Switch from traefik to caddy
parent
2a9517822d
commit
219d5c7633
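--- /dev/null
+++ b/docker/caddy/Caddyfile
@@ -0,0 +1,74 @@
+korhonen.cc, *.korhonen.cc {
+tls {$CLOUDFLARE_EMAIL} {
+dns cloudflare {$CLOUDFLARE_API_TOKEN}
+resolvers 1.1.1.1
+}
+
+@homepage host korhonen.cc
+handle @homepage {
+root * /var/www/korhonen.cc
+file_server
+}
+
+@wkd host openpgpkey.korhonen.cc
+handle @wkd {
+root * /var/www/wkd
+file_server browse
+}
+
+@index host index.korhonen.cc
+handle @index {
+root * /docker/index.korhonen.cc
+file_server browse
+}
+
+@home-assistant host home.korhonen.cc
+handle @home-assistant {
+reverse_proxy home-assistant:8123
+}
+
+@authentik host sso.korhonen.cc
+handle @authentik {
+reverse_proxy authentik:9000
+}
+
+@forgejo host git.korhonen.cc
+handle @forgejo {
+reverse_proxy forgejo:3000
+}
+
+@searx host search.korhonen.cc
+handle @searx {
+reverse_proxy searx:8080
+}
+
+@freshrss host rss.korhonen.cc
+handle @freshrss {
+reverse_proxy freshrss
+}
+
+@jellyfin host jellyfin.korhonen.cc
+handle @jellyfin {
+reverse_proxy jellyfin:8096
+}
+
+@misskey host social.korhonen.cc
+handle @misskey {
+reverse_proxy misskey:3000
+}
+
+@pihole host pihole.korhonen.cc
+handle @pihole {
+reverse_proxy pihole
+}
+
+@umami host umami.korhonen.cc
+handle @umami {
+reverse_proxy umami:3000
+}
+
+# Fallback for unhandled domains
+handle {
+redir https://korhonen.cc/404.html
+}
+}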
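Review bot: The `@index` handler's `root * /docker/index.korhonen.cc` does not match what the new compose file mounts into the container (`/var/www/index.korhonen.cc:/var/www/index.korhonen.cc`, with nothing mounted under `/docker/index.korhonen.cc`) nor the `/var/www/index.korhonen.cc` path the pacman.conf hunks appear to move to, so index.korhonen.cc would serve a directory that does not exist inside Caddy; it should read `root * /var/www/index.korhonen.cc`. The Traefik `secHeaders` middleware removed in this commit (HSTS with includeSubDomains/preload, nosniff, frame options, referrer policy) has no counterpart here, so those response headers silently disappear from every host behind the proxy; a site-level `header` block as sketched below restores them (Caddy's automatic HTTP→HTTPS redirect already covers the old `sslRedirect`). `file_server browse` on the `@wkd` handler also publishes a listing of `/var/www/wkd`, and WKD clients only fetch fixed `.well-known/openpgpkey/...` paths, so `browse` can likely be dropped there unless the listing is intentional.
```caddyfile
korhonen.cc, *.korhonen.cc {
    # … unchanged: tls block …

    # Response headers the removed Traefik secHeaders middleware used to add
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "strict-origin-when-cross-origin"
    }

    # … unchanged: matchers, handle blocks and fallback …
```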
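--- /dev/null
+++ b/docker/caddy/docker-compose.toml
@@ -0,0 +1,18 @@
+[services.caddy]
+image = "slothcroissant/caddy-cloudflaredns"
+container_name = "caddy"
+restart = "unless-stopped"
+ports = ["80:80", "443:443/tcp", "443:443/udp"]
+networks = ["proxy"]
+volumes = [
+"/docker/caddy/data:/data",
+"/docker/caddy/config:/config",
+"/var/www/korhonen.cc:/var/www/korhonen.cc",
+"/var/www/wkd:/var/www/wkd",
+"/var/www/index.korhonen.cc:/var/www/index.korhonen.cc",
+"./Caddyfile:/etc/caddy/Caddyfile",
+]
+environment = ["CLOUDFLARE_EMAIL", "CLOUDFLARE_API_TOKEN", "ACME_AGREE=true"]
+
+[networks.proxy]
+external = true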
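Review bot: The caddy service drops the `security_opt = ["no-new-privileges:true"]` hardening that the traefik service it replaces carried, and the fail2ban sidecar that watched the proxy's access log disappears with that file while neither this compose nor the Caddyfile sets up any access logging in its place; `security_opt = ["no-new-privileges:true"]` is a one-line addition here, and whether log-based banning is meant to return deserves an explicit decision rather than a silent drop. The Caddyfile mount `"./Caddyfile:/etc/caddy/Caddyfile"` could be `"./Caddyfile:/etc/caddy/Caddyfile:ro"`, matching the `:ro` config mounts the removed traefik service used, since Caddy only reads it. `CLOUDFLARE_EMAIL` and `CLOUDFLARE_API_TOKEN` are passed through from the host environment, so if either is unset the `tls` block presumably receives an empty value; a token scoped to DNS edits on this one zone and a startup check that both are present would be prudent.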
|
@ -4,20 +4,8 @@ container_name = "forgejo"
|
|||
environment = ["TZ=Europe/Helsinki", "USER_UID=1000", "USER_GID=1000"]
|
||||
restart = "unless-stopped"
|
||||
networks = ["postgres", "proxy"]
|
||||
ports = ["3000:3000", "22:22"]
|
||||
ports = ["22:22"]
|
||||
volumes = ["/docker/forgejo:/data", "/etc/localtime:/etc/localtime:ro"]
|
||||
labels = [
|
||||
"traefik.enable=true",
|
||||
"traefik.docker.network=proxy",
|
||||
"traefik.http.routers.forgejo-redirect.entrypoints=http",
|
||||
"traefik.http.routers.forgejo-redirect.rule=Host(`git.korhonen.cc`)",
|
||||
"traefik.http.routers.forgejo-redirect.middlewares=http2https@file",
|
||||
"traefik.http.routers.forgejo.entrypoints=https",
|
||||
"traefik.http.routers.forgejo.middlewares=secHeaders@file,compress@file",
|
||||
"traefik.http.routers.forgejo.rule=Host(`git.korhonen.cc`)",
|
||||
"traefik.http.routers.forgejo.service=forgejo",
|
||||
"traefik.http.services.forgejo.loadbalancer.server.port=3000",
|
||||
]
|
||||
|
||||
[networks.postgres]
|
||||
external = true
|
||||
|
|
|
@ -1,26 +0,0 @@
|
|||
[services]
|
||||
|
||||
[services.nginx]
|
||||
image = "fraoustin/fancyindex"
|
||||
container_name = "index.korhonen.cc"
|
||||
environment = ["DISABLE_AUTH=true", "CONTAINER_TIMEZONE=\"Europe/Helsinki\""]
|
||||
volumes = ["/docker/index.korhonen.cc:/share"]
|
||||
networks = ["proxy"]
|
||||
restart = "unless-stopped"
|
||||
labels = [
|
||||
"traefik.enable=true",
|
||||
"traefik.docker.network=proxy",
|
||||
"traefik.http.routers.index-redirect.entrypoints=http",
|
||||
"traefik.http.routers.index-redirect.rule=Host(`index.korhonen.cc`)",
|
||||
"traefik.http.routers.index-redirect.middlewares=http2https@file",
|
||||
"traefik.http.routers.index.entrypoints=https",
|
||||
"traefik.http.routers.index.middlewares=secHeaders@file,compress@file",
|
||||
"traefik.http.routers.index.rule=Host(`index.korhonen.cc`)",
|
||||
"traefik.http.routers.index.service=index",
|
||||
"traefik.http.services.index.loadbalancer.server.port=80",
|
||||
]
|
||||
|
||||
[networks]
|
||||
|
||||
[networks.proxy]
|
||||
external = true
|
|
@ -1,10 +1,7 @@
|
|||
[services]
|
||||
|
||||
[services.jellyfin]
|
||||
image = "jellyfin/jellyfin"
|
||||
container_name = "jellyfin"
|
||||
environment = ["TZ=Europe/Helsinki"]
|
||||
ports = ["8096:8096"]
|
||||
networks = ["proxy", "authentik"]
|
||||
restart = "unless-stopped"
|
||||
volumes = [
|
||||
|
@ -18,20 +15,6 @@ devices = [
|
|||
"/dev/dri/renderD128:/dev/dri/renderD128",
|
||||
"/dev/dri/card0:/dev/dri/card0",
|
||||
]
|
||||
labels = [
|
||||
"traefik.enable=true",
|
||||
"traefik.docker.network=proxy",
|
||||
"traefik.http.routers.jellyfin-redirect.entrypoints=http",
|
||||
"traefik.http.routers.jellyfin-redirect.rule=Host(`jellyfin.korhonen.cc`)",
|
||||
"traefik.http.routers.jellyfin-redirect.middlewares=http2https@file",
|
||||
"traefik.http.routers.jellyfin.entrypoints=https",
|
||||
"traefik.http.routers.jellyfin.middlewares=secHeaders@file,compress@file",
|
||||
"traefik.http.routers.jellyfin.rule=Host(`jellyfin.korhonen.cc`)",
|
||||
"traefik.http.routers.jellyfin.service=jellyfin",
|
||||
"traefik.http.services.jellyfin.loadbalancer.server.port=8096",
|
||||
]
|
||||
|
||||
[networks]
|
||||
|
||||
[networks.proxy]
|
||||
external = true
|
||||
|
|
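Review bot: `ports = ["8096:8096"]` keeps Jellyfin's HTTP port published on the host even though traffic is now meant to reach it through Caddy on the `proxy` network (`reverse_proxy jellyfin:8096` in the new Caddyfile); the forgejo hunk in this same commit drops its `3000:3000` publication for exactly that reason, so this looks like an oversight unless LAN clients need the direct, plaintext port. If it is not needed the line can go, leaving the proxy network as the only exposure path; the tvheadend hunk later keeps `ports = ["9981:9981", "9982:9982"]` in the same way, though 9982 is presumably the non-HTTP HTSP port and may need to stay. The enclosing `[services.jellyfin]` table continues outside the shown hunks.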
|
@ -9,18 +9,6 @@ volumes = [
|
|||
"/docker/misskey/files:/misskey/files",
|
||||
"/docker/misskey/config:/misskey/.config:ro",
|
||||
]
|
||||
labels = [
|
||||
"traefik.enable=true",
|
||||
"traefik.docker.network=proxy",
|
||||
"traefik.http.routers.misskey-redirect.entrypoints=http",
|
||||
"traefik.http.routers.misskey-redirect.rule=Host(`social.korhonen.cc`)",
|
||||
"traefik.http.routers.misskey-redirect.middlewares=http2https@file",
|
||||
"traefik.http.routers.misskey.entrypoints=https",
|
||||
"traefik.http.routers.misskey.middlewares=secHeaders@file,compress@file",
|
||||
"traefik.http.routers.misskey.rule=Host(`social.korhonen.cc`)",
|
||||
"traefik.http.routers.misskey.service=misskey",
|
||||
"traefik.http.services.misskey.loadbalancer.server.port=3000",
|
||||
]
|
||||
|
||||
[services.elasticsearch]
|
||||
image = "docker.elastic.co/elasticsearch/elasticsearch:7.17.8"
|
||||
|
|
|
@ -12,18 +12,6 @@ volumes = [
|
|||
dns = ["127.0.0.1", "1.1.1.1"]
|
||||
cap_add = ["NET_ADMIN"]
|
||||
restart = "unless-stopped"
|
||||
labels = [
|
||||
"traefik.enable=true",
|
||||
"traefik.docker.network=proxy",
|
||||
"traefik.http.routers.pihole-redirect.entrypoints=http",
|
||||
"traefik.http.routers.pihole-redirect.rule=Host(`pihole.korhonen.cc`)",
|
||||
"traefik.http.routers.pihole-redirect.middlewares=http2https@file",
|
||||
"traefik.http.routers.pihole.entrypoints=https",
|
||||
"traefik.http.routers.pihole.middlewares=secHeaders@file,compress@file",
|
||||
"traefik.http.routers.pihole.rule=Host(`pihole.korhonen.cc`)",
|
||||
"traefik.http.routers.pihole.service=pihole",
|
||||
"traefik.http.services.pihole.loadbalancer.server.port=80",
|
||||
]
|
||||
|
||||
[services.pihole.environment]
|
||||
TZ = "Europe/Helsinki"
|
||||
|
|
|
@ -1,53 +0,0 @@
|
|||
[services.traefik]
|
||||
image = "traefik"
|
||||
container_name = "traefik"
|
||||
restart = "unless-stopped"
|
||||
ports = ["80:80", "443:443/tcp", "443:443/udp"]
|
||||
environment = [
|
||||
"TZ=Europe/Helsinki",
|
||||
"ADMIN_EMAIL",
|
||||
"CF_API_EMAIL=${ADMIN_EMAIL}",
|
||||
"CF_API_KEY",
|
||||
"CF_ZONE_API_TOKEN",
|
||||
"CF_DNS_API_TOKEN",
|
||||
]
|
||||
security_opt = ["no-new-privileges:true"]
|
||||
networks = ["proxy"]
|
||||
volumes = [
|
||||
"/etc/localtime:/etc/localtime:ro",
|
||||
"/var/run/docker.sock:/var/run/docker.sock:ro",
|
||||
"./traefik.toml:/traefik.toml:ro",
|
||||
"./dynamic.toml:/dynamic.toml:ro",
|
||||
"/docker/traefik/traefik/acme.json:/acme.json",
|
||||
"/docker/traefik/traefik/log:/var/log",
|
||||
]
|
||||
labels = [
|
||||
"traefik.enable=true",
|
||||
"traefik.docker.network=proxy",
|
||||
"traefik.http.routers.redirect.entrypoints=http",
|
||||
"traefik.http.routers.redirect.rule=Host(`traefik.korhonen.cc`)",
|
||||
"traefik.http.routers.redirect.middlewares=http2https@file",
|
||||
"traefik.http.routers.dashboard.entrypoints=https",
|
||||
"traefik.http.routers.dashboard.middlewares=secHeaders@file,compress@file,authentik@file",
|
||||
"traefik.http.routers.dashboard.rule=Host(`traefik.korhonen.cc`)",
|
||||
"traefik.http.routers.dashboard.service=api@internal",
|
||||
]
|
||||
|
||||
[services.fail2ban]
|
||||
image = "crazymax/fail2ban"
|
||||
container_name = "fail2ban"
|
||||
restart = "unless-stopped"
|
||||
network_mode = "host"
|
||||
cap_add = ["NET_ADMIN", "NET_RAW"]
|
||||
environment = ["TZ=Europe/Helsinki"]
|
||||
volumes = [
|
||||
"/etc/localtime:/etc/localtime:ro",
|
||||
"/docker/traefik/traefik/log:/var/log/traefik:ro",
|
||||
"/docker/traefik/fail2ban:/data",
|
||||
"/docker/forgejo/gitea/log/gitea.log:/var/log/forgejo:ro",
|
||||
"/docker/homeautomation/home-assistant/home-assistant.log:/var/log/hass",
|
||||
"/mnt/Storage/Nextcloud/nextcloud.log:/var/log/nextcloud:ro",
|
||||
]
|
||||
|
||||
[networks.proxy]
|
||||
external = true
|
|
@ -1,86 +0,0 @@
|
|||
[http.middlewares.authentik.forwardAuth]
|
||||
address = "http://authentik:9000/outpost.goauthentik.io/auth/traefik"
|
||||
trustForwardHeader = true
|
||||
authResponseHeaders = [
|
||||
"X-authentik-username",
|
||||
"X-authentik-groups",
|
||||
"X-authentik-email",
|
||||
"X-authentik-name",
|
||||
"X-authentik-uid",
|
||||
"X-authentik-jwt",
|
||||
"X-authentik-meta-jwks",
|
||||
"X-authentik-meta-outpost",
|
||||
"X-authentik-meta-provider",
|
||||
"X-authentik-meta-app",
|
||||
"X-authentik-meta-version",
|
||||
]
|
||||
|
||||
[http.middlewares.compress.compress]
|
||||
|
||||
[http.middlewares.http2https.redirectScheme]
|
||||
scheme = "https"
|
||||
permanent = true
|
||||
|
||||
[http.middlewares.secHeaders.headers]
|
||||
browserXssFilter = true
|
||||
contentTypeNosniff = true
|
||||
frameDeny = true
|
||||
sslRedirect = true
|
||||
stsIncludeSubdomains = true
|
||||
stsPreload = true
|
||||
stsSeconds = 31_536_000
|
||||
customFrameOptionsValue = "SAMEORIGIN"
|
||||
referrerPolicy = "strict-origin-when-cross-origin"
|
||||
accesscontrolAllowMethods = ["GET", "OPTIONS", "POST"]
|
||||
accesscontrolAllowOriginList = ["https://korhonen.cc"]
|
||||
accessControlAllowHeaders = [
|
||||
"Accept",
|
||||
"Accept-Encoding",
|
||||
"Accept-Language",
|
||||
"Access-Control-Request-Headers",
|
||||
"Access-Control-Request-Method",
|
||||
"Connection",
|
||||
"Content-Type",
|
||||
"DNT",
|
||||
"Host",
|
||||
"Origin",
|
||||
"Referer",
|
||||
"Sec-Fetch-Dest",
|
||||
"Sec-Fetch-Mode",
|
||||
"Sec-Fetch-Site",
|
||||
"User-Agent",
|
||||
]
|
||||
accesscontrolMaxAge = 100
|
||||
addVaryHeader = true
|
||||
|
||||
[http.middlewares.nextcloud-redirect-dav.redirectRegex]
|
||||
permanent = true
|
||||
regex = "https://cloud.korhonen.cc/.well-known/(card|cal)dav"
|
||||
replacement = "https://cloud.korhonen.cc/remote.php/dav/"
|
||||
|
||||
[http.middlewares.nextcloud-redirect-extra.redirectRegex]
|
||||
permanent = true
|
||||
regex = "https://cloud.korhonen.cc/.well-known/(.*)"
|
||||
replacement = "https://cloud.korhonen.cc/index.php/.well-known/${1}"
|
||||
|
||||
[http.middlewares.nextcloud-security-headers.headers.customResponseHeaders]
|
||||
X-Robots-Tag = "noindex,nofollow"
|
||||
|
||||
[http.middlewares.www2non-www.redirectregex]
|
||||
permanent = true
|
||||
regex = "^https?://www\\.(.+)"
|
||||
replacement = "https://${1}"
|
||||
|
||||
[http.serversTransports.ignorecert]
|
||||
insecureSkipVerify = true
|
||||
|
||||
[tls.options.default]
|
||||
minVersion = "VersionTLS12"
|
||||
cipherSuites = [
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
|
||||
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
|
||||
]
|
||||
|
||||
[tls.options.mintls13]
|
||||
minVersion = "VersionTLS13"
|
|
@ -1,41 +0,0 @@
|
|||
[experimental]
|
||||
http3 = true
|
||||
|
||||
[api]
|
||||
dashboard = true
|
||||
|
||||
[entryPoints.http]
|
||||
address = ":80"
|
||||
|
||||
[entryPoints.https]
|
||||
address = ":443"
|
||||
|
||||
[entryPoints.https.http3]
|
||||
|
||||
[entryPoints.https.http.tls]
|
||||
options = "default"
|
||||
certResolver = "letsEncrypt"
|
||||
|
||||
[[entryPoints.https.http.tls.domains]]
|
||||
main = "korhonen.cc"
|
||||
sans = ["*.korhonen.cc"]
|
||||
|
||||
[certificatesResolvers.letsEncrypt.acme]
|
||||
email = "admin@korhonen.cc"
|
||||
storage = "acme.json"
|
||||
|
||||
[certificatesResolvers.letsEncrypt.acme.dnsChallenge]
|
||||
provider = "cloudflare"
|
||||
|
||||
[accessLog]
|
||||
filePath = "/var/log/access.log"
|
||||
|
||||
[accessLog.filters]
|
||||
statusCodes = ["400-499"]
|
||||
|
||||
[providers.docker]
|
||||
endpoint = "unix:///var/run/docker.sock"
|
||||
exposedByDefault = false
|
||||
|
||||
[providers.file]
|
||||
filename = "/dynamic.toml"
|
|
@ -1,5 +1,3 @@
|
|||
[services]
|
||||
|
||||
[services.tvheadend]
|
||||
image = "linuxserver/tvheadend"
|
||||
container_name = "tvheadend"
|
||||
|
@ -14,20 +12,6 @@ ports = ["9981:9981", "9982:9982"]
|
|||
devices = ["/dev/dvb:/dev/dvb"]
|
||||
restart = "unless-stopped"
|
||||
networks = ["proxy"]
|
||||
labels = [
|
||||
"traefik.enable=true",
|
||||
"traefik.docker.network=proxy",
|
||||
"traefik.http.routers.tvheadend-redirect.entrypoints=http",
|
||||
"traefik.http.routers.tvheadend-redirect.rule=Host(`tvheadend.korhonen.cc`)",
|
||||
"traefik.http.routers.tvheadend-redirect.middlewares=http2https@file",
|
||||
"traefik.http.routers.tvheadend.entrypoints=https",
|
||||
"traefik.http.routers.tvheadend.middlewares=secHeaders@file,compress@file",
|
||||
"traefik.http.routers.tvheadend.rule=Host(`tvheadend.korhonen.cc`)",
|
||||
"traefik.http.routers.tvheadend.service=tvheadend",
|
||||
"traefik.http.services.tvheadend.loadbalancer.server.port=9981",
|
||||
]
|
||||
|
||||
[networks]
|
||||
|
||||
[networks.proxy]
|
||||
external = true
|
||||
|
|
|
@ -4,18 +4,6 @@ container_name = "umami"
|
|||
restart = "unless-stopped"
|
||||
networks = ["postgres", "proxy"]
|
||||
env_file = ".env"
|
||||
labels = [
|
||||
"traefik.enable=true",
|
||||
"traefik.docker.network=proxy",
|
||||
"traefik.http.routers.umami-redirect.entrypoints=http",
|
||||
"traefik.http.routers.umami-redirect.rule=Host(`umami.korhonen.cc`)",
|
||||
"traefik.http.routers.umami-redirect.middlewares=http2https@file",
|
||||
"traefik.http.routers.umami.entrypoints=https",
|
||||
"traefik.http.routers.umami.middlewares=secHeaders@file,compress@file",
|
||||
"traefik.http.routers.umami.rule=Host(`umami.korhonen.cc`)",
|
||||
"traefik.http.routers.umami.service=umami",
|
||||
"traefik.http.services.umami.loadbalancer.server.port=3000",
|
||||
]
|
||||
|
||||
[services.umami.environment]
|
||||
DATABASE_URL = "postgresql://umami:${POSTGRES_PASS}@postgres:5432/umami"
|
||||
|
|
|
@ -203,6 +203,9 @@ local plugins = {
|
|||
"norcalli/nvim-colorizer.lua",
|
||||
config = true,
|
||||
},
|
||||
|
||||
-- Caddyfile syntax support
|
||||
"isobit/vim-caddyfile",
|
||||
}
|
||||
|
||||
local lazy_opts = {}
|
||||
|
|
|
@ -10,7 +10,7 @@ LocalFileSigLevel = Optional
|
|||
CacheDir = /var/cache/pacman/pkg
|
||||
{%@@ if profile == "Moria" @@%}
|
||||
CleanMethod=KeepCurrent
|
||||
CacheDir=/docker/index.korhonen.cc/repo/arch_linux/korhonen_aur/x86_64
|
||||
CacheDir=/var/www/index.korhonen.cc/repo/arch_linux/korhonen_aur/x86_64
|
||||
{%@@ endif @@%}
|
||||
|
||||
[cachyos-v3]
|
||||
|
@ -43,7 +43,7 @@ Include = /etc/pacman.d/mirrorlist
|
|||
|
||||
[korhonen_aur]
|
||||
{%@@ if profile == "Moria" @@%}
|
||||
Server = file:///docker/index.korhonen.cc/repo/arch_linux/$repo/$arch
|
||||
Server = file:///var/www/index.korhonen.cc/repo/arch_linux/$repo/$arch
|
||||
{%@@ else @@%}
|
||||
Include = /etc/pacman.d/pacserve
|
||||
Server = https://index.korhonen.cc/repo/arch_linux/$repo/$arch
|
||||
|
|