From 054d0c30e5112339569993b40144a05d7205428e Mon Sep 17 00:00:00 2001 From: Jean Froment Date: Fri, 11 Sep 2020 12:03:17 +0200 Subject: [PATCH] Update to Traefik v2 --- .env.sample | 15 ++-- .gitignore | 1 + docker-compose.yml | 189 ++++++++++++++++++++------------------------- traefik.toml | 40 ---------- traefik.yml | 29 +++++++ update-all.sh | 4 + 6 files changed, 128 insertions(+), 150 deletions(-) delete mode 100644 traefik.toml create mode 100644 traefik.yml diff --git a/.env.sample b/.env.sample index 8530f5b..fbeb33c 100644 --- a/.env.sample +++ b/.env.sample @@ -1,18 +1,21 @@ +# General Traefik (reverse proxy) settings TRAEFIK_DOMAIN=mydomain.com ACME_MAIL=my-email@my-provider.com + +# HTTP Auth HTTP_USER=myuser HTTP_PASSWORD=mypassword_encoded -PORTAINER_ADMIN_PASSWORD=h4ckMePleAse + +# Containers permissions mapping PGID=1000 PUID=1000 -# now these cloufdlare variables are useless -CLOUDFLARE_EMAIL=your@email.com -CLOUDFLARE_API_KEY=your_cloudflare_api_key - # Nextcloud NEXTCLOUD_ADMIN_USER=admin NEXTCLOUD_ADMIN_PASSWORD=nextcloud_admin_password NEXTCLOUD_DB_NAME=nextcloud_db_name NEXTCLOUD_DB_USER=nextcloud -NEXTCLOUD_DB_PASSWORD=nextcloud_db_password \ No newline at end of file +NEXTCLOUD_DB_PASSWORD=nextcloud_db_password + +# Portainer +PORTAINER_ADMIN_PASSWORD=h4ckMePleAse \ No newline at end of file diff --git a/.gitignore b/.gitignore index afa2706..ce97b42 100644 --- a/.gitignore +++ b/.gitignore @@ -3,4 +3,5 @@ /config tunnel-options.sh .env +http_auth backup/ diff --git a/docker-compose.yml b/docker-compose.yml index b962570..ebfaf28 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -2,30 +2,37 @@ version: '3' services: traefik: - image: traefik:v1.7-alpine + image: traefik:v2 container_name: traefik restart: always - networks: - - webgateway - command: --acme.email=${ACME_MAIL} --docker.domain=${TRAEFIK_DOMAIN} #--acme.dnschallenge=true --acme.dnschallenge.provider="cloudflare" --acme.dnschallenge.delaybeforecheck=300 + command: --certificatesresolvers.le.acme.email=${ACME_MAIL} ports: - "80:80" - "443:443" - #- "8080:8080" - # environment: - # - CF_API_EMAIL=${CLOUDFLARE_EMAIL} - # - CF_API_KEY=${CLOUDFLARE_API_KEY} volumes: - /var/run/docker.sock:/var/run/docker.sock - - ./traefik.toml:/traefik.toml + - ./traefik.yml:/etc/traefik/traefik.yaml:ro - /opt/traefik/acme.json:/acme.json + - ./http_auth:/http_auth + labels: + - "traefik.enable=true" + # HTTP to HTTPS redirection + - "traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)" + - "traefik.http.routers.http_catchall.entrypoints=insecure" + - "traefik.http.routers.http_catchall.middlewares=https_redirect" + - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https" + - "traefik.http.middlewares.https_redirect.redirectscheme.permanent=true" + # Docker labels for enabling Traefik dashboard + - "traefik.http.routers.traefik.rule=Host(`traefik.${TRAEFIK_DOMAIN}`)" + - "traefik.http.routers.traefik.entrypoints=secure" + - "traefik.http.routers.traefik.service=api@internal" + - "traefik.http.routers.traefik.tls.certresolver=le" + - "traefik.http.routers.traefik.middlewares=common-auth" deluge: image: linuxserver/deluge container_name: deluge restart: always - networks: - - web volumes: - torrents:/torrents - configdeluge:/config @@ -35,18 +42,16 @@ services: - PUID=${PUID} - TZ=Europe/Paris labels: - - 'traefik.backend=deluge' - - 'traefik.port=8112' - - 'traefik.frontend.rule=Host:deluge.${TRAEFIK_DOMAIN}' - - 'traefik.frontend.auth.basic.users=${HTTP_USER}:${HTTP_PASSWORD}' - - 'traefik.enable=true' + - "traefik.enable=true" + - "traefik.http.routers.deluge.rule=Host(`deluge.${TRAEFIK_DOMAIN}`)" + - "traefik.http.routers.deluge.entrypoints=secure" + - "traefik.http.routers.deluge.tls.certresolver=le" + - "traefik.http.routers.deluge.middlewares=common-auth" plex: image: linuxserver/plex container_name: plex restart: always - networks: - - web ports: - "32400:32400" - "32400:32400/udp" @@ -62,20 +67,16 @@ services: - PUID=${PUID} - TZ=Europe/Paris - VERSION=latest - #- VERSION=1.14.0.5470-9d51fdfaa labels: - - 'traefik.backend=plex' - - 'traefik.port=32400' - - 'traefik.frontend.rule=Host:plex.${TRAEFIK_DOMAIN}' - #- 'traefik.frontend.auth.basic.users=${HTTP_USER}:${HTTP_PASSWORD}' - - 'traefik.enable=true' + - "traefik.enable=true" + - "traefik.http.routers.plex.rule=Host(`plex.${TRAEFIK_DOMAIN}`)" + - "traefik.http.routers.plex.entrypoints=secure" + - "traefik.http.routers.plex.tls.certresolver=le" jackett: image: linuxserver/jackett container_name: jackett restart: always - networks: - - web volumes: - config:/config - torrents:/downloads @@ -85,18 +86,16 @@ services: - PUID=${PUID} - TZ=Europe/Paris labels: - - 'traefik.backend=jackett' - - 'traefik.port=9117' - - 'traefik.frontend.rule=Host:jackett.${TRAEFIK_DOMAIN}' - - 'traefik.frontend.auth.basic.users=${HTTP_USER}:${HTTP_PASSWORD}' - - 'traefik.enable=true' + - "traefik.enable=true" + - "traefik.http.routers.jackett.rule=Host(`jackett.${TRAEFIK_DOMAIN}`)" + - "traefik.http.routers.jackett.entrypoints=secure" + - "traefik.http.routers.jackett.tls.certresolver=le" + - "traefik.http.routers.jackett.middlewares=common-auth" sonarr: image: linuxserver/sonarr:preview container_name: sonarr restart: always - networks: - - web volumes: - configsonarr:/config - torrents:/torrents @@ -106,18 +105,16 @@ services: - PUID=${PUID} - TZ=Europe/Paris labels: - - 'traefik.backend=sonarr' - - 'traefik.port=8989' - - 'traefik.frontend.rule=Host:sonarr.${TRAEFIK_DOMAIN}' - - 'traefik.frontend.auth.basic.users=${HTTP_USER}:${HTTP_PASSWORD}' - - 'traefik.enable=true' + - "traefik.enable=true" + - "traefik.http.routers.sonarr.rule=Host(`sonarr.${TRAEFIK_DOMAIN}`)" + - "traefik.http.routers.sonarr.entrypoints=secure" + - "traefik.http.routers.sonarr.tls.certresolver=le" + - "traefik.http.routers.sonarr.middlewares=common-auth" radarr: image: linuxserver/radarr container_name: radarr restart: always - networks: - - web volumes: - configradarr:/config - torrents:/torrents @@ -127,18 +124,16 @@ services: - PUID=${PUID} - TZ=Europe/Paris labels: - - 'traefik.backend=radarr' - - 'traefik.port=7878' - - 'traefik.frontend.rule=Host:radarr.${TRAEFIK_DOMAIN}' - - 'traefik.frontend.auth.basic.users=${HTTP_USER}:${HTTP_PASSWORD}' - - 'traefik.enable=true' + - "traefik.enable=true" + - "traefik.http.routers.radarr.rule=Host(`radarr.${TRAEFIK_DOMAIN}`)" + - "traefik.http.routers.radarr.entrypoints=secure" + - "traefik.http.routers.radarr.tls.certresolver=le" + - "traefik.http.routers.radarr.middlewares=common-auth" bazarr: image: linuxserver/bazarr container_name: bazarr restart: always - networks: - - web volumes: - torrents:/torrents - configbazarr:/config @@ -147,18 +142,16 @@ services: - PUID=${PUID} - TZ=Europe/Paris labels: - - 'traefik.backend=bazarr' - - 'traefik.port=6767' - - 'traefik.frontend.rule=Host:bazarr.${TRAEFIK_DOMAIN}' - - 'traefik.frontend.auth.basic.users=${HTTP_USER}:${HTTP_PASSWORD}' - - 'traefik.enable=true' + - "traefik.enable=true" + - "traefik.http.routers.bazarr.rule=Host(`bazarr.${TRAEFIK_DOMAIN}`)" + - "traefik.http.routers.bazarr.entrypoints=secure" + - "traefik.http.routers.bazarr.tls.certresolver=le" + - "traefik.http.routers.bazarr.middlewares=common-auth" lidarr: image: linuxserver/lidarr:preview container_name: lidarr restart: always - networks: - - web volumes: - configlidarr:/config - torrents:/torrents @@ -167,18 +160,16 @@ services: - PUID=${PUID} - TZ=Europe/Paris labels: - - 'traefik.backend=lidarr' - - 'traefik.port=8686' - - 'traefik.frontend.rule=Host:lidarr.${TRAEFIK_DOMAIN}' - - 'traefik.frontend.auth.basic.users=${HTTP_USER}:${HTTP_PASSWORD}' - - 'traefik.enable=true' + - "traefik.enable=true" + - "traefik.http.routers.lidarr.rule=Host(`lidarr.${TRAEFIK_DOMAIN}`)" + - "traefik.http.routers.lidarr.entrypoints=secure" + - "traefik.http.routers.lidarr.tls.certresolver=le" + - "traefik.http.routers.lidarr.middlewares=common-auth" tautulli: image: linuxserver/tautulli container_name: tautulli restart: always - networks: - - web volumes: - configtautulli:/config - config:/logs:ro # Inside of tautulli, bind to logs via "/logs/Plex Media Server/Logs" @@ -187,16 +178,15 @@ services: - PUID=${PUID} - TZ=Europe/Paris labels: - - 'traefik.tautulli.backend=tautulli' - - 'traefik.tautulli.port=8181' - - 'traefik.tautulli.frontend.rule=Host:tautulli.${TRAEFIK_DOMAIN}' - - 'traefik.enable=true' + - "traefik.enable=true" + - "traefik.http.routers.tautulli.rule=Host(`tautulli.${TRAEFIK_DOMAIN}`)" + - "traefik.http.routers.tautulli.entrypoints=secure" + - "traefik.http.routers.tautulli.tls.certresolver=le" jdownloader: image: jlesage/jdownloader-2 container_name: jdownloader - networks: - - web + restart: unless-stopped volumes: - configjdownloader:/config - downloads:/output @@ -205,18 +195,16 @@ services: - GROUP_ID=${PGID} - TZ=Europe/Paris labels: - - 'traefik.backend=jdownloader' - - 'traefik.port=5800' - - 'traefik.frontend.rule=Host:jdownloader.${TRAEFIK_DOMAIN}' - - 'traefik.frontend.auth.basic.users=${HTTP_USER}:${HTTP_PASSWORD}' - - 'traefik.enable=true' + - "traefik.enable=true" + - "traefik.http.routers.jdownloader.rule=Host(`jdownloader.${TRAEFIK_DOMAIN}`)" + - "traefik.http.routers.jdownloader.entrypoints=secure" + - "traefik.http.routers.jdownloader.tls.certresolver=le" + - "traefik.http.routers.jdownloader.middlewares=common-auth" nextcloud: image: wonderfall/nextcloud container_name: nextcloud restart: always - networks: - - web volumes: - confignextcloud:/config - nextclouddata:/data @@ -234,10 +222,10 @@ services: - DB_USER=${NEXTCLOUD_DB_USER} - DB_PASSWORD=${NEXTCLOUD_DB_PASSWORD} labels: - - 'traefik.backend=nextcloud' - - 'traefik.port=8888' - - 'traefik.frontend.rule=Host:nextcloud.${TRAEFIK_DOMAIN}' - - 'traefik.enable=true' + - "traefik.enable=true" + - "traefik.http.routers.nextcloud.rule=Host(`nextcloud.${TRAEFIK_DOMAIN}`)" + - "traefik.http.routers.nextcloud.entrypoints=secure" + - "traefik.http.routers.nextcloud.tls.certresolver=le" portainer: image: portainer/portainer @@ -245,22 +233,18 @@ services: restart: always volumes: - /var/run/docker.sock:/var/run/docker.sock - networks: - - web command: --admin-password ${PORTAINER_ADMIN_PASSWORD} --host=unix:///var/run/docker.sock labels: - - 'traefik.backend=portainer' - - 'traefik.port=9000' - - 'traefik.frontend.rule=Host:portainer.${TRAEFIK_DOMAIN}' - - 'traefik.enable=true' + - "traefik.enable=true" + - "traefik.http.routers.portainer.rule=Host(`portainer.${TRAEFIK_DOMAIN}`)" + - "traefik.http.routers.portainer.entrypoints=secure" + - "traefik.http.routers.portainer.tls.certresolver=le" netdata: image: netdata/netdata restart: always container_name: netdata hostname: netdata.${TRAEFIK_DOMAIN} - networks: - - web environment: PGID: 999 cap_add: @@ -272,18 +256,16 @@ services: - /sys:/host/sys:ro - /var/run/docker.sock:/var/run/docker.sock:rw labels: - - 'traefik.backend=netdata' - - 'traefik.port=19999' - - 'traefik.frontend.rule=Host:netdata.${TRAEFIK_DOMAIN}' - - 'traefik.frontend.auth.basic.users=${HTTP_USER}:${HTTP_PASSWORD}' - - 'traefik.enable=true' + - "traefik.enable=true" + - "traefik.http.routers.netdata.rule=Host(`netdata.${TRAEFIK_DOMAIN}`)" + - "traefik.http.routers.netdata.entrypoints=secure" + - "traefik.http.routers.netdata.tls.certresolver=le" + - "traefik.http.routers.netdata.middlewares=common-auth" duplicati: image: linuxserver/duplicati container_name: duplicati restart: unless-stopped - networks: - - web environment: - PUID=${PUID} - PGID=${PGID} @@ -293,18 +275,17 @@ services: - backups:/backups - alldata:/source labels: - - 'traefik.backend=duplicati' - - 'traefik.port=8200' - - 'traefik.frontend.rule=Host:duplicati.${TRAEFIK_DOMAIN}' - - 'traefik.frontend.auth.basic.users=${HTTP_USER}:${HTTP_PASSWORD}' - - 'traefik.enable=true' + - "traefik.enable=true" + - "traefik.http.routers.duplicati.rule=Host(`duplicati.${TRAEFIK_DOMAIN}`)" + - "traefik.http.routers.duplicati.entrypoints=secure" + - "traefik.http.routers.duplicati.tls.certresolver=le" + - "traefik.http.routers.duplicati.middlewares=common-auth" + +networks: + default: + external: + name: "traefik-network" -networks: - webgateway: - driver: bridge - web: - external: - name: seedbox_webgateway volumes: alldata: driver: local-persist diff --git a/traefik.toml b/traefik.toml deleted file mode 100644 index 078fb95..0000000 --- a/traefik.toml +++ /dev/null @@ -1,40 +0,0 @@ -#https://docs.traefik.io/toml/ -#https://docs.traefik.io/user-guide/examples/ -################################################################ -# Global configuration -################################################################ -logLevel = "WARNING" -defaultEntryPoints = ["http", "https"] -InsecureSkipVerify = true - -[entryPoints] - [entryPoints.http] - address = ":80" - [entryPoints.http.redirect] - entryPoint = "https" - [entryPoints.https] - address = ":443" - [entryPoints.https.tls] - -[retry] - -[acme] -email = "overriden@in-traefik.yml" -storage = "acme.json" -entryPoint = "https" -onHostRule = true -acmeLogging = true -[acme.httpChallenge] - entryPoint = "http" - -################################################################ -# Docker configuration backend -################################################################ -[docker] -endpoint = "unix:///var/run/docker.sock" -domain = "mydomain.com" -watch = true -exposedByDefault = false - -[file] -watch = true diff --git a/traefik.yml b/traefik.yml new file mode 100644 index 0000000..d86a129 --- /dev/null +++ b/traefik.yml @@ -0,0 +1,29 @@ +api: + dashboard: true + +providers: + docker: + endpoint: "unix:///var/run/docker.sock" + network: "traefik-network" + exposedByDefault: false # Only expose explicitly enabled containers + +entryPoints: + insecure: + address: ":80" + secure: + address: ":443" + +certificatesResolvers: + le: + acme: + email: overriden@in-dockercompose.yml + storage: acme.json + httpChallenge: + # used during the challenge + entryPoint: insecure + +http: + middlewares: + common-auth: + basicAuth: + usersFile: "/http_auth" \ No newline at end of file diff --git a/update-all.sh b/update-all.sh index a00d6ad..2954add 100755 --- a/update-all.sh +++ b/update-all.sh @@ -1,5 +1,9 @@ #!/bin/bash +# Create/update http_auth file according to values in .env file +source .env +echo "${HTTP_USER}:${HTTP_PASSWORD}" > http_auth + echo "[$0] ***** Pulling all images... *****" docker-compose pull echo "[$0] ***** Recreating containers if required... *****"