First push from proxy (docker host) to gitea

root 2023-05-08 16:35:25 +00:00
commit a69fa8cc56
25 changed files with 781 additions and 0 deletions

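--- /dev/null
+++ b/traefik/.env
+EMAIL=signup@kh3group.com
+API_KEY=a392c6b70da6daeadb76879dad6d3ba1b4951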
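Review bot: `API_KEY` on the second line of traefik/.env is a live credential committed to the repository, and the compose file in this commit hands it to Traefik as `CF_API_KEY`, i.e. a Cloudflare Global API key with full account scope. Once pushed it has to be treated as exposed: rotate it in Cloudflare, purge the file from history, and add `traefik/.env` to `.gitignore` so only a template such as `API_KEY=<redacted>` is tracked. The ACME DNS challenge only needs DNS-edit rights on the zone, so a scoped token passed as `CF_DNS_API_TOKEN=<token>` (with `CF_API_KEY` dropped from the environment) limits what the next leak can do.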

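--- /dev/null
+++ b/traefik/data/config.yml
+http:
+#region routers
+routers:
+pve01:
+entryPoints:
+- "http"
+- "https"
+rule: "Host(`pve01.office.kh3group.com`)"
+middlewares:
+- default-headers
+tls: {}
+service: pve01
+pve02:
+entryPoints:
+- "https"
+rule: "Host(`pve02.office.kh3group.com`)"
+middlewares:
+- default-headers
+tls: {}
+service: pve02
+pve03:
+entryPoints:
+- "https"
+rule: "Host(`pve03.office.kh3group.com`)"
+middlewares:
+- default-headers
+tls: {}
+service: pve03
+pihole:
+entryPoints:
+- "https"
+rule: "Host(`dns.office.kh3group.com`) || Host(`dns.kh3group.com`) "
+middlewares:
+- default-headers
+- addprefix-pihole
+tls: {}
+service: pihole
+pfsense:
+entryPoints:
+- "https"
+rule: "Host(`firewall.office.kh3group.com`)"
+middlewares:
+- default-headers
+tls: {}
+service: pfsense
+mysite:
+entryPoints:
+- "https"
+rule: "Host(`my.office.kh3group.com`)"
+middlewares:
+- default-headers
+tls: {}
+service: mysite
+portal:
+entryPoints:
+- "https"
+rule: "Host(`portal.office.kh3group.com`)"
+middlewares:
+- default-headers
+tls: {}
+service: portal
+printer:
+entryPoints:
+- "https"
+rule: "Host(`printer.office.kh3group.com`)"
+middlewares:
+- default-headers
+# - prefix-printer
+tls: {}
+service: printer
+#endregion
+#region services
+services:
+pve01:
+loadBalancer:
+servers:
+- url: "https://192.168.2.3:8006"
+passHostHeader: true
+pve02:
+loadBalancer:
+servers:
+- url: "https://192.168.2.10:8006"
+passHostHeader: true
+pve03:
+loadBalancer:
+servers:
+- url: "https://192.168.100.60:8006"
+passHostHeader: true
+pihole:
+loadBalancer:
+servers:
+- url: "http://192.168.2.2:80"
+passHostHeader: true
+pfsense:
+loadBalancer:
+servers:
+- url: "https://192.168.100.1:443"
+passHostHeader: true
+mysite:
+loadBalancer:
+serversTransport: sptransport
+servers:
+- url: "http://192.168.2.34:80"
+passHostHeader: true
+portal:
+loadBalancer:
+serversTransport: sptransport
+servers:
+- url: "http://192.168.2.33:80"
+passHostHeader: true
+printer:
+loadBalancer:
+servers:
+- url: "https://192.168.100.100"
+passHostHeader: true
+#endregion
+serversTransports:
+sptransport:
+disableHTTP2: true
+middlewares:
+addprefix-pihole:
+addPrefix:
+prefix: "/admin"
+https-redirect:
+redirectScheme:
+scheme: https
+prefix-printer:
+addPrefix:
+prefix: "/main"
+default-headers:
+headers:
+frameDeny: true
+sslRedirect: true
+browserXssFilter: true
+contentTypeNosniff: true
+forceSTSHeader: true
+stsIncludeSubdomains: true
+stsPreload: true
+stsSeconds: 15552000
+customFrameOptionsValue: SAMEORIGIN
+customRequestHeaders:
+X-Forwarded-Proto: https
+idrac:
+headers:
+frameDeny: true
+sslRedirect: true
+browserXssFilter: true
+forceSTSHeader: true
+stsIncludeSubdomains: true
+stsSeconds: 15552000
+customFrameOptionsValue: SAMEORIGIN
+customRequestHeaders:
+X-Forwarded-Proto: https
+default-whitelist:
+ipWhiteList:
+sourceRange:
+- "10.0.0.0/8"
+- "192.168.100.0/24"
+- "172.16.16.0/32"
+secured:
+chain:
+middlewares:
+- default-whitelist
+- default-headers
+crowdsec-bouncer:
+forwardauth:
+address: http://bouncer-traefik:8080/api/v1/forwardAuth
+trustForwardHeader: true
+#tcp:
+# routers:
+# mysites:
+# rule: "HostSNI(`my.office.kh3group.com`)"
+# tls: {}
+# service: mysites
+# services:
+# mysites:
+# loadBalancer:
+# servers:
+# - address: "192.168.2.34:80"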
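Review bot: The `secured` chain built from `default-whitelist` is defined but never referenced: every router's `middlewares` list carries only `default-headers` (plus `addprefix-pihole`), so the Proxmox, pfSense and Pi-hole admin interfaces are reachable from any source address that reaches the `https` entrypoint, with only the entrypoint-level CrowdSec bouncer in front. If the whitelist is meant to gate those, the router entries should reference the chain instead, e.g. for `pfsense` `middlewares:` / `- secured`, and likewise for the three `pve*` routers and `pihole`. Separately, `172.16.16.0/32` in `sourceRange` matches exactly one address, which looks like a typo for a wider prefix and is worth confirming. `pve01` is also the only router that additionally listens on `"http"`; since traefik.yml in this commit redirects that entrypoint to https the entry is harmless, but it is inconsistent with the other routers and the unused `https-redirect`, `idrac` and `prefix-printer` middlewares suggest leftovers that could be pruned.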

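--- /dev/null
+++ b/traefik/data/traefik.yml
@@ -0,0 +1,42 @@
+api:
+dashboard: true
+debug: true
+entryPoints:
+http:
+address: ":80"
+http:
+redirections:
+entryPoint:
+to: https
+scheme: https
+permanent: true
+middlewares:
+- crowdsec-bouncer@file
+https:
+address: ":443"
+http:
+middlewares:
+- crowdsec-bouncer@file
+serversTransport:
+insecureSkipVerify: true
+providers:
+docker:
+endpoint: "unix:///var/run/docker.sock"
+exposedByDefault: false
+file:
+filename: /config.yml
+certificatesResolvers:
+cloudflare:
+acme:
+email: signup@kh3group.com
+storage: acme.json
+dnsChallenge:
+provider: cloudflare
+resolvers:
+- "1.1.1.1:53"
+- "1.0.0.1:53"
+log:
+level: "INFO"
+filepath: "/var/log/traefik/traefik.log"
+accessLog:
+filepath: "/var/log/traefik/access.log"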
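Review bot: `serversTransport.insecureSkipVerify: true` disables certificate verification for every backend that uses the default transport, not only the self-signed Proxmox, pfSense and printer targets in config.yml, so a spoofed upstream on the internal network would be accepted silently. config.yml already uses a named transport (`serversTransport: sptransport`), so the narrower option is a dedicated transport for the self-signed hosts carrying `rootCAs:` with the internal CA file — or, failing that, `insecureSkipVerify: true` on that transport only — while the global default keeps verifying. `api.debug: true` additionally exposes the `/debug` endpoints through the dashboard router and is worth turning off once the deployment settles. `storage: acme.json` holds the ACME account key and the issued private keys, and Traefik refuses to use it unless the file is mode 600, so check the host-side permissions on the bind-mounted file.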


@ -0,0 +1,46 @@
version: '3'
services:
rproxy:
image: traefik:v2.9
container_name: traefik
hostname: rproxy
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
- proxy
ports:
- 80:80
- 443:443
environment:
- CF_API_EMAIL=$EMAIL
- CF_API_KEY=$API_KEY
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- /root/traefik/data/traefik.yml:/traefik.yml:ro
- /root/traefik/data/acme.json:/acme.json
- /root/traefik/data/config.yml:/config.yml:ro
- traefik-logs:/var/log/traefik
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=http"
- "traefik.http.routers.traefik.rule=Host(`traefik.office.kh3group.com`)"
- "traefik.http.middlewares.traefik-auth.basicauth.users=support:$$apr1$$/SnQnIjg$$kOB5lj/Au8brVdk.tsrFb/"
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
- "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
- "traefik.http.routers.traefik-secure.entrypoints=https"
- "traefik.http.routers.traefik-secure.rule=Host(`traefik.office.kh3group.com`)||Host(`traefik.kh3group.com`)"
- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
- "traefik.http.routers.traefik-secure.tls.domains[0].main=office.kh3group.com"
- "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.office.kh3group.com"
- "traefik.http.routers.traefik-secure.service=api@internal"
networks:
proxy:
external: true
volumes:
traefik-logs:
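Review bot: The `traefik-auth` label embeds the dashboard credential as an `$$apr1$$` (MD5-crypt) hash directly in a committed file, and the `traefik-secure` router it guards is also matched on `traefik.kh3group.com`, so anyone with repository access obtains an offline-crackable hash for what is presumably an externally resolvable dashboard. Prefer a bcrypt hash (`htpasswd -B`), rotate the current password, and move the hash out of the compose file with `traefik.http.middlewares.traefik-auth.basicauth.usersfile=<path-inside-container>` backed by a bind mount from a host path outside the repository. The `sslheader` middleware is defined but not attached to any router, and the `traefik` router on the `http` entrypoint with `traefik-https-redirect` duplicates the entrypoint-level redirect in traefik.yml; if that duplication is deliberate a short comment above the labels would save the next reader the check. This section's file header is not visible in the rendering, so the path is inferred from the mounts to be the compose file under traefik/.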