nebula/docker/conf/traefik.toml

defaultEntryPoints = ["http", "https"]

# Have to enable this because of heimdall
InsecureSkipVerify = true

sendAnonymousUsage = true

[entryPoints]
[entryPoints.http]
  address = ":80"
  [entryPoints.http.redirect]
    entryPoint = "https"
[entryPoints.https]
  address = ":443"
  # This is required for ACME support
  [entryPoints.https.tls]
  [[entryPoints.https.tls.certificates]]
    certFile = "/etc/traefik/git.captnemo.in.crt"
    keyFile  = "/etc/traefik/git.captnemo.in.key"
  [[entryPoints.https.tls.certificates]]
    certFile = "/etc/traefik/rss.captnemo.in.crt"
    keyFile  = "/etc/traefik/rss.captnemo.in.key"
  # This contains 2 domains: {emby|airsonic}.bb8.fun
  [[entryPoints.https.tls.certificates]]
    certFile = "/etc/traefik/emby.in.bb8.fun.crt"
    keyFile  = "/etc/traefik/emby.in.bb8.fun.key"

[docker]
  # Make sure you mount this as readonly
  endpoint = "unix:///var/run/docker.sock"
  domain = "bb8.fun"
  watch = true
  exposedbydefault = false

[file]
[backends]

# This is currently not exposed
# Since I can't apply a authentication
# on this yet

[backends.elibsrv]
[backends.elibsrv.servers.default]
  url = "http://elibsrv.captnemo.in:90"

[backends.scan]
[backends.scan.servers.default]
  url = "http://scan.in.bb8.fun:90"

[frontends]

[frontends.scan]
  backend = "scan"
  [frontends.scan.headers]
    SSLRedirect = true
    SSLTemporaryRedirect = true
    STSSeconds = 2592000
    FrameDeny = true
    ContentTypeNosniff = true
    BrowserXssFilter = true
    ReferrerPolicy = "no-referrer"
  [frontends.scan.headers.customresponseheaders]
    X-Powered-By = "Allomancy"
    Server = "BlackBox"
    X-Clacks-Overhead = "GNU Terry Pratchett"
[frontends.scan.routes.domain]
  rule = "Host:scan.bb8.fun"

[web]
  address = ":1111"
  readOnly = true

# To enable Traefik to export internal metrics to Prometheus
[web.metrics.prometheus]

[acme]

email = "acme@captnemo.in"
storage = "/acme/acme.json"
entryPoint = "https"
onHostRule = false
onDemand   = false
acmelogging = true

[acme.httpChallenge]
  entryPoint = "http"

[acme.dnsChallenge]
  provider = "cloudflare"
  delayBeforeCheck = 30

# This is a legacy certificate
# From when traefik did not support
# wildcard certs
[[acme.domains]]
main = "bb8.fun"
sans = [
  "ads.bb8.fun",
  "airsonic.bb8.fun",
  "apps.bb8.fun",
  "cadvisor.bb8.fun",
  "dns.bb8.fun",
  "emby.bb8.fun",
  "falcon.bb8.fun", # Temporarily used for lidarr
  "ghost.bb8.fun",
  "grafana.bb8.fun", # Unused
  "headphones.bb8.fun",
  "home.bb8.fun",
  "info.bb8.fun",
  "jackett.bb8.fun",
  "library.bb8.fun",
  "luke.bb8.fun",
  "monitoring.bb8.fun",
  # "lidarr.bb8.fun", (TBA)
  "ombi.bb8.fun", # Unused
  "pics.bb8.fun",
  "radarr.bb8.fun",
  "read.bb8.fun",
  "rey.bb8.fun",
  "scan.bb8.fun",
  "sonarr.bb8.fun",
  "tatooine.bb8.fun",
  "tie.bb8.fun",
  "traefik.bb8.fun",
  "transmission.bb8.fun",
  "wifi.bb8.fun",
  "wiki.bb8.fun"
]
# Primary 2 wildcard certs
[[acme.domains]]
  main = "*.bb8.fun"
# Internal services are also protected!
[[acme.domains]]
  main = "*.in.bb8.fun"
Work on proxying content via sydney - cloudflare + LE - traefik now has ingress on 443 - basic auth added for now 2017-11-26 11:23:34 +00:00			`defaultEntryPoints = ["http", "https"]`
Adds heimdall 2018-02-18 07:48:20 +00:00
Be a good citizen and report anon metrics to traefik 2018-03-02 09:00:40 +00:00			`# Have to enable this because of heimdall`
Adds heimdall 2018-02-18 07:48:20 +00:00			`InsecureSkipVerify = true`

Be a good citizen and report anon metrics to traefik 2018-03-02 09:00:40 +00:00			`sendAnonymousUsage = true`

Work on proxying content via sydney - cloudflare + LE - traefik now has ingress on 443 - basic auth added for now 2017-11-26 11:23:34 +00:00			`[entryPoints]`
			`[entryPoints.http]`
			`address = ":80"`
Adds things 2017-11-26 20:16:49 +00:00			`[entryPoints.http.redirect]`
			`entryPoint = "https"`
Work on proxying content via sydney - cloudflare + LE - traefik now has ingress on 443 - basic auth added for now 2017-11-26 11:23:34 +00:00			`[entryPoints.https]`
			`address = ":443"`
			`# This is required for ACME support`
			`[entryPoints.https.tls]`
Switches gitea to git.captnemo.in 2017-12-25 12:28:13 +00:00			`[[entryPoints.https.tls.certificates]]`
			`certFile = "/etc/traefik/git.captnemo.in.crt"`
			`keyFile = "/etc/traefik/git.captnemo.in.key"`
Adds tt-rss and radarr 2018-01-29 20:09:36 +00:00			`[[entryPoints.https.tls.certificates]]`
			`certFile = "/etc/traefik/rss.captnemo.in.crt"`
			`keyFile = "/etc/traefik/rss.captnemo.in.key"`
Keep internal certs separately deployed 2018-02-27 19:35:47 +00:00			`# This contains 2 domains: {emby\|airsonic}.bb8.fun`
			`[[entryPoints.https.tls.certificates]]`
			`certFile = "/etc/traefik/emby.in.bb8.fun.crt"`
			`keyFile = "/etc/traefik/emby.in.bb8.fun.key"`
Work on proxying content via sydney - cloudflare + LE - traefik now has ingress on 443 - basic auth added for now 2017-11-26 11:23:34 +00:00
workaround for traefik bug - XFO/Ref policy can't be applied yet 2017-11-29 21:15:38 +00:00			`[docker]`
Single certificate is better 2017-12-03 17:56:11 +00:00			`# Make sure you mount this as readonly`
workaround for traefik bug - XFO/Ref policy can't be applied yet 2017-11-29 21:15:38 +00:00			`endpoint = "unix:///var/run/docker.sock"`
			`domain = "bb8.fun"`
			`watch = true`
			`exposedbydefault = false`

Work on proxying content via sydney - cloudflare + LE - traefik now has ingress on 443 - basic auth added for now 2017-11-26 11:23:34 +00:00			`[file]`
			`[backends]`

Adds things 2017-11-26 20:16:49 +00:00			`# This is currently not exposed`
			`# Since I can't apply a authentication`
			`# on this yet`
Upgrades gitea 2018-02-03 07:36:06 +00:00
Work on proxying content via sydney - cloudflare + LE - traefik now has ingress on 443 - basic auth added for now 2017-11-26 11:23:34 +00:00			`[backends.elibsrv]`
			`[backends.elibsrv.servers.default]`
			`url = "http://elibsrv.captnemo.in:90"`

			`[backends.scan]`
			`[backends.scan.servers.default]`
			`url = "http://scan.in.bb8.fun:90"`

			`[frontends]`

			`[frontends.scan]`
			`backend = "scan"`
Security specific stuff 2017-11-29 20:14:05 +00:00			`[frontends.scan.headers]`
			`SSLRedirect = true`
			`SSLTemporaryRedirect = true`
			`STSSeconds = 2592000`
			`FrameDeny = true`
			`ContentTypeNosniff = true`
			`BrowserXssFilter = true`
			`ReferrerPolicy = "no-referrer"`
			`[frontends.scan.headers.customresponseheaders]`
			`X-Powered-By = "Allomancy"`
			`Server = "BlackBox"`
			`X-Clacks-Overhead = "GNU Terry Pratchett"`
Work on proxying content via sydney - cloudflare + LE - traefik now has ingress on 443 - basic auth added for now 2017-11-26 11:23:34 +00:00			`[frontends.scan.routes.domain]`
			`rule = "Host:scan.bb8.fun"`

Sets up traefik 2017-11-04 21:27:00 +00:00			`[web]`
Work on proxying content via sydney - cloudflare + LE - traefik now has ingress on 443 - basic auth added for now 2017-11-26 11:23:34 +00:00			`address = ":1111"`
			`readOnly = true`

Traefik monitoring 2018-02-09 20:56:31 +00:00			`# To enable Traefik to export internal metrics to Prometheus`
			`[web.metrics.prometheus]`

Work on proxying content via sydney - cloudflare + LE - traefik now has ingress on 443 - basic auth added for now 2017-11-26 11:23:34 +00:00			`[acme]`

			`email = "acme@captnemo.in"`
			`storage = "/acme/acme.json"`
			`entryPoint = "https"`
Upgrades gitea 2018-02-03 07:36:06 +00:00			`onHostRule = false`
Adds things 2017-11-26 20:16:49 +00:00			`onDemand = false`
Comment out mysql, upgrade acme config 2017-12-04 06:11:13 +00:00			`acmelogging = true`
Switched apache to 90, traefik to 80 2017-11-26 14:22:49 +00:00
Switch over to HTTP challenge for traefik - This is much faster and more reliable - Unfortunately, can't work for internal domains - so in.bb8.fun certs are up-in-the-air for now - they will keep working till the authorizations stay valid 2018-02-17 21:32:12 +00:00			`[acme.httpChallenge]`
			`entryPoint = "http"`

wildcard certs are here!!! 2018-03-28 10:15:44 +00:00			`[acme.dnsChallenge]`
			`provider = "cloudflare"`
			`delayBeforeCheck = 30`
Work on proxying content via sydney - cloudflare + LE - traefik now has ingress on 443 - basic auth added for now 2017-11-26 11:23:34 +00:00
wildcard certs are here!!! 2018-03-28 10:15:44 +00:00			`# This is a legacy certificate`
			`# From when traefik did not support`
			`# wildcard certs`
Adds things 2017-11-26 20:16:49 +00:00			`[[acme.domains]]`
			`main = "bb8.fun"`
			`sans = [`
Minor updates 2018-02-17 20:46:56 +00:00			`"ads.bb8.fun",`
Single certificate is better 2017-12-03 17:56:11 +00:00			`"airsonic.bb8.fun",`
Minor updates 2018-02-17 20:46:56 +00:00			`"apps.bb8.fun",`
Single certificate is better 2017-12-03 17:56:11 +00:00			`"cadvisor.bb8.fun",`
Minor updates 2018-02-17 20:46:56 +00:00			`"dns.bb8.fun",`
Adds things 2017-11-26 20:16:49 +00:00			`"emby.bb8.fun",`
Drops headphones 2018-03-07 19:12:42 +00:00			`"falcon.bb8.fun", # Temporarily used for lidarr`
Minor updates 2018-02-17 20:46:56 +00:00			`"ghost.bb8.fun",`
Drops headphones 2018-03-07 19:12:42 +00:00			`"grafana.bb8.fun", # Unused`
Adds things 2017-11-26 20:16:49 +00:00			`"headphones.bb8.fun",`
			`"home.bb8.fun",`
Minor updates 2018-02-17 20:46:56 +00:00			`"info.bb8.fun",`
			`"jackett.bb8.fun",`
Single certificate is better 2017-12-03 17:56:11 +00:00			`"library.bb8.fun",`
add more domains on SSL 2017-12-28 17:07:19 +00:00			`"luke.bb8.fun",`
			`"monitoring.bb8.fun",`
Adds lidarr, remove ombi 2018-03-02 21:27:43 +00:00			`# "lidarr.bb8.fun", (TBA)`
			`"ombi.bb8.fun", # Unused`
add more domains on SSL 2017-12-28 17:07:19 +00:00			`"pics.bb8.fun",`
Minor updates 2018-02-17 20:46:56 +00:00			`"radarr.bb8.fun",`
Single certificate is better 2017-12-03 17:56:11 +00:00			`"read.bb8.fun",`
add more domains on SSL 2017-12-28 17:07:19 +00:00			`"rey.bb8.fun",`
Single certificate is better 2017-12-03 17:56:11 +00:00			`"scan.bb8.fun",`
Minor updates 2018-02-17 20:46:56 +00:00			`"sonarr.bb8.fun",`
add more domains on SSL 2017-12-28 17:07:19 +00:00			`"tatooine.bb8.fun",`
Minor updates 2018-02-17 20:46:56 +00:00			`"tie.bb8.fun",`
Single certificate is better 2017-12-03 17:56:11 +00:00			`"traefik.bb8.fun",`
			`"transmission.bb8.fun",`
Minor updates 2018-02-17 20:46:56 +00:00			`"wifi.bb8.fun",`
Sort the domains 2017-12-03 18:15:51 +00:00			`"wiki.bb8.fun"`
Adds things 2017-11-26 20:16:49 +00:00			`]`
wildcard certs are here!!! 2018-03-28 10:15:44 +00:00			`# Primary 2 wildcard certs`
			`[[acme.domains]]`
			`main = "*.bb8.fun"`
			`# Internal services are also protected!`
			`[[acme.domains]]`
			`main = "*.in.bb8.fun"`