From 49a7c3e9bec8eb6328af4e01f33e523c42357a8e Mon Sep 17 00:00:00 2001
From: "mike.wooskey"
Date: Sun, 2 Mar 2025 09:55:34 -0500
Subject: [PATCH] Add Sablier Traefik plugin.

---
 traefik/.env-dist           | 14 +++++++++++++-
 traefik/Dockerfile          |  5 +++++
 traefik/Makefile            |  2 +-
 traefik/config/setup.sh     |  1 +
 traefik/docker-compose.yaml | 31 +++++++++++++++++++++++++++++++
 traefik/setup.sh            | 27 ++++++++++++++++++++++++++-
 6 files changed, 77 insertions(+), 3 deletions(-)

diff --git a/traefik/.env-dist b/traefik/.env-dist
index b286bef46..c9c57b06d 100644
--- a/traefik/.env-dist
+++ b/traefik/.env-dist
@@ -12,7 +12,7 @@ TRAEFIK_CONFIG_VERBOSE=false
 
 ## Or use a sidecar service like a VPN client: TRAEFIK_NETWORK_MODE=service:wireguard-client
 TRAEFIK_NETWORK_MODE=host
-## Enable optional docker-compose profiles: default,error_pages,geoip_update,wireguard,wireguard-client
+## Enable optional docker-compose profiles: default,error_pages,geoip_sablier,update,wireguard,wireguard-client
 DOCKER_COMPOSE_PROFILES=default,error_pages
 
 ## DOCKER_CONTEXT is used to render context specific config from config/context-template
@@ -137,6 +137,18 @@ TRAEFIK_CERT_AUTH_MODULE=github.com/enigmacurry/traefik-certauthz
 ## mTLS Header
 TRAEFIK_PLUGIN_MTLS_HEADER=true
 TRAEFIK_MTLS_HEADER_MODULE=github.com/enigmacurry/traefik-plugin-mtls-header
+# Sablier
+TRAEFIK_PLUGIN_SABLIER=false
+TRAEFIK_SABLIER_MODULE=github.com/mcmikemn/sablier
+TRAEFIK_SABLIER_LOGGING_LEVEL=info
+TRAEFIK_SABLIER_SESSION_DURATION=5m
+TRAEFIK_SABLIER_SESSION_EXPIRATION_INTERVAL=20s
+TRAEFIK_SABLIER_STRATEGY=blocking
+TRAEFIK_SABLIER_DYNAMIC_CUSTOM_THEMES_PATH=
+TRAEFIK_SABLIER_DYNAMIC_SHOW_DETAILS=false
+TRAEFIK_SABLIER_DYNAMIC_DEFAUT_THEME=hacker-terminal
+TRAEFIK_SABLIER_DYNAMIC_REFRESH_FREQUENCY=5s
+TRAEFIK_SABLIER_BLOCKING_TIMEOUT=1m
 
 ## Entrypoints:
 ## Traefik web entrypoint (only used for redirecting to websecure entrypoint)
diff --git a/traefik/Dockerfile b/traefik/Dockerfile
index 6205dd496..fd3bc1079 100644
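Review bot: The updated profile list comment reads `geoip_sablier,update`, which splits the existing `geoip_update` profile name in two instead of inserting the new one; the Makefile hunk in this same patch maps TRAEFIK_PLUGIN_MAXMIND_GEOIP to `geoip_update` and TRAEFIK_PLUGIN_SABLIER to `sablier`, so the line should be `## Enable optional docker-compose profiles: default,error_pages,geoip_update,sablier,wireguard,wireguard-client`. This comment is the list users copy into DOCKER_COMPOSE_PROFILES, so as written it points them at two profile names that nothing in the compose file defines.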
--- a/traefik/Dockerfile
+++ b/traefik/Dockerfile
@@ -14,6 +14,9 @@ ARG CERT_AUTH_MODULE
 ARG CERT_AUTH_GIT_BRANCH
 ARG MTLS_HEADER_MODULE
 ARG MTLS_HEADER_GIT_BRANCH
+ARG SABLIER_MODULE
+ARG SABLIER_GIT_BRANCH
+
 RUN apk add --update git && \
     git clone https://${BLOCKPATH_MODULE}.git /plugins-local/src/github.com/traefik/plugin-blockpath \
     --depth 1 --single-branch --branch ${BLOCKPATH_GIT_BRANCH}
@@ -28,6 +31,8 @@ RUN git clone https://${CERT_AUTH_MODULE}.git /plugins-local/src/github.com/fame
     --depth 1 --single-branch --branch ${CERT_AUTH_GIT_BRANCH}
 RUN git clone https://${MTLS_HEADER_MODULE}.git /plugins-local/src/github.com/pnxs/traefik-plugin-mtls-header \
     --depth 1 --single-branch --branch ${MTLS_HEADER_GIT_BRANCH}
+RUN git clone https://${SABLIER_MODULE}.git /plugins-local/src/github.com/sablierapp/sablier \
+    --depth 1 --single-branch --branch ${SABLIER_GIT_BRANCH}
 
 FROM ${TRAEFIK_IMAGE}
 ARG TRAEFIK_UID TRAEFIK_GID TRAEFIK_DOCKER_GID
diff --git a/traefik/Makefile b/traefik/Makefile
index b2adee556..2c46f5bff 100644
--- a/traefik/Makefile
+++ b/traefik/Makefile
@@ -58,7 +58,7 @@ show-wireguard-peers-qr:
 
 .PHONY: compose-profiles
 compose-profiles:
-	@${BIN}/reconfigure_compose_profiles ${ENV_FILE} TRAEFIK_PLUGIN_MAXMIND_GEOIP=geoip_update TRAEFIK_VPN_ENABLED=wireguard TRAEFIK_VPN_CLIENT_ENABLED=wireguard-client TRAEFIK_ERROR_PAGES_ENABLED=error-pages
+	@${BIN}/reconfigure_compose_profiles ${ENV_FILE} TRAEFIK_PLUGIN_MAXMIND_GEOIP=geoip_update TRAEFIK_VPN_ENABLED=wireguard TRAEFIK_VPN_CLIENT_ENABLED=wireguard-client TRAEFIK_ERROR_PAGES_ENABLED=error-pages TRAEFIK_PLUGIN_SABLIER=sablier
 
 .PHONY: wireguard-reset
 wireguard-reset:
diff --git a/traefik/config/setup.sh b/traefik/config/setup.sh
index 1c39d7d64..52db3072b 100755
--- a/traefik/config/setup.sh
+++ b/traefik/config/setup.sh
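Review bot: The new `RUN git clone` fetches `${SABLIER_MODULE}` at `${SABLIER_GIT_BRANCH}`, and the compose hunk in this patch sets that branch to `main` while `.env-dist` defaults the module to `github.com/mcmikemn/sablier`, so every image build pulls whatever the head of that fork is at build time, with no tag or commit to audit the plugin code against. The server side of the pair is pinned (`image: sablierapp/sablier:1.8.5`); pinning the plugin checkout the same way, e.g. `SABLIER_GIT_BRANCH: <release tag or commit>` in docker-compose.yaml, keeps the two versions in step and makes the build reproducible. The fork-to-upstream-path mapping (module `mcmikemn/sablier` cloned into `/plugins-local/src/github.com/sablierapp/sablier`) mirrors the existing mtls-header line, but a one-line comment next to TRAEFIK_SABLIER_MODULE in `.env-dist` saying how the fork relates to upstream would help whoever audits it next.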
@@ -33,6 +33,7 @@ ytt_template() {
     -v plugin_cert_auth="${TRAEFIK_PLUGIN_CERT_AUTH}" \
     -v plugin_referer="${TRAEFIK_PLUGIN_REFERER}" \
     -v plugin_mtls_header="${TRAEFIK_PLUGIN_MTLS_HEADER}" \
+    -v plugin_sablier="${TRAEFIK_PLUGIN_SABLIER}" \
     -v web_entrypoint_enabled="${TRAEFIK_WEB_ENTRYPOINT_ENABLED}" \
     -v web_entrypoint_host="${TRAEFIK_WEB_ENTRYPOINT_HOST}" \
     -v web_entrypoint_port="${TRAEFIK_WEB_ENTRYPOINT_PORT}" \
diff --git a/traefik/docker-compose.yaml b/traefik/docker-compose.yaml
index a14b6ea05..b0b0a3cc9 100644
--- a/traefik/docker-compose.yaml
+++ b/traefik/docker-compose.yaml
@@ -1,6 +1,7 @@
 volumes:
   traefik:
   geoip_database:
+  sablier_config:
   wireguard:
   wireguard-client:
 
@@ -41,6 +42,7 @@ services:
       - TRAEFIK_PLUGIN_MAXMIND_GEOIP=${TRAEFIK_PLUGIN_MAXMIND_GEOIP:-false}
       - TRAEFIK_PLUGIN_REFERER=${TRAEFIK_PLUGIN_REFERER:-true}
       - TRAEFIK_PLUGIN_HEADER_AUTHORIZATION=${TRAEFIK_PLUGIN_HEADER_AUTHORIZATION:-true}
+      - TRAEFIK_PLUGIN_SABLIER=${TRAEFIK_PLUGIN_SABLIER:-false}
       - TRAEFIK_WEB_ENTRYPOINT_ENABLED=${TRAEFIK_WEB_ENTRYPOINT_ENABLED:-false}
       - TRAEFIK_WEB_ENTRYPOINT_HOST=${TRAEFIK_WEB_ENTRYPOINT_HOST:-0.0.0.0}
       - TRAEFIK_WEB_ENTRYPOINT_PORT=${TRAEFIK_WEB_ENTRYPOINT_PORT:-80}
@@ -135,6 +137,8 @@ services:
         CERT_AUTH_GIT_BRANCH: main
         MTLS_HEADER_MODULE: ${TRAEFIK_MTLS_HEADER_MODULE}
         MTLS_HEADER_GIT_BRANCH: main
+        SABLIER_MODULE: ${TRAEFIK_SABLIER_MODULE}
+        SABLIER_GIT_BRANCH: main
         TRAEFIK_UID: ${TRAEFIK_UID}
         TRAEFIK_GID: ${TRAEFIK_GID}
         TRAEFIK_DOCKER_GID: ${TRAEFIK_DOCKER_GID}
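Review bot: The `sablier_config` volume added to the top-level `volumes:` block is never mounted: the new sablier service later in this patch binds only `/var/run/docker.sock`, and nothing else in the diff references the volume, so it is either dead or a mount was forgotten. If it was intended to hold the custom themes that `STRATEGY_DYNAMIC_CUSTOM_THEMES_PATH` points at, the service needs a matching entry under its `volumes:` (constructed example: `- sablier_config:/themes`, with the path set to whatever TRAEFIK_SABLIER_DYNAMIC_CUSTOM_THEMES_PATH is configured to); otherwise drop the declaration so the compose file does not create an orphan volume on every `up`.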
@@ -176,6 +180,33 @@ services:
     volumes:
       - "geoip_database:/usr/share/GeoIP"
 
+  sablier:
+    profiles:
+      - sablier
+    image: sablierapp/sablier:1.8.5
+    restart: on-failure:3
+    security_opt:
+      - no-new-privileges:true
+    #cap_drop:
+    #  - ALL
+    # sysctls:
+    #   - net.ipv4.conf.all.src_valid_mark=1
+    environment:
+      - LOGGING_LEVEL=${TRAEFIK_SABLIER_LOGGING_LEVEL}
+      - SESSIONS_DEFAULT_DURATION=${TRAEFIK_SABLIER_SESSION_DURATION}
+      - SESSIONS_EXPIRATION_INTERVAL=${TRAEFIK_SABLIER_SESSION_EXPIRATION_INTERVAL}
+      # We may need to use an override yaml file with templating so if TRAEFIK_SABLIER_STRATEGY=dynamic we add the 4 "DYNAMIC" env vars or if TRAEFIK_SABLIER_STRATEGY=blocking we add the 1 "BLOCKING" env var, because I'm not sure how Sablier will handle having them both set
+      - STRATEGY_DYNAMIC_CUSTOM_THEMES_PATH=${TRAEFIK_SABLIER_DYNAMIC_CUSTOM_THEMES_PATH}
+      - STRATEGY_DYNAMIC_SHOW_DETAILS_BY_DEFAULT=${TRAEFIK_SABLIER_DYNAMIC_SHOW_DETAILS}
+      - STRATEGY_DYNAMIC_DEFAUT_THEME=${TRAEFIK_SABLIER_DYNAMIC_DEFAUT_THEME}
+      - STRATEGY_DYNAMIC_DEFAULT_REFRESH_FREQUENCY=${TRAEFIK_SABLIER_DYNAMIC_REFRESH_FREQUENCY}
+      - STRATEGY_BLOCKING_DEFAULT_TIMEOUT=${TRAEFIK_SABLIER_BLOCKING_TIMEOUT}
+    command:
+      - start
+      - --provider.name=docker
+    volumes:
+      - '/var/run/docker.sock:/var/run/docker.sock'
+
   wireguard:
     profiles:
       - wireguard
diff --git a/traefik/setup.sh b/traefik/setup.sh
index 5a5f89959..8a967c0bd 100755
--- a/traefik/setup.sh
+++ b/traefik/setup.sh
@@ -312,7 +312,8 @@ error_pages() {
 middleware() {
     wizard menu "Traefik middleware config:" \
            "MaxMind geoIP locator = ./setup.sh maxmind_geoip" \
-           "OAuth2 sentry authorization (make sentry) = make sentry"
+           "OAuth2 sentry authorization (make sentry) = make sentry" \
+           "Sablier = ./setup.sh sablier"
 }
 
 maxmind_geoip() {
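Review bot: The sablier service bind-mounts `/var/run/docker.sock` read-write while the `cap_drop: - ALL` lines directly above are left commented out, so any compromise of this container gives unrestricted Docker API access to the host, and `no-new-privileges:true` does nothing to limit that. As far as this service definition shows, Sablier needs only the socket, so uncommenting `cap_drop:` / `- ALL` is free, and fronting the socket with a proxy that allows only the container list/inspect/start/stop calls Sablier needs would shrink the blast radius further. Separately, `STRATEGY_DYNAMIC_DEFAUT_THEME` is misspelled relative to its sibling names (`STRATEGY_DYNAMIC_DEFAULT_REFRESH_FREQUENCY`, `STRATEGY_BLOCKING_DEFAULT_TIMEOUT`, `SESSIONS_DEFAULT_DURATION`); if Sablier reads `STRATEGY_DYNAMIC_DEFAULT_THEME`, the `hacker-terminal` default from `.env-dist` is silently ignored, and the same spelling is carried into `TRAEFIK_SABLIER_DYNAMIC_DEFAUT_THEME` in `.env-dist` and `setup.sh`. The `# We may need to use an override yaml file…` line is an open question rather than a description of current behaviour, so prefix it `# TODO:` so it is not lost in the environment block.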
@@ -331,6 +332,30 @@ maxmind_geoip() {
     fi
 }
 
+sablier() {
+    if ${BIN}/confirm $([[ $(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_PLUGIN_SABLIER) == "true" ]] && echo "yes" || echo "no") "Do you want to enable the Sablier plugin" "?"; then
+        ${BIN}/reconfigure ${ENV_FILE} TRAEFIK_PLUGIN_SABLIER=true
+    else
+        ${BIN}/reconfigure ${ENV_FILE} TRAEFIK_PLUGIN_SABLIER=false
+    fi
+    if [[ $(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_PLUGIN_SABLIER) == "true" ]]; then
+        echo "You may create a free MaxMind account: https://www.maxmind.com/en/geolite2/signup"
+        echo ""
+        ${BIN}/reconfigure_ask ${ENV_FILE} TRAEFIK_SABLIER_LOGGING_LEVEL "Enter the logging level for Sablier"
+        ${BIN}/reconfigure_ask ${ENV_FILE} TRAEFIK_SABLIER_SESSION_DURATION "Enter the default session duration (e.g., \"5m\")"
+        ${BIN}/reconfigure_ask ${ENV_FILE} TRAEFIK_SABLIER_SESSION_EXPIRATION_INTERVAL "Enter the expiration checking interval. Higher duration gives less stress on CPU. If you only use sessions of 1h, setting this to 5m is a good trade-off"
+        ${BIN}/reconfigure_ask ${ENV_FILE} TRAEFIK_SABLIER_STRATEGY "Enter the strategy Sablier should use (\"dynamic\" provides a waiting page for your session, \"blocking\" hangs the request until your session is ready)"
+        if [[ $(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_SABLIER_STRATEGY) == "blocking" ]]; then
+            ${BIN}/reconfigure_ask ${ENV_FILE} TRAEFIK_SABLIER_BLOCKING_TIMEOUT "Enter the default timeout used for the \"blocking\" strategy (e.g., \"1m\")"
+        else
+            ALLOW_BLANK=1 ${BIN}/reconfigure_ask ${ENV_FILE} TRAEFIK_SABLIER_DYNAMIC_CUSTOM_THEMES_PATH "Enter the path to custom themes (Sablier will load all .html files recursively) (leave blank to disable)"
+            ${BIN}/reconfigure_ask ${ENV_FILE} TRAEFIK_SABLIER_DYNAMIC_SHOW_DETAILS "Enter \"true\" to show instances details by default in waiting UI, or \"false\" not to"
+            ${BIN}/reconfigure_ask ${ENV_FILE} TRAEFIK_SABLIER_DYNAMIC_DEFAUT_THEME "Enter default theme used for the \"dynamic\" strategy (standard themes are \"ghost\", \"shuffle\", \"hacker-terminal\", and \"matrix\""
+            ${BIN}/reconfigure_ask ${ENV_FILE} TRAEFIK_SABLIER_DYNAMIC_REFRESH_FREQUENCY "Enter the default refresh frequency in the HTML page for the \"dynamic\" strategy (e.g., \"5s\")"
+        fi
+    fi
+}
+
 layer_7_tls_proxy_get_routes() {
     local ENABLED=$(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_LAYER_7_TLS_PROXY_ENABLED)
     local ROUTES=$(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_LAYER_7_TLS_PROXY_ROUTES)
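Review bot: `sablier()` prints `You may create a free MaxMind account: https://www.maxmind.com/en/geolite2/signup` as soon as the plugin is enabled; that line and the `echo ""` after it are left over from `maxmind_geoip()` and should be removed or replaced with a pointer to Sablier's own documentation. The TRAEFIK_SABLIER_STRATEGY prompt accepts free text and the following `if … == "blocking"` treats every other value as `dynamic`, so a typo is written to the env file unchanged while the dynamic prompts run; a `case` on the stored value that rejects anything other than `dynamic`/`blocking` closes that gap (sketch below), which matters because this patch does not show what consumes TRAEFIK_SABLIER_STRATEGY — presumably the Traefik plugin template, which is not in the diff. The DEFAUT_THEME prompt is also missing its closing parenthesis, `… and \"matrix\")"`, and carries the `DEFAUT` misspelling that appears in `.env-dist` and docker-compose.yaml.
```shell
# … unchanged: enable/disable confirm and the logging/session prompts …
local strategy
strategy=$(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_SABLIER_STRATEGY)
case "${strategy}" in
    blocking)
        ${BIN}/reconfigure_ask ${ENV_FILE} TRAEFIK_SABLIER_BLOCKING_TIMEOUT "Enter the default timeout used for the \"blocking\" strategy (e.g., \"1m\")"
        ;;
    dynamic)
        # … unchanged: the four "dynamic" prompts …
        ;;
    *)
        echo "TRAEFIK_SABLIER_STRATEGY must be \"dynamic\" or \"blocking\" (got: ${strategy})" >&2
        return 1
        ;;
esac
```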