From cee4e64b46891866743459894afcf7d8f9ff84bc Mon Sep 17 00:00:00 2001
From: Gurulandia
Date: Sun, 1 Mar 2026 13:33:38 +0200
Subject: [PATCH] Jemmaan
---
.../2024/homelab/compose/dc-crowdsec.yml | 23 ++++
.../docker/2024/homelab/compose/dc-minio.yml | 33 ++++++
.../2024/homelab/compose/dc-socket-proxy.yml | 46 ++++++++
.../2024/homelab/compose/dc-traefik.yml | 110 ++++++++++++++++++
4 files changed, 212 insertions(+)
create mode 100644 config/docker/2024/homelab/compose/dc-crowdsec.yml
create mode 100644 config/docker/2024/homelab/compose/dc-minio.yml
create mode 100644 config/docker/2024/homelab/compose/dc-socket-proxy.yml
create mode 100644 config/docker/2024/homelab/compose/dc-traefik.yml
diff --git a/config/docker/2024/homelab/compose/dc-crowdsec.yml b/config/docker/2024/homelab/compose/dc-crowdsec.yml
new file mode 100644
index 0000000..21c4c35
--- /dev/null
+++ b/config/docker/2024/homelab/compose/dc-crowdsec.yml
@@ -0,0 +1,23 @@
+services:
+ crowdsec:
+ image: ${CROWDSEC_IMAGE}:${CROWDSEC_VERSION}
+ container_name: ${CROWDSEC_CONTAINER_NAME}
+ restart: ${CROWDSEC_RESTART_POLICY}
+ security_opt:
+ - no-new-privileges:true
+ networks:
+ - proxy
+ #proxy:
+ # ipv4_address: ${CROWDSEC_IP} # You can specify a static IP
+ environment:
+ GID: "${GID-1000}"
+ COLLECTIONS: ${CROWDSEC_COLLECTIONS}
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ #- ${DOCKERDIR}/crowdsec/acquis.d:/etc/crowdsec/acquis.d
+ #- ${DOCKERDIR}/crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
+ - ${DOCKERDIR}/crowdsec/db:/var/lib/crowdsec/data/
+ - ${DOCKERDIR}/crowdsec/config:/etc/crowdsec/
+ - ${DOCKERDIR}/traefik/logs:/var/log/traefik/:ro
+ - /var/log/auth.log:/logs/auth.log:ro
+ - /var/log/syslog.log:/logs/syslog.log:ro
diff --git a/config/docker/2024/homelab/compose/dc-minio.yml b/config/docker/2024/homelab/compose/dc-minio.yml
new file mode 100644
index 0000000..3c640e3
--- /dev/null
+++ b/config/docker/2024/homelab/compose/dc-minio.yml
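Review bot: The bind mount `/var/log/syslog.log:/logs/syslog.log:ro` at the end of the hunk names a host path that does not exist on a stock Debian/Ubuntu host, where the file is `/var/log/syslog`; when a bind source is missing Docker creates an empty directory at that path, so CrowdSec would start and silently parse nothing from it. Confirm the host path, or change the line to `- /var/log/syslog:/logs/syslog.log:ro`. On hosts that log only to systemd-journald neither file exists and CrowdSec's journalctl datasource is the alternative, which is worth a comment next to the two `/var/log` mounts. The `proxy` network is referenced but not declared in this file, so the file only works inside a project that defines it; a `networks: proxy: external: true` stanza, or a comment naming where it is declared, would make that dependency explicit.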
@@ -0,0 +1,33 @@
+networks:
+ minio:
+ name: minio
+ driver: bridge
+########################### SECRETS
+secrets:
+ root_user:
+ file: $SECRETSDIR/minio/minio_root_user
+ root_password:
+ file: $SECRETSDIR/minio/minio_root_password
+services:
+ minio:
+ container_name: ${CONTAINER_NAME}
+ image: ${IMAGE}:${VERSION}
+ restart: ${RESTART_POLICY}
+ volumes:
+ - /share/Minio:/bitnami/minio/data
+ environment:
+ - MINIO_ROOT_USER_FILE=/run/secrets/root_user
+ - MINIO_ROOT_PASSWORD_FILE=/run/secrets/root_password
+ - PGID=${PGID}
+ - PUID=${PUID}
+ - TZ=${TZ}
+ ports:
+ - ${PORT1}:9000
+ - ${PORT2}:9001
+ networks:
+ minio:
+ security_opt:
+ - no-new-privileges:true
+ secrets:
+ - root_user
+ - root_password
\ No newline at end of file
diff --git a/config/docker/2024/homelab/compose/dc-socket-proxy.yml b/config/docker/2024/homelab/compose/dc-socket-proxy.yml
new file mode 100644
index 0000000..a7cd092
--- /dev/null
+++ b/config/docker/2024/homelab/compose/dc-socket-proxy.yml
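Review bot: The interpolation variables in the `minio` service (`${CONTAINER_NAME}`, `${IMAGE}`, `${VERSION}`, `${RESTART_POLICY}`, `${PORT1}`, `${PORT2}`) carry no service prefix, unlike the sibling files in this commit, which use `CROWDSEC_*`, `SOCKET_PROXY_*` and `TRAEFIK_*`; if these files are combined into one project or share a `.env`, the generic names will collide or silently take another service's value, so `MINIO_CONTAINER_NAME`, `MINIO_IMAGE`, `MINIO_VERSION`, `MINIO_PORT1` and `MINIO_PORT2` would be the consistent choice. The `ports` entries publish the S3 API and the console on every host interface, while the service sits only on its own `minio` bridge and not on `proxy`, so it is reachable around Traefik and the CrowdSec bouncer; `- "127.0.0.1:${PORT1}:9000"` or attaching it to the proxy network and dropping `ports` would close that path. Quoting the two port mappings, as the socket-proxy file does, and adding the missing trailing newline (the hunk ends with `\ No newline at end of file`) would also be worth doing.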
@@ -0,0 +1,46 @@
+########################### SERVICES
+services:
+ # Docker Socket Proxy - Security Enchanced Proxy for Docker Socket
+ socket-proxy:
+ container_name: ${SOCKET_PROXY_CONTAINER_NAME}
+ image: ${SOCKET_PROXY_IMAGE}:${SOCKET_PROXY_VERSION}
+# image: ghcr.io/tecnativa/docker-socket-proxy:latest
+ restart: ${SOCKET_PROXY_RESTART_POLICY}
+ networks:
+ socket_proxy:
+ ipv4_address: ${SOCKET_PROXY_IP}
+ privileged: true
+ ports:
+ # - "127.0.0.1:2375:2375" # Port 2375 should only ever get exposed to the internal network. When possible use this line.
+ # I use the next line instead, as I want portainer to manage multiple docker endpoints within my home network.
+ - "2375:2375"
+ volumes:
+ - "/var/run/docker.sock:/var/run/docker.sock"
+ env_file:
+ - path: ./socket-proxy.env
+ required: true
+ #environment:
+ # - LOG_LEVEL=$LOG_LEVEL
+ # - EVENTS=${EVENTS}
+ # - PING=${PING}
+ # - VERSION=${VERSION}
+ # - AUTH=${AUTH}
+ # - SECRETS=${SECRETS}
+ # - POST=${POST}
+ # - BUILD=${BUILD}
+ # - COMMIT=${COMMIT}
+ # - CONFIGS=${CONFIGS}
+ # - CONTAINERS=${CONTAINERS}
+ # - DISTRIBUTION=${DISTRIBUTION}
+ # - EXEC=${EXEC}
+ # - IMAGES=${IMAGES}
+ # - INFO=${INFO}
+ # - NETWORKS=${NETWORKS}
+ # - NODES=${NODES}
+ # - PLUGINS=${PLUGINS}
+ # - SERVICES=${SERVICES}
+ # - SESSION=${SESSION}
+ # - SWARM=${SWARM}
+ # - SYSTEM=${SYSTEM}
+ # - TASKS=${TASKS}
+ # - VOLUMES=${VOLUMES}
diff --git a/config/docker/2024/homelab/compose/dc-traefik.yml b/config/docker/2024/homelab/compose/dc-traefik.yml
new file mode 100644
index 0000000..70bdb19
--- /dev/null
+++ b/config/docker/2024/homelab/compose/dc-traefik.yml
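Review bot: `privileged: true` on the `socket-proxy` service grants the container every capability and unrestricted device access, which the docker-socket-proxy image does not need — it only talks to the bind-mounted `/var/run/docker.sock` — and it undercuts the isolation the proxy exists to provide; drop the line and add `security_opt:` with `- no-new-privileges:true`, as the crowdsec and traefik files in this commit already do. Publishing `"2375:2375"` on all host interfaces exposes an unauthenticated, if filtered, Docker API to the whole LAN; the commented `"127.0.0.1:2375:2375"` line and its note record the trade-off, but binding to one LAN interface address or a host-firewall rule would limit exposure and deserves a line in that comment. `socket_proxy` is used with `ipv4_address`, yet the network and the `ipam` subnet a static address needs are not declared in this file; note where they are defined. The service comment reads `Enchanced`; `Enhanced` is intended.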
@@ -0,0 +1,110 @@
+########################### SECRETS
+secrets:
+ cloudflare_api_key:
+ file: $SECRETSDIR/cloudflare_api_key
+ cloudflare_dns_api_token:
+ file: ${SECRETSDIR}/cloudflare_dns_api_token
+
+services:
+ # Traefik 2 - Reverse Proxy
+ # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
+ # touch $DOCKERDIR/traefik/acme.json
+ # chmod 600 $DOCKERDIR/traefik/acme.json
+ # touch $DOCKERDIR/traefik/logs/access.log
+ # touch $DOCKERDIR/traefik/logs/traefik.log
+
+ traefik:
+ container_name: ${TRAEFIK_CONTAINER_NAME}
+ image: ${TRAEFIK_IMAGE}:${TRAEFIK_VERSION}
+ restart: ${TRAEFIK_RESTART_POLICY}
+ security_opt:
+ - no-new-privileges:true
+ networks:
+ proxy:
+ ipv4_address: ${TRAEFIK_IP0} # You can specify a static IP
+ socket_proxy:
+ ipv4_address: ${TRAEFIK_IP1}
+ ports:
+ - 80:80
+ - 443:443
+ environment:
+ - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
+ - CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_dns_api_token
+ command: # CLI arguments
+ - --global.checkNewVersion=true
+ - --global.sendAnonymousUsage=false #true
+ - --entryPoints.http.address=:80
+ - --entrypoints.http.http.redirections.entryPoint.to=https
+ - --entrypoints.http.http.middlewares=middlewares-crowdsec-bouncer@file
+ - --entryPoints.https.address=:443
+ - --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS #,$LOCAL_IPS
+# - --entryPoints.traefik.address=:8080
+ #(- --entryPoints.ping.address=:8081)
+ - --api=true
+ #(- --api.insecure=true)
+ - --api.dashboard=true
+ #(- --ping=true)
+ #(- --pilot.token=$TRAEFIK_PILOT_TOKEN)
+ - --serversTransport.insecureSkipVerify=true
+ - --log=true
+ - --log.level=INFO # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
+ - --log.filePath= /var/log/traefik/traefik.log
+ - --accessLog=true
+ - --accessLog.filePath=/var/log/traefik/access.log
+ - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
+ #- --accessLog.filters.statusCodes=400-499
+ - --providers.docker=true
+ - --providers.docker.endpoint=${DOCKER_ENDPOINT} # Use Docker Socket Proxy instead for improved security
+ # Automatically set Host rule for services
+ #(- --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME0`))
+ - --providers.docker.exposedByDefault=false
+ #- --providers.redis=true
+ #- --providers.redis.endpoints=redis:6379
+ #- --entrypoints.https.http.middlewares=middlewares-crowdsec-bouncer@file
+ - --entrypoints.https.http.tls.options=tls-opts@file
+ # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
+ - --entrypoints.https.http.tls.certresolver=${CERTRESOLVER}
+ - --entrypoints.https.http.tls.domains[0].main=${DOMAINNAME0}
+ - --entrypoints.https.http.tls.domains[0].sans=*.${DOMAINNAME0}
+ - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME1 # Pulls main cert for second domain
+ - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME1 # Pulls wildcard cert for second domain
+ - --entrypoints.https.http.tls.domains[2].main=$DOMAINNAME2
+ - --entrypoints.https.http.tls.domains[2].sans=*.$DOMAINNAME2
+ - --entrypoints.https.http.tls.domains[3].main=$DOMAINNAME3 # Pulls main cert for second domain
+ - --entrypoints.https.http.tls.domains[3].sans=*.$DOMAINNAME3 # Pulls wildcard cert for second domain
+ - --providers.docker.network=proxy
+ - --providers.file.directory=/config # Load dynamic configuration from one or more .toml or .yml files in a directory
+ #(- --providers.file.filename=/path/to/file # Load dynamic configuration from a file)
+ - --providers.file.watch=true # Only works on top level files in the rules folder
+ - --certificatesresolvers.$CERTRESOLVER.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
+ - --certificatesresolvers.$CERTRESOLVER.acme.email=${CF_API_EMAIL}
+ - --certificatesresolvers.$CERTRESOLVER.acme.storage=/acme.json
+ - --certificatesresolvers.$CERTRESOLVER.acme.dnsChallenge.provider=${DNS_PROVIDER}
+ - --certificatesresolvers.$CERTRESOLVER.acme.dnsChallenge.resolvers=${RESOLVER1}
+ - --certificatesresolvers.$CERTRESOLVER.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
+ #healthcheck:
+ # test: ["CMD", "traefik", "healthcheck", "--ping"]
+ # interval: 5s
+ # retries: 3
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ #- ${DOCKERDIR}/traefik/traefik.yml:/traefik.yml:ro
+ - ${DOCKERDIR}/traefik/config:/config:ro # file provider directory
+ - ${DOCKERDIR}/traefik/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
+ - ${DOCKERDIR}/traefik/logs:/var/log/traefik # for crowdsec - make sure to touch file before starting container
+ secrets:
+ - cloudflare_api_key
+ - cloudflare_dns_api_token
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.traefik.entrypoints=http"
+ - "traefik.http.routers.traefik.rule=Host(`test-proxy.${DOMAINNAME1}`)"
+ - "traefik.http.middlewares.traefik-auth.basicauth.users=${BASICAUTHUSER}"
+ - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
+ - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
+ - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
+ - "traefik.http.routers.traefik-secure.entrypoints=https"
+ - "traefik.http.routers.traefik-secure.rule=Host(`test-proxy.${DOMAINNAME1}`)"
+ - "traefik.http.routers.traefik-secure.middlewares=chain-no-auth@file"
+ #- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
+ - "traefik.http.routers.traefik-secure.service=api@internal"
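Review bot: The CrowdSec bouncer is attached only to the `http` entrypoint (`--entrypoints.http.http.middlewares=middlewares-crowdsec-bouncer@file`), and that entrypoint does nothing but redirect to `https`, while the matching `https` line a few entries later is left commented out, so real traffic is never inspected; enable `- --entrypoints.https.http.middlewares=middlewares-crowdsec-bouncer@file` (or attach the middleware on each router). The ACME `caServer` entry points at the Let's Encrypt staging directory and is active even though its own comment says to uncomment it only when testing, so every certificate issued by this resolver will be untrusted by browsers. `--log.filePath= /var/log/traefik/traefik.log` carries a space after `=`; unless Traefik trims flag values, the log path is wrong — `- --log.filePath=/var/log/traefik/traefik.log`. `--serversTransport.insecureSkipVerify=true` disables backend TLS verification for every service; a named serversTransport in the file provider, applied only to the self-signed backends, would limit that. The `traefik-secure` router uses `chain-no-auth@file` with `traefik-auth` commented out, so unless that chain enforces an allow-list, `api@internal` is reachable on `test-proxy.${DOMAINNAME1}` without authentication.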