Initial commit: Infraestructura OgnirNAS estabilizada

2026-01-05 14:28:03 +01:00
commit 368f16c6a5
10 changed files with 297 additions and 0 deletions
--- a/traefik/docker-compose.yml
+++ b/traefik/docker-compose.yml
@@ -0,0 +1,70 @@
+# ==============================================================================
+# DOCKER COMPOSE - INFRAESTRUCTURA TRAEFIK (ESTÁNDAR OGNIR)
+# ==============================================================================
+
+version: "3.9"
+
+services:
+  traefik-socket-proxy:
+    image: tecnativa/docker-socket-proxy:latest
+    container_name: traefik-socket-proxy
+    restart: always
+    networks:
+      - services-internal-net
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    environment:
+      - CONTAINERS=1
+      - NETWORKS=1
+      - SERVICES=1
+      - VERSION=1
+      - EVENTS=1
+      # Recuperado del original para estabilidad del socket
+      - CONNECT_TIMEOUT=30
+      - SERVER_TIMEOUT=30
+      - CLIENT_TIMEOUT=30
+
+  traefik:
+    image: traefik:v3.0
+    container_name: traefik
+    restart: always
+    user: "1032:100"
+    depends_on:
+      traefik-socket-proxy:
+        condition: service_started
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik-dash.rule=Host(`traefik.ognir-server.synology.me`)"
+      - "traefik.http.routers.traefik-dash.entrypoints=websecure"
+      - "traefik.http.routers.traefik-dash.tls=true"
+      - "traefik.http.routers.traefik-dash.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.traefik-dash.service=api@internal"
+      # Middleware de seguridad (debe existir en /dynamic/middlewares.yml)
+      - "traefik.http.routers.traefik-dash.middlewares=seguridad-general@file"
+    networks:
+      proxy-macvlan-net:
+        ipv4_address: 192.168.178.25
+      services-internal-net:
+    
+    # Recuperado íntegramente del original
+    healthcheck:
+      test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:8080/ping"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 20s
+
+    volumes:
+      - /volume1/docker/configs/traefik:/etc/traefik:ro
+      - /volume1/docker/data/traefik:/letsencrypt
+      - /volume1/docker/data/traefik/logs:/var/log/traefik
+    
+    command:
+      # Única instrucción necesaria: cargar el archivo documentado
+      - "--configFile=/etc/traefik/traefik.yml"
+
+networks:
+  proxy-macvlan-net:
+    external: true
+  services-internal-net:
+    external: true
--- a/traefik/dynamic/dashboard.yml
+++ b/traefik/dynamic/dashboard.yml
@@ -0,0 +1,11 @@
+http:
+  routers:
+    api:
+      rule: "Host(`traefik.ognir-server.synology.me`) || Host(`ognir-server.synology.me`)"
+      service: api@internal
+      middlewares:
+        - auth-dashboard@file
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: letsencrypt
--- a/traefik/dynamic/external_services.yml
+++ b/traefik/dynamic/external_services.yml
@@ -0,0 +1,15 @@
+http:
+  routers:
+    router-fritz:
+      rule: "Host(`fritz.ognir-server.synology.me`)"
+      entryPoints:
+        - "websecure"
+      service: "fritz-service"
+      tls:
+        certResolver: "letsencrypt"
+
+  services:
+    fritz-service:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.178.1"
--- a/traefik/dynamic/middlewares.yml
+++ b/traefik/dynamic/middlewares.yml
@@ -0,0 +1,17 @@
+# ==============================================================================
+# MIDDLEWARES DE SEGURIDAD (CONFIGURACIÓN DINÁMICA)
+# ==============================================================================
+
+http:
+  middlewares:
+    seguridad-general:
+      headers:
+        # Cabeceras de seguridad recomendadas (HSTS, XSS, etc.)
+        forceSTSHeader: true
+        stsSeconds: 31536000
+        stsIncludeSubdomains: true
+        stsPreload: true
+        contentTypeNosniff: true
+        browserXssFilter: true
+        frameDeny: true # Evita que tu sitio sea cargado en un iframe (protección clickjacking)
+        referrerPolicy: "same-origin"
--- a/traefik/traefik.yml
+++ b/traefik/traefik.yml
@@ -0,0 +1,53 @@
+# ==============================================================================
+# CONFIGURACIÓN ESTÁTICA - MIGRACIÓN DESDE COMMANDS
+# ==============================================================================
+
+global:
+  checkNewVersion: false
+  sendAnonymousUsage: false
+
+api:
+  dashboard: true
+  insecure: true # Mantiene puerto 8080 para debug y healthcheck
+
+# Recuperado del original: Necesario para el Healthcheck del Docker-compose
+ping: true
+
+log:
+  level: ERROR
+  filePath: "/var/log/traefik/traefik.log"
+
+accessLog:
+  filePath: "/var/log/traefik/access.log"
+
+# --- Entrypoints: Puertos de red y Redirección Global ---
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+  websecure:
+    address: ":443"
+
+# --- Proveedores: Docker (vía Proxy) y Archivos Locales ---
+providers:
+  docker:
+    endpoint: "tcp://traefik-socket-proxy:2375"
+    exposedByDefault: false
+    network: services-internal-net
+  file:
+    # Ruta donde se encuentran tus middlewares y servicios externos
+    directory: "/etc/traefik/dynamic"
+    watch: true
+
+# --- Certificados ACME (Let's Encrypt) ---
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: "tortosaantonio@gmail.com"
+      # Ruta exacta validada en tu original
+      storage: "/letsencrypt/data/acme.json"
+      tlsChallenge: {}