Infrastructure/docker-compose.yml at main · CyberDAS-Dev/Infrastructure · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
version: "3.8"
services:
  traefik:
    image: traefik:v2.5
    container_name: traefik
    restart: unless-stopped
    depends_on:
      - fluentd
    ports:
      - 80:80
      - 443:443
    expose:
      - 8082
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/acme.json:/acme.json
    networks:
      - default
      - proxy
      - monitoring
    command:
      # Дэшборд
      - --api
      # Настройка провайдера (докер)
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=proxy
      - --providers.docker.defaultRule=Host(`{{ (split "-" .Name)._0 }}.${DOMAIN}`)
      # Точки входа
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls.certResolver=letsEncrypt
      - --entrypoints.metrics.address=:8082
      # Мониторинг и логи
      - --log
      - --log.format=json
      - --accessLog
      - --accessLog.format=json
      - --metrics.prometheus.entryPoint=metrics
      # Автоматическое получение сертификатов
      - --certificatesResolvers.letsEncrypt.acme.email=postmaster@${DOMAIN}
      - --certificatesResolvers.letsEncrypt.acme.storage=acme.json
        # Когда в caServer ничего не указано, traefik пытается получить настоящий сертификат
        # Поэтому, при наличии TRAEFIL_REAL_CERTS в окружении, значением caServer будет пустая строка
      - --certificatesResolvers.letsEncrypt.acme.caServer=${TRAEFIK_REAL_CERTS-https://acme-staging-v02.api.letsencrypt.org/directory}
      - --certificatesResolvers.letsEncrypt.acme.httpChallenge.entryPoint=web
    labels:
      # Защищенный доступ (HTTP Basic Auth) к дэшборду
      - traefik.enable=true
      - traefik.http.routers.traefik.entrypoints=websecure
      - traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.services.traefik.loadbalancer.server.port=1111 # dummy значение
      - traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_USER}:${TRAEFIK_PASS_HASH}
      - traefik.http.routers.traefik.middlewares=traefik-auth
    logging:
      driver: fluentd
      options:
        fluentd-address: localhost:24224
        tag: traefik.log

  fluentd:
    image: grafana/fluent-plugin-loki:master
    container_name: fluentd
    restart: always
    ports:
      - 127.0.0.1:24224:24224
      - 127.0.0.1:24224:24224/udp
    command: fluentd -v -p /fluentd/plugins
    environment:
      LOKI_URL: http://loki:3100
    volumes:
      - ./fluentd/fluent.conf:/fluentd/etc/fluent.conf:ro
    networks:
      - default
      - monitoring

networks:
  proxy:
    name: proxy
    external: ${PROXY_IS_EXTERNAL-false}
  monitoring:
    external: true