feat: Make Traefik SSL configuration more flexible

Adrien Poupa 2023-05-13 15:49:14 -04:00
parent 2dbca50c75
commit e63f025b0d
3 changed files with 31 additions and 25 deletions

View File

@ -11,7 +11,9 @@ PIA_PASS=
PIA_LOCAL_NETWORK="192.168.0.0/16" PIA_LOCAL_NETWORK="192.168.0.0/16"
HOSTNAME=localhost HOSTNAME=localhost
ADGUARD_HOSTNAME= ADGUARD_HOSTNAME=
DNS_CHALLENGE=true
DNS_CHALLENGE_PROVIDER=cloudflare DNS_CHALLENGE_PROVIDER=cloudflare
LETS_ENCRYPT_CA_SERVER=https://acme-v02.api.letsencrypt.org/directory
LETS_ENCRYPT_EMAIL= LETS_ENCRYPT_EMAIL=
CLOUDFLARE_EMAIL= CLOUDFLARE_EMAIL=
CLOUDFLARE_DNS_API_TOKEN= CLOUDFLARE_DNS_API_TOKEN=
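Review bot: the sample `.env` pins `DNS_CHALLENGE=true` and the production `LETS_ENCRYPT_CA_SERVER`, which matches the compose defaults, so a copied sample behaves exactly as before; a short comment next to `LETS_ENCRYPT_CA_SERVER` naming the staging directory URL would save users a trip to the README table when they want to test, since the sample file is where they will actually edit the value.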

View File

@ -75,26 +75,28 @@ For the first time, run `./update-config.sh` to update the applications base URL
## Environment Variables ## Environment Variables
| Variable | Description | Default | | Variable | Description | Default |
|-----------------------------|------------------------------------------------------------------------------------------------------|-------------------------| |-----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|
| `COMPOSE_FILE` | Docker compose files to load | `docker-compose.yml` | | `COMPOSE_FILE` | Docker compose files to load | `docker-compose.yml` |
| `COMPOSE_PATH_SEPARATOR` | Path separator between compose files to load | `:` | | `COMPOSE_PATH_SEPARATOR` | Path separator between compose files to load | `:` |
| `USER_ID` | ID of the user to use in Docker containers | `1000` | | `USER_ID` | ID of the user to use in Docker containers | `1000` |
| `GROUP_ID` | ID of the user group to use in Docker containers | `1000` | | `GROUP_ID` | ID of the user group to use in Docker containers | `1000` |
| `TIMEZONE` | TimeZone used by the container. | `America/New_York` | | `TIMEZONE` | TimeZone used by the container. | `America/New_York` |
| `DATA_ROOT` | Host location of the data files | `/mnt/data` | | `DATA_ROOT` | Host location of the data files | `/mnt/data` |
| `DOWNLOAD_ROOT` | Host download location for qBittorrent, should be a subfolder of `DATA_ROOT` | `/mnt/data/torrents` | | `DOWNLOAD_ROOT` | Host download location for qBittorrent, should be a subfolder of `DATA_ROOT` | `/mnt/data/torrents` |
| `PIA_LOCATION` | Servers to use for PIA | `ca` (Montreal, Canada) | | `PIA_LOCATION` | Servers to use for PIA | `ca` (Montreal, Canada) |
| `PIA_USER` | PIA username | | | `PIA_USER` | PIA username | |
| `PIA_PASS` | PIA password | | | `PIA_PASS` | PIA password | |
| `PIA_LOCAL_NETWORK` | PIA local network | `192.168.0.0/16` | | `PIA_LOCAL_NETWORK` | PIA local network | `192.168.0.0/16` |
| `HOSTNAME` | Hostname of the NAS, could be a local IP or a domain name | `localhost` | | `HOSTNAME` | Hostname of the NAS, could be a local IP or a domain name | `localhost` |
| `ADGUARD_HOSTNAME` | AdGuard Home hostname used, if enabled | | | `ADGUARD_HOSTNAME` | AdGuard Home hostname used, if enabled | |
| `DNS_CHALLENGE_PROVIDER` | Provider for DNS01 challenge, [see list here](https://doc.traefik.io/traefik/https/acme/#providers). | `cloudflare` | | `DNS_CHALLENGE` | Enable/Disable DNS01 challenge, set to `false` to disable. | `true` |
| `LETS_ENCRYPT_EMAIL` | E-mail address used to send expiration notifications | | | `DNS_CHALLENGE_PROVIDER` | Provider for DNS01 challenge, [see list here](https://doc.traefik.io/traefik/https/acme/#providers). | `cloudflare` |
| `CLOUDFLARE_EMAIL` | CloudFlare Account email | | | `LETS_ENCRYPT_CA_SERVER` | Let's Encrypt CA Server used to generate certificates, set to production by default.<br/>Set to `https://acme-staging-v02.api.letsencrypt.org/directory` to test your changes with the staging server. | `https://acme-v02.api.letsencrypt.org/directory` |
| `CLOUDFLARE_DNS_API_TOKEN` | API token with `DNS:Edit` permission | | | `LETS_ENCRYPT_EMAIL` | E-mail address used to send expiration notifications | |
| `CLOUDFLARE_ZONE_API_TOKEN` | API token with `Zone:Read` permission | | | `CLOUDFLARE_EMAIL` | CloudFlare Account email | |
| `CLOUDFLARE_DNS_API_TOKEN` | API token with `DNS:Edit` permission | |
| `CLOUDFLARE_ZONE_API_TOKEN` | API token with `Zone:Read` permission | |
## PIA WireGuard VPN ## PIA WireGuard VPN
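Review bot: the new `DNS_CHALLENGE` row describes the flag as "Enable/Disable DNS01 challenge", but DNS01 is the only ACME challenge this stack configures, so `false` disables Let's Encrypt issuance altogether rather than just one challenge type; the description should say that and state what replaces it (Traefik's built-in self-signed default certificate, which browsers warn about), otherwise the row reads like a harmless toggle. The `LETS_ENCRYPT_CA_SERVER` row is the one place the staging URL is spelled out correctly, so it is worth keeping the later README snippet consistent with it.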
@ -199,9 +201,10 @@ baring environment variable changes, see the Traefik documentation above and [Le
Then, fill the CloudFlare `.env` entries. Then, fill the CloudFlare `.env` entries.
If you want to test your configuration first, use the Let's Encrypt staging server by uncommenting this: If you want to test your configuration first, use the Let's Encrypt staging server by updating `LETS_ENCRYPT_CA_SERVER`'s
value in `.env`:
``` ```
#- --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory LETS_ENCRYPT_CA_SERVER=https://acme-v02.api.letsencrypt.org/directory
``` ```
If it worked, you will see the staging certificate at https://nas.domain.com. If it worked, you will see the staging certificate at https://nas.domain.com.
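Review bot: the snippet under "use the Let's Encrypt staging server by updating `LETS_ENCRYPT_CA_SERVER`'s value" sets `LETS_ENCRYPT_CA_SERVER=https://acme-v02.api.letsencrypt.org/directory`, which is the production URL and already the default, so following the instruction changes nothing and a user "testing" will issue real certificates against production rate limits; it should read `LETS_ENCRYPT_CA_SERVER=https://acme-staging-v02.api.letsencrypt.org/directory`, the URL the removed compose comment carried and the table above documents.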
@ -211,6 +214,8 @@ You are free to use any DNS01 provider. Simply replace `DNS_CHALLENGE_PROVIDER`
[see complete list here](https://doc.traefik.io/traefik/https/acme/#providers). [see complete list here](https://doc.traefik.io/traefik/https/acme/#providers).
You will also need to inject the environments variables specific to your provider. You will also need to inject the environments variables specific to your provider.
Certificate generation can be disabled by setting `DNS_CHALLENGE` to `false`.
### Accessing from the outside with Tailscale ### Accessing from the outside with Tailscale
If we want to make it reachable from outside the network without opening ports or exposing it to the internet, I found If we want to make it reachable from outside the network without opening ports or exposing it to the internet, I found
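Review bot: "Certificate generation can be disabled by setting `DNS_CHALLENGE` to `false`" should also say what the user gets instead: the `web` entrypoint still redirects every request to `web-secure` (the redirection flags in docker-compose.yml are unchanged in this commit), so HTTPS is served with Traefik's self-signed default certificate and every client sees a certificate warning unless another certificate source is configured. Stating that here keeps the option from being read as a way to run plain HTTP.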

View File

@ -17,10 +17,9 @@ services:
- --entrypoints.web.http.redirections.entryPoint.to=web-secure - --entrypoints.web.http.redirections.entryPoint.to=web-secure
- --entrypoints.web.http.redirections.entryPoint.scheme=https - --entrypoints.web.http.redirections.entryPoint.scheme=https
- --entrypoints.web.http.redirections.entrypoint.permanent=true - --entrypoints.web.http.redirections.entrypoint.permanent=true
- --certificatesresolvers.myresolver.acme.dnschallenge=true - --certificatesresolvers.myresolver.acme.dnschallenge=${DNS_CHALLENGE:-true}
- --certificatesresolvers.myresolver.acme.dnschallenge.provider=${DNS_CHALLENGE_PROVIDER:-cloudflare} - --certificatesresolvers.myresolver.acme.dnschallenge.provider=${DNS_CHALLENGE_PROVIDER:-cloudflare}
# Uncomment to test your configuration by using Let's Encrypt staging certificates - --certificatesresolvers.myresolver.acme.caserver=${LETS_ENCRYPT_CA_SERVER:-https://acme-v02.api.letsencrypt.org/directory}
#- --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
- --certificatesresolvers.myresolver.acme.email=${LETS_ENCRYPT_EMAIL} - --certificatesresolvers.myresolver.acme.email=${LETS_ENCRYPT_EMAIL}
- --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
ports: ports:
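Review bot: `--certificatesresolvers.myresolver.acme.dnschallenge=${DNS_CHALLENGE:-true}` leaves `dnschallenge.provider`, `caserver`, `email` and `storage` set even when the variable is `false`; confirm at startup that Traefik treats the resolver as having no challenge and only logs, rather than refusing the configuration, since the README now promises this disables issuance. Separately, `caserver` is now switchable while `storage` stays the single `/letsencrypt/acme.json`, and that file holds the ACME account created against whichever CA was used first, so document that `acme.json` must be removed when moving from the staging server back to production, otherwise the staging account and certificates are reused.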