
Remove remaining references to oauth-proxy (we now have traefik-forward-auth instead!)

This commit is contained in:
Benjamin Durham
2021-10-25 15:47:50 +13:00
committed by GitHub
parent f5b1facdd2
commit 5411b1b173
31 changed files with 437 additions and 445 deletions


@@ -67,33 +67,29 @@ services:
volumes:
- /var/data/runtime/bookstack/db:/var/lib/mysql
proxy:
image: a5huynh/oauth2_proxy
env_file : /var/data/config/bookstack/bookstack.env
networks:
- internal
- traefik_public
deploy:
labels:
- traefik.frontend.rule=Host:bookstack.example.com
- traefik.docker.network=traefik_public
- traefik.port=4180
volumes:
- /var/data/config/bookstack/authenticated-emails.txt:/authenticated-emails.txt
command: |
-cookie-secure=false
-upstream=http://app
-redirect-url=https://bookstack.example.com
-http-address=http://0.0.0.0:4180
-email-domain=example.com
-provider=github
-authenticated-emails-file=/authenticated-emails.txt
app:
image: solidnerd/bookstack
env_file: /var/data/config/bookstack/bookstack.env
networks:
- internal
- traefik_public
deploy:
labels:
# traefik common
- traefik.enable=true
- traefik.docker.network=traefik_public
# traefikv1
- traefik.frontend.rule=Host:bookstack.example.com
- traefik.port=4180
# traefikv2
- "traefik.http.routers.bookstack.rule=Host(`bookstack.example.com`)"
- "traefik.http.services.bookstack.loadbalancer.server.port=4180"
- "traefik.enable=true"
# Remove if you wish to access the URL directly
- "traefik.http.routers.bookstack.middlewares=forward-auth@file"
db-backup:
image: mariadb:10
@@ -134,6 +130,6 @@ Launch the BookStack stack by running ```docker stack deploy bookstack -c <path
Log into your new instance at https://**YOUR-FQDN**, authenticate with oauth_proxy, and then login with username 'admin@admin.com' and password 'password'.
[^1]: If you wanted to expose the BookStack UI directly, you could remove the oauth2_proxy from the design, and move the traefik_public-related labels directly to the bookstack container. You'd also need to add the traefik_public network to the bookstack container.
[^1]: If you wanted to expose the Bookstack UI directly, you could remove the traefik-forward-auth from the design.
--8<-- "recipe-footer.md"
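Review bot: The new labels on the `app` service still send Traefik to port 4180 — `traefik.port=4180` and `"traefik.http.services.bookstack.loadbalancer.server.port=4180"` — but 4180 was the listening port of the oauth2_proxy container this commit removes; the removed `-upstream=http://app` line implies BookStack itself answers on 80, so both labels should presumably read `80`, as the other recipes in this commit reuse the former upstream port. The traefikv1 labels also lose authentication entirely: the proxy is gone and only the v2 router gets `forward-auth@file`, so a v1 deployment now publishes the UI with no auth step at all — the komga recipe's `traefik.frontend.auth.forward.*` labels show the v1 form, and the same gap is present in the calibre-web, elkarbackup, gollum, grafana, munin, LDAP Account Manager and owntracks sections. The unchanged "Serving" paragraph in the second hunk still tells the reader to "authenticate with oauth_proxy".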


@@ -39,18 +39,14 @@ Ensure that your Calibre library is accessible to the swarm (_i.e., exists on sh
### Prepare environment
We'll use an [oauth-proxy](/reference/oauth_proxy/) to protect the UI from public access, so create calibre-web.env, and populate with the following variables:
Create `/var/data/config/calibre-web/calibre-web.env`, and populate with the following variables
```bash
OAUTH2_PROXY_CLIENT_ID=
OAUTH2_PROXY_CLIENT_SECRET=
OAUTH2_PROXY_COOKIE_SECRET=<make this a random string>
PUID=
PGID=
```
Follow the [instructions](https://github.com/bitly/oauth2_proxy) to setup your oauth provider. You need to setup a unique key/secret for each instance of the proxy you want to run, since in each case the callback URL will differ.
### Setup Docker Swarm
Create a docker swarm config file in docker-compose syntax (v3), something like this:
@@ -67,31 +63,26 @@ services:
volumes:
- /var/data/calibre-web:/config
- /srv/data/Archive/Ebooks/calibre:/books
networks:
- internal
proxy:
image: a5huynh/oauth2_proxy
env_file : /var/data/config/calibre-web/calibre-web.env
dns_search: hq.example.com
networks:
- internal
- traefik_public
deploy:
labels:
- traefik.frontend.rule=Host:calibre-web.example.com
# traefik common
- traefik.enable=true
- traefik.docker.network=traefik_public
- traefik.port=4180
volumes:
- /var/data/config/calibre-web/authenticated-emails.txt:/authenticated-emails.txt
command: |
-cookie-secure=false
-upstream=http://app:8083
-redirect-url=https://calibre-web.example.com
-http-address=http://0.0.0.0:4180
-email-domain=example.com
-provider=github
-authenticated-emails-file=/authenticated-emails.txt
# traefikv1
- traefik.frontend.rule=Host:calibre.example.com
- traefik.port=8083
# traefikv2
- "traefik.http.routers.calibre.rule=Host(`calibre.example.com`)"
- "traefik.http.services.calibre.loadbalancer.server.port=8083"
- "traefik.enable=true"
# Remove if you wish to access the URL directly
- "traefik.http.routers.calibre.middlewares=forward-auth@file"
networks:
traefik_public:
@@ -111,7 +102,7 @@ networks:
Launch the Calibre-Web stack by running ```docker stack deploy calibre-web -c <path -to-docker-compose.yml>```
Log into your new instance at https://**YOUR-FQDN**. You'll be directed to the initial GUI configuraition. Set the first field (_Location of Calibre database_) to "_/books/_", and when complete, login using defaults username of "**admin**" with password "**admin123**".
Log into your new instance at `https://**YOUR-FQDN**`. You'll be directed to the initial GUI configuraition. Set the first field (_Location of Calibre database_) to "_/books/_", and when complete, login using defaults username of "**admin**" with password "**admin123**".
[^1]: Yes, Calibre does provide a server component. But it's not as fully-featured as Calibre-Web (_i.e., you can't use it to send ebooks directly to your Kindle_)
[^2]: A future enhancement might be integrating this recipe with the filestore for [NextCloud](/recipes/nextcloud/), so that the desktop database (Calibre) can be kept synced with Calibre-Web.
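Review bot: The `app` service's `networks:` list at the top of the compose hunk shows only `internal`, and the `traefik_public` membership visible below it belonged to the removed `proxy` service; unless the new side also adds `- traefik_public` under `app` (the rendered hunk does not make this certain), Traefik has no path to port 8083 and the new labels route nowhere. Worth confirming against the rendered file; if it is missing, the fix is one line, `- traefik_public`, appended to `app`'s network list. The router and host were also renamed from `calibre-web` to `calibre`, which works but no longer matches the `calibre-web.env` path and the stack name used in the serving paragraph.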


@@ -170,10 +170,20 @@ services:
- traefik_public
deploy:
labels:
- traefik.frontend.rule=Host:collabora.batcave.com
# traefik common
- traefik.enable=true
- traefik.docker.network=traefik_public
# traefikv1
- traefik.frontend.rule=Host:collabora.example.com
- traefik.port=80
- traefik.frontend.passHostHeader=true
# traefikv2
- "traefik.http.routers.collabora.rule=Host(`collabora.example.com`)"
- "traefik.http.services.collabora.loadbalancer.server.port=80"
- "traefik.enable=true"
# uncomment this line if you want to force nginx to always run on one node (i.e., the one running collabora)
#placement:
# constraints:


@@ -46,11 +46,6 @@ TZ='Etc/UTC'
# For mysql
MYSQL_ROOT_PASSWORD=password
#oauth2_proxy
OAUTH2_PROXY_CLIENT_ID=
OAUTH2_PROXY_CLIENT_SECRET=
OAUTH2_PROXY_COOKIE_SECRET=
```
Create ```/var/data/config/elkarbackup/elkarbackup-db-backup.env```, and populate with the following, to setup the nightly database dump.
@@ -113,33 +108,30 @@ services:
env_file: /var/data/config/elkarbackup/elkarbackup.env
networks:
- internal
- traefik_public
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/data/:/var/data
- /var/data/elkarbackup/backups:/app/backups
- /var/data/elkarbackup/uploads:/app/uploads
- /var/data/elkarbackup/sshkeys:/app/.ssh
deploy:
labels:
# traefik common
- traefik.enable=true
- traefik.docker.network=traefik_public
proxy:
image: funkypenguin/oauth2_proxy
env_file: /var/data/config/elkarbackup/elkarbackup.env
networks:
- traefik_public
- internal
deploy:
labels:
- traefik.frontend.rule=Host:elkarbackup.example.com
- traefik.port=4180
volumes:
- /var/data/config/traefik/authenticated-emails.txt:/authenticated-emails.txt
command: |
-cookie-secure=false
-upstream=http://app:80
-redirect-url=https://elkarbackup.example.com
-http-address=http://0.0.0.0:4180
-email-domain=example.com
-provider=github
-authenticated-emails-file=/authenticated-emails.txt
# traefikv1
- traefik.frontend.rule=Host:elkarbackup.example.com
- traefik.port=80
# traefikv2
- "traefik.http.routers.elkarbackup.rule=Host(`elkarbackup.example.com`)"
- "traefik.http.services.elkarbackup.loadbalancer.server.port=80"
- "traefik.enable=true"
# Remove if you wish to access the URL directly
- "traefik.http.routers.elkarbackup.middlewares=forward-auth@file"
networks:
traefik_public:
@@ -228,7 +220,7 @@ To restore files form a job, click on the "Restore" button in the WebUI, while o
This takes you to a list of backup names and file paths. You can choose to download the entire contents of the backup from your browser as a .tar.gz, or to restore the backup to the client. If you click on the **name** of the backup, you can also drill down into the file structure, choosing to restore a single file or directory.
[^1]: If you wanted to expose the ElkarBackup UI directly, you could remove the oauth2_proxy from the design, and move the traefik_public-related labels directly to the app service. You'd also need to add the traefik_public network to the app service.
[^1]: If you wanted to expose the ElkarBackup UI directly, you could remove the traefik-forward-auth from the design.
[^2]: The original inclusion of ElkarBackup was due to the efforts of @gpulido in our [Discord server](http://chat.funkypenguin.co.nz). Thanks Gabriel!
--8<-- "recipe-footer.md"


@@ -49,23 +49,26 @@ services:
- /srv/data/:/data
deploy:
labels:
- traefik.frontend.rule=Host:emby.example.com
# traefik common
- traefik.enable=true
- traefik.docker.network=traefik_public
- traefik.port=8096
# traefikv1
- traefik.frontend.rule=Host:emby.example.com
- traefik.port=8096
# traefikv2
- "traefik.http.routers.emby.rule=Host(`emby.example.com`)"
- "traefik.http.services.emby.loadbalancer.server.port=8096"
- "traefik.enable=true"
networks:
- traefik_public
- internal
ports:
- 8096:8096
networks:
traefik_public:
external: true
internal:
driver: overlay
ipam:
config:
- subnet: 172.16.17.0/24
```
--8<-- "reference-networks.md"


@@ -39,9 +39,18 @@ services:
- traefik_public
deploy:
labels:
# traefik common
- traefik.enable=true
- traefik.docker.network=traefik_public
# traefikv1
- traefik.frontend.rule=Host:ghost.example.com
- traefik.docker.network=traefik
- traefik.port=2368
- traefik.port=2368
# traefikv2
- "traefik.http.routers.ghost.rule=Host(`ghost.example.com`)"
- "traefik.http.services.ghost.loadbalancer.server.port=2368"
- "traefik.enable=true"
networks:
traefik_public:


@@ -80,13 +80,22 @@ services:
image: sameersbn/gitlab:latest
env_file: /var/data/config/gitlab/gitlab.env
networks:
- internal
- traefik_public
- internal
- traefik_public
deploy:
labels:
# traefik common
- traefik.enable=true
- traefik.docker.network=traefik_public
# traefikv1
- traefik.frontend.rule=Host:gitlab.example.com
- traefik.docker.network=traefik
- traefik.port=80
# traefikv2
- "traefik.http.routers.gitlab.rule=Host(`gitlab.example.com`)"
- "traefik.http.services.gitlab.loadbalancer.server.port=80"
- "traefik.enable=true"
restart_policy:
delay: 10s
max_attempts: 10


@@ -29,7 +29,7 @@ As you'll note in the (_real world_) screenshot above, my requirements for a per
Gollum meets all these requirements, and as an added bonus, is extremely fast and lightweight.
!!! note
Since Gollum itself offers no user authentication, this design secures gollum behind an [oauth2 proxy](/reference/oauth_proxy/), so that in order to gain access to the Gollum UI at all, oauth2 authentication (_to GitHub, GitLab, Google, etc_) must have already occurred.
Since Gollum itself offers no user authentication, this design secures gollum behind [traefik-forward-auth](/ha-docker-swarm/traefik-forward-auth/), so that in order to gain access to the Gollum UI at all, authentication must have already occurred.
--8<-- "recipe-standard-ingredients.md"
@@ -40,20 +40,11 @@ Gollum meets all these requirements, and as an added bonus, is extremely fast an
We'll need an empty git repository in /var/data/gollum for our data:
```bash
mkdir /var/data/gollum
cd /var/data/gollum
git init
```
### Prepare environment
1. Choose an oauth provider, and obtain a client ID and secret
2. Create gollum.env, and populate with the following variables (_you can make the cookie secret whatever you like_)
```bash
OAUTH2_PROXY_CLIENT_ID=
OAUTH2_PROXY_CLIENT_SECRET=
OAUTH2_PROXY_COOKIE_SECRET=
```
### Setup Docker Swarm
@@ -70,34 +61,30 @@ services:
image: dakue/gollum
volumes:
- /var/data/gollum:/gollum
networks:
- internal
command: |
--allow-uploads
--emoji
--user-icons gravatar
proxy:
image: a5huynh/oauth2_proxy
env_file : /var/data/config/gollum/gollum.env
networks:
- internal
- traefik_public
deploy:
labels:
- traefik.frontend.rule=Host:gollum.example.com
# traefik common
- traefik.enable=true
- traefik.docker.network=traefik_public
- traefik.port=4180
volumes:
- /var/data/config/gollum/authenticated-emails.txt:/authenticated-emails.txt
# traefikv1
- traefik.frontend.rule=Host:gollum.example.com
- traefik.port=4567
# traefikv2
- "traefik.http.routers.gollum.rule=Host(`gollum.example.com`)"
- "traefik.http.services.gollum.loadbalancer.server.port=4567"
- "traefik.enable=true"
# Remove if you wish to access the URL directly
- "traefik.http.routers.wekan.middlewares=forward-auth@file"
command: |
-cookie-secure=false
-upstream=http://app:4567
-redirect-url=https://gollum.example.com
-http-address=http://0.0.0.0:4180
-email-domain=example.com
-provider=github
-authenticated-emails-file=/authenticated-emails.txt
--allow-uploads
--emoji
--user-icons gravatar
networks:
traefik_public:
@@ -117,8 +104,6 @@ networks:
Launch the Gollum stack by running ```docker stack deploy gollum -c <path-to-docker-compose.yml>```
Authenticate against your OAuth provider, and then start editing your wiki!
[^1]: In the current implementation, Gollum is a "single user" tool only. The contents of the wiki are saved as markdown files under /var/data/gollum, and all the git commits are currently "Anonymous"
--8<-- "recipe-footer.md"
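Review bot: The forward-auth middleware is attached to the wrong router: the new label reads `"traefik.http.routers.wekan.middlewares=forward-auth@file"` while the router defined two lines above it is `gollum`, so Traefik applies the middleware to a router named `wekan` (which has no rule in this file) and the `gollum` router serves the wiki with no authentication at all — the opposite of what the `# Remove if you wish to access the URL directly` comment promises. It should read `"traefik.http.routers.gollum.middlewares=forward-auth@file"`. The munin section of this commit carries the same copy-paste, `routers.wekan` where `routers.munin` is meant. Since Gollum has no authentication of its own (as the note at the top of the recipe says), this one label is the only thing between the public and a writable wiki.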


@@ -36,9 +36,6 @@ Create /var/data/config/homeassistant/grafana.env, and populate with the followi
```bash
GF_AUTH_BASIC_ENABLED=false
OAUTH2_PROXY_CLIENT_ID=
OAUTH2_PROXY_CLIENT_SECRET=
OAUTH2_PROXY_COOKIE_SECRET=
```
### Setup Docker Swarm
@@ -67,9 +64,18 @@ services:
- /etc/localtime:/etc/localtime:ro
deploy:
labels:
- traefik.frontend.rule=Host:homeassistant.example.com
# traefik common
- traefik.enable=true
- traefik.docker.network=traefik_public
- traefik.port=8123
# traefikv1
- traefik.frontend.rule=Host:homeassistant.example.com
- traefik.port=8123
# traefikv2
- "traefik.http.routers.homeassistant.rule=Host(`homeassistant.example.com`)"
- "traefik.http.services.homeassistant.loadbalancer.server.port=8123"
- "traefik.enable=true"
networks:
- traefik_public
- internal
@@ -84,29 +90,24 @@ services:
- /etc/localtime:/etc/localtime:ro
networks:
- internal
grafana-proxy:
image: a5huynh/oauth2_proxy
env_file : /var/data/config/homeassistant/grafana.env
dns_search: hq.example.com
networks:
- internal
- traefik_public
deploy:
labels:
- traefik.frontend.rule=Host:grafana.example.com
# traefik common
- traefik.enable=true
- traefik.docker.network=traefik_public
- traefik.port=4180
volumes:
- /var/data/config/homeassistant/authenticated-emails.txt:/authenticated-emails.txt
command: |
-cookie-secure=false
-upstream=http://grafana-app:3000
-redirect-url=https://grafana.example.com
-http-address=http://0.0.0.0:4180
-email-domain=example.com
-provider=github
-authenticated-emails-file=/authenticated-emails.txt
# traefikv1
- traefik.frontend.rule=Host:grafana.example.com
- traefik.port=3000
# traefikv2
- "traefik.http.routers.grafana.rule=Host(`grafana.example.com`)"
- "traefik.http.services.grafana.loadbalancer.server.port=3000"
- "traefik.enable=true"
# Remove if you wish to access the URL directly
- "traefik.http.routers.grafana.middlewares=forward-auth@file"
networks:
traefik_public:
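Review bot: The grafana labels in the second hunk now hang off `grafana-app`, but that service's `networks:` list at the top of the hunk shows only `internal`; the `traefik_public` entry further down belonged to the removed `grafana-proxy`. If the new side does not add `- traefik_public` to `grafana-app` (the rendered hunk leaves this uncertain), Traefik cannot reach port 3000 and the `grafana.example.com` router fails. If it is missing, the fix is one line, `- traefik_public`, under `grafana-app`'s `networks:`.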


@@ -58,23 +58,27 @@ services:
- /srv/data/:/data
deploy:
labels:
- traefik.frontend.rule=Host:jellyfin.example.com
# traefik common
- traefik.enable=true
- traefik.docker.network=traefik_public
- traefik.port=8096
# traefikv1
- traefik.frontend.rule=Host:jellyfin.example.com
- traefik.port=8096
# traefikv2
- "traefik.http.routers.jellyfin.rule=Host(`jellyfin.example.com`)"
- "traefik.http.services.jellyfin.loadbalancer.server.port=8096"
- "traefik.enable=true"
networks:
- traefik_public
- internal
ports:
- 8096:8096
networks:
traefik_public:
external: true
internal:
driver: overlay
ipam:
config:
- subnet: 172.16.57.0/24
```
--8<-- "reference-networks.md"


@@ -33,17 +33,6 @@ Create the location for the bind-mount of the application data, so that it's per
mkdir -p /var/data/kanboard
```
### Setup Environment
If you intend to use an [OAuth proxy](/reference/oauth_proxy/) to further secure public access to your instance, create a ```kanboard.env``` file to hold your environment variables, and populate with your OAuth provider's details (_the cookie secret you can just make up_):
```bash
# If you decide to protect kanboard with an oauth_proxy, complete these
OAUTH2_PROXY_CLIENT_ID=
OAUTH2_PROXY_CLIENT_SECRET=
OAUTH2_PROXY_COOKIE_SECRET=
```
### Setup Docker Swarm
Create a docker swarm config file in docker-compose syntax (v3), something like this:
@@ -59,43 +48,25 @@ services:
volumes:
- /var/data/kanboard:/var/www/app/
networks:
- internal
- traefik_public
deploy:
labels:
- traefik.frontend.rule=Host:kanboard.example.com
# traefik common
- traefik.enable=true
- traefik.docker.network=traefik_public
- traefik.port=80
proxy:
image: a5huynh/oauth2_proxy
env_file : /var/data/config/kanboard/kanboard.env
networks:
- internal
- traefik_public
deploy:
labels:
- traefik.frontend.rule=Host:kanboard.example.com
- traefik.docker.network=traefik_public
- traefik.port=4180
volumes:
- /var/data/config/kanboard/authenticated-emails.txt:/authenticated-emails.txt
command: |
-cookie-secure=false
-upstream=http://app
-redirect-url=https://kanboard.example.com
-http-address=http://0.0.0.0:4180
-email-domain=example.com
-provider=github
-authenticated-emails-file=/authenticated-emails.txt
# traefikv1
- traefik.frontend.rule=Host:kanboard.example.com
- traefik.port=80
# traefikv2
- "traefik.http.routers.kanboard.rule=Host(`kanboard.example.com`)"
- "traefik.http.services.kanboard.loadbalancer.server.port=80"
- "traefik.enable=true"
networks:
traefik_public:
external: true
internal:
driver: overlay
ipam:
config:
- subnet: 172.16.8.0/24
```
## Serving
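Review bot: Unlike the other recipes in this commit, the rewritten `app` labels attach no `forward-auth@file` middleware, so once the proxy is removed Kanboard is published with only its own login form in front of it. The previous prose treated the OAuth proxy as optional, so this may be intended, but the recipe no longer says so anywhere; either add `# Remove if you wish to access the URL directly` and `- "traefik.http.routers.kanboard.middlewares=forward-auth@file"` after the `traefik.enable=true` label for consistency with the other recipes, or state in the prose that Kanboard is exposed directly.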


@@ -76,10 +76,20 @@ services:
- internal
deploy:
labels:
- traefik.frontend.rule=Host:keycloak.batcave.com
- traefik.port=8080
# traefik common
- traefik.enable=true
- traefik.docker.network=traefik_public
# traefikv1
- traefik.frontend.rule=Host:keycloak.example.com
- traefik.port=8080
# traefikv2
- "traefik.http.routers.keycloak.rule=Host(`keycloak.example.com`)"
- "traefik.http.services.keycloak.loadbalancer.server.port=8080"
- "traefik.enable=true"
keycloak-db:
env_file: /var/data/config/keycloak/keycloak.env
image: postgres:10.1


@@ -44,13 +44,21 @@ services:
deploy:
replicas: 1
labels:
# traefik common
- traefik.enable=true
- traefik.frontend.rule=Host:komga.example.com
- traefik.port=8080
- traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181
- traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
- traefik.frontend.auth.forward.trustForwardHeader=true
- traefik.docker.network=traefik_public
# traefikv1
- traefik.frontend.rule=Host:komga.example.com
- traefik.port=8080
# traefikv2
- "traefik.http.routers.komga.rule=Host(`komga.example.com`)"
- "traefik.http.services.komga.loadbalancer.server.port=8080"
- "traefik.enable=true"
# Remove if you wish to access the URL directly
- "traefik.http.routers.komga.middlewares=forward-auth@file"
networks:
- traefik_public


@@ -139,9 +139,18 @@ services:
- traefik_public
deploy:
labels:
- traefik.frontend.rule=Host:rainloop.example.com
# traefik common
- traefik.enable=true
- traefik.docker.network=traefik_public
- traefik.port=8888
# traefikv1
- traefik.frontend.rule=Host:rainloop.example.com
- traefik.port=8888
# traefikv2
- "traefik.http.routers.rainloop.rule=Host(`rainloop.example.com`)"
- "traefik.http.services.rainloop.loadbalancer.server.port=8888"
- "traefik.enable=true"
volumes:
- /var/data/mailserver/rainloop:/rainloop/data


@@ -82,10 +82,19 @@ services:
- traefik_public
deploy:
labels:
- traefik.frontend.rule=Host:miniflux.example.com
- traefik.port=8080
# traefik common
- traefik.enable=true
- traefik.docker.network=traefik_public
# traefikv1
- traefik.frontend.rule=Host:miniflux.example.com
- traefik.port=8080
# traefikv2
- "traefik.http.routers.miniflux.rule=Host(`miniflux.example.com`)"
- "traefik.http.services.miniflux.loadbalancer.server.port=8080"
- "traefik.enable=true"
miniflux-db:
env_file: /var/data/config/miniflux/miniflux.env
image: postgres:10.1


@@ -45,7 +45,6 @@ MINIO_SERVER_URL=https://minio.example.com
!!! note "If minio redirects you to :9001"
`MINIO_BROWSER_REDIRECT_URL` is especially important since recent versions of Minio will redirect web browsers to this URL when they hit the API directly. (*If you find yourself redirected to `http://your-minio-url:9001`, then you've not set this value correctly!*)
### Setup Docker Swarm
Create a docker swarm config file in docker-compose syntax (v3), something like this:
@@ -110,15 +109,15 @@ networks:
### Launch Minio stack
Launch the Minio stack by running ```docker stack deploy minio -c <path -to-docker-compose.yml>```
Launch the Minio stack by running ``docker stack deploy minio -c <path -to-docker-compose.yml>`
Log into your new instance at https://minio-console.**YOUR-FQDN**, with the root user and password you specified in `minio.env`.
Log into your new instance at `https://minio-console.**YOUR-FQDN**`, with the root user and password you specified in `minio.env`.
If you created ```/var/data/minio```, you'll see nothing. If you mapped `/data` to existing data, you should see all subdirectories in your existing folder represented as buckets.
If you created `/var/data/minio`, you'll see nothing. If you mapped `/data` to existing data, you should see all subdirectories in your existing folder represented as buckets.
Use the Minio console to create a user, or (*ill-advisedly*) continue using the root user/password!
If all you need is single-user access to your data, you're done! 🎉
If all you need is single-user access to your data, you're done! 🎉
If, however, you want to expose data to multiple users, at different privilege levels, you'll need the minio client to create some users and (_potentially_) policies...
@@ -193,7 +192,7 @@ aws_access_key_id=spiderman
aws_secret_access_key=peterparker
```
And then I ran (_in the foreground, for debugging_), ```goofys --f -debug_s3 --debug_fuse --endpoint=https://traefik.example.com <bucketname> <local mount point>```
And then I ran (_in the foreground, for debugging_), `goofys --f -debug_s3 --debug_fuse --endpoint=https://traefik.example.com <bucketname> <local mount point>`
To permanently mount an S3 bucket using goofys, I'd add something like this to /etc/fstab:
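Review bot: The rewritten "Launch the Minio stack" line has unbalanced backticks: it opens the `docker stack deploy minio ...` command with two backticks and closes it with one, so the command will not render as inline code. It should use a single backtick on each side, as the rewritten goofys line in the last hunk does.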


@@ -45,13 +45,9 @@ mkdir -p {log,lib,run,cache}
### Prepare environment
Create /var/data/config/munin/munin.env, and populate with the following variables. Use the OAUTH2 variables if you plan to use an [oauth2_proxy](/reference/oauth_proxy/) to protect munin, and set at a **minimum** the `MUNIN_USER`, `MUNIN_PASSWORD`, and `NODES` values:
Create /var/data/config/munin/munin.env, and populate with the following variables. Set at a **minimum** the `MUNIN_USER`, `MUNIN_PASSWORD`, and `NODES` values:
```bash
# Use these if you plan to protect the webUI with an oauth_proxy
OAUTH2_PROXY_CLIENT_ID=
OAUTH2_PROXY_CLIENT_SECRET=
OAUTH2_PROXY_COOKIE_SECRET=
MUNIN_USER=odin
MUNIN_PASSWORD=lokiisadopted
@@ -83,40 +79,33 @@ services:
image: funkypenguin/munin-server
env_file: /var/data/config/munin/munin.env
networks:
- internal
- traefik_public
volumes:
- /var/data/munin/log:/var/log/munin
- /var/data/munin/lib:/var/lib/munin
- /var/data/munin/run:/var/run/munin
- /var/data/munin/cache:/var/cache/munin
proxy:
image: funkypenguin/oauth2_proxy
env_file: /var/data/config/munin/munin.env
networks:
- traefik_public
- internal
deploy:
labels:
# traefik common
- traefik.enable=true
- traefik.docker.network=traefik_public
# traefikv1
- traefik.frontend.rule=Host:munin.example.com
- traefik.docker.network=traefik
- traefik.port=4180
command: |
-cookie-secure=false
-upstream=http://munin:8080
-redirect-url=https://munin.example.com
-http-address=http://0.0.0.0:4180
-email-domain=example.com
-provider=github
- traefik.port=8080
# traefikv2
- "traefik.http.routers.munin.rule=Host(`munin.example.com`)"
- "traefik.http.services.munin.loadbalancer.server.port=8080"
- "traefik.enable=true"
# Remove if you wish to access the URL directly
- "traefik.http.routers.wekan.middlewares=forward-auth@file"
networks:
traefik_public:
external: true
internal:
driver: overlay
ipam:
config:
- subnet: 172.16.24.0/24
```
--8<-- "reference-networks.md"
@@ -129,6 +118,6 @@ Launch the Munin stack by running `docker stack deploy munin -c <path -to-docker
Log into your new instance at https://**YOUR-FQDN**, with user and password password you specified in munin.env above.
[^1]: If you wanted to expose the Munin UI directly, you could remove the oauth2_proxy from the design, and move the traefik-related labels directly to the munin container. You'd also need to add the traefik_public network to the munin container.
[^1]: If you wanted to expose the Munin UI directly, you could remove the traefik-forward-auth from the design.
--8<-- "recipe-footer.md"


@@ -78,9 +78,19 @@ services:
- traefik_public
deploy:
labels:
- traefik.frontend.rule=Host:nextcloud.example.com
- traefik.docker.network=traefik_public
- traefik.port=80
# traefik common
- traefik.enable=true
- traefik.docker.network=traefik_public
# traefikv1
- traefik.frontend.rule=Host:nextcloud.example.com
- traefik.port=80
# traefikv2
- "traefik.http.routers.nextcloud.rule=Host(`nextcloud.example.com`)"
- "traefik.http.services.nextcloud.loadbalancer.server.port=80"
- "traefik.enable=true"
volumes:
- /var/data/nextcloud/html:/var/www/html
- /var/data/nextcloud/apps:/var/www/html/custom_apps


@@ -47,18 +47,8 @@ LDAP_DOMAIN=batcave.gotham
LDAP_ORGANISATION=BatCave Inc
LDAP_ADMIN_PASSWORD=supermansucks
LDAP_TLS=false
# Use these if you plan to protect the LDAP Account Manager webUI with an oauth_proxy
OAUTH2_PROXY_CLIENT_ID=
OAUTH2_PROXY_CLIENT_SECRET=
OAUTH2_PROXY_COOKIE_SECRET=
```
!!! note
I use an [OAuth proxy](/reference/oauth_proxy/) to protect access to the web UI, when the sensitivity of the protected data (i.e. my authentication store) warrants it, or if I don't necessarily trust the security of the webUI.
Create ```authenticated-emails.txt```, and populate with the email addresses (_matched to GitHub user accounts, in my case_) to which you want grant access, using OAuth2.
### Create config.cfg
The Dockerized version of LDAP Account Manager is a little fiddly. In order to maintain a config file which persists across container restarts, we need to present the container with a copy of /var/www/html/config/lam.conf, tweaked for our own requirements.
@@ -339,38 +329,38 @@ services:
image: osixia/openldap
env_file: /var/data/config/openldap/openldap.env
networks:
- traefik_public
- auth_internal
- traefik_public
- auth_internal
volumes:
- /var/data/runtime/openldap/:/var/lib/ldap
- /var/data/openldap/openldap/:/etc/ldap/slapd.d
- /var/data/runtime/openldap/:/var/lib/ldap
- /var/data/openldap/openldap/:/etc/ldap/slapd.d
lam:
image: jacksgt/ldap-account-manager
networks:
- auth_internal
volumes:
- /var/data/openldap/lam/config/config.cfg:/var/www/html/config/config.cfg
- /var/data/openldap/lam/config/batcave.conf:/var/www/html/config/batcave.conf
lam-proxy:
image: funkypenguin/oauth2_proxy
env_file: /var/data/config/openldap/openldap.env
networks:
- traefik_public
- auth_internal
- traefik_public
volumes:
- /var/data/openldap/lam/config/config.cfg:/var/www/html/config/config.cfg
- /var/data/openldap/lam/config/batcave.conf:/var/www/html/config/batcave.conf
deploy:
labels:
- traefik.frontend.rule=Host:lam.batcave.com
# traefik common
- traefik.enable=true
- traefik.docker.network=traefik_public
- traefik.port=4180
command: |
-cookie-secure=false
-upstream=http://lam:8080
-redirect-url=https://lam.batcave.com
-http-address=http://0.0.0.0:4180
-email-domain=batcave.com
-provider=github
# traefikv1
- traefik.frontend.rule=Host:iam.example.com
- traefik.port=8080
# traefikv2
- "traefik.http.routers.iam.rule=Host(`iam.example.com`)"
- "traefik.http.services.iam.loadbalancer.server.port=8080"
- "traefik.enable=true"
# Remove if you wish to access the URL directly
- "traefik.http.routers.iam.middlewares=forward-auth@file"
networks:


@@ -30,10 +30,6 @@ mkdir /var/data/owntracks
Create owntracks.env, and populate with the following variables
```bash
OAUTH2_PROXY_CLIENT_ID=
OAUTH2_PROXY_CLIENT_SECRET=
OAUTH2_PROXY_COOKIE_SECRET=
OTR_USER=recorder
OTR_PASS=yourpassword
OTR_HOST=owntracks.example.com
@@ -56,32 +52,29 @@ services:
- /var/data/owntracks:/owntracks
networks:
- internal
- traefik_public
ports:
- 1883:1883
- 8883:8883
- 8083:8083
owntracks-proxy:
image: a5huynh/oauth2_proxy
env_file : /var/data/config/owntracks/owntracks.env
networks:
- internal
- traefik_public
deploy:
labels:
- traefik.frontend.rule=Host:owntracks.example.com
# traefik common
- traefik.enable=true
- traefik.docker.network=traefik_public
- traefik.port=4180
volumes:
- /var/data/config/owntracks/authenticated-emails.txt:/authenticated-emails.txt
command: |
-cookie-secure=false
-upstream=http://owntracks-app:8083
-redirect-url=https://owntracks.example.com
-http-address=http://0.0.0.0:4180
-email-domain=example.com
-provider=github
-authenticated-emails-file=/authenticated-emails.txt
# traefikv1
- traefik.frontend.rule=Host:owntracks-app.example.com
- traefik.port=8083
# traefikv2
- "traefik.http.routers.owntracks.rule=Host(`owntracks-app.example.com`)"
- "traefik.http.services.owntracks.loadbalancer.server.port=8083"
- "traefik.enable=true"
# Remove if you wish to access the URL directly
- "traefik.http.routers.owntracks.middlewares=forward-auth@file"
networks:
traefik_public:
@@ -103,7 +96,7 @@ Launch the OwnTracks stack by running ```docker stack deploy owntracks -c <path
Log into your new instance at https://**YOUR-FQDN**, with user "root" and the password you specified in gitlab.env.
[^1]: If you wanted to expose the OwnTracks Web UI directly, you could remove the oauth2_proxy from the design, and move the traefik-related labels directly to the wekan container. You'd also need to add the traefik network to the owntracks container.
[^1]: If you wanted to expose the Owntracks UI directly, you could remove the traefik-forward-auth from the design.
[^2]: I'm using my own image rather than owntracks/recorderd, because of a [potentially swarm-breaking bug](https://github.com/owntracks/recorderd/issues/14) I found in the official container. If this gets resolved (_or if I was mistaken_) I'll update the recipe accordingly.
[^3]: By default, you'll get a fully accessible, unprotected MQTT broker. This may not be suitable for public exposure, so you'll want to look into securing mosquitto with TLS and ACLs.
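Review bot: The new router rule uses `owntracks-app.example.com` (in both the traefikv1 `traefik.frontend.rule` and the v2 `routers.owntracks.rule` labels) where the removed proxy and the rest of the recipe use `owntracks.example.com`; this looks like the service name `owntracks-app` leaking into the hostname, and it will not match the URL the serving paragraph tells the reader to open. Also note that the `forward-auth@file` middleware only guards the Traefik path: the unchanged `ports:` block still publishes 8083 (the recorder UI) directly on the swarm nodes, so the new `# Remove if you wish to access the URL directly` comment describes only part of the exposure. A sentence in the prose pointing this out, or dropping the 8083 publish, would make the design match what the comment claims.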


@@ -111,9 +111,20 @@ services:
deploy:
labels:
- traefik.frontend.rule=Host:photoprism.funkypenguin.co.nz
# traefik common
- traefik.enable=true
- traefik.docker.network=traefik_public
- traefik.port=2342
# traefikv1
- traefik.frontend.rule=Host:photoprism.example.com
- traefik.port=2342
# traefikv2
- "traefik.http.routers.photoprism.rule=Host(`photoprism.example.com`)"
- "traefik.http.services.photoprism.loadbalancer.server.port=2342"
- "traefik.enable=true"
db:
image: mariadb:10.5
env_file: /var/data/config/photoprism/photoprism.env


@@ -49,9 +49,18 @@ services:
- /var/data/media:/media
deploy:
labels:
- traefik.frontend.rule=Host:plex.example.com
# traefik common
- traefik.enable=true
- traefik.docker.network=traefik_public
- traefik.port=32400
# traefikv1
- traefik.frontend.rule=Host:plex.example.com
- traefik.port=32400
# traefikv2
- "traefik.http.routers.plex.rule=Host(`plex.example.com`)"
- "traefik.http.services.plex.loadbalancer.server.port=32400"
- "traefik.enable=true"
networks:
- traefik_public
- internal


@@ -39,9 +39,18 @@ services:
- traefik_public
deploy:
labels:
- traefik.frontend.rule=Host:privatebin.example.com
# traefik common
- traefik.enable=true
- traefik.docker.network=traefik_public
- traefik.port=4180
# traefikv1
- traefik.frontend.rule=Host:privatebin.example.com
- traefik.port=4180
# traefikv2
- "traefik.http.routers.privatebin.rule=Host(`privatebin.example.com`)"
- "traefik.http.services.privatebin.loadbalancer.server.port=4180"
- "traefik.enable=true"
networks:
traefik_public:
@@ -57,6 +66,6 @@ Launch the PrivateBin stack by running ```docker stack deploy privatebin -c <pat
Log into your new instance at https://**YOUR-FQDN**, with user "root" and the password you specified in gitlab.env.
[^1]: The [PrivateBin repo](https://github.com/PrivateBin/PrivateBin/blob/master/INSTALL.md) explains how to tweak configuration options, or to use a database instead of file storage, if your volume justifies it :)
[^2]: The inclusion of PrivateBin was due to the efforts of @gkoerk in our [Discord server](http://chat.funkypenguin.co.nz). Thanks Gerry!!
[^2]: The inclusion of Privatebin was due to the efforts of @gkoerk in our [Discord server](http://chat.funkypenguin.co.nz)- Unfortunately on the 22nd August 2020 Jerry passed away. Jerry was very passionate and highly regarded in the field of Information Technology. He will be missed.
--8<-- "recipe-footer.md"
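Review bot: The rewritten labels `- traefik.port=4180` and `- "traefik.http.services.privatebin.loadbalancer.server.port=4180"` still send traefik to port 4180, which elsewhere in this commit is the listen port of the removed oauth2_proxy containers (`-http-address=http://0.0.0.0:4180`), not of the application behind them. This hunk does not show what port the privatebin container itself serves on, so confirm it; if it is not 4180, traefik will fail to reach the service once the proxy is gone, and the labels should be changed to the application port the way the realms and wallabag sections were (5000 and 80). Unlike the realms, wekan and wallabag sections, no `traefik.http.routers.privatebin.middlewares=forward-auth@file` label is attached here; if leaving the pastebin reachable without authentication is intentional, a one-line comment saying so would help readers who copy this label block as a template.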


@@ -36,14 +36,6 @@ Since we'll start with a basic Realms install, let's just create a single direct
mkdir /var/data/realms/
```
Create realms.env, and populate with the following variables (_if you intend to use an [oauth_proxy](/reference/oauth_proxy) to double-secure your installation, which I recommend_)
```bash
OAUTH2_PROXY_CLIENT_ID=
OAUTH2_PROXY_CLIENT_SECRET=
OAUTH2_PROXY_COOKIE_SECRET=
```
### Setup Docker Swarm
Create a docker swarm config file in docker-compose syntax (v3), something like this:
@@ -56,33 +48,29 @@ version: "3"
services:
realms:
image: realms/realms-wiki:latest
env_file: /var/data/config/realms/realms.env
volumes:
- /var/data/realms:/home/wiki/data
networks:
- internal
realms_proxy:
image: funkypenguin/oauth2_proxy:latest
env_file : /var/data/config/realms/realms.env
networks:
- internal
- traefik_public
deploy:
labels:
- traefik.frontend.rule=Host:realms.funkypenguin.co.nz
# traefik common
- traefik.enable=true
- traefik.docker.network=traefik_public
- traefik.port=4180
volumes:
- /var/data/config/realms/authenticated-emails.txt:/authenticated-emails.txt
command: |
-cookie-secure=false
-upstream=http://realms:5000
-redirect-url=https://realms.funkypenguin.co.nz
-http-address=http://0.0.0.0:4180
-email-domain=funkypenguin.co.nz
-provider=github
-authenticated-emails-file=/authenticated-emails.txt
# traefikv1
- traefik.frontend.rule=Host:realms.example.com
- traefik.port=5000
# traefikv2
- "traefik.http.routers.realms.rule=Host(`realms.example.com`)"
- "traefik.http.services.realms.loadbalancer.server.port=5000"
- "traefik.enable=true"
# Remove if you wish to access the URL directly
- "traefik.http.routers.realms.middlewares=forward-auth@file"
networks:
traefik_public:
@@ -104,7 +92,8 @@ Launch the Wekan stack by running ```docker stack deploy realms -c <path -to-doc
Log into your new instance at https://**YOUR-FQDN**, authenticate against oauth_proxy, and you're immediately presented with Realms wiki, waiting for a fresh edit ;)
[^1]: If you wanted to expose the Realms UI directly, you could remove the oauth2_proxy from the design, and move the traefik_public-related labels directly to the realms container. You'd also need to add the traefik_public network to the realms container.
[^2]: The inclusion of Realms was due to the efforts of @gkoerk in our [Discord server](http://chat.funkypenguin.co.nz). Thanks gkoerk!
[^1]: If you wanted to expose the realms UI directly, you could remove the traefik-forward-auth from the design.
[^2]: The inclusion of Realms was due to the efforts of @gkoerk in our [Discord server](http://chat.funkypenguin.co.nz)- Unfortunately on the 22nd August 2020 Jerry passed away. Jerry was very passionate and highly regarded in the field of Information Technology. He will be missed.
--8<-- "recipe-footer.md"
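Review bot: The unchanged line `Log into your new instance at https://**YOUR-FQDN**, authenticate against oauth_proxy, ...` in the last hunk still tells readers to authenticate against oauth_proxy, although the `realms_proxy` service and its `OAUTH2_PROXY_*` variables are removed above; change it to `authenticate against traefik-forward-auth`. In the compose hunk the rendered view does not show whether the `networks:` block listing `traefik_public` belonged to the removed `realms_proxy` service or survives on `realms`; the `realms` service at the top of the hunk lists only `internal`, and the new `traefik.docker.network=traefik_public` label only works if `realms` is attached to `traefik_public`, so confirm the final service definition carries both networks. With every variable removed from realms.env in the first hunk, also check whether `env_file: /var/data/config/realms/realms.env` is still wanted, since a referenced env file that the reader never creates makes the stack deploy fail.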


@@ -101,7 +101,7 @@ RESTIC_PASSWORD=<repo_password>
### Setup Docker Swarm
Create a docker swarm config file in docker-compose syntax (v3) in `/var/data/restic/restic.yml` , something like this:
Create a docker swarm config file in docker-compose syntax (v3) in `/var/data/config/restic/restic.yml` , something like this:
--8<-- "premix-cta.md"


@@ -73,7 +73,7 @@ Grafana will make all the data we collect from our swarm beautiful.
Create /var/data/swarmprom/grafana.env, and populate with the following variables
```bash
```yaml
OAUTH2_PROXY_CLIENT_ID=
OAUTH2_PROXY_CLIENT_SECRET=
OAUTH2_PROXY_COOKIE_SECRET=


@@ -30,9 +30,9 @@ cd /var/data/config/ttrss
### Prepare environment
Create ttrss.env, and populate with the following variables, customizing at least the database password (POSTGRES_PASSWORD **and** DB_PASS) and the TTRSS_SELF_URL to point to your installation.
Create `/var/data/config/ttrs/ttrss.env`, and populate with the following variables, customizing at least the database password (POSTGRES_PASSWORD **and** DB_PASS) and the TTRSS_SELF_URL to point to your installation.
```bash
```yaml
# Variables for postgres:latest
POSTGRES_USER=ttrss
POSTGRES_PASSWORD=mypassword
@@ -79,12 +79,21 @@ services:
env_file: /var/data/config/ttrss/ttrss.env
deploy:
labels:
- traefik.frontend.rule=Host:ttrss.funkypenguin.co.nz
- traefik.docker.network=traefik
- traefik.port=8080
# traefik common
- traefik.enable=true
- traefik.docker.network=traefik_public
# traefikv1
- traefik.frontend.rule=Host:ttrss.example.com
- traefik.port=8080
# traefikv2
- "traefik.http.routers.ttrss.rule=Host(`ttrss.example.com`)"
- "traefik.http.services.ttrss.loadbalancer.server.port=8080"
- "traefik.enable=true"
networks:
- internal
- traefik
- traefik_public
db-backup:
image: postgres:latest
@@ -106,7 +115,7 @@ services:
- internal
networks:
traefik:
traefik_public:
external: true
internal:
driver: overlay
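Review bot: The new instruction line `Create `/var/data/config/ttrs/ttrss.env`` misspells the directory (`ttrs`), while the step before it is `cd /var/data/config/ttrss` and the compose file reads `env_file: /var/data/config/ttrss/ttrss.env`; a reader following the text literally creates the file where the stack will not find it. Change it to `/var/data/config/ttrss/ttrss.env`. Separately, the fence around this `KEY=value` env-file content was retagged from ```` ```bash ```` to ```` ```yaml ````; dotenv content is not YAML, and the same retag appears in the swarmprom, wallabag, wekan and wetty sections, so keeping `bash` (or a plain fence) would be more accurate. The swarmprom hunk also still lists `OAUTH2_PROXY_CLIENT_ID` and friends in grafana.env, which reads as a leftover given the commit's stated goal.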


@@ -30,9 +30,9 @@ mkdir -p {images,db-dump}
### Prepare environment
Create wallabag.env, and populate with the following variables. The only variable you **have** to change is SYMFONY__ENV__DOMAIN_NAME - this **must** be the URL that your Wallabag instance will be available at (_else you'll have no CSS_)
Create `/var/data/config/wallabag/wallabag.env`, and populate with the following variables. The only variable you **have** to change is SYMFONY__ENV__DOMAIN_NAME - this **must** be the URL that your Wallabag instance will be available at (_else you'll have no CSS_)
```bash
```yaml
# For the DB container
POSTGRES_PASSWORD=wallabag
POSTGRES_USER=wallabag
@@ -51,17 +51,11 @@ SYMFONY__ENV__MAILER_USER=~
SYMFONY__ENV__MAILER_PASSWORD=~
SYMFONY__ENV__FROM_EMAIL=wallabag@example.com
SYMFONY__ENV__FOSUSER_REGISTRATION=false
# If you decide to protect wallabag with an oauth_proxy, complete these
OAUTH2_PROXY_CLIENT_ID=
OAUTH2_PROXY_CLIENT_SECRET=
OAUTH2_PROXY_COOKIE_SECRET=
```
Now create wallabag-backup.env in the same folder, with the following contents. (_This is necessary to prevent environment variables required for backup from breaking the DB container_)
Now create wallabag-`/var/data/config/wallabag/backup.env` with the following contents. (_This is necessary to prevent environment variables required for backup from breaking the DB container_)
```bash
```yaml
# For database backups
PGUSER=wallabag
PGPASSWORD=wallabag
@@ -79,7 +73,6 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
```yaml
version: '3'
services:
wallabag:
image: wallabag/wallabag
env_file: /var/data/config/wallabag/wallabag.env
@@ -87,28 +80,23 @@ services:
- internal
volumes:
- /var/data/wallabag/images:/var/www/wallabag/web/assets/images
deploy:
labels:
# traefik common
- traefik.enable=true
- traefik.docker.network=traefik_public
wallabag_proxy:
image: a5huynh/oauth2_proxy
env_file: /var/data/config/wallabag/wallabag.env
networks:
- internal
- traefik_public
deploy:
labels:
- traefik.frontend.rule=Host:wallabag.example.com
- traefik.docker.network=traefik_public
- traefik.port=4180
volumes:
- /var/data/config/wallabag/authenticated-emails.txt:/authenticated-emails.txt
command: |
-cookie-secure=false
-upstream=http://wallabag:80
-redirect-url=https://wallabag.example.com
-http-address=http://0.0.0.0:4180
-email-domain=example.com
-provider=github
-authenticated-emails-file=/authenticated-emails.txt
# traefikv1
- traefik.frontend.rule=Host:wallabag.example.com
- traefik.port=80
# traefikv2
- "traefik.http.routers.wallabag.rule=Host(`wallabag.example.com`)"
- "traefik.http.services.wallabag.loadbalancer.server.port=80"
- "traefik.enable=true"
# Remove if you wish to access the URL directly
- "traefik.http.routers.wallabag.middlewares=forward-auth@file"
db:
image: postgres
@@ -188,7 +176,8 @@ Even with all these elements in place, you still need to enable Redis under Inte
![Wallabag Imports](../images/wallabag_imports.png)
[^1]: If you wanted to expose the Wallabag UI directly (_required for the iOS/Android apps_), you could remove the oauth2_proxy from the design, and move the traefik-related labels directly to the wallabag container. You'd also need to add the traefik_public network to the wallabag container. I found the iOS app to be unreliable and clunky, so elected to leave my oauth_proxy enabled, and to simply use the webUI on my mobile devices instead. YMMMV.
[^1]: If you wanted to expose the Wekan UI directly, you could remove the traefik-forward-auth from the design. I found the iOS app to be unreliable and clunky, so elected to leave my traefik-forward-auth enabled, and to simply use the webUI on my mobile devices instead. YMMMV.
[^2]: I've not tested the email integration, but you'd need an SMTP server listening on port 25 (_since we can't change the port_) to use it
--8<-- "recipe-footer.md"
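Review bot: The new footnote `[^1]: If you wanted to expose the Wekan UI directly, ...` names Wekan, but this is the Wallabag recipe and the rest of the sentence discusses the Wallabag iOS app; change it to `Wallabag UI`, and consider keeping the dropped parenthetical `(_required for the iOS/Android apps_)`, since it is the reason a reader would want direct exposure. The new sentence beginning `Now create wallabag-` followed by the path `/var/data/config/wallabag/backup.env` looks like a partial edit of the old `wallabag-backup.env`; the intended path is presumably `/var/data/config/wallabag/wallabag-backup.env`, or whatever the `db-backup` service's `env_file` actually references (not visible in this hunk), and the two should agree.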


@@ -10,10 +10,10 @@ Wekan is an open-source kanban board which allows a card-based task and to-do ma
Wekan allows to create Boards, on which Cards can be moved around between a number of Columns. Boards can have many members, allowing for easy collaboration, just add everyone that should be able to work with you on the board to it, and you are good to go! You can assign colored Labels to cards to facilitate grouping and filtering, additionally you can add members to a card, for example to assign a task to someone.
There's a [video](https://www.youtube.com/watch?v=N3iMLwCNOro) of the developer showing off the app, as well as a f[unctional demo](https://wekan.indie.host/b/t2YaGmyXgNkppcFBq/wekan-fork-roadmap).
There's a [video](https://www.youtube.com/watch?v=N3iMLwCNOro) of the developer showing off the app, as well as a [functional demo](https://wekan.indie.host/b/t2YaGmyXgNkppcFBq/wekan-fork-roadmap).
!!! note
For added privacy, this design secures wekan behind an [oauth2 proxy](/reference/oauth_proxy/), so that in order to gain access to the wekan UI at all, oauth2 authentication (_to GitHub, GitLab, Google, etc_) must have already occurred.
For added privacy, this design secures wekan behind a [traefik-forward-auth](/ha-docker-swarm/traefik-forward-auth/), so that in order to gain access to the wekan UI at all, authentication must have already occurred.
--8<-- "recipe-standard-ingredients.md"
@@ -31,15 +31,9 @@ mkdir -p {wekan-db,wekan-db-dump}
### Prepare environment
You'll need to know the following:
Create `/var/data/config/wekan.env`, and populate with the following variables:
1. Choose an oauth provider, and obtain a client ID and secret
2. Create wekan.env, and populate with the following variables
```bash
OAUTH2_PROXY_CLIENT_ID=
OAUTH2_PROXY_CLIENT_SECRET=
OAUTH2_PROXY_COOKIE_SECRET=
```yaml
MONGO_URL=mongodb://wekandb:27017/wekan
ROOT_URL=https://wekan.example.com
MAIL_URL=smtp://wekan@wekan.example.com:password@mail.example.com:587/
@@ -60,7 +54,6 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
version: '3'
services:
wekandb:
image: mongo:latest
command: mongod --smallfiles --oplogSize 128
@@ -70,33 +63,29 @@ services:
- /var/data/runtime/wekan/database:/data/db
- /var/data/wekan/database-dump:/dump
proxy:
image: a5huynh/oauth2_proxy
env_file: /var/data/config/wekan/wekan.env
networks:
- traefik
- internal
volumes:
- /var/data/oauth_proxy/authenticated-emails.txt:/authenticated-emails.txt
deploy:
labels:
- traefik.frontend.rule=Host:wekan.example.com
- traefik.docker.network=traefik
- traefik.port=4180
command: |
-cookie-secure=false
-upstream=http://wekan:80
-redirect-url=https://wekan.example.com
-http-address=http://0.0.0.0:4180
-email-domain=example.com
-provider=github
-authenticated-emails-file=/authenticated-emails.txt
wekan:
image: wekanteam/wekan:latest
networks:
- internal
- traefik_public
env_file: /var/data/config/wekan/wekan.env
deploy:
labels:
# traefik common
- traefik.enable=true
- traefik.docker.network=traefik_public
# traefikv1
- traefik.frontend.rule=Host:wekan.example.com
- traefik.port=4180
# traefikv2
- "traefik.http.routers.wekan.rule=Host(`wekan.example.com`)"
- "traefik.http.services.wekan.loadbalancer.server.port=4180"
- "traefik.enable=true"
# Remove if you wish to access the URL directly
- "traefik.http.routers.wekan.middlewares=forward-auth@file"
db-backup:
image: mongo:latest
@@ -118,7 +107,7 @@ services:
- internal
networks:
traefik:
traefik_public:
external: true
internal:
driver: overlay
@@ -135,8 +124,8 @@ networks:
Launch the Wekan stack by running ```docker stack deploy wekan -c <path -to-docker-compose.yml>```
Log into your new instance at https://**YOUR-FQDN**, with user "root" and the password you specified in gitlab.env.
Log into your new instance at `https://**YOUR-FQDN**`, with user "root" and the password you specified in `wekan.env`.
[^1]: If you wanted to expose the Wekan UI directly, you could remove the oauth2_proxy from the design, and move the traefik-related labels directly to the wekan container. You'd also need to add the traefik network to the wekan container.
[^1]: If you wanted to expose the Wekan UI directly, you could remove the traefik-forward-auth from the design.
--8<-- "recipe-footer.md"
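Review bot: The rewritten labels `- traefik.port=4180` and `- "traefik.http.services.wekan.loadbalancer.server.port=4180"` keep the removed oauth2_proxy's listen port, but the removed proxy command in the same hunk shows the application behind it was `-upstream=http://wekan:80`, so traefik now targets a port on the wekan container that nothing listens on. Change both values to `80`, as the realms and wallabag sections in this commit were corrected to their application ports. The new instruction `Create `/var/data/config/wekan.env`` also disagrees with `env_file: /var/data/config/wekan/wekan.env` in the compose hunk; use the latter path. The privatebin section keeps 4180 too, though its hunk does not show the upstream port, so it deserves the same check.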


@@ -10,30 +10,37 @@ description: Terminal in a browser, baby!
## Why would you need SSH in a browser window?
Need shell access to a node with no external access? Deploy Wetty behind an [oauth_proxy](/reference/oauth_proxy/) with a SSL-terminating reverse proxy ([traefik](/ha-docker-swarm/traefik/)), and suddenly you have the means to SSH to your private host from any web browser (_protected by your [oauth_proxy](/reference/oauth_proxy/) of course, and your OAuth provider's 2FA_)
Need shell access to a node with no external access? Deploy Wetty behind an [traefik-forward-auth](/ha-docker-swarm/traefik-forward-auth/) with a SSL-terminating reverse proxy ([traefik](/ha-docker-swarm/traefik/)), and suddenly you have the means to SSH to your private host from any web browser (_protected by your [traefik-forward-auth](/ha-docker-swarm/traefik-forward-auth/) of course._)
Here are some other possible use cases:
1. Access to SSH / CLI from an environment where outgoing SSH is locked down, or SSH client isn't / can't be installed. (_i.e., a corporate network_)
2. Access to long-running processes inside a tmux session (_like [irrsi](https://irssi.org/)_)
3. Remote access to a VM / [container running Kali linux](https://github.com/offensive-security/kali-linux-docker), for penetration testing
3. Remote access to a VM / [container running Kali linux](https://gitlab.com/kalilinux/build-scripts/kali-docker), for penetration testing
--8<-- "recipe-standard-ingredients.md"
## Preparation
### Prepare environment
### Setup data locations
Create wetty.env, and populate with the following variables per the [oauth_proxy](/reference/oauth_proxy/) instructions:
First we create a directory to hold the data which wetty will serve:
```bash
OAUTH2_PROXY_CLIENT_ID=
OAUTH2_PROXY_CLIENT_SECRET=
OAUTH2_PROXY_COOKIE_SECRET=
mkdir /var/data/config/wetty
cd /var/data/config/wetty
```
### Prepare environment
Create `/var/data/config/wetty.env`, and populate with the following variables
```yaml
# To use WeTTY to SSH to a host besides the (mostly useless) alpine container it comes with
SSHHOST=batcomputer.batcave.com
SSHUSER=batman
```
### Setup Docker Swarm
@@ -48,29 +55,24 @@ services:
wetty:
image: krishnasrinivas/wetty
env_file : /var/data/config/wetty/wetty.env
networks:
- internal
proxy:
image: funkypenguin/oauth2_proxy:latest
env_file: /var/data/config/wetty/wetty.env
deploy:
labels:
# traefik common
- traefik.enable=true
- traefik.docker.network=traefik_public
# traefikv1
- traefik.frontend.rule=Host:wetty.example.com
- traefik.port=3000
# traefikv2
- "traefik.http.routers.wetty.rule=Host(`wetty.example.com`)"
- "traefik.http.services.wetty.loadbalancer.server.port=3000"
- "traefik.enable=true"
- "traefik.http.routers.wetty.middlewares=forward-auth@file"
networks:
- internal
- traefik_public
deploy:
labels:
- traefik.frontend.rule=Host:wetty.funkypenguin.co.nz
- traefik.docker.network=traefik_public
- traefik.port=4180
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/data/config/wetty/authenticated-emails.txt:/authenticated-emails.txt
command: |
-cookie-secure=false
-upstream=http://wetty:3000
-redirect-url=https://wetty.funkypenguin.co.nz
-http-address=http://0.0.0.0:4180
-provider=github
-authenticated-emails-file=/authenticated-emails.txt
networks:
traefik_public:
@@ -93,6 +95,7 @@ Launch the Wetty stack by running ```docker stack deploy wetty -c <path -to-dock
Browse to your new browser-cli-terminal at https://**YOUR-FQDN**. Authenticate with your OAuth provider, and then proceed to login, either to the remote host you specified (_batcomputer.batcave.com, in the example above_), or using user and password "term" to log directly into the Wetty alpine container (_from which you can establish egress SSH_)
[^1]: You could set SSHHOST to the IP of the "docker0" interface on your host, which is normally 172.17.0.1. (_Or run ```/sbin/ip route|awk '/default/ { print $3 }'``` in the container_) This would then provide you the ability to remote-manage your swarm with only web access to Wetty.
[^2]: The inclusion of Wetty was due to the efforts of @gpulido in our [Discord server](http://chat.funkypenguin.co.nz). Thanks Gabriel!
--8<-- "recipe-footer.md"
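Review bot: The new instruction `Create `/var/data/config/wetty.env`` does not match `env_file : /var/data/config/wetty/wetty.env` in the compose file or the `mkdir /var/data/config/wetty` step just above it; use `/var/data/config/wetty/wetty.env`. The new sentence `First we create a directory to hold the data which wetty will serve` is misleading because the directory only holds wetty.env, so `First we create a directory to hold wetty's configuration` would be more accurate, and `behind an [traefik-forward-auth]` should read `behind a`. On the security side, the `traefik.http.routers.wetty.middlewares=forward-auth@file` label is the only thing between the public hostname and an SSH session to `SSHHOST`; omitting the `# Remove if you wish to access the URL directly` comment used in the other recipes is the right call here, and a short comment such as `# keep: this middleware is what gates shell access` would stop readers from dropping it when they copy the label block from another recipe.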


@@ -12,7 +12,6 @@ In order to avoid IP addressing conflicts as we bring swarm networks up/down, we
| [NightScout](https://geek-cookbook.funkypenguin.co.nz/recipes/nightscout/) | 172.16.4.0/24 |
| [Tiny Tiny RSS](https://geek-cookbook.funkypenguin.co.nz/recipes/tiny-tiny-rss/) | 172.16.5.0/24 |
| [Huginn](https://geek-cookbook.funkypenguin.co.nz/recipes/huginn/) | 172.16.6.0/24 |
| [Kanboard](https://geek-cookbook.funkypenguin.co.nz/recipes/kanboard/) | 172.16.8.0/24 |
| [Gollum](https://geek-cookbook.funkypenguin.co.nz/recipes/gollum/) | 172.16.9.0/24 |
| [Duplicity](https://geek-cookbook.funkypenguin.co.nz/recipes/duplicity/) | 172.16.10.0/24 |
| [Autopirate](https://geek-cookbook.funkypenguin.co.nz/recipes/autopirate/) | 172.16.11.0/24 |
@@ -21,14 +20,12 @@ In order to avoid IP addressing conflicts as we bring swarm networks up/down, we
| [Home Assistant](https://geek-cookbook.funkypenguin.co.nz/recipes/homeassistant/) | 172.16.14.0/24 |
| [OwnTracks](https://geek-cookbook.funkypenguin.co.nz/recipes/owntracks/) | 172.16.15.0/24 |
| [Plex](https://geek-cookbook.funkypenguin.co.nz/recipes/plex/) | 172.16.16.0/24 |
| [Emby](https://geek-cookbook.funkypenguin.co.nz/recipes/emby/) | 172.16.17.0/24 |
| [Calibre-Web](https://geek-cookbook.funkypenguin.co.nz/recipes/calibre-web/) | 172.16.18.0/24 |
| [Wallabag](https://geek-cookbook.funkypenguin.co.nz/recipes/wallabag/) | 172.16.19.0/24 |
| [InstaPy](https://geek-cookbook.funkypenguin.co.nz/recipes/instapy/) | 172.16.20.0/24 |
| [Archivy](https://geek-cookbook.funkypenguin.co.nz/recipes/archivy/) | 172.16.21.0/24 |
| [MiniFlux](https://geek-cookbook.funkypenguin.co.nz/recipes/miniflux/) | 172.16.22.0/24 |
| [Gitlab Runner](https://geek-cookbook.funkypenguin.co.nz/recipes/gitlab-runner/) | 172.16.23.0/24 |
| [Munin](https://geek-cookbook.funkypenguin.co.nz/recipes/munin/) | 172.16.24.0/24 |
| [Bookstack](https://geek-cookbook.funkypenguin.co.nz/recipes/bookstack/) | 172.16.33.0/24 |
| [Swarmprom](https://geek-cookbook.funkypenguin.co.nz/recipes/swarmprom/) | 172.16.34.0/24 |
| [Realms](https://geek-cookbook.funkypenguin.co.nz/recipes/realms/) | 172.16.35.0/24 |
@@ -40,5 +37,4 @@ In order to avoid IP addressing conflicts as we bring swarm networks up/down, we
| [KeyCloak](https://geek-cookbook.funkypenguin.co.nz/recipes/keycloak/) | 172.16.49.0/24 |
| [Duplicati](https://geek-cookbook.funkypenguin.co.nz/recipes/duplicati/) | 172.16.55.0/24 |
| [Restic](https://geek-cookbook.funkypenguin.co.nz/recipes/restic/) | 172.16.56.0/24 |
| [Jellyfin](https://geek-cookbook.funkypenguin.co.nz/recipes/jellyfin/) | 172.16.57.0/24 |
| [Paperless NG](https://geek-cookbook.funkypenguin.co.nz/recipes/paperless/) | 172.16.58.0/24 |