Remove unnecessary rows

docker/compose/crowdsec.env

@@ -1,2 +1,88 @@
 #CROWDSEC_COLLECTIONS="crowdsecurity/linux crowdsecurity/traefik"
 CROWDSEC_COLLECTIONS="crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/whitelist-good-actors crowdsecurity/iptables crowdsecurity/linux fulljackz/proxmox"
+TZ=${TZ}
+#
+#Register a new agent with LAPI
+#Without TLS authentication:
+
+#docker exec -it crowdsec_lapi_container_name cscli machines add agent_user_name --password agent_password
+#With TLS authentication:
+
+#Agents are automatically registered and don't need a username or password. The agents' names are derived from the IP address from which they connect.
+
+#Run an agent connected to LAPI
+#Add the following environment variables to the docker run command:
+
+#DISABLE_LOCAL_API=true
+#AGENT_USERNAME="agent_user_name" - agent_user_name previously registered with LAPI
+#AGENT_PASSWORD="agent_password" - agent_password previously registered with LAPI
+#LOCAL_API_URL="http://LAPI_host:LAPI_port"
+
+#Variable	            Default	                            Description
+#CONFIG_FILE	            /etc/crowdsec/config.yaml	        Configuration file location
+#DISABLE_AGENT	        false	                            Disable the agent, run a LAPI-only container
+#DISABLE_LOCAL_API	    false	                            Disable LAPI, run an agent-only container
+#DISABLE_ONLINE_API	    false	                            Disable online API registration for signal sharing
+#TEST_MODE	            false	                            Don't run the service, only test the configuration: -e TEST_MODE=true
+#TZ		                                                    Set the timezone⁠ to ensure the logs have a local timestamp.
+#LOCAL_API_URL	        http://0.0.0.0:8080	                The LAPI URL, you need to change this when DISABLE_LOCAL_API is true: 
+#                                                            -e LOCAL_API_URL="http://lapi-address:8080"
+#PLUGIN_DIR	            /usr/local/lib/crowdsec/plugins/	Directory for plugins: -e PLUGIN_DIR="<path>"
+#METRICS_PORT	        6060	                            Port to expose Prometheus metrics
+#
+#LAPI (useless with DISABLE_LOCAL_API)
+#  USE_WAL	            false	                            Enable Write-Ahead Logging with SQLite
+#  CUSTOM_HOSTNAME	    localhost	                        Name for the local agent (running in the container with LAPI)
+#  CAPI_WHITELISTS_PATH		                                Path for capi_whitelists.yaml
+#Agent		(these don't work with DISABLE_AGENT)
+#  TYPE		                                                Labels.type⁠ for file in time-machine: -e TYPE="<type>"
+#  DSN		                                                Process a single source in time-machine: 
+#                                                            -e DSN="file:///var/log/toto.log" or 
+#                                                            -e DSN="cloudwatch:///your/group/path:stream_name?profile=dev&backlog=16h" or
+#                                                            -e DSN="journalctl://filters=_SYSTEMD_UNIT=ssh.service"
+#Bouncers		
+#  BOUNCER_KEY_<name>		                                Register a bouncer with the name <name> and a key equal to the value of the environment variable.
+#Console		
+#  ENROLL_KEY		                                        Enroll key retrieved from the console⁠ to enroll the instance.
+#  ENROLL_INSTANCE_NAME		                                To set an instance name and see it on the console⁠
+#  ENROLL_TAGS		                                        Tags of the enrolled instance, for search and filter
+#Password Auth		
+#  AGENT_USERNAME		Agent username (to register if is LAPI or to use if it's an agent): -e AGENT_USERNAME="machine_id"
+#  AGENT_PASSWORD		Agent password (to register if is LAPI or to use if it's an agent): -e AGENT_PASSWORD="machine_password"
+#TLS Encryption		
+#  USE_TLS	false	Enable TLS encryption (either as a LAPI or agent)
+#  CACERT_FILE		CA certificate bundle (for self-signed certificates)
+#  INSECURE_SKIP_VERIFY		Skip LAPI certificate validation
+#  LAPI_CERT_FILE		LAPI TLS Certificate path
+#  LAPI_KEY_FILE		LAPI TLS Key path
+#TLS Authentication		(these require USE_TLS=true)
+#  CLIENT_CERT_FILE		Client TLS Certificate path (enable TLS authentication)
+#  CLIENT_KEY_FILE		Client TLS Key path
+#  AGENTS_ALLOWED_OU	agent-ou	OU values allowed for agents, separated by comma
+#  BOUNCERS_ALLOWED_OU	bouncer-ou	OU values allowed for bouncers, separated by comma
+#Hub management		
+# NO_HUB_UPGRADE	false	Skip hub update / upgrade when the container starts
+# COLLECTIONS		Collections to install, separated by space: -e COLLECTIONS="crowdsecurity/linux crowdsecurity/apache2"
+# PARSERS		Parsers to install, separated by space
+# SCENARIOS		Scenarios to install, separated by space
+# POSTOVERFLOWS		Postoverflows to install, separated by space
+# CONTEXTS		Context files to install, separated by space
+# APPSEC_CONFIGS		Appsec configs files to install, separated by space
+# APPSEC_RULES		Appsec rules files to install, separated by space
+# DISABLE_COLLECTIONS		Collections to remove, separated by space: -e DISABLE_COLLECTIONS="crowdsecurity/linux crowdsecurity/nginx"
+# DISABLE_PARSERS		Parsers to remove, separated by space
+# DISABLE_SCENARIOS		Scenarios to remove, separated by space
+# DISABLE_POSTOVERFLOWS		Postoverflows to remove, separated by space
+# DISABLE_CONTEXTS		Context files to remove, separated by space
+# DISABLE_APPSEC_CONFIGS		Appsec configs files to remove, separated by space
+# DISABLE_APPSEC_RULES		Appsec rules files to remove, separated by space
+#Log verbosity		
+# LEVEL_FATAL	false	Force FATAL level for the container log
+# LEVEL_ERROR	false	Force ERROR level for the container log
+# LEVEL_WARN	false	Force WARN level for the container log
+# LEVEL_INFO	false	Force INFO level for the container log
+# LEVEL_DEBUG	false	Force DEBUG level for the container log
+# LEVEL_TRACE	false	Force TRACE level (VERY verbose) for the container log
+#Developer options		
+# CI_TESTING	false	Used during functional tests
+# DEBUG	false	Trace the entrypoint

docker/compose/dc-crowdsec.yml

@@ -1,6 +1,6 @@
 services:
   crowdsec:
-    image: ${CROWDSEC_IMAGE}:${CROWDSEC_VERSION}
+    image: ${CROWDSEC_IMAGE}:${CROWDSEC_TAG}
     container_name: ${CROWDSEC_CONTAINER_NAME}
     restart: ${CROWDSEC_RESTART_POLICY}
     security_opt:

docker/compose/dc-gotify.yml

@@ -12,18 +12,22 @@ services:
     restart: ${GOTIFY_RESTART_POLICY}
     security_opt:
     - no-new-privileges:true
-    ports:
+#    ports:
-      - ${GOTIFY_PORT:-8080}:80
+#      - ${GOTIFY_PORT:-8080}:80
-#    environment:
-#      - GOTIFY_DEFAULTUSER_PASS=custom
-#      - GOTIFY_DATABASE_DIALECT=mysql
-#      - GOTIFY_DATABASE_CONNECTION=gotify:ubKrbI1NNn)/ryKT@tcp(mariadb:3306)/gotify?charset=utf8&parseTime=True&loc=Local
-#      - GOTIFY_PLUGINSDIR=data/plugins
     env_file:
       - path: ./gotify.env
     volumes:
-      - ${DOCKERDIR}/gotify/gotify_data:/app/data
+      - ${DOCKERDIR}/gotify/data:/app/data
     networks:
        - proxy
-#      - notification
+    labels:
-#      - database
+      traefik.enable: true
+      ## HTTP Routers
+      traefik.http.routers.${GOTIFY_HOST_NAME}-rtr.entrypoints: https
+      traefik.http.routers.${GOTIFY_HOST_NAME}-rtr.rule: Host(`${GOTIFY_HOST_NAME}.$DOMAINNAME1`)
+      ## Middlewares
+      #traefik.http.routers.${GOTIFY_HOST_NAME}-rtr.middlewares: chain-authelia@file
+      traefik.http.routers.${GOTIFY_HOST_NAME}-rtr.middlewares: chain-no-auth@file
+      ## HTTP Services
+      traefik.http.routers.${GOTIFY_HOST_NAME}-rtr.service: ${GOTIFY_HOST_NAME}-svc
+      traefik.http.services.${GOTIFY_HOST_NAME}-svc.loadbalancer.server.port: 80

docker/compose/dc-mailrise.yml

@@ -3,13 +3,21 @@ services:
     image: ${MAILRISE_IMAGE}:${MAILRISE_TAG}
     container_name: ${MAILRISE_CONTAINER_NAME}
     restart: ${MAILRISE_RESTART_POLICY}
+    command: -vv /etc/mailrise.conf
     security_opt:
       - no-new-privileges:true
-    ports:
+#    ports:
-      - ${MAILRISE_PORT:-8025}:8025
+#      - ${MAILRISE_PORT:-8025}:8025
     volumes:
-      - ${DOCKERDIR}/mailrise/mailrise.conf:/etc/mailrise.conf
+      - ${DOCKERDIR}/mailrise/mailrise.conf:/etc/mailrise.conf:ro
-      - ${DOCKERDIR}/mailrise/certs/cert.pem:/etc/ssl/cert.pem
-      - ${DOCKERDIR}/mailrise/certs/key.pem:/etc/ssl/key.pem
     networks:
       - proxy
+    labels:
+      traefik.enable: true
+      traefik.tcp.routers.mailrise.rule: HostSNI(`*`)
+      traefik.tcp.routers.mailrise.tls: true
+      traefik.tcp.routers.mailrise.tls.certresolver: ${CERTRESOLVER}
+      traefik.tcp.routers.mailrise.tls.domains[0].main: mailrise.lab.gurulandia.eu
+      traefik.tcp.routers.mailrise.tls.domains[0].sans: ""
+      traefik.tcp.routers.mailrise.entrypoints: mailsecure,maildefault
+      traefik.docker.network: proxy

docker/compose/dc-socket-proxy.yml

@@ -3,7 +3,7 @@ services:
   # Docker Socket Proxy - Security Enchanced Proxy for Docker Socket
   socket-proxy:
     container_name: ${SOCKET_PROXY_CONTAINER_NAME}
-    image: ${SOCKET_PROXY_IMAGE}:${SOCKET_PROXY_VERSION}
+    image: ${SOCKET_PROXY_IMAGE}:${SOCKET_PROXY_TAG}
     restart: ${SOCKET_PROXY_RESTART_POLICY}
     networks:
       socket_proxy:

docker/compose/dc-traefik-bouncer.yml

@@ -1,6 +1,6 @@
 services:
   bouncer-traefik:
-    image: ${BT_IMAGE}:${BT_VERSION}
+    image: ${BT_IMAGE}:${BT_TAG}
     container_name: ${BT_CONTAINER_NAME}
     restart: ${BT_RESTART_POLICY}
     env_file:

docker/compose/dc-traefik.yml

@@ -14,7 +14,7 @@ services:
   # touch $DOCKERDIR/traefik2/traefik.log
   traefik:
     container_name: ${TRAEFIK_CONTAINER_NAME}
-    image: ${TRAEFIK_IMAGE}:${TRAEFIK_VERSION}
+    image: ${TRAEFIK_IMAGE}:${TRAEFIK_TAG}
     restart: ${TRAEFIK_RESTART_POLICY}
     security_opt:
       - no-new-privileges:true
@@ -24,6 +24,8 @@ services:
     ports:
       - 80:80
       - 443:443
+      - 465:465
+      - 587:587
     #env_file:
     #- path: ./traefik.env
     #  required: true # default
@@ -41,16 +43,18 @@ services:
       - --entrypoints.http.http.middlewares=middlewares-crowdsec-bouncer@file
       - --entryPoints.https.address=:443
       - --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
+      - --entrypoints.mailsecure.address=:465
+      - --entrypoints.maildefault.address=:587
 #      - --entryPoints.traefik.address=:8080
-      #(- --entryPoints.ping.address=:8081)
+#      - --entryPoints.ping.address=:8081
       - --api=true
-      #(- --api.insecure=true)
+#      - --api.insecure=true)
       - --api.dashboard=true
-      #(- --ping=true)
+#      - --ping=true)
-      #(- --pilot.token=$TRAEFIK_PILOT_TOKEN)
+#      - --pilot.token=$TRAEFIK_PILOT_TOKEN)
       - --serversTransport.insecureSkipVerify=true
       - --log=true
-      - --log.level=DEBUG #INFO # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
+      - --log.level=INFO # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
       - --log.filePath= /var/log/traefik/traefik.log
       - --accessLog=true
       - --accessLog.filePath=/var/log/traefik/access.log
@@ -59,7 +63,7 @@ services:
       - --providers.docker=true
       - --providers.docker.endpoint=${DOCKER_ENDPOINT} # Use Docker Socket Proxy instead for improved security
       # Automatically set Host rule for services
-      #(- --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME0`))
+#      - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME0`)
       - --providers.docker.exposedByDefault=false
 #      - --providers.redis=true
 #      - --providers.redis.endpoints=redis:6379
@@ -75,6 +79,7 @@ services:
       - --entrypoints.https.http.tls.domains[2].sans=*.$DOMAINNAME2
       - --entrypoints.https.http.tls.domains[3].main=$DOMAINNAME3 # Pulls main cert for second domain
       - --entrypoints.https.http.tls.domains[3].sans=*.$DOMAINNAME3 # Pulls wildcard cert for second domain
+
       - --providers.docker.network=proxy
       - --providers.file.directory=/config # Load dynamic configuration from one or more .toml or .yml files in a directory
       - --providers.file.watch=true # Only works on top level files in the rules folder
@@ -99,15 +104,15 @@ services:
       - cloudflare_api_key
       - cloudflare_api_token
     labels:
-      - "traefik.enable=true"
+      traefik.enable: true
-      - "traefik.http.routers.traefik.entrypoints=http"
+      traefik.http.routers.traefik.entrypoints: http
-      - "traefik.http.routers.traefik.rule=Host(`${PROXYNAME}.${DOMAINNAME1}`)"
+      traefik.http.routers.traefik.rule: Host(`${PROXYNAME}.${DOMAINNAME1}`)
-      - "traefik.http.middlewares.traefik-auth.basicauth.users=${BASICAUTHUSER}"
+      traefik.http.middlewares.traefik-auth.basicauth.users: ${BASICAUTHUSER}
-      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
+      traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme: https
-      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
+      traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto: https
-      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
+      traefik.http.routers.traefik.middlewares: traefik-https-redirect
-      - "traefik.http.routers.traefik-secure.entrypoints=https"
+      traefik.http.routers.traefik-secure.entrypoints: https
-      - "traefik.http.routers.traefik-secure.rule=Host(`${PROXYNAME}.${DOMAINNAME1}`)"
+      traefik.http.routers.traefik-secure.rule: Host(`${PROXYNAME}.${DOMAINNAME1}`)
-      - "traefik.http.routers.traefik-secure.middlewares=chain-no-auth@file"
+      traefik.http.routers.traefik-secure.middlewares: chain-no-auth@file
-      #- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
+#      traefik.http.routers.traefik-secure.middlewares: traefik-auth
-      - "traefik.http.routers.traefik-secure.service=api@internal"
+      traefik.http.routers.traefik-secure.service: api@internal

docker/notification/.env

@@ -9,15 +9,24 @@ TZ=Europe/HelsinkI
 DOCKERDIR=/gurulandia/data
 SECRETSDIR=/gurulandia/docker-shared/secrets
 
+##### DOMAIN
+DOMAINNAME0=gurulandia.eu
+DOMAINNAME1=lab.gurulandia.eu
+DOMAINNAME2=gurulandia.fi
+DOMAINNAME3=home.gurulandia.fi
+
+CERTRESOLVER=dns-cloudflare
+
 ##### ProxyName
 #PROXYNAME=proxy
 
 ##### Gotify Container
 GOTIFY_CONTAINER_NAME=gotify-server
-GOTIFY_IMAGE=gotify/serve
+GOTIFY_IMAGE=gotify/server
 GOTIFY_TAG=latest
 GOTIFY_RESTART_POLICY=unless-stopped
 GOTIFY_PORT=8080
+GOTIFY_HOST_NAME=gotify
 
 ##### Apprise Container
 APPRISE_CONTAINER_NAME=apprise-api

docker/notification/docker-compose.yml

@@ -14,6 +14,4 @@ include:
   - ../compose/dc-gotify.yml
   - ../compose/dc-apprise-api.yml
   - ../compose/dc-mailrise.yml
-  #- ../compose/dc-traefik-bouncer.yml
-
     

docker/proxy/.env

@@ -22,13 +22,13 @@ DOMAINNAME3=home.gurulandia.fi
 ##### Traefik Container
 TRAEFIK_CONTAINER_NAME=traefik
 TRAEFIK_IMAGE=traefik
-TRAEFIK_VERSION=latest
+TRAEFIK_TAG=latest
 TRAEFIK_RESTART_POLICY=unless-stopped
 
 ##### socket-proxy Container
 SOCKET_PROXY_CONTAINER_NAME=socket-proxy
 SOCKET_PROXY_IMAGE=ghcr.io/tecnativa/docker-socket-proxy
-SOCKET_PROXY_VERSION=latest
+SOCKET_PROXY_TAG=latest
 SOCKET_PROXY_RESTART_POLICY=always
 
 DOCKER_ENDPOINT=tcp://${SOCKET_PROXY_CONTAINER_NAME}:2375
@@ -51,12 +51,12 @@ RESOLVER1=1.0.0.1:53
 ##### Crowdsec Container
 CROWDSEC_CONTAINER_NAME=crowdsec
 CROWDSEC_IMAGE=crowdsecurity/crowdsec
-CROWDSEC_VERSION=latest
+CROWDSEC_TAG=latest
 CROWDSEC_RESTART_POLICY=unless-stopped
 
 ##### bouncer-traefik Container
 BT_CONTAINER_NAME=bouncer-traefik
 BT_IMAGE=docker.io/fbonalair/traefik-crowdsec-bouncer
-BT_VERSION=latest
+BT_TAG=latest
 BT_RESTART_POLICY=unless-stopped
 GIN_MODE=release