dynamic traefik configuration improvements

It turned out that the `--providers.file.directory` CLI switch did not override the settings in the configuration file, so remapping the `/etc/traefik` directories (via bind mounts) was the better approach.
Lockszmith (runtipi@kateryna) 2024-12-13 10:24:05 -05:00
parent df961389c8
commit 303a03518a
11 changed files with 57 additions and 97 deletions

.gitignore vendored

@ -1,5 +1,5 @@
.env.local .env.local
_traefik.dynamic/tls _traefik/tls
_traefik.dynamic/shared/acme.json _traefik/shared
**/app.env **/app.env
ddns-updater/config.json ddns-updater/config.json
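Review bot: The new `_traefik/shared` and `_traefik/tls` rules do not obviously cover where the secrets now live: the compose change in this commit mounts the ACME storage from `./traefik/shared` and `/etc/traefik` (hence `tls/key.pem`) from `./traefik`, both relative to the compose file, not from a `_traefik/` directory. `acme.json` holds the ACME account key and the private key of every issued certificate, so if no other rule ignores `traefik/shared`, it is now committable. Confirm with `git check-ignore -v traefik/shared/acme.json traefik/tls/key.pem` from the repository root and add matching entries if either is unreported; the repository layout is only partly visible here, so this may already be handled elsewhere.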


@ -1,42 +0,0 @@
# http routing section
http:
routers:
# Define a connection between requests and services
"to-kasm-main":
rule: "Host(`k.szk.li`)"
entrypoints:
- websecure
# # If the rule matches, applies the middleware
middlewares:
- authentik_sysmgr
# - test-user
# If the rule matches, forward to the whoami service (declared below)
service: kasm-main
tls:
certresolver: myresolver
# Define a connection between requests and services
"to-kasm-setup":
rule: "Host(`ksetup.szk.li`)"
entrypoints:
- websecure
# # If the rule matches, applies the middleware
middlewares:
- authentik_sysmgr
# - test-user
# If the rule matches, forward to the whoami service (declared below)
service: kasm-setup
tls:
certresolver: myresolver
services:
# Define how to reach an existing service on our infrastructure
kasm-main:
loadBalancer:
servers:
- url: "https://kasm-workspaces:8744"
kasm-setup:
loadBalancer:
servers:
- url: "https://kasm-workspaces:8743"


@ -1,29 +0,0 @@
# http routing section
http:
routers:
to-kateryna:
rule: "Host(`kateryna.szk.li`)
|| Host(`kateryna.lksz.me`)
|| Host(`m.lksz.me`)
|| Host(`auth.lksz.me`)
|| Host(`sync.lksz.me`)
|| Host(`radarr.lksz.me`)
|| Host(`sonarr.lksz.me`)
|| Host(`prowlarr.lksz.me`)
|| Host(`req.lksz.me`)
|| Host(`jd.lksz.me`)
|| Host(`nzb.lksz.me`)
|| Host(`stats.player.lksz.me`)
"
entrypoints:
- websecure
service: kateryna-traefik
tls:
certresolver: myresolver
services:
# Define how to reach an existing service on our infrastructure
kateryna-traefik:
loadBalancer:
servers:
- url: https://kateryna.lksz.me


@ -0,0 +1,4 @@
http:
serversTransports:
insecuretransport:
insecureSkipVerify: true
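Review bot: `insecuretransport` turns off upstream certificate verification for every service that references it, and no service in this commit does (the removed kasm services pointed at `https://kasm-workspaces:8744`/`:8743` without a `serversTransport`), so its intended scope is not visible and should be documented above the entry: `# For self-signed internal backends only; never attach to a service reachable from an untrusted network`. Where the backend certificate is stable, pin it instead with `rootCAs:` listing the backend's CA file, which keeps TLS meaningful on the Docker network rather than accepting any certificate presented. If this transport was only moved here verbatim from the headers file for file layout, that is worth saying in the same comment.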


@ -0,0 +1,8 @@
# Accepts request from defined IP
http:
middlewares:
lan-only:
ipWhiteList:
sourceRange:
- "127.0.0.1/32"
- "192.168.0.0/16"
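Review bot: Without an `ipStrategy`, `lan-only` matches the TCP peer address, and the entryPoints config in this commit lists `172.16.0.0/12` as a trusted range, which hints that requests may arrive through a Docker-network hop; if they do, the peer is that hop's `172.x` address and the rule blocks LAN clients, while switching to `ipStrategy:` / `depth: 1` makes it trust `X-Forwarded-For`, which is only safe if that hop is trusted to set it. Decide which topology applies and write it down above the middleware, e.g. `# Matches the direct peer address; requests arriving via a proxy or tunnel need ipStrategy and a trusted hop`. Nothing in this commit attaches the middleware to a router yet, so it is untested, and Traefik v3 renames `ipWhiteList` to `ipAllowList` (the old key is deprecated), so check the deployed version. The header comment would read better as `# Allow requests only from loopback or 192.168/16 source addresses`.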


@ -1,8 +1,4 @@
http: http:
serversTransports:
insecuretransport:
insecureSkipVerify: true
middlewares: middlewares:
secureHeaders: secureHeaders:
headers: headers:
@ -18,14 +14,3 @@ http:
permissionsPolicy: "camera=(), microphone=(), geolocation=()" permissionsPolicy: "camera=(), microphone=(), geolocation=()"
customResponseHeaders: customResponseHeaders:
X-Robots-Tag: "noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex" X-Robots-Tag: "noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
tls:
stores:
default:
defaultCertificate:
certFile: /etc/traefik/tls/cert.pem
keyFile: /etc/traefik/tls/key.pem
certificates:
- certFile: /etc/traefik/tls/cert.pem
keyFile: /etc/traefik/tls/key.pem

_traefik/dynamic/tls.yml Normal file

@ -0,0 +1,9 @@
tls:
stores:
default:
defaultCertificate:
certFile: /etc/traefik/tls/cert.pem
keyFile: /etc/traefik/tls/key.pem
certificates:
- certFile: /etc/traefik/tls/cert.pem
keyFile: /etc/traefik/tls/key.pem
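Review bot: The `certificates` entry repeats the exact `cert.pem`/`key.pem` pair already set as `defaultCertificate`; unless the intent is for `cert.pem` to be served for its own SAN names ahead of ACME-issued ones, it is redundant and turns a key rotation into a two-place edit, so drop the `certificates:` block. Routers in this commit all carry `certresolver: myresolver`, so this store only answers SNI names with no ACME certificate; a header comment would make that clear: `# Fallback certificate for SNI names that have no ACME cert (see certificatesResolvers in traefik.yml)`. These paths resolve inside the `./traefik` → `/etc/traefik` bind mount that the compose change in this commit leaves read-write, so keep `key.pem` at mode 0600 on the host and consider a separate read-only mount for `tls/`.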


@ -4,7 +4,7 @@ api:
providers: providers:
docker: docker:
endpoint: 'unix:///var/run/docker.sock' endpoint: "unix:///var/run/docker.sock"
watch: true watch: true
exposedByDefault: false exposedByDefault: false
file: file:
@ -31,12 +31,18 @@ entryPoints:
- "172.16.0.0/12" - "172.16.0.0/12"
certificatesResolvers: certificatesResolvers:
httpresolver: myresolver:
acme: acme:
# email: acme@thisprops.com email: acme@thisprops.com
storage: /shared/acme.json storage: /shared/acme.json
httpChallenge: # httpChallenge:
entryPoint: web # entryPoint: web
#logging: true
dnsChallenge:
provider: cloudflare
resolvers:
- 1.1.1.1:53 # - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers[0]=1.1.1.1:53
- 8.8.8.8:53 # - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers[1]=8.8.8.8:53
log: log:
level: ERROR level: INFO
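Review bot: `email: acme@thisprops.com` is now hard-coded in the mounted `traefik.yml` while the compose `command:` in this commit still passes `--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL:?}`; as the commit message observes, the file is used in preference to CLI switches, so the env-driven value is presumably ignored and the two sources now disagree silently. Keep one source of truth: either remove the `certificatesresolvers.*` and `log.level` flags from the compose command or leave `email` (and the resolver) out of this file, with a comment noting which side wins, e.g. `# Static config: CLI flags in compose are ignored while this file is present`. The trailing `# - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers[...]` comments after the resolver entries are leftover CLI syntax referring to a `cloudflare` resolver that does not exist; drop them. The Cloudflare `dnsChallenge` needs only `CF_DNS_API_TOKEN`; make sure that token is scoped to DNS edit on the relevant zone rather than a global API key, since it sits in the container environment for the process lifetime.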


@ -4,16 +4,35 @@ services:
- 8080:8080 - 8080:8080
command: command:
- '--providers.docker' - '--providers.docker'
- '--providers.file.directory=/srv/runtipi/user-config/_traefik.dynamic' - '--providers.file.directory=/etc/traefik/dynamic'
- '--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL}' - '--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL}'
- '--certificatesresolvers.myresolver.acme.storage=/shared/acme.json' - '--certificatesresolvers.myresolver.acme.storage=/shared/acme.json'
- '--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare' - '--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare'
- "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53"
- '--log.level=INFO'
environment: environment:
CF_API_EMAIL: "${ACME_EMAIL}" CF_API_EMAIL: "${ACME_EMAIL:?}"
CF_DNS_API_TOKEN: "${CF_DNS_API_TOKEN}" CF_DNS_API_TOKEN: "${CF_DNS_API_TOKEN:?}"
networks: networks:
- tipi_main_network - tipi_main_network
- tipi_internal_network - tipi_internal_network
volumes:
- type: bind
source: ./traefik/shared
target: /shared
read_only: false
- type: bind
source: ./traefik
target: /etc/traefik
read_only: false
- type: bind
source: ./user-config/_traefik/dynamic/
target: /etc/traefik/dynamic/
read_only: true
- type: bind
source: ./user-config/_traefik/traefik.yml
target: /etc/traefik/traefik.yml
read_only: true
networks: networks:
tipi_internal_network: tipi_internal_network:
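Review bot: The `./traefik` → `/etc/traefik` bind is `read_only: false`, yet the only thing Traefik writes is the ACME storage, which already has its own writable `/shared` mount; the same tree holds `tls/cert.pem`/`tls/key.pem` used by the dynamic TLS store, so a compromised container could replace the serving key or its own static config. Change that mount to `read_only: true`, matching the nested `dynamic/` and `traefik.yml` mounts. The `:?` guards on `CF_API_EMAIL`/`CF_DNS_API_TOKEN` are a good addition, but the `--providers.file.directory`, `--certificatesresolvers.*` and `--log.level` flags duplicate what the mounted `traefik.yml` now defines and, per the commit message, are not honoured when that file is present, so drop them to avoid a misleading second configuration. Separately, the `8080:8080` context line above publishes the API port on every host interface; if `api.insecure` is enabled (the `api:` section is not visible here), bind it as `127.0.0.1:8080:8080`.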