


Lockszmith (@kateryna) 19bf22a19f Add m.lksz.me to kateryna_apps 2024-12-08 16:55:58 -05:00
Lockszmith (@kateryna) ba135cde97 Improve runtipi dls output (uppercase headers) 2024-12-08 16:55:19 -05:00
Lockszmith (@kateryna) 954a6935ac Updated user-config template 2024-12-08 16:53:10 -05:00
Lockszmith (runtipi@kateryna) 52a35d6fa9 expose ddns-updater behind authentik 2024-12-08 14:49:24 -05:00
Lockszmith (runtipi@kateryna) 1a5fcea90e Add forgejo 2024-12-08 14:49:24 -05:00
Lockszmith (runtipi@kateryna) bb6531fc44 add internal IP addresses to trusted forwardedHeaders 2024-12-08 14:49:24 -05:00
Lockszmith (runtipi@kateryna) b8b33c280f switch forwardAuth response headers matching to RegEx 2024-12-08 14:49:24 -05:00
Lockszmith (runtipi@kateryna) fca5cfed8a cleanup kateryna-apps 2024-12-08 14:49:24 -05:00
Lockszmith (runtipi@kateryna) 57254b4bf3 reduce noise for runtipictl log 2024-12-08 14:49:24 -05:00
Lockszmith (runtipi@kateryna) 35049fb94c add an internal network for better isolation 2024-12-08 14:49:24 -05:00
Lockszmith (runtipi@kateryna) a31e7c6cd3 moved _copy_to_traefik into _traefik.dynamic
It will be the permanent location of the dynamic traefik config
2024-12-08 14:49:24 -05:00
15 changed files with 109 additions and 409 deletions

.gitignore vendored

@ -1,5 +1,5 @@
.env.local
_copy_to_traefik/tls
_copy_to_traefik/shared/acme.json
_traefik.dynamic/tls
_traefik.dynamic/shared/acme.json
**/app.env
ddns-updater/config.json


@ -58,8 +58,8 @@ dls() {
local base='{{.Status}}\t{{.ID}}\t{{.Names}}\t{{.Image}}' #'\t{{.Networks}}\t{{.Ports}}\t{{.Mounts}}'
local compose='{{.Label "com.docker.compose.project"}}\t{{.Label "com.docker.compose.service"}}'
local format="table $compose\t$base"
ROOT_EXEC=1 jlmkr-exec \
docker "container ls --all --format '$format' | ( sed -u 1q ; sed -Ee 's|^|555|; s|^555runtipi|000runtipi|;' | sort | sed -Ee 's/^[[:digit:]]{3}//' )"
ROOT_EXEC=1 QUIET=${QUIET:-0} jlmkr-exec \
docker "container ls --all --format '$format' | ( sed -u '1s/.*/\U&/; q'; sed -Ee 's|^|555|; s|^555runtipi|000runtipi|;' | sort | sed -Ee 's/^[[:digit:]]{3}//' )"
}
case "${1}" in
@ -67,7 +67,7 @@ case "${1}" in
runtipi-cli "${@:2}"
;;
log)
jlmkr-exec docker compose --env-file user-config/.env.local logs --tail=${TAIL:-40} "${2:-runtipi}" ${3:+"${@:3}"}
jlmkr-exec "POSTGRES_PASSWORD=_ TIPI_VERSION=_ LOCAL_DOMAIN=_ DOMAIN=_" docker compose --env-file user-config/.env.local logs --tail=${TAIL:-40} "${2:-runtipi}" ${3:+"${@:3}"}
;;
start)
runtipi-cli start --env-file user-config/.env.local --no-permissions
@ -108,6 +108,7 @@ case "${1}" in
"" "" "" \
"" "cli" "runtipi-cli" \
"" "dcoapp" "docker compose for runtipi apps" \
"" "dls" "stylized docker ls" \
"" "docker" "docker" \
"" "dockge" "dokcer compose for dockge stacks" \
"" "exec" "execute within the shell, START_DIR env applies" \


@ -1,18 +0,0 @@
http:
middlewares:
authentik_sysmgr:
forwardAuth:
address: https://auth.szk.li/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version



@ -1,2 +1,2 @@
# VARIABLE=value #comment# VARIABLE=value #comment
# APP_ROUTE_OPTIONAL=" || Host(`www.example.com`)"
# VARIABLE=value #comment
APP_ROUTE_OPTIONAL=${LEGACY_ROOT_DOMAIN:+ || Host(`example.${LEGACY_ROOT_DOMAIN}`)}
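Review bot: The new `APP_ROUTE_OPTIONAL` value nests `${LEGACY_ROOT_DOMAIN}` inside a `${VAR:+...}` alternate, and whether nested references are expanded depends on which interpolation reads this file (apparently Docker Compose, given `--env-file user-config/.env.local` elsewhere in this compare); if it is not, a literal `${LEGACY_ROOT_DOMAIN}` ends up inside a Traefik `Host()` rule. A comment pinning the expectation would catch that early, e.g. `# needs nested ${} expansion by the env-file reader; check the rendered rule with 'docker compose config'`. The backticks are Traefik rule syntax rather than command substitution, which holds only as long as this file is read by compose's interpolation and never sourced by a shell — worth stating in the same comment.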


@ -2,6 +2,8 @@ services:
<service-name>:
hostname: <service-name>.docker
environment:
PUID: "${SZ_USER_UID}"
PGID: "${SZ_USER_GID}"
# RUNTIPI Environment
RUNTIPI_APP_PORT: "${APP_PORT}"
RUNTIPI_APP_ID: "${APP_ID}"
@ -12,8 +14,6 @@ services:
RUNTIPI_LOCAL_DOMAIN: "${LOCAL_DOMAIN}"
RUNTIPI_DOMAIN: "${DOMAIN}"
RUNTIPI_ROOT_DOMAIN: "${ROOT_DOMAIN}"
PUID: "${SZ_USER_UID}"
PGID: "${SZ_USER_GID}"
# volumes_from:
# - "container:vols-dl"
# - "container:vols-personal-media"


@ -2,6 +2,7 @@ http:
serversTransports:
insecuretransport:
insecureSkipVerify: true
middlewares:
secureHeaders:
headers:


@ -0,0 +1,19 @@
http:
middlewares:
authentik_sysmgr:
forwardAuth:
address: https://auth.szk.li/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeadersRegex: "^[Xx]-[Aa]uthentik"
# authResponseHeaders:
# - X-authentik-username
# - X-authentik-groups
# - X-authentik-email
# - X-authentik-name
# - X-authentik-uid
# - X-authentik-jwt
# - X-authentik-meta-jwks
# - X-authentik-meta-outpost
# - X-authentik-meta-provider
# - X-authentik-meta-app
# - X-authentik-meta-version
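Review bot: `authResponseHeadersRegex: "^[Xx]-[Aa]uthentik"` only case-folds the first letters and has no terminator, so it would also forward an unrelated header such as `X-AuthentikSomething`; Traefik's RE2 engine accepts a case-insensitive flag, so `authResponseHeadersRegex: "(?i)^x-authentik-"` says the same thing more precisely and keeps the trailing hyphen that every name in the old explicit list shares. The eleven commented-out header names below duplicate what the regex expresses and will drift as Authentik adds or renames headers; a single comment such as `# forwards every X-authentik-* header set by the outpost (username, groups, email, jwt, meta-*)` keeps the intent without a stale list. Worth recording as well that Traefik removes request headers matching this regex before copying the outpost's response headers, so a client cannot pre-seed `X-authentik-*` values — confirm against the Traefik version in use, since that guarantee is what lets the backends trust these headers.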


@ -1,23 +1,12 @@
# http routing section
http:
routers:
to-auth:
rule: "Host(`auth.lksz.me`)"
entrypoints:
- websecure
service: kateryna-traefik
tls:
certresolver: myresolver
to-syncthing:
rule: "Host(`sync.lksz.me`)"
entrypoints:
- websecure
service: kateryna-traefik
tls:
certresolver: myresolver
to-kateryna:
rule: "Host(`kateryna.szk.li`)
|| Host(`kateryna.lksz.me`)
|| Host(`m.lksz.me`)
|| Host(`auth.lksz.me`)
|| Host(`sync.lksz.me`)
|| Host(`radarr.lksz.me`)
|| Host(`sonarr.lksz.me`)
|| Host(`prowlarr.lksz.me`)


@ -14,6 +14,10 @@ providers:
entryPoints:
web:
address: ':80'
forwardedHeaders:
trustedIPs:
- "127.0.0.1/32"
- "172.16.0.0/12"
http:
redirections:
entryPoint:
@ -21,6 +25,10 @@ entryPoints:
scheme: 'https'
websecure:
address: ':443'
forwardedHeaders:
trustedIPs:
- "127.0.0.1/32"
- "172.16.0.0/12"
certificatesResolvers:
httpresolver:
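Review bot: Both new `forwardedHeaders.trustedIPs` lists (this one under `websecure`, and the identical one under `web` in the first hunk) trust all of `172.16.0.0/12`, so any peer reaching Traefik from that range — every container on any Docker network on the host, plus any LAN host addressed in that RFC 1918 block — can present `X-Forwarded-For`/`X-Forwarded-Proto`/`X-Real-IP` values Traefik accepts, and because the `authentik_sysmgr` middleware in this compare sets `trustForwardHeader: true` those values are relayed to the outpost as the client identity. The `127.0.0.1/32` entry only covers Traefik's own network namespace when it runs as a container, which the compose file in this compare suggests it does. If the range is meant to stand for Docker's address pool, say so and narrow it once the compose networks have fixed subnets, e.g. `# Docker default address pools; narrow to the runtipi network subnets once they are pinned via ipam` above each list, or share one anchored list so the two entry points cannot drift apart.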


@ -3,33 +3,49 @@ services:
environment:
USER_UID: "${SZ_USER_UID}"
USER_GID: "${SZ_USER_GID}"
# user: "${SZ_USER_UID}"
# environment:
# - CONFIG=
# - PERIOD=5m
# - UPDATE_COOLDOWN_PERIOD=5m
# - PUBLICIP_FETCHERS=all
# - PUBLICIP_HTTP_PROVIDERS=all
# - PUBLICIPV4_HTTP_PROVIDERS=all
# - PUBLICIPV6_HTTP_PROVIDERS=all
# - PUBLICIP_DNS_PROVIDERS=all
# - PUBLICIP_DNS_TIMEOUT=3s
# - HTTP_TIMEOUT=10s
### Configuration
# DATADIR: "/updater/data"
# CONFIG_FILEPATH: "/updater/data/config.json"
# CONFIG: ""
# PERIOD: "5m"
# # Web UI
# - LISTENING_ADDRESS=:8000
# - ROOT_URL=/
# UPDATE_COOLDOWN_PERIOD: "5m"
# PUBLICIP_FETCHERS: "all"
# PUBLICIP_HTTP_PROVIDERS: "all"
# PUBLICIPV4_HTTP_PROVIDERS: "all"
# PUBLICIPV6_HTTP_PROVIDERS: "all"
# PUBLICIP_DNS_PROVIDERS: "all"
# PUBLICIP_DNS_TIMEOUT: "3s"
# HTTP_TIMEOUT: "10s"
# # Backup
# - BACKUP_PERIOD=0 # 0 to disable
# - BACKUP_DIRECTORY=/updater/data
# RESOLVER_ADDRESS: ""
# RESOLVER_TIMEOUT: "5s"
# # Other
# - LOG_LEVEL=info
# - LOG_CALLER=hidden
# - SHOUTRRR_ADDRESSES=
# restart: always
### Web UI
# SERVER_ENABLED: "yes"
# LISTENING_ADDRESS: ":8000"
# ROOT_URL: "/"
### Backup
# BACKUP_PERIOD: "0"
# BACKUP_DIRECTORY: "/updater/data"
### Other
# LOG_LEVEL: "info"
# LOG_CALLER: "hidden"
### SHOUTRRR
# SHOUTRRR_ADDRESSES: ""
# SHOUTRRR_DEFAULT_TITLE: "DDNS Updater"
### Health Check
# HEALTH_SERVER_ADDRESS: "127.0.0.1:9999"
# HEALTH_HEALTHCHECKSIO_BASE_URL: "https://hc-ping.com"
# HEALTH_HEALTHCHECKSIO_UUID: ""
labels:
traefik.http.routers.ddns-updater.rule: Host(`ddns.${ROOT_DOMAIN}`)
traefik.http.routers.ddns-updater.middlewares: authentik_sysmgr@file
volumes:
#- dummy:/updater/data:ro
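Review bot: The new `ddns-updater` router declares only `rule` and `middlewares`; unlike the `forgejo-more` router added in this same compare it has no `entrypoints`, `tls` or `tls.certresolver` label, so it attaches to every entrypoint and whether it is reachable over HTTPS at all depends on TLS defaults in the static configuration that are not visible here — easy to misread as "protected" when it may merely be unrouted. Adding the same three labels makes the exposure explicit: `traefik.http.routers.ddns-updater.entrypoints: websecure`, `traefik.http.routers.ddns-updater.tls: true`, `traefik.http.routers.ddns-updater.tls.certresolver: myresolver`. Since the forwardAuth middleware injects `X-authentik-*` identity headers into requests to this container, the router should be served only on the TLS entrypoint. The `services` mapping and this service's `volumes` list continue outside the hunk.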


@ -0,0 +1,18 @@
services:
forgejo:
environment:
USER_UID: "${SZ_USER_UID}"
USER_GID: "${SZ_USER_GID}"
FORGEJO__server__DOMAIN: "code.${ALT_ROOT_DOMAIN}"
FORGEJO__server__ROOT_URL: "https://code.${ALT_ROOT_DOMAIN}"
FORGEJO__server__SSH_DOMAIN: "code.${ALT_ROOT_DOMAIN}"
labels:
# Websecure
traefik.http.routers.forgejo-more.rule: Host(`code.${ROOT_DOMAIN}`)${APP_ROUTE_OPTIONAL:-}
traefik.http.routers.forgejo-more.entrypoints: websecure
traefik.http.routers.forgejo-more.service: forgejo
# traefik.http.routers.forgejo-more.middlewares: authentik_sysmgr@file
traefik.http.routers.forgejo-more.tls: true
traefik.http.routers.forgejo-more.tls.certresolver: myresolver
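Review bot: `FORGEJO__server__DOMAIN`, `ROOT_URL` and `SSH_DOMAIN` advertise `code.${ALT_ROOT_DOMAIN}`, but the only router rule matches `code.${ROOT_DOMAIN}` plus whatever `APP_ROUTE_OPTIONAL` appends; when the two variables differ, Forgejo's own redirects and clone URLs point at a host Traefik serves only if `APP_ROUTE_OPTIONAL` happens to cover it. Either extend the rule with the advertised host or record the dependency next to it: `# must also match code.${ALT_ROOT_DOMAIN}: Forgejo advertises that host in ROOT_URL and clone links`. The commented-out `authentik_sysmgr@file` middleware leaves the web UI and the HTTPS git endpoint reachable without forwardAuth, relying on Forgejo's own authentication — presumably deliberate because git clients cannot complete the outpost flow, and a one-line comment saying so would stop a later cleanup from "fixing" it. `SSH_DOMAIN` is set but no SSH port mapping or TCP router appears in this hunk, so either it lives elsewhere or SSH cloning will not work.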


@ -4,11 +4,20 @@ services:
- 8080:8080
command:
- '--providers.docker'
- '--providers.file.directory=/srv/runtipi/traefik/dynamic'
- '--providers.file.directory=/srv/runtipi/user-config/_traefik.dynamic'
- '--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL}'
- '--certificatesresolvers.myresolver.acme.storage=/shared/acme.json'
- '--certificatesresolvers.myresolver.acme.dnshallenge.entrypoint=cloudflare'
- '--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare'
environment:
CF_API_EMAIL: "${ACME_EMAIL}"
CF_DNS_API_TOKEN: "${CF_DNS_API_TOKEN}"
networks:
- tipi_main_network
- tipi_internal_network
networks:
tipi_internal_network:
internal: true
attachable: true
name: runtipi_internal_network
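Review bot: `tipi_internal_network` is declared `internal: true` but also `attachable: true`, so any container started on the host with `--network runtipi_internal_network` joins the isolation network, and the `--providers.docker` flag above has no `exposedByDefault=false` visible, so Traefik still auto-creates a router for every container it can see rather than only the labelled ones. If isolation is the goal, pair the provider with `- '--providers.docker.exposedByDefault=false'` and `- '--providers.docker.network=runtipi_internal_network'` so only explicitly labelled services are routed, always over the internal network — the ddns-updater and forgejo services in this compare already carry `traefik.http.routers.*` labels — and keep `attachable: true` only because other compose projects need to join by name. The unchanged context line `--certificatesresolvers.myresolver.acme.dnshallenge.entrypoint=cloudflare` appears misspelled next to the correctly spelled `dnschallenge.provider` line and is worth checking against Traefik's startup log. The `services` mapping and the `command` list begin above this hunk.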