diff --git a/Docker/traefik & teleport/etc/teleport.yaml b/Docker/traefik & teleport/etc/teleport.yaml
new file mode 100644
index 0000000..4881c2d
--- /dev/null
+++ b/Docker/traefik & teleport/etc/teleport.yaml
@@ -0,0 +1,61 @@
+version: v2
+teleport:
+ nodename: example
+ data_dir: /var/lib/teleport
+ log:
+ output: stdout
+ severity: INFO
+ format:
+ output: text
+ ca_pin: ""
+ diag_addr: ""
+auth_service:
+ enabled: "yes"
+ listen_addr: 0.0.0.0:3025
+ public_addr: teleport.example.de:3025
+ cluster_name: teleport.example.de
+ proxy_listener_mode: multiplex
+ session_recording: "off"
+ web_idle_timeout: 10m
+ssh_service:
+ enabled: "yes"
+ permit_user_env: true
+ commands:
+ - name: Compose
+ command: ["/bin/sh", "-c", "docker compose version --short"]
+ period: "168h"
+ - name: Docker
+ command: ["/bin/sh", "-c", "docker system info | grep Running | cut -d' ' -f4"]
+ period: "30m"
+ - name: Engine
+ command: ["/bin/sh", "-c", "docker version --format '{{.Server.Version}}'"]
+ period: "168h"
+ - name: Kernel
+ command: ["/bin/uname", "-r"]
+ period: "168h"
+ - name: Teleport
+ command: ["/bin/sh", "-c", "teleport version | cut -d' ' -f2"]
+ period: "168h"
+ - name: Restic
+ command: ["/bin/sh", "-c", "restic version | cut -d ' ' -f2"]
+ period: "168h"
+ - name: Rclone
+ command: ["/bin/sh", "-c", "rclone version | head -1 | cut -d ' ' -f2"]
+ period: "168h"
+proxy_service:
+ enabled: "yes"
+ web_listen_addr: 0.0.0.0:3080
+ public_addr: teleport.example.de:443
+ ssh_public_addr: teleport.example.de:3023
+ tunnel_public_addr: teleport.example.de:3024
+ https_keypairs: []
+ acme:
+ enabled: "yes"
+ email: "mail@example.de"
+app_service:
+ enabled: "yes"
+ apps:
+ - name: "proxy"
+ description: "Traefik"
+ public_addr: "proxy.teleport.example.de"
+ uri: "http://localhost:8080"
diff --git a/Docker/traefik & teleport/proxy/docker-compose.yml b/Docker/traefik & teleport/proxy/docker-compose.yml
new file mode 100644
index 0000000..259e49a
--- /dev/null
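Review bot: `session_recording: "off"` in `auth_service` disables recording of every SSH and app session the cluster proxies, so the audit log keeps only session start/stop events and no replayable transcript; for a node that also runs Docker and exposes the Traefik dashboard through `app_service`, that is exactly the trail an investigation would need. Teleport's default `session_recording: node` (or `proxy`, if recording must not depend on the node) is the safer setting. `permit_user_env: true` in `ssh_service` deserves the same second look, since it lets each user inject environment variables into their own sessions from their home directory. The quoted `"yes"` values are accepted by Teleport, but `enabled: true` is unambiguous for generic YAML tooling, and the empty `ca_pin: ""` / `diag_addr: ""` placeholders could be dropped rather than committed as empty strings.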
+++ b/Docker/traefik & teleport/proxy/docker-compose.yml
@@ -0,0 +1,32 @@
+version: "3.9"
+
+networks:
+ proxy:
+ external: true
+
+secrets:
+ hetzner:
+ file: ./secrets/hetzner_key
+
+services:
+ traefik:
+ image: traefik:2.8
+ container_name: traefik
+ restart: always
+ secrets:
+ - hetzner
+ environment:
+ - TZ=Europe/Berlin
+ - HETZNER_API_KEY_FILE=/run/secrets/hetzner
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ - ./traefik/static.toml:/etc/traefik/traefik.toml
+ - ./traefik/dynamic.toml:/dynamic.toml
+ - ./secrets/acme.json:/acme.json
+ ports:
+ - "80:80"
+ - "443:443"
+ - "127.0.0.1:8080:8080"
+ networks:
+ - proxy
diff --git a/Docker/traefik & teleport/proxy/traefik/dynamic.toml b/Docker/traefik & teleport/proxy/traefik/dynamic.toml
new file mode 100644
index 0000000..f983dd4
--- /dev/null
+++ b/Docker/traefik & teleport/proxy/traefik/dynamic.toml
@@ -0,0 +1,31 @@
+[http]
+ [http.middlewares]
+ [http.middlewares.sec-headers.headers]
+ frameDeny = true
+ browserXssFilter = true
+ contentTypeNosniff = true
+ forceSTSHeader = true
+ stsIncludeSubdomains = true
+ stsPreload = true
+ stsSeconds = 63072000
+ customFrameOptionsValue = "SAMEORIGIN"
+
+[tcp]
+ [tcp.routers]
+ [tcp.routers.teleport]
+ entryPoints = ["websecure"]
+ rule = "HostSNIRegexp(`teleport.unjx.de`, `{subdomain:[a-z]+}.teleport.unjx.de`)"
+ service = "teleport"
+ [tcp.routers.teleport.tls]
+ passthrough = true
+
+ [tcp.services]
+ [tcp.services.teleport.loadBalancer]
+ [[tcp.services.teleport.loadBalancer.servers]]
+ address = "172.18.0.1:3080"
+
+[tls]
+ [tls.options]
+ [tls.options.default]
+ minVersion = "VersionTLS13"
+ sniStrict = true
diff --git a/Docker/traefik & teleport/proxy/traefik/static.toml b/Docker/traefik & teleport/proxy/traefik/static.toml
new file mode 100644
index 0000000..2df654c
--- /dev/null
+++ b/Docker/traefik & teleport/proxy/traefik/static.toml
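Review bot: The `/var/run/docker.sock:/var/run/docker.sock:ro` entry under `volumes` hands Traefik the full Docker API; `:ro` only affects the mount, not which API calls the daemon accepts, so a compromise of this container (which is also the internet-facing `80`/`443` listener) is a compromise of the Docker host. Putting a socket proxy in front of the daemon that exposes only the read-only endpoints the Docker provider needs, and pointing Traefik at it over the `proxy` network instead of the raw socket, limits that blast radius. `./secrets/acme.json:/acme.json` holds the ACME account key and certificate private keys, so the host file needs mode 600 (Traefik rejects looser permissions) and belongs in `.gitignore` next to `secrets/hetzner_key`. `image: traefik:2.8` floats across patch releases; pinning a patch version or a digest keeps the reviewed image the one that runs.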
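Review bot: The `rule` on `[tcp.routers.teleport]` matches SNI for `teleport.unjx.de`, while `teleport.yaml` in the same commit sets `cluster_name` and `public_addr` to `teleport.example.de`, so one of the two hostnames is wrong and the passthrough router will never match the SNI the clients actually send; the two files should share a single value. The `{subdomain:[a-z]+}` capture also rejects app subdomains that contain digits or hyphens, which a future `app_service` entry may well use, so `[a-z0-9-]+` is the more forgiving class. Because `passthrough = true` leaves the TLS handshake to Teleport, the `minVersion`/`sniStrict` settings under `[tls.options.default]` presumably do not apply to this router and only protect connections Traefik terminates itself. `address = "172.18.0.1:3080"` hard-codes the bridge gateway of one specific Docker network, which changes if the `proxy` network is recreated with a different subnet.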
@@ -0,0 +1,40 @@
+[global]
+ checkNewVersion = true
+ sendAnonymousUsage = false
+
+[serversTransport]
+ insecureSkipVerify = true
+
+[entryPoints]
+ [entryPoints.web]
+ address = ":80"
+ [entryPoints.web.http.redirections]
+ [entryPoints.web.http.redirections.entryPoint]
+ to = "websecure"
+
+ [entryPoints.websecure]
+ address = ":443"
+
+[providers]
+ [providers.file]
+ filename = "dynamic.toml"
+ watch = true
+
+ [providers.docker]
+
+[api]
+ dashboard = true
+ insecure = true
+
+[log]
+# uncomment in needed
+# [accessLog]
+
+################################################################
+# Lets's Encrypt
+################################################################
+[certificatesResolvers.hetzner.acme]
+ email = "mail@example.de"
+ storage = "acme.json"
+ [certificatesResolvers.hetzner.acme.dnsChallenge]
+ provider = "hetzner"
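Review bot: `insecureSkipVerify = true` under `[serversTransport]` switches off certificate verification for every HTTPS backend Traefik talks to, cluster-wide, so any container on the `proxy` network that answers for a backend's address is trusted without proof of identity; Traefik 2.x lets you define a named `[http.serversTransports.<name>]` in dynamic config and attach it to just the one service that needs it, which keeps the global default strict. `[api]` with `insecure = true` serves the dashboard and API unauthenticated on the `traefik` entrypoint (8080); the compose file binds that port to `127.0.0.1` on the host and Teleport fronts it, but every container sharing the `proxy` network can still reach `traefik:8080` directly. `[providers.docker]` left at defaults means `exposedByDefault = true`, so every container visible through the mounted socket gets a router without opting in; `exposedByDefault = false` plus a `traefik.enable=true` label per service is the safer default. The comment `# uncomment in needed` reads better as `# uncomment if needed`.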