Add traefik
This commit is contained in:
parent
994324d812
commit
3c7b1b29c1
163
traefik/docker-compose.yml
Normal file
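--- /dev/null
+++ b/traefik/docker-compose.yml
@@ -0,0 +1,163 @@
+version: '3.5'
+
+networks:
+  default:
+    driver: bridge
+  socket_proxy:
+    external:
+      name: socket_proxy
+
+
+services:
+  # Only accept needed incoming docker API calls
+  socket-proxy:
+    container_name: socket-proxy
+    environment:
+      - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
+      ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
+      # 0 to revoke access.
+      # 1 to grant access.
+      ## Granted by Default
+      - EVENTS=1
+      - PING=1
+      - VERSION=1
+      ## Revoked by Default
+      # Security critical
+      - AUTH=0
+      - SECRETS=0
+      - POST=1 # Watchtower
+      - DELETE=1 # Watchtower
+      # GET Optons
+      - BUILD=0
+      - COMMIT=0
+      - CONFIGS=0
+      - CONTAINERS=1 # Traefik, portainer, etc.
+      - DISTRIBUTION=0
+      - EXEC=0
+      - IMAGES=1 # Portainer, Watchtower
+      - INFO=1 # Portainer
+      - NETWORKS=1 # Portainer, Watchtower
+      - NODES=0
+      - PLUGINS=0
+      - SERVICES=1 # Portainer
+      - SESSION=0
+      - SWARM=0
+      - SYSTEM=0
+      - TASKS=1 # Portaienr
+      - VOLUMES=1 # Portainer
+      # POST Options
+      - CONTAINERS_CREATE=1 # WatchTower
+      - CONTAINERS_START=1 # WatchTower
+      - CONTAINERS_UPDATE=1 # WatchTower
+      # DELETE Options
+      - CONTAINERS_DELETE=1 # WatchTower
+      - IMAGES_DELETE=1 # WatchTower
+    image: fluencelabs/docker-socket-proxy
+    labels:
+      - "com.centurylinklabs.watchtower.enable=true"
+    networks:
+      - socket_proxy
+    ports:
+      - "127.0.0.1:2375:2375"
+    # Always restart if server restart etc.
+    restart: unless-stopped
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock"
+
+  # watchtower keeps docker iamges automatically up to date
+  watchtower:
+    container_name: watchtower
+    depends_on:
+      - socket-proxy
+    environment:
+      WATCHTOWER_CLEANUP: "true"
+      WATCHTOWER_REMOVE_VOLUMES: "true"
+      WATCHTOWER_INCLUDE_STOPPED: "true"
+      WATCHTOWER_NO_STARTUP_MESSAGE: "false"
+      WATCHTOWER_SCHEDULE: "0 30 12 * * *" # Everyday at 12:30
+      DOCKER_HOST: tcp://socket-proxy:2375
+    image: containrrr/watchtower
+    labels:
+      - "com.centurylinklabs.watchtower.enable=true"
+    networks:
+      - default
+      - socket_proxy
+    restart: unless-stopped
+
+  traefik:
+    depends_on:
+      # - dockerproxy
+      - watchtower
+    # Always restart also at boot unless manually stopped
+    restart: unless-stopped
+    # The official v2 Traefik docker image
+    image: traefik:v2.3
+    networks:
+      - socket_proxy
+      - default
+    env_file: live.env
+    container_name: "traefik"
+    # Enables the web UI and tells Traefik to listen to docker
+    command:
+      # logging
+      - "--log.filePath=/logs/traefik.log"
+      - "--log.level=DEBUG"
+      # API and Dashboard
+      #- "--api.insecure=true"
+      - "--api=true"
+      - "--api.dashboard=true"
+      # Docker as provider
+      - "--providers.docker=true"
+      - "--providers.docker.exposedbydefault=false"
+      # Entrypoints (not HTTPS)
+      - "--entrypoints.web.address=:80"
+      #- "--entrypoints.teamspeak.address=:9987/udp"
+      # HTTPS (websecure entrypoint)
+      - "--entrypoints.websecure.address=:443"
+      # SSH for Gitlab Entrypoint
+      - "--entrypoints.ssh.address=:2222"
+      # Use this CA server for testing
+      # - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+      - "--certificatesresolvers.myresolver.acme.email=${EMAIL}"
+      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
+      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
+      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
+      # Docker socket proxy cli commands
+      - "--providers.docker.endpoint=tcp://socket-proxy:2375"
+    labels:
+      # enable watchtower for traefik
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Dashboard stuff
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik-https.rule=Host(`traefik.${DOMAIN}`)"
+      - "traefik.http.routers.traefik-https.entrypoints=websecure"
+      - "traefik.http.routers.traefik-https.middlewares=auth"
+      - "traefik.http.routers.traefik-https.service=api@internal"
+      - "traefik.http.routers.traefik-https.tls=true"
+      - "traefik.http.routers.traefik-https.tls.certresolver=myresolver"
+      - "traefik.http.middlewares.auth.basicauth.users=${TRAEFIK_USER}:${TRAEFIK_PASSWORD_HASH}"
+      # http to https redirect
+      - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true"
+      - "traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)"
+      - "traefik.http.routers.http_catchall.entrypoints=web"
+      - "traefik.http.routers.http_catchall.middlewares=https-redirect"
+
+    ports:
+      # The HTTP port
+      - "80:80"
+      # The HTTPS port
+      - "443:443"
+      # TH ssh port for Gitlab
+      - "2222:2222" # The SSH port
+      # The Web UI (enabled by --api.insecure=true)
+      #- "8080:8080"
+      # TS3 ports
+      #- "9987:9987/udp"
+      #- "10011:10011"
+      #- "30033:30033"
+    volumes:
+      # For certificate
+      - "./volumes/letsencrypt/acme.json:/letsencrypt/acme.json"
+      # For logging
+      - "./volumes/logs/traefik.log:/logs/traefik.log"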
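Review bot: The socket proxy's `POST=1`, `DELETE=1` and `CONTAINERS_CREATE/START/UPDATE=1` grants let any client of it create and start a privileged container with the host filesystem bind-mounted, so the proxy does not bring the Docker socket's blast radius below host root for whatever can reach it, and the `- "127.0.0.1:2375:2375"` publish then hands that unauthenticated API to every local process and user on the host even though both consumers in this file already reach it over the `socket_proxy` network (`tcp://socket-proxy:2375`). I would drop the `ports:` block from `socket-proxy` entirely and comment the grants, e.g. `# NOTE: create/start/update rights are host-root-equivalent for any client of this proxy; keep the socket_proxy network limited to watchtower and traefik`. The `fluencelabs/docker-socket-proxy` image has no tag or digest and the container holding the raw socket is itself labelled for watchtower auto-updates, so a compromised or hijacked upstream `latest` would be pulled and run with socket access without any review; pin a digest or at least a version tag and consider excluding this one container from watchtower. `--log.level=DEBUG` writes request-level detail into the bind-mounted log file and should be lowered before this serves a live domain.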
4
traefik/live.env.tpl
Normal file
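--- /dev/null
+++ b/traefik/live.env.tpl
@@ -0,0 +1,4 @@
+TRAEFIK_USER=username
+TRAEFIK_PASSWORD_HASH=hash
+DOMAIN=domain.com
+EMAIL=user@domain.de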
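Review bot: The `${TRAEFIK_USER}`, `${TRAEFIK_PASSWORD_HASH}`, `${DOMAIN}` and `${EMAIL}` references in the compose file's `command:` and `labels:` are expanded by docker-compose from the shell environment or a `.env` file in the project directory, not from a file loaded through `env_file:`, so a template rendered only as `live.env` leaves them blank (compose warns and substitutes an empty string): the dashboard rule becomes `Host(\`traefik.\`)`, the ACME email is empty, and the basicauth `users` entry becomes `:`, which Traefik is unlikely to accept as a credential. Unless the same values are also present as `.env` (which this commit does not show), I would rename the template to `.env.tpl` or state the requirement in its header, e.g. `# Copy to .env in this directory: these values feed docker-compose ${...} interpolation, not the container environment`. The `TRAEFIK_PASSWORD_HASH` placeholder should also say which format is expected (an htpasswd-style bcrypt/MD5 hash, not a plaintext password), since a plaintext value pasted here is silently accepted as the "hash". Make sure the rendered file is git-ignored; the `.tpl` pattern suggests it is, but no `.gitignore` change accompanies this commit.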