Compare commits
No commits in common. "43579925e9ccb73d22ed69e41da3687b98ce0eea" and "ea85352a5f24f412e2c03de8f5134cac0bb76091" have entirely different histories.
43579925e9
...
ea85352a5f
3 changed files with 28 additions and 126 deletions
@ -1,51 +0,0 @@
|
|||
services:
|
||||
traefik:
|
||||
image: traefik:latest
|
||||
container_name: traefik-node${TRAEFIK_NODE_ID}
|
||||
network_mode: host
|
||||
extra_hosts:
|
||||
- "host.docker.internal:host-gateway"
|
||||
cpus: 1.0
|
||||
mem_limit: "1024m"
|
||||
mem_reservation: "128m"
|
||||
restart: always
|
||||
command:
|
||||
- "--api.dashboard=true"
|
||||
- "--api.insecure=true"
|
||||
- "--providers.docker=true"
|
||||
- "--providers.docker.exposedbydefault=false"
|
||||
- "--providers.docker.useBindPortIP=false"
|
||||
- "--entrypoints.web.address=:80"
|
||||
- "--entrypoints.websecure.address=:443"
|
||||
# Variables for flexibility
|
||||
- "--providers.docker.network=${HOME_EXT_NETWORK},${DNS_EXT_NETWORK}"
|
||||
- "--providers.file.directory=/etc/traefik/dynamic"
|
||||
- "--providers.file.watch=true"
|
||||
## DNS resolver
|
||||
- "--certificatesresolvers.dns_resolver.acme.dnschallenge=true"
|
||||
- "--certificatesresolvers.dns_resolver.acme.dnschallenge.provider=desec"
|
||||
- "--certificatesresolvers.dns_resolver.acme.dnschallenge.delaybeforecheck=90"
|
||||
- "--certificatesresolvers.dns_resolver.acme.dnschallenge.disablepropagationcheck=true"
|
||||
- "--certificatesresolvers.dns_resolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
|
||||
- "--certificatesresolvers.dns_resolver.acme.email=${ACME_EMAIL}"
|
||||
- "--certificatesresolvers.dns_resolver.acme.storage=/letsencrypt/acme.json"
|
||||
## HTTP Resolver
|
||||
- "--certificatesresolvers.http_resolver.acme.httpchallenge=true"
|
||||
- "--certificatesresolvers.http_resolver.acme.httpchallenge.entrypoint=web"
|
||||
- "--certificatesresolvers.http_resolver.acme.storage=/letsencrypt/acme.json"
|
||||
- "--certificatesresolvers.http_resolver.acme.email=${ACME_EMAIL}"
|
||||
## mysresolver resolver for old configs
|
||||
- "--certificatesresolvers.myresolver.acme.dnschallenge=true"
|
||||
- "--certificatesresolvers.myresolver.acme.dnschallenge.provider=desec"
|
||||
- "--certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=90"
|
||||
- "--certificatesresolvers.myresolver.acme.dnschallenge.disablepropagationcheck=true"
|
||||
- "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
|
||||
- "--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL}"
|
||||
- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
|
||||
environment:
|
||||
- DESEC_TOKEN=${DESEC_TOKEN}
|
||||
- DESEC_DOMAIN=${DESEC_DOMAIN}
|
||||
volumes:
|
||||
- "/var/run/docker.sock:/var/run/docker.sock:ro"
|
||||
- "/docker/traefik/letsencrypt:/letsencrypt"
|
||||
- "/docker/traefik/dynamic:/etc/traefik/dynamic"
@ -10,40 +10,41 @@ services:
|
|||
mem_reservation: "128m"
|
||||
restart: always
|
||||
command:
|
||||
# --- Core & API ---
|
||||
- "--api.dashboard=true"
|
||||
# REMOVED: --api.insecure=true (We will route the dashboard securely via Traefik labels instead)
|
||||
- "--api.insecure=true"
|
||||
- "--providers.docker=true"
|
||||
- "--providers.docker.exposedbydefault=false"
|
||||
- "--providers.docker.network=${HOME_EXT_NETWORK},${DNS_EXT_NETWORK}" # Ensure these are correct!
|
||||
- "--providers.docker.useBindPortIP=false"
|
||||
- "--entrypoints.web.address=:80"
|
||||
- "--entrypoints.websecure.address=:443"
|
||||
# Variables for flexibility
|
||||
- "--providers.docker.network=${HOME_EXT_NETWORK},${DNS_EXT_NETWORK}"
|
||||
- "--providers.file.directory=/etc/traefik/dynamic"
|
||||
- "--providers.file.watch=true"
|
||||
|
||||
# --- Entrypoints ---
|
||||
- "--entrypoints.web.address=:80"
|
||||
# Global Redirect: Force HTTP -> HTTPS for everyone
|
||||
- "--entrypoints.web.http.redirections.entryPoint.to=websecure"
|
||||
- "--entrypoints.web.http.redirections.entryPoint.scheme=https"
|
||||
|
||||
- "--entrypoints.websecure.address=:443"
|
||||
# WILDCARD BLANKET: This tells Traefik "Use deSEC to get a wildcard cert for EVERYTHING on port 443"
|
||||
- "--entrypoints.websecure.http.tls.certresolver=desec"
|
||||
- "--entrypoints.websecure.http.tls.domains[0].main=mapletree.email"
|
||||
- "--entrypoints.websecure.http.tls.domains[0].sans=*.mapletree.email"
|
||||
- "--entrypoints.websecure.http.tls.domains[0].sans=*.dev.mapletree.email" # Optional: Add your dev subdomain too
|
||||
- "--entrypoints.websecure.http.tls.domains[0].sans=*.test.mapletree.email"
|
||||
|
||||
# --- One Resolver to Rule Them All (deSEC) ---
|
||||
# I renamed this to 'desec' for clarity.
|
||||
- "--certificatesresolvers.desec.acme.dnschallenge=true"
|
||||
- "--certificatesresolvers.desec.acme.dnschallenge.provider=desec"
|
||||
- "--certificatesresolvers.desec.acme.email=${ACME_EMAIL}"
|
||||
- "--certificatesresolvers.desec.acme.storage=/letsencrypt/acme.json"
|
||||
# Optimization: deSEC is fast; we don't need massive delays or propagation checks
|
||||
- "--certificatesresolvers.desec.acme.dnschallenge.delaybeforecheck=10"
|
||||
- "--certificatesresolvers.desec.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
|
||||
## DNS resolver
|
||||
- "--certificatesresolvers.dns_resolver.acme.dnschallenge=true"
|
||||
- "--certificatesresolvers.dns_resolver.acme.dnschallenge.provider=desec"
|
||||
- "--certificatesresolvers.dns_resolver.acme.dnschallenge.delaybeforecheck=90"
|
||||
- "--certificatesresolvers.dns_resolver.acme.dnschallenge.disablepropagationcheck=true"
|
||||
- "--certificatesresolvers.dns_resolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
|
||||
- "--certificatesresolvers.dns_resolver.acme.email=${ACME_EMAIL}"
|
||||
- "--certificatesresolvers.dns_resolver.acme.storage=/letsencrypt/acme.json"
|
||||
## HTTP Resolver
|
||||
- "--certificatesresolvers.http_resolver.acme.httpchallenge=true"
|
||||
- "--certificatesresolvers.http_resolver.acme.httpchallenge.entrypoint=web"
|
||||
- "--certificatesresolvers.http_resolver.acme.storage=/letsencrypt/acme.json"
|
||||
- "--certificatesresolvers.http_resolver.acme.email=${ACME_EMAIL}"
|
||||
## mysresolver resolver for old configs
|
||||
- "--certificatesresolvers.myresolver.acme.dnschallenge=true"
|
||||
- "--certificatesresolvers.myresolver.acme.dnschallenge.provider=desec"
|
||||
- "--certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=90"
|
||||
- "--certificatesresolvers.myresolver.acme.dnschallenge.disablepropagationcheck=true"
|
||||
- "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
|
||||
- "--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL}"
|
||||
- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
|
||||
environment:
|
||||
- DESEC_TOKEN=${DESEC_TOKEN}
|
||||
- DESEC_DOMAIN=${DESEC_DOMAIN}
|
||||
volumes:
|
||||
- "/var/run/docker.sock:/var/run/docker.sock:ro"
|
||||
- "/docker/traefik/letsencrypt:/letsencrypt"
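Review bot: `--api.insecure=true` still appears directly below the comment claiming it was removed; if that line survives on the new side, the API and dashboard listen on :8080 with no authentication, and with `network_mode: host` that is on every interface of the host. Delete it and publish the dashboard through a `websecure` router behind an auth middleware as the comment describes; the `:ro` on the docker.sock mount does not restrict the Docker API, so an open dashboard on a socket-holding container is effectively host-level exposure. The `domains[0].sans=` flag is given three times; Traefik's CLI parser keys options by name, so repeating it most likely keeps only one value — use a single comma-separated flag, `--entrypoints.websecure.http.tls.domains[0].sans=*.mapletree.email,*.dev.mapletree.email,*.test.mapletree.email`. `--providers.docker.network=${HOME_EXT_NETWORK},${DNS_EXT_NETWORK}` also appears twice in the hunk, which looks like an old/new pair but should be confirmed so the new side carries it once. The `volumes` list runs past the end of the hunk, so whether `/docker/traefik/dynamic` is still mounted for `--providers.file.directory` cannot be checked here.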
|
||||
@ -1,48 +0,0 @@
|
|||
services:
|
||||
forgejo:
|
||||
image: codeberg.org/forgejo/forgejo:9.0
|
||||
container_name: fj-node${FJ_NODE_ID}
|
||||
restart: always
|
||||
environment:
|
||||
- FORGEJO__database__DB_TYPE=mysql
|
||||
- FORGEJO__database__HOST=172.16.201.150
|
||||
- FORGEJO__database__PORT=3306
|
||||
- FORGEJO__database__NAME=${FJ_DB_NAME}
|
||||
- FORGEJO__database__USER=${FJ_DB_USER}
|
||||
- FORGEJO__database__PASSWD=${FJ_DB_PASS}
|
||||
- FORGEJO__server__DOMAIN=git.${TRAEFIK_DNS_SUFFIX}
|
||||
- FORGEJO__server__ROOT_URL=https://git.${TRAEFIK_DNS_SUFFIX}/
|
||||
- FORGEJO__server__SSH_PORT=2222
|
||||
|
||||
volumes:
|
||||
- /git_data:/data
|
||||
- /etc/timezone:/etc/timezone:ro
|
||||
- /etc/localtime:/etc/localtime:ro
|
||||
ports:
|
||||
- "3022:3000"
|
||||
- "2222:22"
|
||||
networks:
|
||||
- fj_external
|
||||
labels:
|
||||
- "traefik.enable=${TRAEFIK_ENABLE}"
|
||||
- "traefik.docker.network=fj_external"
|
||||
|
||||
# --- SHARED HA ROUTER (git.domain.com) ---
|
||||
- "traefik.http.routers.forgejo-shared-${FJ_NODE_ID}.rule=Host(`git.${TRAEFIK_DNS_SUFFIX}`)"
|
||||
- "traefik.http.routers.forgejo-shared-${FJ_NODE_ID}.entrypoints=${TRAEFIK_ENTRY_POINTS}"
|
||||
- "traefik.http.routers.forgejo-shared-${FJ_NODE_ID}.tls.certresolver=${TRAEFIK_RESOLVER}"
|
||||
- "traefik.http.routers.forgejo-shared-${FJ_NODE_ID}.service=forgejo-common-svc"
|
||||
|
||||
# --- NODE-SPECIFIC ADMIN ROUTER (git1... git2...) ---
|
||||
- "traefik.http.routers.forgejo-admin-${FJ_NODE_ID}.rule=Host(`git${FJ_NODE_ID}.${TRAEFIK_DNS_SUFFIX}`)"
|
||||
- "traefik.http.routers.forgejo-admin-${FJ_NODE_ID}.entrypoints=${TRAEFIK_ENTRY_POINTS}"
|
||||
- "traefik.http.routers.forgejo-admin-${FJ_NODE_ID}.tls.certresolver=${TRAEFIK_RESOLVER}"
|
||||
- "traefik.http.routers.forgejo-admin-${FJ_NODE_ID}.service=forgejo-common-svc"
|
||||
|
||||
# --- SHARED SERVICE ---
|
||||
- "traefik.http.services.forgejo-common-svc.loadbalancer.server.port=3000"
|
||||
# Forgejo benefits from sticky sessions to keep the web-git terminal stable
|
||||
- "traefik.http.services.forgejo-common-svc.loadbalancer.sticky.cookie=true"
|
||||
networks:
|
||||
fj_external:
|
||||
external: true