Traefik and Zitadel
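version: "3.3"
services:
  traefik:
    image: "traefik:v3.0"
    container_name: "traefik"
    command:
      # Logging settings
      - '--log=true'
      - '--log.level=INFO' # DEBUG is the next, more verbose level
      # The dashboard is only reachable through the authenticated `dashboard`
      # router below (service api@internal). `--api.insecure=true` would also
      # publish the API/dashboard unauthenticated on :8080 and bypass the OIDC
      # forwardAuth entirely, so it is deliberately not set.
      - '--api.dashboard=true'
      - '--providers.docker=true'
      - '--providers.docker.exposedbydefault=false'
      - '--entrypoints.web.address=:80'
      - '--entrypoints.websecure.address=:443'
      - '--entrypoints.web.http.redirections.entrypoint.to=websecure'
      - '--entrypoints.web.http.redirections.entrypoint.scheme=https'
      # Let's Encrypt with the DNS challenge using Cloudflare
      - '--certificatesresolvers.letsencrypt.acme.email=${LE_EMAIL}'
      - '--certificatesresolvers.letsencrypt.acme.storage=/etc/letsencrypt/acme.json'
      - '--certificatesresolvers.letsencrypt.acme.dnschallenge=true'
      - '--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare'
      - '--certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=0'
    # Dynamic configuration
    labels:
      # Expose the dashboard on the public entrypoint, but only behind
      # oauth2-proxy (OIDC via Zitadel). A 401/403 from the forwardAuth call is
      # turned into the oauth2-proxy sign-in page by the auth-errors middleware.
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.${DOMAIN}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      # The router is named `dashboard`; an entrypoints label on any other
      # router name leaves this one attached to every entrypoint.
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=auth-errors,auth-dashboard-oidc"
      # allowed_groups limits access to one Zitadel role (<project id>:<role>);
      # the id below is specific to this deployment.
      - "traefik.http.middlewares.auth-dashboard-oidc.forwardAuth.address=http://oauth2-proxy:4180/oauth2/auth?allowed_groups=261320237939427870:Test"
      # Earlier basic-auth variant, kept for reference only:
      # - "traefik.http.routers.dashboard.middlewares=auth"
      # - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
    ports:
      - "80:80"
      - "443:443"
      # No "8080:8080": that listener only exists with --api.insecure=true.
    environment:
      # The Cloudflare global API key grants full account access; a scoped
      # DNS-edit API token (CF_DNS_API_TOKEN) is the safer credential to issue
      # when these are next rotated.
      - CF_API_EMAIL=${CLOUDFLARE_EMAIL}
      - CF_API_KEY=${CLOUDFLARE_API_KEY}
    volumes:
      # acme.json holds the private keys of every issued certificate; keep the
      # directory root-only (Traefik expects acme.json to be mode 600).
      - "/var/lib/docker/volumes/letsencrypt:/etc/letsencrypt"
      # Even read-only, the socket gives the container full Docker API access;
      # this is inherent to the docker provider and worth knowing when
      # assessing what a Traefik compromise can reach.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    depends_on:
      oauth2-proxy:
        condition: service_healthy
  #################### Zitadel Proxy Service ####################
  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
    container_name: oauth2-proxy
    command:
      - --http-address=0.0.0.0:4180
      # Must be a random 16, 24 or 32 byte value (e.g. `openssl rand -base64 32`),
      # supplied from the environment / .env file, never a fixed literal in git:
      # it is the key that signs and encrypts every session cookie.
      - --cookie-secret=${OAUTH2_PROXY_COOKIE_SECRET}
      # Everything is served over HTTPS (web -> websecure redirect above), so
      # the session cookie must carry the Secure flag.
      - --cookie-secure=true
      # oauth2-proxy sits behind Traefik and needs the X-Forwarded-* headers
      # to build correct redirect URLs.
      - --reverse-proxy=true
      - --email-domain=*
      - --provider=oidc
      - --client-id=${ZITADEL_CLIENT_ID}
      - --client-secret=${ZITADEL_CLIENT_SECRET}
      - --oidc-issuer-url=${ZITADEL_ISSUER_URL}
      - --oidc-groups-claim=groups
    healthcheck:
      test: ['CMD', 'wget', '--spider', 'http://localhost:4180/ping']
    labels:
      - traefik.enable=true
      - traefik.http.services.oauth2-proxy.loadbalancer.server.port=4180
      # The OIDC callback and sign-in pages must be reachable on the same
      # HTTPS host as the dashboard; a router without a tls section does not
      # serve HTTPS requests, so it gets the same entrypoint and resolver.
      - traefik.http.routers.oauth2-proxy.rule=Host(`traefik.${DOMAIN}`) && PathPrefix(`/oauth2/`)
      - traefik.http.routers.oauth2-proxy.entrypoints=websecure
      - traefik.http.routers.oauth2-proxy.tls.certresolver=letsencrypt
      - traefik.http.routers.oauth2-proxy.priority=2147483647
      # Middleware referenced by the dashboard router: rewrite auth failures
      # into the oauth2-proxy sign-in page.
      - traefik.http.middlewares.auth-errors.errors.status=401-403
      - traefik.http.middlewares.auth-errors.errors.service=oauth2-proxy
      - traefik.http.middlewares.auth-errors.errors.query=/oauth2/sign_in
  # Test service. It has no auth middleware, so it is reachable by anyone who
  # can resolve secure-1.${DOMAIN}; do not leave it running in production.
  whoami:
    image: "traefik/whoami" # unpinned tag; pin a version for reproducible deploys
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`secure-1.${DOMAIN}`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"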