diff --git a/docker-compose.yml b/docker-compose.yml index 47886a8..4e6fa46 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -6,7 +6,6 @@ # Whenever I need to remove some service then I can comment out the lines here. include: - path: - - ${SERVICE_PATH}/caddy/caddy.yml - ${SERVICE_PATH}/crowdsec/crowdsec.yml - ${SERVICE_PATH}/headscale/headscale.yml - ${SERVICE_PATH}/traefik/traefik.yml diff --git a/services/caddy/Caddyfile b/services/caddy/Caddyfile deleted file mode 100644 index e21e79e..0000000 --- a/services/caddy/Caddyfile +++ /dev/null 
@@ -1,189 +0,0 @@ -(forward_headers) { - header { - Permissions-Policy interest-cohort=() - Strict-Transport-Security "max-age=31536000; includeSubdomains" - X-XSS-Protection "1; mode=block" - X-Content-Type-Options "nosniff" - X-Robots-Tag noindex, nofollow - Referrer-Policy "same-origin" - Content-Security-Policy "frame-ancestors {$public_domain }} *.{$public_domain}" - -Server - Permissions-Policy "geolocation=(self {$public_domain }} *.{$public_domain}), microphone=()" - } -} - -auth.{$public_domain} { - reverse_proxy {$main_server_ip} { - transport http { - tls_insecure_skip_verify - } - } - tls {$email} - import forward_headers -} - -audiobookshelf.{$public_domain} { - reverse_proxy {$main_server_ip} { - transport http { - tls_insecure_skip_verify - } - } - tls {$email} - import forward_headers -} - -gitea.{$public_domain} { - reverse_proxy {$main_server_ip} { - transport http { - tls_insecure_skip_verify - } - } - tls {$email} - import forward_headers -} - -headscale.{$public_domain} { - reverse_proxy headscale:8080 - tls {$email} - import forward_headers -} - -immich.{$public_domain} { - reverse_proxy {$main_server_ip} { - transport http { - tls_insecure_skip_verify - } - } - tls {$email} - import forward_headers -} - -ldap.{$public_domain} { - reverse_proxy {$main_server_ip} { - transport http { - tls_insecure_skip_verify - } - } - tls {$email} - import forward_headers -} - -linkwarden.{$public_domain} { - reverse_proxy {$main_server_ip} { - transport http { - tls_insecure_skip_verify - } - } - tls {$email} - import forward_headers -} - -mealie.{$public_domain} { - reverse_proxy {$main_server_ip} { - transport http { - tls_insecure_skip_verify - } - } - tls {$email} - import forward_headers -} - -navidrome.{$public_domain} { - reverse_proxy {$main_server_ip} { - transport http { - tls_insecure_skip_verify - } - } - tls {$email} - import forward_headers -} - -ntfy.{$public_domain} { - reverse_proxy {$main_server_ip} { - transport http { - 
tls_insecure_skip_verify - } - } - tls {$email} - import forward_headers -} - -paperless.{$public_domain} { - reverse_proxy {$main_server_ip} { - transport http { - tls_insecure_skip_verify - } - } - tls {$email} - import forward_headers -} - -radicale.{$public_domain} { - reverse_proxy {$main_server_ip} { - transport http { - tls_insecure_skip_verify - } - } - tls {$email} - import forward_headers -} - -rss.{$public_domain} { - reverse_proxy {$main_server_ip} { - transport http { - tls_insecure_skip_verify - } - } - tls {$email} - import forward_headers -} - -pdf.{$public_domain} { - reverse_proxy {$main_server_ip} { - transport http { - tls_insecure_skip_verify - } - } - tls {$email} - import forward_headers -} - -superset.{$public_domain} { - reverse_proxy {$main_server_ip} { - transport http { - tls_insecure_skip_verify - } - } - tls {$email} - import forward_headers -} - -vaultwarden.{$public_domain} { - reverse_proxy {$main_server_ip} { - transport http { - tls_insecure_skip_verify - } - } - tls {$email} - import forward_headers -} - -vikunja.{$public_domain} { - reverse_proxy {$main_server_ip} { - transport http { - tls_insecure_skip_verify - } - } - tls {$email} - import forward_headers -} - -{$public_domain} { - reverse_proxy {$main_server_ip} { - transport http { - tls_insecure_skip_verify - } - } - tls {$email} - import forward_headers -} diff --git a/services/caddy/caddy.yml b/services/caddy/caddy.yml deleted file mode 100644 index 2cc1148..0000000 --- a/services/caddy/caddy.yml +++ /dev/null 
@@ -1,30 +0,0 @@ -services: - caddy: - extends: - file: ${TEMPLATES_PATH} - service: default - image: caddy - container_name: caddy - volumes: - - ${SERVICE_PATH}/caddy/config:/etc/headscale - - ${SERVICE_PATH}/caddy/Caddyfile:/etc/caddy/Caddyfile - - ${SERVICE_PATH}/caddy/site:/srv - - ${SERVICE_PATH}/caddy/data:/data - - ${SERVICE_PATH}/caddy/config:/config - - ${SERVICE_PATH}/caddy/certs:/certs - ports: - - "80:80" - - "443:443" - - "443:443/udp" - environment: - email: ${EMAIL} - public_domain: ${PUBLIC_DOMAIN} - private_domain: ${LOCAL_DOMAIN} - main_server_ip: ${MAIN_SERVER_NODE_IP:-10.10.10.2} - cap_add: - - NET_ADMIN - networks: - - ip4net - labels: - # Watchtower - - "com.centurylinklabs.watchtower.enable=true" diff --git a/services/traefik/config/config.yml b/services/traefik/config/config.yml index c8a4345..f503acd 100644 --- a/services/traefik/config/config.yml +++ b/services/traefik/config/config.yml @@ -30,7 +30,7 @@ http: authelia: rule: "Host(`auth.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" service: node - entryPoints: https + entrypoints: https,http tls: certresolver: myresolver middlewares: crowdsec-bouncer@file @@ -38,7 +38,7 @@ http: audiobookshelf: rule: "Host(`audiobookshelf.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" service: node - entryPoints: https + entrypoints: https,http tls: certresolver: myresolver middlewares: crowdsec-bouncer@file @@ -46,7 +46,7 @@ http: gitea: rule: "Host(`gitea.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" service: node - entryPoints: https + entrypoints: https,http tls: certresolver: myresolver middlewares: crowdsec-bouncer@file @@ -54,7 +54,7 @@ http: headscale: rule: "Host(`headscale.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" service: node - entryPoints: https + entrypoints: https,http tls: certresolver: myresolver middlewares: crowdsec-bouncer@file 
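Review bot: Adding `http` to `entrypoints: https,http` on the authelia router (and every other router in this file) most likely does nothing for plaintext requests, because each router still carries a `tls:` block and, as far as Traefik's routing rules go, a router with TLS configured only matches TLS connections — an HTTP request on the `http` entrypoint would fall through (typically a 404) rather than be redirected. If the intent is an HTTP→HTTPS redirect, configure it once on the `http` entrypoint in the static configuration (`entryPoints.http.http.redirections.entryPoint.to: https` with `scheme: https`, not visible in this diff) and keep the routers on `entrypoints: https` only. Please do not make the plaintext path "work" later by dropping `tls:` — that would expose `auth`, `ldap` and `vaultwarden` without encryption, and `crowdsec-bouncer@file` does not compensate for that. The `entryPoints` → `entrypoints` case change itself is harmless, since Traefik's file provider treats keys case-insensitively.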
@@ -62,7 +62,7 @@ http: immich: rule: "Host(`immich.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" service: node - entryPoints: https + entrypoints: https,http tls: certresolver: myresolver middlewares: crowdsec-bouncer@file @@ -70,7 +70,7 @@ http: lldap: rule: "Host(`ldap.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" service: node - entryPoints: https + entrypoints: https,http tls: certresolver: myresolver middlewares: crowdsec-bouncer@file @@ -78,7 +78,7 @@ http: linkwarden: rule: "Host(`linkwarden.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" service: node - entryPoints: https + entrypoints: https,http tls: certresolver: myresolver middlewares: crowdsec-bouncer@file @@ -86,7 +86,7 @@ http: mealie: rule: "Host(`mealie.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" service: node - entryPoints: https + entrypoints: https,http tls: certresolver: myresolver middlewares: crowdsec-bouncer@file @@ -94,7 +94,7 @@ http: navidrome: rule: "Host(`navidrome.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" service: node - entryPoints: https + entrypoints: https,http tls: certresolver: myresolver middlewares: crowdsec-bouncer@file @@ -102,7 +102,7 @@ http: ntfy: rule: "Host(`ntfy.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" service: node - entryPoints: https + entrypoints: https,http tls: certresolver: myresolver middlewares: crowdsec-bouncer@file @@ -110,7 +110,7 @@ http: paperless: rule: "Host(`paperless.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" service: node - entryPoints: https + entrypoints: https,http tls: certresolver: myresolver middlewares: crowdsec-bouncer@file @@ -118,7 +118,7 @@ http: pdf: rule: "Host(`pdf.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" service: node - entryPoints: https + entrypoints: https,http tls: certresolver: myresolver middlewares: crowdsec-bouncer@file @@ -126,7 +126,7 @@ http: radicale: rule: "Host(`radicale.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" service: node - entryPoints: https + entrypoints: https,http tls: certresolver: myresolver middlewares: crowdsec-bouncer@file 
@@ -134,16 +134,15 @@ http: rss: rule: "Host(`rss.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" service: node - entryPoints: https + entrypoints: https,http tls: certresolver: myresolver middlewares: crowdsec-bouncer@file -<<<<<<< HEAD # superset: # rule: "Host(`superset.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" # service: node - # entryPoints: https + # entrypoints: https,http # tls: # certresolver: myresolver # middlewares: crowdsec-bouncer@file @@ -151,7 +150,7 @@ http: vaultwarden: rule: "Host(`vaultwarden.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" service: node - entryPoints: https + entrypoints: https,http tls: certresolver: myresolver middlewares: crowdsec-bouncer@file @@ -159,7 +158,7 @@ http: vikunja: rule: "Host(`vikunja.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" service: node - entryPoints: https + entrypoints: https,http tls: certresolver: myresolver middlewares: crowdsec-bouncer@file @@ -170,3 +169,12 @@ http: servers: - url: https://{{ env "TRAEFIK_MAIN_SERVER_NODE_IP" }} +tls: + stores: + default: + defaultCertificate: + certFile: /etc/certs/server-vps-lan.crt + keyFile: /etc/certs/server-vps-lan.key + defaultCertificate: + - certFile: /etc/certs/server-vps-lan.crt + keyFile: /etc/certs/server-vps-lan.key diff --git a/services/traefik/traefik.yml b/services/traefik/traefik.yml index cf08c7d..a41c761 100644 --- a/services/traefik/traefik.yml +++ b/services/traefik/traefik.yml @@ -16,7 +16,6 @@ services: TRAEFIK_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN} TRAEFIK_MAIN_SERVER_NODE_IP: ${MAIN_SERVER_NODE_IP} TRAEFIK_CROWDSEC_API_KEY: ${CROWDSEC_API_KEY} - # INFOMANIAK_ACCESS_TOKEN: ${INFOMANIAK_CERTIFICATE_ACCESS_TOKEN} volumes: - "/var/log/traefik/:/var/log/traefik/" - "/var/run/docker.sock:/var/run/docker.sock:ro" 
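Review bot: Only the `<<<<<<< HEAD` marker is removed in the rss/superset hunk; I cannot see from this diff whether the matching `=======` and `>>>>>>>` lines of the same conflict are already gone, so grep the file for them before merging. A leftover marker makes the whole dynamic configuration unparseable and Traefik would then drop every router defined in this file, not just the superset one.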
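Review bot: The new `tls.stores.default` block defines `defaultCertificate` twice, first as a mapping and then as a sequence (`- certFile: ...`); duplicate keys are invalid YAML and most parsers silently keep the last value, so Traefik would receive a list where its schema expects a `certFile`/`keyFile` mapping and reject or ignore the default certificate. Keep only the mapping form and delete the trailing three lines `defaultCertificate:` / `- certFile: /etc/certs/server-vps-lan.crt` / `keyFile: /etc/certs/server-vps-lan.key`. A short comment above the block would also help, e.g. `# Self-signed fallback cert presented for any SNI that no router/ACME cert covers (LAN hostnames)`, since this cert is what every unmatched TLS handshake will see. Make sure `/etc/certs` is mounted read-only and the `.key` file is excluded from version control; the volume mount is not part of this diff so I cannot confirm either.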
@@ -33,64 +32,66 @@ services: - "traefik.http.routers.traefik.entrypoints=https" - "traefik.http.routers.traefik.tls=true" - # traefik-agent: - # extends: - # file: ${TEMPLATES_PATH} - # service: default - # image: hhftechnology/traefik-log-dashboard-agent:2.4.0 - # container_name: traefik-log-dashboard-agent - # networks: - # - ip4net - # ports: - # - "8078:5000" - # volumes: - # - "/var/log/crowdsec/:/logs:ro" - # - "${SERVICE_PATH}/traefik/log-dashboard/positions:/data" - # environment: - # TRAEFIK_LOG_DASHBOARD_ACCESS_PATH: /logs/traefik.log - # TRAEFIK_LOG_DASHBOARD_AUTH_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN} - # TRAEFIK_LOG_DASHBOARD_SYSTEM_MONITORING: true - # TRAEFIK_LOG_DASHBOARD_LOG_FORMAT: json - # healthcheck: - # test: - # [ - # "CMD", - # "wget", - # "--no-verbose", - # "--tries=1", - # "--spider", - # "http://localhost:5000/api/logs/status", - # ] - # interval: 2m - # timeout: 10s - # retries: 3 - # start_period: 30s - # - # traefik-dashboard: - # extends: - # file: ${TEMPLATES_PATH} - # service: default - # image: hhftechnology/traefik-log-dashboard:2.4.0 - # container_name: traefik-log-dashboard - # networks: - # - ip4net - # ports: - # - "8077:3000" - # volumes: - # - ./data/dashboard:/app/data - # - "${SERVICE_PATH}/traefik/log-dashboard/dashboard:/app/data" - # - "${SERVICE_PATH}/traefik/log-dashboard/positions:/data" - # environment: - # AGENT_API_URL: http://192.168.178.35:8078 - # AGENT_API_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN} - # # Display Configuration - # NEXT_PUBLIC_SHOW_DEMO_PAGE: false - # depends_on: - # traefik-agent: - # condition: service_healthy - # labels: - # # traefik - # - "traefik.enable=true" - # - "traefik.http.routers.traefik-log-dashboard.rule=Host(`traefik-dashboard.${LOCAL_DOMAIN}`)" - # - "traefik.http.routers.traefik-log-dashboard.entrypoints=https" - # - "traefik.http.routers.traefik-log-dashboard.tls=true" +# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server-vps-lan.key -out vps-lan.crt \ -subj 
"/CN=server-vps-lan" + +# traefik-agent: +# extends: +# file: ${TEMPLATES_PATH} +# service: default +# image: hhftechnology/traefik-log-dashboard-agent:2.4.0 +# container_name: traefik-log-dashboard-agent +# networks: +# - ip4net +# ports: +# - "8078:5000" +# volumes: +# - "/var/log/crowdsec/:/logs:ro" +# - "${SERVICE_PATH}/traefik/log-dashboard/positions:/data" +# environment: +# TRAEFIK_LOG_DASHBOARD_ACCESS_PATH: /logs/traefik.log +# TRAEFIK_LOG_DASHBOARD_AUTH_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN} +# TRAEFIK_LOG_DASHBOARD_SYSTEM_MONITORING: true +# TRAEFIK_LOG_DASHBOARD_LOG_FORMAT: json +# healthcheck: +# test: +# [ +# "CMD", +# "wget", +# "--no-verbose", +# "--tries=1", +# "--spider", +# "http://localhost:5000/api/logs/status", +# ] +# interval: 2m +# timeout: 10s +# retries: 3 +# start_period: 30s +# +# traefik-dashboard: +# extends: +# file: ${TEMPLATES_PATH} +# service: default +# image: hhftechnology/traefik-log-dashboard:2.4.0 +# container_name: traefik-log-dashboard +# networks: +# - ip4net +# ports: +# - "8077:3000" +# volumes: +# - ./data/dashboard:/app/data +# - "${SERVICE_PATH}/traefik/log-dashboard/dashboard:/app/data" +# - "${SERVICE_PATH}/traefik/log-dashboard/positions:/data" +# environment: +# AGENT_API_URL: http://192.168.178.35:8078 +# AGENT_API_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN} +# # Display Configuration +# NEXT_PUBLIC_SHOW_DEMO_PAGE: false +# depends_on: +# traefik-agent: +# condition: service_healthy +# labels: +# # traefik +# - "traefik.enable=true" +# - "traefik.http.routers.traefik-log-dashboard.rule=Host(`traefik-dashboard.${LOCAL_DOMAIN}`)" +# - "traefik.http.routers.traefik-log-dashboard.entrypoints=https" +# - "traefik.http.routers.traefik-log-dashboard.tls=true"
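Review bot: The openssl comment added at the top of this hunk writes the certificate to `vps-lan.crt`, but `services/traefik/config/config.yml` in this same commit references `/etc/certs/server-vps-lan.crt`, so someone following the comment ends up with a file Traefik will not find. I would rewrite the comment as one line with matching names and without the stray continuation backslash: `# Self-signed default cert for tls.stores.default (rotate before the 365-day expiry):` / `# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=server-vps-lan" -keyout server-vps-lan.key -out server-vps-lan.crt`. The rest of the hunk only re-indents the commented-out log-dashboard services; note that when it is revived, `AGENT_API_URL: http://192.168.178.35:8078` and `TRAEFIK_DASHBOARD_TOKEN` still travel over plain HTTP on a published port, which is worth a comment there.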