From 5411b1b17306e254ce1135cfc7a76a74662c7c2d Mon Sep 17 00:00:00 2001 From: Benjamin Durham <33912370+Bencey@users.noreply.github.com> Date: Mon, 25 Oct 2021 15:47:50 +1300 Subject: [PATCH] Remove remaining references to oauth-proxy (we now have traefik-forward-auth instead!) --- manuscript/recipes/bookstack.md | 42 ++++++++---------- manuscript/recipes/calibre-web.md | 43 +++++++----------- manuscript/recipes/collabora-online.md | 12 ++++- manuscript/recipes/elkarbackup.md | 44 ++++++++----------- manuscript/recipes/emby.md | 19 ++++---- manuscript/recipes/ghost.md | 13 +++++- manuscript/recipes/gitlab.md | 15 +++++-- manuscript/recipes/gollum.md | 53 ++++++++-------------- manuscript/recipes/homeassistant.md | 49 +++++++++++---------- manuscript/recipes/jellyfin.md | 20 +++++---- manuscript/recipes/kanboard.md | 51 +++++---------------- manuscript/recipes/keycloak.md | 14 +++++- manuscript/recipes/komga.md | 18 +++++--- manuscript/recipes/mail.md | 13 +++++- manuscript/recipes/miniflux.md | 13 +++++- manuscript/recipes/minio.md | 11 +++-- manuscript/recipes/munin.md | 45 +++++++------------ manuscript/recipes/nextcloud.md | 16 +++++-- manuscript/recipes/openldap.md | 56 ++++++++++------------- manuscript/recipes/owntracks.md | 41 +++++++---------- manuscript/recipes/photoprism.md | 15 ++++++- manuscript/recipes/plex.md | 13 +++++- manuscript/recipes/privatebin.md | 15 +++++-- manuscript/recipes/realms.md | 47 ++++++++------------ manuscript/recipes/restic.md | 2 +- manuscript/recipes/swarmprom.md | 2 +- manuscript/recipes/tiny-tiny-rss.md | 23 +++++++--- manuscript/recipes/wallabag.md | 55 ++++++++++------------- manuscript/recipes/wekan.md | 61 +++++++++++--------------- manuscript/recipes/wetty.md | 57 ++++++++++++------------ manuscript/reference/networks.md | 4 -- 31 files changed, 437 insertions(+), 445 deletions(-) diff --git a/manuscript/recipes/bookstack.md b/manuscript/recipes/bookstack.md index 038c507..8096170 100644 
--- a/manuscript/recipes/bookstack.md +++ b/manuscript/recipes/bookstack.md @@ -67,33 +67,29 @@ services: volumes: - /var/data/runtime/bookstack/db:/var/lib/mysql - proxy: - image: a5huynh/oauth2_proxy - env_file : /var/data/config/bookstack/bookstack.env - networks: - - internal - - traefik_public - deploy: - labels: - - traefik.frontend.rule=Host:bookstack.example.com - - traefik.docker.network=traefik_public - - traefik.port=4180 - volumes: - - /var/data/config/bookstack/authenticated-emails.txt:/authenticated-emails.txt - command: | - -cookie-secure=false - -upstream=http://app - -redirect-url=https://bookstack.example.com - -http-address=http://0.0.0.0:4180 - -email-domain=example.com - -provider=github - -authenticated-emails-file=/authenticated-emails.txt - app: image: solidnerd/bookstack env_file: /var/data/config/bookstack/bookstack.env networks: - internal + - traefik_public + deploy: + labels: + # traefik common + - traefik.enable=true + - traefik.docker.network=traefik_public + + # traefikv1 + - traefik.frontend.rule=Host:bookstack.example.com + - traefik.port=4180 + + # traefikv2 + - "traefik.http.routers.bookstack.rule=Host(`bookstack.example.com`)" + - "traefik.http.services.bookstack.loadbalancer.server.port=4180" + - "traefik.enable=true" + + # Remove if you wish to access the URL directly + - "traefik.http.routers.bookstack.middlewares=forward-auth@file" db-backup: image: mariadb:10 @@ -134,6 +130,6 @@ Launch the BookStack stack by running ```docker stack deploy bookstack -c + PUID= PGID= ``` -Follow the [instructions](https://github.com/bitly/oauth2_proxy) to setup your oauth provider. You need to setup a unique key/secret for each instance of the proxy you want to run, since in each case the callback URL will differ. - ### Setup Docker Swarm Create a docker swarm config file in docker-compose syntax (v3), something like this: 
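Review bot: The `traefik.port=4180` and `traefik.http.services.bookstack.loadbalancer.server.port=4180` labels moved onto the `app` service still carry the oauth2_proxy listener port, while the removed `-upstream=http://app` shows BookStack itself was reached on port 80, so Traefik is now pointed at a port nothing in the stack listens on. Both labels should become `traefik.port=80` and `traefik.http.services.bookstack.loadbalancer.server.port=80`, as the other recipes in this commit do. Separately, only the traefikv2 router gets `forward-auth@file`; the `# traefikv1` block carries no `traefik.frontend.auth.forward.address` label, so a v1 deployment of this recipe is now reachable without the authentication the proxy used to enforce, which deserves either the v1 labels or a comment saying the v1 block is unprotected. The second hunk also deletes the sentence that told readers where authentication is configured without replacing it; a one-line pointer to the traefik-forward-auth recipe above the middlewares label (e.g. `# requires the forward-auth middleware defined in the traefik-forward-auth recipe`) would restore that.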
@@ -67,31 +63,26 @@ services: volumes: - /var/data/calibre-web:/config - /srv/data/Archive/Ebooks/calibre:/books - networks: - - internal - - proxy: - image: a5huynh/oauth2_proxy - env_file : /var/data/config/calibre-web/calibre-web.env - dns_search: hq.example.com networks: - internal - traefik_public deploy: labels: - - traefik.frontend.rule=Host:calibre-web.example.com + # traefik common + - traefik.enable=true - traefik.docker.network=traefik_public - - traefik.port=4180 - volumes: - - /var/data/config/calibre-web/authenticated-emails.txt:/authenticated-emails.txt - command: | - -cookie-secure=false - -upstream=http://app:8083 - -redirect-url=https://calibre-web.example.com - -http-address=http://0.0.0.0:4180 - -email-domain=example.com - -provider=github - -authenticated-emails-file=/authenticated-emails.txt + + # traefikv1 + - traefik.frontend.rule=Host:calibre.example.com + - traefik.port=8083 + + # traefikv2 + - "traefik.http.routers.calibre.rule=Host(`calibre.example.com`)" + - "traefik.http.services.calibre.loadbalancer.server.port=8083" + - "traefik.enable=true" + + # Remove if you wish to access the URL directly + - "traefik.http.routers.calibre.middlewares=forward-auth@file" networks: traefik_public: 
@@ -111,7 +102,7 @@ networks: Launch the Calibre-Web stack by running ```docker stack deploy calibre-web -c ``` -Log into your new instance at https://**YOUR-FQDN**. You'll be directed to the initial GUI configuraition. Set the first field (_Location of Calibre database_) to "_/books/_", and when complete, login using defaults username of "**admin**" with password "**admin123**". +Log into your new instance at `https://**YOUR-FQDN**`. You'll be directed to the initial GUI configuraition. Set the first field (_Location of Calibre database_) to "_/books/_", and when complete, login using defaults username of "**admin**" with password "**admin123**". [^1]: Yes, Calibre does provide a server component. But it's not as fully-featured as Calibre-Web (_i.e., you can't use it to send ebooks directly to your Kindle_) [^2]: A future enhancement might be integrating this recipe with the filestore for [NextCloud](/recipes/nextcloud/), so that the desktop database (Calibre) can be kept synced with Calibre-Web. diff --git a/manuscript/recipes/collabora-online.md b/manuscript/recipes/collabora-online.md index 52e0267..7ebb70d 100644 --- a/manuscript/recipes/collabora-online.md +++ b/manuscript/recipes/collabora-online.md @@ -170,10 +170,20 @@ services: - traefik_public deploy: labels: - - traefik.frontend.rule=Host:collabora.batcave.com + # traefik common + - traefik.enable=true - traefik.docker.network=traefik_public + + # traefikv1 + - traefik.frontend.rule=Host:collabora.example.com - traefik.port=80 - traefik.frontend.passHostHeader=true + + + # traefikv2 + - "traefik.http.routers.collabora.rule=Host(`collabora.example.com`)" + - "traefik.http.services.collabora.loadbalancer.server.port=80" + - "traefik.enable=true" # uncomment this line if you want to force nginx to always run on one node (i.e., the one running collabora) #placement: # constraints: diff --git a/manuscript/recipes/elkarbackup.md b/manuscript/recipes/elkarbackup.md index 6a4b2d5..fe3aa69 100644 
--- a/manuscript/recipes/elkarbackup.md +++ b/manuscript/recipes/elkarbackup.md @@ -46,11 +46,6 @@ TZ='Etc/UTC' # For mysql MYSQL_ROOT_PASSWORD=password - -#oauth2_proxy -OAUTH2_PROXY_CLIENT_ID= -OAUTH2_PROXY_CLIENT_SECRET= -OAUTH2_PROXY_COOKIE_SECRET= ``` Create ```/var/data/config/elkarbackup/elkarbackup-db-backup.env```, and populate with the following, to setup the nightly database dump. @@ -113,33 +108,30 @@ services: env_file: /var/data/config/elkarbackup/elkarbackup.env networks: - internal + - traefik_public volumes: - /etc/localtime:/etc/localtime:ro - /var/data/:/var/data - /var/data/elkarbackup/backups:/app/backups - /var/data/elkarbackup/uploads:/app/uploads - /var/data/elkarbackup/sshkeys:/app/.ssh + deploy: + labels: + # traefik common + - traefik.enable=true + - traefik.docker.network=traefik_public - proxy: - image: funkypenguin/oauth2_proxy - env_file: /var/data/config/elkarbackup/elkarbackup.env - networks: - - traefik_public - - internal - deploy: - labels: - - traefik.frontend.rule=Host:elkarbackup.example.com - - traefik.port=4180 - volumes: - - /var/data/config/traefik/authenticated-emails.txt:/authenticated-emails.txt - command: | - -cookie-secure=false - -upstream=http://app:80 - -redirect-url=https://elkarbackup.example.com - -http-address=http://0.0.0.0:4180 - -email-domain=example.com - -provider=github - -authenticated-emails-file=/authenticated-emails.txt + # traefikv1 + - traefik.frontend.rule=Host:elkarbackup.example.com + - traefik.port=80 + + # traefikv2 + - "traefik.http.routers.elkarbackup.rule=Host(`elkarbackup.example.com`)" + - "traefik.http.services.elkarbackup.loadbalancer.server.port=80" + - "traefik.enable=true" + + # Remove if you wish to access the URL directly + - "traefik.http.routers.elkarbackup.middlewares=forward-auth@file" networks: traefik_public: 
@@ -228,7 +220,7 @@ To restore files form a job, click on the "Restore" button in the WebUI, while o This takes you to a list of backup names and file paths. You can choose to download the entire contents of the backup from your browser as a .tar.gz, or to restore the backup to the client. If you click on the **name** of the backup, you can also drill down into the file structure, choosing to restore a single file or directory. -[^1]: If you wanted to expose the ElkarBackup UI directly, you could remove the oauth2_proxy from the design, and move the traefik_public-related labels directly to the app service. You'd also need to add the traefik_public network to the app service. +[^1]: If you wanted to expose the ElkarBackup UI directly, you could remove the traefik-forward-auth from the design. [^2]: The original inclusion of ElkarBackup was due to the efforts of @gpulido in our [Discord server](http://chat.funkypenguin.co.nz). Thanks Gabriel! --8<-- "recipe-footer.md" diff --git a/manuscript/recipes/emby.md b/manuscript/recipes/emby.md index 9898035..25ce41d 100644 --- a/manuscript/recipes/emby.md +++ b/manuscript/recipes/emby.md @@ -49,23 +49,26 @@ services: - /srv/data/:/data deploy: labels: - - traefik.frontend.rule=Host:emby.example.com + # traefik common + - traefik.enable=true - traefik.docker.network=traefik_public - - traefik.port=8096 + + # traefikv1 + - traefik.frontend.rule=Host:emby.example.com + - traefik.port=8096 + + # traefikv2 + - "traefik.http.routers.emby.rule=Host(`emby.example.com`)" + - "traefik.http.services.emby.loadbalancer.server.port=8096" + - "traefik.enable=true" networks: - traefik_public - - internal ports: - 8096:8096 networks: traefik_public: external: true - internal: - driver: overlay - ipam: - config: - - subnet: 172.16.17.0/24 ``` --8<-- "reference-networks.md" diff --git a/manuscript/recipes/ghost.md b/manuscript/recipes/ghost.md index da6ef15..b8fdd4c 100644 --- a/manuscript/recipes/ghost.md +++ b/manuscript/recipes/ghost.md 
@@ -39,9 +39,18 @@ services: - traefik_public deploy: labels: + # traefik common + - traefik.enable=true + - traefik.docker.network=traefik_public + + # traefikv1 - traefik.frontend.rule=Host:ghost.example.com - - traefik.docker.network=traefik - - traefik.port=2368 + - traefik.port=2368 + + # traefikv2 + - "traefik.http.routers.ghost.rule=Host(`ghost.example.com`)" + - "traefik.http.services.ghost.loadbalancer.server.port=2368" + - "traefik.enable=true" networks: traefik_public: diff --git a/manuscript/recipes/gitlab.md b/manuscript/recipes/gitlab.md index 15cbb0e..9577dda 100644 --- a/manuscript/recipes/gitlab.md +++ b/manuscript/recipes/gitlab.md @@ -80,13 +80,22 @@ services: image: sameersbn/gitlab:latest env_file: /var/data/config/gitlab/gitlab.env networks: - - internal - - traefik_public + - internal + - traefik_public deploy: labels: + # traefik common + - traefik.enable=true + - traefik.docker.network=traefik_public + + # traefikv1 - traefik.frontend.rule=Host:gitlab.example.com - - traefik.docker.network=traefik - traefik.port=80 + + # traefikv2 + - "traefik.http.routers.gitlab.rule=Host(`gitlab.example.com`)" + - "traefik.http.services.gitlab.loadbalancer.server.port=80" + - "traefik.enable=true" restart_policy: delay: 10s max_attempts: 10 diff --git a/manuscript/recipes/gollum.md b/manuscript/recipes/gollum.md index 03a507b..4933665 100644 --- a/manuscript/recipes/gollum.md +++ b/manuscript/recipes/gollum.md 
@@ -29,7 +29,7 @@ As you'll note in the (_real world_) screenshot above, my requirements for a per Gollum meets all these requirements, and as an added bonus, is extremely fast and lightweight. !!! note - Since Gollum itself offers no user authentication, this design secures gollum behind an [oauth2 proxy](/reference/oauth_proxy/), so that in order to gain access to the Gollum UI at all, oauth2 authentication (_to GitHub, GitLab, Google, etc_) must have already occurred. + Since Gollum itself offers no user authentication, this design secures gollum behind [traefik-forward-auth](/ha-docker-swarm/traefik-forward-auth/), so that in order to gain access to the Gollum UI at all, authentication must have already occurred. --8<-- "recipe-standard-ingredients.md" @@ -40,20 +40,11 @@ Gollum meets all these requirements, and as an added bonus, is extremely fast an We'll need an empty git repository in /var/data/gollum for our data: ```bash + mkdir /var/data/gollum cd /var/data/gollum git init -``` -### Prepare environment - -1. Choose an oauth provider, and obtain a client ID and secret -2. Create gollum.env, and populate with the following variables (_you can make the cookie secret whatever you like_) - -```bash -OAUTH2_PROXY_CLIENT_ID= -OAUTH2_PROXY_CLIENT_SECRET= -OAUTH2_PROXY_COOKIE_SECRET= ``` ### Setup Docker Swarm 
@@ -70,34 +61,30 @@ services: image: dakue/gollum volumes: - /var/data/gollum:/gollum - networks: - - internal - command: | - --allow-uploads - --emoji - --user-icons gravatar - - proxy: - image: a5huynh/oauth2_proxy - env_file : /var/data/config/gollum/gollum.env networks: - internal - traefik_public deploy: labels: - - traefik.frontend.rule=Host:gollum.example.com + # traefik common + - traefik.enable=true - traefik.docker.network=traefik_public - - traefik.port=4180 - volumes: - - /var/data/config/gollum/authenticated-emails.txt:/authenticated-emails.txt + + # traefikv1 + - traefik.frontend.rule=Host:gollum.example.com + - traefik.port=4567 + + # traefikv2 + - "traefik.http.routers.gollum.rule=Host(`gollum.example.com`)" + - "traefik.http.services.gollum.loadbalancer.server.port=4567" + - "traefik.enable=true" + + # Remove if you wish to access the URL directly + - "traefik.http.routers.wekan.middlewares=forward-auth@file" command: | - -cookie-secure=false - -upstream=http://app:4567 - -redirect-url=https://gollum.example.com - -http-address=http://0.0.0.0:4180 - -email-domain=example.com - -provider=github - -authenticated-emails-file=/authenticated-emails.txt + --allow-uploads + --emoji + --user-icons gravatar networks: traefik_public: @@ -117,8 +104,6 @@ networks: Launch the Gollum stack by running ```docker stack deploy gollum -c ``` -Authenticate against your OAuth provider, and then start editing your wiki! - [^1]: In the current implementation, Gollum is a "single user" tool only. The contents of the wiki are saved as markdown files under /var/data/gollum, and all the git commits are currently "Anonymous" --8<-- "recipe-footer.md" diff --git a/manuscript/recipes/homeassistant.md b/manuscript/recipes/homeassistant.md index c591e53..e141fb9 100644 --- a/manuscript/recipes/homeassistant.md +++ b/manuscript/recipes/homeassistant.md 
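Review bot: The middleware label added for Gollum names the wrong router — `traefik.http.routers.wekan.middlewares=forward-auth@file` — so under Traefik v2 the `gollum` router defined two labels above gets no middleware and the wiki is served with no authentication at all, contradicting the note added earlier in this file that Gollum is secured behind traefik-forward-auth. The label should read `traefik.http.routers.gollum.middlewares=forward-auth@file`. Traefik v1 deployments are in the same position because the `# traefikv1` block carries no `traefik.frontend.auth.forward.*` labels; since Gollum has no login of its own, that gap is worth at least a comment.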
@@ -36,9 +36,6 @@ Create /var/data/config/homeassistant/grafana.env, and populate with the followi ```bash GF_AUTH_BASIC_ENABLED=false -OAUTH2_PROXY_CLIENT_ID= -OAUTH2_PROXY_CLIENT_SECRET= -OAUTH2_PROXY_COOKIE_SECRET= ``` ### Setup Docker Swarm @@ -67,9 +64,18 @@ services: - /etc/localtime:/etc/localtime:ro deploy: labels: - - traefik.frontend.rule=Host:homeassistant.example.com + # traefik common + - traefik.enable=true - traefik.docker.network=traefik_public - - traefik.port=8123 + + # traefikv1 + - traefik.frontend.rule=Host:homeassistant.example.com + - traefik.port=8123 + + # traefikv2 + - "traefik.http.routers.homeassistant.rule=Host(`homeassistant.example.com`)" + - "traefik.http.services.homeassistant.loadbalancer.server.port=8123" + - "traefik.enable=true" networks: - traefik_public - internal 
@@ -84,29 +90,24 @@ services: - /etc/localtime:/etc/localtime:ro networks: - internal - - grafana-proxy: - image: a5huynh/oauth2_proxy - env_file : /var/data/config/homeassistant/grafana.env - dns_search: hq.example.com - networks: - - internal - traefik_public deploy: labels: - - traefik.frontend.rule=Host:grafana.example.com + # traefik common + - traefik.enable=true - traefik.docker.network=traefik_public - - traefik.port=4180 - volumes: - - /var/data/config/homeassistant/authenticated-emails.txt:/authenticated-emails.txt - command: | - -cookie-secure=false - -upstream=http://grafana-app:3000 - -redirect-url=https://grafana.example.com - -http-address=http://0.0.0.0:4180 - -email-domain=example.com - -provider=github - -authenticated-emails-file=/authenticated-emails.txt + + # traefikv1 + - traefik.frontend.rule=Host:grafana.example.com + - traefik.port=3000 + + # traefikv2 + - "traefik.http.routers.grafana.rule=Host(`grafana.example.com`)" + - "traefik.http.services.grafana.loadbalancer.server.port=3000" + - "traefik.enable=true" + + # Remove if you wish to access the URL directly + - "traefik.http.routers.grafana.middlewares=forward-auth@file" networks: traefik_public: diff --git a/manuscript/recipes/jellyfin.md b/manuscript/recipes/jellyfin.md index 1fdc9be..4519548 100644 --- a/manuscript/recipes/jellyfin.md +++ b/manuscript/recipes/jellyfin.md 
@@ -58,23 +58,27 @@ services: - /srv/data/:/data deploy: labels: - - traefik.frontend.rule=Host:jellyfin.example.com + # traefik common + - traefik.enable=true - traefik.docker.network=traefik_public - - traefik.port=8096 + + # traefikv1 + - traefik.frontend.rule=Host:jellyfin.example.com + - traefik.port=8096 + + # traefikv2 + - "traefik.http.routers.jellyfin.rule=Host(`jellyfin.example.com`)" + - "traefik.http.services.jellyfin.loadbalancer.server.port=8096" + - "traefik.enable=true" + networks: - traefik_public - - internal ports: - 8096:8096 networks: traefik_public: external: true - internal: - driver: overlay - ipam: - config: - - subnet: 172.16.57.0/24 ``` --8<-- "reference-networks.md" diff --git a/manuscript/recipes/kanboard.md b/manuscript/recipes/kanboard.md index b21ce6e..e445d3e 100644 --- a/manuscript/recipes/kanboard.md +++ b/manuscript/recipes/kanboard.md @@ -33,17 +33,6 @@ Create the location for the bind-mount of the application data, so that it's per mkdir -p /var/data/kanboard ``` -### Setup Environment - -If you intend to use an [OAuth proxy](/reference/oauth_proxy/) to further secure public access to your instance, create a ```kanboard.env``` file to hold your environment variables, and populate with your OAuth provider's details (_the cookie secret you can just make up_): - -```bash -# If you decide to protect kanboard with an oauth_proxy, complete these -OAUTH2_PROXY_CLIENT_ID= -OAUTH2_PROXY_CLIENT_SECRET= -OAUTH2_PROXY_COOKIE_SECRET= -``` - ### Setup Docker Swarm Create a docker swarm config file in docker-compose syntax (v3), something like this: 
@@ -59,43 +48,25 @@ services: volumes: - /var/data/kanboard:/var/www/app/ networks: - - internal + - traefik_public deploy: labels: - - traefik.frontend.rule=Host:kanboard.example.com + # traefik common + - traefik.enable=true - traefik.docker.network=traefik_public - - traefik.port=80 - proxy: - image: a5huynh/oauth2_proxy - env_file : /var/data/config/kanboard/kanboard.env - networks: - - internal - - traefik_public - deploy: - labels: - - traefik.frontend.rule=Host:kanboard.example.com - - traefik.docker.network=traefik_public - - traefik.port=4180 - volumes: - - /var/data/config/kanboard/authenticated-emails.txt:/authenticated-emails.txt - command: | - -cookie-secure=false - -upstream=http://app - -redirect-url=https://kanboard.example.com - -http-address=http://0.0.0.0:4180 - -email-domain=example.com - -provider=github - -authenticated-emails-file=/authenticated-emails.txt + # traefikv1 + - traefik.frontend.rule=Host:kanboard.example.com + - traefik.port=80 + + # traefikv2 + - "traefik.http.routers.kanboard.rule=Host(`kanboard.example.com`)" + - "traefik.http.services.kanboard.loadbalancer.server.port=80" + - "traefik.enable=true" networks: traefik_public: external: true - internal: - driver: overlay - ipam: - config: - - subnet: 172.16.8.0/24 ``` ## Serving diff --git a/manuscript/recipes/keycloak.md b/manuscript/recipes/keycloak.md index d1fd0d2..c11ea33 100644 --- a/manuscript/recipes/keycloak.md +++ b/manuscript/recipes/keycloak.md 
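Review bot: The kanboard `app` service loses the oauth2_proxy in this hunk but, unlike the other recipes in this commit, gains no `forward-auth@file` middleware, so an instance published on `traefik_public` now relies solely on Kanboard's own login where the recipe previously offered an external auth layer. If that is intentional the text should say so; otherwise add the same pair used in the sibling recipes, `# Remove if you wish to access the URL directly` followed by `- "traefik.http.routers.kanboard.middlewares=forward-auth@file"`. The deleted "Setup Environment" section was the only place that explained the optional extra auth layer, so a one-sentence replacement pointing at the traefik-forward-auth recipe would keep that option discoverable.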
@@ -76,10 +76,20 @@ services: - internal deploy: labels: - - traefik.frontend.rule=Host:keycloak.batcave.com - - traefik.port=8080 + # traefik common + - traefik.enable=true - traefik.docker.network=traefik_public + # traefikv1 + - traefik.frontend.rule=Host:keycloak.example.com + - traefik.port=8080 + + # traefikv2 + - "traefik.http.routers.keycloak.rule=Host(`keycloak.example.com`)" + - "traefik.http.services.keycloak.loadbalancer.server.port=8080" + - "traefik.enable=true" + + keycloak-db: env_file: /var/data/config/keycloak/keycloak.env image: postgres:10.1 diff --git a/manuscript/recipes/komga.md b/manuscript/recipes/komga.md index b5d4873..50e6cd2 100644 --- a/manuscript/recipes/komga.md +++ b/manuscript/recipes/komga.md @@ -44,13 +44,21 @@ services: deploy: replicas: 1 labels: + # traefik common - traefik.enable=true - - traefik.frontend.rule=Host:komga.example.com - - traefik.port=8080 - - traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181 - - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User - - traefik.frontend.auth.forward.trustForwardHeader=true - traefik.docker.network=traefik_public + + # traefikv1 + - traefik.frontend.rule=Host:komga.example.com + - traefik.port=8080 + + # traefikv2 + - "traefik.http.routers.komga.rule=Host(`komga.example.com`)" + - "traefik.http.services.komga.loadbalancer.server.port=8080" + - "traefik.enable=true" + + # Remove if you wish to access the URL directly + - "traefik.http.routers.komga.middlewares=forward-auth@file" networks: - traefik_public diff --git a/manuscript/recipes/mail.md b/manuscript/recipes/mail.md index c442de9..03d0bf0 100644 --- a/manuscript/recipes/mail.md +++ b/manuscript/recipes/mail.md 
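Review bot: The komga hunk deletes the Traefik v1 forward-auth labels (`traefik.frontend.auth.forward.address`, `traefik.frontend.auth.forward.authResponseHeaders`, `traefik.frontend.auth.forward.trustForwardHeader`) and replaces them only with the v2 `traefik.http.routers.komga.middlewares=forward-auth@file` label, so a deployment that follows the `# traefikv1` block now exposes Komga without the forward-auth check it had before this commit. Since the recipe deliberately keeps a v1 block, the three v1 labels should stay under it (they are ignored by a v2 Traefik), or the block should carry a comment that it is unprotected. Minor style point: `traefik.enable=true` now appears twice in the label list; one copy under `# traefik common` is enough.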
@@ -139,9 +139,18 @@ services: - traefik_public deploy: labels: - - traefik.frontend.rule=Host:rainloop.example.com + # traefik common + - traefik.enable=true - traefik.docker.network=traefik_public - - traefik.port=8888 + + # traefikv1 + - traefik.frontend.rule=Host:rainloop.example.com + - traefik.port=8888 + + # traefikv2 + - "traefik.http.routers.rainloop.rule=Host(`rainloop.example.com`)" + - "traefik.http.services.rainloop.loadbalancer.server.port=8888" + - "traefik.enable=true" volumes: - /var/data/mailserver/rainloop:/rainloop/data diff --git a/manuscript/recipes/miniflux.md b/manuscript/recipes/miniflux.md index 99448c9..70d8c04 100644 --- a/manuscript/recipes/miniflux.md +++ b/manuscript/recipes/miniflux.md @@ -82,10 +82,19 @@ services: - traefik_public deploy: labels: - - traefik.frontend.rule=Host:miniflux.example.com - - traefik.port=8080 + # traefik common + - traefik.enable=true - traefik.docker.network=traefik_public + # traefikv1 + - traefik.frontend.rule=Host:miniflux.example.com + - traefik.port=8080 + + # traefikv2 + - "traefik.http.routers.miniflux.rule=Host(`miniflux.example.com`)" + - "traefik.http.services.miniflux.loadbalancer.server.port=8080" + - "traefik.enable=true" + miniflux-db: env_file: /var/data/config/miniflux/miniflux.env image: postgres:10.1 diff --git a/manuscript/recipes/minio.md b/manuscript/recipes/minio.md index 45336e8..49ec227 100644 --- a/manuscript/recipes/minio.md +++ b/manuscript/recipes/minio.md @@ -45,7 +45,6 @@ MINIO_SERVER_URL=https://minio.example.com !!! note "If minio redirects you to :9001" `MINIO_BROWSER_REDIRECT_URL` is especially important since recent versions of Minio will redirect web browsers to this URL when they hit the API directly. (*If you find yourself redirected to `http://your-minio-url:9001`, then you've not set this value correctly!*) - ### Setup Docker Swarm Create a docker swarm config file in docker-compose syntax (v3), something like this: 
@@ -110,15 +109,15 @@ networks: ### Launch Minio stack -Launch the Minio stack by running ```docker stack deploy minio -c ``` +Launch the Minio stack by running ``docker stack deploy minio -c ` -Log into your new instance at https://minio-console.**YOUR-FQDN**, with the root user and password you specified in `minio.env`. +Log into your new instance at `https://minio-console.**YOUR-FQDN**`, with the root user and password you specified in `minio.env`. -If you created ```/var/data/minio```, you'll see nothing. If you mapped `/data` to existing data, you should see all subdirectories in your existing folder represented as buckets. +If you created `/var/data/minio`, you'll see nothing. If you mapped `/data` to existing data, you should see all subdirectories in your existing folder represented as buckets. Use the Minio console to create a user, or (*ill-advisedly*) continue using the root user/password! -If all you need is single-user access to your data, you're done! 🎉 +If all you need is single-user access to your data, you're done! 🎉 If, however, you want to expose data to multiple users, at different privilege levels, you'll need the minio client to create some users and (_potentially_) policies... @@ -193,7 +192,7 @@ aws_access_key_id=spiderman aws_secret_access_key=peterparker ``` -And then I ran (_in the foreground, for debugging_), ```goofys --f -debug_s3 --debug_fuse --endpoint=https://traefik.example.com ``` +And then I ran (_in the foreground, for debugging_), `goofys --f -debug_s3 --debug_fuse --endpoint=https://traefik.example.com ` To permanently mount an S3 bucket using goofys, I'd add something like this to /etc/fstab: diff --git a/manuscript/recipes/munin.md b/manuscript/recipes/munin.md index 04154f7..23830c8 100644 --- a/manuscript/recipes/munin.md +++ b/manuscript/recipes/munin.md 
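Review bot: The rewritten launch line has unbalanced backticks — two opening and one closing around `docker stack deploy minio -c` — so the command will no longer render as code, whereas the original triple-backtick form was well-formed. Use a single backtick on each side, matching the other commands rewritten in this hunk (the `goofys` line and the `/var/data/minio` span are correct).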
@@ -45,13 +45,9 @@ mkdir -p {log,lib,run,cache} ### Prepare environment -Create /var/data/config/munin/munin.env, and populate with the following variables. Use the OAUTH2 variables if you plan to use an [oauth2_proxy](/reference/oauth_proxy/) to protect munin, and set at a **minimum** the `MUNIN_USER`, `MUNIN_PASSWORD`, and `NODES` values: +Create /var/data/config/munin/munin.env, and populate with the following variables. Set at a **minimum** the `MUNIN_USER`, `MUNIN_PASSWORD`, and `NODES` values: ```bash -# Use these if you plan to protect the webUI with an oauth_proxy -OAUTH2_PROXY_CLIENT_ID= -OAUTH2_PROXY_CLIENT_SECRET= -OAUTH2_PROXY_COOKIE_SECRET= MUNIN_USER=odin MUNIN_PASSWORD=lokiisadopted 
@@ -83,40 +79,33 @@ services: image: funkypenguin/munin-server env_file: /var/data/config/munin/munin.env networks: - - internal + - traefik_public volumes: - /var/data/munin/log:/var/log/munin - /var/data/munin/lib:/var/lib/munin - /var/data/munin/run:/var/run/munin - /var/data/munin/cache:/var/cache/munin - - proxy: - image: funkypenguin/oauth2_proxy - env_file: /var/data/config/munin/munin.env - networks: - - traefik_public - - internal deploy: labels: + # traefik common + - traefik.enable=true + - traefik.docker.network=traefik_public + + # traefikv1 - traefik.frontend.rule=Host:munin.example.com - - traefik.docker.network=traefik - - traefik.port=4180 - command: | - -cookie-secure=false - -upstream=http://munin:8080 - -redirect-url=https://munin.example.com - -http-address=http://0.0.0.0:4180 - -email-domain=example.com - -provider=github + - traefik.port=8080 + + # traefikv2 + - "traefik.http.routers.munin.rule=Host(`munin.example.com`)" + - "traefik.http.services.munin.loadbalancer.server.port=8080" + - "traefik.enable=true" + + # Remove if you wish to access the URL directly + - "traefik.http.routers.wekan.middlewares=forward-auth@file" networks: traefik_public: external: true - internal: - driver: overlay - ipam: - config: - - subnet: 172.16.24.0/24 ``` --8<-- "reference-networks.md" @@ -129,6 +118,6 @@ Launch the Munin stack by running `docker stack deploy munin -c ### Setup Docker Swarm -Create a docker swarm config file in docker-compose syntax (v3) in `/var/data/restic/restic.yml` , something like this: +Create a docker swarm config file in docker-compose syntax (v3) in `/var/data/config/restic/restic.yml` , something like this: --8<-- "premix-cta.md" diff --git a/manuscript/recipes/swarmprom.md b/manuscript/recipes/swarmprom.md index 1422b14..aca80f6 100644 --- a/manuscript/recipes/swarmprom.md +++ b/manuscript/recipes/swarmprom.md 
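Review bot: The middleware label in the munin service names a router from another recipe — `traefik.http.routers.wekan.middlewares=forward-auth@file` — so the `munin` router defined just above it receives no forward-auth under Traefik v2 and the "Remove if you wish to access the URL directly" comment is misleading. It should be `traefik.http.routers.munin.middlewares=forward-auth@file`. Until that is fixed the only thing in front of the web UI is the `MUNIN_USER`/`MUNIN_PASSWORD` pair from munin.env, whose example values (`odin`/`lokiisadopted`) appear in the preceding hunk, so a reminder to change them is warranted now that they are the first line of defence.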
@@ -73,7 +73,7 @@ Grafana will make all the data we collect from our swarm beautiful. Create /var/data/swarmprom/grafana.env, and populate with the following variables -```bash +```yaml OAUTH2_PROXY_CLIENT_ID= OAUTH2_PROXY_CLIENT_SECRET= OAUTH2_PROXY_COOKIE_SECRET= diff --git a/manuscript/recipes/tiny-tiny-rss.md b/manuscript/recipes/tiny-tiny-rss.md index 19e995f..80e22a5 100644 --- a/manuscript/recipes/tiny-tiny-rss.md +++ b/manuscript/recipes/tiny-tiny-rss.md @@ -30,9 +30,9 @@ cd /var/data/config/ttrss ### Prepare environment -Create ttrss.env, and populate with the following variables, customizing at least the database password (POSTGRES_PASSWORD **and** DB_PASS) and the TTRSS_SELF_URL to point to your installation. +Create `/var/data/config/ttrs/ttrss.env`, and populate with the following variables, customizing at least the database password (POSTGRES_PASSWORD **and** DB_PASS) and the TTRSS_SELF_URL to point to your installation. -```bash +```yaml # Variables for postgres:latest POSTGRES_USER=ttrss POSTGRES_PASSWORD=mypassword @@ -79,12 +79,21 @@ services: env_file: /var/data/config/ttrss/ttrss.env deploy: labels: - - traefik.frontend.rule=Host:ttrss.funkypenguin.co.nz - - traefik.docker.network=traefik - - traefik.port=8080 + # traefik common + - traefik.enable=true + - traefik.docker.network=traefik_public + + # traefikv1 + - traefik.frontend.rule=Host:ttrss.example.com + - traefik.port=8080 + + # traefikv2 + - "traefik.http.routers.ttrss.rule=Host(`ttrss.example.com`)" + - "traefik.http.services.ttrss.loadbalancer.server.port=8080" + - "traefik.enable=true" networks: - internal - - traefik + - traefik_public db-backup: image: postgres:latest @@ -106,7 +115,7 @@ services: - internal networks: - traefik: + traefik_public: external: true internal: driver: overlay diff --git a/manuscript/recipes/wallabag.md b/manuscript/recipes/wallabag.md index 4120aba..14bbe2e 100644 --- a/manuscript/recipes/wallabag.md +++ b/manuscript/recipes/wallabag.md 
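Review bot: The grafana.env block in this hunk still lists `OAUTH2_PROXY_CLIENT_ID`, `OAUTH2_PROXY_CLIENT_SECRET` and `OAUTH2_PROXY_COOKIE_SECRET`, which the commit title says it is removing; only the fence language changed here. Either delete the three lines, as the wallabag, munin and elkarbackup hunks do, or add a comment explaining what still consumes them. The fence was changed from `bash` to `yaml`, but the content is a KEY=VALUE dotenv file rather than YAML, so `bash` (or `ini`) is the more accurate highlight hint.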
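Review bot: The new path `/var/data/config/ttrs/ttrss.env` drops an `s` from the directory name: the hunk's own context shows `cd /var/data/config/ttrss`, and the compose hunk further down reads `env_file: /var/data/config/ttrss/ttrss.env`, so a reader following this instruction creates the file where the stack will not find it and the deploy fails on a missing env file. Change it to `/var/data/config/ttrss/ttrss.env`. As with the other env hunks in this commit, the fence should stay `bash` rather than `yaml`, since the block holds dotenv KEY=VALUE pairs.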
@@ -30,9 +30,9 @@ mkdir -p {images,db-dump} ### Prepare environment -Create wallabag.env, and populate with the following variables. The only variable you **have** to change is SYMFONY__ENV__DOMAIN_NAME - this **must** be the URL that your Wallabag instance will be available at (_else you'll have no CSS_) +Create `/var/data/config/wallabag/wallabag.env`, and populate with the following variables. The only variable you **have** to change is SYMFONY__ENV__DOMAIN_NAME - this **must** be the URL that your Wallabag instance will be available at (_else you'll have no CSS_) -```bash +```yaml # For the DB container POSTGRES_PASSWORD=wallabag POSTGRES_USER=wallabag @@ -51,17 +51,11 @@ SYMFONY__ENV__MAILER_USER=~ SYMFONY__ENV__MAILER_PASSWORD=~ SYMFONY__ENV__FROM_EMAIL=wallabag@example.com SYMFONY__ENV__FOSUSER_REGISTRATION=false - - -# If you decide to protect wallabag with an oauth_proxy, complete these -OAUTH2_PROXY_CLIENT_ID= -OAUTH2_PROXY_CLIENT_SECRET= -OAUTH2_PROXY_COOKIE_SECRET= ``` -Now create wallabag-backup.env in the same folder, with the following contents. (_This is necessary to prevent environment variables required for backup from breaking the DB container_) +Now create wallabag-`/var/data/config/wallabag/backup.env` with the following contents. (_This is necessary to prevent environment variables required for backup from breaking the DB container_) -```bash +```yaml # For database backups PGUSER=wallabag PGPASSWORD=wallabag @@ -79,7 +73,6 @@ Create a docker swarm config file in docker-compose syntax (v3), something like ```yaml version: '3' services: - wallabag: image: wallabag/wallabag env_file: /var/data/config/wallabag/wallabag.env 
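Review bot: The rewritten instruction in the second hunk reads "Now create wallabag-" followed by the code span `/var/data/config/wallabag/backup.env`, which splits the filename across the span and leaves it unclear whether the file is `backup.env` or `wallabag-backup.env`; the original text named `wallabag-backup.env` in the config folder, so presumably `/var/data/config/wallabag/wallabag-backup.env` is meant — confirm against the `env_file` of the db-backup service, which lies outside this hunk. Suggested wording: `Now create `/var/data/config/wallabag/wallabag-backup.env` with the following contents.` The fence change from `bash` to `yaml` is also questionable, since the block is a dotenv file.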
@@ -87,28 +80,23 @@ services:
 - internal
 volumes:
 - /var/data/wallabag/images:/var/www/wallabag/web/assets/images
+ deploy:
+ labels:
+ # traefik common
+ - traefik.enable=true
+ - traefik.docker.network=traefik_public
- wallabag_proxy:
- image: a5huynh/oauth2_proxy
- env_file: /var/data/config/wallabag/wallabag.env
- networks:
- - internal
- - traefik_public
- deploy:
- labels:
- - traefik.frontend.rule=Host:wallabag.example.com
- - traefik.docker.network=traefik_public
- - traefik.port=4180
- volumes:
- - /var/data/config/wallabag/authenticated-emails.txt:/authenticated-emails.txt
- command: |
- -cookie-secure=false
- -upstream=http://wallabag:80
- -redirect-url=https://wallabag.example.com
- -http-address=http://0.0.0.0:4180
- -email-domain=example.com
- -provider=github
- -authenticated-emails-file=/authenticated-emails.txt
+ # traefikv1
+ - traefik.frontend.rule=Host:wallabag.example.com
+ - traefik.port=80
+
+ # traefikv2
+ - "traefik.http.routers.wallabag.rule=Host(`wallabag.example.com`)"
+ - "traefik.http.services.wallabag.loadbalancer.server.port=80"
+ - "traefik.enable=true"
+
+ # Remove if you wish to access the URL directly
+ - "traefik.http.routers.wallabag.middlewares=forward-auth@file"
 db:
 image: postgres
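Review bot: The wallabag service gains `traefik.docker.network=traefik_public` labels but is never joined to that network: the `- internal` line the hunk opens with appears to be its only `networks:` entry (the key itself sits just above the hunk), and the `traefik_public` membership that the removed wallabag_proxy block carried is not moved across, so Traefik would have no path to the container. The wekan hunk below adds `+      - traefik_public` under the service's `networks:`; the same one-line addition is needed here. Separately, the `forward-auth@file` middleware exists only in the `# traefikv2` group — the `# traefikv1` labels here, in the wekan hunk and in the wetty hunk have no `traefik.frontend.auth.forward.address` counterpart, so a v1 deployment following those lines would publish the UI with no forward-auth at all; either add the v1 label or state in a comment that the v1 group is unauthenticated.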
@@ -188,7 +176,8 @@ Even with all these elements in place, you still need to enable Redis under Inte
 ![Wallabag Imports](../images/wallabag_imports.png)
-[^1]: If you wanted to expose the Wallabag UI directly (_required for the iOS/Android apps_), you could remove the oauth2_proxy from the design, and move the traefik-related labels directly to the wallabag container. You'd also need to add the traefik_public network to the wallabag container. I found the iOS app to be unreliable and clunky, so elected to leave my oauth_proxy enabled, and to simply use the webUI on my mobile devices instead. YMMMV.
+[^1]: If you wanted to expose the Wekan UI directly, you could remove the traefik-forward-auth from the design. I found the iOS app to be unreliable and clunky, so elected to leave my traefik-forward-auth enabled, and to simply use the webUI on my mobile devices instead. YMMMV.
+
 [^2]: I've not tested the email integration, but you'd need an SMTP server listening on port 25 (_since we can't change the port_) to use it
 --8<-- "recipe-footer.md"
diff --git a/manuscript/recipes/wekan.md b/manuscript/recipes/wekan.md
index 06cd314..8df6525 100644
--- a/manuscript/recipes/wekan.md
+++ b/manuscript/recipes/wekan.md
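Review bot: The new `[^1]` footnote in wallabag.md says "expose the Wekan UI directly" — a copy of the wekan footnote — and should say "the Wallabag UI". The removed text also explained why someone would expose it (the iOS/Android apps need direct access) and what "removing" it now means in this design, which is the context the following sentence about the iOS app depends on; suggest `If you wanted to expose the Wallabag UI directly (_required for the iOS/Android apps_), you could remove the forward-auth middleware label from the wallabag service.`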
@@ -10,10 +10,10 @@ Wekan is an open-source kanban board which allows a card-based task and to-do ma
 Wekan allows to create Boards, on which Cards can be moved around between a number of Columns. Boards can have many members, allowing for easy collaboration, just add everyone that should be able to work with you on the board to it, and you are good to go! You can assign colored Labels to cards to facilitate grouping and filtering, additionally you can add members to a card, for example to assign a task to someone.
-There's a [video](https://www.youtube.com/watch?v=N3iMLwCNOro) of the developer showing off the app, as well as a f[unctional demo](https://wekan.indie.host/b/t2YaGmyXgNkppcFBq/wekan-fork-roadmap).
+There's a [video](https://www.youtube.com/watch?v=N3iMLwCNOro) of the developer showing off the app, as well as a [functional demo](https://wekan.indie.host/b/t2YaGmyXgNkppcFBq/wekan-fork-roadmap).
 !!! note
- For added privacy, this design secures wekan behind an [oauth2 proxy](/reference/oauth_proxy/), so that in order to gain access to the wekan UI at all, oauth2 authentication (_to GitHub, GitLab, Google, etc_) must have already occurred.
+ For added privacy, this design secures wekan behind a [traefik-forward-auth](/ha-docker-swarm/traefik-forward-auth/), so that in order to gain access to the wekan UI at all, authentication must have already occurred.
 --8<-- "recipe-standard-ingredients.md"
@@ -31,15 +31,9 @@ mkdir -p {wekan-db,wekan-db-dump}
 ### Prepare environment
-You'll need to know the following:
+Create `/var/data/config/wekan.env`, and populate with the following variables:
-1. Choose an oauth provider, and obtain a client ID and secret
-2. Create wekan.env, and populate with the following variables
-
-```bash
-OAUTH2_PROXY_CLIENT_ID=
-OAUTH2_PROXY_CLIENT_SECRET=
-OAUTH2_PROXY_COOKIE_SECRET=
+```yaml
 MONGO_URL=mongodb://wekandb:27017/wekan
 ROOT_URL=https://wekan.example.com
 MAIL_URL=smtp://wekan@wekan.example.com:password@mail.example.com:587/
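Review bot: The path `/var/data/config/wekan.env` in the new "Prepare environment" line does not match the compose file, which reads `env_file: /var/data/config/wekan/wekan.env` in the hunk below; a reader following this line writes the file one directory too high and the deploy will not find it. Change it to `/var/data/config/wekan/wekan.env`. The preparation step shown in the hunk header (`mkdir -p {wekan-db,wekan-db-dump}`) does not appear to create `/var/data/config/wekan` either, so unless it is created elsewhere in the recipe a `mkdir -p /var/data/config/wekan` belongs with this step.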
@@ -60,7 +54,6 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
 version: '3'
 services:
-
 wekandb:
 image: mongo:latest
 command: mongod --smallfiles --oplogSize 128
@@ -70,33 +63,29 @@ services:
 - /var/data/runtime/wekan/database:/data/db
 - /var/data/wekan/database-dump:/dump
- proxy:
- image: a5huynh/oauth2_proxy
- env_file: /var/data/config/wekan/wekan.env
- networks:
- - traefik
- - internal
- volumes:
- - /var/data/oauth_proxy/authenticated-emails.txt:/authenticated-emails.txt
- deploy:
- labels:
- - traefik.frontend.rule=Host:wekan.example.com
- - traefik.docker.network=traefik
- - traefik.port=4180
- command: |
- -cookie-secure=false
- -upstream=http://wekan:80
- -redirect-url=https://wekan.example.com
- -http-address=http://0.0.0.0:4180
- -email-domain=example.com
- -provider=github
- -authenticated-emails-file=/authenticated-emails.txt
-
 wekan:
 image: wekanteam/wekan:latest
 networks:
 - internal
+ - traefik_public
 env_file: /var/data/config/wekan/wekan.env
+ deploy:
+ labels:
+ # traefik common
+ - traefik.enable=true
+ - traefik.docker.network=traefik_public
+
+ # traefikv1
+ - traefik.frontend.rule=Host:wekan.example.com
+ - traefik.port=4180
+
+ # traefikv2
+ - "traefik.http.routers.wekan.rule=Host(`wekan.example.com`)"
+ - "traefik.http.services.wekan.loadbalancer.server.port=4180"
+ - "traefik.enable=true"
+
+ # Remove if you wish to access the URL directly
+ - "traefik.http.routers.wekan.middlewares=forward-auth@file"
 db-backup:
 image: mongo:latest
@@ -118,7 +107,7 @@ services:
 - internal
 networks:
- traefik:
+ traefik_public:
 external: true
 internal:
 driver: overlay
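Review bot: The new labels point Traefik at port 4180 (`traefik.port=4180` and `loadbalancer.server.port=4180`), but 4180 was the listen port of the oauth2_proxy service this hunk removes (`-http-address=http://0.0.0.0:4180`); the wekan container itself answers on 80, as the removed `-upstream=http://wekan:80` line shows. Both labels should read 80, as the wallabag hunk above already does: `- traefik.port=80` and `- "traefik.http.services.wekan.loadbalancer.server.port=80"`. As written, nothing inside the wekan task listens on 4180, so every request through Traefik would be expected to fail with a gateway error.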
@@ -135,8 +124,8 @@ networks:
 Launch the Wekan stack by running ```docker stack deploy wekan -c ```
-Log into your new instance at https://**YOUR-FQDN**, with user "root" and the password you specified in gitlab.env.
+Log into your new instance at `https://**YOUR-FQDN**`, with user "root" and the password you specified in `wekan.env`.
-[^1]: If you wanted to expose the Wekan UI directly, you could remove the oauth2_proxy from the design, and move the traefik-related labels directly to the wekan container. You'd also need to add the traefik network to the wekan container.
+[^1]: If you wanted to expose the Wekan UI directly, you could remove the traefik-forward-auth from the design.
 --8<-- "recipe-footer.md"
diff --git a/manuscript/recipes/wetty.md b/manuscript/recipes/wetty.md
index e533425..cf3ed12 100644
--- a/manuscript/recipes/wetty.md
+++ b/manuscript/recipes/wetty.md
@@ -10,30 +10,37 @@ description: Terminal in a browser, baby!
 ## Why would you need SSH in a browser window?
-Need shell access to a node with no external access? Deploy Wetty behind an [oauth_proxy](/reference/oauth_proxy/) with a SSL-terminating reverse proxy ([traefik](/ha-docker-swarm/traefik/)), and suddenly you have the means to SSH to your private host from any web browser (_protected by your [oauth_proxy](/reference/oauth_proxy/) of course, and your OAuth provider's 2FA_)
+Need shell access to a node with no external access? Deploy Wetty behind an [traefik-forward-auth](/ha-docker-swarm/traefik-forward-auth/) with a SSL-terminating reverse proxy ([traefik](/ha-docker-swarm/traefik/)), and suddenly you have the means to SSH to your private host from any web browser (_protected by your [traefik-forward-auth](/ha-docker-swarm/traefik-forward-auth/) of course._)
 Here are some other possible use cases:
 1. Access to SSH / CLI from an environment where outgoing SSH is locked down, or SSH client isn't / can't be installed. (_i.e., a corporate network_)
 2. Access to long-running processes inside a tmux session (_like [irrsi](https://irssi.org/)_)
-3. Remote access to a VM / [container running Kali linux](https://github.com/offensive-security/kali-linux-docker), for penetration testing
+3. Remote access to a VM / [container running Kali linux](https://gitlab.com/kalilinux/build-scripts/kali-docker), for penetration testing
 --8<-- "recipe-standard-ingredients.md"
 ## Preparation
-### Prepare environment
+### Setup data locations
-Create wetty.env, and populate with the following variables per the [oauth_proxy](/reference/oauth_proxy/) instructions:
+First we create a directory to hold the data which wetty will serve:
 ```bash
-OAUTH2_PROXY_CLIENT_ID=
-OAUTH2_PROXY_CLIENT_SECRET=
-OAUTH2_PROXY_COOKIE_SECRET=
+mkdir /var/data/config/wetty
+cd /var/data/config/wetty
+```
+
+### Prepare environment
+
+Create `/var/data/config/wetty.env`, and populate with the following variables
+
+```yaml
 # To use WeTTY to SSH to a host besides the (mostly useless) alpine container it comes with
 SSHHOST=batcomputer.batcave.com
 SSHUSER=batman
+
 ```
 ### Setup Docker Swarm
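Review bot: `/var/data/config/wetty.env` in the new "Prepare environment" paragraph disagrees with the directory the new `mkdir /var/data/config/wetty` step creates and with `env_file : /var/data/config/wetty/wetty.env` in the next hunk; it should be `/var/data/config/wetty/wetty.env`, and `mkdir -p` would keep the step idempotent like the other recipes' preparation steps. Two wording points in the same hunk: "a directory to hold the data which wetty will serve" describes a configuration directory that wetty serves nothing from, so `First we create a directory to hold wetty's configuration:` is more accurate, and "behind an [traefik-forward-auth]" needs "a". The blank line added just before the closing fence of the env block is stray.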
@@ -48,29 +55,24 @@ services:
 wetty:
 image: krishnasrinivas/wetty
 env_file : /var/data/config/wetty/wetty.env
- networks:
- - internal
- proxy:
- image: funkypenguin/oauth2_proxy:latest
- env_file: /var/data/config/wetty/wetty.env
+ deploy:
+ labels:
+ # traefik common
+ - traefik.enable=true
+ - traefik.docker.network=traefik_public
+
+ # traefikv1
+ - traefik.frontend.rule=Host:wetty.example.com
+ - traefik.port=3000
+
+ # traefikv2
+ - "traefik.http.routers.wetty.rule=Host(`wetty.example.com`)"
+ - "traefik.http.services.wetty.loadbalancer.server.port=3000"
+ - "traefik.enable=true"
+ - "traefik.http.routers.wetty.middlewares=forward-auth@file"
 networks:
 - internal
 - traefik_public
- deploy:
- labels:
- - traefik.frontend.rule=Host:wetty.funkypenguin.co.nz
- - traefik.docker.network=traefik_public
- - traefik.port=4180
- volumes:
- - /etc/localtime:/etc/localtime:ro
- - /var/data/config/wetty/authenticated-emails.txt:/authenticated-emails.txt
- command: |
- -cookie-secure=false
- -upstream=http://wetty:3000
- -redirect-url=https://wetty.funkypenguin.co.nz
- -http-address=http://0.0.0.0:4180
- -provider=github
- -authenticated-emails-file=/authenticated-emails.txt
 networks:
 traefik_public:
@@ -93,6 +95,7 @@ Launch the Wetty stack by running ```docker stack deploy wetty -c
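Review bot: The `forward-auth@file` middleware label closing the `# traefikv2` group has no comment, while the sibling recipes in this commit annotate the same label with `# Remove if you wish to access the URL directly`; for wetty that advice would be wrong, because once the proxy service is removed this single label is the only authentication between the internet and a browser shell on the host named in `SSHHOST`. Put the intent in the file instead, e.g. `# forward-auth is the only access control in front of this shell - keep it`. The removed proxy's `/etc/localtime:/etc/localtime:ro` mount is dropped with it, which looks intentional since the wetty service never had one, but worth a glance given the hunk's opening `wetty:` block starts before the labels it now owns.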