{% set deploy_traefik_fa = with_fa|default(false) %}
---
# Compose stack for the Traefik edge proxy, optionally fronted by an
# oauth2-proxy (traefik-fa) that authenticates against a Keycloak OIDC realm.
# Rendered by Ansible: set `with_fa` to true to include the auth services.

# Ignored by Compose v2 (emits a warning); kept for older compose-file tooling.
version: '3.9'

services:
  traefik:
    image: traefik:v2.10
    container_name: traefik
    ulimits:
      nofile:
        soft: 4000
        hard: 15000
    restart: always
    network_mode: host
    # NOTE(review): privileged grants every capability and device on the host.
    # Combined with host networking and the docker socket below, a compromise
    # of this container is a compromise of the host. Confirm it is actually
    # needed (Traefik's docker provider works without it) and drop it if not.
    privileged: true
    volumes:
      # Read-write access to the Docker API is root-equivalent on the host; a
      # ':ro' bind does not restrict API calls. A socket proxy that exposes only
      # the read-only endpoints Traefik needs would limit the blast radius.
      - '/var/run/docker.sock:/var/run/docker.sock:z'
      - './traefik.yaml:/etc/traefik/traefik.yaml:Z,ro'
      - './dynamic.yaml:/etc/traefik/dynamic.yaml:Z,ro'
      - 'acme:/acme'
    labels:
      - 'prometheus-scrape.enabled=true'
      - 'prometheus-scrape.port=9091'
      - 'prometheus-scrape.hostname=host.docker.internal'

{% if deploy_traefik_fa %}
  traefik-fa:
    # NOTE(review): ':latest' on the authentication gateway means every pull
    # can silently change behaviour; pin a specific release (e.g.
    # quay.io/oauth2-proxy/oauth2-proxy:<PINNED_VERSION>) so upgrades are
    # deliberate and reviewable.
    image: quay.io/oauth2-proxy/oauth2-proxy:latest
    restart: unless-stopped
    networks:
      - default  # needs network access to reach Keycloak
      - metrics
    depends_on:
      - traefik
    labels:
      traefik.enable: 'true'
      traefik.docker.network: '${COMPOSE_PROJECT_NAME}_default'
      traefik.http.routers.oauth.entrypoints: websecure
      # Serves the proxy's own host plus the /oauth2 callback path on every
      # other host except rss.tobiasmanske.de.
      traefik.http.routers.oauth.rule: 'Host(`traefik-fa.tobiasmanske.de`) || (PathPrefix(`/oauth2`) && !Host(`rss.tobiasmanske.de`))'
      traefik.http.services.oauth.loadbalancer.server.port: '4180'
      prometheus-scrape.enabled: 'true'
      prometheus-scrape.port: '9091'
    environment:
      OAUTH2_PROXY_PROVIDER: 'keycloak-oidc'
      # Credentials are injected from Ansible vars, never stored in this file.
      OAUTH2_PROXY_CLIENT_ID: '{{ traefik.oidc.client_id }}'
      OAUTH2_PROXY_CLIENT_SECRET: '{{ traefik.oidc.client_secret }}'
      OAUTH2_PROXY_OIDC_ISSUER_URL: '{{ traefik.oidc.issuer_url }}'
      # Session cookie is shared across all subdomains of the apex.
      OAUTH2_PROXY_COOKIE_DOMAIN: '.tobiasmanske.de'
      OAUTH2_PROXY_COOKIE_REFRESH: '1h'
      OAUTH2_PROXY_COOKIE_SECURE: 'true'
      OAUTH2_PROXY_COOKIE_SECRET: '{{ traefik.oidc.cookie_secret }}'
      # '*' accepts any authenticated email; authorization is delegated
      # entirely to the Keycloak client/realm configuration.
      OAUTH2_PROXY_EMAIL_DOMAINS: '*'
      OAUTH2_PROXY_FOOTER: '-'
      OAUTH2_PROXY_HTTP_ADDRESS: '0.0.0.0:4180'
      OAUTH2_PROXY_METRICS_ADDRESS: '0.0.0.0:9091'
      OAUTH2_PROXY_PASS_BASIC_AUTH: 'false'
      OAUTH2_PROXY_PASS_USER_HEADERS: 'true'
      # Trusts X-Forwarded-* headers; acceptable only because no ports are
      # published here, so the proxy is reachable solely through Traefik.
      OAUTH2_PROXY_REVERSE_PROXY: 'true'
      OAUTH2_PROXY_SET_AUTHORIZATION_HEADER: 'true'
      OAUTH2_PROXY_SET_XAUTHREQUEST: 'true'
      # Post-login redirects are limited to this domain and its subdomains.
      OAUTH2_PROXY_WHITELIST_DOMAIN: '.tobiasmanske.de'

  # Test backend for verifying the oauth@file middleware end to end.
  whoami:
    # NOTE(review): untagged (implicit :latest); pin a tag if this stays deployed.
    image: containous/whoami
    labels:
      - 'traefik.enable=true'
      - 'traefik.docker.network=${COMPOSE_PROJECT_NAME}_default'
      - 'traefik.http.services.whoami.loadbalancer.server.port=80'
      - 'traefik.http.routers.whoami.rule=Host(`test.tobiasmanske.de`)'
      - 'traefik.http.routers.whoami.entryPoints=websecure'
      - 'traefik.http.routers.whoami.middlewares=oauth@file'
{% endif %}

volumes:
  # Persists ACME account data and issued certificates across restarts.
  acme:

networks:
  default:
    driver: bridge
  # Pre-existing network shared with the Prometheus scraper.
  metrics:
    external: true
...