From 28efc0b15770f6eef3dd5b0d467d76f917de7675 Mon Sep 17 00:00:00 2001 From: Gurulandia Date: Sun, 1 Mar 2026 12:20:40 +0200 Subject: [PATCH] Jemmaan --- config/docker/2022/test/.env | 12 + config/docker/2022/test/gl.env | 85 ++++++ config/docker/2022/test/test-base-stack.yml | 294 ++++++++++++++++++++ config/docker/2022/test/test-log-stack.yml | 225 +++++++++++++++ 4 files changed, 616 insertions(+) create mode 100644 config/docker/2022/test/.env create mode 100644 config/docker/2022/test/gl.env create mode 100644 config/docker/2022/test/test-base-stack.yml create mode 100644 config/docker/2022/test/test-log-stack.yml
diff --git a/config/docker/2022/test/.env b/config/docker/2022/test/.env
new file mode 100644
index 0000000..f628c98
--- /dev/null
+++ b/config/docker/2022/test/.env
@@ -0,0 +1,12 @@
+ELASTIC_VERSION=7.16.1
+ES_JAVA_OPTS=-Xms1g -Xmx1g -Dlog4j2.formatMsgNoLookups=true
+FILEBEAT_TAG=7.16.1
+GRAYLOG_HOSTNAME=test-graylog.local.gurulandia.eu
+GRAYLOG_URL=http://127.0.0.1:9000/
+GRAYLOG_VERSION=4.2.4-1-jre11
+GRAYLOG_PLUGINS=4.2.4
+MONGO_VERSION=3
+OFELIA_TAG=v0.3.6
+TRAEFIK_TAG=2.5.5
+TRAEFIK_HOSTNAME=test-traefik.local.gurulandia.eu
+TZ=Europe/Helsinki
diff --git a/config/docker/2022/test/gl.env b/config/docker/2022/test/gl.env
new file mode 100644
index 0000000..e0193a1
--- /dev/null
+++ b/config/docker/2022/test/gl.env
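Review bot: `GRAYLOG_URL=http://127.0.0.1:9000/` is the value `test-log-stack.yml` passes as `GRAYLOG_HTTP_EXTERNAL_URI`, while browsers reach Graylog through Traefik at `https://$GRAYLOG_HOSTNAME/`; the stack appears to rely on the `graylog-header` middleware injecting `X-Graylog-Server-URL` to paper over that, so either set `GRAYLOG_URL=https://test-graylog.local.gurulandia.eu/` here or add a comment stating that the header override is the intended mechanism. `MONGO_VERSION=3` pins only a major of a MongoDB line that is past end of life; checking this against Graylog 4.2's supported-MongoDB table and pinning a full `x.y.z` tag (as is done for `TRAEFIK_TAG` and `GRAYLOG_VERSION`) would make the stack reproducible.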
@@ -0,0 +1,85 @@
+##### SYSTEM
+
+PUID=1000
+PGID=1000
+TZ=Europe/Helsinki
+USERDIR=/home/gurulandia
+DOCKERDIR=/gurulandia/data/docker
+SECRETSDIR=/gurulandia/data/docker/secrets
+DOCKER_ENDPOINT=tcp://socket-proxy:2375
+
+##### SUBNETS
+
+PROXY_SUBNET=192.168.91.0/24
+SOCKET_PROXY_SUBNET=192.168.92.0/24
+
+##### GATEWAYS
+
+PROXY_GATEWAY=192.168.91.1
+SOCKET_PROXY_GATEWAY=192.168.92.1
+
+##### IP ADDRESSES
+
+SOCKET_PROXY_IP=192.168.92.254
+
+TRAEFIK_PROXY_IP=192.168.91.254
+TRAEFIK_SOCKET_PROXY_IP=192.168.92.252
+
+PORTAINER_PROXY_IP=192.168.91.253
+PORTAINER_SOCKET_PROXY_IP=192.168.92.253
+
+AUTHELIA_IP=192.168.91.252
+
+HEIMDALL_IP=192.168.91.2
+VSCODE_IP=192.168.91.3
+YOURLS_IP=192.168.91.4
+LIBRESPEED_IP=192.168.91.5
+ADMINER_IP=192.168.91.6
+DOZZLE_IP0=192.168.91.7
+GLANCES_IP0=192.168.91.8
+CLOUDDNS_IP=192.168.91.9
+CERTDUMPER_IP=192.168.91.10
+
+DOZZLE_IP1=192.168.92.7
+GLANCES_IP1=192.168.92.8
+
+#SERVER_IP=
+#PIHOLE_IP=
+#LOCAL_NETWORK=
+
+##### PORTS
+
+LIBRESPEED_PORT=30001
+
+##### DOMAIN
+
+DOMAINNAME0=gurulandia.eu
+DOMAINNAME1=local.gurulandia.eu
+
+CLOUDFLARE_EMAIL=gurulandia@outlook.com
+CLOUDFLARE_IP_RANGES=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,172.64.0.0/13,131.0.72.0/22,104.16.0.0/13,104.24.0.0/14
+
+##### DUCKDNS
+
+DUCKDNSDOMAIN0=gurulandia.duckdns.org
+DUCKDNS_TOKEN=99636f9f-46d7-4d80-b171-6ae486d1bc7b
+
+##### Certificate
+
+CERTRESOLVER=dns-cloudflare
+DNS_PROVIDER=cloudflare
+RESOLVER0=1.1.1.1:53
+RESOLVER1=1.0.0.1:53
+
+##### DATABASE
+
+DB_HOST=192.168.99.60
+DB_PORT=3306
+MYSQL_ROOT_PASSWORD=
+
+VSCODE_PASSWORD=glvscode
+
+EMAIL=gurulandia@outlook.com
+
+GUAC_MYSQL_USER=guacamole
+GUAC_MYSQL_PASSWORD=guacamole
\ No newline at end of file
diff --git a/config/docker/2022/test/test-base-stack.yml b/config/docker/2022/test/test-base-stack.yml
new file mode 100644
index 0000000..97ed7fc
--- /dev/null
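Review bot: `DUCKDNS_TOKEN` holds what looks like a real API token, and `VSCODE_PASSWORD=glvscode` and `GUAC_MYSQL_PASSWORD=guacamole` are plaintext passwords, all committed in an env file that any service loading it via `env_file` will expose in its process environment; the same commit already defines `SECRETSDIR` and file-based `secrets:` in `test-base-stack.yml`, so these values belong in that git-ignored directory with `*_FILE` variables pointing at them. Since the token is now in repository history it should be treated as disclosed and regenerated at the provider regardless of whether this file is rewritten. `MYSQL_ROOT_PASSWORD=` is left empty, which the official MySQL/MariaDB images reject at startup unless an allow-empty flag is also set — if nothing consumes it yet, a `# unused` comment or dropping the line avoids a later surprise. The file also ends without a trailing newline, which is worth fixing so future appends do not fuse with the last entry.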
+++ b/config/docker/2022/test/test-base-stack.yml 
@@ -0,0 +1,294 @@ +version: "3.7" +########################### NETWORKS +# There is no need to create any networks outside this docker-compose file. +# You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please. +# Docker Compose version 3.5 or higher required to define networks this way. +networks: + proxy: + name: proxy + driver: bridge + ipam: + config: + - subnet: $PROXY_SUBNET + gateway: $PROXY_GATEWAY + default: + driver: bridge + socket_proxy: + name: socket_proxy + driver: bridge + ipam: + config: + - subnet: $SOCKET_PROXY_SUBNET + gateway: $SOCKET_PROXY_GATEWAY +########################### VOLUMES +volumes: + portainer-data: + driver: local +########################### SECRETS +secrets: + htpasswd: + file: $SECRETSDIR/htpasswd + cloudflare_email: + file: $SECRETSDIR/cloudflare_email + cloudflare_api_key: + file: $SECRETSDIR/cloudflare_api_key + cloudflare_api_token: + file: $SECRETSDIR/secrets/cloudflare_api_token + authelia_jwt_secret: + file: $SECRETSDIR/authelia_jwt_secret + authelia_session_secret: + file: $SECRETSDIR/authelia_session_secret + authelia_ldap_password: + file: $SECRETSDIR/authelia_ldap_password + authelia_storage_encryption_key: + file: $SECRETSDIR/authelia_storage_encryption_key +# authelia_storage_mysql_password: +# file: $DOCKERDIR/secrets/authelia_storage_mysql_password +# authelia_notifier_smtp_password: +# file: $DOCKERDIR/secrets/authelia_notifier_smtp_password +# authelia_duo_api_secret_key: +# file: $DOCKERDIR/secrets/authelia_duo_api_secret_key +########################### SERVICES +services: + # Traefik 2 - Reverse Proxy + # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600. 
+ # touch $DOCKERDIR/traefik2/acme/acme.json + # chmod 600 $DOCKERDIR/traefik2/acme/acme.json + # touch $DOCKERDIR/traefik2/traefik.log + traefik: + container_name: test-traefik + image: traefik:latest + #image: traefik:livarot # picodon v2.3.x # chevrotin v2.2.x + restart: always + command: # CLI arguments +# - --global.checkNewVersion=true +# - --global.sendAnonymousUsage=true + - --entryPoints.http.address=:80 + - --entryPoints.https.address=:443 + #- --entrypoints.https.forwardedHeaders.trustedIPs=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 + - --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IP_RANGES + - --entryPoints.traefik.address=:8080 + # - --entryPoints.ping.address=:8081 + - --api=true + #- --api.insecure=true + - --api.dashboard=true + #- --ping=true + #- --pilot.token=$TRAEFIK_PILOT_TOKEN + - --serversTransport.insecureSkipVerify=true + - --log=true + - --log.level=WARN # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC + - --log.filePath=/traefik.log + - --accessLog=true + - --accessLog.filePath=/access.log + - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines + - --accessLog.filters.statusCodes=400-499 + - --providers.docker=true + - --providers.docker.endpoint=$DOCKER_ENDPOINT # Use Docker Socket Proxy instead for improved security + # Automatically set Host rule for services + # - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME0`) + - --providers.docker.exposedByDefault=false + # - --entrypoints.https.http.middlewares=chain-oauth@file + - --entrypoints.https.http.tls.options=tls-opts@file + # Add dns-cloudflare as default certresolver for all services. 
Also enables TLS and no need to specify on individual services + - --entrypoints.https.http.tls.certresolver=$CERTRESOLVER + - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME0 + - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME0 + - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME1 # Pulls main cert for second domain + - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME1 # Pulls wildcard cert for second domain + - --providers.docker.network=proxy + - --providers.docker.swarmMode=false + - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory + # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file + - --providers.file.watch=true # Only works on top level files in the rules folder + # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing + - --certificatesResolvers.$CERTRESOLVER.acme.email=$CLOUDFLARE_EMAIL + - --certificatesResolvers.$CERTRESOLVER.acme.storage=/acme.json + - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.provider=$DNS_PROVIDER + - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.resolvers=$RESOLVER0 #,$RESOLVER1 + - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate + networks: + proxy: + ipv4_address: $TRAEFIK_PROXY_IP # You can specify a static IP + socket_proxy: + ipv4_address: $TRAEFIK_SOCKET_PROXY_IP + security_opt: + - no-new-privileges:true + #healthcheck: + # test: ["CMD", "traefik", "healthcheck", "--ping"] + # interval: 5s + # retries: 3 + ports: + - target: 80 + published: 80 + protocol: tcp + mode: host + - target: 443 + published: 443 + protocol: tcp + mode: host + #- target: 8080 + # published: 8080 + # protocol: tcp + # mode: host + volumes: + - $DOCKERDIR/appdata/traefik2/rules:/rules # file provider directory + - 
$DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600 + - $DOCKERDIR/appdata/traefik2/logs/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container + - $DOCKERDIR/appdata/traefik2/logs/access.log:/access.log + - $DOCKERDIR/shared:/shared + environment: + - TZ=$TZ + - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email + - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key + - HTPASSWD_FILE=/run/secrets/htpasswd # HTPASSWD_FILE can be whatever as it is not used/called anywhere. + secrets: + - cloudflare_email + - cloudflare_api_key + - htpasswd + labels: + #- "autoheal=true" + - "traefik.enable=true" + # HTTP-to-HTTPS Redirect + - "traefik.http.routers.http-catchall.entrypoints=http" + - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)" + - "traefik.http.routers.http-catchall.middlewares=redirect-to-https" + - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https" + # HTTP Routers + - "traefik.http.routers.traefik-rtr.entrypoints=https" + - "traefik.http.routers.traefik-rtr.rule=Host(`testproxy.local.$DOMAINNAME0`)" + ## Services - API + - "traefik.http.routers.traefik-rtr.service=api@internal" + ## Healthcheck/ping + #- "traefik.http.routers.ping.rule=Host(`traefik.$DOMAINNAME0`) && Path(`/ping`)" + #- "traefik.http.routers.ping.tls=true" + #- "traefik.http.routers.ping.service=ping@internal" + ## Middlewares + #- "traefik.http.routers.traefik-rtr.middlewares=chain-no-auth@file" + - "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file" + # Docker Socket Proxy - Security Enchanced Proxy for Docker Socket + socket-proxy: + container_name: socket-proxy + image: tecnativa/docker-socket-proxy + restart: always + networks: + socket_proxy: + ipv4_address: $SOCKET_PROXY_IP # You can specify a static IP + privileged: true + #ports: + # - "127.0.0.1:2375:2375" # Port 2375 should only ever get exposed to the internal network. 
When possible use this line. + # I use the next line instead, as I want portainer to manage multiple docker endpoints within my home network. + # - "2375:2375" + volumes: + - "/var/run/docker.sock:/var/run/docker.sock" + environment: + - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg + ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.). + # 0 to revoke access. + # 1 to grant access. + ## Granted by Default + - EVENTS=1 + - PING=1 + - VERSION=1 + ## Revoked by Default + # Security critical + - AUTH=0 + - SECRETS=0 + - POST=1 # Ouroboros + # Not always needed + - BUILD=0 + - COMMIT=0 + - CONFIGS=0 + - CONTAINERS=1 # Traefik, portainer, etc. + - DISTRIBUTION=0 + - EXEC=1 + - IMAGES=1 # Portainer + - INFO=1 # Portainer + - NETWORKS=1 # Portainer + - NODES=0 + - PLUGINS=0 + - SERVICES=1 # Portainer + - SESSION=0 + - SWARM=0 + - SYSTEM=0 + - TASKS=1 # Portaienr + - VOLUMES=1 # Portainer + + # Portainer - WebUI for Containers + portainer: + container_name: testportainer + image: portainer/portainer-ce:latest + restart: unless-stopped + command: -H $DOCKER_ENDPOINT # Use Docker Socket Proxy instead for improved security + networks: + proxy: + ipv4_address: $PORTAINER_PROXY_IP + socket_proxy: + ipv4_address: $PORTAINER_SOCKET_PROXY_IP + security_opt: + - no-new-privileges:true + volumes: + - portainer-data:/data +# - $DOCKERDIR/appdata/portainer:/data # Change to local directory if you want to save/transfer config locally + environment: + - TZ=$TZ + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.portainer-rtr.entrypoints=https" + - "traefik.http.routers.portainer-rtr.rule=Host(`testportainer.local.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.portainer-rtr.middlewares=chain-authelia@file" + #- "traefik.http.routers.portainer-rtr.middlewares=chain-no-auth@file" + ## HTTP Services + - "traefik.http.routers.portainer-rtr.service=portainer-svc" + - 
"traefik.http.services.portainer-svc.loadbalancer.server.port=9000" + # Authelia (Lite) - Self-Hosted Single Sign-On and Two-Factor Authentication + authelia: + container_name: authelia + # Check this before upgrading: https://github.com/authelia/authelia/blob/master/BREAKING.md + image: authelia/authelia:latest + restart: always + networks: + proxy: + ipv4_address: $AUTHELIA_IP # You can specify a static IP + #default: + # ports: + # - "9091:9091" + volumes: + - $DOCKERDIR/appdata/authelia:/config + environment: + - TZ=$TZ + - AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret + - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret + - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/authelia_storage_encryption_key + - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/run/secrets/authelia_ldap_password +# - AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/run/secrets/authelia_storage_mysql_password +# - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/authelia_notifier_smtp_password +# - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/authelia_duo_api_secret_key +# - AUTHELIA_TLS_KEY_FILE +# - AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE +# - AUTHELIA_SESSION_REDIS_PASSWORD_FILE +# - AUTHELIA_REDIS_HIGH_AVAILABILITY_SENTINEL_PASSWORD_FILE +# - AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE +# - AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE + + secrets: + - authelia_jwt_secret + - authelia_session_secret + - authelia_storage_encryption_key + - authelia_ldap_password +# - authelia_storage_mysql_password +# - authelia_notifier_smtp_password +# - authelia_duo_api_secret_key + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.authelia-rtr.entrypoints=https" + - "traefik.http.routers.authelia-rtr.rule=Host(`testauth.local.$DOMAINNAME0`)" + - "traefik.http.routers.authelia-rtr.tls=true" + ## Middlewares + - "traefik.http.routers.authelia-rtr.middlewares=chain-no-auth@file" + #chain-authelia@file" + ## HTTP Services + - 
"traefik.http.routers.authelia-rtr.service=authelia-svc" + - "traefik.http.services.authelia-svc.loadbalancer.server.port=9091" diff --git a/config/docker/2022/test/test-log-stack.yml b/config/docker/2022/test/test-log-stack.yml new file mode 100644 index 0000000..f784582 --- /dev/null +++ b/config/docker/2022/test/test-log-stack.yml 
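Review bot: `--serversTransport.insecureSkipVerify=true` in the traefik `command` list disables certificate verification for every TLS backend this proxy forwards to, so an impostor on the `proxy` network is indistinguishable from the real service; if a single self-signed backend needs it, a per-service `serversTransport` in the `/rules` dynamic config scoped to that backend, or at least a comment naming which backend requires it, keeps the exception narrow. All three images are pulled as `:latest` (`traefik:latest`, `portainer/portainer-ce:latest`, `authelia/authelia:latest`) even though the sibling `.env` already defines `TRAEFIK_TAG=2.5.5`; with `restart: always` an unpinned tag means the stack silently upgrades on the next pull, so pinning a tag (or digest) is the reproducible choice. In the `secrets:` block, `cloudflare_api_token` points at `$SECRETSDIR/secrets/cloudflare_api_token` while every sibling uses `$SECRETSDIR/<name>`, which looks like a leftover of the `$DOCKERDIR/secrets/...` form still visible in the commented entries and will fail to resolve if that secret is ever attached to a service. In the socket-proxy environment, `EXEC=1` and `POST=1` together let any client on `socket_proxy` create, modify and exec into containers; `POST` is annotated `# Ouroboros` but `EXEC=1` carries no justification, so either set it to `0` or add a comment naming the consumer that needs it.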
@@ -0,0 +1,225 @@ +version: "3.8" +services: + traefik: + image: traefik:${TRAEFIK_TAG} + restart: unless-stopped + container_name: traefik + ports: + - "80:80" + - "443:443" + - "8082:8082" + - "12201:12201" + - "5050:5050" + - "15514:15514" + networks: + - front + - back + volumes: + - /etc/localtime:/etc/localtime:ro + - /var/run/docker.sock:/var/run/docker.sock:ro + - ./traefik/etc/traefik.yml:/traefik.yml + - traefik_logs:/var/log/traefik + - traefik_acme:/etc/traefik/acme + labels: + traefik.enable: "true" + traefik.http.middlewares.traefik-auth.basicauth.users: 'admin:$$apr1$$Rv.Ge.aI$$17ij9Ajq8QuxXbkhMdcOv0' + traefik.http.routers.traefik-secure.entrypoints: https + traefik.http.routers.traefik-secure.rule: Host(`$TRAEFIK_HOSTNAME`, `localhost`) + traefik.http.routers.traefik-secure.middlewares: traefik-auth + traefik.http.routers.traefik-secure.tls: "true" + traefik.http.routers.traefik-secure.service: api@internal + traefik.http.services.traefik.loadbalancer.server.port: 8080 + env_file: ./traefik/etc/cloudflare.env + mongodb: + image: mongo:${MONGO_VERSION} + container_name: mongodb + volumes: + - mongo_data:/data/db + networks: + - back + healthcheck: + test: ["CMD-SHELL", "echo 'db.stats().ok' | mongo localhost:27017/test --quiet"] + interval: 30s + timeout: 10s + retries: 5 + start_period: 30s + restart: unless-stopped + labels: + traefik.enable: "false" + elasticsearch: + image: docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION} + container_name: g2elasticsearch + volumes: + - es_data:/usr/share/elasticsearch/data + environment: + - http.host=0.0.0.0 + - network.host=0.0.0.0 + - bootstrap.memory_lock=true + - "ES_JAVA_OPTS=${ES_JAVA_OPTS}" + - cluster.name=graylog + - cluster.routing.use_adaptive_replica_selection=true + - indices.recovery.max_bytes_per_sec=500mb + - discovery.seed_hosts=elastic01 + - cluster.initial_master_nodes=elastic01 + - node.name=elastic01 + ulimits: + memlock: + soft: -1 + hard: -1 + networks: + - back + 
healthcheck: + test: ["CMD-SHELL", "curl --silent --fail localhost:9200/_cluster/health || exit 1"] + interval: 30s + timeout: 10s + retries: 5 + start_period: 30s + restart: unless-stopped + labels: + traefik.enable: "false" + graylog: + image: graylog/graylog:${GRAYLOG_VERSION} + container_name: graylog + volumes: + - graylog_journal:/usr/share/graylog/data/journal + - graylog_data:/usr/share/graylog/data + - graylog_archives:/archives + - graylog_shared:/data/shared + - graylog_geoip:/etc/graylog/server:ro + - ./graylog/node-id.gl2:/usr/share/graylog/data/config/node-id + - ./graylog/plugins/graylog-plugin-enterprise-${GRAYLOG_PLUGINS}.jar:/usr/share/graylog/plugin/graylog-plugin-enterprise-${GRAYLOG_PLUGINS}.jar + - ./graylog/plugins/graylog-plugin-enterprise-integrations-${GRAYLOG_PLUGINS}.jar:/usr/share/graylog/plugin/graylog-plugin-enterprise-integrations-${GRAYLOG_PLUGINS}.jar + - ./graylog/plugins/graylog-plugin-integrations-${GRAYLOG_PLUGINS}.jar:/usr/share/graylog/plugin/graylog-plugin-integrations-${GRAYLOG_PLUGINS}.jar + - ./graylog/plugins/graylog-plugin-enterprise-es6-${GRAYLOG_PLUGINS}.jar:/usr/share/graylog/plugin/graylog-plugin-enterprise-es6-${GRAYLOG_PLUGINS}.jar + - ./graylog/plugins/graylog-plugin-enterprise-es7-${GRAYLOG_PLUGINS}.jar:/usr/share/graylog/plugin/graylog-plugin-enterprise-es7-${GRAYLOG_PLUGINS}.jar + - ./graylog/plugins/metrics-reporter-prometheus-3.0.0.jar:/usr/share/graylog/plugin/metrics-reporter-prometheus-3.0.0.jar + env_file: + - ./graylog/graylog.env + environment: + - GRAYLOG_HTTP_EXTERNAL_URI=${GRAYLOG_URL} + depends_on: + - mongodb + - elasticsearch + expose: + # Graylog web interface and REST API + - "9000" + # Syslog TCP + - "1514" + # Syslog UDP + - "1514/udp" + # GELF TCP + - "12201" + # GELF UDP + - "12201/udp" + # GELF HTTP + - "12202/tcp" + # Beats + - "5050" + # syslog-15514 + - "15514" + healthcheck: + test: ["CMD-SHELL", "curl --silent --fail localhost:9000/api/system/lbstatus || exit 1"] + interval: 30s + 
timeout: 10s + retries: 5 + start_period: 30s + networks: + - back + labels: + traefik.enable: "true" + traefik.http.routers.graylog-secure.entrypoints: https + traefik.http.routers.graylog-secure.rule: Host(`${GRAYLOG_HOSTNAME}`) + traefik.http.routers.graylog-secure.tls: "true" + traefik.http.routers.graylog-secure.tls.domains[0].main: ${GRAYLOG_HOSTNAME} + traefik.http.routers.graylog-secure.tls.certresolver: letsencrypt + traefik.http.routers.graylog-secure.service: graylog + traefik.http.routers.graylog-secure.middlewares: graylog-header,graylog-header-x + traefik.http.middlewares.graylog-header.headers.customrequestheaders.X-Graylog-Server-URL: https://$GRAYLOG_HOSTNAME/ + traefik.http.middlewares.graylog-header-x.headers.hostsProxyHeaders: X-Forwarded-For + traefik.http.services.graylog.loadbalancer.server.port: 9000 + traefik.tcp.routers.gelf.entrypoints: gelf + traefik.tcp.routers.gelf.rule: HostSNI(`*`) + traefik.tcp.routers.gelf.tls.passthrough: "true" + traefik.tcp.routers.gelf.tls: "false" + traefik.tcp.routers.gelf.service: gelf + traefik.tcp.services.gelf.loadbalancer.server.port: 12201 + traefik.tcp.routers.beats.entrypoints: beats + traefik.tcp.routers.beats.rule: HostSNI(`*`) + traefik.tcp.routers.beats.tls.passthrough: "true" + traefik.tcp.routers.beats.tls: "true" + traefik.tcp.routers.beats.service: beats + traefik.tcp.services.beats.loadbalancer.server.port: 5050 + traefik.tcp.routers.syslog.entrypoints: syslog + traefik.tcp.routers.syslog.rule: HostSNI(`*`) + traefik.tcp.routers.syslog.tls.passthrough: "true" + traefik.tcp.routers.syslog.tls: "false" + traefik.tcp.routers.syslog.service: syslog + traefik.tcp.services.syslog.loadbalancer.server.port: 15514 + restart: unless-stopped + geoip: + image: maxmindinc/geoipupdate:latest + restart: unless-stopped + container_name: geoip + networks: + - back + labels: + traefik.enable: "false" + volumes: + - graylog_geoip:/usr/share/GeoIP + env_file: + - ./geoip/geoip.env + filebeat: + image: 
docker.elastic.co/beats/filebeat-oss:${FILEBEAT_TAG} + user: root + restart: unless-stopped + container_name: filebeat + # Disabling strict permission check: + # https://www.elastic.co/guide/en/beats/libbeat/6.6/config-file-permissions.html + command: ["--strict.perms=false"] + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + - traefik_logs:/var/log/traefik:ro + - ./filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro + - filebeat_registry:/usr/share/filebeat/data + expose: + - "5601" + networks: + - back + labels: + traefik.enable: "false" + env_file: + - ./.env + ofelia: + image: mcuadros/ofelia:${OFELIA_TAG} + restart: unless-stopped + container_name: ofelia + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + - ./ofelia/config.ini:/etc/config.ini + command: + - 'daemon' + - '--config=/etc/config.ini' + networks: + - back + labels: + traefik.enable: "false" +volumes: + traefik_logs: {} + traefik_acme: {} + mongo_data: {} + es_data: {} + graylog_journal: {} + graylog_archives: {} + graylog_shared: {} + graylog_geoip: {} + graylog_data: {} + filebeat_registry: {} +networks: + front: + ipam: + config: + - subnet: 172.16.220.0/24 + back: + ipam: + config: + - subnet: 172.16.221.0/24
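Review bot: `/var/run/docker.sock` is bind-mounted directly into `traefik`, `filebeat` (which also runs as `user: root`) and `ofelia`; the `:ro` suffix only makes the socket file read-only, every Docker API call over it still succeeds, so a compromise of any of the three is a root-equivalent path to the host. The `test-base-stack.yml` added in this same commit already runs a `socket-proxy` with per-endpoint allow-lists and points Traefik at it via `--providers.docker.endpoint`, so this stack could do the same for Traefik and, where their Docker client settings allow it, for filebeat and ofelia. The dashboard credential in `traefik.http.middlewares.traefik-auth.basicauth.users` is an `$apr1$` (MD5-crypt) htpasswd hash committed to the repository; `htpasswd -B` produces a bcrypt hash that Traefik accepts, and the `usersFile` option keeps even the hash out of the compose file. The `gelf` TCP router sets both `tls.passthrough: "true"` and `tls: "false"` (and `beats` sets `tls: "true"` next to passthrough); passthrough only has meaning on a TLS router, so the intent for GELF — plain TCP or TLS passthrough — should be settled by removing one of the two labels.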