Compare commits

...

11 Commits

Author SHA1 Message Date
Lockszmith (@kateryna) 19bf22a19f Add m.lksz.me to kateryna_apps 2024-12-08 16:55:58 -05:00
Lockszmith (@kateryna) ba135cde97 Improve runtipi dls output (uppercase headers) 2024-12-08 16:55:19 -05:00
Lockszmith (@kateryna) 954a6935ac Updated user-config template 2024-12-08 16:53:10 -05:00
Lockszmith (runtipi@kateryna) 52a35d6fa9 expose ddns-updater behind authentik 2024-12-08 14:49:24 -05:00
Lockszmith (runtipi@kateryna) 1a5fcea90e Add forgejo 2024-12-08 14:49:24 -05:00
Lockszmith (runtipi@kateryna) bb6531fc44 add internal IP addresses to trusted forwardedHeaders 2024-12-08 14:49:24 -05:00
Lockszmith (runtipi@kateryna) b8b33c280f switch forwardAuth response headers matching to RegEx 2024-12-08 14:49:24 -05:00
Lockszmith (runtipi@kateryna) fca5cfed8a cleanup kateryna-apps 2024-12-08 14:49:24 -05:00
Lockszmith (runtipi@kateryna) 57254b4bf3 reduce noise for runtipictl log 2024-12-08 14:49:24 -05:00
Lockszmith (runtipi@kateryna) 35049fb94c add an internal network for better isolation 2024-12-08 14:49:24 -05:00
Lockszmith (runtipi@kateryna) a31e7c6cd3 moved _copy_to_traefik into _traefik.dynamic
It will be the permanent location of the dynamic traefik config
2024-12-08 14:49:24 -05:00
15 changed files with 109 additions and 409 deletions

4
.gitignore vendored
View File

@ -1,5 +1,5 @@
.env.local .env.local
_copy_to_traefik/tls _traefik.dynamic/tls
_copy_to_traefik/shared/acme.json _traefik.dynamic/shared/acme.json
**/app.env **/app.env
ddns-updater/config.json ddns-updater/config.json

View File

@ -58,8 +58,8 @@ dls() {
local base='{{.Status}}\t{{.ID}}\t{{.Names}}\t{{.Image}}' #'\t{{.Networks}}\t{{.Ports}}\t{{.Mounts}}' local base='{{.Status}}\t{{.ID}}\t{{.Names}}\t{{.Image}}' #'\t{{.Networks}}\t{{.Ports}}\t{{.Mounts}}'
local compose='{{.Label "com.docker.compose.project"}}\t{{.Label "com.docker.compose.service"}}' local compose='{{.Label "com.docker.compose.project"}}\t{{.Label "com.docker.compose.service"}}'
local format="table $compose\t$base" local format="table $compose\t$base"
ROOT_EXEC=1 jlmkr-exec \ ROOT_EXEC=1 QUIET=${QUIET:-0} jlmkr-exec \
docker "container ls --all --format '$format' | ( sed -u 1q ; sed -Ee 's|^|555|; s|^555runtipi|000runtipi|;' | sort | sed -Ee 's/^[[:digit:]]{3}//' )" docker "container ls --all --format '$format' | ( sed -u '1s/.*/\U&/; q'; sed -Ee 's|^|555|; s|^555runtipi|000runtipi|;' | sort | sed -Ee 's/^[[:digit:]]{3}//' )"
} }
case "${1}" in case "${1}" in
@ -67,7 +67,7 @@ case "${1}" in
runtipi-cli "${@:2}" runtipi-cli "${@:2}"
;; ;;
log) log)
jlmkr-exec docker compose --env-file user-config/.env.local logs --tail=${TAIL:-40} "${2:-runtipi}" ${3:+"${@:3}"} jlmkr-exec "POSTGRES_PASSWORD=_ TIPI_VERSION=_ LOCAL_DOMAIN=_ DOMAIN=_" docker compose --env-file user-config/.env.local logs --tail=${TAIL:-40} "${2:-runtipi}" ${3:+"${@:3}"}
;; ;;
start) start)
runtipi-cli start --env-file user-config/.env.local --no-permissions runtipi-cli start --env-file user-config/.env.local --no-permissions
@ -108,6 +108,7 @@ case "${1}" in
"" "" "" \ "" "" "" \
"" "cli" "runtipi-cli" \ "" "cli" "runtipi-cli" \
"" "dcoapp" "docker compose for runtipi apps" \ "" "dcoapp" "docker compose for runtipi apps" \
"" "dls" "stylized docker ls" \
"" "docker" "docker" \ "" "docker" "docker" \
"" "dockge" "dokcer compose for dockge stacks" \ "" "dockge" "dokcer compose for dockge stacks" \
"" "exec" "execute within the shell, START_DIR env applies" \ "" "exec" "execute within the shell, START_DIR env applies" \

View File

@ -1,18 +0,0 @@
http:
middlewares:
authentik_sysmgr:
forwardAuth:
address: https://auth.szk.li/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version

File diff suppressed because one or more lines are too long

View File

@ -1,2 +1,2 @@
# VARIABLE=value #comment# VARIABLE=value #comment # VARIABLE=value #comment
# APP_ROUTE_OPTIONAL=" || Host(`www.example.com`)" APP_ROUTE_OPTIONAL=${LEGACY_ROOT_DOMAIN:+ || Host(`example.${LEGACY_ROOT_DOMAIN}`)}

View File

@ -2,6 +2,8 @@ services:
<service-name>: <service-name>:
hostname: <service-name>.docker hostname: <service-name>.docker
environment: environment:
PUID: "${SZ_USER_UID}"
PGID: "${SZ_USER_GID}"
# RUNTIPI Environment # RUNTIPI Environment
RUNTIPI_APP_PORT: "${APP_PORT}" RUNTIPI_APP_PORT: "${APP_PORT}"
RUNTIPI_APP_ID: "${APP_ID}" RUNTIPI_APP_ID: "${APP_ID}"
@ -12,8 +14,6 @@ services:
RUNTIPI_LOCAL_DOMAIN: "${LOCAL_DOMAIN}" RUNTIPI_LOCAL_DOMAIN: "${LOCAL_DOMAIN}"
RUNTIPI_DOMAIN: "${DOMAIN}" RUNTIPI_DOMAIN: "${DOMAIN}"
RUNTIPI_ROOT_DOMAIN: "${ROOT_DOMAIN}" RUNTIPI_ROOT_DOMAIN: "${ROOT_DOMAIN}"
PUID: "${SZ_USER_UID}"
PGID: "${SZ_USER_GID}"
# volumes_from: # volumes_from:
# - "container:vols-dl" # - "container:vols-dl"
# - "container:vols-personal-media" # - "container:vols-personal-media"

View File

@ -2,6 +2,7 @@ http:
serversTransports: serversTransports:
insecuretransport: insecuretransport:
insecureSkipVerify: true insecureSkipVerify: true
middlewares: middlewares:
secureHeaders: secureHeaders:
headers: headers:

View File

@ -0,0 +1,19 @@
http:
middlewares:
authentik_sysmgr:
forwardAuth:
address: https://auth.szk.li/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeadersRegex: "^[Xx]-[Aa]uthentik"
# authResponseHeaders:
# - X-authentik-username
# - X-authentik-groups
# - X-authentik-email
# - X-authentik-name
# - X-authentik-uid
# - X-authentik-jwt
# - X-authentik-meta-jwks
# - X-authentik-meta-outpost
# - X-authentik-meta-provider
# - X-authentik-meta-app
# - X-authentik-meta-version

View File

@ -1,23 +1,12 @@
# http routing section # http routing section
http: http:
routers: routers:
to-auth:
rule: "Host(`auth.lksz.me`)"
entrypoints:
- websecure
service: kateryna-traefik
tls:
certresolver: myresolver
to-syncthing:
rule: "Host(`sync.lksz.me`)"
entrypoints:
- websecure
service: kateryna-traefik
tls:
certresolver: myresolver
to-kateryna: to-kateryna:
rule: "Host(`kateryna.szk.li`) rule: "Host(`kateryna.szk.li`)
|| Host(`kateryna.lksz.me`) || Host(`kateryna.lksz.me`)
|| Host(`m.lksz.me`)
|| Host(`auth.lksz.me`)
|| Host(`sync.lksz.me`)
|| Host(`radarr.lksz.me`) || Host(`radarr.lksz.me`)
|| Host(`sonarr.lksz.me`) || Host(`sonarr.lksz.me`)
|| Host(`prowlarr.lksz.me`) || Host(`prowlarr.lksz.me`)

View File

@ -14,6 +14,10 @@ providers:
entryPoints: entryPoints:
web: web:
address: ':80' address: ':80'
forwardedHeaders:
trustedIPs:
- "127.0.0.1/32"
- "172.16.0.0/12"
http: http:
redirections: redirections:
entryPoint: entryPoint:
@ -21,6 +25,10 @@ entryPoints:
scheme: 'https' scheme: 'https'
websecure: websecure:
address: ':443' address: ':443'
forwardedHeaders:
trustedIPs:
- "127.0.0.1/32"
- "172.16.0.0/12"
certificatesResolvers: certificatesResolvers:
httpresolver: httpresolver:

View File

@ -3,33 +3,49 @@ services:
environment: environment:
USER_UID: "${SZ_USER_UID}" USER_UID: "${SZ_USER_UID}"
USER_GID: "${SZ_USER_GID}" USER_GID: "${SZ_USER_GID}"
# user: "${SZ_USER_UID}"
# environment: ### Configuration
# - CONFIG= # DATADIR: "/updater/data"
# - PERIOD=5m # CONFIG_FILEPATH: "/updater/data/config.json"
# - UPDATE_COOLDOWN_PERIOD=5m # CONFIG: ""
# - PUBLICIP_FETCHERS=all # PERIOD: "5m"
# - PUBLICIP_HTTP_PROVIDERS=all
# - PUBLICIPV4_HTTP_PROVIDERS=all # UPDATE_COOLDOWN_PERIOD: "5m"
# - PUBLICIPV6_HTTP_PROVIDERS=all # PUBLICIP_FETCHERS: "all"
# - PUBLICIP_DNS_PROVIDERS=all # PUBLICIP_HTTP_PROVIDERS: "all"
# - PUBLICIP_DNS_TIMEOUT=3s # PUBLICIPV4_HTTP_PROVIDERS: "all"
# - HTTP_TIMEOUT=10s # PUBLICIPV6_HTTP_PROVIDERS: "all"
# PUBLICIP_DNS_PROVIDERS: "all"
# PUBLICIP_DNS_TIMEOUT: "3s"
# HTTP_TIMEOUT: "10s"
# # Web UI # RESOLVER_ADDRESS: ""
# - LISTENING_ADDRESS=:8000 # RESOLVER_TIMEOUT: "5s"
# - ROOT_URL=/
# # Backup ### Web UI
# - BACKUP_PERIOD=0 # 0 to disable # SERVER_ENABLED: "yes"
# - BACKUP_DIRECTORY=/updater/data # LISTENING_ADDRESS: ":8000"
# ROOT_URL: "/"
# # Other ### Backup
# - LOG_LEVEL=info # BACKUP_PERIOD: "0"
# - LOG_CALLER=hidden # BACKUP_DIRECTORY: "/updater/data"
# - SHOUTRRR_ADDRESSES=
# restart: always ### Other
# LOG_LEVEL: "info"
# LOG_CALLER: "hidden"
### SHOUTRRR
# SHOUTRRR_ADDRESSES: ""
# SHOUTRRR_DEFAULT_TITLE: "DDNS Updater"
### Health Check
# HEALTH_SERVER_ADDRESS: "127.0.0.1:9999"
# HEALTH_HEALTHCHECKSIO_BASE_URL: "https://hc-ping.com"
# HEALTH_HEALTHCHECKSIO_UUID: ""
labels:
traefik.http.routers.ddns-updater.rule: Host(`ddns.${ROOT_DOMAIN}`)
traefik.http.routers.ddns-updater.middlewares: authentik_sysmgr@file
volumes: volumes:
#- dummy:/updater/data:ro #- dummy:/updater/data:ro

View File

@ -0,0 +1,18 @@
services:
forgejo:
environment:
USER_UID: "${SZ_USER_UID}"
USER_GID: "${SZ_USER_GID}"
FORGEJO__server__DOMAIN: "code.${ALT_ROOT_DOMAIN}"
FORGEJO__server__ROOT_URL: "https://code.${ALT_ROOT_DOMAIN}"
FORGEJO__server__SSH_DOMAIN: "code.${ALT_ROOT_DOMAIN}"
labels:
# Websecure
traefik.http.routers.forgejo-more.rule: Host(`code.${ROOT_DOMAIN}`)${APP_ROUTE_OPTIONAL:-}
traefik.http.routers.forgejo-more.entrypoints: websecure
traefik.http.routers.forgejo-more.service: forgejo
# traefik.http.routers.forgejo-more.middlewares: authentik_sysmgr@file
traefik.http.routers.forgejo-more.tls: true
traefik.http.routers.forgejo-more.tls.certresolver: myresolver

View File

@ -4,11 +4,20 @@ services:
- 8080:8080 - 8080:8080
command: command:
- '--providers.docker' - '--providers.docker'
- '--providers.file.directory=/srv/runtipi/traefik/dynamic' - '--providers.file.directory=/srv/runtipi/user-config/_traefik.dynamic'
- '--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL}' - '--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL}'
- '--certificatesresolvers.myresolver.acme.storage=/shared/acme.json' - '--certificatesresolvers.myresolver.acme.storage=/shared/acme.json'
- '--certificatesresolvers.myresolver.acme.dnshallenge.entrypoint=cloudflare' - '--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare'
environment: environment:
CF_API_EMAIL: "${ACME_EMAIL}" CF_API_EMAIL: "${ACME_EMAIL}"
CF_DNS_API_TOKEN: "${CF_DNS_API_TOKEN}" CF_DNS_API_TOKEN: "${CF_DNS_API_TOKEN}"
networks:
- tipi_main_network
- tipi_internal_network
networks:
tipi_internal_network:
internal: true
attachable: true
name: runtipi_internal_network