* Several updates 2024_01_22. See full commit log.
* Changed domain name variables to align with hostnames (and their prefixes/suffixes) I implemented in the previous commit
    - DOMAINNAME_CLOUD_SERVER is now DOMAINNAME_HS
    - DOMAINNAME_HOME_SYNOLOGY is now DOMAINNAME_DS918
    - DOMAINNAME_SHB is now DOMAINNAME_WS
* Replaced Traefik/Cloudflare ACME validation using Email and Global API Key with a scoped API token (CF_DNS_API_TOKEN). Deleted unwanted secrets.
* Split middlewares.yml to individual middleware YML files - to align with Auto-Traefik.
* Split middlewares-chains.yml to individual chain YML files - to align with Auto-Traefik.
* Moved some of the media apps to Media Server docker stack (docker-compose-mds.yml)
* Added more example file providers for various scenarios.
SimpleHomelab committed Jan 22, 2024
1 parent 3554676 commit 546bf74
Showing 126 changed files with 737 additions and 449 deletions.
13 changes: 11 additions & 2 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -79,12 +79,21 @@ appdata/traefik2/rules/toml/*
!appdata/traefik2/rules/ds918
appdata/traefik2/rules/ds918/*
!appdata/traefik2/rules/ds918/*.example
!appdata/traefik2/rules/ds918/tls-opts.yml
!appdata/traefik2/rules/ds918/middlewares-*.yml
!appdata/traefik2/rules/ds918/chain-*.yml
!appdata/traefik2/rules/hs
appdata/traefik2/rules/hs/*
!appdata/traefik2/rules/hs/*.example
!appdata/traefik2/rules/hs/tls-opts.yml
!appdata/traefik2/rules/hs/middlewares.yml
!appdata/traefik2/rules/hs/middlewares-chains.yml
!appdata/traefik2/rules/hs/middlewares-*.yml
!appdata/traefik2/rules/hs/chain-*.yml
!appdata/traefik2/rules/ws
appdata/traefik2/rules/ws/*
!appdata/traefik2/rules/ws/*.example
!appdata/traefik2/rules/ws/tls-opts.yml
!appdata/traefik2/rules/ws/middlewares-*.yml
!appdata/traefik2/rules/ws/chain-*.yml

!appdata/authelia
appdata/authelia/*
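Review bot: The new negations `!appdata/traefik2/rules/*/middlewares-*.yml` and `!appdata/traefik2/rules/*/chain-*.yml` un-ignore live middleware files rather than `.example` copies, so whatever is written into them is committed by default, while the router files in the same directories stay ignored unless they carry `.example`. The middlewares-basic-auth.yml added elsewhere in this commit uses `usersFile: "/run/secrets/htpasswd"`, which is the right pattern, but the same file also carries a commented-out inline `users:` entry, and an uncommented hash there would now land in the repository. Consider tracking only `middlewares-*.yml.example` like the app files, or adding a comment above these lines, e.g. `# middleware/chain YMLs are tracked: keep credentials in usersFile/secrets, never inline`. The context before and after this hunk is collapsed, so other rules directories may be affected too.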
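--- a/appdata/traefik2/rules/ds918/app-ds918-dsm-oauth.yml.example
+++ b/appdata/traefik2/rules/ds918/app-ds918-dsm-oauth.yml.example
@@ -0,0 +1,17 @@
+http:
+routers:
+synology-rtr:
+rule: "Host(`dsm.{{env "DOMAINNAME_DS918"}}`)"
+entryPoints:
+- https
+middlewares:
+- chain-oauth
+service: synology-svc
+tls:
+certResolver: dns-cloudflare
+options: tls-opts@file
+services:
+synology-svc:
+loadBalancer:
+servers:
+- url: "http://192.168.1.254:5000"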
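--- a/appdata/traefik2/rules/ds918/app-ds918-video-oauth.yml.example
+++ b/appdata/traefik2/rules/ds918/app-ds918-video-oauth.yml.example
@@ -0,0 +1,17 @@
+http:
+routers:
+synology-video-rtr:
+rule: "Host(`video.{{env "DOMAINNAME_DS918"}}`)"
+entryPoints:
+- https
+middlewares:
+- chain-oauth
+service: synology-video-svc
+tls:
+certResolver: dns-cloudflare
+options: tls-opts@file
+services:
+synology-video-svc:
+loadBalancer:
+servers:
+- url: "http://192.168.1.254:5003"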
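--- a/appdata/traefik2/rules/ds918/chain-basic-auth.yml
+++ b/appdata/traefik2/rules/ds918/chain-basic-auth.yml
@@ -0,0 +1,10 @@
+http:
+middlewares:
+chain-basic-auth:
+chain:
+middlewares:
+- middlewares-rate-limit
+- middlewares-https-redirectscheme
+- middlewares-secure-headers
+- middlewares-basic-auth
+- middlewares-compress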
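--- a/appdata/traefik2/rules/ds918/chain-no-auth.yml
+++ b/appdata/traefik2/rules/ds918/chain-no-auth.yml
@@ -0,0 +1,9 @@
+http:
+middlewares:
+chain-no-auth:
+chain:
+middlewares:
+- middlewares-rate-limit
+- middlewares-https-redirectscheme
+- middlewares-secure-headers
+- middlewares-compress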
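--- a/appdata/traefik2/rules/ds918/chain-oauth-external.yml
+++ b/appdata/traefik2/rules/ds918/chain-oauth-external.yml
@@ -0,0 +1,11 @@
+http:
+middlewares:
+chain-oauth-external:
+chain:
+middlewares:
+- middlewares-rate-limit
+- middlewares-https-redirectscheme
+- middlewares-secure-headers
+- middlewares-oauth-external
+- middlewares-compress
+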
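--- a/appdata/traefik2/rules/ds918/chain-oauth.yml
+++ b/appdata/traefik2/rules/ds918/chain-oauth.yml
@@ -0,0 +1,10 @@
+http:
+middlewares:
+chain-oauth:
+chain:
+middlewares:
+- middlewares-rate-limit
+- middlewares-https-redirectscheme
+- middlewares-secure-headers
+- middlewares-oauth
+- middlewares-compress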
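--- a/appdata/traefik2/rules/ds918/middlewares-basic-auth.yml
+++ b/appdata/traefik2/rules/ds918/middlewares-basic-auth.yml
@@ -0,0 +1,8 @@
+http:
+middlewares:
+middlewares-basic-auth:
+basicAuth:
+# users:
+# - "user:$apsdfswWvC/6.$E3FtsfTntPC0wVJ7IUVtX1"
+usersFile: "/run/secrets/htpasswd" #be sure to mount the volume through docker-compose.yml
+realm: "Traefik 2 Basic Auth"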
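--- a/appdata/traefik2/rules/ds918/middlewares-buffering.yml
+++ b/appdata/traefik2/rules/ds918/middlewares-buffering.yml
@@ -0,0 +1,9 @@
+http:
+middlewares:
+middlewares-buffering:
+buffering:
+maxResponseBodyBytes: 2000000
+maxRequestBodyBytes: 10485760
+memRequestBodyBytes: 2097152
+memResponseBodyBytes: 2097152
+retryExpression: "IsNetworkError() && Attempts() <= 2"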
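Review bot: `retryExpression: "IsNetworkError() && Attempts() <= 2"` re-sends the buffered request body on a network error, and that applies to non-idempotent requests such as POST as well, so a backend that received the first attempt but failed to answer may process a write twice. If that is acceptable for every service this middleware is attached to, a comment saying so would help, e.g. `# retries replay the buffered body; only attach to services where a duplicated write is harmless`. The limits also mix a decimal value (`2000000`) with binary ones (`10485760`, `2097152`); writing all four in one convention makes the intended sizes easier to audit.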
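--- a/appdata/traefik2/rules/ds918/middlewares-compress.yml
+++ b/appdata/traefik2/rules/ds918/middlewares-compress.yml
@@ -0,0 +1,4 @@
+http:
+middlewares:
+middlewares-compress:
+compress: {}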
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
http:
middlewares:
middlewares-https-redirectscheme:
redirectScheme:
scheme: https
permanent: true
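--- a/appdata/traefik2/rules/ds918/middlewares-oauth-external.yml
+++ b/appdata/traefik2/rules/ds918/middlewares-oauth-external.yml
@@ -0,0 +1,8 @@
+http:
+middlewares:
+middlewares-oauth-external:
+forwardAuth:
+address: "https://oauth.{{env "DOMAINNAME_DS918"}}"
+trustForwardHeader: true
+authResponseHeaders:
+- "X-Forwarded-User"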
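Review bot: `trustForwardHeader: true` forwards the `X-Forwarded-*` headers that arrive with the client request on to the forward-auth service instead of values derived from the actual connection; the same setting appears in middlewares-oauth.yml in this commit. That is only safe when the entryPoint restricts `forwardedHeaders` to trusted proxy addresses (or clients cannot reach Traefik directly), because the oauth service may rely on those headers to decide which host and scheme it is authorising for. Nothing in this hunk shows that restriction, so either confirm it is set in the static configuration or add a comment here, e.g. `# requires entryPoints.https.forwardedHeaders.trustedIPs; otherwise clients control X-Forwarded-* seen by oauth`.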
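--- a/appdata/traefik2/rules/ds918/middlewares-oauth.yml
+++ b/appdata/traefik2/rules/ds918/middlewares-oauth.yml
@@ -0,0 +1,8 @@
+http:
+middlewares:
+middlewares-oauth:
+forwardAuth:
+address: "http://oauth:4181" # Make sure you have the OAuth service in docker-compose.yml
+trustForwardHeader: true
+authResponseHeaders:
+- "X-Forwarded-User"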
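--- a/appdata/traefik2/rules/ds918/middlewares-rate-limit.yml
+++ b/appdata/traefik2/rules/ds918/middlewares-rate-limit.yml
@@ -0,0 +1,6 @@
+http:
+middlewares:
+middlewares-rate-limit:
+rateLimit:
+average: 100
+burst: 50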
55 changes: 4 additions & 51 deletions ...traefik2/rules/ws/middlewares.yml.example → ...ules/ds918/middlewares-secure-headers.yml
100644 → 100755
Original file line number Diff line number Diff line change
@@ -1,22 +1,5 @@
http:
middlewares:
middlewares-basic-auth:
basicAuth:
# users:
# - "user:$apsdfswWvC/6.$E3FtsfTntPC0wVJ7IUVtX1"
usersFile: "/run/secrets/htpasswd" #be sure to mount the volume through docker-compose.yml
realm: "Traefik 2 Basic Auth"

middlewares-rate-limit:
rateLimit:
average: 100
burst: 50

middlewares-https-redirectscheme:
redirectScheme:
scheme: https
permanent: true

middlewares-secure-headers:
headers:
accessControlAllowMethods:
Expand All @@ -32,50 +15,20 @@ http:
stsPreload: true
forceSTSHeader: true
# frameDeny: true #overwritten by customFrameOptionsValue
customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME_SHB"}}" #CSP takes care of this but may be needed for organizr.
customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME_DS918"}}" #CSP takes care of this but may be needed for organizr.
contentTypeNosniff: true
browserXssFilter: true
# sslForceHost: true # add sslHost to all of the services
# sslHost: "{{env "DOMAINNAME_SHB"}}"
# sslHost: "{{env "DOMAINNAME_DS918"}}"
referrerPolicy: "same-origin"
# Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
# the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
# contentSecurityPolicy: "frame-ancestors '*.{{env "DOMAINNAME_SHB"}}:*';object-src 'none';script-src 'none';"
# contentSecurityPolicy: "frame-ancestors '*.{{env "DOMAINNAME_DS918"}}:*';object-src 'none';script-src 'none';"
# Line below, featurePolicy, was deprecated in v2.5.x in favor permissionPolicy
# featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()"
customResponseHeaders:
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
server: ""
# https://community.traefik.io/t/how-to-make-websockets-work-with-traefik-2-0-setting-up-rancher/1732
# X-Forwarded-Proto: "https"

middlewares-secure-headers-wp:
headers:
hostsProxyHeaders:
- "X-Forwarded-Host"
stsSeconds: 31536000
stsIncludeSubdomains: true
stsPreload: true
frameDeny: true
contentTypeNosniff: true
browserXssFilter: true

middlewares-oauth:
forwardAuth:
address: "http://oauth:4181" # Make sure you have the OAuth service in docker-compose.yml
trustForwardHeader: true
authResponseHeaders:
- "X-Forwarded-User"

middlewares-authelia:
forwardAuth:
address: "http://authelia:9091/api/verify?rd=https://authelia.{{env "DOMAINNAME_SHB"}}"
trustForwardHeader: true
authResponseHeaders:
- "Remote-User"
- "Remote-Groups"

middlewares-compress:
compress: {}

# X-Forwarded-Proto: "https"
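Review bot: `customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME_DS918"}}"` on the new side sets the obsolete `X-Frame-Options: ALLOW-FROM` directive, which current browsers ignore (and the value is missing the `//` an origin would need anyway), so this line provides no framing protection while the stricter `frameDeny` stays commented out. The comment on that line already points at CSP; `frame-ancestors` in `contentSecurityPolicy` is the supported way to allow one origin, and the `contentSecurityPolicy` line remains commented out in this hunk. The rename also flips the mode from `100644` to `100755` and drops the `.example` suffix, so a YAML file becomes executable and, with .gitignore now tracking `middlewares-*.yml`, a live committed config. The middleware definition continues in the collapsed region between the two hunks, so its header options are not visible here.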
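--- a/appdata/traefik2/rules/ds918/tls-opts.yml
+++ b/appdata/traefik2/rules/ds918/tls-opts.yml
@@ -0,0 +1,19 @@
+tls:
+options:
+tls-opts:
+minVersion: VersionTLS12
+cipherSuites:
+- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+- TLS_AES_128_GCM_SHA256
+- TLS_AES_256_GCM_SHA384
+- TLS_CHACHA20_POLY1305_SHA256
+- TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
+curvePreferences:
+- CurveP521
+- CurveP384
+sniStrict: true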
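Review bot: `curvePreferences` lists only `CurveP521` and `CurveP384`, which removes X25519 and P-256 from the key-exchange groups this server will negotiate; that is not weaker, but a TLS 1.3 client that sends only an X25519 key share then needs a HelloRetryRequest round trip, and a client limited to P-256 fails outright, so consider adding `- X25519` ahead of the NIST curves. As I read Go's crypto/tls, the TLS 1.3 suites (`TLS_AES_128_GCM_SHA256`, `TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256`) are not server-configurable and `TLS_FALLBACK_SCSV` is a client signal rather than a suite, so those four `cipherSuites` entries are accepted but have no effect; a comment such as `# TLS 1.3 suites and TLS_FALLBACK_SCSV are documentation only; the Go TLS stack does not enforce them from this list` would stop readers assuming they are enforced. `minVersion: VersionTLS12` and `sniStrict: true` look right.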
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@
http:
routers:
adguard-rtr:
rule: "Host(`ag.{{env "DOMAINNAME_CLOUD_SERVER"}}`)"
rule: "Host(`ag.{{env "DOMAINNAME_HS"}}`)"
entryPoints:
- https
middlewares:
- chain-oauth
- chain-authelia
service: adguard-svc
tls:
certResolver: dns-cloudflare
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
http:
routers:
adguard-rtr:
rule: "Host(`ag.{{env "DOMAINNAME_CLOUD_SERVER"}}`)"
rule: "Host(`ag.{{env "DOMAINNAME_HS"}}`)"
entryPoints:
- https
middlewares:
2 changes: 1 addition & 1 deletion appdata/traefik2/rules/hs/app-haos-no-auth.yml.example
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
http:
routers:
haos-rtr:
rule: "Host(`haos.{{env "DOMAINNAME_CLOUD_SERVER"}}`)"
rule: "Host(`haos.{{env "DOMAINNAME_HS"}}`)"
entryPoints:
- https
middlewares:
16 changes: 0 additions & 16 deletions appdata/traefik2/rules/hs/app-hassos-no-auth.yml.example

This file was deleted.

2 changes: 1 addition & 1 deletion appdata/traefik2/rules/hs/app-pihole-oauth.yml.example
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
http:
routers:
pihole-rtr:
rule: "Host(`pihole.{{env "DOMAINNAME_CLOUD_SERVER"}}`)"
rule: "Host(`pihole.{{env "DOMAINNAME_HS"}}`)"
entryPoints:
- https
middlewares:
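--- a/appdata/traefik2/rules/hs/app-plex-no-auth.yml.example
+++ b/appdata/traefik2/rules/hs/app-plex-no-auth.yml.example
@@ -0,0 +1,17 @@
+http:
+routers:
+splex-rtr:
+rule: "Host(`splex.{{env "DOMAINNAME_HS"}}`)"
+entryPoints:
+- https
+middlewares:
+- chain-oauth
+service: splex-svc
+tls:
+certResolver: dns-cloudflare
+options: tls-opts@file
+services:
+splex-svc:
+loadBalancer:
+servers:
+- url: "http://192.168.1.238:32400"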
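Review bot: The file is named `app-plex-no-auth.yml.example` but the router's middlewares entry is `- chain-oauth`, so the name and the protection actually applied disagree; a no-auth variant presumably exists because Plex clients cannot complete a browser OAuth flow, and anyone copying this example will get different behaviour than the name promises. Either rename the file to `app-plex-oauth.yml.example` or change the entry to `- chain-no-auth` and rely on Plex's own login, whichever is intended. The router name `splex-rtr` and host `splex.` also differ from the `plex` in the filename; a one-line comment would help if that is deliberate.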
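--- a/appdata/traefik2/rules/hs/app-proxmox-ve-oauth.yml.example
+++ b/appdata/traefik2/rules/hs/app-proxmox-ve-oauth.yml.example
@@ -0,0 +1,22 @@
+http:
+routers:
+proxmox-rtr:
+rule: "Host(`pve.{{env "DOMAINNAME_HS"}}`)"
+entryPoints:
+- https
+middlewares:
+- chain-oauth
+service: proxmox-svc
+tls:
+certResolver: dns-cloudflare
+options: tls-opts@file
+services:
+proxmox-svc:
+loadBalancer:
+passHostHeader: true
+serversTransport: "pve"
+servers:
+- url: "https://192.168.1.100:8006/"
+serversTransports:
+pve:
+insecureSkipVerify: true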
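Review bot: `insecureSkipVerify: true` in the `pve` serversTransport disables certificate verification for every connection Traefik makes to `https://192.168.1.100:8006/`, so a spoofed or intercepted backend on that network segment would be accepted silently, and because this is an example file the setting will be copied as-is. The safer option is to trust the Proxmox CA or self-signed certificate explicitly via `rootCAs` under the serversTransport (Traefik accepts a file path or inline PEM), or at least to state the trade-off on the line, e.g. `# insecureSkipVerify: the PVE certificate is not checked; prefer rootCAs with the PVE CA`. `passHostHeader: true` behind the `chain-oauth` router looks fine.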
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
tcp:
routers:
synology-traefik-rtr:
entryPoints:
- "https"
rule: "HostSNIRegexp(`{{env "DOMAINNAME_DS918"}}`, `{subdomain:[a-z]+}.{{env "DOMAINNAME_DS918"}}`)"
service: synology-traefik-svc
tls:
passthrough: true
services:
synology-traefik-svc:
loadBalancer:
servers:
- address: "192.168.1.254:443"
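Review bot: `HostSNIRegexp(`{{env "DOMAINNAME_DS918"}}`, `{subdomain:[a-z]+}.{{env "DOMAINNAME_DS918"}}`)` with `passthrough: true` hands the raw TLS connection for every single-label subdomain of that domain straight to `192.168.1.254:443`, and Traefik evaluates TCP routers with an SNI match before HTTP routers on the same entryPoint, so if this router is loaded alongside the ds918 HTTP routers added in this commit (`dsm.` and `video.`, both behind `chain-oauth`) those routers are shadowed and the OAuth chain is never applied. Please confirm how the two sets of rules are meant to coexist (separate entryPoints or separate Traefik instances) and record it in a comment above `rule:`, or narrow the regexp to the exact SNI names that genuinely need passthrough. The file header for this section is not rendered, so I cannot tell which rules directory it lives in.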
