From 728e01bc798bb0b3bba7f3a1a5a89736bdbe2a99 Mon Sep 17 00:00:00 2001 From: Steve Dudenhoeffer Date: Sun, 24 Mar 2024 02:26:04 +0000 Subject: [PATCH] added nas/traefik --- nas/traefik/config/configuration.yml.example | 61 +++++ nas/traefik/config/users_database.yml.example | 20 ++ nas/traefik/custom/example-tls.yml | 20 ++ nas/traefik/custom/example.yml | 13 + nas/traefik/custom/nas.yml | 12 + nas/traefik/docker-compose.yml | 92 +++++++ nas/traefik/traefik.yml.example | 230 ++++++++++++++++++ 7 files changed, 448 insertions(+) create mode 100644 nas/traefik/config/configuration.yml.example create mode 100644 nas/traefik/config/users_database.yml.example create mode 100644 nas/traefik/custom/example-tls.yml create mode 100644 nas/traefik/custom/example.yml create mode 100644 nas/traefik/custom/nas.yml create mode 100644 nas/traefik/docker-compose.yml create mode 100644 nas/traefik/traefik.yml.example diff --git a/nas/traefik/config/configuration.yml.example b/nas/traefik/config/configuration.yml.example new file mode 100644 index 0000000..f3f7782 --- /dev/null +++ b/nas/traefik/config/configuration.yml.example @@ -0,0 +1,61 @@ +--- +############################################################### +# Authelia configuration # +############################################################### + +# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE +jwt_secret: a_very_important_secret +default_redirection_url: https://public.example.com + + +log: + level: debug + +totp: + issuer: authelia.com + +# duo_api: +# hostname: api-123456789.example.com +# integration_key: ABCDEF +# # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE +# secret_key: 1234567890abcdefghifjkl + +authentication_backend: + file: + path: /config/users_database.yml + +access_control: + default_policy: deny + rules: + # Rules applied to everyone + - domain: public.example.com + policy: bypass + - domain: traefik.example.com + policy: one_factor + - domain: secure.example.com + policy: two_factor + +session: + # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE + secret: unsecure_session_secret + domain: domain.tld + same_site: lax + expiration: 1h + inactivity: 5m + remember_me_duration: 1M + +regulation: + max_retries: 3 + find_time: 120 + ban_time: 300 + +storage: + encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this + local: + path: /config/db.sqlite3 + +notifier: + disable_startup_check: false + filesystem: + filename: /config/notification.txt + \ No newline at end of file diff --git a/nas/traefik/config/users_database.yml.example b/nas/traefik/config/users_database.yml.example new file mode 100644 index 0000000..251ddbc --- /dev/null +++ b/nas/traefik/config/users_database.yml.example @@ -0,0 +1,20 @@ +--- +############################################################### +# Users Database # +############################################################### + +# This file can be used if you do not have an LDAP set up. + +# List of users +users: + authelia: + disabled: false + displayname: "Authelia User" + # Password is authelia + # To generate a password: docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'password' + password: "$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/" # yamllint disable-line rule:line-length + email: authelia@authelia.com + groups: + - admins + - dev +... \ No newline at end of file diff --git a/nas/traefik/custom/example-tls.yml b/nas/traefik/custom/example-tls.yml new file mode 100644 index 0000000..01ef585 --- /dev/null +++ b/nas/traefik/custom/example-tls.yml @@ -0,0 +1,20 @@ +http: + routers: + example-tls-router: + rule: "Host(`example-tls.domain.tld`)" + service: example-tls-service + # Optionally, you can add TLS configuration here if your router is serving HTTPS + + services: + example-tls-service: + loadBalancer: + servers: + - url: "https://192.168.0.146" + passHostHeader: true + # Skip TLS verification for the self-signed certificate + serversTransport: "example-tls-servers-transport" + + # Define the serversTransport to skip TLS verification + serversTransports: + example-tls-servers-transport: + insecureSkipVerify: true diff --git a/nas/traefik/custom/example.yml b/nas/traefik/custom/example.yml new file mode 100644 index 0000000..7fd2c73 --- /dev/null +++ b/nas/traefik/custom/example.yml @@ -0,0 +1,13 @@ + +http: + routers: + example-router: + rule: "Host(`example.domain.tld`)" + service: example-service + + services: + example-service: + loadBalancer: + servers: + - url: "http://192.168.0.197:8081" + passHostHeader: true \ No newline at end of file diff --git a/nas/traefik/custom/nas.yml b/nas/traefik/custom/nas.yml new file mode 100644 index 0000000..f90ace3 --- /dev/null +++ b/nas/traefik/custom/nas.yml @@ -0,0 +1,12 @@ +http: + routers: + example-router: + rule: "Host(`nas.dudenhoeffer.casa`)" + service: nas-service + + services: + nas-service: + loadBalancer: + servers: + - url: "http://127.0.0.1:5000" + passHostHeader: true diff --git a/nas/traefik/docker-compose.yml b/nas/traefik/docker-compose.yml new file mode 100644 index 0000000..95c70a4 --- /dev/null +++ b/nas/traefik/docker-compose.yml @@ -0,0 +1,92 @@ +--- +services: + traefik: + image: traefik:latest + container_name: traefik + hostname: traefik + restart: unless-stopped + + dns: 1.1.1.1 + + environment: + - CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL} + - CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_KEY} + + ports: + - mode: host + protocol: tcp + published: 80 + target: 80 + - mode: host + protocol: tcp + published: 443 + target: 443 + + volumes: + - /volume1/docker/traefik/traefik.yml:/etc/traefik/traefik.yml:ro + - /volume1/docker/traefik/custom:/etc/traefik/custom:ro + - /var/run/docker.sock:/tmp/docker.sock:ro + - certs:/letsencrypt + + labels: + - 'traefik.enable=true' + - 'traefik.http.routers.traefik.rule=Host(`traefik.nas.dudenhoeffer.casa`)' + - "traefik.http.routers.traefik.entrypoints=websecure" + - 'entrypoints.websecure.http.tls=true' + - 'entrypoints.websecure.http.tls.certResolver=letsencrypt' + - 'entrypoints.websecure.http.tls.domains[0].main=nas.dudenhoeffer.casa' + - 'entrypoints.websecure.http.tls.domains[0].sans=*.nas.dudenhoeffer.casa' + - "traefik.http.routers.traefik.service=api@internal" + - 'traefik.http.routers.traefik.middlewares=strip' + - 'traefik.http.middlewares.strip.stripprefix.prefixes=/traefik' + - 'traefik.http.services.traefik.loadbalancer.server.port=8080' + - 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https://login.nas.dudenhoeffer.casa/' + - 'traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true' + - 'traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' + - 'certificatesresolvers.letsencrypt.acme.dnschallenge=true' + - 'certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare' + - 'certificatesresolvers.letsencrypt.acme.email=${CLOUDFLARE_EMAIL}' + - 'certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json' + + networks: + - web + + authelia: + image: authelia/authelia + container_name: authelia + volumes: + - authelia_config:/config + - /volume1/docker/authelia/configuration.yml:/config/configuration.yml:ro + - /volume1/docker/authelia/users_database.yml:/config/users_database.yml:ro + + environment: + - TZ=${TIMEZONE} + + networks: + - web + + labels: + - 'traefik.enable=true' + - 'traefik.http.routers.authelia.rule=Host(`login.nas.dudenhoeffer.casa`)' + - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.nas.dudenhoeffer.casa/' # yamllint disable-line rule:line-length + - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true' + - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' # yamllint disable-line rule:line-length + - 'traefik.http.services.authelia.loadbalancer.server.port=9091' + + restart: unless-stopped + healthcheck: + ## In production the healthcheck section should be commented. + disable: true + +networks: + web: + external: true + +volumes: + certs: + name: certs + driver: local + + authelia_config: + name: authelia_config + driver: local diff --git a/nas/traefik/traefik.yml.example b/nas/traefik/traefik.yml.example new file mode 100644 index 0000000..d1810f7 --- /dev/null +++ b/nas/traefik/traefik.yml.example @@ -0,0 +1,230 @@ +################################################################ +# +# Configuration sample for Traefik v2. +# +# For Traefik v1: https://github.com/traefik/traefik/blob/v1.7/traefik.sample.toml +# +################################################################ + +################################################################ +# Global configuration +################################################################ +global: + checkNewVersion: true + sendAnonymousUsage: true + +################################################################ +# EntryPoints configuration +################################################################ + +# EntryPoints definition +# +# Optional +# +entryPoints: + web: + address: :80 + http: + redirections: + entryPoint: + to: websecure + scheme: https + websecure: + address: :443 + http: + tls: + certResolver: letsencrypt + domains: + - main: domain.tld + sans: + - "*.domain.tld" + middlewares: + - "authelia@docker" + +################################################################ +# Traefik logs configuration +################################################################ + +# Traefik logs +# Enabled by default and log to stdout +# +# Optional +# +log: + # Log level + # + # Optional + # Default: "ERROR" + # + level: DEBUG + + # Sets the filepath for the traefik log. If not specified, stdout will be used. + # Intermediate directories are created if necessary. + # + # Optional + # Default: os.Stdout + # +# filePath: log/traefik.log + + # Format is either "json" or "common". + # + # Optional + # Default: "common" + # +# format: json + +################################################################ +# Access logs configuration +################################################################ + +# Enable access logs +# By default it will write to stdout and produce logs in the textual +# Common Log Format (CLF), extended with additional fields. +# +# Optional +# +accessLog: + # Sets the file path for the access log. If not specified, stdout will be used. + # Intermediate directories are created if necessary. + # + # Optional + # Default: os.Stdout + # +# filePath: /path/to/log/log.txt + filePath: "/etc/traefik/access.log" + format: common + + # Format is either "json" or "common". + # + # Optional + # Default: "common" + # +# format: json + +################################################################ +# API and dashboard configuration +################################################################ + +# Enable API and dashboard +# +# Optional +# +api: + # Enable the API in insecure mode + # + # Optional + # Default: false + # + insecure: true + + # Enabled Dashboard + # + # Optional + # Default: true + # + dashboard: true + +################################################################ +# Ping configuration +################################################################ + +# Enable ping +ping: + # Name of the related entry point + # + # Optional + # Default: "traefik" + # + entryPoint: traefik + +################################################################ +# Docker configuration backend +################################################################ + +providers: + # Enable Docker configuration backend + docker: + # Docker server endpoint. Can be a tcp or a unix socket endpoint. + # + # Required + # Default: "unix:///var/run/docker.sock" + # + endpoint: unix:///tmp/docker.sock + + # Default host rule. + # + # Optional + # Default: "Host(`{{ normalize .Name }}`)" + # + defaultRule: Host(`{{ normalize .Name }}.domain.tld`) + + # Expose containers by default in traefik + # + # Optional + # Default: true + # + exposedByDefault: true + + network: home-proxy + + file: + directory: /etc/traefik/custom + watch: true + +#tls: +# stores: +# default: +# defaultCertificate: +# certFile: /certs/star.domain.tld.crt +# keyFile: /certs/star.domain.tld..key +# certificates: +# - certFile: /certs/star.domain.tld..crt +# keyFile: /certs/star.domain.tld..key +# stores: +# - default +# + +certificatesResolvers: + letsencrypt: + acme: + email: email@address.com + storage: /letsencrypt/acme.json + dnsChallenge: + provider: cloudflare + # Used to make sure the dns challenge is propagated to the rights dns servers + # resolvers: + # - "1.1.1.1:53" + # - "1.0.0.1:53" + # +experimental: + plugins: + traefik-real-ip: + moduleName: "github.com/soulbalz/traefik-real-ip" + version: "v1.0.3" + +http: + middlewares: + my-traefik-real-ip: + plugin: + traefik-real-ip: + excludednets: + - 1.1.1.1/24 + authelia: + forwardAuth: + address: https://authelia:9091/api/verify?rd=https%3A%2F%2Flogin.dudenhoeffer.casa%2F + trustForwardHeader: true + authResponseHeaders: + - "Remote-User" + - "Remote-Groups" + - "Remote-Email" + - "Remote-Name" + authelia-basic: + forwardAuth: + address: https://authelia:9091/api/verify?auth=basic + trustForwardHeader: true + authResponseHeaders: + - "Remote-User" + - "Remote-Groups" + - "Remote-Email" + - "Remote-Name" +