first commit
This commit is contained in:
commit
999b030820
|
@ -0,0 +1,9 @@
|
|||
PROVIDERS_OIDC_ISSUER_URL=https://sso.vaala.cloud/application/o/labforwardauth/
|
||||
PROVIDERS_OIDC_CLIENT_ID=xxxxxxxxxxxxxxxxx
|
||||
PROVIDERS_OIDC_CLIENT_SECRET=xxxxxxxxxxxxxxxxx
|
||||
AUTH_HOST=auth.vaala.tech
|
||||
COOKIE_DOMAIN=vaala.tech
|
||||
DEFAULT_PROVIDER=oidc
|
||||
SECRET=xxxxxxxxxxxxxxxxx
|
||||
LOG_LEVEL=info
|
||||
LIFETIME=180
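Review bot: `LIFETIME=180` is most likely far shorter than intended: the compose file in this commit pairs this env file (`env_file: .auth.env`) with `thomseddon/traefik-forward-auth:2`, whose lifetime setting is in seconds, so this gives a three-minute session before users are bounced back through the OIDC login (the image's default is 43200, i.e. 12 hours). If a short session is deliberate, a comment saying so would help; otherwise write the value in seconds, e.g. `LIFETIME=43200`. Separately, this file carries `PROVIDERS_OIDC_CLIENT_SECRET` and `SECRET` (the cookie signing key) as placeholders; once real values replace the `xxx` strings the file must not be committed, so add it to `.gitignore` and keep a committed `.auth.env.example` holding only the placeholders.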
|
|
@ -0,0 +1,60 @@
|
|||
#!/bin/sh
|
||||
# ./export-traefik-v2-certificate.sh DOMAIN
|
||||
|
||||
set -e # abort on errors
|
||||
set -u # abort on unset variables
|
||||
|
||||
# adjust these variables according to your setup
|
||||
TRAEFIK_CERT_STORE="/volume1/docker/traefik/acme.json"
|
||||
TRAEFIK_RESOLVER="myresolver"
|
||||
OUTPUT_DIR=/volume1/docker/traefik/cert
|
||||
|
||||
DOMAIN="$1"
|
||||
if [ -z "$DOMAIN" ]; then
|
||||
echo "No domain given"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# minor sanity checks
|
||||
if [ ! -r "$TRAEFIK_CERT_STORE" ]; then
|
||||
echo "File $TRAEFIK_CERT_STORE not readable!"
|
||||
exit 1
|
||||
fi
|
||||
if ! grep "\"${DOMAIN}\"" "$TRAEFIK_CERT_STORE" > /dev/null; then
|
||||
echo "Domain $DOMAIN not found in $TRAEFIK_CERT_STORE"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
KEY_FILE="${OUTPUT_DIR}/${DOMAIN}.key"
|
||||
CERT_FILE="${OUTPUT_DIR}/${DOMAIN}.crt"
|
||||
|
||||
# create new files with strict permissions (mktemp defaults to 600)
|
||||
NEW_KEY_FILE="$(mktemp --tmpdir XXXXX.key.new)"
|
||||
NEW_CERT_FILE="$(mktemp --tmpdir XXXXX.crt.new)"
|
||||
|
||||
# allow ssl-cert group to read certificates (for Debian systems)
|
||||
# chown root:ssl-cert "$NEW_CERT_FILE" "$NEW_KEY_FILE"
|
||||
# chmod 640 "$NEW_CERT_FILE" "$NEW_KEY_FILE"
|
||||
|
||||
# extract certificate
|
||||
cat "$TRAEFIK_CERT_STORE" | jq -r ".${TRAEFIK_RESOLVER}.Certificates[] | select(.domain.main==\"${DOMAIN}\") | .certificate" | base64 -d > "$NEW_CERT_FILE"
|
||||
|
||||
# extract private key
|
||||
cat "$TRAEFIK_CERT_STORE" | jq -r ".${TRAEFIK_RESOLVER}.Certificates[] | select(.domain.main==\"${DOMAIN}\") | .key" | base64 -d > "$NEW_KEY_FILE"
|
||||
|
||||
# check if the contents changed
|
||||
if ! diff -N "$NEW_CERT_FILE" "$CERT_FILE" > /dev/null; then
|
||||
# certificate changed, rotate files
|
||||
echo "Certificate $DOMAIN updated"
|
||||
mv "$NEW_CERT_FILE" "$CERT_FILE"
|
||||
mv "$NEW_KEY_FILE" "$KEY_FILE"
|
||||
else
|
||||
# certificate unchanged, delete temporary files
|
||||
echo "Certificate $DOMAIN unchanged"
|
||||
rm -f "$NEW_CERT_FILE" "$NEW_KEY_FILE"
|
||||
fi
|
||||
|
||||
cp "$OUTPUT_DIR/*.vaala.tech.key" "$OUTPUT_DIR/derper.vaala.tech.key"
|
||||
cp "$OUTPUT_DIR/*.vaala.tech.crt" "$OUTPUT_DIR/derper.vaala.tech.crt"
|
||||
|
||||
exit 0
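Review bot: Nothing checks that the two `jq … | base64 -d` pipelines actually produced output before the rotation block, so a domain that is present in acme.json only as a SAN (the grep sanity check matches anywhere, but `select(.domain.main==…)` matches only the main name) or a typo in `TRAEFIK_RESOLVER` yields two empty temp files, `diff -N` reports a change, and the `mv` lines replace a working certificate and key with empty ones; `set -e` cannot catch this because jq's exit status is hidden inside the pipeline and plain `sh` has no pipefail. A size check between the extraction and the `diff` guards against it, as below. Two smaller points: with `set -u`, `DOMAIN="$1"` aborts with an unset-variable error before the friendly `"No domain given"` message is ever reached, so use `DOMAIN="${1:-}"`; and the two trailing `cp` lines depend on the quoted `*` being a literal file name, which is only true when the script was run for the wildcard domain — they execute for every DOMAIN and fail (leaving a non-zero exit after the rotation already happened) otherwise, so guard them with `[ "$DOMAIN" = "*.vaala.tech" ]` or drop the hard-coding.
```shell
# … unchanged: extract certificate and private key into $NEW_CERT_FILE / $NEW_KEY_FILE …

# refuse to rotate if either extraction produced nothing (no match for this
# domain/resolver, or a jq error that set -e cannot see inside a pipeline)
if [ ! -s "$NEW_CERT_FILE" ] || [ ! -s "$NEW_KEY_FILE" ]; then
  echo "No certificate/key for $DOMAIN under resolver $TRAEFIK_RESOLVER in $TRAEFIK_CERT_STORE"
  rm -f "$NEW_CERT_FILE" "$NEW_KEY_FILE"
  exit 1
fi

# … unchanged: diff / rotate, derper copies, exit 0 …
```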
|
|
@ -0,0 +1,61 @@
|
|||
services:
|
||||
reverse-proxy:
|
||||
image: traefik
|
||||
restart: unless-stopped
|
||||
ports:
|
||||
- "30080:80"
|
||||
- "30443:443"
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
- ./traefik.yaml:/etc/traefik/traefik.yaml:ro
|
||||
- ./log:/var/log/traefik
|
||||
- ./acme.json:/acme.json
|
||||
- ./cert:/cert
|
||||
- ./dynamic.yaml:/etc/traefik/dynamic.yaml
|
||||
environment:
|
||||
- CLOUDFLARE_EMAIL=xxxxxxxxxxxxxxxxxx
|
||||
- CLOUDFLARE_DNS_API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
||||
labels:
|
||||
- "traefik.http.routers.traefik-api.rule=Host(`traefik.vaala.tech`)"
|
||||
- "traefik.http.routers.traefik-api.middlewares=traefik-forward-auth"
|
||||
- "traefik.http.routers.traefik-api.tls=true"
|
||||
- "traefik.http.routers.traefik-api.tls.certresolver=myresolver"
|
||||
- "traefik.http.services.traefik-api.loadbalancer.server.port=8080"
|
||||
networks:
|
||||
- traefik
|
||||
|
||||
traefik-forward-auth:
|
||||
image: thomseddon/traefik-forward-auth:2
|
||||
env_file: .auth.env
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
- /etc/resolv.conf:/etc/resolv.conf:ro
|
||||
networks:
|
||||
- traefik
|
||||
labels:
|
||||
- "traefik.http.routers.traefik-forward-auth.rule=Host(`auth.vaala.tech`)"
|
||||
- "traefik.http.routers.traefik-forward-auth.tls.certresolver=myresolver"
|
||||
- "traefik.http.routers.traefik-forward-auth.middlewares=traefik-forward-auth"
|
||||
- "traefik.http.routers.traefik-forward-auth.tls=true"
|
||||
- "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
|
||||
- "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
|
||||
- "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
|
||||
|
||||
whoami:
|
||||
image: containous/whoami
|
||||
restart: unless-stopped
|
||||
expose:
|
||||
- 80
|
||||
networks:
|
||||
- traefik
|
||||
labels:
|
||||
- "traefik.http.routers.whoami.rule=Host(`whoami.vaala.tech`)"
|
||||
- "traefik.http.routers.whoami.middlewares=traefik-forward-auth"
|
||||
- "traefik.http.routers.whoami.tls=true"
|
||||
- "traefik.http.routers.whoami.tls.certresolver=myresolver"
|
||||
- "traefik.http.services.whoami.loadbalancer.server.port=80"
|
||||
|
||||
networks:
|
||||
traefik:
|
||||
external:
|
||||
name: traefik
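Review bot: The `reverse-proxy` service mounts the host Docker socket read-write (`/var/run/docker.sock:/var/run/docker.sock`) into the same container that terminates traffic arriving on 30080/30443, which makes a Traefik compromise equivalent to root on the host; Traefik only needs to read container metadata, so front the socket with a restricted socket proxy on the `traefik` network and point `providers.docker.endpoint` at it (adding `:ro` to the bind mount restricts filesystem operations only, not API calls made over the socket). `CLOUDFLARE_DNS_API_TOKEN`, which carries zone DNS-edit rights for the DNS-01 challenge, is placed inline under `environment:` while the neighbouring `traefik-forward-auth` service already keeps its secrets in `env_file: .auth.env`; move the Cloudflare values to an ignored env file the same way so the real token never lands in this committed compose file. The `traefik-api` router sends dashboard traffic to the container's own port 8080, which only works because `api.insecure` is enabled in traefik.yaml; `traefik.http.routers.traefik-api.service=api@internal` is the supported way to expose the dashboard behind the forward-auth middleware without the insecure API.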
|
|
@ -0,0 +1,57 @@
|
|||
http:
|
||||
services:
|
||||
# sunshine:
|
||||
# loadBalancer:
|
||||
# servers:
|
||||
# - url: https://192.168.100.233:47990
|
||||
v2raya:
|
||||
loadBalancer:
|
||||
servers:
|
||||
- url: http://xxxxxxx:2017
|
||||
kubegateway:
|
||||
loadBalancer:
|
||||
servers:
|
||||
- url: http://x.x.x.x.x:31917
|
||||
|
||||
routers:
|
||||
# sunshine:
|
||||
# rule: Host(`sunshine.vaala.tech`)
|
||||
# service: sunshine
|
||||
# tls:
|
||||
# certresolver: myresolver
|
||||
# entryPoints:
|
||||
# - websecure
|
||||
# middlewares:
|
||||
# - sushineauth
|
||||
# - traefik-forward-auth@docker
|
||||
# - autodetect
|
||||
v2raya:
|
||||
rule: Host(`xxx.vaala.tech`)
|
||||
service: v2raya
|
||||
tls:
|
||||
certresolver: myresolver
|
||||
entryPoints:
|
||||
- websecure
|
||||
middlewares:
|
||||
- traefik-forward-auth@docker
|
||||
kubegateway:
|
||||
rule: HostRegexp(`{subdomain:[a-z0-9]+-gw}.vaala.tech`)
|
||||
# rule: Host(`miku-gw.vaala.tech`)
|
||||
service: kubegateway
|
||||
tls:
|
||||
certresolver: myresolver
|
||||
domains:
|
||||
- sans: "*.vaala.tech"
|
||||
entryPoints:
|
||||
- websecure
|
||||
|
||||
middlewares:
|
||||
sushineauth:
|
||||
headers:
|
||||
customrequestheaders:
|
||||
Authorization: Basic xxxxxxx
|
||||
#customresponseheaders:
|
||||
# X-Content-Type-Options: nosniff
|
||||
autodetect:
|
||||
contentType:
|
||||
autoDetect: true
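Review bot: The `kubegateway` router has no `middlewares` entry, so every host matching `HostRegexp(`{subdomain:[a-z0-9]+-gw}.vaala.tech`)` reaches the backend at `x.x.x.x.x:31917` without passing the forward-auth that the `v2raya` router applies; if the gateway enforces its own authentication, say so in a comment on the router, otherwise add `middlewares:` / `- traefik-forward-auth@docker` as on v2raya. The `sushineauth` middleware injects a fixed `Authorization: Basic …` credential into upstream requests, meaning the upstream password lives in this committed, container-mounted file once the placeholder is replaced; since the only router referencing it is commented out, either drop the middleware or keep the value out of the repository. In `kubegateway.tls.domains` the entry sets `sans` without a `main` name; I am not certain Traefik accepts that form, and the usual spelling for a wildcard is `main: "*.vaala.tech"`, which is worth confirming against the ACME log output.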
|
|
@ -0,0 +1,41 @@
|
|||
entryPoints:
|
||||
web:
|
||||
address: ":80"
|
||||
http:
|
||||
redirections:
|
||||
entryPoint:
|
||||
to: websecure
|
||||
scheme: https
|
||||
permanent: true
|
||||
|
||||
websecure:
|
||||
address: ":443"
|
||||
|
||||
api:
|
||||
insecure: true
|
||||
|
||||
providers:
|
||||
docker: {}
|
||||
file:
|
||||
filename: /etc/traefik/dynamic.yaml
|
||||
watch: true
|
||||
|
||||
log:
|
||||
filePath: /var/log/traefik/common.log
|
||||
format: json
|
||||
level: INFO
|
||||
|
||||
accessLog:
|
||||
filePath: /var/log/traefik/access.log
|
||||
format: json
|
||||
|
||||
serversTransport:
|
||||
insecureSkipVerify: true
|
||||
|
||||
certificatesResolvers:
|
||||
myresolver:
|
||||
acme:
|
||||
email: me@vaala.cat
|
||||
storage: acme.json
|
||||
dnsChallenge:
|
||||
provider: cloudflare
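Review bot: `api.insecure: true` serves the API and dashboard unauthenticated on the built-in `traefik` entrypoint (port 8080); the host does not publish that port, but every container attached to the `traefik` network can reach it directly and bypass the forward-auth router defined in docker-compose.yaml, so set `api.dashboard: true` (leaving `insecure` at its default of false) and route the dashboard to `api@internal` instead. `providers.docker: {}` leaves `exposedByDefault` at true, so any container on the host gets a router under its container name even without labels; `exposedByDefault: false` limits exposure to services that opt in with `traefik.enable=true`. `serversTransport.insecureSkipVerify: true` disables backend certificate checking for every service globally although the only HTTPS backend in dynamic.yaml is the commented-out sunshine one; a dedicated `serversTransports` entry in the dynamic config, referenced only by that service, keeps the exception scoped.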
|