Improve traefik config

2024-10-20 18:29:00 +01:00 · 2024-10-20 18:29:00 +01:00 · 426b4fae83
commit 426b4fae83
parent 8f6420e2d0
16 changed files with 95 additions and 113 deletions
--- a/servers/containers/conduwuit-testing.container
+++ b/servers/containers/conduwuit-testing.container
@ -24,9 +24,6 @@ Label="traefik.http.services.conduwuit-testing.loadbalancer.server.port=6167"

 Label="traefik.http.routers.conduwuit-testing.entrypoints=https,matrix"

-Label="traefik.http.routers.conduwuit-testing.tls.certresolver=letsencrypt"
-# Label="traefik.http.routers.conduwuit-testing.tls.options=intermediate@file"
-
 Label="traefik.http.routers.conduwuit-testing.middlewares=default@file"

 Label="homepage.group=Public"
--- a/servers/containers/conduwuit.container
+++ b/servers/containers/conduwuit.container
@ -24,9 +24,6 @@ Label="traefik.http.services.conduwuit.loadbalancer.server.port=6167"

 Label="traefik.http.routers.conduwuit.entrypoints=https,matrix"

-Label="traefik.http.routers.conduwuit.tls.certresolver=letsencrypt"
-# Label="traefik.http.routers.conduwuit.tls.options=intermediate@file"
-
 Label="traefik.http.routers.conduwuit.middlewares=default@file"

 Label="homepage.group=Public"
--- a/servers/containers/domain-redirects.container
+++ b/servers/containers/domain-redirects.container
@ -27,7 +27,6 @@ Environment="REDIRECT_TYPE=redirect"
 Label="traefik.http.routers.domain-redirects.tls.certresolver=letsencrypt"
 Label="traefik.http.routers.domain-redirects.tls.domains[0].main=ellis.link"
 Label="traefik.http.routers.domain-redirects.tls.domains[0].sans=*.ellis.link"
-# Label="traefik.http.routers.domain-redirects.tls.options=intermediate@file"

 Label="traefik.http.routers.domain-redirects.middlewares=default@file"
 # Label="traefik.http.routers.domain-redirects.middlewares=ellis-link-redirect,joel-ellis-link-redirect,default@file"
--- a/servers/containers/element-web.container
+++ b/servers/containers/element-web.container
@ -22,9 +22,6 @@ Label="traefik.http.services.element-web.loadbalancer.server.port=80"

 Label="traefik.http.routers.element-web.entrypoints=https"

-Label="traefik.http.routers.element-web.tls.certresolver=letsencrypt"
-# Label="traefik.http.routers.element-web.tls.options=intermediate@file"
-
 Label="traefik.http.routers.element-web.middlewares=default@file"

 Label="homepage.group=Services"
--- a/servers/containers/homepage.container
+++ b/servers/containers/homepage.container
@ -19,9 +19,6 @@ Label="traefik.enable=true"
 Label="traefik.http.routers.homepage.rule=Host(`homepage.ellis.link`)"
 Label="traefik.http.routers.homepage.entrypoints=https"

-Label="traefik.http.routers.homepage.tls.certresolver=letsencrypt"
-
-
 Label="traefik.http.middlewares.compress.compress=true"

 Label="traefik.http.middlewares.hsts.headers.stsincludesubdomains=false"
--- a/servers/containers/jade-website-frontend.container
+++ b/servers/containers/jade-website-frontend.container
@ -33,9 +33,6 @@ Label="traefik.http.routers.jade-website-frontend.rule=(Host(`jade.ellis.link`)

 Label="traefik.http.routers.jade-website-frontend.entrypoints=https"

-Label="traefik.http.routers.jade-website-frontend.tls.certresolver=letsencrypt"
-# Label="traefik.http.routers.jade-website-frontend.tls.options=intermediate@file"
-
 Label="traefik.http.routers.jade-website-frontend.middlewares=default@file"

 Label="homepage.group=Public"
--- a/servers/containers/kanidm.container
+++ b/servers/containers/kanidm.container
@ -33,8 +33,6 @@ Label="traefik.http.routers.kanidm.service=kanidm"
 # Label="traefik.tcp.routers.kanidm-tcp.rule=HostSNI(`idm.ellis.link`)"
 # Label="traefik.tcp.routers.kanidm-tcp.service=kanidm"

-Label="traefik.http.routers.kanidm.tls.certresolver=letsencrypt"
-
 # Kanidm is a bit odd here
 Label="traefik.http.services.kanidm.loadbalancer.server.port=8443"
 Label="traefik.http.services.kanidm.loadbalancer.server.scheme=https"
--- a/servers/containers/maubot.container
+++ b/servers/containers/maubot.container
@ -22,9 +22,6 @@ Label="traefik.http.services.maubot.loadbalancer.server.port=29316"

 Label="traefik.http.routers.maubot.entrypoints=https"

-Label="traefik.http.routers.maubot.tls.certresolver=letsencrypt"
-# Label="traefik.http.routers.maubot.tls.options=intermediate@file"
-
 Label="traefik.http.routers.maubot.middlewares=default@file"

 Label="homepage.group=Services"
--- a/servers/containers/mautrix-discord.container
+++ b/servers/containers/mautrix-discord.container
@ -20,9 +20,6 @@ Label="traefik.http.routers.mautrix-discord.rule=Host(`mautrix-discord.ellis.lin
 Label="traefik.http.routers.mautrix-discord.entrypoints=https"
 Label="traefik.http.services.mautrix-discord.loadbalancer.server.port=29334"

-Label="traefik.http.routers.mautrix-discord.tls.certresolver=letsencrypt"
-# Label="traefik.http.routers.mautrix-discord.tls.options=intermediate@file"
-
 Label="traefik.http.routers.mautrix-discord.middlewares=default@file"

 Label="homepage.group=Services"
--- a/servers/containers/mautrix-gmessages.container
+++ b/servers/containers/mautrix-gmessages.container
@ -18,9 +18,6 @@ Label="traefik.http.routers.mautrix-gmessages.rule=Host(`mautrix-gmessages.ellis
 Label="traefik.http.routers.mautrix-gmessages.entrypoints=https"
 Label="traefik.http.services.mautrix-gmessages.loadbalancer.server.port=29334"

-Label="traefik.http.routers.mautrix-gmessages.tls.certresolver=letsencrypt"
-# Label="traefik.http.routers.mautrix-gmessages.tls.options=intermediate@file"
-
 Label="traefik.http.routers.mautrix-gmessages.middlewares=default@file"

 Label="homepage.group=Services"
--- a/servers/containers/sentry-relay.container
+++ b/servers/containers/sentry-relay.container
@ -25,9 +25,6 @@ Label="traefik.http.routers.sentry-relay.rule=Host(`relay.ellis.link`)"

 Label="traefik.http.routers.sentry-relay.entrypoints=https"

-Label="traefik.http.routers.sentry-relay.tls.certresolver=letsencrypt"
-# Label="traefik.http.routers.sentry-relay.tls.options=intermediate@file"
-
 Label="traefik.http.routers.sentry-relay.middlewares=default@file"


--- a/servers/containers/thelounge.container
+++ b/servers/containers/thelounge.container
@ -18,9 +18,6 @@ Label="traefik.http.routers.thelounge.rule=Host(`thelounge.ellis.link`)"
 Label="traefik.http.services.thelounge.loadbalancer.server.port=9000"
 Label="traefik.http.routers.thelounge.entrypoints=https"

-Label="traefik.http.routers.thelounge.tls.certresolver=letsencrypt"
-
-
 Label="traefik.http.middlewares.compress.compress=true"

 Label="traefik.http.middlewares.hsts.headers.stsincludesubdomains=false"
--- a/servers/containers/traefik.container
+++ b/servers/containers/traefik.container
@ -19,10 +19,12 @@ IP6=fd76:6f6d:f45e:ea1a::15

 # HTTP(S)
 PublishPort=0.0.0.0:80:80/tcp
+PublishPort=0.0.0.0:80:80/udp
 PublishPort=0.0.0.0:443:443/tcp
 PublishPort=0.0.0.0:443:443/udp

 PublishPort=[::]:80:80/tcp
+PublishPort=[::]:80:80/udp
 PublishPort=[::]:443:443/tcp
 PublishPort=[::]:443:443/udp

@ -34,21 +36,21 @@ PublishPort=[::]:8448:8448/udp

 # SMTP
 PublishPort=0.0.0.0:25:25/tcp
-PublishPort=0.0.0.0:25:25/udp
+# PublishPort=0.0.0.0:25:25/udp
 PublishPort=[::]:25:25/tcp
-PublishPort=[::]:25:25/udp
+# PublishPort=[::]:25:25/udp

 # SMTPS
 PublishPort=0.0.0.0:465:465/tcp
-PublishPort=0.0.0.0:465:465/udp
+# PublishPort=0.0.0.0:465:465/udp
 PublishPort=[::]:465:465/tcp
-PublishPort=[::]:465:465/udp
+# PublishPort=[::]:465:465/udp

 # IMAPS
 PublishPort=0.0.0.0:465:465/tcp
-PublishPort=0.0.0.0:465:465/udp
+# PublishPort=0.0.0.0:465:465/udp
 PublishPort=[::]:465:465/tcp
-PublishPort=[::]:465:465/udp
+# PublishPort=[::]:465:465/udp

 ReadOnly=true
 Volume=/run/podman/podman.sock:/var/run/docker.sock:z
@ -66,7 +68,7 @@ Network=web.network
 # IP=176.126.240.240
 # IP6=fe80::9724:38eb:9b0f:df7c

-Exec=traefik --configFile=/etc/traefik/config.toml 
+Exec=traefik --configFile=/etc/traefik/config.yml 

 Environment="CF_DNS_API_TOKEN=OzdeI-Km-mI3_WlSOO83Zu0id7rmdd0k2QhOoGNE"

--- a/servers/containers/web.network
+++ b/servers/containers/web.network
@ -2,6 +2,7 @@
 DisableDNS=false
 Internal=false
 IPv6=true
-# Manual subnet to avoid issues with DNS resolution
-# Subnet=10.89.1.0/24
-# Gateway=10.89.1.1
+Subnet=10.89.0.0/24
+Gateway=10.89.0.1
+Subnet=fd76:6f6d:f45e:ea1a::/64
+Gateway=fd76:6f6d:f45e:ea1a::1
--- a/servers/traefik/config.toml
+++ b/servers/traefik/config.toml
@ -1,70 +0,0 @@
-[log]
-level = "INFO"
-# [ping]
-
-[providers.docker]
-exposedbydefault = false
-[providers.file]
-directory="/etc/traefik/additional/" 
-watch=true 
-
-[entrypoints.http]
-address = ":80"
-[entrypoints.https]
-address = ":443"
-[entrypoints.https.http3]
-
-[entrypoints.matrix]
-address = ":8448"
-[entrypoints.matrix.http3]
-
-[entryPoints.http.proxyProtocol]
-insecure = false
-trustedIPs = [ ]
-
-[entryPoints.http.forwardedHeaders]
-insecure = false
-trustedIPs = [ ]
-
-[entryPoints.https.proxyProtocol]
-insecure = false
-trustedIPs = [ ]
-
-[entryPoints.https.forwardedHeaders]
-insecure = false
-trustedIPs = [ ]
-
-[entryPoints.matrix.proxyProtocol]
-insecure = false
-trustedIPs = [ ]
-
-[entryPoints.matrix.forwardedHeaders]
-insecure = false
-trustedIPs = [ ]
-
-[entrypoints.http.http.redirections.entryPoint]
-to="https" 
-scheme = "https"
-
-[http.middlewares]
-[http.middlewares.traefik-compress.compress]
-
-[http.routers.http]
-middlewares = "traefik-compress"
-[http.routers.https]
-middlewares = "traefik-compress"
-[http.routers.traefik]
-middlewares = "traefik-compress"
-# [entryPoints.traefik]
-# address = ":9000"
-
-
-[certificatesresolvers.letsencrypt.acme]
-email = 'jade@ellis.link'
-storage = "/certificates/acme.json"
-
-# - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
-# - "--certificatesresolvers.letsencrypt.acme.httpChallenge.entryPoint=http"
-# tlschallenge = true
-[certificatesresolvers.letsencrypt.acme.dnschallenge]
-provider = "cloudflare"
--- a/servers/traefik/config.yml
+++ b/servers/traefik/config.yml
@ -0,0 +1,82 @@
+global:
+  checkNewVersion: false
+log:
+  level: INFO
+providers:
+  docker:
+    exposedbydefault: false
+  file:
+    directory: /etc/traefik/additional/
+    watch: true
+entrypoints:
+  http:
+    address: :80
+    http3: {}
+    http:
+      redirections:
+        entryPoint:
+          to: https
+          scheme: https
+    # proxyProtocol:
+    #   insecure: false
+    #   trustedIPs: []
+    # forwardedHeaders:
+    #   insecure: false
+    #   trustedIPs: []
+  https:
+    address: :443
+    http3: {}
+    # proxyProtocol:
+    #   insecure: false
+    #   trustedIPs: []
+    # forwardedHeaders:
+    #   insecure: false
+    #   trustedIPs: []
+    http:
+      tls:
+        certResolver: letsencrypt
+  matrix:
+    address: :8448
+    http3: {}
+    # proxyProtocol:
+    #   insecure: false
+    #   trustedIPs: []
+    # forwardedHeaders:
+    #   insecure: false
+    #   trustedIPs: []
+  smtp:
+    address: :25
+    proxyProtocol:
+      trustedIPs: # Trust IPs from inside the "web" network
+        - 10.89.0.0/24
+        - fd76:6f6d:f45e:ea1a::/64
+  smtps:
+    address: :465
+    proxyProtocol:
+      trustedIPs:
+        - 10.89.0.0/24
+        - fd76:6f6d:f45e:ea1a::/64
+  imaps:
+    address: :993
+    proxyProtocol:
+      trustedIPs:
+        - 10.89.0.0/24
+        - fd76:6f6d:f45e:ea1a::/64
+http:
+  middlewares:
+    traefik-compress:
+      compress: {}
+  routers:
+    http:
+      middlewares: traefik-compress
+    https:
+      middlewares: traefik-compress
+    traefik:
+      middlewares: traefik-compress
+certificatesresolvers:
+  letsencrypt:
+    acme:
+      email: jade@ellis.link
+      storage: /certificates/acme.json
+      dnschallenge:
+        provider: cloudflare