Compare commits
109 Commits
self-signe
...
master
Author | SHA1 | Date |
---|---|---|
Moritz | 60b79b447a | |
3wordchant | f1b52916df | |
f | 35d435b4f6 | |
Javielico | b7ea50d6aa | |
Javielico | af33ec8510 | |
3wordchant | 685d32baf1 | |
3wc | e76d61be00 | |
3wc | daec338066 | |
3wc | e92e76ac88 | |
3wc | 70d10587bc | |
3wc | bdf84fcefd | |
3wc | 2db2f71a80 | |
3wc | c558e1dbdb | |
3wc | edc29f9594 | |
3wc | f7f77dc942 | |
p4u1 | ecc12b2b68 | |
decentral1se | a0e70f33be | |
Chris (wolcen) Thompson | e3c1df83fa | |
Chris (wolcen) Thompson | 998190f684 | |
Chris (wolcen) Thompson | cd92c909ba | |
Chris (wolcen) Thompson | 64351c27d1 | |
Chris (wolcen) Thompson | f4b05fd87f | |
Chris (wolcen) Thompson | 3c5333ba71 | |
3wc | 5f2fd0bf37 | |
3wc | ac3a47fe8c | |
Philipp Rothmann | 1e02f358ed | |
Philipp Rothmann | 6cdcc25384 | |
Philipp Rothmann | d2b7b671f5 | |
Philipp Rothmann | c9d80df34d | |
Philipp Rothmann | aaa34c1ea8 | |
Philipp Rothmann | 6dee438492 | |
Philipp Rothmann | ff668b2266 | |
Philipp Rothmann | e2c16be2ff | |
3wc | 892f3c3124 | |
3wc | 4205f4911e | |
3wc | 13eb4a782d | |
decentral1se | b00a65a890 | |
Moritz | a213094d46 | |
Moritz | 8bb3adba81 | |
Moritz | a7bff09db6 | |
3wc | 6167d41588 | |
decentral1se | 31330d967b | |
decentral1se | f23357c9cd | |
3wc | b6bb286282 | |
3wc | 14a34c7b7f | |
3wc | 39bfdb4c82 | |
3wc | 1d43c68274 | |
Cassowary | f1cfb814dd | |
Philipp Rothmann | ece8807959 | |
3wc | a1e75e8c8b | |
3wordchant | b62cb273ef | |
javielico | 5f25a272cb | |
javielico | 4c7a272838 | |
3wc | 2e68186042 | |
3wc | 975d8e01a4 | |
trav | fcff3a2d6a | |
decentral1se | 981d2a3808 | |
Philipp Rothmann | 29eb1058cd | |
decentral1se | df49a1f3b2 | |
3wc | 099dcfaed0 | |
decentral1se | 1d7542cd5f | |
decentral1se | 5e1604322e | |
decentral1se | 36707989d2 | |
decentral1se | 29f90fe409 | |
decentral1se | 8a48c5e507 | |
decentral1se | 612d0cc6cc | |
3wordchant | 36c7b740ab | |
3wc | 59b0f8d645 | |
3wc | 556c448c05 | |
3wc | 26fcaaea69 | |
3wc | 02ebb1412f | |
3wc | 8e91a5a3ee | |
decentral1se | 3048d09cd8 | |
decentral1se | 2c9e980809 | |
decentral1se | ec47f5c9dd | |
decentral1se | cf81dc543a | |
decentral1se | 48f03d8fcf | |
decentral1se | 8c6fe61e60 | |
mirsal | fc5aa70d27 | |
3wordchant | 9e123afb07 | |
3wc | baba7ff87d | |
3wc | e856591c97 | |
3wc | 8bcd8f054e | |
3wc | a9a513e8da | |
3wc | 46010aeb95 | |
Comrade Renovate Bot | 0421dd4747 | |
decentral1se | eb69ba9309 | |
decentral1se | 21cd25f3d6 | |
decentral1se | f9b3475086 | |
decentral1se | ef443bae50 | |
Comrade Renovate Bot | aacf00309e | |
decentral1se | f73e38d143 | |
decentral1se | 661bec4727 | |
decentral1se | 7258b129c4 | |
decentral1se | bbbdfc272d | |
Michael Williams | 2c81622d9a | |
decentral1se | 8ff2f3a294 | |
decentral1se | 2c745416fc | |
decentral1se | d968028216 | |
3wc | 8d309bc7bf | |
decentral1se | 18d8805c99 | |
decentral1se | bdff19882b | |
decentral1se | fd9faeb021 | |
decentral1se | f26557bd40 | |
decentral1se | 2de31afe26 | |
decentral1se | 028ad6ce62 | |
decentral1se | ede226cea7 | |
decentral1se | 9a1dd29d01 | |
decentral1se | 2428f5fabd |
25
.drone.yml
25
.drone.yml
|
@ -3,10 +3,12 @@ kind: pipeline
|
||||||
name: deploy to swarm-test.autonomic.zone
|
name: deploy to swarm-test.autonomic.zone
|
||||||
steps:
|
steps:
|
||||||
- name: deployment
|
- name: deployment
|
||||||
image: decentral1se/stack-ssh-deploy:latest
|
image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
|
||||||
settings:
|
settings:
|
||||||
host: swarm-test.autonomic.zone
|
host: swarm-test.autonomic.zone
|
||||||
stack: traefik
|
stack: traefik
|
||||||
|
networks:
|
||||||
|
- proxy
|
||||||
deploy_key:
|
deploy_key:
|
||||||
from_secret: drone_ssh_swarm_test
|
from_secret: drone_ssh_swarm_test
|
||||||
environment:
|
environment:
|
||||||
|
@ -14,8 +16,25 @@ steps:
|
||||||
STACK_NAME: traefik
|
STACK_NAME: traefik
|
||||||
LETS_ENCRYPT_ENV: production
|
LETS_ENCRYPT_ENV: production
|
||||||
LETS_ENCRYPT_EMAIL: helo@autonomic.zone
|
LETS_ENCRYPT_EMAIL: helo@autonomic.zone
|
||||||
TRAEFIK_YML_VERSION: v3
|
TRAEFIK_YML_VERSION: v5
|
||||||
FILE_PROVIDER_YML_VERSION: v2
|
FILE_PROVIDER_YML_VERSION: v4
|
||||||
|
ENTRYPOINT_VERSION: v1
|
||||||
trigger:
|
trigger:
|
||||||
branch:
|
branch:
|
||||||
- master
|
- master
|
||||||
|
---
|
||||||
|
kind: pipeline
|
||||||
|
name: generate recipe catalogue
|
||||||
|
steps:
|
||||||
|
- name: release a new version
|
||||||
|
image: plugins/downstream
|
||||||
|
settings:
|
||||||
|
server: https://build.coopcloud.tech
|
||||||
|
token:
|
||||||
|
from_secret: drone_abra-bot_token
|
||||||
|
fork: true
|
||||||
|
repositories:
|
||||||
|
- coop-cloud/auto-recipes-catalogue-json
|
||||||
|
|
||||||
|
trigger:
|
||||||
|
event: tag
|
||||||
|
|
124
.env.sample
124
.env.sample
|
@ -1,4 +1,6 @@
|
||||||
TYPE=traefik
|
TYPE=traefik
|
||||||
|
TIMEOUT=300
|
||||||
|
ENABLE_AUTO_UPDATE=true
|
||||||
|
|
||||||
DOMAIN=traefik.example.com
|
DOMAIN=traefik.example.com
|
||||||
LETS_ENCRYPT_ENV=production
|
LETS_ENCRYPT_ENV=production
|
||||||
|
@ -8,19 +10,133 @@ LETS_ENCRYPT_EMAIL=certs@example.com
|
||||||
# WARN, INFO etc.
|
# WARN, INFO etc.
|
||||||
LOG_LEVEL=WARN
|
LOG_LEVEL=WARN
|
||||||
|
|
||||||
|
# This is here so later lines can extend it; you likely don't wanna edit
|
||||||
|
COMPOSE_FILE="compose.yml"
|
||||||
|
|
||||||
|
#####################################################################
|
||||||
|
# General settings #
|
||||||
|
#####################################################################
|
||||||
|
|
||||||
|
## Host-mode networking
|
||||||
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.host.yml"
|
||||||
|
|
||||||
|
## "Headless mode" (no domain configured)
|
||||||
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.headless.yml"
|
||||||
|
|
||||||
|
#####################################################################
|
||||||
|
# Automatic DNS set-up for Letsencrypt #
|
||||||
|
#####################################################################
|
||||||
|
|
||||||
|
## Enable dns challenge (for wildcard domains)
|
||||||
|
## https://doc.traefik.io/traefik/https/acme/#dnschallenge
|
||||||
|
#LETS_ENCRYPT_DNS_CHALLENGE_ENABLED=1
|
||||||
|
#LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER=ovh
|
||||||
|
|
||||||
|
## OVH, https://ovh.com
|
||||||
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.ovh.yml"
|
||||||
|
#OVH_ENABLED=1
|
||||||
|
#OVH_APPLICATION_KEY=
|
||||||
|
#OVH_ENDPOINT=
|
||||||
|
#SECRET_OVH_APP_SECRET_VERSION=v1
|
||||||
|
#SECRET_OVH_CONSUMER_KEY=v1
|
||||||
|
|
||||||
|
## Gandi, https://gandi.net
|
||||||
|
## note(3wc): only "V5" (new) API is supported, so far
|
||||||
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi.yml"
|
||||||
|
#GANDI_ENABLED=1
|
||||||
|
#SECRET_GANDIV5_API_KEY_VERSION=v1
|
||||||
|
|
||||||
|
## DigitalOcean, https://digitalocean.com
|
||||||
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.digitalocean.yml"
|
||||||
|
#DIGITALOCEAN_ENABLED=1
|
||||||
|
#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1
|
||||||
|
|
||||||
|
#####################################################################
|
||||||
|
# Manual wildcard certificate insertion #
|
||||||
|
#####################################################################
|
||||||
|
|
||||||
|
# Set wildcards = 1, and uncomment compose_file to enable.
|
||||||
|
# Create your certs elsewhere and add them like:
|
||||||
|
# abra app secret insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)"
|
||||||
|
# abra app secret insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)"
|
||||||
|
#WILDCARDS_ENABLED=1
|
||||||
|
#SECRET_WILDCARD_CERT_VERSION=v1
|
||||||
|
#SECRET_WILDCARD_KEY_VERSION=v1
|
||||||
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.wildcard.yml"
|
||||||
|
|
||||||
|
#####################################################################
|
||||||
|
# Authentication #
|
||||||
|
#####################################################################
|
||||||
|
|
||||||
## Enable Keycloak
|
## Enable Keycloak
|
||||||
#COMPOSE_FILE="compose.yml:compose.keycloak.yml"
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
|
||||||
#KEYCLOAK_MIDDLEWARE_ENABLED=1
|
#KEYCLOAK_MIDDLEWARE_ENABLED=1
|
||||||
|
#KEYCLOAK_TFA_SERVICE=traefik-forward-auth_app
|
||||||
|
#KEYCLOAK_MIDDLEWARE_2_ENABLED=1
|
||||||
|
#KEYCLOAK_TFA_SERVICE_2=traefik-forward-auth_app
|
||||||
|
|
||||||
|
## BASIC_AUTH
|
||||||
|
## Use httpasswd to generate the secret
|
||||||
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml"
|
||||||
|
#BASIC_AUTH=1
|
||||||
|
#SECRET_USERSFILE_VERSION=v1
|
||||||
|
|
||||||
|
#####################################################################
|
||||||
|
# Prometheus metrics #
|
||||||
|
#####################################################################
|
||||||
|
|
||||||
|
## Enable prometheus metrics collection
|
||||||
|
## used used by the coop-cloud monitoring stack
|
||||||
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.metrics.yml"
|
||||||
|
#METRICS_ENABLED=1
|
||||||
|
|
||||||
|
#####################################################################
|
||||||
|
# File provider directory configuration #
|
||||||
|
# (Route bare metal and non-docker services on the machine!) #
|
||||||
|
#####################################################################
|
||||||
|
#FILE_PROVIDER_DIRECTORY_ENABLED=1
|
||||||
|
|
||||||
|
#####################################################################
|
||||||
|
# Additional services #
|
||||||
|
#####################################################################
|
||||||
|
|
||||||
## SMTP port 587
|
## SMTP port 587
|
||||||
#COMPOSE_FILE="compose.yml:compose.smtp.yml"
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
|
||||||
#SMTP_ENABLED=1
|
#SMTP_ENABLED=1
|
||||||
|
|
||||||
|
## Compy
|
||||||
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.compy.yml"
|
||||||
|
#COMPY_ENABLED=1
|
||||||
|
|
||||||
## Gitea SSH
|
## Gitea SSH
|
||||||
|
# COMPOSE_FILE="$COMPOSE_FILE:compose.gitea.yml"
|
||||||
# GITEA_SSH_ENABLED=1
|
# GITEA_SSH_ENABLED=1
|
||||||
|
|
||||||
## Foodsoft SMTP
|
## Foodsoft SMTP
|
||||||
|
# COMPOSE_FILE="$COMPOSE_FILE:compose.foodsoft.yml"
|
||||||
# FOODSOFT_SMTP_ENABLED=1
|
# FOODSOFT_SMTP_ENABLED=1
|
||||||
|
|
||||||
## Host-mode networking
|
## Peertube RTMP
|
||||||
#COMPOSE_FILE="compose.yml:compose.host.yml"
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.peertube.yml"
|
||||||
|
#PEERTUBE_RTMP_ENABLED=1
|
||||||
|
|
||||||
|
## Secure Scuttlebutt MUXRPC
|
||||||
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.ssb.yml"
|
||||||
|
#SSB_MUXRPC_ENABLED=1
|
||||||
|
|
||||||
|
## MSSQL
|
||||||
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.mssql.yml"
|
||||||
|
#MSSQL_ENABLED=1
|
||||||
|
|
||||||
|
## Mumble
|
||||||
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.mumble.yml"
|
||||||
|
#MUMBLE_ENABLED=1
|
||||||
|
|
||||||
|
## Matrix
|
||||||
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
|
||||||
|
#MATRIX_FEDERATION_ENABLED=1
|
||||||
|
|
||||||
|
## "Web alt", an alternative web port
|
||||||
|
# NOTE(3wc): as of 2024-04-01 only the `icecast` recipe uses this
|
||||||
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.web-alt.yml"
|
||||||
|
#WEB_ALT_ENABLED=1
|
||||||
|
|
29
README.md
29
README.md
|
@ -7,11 +7,11 @@
|
||||||
<!-- metadata -->
|
<!-- metadata -->
|
||||||
* **Category**: Utilities
|
* **Category**: Utilities
|
||||||
* **Status**: ?
|
* **Status**: ?
|
||||||
* **Image**: [`traefik`](https://hub.docker.com/_/traefik), ❶💚, upstream
|
* **Image**: [`traefik`](https://hub.docker.com/_/traefik), 4, upstream
|
||||||
* **Healthcheck**: Yes
|
* **Healthcheck**: Yes
|
||||||
* **Backups**: No
|
* **Backups**: No
|
||||||
* **Email**: N/A
|
* **Email**: N/A
|
||||||
* **Tests**: ❷💛
|
* **Tests**: 2
|
||||||
* **SSO**: ? (Keycloak)
|
* **SSO**: ? (Keycloak)
|
||||||
<!-- endmetadata -->
|
<!-- endmetadata -->
|
||||||
|
|
||||||
|
@ -19,8 +19,29 @@
|
||||||
|
|
||||||
1. Set up Docker Swarm and [`abra`]
|
1. Set up Docker Swarm and [`abra`]
|
||||||
2. `abra app new traefik`
|
2. `abra app new traefik`
|
||||||
3. `abra app YOURAPPDOMAIN config` - be sure to change `DOMAIN` to something that resolves to
|
3. `abra app config YOURAPPDOMAIN` - be sure to change `DOMAIN` to something that resolves to
|
||||||
your Docker swarm box
|
your Docker swarm box
|
||||||
4. `abra app YOURAPPDOMAIN deploy`
|
4. `abra app deploy YOURAPPDOMAIN`
|
||||||
|
|
||||||
|
## Configuring wildcard SSL using DNS
|
||||||
|
|
||||||
|
Automatic certificate generation will Just Work™ for most recipes which use a fixed
|
||||||
|
number of subdomains. For some recipes which need to work across arbitrary
|
||||||
|
subdomains, like
|
||||||
|
[`federatedwiki`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) and
|
||||||
|
[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/), you'll
|
||||||
|
need to give Traefik access to your DNS provider so that it can carry out
|
||||||
|
Letsencrypt DNS challenges.
|
||||||
|
|
||||||
|
1. Use Gandi or OVH for DNS 🤡 (support for other providers can be easily added,
|
||||||
|
see [the `lego` docs](https://go-acme.github.io/lego/dns/#dns-providers).
|
||||||
|
2. Run `abra app config YOURAPPDOMAIN`
|
||||||
|
3. Uncomment e.g. `ENABLE_GANDI` and the related `SECRET_.._VERSION` line, e.g.
|
||||||
|
`SECRET_GANDIV5_API_KEY_VERSION`
|
||||||
|
4. Generate an API key for your provider
|
||||||
|
5. Run `abra app secret insert YOURAPPDOMAIN SECRETNAME v1 SECRETVALUE`, where
|
||||||
|
`SECRETNAME` is from the compose file (e.g. `compose.gandi.yml`) e.g.
|
||||||
|
`gandiv5_api_key` and `SECRETVALUE` is the API key.
|
||||||
|
6. Redeploy Traefik, using e.g. `abra app deploy YOURAPPDOMAIN -f`
|
||||||
|
|
||||||
[`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
|
[`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
|
||||||
|
|
5
abra.sh
5
abra.sh
|
@ -1,2 +1,3 @@
|
||||||
export TRAEFIK_YML_VERSION=v5
|
export TRAEFIK_YML_VERSION=v20
|
||||||
export FILE_PROVIDER_YML_VERSION=v1
|
export FILE_PROVIDER_YML_VERSION=v10
|
||||||
|
export ENTRYPOINT_VERSION=v3
|
||||||
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
matrix-synapse:
|
||||||
|
uncomment:
|
||||||
|
- compose.matrix.yml
|
||||||
|
- MATRIX_FEDERATION_ENABLED
|
|
@ -0,0 +1,12 @@
|
||||||
|
version: "3.8"
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
environment:
|
||||||
|
- BASIC_AUTH
|
||||||
|
secrets:
|
||||||
|
- usersfile
|
||||||
|
|
||||||
|
secrets:
|
||||||
|
usersfile:
|
||||||
|
name: ${STACK_NAME}_usersfile_${SECRET_USERSFILE_VERSION}
|
||||||
|
external: true
|
|
@ -0,0 +1,7 @@
|
||||||
|
version: "3.8"
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
environment:
|
||||||
|
- COMPY_ENABLED
|
||||||
|
ports:
|
||||||
|
- "9999:9999"
|
|
@ -0,0 +1,15 @@
|
||||||
|
version: "3.8"
|
||||||
|
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
environment:
|
||||||
|
- DO_AUTH_TOKEN_FILE=/run/secrets/digitalocean_auth_token
|
||||||
|
- LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
|
||||||
|
- LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
|
||||||
|
secrets:
|
||||||
|
- digitalocean_auth_token
|
||||||
|
|
||||||
|
secrets:
|
||||||
|
digitalocean_auth_token:
|
||||||
|
name: ${STACK_NAME}_digitalocean_auth_token_${SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION}
|
||||||
|
external: true
|
|
@ -0,0 +1,7 @@
|
||||||
|
version: "3.8"
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
environment:
|
||||||
|
- FOODSOFT_SMTP_ENABLED
|
||||||
|
ports:
|
||||||
|
- "2525:2525"
|
|
@ -0,0 +1,15 @@
|
||||||
|
version: "3.8"
|
||||||
|
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
environment:
|
||||||
|
- GANDIV5_API_KEY_FILE=/run/secrets/gandiv5_api_key
|
||||||
|
- LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
|
||||||
|
- LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
|
||||||
|
secrets:
|
||||||
|
- gandiv5_api_key
|
||||||
|
|
||||||
|
secrets:
|
||||||
|
gandiv5_api_key:
|
||||||
|
name: ${STACK_NAME}_gandiv5_api_key_${SECRET_GANDIV5_API_KEY_VERSION}
|
||||||
|
external: true
|
|
@ -0,0 +1,7 @@
|
||||||
|
version: "3.8"
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
environment:
|
||||||
|
- GITEA_SSH_ENABLED
|
||||||
|
ports:
|
||||||
|
- "2222:2222"
|
|
@ -0,0 +1,14 @@
|
||||||
|
---
|
||||||
|
version: "3.8"
|
||||||
|
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
deploy:
|
||||||
|
update_config:
|
||||||
|
failure_action: rollback
|
||||||
|
order: start-first
|
||||||
|
labels:
|
||||||
|
- "traefik.enable=true"
|
||||||
|
- "traefik.http.services.traefik.loadbalancer.server.port=web"
|
||||||
|
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
|
||||||
|
- "traefik.http.routers.${STACK_NAME}.service=api@internal"
|
|
@ -13,6 +13,3 @@ services:
|
||||||
- target: 443
|
- target: 443
|
||||||
published: 443
|
published: 443
|
||||||
mode: host
|
mode: host
|
||||||
- target: 2222
|
|
||||||
published: 2222
|
|
||||||
mode: host
|
|
||||||
|
|
|
@ -5,6 +5,9 @@ services:
|
||||||
app:
|
app:
|
||||||
deploy:
|
deploy:
|
||||||
labels:
|
labels:
|
||||||
- "traefik.http.routers.traefik.middlewares=keycloak@file"
|
- "traefik.http.routers.${STACK_NAME}.middlewares=keycloak@file"
|
||||||
environment:
|
environment:
|
||||||
- KEYCLOAK_MIDDLEWARE_ENABLED
|
- KEYCLOAK_MIDDLEWARE_ENABLED
|
||||||
|
- KEYCLOAK_TFA_SERVICE
|
||||||
|
- KEYCLOAK_MIDDLEWARE_2_ENABLED
|
||||||
|
- KEYCLOAK_TFA_SERVICE_2
|
||||||
|
|
|
@ -0,0 +1,7 @@
|
||||||
|
version: "3.8"
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
environment:
|
||||||
|
- MATRIX_FEDERATION_ENABLED
|
||||||
|
ports:
|
||||||
|
- "8448:8448"
|
|
@ -0,0 +1,9 @@
|
||||||
|
version: "3.8"
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
environment:
|
||||||
|
- METRICS_ENABLED
|
||||||
|
ports:
|
||||||
|
- target: 8082
|
||||||
|
published: 8082
|
||||||
|
mode: host
|
|
@ -0,0 +1,9 @@
|
||||||
|
---
|
||||||
|
version: "3.8"
|
||||||
|
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
environment:
|
||||||
|
- MINIO_CONSOLE_ENABLED
|
||||||
|
ports:
|
||||||
|
- "9001:9001"
|
|
@ -0,0 +1,10 @@
|
||||||
|
version: "3.8"
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
environment:
|
||||||
|
- MSSQL_ENABLED
|
||||||
|
ports:
|
||||||
|
- target: 1433
|
||||||
|
published: 1433
|
||||||
|
protocol: tcp
|
||||||
|
mode: host
|
|
@ -0,0 +1,9 @@
|
||||||
|
version: "3.8"
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
environment:
|
||||||
|
- MUMBLE_ENABLED
|
||||||
|
ports:
|
||||||
|
- "64738:64738/udp"
|
||||||
|
# note (3wc): see https://github.com/docker/compose/issues/7627
|
||||||
|
- "64737-64739:64737-64739/tcp"
|
|
@ -0,0 +1,21 @@
|
||||||
|
version: "3.8"
|
||||||
|
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
environment:
|
||||||
|
- OVH_APPLICATION_KEY
|
||||||
|
- OVH_APPLICATION_SECRET_FILE=/run/secrets/ovh_app_secret
|
||||||
|
- OVH_CONSUMER_KEY_FILE=/run/secrets/ovh_consumer_key
|
||||||
|
- OVH_ENABLED
|
||||||
|
- OVH_ENDPOINT
|
||||||
|
secrets:
|
||||||
|
- ovh_app_secret
|
||||||
|
- ovh_consumer_key
|
||||||
|
|
||||||
|
secrets:
|
||||||
|
ovh_app_secret:
|
||||||
|
name: ${STACK_NAME}_ovh_app_secret_${SECRET_OVH_APP_SECRET_VERSION}
|
||||||
|
external: true
|
||||||
|
ovh_consumer_key:
|
||||||
|
name: ${STACK_NAME}_ovh_consumer_key_${SECRET_OVH_CONSUMER_KEY}
|
||||||
|
external: true
|
|
@ -0,0 +1,7 @@
|
||||||
|
version: "3.8"
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
environment:
|
||||||
|
- PEERTUBE_RTMP_ENABLED
|
||||||
|
ports:
|
||||||
|
- "1935:1935"
|
|
@ -3,5 +3,7 @@ version: "3.8"
|
||||||
|
|
||||||
services:
|
services:
|
||||||
app:
|
app:
|
||||||
|
environment:
|
||||||
|
- SMTP_ENABLED
|
||||||
ports:
|
ports:
|
||||||
- "587:587"
|
- "587:587"
|
||||||
|
|
|
@ -0,0 +1,7 @@
|
||||||
|
version: "3.8"
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
environment:
|
||||||
|
- SSB_MUXRPC_ENABLED
|
||||||
|
ports:
|
||||||
|
- "8008:8008"
|
|
@ -0,0 +1,7 @@
|
||||||
|
version: "3.8"
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
environment:
|
||||||
|
- WEB_ALT_ENABLED
|
||||||
|
ports:
|
||||||
|
- "8000:8000"
|
|
@ -0,0 +1,16 @@
|
||||||
|
---
|
||||||
|
version: "3.8"
|
||||||
|
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
secrets:
|
||||||
|
- ssl_cert
|
||||||
|
- ssl_key
|
||||||
|
|
||||||
|
secrets:
|
||||||
|
ssl_cert:
|
||||||
|
name: ${STACK_NAME}_ssl_cert_${SECRET_WILDCARD_CERT_VERSION}
|
||||||
|
external: true
|
||||||
|
ssl_key:
|
||||||
|
name: ${STACK_NAME}_ssl_key_${SECRET_WILDCARD_KEY_VERSION}
|
||||||
|
external: true
|
47
compose.yml
47
compose.yml
|
@ -1,58 +1,73 @@
|
||||||
|
---
|
||||||
version: "3.8"
|
version: "3.8"
|
||||||
|
|
||||||
services:
|
services:
|
||||||
app:
|
app:
|
||||||
image: "traefik:v2.4.8"
|
image: "traefik:v2.11.2"
|
||||||
|
# Note(decentral1se): *please do not* add any additional ports here.
|
||||||
|
# Doing so could break new installs with port conflicts. Please use
|
||||||
|
# the usual `compose.$app.yml` approach for any additional ports
|
||||||
ports:
|
ports:
|
||||||
- "80:80"
|
- "80:80"
|
||||||
- "443:443"
|
- "443:443"
|
||||||
- "2222:2222"
|
|
||||||
- "2525:2525"
|
|
||||||
volumes:
|
volumes:
|
||||||
- "/var/run/docker.sock:/var/run/docker.sock"
|
- "/var/run/docker.sock:/var/run/docker.sock"
|
||||||
- "letsencrypt:/etc/letsencrypt"
|
- "letsencrypt:/etc/letsencrypt"
|
||||||
|
- "file-providers:/etc/traefik/file-providers"
|
||||||
configs:
|
configs:
|
||||||
- source: traefik_yml
|
- source: traefik_yml
|
||||||
target: /etc/traefik/traefik.yml
|
target: /etc/traefik/traefik.yml
|
||||||
- source: file_provider_yml
|
- source: file_provider_yml
|
||||||
target: /etc/traefik/file-provider.yml
|
target: /etc/traefik/file-provider.yml
|
||||||
|
- source: entrypoint
|
||||||
|
target: /custom-entrypoint.sh
|
||||||
|
mode: 0555
|
||||||
networks:
|
networks:
|
||||||
- proxy
|
- proxy
|
||||||
environment:
|
environment:
|
||||||
- DASHBOARD_ENABLED
|
- DASHBOARD_ENABLED
|
||||||
- FOODSOFT_SMTP_ENABLED
|
|
||||||
- GITEA_SSH_ENABLED
|
|
||||||
- LOG_LEVEL
|
- LOG_LEVEL
|
||||||
- SMTP_ENABLED
|
|
||||||
healthcheck:
|
healthcheck:
|
||||||
test: ["CMD", "traefik", "healthcheck"]
|
test: ["CMD", "traefik", "healthcheck"]
|
||||||
interval: 30s
|
interval: 30s
|
||||||
timeout: 10s
|
timeout: 10s
|
||||||
retries: 10
|
retries: 10
|
||||||
start_period: 1m
|
start_period: 1m
|
||||||
|
command: traefik
|
||||||
|
entrypoint: /custom-entrypoint.sh
|
||||||
deploy:
|
deploy:
|
||||||
update_config:
|
update_config:
|
||||||
failure_action: rollback
|
failure_action: rollback
|
||||||
order: start-first
|
order: start-first
|
||||||
labels:
|
labels:
|
||||||
- "traefik.enable=true"
|
- "traefik.enable=true"
|
||||||
- "traefik.http.services.traefik.loadbalancer.server.port=web"
|
- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=web"
|
||||||
- "traefik.http.routers.traefik.rule=Host(`${DOMAIN}`)"
|
- "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
|
||||||
- "traefik.http.routers.traefik.entrypoints=web-secure"
|
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
|
||||||
- "traefik.http.routers.traefik.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
||||||
- "traefik.http.routers.traefik.tls.options=default@file"
|
- "traefik.http.routers.${STACK_NAME}.service=api@internal"
|
||||||
- "traefik.http.routers.traefik.service=api@internal"
|
- "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
|
||||||
- "traefik.http.routers.traefik.middlewares=security@file"
|
- "coop-cloud.${STACK_NAME}.version=2.6.3+v2.11.2"
|
||||||
- coop-cloud.${STACK_NAME}.app.version=v2.4.8-d7d63b0d
|
- "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
proxy:
|
proxy:
|
||||||
external: true
|
external: true
|
||||||
|
|
||||||
configs:
|
configs:
|
||||||
traefik_yml:
|
traefik_yml:
|
||||||
name: ${STACK_NAME}_traefik_yml_${TRAEFIK_YML_VERSION}
|
name: ${STACK_NAME}_traefik_yml_${TRAEFIK_YML_VERSION}
|
||||||
file: traefik.yml
|
file: traefik.yml.tmpl
|
||||||
template_driver: golang
|
template_driver: golang
|
||||||
file_provider_yml:
|
file_provider_yml:
|
||||||
name: ${STACK_NAME}_file_provider_yml_${FILE_PROVIDER_YML_VERSION}
|
name: ${STACK_NAME}_file_provider_yml_${FILE_PROVIDER_YML_VERSION}
|
||||||
file: file-provider.yml
|
file: file-provider.yml.tmpl
|
||||||
|
template_driver: golang
|
||||||
|
entrypoint:
|
||||||
|
name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
|
||||||
|
file: entrypoint.sh.tmpl
|
||||||
|
template_driver: golang
|
||||||
|
|
||||||
volumes:
|
volumes:
|
||||||
letsencrypt:
|
letsencrypt:
|
||||||
|
file-providers:
|
||||||
|
|
|
@ -0,0 +1,18 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
set -e
|
||||||
|
|
||||||
|
{{ if eq (env "OVH_ENABLED") "1" }}
|
||||||
|
export OVH_CONSUMER_KEY=$(cat "$OVH_CONSUMER_KEY_FILE")
|
||||||
|
export OVH_APPLICATION_SECRET=$(cat "$OVH_APPLICATION_SECRET_FILE")
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ if eq (env "GANDI_ENABLED") "1" }}
|
||||||
|
export GANDIV5_API_KEY=$(cat "$GANDIV5_API_KEY_FILE")
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ if eq (env "DIGITALOCEAN_ENABLED") "1" }}
|
||||||
|
export DO_AUTH_TOKEN=$(cat "$DO_AUTH_TOKEN_FILE")
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
/entrypoint.sh "$@"
|
|
@ -4,15 +4,27 @@ http:
|
||||||
{{ if eq (env "KEYCLOAK_MIDDLEWARE_ENABLED") "1" }}
|
{{ if eq (env "KEYCLOAK_MIDDLEWARE_ENABLED") "1" }}
|
||||||
keycloak:
|
keycloak:
|
||||||
forwardAuth:
|
forwardAuth:
|
||||||
address: "http://traefik-forward-auth:4181"
|
address: "http://{{ env "KEYCLOAK_TFA_SERVICE" }}:4181"
|
||||||
trustForwardHeader: true
|
trustForwardHeader: true
|
||||||
authResponseHeaders:
|
authResponseHeaders:
|
||||||
- X-Forwarded-User
|
- X-Forwarded-User
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
{{ if eq (env "KEYCLOAK_MIDDLEWARE_2_ENABLED") "1" }}
|
||||||
|
keycloak2:
|
||||||
|
forwardAuth:
|
||||||
|
address: "http://{{ env "KEYCLOAK_TFA_SERVICE_2" }}:4181"
|
||||||
|
trustForwardHeader: true
|
||||||
|
authResponseHeaders:
|
||||||
|
- X-Forwarded-User
|
||||||
|
{{ end }}
|
||||||
|
{{ if eq (env "BASIC_AUTH") "1" }}
|
||||||
|
basicauth:
|
||||||
|
basicAuth:
|
||||||
|
usersFile: "/run/secrets/usersfile"
|
||||||
|
{{ end }}
|
||||||
security:
|
security:
|
||||||
headers:
|
headers:
|
||||||
frameDeny: true
|
frameDeny: true
|
||||||
sslRedirect: true
|
|
||||||
browserXssFilter: true
|
browserXssFilter: true
|
||||||
contentTypeNosniff: true
|
contentTypeNosniff: true
|
||||||
stsIncludeSubdomains: true
|
stsIncludeSubdomains: true
|
||||||
|
@ -32,3 +44,8 @@ tls:
|
||||||
- CurveP521
|
- CurveP521
|
||||||
- CurveP384
|
- CurveP384
|
||||||
sniStrict: true
|
sniStrict: true
|
||||||
|
{{ if eq (env "WILDCARDS_ENABLED") "1" }}
|
||||||
|
certificates:
|
||||||
|
- certFile: /run/secrets/ssl_cert
|
||||||
|
keyFile: /run/secrets/ssl_key
|
||||||
|
{{ end }}
|
|
@ -1,6 +0,0 @@
|
||||||
{
|
|
||||||
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
|
|
||||||
"extends": [
|
|
||||||
"config:base"
|
|
||||||
]
|
|
||||||
}
|
|
56
traefik.yml
56
traefik.yml
|
@ -1,56 +0,0 @@
|
||||||
---
|
|
||||||
log:
|
|
||||||
level: {{ env "LOG_LEVEL" }}
|
|
||||||
|
|
||||||
providers:
|
|
||||||
docker:
|
|
||||||
endpoint: "unix:///var/run/docker.sock"
|
|
||||||
exposedByDefault: false
|
|
||||||
network: proxy
|
|
||||||
swarmMode: true
|
|
||||||
file:
|
|
||||||
filename: /etc/traefik/file-provider.yml
|
|
||||||
|
|
||||||
api:
|
|
||||||
dashboard: {{ env "DASHBOARD_ENABLED" }}
|
|
||||||
debug: false
|
|
||||||
|
|
||||||
entrypoints:
|
|
||||||
web:
|
|
||||||
address: ":80"
|
|
||||||
http:
|
|
||||||
redirections:
|
|
||||||
entryPoint:
|
|
||||||
to: web-secure
|
|
||||||
web-secure:
|
|
||||||
address: ":443"
|
|
||||||
{{ if eq (env "GITEA_SSH_ENABLED") "1" }}
|
|
||||||
gitea-ssh:
|
|
||||||
address: ":2222"
|
|
||||||
{{ end }}
|
|
||||||
{{ if eq (env "FOODSOFT_SMTP_ENABLED") "1" }}
|
|
||||||
foodsoft-smtp:
|
|
||||||
address: ":2525"
|
|
||||||
{{ end }}
|
|
||||||
{{ if eq (env "SMTP_ENABLED") "1" }}
|
|
||||||
smtp-submission:
|
|
||||||
address: ":587"
|
|
||||||
{{ end }}
|
|
||||||
|
|
||||||
ping:
|
|
||||||
entryPoint: web
|
|
||||||
|
|
||||||
certificatesResolvers:
|
|
||||||
staging:
|
|
||||||
acme:
|
|
||||||
email: {{ env "LETS_ENCRYPT_EMAIL" }}
|
|
||||||
storage: /etc/letsencrypt/staging-acme.json
|
|
||||||
caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
|
|
||||||
httpChallenge:
|
|
||||||
entryPoint: web
|
|
||||||
production:
|
|
||||||
acme:
|
|
||||||
email: {{ env "LETS_ENCRYPT_EMAIL" }}
|
|
||||||
storage: /etc/letsencrypt/production-acme.json
|
|
||||||
httpChallenge:
|
|
||||||
entryPoint: web
|
|
|
@ -0,0 +1,121 @@
|
||||||
|
---
|
||||||
|
log:
|
||||||
|
level: {{ env "LOG_LEVEL" }}
|
||||||
|
|
||||||
|
providers:
|
||||||
|
docker:
|
||||||
|
endpoint: "unix:///var/run/docker.sock"
|
||||||
|
exposedByDefault: false
|
||||||
|
network: proxy
|
||||||
|
swarmMode: true
|
||||||
|
{{ if eq (env "FILE_PROVIDER_DIRECTORY_ENABLED") "1" }}
|
||||||
|
file:
|
||||||
|
directory: /etc/traefik/file-providers
|
||||||
|
watch: true
|
||||||
|
{{ else }}
|
||||||
|
file:
|
||||||
|
filename: /etc/traefik/file-provider.yml
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
api:
|
||||||
|
dashboard: {{ env "DASHBOARD_ENABLED" }}
|
||||||
|
debug: false
|
||||||
|
|
||||||
|
entrypoints:
|
||||||
|
web:
|
||||||
|
address: ":80"
|
||||||
|
http:
|
||||||
|
redirections:
|
||||||
|
entryPoint:
|
||||||
|
to: web-secure
|
||||||
|
web-secure:
|
||||||
|
address: ":443"
|
||||||
|
{{ if eq (env "GITEA_SSH_ENABLED") "1" }}
|
||||||
|
gitea-ssh:
|
||||||
|
address: ":2222"
|
||||||
|
{{ end }}
|
||||||
|
{{ if eq (env "FOODSOFT_SMTP_ENABLED") "1" }}
|
||||||
|
foodsoft-smtp:
|
||||||
|
address: ":2525"
|
||||||
|
{{ end }}
|
||||||
|
{{ if eq (env "SMTP_ENABLED") "1" }}
|
||||||
|
smtp-submission:
|
||||||
|
address: ":587"
|
||||||
|
{{ end }}
|
||||||
|
{{ if eq (env "PEERTUBE_RTMP_ENABLED") "1" }}
|
||||||
|
peertube-rtmp:
|
||||||
|
address: ":1935"
|
||||||
|
{{ end }}
|
||||||
|
{{ if eq (env "WEB_ALT_ENABLED") "1" }}
|
||||||
|
web-alt:
|
||||||
|
address: ":8000"
|
||||||
|
{{ end }}
|
||||||
|
{{ if eq (env "SSB_MUXRPC_ENABLED") "1" }}
|
||||||
|
ssb-muxrpc:
|
||||||
|
address: ":8008"
|
||||||
|
{{ end }}
|
||||||
|
{{ if eq (env "MSSQL_ENABLED") "1" }}
|
||||||
|
mssql:
|
||||||
|
address: ":1433"
|
||||||
|
{{ end }}
|
||||||
|
{{ if eq (env "MUMBLE_ENABLED") "1" }}
|
||||||
|
mumble:
|
||||||
|
address: ":64738"
|
||||||
|
mumble-udp:
|
||||||
|
address: ":64738/udp"
|
||||||
|
{{ end }}
|
||||||
|
{{ if eq (env "COMPY_ENABLED") "1" }}
|
||||||
|
compy:
|
||||||
|
address: ":9999"
|
||||||
|
{{ end }}
|
||||||
|
{{ if eq (env "METRICS_ENABLED") "1" }}
|
||||||
|
metrics:
|
||||||
|
address: ":8082"
|
||||||
|
http:
|
||||||
|
middlewares:
|
||||||
|
- basicauth@file
|
||||||
|
{{ end }}
|
||||||
|
{{ if eq (env "MATRIX_FEDERATION_ENABLED") "1" }}
|
||||||
|
matrix-federation:
|
||||||
|
address: ":9001"
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
ping:
|
||||||
|
entryPoint: web
|
||||||
|
|
||||||
|
{{ if eq (env "METRICS_ENABLED") "1" }}
|
||||||
|
metrics:
|
||||||
|
prometheus:
|
||||||
|
entryPoint: metrics
|
||||||
|
addRoutersLabels: true
|
||||||
|
addServicesLabels: true
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
certificatesResolvers:
|
||||||
|
staging:
|
||||||
|
acme:
|
||||||
|
email: {{ env "LETS_ENCRYPT_EMAIL" }}
|
||||||
|
storage: /etc/letsencrypt/staging-acme.json
|
||||||
|
caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
|
||||||
|
httpChallenge:
|
||||||
|
entryPoint: web
|
||||||
|
{{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
|
||||||
|
dnsChallenge:
|
||||||
|
provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
|
||||||
|
resolvers:
|
||||||
|
- "1.1.1.1:53"
|
||||||
|
- "8.8.8.8:53"
|
||||||
|
{{ end }}
|
||||||
|
production:
|
||||||
|
acme:
|
||||||
|
email: {{ env "LETS_ENCRYPT_EMAIL" }}
|
||||||
|
storage: /etc/letsencrypt/production-acme.json
|
||||||
|
httpChallenge:
|
||||||
|
entryPoint: web
|
||||||
|
{{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
|
||||||
|
dnsChallenge:
|
||||||
|
provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
|
||||||
|
resolvers:
|
||||||
|
- "1.1.1.1:53"
|
||||||
|
- "9.9.9.9:53"
|
||||||
|
{{ end }}
|
Loading…
Reference in New Issue