||||
- traefik.http.middlewares.myauth.basicauth.users=${TRAEFIK_USER}
|
||||
# - traefik.http.middlewares.myauth.basicauth.users=test:$$apr1$$46.RmdYB$$Rx33ChqUskl4PF1ZqSXYV1
|
||||
# - traefik.http.middlewares.myauth.basicauth.users=${TRAEFIK_USER}
|
||||
# - traefik.http.routers.traefik_dashboard.middlewares=myauth@docker
|
||||
- traefik.http.routers.traefik_dashboard.middlewares=authentik-forwardauth@docker
|
||||
- traefik.http.routers.traefik_dashboard.tls.certresolver=cloudflare
|
||||
# - traefik.http.routers.traefik-secure.tls.domains[0].main=jojops.com
|
||||
# - traefik.http.routers.traefik-secure.tls.domains[0].sans=*.jojops.com
|
||||
# - traefik.http.middlewares.myauth.redirectscheme.scheme=https
|
||||
- traefik.http.services.traefik_dashboard.loadbalancer.server.port=80
|
||||
# - "traefik.http.middlewares.cloudflare-ips.ipallowlist.sourcerange=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32"
|
||||
- traefik.http.middlewares.traefik_dashboard.headers.SSLRedirect=true
|
||||
- traefik.http.middlewares.traefik_dashboard.headers.STSSeconds=315360000
|
||||
- traefik.http.middlewares.traefik_dashboard.headers.browserXSSFilter=true
|
||||
- traefik.http.middlewares.traefik_dashboard.headers.contentTypeNosniff=true
|
||||
- traefik.http.middlewares.traefik_dashboard.headers.forceSTSHeader=true
|
||||
- traefik.http.middlewares.traefik_dashboard.headers.SSLHost=${DOMAIN_NAME}
|
||||
- traefik.http.middlewares.traefik_dashboard.headers.STSIncludeSubdomains=true
|
||||
- traefik.http.middlewares.traefik_dashboard.headers.STSPreload=true
|
||||
- traefik.http.middlewares.traefik_dashboard.headers.frameDeny=true
|
||||
env_file:
|
||||
- .env
|
||||
secrets:
|
||||
- SSH_PORT
|
||||
- CF_API_KEY
|
||||
- CF_API_EMAIL
|
||||
volumes:
|
||||
- ./traefik_data:/letsencrypt
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
ports:
|
||||
- "80:80"
|
||||
- "443:443"
|
||||
- "558:558"
|
||||
networks:
|
||||
- frontend
|
||||
- webapp
|
||||
- mgmt
|
||||
- remote
|
||||
secrets:
|
||||
SSH_PORT:
|
||||
file: .secrets/SSH_PORT
|
||||
CF_API_KEY:
|
||||
file: .secrets/CF_API_KEY
|
||||
CF_API_EMAIL:
|
||||
file: .secrets/CF_API_EMAIL
|
||||
networks:
|
||||
frontend:
|
||||
external:
|
||||
@@ -63,3 +84,6 @@ networks:
|
||||
mgmt:
|
||||
external:
|
||||
true
|
||||
remote:
|
||||
external:
|
||||
true
|
||||
@@ -18,16 +18,16 @@ services:
|
||||
- traefik.http.middlewares.$SUBDOMAIN.headers.STSIncludeSubdomains=true
|
||||
- traefik.http.middlewares.$SUBDOMAIN.headers.STSPreload=true
|
||||
- traefik.http.middlewares.$SUBDOMAIN.headers.frameDeny=true
|
||||
- traefik.http.routers.$SUBDOMAIN.middlewares=$SUBDOMAIN@docker
|
||||
- traefik.http.routers.$SUBDOMAIN.middlewares=authentik-forwardauth@docker
|
||||
- traefik.http.services.$SUBDOMAIN.loadbalancer.server.port=8080
|
||||
- traefik.docker.network=webapp
|
||||
- traefik.docker.network=mgmt
|
||||
env_file:
|
||||
- .env
|
||||
networks:
|
||||
- webapp
|
||||
- mgmt
|
||||
- db
|
||||
networks:
|
||||
webapp:
|
||||
mgmt:
|
||||
external:
|
||||
true
|
||||
db:
|
||||
|
||||
@@ -12,11 +12,8 @@ services:
|
||||
- ./media:/media
|
||||
- ./custom-templates:/templates
|
||||
networks:
|
||||
- webapp
|
||||
- mgmt
|
||||
- db
|
||||
# ports:
|
||||
# - "${COMPOSE_PORT_HTTP:-9000}:9000"
|
||||
# - "${COMPOSE_PORT_HTTPS:-9443}:9443"
|
||||
labels:
|
||||
- traefik.enable=true
|
||||
- traefik.http.routers.$SUBDOMAIN.rule=Host(`${SUBDOMAIN}.${DOMAIN_NAME}`)
|
||||
@@ -32,28 +29,21 @@ services:
|
||||
- traefik.http.middlewares.$SUBDOMAIN.headers.STSIncludeSubdomains=true
|
||||
- traefik.http.middlewares.$SUBDOMAIN.headers.STSPreload=true
|
||||
- traefik.http.middlewares.$SUBDOMAIN.headers.frameDeny=true
|
||||
# - traefik.http.routers.$SUBDOMAIN.middlewares=$SUBDOMAIN@docker
|
||||
- traefik.http.routers.$SUBDOMAIN.middlewares=$SUBDOMAIN@docker
|
||||
- traefik.http.routers.$SUBDOMAIN.service=$SUBDOMAIN
|
||||
- traefik.http.services.$SUBDOMAIN.loadbalancer.server.port=9000
|
||||
- traefik.docker.network=webapp
|
||||
- "traefik.http.routers.authentik-output-rtr.rule=HostRegexp(`{subdomain:[a-z0-9-]+}.${DOMAIN_NAME}`) && PathPrefix(`/outpost.goauthentik.io/`)"
|
||||
|
||||
- traefik.docker.network=mgmt
|
||||
# ForwardAuth middleware definition
|
||||
- "traefik.http.middlewares.authentik-forwardauth.forwardauth.address=http://authentik-server-1:9000/outpost.goauthentik.io/auth/traefik"
|
||||
- "traefik.http.middlewares.authentik-forwardauth.forwardauth.trustForwardHeader=true"
|
||||
- "traefik.http.middlewares.authentik-forwardauth.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"
|
||||
# Outpost router for /outpost.goauthentik.io paths
|
||||
- "traefik.http.routers.$SUBDOMAIN-outpost.rule=Host(`authentik.jojops.com`) && PathPrefix(`/outpost.goauthentik.io/`)"
|
||||
# - "traefik.http.routers.authentik-outpost.entrypoints=websecure"
|
||||
# - "traefik.http.routers.authentik-outpost.tls=true"
|
||||
- traefik.http.routers.$SUBDOMAIN.priority=15
|
||||
# - "traefik.http.routers.authentik-outpost.service=authentik-svc"
|
||||
- "traefik.http.routers.authentik-outpost.rule=Host(`authentik.jojops.com`) && PathPrefix(`/outpost.goauthentik.io/`)"
|
||||
- "traefik.http.routers.authentik-outpost.rule=HostRegexp(`{$SUBDOMAIN:[a-z0-9-]+}.$DOMAIN_NAME`) && PathPrefix(`/outpost.goauthentik.io/`)"
|
||||
- "traefik.http.routers.authentik-outpost.entrypoints=websecure"
|
||||
- "traefik.http.routers.authentik-outpost.tls=true"
|
||||
- "traefik.http.routers.authentik-outpost.priority=15"
|
||||
- "traefik.http.routers.authentik-outpost.service=authentik"
|
||||
|
||||
worker:
|
||||
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG}
|
||||
restart: unless-stopped
|
||||
@@ -67,12 +57,12 @@ services:
|
||||
networks:
|
||||
- db
|
||||
volumes:
|
||||
# - /var/run/docker.sock:/var/run/docker.sock
|
||||
# - /var/run/docker.sock:/var/run/docker.sock # Optional, only if using external outposts
|
||||
- ./media:/media
|
||||
- ./certs:/certs
|
||||
- ./custom-templates:/templates
|
||||
networks:
|
||||
webapp:
|
||||
mgmt:
|
||||
external: true
|
||||
db:
|
||||
external: true
|
||||
|
||||
@@ -20,30 +20,35 @@ services:
|
||||
- traefik.http.middlewares.gitea.headers.frameDeny=true
|
||||
- traefik.http.routers.gitea.middlewares=gitea@docker
|
||||
- traefik.http.services.gitea.loadbalancer.server.port=3000
|
||||
- traefik.docker.network=webapp
|
||||
# - traefik.tcp.routers.gitea-ssh.rule=HostSNI(`*`)
|
||||
# - traefik.tcp.routers.gitea-ssh.entrypoints=ssh
|
||||
# - traefik.tcp.routers.gitea-ssh.service=gitea-ssh
|
||||
# - traefik.tcp.services.gitea-ssh.loadbalancer.server.port=
|
||||
# - traefik.tcp.routers.gitea-ssh.tls=false
|
||||
- traefik.docker.network=mgmt
|
||||
env_file:
|
||||
- .env
|
||||
secrets:
|
||||
- DB_PASS
|
||||
# - SSH_PORT
|
||||
volumes:
|
||||
- gitea-data:/var/lib/gitea
|
||||
- ./config:/etc/gitea
|
||||
- /etc/timezone:/etc/timezone:ro
|
||||
- /etc/localtime:/etc/localtime:ro
|
||||
# ports:
|
||||
# - "3000:3000"
|
||||
# - "2222:2222"
|
||||
networks:
|
||||
- webapp
|
||||
- mgmt
|
||||
- db
|
||||
volumes:
|
||||
gitea-data:
|
||||
name: gitea-data
|
||||
networks:
|
||||
webapp:
|
||||
mgmt:
|
||||
external: true
|
||||
db:
|
||||
external: true
|
||||
secrets:
|
||||
DB_PASS:
|
||||
file: .secrets/DB_PASS
|
||||
# SSH_PORT:
|
||||
# file: .secrets/SSH_PORT
|
||||
@@ -24,12 +24,8 @@ services:
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
- ./data:/data
|
||||
networks:
|
||||
# - webapp
|
||||
- mgmt
|
||||
networks:
|
||||
# webapp:
|
||||
# external:
|
||||
# true
|
||||
mgmt:
|
||||
external:
|
||||
true
|
||||
2
templates/.env.example
Normal file
2
templates/.env.example
Normal file
@@ -0,0 +1,2 @@
|
||||
DOMAIN_NAME=
|
||||
SUBDOMAIN=
|
||||
@@ -0,0 +1,29 @@
|
||||
services:
|
||||
%SERVICE%:
|
||||
image: %IMAGE%
|
||||
container_name: %NAME%
|
||||
restart: unless-stopped
|
||||
env_file:
|
||||
- .env
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.http.routers.$SUBDOMAIN.rule=Host(`${SUBDOMAIN}.${DOMAIN_NAME}`)"
|
||||
- "traefik.http.routers.$SUBDOMAIN.tls=true"
|
||||
- "traefik.http.routers.$SUBDOMAIN.entrypoints=web,websecure"
|
||||
- "traefik.http.routers.$SUBDOMAIN.tls.certresolver=cloudflare"
|
||||
- "traefik.http.middlewares.$SUBDOMAIN.headers.SSLRedirect=true"
|
||||
- "traefik.http.middlewares.$SUBDOMAIN.headers.STSSeconds=315360000"
|
||||
- "traefik.http.middlewares.$SUBDOMAIN.headers.browserXSSFilter=true"
|
||||
- "traefik.http.middlewares.$SUBDOMAIN.headers.contentTypeNosniff=true"
|
||||
- "traefik.http.middlewares.$SUBDOMAIN.headers.forceSTSHeader=true"
|
||||
- "traefik.http.middlewares.$SUBDOMAIN.headers.SSLHost=${DOMAIN_NAME}"
|
||||
- "traefik.http.middlewares.$SUBDOMAIN.headers.STSIncludeSubdomains=true"
|
||||
- "traefik.http.middlewares.$SUBDOMAIN.headers.STSPreload=true"
|
||||
- "traefik.http.routers.$SUBDOMAIN.middlewares=$SUBDOMAIN@docker"
|
||||
- "traefik.http.services.$SUBDOMAIN.loadbalancer.server.port=%PORT%"
|
||||
networks:
|
||||
- %NETWORK%
|
||||
networks:
|
||||
%NETWORK%:
|
||||
external:
|
||||
true
|
||||
@@ -18,7 +18,7 @@ services:
|
||||
- traefik.http.middlewares.n8n.headers.STSIncludeSubdomains=true
|
||||
- traefik.http.middlewares.n8n.headers.STSPreload=true
|
||||
- traefik.http.middlewares.n8n.headers.frameDeny=true
|
||||
- traefik.http.routers.n8n.middlewares=n8n@docker
|
||||
- traefik.http.routers.n8n.middlewares=authentik-forwardauth@docker
|
||||
- traefik.http.services.n8n.loadbalancer.server.port=5678
|
||||
- traefik.docker.network=webapp
|
||||
env_file:
|
||||
|
||||
Reference in New Issue
Block a user