mirror of
https://github.com/Dvorinka/Containr.git
synced 2026-06-03 20:12:58 +00:00
small fix, don't worry about it
This commit is contained in:
Tomas Dvorak
@@ -0,0 +1,13 @@
|
||||
# Cloudflare Tunnel Configuration
|
||||
# This file provides additional configuration for cloudflared
|
||||
# You can customize this for more advanced tunnel setups
|
||||
|
||||
tunnel: auto
|
||||
logfile: /var/log/cloudflared.log
|
||||
loglevel: info
|
||||
|
||||
# Optional: Ingress rules for more control
|
||||
# ingress:
|
||||
# - hostname: your-domain.com
|
||||
# service: http://traefik:80
|
||||
# - service: http_status:404
|
||||
@@ -0,0 +1,225 @@
|
||||
services:
|
||||
traefik:
|
||||
image: traefik:v3.2
|
||||
container_name: containr-traefik
|
||||
command:
|
||||
- "--api.dashboard=true"
|
||||
- "--api.insecure=${TRAEFIK_API_INSECURE:-true}"
|
||||
- "--providers.docker=true"
|
||||
- "--providers.docker.exposedbydefault=false"
|
||||
- "--providers.file.filename=/etc/traefik/traefik-dynamic.yml"
|
||||
- "--entrypoints.web.address=:80"
|
||||
- "--entrypoints.websecure.address=:443"
|
||||
- "--entrypoints.traefik.address=:8080"
|
||||
- "--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL:-admin@localhost}"
|
||||
- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
|
||||
- "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
|
||||
- "--log.level=${LOG_LEVEL:-INFO}"
|
||||
- "--accesslog=true"
|
||||
- "--metrics.prometheus=true"
|
||||
- "--ping=true"
|
||||
- "--ping.entrypoint=traefik"
|
||||
ports:
|
||||
- "80:80"
|
||||
- "443:443"
|
||||
- "8080:8080"
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
- ../data/letsencrypt:/letsencrypt
|
||||
- ./traefik-dynamic.yml:/etc/traefik/traefik-dynamic.yml:ro
|
||||
networks:
|
||||
- containr-network
|
||||
restart: unless-stopped
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.http.routers.traefik-dashboard.rule=Host(`traefik.${DOMAIN:-localhost}`)"
|
||||
- "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
|
||||
- "traefik.http.routers.traefik-dashboard.tls=true"
|
||||
- "traefik.http.routers.traefik-dashboard.tls.certresolver=myresolver"
|
||||
- "traefik.http.routers.traefik-dashboard.service=api@internal"
|
||||
- "traefik.http.routers.traefik-dashboard.middlewares=traefik-auth,secureHeaders@file"
|
||||
- "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_AUTH:-admin:$$apr1$$b8mh8c8v$$KkR8hQZQZQZQZQZQZQZQZ/}"
|
||||
healthcheck:
|
||||
test: ["CMD", "traefik", "healthcheck", "--ping"]
|
||||
interval: 30s
|
||||
timeout: 10s
|
||||
retries: 3
|
||||
|
||||
postgres:
|
||||
image: postgres:15-alpine
|
||||
container_name: containr-postgres
|
||||
environment:
|
||||
POSTGRES_DB: ${POSTGRES_DB:-containr}
|
||||
POSTGRES_USER: ${POSTGRES_USER:-containr_user}
|
||||
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-dev_password_123}
|
||||
ports:
|
||||
- "5432:5432"
|
||||
volumes:
|
||||
- postgres_data:/var/lib/postgresql/data
|
||||
networks:
|
||||
- containr-network
|
||||
restart: unless-stopped
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-containr_user} -d ${POSTGRES_DB:-containr}"]
|
||||
interval: 30s
|
||||
timeout: 10s
|
||||
retries: 3
|
||||
|
||||
redis:
|
||||
image: redis:7-alpine
|
||||
container_name: containr-redis
|
||||
command: redis-server --requirepass ${REDIS_PASSWORD:-dev_redis_123}
|
||||
volumes:
|
||||
- redis_data:/data
|
||||
networks:
|
||||
- containr-network
|
||||
restart: unless-stopped
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "redis-cli -a ${REDIS_PASSWORD:-dev_redis_123} ping | grep PONG"]
|
||||
interval: 30s
|
||||
timeout: 10s
|
||||
retries: 3
|
||||
|
||||
backend:
|
||||
build:
|
||||
context: ../app/backend
|
||||
dockerfile: Dockerfile
|
||||
container_name: containr-backend
|
||||
ports:
|
||||
- "8082:8080"
|
||||
environment:
|
||||
- DATABASE_URL=postgres://${POSTGRES_USER:-containr_user}:${POSTGRES_PASSWORD:-dev_password_123}@postgres:5432/${POSTGRES_DB:-containr}?sslmode=disable
|
||||
- REDIS_URL=redis://:${REDIS_PASSWORD:-dev_redis_123}@redis:6379/0
|
||||
- PORT=8080
|
||||
- HOST=0.0.0.0
|
||||
- ENVIRONMENT=${ENVIRONMENT:-production}
|
||||
- JWT_SECRET=${JWT_SECRET:-dev_jwt_secret_key_change_in_production}
|
||||
- CONTAINR_AGENT_AUTH_TOKEN=${CONTAINR_AGENT_AUTH_TOKEN:-}
|
||||
- CONTAINR_AGENT_AUTH_TOKENS=${CONTAINR_AGENT_AUTH_TOKENS:-}
|
||||
- COOKIE_SECURE=${COOKIE_SECURE:-true}
|
||||
- TRUSTED_PROXY_CIDR=${TRUSTED_PROXY_CIDR:-172.20.0.0/16}
|
||||
- CORS_ORIGINS=${CORS_ORIGINS:-http://localhost,http://localhost:3000}
|
||||
- BETTER_AUTH_URL=${BETTER_AUTH_URL:-http://localhost:8082}
|
||||
- BETTER_AUTH_PROXY_URL=${BETTER_AUTH_PROXY_URL:-http://127.0.0.1:3001}
|
||||
- BETTER_AUTH_INTERNAL_URL=${BETTER_AUTH_INTERNAL_URL:-http://127.0.0.1:3001/internal/session}
|
||||
- BETTER_AUTH_INTERNAL_TOKEN=${BETTER_AUTH_INTERNAL_TOKEN:-PLACEHOLDER_INTERNAL_AUTH_TOKEN}
|
||||
- BETTER_AUTH_SECRET=${BETTER_AUTH_SECRET:-PLACEHOLDER_BETTER_AUTH_SECRET_CHANGE_ME_32CHARS_MIN}
|
||||
- BETTER_AUTH_AUTO_MIGRATE=${BETTER_AUTH_AUTO_MIGRATE:-true}
|
||||
- BETTER_AUTH_TRUSTED_ORIGINS=${BETTER_AUTH_TRUSTED_ORIGINS:-http://localhost:3000,http://localhost:8082}
|
||||
- FRONTEND_URL=${FRONTEND_URL:-http://localhost:3000}
|
||||
- BACKEND_URL=${BACKEND_URL:-http://localhost:8082}
|
||||
- DB_HOST=postgres
|
||||
- DB_PORT=5432
|
||||
- DB_NAME=${POSTGRES_DB:-containr}
|
||||
- DB_USER=${POSTGRES_USER:-containr_user}
|
||||
- DB_PASSWORD=${POSTGRES_PASSWORD:-dev_password_123}
|
||||
- AUTH_PORT=${AUTH_PORT:-3001}
|
||||
- GITHUB_CLIENT_ID=${GITHUB_CLIENT_ID:-}
|
||||
- GITHUB_CLIENT_SECRET=${GITHUB_CLIENT_SECRET:-}
|
||||
- GITLAB_CLIENT_ID=${GITLAB_CLIENT_ID:-PLACEHOLDER_GITLAB_CLIENT_ID}
|
||||
- GITLAB_CLIENT_SECRET=${GITLAB_CLIENT_SECRET:-PLACEHOLDER_GITLAB_CLIENT_SECRET}
|
||||
- GITLAB_OAUTH_AUTHORIZE_URL=${GITLAB_OAUTH_AUTHORIZE_URL:-https://gitlab.com/oauth/authorize}
|
||||
- GITLAB_OAUTH_TOKEN_URL=${GITLAB_OAUTH_TOKEN_URL:-https://gitlab.com/oauth/token}
|
||||
- GITLAB_OAUTH_USERINFO_URL=${GITLAB_OAUTH_USERINFO_URL:-https://gitlab.com/api/v4/user}
|
||||
- BITBUCKET_CLIENT_ID=${BITBUCKET_CLIENT_ID:-PLACEHOLDER_BITBUCKET_CLIENT_ID}
|
||||
- BITBUCKET_CLIENT_SECRET=${BITBUCKET_CLIENT_SECRET:-PLACEHOLDER_BITBUCKET_CLIENT_SECRET}
|
||||
- BITBUCKET_OAUTH_AUTHORIZE_URL=${BITBUCKET_OAUTH_AUTHORIZE_URL:-https://bitbucket.org/site/oauth2/authorize}
|
||||
- BITBUCKET_OAUTH_TOKEN_URL=${BITBUCKET_OAUTH_TOKEN_URL:-https://bitbucket.org/site/oauth2/access_token}
|
||||
- BITBUCKET_OAUTH_USERINFO_URL=${BITBUCKET_OAUTH_USERINFO_URL:-https://api.bitbucket.org/2.0/user}
|
||||
- BITBUCKET_OAUTH_EMAILS_URL=${BITBUCKET_OAUTH_EMAILS_URL:-https://api.bitbucket.org/2.0/user/emails}
|
||||
- GITEA_CLIENT_ID=${GITEA_CLIENT_ID:-PLACEHOLDER_GITEA_CLIENT_ID}
|
||||
- GITEA_CLIENT_SECRET=${GITEA_CLIENT_SECRET:-PLACEHOLDER_GITEA_CLIENT_SECRET}
|
||||
- GITEA_OAUTH_AUTHORIZE_URL=${GITEA_OAUTH_AUTHORIZE_URL:-https://gitea.example.com/login/oauth/authorize}
|
||||
- GITEA_OAUTH_TOKEN_URL=${GITEA_OAUTH_TOKEN_URL:-https://gitea.example.com/login/oauth/access_token}
|
||||
- GITEA_OAUTH_USERINFO_URL=${GITEA_OAUTH_USERINFO_URL:-https://gitea.example.com/api/v1/user}
|
||||
- GITHUB_APP_ID=${GITHUB_APP_ID:-}
|
||||
- GITHUB_APP_SLUG=${GITHUB_APP_SLUG:-}
|
||||
- GITHUB_APP_PRIVATE_KEY=${GITHUB_APP_PRIVATE_KEY:-}
|
||||
- GITHUB_APP_BASE_URL=${GITHUB_APP_BASE_URL:-https://api.github.com}
|
||||
- GITLAB_API_URL=${GITLAB_API_URL:-https://gitlab.com/api/v4}
|
||||
- GITLAB_BASE_URL=${GITLAB_BASE_URL:-https://gitlab.com}
|
||||
- BITBUCKET_API_URL=${BITBUCKET_API_URL:-https://api.bitbucket.org/2.0}
|
||||
- BITBUCKET_BASE_URL=${BITBUCKET_BASE_URL:-https://bitbucket.org}
|
||||
- GITEA_BASE_URL=${GITEA_BASE_URL:-https://gitea.example.com}
|
||||
networks:
|
||||
- containr-network
|
||||
depends_on:
|
||||
postgres:
|
||||
condition: service_healthy
|
||||
redis:
|
||||
condition: service_healthy
|
||||
restart: unless-stopped
|
||||
healthcheck:
|
||||
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:8080/health"]
|
||||
interval: 30s
|
||||
timeout: 10s
|
||||
retries: 3
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.http.routers.backend.rule=Host(`api.${DOMAIN:-localhost}`)"
|
||||
- "traefik.http.routers.backend.entrypoints=web"
|
||||
- "traefik.http.routers.backend.middlewares=secureHeaders@file"
|
||||
- "traefik.http.routers.backend-secure.rule=Host(`api.${DOMAIN:-localhost}`)"
|
||||
- "traefik.http.routers.backend-secure.entrypoints=websecure"
|
||||
- "traefik.http.routers.backend-secure.tls=true"
|
||||
- "traefik.http.routers.backend-secure.tls.certresolver=myresolver"
|
||||
- "traefik.http.routers.backend-secure.middlewares=secureHeaders@file"
|
||||
- "traefik.http.services.backend.loadbalancer.server.port=8080"
|
||||
|
||||
frontend:
|
||||
build:
|
||||
context: ../app/frontend
|
||||
dockerfile: Dockerfile
|
||||
args:
|
||||
VITE_API_URL: ${VITE_API_URL:-http://localhost:8082}
|
||||
VITE_AUTH_URL: ${VITE_AUTH_URL:-http://localhost:8082/api/auth}
|
||||
container_name: containr-frontend
|
||||
ports:
|
||||
- "3000:80"
|
||||
networks:
|
||||
- containr-network
|
||||
depends_on:
|
||||
backend:
|
||||
condition: service_healthy
|
||||
restart: unless-stopped
|
||||
healthcheck:
|
||||
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:80/"]
|
||||
interval: 30s
|
||||
timeout: 10s
|
||||
retries: 3
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.http.routers.frontend.rule=Host(`${DOMAIN:-localhost}`) || Host(`www.${DOMAIN:-localhost}`)"
|
||||
- "traefik.http.routers.frontend.entrypoints=web"
|
||||
- "traefik.http.routers.frontend.middlewares=secureHeaders@file"
|
||||
- "traefik.http.routers.frontend-secure.rule=Host(`${DOMAIN:-localhost}`) || Host(`www.${DOMAIN:-localhost}`)"
|
||||
- "traefik.http.routers.frontend-secure.entrypoints=websecure"
|
||||
- "traefik.http.routers.frontend-secure.tls=true"
|
||||
- "traefik.http.routers.frontend-secure.tls.certresolver=myresolver"
|
||||
- "traefik.http.routers.frontend-secure.middlewares=secureHeaders@file"
|
||||
- "traefik.http.services.frontend.loadbalancer.server.port=80"
|
||||
|
||||
cloudflared:
|
||||
image: cloudflare/cloudflared:latest
|
||||
container_name: containr-cloudflared
|
||||
command: tunnel --no-autoupdate run --token ${CLOUDFLARED_TOKEN:-}
|
||||
networks:
|
||||
- containr-network
|
||||
restart: unless-stopped
|
||||
depends_on:
|
||||
- traefik
|
||||
profiles:
|
||||
- cloudflared
|
||||
|
||||
volumes:
|
||||
postgres_data:
|
||||
driver: local
|
||||
redis_data:
|
||||
driver: local
|
||||
|
||||
networks:
|
||||
containr-network:
|
||||
driver: bridge
|
||||
ipam:
|
||||
config:
|
||||
- subnet: 172.20.0.0/16
|
||||
@@ -0,0 +1,46 @@
|
||||
# Traefik Dynamic Configuration
|
||||
http:
|
||||
middlewares:
|
||||
secureHeaders:
|
||||
headers:
|
||||
customRequestHeaders:
|
||||
X-Forwarded-Proto: "https"
|
||||
customResponseHeaders:
|
||||
X-Content-Type-Options: "nosniff"
|
||||
X-Frame-Options: "DENY"
|
||||
X-XSS-Protection: "1; mode=block"
|
||||
Referrer-Policy: "strict-origin-when-cross-origin"
|
||||
Permissions-Policy: "camera=(), microphone=(), geolocation=()"
|
||||
contentTypeNosniff: true
|
||||
browserXssFilter: true
|
||||
forceSTSHeader: true
|
||||
stsIncludeSubdomains: true
|
||||
stsPreload: true
|
||||
stsSeconds: 31536000
|
||||
|
||||
rateLimit:
|
||||
rateLimit:
|
||||
average: 100
|
||||
burst: 50
|
||||
period: "1m"
|
||||
|
||||
compress:
|
||||
compress:
|
||||
excludedContentTypes:
|
||||
- "text/event-stream"
|
||||
minResponseBodyBytes: 1024
|
||||
|
||||
tls:
|
||||
options:
|
||||
default:
|
||||
minVersion: "VersionTLS12"
|
||||
cipherSuites:
|
||||
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
|
||||
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
|
||||
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
|
||||
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
|
||||
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
|
||||
sniStrict: true
|
||||
curvePreferences:
|
||||
- "CurveP521"
|
||||
- "CurveP384"
|
||||
@@ -0,0 +1,69 @@
|
||||
# Traefik Static Configuration
|
||||
api:
|
||||
dashboard: true
|
||||
insecure: true # Enable dashboard without authentication for local development
|
||||
debug: false
|
||||
|
||||
providers:
|
||||
docker:
|
||||
endpoint: "unix:///var/run/docker.sock"
|
||||
exposedByDefault: false
|
||||
network: containr-network
|
||||
watch: true
|
||||
|
||||
entryPoints:
|
||||
web:
|
||||
address: ":80"
|
||||
http:
|
||||
redirections:
|
||||
entryPoint:
|
||||
to: websecure
|
||||
scheme: https
|
||||
permanent: true
|
||||
|
||||
websecure:
|
||||
address: ":443"
|
||||
http:
|
||||
middlewares:
|
||||
- secureHeaders@file
|
||||
|
||||
certificatesResolvers:
|
||||
myresolver:
|
||||
acme:
|
||||
email: ${ACME_EMAIL}
|
||||
storage: /letsencrypt/acme.json
|
||||
httpChallenge:
|
||||
entryPoint: web
|
||||
|
||||
log:
|
||||
level: INFO
|
||||
filePath: "/var/log/traefik/traefik.log"
|
||||
format: json
|
||||
|
||||
accessLog:
|
||||
filePath: "/var/log/traefik/access.log"
|
||||
format: json
|
||||
bufferingSize: 100
|
||||
fields:
|
||||
defaultMode: keep
|
||||
names:
|
||||
ClientUsername: drop
|
||||
headers:
|
||||
defaultMode: keep
|
||||
names:
|
||||
User-Agent: keep
|
||||
Authorization: drop
|
||||
Content-Type: keep
|
||||
|
||||
metrics:
|
||||
prometheus:
|
||||
addEntryPointsLabels: true
|
||||
addServicesLabels: true
|
||||
manualRouting: true
|
||||
|
||||
ping:
|
||||
entryPoint: web
|
||||
|
||||
global:
|
||||
checkNewVersion: true
|
||||
sendAnonymousUsage: false
|
||||
Reference in New Issue
Block a user