From ae2ea3f9a6d4256d6e78a40d41c356778b6bad1c Mon Sep 17 00:00:00 2001
From: Marko Korhonen
Date: Mon, 3 Apr 2023 23:20:36 +0300
Subject: [PATCH] Switch from traefik to caddy
---
 docker/caddy/Caddyfile | 74 +++++++++++++++++
 docker/caddy/docker-compose.toml | 18 ++++
 docker/forgejo/docker-compose.toml | 14 +---
 docker/index.korhonen.cc/docker-compose.toml | 26 ------
 docker/jellyfin/docker-compose.toml | 17 ----
 docker/misskey/docker-compose.toml | 12 ---
 docker/pihole/docker-compose.toml | 12 ---
 docker/traefik/docker-compose.toml | 53 ------------
 docker/traefik/dynamic.toml | 86 -------------------
 docker/traefik/traefik.toml | 41 ----------
 docker/tvheadend/docker-compose.toml | 16 ----
 docker/umami/docker-compose.toml | 12 ---
 home/.config/nvim/lua/plugins/init.lua | 3 +
 root/etc/pacman.conf | 4 +-
 14 files changed, 98 insertions(+), 290 deletions(-)
 create mode 100644 docker/caddy/Caddyfile
 create mode 100644 docker/caddy/docker-compose.toml
 delete mode 100644 docker/index.korhonen.cc/docker-compose.toml
 delete mode 100644 docker/traefik/docker-compose.toml
 delete mode 100644 docker/traefik/dynamic.toml
 delete mode 100644 docker/traefik/traefik.toml
diff --git a/docker/caddy/Caddyfile b/docker/caddy/Caddyfile
new file mode 100644
index 00000000..1ac51545
--- /dev/null
+++ b/docker/caddy/Caddyfile
@@ -0,0 +1,74 @@
+korhonen.cc, *.korhonen.cc {
+ tls {$CLOUDFLARE_EMAIL} {
+ dns cloudflare {$CLOUDFLARE_API_TOKEN}
+ resolvers 1.1.1.1
+ }
+
+ @homepage host korhonen.cc
+ handle @homepage {
+ root * /var/www/korhonen.cc
+ file_server
+ }
+
+ @wkd host openpgpkey.korhonen.cc
+ handle @wkd {
+ root * /var/www/wkd
+ file_server browse
+ }
+
+ @index host index.korhonen.cc
+ handle @index {
+ root * /docker/index.korhonen.cc
+ file_server browse
+ }
+
+ @home-assistant host home.korhonen.cc
+ handle @home-assistant {
+ reverse_proxy home-assistant:8123
+ }
+
+ @authentik host sso.korhonen.cc
+ handle @authentik {
+ reverse_proxy authentik:9000
+ }
+
+ @forgejo host git.korhonen.cc
+ handle @forgejo {
+ reverse_proxy forgejo:3000
+ }
+
+ @searx host search.korhonen.cc
+ handle @searx {
+ reverse_proxy searx:8080
+ }
+
+ @freshrss host rss.korhonen.cc
+ handle @freshrss {
+ reverse_proxy freshrss
+ }
+
+ @jellyfin host jellyfin.korhonen.cc
+ handle @jellyfin {
+ reverse_proxy jellyfin:8096
+ }
+
+ @misskey host social.korhonen.cc
+ handle @misskey {
+ reverse_proxy misskey:3000
+ }
+
+ @pihole host pihole.korhonen.cc
+ handle @pihole {
+ reverse_proxy pihole
+ }
+
+ @umami host umami.korhonen.cc
+ handle @umami {
+ reverse_proxy umami:3000
+ }
+
+ # Fallback for unhandled domains
+ handle {
+ redir https://korhonen.cc/404.html
+ }
+}
diff --git a/docker/caddy/docker-compose.toml b/docker/caddy/docker-compose.toml
new file mode 100644
index 00000000..e335ee2e
--- /dev/null
+++ b/docker/caddy/docker-compose.toml
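Review bot: The `@index` handler's `root * /docker/index.korhonen.cc` names a path that nothing in the new caddy service mounts: docker/caddy/docker-compose.toml in this commit binds `/var/www/index.korhonen.cc:/var/www/index.korhonen.cc`, and the pacman.conf hunks move the repository to that same `/var/www` location, so inside the container `file_server` for index.korhonen.cc will be pointed at a directory that does not exist; change it to `root * /var/www/index.korhonen.cc`. Separately, the response hardening that the deleted `secHeaders` Traefik middleware applied to every router (HSTS with `includeSubdomains`/`preload`, `nosniff`, `SAMEORIGIN` frame options, `strict-origin-when-cross-origin` referrer policy) has no counterpart in this Caddyfile, so the switch silently drops those headers; a site-level `header` block before the first matcher, as sketched below, restores them with the same values. The deleted `compress@file` middleware likewise has no `encode` equivalent here, which is a functional rather than security regression. tvheadend's `tvheadend.korhonen.cc` router is removed from its compose file but no `handle` for it appears here, so unless that is intentional it drops off the proxy entirely while its 9981/9982 host ports stay published.
```caddyfile
korhonen.cc, *.korhonen.cc {
    # … unchanged: tls block …

    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-Content-Type-Options nosniff
        X-Frame-Options SAMEORIGIN
        Referrer-Policy strict-origin-when-cross-origin
    }

    # … unchanged: @homepage and @wkd handlers …

    @index host index.korhonen.cc
    handle @index {
        root * /var/www/index.korhonen.cc
        file_server browse
    }

    # … unchanged: remaining reverse_proxy handlers and fallback …
```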
@@ -0,0 +1,18 @@
+[services.caddy]
+image = "slothcroissant/caddy-cloudflaredns"
+container_name = "caddy"
+restart = "unless-stopped"
+ports = ["80:80", "443:443/tcp", "443:443/udp"]
+networks = ["proxy"]
+volumes = [
+ "/docker/caddy/data:/data",
+ "/docker/caddy/config:/config",
+ "/var/www/korhonen.cc:/var/www/korhonen.cc",
+ "/var/www/wkd:/var/www/wkd",
+ "/var/www/index.korhonen.cc:/var/www/index.korhonen.cc",
+ "./Caddyfile:/etc/caddy/Caddyfile",
+]
+environment = ["CLOUDFLARE_EMAIL", "CLOUDFLARE_API_TOKEN", "ACME_AGREE=true"]
+
+[networks.proxy]
+external = true
diff --git a/docker/forgejo/docker-compose.toml b/docker/forgejo/docker-compose.toml
index 001661fd..a6dc63d6 100644
--- a/docker/forgejo/docker-compose.toml
+++ b/docker/forgejo/docker-compose.toml
@@ -4,20 +4,8 @@ container_name = "forgejo"
 environment = ["TZ=Europe/Helsinki", "USER_UID=1000", "USER_GID=1000"]
 restart = "unless-stopped"
 networks = ["postgres", "proxy"]
-ports = ["3000:3000", "22:22"]
+ports = ["22:22"]
 volumes = ["/docker/forgejo:/data", "/etc/localtime:/etc/localtime:ro"]
-labels = [
- "traefik.enable=true",
- "traefik.docker.network=proxy",
- "traefik.http.routers.forgejo-redirect.entrypoints=http",
- "traefik.http.routers.forgejo-redirect.rule=Host(`git.korhonen.cc`)",
- "traefik.http.routers.forgejo-redirect.middlewares=http2https@file",
- "traefik.http.routers.forgejo.entrypoints=https",
- "traefik.http.routers.forgejo.middlewares=secHeaders@file,compress@file",
- "traefik.http.routers.forgejo.rule=Host(`git.korhonen.cc`)",
- "traefik.http.routers.forgejo.service=forgejo",
- "traefik.http.services.forgejo.loadbalancer.server.port=3000",
-]

 [networks.postgres]
 external = true
diff --git a/docker/index.korhonen.cc/docker-compose.toml b/docker/index.korhonen.cc/docker-compose.toml
deleted file mode 100644
index 856e6fc0..00000000
--- a/docker/index.korhonen.cc/docker-compose.toml
+++ /dev/null
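Review bot: `image = "slothcroissant/caddy-cloudflaredns"` is an untagged third-party image that terminates TLS for every host and receives `CLOUDFLARE_API_TOKEN` through `environment`, so whatever is published under that tag next is pulled straight onto the edge; pin it to a tag or digest, e.g. `image = "slothcroissant/caddy-cloudflaredns:<pinned-tag-or-digest>"` (placeholder). The service also drops the `security_opt = ["no-new-privileges:true"]` that the deleted docker/traefik/docker-compose.toml set on the equivalent container; add that line back here. The `fail2ban` service deleted with that file (its volumes watched the forgejo, home-assistant and nextcloud logs) has no successor anywhere in this commit, so log-based banning ends with the switch — either move it into this file or state in the commit message that it is intentionally retired.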
@@ -1,26 +0,0 @@
-[services]
-
-[services.nginx]
-image = "fraoustin/fancyindex"
-container_name = "index.korhonen.cc"
-environment = ["DISABLE_AUTH=true", "CONTAINER_TIMEZONE=\"Europe/Helsinki\""]
-volumes = ["/docker/index.korhonen.cc:/share"]
-networks = ["proxy"]
-restart = "unless-stopped"
-labels = [
- "traefik.enable=true",
- "traefik.docker.network=proxy",
- "traefik.http.routers.index-redirect.entrypoints=http",
- "traefik.http.routers.index-redirect.rule=Host(`index.korhonen.cc`)",
- "traefik.http.routers.index-redirect.middlewares=http2https@file",
- "traefik.http.routers.index.entrypoints=https",
- "traefik.http.routers.index.middlewares=secHeaders@file,compress@file",
- "traefik.http.routers.index.rule=Host(`index.korhonen.cc`)",
- "traefik.http.routers.index.service=index",
- "traefik.http.services.index.loadbalancer.server.port=80",
-]
-
-[networks]
-
-[networks.proxy]
-external = true
diff --git a/docker/jellyfin/docker-compose.toml b/docker/jellyfin/docker-compose.toml
index 0b5a10c4..f69335b9 100644
--- a/docker/jellyfin/docker-compose.toml
+++ b/docker/jellyfin/docker-compose.toml
@@ -1,10 +1,7 @@
-[services]
-
 [services.jellyfin]
 image = "jellyfin/jellyfin"
 container_name = "jellyfin"
 environment = ["TZ=Europe/Helsinki"]
-ports = ["8096:8096"]
 networks = ["proxy", "authentik"]
 restart = "unless-stopped"
 volumes = [
@@ -18,20 +15,6 @@ devices = [
 "/dev/dri/renderD128:/dev/dri/renderD128",
 "/dev/dri/card0:/dev/dri/card0",
 ]
-labels = [
- "traefik.enable=true",
- "traefik.docker.network=proxy",
- "traefik.http.routers.jellyfin-redirect.entrypoints=http",
- "traefik.http.routers.jellyfin-redirect.rule=Host(`jellyfin.korhonen.cc`)",
- "traefik.http.routers.jellyfin-redirect.middlewares=http2https@file",
- "traefik.http.routers.jellyfin.entrypoints=https",
- "traefik.http.routers.jellyfin.middlewares=secHeaders@file,compress@file",
- "traefik.http.routers.jellyfin.rule=Host(`jellyfin.korhonen.cc`)",
- "traefik.http.routers.jellyfin.service=jellyfin",
- "traefik.http.services.jellyfin.loadbalancer.server.port=8096",
-]
-
-[networks]

 [networks.proxy]
 external = true
diff --git a/docker/misskey/docker-compose.toml b/docker/misskey/docker-compose.toml
index 30039f61..01ca5b28 100644
--- a/docker/misskey/docker-compose.toml
+++ b/docker/misskey/docker-compose.toml
@@ -9,18 +9,6 @@ volumes = [
 "/docker/misskey/files:/misskey/files",
 "/docker/misskey/config:/misskey/.config:ro",
 ]
-labels = [
- "traefik.enable=true",
- "traefik.docker.network=proxy",
- "traefik.http.routers.misskey-redirect.entrypoints=http",
- "traefik.http.routers.misskey-redirect.rule=Host(`social.korhonen.cc`)",
- "traefik.http.routers.misskey-redirect.middlewares=http2https@file",
- "traefik.http.routers.misskey.entrypoints=https",
- "traefik.http.routers.misskey.middlewares=secHeaders@file,compress@file",
- "traefik.http.routers.misskey.rule=Host(`social.korhonen.cc`)",
- "traefik.http.routers.misskey.service=misskey",
- "traefik.http.services.misskey.loadbalancer.server.port=3000",
-]

 [services.elasticsearch]
 image = "docker.elastic.co/elasticsearch/elasticsearch:7.17.8"
diff --git a/docker/pihole/docker-compose.toml b/docker/pihole/docker-compose.toml
index a578112e..9f328196 100644
--- a/docker/pihole/docker-compose.toml
+++ b/docker/pihole/docker-compose.toml
@@ -12,18 +12,6 @@ volumes = [
 dns = ["127.0.0.1", "1.1.1.1"]
 cap_add = ["NET_ADMIN"]
 restart = "unless-stopped"
-labels = [
- "traefik.enable=true",
- "traefik.docker.network=proxy",
- "traefik.http.routers.pihole-redirect.entrypoints=http",
- "traefik.http.routers.pihole-redirect.rule=Host(`pihole.korhonen.cc`)",
- "traefik.http.routers.pihole-redirect.middlewares=http2https@file",
- "traefik.http.routers.pihole.entrypoints=https",
- "traefik.http.routers.pihole.middlewares=secHeaders@file,compress@file",
- "traefik.http.routers.pihole.rule=Host(`pihole.korhonen.cc`)",
- "traefik.http.routers.pihole.service=pihole",
- "traefik.http.services.pihole.loadbalancer.server.port=80",
-]

 [services.pihole.environment]
 TZ = "Europe/Helsinki"
diff --git a/docker/traefik/docker-compose.toml b/docker/traefik/docker-compose.toml
deleted file mode 100644
index 4f10a200..00000000
--- a/docker/traefik/docker-compose.toml
+++ /dev/null
@@ -1,53 +0,0 @@
-[services.traefik]
-image = "traefik"
-container_name = "traefik"
-restart = "unless-stopped"
-ports = ["80:80", "443:443/tcp", "443:443/udp"]
-environment = [
- "TZ=Europe/Helsinki",
- "ADMIN_EMAIL",
- "CF_API_EMAIL=${ADMIN_EMAIL}",
- "CF_API_KEY",
- "CF_ZONE_API_TOKEN",
- "CF_DNS_API_TOKEN",
-]
-security_opt = ["no-new-privileges:true"]
-networks = ["proxy"]
-volumes = [
- "/etc/localtime:/etc/localtime:ro",
- "/var/run/docker.sock:/var/run/docker.sock:ro",
- "./traefik.toml:/traefik.toml:ro",
- "./dynamic.toml:/dynamic.toml:ro",
- "/docker/traefik/traefik/acme.json:/acme.json",
- "/docker/traefik/traefik/log:/var/log",
-]
-labels = [
- "traefik.enable=true",
- "traefik.docker.network=proxy",
- "traefik.http.routers.redirect.entrypoints=http",
- "traefik.http.routers.redirect.rule=Host(`traefik.korhonen.cc`)",
- "traefik.http.routers.redirect.middlewares=http2https@file",
- "traefik.http.routers.dashboard.entrypoints=https",
- "traefik.http.routers.dashboard.middlewares=secHeaders@file,compress@file,authentik@file",
- "traefik.http.routers.dashboard.rule=Host(`traefik.korhonen.cc`)",
- "traefik.http.routers.dashboard.service=api@internal",
-]
-
-[services.fail2ban]
-image = "crazymax/fail2ban"
-container_name = "fail2ban"
-restart = "unless-stopped"
-network_mode = "host"
-cap_add = ["NET_ADMIN", "NET_RAW"]
-environment = ["TZ=Europe/Helsinki"]
-volumes = [
- "/etc/localtime:/etc/localtime:ro",
- "/docker/traefik/traefik/log:/var/log/traefik:ro",
- "/docker/traefik/fail2ban:/data",
- "/docker/forgejo/gitea/log/gitea.log:/var/log/forgejo:ro",
- "/docker/homeautomation/home-assistant/home-assistant.log:/var/log/hass",
- "/mnt/Storage/Nextcloud/nextcloud.log:/var/log/nextcloud:ro",
-]
-
-[networks.proxy]
-external = true
diff --git a/docker/traefik/dynamic.toml b/docker/traefik/dynamic.toml
deleted file mode 100644
index e19fe3d6..00000000
--- a/docker/traefik/dynamic.toml
+++ /dev/null
@@ -1,86 +0,0 @@
-[http.middlewares.authentik.forwardAuth]
-address = "http://authentik:9000/outpost.goauthentik.io/auth/traefik"
-trustForwardHeader = true
-authResponseHeaders = [
- "X-authentik-username",
- "X-authentik-groups",
- "X-authentik-email",
- "X-authentik-name",
- "X-authentik-uid",
- "X-authentik-jwt",
- "X-authentik-meta-jwks",
- "X-authentik-meta-outpost",
- "X-authentik-meta-provider",
- "X-authentik-meta-app",
- "X-authentik-meta-version",
-]
-
-[http.middlewares.compress.compress]
-
-[http.middlewares.http2https.redirectScheme]
-scheme = "https"
-permanent = true
-
-[http.middlewares.secHeaders.headers]
-browserXssFilter = true
-contentTypeNosniff = true
-frameDeny = true
-sslRedirect = true
-stsIncludeSubdomains = true
-stsPreload = true
-stsSeconds = 31_536_000
-customFrameOptionsValue = "SAMEORIGIN"
-referrerPolicy = "strict-origin-when-cross-origin"
-accesscontrolAllowMethods = ["GET", "OPTIONS", "POST"]
-accesscontrolAllowOriginList = ["https://korhonen.cc"]
-accessControlAllowHeaders = [
- "Accept",
- "Accept-Encoding",
- "Accept-Language",
- "Access-Control-Request-Headers",
- "Access-Control-Request-Method",
- "Connection",
- "Content-Type",
- "DNT",
- "Host",
- "Origin",
- "Referer",
- "Sec-Fetch-Dest",
- "Sec-Fetch-Mode",
- "Sec-Fetch-Site",
- "User-Agent",
-]
-accesscontrolMaxAge = 100
-addVaryHeader = true
-
-[http.middlewares.nextcloud-redirect-dav.redirectRegex]
-permanent = true
-regex = "https://cloud.korhonen.cc/.well-known/(card|cal)dav"
-replacement = "https://cloud.korhonen.cc/remote.php/dav/"
-
-[http.middlewares.nextcloud-redirect-extra.redirectRegex]
-permanent = true
-regex = "https://cloud.korhonen.cc/.well-known/(.*)"
-replacement = "https://cloud.korhonen.cc/index.php/.well-known/${1}"
-
-[http.middlewares.nextcloud-security-headers.headers.customResponseHeaders]
-X-Robots-Tag = "noindex,nofollow"
-
-[http.middlewares.www2non-www.redirectregex]
-permanent = true
-regex = "^https?://www\\.(.+)"
-replacement = 
"https://${1}"
-
-[http.serversTransports.ignorecert]
-insecureSkipVerify = true
-
-[tls.options.default]
-minVersion = "VersionTLS12"
-cipherSuites = [
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
-]
-
-[tls.options.mintls13]
-minVersion = "VersionTLS13"
diff --git a/docker/traefik/traefik.toml b/docker/traefik/traefik.toml
deleted file mode 100644
index 21d60236..00000000
--- a/docker/traefik/traefik.toml
+++ /dev/null
@@ -1,41 +0,0 @@
-[experimental]
-http3 = true
-
-[api]
-dashboard = true
-
-[entryPoints.http]
-address = ":80"
-
-[entryPoints.https]
-address = ":443"
-
-[entryPoints.https.http3]
-
-[entryPoints.https.http.tls]
-options = "default"
-certResolver = "letsEncrypt"
-
-[[entryPoints.https.http.tls.domains]]
-main = "korhonen.cc"
-sans = ["*.korhonen.cc"]
-
-[certificatesResolvers.letsEncrypt.acme]
-email = "admin@korhonen.cc"
-storage = "acme.json"
-
-[certificatesResolvers.letsEncrypt.acme.dnsChallenge]
-provider = "cloudflare"
-
-[accessLog]
-filePath = "/var/log/access.log"
-
-[accessLog.filters]
-statusCodes = ["400-499"]
-
-[providers.docker]
-endpoint = "unix:///var/run/docker.sock"
-exposedByDefault = false
-
-[providers.file]
-filename = "/dynamic.toml"
diff --git a/docker/tvheadend/docker-compose.toml b/docker/tvheadend/docker-compose.toml
index f4201682..cdbff58c 100644
--- a/docker/tvheadend/docker-compose.toml
+++ b/docker/tvheadend/docker-compose.toml
@@ -1,5 +1,3 @@
-[services]
-
 [services.tvheadend]
 image = "linuxserver/tvheadend"
 container_name = "tvheadend"
@@ -14,20 +12,6 @@ ports = ["9981:9981", "9982:9982"]
 devices = ["/dev/dvb:/dev/dvb"]
 restart = "unless-stopped"
 networks = ["proxy"]
-labels = [
- "traefik.enable=true",
- "traefik.docker.network=proxy",
- "traefik.http.routers.tvheadend-redirect.entrypoints=http",
- "traefik.http.routers.tvheadend-redirect.rule=Host(`tvheadend.korhonen.cc`)",
- "traefik.http.routers.tvheadend-redirect.middlewares=http2https@file",
- "traefik.http.routers.tvheadend.entrypoints=https",
- "traefik.http.routers.tvheadend.middlewares=secHeaders@file,compress@file",
- "traefik.http.routers.tvheadend.rule=Host(`tvheadend.korhonen.cc`)",
- "traefik.http.routers.tvheadend.service=tvheadend",
- "traefik.http.services.tvheadend.loadbalancer.server.port=9981",
-]
-
-[networks]

 [networks.proxy]
 external = true
diff --git a/docker/umami/docker-compose.toml b/docker/umami/docker-compose.toml
index d4cbd228..3d5a92da 100644
--- a/docker/umami/docker-compose.toml
+++ b/docker/umami/docker-compose.toml
@@ -4,18 +4,6 @@ container_name = "umami"
 restart = "unless-stopped"
 networks = ["postgres", "proxy"]
 env_file = ".env"
-labels = [
- "traefik.enable=true",
- "traefik.docker.network=proxy",
- "traefik.http.routers.umami-redirect.entrypoints=http",
- "traefik.http.routers.umami-redirect.rule=Host(`umami.korhonen.cc`)",
- "traefik.http.routers.umami-redirect.middlewares=http2https@file",
- "traefik.http.routers.umami.entrypoints=https",
- "traefik.http.routers.umami.middlewares=secHeaders@file,compress@file",
- "traefik.http.routers.umami.rule=Host(`umami.korhonen.cc`)",
- "traefik.http.routers.umami.service=umami",
- "traefik.http.services.umami.loadbalancer.server.port=3000",
-]

 [services.umami.environment]
 DATABASE_URL = "postgresql://umami:${POSTGRES_PASS}@postgres:5432/umami"
diff --git a/home/.config/nvim/lua/plugins/init.lua b/home/.config/nvim/lua/plugins/init.lua
index c53fdf76..46b5b6f0 100644
--- a/home/.config/nvim/lua/plugins/init.lua
+++ b/home/.config/nvim/lua/plugins/init.lua
@@ -203,6 +203,9 @@ local plugins = {
 "norcalli/nvim-colorizer.lua",
 config = true,
 },
+
+ -- Caddyfile syntax support
+ "isobit/vim-caddyfile",
 }

 local lazy_opts = {}
diff --git a/root/etc/pacman.conf b/root/etc/pacman.conf
index 2256bea2..aff3bcd5 100755
--- a/root/etc/pacman.conf
+++ b/root/etc/pacman.conf
@@ -10,7 +10,7 @@ LocalFileSigLevel = Optional
 CacheDir = /var/cache/pacman/pkg
 {%@@ if profile == "Moria" @@%}
 CleanMethod=KeepCurrent
-CacheDir=/docker/index.korhonen.cc/repo/arch_linux/korhonen_aur/x86_64
+CacheDir=/var/www/index.korhonen.cc/repo/arch_linux/korhonen_aur/x86_64
 {%@@ endif @@%}

 [cachyos-v3]
@@ -43,7 +43,7 @@ Include = /etc/pacman.d/mirrorlist
 [korhonen_aur]
 {%@@ if profile == "Moria" @@%}
-Server = file:///docker/index.korhonen.cc/repo/arch_linux/$repo/$arch
+Server = file:///var/www/index.korhonen.cc/repo/arch_linux/$repo/$arch
 {%@@ else @@%}
 Include = /etc/pacman.d/pacserve
 Server = https://index.korhonen.cc/repo/arch_linux/$repo/$arch