added traefik files and settings

docker-compose.yml

@@ -1,44 +1,6 @@
 version: '3'
 
 services:
-  cloudflareddns:
-    container_name: cloudflareddns
-    hostname: cloudflareddns
-    image: hotio/cloudflareddns:latest
-    environment:
-      - PGID=$PGID
-      - PUID=$PUID
-      - TZ=$TZ
-      - CF_APITOKEN=eSH_TXT95jL2NrHL8cT6kcrx4X-sdJswxGH1rbT6
-      - CF_HOSTS=aknlw.com
-      - CF_RECORDTYPES=A
-      - CF_USER=akanealw@gmail.com
-      - CF_ZONES=aknlw.com
-      - DETECTION_MODE=dig-whoami.cloudflare
-      - INTERVAL=300
-      - LOG_LEVEL=2
-    restart: always
-    volumes:
-      - ./appdata/cloudflareddns/config:/config
-      - /etc/localtime:/etc/localtime:ro
-      
-  nginxproxymanager:
-    container_name: nginxproxymanager
-    hostname: nginxproxymanager
-    image: jc21/nginx-proxy-manager:latest
-    environment:
-      - X_FRAME_OPTIONS=sameorigin
-      - DB_SQLITE_FILE=/data/database.sqlite
-    ports:
-      - 8443:443/tcp
-      - 80:80/tcp
-      - 81:81/tcp
-    restart: always
-    volumes:
-      - ./appdata/nginxproxymanager/data:/data
-      - ./appdata/nginxproxymanager/letsencrypt:/etc/letsencrypt
-      - /etc/localtime:/etc/localtime:ro
-
   openvpn:
     container_name: openvpn
     hostname: openvpn
@@ -72,6 +34,10 @@ services:
     image: portainer/portainer-ce:latest
     environment:
       - AGENT_SECRET=$ADMIN
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.portainer.entryPoints=https
+      - traefik.http.services.portainer.loadbalancer.server.port=9000
     ports:
       - 9000:9000/tcp
     restart: always
@@ -111,6 +77,10 @@ services:
       - DEBUG=false
       - LAN_NETWORK=192.168.1.0/24
       - NAME_SERVERS=209.222.18.222,84.200.69.80,37.235.1.174,1.1.1.1,209.222.18.218,37.235.1.177,84.200.70.40,1.0.0.1
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.privoxyvpn.entryPoints=https
+      - traefik.http.services.privoxyvpn.loadbalancer.server.port=8118
     privileged: true
     sysctls:
       - net.ipv4.conf.all.src_valid_mark=1
@@ -120,3 +90,27 @@ services:
     volumes:
       - ./appdata/privoxyvpn/config:/config
       - /etc/localtime:/etc/localtime:ro
+
+  traefik:
+    container_name: traefik
+    image: traefik:2.5
+    ports:
+      - 80:80
+      - 443:443
+      - 8080:8080
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./appdata/traefik/:/etc/traefik/
+    networks:
+      - default
+    labels:
+      traefik.http.routers.api.rule: Host(`traefik.aknlw.com`)
+      traefik.http.routers.api.entryPoints: https
+      traefik.http.routers.api.service: api@internal
+      traefik.enable: true
+    environment:
+      DO_AUTH_TOKEN: dop_v1_0c437a780149010ce186a09117fa6edec29bda0afecc8831cd8c025798990891
+    restart: unless-stopped
+
+networks:
+  default:

fileConfig.yml

@@ -0,0 +1,81 @@
+http:
+  ## EXTERNAL ROUTING EXAMPLE - Only use if you want to proxy something manually ##
+  routers:
+#    homeassistant:
+#      entryPoints:
+#        - https
+#      rule: 'Host(`homeassistant.domain.com`)'
+#      service: homeassistant
+#      middlewares:
+#        - "auth"  
+#  ## SERVICES EXAMPLE ##
+  services:
+#    homeassistant:
+#      loadBalancer:
+#        servers:
+#          - url: http://192.168.60.5:8123/
+
+#  ## MIDDLEWARES ##
+  middlewares:
+#  Only Allow Local networks
+#   local-ipwhitelist:
+#     ipWhiteList:
+#       sourceRange: 
+#         - 127.0.0.1/32 # localhost
+#         - 192.168.1.1/24 # LAN Subnet
+  
+#  # Authelia guard
+#    authelia:
+#      forwardauth:
+#        address: http://authelia:9091/api/verify?rd=https://identity.aknlw.com/ # replace auth with your authelia container name
+#        trustForwardHeader: true
+#        authResponseHeaders:
+#          - Remote-User
+#          - Remote-Groups
+#          - Remote-Name
+#          - Remote-Email
+  
+#  # Authelia basic auth guard
+#    authelia-basic:
+#      forwardauth:
+#        address: http://authelia:9091/api/verify?auth=basic # replace auth with your authelia container name
+#        trustForwardHeader: true
+#        authResponseHeaders:
+#          - Remote-User
+#          - Remote-Groups
+#          - Remote-Name
+#          - Remote-Email
+
+    # Security headers
+    securityHeaders:
+      headers:
+        customResponseHeaders:
+          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
+          server: ""
+          X-Forwarded-Proto: "https"
+        sslProxyHeaders:
+          X-Forwarded-Proto: https
+        referrerPolicy: "strict-origin-when-cross-origin"
+        hostsProxyHeaders:
+          - "X-Forwarded-Host"
+        customRequestHeaders:
+          X-Forwarded-Proto: "https"
+        contentTypeNosniff: true
+        browserXssFilter: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsSeconds: 63072000
+        stsPreload: true
+
+# Only use secure ciphers - https://ssl-config.mozilla.org/#server=traefik&version=2.6.0&config=intermediate&guideline=5.6
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+      cipherSuites:
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

traefik.yml

@@ -0,0 +1,71 @@
+global:
+  checkNewVersion: true
+  sendAnonymousUsage: false
+
+serversTransport:
+  insecureSkipVerify: true
+
+entryPoints:
+  # Not used in apps, but redirect everything from HTTP to HTTPS
+  http:
+    address: :80
+    http:
+      redirections:
+        entryPoint:
+          to: https
+          scheme: https
+
+  # HTTPS endpoint, with domain wildcard
+  https:
+    address: :443
+    http:
+      tls:
+        # Generate a wildcard domain certificate
+        certResolver: letsencrypt
+        domains:
+          - main: aknlw.com
+            sans:
+              - '*.aknlw.com'
+      middlewares:
+        - securityHeaders@file
+
+providers:
+  providersThrottleDuration: 2
+
+  # File provider for connecting things that are outside of docker / defining middleware
+  file:
+    filename: /etc/traefik/fileConfig.yml
+    watch: true
+
+  # Docker provider for connecting all apps that are inside of the docker network
+  docker:
+    watch: true
+    network: docker_default # Add Your Docker Network Name Here
+    # Default host rule to containername.domain.example
+    defaultRule: "Host(`{{ index .Labels \"com.docker.compose.service\"}}.aknlw.com`)"
+    swarmModeRefreshSeconds: 15
+    exposedByDefault: false
+
+# Enable traefik ui
+api:
+  dashboard: true
+  insecure: true
+
+# Log level INFO|DEBUG|ERROR
+log:
+  level: INFO
+
+# Use letsencrypt to generate ssl serficiates
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
+      email: akanealw@gmail.com
+      storage: /etc/traefik/acme.json
+      dnsChallenge:
+        provider: digitalocean
+        delayBeforeCheck: 0
+        # Used to make sure the dns challenge is propagated to the rights dns servers
+        resolvers:
+          - "8.8.8.8:443"
+          - "8.8.4.4:443"