Traefik 2.0 example config with google forward-auth
# .env — read by docker-compose for ${VAR} substitution in docker-compose.yml.
# Keep this file out of version control: it holds the Cloudflare key and the
# OAuth client secret.
# Host uid that owns ./plex, ./jellyfin etc.; passed to containers as PUID/PGID.
# NOTE(review): UID is a read-only variable in bash, so this file cannot be
# `source`d from a shell — fine for docker-compose, which parses it itself.
UID=1000
# Base domain; router rules use `<service>.${TLD}` as the hostname.
TLD=mydomain.com
# ACME
# Contact address registered with the ACME CA
# (--certificatesresolvers.cfdns.acme.email in docker-compose.yml).
ACME_EMAIL=admin@mydomain.com
# Cloudflare credentials for the DNS-01 challenge.  This is the account-wide
# Global API Key; Traefik's cloudflare provider also accepts a scoped token
# (CF_DNS_API_TOKEN), which limits what a leaked .env can do.
CLOUDFLARE_EMAIL=admin@mydomain.com
CLOUDFLARE_API_KEY=xxxx
# OAUTH
# Presumably consumed by the forward-auth service behind oauth.mydomain.com
# (see googleAuth in dynamic_conf.yml); nothing in the compose file shown here
# references them.
OAUTH_CLIENT_ID=xxxx
OAUTH_CLIENT_SECRET=xxxx
OAUTH_SECRET=xxxx
# Address(es) allowed through forward-auth — verify the format against the
# auth service's own docs.
WHITELIST=admin@mydomain.com
# Bind-mounted into plex and jellyfin at /data/media.
# NOTE(review): whether `$HOME` is expanded inside .env depends on the Compose
# version (older python docker-compose passed it through literally) — confirm,
# or use an absolute path.
REMOTE_MEDIA_ROOT=$HOME/storage/remote/media
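---
# docker-compose.yml — Traefik 2.0 reverse proxy in front of media/monitoring
# containers.  Every routed container joins the pre-created external network
# `gateway`; Traefik only exposes containers that opt in with
# `traefik.enable=true` (`--providers.docker.exposedbydefault=false` below).
# The `*@file` middlewares and TLS options referenced in labels live in
# ./traefik/dynamic_conf.yml.
version: '3.7'

networks:
  # Created out-of-band with `docker network create gateway`.
  gateway:
    external: true

services:
  jellyfin:
    container_name: jellyfin
    devices:
      # GPU device node for hardware transcoding.
      - '/dev/dri:/dev/dri'
    environment:
      PGID: '${UID}'
      PUID: '${UID}'
    image: linuxserver/jellyfin
    labels:
      - traefik.enable=true
      - traefik.docker.network=gateway
      # Router and service are named `jellyfin`.  The original labels reused
      # the `plex` names, so router `plex` / service `plex` were defined twice
      # with different settings (this container and the plex container below);
      # Traefik rejects such conflicting definitions.
      - 'traefik.http.routers.jellyfin.rule=Host(`jellyfin.${TLD}`)'
      - traefik.http.routers.jellyfin.entrypoints=websecure
      - traefik.http.routers.jellyfin.tls.options=securetls@file
      - traefik.http.routers.jellyfin.tls.certresolver=cfdns
      - traefik.http.routers.jellyfin.middlewares=secureHeaders@file
      - traefik.http.services.jellyfin.loadbalancer.server.port=8096
    networks:
      - gateway
    ports:
      # Also published directly on the host; this path bypasses Traefik (no
      # TLS, no secureHeaders).  Remove it if LAN access on :8096 is not needed.
      - '8096:8096'
    restart: unless-stopped
    volumes:
      - '/etc/localtime:/etc/localtime:ro'
      - '/dev/shm:/dev/shm'
      - './jellyfin:/config'
      - './jellyfin/transcode:/transcode'
      - '${REMOTE_MEDIA_ROOT}:/data/media'

  plex:
    container_name: plex
    environment:
      PGID: '${UID}'
      PLEX_GID: '${UID}'
      PLEX_UID: '${UID}'
      PUID: '${UID}'
    extra_hosts:
      # Sinkhole Plex telemetry hosts inside the container.
      - 'analytics.plex.tv:127.0.0.1'
      - 'metrics.plex.tv:127.0.0.1'
    image: linuxserver/plex
    labels:
      - traefik.enable=true
      - traefik.docker.network=gateway
      - 'traefik.http.routers.plex.rule=Host(`plex.${TLD}`)'
      - traefik.http.routers.plex.entrypoints=websecure
      - traefik.http.routers.plex.tls.options=securetls@file
      - traefik.http.routers.plex.tls.certresolver=cfdns
      - traefik.http.routers.plex.middlewares=secureHeaders@file
      - traefik.http.services.plex.loadbalancer.server.port=32400
    networks:
      - gateway
    ports:
      # Direct host publish; bypasses Traefik and its TLS/header policy.
      - '32400:32400'
    restart: unless-stopped
    volumes:
      - '/etc/localtime:/etc/localtime:ro'
      - '/dev/shm:/dev/shm'
      - './plex:/config/Library/Application Support/Plex Media Server'
      - './plex/transcode:/transcode'
      - '${REMOTE_MEDIA_ROOT}:/data/media'

  netdata:
    cap_add:
      # Lets netdata inspect other processes on the host.
      - SYS_PTRACE
    container_name: netdata
    environment:
      # Presumably the host's docker group gid, so the container can read the
      # mounted Docker socket — confirm against `getent group docker`.
      PGID: 999
    hostname: myservername
    image: netdata/netdata
    labels:
      - traefik.enable=true
      - traefik.docker.network=gateway
      - 'traefik.http.routers.netdata.rule=Host(`netdata.${TLD}`)'
      - traefik.http.routers.netdata.entrypoints=websecure
      - traefik.http.routers.netdata.tls.options=securetls@file
      - traefik.http.routers.netdata.tls.certresolver=cfdns
      # The only router here that also passes through the forward-auth
      # middleware; this container sees host /proc, /sys and the Docker socket.
      - traefik.http.routers.netdata.middlewares=secureHeaders@file,googleAuth@file
    networks:
      - gateway
    restart: unless-stopped
    security_opt:
      - 'apparmor:unconfined'
    volumes:
      - '/etc/localtime:/etc/localtime:ro'
      - '/proc:/host/proc:ro'
      - '/sys:/host/sys:ro'
      # `:ro` only makes the socket file read-only; the Docker API behind it is
      # still fully usable, so this grants host-root-equivalent access.
      - '/var/run/docker.sock:/var/run/docker.sock:ro'

  speedtest:
    container_name: speedtest
    environment:
      # PUID/PGID convention of the linuxserver images; whether this image
      # honours them is not shown here.
      PGID: '${UID}'
      PUID: '${UID}'
    image: adolfintel/speedtest
    labels:
      - traefik.enable=true
      - traefik.docker.network=gateway
      - 'traefik.http.routers.speedtest.rule=Host(`speedtest.${TLD}`)'
      - traefik.http.routers.speedtest.entrypoints=websecure
      - traefik.http.routers.speedtest.tls.options=securetls@file
      - traefik.http.routers.speedtest.tls.certresolver=cfdns
      # No forward-auth: this endpoint is reachable by anyone who can resolve
      # the hostname.  Append `,googleAuth@file` to gate it.
      - traefik.http.routers.speedtest.middlewares=secureHeaders@file
    networks:
      - gateway
    restart: unless-stopped

  traefik:
    command:
      - '--global.sendanonymoususage=false'
      # Dynamic config (TLS options, middlewares) from ./traefik mounted below.
      - '--providers.file.directory=/etc/traefik'
      - '--providers.docker=true'
      - '--providers.docker.network=gateway'
      # Containers must opt in via traefik.enable=true.
      - '--providers.docker.exposedbydefault=false'
      # Only :443 is served; no :80 entrypoint and no --api, so the dashboard
      # is not reachable.
      - '--entrypoints.websecure.address=:443'
      # DNS-01 via Cloudflare, credentials from the environment below.
      - '--certificatesresolvers.cfdns.acme.dnschallenge=true'
      - '--certificatesresolvers.cfdns.acme.dnschallenge.provider=cloudflare'
      # acme.json holds the private keys; keep ./traefik/acme.json mode 0600.
      - '--certificatesresolvers.cfdns.acme.storage=/etc/traefik/acme.json'
      - '--certificatesresolvers.cfdns.acme.email=${ACME_EMAIL}'
    container_name: traefik
    environment:
      # Global API key; a scoped token (CF_DNS_API_TOKEN) is the
      # least-privilege alternative supported by the cloudflare provider.
      CLOUDFLARE_API_KEY: '${CLOUDFLARE_API_KEY}'
      CLOUDFLARE_EMAIL: '${CLOUDFLARE_EMAIL}'
    image: 'traefik:v2.0'
    networks:
      - gateway
    ports:
      - '443:443'
    restart: unless-stopped
    volumes:
      # Required for the Docker provider; see the note on netdata about `:ro`.
      - '/var/run/docker.sock:/var/run/docker.sock:ro'
      - './traefik:/etc/traefik'

  watchtower:
    command:
      # -c: remove old images after an update.
      - '-c'
      # -s: 6-field cron schedule — daily at 04:00.
      # NOTE(review): flag and value are one argv element here; confirm
      # watchtower accepts that form, otherwise split into '-s' and the expression.
      - '-s 0 0 4 * * *'
    container_name: watchtower
    environment:
      PGID: '${UID}'
      PUID: '${UID}'
    image: containrrr/watchtower
    labels:
      # Redundant with exposedbydefault=false, but makes the intent explicit.
      - traefik.enable=false
    networks:
      - gateway
    restart: unless-stopped
    volumes:
      - '/etc/localtime:/etc/localtime:ro'
      # Watchtower pulls and restarts containers through this socket.
      - '/var/run/docker.sock:/var/run/docker.sock:ro'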
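---
# ./traefik/dynamic_conf.yml — loaded by Traefik's file provider
# (`--providers.file.directory=/etc/traefik` in docker-compose.yml) and
# referenced from container labels as `securetls@file`, `secureHeaders@file`
# and `googleAuth@file`.
tls:
  options:
    securetls:
      # Reject connections whose SNI matches no served certificate.
      sniStrict: true
      minVersion: VersionTLS12
      # TLS 1.2 is restricted to forward-secret (ECDHE) suites.  The original
      # list also allowed TLS_RSA_WITH_AES_256_GCM_SHA384 (static RSA key
      # exchange, no forward secrecy); it is dropped here.  The three
      # TLS_*_SHA256/SHA384 names are TLS 1.3 suites, which Go does not let
      # applications configure — they are harmless but have no effect.
      cipherSuites:
        - TLS_CHACHA20_POLY1305_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

http:
  middlewares:
    googleAuth:
      # Delegates authentication to an external forward-auth service.  That
      # service is not part of the compose file in this gist, and the file
      # provider does not do shell-style `${TLD}` substitution, so the
      # hostname is spelled out.
      forwardAuth:
        address: 'https://oauth.mydomain.com'
        # Trusts the incoming X-Forwarded-* headers when building the auth
        # request; acceptable only while Traefik is the sole entry point and
        # no other proxy sits in front of it.
        trustForwardHeader: true
        # Copied from the auth service's response onto the upstream request.
        authResponseHeaders:
          - X-Forwarded-User
    secureHeaders:
      headers:
        # Option names follow Traefik's documented camelCase spelling (the
        # original had FrameDeny / SSLRedirect).
        frameDeny: true
        sslRedirect: true
        stsSeconds: 315360000
        stsPreload: true
        stsIncludeSubdomains: true
        contentTypeNosniff: true
        browserXssFilter: true
        # The original put `X-Custom-Request-Header: "X-Robots-Tag=..."`
        # directly under `headers`, which is not a headers-middleware option.
        # The intent is a custom response header that keeps crawlers out.
        customResponseHeaders:
          X-Robots-Tag: 'noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex'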
robertbaker commented Dec 9, 2019

The external `gateway` network must be created first: `sudo docker network create gateway`

File Structure

.
./.env
./docker-compose.yml
./plex
./jellyfin
./traefik/dynamic_conf.yml
