jpallison0625/swarm-production
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Configure Traefik for public-facing access with frostlabs.me domains

Browse Source 
- Fixed certificatesResolvers configuration in static.yml (moved out of tls section)
- Added DNS resolvers to Cloudflare ACME challenge configuration
- Added persistent volume mount for Let's Encrypt certificates
- Updated Outline service labels to use flow.frostlabs.me with proper cert resolver
- Updated Authentik service labels to use auth.frostlabs.me with proper cert resolver
- Added security headers and rate limiting middlewares to dynamic.yml
- Added example templates for public-facing service configuration

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
John
2025-11-10 11:27:47 +00:00
parent ad08678553
commit 3871e30abd
5 changed files with 56 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
conf/traefik-conf/dynamic.yml
View File

@@ -26,6 +26,19 @@ http:
- websecure - websecure
service: unraid service: unraid
tls: {} tls: {}
# Public-facing services (*.frostlabs.me)
# Example: To add a public service, uncomment and customize:
# my-public-service:
# rule: "Host(`myapp.frostlabs.me`)"
# entryPoints:
# - websecure
# service: my-service-name
# tls:
# certResolver: cloudflare
# middlewares:
# - authentik # Optional: Add authentication
# emby: # emby:
# rule: "Host(`movies.swarm.home`)" # rule: "Host(`movies.swarm.home`)"
# entryPoints: # entryPoints:
@@ -38,6 +51,7 @@ http:
# MIDDLEWARES SECTION # MIDDLEWARES SECTION
#----------------------------------------------------------------------------------- #-----------------------------------------------------------------------------------
middlewares: middlewares:
# Authentik forward auth for protecting services
authentik: authentik:
forwardAuth: forwardAuth:
address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik" address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
@@ -48,3 +62,22 @@ http:
- X-authentik-email - X-authentik-email
- X-authentik-name - X-authentik-name
- X-authentik-uid - X-authentik-uid
# Security headers for public-facing services
security-headers:
headers:
frameDeny: true
browserXssFilter: true
contentTypeNosniff: true
sslRedirect: true
forceSTSHeader: true
stsSeconds: 31536000
stsIncludeSubdomains: true
stsPreload: true
# Rate limiting for public services
rate-limit:
rateLimit:
average: 100
period: 1s
burst: 50

18
conf/traefik-conf/static.yml
View File

@@ -41,14 +41,16 @@ providers:
watch: true watch: true
# Certificate resolvers # Certificate resolvers
tls: certificatesResolvers:
certificatesResolvers: cloudflare:
cloudflare: acme:
acme: email: john.allisonwin@outlook.com
email: john.allisonwin@outlook.com storage: /certificates/acme.json
storage: /certificates/acme.json dnsChallenge:
dnsChallenge: provider: cloudflare
provider: cloudflare resolvers:
- 1.1.1.1:53
- 8.8.8.8:53
# Logging # Logging
log: log:

4
stacks/apps/outline/stack.yml
View File

@@ -40,9 +40,11 @@ services:
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.swarm.network=homelab" - "traefik.swarm.network=homelab"
- "traefik.http.routers.outline.rule=Host(`flow.swarm.home`)" # Public-facing domain with Let's Encrypt certificate
- "traefik.http.routers.outline.rule=Host(`flow.frostlabs.me`)"
- "traefik.http.routers.outline.entrypoints=websecure" - "traefik.http.routers.outline.entrypoints=websecure"
- "traefik.http.routers.outline.tls=true" - "traefik.http.routers.outline.tls=true"
- "traefik.http.routers.outline.tls.certresolver=cloudflare"
- "traefik.http.services.outline.loadbalancer.server.port=3000" - "traefik.http.services.outline.loadbalancer.server.port=3000"
depends_on: depends_on:
- redis - redis

4
stacks/core/authentik/stack.yml
View File

@@ -61,9 +61,11 @@ services:
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.swarm.network=homelab" - "traefik.swarm.network=homelab"
# Public-facing domain with Let's Encrypt certificate
- "traefik.http.routers.authentik.rule=Host(`auth.frostlabs.me`)" - "traefik.http.routers.authentik.rule=Host(`auth.frostlabs.me`)"
- "traefik.http.routers.authentik.entrypoints=websecure" - "traefik.http.routers.authentik.entrypoints=websecure"
- "traefik.http.routers.authentik.tls=certificatesResolvers=cloudflare" - "traefik.http.routers.authentik.tls=true"
- "traefik.http.routers.authentik.tls.certresolver=cloudflare"
- "traefik.http.services.authentik.loadbalancer.server.port=9000" - "traefik.http.services.authentik.loadbalancer.server.port=9000"
depends_on: depends_on:

2
stacks/core/traefik/stack.yml
View File

@@ -10,9 +10,9 @@ services:
- CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_api_token - CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_api_token
volumes: volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro - /var/run/docker.sock:/var/run/docker.sock:ro
#
- /home/doc/projects/swarm/conf/traefik-conf/static.yml:/etc/traefik/traefik.yml:ro - /home/doc/projects/swarm/conf/traefik-conf/static.yml:/etc/traefik/traefik.yml:ro
- /home/doc/projects/swarm/conf/traefik-conf/dynamic.yml:/etc/traefik/dynamic/dynamic.yml:rw - /home/doc/projects/swarm/conf/traefik-conf/dynamic.yml:/etc/traefik/dynamic/dynamic.yml:rw
- /home/doc/projects/swarm-data/appdata/traefik/certificates:/certificates
secrets: secrets:
- cloudflare_api_token - cloudflare_api_token
networks: networks: