diff --git a/.env.secret b/.env.secret
index 4ab8e6e..ada8316 100644
--- a/.env.secret
+++ b/.env.secret
Binary files differ
diff --git a/.gitignore b/.gitignore
index 9ed5a7d..4a19387 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,6 +5,7 @@
 # git secret hidden
 .env
 wg-server/initial_config/wg-server.conf
+traefik/cert.key
 
 # docker data
 data/
diff --git a/.gitsecret/paths/mapping.cfg b/.gitsecret/paths/mapping.cfg
index 5fba0d9..bb5668b 100644
--- a/.gitsecret/paths/mapping.cfg
+++ b/.gitsecret/paths/mapping.cfg
@@ -1,2 +1,3 @@
-.env:d83f3294d1d7b8c20b32e8de08b10f160e1ff2944c3d3cba86ef7f3dc4ef2566
+.env:221a7702774fdc6c4a5fa42a1f0787c10d34e347ff57a1c3ee841021c32caba5
 wg-server/initial_config/wg-server.conf:5d4fe70ae728a4fd41dbd0323899057884e12d1dd55fb5e0f440562ebaacc34b
+traefik/cert.key:84f0baacba7e0c5c879f212a6e04eeef2318e8e43d52359efacf73dfa4f09d47
diff --git a/docker-compose.yml b/docker-compose.yml
index 1f95927..f4a2bf1 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,38 +1,31 @@ services: - # cloudflared (to public) - # when used with WARP, only 1 HA connection allowed (https://github.com/cloudflare/cloudflared/issues/344) - cloudflared-tunnel: - image: cloudflare/cloudflared:latest - command: tunnel --ha-connections 1 run - - environment: - - TUNNEL_TOKEN=${CLOUDFLARED_TUNNEL_TOKEN} - - networks: - - web-public - - restart: unless-stopped - # http gateway http-gateway: - image: traefik:v2.6 + image: traefik:v2.9 + command: + # static config + --providers.docker + --providers.file.filename=/traefik/config.yaml + + --entrypoints.web.address=:80 + --entrypoints.web.http.redirections.entrypoint.to=websecure + --entrypoints.web.http.redirections.entrypoint.scheme=https + --entrypoints.web.http.redirections.entrypoint.permanent=true + + --entrypoints.websecure.address=:443 + volumes: - /var/run/docker.sock:/var/run/docker.sock:ro - - ./data/http-proxy-acme:/acme:rw + - ./traefik:/traefik:ro + ports: + - 80:80 + - 443:443 networks: - - web-public - web - - command: - --providers.docker - - --entrypoints.web.address=:80 - --entrypoints.web.http.tls=false - extra_hosts: - - "host.docker.internal:host-gateway" + host.docker.internal: host-gateway restart: unless-stopped
@@ -53,8 +46,8 @@ networks: - web labels: - - traefik.http.routers.ldap-passwd-webui.rule=Host(`passwd.skyw.me`) - - traefik.http.services.ldap-passwd-webui.loadbalancer.server.port=8080 + traefik.http.routers.ldap-passwd-webui.rule: Host(`passwd.skyw.me`) + traefik.http.services.ldap-passwd-webui.loadbalancer.server.port: 8080 # wireguard server wg-server:
@@ -62,11 +55,9 @@ file: wg-server/docker-compose.yml service: wg-server # host network - # networks: - # - web labels: - - traefik.http.routers.wg-server.rule=Host(`wg.skyw.me`) - - traefik.http.services.wg-server.loadbalancer.server.port=8123 + traefik.http.routers.wg-server.rule: Host(`wg.skyw.me`) + traefik.http.services.wg-server.loadbalancer.server.port: 8123 # wiki wiki-db:
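Review bot: The new `command:` block opens `websecure` on :443 and permanently redirects `web` to it, but nothing in the hunk enables TLS on that entrypoint — the old `--entrypoints.web.http.tls=false` is dropped and no `--entrypoints.websecure.http.tls=true` (and no per-router `tls` label in the later hunks) replaces it, so unless this is set elsewhere Traefik will not terminate TLS on 443 and the certificate from `/traefik/config.yaml` will never be served. Adding `--entrypoints.websecure.http.tls=true` directly after `--entrypoints.websecure.address=:443` is the one-line fix. Separately, `--providers.docker` keeps Traefik's default of publishing every container visible on the mounted socket; `--providers.docker.exposedByDefault=false` plus a `traefik.enable: "true"` label on the three routed services limits the gateway to what is meant to be reachable now that 80/443 are published on the host instead of sitting behind the tunnel. The `80:80`/`443:443` mappings are safe unquoted (both parts exceed 59) but `"80:80"` is the form Compose documents. http-gateway's definition ends inside this hunk; the label changes in the two following hunks are cosmetic.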
@@ -83,14 +74,10 @@ networks: - web labels: - - traefik.http.routers.wiki-server.rule=Host(`skyw.me`) || Host(`www.skyw.me`) || Host(`wiki.skyw.me`) - - traefik.http.services.wiki-server.loadbalancer.server.port=3000 + traefik.http.routers.wiki-server.rule: Host(`skyw.me`) || Host(`www.skyw.me`) || Host(`wiki.skyw.me`) + traefik.http.services.wiki-server.loadbalancer.server.port: 3000 networks: # global internal network for web services web: name: "web" - - # public interface (through tunnel) - web-public: - name: "web-public"
diff --git a/traefik/cert.cer b/traefik/cert.cer
new file mode 100644
index 0000000..8d32f31
--- /dev/null
+++ b/traefik/cert.cer
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEmjCCA4KgAwIBAgIUGsi9LDJHVT0euzhCLI6QFGbLve4wDQYJKoZIhvcNAQEL
+BQAwgYsxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTQw
+MgYDVQQLEytDbG91ZEZsYXJlIE9yaWdpbiBTU0wgQ2VydGlmaWNhdGUgQXV0aG9y
+aXR5MRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlh
+MB4XDTIzMDEyNjAyMTUwMFoXDTM4MDEyMjAyMTUwMFowYjEZMBcGA1UEChMQQ2xv
+dWRGbGFyZSwgSW5jLjEdMBsGA1UECxMUQ2xvdWRGbGFyZSBPcmlnaW4gQ0ExJjAk
+BgNVBAMTHUNsb3VkRmxhcmUgT3JpZ2luIENlcnRpZmljYXRlMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2vW9NI2iMyejn9/ih6parhfPIn8Mql/Htcsl
+lE99Es8t9wcxqUfG+D2OYgnZk/dxhycRi+V/TESWac+Mp7YMyK/usQx4Ns1DMt89
+iIEsFBqsBsh4iEZFMoe2n0FPqoZfYIJwpdah4ZbTa9Mptp4i4ha+wBxZF9NDY4dp
+aRZcX2b+HfRabCdnlyJhZ5PvELE9szERPh2g55tiRkosQslibSfSNMnditkAqhN7
+JzAnMtUpwipYY6NZKpGVkDIax0rKUXwhdAudQab9FPyr4ykoebkyw9jtFG88Fg4Z
+mxWNs8pez/bklc70iRBi1pwUR6ZFakkw6OpZOIzEDhr/yAdxpQIDAQABo4IBHDCC
+ARgwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD
+ATAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQDA7VoIrNrAIMP74rf2UcyBcG5ejAf
+BgNVHSMEGDAWgBQk6FNXXXw0QIep65TbuuEWePwppDBABggrBgEFBQcBAQQ0MDIw
+MAYIKwYBBQUHMAGGJGh0dHA6Ly9vY3NwLmNsb3VkZmxhcmUuY29tL29yaWdpbl9j
+YTAdBgNVHREEFjAUggkqLnNreXcubWWCB3NreXcubWUwOAYDVR0fBDEwLzAtoCug
+KYYnaHR0cDovL2NybC5jbG91ZGZsYXJlLmNvbS9vcmlnaW5fY2EuY3JsMA0GCSqG
+SIb3DQEBCwUAA4IBAQCu20AicTroXqmGMnrHliCLEkN6iIQS5aQv2OMa6DUbObMO
+qLK1dutUnmuMH2dCCC/fFBhC3UEMZyQo2iGeLnITJKVZh47Rz99tsNQDTw/C6aRV
+m+C4n+pZA8awEIk3hXBHNKx+raAMiz5aYz7maopqAfLnY0VeViSM2yVDxvmtLlgP
+vYkoxhP2V2Cel7OquXGMjeAj1/r1BRU3Hzm6DiiKhk5U/IX2cOrD7Tx1jjlpxlmh
+XlL1ARq7G/kYJez/4BXRuxx2maBVbaxI2KC/48MbnPuxLkjAT89RcNg7XgqXbh7O
+//CjDRSnpQZv+tQJJEWri9upNOISQaPcg8D3F4Jp
+-----END CERTIFICATE-----
diff --git a/traefik/cert.key.secret b/traefik/cert.key.secret
new file mode 100644
index 0000000..210f1bc
--- /dev/null
+++ b/traefik/cert.key.secret
Binary files differ
diff --git a/traefik/config.yaml b/traefik/config.yaml
new file mode 100644
index 0000000..b44f48d
--- /dev/null
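Review bot: The committed certificate is a Cloudflare Origin CA certificate for `skyw.me` and `*.skyw.me` (issuer, subject and SAN are readable in the base64, with a notAfter that appears to be January 2038), which only Cloudflare's edge trusts; with the tunnel removed and `80:80`/`443:443` now published in docker-compose.yml, the origin answers directly on the host, so a client that reaches it without passing through Cloudflare gets an untrusted certificate and skips whatever the edge enforces. If direct reachability is not intended, a host firewall restricting 80/443 to Cloudflare's published IP ranges (or Traefik's `ipWhiteList` middleware on the routers) restores the previous trust boundary. Committing the public certificate is fine since `cert.key` is git-secret hidden and ignored, but PEM has no room for a comment, so record the origin-CA nature and the 2038 expiry next to the `http-gateway` service or in the README.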
+++ b/traefik/config.yaml
@@ -0,0 +1,8 @@ +tls: + certificates: + - certFile: /traefik/cert.cer + keyFile: /traefik/cert.key + + options: + default: + sniStrict: true
diff --git a/wg-server/initial_config/wg-server.conf.secret b/wg-server/initial_config/wg-server.conf.secret
index 2806994..89717ce 100644
--- a/wg-server/initial_config/wg-server.conf.secret
+++ b/wg-server/initial_config/wg-server.conf.secret
Binary files differ
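Review bot: `sniStrict: true` under `options.default` is sound, but the same block leaves the minimum protocol version at Traefik's default; `minVersion: VersionTLS12` next to it makes the policy explicit and greppable. `keyFile: /traefik/cert.key` points at the git-secret hidden file that `./traefik:/traefik:ro` mounts, so on a checkout where `git secret reveal` has not run the key is absent and Traefik will presumably log a load error and fall back to its self-generated default certificate rather than refuse to start. A comment above `certificates:` such as `# cert.key is git-secret hidden; run "git secret reveal" before compose up` would spare the next operator that surprise.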