restructure services based on host machine

This commit is contained in:
2024-01-06 01:33:42 +00:00
parent 350eee1ff0
commit f26bfb2063
49 changed files with 0 additions and 0 deletions

26
nuc/traefik/.env.example Normal file

@@ -0,0 +1,26 @@
# DOMAIN_ROOT is the root domain that this service will register as with Traefik
DOMAIN_ROOT=domain.tld
# USER_ID is the user id to run the service as. 0 for root
USER_ID=1000
# GROUP_ID is the group id to run the service as. 0 for root
GROUP_ID=1000
# TIMEZONE is the timezone the server is in
TIMEZONE=America/New_York
# CLOUDFLARE_EMAIL is the email for the cloudflare credentials
CLOUDFLARE_EMAIL=email@address.com
# CLOUDFLARE_KEY is the key for your cloudflare credentials
CLOUDFLARE_KEY=XXXX
# AUTH_JWT_SECRET is the secret used for authelia's json web tokens. (can just be a random string)
AUTH_JWT_SECRET=SOMErandomSTRING
# AUTH_SESSION_SECRET is the secret (random string) used to encrypt session data in redis
AUTH_SESSION_SECRET=SOMEotherRANDOMstring
# AUTH_STORAGE_KEY is the secret (random string) used to encrypt the data at rest
AUTH_STORAGE_KEY=ANOTHERrandomSTRING
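Review bot: The `AUTH_JWT_SECRET`, `AUTH_SESSION_SECRET` and `AUTH_STORAGE_KEY` placeholders look like usable values, and an example file with copy-pasteable secrets tends to reach production unchanged; I would leave them empty and say how to generate real ones, e.g. `AUTH_JWT_SECRET=  # generate with: openssl rand -hex 32` (Authelia refuses an empty secret, so a forgotten one fails loudly instead of running with the sample). The comment on `CLOUDFLARE_KEY` calls it a "key", but docker-compose.yml hands it to Traefik as `CLOUDFLARE_DNS_API_TOKEN`; what belongs here is a scoped API token (Zone:DNS:Edit on this one zone) rather than the account-wide Global API Key, and the comment should say so since a leaked `.env` on the NUC then costs one zone's DNS, not the whole account. `USER_ID`/`GROUP_ID` are documented as "the user id to run the service as", but I don't see them referenced anywhere in the compose file in this commit, so either wire them in (`user: "${USER_ID}:${GROUP_ID}"` on the authelia service) or drop them so nobody assumes the containers run unprivileged.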


@@ -0,0 +1,13 @@
http:
routers:
homeassistant-router:
rule: "Host(`homeassistant.dudenhoeffer.casa`)"
service: homeassistant-service
services:
homeassistant-service:
loadBalancer:
servers:
- url: "http://192.168.0.197:8123"
passHostHeader: true
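Review bot: This router declares neither `entryPoints` nor `middlewares`, so it attaches to every entry point and its only authentication is the `authelia@docker` middleware that traefik.yml installs as the default for `websecure`; removing that default later would silently publish Home Assistant with no SSO in front of it. I would make the dependency explicit on the router: `entryPoints: ["websecure"]` and `middlewares: ["authelia@docker"]`. Worth a comment next to the service URL: I believe Home Assistant (since 2021.7) answers 400 to proxied requests unless `http.use_x_forwarded_for: true` and `http.trusted_proxies` listing Traefik's address are set in its own configuration, which lives outside this repo. The page does not show this file's name; I'm reading it as the homeassistant custom config.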


@@ -0,0 +1,13 @@
http:
routers:
nas-router:
rule: "Host(`nas.dudenhoeffer.casa`)"
service: nas-service
# Optionally, you can add TLS configuration here if your router is serving HTTPS
services:
nas-service:
loadBalancer:
servers:
- url: "http://192.168.0.145:5000"
passHostHeader: true
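Review bot: The comment "Optionally, you can add TLS configuration here if your router is serving HTTPS" is misleading in this deployment: TLS is terminated by the `websecure` entry point in traefik.yml, a router-level `tls:` block is not what makes this host HTTPS, and the comment invites copy-pasting config that does nothing; I would replace it with `# TLS is terminated by the websecure entry point; nothing to add here`. The upstream is plain `http://192.168.0.145:5000`, so NAS credentials cross the LAN in clear between Traefik and the NAS; if the NAS also serves HTTPS (many do, on a neighbouring port), point the service at that and pin its certificate with a `serversTransport` carrying `rootCAs` rather than skipping verification. As with the other custom files, no explicit `entryPoints`/`middlewares` means SSO protection depends entirely on the entry-point default.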


@@ -0,0 +1,40 @@
http:
routers:
nextcloud:
rule: "Host(`cloud.dudenhoeffer.casa`)"
#entrypoints:
# - "web"
service: nextcloud
#middlewares:
# - nextcloud-chain
services:
nextcloud:
loadBalancer:
#serversTransport: "nextcloud-servers-transport"
servers:
- url: "http://nextcloud-aio-nextcloud:9000" # Use the host's IP address if Traefik runs outside the host network
middlewares:
nextcloud-secure-headers:
headers:
hostsProxyHeaders:
- "X-Forwarded-Host"
referrerPolicy: "same-origin"
https-redirect:
redirectscheme:
scheme: https
nextcloud-chain:
chain:
middlewares:
# - ... (e.g. rate limiting middleware)
- https-redirect
- nextcloud-secure-headers
# Define the serversTransport to skip TLS verification
serversTransports:
nextcloud-servers-transport:
insecureSkipVerify: true
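Review bot: `nextcloud-servers-transport` with `insecureSkipVerify: true` is defined but referenced by nothing (the `serversTransport` line is commented out and the upstream URL is plain `http://`), and the same goes for `nextcloud-chain`, `https-redirect` and `nextcloud-secure-headers`; dead configuration that disables certificate checking is a trap for whoever uncomments one line later, so I would delete the `serversTransports` block and either attach the chain to the router (`middlewares: ["nextcloud-chain"]`) or remove the middlewares as well. Until the chain is attached, the `hostsProxyHeaders`/`referrerPolicy` settings have no effect and Nextcloud receives none of them. Two things to verify rather than take from me: I believe port 9000 on the AIO `nextcloud-aio-nextcloud` container is PHP-FPM rather than an HTTP listener (the AIO docs point reverse proxies at the Apache container on 11000), and Nextcloud's desktop/mobile sync and WebDAV clients cannot follow an Authelia redirect, so the entry-point-wide forwardAuth will need a bypass rule for this host in Authelia's access_control. The file name isn't shown on the page; I'm reading this as the nextcloud custom config.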


@@ -0,0 +1,13 @@
http:
routers:
pihole-router:
rule: "Host(`pihole.dudenhoeffer.casa`)"
service: pihole-service
services:
pihole-service:
loadBalancer:
servers:
- url: "http://192.168.0.197:8081"
passHostHeader: true


@@ -0,0 +1,20 @@
http:
routers:
scrypted-router:
rule: "Host(`scrypted.dudenhoeffer.casa`)"
service: scrypted-service
# Optionally, you can add TLS configuration here if your router is serving HTTPS
services:
scrypted-service:
loadBalancer:
servers:
- url: "https://192.168.0.197:10443"
passHostHeader: true
# Skip TLS verification for the self-signed certificate
serversTransport: "scrypted-servers-transport"
# Define the serversTransport to skip TLS verification
serversTransports:
scrypted-servers-transport:
insecureSkipVerify: true
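Review bot: `insecureSkipVerify: true` on `scrypted-servers-transport` switches off all certificate checking for the hop to 192.168.0.197:10443, so anything able to answer on that LAN address (ARP spoofing, a compromised device) can impersonate the camera server to Traefik, and the request — including the `Remote-User`/`Remote-Email` headers Authelia adds and the user's cookies — would be forwarded to it. Because the cert is self-signed and stable, pin it instead: export it, drop it under the already-mounted `/etc/traefik/custom`, and replace the skip with `rootCAs: ["/etc/traefik/custom/certs/scrypted.crt"]`, which Traefik v2 accepts on `serversTransports`. If the certificate's SAN doesn't cover the IP, `serverName: <name-on-cert>` on the same transport fixes that without falling back to skipping verification. This router also omits `entryPoints`/`middlewares`, so its SSO protection rests on the entry-point default in traefik.yml.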


@@ -0,0 +1,20 @@
http:
routers:
unifi-router:
rule: "Host(`unifi.dudenhoeffer.casa`)"
service: unifi-service
# Optionally, you can add TLS configuration here if your router is serving HTTPS
services:
unifi-service:
loadBalancer:
servers:
- url: "https://192.168.0.146"
passHostHeader: true
# Skip TLS verification for the self-signed certificate
serversTransport: "unifi-servers-transport"
# Define the serversTransport to skip TLS verification
serversTransports:
unifi-servers-transport:
insecureSkipVerify: true
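Review bot: Same problem as the scrypted transport: `insecureSkipVerify: true` means Traefik trusts any certificate presented at 192.168.0.146, and since this is the network controller an impersonated upstream would receive admin logins for the whole LAN. Replace it with a pinned `rootCAs` entry for the controller's certificate (or install a certificate Traefik can verify on the controller). Given what this service administers I would also restrict the router to LAN sources on top of SSO, e.g. `middlewares: ["authelia@docker", "lan-only@file"]` with an `ipWhiteList` middleware (renamed `ipAllowList` in Traefik v3, which matters because the compose file tracks `traefik:latest`) listing the local range. The `192.168.0.0/24` range implied by the addresses in these files is my guess; confirm it before writing the allowlist.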


@@ -0,0 +1,13 @@
http:
routers:
wireguard2-router:
rule: "Host(`wireguard2.dudenhoeffer.casa`)"
service: wireguard2-service
services:
wireguard2-service:
loadBalancer:
servers:
- url: "http://192.168.0.197:51821"
passHostHeader: true


@@ -0,0 +1,89 @@
---
version: "3.8"
services:
traefik:
image: traefik:latest
container_name: traefik
hostname: traefik
restart: unless-stopped
environment:
- CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}
- CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_KEY}
- DOMAIN_ROOT=${DOMAIN_ROOT}
ports:
- mode: host
protocol: tcp
published: 80
target: 80
- mode: host
protocol: tcp
published: 443
target: 443
volumes:
- ./traefik.yml:/etc/traefik/traefik.yml:ro
- ./custom:/etc/traefik/custom:ro
- /var/run/docker.sock:/tmp/docker.sock:ro
- certs:/letsencrypt
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN_ROOT}`)'
- "traefik.http.routers.traefik.entrypoints=websecure"
- 'entrypoints.websecure.http.tls=true'
- 'entrypoints.websecure.http.tls.certResolver=letsencrypt'
- 'entrypoints.websecure.http.tls.domains[0].main=${DOMAIN_ROOT}'
- 'entrypoints.websecure.http.tls.domains[0].sans=*.${DOMAIN_ROOT}'
- "traefik.http.routers.traefik.service=api@internal"
- 'traefik.http.routers.traefik.middlewares=strip'
- 'traefik.http.middlewares.strip.stripprefix.prefixes=/traefik'
- 'traefik.http.services.traefik.loadbalancer.server.port=8080'
- 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https://login.${DOMAIN_ROOT}/'
- 'traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true'
- 'traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
- 'certificatesresolvers.letsencrypt.acme.dnschallenge=true'
- 'certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare'
- 'certificatesresolvers.letsencrypt.acme.email=${CLOUDFLARE_EMAIL}'
- 'certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json'
networks:
- web
authelia:
image: docker.io/authelia/authelia:latest
container_name: authelia
restart: unless-stopped
environment:
- TZ=${TIMEZONE}
- AUTHELIA_JWT_SECRET=${AUTH_JWT_SECRET}
- AUTHELIA_SESSION_SECRET=${AUTH_SESSION_SECRET}
- AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTH_STORAGE_KEY}
- DOMAIN_ROOT=${DOMAIN_ROOT}
volumes:
- authelia_config:/config
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.authelia.rule=Host(`login.${DOMAIN_ROOT}`)'
- 'traefik.http.services.authelia.loadbalancer.server.port=9091'
networks:
- web
networks:
web:
external: true
volumes:
certs:
external: true
authelia_config:
external: true
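Review bot: Mounting `/var/run/docker.sock` into Traefik (`:ro` on the bind mount only prevents replacing the socket file; every Docker API call, including creating a container with host mounts, still works through it) makes the one container that faces the internet on 80/443 root-equivalent on the host if it is ever compromised, and `traefik:latest`/`authelia:latest` let that surface update itself unreviewed — for Traefik, `latest` will cross into v3 with breaking static-config changes. I would pin both images to explicit tags and put a read-only socket proxy (permitting only the container listing and events endpoints) between Traefik and the socket, pointing `providers.docker.endpoint` at it. The `entrypoints.websecure.*` and `certificatesresolvers.*` labels lack the `traefik.` prefix, so I believe the Docker provider ignores them; the real TLS/ACME configuration is in traefik.yml, and these lines only suggest it is configured here — drop them. The `authelia` forwardAuth label points at `http://authelia:9091` while traefik.yml's copy of the same middleware uses `https://`; Authelia serves plain HTTP unless explicitly given a TLS config, so the label is probably the correct one and the duplicate in traefik.yml should go.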


@@ -0,0 +1,230 @@
################################################################
#
# Configuration sample for Traefik v2.
#
# For Traefik v1: https://github.com/traefik/traefik/blob/v1.7/traefik.sample.toml
#
################################################################
################################################################
# Global configuration
################################################################
global:
checkNewVersion: true
sendAnonymousUsage: true
################################################################
# EntryPoints configuration
################################################################
# EntryPoints definition
#
# Optional
#
entryPoints:
web:
address: :80
http:
redirections:
entryPoint:
to: websecure
scheme: https
websecure:
address: :443
http:
tls:
certResolver: letsencrypt
domains:
- main: domain.tld
sans:
- "*.domain.tld"
middlewares:
- "authelia@docker"
################################################################
# Traefik logs configuration
################################################################
# Traefik logs
# Enabled by default and log to stdout
#
# Optional
#
log:
# Log level
#
# Optional
# Default: "ERROR"
#
level: DEBUG
# Sets the filepath for the traefik log. If not specified, stdout will be used.
# Intermediate directories are created if necessary.
#
# Optional
# Default: os.Stdout
#
# filePath: log/traefik.log
# Format is either "json" or "common".
#
# Optional
# Default: "common"
#
# format: json
################################################################
# Access logs configuration
################################################################
# Enable access logs
# By default it will write to stdout and produce logs in the textual
# Common Log Format (CLF), extended with additional fields.
#
# Optional
#
accessLog:
# Sets the file path for the access log. If not specified, stdout will be used.
# Intermediate directories are created if necessary.
#
# Optional
# Default: os.Stdout
#
# filePath: /path/to/log/log.txt
filePath: "/etc/traefik/access.log"
format: common
# Format is either "json" or "common".
#
# Optional
# Default: "common"
#
# format: json
################################################################
# API and dashboard configuration
################################################################
# Enable API and dashboard
#
# Optional
#
api:
# Enable the API in insecure mode
#
# Optional
# Default: false
#
insecure: true
# Enabled Dashboard
#
# Optional
# Default: true
#
dashboard: true
################################################################
# Ping configuration
################################################################
# Enable ping
ping:
# Name of the related entry point
#
# Optional
# Default: "traefik"
#
entryPoint: traefik
################################################################
# Docker configuration backend
################################################################
providers:
# Enable Docker configuration backend
docker:
# Docker server endpoint. Can be a tcp or a unix socket endpoint.
#
# Required
# Default: "unix:///var/run/docker.sock"
#
endpoint: unix:///tmp/docker.sock
# Default host rule.
#
# Optional
# Default: "Host(`{{ normalize .Name }}`)"
#
defaultRule: Host(`{{ normalize .Name }}.domain.tld`)
# Expose containers by default in traefik
#
# Optional
# Default: true
#
exposedByDefault: true
network: home-proxy
file:
directory: /etc/traefik/custom
watch: true
#tls:
# stores:
# default:
# defaultCertificate:
# certFile: /certs/star.domain.tld.crt
# keyFile: /certs/star.domain.tld..key
# certificates:
# - certFile: /certs/star.domain.tld..crt
# keyFile: /certs/star.domain.tld..key
# stores:
# - default
#
certificatesResolvers:
letsencrypt:
acme:
email: email@address.com
storage: /letsencrypt/acme.json
dnsChallenge:
provider: cloudflare
# Used to make sure the dns challenge is propagated to the rights dns servers
# resolvers:
# - "1.1.1.1:53"
# - "1.0.0.1:53"
#
experimental:
plugins:
traefik-real-ip:
moduleName: "github.com/soulbalz/traefik-real-ip"
version: "v1.0.3"
http:
middlewares:
my-traefik-real-ip:
plugin:
traefik-real-ip:
excludednets:
- 1.1.1.1/24
authelia:
forwardAuth:
address: https://authelia:9091/api/verify?rd=https%3A%2F%2Flogin.dudenhoeffer.casa%2F
trustForwardHeader: true
authResponseHeaders:
- "Remote-User"
- "Remote-Groups"
- "Remote-Email"
- "Remote-Name"
authelia-basic:
forwardAuth:
address: https://authelia:9091/api/verify?auth=basic
trustForwardHeader: true
authResponseHeaders:
- "Remote-User"
- "Remote-Groups"
- "Remote-Email"
- "Remote-Name"