Navy.gif/media-stack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: Make Traefik SSL configuration more flexible

Browse Source
This commit is contained in:
Adrien Poupa 2023-05-13 15:49:14 -04:00
parent 2dbca50c75
commit e63f025b0d
3 changed files with 31 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.env.example
View File

@ -11,7 +11,9 @@ PIA_PASS=
PIA_LOCAL_NETWORK="192.168.0.0/16"
HOSTNAME=localhost
ADGUARD_HOSTNAME=
DNS_CHALLENGE=true
DNS_CHALLENGE_PROVIDER=cloudflare
LETS_ENCRYPT_CA_SERVER=https://acme-v02.api.letsencrypt.org/directory
LETS_ENCRYPT_EMAIL=
CLOUDFLARE_EMAIL=
CLOUDFLARE_DNS_API_TOKEN=

11
README.md
View File

@ -76,7 +76,7 @@ For the first time, run `./update-config.sh` to update the applications base URL
## Environment Variables
| Variable | Description | Default |
|-----------------------------|------------------------------------------------------------------------------------------------------|-------------------------|
|-----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|
| `COMPOSE_FILE` | Docker compose files to load | `docker-compose.yml` |
| `COMPOSE_PATH_SEPARATOR` | Path separator between compose files to load | `:` |
| `USER_ID` | ID of the user to use in Docker containers | `1000` |
@ -90,7 +90,9 @@ For the first time, run `./update-config.sh` to update the applications base URL
| `PIA_LOCAL_NETWORK` | PIA local network | `192.168.0.0/16` |
| `HOSTNAME` | Hostname of the NAS, could be a local IP or a domain name | `localhost` |
| `ADGUARD_HOSTNAME` | AdGuard Home hostname used, if enabled | |
| `DNS_CHALLENGE` | Enable/Disable DNS01 challenge, set to `false` to disable. | `true` |
| `DNS_CHALLENGE_PROVIDER` | Provider for DNS01 challenge, [see list here](https://doc.traefik.io/traefik/https/acme/#providers). | `cloudflare` |
| `LETS_ENCRYPT_CA_SERVER` | Let's Encrypt CA Server used to generate certificates, set to production by default.<br/>Set to `https://acme-staging-v02.api.letsencrypt.org/directory` to test your changes with the staging server. | `https://acme-v02.api.letsencrypt.org/directory` |
| `LETS_ENCRYPT_EMAIL` | E-mail address used to send expiration notifications | |
| `CLOUDFLARE_EMAIL` | CloudFlare Account email | |
| `CLOUDFLARE_DNS_API_TOKEN` | API token with `DNS:Edit` permission | |
@ -199,9 +201,10 @@ baring environment variable changes, see the Traefik documentation above and [Le
Then, fill the CloudFlare `.env` entries.
If you want to test your configuration first, use the Let's Encrypt staging server by uncommenting this:
If you want to test your configuration first, use the Let's Encrypt staging server by updating `LETS_ENCRYPT_CA_SERVER`'s
value in `.env`:
```
#- --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
LETS_ENCRYPT_CA_SERVER=https://acme-v02.api.letsencrypt.org/directory
```
If it worked, you will see the staging certificate at https://nas.domain.com.
@ -211,6 +214,8 @@ You are free to use any DNS01 provider. Simply replace `DNS_CHALLENGE_PROVIDER`
[see complete list here](https://doc.traefik.io/traefik/https/acme/#providers).
You will also need to inject the environments variables specific to your provider.
Certificate generation can be disabled by setting `DNS_CHALLENGE` to `false`.
### Accessing from the outside with Tailscale
If we want to make it reachable from outside the network without opening ports or exposing it to the internet, I found

5
docker-compose.yml
View File

@ -17,10 +17,9 @@ services:
- --entrypoints.web.http.redirections.entryPoint.to=web-secure
- --entrypoints.web.http.redirections.entryPoint.scheme=https
- --entrypoints.web.http.redirections.entrypoint.permanent=true
- --certificatesresolvers.myresolver.acme.dnschallenge=true
- --certificatesresolvers.myresolver.acme.dnschallenge=${DNS_CHALLENGE:-true}
- --certificatesresolvers.myresolver.acme.dnschallenge.provider=${DNS_CHALLENGE_PROVIDER:-cloudflare}
# Uncomment to test your configuration by using Let's Encrypt staging certificates
#- --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
- --certificatesresolvers.myresolver.acme.caserver=${LETS_ENCRYPT_CA_SERVER:-https://acme-v02.api.letsencrypt.org/directory}
- --certificatesresolvers.myresolver.acme.email=${LETS_ENCRYPT_EMAIL}
- --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
ports: