Jafner/Jafner.net
1
0
Fork 0
Code Issues 16 Pull Requests Actions Packages Projects Releases Wiki Activity

Fix: Work around Docker's symlink indigestion.

Browse Source
This commit is contained in:
Joey Hafner 2025-02-08 00:26:04 -08:00
parent e43dd47b93
commit ce1c51b8d4
Signed by: Jafner
GPG Key ID: 6D9A24EF2F389E55
10 changed files with 303 additions and 419 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

123
homelab/stacks/traefik/config/ai.yaml
View File

@ -1,123 +0,0 @@
tcp:
routers:
dungeon-master:
entrypoints:
- "websecure"
- "web"
rule: HostSNIRegexp(`^.+\.ai\.jafner\.(net|dev)$`)
service: "dungeon-master@file"
tls:
passthrough: true
services:
dungeon-master:
loadBalancer:
servers:
- address: "192.168.1.135:443"
http:
routers:
dungeon-master:
entrypoints:
- "websecure"
- "web"
rule: HostRegexp(`^.+\.ai\.jafner\.(net|dev)$`)
service: "dungeon-master@file"
services:
dungeon-master:
loadBalancer:
passHostHeader: true
servers:
- url: "https://192.168.1.135"
# http:
# routers:
# ollama:
# rule: "Host(`ollama.jafner.net`)"
# entryPoints: "websecure"
# middlewares:
# - "lan-only@file"
# service: "ollama@file"
# tls:
# certResolver: "lets-encrypt"
# open-webui:
# rule: "Host(`openwebui.jafner.net`)"
# entryPoints: "websecure"
# middlewares:
# - "lan-only@file"
# service: "open-webui@file"
# tls:
# certResolver: "lets-encrypt"
# sillytavern:
# rule: "Host(`sillytavern.jafner.net`)"
# entryPoints: "websecure"
# middlewares:
# - "lan-only@file"
# service: "sillytavern@file"
# tls:
# certResolver: "lets-encrypt"
# sdwebui:
# rule: "Host(`sdwebui.jafner.net`)"
# entryPoints: "websecure"
# middlewares:
# - "lan-only@file"
# service: "sdwebui@file"
# tls:
# certResolver: "lets-encrypt"
# oobabooga:
# rule: "Host(`oobabooga.jafner.net`)"
# entryPoints: "websecure"
# middlewares:
# - "lan-only@file"
# service: "oobabooga@file"
# tls:
# certResolver: "lets-encrypt"
# oobabooga-api:
# rule: "Host(`oobabooga-api.jafner.net`)"
# entryPoints: "websecure"
# middlewares:
# - "lan-only@file"
# service: "oobabooga-api@file"
# tls:
# certResolver: "lets-encrypt"
# exui:
# rule: "Host(`exui.jafner.net`)"
# entryPoints: "websecure"
# middlewares:
# - "lan-only@file"
# service: "exui@file"
# tls:
# certResolver: "lets-encrypt"
# services:
# ollama:
# loadBalancer:
# servers:
# - url: "http://192.168.1.135:11434"
# open-webui:
# loadBalancer:
# servers:
# - url: "http://192.168.1.135:3000"
# sillytavern:
# loadBalancer:
# servers:
# - url: "http://192.168.1.135:8000"
# sdwebui:
# loadBalancer:
# servers:
# - url: "http://192.168.1.135:7868"
# oobabooga:
# loadBalancer:
# servers:
# - url: "http://192.168.1.135:7860"
# oobabooga-api:
# loadBalancer:
# servers:
# - url: "http://192.168.1.135:5010"
# exui:
# loadBalancer:
# servers:
# - url: "http://192.168.1.135:5030"

298
homelab/stacks/traefik/config/config.yaml Normal file
View File

@ -0,0 +1,298 @@
tls:
options:
tls12:
minVersion: VersionTLS12
http:
routers:
api:
rule: "Host(`traefik.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "api@internal"
tls:
certResolver: "lets-encrypt"
barbarian:
rule: "Host(`barbarian.nas.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "barbarian@file"
tls:
certResolver: "lets-encrypt"
monk:
rule: "Host(`monk.nas.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "monk@file"
tls:
certResolver: "lets-encrypt"
paladin:
rule: "Host(`paladin.nas.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "paladin@file"
tls:
certResolver: "lets-encrypt"
ranger:
rule: "Host(`pihole.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "ranger@file"
tls:
certResolver: "lets-encrypt"
silver-hand:
entrypoints:
- "websecure"
- "web"
rule: HostRegexp(`^.+\.jafner\.dev$`)
service: "silver-hand@file"
desktop:
entrypoints:
- "websecure"
- "web"
rule: HostRegexp(`^.+\.ai\.jafner\.(net|dev)$`)
service: "desktop@file"
toes-day:
rule: "Host(`day.toes.tasmota.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "toes-day@file"
tls:
certResolver: "lets-encrypt"
toes-night:
rule: "Host(`night.toes.tasmota.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "toes-night@file"
tls:
certResolver: "lets-encrypt"
lab-rack:
rule: "Host(`rack.tasmota.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "lab-rack@file"
tls:
certResolver: "lets-encrypt"
sprout-day:
rule: "Host(`day.sprout.tasmota.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "sprout-day@file"
tls:
certResolver: "lets-encrypt"
figment-day:
rule: "Host(`day.figment.tasmota.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "figment-day@file"
tls:
certResolver: "lets-encrypt"
figment-night:
rule: "Host(`night.figment.tasmota.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "figment-night@file"
tls:
certResolver: "lets-encrypt"
president-day:
rule: "Host(`day.president.tasmota.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "president-day@file"
tls:
certResolver: "lets-encrypt"
cowboy-day:
rule: "Host(`day.cowboy.tasmota.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "cowboy-day@file"
tls:
certResolver: "lets-encrypt"
middlewares:
lan-only:
ipWhiteList:
sourceRange:
- "127.0.0.1/32"
- "192.168.1.1/24"
simple-auth:
basicAuth:
usersFile: "/.htpasswd"
securityheaders:
headers:
customResponseHeaders:
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
server: ""
sslProxyHeaders:
X-Forwarded-Proto: https
referrerPolicy: "same-origin"
hostsProxyHeaders:
- "X-Forwarded-Host"
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Scheme: https
contentTypeNosniff: true
browserXssFilter: true
forceSTSHeader: true
stsIncludeSubdomains: true
stsSeconds: 63072000
stsPreload: true
pihole:
addprefix:
prefix: "/admin"
traefik-forward-auth:
forwardauth:
address: http://forwardauth:4181
trustForwardHeader: true
authResponseHeaders:
- X-Forwarded-User
traefik-forward-auth-privileged:
forwardauth:
address: http://forwardauth-privileged:4181
trustForwardHeader: true
authResponseHeaders:
- X-Forwarded-User
nextcloud-headers:
headers:
accessControlMaxAge: 100
sslRedirect: true
stsSeconds: 63072000
stsIncludeSubdomains: true
stsPreload: true
forceSTSHeader: true
customFrameOptionsValue: "SAMEORIGIN" #CSP takes care of this but may be needed for organizr.
contentTypeNosniff: true
browserXssFilter: true
sslForceHost: true
sslHost: "nextcloud.jafner.net"
referrerPolicy: "no-referrer"
#contentSecurityPolicy: "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
customResponseHeaders:
X-Robots-Tag: "noindex, nofollow"
server: ""
nextcloud-redirect:
redirectRegex:
permanent: true
regex: "https://(.*)/.well-known/(card|cal)dav"
replacement: "https://${1}/remote.php/dav/"
keycloak:
headers:
customResponseHeaders:
X-Robots-Tag: "noindex, nofollow"
referrerPolicy: "same-origin"
hostsProxyHeaders:
- "X-Forwarded-Host"
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Scheme: https
serversTransports:
insecureskipverify:
insecureSkipVerify: true
services:
barbarian:
loadBalancer:
servers:
- url: "http://192.168.1.10/"
monk:
loadBalancer:
servers:
- url: "http://192.168.1.11/"
paladin:
loadBalancer:
servers:
- url: "http://192.168.1.12/"
ranger:
loadBalancer:
servers:
- url: "http://192.168.1.32/"
silver-hand:
loadBalancer:
passHostHeader: true
servers:
- url: "https://192.168.1.31"
- url: "https://192.168.1.32"
- url: "https://192.168.1.33"
desktop:
loadBalancer:
passHostHeader: true
servers:
- url: "https://192.168.1.135"
toes-day:
loadBalancer:
servers:
- url: "http://192.168.1.50/"
lab-rack:
loadBalancer:
servers:
- url: "http://192.168.1.51/"
cowboy-day:
loadBalancer:
servers:
- url: "http://192.168.1.52/"
figment-day:
loadBalancer:
servers:
- url: "http://192.168.1.53/"
figment-night:
loadBalancer:
servers:
- url: "http://192.168.1.54/"
president-day:
loadBalancer:
servers:
- url: "http://192.168.1.55/"
toes-night:
loadBalancer:
servers:
- url: "http://192.168.1.56"
sprout-day:
loadBalancer:
servers:
- url: "http://192.168.1.57/"
tcp:
routers:
silver-hand:
entrypoints:
- "websecure"
- "web"
rule: HostSNIRegexp(`^.+\.jafner\.dev$`)
service: "silver-hand@file"
tls:
passthrough: true
desktop:
entrypoints:
- "websecure"
- "web"
rule: HostSNIRegexp(`^.+\.ai\.jafner\.(net|dev)$`)
service: "desktop@file"
tls:
passthrough: true
services:
silver-hand:
loadBalancer:
servers:
- address: "192.168.1.31:443"
- address: "192.168.1.32:443"
- address: "192.168.1.33:443"
desktop:
loadBalancer:
servers:
- address: "192.168.1.135:443"

82
homelab/stacks/traefik/config/config_addons.yaml
View File

@ -1,82 +0,0 @@
http:
middlewares:
lan-only:
ipWhiteList:
sourceRange:
- "127.0.0.1/32"
- "192.168.1.1/24"
simple-auth:
basicAuth:
usersFile: "/.htpasswd"
securityheaders:
headers:
customResponseHeaders:
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
server: ""
sslProxyHeaders:
X-Forwarded-Proto: https
referrerPolicy: "same-origin"
hostsProxyHeaders:
- "X-Forwarded-Host"
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Scheme: https
contentTypeNosniff: true
browserXssFilter: true
forceSTSHeader: true
stsIncludeSubdomains: true
stsSeconds: 63072000
stsPreload: true
pihole:
addprefix:
prefix: "/admin"
traefik-forward-auth:
forwardauth:
address: http://forwardauth:4181
trustForwardHeader: true
authResponseHeaders:
- X-Forwarded-User
traefik-forward-auth-privileged:
forwardauth:
address: http://forwardauth-privileged:4181
trustForwardHeader: true
authResponseHeaders:
- X-Forwarded-User
nextcloud-headers:
headers:
accessControlMaxAge: 100
sslRedirect: true
stsSeconds: 63072000
stsIncludeSubdomains: true
stsPreload: true
forceSTSHeader: true
customFrameOptionsValue: "SAMEORIGIN" #CSP takes care of this but may be needed for organizr.
contentTypeNosniff: true
browserXssFilter: true
sslForceHost: true
sslHost: "nextcloud.jafner.net"
referrerPolicy: "no-referrer"
#contentSecurityPolicy: "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
customResponseHeaders:
X-Robots-Tag: "noindex, nofollow"
server: ""
nextcloud-redirect:
redirectRegex:
permanent: true
regex: "https://(.*)/.well-known/(card|cal)dav"
replacement: "https://${1}/remote.php/dav/"
keycloak:
headers:
customResponseHeaders:
X-Robots-Tag: "noindex, nofollow"
referrerPolicy: "same-origin"
hostsProxyHeaders:
- "X-Forwarded-Host"
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Scheme: https
serversTransports:
insecureskipverify:
insecureSkipVerify: true

40
homelab/stacks/traefik/config/nas.yaml
View File

@ -1,40 +0,0 @@
http:
routers:
barbarian:
rule: "Host(`barbarian.nas.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "barbarian@file"
tls:
certResolver: "lets-encrypt"
monk:
rule: "Host(`monk.nas.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "monk@file"
tls:
certResolver: "lets-encrypt"
paladin:
rule: "Host(`paladin.nas.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "paladin@file"
tls:
certResolver: "lets-encrypt"
services:
barbarian:
loadBalancer:
servers:
- url: "http://192.168.1.10/"
monk:
loadBalancer:
servers:
- url: "http://192.168.1.11/"
paladin:
loadBalancer:
servers:
- url: "http://192.168.1.12/"

17
homelab/stacks/traefik/config/ranger.yaml
View File

@ -1,17 +0,0 @@
http:
routers:
ranger:
rule: "Host(`pihole.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "ranger@file"
tls:
certResolver: "lets-encrypt"
services:
ranger:
loadBalancer:
servers:
- url: "http://192.168.1.32/"

36
homelab/stacks/traefik/config/silver-hand.yaml
View File

@ -1,36 +0,0 @@
tcp:
routers:
silver-hand:
entrypoints:
- "websecure"
- "web"
rule: HostSNIRegexp(`^.+\.jafner\.dev$`)
service: "silver-hand@file"
tls:
passthrough: true
services:
silver-hand:
loadBalancer:
servers:
- address: "192.168.1.31:443"
- address: "192.168.1.32:443"
- address: "192.168.1.33:443"
http:
routers:
silver-hand:
entrypoints:
- "websecure"
- "web"
rule: HostRegexp(`^.+\.jafner\.dev$`)
service: "silver-hand@file"
services:
silver-hand:
loadBalancer:
passHostHeader: true
servers:
- url: "https://192.168.1.31"
- url: "https://192.168.1.32"
- url: "https://192.168.1.33"

100
homelab/stacks/traefik/config/tasmota.yaml
View File

@ -1,100 +0,0 @@
http:
routers:
toes-day:
rule: "Host(`day.toes.tasmota.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "toes-day@file"
tls:
certResolver: "lets-encrypt"
toes-night:
rule: "Host(`night.toes.tasmota.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "toes-night@file"
tls:
certResolver: "lets-encrypt"
lab-rack:
rule: "Host(`rack.tasmota.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "lab-rack@file"
tls:
certResolver: "lets-encrypt"
sprout-day:
rule: "Host(`day.sprout.tasmota.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "sprout-day@file"
tls:
certResolver: "lets-encrypt"
figment-day:
rule: "Host(`day.figment.tasmota.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "figment-day@file"
tls:
certResolver: "lets-encrypt"
figment-night:
rule: "Host(`night.figment.tasmota.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "figment-night@file"
tls:
certResolver: "lets-encrypt"
president-day:
rule: "Host(`day.president.tasmota.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "president-day@file"
tls:
certResolver: "lets-encrypt"
cowboy-day:
rule: "Host(`day.cowboy.tasmota.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
service: "cowboy-day@file"
tls:
certResolver: "lets-encrypt"
services:
toes-day:
loadBalancer:
servers:
- url: "http://192.168.1.50/"
lab-rack:
loadBalancer:
servers:
- url: "http://192.168.1.51/"
cowboy-day:
loadBalancer:
servers:
- url: "http://192.168.1.52/"
figment-day:
loadBalancer:
servers:
- url: "http://192.168.1.53/"
figment-night:
loadBalancer:
servers:
- url: "http://192.168.1.54/"
president-day:
loadBalancer:
servers:
- url: "http://192.168.1.55/"
toes-night:
loadBalancer:
servers:
- url: "http://192.168.1.56"
sprout-day:
loadBalancer:
servers:
- url: "http://192.168.1.57/"

4
homelab/stacks/traefik/config/tls.yaml
View File

@ -1,4 +0,0 @@
tls:
options:
tls12:
minVersion: VersionTLS12

11
homelab/stacks/traefik/config/traefik_api.yaml
View File

@ -1,11 +0,0 @@
http:
routers:
api:
rule: "Host(`traefik.jafner.net`)"
entryPoints: "websecure"
middlewares:
- "lan-only@file"
#- "traefik-forward-auth@file"
service: "api@internal"
tls:
certResolver: "lets-encrypt"

11
homelab/stacks/traefik/stack.nix
View File

@ -1,16 +1,15 @@
{ sys, ... }: let stack = "traefik"; in {
home-manager.users."${sys.username}".home.file = {
"${stack}" = {
enable = true;
recursive = true;
source = ./.;
target = "stacks/${stack}/";
};
"${stack}/.env" = {
enable = true;
text = ''APPDATA=${sys.dataDirs.appdata}/${stack}'';
target = "stacks/${stack}/.env";
};
"${stack}/config/config.yaml" = {
enable = true;
source = ./config/config.yaml;
target = "stacks/${stack}/config/config.yaml";
};
};
sops.secrets."${stack}" = {
sopsFile = ./traefik.secrets;