Update Traefik services

Reviewed-on: #1

nginx/sites-available/benoit.mathieu.wiki

@@ -1,26 +0,0 @@
-server {
-    listen 80;
-    server_name benoit.mathieu.wiki www.benoit.mathieu.wiki;
-    return 301 https://$host$request_uri;
-}
-
-server {
-    listen              443 ssl;
-    server_name         benoit.mathieu.wiki;
-
-    ssl_certificate     /etc/letsencrypt/live/benoit.mathieu.wiki/fullchain.pem;
-    ssl_certificate_key   /etc/letsencrypt/live/benoit.mathieu.wiki/privkey.pem;
-    
-    location / {
-        proxy_pass      http://192.168.1.38:8080;
-
-        proxy_redirect      off;
-        proxy_set_header    Host                $host;
-        proxy_set_header    X-REAL-IP           $remote_addr;
-        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-        proxy_set_header    X-Forwarded-Proto   $scheme;
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
-    }
-}

nginx/sites-available/bookshelf.aldon.fr

@@ -1,28 +0,0 @@
-server {
-        listen 80;
-        server_name bookshelf.aldon.fr;
-        return 301 https://$host$request_uri;
-}
-
-server {
-        listen 443 ssl;
-
-        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-
-        server_name bookshelf.aldon.fr;
-
-        ssl_certificate     /etc/letsencrypt/live/aldon.fr/fullchain.pem;
-        ssl_certificate_key   /etc/letsencrypt/live/aldon.fr/privkey.pem;
-
-        location / {
-                proxy_pass http://192.168.1.27;
-                proxy_set_header Host $host;
-                proxy_set_header X-Real-IP $remote_addr;
-                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-                proxy_set_header X-Forwarded-Proto $scheme;
-
-                proxy_http_version 1.1;
-                proxy_set_header Upgrade $http_upgrade;
-                proxy_set_header Connection "upgrade";
-        }
-}

nginx/sites-available/default

@@ -1,59 +0,0 @@
-##
-# You should look at the following URL's in order to grasp a solid understanding
-# of Nginx configuration files in order to fully unleash the power of Nginx.
-# https://www.nginx.com/resources/wiki/start/
-# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
-# https://wiki.debian.org/Nginx/DirectoryStructure
-#
-# In most cases, administrators will remove this file from sites-enabled/ and
-# leave it as reference inside of sites-available where it will continue to be
-# updated by the nginx packaging team.
-#
-# This file will automatically load configuration files provided by other
-# applications, such as Drupal or Wordpress. These applications will be made
-# available underneath a path with that package name, such as /drupal8.
-#
-# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
-##
-
-# Default server configuration
-#
-server {
-        listen 80 default_server;
-        listen [::]:80 default_server;
-
-        # SSL configuration
-        #
-        # listen 443 ssl default_server;
-        # listen [::]:443 ssl default_server;
-        #
-        # Note: You should disable gzip for SSL traffic.
-        # See: https://bugs.debian.org/773332
-        #
-        # Read up on ssl_ciphers to ensure a secure configuration.
-        # See: https://bugs.debian.org/765782
-        #
-        # Self signed certs generated by the ssl-cert package
-        # Don't use them in a production server!
-        #
-        # include snippets/snakeoil.conf;
-
-        root /var/www/html;
-
-        # Add index.php to the list if you are using PHP
-        index index.html index.htm index.nginx-debian.html;
-
-        server_name _;
-
-        ##
-        # Errors pages
-        ##
-
-        error_page 404 500 502 503 504 /errors/50x.html;
-
-        location ^~ /errors/ {
-                internal;
-                root /usr/share/nginx/html/;
-                allow all;
-        }
-}

nginx/sites-available/discussion.fefan.fr

@@ -1,26 +0,0 @@
-server {
-    listen 80;
-    server_name discussion.fefan.fr;
-    return 301 http://$host$request_uri;
-}
-
-server {
-    listen              443 ssl;
-    server_name         discussion.fefan.fr;
-
-    ssl_certificate     /etc/letsencrypt/live/fefan.fr/fullchain.pem;
-    ssl_certificate_key   /etc/letsencrypt/live/fefan.fr/privkey.pem;
-
-    location / {
-        proxy_pass      http://192.168.1.15:3000;
-
-        proxy_redirect      off;
-        proxy_set_header    Host            $host;
-        proxy_set_header    X-REAL-IP       $remote_addr;
-        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
-
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
-    }
-}

nginx/sites-available/fefan.fr

@@ -1,64 +0,0 @@
-server {
-    server_name www.content.fefan.fr;
-    return 301 $scheme://content.fefan.fr$request_uri;
-}
-
-server {
-    listen      443 ssl;
-    listen      [::]:443 ssl;
-    server_name content.fefan.fr;
-
-    ssl_certificate /etc/letsencrypt/live/fefan.fr/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/fefan.fr/privkey.pem;
-
-    ssl_session_cache shared:le_nginx_SSL:10m;
-    ssl_session_timeout 1440m;
-    ssl_session_tickets off;
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_prefer_server_ciphers off;
-    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
-
-    location / {
-        resolver 127.0.0.11 valid=30s;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        set $upstream_strapi 192.168.1.11;
-        proxy_pass http://$upstream_strapi:1337;
-    }
-
-    location = /50x.html {
-        root   /usr/share/nginx/html;
-    }
-
-    error_page   500 502 503 504  /50x.html;
-}
-
-server {
-    listen      443 ssl;
-    listen      [::]:443 ssl;
-    server_name www.fefan.fr fefan.fr;
-
-    ssl_certificate /etc/letsencrypt/live/fefan.fr/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/fefan.fr/privkey.pem;
-
-    ssl_session_cache shared:le_nginx_SSL:10m;
-    ssl_session_timeout 1440m;
-    ssl_session_tickets off;
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_prefer_server_ciphers off;
-    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
-
-    location / {
-        resolver 127.0.0.11 valid=30s;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        set $upstream_next 192.168.1.11;
-        proxy_pass http://$upstream_next:3000;
-    }
-
-    location = /50x.html {
-        root   /usr/share/nginx/html;
-    }
-
-    error_page   500 502 503 504  /50x.html;
-}

nginx/sites-available/gitea.aldon.fr

@@ -1,28 +0,0 @@
-server {
-        listen 80;
-        server_name gitea.aldon.fr;
-        return 301 https://$host$request_uri;
-}
-
-server {
-        listen 443 ssl;
-
-        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-
-        server_name gitea.aldon.fr;
-
-        ssl_certificate     /etc/letsencrypt/live/aldon.fr/fullchain.pem;
-        ssl_certificate_key   /etc/letsencrypt/live/aldon.fr/privkey.pem;
-
-        location / {
-                proxy_pass http://192.168.1.50:3000;
-                proxy_set_header Host $host;
-                proxy_set_header X-Real-IP $remote_addr;
-                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-                proxy_set_header X-Forwarded-Proto $scheme;
-
-                proxy_http_version 1.1;
-                proxy_set_header Upgrade $http_upgrade;
-                proxy_set_header Connection "upgrade";
-        }
-}

nginx/sites-available/grist.aldon.fr

@@ -1,26 +0,0 @@
-server {
-    listen 80;
-    server_name grist.aldon.fr;
-    return 301 http://$host$request_uri;
-}
-
-server {
-    listen              443 ssl;
-    server_name         grist.aldon.fr;
-
-    ssl_certificate     /etc/letsencrypt/live/aldon.fr/fullchain.pem;
-    ssl_certificate_key   /etc/letsencrypt/live/aldon.fr/privkey.pem;
-
-    location / {
-        proxy_pass      http://192.168.1.35:8484;
-
-        proxy_redirect      off;
-        proxy_set_header    Host            $host;
-        proxy_set_header    X-REAL-IP       $remote_addr;
-        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
-
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
-    }
-}

nginx/sites-available/keycloak.aldon.fr

@@ -1,26 +0,0 @@
-server {
-    listen 80;
-    server_name keycloak.aldon.fr;
-    return 301 http://$host$request_uri;
-}
-
-server {
-    listen              443 ssl;
-    server_name         keycloak.aldon.fr;
-
-    ssl_certificate     /etc/letsencrypt/live/aldon.fr/fullchain.pem;
-    ssl_certificate_key   /etc/letsencrypt/live/aldon.fr/privkey.pem;
-
-    location / {
-        proxy_pass      http://192.168.1.34:8080;
-
-        proxy_redirect      off;
-        proxy_set_header    Host            $host;
-        proxy_set_header    X-REAL-IP       $remote_addr;
-        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
-
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
-    }
-}

nginx/sites-available/nextcloud.aldon.fr

@@ -1,64 +0,0 @@
-map $http_upgrade $connection_upgrade {
-    default upgrade;
-    '' close;
-}
-
-server {
-    listen 80;
-    listen [::]:80;
-
-    if ($scheme = "http") {
-        return 301 https://$host$request_uri;
-    }
-    if ($http_x_forwarded_proto = "http") {
-        return 301 https://$host$request_uri;
-    }
-
-    listen 443 ssl http2;
-    proxy_buffering off;
-    proxy_request_buffering off;
-
-    client_max_body_size 0;
-    client_body_buffer_size 512k;
-    proxy_read_timeout 86400s;
-
-    server_name nextcloud.aldon.fr;
-    
-    ssl_certificate /etc/letsencrypt/live/aldon.fr/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/aldon.fr/privkey.pem;
-
-    ssl_dhparam "/etc/dhparam";
-
-    ssl_early_data on;
-    ssl_session_cache shared:SSL:10m;
-
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ecdh_curve x25519:x448:secp521r1:secp256r1;
-
-    ssl_prefer_server_ciphers on;
-    ssl_conf_command Options PrioritizeChaCha;
-    ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-ECDHE-ECSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:RCDHE-RSA-AES128-GCM-SHA256;
-
-    location / {
-        proxy_pass http://192.168.1.30:11000$request_uri;
-
-        proxy_set_header    Host            $host;
-        proxy_set_header    X-REAL-IP       $remote_addr;
-        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header    X-Forwarded-Port $server_port;
-        proxy_set_header    X-Forwarded-Scheme $scheme;
-        proxy_set_header    X-Forwarded-Proto $scheme;
-        proxy_set_header    Early-Data $ssl_early_data;
-
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection $connection_upgrade;
-        
-        # Error pages
-        error_page 502 /502.html;
-        location /502.html {
-                root /var/www/html;
-        }
-    }
-
-}

nginx/sites-available/vaultwarden.aldon.fr

@@ -1,59 +0,0 @@
-upstream vaultwarden-default {
-  zone vaultwarden-default 64k;
-  server 192.168.1.36:8080;
-  keepalive 2;
-}
-
-# See: https://nginx.org/en/docs/http/websocket.html
-map $http_upgrade $connection_upgrade {
-    default upgrade;
-    ''      "";
-}
-
-# Redirect HTTP to HTTPS
-server {
-    listen 80;
-    listen [::]:80;
-    server_name vaultwarden.aldon.fr;
-
-    return 301 https://$host$request_uri;
-}
-
-server {
-    listen 443 ssl;
-    listen [::]:443 ssl http2;
-    server_name vaultwarden.aldon.fr;
-
-    ssl_certificate     /etc/letsencrypt/live/aldon.fr/fullchain.pem;
-    ssl_certificate_key   /etc/letsencrypt/live/aldon.fr/privkey.pem;
-    
-    add_header Strict-Transport-Security "max-age=31536000;";
-    
-    #ssl_trusted_certificate /etc/letsencrypt/live/vaultwarden.aldon.fr/fullchain.pem;
-
-    client_max_body_size 525M;
-
-    proxy_http_version 1.1;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection $connection_upgrade;
-
-    proxy_set_header Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
-
-    location / {
-      proxy_pass http://vaultwarden-default;
-    }
-
-    # Optionally add extra authentication besides the ADMIN_TOKEN
-    # Remove the comments below `#` and create the htpasswd_file to have it active
-    #
-    #location /admin {
-    #  # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
-    #  auth_basic "Private";
-    #  auth_basic_user_file /path/to/htpasswd_file;
-    #
-    #  proxy_pass http://vaultwarden-default;
-    #}
-}

services.yml

@@ -0,0 +1,140 @@
+# testt
+http:
+  routers:
+    http-catchall:
+      rule: "HostRegexp(`{host:.+}`)"
+      entryPoints:
+        - web
+      middlewares:
+        - redirect-to-https
+      service: noop
+
+    bookshelf:
+      rule: "Host(`bookshelf.aldon.fr`)"
+      entryPoints:
+        - websecure
+      service: bookshelf
+      tls:
+        certResolver: letsencrypt
+    gitea:
+      rule: "Host(`gitea.aldon.fr`)"
+      entryPoints:
+        - websecure
+      service: gitea
+      tls:
+        certResolver: letsencrypt
+    nextcloud:
+      rule: "Host(`nextcloud.aldon.fr`)"
+      entryPoints:
+        - websecure
+      service: nextcloud
+      tls:
+        certResolver: letsencrypt
+    
+    rocket:
+      rule: "Host(`discussion.fefan.fr`)"
+      entryPoints:
+        - websecure
+      service: rocket
+      tls:
+        certResolver: letsencrypt
+    
+    wiki:
+      rule: "Host(`benoit.mathieu.wiki`)"
+      entryPoints:
+        - websecure
+      service: wiki
+      tls:
+        certResolver: letsencrypt
+    
+    vaultwarden:
+      rule: "Host(`vaultwarden.aldon.fr`)"
+      entryPoints:
+        - websecure
+      service: vaultwarden
+      tls:
+        certResolver: letsencrypt
+    
+    keycloak:
+      rule: "Host(`keycloak.aldon.fr`)"
+      entryPoints:
+        - websecure
+      service: keycloak
+      tls:
+        certResolver: letsencrypt
+    
+    fefan:
+      rule: "Host(`fefan.fr`)"
+      entryPoints:
+        - websecure
+      service: fefan
+      tls:
+        certResolver: letsencrypt
+
+    content-fefan:
+      rule: "Host(`content.fefan.fr`)"
+      entryPoints:
+        - websecure
+      service: content-fefan
+      tls:
+        certResolver: letsencrypt
+
+  services:
+    bookshelf:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://192.168.1.91:80"
+    gitea:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://192.168.1.90:3000"
+    noop:
+      loadBalancer:
+        servers:
+          - url: "http://127.0.0.1"
+    nextcloud:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://192.168.1.30:11000"
+    rocket:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://192.168.1.15:3000"
+    wiki:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://192.168.1.38:8080"
+
+    vaultwarden:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://192.168.1.36:80"
+
+    keycloak:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://192.168.1.34:8080"
+
+    fefan:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://192.168.1.11:3000"
+
+    content-fefan:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://192.168.1.11:1337"
+
+  middlewares:
+    redirect-to-https:
+      redirectScheme:
+        scheme: https