mirror of
https://github.com/openziti/zrok.git
synced 2024-11-24 17:13:51 +01:00
add self-hosted zrok instance for Docker
This commit is contained in:
parent
1b3eacc04e
commit
79ec8150a6
30
docker/compose/zrok-instance/Caddyfile
Normal file
30
docker/compose/zrok-instance/Caddyfile
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
|
||||||
|
{
|
||||||
|
email ${ZROK_ACME_EMAIL}
|
||||||
|
acme_ca https://acme-v02.api.letsencrypt.org/directory
|
||||||
|
}
|
||||||
|
|
||||||
|
*.${ZROK_ZONE} {
|
||||||
|
tls {
|
||||||
|
dns digitalocean {env.DIGITALOCEAN_ACCESS_TOKEN}
|
||||||
|
propagation_timeout 60m
|
||||||
|
}
|
||||||
|
|
||||||
|
log {
|
||||||
|
output stdout
|
||||||
|
format console
|
||||||
|
level DEBUG
|
||||||
|
}
|
||||||
|
|
||||||
|
@oauth host oauth.${ZROK_ZONE}
|
||||||
|
reverse_proxy @oauth frontend:8181
|
||||||
|
|
||||||
|
@ctrl host ctrl.${ZROK_ZONE}
|
||||||
|
reverse_proxy @ctrl zrok:18080
|
||||||
|
|
||||||
|
reverse_proxy frontend:8080 {
|
||||||
|
header_up Host {http.request.host}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
13
docker/compose/zrok-instance/caddy.Dockerfile
Normal file
13
docker/compose/zrok-instance/caddy.Dockerfile
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
# Use the official Caddy image as a parent image
|
||||||
|
FROM caddy:2-builder AS builder
|
||||||
|
|
||||||
|
# Build Caddy with the digitalocean DNS provider
|
||||||
|
RUN xcaddy build \
|
||||||
|
--with github.com/caddy-dns/digitalocean
|
||||||
|
|
||||||
|
# Use the official Caddy image to create the final image
|
||||||
|
FROM caddy:2
|
||||||
|
|
||||||
|
# Copy the custom Caddy build into the final image
|
||||||
|
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
|
||||||
|
|
76
docker/compose/zrok-instance/compose.yml
Normal file
76
docker/compose/zrok-instance/compose.yml
Normal file
@ -0,0 +1,76 @@
|
|||||||
|
services:
|
||||||
|
zrok_env:
|
||||||
|
image: busybox
|
||||||
|
command: chown -Rc 65534:65534 /var/lib/zrok/env; chmod ug=rwX,o-rwx -Rc /var/lib/zrok/env
|
||||||
|
volumes:
|
||||||
|
- zrok_env:/var/lib/zrok/env
|
||||||
|
zrok:
|
||||||
|
depends_on:
|
||||||
|
zrok_env:
|
||||||
|
condition: service_completed_successfully
|
||||||
|
image: openziti/zrok:0.4.20
|
||||||
|
command: controller --verbose ./etc/ctrl.yml
|
||||||
|
working_dir: /var/lib/zrok
|
||||||
|
volumes:
|
||||||
|
- ./zrok_etc:/var/lib/zrok/etc
|
||||||
|
networks:
|
||||||
|
quickstart:
|
||||||
|
restart: unless-stopped
|
||||||
|
ports:
|
||||||
|
- 127.0.0.1:18080:18080
|
||||||
|
environment:
|
||||||
|
PFXLOG_NO_JSON: "true"
|
||||||
|
frontend:
|
||||||
|
depends_on:
|
||||||
|
zrok_env:
|
||||||
|
condition: service_completed_successfully
|
||||||
|
image: openziti/zrok:0.4.20
|
||||||
|
command: access public --verbose ./etc/frontend.yml
|
||||||
|
working_dir: /var/lib/zrok
|
||||||
|
volumes:
|
||||||
|
- zrok_env:/var/lib/zrok/env
|
||||||
|
- ./zrok_etc:/var/lib/zrok/etc
|
||||||
|
networks:
|
||||||
|
quickstart:
|
||||||
|
restart: unless-stopped
|
||||||
|
ports:
|
||||||
|
- 127.0.0.1:8080:8080
|
||||||
|
- 127.0.0.1:8081:8081
|
||||||
|
environment:
|
||||||
|
PFXLOG_NO_JSON: "true"
|
||||||
|
HOME: /var/lib/zrok/env
|
||||||
|
ZROK_ADMIN_TOKEN:
|
||||||
|
ZROK_API_ENDPOINT:
|
||||||
|
quickstart:
|
||||||
|
restart: unless-stopped
|
||||||
|
networks:
|
||||||
|
quickstart:
|
||||||
|
aliases:
|
||||||
|
- ziti.${ZROK_ZONE}
|
||||||
|
caddy:
|
||||||
|
build:
|
||||||
|
context: .
|
||||||
|
dockerfile: ./caddy.Dockerfile
|
||||||
|
restart: unless-stopped
|
||||||
|
environment:
|
||||||
|
DIGITALOCEAN_ACCESS_TOKEN:
|
||||||
|
ports:
|
||||||
|
- "80:80"
|
||||||
|
- "443:443"
|
||||||
|
- "443:443/udp"
|
||||||
|
volumes:
|
||||||
|
- ./Caddyfile:/etc/caddy/Caddyfile
|
||||||
|
- caddy_data:/data
|
||||||
|
- caddy_config:/config
|
||||||
|
networks:
|
||||||
|
quickstart:
|
||||||
|
|
||||||
|
volumes:
|
||||||
|
caddy_data:
|
||||||
|
caddy_config:
|
||||||
|
zrok_env:
|
||||||
|
|
||||||
|
networks:
|
||||||
|
quickstart:
|
||||||
|
driver: bridge
|
||||||
|
|
141
docker/compose/zrok-instance/ctrl.web.yaml
Normal file
141
docker/compose/zrok-instance/ctrl.web.yaml
Normal file
@ -0,0 +1,141 @@
|
|||||||
|
# this is a partial ziti controller configuration that redefines the quickstart's list of web listeners as two:
|
||||||
|
# client-management (private listener) and edge-client (public listener)
|
||||||
|
web:
|
||||||
|
# name - required
|
||||||
|
# Provides a name for this listener, used for logging output. Not required to be unique, but is highly suggested.
|
||||||
|
- name: edge-client
|
||||||
|
# bindPoints - required
|
||||||
|
# One or more bind points are required. A bind point specifies an interface (interface:port string) that defines
|
||||||
|
# where on the host machine the webListener will listen and the address (host:port) that should be used to
|
||||||
|
# publicly address the webListener(i.e. mydomain.com, localhost, 127.0.0.1). This public address may be used for
|
||||||
|
# incoming address resolution as well as used in responses in the API.
|
||||||
|
bindPoints:
|
||||||
|
#interface - required
|
||||||
|
# A host:port string on which network interface to listen on. 0.0.0.0 will listen on all interfaces
|
||||||
|
- interface: 0.0.0.0:1280
|
||||||
|
# address - required
|
||||||
|
# The public address that external incoming requests will be able to resolve. Used in request processing and
|
||||||
|
# response content that requires full host:port/path addresses.
|
||||||
|
address: ziti.${ZROK_ZONE}:1280
|
||||||
|
# identity - optional
|
||||||
|
# Allows the webListener to have a specific identity instead of defaulting to the root 'identity' section.
|
||||||
|
identity:
|
||||||
|
ca: "/persistent/pki/root-ca/certs/root-ca.cert"
|
||||||
|
key: "/persistent/pki/intermediate-ca/keys/server.key"
|
||||||
|
server_cert: "/persistent/pki/intermediate-ca/certs/server.chain.pem"
|
||||||
|
cert: "/persistent/pki/intermediate-ca/certs/client.cert"
|
||||||
|
#alt_server_certs:
|
||||||
|
#- server_cert: ""
|
||||||
|
# server_key: ""
|
||||||
|
|
||||||
|
# options - optional
|
||||||
|
# Allows the specification of webListener level options - mainly dealing with HTTP/TLS settings. These options are
|
||||||
|
# used for all http servers started by the current webListener.
|
||||||
|
options:
|
||||||
|
# idleTimeoutMs - optional, default 5000ms
|
||||||
|
# The maximum amount of idle time in milliseconds allowed for pipelined HTTP requests. Setting this too high
|
||||||
|
# can cause resources on the host to be consumed as clients remain connected and idle. Lowering this value
|
||||||
|
# will cause clients to reconnect on subsequent HTTPs requests.
|
||||||
|
idleTimeout: 5000ms #http timeouts, new
|
||||||
|
# readTimeoutMs - optional, default 5000ms
|
||||||
|
# The maximum amount of time in milliseconds http servers will wait to read the first incoming requests. A higher
|
||||||
|
# value risks consuming resources on the host with clients that are acting bad faith or suffering from high latency
|
||||||
|
# or packet loss. A lower value can risk losing connections to high latency/packet loss clients.
|
||||||
|
readTimeout: 5000ms
|
||||||
|
# writeTimeoutMs - optional, default 100000ms
|
||||||
|
# The total maximum time in milliseconds that the http server will wait for a single requests to be received and
|
||||||
|
# responded too. A higher value can allow long-running requests to consume resources on the host. A lower value
|
||||||
|
# can risk ending requests before the server has a chance to respond.
|
||||||
|
writeTimeout: 100000ms
|
||||||
|
# minTLSVersion - optional, default TLS1.2
|
||||||
|
# The minimum version of TSL to support
|
||||||
|
minTLSVersion: TLS1.2
|
||||||
|
# maxTLSVersion - optional, default TLS1.3
|
||||||
|
# The maximum version of TSL to support
|
||||||
|
maxTLSVersion: TLS1.3
|
||||||
|
# apis - required
|
||||||
|
# Allows one or more APIs to be bound to this webListener
|
||||||
|
apis:
|
||||||
|
# binding - required
|
||||||
|
# Specifies an API to bind to this webListener. Built-in APIs are
|
||||||
|
# - edge-management
|
||||||
|
# - edge-client
|
||||||
|
# - fabric-management
|
||||||
|
# - binding: edge-management
|
||||||
|
# # options - arg optional/required
|
||||||
|
# # This section is used to define values that are specified by the API they are associated with.
|
||||||
|
# # These settings are per API. The example below is for the 'edge-api' and contains both optional values and
|
||||||
|
# # required values.
|
||||||
|
# options: { }
|
||||||
|
- binding: edge-client
|
||||||
|
options: { }
|
||||||
|
#- binding: fabric
|
||||||
|
# options: { }
|
||||||
|
- name: client-management
|
||||||
|
# bindPoints - required
|
||||||
|
# One or more bind points are required. A bind point specifies an interface (interface:port string) that defines
|
||||||
|
# where on the host machine the webListener will listen and the address (host:port) that should be used to
|
||||||
|
# publicly address the webListener(i.e. mydomain.com, localhost, 127.0.0.1). This public address may be used for
|
||||||
|
# incoming address resolution as well as used in responses in the API.
|
||||||
|
bindPoints:
|
||||||
|
#interface - required
|
||||||
|
# A host:port string on which network interface to listen on. 0.0.0.0 will listen on all interfaces
|
||||||
|
- interface: 0.0.0.0:1281
|
||||||
|
# address - required
|
||||||
|
# The public address that external incoming requests will be able to resolve. Used in request processing and
|
||||||
|
# response content that requires full host:port/path addresses.
|
||||||
|
address: 127.0.0.1:1281
|
||||||
|
# identity - optional
|
||||||
|
# Allows the webListener to have a specific identity instead of defaulting to the root 'identity' section.
|
||||||
|
identity:
|
||||||
|
ca: "/persistent/pki/root-ca/certs/root-ca.cert"
|
||||||
|
key: "/persistent/pki/intermediate-ca/keys/server.key"
|
||||||
|
server_cert: "/persistent/pki/intermediate-ca/certs/server.chain.pem"
|
||||||
|
cert: "/persistent/pki/intermediate-ca/certs/client.cert"
|
||||||
|
#alt_server_certs:
|
||||||
|
#- server_cert: ""
|
||||||
|
# server_key: ""
|
||||||
|
|
||||||
|
# options - optional
|
||||||
|
# Allows the specification of webListener level options - mainly dealing with HTTP/TLS settings. These options are
|
||||||
|
# used for all http servers started by the current webListener.
|
||||||
|
options:
|
||||||
|
# idleTimeoutMs - optional, default 5000ms
|
||||||
|
# The maximum amount of idle time in milliseconds allowed for pipelined HTTP requests. Setting this too high
|
||||||
|
# can cause resources on the host to be consumed as clients remain connected and idle. Lowering this value
|
||||||
|
# will cause clients to reconnect on subsequent HTTPs requests.
|
||||||
|
idleTimeout: 5000ms #http timeouts, new
|
||||||
|
# readTimeoutMs - optional, default 5000ms
|
||||||
|
# The maximum amount of time in milliseconds http servers will wait to read the first incoming requests. A higher
|
||||||
|
# value risks consuming resources on the host with clients that are acting bad faith or suffering from high latency
|
||||||
|
# or packet loss. A lower value can risk losing connections to high latency/packet loss clients.
|
||||||
|
readTimeout: 5000ms
|
||||||
|
# writeTimeoutMs - optional, default 100000ms
|
||||||
|
# The total maximum time in milliseconds that the http server will wait for a single requests to be received and
|
||||||
|
# responded too. A higher value can allow long-running requests to consume resources on the host. A lower value
|
||||||
|
# can risk ending requests before the server has a chance to respond.
|
||||||
|
writeTimeout: 100000ms
|
||||||
|
# minTLSVersion - optional, default TLS1.2
|
||||||
|
# The minimum version of TSL to support
|
||||||
|
minTLSVersion: TLS1.2
|
||||||
|
# maxTLSVersion - optional, default TLS1.3
|
||||||
|
# The maximum version of TSL to support
|
||||||
|
maxTLSVersion: TLS1.3
|
||||||
|
# apis - required
|
||||||
|
# Allows one or more APIs to be bound to this webListener
|
||||||
|
apis:
|
||||||
|
# binding - required
|
||||||
|
# Specifies an API to bind to this webListener. Built-in APIs are
|
||||||
|
# - edge-management
|
||||||
|
# - edge-client
|
||||||
|
# - fabric-management
|
||||||
|
- binding: edge-management
|
||||||
|
# options - arg optional/required
|
||||||
|
# This section is used to define values that are specified by the API they are associated with.
|
||||||
|
# These settings are per API. The example below is for the 'edge-api' and contains both optional values and
|
||||||
|
# required values.
|
||||||
|
options: { }
|
||||||
|
#- binding: edge-client
|
||||||
|
# options: { }
|
||||||
|
- binding: fabric
|
||||||
|
options: { }
|
25
docker/compose/zrok-instance/zrok_ctrl.yml
Normal file
25
docker/compose/zrok-instance/zrok_ctrl.yml
Normal file
@ -0,0 +1,25 @@
|
|||||||
|
# _____ __ ___ | | __
|
||||||
|
# |_ / '__/ _ \| |/ /
|
||||||
|
# / /| | | (_) | <
|
||||||
|
# /___|_| \___/|_|\_\
|
||||||
|
# controller configuration
|
||||||
|
|
||||||
|
v: 3
|
||||||
|
admin:
|
||||||
|
# generate these admin tokens from a source of randomness, e.g.
|
||||||
|
# LC_ALL=C tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c32
|
||||||
|
secrets:
|
||||||
|
- ""
|
||||||
|
endpoint:
|
||||||
|
host: 0.0.0.0
|
||||||
|
port: 18080
|
||||||
|
invites:
|
||||||
|
invites_open: true
|
||||||
|
token_strategy: store
|
||||||
|
store:
|
||||||
|
path: ./etc/zrok.db
|
||||||
|
type: sqlite3
|
||||||
|
ziti:
|
||||||
|
api_endpoint: https://ziti.${ZROK_ZONE}:1281/edge/management/v1
|
||||||
|
username: admin
|
||||||
|
password: ""
|
12
docker/compose/zrok-instance/zrok_frontend.yml
Normal file
12
docker/compose/zrok-instance/zrok_frontend.yml
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
v: 3
|
||||||
|
host_match: ${ZROK_ZONE}
|
||||||
|
address: 0.0.0.0:8080
|
||||||
|
oauth:
|
||||||
|
bind_address: 0.0.0.0:8181
|
||||||
|
redirect_url: https://oauth.${ZROK_ZONE}
|
||||||
|
cookie_domain: ${ZROK_ZONE}
|
||||||
|
hash_key: ${ZROK_OAUTH_HASH_KEY}
|
||||||
|
providers:
|
||||||
|
- name: google
|
||||||
|
client_id: ""
|
||||||
|
client_secret: ""
|
Loading…
Reference in New Issue
Block a user