From cba188f8ea9a194c4aab47bd0e68fac38f8850b6 Mon Sep 17 00:00:00 2001 From: stcb <21@stcb.cc> Date: Thu, 21 Nov 2024 13:37:24 +0100 Subject: [PATCH] Add traefik, grafana, traefik dynamic conf --- docker-compose.yml | 63 ++++++++++++++++++++++++++++ traefik/dynamic_conf.d/nextcloud.yml | 35 ++++++++++++++++ traefik/traefik.yml | 26 ++++++++++++ 3 files changed, 124 insertions(+) create mode 100644 docker-compose.yml create mode 100644 traefik/dynamic_conf.d/nextcloud.yml create mode 100644 traefik/traefik.yml diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..5bd125b --- /dev/null +++ b/docker-compose.yml 
@@ -0,0 +1,63 @@
+version: "3.3"
+
+services:
+
+ traefik:
+ image: "traefik:latest"
+ container_name: "traefik"
+ command:
+# - "--log.level=DEBUG"
+ - "--api.insecure=true"
+ - "--providers.docker=true"
+ - "--providers.docker.exposedbydefault=false"
+ - "--providers.file.directory=/etc/traefik/dynamic_conf.d"
+ - "--entryPoints.https.address=:443"
+ - "--entryPoints.http.address=:80"
+ - "--certificatesresolvers.letsencrypt.acme.storage=/etc/traefik/letsencrypt/acme.json"
+ - "--certificatesresolvers.letsencrypt.acme.email=infra@clps.ch"
+ - "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
+ volumes:
+ - "/home/cloud/traefik/dynamic_conf.d:/etc/traefik/dynamic_conf.d/"
+ - "/home/cloud/traefik/letsencrypt/acme.json:/etc/traefik/letsencrypt/acme.json"
+ - "/var/run/docker.sock:/var/run/docker.sock:ro"
+ restart: unless-stopped
+ ports:
+ - "80:80"
+ - "443:443"
+ - "8069:8080"
+
+ grafana:
+ image: "grafana/grafana:latest"
+ container_name: "grafana"
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.grafana.rule=Host(`grafana.clps.ch`)"
+ - "traefik.http.routers.grafana.entrypoints=https"
+ - "traefik.http.routers.grafana.tls.certresolver=letsencrypt"
+ - "traefik.http.routers.grafana.tls=true"
+ - "traefik.http.services.grafana.loadbalancer.server.port=3000"
+ depends_on:
+ - traefik
+ #networks:
+ # - traefik-net
+
+ nextcloud:
+ image: "nextcloud/all-in-one:latest"
+ container_name: "nextcloud-aio-mastercontainer"
+ init: true
+ environment:
+ - "APACHE_PORT=11000"
+ - "APACHE_IP_BINDING=0.0.0.0"
+ ports:
+ - "8080:8080"
+ - "8443:8443"
+ volumes:
+ - "nextcloud_aio_mastercontainer:/mnt/docker-aio-config"
+ - "/var/run/docker.sock:/var/run/docker.sock:ro"
+ depends_on:
+ - traefik
+ restart: unless-stopped
+
+volumes:
+ nextcloud_aio_mastercontainer:
+
diff --git a/traefik/dynamic_conf.d/nextcloud.yml b/traefik/dynamic_conf.d/nextcloud.yml
new file mode 100644
index 0000000..4414f26
--- /dev/null
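Review bot: `--api.insecure=true` in `command:` combined with `- "8069:8080"` under `ports:` publishes the Traefik dashboard and API on every host interface with no authentication, and that API lists every router, service and backend address. Drop both lines and, if the dashboard is wanted, enable `--api.dashboard=true` and route `api@internal` through the `https` entrypoint behind a `basicAuth` or `ipAllowList` middleware; at the very least bind it locally with `"127.0.0.1:8069:8080"`. The AIO admin interface published as `"8080:8080"` is likewise reachable from any interface; when Traefik fronts Nextcloud the AIO reverse-proxy guidance, as far as I recall it, is `"127.0.0.1:8080:8080"` and no `8443` mapping — worth confirming against the current docs. Both `traefik` and `nextcloud` mount `/var/run/docker.sock`; the `:ro` only affects the socket's filesystem node, not the Docker API behind it, which can still start privileged containers, so a docker-socket proxy in front of Traefik is the usual mitigation (the AIO mastercontainer needs the socket by design). Finally, `traefik:latest` and `grafana/grafana:latest` mean each restart may pull a different image; pin a minor version or a digest.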
+++ b/traefik/dynamic_conf.d/nextcloud.yml
@@ -0,0 +1,35 @@
+http:
+ routers:
+ nextcloud:
+ rule: "Host(`cloud.clps.ch`)"
+ entrypoints:
+ - "https"
+ service: nextcloud
+ middlewares:
+ - nextcloud-chain
+ tls:
+ certresolver: "letsencrypt"
+
+ services:
+ nextcloud:
+ loadBalancer:
+ servers:
+ - url: "http://nextcloud-aio-mastercontainer:11000" # Use the host's IP address if Traefik runs outside the host network
+
+ middlewares:
+ nextcloud-secure-headers:
+ headers:
+ hostsProxyHeaders:
+ - "X-Forwarded-Host"
+ referrerPolicy: "same-origin"
+
+ https-redirect:
+ redirectscheme:
+ scheme: https
+
+ nextcloud-chain:
+ chain:
+ middlewares:
+ # - ... (e.g. rate limiting middleware)
+ - https-redirect
+ - nextcloud-secure-headers
diff --git a/traefik/traefik.yml b/traefik/traefik.yml
new file mode 100644
index 0000000..3e66149
--- /dev/null
+++ b/traefik/traefik.yml
@@ -0,0 +1,26 @@
+# STATIC CONFIGURATION
+
+entryPoints:
+ https:
+ address: ":443" # Create an entrypoint called "https" that uses port 443
+ # If you want to enable HTTP/3 support, uncomment the line below
+ # http3: {}
+ web:
+ address: ":80"
+
+certificatesResolvers:
+ # Define "letsencrypt" certificate resolver
+ letsencrypt:
+ acme:
+ storage: /letsencrypt/acme.json # Defines the path where certificates should be stored
+ email: "infra@clps.ch" #Where LE sends notification about certificates expiring
+ tlschallenge: true
+
+providers:
+ file:
+ directory: "/etc/traefik/dynamic_conf.d" # Adjust the path according your needs.
+ watch: true
+
+# Enable HTTP/3 feature by uncommenting the lines below. Don't forget to route 443 UDP to Traefik (Firewall\NAT\Traefik Container)
+# experimental:
+ # http3: true
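Review bot: The `https-redirect` middleware in `nextcloud-chain` can never fire: the `nextcloud` router is bound only to the `https` entrypoint, so every request it sees is already TLS, while plain-HTTP requests on port 80 get a 404 from Traefik rather than a redirect. Put the redirect on the port-80 entrypoint in the static configuration instead (`--entrypoints.http.http.redirections.entrypoint.to=https` and `--entrypoints.http.http.redirections.entrypoint.scheme=https`) and drop `https-redirect` from the chain. `nextcloud-secure-headers` sets only `hostsProxyHeaders` and `referrerPolicy`; since this router is HTTPS-only, adding `stsSeconds: 15552000`, `stsIncludeSubdomains: true` and `stsPreload: true` here supplies the HSTS header that Nextcloud's admin security check expects. The backend `url` targets `nextcloud-aio-mastercontainer:11000`, but the `APACHE_PORT=11000` setting and the inline comment suggest that port belongs to the Apache container AIO spawns rather than the mastercontainer itself — verify the hostname actually resolves to the right container from Traefik's network before relying on this route.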
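Review bot: This static configuration appears to be dead: the compose file mounts only `dynamic_conf.d` and `acme.json` into the container and passes the static settings as `command:` flags, and Traefik reads its static configuration from the first source it finds rather than merging file and CLI. The two copies also disagree — the port-80 entrypoint is `web` here but `http` in the flags, `storage` is `/letsencrypt/acme.json` here but `/etc/traefik/letsencrypt/acme.json` there, and this file defines no `providers.docker` and no `api` — so if it were ever mounted at `/etc/traefik/traefik.yml` the Grafana labels would stop routing and the ACME store would land outside the bind-mounted path. Pick one source: either mount this file and delete the `command:` list, or delete this file, and mark whichever remains with a comment such as `# Single source of Traefik static configuration; do not duplicate in docker-compose.yml`. `watch: true` under `providers.file` is the right setting for the dynamic directory and should be carried over to whichever source survives.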