diff --git a/admin/bootstrap/.env b/admin/bootstrap/.env
new file mode 100644
index 0000000..b612f38
--- /dev/null
+++ b/admin/bootstrap/.env
@@ -0,0 +1,13 @@
+# Cloudflare (создайте Scoped API Token c правами Zone:Read + DNS:Edit
+# для зоны nothing.help — не используйте глобальный API‑ключ!)
+CF_API_TOKEN=jRq98TKXi2rYYtG42x9w1M8EOElt5V5BOkA4TBoY
+
+# Секрет для cookie (ровно 32 латинских буквы/цифры)
+# openssl rand -base64 32 | tr -dc 'a-zA-Z0-9' | head -c 32
+TINYAUTH_SECRET=TtbYjkb1ZfzyXG7D6Q3FR6Ri8Pw2K98i
+
+# Пользователи Tinyauth (формат для docker/compose!)
+# Пример с одним юзером admin:
+# admin:$2a$10$yVb0... (bcrypt)
+# Если несколько — через запятую.
+TINYAUTH_USERS='deadcxap:$$2a$$10$$5x5iG8uDD/A.zxTCr14iUuLS1d8FgEiH8oi1de6pF2Nl/iZNDBEvG'
diff --git a/admin/bootstrap/caddy-labeled/Dockerfile b/admin/bootstrap/caddy-labeled/Dockerfile
new file mode 100644
index 0000000..6adad5d
--- /dev/null
+++ b/admin/bootstrap/caddy-labeled/Dockerfile
@@ -0,0 +1,7 @@
+FROM caddy:2-builder AS builder
+RUN xcaddy build \
+    --with github.com/lucaslorentz/caddy-docker-proxy/v2 \
+    --with github.com/caddy-dns/cloudflare
+
+FROM caddy:2
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy
diff --git a/admin/bootstrap/docker-compose.yml b/admin/bootstrap/docker-compose.yml
new file mode 100644
index 0000000..ac6e7fe
--- /dev/null
+++ b/admin/bootstrap/docker-compose.yml
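Review bot: This hunk commits live credentials — a Cloudflare API token on the `CF_API_TOKEN=` line and the Tinyauth cookie secret on the `TINYAUTH_SECRET=` line — into the repository; both must be treated as compromised (revoke the token in the Cloudflare dashboard, regenerate the secret with the `openssl` one-liner already quoted in the comment) and the file purged from git history, not just deleted in a follow-up commit. Commit a placeholder `admin/bootstrap/.env.example` with empty `CF_API_TOKEN=`, `TINYAUTH_SECRET=` and `TINYAUTH_USERS=` instead, and add `admin/bootstrap/.env` to `.gitignore`. The `TINYAUTH_USERS` line is also worth a login test: Compose does not interpolate single-quoted `.env` values, so the `$$` escaping may reach Tinyauth as a literal `$$` inside the bcrypt hash rather than the single `$` the hash needs.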
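Review bot: Nothing in this Dockerfile is pinned: `--with github.com/lucaslorentz/caddy-docker-proxy/v2` and `--with github.com/caddy-dns/cloudflare` resolve to whatever xcaddy fetches at build time, and `caddy:2-builder` / `caddy:2` float on the major tag, so two builds of the same commit can yield different Caddy binaries — a supply-chain exposure for the component that holds the Cloudflare token and the Docker socket. Pin each module with `@<version>` and the images by minor tag or digest, e.g. `--with github.com/caddy-dns/cloudflare@<tag>` and `FROM caddy:2.<x>@sha256:…`. A `# syntax=docker/dockerfile:1` directive at the top would also lock the build frontend.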
@@ -0,0 +1,72 @@
+services:
+  caddy:
+    build:
+      context: ./caddy-labeled
+      dockerfile: Dockerfile
+    container_name: caddy
+    restart: unless-stopped
+    ports:
+      - "80:80"
+      - "443:443"
+      - "443:443/udp" # HTTP/3
+    environment:
+      - CADDY_INGRESS_NETWORKS=proxy
+      - CF_API_TOKEN=${CF_API_TOKEN}
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - caddy_data:/data
+    networks: [proxy]
+    # Глобальные настройки + сниппет для forward_auth (Tinyauth)
+    labels:
+      caddy.email: dead@cxap.space
+      caddy.acme_dns: "cloudflare {env.CF_API_TOKEN}"
+      # сниппет аутентификации
+      caddy: (tinyauth_forwarder)
+      caddy.forward_auth: tinyauth:3000
+      caddy.forward_auth.uri: /api/auth/caddy
+      caddy.forward_auth.copy_headers: Remote-User Remote-Name Remote-Email Remote-Groups
+    command: ["caddy","docker-proxy","--watch","--docker-host","unix:///var/run/docker.sock"]
+
+  tinyauth:
+    image: ghcr.io/steveiliop56/tinyauth:v3
+    container_name: tinyauth
+    restart: unless-stopped
+    environment:
+      - APP_URL=https://auth.realy.nothing.help
+      - SECRET=${TINYAUTH_SECRET}
+      - USERS=${TINYAUTH_USERS}
+      - COOKIE_SECURE=true
+      - DISABLE_CONTINUE=true
+      - APP_TITLE="Оставь надежду, всяк сюда входящий..."
+      - FORGOT_PASSWORD_MESSAGE="Штош, сочувствую, но нчием помочь не могу."
+    expose: ["3000"]
+    networks: [proxy]
+    labels:
+      caddy: auth.realy.nothing.help
+      caddy.encode: zstd gzip
+      caddy.reverse_proxy: "{{upstreams 3000}}"
+
+  portainer:
+    image: portainer/portainer-ce:latest
+    container_name: portainer
+    restart: always
+    expose:
+      - "9000" # HTTP UI внутрь докера
+      - "8000" # Edge (если нужен: лучше через NetBird; иначе публикуйте отдельно с FW)
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - portainer_data:/data
+    networks: [proxy]
+    labels:
+      caddy: port.realy.nothing.help
+      caddy.encode: zstd gzip
+      caddy.import: tinyauth_forwarder *
+      caddy.reverse_proxy: "{{upstreams 9000}}"
+
+volumes:
+  caddy_data:
+  portainer_data:
+
+networks:
+  proxy:
+    external: true
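Review bot: The `:ro` on `/var/run/docker.sock:/var/run/docker.sock:ro` under the caddy service does not limit what the container can do — the flag only restricts filesystem operations on the socket node, and the Docker API reached through it stays fully writable, so a compromise of caddy or of the caddy-docker-proxy plugin is a root-equivalent compromise of the host; the usual mitigation is a socket proxy that only allows the read endpoints the plugin needs (`containers`, `events`, `networks`) and pointing `--docker-host` at it. Portainer has the same socket mounted read-write by design, which makes `portainer/portainer-ce:latest` a risky floating tag for a root-equivalent service — pin it to a version or digest. If I read caddy-docker-proxy's label rules correctly, the `caddy: (tinyauth_forwarder)` label on the caddy service makes `caddy.email` and `caddy.acme_dns` render inside the snippet instead of the global options block; moving the global options to their own prefix with no site key (`caddy_0.email`, `caddy_0.acme_dns`) and the snippet to `caddy_1: (tinyauth_forwarder)` / `caddy_1.forward_auth…` would keep the Cloudflare DNS challenge global — verify by inspecting the generated Caddyfile in the caddy logs.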
diff --git a/admin/bootstrap/init.sh b/admin/bootstrap/init.sh
new file mode 100644
index 0000000..4d6f581
--- /dev/null
+++ b/admin/bootstrap/init.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+N=$(awk '/^networks:/,/^[^[:space:]]/{if($1=="name:"){print $2; exit}}' docker-compose.yml); N=${N:-proxy}
+docker network inspect "$N" >/dev/null 2>&1 || docker network create --driver bridge --attachable "$N"
+docker compose up -d --build
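Review bot: The awk range on the `N=$(awk …)` line never reaches a `name:` key: the start pattern `/^networks:/` also satisfies the end pattern `/^[^[:space:]]/` on the same record, so the range consists of only the `networks:` line itself, `N` is always empty and the script silently falls back to `proxy` — it works today only because the compose file's network happens to be called `proxy`. A flag-based scan does what the comment-free line intends: `N=$(awk '/^networks:/{f=1;next} f&&/^[^[:space:]]/{exit} f&&$1=="name:"{print $2;exit}' docker-compose.yml); N=${N:-proxy}`. The script also has no `set -euo pipefail` and no `cd "$(dirname "$0")"`, so a failed `docker network create` still proceeds to `docker compose up -d --build`, and running it from another directory reads the wrong (or no) `docker-compose.yml`.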