traefik config

2026-01-14 00:36:10 +01:00
parent c94852fbaf
commit f18cfb01e8
4 changed files with 319 additions and 319 deletions
--- a/services/traefik/config/config.yml
+++ b/services/traefik/config/config.yml
@@ -1,67 +1,164 @@
-api:
-  dashboard: true
+http:
+  middlewares:

-log:
-  level: "INFO"
+    # Crowdsec
+    crowdsec-bouncer:
+      plugin:
+        crowdsec-bouncer-plugin:
+          enabled: true
+          logLevel: INFO
+          updateIntervalSeconds: 60
+          crowdsecMode: stream
+          crowdsecAppsecEnabled: true
+          crowdsecAppsecHost: crowdsec:7422
+          crowdsecLapiScheme: http
+          crowdsecLapiHost: crowdsec:8080
+          # generated using "docker exec crowdsec cscli bouncers add crowdsecBouncer"
+          crowdseclapikey: {{ env "TRAEFIK_CROWDSEC_API_KEY" }}
+          forwardedHeadersTrustedIPs:
+            - 10.0.6.0/24
+          clientTrustedIPs:
+            - 192.168.178.0/24
+          captchaProvider: hcaptcha
+          captchaSiteKey: b2d20610-8dda-4f40-8688-7ca8e1e628f8 # found in hcaptcha account
+          captchaSecretKey: ES_9511d34bbec34dada169afad0a36991a
+          captchaGracePeriodSeconds: 1800
+          captchaHTMLFilePath: /captcha.html
+          banHTMLFilePath: /ban.html

-serversTransport:
-  insecureSkipVerify: true
+  routers:
+    authelia:
+      rule: "Host(`auth.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
+      service: node 
+      entryPoints: https
+      tls: {}
+      middlewares: crowdsec-bouncer@file

-accessLog:
-  filePath: "/var/log/traefik/access.log" # location of traefik logs for crowdsec
-  format: json
-  bufferingSize: 100 # Configuring a buffer of 100 lines
-  filters:
-    statusCodes:
-      - "204-299"
-      - "400-499"
-      - "500-559" # logged status codes
+    audiobookshelf:
+      rule: "Host(`audiobookshelf.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
+      service: node 
+      entryPoints: https
+      tls: {}
+      middlewares: crowdsec-bouncer@file

-entryPoints:
-  http:
-    address: "[::]:80" # Create the HTTP entrypoint on port 80
-    forwardedHeaders:
-      insecure: false
-      trustedIPs:
-        - "10.0.0.0/8"
-        - "192.168.178.0/16"
-        - "2a07:600:200:1::/64"
-    proxyProtocol:
-      insecure: false
-      trustedIPs:
-        - "10.0.0.0/8"
-        - "192.168.178.0/16"
-        - "2a07:600:200:1::/64"
-    http:
-      redirections: # HTTPS redirection (80 to 443)
-        entryPoint:
-          to: "https" # The target element
-          scheme: "https" # The redirection target scheme
-          permanent: true # The target element
+    gitea:
+      rule: "Host(`gitea.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
+      service: node 
+      entryPoints: https
+      tls: {}
+      middlewares: crowdsec-bouncer@file

-  https:
-    address: "[::]:443" # Create the HTTPS entrypoint on port 443
-    forwardedHeaders:
-      insecure: false
-      trustedIPs:
-        - "10.0.0.0/8"
-        - "192.168.178.0/16"
-        - "2a07:600:200:1::/64"
-    proxyProtocol:
-      insecure: false
-      trustedIPs:
-        - "10.0.0.0/8"
-        - "192.168.178.0/16"
-        - "2a07:600:200:1::/64"
+    headscale:
+      rule: "Host(`headscale.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
+      service: node 
+      entryPoints: https
+      tls: {}
+      middlewares: crowdsec-bouncer@file

-providers:
-  docker:
-    endpoint: "unix:///var/run/docker.sock" # Listen to the UNIX Docker socket
-    exposedByDefault: false
-  file:
-    directory: "/etc/traefik" # Link to the dynamic configuration
-    watch: true # Watch for modifications
-  providersThrottleDuration: "10" # Configuration reload frequency
+    immich:
+      rule: "Host(`immich.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
+      service: node 
+      entryPoints: https
+      tls: {}
+      middlewares: crowdsec-bouncer@file
+
+    lldap:
+      rule: "Host(`lldap.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
+      service: node 
+      entryPoints: https
+      tls: {}
+      middlewares: crowdsec-bouncer@file
+
+    linkwarden:
+      rule: "Host(`linkwarden.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
+      service: node 
+      entryPoints: https
+      tls: {}
+      middlewares: crowdsec-bouncer@file
+
+    mealie:
+      rule: "Host(`mealie.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
+      service: node 
+      entryPoints: https
+      tls: {}
+      middlewares: crowdsec-bouncer@file
+
+    navidrome:
+      rule: "Host(`navidrome.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
+      service: node 
+      entryPoints: https
+      tls: {}
+      middlewares: crowdsec-bouncer@file
+
+    ntfy:
+      rule: "Host(`ntfy.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
+      service: node 
+      entryPoints: https
+      tls: {}
+      middlewares: crowdsec-bouncer@file
+
+    paperless:
+      rule: "Host(`paperless.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
+      service: node 
+      entryPoints: https
+      tls: {}
+      middlewares: crowdsec-bouncer@file
+
+    pdf:
+      rule: "Host(`pdf.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
+      service: node 
+      entryPoints: https
+      tls: {}
+      middlewares: crowdsec-bouncer@file
+
+    radicale:
+      rule: "Host(`radicale.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
+      service: node 
+      entryPoints: https
+      tls: {}
+      middlewares: crowdsec-bouncer@file
+
+    rss:
+      rule: "Host(`rss.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
+      service: node 
+      entryPoints: https
+      tls: {}
+      middlewares: crowdsec-bouncer@file
+
+    superset:
+      rule: "Host(`superset.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
+      service: node 
+      entryPoints: https
+      tls: {}
+      middlewares: crowdsec-bouncer@file
+
+    vaultwarden:
+      rule: "Host(`vaultwarden.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
+      service: node 
+      entryPoints: https
+      tls: {}
+      middlewares: crowdsec-bouncer@file
+
+    vikunja:
+      rule: "Host(`vikunja.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
+      service: node 
+      entryPoints: https
+      tls: {}
+      middlewares: crowdsec-bouncer@file
+
+  services:
+    node:
+      loadBalancer:
+        servers:
+          - url: {{ env TRAEFIK_MAIN_SERVER_NODE_IP }}
+
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: /etc/certs/server.crt
+        keyFile: /etc/certs/server.key
+  certificates:
+    - certFile: /etc/certs/server.crt
+      keyFile: /etc/certs/server.key

-metrics:
-  prometheus: {}
--- a/services/traefik/config/traefik.yml
+++ b/services/traefik/config/traefik.yml
@@ -1,96 +1,67 @@
-services:
-  traefik:
-    extends:
-      file: ${TEMPLATES_PATH}
-      service: default
-    image: traefik:v3.6.6
-    container_name: traefik
-    ports:
-      - "80:80"
-      - "443:443"
-      - "8079:8080"
-    networks:
-      - ip4net
-    environment:
-      TRAEFIK_EMAIL: ${EMAIL}
-      TRAEFIK_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN}
-      TRAEFIK_MAIN_SERVER_NODE_IP: ${MAIN_SERVER_NODE_IP}
-      TRAEFIK_CROWDSEC_API_KEY: ${CROWDSEC_API_KEY}
-      INFOMANIAK_ACCESS_TOKEN: ${INFOMANIAK_CERTIFICATE_ACCESS_TOKEN}
-    volumes:
-      - "/var/log/traefik/:/var/log/traefik/"
-      - "/var/run/docker.sock:/var/run/docker.sock:ro"
-      - "${SERVICE_PATH}/traefik/letsencrypt:/letsencrypt"
-      - "${SERVICE_PATH}/traefik/config:/etc/traefik"
-      - "${SERVICE_PATH}/traefik/certs:/etc/certs"
-      - "${SERVICE_PATH}/traefik/html/ban.html:/ban.html"
-      - "${SERVICE_PATH}/traefik/html/captcha.html:/captcha.html"
-    labels:
-      # Traefik
-      - "traefik.enable=true"
-      - "traefik.http.routers.traefik.service=api@internal"
-      - "traefik.http.routers.traefik.rule=Host(`traefik.${LOCAL_DOMAIN}`)"
-      - "traefik.http.routers.traefik.entrypoints=https"
-      - "traefik.http.routers.traefik.tls=true"
+api:
+  dashboard: true

-  # traefik-agent:
-  #   extends:
-  #     file: ${TEMPLATES_PATH}
-  #     service: default
-  #   image: hhftechnology/traefik-log-dashboard-agent:2.4.0
-  #   container_name: traefik-log-dashboard-agent
-  #   networks:
-  #     - ip4net
-  #   ports:
-  #     - "8078:5000"
-  #   volumes:
-  #     - "/var/log/crowdsec/:/logs:ro"
-  #     - "${SERVICE_PATH}/traefik/log-dashboard/positions:/data"
-  #   environment:
-  #     TRAEFIK_LOG_DASHBOARD_ACCESS_PATH: /logs/traefik.log
-  #     TRAEFIK_LOG_DASHBOARD_AUTH_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN}
-  #     TRAEFIK_LOG_DASHBOARD_SYSTEM_MONITORING: true
-  #     TRAEFIK_LOG_DASHBOARD_LOG_FORMAT: json
-  #   healthcheck:
-  #     test:
-  #       [
-  #         "CMD",
-  #         "wget",
-  #         "--no-verbose",
-  #         "--tries=1",
-  #         "--spider",
-  #         "http://localhost:5000/api/logs/status",
-  #       ]
-  #     interval: 2m
-  #     timeout: 10s
-  #     retries: 3
-  #     start_period: 30s
-  #
-  # traefik-dashboard:
-  #   extends:
-  #     file: ${TEMPLATES_PATH}
-  #     service: default
-  #   image: hhftechnology/traefik-log-dashboard:2.4.0
-  #   container_name: traefik-log-dashboard
-  #   networks:
-  #     - ip4net
-  #   ports:
-  #     - "8077:3000"
-  #   volumes:
-  #     - ./data/dashboard:/app/data
-  #     - "${SERVICE_PATH}/traefik/log-dashboard/dashboard:/app/data"
-  #     - "${SERVICE_PATH}/traefik/log-dashboard/positions:/data"
-  #   environment:
-  #     AGENT_API_URL: http://192.168.178.35:8078
-  #     AGENT_API_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN}
-  #     # Display Configuration
-  #     NEXT_PUBLIC_SHOW_DEMO_PAGE: false
-  #   depends_on:
-  #     traefik-agent:
-  #       condition: service_healthy
-  #   labels:
-  #     # traefik
-  #     - "traefik.enable=true"
-  #     - "traefik.http.routers.traefik-log-dashboard.rule=Host(`traefik-dashboard.${LOCAL_DOMAIN}`)"
-  #     - "traefik.http.routers.traefik-log-dashboard.entrypoints=https"
-  #     - "traefik.http.routers.traefik-log-dashboard.tls=true"
+log:
+  level: "INFO"
+
+serversTransport:
+  insecureSkipVerify: true
+
+accessLog:
+  filePath: "/var/log/traefik/access.log" # location of traefik logs for crowdsec
+  format: json
+  bufferingSize: 100 # Configuring a buffer of 100 lines
+  filters:
+    statusCodes:
+      - "204-299"
+      - "400-499"
+      - "500-559" # logged status codes
+
+entryPoints:
+  http:
+    address: "[::]:80" # Create the HTTP entrypoint on port 80
+    forwardedHeaders:
+      insecure: false
+      trustedIPs:
+        - "10.0.0.0/8"
+        - "192.168.178.0/16"
+        - "2a07:600:200:1::/64"
+    proxyProtocol:
+      insecure: false
+      trustedIPs:
+        - "10.0.0.0/8"
+        - "192.168.178.0/16"
+        - "2a07:600:200:1::/64"
+    http:
+      redirections: # HTTPS redirection (80 to 443)
+        entryPoint:
+          to: "https" # The target element
+          scheme: "https" # The redirection target scheme
+          permanent: true # The target element
+
+  https:
+    address: "[::]:443" # Create the HTTPS entrypoint on port 443
+    forwardedHeaders:
+      insecure: false
+      trustedIPs:
+        - "10.0.0.0/8"
+        - "192.168.178.0/16"
+        - "2a07:600:200:1::/64"
+    proxyProtocol:
+      insecure: false
+      trustedIPs:
+        - "10.0.0.0/8"
+        - "192.168.178.0/16"
+        - "2a07:600:200:1::/64"
+
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock" # Listen to the UNIX Docker socket
+    exposedByDefault: false
+  file:
+    directory: "/etc/traefik" # Link to the dynamic configuration
+    watch: true # Watch for modifications
+  providersThrottleDuration: "10" # Configuration reload frequency
+
+metrics:
+  prometheus: {}