diff --git a/.gitignore b/.gitignore
index 11ee758..20e6aa2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 .env.local
+_copy_to_traefik/tls
diff --git a/_copy_to_traefik/dynamic/dynamic.yml b/_copy_to_traefik/dynamic/dynamic.yml
new file mode 100644
index 0000000..1d02dc6
--- /dev/null
+++ b/_copy_to_traefik/dynamic/dynamic.yml
@@ -0,0 +1,30 @@
+http:
+ serversTransports:
+ insecuretransport:
+ insecureSkipVerify: true
+ middlewares:
+ secureHeaders:
+ headers:
+ sslRedirect: true
+ forceSTSHeader: true
+ stsIncludeSubdomains: true
+ stsPreload: true
+ stsSeconds: 31536000
+ customFrameOptionsValue: "SAMEORIGIN"
+ contentTypeNosniff: true
+ browserXssFilter: true
+ referrerPolicy: "strict-origin-when-cross-origin"
+ permissionsPolicy: "camera=(), microphone=(), geolocation=()"
+ customResponseHeaders:
+ X-Robots-Tag: "noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
+
+tls:
+ stores:
+ default:
+ defaultCertificate:
+ certFile: /etc/traefik/tls/cert.pem
+ keyFile: /etc/traefik/tls/key.pem
+ certificates:
+ - certFile: /etc/traefik/tls/cert.pem
+ keyFile: /etc/traefik/tls/key.pem
+
diff --git a/_copy_to_traefik/dynamic/fwd-auth-sysmgr.yml b/_copy_to_traefik/dynamic/fwd-auth-sysmgr.yml
new file mode 100644
index 0000000..3e91092
--- /dev/null
+++ b/_copy_to_traefik/dynamic/fwd-auth-sysmgr.yml
@@ -0,0 +1,18 @@
+http:
+ middlewares:
+ authentik_sysmgr:
+ forwardAuth:
+ address: https://auth.szk.li/outpost.goauthentik.io/auth/traefik
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+ - X-authentik-jwt
+ - X-authentik-meta-jwks
+ - X-authentik-meta-outpost
+ - X-authentik-meta-provider
+ - X-authentik-meta-app
+ - X-authentik-meta-version
\ No newline at end of file
diff --git a/_copy_to_traefik/dynamic/ha.yml b/_copy_to_traefik/dynamic/ha.yml
new file mode 100644
index 0000000..82ad8e7
--- /dev/null
+++ b/_copy_to_traefik/dynamic/ha.yml
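Review bot: `secureHeaders` and `insecuretransport` are declared in dynamic.yml but nothing in this change references them: the routers in ha.yml, kasm-workspaces.yml and kateryna_apps.yml only attach `authentik_sysmgr`, and no `loadBalancer` sets `serversTransport`, so the hardening headers are never emitted and the verification-skipping transport is dead config until a service opts in. Keep the transport opt-in per service rather than widening it, and record why it exists with a comment above `insecuretransport` such as `# only for backends with self-signed certs; opt in per service via loadBalancer.serversTransport`. `sslRedirect: true` duplicates the entrypoint-level redirection already configured in traefik.yml (and the headers-middleware redirect options are deprecated in Traefik v2), so it can be dropped. `stsPreload: true` together with `stsIncludeSubdomains: true` is a long-lived commitment for every subdomain of any host this middleware is attached to; a one-line comment confirming that is intended would help the next maintainer.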
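Review bot: `trustForwardHeader: true` makes the forwardAuth request copy the incoming X-Forwarded-* headers to the outpost, so the outpost's view of the original host, scheme and client address is only as trustworthy as what Traefik accepts from its clients; traefik.yml in this change sets no `forwardedHeaders` on the entrypoints, so this relies on Traefik's default handling of those headers from untrusted sources. That is appropriate if Traefik is the internet-facing edge, but if it sits behind another proxy the entrypoint needs `forwardedHeaders.trustedIPs` for the real client address to reach the outpost. Record the assumption above the flag, e.g. `# X-Forwarded-* are relayed to the outpost; requires Traefik to be the edge or trustedIPs to be set on the entrypoint`. The file also ends without a trailing newline.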
@@ -0,0 +1,23 @@
+# http routing section
+http:
+ routers:
+ # Define a connection between requests and services
+ "to-ha":
+ rule: "Host(`ha.lksz.me`)"
+ entrypoints:
+ - websecure
+ # # If the rule matches, applies the middleware
+ # middlewares:
+ # - test-user
+ # If the rule matches, forward to the whoami service (declared below)
+ service: home-assistant
+ tls:
+ certresolver: myresolver
+
+ services:
+ # Define how to reach an existing service on our infrastructure
+ home-assistant:
+ loadBalancer:
+ servers:
+ - url: "http://ha.lan:8123"
+ #- address: "ha.lan:8123"
diff --git a/_copy_to_traefik/dynamic/kasm-workspaces.yml b/_copy_to_traefik/dynamic/kasm-workspaces.yml
new file mode 100644
index 0000000..3d478bb
--- /dev/null
+++ b/_copy_to_traefik/dynamic/kasm-workspaces.yml
@@ -0,0 +1,42 @@
+# http routing section
+http:
+ routers:
+ # Define a connection between requests and services
+ "to-kasm-main":
+ rule: "Host(`k.szk.li`)"
+ entrypoints:
+ - websecure
+ # # If the rule matches, applies the middleware
+ middlewares:
+ - authentik_sysmgr
+ # - test-user
+ # If the rule matches, forward to the whoami service (declared below)
+ service: kasm-main
+ tls:
+ certresolver: myresolver
+
+ # Define a connection between requests and services
+ "to-kasm-setup":
+ rule: "Host(`ksetup.szk.li`)"
+ entrypoints:
+ - websecure
+ # # If the rule matches, applies the middleware
+ middlewares:
+ - authentik_sysmgr
+ # - test-user
+ # If the rule matches, forward to the whoami service (declared below)
+ service: kasm-setup
+ tls:
+ certresolver: myresolver
+
+
+ services:
+ # Define how to reach an existing service on our infrastructure
+ kasm-main:
+ loadBalancer:
+ servers:
+ - url: "https://kasm-workspaces:8744"
+ kasm-setup:
+ loadBalancer:
+ servers:
+ - url: "https://kasm-workspaces:8743"
diff --git a/_copy_to_traefik/dynamic/kateryna_apps.yml b/_copy_to_traefik/dynamic/kateryna_apps.yml
new file mode 100644
index 0000000..a4f79c8
--- /dev/null
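Review bot: `certresolver: myresolver` names a resolver that nothing in this change defines; traefik.yml declares `httpresolver`, so Traefik will log the unknown resolver for `to-ha` and serve the default certificate from the `tls.stores.default` in dynamic.yml instead of an ACME certificate for ha.lksz.me. The same mismatch is in both routers of kasm-workspaces.yml and all three routers of kateryna_apps.yml; either rename the resolver in traefik.yml or use `certresolver: httpresolver` everywhere. Separately, this router attaches no middleware (the `middlewares` block is commented out) while the Kasm routers go through `authentik_sysmgr`, so Home Assistant's login page is reachable directly from the internet; if that is deliberate because HA enforces its own login, say so in place of the commented-out block, e.g. `# no forward-auth: HA enforces its own login`. The upstream `http://ha.lan:8123` is plain HTTP from Traefik to the LAN host, which is only acceptable if that network path is trusted, and the dead `#- address:` line can go.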
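Review bot: `https://kasm-workspaces:8744` and `https://kasm-workspaces:8743` are reached through Traefik's default server transport, which verifies the backend certificate; neither `loadBalancer` sets `serversTransport: insecuretransport` (the transport defined in dynamic.yml), so if the Kasm container presents a self-signed certificate both services will fail with a TLS verification error rather than proxying. If that is the case, add `serversTransport: insecuretransport` under each `loadBalancer` with a comment explaining why; better still, provision a certificate Traefik can verify and leave the transport unused. The two blank lines before `services:` and the leftover `# - test-user` and whoami comments are copy-paste residue worth trimming.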
+++ b/_copy_to_traefik/dynamic/kateryna_apps.yml
@@ -0,0 +1,40 @@
+# http routing section
+http:
+ routers:
+ to-auth:
+ rule: "Host(`auth.lksz.me`)"
+ entrypoints:
+ - websecure
+ service: kateryna-traefik
+ tls:
+ certresolver: myresolver
+ to-syncthing:
+ rule: "Host(`sync.lksz.me`)"
+ entrypoints:
+ - websecure
+ service: kateryna-traefik
+ tls:
+ certresolver: myresolver
+ to-kateryna:
+ rule: "Host(`kateryna.szk.li`)
+ || Host(`kateryna.lksz.me`)
+ || Host(`radarr.lksz.me`)
+ || Host(`sonarr.lksz.me`)
+ || Host(`prowlarr.lksz.me`)
+ || Host(`req.lksz.me`)
+ || Host(`jd.lksz.me`)
+ || Host(`nzb.lksz.me`)
+ || Host(`stats.player.lksz.me`)
+ "
+ entrypoints:
+ - websecure
+ service: kateryna-traefik
+ tls:
+ certresolver: myresolver
+
+ services:
+ # Define how to reach an existing service on our infrastructure
+ kateryna-traefik:
+ loadBalancer:
+ servers:
+ - url: https://kateryna.lksz.me
diff --git a/_copy_to_traefik/traefik.yml b/_copy_to_traefik/traefik.yml
new file mode 100644
index 0000000..d82af92
--- /dev/null
+++ b/_copy_to_traefik/traefik.yml
@@ -0,0 +1,34 @@
+api:
+ dashboard: true
+ insecure: true
+
+providers:
+ docker:
+ endpoint: 'unix:///var/run/docker.sock'
+ watch: true
+ exposedByDefault: false
+ file:
+ directory: /etc/traefik/dynamic
+ watch: true
+
+entryPoints:
+ web:
+ address: ':80'
+ http:
+ redirections:
+ entryPoint:
+ to: 'websecure'
+ scheme: 'https'
+ websecure:
+ address: ':443'
+
+certificatesResolvers:
+ httpresolver:
+ acme:
+# email: acme@thisprops.com
+ storage: /shared/acme.json
+ httpChallenge:
+ entryPoint: web
+
+log:
+ level: ERROR
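Review bot: `to-kateryna` forwards the radarr, sonarr, prowlarr, req, jd, nzb and stats hosts to the upstream with no middleware, whereas the Kasm routers in this change attach `authentik_sysmgr`; if the upstream Traefik at kateryna.lksz.me enforces authentication itself that is fine, but it is not visible here, so either attach `authentik_sysmgr` or add a comment on the router such as `# auth is enforced by the upstream Traefik at kateryna.lksz.me`. The multi-line double-quoted `rule` folds its line breaks into spaces and leaves a trailing space before the closing quote; it should still parse, but a `>-` folded block scalar expresses the same rule without the bare `"` line. `url: https://kateryna.lksz.me` is the only unquoted upstream URL in the change; harmless, but quote it for consistency with the sibling files.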
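Review bot: `api.insecure: true` together with `dashboard: true` serves the API and dashboard on the implicit `traefik` entrypoint (port 8080) with no authentication, so anything that can reach that port can read the full routing configuration, including the upstream URLs and middleware names from the dynamic files; whether the port is published is not visible here. Set `insecure: false` and, if the dashboard is wanted, expose it through a router on `websecure` with `service: api@internal` and the `authentik_sysmgr` middleware attached. With `# email:` commented out the ACME account registers without a contact address, so there are no expiry or incident notices from the CA; either fill it in or comment why it is omitted. `log.level: ERROR` suppresses the warnings Traefik prints at startup for configuration problems, so `INFO` is a safer level while this configuration is being brought up.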