traefix/nginx -> caddy

2022-09-04 08:37:29 -06:00 · 2022-09-04 08:37:29 -06:00 · f3a7499d1f
parent 3adfb37947
commit f3a7499d1f
16 changed files with 124 additions and 101 deletions
--- a/homelab/.gitignore
+++ b/homelab/.gitignore
@ -1,2 +1,3 @@
 password
 samba-users.env
 secrets
--- a/homelab/Caddyfile
+++ b/homelab/Caddyfile
@ -0,0 +1,60 @@
 {
  email neale@woozle.org
  # Uncomment to use testing CA
  #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
 }
 import /run/secrets/caddy-users
 (restricted-access) {
  basicauth {
    import home-users
  }
 }
 git.woozle.org {
  reverse_proxy gitea:3000
 }
 drive.woozle.org {
  import restricted-access
  # XXX: browsing says method not allowed
  @get {
    method GET
  }
  # route overrides built-in ordering
  route {
    file_server @get browse {
      root /srv/ext/
    }
    reverse_proxy webdav:8000
  }
 }
 # XXX: have this use caddy auth
 ancestry.woozle.org {
  reverse_proxy geneweb:2317
 }
 sweetums.woozle.org {
  handle /transmission/* {
    import restricted-access
    reverse_proxy host.docker.internal:9091
  }
  handle_path /sucker/* {
    import restricted-access
    reverse_proxy host.docker.internal:5880
  }
  file_server /public/* {
    root /srv/ext/storage/public
  }
  import restricted-access
  file_server {
    root /www
  }
 }
--- a/homelab/HOSTS
+++ b/homelab/HOSTS
@ -1 +0,0 @@
 sweetums.woozle.org
--- a/homelab/dave.yaml
+++ b/homelab/dave.yaml
@ -0,0 +1,4 @@
 address: "0.0.0.0"
 port: "8000"
 dir: "/data"
 prefix: "/"
--- a/homelab/deploy.sh
+++ b/homelab/deploy.sh
@ -2,9 +2,4 @@
 stack=$(basename $(pwd))
-cat HOSTS | while read host; do
+docker stack deploy -c docker-compose.yaml --prune $stack
    echo "=== $host"
    export FQDN=$host
    export HOSTNAME=${host%%.*}
    docker -H ssh://$host stack deploy -c docker-compose.yaml --prune $stack
 done
--- a/homelab/docker-compose.yaml
+++ b/homelab/docker-compose.yaml
@ -1,21 +1,7 @@
 version: "3.8"
 services:
-  traefik:
+  caddy:
-    image: traefik
+    image: caddy:2-alpine
    environment:
      TRAEFIK_API: "true"
      TRAEFIK_API_INSECURE: "true"
      TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: :80
      TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure
      TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_SCHEME: https
      TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: :443
      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_CERTRESOLVER: letsencrypt
      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCYRPT_ACME_EMAIL: neale@woozle.org
      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_STORAGE: /acme.json
      XXX_TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE_ENTRYPOINT: web
      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_TLSCHALLENGE: "true"
      TRAEFIK_PROVIDERS_DOCKER_SWARMMODE: "true"
      TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: "false"
    ports:
      - target: 443
        published: 443
@ -25,34 +11,21 @@ services:
        mode: host
    volumes:
      - type: bind
-        source: /var/run/docker.sock
+        source: /srv/ext
-        target: /var/run/docker.sock
+        target: /srv/ext
        read_only: true
      - type: bind
-        source: /srv/ext/sys/traefik/acme.json
+        source: /srv/ext/sys/caddy
-        target: /acme.json
+        target: /data/caddy
-    deploy:
+    configs:
-      labels:
+      - source: Caddyfile
-        # XXX: This HSTS stuff doesn't seem to be working
+        target: /etc/caddy/Caddyfile
-        traefik.enable: "true"
+      - source: index.html
-        traefik.frontend.headers.STSSeconds: "31536000"
+        target: /www/index.html
        traefik.frontend.headers.STSPreload: "true"
        traefik.http.routers.dashboard.rule: "Host(`$FQDN`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
        traefik.http.routers.dashboard.tls.certresolver: letsencrypt
        traefik.http.routers.dashboard.middlewares: forward-auth
        traefik.http.routers.dashboard.service: api@internal
        traefik.http.middlewares.forward-auth.forwardauth.address: http://simpleauth:8080/
        traefik.http.services.traefik.loadbalancer.server.port: "1"
  simpleauth:
    image: ghcr.io/nealey/simpleauth
    secrets:
-      - password
+      - caddy-users
-    deploy:
+    extra_hosts:
-      labels:
+      - host.docker.internal:host-gateway
        traefik.enable: "true"
        traefik.http.routers.simpleauth.rule: "Host(`$FQDN`) && Path(`/`)"
        traefik.http.services.simpleauth.loadbalancer.server.port: "8080"
  plex:
    image: ghcr.io/linuxserver/plex
@ -61,6 +34,7 @@ services:
    environment:
      TZ: US/Mountain
      VERSION: public
      PLEX_CLAIM: claim-jp4-HfTyRzCce4WzUdj5
    volumes:
      - type: bind
        source: /srv/ext/sys/plex
@ -83,11 +57,6 @@ services:
      - type: bind
        source: /srv/ext/incoming
        target: /srv/ext/incoming
    deploy:
      labels:
        # This isn't going to work, because transmission binds to the host network.
        traefik.http.routers.transmission.rule: "PathPrefix(`/transmission`)"
        traefik.http.services.transmission.loadbalancer.server.port: "9091"
  gitea:
    image: gitea/gitea:1
@ -106,13 +75,6 @@ services:
        source: /etc/localtime
        target: /etc/localtime
        read_only: true
    deploy:
      labels:
        traefik.enable: "true"
        traefik.http.routers.gitea.rule: "Host(`git.woozle.org`)"
        traefik.http.routers.gitea.middlewares: gitea-striparoo
        traefik.http.middlewares.gitea-striparoo.stripprefix.prefixes: "/gitea"
        traefik.http.services.gitea.loadbalancer.server.port: "3000"
  atlas:
    image: ctassisf/ripe-atlas-alpine:arm64v8
@ -138,18 +100,6 @@ services:
      - type: bind
        source: /srv/ext/sys/geneweb/log
        target: /usr/local/share/geneweb/log
    deploy:
      labels:
        traefik.enable: "true"
        traefik.http.routers.gwsetup.rule: "PathPrefix(`/gwsetup`)"
        traefik.http.middlewares.gwsetup-striparoo.stripprefix.prefixes: "/gwsetup"
        traefik.http.routers.gwsetup.middlewares: gwsetup-striparoo,forward-auth
        traefik.http.routers.gwsetup.service: gwsetup
        traefik.http.services.gwsetup.loadbalancer.server.port: "2316"
        traefik.http.routers.geneweb.rule: "Host(`ancestry.woozle.org`)"
        traefik.http.routers.geneweb.service: geneweb
        traefik.http.services.geneweb.loadbalancer.server.port: "2317"
  samba:
    image: dperson/samba
@ -165,13 +115,9 @@ services:
      USERID: 911
      GROUPID: 911
      # name;path;browse;readonly;guest
-      SHARE1: storage;/srv/ext/storage;yes;no;no
+      SHARE1: drive;/srv/ext;yes;no;no
      SHARE2: media;/srv/ext/media;yes;no;no
      SHARE3: software;/srv/ext/software;yes;no;no
      SHARE4: backups;/srv/ext/backups;yes;no;no
      SHARE4: incoming;/srv/ext/incoming;yes;no;no
    env_file:
-      - samba-users.env
+      - secrets/samba-users.env
    ports:
      - published: 139
        target: 139
@ -182,40 +128,28 @@ services:
    image: micromata/dave
    volumes:
      - type: bind
-        source: /srv/ext/storage
+        source: /srv/ext
        target: /data
    configs:
      - source: dave.yaml
        target: /config/config.yaml
    user: "911:911"
    deploy:
      labels:
        traefik.enable: "true"
        traefik.http.routers.webdav.rule: "Host(`drive.woozle.org`)"
        traefik.http.services.webdav.loadbalancer.server.port: "8000"
  public:
    image: caddy
    volumes:
      - type: bind
        source: /srv/ext/storage/public
        target: /usr/share/caddy/public
        read_only: true
    deploy:
      labels:
        traefik.enable: "true"
        traefik.http.routers.public.rule: "PathPrefix(`/public`)"
        traefik.http.services.public.loadbalancer.server.port: "80"
 configs:
  dave.yaml:
    file: dave.yaml
-    name: dave.yaml-v1
+    name: dave.yaml-v3
  Caddyfile:
    file: Caddyfile
    name: Caddyfile-v17
  index.html:
    file: index.html
    name: index.html-v8
 secrets:
-  password:
+  caddy-users:
-    file: password
+    file: secrets/caddy-users
-    name: password-v1
+    name: caddy-users-v2
 networks:
  hostnet:
--- a/homelab/index.html
+++ b/homelab/index.html
@ -0,0 +1,30 @@
 <!DOCTYPE html>
 <html>
  <head>
    <title>Sweetums</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bulma@0.9.3/css/bulma.min.css">
  </head>
  <body>
    <section class="section">
      <div class="container">
        <menu class="menu">
          <p class="menu-label">Woozle</p>
          <ul class="menu-list">
            <li><a href="//drive.woozle.org/">📁 Drive</a></li>
            <li><a href="//ancestry.woozle.org/">👪 Ancestry</a></li>
            <li><a href="//git.woozle.org/">🗄️ Git</a></li>
          </ul>
          <p class="menu-label">Sweetums</p>
          <ul class="menu-list">
            <li><a href="/sucker/">💿 Media Sucker</a></li>
            <li><a href="/transmission/">📥 Transmission</a></li>
          </ul>
        </menu>
    </template>
  </body>
 </html>
 <!-- 
 vi: ts=2 sw=2 et ai 
 -->
--- a/homelab/unused/grafana.ini.tmpl
+++ b/homelab/unused/grafana.ini.tmpl
--- a/homelab/unused/netdata.conf
+++ b/homelab/unused/netdata.conf
--- a/homelab/unused/periodic/backup-systemd
+++ b/homelab/unused/periodic/backup-systemd
--- a/homelab/unused/periodic/btrfs-scrub
+++ b/homelab/unused/periodic/btrfs-scrub
--- a/homelab/unused/periodic/ddns-update
+++ b/homelab/unused/periodic/ddns-update
--- a/homelab/unused/periodic/gdrive-backup
+++ b/homelab/unused/periodic/gdrive-backup
--- a/homelab/unused/periodic/last-run
+++ b/homelab/unused/periodic/last-run
--- a/homelab/unused/periodic/nextcloud-cron
+++ b/homelab/unused/periodic/nextcloud-cron
--- a/homelab/unused/prometheus.yaml
+++ b/homelab/unused/prometheus.yaml