updated frigate, mosquitto and traefik

2025-12-09 17:57:34 +02:00 · 2025-12-09 17:57:34 +02:00 · 3084ac7541
commit 3084ac7541
parent 3f05874d73
6 changed files with 77 additions and 85 deletions
--- a/frigate/compose.yaml
+++ b/frigate/compose.yaml
@ -47,6 +47,11 @@ services:
      - traefik.enable=true
      - traefik.docker.network=traefik-net
      - traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${INTERNAL_PORT}
+      # to ensure connection from traefik to frigate backend is secure, set scheme to https
+      #- traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.scheme=https
+      - traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.usersfile=/mnt/users/${APPLICATION_NAME}.txt"
+      - traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=${APPLICATION_NAME}-auth"
+      - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=${APPLICATION_NAME}-auth"
      - traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web
      - traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${WEBAPP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)
      - traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-secureHeaders-redirect@file
--- a/mosquitto/.env
+++ b/mosquitto/.env
@ -1,8 +1,6 @@
 APPLICATION_NAME=mosquitto

 DOCKERDIR=/opt
-#MEDIADIR=/mnt/stpool1/NData1/Media
-#DOWNLOADSDIR=/mnt/stpool1/Downloads

 STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
 DATAROOT=${DOCKERDIR}/data
--- a/mosquitto/compose.yaml
+++ b/mosquitto/compose.yaml
@ -21,34 +21,34 @@ services:

    # ports 1883, 8883 and 9001
    # 9001 not implemented
-#    labels:
-#      - traefik.enable=true
-#      - traefik.docker.network=traefik-net
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
      #
      # tcp services
      # -------------
-#      - traefik.tcp.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${SERVICE_PORT}
+      - traefik.tcp.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${SERVICE_PORT}
      #- "traefik.tcp.services.${APPLICATION_NAME}-secure-svc.loadbalancer.server.port=${SECURE_SERVICE_PORT}"
      #
      # tcp routers
      # ------------
      # limit router to mqtt ":1883" entrypoint
-#      - traefik.tcp.routers.${APPLICATION_NAME}-rtr.entrypoints=mqtt
+      - traefik.tcp.routers.${APPLICATION_NAME}-rtr.entrypoints=mqtt
      # set match criteria for router
-#      - traefik.tcp.routers.${APPLICATION_NAME}-rtr.rule=HostSNI(`*`)
+      - traefik.tcp.routers.${APPLICATION_NAME}-rtr.rule=HostSNI(`*`)
      # assign svc target to routers
-#      - traefik.tcp.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc
+      - traefik.tcp.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc
      #
      # limit router to mqttsecure ":8883" entrypoint
- #     - traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=mqttsecure
+      - traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=mqttsecure
      # set match criteria for router
- #     - traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.rule=HostSNI(`${APPLICATION_NAME}.${DOMAINNAME}`) || HostSNI(`mqtt.${DOMAINNAME}`)
+      - traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.rule=HostSNI(`${APPLICATION_NAME}.${DOMAINNAME}`) || HostSNI(`mqtt-px.${DOMAINNAME}`)
      # set router to be dedicated to secure requests only for the host specified in match criteria 
-#      - traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.tls=true
+      - traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.tls=true
      # passthrough tls
-#      - traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.tls.passthrough=true
+      - traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.tls.passthrough=true
      # generate certificates using following certresolver
-#      - traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns
+      - traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns
      # assign svc target to routers
      #- "traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-secure-svc"
-#      - traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc # use same svc as non-secure router to avoid issues with certificates on mosquitto
+      - traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc # use same svc as non-secure router to avoid issues with certificates on mosquitto
--- a/traefik/.env
+++ b/traefik/.env
@ -20,4 +20,3 @@ PGID=3011
 TZ=Africa/Johannesburg

 PING_PORT=8083
-WEBAPP_PING=traefik-ping
--- a/traefik/compose.yaml
+++ b/traefik/compose.yaml
@ -40,70 +40,56 @@ services:
    command:
      - --configFile=/config/traefik.yml
    ports:
-      - name: "web"
-        target: 80         # container port
-        host_ip: 0.0.0.0   # host IP; 0.0.0.0 binds to all network interfaces
-        published: "80"    # publicly exposed port, defined as a string
-        protocol: tcp      # port protocol
-        app_protocol: http # application protocol (TCP/IP level 4 / OSI level 7) this port is used for
-        mode: host         # how port is published in swarm setup
-
-      - name: "websecure"
+      - name: web
+        target: 80
+        host_ip: 0.0.0.0
+        published: "80"
+        protocol: tcp
+        app_protocol: http
+        mode: host
+      - name: websecure
        target: 443
        host_ip: 0.0.0.0
        published: "443"
        protocol: tcp
        app_protocol: http
        mode: host
-
-#      - name: "traefik"   # dashboard port - use when not using labels below / reverse proxy for traefik itself
-#        target: 8080
-#        host_ip: 0.0.0.0
-#        published: "8080"
-#        protocol: tcp
-#        app_protocol: http
-#        mode: host
-
-#      - target: 51820
-#        published: "51820"
-#        protocol: udp
-#        mode: host
-#      - target: 32400
-#        published: "32400"
-#        protocol: tcp
-#        mode: host
-#      - target: 1883
-#        published: "1883"
-#        protocol: tcp
-#        mode: host
-#      - target: 8883
-#        published: "8883"
-#        protocol: tcp
-#        mode: host
-#      - target: 19132
-#        published: "19132"
-#        protocol: udp
-#        mode: host
-#      - target: 25565
-#        published: "25565"
-#        protocol: udp
-#        mode: host
-#      - target: 25575
-#        published: "25575"
-#        protocol: tcp
-#        mode: host
-#      - target: 8083
-#        published: "8083"
-#        protocol: tcp
-#        mode: host
-#      - target: 8306
-#        published: "8306"
-#        protocol: tcp
-#        mode: host
-#      - target: 9306
-#        published: "9306"
-#        protocol: tcp
-#        mode: host
+      - name: mqtt
+        target: 1883
+        published: "1883"
+        protocol: tcp
+        app_protocol: mqtt
+        mode: host
+      - name: mqttsecure
+        target: 8883
+        published: "8883"
+        protocol: tcp
+        app_protocol: mqtt
+        mode: host
+    #      - target: 19132
+    #        published: "19132"
+    #        protocol: udp
+    #        mode: host
+    #      - target: 25565
+    #        published: "25565"
+    #        protocol: udp
+    #        mode: host
+    #      - target: 25575
+    #        published: "25575"
+    #        protocol: tcp
+    #        mode: host
+    #      - target: 8083
+    #        published: "8083"
+    #        protocol: tcp
+    #        mode: host
+    #      - target: 8306
+    #        published: "8306"
+    #        protocol: tcp
+    #        mode: host
+    #      - target: 9306
+    #        published: "9306"
+    #        protocol: tcp
+    #        mode: host
    secrets:
      - cf_dns_api_token
    volumes:
@ -117,17 +103,22 @@ services:
      #
      # http routers
      # ------------
-      # http://traefik-px.sthome.org/ping
+      # http://traefik-px-ping.sthome.org/ping
      - traefik.http.routers.${APPLICATION_NAME}-ping-rtr.entrypoints=web
-      - traefik.http.routers.${APPLICATION_NAME}-ping-rtr.rule=Host(`${WEBAPP_PING}.${DOMAINNAME}`)&& PathPrefix(`/`)
-
+      - traefik.http.routers.${APPLICATION_NAME}-ping-rtr.rule=Host(`${WEBAPP_NAME}-ping.${DOMAINNAME}`)&&
+        PathPrefix(`/`)
+      # http://traefik-px.sthome.org/
      - traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web
-      - traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${WEBAPP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)
+      - traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${WEBAPP_NAME}.${DOMAINNAME}`)&&
+        PathPrefix(`/`) || Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&&
+        PathPrefix(`/`)
      # https://appname.domainname/
      - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure
-      - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${WEBAPP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)
+      - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${WEBAPP_NAME}.${DOMAINNAME}`)&&
+        PathPrefix(`/`) || Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&&
+        PathPrefix(`/`)
      - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true
-#      - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options.yml@file
+      #      - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options.yml@file
      - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns
      #- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.domains[0].main=${DOMAINNAME}"
      #- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.domains[0].sans=*.${DOMAINNAME}"
@ -144,7 +135,6 @@ services:
      # http services
      # -------------
      - traefik.http.services.${APPLICATION_NAME}-ping-svc.loadbalancer.server.port=${PING_PORT}
-
      # assign services to routers
      - traefik.http.routers.${APPLICATION_NAME}-ping-rtr.service=${APPLICATION_NAME}-ping-svc
      - traefik.http.routers.${APPLICATION_NAME}-rtr.service=api@internal
--- a/traefik/config/traefik.yml
+++ b/traefik/config/traefik.yml
@ -71,11 +71,11 @@ entryPoints:
  ping:
    address: ":8083"

-#  mqtt:
-#    address: ":1883"
+  mqtt:
+    address: ":1883"

-#  mqttsecure:
-#    address: ":8883"
+  mqttsecure:
+    address: ":8883"

 ping:
  entryPoint: "ping"