steve/steveternet
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

added nas/traefik

Browse Source
This commit is contained in:
Steve Dudenhoeffer 2024-03-24 02:26:04 +00:00
parent 484492c4c0
commit 728e01bc79
7 changed files with 448 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
nas/traefik/config/configuration.yml.example Normal file
View File

@ -0,0 +1,61 @@
---
###############################################################
# Authelia configuration #
###############################################################
# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
jwt_secret: a_very_important_secret
default_redirection_url: https://public.example.com
log:
level: debug
totp:
issuer: authelia.com
# duo_api:
# hostname: api-123456789.example.com
# integration_key: ABCDEF
# # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
# secret_key: 1234567890abcdefghifjkl
authentication_backend:
file:
path: /config/users_database.yml
access_control:
default_policy: deny
rules:
# Rules applied to everyone
- domain: public.example.com
policy: bypass
- domain: traefik.example.com
policy: one_factor
- domain: secure.example.com
policy: two_factor
session:
# This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
secret: unsecure_session_secret
domain: domain.tld
same_site: lax
expiration: 1h
inactivity: 5m
remember_me_duration: 1M
regulation:
max_retries: 3
find_time: 120
ban_time: 300
storage:
encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
local:
path: /config/db.sqlite3
notifier:
disable_startup_check: false
filesystem:
filename: /config/notification.txt

20
nas/traefik/config/users_database.yml.example Normal file
View File

@ -0,0 +1,20 @@
---
###############################################################
# Users Database #
###############################################################
# This file can be used if you do not have an LDAP set up.
# List of users
users:
authelia:
disabled: false
displayname: "Authelia User"
# Password is authelia
# To generate a password: docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'password'
password: "$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/" # yamllint disable-line rule:line-length
email: authelia@authelia.com
groups:
- admins
- dev
...

20
nas/traefik/custom/example-tls.yml Normal file
View File

@ -0,0 +1,20 @@
http:
routers:
example-tls-router:
rule: "Host(`example-tls.domain.tld`)"
service: example-tls-service
# Optionally, you can add TLS configuration here if your router is serving HTTPS
services:
example-tls-service:
loadBalancer:
servers:
- url: "https://192.168.0.146"
passHostHeader: true
# Skip TLS verification for the self-signed certificate
serversTransport: "example-tls-servers-transport"
# Define the serversTransport to skip TLS verification
serversTransports:
example-tls-servers-transport:
insecureSkipVerify: true

13
nas/traefik/custom/example.yml Normal file
View File

@ -0,0 +1,13 @@
http:
routers:
example-router:
rule: "Host(`example.domain.tld`)"
service: example-service
services:
example-service:
loadBalancer:
servers:
- url: "http://192.168.0.197:8081"
passHostHeader: true

12
nas/traefik/custom/nas.yml Normal file
View File

@ -0,0 +1,12 @@
http:
routers:
example-router:
rule: "Host(`nas.dudenhoeffer.casa`)"
service: nas-service
services:
nas-service:
loadBalancer:
servers:
- url: "http://127.0.0.1:5000"
passHostHeader: true

92
nas/traefik/docker-compose.yml Normal file
View File

@ -0,0 +1,92 @@
---
services:
traefik:
image: traefik:latest
container_name: traefik
hostname: traefik
restart: unless-stopped
dns: 1.1.1.1
environment:
- CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}
- CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_KEY}
ports:
- mode: host
protocol: tcp
published: 80
target: 80
- mode: host
protocol: tcp
published: 443
target: 443
volumes:
- /volume1/docker/traefik/traefik.yml:/etc/traefik/traefik.yml:ro
- /volume1/docker/traefik/custom:/etc/traefik/custom:ro
- /var/run/docker.sock:/tmp/docker.sock:ro
- certs:/letsencrypt
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.traefik.rule=Host(`traefik.nas.dudenhoeffer.casa`)'
- "traefik.http.routers.traefik.entrypoints=websecure"
- 'entrypoints.websecure.http.tls=true'
- 'entrypoints.websecure.http.tls.certResolver=letsencrypt'
- 'entrypoints.websecure.http.tls.domains[0].main=nas.dudenhoeffer.casa'
- 'entrypoints.websecure.http.tls.domains[0].sans=*.nas.dudenhoeffer.casa'
- "traefik.http.routers.traefik.service=api@internal"
- 'traefik.http.routers.traefik.middlewares=strip'
- 'traefik.http.middlewares.strip.stripprefix.prefixes=/traefik'
- 'traefik.http.services.traefik.loadbalancer.server.port=8080'
- 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https://login.nas.dudenhoeffer.casa/'
- 'traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true'
- 'traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
- 'certificatesresolvers.letsencrypt.acme.dnschallenge=true'
- 'certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare'
- 'certificatesresolvers.letsencrypt.acme.email=${CLOUDFLARE_EMAIL}'
- 'certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json'
networks:
- web
authelia:
image: authelia/authelia
container_name: authelia
volumes:
- authelia_config:/config
- /volume1/docker/authelia/configuration.yml:/config/configuration.yml:ro
- /volume1/docker/authelia/users_database.yml:/config/users_database.yml:ro
environment:
- TZ=${TIMEZONE}
networks:
- web
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.authelia.rule=Host(`login.nas.dudenhoeffer.casa`)'
- 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.nas.dudenhoeffer.casa/' # yamllint disable-line rule:line-length
- 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
- 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' # yamllint disable-line rule:line-length
- 'traefik.http.services.authelia.loadbalancer.server.port=9091'
restart: unless-stopped
healthcheck:
## In production the healthcheck section should be commented.
disable: true
networks:
web:
external: true
volumes:
certs:
name: certs
driver: local
authelia_config:
name: authelia_config
driver: local

230
nas/traefik/traefik.yml.example Normal file
View File

@ -0,0 +1,230 @@
################################################################
#
# Configuration sample for Traefik v2.
#
# For Traefik v1: https://github.com/traefik/traefik/blob/v1.7/traefik.sample.toml
#
################################################################
################################################################
# Global configuration
################################################################
global:
checkNewVersion: true
sendAnonymousUsage: true
################################################################
# EntryPoints configuration
################################################################
# EntryPoints definition
#
# Optional
#
entryPoints:
web:
address: :80
http:
redirections:
entryPoint:
to: websecure
scheme: https
websecure:
address: :443
http:
tls:
certResolver: letsencrypt
domains:
- main: domain.tld
sans:
- "*.domain.tld"
middlewares:
- "authelia@docker"
################################################################
# Traefik logs configuration
################################################################
# Traefik logs
# Enabled by default and log to stdout
#
# Optional
#
log:
# Log level
#
# Optional
# Default: "ERROR"
#
level: DEBUG
# Sets the filepath for the traefik log. If not specified, stdout will be used.
# Intermediate directories are created if necessary.
#
# Optional
# Default: os.Stdout
#
# filePath: log/traefik.log
# Format is either "json" or "common".
#
# Optional
# Default: "common"
#
# format: json
################################################################
# Access logs configuration
################################################################
# Enable access logs
# By default it will write to stdout and produce logs in the textual
# Common Log Format (CLF), extended with additional fields.
#
# Optional
#
accessLog:
# Sets the file path for the access log. If not specified, stdout will be used.
# Intermediate directories are created if necessary.
#
# Optional
# Default: os.Stdout
#
# filePath: /path/to/log/log.txt
filePath: "/etc/traefik/access.log"
format: common
# Format is either "json" or "common".
#
# Optional
# Default: "common"
#
# format: json
################################################################
# API and dashboard configuration
################################################################
# Enable API and dashboard
#
# Optional
#
api:
# Enable the API in insecure mode
#
# Optional
# Default: false
#
insecure: true
# Enabled Dashboard
#
# Optional
# Default: true
#
dashboard: true
################################################################
# Ping configuration
################################################################
# Enable ping
ping:
# Name of the related entry point
#
# Optional
# Default: "traefik"
#
entryPoint: traefik
################################################################
# Docker configuration backend
################################################################
providers:
# Enable Docker configuration backend
docker:
# Docker server endpoint. Can be a tcp or a unix socket endpoint.
#
# Required
# Default: "unix:///var/run/docker.sock"
#
endpoint: unix:///tmp/docker.sock
# Default host rule.
#
# Optional
# Default: "Host(`{{ normalize .Name }}`)"
#
defaultRule: Host(`{{ normalize .Name }}.domain.tld`)
# Expose containers by default in traefik
#
# Optional
# Default: true
#
exposedByDefault: true
network: home-proxy
file:
directory: /etc/traefik/custom
watch: true
#tls:
# stores:
# default:
# defaultCertificate:
# certFile: /certs/star.domain.tld.crt
# keyFile: /certs/star.domain.tld..key
# certificates:
# - certFile: /certs/star.domain.tld..crt
# keyFile: /certs/star.domain.tld..key
# stores:
# - default
#
certificatesResolvers:
letsencrypt:
acme:
email: email@address.com
storage: /letsencrypt/acme.json
dnsChallenge:
provider: cloudflare
# Used to make sure the dns challenge is propagated to the rights dns servers
# resolvers:
# - "1.1.1.1:53"
# - "1.0.0.1:53"
#
experimental:
plugins:
traefik-real-ip:
moduleName: "github.com/soulbalz/traefik-real-ip"
version: "v1.0.3"
http:
middlewares:
my-traefik-real-ip:
plugin:
traefik-real-ip:
excludednets:
- 1.1.1.1/24
authelia:
forwardAuth:
address: https://authelia:9091/api/verify?rd=https%3A%2F%2Flogin.dudenhoeffer.casa%2F
trustForwardHeader: true
authResponseHeaders:
- "Remote-User"
- "Remote-Groups"
- "Remote-Email"
- "Remote-Name"
authelia-basic:
forwardAuth:
address: https://authelia:9091/api/verify?auth=basic
trustForwardHeader: true
authResponseHeaders:
- "Remote-User"
- "Remote-Groups"
- "Remote-Email"
- "Remote-Name"