My docker compose config for monitoring and reverse proxy

I like to keep my home automation separate from the rest. So I have a dedicated VM for the reverse proxy and the system + home automation monitoring (they have been merged; they used to be separate, but oh well…)
Here is an example of what can be done with docker compose and traefik:

docker-compose.yml file:

version: "3.3"

services:

  traefik:
    image: "traefik:v2.0.0-rc3"
    container_name: "traefik"
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.mydnschallenge.acme.dnschallenge=true"
      - "--certificatesresolvers.mydnschallenge.acme.dnschallenge.provider=ovh"
      - "--certificatesresolvers.mydnschallenge.acme.email=xxxx@gmail.com"
      - "--certificatesresolvers.mydnschallenge.acme.storage=/letsencrypt/acme.json"
      - "--providers.file.filename=/file_provider/traefik.toml"
      - "--serversTransport.insecureSkipVerify=true"
      - "--metrics.influxdb=true"
      - "--metrics.influxdb.address=influxdb:8086"
      - "--metrics.influxdb.protocol=http"
      - "--metrics.influxdb.database=traefik"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    environment:
      - "OVH_ENDPOINT=ovh-eu"
      - "OVH_APPLICATION_KEY=xxxx"
      - "OVH_APPLICATION_SECRET=xxxx"
      - "OVH_CONSUMER_KEY=xxxx"
    volumes:
      - "./traefik:/file_provider"
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    restart: always

  influxdb:
    image: "influxdb:latest"
    container_name: "influxdb"
    volumes:
      - "/root/influxdb/data:/var/lib/influxdb"
      - "/root/influxdb/config:/etc/influxdb"
    ports:
      - "8086:8086"
      - "8089:8089/udp"
    restart: always

  grafana:
    image: "grafana/grafana:latest"
    container_name: "grafana"
    user: "0"
    ports:
      - "3000:3000"
    links:
      - influxdb
    volumes:
      - "./grafana:/var/lib/grafana"
    environment:
      - GF_INSTALL_PLUGINS=grafana-clock-panel,grafana-piechart-panel
      - GF_SERVER_ROOT_URL=https://xxxx.xxxx.fr
      - GF_SERVER_DOMAIN=xxxx.xxxx.fr
      - GF_USERS_ALLOW_SIGNUP=false
      - GF_SECURITY_ADMIN_USER=xxxx
      - GF_SECURITY_ADMIN_PASSWORD=xxxx
      - GF_SMTP_ENABLED=true
      - GF_SMTP_HOST=smtp.gmail.com:587
      - GF_SMTP_USER=xxxx@gmail.com
      - GF_SMTP_PASSWORD=xxxx
      - GF_SMTP_FROM_ADDRESS=xxxx@gmail.com
      - GF_SMTP_FROM_NAME=Grafana
      - GF_SMTP_SKIP_VERIFY=true
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.grafana.entryPoints=web"
      - "traefik.http.routers.grafana.rule=host(`xxxx.xxxx.fr`)"
      - "traefik.http.middlewares.grafana-redirect.redirectScheme.scheme=https"
      - "traefik.http.middlewares.grafana-redirect.redirectScheme.permanent=true"
      - "traefik.http.routers.grafana.middlewares=grafana-redirect"
      #SSL
      - "traefik.http.routers.grafana-ssl.entryPoints=websecure"
      - "traefik.http.routers.grafana-ssl.rule=host(`xxxx.xxxx.fr`)"
      - "traefik.http.routers.grafana-ssl.tls=true"
      - "traefik.http.routers.grafana-ssl.tls.certResolver=mydnschallenge"
      - "traefik.http.routers.grafana-ssl.service=grafana-ssl"
      - "traefik.http.services.grafana-ssl.loadBalancer.server.port=3000"
    restart: always

  portainer:
    image: "portainer/portainer"
    container_name: "portainer"
    restart: always
    ports:
      - "9000:9000"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./portainer_data:/data
    labels:
      - "traefik.enable=false" #disabled, too risky !!!

traefik.toml file:

[http.routers]
  [http.routers.hass]
    # By default, routers listen on every entry point
    rule = "Host(`xxxx.xxxx.fr`)"
    service = "hass"
    [http.routers.hass.tls]
      certResolver = "mydnschallenge"

  [http.routers.nas]
    # By default, routers listen on every entry point
    rule = "Host(`xxxx.xxxx.fr`)"
    service = "nas"
    [http.routers.nas.tls]
      certResolver = "mydnschallenge"

  [http.routers.proxmox]
    # By default, routers listen on every entry point
    rule = "Host(`xxxx.xxxx.fr`)"
    service = "proxmox"
    [http.routers.proxmox.tls]
      certResolver = "mydnschallenge"

  [http.routers.fbx]
    # By default, routers listen on every entry point
    rule = "Host(`xxxx.xxxx.fr`)"
    service = "fbx"
    middlewares = ["redirect"]
    [http.routers.fbx.tls]
      certResolver = "mydnschallenge"

  [http.routers.shell]
    # By default, routers listen on every entry point
    rule = "Host(`xxxx.xxxx.fr`)"
    service = "shell"
    middlewares = ["redirect"]
    [http.routers.shell.tls]
      certResolver = "mydnschallenge"

  [http.routers.web]
    # By default, routers listen on every entry point
    rule = "Host(`xxxx.xxxx.fr`)"
    service = "web"
    middlewares = ["redirect"]
    [http.routers.web.tls]
      certResolver = "mydnschallenge"


[http.services]
  [http.services.hass.loadBalancer]
    [[http.services.hass.loadBalancer.servers]]
      url = "http://192.168.1.3:8123"

  [http.services.nas.loadBalancer]
    [[http.services.nas.loadBalancer.servers]]
      url = "http://192.168.1.5:8080"

  [http.services.proxmox.loadBalancer]
    [[http.services.proxmox.loadBalancer.servers]]
      url = "https://192.168.1.1:8006"

  [http.services.fbx.loadBalancer]
    [[http.services.fbx.loadBalancer.servers]]
      url = "http://192.168.1.254"

  [http.services.shell.loadBalancer]
    [[http.services.shell.loadBalancer.servers]]
      url = "http://192.168.1.3:4200"

  [http.services.web.loadBalancer]
    [[http.services.web.loadBalancer.servers]]
      url = "http://192.168.1.5:9080"

[http.middlewares]
  [http.middlewares.redirect.redirectScheme]
    scheme = "https"

[serversTransport]
  insecureSkipVerify = true

So all the traffic arriving on ports 80 and 443 of my box is routed to this VM, and traefik takes care of reaching the right service depending on the subdomain requested.

I have portainer managing my containers: a single portainer running on this VM, which talks to the local docker and to the home assistant docker on VM 192.168.1.3 via the docker API.

1 Like
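The traefik service from the compose file above with its riskiest settings tightened, as an added example that is not the post author's configuration: the dashboard is no longer served unauthenticated on port 8080 but behind basic auth on the websecure entrypoint, the HTTP to HTTPS redirect is done once at the entrypoint instead of once per router, and the OVH credentials come from an env file. Assumed: Traefik v2.4 or later (entrypoint redirects need v2.2+, per-service serversTransports v2.4+), the hostname traefik.xxxx.fr, a traefik.env file, a YAML dynamic configuration file traefik.yml, and an htpasswd hash placeholder.

```yaml
services:
  traefik:
    image: "traefik:v2.4"   # assumed: v2.2+ for entrypoint redirects, v2.4+ for serversTransports
    container_name: "traefik"
    command:
      # Dashboard stays on, but api.insecure is left at its default (false):
      # it is only reachable through the authenticated router below.
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # One global HTTP -> HTTPS redirect instead of one redirectScheme middleware per router
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--certificatesresolvers.mydnschallenge.acme.dnschallenge=true"
      - "--certificatesresolvers.mydnschallenge.acme.dnschallenge.provider=ovh"
      - "--certificatesresolvers.mydnschallenge.acme.email=xxxx@gmail.com"
      - "--certificatesresolvers.mydnschallenge.acme.storage=/letsencrypt/acme.json"
      - "--providers.file.filename=/file_provider/traefik.yml"   # assumed YAML dynamic config
      # No global --serversTransport.insecureSkipVerify: a backend with a self-signed
      # certificate gets its own serversTransport in the dynamic configuration instead.
    ports:
      - "80:80"
      - "443:443"
      # 8080 is deliberately not published
    env_file:
      - ./traefik.env   # assumed file holding the OVH_* keys, kept out of the compose file
    volumes:
      - "./traefik:/file_provider"
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.xxxx.fr`)"   # assumed hostname
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls.certresolver=mydnschallenge"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=dashboard-auth"
      # htpasswd-format entry; '$' is doubled because compose interpolates '$'
      - "traefik.http.middlewares.dashboard-auth.basicauth.users=admin:$$apr1$$<htpasswd-hash>"
    restart: always
```

The grafana labels of the post can then drop the grafana-redirect middleware and the plain web router, since the entrypoint redirect already covers them.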
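The proxmox backend of the traefik.toml above rewritten as YAML dynamic configuration, as an added example that is not the post author's configuration: instead of the global insecureSkipVerify, which disables certificate checking for every backend, only this service gets a serversTransport that trusts the Proxmox CA. Assumed: Traefik v2.4 or later (serversTransports were added in v2.4), the CA certificate exported to /file_provider/proxmox-ca.pem, and the file name traefik.yml.

```yaml
# traefik.yml, loaded by the file provider (assumed name; YAML form of the post's traefik.toml)
http:
  routers:
    proxmox:
      rule: "Host(`xxxx.xxxx.fr`)"
      entryPoints: ["websecure"]   # explicit, instead of listening on every entry point
      service: proxmox
      tls:
        certResolver: mydnschallenge
  services:
    proxmox:
      loadBalancer:
        serversTransport: proxmox-ca   # only this backend uses the custom transport
        servers:
          - url: "https://192.168.1.1:8006"
  serversTransports:
    proxmox-ca:
      # Pin the backend's CA rather than disabling verification for every service.
      # Assumed path: the Proxmox CA certificate copied into the file-provider directory.
      rootCAs:
        - /file_provider/proxmox-ca.pem
      # If verification really must be skipped for this one backend, the per-transport
      # option is insecureSkipVerify: true here, which leaves all other services verified.
```

The other services of the TOML file (hass, nas, fbx, shell, web) are plain HTTP backends and need no transport at all.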