adds traefik

traefik/docker-compose.yaml

@@ -0,0 +1,30 @@
+services:
+  traefik:
+    image: traefik:latest
+    container_name: traefik
+    restart: always
+    ports:
+      - "443:443"
+      - "8082:8082"
+      - "2222:2222"
+    networks:
+      - traefik
+    environment:
+      - VARIOMEDIA_API_TOKEN=${VARIOMEDIA_API_TOKEN}  # Variomedia API key
+      - TRAEFIK_METRICS_PROMETHEUS=true
+      - TRAEFIK_METRICS_PROMETHEUS_ENTRYPOINT=metrics
+      - TRAEFIK_METRICS_PROMETHEUS_ADDENTRYPOINTSLABELS=true
+      - TRAEFIK_METRICS_PROMETHEUS_ADDSERVICESLABELS=true
+      - TRAEFIK_METRICS_PROMETHEUS_MANUALROUTING=true
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./traefik.yml:/etc/traefik/traefik.yml:ro
+      - ./acme.json:/letsencrypt/acme.json
+      - ./log:/var/log/traefik
+    dns:
+      - "10.20.1.1"
+      - "10.20.0.1"
+      - "1.1.1.1"  # Cloudflare DNS
+networks:
+  traefik:
+    external: true

traefik/traefik.toml

@@ -0,0 +1,140 @@
+[global]
+  checkNewVersion = true
+  sendAnonymousUsage = false
+
+[entryPoints]
+  [entryPoints.web]
+    address = ":80"
+  [entryPoints.websecure]
+    address = ":443"
+  [entryPoints.metrics]
+    address = ":8082"  # Dedicated port for Prometheus metrics
+  [entryPoints.ssh]
+    address = ":2222"
+    [entryPoints.ssh.transport]
+      [entryPoints.ssh.transport.lifeCycle]
+        graceTimeOut = "30s"
+      [entryPoints.ssh.transport.respondingTimeouts]
+        idleTimeout = "3m"
+        readTimeout = "1m"
+
+
+[api]
+  dashboard = true
+
+[metrics.prometheus]
+  entryPoint = "metrics"
+  addEntryPointsLabels = true
+  addServicesLabels = true
+  manualRouting = true
+
+[log]
+  level = "INFO"
+  filePath = "/var/log/traefik/traefik.log"
+
+[accessLog]
+  filePath = "/var/log/traefik/access.log"
+
+[providers.docker]
+  endpoint = "unix:///var/run/docker.sock"
+  exposedByDefault = false
+
+[certificatesResolvers.variomedia.acme]
+  email = "tim@unkrig.dev"
+  storage = "/letsencrypt/acme.json"
+  caServer = "https://acme-v02.api.letsencrypt.org/directory"
+  [certificatesResolvers.variomedia.acme.dnsChallenge]
+    provider = "variomedia"
+    delayBeforeCheck = 0
+
+[providers]
+  [providers.file]
+    filename = "/etc/traefik/traefik.toml"
+    watch = true
+
+[http.routers]
+  [http.routers.traefik]
+    rule = "Host(`traefik.unkrig.dev`)"
+    entryPoints = ["websecure"]
+    service = "api@internal"
+    tls.certresolver = "variomedia"
+
+  [http.routers.cloud_unkrig_dev]
+    rule = "Host(`cloud.unkrig.dev`)"
+    entryPoints = ["websecure"]
+    service = "cloud_unkrig_dev"
+    tls.certresolver = "variomedia"
+    middlewares = ["nextcloud-headers"]
+
+  [http.routers.git_unkrig_dev]
+    rule = "Host(`git.unkrig.dev`)"
+    entryPoints = ["websecure"]
+    service = "git_unkrig_dev"
+    tls.certresolver = "variomedia"
+
+  [http.routers.ha_unkrig_dev]
+    rule = "Host(`homeassistant.unkrig.dev`)"
+    entryPoints = ["websecure"]
+    service = "ha_unkrig_dev"
+    tls.certresolver = "variomedia"
+
+  [http.routers.auth_unkrig_dev]
+    rule = "Host(`auth.unkrig.dev`)"
+    entryPoints = ["websecure"]
+    service = "auth_unkrig_dev"
+    tls.certresolver = "variomedia"
+    middlewares = ["auth-headers"]
+
+  [http.routers.photos_unkrig_dev]
+    rule = "Host(`photos.unkrig.dev`)"
+    entryPoints = ["websecure"]
+    service = "photos_unkrig_dev"
+    tls.certresolver = "variomedia"
+
+[http.services]
+  [http.services.cloud_unkrig_dev.loadBalancer]
+    [[http.services.cloud_unkrig_dev.loadBalancer.servers]]
+      url = "http://10.20.1.8:11000"
+
+  [http.services.git_unkrig_dev.loadBalancer]
+    [[http.services.git_unkrig_dev.loadBalancer.servers]]
+      url = "http://10.20.1.6:2345"
+
+  [http.services.ha_unkrig_dev.loadBalancer]
+    [[http.services.ha_unkrig_dev.loadBalancer.servers]]
+      url = "http://10.20.1.20:8123"
+
+  [http.services.auth_unkrig_dev.loadBalancer]
+    [[http.services.rss_unkrig_dev.loadBalancer.servers]]
+      url = "http://10.20.1.1:9000"
+
+  [http.services.rss_unkrig_dev.loadBalancer]
+    [[http.services.rss_unkrig_dev.loadBalancer.servers]]
+      url = "http://10.20.1.5:2283"
+
+[http.middlewares]
+  [http.middlewares.nextcloud-headers.headers]
+#    stsSeconds = 15552000
+#    stsIncludeSubdomains = true
+#    stsPreload = true
+#    customFrameOptionsValue = "SAMEORIGIN"
+#    contentTypeNosniff = true
+#    browserXssFilter = true
+#    referrerPolicy = "no-referrer"
+     hostsProxyHeaders = [ "X-Forwarded-Host" ]
+     referrerPolicy = "same-origin"
+
+  [http.middlewares.auth-headers.headers]
+     hostsProxyHeaders = [ "X-Forwarded-Host" ]
+     referrerPolicy = "same-origin"
+
+[tcp.routers]
+  [tcp.routers.git_ssh]
+    entryPoints = ["ssh"]
+    service = "git_ssh_service"
+    rule = "HostSNI(`*`)"
+
+[tcp.services]
+  [tcp.services.git_ssh_service.loadBalancer]
+    [[tcp.services.git_ssh_service.loadBalancer.servers]]
+      address = "10.20.1.6:2346"

traefik/traefik.yml

@@ -0,0 +1,167 @@
+global:
+  checkNewVersion: true
+  sendAnonymousUsage: false
+entryPoints:
+  web:
+    address: :80
+  websecure:
+    address: :443
+    transport:
+      respondingTimeouts:
+        readTimeout: 600s
+        idleTimeout: 600s
+        writeTimeout: 600s
+  metrics:
+    address: :8082
+  ssh:
+    address: :2222
+    transport:
+      lifeCycle:
+        graceTimeOut: 30s
+      respondingTimeouts:
+        idleTimeout: 3m
+        readTimeout: 1m
+api:
+  dashboard: true
+metrics:
+  prometheus:
+    entryPoint: metrics
+    addEntryPointsLabels: true
+    addServicesLabels: true
+    manualRouting: true
+log:
+  level: INFO
+  filePath: /var/log/traefik/traefik.log
+accessLog:
+  filePath: /var/log/traefik/access.log
+providers:
+  docker:
+    endpoint: unix:///var/run/docker.sock
+    exposedByDefault: false
+  file:
+    filename: /etc/traefik/traefik.yml
+    watch: true
+certificatesResolvers:
+  variomedia:
+    acme:
+      email: tim@unkrig.dev
+      storage: /letsencrypt/acme.json
+      caServer: https://acme-v02.api.letsencrypt.org/directory
+      dnsChallenge:
+        provider: variomedia
+        delayBeforeCheck: 0
+
+http:
+  routers:
+    traefik:
+      rule: Host(`traefik.unkrig.dev`)
+      entryPoints:
+        - websecure
+      service: api@internal
+      tls:
+        certresolver: variomedia
+    cloud_unkrig_dev:
+      rule: Host(`cloud.unkrig.dev`)
+      entryPoints:
+        - websecure
+      service: cloud_unkrig_dev
+      tls:
+        certresolver: variomedia
+      middlewares:
+        - nextcloud-headers
+    ha_unkrig_dev:
+      rule: Host(`homeassistant.unkrig.dev`)
+      entryPoints:
+        - websecure
+      service: ha_unkrig_dev
+      tls:
+        certresolver: variomedia
+    rss_unkrig_dev:
+      rule: Host(`rss.unkrig.dev`)
+      entryPoints:
+        - websecure
+      service: rss_unkrig_dev
+      tls:
+        certresolver: variomedia
+    auth_unkrig_dev:
+      rule: Host(`auth.unkrig.dev`)
+      entryPoints:
+        - websecure
+      service: auth_unkrig_dev
+      tls:
+        certresolver: variomedia
+      middlewares:
+        - auth-headers
+    photos_unkrig_dev:
+      rule: Host(`photos.unkrig.dev`)
+      entryPoints:
+        - websecure
+      service: photos_unkrig_dev
+      tls:
+        certresolver: variomedia
+      middlewares:
+        - immich-headers
+
+  services:
+    cloud_unkrig_dev:
+      loadBalancer:
+        servers:
+          - url: http://10.20.1.8:11000
+    ha_unkrig_dev:
+      loadBalancer:
+        servers:
+          - url: http://10.20.1.20:8123
+    rss_unkrig_dev:
+      loadBalancer:
+        servers:
+          - url: http://10.20.1.1:80
+    auth_unkrig_dev:
+      loadBalancer:
+        servers:
+          - url: http://10.20.1.2:9000
+    photos_unkrig_dev:
+      loadBalancer:
+        servers:
+          - url: http://10.20.1.2:2283
+  middlewares:
+    nextcloud-headers:
+      headers:
+        hostsProxyHeaders:
+          - X-Forwarded-Host
+        referrerPolicy: same-origin
+    auth-headers:
+      headers:
+        hostsProxyHeaders:
+          - X-Forwarded-Host
+        referrerPolicy: same-origin
+    immich-headers:
+      headers:
+#        hostsProxyHeaders:
+#          - X-Forwarded-Host
+#        referrerPolicy: same-origin
+        hostsProxyHeaders:
+          - "X-Forwarded-Host"
+        customRequestHeaders:
+          X-Forwarded-Proto: "https"
+        referrerPolicy: "same-origin"
+        stsSeconds: 63072000
+        stsIncludeSubdomains: true
+        stsPreload: true
+        forceSTSHeader: true
+
+tcp:
+  serversTransports:
+    git_ssh_transport:
+      terminationDelay: 300
+  routers:
+    git_ssh:
+      entryPoints:
+        - ssh
+      service: git_ssh_service
+      rule: HostSNI(`*`)
+  services:
+    git_ssh_service:
+      loadBalancer:
+        servers:
+          - address: 10.20.1.1:2346
+        serversTransport: git_ssh_transport

traefik/traefik.yml.bak

@@ -0,0 +1,178 @@
+global:
+  checkNewVersion: true
+  sendAnonymousUsage: false
+entryPoints:
+  web:
+    address: :80
+  websecure:
+    address: :443
+    transport:
+      respondingTimeouts:
+        readTimeout: 600s
+        idleTimeout: 600s
+        writeTimeout: 600s
+  metrics:
+    address: :8082
+  ssh:
+    address: :2222
+    transport:
+      lifeCycle:
+        graceTimeOut: 30s
+      respondingTimeouts:
+        idleTimeout: 3m
+        readTimeout: 1m
+api:
+  dashboard: true
+metrics:
+  prometheus:
+    entryPoint: metrics
+    addEntryPointsLabels: true
+    addServicesLabels: true
+    manualRouting: true
+log:
+  level: INFO
+  filePath: /var/log/traefik/traefik.log
+accessLog:
+  filePath: /var/log/traefik/access.log
+providers:
+  docker:
+    endpoint: unix:///var/run/docker.sock
+    exposedByDefault: false
+  file:
+    filename: /etc/traefik/traefik.yml
+    watch: true
+certificatesResolvers:
+  variomedia:
+    acme:
+      email: tim@unkrig.dev
+      storage: /letsencrypt/acme.json
+      caServer: https://acme-v02.api.letsencrypt.org/directory
+      dnsChallenge:
+        provider: variomedia
+        delayBeforeCheck: 0
+
+http:
+  routers:
+    traefik:
+      rule: Host(`traefik.unkrig.dev`)
+      entryPoints:
+        - websecure
+      service: api@internal
+      tls:
+        certresolver: variomedia
+    cloud_unkrig_dev:
+      rule: Host(`cloud.unkrig.dev`)
+      entryPoints:
+        - websecure
+      service: cloud_unkrig_dev
+      tls:
+        certresolver: variomedia
+      middlewares:
+        - nextcloud-headers
+    git_unkrig_dev:
+      rule: Host(`git.unkrig.dev`)
+      entryPoints:
+        - websecure
+      service: git_unkrig_dev
+      tls:
+        certresolver: variomedia
+    ha_unkrig_dev:
+      rule: Host(`homeassistant.unkrig.dev`)
+      entryPoints:
+        - websecure
+      service: ha_unkrig_dev
+      tls:
+        certresolver: variomedia
+    rss_unkrig_dev:
+      rule: Host(`rss.unkrig.dev`)
+      entryPoints:
+        - websecure
+      service: rss_unkrig_dev
+      tls:
+        certresolver: variomedia
+    auth_unkrig_dev:
+      rule: Host(`auth.unkrig.dev`)
+      entryPoints:
+        - websecure
+      service: auth_unkrig_dev
+      tls:
+        certresolver: variomedia
+      middlewares:
+        - auth-headers
+    photos_unkrig_dev:
+      rule: Host(`photos.unkrig.dev`)
+      entryPoints:
+        - websecure
+      service: photos_unkrig_dev
+      tls:
+        certresolver: variomedia
+      middlewares:
+        - immich-headers
+
+  services:
+    cloud_unkrig_dev:
+      loadBalancer:
+        servers:
+          - url: http://10.20.1.8:11000
+    git_unkrig_dev:
+      loadBalancer:
+        servers:
+          - url: http://10.20.1.6:2345
+    ha_unkrig_dev:
+      loadBalancer:
+        servers:
+          - url: http://10.20.1.20:8123
+    rss_unkrig_dev:
+      loadBalancer:
+        servers:
+          - url: http://10.20.1.1:80
+    auth_unkrig_dev:
+      loadBalancer:
+        servers:
+          - url: http://10.20.1.1:9000
+    photos_unkrig_dev:
+      loadBalancer:
+        servers:
+          - url: http://10.20.1.5:2283
+  middlewares:
+    nextcloud-headers:
+      headers:
+        hostsProxyHeaders:
+          - X-Forwarded-Host
+        referrerPolicy: same-origin
+    auth-headers:
+      headers:
+        hostsProxyHeaders:
+          - X-Forwarded-Host
+        referrerPolicy: same-origin
+    immich-headers:
+      headers:
+#        hostsProxyHeaders:
+#          - X-Forwarded-Host
+#        referrerPolicy: same-origin
+        hostsProxyHeaders:
+          - "X-Forwarded-Host"
+        customRequestHeaders:
+          X-Forwarded-Proto: "https"
+        referrerPolicy: "same-origin"
+        stsSeconds: 63072000
+        stsIncludeSubdomains: true
+        stsPreload: true
+        forceSTSHeader: true
+
+tcp:
+  serversTransports:
+    git_ssh_transport:
+      terminationDelay: 300
+  routers:
+    git_ssh:
+      entryPoints:
+        - ssh
+      service: git_ssh_service
+      rule: HostSNI(`*`)
+  services:
+    git_ssh_service:
+      loadBalancer:
+        servers:
+          - address: 10.20.1.6:2346
+        serversTransport: git_ssh_transport