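# Repository layout (vps-docker-workspace):
#   README.md
#   auth.yml
#   code-server.yml
#   docker-compose.yml
#
# README.md: "vps-docker-workspace — a set of Docker files for the Habr
# article https://habr.com/ru/company/macloud/blog/560020/"
#
# The three compose files follow as separate YAML documents, each introduced
# by a "# file:" comment. They share the "intranet" network, which is created
# by docker-compose.yml and referenced as external by the other two files.
#
# Secrets (Keycloak admin password, OIDC client secret, forward-auth cookie
# secret, code-server sudo password) were previously committed as literal
# values; they are now read from the environment / a git-ignored .env file,
# and the "${VAR:?message}" form makes `docker-compose up` refuse to start
# when a value is missing instead of silently falling back to a default.

--- # file: auth.yml
# Keycloak (OIDC identity provider) plus traefik-forward-auth, the Traefik
# middleware that other routers reference as "traefik-forward-auth".
version: '3.9'

networks:
  intranet:
    external: true

volumes:
  keycloakdata:
    name: keycloakdata

services:
  keycloak:
    image: jboss/keycloak   # TODO: pin to a release tag; an untagged image floats with upstream
    container_name: keycloak
    restart: always
    networks:
      - intranet
    volumes:
      - keycloakdata:/opt/jboss/keycloak/standalone/data
    environment:
      # h2 is Keycloak's embedded database; it lives inside the "keycloakdata"
      # volume above and is meant for evaluation rather than durable use.
      DB_VENDOR: h2
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: "${KEYCLOAK_PASSWORD:?set KEYCLOAK_PASSWORD in .env}"
      # Keycloak is reached only through Traefik, so it must honour the
      # X-Forwarded-* headers to build correct redirect URLs.
      PROXY_ADDRESS_FORWARDING: "true"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.keycloak.rule=Host(`auth.example.com`)"
      - "traefik.http.routers.keycloak.tls=true"
      - "traefik.http.routers.keycloak.tls.certresolver=leresolver"

  traefik-forward-auth:
    image: thomseddon/traefik-forward-auth   # TODO: pin to a release tag
    container_name: traefik-forward-auth
    restart: always
    networks:
      - intranet
    environment:
      DEFAULT_PROVIDER: oidc
      # Realm "example" on the Keycloak instance defined above.
      PROVIDERS_OIDC_ISSUER_URL: "https://auth.example.com/auth/realms/example"
      PROVIDERS_OIDC_CLIENT_ID: traefik
      PROVIDERS_OIDC_CLIENT_SECRET: "${PROVIDERS_OIDC_CLIENT_SECRET:?set PROVIDERS_OIDC_CLIENT_SECRET in .env}"
      # Signs the session cookie; a guessable value lets anyone forge a login.
      SECRET: "${FORWARD_AUTH_SECRET:?set FORWARD_AUTH_SECRET in .env}"
      # Kept from the original article setup; lower it (e.g. "info") once the
      # flow works, since debug output of an auth proxy is sensitive.
      LOG_LEVEL: debug
    labels:
      - "traefik.enable=true"
      # Middleware definition consumed by the "code" and "traefik" routers;
      # the address is the container's name on the shared intranet network.
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"

--- # file: code-server.yml
# Browser-based VS Code (linuxserver image), published through Traefik and
# gated by the OIDC forward-auth middleware from auth.yml.
version: "3.9"

volumes:
  codeserverdata:
  codeappdir:

networks:
  intranet:
    external: true

services:
  code-server:
    image: ghcr.io/linuxserver/code-server   # TODO: pin to a release tag
    container_name: code-server
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
      # Optional in the image (remove the line to run without a sudo password);
      # when present it is read from .env rather than committed.
      - "SUDO_PASSWORD=${SUDO_PASSWORD:?set SUDO_PASSWORD in .env}"
      - PROXY_DOMAIN=code.example.com
    volumes:
      - codeserverdata:/config
      - codeappdir:/app
    extra_hosts:
      host.docker.internal: host-gateway
    restart: always
    networks:
      - intranet
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.code.rule=Host(`code.example.com`)"
      - "traefik.http.routers.code.tls=true"
      - "traefik.http.routers.code.tls.certresolver=leresolver"
      # Every request must pass the OIDC middleware defined in auth.yml.
      - "traefik.http.routers.code.middlewares=traefik-forward-auth"

--- # file: docker-compose.yml
# Traefik edge proxy (Let's Encrypt via HTTP-01) and Portainer; also creates
# the "intranet" network the other files attach to.
version: "3.9"

services:
  traefik:
    image: "traefik:latest"   # TODO: pin to a release tag; "latest" changes under you on every pull
    # Was declared twice in the original; most parsers keep the last copy
    # silently, so only one is kept here.
    container_name: traefik
    # Added for consistency with every other service in this workspace.
    restart: always
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --providers.docker=true
      # Containers are published only when they opt in with traefik.enable=true.
      - --providers.docker.exposedbydefault=false
      - --log.level=INFO
      - --certificatesresolvers.leresolver.acme.httpchallenge=true
      - --certificatesresolvers.leresolver.acme.email=user@usermail.com
      - --certificatesresolvers.leresolver.acme.storage=/acme.json
      - --certificatesresolvers.leresolver.acme.httpchallenge.entrypoint=web
      # Entrypoint-level redirect of all plain HTTP to HTTPS.
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --metrics.prometheus=true
      - --api.dashboard=true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Read-only is enough for provider discovery; the socket still grants
      # visibility into every container, so keep this service minimal.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # Holds the private keys for the issued certificates; Traefik requires
      # the host file to exist with mode 600.
      - "./acme.json:/acme.json"
    networks:
      - intranet
    labels:
      # Older catch-all redirect router; redundant with the entrypoint
      # redirect in "command" above but kept as in the original.
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # Dashboard, served from the internal API and protected by forward-auth.
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls.certresolver=leresolver"
      - "traefik.http.routers.traefik.middlewares=traefik-forward-auth"
      # Not referenced by the router above (it uses api@internal); harmless.
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"

  portainer:
    image: portainer/portainer-ce:2.5.0-alpine
    container_name: portainer
    command: -H unix:///var/run/docker.sock
    restart: always
    volumes:
      # Read-write socket access is equivalent to root on the host; Portainer
      # is guarded only by its own login, so keep it patched and its admin
      # credentials strong.
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer_data:/data
    networks:
      - intranet
    labels:
      # Frontend
      - "traefik.enable=true"
      - "traefik.http.routers.frontend.rule=Host(`portainer.example.com`)"
      - "traefik.http.routers.frontend.entrypoints=websecure"
      - "traefik.http.services.frontend.loadbalancer.server.port=9000"
      - "traefik.http.routers.frontend.service=frontend"
      # Explicit, matching the other routers; a certresolver alone already
      # implies TLS in Traefik v2.
      - "traefik.http.routers.frontend.tls=true"
      - "traefik.http.routers.frontend.tls.certresolver=leresolver"

volumes:
  portainer_data:

networks:
  intranet:
    name: intranet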