From 7ccaee4d6f4215e7975219e2f99b183433d8864a Mon Sep 17 00:00:00 2001
From: Vassiliy Yegorov
Date: Wed, 30 Jul 2025 02:18:18 +0000
Subject: [PATCH] init

---
 .gitignore | 2 ++
 README.md | 17 +++++++++++
 data/traefik.yml | 48 +++++++++++++++++++++++++++++
 docker-compose.yaml | 73 +++++++++++++++++++++++++++++++++++++++++++++
 init.sh | 6 ++++
 5 files changed, 146 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 README.md
 create mode 100644 data/traefik.yml
 create mode 100644 docker-compose.yaml
 create mode 100755 init.sh

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..8054fde
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+logs/*
+data/acme.json
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..94456b9
--- /dev/null
+++ b/README.md
@@ -0,0 +1,17 @@
+# Tinyauth
+
+## Что нужно
+
+суб домены:
+
+- traefik.
+- tinyauth.
+- app1.
+
+## генерация секрета tiny
+
+openssl rand -base64 32 | tr -dc 'a-zA-Z0-9' | head -c 32 && echo
+
+## генерация юзеров
+
+docker run --rm -it ghcr.io/steveiliop56/tinyauth:v3 user create --username admin --password pa4803w0rd | sed 's/\$/\$\$/g'
diff --git a/data/traefik.yml b/data/traefik.yml
new file mode 100644
index 0000000..42f623e
--- /dev/null
+++ b/data/traefik.yml
@@ -0,0 +1,48 @@ +global: + checkNewVersion: true + +log: + level: info + filePath: /data/stdout.log + format: common + +accessLog: + filePath: "/data/access.log" + filters: + statusCodes: + - "500-505" + retryAttempts: true + minDuration: "10ms" + +serversTransport: + insecureSkipVerify: true + +api: + dashboard: true + +entryPoints: + http: + address: ":80" + forwardedHeaders: + insecure: true + http: + redirections: + entryPoint: + to: "https" + scheme: "https" + permanent: true + https: + address: ":443" + +providers: + docker: + endpoint: "unix:///var/run/docker.sock" + exposedByDefault: false + +certificatesResolvers: + letsEncrypt: + acme: + email: noreply@yandex.ru + storage: acme.json + httpChallenge: + entryPoint: http diff --git a/docker-compose.yaml b/docker-compose.yaml new file mode 100644 index 0000000..a6a1c1e --- /dev/null +++ b/docker-compose.yaml 
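Review bot: `serversTransport.insecureSkipVerify: true` turns off certificate verification for every connection Traefik opens to a backend, yet every backend this commit routes in docker-compose.yaml (tinyauth on port 3000, whoami, api@internal) is reached over plain HTTP, so the setting buys nothing today and would silently accept a forged upstream certificate later; drop the block, or move it to a named serversTransport attached only to the one service that needs it. In the same file, `forwardedHeaders.insecure: true` on the `http` entryPoint makes Traefik trust X-Forwarded-* headers from any client, which lets callers spoof the client IP seen by access logs and any IP-based middleware on that entryPoint; unless a proxy sits in front of port 80, replace it with `forwardedHeaders: { trustedIPs: [<proxy CIDR>] }` or remove it. The ACME `email: noreply@yandex.ru` is the address Let's Encrypt uses for expiry and incident notices, so it should point at a mailbox someone reads.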
@@ -0,0 +1,73 @@ +services: + traefik: + image: traefik + container_name: traefik + restart: unless-stopped + cap_add: + - NET_BIND_SERVICE + security_opt: + - no-new-privileges:true + labels: + - "traefik.enable=true" + - "traefik.http.routers.traefik.entrypoints=https" + - "traefik.http.routers.traefik.rule=Host(`traefik.lab.realmanual.ru`)" + - "traefik.http.routers.traefik.tls=true" + - 'traefik.http.routers.traefik.tls.options=default' + - "traefik.http.routers.traefik.tls.certresolver=letsEncrypt" + - "traefik.http.routers.traefik.service=api@internal" + - "traefik.http.services.traefik-traefik.loadbalancer.server.port=888" + - 'traefik.http.middlewares.tinyauth.forwardauth.address=http://tinyauth:3000/api/auth/traefik' + - 'traefik.http.middlewares.tinyauth.forwardauth.trustForwardHeader=true' + - 'traefik.http.routers.traefik.middlewares=tinyauth' + volumes: + - /etc/localtime:/etc/localtime:ro + - /var/run/docker.sock:/var/run/docker.sock:ro + - ./data/traefik.yml:/traefik.yml:ro + - ./data/acme.json:/acme.json + - ./logs/stdout.log:/data/stdout.log:rw + - ./logs/access.log:/data/access.log:rw + ports: + - 80:80 + - 443:443 + networks: + - webproxy + + tinyauth: + container_name: tinyauth-ggsel + image: ghcr.io/steveiliop56/tinyauth:v3 + restart: unless-stopped + environment: + - SECRET=dfmGGllQXsQ7U8KbJ47etByrVqWuiKvo + - APP_URL=https://tinyauth.lab.realmanual.ru + - USERS=admin:$$2a$$10$$arlbhE48xDt58L3a5aZc6.j4tGWrandXjwCPBUh8RzJI6ZeuA6Psy # pass: pa4803w0rd + - DISABLE_CONTINUE=true + - APP_TITLE=My best auth + labels: + - 'traefik.enable=true' + - 'traefik.http.routers.tinyauth.entrypoints=https' + - "traefik.http.routers.tinyauth.tls.certresolver=letsEncrypt" + - 'traefik.http.routers.tinyauth.tls=true' + - 'traefik.http.routers.tinyauth.rule=Host(`tinyauth.lab.realmanual.ru`)' + - 'traefik.http.middlewares.tinyauth-ggsel.forwardauth.address=http://tinyauth:3000/api/auth/traefik' + - "traefik.docker.network=webproxy" + networks: + - webproxy + + 
whoami: + image: traefik/whoami:latest + container_name: app1 + restart: unless-stopped + labels: + - 'traefik.enable=true' + - 'traefik.http.routers.whoami.entrypoints=https' + - "traefik.http.routers.whoami.tls.certresolver=letsEncrypt" + - 'traefik.http.routers.whoami.tls=true' + - 'traefik.http.routers.whoami.rule=Host(`app1.lab.realmanual.ru`)' + - 'traefik.http.routers.whoami.middlewares=tinyauth' + - "traefik.docker.network=webproxy" + networks: + - webproxy + +networks: + webproxy: + name: webproxy diff --git a/init.sh b/init.sh new file mode 100755 index 0000000..8a93a50 --- /dev/null +++ b/init.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +touch data/acme.json +touch logs/access.log +touch logs/stdout.log +chmod 600 data/acme.json
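Review bot: The tinyauth signing key is committed in clear text in the `SECRET=` entry of the `tinyauth` service's `environment`, and the admin password is repeated in the trailing `# pass: …` comment on the `USERS=` line, so anyone with read access to the repository or its history can mint sessions accepted by every router behind the `tinyauth` middleware. Move both values out of the file — `- SECRET=${TINYAUTH_SECRET}` and `- USERS=${TINYAUTH_USERS}` resolved from an uncommitted `.env` (and add `.env` to `.gitignore`) — delete the password comment, and rotate the committed secret since it is already in history. `image: traefik` and `image: traefik/whoami:latest` are unpinned while tinyauth is pinned to `v3`; pin a tag or digest so a registry push cannot change what the edge proxy runs. Two labels appear to be dead: `traefik.http.middlewares.tinyauth-ggsel.forwardauth.address` on the tinyauth service defines a middleware no router references (the traefik and whoami routers use `tinyauth`, defined on the traefik container), and `traefik.http.services.traefik-traefik.loadbalancer.server.port=888` is unused because the dashboard router's service is `api@internal`.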
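Review bot: `touch logs/access.log` and `touch logs/stdout.log` assume a `logs/` directory that this commit never creates — git does not track empty directories and `.gitignore` only lists `logs/*` — so on a fresh clone both lines fail, and with no `set -e` the script carries on to `chmod` as if nothing happened. Add `set -euo pipefail` after the shebang and `mkdir -p data logs` before the first `touch`. `chmod 600 data/acme.json` also runs only after the file has been created with umask-default permissions; putting `umask 077` at the top (or using `install -m 600 /dev/null data/acme.json`) removes that window for the file that will hold the Let's Encrypt account and private keys.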