change traefik to use wildcard instead of specifics
This commit is contained in:
parent
ea85352a5f
commit
297e47379f
2 changed files with 78 additions and 28 deletions
51
lxc1/p1-ingress/pre-consolidation-traefik.bak0
Normal file
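--- /dev/null
+++ b/lxc1/p1-ingress/pre-consolidation-traefik.bak0
@@ -0,0 +1,51 @@
+services:
+traefik:
+image: traefik:latest
+container_name: traefik-node${TRAEFIK_NODE_ID}
+network_mode: host
+extra_hosts:
+- "host.docker.internal:host-gateway"
+cpus: 1.0
+mem_limit: "1024m"
+mem_reservation: "128m"
+restart: always
+command:
+- "--api.dashboard=true"
+- "--api.insecure=true"
+- "--providers.docker=true"
+- "--providers.docker.exposedbydefault=false"
+- "--providers.docker.useBindPortIP=false"
+- "--entrypoints.web.address=:80"
+- "--entrypoints.websecure.address=:443"
+# Variables for flexibility
+- "--providers.docker.network=${HOME_EXT_NETWORK},${DNS_EXT_NETWORK}"
+- "--providers.file.directory=/etc/traefik/dynamic"
+- "--providers.file.watch=true"
+## DNS resolver
+- "--certificatesresolvers.dns_resolver.acme.dnschallenge=true"
+- "--certificatesresolvers.dns_resolver.acme.dnschallenge.provider=desec"
+- "--certificatesresolvers.dns_resolver.acme.dnschallenge.delaybeforecheck=90"
+- "--certificatesresolvers.dns_resolver.acme.dnschallenge.disablepropagationcheck=true"
+- "--certificatesresolvers.dns_resolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
+- "--certificatesresolvers.dns_resolver.acme.email=${ACME_EMAIL}"
+- "--certificatesresolvers.dns_resolver.acme.storage=/letsencrypt/acme.json"
+## HTTP Resolver
+- "--certificatesresolvers.http_resolver.acme.httpchallenge=true"
+- "--certificatesresolvers.http_resolver.acme.httpchallenge.entrypoint=web"
+- "--certificatesresolvers.http_resolver.acme.storage=/letsencrypt/acme.json"
+- "--certificatesresolvers.http_resolver.acme.email=${ACME_EMAIL}"
+## mysresolver resolver for old configs
+- "--certificatesresolvers.myresolver.acme.dnschallenge=true"
+- "--certificatesresolvers.myresolver.acme.dnschallenge.provider=desec"
+- "--certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=90"
+- "--certificatesresolvers.myresolver.acme.dnschallenge.disablepropagationcheck=true"
+- "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
+- "--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL}"
+- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
+environment:
+- DESEC_TOKEN=${DESEC_TOKEN}
+- DESEC_DOMAIN=${DESEC_DOMAIN}
+volumes:
+- "/var/run/docker.sock:/var/run/docker.sock:ro"
+- "/docker/traefik/letsencrypt:/letsencrypt"
+- "/docker/traefik/dynamic:/etc/traefik/dynamic"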
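Review bot: Committing a `.bak0` copy of the previous compose file next to the live one duplicates what the parent commit ea85352a5f already preserves, and the copy keeps `--api.insecure=true` together with `network_mode: host`, so restoring it by mistake would bring the unauthenticated dashboard back on the host. `git show ea85352a5f:<path>` gives the same rollback without a second file drifting in the tree. If the backup has to stay, a first-line comment such as `# Archived pre-consolidation copy - not a deployable compose file; superseded by the wildcard config` makes that explicit to the next person who finds it.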
@ -10,41 +10,40 @@ services:
|
||||||
mem_reservation: "128m"
|
mem_reservation: "128m"
|
||||||
restart: always
|
restart: always
|
||||||
command:
|
command:
|
||||||
|
# --- Core & API ---
|
||||||
- "--api.dashboard=true"
|
- "--api.dashboard=true"
|
||||||
- "--api.insecure=true"
|
# REMOVED: --api.insecure=true (We will route the dashboard securely via Traefik labels instead)
|
||||||
- "--providers.docker=true"
|
- "--providers.docker=true"
|
||||||
- "--providers.docker.exposedbydefault=false"
|
- "--providers.docker.exposedbydefault=false"
|
||||||
- "--providers.docker.useBindPortIP=false"
|
- "--providers.docker.network=${HOME_EXT_NETWORK},${DNS_EXT_NETWORK}" # Ensure these are correct!
|
||||||
- "--entrypoints.web.address=:80"
|
|
||||||
- "--entrypoints.websecure.address=:443"
|
|
||||||
# Variables for flexibility
|
|
||||||
- "--providers.docker.network=${HOME_EXT_NETWORK},${DNS_EXT_NETWORK}"
|
|
||||||
- "--providers.file.directory=/etc/traefik/dynamic"
|
- "--providers.file.directory=/etc/traefik/dynamic"
|
||||||
- "--providers.file.watch=true"
|
- "--providers.file.watch=true"
|
||||||
## DNS resolver
|
|
||||||
- "--certificatesresolvers.dns_resolver.acme.dnschallenge=true"
|
# --- Entrypoints ---
|
||||||
- "--certificatesresolvers.dns_resolver.acme.dnschallenge.provider=desec"
|
- "--entrypoints.web.address=:80"
|
||||||
- "--certificatesresolvers.dns_resolver.acme.dnschallenge.delaybeforecheck=90"
|
# Global Redirect: Force HTTP -> HTTPS for everyone
|
||||||
- "--certificatesresolvers.dns_resolver.acme.dnschallenge.disablepropagationcheck=true"
|
- "--entrypoints.web.http.redirections.entryPoint.to=websecure"
|
||||||
- "--certificatesresolvers.dns_resolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
|
- "--entrypoints.web.http.redirections.entryPoint.scheme=https"
|
||||||
- "--certificatesresolvers.dns_resolver.acme.email=${ACME_EMAIL}"
|
|
||||||
- "--certificatesresolvers.dns_resolver.acme.storage=/letsencrypt/acme.json"
|
- "--entrypoints.websecure.address=:443"
|
||||||
## HTTP Resolver
|
# WILDCARD BLANKET: This tells Traefik "Use deSEC to get a wildcard cert for EVERYTHING on port 443"
|
||||||
- "--certificatesresolvers.http_resolver.acme.httpchallenge=true"
|
- "--entrypoints.websecure.http.tls.certresolver=desec"
|
||||||
- "--certificatesresolvers.http_resolver.acme.httpchallenge.entrypoint=web"
|
- "--entrypoints.websecure.http.tls.domains[0].main=mapletree.email"
|
||||||
- "--certificatesresolvers.http_resolver.acme.storage=/letsencrypt/acme.json"
|
- "--entrypoints.websecure.http.tls.domains[0].sans=*.mapletree.email"
|
||||||
- "--certificatesresolvers.http_resolver.acme.email=${ACME_EMAIL}"
|
- "--entrypoints.websecure.http.tls.domains[0].sans=*.dev.mapletree.email" # Optional: Add your dev subdomain too
|
||||||
## mysresolver resolver for old configs
|
- "--entrypoints.websecure.http.tls.domains[0].sans=*.test.mapletree.email"
|
||||||
- "--certificatesresolvers.myresolver.acme.dnschallenge=true"
|
|
||||||
- "--certificatesresolvers.myresolver.acme.dnschallenge.provider=desec"
|
# --- One Resolver to Rule Them All (deSEC) ---
|
||||||
- "--certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=90"
|
# I renamed this to 'desec' for clarity.
|
||||||
- "--certificatesresolvers.myresolver.acme.dnschallenge.disablepropagationcheck=true"
|
- "--certificatesresolvers.desec.acme.dnschallenge=true"
|
||||||
- "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
|
- "--certificatesresolvers.desec.acme.dnschallenge.provider=desec"
|
||||||
- "--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL}"
|
- "--certificatesresolvers.desec.acme.email=${ACME_EMAIL}"
|
||||||
- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
|
- "--certificatesresolvers.desec.acme.storage=/letsencrypt/acme.json"
|
||||||
|
# Optimization: deSEC is fast; we don't need massive delays or propagation checks
|
||||||
|
- "--certificatesresolvers.desec.acme.dnschallenge.delaybeforecheck=10"
|
||||||
|
- "--certificatesresolvers.desec.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
|
||||||
environment:
|
environment:
|
||||||
- DESEC_TOKEN=${DESEC_TOKEN}
|
- DESEC_TOKEN=${DESEC_TOKEN}
|
||||||
- DESEC_DOMAIN=${DESEC_DOMAIN}
|
|
||||||
volumes:
|
volumes:
|
||||||
- "/var/run/docker.sock:/var/run/docker.sock:ro"
|
- "/var/run/docker.sock:/var/run/docker.sock:ro"
|
||||||
- "/docker/traefik/letsencrypt:/letsencrypt"
|
- "/docker/traefik/letsencrypt:/letsencrypt"
|
||||||
|
|
|
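Review bot: The three `--entrypoints.websecure.http.tls.domains[0].sans=` flags (the `*.mapletree.email`, `*.dev.mapletree.email` and `*.test.mapletree.email` lines) set the same key three times, and whether Traefik's flag parser appends repeated keys or keeps only the last is not something this hunk guarantees; if only the last survives, the issued wildcard would cover just `*.test.mapletree.email`. The documented form is one comma-separated value, `- "--entrypoints.websecure.http.tls.domains[0].sans=*.mapletree.email,*.dev.mapletree.email,*.test.mapletree.email"`, and the `# Optional` remark on the dev line understates it, since a wildcard matches a single label and `*.mapletree.email` does not cover hosts under `dev.` or `test.`. The resolvers `dns_resolver`, `http_resolver` and `myresolver` are deleted, so any container label or file under `/etc/traefik/dynamic` that still names them has to move to `desec`; otherwise those routers presumably fall back to the entrypoint default certificate and log an unknown-resolver error, which is worth verifying before deploy. The comment replacing `--api.insecure=true` promises dashboard routing via labels, but no such labels appear in this hunk, so until a router for `api@internal` behind an auth middleware exists the dashboard is simply unreachable, safe but worth stating in the comment. The `services:`/`traefik:` mapping that encloses these lines begins before the hunk.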
||||||