-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdocker-compose.yaml
115 lines (109 loc) · 4.05 KB
/
docker-compose.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
version: '3.8'
services:
dumpcerts:
image: registry.mydomain.com/dumpcerts:latest
container_name: dumpcerts
restart: always
command: "/certs/acme.json /certs"
volumes:
- ./certs:/certs
omni:
image: ghcr.io/siderolabs/omni:v0.34.0
container_name: omni
restart: unless-stopped
network_mode: host
cap_add:
- NET_ADMIN
command:
- --account-id=<yourAccountID>
- --name=onprem-omni
- --cert=/tls.crt
- --key=/tls.key
- --machine-api-cert=/tls.crt
- --machine-api-key=/tls.key
- --private-key-source=file:///omni.asc
- --event-sink-port=8091
- --bind-addr=0.0.0.0:4443
- --siderolink-api-bind-addr=0.0.0.0:8090
- --k8s-proxy-bind-addr=0.0.0.0:8100
- --advertised-api-url=https://omni.mydomain.com/
- --siderolink-api-advertised-url=https://omni.mydomain.com:8090/
- --siderolink-wireguard-advertised-addr=omni.mydomain.com:50180
- --advertised-kubernetes-proxy-url=https://omni.mydomain.com:8100/
- --auth-auth0-enabled=true
- --auth-auth0-domain=mydomain.us.auth0.com
- --auth-auth0-client-id=<INSERT-CLIENTID-HERE>
labels:
- "traefik.enable=true"
- "traefik.http.routers.omni.rule=HostRegexp(`omni.mydomain.com`)"
- "traefik.http.routers.omni.entrypoints=websecure"
- "traefik.http.routers.omni.tls=true"
- "traefik.http.services.omni.loadbalancer.server.port=4443"
- "traefik.http.services.omni.loadbalancer.server.scheme=https"
volumes:
- ./omni/etcd:/_out/etcd
- ./certs/star_mydomain_com.pem:/tls.crt
- ./certs/star_mydomain_com.key:/tls.key
- ./omni/omni.asc:/omni.asc
- /dev/net/tun:/dev/net/tun
traefik:
container_name: traefik
image: traefik
restart: always
command:
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --providers.docker=true
- --api.dashboard=true
- --log.level=INFO
- --log.filePath=/var/log/traefik.log
- --serversTransport.insecureSkipVerify=true
# Set up LetsEncrypt
- --certificatesresolvers.letsencrypt.acme.dnschallenge=true
- --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
- --certificatesresolvers.letsencrypt.acme.email=youremail@gmail.com
- --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
# Set up an insecure listener that redirects all traffic to TLS
- --entrypoints.web.address=:80
- --entrypoints.web.http.redirections.entrypoint.to=websecure
- --entrypoints.web.http.redirections.entrypoint.scheme=https
- --entrypoints.websecure.address=:443
# Set up the TLS configuration for our websecure listener
- --entrypoints.websecure.http.tls=true
- --entrypoints.websecure.http.tls.certResolver=letsencrypt
- --entrypoints.websecure.http.tls.domains[0].main=*.mydomain.com
environment:
- CLOUDFLARE_DNS_API_TOKEN=<CLOUDFLARE_TOKEN>
ports:
- "80:80"
- "443:443"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- "./certs:/letsencrypt"
- "./traefik/logs/traefik.log:/var/log/traefik.log"
labels:
# Dashboard
- "traefik.enable=true"
- 'traefik.http.routers.traefik.rule=Host(`traefik-rpi1.mydomain.com`)'
- "traefik.http.routers.traefik.entrypoints=websecure"
- "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
- "traefik.http.routers.traefik.service=api@internal"
- 'traefik.http.routers.traefik.middlewares=strip'
- 'traefik.http.middlewares.strip.stripprefix.prefixes=/traefik'
# middleware redirect
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
extra_hosts:
- host.docker.internal:172.19.0.1
networks:
- ipv6
networks:
ipv6:
enable_ipv6: false
driver: bridge
ipam:
driver: default
config:
- subnet: 172.19.0.0/24
gateway: 172.19.0.1