services:
  traefik:
    # NOTE(review): `latest` is a floating tag, so every pull may bring in a
    # different Traefik release. Pin a specific version tag (or image digest)
    # so upgrades of the proxy that publishes 80/443 are deliberate.
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      # Blocks privilege escalation through setuid/setgid binaries in the container.
      - "no-new-privileges:true"
    labels:
      - "com.ghost.tel/stack-type=prod"
      - "traefik.enable=true"

      # --- Routers -----------------------------------------------------------
      # Entrypoint names (`http`, `https`) and the `http` cert resolver are
      # defined in traefik.yml, which is not shown here.
      # NOTE(review): a router that carries a tls.* label answers TLS requests
      # only. Listing `http` next to `https` therefore presumably adds nothing
      # unless a global redirect exists in traefik.yml; confirm.

      # Traefik dashboard/API, reachable only through the forward-auth middleware.
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.rule=Host(`traefik.ghost.tel`)"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=auth@docker"
      - "traefik.http.routers.traefik.tls.certresolver=http"

      # Legacy hostname: redirected to photos.ghost.tel; the `dummy` service
      # exists only because a router requires one.
      - "traefik.http.routers.immich-redirect.entrypoints=http,https"
      - "traefik.http.routers.immich-redirect.rule=Host(`immich.ghost.tel`)"
      - "traefik.http.routers.immich-redirect.service=dummy"
      - "traefik.http.routers.immich-redirect.middlewares=redirect-immich-to-photos@docker"
      - "traefik.http.routers.immich-redirect.tls.certresolver=http"

      - "traefik.http.routers.homeassist.entrypoints=https"
      - "traefik.http.routers.homeassist.rule=Host(`home.ghost.tel`)"
      - "traefik.http.routers.homeassist.service=homeassistant"
      - "traefik.http.routers.homeassist.middlewares=securityHeaders@docker"
      - "traefik.http.routers.homeassist.tls.certresolver=http"

      # NOTE(review): dynmap, amp, picam and invidious-uplink attach no
      # middleware at all (neither securityHeaders nor an auth middleware).
      # Confirm each backend enforces its own authentication before it is
      # published by hostname.
      - "traefik.http.routers.dynmap.entrypoints=http,https"
      - "traefik.http.routers.dynmap.rule=Host(`dynmap.ghost.tel`)"
      - "traefik.http.routers.dynmap.service=dynmap"
      - "traefik.http.routers.dynmap.tls.certresolver=http"

      # NOTE(review): this router is bound to the `http` entrypoint only, yet it
      # sets a TLS cert resolver. If `http` is the plain-text :80 entrypoint the
      # route likely never matches; confirm whether `https` was intended.
      - "traefik.http.routers.amp.entrypoints=http"
      - "traefik.http.routers.amp.rule=Host(`amped.ghost.tel`)"
      - "traefik.http.routers.amp.service=amp"
      - "traefik.http.routers.amp.tls.certresolver=http"

      - "traefik.http.routers.picam.entrypoints=http,https"
      - "traefik.http.routers.picam.rule=Host(`printview.ghost.tel`)"
      - "traefik.http.routers.picam.service=picam"
      - "traefik.http.routers.picam.tls.certresolver=http"

      - "traefik.http.routers.library.entrypoints=http,https"
      - "traefik.http.routers.library.rule=Host(`library.ghost.tel`)"
      - "traefik.http.routers.library.service=library"
      - "traefik.http.routers.library.middlewares=securityHeaders@docker"
      - "traefik.http.routers.library.tls.certresolver=http"

      - "traefik.http.routers.meshmon.entrypoints=http,https"
      - "traefik.http.routers.meshmon.rule=Host(`meshmon.ghost.tel`)"
      - "traefik.http.routers.meshmon.service=meshmon"
      - "traefik.http.routers.meshmon.middlewares=securityHeaders@docker"
      - "traefik.http.routers.meshmon.tls.certresolver=http"

      - "traefik.http.routers.skeyta.entrypoints=http,https"
      - "traefik.http.routers.skeyta.rule=Host(`skeyta.ghost.tel`)"
      - "traefik.http.routers.skeyta.service=skeyta"
      - "traefik.http.routers.skeyta.middlewares=securityHeaders@docker"
      - "traefik.http.routers.skeyta.tls.certresolver=http"

      - "traefik.http.routers.radio.entrypoints=http,https"
      - "traefik.http.routers.radio.rule=Host(`radio.uplink.tel`)"
      - "traefik.http.routers.radio.service=radio-wunder"
      - "traefik.http.routers.radio.middlewares=securityHeaders@docker"
      - "traefik.http.routers.radio.tls.certresolver=http"

      # NOTE(review): the middleware is referenced without the `@docker` suffix
      # used everywhere else, and securityHeaders is not applied. Since this
      # router has a tls.* label, the scheme redirect presumably never fires
      # here; confirm.
      - "traefik.http.routers.sdr.entrypoints=http,https"
      - "traefik.http.routers.sdr.rule=Host(`sdr.uplink.tel`)"
      - "traefik.http.routers.sdr.service=sdr"
      - "traefik.http.routers.sdr.middlewares=redirect-to-https"
      - "traefik.http.routers.sdr.tls.certresolver=http"

      - "traefik.http.routers.spider.entrypoints=http,https"
      - "traefik.http.routers.spider.rule=Host(`spider.ghost.tel`)"
      - "traefik.http.routers.spider.service=spider"
      - "traefik.http.routers.spider.middlewares=securityHeaders@docker"
      - "traefik.http.routers.spider.tls.certresolver=http"

      - "traefik.http.routers.photos.entrypoints=http,https"
      - "traefik.http.routers.photos.rule=Host(`photos.ghost.tel`)"
      - "traefik.http.routers.photos.service=wille"
      - "traefik.http.routers.photos.middlewares=securityHeaders@docker"
      - "traefik.http.routers.photos.tls.certresolver=http"

      - "traefik.http.routers.invidious-uplink.entrypoints=https"
      - "traefik.http.routers.invidious-uplink.rule=Host(`invidious.uplink.tel`)"
      - "traefik.http.routers.invidious-uplink.service=docker-public"
      - "traefik.http.routers.invidious-uplink.tls.certresolver=http"

      # Protected by HTTP basic auth (users file mounted read-only below).
      - "traefik.http.routers.service-map.entrypoints=https"
      - "traefik.http.routers.service-map.rule=Host(`map.ghost.tel`)"
      - "traefik.http.routers.service-map.service=service-map"
      - "traefik.http.routers.service-map.middlewares=dashboard-auth@docker"
      - "traefik.http.routers.service-map.tls.certresolver=http"

      # --- Services (backends) -----------------------------------------------
      # TLS ends at Traefik: every backend except docker-public is reached over
      # plain HTTP on the internal network.
      - "traefik.http.services.dummy.loadbalancer.server.url=http://127.0.0.1"
      - "traefik.http.services.homeassistant.loadbalancer.server.url=http://homeassistant.localdomain:8123"
      - "traefik.http.services.homeassistant.loadbalancer.passHostHeader=true"
      - "traefik.http.services.dynmap.loadbalancer.server.url=http://ramiel:8123/"
      - "traefik.http.services.amp.loadbalancer.server.url=http://192.168.1.205:8080"
      - "traefik.http.services.amp.loadbalancer.passHostHeader=true"
      - "traefik.http.services.picam.loadbalancer.server.url=http://192.168.1.80:8080"
      - "traefik.http.services.picam.loadbalancer.passHostHeader=true"
      - "traefik.http.services.library.loadbalancer.server.url=http://docker-dev:8033/"
      - "traefik.http.services.library.loadbalancer.passHostHeader=true"
      - "traefik.http.services.meshmon.loadbalancer.server.url=http://docker-dev:8383/"
      - "traefik.http.services.meshmon.loadbalancer.passHostHeader=true"
      # NOTE(review): port `8` looks truncated; verify against the backend's
      # real listen port.
      - "traefik.http.services.skeyta.loadbalancer.server.url=http://ramiel.localdomain:8"
      - "traefik.http.services.skeyta.loadbalancer.passHostHeader=true"
      - "traefik.http.services.radio-wunder.loadbalancer.server.url=http://wunder.localdomain:3000"
      - "traefik.http.services.sdr.loadbalancer.server.url=http://wunder.localdomain:8073"
      - "traefik.http.services.sdr.loadbalancer.passHostHeader=true"
      - "traefik.http.services.radio-wunder.loadbalancer.passHostHeader=true"
      - "traefik.http.services.spider.loadbalancer.server.url=http://melchior.localdomain:30870"
      - "traefik.http.services.spider.loadbalancer.passHostHeader=true"
      - "traefik.http.services.wille.loadbalancer.server.url=http://wille.localdomain:2283"
      - "traefik.http.services.wille.loadbalancer.passHostHeader=true"
      - "traefik.http.services.service-map.loadbalancer.server.url=http://docker-dev:3333/"
      - "traefik.http.services.service-map.loadbalancer.passHostHeader=true"
      - "traefik.http.services.docker-public.loadbalancer.server.url=https://192.168.5.46:443"
      - "traefik.http.services.docker-public.loadbalancer.passHostHeader=true"
      - "traefik.http.services.docker-public.loadbalancer.serversTransport=insecure-transport"
      # NOTE(review): insecureSkipVerify turns off verification of the backend
      # certificate, so the HTTPS hop to docker-public is encrypted but not
      # authenticated. Prefer trusting the backend's CA (rootCAs) and setting
      # serverName on the transport over skipping verification.
      - "traefik.http.serversTransports.insecure-transport.insecureSkipVerify=true"

      # --- Middlewares -------------------------------------------------------
      # NOTE(review): `$` is Compose's interpolation character. `$1` and the
      # trailing `$` are not valid variable references, but `$$` is the
      # unambiguous spelling; check the rendered labels with
      # `docker compose config`.
      - "traefik.http.middlewares.redirect-immich-to-photos.redirectregex.regex=^https?://immich\\.ghost\\.tel(/.*)?$"
      - "traefik.http.middlewares.redirect-immich-to-photos.redirectregex.replacement=https://photos.ghost.tel$1"
      - "traefik.http.middlewares.redirect-immich-to-photos.redirectregex.permanent=true"
      - "traefik.http.middlewares.dashboard-auth.basicauth.usersfile=/basicAuth"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # Forward-auth to the authentik outpost over plain HTTP.
      # NOTE(review): trustForwardHeader=true passes X-Forwarded-* headers on to
      # the auth service as received, including any supplied by the client.
      # That is safe only if a trusted hop in front of Traefik rewrites them or
      # the entrypoints restrict trusted IPs in traefik.yml (not shown); confirm.
      - "traefik.http.middlewares.auth.forwardauth.address=http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
      - "traefik.http.middlewares.auth.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.auth.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"
      # securityHeaders is opt-in per router and only takes effect where a
      # router lists it above.
      - "traefik.http.middlewares.securityHeaders.headers.customResponseHeaders.X-Robots-Tag=none,noarchive,nosnippet,notranslate,noimageindex"
      # The empty value strips the `server` response header.
      - "traefik.http.middlewares.securityHeaders.headers.customResponseHeaders.server="
      # NOTE(review): X-Forwarded-Proto is normally a request header; set as a
      # response header it is presumably a no-op. Confirm intent.
      - "traefik.http.middlewares.securityHeaders.headers.customResponseHeaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.securityHeaders.headers.sslProxyHeaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.securityHeaders.headers.referrerPolicy=same-origin"
      - "traefik.http.middlewares.securityHeaders.headers.hostsProxyHeaders=X-Forwarded-Host"
      - "traefik.http.middlewares.securityHeaders.headers.contentTypeNosniff=true"
      - "traefik.http.middlewares.securityHeaders.headers.browserXssFilter=true"
      # HSTS for two years with includeSubdomains and preload: every subdomain
      # of a host served with this middleware must be HTTPS-only.
      - "traefik.http.middlewares.securityHeaders.headers.forceSTSHeader=true"
      - "traefik.http.middlewares.securityHeaders.headers.stsIncludeSubdomains=true"
      - "traefik.http.middlewares.securityHeaders.headers.stsSeconds=63072000"
      - "traefik.http.middlewares.securityHeaders.headers.stsPreload=true"
      # The next two middlewares are not referenced by any router in this file;
      # other containers may still reference them as `<name>@docker`.
      - "traefik.http.middlewares.invid-companion-prefix.addprefix.prefix=/companion"
      - "traefik.http.middlewares.gzip.compress=true"
    networks:
      - web
    ports:
      # Quoted so the host:container mappings are always read as strings.
      - "80:80"
      - "443:443"
      # NOTE(review): 8080 is published on all host interfaces, and no router in
      # this file uses it. If traefik.yml (not shown) serves the API/dashboard
      # there, e.g. with api.insecure, it bypasses the `auth` middleware above.
      # Remove the mapping or bind it to 127.0.0.1 if it is not needed; confirm.
      - "8080:8080"
    environment:
      - TZ=America/New_York
    volumes:
      # NOTE(review): `:ro` makes only the socket file's mount read-only. It
      # does not limit the Docker API calls made over the socket, so a
      # compromised Traefik can still control the Docker daemon. Consider a
      # filtering socket proxy that exposes only the read endpoints needed.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/traefik.yml:ro
      # Holds ACME account and certificate private keys: keep the host file at
      # mode 600 and out of version control.
      - ./acme.json:/acme.json
      - ./basicAuth:/basicAuth:ro
      # NOTE(review): mounts the host's entire /var/log read-write. If this is
      # only for Traefik's own log files (presumably configured in traefik.yml),
      # narrow it to a dedicated subdirectory.
      - /var/log:/var/log

networks:
  # Pre-existing network shared with the proxied containers; it must be
  # created outside this compose file.
  web:
    external: true