Resolve "Migrate to Traefik v2"

5 years ago · 98e90af2d7
16 changed files with 153 additions and 281 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -19,6 +19,5 @@ docker_build:
  script:
    - apk add docker-compose
    - scripts/subinstallers/gen_prod_env.sh "$MISTBORN_DEFAULT_PASSWORD"
    - cp compose/production/traefik/traefik.toml.template compose/production/traefik/traefik.toml
    - docker-compose -f base.yml build
--- a/base.yml
+++ b/base.yml
@ -14,7 +14,14 @@ services:
      - redis
    labels:
      - "traefik.enable=true"
-      - "traefik.port=5000"
+      - "traefik.http.routers.django-http.rule=Host(`home.mistborn`)"
      - "traefik.http.routers.django-http.entrypoints=web"
      - "traefik.http.routers.django-http.middlewares=mistborn_headers@file"
      - "traefik.http.routers.django-https.rule=Host(`home.mistborn`)"
      - "traefik.http.routers.django-https.entrypoints=websecure"
      - "traefik.http.routers.django-https.middlewares=mistborn_headers@file"
      - "traefik.http.routers.django-https.tls.certresolver=basic"
      - "traefik.http.services.django-service.loadbalancer.server.port=5000"
    env_file:
      - ./.envs/.production/.django
      - ./.envs/.production/.postgres
@ -38,20 +45,41 @@ services:
    restart: unless-stopped
  traefik:
-    build:
+    #build:
-      context: .
+    #  context: .
-      dockerfile: ./compose/production/traefik/Dockerfile
+    #  dockerfile: ./compose/production/traefik/Dockerfile
-    image: mistborn_production_traefik
+    #image: mistborn_production_traefik
    image: traefik:v2.2
    container_name: mistborn_production_traefik
    depends_on:
      - django
    volumes:
-      - production_traefik:/etc/traefik/acme
+      #- production_traefik:/etc/traefik/acme
      - ./compose/production/traefik/dynamic.toml:/dynamic.toml:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
-      - ../mistborn_volumes/base/tls:/tls
+      - ../mistborn_volumes/base/tls:/tls:ro
-    ports:
+    network_mode: host
-      - "0.0.0.0:80:80/tcp"
+      #ports:
-      - "0.0.0.0:443:443/tcp"
+    #  - "0.0.0.0:80:80/tcp"
    #  - "0.0.0.0:443:443/tcp"
    #  #- "0.0.0.0:8080:8080/tcp" # dashboard
    command:
      ## API settings
      #- --api.insecure=true
      #- --api.dashboard=true
      #- --api.debug=true
      ## Logs
      - --log.level=ERROR
      ## Providers
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.file.filename=/dynamic.toml
      #- --providers.docker.network=default
      ## Entrypoints
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      ## Certificates
      #- --serversTransport.insecureSkipVerify=true
    restart: unless-stopped
  redis:
@ -136,6 +164,14 @@ services:
     - "${MISTBORN_DNS_BIND_IP}:53:53/udp"
   labels:
      - "traefik.enable=true"
      - "traefik.http.routers.pihole-http.rule=Host(`pihole.mistborn`)"
      - "traefik.http.routers.pihole-http.entrypoints=web"
      - "traefik.http.routers.pihole-http.middlewares=mistborn_auth@file"
      - "traefik.http.routers.pihole-https.rule=Host(`pihole.mistborn`)"
      - "traefik.http.routers.pihole-https.entrypoints=websecure"
      - "traefik.http.routers.pihole-https.middlewares=mistborn_auth@file"
      - "traefik.http.routers.pihole-https.tls.certresolver=basic"
      - "traefik.http.services.pihole-service.loadbalancer.server.port=80"
   environment:
     - ServerIP=10.2.0.3
     - DNS1='10.2.0.2#5054' # docs say port 5054, was 54; use network_mode: host to see which port is used
--- a/compose/production/traefik/Dockerfile
+++ b/compose/production/traefik/Dockerfile
@ -1,5 +1,5 @@
-FROM traefik:alpine
+FROM traefik:v2.2
 RUN mkdir -p /etc/traefik/acme
 RUN touch /etc/traefik/acme/acme.json
 RUN chmod 600 /etc/traefik/acme/acme.json
-COPY ./compose/production/traefik/traefik.toml /etc/traefik
+#COPY ./compose/production/traefik/dynamic.toml /etc/traefik
--- a/compose/production/traefik/dynamic.toml
+++ b/compose/production/traefik/dynamic.toml
@ -0,0 +1,31 @@
 [tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "/tls/cert.crt"
      keyFile = "/tls/cert.key"
 [tls.options]
  [tls.options.default]
    minVersion = "VersionTLS12"
 [http.services]
  [http.services.cockpit.loadBalancer]
    [[http.services.cockpit.loadBalancer.servers]]
      url = "http://10.2.3.1:9090"
 [http.routers]
  [http.routers.cockpit]
    rule = "Host(`cockpit.mistborn`)"
    service = "cockpit"
    entrypoints = ["web", "websecure"]
    #middlewares =
 [http.middlewares]
  [http.middlewares.mistborn_auth.forwardAuth]
    address = "https://home.mistborn/auth/"
    trustForwardHeader = true
    [http.middlewares.mistborn_auth.forwardAuth.tls]
      insecureSkipVerify = true
  [http.middlewares.mistborn_headers.headers]
    hostsProxyHeaders = ['X-CSRFToken']
--- a/compose/production/traefik/traefik.toml.template
+++ b/compose/production/traefik/traefik.toml.template
@ -1,257 +0,0 @@
 #debug = true
 logLevel = "ERROR" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC
 InsecureSkipVerify = true 
 defaultEntryPoints = ["http", "https"]
 #defaultEntryPoints = ["http"]
 # Entrypoints, http and https
 [entryPoints]
  # http should be redirected to https
  [entryPoints.http]
  address = ":80"
    #[entryPoints.http.redirect]
    #entryPoint = "https"
  # https is the default
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
    [entryPoints.https.tls.defaultCertificate]
      certFile = "/tls/cert.crt"
      keyFile = "/tls/cert.key"
 ## Enable ACME (Let's Encrypt): automatic SSL
 #[acme]
 ## Email address used for registration
 #email = "steven@cyber5k.com"
 #storage = "/etc/traefik/acme/acme.json"
 #entryPoint = "https"
 #onDemand = false
 #OnHostRule = true
 #  # Use a HTTP-01 acme challenge rather than TLS-SNI-01 challenge
 #  [acme.httpChallenge]
 #  entryPoint = "http"
 [file]
 [backends]
  [backends.django]
    [backends.django.servers.server1]
      url = "http://django:5000"
  [backends.pihole]
    [backends.pihole.servers.server1]
      url = "http://pihole:80"
  [backends.homeassistant]
    [backends.homeassistant.servers.server1]
      url = "http://homeassistant:8123"
  [backends.syncthing]
    [backends.syncthing.servers.server1]
      url = "http://syncthing:8384"
  [backends.rocketchat]
    [backends.rocketchat.servers.server1]
      url = "http://rocketchat:3000"
  [backends.nextcloud]
    [backends.nextcloud.servers.server1]
      url = "http://nextcloud:80"
  [backends.onlyoffice]
    [backends.onlyoffice.servers.server1]
      url = "http://onlyoffice:80"
  [backends.bitwarden]
    [backends.bitwarden.servers.server1]
      url = "http://bitwarden:80"
  [backends.jellyfin]
    [backends.jellyfin.servers.server1]
      url = "http://jellyfin:8096"
  [backends.jitsi]
    [backends.jitsi.servers.server1]
      url = "http://jitsi-web:80"
  [backends.raspap]
    [backends.raspap.servers.server1]
      url = "http://raspap:80"
  [backends.cockpit]
    [backends.cockpit.servers.server1]
      url = "http://10.2.3.1:9090"
 [frontends]
  [frontends.django]
    backend = "django"
    passHostHeader = true
    [frontends.django.headers]
      HostsProxyHeaders = ['X-CSRFToken']
    [frontends.django.routes.dr1]
      #rule = "Host:mistborn.cyber5k.com"
      rule = "Host:home.mistborn"
  [frontends.pihole]
    backend = "pihole"
    passHostHeader = true
    [frontends.pihole.auth]
      [frontends.pihole.auth.forward]
        address = "https://home.mistborn/auth/"
        trustForwardHeader = false
        [frontends.pihole.auth.forward.tls]
          insecureSkipVerify = true
    [frontends.pihole.headers]
      HostsProxyHeaders = ['X-CSRFToken']
    [frontends.pihole.routes.dr1]
      rule = "Host:pihole.mistborn"
  [frontends.homeassistant]
    backend = "homeassistant"
    passHostHeader = true
    [frontends.homeassistant.auth]
      [frontends.homeassistant.auth.forward]
        address = "https://home.mistborn/auth/"
        trustForwardHeader = false
        [frontends.homeassistant.auth.forward.tls]
          insecureSkipVerify = true
    [frontends.homeassistant.headers]
      HostsProxyHeaders = ['X-CSRFToken']
    [frontends.homeassistant.routes.dr1]
      rule = "Host:homeassistant.mistborn"
  [frontends.syncthing]
    backend = "syncthing"
    passHostHeader = true
    [frontends.syncthing.auth]
      [frontends.syncthing.auth.forward]
        address = "https://home.mistborn/auth/"
        trustForwardHeader = false
        [frontends.syncthing.auth.forward.tls]
          insecureSkipVerify = true
    [frontends.syncthing.headers]
      HostsProxyHeaders = ['X-CSRFToken']
    [frontends.syncthing.routes.dr1]
      rule = "Host:syncthing.mistborn"
  [frontends.rocketchat]
    backend = "rocketchat"
    passHostHeader = true
    [frontends.rocketchat.auth]
      [frontends.rocketchat.auth.forward]
        address = "https://home.mistborn/auth/"
        trustForwardHeader = false
        [frontends.rocketchat.auth.forward.tls]
          insecureSkipVerify = true
    [frontends.rocketchat.headers]
      HostsProxyHeaders = ['X-CSRFToken']
    [frontends.rocketchat.routes.dr1]
      rule = "Host:chat.mistborn"
  [frontends.nextcloud]
    backend = "nextcloud"
    passHostHeader = true
    [frontends.nextcloud.auth]
      [frontends.nextcloud.auth.forward]
        address = "https://home.mistborn/auth/"
        trustForwardHeader = false
        [frontends.nextcloud.auth.forward.tls]
          insecureSkipVerify = true
    [frontends.nextcloud.headers]
      HostsProxyHeaders = ['X-CSRFToken']
    [frontends.nextcloud.routes.dr1]
      rule = "Host:nextcloud.mistborn"
  [frontends.onlyoffice]
    backend = "onlyoffice"
    passHostHeader = true
    [frontends.onlyoffice.auth]
      [frontends.onlyoffice.auth.forward]
        address = "https://home.mistborn/auth/"
        trustForwardHeader = false
        [frontends.onlyoffice.auth.forward.tls]
          insecureSkipVerify = true
    [frontends.onlyoffice.headers]
      HostsProxyHeaders = ['X-CSRFToken']
    [frontends.onlyoffice.routes.dr1]
      rule = "Host:onlyoffice.mistborn"
  [frontends.bitwarden]
    backend = "bitwarden"
    passHostHeader = true
    [frontends.bitwarden.auth]
      [frontends.bitwarden.auth.forward]
        address = "https://home.mistborn/auth/"
        trustForwardHeader = false
        [frontends.bitwarden.auth.forward.tls]
          insecureSkipVerify = true
    [frontends.bitwarden.headers]
      HostsProxyHeaders = ['X-CSRFToken']
    [frontends.bitwarden.routes.dr1]
      rule = "Host:bitwarden.mistborn"
  [frontends.jellyfin]
    backend = "jellyfin"
    passHostHeader = true
    [frontends.jellyfin.auth]
      [frontends.jellyfin.auth.forward]
        address = "https://home.mistborn/auth/"
        trustForwardHeader = false
        [frontends.jellyfin.auth.forward.tls]
          insecureSkipVerify = true
    [frontends.jellyfin.headers]
      HostsProxyHeaders = ['X-CSRFToken']
    [frontends.jellyfin.routes.dr1]
      rule = "Host:jellyfin.mistborn"
  [frontends.jitsi]
    backend = "jitsi"
    passHostHeader = true
    [frontends.jitsi.auth]
      [frontends.jitsi.auth.forward]
        address = "https://home.mistborn/auth/"
        trustForwardHeader = false
        [frontends.jitsi.auth.forward.tls]
          insecureSkipVerify = true
    [frontends.jitsi.headers]
      HostsProxyHeaders = ['X-CSRFToken']
    [frontends.jitsi.routes.dr1]
      rule = "Host:jitsi.mistborn"
  [frontends.raspap]
    backend = "raspap"
    passHostHeader = true
    [frontends.raspap.auth]
      [frontends.raspap.auth.forward]
        address = "https://home.mistborn/auth/"
        trustForwardHeader = false
        [frontends.raspap.auth.forward.tls]
          insecureSkipVerify = true
    [frontends.raspap.headers]
      HostsProxyHeaders = ['X-CSRFToken']
    [frontends.raspap.routes.dr1]
      rule = "Host:raspap.mistborn"
  [frontends.cockpit]
    backend = "cockpit"
    passHostHeader = true
    [frontends.cockpit.auth]
      [frontends.cockpit.auth.forward]
        address = "https://home.mistborn/auth/"
        trustForwardHeader = false
        [frontends.cockpit.auth.forward.tls]
          insecureSkipVerify = true
    [frontends.cockpit.headers]
      HostsProxyHeaders = ['X-CSRFToken']
    [frontends.cockpit.routes.dr1]
      rule = "Host:cockpit.mistborn"
 ## Connection to docker host system (docker.sock)
 #[docker]
 #endpoint = "unix:///var/run/docker.sock"
 #domain = "localhost"
 #watch = true
 ## This will hide all docker containers that don't have explicitly  
 ## set label to "enable"
 #exposedbydefault = false
--- a/extra/bitwarden.yml
+++ b/extra/bitwarden.yml
@ -10,7 +10,14 @@ services:
      - ../../mistborn_volumes/extra/bitwarden:/data
    labels:
      - "traefik.enable=true"
-      - "traefik.port=80"
+      - "traefik.http.routers.bitwarden-http.rule=Host(`bitwarden.mistborn`)"
      - "traefik.http.routers.bitwarden-http.entrypoints=web"
      - "traefik.http.routers.bitwarden-http.middlewares=mistborn_auth@file"
      - "traefik.http.routers.bitwarden-https.rule=Host(`bitwarden.mistborn`)"
      - "traefik.http.routers.bitwarden-https.entrypoints=websecure"
      - "traefik.http.routers.bitwarden-https.middlewares=mistborn_auth@file"
      - "traefik.http.routers.bitwarden-https.tls.certresolver=basic"
      - "traefik.http.services.bitwarden-service.loadbalancer.server.port=80"
    ports:
      - 3012:3012/tcp
    restart: unless-stopped
--- a/extra/homeassistant.yml
+++ b/extra/homeassistant.yml
@ -10,7 +10,14 @@ services:
      - TZ=America/New_York
    labels:
      - "traefik.enable=true"
-      - "traefik.port=8123"
+      - "traefik.http.routers.homeassistant-http.rule=Host(`homeassistant.mistborn`)"
      - "traefik.http.routers.homeassistant-http.entrypoints=web"
      - "traefik.http.routers.homeassistant-http.middlewares=mistborn_auth@file"
      - "traefik.http.routers.homeassistant-https.rule=Host(`homeassistant.mistborn`)"
      - "traefik.http.routers.homeassistant-https.entrypoints=websecure"
      - "traefik.http.routers.homeassistant-https.middlewares=mistborn_auth@file"
      - "traefik.http.routers.homeassistant-https.tls.certresolver=basic"
      - "traefik.http.services.homeassistant-service.loadbalancer.server.port=8123"
    restart: unless-stopped 
 networks:
--- a/extra/jellyfin.yml
+++ b/extra/jellyfin.yml
@ -14,7 +14,14 @@ services:
      - ../../mistborn_volumes/extra/nextcloud:/media:ro
    labels:
      - "traefik.enable=true"
-      - "traefik.port=8096"
+      - "traefik.http.routers.jellyfin-http.rule=Host(`jellyfin.mistborn`)"
      - "traefik.http.routers.jellyfin-http.entrypoints=web"
      - "traefik.http.routers.jellyfin-http.middlewares=mistborn_auth@file"
      - "traefik.http.routers.jellyfin-https.rule=Host(`jellyfin.mistborn`)"
      - "traefik.http.routers.jellyfin-https.entrypoints=websecure"
      - "traefik.http.routers.jellyfin-https.middlewares=mistborn_auth@file"
      - "traefik.http.routers.jellyfin-https.tls.certresolver=basic"
      - "traefik.http.services.jellyfin-service.loadbalancer.server.port=8096"
    restart: unless-stopped
 networks:
--- a/extra/jitsi-meet.yml
+++ b/extra/jitsi-meet.yml
@ -9,7 +9,14 @@ services:
            #- '${HTTPS_PORT}:443'
        labels:
            - "traefik.enable=true"
-            - "traefik.port=${HTTP_PORT}"
+            - "traefik.http.routers.jitsi-http.rule=Host(`jitsi.mistborn`)"
            - "traefik.http.routers.jitsi-http.entrypoints=web"
            - "traefik.http.routers.jitsi-http.middlewares=mistborn_auth@file"
            - "traefik.http.routers.jitsi-https.rule=Host(`jitsi.mistborn`)"
            - "traefik.http.routers.jitsi-https.entrypoints=websecure"
            - "traefik.http.routers.jitsi-https.middlewares=mistborn_auth@file"
            - "traefik.http.routers.jitsi-https.tls.certresolver=basic"
            - "traefik.http.services.jitsi-service.loadbalancer.server.port=${HTTP_PORT}"
        volumes:
            - ${CONFIG}/web:/config
            - ${CONFIG}/web/letsencrypt:/etc/letsencrypt
--- a/extra/nextcloud.yml
+++ b/extra/nextcloud.yml
@ -9,7 +9,14 @@ services:
      - ../.envs/.production/.nextcloud
    labels:
      - "traefik.enable=true"
-      - "traefik.port=80"
+      - "traefik.http.routers.nextcloud-http.rule=Host(`nextcloud.mistborn`)"
      - "traefik.http.routers.nextcloud-http.entrypoints=web"
      - "traefik.http.routers.nextcloud-http.middlewares=mistborn_auth@file"
      - "traefik.http.routers.nextcloud-https.rule=Host(`nextcloud.mistborn`)"
      - "traefik.http.routers.nextcloud-https.entrypoints=websecure"
      - "traefik.http.routers.nextcloud-https.middlewares=mistborn_auth@file"
      - "traefik.http.routers.nextcloud-https.tls.certresolver=basic"
      - "traefik.http.services.nextcloud-service.loadbalancer.server.port=80"
    volumes:
      - ../../mistborn_volumes/extra/nextcloud:/var/www/html
    environment:
--- a/extra/onlyoffice.yml
+++ b/extra/onlyoffice.yml
@ -11,7 +11,14 @@ services:
      - ../.envs/.production/.onlyoffice
    labels:
      - "traefik.enable=true"
-      - "traefik.port=80"
+      - "traefik.http.routers.onlyoffice-http.rule=Host(`onlyoffice.mistborn`)"
      - "traefik.http.routers.onlyoffice-http.entrypoints=web"
      - "traefik.http.routers.onlyoffice-http.middlewares=mistborn_auth@file"
      - "traefik.http.routers.onlyoffice-https.rule=Host(`onlyoffice.mistborn`)"
      - "traefik.http.routers.onlyoffice-https.entrypoints=websecure"
      - "traefik.http.routers.onlyoffice-https.middlewares=mistborn_auth@file"
      - "traefik.http.routers.onlyoffice-https.tls.certresolver=basic"
      - "traefik.http.services.onlyoffice-service.loadbalancer.server.port=80"
    restart: unless-stopped 
 networks:
--- a/extra/raspap.yml
+++ b/extra/raspap.yml
@ -10,7 +10,14 @@ services:
    container_name: mistborn_production_raspap
    labels:
      - "traefik.enable=true"
-      - "traefik.port=80"
+      - "traefik.http.routers.raspap-http.rule=Host(`raspap.mistborn`)"
      - "traefik.http.routers.raspap-http.entrypoints=web"
      - "traefik.http.routers.raspap-http.middlewares=mistborn_auth@file"
      - "traefik.http.routers.raspap-https.rule=Host(`raspap.mistborn`)"
      - "traefik.http.routers.raspap-https.entrypoints=websecure"
      - "traefik.http.routers.raspap-https.middlewares=mistborn_auth@file"
      - "traefik.http.routers.raspap-https.tls.certresolver=basic"
      - "traefik.http.services.raspap-service.loadbalancer.server.port=80"
    env_file:
      - ../.envs/.production/.pihole
    command: /start
--- a/extra/rocketchat.yml
+++ b/extra/rocketchat.yml
@ -17,7 +17,14 @@ services:
      - Accounts_UseDNSDomainCheck=False
    labels:
      - "traefik.enable=true"
-      - "traefik.port=3000"
+      - "traefik.http.routers.chat-http.rule=Host(`chat.mistborn`)"
      - "traefik.http.routers.chat-http.entrypoints=web"
      - "traefik.http.routers.chat-http.middlewares=mistborn_auth@file"
      - "traefik.http.routers.chat-https.rule=Host(`chat.mistborn`)"
      - "traefik.http.routers.chat-https.entrypoints=websecure"
      - "traefik.http.routers.chat-https.middlewares=mistborn_auth@file"
      - "traefik.http.routers.chat-https.tls.certresolver=basic"
      - "traefik.http.services.chat-service.loadbalancer.server.port=3000"
    depends_on:
      - mongo
    #ports:
--- a/extra/syncthing.yml
+++ b/extra/syncthing.yml
@ -19,7 +19,14 @@ services:
      - 21027:21027/udp # protocol discovery
    labels:
      - "traefik.enable=true"
-      - "traefik.port=8384"
+      - "traefik.http.routers.syncthing-http.rule=Host(`syncthing.mistborn`)"
      - "traefik.http.routers.syncthing-http.entrypoints=web"
      - "traefik.http.routers.syncthing-http.middlewares=mistborn_auth@file"
      - "traefik.http.routers.syncthing-https.rule=Host(`syncthing.mistborn`)"
      - "traefik.http.routers.syncthing-https.entrypoints=websecure"
      - "traefik.http.routers.syncthing-https.middlewares=mistborn_auth@file"
      - "traefik.http.routers.syncthing-https.tls.certresolver=basic"
      - "traefik.http.services.syncthing-service.loadbalancer.server.port=8384"
    restart: unless-stopped
 networks:
--- a/scripts/install.sh
+++ b/scripts/install.sh
@ -205,7 +205,7 @@ sudo mkdir -p ../mistborn_volumes/base/pihole/etc-dnsmasqd
 sudo mkdir -p ../mistborn_volumes/extra
 # Traefik final setup (cockpit)
-cp ./compose/production/traefik/traefik.toml.template ./compose/production/traefik/traefik.toml
+#cp ./compose/production/traefik/traefikv2.toml.template ./compose/production/traefik/traefik.toml
 # setup tls certs 
 source ./scripts/subinstallers/openssl.sh
--- a/scripts/update.sh
+++ b/scripts/update.sh
@ -17,7 +17,7 @@ sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/
 sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/DIFACE/$iface/"
 # handle updates to traefik
-sudo cp /opt/mistborn/compose/production/traefik/traefik.toml.template /opt/mistborn/compose/production/traefik/traefik.toml
+#sudo cp /opt/mistborn/compose/production/traefik/traefik.toml.template /opt/mistborn/compose/production/traefik/traefik.toml
 sudo systemctl daemon-reload
 sudo systemctl enable Mistborn-setup.service