From 999b030820a8324f2c59fae55c36d3f27577a612 Mon Sep 17 00:00:00 2001
From: Vaala Cat <-e>
Date: Sun, 5 Feb 2023 23:20:41 +0800
Subject: [PATCH] first commit

---
 .auth.env | 9 +++++++
 acme.json | 0
 cert.sh | 60 ++++++++++++++++++++++++++++++++++++++++++++
 cert/.gitkeep | 0
 docker-compose.yaml | 61 +++++++++++++++++++++++++++++++++++++++++++++
 dynamic.yaml | 57 ++++++++++++++++++++++++++++++++++++++++++
 log/.gitkeep | 0
 traefik.yaml | 41 ++++++++++++++++++++++++++++++
 8 files changed, 228 insertions(+)
 create mode 100755 .auth.env
 create mode 100644 acme.json
 create mode 100755 cert.sh
 create mode 100644 cert/.gitkeep
 create mode 100755 docker-compose.yaml
 create mode 100755 dynamic.yaml
 create mode 100644 log/.gitkeep
 create mode 100755 traefik.yaml

diff --git a/.auth.env b/.auth.env
new file mode 100755
index 0000000..6ac6079
--- /dev/null
+++ b/.auth.env
@@ -0,0 +1,9 @@
+PROVIDERS_OIDC_ISSUER_URL=https://sso.vaala.cloud/application/o/labforwardauth/
+PROVIDERS_OIDC_CLIENT_ID=xxxxxxxxxxxxxxxxx
+PROVIDERS_OIDC_CLIENT_SECRET=xxxxxxxxxxxxxxxxx
+AUTH_HOST=auth.vaala.tech
+COOKIE_DOMAIN=vaala.tech
+DEFAULT_PROVIDER=oidc
+SECRET=xxxxxxxxxxxxxxxxx
+LOG_LEVEL=info
+LIFETIME=180
diff --git a/acme.json b/acme.json
new file mode 100644
index 0000000..e69de29
diff --git a/cert.sh b/cert.sh
new file mode 100755
index 0000000..7156e98
--- /dev/null
+++ b/cert.sh
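Review bot: `.auth.env` carries the OIDC client secret and the forward-auth `SECRET`, yet it is added to the repository with mode 100755 and no ignore rule, so the real values will enter history the first time the `xxx` placeholders are replaced. Keep the placeholder copy as `.auth.env.example`, ignore `.auth.env` itself, and drop the executable bit (`chmod 600 .auth.env`) since nothing executes it. `LIFETIME=180` also looks very short if the value is in seconds, as it appears to be for traefik-forward-auth; a comment naming the unit (`# session lifetime in seconds`) would settle whether 3 minutes is intended.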
@@ -0,0 +1,60 @@
+#!/bin/sh
+# ./export-traefik-v2-certificate.sh DOMAIN
+
+set -e # abort on errors
+set -u # abort on unset variables
+
+# adjust these variables according to your setup
+TRAEFIK_CERT_STORE="/volume1/docker/traefik/acme.json"
+TRAEFIK_RESOLVER="myresolver"
+OUTPUT_DIR=/volume1/docker/traefik/cert
+
+DOMAIN="$1"
+if [ -z "$DOMAIN" ]; then
+ echo "No domain given"
+ exit 1
+fi
+
+# minor sanity checks
+if [ ! -r "$TRAEFIK_CERT_STORE" ]; then
+ echo "File $TRAEFIK_CERT_STORE not readable!"
+ exit 1
+fi
+if ! grep "\"${DOMAIN}\"" "$TRAEFIK_CERT_STORE" > /dev/null; then
+ echo "Domain $DOMAIN not found in $TRAEFIK_CERT_STORE"
+ exit 1
+fi
+
+KEY_FILE="${OUTPUT_DIR}/${DOMAIN}.key"
+CERT_FILE="${OUTPUT_DIR}/${DOMAIN}.crt"
+
+# create new files with strict permissions (mktemp defaults to 600)
+NEW_KEY_FILE="$(mktemp --tmpdir XXXXX.key.new)"
+NEW_CERT_FILE="$(mktemp --tmpdir XXXXX.crt.new)"
+
+# allow ssl-cert group to read certificates (for Debian systems)
+# chown root:ssl-cert "$NEW_CERT_FILE" "$NEW_KEY_FILE"
+# chmod 640 "$NEW_CERT_FILE" "$NEW_KEY_FILE"
+
+# extract certificate
+cat "$TRAEFIK_CERT_STORE" | jq -r ".${TRAEFIK_RESOLVER}.Certificates[] | select(.domain.main==\"${DOMAIN}\") | .certificate" | base64 -d > "$NEW_CERT_FILE"
+
+# extract private key
+cat "$TRAEFIK_CERT_STORE" | jq -r ".${TRAEFIK_RESOLVER}.Certificates[] | select(.domain.main==\"${DOMAIN}\") | .key" | base64 -d > "$NEW_KEY_FILE"
+
+# check if the contents changed
+if ! diff -N "$NEW_CERT_FILE" "$CERT_FILE" > /dev/null; then
+ # certificate changed, rotate files
+ echo "Certificate $DOMAIN updated"
+ mv "$NEW_CERT_FILE" "$CERT_FILE"
+ mv "$NEW_KEY_FILE" "$KEY_FILE"
+else
+ # certificate unchanged, delete temporary files
+ echo "Certificate $DOMAIN unchanged"
+ rm -f "$NEW_CERT_FILE" "$NEW_KEY_FILE"
+fi
+
+cp "$OUTPUT_DIR/*.vaala.tech.key" "$OUTPUT_DIR/derper.vaala.tech.key"
+cp "$OUTPUT_DIR/*.vaala.tech.crt" "$OUTPUT_DIR/derper.vaala.tech.crt"
+
+exit 0
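Review bot: With `set -u` in effect, `DOMAIN="$1"` aborts with an unbound-variable error when the script is run without an argument, so the `No domain given` check right after it is never reached; `DOMAIN="${1:-}"` lets the friendly check fire. The two `cp "$OUTPUT_DIR/*.vaala.tech.key"` / `.crt` lines at the end look like a quoting bug but appear to rely on the glob being a literal file name written by an earlier run with `*.vaala.tech` as DOMAIN; a comment such as `# '*' is literal here: the wildcard cert is stored under its own SAN name` would keep the next reader from "fixing" the quotes. The `cat "$TRAEFIK_CERT_STORE" | jq -r ...` pipelines on the extract lines can pass the file to jq directly (`jq -r '...' "$TRAEFIK_CERT_STORE"`), and because the unchanged-branch only compares the certificate, a rotated key with an identical certificate would be discarded, which is worth stating in the comment above `diff -N`.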
diff --git a/cert/.gitkeep b/cert/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/docker-compose.yaml b/docker-compose.yaml
new file mode 100755
index 0000000..331a35e
--- /dev/null
+++ b/docker-compose.yaml
@@ -0,0 +1,61 @@
+services:
+ reverse-proxy:
+ image: traefik
+ restart: unless-stopped
+ ports:
+ - "30080:80"
+ - "30443:443"
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - ./traefik.yaml:/etc/traefik/traefik.yaml:ro
+ - ./log:/var/log/traefik
+ - ./acme.json:/acme.json
+ - ./cert:/cert
+ - ./dynamic.yaml:/etc/traefik/dynamic.yaml
+ environment:
+ - CLOUDFLARE_EMAIL=xxxxxxxxxxxxxxxxxx
+ - CLOUDFLARE_DNS_API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
+ labels:
+ - "traefik.http.routers.traefik-api.rule=Host(`traefik.vaala.tech`)"
+ - "traefik.http.routers.traefik-api.middlewares=traefik-forward-auth"
+ - "traefik.http.routers.traefik-api.tls=true"
+ - "traefik.http.routers.traefik-api.tls.certresolver=myresolver"
+ - "traefik.http.services.traefik-api.loadbalancer.server.port=8080"
+ networks:
+ - traefik
+
+ traefik-forward-auth:
+ image: thomseddon/traefik-forward-auth:2
+ env_file: .auth.env
+ restart: unless-stopped
+ volumes:
+ - /etc/resolv.conf:/etc/resolv.conf:ro
+ networks:
+ - traefik
+ labels:
+ - "traefik.http.routers.traefik-forward-auth.rule=Host(`auth.vaala.tech`)"
+ - "traefik.http.routers.traefik-forward-auth.tls.certresolver=myresolver"
+ - "traefik.http.routers.traefik-forward-auth.middlewares=traefik-forward-auth"
+ - "traefik.http.routers.traefik-forward-auth.tls=true"
+ - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
+ - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
+ - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
+
+ whoami:
+ image: containous/whoami
+ restart: unless-stopped
+ expose:
+ - 80
+ networks:
+ - traefik
+ labels:
+ - "traefik.http.routers.whoami.rule=Host(`whoami.vaala.tech`)"
+ - "traefik.http.routers.whoami.middlewares=traefik-forward-auth"
+ - "traefik.http.routers.whoami.tls=true"
+ - "traefik.http.routers.whoami.tls.certresolver=myresolver"
+ - "traefik.http.services.whoami.loadbalancer.server.port=80"
+
+networks:
+ traefik:
+ external:
+ name: traefik
diff --git a/dynamic.yaml b/dynamic.yaml
new file mode 100755
index 0000000..3b29f46
--- /dev/null
+++ b/dynamic.yaml
@@ -0,0 +1,57 @@
+http:
+ services:
+ # sunshine:
+ # loadBalancer:
+ # servers:
+ # - url: https://192.168.100.233:47990
+ v2raya:
+ loadBalancer:
+ servers:
+ - url: http://xxxxxxx:2017
+ kubegateway:
+ loadBalancer:
+ servers:
+ - url: http://x.x.x.x.x:31917
+
+ routers:
+ # sunshine:
+ # rule: Host(`sunshine.vaala.tech`)
+ # service: sunshine
+ # tls:
+ # certresolver: myresolver
+ # entryPoints:
+ # - websecure
+ # middlewares:
+ # - sushineauth
+ # - traefik-forward-auth@docker
+ # - autodetect
+ v2raya:
+ rule: Host(`xxx.vaala.tech`)
+ service: v2raya
+ tls:
+ certresolver: myresolver
+ entryPoints:
+ - websecure
+ middlewares:
+ - traefik-forward-auth@docker
+ kubegateway:
+ rule: HostRegexp(`{subdomain:[a-z0-9]+-gw}.vaala.tech`)
+ # rule: Host(`miku-gw.vaala.tech`)
+ service: kubegateway
+ tls:
+ certresolver: myresolver
+ domains:
+ - sans: "*.vaala.tech"
+ entryPoints:
+ - websecure
+
+ middlewares:
+ sushineauth:
+ headers:
+ customrequestheaders:
+ Authorization: Basic xxxxxxx
+ #customresponseheaders:
+ # X-Content-Type-Options: nosniff
+ autodetect:
+ contentType:
+ autoDetect: true
diff --git a/log/.gitkeep b/log/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/traefik.yaml b/traefik.yaml
new file mode 100755
index 0000000..723665a
--- /dev/null
+++ b/traefik.yaml
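Review bot: The Cloudflare DNS API token is written inline under `environment:` in the committed compose file, while the comparable OIDC secrets already live in `.auth.env`; move it to an env_file or to `- CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_DNS_API_TOKEN}` interpolation so the compose file itself holds no credential. `image: traefik` carries no tag, so any pull can move the proxy to a new major with different configuration keys; pin a version tag such as `traefik:v2.9`. The Docker socket is bind-mounted read-write into the proxy, which amounts to root on the host for anyone who reaches that container; a socket proxy exposing only the read-only endpoints Traefik needs is the usual mitigation. `./acme.json` is committed empty with mode 100644 and Traefik refuses an ACME store whose permissions are wider than 0600, so a `# must be chmod 600 before first start` comment next to the `./acme.json:/acme.json` mount would save a failed first boot.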
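Review bot: The `kubegateway` router matches every `*-gw.vaala.tech` host but, unlike `v2raya` and the label-defined routers in docker-compose, has no `middlewares:` entry, so it is reachable without the forward-auth step. If the gateway authenticates callers itself, state that next to the rule (`# no forward-auth: the gateway performs its own authentication`); otherwise add `middlewares:` with `- traefik-forward-auth@docker` as the other routers do. The `sushineauth` middleware embeds a static `Authorization: Basic xxxxxxx` value in the committed file even though the only router that referenced it is commented out; drop it or keep the credential out of the repository. The `v2raya` service `url` and router `Host` are still `xxx` placeholders and are presumably meant to be filled in before deployment.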
@@ -0,0 +1,41 @@
+entryPoints:
+ web:
+ address: ":80"
+ http:
+ redirections:
+ entryPoint:
+ to: websecure
+ scheme: https
+ permanent: true
+
+ websecure:
+ address: ":443"
+
+api:
+ insecure: true
+
+providers:
+ docker: {}
+ file:
+ filename: /etc/traefik/dynamic.yaml
+ watch: true
+
+log:
+ filePath: /var/log/traefik/common.log
+ format: json
+ level: INFO
+
+accessLog:
+ filePath: /var/log/traefik/access.log
+ format: json
+
+serversTransport:
+ insecureSkipVerify: true
+
+certificatesResolvers:
+ myresolver:
+ acme:
+ email: me@vaala.cat
+ storage: acme.json
+ dnsChallenge:
+ provider: cloudflare
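Review bot: `api: insecure: true` serves the dashboard and API unauthenticated on port 8080 of the container, which is what the `traefik-api` service label in docker-compose targets, but it is equally reachable by any other container on the shared `traefik` network without passing the forward-auth router; use `api: dashboard: true` (insecure left at its default) and point the compose router at the `api@internal` service so the authenticated router is the only path in. `providers: docker: {}` leaves `exposedByDefault` at true, so every container the socket can see gets a router unless it opts out with `traefik.enable=false`; `docker: exposedByDefault: false` makes exposure opt-in. `serversTransport: insecureSkipVerify: true` switches off backend certificate verification for all services although the file provider currently defines only `http://` backends, so a comment naming the HTTPS backend that needs it, or a named serversTransport scoped to that one service, would keep the default strict.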