Jemmaan

config/docker/2023/New-Docker-Deployment/home/user/.env

@@ -0,0 +1,115 @@
+#### Comment out or delete any unused entries
+
+#### EXAMPLE 
+# DO NOT USE QUOTES TO ENCLOSE THE VALUES
+EXAMPLE_VARIABLE=true
+EXAMPLE_PORT=1234
+EXAMPLE_PASSWORD=kdos9lsk@1l1!
+EXAMPLE_EMAIL=myemail@domain.com
+EXAMPLE_IP=123.123.123.123
+
+#### BELOW ARE SOME OF THE VARIABLES USED IN docker-compose.yml
+
+##### PORTS
+
+APCUPSD_PORT=
+BAZARR_PORT=
+EMBY_PORT=
+GUACAMOLE_PORT=
+HA_DOCKERMON_PORT=
+HEIMDALL_PORT=
+INFLUXDB_PORT=
+IPVANISH_PROXY_PORT=
+IPVANISH_REMOTE_SERVER=
+JACKETT_PORT=
+JDOWNLOADER_PORT=
+LIDARR_PORT=
+MOSQUITTO_HTTP_PORT=
+MOSQUITTO_HTTPS_PORT=
+NZBHYDRA_PORT=
+ORGANIZER_PORT=
+PHPMYADMIN_PORT=
+PLEX_PORT=
+PLEX_WEB_TOOLS_PORT=
+QBITTORRENT_PORT=
+RADARR_PORT= #If you change radarr port then update plex meta agent
+SABNZBD_PORT=
+SONARR_PORT= #If you change sonarr port then update plex meta agent
+TAUTULLI_PORT=
+TRANSMISSION_PORT=
+ZONEMINDER_HTTP_PORT=
+ZONEMINDER_HTTPS_PORT=
+
+##### SYSTEM
+
+PUID=
+PGID=
+TZ=America/New_York
+USERDIR=/home/username
+DOCKERDIR=/home/username/docker
+SECRETSDIR=/home/username/docker/secrets
+SERVER_IP=
+PIHOLE_IP=
+LOCAL_NETWORK=
+
+##### DOMAIN
+
+DOMAINNAME=
+CLOUDFLARE_EMAIL=
+CLOUDFLARE_API_KEY=
+CLOUDFLARE_API_TOKEN=
+CLOUDFLARE_ZONEID=
+DUCKDNS_TOKEN=
+
+##### DATABASE
+
+DB_HOST=
+DB_PORT=
+MYSQL_ROOT_PASSWORD=
+
+##### SECURITY AND PRIVACY
+
+IPVANISH_USERNAME=
+IPVANISH_PASSWORD=
+HTTP_USERNAME=
+HTTP_PASSWORD=
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+OAUTH_SECRET=
+LIDARR_API_KEY=
+RADARR_API_KEY=
+SONARR_API_KEY=
+SABNZBD_API_KEY=
+
+##### NOTIFICATIONS
+
+TGRAM_BOT_TOKEN=
+TGRAM_CHAT_ID=
+MY_EMAIL=
+
+##### APPS
+
+JDOWN_VNC_PASSWD=
+HANDBRAKE_VNC_PASSWD=
+FIREFOX_VNC_PASSWD=
+FILEBOT_VNC_PASSWD=
+QDIRSTAT_VNC_PASSWD=
+MKVTOOLNIX_VNC_PASSWD=
+MAKEMKV_VNC_PASSWD=
+GUAC_MYSQL_USER=
+GUAC_MYSQL_PASSWORD=
+TRANSMISSION_RPC_PASSWORD=
+TRANSMISSION_RPC_USERNAME=
+PIHOLE_WEBPASSWORD=
+
+##### PLEX
+
+PLEX_CLAIM=
+SYN_PLEX=ACCESS-TOKEN@PLEX_SERVER_IP
+NUC_PLEX=ACCESS-TOKEN@PLEX_SERVER_IP
+# Plex libraries section id. Remember to change the numbers below to reflect your library. Add more as needed. 
+# ALWAYS DO A DRY RUN TO VERIFY BEFORE SYNCING
+SYN_PLEX_HOLLYWOOD=1
+NUC_PLEX_HOLLYWOOD=2
+SYN_PLEX_TVSHOWS=2
+NUC_PLEX_TVSHOWS=16

config/docker/2023/New-Docker-Deployment/home/user/base.env

@@ -0,0 +1,77 @@
+##### HOSTNAMES
+#TRAEFIK_HOSTNAME=proxy.
+#PORTAINER_HOSTNAME=portainer.
+#AUTHELIA_HOSTNAME=auth.
+
+TRAEFIK_HOSTNAME=testproxy.
+PORTAINER_HOSTNAME=testportainer.
+AUTHELIA_HOSTNAME=testauth.
+
+##### NETWORKS
+
+PROXY_SUBNET=192.168.91.0/24
+PROXY_GATEWAY=192.168.91.1
+
+TRAEFIK_PROXY_IP=192.168.91.254
+PORTAINER_PROXY_IP=192.168.91.253
+AUTHELIA_IP=192.168.91.252
+
+SOCKET_PROXY_SUBNET=192.168.92.0/24
+SOCKET_PROXY_GATEWAY=192.168.92.1
+
+SOCKET_PROXY_IP=192.168.92.254
+TRAEFIK_SOCKET_PROXY_IP=192.168.92.252
+PORTAINER_SOCKET_PROXY_IP=192.168.92.253
+
+##### DOMAIN
+
+DOMAINNAME0=gurulandia.eu
+DOMAINNAME1=local.gurulandia.eu
+
+##### CLOUDFLARE
+
+CLOUDFLARE_EMAIL=gurulandia@outlook.com
+CLOUDFLARE_IP_RANGES=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,172.64.0.0/13,131.0.72.0/22,104.16.0.0/13,104.24.0.0/14
+
+##### Certificate
+
+CERTRESOLVER=dns-cloudflare
+DNS_PROVIDER=cloudflare
+RESOLVER0=1.1.1.1:53
+RESOLVER1=1.0.0.1:53
+
+
+##### DATABASE
+
+DB_HOST=192.168.99.60
+DB_PORT=3306
+MYSQL_ROOT_PASSWORD=
+
+
+##### IP ADDRESSES
+
+# HEIMDALL_IP=192.168.91.2
+# VSCODE_IP=192.168.91.3
+# YOURLS_IP=192.168.91.4
+# LIBRESPEED_IP=192.168.91.5
+# ADMINER_IP=192.168.91.6
+# DOZZLE_IP0=192.168.91.7
+# GLANCES_IP0=192.168.91.8
+# CLOUDDNS_IP=192.168.91.9
+# CERTDUMPER_IP=192.168.91.10
+
+# DOZZLE_IP1=192.168.92.7
+# GLANCES_IP1=192.168.92.8
+
+#SERVER_IP=
+#PIHOLE_IP=
+#LOCAL_NETWORK=
+
+##### PORTS
+
+# LIBRESPEED_PORT=30001
+
+# VSCODE_PASSWORD=glvscode
+
+# GUAC_MYSQL_USER=guacamole
+# GUAC_MYSQL_PASSWORD=guacamole

config/docker/2023/New-Docker-Deployment/home/user/base.yml

@@ -0,0 +1,330 @@
+version: "3.9"
+#env_file: ./base.env
+########################### NETWORKS
+# There is no need to create any networks outside this docker-compose file.
+# You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please.
+# Docker Compose version 3.5 or higher required to define networks this way.
+networks:
+  proxy:
+    name: proxy
+    driver: bridge
+    ipam:
+      config:
+        - subnet: $PROXY_SUBNET
+          gateway: $PROXY_GATEWAY 
+  #default:
+  #  driver: bridge
+  socket_proxy:
+    name: socket_proxy
+    driver: bridge
+    ipam:
+      config:
+        - subnet: $SOCKET_PROXY_SUBNET
+          gateway: $SOCKET_PROXY_GATEWAY
+########################### VOLUMES
+volumes:
+  traefik-logs: {}
+  traefik-acme: {}
+  portainer-data: {}
+
+########################### SECRETS
+secrets:
+  htpasswd:
+    file: $SECRETSDIR/htpasswd
+  cloudflare_email:
+    file: $SECRETSDIR/cloudflare_email
+  cloudflare_api_key:
+    file: $SECRETSDIR/cloudflare_api_key
+  cloudflare_api_token:
+    file: $SECRETSDIR/cloudflare_api_token    
+  authelia_jwt_secret:
+    file: $SECRETSDIR/authelia_jwt_secret
+  authelia_session_secret:
+    file: $SECRETSDIR/authelia_session_secret  
+  authelia_ldap_password:
+    file: $SECRETSDIR/authelia_ldap_password
+  authelia_storage_encryption_key:
+    file: $SECRETSDIR/authelia_storage_encryption_key
+  authelia_storage_mysql_password:
+    file: $DOCKERDIR/secrets/authelia_storage_mysql_password
+#  authelia_notifier_smtp_password:
+#    file: $DOCKERDIR/secrets/authelia_notifier_smtp_password
+#  authelia_duo_api_secret_key:
+#    file: $DOCKERDIR/secrets/authelia_duo_api_secret_key
+
+########################### EXTENSION FIELDS
+# Helps eliminate repetition of sections
+# More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228
+
+# Common environment values
+x-environment: &default-tz-puid-pgid
+  TZ: $TZ
+  PUID: $PUID
+  PGID: $PGID
+
+# Proxy Network and Security
+x-network-and-security: &network-and-security
+  networks:
+    - t2_proxy
+  security_opt:
+    - no-new-privileges:true
+
+# Keys common to some of the services in basic-services.txt
+x-common-keys-basic: &common-keys-basic
+  <<: *network-and-security
+  restart: always
+  # profiles:
+  # - basic
+
+# Keys common to some of the dependent services/apps
+x-common-keys-apps: &common-keys-apps
+  <<: *network-and-security
+  restart: unless-stopped
+  # profiles:
+  # - apps
+
+# Keys common to some of the services in media-services.txt
+x-common-keys-media: &common-keys-media
+  <<: *network-and-security
+  restart: "no"
+  # profiles:
+  # - media
+
+########################### SERVICES
+services:
+  # Traefik 2 - Reverse Proxy
+  # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
+  # touch $DOCKERDIR/traefik2/acme/acme.json
+  # chmod 600 $DOCKERDIR/traefik2/acme/acme.json
+  # touch $DOCKERDIR/traefik2/traefik.log
+  traefik:
+    container_name: traefik
+    image: traefik:latest
+    restart: always
+    command: # CLI arguments
+      - --global.checkNewVersion=true
+      - --global.sendAnonymousUsage=false
+      - --entryPoints.http.address=:80
+      - --entryPoints.https.address=:443
+      - --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IP_RANGES
+      - --entryPoints.traefik.address=:8080
+      - --entryPoints.metrics.address=:8082
+      - --entryPoints.gelf.address=:12201
+      - --entryPoints.syslog.address=:15514
+      - --entryPoints.beats.address=:5050
+      - --metrics.prometheus.entryPoint=metrics      
+      - --api=true
+      #- --api.insecure=true
+      - --api.dashboard=true      
+      - --serversTransport.insecureSkipVerify=true
+      - --log=true
+      - --log.filePath=/var/log/traefik/debug.log
+      - --log.format=json
+      - --log.level=WARN # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
+      - --accessLog=true
+      - --accessLog.filePath=/var/log/traefik/access.log
+      - --accessLog.format=json
+      #- --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
+      #- --accessLog.filters.statusCodes=400-499
+      - --providers.docker=true
+      - --providers.docker.endpoint=$DOCKER_ENDPOINT # Use Docker Socket Proxy instead for improved security
+      # Automatically set Host rule for services
+      # - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME0`)
+      - --providers.docker.exposedByDefault=false
+      # - --entrypoints.https.http.middlewares=chain-oauth@file
+      - --entrypoints.https.http.tls.options=tls-opts@file
+      # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
+      - --entrypoints.https.http.tls.certresolver=$CERTRESOLVER
+      - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME0
+      - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME0
+      - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME1 # Pulls main cert for second domain
+      - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME1 # Pulls wildcard cert for second domain
+      - --providers.docker.network=proxy
+      - --providers.docker.swarmMode=false
+      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory
+      # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file
+      - --providers.file.watch=true # Only works on top level files in the rules folder
+      #- --certificatesResolvers.$CERTRESOLVER.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
+      - --certificatesResolvers.$CERTRESOLVER.acme.email=$CLOUDFLARE_EMAIL
+      - --certificatesResolvers.$CERTRESOLVER.acme.storage=/etc/traefik/acme/acme.json
+      - --certificatesresolvers.$CERTRESOLVER.acme.dnschallenge=true
+      - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.provider=$DNS_PROVIDER
+      - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.resolvers=$RESOLVER0 #,$RESOLVER1
+      - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
+    networks:
+      proxy:
+        ipv4_address: $TRAEFIK_PROXY_IP # You can specify a static IP
+      socket_proxy:
+        ipv4_address: $TRAEFIK_SOCKET_PROXY_IP
+    security_opt:
+      - no-new-privileges:true    
+    ports:
+      - "80:80"
+      - "443:443"
+#      - "8080:8080"
+#      - "8082:8082"
+#      - "12201:12201"
+#      - "5050:5050"
+#      - "15514:15514"
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - $DOCKERDIR/appdata/traefik2/rules:/rules # file provider directory
+      - traefik-logs:/var/log/traefik
+      - traefik-acme:/etc/traefik/acme
+      #- $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
+      #- $DOCKERDIR/appdata/traefik2/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container
+      - $DOCKERDIR/shared:/shared
+    environment:
+      - TZ=$TZ
+      - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
+      - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
+      - CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_api_token
+      - HTPASSWD_FILE=/run/secrets/htpasswd # HTPASSWD_FILE can be whatever as it is not used/called anywhere.
+    secrets:
+      - cloudflare_email
+      - cloudflare_api_key
+      - cloudflare_api_token
+      - htpasswd
+    labels:
+      #- "autoheal=true"
+      - "traefik.enable=true"
+      # HTTP-to-HTTPS Redirect
+      - "traefik.http.routers.http-catchall.entrypoints=http"
+      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
+      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+      # HTTP Routers
+      - "traefik.http.routers.traefik-rtr.entrypoints=https"
+      - "traefik.http.routers.traefik-rtr.rule=Host(`$TRAEFIK_HOSTNAME$DOMAINNAME1`)"      
+      ## Services - API
+      - "traefik.http.routers.traefik-rtr.service=api@internal"
+      ## Middlewares
+      - "traefik.http.routers.traefik-rtr.middlewares=chain-no-auth@file"
+      #- "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file"
+  # Docker Socket Proxy - Security Enchanced Proxy for Docker Socket
+  socket-proxy:
+    container_name: socket-proxy
+    image: tecnativa/docker-socket-proxy
+    restart: always
+    networks:
+      socket_proxy:
+        ipv4_address: $SOCKET_PROXY_IP # You can specify a static IP
+    privileged: true
+    #ports:
+    # - "127.0.0.1:2375:2375" # Port 2375 should only ever get exposed to the internal network. When possible use this line.
+    # I use the next line instead, as I want portainer to manage multiple docker endpoints within my home network.
+    # - "2375:2375"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock"
+    environment:
+      - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
+      ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
+      # 0 to revoke access.
+      # 1 to grant access.
+      ## Granted by Default
+      - EVENTS=1
+      - PING=1
+      - VERSION=1
+      ## Revoked by Default
+      # Security critical
+      - AUTH=0
+      - SECRETS=0
+      - POST=1 # Ouroboros
+      # Not always needed
+      - BUILD=0
+      - COMMIT=0
+      - CONFIGS=0
+      - CONTAINERS=1 # Traefik, portainer, etc.
+      - DISTRIBUTION=0
+      - EXEC=1
+      - IMAGES=1 # Portainer
+      - INFO=1 # Portainer
+      - NETWORKS=1 # Portainer
+      - NODES=0
+      - PLUGINS=0
+      - SERVICES=1 # Portainer
+      - SESSION=0
+      - SWARM=0
+      - SYSTEM=0
+      - TASKS=1 # Portaienr
+      - VOLUMES=1 # Portainer
+
+  # Portainer - WebUI for Containers
+  portainer:
+    container_name: portainer
+    image: portainer/portainer-ce:latest
+    restart: unless-stopped
+    command: -H $DOCKER_ENDPOINT # Use Docker Socket Proxy instead for improved security
+    networks:
+      proxy:
+        ipv4_address: $PORTAINER_PROXY_IP
+      socket_proxy:
+        ipv4_address: $PORTAINER_SOCKET_PROXY_IP
+    security_opt:
+      - no-new-privileges:true
+    volumes:
+      - portainer-data:/data
+#      - $DOCKERDIR/appdata/portainer:/data # Change to local directory if you want to save/transfer config locally
+    environment:
+      - TZ=$TZ
+    labels:
+      - "traefik.enable=true"
+      ## HTTP Routers
+      - "traefik.http.routers.portainer-rtr.entrypoints=https"
+      - "traefik.http.routers.portainer-rtr.rule=Host(`$PORTAINER_HOSTNAME$DOMAINNAME1`)"
+      ## Middlewares
+      - "traefik.http.routers.portainer-rtr.middlewares=chain-authelia@file"
+      #- "traefik.http.routers.portainer-rtr.middlewares=chain-no-auth@file"
+      ## HTTP Services
+      - "traefik.http.routers.portainer-rtr.service=portainer-svc"
+      - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000"
+  # Authelia (Lite) - Self-Hosted Single Sign-On and Two-Factor Authentication
+  authelia:
+      container_name: authelia
+      # Check this before upgrading: https://github.com/authelia/authelia/blob/master/BREAKING.md
+      image: authelia/authelia:latest
+      restart: always
+      networks:
+        proxy:
+          ipv4_address: $AUTHELIA_IP # You can specify a static IP
+        #default:
+      # ports:
+      #   - "9091:9091"
+      volumes:
+        - $DOCKERDIR/appdata/authelia:/config
+      environment:
+        - TZ=$TZ
+        - AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret
+        - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret
+        - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/authelia_storage_encryption_key
+        - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/run/secrets/authelia_ldap_password
+        - AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/run/secrets/authelia_storage_mysql_password
+#        - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/authelia_notifier_smtp_password
+#        - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/authelia_duo_api_secret_key
+#        - AUTHELIA_TLS_KEY_FILE
+#        - AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE
+#        - AUTHELIA_SESSION_REDIS_PASSWORD_FILE
+#        - AUTHELIA_REDIS_HIGH_AVAILABILITY_SENTINEL_PASSWORD_FILE
+#        - AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
+#        - AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
+
+      secrets:
+        - authelia_jwt_secret
+        - authelia_session_secret
+        - authelia_storage_encryption_key
+        - authelia_ldap_password
+        - authelia_storage_mysql_password
+#        - authelia_notifier_smtp_password
+#        - authelia_duo_api_secret_key
+      labels:
+        - "traefik.enable=true"
+        ## HTTP Routers
+        - "traefik.http.routers.authelia-rtr.entrypoints=https"
+        - "traefik.http.routers.authelia-rtr.rule=Host(`$AUTHELIA_HOSTNAME$DOMAINNAME1`)"
+        - "traefik.http.routers.authelia-rtr.tls=true"
+        ## Middlewares
+        - "traefik.http.routers.authelia-rtr.middlewares=chain-no-auth@file"
+        #chain-authelia@file"
+        ## HTTP Services
+        - "traefik.http.routers.authelia-rtr.service=authelia-svc"
+        - "traefik.http.services.authelia-svc.loadbalancer.server.port=9091"