From b71bb809123c0db0a149b3855b957b19c60dac3a Mon Sep 17 00:00:00 2001
From: Toby Vincent
Date: Sat, 1 May 2021 15:39:41 -0500
Subject: initial commit

Signed-off-by: Toby Vincent
---
 .env | 3 ++
 docker-compose.yml | 106 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 109 insertions(+)
 create mode 100755 .env
 create mode 100755 docker-compose.yml

diff --git a/.env b/.env
new file mode 100755
index 0000000..b9bbb4e
--- /dev/null
+++ b/.env
@@ -0,0 +1,3 @@
+DOMAIN=tobyvin.com
+EMAIL=tobyv13@gmail.com
+WHITELIST=dvincent@ourcomputershop.com
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100755
index 0000000..16f7c15
--- /dev/null
+++ b/docker-compose.yml
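Review bot: `.env` is created with mode 100755 (`create mode 100755 .env`), but it is a key=value file read by docker-compose rather than a script, so the executable bit should be dropped with `chmod 644 .env` (the same applies to `docker-compose.yml` in this commit). Committing it is reasonable as long as it only ever holds non-secret values like these — DOMAIN, EMAIL and WHITELIST are identities, not credentials — but since `EMAIL` and `WHITELIST` together appear to form the complete OAuth allow-list consumed by the compose file, a one-line header such as `# identities allowed through traefik-forward-auth; editing this changes who can log in` would make the access-control consequence of edits explicit. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing so a later `>>`-appended variable is not fused onto the WHITELIST line.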
@@ -0,0 +1,106 @@
+version: "3.3"
+
+services:
+ traefik:
+ image: traefik
+ container_name: traefik
+ command:
+ - --api=true
+ - --api.dashboard=true
+ ## providers
+ - --providers.docker
+ - --providers.docker.network=proxy
+ - --providers.docker.exposedbydefault=false
+ - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAIN`)
+ - --providers.file.filename=/data/traefik.yml
+ ## entrypoints
+ - --entrypoints.web.address=:80
+ - --entrypoints.web.http.redirections.entryPoint.to=websecure
+ - --entrypoints.web.http.redirections.entryPoint.scheme=https
+ - --entrypoints.web.http.redirections.entrypoint.permanent=true
+ - --entrypoints.websecure.address=:443
+ - --entrypoints.websecure.http.middlewares=secured@docker
+ - --entrypoints.websecure.http.tls.certResolver=letsencrypt
+ ## certificatesresolvers
+ - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
+ - --certificatesresolvers.letsencrypt.acme.email=$EMAIL
+ - --certificatesresolvers.letsencrypt.acme.storage=/data/acme.json
+ - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
+ ## debug
+ # - --log.level=DEBUG
+ # - --api.insecure=true
+ # - --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ - ./data:/data
+ ports:
+ - 80:80
+ - 443:443
+ restart: unless-stopped
+ depends_on:
+ - oauth
+ labels:
+ ## traefik WebUI
+ - traefik.enable=true
+ - traefik.http.routers.api.service=api@internal
+ # - traefik.http.routers.api.entrypoints=websecure
+
+ oauth:
+ image: thomseddon/traefik-forward-auth:2.2.0-arm
+ container_name: oauth
+ command:
+ - --log-level=warn
+ - --log-format=text
+ - --auth-host=oauth.$DOMAIN
+ - --cookie-domain=$DOMAIN
+ - --default-action=auth
+ - --default-provider=google
+ - --url-path=/_oauth
+ - --whitelist=$EMAIL,$WHITELIST
+ ## CORS/OPTIONS
+ - --rule.allow-cors.rule=allow
+ - --rule.allow-cors.rule=Method(`OPTIONS`)
+ ## foundry
+ - --rule.foundry.action=allow
+ - --rule.foundry.rule=Host(`foundry.$DOMAIN`)
+ ## heimdall
+ - --rule.personal.action=allow
+ - --rule.personal.rule=Host(`heimdall.$DOMAIN`)
+ secrets:
+ - source: secrets_oauth
+ target: /secrets_oauth
+ environment:
+ - CONFIG=/secrets_oauth
+ expose:
+ - 4181
+ restart: unless-stopped
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.oauth.entrypoints=websecure
+ - traefik.http.services.oauth.loadbalancer.server.port=4181
+ ## middlewares
+ - traefik.http.routers.oauth.middlewares=secured@docker
+ - traefik.http.middlewares.secured.chain.middlewares=oauth
+ - traefik.http.middlewares.rate-limit.rateLimit.average=100
+ - traefik.http.middlewares.rate-limit.rateLimit.burst=50
+ - traefik.http.middlewares.oauth.forwardauth.address=http://oauth:4181
+ - traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true
+ - traefik.http.middlewares.oauth.forwardauth.authResponseHeaders=X-Forwarded-User
+ # Logout: https://oauth.nasaltmine.com/_oauth/logout
+
+ whoami:
+ image: traefik/whoami
+ container_name: whoami
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.whoami.entrypoints=websecure
+
+secrets:
+ secrets_oauth:
+ file: secrets/oauth
+
+networks:
+ default:
+ driver: overlay
+ external:
+ name: proxy
-- 
cgit v1.2.3-70-g09d2
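Review bot: `--rule.allow-cors.rule=allow` in the oauth command list looks like a typo for `--rule.allow-cors.action=allow`; as written the `rule` key of that rule is assigned twice, so depending on how traefik-forward-auth resolves the duplicate the allow-cors rule either has no action and falls back to `--default-action=auth` (preflight OPTIONS requests are still challenged, making the rule a no-op) or the literal `allow` is rejected as an invalid rule expression at startup — the fix is to change the first line to `- --rule.allow-cors.action=allow`. The `rate-limit` middleware declared in the oauth labels is never attached anywhere (`secured` chains only `oauth`), so it is dead configuration unless added, e.g. `traefik.http.middlewares.secured.chain.middlewares=rate-limit,oauth`; note also that `burst=50` below `average=100` is unusual, since burst is the bucket size. Separately, the `:ro` on the `/var/run/docker.sock` bind mount only affects the mount's filesystem flags: Traefik can still connect to the socket and issue any Docker API call, which is root-equivalent access to the host, so a read-only socket proxy exposing just the endpoints the Docker provider needs is the usual mitigation. Finally `image: traefik` and `image: traefik/whoami` float on the latest tag while the forward-auth image is pinned; pinning all three (ideally by digest) keeps the edge proxy reproducible. The stale `# Logout: https://oauth.nasaltmine.com/...` comment references a different domain than `$DOMAIN` and should be corrected to `oauth.$DOMAIN`.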