From 2deb975dae053d3ae329bd45c16a2c664f0b9aec Mon Sep 17 00:00:00 2001
From: Jake Kasper
Date: Wed, 20 Aug 2025 14:08:02 -0400
Subject: [PATCH] create folders and edgeweb
---
 EdgeWeb/edgeweb-authentik.yaml | 114 ++++++++++++++++++
 EdgeWeb/edgeweb-portainer.yaml | 48 ++++++++
 EdgeWeb/edgeweb-traefik-env.env | 12 ++
 EdgeWeb/edgeweb-traefik.yaml | 173 ++++++++++++++++++++++++++++
 docuseal.yaml => QNAP/docuseal.yaml | 0
 5 files changed, 347 insertions(+)
 create mode 100644 EdgeWeb/edgeweb-authentik.yaml
 create mode 100644 EdgeWeb/edgeweb-portainer.yaml
 create mode 100644 EdgeWeb/edgeweb-traefik-env.env
 create mode 100644 EdgeWeb/edgeweb-traefik.yaml
 rename docuseal.yaml => QNAP/docuseal.yaml (100%)
diff --git a/EdgeWeb/edgeweb-authentik.yaml b/EdgeWeb/edgeweb-authentik.yaml
new file mode 100644
index 0000000..6a9e07a
--- /dev/null
+++ b/EdgeWeb/edgeweb-authentik.yaml
@@ -0,0 +1,114 @@
+services:
+ postgresql:
+ image: docker.io/library/postgres:16-alpine
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -d authentik -U authentik"]
+ start_period: 20s
+ interval: 30s
+ retries: 5
+ timeout: 5s
+ networks:
+ - authentik-net
+ volumes:
+ - /docker/authentik/db:/var/lib/postgresql/data
+ environment:
+ POSTGRES_PASSWORD: authentik
+ POSTGRES_USER: authentik
+ POSTGRES_DB: authentik
+ redis:
+ image: docker.io/library/redis:alpine
+ command: --save 60 1 --loglevel warning
+ restart: unless-stopped
+ networks:
+ - authentik-net
+ healthcheck:
+ test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+ start_period: 20s
+ interval: 30s
+ retries: 5
+ timeout: 3s
+ volumes:
+ - /docker/authentik/redis:/data
+ server:
+ image: ghcr.io/goauthentik/server:2025.6.4
+ restart: unless-stopped
+ command: server
+ environment:
+ AUTHENTIK_SECRET_KEY: F2rRTxbvERKsX2vma8Vq8ABjfierwj4VnvYwiFQ8h64ZPQ3Kx4Ks97mLnE94kyyWBWE4mnByvp9Z
+ AUTHENTIK_REDIS__HOST: redis
+ AUTHENTIK_POSTGRESQL__HOST: postgresql
+ AUTHENTIK_POSTGRESQL__USER: authentik
+ AUTHENTIK_POSTGRESQL__NAME: authentik
+ AUTHENTIK_POSTGRESQL__PASSWORD: authentik
+ AUTHENTIK_EMAIL_HOST: smtp.gmail.com
+ AUTHENTIK_EMAIL_PORT: 587
+ AUTHENTIK_EMAIL_USERNAME: jake@kaspers.us
+ AUTHENTIK_EMAIL_PASSWORD: oqozrafdhnjcihsc
+ AUTHENTIK_EMAIL_USE_TLS: true
+ AUTHENTIK_EMAIL_FROM: authentik@kaspers.us
+ AUTHENTIK_LOG_LEVEL: debug
+ AUTHENTIK_HOST: https://auth.kaspers.us
+ volumes:
+ - /docker/authentik/media:/media
+ - /docker/authentik/templates:/templates
+ - /docker/authentik/blueprints/:/blueprints/
+ ports:
+ - 9001:9000
+ - 9444:9443
+ depends_on:
+ postgresql:
+ condition: service_healthy
+ redis:
+ condition: service_healthy
+ networks:
+ - authentik-net
+ - proxy
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.authentik.rule=Host(`auth.kaspers.us`)" # ⚠️ UPDATE to your domain
+ - "traefik.http.routers.authentik.entrypoints=websecure" # Assumes your HTTP entrypoint is 'web'
+ - "traefik.http.services.authentik.loadbalancer.server.port=9000"
+ - "traefik.http.routers.external.tls=true"
+ - "traefik.docker.network=proxy"
+ - "traefik.constraint=proxy-public"
+ - "traefik.http.middlewares.authentik-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
+ - "traefik.http.routers.authentik.middlewares=authentik-headers@docker"
+ worker:
+ image: ghcr.io/goauthentik/server:2025.6.4
+ restart: unless-stopped
+ command: worker
+ networks:
+ - authentik-net
+ environment:
+ AUTHENTIK_SECRET_KEY: F2rRTxbvERKsX2vma8Vq8ABjfierwj4VnvYwiFQ8h64ZPQ3Kx4Ks97mLnE94kyyWBWE4mnByvp9Z
+ AUTHENTIK_REDIS__HOST: redis
+ AUTHENTIK_POSTGRESQL__HOST: postgresql
+ AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+ AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+ AUTHENTIK_POSTGRESQL__PASSWORD: authentik
+ AUTHENTIK_LOG_LEVEL: debug
+ # `user: root` and the docker socket volume are optional.
+ # See more for the docker socket integration here:
+ # https://goauthentik.io/docs/outposts/integrations/docker
+ # Removing `user: root` also prevents the worker from fixing the permissions
+ # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
+ # (1000:1000 by default)
+ user: root
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - /docker/authentik/certs:/certs
+ - /docker/authentik/media:/media
+ - /docker/authentik/templates:/templates
+ - /docker/authentik/blueprints/:/blueprints/
+ depends_on:
+ postgresql:
+ condition: service_healthy
+ redis:
+ condition: service_healthy
+
+networks:
+ authentik-net:
+ driver: bridge
+ proxy:
+ external: true
\ No newline at end of file
diff --git a/EdgeWeb/edgeweb-portainer.yaml b/EdgeWeb/edgeweb-portainer.yaml
new file mode 100644
index 0000000..c0565e8
--- /dev/null
+++ b/EdgeWeb/edgeweb-portainer.yaml
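Review bot: The `server` and `worker` environment blocks commit live credentials in plaintext — the AUTHENTIK_SECRET_KEY (duplicated in both services), a Gmail app password in AUTHENTIK_EMAIL_PASSWORD and the database password; the same defect is in the edgeweb-traefik.yaml hunk (one Cloudflare token repeated as CLOUDFLARE_DNS_API_TOKEN, CLOUDFLARE_API_KEY and CF_TOKEN) and in the edgeweb-traefik-env.env hunk (ZONE_ID, TUNNEL_TOKEN). Treat every one of them as exposed: rotate them and read them from an untracked env file or Docker secrets, e.g. `AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?set in untracked env file}`. The email settings use a single underscore (`AUTHENTIK_EMAIL_HOST`, …) whereas authentik reads nested settings with a double underscore (`AUTHENTIK_EMAIL__HOST`), so they are most likely ignored, and `AUTHENTIK_EMAIL_USE_TLS: true` is an unquoted YAML boolean that should be the string `"true"`. `traefik.http.routers.external.tls=true` names a router `external` that nothing defines (presumably `authentik` was meant), and `ports: 9001:9000 / 9444:9443` publishes the server on the host directly, bypassing the Traefik router and its `authentik-headers` middleware.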
@@ -0,0 +1,48 @@
+# Docker Compose for Portainer with Traefik Labels
+#
+# This configuration deploys the Portainer Community Edition container
+# and uses Docker labels to integrate it with a running Traefik instance.
+#
+version: '3.8'
+
+services:
+ portainer:
+ image: portainer/portainer-ce:latest
+ container_name: portainer
+ restart: unless-stopped
+ # The command tells Portainer to manage the local Docker environment.
+ command: -H unix:///var/run/docker.sock
+ ports:
+ - 8000:8000/tcp
+ - 9443:9443/tcp
+ volumes:
+ # Mount the Docker socket to allow Portainer to manage containers.
+ - /var/run/docker.sock:/var/run/docker.sock
+ # A named volume for Portainer's persistent data.
+ - /docker/portainer:/data
+ networks:
+ # Connect Portainer to your existing Traefik proxy network.
+ # IMPORTANT: Replace 'proxy' with the actual name of your Traefik network.
+ - proxy
+ labels:
+ traefik.enable: 'true'
+ traefik.docker.network: proxy
+ traefik.http.routers.portainer.rule: Host(`edgeweb.kaspers.us`)
+ traefik.http.routers.portainer.entrypoints: 'websecure'
+ traefik.http.routers.portainer.tls.certresolver: 'letsencrypt'
+ traefik.http.services.portainer.loadbalancer.server.port: '9443'
+ traefik.http.services.portainer.loadbalancer.server.scheme: 'https'
+ traefik.http.routers.portainer.tls: 'true'
+
+ # --- Authentik Middleware (Optional) ---
+ # If you have Authentik configured as a middleware in Traefik,
+ # uncomment the line below to protect the Portainer dashboard.
+ # Replace 'authentik@docker' if your middleware has a different name.
+ # - "traefik.http.routers.portainer.middlewares=authentik@docker"
+
+
+networks:
+ # Define the external network created by your main Traefik stack.
+ # This tells Docker Compose not to create a new network.
+ proxy:
+ external: true
\ No newline at end of file
diff --git a/EdgeWeb/edgeweb-traefik-env.env b/EdgeWeb/edgeweb-traefik-env.env
new file mode 100644
index 0000000..5332a1e
--- /dev/null
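Review bot: The Portainer UI is routed at `edgeweb.kaspers.us` with no authentication middleware in front of it, and `ports:` additionally publishes 8000 and 9443 straight on the host, for a container that mounts the Docker socket — anyone past Portainer's own login holds root-equivalent control of the host. The middleware line kept in the comment is written in sequence form (`- "traefik…=…"`) while `labels:` here is a mapping, so uncommenting it as-is would break the file; once a forward-auth middleware exists, write it as `traefik.http.routers.portainer.middlewares: 'authentik@docker'` and drop the host `ports:` so Traefik is the only way in. The comment `# A named volume for Portainer's persistent data.` describes what is actually a bind mount (`/docker/portainer:/data`), and `portainer/portainer-ce:latest` should be pinned to a version.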
+++ b/EdgeWeb/edgeweb-traefik-env.env
@@ -0,0 +1,12 @@
+ROOT_DOMAIN=kaspers.us
+HTTP_TIMEOUT=60
+POLLING_INTERVAL=10
+PROPAGATION_TIMEOUT=3600
+TTL=300
+PROVIDERS_GOOGLE_CLIENT_ID=
+PROVIDERS_GOOGLE_CLIENT_SECRET=
+SECRET=RandomTextGoesHere
+WHITELIST=
+LOG_LEVEL=INFO
+ZONE_ID=7e2d1b9d7e0f7a5056bfaea28f070ba3
+TUNNEL_TOKEN=eyJhIjoiNmZkNGQyNGRhNDNiNTgyZDY3NjA4ZmZlZjU1NDljNGEiLCJ0IjoiYTUxNjEwNWQtNTI3OC00MTVlLTkxZWQtNjg5ZGFkOWY3MjFiIiwicyI6Ik9HVmxNbU01TW1JdFl6RTJZeTAwWXpRekxXSmpOVE10WTJGbU9UZzNOVEF3WWpKaSJ9
\ No newline at end of file
diff --git a/EdgeWeb/edgeweb-traefik.yaml b/EdgeWeb/edgeweb-traefik.yaml
new file mode 100644
index 0000000..d129636
--- /dev/null
+++ b/EdgeWeb/edgeweb-traefik.yaml
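Review bot: The file is named `edgeweb-traefik-env.env` rather than `.env`, so the `${HTTP_TIMEOUT}`, `${TUNNEL_TOKEN}`, `${ROOT_DOMAIN}` and `${ZONE_ID}` references in edgeweb-traefik.yaml resolve only when the stack is started with `--env-file EdgeWeb/edgeweb-traefik-env.env`; otherwise they expand to empty strings with nothing more than a warning. Marking the required ones as `${TUNNEL_TOKEN:?missing}` in the compose file would turn that silent failure into an error. `PROVIDERS_GOOGLE_CLIENT_ID`, `PROVIDERS_GOOGLE_CLIENT_SECRET`, `WHITELIST` and `SECRET=RandomTextGoesHere` only feed the commented-out traefik-forward-auth service and can be dropped, and a header comment such as `# consumed by EdgeWeb/edgeweb-traefik.yaml via --env-file` would document which stack reads this file.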
@@ -0,0 +1,173 @@
+version: '3.8'
+
+services:
+ reverse-proxy:
+ image: traefik:latest
+ command:
+ - "--log"
+ - "--log.level=debug"
+ - "--log.format=json"
+ - "--api.insecure=true"
+ - "--providers.docker"
+ - "--providers.docker.exposedbydefault=false"
+ - "--providers.file.directory=/config"
+ - "--providers.file.watch=true"
+ - "--serversTransport.insecureSkipVerify=true" # Allow self-signed certificates for target hosts - https://doc.traefik.io/traefik/routing/overview/#insecureskipverify
+ - "--metrics"
+ - "--metrics.prometheus.buckets=0.1,0.3,1.2,5.0"
+ - "--entrypoints.web.address=:80"
+ - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
+ - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
+ - "--entrypoints.websecure.address=:443"
+ - "--entrypoints.websecure.http.tls=true"
+ - "--entrypoints.websecure.http.tls.certresolver=letsencrypt"
+ - "--entrypoints.webinternal.address=:82"
+ - "--certificatesresolvers.letsencrypt.acme.email=kasperj@gmail.com"
+ - "--certificatesresolvers.letsencrypt.acme.storage=/etc/traefik/acme/letsencrypt.json"
+ - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
+ - "--certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=300"
+ - "--certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=8.8.8.8:53"
+ environment:
+ - CLOUDFLARE_DNS_API_TOKEN=n-iAlyJaGKcJwUcbxiIYA6kmxTVPBF_ez-g0fglW
+ - CLOUDFLARE_API_KEY=n-iAlyJaGKcJwUcbxiIYA6kmxTVPBF_ez-g0fglW
+ - CLOUDFLARE_HTTP_TIMEOUT=${HTTP_TIMEOUT}
+ - CLOUDFLARE_POLLING_INTERVAL=${POLLING_INTERVAL}
+ - CLOUDFLARE_PROPAGATION_TIMEOUT=${PROPAGATION_TIMEOUT}
+ - CLOUDFLARE_TTL=${TTL}
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.api.rule=Host(`traefik-api.kaspers.us`)
+ - traefik.http.routers.api.service=api@internal
+ - traefik.http.routers.api.entrypoints=websecure
+ - traefik.http.routers.api.tls=true
+ - traefik.http.services.api.loadbalancer.server.port=8080
+ - traefik.docker.network=proxy
+ - traefik.http.routers.api.tls.certresolver=letsencrypt
+ - traefik.http.routers.dashboard.rule=Host(`traefik.kaspers.us`)
+ - traefik.http.routers.dashboard.entrypoints=web
+ - traefik.http.routers.dashboard.service=api@internal
+ - traefik.http.routers.dashboard.tls=true
+ - traefik.http.routers.dashboard.tls.certresolver=letsencrypt
+ ports:
+ # HTTP
+ - target: 80
+ published: 80
+ # HTTPS
+ - target: 443
+ published: 443
+ # Web UI (enabled by --api.insecure=true)
+ - target: 8080
+ published: 8182
+ networks:
+ - proxy
+ volumes:
+ # So that Traefik can listen to the Docker events
+ - /var/run/docker.sock:/var/run/docker.sock
+ - /docker/traefik/acme:/etc/traefik/acme/
+ - /docker/traefik/origcerts:/etc/traefik/certs/
+ - /docker/traefik:/config
+ - /docker/traefik/cloudflare:/cloudflare
+# traefik-forward-auth:
+# image: thomseddon/traefik-forward-auth:2.1.0
+# networks:
+# - traefik
+# environment:
+# - PROVIDERS_GOOGLE_CLIENT_ID=${PROVIDERS_GOOGLE_CLIENT_ID}
+# - PROVIDERS_GOOGLE_CLIENT_SECRET=${PROVIDERS_GOOGLE_CLIENT_SECRET}
+# - SECRET=${SECRET}
+# - AUTH_HOST=auth.${ROOT_DOMAIN}
+# - COOKIE_DOMAIN=${ROOT_DOMAIN}
+# - WHITELIST=${WHITELIST}
+# deploy:
+# labels:
+# - traefik.enable=true
+# - traefik.docker.network=traefik
+#
+# - traefik.http.routers.auth.rule=Host(`auth.${ROOT_DOMAIN}`)
+# - traefik.http.routers.auth.entrypoints=websecure
+# - traefik.http.routers.auth.tls=true
+# - traefik.http.routers.auth.tls.domains[0].main=${ROOT_DOMAIN}
+# - traefik.http.routers.auth.tls.domains[0].sans=*.${ROOT_DOMAIN}
+# - traefik.http.routers.auth.tls.certresolver=letsencrypt
+# - traefik.http.routers.auth.service=auth@docker
+#
+# - traefik.http.services.auth.loadbalancer.server.port=4181
+#
+# - traefik.http.middlewares.forward-auth.forwardauth.address=http://traefik-forward-auth:4181
+# - traefik.http.middlewares.forward-auth.forwardauth.trustForwardHeader=true
+# - traefik.http.middlewares.forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User
+#
+# - traefik.http.routers.auth.middlewares=forward-auth
+#
+# - traefik.constraint=proxy-public
+
+ tunnel:
+ container_name: cloudflared-tunnel
+ image: cloudflare/cloudflared
+ restart: unless-stopped
+ command: tunnel run
+ networks:
+ - proxy
+ environment:
+ - TUNNEL_TOKEN=${TUNNEL_TOKEN}
+
+ error-pages:
+ image: tarampampam/error-pages:2.26.0
+ environment:
+ TEMPLATE_NAME: l7-dark
+ networks:
+ - proxy
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.docker.network=proxy
+
+ # use as "fallback" for any non-registered services (with priority below normal)
+ - traefik.http.routers.error-pages.rule=HostRegexp(`{host:.+}`)
+ - traefik.http.routers.error-pages.priority=10
+
+ # should say that all of your services work on https
+ - traefik.http.routers.error-pages.tls='true'
+ - traefik.http.routers.error-pages.entrypoints=websecure
+ - traefik.http.routers.error-pages.middlewares=error-pages
+ - traefik.http.services.error-pages.loadbalancer.server.port=8080
+
+ # "errors" middleware settings
+ - traefik.http.middlewares.error-pages.errors.status=400-599
+ - traefik.http.middlewares.error-pages.errors.service=error-pages
+ - traefik.http.middlewares.error-pages.errors.query=/{status}.html
+
+ cloudflare-companion:
+ image: ghcr.io/tiredofit/docker-traefik-cloudflare-companion:latest
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ environment:
+ - TIMEZONE=America/New_York
+ - LOG_TYPE=CONSOLE
+ - LOG_LEVEL=INFO
+ - TRAEFIK_VERSION=2
+ - RC_TYPE=CNAME
+ - TARGET_DOMAIN=a516105d-5278-415e-91ed-689dad9f721b.cfargotunnel.com
+ - DOMAIN1_TARGET_DOMAIN=a516105d-5278-415e-91ed-689dad9f721b.cfargotunnel.com
+ - REFRESH_ENTRIES=TRUE
+ - TRAEFIK_DEFAULT_RULE=FALSE
+ - TRAEFIK_ENABLE_LABEL_ONLY=TRUE
+ - DEFAULT_MODE=SKIP
+ - PURGE_ON_DELETE=TRUE
+ - ENABLE_TRAEFIK_POLL=TRUE
+ - TRAEFIK_POLL_URL=http://reverse-proxy:8080/
+ - TRAEFIK_FILTER_LABEL=traefik.constraint
+ - TRAEFIK_FILTER=proxy-public
+ - DOMAIN1=${ROOT_DOMAIN}
+ - DOMAIN1_ZONE_ID=${ZONE_ID}
+ - DOMAIN1_PROXIED=TRUE
+ - TRAEFIK_EXCLUDED_HOST1=.*
+ - CF_TOKEN=n-iAlyJaGKcJwUcbxiIYA6kmxTVPBF_ez-g0fglW
+ restart: always
+ networks:
+ - proxy
+
+networks:
+ proxy:
+ external: true
\ No newline at end of file
diff --git a/docuseal.yaml b/QNAP/docuseal.yaml
similarity index 100%
rename from docuseal.yaml
rename to QNAP/docuseal.yaml
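Review bot: `--api.insecure=true` combined with `target: 8080 / published: 8182` exposes the Traefik API and dashboard on the host with no authentication, and the `api` and `dashboard` routers that front `api@internal` on `traefik-api.kaspers.us` / `traefik.kaspers.us` carry no auth middleware either (the `dashboard` router also sits on the `web` entrypoint, which only redirects). Remove the insecure flag and the 8182 publish, and put a forwardAuth or basicauth middleware on both routers, e.g. `- traefik.http.routers.api.middlewares=<auth-middleware>@docker`. Note that these labels, and those of `error-pages`, sit under `deploy.labels`; unless the stack is deployed to Swarm, Compose does not apply `deploy.labels` to containers, so the Docker provider will not see any of these routers — move them to a service-level `labels:` key. `--serversTransport.insecureSkipVerify=true` and `--log.level=debug` are global settings that should not remain in a production stack, and `traefik:latest` is unpinned while the `HostRegexp` rule still uses the Traefik v2 `{host:.+}` form that v3 does not accept and `traefik.http.routers.error-pages.tls='true'` carries literal quotes in the label value.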