Initial: Traefik + cloudflared + Gitea auf dama.casa

2026-03-19 14:24:12 +00:00
commit b201d3a13e
12 changed files with 311 additions and 0 deletions
--- a/services/cloudflared/.env.example
+++ b/services/cloudflared/.env.example
@@ -0,0 +1 @@
+# Alle Variablen liegen in /.env.example (Root des Repos)
--- a/services/cloudflared/config/config.yaml
+++ b/services/cloudflared/config/config.yaml
@@ -0,0 +1,9 @@
+tunnel: fbfb9bdc-f049-4c42-9e2a-622adb05f2c8
+credentials-file: /etc/cloudflared/credentials.json
+
+ingress:
+  - hostname: "*.dama.casa"
+    service: https://traefik:443
+    originRequest:
+      noTLSVerify: true
+  - service: http_status:404
--- a/services/cloudflared/docker-compose.yaml
+++ b/services/cloudflared/docker-compose.yaml
@@ -0,0 +1,15 @@
+services:
+  cloudflared:
+    image: cloudflare/cloudflared:latest
+    container_name: cloudflared
+    restart: unless-stopped
+    command: tunnel --no-autoupdate --config /etc/cloudflared/config.yaml run
+    volumes:
+      - ./config/config.yaml:/etc/cloudflared/config.yaml:ro
+      - ./data/credentials.json:/etc/cloudflared/credentials.json:ro
+    networks:
+      - proxy
+
+networks:
+  proxy:
+    external: true
--- a/services/gitea/docker-compose.yaml
+++ b/services/gitea/docker-compose.yaml
@@ -0,0 +1,31 @@
+services:
+  gitea:
+    image: gitea/gitea:latest
+    container_name: gitea
+    restart: unless-stopped
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+      - GITEA__database__DB_TYPE=sqlite3
+      - GITEA__server__ROOT_URL=https://gitea.${DOMAIN}
+      - GITEA__server__DOMAIN=gitea.${DOMAIN}
+      - GITEA__server__HTTP_PORT=3000
+      - GITEA__server__SSH_DOMAIN=gitea.${DOMAIN}
+      - GITEA__server__SSH_PORT=2222
+    volumes:
+      - ./data:/data
+    ports:
+      - "2222:22"
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.gitea.rule=Host(`gitea.${DOMAIN}`)"
+      - "traefik.http.routers.gitea.entrypoints=websecure"
+      - "traefik.http.routers.gitea.tls=true"
+      - "traefik.http.routers.gitea.tls.certresolver=cloudflare"
+      - "traefik.http.services.gitea.loadbalancer.server.port=3000"
+
+networks:
+  proxy:
+    external: true
--- a/services/traefik/.env.example
+++ b/services/traefik/.env.example
@@ -0,0 +1 @@
+# Alle Variablen liegen in /.env.example (Root des Repos)
--- a/services/traefik/config/dynamic/middlewares.yaml
+++ b/services/traefik/config/dynamic/middlewares.yaml
@@ -0,0 +1,20 @@
+http:
+  middlewares:
+    # Basic Auth für Traefik Dashboard
+    # Generieren: echo $(htpasswd -nb user password) | sed -e 's/\$/\$\$/g'
+    traefik-auth:
+      basicAuth:
+        usersFile: /auth/traefik-users
+
+    # Sicherheits-Header für alle Services
+    secure-headers:
+      headers:
+        sslRedirect: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 31536000
+        contentTypeNosniff: true
+        browserXssFilter: true
+        referrerPolicy: "strict-origin-when-cross-origin"
+        customFrameOptionsValue: "SAMEORIGIN"
--- a/services/traefik/config/traefik.yaml.template
+++ b/services/traefik/config/traefik.yaml.template
@@ -0,0 +1,43 @@
+api:
+  dashboard: true
+
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+  websecure:
+    address: ":443"
+    http:
+      tls:
+        certResolver: cloudflare
+        domains:
+          - main: "${DOMAIN}"
+            sans:
+              - "*.${DOMAIN}"
+
+certificatesResolvers:
+  cloudflare:
+    acme:
+      email: "mail@dnlm.de"
+      storage: /acme.json
+      dnsChallenge:
+        provider: cloudflare
+        resolvers:
+          - "1.1.1.1:53"
+          - "1.0.0.1:53"
+
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false
+    network: proxy
+  file:
+    directory: /dynamic
+    watch: true
+
+log:
+  level: INFO
--- a/services/traefik/docker-compose.yaml
+++ b/services/traefik/docker-compose.yaml
@@ -0,0 +1,31 @@
+services:
+  traefik:
+    image: traefik:v3.2
+    container_name: traefik
+    restart: unless-stopped
+    ports:
+      - "80:80"
+      - "443:443"
+    environment:
+      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
+      - DOCKER_API_VERSION=1.41
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./config/traefik.yaml:/traefik.yaml:ro
+      - ./config/dynamic:/dynamic:ro
+      - ./data/acme.json:/acme.json
+      - ./data/traefik-users:/auth/traefik-users:ro
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik.${DOMAIN}`)"
+      - "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
+      - "traefik.http.routers.traefik-dashboard.tls=true"
+      - "traefik.http.routers.traefik-dashboard.tls.certresolver=cloudflare"
+      - "traefik.http.routers.traefik-dashboard.service=api@internal"
+      - "traefik.http.routers.traefik-dashboard.middlewares=traefik-auth@file"
+
+networks:
+  proxy:
+    external: true
				`@@ -0,0 +1 @@`
				`# Alle Variablen liegen in /.env.example (Root des Repos)`