diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..88c498a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+selfsigned/letsencrypt/acme.json
+selfsigned/traefik/log/access.log
+certbot/letsencrypt/acme.json
+certbot/traefik/log/access.log
diff --git a/certbot/00-install-certbot.sh b/certbot/00-install-certbot.sh
deleted file mode 100644
index d64b5a4..0000000
--- a/certbot/00-install-certbot.sh
+++ /dev/null
@@ -1,205 +0,0 @@ -#!/bin/bash -#============================================================================ -# FILE: 00-install-certbot.sh -# USAGE: sudo ./00-install-certbot.sh -# DESCRIPTION: POSIX (hopefully) compatible script to install certbot and -# enabling the HTTP Port for certbot via firewall -#============================================================================ -ROOT_UID=0 -E_NOTROOT=87 - -ENVFILE="certbot.env" - - -#=== FUNCTION ================================================================ -# NAME: determine_distro -# DESCRIPTION: determine which type of Linux Distribution the machine is -# PARAMETERS: none -# RETURNS: distribution name -#=============================================================================== -function determine_distro () -{ - if grep -Eqii "CentOS" /etc/issue || grep -Eq "CentOS" /etc/*-release; then - DISTRO="CentOS" - - elif grep -Eqi "Red Hat Enterprise Linux Server" /etc/issue || grep -Eq "Red Hat Enterprise Linux Server" /etc/*-release ; then - DISTRO="RHEL" - - elif grep -Eqi "Fedora" /etc/issue || grep -Eq "Fedora" /etc/*-release ; then - DISTRO="Fedora" - - elif grep -Eqi "Debian" /etc/issue || grep -Eq "Debian" /etc/*-release ; then - DISTRO="Debian" - - elif grep -Eqi "Ubuntu" /etc/issue || grep -Eq "Ubuntu" /etc/*-release ; then - DISTRO="Ubuntu" - - else - DISTRO=$(uname -s) - - fi -} # ---------- end of function determine_distro ---------- - - -#=== FUNCTION ================================================================ -# NAME: install_certbot -# DESCRIPTION: install certbot binary on machine based on machine's distribution -# PARAMETERS: none -# RETURNS: none -#=============================================================================== - -function install_certbot () -{ - - echo "#-------------------------------------------------------------------------------" - echo "# Installing certbot on the machine " - echo "#-------------------------------------------------------------------------------" - 
- - determine_distro - - case $DISTRO in - - "CentOS"|"RHEL") - echo -e "Using yum to install certbot on ${DISTRO} \n" - echo -e "Enabling Extra Packages for Enterprise Linux (EPEL)\n" - - yum --enablerepo=extras install epel-release - yum install certbot - - retval=$? - - if [ $retval -ne 0 ]; then - echo -e "Error while installing certbot on machine \n" - exit $retval - fi - ;; - - "Fedora") - echo -e "Using dnf to install certbot on ${DISTRO}\n" - dnf install certbot - ;; - - "Debian") - echo -e "Using apt-get to install certbot on ${DISTRO} \n" - - apt-get install certbot - - retval=$? - - if [ $retval -ne 0 ]; then - echo -e "Error while installing certbot on machine \n" - exit $retval - fi - ;; - - "Ubuntu") - - source /etc/*-release - - echo -e "Distribution Version: $DISTRIB_RELEASE\n" - - case $DISTRIB_RELEASE in - "19.04"|"20.04") - apt-get update - apt-get install -y software-properties-common - add-apt-repository universe - apt-get update - ;; - - "18.04"|"16.04") - apt-get update - apt-get install -y software-properties-common - add-apt-repository universe - add-apt-repository ppa:certbot/certbot - apt-get update - ;; - - *) - echo -e "Check Certbot official docs for manual installation on this version.\n" - ;; - esac - - echo -e "Installing Certbot\n" - apt-get install certbot - - retval=$? - - if [ $retval -ne 0 ]; then - echo -e "Error while installing certbot on machine\n" - exit $retval - fi - ;; - - *) - echo -e "Unknown Distribution. 
Please install certbot manually\n" - exit 1 - ;; - - esac # --- end of case --- - -} # ---------- end of function install_certbot ---------- - -#------------------------------------------------------------------------------- -# Check if Script is running with Root Privileges -#------------------------------------------------------------------------------- - - -if [ "$UID" -ne "$ROOT_UID" ]; then - echo -e "Must be Root to run this script\n" - exit $E_NOTROOT -fi - -echo "#-------------------------------------------------------------------------------" -echo "# Checking if certbot exists on machine" -echo "#-------------------------------------------------------------------------------" - -if ! command -v certbot &> /dev/null; then - echo -e "certbot not installed on machine\n" - install_certbot -else - echo -e "certbot already exists on machine\n" -fi - -echo "#-------------------------------------------------------------------------------" -echo "# Enabling HTTP Port (80) via Firewall " -echo "#-------------------------------------------------------------------------------" - -determine_distro -echo "DISTRO=$DISTRO" >> $ENVFILE -echo "Enabling HTTP port for certbot on ${DISTRO}" - - -case $DISTRO in - "Raspbian"|"Debian"|"Ubuntu") - if ! command -v ufw &> /dev/null; then - echo -e "no ufw installed on machine\n" - echo -e "installing ufw\n" - apt install ufw - fi - - echo -e "enabling HTTP port on Machine\n" - ufw allow 80 - ;; - - - "CentOS"|"RHEL"|"Fedora") - if ! command -v firewall-cmd &> /dev/null; then - echo -e "no firewall-cmd installed on machine\n" - echo -e "installing firewall-cmd\n" - yum install firewall-cmd - fi - - echo -e "enabling HTTP port on machine\n" - firewall-cmd --add-service=http - firewall-cmd --runtime-to-permanent - ;; - - *) - echo -e "Unknown Distribution. Please enable HTTP Port manually\n" - exit 2 - ;; - -esac # --- end of case --- - -exit 0 
diff --git a/certbot/01-generate-certs.sh b/certbot/01-generate-certs.sh deleted file mode 100644 index 453be88..0000000 --- a/certbot/01-generate-certs.sh +++ /dev/null 
@@ -1,132 +0,0 @@ -#!/bin/bash -#============================================================================ -# FILE: 01-generate-certs.sh -# USAGE: sudo ./01-generate-certs.sh -# DESCRIPTION: generating SSL certificates for given Domain + Email via certbot -#============================================================================ - -ROOT_UID=0 -E_NOTROOT=87 - -MOSQUITTO_CONF=$(pwd)/mosquitto/config/mosquitto.conf -ENVFILE="certbot.env" - -if [ "$UID" -ne "$ROOT_UID" ]; then - echo -e "Must be Root to run this script\n" - exit $E_NOTROOT -fi - -if [ $# -lt 2 ]; then - echo -e "\n USAGE: `basename $0` " - exit 1 -else - DOMAIN=$1 - EMAIL=$2 - echo -e "## CERTBOT Environment Variables\n" - echo -e "CB_DOMAIN=$DOMAIN" >> $ENVFILE - echo -e "CB_EMAIL=$EMAIL" >> $ENVFILE -fi - -echo "#-------------------------------------------------------------------------------" -echo "# Checking if certbot exists on machine" -echo "#-------------------------------------------------------------------------------" - -if ! command -v certbot &> /dev/null; then - echo -e "certbot not installed on machine\n" - echo -e "Please execute 00-install-certbot.sh script first" - exit 1 -else - echo -e "certbot already exists on machine\n" -fi - -echo "#-------------------------------------------------------------------------------" -echo "# Generating SSL Certificates for the Domain using certbot" -echo "#-------------------------------------------------------------------------------" - -certbot certonly \ - --standalone \ - --preferred-challenges http \ - --agree-tos \ - -m $EMAIL \ - -d $DOMAIN - -cert_return=$? 
- -if [ $cert_return -ne 0 ]; then - echo -e "certbot threw errors while generating certificates\n" - exit $cert_return -fi - - -#------------------------------------------------------------------------------- -# Check if Directory for generated certificates exists and files exist within it -#------------------------------------------------------------------------------- - -CERTDIR=/etc/letsencrypt/live/$DOMAIN - -echo -e "Certificate Directory: $CERTDIR\n" - -if [ -d $CERTDIR ]; then - echo -e "Domain directory in letsencrypt directory exists\n" - echo -e "Checking for certificates in the directory\n" - - if [[ -f $CERTDIR/fullchain.pem ]] && [[ -f $CERTDIR/privkey.pem ]]; then - echo -e "Necessary certificates for SSL/HTTPS exist\n" - else - echo -e "No Certificates exist. Please check certbot logs\n" - exit 3 - fi -else - echo -e "No domain directory exists. Please check certbot logs\n" - exit 3 -fi - - -# Setup Variables for Certificates for Insertion into configuration file + Env file -CAFILE=$CERTDIR/chain.pem -CERTFILE=$CERTDIR/fullchain.pem -KEYFILE=$CERTDIR/privkey.pem - -#------------------------------------------------------------------------------- -# Adding Relevant files and Paths to Environment Variable Files -#------------------------------------------------------------------------------- - -#------------------------------------------------------------------------------- -# INFLUXDB ENVIRONMENT VARIABLES FOR HTTPS -#------------------------------------------------------------------------------- -echo -e "# InfluxDB Environment Variables" >> $ENVFILE -echo -e "INFLUXDB_HTTP_HTTPS_ENABLED=true" >> $ENVFILE -echo -e "INFLUXDB_HTTP_HTTPS_CERTIFICATE=$CERTFILE" >> $ENVFILE -echo -e "INFLUXDB_HTTP_HTTPS_PRIVATE_KEY=$KEYFILE" >> $ENVFILE - - -#------------------------------------------------------------------------------- -# GRAFANA ENVIRONMENT VARIABLES FOR HTTPS -#------------------------------------------------------------------------------- -echo -e "# 
Grafana Server Environment Variables" >> $ENVFILE -echo -e "GF_SECURITY_ADMIN_USER=admin" >> $ENVFILE -echo -e "GF_SECURITY_ADMIN_PASSWORD=tiguitto" >> $ENVFILE -echo -e "GF_SERVER_PROTOCOL=https" >> $ENVFILE -echo -e "GF_SERVER_DOMAIN=$DOMAIN" >> $ENVFILE -echo -e "GF_SERVER_ROOT_URL=https://$DOMAIN" >> $ENVFILE -echo -e "GF_SERVER_CERT_FILE=$CERTFILE" >> $ENVFILE -echo -e "GF_SERVER_CERT_KEY=$KEYFILE" >> $ENVFILE - -#------------------------------------------------------------------------------- -# TELEGRAF ENVIRONMENT VARIABLES -#------------------------------------------------------------------------------- -echo -e "# Telegraf Environment Variables" >> $ENVFILE -echo -e "TG_MOSQUITTO_USERNAME=subclient" >> $ENVFILE -echo -e "TG_MOSQUITTO_PASSWORD=tiguitto" >> $ENVFILE - -#------------------------------------------------------------------------------- -# Add TLS Certificate Paths to Mosquitto Configuration File -#------------------------------------------------------------------------------- - -echo -e "Adapting the Mosquitto Configuration file\n" - -sed -i "s|##CAFILE|$CAFILE|g" $MOSQUITTO_CONF -sed -i "s|##CERTFILE|$CERTFILE|g" $MOSQUITTO_CONF -sed -i "s|##KEYFILE|$KEYFILE|g" $MOSQUITTO_CONF - -exit 0 \ No newline at end of file diff --git a/certbot/certbot.env b/certbot/certbot.env index b53f1dd..2458daf 100644 --- a/certbot/certbot.env +++ b/certbot/certbot.env 
@@ -1,2 +1,31 @@
-# VARIABLES WILL BE GENERATED AFTER EXECUTING:
-# 01-generate-certs.sh SCRIPT
\ No newline at end of file
+#InfluxDB Environment Variables
+INFLUXDB_DB=edge
+INFLUXDB_HTTP_AUTH_ENABLED=true
+
+#INFLUXDB_HTTP_HTTPS_ENABLED=true
+#INFLUXDB_HTTP_HTTPS_CERTIFICATE=/etc/ssl/influxdb/influx-server.crt
+#INFLUXDB_HTTP_HTTPS_PRIVATE_KEY=/etc/ssl/influxdb/influx-server.key
+
+INFLUXDB_ADMIN_USER=admin
+INFLUXDB_ADMIN_PASSWORD=tiguitto
+
+INFLUXDB_USER=tiguitto
+INFLUXDB_USER_PASSWORD=tiguitto
+
+# Gather Traefik Metrics via UDP since HTTPS/HTTP conflict
+# Default UDP Port on 8089
+INFLUXDB_UDP_ENABLED=true
+INFLUXDB_UDP_DATABASE=traefik
+
+# Grafana Environment Variables
+GF_SECURITY_ADMIN_USER=admin
+GF_SECURITY_ADMIN_PASSWORD=tiguitto
+GF_SERVER_PROTOCOL=http
+GF_SERVER_ROOT_URL=http://127.0.0.1:3000/grafana
+GF_SERVER_SERVE_FROM_SUB_PATH=true
+#GF_SERVER_CERT_FILE=/etc/ssl/certs/grafana-server.crt
+#GF_SERVER_CERT_KEY=/etc/ssl/certs/grafana-server.key
+
+# Telegraf Environment Variables
+TG_MOSQUITTO_USERNAME=subclient
+TG_MOSQUITTO_PASSWORD=tiguitto
diff --git a/certbot/docker-compose.certbot.yml b/certbot/docker-compose.certbot.yml
index 9c0b966..e8ec802 100644
--- a/certbot/docker-compose.certbot.yml
+++ b/certbot/docker-compose.certbot.yml
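Review bot: The new certbot.env commits working credentials in clear text (`INFLUXDB_ADMIN_PASSWORD`, `INFLUXDB_USER_PASSWORD`, `GF_SECURITY_ADMIN_PASSWORD` and `TG_MOSQUITTO_PASSWORD` all carry the same value), and the .gitignore added in this commit ignores acme.json and access.log but not this file. Since several services read it through `env_file`, a committed `certbot.env.example` with placeholders plus an ignored real file would keep the deployment shape while keeping secrets out of history. The `INFLUXDB_UDP_ENABLED=true` block also deserves a comment that the UDP listener on 8089, as far as I know, accepts writes without the HTTP authentication enabled above, so it must stay confined to the compose network.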
@@ -1,66 +1,112 @@ -version: "3" - -services: - influxdb: - image: influxdb - container_name: influxdb - env_file: certbot.env - ports: - - "8086:8086" - volumes: - - /etc/letsencrypt:/etc/letsencrypt - - influxdb_data:/var/lib/influxdb - networks: - - "iotstack" - - mosquitto: - image: eclipse-mosquitto - container_name: mosquitto - volumes: - - /etc/letsencrypt/:/etc/letsencrypt - - ./mosquitto/config:/mosquitto/config - - ./mosquitto/log:/mosquitto/log - - ./mosquitto/data:/mosquitto/data - user: "${USER_ID}:${GRP_ID}" - ports: - - "8883:8883" - - "8884:8884" - links: - - telegraf - restart: always - networks: - - "iotstack" - - telegraf: - image: telegraf - container_name: telegraf - links: - - influxdb - env_file: certbot.env - volumes: - - ./telegraf/telegraf.toml:/etc/telegraf/telegraf.conf:ro - networks: - - "iotstack" - - grafana: - image: grafana/grafana - container_name: grafana - ports: - - "3000:3000" - env_file: certbot.env - user: "0" - links: - - influxdb - volumes: - - grafana_data:/var/lib/grafana - - /etc/letsencrypt:/etc/letsencrypt - networks: - - "iotstack" - -volumes: - influxdb_data: - grafana_data: - -networks: - iotstack: - external: true +version: "3" + +services: + traefik: + image: traefik:v2.2 + container_name: traefik + + restart: always + networks: + - "iotstack" + ports: + - "80:80" + # HTTPS + - "443:443" + # MQTT + - "8883:8883" + - "8884:8884" + depends_on: + # Let every other service start before traefik + - mosquitto + - grafana + - influxdb + - telegraf + volumes: + # Traefik Static Configuration + - ./traefik/traefik.toml:/etc/traefik/traefik.toml + - ./traefik/log/access.log:/log/access.log + # Traefik Dynamic Configuration + - ./traefik/configurations:/etc/traefik/configurations + # SSL Certificates + - "./letsencrypt:/letsencrypt" + # Docker Provider via Socket + - /var/run/docker.sock:/var/run/docker.sock:ro + labels: + - "traefik.enable=true" + - "traefik.http.routers.api-router=api-router@file" + - 
"traefik.http.routers.traefik-http-router.service=api@internal" + influxdb: + image: influxdb + container_name: influxdb + env_file: certbot.env + volumes: + - influxdb_data:/var/lib/influxdb + networks: + - "iotstack" + labels: + - "traefik.enable=true" + - "traefik.http.routers.influxdb-router=influxdb-router@file" + - "traefik.http.routers.influxdb-router.service=influxdb@file" + + mosquitto: + image: eclipse-mosquitto + container_name: mosquitto + volumes: + - ./mosquitto/config:/mosquitto/config + - ./mosquitto/log:/mosquitto/log + - ./mosquitto/data:/mosquitto/data + user: "${USER_ID}:${GRP_ID}" + expose: + - 8883 + - 8884 + links: + - telegraf + restart: always + networks: + - "iotstack" + labels: + - "traefik.enable=true" + - "traefik.http.routers.mqtt-router=mqtt-router@file" + + # TCP Routers for MQTT and Websockets + - "traefik.tcp.routers.mqtt-router=mqtt-router@file" + # TCP Services for MQTT and Websockets + - "traefik.tcp.services.mosquitto=mosquitto@file" + - "traefik.http.services.mosquitto-ws=mosquitto-ws@file" + + telegraf: + image: telegraf + container_name: telegraf + links: + - influxdb + env_file: certbot.env + volumes: + - ./telegraf/telegraf.toml:/etc/telegraf/telegraf.conf:ro + networks: + - "iotstack" + labels: + - "traefik.enable=false" + + grafana: + image: grafana/grafana + container_name: grafana + env_file: certbot.env + user: "472" + links: + - influxdb + volumes: + - grafana_data:/var/lib/grafana + networks: + - "iotstack" + labels: + - "traefik.enable=true" + - "traefik.http.routers.grafana-router=grafana-router@file" + - "traefik.http.routers.grafana-router.service=grafana@file" + +volumes: + influxdb_data: + grafana_data: + +networks: + iotstack: + external: true diff --git a/certbot/mosquitto/config/mosquitto.conf b/certbot/mosquitto/config/mosquitto.conf index 6734767..2db57b7 100644 --- a/certbot/mosquitto/config/mosquitto.conf +++ b/certbot/mosquitto/config/mosquitto.conf 
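Review bot: The traefik service mounts `/var/run/docker.sock` into the container; the `:ro` flag only limits the bind mount, not the Docker API reachable through the socket, so code execution inside Traefik — the one container that terminates every public entrypoint here — would give control of the host's Docker daemon. A socket proxy exposing only the read endpoints the docker provider needs, or dropping the docker provider in favour of the file configuration already mounted from `./traefik/configurations`, would reduce that blast radius. The port set is also inconsistent with the rest of the commit: traefik publishes `8884:8884` and mosquitto still lists `expose: 8884`, but the new mosquitto.conf moves websockets to 9001 and traefik.toml defines no entrypoint on 8884, so those two lines look like leftovers. The label `traefik.http.routers.traefik-http-router.service=api@internal` names a router that appears nowhere else on the page while the file provider defines `api-router`; presumably one of the two is stale.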
@@ -1,33 +1,23 @@
-# Authentication
-allow_anonymous false
-password_file /mosquitto/config/passwd
-
-# Persistence
-
-persistence true
-persistence_location /mosquitto/data/
-
-
-# Logging
-log_dest file /mosquitto/log/mosquitto.log
-log_dest stdout
-log_timestamp true
-log_type all
-
-# TLS: MQTT
-listener 8883
-protocol mqtt
-cafile ##CAFILE
-certfile ##CERTFILE
-keyfile ##KEYFILE
-tls_version tlsv1.2
-# require_certificate true # Optional
-
-# Websockets
-listener 8884
-protocol websockets
-cafile ##CAFILE
-certfile ##CERTFILE
-keyfile ##KEYFILE
-tls_version tlsv1.2
-# require_certificate true # Optional
\ No newline at end of file
+# Authentication
+# allow_anonymous false
+# password_file /mosquitto/config/passwd
+
+# Persistence
+persistence true
+persistence_location /mosquitto/data/
+
+
+# Logging
+log_dest file /mosquitto/log/mosquitto.log
+log_dest stdout
+log_timestamp true
+log_type all
+
+# TLS
+port 8883
+# use_identity_as_username true
+
+# Websockets
+listener 9001
+protocol websockets
+#use_identity_as_username true
\ No newline at end of file
diff --git a/certbot/mosquitto/log/mosquitto.log b/certbot/mosquitto/log/mosquitto.log
deleted file mode 100644
index e69de29..0000000
diff --git a/certbot/telegraf/telegraf.toml b/certbot/telegraf/telegraf.toml
index a559999..24e0e63 100644
--- a/certbot/telegraf/telegraf.toml
+++ b/certbot/telegraf/telegraf.toml
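Review bot: The `# TLS` heading over `port 8883` no longer describes what follows: the cafile/certfile/keyfile and tls_version lines are gone, so the broker now speaks plaintext MQTT on 8883 and depends on the Traefik TCP router (certResolver on the mqtt entrypoint) to terminate TLS in front of it; a comment such as `# Plain MQTT on the compose network; TLS is terminated by Traefik on the same port number` would stop a reader from assuming this listener is encrypted. Commenting out `allow_anonymous false` and `password_file` also makes broker authentication depend on the eclipse-mosquitto image default, which as far as I know differs between the 1.x and 2.x images, while the compose file pins no tag; telegraf.toml still sends a username and password, so the intent seems to be authenticated access and those two lines should stay active.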
@@ -1,91 +1,101 @@ -[agent] - interval = "20s" - round_interval = true - metric_batch_size = 1000 - metric_buffer_limit = 10000 - collection_jitter = "0s" - flush_interval = "10s" - flush_jitter = "0s" - precision = "" - debug = true - quiet = false - hostname = "" - omit_hostname = true - -############################################################# -# OUTPUT PLUGINS # -############################################################# -[[outputs.influxdb]] - urls = [ "https://${CB_DOMAIN}:8086" ] - - database = "edge" - - skip_database_creation = false - - timeout = "5s" - username = "${INFLUX_USERNAME}" - password = "${INFLUX_PASSWORD}" - -############################################################### -# PROCESSOR PLUGINS # -############################################################### - -[[processors.regex]] - - order = 1 - - [[processors.regex.tags]] - - # use the `topic` tag to extract information from the MQTT Topic - key = "topic" - # Topic: IOT// - # Extract - pattern = ".*/(.*)/.*" - # Replace the first occurrence - replacement = "${1}" - # Store it in tag called: - result_key = "sensorID" - - -[[processors.enum]] - - order = 2 - - [[processors.enum.mapping]] - - # create a mapping between extracted sensorID and some meta-data - tag = "sensorID" - dest = "location" - - [processors.enum.mapping.value_mappings] - sensor1 = "kitchen" - sensor2 = "livingroom" - -################################################################## -# INPUT PLUGINS # -################################################################## - -[[inputs.mqtt_consumer]] - - servers = [ "ssl://${CB_DOMAIN}:8883" ] - - # Topics to subscribe to: - topics = [ - "IOT/+/acc", - "IOT/+/mag", - "IOT/+/gyro", - "IOT/+/temp" - ] - - # Telegraf will also store the topic as a tag with name `topic` - # NOTE: necessary for the Processor REGEX to extract - topic_tag = "topic" - - # Connection timeout - connection_timeout = "30s" - - username = "${TG_MOSQUITTO_USERNAME}" - password = 
"${TG_MOSQUITTO_PASSWORD}" - - # Incoming MQTT Payload from Sensor nodes is in InfluxDB Line Protocol strings - data_format = "influx" \ No newline at end of file +[agent] + interval = "20s" + round_interval = true + metric_batch_size = 1000 + metric_buffer_limit = 10000 + collection_jitter = "0s" + flush_interval = "10s" + flush_jitter = "0s" + precision = "" + debug = true + quiet = false + hostname = "" + omit_hostname = true + +############################################################# +# OUTPUT PLUGINS # +############################################################# +[[outputs.influxdb]] + urls = [ "http://influxdb:8086" ] + + database = "edge" + + skip_database_creation = false + + timeout = "5s" + username = "${INFLUXDB_USER}" + password = "${INFLUXDB_USER_PASSWORD}" + ## Use TLS but skip chain & host verification + insecure_skip_verify = true + +############################################################### +# PROCESSOR PLUGINS # +############################################################### + +[[processors.regex]] + + order = 1 + + [[processors.regex.tags]] + + # use the `topic` tag to extract information from the MQTT Topic + key = "topic" + # Topic: IOT// + # Extract + pattern = ".*/(.*)/.*" + # Replace the first occurrence + replacement = "${1}" + # Store it in tag called: + result_key = "sensorID" + + +[[processors.enum]] + + order = 2 + + [[processors.enum.mapping]] + + # create a mapping between extracted sensorID and some meta-data + tag = "sensorID" + dest = "location" + + [processors.enum.mapping.value_mappings] + "sensor1" = "kitchen" + "sensor2" = "livingroom" + +################################################################## +# INPUT PLUGINS # +################################################################## + +[[inputs.mqtt_consumer]] + + servers = [ "tcp://mosquitto:8883" ] + + # Topics to subscribe to: + topics = [ + "IOT/+/acc", + "IOT/+/mag", + "IOT/+/gyro", + "IOT/+/temp" + ] + + # Telegraf will also store the topic as a tag 
with name `topic`
+ # NOTE: necessary for the Processor REGEX to extract
+ topic_tag = "topic"
+
+ # Connection timeout
+ connection_timeout = "30s"
+
+ username = "${TG_MOSQUITTO_USERNAME}"
+ password = "${TG_MOSQUITTO_PASSWORD}"
+
+ ## Use TLS but skip chain & host verification
+ # Use Certificates if `require_certificate true` in `mosquitto.conf` file
+ #tls_ca = "/etc/telegraf/ca.crt"
+ #tls_cert = "/etc/telegraf/mqtt-client.crt"
+ #tls_key = "/etc/telegraf/mqtt-client.key"
+ ## Use TLS but skip chain & host verification
+ #insecure_skip_verify = true
+
+ # Incoming MQTT Payload from Sensor nodes is in InfluxDB Line Protocol strings
+ data_format = "influx"
diff --git a/certbot/traefik/configurations/middlewares-http.toml b/certbot/traefik/configurations/middlewares-http.toml
new file mode 100644
index 0000000..d1ab5a6
--- /dev/null
+++ b/certbot/traefik/configurations/middlewares-http.toml
@@ -0,0 +1,7 @@
+[http]
+ [http.middlewares]
+ [http.middlewares.user-auth]
+ [http.middlewares.user-auth.basicAuth]
+ # Username:Password -> admin:tiguitto
+ users = ["admin:$apr1$r3puowjd$lXRESWyaLtTa8Qdt6yD.0."]
+
diff --git a/certbot/traefik/configurations/routers-http.toml b/certbot/traefik/configurations/routers-http.toml
new file mode 100644
index 0000000..48bdd9c
--- /dev/null
+++ b/certbot/traefik/configurations/routers-http.toml
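Review bot: `insecure_skip_verify = true` under `[[outputs.influxdb]]` sits next to a plain `http://influxdb:8086` URL, so the option does nothing today and the `## Use TLS but skip chain & host verification` comment above it is misleading; if the URL is later switched to `https://`, the line would silently disable certificate verification. Either delete it or leave it commented like the matching `#insecure_skip_verify = true` in `[[inputs.mqtt_consumer]]`, and when TLS is introduced prefer `tls_ca` pointing at the CA. The quoted keys `"sensor1"`/`"sensor2"` in `value_mappings` are valid but unnecessary; the bare form used by the removed lines is the idiomatic one. `debug = true` in `[agent]` also survives into what is now a deployment config.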
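Review bot: The comment `# Username:Password -> admin:tiguitto` places the clear-text password beside its hash, which defeats storing an htpasswd entry at all and hands the dashboard credential to anyone who can read the repository or the mounted configurations directory. Replace it with something like `# htpasswd entry for the dashboard user; regenerate rather than editing by hand`, and consider a bcrypt entry, which Traefik's basicAuth accepts, instead of the MD5-based `$apr1$` form. Since this middleware is only attached to `api-router`, a note that Grafana and InfluxDB rely on their own authentication would also help.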
@@ -0,0 +1,35 @@
+[http]
+ [http.routers]
+
+ [http.routers.api-router]
+ rule = "Host(`dashboard.demo1.iotstack.co`)"
+ entryPoints = ["web-secure"]
+ middlewares = ["user-auth"]
+ service = "api@internal"
+
+ [http.routers.api-router.tls]
+ certResolver = "myresolver"
+
+ [http.routers.grafana-router]
+ rule = "Host(`grafana.demo1.iotstack.co`)"
+ entryPoints = ["web-secure"]
+ service = "grafana"
+
+ [http.routers.grafana-router.tls]
+ certResolver = "myresolver"
+
+ [http.routers.influxdb-router]
+ rule = "Host(`influxdb.demo1.iotstack.co`)"
+ entryPoints = ["web-secure"]
+ service = "influxdb"
+
+ [http.routers.influxdb-router.tls]
+ certResolver = "myresolver"
+
+ [http.routers.mqtt-router]
+ rule = "Host(`mqtt.demo1.iotstack.co`)"
+ entryPoints = ["web-secure"]
+ service = "mosquitto-ws"
+
+ [http.routers.mqtt-router.tls]
+ certResolver = "myresolver"
diff --git a/certbot/traefik/configurations/routers-tcp.toml b/certbot/traefik/configurations/routers-tcp.toml
new file mode 100644
index 0000000..de4ef7a
--- /dev/null
+++ b/certbot/traefik/configurations/routers-tcp.toml
@@ -0,0 +1,10 @@
+[tcp]
+ [tcp.routers]
+ [tcp.routers.mqtt-router]
+ entryPoints = ["mqtt"]
+ service = "mosquitto"
+ rule = "HostSNI(`*`)"
+
+ [tcp.routers.mqtt-router.tls]
+ certResolver = "myresolver"
+
diff --git a/certbot/traefik/configurations/services-http.toml b/certbot/traefik/configurations/services-http.toml
new file mode 100644
index 0000000..5101cd1
--- /dev/null
+++ b/certbot/traefik/configurations/services-http.toml
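Review bot: `mqtt-router` exposes the Mosquitto websocket listener on `web-secure` with no `user-auth` middleware, and the same commit comments out `allow_anonymous false` and `password_file` in mosquitto.conf, so whether internet clients can connect anonymously now rests on the broker image's default rather than on anything in this repository; the TCP `mqtt-router` in routers-tcp.toml, which accepts any client via `HostSNI(\`*\`)`, has the same dependency. Re-enabling broker authentication, and recording the split of responsibility here with `# Broker authentication is enforced by mosquitto.conf, not by Traefik`, would make the exposure explicit. The four `demo1.iotstack.co` hostnames are hard-coded in this file; a header comment noting that they must resolve to this host for the ACME HTTP challenge to succeed would help whoever redeploys it.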
@@ -0,0 +1,22 @@
+[http]
+ [http.services]
+ [http.services.grafana]
+ [http.services.grafana.loadBalancer]
+ [[http.services.grafana.loadBalancer.servers]]
+ url = "http://grafana:3000"
+ [http.services.grafana.loadBalancer.healthCheck]
+ path = "grafana/api/health"
+ interval = "30s"
+
+ [http.services.influxdb]
+ [http.services.influxdb.loadBalancer]
+ [[http.services.influxdb.loadBalancer.servers]]
+ url = "http://influxdb:8086"
+ [http.services.influxdb.loadBalancer.healthCheck]
+ path = "/ping"
+ interval = "30s"
+
+ [http.services.mosquitto-ws]
+ [http.services.mosquitto-ws.loadBalancer]
+ [[http.services.mosquitto-ws.loadBalancer.server]]
+ port = "9001"
diff --git a/certbot/traefik/configurations/services-tcp.toml b/certbot/traefik/configurations/services-tcp.toml
new file mode 100644
index 0000000..0eb39a8
--- /dev/null
+++ b/certbot/traefik/configurations/services-tcp.toml
@@ -0,0 +1,7 @@
+[tcp]
+ [tcp.services]
+ [tcp.services.mosquitto]
+ [tcp.services.mosquitto.loadBalancer]
+ [[tcp.services.mosquitto.loadBalancer.servers]]
+ address = "mosquitto:8883"
+
diff --git a/certbot/traefik/traefik.toml b/certbot/traefik/traefik.toml
new file mode 100644
index 0000000..5588475
--- /dev/null
+++ b/certbot/traefik/traefik.toml
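Review bot: `[[http.services.mosquitto-ws.loadBalancer.server]]` with `port = "9001"` is not the shape an HTTP service takes in Traefik's file provider, which is a `servers` array of `url` entries exactly as the grafana and influxdb services above use; as written, mosquitto-ws has no backend and the `mqtt-router` in routers-http.toml that references it cannot forward. The two lines should read `[[http.services.mosquitto-ws.loadBalancer.servers]]` and `url = "http://mosquitto:9001"`. The grafana health check `path = "grafana/api/health"` also lacks a leading slash; with `GF_SERVER_ROOT_URL` ending in `/grafana` and `GF_SERVER_SERVE_FROM_SUB_PATH=true` in certbot.env, `/grafana/api/health` is presumably the intended path.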
@@ -0,0 +1,64 @@
+# Traefik Static Configuration Reference
+# Link: https://doc.traefik.io/traefik/reference/static-configuration/file/
+
+[global]
+ checkNewVersion = false
+ sendAnonymousUsage = false
+
+[api]
+ # insecure = true
+ dashboard = true
+ debug = true
+
+[metrics]
+ [metrics.influxDB]
+ address = "influxdb:8089"
+ protocol = "udp"
+ pushInterval = "42s"
+ # Same as that of the environment file
+ database = "traefik"
+ username = "admin"
+ password = "tiguitto"
+ addEntryPointsLabels = true
+ addServicesLabels = true
+
+[log]
+ level = "DEBUG"
+
+[accessLog]
+ filePath = "/log/access.log"
+ bufferingSize = 100
+ [accessLog.filters]
+ statusCodes = ["200", "300-302", "400-499"]
+ retryAttempts = true
+ minDuration = 10
+
+[entryPoints]
+ [entryPoints.web]
+ address = ":80"
+
+ [entryPoints.web-secure]
+ address = ":443"
+
+ [entryPoints.mqtt]
+ address = ":8883"
+
+[retry]
+
+[providers]
+ [providers.docker]
+ endpoint = "unix:///var/run/docker.sock"
+ exposedByDefault = false
+ network = "iotstack"
+ [providers.file]
+ directory = "/etc/traefik/configurations/"
+ watch = true
+
+[certificatesResolvers.myresolver.acme]
+ email = "lewandowski@swms.de"
+ storage = "/letsencrypt/acme.json"
+ # caserver = "https://acme-staging-v02.api.letsencrypt.org/directory"
+
+ [certificatesResolvers.myresolver.acme.httpChallenge]
+ # used during the challenge
+ entryPoint = "web"
\ No newline at end of file
diff --git a/selfsigned/traefik/log/access.log b/selfsigned/traefik/log/access.log
deleted file mode 100644
index e69de29..0000000
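Review bot: `[metrics.influxDB]` hard-codes `username = "admin"` and `password = "tiguitto"` in a static configuration file that is committed and bind-mounted into the container, duplicating a secret that certbot.env already carries, so rotating it now means editing two places; Traefik's environment-variable form of the static configuration (`TRAEFIK_METRICS_INFLUXDB_USERNAME` / `TRAEFIK_METRICS_INFLUXDB_PASSWORD`) would let these come from the env file instead. `level = "DEBUG"` under `[log]` together with `debug = true` under `[api]` will write request-level detail to the container logs of the one component that sees every inbound connection, which is fine for bring-up but worth a comment marking it as temporary. `minDuration = 10` in `[accessLog.filters]` carries no unit; as far as I recall Traefik's duration fields treat a bare integer as nanoseconds, so `"10ms"` or similar is probably what was meant. The commented `caserver` line is the right way to stage ACME tests, so a one-line comment saying when to uncomment it would make the file self-explanatory.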