authorToby Vincent <tobyv13@gmail.com>2021-05-01 15:39:41 -0500
committerToby Vincent <tobyv13@gmail.com>2021-05-01 16:06:20 -0500
commitb71bb809123c0db0a149b3855b957b19c60dac3a (patch)
tree3877bf6581f0e25e13642eef2086f93c2731c1f0 /docker-compose.yml
initial commit
Signed-off-by: Toby Vincent <tobyv13@gmail.com>
Diffstat (limited to 'docker-compose.yml')
-rwxr-xr-xdocker-compose.yml106
1 files changed, 106 insertions, 0 deletions
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100755
index 0000000..16f7c15
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,106 @@
+version: "3.3"
+
+services:
+ traefik:
+ image: traefik
+ container_name: traefik
+ command:
+ - --api=true
+ - --api.dashboard=true
+ ## providers
+ - --providers.docker
+ - --providers.docker.network=proxy
+ - --providers.docker.exposedbydefault=false
+ - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAIN`)
+ - --providers.file.filename=/data/traefik.yml
+ ## entrypoints
+ - --entrypoints.web.address=:80
+ - --entrypoints.web.http.redirections.entryPoint.to=websecure
+ - --entrypoints.web.http.redirections.entryPoint.scheme=https
+ - --entrypoints.web.http.redirections.entrypoint.permanent=true
+ - --entrypoints.websecure.address=:443
+ - --entrypoints.websecure.http.middlewares=secured@docker
+ - --entrypoints.websecure.http.tls.certResolver=letsencrypt
+ ## certificatesresolvers
+ - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
+ - --certificatesresolvers.letsencrypt.acme.email=$EMAIL
+ - --certificatesresolvers.letsencrypt.acme.storage=/data/acme.json
+ - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
+ ## debug
+ # - --log.level=DEBUG
+ # - --api.insecure=true
+ # - --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ - ./data:/data
+ ports:
+ - 80:80
+ - 443:443
+ restart: unless-stopped
+ depends_on:
+ - oauth
+ labels:
+ ## traefik WebUI
+ - traefik.enable=true
+ - traefik.http.routers.api.service=api@internal
+ # - traefik.http.routers.api.entrypoints=websecure
+
+ oauth:
+ image: thomseddon/traefik-forward-auth:2.2.0-arm
+ container_name: oauth
+ command:
+ - --log-level=warn
+ - --log-format=text
+ - --auth-host=oauth.$DOMAIN
+ - --cookie-domain=$DOMAIN
+ - --default-action=auth
+ - --default-provider=google
+ - --url-path=/_oauth
+ - --whitelist=$EMAIL,$WHITELIST
+ ## CORS/OPTIONS
+ - --rule.allow-cors.rule=allow
+ - --rule.allow-cors.rule=Method(`OPTIONS`)
+ ## foundry
+ - --rule.foundry.action=allow
+ - --rule.foundry.rule=Host(`foundry.$DOMAIN`)
+ ## heimdall
+ - --rule.personal.action=allow
+ - --rule.personal.rule=Host(`heimdall.$DOMAIN`)
+ secrets:
+ - source: secrets_oauth
+ target: /secrets_oauth
+ environment:
+ - CONFIG=/secrets_oauth
+ expose:
+ - 4181
+ restart: unless-stopped
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.oauth.entrypoints=websecure
+ - traefik.http.services.oauth.loadbalancer.server.port=4181
+ ## middlewares
+ - traefik.http.routers.oauth.middlewares=secured@docker
+ - traefik.http.middlewares.secured.chain.middlewares=oauth
+ - traefik.http.middlewares.rate-limit.rateLimit.average=100
+ - traefik.http.middlewares.rate-limit.rateLimit.burst=50
+ - traefik.http.middlewares.oauth.forwardauth.address=http://oauth:4181
+ - traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true
+ - traefik.http.middlewares.oauth.forwardauth.authResponseHeaders=X-Forwarded-User
+ # Logout: https://oauth.nasaltmine.com/_oauth/logout
+
+ whoami:
+ image: traefik/whoami
+ container_name: whoami
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.whoami.entrypoints=websecure
+
+secrets:
+ secrets_oauth:
+ file: secrets/oauth
+
+networks:
+ default:
+ driver: overlay
+ external:
+ name: proxy
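Review bot: The CORS rule in the oauth command list sets `--rule.allow-cors.rule=allow`, which the next line `--rule.allow-cors.rule=Method(`OPTIONS`)` then overwrites, so no action is ever configured for that rule and OPTIONS preflights presumably fall through to the default `auth` action instead of being allowed; the first line should read `- --rule.allow-cors.action=allow`, matching the `.action`/`.rule` pairs used for the foundry and personal rules. The `rate-limit` middleware declared via `traefik.http.middlewares.rate-limit.rateLimit.average/burst` is never referenced — the `secured` chain lists only `oauth` — so it is dead configuration unless the file provider picks it up; either drop it or extend the chain to `traefik.http.middlewares.secured.chain.middlewares=rate-limit,oauth`. Under compose file format 3.3, `external` on a network cannot be combined with other keys such as `driver`, so `driver: overlay` under `networks.default` is likely to be rejected or silently ignored and should be removed. Quote the port mappings (`- "80:80"`, `- "443:443"`) so they stay string-typed across YAML 1.1 parsers.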