Navy.gif/media-stack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: Make Traefik SSL configuration more flexible

Browse Source
This commit is contained in:
Adrien Poupa 2023-05-13 15:49:14 -04:00
parent 2dbca50c75
commit e63f025b0d
3 changed files with 31 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.env.example
View File

@ -11,7 +11,9 @@ PIA_PASS=
PIA_LOCAL_NETWORK="192.168.0.0/16" PIA_LOCAL_NETWORK="192.168.0.0/16"
HOSTNAME=localhost HOSTNAME=localhost
ADGUARD_HOSTNAME= ADGUARD_HOSTNAME=
DNS_CHALLENGE=true
DNS_CHALLENGE_PROVIDER=cloudflare DNS_CHALLENGE_PROVIDER=cloudflare
LETS_ENCRYPT_CA_SERVER=https://acme-v02.api.letsencrypt.org/directory
LETS_ENCRYPT_EMAIL= LETS_ENCRYPT_EMAIL=
CLOUDFLARE_EMAIL= CLOUDFLARE_EMAIL=
CLOUDFLARE_DNS_API_TOKEN= CLOUDFLARE_DNS_API_TOKEN=

11
README.md
View File

@ -76,7 +76,7 @@ For the first time, run `./update-config.sh` to update the applications base URL
## Environment Variables ## Environment Variables
| Variable | Description | Default | | Variable | Description | Default |
|-----------------------------|------------------------------------------------------------------------------------------------------|-------------------------| |-----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|
| `COMPOSE_FILE` | Docker compose files to load | `docker-compose.yml` | | `COMPOSE_FILE` | Docker compose files to load | `docker-compose.yml` |
| `COMPOSE_PATH_SEPARATOR` | Path separator between compose files to load | `:` | | `COMPOSE_PATH_SEPARATOR` | Path separator between compose files to load | `:` |
| `USER_ID` | ID of the user to use in Docker containers | `1000` | | `USER_ID` | ID of the user to use in Docker containers | `1000` |
@ -90,7 +90,9 @@ For the first time, run `./update-config.sh` to update the applications base URL
| `PIA_LOCAL_NETWORK` | PIA local network | `192.168.0.0/16` | | `PIA_LOCAL_NETWORK` | PIA local network | `192.168.0.0/16` |
| `HOSTNAME` | Hostname of the NAS, could be a local IP or a domain name | `localhost` | | `HOSTNAME` | Hostname of the NAS, could be a local IP or a domain name | `localhost` |
| `ADGUARD_HOSTNAME` | AdGuard Home hostname used, if enabled | | | `ADGUARD_HOSTNAME` | AdGuard Home hostname used, if enabled | |
| `DNS_CHALLENGE` | Enable/Disable DNS01 challenge, set to `false` to disable. | `true` |
| `DNS_CHALLENGE_PROVIDER` | Provider for DNS01 challenge, [see list here](https://doc.traefik.io/traefik/https/acme/#providers). | `cloudflare` | | `DNS_CHALLENGE_PROVIDER` | Provider for DNS01 challenge, [see list here](https://doc.traefik.io/traefik/https/acme/#providers). | `cloudflare` |
| `LETS_ENCRYPT_CA_SERVER` | Let's Encrypt CA Server used to generate certificates, set to production by default.<br/>Set to `https://acme-staging-v02.api.letsencrypt.org/directory` to test your changes with the staging server. | `https://acme-v02.api.letsencrypt.org/directory` |
| `LETS_ENCRYPT_EMAIL` | E-mail address used to send expiration notifications | | | `LETS_ENCRYPT_EMAIL` | E-mail address used to send expiration notifications | |
| `CLOUDFLARE_EMAIL` | CloudFlare Account email | | | `CLOUDFLARE_EMAIL` | CloudFlare Account email | |
| `CLOUDFLARE_DNS_API_TOKEN` | API token with `DNS:Edit` permission | | | `CLOUDFLARE_DNS_API_TOKEN` | API token with `DNS:Edit` permission | |
@ -199,9 +201,10 @@ baring environment variable changes, see the Traefik documentation above and [Le
Then, fill the CloudFlare `.env` entries. Then, fill the CloudFlare `.env` entries.
If you want to test your configuration first, use the Let's Encrypt staging server by uncommenting this: If you want to test your configuration first, use the Let's Encrypt staging server by updating `LETS_ENCRYPT_CA_SERVER`'s
value in `.env`:
``` ```
#- --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory LETS_ENCRYPT_CA_SERVER=https://acme-v02.api.letsencrypt.org/directory
``` ```
If it worked, you will see the staging certificate at https://nas.domain.com. If it worked, you will see the staging certificate at https://nas.domain.com.
@ -211,6 +214,8 @@ You are free to use any DNS01 provider. Simply replace `DNS_CHALLENGE_PROVIDER`
[see complete list here](https://doc.traefik.io/traefik/https/acme/#providers). [see complete list here](https://doc.traefik.io/traefik/https/acme/#providers).
You will also need to inject the environments variables specific to your provider. You will also need to inject the environments variables specific to your provider.
Certificate generation can be disabled by setting `DNS_CHALLENGE` to `false`.
### Accessing from the outside with Tailscale ### Accessing from the outside with Tailscale
If we want to make it reachable from outside the network without opening ports or exposing it to the internet, I found If we want to make it reachable from outside the network without opening ports or exposing it to the internet, I found

5
docker-compose.yml
View File

@ -17,10 +17,9 @@ services:
- --entrypoints.web.http.redirections.entryPoint.to=web-secure - --entrypoints.web.http.redirections.entryPoint.to=web-secure
- --entrypoints.web.http.redirections.entryPoint.scheme=https - --entrypoints.web.http.redirections.entryPoint.scheme=https
- --entrypoints.web.http.redirections.entrypoint.permanent=true - --entrypoints.web.http.redirections.entrypoint.permanent=true
- --certificatesresolvers.myresolver.acme.dnschallenge=true - --certificatesresolvers.myresolver.acme.dnschallenge=${DNS_CHALLENGE:-true}
- --certificatesresolvers.myresolver.acme.dnschallenge.provider=${DNS_CHALLENGE_PROVIDER:-cloudflare} - --certificatesresolvers.myresolver.acme.dnschallenge.provider=${DNS_CHALLENGE_PROVIDER:-cloudflare}
# Uncomment to test your configuration by using Let's Encrypt staging certificates - --certificatesresolvers.myresolver.acme.caserver=${LETS_ENCRYPT_CA_SERVER:-https://acme-v02.api.letsencrypt.org/directory}
#- --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
- --certificatesresolvers.myresolver.acme.email=${LETS_ENCRYPT_EMAIL} - --certificatesresolvers.myresolver.acme.email=${LETS_ENCRYPT_EMAIL}
- --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
ports: ports: