Add m.lksz.me to kateryna_apps

It will be the permanent location of the dynamic traefik config

.gitignore

@@ -1,5 +1,5 @@
 .env.local
-_copy_to_traefik/tls
+_traefik.dynamic/tls
-_copy_to_traefik/shared/acme.json
+_traefik.dynamic/shared/acme.json
 **/app.env
 ddns-updater/config.json

_bin/runtipictl

@@ -58,8 +58,8 @@ dls() {
     local base='{{.Status}}\t{{.ID}}\t{{.Names}}\t{{.Image}}' #'\t{{.Networks}}\t{{.Ports}}\t{{.Mounts}}'
     local compose='{{.Label "com.docker.compose.project"}}\t{{.Label "com.docker.compose.service"}}'
     local format="table $compose\t$base"
-    ROOT_EXEC=1 jlmkr-exec \
+    ROOT_EXEC=1 QUIET=${QUIET:-0} jlmkr-exec \
-        docker "container ls --all --format '$format' | ( sed -u 1q ; sed -Ee 's|^|555|; s|^555runtipi|000runtipi|;' | sort | sed -Ee 's/^[[:digit:]]{3}//' )"
+        docker "container ls --all --format '$format' | ( sed -u '1s/.*/\U&/; q'; sed -Ee 's|^|555|; s|^555runtipi|000runtipi|;' | sort | sed -Ee 's/^[[:digit:]]{3}//' )"
 }
 
 case "${1}" in
@@ -67,7 +67,7 @@ case "${1}" in
         runtipi-cli "${@:2}"
         ;;
     log)
-        jlmkr-exec docker compose --env-file user-config/.env.local logs --tail=${TAIL:-40} "${2:-runtipi}" ${3:+"${@:3}"}
+        jlmkr-exec "POSTGRES_PASSWORD=_ TIPI_VERSION=_ LOCAL_DOMAIN=_ DOMAIN=_" docker compose --env-file user-config/.env.local logs --tail=${TAIL:-40} "${2:-runtipi}" ${3:+"${@:3}"}
         ;;
     start)
         runtipi-cli start --env-file user-config/.env.local --no-permissions
@@ -108,6 +108,7 @@ case "${1}" in
             "" "" "" \
             "" "cli"        "runtipi-cli" \
             "" "dcoapp"     "docker compose for runtipi apps" \
+            "" "dls"        "stylized docker ls" \
             "" "docker"     "docker" \
             "" "dockge"     "dokcer compose for dockge stacks" \
             "" "exec"       "execute within the shell, START_DIR env applies" \

_copy_to_traefik/dynamic/fwd-auth-sysmgr.yml

@@ -1,18 +0,0 @@
-http:
-  middlewares:
-    authentik_sysmgr:
-      forwardAuth:
-        address: https://auth.szk.li/outpost.goauthentik.io/auth/traefik
-        trustForwardHeader: true
-        authResponseHeaders:
-          - X-authentik-username
-          - X-authentik-groups
-          - X-authentik-email
-          - X-authentik-name
-          - X-authentik-uid
-          - X-authentik-jwt
-          - X-authentik-meta-jwks
-          - X-authentik-meta-outpost
-          - X-authentik-meta-provider
-          - X-authentik-meta-app
-          - X-authentik-meta-version

_template/app.env

@@ -1,2 +1,2 @@
-# VARIABLE=value #comment# VARIABLE=value #comment
+# VARIABLE=value #comment
-# APP_ROUTE_OPTIONAL=" || Host(`www.example.com`)"
+APP_ROUTE_OPTIONAL=${LEGACY_ROOT_DOMAIN:+ || Host(`example.${LEGACY_ROOT_DOMAIN}`)}

_template/docker-compose.yml

@@ -2,6 +2,8 @@ services:
   <service-name>:
     hostname: <service-name>.docker
     environment:
+      PUID: "${SZ_USER_UID}"
+      PGID: "${SZ_USER_GID}"
       # RUNTIPI Environment
       RUNTIPI_APP_PORT: "${APP_PORT}"
       RUNTIPI_APP_ID: "${APP_ID}"
@@ -12,8 +14,6 @@ services:
       RUNTIPI_LOCAL_DOMAIN: "${LOCAL_DOMAIN}"
       RUNTIPI_DOMAIN: "${DOMAIN}"
       RUNTIPI_ROOT_DOMAIN: "${ROOT_DOMAIN}"
-      PUID: "${SZ_USER_UID}"
-      PGID: "${SZ_USER_GID}"
     # volumes_from:
     # - "container:vols-dl"
     # - "container:vols-personal-media"

_traefik.dynamic/dynamic/dynamic.yml

@@ -2,6 +2,7 @@ http:
   serversTransports:
     insecuretransport:
       insecureSkipVerify: true
+      
   middlewares:
     secureHeaders:
       headers:

_traefik.dynamic/dynamic/fwd-auth-sysmgr.yml

@@ -0,0 +1,19 @@
+http:
+  middlewares:
+    authentik_sysmgr:
+      forwardAuth:
+        address: https://auth.szk.li/outpost.goauthentik.io/auth/traefik
+        trustForwardHeader: true
+        authResponseHeadersRegex: "^[Xx]-[Aa]uthentik"
+        # authResponseHeaders:
+        #   - X-authentik-username
+        #   - X-authentik-groups
+        #   - X-authentik-email
+        #   - X-authentik-name
+        #   - X-authentik-uid
+        #   - X-authentik-jwt
+        #   - X-authentik-meta-jwks
+        #   - X-authentik-meta-outpost
+        #   - X-authentik-meta-provider
+        #   - X-authentik-meta-app
+        #   - X-authentik-meta-version

_traefik.dynamic/dynamic/kateryna_apps.yml

@@ -1,23 +1,12 @@
 # http routing section
 http:
   routers:
-    to-auth:
-      rule: "Host(`auth.lksz.me`)"
-      entrypoints:
-      - websecure
-      service: kateryna-traefik
-      tls:
-        certresolver: myresolver
-    to-syncthing:
-      rule: "Host(`sync.lksz.me`)" 
-      entrypoints:
-      - websecure
-      service: kateryna-traefik
-      tls:
-        certresolver: myresolver
     to-kateryna:
       rule: "Host(`kateryna.szk.li`)
         || Host(`kateryna.lksz.me`)
+        || Host(`m.lksz.me`)
+        || Host(`auth.lksz.me`)
+        || Host(`sync.lksz.me`)
         || Host(`radarr.lksz.me`)
         || Host(`sonarr.lksz.me`)
         || Host(`prowlarr.lksz.me`)

_traefik.dynamic/traefik.yml

@@ -14,6 +14,10 @@ providers:
 entryPoints:
   web:
     address: ':80'
+    forwardedHeaders:
+      trustedIPs:
+        - "127.0.0.1/32"
+        - "172.16.0.0/12"
     http:
       redirections:
         entryPoint:
@@ -21,6 +25,10 @@ entryPoints:
           scheme: 'https'
   websecure:
     address: ':443'
+    forwardedHeaders:
+      trustedIPs:
+        - "127.0.0.1/32"
+        - "172.16.0.0/12"
 
 certificatesResolvers:
   httpresolver:

ddns-updater/docker-compose.yml

@@ -3,33 +3,49 @@ services:
     environment:
       USER_UID: "${SZ_USER_UID}"
       USER_GID: "${SZ_USER_GID}"
-    # user: "${SZ_USER_UID}"
 
-    # environment:
+      ### Configuration
-    #   - CONFIG=
+      # DATADIR: "/updater/data"
-    #   - PERIOD=5m
+      # CONFIG_FILEPATH: "/updater/data/config.json"
-    #   - UPDATE_COOLDOWN_PERIOD=5m
+      # CONFIG: ""
-    #   - PUBLICIP_FETCHERS=all
+      # PERIOD: "5m"
-    #   - PUBLICIP_HTTP_PROVIDERS=all
-    #   - PUBLICIPV4_HTTP_PROVIDERS=all
-    #   - PUBLICIPV6_HTTP_PROVIDERS=all
-    #   - PUBLICIP_DNS_PROVIDERS=all
-    #   - PUBLICIP_DNS_TIMEOUT=3s
-    #   - HTTP_TIMEOUT=10s
       
-    #   # Web UI
+      # UPDATE_COOLDOWN_PERIOD: "5m"
-    #   - LISTENING_ADDRESS=:8000
+      # PUBLICIP_FETCHERS: "all"
-    #   - ROOT_URL=/
+      # PUBLICIP_HTTP_PROVIDERS: "all"
+      # PUBLICIPV4_HTTP_PROVIDERS: "all"
+      # PUBLICIPV6_HTTP_PROVIDERS: "all"
+      # PUBLICIP_DNS_PROVIDERS: "all"
+      # PUBLICIP_DNS_TIMEOUT: "3s"
+      # HTTP_TIMEOUT: "10s"
 
-    #   # Backup
+      # RESOLVER_ADDRESS: ""
-    #   - BACKUP_PERIOD=0 # 0 to disable
+      # RESOLVER_TIMEOUT: "5s"
-    #   - BACKUP_DIRECTORY=/updater/data
 
-    #   # Other
+      ### Web UI
-    #   - LOG_LEVEL=info
+      # SERVER_ENABLED: "yes"
-    #   - LOG_CALLER=hidden
+      # LISTENING_ADDRESS: ":8000"
-    #   - SHOUTRRR_ADDRESSES=
+      # ROOT_URL: "/"
-    # restart: always
+
+      ### Backup
+      # BACKUP_PERIOD: "0"
+      # BACKUP_DIRECTORY: "/updater/data"
+
+      ### Other
+      # LOG_LEVEL: "info"
+      # LOG_CALLER: "hidden"
+
+      ### SHOUTRRR
+      # SHOUTRRR_ADDRESSES: ""
+      # SHOUTRRR_DEFAULT_TITLE: "DDNS Updater"
+      
+      ### Health Check
+      # HEALTH_SERVER_ADDRESS: "127.0.0.1:9999"
+      # HEALTH_HEALTHCHECKSIO_BASE_URL: "https://hc-ping.com"
+      # HEALTH_HEALTHCHECKSIO_UUID: ""
+    labels:
+      traefik.http.routers.ddns-updater.rule: Host(`ddns.${ROOT_DOMAIN}`)
+      traefik.http.routers.ddns-updater.middlewares: authentik_sysmgr@file
 
     volumes:
     #- dummy:/updater/data:ro

forgejo/docker-compose.yml

@@ -0,0 +1,18 @@
+services:
+  forgejo:
+    environment:
+      USER_UID: "${SZ_USER_UID}"
+      USER_GID: "${SZ_USER_GID}"
+
+      FORGEJO__server__DOMAIN: "code.${ALT_ROOT_DOMAIN}"
+      FORGEJO__server__ROOT_URL: "https://code.${ALT_ROOT_DOMAIN}"
+      FORGEJO__server__SSH_DOMAIN: "code.${ALT_ROOT_DOMAIN}"
+
+    labels:
+    # Websecure
+      traefik.http.routers.forgejo-more.rule: Host(`code.${ROOT_DOMAIN}`)${APP_ROUTE_OPTIONAL:-}
+      traefik.http.routers.forgejo-more.entrypoints: websecure
+      traefik.http.routers.forgejo-more.service: forgejo
+    # traefik.http.routers.forgejo-more.middlewares: authentik_sysmgr@file
+      traefik.http.routers.forgejo-more.tls: true
+      traefik.http.routers.forgejo-more.tls.certresolver: myresolver

tipi-compose.yml

@@ -4,11 +4,20 @@ services:
       - 8080:8080
     command: 
       - '--providers.docker'
-      - '--providers.file.directory=/srv/runtipi/traefik/dynamic'
+      - '--providers.file.directory=/srv/runtipi/user-config/_traefik.dynamic'
       - '--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL}'
       - '--certificatesresolvers.myresolver.acme.storage=/shared/acme.json'
-      - '--certificatesresolvers.myresolver.acme.dnshallenge.entrypoint=cloudflare'
+      - '--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare'
     environment:
       CF_API_EMAIL: "${ACME_EMAIL}"
       CF_DNS_API_TOKEN: "${CF_DNS_API_TOKEN}"
+    networks:
+    - tipi_main_network
+    - tipi_internal_network
+
+networks:
+  tipi_internal_network:
+    internal: true
+    attachable: true
+    name: runtipi_internal_network