From eed6196da546506f2c4795f4568627910ef89b04 Mon Sep 17 00:00:00 2001 From: knight Date: Thu, 5 Feb 2026 22:04:28 -0500 Subject: [PATCH] Move Traefik file routes to Docker labels --- stacks/authentik/docker-compose.yml | 4 + stacks/brain/docker-compose.yml | 2 +- stacks/changedetection/docker-compose.yml | 2 +- stacks/gollum/docker-compose.yml | 2 +- stacks/invidious/docker-compose.yml | 17 +- stacks/obsidian-tools/docker-compose.yml | 6 +- stacks/service-map/docker-compose.yml | 24 ++ stacks/traefik/conf.d/authentik.yml | 23 -- stacks/traefik/conf.d/dynamic.yml | 14 -- stacks/traefik/conf.d/library.yaml | 19 -- stacks/traefik/conf.d/meshmon.yaml | 19 -- stacks/traefik/conf.d/middlewares.yaml | 261 ---------------------- stacks/traefik/conf.d/minecraft.yaml | 21 -- stacks/traefik/conf.d/radio.yml | 23 -- stacks/traefik/conf.d/sequela.yml | 6 - stacks/traefik/conf.d/spider.yml | 23 -- stacks/traefik/conf.d/tlc.yml | 23 -- stacks/traefik/conf.d/uplink.yml | 45 ---- stacks/traefik/conf.d/wille.yaml | 20 -- stacks/traefik/docker-compose.yml | 122 +++++++++- stacks/traefik/traefik.yml | 4 - stacks/zerotier/docker-compose.yml | 2 +- 22 files changed, 165 insertions(+), 517 deletions(-) create mode 100644 stacks/service-map/docker-compose.yml delete mode 100644 stacks/traefik/conf.d/authentik.yml delete mode 100755 stacks/traefik/conf.d/dynamic.yml delete mode 100755 stacks/traefik/conf.d/library.yaml delete mode 100755 stacks/traefik/conf.d/meshmon.yaml delete mode 100755 stacks/traefik/conf.d/middlewares.yaml delete mode 100755 stacks/traefik/conf.d/minecraft.yaml delete mode 100755 stacks/traefik/conf.d/radio.yml delete mode 100644 stacks/traefik/conf.d/sequela.yml delete mode 100644 stacks/traefik/conf.d/spider.yml delete mode 100755 stacks/traefik/conf.d/tlc.yml delete mode 100644 stacks/traefik/conf.d/uplink.yml delete mode 100755 stacks/traefik/conf.d/wille.yaml 
diff --git a/stacks/authentik/docker-compose.yml b/stacks/authentik/docker-compose.yml
index 038e082..f9d82ec 100644
--- a/stacks/authentik/docker-compose.yml
+++ b/stacks/authentik/docker-compose.yml
@@ -31,6 +31,10 @@ services:
 - "traefik.http.routers.authentik.rule=Host(`authentik.${DOMAIN}`)"
 - "traefik.http.routers.authentik.tls.certresolver=http"
 - "traefik.http.services.authentik.loadbalancer.server.port=9000"
+ - "traefik.http.routers.authentik-outpost.entrypoints=https"
+ - "traefik.http.routers.authentik-outpost.rule=HostRegexp(`{subdomain:[a-z0-9]+}.ghost.tel`) && PathPrefix(`/outpost.goauthentik.io/`)"
+ - "traefik.http.routers.authentik-outpost.service=authentik"
+ - "traefik.http.routers.authentik-outpost.tls.certresolver=http"
 worker:
 image: ghcr.io/goauthentik/server:latest
diff --git a/stacks/brain/docker-compose.yml b/stacks/brain/docker-compose.yml
index 0b7e1b0..00e9d43 100644
--- a/stacks/brain/docker-compose.yml
+++ b/stacks/brain/docker-compose.yml
@@ -16,7 +16,7 @@ services:
 - "traefik.http.routers.brain.entrypoints=https"
 - "traefik.http.routers.brain.rule=Host(`brain.${DOMAIN}`)"
 - "traefik.http.routers.brain.tls.certresolver=http"
- - "traefik.http.routers.brain.middlewares=auth@file"
+ - "traefik.http.routers.brain.middlewares=auth@docker"
 sftp:
 image: atmoz/sftp
diff --git a/stacks/changedetection/docker-compose.yml b/stacks/changedetection/docker-compose.yml
index 7ea79df..8c66ad6 100644
--- a/stacks/changedetection/docker-compose.yml
+++ b/stacks/changedetection/docker-compose.yml
@@ -18,7 +18,7 @@ services:
 - "traefik.http.routers.changedetection.entrypoints=https"
 - "traefik.http.routers.changedetection.rule=Host(`change.${DOMAIN}`)"
 - "traefik.http.routers.changedetection.tls.certresolver=http"
- - "traefik.http.routers.changedetection.middlewares=auth@file"
+ - "traefik.http.routers.changedetection.middlewares=auth@docker"
 depends_on:
 - playwright-chrome
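Review bot: The `authentik-outpost` rule `HostRegexp(`{subdomain:[a-z0-9]+}.ghost.tel`)` is Traefik v2 named-group syntax, and the `core: defaultRuleSyntax: v2` that the deleted conf.d/middlewares.yaml, radio.yml, spider.yml and tlc.yml carried is not re-added to traefik.yml or to any label in this patch, so on a v3 Traefik this label would be read as a Go regex and the router rejected — the Traefik version is not visible in the diff. If it is v3, `HostRegexp(`^[a-z0-9]+\\.ghost\\.tel$`)` is the equivalent (dots escaped because v3 treats the whole expression as a regex, backslashes doubled inside the YAML double-quoted label as the immich redirect regex in stacks/traefik/docker-compose.yml already does); otherwise pin the syntax with `core.defaultRuleSyntax: v2` in traefik.yml or, where still available, the per-router `ruleSyntax` option. The rule also hardcodes `ghost.tel` while the `authentik` router one label above uses `${DOMAIN}`; one of the two conventions should win.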
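Review bot: `auth@docker` now refers to a middleware declared by labels on the traefik container in stacks/traefik/docker-compose.yml, another stack, instead of a file this stack's Traefik mounted; Traefik disables a router whose middleware does not exist, so when the traefik stack is redeployed without those labels this route disappears rather than losing its auth (fail-closed, which is fine, but not obvious from this file). A one-line comment above the label would save the next reader a search, e.g. `# auth@docker is defined on the traefik container (stacks/traefik/docker-compose.yml)`. The same applies to the changedetection hunk below, to gollum, obsidian-tools and zerotier (`dashboard-auth@docker`), and to invidious (`invid-companion-prefix@docker`) later in the patch.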
diff --git a/stacks/gollum/docker-compose.yml b/stacks/gollum/docker-compose.yml
index 4910e07..6d4398a 100644
--- a/stacks/gollum/docker-compose.yml
+++ b/stacks/gollum/docker-compose.yml
@@ -18,7 +18,7 @@ services:
 - "traefik.http.routers.gollum.entrypoints=https"
 - "traefik.http.routers.gollum.rule=Host(`gollum.${DOMAIN}`)"
 - "traefik.http.routers.gollum.tls.certresolver=http"
- - "traefik.http.routers.gollum.middlewares=auth@file"
+ - "traefik.http.routers.gollum.middlewares=auth@docker"
 networks:
 web:
diff --git a/stacks/invidious/docker-compose.yml b/stacks/invidious/docker-compose.yml
index b2e9d90..e0e6c1c 100644
--- a/stacks/invidious/docker-compose.yml
+++ b/stacks/invidious/docker-compose.yml
@@ -41,10 +41,10 @@ services:
 labels:
 - "com.ghost.tel/stack-type=public"
 - "traefik.enable=true"
- - "traefik.http.services.invidious.loadbalancer.server.port=3000"
- - "traefik.http.routers.invidious.entrypoints=https"
- - "traefik.http.routers.invidious.rule=Host(`inv.${DOMAIN}`)"
- - "traefik.http.routers.invidious.tls.certresolver=http"
+ - "traefik.http.services.invid.loadbalancer.server.port=3000"
+ - "traefik.http.routers.invid.entrypoints=http,https"
+ - "traefik.http.routers.invid.rule=Host(`inv.${DOMAIN}`) && !(Path(`/latest_version`) || PathPrefix(`/api/manifest/dash/id/`) || PathPrefix(`/videoplayback`) || PathPrefix(`/download`))"
+ - "traefik.http.routers.invid.tls.certresolver=http"
 networks:
 - web
 - default
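Review bot: The `invid` router's negated list omits `PathPrefix(`/youtubei/v1/player`)`, which the `invid-companion` router in the next hunk claims, so both routers match that path and only Traefik's default priority (longer rule wins) sends it to the companion — fragile as soon as either rule is edited. Make the two rules complementary by adding `|| PathPrefix(`/youtubei/v1/player`)` inside the `!( … )` here, or give the companion router an explicit `traefik.http.routers.invid-companion.priority`. Separately, the entrypoints change from `https` to `http,https` while the catch-all `https-redirect` router that used to push port-80 traffic to HTTPS is deleted with conf.d/middlewares.yaml and not recreated, so whether inv.${DOMAIN} now answers in plaintext depends on entrypoint redirection in traefik.yml, which this patch does not show.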
@@ -74,10 +74,11 @@ services:
 memory: 1G
 labels:
 - "traefik.enable=true"
- - "traefik.http.services.invidious-companion.loadbalancer.server.port=8282"
- - "traefik.http.routers.invidious-companion.entrypoints=https"
- - "traefik.http.routers.invidious-companion.rule=Host(`inv.${DOMAIN}`) && PathPrefix(`/companion`)"
- - "traefik.http.routers.invidious-companion.tls.certresolver=http"
+ - "traefik.http.services.invid-companion.loadbalancer.server.port=8282"
+ - "traefik.http.routers.invid-companion.entrypoints=http,https"
+ - "traefik.http.routers.invid-companion.rule=Host(`inv.${DOMAIN}`) && (Path(`/latest_version`) || PathPrefix(`/api/manifest/dash/id/`) || PathPrefix(`/youtubei/v1/player`) || PathPrefix(`/videoplayback`) || PathPrefix(`/download`))"
+ - "traefik.http.routers.invid-companion.tls.certresolver=http"
+ - "traefik.http.routers.invid-companion.middlewares=invid-companion-prefix@docker"
 networks:
 - web
 - default
diff --git a/stacks/obsidian-tools/docker-compose.yml b/stacks/obsidian-tools/docker-compose.yml
index beab9e9..26c546a 100644
--- a/stacks/obsidian-tools/docker-compose.yml
+++ b/stacks/obsidian-tools/docker-compose.yml
@@ -24,7 +24,7 @@ services:
 - "traefik.http.routers.todo-obbytodo.entrypoints=https"
 - "traefik.http.routers.todo-obbytodo.rule=Host(`shell.${DOMAIN}`) && PathPrefix(`/todo`)"
 - "traefik.http.routers.todo-obbytodo.tls.certresolver=http"
- - "traefik.http.routers.todo-obbytodo.middlewares=todo-obbytodo-stripprefix@docker,dashboard-auth@file"
+ - "traefik.http.routers.todo-obbytodo.middlewares=todo-obbytodo-stripprefix@docker,dashboard-auth@docker"
 - "traefik.http.routers.todo-obbytodo.priority=100"
 - "traefik.http.middlewares.todo-obbytodo-stripprefix.stripPrefix.prefixes=/todo"
 - "traefik.http.services.todo-obbytodo.loadbalancer.server.port=3000"
@@ -32,7 +32,7 @@ services:
 - "traefik.http.routers.events-obbytodo.entrypoints=https"
 - "traefik.http.routers.events-obbytodo.rule=Host(`shell.${DOMAIN}`) && PathPrefix(`/events`)"
 - "traefik.http.routers.events-obbytodo.tls.certresolver=http"
- - "traefik.http.routers.events-obbytodo.middlewares=dashboard-auth@file"
+ - "traefik.http.routers.events-obbytodo.middlewares=dashboard-auth@docker"
 - "traefik.http.routers.events-obbytodo.priority=100"
 - "traefik.http.routers.events-obbytodo.service=todo-obbytodo"
@@ -64,7 +64,7 @@ services:
 - "traefik.http.routers.shell-secure.entrypoints=https"
 - "traefik.http.routers.shell-secure.rule=Host(`shell.${DOMAIN}`)"
 - "traefik.http.routers.shell-secure.tls.certresolver=http"
- - "traefik.http.routers.shell-secure.middlewares=dashboard-auth@file"
+ - "traefik.http.routers.shell-secure.middlewares=dashboard-auth@docker"
 - "traefik.http.services.shell-secure.loadbalancer.server.port=3033"
 - "traefik.http.routers.shell-secure.service=shell-secure"
diff --git a/stacks/service-map/docker-compose.yml b/stacks/service-map/docker-compose.yml
new file mode 100644
index 0000000..7ce545b
--- /dev/null
+++ b/stacks/service-map/docker-compose.yml
@@ -0,0 +1,24 @@
+services:
+ service-map:
+ build: .
+ container_name: service-map
+ restart: unless-stopped
+ labels:
+ - "com.ghost.tel/stack-type=dev-only"
+ - "traefik.enable=true"
+ - "traefik.http.routers.service-map.rule=Host(`map.ghost.tel`)"
+ - "traefik.http.routers.service-map.entrypoints=https"
+ - "traefik.http.routers.service-map.tls.certresolver=http"
+ - "traefik.http.routers.service-map.middlewares=dashboard-auth@docker"
+ - "traefik.http.services.service-map.loadbalancer.server.port=3000"
+ environment:
+ - HOSTS=ubuntu-dev,ubuntu-prod
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ - ~/.ssh:/root/.ssh:ro
+ networks:
+ - web
+
+networks:
+ web:
+ external: true
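Review bot: service-map mounts the host Docker socket and `~/.ssh` (the deploying user's private keys, which per `HOSTS=ubuntu-dev,ubuntu-prod` presumably also reach the prod host) into the container and exposes it on `map.ghost.tel` behind `dashboard-auth@docker` alone, i.e. the static users file in /basicAuth; `:ro` on a bind-mounted socket does not restrict the Docker API, so anyone who passes that basic auth has root-equivalent access to this host. The patch already defines the authentik `auth@docker` forwardAuth middleware — chaining it, `traefik.http.routers.service-map.middlewares=auth@docker,dashboard-auth@docker`, and giving the container a dedicated key instead of the whole `~/.ssh` would narrow that considerably. `build: .` with no image reference also leaves nothing to pin or scan. Note too that stacks/traefik/docker-compose.yml in this patch declares its own `traefik.http.routers.service-map` and `traefik.http.services.service-map` (to docker-dev:3333, not the 3000 here); if the two containers are ever watched by the same Traefik the duplicate router name is rejected — presumably intentional given `dev-only` versus `prod`, but worth a comment on one of them.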
diff --git a/stacks/traefik/conf.d/authentik.yml b/stacks/traefik/conf.d/authentik.yml deleted file mode 100644 index 9f1224f..0000000 --- a/stacks/traefik/conf.d/authentik.yml +++ /dev/null @@ -1,23 +0,0 @@ -http: - routers: - authentik: - entrypoints: - - https - rule: "Host(`authentik.ghost.tel`)" - service: authentik - tls: - certResolver: http - - authentik-outpost: - entrypoints: - - https - rule: "HostRegexp(`{subdomain:[a-z0-9]+}.ghost.tel`) && PathPrefix(`/outpost.goauthentik.io/`)" - service: authentik - tls: - certResolver: http - - services: - authentik: - loadBalancer: - servers: - - url: "http://ubuntu-prod.localdomain:9000" diff --git a/stacks/traefik/conf.d/dynamic.yml b/stacks/traefik/conf.d/dynamic.yml deleted file mode 100755 index 57d0596..0000000 --- a/stacks/traefik/conf.d/dynamic.yml +++ /dev/null @@ -1,14 +0,0 @@ -tcp: - routers: - ssh-router: - entryPoints: - - ssh - rule: "HostSNI(`*`)" - service: ssh-service - - services: - ssh-service: - loadBalancer: - servers: - - address: "web:22" # Reference the service name defined in docker-compose - diff --git a/stacks/traefik/conf.d/library.yaml b/stacks/traefik/conf.d/library.yaml deleted file mode 100755 index b203c41..0000000 --- a/stacks/traefik/conf.d/library.yaml +++ /dev/null @@ -1,19 +0,0 @@ -http: - routers: - library: - entrypoints: - - https - - http - rule: Host(`library.ghost.tel`) - service: library - tls: - certResolver: http - middlewares: - - securityHeaders - - services: - library: - loadBalancer: - passHostHeader: true - servers: - - url: "http://docker-dev:8033/" diff --git a/stacks/traefik/conf.d/meshmon.yaml b/stacks/traefik/conf.d/meshmon.yaml deleted file mode 100755 index 20cab42..0000000 --- a/stacks/traefik/conf.d/meshmon.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -http: - routers: - meshmon: - entrypoints: - - https - - http - rule: Host(`meshmon.ghost.tel`) - service: meshmon - tls: - certResolver: http - middlewares: - - securityHeaders - - services: - meshmon: - loadBalancer: - passHostHeader: true - servers: - - url: "http://docker-dev:8383/" diff --git a/stacks/traefik/conf.d/middlewares.yaml b/stacks/traefik/conf.d/middlewares.yaml deleted file mode 100755 index 4790083..0000000 --- a/stacks/traefik/conf.d/middlewares.yaml +++ /dev/null 
@@ -1,261 +0,0 @@ -core: - defaultRuleSyntax: v2 - -http: - routers: - https-redirect: - entryPoints: - - http - # Activate this Router on any Host requested - rule: "hostregexp(`{host:.+}`)" - service: dummy - middlewares: - - redirect-to-https - - # (NEW) Redirect immich.ghost.tel to photos.ghost.tel - immich-redirect: - entryPoints: - - http - - https # Catch both HTTP and HTTPS requests - rule: Host(`immich.ghost.tel`) - service: dummy # Dummy service since it's a redirect, not proxying - middlewares: - - redirect-immich-to-photos - tls: - certResolver: http - - homeassist: - entryPoints: - - https - rule: Host(`home.ghost.tel`) - service: HomeAssistant - tls: - certResolver: http - middlewares: - - securityHeaders - - dynmap: - entryPoints: - - http - - https - rule: Host(`dynmap.ghost.tel`) - service: dynmap - tls: - certResolver: http - - amp: - entryPoints: - - http - rule: Host(`amped.ghost.tel`) - service: amp - tls: - certResolver: http - - # Uncomment if you need them; included for reference - # brake: - # entryPoints: - # - http - # rule: Host(`parker.ramz.cc`) || Host(`whoami.brake.tel`) || Host(`electrate.brake.tel`) || Host(`sarah.brake.tel`) || Host(`brake.tel`) - # service: brake - - # brakehttps: - # entryPoints: - # - https - # rule: Host(`parker.ramz.cc`) || Host(`whoami.brake.tel`) || Host(`electrate.brake.tel`) || Host(`sarah.brake.tel`) || Host(`brake.tel`) - # service: brakehttps - - invid: - entryPoints: - - http - - https - rule: Host(`inv.ghost.tel`) && !(Path(`/latest_version`) || PathPrefix(`/api/manifest/dash/id/`) || PathPrefix(`/videoplayback`) || PathPrefix(`/download`)) - service: invid - tls: - certResolver: http - - # (NEW) Route /companion path to Invidious Companion - invid-companion: - entryPoints: - - http - - https - rule: Host(`inv.ghost.tel`) && (Path(`/latest_version`) || PathPrefix(`/api/manifest/dash/id/`) || PathPrefix(`/youtubei/v1/player`) || PathPrefix(`/videoplayback`) || PathPrefix(`/download`)) - service: 
invid-companion - tls: - certResolver: http - middlewares: - - invid-companion-prefix - -# tempai: -# entryPoints: -# - http -# - https -# rule: Host(`shell.ghost.tel`) -# service: tempai -# tls: -# certResolver: http -# middlewares: -# - dashboard-auth - - - picam: - entryPoints: - - http - - https - rule: Host(`printview.ghost.tel`) - service: picam - tls: - certResolver: http - - # Example internal API / dashboard config (for reference) - # my-api: - # entryPoints: - # - dashboard - # rule: "PathPrefix(`/dashboard`) || PathPrefix(`/api`)" - # service: api@internal - # middlewares: - # - dashboard-auth - - my-secure-api: - entryPoints: - - https - rule: "Host(`traefik.ghost.tel`)" - service: api@internal - middlewares: - - auth - tls: - certResolver: http - - services: - HomeAssistant: - loadBalancer: - passHostHeader: true - servers: - - url: "http://homeassistant.localdomain:8123" - - dummy: - loadBalancer: - servers: - - url: "localhost" - - dynmap: - loadBalancer: - servers: - - url: "http://ramiel:8123/" - - amp: - loadBalancer: - passHostHeader: true - servers: - - url: "http://192.168.1.205:8080" - - # brake: - # loadBalancer: - # passHostHeader: true - # servers: - # - url: "http://192.168.1.231:3333" - - # brakehttps: - # loadBalancer: - # passHostHeader: true - # servers: - # - url: "http://192.168.1.231:3333" - - invid: - loadBalancer: - passHostHeader: true - servers: - - url: "http://ubuntu-prod.localdomain:3000" - - # (NEW) Invidious Companion service at port 8282 - invid-companion: - loadBalancer: - passHostHeader: true - servers: - - url: "http://ubuntu-prod.localdomain:8282" - - picam: - loadBalancer: - passHostHeader: true - servers: - - url: "http://192.168.1.80:8080" - - # tempai: - # loadBalancer: - # passHostHeader: true - # servers: - # - url: "http://192.168.5.10:3001" - - - middlewares: - # (NEW) Middleware to redirect immich.ghost.tel to photos.ghost.tel - redirect-immich-to-photos: - redirectRegex: - regex: 
"^https?://immich\\.ghost\\.tel(/.*)?$" - replacement: "https://photos.ghost.tel$1" - permanent: true - - dashboard-auth: - basicAuth: - usersFile: "/basicAuth" - - redirect-to-https: - redirectScheme: - scheme: https - # permanent: true - - auth: - forwardAuth: - address: http://ubuntu-prod.localdomain:9000/outpost.goauthentik.io/auth/traefik - trustForwardHeader: true - authResponseHeaders: - - X-authentik-username - - X-authentik-groups - - X-authentik-email - - X-authentik-name - - X-authentik-uid - - X-authentik-jwt - - X-authentik-meta-jwks - - X-authentik-meta-outpost - - X-authentik-meta-provider - - X-authentik-meta-app - - X-authentik-meta-version - - securityHeaders: - headers: - customResponseHeaders: - X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex" - server: "" - X-Forwarded-Proto: "https" - sslProxyHeaders: - X-Forwarded-Proto: https - referrerPolicy: "same-origin" - hostsProxyHeaders: - - "X-Forwarded-Host" - contentTypeNosniff: true - browserXssFilter: true - forceSTSHeader: true - stsIncludeSubdomains: true - stsSeconds: 63072000 - stsPreload: true - - # (NEW) Adds /companion prefix before passing to Companion - invid-companion-prefix: - addPrefix: - prefix: "/companion" - - gzip: - compress: {} - -# Example for TCP routing (commented out) -# tcp: -# routers: -# router-ssh: -# entryPoints: -# - web-secure -# rule: HostSNI(`*`) -# service: service-ssh -# services: -# service-ssh: -# loadBalancer: -# servers: -# - address: 192.168.1.203:2245 diff --git a/stacks/traefik/conf.d/minecraft.yaml b/stacks/traefik/conf.d/minecraft.yaml deleted file mode 100755 index 8e840aa..0000000 --- a/stacks/traefik/conf.d/minecraft.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -http: - routers: - skeyta: - entrypoints: - - https - - http - rule: Host(`skeyta.ghost.tel`) - service: skeyta - tls: - certResolver: http - middlewares: - - securityHeaders - - services: - skeyta: - loadBalancer: - passHostHeader: true - servers: - - url: "http://ramiel.localdomain:8" - - diff --git a/stacks/traefik/conf.d/radio.yml b/stacks/traefik/conf.d/radio.yml deleted file mode 100755 index 6f51b8c..0000000 --- a/stacks/traefik/conf.d/radio.yml +++ /dev/null @@ -1,23 +0,0 @@ -core: - defaultRuleSyntax: v2 - -http: - routers: - radio: - entrypoints: - - https - - http - rule: Host(`radio.uplink.tel`) - service: radio - tls: - certResolver: http - middlewares: - - securityHeaders - - services: - radio: - loadBalancer: - passHostHeader: true - servers: - - url: "http://wunder.localdomain:3000" - diff --git a/stacks/traefik/conf.d/sequela.yml b/stacks/traefik/conf.d/sequela.yml deleted file mode 100644 index f651711..0000000 --- a/stacks/traefik/conf.d/sequela.yml +++ /dev/null @@ -1,6 +0,0 @@ -# sequela.tel routing -# All services now run locally via Docker labels: -# - wiki.sequela.tel / wiki.sequela.uk -> wikijs-public stack -# - matomo.sequela.tel / matomo.sequela.uk -> matomo-public stack -# -# This file is kept for reference but contains no active routes. diff --git a/stacks/traefik/conf.d/spider.yml b/stacks/traefik/conf.d/spider.yml deleted file mode 100644 index cbdce6d..0000000 --- a/stacks/traefik/conf.d/spider.yml +++ /dev/null @@ -1,23 +0,0 @@ -core: - defaultRuleSyntax: v2 - -http: - routers: - spider: - entrypoints: - - https - - http - rule: Host(`spider.ghost.tel`) - service: spider - tls: - certResolver: http - middlewares: - - securityHeaders - - services: - spider: - loadBalancer: - passHostHeader: true - servers: - - url: "http://melchior.localdomain:30870" - diff --git a/stacks/traefik/conf.d/tlc.yml b/stacks/traefik/conf.d/tlc.yml deleted file mode 100755 index f0675f3..0000000 
--- a/stacks/traefik/conf.d/tlc.yml +++ /dev/null @@ -1,23 +0,0 @@ -core: - defaultRuleSyntax: v2 - -http: - routers: - tlc: - entrypoints: - - https - - http - rule: Host(`tlc.ghost.tel`) || Host(`thislittlecorner.net`) - service: tlc - tls: - certResolver: http - middlewares: - - securityHeaders - - services: - tlc: - loadBalancer: - passHostHeader: true - servers: - - url: "http://docker-dev:8080/" - diff --git a/stacks/traefik/conf.d/uplink.yml b/stacks/traefik/conf.d/uplink.yml deleted file mode 100644 index 8cc464c..0000000 --- a/stacks/traefik/conf.d/uplink.yml +++ /dev/null @@ -1,45 +0,0 @@ -# uplink.tel routing -# Most services now run locally via Docker labels -# This file only contains routes that still need external proxying - -http: - routers: - # Invidious on uplink.tel still goes to docker-public - # (local invidious is inv.ghost.tel) - invidious-uplink: - entrypoints: - - https - rule: "Host(`invidious.uplink.tel`)" - service: docker-public - tls: - certResolver: http - - # Radio (wunder - currently offline) - radio: - entrypoints: - - https - - http - rule: "Host(`radio.uplink.tel`)" - service: radio-wunder - tls: - certResolver: http - - services: - # Proxy to docker-public's traefik (for invidious.uplink.tel) - docker-public: - loadBalancer: - passHostHeader: true - serversTransport: insecure-transport - servers: - - url: "https://192.168.5.46:443" - - # Radio points to wunder (offline) - radio-wunder: - loadBalancer: - passHostHeader: true - servers: - - url: "http://100.64.0.8:3000" - - serversTransports: - insecure-transport: - insecureSkipVerify: true diff --git a/stacks/traefik/conf.d/wille.yaml b/stacks/traefik/conf.d/wille.yaml deleted file mode 100755 index 678fd72..0000000 --- a/stacks/traefik/conf.d/wille.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -http: - routers: - photos: - entrypoints: - - https - - http - rule: Host(`photos.ghost.tel`) - service: wille - tls: - certResolver: http - middlewares: - - securityHeaders - - services: - wille: - loadBalancer: - passHostHeader: true - servers: - - url: "http://wille.localdomain:2283" - diff --git a/stacks/traefik/docker-compose.yml b/stacks/traefik/docker-compose.yml index a4b4573..ce26829 100644 --- a/stacks/traefik/docker-compose.yml +++ b/stacks/traefik/docker-compose.yml 
@@ -7,6 +7,127 @@ services:
 - no-new-privileges:true
 labels:
 - "com.ghost.tel/stack-type=prod"
+ - "traefik.enable=true"
+ - "traefik.http.routers.traefik.entrypoints=https"
+ - "traefik.http.routers.traefik.rule=Host(`traefik.ghost.tel`)"
+ - "traefik.http.routers.traefik.service=api@internal"
+ - "traefik.http.routers.traefik.middlewares=auth@docker"
+ - "traefik.http.routers.traefik.tls.certresolver=http"
+ - "traefik.http.routers.immich-redirect.entrypoints=http,https"
+ - "traefik.http.routers.immich-redirect.rule=Host(`immich.ghost.tel`)"
+ - "traefik.http.routers.immich-redirect.service=dummy"
+ - "traefik.http.routers.immich-redirect.middlewares=redirect-immich-to-photos@docker"
+ - "traefik.http.routers.immich-redirect.tls.certresolver=http"
+ - "traefik.http.routers.homeassist.entrypoints=https"
+ - "traefik.http.routers.homeassist.rule=Host(`home.ghost.tel`)"
+ - "traefik.http.routers.homeassist.service=homeassistant"
+ - "traefik.http.routers.homeassist.middlewares=securityHeaders@docker"
+ - "traefik.http.routers.homeassist.tls.certresolver=http"
+ - "traefik.http.routers.dynmap.entrypoints=http,https"
+ - "traefik.http.routers.dynmap.rule=Host(`dynmap.ghost.tel`)"
+ - "traefik.http.routers.dynmap.service=dynmap"
+ - "traefik.http.routers.dynmap.tls.certresolver=http"
+ - "traefik.http.routers.amp.entrypoints=http"
+ - "traefik.http.routers.amp.rule=Host(`amped.ghost.tel`)"
+ - "traefik.http.routers.amp.service=amp"
+ - "traefik.http.routers.amp.tls.certresolver=http"
+ - "traefik.http.routers.picam.entrypoints=http,https"
+ - "traefik.http.routers.picam.rule=Host(`printview.ghost.tel`)"
+ - "traefik.http.routers.picam.service=picam"
+ - "traefik.http.routers.picam.tls.certresolver=http"
+ - "traefik.http.routers.library.entrypoints=http,https"
+ - "traefik.http.routers.library.rule=Host(`library.ghost.tel`)"
+ - "traefik.http.routers.library.service=library"
+ - "traefik.http.routers.library.middlewares=securityHeaders@docker"
+ - "traefik.http.routers.library.tls.certresolver=http"
+ - "traefik.http.routers.meshmon.entrypoints=http,https"
+ - "traefik.http.routers.meshmon.rule=Host(`meshmon.ghost.tel`)"
+ - "traefik.http.routers.meshmon.service=meshmon"
+ - "traefik.http.routers.meshmon.middlewares=securityHeaders@docker"
+ - "traefik.http.routers.meshmon.tls.certresolver=http"
+ - "traefik.http.routers.skeyta.entrypoints=http,https"
+ - "traefik.http.routers.skeyta.rule=Host(`skeyta.ghost.tel`)"
+ - "traefik.http.routers.skeyta.service=skeyta"
+ - "traefik.http.routers.skeyta.middlewares=securityHeaders@docker"
+ - "traefik.http.routers.skeyta.tls.certresolver=http"
+ - "traefik.http.routers.radio.entrypoints=http,https"
+ - "traefik.http.routers.radio.rule=Host(`radio.uplink.tel`)"
+ - "traefik.http.routers.radio.service=radio"
+ - "traefik.http.routers.radio.middlewares=securityHeaders@docker"
+ - "traefik.http.routers.radio.tls.certresolver=http"
+ - "traefik.http.routers.spider.entrypoints=http,https"
+ - "traefik.http.routers.spider.rule=Host(`spider.ghost.tel`)"
+ - "traefik.http.routers.spider.service=spider"
+ - "traefik.http.routers.spider.middlewares=securityHeaders@docker"
+ - "traefik.http.routers.spider.tls.certresolver=http"
+ - "traefik.http.routers.tlc.entrypoints=http,https"
+ - "traefik.http.routers.tlc.rule=Host(`tlc.ghost.tel`) || Host(`thislittlecorner.net`)"
+ - "traefik.http.routers.tlc.service=tlc"
+ - "traefik.http.routers.tlc.middlewares=securityHeaders@docker"
+ - "traefik.http.routers.tlc.tls.certresolver=http"
+ - "traefik.http.routers.photos.entrypoints=http,https"
+ - "traefik.http.routers.photos.rule=Host(`photos.ghost.tel`)"
+ - "traefik.http.routers.photos.service=wille"
+ - "traefik.http.routers.photos.middlewares=securityHeaders@docker"
+ - "traefik.http.routers.photos.tls.certresolver=http"
+ - "traefik.http.routers.invidious-uplink.entrypoints=https"
+ - "traefik.http.routers.invidious-uplink.rule=Host(`invidious.uplink.tel`)"
+ - "traefik.http.routers.invidious-uplink.service=docker-public"
+ - "traefik.http.routers.invidious-uplink.tls.certresolver=http"
+ - "traefik.http.routers.service-map.entrypoints=https"
+ - "traefik.http.routers.service-map.rule=Host(`map.ghost.tel`)"
+ - "traefik.http.routers.service-map.service=service-map"
+ - "traefik.http.routers.service-map.middlewares=dashboard-auth@docker"
+ - "traefik.http.routers.service-map.tls.certresolver=http"
+ - "traefik.http.services.dummy.loadbalancer.server.url=http://127.0.0.1"
+ - "traefik.http.services.homeassistant.loadbalancer.server.url=http://homeassistant.localdomain:8123"
+ - "traefik.http.services.homeassistant.loadbalancer.passHostHeader=true"
+ - "traefik.http.services.dynmap.loadbalancer.server.url=http://ramiel:8123/"
+ - "traefik.http.services.amp.loadbalancer.server.url=http://192.168.1.205:8080"
+ - "traefik.http.services.amp.loadbalancer.passHostHeader=true"
+ - "traefik.http.services.picam.loadbalancer.server.url=http://192.168.1.80:8080"
+ - "traefik.http.services.picam.loadbalancer.passHostHeader=true"
+ - "traefik.http.services.library.loadbalancer.server.url=http://docker-dev:8033/"
+ - "traefik.http.services.library.loadbalancer.passHostHeader=true"
+ - "traefik.http.services.meshmon.loadbalancer.server.url=http://docker-dev:8383/"
+ - "traefik.http.services.meshmon.loadbalancer.passHostHeader=true"
+ - "traefik.http.services.skeyta.loadbalancer.server.url=http://ramiel.localdomain:8"
+ - "traefik.http.services.skeyta.loadbalancer.passHostHeader=true"
+ - "traefik.http.services.radio.loadbalancer.server.url=http://100.64.0.8:3000"
+ - "traefik.http.services.radio.loadbalancer.passHostHeader=true"
+ - "traefik.http.services.spider.loadbalancer.server.url=http://melchior.localdomain:30870"
+ - "traefik.http.services.spider.loadbalancer.passHostHeader=true"
+ - "traefik.http.services.tlc.loadbalancer.server.url=http://docker-dev:8080/"
+ - "traefik.http.services.tlc.loadbalancer.passHostHeader=true"
+ - "traefik.http.services.wille.loadbalancer.server.url=http://wille.localdomain:2283"
+ - "traefik.http.services.wille.loadbalancer.passHostHeader=true"
+ - "traefik.http.services.service-map.loadbalancer.server.url=http://docker-dev:3333/"
+ - "traefik.http.services.service-map.loadbalancer.passHostHeader=true"
+ - "traefik.http.services.docker-public.loadbalancer.server.url=https://192.168.5.46:443"
+ - "traefik.http.services.docker-public.loadbalancer.passHostHeader=true"
+ - "traefik.http.services.docker-public.loadbalancer.serversTransport=insecure-transport"
+ - "traefik.http.serversTransports.insecure-transport.insecureSkipVerify=true"
+ - "traefik.http.middlewares.redirect-immich-to-photos.redirectregex.regex=^https?://immich\\.ghost\\.tel(/.*)?$"
+ - "traefik.http.middlewares.redirect-immich-to-photos.redirectregex.replacement=https://photos.ghost.tel$1"
+ - "traefik.http.middlewares.redirect-immich-to-photos.redirectregex.permanent=true"
+ - "traefik.http.middlewares.dashboard-auth.basicauth.usersfile=/basicAuth"
+ - "traefik.http.middlewares.auth.forwardauth.address=http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
+ - "traefik.http.middlewares.auth.forwardauth.trustForwardHeader=true"
+ - "traefik.http.middlewares.auth.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"
+ - "traefik.http.middlewares.securityHeaders.headers.customResponseHeaders.X-Robots-Tag=none,noarchive,nosnippet,notranslate,noimageindex"
+ - "traefik.http.middlewares.securityHeaders.headers.customResponseHeaders.server="
+ - "traefik.http.middlewares.securityHeaders.headers.customResponseHeaders.X-Forwarded-Proto=https"
+ - "traefik.http.middlewares.securityHeaders.headers.sslProxyHeaders.X-Forwarded-Proto=https"
+ - "traefik.http.middlewares.securityHeaders.headers.referrerPolicy=same-origin"
+ - "traefik.http.middlewares.securityHeaders.headers.hostsProxyHeaders=X-Forwarded-Host"
+ - "traefik.http.middlewares.securityHeaders.headers.contentTypeNosniff=true"
+ - "traefik.http.middlewares.securityHeaders.headers.browserXssFilter=true"
+ - "traefik.http.middlewares.securityHeaders.headers.forceSTSHeader=true"
+ - "traefik.http.middlewares.securityHeaders.headers.stsIncludeSubdomains=true"
+ - "traefik.http.middlewares.securityHeaders.headers.stsSeconds=63072000"
+ - "traefik.http.middlewares.securityHeaders.headers.stsPreload=true"
+ - "traefik.http.middlewares.invid-companion-prefix.addprefix.prefix=/companion"
+ - "traefik.http.middlewares.gzip.compress=true"
 networks:
 - web
 ports:
@@ -19,7 +140,6 @@ services:
 - /var/run/docker.sock:/var/run/docker.sock:ro
 - ./traefik.yml:/traefik.yml:ro
 - ./acme.json:/acme.json
- - ./conf.d/:/conf.d/
 - ./basicAuth:/basicAuth:ro
 - /var/log:/var/log
diff --git a/stacks/traefik/traefik.yml b/stacks/traefik/traefik.yml
index 36f2248..a9674ea 100644
--- a/stacks/traefik/traefik.yml
+++ b/stacks/traefik/traefik.yml
@@ -22,9 +22,6 @@ entryPoints:
 providers:
 providersThrottleDuration: 2s
- file:
- directory: "/conf.d"
- watch: true
 docker:
 watch: true
 endpoint: "unix:///var/run/docker.sock"
@@ -66,4 +63,3 @@ metrics:
 - 0.3
 - 1.2
 - 5.0
-
diff --git a/stacks/zerotier/docker-compose.yml b/stacks/zerotier/docker-compose.yml
index 83088fd..40a8b4b 100644
--- a/stacks/zerotier/docker-compose.yml
+++ b/stacks/zerotier/docker-compose.yml
@@ -18,7 +18,7 @@ services:
 - "traefik.http.routers.zerotier.entrypoints=https"
 - "traefik.http.routers.zerotier.rule=Host(`zerotierui.${DOMAIN}`)"
 - "traefik.http.routers.zerotier.tls.certresolver=http"
- - "traefik.http.routers.zerotier.middlewares=dashboard-auth@file"
+ - "traefik.http.routers.zerotier.middlewares=dashboard-auth@docker"
 - "traefik.http.services.zerotier.loadbalancer.server.port=3000"
 networks:
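Review bot: Two routes from the deleted conf.d files have no label equivalent in this hunk: the `https-redirect` router (catch-all on the `http` entrypoint with the `redirect-to-https` middleware, from middlewares.yaml) and the TCP `ssh-router` (`ssh` entrypoint, `HostSNI(`*`)` to `web:22`, from dynamic.yml), so after this change port-80 requests to every `http,https` router declared here stay plaintext and the SSH passthrough stops, unless traefik.yml already covers them — its hunk in this patch only removes the file provider. The redirect is simplest as entrypoint-level config in traefik.yml (`http.redirections.entryPoint.to: https` under the `http` entrypoint), after which the `http` entries in these entrypoints lists become redundant; the TCP route needs `traefik.tcp.routers.*` / `traefik.tcp.services.*` labels, or a note recording why it was dropped. `traefik.http.routers.amp.tls.certresolver=http` together with `entrypoints=http` only is carried over from the old file: a TLS router on a plaintext entrypoint never sees plain requests, so `amped.ghost.tel` is presumably unreachable — drop the tls label or add `https`. `auth.forwardauth.address` moves from `ubuntu-prod.localdomain:9000` to `authentik-server:9000`, which resolves only if that container shares a Docker network with traefik; the authentik compose hunk in this patch does not show its networks, so confirm before merging.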