chriswin/vps-server
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

config traefik

Browse Source
This commit is contained in:
chris
2026-01-19 18:04:58 +00:00
parent dddd076150
commit 97fcc660fb
5 changed files with 89 additions and 300 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
docker-compose.yml
View File

@@ -6,7 +6,6 @@
# Whenever I need to remove some service then I can comment out the lines here. # Whenever I need to remove some service then I can comment out the lines here.
include: include:
- path: - path:
- ${SERVICE_PATH}/caddy/caddy.yml
- ${SERVICE_PATH}/crowdsec/crowdsec.yml - ${SERVICE_PATH}/crowdsec/crowdsec.yml
- ${SERVICE_PATH}/headscale/headscale.yml - ${SERVICE_PATH}/headscale/headscale.yml
- ${SERVICE_PATH}/traefik/traefik.yml - ${SERVICE_PATH}/traefik/traefik.yml

189
services/caddy/Caddyfile
View File

@@ -1,189 +0,0 @@
(forward_headers) {
header {
Permissions-Policy interest-cohort=()
Strict-Transport-Security "max-age=31536000; includeSubdomains"
X-XSS-Protection "1; mode=block"
X-Content-Type-Options "nosniff"
X-Robots-Tag noindex, nofollow
Referrer-Policy "same-origin"
Content-Security-Policy "frame-ancestors {$public_domain }} *.{$public_domain}"
-Server
Permissions-Policy "geolocation=(self {$public_domain }} *.{$public_domain}), microphone=()"
}
}
auth.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
audiobookshelf.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
gitea.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
headscale.{$public_domain} {
reverse_proxy headscale:8080
tls {$email}
import forward_headers
}
immich.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
ldap.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
linkwarden.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
mealie.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
navidrome.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
ntfy.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
paperless.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
radicale.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
rss.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
pdf.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
superset.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
vaultwarden.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
vikunja.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}

30
services/caddy/caddy.yml
View File

@@ -1,30 +0,0 @@
services:
caddy:
extends:
file: ${TEMPLATES_PATH}
service: default
image: caddy
container_name: caddy
volumes:
- ${SERVICE_PATH}/caddy/config:/etc/headscale
- ${SERVICE_PATH}/caddy/Caddyfile:/etc/caddy/Caddyfile
- ${SERVICE_PATH}/caddy/site:/srv
- ${SERVICE_PATH}/caddy/data:/data
- ${SERVICE_PATH}/caddy/config:/config
- ${SERVICE_PATH}/caddy/certs:/certs
ports:
- "80:80"
- "443:443"
- "443:443/udp"
environment:
email: ${EMAIL}
public_domain: ${PUBLIC_DOMAIN}
private_domain: ${LOCAL_DOMAIN}
main_server_ip: ${MAIN_SERVER_NODE_IP:-10.10.10.2}
cap_add:
- NET_ADMIN
networks:
- ip4net
labels:
# Watchtower
- "com.centurylinklabs.watchtower.enable=true"

44
services/traefik/config/config.yml
View File

@@ -30,7 +30,7 @@ http:
authelia: authelia:
rule: "Host(`auth.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" rule: "Host(`auth.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node service: node
entryPoints: https entrypoints: https,http
tls: tls:
certresolver: myresolver certresolver: myresolver
middlewares: crowdsec-bouncer@file middlewares: crowdsec-bouncer@file
@@ -38,7 +38,7 @@ http:
audiobookshelf: audiobookshelf:
rule: "Host(`audiobookshelf.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" rule: "Host(`audiobookshelf.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node service: node
entryPoints: https entrypoints: https,http
tls: tls:
certresolver: myresolver certresolver: myresolver
middlewares: crowdsec-bouncer@file middlewares: crowdsec-bouncer@file
@@ -46,7 +46,7 @@ http:
gitea: gitea:
rule: "Host(`gitea.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" rule: "Host(`gitea.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node service: node
entryPoints: https entrypoints: https,http
tls: tls:
certresolver: myresolver certresolver: myresolver
middlewares: crowdsec-bouncer@file middlewares: crowdsec-bouncer@file
@@ -54,7 +54,7 @@ http:
headscale: headscale:
rule: "Host(`headscale.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" rule: "Host(`headscale.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node service: node
entryPoints: https entrypoints: https,http
tls: tls:
certresolver: myresolver certresolver: myresolver
middlewares: crowdsec-bouncer@file middlewares: crowdsec-bouncer@file
@@ -62,7 +62,7 @@ http:
immich: immich:
rule: "Host(`immich.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" rule: "Host(`immich.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node service: node
entryPoints: https entrypoints: https,http
tls: tls:
certresolver: myresolver certresolver: myresolver
middlewares: crowdsec-bouncer@file middlewares: crowdsec-bouncer@file
@@ -70,7 +70,7 @@ http:
lldap: lldap:
rule: "Host(`ldap.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" rule: "Host(`ldap.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node service: node
entryPoints: https entrypoints: https,http
tls: tls:
certresolver: myresolver certresolver: myresolver
middlewares: crowdsec-bouncer@file middlewares: crowdsec-bouncer@file
@@ -78,7 +78,7 @@ http:
linkwarden: linkwarden:
rule: "Host(`linkwarden.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" rule: "Host(`linkwarden.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node service: node
entryPoints: https entrypoints: https,http
tls: tls:
certresolver: myresolver certresolver: myresolver
middlewares: crowdsec-bouncer@file middlewares: crowdsec-bouncer@file
@@ -86,7 +86,7 @@ http:
mealie: mealie:
rule: "Host(`mealie.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" rule: "Host(`mealie.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node service: node
entryPoints: https entrypoints: https,http
tls: tls:
certresolver: myresolver certresolver: myresolver
middlewares: crowdsec-bouncer@file middlewares: crowdsec-bouncer@file
@@ -94,7 +94,7 @@ http:
navidrome: navidrome:
rule: "Host(`navidrome.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" rule: "Host(`navidrome.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node service: node
entryPoints: https entrypoints: https,http
tls: tls:
certresolver: myresolver certresolver: myresolver
middlewares: crowdsec-bouncer@file middlewares: crowdsec-bouncer@file
@@ -102,7 +102,7 @@ http:
ntfy: ntfy:
rule: "Host(`ntfy.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" rule: "Host(`ntfy.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node service: node
entryPoints: https entrypoints: https,http
tls: tls:
certresolver: myresolver certresolver: myresolver
middlewares: crowdsec-bouncer@file middlewares: crowdsec-bouncer@file
@@ -110,7 +110,7 @@ http:
paperless: paperless:
rule: "Host(`paperless.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" rule: "Host(`paperless.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node service: node
entryPoints: https entrypoints: https,http
tls: tls:
certresolver: myresolver certresolver: myresolver
middlewares: crowdsec-bouncer@file middlewares: crowdsec-bouncer@file
@@ -118,7 +118,7 @@ http:
pdf: pdf:
rule: "Host(`pdf.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" rule: "Host(`pdf.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node service: node
entryPoints: https entrypoints: https,http
tls: tls:
certresolver: myresolver certresolver: myresolver
middlewares: crowdsec-bouncer@file middlewares: crowdsec-bouncer@file
@@ -126,7 +126,7 @@ http:
radicale: radicale:
rule: "Host(`radicale.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" rule: "Host(`radicale.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node service: node
entryPoints: https entrypoints: https,http
tls: tls:
certresolver: myresolver certresolver: myresolver
middlewares: crowdsec-bouncer@file middlewares: crowdsec-bouncer@file
@@ -134,16 +134,15 @@ http:
rss: rss:
rule: "Host(`rss.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" rule: "Host(`rss.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node service: node
entryPoints: https entrypoints: https,http
tls: tls:
certresolver: myresolver certresolver: myresolver
middlewares: crowdsec-bouncer@file middlewares: crowdsec-bouncer@file
<<<<<<< HEAD
# superset: # superset:
# rule: "Host(`superset.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" # rule: "Host(`superset.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
# service: node # service: node
# entryPoints: https # entrypoints: https,http
# tls: # tls:
# certresolver: myresolver # certresolver: myresolver
# middlewares: crowdsec-bouncer@file # middlewares: crowdsec-bouncer@file
@@ -151,7 +150,7 @@ http:
vaultwarden: vaultwarden:
rule: "Host(`vaultwarden.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" rule: "Host(`vaultwarden.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node service: node
entryPoints: https entrypoints: https,http
tls: tls:
certresolver: myresolver certresolver: myresolver
middlewares: crowdsec-bouncer@file middlewares: crowdsec-bouncer@file
@@ -159,7 +158,7 @@ http:
vikunja: vikunja:
rule: "Host(`vikunja.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" rule: "Host(`vikunja.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node service: node
entryPoints: https entrypoints: https,http
tls: tls:
certresolver: myresolver certresolver: myresolver
middlewares: crowdsec-bouncer@file middlewares: crowdsec-bouncer@file
@@ -170,3 +169,12 @@ http:
servers: servers:
- url: https://{{ env "TRAEFIK_MAIN_SERVER_NODE_IP" }} - url: https://{{ env "TRAEFIK_MAIN_SERVER_NODE_IP" }}
tls:
stores:
default:
defaultCertificate:
certFile: /etc/certs/server-vps-lan.crt
keyFile: /etc/certs/server-vps-lan.key
defaultCertificate:
- certFile: /etc/certs/server-vps-lan.crt
keyFile: /etc/certs/server-vps-lan.key

3
services/traefik/traefik.yml
View File

@@ -16,7 +16,6 @@ services:
TRAEFIK_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN} TRAEFIK_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN}
TRAEFIK_MAIN_SERVER_NODE_IP: ${MAIN_SERVER_NODE_IP} TRAEFIK_MAIN_SERVER_NODE_IP: ${MAIN_SERVER_NODE_IP}
TRAEFIK_CROWDSEC_API_KEY: ${CROWDSEC_API_KEY} TRAEFIK_CROWDSEC_API_KEY: ${CROWDSEC_API_KEY}
# INFOMANIAK_ACCESS_TOKEN: ${INFOMANIAK_CERTIFICATE_ACCESS_TOKEN}
volumes: volumes:
- "/var/log/traefik/:/var/log/traefik/" - "/var/log/traefik/:/var/log/traefik/"
- "/var/run/docker.sock:/var/run/docker.sock:ro" - "/var/run/docker.sock:/var/run/docker.sock:ro"
@@ -33,6 +32,8 @@ services:
- "traefik.http.routers.traefik.entrypoints=https" - "traefik.http.routers.traefik.entrypoints=https"
- "traefik.http.routers.traefik.tls=true" - "traefik.http.routers.traefik.tls=true"
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server-vps-lan.key -out vps-lan.crt \ -subj "/CN=server-vps-lan"
# traefik-agent: # traefik-agent:
# extends: # extends:
# file: ${TEMPLATES_PATH} # file: ${TEMPLATES_PATH}