config traefik

2026-01-19 18:04:58 +00:00
parent dddd076150
commit 97fcc660fb
5 changed files with 89 additions and 300 deletions


@@ -6,7 +6,6 @@
# Whenever I need to remove some service then I can comment out the lines here.
include:
- path:
- ${SERVICE_PATH}/caddy/caddy.yml
- ${SERVICE_PATH}/crowdsec/crowdsec.yml
- ${SERVICE_PATH}/headscale/headscale.yml
- ${SERVICE_PATH}/traefik/traefik.yml


@@ -1,189 +0,0 @@
(forward_headers) {
header {
Permissions-Policy interest-cohort=()
Strict-Transport-Security "max-age=31536000; includeSubdomains"
X-XSS-Protection "1; mode=block"
X-Content-Type-Options "nosniff"
X-Robots-Tag noindex, nofollow
Referrer-Policy "same-origin"
Content-Security-Policy "frame-ancestors {$public_domain }} *.{$public_domain}"
-Server
Permissions-Policy "geolocation=(self {$public_domain }} *.{$public_domain}), microphone=()"
}
}
auth.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
audiobookshelf.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
gitea.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
headscale.{$public_domain} {
reverse_proxy headscale:8080
tls {$email}
import forward_headers
}
immich.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
ldap.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
linkwarden.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
mealie.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
navidrome.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
ntfy.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
paperless.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
radicale.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
rss.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
pdf.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
superset.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
vaultwarden.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
vikunja.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}


@@ -1,30 +0,0 @@
services:
caddy:
extends:
file: ${TEMPLATES_PATH}
service: default
image: caddy
container_name: caddy
volumes:
- ${SERVICE_PATH}/caddy/config:/etc/headscale
- ${SERVICE_PATH}/caddy/Caddyfile:/etc/caddy/Caddyfile
- ${SERVICE_PATH}/caddy/site:/srv
- ${SERVICE_PATH}/caddy/data:/data
- ${SERVICE_PATH}/caddy/config:/config
- ${SERVICE_PATH}/caddy/certs:/certs
ports:
- "80:80"
- "443:443"
- "443:443/udp"
environment:
email: ${EMAIL}
public_domain: ${PUBLIC_DOMAIN}
private_domain: ${LOCAL_DOMAIN}
main_server_ip: ${MAIN_SERVER_NODE_IP:-10.10.10.2}
cap_add:
- NET_ADMIN
networks:
- ip4net
labels:
# Watchtower
- "com.centurylinklabs.watchtower.enable=true"


@@ -30,7 +30,7 @@ http:
authelia:
rule: "Host(`auth.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
entrypoints: https,http
tls:
certresolver: myresolver
middlewares: crowdsec-bouncer@file
@@ -38,7 +38,7 @@ http:
audiobookshelf:
rule: "Host(`audiobookshelf.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
entrypoints: https,http
tls:
certresolver: myresolver
middlewares: crowdsec-bouncer@file
@@ -46,7 +46,7 @@ http:
gitea:
rule: "Host(`gitea.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
entrypoints: https,http
tls:
certresolver: myresolver
middlewares: crowdsec-bouncer@file
@@ -54,7 +54,7 @@ http:
headscale:
rule: "Host(`headscale.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
entrypoints: https,http
tls:
certresolver: myresolver
middlewares: crowdsec-bouncer@file
@@ -62,7 +62,7 @@ http:
immich:
rule: "Host(`immich.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
entrypoints: https,http
tls:
certresolver: myresolver
middlewares: crowdsec-bouncer@file
@@ -70,7 +70,7 @@ http:
lldap:
rule: "Host(`ldap.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
entrypoints: https,http
tls:
certresolver: myresolver
middlewares: crowdsec-bouncer@file
@@ -78,7 +78,7 @@ http:
linkwarden:
rule: "Host(`linkwarden.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
entrypoints: https,http
tls:
certresolver: myresolver
middlewares: crowdsec-bouncer@file
@@ -86,7 +86,7 @@ http:
mealie:
rule: "Host(`mealie.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
entrypoints: https,http
tls:
certresolver: myresolver
middlewares: crowdsec-bouncer@file
@@ -94,7 +94,7 @@ http:
navidrome:
rule: "Host(`navidrome.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
entrypoints: https,http
tls:
certresolver: myresolver
middlewares: crowdsec-bouncer@file
@@ -102,7 +102,7 @@ http:
ntfy:
rule: "Host(`ntfy.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
entrypoints: https,http
tls:
certresolver: myresolver
middlewares: crowdsec-bouncer@file
@@ -110,7 +110,7 @@ http:
paperless:
rule: "Host(`paperless.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
entrypoints: https,http
tls:
certresolver: myresolver
middlewares: crowdsec-bouncer@file
@@ -118,7 +118,7 @@ http:
pdf:
rule: "Host(`pdf.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
entrypoints: https,http
tls:
certresolver: myresolver
middlewares: crowdsec-bouncer@file
@@ -126,7 +126,7 @@ http:
radicale:
rule: "Host(`radicale.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
entrypoints: https,http
tls:
certresolver: myresolver
middlewares: crowdsec-bouncer@file
@@ -134,16 +134,15 @@ http:
rss:
rule: "Host(`rss.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
entrypoints: https,http
tls:
certresolver: myresolver
middlewares: crowdsec-bouncer@file
<<<<<<< HEAD
# superset:
# rule: "Host(`superset.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
# service: node
# entryPoints: https
# entrypoints: https,http
# tls:
# certresolver: myresolver
# middlewares: crowdsec-bouncer@file
@@ -151,7 +150,7 @@ http:
vaultwarden:
rule: "Host(`vaultwarden.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
entrypoints: https,http
tls:
certresolver: myresolver
middlewares: crowdsec-bouncer@file
@@ -159,7 +158,7 @@ http:
vikunja:
rule: "Host(`vikunja.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
entrypoints: https,http
tls:
certresolver: myresolver
middlewares: crowdsec-bouncer@file
@@ -170,3 +169,12 @@ http:
servers:
- url: https://{{ env "TRAEFIK_MAIN_SERVER_NODE_IP" }}
tls:
stores:
default:
defaultCertificate:
certFile: /etc/certs/server-vps-lan.crt
keyFile: /etc/certs/server-vps-lan.key
defaultCertificate:
- certFile: /etc/certs/server-vps-lan.crt
keyFile: /etc/certs/server-vps-lan.key
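Review bot: The second `defaultCertificate:` block at the end of the last hunk (`- certFile: …` / `keyFile: …`) is written as a list, but Traefik's `tls.stores.<name>.defaultCertificate` takes a single certFile/keyFile object; the list shape is the one `tls.certificates` uses, so this looks like a mis-named key, and if it sits at the same level as the first `defaultCertificate:` it is also a duplicate key that most YAML parsers resolve last-wins (indentation is not visible on the rendered page). Either drop the block or rename it to what was intended, e.g. `certificates:` / `- certFile: /etc/certs/server-vps-lan.crt` / `keyFile: /etc/certs/server-vps-lan.key`. The `entrypoints: https,http` change repeated in every router hunk (authelia through vikunja) adds the plaintext entrypoint to routers that carry a `tls:` section; as far as I can tell a TLS router does not match plain HTTP requests, so this only helps if the `http` entrypoint itself redirects to `https` — if that redirect exists, listing `http` here is redundant, and if it does not, port-80 requests will fail rather than be redirected. In the rss hunk the line counts (16 → 15) suggest the stray `<<<<<<< HEAD` marker is one of the removed lines; worth confirming it is gone, since a leftover conflict marker makes the whole dynamic configuration file unparseable.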


@@ -16,7 +16,6 @@ services:
TRAEFIK_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN}
TRAEFIK_MAIN_SERVER_NODE_IP: ${MAIN_SERVER_NODE_IP}
TRAEFIK_CROWDSEC_API_KEY: ${CROWDSEC_API_KEY}
# INFOMANIAK_ACCESS_TOKEN: ${INFOMANIAK_CERTIFICATE_ACCESS_TOKEN}
volumes:
- "/var/log/traefik/:/var/log/traefik/"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
@@ -33,64 +32,66 @@ services:
- "traefik.http.routers.traefik.entrypoints=https"
- "traefik.http.routers.traefik.tls=true"
# traefik-agent:
# extends:
# file: ${TEMPLATES_PATH}
# service: default
# image: hhftechnology/traefik-log-dashboard-agent:2.4.0
# container_name: traefik-log-dashboard-agent
# networks:
# - ip4net
# ports:
# - "8078:5000"
# volumes:
# - "/var/log/crowdsec/:/logs:ro"
# - "${SERVICE_PATH}/traefik/log-dashboard/positions:/data"
# environment:
# TRAEFIK_LOG_DASHBOARD_ACCESS_PATH: /logs/traefik.log
# TRAEFIK_LOG_DASHBOARD_AUTH_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN}
# TRAEFIK_LOG_DASHBOARD_SYSTEM_MONITORING: true
# TRAEFIK_LOG_DASHBOARD_LOG_FORMAT: json
# healthcheck:
# test:
# [
# "CMD",
# "wget",
# "--no-verbose",
# "--tries=1",
# "--spider",
# "http://localhost:5000/api/logs/status",
# ]
# interval: 2m
# timeout: 10s
# retries: 3
# start_period: 30s
#
# traefik-dashboard:
# extends:
# file: ${TEMPLATES_PATH}
# service: default
# image: hhftechnology/traefik-log-dashboard:2.4.0
# container_name: traefik-log-dashboard
# networks:
# - ip4net
# ports:
# - "8077:3000"
# volumes:
# - ./data/dashboard:/app/data
# - "${SERVICE_PATH}/traefik/log-dashboard/dashboard:/app/data"
# - "${SERVICE_PATH}/traefik/log-dashboard/positions:/data"
# environment:
# AGENT_API_URL: http://192.168.178.35:8078
# AGENT_API_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN}
# # Display Configuration
# NEXT_PUBLIC_SHOW_DEMO_PAGE: false
# depends_on:
# traefik-agent:
# condition: service_healthy
# labels:
# # traefik
# - "traefik.enable=true"
# - "traefik.http.routers.traefik-log-dashboard.rule=Host(`traefik-dashboard.${LOCAL_DOMAIN}`)"
# - "traefik.http.routers.traefik-log-dashboard.entrypoints=https"
# - "traefik.http.routers.traefik-log-dashboard.tls=true"
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server-vps-lan.key -out vps-lan.crt \ -subj "/CN=server-vps-lan"
# traefik-agent:
# extends:
# file: ${TEMPLATES_PATH}
# service: default
# image: hhftechnology/traefik-log-dashboard-agent:2.4.0
# container_name: traefik-log-dashboard-agent
# networks:
# - ip4net
# ports:
# - "8078:5000"
# volumes:
# - "/var/log/crowdsec/:/logs:ro"
# - "${SERVICE_PATH}/traefik/log-dashboard/positions:/data"
# environment:
# TRAEFIK_LOG_DASHBOARD_ACCESS_PATH: /logs/traefik.log
# TRAEFIK_LOG_DASHBOARD_AUTH_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN}
# TRAEFIK_LOG_DASHBOARD_SYSTEM_MONITORING: true
# TRAEFIK_LOG_DASHBOARD_LOG_FORMAT: json
# healthcheck:
# test:
# [
# "CMD",
# "wget",
# "--no-verbose",
# "--tries=1",
# "--spider",
# "http://localhost:5000/api/logs/status",
# ]
# interval: 2m
# timeout: 10s
# retries: 3
# start_period: 30s
#
# traefik-dashboard:
# extends:
# file: ${TEMPLATES_PATH}
# service: default
# image: hhftechnology/traefik-log-dashboard:2.4.0
# container_name: traefik-log-dashboard
# networks:
# - ip4net
# ports:
# - "8077:3000"
# volumes:
# - ./data/dashboard:/app/data
# - "${SERVICE_PATH}/traefik/log-dashboard/dashboard:/app/data"
# - "${SERVICE_PATH}/traefik/log-dashboard/positions:/data"
# environment:
# AGENT_API_URL: http://192.168.178.35:8078
# AGENT_API_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN}
# # Display Configuration
# NEXT_PUBLIC_SHOW_DEMO_PAGE: false
# depends_on:
# traefik-agent:
# condition: service_healthy
# labels:
# # traefik
# - "traefik.enable=true"
# - "traefik.http.routers.traefik-log-dashboard.rule=Host(`traefik-dashboard.${LOCAL_DOMAIN}`)"
# - "traefik.http.routers.traefik-log-dashboard.entrypoints=https"
# - "traefik.http.routers.traefik-log-dashboard.tls=true"
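Review bot: The new `# openssl req …` comment in the second hunk writes the certificate to `vps-lan.crt`, while the dynamic configuration references `/etc/certs/server-vps-lan.crt` alongside `server-vps-lan.key`; the comment also carries a stray ` \ ` from a shell line continuation that was collapsed onto one line. Suggest `# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server-vps-lan.key -out server-vps-lan.crt -subj "/CN=server-vps-lan"` so the documented command produces the file names the config expects. Since `-nodes` produces an unencrypted key, the comment could also say which mounted directory the two files belong in, so they are not dropped next to the compose file. The rest of the hunk only re-indents the commented-out `traefik-agent` and `traefik-dashboard` services; carrying roughly sixty lines of dead configuration as comments hides real changes in diffs, so consider removing them (history keeps them) or moving them to a separate compose file that is not included.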