Add traefik

2023-02-05 16:32:56 +08:00 · 2023-02-05 16:32:56 +08:00 · ac67029cea
commit ac67029cea
parent 77fcf82e9e
6 changed files with 151 additions and 2 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,36 @@
+# Created by https://www.toptal.com/developers/gitignore/api/macos
+# Edit at https://www.toptal.com/developers/gitignore?templates=macos
+
+### macOS ###
+# General
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### macOS Patch ###
+# iCloud generated files
+*.icloud
+
+# End of https://www.toptal.com/developers/gitignore/api/macos
--- a/README.md
+++ b/README.md
@ -1,3 +1,4 @@
-# docker-compose-collection
+# Docker-compose-collection
+
+Each folder store my used service configuration

-docker-compose.yaml collection
--- a/traefik/docker-compose.yaml
+++ b/traefik/docker-compose.yaml
@ -0,0 +1,28 @@
+# Please replace xxx with your configuraiton
+
+version: "3"
+services:
+  traefik:
+    image: traefik:latest
+    container_name: traefik
+    network_mode: host
+    restart: unless-stopped
+    environment:
+      - CLOUDFLARE_EMAIL=xxx@xxx
+      - CLOUDFLARE_DNS_API_TOKEN=xxx
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./certs:/letsencrypt
+      - ./dashboard_authfile:/dashboard_authfile:ro
+      - ./dynamic.yml:/dynamic.yml
+      - ./traefik.yml:/traefik.yml:ro
+    labels:
+      - "traefik.enable=true"
+      - 'traefik.http.routers.traefik.rule=Host(`xxx.domain`)'
+      - "traefik.http.routers.traefik.entrypoints=websecure"
+      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.traefik.service=api@internal"
+      - 'traefik.http.routers.traefik.middlewares=strip,basic-auth-global'
+      - 'traefik.http.middlewares.strip.stripprefix.prefixes=/traefik'
+      - "traefik.http.services.traefik.loadbalancer.server.port=443"
+      - "traefik.http.middlewares.basic-auth-global.basicauth.usersfile=/dashboard_authfile"
--- a/traefik/dynamic.yml
+++ b/traefik/dynamic.yml
@ -0,0 +1,14 @@
+http:
+  routers:
+    nextcloud:
+      rule: Host(`subservice.xxx.domain`)
+      service: subservice
+      entryPoints: ["websecure"]
+      tls:
+        certResolver: letsencrypt
+
+  services:
+    subservice:
+      loadBalancer:
+        servers:
+          - url: http://192.168.xxx.xxx
--- a/traefik/readme.md
+++ b/traefik/readme.md
@ -0,0 +1,22 @@
+# Traefik configutaion
+
+I personally use this Traefik stack to serve my self-hosted service
+
+* Split the static configuration and dynamic configuration
+  * Enable experimental https3
+  * File provider options in dynamic.yml (Used to customize Non-docker service)
+* Enable the Wildcard Lets encrypt with Cloudflare API
+  * DNS challenge with no port open need
+  * Widcard options in traefik.yml
+* Enable and encrypt the traefik dashboard with authfile
+
+I disabled the auto proxy to newly added docker container in traefik. Just add the label in each container. 
+
+```yaml
+labels:
+            - "traefik.enable=true"
+            - "traefik.http.routers.subservice.rule=Host(`subservice.xxx.domain`)"
+            - "traefik.http.routers.subservice.entrypoints=websecure"
+            - "traefik.http.routers.subservice.tls.certresolver=letsencrypt"
+```
+
--- a/traefik/traefik.yml
+++ b/traefik/traefik.yml
@ -0,0 +1,48 @@
+## STATIC CONFIGURATION
+log:
+  level: INFO
+
+api:
+  insecure: false
+  dashboard: true
+
+experimental:
+  http3: true
+
+entryPoints:
+  web:
+    address: ":80"                            # Create the HTTP entrypoint on port 80
+    http:
+      redirections:                           # HTTPS redirection (80 to 443)
+        entryPoint:
+          to: "websecure"                         # The target element
+          scheme: "https"
+                     # The redirection target scheme
+  websecure:
+    address: ":443"
+    http:
+      tls:
+        certResolver: letsencrypt
+        domains:
+          - main: '*.xxx.domain'
+            sans:
+              - xxx.domain
+    http3: {}
+
+global:
+  checknewversion: false                       # Periodically check if a new version has been released.
+  sendanonymoususage: false                    # Periodically send anonymous usage statistics.
+
+providers:
+  docker:
+    exposedByDefault: false
+  file:
+    filename: "/dynamic.yml"
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: xxx@xxx
+      storage: /letsencrypt/acme.json
+      dnsChallenge:
+        provider: cloudflare