From 303a03518a8e9e3fe90676b640904e1fdbfa741a Mon Sep 17 00:00:00 2001
From: "Lockszmith (runtipi@kateryna)"
Date: Fri, 13 Dec 2024 10:24:05 -0500
Subject: [PATCH] dynamic traefik configuration improvements

turned out that --providers.file.directory cli switch didn't override the file settings, and so, remapping the /etc/traefik dirs was a better approach.
---
.gitignore | 4 +-
_traefik.dynamic/dynamic/kasm-workspaces.yml | 42 -------------------
_traefik.dynamic/dynamic/kateryna_apps.yml | 29 -------------
_traefik/dynamic/http.yml | 4 ++
.../dynamic/mw.fwd-auth-sysmgr.yml | 0
_traefik/dynamic/mw.lan-only.yml | 8 ++++
.../dynamic/mw.secureHeaders.yml | 15 -------
.../ha.yml => _traefik/dynamic/rt.ha.yml | 0
_traefik/dynamic/tls.yml | 9 ++++
{_traefik.dynamic => _traefik}/traefik.yml | 18 +++++---
tipi-compose.yml | 25 +++++++++--
11 files changed, 57 insertions(+), 97 deletions(-)
delete mode 100644 _traefik.dynamic/dynamic/kasm-workspaces.yml
delete mode 100644 _traefik.dynamic/dynamic/kateryna_apps.yml
create mode 100644 _traefik/dynamic/http.yml
rename _traefik.dynamic/dynamic/fwd-auth-sysmgr.yml => _traefik/dynamic/mw.fwd-auth-sysmgr.yml (100%)
create mode 100644 _traefik/dynamic/mw.lan-only.yml
rename _traefik.dynamic/dynamic/dynamic.yml => _traefik/dynamic/mw.secureHeaders.yml (63%)
rename _traefik.dynamic/dynamic/ha.yml => _traefik/dynamic/rt.ha.yml (100%)
create mode 100644 _traefik/dynamic/tls.yml
rename {_traefik.dynamic => _traefik}/traefik.yml (57%)

diff --git a/.gitignore b/.gitignore
index 03e9ceb..c4cc9af 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,5 @@
 .env.local
-_traefik.dynamic/tls
-_traefik.dynamic/shared/acme.json
+_traefik/tls
+_traefik/shared
 **/app.env
 ddns-updater/config.json
diff --git a/_traefik.dynamic/dynamic/kasm-workspaces.yml b/_traefik.dynamic/dynamic/kasm-workspaces.yml
deleted file mode 100644
index 3d478bb..0000000
--- a/_traefik.dynamic/dynamic/kasm-workspaces.yml
+++ /dev/null
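Review bot: The new `_traefik/shared` ignore entry may no longer cover the ACME store: the static config keeps `storage: /shared/acme.json`, and tipi-compose.yml now binds `/shared` from `./traefik/shared`, not from `_traefik/shared`. If `./traefik/shared` resolves to a path inside this repository, acme.json (which holds the ACME account key and the issued certificates' private keys) is no longer matched by any ignore rule; if it resolves outside the repository, the `_traefik/shared` entry is dead. Worth confirming which directory actually receives acme.json and ignoring that one, e.g. `traefik/shared/acme.json`.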
@@ -1,42 +0,0 @@
-# http routing section
-http:
- routers:
- # Define a connection between requests and services
- "to-kasm-main":
- rule: "Host(`k.szk.li`)"
- entrypoints:
- - websecure
- # # If the rule matches, applies the middleware
- middlewares:
- - authentik_sysmgr
- # - test-user
- # If the rule matches, forward to the whoami service (declared below)
- service: kasm-main
- tls:
- certresolver: myresolver
-
- # Define a connection between requests and services
- "to-kasm-setup":
- rule: "Host(`ksetup.szk.li`)"
- entrypoints:
- - websecure
- # # If the rule matches, applies the middleware
- middlewares:
- - authentik_sysmgr
- # - test-user
- # If the rule matches, forward to the whoami service (declared below)
- service: kasm-setup
- tls:
- certresolver: myresolver
-
-
- services:
- # Define how to reach an existing service on our infrastructure
- kasm-main:
- loadBalancer:
- servers:
- - url: "https://kasm-workspaces:8744"
- kasm-setup:
- loadBalancer:
- servers:
- - url: "https://kasm-workspaces:8743"
diff --git a/_traefik.dynamic/dynamic/kateryna_apps.yml b/_traefik.dynamic/dynamic/kateryna_apps.yml
deleted file mode 100644
index aaf1d10..0000000
--- a/_traefik.dynamic/dynamic/kateryna_apps.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# http routing section
-http:
- routers:
- to-kateryna:
- rule: "Host(`kateryna.szk.li`)
- || Host(`kateryna.lksz.me`)
- || Host(`m.lksz.me`)
- || Host(`auth.lksz.me`)
- || Host(`sync.lksz.me`)
- || Host(`radarr.lksz.me`)
- || Host(`sonarr.lksz.me`)
- || Host(`prowlarr.lksz.me`)
- || Host(`req.lksz.me`)
- || Host(`jd.lksz.me`)
- || Host(`nzb.lksz.me`)
- || Host(`stats.player.lksz.me`)
- "
- entrypoints:
- - websecure
- service: kateryna-traefik
- tls:
- certresolver: myresolver
-
- services:
- # Define how to reach an existing service on our infrastructure
- kateryna-traefik:
- loadBalancer:
- servers:
- - url: https://kateryna.lksz.me
diff --git a/_traefik/dynamic/http.yml b/_traefik/dynamic/http.yml
new file mode 100644
index 0000000..ef2bee2
--- /dev/null
+++ b/_traefik/dynamic/http.yml
@@ -0,0 +1,4 @@
+http:
+ serversTransports:
+ insecuretransport:
+ insecureSkipVerify: true
diff --git a/_traefik.dynamic/dynamic/fwd-auth-sysmgr.yml b/_traefik/dynamic/mw.fwd-auth-sysmgr.yml
similarity index 100%
rename from _traefik.dynamic/dynamic/fwd-auth-sysmgr.yml
rename to _traefik/dynamic/mw.fwd-auth-sysmgr.yml
diff --git a/_traefik/dynamic/mw.lan-only.yml b/_traefik/dynamic/mw.lan-only.yml
new file mode 100644
index 0000000..0cab8f0
--- /dev/null
+++ b/_traefik/dynamic/mw.lan-only.yml
@@ -0,0 +1,8 @@
+# Accepts request from defined IP
+http:
+ middlewares:
+ lan-only:
+ ipWhiteList:
+ sourceRange:
+ - "127.0.0.1/32"
+ - "192.168.0.0/16"
\ No newline at end of file
diff --git a/_traefik.dynamic/dynamic/dynamic.yml b/_traefik/dynamic/mw.secureHeaders.yml
similarity index 63%
rename from _traefik.dynamic/dynamic/dynamic.yml
rename to _traefik/dynamic/mw.secureHeaders.yml
index 18769aa..3ca24bc 100644
--- a/_traefik.dynamic/dynamic/dynamic.yml
+++ b/_traefik/dynamic/mw.secureHeaders.yml
@@ -1,8 +1,4 @@
 http:
- serversTransports:
- insecuretransport:
- insecureSkipVerify: true
-
 middlewares:
 secureHeaders:
 headers:
@@ -18,14 +14,3 @@ http:
 permissionsPolicy: "camera=(), microphone=(), geolocation=()"
 customResponseHeaders:
 X-Robots-Tag: "noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
-
-tls:
- stores:
- default:
- defaultCertificate:
- certFile: /etc/traefik/tls/cert.pem
- keyFile: /etc/traefik/tls/key.pem
- certificates:
- - certFile: /etc/traefik/tls/cert.pem
- keyFile: /etc/traefik/tls/key.pem
-
diff --git a/_traefik.dynamic/dynamic/ha.yml b/_traefik/dynamic/rt.ha.yml
similarity index 100%
rename from _traefik.dynamic/dynamic/ha.yml
rename to _traefik/dynamic/rt.ha.yml
diff --git a/_traefik/dynamic/tls.yml b/_traefik/dynamic/tls.yml
new file mode 100644
index 0000000..39b4586
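Review bot: `_traefik/dynamic/http.yml` defines a named transport that turns off upstream certificate verification (`insecureSkipVerify: true`) with no note on which services are meant to use it, and nothing in this patch references `insecuretransport`. A header comment such as `# Opt-in transport for backends with self-signed certificates; a service only uses it when it sets serversTransport: insecuretransport` would make the scope explicit and discourage attaching it to services whose backends present valid certificates. Whether any router or service actually refers to this transport cannot be seen from the files in the diff.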
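Review bot: `mw.lan-only.yml` restricts by the connection's source address (no `ipStrategy` is set), so the `192.168.0.0/16` range only describes real clients if Traefik sees their address directly rather than that of an intermediate proxy; the static config's `entryPoints` section carries a `172.16.0.0/12` entry, and requests whose source falls in that network will not match this allow list — confirm that is the intent. The file also ends without a trailing newline (`\ No newline at end of file`). If the Traefik version in use is v3, the middleware is called `ipAllowList` and `ipWhiteList` is the deprecated spelling; the version is not visible in this patch.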
--- /dev/null +++ b/_traefik/dynamic/tls.yml @@ -0,0 +1,9 @@ +tls: + stores: + default: + defaultCertificate: + certFile: /etc/traefik/tls/cert.pem + keyFile: /etc/traefik/tls/key.pem + certificates: + - certFile: /etc/traefik/tls/cert.pem + keyFile: /etc/traefik/tls/key.pem diff --git a/_traefik.dynamic/traefik.yml b/_traefik/traefik.yml similarity index 57% rename from _traefik.dynamic/traefik.yml rename to _traefik/traefik.yml index 7c8216f..a1af91f 100644 --- a/_traefik.dynamic/traefik.yml +++ b/_traefik/traefik.yml @@ -4,7 +4,7 @@ api: providers: docker: - endpoint: 'unix:///var/run/docker.sock' + endpoint: "unix:///var/run/docker.sock" watch: true exposedByDefault: false file: @@ -31,12 +31,18 @@ entryPoints: - "172.16.0.0/12" certificatesResolvers: - httpresolver: + myresolver: acme: -# email: acme@thisprops.com + email: acme@thisprops.com storage: /shared/acme.json - httpChallenge: - entryPoint: web + # httpChallenge: + # entryPoint: web + #logging: true + dnsChallenge: + provider: cloudflare + resolvers: + - 1.1.1.1:53 # - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers[0]=1.1.1.1:53 + - 8.8.8.8:53 # - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers[1]=8.8.8.8:53 log: - level: ERROR + level: INFO diff --git a/tipi-compose.yml b/tipi-compose.yml index c25c122..b9b6d50 100644 --- a/tipi-compose.yml +++ b/tipi-compose.yml 
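Review bot: In `_traefik/dynamic/tls.yml` the `certificates:` entry repeats exactly the cert/key pair already given as `stores.default.defaultCertificate`, so it adds nothing and can be dropped. Its nesting cannot be recovered from the flattened patch; if it sits under `stores.default` rather than directly under `tls:`, Traefik does not read it there (`tls.certificates` is a top-level list whose entries may name their `stores`), and in that case it is silently ignored rather than an error. The key file referenced here lives under `/etc/traefik/tls`, which tipi-compose.yml binds read-write; see the note on that hunk.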
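Review bot: The static configuration is now declared in two places with different values: `_traefik/traefik.yml` sets `email: acme@thisprops.com` and resolvers `1.1.1.1:53` / `8.8.8.8:53`, while the `command:` block in tipi-compose.yml passes `${ACME_EMAIL:?}` and `1.1.1.1:53,1.0.0.1:53`. The commit message itself says the CLI switches did not override the file, so if that holds here the `command:` entries are dead configuration and the address hard-coded in the committed file is the one in effect. Keep a single source — either remove the `--certificatesresolvers.*` and `--log.level` flags from `command:` or drop those keys from the file — and the trailing `# - --certificatesresolvers.cloudflare...` comments on the two resolver lines name a resolver (`cloudflare`) that does not exist in this config and can go.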
@@ -4,16 +4,35 @@ services: - 8080:8080 command: - '--providers.docker' - - '--providers.file.directory=/srv/runtipi/user-config/_traefik.dynamic' + - '--providers.file.directory=/etc/traefik/dynamic' - '--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL}' - '--certificatesresolvers.myresolver.acme.storage=/shared/acme.json' - '--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare' + - "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53" + - '--log.level=INFO' environment: - CF_API_EMAIL: "${ACME_EMAIL}" - CF_DNS_API_TOKEN: "${CF_DNS_API_TOKEN}" + CF_API_EMAIL: "${ACME_EMAIL:?}" + CF_DNS_API_TOKEN: "${CF_DNS_API_TOKEN:?}" networks: - tipi_main_network - tipi_internal_network + volumes: + - type: bind + source: ./traefik/shared + target: /shared + read_only: false + - type: bind + source: ./traefik + target: /etc/traefik + read_only: false + - type: bind + source: ./user-config/_traefik/dynamic/ + target: /etc/traefik/dynamic/ + read_only: true + - type: bind + source: ./user-config/_traefik/traefik.yml + target: /etc/traefik/traefik.yml + read_only: true networks: tipi_internal_network:
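Review bot: The `./traefik` → `/etc/traefik` bind is `read_only: false`, so the directory that holds `tls/cert.pem` and `tls/key.pem` (referenced from `_traefik/dynamic/tls.yml`) stays writable from inside the container even though the `dynamic/` and `traefik.yml` mounts layered on top of it are read-only. The only persistent write visible in this patch is `/shared/acme.json`, which has its own mount, so `read_only: true` on the `/etc/traefik` bind looks feasible and would keep the key material immutable from the container — confirm nothing else writes there. As a style point, the new resolvers entry is double-quoted while the rest of `command:` uses single quotes; the enclosing `services:` mapping continues outside the hunk.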