first commit

2023-02-05 23:20:41 +08:00 · 2023-02-05 23:20:41 +08:00 · 999b030820
commit 999b030820
8 changed files with 228 additions and 0 deletions
--- a/.auth.env
+++ b/.auth.env
@ -0,0 +1,9 @@
+PROVIDERS_OIDC_ISSUER_URL=https://sso.vaala.cloud/application/o/labforwardauth/
+PROVIDERS_OIDC_CLIENT_ID=xxxxxxxxxxxxxxxxx
+PROVIDERS_OIDC_CLIENT_SECRET=xxxxxxxxxxxxxxxxx
+AUTH_HOST=auth.vaala.tech
+COOKIE_DOMAIN=vaala.tech
+DEFAULT_PROVIDER=oidc
+SECRET=xxxxxxxxxxxxxxxxx
+LOG_LEVEL=info
+LIFETIME=180
--- a/acme.json
+++ b/acme.json
--- a/cert.sh
+++ b/cert.sh
@ -0,0 +1,60 @@
+#!/bin/sh
+# ./export-traefik-v2-certificate.sh DOMAIN
+
+set -e # abort on errors
+set -u # abort on unset variables
+
+# adjust these variables according to your setup
+TRAEFIK_CERT_STORE="/volume1/docker/traefik/acme.json"
+TRAEFIK_RESOLVER="myresolver"
+OUTPUT_DIR=/volume1/docker/traefik/cert
+
+DOMAIN="$1"
+if [ -z "$DOMAIN" ]; then
+    echo "No domain given"
+    exit 1
+fi
+
+# minor sanity checks
+if [ ! -r "$TRAEFIK_CERT_STORE" ]; then
+    echo "File $TRAEFIK_CERT_STORE not readable!"
+    exit 1
+fi
+if ! grep "\"${DOMAIN}\"" "$TRAEFIK_CERT_STORE" > /dev/null; then
+    echo "Domain $DOMAIN not found in $TRAEFIK_CERT_STORE"
+    exit 1
+fi
+
+KEY_FILE="${OUTPUT_DIR}/${DOMAIN}.key"
+CERT_FILE="${OUTPUT_DIR}/${DOMAIN}.crt"
+
+# create new files with strict permissions (mktemp defaults to 600)
+NEW_KEY_FILE="$(mktemp --tmpdir XXXXX.key.new)"
+NEW_CERT_FILE="$(mktemp --tmpdir XXXXX.crt.new)"
+
+# allow ssl-cert group to read certificates (for Debian systems)
+# chown root:ssl-cert "$NEW_CERT_FILE" "$NEW_KEY_FILE"
+# chmod 640 "$NEW_CERT_FILE" "$NEW_KEY_FILE"
+
+# extract certificate
+cat "$TRAEFIK_CERT_STORE" | jq -r ".${TRAEFIK_RESOLVER}.Certificates[] | select(.domain.main==\"${DOMAIN}\") | .certificate" | base64 -d > "$NEW_CERT_FILE"
+
+# extract private key
+cat "$TRAEFIK_CERT_STORE" | jq -r ".${TRAEFIK_RESOLVER}.Certificates[] | select(.domain.main==\"${DOMAIN}\") | .key" | base64 -d > "$NEW_KEY_FILE"
+
+# check if the contents changed
+if ! diff -N "$NEW_CERT_FILE" "$CERT_FILE" > /dev/null; then
+    # certificate changed, rotate files
+    echo "Certificate $DOMAIN updated"
+    mv "$NEW_CERT_FILE" "$CERT_FILE"
+    mv "$NEW_KEY_FILE" "$KEY_FILE"
+else
+    # certificate unchanged, delete temporary files
+    echo "Certificate $DOMAIN unchanged"
+    rm -f "$NEW_CERT_FILE" "$NEW_KEY_FILE"
+fi
+
+cp "$OUTPUT_DIR/*.vaala.tech.key" "$OUTPUT_DIR/derper.vaala.tech.key"
+cp "$OUTPUT_DIR/*.vaala.tech.crt" "$OUTPUT_DIR/derper.vaala.tech.crt"
+
+exit 0
--- a/cert/.gitkeep
+++ b/cert/.gitkeep
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@ -0,0 +1,61 @@
+services:
+  reverse-proxy:
+    image: traefik
+    restart: unless-stopped
+    ports:
+      - "30080:80"
+      - "30443:443"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./traefik.yaml:/etc/traefik/traefik.yaml:ro
+      - ./log:/var/log/traefik
+      - ./acme.json:/acme.json
+      - ./cert:/cert
+      - ./dynamic.yaml:/etc/traefik/dynamic.yaml
+    environment:
+      - CLOUDFLARE_EMAIL=xxxxxxxxxxxxxxxxxx
+      - CLOUDFLARE_DNS_API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
+    labels:
+      - "traefik.http.routers.traefik-api.rule=Host(`traefik.vaala.tech`)"
+      - "traefik.http.routers.traefik-api.middlewares=traefik-forward-auth"
+      - "traefik.http.routers.traefik-api.tls=true"
+      - "traefik.http.routers.traefik-api.tls.certresolver=myresolver"
+      - "traefik.http.services.traefik-api.loadbalancer.server.port=8080"
+    networks:
+      - traefik
+
+  traefik-forward-auth:
+    image: thomseddon/traefik-forward-auth:2
+    env_file: .auth.env
+    restart: unless-stopped
+    volumes:
+      - /etc/resolv.conf:/etc/resolv.conf:ro
+    networks:
+      - traefik
+    labels:
+      - "traefik.http.routers.traefik-forward-auth.rule=Host(`auth.vaala.tech`)"
+      - "traefik.http.routers.traefik-forward-auth.tls.certresolver=myresolver"
+      - "traefik.http.routers.traefik-forward-auth.middlewares=traefik-forward-auth"
+      - "traefik.http.routers.traefik-forward-auth.tls=true"
+      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
+      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
+      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
+
+  whoami:
+    image: containous/whoami
+    restart: unless-stopped
+    expose:
+      - 80
+    networks:
+      - traefik
+    labels:
+      - "traefik.http.routers.whoami.rule=Host(`whoami.vaala.tech`)"
+      - "traefik.http.routers.whoami.middlewares=traefik-forward-auth"
+      - "traefik.http.routers.whoami.tls=true"
+      - "traefik.http.routers.whoami.tls.certresolver=myresolver"
+      - "traefik.http.services.whoami.loadbalancer.server.port=80"
+
+networks:
+  traefik:
+    external:
+      name: traefik
--- a/dynamic.yaml
+++ b/dynamic.yaml
@ -0,0 +1,57 @@
+http:
+  services:
+    # sunshine:
+    #  loadBalancer:
+    #    servers:
+    #    - url: https://192.168.100.233:47990
+    v2raya:
+      loadBalancer:
+        servers:
+        - url: http://xxxxxxx:2017
+    kubegateway:
+      loadBalancer:
+        servers:
+        - url: http://x.x.x.x.x:31917
+
+  routers:
+    #    sunshine:
+    #  rule: Host(`sunshine.vaala.tech`)
+    #  service: sunshine
+    #  tls:
+    #    certresolver: myresolver
+    #  entryPoints:
+    #    - websecure
+    #  middlewares:
+    #    - sushineauth
+    #    - traefik-forward-auth@docker
+          # - autodetect
+    v2raya:
+      rule: Host(`xxx.vaala.tech`)
+      service: v2raya
+      tls:
+        certresolver: myresolver
+      entryPoints:
+        - websecure
+      middlewares:
+        - traefik-forward-auth@docker
+    kubegateway:
+      rule: HostRegexp(`{subdomain:[a-z0-9]+-gw}.vaala.tech`)
+        # rule: Host(`miku-gw.vaala.tech`)
+      service: kubegateway
+      tls:
+        certresolver: myresolver
+        domains:
+          - sans: "*.vaala.tech"
+      entryPoints:
+        - websecure
+
+  middlewares:
+    sushineauth:
+      headers:
+        customrequestheaders:
+          Authorization: Basic xxxxxxx
+            #customresponseheaders:
+          #          X-Content-Type-Options: nosniff
+    autodetect:
+      contentType:
+        autoDetect: true
--- a/log/.gitkeep
+++ b/log/.gitkeep
--- a/traefik.yaml
+++ b/traefik.yaml
@ -0,0 +1,41 @@
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+          permanent: true
+
+  websecure:
+    address: ":443"
+
+api:
+  insecure: true
+
+providers:
+  docker: {}
+  file:
+    filename: /etc/traefik/dynamic.yaml
+    watch: true
+
+log:
+  filePath: /var/log/traefik/common.log
+  format: json
+  level: INFO
+
+accessLog:
+  filePath: /var/log/traefik/access.log
+  format: json
+
+serversTransport:
+  insecureSkipVerify: true
+
+certificatesResolvers:
+  myresolver:
+    acme:
+      email: me@vaala.cat
+      storage: acme.json
+      dnsChallenge:
+        provider: cloudflare