From 5d7a350afeb0ffea38a6648b1fab7a5c7d689241 Mon Sep 17 00:00:00 2001 From: furyhawk Date: Fri, 31 May 2024 17:39:45 +0800 Subject: [PATCH] Refactor traefik.yml to add TLS challenge for ACME certificates --- LibreChat | 1 + compose/traefik/traefik.yml | 1 + emqx-docker | 1 + {compose => swarm}/deploy-cloudy.yml | 0 swarm/portainer.yml | 50 +++++++++++++++ swarm/traefik.yml | 96 ++++++++++++++++++++++++++++ 6 files changed, 149 insertions(+) create mode 160000 LibreChat create mode 160000 emqx-docker rename {compose => swarm}/deploy-cloudy.yml (100%) create mode 100644 swarm/portainer.yml create mode 100644 swarm/traefik.yml diff --git a/LibreChat b/LibreChat new file mode 160000 index 0000000..026961f --- /dev/null +++ b/LibreChat @@ -0,0 +1 @@ +Subproject commit 026961f7191ff85eb8a3197bb20deba2b58b490a diff --git a/compose/traefik/traefik.yml b/compose/traefik/traefik.yml index 4cf4c06..370e829 100644 --- a/compose/traefik/traefik.yml +++ b/compose/traefik/traefik.yml @@ -46,6 +46,7 @@ certificatesResolvers: email: "furyx@hotmail.com" storage: /etc/traefik/acme/acme.json # https://docs.traefik.io/master/https/acme/#httpchallenge + tlsChallenge: {} httpChallenge: entryPoint: web diff --git a/emqx-docker b/emqx-docker new file mode 160000 index 0000000..554e4b1 --- /dev/null +++ b/emqx-docker @@ -0,0 +1 @@ +Subproject commit 554e4b18725da24a974f37d810675126f30c1e1d diff --git a/compose/deploy-cloudy.yml b/swarm/deploy-cloudy.yml similarity index 100% rename from compose/deploy-cloudy.yml rename to swarm/deploy-cloudy.yml diff --git a/swarm/portainer.yml b/swarm/portainer.yml new file mode 100644 index 0000000..335b913 --- /dev/null +++ b/swarm/portainer.yml 
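Review bot: The `le` resolver now carries both `tlsChallenge: {}` and the existing `httpChallenge`, and the comment directly above the new line still points at the httpchallenge docs, so the comment documents the other challenge. Traefik presents the challenge types as alternatives; which one a resolver with two configured actually uses (or whether one is silently ignored) depends on the Traefik version, so keep only the intended one and move the comment with it, e.g. `# https://docs.traefik.io/master/https/acme/#tlschallenge` above `tlsChallenge: {}`, dropping the `httpChallenge` stanza. The TLS challenge needs port 443 of this instance reachable from the CA; the HTTP challenge needs port 80, so the choice should match what the `compose/traefik` stack publishes. The enclosing `certificatesResolvers` block starts outside the hunk.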
@@ -0,0 +1,50 @@ +services: + agent: + image: portainer/agent + environment: + AGENT_CLUSTER_ADDR: tasks.agent + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - /var/lib/docker/volumes:/var/lib/docker/volumes + networks: + - agent-network + deploy: + mode: global + placement: + constraints: + - node.platform.os == linux + + portainer: + image: portainer/portainer-ce + command: -H tcp://tasks.agent:9001 --tlsskipverify + volumes: + - portainer-data:/data + networks: + - agent-network + - traefik-public + deploy: + placement: + constraints: + - node.role == manager + - node.labels.portainer.portainer-data == true + labels: + - traefik.enable=true + - traefik.docker.network=traefik-public + - traefik.constraint-label=traefik-public + - traefik.http.routers.portainer-http.rule=Host(`port.${DOMAIN?Variable not set}`) + - traefik.http.routers.portainer-http.entrypoints=http + - traefik.http.routers.portainer-http.middlewares=https-redirect + - traefik.http.routers.portainer-https.rule=Host(`port.${DOMAIN?Variable not set}`) + - traefik.http.routers.portainer-https.entrypoints=https + - traefik.http.routers.portainer-https.tls=true + - traefik.http.routers.portainer-https.tls.certresolver=le + - traefik.http.services.portainer.loadbalancer.server.port=9000 + +networks: + agent-network: + attachable: true + traefik-public: + external: true + +volumes: + portainer-data: diff --git a/swarm/traefik.yml b/swarm/traefik.yml new file mode 100644 index 0000000..180a87b --- /dev/null +++ b/swarm/traefik.yml 
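Review bot: The `portainer-http` router references a middleware named `https-redirect` that nothing in this commit defines, while the sibling `swarm/traefik.yml` already redirects at the entrypoint level (`--entrypoints.http.http.redirections.entrypoint.to=https`); unless that middleware comes from another stack, Traefik will likely refuse to build the router because the middleware does not exist. Remove the three `traefik.http.routers.portainer-http.*` labels and keep only the `portainer-https` router. Both images are unpinned (`portainer/agent` and `portainer/portainer-ce` resolve to `latest`), which makes the stack non-reproducible and lets an upstream push change what runs on every manager; pin a version tag or digest. `--tlsskipverify` on the portainer command disables certificate verification toward the agent, as in the Portainer reference stack, which leaves the `agent-network` overlay (declared `attachable: true`, so any container on a node can join it) as the only protection for that link, so record that in a comment next to the flag.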
@@ -0,0 +1,96 @@ +services: + + traefik: + # Use the latest v3.0.x Traefik image available + image: traefik:latest + ports: + - target: 80 + published: 80 + mode: host + - target: 443 + published: 443 + mode: host + deploy: + placement: + constraints: + # Make the traefik service run only on the node with this label + # as the node with it has the volume for the certificates + - node.labels.traefik-public.traefik-public-certificates == true + labels: + # Enable Traefik for this service, to make it available in the public network + - traefik.enable=true + # Use the traefik-public network (declared below) + - traefik.docker.network=traefik-public + # Use the custom label "traefik.constraint-label=traefik-public" + # This public Traefik will only use services with this label + # That way you can add other internal Traefik instances per stack if needed + - traefik.constraint-label=traefik-public + # admin-auth middleware with HTTP Basic auth + # Using the environment variables USERNAME and HASHED_PASSWORD + - traefik.http.middlewares.admin-auth.basicauth.users=${USERNAME?Variable not set}:${HASHED_PASSWORD?Variable not set} + # traefik-https the actual router using HTTPS + - traefik.http.routers.traefik-public-https.rule=Host(`dashboard.${DOMAIN?Variable not set}`) + - traefik.http.routers.traefik-public-https.entrypoints=https + - traefik.http.routers.traefik-public-https.tls=true + # Use the special Traefik service api@internal with the web UI/Dashboard + - traefik.http.routers.traefik-public-https.service=api@internal + # Use the "le" (Let's Encrypt) resolver created below + - traefik.http.routers.traefik-public-https.tls.certresolver=le + # Enable HTTP Basic auth, using the middleware created above + - traefik.http.routers.traefik-public-https.middlewares=admin-auth + # Define the port inside of the Docker service to use + - traefik.http.services.traefik-public.loadbalancer.server.port=8080 + volumes: + # Add Docker as a mounted volume, so that Traefik can read the 
labels of other services + - /var/run/docker.sock:/var/run/docker.sock:ro + # Mount the volume to store the certificates + - traefik-public-certificates:/certificates + command: + # Enable Docker in Traefik, so that it reads labels from Docker services + - --providers.docker + # Add a constraint to only use services with the label "traefik.constraint-label=traefik-public" + - --providers.docker.constraints=Label(`traefik.constraint-label`, `traefik-public`) + # Do not expose all Docker services, only the ones explicitly exposed + - --providers.docker.exposedbydefault=false + # Enable Docker Swarm mode + - --providers.swarm.endpoint=unix:///var/run/docker.sock + # Create an entrypoint "http" listening on port 80 + - --entrypoints.http.address=:80 + # Create an entrypoint "https" listening on port 443 + - --entrypoints.https.address=:443 + # Redirect HTTP to HTTPS + - --entrypoints.http.http.redirections.entrypoint.to=https + - --entrypoints.http.http.redirections.entrypoint.scheme=https + - --entrypoints.http.http.redirections.entrypoint.permanent=true + # Create an entrypoint "postgres-socket" listening on port 5432 + - --entrypoints.postgres-socket.address=:5432 + # Create the certificate resolver "le" for Let's Encrypt, uses the environment variable EMAIL + - --certificatesresolvers.le.acme.email=${EMAIL?Variable not set} + # Store the Let's Encrypt certificates in the mounted volume + - --certificatesresolvers.le.acme.storage=/certificates/acme.json + # Use the TLS Challenge for Let's Encrypt + - --certificatesresolvers.le.acme.tlschallenge=true + # Enable the access log, with HTTP requests + - --accesslog=true + # Enable the Traefik log, for configurations and errors + - --log=true + - --log.level=INFO + # Enable the Dashboard and API + - --api=true + - --dashboard=true + networks: + # Use the public network created to be shared between Traefik and + # any other service that needs to be publicly available with HTTPS + - traefik-public + +volumes: + # Create a 
volume to store the certificates, there is a constraint to make sure + # Traefik is always deployed to the same Docker node with the same volume containing + # the HTTPS certificates + traefik-public-certificates: + +networks: + # Use the previously created public network "traefik-public", shared with other + # services that need to be publicly available via this Traefik + traefik-public: + external: true
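Review bot: With a v3 image (the comment targets v3.0.x and `traefik:latest` resolves to it), `--providers.docker` and `--providers.swarm.endpoint` configure two separate providers, and `--providers.docker.exposedbydefault=false` plus the `--providers.docker.constraints=...` label filter apply only to the Docker provider; the Swarm provider keeps its default of exposing every swarm service it can see, which defeats the `traefik.constraint-label` scheme the labels rely on. Set `exposedbydefault`, `constraints` and `network` on the swarm provider, and drop the docker provider lines if only swarm services are routed through this instance. `image: traefik:latest` also contradicts its own comment, since `latest` will float past v3.0.x; pin `traefik:v3.0` or a digest. Separately, `--entrypoints.postgres-socket.address=:5432` creates an entrypoint that no `ports:` entry publishes and no router in this file uses, so it is reachable only on the overlay network; presumably intended for another stack, but worth a comment saying so.
```yaml
    # Use the latest v3.0.x Traefik image available
    image: traefik:v3.0
    # … unchanged: ports, deploy, volumes …
    command:
      # Enable the Swarm provider; exposedByDefault, constraints and network must be
      # set here, the docker provider's settings do not carry over to it
      - --providers.swarm.endpoint=unix:///var/run/docker.sock
      - --providers.swarm.exposedbydefault=false
      - --providers.swarm.constraints=Label(`traefik.constraint-label`, `traefik-public`)
      - --providers.swarm.network=traefik-public
      # … unchanged: entrypoints, certificate resolver, logging, api …
```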