Add Pi-hole with AdGuard DOH/DOT integration, reorganize swarm stacks, add DNS/n8n docs

2025-12-18 15:38:57 +00:00
parent 827f8bbf9d
commit f0c525d0df
44 changed files with 3013 additions and 486 deletions
--- a/services/swarm/traefik/dynamic.yml
+++ b/services/swarm/traefik/dynamic.yml
@@ -0,0 +1,123 @@
+http:
+  middlewares:
+    # Middleware to redirect non-www to www (optional, valid for steril.xyz if needed)
+    # my-www-redirect:
+    #   redirectRegex:
+    #     regex: "^https?://(?:www\\.)?(.+)"
+    #     replacement: "https://www.$${1}"
+    
+    # Secure Headers Middleware
+    security-headers:
+      headers:
+        customResponseHeaders:
+          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
+          server: ""
+        sslProxyHeaders:
+          X-Forwarded-Proto: https
+        referrerPolicy: "same-origin"
+        hostsProxyHeaders:
+          - "X-Forwarded-Host"
+        customRequestHeaders:
+          X-Forwarded-Proto: "https"
+        contentTypeNosniff: true
+        browserXssFilter: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsSeconds: 63072000
+        stsPreload: true
+
+    # Basic Auth Middleware (Example)
+    # my-basic-auth:
+    #   basicAuth:
+    #     users:
+    #       - "admin:$apr1$..."
+
+  tls:
+    options:
+      default:
+        minVersion: VersionTLS12
+        cipherSuites:
+          - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+          - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+          - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+          - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+          - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+
+  routers:
+    # Pi-hole
+    pihole:
+      rule: "Host(`pihole.sterl.xyz`)"
+      service: pihole
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: cfresolver
+
+    # Pi-hole 2
+    pihole2:
+      rule: "Host(`pihole2.sterl.xyz`)"
+      service: pihole2
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: cfresolver
+
+    # Proxmox (HTTPS)
+    proxmox:
+      rule: "Host(`proxmox.sterl.xyz`)"
+      service: proxmox
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: cfresolver
+
+    # Proxmox Monitor
+    proxmox-monitor:
+      rule: "Host(`proxmox-monitor.sterl.xyz`)"
+      service: proxmox-monitor
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: cfresolver
+
+    # OpenMediaVault (OMV)
+    omv:
+      rule: "Host(`omv.sterl.xyz`)"
+      service: omv
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: cfresolver
+
+  services:
+    pihole:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.1.196:7300"
+    
+    pihole2:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.1.245:7300"
+
+    proxmox:
+      loadBalancer:
+        servers:
+          # Proxmox typically runs on HTTPS with self-signed certs
+          - url: "https://192.168.1.57:8006"
+        serversTransport: "insecureSkipVerify"
+
+    proxmox-monitor:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.1.57:8008"
+
+    omv:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.1.70:80"
+
+  serversTransports:
+    insecureSkipVerify:
+      insecureSkipVerify: true
+