feat: make it possible to add local certificates

2026-06-08 12:10:05 +08:00 · 2025-06-28 21:16:11 +02:00
parent b63e6a8e32
commit ef9516626e
10 changed files with 203 additions and 54 deletions
--- a/traefik/opencloud.yml
+++ b/traefik/opencloud.yml
@@ -5,9 +5,9 @@ services:
      - "traefik.enable=true"
      - "traefik.http.routers.opencloud.entrypoints=https"
      - "traefik.http.routers.opencloud.rule=Host(`${OC_DOMAIN:-cloud.opencloud.test}`)"
-      - "traefik.http.routers.opencloud.tls.certresolver=letsencrypt"
      - "traefik.http.routers.opencloud.service=opencloud"
      - "traefik.http.services.opencloud.loadbalancer.server.port=9200"
+      - "traefik.http.routers.opencloud.${TRAEFIK_SERVICES_TLS_CONFIG}"
  traefik:
    image: traefik:v3.3.1
    # release notes: https://github.com/traefik/traefik/releases
@@ -15,38 +15,19 @@ services:
      opencloud-net:
        aliases:
          - ${OC_DOMAIN:-cloud.opencloud.test}
-    command:
-      - "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}"
-      # letsencrypt configuration
-      - "--certificatesResolvers.letsencrypt.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}"
-      - "--certificatesResolvers.letsencrypt.acme.storage=/certs/acme.json"
-      - "--certificatesResolvers.letsencrypt.acme.httpChallenge.entryPoint=http"
-      - "--certificatesResolvers.letsencrypt.acme.caserver=${TRAEFIK_ACME_CASERVER:-https://acme-v02.api.letsencrypt.org/directory}"
-      # enable dashboard
-      - "--api.dashboard=true"
-      # define entrypoints
-      - "--entryPoints.http.address=:80"
-      - "--entryPoints.http.http.redirections.entryPoint.to=https"
-      - "--entryPoints.http.http.redirections.entryPoint.scheme=https"
-      - "--entryPoints.https.address=:443"
-      # change default timeouts for long-running requests
-      # this is needed for webdav clients that do not support the TUS protocol
-      - "--entryPoints.https.transport.respondingTimeouts.readTimeout=12h"
-      - "--entryPoints.https.transport.respondingTimeouts.writeTimeout=12h"
-      - "--entryPoints.https.transport.respondingTimeouts.idleTimeout=3m"
-      # docker provider (get configuration from container labels)
-      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
-      - "--providers.docker.exposedByDefault=false"
-      # access log
-      - "--accessLog=true"
-      - "--accessLog.format=json"
-      - "--accessLog.fields.headers.names.X-Request-Id=keep"
+    entrypoint: [ "/bin/sh", "/opt/traefik/bin/docker-entrypoint-override.sh"]
+    environment:
+      - "TRAEFIK_SERVICES_TLS_CONFIG=${TRAEFIK_SERVICES_TLS_CONFIG:-tls.certresolver=letsencrypt}"
+      - "TRAEFIK_ACME_EMAIL=${TRAEFIK_ACME_MAIL:-example@example.org}"
+      - "TRAEFIK_ACME_CASERVER=${TRAEFIK_ACME_CASERVER:-https://acme-v02.api.letsencrypt.org/directory}"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "${DOCKER_SOCKET_PATH:-/var/run/docker.sock}:/var/run/docker.sock:ro"
-      - "certs:/certs"
+      - "./config/traefik/docker-entrypoint-override.sh:/opt/traefik/bin/docker-entrypoint-override.sh"
+      - "${TRAEFIK_CERTS_DIR:-./certs}:/certs"
+      - "./config/traefik/dynamic:/etc/traefik/dynamic"
    labels:
      - "traefik.enable=${TRAEFIK_DASHBOARD:-false}"
      # defaults to admin:admin
@@ -54,11 +35,8 @@ services:
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.opencloud.test}`)"
      - "traefik.http.routers.traefik.middlewares=traefik-auth"
-      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.traefik.${TRAEFIK_SERVICES_TLS_CONFIG}"
      - "traefik.http.routers.traefik.service=api@internal"
    logging:
      driver: ${LOG_DRIVER:-local}
    restart: always
-
-volumes:
-  certs: