define sensitive vars

Signed-off-by: Pascal Andy <pascal@firepress.org>

Author: pascalandy

traefik_stack6/stack-proxy-dns-challenge.yml

@@ -0,0 +1,145 @@
+version: '3.7'
+
+x-default-opts: 
+  &default-opts
+  logging:
+    options:
+      max-size: "10m" 
+
+networks:
+  ntw_front:
+    external: true
+  ntw_proxy:
+    external: true
+
+services:
+
+  # this custom haproxy allows us to move traefik to worker nodes (if needed)
+  # while this container listens on managers and only allows
+  # traefik to connect, read-only, to limited docker api calls
+  # https://github.com/Tecnativa/docker-socket-proxy
+  # image: devmtl/proxysocket:1.9.10 (with wget for heathcheck)
+  # image: tecnativa/docker-socket-proxy
+  proxysocket:
+    <<: *default-opts
+    image: devmtl/proxysocket:1.9.13
+    networks:
+      - ntw_proxy
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      # specific to 'docker stack deploy'
+      NETWORKS: 1
+      SERVICES: 1
+      TASKS: 1
+      SWARM: 1
+    deploy:
+      mode: global
+      placement:
+        constraints: [node.role == manager]
+      restart_policy:
+        condition: on-failure
+      resources:
+        limits:
+          cpus: '0.20'
+          memory: 8M
+        reservations:
+          cpus: '0.10'
+          memory: 4M
+
+  # Traefik reverse proxy has a bunch of features:
+  # - reverse proxy all 80/443 ingress traffic on a swarm
+  # - dynamic config via each app's swarm service labels
+  # - HA multi-container design for traefik
+  # - runs traefik on host NIC directly, to improve performance
+  #    and capture client IP's
+  #
+      #- --debug=true
+      #
+      # OPTION A) Select STAGING or PROD letsencrypt server
+      # https://acme-v02.api.letsencrypt.org/directory
+      # https://acme-staging-v02.api.letsencrypt.org/directory
+      #
+      # OPTION B)
+      #- --entryPoints=Name:http Address::80                            # don't force HTTPS
+      #- --entryPoints=Name:http Address::80 Redirect.EntryPoint:https  # force HTTPS
+      #
+      # If not using proxysocket 
+      #- --docker.endpoint=unix:///var/run/docker.sock
+  traefik:
+    <<: *default-opts
+    image: traefik:1.7.26-alpine
+    ports:
+    - target: 80
+      protocol: tcp
+      published: 80
+      mode: ingress
+    - target: 443
+      protocol: tcp
+      published: 443
+      mode: ingress
+    - target: 8080
+      protocol: tcp
+      published: 8080
+      mode: ingress
+    networks:
+      - ntw_front
+      - ntw_proxy
+    environment:
+      DO_AUTH_TOKEN: ${do_auth_token}
+    volumes:
+      - ${PATH_ACME_JSON_FILE}/acme.json:/etc/traefik/acme/acme.json
+    command:
+      - --docker
+      - --docker.domain=traefik
+      - --docker.swarmMode
+      - --docker.watch
+      - --docker.exposedbydefault=false
+      - --docker.endpoint=tcp://proxysocket:2375
+      - --entryPoints=Name:http Address::80 Redirect.EntryPoint:https
+      - --entryPoints=Name:https Address::443 TLS
+      - --defaultentrypoints=http,https
+      - --acme
+      - --acme.email=${ACME_EMAIL}
+      - --acme.dnsChallenge
+      - --acme.dnsChallenge.provider=digitalocean
+      - --acme.domains=*.${MAIN_DOMAIN},${MAIN_DOMAIN}
+      - --acme.entryPoint=https
+      - --acme.onhostrule=true
+      - --acme.storage=/etc/traefik/acme/acme.json
+      - --acme.caserver=https://acme-v02.api.letsencrypt.org/directory
+      - --acme.acmelogging=true
+      - --logLevel=INFO
+      - --api=true
+    deploy:
+      mode: replicated
+      replicas: 1
+      update_config:
+        delay: 2s
+      placement:
+        constraints: [node.labels.nodeid==1]
+      restart_policy:
+        condition: on-failure
+        max_attempts: 20
+      resources:
+        limits:
+          cpus: '0.33'
+          memory: 96M
+        reservations:
+          cpus: '0.05'
+          memory: 48M
+      labels:
+        - traefik.frontend.rule=Host:${DASHBOARD_DOMAIN}
+        - traefik.docker.network=ntw_front
+        - traefik.enable=true
+        - traefik.port=8080
+
+# https://github.com/pascalandy/docker-stack-this, inspired by https://github.com/BretFisher/dogvscat
+
+
+
+
+
+
+
+

traefik_stack6/stack-proxy.yml

@@ -88,7 +88,7 @@ services:
     environment:
       DO_AUTH_TOKEN: ${do_auth_token}
     volumes:
-      - /mnt/DeployGRP/tooldata/traefik/traefik_stack6/acme.json:/etc/traefik/acme/acme.json
+      - ${PATH_ACME_JSON_FILE}/acme.json:/etc/traefik/acme/acme.json
     command:
       - --docker
       - --docker.domain=traefik
@@ -100,7 +100,7 @@ services:
       - --entryPoints=Name:https Address::443 TLS
       - --defaultentrypoints=http,https
       - --acme
-      - --acme.email=relations@firepress.org
+      - --acme.email=${ACME_EMAIL}
       - --acme.httpchallenge
       - --acme.httpchallenge.entrypoint=http
       - --acme.entryPoint=https
@@ -128,7 +128,7 @@ services:
           cpus: '0.05'
           memory: 48M
       labels:
-        - traefik.frontend.rule=Host:traefik.firepress.link
+        - traefik.frontend.rule=Host:${DASHBOARD_DOMAIN}
         - traefik.docker.network=ntw_front
         - traefik.enable=true
         - traefik.port=8080