first working version

2024-05-19 10:21:20 +02:00 · 2024-05-19 10:21:20 +02:00 · 7a8e7eaafb
commit 7a8e7eaafb
3 changed files with 168 additions and 0 deletions
--- a/global/docker-compose.yml
+++ b/global/docker-compose.yml
@ -0,0 +1,77 @@
+services:
+  traefik:
+    image: "traefik:v2.2"
+    container_name: "traefik"
+    restart: always
+    ports:
+      - "80:80"
+      - "443:443"
+      - "8080:8080"
+    volumes:
+      - "letsencrypt:/letsencrypt"
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "${PWD}/traefik.toml:/etc/traefik/traefik.toml"
+      - "${PWD}/dynamic.toml:/etc/traefik/dynamic.toml"
+    networks:
+      - internal
+      - traefik-public
+
+  portainer:
+    image: portainer/portainer-ce:latest
+    command: -H unix:///var/run/docker.sock
+    restart: always
+    ports:
+      - 9000:9000
+      - 8000:8000
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - portainer_data:/data
+    labels:
+      - traefik.enable=true
+      - traefik.http.middlewares.portainer-redirect-websecure.redirectscheme.scheme=https
+      - traefik.http.routers.portainer-web.rule=Host(`portainer.example.com`)
+      - traefik.http.routers.portainer-web.entrypoints=web
+      - traefik.http.routers.portainer-web.middlewares=portainer-redirect-websecure
+      - traefik.http.routers.portainer-websecure.entrypoints=websecure
+      - traefik.http.routers.portainer-websecure.rule=Host(`portainer.example.com`)
+      - traefik.tags= traefik-public
+      - traefik.docker.network=traefik-public
+      - traefik.http.routers.portainer-websecure.tls=true
+      - traefik.http.routers.portainer-websecure.tls.certresolver=myresolver
+      - traefik.http.services.portainer-global.loadbalancer.server.port=9000
+    networks:
+      - internal
+      - traefik-public
+
+  webmin-proxy:
+    image: qoomon/docker-host
+    restart: always
+    cap_add: ["NET_ADMIN", "NET_RAW"]
+    labels:
+      - traefik.enable=true
+      - traefik.http.middlewares.webmin-redirect-websecure.redirectscheme.scheme=https
+      - traefik.http.routers.webmin-web.rule=Host(`webmin.mailneu.herrmann.es`)
+      - traefik.http.routers.webmin-web.entrypoints=web
+      - traefik.http.routers.webmin-web.middlewares=webmin-redirect-websecure
+      - traefik.http.routers.webmin-websecure.entrypoints=websecure
+      - traefik.http.routers.webmin-websecure.rule=Host(`webmin.mailneu.herrmann.es`)
+      - traefik.tags= traefik-public
+      - traefik.docker.network=traefik-public
+      - traefik.http.routers.webmin-websecure.tls=true
+      - traefik.http.routers.webmin-websecure.tls.certresolver=myresolver
+      - traefik.http.services.webmin-global.loadbalancer.server.port=10000
+    networks:
+      - internal
+      - traefik-public
+
+volumes:
+  letsencrypt:
+  portainer_data:
+
+networks:
+  traefik-public:
+    name: traefik-public
+    external: false
+  internal:
+    name: internal
+    external: false
--- a/global/dynamic.toml
+++ b/global/dynamic.toml
@ -0,0 +1,37 @@
+[tls]
+  [tls.options]
+    [tls.options.minTLS12]
+      minVersion = "VersionTLS12"
+      preferServerCipherSuites = true
+      sniStrict = true
+      cipherSuites = [
+        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+        "TLS_AES_128_GCM_SHA256",
+        "TLS_AES_256_GCM_SHA384",
+        "TLS_CHACHA20_POLY1305_SHA256"
+      ]
+      curvePreferences = [
+        "CurveP521",
+        "CurveP384"
+      ]
+
+[http]
+  [http.middlewares]
+    [http.middlewares.secHeaders]
+      [http.middlewares.secHeaders.headers]
+        browserXssFilter= true
+        contentTypeNosniff= true
+        sslRedirect= true
+    #HSTS Configuration
+
+    #Set this to false if you want to exclude subdomains from HSTS
+        stsIncludeSubdomains=true
+
+    #Set this to true if you want to add your domain to the hstspreload list.
+    #This operation is very difficult and time consuming if not impossible to revert.
+    #Make sure you read the explanation and do your research properly.
+        stsPreload= false
+        
+        stsSeconds= 15768000
--- a/global/traefik.toml
+++ b/global/traefik.toml
@ -0,0 +1,54 @@
+[global]
+  checkNewVersion = true
+  sendAnonymousUsage = true
+
+[entryPoints]
+  [entryPoints.web]
+    address = ":80"
+
+  [entryPoints.websecure]
+    address = ":443"
+
+[api]
+  insecure = true
+
+[providers]
+# Enable Docker configuration backend
+  [providers.docker]
+    exposedByDefault = false
+
+# Enable File Provider
+  [providers.file]
+    filename = "/etc/traefik/dynamic.toml"
+
+# Enable ACME (Let's Encrypt): automatic SSL.
+[certificatesResolvers.myresolver.acme]
+
+  # Email address used for registration.
+  #
+  # Required
+  #
+  email = "email@example.com"
+
+  # File or key used for certificates storage.
+  #
+  # Required
+  #
+  storage = "/letsencrypt/acme.json"
+
+  # CA server to use.
+  # Uncomment the line to use Let's Encrypt's staging server,
+  # leave commented to go to prod.
+  #
+  # Optional
+  # Default: "https://acme-v02.api.letsencrypt.org/directory"
+  #
+  # caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
+
+  [certificatesResolvers.myresolver.acme.httpChallenge]
+    # EntryPoint to use for the HTTP-01 challenges.
+    #
+    # Required
+    #
+    entryPoint = "web"
+