adding untested changes and new dockers

2026-03-11 22:18:38 -03:00
parent fae6ea1abe
commit 52af4904da
34 changed files with 949 additions and 4 deletions
--- a/tools/wireguard/traefik/dynamic.yml
+++ b/tools/wireguard/traefik/dynamic.yml
@@ -0,0 +1,97 @@
+# =============================================================================
+# Traefik Dynamic Configuration
+# This file defines your routers, services, and middlewares.
+#
+# HTTP → HTTPS redirection is handled globally in traefik.yml, so each service
+# only needs a single router for HTTPS.
+#
+# Sections marked "No changes needed" are reusable building blocks.
+# Sections marked "CONFIGURE" are where you add your own services.
+# =============================================================================
+
+http:
+    # --- No changes needed ---------------------------------------------------
+    middlewares:
+        https-headers:
+            # Required for services that need to know the original protocol
+            # (e.g. Mastodon, Matrix/Synapse)
+            headers:
+                customRequestHeaders:
+                    X-Forwarded-Proto: "https"
+
+    serversTransports:
+        # Use this for backend containers that use self-signed TLS certs
+        # (e.g. Nextcloud). Reference it in a service with:
+        #   serversTransport: insecure-transport
+        insecure-transport:
+            insecureSkipVerify: true
+    # -------------------------------------------------------------------------
+
+    # --- CONFIGURE -----------------------------------------------------------
+    routers:
+        # Basic service
+        my-service:
+            rule: "Host(`service.example.com`)"  # <-- change domain
+            entryPoints:
+                - websecure
+            service: my-service
+            tls:
+                certResolver: letsencrypt
+
+        # Service that needs X-Forwarded-Proto (e.g. Mastodon, Synapse)
+        my-service-with-headers:
+            rule: "Host(`other.example.com`)"  # <-- change domain
+            entryPoints:
+                - websecure
+            service: my-service-with-headers
+            middlewares:
+                - https-headers
+            tls:
+                certResolver: letsencrypt
+
+        # Service with a self-signed cert on the backend (e.g. Nextcloud)
+        my-https-backend:
+            rule: "Host(`secure.example.com`)"  # <-- change domain
+            entryPoints:
+                - websecure
+            service: my-https-backend
+            tls:
+                certResolver: letsencrypt
+
+    services:
+        my-service:
+            loadBalancer:
+                servers:
+                    - url: "http://container-name:PORT"  # <-- change container name and port
+
+        my-service-with-headers:
+            loadBalancer:
+                servers:
+                    - url: "http://container-name:PORT"  # <-- change container name and port
+
+        my-https-backend:
+            loadBalancer:
+                servers:
+                    - url: "https://container-name:PORT"  # <-- change container name and port
+                serversTransport: insecure-transport
+    # -------------------------------------------------------------------------
+
+# =============================================================================
+# TCP — only needed for raw TCP services (game servers, etc.)
+# Remove this section entirely if you don't need it.
+# =============================================================================
+tcp:
+    # --- CONFIGURE -----------------------------------------------------------
+    routers:
+        my-tcp-service:
+            rule: "HostSNI(`*`)"
+            entryPoints:
+                - my-tcp-entrypoint  # <-- must match an entrypoint defined in traefik.yml
+            service: my-tcp-service
+
+    services:
+        my-tcp-service:
+            loadBalancer:
+                servers:
+                    - address: "container-name:PORT"  # <-- change container name and port
+    # -------------------------------------------------------------------------
--- a/tools/wireguard/traefik/traefik.yml
+++ b/tools/wireguard/traefik/traefik.yml
@@ -0,0 +1,45 @@
+# =============================================================================
+# Traefik Static Configuration
+# You generally do not need to change anything in this file except the section
+# marked with "CONFIGURE" below.
+# =============================================================================
+
+# --- No changes needed -------------------------------------------------------
+api:
+    dashboard: true
+    insecure: true # Dashboard on port 8080 - only accessible via WireGuard
+
+entryPoints:
+    web:
+        address: ":80"
+        http:
+            redirections:
+                entryPoint:
+                    to: websecure
+                    scheme: https
+    websecure:
+        address: ":443"
+    # Add extra TCP/UDP entrypoints here if you need to expose non-HTTP services
+    # my-tcp:
+    #     address: ":PORT"
+
+providers:
+    file:
+        filename: /etc/traefik/dynamic.yml
+        watch: true
+
+tls:
+    options:
+        default:
+            sniStrict: true # Rejects TLS connections for unknown hostnames
+# -----------------------------------------------------------------------------
+
+# --- CONFIGURE ---------------------------------------------------------------
+certificatesResolvers:
+    letsencrypt:
+        acme:
+            email: YOUR_EMAIL_HERE@EMAIL.COM  # <-- change this
+            storage: /letsencrypt/acme.json
+            httpChallenge:
+                entryPoint: web
+# -----------------------------------------------------------------------------