diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 03623c1..c38e178 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -19,6 +19,5 @@ docker_build: script: - apk add docker-compose - scripts/subinstallers/gen_prod_env.sh "$MISTBORN_DEFAULT_PASSWORD" - - cp compose/production/traefik/traefik.toml.template compose/production/traefik/traefik.toml - docker-compose -f base.yml build diff --git a/base.yml b/base.yml index 4596b96..f0536ef 100644 --- a/base.yml +++ b/base.yml @@ -14,7 +14,14 @@ services: - redis labels: - "traefik.enable=true" - - "traefik.port=5000" + - "traefik.http.routers.django-http.rule=Host(`home.mistborn`)" + - "traefik.http.routers.django-http.entrypoints=web" + - "traefik.http.routers.django-http.middlewares=mistborn_headers@file" + - "traefik.http.routers.django-https.rule=Host(`home.mistborn`)" + - "traefik.http.routers.django-https.entrypoints=websecure" + - "traefik.http.routers.django-https.middlewares=mistborn_headers@file" + - "traefik.http.routers.django-https.tls.certresolver=basic" + - "traefik.http.services.django-service.loadbalancer.server.port=5000" env_file: - ./.envs/.production/.django - ./.envs/.production/.postgres 
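Review bot: The `traefik.http.routers.django-https.tls.certresolver=basic` label added in the django labels hunk names a certificate resolver that the traefik service's new `command:` list never defines (there is no `--certificatesresolvers.basic.*` flag anywhere in this commit); the same label is added for pihole in the next base.yml hunk and in every extra/*.yml hunk. As far as I can tell Traefik v2 logs an error for the unknown resolver and falls back to the default certificate from `tls.stores.default` in dynamic.toml, so the deployment only works through that fallback. If the self-signed cert under /tls is the intent, replace the label with `- "traefik.http.routers.django-https.tls=true"` (and likewise for the other services) so the store's default certificate is selected deliberately; otherwise define the resolver in the traefik command. The django service definition starts before this hunk.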
@@ -38,20 +45,41 @@ services: restart: unless-stopped traefik: - build: - context: . - dockerfile: ./compose/production/traefik/Dockerfile - image: mistborn_production_traefik + #build: + # context: . + # dockerfile: ./compose/production/traefik/Dockerfile + #image: mistborn_production_traefik + image: traefik:v2.2 container_name: mistborn_production_traefik depends_on: - django volumes: - - production_traefik:/etc/traefik/acme + #- production_traefik:/etc/traefik/acme + - ./compose/production/traefik/dynamic.toml:/dynamic.toml:ro - /var/run/docker.sock:/var/run/docker.sock:ro - - ../mistborn_volumes/base/tls:/tls - ports: - - "0.0.0.0:80:80/tcp" - - "0.0.0.0:443:443/tcp" + - ../mistborn_volumes/base/tls:/tls:ro + network_mode: host + #ports: + # - "0.0.0.0:80:80/tcp" + # - "0.0.0.0:443:443/tcp" + # #- "0.0.0.0:8080:8080/tcp" # dashboard + command: + ## API settings + #- --api.insecure=true + #- --api.dashboard=true + #- --api.debug=true + ## Logs + - --log.level=ERROR + ## Providers + - --providers.docker=true + - --providers.docker.exposedbydefault=false + - --providers.file.filename=/dynamic.toml + #- --providers.docker.network=default + ## Entrypoints + - --entrypoints.web.address=:80 + - --entrypoints.websecure.address=:443 + ## Certificates + #- --serversTransport.insecureSkipVerify=true restart: unless-stopped redis: 
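Review bot: The new `command:` list defines the `web` entrypoint on :80 with no redirect to `websecure`, so every `*-http` router this commit adds (django, pihole and the extra/*.yml services) serves its application in plaintext on all host interfaces, as the old `0.0.0.0` port mappings did, and that now includes the `home.mistborn` login that `mistborn_auth` forwards to. If the intent recorded in the deleted template ("http should be redirected to https") still holds, v2.2 can do it at the entrypoint with `- --entrypoints.web.http.redirections.entrypoint.to=websecure` and `- --entrypoints.web.http.redirections.entrypoint.scheme=https`, after which the `*-http` routers are no longer needed. Separately, the `#build:`, `#- production_traefik`, `#ports:` and `#- --api.*` stanzas are dead configuration that git history already preserves; deleting them instead of commenting them out would keep the service definition readable, especially since `network_mode: host` is what actually replaces the `ports:` block.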
@@ -136,6 +164,14 @@ services: - "${MISTBORN_DNS_BIND_IP}:53:53/udp" labels: - "traefik.enable=true" + - "traefik.http.routers.pihole-http.rule=Host(`pihole.mistborn`)" + - "traefik.http.routers.pihole-http.entrypoints=web" + - "traefik.http.routers.pihole-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.pihole-https.rule=Host(`pihole.mistborn`)" + - "traefik.http.routers.pihole-https.entrypoints=websecure" + - "traefik.http.routers.pihole-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.pihole-https.tls.certresolver=basic" + - "traefik.http.services.pihole-service.loadbalancer.server.port=80" environment: - ServerIP=10.2.0.3 - DNS1='10.2.0.2#5054' # docs say port 5054, was 54; use network_mode: host to see which port is used diff --git a/compose/production/traefik/Dockerfile b/compose/production/traefik/Dockerfile index 7088e6f..04c5f93 100644 --- a/compose/production/traefik/Dockerfile +++ b/compose/production/traefik/Dockerfile @@ -1,5 +1,5 @@ -FROM traefik:alpine +FROM traefik:v2.2 RUN mkdir -p /etc/traefik/acme RUN touch /etc/traefik/acme/acme.json RUN chmod 600 /etc/traefik/acme/acme.json -COPY ./compose/production/traefik/traefik.toml /etc/traefik +#COPY ./compose/production/traefik/dynamic.toml /etc/traefik diff --git a/compose/production/traefik/dynamic.toml b/compose/production/traefik/dynamic.toml new file mode 100644 index 0000000..0eeb776 --- /dev/null +++ b/compose/production/traefik/dynamic.toml 
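Review bot: This Dockerfile is left orphaned: the base.yml hunk comments out the traefik `build:` stanza and pulls `traefik:v2.2` directly, and the only `COPY` line here is now commented out too, so nothing in the tree builds or runs this image. Keeping it invites drift — the acme.json it prepares under /etc/traefik/acme is no longer mounted anywhere, since the `production_traefik` volume is commented out as well. Either delete the Dockerfile or restore the `build:` in base.yml so there is a single source of truth for the traefik image.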
@@ -0,0 +1,31 @@ +[tls.stores] + [tls.stores.default] + [tls.stores.default.defaultCertificate] + certFile = "/tls/cert.crt" + keyFile = "/tls/cert.key" + +[tls.options] + [tls.options.default] + minVersion = "VersionTLS12" + +[http.services] + [http.services.cockpit.loadBalancer] + [[http.services.cockpit.loadBalancer.servers]] + url = "http://10.2.3.1:9090" + +[http.routers] + [http.routers.cockpit] + rule = "Host(`cockpit.mistborn`)" + service = "cockpit" + entrypoints = ["web", "websecure"] + #middlewares = + +[http.middlewares] + [http.middlewares.mistborn_auth.forwardAuth] + address = "https://home.mistborn/auth/" + trustForwardHeader = true + [http.middlewares.mistborn_auth.forwardAuth.tls] + insecureSkipVerify = true + + [http.middlewares.mistborn_headers.headers] + hostsProxyHeaders = ['X-CSRFToken'] \ No newline at end of file diff --git a/compose/production/traefik/traefik.toml.template b/compose/production/traefik/traefik.toml.template deleted file mode 100644 index 267d53b..0000000 --- a/compose/production/traefik/traefik.toml.template +++ /dev/null 
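Review bot: The `[http.routers.cockpit]` table has `#middlewares =` commented out, so cockpit on 10.2.3.1:9090 is reachable through Traefik without the `mistborn_auth` forward-auth gate that the deleted traefik.toml.template applied under `[frontends.cockpit.auth.forward]`, while every other service in this commit keeps that gate via `middlewares=mistborn_auth@file`. The one-line fix is `middlewares = ["mistborn_auth"]` (same provider, so no `@file` suffix is needed). Two smaller points in the same file: the router lists `websecure` but has no `[http.routers.cockpit.tls]` table, and in v2.2 a router without a `tls` section matches only plain HTTP unless the entrypoint sets a TLS default, so it is worth verifying cockpit actually answers on :443; and `trustForwardHeader = true` reverses the old `false`, which as I read the forwardAuth docs passes client-supplied `X-Forwarded-*` headers through to the auth backend unmodified, so confirm that is intended.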
@@ -1,257 +0,0 @@ -#debug = true - -logLevel = "ERROR" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC -InsecureSkipVerify = true - -defaultEntryPoints = ["http", "https"] -#defaultEntryPoints = ["http"] - -# Entrypoints, http and https -[entryPoints] - # http should be redirected to https - [entryPoints.http] - address = ":80" - #[entryPoints.http.redirect] - #entryPoint = "https" - # https is the default - [entryPoints.https] - address = ":443" - [entryPoints.https.tls] - [entryPoints.https.tls.defaultCertificate] - certFile = "/tls/cert.crt" - keyFile = "/tls/cert.key" - -## Enable ACME (Let's Encrypt): automatic SSL -#[acme] -## Email address used for registration -#email = "steven@cyber5k.com" -#storage = "/etc/traefik/acme/acme.json" -#entryPoint = "https" -#onDemand = false -#OnHostRule = true -# # Use a HTTP-01 acme challenge rather than TLS-SNI-01 challenge -# [acme.httpChallenge] -# entryPoint = "http" - -[file] -[backends] - [backends.django] - [backends.django.servers.server1] - url = "http://django:5000" - - [backends.pihole] - [backends.pihole.servers.server1] - url = "http://pihole:80" - - [backends.homeassistant] - [backends.homeassistant.servers.server1] - url = "http://homeassistant:8123" - - [backends.syncthing] - [backends.syncthing.servers.server1] - url = "http://syncthing:8384" - - [backends.rocketchat] - [backends.rocketchat.servers.server1] - url = "http://rocketchat:3000" - - [backends.nextcloud] - [backends.nextcloud.servers.server1] - url = "http://nextcloud:80" - - [backends.onlyoffice] - [backends.onlyoffice.servers.server1] - url = "http://onlyoffice:80" - - [backends.bitwarden] - [backends.bitwarden.servers.server1] - url = "http://bitwarden:80" - - [backends.jellyfin] - [backends.jellyfin.servers.server1] - url = "http://jellyfin:8096" - - [backends.jitsi] - [backends.jitsi.servers.server1] - url = "http://jitsi-web:80" - - [backends.raspap] - [backends.raspap.servers.server1] - url = "http://raspap:80" - - [backends.cockpit] - 
[backends.cockpit.servers.server1] - url = "http://10.2.3.1:9090" - -[frontends] - [frontends.django] - backend = "django" - passHostHeader = true - [frontends.django.headers] - HostsProxyHeaders = ['X-CSRFToken'] - [frontends.django.routes.dr1] - #rule = "Host:mistborn.cyber5k.com" - rule = "Host:home.mistborn" - - [frontends.pihole] - backend = "pihole" - passHostHeader = true - [frontends.pihole.auth] - [frontends.pihole.auth.forward] - address = "https://home.mistborn/auth/" - trustForwardHeader = false - [frontends.pihole.auth.forward.tls] - insecureSkipVerify = true - [frontends.pihole.headers] - HostsProxyHeaders = ['X-CSRFToken'] - [frontends.pihole.routes.dr1] - rule = "Host:pihole.mistborn" - - [frontends.homeassistant] - backend = "homeassistant" - passHostHeader = true - [frontends.homeassistant.auth] - [frontends.homeassistant.auth.forward] - address = "https://home.mistborn/auth/" - trustForwardHeader = false - [frontends.homeassistant.auth.forward.tls] - insecureSkipVerify = true - [frontends.homeassistant.headers] - HostsProxyHeaders = ['X-CSRFToken'] - [frontends.homeassistant.routes.dr1] - rule = "Host:homeassistant.mistborn" - - [frontends.syncthing] - backend = "syncthing" - passHostHeader = true - [frontends.syncthing.auth] - [frontends.syncthing.auth.forward] - address = "https://home.mistborn/auth/" - trustForwardHeader = false - [frontends.syncthing.auth.forward.tls] - insecureSkipVerify = true - [frontends.syncthing.headers] - HostsProxyHeaders = ['X-CSRFToken'] - [frontends.syncthing.routes.dr1] - rule = "Host:syncthing.mistborn" - - [frontends.rocketchat] - backend = "rocketchat" - passHostHeader = true - [frontends.rocketchat.auth] - [frontends.rocketchat.auth.forward] - address = "https://home.mistborn/auth/" - trustForwardHeader = false - [frontends.rocketchat.auth.forward.tls] - insecureSkipVerify = true - [frontends.rocketchat.headers] - HostsProxyHeaders = ['X-CSRFToken'] - [frontends.rocketchat.routes.dr1] - rule = 
"Host:chat.mistborn" - - [frontends.nextcloud] - backend = "nextcloud" - passHostHeader = true - [frontends.nextcloud.auth] - [frontends.nextcloud.auth.forward] - address = "https://home.mistborn/auth/" - trustForwardHeader = false - [frontends.nextcloud.auth.forward.tls] - insecureSkipVerify = true - [frontends.nextcloud.headers] - HostsProxyHeaders = ['X-CSRFToken'] - [frontends.nextcloud.routes.dr1] - rule = "Host:nextcloud.mistborn" - - [frontends.onlyoffice] - backend = "onlyoffice" - passHostHeader = true - [frontends.onlyoffice.auth] - [frontends.onlyoffice.auth.forward] - address = "https://home.mistborn/auth/" - trustForwardHeader = false - [frontends.onlyoffice.auth.forward.tls] - insecureSkipVerify = true - [frontends.onlyoffice.headers] - HostsProxyHeaders = ['X-CSRFToken'] - [frontends.onlyoffice.routes.dr1] - rule = "Host:onlyoffice.mistborn" - - [frontends.bitwarden] - backend = "bitwarden" - passHostHeader = true - [frontends.bitwarden.auth] - [frontends.bitwarden.auth.forward] - address = "https://home.mistborn/auth/" - trustForwardHeader = false - [frontends.bitwarden.auth.forward.tls] - insecureSkipVerify = true - [frontends.bitwarden.headers] - HostsProxyHeaders = ['X-CSRFToken'] - [frontends.bitwarden.routes.dr1] - rule = "Host:bitwarden.mistborn" - - [frontends.jellyfin] - backend = "jellyfin" - passHostHeader = true - [frontends.jellyfin.auth] - [frontends.jellyfin.auth.forward] - address = "https://home.mistborn/auth/" - trustForwardHeader = false - [frontends.jellyfin.auth.forward.tls] - insecureSkipVerify = true - [frontends.jellyfin.headers] - HostsProxyHeaders = ['X-CSRFToken'] - [frontends.jellyfin.routes.dr1] - rule = "Host:jellyfin.mistborn" - - [frontends.jitsi] - backend = "jitsi" - passHostHeader = true - [frontends.jitsi.auth] - [frontends.jitsi.auth.forward] - address = "https://home.mistborn/auth/" - trustForwardHeader = false - [frontends.jitsi.auth.forward.tls] - insecureSkipVerify = true - [frontends.jitsi.headers] - 
HostsProxyHeaders = ['X-CSRFToken'] - [frontends.jitsi.routes.dr1] - rule = "Host:jitsi.mistborn" - - [frontends.raspap] - backend = "raspap" - passHostHeader = true - [frontends.raspap.auth] - [frontends.raspap.auth.forward] - address = "https://home.mistborn/auth/" - trustForwardHeader = false - [frontends.raspap.auth.forward.tls] - insecureSkipVerify = true - [frontends.raspap.headers] - HostsProxyHeaders = ['X-CSRFToken'] - [frontends.raspap.routes.dr1] - rule = "Host:raspap.mistborn" - - [frontends.cockpit] - backend = "cockpit" - passHostHeader = true - [frontends.cockpit.auth] - [frontends.cockpit.auth.forward] - address = "https://home.mistborn/auth/" - trustForwardHeader = false - [frontends.cockpit.auth.forward.tls] - insecureSkipVerify = true - [frontends.cockpit.headers] - HostsProxyHeaders = ['X-CSRFToken'] - [frontends.cockpit.routes.dr1] - rule = "Host:cockpit.mistborn" - -## Connection to docker host system (docker.sock) -#[docker] -#endpoint = "unix:///var/run/docker.sock" -#domain = "localhost" -#watch = true -## This will hide all docker containers that don't have explicitly -## set label to "enable" -#exposedbydefault = false diff --git a/extra/bitwarden.yml b/extra/bitwarden.yml index dc6ff56..377b4b8 100644 --- a/extra/bitwarden.yml +++ b/extra/bitwarden.yml 
@@ -10,7 +10,14 @@ services: - ../../mistborn_volumes/extra/bitwarden:/data labels: - "traefik.enable=true" - - "traefik.port=80" + - "traefik.http.routers.bitwarden-http.rule=Host(`bitwarden.mistborn`)" + - "traefik.http.routers.bitwarden-http.entrypoints=web" + - "traefik.http.routers.bitwarden-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.bitwarden-https.rule=Host(`bitwarden.mistborn`)" + - "traefik.http.routers.bitwarden-https.entrypoints=websecure" + - "traefik.http.routers.bitwarden-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.bitwarden-https.tls.certresolver=basic" + - "traefik.http.services.bitwarden-service.loadbalancer.server.port=80" ports: - 3012:3012/tcp restart: unless-stopped diff --git a/extra/homeassistant.yml b/extra/homeassistant.yml index 2588772..db70d62 100644 --- a/extra/homeassistant.yml +++ b/extra/homeassistant.yml @@ -10,7 +10,14 @@ services: - TZ=America/New_York labels: - "traefik.enable=true" - - "traefik.port=8123" + - "traefik.http.routers.homeassistant-http.rule=Host(`homeassistant.mistborn`)" + - "traefik.http.routers.homeassistant-http.entrypoints=web" + - "traefik.http.routers.homeassistant-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.homeassistant-https.rule=Host(`homeassistant.mistborn`)" + - "traefik.http.routers.homeassistant-https.entrypoints=websecure" + - "traefik.http.routers.homeassistant-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.homeassistant-https.tls.certresolver=basic" + - "traefik.http.services.homeassistant-service.loadbalancer.server.port=8123" restart: unless-stopped networks: diff --git a/extra/jellyfin.yml b/extra/jellyfin.yml index e829e1a..2235322 100644 --- a/extra/jellyfin.yml +++ b/extra/jellyfin.yml 
@@ -14,7 +14,14 @@ services: - ../../mistborn_volumes/extra/nextcloud:/media:ro labels: - "traefik.enable=true" - - "traefik.port=8096" + - "traefik.http.routers.jellyfin-http.rule=Host(`jellyfin.mistborn`)" + - "traefik.http.routers.jellyfin-http.entrypoints=web" + - "traefik.http.routers.jellyfin-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.jellyfin-https.rule=Host(`jellyfin.mistborn`)" + - "traefik.http.routers.jellyfin-https.entrypoints=websecure" + - "traefik.http.routers.jellyfin-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.jellyfin-https.tls.certresolver=basic" + - "traefik.http.services.jellyfin-service.loadbalancer.server.port=8096" restart: unless-stopped networks: diff --git a/extra/jitsi-meet.yml b/extra/jitsi-meet.yml index cc86c8f..7f4b0ed 100644 --- a/extra/jitsi-meet.yml +++ b/extra/jitsi-meet.yml @@ -9,7 +9,14 @@ services: #- '${HTTPS_PORT}:443' labels: - "traefik.enable=true" - - "traefik.port=${HTTP_PORT}" + - "traefik.http.routers.jitsi-http.rule=Host(`jitsi.mistborn`)" + - "traefik.http.routers.jitsi-http.entrypoints=web" + - "traefik.http.routers.jitsi-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.jitsi-https.rule=Host(`jitsi.mistborn`)" + - "traefik.http.routers.jitsi-https.entrypoints=websecure" + - "traefik.http.routers.jitsi-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.jitsi-https.tls.certresolver=basic" + - "traefik.http.services.jitsi-service.loadbalancer.server.port=${HTTP_PORT}" volumes: - ${CONFIG}/web:/config - ${CONFIG}/web/letsencrypt:/etc/letsencrypt diff --git a/extra/nextcloud.yml b/extra/nextcloud.yml index dc72353..c452356 100644 --- a/extra/nextcloud.yml +++ b/extra/nextcloud.yml 
@@ -9,7 +9,14 @@ services: - ../.envs/.production/.nextcloud labels: - "traefik.enable=true" - - "traefik.port=80" + - "traefik.http.routers.nextcloud-http.rule=Host(`nextcloud.mistborn`)" + - "traefik.http.routers.nextcloud-http.entrypoints=web" + - "traefik.http.routers.nextcloud-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.nextcloud-https.rule=Host(`nextcloud.mistborn`)" + - "traefik.http.routers.nextcloud-https.entrypoints=websecure" + - "traefik.http.routers.nextcloud-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.nextcloud-https.tls.certresolver=basic" + - "traefik.http.services.nextcloud-service.loadbalancer.server.port=80" volumes: - ../../mistborn_volumes/extra/nextcloud:/var/www/html environment: diff --git a/extra/onlyoffice.yml b/extra/onlyoffice.yml index 63a54a7..043d33e 100644 --- a/extra/onlyoffice.yml +++ b/extra/onlyoffice.yml @@ -11,7 +11,14 @@ services: - ../.envs/.production/.onlyoffice labels: - "traefik.enable=true" - - "traefik.port=80" + - "traefik.http.routers.onlyoffice-http.rule=Host(`onlyoffice.mistborn`)" + - "traefik.http.routers.onlyoffice-http.entrypoints=web" + - "traefik.http.routers.onlyoffice-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.onlyoffice-https.rule=Host(`onlyoffice.mistborn`)" + - "traefik.http.routers.onlyoffice-https.entrypoints=websecure" + - "traefik.http.routers.onlyoffice-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.onlyoffice-https.tls.certresolver=basic" + - "traefik.http.services.onlyoffice-service.loadbalancer.server.port=80" restart: unless-stopped networks: diff --git a/extra/raspap.yml b/extra/raspap.yml index 66575e9..3be7dce 100644 --- a/extra/raspap.yml +++ b/extra/raspap.yml 
@@ -10,7 +10,14 @@ services: container_name: mistborn_production_raspap labels: - "traefik.enable=true" - - "traefik.port=80" + - "traefik.http.routers.raspap-http.rule=Host(`raspap.mistborn`)" + - "traefik.http.routers.raspap-http.entrypoints=web" + - "traefik.http.routers.raspap-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.raspap-https.rule=Host(`raspap.mistborn`)" + - "traefik.http.routers.raspap-https.entrypoints=websecure" + - "traefik.http.routers.raspap-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.raspap-https.tls.certresolver=basic" + - "traefik.http.services.raspap-service.loadbalancer.server.port=80" env_file: - ../.envs/.production/.pihole command: /start diff --git a/extra/rocketchat.yml b/extra/rocketchat.yml index a568aec..42350c3 100644 --- a/extra/rocketchat.yml +++ b/extra/rocketchat.yml @@ -17,7 +17,14 @@ services: - Accounts_UseDNSDomainCheck=False labels: - "traefik.enable=true" - - "traefik.port=3000" + - "traefik.http.routers.chat-http.rule=Host(`chat.mistborn`)" + - "traefik.http.routers.chat-http.entrypoints=web" + - "traefik.http.routers.chat-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.chat-https.rule=Host(`chat.mistborn`)" + - "traefik.http.routers.chat-https.entrypoints=websecure" + - "traefik.http.routers.chat-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.chat-https.tls.certresolver=basic" + - "traefik.http.services.chat-service.loadbalancer.server.port=3000" depends_on: - mongo #ports: diff --git a/extra/syncthing.yml b/extra/syncthing.yml index 4bd5e89..6083393 100644 --- a/extra/syncthing.yml +++ b/extra/syncthing.yml 
@@ -19,7 +19,14 @@ services: - 21027:21027/udp # protocol discovery labels: - "traefik.enable=true" - - "traefik.port=8384" + - "traefik.http.routers.syncthing-http.rule=Host(`syncthing.mistborn`)" + - "traefik.http.routers.syncthing-http.entrypoints=web" + - "traefik.http.routers.syncthing-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.syncthing-https.rule=Host(`syncthing.mistborn`)" + - "traefik.http.routers.syncthing-https.entrypoints=websecure" + - "traefik.http.routers.syncthing-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.syncthing-https.tls.certresolver=basic" + - "traefik.http.services.syncthing-service.loadbalancer.server.port=8384" restart: unless-stopped networks: diff --git a/scripts/install.sh b/scripts/install.sh index a904d7c..6caba26 100755 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -205,7 +205,7 @@ sudo mkdir -p ../mistborn_volumes/base/pihole/etc-dnsmasqd sudo mkdir -p ../mistborn_volumes/extra # Traefik final setup (cockpit) -cp ./compose/production/traefik/traefik.toml.template ./compose/production/traefik/traefik.toml +#cp ./compose/production/traefik/traefikv2.toml.template ./compose/production/traefik/traefik.toml # setup tls certs source ./scripts/subinstallers/openssl.sh diff --git a/scripts/update.sh b/scripts/update.sh index 40e1c74..ce5a4e2 100755 --- a/scripts/update.sh +++ b/scripts/update.sh @@ -17,7 +17,7 @@ sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/ sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/DIFACE/$iface/" # handle updates to traefik -sudo cp /opt/mistborn/compose/production/traefik/traefik.toml.template /opt/mistborn/compose/production/traefik/traefik.toml +#sudo cp /opt/mistborn/compose/production/traefik/traefik.toml.template /opt/mistborn/compose/production/traefik/traefik.toml sudo systemctl daemon-reload sudo systemctl enable Mistborn-setup.service
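Review bot: The commented-out `cp` in scripts/install.sh now references `traefikv2.toml.template`, a file this commit does not add (it deletes `traefik.toml.template` and bind-mounts `compose/production/traefik/dynamic.toml` straight from the repo in base.yml), and the heading `# Traefik final setup (cockpit)` above it no longer introduces any step. The same applies to the commented `sudo cp` under `# handle updates to traefik` in the scripts/update.sh hunk. Since the template is gone and the dynamic config is mounted directly, both lines and their headings can simply be removed rather than commented out, as the .gitlab-ci.yml hunk already does with its `cp`.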