avoid unnecessary nested content

reverse-proxy/README.md

@@ -0,0 +1,30 @@
+# Reverse-Proxy
+Creates a reverse proxy to expose other services running in the NAS
+
+## Traefik
+[`traefik`](https://hub.docker.com/_/traefik) is a reverse proxy for docker services.
+
+### 🌐 Ports
+- `80 TCP`: HTTP access. Should always redirect to HTTPs
+- `443 TCP`: HTTPs access
+
+### 📂 Volumes
+- `traefik_dynamic_config`: Folder containing the dynamic configuration for `File` provider. See [traefik documentation](https://doc.traefik.io/traefik/providers/file/).
+
+### 📝 Configs
+- `traefik.yml`: [Static configuration file](https://doc.traefik.io/traefik/providers/file/)
+- `dynamic/authelia.yml`: [HTTP ForwardAuth](https://doc.traefik.io/traefik/middlewares/http/forwardauth/) middlewares to authenticate via the authentication service (Authelia)
+- `dynamic/hsts.yml`: Set of HTTP headers to enable [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
+- `dynamic/htransformation.yml`: HTTP header conversion via [htransformation](https://github.com/tommoulard/htransformation) to enable authentication on some services
+- `dynamic/portainer.yml`: Route exposing Portainer
+- `dynamic/synology.yml`: Route exposing the Synology DSM interface of the host
+- `dynamic/tls.yml`: [TLS](https://doc.traefik.io/traefik/https/tls/) configuration of the instance
+- `dynamic/traefik.yml`: Route exposing the Traefik API/Dashboard
+- `dynamic/qbittorrent-api.yml`: Special case exposing the API of qBittorrent with BasicAuth managed by the Authentication service
+
+### 🔒 Secrets
+- `traefik_tls_cert`: Self-signed certificate for Traefik. Particularly useful in development to avoid generating new certificates on each restart.
+- `traefik_tls_key`: Self-signed private key for Traefik. Used with `traefik_tls_cert`.
+
+### 📒 Documentation
+- [Traefik](https://doc.traefik.io/) official documentation

reverse-proxy/configs/dynamic/authelia.yml

@@ -0,0 +1,20 @@
+http:
+  middlewares:
+    authelia:
+      forwardAuth:
+        address: 'http://authelia:9091/api/verify?rd=https%3A%2F%2Fauthelia.{{ env `NASCOMPOSE_DOMAIN` }}%2F'
+        trustForwardHeader: true
+        authResponseHeaders:
+          - Remote-User
+          - Remote-Groups
+          - Remote-Name
+          - Remote-Email
+    authelia-basic:
+      forwardAuth:
+        address: http://authelia:9091/api/verify?auth=basic
+        trustForwardHeader: true
+        authResponseHeaders:
+          - Remote-User
+          - Remote-Groups
+          - Remote-Name
+          - Remote-Email

reverse-proxy/configs/dynamic/hsts.yml

@@ -0,0 +1,9 @@
+http:
+  middlewares:
+    hsts:
+      headers:
+        frameDeny: true
+        browserXssFilter: true
+        stsSeconds: 31536000 # 1 year
+        stsPreload: true
+        stsIncludeSubdomains: true

reverse-proxy/configs/dynamic/portainer.yml

@@ -0,0 +1,11 @@
+http:
+  #TODO: Convert to inline configuration for portainer
+  routers:
+    portainer:
+      rule: 'Host(`portainer.{{ env `NASCOMPOSE_DOMAIN` }}`)'
+      service: portainer@file
+  services:
+    portainer:
+      loadBalancer:
+        servers:
+          - url: https://{{ env `NASCOMPOSE_MACVLAN_PORTAINER_IP` }}:9443/

reverse-proxy/configs/dynamic/qbittorrent-api.yml

@@ -0,0 +1,7 @@
+http:
+  routers:
+    qbittorrent-api:
+      rule: 'Host(`qbittorrent-api.{{ env `NASCOMPOSE_DOMAIN` }}`)'
+      service: qbittorrent@docker
+      middlewares:
+        - authelia-basic@file

reverse-proxy/configs/dynamic/synology.yml

@@ -0,0 +1,10 @@
+http:
+  routers:
+    synology:
+      rule: 'Host(`synology.{{ env `NASCOMPOSE_DOMAIN` }}`)'
+      service: synology@file
+  services:
+    synology:
+      loadBalancer:
+        servers:
+          - url: https://{{ env `NASCOMPOSE_MACVLAN_SYNOLOGY_IP` }}:5001/

reverse-proxy/configs/dynamic/traefik.yml

@@ -0,0 +1,8 @@
+http:
+  #TODO: Convert to inline configuration for traefik
+  # Allows internal services to use `http://traefik/` to use the traefik interface.
+  # Useful for tools like Heimdall which use the traefik API.
+  routers:
+    traefik-internal:
+      rule: Host(`traefik`)
+      service: api@internal

reverse-proxy/configs/traefik.yml

@@ -0,0 +1,41 @@
+providers:
+  docker:
+    exposedByDefault: false
+    network: reverse-proxy
+    defaultRule: 'Host(`{{ index .Labels "com.docker.compose.service" }}.{{ env `NASCOMPOSE_DOMAIN` }}`)'
+  file:
+    directory: /etc/traefik/dynamic/
+
+serverstransport:
+  insecureskipverify: true
+
+api: {}
+accessLog: {}
+
+certificatesResolvers:
+  defaultResolver:
+    acme:
+      storage: /etc/traefik/acme/acme.json
+      dnsChallenge:
+        provider: cloudflare
+
+entryPoints:
+  web:
+    address: :80
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+  websecure:
+    address: :443
+    http:
+      tls:
+        certResolver: defaultResolver
+      middlewares:
+        - hsts@file
+  ssh:
+    address: :22
+
+global:
+  sendAnonymousUsage: false

reverse-proxy/docker-compose.macvlan.yml

@@ -0,0 +1,12 @@
+services:
+  traefik:
+    environment:
+      NASCOMPOSE_MACVLAN_SYNOLOGY_IP: ${NASCOMPOSE_MACVLAN_HOST_IP?}
+      NASCOMPOSE_MACVLAN_PORTAINER_IP: ${NASCOMPOSE_MACVLAN_PORTAINER_IP?}
+    networks:
+      macvlan:
+        ipv4_address: ${NASCOMPOSE_MACVLAN_TRAEFIK_IP?}
+
+networks:
+  macvlan:
+    external: true

reverse-proxy/docker-compose.yml

@@ -0,0 +1,31 @@
+name: reverse-proxy
+
+services:
+  traefik:
+    hostname: traefik
+    image: traefik
+    environment:
+      NASCOMPOSE_DOMAIN: ${NASCOMPOSE_DOMAIN?}
+      CF_DNS_API_TOKEN_FILE: /run/secrets/cf_dns_token
+      TRAEFIK_CERTIFICATESRESOLVERS_DEFAULTRESOLVER_ACME_EMAIL: admin@${NASCOMPOSE_DOMAIN?}
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_DOMAINS_0_MAIN: '*.${NASCOMPOSE_DOMAIN?}'
+      LEGO_DISABLE_CNAME_SUPPORT: true
+    networks:
+      - reverse-proxy
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ${NASCOMPOSE_SERVICES?}/reverse-proxy/volumes/traefik_acme:/etc/traefik/acme
+      # Config
+      - ${NASCOMPOSE_SERVICES?}/reverse-proxy/configs/traefik.yml:/etc/traefik/traefik.yml:ro
+      - ${NASCOMPOSE_SERVICES?}/reverse-proxy/configs/dynamic:/etc/traefik/dynamic:ro
+      # Secrets
+      - ${NASCOMPOSE_SERVICES?}/reverse-proxy/secrets/cf_dns_token:/run/secrets/cf_dns_token:ro
+    restart: unless-stopped
+    labels:
+      traefik.enable: true
+      traefik.http.routers.traefik.service: api@internal
+      traefik.http.routers.traefik.middlewares: authelia@file
+
+networks:
+  reverse-proxy:
+    name: reverse-proxy