properly got pi traefik/authelia working, need to migrate nuc to that setup.
switch pihole to technitium dns server
This commit is contained in:
parent
f26bfb2063
commit
69348652df
1
nuc/cloudflare-dns/.gitignore
vendored
Normal file
1
nuc/cloudflare-dns/.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
||||
config.json
|
25
nuc/cloudflare-dns/config.json.example
Normal file
25
nuc/cloudflare-dns/config.json.example
Normal file
@ -0,0 +1,25 @@
|
||||
{
|
||||
"cloudflare": [
|
||||
{
|
||||
"authentication": {
|
||||
"api_token": "api_token_here", // Either api_token or api_key
|
||||
"api_key": {
|
||||
"api_key": "api_key_here",
|
||||
"account_email": "email@address.com"
|
||||
}
|
||||
},
|
||||
"zone_id": "XXXXX",
|
||||
"zone_friendly": "domain.tld",
|
||||
"subdomains": [
|
||||
{
|
||||
"name": "home",
|
||||
"proxied": false
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"a": true,
|
||||
"aaaa": true,
|
||||
"purgeUnknownRecords": false,
|
||||
"ttl": 300
|
||||
}
|
14
nuc/cloudflare-dns/docker-compose.yml
Normal file
14
nuc/cloudflare-dns/docker-compose.yml
Normal file
@ -0,0 +1,14 @@
|
||||
version: '3.9'
|
||||
services:
|
||||
cloudflare-ddns:
|
||||
image: timothyjmiller/cloudflare-ddns:latest
|
||||
container_name: cloudflare-ddns
|
||||
security_opt:
|
||||
- no-new-privileges:true
|
||||
network_mode: 'host'
|
||||
environment:
|
||||
- PUID=1000
|
||||
- PGID=1000
|
||||
volumes:
|
||||
- ./config.json:/config.json
|
||||
restart: unless-stopped
|
5
nuc/dns-server/.env.example
Normal file
5
nuc/dns-server/.env.example
Normal file
@ -0,0 +1,5 @@
|
||||
# DOMAIN_ROOT is the root domain that this service will register as with Traefik
|
||||
DOMAIN_ROOT=domain.tld
|
||||
|
||||
# WEB_UI_PASSWORD is the password for the web ui interface. If unset, it will be randomly generated and retrievable from the logs.
|
||||
WEB_UI_PASSWORD=password
|
67
nuc/dns-server/docker-compose.yml
Normal file
67
nuc/dns-server/docker-compose.yml
Normal file
@ -0,0 +1,67 @@
|
||||
version: "3"
|
||||
services:
|
||||
dns-server:
|
||||
container_name: dns-server
|
||||
hostname: dns-server
|
||||
image: technitium/dns-server:latest
|
||||
# For DHCP deployments, use "host" network mode and remove all the port mappings, including the ports array by commenting them
|
||||
# network_mode: "host"
|
||||
ports:
|
||||
# - "5380:5380/tcp" #DNS web console (HTTP)
|
||||
# - "53443:53443/tcp" #DNS web console (HTTPS)
|
||||
- "53:53/udp" #DNS service
|
||||
- "53:53/tcp" #DNS service
|
||||
# - "853:853/udp" #DNS-over-QUIC service
|
||||
# - "853:853/tcp" #DNS-over-TLS service
|
||||
# - "443:443/udp" #DNS-over-HTTPS service (HTTP/3)
|
||||
# - "443:443/tcp" #DNS-over-HTTPS service (HTTP/1.1, HTTP/2)
|
||||
# - "80:80/tcp" #DNS-over-HTTP service (use with reverse proxy or certbot certificate renewal)
|
||||
# - "8053:8053/tcp" #DNS-over-HTTP service (use with reverse proxy)
|
||||
# - "67:67/udp" #DHCP service
|
||||
environment:
|
||||
- DOMAIN_ROOT=${DOMAIN_ROOT} #The root domain name used by this DNS Server to identify itself.
|
||||
- DNS_SERVER_DOMAIN=dns.${DOMAIN_ROOT} #The primary domain name used by this DNS Server to identify itself.
|
||||
# - DNS_SERVER_ADMIN_PASSWORD=${WEB_UI_PASSWORD} #DNS web console admin user password.
|
||||
# - DNS_SERVER_ADMIN_PASSWORD_FILE=password.txt #The path to a file that contains a plain text password for the DNS web console admin user.
|
||||
# - DNS_SERVER_PREFER_IPV6=false #DNS Server will use IPv6 for querying whenever possible with this option enabled.
|
||||
# - DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380 #The TCP port number for the DNS web console over HTTP protocol.
|
||||
# - DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443 #The TCP port number for the DNS web console over HTTPS protocol.
|
||||
# - DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false #Enables HTTPS for the DNS web console.
|
||||
# - DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false #Enables self signed TLS certificate for the DNS web console.
|
||||
# - DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false #Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx.
|
||||
# - DNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks #Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworks.
|
||||
# - DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24 #Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworks` recursion option.
|
||||
# - DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24 #Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworks` recursion option.
|
||||
# - DNS_SERVER_ENABLE_BLOCKING=false #Sets the DNS server to block domain names using Blocked Zone and Block List Zone.
|
||||
# - DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false #Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests.
|
||||
# - DNS_SERVER_BLOCK_LIST_URLS= #A comma separated list of block list URLs.
|
||||
# - DNS_SERVER_FORWARDERS=1.1.1.1, 8.8.8.8 #Comma separated list of forwarder addresses.
|
||||
# - DNS_SERVER_FORWARDER_PROTOCOL=Tcp #Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson.
|
||||
# - DNS_SERVER_LOG_USING_LOCAL_TIME=true #Enable this option to use local time instead of UTC for logging.
|
||||
|
||||
labels:
|
||||
- 'traefik.enable=true'
|
||||
- 'traefik.http.routers.dns-server.rule=Host(`dns.${DOMAIN_ROOT}`)'
|
||||
- 'traefik.http.middlewares.dns-server.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.${DOMAIN_ROOT}/' # yamllint disable-line rule:line-length
|
||||
- 'traefik.http.middlewares.dns-server.forwardauth.trustForwardHeader=true'
|
||||
- 'traefik.http.middlewares.dns-server.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' # yamllint disable-line rule:line-length
|
||||
- 'traefik.http.services.dns-server.loadbalancer.server.port=5380'
|
||||
|
||||
volumes:
|
||||
- dns-config:/etc/dns
|
||||
restart: unless-stopped
|
||||
sysctls:
|
||||
- net.ipv4.ip_local_port_range=1024 65000
|
||||
|
||||
networks:
|
||||
- web
|
||||
|
||||
volumes:
|
||||
dns-config:
|
||||
name: dns-config
|
||||
driver: local
|
||||
|
||||
|
||||
networks:
|
||||
web:
|
||||
external: true
|
@ -33,7 +33,7 @@ services:
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.http.services.bobross-receiver-mort.loadbalancer.server.port=8080"
|
||||
- "traefik.http.routers.bobross-receiver-mort.rule=Host(`bobross-receiver-mort.dudenhoeffer.casa`)"
|
||||
- "traefik.http.routers.bobross-receiver-mort.rule=Host(`bobross-receiver-mort.dudenhoeffer.casa`) || Host(`mort.dudenhoeffer.casa`)"
|
||||
- 'traefik.http.routers.bobross-receiver-mort.middlewares=authelia@docker'
|
||||
|
||||
extra_hosts:
|
||||
|
5
pi/dns-server/.env.example
Normal file
5
pi/dns-server/.env.example
Normal file
@ -0,0 +1,5 @@
|
||||
# DOMAIN_ROOT is the root domain that this service will register as with Traefik
|
||||
DOMAIN_ROOT=domain.tld
|
||||
|
||||
# WEB_UI_PASSWORD is the password for the web ui interface. If unset, it will be randomly generated and retrievable from the logs.
|
||||
WEB_UI_PASSWORD=password
|
67
pi/dns-server/docker-compose.yml
Normal file
67
pi/dns-server/docker-compose.yml
Normal file
@ -0,0 +1,67 @@
|
||||
version: "3"
|
||||
services:
|
||||
dns-server:
|
||||
container_name: dns-server
|
||||
hostname: dns-server
|
||||
image: technitium/dns-server:latest
|
||||
# For DHCP deployments, use "host" network mode and remove all the port mappings, including the ports array by commenting them
|
||||
# network_mode: "host"
|
||||
ports:
|
||||
# - "5380:5380/tcp" #DNS web console (HTTP)
|
||||
# - "53443:53443/tcp" #DNS web console (HTTPS)
|
||||
- "53:53/udp" #DNS service
|
||||
- "53:53/tcp" #DNS service
|
||||
# - "853:853/udp" #DNS-over-QUIC service
|
||||
# - "853:853/tcp" #DNS-over-TLS service
|
||||
# - "443:443/udp" #DNS-over-HTTPS service (HTTP/3)
|
||||
# - "443:443/tcp" #DNS-over-HTTPS service (HTTP/1.1, HTTP/2)
|
||||
# - "80:80/tcp" #DNS-over-HTTP service (use with reverse proxy or certbot certificate renewal)
|
||||
# - "8053:8053/tcp" #DNS-over-HTTP service (use with reverse proxy)
|
||||
# - "67:67/udp" #DHCP service
|
||||
environment:
|
||||
- DOMAIN_ROOT=${DOMAIN_ROOT} #The root domain name used by this DNS Server to identify itself.
|
||||
- DNS_SERVER_DOMAIN=dns.pi.dudenhoeffer.casa #The primary domain name used by this DNS Server to identify itself.
|
||||
# - DNS_SERVER_ADMIN_PASSWORD=${WEB_UI_PASSWORD} #DNS web console admin user password.
|
||||
# - DNS_SERVER_ADMIN_PASSWORD_FILE=password.txt #The path to a file that contains a plain text password for the DNS web console admin user.
|
||||
# - DNS_SERVER_PREFER_IPV6=false #DNS Server will use IPv6 for querying whenever possible with this option enabled.
|
||||
# - DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380 #The TCP port number for the DNS web console over HTTP protocol.
|
||||
# - DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443 #The TCP port number for the DNS web console over HTTPS protocol.
|
||||
# - DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false #Enables HTTPS for the DNS web console.
|
||||
# - DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false #Enables self signed TLS certificate for the DNS web console.
|
||||
# - DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false #Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx.
|
||||
# - DNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks #Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworks.
|
||||
# - DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24 #Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworks` recursion option.
|
||||
# - DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24 #Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworks` recursion option.
|
||||
# - DNS_SERVER_ENABLE_BLOCKING=false #Sets the DNS server to block domain names using Blocked Zone and Block List Zone.
|
||||
# - DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false #Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests.
|
||||
# - DNS_SERVER_BLOCK_LIST_URLS= #A comma separated list of block list URLs.
|
||||
# - DNS_SERVER_FORWARDERS=1.1.1.1, 8.8.8.8 #Comma separated list of forwarder addresses.
|
||||
# - DNS_SERVER_FORWARDER_PROTOCOL=Tcp #Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson.
|
||||
# - DNS_SERVER_LOG_USING_LOCAL_TIME=true #Enable this option to use local time instead of UTC for logging.
|
||||
|
||||
labels:
|
||||
- 'traefik.enable=true'
|
||||
- 'traefik.http.routers.dns-server.rule=Host(`dns.${DOMAIN_ROOT}`)'
|
||||
- 'traefik.http.middlewares.dns-server.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.${DOMAIN_ROOT}/' # yamllint disable-line rule:line-length
|
||||
- 'traefik.http.middlewares.dns-server.forwardauth.trustForwardHeader=true'
|
||||
- 'traefik.http.middlewares.dns-server.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' # yamllint disable-line rule:line-length
|
||||
- 'traefik.http.services.dns-server.loadbalancer.server.port=5380'
|
||||
|
||||
volumes:
|
||||
- dns-config:/etc/dns
|
||||
restart: unless-stopped
|
||||
sysctls:
|
||||
- net.ipv4.ip_local_port_range=1024 65000
|
||||
|
||||
networks:
|
||||
- web
|
||||
|
||||
volumes:
|
||||
dns-config:
|
||||
name: dns-config
|
||||
driver: local
|
||||
|
||||
|
||||
networks:
|
||||
web:
|
||||
external: true
|
18
pi/traefik/.env.example
Normal file
18
pi/traefik/.env.example
Normal file
@ -0,0 +1,18 @@
|
||||
# DOMAIN_ROOT is the root domain that this service will register as with Traefik
|
||||
DOMAIN_ROOT=domain.tld
|
||||
|
||||
# USER_ID is the user id to run the service as. 0 for root
|
||||
USER_ID=1000
|
||||
|
||||
# GROUP_ID is the group id to run the service as. 0 for root
|
||||
GROUP_ID=1000
|
||||
|
||||
# TIMEZONE is the timezone the server is in
|
||||
TIMEZONE=America/New_York
|
||||
|
||||
# CLOUDFLARE_EMAIL is the email for the cloudflare credentials
|
||||
CLOUDFLARE_EMAIL=email@address.com
|
||||
|
||||
# CLOUDFLARE_KEY is the key for your cloudflare credentials
|
||||
CLOUDFLARE_KEY=XXXX
|
||||
|
2
pi/traefik/config/.gitignore
vendored
Normal file
2
pi/traefik/config/.gitignore
vendored
Normal file
@ -0,0 +1,2 @@
|
||||
configuration.yml
|
||||
users_database.yml
|
61
pi/traefik/config/configuration.yml.example
Normal file
61
pi/traefik/config/configuration.yml.example
Normal file
@ -0,0 +1,61 @@
|
||||
---
|
||||
###############################################################
|
||||
# Authelia configuration #
|
||||
###############################################################
|
||||
|
||||
# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
|
||||
jwt_secret: a_very_important_secret
|
||||
default_redirection_url: https://public.example.com
|
||||
|
||||
|
||||
log:
|
||||
level: debug
|
||||
|
||||
totp:
|
||||
issuer: authelia.com
|
||||
|
||||
# duo_api:
|
||||
# hostname: api-123456789.example.com
|
||||
# integration_key: ABCDEF
|
||||
# # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
|
||||
# secret_key: 1234567890abcdefghifjkl
|
||||
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /config/users_database.yml
|
||||
|
||||
access_control:
|
||||
default_policy: deny
|
||||
rules:
|
||||
# Rules applied to everyone
|
||||
- domain: public.example.com
|
||||
policy: bypass
|
||||
- domain: traefik.example.com
|
||||
policy: one_factor
|
||||
- domain: secure.example.com
|
||||
policy: two_factor
|
||||
|
||||
session:
|
||||
# This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
|
||||
secret: unsecure_session_secret
|
||||
domain: domain.tld
|
||||
same_site: lax
|
||||
expiration: 1h
|
||||
inactivity: 5m
|
||||
remember_me_duration: 1M
|
||||
|
||||
regulation:
|
||||
max_retries: 3
|
||||
find_time: 120
|
||||
ban_time: 300
|
||||
|
||||
storage:
|
||||
encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
|
||||
local:
|
||||
path: /config/db.sqlite3
|
||||
|
||||
notifier:
|
||||
disable_startup_check: false
|
||||
filesystem:
|
||||
filename: /config/notification.txt
|
||||
|
20
pi/traefik/config/users_database.yml.example
Normal file
20
pi/traefik/config/users_database.yml.example
Normal file
@ -0,0 +1,20 @@
|
||||
---
|
||||
###############################################################
|
||||
# Users Database #
|
||||
###############################################################
|
||||
|
||||
# This file can be used if you do not have an LDAP set up.
|
||||
|
||||
# List of users
|
||||
users:
|
||||
authelia:
|
||||
disabled: false
|
||||
displayname: "Authelia User"
|
||||
# Password is authelia
|
||||
# To generate a password: docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'password'
|
||||
password: "$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/" # yamllint disable-line rule:line-length
|
||||
email: authelia@authelia.com
|
||||
groups:
|
||||
- admins
|
||||
- dev
|
||||
...
|
94
pi/traefik/docker-compose.yml
Normal file
94
pi/traefik/docker-compose.yml
Normal file
@ -0,0 +1,94 @@
|
||||
---
|
||||
version: "3.8"
|
||||
services:
|
||||
traefik:
|
||||
image: traefik:latest
|
||||
container_name: traefik
|
||||
hostname: traefik
|
||||
restart: unless-stopped
|
||||
|
||||
|
||||
environment:
|
||||
- CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}
|
||||
- CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_KEY}
|
||||
- DOMAIN_ROOT=${DOMAIN_ROOT}
|
||||
|
||||
ports:
|
||||
- mode: host
|
||||
protocol: tcp
|
||||
published: 80
|
||||
target: 80
|
||||
- mode: host
|
||||
protocol: tcp
|
||||
published: 443
|
||||
target: 443
|
||||
|
||||
volumes:
|
||||
- ./traefik.yml:/etc/traefik/traefik.yml:ro
|
||||
- ./custom:/etc/traefik/custom:ro
|
||||
- /var/run/docker.sock:/tmp/docker.sock:ro
|
||||
- certs:/letsencrypt
|
||||
|
||||
labels:
|
||||
- 'traefik.enable=true'
|
||||
- 'traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN_ROOT}`)'
|
||||
- "traefik.http.routers.traefik.entrypoints=websecure"
|
||||
- 'entrypoints.websecure.http.tls=true'
|
||||
- 'entrypoints.websecure.http.tls.certResolver=letsencrypt'
|
||||
- 'entrypoints.websecure.http.tls.domains[0].main=${DOMAIN_ROOT}'
|
||||
- 'entrypoints.websecure.http.tls.domains[0].sans=*.${DOMAIN_ROOT}'
|
||||
- "traefik.http.routers.traefik.service=api@internal"
|
||||
- 'traefik.http.routers.traefik.middlewares=strip'
|
||||
- 'traefik.http.middlewares.strip.stripprefix.prefixes=/traefik'
|
||||
- 'traefik.http.services.traefik.loadbalancer.server.port=8080'
|
||||
- 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https://login.${DOMAIN_ROOT}/'
|
||||
- 'traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true'
|
||||
- 'traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
|
||||
- 'certificatesresolvers.letsencrypt.acme.dnschallenge=true'
|
||||
- 'certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare'
|
||||
- 'certificatesresolvers.letsencrypt.acme.email=${CLOUDFLARE_EMAIL}'
|
||||
- 'certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json'
|
||||
|
||||
networks:
|
||||
- web
|
||||
|
||||
authelia:
|
||||
image: authelia/authelia
|
||||
container_name: authelia
|
||||
volumes:
|
||||
- authelia_config:/config
|
||||
- ./config/configuration.yml:/config/configuration.yml:ro
|
||||
- ./config/users_database.yml:/config/users_database.yml:ro
|
||||
|
||||
environment:
|
||||
- DOMAIN_ROOT=${DOMAIN_ROOT}
|
||||
- TZ=${TIMEZONE}
|
||||
|
||||
networks:
|
||||
- web
|
||||
|
||||
labels:
|
||||
- 'traefik.enable=true'
|
||||
- 'traefik.http.routers.authelia.rule=Host(`login.${DOMAIN_ROOT}`)'
|
||||
- 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.${DOMAIN_ROOT}/' # yamllint disable-line rule:line-length
|
||||
- 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
|
||||
- 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' # yamllint disable-line rule:line-length
|
||||
- 'traefik.http.services.authelia.loadbalancer.server.port=9091'
|
||||
|
||||
restart: unless-stopped
|
||||
healthcheck:
|
||||
## In production the healthcheck section should be commented.
|
||||
disable: true
|
||||
|
||||
networks:
|
||||
web:
|
||||
external: true
|
||||
|
||||
volumes:
|
||||
certs:
|
||||
name: certs
|
||||
driver: local
|
||||
|
||||
authelia_config:
|
||||
name: authelia_config
|
||||
driver: local
|
230
pi/traefik/traefik.yml.example
Normal file
230
pi/traefik/traefik.yml.example
Normal file
@ -0,0 +1,230 @@
|
||||
################################################################
|
||||
#
|
||||
# Configuration sample for Traefik v2.
|
||||
#
|
||||
# For Traefik v1: https://github.com/traefik/traefik/blob/v1.7/traefik.sample.toml
|
||||
#
|
||||
################################################################
|
||||
|
||||
################################################################
|
||||
# Global configuration
|
||||
################################################################
|
||||
global:
|
||||
checkNewVersion: true
|
||||
sendAnonymousUsage: true
|
||||
|
||||
################################################################
|
||||
# EntryPoints configuration
|
||||
################################################################
|
||||
|
||||
# EntryPoints definition
|
||||
#
|
||||
# Optional
|
||||
#
|
||||
entryPoints:
|
||||
web:
|
||||
address: :80
|
||||
http:
|
||||
redirections:
|
||||
entryPoint:
|
||||
to: websecure
|
||||
scheme: https
|
||||
websecure:
|
||||
address: :443
|
||||
http:
|
||||
tls:
|
||||
certResolver: letsencrypt
|
||||
domains:
|
||||
- main: domain.tld
|
||||
sans:
|
||||
- "*.domain.tld"
|
||||
middlewares:
|
||||
- "authelia@docker"
|
||||
|
||||
################################################################
|
||||
# Traefik logs configuration
|
||||
################################################################
|
||||
|
||||
# Traefik logs
|
||||
# Enabled by default and log to stdout
|
||||
#
|
||||
# Optional
|
||||
#
|
||||
log:
|
||||
# Log level
|
||||
#
|
||||
# Optional
|
||||
# Default: "ERROR"
|
||||
#
|
||||
level: DEBUG
|
||||
|
||||
# Sets the filepath for the traefik log. If not specified, stdout will be used.
|
||||
# Intermediate directories are created if necessary.
|
||||
#
|
||||
# Optional
|
||||
# Default: os.Stdout
|
||||
#
|
||||
# filePath: log/traefik.log
|
||||
|
||||
# Format is either "json" or "common".
|
||||
#
|
||||
# Optional
|
||||
# Default: "common"
|
||||
#
|
||||
# format: json
|
||||
|
||||
################################################################
|
||||
# Access logs configuration
|
||||
################################################################
|
||||
|
||||
# Enable access logs
|
||||
# By default it will write to stdout and produce logs in the textual
|
||||
# Common Log Format (CLF), extended with additional fields.
|
||||
#
|
||||
# Optional
|
||||
#
|
||||
accessLog:
|
||||
# Sets the file path for the access log. If not specified, stdout will be used.
|
||||
# Intermediate directories are created if necessary.
|
||||
#
|
||||
# Optional
|
||||
# Default: os.Stdout
|
||||
#
|
||||
# filePath: /path/to/log/log.txt
|
||||
filePath: "/etc/traefik/access.log"
|
||||
format: common
|
||||
|
||||
# Format is either "json" or "common".
|
||||
#
|
||||
# Optional
|
||||
# Default: "common"
|
||||
#
|
||||
# format: json
|
||||
|
||||
################################################################
|
||||
# API and dashboard configuration
|
||||
################################################################
|
||||
|
||||
# Enable API and dashboard
|
||||
#
|
||||
# Optional
|
||||
#
|
||||
api:
|
||||
# Enable the API in insecure mode
|
||||
#
|
||||
# Optional
|
||||
# Default: false
|
||||
#
|
||||
insecure: true
|
||||
|
||||
# Enabled Dashboard
|
||||
#
|
||||
# Optional
|
||||
# Default: true
|
||||
#
|
||||
dashboard: true
|
||||
|
||||
################################################################
|
||||
# Ping configuration
|
||||
################################################################
|
||||
|
||||
# Enable ping
|
||||
ping:
|
||||
# Name of the related entry point
|
||||
#
|
||||
# Optional
|
||||
# Default: "traefik"
|
||||
#
|
||||
entryPoint: traefik
|
||||
|
||||
################################################################
|
||||
# Docker configuration backend
|
||||
################################################################
|
||||
|
||||
providers:
|
||||
# Enable Docker configuration backend
|
||||
docker:
|
||||
# Docker server endpoint. Can be a tcp or a unix socket endpoint.
|
||||
#
|
||||
# Required
|
||||
# Default: "unix:///var/run/docker.sock"
|
||||
#
|
||||
endpoint: unix:///tmp/docker.sock
|
||||
|
||||
# Default host rule.
|
||||
#
|
||||
# Optional
|
||||
# Default: "Host(`{{ normalize .Name }}`)"
|
||||
#
|
||||
defaultRule: Host(`{{ normalize .Name }}.domain.tld`)
|
||||
|
||||
# Expose containers by default in traefik
|
||||
#
|
||||
# Optional
|
||||
# Default: true
|
||||
#
|
||||
exposedByDefault: true
|
||||
|
||||
network: home-proxy
|
||||
|
||||
file:
|
||||
directory: /etc/traefik/custom
|
||||
watch: true
|
||||
|
||||
#tls:
|
||||
# stores:
|
||||
# default:
|
||||
# defaultCertificate:
|
||||
# certFile: /certs/star.domain.tld.crt
|
||||
# keyFile: /certs/star.domain.tld..key
|
||||
# certificates:
|
||||
# - certFile: /certs/star.domain.tld..crt
|
||||
# keyFile: /certs/star.domain.tld..key
|
||||
# stores:
|
||||
# - default
|
||||
#
|
||||
|
||||
certificatesResolvers:
|
||||
letsencrypt:
|
||||
acme:
|
||||
email: email@address.com
|
||||
storage: /letsencrypt/acme.json
|
||||
dnsChallenge:
|
||||
provider: cloudflare
|
||||
# Used to make sure the dns challenge is propagated to the rights dns servers
|
||||
# resolvers:
|
||||
# - "1.1.1.1:53"
|
||||
# - "1.0.0.1:53"
|
||||
#
|
||||
experimental:
|
||||
plugins:
|
||||
traefik-real-ip:
|
||||
moduleName: "github.com/soulbalz/traefik-real-ip"
|
||||
version: "v1.0.3"
|
||||
|
||||
http:
|
||||
middlewares:
|
||||
my-traefik-real-ip:
|
||||
plugin:
|
||||
traefik-real-ip:
|
||||
excludednets:
|
||||
- 1.1.1.1/24
|
||||
authelia:
|
||||
forwardAuth:
|
||||
address: https://authelia:9091/api/verify?rd=https%3A%2F%2Flogin.dudenhoeffer.casa%2F
|
||||
trustForwardHeader: true
|
||||
authResponseHeaders:
|
||||
- "Remote-User"
|
||||
- "Remote-Groups"
|
||||
- "Remote-Email"
|
||||
- "Remote-Name"
|
||||
authelia-basic:
|
||||
forwardAuth:
|
||||
address: https://authelia:9091/api/verify?auth=basic
|
||||
trustForwardHeader: true
|
||||
authResponseHeaders:
|
||||
- "Remote-User"
|
||||
- "Remote-Groups"
|
||||
- "Remote-Email"
|
||||
- "Remote-Name"
|
||||
|
Loading…
x
Reference in New Issue
Block a user