-
Notifications
You must be signed in to change notification settings - Fork 1
/
docker-compose.yml
125 lines (118 loc) · 4.54 KB
/
docker-compose.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
version: "3.3"
services:
# SOCKS Proxy
proxy-socks-dante:
image: "lthn/dante:v1.0.0"
volumes:
- ./images/proxy-socks-dante/conf/sockd.passwd:/home/danted/conf/sockd.passwd
env_file:
- .env
ports:
- "2020:2020"
labels:
- "traefik.enable=true"
- "traefik.http.services.dante.loadbalancer.server.port=2020"
- "traefik.http.routers.dante.rule=HostRegexp(`${SERVER_CNAME_NAMESPACE}`, `{subdomain:[a-z]+}.${SERVER_CNAME_NAMESPACE}`)"
- "traefik.http.routers.dante.entrypoints=dante"
- "traefik.http.routers.dante.middlewares=authentik@docker"
router-traefik:
image: "traefik:v2.10"
env_file:
- .env
command:
#- "--log.level=DEBUG"
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.websecure.address=:443"
- "--entrypoints.dante.address=:1080"
- "--entrypoints.openvpn.address=:1194"
- "--entrypoints.wireguard.address=:51820"
- "--certificatesresolvers.exitNode.acme.tlschallenge=true"
#- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.exitNode.acme.email=devops@lethean.io"
- "--certificatesresolvers.exitNode.acme.storage=/letsencrypt/acme.json"
- "--experimental.plugins.ldapAuth.modulename=github.com/wiltonsr/ldapAuth"
- "--experimental.plugins.ldapAuth.version=v0.0.22"
ports:
- "443:443"
- "80:8080"
volumes:
- "./letsencrypt:/letsencrypt"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
auth-jwt-proxy:
image: ghcr.io/goauthentik/proxy
ports:
- 9000:9000
- 9443:9443
env_file:
- .env
environment:
AUTHENTIK_HOST: https://${AUTH_HOSTNAME}
AUTHENTIK_INSECURE: "false"
AUTHENTIK_TOKEN: qilbRpXKmXlgDYQZUsL6EiyhsMocyT4vQ0rP9bFL
# Starting with 2021.9, you can optionally set this too
# when authentik_host for internal communication doesn't match the public URL
# AUTHENTIK_HOST_BROWSER: https://external-domain.tld
labels:
traefik.enable: true
traefik.port: 9000
traefik.http.routers.authentik.rule: HostRegexp(`${SERVER_CNAME_NAMESPACE}`, `{subdomain:[a-z]+}.${SERVER_CNAME_NAMESPACE}`) && PathPrefix(`/outpost.goauthentik.io/`)
# `authentik-proxy` refers to the service name in the compose file.
traefik.http.middlewares.authentik.forwardauth.address: https://${AUTH_HOSTNAME}/outpost.goauthentik.io/auth/traefik
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version
restart: unless-stopped
vpn-openvpn:
image: lthn/openvpn
ports:
- "0.0.0.0:1194:1194/udp"
- "8080:8080/tcp"
- "8081:8081/tcp"
devices:
- /dev/net/tun
cap_add:
- NET_ADMIN
environment:
EASYRSA: /usr/local/share/easy-rsa/easyrsa3
EASYRSA_PKI: /etc/openvpn/pki
EASYRSA_VARS_FILE: /etc/openvpn/vars
EASYRSA_BATCH: 1
EASYRSA_NO_PASS: 1
EASYRSA_ALGO: "ed"
EASYRSA_DN: "cn_only"
UPN: dev.server.host.uk.com
labels:
- "traefik.enable=true"
- "traefik.udp.routers.openvpn.rule=HostRegexp(`${SERVER_CNAME_NAMESPACE}`, `{subdomain:[a-z]+}.${SERVER_CNAME_NAMESPACE}`)"
- "traefik.udp.routers.openvpn.entrypoints=openvpn"
restart: unless-stopped
vpn-wireguard:
image: linuxserver/wireguard:latest
cap_add:
- NET_ADMIN
- SYS_MODULE #optional
environment:
- PUID=1000
- PGID=1000
- TZ=Etc/UTC
- SERVERURL=$NODE_HOSTNAME #optional
- SERVERPORT=51820 #optional
- PEERS=1 #optional
- PEERDNS=auto #optional
- INTERNAL_SUBNET=10.13.13.0 #optional
- ALLOWEDIPS=0.0.0.0/0 #optional
- PERSISTENTKEEPALIVE_PEERS= #optional
- LOG_CONFS=true #optional
volumes:
- ./config:/config
- /lib/modules:/lib/modules #optional
ports:
- 51820:51820/udp
sysctls:
- net.ipv4.conf.all.src_valid_mark=1
labels:
- "traefik.enable=true"
- "traefik.udp.routers.wireguard.rule=HostRegexp(`${SERVER_CNAME_NAMESPACE}`, `{subdomain:[a-z]+}.${SERVER_CNAME_NAMESPACE}`)"
- "traefik.udp.routers.wireguard.entrypoints=wireguard"
restart: unless-stopped