rename follder compose to services

This commit is contained in:
2025-02-02 12:14:03 +02:00
parent 24a5f78fed
commit d5ba06fb78
13 changed files with 7 additions and 7 deletions


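--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,17 +0,0 @@
-services:
-apprise-api:
-image: ${APPRISE_IMAGE}:${APPRISE_TAG}
-container_name: ${APPRISE_CONTAINER_NAME}
-restart: ${APPRISE_RESTART_POLICY}
-security_opt:
-- no-new-privileges:true
-environment:
-- PUID=${PUID:-1000}
-- PGID=${PGID:-1000}
-- TZ=${TZ}
-volumes:
-- ${DOCKERDIR}/apprise-api/config:/config
-ports:
-- ${APPRISE_PORT:-8000}:8000
-networks:
-- proxy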


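--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,22 +0,0 @@
-services:
-crowdsec:
-image: ${CROWDSEC_IMAGE}:${CROWDSEC_TAG}
-container_name: ${CROWDSEC_CONTAINER_NAME}
-restart: ${CROWDSEC_RESTART_POLICY}
-security_opt:
-- no-new-privileges:true
-networks:
-- proxy
-environment:
-GID: "${GID:-1000}"
-env_file:
-- path: ./env-files/crowdsec.env
-volumes:
-- /etc/localtime:/etc/localtime:ro
-- ${DOCKERDIR}/crowdsec/acquis.d:/etc/crowdsec/acquis.d
-#- ${DOCKERDIR}/crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
-- ${DOCKERDIR}/crowdsec/db:/var/lib/crowdsec/data/
-- ${DOCKERDIR}/crowdsec/config:/etc/crowdsec/
-- ${DOCKERDIR}/traefik/logs:/var/log/traefik/:ro
-- /var/log/auth.log:/logs/auth.log:ro
-- /var/log/syslog.log:/logs/syslog.log:ro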


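--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,33 +0,0 @@
-#networks:
-# notification:
-# name: notification
-# driver: bridge
-# database:
-# name: database
-# external: true
-services:
-gotify:
-image: ${GOTIFY_IMAGE}:${GOTIFY_TAG}
-container_name: ${GOTIFY_CONTAINER_NAME}
-restart: ${GOTIFY_RESTART_POLICY}
-security_opt:
-- no-new-privileges:true
-# ports:
-# - ${GOTIFY_PORT:-8080}:80
-env_file:
-- path: ./env-files/gotify.env
-volumes:
-- ${DOCKERDIR}/gotify/data:/app/data
-networks:
-- proxy
-labels:
-traefik.enable: true
-## HTTP Routers
-traefik.http.routers.${GOTIFY_HOST_NAME}-rtr.entrypoints: https
-traefik.http.routers.${GOTIFY_HOST_NAME}-rtr.rule: Host(`${GOTIFY_HOST_NAME}.$DOMAINNAME1`)
-## Middlewares
-#traefik.http.routers.${GOTIFY_HOST_NAME}-rtr.middlewares: chain-authelia@file
-traefik.http.routers.${GOTIFY_HOST_NAME}-rtr.middlewares: chain-no-auth@file
-## HTTP Services
-traefik.http.routers.${GOTIFY_HOST_NAME}-rtr.service: ${GOTIFY_HOST_NAME}-svc
-traefik.http.services.${GOTIFY_HOST_NAME}-svc.loadbalancer.server.port: 80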


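--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,23 +0,0 @@
-services:
-mailrise:
-image: ${MAILRISE_IMAGE}:${MAILRISE_TAG}
-container_name: ${MAILRISE_CONTAINER_NAME}
-restart: ${MAILRISE_RESTART_POLICY}
-command: -vv /etc/mailrise.conf
-security_opt:
-- no-new-privileges:true
-# ports:
-# - ${MAILRISE_PORT:-8025}:8025
-volumes:
-- ${DOCKERDIR}/mailrise/mailrise.conf:/etc/mailrise.conf:ro
-networks:
-- proxy
-labels:
-traefik.enable: true
-traefik.tcp.routers.mailrise.rule: HostSNI(`*`)
-traefik.tcp.routers.mailrise.tls: true
-traefik.tcp.routers.mailrise.tls.certresolver: ${CERTRESOLVER}
-traefik.tcp.routers.mailrise.tls.domains[0].main: mailrise.lab.gurulandia.eu
-traefik.tcp.routers.mailrise.tls.domains[0].sans: ""
-traefik.tcp.routers.mailrise.entrypoints: mailsecure,maildefault
-traefik.docker.network: proxy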


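--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,18 +0,0 @@
-########################### SERVICES
-services:
-# Docker Socket Proxy - Security Enchanced Proxy for Docker Socket
-socket-proxy:
-container_name: ${SOCKET_PROXY_CONTAINER_NAME}
-image: ${SOCKET_PROXY_IMAGE}:${SOCKET_PROXY_TAG}
-restart: ${SOCKET_PROXY_RESTART_POLICY}
-networks:
-socket_proxy:
-privileged: true
-ports:
-# - "127.0.0.1:2375:2375" # Port 2375 should only ever get exposed to the internal network. When possible use this line.
-# I use the next line instead, as I want portainer to manage multiple docker endpoints within my home network.
-- "2375:2375"
-volumes:
-- "/var/run/docker.sock:/var/run/docker.sock"
-env_file:
-- path: ./env-files/socket-proxy.env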


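--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,11 +0,0 @@
-services:
-bouncer-traefik:
-image: ${BT_IMAGE}:${BT_TAG}
-container_name: ${BT_CONTAINER_NAME}
-restart: ${BT_RESTART_POLICY}
-env_file:
-- path: ./env-files/traefik-bouncer.env
-networks:
-- proxy
-security_opt:
-- no-new-privileges:true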


@@ -1,118 +0,0 @@
########################### SECRETS
secrets:
cloudflare_email:
file: ${SECRETSDIR}/cloudflare_email
cloudflare_api_key:
file: ${SECRETSDIR}/cloudflare_api_key
cloudflare_api_token:
file: ${SECRETSDIR}/cloudflare_dns_api_token
services:
# Traefik 2 - Reverse Proxy
# Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
# touch $DOCKERDIR/traefik2/acme/acme.json
# chmod 600 $DOCKERDIR/traefik2/acme/acme.json
# touch $DOCKERDIR/traefik2/traefik.log
traefik:
container_name: ${TRAEFIK_CONTAINER_NAME}
image: ${TRAEFIK_IMAGE}:${TRAEFIK_TAG}
restart: ${TRAEFIK_RESTART_POLICY}
security_opt:
- no-new-privileges:true
networks:
proxy:
socket_proxy:
ports:
- 80:80
- 443:443
- 465:465
- 587:587
#env_file:
#- path: ./traefik.env
# required: true # default
#- path: ./override.env
# required: false
environment:
- CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
- CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
- CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_api_token
command: # CLI arguments
- --global.checkNewVersion=true
- --global.sendAnonymousUsage=false #true
- --entryPoints.http.address=:80
- --entrypoints.http.http.redirections.entryPoint.to=https
- --entrypoints.http.http.middlewares=middlewares-crowdsec-bouncer@file
- --entryPoints.https.address=:443
- --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
- --entrypoints.mailsecure.address=:465
- --entrypoints.maildefault.address=:587
# - --entryPoints.traefik.address=:8080
# - --entryPoints.ping.address=:8081
- --api=true
# - --api.insecure=true)
- --api.dashboard=true
# - --ping=true)
# - --pilot.token=$TRAEFIK_PILOT_TOKEN)
- --serversTransport.insecureSkipVerify=true
- --log=true
- --log.level=INFO # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
- --log.filePath= /var/log/traefik/traefik.log
- --accessLog=true
- --accessLog.filePath=/var/log/traefik/access.log
- --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
# - --accessLog.filters.statusCodes=400-499
- --providers.docker=true
- --providers.docker.endpoint=${DOCKER_ENDPOINT} # Use Docker Socket Proxy instead for improved security
# Automatically set Host rule for services
# - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME0`)
- --providers.docker.exposedByDefault=false
# - --providers.redis=true
# - --providers.redis.endpoints=redis:6379
# - --entrypoints.https.http.middlewares=middlewares-crowdsec-bouncer@file
- --entrypoints.https.http.tls.options=tls-opts@file
# Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
- --entrypoints.https.http.tls.certresolver=${CERTRESOLVER}
- --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME0
- --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME0
- --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME1 # Pulls main cert for second domain
- --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME1 # Pulls wildcard cert for second domain
- --entrypoints.https.http.tls.domains[2].main=$DOMAINNAME2
- --entrypoints.https.http.tls.domains[2].sans=*.$DOMAINNAME2
- --entrypoints.https.http.tls.domains[3].main=$DOMAINNAME3 # Pulls main cert for second domain
- --entrypoints.https.http.tls.domains[3].sans=*.$DOMAINNAME3 # Pulls wildcard cert for second domain
- --providers.docker.network=proxy
- --providers.file.directory=/config # Load dynamic configuration from one or more .toml or .yml files in a directory
- --providers.file.watch=true # Only works on top level files in the rules folder
# - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
- --certificatesResolvers.$CERTRESOLVER.acme.email=${CF_API_EMAIL}
- --certificatesResolvers.$CERTRESOLVER.acme.storage=/acme.json
- --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.provider=${DNS_PROVIDER}
- --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.resolvers=${RESOLVER0} #,$RESOLVER1
- --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
# healthcheck:
# test: ["CMD", "traefik", "healthcheck", "--ping"]
# interval: 5s
# retries: 3
volumes:
- /etc/localtime:/etc/localtime:ro
# - ${DOCKERDIR}/traefik/traefik.yml:/traefik.yml:ro
- ${DOCKERDIR}/traefik/config:/config:ro # file provider directory
- ${DOCKERDIR}/traefik/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
- ${DOCKERDIR}/traefik/logs:/var/log/traefik # for crowdsec - make sure to touch file before starting container
secrets:
- cloudflare_email
- cloudflare_api_key
- cloudflare_api_token
labels:
traefik.enable: true
traefik.http.routers.traefik.entrypoints: http
traefik.http.routers.traefik.rule: Host(`${PROXYNAME}.${DOMAINNAME1}`)
traefik.http.middlewares.traefik-auth.basicauth.users: ${BASICAUTHUSER}
traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme: https
traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto: https
traefik.http.routers.traefik.middlewares: traefik-https-redirect
traefik.http.routers.traefik-secure.entrypoints: https
traefik.http.routers.traefik-secure.rule: Host(`${PROXYNAME}.${DOMAINNAME1}`)
traefik.http.routers.traefik-secure.middlewares: chain-no-auth@file
# traefik.http.routers.traefik-secure.middlewares: traefik-auth
traefik.http.routers.traefik-secure.service: api@internal


@@ -1,88 +0,0 @@
#CROWDSEC_COLLECTIONS="crowdsecurity/linux crowdsecurity/traefik"
CROWDSEC_COLLECTIONS="crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/whitelist-good-actors crowdsecurity/iptables crowdsecurity/linux fulljackz/proxmox"
TZ=${TZ}
#
#Register a new agent with LAPI
#Without TLS authentication:
#docker exec -it crowdsec_lapi_container_name cscli machines add agent_user_name --password agent_password
#With TLS authentication:
#Agents are automatically registered and don't need a username or password. The agents' names are derived from the IP address from which they connect.
#Run an agent connected to LAPI
#Add the following environment variables to the docker run command:
#DISABLE_LOCAL_API=true
#AGENT_USERNAME="agent_user_name" - agent_user_name previously registered with LAPI
#AGENT_PASSWORD="agent_password" - agent_password previously registered with LAPI
#LOCAL_API_URL="http://LAPI_host:LAPI_port"
#Variable Default Description
#CONFIG_FILE /etc/crowdsec/config.yaml Configuration file location
#DISABLE_AGENT false Disable the agent, run a LAPI-only container
#DISABLE_LOCAL_API false Disable LAPI, run an agent-only container
#DISABLE_ONLINE_API false Disable online API registration for signal sharing
#TEST_MODE false Don't run the service, only test the configuration: -e TEST_MODE=true
#TZ Set the timezone to ensure the logs have a local timestamp.
#LOCAL_API_URL http://0.0.0.0:8080 The LAPI URL, you need to change this when DISABLE_LOCAL_API is true:
# -e LOCAL_API_URL="http://lapi-address:8080"
#PLUGIN_DIR /usr/local/lib/crowdsec/plugins/ Directory for plugins: -e PLUGIN_DIR="<path>"
#METRICS_PORT 6060 Port to expose Prometheus metrics
#
#LAPI (useless with DISABLE_LOCAL_API)
# USE_WAL false Enable Write-Ahead Logging with SQLite
# CUSTOM_HOSTNAME localhost Name for the local agent (running in the container with LAPI)
# CAPI_WHITELISTS_PATH Path for capi_whitelists.yaml
#Agent (these don't work with DISABLE_AGENT)
# TYPE Labels.type for file in time-machine: -e TYPE="<type>"
# DSN Process a single source in time-machine:
# -e DSN="file:///var/log/toto.log" or
# -e DSN="cloudwatch:///your/group/path:stream_name?profile=dev&backlog=16h" or
# -e DSN="journalctl://filters=_SYSTEMD_UNIT=ssh.service"
#Bouncers
# BOUNCER_KEY_<name> Register a bouncer with the name <name> and a key equal to the value of the environment variable.
#Console
# ENROLL_KEY Enroll key retrieved from the console to enroll the instance.
# ENROLL_INSTANCE_NAME To set an instance name and see it on the console
# ENROLL_TAGS Tags of the enrolled instance, for search and filter
#Password Auth
# AGENT_USERNAME Agent username (to register if is LAPI or to use if it's an agent): -e AGENT_USERNAME="machine_id"
# AGENT_PASSWORD Agent password (to register if is LAPI or to use if it's an agent): -e AGENT_PASSWORD="machine_password"
#TLS Encryption
# USE_TLS false Enable TLS encryption (either as a LAPI or agent)
# CACERT_FILE CA certificate bundle (for self-signed certificates)
# INSECURE_SKIP_VERIFY Skip LAPI certificate validation
# LAPI_CERT_FILE LAPI TLS Certificate path
# LAPI_KEY_FILE LAPI TLS Key path
#TLS Authentication (these require USE_TLS=true)
# CLIENT_CERT_FILE Client TLS Certificate path (enable TLS authentication)
# CLIENT_KEY_FILE Client TLS Key path
# AGENTS_ALLOWED_OU agent-ou OU values allowed for agents, separated by comma
# BOUNCERS_ALLOWED_OU bouncer-ou OU values allowed for bouncers, separated by comma
#Hub management
# NO_HUB_UPGRADE false Skip hub update / upgrade when the container starts
# COLLECTIONS Collections to install, separated by space: -e COLLECTIONS="crowdsecurity/linux crowdsecurity/apache2"
# PARSERS Parsers to install, separated by space
# SCENARIOS Scenarios to install, separated by space
# POSTOVERFLOWS Postoverflows to install, separated by space
# CONTEXTS Context files to install, separated by space
# APPSEC_CONFIGS Appsec configs files to install, separated by space
# APPSEC_RULES Appsec rules files to install, separated by space
# DISABLE_COLLECTIONS Collections to remove, separated by space: -e DISABLE_COLLECTIONS="crowdsecurity/linux crowdsecurity/nginx"
# DISABLE_PARSERS Parsers to remove, separated by space
# DISABLE_SCENARIOS Scenarios to remove, separated by space
# DISABLE_POSTOVERFLOWS Postoverflows to remove, separated by space
# DISABLE_CONTEXTS Context files to remove, separated by space
# DISABLE_APPSEC_CONFIGS Appsec configs files to remove, separated by space
# DISABLE_APPSEC_RULES Appsec rules files to remove, separated by space
#Log verbosity
# LEVEL_FATAL false Force FATAL level for the container log
# LEVEL_ERROR false Force ERROR level for the container log
# LEVEL_WARN false Force WARN level for the container log
# LEVEL_INFO false Force INFO level for the container log
# LEVEL_DEBUG false Force DEBUG level for the container log
# LEVEL_TRACE false Force TRACE level (VERY verbose) for the container log
#Developer options
# CI_TESTING false Used during functional tests
# DEBUG false Trace the entrypoint


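--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,10 +0,0 @@
-DB_HOST=10.0.6.178
-DB_PORT=5432
-DB_USER=gotify
-DB_PWD=gotify
-DB_NAME=gotify
-GOTIFY_DEFAULTUSER_NAME=admin
-GOTIFY_DEFAULTUSER_PASS=admin
-GOTIFY_DATABASE_DIALECT=postgres
-GOTIFY_DATABASE_CONNECTION=host=${DB_HOST} port=${DB_PORT} user=${DB_USER} dbname=${DB_NAME} password=${DB_PWD}
-GOTIFY_PLUGINSDIR=data/plugins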


@@ -1,33 +0,0 @@
#PORT=53000
LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
# 0 to revoke access.
# 1 to grant access.
## Granted by Default
EVENTS=1
PING=1
VERSION=1
#Revoked by Default
# Security critical
AUTH=0
SECRETS=0
POST=1 # Watchtower
# Not always needed
BUILD=0
COMMIT=0
CONFIGS=0
CONTAINERS=1 # Traefik, portainer, etc.
DISTRIBUTION=0
EXEC=1
IMAGES=1 # Portainer
INFO=1 # Portainer
NETWORKS=1 # Portainer
NODES=0
PLUGINS=0
SERVICES=1 # Portainer
SESSION=0
SWARM=0
SYSTEM=0
TASKS=1 # Portaienr
VOLUMES=1 # Portainer


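--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,3 +0,0 @@
-CROWDSEC_BOUNCER_API_KEY: DCorbNfoRexKZR7QGyhdkiBgmvATNMKTZZh2fVpTvSo # docker exec -t crowdsec cscli bouncers add traefik-bouncer
-CROWDSEC_AGENT_HOST: ${CROWDSEC_CONTAINER_NAME}:8080
-GIN_MODE: release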