diff --git a/config/docker/2024/misc/docker-compose.yml b/config/docker/2024/misc/docker-compose.yml new file mode 100644 index 0000000..8184949 --- /dev/null +++ b/config/docker/2024/misc/docker-compose.yml @@ -0,0 +1,285 @@ +version: "3.7" +########################### NETWORKS +# There is no need to create any networks outside this docker-compose file. +# You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please. +# Docker Compose version 3.5 or higher required to define networks this way. +networks: + gl_proxy: + name: gl_proxy + driver: bridge + ipam: + config: + - subnet: $GL_PROXY_SUBNET + gateway: $GL_PROXY_GATEWAY + default: + driver: bridge + gl_socket_proxy: + name: gl_socket_proxy + driver: bridge + ipam: + config: + - subnet: $GL_SOCKET_PROXY_SUBNET + gateway: $GL_SOCKET_PROXY_GATEWAY + +########################### SECRETS +secrets: + htpasswd: + file: $SECRETSDIR/htpasswd + cloudflare_email: + file: $SECRETSDIR/cloudflare_email + cloudflare_api_key: + file: $SECRETSDIR/cloudflare_api_key + cloudflare_api_token: + file: $SECRETSDIR/secrets/cloudflare_api_token + authelia_jwt_secret: + file: $SECRETSDIR/authelia_jwt_secret + authelia_session_secret: + file: $SECRETSDIR/authelia_session_secret + authelia_storage_mysql_password: + file: $SECRETSDIR/authelia_storage_mysql_password + authelia_storage_encryption_key: + file: $SECRETSDIR/authelia_storage_encryption_key + authelia_ldap_password: + file: $SECRETSDIR/authelia_ldap_password +# authelia_notifier_smtp_password: +# file: $DOCKERDIR/secrets/authelia_notifier_smtp_password +# authelia_duo_api_secret_key: +# file: $DOCKERDIR/secrets/authelia_duo_api_secret_key +########################### SERVICES +services: + # Traefik 2 - Reverse Proxy + # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600. + # touch $DOCKERDIR/traefik2/acme/acme.json + # chmod 600 $DOCKERDIR/traefik2/acme/acme.json + # touch $DOCKERDIR/traefik2/traefik.log + traefik: + container_name: gl-traefik +# image: traefik:latest + image: traefik:v3.0.0-rc1 + #image: traefik:livarot # picodon v2.3.x # chevrotin v2.2.x + restart: always + command: # CLI arguments + - --global.checkNewVersion=true + - --global.sendAnonymousUsage=true + - --entryPoints.http.address=:80 + - --entryPoints.https.address=:443 + #- --entrypoints.https.forwardedHeaders.trustedIPs=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 + - --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IP_RANGES + - --entryPoints.traefik.address=:8080 + # - --entryPoints.ping.address=:8081 + - --api=true + # - --api.insecure=true + - --api.dashboard=true + #- --ping=true + #- --pilot.token=$TRAEFIK_PILOT_TOKEN + - --serversTransport.insecureSkipVerify=true + #- --log=true + #- --log.level=WARN # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC + #- --accessLog=true + #- --accessLog.filePath=/traefik.log + #- --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines + #- --accessLog.filters.statusCodes=400-499 + - --providers.docker=true + - --providers.docker.endpoint=$DOCKER_ENDPOINT # Use Docker Socket Proxy instead for improved security + # Automatically set Host rule for services + # - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME0`) + - --providers.docker.exposedByDefault=false + - --providers.redis=true + - --providers.redis.endpoints=redis:6379 + # - --entrypoints.https.http.middlewares=chain-oauth@file + - --entrypoints.https.http.tls.options=tls-opts@file + # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services + - --entrypoints.https.http.tls.certresolver=$CERTRESOLVER + - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME0 + - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME0 + - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME1 # Pulls main cert for second domain + - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME1 # Pulls wildcard cert for second domain + - --providers.docker.network=gl_proxy +# - --providers.docker.swarmMode=false + - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory + # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file + - --providers.file.watch=true # Only works on top level files in the rules folder + # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing + - --certificatesResolvers.$CERTRESOLVER.acme.email=$CLOUDFLARE_EMAIL + - --certificatesResolvers.$CERTRESOLVER.acme.storage=/acme.json + - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.provider=$DNS_PROVIDER + - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.resolvers=$RESOLVER0 #,$RESOLVER1 + - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate + networks: + gl_proxy: + ipv4_address: $TRAEFIK_IP0 # You can specify a static IP + gl_socket_proxy: + ipv4_address: $TRAEFIK_IP1 + security_opt: + - no-new-privileges:true + #healthcheck: + # test: ["CMD", "traefik", "healthcheck", "--ping"] + # interval: 5s + # retries: 3 + ports: + - target: 80 + published: 80 + protocol: tcp + mode: host + - target: 443 + published: 443 + protocol: tcp + mode: host + # - target: 8080 + # published: 8080 + # protocol: tcp + # mode: host + volumes: + - $DOCKERDIR/appdata/traefik2/rules:/rules # file provider directory + - $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600 + #- $DOCKERDIR/appdata/traefik2/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container + - $DOCKERDIR/shared:/shared + environment: + - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email + - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key + - HTPASSWD_FILE=/run/secrets/htpasswd # HTPASSWD_FILE can be whatever as it is not used/called anywhere. + secrets: + - cloudflare_email + - cloudflare_api_key + - htpasswd + labels: + #- "autoheal=true" + - "traefik.enable=true" + # HTTP-to-HTTPS Redirect + - "traefik.http.routers.http-catchall.entrypoints=http" + - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)" + - "traefik.http.routers.http-catchall.middlewares=redirect-to-https" + - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https" + # HTTP Routers + - "traefik.http.routers.traefik-rtr.entrypoints=https" + - "traefik.http.routers.traefik-rtr.rule=Host(`proxy.local.$DOMAINNAME0`)" + ## Services - API + - "traefik.http.routers.traefik-rtr.service=api@internal" + ## Healthcheck/ping + #- "traefik.http.routers.ping.rule=Host(`traefik.$DOMAINNAME0`) && Path(`/ping`)" + #- "traefik.http.routers.ping.tls=true" + #- "traefik.http.routers.ping.service=ping@internal" + ## Middlewares + #- "traefik.http.routers.traefik-rtr.middlewares=chain-no-auth@file" + - "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file" + # Docker Socket Proxy - Security Enchanced Proxy for Docker Socket + socket-proxy: + container_name: gl-socket-proxy + image: ghcr.io/tecnativa/docker-socket-proxy:latest #ghcr.io/tecnativa/docker-socket-proxy:edge + restart: always + networks: + gl_socket_proxy: + ipv4_address: $SOCKET_PROXY_IP # You can specify a static IP + privileged: true + ports: + # - "127.0.0.1:2375:2375" # Port 2375 should only ever get exposed to the internal network. When possible use this line. + # I use the next line instead, as I want portainer to manage multiple docker endpoints within my home network. + - "192.168.5.40:2375:2375" + volumes: + - "/var/run/docker.sock:/var/run/docker.sock" + environment: + - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg + ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.). + # 0 to revoke access. + # 1 to grant access. + ## Granted by Default + - EVENTS=1 + - PING=1 + - VERSION=1 + ## Revoked by Default + # Security critical + - AUTH=0 + - SECRETS=0 + - POST=1 # Ouroboros + # Not always needed + - BUILD=0 + - COMMIT=0 + - CONFIGS=0 + - CONTAINERS=1 # Traefik, portainer, etc. + - DISTRIBUTION=0 + - EXEC=1 + - IMAGES=1 # Portainer + - INFO=1 # Portainer + - NETWORKS=1 # Portainer + - NODES=0 + - PLUGINS=0 + - SERVICES=1 # Portainer + - SESSION=0 + - SWARM=0 + - SYSTEM=0 + - TASKS=1 # Portaienr + - VOLUMES=1 # Portainer + + # Portainer - WebUI for Containers + portainer: + container_name: gl-portainer + image: portainer/portainer-ce:latest + restart: unless-stopped + command: -H $DOCKER_ENDPOINT # Use Docker Socket Proxy instead for improved security + networks: + gl_proxy: + ipv4_address: $PORTAINER_IP0 + gl_socket_proxy: + ipv4_address: $PORTAINER_IP1 + security_opt: + - no-new-privileges:true + # ports: + # - "9000:9000" + volumes: + - $DOCKERDIR/appdata/portainer:/data # Change to local directory if you want to save/transfer config locally + environment: + - TZ=$TZ + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.portainer-rtr.entrypoints=https" + - "traefik.http.routers.portainer-rtr.rule=Host(`portainer.local.$DOMAINNAME0`)" + ## Middlewares + #- "traefik.http.routers.portainer-rtr.middlewares=chain-authelia@file" + - "traefik.http.routers.portainer-rtr.middlewares=chain-no-auth@file" + ## HTTP Services + - "traefik.http.routers.portainer-rtr.service=portainer-svc" + - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000" + # Authelia (Lite) - Self-Hosted Single Sign-On and Two-Factor Authentication + authelia: + container_name: gl-authelia + # Check this before upgrading: https://github.com/authelia/authelia/blob/master/BREAKING.md + image: authelia/authelia:latest + restart: always + networks: + gl_proxy: + ipv4_address: $AUTHELIA_IP # You can specify a static IP + default: + # ports: + # - "9091:9091" + volumes: + - $DOCKERDIR/appdata/authelia:/config + environment: + - TZ=$TZ + - AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret + - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret +# - AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/run/secrets/authelia_storage_mysql_password + - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/authelia_storage_encryption_key + - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/run/secrets/authelia_ldap_password +# - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/authelia_notifier_smtp_password +# - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/authelia_duo_api_secret_key + secrets: + - authelia_jwt_secret + - authelia_session_secret +# - authelia_storage_mysql_password + - authelia_storage_encryption_key + - authelia_ldap_password +# - authelia_notifier_smtp_password +# - authelia_duo_api_secret_key + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.authelia-rtr.entrypoints=https" + - "traefik.http.routers.authelia-rtr.rule=Host(`auth.local.$DOMAINNAME0`)" + - "traefik.http.routers.authelia-rtr.tls=true" + ## Middlewares + - "traefik.http.routers.authelia-rtr.middlewares=chain-no-auth@file" + #chain-authelia@file" + ## HTTP Services + - "traefik.http.routers.authelia-rtr.service=authelia-svc" + - "traefik.http.services.authelia-svc.loadbalancer.server.port=9091" diff --git a/config/docker/2024/misc/gl.env b/config/docker/2024/misc/gl.env new file mode 100644 index 0000000..e2586fb --- /dev/null +++ b/config/docker/2024/misc/gl.env @@ -0,0 +1,83 @@ +##### SYSTEM + +PUID=1000 +PGID=1000 +TZ=Europe/HelsinkI +USERDIR=/home/gurulandia +DOCKERDIR=/gurulandia/data/docker +SECRETSDIR=/gurulandia/data/docker/secrets +DOCKER_ENDPOINT=tcp://gl-socket-proxy:2375 + +##### SUBNETS + +GL_PROXY_SUBNET=192.168.91.0/24 +GL_SOCKET_PROXY_SUBNET=192.168.92.0/24 + +##### GATEWAYS + +GL_PROXY_GATEWAY=192.168.91.1 +GL_SOCKET_PROXY_GATEWAY=192.168.92.1 + +##### IP ADDRESSES + +HEIMDALL_IP=192.168.91.2 +VSCODE_IP=192.168.91.3 +YOURLS_IP=192.168.91.4 +LIBRESPEED_IP=192.168.91.5 +ADMINER_IP=192.168.91.6 +DOZZLE_IP0=192.168.91.7 +GLANCES_IP0=192.168.91.8 +CLOUDDNS_IP=192.168.91.9 +CERTDUMPER_IP=192.168.91.10 + +AUTHELIA_IP=192.168.91.252 +PORTAINER_IP0=192.168.91.253 +TRAEFIK_IP0=192.168.91.254 + +DOZZLE_IP1=192.168.92.7 +GLANCES_IP1=192.168.92.8 +TRAEFIK_IP1=192.168.92.252 +PORTAINER_IP1=192.168.92.253 +SOCKET_PROXY_IP=192.168.92.254 + +#SERVER_IP= +#PIHOLE_IP= +#LOCAL_NETWORK= + +##### PORTS + +VSCODE_PORT=8443 +LIBRESPEED_PORT=30001 + +##### DOMAIN + +DOMAINNAME0=gurulandia.eu +DOMAINNAME1=local.gurulandia.eu + +CLOUDFLARE_EMAIL=gurulandia@outlook.com +CLOUDFLARE_IP_RANGES=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,172.64.0.0/13,131.0.72.0/22,104.16.0.0/13,104.24.0.0/14 + +##### DUCKDNS + +DUCKDNSDOMAIN0=gurulandia.duckdns.org +DUCKDNS_TOKEN=99636f9f-46d7-4d80-b171-6ae486d1bc7b + +##### Certificate + +CERTRESOLVER=dns-cloudflare +DNS_PROVIDER=cloudflare +RESOLVER0=1.1.1.1:53 +RESOLVER1=1.0.0.1:53 + +##### DATABASE + +DB_HOST=192.168.99.60 +DB_PORT=3306 +MYSQL_ROOT_PASSWORD= + +VSCODE_PASSWORD=glvscode + +EMAIL=gurulandia@outlook.com + +GUAC_MYSQL_USER=guacamole +GUAC_MYSQL_PASSWORD=guacamole