chriswin/vps-server
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

traefik config

Browse Source
This commit is contained in:
chriswin
2026-01-14 00:36:10 +01:00
parent c94852fbaf
commit f18cfb01e8
4 changed files with 319 additions and 319 deletions
Download Patch File Download Diff File Expand all files Collapse all files

164
services/traefik/config.yml
View File

@@ -1,164 +0,0 @@
http:
middlewares:
# Crowdsec
crowdsec-bouncer:
plugin:
crowdsec-bouncer-plugin:
enabled: true
logLevel: INFO
updateIntervalSeconds: 60
crowdsecMode: stream
crowdsecAppsecEnabled: true
crowdsecAppsecHost: crowdsec:7422
crowdsecLapiScheme: http
crowdsecLapiHost: crowdsec:8080
# generated using "docker exec crowdsec cscli bouncers add crowdsecBouncer"
crowdseclapikey: {{ env "TRAEFIK_CROWDSEC_API_KEY" }}
forwardedHeadersTrustedIPs:
- 10.0.6.0/24
clientTrustedIPs:
- 192.168.178.0/24
captchaProvider: hcaptcha
captchaSiteKey: b2d20610-8dda-4f40-8688-7ca8e1e628f8 # found in hcaptcha account
captchaSecretKey: ES_9511d34bbec34dada169afad0a36991a
captchaGracePeriodSeconds: 1800
captchaHTMLFilePath: /captcha.html
banHTMLFilePath: /ban.html
routers:
authelia:
rule: "Host(`auth.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
audiobookshelf:
rule: "Host(`audiobookshelf.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
gitea:
rule: "Host(`gitea.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
headscale:
rule: "Host(`headscale.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
immich:
rule: "Host(`immich.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
lldap:
rule: "Host(`lldap.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
linkwarden:
rule: "Host(`linkwarden.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
mealie:
rule: "Host(`mealie.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
navidrome:
rule: "Host(`navidrome.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
ntfy:
rule: "Host(`ntfy.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
paperless:
rule: "Host(`paperless.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
pdf:
rule: "Host(`pdf.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
radicale:
rule: "Host(`radicale.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
rss:
rule: "Host(`rss.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
superset:
rule: "Host(`superset.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
vaultwarden:
rule: "Host(`vaultwarden.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
vikunja:
rule: "Host(`vikunja.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
services:
node:
loadBalancer:
servers:
- url: {{ env TRAEFIK_MAIN_SERVER_NODE_IP }}
tls:
stores:
default:
defaultCertificate:
certFile: /etc/certs/server.crt
keyFile: /etc/certs/server.key
certificates:
- certFile: /etc/certs/server.crt
keyFile: /etc/certs/server.key

217
services/traefik/config/config.yml
View File

@@ -1,67 +1,164 @@
api: http:
dashboard: true middlewares:
log: # Crowdsec
level: "INFO" crowdsec-bouncer:
plugin:
crowdsec-bouncer-plugin:
enabled: true
logLevel: INFO
updateIntervalSeconds: 60
crowdsecMode: stream
crowdsecAppsecEnabled: true
crowdsecAppsecHost: crowdsec:7422
crowdsecLapiScheme: http
crowdsecLapiHost: crowdsec:8080
# generated using "docker exec crowdsec cscli bouncers add crowdsecBouncer"
crowdseclapikey: {{ env "TRAEFIK_CROWDSEC_API_KEY" }}
forwardedHeadersTrustedIPs:
- 10.0.6.0/24
clientTrustedIPs:
- 192.168.178.0/24
captchaProvider: hcaptcha
captchaSiteKey: b2d20610-8dda-4f40-8688-7ca8e1e628f8 # found in hcaptcha account
captchaSecretKey: ES_9511d34bbec34dada169afad0a36991a
captchaGracePeriodSeconds: 1800
captchaHTMLFilePath: /captcha.html
banHTMLFilePath: /ban.html
serversTransport: routers:
insecureSkipVerify: true authelia:
rule: "Host(`auth.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
accessLog: audiobookshelf:
filePath: "/var/log/traefik/access.log" # location of traefik logs for crowdsec rule: "Host(`audiobookshelf.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
format: json service: node
bufferingSize: 100 # Configuring a buffer of 100 lines entryPoints: https
filters: tls: {}
statusCodes: middlewares: crowdsec-bouncer@file
- "204-299"
- "400-499"
- "500-559" # logged status codes
entryPoints: gitea:
http: rule: "Host(`gitea.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
address: "[::]:80" # Create the HTTP entrypoint on port 80 service: node
forwardedHeaders: entryPoints: https
insecure: false tls: {}
trustedIPs: middlewares: crowdsec-bouncer@file
- "10.0.0.0/8"
- "192.168.178.0/16"
- "2a07:600:200:1::/64"
proxyProtocol:
insecure: false
trustedIPs:
- "10.0.0.0/8"
- "192.168.178.0/16"
- "2a07:600:200:1::/64"
http:
redirections: # HTTPS redirection (80 to 443)
entryPoint:
to: "https" # The target element
scheme: "https" # The redirection target scheme
permanent: true # The target element
https: headscale:
address: "[::]:443" # Create the HTTPS entrypoint on port 443 rule: "Host(`headscale.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
forwardedHeaders: service: node
insecure: false entryPoints: https
trustedIPs: tls: {}
- "10.0.0.0/8" middlewares: crowdsec-bouncer@file
- "192.168.178.0/16"
- "2a07:600:200:1::/64"
proxyProtocol:
insecure: false
trustedIPs:
- "10.0.0.0/8"
- "192.168.178.0/16"
- "2a07:600:200:1::/64"
providers: immich:
docker: rule: "Host(`immich.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
endpoint: "unix:///var/run/docker.sock" # Listen to the UNIX Docker socket service: node
exposedByDefault: false entryPoints: https
file: tls: {}
directory: "/etc/traefik" # Link to the dynamic configuration middlewares: crowdsec-bouncer@file
watch: true # Watch for modifications
providersThrottleDuration: "10" # Configuration reload frequency lldap:
rule: "Host(`lldap.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
linkwarden:
rule: "Host(`linkwarden.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
mealie:
rule: "Host(`mealie.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
navidrome:
rule: "Host(`navidrome.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
ntfy:
rule: "Host(`ntfy.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
paperless:
rule: "Host(`paperless.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
pdf:
rule: "Host(`pdf.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
radicale:
rule: "Host(`radicale.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
rss:
rule: "Host(`rss.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
superset:
rule: "Host(`superset.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
vaultwarden:
rule: "Host(`vaultwarden.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
vikunja:
rule: "Host(`vikunja.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
service: node
entryPoints: https
tls: {}
middlewares: crowdsec-bouncer@file
services:
node:
loadBalancer:
servers:
- url: {{ env TRAEFIK_MAIN_SERVER_NODE_IP }}
tls:
stores:
default:
defaultCertificate:
certFile: /etc/certs/server.crt
keyFile: /etc/certs/server.key
certificates:
- certFile: /etc/certs/server.crt
keyFile: /etc/certs/server.key
metrics:
prometheus: {}

161
services/traefik/config/traefik.yml
View File

@@ -1,96 +1,67 @@
services: api:
traefik: dashboard: true
extends:
file: ${TEMPLATES_PATH}
service: default
image: traefik:v3.6.6
container_name: traefik
ports:
- "80:80"
- "443:443"
- "8079:8080"
networks:
- ip4net
environment:
TRAEFIK_EMAIL: ${EMAIL}
TRAEFIK_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN}
TRAEFIK_MAIN_SERVER_NODE_IP: ${MAIN_SERVER_NODE_IP}
TRAEFIK_CROWDSEC_API_KEY: ${CROWDSEC_API_KEY}
INFOMANIAK_ACCESS_TOKEN: ${INFOMANIAK_CERTIFICATE_ACCESS_TOKEN}
volumes:
- "/var/log/traefik/:/var/log/traefik/"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- "${SERVICE_PATH}/traefik/letsencrypt:/letsencrypt"
- "${SERVICE_PATH}/traefik/config:/etc/traefik"
- "${SERVICE_PATH}/traefik/certs:/etc/certs"
- "${SERVICE_PATH}/traefik/html/ban.html:/ban.html"
- "${SERVICE_PATH}/traefik/html/captcha.html:/captcha.html"
labels:
# Traefik
- "traefik.enable=true"
- "traefik.http.routers.traefik.service=api@internal"
- "traefik.http.routers.traefik.rule=Host(`traefik.${LOCAL_DOMAIN}`)"
- "traefik.http.routers.traefik.entrypoints=https"
- "traefik.http.routers.traefik.tls=true"
# traefik-agent: log:
# extends: level: "INFO"
# file: ${TEMPLATES_PATH}
# service: default serversTransport:
# image: hhftechnology/traefik-log-dashboard-agent:2.4.0 insecureSkipVerify: true
# container_name: traefik-log-dashboard-agent
# networks: accessLog:
# - ip4net filePath: "/var/log/traefik/access.log" # location of traefik logs for crowdsec
# ports: format: json
# - "8078:5000" bufferingSize: 100 # Configuring a buffer of 100 lines
# volumes: filters:
# - "/var/log/crowdsec/:/logs:ro" statusCodes:
# - "${SERVICE_PATH}/traefik/log-dashboard/positions:/data" - "204-299"
# environment: - "400-499"
# TRAEFIK_LOG_DASHBOARD_ACCESS_PATH: /logs/traefik.log - "500-559" # logged status codes
# TRAEFIK_LOG_DASHBOARD_AUTH_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN}
# TRAEFIK_LOG_DASHBOARD_SYSTEM_MONITORING: true entryPoints:
# TRAEFIK_LOG_DASHBOARD_LOG_FORMAT: json http:
# healthcheck: address: "[::]:80" # Create the HTTP entrypoint on port 80
# test: forwardedHeaders:
# [ insecure: false
# "CMD", trustedIPs:
# "wget", - "10.0.0.0/8"
# "--no-verbose", - "192.168.178.0/16"
# "--tries=1", - "2a07:600:200:1::/64"
# "--spider", proxyProtocol:
# "http://localhost:5000/api/logs/status", insecure: false
# ] trustedIPs:
# interval: 2m - "10.0.0.0/8"
# timeout: 10s - "192.168.178.0/16"
# retries: 3 - "2a07:600:200:1::/64"
# start_period: 30s http:
# redirections: # HTTPS redirection (80 to 443)
# traefik-dashboard: entryPoint:
# extends: to: "https" # The target element
# file: ${TEMPLATES_PATH} scheme: "https" # The redirection target scheme
# service: default permanent: true # The target element
# image: hhftechnology/traefik-log-dashboard:2.4.0
# container_name: traefik-log-dashboard https:
# networks: address: "[::]:443" # Create the HTTPS entrypoint on port 443
# - ip4net forwardedHeaders:
# ports: insecure: false
# - "8077:3000" trustedIPs:
# volumes: - "10.0.0.0/8"
# - ./data/dashboard:/app/data - "192.168.178.0/16"
# - "${SERVICE_PATH}/traefik/log-dashboard/dashboard:/app/data" - "2a07:600:200:1::/64"
# - "${SERVICE_PATH}/traefik/log-dashboard/positions:/data" proxyProtocol:
# environment: insecure: false
# AGENT_API_URL: http://192.168.178.35:8078 trustedIPs:
# AGENT_API_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN} - "10.0.0.0/8"
# # Display Configuration - "192.168.178.0/16"
# NEXT_PUBLIC_SHOW_DEMO_PAGE: false - "2a07:600:200:1::/64"
# depends_on:
# traefik-agent: providers:
# condition: service_healthy docker:
# labels: endpoint: "unix:///var/run/docker.sock" # Listen to the UNIX Docker socket
# # traefik exposedByDefault: false
# - "traefik.enable=true" file:
# - "traefik.http.routers.traefik-log-dashboard.rule=Host(`traefik-dashboard.${LOCAL_DOMAIN}`)" directory: "/etc/traefik" # Link to the dynamic configuration
# - "traefik.http.routers.traefik-log-dashboard.entrypoints=https" watch: true # Watch for modifications
# - "traefik.http.routers.traefik-log-dashboard.tls=true" providersThrottleDuration: "10" # Configuration reload frequency
metrics:
prometheus: {}

96
services/traefik/traefik.yml Normal file
View File

@@ -0,0 +1,96 @@
services:
traefik:
extends:
file: ${TEMPLATES_PATH}
service: default
image: traefik:v3.6.6
container_name: traefik
ports:
- "80:80"
- "443:443"
- "8079:8080"
networks:
- ip4net
environment:
TRAEFIK_EMAIL: ${EMAIL}
TRAEFIK_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN}
TRAEFIK_MAIN_SERVER_NODE_IP: ${MAIN_SERVER_NODE_IP}
TRAEFIK_CROWDSEC_API_KEY: ${CROWDSEC_API_KEY}
INFOMANIAK_ACCESS_TOKEN: ${INFOMANIAK_CERTIFICATE_ACCESS_TOKEN}
volumes:
- "/var/log/traefik/:/var/log/traefik/"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- "${SERVICE_PATH}/traefik/letsencrypt:/letsencrypt"
- "${SERVICE_PATH}/traefik/config:/etc/traefik"
- "${SERVICE_PATH}/traefik/certs:/etc/certs"
- "${SERVICE_PATH}/traefik/html/ban.html:/ban.html"
- "${SERVICE_PATH}/traefik/html/captcha.html:/captcha.html"
labels:
# Traefik
- "traefik.enable=true"
- "traefik.http.routers.traefik.service=api@internal"
- "traefik.http.routers.traefik.rule=Host(`traefik.${LOCAL_DOMAIN}`)"
- "traefik.http.routers.traefik.entrypoints=https"
- "traefik.http.routers.traefik.tls=true"
# traefik-agent:
# extends:
# file: ${TEMPLATES_PATH}
# service: default
# image: hhftechnology/traefik-log-dashboard-agent:2.4.0
# container_name: traefik-log-dashboard-agent
# networks:
# - ip4net
# ports:
# - "8078:5000"
# volumes:
# - "/var/log/crowdsec/:/logs:ro"
# - "${SERVICE_PATH}/traefik/log-dashboard/positions:/data"
# environment:
# TRAEFIK_LOG_DASHBOARD_ACCESS_PATH: /logs/traefik.log
# TRAEFIK_LOG_DASHBOARD_AUTH_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN}
# TRAEFIK_LOG_DASHBOARD_SYSTEM_MONITORING: true
# TRAEFIK_LOG_DASHBOARD_LOG_FORMAT: json
# healthcheck:
# test:
# [
# "CMD",
# "wget",
# "--no-verbose",
# "--tries=1",
# "--spider",
# "http://localhost:5000/api/logs/status",
# ]
# interval: 2m
# timeout: 10s
# retries: 3
# start_period: 30s
#
# traefik-dashboard:
# extends:
# file: ${TEMPLATES_PATH}
# service: default
# image: hhftechnology/traefik-log-dashboard:2.4.0
# container_name: traefik-log-dashboard
# networks:
# - ip4net
# ports:
# - "8077:3000"
# volumes:
# - ./data/dashboard:/app/data
# - "${SERVICE_PATH}/traefik/log-dashboard/dashboard:/app/data"
# - "${SERVICE_PATH}/traefik/log-dashboard/positions:/data"
# environment:
# AGENT_API_URL: http://192.168.178.35:8078
# AGENT_API_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN}
# # Display Configuration
# NEXT_PUBLIC_SHOW_DEMO_PAGE: false
# depends_on:
# traefik-agent:
# condition: service_healthy
# labels:
# # traefik
# - "traefik.enable=true"
# - "traefik.http.routers.traefik-log-dashboard.rule=Host(`traefik-dashboard.${LOCAL_DOMAIN}`)"
# - "traefik.http.routers.traefik-log-dashboard.entrypoints=https"
# - "traefik.http.routers.traefik-log-dashboard.tls=true"