diff --git a/1. docker-stacks/authentik/docker-compose.yml b/1. docker-stacks/authentik/docker-compose.yml
index e69de29..f977af8 100644
--- a/1. docker-stacks/authentik/docker-compose.yml
+++ b/1. docker-stacks/authentik/docker-compose.yml
@@ -0,0 +1,90 @@
+services:
+ postgresql:
+ image: docker.io/library/postgres:16-alpine
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+ start_period: 20s
+ interval: 30s
+ retries: 5
+ timeout: 5s
+ volumes:
+ - database:/var/lib/postgresql/data
+ environment:
+ POSTGRES_PASSWORD: ${PG_PASS}
+ POSTGRES_USER: ${PG_USER:-authentik}
+ POSTGRES_DB: ${PG_DB:-authentik}
+ env_file:
+ - .env
+ networks:
+ - internal
+
+ redis:
+ image: docker.io/library/redis:alpine
+ command: --save 60 1 --loglevel warning
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+ start_period: 20s
+ interval: 30s
+ retries: 5
+ timeout: 3s
+ volumes:
+ - redis:/data
+ networks:
+ - internal
+
+ server:
+ image: ghcr.io/goauthentik/server:2024.10.1
+ command: server
+ environment:
+ AUTHENTIK_REDIS__HOST: redis
+ AUTHENTIK_POSTGRESQL__HOST: postgresql
+ AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+ AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+ AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+ AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
+ volumes:
+ - ./media:/media
+ - ./custom-templates:/templates
+ env_file:
+ - .env
+ networks:
+ - internal
+ - proxy # Moet in proxy netwerk om door Traefik gezien te worden
+ labels:
+ - "traefik.enable=true"
+ # De URL waarop Authentik bereikbaar wordt:
+ - "traefik.http.routers.authentik.rule=Host(`authentik.stackbabber.nl`)"
+ - "traefik.http.routers.authentik.entrypoints=web"
+ - "traefik.http.services.authentik.loadbalancer.server.port=9000"
+
+ worker:
+ image: ghcr.io/goauthentik/server:2024.10.1
+ command: worker
+ environment:
+ AUTHENTIK_REDIS__HOST: redis
+ AUTHENTIK_POSTGRESQL__HOST: postgresql
+ AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+ AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+ AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+ AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
+ depends_on:
+ - postgresql
+ - redis
+ env_file:
+ - .env
+ networks:
+ - internal
+
+volumes:
+ database:
+ driver: local
+ redis:
+ driver: local
+
+networks:
+ proxy:
+ external: true
+ internal:
+ driver: bridge
\ No newline at end of file
diff --git a/1. docker-stacks/traefik/data/rules/external.yml b/1. docker-stacks/traefik/data/rules/external.yml
new file mode 100644
index 0000000..89fce97
--- /dev/null
+++ b/1. docker-stacks/traefik/data/rules/external.yml
@@ -0,0 +1,15 @@
+http:
+ routers:
+ # Router voor je NAS interface
+ nas-router:
+ rule: "Host(`nas.stackbabber.nl`)"
+ service: "nas-service"
+ entryPoints:
+ - "web"
+
+ services:
+ # Service definitie (IP en Poort van de NAS)
+ nas-service:
+ loadBalancer:
+ servers:
+ - url: "http://10.52.150.20:5000" # Pas poort aan indien nodig
\ No newline at end of file
diff --git a/1. docker-stacks/traefik/data/traefik.yml b/1. docker-stacks/traefik/data/traefik.yml
index 5252cdb..1b64a76 100644
--- a/1. docker-stacks/traefik/data/traefik.yml
+++ b/1. docker-stacks/traefik/data/traefik.yml
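Review bot: The `env_file: .env` block on the `postgresql` service hands the whole secrets file, including `AUTHENTIK_SECRET_KEY`, to the database container, which only needs the three `POSTGRES_*` values already supplied under `environment:`; drop `env_file:` from `postgresql` so the signing key is present only in `server` and `worker`. The `server` router is attached to the `web` (:80) entrypoint with no TLS, so the login form and session cookie travel in clear between Traefik and whatever sits in front of it; that is only acceptable if the NAS proxy terminates TLS and that hop stays on a trusted segment, which this file cannot show, so document the assumption with `# TLS is terminated upstream (NAS); do not expose :80 beyond the LAN`. `server` also lacks the `depends_on: [postgresql, redis]` that `worker` has, so on a cold start it can crash-loop until the database healthcheck passes; give both services `depends_on` with `condition: service_healthy`, which the healthchecks defined here already make possible.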
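Review bot: The `nas-router` publishes the NAS web UI at `http://10.52.150.20:5000` to anyone who can reach Traefik's port 80 with a `nas.stackbabber.nl` Host header, and the router has no `middlewares:` entry, so there is neither an IP allow-list nor forward-auth in front of an administrative interface. If this host is reachable from outside the LAN, add `middlewares: ["lan-only"]` to the router with an `ipAllowList` middleware restricted to your LAN range, or the Authentik forwardAuth middleware once that outpost exists. The backend is plain HTTP to a fixed private address, so the `# Pas poort aan indien nodig` comment should also note that the NAS port is an admin endpoint and that the allow-list must be kept when the port changes.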
@@ -5,30 +5,21 @@ api: entryPoints: web: address: ":80" - # BELANGRIJK: Omdat NPM de SSL doet, zetten we de automatische redirect hier UIT. - # Anders krijg je een "Too many redirects" loop. - # http: - # redirections: - # entryPoint: - # to: websecure - # scheme: https - - # Hier vertellen we Traefik: "Vertrouw headers van de NAS" - forwardedHeaders: - trustedIPs: - - "127.0.0.1/32" # Localhost - - "10.0.0.0/8" # Intern netwerk (ruim) - - "192.168.0.0/16" # Intern netwerk (ruim) - - "172.16.0.0/12" # Docker intern - - "10.52.150.20/32" # <--- JOUW NAS IP (Cruciaal!) - - websecure: - address: ":443" - # Ook voor HTTPS poort (voor het geval NPM via 443 doorstuurt) + # Trusted IPs config (zodat Authentik straks de juiste IP's ziet via de NAS) forwardedHeaders: trustedIPs: - "127.0.0.1/32" - - "10.52.150.20/32" # <--- JOUW NAS IP + - "10.0.0.0/8" + - "192.168.0.0/16" + - "172.16.0.0/12" + - "10.52.150.20/32" # Jouw NAS IP + + websecure: + address: ":443" + forwardedHeaders: + trustedIPs: + - "127.0.0.1/32" + - "10.52.150.20/32" # Jouw NAS IP providers: docker: @@ -36,8 +27,12 @@ providers: exposedByDefault: false network: proxy -# We laten de certificaat-resolvers wel in de config staan voor de toekomst, -# maar Traefik gebruikt ze nu nog niet omdat NPM de certificaten regelt. + # --- NIEUW: FILE PROVIDER --- + # Hiermee kun je externe hosts (zoals je NAS zelf) koppelen + file: + directory: "/rules" + watch: true + certificatesResolvers: letsencrypt: acme: diff --git a/1. docker-stacks/traefik/docker-compose.yml b/1. docker-stacks/traefik/docker-compose.yml index 71b90be..b8835c7 100644 --- a/1. docker-stacks/traefik/docker-compose.yml +++ b/1. docker-stacks/traefik/docker-compose.yml 
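Review bot: The `web` entrypoint now trusts `X-Forwarded-*` headers from `10.0.0.0/8`, `192.168.0.0/16` and `172.16.0.0/12`, which covers every container on the `proxy` bridge and every LAN host, so any of them can set `X-Forwarded-For` to an arbitrary address and Authentik will log, rate-limit and evaluate IP-based policies against the spoofed value; this is the opposite of what the comment "zodat Authentik straks de juiste IP's ziet" intends. The `websecure` entrypoint in the same hunk already carries the minimal list, so use it for `web` as well: `trustedIPs: ["127.0.0.1/32", "10.52.150.20/32"]`. If a Docker-internal hop genuinely needs to be trusted, add that container's fixed address rather than a /12, and explain the entry with `# only the NAS reverse proxy may set forwarded headers`.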
@@ -12,20 +12,19 @@ services: - "443:443" - "8080:8080" environment: - # Deze leest hij uit je .env bestand op de server - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN} volumes: - /etc/localtime:/etc/localtime:ro - /var/run/docker.sock:/var/run/docker.sock:ro - ./data/traefik.yml:/traefik.yml:ro - ./data/acme.json:/acme.json + # Hier koppelen we de map met regels voor externe hosts (NAS etc.) + - ./data/rules:/rules labels: - "traefik.enable=true" - # We gebruiken nu je echte domein! - "traefik.http.routers.traefik.rule=Host(`traefik.stackbabber.nl`)" - - "traefik.http.routers.traefik.entrypoints=websecure" - - "traefik.http.routers.traefik.tls.certresolver=letsencrypt" - - "traefik.http.services.traefik.loadbalancer.server.port=8080" + - "traefik.http.routers.traefik.entrypoints=web" + - "traefik.http.routers.traefik.service=api@internal" networks: proxy: diff --git a/3. scripts/update-all.sh b/3. scripts/update-all.sh index 1179c46..4d12ed3 100644 --- a/3. scripts/update-all.sh +++ b/3. scripts/update-all.sh 
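Review bot: The `traefik` router now serves `api@internal` on the `web` entrypoint with no middleware, so the dashboard and the `/api` endpoints (the full router, service and middleware configuration, including backend addresses) are reachable unauthenticated over plain HTTP at `traefik.stackbabber.nl`, whereas the removed router at least used `websecure`. At minimum attach a basicAuth middleware: `traefik.http.routers.traefik.middlewares=dash-auth` plus `traefik.http.middlewares.dash-auth.basicauth.users=<htpasswd -nB output>`, or the Authentik forwardAuth once it exists. The `8080:8080` mapping kept in the context above also publishes the API on the host directly; if `api.insecure` is enabled in traefik.yml (not visible here) that bypasses the router entirely, so drop the mapping once `api@internal` is routed. Note that `:ro` on the `/var/run/docker.sock` mount does not restrict the Docker API itself, it only prevents replacing the socket file.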
@@ -1,71 +1,66 @@ #!/bin/bash -# Stop het script direct als er een error optreedt +# Stop direct bij errors set -e -# --- KLEUREN DEFINITIES (Voor mooie output) --- +# --- KLEUREN --- GREEN='\033[0;32m' BLUE='\033[0;34m' YELLOW='\033[1;33m' RED='\033[0;31m' -NC='\033[0m' # No Color +NC='\033[0m' -# --- PADEN AUTOMATISCH BEPALEN --- -# Dit is de magie: We kijken waar DIT script staat, en gaan 1 map omhoog. -# Hierdoor werkt het script altijd, ongeacht hoe je hoofdmap heet. +# --- PADEN --- SCRIPT_PATH=$(readlink -f "$0") SCRIPT_DIR=$(dirname "$SCRIPT_PATH") REPO_DIR=$(dirname "$SCRIPT_DIR") -STACKS_DIR="$REPO_DIR/1. docker-stacks" +STACKS_DIR="$REPO_DIR/1. docker-stacks" # Let op: kleine letters zoals op jouw server echo -e "${BLUE}==========================================${NC}" -echo -e "${BLUE}๐Ÿš€ Start Docker Update Script - $(date)${NC}" -echo -e "${BLUE}==========================================${NC}" +echo -e "${BLUE}๐Ÿš€ Start Docker Update - $(date)${NC}" -# 1. GIT UPDATE -echo -e "${YELLOW}๐Ÿ“ฅ Pullen van Git...${NC}" -echo -e " Locatie: $REPO_DIR" +# 1. GIT +echo -e "${YELLOW}๐Ÿ“ฅ Git Pull...${NC}" cd "$REPO_DIR" -git pull origin main +git fetch --all +git reset --hard origin/main -# 2. CONTAINERS UPDATEN -echo -e "${YELLOW}๐Ÿ”„ Containers bijwerken...${NC}" +# 2. TRAEFIK VOORBEREIDING (Cruciaal!) +# Traefik heeft specifieke mappen en lege bestanden nodig +TRAEFIK_DIR="$STACKS_DIR/traefik" +if [ -d "$TRAEFIK_DIR" ]; then + echo -e " ๐Ÿ”จ ${YELLOW}Traefik checks uitvoeren...${NC}" + mkdir -p "$TRAEFIK_DIR/data" + # Certificaten bestand (moet chmod 600 zijn) + if [ ! -f "$TRAEFIK_DIR/data/acme.json" ]; then + touch "$TRAEFIK_DIR/data/acme.json" + chmod 600 "$TRAEFIK_DIR/data/acme.json" + fi + # Externe regels bestand (voor je NAS/andere hosts) + if [ ! 
-f "$TRAEFIK_DIR/data/rules/external.yml" ]; then + mkdir -p "$TRAEFIK_DIR/data/rules" + touch "$TRAEFIK_DIR/data/rules/external.yml" + fi +fi -# Zoek alle mappen die een docker-compose.yml bevatten (max 2 diep in 1. Docker-Stacks) +# 3. CONTAINERS STARTEN +echo -e "${YELLOW}๐Ÿ”„ Services starten...${NC}" find "$STACKS_DIR" -maxdepth 2 -name "docker-compose.yml" | while read composefile; do dir=$(dirname "$composefile") service_name=$(basename "$dir") - echo -e " ๐Ÿ‘‰ Bezig met service: ${GREEN}$service_name${NC}" + echo -e " ๐Ÿ‘‰ Service: ${GREEN}$service_name${NC}" cd "$dir" - - # --- SPECIAAL VOOR TRAEFIK --- - # Traefik crasht als acme.json niet bestaat of verkeerde rechten heeft. - # Dit script repareert dat automatisch. - if [ "$service_name" == "traefik" ]; then - if [ ! -f "./data/acme.json" ]; then - echo -e " ๐Ÿ”จ ${YELLOW}Traefik: acme.json aanmaken en rechten (600) zetten...${NC}" - mkdir -p ./data - touch ./data/acme.json - chmod 600 ./data/acme.json - fi - fi - # ----------------------------- - # Check of er een .env bestand is (informatief) if [ -f .env ]; then docker compose up -d --remove-orphans else - echo -e " โš ๏ธ ${RED}Let op: Geen .env bestand gevonden (check je secrets)!${NC}" - # We proberen alsnog te starten, sommige containers hebben geen .env nodig + echo -e " โš ๏ธ ${RED}Geen .env gevonden! (Check je secrets op de server)${NC}" docker compose up -d --remove-orphans fi done -# 3. OPRUIMEN -echo -e "${YELLOW}๐Ÿงน Oude images opruimen...${NC}" +echo -e "${YELLOW}๐Ÿงน Opruimen...${NC}" docker image prune -f -echo -e "${BLUE}==========================================${NC}" -echo -e "${GREEN}โœ… Update compleet!${NC}" -echo -e "${BLUE}==========================================${NC}" \ No newline at end of file +echo -e "${GREEN}โœ… Klaar!${NC}" \ No newline at end of file