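# ==============================================================================
# OGNIRNAS - CORE INFRASTRUCTURE: TRAEFIK V3 & DOCKER-SOCKET-PROXY
# ==============================================================================
# Last reviewed: 2026-01-06
# Owner: Ognir (UID 1032 / GID 100)
# Goal: reverse proxy with hardened authentication and Docker-socket isolation.
#
# The top-level `version:` key was dropped: it is obsolete under the Compose
# Specification (Compose v2 only warns about it), and this file already relies
# on Compose v2 semantics (`depends_on` with `condition:`).
# ==============================================================================

services:
  # ----------------------------------------------------------------------------
  # SERVICE: traefik-socket-proxy
  # Security layer that keeps Traefik from talking to the Docker socket directly.
  # Only the API sections enabled in `environment` are reachable; the image's
  # default (not overridden here) also refuses write (POST) calls.
  # ----------------------------------------------------------------------------
  traefik-socket-proxy:
    # TODO(review): pin an immutable tag or digest. `latest` turns every pull
    # into a potential supply-chain change to the component guarding the socket.
    image: tecnativa/docker-socket-proxy:latest
    container_name: traefik-socket-proxy
    restart: always
    security_opt:
      # Processes in the container cannot gain privileges (setuid/capabilities).
      - no-new-privileges:true
    networks:
      - services-internal-net
    volumes:
      # `:ro` only protects the socket file itself; it does not restrict the
      # Docker API. The allow-list in `environment` is what limits Traefik.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - CONTAINERS=1
      - NETWORKS=1
      # NOTE(review): SERVICES is only used by the Swarm provider. If traefik.yml
      # uses the plain Docker provider this can be 0 — confirm before changing.
      - SERVICES=1
      - VERSION=1
      - EVENTS=1

  # ----------------------------------------------------------------------------
  # SERVICE: traefik (v3.0)
  # Main orchestrator: terminates TLS and serves the secured dashboard.
  # ----------------------------------------------------------------------------
  traefik:
    image: traefik:v3.0
    container_name: traefik
    restart: always
    # Run as the Ognir user so files written to the bind mounts get the right
    # ownership. Assumes the daemon lets unprivileged users bind 80/443 inside
    # the container (Docker default since 20.10) — confirm if entrypoints fail
    # to bind.
    user: "1032:100"
    security_opt:
      - no-new-privileges:true
    depends_on:
      traefik-socket-proxy:
        condition: service_started
    networks:
      proxy-macvlan-net:
        ipv4_address: 192.168.178.25  # static IP on the LAN
      services-internal-net: {}  # shared with traefik-socket-proxy
    volumes:
      - /volume1/docker/configs/traefik:/etc/traefik:ro
      # ACME storage: acme.json holds the certificate private keys, so keep the
      # host directory restricted to UID 1032.
      - /volume1/docker/data/traefik:/letsencrypt
      - /volume1/docker/data/traefik/logs:/var/log/traefik
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=services-internal-net"

      # --- ROUTER CONFIGURATION (DASHBOARD) ---
      - "traefik.http.routers.traefik-dash.rule=Host(`traefik.ognir-server.synology.me`)"
      - "traefik.http.routers.traefik-dash.entrypoints=websecure"
      - "traefik.http.routers.traefik-dash.tls=true"
      - "traefik.http.routers.traefik-dash.tls.certresolver=letsencrypt"

      # --- INTERNAL SERVICE (API V3) ---
      - "traefik.http.routers.traefik-dash.service=api@internal"

      # --- MIDDLEWARES (PRIORITY ORDER: LOGIN > SECURITY) ---
      # auth-dashboard goes first so the credential prompt fires before the
      # security headers are applied, which could otherwise be cached and block it.
      # Both middlewares are defined in the file provider, not in this compose
      # file; access to api@internal is gated only by auth-dashboard@file.
      - "traefik.http.routers.traefik-dash.middlewares=auth-dashboard@file,security-headers@file"
    command:
      - "--configFile=/etc/traefik/traefik.yml"

# ------------------------------------------------------------------------------
# PRE-EXISTING EXTERNAL NETWORKS
# ------------------------------------------------------------------------------
networks:
  proxy-macvlan-net:
    external: true
  services-internal-net:
    external: true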