Add some configs

config/docker/current/crowdsec/acquis.d/sshd.yaml

@@ -0,0 +1,4 @@
+Filenames:
+- /var/log/auth.log
+Labels:
+type: syslog

config/docker/current/crowdsec/acquis.d/traefik.yaml

@@ -0,0 +1,4 @@
+filenames:
+  - /var/log/traefik/*
+labels:
+  type: traefik

config/docker/current/mailrise/mailrise.conf

@@ -0,0 +1,19 @@
+configs:
+  discord:
+    urls:
+      - discord://1197077230531129365/Lg8HssUw5GhNIs4qYGyxp-52VFFtw17fMAlf-OYDSS3bOjJzGMpRsZ_KCZ5sxOHagK7R/
+  gotify:
+    urls:
+      - gotify://gotify.lab.gurulandia.eu/AP8JgsUIUm2M1B1
+
+  gurulandia@outlook.com:
+    urls:
+      - gotify://gotify.lab.gurulandia.eu/AkNhzQxlA9sOsVJ
+tls:
+  mode: off
+
+smtp:
+  auth:
+    basic:
+     gurulandia: gurulandia
+  hostname: mailrise.lab.gurulandia.eu

config/docker/current/traefik/config/mw-authelia.yml

@@ -0,0 +1,9 @@
+http:
+  middlewares:
+    middlewares-authelia:
+      forwardAuth:
+        address: "http://authelia:9091/api/verify?rd=https://auth.local.gurulandia.eu"
+        trustForwardHeader: true
+        authResponseHeaders:
+          - "Remote-User"
+          - "Remote-Groups"

config/docker/current/traefik/config/mw-basic-auth.yml

@@ -0,0 +1,8 @@
+http:
+  middlewares:
+    middlewares-basic-auth:
+      basicAuth:
+        # users:
+        #   - "user:$apsdfs.$EntPC0w3FtswWvC/6fTVJ7IUVtX1"
+        usersFile: "/users" #be sure to mount the volume through docker-compose.yml
+        realm: "Traefik 2 Basic Auth"

config/docker/current/traefik/config/mw-chain-authelia.yml

@@ -0,0 +1,8 @@
+http:
+  middlewares:        
+    chain-authelia:
+      chain:
+        middlewares:
+          - middlewares-rate-limit
+          - middlewares-secure-headers
+          - middlewares-authelia

config/docker/current/traefik/config/mw-chain-basic-auth.yml

@@ -0,0 +1,8 @@
+http:
+  middlewares:
+    chain-basic-auth:
+      chain:
+        middlewares:
+          - middlewares-rate-limit
+          - middlewares-secure-headers
+          - middlewares-basic-auth

config/docker/current/traefik/config/mw-chain-no-auth.yml

@@ -0,0 +1,9 @@
+http:
+  middlewares:
+    chain-no-auth:
+      chain:
+        middlewares:
+          - middlewares-crowdsec-bouncer
+          - middlewares-default-whitelist
+          - middlewares-rate-limit
+          - middlewares-secure-headers

config/docker/current/traefik/config/mw-chain-oauth.yml

@@ -0,0 +1,8 @@
+http:
+  middlewares:
+    chain-oauth:
+      chain:
+        middlewares:
+          - middlewares-rate-limit
+          - middlewares-secure-headers
+          - middlewares-oauth

config/docker/current/traefik/config/mw-crowdsec-bouncer.yml

@@ -0,0 +1,6 @@
+http:
+  middlewares:    
+    middlewares-crowdsec-bouncer:
+      forwardauth:
+        address: http://bouncer-traefik:8080/api/v1/forwardAuth
+        trustForwardHeader: true

config/docker/current/traefik/config/mw-default-whitelist.yml

@@ -0,0 +1,8 @@
+http:
+  middlewares:
+    middlewares-default-whitelist:
+      ipWhiteList:
+        sourceRange:
+        - "10.0.0.0/8"
+        - "192.168.0.0/16"
+        - "172.16.0.0/12"

config/docker/current/traefik/config/mw-rate-limit.yml

@@ -0,0 +1,6 @@
+http:
+  middlewares:
+    middlewares-rate-limit:
+      rateLimit:
+        average: 100
+        burst: 50

config/docker/current/traefik/config/mw-secure-headers.yml

@@ -0,0 +1,31 @@
+http:
+  middlewares:
+    middlewares-secure-headers:
+      headers:
+        accessControlAllowMethods:
+          - GET
+          - OPTIONS
+          - PUT
+        accessControlMaxAge: 100
+        hostsProxyHeaders:
+          - "X-Forwarded-Host"
+        sslRedirect: true
+        stsSeconds: 63072000
+        stsIncludeSubdomains: true
+        stsPreload: true
+        forceSTSHeader: true
+        # frameDeny: true #overwritten by customFrameOptionsValue
+        customFrameOptionsValue: "allow-from https:gurulandia.eu" #CSP takes care of this but may be needed for organizr.
+        contentTypeNosniff: true
+        browserXssFilter: true
+        # sslForceHost: true # add sslHost to all of the services
+        # sslHost: "example.com"
+        referrerPolicy: "same-origin"
+        # Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
+        # the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
+        # contentSecurityPolicy: "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
+        featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
+        customResponseHeaders:
+          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
+          server: ""
+          

config/docker/current/traefik/config/tls-opts.yml

@@ -0,0 +1,19 @@
+tls:
+  options:
+    tls-opts:
+      minVersion: VersionTLS12
+      cipherSuites:
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+        - TLS_AES_128_GCM_SHA256
+        - TLS_AES_256_GCM_SHA384
+        - TLS_CHACHA20_POLY1305_SHA256
+        - TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
+      curvePreferences:
+        - CurveP521
+        - CurveP384
+      sniStrict: true

config/docker/old/traefik/config/app-bookstack.yml

@@ -0,0 +1,15 @@
+http:
+  routers:
+    wiki-rtr: # Bookstack
+      rule: "Host(`wiki.local.gurulandia.eu`)"
+      entryPoints:
+        - "https"
+      middlewares:
+        - chain-no-auth # - chain-authelia
+      tls: {}
+      service: wiki-svc
+  services:
+    wiki-svc:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.5.30:53002"

config/docker/old/traefik/config/app-ha-pihole.yml

@@ -0,0 +1,46 @@
+http:
+  routers:
+    ha-pihole-rtr: # piHole
+      rule: "Host(`ha-pihole.local.gurulandia.eu`) "
+      entryPoints:
+        - https
+      middlewares:
+        - chain-no-auth
+        - pihole-add-admin
+      service: ha-pihole-svc
+      tls: {}
+    ha-pihole-01-rtr: # piHole
+      rule: "Host(`ha-pihole-01.local.gurulandia.eu`) "
+      entryPoints:
+        - https
+      middlewares:
+        - chain-no-auth
+        - pihole-add-admin
+      service: ha-pihole-01-svc
+      tls: {}
+    ha-pihole-02-rtr: # piHole
+      rule: "Host(`ha-pihole-02.local.gurulandia.eu`) "
+      entryPoints:
+        - https
+      middlewares:
+        - chain-no-auth
+        - pihole-add-admin
+      service: ha-pihole-02-svc
+      tls: {}
+  middlewares:
+    pihole-add-admin:
+      addPrefix:
+        prefix: "/admin"
+  services:
+    ha-pihole-svc:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.99.250:80"
+    ha-pihole-01-svc:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.99.245:80"
+    ha-pihole-02-svc:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.99.246:80"

config/docker/old/traefik/config/app-pihole.yml

@@ -0,0 +1,46 @@
+http:
+  routers:
+    pihole-rtr: # piHole
+      rule: "Host(`pihole.local.gurulandia.eu`) "
+      entryPoints:
+        - https
+      middlewares:
+        - chain-authelia
+        - pihole-add-admin
+      service: pihole-svc
+      tls: {}
+    pihole-01-rtr: # piHole
+      rule: "Host(`pihole-01.local.gurulandia.eu`) "
+      entryPoints:
+        - https
+      middlewares:
+        - chain-authelia
+        - pihole-add-admin
+      service: pihole-01-svc
+      tls: {}
+    pihole-02-rtr: # piHole
+      rule: "Host(`pihole-02.local.gurulandia.eu`) "
+      entryPoints:
+        - https
+      middlewares:
+        - chain-authelia
+        - pihole-add-admin
+      service: pihole-02-svc
+      tls: {}
+  middlewares:
+    pihole-add-admin:
+      addPrefix:
+        prefix: "/admin"
+  services:
+    pihole-svc:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.99.250:80"
+    pihole-01-svc:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.99.245:80"
+    pihole-02-svc:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.99.246:80"

config/docker/old/traefik/config/app-sophos-xg.yml

@@ -0,0 +1,15 @@
+http:
+  routers:
+    sophos-rtr: # Sophos XG
+      rule: "Host(`fw.local.gurulandia.eu`)"
+      entryPoints:
+        - "https"
+      middlewares:
+        - chain-no-auth # - chain-authelia
+      tls: {}
+      service: sophos-svc
+  services:
+    sophos-svc:
+      loadBalancer:
+        servers:
+          - url: "https://192.168.99.1:4444"

config/docker/old/traefik/config/app-wac.yml

@@ -0,0 +1,15 @@
+http:
+  routers:
+    wac-rtr: # Sophos XG
+      rule: "Host(`wac.local.gurulandia.eu`)"
+      entryPoints:
+        - "https"
+      middlewares:
+        - chain-no-auth # - chain-authelia
+      tls: {}
+      service: wac-svc
+  services:
+    wac-svc:
+      loadBalancer:
+        servers:
+          - url: "https://192.168.5.50"

config/docker/old/traefik/config/mw-authelia.yml

@@ -0,0 +1,9 @@
+http:
+  middlewares:
+    middlewares-authelia:
+      forwardAuth:
+        address: "http://authelia:9091/api/verify?rd=https://auth.local.gurulandia.eu"
+        trustForwardHeader: true
+        authResponseHeaders:
+          - "Remote-User"
+          - "Remote-Groups"

config/docker/old/traefik/config/mw-basic-auth.yml

@@ -0,0 +1,8 @@
+http:
+  middlewares:
+    middlewares-basic-auth:
+      basicAuth:
+        # users:
+        #   - "user:$apsdfs.$EntPC0w3FtswWvC/6fTVJ7IUVtX1"
+        usersFile: "/users" #be sure to mount the volume through docker-compose.yml
+        realm: "Traefik 2 Basic Auth"

config/docker/old/traefik/config/mw-chain-authelia.yml

@@ -0,0 +1,8 @@
+http:
+  middlewares:        
+    chain-authelia:
+      chain:
+        middlewares:
+          - middlewares-rate-limit
+          - middlewares-secure-headers
+          - middlewares-authelia

config/docker/old/traefik/config/mw-chain-basic-auth.yml

@@ -0,0 +1,8 @@
+http:
+  middlewares:
+    chain-basic-auth:
+      chain:
+        middlewares:
+          - middlewares-rate-limit
+          - middlewares-secure-headers
+          - middlewares-basic-auth

config/docker/old/traefik/config/mw-chain-no-auth.yml

@@ -0,0 +1,9 @@
+http:
+  middlewares:
+    chain-no-auth:
+      chain:
+        middlewares:
+          - middlewares-crowdsec-bouncer
+          - middlewares-default-whitelist
+          - middlewares-rate-limit
+          - middlewares-secure-headers

config/docker/old/traefik/config/mw-chain-oauth.yml

@@ -0,0 +1,8 @@
+http:
+  middlewares:
+    chain-oauth:
+      chain:
+        middlewares:
+          - middlewares-rate-limit
+          - middlewares-secure-headers
+          - middlewares-oauth

config/docker/old/traefik/config/mw-crowdsec-bouncer.yml

@@ -0,0 +1,6 @@
+http:
+  middlewares:    
+    middlewares-crowdsec-bouncer:
+      forwardauth:
+        address: http://bouncer-traefik:8080/api/v1/forwardAuth
+        trustForwardHeader: true

config/docker/old/traefik/config/mw-default-whitelist.yml

@@ -0,0 +1,8 @@
+http:
+  middlewares:
+    middlewares-default-whitelist:
+      ipWhiteList:
+        sourceRange:
+        - "10.0.0.0/8"
+        - "192.168.0.0/16"
+        - "172.16.0.0/12"

config/docker/old/traefik/config/mw-rate-limit.yml

@@ -0,0 +1,6 @@
+http:
+  middlewares:
+    middlewares-rate-limit:
+      rateLimit:
+        average: 100
+        burst: 50

config/docker/old/traefik/config/mw-secure-headers.yml

@@ -0,0 +1,31 @@
+http:
+  middlewares:
+    middlewares-secure-headers:
+      headers:
+        accessControlAllowMethods:
+          - GET
+          - OPTIONS
+          - PUT
+        accessControlMaxAge: 100
+        hostsProxyHeaders:
+          - "X-Forwarded-Host"
+        sslRedirect: true
+        stsSeconds: 63072000
+        stsIncludeSubdomains: true
+        stsPreload: true
+        forceSTSHeader: true
+        # frameDeny: true #overwritten by customFrameOptionsValue
+        customFrameOptionsValue: "allow-from https:gurulandia.eu" #CSP takes care of this but may be needed for organizr.
+        contentTypeNosniff: true
+        browserXssFilter: true
+        # sslForceHost: true # add sslHost to all of the services
+        # sslHost: "example.com"
+        referrerPolicy: "same-origin"
+        # Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
+        # the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
+        # contentSecurityPolicy: "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
+        featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
+        customResponseHeaders:
+          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
+          server: ""
+          

config/docker/old/traefik/config/svc-asustor.yml

@@ -0,0 +1,15 @@
+http:
+  routers:
+    asustor-rtr: # Asustor Nas
+      rule: "Host(`nas-01.local.gurulandia.eu`) "
+      entryPoints:
+        - https
+      middlewares:
+        - chain-authelia 
+      service: asustor-svc
+      tls: {}    
+  services:
+    asustor-svc:
+      loadBalancer:
+        servers:
+          - url: "https://gl-p-nas-01.srv.gurulandia.lan:8001"

config/docker/old/traefik/config/svc-homeassistant.yml

@@ -0,0 +1,16 @@
+http:
+  routers:
+    homeassistant-rtr: # Home Assistant
+      rule: "Host(`homeassistant.local.gurulandia.eu`)"
+      entryPoints:
+        - "https"
+      middlewares:
+        - chain-authelia
+      service: homeassistant-svc
+      tls:  {}
+  services:
+    homeassistant-svc:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.42.242:50000"
+          

config/docker/old/traefik/config/svc-observium.yml

@@ -0,0 +1,16 @@
+http:
+  routers:
+    observium-rtr: # Observium
+      rule: "Host(`observium.local.gurulandia.eu`)"
+      entryPoints:
+        - "https"
+      middlewares:
+        - chain-authelia
+      service: observium-svc
+      tls:  {}
+  services:
+    observium-svc:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.99.81"
+          

config/docker/old/traefik/config/svc-pbs.yml

@@ -0,0 +1,15 @@
+http:
+  routers:
+    pbs-rtr: # Proxmox PBS
+      entryPoints:
+        - "https"
+      rule: "Host(`pbs-01.local.gurulandia.eu`)"
+      middlewares:
+        - chain-authelia
+      tls: {}
+      service: pbs-svc
+  services:
+    pbs-svc:
+      loadBalancer:
+        servers:
+          - url: "https://gl-v-pbs-01.mgmt.gurulandia.lan:8007"

config/docker/old/traefik/config/svc-plex.yml

@@ -0,0 +1,15 @@
+http:
+  routers:
+    plex-rtr: # Asustor Nas
+      rule: "Host(`plex.local.gurulandia.eu`) "
+      entryPoints:
+        - https
+      middlewares:
+        - chain-authelia 
+      service: plex-svc
+      tls: {}    
+  services:
+    plex-svc:
+      loadBalancer:
+        servers:
+          - url: "https://gl-p-nas-01.srv.gurulandia.lan:32400"

config/docker/old/traefik/config/svc-pve.yml

@@ -0,0 +1,27 @@
+http:
+  routers:
+    pve-01-rtr: # Proxmox PVE 1
+      rule: "Host(`pve-01.local.gurulandia.eu`)"
+      entryPoints:
+        - "https"
+      middlewares:
+        - chain-authelia
+      tls: {}
+      service: pve-01-svc      
+    pve-02-rtr: # Proxmox PVE 2
+      rule: "Host(`pve-02.local.gurulandia.eu`)"
+      entryPoints:
+        - "https"
+      middlewares:
+        - chain-authelia
+      tls: {}
+      service: pve-02-svc
+  services:
+    pve-01-svc:
+      loadBalancer:
+        servers:
+          - url: "https://gl-p-pve-01.mgmt.gurulandia.lan:8006"
+    pve-02-svc:
+      loadBalancer:
+        servers:
+          - url: "https://gl-p-pve-02.mgmt.gurulandia.lan:8006"

config/docker/old/traefik/config/svc-routers.yml

@@ -0,0 +1,39 @@
+http:
+  routers:
+    gl-p-ap-01-rtr: # AsusWRT
+      rule: "Host(`ap-01.local.gurulandia.eu`)"
+      entryPoints:
+        - "https"
+      middlewares:
+        - chain-authelia
+      tls: {}
+      service: gl-p-ap-01-svc
+    gl-p-ap-02-rtr: # OpenWRT
+      rule: "Host(`ap-02.local.gurulandia.eu`)"
+      entryPoints:
+        - "https"
+      middlewares:
+        - chain-authelia
+      tls: {}
+      service: gl-p-ap-02-svc
+    gl-p-ap-03-rtr: # OpenWRT
+      rule: "Host(`ap-03.local.gurulandia.eu`)"
+      entryPoints:
+        - "https"
+      middlewares:
+        - chain-authelia
+      tls: {}
+      service: gl-p-ap-03-svc
+  services:
+    gl-p-ap-01-svc:
+      loadBalancer:
+        servers:
+          - url: "http://gl-p-ap-01.wifi.gurulandia.lan"
+    gl-p-ap-02-svc:
+      loadBalancer:
+        servers:
+          - url: "https://gl-p-ap-02.mgmt.gurulandia.lan"
+    gl-p-ap-03-svc:
+      loadBalancer:
+        servers:
+          - url: "https://gl-p-ap-03.mgmt.gurulandia.lan"  

config/docker/old/traefik/config/svc-switchs.yml

@@ -0,0 +1,99 @@
+http:
+  routers:
+    gl-p-sw-01-rtr: 
+      rule: "Host(`sw-01.local.gurulandia.eu`)"
+      entryPoints:
+        - "https"
+      middlewares:
+        - chain-authelia
+      tls: {}
+      service: gl-p-sw-01-svc
+    gl-p-sw-02-rtr: 
+      rule: "Host(`sw-02.local.gurulandia.eu`)"
+      entryPoints:
+        - "https"
+      middlewares:
+        - chain-authelia
+      tls: {}
+      service: gl-p-sw-02-svc
+    gl-p-sw-03-rtr: 
+      rule: "Host(`sw-03.local.gurulandia.eu`)"
+      entryPoints:
+        - "https"
+      middlewares:
+        - chain-authelia
+      tls: {}
+      service: gl-p-sw-03-svc
+    gl-p-sw-04-rtr: 
+      rule: "Host(`sw-04.local.gurulandia.eu`)"
+      entryPoints:
+        - "https"
+      middlewares:
+        - chain-authelia
+      tls: {}
+      service: gl-p-sw-04-svc
+    gl-p-sw-05-rtr: 
+      rule: "Host(`sw-05.local.gurulandia.eu`)"
+      entryPoints:
+        - "https"
+      middlewares:
+        - chain-authelia
+      tls: {}
+      service: gl-p-sw-05-svc
+    gl-p-sw-06-rtr: 
+      rule: "Host(`sw-06.local.gurulandia.eu`)"
+      entryPoints:
+        - "https"
+      middlewares:
+        - chain-authelia
+      tls: {}
+      service: gl-p-sw-06-svc
+    gl-p-sw-07-rtr: 
+      rule: "Host(`sw-07.local.gurulandia.eu`)"
+      entryPoints:
+        - "https"
+      middlewares:
+        - chain-authelia
+      tls: {}
+      service: gl-p-sw-07-svc
+    gl-p-sw-08-rtr: 
+      rule: "Host(`sw-08.local.gurulandia.eu`)"
+      entryPoints:
+        - "https"
+      middlewares:
+        - chain-authelia
+      tls: {}
+      service: gl-p-sw-08-svc
+  services:
+    gl-p-sw-01-svc:
+      loadBalancer:
+        servers:
+          - url: "http://gl-p-sw-01.mgmt.gurulandia.lan"
+    gl-p-sw-02-svc:
+      loadBalancer:
+        servers:
+          - url: "http://gl-p-sw-02.mgmt.gurulandia.lan"
+    gl-p-sw-03-svc:
+      loadBalancer:
+        servers:
+          - url: "http://gl-p-sw-03.mgmt.gurulandia.lan"
+    gl-p-sw-04-svc:
+      loadBalancer:
+        servers:
+          - url: "http://gl-p-sw-04.mgmt.gurulandia.lan"
+    gl-p-sw-05-svc:
+      loadBalancer:
+        servers:
+          - url: "http://gl-p-sw-05.mgmt.gurulandia.lan"
+    gl-p-sw-06-svc:
+      loadBalancer:
+        servers:
+          - url: "http://gl-p-sw-06.mgmt.gurulandia.lan"
+    gl-p-sw-07-svc:
+      loadBalancer:
+        servers:
+          - url: "http://gl-p-sw-07.mgmt.gurulandia.lan"
+    gl-p-sw-08-svc:
+      loadBalancer:
+        servers:
+          - url: "http://gl-p-sw-08.mgmt.gurulandia.lan"

config/docker/old/traefik/config/svc-tasmoadmin.yml

@@ -0,0 +1,16 @@
+http:
+  routers:
+    tasmoadmin-rtr: # Tasmo Admin
+      rule: "Host(`tasmoadmin.local.gurulandia.eu`)"
+      entryPoints:
+        - "https"
+      middlewares:
+        - chain-no-auth #authelia
+      service: tasmoadmin-svc
+      tls:  {}
+  services:
+    tasmoadmin-svc:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.42.242:9541"
+          

config/docker/old/traefik/config/svc-truenas.yml

@@ -0,0 +1,16 @@
+http:
+  routers:
+    truenas-rtr: # TrueNAS Core
+      rule: "Host(`nas-02.local.gurulandia.eu`)"
+      entryPoints:
+        - "https"
+      middlewares:
+        - chain-authelia
+      service: truenas-svc
+      tls:  {}
+  services:
+    truenas-svc:
+      loadBalancer:
+        servers:
+          - url: "https://gl-p-nas-02.mgmt.gurulandia.lan"
+          

config/docker/old/traefik/config/tls-opts.yml

@@ -0,0 +1,19 @@
+tls:
+  options:
+    tls-opts:
+      minVersion: VersionTLS12
+      cipherSuites:
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+        - TLS_AES_128_GCM_SHA256
+        - TLS_AES_256_GCM_SHA384
+        - TLS_CHACHA20_POLY1305_SHA256
+        - TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
+      curvePreferences:
+        - CurveP521
+        - CurveP384
+      sniStrict: true

config/docker/old/traefik/traefik.yml

@@ -0,0 +1,209 @@
+################################################################
+# Global configuration
+################################################################
+global:
+  checkNewVersion: true
+  sendAnonymousUsage: false
+
+################################################################
+# EntryPoints configuration
+################################################################
+
+# EntryPoints definition
+#
+# Optional
+#
+entryPoints:
+  http:
+    address: :80
+    http:
+      redirections:
+        entryPoint:
+          to: https
+          scheme: https
+  https:
+    address: :443
+    http:
+      tls:
+        options: tls-opts@file
+        certResolver: cloudflarels
+        domains: 
+        - main: gurulandia.eu
+          sans: 
+            - '*.gurulandia.eu'
+        - main: local.gurulandia.eu
+          sans: 
+            - '*.local.gurulandia.eu'
+        - main: gurulandia.fi
+          sans: 
+            - '*.gurulandia.fi'
+        - main: local.gurulandia.fi
+          sans: 
+            - '*.local.gurulandia.fi'
+    forwardedHeaders:
+      trustedIPs: &trustedIps
+        - "127.0.0.1/32"
+        - "10.0.0.0/8"
+        - "192.168.0.0/16"
+        - "172.16.0.0/12"
+        - "173.245.48.0/20"
+        - "103.21.244.0/22"
+        - "103.22.200.0/22"
+        - "103.31.4.0/22"
+        - "141.101.64.0/18"
+        - "108.162.192.0/18"
+        - "190.93.240.0/20"
+        - "188.114.96.0/20"
+        - "197.234.240.0/22"
+        - "198.41.128.0/17"
+        - "162.158.0.0/15"
+        - "172.64.0.0/13"
+        - "131.0.72.0/22"
+        - "104.16.0.0/13"
+        - "104.24.0.0/14"
+
+serversTransport:
+  insecureSkipVerify: true
+################################################################
+# Traefik logs configuration
+################################################################
+
+# Traefik logs
+# Enabled by default and log to stdout
+#
+# Optional
+#
+log:
+  # Log level
+  #
+  # Optional
+  # Default: "ERROR"
+  #
+  level: INFO
+
+  # Sets the filepath for the traefik log. If not specified, stdout will be used.
+  # Intermediate directories are created if necessary.
+  #
+  # Optional
+  # Default: os.Stdout
+  #
+  filePath: "/var/log/traefik/traefik.log"
+
+  # Format is either "json" or "common".
+  #
+  # Optional
+  # Default: "common"
+  #
+#  format: json
+
+################################################################
+# Access logs configuration
+################################################################
+# Enable access logs
+# By default it will write to stdout and produce logs in the textual
+# Common Log Format (CLF), extended with additional fields.
+#
+# Optional
+#
+accessLog:
+  # Sets the file path for the access log. If not specified, stdout will be used.
+  # Intermediate directories are created if necessary.
+  #
+  # Optional
+  # Default: os.Stdout
+  #
+  filePath: "/var/log/traefik/access.log"
+
+  # Format is either "json" or "common".
+  #
+  # Optional
+  # Default: "common"
+  #
+#  format: json
+
+################################################################
+# API and dashboard configuration
+################################################################
+
+# Enable API and dashboard
+#
+# Optional
+#
+api:
+  # Enable the API in insecure mode
+  #
+  # Optional
+  # Default: false
+  #
+  #insecure: true
+
+  # Enabled Dashboard
+  #
+  # Optional
+  # Default: true
+  #
+  dashboard: true
+
+################################################################
+# Ping configuration
+################################################################
+
+# Enable ping
+#ping:
+  # Name of the related entry point
+  #
+  # Optional
+  # Default: "traefik"
+  #
+#  entryPoint: traefik
+
+################################################################
+# Providers configuration
+################################################################
+
+providers:
+  # Enable Docker configuration backend
+  docker:
+    # Docker server endpoint. Can be a tcp or a unix socket endpoint.
+    #
+    # Required
+    # Default: "unix:///var/run/docker.sock"
+    #
+    endpoint: tcp://socket-proxy:2375 
+    network: proxy
+    # Default host rule.
+    #
+    # Optional
+    # Default: "Host(`{{ normalize .Name }}`)"
+    #
+#    defaultRule: Host(`{{ normalize .Name }}.docker.localhost`)
+
+    # Expose containers by default in traefik
+    #
+    # Optional
+    # Default: true
+    #
+    exposedByDefault: false
+
+  # Enable File configuration backend
+  file:
+    directory: /config
+    watch: true
+  # Enable Redis configuration backend
+  #redis:
+    #endpoints:
+     # - "redis:6379"
+################################################################
+# Certificate Resolvers
+################################################################
+certificatesResolvers:
+  cloudflare:
+    acme:
+      email: ${CF_API_EMAIL}
+      storage: acme.json
+      dnsChallenge:
+        provider: cloudflare
+        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
+        resolvers:
+          - "1.1.1.1:53"
+          - "1.0.0.1:53"

config/docker/old/traefik/traefik.yml.old

@@ -0,0 +1,204 @@
+################################################################
+#
+# Configuration sample for Traefik v2.
+#
+# For Traefik v1: https://github.com/traefik/traefik/blob/v1.7/traefik.sample.toml
+#
+################################################################
+
+################################################################
+# Global configuration
+################################################################
+global:
+  checkNewVersion: true
+  sendAnonymousUsage: false
+
+################################################################
+# EntryPoints configuration
+################################################################
+
+# EntryPoints definition
+#
+# Optional
+#
+entryPoints:
+  http:
+    address: :80
+#    http:
+#      redirections:
+#        entryPoint:
+#          to: https
+#          scheme: https
+  https:
+    address: :443
+#    http:
+      #tls:
+        #options: tls-opts@file
+        #certResolver: cloudflare
+        #domains:
+          #- main: gurulandia.eu
+          #- sans: *.gurulandia.eu
+          #- main: local.gurulandia.eu
+          #- sans: *.local.gurulandia.eu
+          #- main: gurulandia.fi
+          #  sans: 
+          #    - *.gurulandia.fi
+    #forwardedHeaders:
+    #  trustedIPs:
+    #    - "173.245.48.0/20"
+    #    - "103.21.244.0/22"
+    #    - "103.22.200.0/22"
+    #    - "103.31.4.0/22"
+    #    - "141.101.64.0/18"
+    #    - "108.162.192.0/18"
+    #    - "190.93.240.0/20"
+    #    - "188.114.96.0/20"
+    #    - "197.234.240.0/22"
+    #    - "198.41.128.0/17"
+    #    - "162.158.0.0/15"
+    #    - "172.64.0.0/13"
+    #    - "131.0.72.0/22"
+    #    - "104.16.0.0/13"
+    #    - "104.24.0.0/14"
+
+serversTransport:
+  insecureSkipVerify: true
+################################################################
+# Traefik logs configuration
+################################################################
+
+# Traefik logs
+# Enabled by default and log to stdout
+#
+# Optional
+#
+log:
+  # Log level
+  #
+  # Optional
+  # Default: "ERROR"
+  #
+  level: INFO
+
+  # Sets the filepath for the traefik log. If not specified, stdout will be used.
+  # Intermediate directories are created if necessary.
+  #
+  # Optional
+  # Default: os.Stdout
+  #
+  filePath: "/var/log/traefik/traefik.log"
+
+  # Format is either "json" or "common".
+  #
+  # Optional
+  # Default: "common"
+  #
+#  format: json
+
+################################################################
+# Access logs configuration
+################################################################
+# Enable access logs
+# By default it will write to stdout and produce logs in the textual
+# Common Log Format (CLF), extended with additional fields.
+#
+# Optional
+#
+accessLog:
+  # Sets the file path for the access log. If not specified, stdout will be used.
+  # Intermediate directories are created if necessary.
+  #
+  # Optional
+  # Default: os.Stdout
+  #
+  filePath: "/var/log/traefik/access.log"
+
+  # Format is either "json" or "common".
+  #
+  # Optional
+  # Default: "common"
+  #
+#  format: json
+
+################################################################
+# API and dashboard configuration
+################################################################
+
+# Enable API and dashboard
+#
+# Optional
+#
+api:
+  # Enable the API in insecure mode
+  #
+  # Optional
+  # Default: false
+  #
+  insecure: true
+
+  # Enabled Dashboard
+  #
+  # Optional
+  # Default: true
+  #
+  #dashboard: true
+
+################################################################
+# Ping configuration
+################################################################
+
+# Enable ping
+#ping:
+  # Name of the related entry point
+  #
+  # Optional
+  # Default: "traefik"
+  #
+#  entryPoint: traefik
+
+providers:
+  # Enable Docker configuration backend
+  docker:
+    # Docker server endpoint. Can be a tcp or a unix socket endpoint.
+    #
+    # Required
+    # Default: "unix:///var/run/docker.sock"
+    #
+    endpoint: tcp://socket-proxy:2375
+
+    # Default host rule.
+    #
+    # Optional
+    # Default: "Host(`{{ normalize .Name }}`)"
+    #
+#    defaultRule: Host(`{{ normalize .Name }}.docker.localhost`)
+
+    # Expose containers by default in traefik
+    #
+    # Optional
+    # Default: true
+    #
+    exposedByDefault: false
+
+  # Enable File configuration backend
+  file:
+    directory: /config
+    watch: true
+  # Enable Redis configuration backend
+  #redis:
+    #endpoints:
+     # - "redis:6379"
+################################################################
+# Certificate Resolvers
+################################################################
+certificatesResolvers:
+  cloudflare:
+    acme:
+      email: gurulandia@outlook.com
+      storage: acme.json
+      dnsChallenge:
+        provider: cloudflare
+        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
+        resolvers:
+          - "1.1.1.1:53"
+          - "1.0.0.1:53"

config/docker/old/traefik/traefik.yml.test

@@ -0,0 +1,47 @@
+api:
+  dashboard: true
+  debug: true
+
+entryPoints:
+  http:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: "https"
+          scheme: "https"
+  https:
+    address: ":443"
+    http:
+      middlewares:
+        - "crowdsec-bouncer@file"
+  openvpn:
+    address: ":1194/udp"
+
+  k3s:
+    address: ":6443"
+serversTransport:
+  insecureSkipVerify: true
+providers:
+  docker:
+    endpoint: tcp://socket-proxy:2375
+    exposedByDefault: false
+  file:
+    directory: /config
+    watch: true
+certificatesResolvers:
+  cloudflare:
+    acme:
+      email: ${CLOUDFLARE_EMAIL}
+      storage: acme.json
+      dnsChallenge:
+        provider: cloudflare
+        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
+        resolvers:
+          - "1.1.1.1:53"
+          - "1.0.0.1:53"
+log:
+  level: INFO
+  filePath: "/var/log/traefik/traefik.log"
+accessLog:
+  filePath: "/var/log/traefik/access.log"

config/docker/old/traefik/users

@@ -0,0 +1 @@
+gurulandia:{SHA}pZz64lzpzvjBTCNPWBokXW/7qD0=