Archive projects

.archived/traefik-dashboard/config.yml

@@ -0,0 +1,52 @@
+http:
+ #region routers 
+  routers:
+    example:
+      entryPoints:
+        - "websecure"
+      rule: "Host(`example.local.domain.name`)"
+      middlewares:
+        - default-headers
+        - https-redirectscheme
+      tls: {}
+      service: example
+#endregion
+
+#region services
+  services:
+    example:
+      loadBalancer:
+        servers:
+          - url: "http://ip:port/"
+        passHostHeader: true
+#endregion
+
+  middlewares:
+    https-redirectscheme:
+      redirectScheme:
+        scheme: https
+        permanent: true
+    default-headers:
+      headers:
+        frameDeny: true
+        browserXssFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 15552000
+        customFrameOptionsValue: SAMEORIGIN
+        customRequestHeaders:
+          X-Forwarded-Proto: https
+
+    default-whitelist:
+      ipAllowList:
+        sourceRange:
+        - "127.0.0.1/32"
+        - "local ip subnet"
+
+    secured:
+      chain:
+        middlewares:
+        - default-whitelist
+        - default-headers

.archived/traefik-dashboard/docker-compose.yml

@@ -0,0 +1,67 @@
+services:
+  traefik_socket_proxy:
+    container_name: traefik_socket_proxy
+    image: ghcr.io/11notes/socket-proxy:2.1.3
+    restart: unless-stopped
+    read_only: true
+    user: ${PUID}:${PGID}
+    environment:
+      TZ: ${TZ}
+    volumes:
+      - /run/docker.sock:/run/docker.sock:ro
+      - socket-proxy:/run/proxy
+    networks:
+      - frontend
+
+  traefik:
+    container_name: traefik
+    image: docker.io/library/traefik:v3.5.0
+    restart: unless-stopped
+    depends_on:
+      traefik_socket_proxy:
+        condition: service_healthy
+    security_opt:
+      - no-new-privileges:true
+    secrets:
+      - cf_api_token
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.traefik.entrypoints=web
+      - traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN}`)
+      - traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}
+      - traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https
+      - traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https
+      - traefik.http.routers.traefik.middlewares=traefik-https-redirect
+      - traefik.http.routers.traefik-secure.entrypoints=websecure
+      - traefik.http.routers.traefik-secure.rule=Host(`${TRAEFIK_DOMAIN}`)
+      - traefik.http.routers.traefik-secure.middlewares=traefik-auth
+      - traefik.http.routers.traefik-secure.service=api@internal
+    environment:
+      - CF_DNS_API_TOKEN_FILE=/run/secrets/cf_api_token
+      - TRAEFIK_DASHBOARD_CREDENTIALS=${TRAEFIK_DASHBOARD_CREDENTIALS}
+    volumes:
+      - ${APPDATA_PATH}/traefik/data/traefik.yml:/traefik.yml:ro
+      - ${APPDATA_PATH}/traefik/data/acme.json:/acme.json # chmod 600
+      - ${APPDATA_PATH}/traefik/data/config.yml:/config.yml:ro
+      - ${APPDATA_PATH}/traefik/logs:/var/log/traefik
+      - /etc/localtime:/etc/localtime:ro
+      - socket-proxy:/var/run
+    ports:
+      - 80:80
+      - 81:81
+      - 443:443
+      - 443:443/udp
+      - 444:444
+      - 444:444/udp
+    networks:
+      - frontend
+
+networks:
+  frontend:
+    external: true
+secrets:
+  cf_api_token:
+    file: ${APPDATA_PATH}/traefik/secrets/cf_api_token
+
+volumes:
+  socket-proxy:

.archived/traefik-dashboard/traefik.yml

@@ -0,0 +1,70 @@
+api:
+  dashboard: true
+  debug: true
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      middlewares:
+        - default-whitelist@file
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+  websecure:
+    address: ":443"
+    http:
+      middlewares:
+        - default-whitelist@file
+      tls:
+        certResolver: letsencrypt
+        domains:
+          - main: '*.local.domain.name'
+  web-external:
+    address: ":81"
+    http:
+      redirections:
+        entryPoint:
+          to: websecure-external
+          scheme: https
+  websecure-external:
+    address: ":444"
+    http:
+      tls:
+        certResolver: letsencrypt
+        domains:
+          - main: domain.name
+            sans:
+              - '*.domain.name'
+serversTransport:
+  insecureSkipVerify: true
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false
+  file:
+    filename: /config.yml
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: email@domain.name
+      storage: acme.json
+      caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
+      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
+      dnsChallenge:
+        provider: cloudflare
+        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
+        #delayBeforeCheck: 60s # uncomment along with disablePropagationCheck if needed to ensure the TXT record is ready before verification is attempted 
+        resolvers:
+          - "1.1.1.1:53"
+          - "1.0.0.1:53"
+log:
+  level: "INFO"
+  filePath: "/var/log/traefik/traefik.log"
+  maxSize: 10
+  maxBackups: 5
+accessLog:
+  filePath: "/var/log/traefik/access.log"
+  fields:
+    names:
+      StartUTC: drop