diff --git a/traefik/conf.d/rules.yml b/traefik/conf.d/rules.yml new file mode 100644 index 0000000..510e696 --- /dev/null +++ b/traefik/conf.d/rules.yml 
@@ -0,0 +1,147 @@ +# dynamic configuration +http: + middlewares: + middlewares-authentik: + forwardAuth: + address: http://ubuntu:9000/outpost.goauthentik.io/auth/traefik + trustForwardHeader: true + authResponseHeaders: + - X-authentik-username + - X-authentik-groups + - X-authentik-entitlements + - X-authentik-email + - X-authentik-name + - X-authentik-uid + - X-authentik-jwt + - X-authentik-meta-jwks + - X-authentik-meta-outpost + - X-authentik-meta-provider + - X-authentik-meta-app + - X-authentik-meta-version + routers: + hass-router: + entryPoints: + - "hass" + rule: "Host(`home.thoster.net`) && PathPrefix(`/`)" + service: hass-service + tls: + certResolver: letsencrypt + paperless-router: + entryPoints: + - "websecure" + rule: "Host(`pl.home.thoster.net`) && PathPrefix(`/`)" + middlewares: + - "middlewares-authentik" + priority: 15 + service: paperless-service + tls: + certResolver: letsencrypt + hass-router-auth: + entryPoints: + - "websecure" + rule: "Host(`hass.home.thoster.net`) && PathPrefix(`/outpost.goauthentik.io/`)" + priority: 15 + service: authentik + tls: + certResolver: letsencrypt + paperless-router-auth: + entryPoints: + - "websecure" + rule: "Host(`pl.home.thoster.net`) && PathPrefix(`/outpost.goauthentik.io/`)" + priority: 15 + service: authentik + tls: + certResolver: letsencrypt + default-router: + entryPoints: + - "websecure" + rule: "Host(`home.thoster.net`) && PathPrefix(`/`)" + middlewares: + - middlewares-authentik + service: wikimd-service + tls: + certResolver: letsencrypt + default-router-auth: + entryPoints: + - "websecure" + rule: "Host(`home.thoster.net`) && PathPrefix(`/outpost.goauthentik.io/`)" + priority: 15 + service: authentik + tls: + certResolver: letsencrypt + photos-router: + entryPoints: + - "websecure" + rule: "Host(`photo.home.thoster.net`) && PathPrefix(`/`)" + service: photos-service + tls: + certResolver: letsencrypt + auth-router: + entryPoints: + - "websecure" + rule: "Host(`auth.home.thoster.net`) && 
PathPrefix(`/`)" + service: auth-service + tls: + certResolver: letsencrypt + hass2-router: + entryPoints: + - "websecure" + rule: "Host(`hass.home.thoster.net`) && PathPrefix(`/`)" + middlewares: + - "middlewares-authentik" + service: hass-service + tls: + certResolver: letsencrypt + nas-router: + entryPoints: + - "websecure" + rule: "Host(`nas.home.thoster.net`) && PathPrefix(`/`)" + service: nas-service + tls: + certResolver: letsencrypt + ai-router: + entryPoints: + - "websecure" + rule: "Host(`ai.home.thoster.net`) && PathPrefix(`/`)" + service: ai-service + tls: + certResolver: letsencrypt + + services: + hass-service: + loadBalancer: + servers: + - url: "http://ubuntu:8123" + photos-service: + loadBalancer: + servers: + - url: "http://ubuntu:2283" + nas-service: + loadBalancer: + servers: + - url: "http://nas" + ai-service: + loadBalancer: + servers: + - url: "http://ubuntu:8082" + wikimd-service: + loadBalancer: + servers: + - url: "http://ubuntu:5200" + auth-service: + loadBalancer: + servers: + - url: "http://ubuntu:9000" + paperless-service: + loadBalancer: + servers: + - url: "http://ubuntu:8000" + dummy-service: + loadBalancer: + servers: + - url: "http://whoami" + authentik: + loadBalancer: + servers: + - url: "http://ubuntu:9000/outpost.goauthentik.io" + diff --git a/traefik/conf.d/rules.yml.backup b/traefik/conf.d/rules.yml.backup new file mode 100644 index 0000000..2ff2b1d --- /dev/null +++ b/traefik/conf.d/rules.yml.backup 
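Review bot: paperless-router and paperless-router-auth both set `priority: 15`, so the catch-all router carrying forwardAuth and the `/outpost.goauthentik.io/` router tie instead of being ordered by rule length, and which one handles the outpost callback is then not defined by this file; dropping `priority: 15` from paperless-router (default-router and hass2-router already omit it) or giving paperless-router-auth a higher value makes the login flow deterministic. photos-router, nas-router and ai-router publish their backends on websecure without `middlewares-authentik`, unlike the pl, home and hass hosts; if those services rely on their own login, a comment on each such router, e.g. `# no forwardAuth: backend enforces its own authentication`, records that it is intentional rather than an omission. `trustForwardHeader: true` makes the X-Forwarded-* headers Traefik attaches authoritative for authentik, which is fine while Traefik is the edge and its entrypoints keep the default of not trusting client-sent forwarded headers — that assumption lives in traefik.yaml, not here, so it is worth a comment on the middleware. The middleware address and the authentik service both use plain http to ubuntu:9000; acceptable on a private container network, but note the assumption if that host is reached over a shared LAN.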
@@ -0,0 +1,90 @@ +# dynamic configuration +http: + routers: + # Redirect all HTTP traffic to HTTPS +# http-redirect-router: +# entryPoints: +# - "web" +# rule: "HostAny() && PathPrefix('/')" +# middlewares: +# - "redirect_https" +# service: dummy-service + hass-router: + entryPoints: + - "hass" + rule: "Host(`home.thoster.net`) && PathPrefix(`/`)" + service: hass-service + tls: + certResolver: letsencrypt + default-router: + entryPoints: + - "websecure" + rule: "Host(`home.thoster.net`) && PathPrefix(`/`)" + service: php-service + tls: + certResolver: letsencrypt + photos-router: + entryPoints: + - "websecure" + rule: "Host(`photo.home.thoster.net`) && PathPrefix(`/`)" + service: photos-service + tls: + certResolver: letsencrypt + auth-router: + entryPoints: + - "websecure" + rule: "Host(`auth.home.thoster.net`) && PathPrefix(`/`)" + service: auth-service + tls: + certResolver: letsencrypt + hass2-router: + entryPoints: + - "websecure" + rule: "Host(`hass.home.thoster.net`) && PathPrefix(`/`)" + service: hass-service + tls: + certResolver: letsencrypt + nas-router: + entryPoints: + - "websecure" + rule: "Host(`nas.home.thoster.net`) && PathPrefix(`/`)" + service: nas-service + tls: + certResolver: letsencrypt + ai-router: + entryPoints: + - "websecure" + rule: "Host(`ai.home.thoster.net`) && PathPrefix(`/`)" + service: ai-service + tls: + certResolver: letsencrypt + + services: + hass-service: + loadBalancer: + servers: + - url: "http://ubuntu:8123" + photos-service: + loadBalancer: + servers: + - url: "http://ubuntu:2283" + nas-service: + loadBalancer: + servers: + - url: "http://nas" + ai-service: + loadBalancer: + servers: + - url: "http://mini:8080" + php-service: + loadBalancer: + servers: + - url: "http://nginx-php-fastcgi" + auth-service: + loadBalancer: + servers: + - url: "http://ubuntu:9000" + dummy-service: + loadBalancer: + servers: + - url: "http://whoami" 
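Review bot: rules.yml.backup and rules.yml.backup2 (the next hunk) are committed into the same `conf.d/` directory that traefik.yaml's file provider watches, and both define the same router and service names as rules.yml; whether they are harmless depends on the provider only loading .yml/.yaml/.toml files, which I believe is the case but is not established by anything in this commit. Keeping backups outside conf.d/ (or out of the repository) removes that dependency, and the stale copies already disagree with the live file — backup2 points ai-service at `http://mini:8080` while rules.yml uses `http://ubuntu:8082` — which makes restoring the wrong upstream easy.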
diff --git a/traefik/conf.d/rules.yml.backup2 b/traefik/conf.d/rules.yml.backup2 new file mode 100644 index 0000000..a6aacd6 --- /dev/null +++ b/traefik/conf.d/rules.yml.backup2 
@@ -0,0 +1,137 @@ +# dynamic configuration +http: + middlewares: + middlewares-authentik: + forwardAuth: + address: http://ubuntu:9000/outpost.goauthentik.io/auth/traefik + trustForwardHeader: true + authResponseHeaders: + - X-authentik-username + - X-authentik-groups + - X-authentik-entitlements + - X-authentik-email + - X-authentik-name + - X-authentik-uid + - X-authentik-jwt + - X-authentik-meta-jwks + - X-authentik-meta-outpost + - X-authentik-meta-provider + - X-authentik-meta-app + - X-authentik-meta-version + routers: + hass-router: + entryPoints: + - "hass" + rule: "Host(`home.thoster.net`) && PathPrefix(`/`)" + service: hass-service + tls: + certResolver: letsencrypt + paperless-router: + entryPoints: + - "websecure" + rule: "Host(`pl.home.thoster.net`) && PathPrefix(`/`)" + middlewares: + - "middlewares-authentik" + priority: 15 + service: paperless-service + tls: + certResolver: letsencrypt + paperless-router-auth: + entryPoints: + - "websecure" + rule: "Host(`pl.home.thoster.net`) && PathPrefix(`/outpost.goauthentik.io/`)" + priority: 15 + service: authentik + tls: + certResolver: letsencrypt + default-router: + entryPoints: + - "websecure" + rule: "Host(`home.thoster.net`) && PathPrefix(`/`)" + middlewares: + - middlewares-authentik + service: wikimd-service + tls: + certResolver: letsencrypt + default-router-auth: + entryPoints: + - "websecure" + rule: "Host(`home.thoster.net`) && PathPrefix(`/outpost.goauthentik.io/`)" + priority: 15 + service: authentik + tls: + certResolver: letsencrypt + photos-router: + entryPoints: + - "websecure" + rule: "Host(`photo.home.thoster.net`) && PathPrefix(`/`)" + service: photos-service + tls: + certResolver: letsencrypt + auth-router: + entryPoints: + - "websecure" + rule: "Host(`auth.home.thoster.net`) && PathPrefix(`/`)" + service: auth-service + tls: + certResolver: letsencrypt + hass2-router: + entryPoints: + - "websecure" + rule: "Host(`hass.home.thoster.net`) && PathPrefix(`/`)" + service: hass-service + tls: 
+ certResolver: letsencrypt + nas-router: + entryPoints: + - "websecure" + rule: "Host(`nas.home.thoster.net`) && PathPrefix(`/`)" + service: nas-service + tls: + certResolver: letsencrypt + ai-router: + entryPoints: + - "websecure" + rule: "Host(`ai.home.thoster.net`) && PathPrefix(`/`)" + service: ai-service + tls: + certResolver: letsencrypt + + services: + hass-service: + loadBalancer: + servers: + - url: "http://ubuntu:8123" + photos-service: + loadBalancer: + servers: + - url: "http://ubuntu:2283" + nas-service: + loadBalancer: + servers: + - url: "http://nas" + ai-service: + loadBalancer: + servers: + - url: "http://mini:8080" + wikimd-service: + loadBalancer: + servers: + - url: "http://ubuntu:5200" + auth-service: + loadBalancer: + servers: + - url: "http://ubuntu:9000" + paperless-service: + loadBalancer: + servers: + - url: "http://ubuntu:8000" + dummy-service: + loadBalancer: + servers: + - url: "http://whoami" + authentik: + loadBalancer: + servers: + - url: "http://ubuntu:9000/outpost.goauthentik.io" + diff --git a/traefik/ssl/.gitignore b/traefik/ssl/.gitignore new file mode 100644 index 0000000..08a7346 --- /dev/null +++ b/traefik/ssl/.gitignore @@ -0,0 +1 @@ +acme.json diff --git a/traefik/traefik.yaml b/traefik/traefik.yaml new file mode 100644 index 0000000..e6b1949 --- /dev/null +++ b/traefik/traefik.yaml 
@@ -0,0 +1,65 @@ +providers: + file: + directory: /etc/traefik/conf.d/ + +entryPoints: + web: + address: ':80' + http: + redirections: + entryPoint: + to: websecure + scheme: https + + websecure: + address: ':443' + http: + tls: + certResolver: letsencrypt + + paperless: + address: ':5200' + + traefik: + address: ':8080' + + hass: + address: ':444' + http: + tls: + certResolver: letsencrypt + redirections: + entryPoint: + scheme: https + +certificatesResolvers: + letsencrypt: + acme: + email: "stefan@ostermail.de" + storage: /etc/traefik/ssl/acme.json + tlsChallenge: {} + +api: + dashboard: true + insecure: true + +log: + filePath: /var/log/traefik/traefik.log + format: json + level: INFO + +accessLog: + filePath: /var/log/traefik/traefik-access.log + format: json + filters: + statusCodes: + - "200" + - "400-599" + retryAttempts: true + minDuration: "10ms" + bufferingSize: 0 + fields: + headers: + defaultMode: drop + names: + User-Agent: keep
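Review bot: `api: insecure: true` serves the dashboard and API unauthenticated on the `traefik` entrypoint (`:8080`), exposing every router, service and middleware definition; unless that port is reachable only from a trusted network it should be `insecure: false` with a websecure router targeting `api@internal` behind `middlewares-authentik` (or basicAuth). The `hass` entrypoint's `redirections.entryPoint` block sets only `scheme: https` and no `to:` target, which Traefik documents as required for that block — confirm the entrypoint actually loads rather than being rejected at startup. None of the entrypoints sets `forwardedHeaders.trustedIPs`, which is the correct default for an edge proxy and is what makes `trustForwardHeader: true` in rules.yml safe; a comment on websecure such as `# do not add forwardedHeaders.trustedIPs/insecure here: forwardAuth trusts X-Forwarded-*` would keep a later change from silently weakening the auth middleware.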