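---
# Reverse-proxy stack: Traefik terminates TLS on :443 and fronts every
# container on the external "proxy" network; traefik-forward-auth
# (service "auth") gates those routers behind Google OAuth through the
# "secured" middleware chain attached to the websecure entrypoint.
# $DOMAIN, $EMAIL and $WHITELIST are Compose interpolation variables.
version: "3.3"  # NOTE(review): recent Compose releases ignore this key — confirm against your CLI

services:
  traefik:
    image: traefik  # untagged: pulls whatever "latest" is at deploy time — consider pinning
    container_name: traefik
    # Everything in .env lands in the Traefik container environment; keep the
    # file out of version control if it carries credentials.
    env_file: .env
    command:
      - --api
      - --api.dashboard
      ## providers
      - --providers.docker
      - --providers.docker.network=proxy
      # Only containers labelled traefik.enable=true get routers (opt-in exposure).
      - --providers.docker.exposedbydefault=false
      # Default router rule is <compose service name>.$DOMAIN
      - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAIN`)
      - --providers.file.directory=/data
      ## entrypoints
      # :80 exists only to redirect to HTTPS and to answer the ACME HTTP challenge.
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent
      - --entrypoints.websecure.address=:443
      # Entrypoint-level middleware: every router on :443 goes through the
      # forward-auth chain declared by labels on the "auth" service. This
      # should also wrap the api@internal dashboard router — verify once deployed.
      - --entrypoints.websecure.http.middlewares=secured@docker
      - --entrypoints.websecure.http.tls.certResolver=letsencrypt
      ## certificatesresolvers
      - --certificatesresolvers.letsencrypt.acme.httpchallenge
      - --certificatesresolvers.letsencrypt.acme.email=$EMAIL
      # acme.json holds the ACME account key and the private keys of issued
      # certificates; Traefik expects it to be mode 0600. It lives on the NFS
      # "data" volume declared at the bottom of this file.
      - --certificatesresolvers.letsencrypt.acme.storage=/data/acme.json
      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
    volumes:
      # ":ro" makes the bind mount read-only; it does not restrict what the
      # Docker API reachable through the socket can do. A socket proxy that
      # permits only the read calls Traefik needs would narrow this.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - data:/data
    ports:
      # Quoted so the host:container mapping is always read as a string.
      - "80:80"
      - "443:443"
    restart: unless-stopped
    depends_on:
      - auth
    labels:
      ## traefik WebUI
      - traefik.enable=true
      - traefik.http.routers.api.service=api@internal
      # With no explicit entrypoints the api router attaches to every
      # entrypoint; :80 redirects to HTTPS, so the dashboard is served on
      # websecure and therefore behind secured@docker.
      # - traefik.http.routers.api.entrypoints=websecure

  auth:
    # Pinned by tag only; a digest pin would make the pull immutable.
    image: thomseddon/traefik-forward-auth:2.2.0-arm
    container_name: auth
    command:
      - --log-level=warn
      - --log-format=text
      - --auth-host=auth.$DOMAIN
      - --cookie-domain=$DOMAIN
      # Anything not matched by a rule below requires authentication.
      - --default-action=auth
      - --default-provider=google
      - --url-path=/_oauth
      # Only these Google accounts are accepted after sign-in.
      - --whitelist=$EMAIL,$WHITELIST
      ## CORS/OPTIONS
      # Let CORS preflight requests through unauthenticated. This line was
      # "--rule.allow-cors.rule=allow", which assigned the rule's *rule* field
      # twice and never its action, so the exemption depended on the tool's
      # default; the sibling rules below show the intended action/rule pair.
      - --rule.allow-cors.action=allow
      - --rule.allow-cors.rule=Method(`OPTIONS`)
      ## foundry
      - --rule.foundry.action=allow
      - --rule.foundry.rule=Host(`foundry.$DOMAIN`)
      ## heimdall
      - --rule.personal.action=allow
      - --rule.personal.rule=Host(`heimdall.$DOMAIN`)
    secrets:
      # The forward-auth config (OAuth client credentials) comes from the
      # external Docker secret, not from environment variables or this file.
      - source: auth
        target: /auth
    environment:
      - CONFIG=/auth
    expose:
      - 4181
    restart: unless-stopped
    labels:
      - traefik.enable=true
      - traefik.http.routers.auth.entrypoints=websecure
      - traefik.http.services.auth.loadbalancer.server.port=4181
      ## middlewares
      - traefik.http.routers.auth.middlewares=secured@docker
      # "secured" currently chains only "auth"; the rate-limit middleware
      # declared just below is not referenced anywhere in this file.
      - traefik.http.middlewares.secured.chain.middlewares=auth
      - traefik.http.middlewares.rate-limit.rateLimit.average=100
      - traefik.http.middlewares.rate-limit.rateLimit.burst=50
      # Auth sub-requests stay on the internal proxy network, plain HTTP.
      - traefik.http.middlewares.auth.forwardauth.address=http://auth:4181
      # The X-Forwarded-* values reaching forward-auth are meant to be the
      # ones Traefik sets; if the entrypoints are ever configured to accept
      # client-supplied forwarded headers, this trust extends to the client.
      - traefik.http.middlewares.auth.forwardauth.trustForwardHeader=true
      # Only X-Forwarded-User is copied from the auth response to backends.
      - traefik.http.middlewares.auth.forwardauth.authResponseHeaders=X-Forwarded-User
      # Logout: https://auth.${DOMAIN}/_oauth/logout

  whoami:
    # Request-echo service, handy for checking that the auth chain injects
    # X-Forwarded-User; it is reachable at whoami.$DOMAIN like any other
    # service, so it is behind forward-auth as well.
    image: traefik/whoami
    container_name: whoami
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.entrypoints=websecure

secrets:
  auth:
    external: true
    name: traefik_auth

volumes:
  data:
    driver: local
    driver_opts:
      type: nfs
      # "soft" lets I/O fail after a timeout and "nolock" skips NFS locking;
      # acme.json is rewritten whenever certificates change, so a failed
      # write here can lose certificate state — verify the export is reliable.
      o: addr=bifrost,nolock,soft,rw
      device: ":/mnt/share/docker/traefik"

networks:
  # Created outside this file; Traefik's docker provider is bound to it via
  # --providers.docker.network=proxy.
  default:
    name: proxy
    external: true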