added traefik, mosquitto and home-assistant stacks

This commit is contained in:
Chris Stuurman 2025-12-08 12:32:28 +02:00
parent d6741e6d4c
commit d3778e8d78
95 changed files with 2630 additions and 0 deletions

27
home-assistant/.env Normal file

@ -0,0 +1,27 @@
#
# values to be used for substitution by docker compose in compose.yml AND .*.env files
#
DOMAINNAME=sthome.org
APPLICATION_NAME=home-assistant
DOCKERDIR=/opt
#MEDIADIR=/mnt/stpool1/NData1/Media
#DOWNLOADSDIR=/mnt/stpool1/Downloads
STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
DATAROOT=${DOCKERDIR}/data
DATADIR=${DATAROOT}/${APPLICATION_NAME}
SECRETSDIR=${STACKSDIR}/secrets
WEBUI_PORT=8123
HOME_ASSISTANT_LOCAL=10.0.2.253 # for mDNS
#
# Generate DB_PASSWORD with:
# openssl rand 36 | base64 -w 0 > /mnt/SSD1/docker/stacks/home-assistant/secrets/home-assistant_postgresql_password
POSTGRES_DB_PORT=5432
POSTGRES_DB_HOST=home-assistant_postgresql
POSTGRES_DB_NAME=/run/secrets/home-assistant_postgresql_database
POSTGRES_DB_USER=/run/secrets/home-assistant_postgresql_username
POSTGRES_DB_PASSWORD=/run/secrets/home-assistant_postgresql_password
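Review bot: The generation hint on L30 writes the password under `/mnt/SSD1/docker/stacks/home-assistant/secrets/`, but `SECRETSDIR` in this file resolves to `/opt/stacks/home-assistant/secrets` (`DOCKERDIR=/opt`, L19–L25), so following the comment literally puts the file where compose.yml's `secrets:` entries will not find it; change the comment to `# openssl rand 36 | base64 -w 0 > ${SECRETSDIR}/home-assistant_postgresql_password`. The three `POSTGRES_DB_*` values on L33–L35 are in-container secret paths rather than values, which the names do not convey; a one-line comment such as `# in-container paths of the docker secrets (not the values); mapped to POSTGRES_*_FILE in .postgresql.env` would prevent someone pasting a real password here. Inline `# comment` suffixes on unquoted values (L27, L46) are fine for Compose but are taken literally by other dotenv readers, so keep that in mind if these files are ever sourced by a shell.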


@ -0,0 +1,12 @@
#
# environment variables for home-assistant
#
PUID=3035
PGID=3034
TZ=Africa/Johannesburg
PORT=${WEBUI_PORT} #8123


@ -0,0 +1,9 @@
PUID=70
PGID=70
TZ=Africa/Johannesburg
DB_HOST=${POSTGRES_DB_HOST}
DB_PORT=${POSTGRES_DB_PORT}
POSTGRES_DB_FILE=${POSTGRES_DB_NAME}
POSTGRES_USER_FILE=${POSTGRES_DB_USER}
POSTGRES_PASSWORD_FILE=${POSTGRES_DB_PASSWORD}


@ -0,0 +1,83 @@
name: home-assistant
secrets:
home-assistant_postgresql_database:
file: ${SECRETSDIR}/home-assistant_postgresql_database
home-assistant_postgresql_password:
file: ${SECRETSDIR}/home-assistant_postgresql_password
home-assistant_postgresql_username:
file: ${SECRETSDIR}/home-assistant_postgresql_username
networks:
postgres-net:
external: true
traefik-net:
external: true
services:
home-assistant:
image: ghcr.io/home-assistant/home-assistant:stable
hostname: home-assistant
privileged: true
volumes:
- /etc/localtime:/etc/localtime:ro
- ${DATADIR}/config:/config
# - /run/dbus:/run/dbus:ro
restart: unless-stopped
env_file: .home-assistant.env
ports:
- 8123:8123
networks:
traefik-net: null
postgres-net: null
# macvlan1:
# ipv4_address: ${HOME_ASSISTANT_LOCAL}
depends_on:
postgresql:
condition: service_healthy
# labels:
# - traefik.enable=true
# - traefik.docker.network=traefik-net
# - traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}
# - traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web
# - traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&&
# PathPrefix(`/`)
# - traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-secureHeaders-redirect@file
# - traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc
# - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure
# - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&&
# PathPrefix(`/`)
# - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-secureHeaders@file
# - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true
# - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file
# - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns
# - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc
# for mDNS
# avahi-tools:
# volumes:
# - /run/dbus:/var/run/dbus
# - /run/avahi-daemon:/var/run/avahi-daemon
# image: ahasbini/avahi-tools:latest
# command: avahi-publish -a home-assistant.local ${HOME_ASSISTANT_LOCAL}
postgresql:
image: postgres:16-alpine
hostname: ${APPLICATION_NAME}_postgresql
shm_size: 128mb # https://hub.docker.com/_/postgres
restart: unless-stopped
env_file: .postgresql.env
healthcheck:
test:
- CMD-SHELL
- pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}
start_period: 20s
interval: 30s
retries: 5
timeout: 5s
networks:
postgres-net:
aliases:
- home-assistant_postgresql
secrets:
- home-assistant_postgresql_database
- home-assistant_postgresql_password
- home-assistant_postgresql_username
volumes:
- ${DATADIR}/pgdata:/var/lib/postgresql/data
- ${DATADIR}/pgbackups:/mnt/backups
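Review bot: The healthcheck on L130 expands `$${POSTGRES_DB}` and `$${POSTGRES_USER}` inside the container, but `.postgresql.env` (L50–L58) only sets the `*_FILE` variants, so both arguments are empty and `pg_isready` runs with defaults; the `service_healthy` condition on L96 then passes for reasons unrelated to the configured database. Read the secret files instead: `pg_isready -d "$$(cat $$POSTGRES_DB_FILE)" -U "$$(cat $$POSTGRES_USER_FILE)"`. Separately, `privileged: true` on L80 hands the Home Assistant container every host device and capability; if it is only there for a USB or Bluetooth dongle, a `devices:` entry plus the specific capability is the narrower option and the reason should be recorded in a comment. With `8123:8123` on L88 bound to all interfaces and the traefik labels commented out, the UI is reachable directly on the host rather than through the proxy, which may be intentional but deserves a note.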


@ -0,0 +1 @@
home-assistant


@ -0,0 +1 @@
M1ykv2TSzPD4c7lq4ixyBIl/q9kf4NyVIziQ3Yzansst4kZx
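Review bot: This one-line file lives under the stack's `secrets/` directory that compose.yml references through `SECRETSDIR` (L66–L70), and its shape matches the `openssl rand 36 | base64` recipe in home-assistant/.env, so it appears to be the live PostgreSQL password committed in plaintext, next to the database name and username in the neighbouring sections. A credential that has been pushed into git history has to be treated as disclosed: rotate it, remove it from history, and add `**/secrets/` to `.gitignore` so the compose files keep pointing at files that are provisioned out of band. The compose-level `secrets:` mechanism only controls how the value reaches the container; it does nothing for the repository.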


@ -0,0 +1 @@
home-assistant

17
mosquitto/.env Normal file

@ -0,0 +1,17 @@
APPLICATION_NAME=mosquitto
DOCKERDIR=/opt
#MEDIADIR=/mnt/stpool1/NData1/Media
#DOWNLOADSDIR=/mnt/stpool1/Downloads
STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
DATAROOT=${DOCKERDIR}/data
DATADIR=${DATAROOT}/${APPLICATION_NAME}
SECRETSDIR=${STACKSDIR}/secrets
DOMAINNAME=sthome.org
SERVICE_PORT=1883
SECURE_SERVICE_PORT=8883
PUID=3047
PGID=3046

6
mosquitto/.mosquitto.env Normal file

@ -0,0 +1,6 @@
PUID=${PUID}
PGID=${PGID}
TZ=Africa/Johannesburg

54
mosquitto/compose.yaml Normal file

@ -0,0 +1,54 @@
name: mosquitto
networks:
traefik-net:
external: true
services:
mosquitto:
image: eclipse-mosquitto
hostname: mosquitto
env_file: .mosquitto.env
user: ${PUID}:${PGID}
networks:
traefik-net:
aliases:
- mqtt
volumes:
- ${DATADIR}/appdata:/mosquitto/data
- ${DATADIR}/config:/mosquitto/config
- ${DATADIR}/logs:/mosquitto/log
- ${DATADIR}/configinc:/mosquitto/configinc # maps the default folder for password.txt file
restart: unless-stopped
# ports 1883, 8883 and 9001
# 9001 not implemented
# labels:
# - traefik.enable=true
# - traefik.docker.network=traefik-net
#
# tcp services
# -------------
# - traefik.tcp.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${SERVICE_PORT}
#- "traefik.tcp.services.${APPLICATION_NAME}-secure-svc.loadbalancer.server.port=${SECURE_SERVICE_PORT}"
#
# tcp routers
# ------------
# limit router to mqtt ":1883" entrypoint
# - traefik.tcp.routers.${APPLICATION_NAME}-rtr.entrypoints=mqtt
# set match criteria for router
# - traefik.tcp.routers.${APPLICATION_NAME}-rtr.rule=HostSNI(`*`)
# assign svc target to routers
# - traefik.tcp.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc
#
# limit router to mqttsecure ":8883" entrypoint
# - traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=mqttsecure
# set match criteria for router
# - traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.rule=HostSNI(`${APPLICATION_NAME}.${DOMAINNAME}`) || HostSNI(`mqtt.${DOMAINNAME}`)
# set router to be dedicated to secure requests only for the host specified in match criteria
# - traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.tls=true
# passthrough tls
# - traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.tls.passthrough=true
# generate certificates using following certresolver
# - traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns
# assign svc target to routers
#- "traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-secure-svc"
# - traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc # use same svc as non-secure router to avoid issues with certificates on mosquitto
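Review bot: `image: eclipse-mosquitto` on L201 has no tag, so every pull tracks `latest` and a broker upgrade can land silently on the next restart; the other stacks pin their images (`postgres:16-alpine`, `traefik:v3.3.3`), so `image: eclipse-mosquitto:2` would match that convention. The TCP router labels on L217–L247 are all commented out while traefik/compose.yaml publishes 1883/8883 in host mode and traefik.yml defines `mqtt`/`mqttsecure` entrypoints; unless those routers are defined in the rules directory, the entrypoints currently have nothing behind them and the broker is only reachable via the `mqtt` alias on traefik-net. A short comment stating which of the two paths is intended would save the next reader the cross-check.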

1
networks/.env Normal file

@ -0,0 +1 @@
# VARIABLE=value #comment

70
networks/compose.yaml Normal file

@ -0,0 +1,70 @@
name: networks
networks:
traefik-net:
name: traefik-net
attachable: true
driver: bridge
ipam:
config:
- subnet: 10.255.224.0/20 # Range: 10.255.224.1 - 10.255.239.254
driver_opts:
# NB! bridge name should be 15 characters or less
com.docker.network.bridge.name: "br-traefik"
postgres-net:
name: postgres-net
driver: bridge
internal: true
driver_opts:
com.docker.network.bridge.name: "br-postgres"
mariadb-net:
name: mariadb-net
driver: bridge
internal: true
driver_opts:
com.docker.network.bridge.name: "br-mariadb"
mysql-net:
name: mysql-net
driver: bridge
internal: true
driver_opts:
com.docker.network.bridge.name: "br-mysql"
authentik-net:
name: authentik-net
driver: bridge
internal: true
driver_opts:
com.docker.network.bridge.name: "br-authentik"
fireflyiii-net:
name: fireflyiii-net
driver: bridge
internal: true
driver_opts:
com.docker.network.bridge.name: "br-fireflyiii"
vaultwarden-net:
name: vaultwarden-net
driver: bridge
internal: true
driver_opts:
com.docker.network.bridge.name: "br-vaultwarden"
digikam-net:
name: digikam-net
driver: bridge
internal: true
driver_opts:
com.docker.network.bridge.name: "br-digikam"
services:
netbb:
image: busybox
hostname: netsvc2
networks:
- traefik-net
- postgres-net
- mariadb-net
- mysql-net
- authentik-net
- fireflyiii-net
- vaultwarden-net
- digikam-net
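Review bot: The `netbb` service on L316 has no `command:`, so the untagged `busybox` image runs its default shell and exits at once; if the service exists only so that `docker compose up` materialises the eight networks, say so in a comment such as `# placeholder: joins every network so compose creates them; exits immediately`, and pin the image tag. While it runs it is the one container attached to `traefik-net` and every `internal: true` network at the same time, which is harmless for a one-shot but is the thing to re-check if a `command:` is ever added.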

21
traefik/.env Normal file

@ -0,0 +1,21 @@
################################################################
# .env
# When both env_file and environment are set for a service, values set by environment have precedence.
# https://docs.docker.com/compose/environment-variables/envvars-precedence/
#
#
################################################################
APPLICATION_NAME=traefik
WEBAPP_NAME=traefik-px
DOCKERDIR=/opt
STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
DATADIR=${DOCKERDIR}/data/${APPLICATION_NAME}
SECRETSDIR=${STACKSDIR}/secrets
DOMAINNAME=sthome.org
PUID=3012
PGID=3011
TZ=Africa/Johannesburg

37
traefik/.socket-proxy.env Normal file

@ -0,0 +1,37 @@
#
# environment variables for socket-proxy
#
LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
### 0 to revoke access.
### 1 to grant access.
## Granted by Default
EVENTS=1
PING=1
VERSION=1
## Revoked by Default
### Security critical
AUTH=0
SECRETS=0
POST=1 # Watchtower
### Not always needed
BUILD=0
COMMIT=0
CONFIGS=0
CONTAINERS=1 # Traefik, portainer, etc.
DISTRIBUTION=0
EXEC=0
IMAGES=1 # Portainer
INFO=1 # Portainer
NETWORKS=1 # Portainer
NODES=0
PLUGINS=0
SERVICES=1 # Portainer
SESSION=0
SWARM=0
SYSTEM=0
TASKS=1 # Portainer
VOLUMES=1 # Portainer
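Review bot: `POST=1` on L372 is justified by `# Watchtower`, and `IMAGES`, `INFO`, `NETWORKS`, `SERVICES`, `TASKS` and `VOLUMES` by `# Portainer`, yet neither runs in this stack and the `socket_proxy` network in traefik/compose.yaml is neither external nor attachable, so Traefik is the proxy's only client. Traefik's Docker provider needs read access to containers plus the events/ping/version endpoints already granted; with POST allowed on top of `CONTAINERS=1`, anything that reaches the proxy can also create and start containers. Set `POST=0` and return the Portainer-only entries to `0` until a consumer actually needs them, with a comment naming that consumer. The same values are repeated in the backup copy at L629–L659.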

16
traefik/.traefik.env Normal file

@ -0,0 +1,16 @@
#
# environment variables for traefik
#
PUID=${PUID}
PGID=${PGID}
TZ=${TZ}
################################################################
#################### Traefik 3 - June 2024 #####################
# Cloudflare IPs (IPv4 and/or IPv6): https://www.cloudflare.com/ips/
################################################################
CLOUDFLARE_IPS=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22
LOCAL_IPS=127.0.0.1/32,10.0.0.0/24,192.168.2.0/24,172.16.0.0/12,10.255.224.0/20
CF_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_api_token
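Review bot: `CLOUDFLARE_IPS` and `LOCAL_IPS` (L407–L408) duplicate the `forwardedHeaders.trustedIPs` list that traefik.yml hard-codes at L915–L934, and as far as I know Traefik's static configuration file does not interpolate environment variables, so these two values look unused; the copies have already drifted — `10.255.224.0/20` is in `LOCAL_IPS` but absent from traefik.yml. Either drop them or add a comment that traefik.yml is the source of truth, so a future change here is not silently ignored. If they are kept for a templated static config, say so next to them.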

193
traefik/backup/compose.yaml Normal file

@ -0,0 +1,193 @@
name: traefik
###############################################################
# Networks
###############################################################
networks:
socket_proxy:
driver: bridge
driver_opts:
com.docker.network.bridge.name: br-traefik_sx
traefik-net:
external: true
mariadb-net:
external: true
###############################################################
# Docker Secrets
# Owner (default): root:root
# Recommend Set Owner to match container user Example: UID=1100, GID=1100
# Permissions of files & directory on host to: 0400 (-r--)
###############################################################
secrets:
## Cloudflare / Traefik
cf_dns_api_token:
file: ${SECRETSDIR}/cf_dns_api_token
###############################################################
services:
traefik:
image: traefik:v3.2.1 # traefik:v3.1.7 # traefik:3.1.2 # traefik:v3.1.7-nanoserver-ltsc2022
hostname: traefik
restart: unless-stopped
env_file: .traefik.env
security_opt:
- no-new-privileges=true
depends_on:
- socket-proxy # Comment out if not using socket-proxy
networks:
- traefik-net
- socket_proxy
- mariadb-net
command:
- --configFile=/config/traefik.yml
ports:
#- name: "web"
- target: 80 # container port
host_ip: 0.0.0.0 # host IP; 0.0.0.0 binds to all network interfaces
published: "80" # publicly exposed port, defined as a string
protocol: tcp # port protocol
app_protocol: http # application protocol (TCP/IP level 4 / OSI level 7) this port is used for
mode: host # how port is published in swarm setup
#- name: "websecure"
- target: 443
host_ip: 0.0.0.0
published: "443"
protocol: tcp
app_protocol: http
mode: host
- name: "traefik"
target: 8080
host_ip: 0.0.0.0
published: "8080"
protocol: tcp
app_protocol: http
mode: host
- target: 9080
host_ip: 0.0.0.0
published: "9080"
protocol: tcp
mode: host
- target: 9443
host_ip: 0.0.0.0
published: "9443"
protocol: tcp
mode: host
# - target: 51820
# published: "51820"
# protocol: udp
# mode: host
# - target: 32400
# published: "32400"
# protocol: tcp
# mode: host
# - target: 1883
# published: "1883"
# protocol: tcp
# mode: host
# - target: 8883
# published: "8883"
# protocol: tcp
# mode: host
# - target: 19132
# published: "19132"
# protocol: udp
# mode: host
# - target: 25565
# published: "25565"
# protocol: udp
# mode: host
# - target: 25575
# published: "25575"
# protocol: tcp
# mode: host
# - target: 8083
# published: "8083"
# protocol: tcp
# mode: host
# - target: 8306
# published: "8306"
# protocol: tcp
# mode: host
# - target: 9306
# published: "9306"
# protocol: tcp
# mode: host
secrets:
- cf_dns_api_token
volumes:
- $STACKSDIR/config:/config # traefik.yaml
- $STACKSDIR/rules:/rules # Dynamic File Provider directory
- $STACKSDIR/users:/mnt/users # basic-auth username and password hashes
- $DATADIR/appdata:/data # acme.json defined in traefik.yaml
- $DATADIR/logs:/logs
# labels:
# - traefik.enable=true
#
# http routers
# ------------
# - traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web
# - traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${WEBAPP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&&
# PathPrefix(`/`)
# https://appname.domainname/
# - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure
# - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${WEBAPP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&&
# PathPrefix(`/`)
# - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true
# - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options.yml
# - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns
#- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.domains[0].main=${DOMAINNAME}"
#- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.domains[0].sans=*.${DOMAINNAME}"
#
# http basic-auth middlewares
# ---------------------------
# - traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.usersfile=/mnt/users/${APPLICATION_NAME}.txt
#
# assign middlewares to routers
# -----------------------------
# - traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=${APPLICATION_NAME}-auth
# - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=${APPLICATION_NAME}-auth
#
# http services
# -------------
# - traefik.http.routers.${APPLICATION_NAME}-rtr.service=api@internal
# - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=api@internal
###############################################################
socket-proxy:
image: tecnativa/docker-socket-proxy:0.2.0 #0.1.2
hostname: traefik_socket-proxy
restart: unless-stopped
env_file: .socket-proxy.env
security_opt:
- no-new-privileges=true
networks:
- socket_proxy
privileged: true # true for VM. false for unprivileged LXC container.
#depends_on:
# - traefik
ports:
- 127.0.0.1:2375:2375
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
###############################################################
# whoami:
# image: traefik/whoami:latest
# container_name: whoami
# restart: unless-stopped
# security_opt:
# - no-new-privileges=true
# depends_on:
# - traefik
# networks:
# - traefik
# environment:
# - TZ
# labels:
# - "traefik.enable=true"
# ## HTTP Routers
# - "traefik.http.routers.whoami-rtr.rule=Host(`whoami.${DOMAINNAME}`)"
###############################################################


@ -0,0 +1,20 @@
################################################################
# .env
# When both env_file and environment are set for a service, values set by environment have precedence.
# https://docs.docker.com/compose/environment-variables/envvars-precedence/
#
#
################################################################
APPLICATION_NAME=traefik
DOCKERDIR=/mnt/SSD1/docker/
STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
DATADIR=${DOCKERDIR}/data/${APPLICATION_NAME}
SECRETSDIR=${STACKSDIR}/secrets
DOMAINNAME=sthome.org
PUID=3012
PGID=3011
TZ=Africa/Johannesburg


@ -0,0 +1,36 @@
#
# environment variables for socket-proxy
#
LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
### 0 to revoke access.
### 1 to grant access.
## Granted by Default
EVENTS=1
PING=1
VERSION=1
## Revoked by Default
### Security critical
AUTH=0
SECRETS=0
POST=1 # Watchtower
### Not always needed
BUILD=0
COMMIT=0
CONFIGS=0
CONTAINERS=1 # Traefik, portainer, etc.
DISTRIBUTION=0
EXEC=0
IMAGES=1 # Portainer
INFO=1 # Portainer
NETWORKS=1 # Portainer
NODES=0
PLUGINS=0
SERVICES=1 # Portainer
SESSION=0
SWARM=0
SYSTEM=0
TASKS=1 # Portainer
VOLUMES=1 # Portainer


@ -0,0 +1,15 @@
#
# environment variables for traefik
#
PUID=${PUID}
PGID=${PGID}
TZ=${TZ}
################################################################
#################### Traefik 3 - June 2024 #####################
# Cloudflare IPs (IPv4 and/or IPv6): https://www.cloudflare.com/ips/
################################################################
CLOUDFLARE_IPS=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22
LOCAL_IPS=127.0.0.1/32,10.0.0.0/24,192.168.2.0/24,172.16.0.0/12,10.255.224.0/20
CF_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_api_token


@ -0,0 +1,206 @@
name: traefik
###############################################################
# Networks
###############################################################
networks:
socket_proxy:
driver: bridge
driver_opts:
com.docker.network.bridge.name: "br-traefik_sx"
traefik-net:
external: true
mariadb-net:
external: true
###############################################################
# Docker Secrets
# Owner (default): root:root
# Recommend Set Owner to match container user Example: UID=1100, GID=1100
# Permissions of files & directory on host to: 0400 (-r--)
###############################################################
secrets:
## Cloudflare / Traefik
cf_dns_api_token:
file: ${SECRETSDIR}/cf_dns_api_token
###############################################################
services:
traefik:
image: traefik:v3.3.3 # v3.2.1 # v3.1.7 # 3.1.2 # v3.1.7-nanoserver-ltsc2022
hostname: traefik
restart: unless-stopped
env_file: .traefik.env
security_opt:
- no-new-privileges=true
depends_on:
- socket-proxy # Comment out if not using socket-proxy
networks:
- traefik-net
- socket_proxy
- mariadb-net
command:
- "--configFile=/config/traefik.yml"
ports:
- target: 80 # Container Port
host_ip: 0.0.0.0 # All interfaces, not a specific one
published: "80" # STRING
protocol: tcp # tcp or udp
mode: host # or Ingress for load balancing
- target: 443
host_ip: 0.0.0.0
published: "443"
protocol: tcp
mode: host
- target: 51820 # wg-easy udp port
published: "51820"
protocol: udp
mode: host
- target: 32400 # plex remote access tcp port
published: "32400"
protocol: tcp
mode: host
- target: 1883 # mosquitto port
published: "1883"
protocol: tcp
mode: host
- target: 8883 # mosquitto secure port
published: "8883"
protocol: tcp
mode: host
- target: 19132 # minecraft-bedrock port
published: "19132"
protocol: udp
mode: host
- target: 25565 # minecraft-java port
published: "25565"
protocol: udp
mode: host
- target: 25575 # minecraft-java rcon port
published: "25575"
protocol: tcp
mode: host
- target: 8083 # ping port
published: "8083"
protocol: tcp
mode: host
- target: 8306 # mariadb port
published: "8306"
protocol: tcp
mode: host
- target: 9306 # mysql port
published: "9306"
protocol: tcp
mode: host
- target: 2022 # sftp port1
published: "2022"
protocol: tcp
mode: host
- target: 2023 # sftp port2
published: "2023"
protocol: tcp
mode: host
- target: 2024 # sftp port3
published: "2024"
protocol: tcp
mode: host
- target: 2025 # sftp port4
published: "2025"
protocol: tcp
mode: host
- target: 2026 # sftp port5
published: "2026"
protocol: tcp
mode: host
- target: 2027 # sftp port6
published: "2027"
protocol: tcp
mode: host
- target: 2028 # sftp port7
published: "2028"
protocol: tcp
mode: host
- target: 2029 # sftp port8
published: "2029"
protocol: tcp
mode: host
secrets:
- cf_dns_api_token
volumes:
- "$STACKSDIR/config:/config" # traefik.yml
- "$STACKSDIR/rules:/rules" # Dynamic File Provider directory
- "$STACKSDIR/users:/mnt/users" # basic-auth username and password hashes
- "$DATADIR/appdata:/data" # acme.json defined in traefik.yaml
- "$DATADIR/logs:/logs"
labels:
- traefik.enable=true
- traefik.docker.network=traefik-net
#
# http basic-auth middlewares
# ---------------------------
- "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.usersfile=/mnt/users/${APPLICATION_NAME}.txt"
#
# http routers
# ------------
# http
- "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
- "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`traefik.${DOMAINNAME}`)&& PathPrefix(`/`)"
# attach middlewares to router
- "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=${APPLICATION_NAME}-auth, http-mw-rateLimit-secureHeaders-compress-redirect@file"
# assign svc target to router
- "traefik.http.routers.${APPLICATION_NAME}-rtr.service=api@internal"
# https
- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`traefik.${DOMAINNAME}`)&& PathPrefix(`/`)"
# attach middlewares to routers
- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=${APPLICATION_NAME}-auth, http-mw-rateLimit-secureHeaders-compress@file"
# tls
- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
# assign svc target to router
- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=api@internal"
###############################################################
socket-proxy:
image: tecnativa/docker-socket-proxy:0.2.0 #0.1.2
hostname: traefik_socket-proxy
restart: unless-stopped
env_file: .socket-proxy.env
security_opt:
- no-new-privileges=true
networks:
- socket_proxy
privileged: true # true for VM. false for unprivileged LXC container.
#depends_on:
# - traefik
ports:
- "127.0.0.1:2375:2375"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
# the following bind is to persist the non-zero setting of backend docker-events.timeout server
- type: bind
source: "${DATADIR}/haproxy/haproxy.cfg.template"
target: /usr/local/etc/haproxy/haproxy.cfg.template
###############################################################
whoami:
image: traefik/whoami:latest
container_name: whoami
restart: unless-stopped
security_opt:
- no-new-privileges=true
depends_on:
- traefik
networks:
- traefik-net
environment:
- TZ
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.whoami-rtr.entrypoints=web"
- "traefik.http.routers.whoami-rtr.rule=Host(`whoami.${DOMAINNAME}`)"
###############################################################
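Review bot: `- "127.0.0.1:2375:2375"` on L854 publishes the Docker socket proxy on the host loopback even though Traefik reaches it over the `socket_proxy` network (`tcp://traefik_socket-proxy:2375` in traefik.yml), so the only effect is to give every local process unauthenticated Docker API access under the proxy's allow-list, which currently includes POST. Remove the `ports:` entry unless a host-side client is intended, and name that client in a comment. `privileged: true` on L850 is likewise far broader than a proxy that only needs the read-only socket bind mount on L856; the `# true for VM` comment does not say what fails without it, and that is the thing worth documenting. `traefik/whoami:latest` on L863 is the one untagged image in this stack.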


@ -0,0 +1,256 @@
################################################################
# Global configuration - https://doc.traefik.io/traefik/reference/static-configuration/file/
################################################################
global:
checkNewVersion: false
sendAnonymousUsage: false
################################################################
# Entrypoints - https://doc.traefik.io/traefik/routing/entrypoints/
################################################################
entryPoints:
web:
address: ":80"
#reusePort: true
# Global HTTP to HTTPS redirection
# http:
# redirections:
# entrypoint:
# to: websecure
# scheme: https
websecure:
address: ":443"
http:
tls:
certResolver: sthomeresolver
#domains:
# - main: "sthome.org"
# sans:
# - "*.sthome.org"
forwardedHeaders:
trustedIPs:
# Cloudflare (https://www.cloudflare.com/ips-v4)
- "173.245.48.0/20"
- "103.21.244.0/22"
- "103.22.200.0/22"
- "103.31.4.0/22"
- "141.101.64.0/18"
- "108.162.192.0/18"
- "190.93.240.0/20"
- "188.114.96.0/20"
- "197.234.240.0/22"
- "198.41.128.0/17"
- "162.158.0.0/15"
- "104.16.0.0/13"
- "104.24.0.0/14"
- "172.64.0.0/13"
- "131.0.72.0/22"
# Local IPs
- "127.0.0.1/32"
- "10.0.0.0/24"
- "192.168.2.0/24"
- "172.16.0.0/12"
wireguard:
address: ":51820/udp"
plex:
address: ":32400"
http:
redirections:
entrypoint:
to: websecure
scheme: https
metrics:
address: ":8082"
ping:
address: ":8083"
mariadb:
address: ":8306"
mysql:
address: ":9306"
mqtt:
address: ":1883"
mqttsecure:
address: ":8883"
mc-bedrock:
address: ":19132/udp"
mc-java:
address: ":25565/udp"
mc-java-rcon:
address: ":25575"
sftp1:
address: ":2022"
sftp2:
address: ":2023"
sftp3:
address: ":2024"
sftp4:
address: ":2025"
sftp5:
address: ":2026"
sftp6:
address: ":2027"
sftp7:
address: ":2028"
sftp8:
address: ":2029"
ping:
entryPoint: "ping"
################################################################
# Logs - https://doc.traefik.io/traefik/observability/logs/
################################################################
log:
level: DEBUG # Options: DEBUG, PANIC, FATAL, ERROR (Default), WARN, and INFO
filePath: /logs/traefik-container.log # Default is to STDOUT
format: json # Uses text format (common) by default
noColor: false # Recommended to be true when using common
maxSize: 100 # In megabytes
compress: true # gzip compression when rotating
################################################################
# Access logs - https://doc.traefik.io/traefik/observability/access-logs/
################################################################
accessLog:
addInternals: true # things like ping@internal
filePath: /logs/traefik-access.log # In the Common Log Format (CLF) by default
bufferingSize: 100 # Number of log lines
fields:
names:
StartUTC: drop # Write logs in Container Local Time instead of UTC
filters:
statusCodes:
- "204-299"
- "400-499"
- "500-599"
################################################################
# Prometheus - https://doc.traefik.io/traefik/observability/metrics/prometheus/
################################################################
metrics:
prometheus:
entryPoint: metrics
buckets:
- 0.1
- 0.3
- 1.2
- 5.0
addEntryPointsLabels: true
addRoutersLabels: true
addServicesLabels: true
################################################################
# API and Dashboard
################################################################
api:
dashboard: true
# disableDashboardAd: true
# Rely on api@internal and Traefik with Middleware to control access
# insecure: true
################################################################
# Providers - https://doc.traefik.io/traefik/providers/docker/
################################################################
providers:
docker:
#endpoint: "unix:///var/run/docker.sock" # Comment if using socket-proxy
endpoint: "tcp://traefik_socket-proxy:2375" # Uncomment if using socket proxy
exposedByDefault: false
network: traefik-net # network to use for connections to all containers
# defaultRule: TODO
# Enable auto loading of newly created rules by watching a directory
file:
# Apps, LoadBalancers, TLS Options, Middlewares, Middleware Chains
directory: /rules # /etc/traefik
watch: true
################################################################
# tls
################################################################
tls:
stores:
default:
# defaultCertificate:
# certFile: /data/sthome-org.pem
# keyFile: /data/sthome-org-key.pem
defaultGeneratedCert:
resolver: solver-dns
domain:
main: sthome.org
sans:
- plex.sthome.org
- emby.sthome.org
- jellyfin.sthome.org
- traefik.sthome.org
################################################################
# ACME
################################################################
certificatesResolvers:
# sthomeresolver:
# acme:
# email: "stuurmcp@telkomsa.net"
# storage: "/data/acme.json" # "/etc/traefik/letsencrypt/acme.json"
# #caServer: "https://acme-staging-v02.api.letsencrypt.org/directory" # Comment out when going prod
# caServer: "https://acme-v02.api.letsencrypt.org/directory" # production:
# dnsChallenge:
# provider: cloudflare
# #delayBeforeCheck: 30 # Default is 2m0s. This changes the delay (in seconds)
# # Custom DNS server resolution
# resolvers:
# - "1.1.1.1:53"
# - "8.8.8.8:53"
##
# sthome-org:
# acme:
# email: "stuurmcp@telkomsa.net"
# storage: "/data/acme.json" # "/etc/traefik/letsencrypt/acme.json"
# #caServer: "https://acme-staging-v02.api.letsencrypt.org/directory" # Comment out when going prod
# caServer: "https://acme-v02.api.letsencrypt.org/directory" # production:
# dnsChallenge:
# provider: cloudflare
# #delayBeforeCheck: 30 # Default is 2m0s. This changes the delay (in seconds)
# # Custom DNS server resolution
# resolvers:
# - "1.1.1.1:53"
# - "8.8.8.8:53"
solver-dns:
acme:
email: "stuurmcp@telkomsa.net"
storage: "/data/acme.json" # "/etc/traefik/letsencrypt/acme.json"
#caServer: "https://acme-staging-v02.api.letsencrypt.org/directory" # Comment out when going prod
caServer: "https://acme-v02.api.letsencrypt.org/directory" # production:
dnsChallenge:
provider: cloudflare
#delayBeforeCheck: 30 # Default is 2m0s. This changes the delay (in seconds)
# Custom DNS server resolution
resolvers:
- "1.1.1.1:53"
- "8.8.8.8:53"
#sthome-net:
# acme:
# email: "stuurmcp@telkomsa.net"
# storage: "/etc/traefik/local/acme.json" # "/data/acme.json"
# caServer: "https://upd.sthome.net/acme-v02.api" # production:
# dnsChallenge:
# provider: sthomelocal
#delayBeforeCheck: 30 # Default is 2m0s. This changes the delay (in seconds)
# Custom DNS server resolution
# resolvers:
# - "10.0.0.15:53"
# - "192.168.2.1:53"
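Review bot: The `websecure` entrypoint's default `certResolver: sthomeresolver` (L907) names a resolver that exists only commented out (L1064–L1076); the sole active resolver is `solver-dns` (L1091), which is also what the compose labels and `tls.stores.default.defaultGeneratedCert` use, so routers relying on the entrypoint default will fail certificate issuance — change L907 to `certResolver: solver-dns`. `log.level: DEBUG` (L984) is very verbose for a long-running edge proxy and records far more request detail than steady-state operation needs; `INFO` is the usual choice outside troubleshooting. The `mc-java` entrypoint on L959 is `/udp`, but Minecraft Java Edition speaks TCP on 25565 (Bedrock is the UDP one), so that entrypoint and the matching `protocol: udp` publish on L754 look inverted; confirm before changing.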


@ -0,0 +1,19 @@
http:
middlewares:
# https://github.com/goauthentik/authentik/issues/2366
middlewares-authentik:
forwardAuth:
address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version
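Review bot: The forwardAuth address `http://authentik_server:9000/...` (L1125) needs `authentik_server` to be resolvable from Traefik, but the traefik service in compose.yaml joins only `traefik-net`, `socket_proxy` and `mariadb-net`, not the `internal: true` `authentik-net` defined in networks/compose.yaml; unless the authentik stack also attaches to traefik-net, this middleware cannot reach its outpost. A comment naming the network the outpost must sit on would make that dependency explicit. `trustForwardHeader: true` on L1126 is, as I read it, safe only because the entrypoint strips `X-Forwarded-*` from sources outside `forwardedHeaders.trustedIPs`; that coupling is worth a one-line note beside it.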


@ -0,0 +1,18 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
# Prevent too large of a body
# https://stackoverflow.com/questions/49717670/how-to-config-upload-body-size-restriction-in-traefik
middlewares-buffering:
buffering:
maxRequestBodyBytes: 10485760
memRequestBodyBytes: 2097152
maxResponseBodyBytes: 10485760
memResponseBodyBytes: 2097152
retryExpression: "IsNetworkError() && Attempts() <= 2"


@ -0,0 +1,15 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
# Compress to save bandwidth
middlewares-compress:
compress: {}
#-----------------------
# middlewares-https-redirectscheme.yaml


@ -0,0 +1,15 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
# Middleware for Redirection
# This can be used instead of global redirection
middlewares-https-redirectscheme:
redirectScheme:
scheme: https
permanent: true


@ -0,0 +1,14 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
# DDoS Prevention
middlewares-rate-limit:
rateLimit:
average: 100
burst: 50


@ -0,0 +1,36 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
################################################################
# Good Basic Security Practices
################################################################
middlewares-secure-headers:
headers:
accessControlAllowMethods:
- GET
- OPTIONS
- PUT
accessControlMaxAge: 100
hostsProxyHeaders:
- "X-Forwarded-Host"
stsSeconds: 63072000
stsIncludeSubdomains: true
stsPreload: true
forceSTSHeader: true
#customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME"}}" #CSP takes care of this but may be needed for organizr.
customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
contentTypeNosniff: true
browserXssFilter: true
# sslForceHost: true # add sslHost to all of the services
# sslHost: "{{env "DOMAINNAME"}}"
referrerPolicy: "same-origin"
permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=()"
customResponseHeaders:
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
server: ""
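Review bot: None of the routers added in this commit reference `middlewares-secure-headers` (they all use the `http-mw-*@file` names), and the same middleware name is declared a second time in another rules file of this commit, so this looks like a leftover copy of the old naming scheme that will only drift from the live one — delete it or rename it. Within the content, `browserXssFilter: true` emits `X-XSS-Protection: 1; mode=block`, which current browsers ignore and which the filter logic in older ones has been shown to make exploitable; the present guidance is to omit the header or send `0`, so drop the line. `accessControlAllowMethods` without an `accessControlAllowOriginList` never produces an `Access-Control-Allow-Origin`, so it changes nothing for CORS; configure the origin list deliberately or remove the methods block.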


@ -0,0 +1,35 @@
################################################################
# TLS Options (https://jellyfin.org/docs/general/networking/traefik2.html#traefik-providertoml)
# toml -> yml
# 2024 updates to cipherSuites from (https://www.smarthomebeginner.com/traefik-v3-docker-compose-guide-2024/)
#
# Set secure options by disabling insecure older TLS/SSL versions
# and insecure ciphers. SNIStrict disabled leaves TLS1.0 open.
# If you have problems with older clients, you can may need to relax
# these minimums. This configuration will give you an A+ SSL security
# score supporting TLS1.2 and TLS1.3
#
# Dynamic configuration
# https://doc.traefik.io/traefik/https/tls/
################################################################
tls:
options:
tls-opts:
sniStrict: false #true
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
curvePreferences:
- secp521r1 # CurveP521
- secp384r1 # CurveP384
mintls13:
minVersion: VersionTLS13
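Review bot: The header comment says disabling `sniStrict` "leaves TLS1.0 open"; it does not — `sniStrict` only decides whether a handshake with no or an unknown SNI is refused or served the default certificate, and the protocol floor here is set by `minVersion: VersionTLS12` alone, so the comment should say `# sniStrict: false serves the default certificate to clients without a matching SNI; the version floor is minVersion`. `TLS_FALLBACK_SCSV` is the RFC 7507 signalling value, not a negotiable cipher, and Go's TLS stack honours it without configuration; if Traefik does not recognise the name the whole `tls-opts` set may be rejected, so check the log for an invalid-cipher-suite error and remove the entry. The `TLS_AES_*`/`TLS_CHACHA20_*` names are TLS 1.3 suites, which Go does not let you configure, so they are inert. Note also that every router in this commit references `tls-options@file`, not `tls-opts`, so this option set appears unused.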


@ -0,0 +1,38 @@
# external service
# https://doc.traefik.io/traefik/providers/file/
http:
#
# http routers
# ------------
routers:
cctv-rtr:
entryPoints:
- "web"
rule: "Host(`cctv.sthome.org`)&& PathPrefix(`/`)"
middlewares:
- http-mw-rateLimit-secureHeaders-redirect@file
service: "ext-cctv-svc"
cctv-secure-rtr:
entryPoints:
- "websecure"
rule: "Host(`cctv.sthome.org`)&& PathPrefix(`/`)"
tls:
certresolver: "solver-dns"
options: tls-options@file
middlewares:
- http-mw-rateLimit-secureHeaders@file
service: "ext-cctv-svc"
#
# http service
# ------------
# https://doc.traefik.io/traefik/routing/services/
services:
ext-cctv-svc:
loadBalancer:
servers:
- url: "http://10.0.0.10:80" # safest to use ip address, with reservation in dhcp server
passHostHeader: true
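Review bot: `cctv-secure-rtr` publishes `cctv.sthome.org` to the internet with only rate-limit and header middlewares in front of it — no authentication at Traefik — so the NVR/camera web UI's own login is the only barrier, and that UI is also reached over plain HTTP on the LAN (`http://10.0.0.10:80`). Camera and NVR firmware has a poor track record for authentication bugs, so add a Traefik-level gate on this router, for example the forward-auth middleware this commit already defines (`- forwardAuth-authentik@file`) or a basicauth users file as done for frigate. If some consumer (e.g. Home Assistant pulling streams) cannot do interactive auth, give it a separate router restricted with an `ipAllowList` rather than leaving the whole host open.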


@ -0,0 +1,59 @@
# external service
# https://doc.traefik.io/traefik/providers/file/
http:
#
# http routers
# ------------
routers:
frigate-rtr:
entryPoints:
- "web"
rule: "Host(`frigate.sthome.org`)&& PathPrefix(`/`)"
middlewares:
- frigate-auth
- http-mw-rateLimit-secureHeaders-redirect@file
service: "ext-frigate-svc"
frigate-secure-rtr:
entryPoints:
- "websecure"
rule: "Host(`frigate.sthome.org`)&& PathPrefix(`/`)"
tls:
certresolver: "solver-dns"
options: tls-options@file
middlewares:
- frigate-auth
- http-mw-rateLimit-secureHeaders@file
service: "ext-frigate-svc"
frigate-secure-status-rtr:
entryPoints:
- "websecure"
rule: "Host(`frigate.sthome.org`)&& PathPrefix(`/stats`)"
tls:
certresolver: "solver-dns"
options: tls-options@file
service: "ext-frigate-svc"
#
# http middlewares
# ----------------
middlewares:
frigate-auth:
basicauth:
usersfile: "/mnt/users/frigate.txt"
# frigate-https-redirect:
# redirectscheme:
# scheme: https
# permanent: true
#
# http service
# ------------
# https://doc.traefik.io/traefik/routing/services/
services:
ext-frigate-svc:
loadBalancer:
servers:
- url: "http://10.0.0.51:5000" # safest to use ip address, with reservation in dhcp server
passHostHeader: true
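Review bot: `frigate-secure-status-rtr` matches the `/stats` prefix on the same host but declares no `middlewares:` at all, and because the longer path rule wins over `frigate-secure-rtr`'s `/`, whatever Frigate serves under `/stats` is reachable without the basic auth the rest of the UI gets. If that is intended as an unauthenticated probe for a monitoring host, restrict it with an `ipAllowList` middleware; otherwise add `- frigate-auth` to that router too. Separately, on `frigate-rtr` (the port-80 `web` entry point) `frigate-auth` is listed before the redirect chain and middlewares run in list order, so a plain-HTTP client is challenged for — and sends — its credentials in cleartext before it is ever redirected to HTTPS; list `http-mw-rateLimit-secureHeaders-redirect@file` first, or drop the auth middleware from the port-80 router entirely.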


@ -0,0 +1,52 @@
# external service
# https://doc.traefik.io/traefik/providers/file/
http:
#
# http routers
# ------------
routers:
home-assistant-rtr:
entryPoints:
- "web"
rule: "Host(`home-assistant.sthome.org`)&& PathPrefix(`/`)"
tls:
certresolver: "solver-dns"
middlewares:
# - home-assistant-auth
- http-mw-secureHeaders-redirect
service: "ext-home-assistant-svc"
home-assistant-secure-rtr:
entryPoints:
- "websecure"
rule: "Host(`home-assistant.sthome.org`)&& PathPrefix(`/`)"
tls:
certresolver: "solver-dns"
middlewares:
# - home-assistant-auth
- http-mw-secureHeaders
service: "ext-home-assistant-svc"
#
# http middlewares
# ----------------
# middlewares:
# home-assistant-auth:
# basicauth:
# usersfile: "/mnt/users/home-assistant.txt"
# home-assistant-https-redirect:
# redirectscheme:
# scheme: https
# permanent: true
#
# http service
# ------------
# https://doc.traefik.io/traefik/routing/services/
services:
ext-home-assistant-svc:
loadBalancer:
servers:
#- url: "http://home-assistant-local.sthome.org:8123" # requires local dns, i.e. 10.0.0.1, to be first nameserver in truenas and in docker /etc/resolv.conf
- url: "http://10.0.0.51:8123" # safest to use ip address, with reservation in dhcp server
passHostHeader: true
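Review bot: `home-assistant-rtr` is bound to the `web` (port 80) entry point but carries a `tls:` block with a certresolver; Traefik treats a router with a `tls` section as HTTPS-only and ignores non-TLS requests for it, so as written this router never matches on port 80 and the HTTPS redirect it is meant to perform does not happen (the client gets a 404 instead). Remove the `tls:` / `certresolver: "solver-dns"` lines from `home-assistant-rtr` and keep them only on `home-assistant-secure-rtr`. The middleware references here omit the `@file` suffix, which works only because these routers live in the file provider themselves — harmless, but inconsistent with the other rule files in this commit. Since the auth middleware is commented out and Home Assistant's own login is relied on, remember that HA only accepts proxied connections when its `http:` config lists Traefik's address under `trusted_proxies` — that file is not in this view.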


@ -0,0 +1,30 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
################################################################
# Forward Authentication - OAUTH / 2FA
################################################################
#
# https://github.com/goauthentik/authentik/issues/2366
forwardAuth-authentik:
forwardAuth:
address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version


@ -0,0 +1,18 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
# Prevent too large of a body
# https://stackoverflow.com/questions/49717670/how-to-config-upload-body-size-restriction-in-traefik
http-mw-buffering:
buffering:
maxRequestBodyBytes: 10485760
memRequestBodyBytes: 2097152
maxResponseBodyBytes: 10485760
memResponseBodyBytes: 2097152
retryExpression: "IsNetworkError() && Attempts() <= 2"
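Review bot: `retryExpression: "IsNetworkError() && Attempts() <= 2"` re-sends the buffered request on a network error regardless of HTTP method, so a POST or PUT whose connection dropped after the backend had already acted on it is executed again; the buffering retry grammar cannot distinguish methods, so unless every service behind this middleware is idempotent the expression should be removed. Buffering up to 10 MiB per request (in memory up to `memRequestBodyBytes`, the rest on disk) is itself a resource-exhaustion lever, so keep the middleware only on routes that need the body-size cap. No router in this commit references `http-mw-buffering`, so it is currently unused.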


@ -0,0 +1,9 @@
http:
middlewares:
http-mw-rateLimit-secureHeaders-compress-redirect:
chain:
middlewares:
- http-mw-rateLimit
- http-mw-secureHeaders
- http-mw-compress
- http-mw-redirectScheme


@ -0,0 +1,8 @@
http:
middlewares:
http-mw-rateLimit-secureHeaders-compress:
chain:
middlewares:
- http-mw-rateLimit
- http-mw-secureHeaders
- http-mw-compress


@ -0,0 +1,8 @@
http:
middlewares:
http-mw-rateLimit-secureHeaders-redirect:
chain:
middlewares:
- http-mw-rateLimit
- http-mw-secureHeaders
- http-mw-redirectScheme


@ -0,0 +1,7 @@
http:
middlewares:
http-mw-rateLimit-secureHeaders:
chain:
middlewares:
- http-mw-rateLimit
- http-mw-secureHeaders


@ -0,0 +1,7 @@
http:
middlewares:
http-mw-secureHeaders-redirect:
chain:
middlewares:
- http-mw-secureHeaders
- http-mw-redirectScheme


@ -0,0 +1,12 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
# Compress to save bandwidth
http-mw-compress:
compress: {}


@ -0,0 +1,14 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
# DDoS Prevention
http-mw-rateLimit:
rateLimit:
average: 100
burst: 50
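Review bot: With no `sourceCriterion`, the limiter buckets by the connecting socket's IP, and if requests arrive via the Cloudflare proxy — which the Cloudflare ranges in the entry point's `forwardedHeaders.trustedIPs` in this commit suggest — that address is a Cloudflare edge, so every real client behind the same edge shares one 100 req/s bucket while an attacker is limited per edge rather than per client. Add `sourceCriterion: {ipStrategy: {depth: 1}}` so the bucket key is taken from `X-Forwarded-For`, which the trusted-IPs list already strips from untrusted peers. `burst: 50` below `average: 100` is legal (burst is the bucket size, average the refill rate) but unusual; either way the `# DDoS Prevention` comment oversells what a per-source limiter on the origin can do against volumetric traffic.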


@ -0,0 +1,15 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
# Middleware for Redirection
# This can be used instead of global redirection
http-mw-redirectScheme:
redirectscheme:
scheme: https
permanent: true


@ -0,0 +1,36 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
################################################################
# Good Basic Security Practices
################################################################
http-mw-secureHeaders:
headers:
accessControlAllowMethods:
- GET
- OPTIONS
- PUT
accessControlMaxAge: 100
hostsProxyHeaders:
- "X-Forwarded-Host"
stsSeconds: 63072000 # 2 years
stsIncludeSubdomains: true
stsPreload: true
forceSTSHeader: true
#customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME"}}" #CSP takes care of this but may be needed for organizr.
customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
contentTypeNosniff: true
browserXssFilter: true
# sslForceHost: true # add sslHost to all of the services
# sslHost: "{{env "DOMAINNAME"}}"
referrerPolicy: "same-origin"
permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=()"
customResponseHeaders:
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
server: ""
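Review bot: `browserXssFilter: true` sends `X-XSS-Protection: 1; mode=block`; current browsers ignore the header and the legacy filter it enables in older ones has been shown to introduce cross-site leaks, so the present guidance is to omit it or send `0` — drop the line. `accessControlAllowMethods` without an `accessControlAllowOriginList` emits `Access-Control-Allow-Methods` on every response but never an `Access-Control-Allow-Origin`, so it has no CORS effect; configure the origin list deliberately or remove the methods block. `stsPreload: true` together with `stsIncludeSubdomains` is a commitment that every `*.sthome.org` host serves HTTPS and is effectively irreversible once submitted to the preload list, so only set it once that is true. The trailing comma in the `X-Robots-Tag` value (`noimageindex,`) is harmless but should go.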


@ -0,0 +1,29 @@
# sftpgo - multiple ports per service
# and thus cannot configure as labels
tcp:
routers:
sftpgo-tcp-rtr:
entrypoints: ["sftp1", "sftp2", "sftp3", "sftp4", "sftp5", "sftp6", "sftp7", "sftp8"]
rule: "HostSNI(`*`)"
service: "sftpgo-tcp-svc"
sftpgo-tcp-secure-rtr:
entrypoints: ["sftp1", "sftp2", "sftp3", "sftp4", "sftp5", "sftp6", "sftp7", "sftp8"]
rule: "HostSNI(`sftpgo.sthome.org`)"
tls:
options: "tls-options@file"
certresolver: "solver-dns"
passthrough: true
service: "sftpgo-tcp-svc"
services:
sftpgo-tcp-svc:
loadBalancer:
servers:
- address: "sftpgo:2022"
- address: "sftpgo:2023"
- address: "sftpgo:2024"
- address: "sftpgo:2025"
- address: "sftpgo:2026"
- address: "sftpgo:2027"
- address: "sftpgo:2028"
- address: "sftpgo:2029"
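Review bot: All eight entry points feed one `sftpgo-tcp-svc` that round-robins across `sftpgo:2022`–`sftpgo:2029`, so a connection arriving on host port 2022 may be forwarded to container port 2029; if the eight bindings are distinct SFTPgo listeners (different protocols, bindings or virtual hosts) the port mapping is scrambled, and a 1:1 mapping needs one router plus one single-server service per entry point. `sftpgo-tcp-secure-rtr` combines `passthrough: true` with a `certresolver`, which is contradictory — passthrough means Traefik never terminates TLS and so has no use for a certificate — and SSH/SFTP is not TLS, so a `HostSNI` name rule can never match it; only the `HostSNI(*)` router can carry SFTP, which makes the secure router dead configuration unless FTPS or WebDAV listeners are among these ports. If they are, say so in a comment on the router; if not, delete it.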


@ -0,0 +1,37 @@
################################################################
# TLS Options (https://jellyfin.org/docs/general/networking/traefik2.html#traefik-providertoml)
# toml -> yml
# 2024 updates to cipherSuites from (https://www.smarthomebeginner.com/traefik-v3-docker-compose-guide-2024/)
#
# Set secure options by disabling insecure older TLS/SSL versions
# and insecure ciphers. SNIStrict disabled leaves TLS1.0 open.
# If you have problems with older clients, you can may need to relax
# these minimums. This configuration will give you an A+ SSL security
# score supporting TLS1.2 and TLS1.3
#
# Dynamic configuration
# https://doc.traefik.io/traefik/https/tls/
################################################################
tls:
options:
tls-options:
sniStrict: true
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
curvePreferences:
# CurveP256, CurveP384, CurveP521, X25519
# secp256r1, secp384r1, secp521r1, x25519, x448
- secp521r1
- secp384r1
mintls13:
minVersion: VersionTLS13
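Review bot: `TLS_FALLBACK_SCSV` is the RFC 7507 signalling value, not a negotiable cipher suite, and Go's crypto/tls honours it without configuration; if Traefik does not recognise the name it may reject the whole `tls-options` set, in which case every router referencing `tls-options@file` silently falls back to the defaults — check the log for an invalid-cipher-suite error and remove the line. The `TLS_AES_*`/`TLS_CHACHA20_*` entries are TLS 1.3 suites that Go does not allow configuring, so they are inert. `curvePreferences` lists only `secp521r1` and `secp384r1`; the `x25519` that essentially every modern client prefers is missing (and the file's own comment lists it as available), so add `- x25519` at the top unless a slow P-521-first handshake is intended. The header comment's claim that disabled `sniStrict` "leaves TLS1.0 open" is wrong — `minVersion` alone sets the floor, `sniStrict` only governs handshakes with no matching SNI — and should be corrected.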


@ -0,0 +1,6 @@
tls:
stores:
default:
defaultCertificate:
certFile: /data/sthome-org.pem
keyFile: /data/sthome-org-key.pem
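Review bot: This sets a `defaultCertificate` for the `default` store from `/data/sthome-org.pem`, while the static `traefik.yml` in this commit sets `tls.stores.default.defaultGeneratedCert` for the same store; Traefik uses only one default and, as far as I recall, an explicit `defaultCertificate` takes precedence, so the ACME-generated default would never be used — keep one and delete the other (the static file already has its `defaultCertificate` block commented out, which suggests this rule file is the leftover). If it stays, the private key lives on the same `/data` volume as `acme.json`; keep it `0400` and owned by the user the Traefik container runs as, per the secrets comment in `compose.yaml`.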


@ -0,0 +1 @@
chris:$$2y$$05$$mUVwUOShyKPPnDsX/ClCc.sNYYCBvbvQd2WG794SUlJsGE1GC0ofy
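Review bot: The hash is written with `$$` escaping (`$$2y$$05$$…`); doubling the dollar sign is how Docker Compose labels and environment values escape `$`, but a Traefik basicauth `usersfile` is read verbatim, so if this file is mounted as a users file the entry is not a valid bcrypt string and `chris` can never log in — store the single-`$` form in users files and use `$$` only inside compose labels. Beyond that, the file is a credential committed to the repository at bcrypt cost 5 (`$05$`), which is well below the default of 10 and makes offline guessing cheap once the hash leaks; regenerate it with `htpasswd -nbB -C 10 chris` and keep the file out of version control.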


@ -0,0 +1 @@
662gfbdISWlkkFVfFSYErGQotZDmxX46rKE2hcHO
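Review bot: This 40-character value is committed in plain text, and since the only secret `compose.yaml` in this commit declares under `${SECRETSDIR}` is `cf_dns_api_token`, it is very probably the Cloudflare API token used for the ACME DNS challenge. A token with DNS edit rights on the zone lets anyone who can read the repository issue certificates for the domain and rewrite its records, so treat it as compromised: revoke it in Cloudflare, issue a replacement scoped to `Zone.DNS:Edit` on this zone only, and add the secrets directory to `.gitignore` before pushing again. Deleting the file in a later commit is not enough, because the value stays in git history.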


@ -0,0 +1 @@
stuurmcp@telkomsa.net


@ -0,0 +1,36 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
################################################################
# Good Basic Security Practices
################################################################
middlewares-secure-headers:
headers:
accessControlAllowMethods:
- GET
- OPTIONS
- PUT
accessControlMaxAge: 100
hostsProxyHeaders:
- "X-Forwarded-Host"
stsSeconds: 63072000 # 2 years
stsIncludeSubdomains: true
stsPreload: true
forceSTSHeader: true
#customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME"}}" #CSP takes care of this but may be needed for organizr.
customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
contentTypeNosniff: true
browserXssFilter: true
# sslForceHost: true # add sslHost to all of the services
# sslHost: "{{env "DOMAINNAME"}}"
referrerPolicy: "same-origin"
permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=()"
customResponseHeaders:
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
server: ""
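Review bot: `middlewares-secure-headers` is declared a second time here with the same name as in another rules file added by this commit; Traefik's file provider folds every file under `/rules` into one dynamic configuration, and a middleware name seen twice is, as far as I recall, either skipped with a warning or rejected outright rather than merged — check the log after deploy and keep exactly one definition. The routers in this commit reference `http-mw-secureHeaders`, so both `middlewares-secure-headers` copies may be unused leftovers that can simply be deleted. Within the content, `browserXssFilter: true` emits `X-XSS-Protection: 1; mode=block`, which current guidance says to omit or send as `0`.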


@ -0,0 +1,5 @@
admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC
home:$2y$05$VjkUjMGVdxMn3N/rMK8nBuh1jAUfezo8i4167enEg7i9Xl45cVQGi
Home:$2y$05$JP8tB1nkPA8tbhEnhGV6teke.X87eFX4V9hi9qa2ArLISJ4Ksf2ca
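Review bot: These are live basic-auth credentials committed to the repository; the identical `admin`, `chris` and `Chris` hashes recur in every users file in this commit, so one password unlocks every basicauth-protected service behind Traefik and one leaked file compromises all of them. The hashes use bcrypt cost 5 (`$2y$05$`), below the default of 10, which makes offline guessing about 32 times cheaper than it should be. Regenerate with `htpasswd -nbB -C 10 <user>` using a distinct password per service, and keep the users directory out of version control (`users/` in `.gitignore`) — the compose file already mounts it from the host, so nothing needs it in git.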


@ -0,0 +1,3 @@
admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC


@ -0,0 +1,7 @@
admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC
home:$2y$05$VjkUjMGVdxMn3N/rMK8nBuh1jAUfezo8i4167enEg7i9Xl45cVQGi
Home:$2y$05$JP8tB1nkPA8tbhEnhGV6teke.X87eFX4V9hi9qa2ArLISJ4Ksf2ca
zelna:$2y$10$1OREtkEjjO0834TnxYAaWe2.N.gM4V01cOqDRRoEmG.SiiIvLsEk.
Zelna:$2y$10$vgfcMmEB3L8nAReV4cUyw.BR7PAMIEmzNdeCpLNcHxvepul88InZ6
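Review bot: `zelna`/`Zelna` are hashed at cost 10 (`$2y$10$`) while `admin`, `chris` and `home` in the same file are cost 5; functionally harmless, but it shows the cost-5 hashes are older and they should be regenerated at cost 10 as well. The case-variant duplicates (`chris`/`Chris`, `home`/`Home`, `zelna`/`Zelna`) each carry a different hash, so they double the number of valid logins per person for no benefit — basic-auth usernames are case-sensitive, so keep one spelling each. As with the other users files in this commit, this is a credential file that should not be committed to the repository.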


@ -0,0 +1,3 @@
admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC


@ -0,0 +1,5 @@
admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC
home:$2y$05$VjkUjMGVdxMn3N/rMK8nBuh1jAUfezo8i4167enEg7i9Xl45cVQGi
Home:$2y$05$JP8tB1nkPA8tbhEnhGV6teke.X87eFX4V9hi9qa2ArLISJ4Ksf2ca


@ -0,0 +1,4 @@
grafana:$2y$05$r6bSihiBh.xKWV5FPP9yPunhIr0t.cavZqq2Ghsl6TEGKbXDXk6qy
admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC


@ -0,0 +1,3 @@
admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC


@ -0,0 +1,3 @@
admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC


@ -0,0 +1,3 @@
admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC


@ -0,0 +1,3 @@
admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC


@ -0,0 +1,3 @@
admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC


@ -0,0 +1,3 @@
admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC


@ -0,0 +1,3 @@
admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC

179
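--- a/traefik/compose.yaml
+++ b/traefik/compose.yaml
@@ -0,0 +1,179 @@
+name: traefik
+###############################################################
+# Networks
+###############################################################
+networks:
+  socket_proxy:
+    driver: bridge
+    driver_opts:
+      com.docker.network.bridge.name: br-traefik_sx
+  traefik-net:
+    external: true
+  mariadb-net:
+    external: true
+###############################################################
+# Docker Secrets
+# Owner (default): root:root
+# Recommend Set Owner to match container user Example: UID=1100, GID=1100
+# Permissions of files & directory on host to: 0400 (-r--)
+###############################################################
+secrets:
+  ## Cloudflare / Traefik
+  cf_dns_api_token:
+    file: ${SECRETSDIR}/cf_dns_api_token
+###############################################################
+services:
+  traefik:
+    image: traefik:v3.2.1 # traefik:v3.1.7 # traefik:3.1.2 # traefik:v3.1.7-nanoserver-ltsc2022
+    hostname: traefik
+    restart: unless-stopped
+    env_file: .traefik.env
+    security_opt:
+      - no-new-privileges=true
+    depends_on:
+      - socket-proxy # Comment out if not using socket-proxy
+    networks:
+      - traefik-net
+      - socket_proxy
+      - mariadb-net
+    command:
+      - --configFile=/config/traefik.yml
+    ports:
+      - name: "web"
+        target: 80 # container port
+        host_ip: 0.0.0.0 # host IP; 0.0.0.0 binds to all network interfaces
+        published: "80" # publicly exposed port, defined as a string
+        protocol: tcp # port protocol
+        app_protocol: http # application protocol (TCP/IP level 4 / OSI level 7) this port is used for
+        mode: host # how port is published in swarm setup
+      - name: "websecure"
+        target: 443
+        host_ip: 0.0.0.0
+        published: "443"
+        protocol: tcp
+        app_protocol: http
+        mode: host
+      # - name: "traefik" # dashboard port - use when not using labels below
+      #   target: 8080
+      #   host_ip: 0.0.0.0
+      #   published: "8080"
+      #   protocol: tcp
+      #   app_protocol: http
+      #   mode: host
+      # - target: 51820
+      #   published: "51820"
+      #   protocol: udp
+      #   mode: host
+      # - target: 32400
+      #   published: "32400"
+      #   protocol: tcp
+      #   mode: host
+      # - target: 1883
+      #   published: "1883"
+      #   protocol: tcp
+      #   mode: host
+      # - target: 8883
+      #   published: "8883"
+      #   protocol: tcp
+      #   mode: host
+      # - target: 19132
+      #   published: "19132"
+      #   protocol: udp
+      #   mode: host
+      # - target: 25565
+      #   published: "25565"
+      #   protocol: udp
+      #   mode: host
+      # - target: 25575
+      #   published: "25575"
+      #   protocol: tcp
+      #   mode: host
+      # - target: 8083
+      #   published: "8083"
+      #   protocol: tcp
+      #   mode: host
+      # - target: 8306
+      #   published: "8306"
+      #   protocol: tcp
+      #   mode: host
+      # - target: 9306
+      #   published: "9306"
+      #   protocol: tcp
+      #   mode: host
+    secrets:
+      - cf_dns_api_token
+    volumes:
+      - $STACKSDIR/config:/config # traefik.yaml
+      - $STACKSDIR/rules:/rules # Dynamic File Provider directory
+      - $STACKSDIR/users:/mnt/users # basic-auth username and password hashes
+      - $DATADIR/appdata:/data # acme.json defined in traefik.yaml
+      - $DATADIR/logs:/logs
+    labels:
+      - traefik.enable=true
+      #
+      # http routers
+      # ------------
+      - traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web
+      - traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${WEBAPP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)
+      # https://appname.domainname/
+      - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure
+      - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${WEBAPP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)
+      - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true
+      # - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options.yml@file
+      - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns
+      #- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.domains[0].main=${DOMAINNAME}"
+      #- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.domains[0].sans=*.${DOMAINNAME}"
+      #
+      # http basic-auth middlewares
+      # ---------------------------
+      - traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.usersfile=/mnt/users/${APPLICATION_NAME}.txt
+      #
+      # assign middlewares to routers
+      # -----------------------------
+      - traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=${APPLICATION_NAME}-auth
+      - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=${APPLICATION_NAME}-auth
+      #
+      # http services
+      # -------------
+      - traefik.http.routers.${APPLICATION_NAME}-rtr.service=api@internal
+      - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=api@internal
+###############################################################
+  socket-proxy:
+    image: tecnativa/docker-socket-proxy:0.2.0 #0.1.2
+    hostname: traefik_socket-proxy
+    restart: unless-stopped
+    env_file: .socket-proxy.env
+    security_opt:
+      - no-new-privileges=true
+    networks:
+      - socket_proxy
+    privileged: true # true for VM. false for unprivileged LXC container.
+    #depends_on:
+    #  - traefik
+    ports:
+      - 127.0.0.1:2375:2375
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+###############################################################
+  # whoami:
+  #   image: traefik/whoami:latest
+  #   container_name: whoami
+  #   restart: unless-stopped
+  #   security_opt:
+  #     - no-new-privileges=true
+  #   depends_on:
+  #     - traefik
+  #   networks:
+  #     - traefik
+  #   environment:
+  #     - TZ
+  #   labels:
+  #     - "traefik.enable=true"
+  #     ## HTTP Routers
+  #     - "traefik.http.routers.whoami-rtr.rule=Host(`whoami.${DOMAINNAME}`)"
+###############################################################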
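Review bot: The dashboard router `${APPLICATION_NAME}-rtr` serves `api@internal` on the port-80 `web` entry point with only the basicauth middleware in front and no redirect to HTTPS (the entry-point redirect is commented out in `traefik.yml` and this router lists no redirect middleware), so a browser opening `http://traefik.sthome.org` is challenged for, and sends, the admin credentials in cleartext; either prepend the redirect (`traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-redirectScheme@file`) or drop the port-80 dashboard router altogether. `socket-proxy` runs with `privileged: true` and the Docker socket mounted, and additionally publishes `127.0.0.1:2375`, which hands any local process on the host unauthenticated Docker API access that is equivalent to root; Traefik reaches the proxy over the `socket_proxy` network, so the host port is unnecessary and the image does not need `privileged` to read the socket — remove both, and confirm `.socket-proxy.env` (not in this view) grants only the read-only endpoints Traefik uses. `traefik` is also attached to `mariadb-net`; unless a TCP router for the `mariadb`/`mysql` entry points is actually in use, that gives the internet-facing proxy a foothold on the database network for no reason.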


@ -0,0 +1,256 @@
################################################################
# Global configuration - https://doc.traefik.io/traefik/reference/static-configuration/file/
################################################################
global:
checkNewVersion: false
sendAnonymousUsage: false
################################################################
# Entrypoints - https://doc.traefik.io/traefik/routing/entrypoints/
################################################################
entryPoints:
web:
address: ":80"
#reusePort: true
# Global HTTP to HTTPS redirection
# http:
# redirections:
# entrypoint:
# to: websecure
# scheme: https
websecure:
address: ":443"
http:
tls:
certResolver: sthomeresolver
#domains:
# - main: "sthome.org"
# sans:
# - "*.sthome.org"
forwardedHeaders:
trustedIPs:
# Cloudflare (https://www.cloudflare.com/ips-v4)
- "173.245.48.0/20"
- "103.21.244.0/22"
- "103.22.200.0/22"
- "103.31.4.0/22"
- "141.101.64.0/18"
- "108.162.192.0/18"
- "190.93.240.0/20"
- "188.114.96.0/20"
- "197.234.240.0/22"
- "198.41.128.0/17"
- "162.158.0.0/15"
- "104.16.0.0/13"
- "104.24.0.0/14"
- "172.64.0.0/13"
- "131.0.72.0/22"
# Local IPs
- "127.0.0.1/32"
- "10.0.0.0/24"
- "192.168.2.0/24"
- "172.16.0.0/12"
wireguard:
address: ":51820/udp"
plex:
address: ":32400"
http:
redirections:
entrypoint:
to: websecure
scheme: https
metrics:
address: ":8082"
ping:
address: ":8083"
mariadb:
address: ":8306"
mysql:
address: ":9306"
mqtt:
address: ":1883"
mqttsecure:
address: ":8883"
mc-bedrock:
address: ":19132/udp"
mc-java:
address: ":25565/udp"
mc-java-rcon:
address: ":25575"
sftp1:
address: ":2022"
sftp2:
address: ":2023"
sftp3:
address: ":2024"
sftp4:
address: ":2025"
sftp5:
address: ":2026"
sftp6:
address: ":2027"
sftp7:
address: ":2028"
sftp8:
address: ":2029"
ping:
entryPoint: "ping"
################################################################
# Logs - https://doc.traefik.io/traefik/observability/logs/
################################################################
log:
level: DEBUG # Options: DEBUG, PANIC, FATAL, ERROR (Default), WARN, and INFO
filePath: /logs/traefik-container.log # Default is to STDOUT
format: json # Uses text format (common) by default
noColor: false # Recommended to be true when using common
maxSize: 100 # In megabytes
compress: true # gzip compression when rotating
################################################################
# Access logs - https://doc.traefik.io/traefik/observability/access-logs/
################################################################
accessLog:
addInternals: true # things like ping@internal
filePath: /logs/traefik-access.log # In the Common Log Format (CLF) by default
bufferingSize: 100 # Number of log lines
fields:
names:
StartUTC: drop # Write logs in Container Local Time instead of UTC
filters:
statusCodes:
- "204-299"
- "400-499"
- "500-599"
################################################################
# Prometheus - https://doc.traefik.io/traefik/observability/metrics/prometheus/
################################################################
metrics:
prometheus:
entryPoint: metrics
buckets:
- 0.1
- 0.3
- 1.2
- 5.0
addEntryPointsLabels: true
addRoutersLabels: true
addServicesLabels: true
################################################################
# API and Dashboard
################################################################
api:
dashboard: true
# disableDashboardAd: true
# Rely on api@internal and Traefik with Middleware to control access
# insecure: true
################################################################
# Providers - https://doc.traefik.io/traefik/providers/docker/
################################################################
providers:
docker:
#endpoint: "unix:///var/run/docker.sock" # Comment if using socket-proxy
endpoint: "tcp://traefik_socket-proxy:2375" # Uncomment if using socket proxy
exposedByDefault: false
network: traefik-net # network to use for connections to all containers
# defaultRule: TODO
# Enable auto loading of newly created rules by watching a directory
file:
# Apps, LoadBalancers, TLS Options, Middlewares, Middleware Chains
directory: /rules # /etc/traefik
watch: true
################################################################
# tls
################################################################
tls:
stores:
default:
# defaultCertificate:
# certFile: /data/sthome-org.pem
# keyFile: /data/sthome-org-key.pem
defaultGeneratedCert:
resolver: solver-dns
domain:
main: sthome.org
sans:
- plex.sthome.org
- emby.sthome.org
- jellyfin.sthome.org
- traefik.sthome.org
################################################################
# ACME
################################################################
certificatesResolvers:
# sthomeresolver:
# acme:
# email: "stuurmcp@telkomsa.net"
# storage: "/data/acme.json" # "/etc/traefik/letsencrypt/acme.json"
# #caServer: "https://acme-staging-v02.api.letsencrypt.org/directory" # Comment out when going prod
# caServer: "https://acme-v02.api.letsencrypt.org/directory" # production:
# dnsChallenge:
# provider: cloudflare
# #delayBeforeCheck: 30 # Default is 2m0s. This changes the delay (in seconds)
# # Custom DNS server resolution
# resolvers:
# - "1.1.1.1:53"
# - "8.8.8.8:53"
##
# sthome-org:
# acme:
# email: "stuurmcp@telkomsa.net"
# storage: "/data/acme.json" # "/etc/traefik/letsencrypt/acme.json"
# #caServer: "https://acme-staging-v02.api.letsencrypt.org/directory" # Comment out when going prod
# caServer: "https://acme-v02.api.letsencrypt.org/directory" # production:
# dnsChallenge:
# provider: cloudflare
# #delayBeforeCheck: 30 # Default is 2m0s. This changes the delay (in seconds)
# # Custom DNS server resolution
# resolvers:
# - "1.1.1.1:53"
# - "8.8.8.8:53"
solver-dns:
acme:
email: "stuurmcp@telkomsa.net"
storage: "/data/acme.json" # "/etc/traefik/letsencrypt/acme.json"
#caServer: "https://acme-staging-v02.api.letsencrypt.org/directory" # Comment out when going prod
caServer: "https://acme-v02.api.letsencrypt.org/directory" # production:
dnsChallenge:
provider: cloudflare
#delayBeforeCheck: 30 # Default is 2m0s. This changes the delay (in seconds)
# Custom DNS server resolution
resolvers:
- "1.1.1.1:53"
- "8.8.8.8:53"
#sthome-net:
# acme:
# email: "stuurmcp@telkomsa.net"
# storage: "/etc/traefik/local/acme.json" # "/data/acme.json"
# caServer: "https://upd.sthome.net/acme-v02.api" # production:
# dnsChallenge:
# provider: sthomelocal
#delayBeforeCheck: 30 # Default is 2m0s. This changes the delay (in seconds)
# Custom DNS server resolution
# resolvers:
# - "10.0.0.15:53"
# - "192.168.2.1:53"

195
traefik/config/traefik.yml Normal file

@ -0,0 +1,195 @@
################################################################
# Global configuration - https://doc.traefik.io/traefik/reference/static-configuration/file/
################################################################
global:
checkNewVersion: false
sendAnonymousUsage: false
################################################################
# Entrypoints - https://doc.traefik.io/traefik/routing/entrypoints/
################################################################
entryPoints:
web:
address: ":80"
#reusePort: true
# Global HTTP to HTTPS redirection
# http:
# redirections:
# entrypoint:
# to: websecure
# scheme: https
websecure:
address: ":443"
http:
tls:
options: "tls-options@file"
certResolver: sthomeresolver
#domains:
# - main: "sthome.org"
# sans:
# - "*.sthome.org"
forwardedHeaders:
trustedIPs:
# Cloudflare (https://www.cloudflare.com/ips-v4)
- "173.245.48.0/20"
- "103.21.244.0/22"
- "103.22.200.0/22"
- "103.31.4.0/22"
- "141.101.64.0/18"
- "108.162.192.0/18"
- "190.93.240.0/20"
- "188.114.96.0/20"
- "197.234.240.0/22"
- "198.41.128.0/17"
- "162.158.0.0/15"
- "104.16.0.0/13"
- "104.24.0.0/14"
- "172.64.0.0/13"
- "131.0.72.0/22"
# Local IPs
- "127.0.0.1/32"
- "10.0.0.0/24"
- "192.168.2.0/24"
- "172.16.0.0/12"
traefik:
address: ":8080"
# wireguard:
# address: ":51820/udp"
metrics:
address: ":8082"
ping:
address: ":8083"
# mqtt:
# address: ":1883"
# mqttsecure:
# address: ":8883"
ping:
entryPoint: "ping"
################################################################
# Logs - https://doc.traefik.io/traefik/observability/logs/
################################################################
log:
level: DEBUG # Options: DEBUG, PANIC, FATAL, ERROR (Default), WARN, and INFO
filePath: /logs/traefik-container.log # Default is to STDOUT
format: json # Uses text format (common) by default
noColor: false # Recommended to be true when using common
maxSize: 100 # In megabytes
compress: true # gzip compression when rotating
################################################################
# Access logs - https://doc.traefik.io/traefik/observability/access-logs/
################################################################
accessLog:
addInternals: true # things like ping@internal
filePath: /logs/traefik-access.log # In the Common Log Format (CLF) by default
bufferingSize: 100 # Number of log lines
fields:
names:
StartUTC: drop # Write logs in Container Local Time instead of UTC
filters:
statusCodes:
- "204-299"
- "400-499"
- "500-599"
################################################################
# Prometheus - https://doc.traefik.io/traefik/observability/metrics/prometheus/
################################################################
metrics:
prometheus:
entryPoint: metrics
buckets:
- 0.1
- 0.3
- 1.2
- 5.0
addEntryPointsLabels: true
addRoutersLabels: true
addServicesLabels: true
################################################################
# API and Dashboard
################################################################
api:
dashboard: true
# disableDashboardAd: true
# Rely on api@internal and Traefik with Middleware to control access
insecure: true
################################################################
# Providers - https://doc.traefik.io/traefik/providers/docker/
################################################################
providers:
docker:
#endpoint: "unix:///var/run/docker.sock" # Comment if using socket-proxy
endpoint: "tcp://traefik_socket-proxy:2375" # Uncomment if using socket proxy
exposedByDefault: false
network: traefik-net # network to use for connections to all containers
# defaultRule: TODO
# Enable auto loading of newly created rules by watching a directory
file:
# Apps, LoadBalancers, TLS Options, Middlewares, Middleware Chains
directory: /rules # /etc/traefik
watch: true
################################################################
# tls
################################################################
tls:
stores:
default:
# defaultCertificate:
# certFile: /data/sthome-org.pem
# keyFile: /data/sthome-org-key.pem
defaultGeneratedCert:
resolver: solver-dns
domain:
main: sthome.org
sans:
- plex.sthome.org
- emby.sthome.org
- jellyfin.sthome.org
- traefik.sthome.org
################################################################
# ACME
################################################################
certificatesResolvers:
solver-dns:
acme:
email: "stuurmcp@telkomsa.net"
storage: "/data/acme.json" # "/etc/traefik/letsencrypt/acme.json"
#caServer: "https://acme-staging-v02.api.letsencrypt.org/directory" # Comment out when going prod
caServer: "https://acme-v02.api.letsencrypt.org/directory" # production:
dnsChallenge:
provider: cloudflare
#delayBeforeCheck: 30 # Default is 2m0s. This changes the delay (in seconds)
# Custom DNS server resolution
resolvers:
- "1.1.1.1:53"
- "8.8.8.8:53"
#sthome-net:
# acme:
# email: "stuurmcp@telkomsa.net"
# storage: "/etc/traefik/local/acme.json" # "/data/acme.json"
# caServer: "https://upd.sthome.net/acme-v02.api" # production:
# dnsChallenge:
# provider: sthomelocal
#delayBeforeCheck: 30 # Default is 2m0s. This changes the delay (in seconds)
# Custom DNS server resolution
# resolvers:
# - "10.0.0.15:53"
# - "192.168.2.1:53"
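Review bot: The top-level `tls:` block (stores / defaultGeneratedCert, just above the ACME section) is dynamic configuration, not static; Traefik's static-file loader rejects keys it does not know, so as written I would expect traefik.yml to be refused at startup — the `tls.stores` rules file added later in this commit is where that block belongs. `certResolver: sthomeresolver` on the websecure entrypoint names a resolver this file never defines (the only entry under `certificatesResolvers` is `solver-dns`), so routers that rely on the entrypoint default will get no ACME certificate; change it to `certResolver: solver-dns`. `api.insecure: true` publishes the dashboard and API on the `traefik` entrypoint (:8080) with no middleware at all, which contradicts the comment directly above it about relying on api@internal plus middleware; set `insecure: false` and route `api@internal` through the file-provider chain instead. `level: DEBUG` also writes request-level detail into the log file and is better left at INFO outside of troubleshooting.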


@ -0,0 +1,30 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
################################################################
# Forward Authentication - OAUTH / 2FA
################################################################
#
# https://github.com/goauthentik/authentik/issues/2366
forwardAuth-authentik:
forwardAuth:
address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version
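Review bot: `trustForwardHeader: true` hands the X-Forwarded-* headers Traefik received straight to authentik, so authentik's view of the client address and scheme is only as reliable as the entrypoint's `forwardedHeaders.trustedIPs`, which elsewhere in this commit includes `172.16.0.0/12` — effectively every container on the Docker networks. That coupling is easy to lose, so I would add on that line `# X-Forwarded-* seen by authentik is only as trustworthy as entryPoints.websecure.forwardedHeaders.trustedIPs`. The auth address is plain HTTP on the internal network, which is acceptable only while `authentik_server` is reachable on that network alone; a comment saying so would help the next reader.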


@ -0,0 +1,18 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
# Prevent too large of a body
# https://stackoverflow.com/questions/49717670/how-to-config-upload-body-size-restriction-in-traefik
http-mw-buffering:
buffering:
maxRequestBodyBytes: 10485760
memRequestBodyBytes: 2097152
maxResponseBodyBytes: 10485760
memResponseBodyBytes: 2097152
retryExpression: "IsNetworkError() && Attempts() <= 2"
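Review bot: `retryExpression: "IsNetworkError() && Attempts() <= 2"` replays the buffered request on a network error regardless of HTTP method, so a POST or PUT that reached the backend before the connection dropped can be executed twice; if the services behind this middleware are not idempotent, drop the retry or attach this middleware only to routes that are safe to replay. The 10 MiB body cap is fine for a web UI but will reject uploads on media apps, so a comment naming which routers this is intended for, e.g. `# attach to UI/API routers only; upload endpoints need a higher cap`, would prevent surprises.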


@ -0,0 +1,9 @@
http:
middlewares:
http-mw-rateLimit-secureHeaders-compress-redirect:
chain:
middlewares:
- http-mw-rateLimit
- http-mw-secureHeaders
- http-mw-compress
- http-mw-redirectScheme


@ -0,0 +1,8 @@
http:
middlewares:
http-mw-rateLimit-secureHeaders-compress:
chain:
middlewares:
- http-mw-rateLimit
- http-mw-secureHeaders
- http-mw-compress


@ -0,0 +1,8 @@
http:
middlewares:
http-mw-rateLimit-secureHeaders-redirect:
chain:
middlewares:
- http-mw-rateLimit
- http-mw-secureHeaders
- http-mw-redirectScheme


@ -0,0 +1,7 @@
http:
middlewares:
http-mw-rateLimit-secureHeaders:
chain:
middlewares:
- http-mw-rateLimit
- http-mw-secureHeaders


@ -0,0 +1,7 @@
http:
middlewares:
http-mw-secureHeaders-redirect:
chain:
middlewares:
- http-mw-secureHeaders
- http-mw-redirectScheme


@ -0,0 +1,12 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
# Compress to save bandwidth
http-mw-compress:
compress: {}


@ -0,0 +1,14 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
# DDoS Prevention
http-mw-rateLimit:
rateLimit:
average: 100
burst: 50
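Review bot: The limiter sets no `sourceCriterion`, and as far as I recall Traefik then keys on the connecting address rather than the forwarded client IP; behind Cloudflare (whose ranges the entrypoint trusts) every request from one edge node would then share a bucket, throttling legitimate users together while a single client can spend the whole allowance — confirm against the Traefik docs and, if so, add `sourceCriterion: {ipStrategy: {depth: 1}}`. `burst: 50` below `average: 100` is unusual (burst is the bucket size, average the per-second refill) and Traefik's examples keep burst at or above average, so check that 50 is intentional. The "DDoS Prevention" comment overstates what a per-source limiter does; `# per-client request rate limit` is more accurate.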


@ -0,0 +1,15 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
# Middleware for Redirection
# This can be used instead of global redirection
http-mw-redirectScheme:
redirectscheme:
scheme: https
permanent: true


@ -0,0 +1,36 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
################################################################
# Good Basic Security Practices
################################################################
http-mw-secureHeaders:
headers:
accessControlAllowMethods:
- GET
- OPTIONS
- PUT
accessControlMaxAge: 100
hostsProxyHeaders:
- "X-Forwarded-Host"
stsSeconds: 63072000 # 2 years
stsIncludeSubdomains: true
stsPreload: true
forceSTSHeader: true
#customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME"}}" #CSP takes care of this but may be needed for organizr.
customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
contentTypeNosniff: true
browserXssFilter: true
# sslForceHost: true # add sslHost to all of the services
# sslHost: "{{env "DOMAINNAME"}}"
referrerPolicy: "same-origin"
permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=()"
customResponseHeaders:
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
server: ""
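Review bot: `browserXssFilter: true` emits `X-XSS-Protection: 1; mode=block`, a header current browsers ignore and that OWASP now recommends disabling because the legacy filter has been associated with information leaks in older engines; drop the line or keep it with a comment saying it is deliberate. The commented-out line above `customFrameOptionsValue` says CSP takes care of framing, yet no `contentSecurityPolicy` is set anywhere in this middleware, so either add one or correct that comment. `stsPreload: true` together with `stsIncludeSubdomains: true` and a two-year max-age commits every subdomain to HTTPS in a way that is hard to undo once submitted to the preload list; a comment recording that this is intentional is worth having. The same remarks apply to the identical `middlewares-secure-headers` definition added later in this commit.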


@ -0,0 +1,37 @@
################################################################
# TLS Options (https://jellyfin.org/docs/general/networking/traefik2.html#traefik-providertoml)
# toml -> yml
# 2024 updates to cipherSuites from (https://www.smarthomebeginner.com/traefik-v3-docker-compose-guide-2024/)
#
# Set secure options by disabling insecure older TLS/SSL versions
# and insecure ciphers. SNIStrict disabled leaves TLS1.0 open.
# If you have problems with older clients, you can may need to relax
# these minimums. This configuration will give you an A+ SSL security
# score supporting TLS1.2 and TLS1.3
#
# Dynamic configuration
# https://doc.traefik.io/traefik/https/tls/
################################################################
tls:
options:
tls-options:
sniStrict: true
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
curvePreferences:
# CurveP256, CurveP384, CurveP521, X25519
# secp256r1, secp384r1, secp521r1, x25519, x448
- secp521r1
- secp384r1
mintls13:
minVersion: VersionTLS13
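Review bot: The header comment says `SNIStrict disabled leaves TLS1.0 open`, which is not what `sniStrict` does — it rejects clients whose SNI matches no certificate, while the protocol floor comes from `minVersion: VersionTLS12`; reword it to `# sniStrict rejects clients with no/unknown SNI; minVersion sets the protocol floor`. The TLS 1.3 entries (`TLS_AES_*`, `TLS_CHACHA20_POLY1305_SHA256`) and `TLS_FALLBACK_SCSV` in `cipherSuites` are, as far as I know, not selectable in Go's TLS stack and are accepted silently, so they document intent only and the list should say so. `curvePreferences` omits `x25519` and `secp256r1`, the curves most clients offer first; P-384 works but costs more per handshake, so confirm the omission is deliberate rather than a copy from an older guide.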


@ -0,0 +1,6 @@
tls:
stores:
default:
defaultCertificate:
certFile: /data/sthome-org.pem
keyFile: /data/sthome-org-key.pem
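Review bot: This file sets a static `defaultCertificate` for the default store while traefik.yml in the same commit sets `defaultGeneratedCert` for it; Traefik serves only one default per store and, as far as I recall, the explicit certificate wins, so one of the two is inert — pick one and delete the other so the `/data/sthome-org.pem` dependency is either real or gone. Add a one-line comment stating which source the default certificate comes from and who renews it.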

1
traefik/rules/users.txt Normal file

@ -0,0 +1 @@
chris:$$2y$$05$$mUVwUOShyKPPnDsX/ClCc.sNYYCBvbvQd2WG794SUlJsGE1GC0ofy
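Review bot: The hash is written with doubled `$$`, which is the escaping for a docker-compose label, not for a file; a basicAuth `usersFile` would see the literal `$$2y$$05$$...` and never match, so this entry should use single `$` like the users/*.txt files below. The `$2y$05$` prefix is bcrypt cost 5 (32 rounds), well below current guidance of 10 or more, which makes these hashes cheap to attack offline if the file leaks — and this commit publishes them: the same cost appears in every traefik/users/*.txt file added below (cctv.txt, common.txt, lidarr.txt, radarr.txt, sonarr.txt and the unnamed sections between them). Regenerate them with `htpasswd -B -C 12` and keep the users files out of the repository, supplying them at deploy time like the secrets.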


@ -0,0 +1 @@
662gfbdISWlkkFVfFSYErGQotZDmxX46rKE2hcHO
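Review bot: This one-line file commits a 40-character opaque credential to the repository; given the ACME resolver uses the `cloudflare` provider and `traefik/secrets/cf_email` is the next file added, it is presumably the Cloudflare API token. Once pushed it has to be treated as exposed: revoke and reissue it at Cloudflare, rewrite history to drop it, and add `traefik/secrets/` to `.gitignore` with a README or `.gitkeep` marking where the files go. The same handling applies to `cf_email` below, which is less sensitive but belongs with the rest of the deploy-time secrets rather than in version control.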

1
traefik/secrets/cf_email Normal file

@ -0,0 +1 @@
stuurmcp@telkomsa.net


@ -0,0 +1,36 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
################################################################
# Good Basic Security Practices
################################################################
middlewares-secure-headers:
headers:
accessControlAllowMethods:
- GET
- OPTIONS
- PUT
accessControlMaxAge: 100
hostsProxyHeaders:
- "X-Forwarded-Host"
stsSeconds: 63072000 # 2 years
stsIncludeSubdomains: true
stsPreload: true
forceSTSHeader: true
#customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME"}}" #CSP takes care of this but may be needed for organizr.
customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
contentTypeNosniff: true
browserXssFilter: true
# sslForceHost: true # add sslHost to all of the services
# sslHost: "{{env "DOMAINNAME"}}"
referrerPolicy: "same-origin"
permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=()"
customResponseHeaders:
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
server: ""
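Review bot: `middlewares-secure-headers` is byte-for-byte the `http-mw-secureHeaders` middleware added earlier in this commit, under the older htpcBeginner naming; this section's path is not visible here, but if the file sits under the watched `/rules` directory it registers a second identical middleware, and if it is a stale copy it should be deleted rather than carried forward. Whichever it is, it inherits the `browserXssFilter` and missing-CSP remarks made on `http-mw-secureHeaders`.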

5
traefik/users/cctv.txt Normal file

@ -0,0 +1,5 @@
admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC
home:$2y$05$VjkUjMGVdxMn3N/rMK8nBuh1jAUfezo8i4167enEg7i9Xl45cVQGi
Home:$2y$05$JP8tB1nkPA8tbhEnhGV6teke.X87eFX4V9hi9qa2ArLISJ4Ksf2ca

3
traefik/users/common.txt Normal file

@ -0,0 +1,3 @@
admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC


@ -0,0 +1,7 @@
admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC
home:$2y$05$VjkUjMGVdxMn3N/rMK8nBuh1jAUfezo8i4167enEg7i9Xl45cVQGi
Home:$2y$05$JP8tB1nkPA8tbhEnhGV6teke.X87eFX4V9hi9qa2ArLISJ4Ksf2ca
zelna:$2y$10$1OREtkEjjO0834TnxYAaWe2.N.gM4V01cOqDRRoEmG.SiiIvLsEk.
Zelna:$2y$10$vgfcMmEB3L8nAReV4cUyw.BR7PAMIEmzNdeCpLNcHxvepul88InZ6

3
traefik/users/lidarr.txt Normal file

@ -0,0 +1,3 @@
admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC


@ -0,0 +1,5 @@
admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC
home:$2y$05$VjkUjMGVdxMn3N/rMK8nBuh1jAUfezo8i4167enEg7i9Xl45cVQGi
Home:$2y$05$JP8tB1nkPA8tbhEnhGV6teke.X87eFX4V9hi9qa2ArLISJ4Ksf2ca


@ -0,0 +1,4 @@
grafana:$2y$05$r6bSihiBh.xKWV5FPP9yPunhIr0t.cavZqq2Ghsl6TEGKbXDXk6qy
admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC


@ -0,0 +1,3 @@
admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC


@ -0,0 +1,3 @@
admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC

3
traefik/users/radarr.txt Normal file

@ -0,0 +1,3 @@
admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC


@ -0,0 +1,3 @@
admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC

3
traefik/users/sonarr.txt Normal file

@ -0,0 +1,3 @@
admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC


@ -0,0 +1,3 @@
admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC


@ -0,0 +1,3 @@
admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC