Compare commits

..

1 Commits

Author SHA1 Message Date
3wc
752d84e337 Attempt to disable Letsencrypt for self-signed joy 2021-04-17 23:03:30 +02:00
33 changed files with 103 additions and 607 deletions

View File

@ -3,12 +3,10 @@ kind: pipeline
name: deploy to swarm-test.autonomic.zone
steps:
- name: deployment
image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
image: decentral1se/stack-ssh-deploy:latest
settings:
host: swarm-test.autonomic.zone
stack: traefik
networks:
- proxy
deploy_key:
from_secret: drone_ssh_swarm_test
environment:
@ -16,25 +14,8 @@ steps:
STACK_NAME: traefik
LETS_ENCRYPT_ENV: production
LETS_ENCRYPT_EMAIL: helo@autonomic.zone
TRAEFIK_YML_VERSION: v21
FILE_PROVIDER_YML_VERSION: v10
ENTRYPOINT_VERSION: v4
TRAEFIK_YML_VERSION: v3
FILE_PROVIDER_YML_VERSION: v2
trigger:
branch:
- master
---
kind: pipeline
name: generate recipe catalogue
steps:
- name: release a new version
image: plugins/downstream
settings:
server: https://build.coopcloud.tech
token:
from_secret: drone_abra-bot_token
fork: true
repositories:
- coop-cloud/auto-recipes-catalogue-json
trigger:
event: tag

View File

@ -1,149 +1,27 @@
TYPE=traefik
TIMEOUT=300
ENABLE_AUTO_UPDATE=true
ENABLE_BACKUPS=true
DOMAIN=traefik.example.com
LETS_ENCRYPT_ENV=production
LETS_ENCRYPT_DISABLED=0
LETS_ENCRYPT_EMAIL=certs@example.com
# DASHBOARD_ENABLED=true
# WARN, INFO etc.
LOG_LEVEL=WARN
# This is here so later lines can extend it; you likely don't wanna edit
COMPOSE_FILE="compose.yml"
#####################################################################
# General settings #
#####################################################################
## Host-mode networking
#COMPOSE_FILE="$COMPOSE_FILE:compose.host.yml"
## "Headless mode" (no domain configured)
#COMPOSE_FILE="$COMPOSE_FILE:compose.headless.yml"
#####################################################################
# Automatic DNS set-up for Letsencrypt #
#####################################################################
## Enable dns challenge (for wildcard domains)
## https://doc.traefik.io/traefik/https/acme/#dnschallenge
#LETS_ENCRYPT_DNS_CHALLENGE_ENABLED=1
#LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER=ovh
## OVH, https://ovh.com
#COMPOSE_FILE="$COMPOSE_FILE:compose.ovh.yml"
#OVH_ENABLED=1
#OVH_APPLICATION_KEY=
#OVH_ENDPOINT=
#SECRET_OVH_APP_SECRET_VERSION=v1
#SECRET_OVH_CONSUMER_KEY=v1
## Gandi, https://gandi.net
## note(3wc): only "V5" (new) API is supported, so far
#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-api-key.yml"
#GANDI_API_KEY_ENABLED=1
#SECRET_GANDIV5_API_KEY_VERSION=v1
## Gandi, https://gandi.net
## note: uses GandiV5 Personal Access Token
#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-personal-access-token.yml"
#GANDI_PERSONAL_ACCESS_TOKEN_ENABLED=1
#SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1
## DigitalOcean, https://digitalocean.com
#COMPOSE_FILE="$COMPOSE_FILE:compose.digitalocean.yml"
#DIGITALOCEAN_ENABLED=1
#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1
#####################################################################
# Manual wildcard certificate insertion #
#####################################################################
# Set wildcards = 1, and uncomment compose_file to enable.
# Create your certs elsewhere and add them like:
# abra app secret insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)"
# abra app secret insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)"
#WILDCARDS_ENABLED=1
#SECRET_WILDCARD_CERT_VERSION=v1
#SECRET_WILDCARD_KEY_VERSION=v1
#COMPOSE_FILE="$COMPOSE_FILE:compose.wildcard.yml"
#####################################################################
# Authentication #
#####################################################################
## Enable Keycloak
#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
#COMPOSE_FILE="compose.yml:compose.keycloak.yml"
#KEYCLOAK_MIDDLEWARE_ENABLED=1
#KEYCLOAK_TFA_SERVICE=traefik-forward-auth_app
#KEYCLOAK_MIDDLEWARE_2_ENABLED=1
#KEYCLOAK_TFA_SERVICE_2=traefik-forward-auth_app
## BASIC_AUTH
## Use httpasswd to generate the secret
#COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml"
#BASIC_AUTH=1
#SECRET_USERSFILE_VERSION=v1
#####################################################################
# Prometheus metrics #
#####################################################################
## Enable prometheus metrics collection
## used used by the coop-cloud monitoring stack
#COMPOSE_FILE="$COMPOSE_FILE:compose.metrics.yml"
#METRICS_ENABLED=1
#####################################################################
# File provider directory configuration #
# (Route bare metal and non-docker services on the machine!) #
#####################################################################
#FILE_PROVIDER_DIRECTORY_ENABLED=1
#####################################################################
# Additional services #
#####################################################################
## SMTP port 587
#COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
#COMPOSE_FILE="compose.yml:compose.smtp.yml"
#SMTP_ENABLED=1
## Compy
#COMPOSE_FILE="$COMPOSE_FILE:compose.compy.yml"
#COMPY_ENABLED=1
## Gitea SSH
# COMPOSE_FILE="$COMPOSE_FILE:compose.gitea.yml"
# GITEA_SSH_ENABLED=1
## Foodsoft SMTP
# COMPOSE_FILE="$COMPOSE_FILE:compose.foodsoft.yml"
# FOODSOFT_SMTP_ENABLED=1
## Peertube RTMP
#COMPOSE_FILE="$COMPOSE_FILE:compose.peertube.yml"
#PEERTUBE_RTMP_ENABLED=1
## Secure Scuttlebutt MUXRPC
#COMPOSE_FILE="$COMPOSE_FILE:compose.ssb.yml"
#SSB_MUXRPC_ENABLED=1
## MSSQL
#COMPOSE_FILE="$COMPOSE_FILE:compose.mssql.yml"
#MSSQL_ENABLED=1
## Mumble
#COMPOSE_FILE="$COMPOSE_FILE:compose.mumble.yml"
#MUMBLE_ENABLED=1
## Matrix
#COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
#MATRIX_FEDERATION_ENABLED=1
## "Web alt", an alternative web port
# NOTE(3wc): as of 2024-04-01 only the `icecast` recipe uses this
#COMPOSE_FILE="$COMPOSE_FILE:compose.web-alt.yml"
#WEB_ALT_ENABLED=1
## Host-mode networking
#COMPOSE_FILE="compose.yml:compose.host.yml"

View File

@ -7,11 +7,11 @@
<!-- metadata -->
* **Category**: Utilities
* **Status**: ?
* **Image**: [`traefik`](https://hub.docker.com/_/traefik), 4, upstream
* **Image**: [`traefik`](https://hub.docker.com/_/traefik), ❶💚, upstream
* **Healthcheck**: Yes
* **Backups**: No
* **Email**: N/A
* **Tests**: 2
* **Tests**: ❷💛
* **SSO**: ? (Keycloak)
<!-- endmetadata -->
@ -19,31 +19,8 @@
1. Set up Docker Swarm and [`abra`]
2. `abra app new traefik`
3. `abra app config YOURAPPDOMAIN` - be sure to change `DOMAIN` to something that resolves to
3. `abra app YOURAPPDOMAIN config` - be sure to change `DOMAIN` to something that resolves to
your Docker swarm box
4. `abra app deploy YOURAPPDOMAIN`
## Configuring wildcard SSL using DNS
Automatic certificate generation will Just Work™ for most recipes which use a fixed
number of subdomains. For some recipes which need to work across arbitrary
subdomains, like
[`federatedwiki`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) and
[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/), you'll
need to give Traefik access to your DNS provider so that it can carry out
Letsencrypt DNS challenges.
1. Use Gandi or OVH for DNS 🤡 (support for other providers can be easily added,
see [the `lego` docs](https://go-acme.github.io/lego/dns/#dns-providers).
2. Run `abra app config YOURAPPDOMAIN`
3. Uncomment e.g. `ENABLE_GANDI` and the related `SECRET_.._VERSION` line, e.g.
`SECRET_GANDIV5_API_KEY_VERSION`
4. Generate an API key for your provider
5. Run `abra app secret insert YOURAPPDOMAIN SECRETNAME v1 SECRETVALUE`, where
`SECRETNAME` is from the compose file (e.g. `compose.gandi-api-key.yml`) e.g.
`gandiv5_api_key` and `SECRETVALUE` is the API key.
- For Gandi, you can use either the deprecated API Key or a GandiV5 Personal
Access Token, in which case use compose.gandi-personal-access-token.yml.
6. Redeploy Traefik, using e.g. `abra app deploy YOURAPPDOMAIN -f`
4. `abra app YOURAPPDOMAIN deploy`
[`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra

View File

@ -1,3 +1,2 @@
export TRAEFIK_YML_VERSION=v21
export FILE_PROVIDER_YML_VERSION=v10
export ENTRYPOINT_VERSION=v4
export TRAEFIK_YML_VERSION=v7
export FILE_PROVIDER_YML_VERSION=v1

View File

@ -1,4 +0,0 @@
matrix-synapse:
uncomment:
- compose.matrix.yml
- MATRIX_FEDERATION_ENABLED

View File

@ -1,12 +0,0 @@
version: "3.8"
services:
app:
environment:
- BASIC_AUTH
secrets:
- usersfile
secrets:
usersfile:
name: ${STACK_NAME}_usersfile_${SECRET_USERSFILE_VERSION}
external: true

View File

@ -1,7 +0,0 @@
version: "3.8"
services:
app:
environment:
- COMPY_ENABLED
ports:
- "9999:9999"

View File

@ -1,15 +0,0 @@
version: "3.8"
services:
app:
environment:
- DO_AUTH_TOKEN_FILE=/run/secrets/digitalocean_auth_token
- LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
- LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
secrets:
- digitalocean_auth_token
secrets:
digitalocean_auth_token:
name: ${STACK_NAME}_digitalocean_auth_token_${SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION}
external: true

View File

@ -1,7 +0,0 @@
version: "3.8"
services:
app:
environment:
- FOODSOFT_SMTP_ENABLED
ports:
- "2525:2525"

View File

@ -1,15 +0,0 @@
version: "3.8"
services:
app:
environment:
- GANDIV5_API_KEY_FILE=/run/secrets/gandiv5_api_key
- LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
- LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
secrets:
- gandiv5_api_key
secrets:
gandiv5_api_key:
name: ${STACK_NAME}_gandiv5_api_key_${SECRET_GANDIV5_API_KEY_VERSION}
external: true

View File

@ -1,15 +0,0 @@
version: "3.8"
services:
app:
environment:
- GANDIV5_PERSONAL_ACCESS_TOKEN_FILE=/run/secrets/gandiv5_pat
- LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
- LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
secrets:
- gandiv5_pat
secrets:
gandiv5_pat:
name: ${STACK_NAME}_gandiv5_pat_${SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION}
external: true

View File

@ -1,7 +0,0 @@
version: "3.8"
services:
app:
environment:
- GITEA_SSH_ENABLED
ports:
- "2222:2222"

View File

@ -1,14 +0,0 @@
---
version: "3.8"
services:
app:
deploy:
update_config:
failure_action: rollback
order: start-first
labels:
- "traefik.enable=true"
- "traefik.http.services.traefik.loadbalancer.server.port=web"
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
- "traefik.http.routers.${STACK_NAME}.service=api@internal"

View File

@ -13,3 +13,6 @@ services:
- target: 443
published: 443
mode: host
- target: 2222
published: 2222
mode: host

View File

@ -5,9 +5,6 @@ services:
app:
deploy:
labels:
- "traefik.http.routers.${STACK_NAME}.middlewares=keycloak@file"
- "traefik.http.routers.traefik.middlewares=keycloak@file"
environment:
- KEYCLOAK_MIDDLEWARE_ENABLED
- KEYCLOAK_TFA_SERVICE
- KEYCLOAK_MIDDLEWARE_2_ENABLED
- KEYCLOAK_TFA_SERVICE_2

View File

@ -1,7 +0,0 @@
version: "3.8"
services:
app:
environment:
- MATRIX_FEDERATION_ENABLED
ports:
- "8448:8448"

View File

@ -1,9 +0,0 @@
version: "3.8"
services:
app:
environment:
- METRICS_ENABLED
ports:
- target: 8082
published: 8082
mode: host

View File

@ -1,9 +0,0 @@
---
version: "3.8"
services:
app:
environment:
- MINIO_CONSOLE_ENABLED
ports:
- "9001:9001"

View File

@ -1,10 +0,0 @@
version: "3.8"
services:
app:
environment:
- MSSQL_ENABLED
ports:
- target: 1433
published: 1433
protocol: tcp
mode: host

View File

@ -1,9 +0,0 @@
version: "3.8"
services:
app:
environment:
- MUMBLE_ENABLED
ports:
- "64738:64738/udp"
# note (3wc): see https://github.com/docker/compose/issues/7627
- "64737-64739:64737-64739/tcp"

View File

@ -1,21 +0,0 @@
version: "3.8"
services:
app:
environment:
- OVH_APPLICATION_KEY
- OVH_APPLICATION_SECRET_FILE=/run/secrets/ovh_app_secret
- OVH_CONSUMER_KEY_FILE=/run/secrets/ovh_consumer_key
- OVH_ENABLED
- OVH_ENDPOINT
secrets:
- ovh_app_secret
- ovh_consumer_key
secrets:
ovh_app_secret:
name: ${STACK_NAME}_ovh_app_secret_${SECRET_OVH_APP_SECRET_VERSION}
external: true
ovh_consumer_key:
name: ${STACK_NAME}_ovh_consumer_key_${SECRET_OVH_CONSUMER_KEY}
external: true

View File

@ -1,7 +0,0 @@
version: "3.8"
services:
app:
environment:
- PEERTUBE_RTMP_ENABLED
ports:
- "1935:1935"

View File

@ -3,7 +3,5 @@ version: "3.8"
services:
app:
environment:
- SMTP_ENABLED
ports:
- "587:587"

View File

@ -1,7 +0,0 @@
version: "3.8"
services:
app:
environment:
- SSB_MUXRPC_ENABLED
ports:
- "8008:8008"

View File

@ -1,7 +0,0 @@
version: "3.8"
services:
app:
environment:
- WEB_ALT_ENABLED
ports:
- "8000:8000"

View File

@ -1,16 +0,0 @@
---
version: "3.8"
services:
app:
secrets:
- ssl_cert
- ssl_key
secrets:
ssl_cert:
name: ${STACK_NAME}_ssl_cert_${SECRET_WILDCARD_CERT_VERSION}
external: true
ssl_key:
name: ${STACK_NAME}_ssl_key_${SECRET_WILDCARD_KEY_VERSION}
external: true

View File

@ -1,110 +1,60 @@
---
version: "3.8"
services:
app:
image: "traefik:v2.11.10"
# Note(decentral1se): *please do not* add any additional ports here.
# Doing so could break new installs with port conflicts. Please use
# the usual `compose.$app.yml` approach for any additional ports
image: "traefik:v2.4.8"
ports:
- "80:80"
- "443:443"
- "2222:2222"
- "2525:2525"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
- "letsencrypt:/etc/letsencrypt"
- "file-providers:/etc/traefik/file-providers"
configs:
- source: traefik_yml
target: /etc/traefik/traefik.yml
- source: file_provider_yml
target: /etc/traefik/file-provider.yml
- source: entrypoint
target: /custom-entrypoint.sh
mode: 0555
networks:
- proxy
- internal
environment:
- DASHBOARD_ENABLED
- LETS_ENCRYPT_DISABLED
- LETS_ENCRYPT_EMAIL
- FOODSOFT_SMTP_ENABLED
- GITEA_SSH_ENABLED
- LOG_LEVEL
- SMTP_ENABLED
healthcheck:
test: ["CMD", "traefik", "healthcheck"]
interval: 30s
timeout: 10s
retries: 10
start_period: 1m
command: traefik
entrypoint: /custom-entrypoint.sh
deploy:
update_config:
failure_action: rollback
order: start-first
labels:
- "traefik.enable=true"
- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=web"
- "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
- "traefik.http.routers.${STACK_NAME}.service=api@internal"
- "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
- "coop-cloud.${STACK_NAME}.version=2.8.0+v2.11.10"
- "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
- "backupbot.backup=${ENABLE_BACKUPS:-true}"
socket-proxy:
image: lscr.io/linuxserver/socket-proxy:1.26.2-r0-ls26
environment:
- ALLOW_START=0
- ALLOW_STOP=0
- ALLOW_RESTARTS=0
- AUTH=0
- BUILD=0
- COMMIT=0
- CONFIGS=0
- CONTAINERS=1 # Needs access
- DISABLE_IPV6=0
- DISTRIBUTION=0
- EVENTS=1 # Needs access
- EXEC=0
- IMAGES=0
- INFO=0
- NETWORKS=1 # Needs access
- NODES=0
- PING=0
- POST=0
- PLUGINS=0
- SECRETS=0
- SERVICES=1 # Needs access
- SESSION=0
- SWARM=0
- SYSTEM=0
- TASKS=1 # Needs access
- VERSION=1 # Needs access
- VOLUMES=0
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
networks:
- internal
- "traefik.http.services.traefik.loadbalancer.server.port=web"
- "traefik.http.routers.traefik.rule=Host(`${DOMAIN}`)"
- "traefik.http.routers.traefik.entrypoints=web-secure"
#- "traefik.http.routers.traefik.tls.certresolver=${LETS_ENCRYPT_ENV}"
- "traefik.http.routers.traefik.tls.options=default@file"
- "traefik.http.routers.traefik.service=api@internal"
- "traefik.http.routers.traefik.middlewares=security@file"
- coop-cloud.${STACK_NAME}.app.version=v2.4.8-d7d63b0d
networks:
proxy:
external: true
internal:
configs:
traefik_yml:
name: ${STACK_NAME}_traefik_yml_${TRAEFIK_YML_VERSION}
file: traefik.yml.tmpl
file: traefik.yml
template_driver: golang
file_provider_yml:
name: ${STACK_NAME}_file_provider_yml_${FILE_PROVIDER_YML_VERSION}
file: file-provider.yml.tmpl
template_driver: golang
entrypoint:
name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
file: entrypoint.sh.tmpl
template_driver: golang
file: file-provider.yml
volumes:
letsencrypt:
file-providers:

View File

@ -1,14 +0,0 @@
#!/bin/sh
set -e
{{ if eq (env "OVH_ENABLED") "1" }}
export OVH_CONSUMER_KEY=$(cat "$OVH_CONSUMER_KEY_FILE")
export OVH_APPLICATION_SECRET=$(cat "$OVH_APPLICATION_SECRET_FILE")
{{ end }}
{{ if eq (env "DIGITALOCEAN_ENABLED") "1" }}
export DO_AUTH_TOKEN=$(cat "$DO_AUTH_TOKEN_FILE")
{{ end }}
/entrypoint.sh "$@"

View File

@ -4,27 +4,15 @@ http:
{{ if eq (env "KEYCLOAK_MIDDLEWARE_ENABLED") "1" }}
keycloak:
forwardAuth:
address: "http://{{ env "KEYCLOAK_TFA_SERVICE" }}:4181"
address: "http://traefik-forward-auth:4181"
trustForwardHeader: true
authResponseHeaders:
- X-Forwarded-User
{{ end }}
{{ if eq (env "KEYCLOAK_MIDDLEWARE_2_ENABLED") "1" }}
keycloak2:
forwardAuth:
address: "http://{{ env "KEYCLOAK_TFA_SERVICE_2" }}:4181"
trustForwardHeader: true
authResponseHeaders:
- X-Forwarded-User
{{ end }}
{{ if eq (env "BASIC_AUTH") "1" }}
basicauth:
basicAuth:
usersFile: "/run/secrets/usersfile"
{{ end }}
security:
headers:
frameDeny: true
sslRedirect: true
browserXssFilter: true
contentTypeNosniff: true
stsIncludeSubdomains: true
@ -44,8 +32,3 @@ tls:
- CurveP521
- CurveP384
sniStrict: true
{{ if eq (env "WILDCARDS_ENABLED") "1" }}
certificates:
- certFile: /run/secrets/ssl_cert
keyFile: /run/secrets/ssl_key
{{ end }}

View File

@ -1 +0,0 @@
Important Security Update! https://nvd.nist.gov/vuln/detail/CVE-2024-45410

6
renovate.json Normal file
View File

@ -0,0 +1,6 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:base"
]
}

58
traefik.yml Normal file
View File

@ -0,0 +1,58 @@
---
log:
level: {{ env "LOG_LEVEL" }}
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
network: proxy
swarmMode: true
file:
filename: /etc/traefik/file-provider.yml
api:
dashboard: {{ env "DASHBOARD_ENABLED" }}
debug: false
entrypoints:
web:
address: ":80"
http:
redirections:
entryPoint:
to: web-secure
web-secure:
address: ":443"
{{ if eq (env "GITEA_SSH_ENABLED") "1" }}
gitea-ssh:
address: ":2222"
{{ end }}
{{ if eq (env "FOODSOFT_SMTP_ENABLED") "1" }}
foodsoft-smtp:
address: ":2525"
{{ end }}
{{ if eq (env "SMTP_ENABLED") "1" }}
smtp-submission:
address: ":587"
{{ end }}
ping:
entryPoint: web
{{ if not (eq (env "LETS_ENCRYPT_DISABLED") "1") }}
certificatesResolvers:
staging:
acme:
email: {{ env "LETS_ENCRYPT_EMAIL" }}
storage: /etc/letsencrypt/staging-acme.json
caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
httpChallenge:
entryPoint: web
production:
acme:
email: {{ env "LETS_ENCRYPT_EMAIL" }}
storage: /etc/letsencrypt/production-acme.json
httpChallenge:
entryPoint: web
{{ end }}

View File

@ -1,121 +0,0 @@
---
log:
level: {{ env "LOG_LEVEL" }}
providers:
docker:
endpoint: "tcp://socket-proxy:2375"
exposedByDefault: false
network: proxy
swarmMode: true
{{ if eq (env "FILE_PROVIDER_DIRECTORY_ENABLED") "1" }}
file:
directory: /etc/traefik/file-providers
watch: true
{{ else }}
file:
filename: /etc/traefik/file-provider.yml
{{ end }}
api:
dashboard: {{ env "DASHBOARD_ENABLED" }}
debug: false
entrypoints:
web:
address: ":80"
http:
redirections:
entryPoint:
to: web-secure
web-secure:
address: ":443"
{{ if eq (env "GITEA_SSH_ENABLED") "1" }}
gitea-ssh:
address: ":2222"
{{ end }}
{{ if eq (env "FOODSOFT_SMTP_ENABLED") "1" }}
foodsoft-smtp:
address: ":2525"
{{ end }}
{{ if eq (env "SMTP_ENABLED") "1" }}
smtp-submission:
address: ":587"
{{ end }}
{{ if eq (env "PEERTUBE_RTMP_ENABLED") "1" }}
peertube-rtmp:
address: ":1935"
{{ end }}
{{ if eq (env "WEB_ALT_ENABLED") "1" }}
web-alt:
address: ":8000"
{{ end }}
{{ if eq (env "SSB_MUXRPC_ENABLED") "1" }}
ssb-muxrpc:
address: ":8008"
{{ end }}
{{ if eq (env "MSSQL_ENABLED") "1" }}
mssql:
address: ":1433"
{{ end }}
{{ if eq (env "MUMBLE_ENABLED") "1" }}
mumble:
address: ":64738"
mumble-udp:
address: ":64738/udp"
{{ end }}
{{ if eq (env "COMPY_ENABLED") "1" }}
compy:
address: ":9999"
{{ end }}
{{ if eq (env "METRICS_ENABLED") "1" }}
metrics:
address: ":8082"
http:
middlewares:
- basicauth@file
{{ end }}
{{ if eq (env "MATRIX_FEDERATION_ENABLED") "1" }}
matrix-federation:
address: ":9001"
{{ end }}
ping:
entryPoint: web
{{ if eq (env "METRICS_ENABLED") "1" }}
metrics:
prometheus:
entryPoint: metrics
addRoutersLabels: true
addServicesLabels: true
{{ end }}
certificatesResolvers:
staging:
acme:
email: {{ env "LETS_ENCRYPT_EMAIL" }}
storage: /etc/letsencrypt/staging-acme.json
caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
httpChallenge:
entryPoint: web
{{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
dnsChallenge:
provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
resolvers:
- "1.1.1.1:53"
- "8.8.8.8:53"
{{ end }}
production:
acme:
email: {{ env "LETS_ENCRYPT_EMAIL" }}
storage: /etc/letsencrypt/production-acme.json
httpChallenge:
entryPoint: web
{{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
dnsChallenge:
provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
resolvers:
- "1.1.1.1:53"
- "9.9.9.9:53"
{{ end }}