From f18cfb01e874b048f14b7a25e5c723d177b3a7f2 Mon Sep 17 00:00:00 2001 From: chriswin Date: Wed, 14 Jan 2026 00:36:10 +0100 Subject: [PATCH] traefik config --- services/traefik/config.yml | 164 --------------------- services/traefik/config/config.yml | 217 ++++++++++++++++++++-------- services/traefik/config/traefik.yml | 161 +++++++++------------ services/traefik/traefik.yml | 96 ++++++++++++ 4 files changed, 319 insertions(+), 319 deletions(-) delete mode 100644 services/traefik/config.yml create mode 100644 services/traefik/traefik.yml diff --git a/services/traefik/config.yml b/services/traefik/config.yml deleted file mode 100644 index 6859554..0000000 --- a/services/traefik/config.yml +++ /dev/null 
@@ -1,164 +0,0 @@ -http: - middlewares: - - # Crowdsec - crowdsec-bouncer: - plugin: - crowdsec-bouncer-plugin: - enabled: true - logLevel: INFO - updateIntervalSeconds: 60 - crowdsecMode: stream - crowdsecAppsecEnabled: true - crowdsecAppsecHost: crowdsec:7422 - crowdsecLapiScheme: http - crowdsecLapiHost: crowdsec:8080 - # generated using "docker exec crowdsec cscli bouncers add crowdsecBouncer" - crowdseclapikey: {{ env "TRAEFIK_CROWDSEC_API_KEY" }} - forwardedHeadersTrustedIPs: - - 10.0.6.0/24 - clientTrustedIPs: - - 192.168.178.0/24 - captchaProvider: hcaptcha - captchaSiteKey: b2d20610-8dda-4f40-8688-7ca8e1e628f8 # found in hcaptcha account - captchaSecretKey: ES_9511d34bbec34dada169afad0a36991a - captchaGracePeriodSeconds: 1800 - captchaHTMLFilePath: /captcha.html - banHTMLFilePath: /ban.html - - routers: - authelia: - rule: "Host(`auth.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" - service: node - entryPoints: https - tls: {} - middlewares: crowdsec-bouncer@file - - audiobookshelf: - rule: "Host(`audiobookshelf.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" - service: node - entryPoints: https - tls: {} - middlewares: crowdsec-bouncer@file - - gitea: - rule: "Host(`gitea.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" - service: node - entryPoints: https - tls: {} - middlewares: crowdsec-bouncer@file - - headscale: - rule: "Host(`headscale.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" - service: node - entryPoints: https - tls: {} - middlewares: crowdsec-bouncer@file - - immich: - rule: "Host(`immich.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" - service: node - entryPoints: https - tls: {} - middlewares: crowdsec-bouncer@file - - lldap: - rule: "Host(`lldap.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" - service: node - entryPoints: https - tls: {} - middlewares: crowdsec-bouncer@file - - linkwarden: - rule: "Host(`linkwarden.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" - service: node - entryPoints: https - tls: {} - middlewares: crowdsec-bouncer@file - - mealie: - rule: "Host(`mealie.{{ env "TRAEFIK_PUBLIC_DOMAIN" 
}}`)" - service: node - entryPoints: https - tls: {} - middlewares: crowdsec-bouncer@file - - navidrome: - rule: "Host(`navidrome.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" - service: node - entryPoints: https - tls: {} - middlewares: crowdsec-bouncer@file - - ntfy: - rule: "Host(`ntfy.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" - service: node - entryPoints: https - tls: {} - middlewares: crowdsec-bouncer@file - - paperless: - rule: "Host(`paperless.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" - service: node - entryPoints: https - tls: {} - middlewares: crowdsec-bouncer@file - - pdf: - rule: "Host(`pdf.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" - service: node - entryPoints: https - tls: {} - middlewares: crowdsec-bouncer@file - - radicale: - rule: "Host(`radicale.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" - service: node - entryPoints: https - tls: {} - middlewares: crowdsec-bouncer@file - - rss: - rule: "Host(`rss.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" - service: node - entryPoints: https - tls: {} - middlewares: crowdsec-bouncer@file - - superset: - rule: "Host(`superset.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" - service: node - entryPoints: https - tls: {} - middlewares: crowdsec-bouncer@file - - vaultwarden: - rule: "Host(`vaultwarden.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" - service: node - entryPoints: https - tls: {} - middlewares: crowdsec-bouncer@file - - vikunja: - rule: "Host(`vikunja.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" - service: node - entryPoints: https - tls: {} - middlewares: crowdsec-bouncer@file - - services: - node: - loadBalancer: - servers: - - url: {{ env TRAEFIK_MAIN_SERVER_NODE_IP }} - -tls: - stores: - default: - defaultCertificate: - certFile: /etc/certs/server.crt - keyFile: /etc/certs/server.key - certificates: - - certFile: /etc/certs/server.crt - keyFile: /etc/certs/server.key - diff --git a/services/traefik/config/config.yml b/services/traefik/config/config.yml index 35c4d1d..6859554 100644 --- a/services/traefik/config/config.yml +++ b/services/traefik/config/config.yml 
@@ -1,67 +1,164 @@ -api: - dashboard: true +http: + middlewares: -log: - level: "INFO" + # Crowdsec + crowdsec-bouncer: + plugin: + crowdsec-bouncer-plugin: + enabled: true + logLevel: INFO + updateIntervalSeconds: 60 + crowdsecMode: stream + crowdsecAppsecEnabled: true + crowdsecAppsecHost: crowdsec:7422 + crowdsecLapiScheme: http + crowdsecLapiHost: crowdsec:8080 + # generated using "docker exec crowdsec cscli bouncers add crowdsecBouncer" + crowdseclapikey: {{ env "TRAEFIK_CROWDSEC_API_KEY" }} + forwardedHeadersTrustedIPs: + - 10.0.6.0/24 + clientTrustedIPs: + - 192.168.178.0/24 + captchaProvider: hcaptcha + captchaSiteKey: b2d20610-8dda-4f40-8688-7ca8e1e628f8 # found in hcaptcha account + captchaSecretKey: ES_9511d34bbec34dada169afad0a36991a + captchaGracePeriodSeconds: 1800 + captchaHTMLFilePath: /captcha.html + banHTMLFilePath: /ban.html -serversTransport: - insecureSkipVerify: true + routers: + authelia: + rule: "Host(`auth.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" + service: node + entryPoints: https + tls: {} + middlewares: crowdsec-bouncer@file -accessLog: - filePath: "/var/log/traefik/access.log" # location of traefik logs for crowdsec - format: json - bufferingSize: 100 # Configuring a buffer of 100 lines - filters: - statusCodes: - - "204-299" - - "400-499" - - "500-559" # logged status codes + audiobookshelf: + rule: "Host(`audiobookshelf.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" + service: node + entryPoints: https + tls: {} + middlewares: crowdsec-bouncer@file -entryPoints: - http: - address: "[::]:80" # Create the HTTP entrypoint on port 80 - forwardedHeaders: - insecure: false - trustedIPs: - - "10.0.0.0/8" - - "192.168.178.0/16" - - "2a07:600:200:1::/64" - proxyProtocol: - insecure: false - trustedIPs: - - "10.0.0.0/8" - - "192.168.178.0/16" - - "2a07:600:200:1::/64" - http: - redirections: # HTTPS redirection (80 to 443) - entryPoint: - to: "https" # The target element - scheme: "https" # The redirection target scheme - permanent: true # The target 
element + gitea: + rule: "Host(`gitea.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" + service: node + entryPoints: https + tls: {} + middlewares: crowdsec-bouncer@file - https: - address: "[::]:443" # Create the HTTPS entrypoint on port 443 - forwardedHeaders: - insecure: false - trustedIPs: - - "10.0.0.0/8" - - "192.168.178.0/16" - - "2a07:600:200:1::/64" - proxyProtocol: - insecure: false - trustedIPs: - - "10.0.0.0/8" - - "192.168.178.0/16" - - "2a07:600:200:1::/64" + headscale: + rule: "Host(`headscale.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" + service: node + entryPoints: https + tls: {} + middlewares: crowdsec-bouncer@file -providers: - docker: - endpoint: "unix:///var/run/docker.sock" # Listen to the UNIX Docker socket - exposedByDefault: false - file: - directory: "/etc/traefik" # Link to the dynamic configuration - watch: true # Watch for modifications - providersThrottleDuration: "10" # Configuration reload frequency + immich: + rule: "Host(`immich.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" + service: node + entryPoints: https + tls: {} + middlewares: crowdsec-bouncer@file + + lldap: + rule: "Host(`lldap.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" + service: node + entryPoints: https + tls: {} + middlewares: crowdsec-bouncer@file + + linkwarden: + rule: "Host(`linkwarden.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" + service: node + entryPoints: https + tls: {} + middlewares: crowdsec-bouncer@file + + mealie: + rule: "Host(`mealie.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" + service: node + entryPoints: https + tls: {} + middlewares: crowdsec-bouncer@file + + navidrome: + rule: "Host(`navidrome.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" + service: node + entryPoints: https + tls: {} + middlewares: crowdsec-bouncer@file + + ntfy: + rule: "Host(`ntfy.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" + service: node + entryPoints: https + tls: {} + middlewares: crowdsec-bouncer@file + + paperless: + rule: "Host(`paperless.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" + service: node + entryPoints: https + tls: {} + 
middlewares: crowdsec-bouncer@file + + pdf: + rule: "Host(`pdf.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" + service: node + entryPoints: https + tls: {} + middlewares: crowdsec-bouncer@file + + radicale: + rule: "Host(`radicale.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" + service: node + entryPoints: https + tls: {} + middlewares: crowdsec-bouncer@file + + rss: + rule: "Host(`rss.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" + service: node + entryPoints: https + tls: {} + middlewares: crowdsec-bouncer@file + + superset: + rule: "Host(`superset.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" + service: node + entryPoints: https + tls: {} + middlewares: crowdsec-bouncer@file + + vaultwarden: + rule: "Host(`vaultwarden.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" + service: node + entryPoints: https + tls: {} + middlewares: crowdsec-bouncer@file + + vikunja: + rule: "Host(`vikunja.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)" + service: node + entryPoints: https + tls: {} + middlewares: crowdsec-bouncer@file + + services: + node: + loadBalancer: + servers: + - url: {{ env TRAEFIK_MAIN_SERVER_NODE_IP }} + +tls: + stores: + default: + defaultCertificate: + certFile: /etc/certs/server.crt + keyFile: /etc/certs/server.key + certificates: + - certFile: /etc/certs/server.crt + keyFile: /etc/certs/server.key -metrics: - prometheus: {} diff --git a/services/traefik/config/traefik.yml b/services/traefik/config/traefik.yml index 9969069..35c4d1d 100644 --- a/services/traefik/config/traefik.yml +++ b/services/traefik/config/traefik.yml 
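Review bot: The crowdsec-bouncer middleware on the new side embeds what looks like a live hCaptcha secret (`captchaSecretKey: ES_…`) and site key as literals, so the secret now lives in git history for anyone with repository access, while every other credential in this file is pulled from the environment. It should be `captchaSecretKey: '{{ env "TRAEFIK_HCAPTCHA_SECRET_KEY" }}'` with the variable supplied by the compose file, and the exposed key rotated in the hCaptcha account. Separately, the `node` service URL uses `{{ env TRAEFIK_MAIN_SERVER_NODE_IP }}` without quotes around the variable name, unlike the `env "…"` calls above it; Traefik's file provider renders this as a Go template, where a bare identifier is resolved as a function name, so this very likely fails to render and should read `- url: '{{ env "TRAEFIK_MAIN_SERVER_NODE_IP" }}'`. Quoting the templated values also stops YAML from re-typing whatever the variables expand to.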
@@ -1,96 +1,67 @@ -services: - traefik: - extends: - file: ${TEMPLATES_PATH} - service: default - image: traefik:v3.6.6 - container_name: traefik - ports: - - "80:80" - - "443:443" - - "8079:8080" - networks: - - ip4net - environment: - TRAEFIK_EMAIL: ${EMAIL} - TRAEFIK_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN} - TRAEFIK_MAIN_SERVER_NODE_IP: ${MAIN_SERVER_NODE_IP} - TRAEFIK_CROWDSEC_API_KEY: ${CROWDSEC_API_KEY} - INFOMANIAK_ACCESS_TOKEN: ${INFOMANIAK_CERTIFICATE_ACCESS_TOKEN} - volumes: - - "/var/log/traefik/:/var/log/traefik/" - - "/var/run/docker.sock:/var/run/docker.sock:ro" - - "${SERVICE_PATH}/traefik/letsencrypt:/letsencrypt" - - "${SERVICE_PATH}/traefik/config:/etc/traefik" - - "${SERVICE_PATH}/traefik/certs:/etc/certs" - - "${SERVICE_PATH}/traefik/html/ban.html:/ban.html" - - "${SERVICE_PATH}/traefik/html/captcha.html:/captcha.html" - labels: - # Traefik - - "traefik.enable=true" - - "traefik.http.routers.traefik.service=api@internal" - - "traefik.http.routers.traefik.rule=Host(`traefik.${LOCAL_DOMAIN}`)" - - "traefik.http.routers.traefik.entrypoints=https" - - "traefik.http.routers.traefik.tls=true" +api: + dashboard: true - # traefik-agent: - # extends: - # file: ${TEMPLATES_PATH} - # service: default - # image: hhftechnology/traefik-log-dashboard-agent:2.4.0 - # container_name: traefik-log-dashboard-agent - # networks: - # - ip4net - # ports: - # - "8078:5000" - # volumes: - # - "/var/log/crowdsec/:/logs:ro" - # - "${SERVICE_PATH}/traefik/log-dashboard/positions:/data" - # environment: - # TRAEFIK_LOG_DASHBOARD_ACCESS_PATH: /logs/traefik.log - # TRAEFIK_LOG_DASHBOARD_AUTH_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN} - # TRAEFIK_LOG_DASHBOARD_SYSTEM_MONITORING: true - # TRAEFIK_LOG_DASHBOARD_LOG_FORMAT: json - # healthcheck: - # test: - # [ - # "CMD", - # "wget", - # "--no-verbose", - # "--tries=1", - # "--spider", - # "http://localhost:5000/api/logs/status", - # ] - # interval: 2m - # timeout: 10s - # retries: 3 - # start_period: 30s - # - # traefik-dashboard: - # extends: - 
# file: ${TEMPLATES_PATH} - # service: default - # image: hhftechnology/traefik-log-dashboard:2.4.0 - # container_name: traefik-log-dashboard - # networks: - # - ip4net - # ports: - # - "8077:3000" - # volumes: - # - ./data/dashboard:/app/data - # - "${SERVICE_PATH}/traefik/log-dashboard/dashboard:/app/data" - # - "${SERVICE_PATH}/traefik/log-dashboard/positions:/data" - # environment: - # AGENT_API_URL: http://192.168.178.35:8078 - # AGENT_API_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN} - # # Display Configuration - # NEXT_PUBLIC_SHOW_DEMO_PAGE: false - # depends_on: - # traefik-agent: - # condition: service_healthy - # labels: - # # traefik - # - "traefik.enable=true" - # - "traefik.http.routers.traefik-log-dashboard.rule=Host(`traefik-dashboard.${LOCAL_DOMAIN}`)" - # - "traefik.http.routers.traefik-log-dashboard.entrypoints=https" - # - "traefik.http.routers.traefik-log-dashboard.tls=true" +log: + level: "INFO" + +serversTransport: + insecureSkipVerify: true + +accessLog: + filePath: "/var/log/traefik/access.log" # location of traefik logs for crowdsec + format: json + bufferingSize: 100 # Configuring a buffer of 100 lines + filters: + statusCodes: + - "204-299" + - "400-499" + - "500-559" # logged status codes + +entryPoints: + http: + address: "[::]:80" # Create the HTTP entrypoint on port 80 + forwardedHeaders: + insecure: false + trustedIPs: + - "10.0.0.0/8" + - "192.168.178.0/16" + - "2a07:600:200:1::/64" + proxyProtocol: + insecure: false + trustedIPs: + - "10.0.0.0/8" + - "192.168.178.0/16" + - "2a07:600:200:1::/64" + http: + redirections: # HTTPS redirection (80 to 443) + entryPoint: + to: "https" # The target element + scheme: "https" # The redirection target scheme + permanent: true # The target element + + https: + address: "[::]:443" # Create the HTTPS entrypoint on port 443 + forwardedHeaders: + insecure: false + trustedIPs: + - "10.0.0.0/8" + - "192.168.178.0/16" + - "2a07:600:200:1::/64" + proxyProtocol: + insecure: false + trustedIPs: + - "10.0.0.0/8" + - 
"192.168.178.0/16" + - "2a07:600:200:1::/64" + +providers: + docker: + endpoint: "unix:///var/run/docker.sock" # Listen to the UNIX Docker socket + exposedByDefault: false + file: + directory: "/etc/traefik" # Link to the dynamic configuration + watch: true # Watch for modifications + providersThrottleDuration: "10" # Configuration reload frequency + +metrics: + prometheus: {} diff --git a/services/traefik/traefik.yml b/services/traefik/traefik.yml new file mode 100644 index 0000000..9969069 --- /dev/null +++ b/services/traefik/traefik.yml 
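Review bot: Both entrypoints list `"192.168.178.0/16"` under `forwardedHeaders.trustedIPs` and `proxyProtocol.trustedIPs`, a CIDR with host bits set; Go's CIDR parsing masks it to 192.168.0.0/16, so Traefik ends up trusting X-Forwarded-For and PROXY headers from a far wider range than the 192.168.178.0/24 that the crowdsec bouncer in this same patch uses for `clientTrustedIPs`. If the /24 is intended, change all four occurrences to `- "192.168.178.0/24"`; if the whole 192.168/16 is intended, write `- "192.168.0.0/16"` so the intent is explicit. Trusting 10.0.0.0/8 to set forwarded headers also means any host in that range can forge the client IP the bouncer bans on; narrowing it to the actual upstream proxy subnet would be safer. The global `serversTransport.insecureSkipVerify: true` disables backend certificate verification for every service, so if only some backends use self-signed certificates, a per-service `serversTransports` entry (or their CA under `rootCAs`) would limit that exposure.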
@@ -0,0 +1,96 @@ +services: + traefik: + extends: + file: ${TEMPLATES_PATH} + service: default + image: traefik:v3.6.6 + container_name: traefik + ports: + - "80:80" + - "443:443" + - "8079:8080" + networks: + - ip4net + environment: + TRAEFIK_EMAIL: ${EMAIL} + TRAEFIK_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN} + TRAEFIK_MAIN_SERVER_NODE_IP: ${MAIN_SERVER_NODE_IP} + TRAEFIK_CROWDSEC_API_KEY: ${CROWDSEC_API_KEY} + INFOMANIAK_ACCESS_TOKEN: ${INFOMANIAK_CERTIFICATE_ACCESS_TOKEN} + volumes: + - "/var/log/traefik/:/var/log/traefik/" + - "/var/run/docker.sock:/var/run/docker.sock:ro" + - "${SERVICE_PATH}/traefik/letsencrypt:/letsencrypt" + - "${SERVICE_PATH}/traefik/config:/etc/traefik" + - "${SERVICE_PATH}/traefik/certs:/etc/certs" + - "${SERVICE_PATH}/traefik/html/ban.html:/ban.html" + - "${SERVICE_PATH}/traefik/html/captcha.html:/captcha.html" + labels: + # Traefik + - "traefik.enable=true" + - "traefik.http.routers.traefik.service=api@internal" + - "traefik.http.routers.traefik.rule=Host(`traefik.${LOCAL_DOMAIN}`)" + - "traefik.http.routers.traefik.entrypoints=https" + - "traefik.http.routers.traefik.tls=true" + + # traefik-agent: + # extends: + # file: ${TEMPLATES_PATH} + # service: default + # image: hhftechnology/traefik-log-dashboard-agent:2.4.0 + # container_name: traefik-log-dashboard-agent + # networks: + # - ip4net + # ports: + # - "8078:5000" + # volumes: + # - "/var/log/crowdsec/:/logs:ro" + # - "${SERVICE_PATH}/traefik/log-dashboard/positions:/data" + # environment: + # TRAEFIK_LOG_DASHBOARD_ACCESS_PATH: /logs/traefik.log + # TRAEFIK_LOG_DASHBOARD_AUTH_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN} + # TRAEFIK_LOG_DASHBOARD_SYSTEM_MONITORING: true + # TRAEFIK_LOG_DASHBOARD_LOG_FORMAT: json + # healthcheck: + # test: + # [ + # "CMD", + # "wget", + # "--no-verbose", + # "--tries=1", + # "--spider", + # "http://localhost:5000/api/logs/status", + # ] + # interval: 2m + # timeout: 10s + # retries: 3 + # start_period: 30s + # + # traefik-dashboard: + # extends: + # file: 
${TEMPLATES_PATH} + # service: default + # image: hhftechnology/traefik-log-dashboard:2.4.0 + # container_name: traefik-log-dashboard + # networks: + # - ip4net + # ports: + # - "8077:3000" + # volumes: + # - ./data/dashboard:/app/data + # - "${SERVICE_PATH}/traefik/log-dashboard/dashboard:/app/data" + # - "${SERVICE_PATH}/traefik/log-dashboard/positions:/data" + # environment: + # AGENT_API_URL: http://192.168.178.35:8078 + # AGENT_API_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN} + # # Display Configuration + # NEXT_PUBLIC_SHOW_DEMO_PAGE: false + # depends_on: + # traefik-agent: + # condition: service_healthy + # labels: + # # traefik + # - "traefik.enable=true" + # - "traefik.http.routers.traefik-log-dashboard.rule=Host(`traefik-dashboard.${LOCAL_DOMAIN}`)" + # - "traefik.http.routers.traefik-log-dashboard.entrypoints=https" + # - "traefik.http.routers.traefik-log-dashboard.tls=true"
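Review bot: The `traefik` router labels publish the dashboard (`api@internal`) on the public `https` entrypoint with no authentication middleware, so reaching it only requires sending `Host: traefik.<LOCAL_DOMAIN>` to port 443 — the hostname is the only secret — and it also skips the crowdsec-bouncer that every other router in this patch attaches. Add a middlewares label, e.g. `- "traefik.http.routers.traefik.middlewares=crowdsec-bouncer@file,<auth-middleware>"` where `<auth-middleware>` is a forwardAuth to Authelia or at least a basicAuth, or bind the router to an entrypoint that only listens on the LAN. The `8079:8080` mapping appears to publish a port Traefik never serves, since the static config in this patch does not set `api.insecure`, so dropping it avoids an unneeded exposed port. `INFOMANIAK_ACCESS_TOKEN` is injected although no ACME certificate resolver is configured anywhere in this patch; if it is unused, it should not be placed in the container's environment.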