86 lines
3.2 KiB
YAML
Executable File
86 lines
3.2 KiB
YAML
Executable File
# ==============================================================================
|
|
# OGNIRNAS - INFRAESTRUCTURA CORE: TRAEFIK V3 & DOCKER-SOCKET-PROXY
|
|
# ==============================================================================
|
|
# Última revisión: 2026-01-06 (Fase: Auditoría y Seguridad Activa)
|
|
# Propietario: Ognir (UID 1032 / GID 100)
|
|
# ==============================================================================
|
|
|
|
version: "3.9"
|
|
|
|
services:
|
|
# ----------------------------------------------------------------------------
|
|
# SERVICE: traefik-socket-proxy
|
|
# Cortafuegos para el socket de Docker. Aísla a Traefik del motor del NAS.
|
|
# ----------------------------------------------------------------------------
|
|
traefik-socket-proxy:
|
|
image: tecnativa/docker-socket-proxy:latest
|
|
container_name: traefik-socket-proxy
|
|
restart: always
|
|
networks:
|
|
- services-internal-net
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
|
environment:
|
|
- CONTAINERS=1
|
|
- NETWORKS=1
|
|
- SERVICES=1
|
|
- VERSION=1
|
|
- EVENTS=1
|
|
|
|
# ----------------------------------------------------------------------------
|
|
# SERVICE: traefik (v3.0)
|
|
# Reverse Proxy con TLS, Dashboard seguro y registro de actividad (Logs).
|
|
# ----------------------------------------------------------------------------
|
|
traefik:
|
|
image: traefik:v3.0
|
|
container_name: traefik
|
|
restart: always
|
|
user: "1032:100"
|
|
depends_on:
|
|
traefik-socket-proxy:
|
|
condition: service_started
|
|
|
|
networks:
|
|
proxy-macvlan-net:
|
|
ipv4_address: 192.168.178.25 # IP fija en red local (Fritz!Box)
|
|
services-internal-net: {}
|
|
|
|
volumes:
|
|
- /volume1/docker/configs/traefik:/etc/traefik:ro
|
|
- /volume1/docker/data/traefik:/letsencrypt
|
|
- /volume1/docker/data/traefik/logs:/var/log/traefik # Persistencia de logs
|
|
|
|
labels:
|
|
- "traefik.enable=true"
|
|
- "traefik.docker.network=services-internal-net"
|
|
|
|
# --- ROUTER DASHBOARD ---
|
|
- "traefik.http.routers.traefik-dash.rule=Host(`traefik.ognir-server.synology.me`)"
|
|
- "traefik.http.routers.traefik-dash.entrypoints=websecure"
|
|
- "traefik.http.routers.traefik-dash.tls=true"
|
|
- "traefik.http.routers.traefik-dash.tls.certresolver=letsencrypt"
|
|
- "traefik.http.routers.traefik-dash.service=api@internal"
|
|
|
|
# --- MIDDLEWARES (SEGURIDAD REFORZADA) ---
|
|
# Primero Auth (Login) y luego Headers de seguridad.
|
|
- "traefik.http.routers.traefik-dash.middlewares=auth-dashboard@file,security-headers@file"
|
|
|
|
command:
|
|
- "--configFile=/etc/traefik/traefik.yml"
|
|
# --- CONFIGURACIÓN DEL VIGILANTE (ACCESS LOGS) ---
|
|
# Activa el registro de cada petición que llega desde internet.
|
|
- "--accesslog=true"
|
|
# Ruta interna (mapeada al volumen data/traefik/logs)
|
|
- "--accesslog.filepath=/var/log/traefik/access.log"
|
|
# Buffering para no castigar el disco/SSD del NAS constantemente
|
|
- "--accesslog.bufferingsize=100"
|
|
|
|
# ------------------------------------------------------------------------------
|
|
# REDES EXTERNAS
|
|
# ------------------------------------------------------------------------------
|
|
networks:
|
|
proxy-macvlan-net:
|
|
external: true
|
|
services-internal-net:
|
|
external: true
|