213 lines
8.6 KiB
Django/Jinja
213 lines
8.6 KiB
Django/Jinja
# vi: ft=yaml
|
|
version: "3.7"
|
|
|
|
networks:
|
|
traefik:
|
|
external: true
|
|
|
|
configs:
|
|
services:
|
|
external: true
|
|
name: "{{ services.config_name }}"
|
|
|
|
volumes:
|
|
acme:
|
|
driver_opts:
|
|
type: "nfs"
|
|
o: "addr=lewis.dmz,nolock,soft,rw"
|
|
device: ":/mnt/data/nfs/traefik/acme"
|
|
|
|
services:
|
|
traefik:
|
|
image: traefik:3.0.0-beta2
|
|
networks:
|
|
- traefik
|
|
ports:
|
|
- mode: host
|
|
protocol: tcp
|
|
published: 443
|
|
target: 443
|
|
- mode: host
|
|
protocol: tcp
|
|
published: 80
|
|
target: 80
|
|
- mode: host
|
|
protocol: tcp
|
|
published: 444
|
|
target: 444
|
|
deploy:
|
|
placement:
|
|
constraints:
|
|
- node.role == manager
|
|
labels:
|
|
- traefik.enable=true
|
|
- traefik.http.routers.dashboard.entrypoints=localsecure
|
|
- traefik.http.routers.dashboard.rule=Host(`traefik.kun.is`)
|
|
- traefik.http.routers.dashboard.service=api@internal
|
|
- traefik.http.services.dashboard.loadbalancer.server.port=8080
|
|
- traefik.http.routers.dashboard.tls=true
|
|
- traefik.http.routers.dashboard.tls.certresolver=letsencrypt
|
|
- traefik.docker.network=traefik
|
|
|
|
- traefik.http.routers.esrom.entrypoints=websecure
|
|
- traefik.http.routers.esrom.service=esrom@file
|
|
- traefik.http.routers.esrom.rule=Host(`esrom.kun.is`)
|
|
- traefik.http.routers.esrom.tls=true
|
|
- traefik.http.routers.esrom.tls.certresolver=letsencrypt
|
|
|
|
- traefik.http.routers.cyberchef.entrypoints=websecure
|
|
- traefik.http.routers.cyberchef.service=k3s@file
|
|
- traefik.http.routers.cyberchef.rule=Host(`cyberchef.kun.is`)
|
|
- traefik.http.routers.cyberchef.tls=true
|
|
- traefik.http.routers.cyberchef.tls.certresolver=letsencrypt
|
|
|
|
- traefik.http.routers.freshrss.entrypoints=websecure
|
|
- traefik.http.routers.freshrss.service=k3s@file
|
|
- traefik.http.routers.freshrss.rule=Host(`rss.kun.is`)
|
|
- traefik.http.routers.freshrss.tls=true
|
|
- traefik.http.routers.freshrss.tls.certresolver=letsencrypt
|
|
|
|
- traefik.http.routers.inbucket.entrypoints=localsecure
|
|
- traefik.http.routers.inbucket.service=k3s@file
|
|
- traefik.http.routers.inbucket.rule=Host(`inbucket.kun.is`)
|
|
- traefik.http.routers.inbucket.tls=true
|
|
- traefik.http.routers.inbucket.tls.certresolver=letsencrypt
|
|
|
|
- traefik.http.routers.radicale.entrypoints=websecure
|
|
- traefik.http.routers.radicale.service=k3s@file
|
|
- traefik.http.routers.radicale.rule=Host(`dav.kun.is`)
|
|
- traefik.http.routers.radicale.tls=true
|
|
- traefik.http.routers.radicale.tls.certresolver=letsencrypt
|
|
|
|
- traefik.http.routers.syncthing.entrypoints=localsecure
|
|
- traefik.http.routers.syncthing.service=k3s@file
|
|
- traefik.http.routers.syncthing.rule=Host(`sync.kun.is`)
|
|
- traefik.http.routers.syncthing.tls=true
|
|
- traefik.http.routers.syncthing.tls.certresolver=letsencrypt
|
|
|
|
- traefik.http.routers.pihole.entrypoints=localsecure
|
|
- traefik.http.routers.pihole.service=k3s@file
|
|
- traefik.http.routers.pihole.rule=Host(`pihole.kun.is`)
|
|
- traefik.http.routers.pihole.tls=true
|
|
- traefik.http.routers.pihole.tls.certresolver=letsencrypt
|
|
|
|
- traefik.http.routers.hedgedoc.entrypoints=websecure
|
|
- traefik.http.routers.hedgedoc.service=k3s@file
|
|
- traefik.http.routers.hedgedoc.rule=Host(`md.kun.is`)
|
|
- traefik.http.routers.hedgedoc.tls=true
|
|
- traefik.http.routers.hedgedoc.tls.certresolver=letsencrypt
|
|
|
|
- traefik.http.routers.nextcloud.entrypoints=websecure
|
|
- traefik.http.routers.nextcloud.service=k3s@file
|
|
- traefik.http.routers.nextcloud.rule=Host(`cloud.kun.is`)
|
|
- traefik.http.routers.nextcloud.tls=true
|
|
- traefik.http.routers.nextcloud.tls.certresolver=letsencrypt
|
|
|
|
- traefik.http.routers.paperless-ngx.entrypoints=websecure
|
|
- traefik.http.routers.paperless-ngx.service=k3s@file
|
|
- traefik.http.routers.paperless-ngx.rule=Host(`paperless.kun.is`)
|
|
- traefik.http.routers.paperless-ngx.tls=true
|
|
- traefik.http.routers.paperless-ngx.tls.certresolver=letsencrypt
|
|
|
|
- traefik.http.routers.kitchenowl.entrypoints=websecure
|
|
- traefik.http.routers.kitchenowl.service=k3s@file
|
|
- traefik.http.routers.kitchenowl.rule=Host(`boodschappen.kun.is`)
|
|
- traefik.http.routers.kitchenowl.tls=true
|
|
- traefik.http.routers.kitchenowl.tls.certresolver=letsencrypt
|
|
|
|
- traefik.http.routers.forgejo.entrypoints=websecure
|
|
- traefik.http.routers.forgejo.service=k3s@file
|
|
- traefik.http.routers.forgejo.rule=Host(`git.kun.is`)
|
|
- traefik.http.routers.forgejo.tls=true
|
|
- traefik.http.routers.forgejo.tls.certresolver=letsencrypt
|
|
|
|
- traefik.http.routers.jellyfin.entrypoints=websecure
|
|
- traefik.http.routers.jellyfin.service=k3s@file
|
|
- traefik.http.routers.jellyfin.rule=Host(`media.kun.is`)
|
|
- traefik.http.routers.jellyfin.tls=true
|
|
- traefik.http.routers.jellyfin.tls.certresolver=letsencrypt
|
|
|
|
- traefik.http.routers.transmission.entrypoints=localsecure
|
|
- traefik.http.routers.transmission.service=k3s@file
|
|
- traefik.http.routers.transmission.rule=Host(`transmission.kun.is`)
|
|
- traefik.http.routers.transmission.tls=true
|
|
- traefik.http.routers.transmission.tls.certresolver=letsencrypt
|
|
|
|
- traefik.http.routers.jellyseerr.entrypoints=localsecure
|
|
- traefik.http.routers.jellyseerr.service=k3s@file
|
|
- traefik.http.routers.jellyseerr.rule=Host(`jellyseerr.kun.is`)
|
|
- traefik.http.routers.jellyseerr.tls=true
|
|
- traefik.http.routers.jellyseerr.tls.certresolver=letsencrypt
|
|
|
|
- traefik.http.routers.radarr.entrypoints=localsecure
|
|
- traefik.http.routers.radarr.service=k3s@file
|
|
- traefik.http.routers.radarr.rule=Host(`radarr.kun.is`)
|
|
- traefik.http.routers.radarr.tls=true
|
|
- traefik.http.routers.radarr.tls.certresolver=letsencrypt
|
|
|
|
- traefik.http.routers.prowlarr.entrypoints=localsecure
|
|
- traefik.http.routers.prowlarr.service=k3s@file
|
|
- traefik.http.routers.prowlarr.rule=Host(`prowlarr.kun.is`)
|
|
- traefik.http.routers.prowlarr.tls=true
|
|
- traefik.http.routers.prowlarr.tls.certresolver=letsencrypt
|
|
|
|
- traefik.http.routers.sonarr.entrypoints=localsecure
|
|
- traefik.http.routers.sonarr.service=k3s@file
|
|
- traefik.http.routers.sonarr.rule=Host(`sonarr.kun.is`)
|
|
- traefik.http.routers.sonarr.tls=true
|
|
- traefik.http.routers.sonarr.tls.certresolver=letsencrypt
|
|
|
|
- traefik.http.routers.bazarr.entrypoints=localsecure
|
|
- traefik.http.routers.bazarr.service=k3s@file
|
|
- traefik.http.routers.bazarr.rule=Host(`bazarr.kun.is`)
|
|
- traefik.http.routers.bazarr.tls=true
|
|
- traefik.http.routers.bazarr.tls.certresolver=letsencrypt
|
|
volumes:
|
|
- type: bind
|
|
source: /var/run/docker.sock
|
|
target: /var/run/docker.sock
|
|
- type: volume
|
|
source: acme
|
|
target: /acme
|
|
volume:
|
|
nocopy: true
|
|
configs:
|
|
- source: services
|
|
target: /etc/traefik/services.yml
|
|
command:
|
|
- --providers.docker
|
|
- --providers.docker.swarmmode
|
|
- --providers.docker.watch
|
|
- --providers.docker.exposedbydefault=false
|
|
|
|
- --providers.file.filename=/etc/traefik/services.yml
|
|
|
|
- --api
|
|
- --api.insecure=false
|
|
- --api.dashboard=true
|
|
|
|
- --entrypoints.web.address=:80
|
|
- --entrypoints.web.http.redirections.entrypoint=true
|
|
- --entrypoints.web.http.redirections.entrypoint.to=websecure
|
|
- --entrypoints.web.http.redirections.entrypoint.scheme=https
|
|
- --entrypoints.web.http.redirections.entrypoint.permanent=true
|
|
|
|
- --entrypoints.websecure.address=:443
|
|
|
|
- --entrypoints.localsecure.address=:444
|
|
|
|
- --certificatesresolvers.letsencrypt.acme=true
|
|
- --certificatesresolvers.letsencrypt.acme.email=pim@kunis.nl
|
|
- --certificatesresolvers.letsencrypt.acme.storage=/acme/acme.json
|
|
- --certificatesresolvers.letsencrypt.acme.httpchallenge=true
|
|
- --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
|
|
|
|
- --serversTransport.insecureSkipVerify=true
|
|
|
|
- --accesslog=true
|
|
- --accesslog.fields.defaultmode=keep
|
|
- --accesslog.fields.names.ClientUsername=drop
|
|
- --accesslog.fields.headers.defaultmode=keep
|
|
- --accesslog.fields.headers.names.User-Agent=keep
|
|
- --accesslog.fields.headers.names.Authorization=drop
|
|
- --accesslog.fields.headers.names.Content-Type=keep
|