From 3c7b1b29c1a71381ee3ffbe969277dc8e79e97bb Mon Sep 17 00:00:00 2001
From: sporada
Date: Thu, 25 Mar 2021 14:44:16 +0100
Subject: [PATCH] Add traefik

---
 traefik/docker-compose.yml | 163 +++++++++++++++++++++++++++++++++++++
 traefik/live.env.tpl | 4 +
 2 files changed, 167 insertions(+)
 create mode 100644 traefik/docker-compose.yml
 create mode 100644 traefik/live.env.tpl

diff --git a/traefik/docker-compose.yml b/traefik/docker-compose.yml
new file mode 100644
index 0000000..a70de92
--- /dev/null
+++ b/traefik/docker-compose.yml
@@ -0,0 +1,163 @@
+version: '3.5'
+
+networks:
+ default:
+ driver: bridge
+ socket_proxy:
+ external:
+ name: socket_proxy
+
+
+services:
+ # Only accept needed incoming docker API calls
+ socket-proxy:
+ container_name: socket-proxy
+ environment:
+ - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
+ ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
+ # 0 to revoke access.
+ # 1 to grant access.
+ ## Granted by Default
+ - EVENTS=1
+ - PING=1
+ - VERSION=1
+ ## Revoked by Default
+ # Security critical
+ - AUTH=0
+ - SECRETS=0
+ - POST=1 # Watchtower
+ - DELETE=1 # Watchtower
+ # GET Optons
+ - BUILD=0
+ - COMMIT=0
+ - CONFIGS=0
+ - CONTAINERS=1 # Traefik, portainer, etc.
+ - DISTRIBUTION=0
+ - EXEC=0
+ - IMAGES=1 # Portainer, Watchtower
+ - INFO=1 # Portainer
+ - NETWORKS=1 # Portainer, Watchtower
+ - NODES=0
+ - PLUGINS=0
+ - SERVICES=1 # Portainer
+ - SESSION=0
+ - SWARM=0
+ - SYSTEM=0
+ - TASKS=1 # Portaienr
+ - VOLUMES=1 # Portainer
+ # POST Options
+ - CONTAINERS_CREATE=1 # WatchTower
+ - CONTAINERS_START=1 # WatchTower
+ - CONTAINERS_UPDATE=1 # WatchTower
+ # DELETE Options
+ - CONTAINERS_DELETE=1 # WatchTower
+ - IMAGES_DELETE=1 # WatchTower
+ image: fluencelabs/docker-socket-proxy
+ labels:
+ - "com.centurylinklabs.watchtower.enable=true"
+ networks:
+ - socket_proxy
+ ports:
+ - "127.0.0.1:2375:2375"
+ # Always restart if server restart etc.
+ restart: unless-stopped
+ volumes:
+ - "/var/run/docker.sock:/var/run/docker.sock"
+
+ # watchtower keeps docker iamges automatically up to date
+ watchtower:
+ container_name: watchtower
+ depends_on:
+ - socket-proxy
+ environment:
+ WATCHTOWER_CLEANUP: "true"
+ WATCHTOWER_REMOVE_VOLUMES: "true"
+ WATCHTOWER_INCLUDE_STOPPED: "true"
+ WATCHTOWER_NO_STARTUP_MESSAGE: "false"
+ WATCHTOWER_SCHEDULE: "0 30 12 * * *" # Everyday at 12:30
+ DOCKER_HOST: tcp://socket-proxy:2375
+ image: containrrr/watchtower
+ labels:
+ - "com.centurylinklabs.watchtower.enable=true"
+ networks:
+ - default
+ - socket_proxy
+ restart: unless-stopped
+
+ traefik:
+ depends_on:
+# - dockerproxy
+ - watchtower
+ # Always restart also at boot unless manually stopped
+ restart: unless-stopped
+ # The official v2 Traefik docker image
+ image: traefik:v2.3
+ networks:
+ - socket_proxy
+ - default
+ env_file: live.env
+ container_name: "traefik"
+ # Enables the web UI and tells Traefik to listen to docker
+ command:
+ # logging
+ - "--log.filePath=/logs/traefik.log"
+ - "--log.level=DEBUG"
+ # API and Dashboard
+ #- "--api.insecure=true"
+ - "--api=true"
+ - "--api.dashboard=true"
+ # Docker as provider
+ - "--providers.docker=true"
+ - "--providers.docker.exposedbydefault=false"
+ # Entrypoints (not HTTPS)
+ - "--entrypoints.web.address=:80"
+ #- "--entrypoints.teamspeak.address=:9987/udp"
+ # HTTPS (websecure entrypoint)
+ - "--entrypoints.websecure.address=:443"
+ # SSH for Gitlab Entrypoint
+ - "--entrypoints.ssh.address=:2222"
+ # Use this CA server for testing
+ # - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+ - "--certificatesresolvers.myresolver.acme.email=${EMAIL}"
+ - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
+ - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
+ - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
+ # Docker socket proxy cli commands
+ - "--providers.docker.endpoint=tcp://socket-proxy:2375"
+ labels:
+ # enable watchtower for traefik
+ - "com.centurylinklabs.watchtower.enable=true"
+ # Dashboard stuff
+ - "traefik.enable=true"
+ - "traefik.http.routers.traefik-https.rule=Host(`traefik.${DOMAIN}`)"
+ - "traefik.http.routers.traefik-https.entrypoints=websecure"
+ - "traefik.http.routers.traefik-https.middlewares=auth"
+ - "traefik.http.routers.traefik-https.service=api@internal"
+ - "traefik.http.routers.traefik-https.tls=true"
+ - "traefik.http.routers.traefik-https.tls.certresolver=myresolver"
+ - "traefik.http.middlewares.auth.basicauth.users=${TRAEFIK_USER}:${TRAEFIK_PASSWORD_HASH}"
+ # http to https redirect
+ - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
+ - "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true"
+ - "traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)"
+ - "traefik.http.routers.http_catchall.entrypoints=web"
+ - "traefik.http.routers.http_catchall.middlewares=https-redirect"
+
+ ports:
+ # The HTTP port
+ - "80:80"
+ # The HTTPS port
+ - "443:443"
+ # TH ssh port for Gitlab
+ - "2222:2222" # The SSH port
+ # The Web UI (enabled by --api.insecure=true)
+ #- "8080:8080"
+ # TS3 ports
+ #- "9987:9987/udp"
+ #- "10011:10011"
+ #- "30033:30033"
+ volumes:
+ # For certificate
+ - "./volumes/letsencrypt/acme.json:/letsencrypt/acme.json"
+ # For logging
+ - "./volumes/logs/traefik.log:/logs/traefik.log"
diff --git a/traefik/live.env.tpl b/traefik/live.env.tpl
new file mode 100644
index 0000000..e4356f4
--- /dev/null
+++ b/traefik/live.env.tpl
@@ -0,0 +1,4 @@
+TRAEFIK_USER=username
+TRAEFIK_PASSWORD_HASH=hash
+DOMAIN=domain.com
+EMAIL=user@domain.de
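Review bot: The socket-proxy service publishes the Docker API on the host with `ports:` / `- "127.0.0.1:2375:2375"`, although its only consumers in this file, watchtower and traefik, reach it over the internal `socket_proxy` network (`DOCKER_HOST: tcp://socket-proxy:2375` and `--providers.docker.endpoint=tcp://socket-proxy:2375`); those two lines should be dropped. The proxy has no authentication of its own, and with `POST=1`, `CONTAINERS_CREATE=1` and `CONTAINERS_START=1` granted, any local process that can reach 127.0.0.1:2375 can create and start containers, which is equivalent to root on the host. Because traefik shares the same proxy instance it inherits those write permissions too, while it only needs the read-side `CONTAINERS=1` plus `EVENTS`/`PING`/`VERSION`; a second, read-only proxy for traefik would be the safer split. `fluencelabs/docker-socket-proxy` and `containrrr/watchtower` are pulled without a tag or digest and both carry the watchtower label, so the component gating the socket is replaced automatically without review — pin them, and consider lowering `--log.level=DEBUG` for a live deployment.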