ue87775
96 lines
3.5 KiB
YAML
96 lines
3.5 KiB
YAML
services:
|
|
traefik:
|
|
image: traefik:v3.6
|
|
container_name: traefik
|
|
depends_on:
|
|
- crowdsec
|
|
command:
|
|
- "--api.dashboard=true"
|
|
- "--api.insecure=false"
|
|
- "--providers.docker=true"
|
|
- "--providers.docker.exposedbydefault=false"
|
|
- "--experimental.plugins.crowdsec-bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
|
|
- "--experimental.plugins.crowdsec-bouncer.version=v1.4.2"
|
|
- "--accesslog=true"
|
|
- "--accesslog.filepath=/var/log/traefik/access.log"
|
|
|
|
# - "--entrypoints.https.address=:443"
|
|
|
|
# Entrypoints
|
|
- "--entrypoints.web.address=:80"
|
|
- "--entrypoints.websecure.address=:443"
|
|
- "--entrypoints.mqtt-secure.address=:8883"
|
|
- "--entrypoints.websecure.http.middlewares=crowdsec@docker"
|
|
# Global HTTP -> HTTPS Redirection
|
|
- "--entrypoints.web.http.redirections.entryPoint.to=websecure"
|
|
- "--entrypoints.web.http.redirections.entryPoint.scheme=https"
|
|
# Certificates Resolution (Let's Encrypt)
|
|
- "--certificatesresolvers.myresolver.acme.httpchallenge=true"
|
|
- "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
|
|
- "--certificatesresolvers.myresolver.acme.email=olivia@quangkhai.ch"
|
|
- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
|
|
- "--certificatesresolvers.myresolver.acme.tlschallenge=true"
|
|
ports:
|
|
- "80:80"
|
|
- "443:443"
|
|
- "8080:8080" # Traefik Dashboard
|
|
- "8883:8883" # MQTT TLS
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
|
- ./letsencrypt:/letsencrypt
|
|
- ./logs:/var/log/traefik
|
|
networks:
|
|
- proxy_tier
|
|
restart: unless-stopped
|
|
healthcheck:
|
|
test: ["CMD", "traefik", "healthcheck", "--ping"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
start_period: 5s
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
cpus: '2'
|
|
memory: 512M
|
|
reservations:
|
|
cpus: '1'
|
|
memory: 256M
|
|
labels:
|
|
# THE MIDDLEWARE DEFINITION
|
|
- "traefik.http.middlewares.authelia-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.quangkhai.ch/"
|
|
- "traefik.http.middlewares.authelia-auth.forwardauth.trustForwardHeader=true"
|
|
- "traefik.http.middlewares.authelia-auth.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
|
|
- "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.enabled=true"
|
|
- "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.logLevel=INFO"
|
|
- "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecMode=live"
|
|
- "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecLapiHost=crowdsec:8080"
|
|
- "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecLapiScheme=http"
|
|
- "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecLapiKey=${CROWDSEC_BOUNCER_KEY:-change-me}"
|
|
|
|
crowdsec:
|
|
image: crowdsecurity/crowdsec:latest
|
|
container_name: crowdsec
|
|
environment:
|
|
- TZ=UTC
|
|
- COLLECTIONS=crowdsecurity/traefik
|
|
- BOUNCER_KEY_TRAEFIK=${CROWDSEC_BOUNCER_KEY:-change-me}
|
|
volumes:
|
|
- ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml:ro
|
|
- ./logs:/var/log/traefik:ro
|
|
- crowdsec-db:/var/lib/crowdsec/data
|
|
- crowdsec-config:/etc/crowdsec
|
|
networks:
|
|
- proxy_tier
|
|
restart: unless-stopped
|
|
|
|
|
|
networks:
|
|
proxy_tier:
|
|
name: proxy_tier
|
|
external: true
|
|
|
|
volumes:
|
|
crowdsec-db:
|
|
crowdsec-config:
|