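---
# Edge stack: Traefik (TLS termination, ACME) + traefik-forward-auth (Google
# OAuth) + a whoami test service. Every router on the `websecure` entrypoint
# passes through the `secured` middleware chain declared on the oauth service,
# so a service is authenticated unless an oauth `--rule.<name>.action=allow`
# exempts it.
version: "3.3"
services:
  traefik:
    image: traefik
    container_name: traefik
    command:
      - --api=true
      - --api.dashboard=true
      ## providers
      - --providers.docker
      - --providers.docker.network=proxy
      # Only containers that opt in with traefik.enable=true get a router.
      - --providers.docker.exposedbydefault=false
      - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAIN`)
      - --providers.file.filename=/data/traefik.yml
      ## entrypoints
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      - --entrypoints.websecure.address=:443
      # Entrypoint-level auth: applies to every router on websecure, including
      # the dashboard (api@internal) and whoami, which set no middlewares.
      - --entrypoints.websecure.http.middlewares=secured@docker
      - --entrypoints.websecure.http.tls.certResolver=letsencrypt
      ## certificatesresolvers
      - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
      - --certificatesresolvers.letsencrypt.acme.email=$EMAIL
      - --certificatesresolvers.letsencrypt.acme.storage=/data/acme.json
      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
      ## debug
      # - --log.level=DEBUG
      # api.insecure serves the API/dashboard without auth on Traefik's own
      # entrypoint; keep it commented out outside a lab.
      # - --api.insecure=true
      # - --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
    volumes:
      # :ro limits the file mode only; the Docker API behind the socket still
      # gives Traefik read access to all container metadata. A socket proxy
      # would narrow this if needed.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data:/data
    ports:
      # Quoted on purpose: an unquoted 80:80 is a YAML 1.1 sexagesimal
      # integer (4880), not a port mapping.
      - "80:80"
      - "443:443"
    restart: unless-stopped
    depends_on:
      - oauth
    labels:
      ## traefik WebUI
      - traefik.enable=true
      - traefik.http.routers.api.service=api@internal
      # - traefik.http.routers.api.entrypoints=websecure
  oauth:
    image: thomseddon/traefik-forward-auth:2.2.0-arm
    container_name: oauth
    command:
      - --log-level=warn
      - --log-format=text
      - --auth-host=oauth.$DOMAIN
      - --cookie-domain=$DOMAIN
      - --default-action=auth
      - --default-provider=google
      - --url-path=/_oauth
      - --whitelist=$EMAIL,$WHITELIST
      ## CORS/OPTIONS
      # Rules follow the `--rule.<name>.action` + `--rule.<name>.rule` pair
      # used by foundry/heimdall below. The original set `.rule` twice for
      # allow-cors and never set `.action`, so the preflight exemption did not
      # take effect. Note this allows unauthenticated OPTIONS on every host.
      - --rule.allow-cors.action=allow
      - --rule.allow-cors.rule=Method(`OPTIONS`)
      ## foundry
      - --rule.foundry.action=allow
      - --rule.foundry.rule=Host(`foundry.$DOMAIN`)
      ## heimdall
      - --rule.personal.action=allow
      - --rule.personal.rule=Host(`heimdall.$DOMAIN`)
    secrets:
      - source: secrets_oauth
        target: /secrets_oauth
    environment:
      # CONFIG points traefik-forward-auth at the mounted secret file, so the
      # OAuth client credentials stay out of env vars and labels.
      - CONFIG=/secrets_oauth
    expose:
      # expose (not ports): 4181 is reachable only from the proxy network.
      - 4181
    restart: unless-stopped
    labels:
      - traefik.enable=true
      - traefik.http.routers.oauth.entrypoints=websecure
      - traefik.http.services.oauth.loadbalancer.server.port=4181
      ## middlewares
      - traefik.http.routers.oauth.middlewares=secured@docker
      # NOTE(review): rate-limit is declared below but is not part of this
      # chain, so it is never applied; use
      # `secured.chain.middlewares=rate-limit,oauth` if it is meant to be.
      - traefik.http.middlewares.secured.chain.middlewares=oauth
      - traefik.http.middlewares.rate-limit.rateLimit.average=100
      - traefik.http.middlewares.rate-limit.rateLimit.burst=50
      - traefik.http.middlewares.oauth.forwardauth.address=http://oauth:4181
      # trustForwardHeader makes oauth believe X-Forwarded-* from its caller;
      # acceptable only while Traefik is the sole path to :4181 (see expose).
      - traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.oauth.forwardauth.authResponseHeaders=X-Forwarded-User
      # Logout: https://oauth.nasaltmine.com/_oauth/logout
  whoami:
    image: traefik/whoami
    container_name: whoami
    labels:
      - traefik.enable=true
      # No router middlewares needed: websecure applies secured@docker itself.
      - traefik.http.routers.whoami.entrypoints=websecure
secrets:
  secrets_oauth:
    # Local file holding the OAuth client credentials; keep it out of VCS.
    file: secrets/oauth
networks:
  default:
    driver: overlay
    external:
      name: proxy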