From bfd7f5bd3fb6a39eece4548cb646690e517ca0df Mon Sep 17 00:00:00 2001
From: Jade Ellis
Date: Thu, 7 Mar 2024 19:17:16 +0000
Subject: [PATCH] Set up homepaged, improved TLS and tried to get IPv6 functional

---
 servers/containers/homepage.container | 29 +++++++++++++++++
 servers/containers/thelounge.container | 5 +++
 servers/containers/traefik.container | 15 ++++++---
 servers/containers/web.network | 6 ++--
 servers/homepage/bookmarks.yaml | 0
 servers/homepage/docker.yaml | 2 ++
 servers/homepage/services.yaml | 0
 servers/homepage/settings.yaml | 2 ++
 servers/homepage/widgets.yaml | 9 ++++++
 servers/traefik/config.toml | 43 ++++++++++++++++++++++----
 10 files changed, 98 insertions(+), 13 deletions(-)
 create mode 100644 servers/containers/homepage.container
 create mode 100644 servers/homepage/bookmarks.yaml
 create mode 100644 servers/homepage/docker.yaml
 create mode 100644 servers/homepage/services.yaml
 create mode 100644 servers/homepage/settings.yaml
 create mode 100644 servers/homepage/widgets.yaml

diff --git a/servers/containers/homepage.container b/servers/containers/homepage.container
new file mode 100644
index 00000000..9c32fcb1
--- /dev/null
+++ b/servers/containers/homepage.container
@@ -0,0 +1,29 @@
+
+
+[Unit]
+Description=homepage Dashboard
+Wants=network-online.target
+After=network-online.target
+
+[Container]
+ContainerName=homepage
+NoNewPrivileges=true
+Image=ghcr.io/gethomepage/homepage:latest
+Volume=/etc/homepage:/app/config:z
+PodmanArgs=--privileged
+Volume=/run/podman/podman.sock:/var/run/docker.sock:z
+AutoUpdate=local
+Network=web.network
+
+Label="traefik.enable=true"
+Label="traefik.http.routers.homepage.rule=Host(`homepage.ellis.link`)"
+Label="traefik.http.routers.homepage.entrypoints=https"
+
+Label="traefik.http.routers.homepage.tls.certresolver=letsencrypt"
+
+[Service]
+Restart=on-failure
+TimeoutStartSec=900
+
+[Install]
+WantedBy=default.target
\ No newline at end of file
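Review bot: `PodmanArgs=--privileged` combined with the socket mount `Volume=/run/podman/podman.sock:/var/run/docker.sock:z` hands the web-facing dashboard container full control of the host's container runtime, and `--privileged` also contradicts the `NoNewPrivileges=true` set a few lines above it. Homepage's docker integration only needs to talk to the socket, so the `PodmanArgs=--privileged` line can be dropped outright; for the socket, fronting it with a read-only API proxy (or otherwise limiting the peer to the read endpoints) keeps a compromise of the dashboard from becoming a compromise of every container behind Traefik. If the socket has to stay mounted directly, a comment such as `# podman socket = root-equivalent on the host; dashboard must stay behind auth` should state the trade-off. `Image=ghcr.io/gethomepage/homepage:latest` with `AutoUpdate=local` also means the unit follows whatever `latest` resolves to, so pinning a version or digest would make updates reviewable.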
diff --git a/servers/containers/thelounge.container b/servers/containers/thelounge.container index 70a89b74..b305cb0d 100644 --- a/servers/containers/thelounge.container +++ b/servers/containers/thelounge.container @@ -20,6 +20,11 @@ Label="traefik.http.routers.thelounge.entrypoints=https" Label="traefik.http.routers.thelounge.tls.certresolver=letsencrypt" +Label="homepage.group=Social" +Label="homepage.name=TheLounge" +Label="homepage.href=https://thelounge.ellis.link/" +Label="homepage.description=IRC web client / bouncer" + [Service] Restart=on-failure TimeoutStartSec=900 diff --git a/servers/containers/traefik.container b/servers/containers/traefik.container index 8866bcef..84b0ba43 100644 --- a/servers/containers/traefik.container +++ b/servers/containers/traefik.container @@ -11,9 +11,14 @@ ContainerName=traefik PodmanArgs=--privileged NoNewPrivileges=true Image=docker.io/library/traefik:latest -PublishPort=80:80/tcp -PublishPort=443:443/tcp -PublishPort=443:443/udp +PublishPort=0.0.0.0:80:80/tcp +PublishPort=0.0.0.0:443:443/tcp +PublishPort=0.0.0.0:443:443/udp + +PublishPort=[::]:80:80/tcp +PublishPort=[::]:443:443/tcp +PublishPort=[::]:443:443/udp + # PublishPort=8448:8448/tcp ReadOnly=true Volume=/run/podman/podman.sock:/var/run/docker.sock:z @@ -24,7 +29,9 @@ Volume=/etc/traefik:/etc/traefik:ro,z # Volume=/var/srv/matrix/caddy/Caddyfile:/etc/caddy/Caddyfile:ro,z AutoUpdate=registry Network=web.network -# IP=10.89.1.10 + +IP=176.126.240.240 +IP6=fe80::9724:38eb:9b0f:df7c Exec=traefik --configFile=/etc/traefik/config.toml diff --git a/servers/containers/web.network b/servers/containers/web.network index 0d27f5ef..98f954e4 100644 --- a/servers/containers/web.network +++ b/servers/containers/web.network 
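Review bot: Publishing 80 and 443 twice, once on `0.0.0.0` and once on `[::]`, may collide rather than complement: depending on the Podman/netavark version a `[::]` publish is dual-stack and already answers IPv4, in which case the second bind of the same port fails or one silently wins. Verify with `ss -ltnup` after the unit starts; if the `[::]` lines cover both families keep only those, and if they do not, a comment like `# IPv4 and IPv6 bound separately: Podman here does not publish dual-stack` would explain the duplication to the next reader.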
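Review bot: `IP6=fe80::9724:38eb:9b0f:df7c` is a link-local address (fe80::/10), which is only meaningful on one link and is not what a bridged Podman network with `IPv6=true` allocates, so I would expect the unit to fail with an address-not-in-subnet error rather than make IPv6 work. The same applies to `IP=176.126.240.240`: it looks like a public IPv4 address, and the same commit comments out `Subnet=10.89.1.0/24` in `web.network`, so the auto-allocated subnet will not contain it either (the removed `# IP=10.89.1.10` at least sat inside the old subnet). If Traefik needs fixed addresses, keep `Subnet=`/`Gateway=` on `web.network` (one for each family) and pick addresses inside them; otherwise drop both `IP=` and `IP6=` and let Podman assign. A comment stating why a fixed address is required would help either way.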
@@ -1,7 +1,7 @@
 [Network]
 DisableDNS=false
 Internal=false
-
+IPv6=true
 # Manual subnet to avoid issues with DNS resolution
-Subnet=10.89.1.0/24
-Gateway=10.89.1.1
\ No newline at end of file
+# Subnet=10.89.1.0/24
+# Gateway=10.89.1.1
\ No newline at end of file
diff --git a/servers/homepage/bookmarks.yaml b/servers/homepage/bookmarks.yaml
new file mode 100644
index 00000000..e69de29b
diff --git a/servers/homepage/docker.yaml b/servers/homepage/docker.yaml
new file mode 100644
index 00000000..d166d127
--- /dev/null
+++ b/servers/homepage/docker.yaml
@@ -0,0 +1,2 @@
+local:
+ socket: /var/run/docker.sock
diff --git a/servers/homepage/services.yaml b/servers/homepage/services.yaml
new file mode 100644
index 00000000..e69de29b
diff --git a/servers/homepage/settings.yaml b/servers/homepage/settings.yaml
new file mode 100644
index 00000000..d89b83eb
--- /dev/null
+++ b/servers/homepage/settings.yaml
@@ -0,0 +1,2 @@
+startUrl: https://homepage.ellis.link
+base: https://homepage.ellis.link
\ No newline at end of file
diff --git a/servers/homepage/widgets.yaml b/servers/homepage/widgets.yaml
new file mode 100644
index 00000000..e347dc44
--- /dev/null
+++ b/servers/homepage/widgets.yaml
@@ -0,0 +1,9 @@
+
+- resources:
+ cpu: true
+ memory: true
+ disk: /
+
+- search:
+ provider: duckduckgo
+ target: _blank
\ No newline at end of file
diff --git a/servers/traefik/config.toml b/servers/traefik/config.toml
index 7e62c0dc..c156d902 100644
--- a/servers/traefik/config.toml
+++ b/servers/traefik/config.toml
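Review bot: The comment `# Manual subnet to avoid issues with DNS resolution` is now stranded above two commented-out keys, so it reads as if the workaround were still active. Either remove the comment together with `# Subnet=`/`# Gateway=`, or reword it to record what changed, e.g. `# Manual subnet dropped when IPv6 was enabled; revisit if DNS resolution breaks again`. Note that the static `IP=`/`IP6=` keys added to `traefik.container` in this commit depend on this network having subnets that contain them, so removing `Subnet=` here and pinning addresses there pull in opposite directions.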
@@ -8,6 +8,31 @@ exposedbydefault = false address = ":80" [entrypoints.https] address = ":443" +[entrypoints.https.http3] + +[entryPoints.http.proxyProtocol] +insecure = false +trustedIPs = [ ] + +[entryPoints.http.forwardedHeaders] +insecure = false +trustedIPs = [ ] + +[entryPoints.https.proxyProtocol] +insecure = false +trustedIPs = [ ] + +[entryPoints.https.forwardedHeaders] +insecure = false +trustedIPs = [ ] + +[entrypoints.http.http.redirections.entryPoint] +to="https" +scheme = "https" + +# [entryPoints.traefik] +# address = ":9000" + [certificatesresolvers.letsencrypt.acme] email = 'jade@ellis.link' @@ -16,10 +41,16 @@ storage = "/certificates/acme.json" # - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" # - "--certificatesresolvers.letsencrypt.acme.httpChallenge.entryPoint=http" tlschallenge = true +[tls.options.modern] +minVersion = "VersionTLS13" -[entrypoints.http.http.redirections.entryPoint] -to="https" -scheme = "https" - -[entryPoints.traefik] -address = ":9000" \ No newline at end of file +[tls.options.intermediate] +minVersion = "VersionTLS12" +cipherSuites = [ + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305" +] \ No newline at end of file
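Review bot: The four `proxyProtocol`/`forwardedHeaders` tables with `insecure = false` and `trustedIPs = [ ]` add no protection, and the two `proxyProtocol` ones may stop Traefik from starting: `forwardedHeaders` with no trusted IPs is already the default (client-supplied X-Forwarded-* headers are discarded), while enabling `proxyProtocol` with neither `insecure` nor a trusted list leaves the IP checker with nothing to trust, which in my reading of Traefik is rejected when the entry point is built. Unless a load balancer in front of Traefik really sends PROXY headers, drop `[entryPoints.http.proxyProtocol]` and `[entryPoints.https.proxyProtocol]` with their two keys each; if one does, list its address in `trustedIPs` instead of leaving it empty. The new tables also spell the parent `entryPoints` while the existing ones use `entrypoints`; Traefik's parser is case-insensitive, but to a TOML reader these are two different tables, so one spelling should be used throughout. A short comment on `[entrypoints.https.http3]` such as `# HTTP/3 on UDP 443; traefik.container must publish 443/udp` would tie the option to the port publish it depends on.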
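Review bot: `[tls.options.modern]` and `[tls.options.intermediate]` are Traefik dynamic configuration, but this file is the static configuration passed with `--configFile`, and the static loader rejects unknown top-level fields, so I would expect Traefik to refuse to start with a `field not found, node: tls` style error rather than apply either profile. Move the two tables into a file loaded by the file provider (`[providers.file]` with `filename = "<path-to-dynamic-config>"` in this file) and reference them from routers with `traefik.http.routers.<name>.tls.options=modern@file`, or name one of them `default` so every TLS router picks it up without labels. As written nothing refers to `modern` or `intermediate`, so even if the file did load every router, including the new homepage one, would still use Traefik's built-in TLS options. A comment above `cipherSuites` noting that the list only governs TLS 1.2 handshakes (TLS 1.3 suites are not configurable in Go) would also save a future reader from expecting it to restrict the `modern` profile.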