From 68ab9f821576de2f8402f54bc086c562537d1a93 Mon Sep 17 00:00:00 2001
From: staffadmin
Date: Sat, 11 Nov 2023 17:50:01 +0100
Subject: [PATCH] POUSH

---
 host_vars/scaleway_fr.yml | 111 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 110 insertions(+), 1 deletion(-)

diff --git a/host_vars/scaleway_fr.yml b/host_vars/scaleway_fr.yml
index 965156f..9134782 100644
--- a/host_vars/scaleway_fr.yml
+++ b/host_vars/scaleway_fr.yml
@@ -306,4 +306,113 @@ dockerapp_compose:
 # <<: *network-and-security
 # restart: "no"
 # # profiles:
- # # - media
\ No newline at end of file
+ # # - media
+ ########################### SERVICES
+ services:
+ ############################# FRONTENDS
+
+ # Traefik 2 - Reverse Proxy
+ # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
+ # touch $DOCKERDIR/traefik2/acme/acme.json
+ # chmod 600 $DOCKERDIR/traefik2/acme/acme.json
+ # touch $DOCKERDIR/logs/homeserver/traefik.log # customize this
+
+ #### LETSENCRYPT CHALLENGE ######
+ # https://doc.traefik.io/traefik/user-guides/docker-compose/acme-http/
+ # Add new https services/fqdn
+ # uncomment acme.caserver line and remove appdata/traefik2/acme/letsencrypt/acme.json file
+ # Down all containers and up all (docker-compose down/up -d), wait for news cert/key on acme.json
+ # At this moment, cert/key are staging, you need to comment acme.caserver line and remove acme.json file then restart traefik
+ traefik:
+ #<<: *common-keys-core # See EXTENSION FIELDS at the top -> TODO
+ container_name: traefik
+ image: traefik:latest
+ command: # CLI arguments
+ - --global.checkNewVersion=true
+ - --global.sendAnonymousUsage=true
+ - --entryPoints.http.address=:80/tcp
+ - --entryPoints.https.address=:443/tcp
+ - --entryPoints.wireguard.address=:443/udp
+ - --api=true
+ - --api.dashboard=true
+ - --log=true
+ - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
+ - --accessLog=true
+ - --accessLog.filePath=/traefik.log
+ - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
+ - --providers.docker=true
+ - --providers.docker.endpoint=tcp://socket-proxy:2375
+ - --providers.docker.exposedByDefault=false
+ - --providers.docker.network=t2_proxy
+ - --providers.docker.swarmMode=false
+ - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory
+ - --providers.file.watch=true # Only works on top level files in the rules folder
+ - --metrics.prometheus=true
+ - --metrics.prometheus.buckets=0.1,0.3,1.2,5.0
+ - --metrics.prometheus.addEntryPointsLabels=true
+ - --metrics.prometheus.addrouterslabels=true
+ - --metrics.prometheus.addServicesLabels=true
+ - --metrics.prometheus.manualrouting=true
+ - --certificatesresolvers.letsencrypt-resolver.acme.tlschallenge=true
+ # - --certificatesresolvers.letsencrypt-resolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
+ - --certificatesresolvers.letsencrypt-resolver.acme.email=stephane.gratiasquiquandon@gmail.com
+ - --certificatesresolvers.letsencrypt-resolver.acme.storage=/letsencrypt/acme.json
+ networks:
+ t2_proxy:
+ ipv4_address: 192.168.90.254 # You can specify a static IP
+ # Should connect to the docker socket
+ socket_proxy:
+ ipv4_address: 192.168.91.3
+ environment:
+ #<<: *default-tz-puid-pgid -> TODO
+ ports:
+ - target: 80
+ published: 80
+ protocol: tcp
+ mode: host
+ - target: 443
+ published: 443
+ protocol: tcp
+ mode: host
+ - target: 443
+ published: 443
+ protocol: udp
+ mode: host
+ volumes:
+ - ./appdata/traefik2/rules/homeserver:/rules # file provider directory
+ - ./appdata/traefik2/acme/letsencrypt:/letsencrypt
+ #- ./appdata/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
+ - ./logs/homeserver/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container
+ - /etc/timezone:/etc/timezone:ro
+ - /etc/localtime:/etc/localtime:ro
+ labels:
+ - "traefik.enable=true"
+ # HTTP-to-HTTPS Redirect
+ - "traefik.http.routers.http-catchall.entrypoints=http"
+ - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
+ - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
+ - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+ - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true"
+ # HTTP Routers
+ - "traefik.http.routers.traefik-rtr.entrypoints=https"
+ - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.jingoh.fr`)"
+ ## Services - API
+ - "traefik.http.routers.traefik-rtr.service=api@internal"
+ - "traefik.http.routers.traefik-rtr.tls=true"
+ ## MONITORING
+ - traefik.http.routers.prometheus.entrypoints=https
+ - traefik.http.routers.prometheus.rule=Host(`traefik.jingoh.fr`) && PathPrefix(`/metrics`)
+ - traefik.http.routers.prometheus.service=prometheus@internal
+ - traefik.http.routers.prometheus.middlewares=traefik-basic
+ ## Middlewares
+ # echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g
+ ## Middlewares
+ - "traefik.http.routers.traefik-rtr.middlewares=traefik-basic"
+ - "traefik.http.middlewares.traefik-basic.basicauth.users=jingohtraf:$$2y$$05$$JO8mJnOV2PARzEcVj.Grp.H.JbkWYneAIjgMt7c0.5NTyBNDkRIiW"
+ #- "traefik.http.middlewares.traefik-rtr-ratelimit.ratelimit.average=10"
+ # - "traefik.http.middlewares.traefik-rtr-ratelimit.ratelimit.burst=10"
+ # - "traefik.http.middlewares.traefik-rtr-ratelimit.ratelimit.period=1"
+ # - "traefik.http.routers.traefik-rtr-ratelimit.middlewares=traefik-rtr-ratelimit@docker"
+ ## TLS
+ - "traefik.http.routers.traefik-rtr.tls.certresolver=letsencrypt-resolver"
+ - "traefik.http.routers.prometheus.tls.certresolver=letsencrypt-resolver"