commit 1f0b812d388b434255025f6281d6447b62341a5f
Author: Gurulandia
Date: Sat Jan 11 20:56:07 2025 +0200
Upload files to "/"
diff --git a/.env b/.env
new file mode 100644
index 0000000..852b407
--- /dev/null
+++ b/.env
@@ -0,0 +1,119 @@
+COMPOSE_PROJECT_NAME=proxy
+
+##### SYSTEM
+PUID=1000
+PGID=1000
+TZ=Europe/HelsinkI
+
+#USERDIR=/home/gurulandia
+DOCKERDIR=/gurulandia/data
+SECRETSDIR=/gurulandia/docker-shared/secrets
+
+##### DOMAIN
+DOMAINNAME0=gurulandia.eu
+DOMAINNAME1=local.gurulandia.eu
+DOMAINNAME2=gurulandia.fi
+DOMAINNAME3=local.gurulandia.fi
+
+##### SUBNETS
+
+PROXY_SUBNET=192.168.91.0/24
+SOCKET_PROXY_SUBNET=192.168.92.0/24
+
+##### GATEWAYS
+
+PROXY_GATEWAY=192.168.91.1
+SOCKET_PROXY_GATEWAY=192.168.92.1
+
+##### Traefik Container
+TRAEFIK_CONTAINER_NAME=traefik
+TRAEFIK_IMAGE=traefik
+TRAEFIK_VERSION=v3.0.0-rc1 #latest
+TRAEFIK_RESTART_POLICY=unless-stopped
+TRAEFIK_IP0=192.168.91.254
+TRAEFIK_IP1=192.168.92.252
+
+##### socket-proxy Container
+SOCKET_PROXY_CONTAINER_NAME=socket-proxy
+SOCKET_PROXY_IMAGE=ghcr.io/tecnativa/docker-socket-proxy
+SOCKET_PROXY_VERSION=latest
+SOCKET_PROXY_RESTART_POLICY=always
+SOCKET_PROXY_IP=192.168.92.254
+
+DOCKER_ENDPOINT=tcp://${SOCKET_PROXY_CONTAINER_NAME}:2375
+
+BASICAUTHUSER=gurulandia:$$apr1$$kBqxEDFb$$aOgGWvLwFUDhSymDy430m.
+# create basic auth with: echo $(htpasswd -nb "" "") | sed -e s/\\$/\\$\\$/g
+
+##### trustedIPs
+CLOUDFLARE_IPS=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,172.64.0.0/13,131.0.72.0/22,104.16.0.0/13,104.24.0.0/14
+LOCAL_IPS=127.0.0.1/32,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
+
+##### Certificate
+CF_API_EMAIL=gurulandia@outlook.com
+
+CERTRESOLVER=dns-cloudflare
+DNS_PROVIDER=cloudflare
+RESOLVER0=1.1.1.1:53
+RESOLVER1=1.0.0.1:53
+
+##### Crowdsec Container
+CROWDSEC_CONTAINER_NAME=crowdsec
+CROWDSEC_IMAGE=crowdsecurity/crowdsec
+CROWDSEC_VERSION=latest
+CROWDSEC_RESTART_POLICY=unless-stopped
+#CROWDSEC_COLLECTIONS="crowdsecurity/linux crowdsecurity/traefik"
+CROWDSEC_COLLECTIONS="crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/whitelist-good-actors crowdsecurity/iptables crowdsecurity/linux fulljackz/proxmox"
+CROWDSEC_IP=192.168.92.253
+
+##### bouncer-traefik Container
+BT_CONTAINER_NAME=bouncer-traefik
+BT_IMAGE=docker.io/fbonalair/traefik-crowdsec-bouncer
+BT_VERSION=latest
+BT_RESTART_POLICY=unless-stopped
+BT_IP=192.168.92.251
+
+##### IP ADDRESSES
+
+#HEIMDALL_IP=192.168.91.2
+#VSCODE_IP=192.168.91.3
+#YOURLS_IP=192.168.91.4
+#LIBRESPEED_IP=192.168.91.5
+#ADMINER_IP=192.168.91.6
+#DOZZLE_IP0=192.168.91.7
+#GLANCES_IP0=192.168.91.8
+#CLOUDDNS_IP=192.168.91.9
+#CERTDUMPER_IP=192.168.91.10
+
+#AUTHELIA_IP=192.168.91.252
+#PORTAINER_IP0=192.168.91.251
+
+
+#DOZZLE_IP1=192.168.92.7
+#GLANCES_IP1=192.168.92.8
+#PORTAINER_IP1=192.168.92.253
+
+#SERVER_IP=
+#PIHOLE_IP=
+#LOCAL_NETWORK=
+
+##### PORTS
+
+#VSCODE_PORT=8443
+#LIBRESPEED_PORT=30001
+
+##### DUCKDNS
+
+#DUCKDNSDOMAIN0=gurulandia.duckdns.org
+#DUCKDNS_TOKEN=99636f9f-46d7-4d80-b171-6ae486d1bc7b
+
+##### DATABASE
+
+# DB_HOST=192.168.99.60
+# DB_PORT=3306
+# MYSQL_ROOT_PASSWORD=
+
+# VSCODE_PASSWORD=glvscode
+
+# GUAC_MYSQL_USER=guacamole
+# GUAC_MYSQL_PASSWORD=guacamole
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..d7c987c
--- /dev/null
+++ b/docker-compose.yml
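Review bot: The committed .env carries credentials that do not belong in version control: `BASICAUTHUSER` holds a real htpasswd hash, and the commented-out `#DUCKDNS_TOKEN=…` line still leaves a token in the commit history, so both should move into files under the `SECRETSDIR` this same file defines and the DuckDNS token should be rotated, since commenting a line out does not remove it from the commit. `TZ=Europe/HelsinkI` has a stray capital I; tzdata zone names are case-sensitive, so containers inheriting `$TZ` will not get the intended zone — change it to `TZ=Europe/Helsinki`. `LOCAL_IPS` spans loopback plus all three RFC 1918 blocks; if it feeds Traefik's trusted-IPs setting (that wiring lives in compose/dc-traefik.yml, outside this diff), every container on the 192.168.91/92 networks is trusted to set client-IP forwarding headers, so it is worth narrowing to the actual upstream proxy addresses. `TRAEFIK_VERSION=v3.0.0-rc1` pins a release candidate while the trailing `#latest` is only a comment; pin a stable tag instead.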
@@ -0,0 +1,122 @@
+########################### NETWORKS
+# There is no need to create any networks outside this docker-compose file.
+# You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please.
+# Docker Compose version 3.5 or higher required to define networks this way.
+networks:
+ proxy:
+ name: proxy
+ driver: bridge
+ ipam:
+ config:
+ - subnet: $PROXY_SUBNET
+ gateway: $PROXY_GATEWAY
+ socket_proxy:
+ name: socket_proxy
+ driver: bridge
+ ipam:
+ config:
+ - subnet: $SOCKET_PROXY_SUBNET
+ gateway: $SOCKET_PROXY_GATEWAY
+
+########################### SECRETS
+#secrets:
+# cloudflare_email:
+# file: ${SECRETSDIR}/cloudflare_email
+ #cloudflare_api_token:
+ # file: ${SECRETSDIR}/cloudflare_api_token
+ #authelia_jwt_secret:
+ # file: $SECRETSDIR/authelia_jwt_secret
+ #authelia_session_secret:
+ # file: $SECRETSDIR/authelia_session_secret
+ #authelia_storage_mysql_password:
+ # file: $SECRETSDIR/authelia_storage_mysql_password
+ #authelia_storage_encryption_key:
+ # file: $SECRETSDIR/authelia_storage_encryption_key
+ #authelia_ldap_password:
+ # file: $SECRETSDIR/authelia_ldap_password
+# authelia_notifier_smtp_password:
+# file: $DOCKERDIR/secrets/authelia_notifier_smtp_password
+# authelia_duo_api_secret_key:
+# file: $DOCKERDIR/secrets/authelia_duo_api_secret_key
+
+# Docker Compose v2.20 or greater required to use "include"
+include:
+########################### SERVICES
+ - compose/dc-traefik.yml
+ - composes/dc-socket-proxy.yml
+ - compose/dc-crowdsec.yml
+ - compose/dc-traefik-bouncer.yml
+
+ # Portainer - WebUI for Containers
+ # portainer:
+ # container_name: gl-portainer
+ # image: portainer/portainer-ce:latest
+ # restart: unless-stopped
+ # command: -H $DOCKER_ENDPOINT # Use Docker Socket Proxy instead for improved security
+ # networks:
+ # gl_proxy:
+ # ipv4_address: $PORTAINER_IP0
+ # gl_socket_proxy:
+ # ipv4_address: $PORTAINER_IP1
+ # security_opt:
+ # - no-new-privileges:true
+ # ports:
+ # - "9000:9000"
+ # volumes:
+ # - $DOCKERDIR/appdata/portainer:/data # Change to local directory if you want to save/transfer config locally
+ # environment:
+ # - TZ=$TZ
+ # labels:
+ # - "traefik.enable=true"
+ ## HTTP Routers
+# - "traefik.http.routers.portainer-rtr.entrypoints=https"
+# - "traefik.http.routers.portainer-rtr.rule=Host(`portainer.local.$DOMAINNAME0`)"
+ ## Middlewares
+ #- "traefik.http.routers.portainer-rtr.middlewares=chain-authelia@file"
+# - "traefik.http.routers.portainer-rtr.middlewares=chain-no-auth@file"
+ ## HTTP Services
+# - "traefik.http.routers.portainer-rtr.service=portainer-svc"
+# - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000"
+ # Authelia (Lite) - Self-Hosted Single Sign-On and Two-Factor Authentication
+ # authelia:
+ # container_name: gl-authelia
+ # Check this before upgrading: https://github.com/authelia/authelia/blob/master/BREAKING.md
+ # image: authelia/authelia:latest
+ # restart: always
+ # networks:
+ # gl_proxy:
+ # ipv4_address: $AUTHELIA_IP # You can specify a static IP
+ # default:
+ # ports:
+ # - "9091:9091"
+ # volumes:
+ # - $DOCKERDIR/appdata/authelia:/config
+ # environment:
+ # - TZ=$TZ
+ # - AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret
+ # - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret
+# - AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/run/secrets/authelia_storage_mysql_password
+ # - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/authelia_storage_encryption_key
+ # - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/run/secrets/authelia_ldap_password
+# - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/authelia_notifier_smtp_password
+# - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/authelia_duo_api_secret_key
+ # secrets:
+ # - authelia_jwt_secret
+ # - authelia_session_secret
+# - authelia_storage_mysql_password
+ # - authelia_storage_encryption_key
+ # - authelia_ldap_password
+# - authelia_notifier_smtp_password
+# - authelia_duo_api_secret_key
+ # labels:
+ # - "traefik.enable=true"
+ ## HTTP Routers
+ # - "traefik.http.routers.authelia-rtr.entrypoints=https"
+ # - "traefik.http.routers.authelia-rtr.rule=Host(`auth.local.$DOMAINNAME0`)"
+ # - "traefik.http.routers.authelia-rtr.tls=true"
+ ## Middlewares
+ # - "traefik.http.routers.authelia-rtr.middlewares=chain-no-auth@file"
+ #chain-authelia@file"
+ ## HTTP Services
+ # - "traefik.http.routers.authelia-rtr.service=authelia-svc"
+ # - "traefik.http.services.authelia-svc.loadbalancer.server.port=9091"