Compare commits
10 Commits
213de5466d
...
04915ea822
| Author | SHA1 | Date | |
|---|---|---|---|
| 04915ea822 | |||
| 0387f346f2 | |||
| 1d5a717465 | |||
| d312a50508 | |||
| 1bf5da7cd1 | |||
| 2f1a9f79b4 | |||
| e191599b80 | |||
| 43e4e1543b | |||
| 52094a036d | |||
| f8c826a07b |
@@ -1,2 +1,88 @@
|
||||
#CROWDSEC_COLLECTIONS="crowdsecurity/linux crowdsecurity/traefik"
|
||||
CROWDSEC_COLLECTIONS="crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/whitelist-good-actors crowdsecurity/iptables crowdsecurity/linux fulljackz/proxmox"
|
||||
TZ=${TZ}
|
||||
#
|
||||
#Register a new agent with LAPI
|
||||
#Without TLS authentication:
|
||||
|
||||
#docker exec -it crowdsec_lapi_container_name cscli machines add agent_user_name --password agent_password
|
||||
#With TLS authentication:
|
||||
|
||||
#Agents are automatically registered and don't need a username or password. The agents' names are derived from the IP address from which they connect.
|
||||
|
||||
#Run an agent connected to LAPI
|
||||
#Add the following environment variables to the docker run command:
|
||||
|
||||
#DISABLE_LOCAL_API=true
|
||||
#AGENT_USERNAME="agent_user_name" - agent_user_name previously registered with LAPI
|
||||
#AGENT_PASSWORD="agent_password" - agent_password previously registered with LAPI
|
||||
#LOCAL_API_URL="http://LAPI_host:LAPI_port"
|
||||
|
||||
#Variable Default Description
|
||||
#CONFIG_FILE /etc/crowdsec/config.yaml Configuration file location
|
||||
#DISABLE_AGENT false Disable the agent, run a LAPI-only container
|
||||
#DISABLE_LOCAL_API false Disable LAPI, run an agent-only container
|
||||
#DISABLE_ONLINE_API false Disable online API registration for signal sharing
|
||||
#TEST_MODE false Don't run the service, only test the configuration: -e TEST_MODE=true
|
||||
#TZ Set the timezone to ensure the logs have a local timestamp.
|
||||
#LOCAL_API_URL http://0.0.0.0:8080 The LAPI URL, you need to change this when DISABLE_LOCAL_API is true:
|
||||
# -e LOCAL_API_URL="http://lapi-address:8080"
|
||||
#PLUGIN_DIR /usr/local/lib/crowdsec/plugins/ Directory for plugins: -e PLUGIN_DIR="<path>"
|
||||
#METRICS_PORT 6060 Port to expose Prometheus metrics
|
||||
#
|
||||
#LAPI (useless with DISABLE_LOCAL_API)
|
||||
# USE_WAL false Enable Write-Ahead Logging with SQLite
|
||||
# CUSTOM_HOSTNAME localhost Name for the local agent (running in the container with LAPI)
|
||||
# CAPI_WHITELISTS_PATH Path for capi_whitelists.yaml
|
||||
#Agent (these don't work with DISABLE_AGENT)
|
||||
# TYPE Labels.type for file in time-machine: -e TYPE="<type>"
|
||||
# DSN Process a single source in time-machine:
|
||||
# -e DSN="file:///var/log/toto.log" or
|
||||
# -e DSN="cloudwatch:///your/group/path:stream_name?profile=dev&backlog=16h" or
|
||||
# -e DSN="journalctl://filters=_SYSTEMD_UNIT=ssh.service"
|
||||
#Bouncers
|
||||
# BOUNCER_KEY_<name> Register a bouncer with the name <name> and a key equal to the value of the environment variable.
|
||||
#Console
|
||||
# ENROLL_KEY Enroll key retrieved from the console to enroll the instance.
|
||||
# ENROLL_INSTANCE_NAME To set an instance name and see it on the console
|
||||
# ENROLL_TAGS Tags of the enrolled instance, for search and filter
|
||||
#Password Auth
|
||||
# AGENT_USERNAME Agent username (to register if is LAPI or to use if it's an agent): -e AGENT_USERNAME="machine_id"
|
||||
# AGENT_PASSWORD Agent password (to register if is LAPI or to use if it's an agent): -e AGENT_PASSWORD="machine_password"
|
||||
#TLS Encryption
|
||||
# USE_TLS false Enable TLS encryption (either as a LAPI or agent)
|
||||
# CACERT_FILE CA certificate bundle (for self-signed certificates)
|
||||
# INSECURE_SKIP_VERIFY Skip LAPI certificate validation
|
||||
# LAPI_CERT_FILE LAPI TLS Certificate path
|
||||
# LAPI_KEY_FILE LAPI TLS Key path
|
||||
#TLS Authentication (these require USE_TLS=true)
|
||||
# CLIENT_CERT_FILE Client TLS Certificate path (enable TLS authentication)
|
||||
# CLIENT_KEY_FILE Client TLS Key path
|
||||
# AGENTS_ALLOWED_OU agent-ou OU values allowed for agents, separated by comma
|
||||
# BOUNCERS_ALLOWED_OU bouncer-ou OU values allowed for bouncers, separated by comma
|
||||
#Hub management
|
||||
# NO_HUB_UPGRADE false Skip hub update / upgrade when the container starts
|
||||
# COLLECTIONS Collections to install, separated by space: -e COLLECTIONS="crowdsecurity/linux crowdsecurity/apache2"
|
||||
# PARSERS Parsers to install, separated by space
|
||||
# SCENARIOS Scenarios to install, separated by space
|
||||
# POSTOVERFLOWS Postoverflows to install, separated by space
|
||||
# CONTEXTS Context files to install, separated by space
|
||||
# APPSEC_CONFIGS Appsec configs files to install, separated by space
|
||||
# APPSEC_RULES Appsec rules files to install, separated by space
|
||||
# DISABLE_COLLECTIONS Collections to remove, separated by space: -e DISABLE_COLLECTIONS="crowdsecurity/linux crowdsecurity/nginx"
|
||||
# DISABLE_PARSERS Parsers to remove, separated by space
|
||||
# DISABLE_SCENARIOS Scenarios to remove, separated by space
|
||||
# DISABLE_POSTOVERFLOWS Postoverflows to remove, separated by space
|
||||
# DISABLE_CONTEXTS Context files to remove, separated by space
|
||||
# DISABLE_APPSEC_CONFIGS Appsec configs files to remove, separated by space
|
||||
# DISABLE_APPSEC_RULES Appsec rules files to remove, separated by space
|
||||
#Log verbosity
|
||||
# LEVEL_FATAL false Force FATAL level for the container log
|
||||
# LEVEL_ERROR false Force ERROR level for the container log
|
||||
# LEVEL_WARN false Force WARN level for the container log
|
||||
# LEVEL_INFO false Force INFO level for the container log
|
||||
# LEVEL_DEBUG false Force DEBUG level for the container log
|
||||
# LEVEL_TRACE false Force TRACE level (VERY verbose) for the container log
|
||||
#Developer options
|
||||
# CI_TESTING false Used during functional tests
|
||||
# DEBUG false Trace the entrypoint
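Review bot: The active line sets `CROWDSEC_COLLECTIONS=...`, but the variable table pasted right below it documents the entrypoint variable as `COLLECTIONS` (`# COLLECTIONS Collections to install, separated by space`); unless the compose service maps it (`COLLECTIONS: ${CROWDSEC_COLLECTIONS}` — the dc-crowdsec hunk in this compare only shows the image line, so this cannot be confirmed here), the entrypoint will ignore the list and install nothing. Either rename the line to `COLLECTIONS=...` or add a comment above it such as `# consumed as COLLECTIONS through the environment: block in dc-crowdsec.yml`. Note also that `fulljackz/proxmox` is a third-party hub collection and `NO_HUB_UPGRADE` defaults to `false`, so its parsers and scenarios are re-fetched on every container start; since hub content runs with the agent's log access, a short comment recording why it was trusted (and a review on upgrade) is worth adding. `TZ=${TZ}` silently expands to empty if the calling environment does not define `TZ`, leaving CrowdSec timestamps in UTC — a comment saying where `TZ` is expected to come from would help the next reader.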
|
||||
@@ -1,6 +1,6 @@
|
||||
services:
|
||||
crowdsec:
|
||||
image: ${CROWDSEC_IMAGE}:${CROWDSEC_VERSION}
|
||||
image: ${CROWDSEC_IMAGE}:${CROWDSEC_TAG}
|
||||
container_name: ${CROWDSEC_CONTAINER_NAME}
|
||||
restart: ${CROWDSEC_RESTART_POLICY}
|
||||
security_opt:
|
||||
|
||||
@@ -12,18 +12,22 @@ services:
|
||||
restart: ${GOTIFY_RESTART_POLICY}
|
||||
security_opt:
|
||||
- no-new-privileges:true
|
||||
ports:
|
||||
- ${GOTIFY_PORT:-8080}:80
|
||||
# environment:
|
||||
# - GOTIFY_DEFAULTUSER_PASS=custom
|
||||
# - GOTIFY_DATABASE_DIALECT=mysql
|
||||
# - GOTIFY_DATABASE_CONNECTION=gotify:ubKrbI1NNn)/ryKT@tcp(mariadb:3306)/gotify?charset=utf8&parseTime=True&loc=Local
|
||||
# - GOTIFY_PLUGINSDIR=data/plugins
|
||||
# ports:
|
||||
# - ${GOTIFY_PORT:-8080}:80
|
||||
env_file:
|
||||
- path: ./gotify.env
|
||||
volumes:
|
||||
- ${DOCKERDIR}/gotify/gotify_data:/app/data
|
||||
- ${DOCKERDIR}/gotify/data:/app/data
|
||||
networks:
|
||||
- proxy
|
||||
# - notification
|
||||
# - database
|
||||
labels:
|
||||
traefik.enable: true
|
||||
## HTTP Routers
|
||||
traefik.http.routers.${GOTIFY_HOST_NAME}-rtr.entrypoints: https
|
||||
traefik.http.routers.${GOTIFY_HOST_NAME}-rtr.rule: Host(`${GOTIFY_HOST_NAME}.$DOMAINNAME1`)
|
||||
## Middlewares
|
||||
#traefik.http.routers.${GOTIFY_HOST_NAME}-rtr.middlewares: chain-authelia@file
|
||||
traefik.http.routers.${GOTIFY_HOST_NAME}-rtr.middlewares: chain-no-auth@file
|
||||
## HTTP Services
|
||||
traefik.http.routers.${GOTIFY_HOST_NAME}-rtr.service: ${GOTIFY_HOST_NAME}-svc
|
||||
traefik.http.services.${GOTIFY_HOST_NAME}-svc.loadbalancer.server.port: 80
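Review bot: The commented `GOTIFY_DATABASE_CONNECTION` line carries what looks like a literal database password (`gotify:ubKrbI1NNn)/ryKT@tcp(mariadb:3306)/...`); commented or not, it is now in git history, so it should be treated as exposed, rotated, and the DSN moved into `gotify.env` (already loaded via `env_file`) or a Docker secret, leaving only a placeholder like `# - GOTIFY_DATABASE_CONNECTION=<set in gotify.env>`. If the uncommented `ports:` block is the new side (it cannot be told apart from the `# ports:` block on this rendering), `${GOTIFY_PORT:-8080}:80` publishes Gotify on every host interface and bypasses the Traefik entrypoint, so the CrowdSec bouncer middleware and TLS configured there do not cover that path; prefer leaving it reachable only on the `proxy` network, or bind it as `- 127.0.0.1:${GOTIFY_PORT:-8080}:80`. The router keeps `chain-no-auth@file` with `chain-authelia@file` commented out, which is acceptable only if Gotify's own login is the intended control; a one-line comment stating that would save the next reader the question.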
|
||||
@@ -3,13 +3,21 @@ services:
|
||||
image: ${MAILRISE_IMAGE}:${MAILRISE_TAG}
|
||||
container_name: ${MAILRISE_CONTAINER_NAME}
|
||||
restart: ${MAILRISE_RESTART_POLICY}
|
||||
command: -vv /etc/mailrise.conf
|
||||
security_opt:
|
||||
- no-new-privileges:true
|
||||
ports:
|
||||
- ${MAILRISE_PORT:-8025}:8025
|
||||
# ports:
|
||||
# - ${MAILRISE_PORT:-8025}:8025
|
||||
volumes:
|
||||
- ${DOCKERDIR}/mailrise/mailrise.conf:/etc/mailrise.conf
|
||||
- ${DOCKERDIR}/mailrise/certs/cert.pem:/etc/ssl/cert.pem
|
||||
- ${DOCKERDIR}/mailrise/certs/key.pem:/etc/ssl/key.pem
|
||||
- ${DOCKERDIR}/mailrise/mailrise.conf:/etc/mailrise.conf:ro
|
||||
networks:
|
||||
- proxy
|
||||
labels:
|
||||
traefik.enable: true
|
||||
traefik.tcp.routers.mailrise.rule: HostSNI(`*`)
|
||||
traefik.tcp.routers.mailrise.tls: true
|
||||
traefik.tcp.routers.mailrise.tls.certresolver: ${CERTRESOLVER}
|
||||
traefik.tcp.routers.mailrise.tls.domains[0].main: mailrise.lab.gurulandia.eu
|
||||
traefik.tcp.routers.mailrise.tls.domains[0].sans: ""
|
||||
traefik.tcp.routers.mailrise.entrypoints: mailsecure,maildefault
|
||||
traefik.docker.network: proxy
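Review bot: `${MAILRISE_PORT:-8025}:8025` publishes the plain SMTP listener on every host interface alongside the TLS-terminated Traefik TCP route, so the `mailsecure`/`maildefault` entrypoints and the certresolver can be bypassed by anyone who can reach the host on 8025; if the direct port is only for LAN clients, bind it explicitly (`- 127.0.0.1:${MAILRISE_PORT:-8025}:8025` or a LAN address) or drop it and rely on the `proxy` network. `command: -vv /etc/mailrise.conf` enables mailrise's most verbose logging, which presumably includes SMTP transactions and notification bodies — fine for bring-up, but it should be reduced to `-v` or removed before the service handles real alerts. The router hard-codes `mailrise.lab.gurulandia.eu` while every other service in this compare derives its host from `${DOMAINNAME1}`; `traefik.tcp.routers.mailrise.tls.domains[0].main: mailrise.${DOMAINNAME1}` keeps it consistent. The `cert.pem`/`key.pem` mounts suggest mailrise also terminates TLS itself, yet Traefik's `tls: true` already does so for this route; confirm which side is meant to hold the certificate so the backend does not end up expecting TLS on a plaintext forward.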
|
||||
@@ -3,7 +3,7 @@ services:
|
||||
# Docker Socket Proxy - Security Enchanced Proxy for Docker Socket
|
||||
socket-proxy:
|
||||
container_name: ${SOCKET_PROXY_CONTAINER_NAME}
|
||||
image: ${SOCKET_PROXY_IMAGE}:${SOCKET_PROXY_VERSION}
|
||||
image: ${SOCKET_PROXY_IMAGE}:${SOCKET_PROXY_TAG}
|
||||
restart: ${SOCKET_PROXY_RESTART_POLICY}
|
||||
networks:
|
||||
socket_proxy:
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
services:
|
||||
bouncer-traefik:
|
||||
image: ${BT_IMAGE}:${BT_VERSION}
|
||||
image: ${BT_IMAGE}:${BT_TAG}
|
||||
container_name: ${BT_CONTAINER_NAME}
|
||||
restart: ${BT_RESTART_POLICY}
|
||||
env_file:
|
||||
|
||||
@@ -14,7 +14,7 @@ services:
|
||||
# touch $DOCKERDIR/traefik2/traefik.log
|
||||
traefik:
|
||||
container_name: ${TRAEFIK_CONTAINER_NAME}
|
||||
image: ${TRAEFIK_IMAGE}:${TRAEFIK_VERSION}
|
||||
image: ${TRAEFIK_IMAGE}:${TRAEFIK_TAG}
|
||||
restart: ${TRAEFIK_RESTART_POLICY}
|
||||
security_opt:
|
||||
- no-new-privileges:true
|
||||
@@ -24,6 +24,8 @@ services:
|
||||
ports:
|
||||
- 80:80
|
||||
- 443:443
|
||||
- 465:465
|
||||
- 587:587
|
||||
#env_file:
|
||||
#- path: ./traefik.env
|
||||
# required: true # default
|
||||
@@ -41,29 +43,31 @@ services:
|
||||
- --entrypoints.http.http.middlewares=middlewares-crowdsec-bouncer@file
|
||||
- --entryPoints.https.address=:443
|
||||
- --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
|
||||
- --entrypoints.mailsecure.address=:465
|
||||
- --entrypoints.maildefault.address=:587
|
||||
# - --entryPoints.traefik.address=:8080
|
||||
#(- --entryPoints.ping.address=:8081)
|
||||
# - --entryPoints.ping.address=:8081
|
||||
- --api=true
|
||||
#(- --api.insecure=true)
|
||||
# - --api.insecure=true)
|
||||
- --api.dashboard=true
|
||||
#(- --ping=true)
|
||||
#(- --pilot.token=$TRAEFIK_PILOT_TOKEN)
|
||||
# - --ping=true)
|
||||
# - --pilot.token=$TRAEFIK_PILOT_TOKEN)
|
||||
- --serversTransport.insecureSkipVerify=true
|
||||
- --log=true
|
||||
- --log.level=DEBUG #INFO # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
|
||||
- --log.level=INFO # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
|
||||
- --log.filePath= /var/log/traefik/traefik.log
|
||||
- --accessLog=true
|
||||
- --accessLog.filePath=/var/log/traefik/access.log
|
||||
- --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
|
||||
#- --accessLog.filters.statusCodes=400-499
|
||||
# - --accessLog.filters.statusCodes=400-499
|
||||
- --providers.docker=true
|
||||
- --providers.docker.endpoint=${DOCKER_ENDPOINT} # Use Docker Socket Proxy instead for improved security
|
||||
# Automatically set Host rule for services
|
||||
#(- --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME0`))
|
||||
# - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME0`)
|
||||
- --providers.docker.exposedByDefault=false
|
||||
#- --providers.redis=true
|
||||
#- --providers.redis.endpoints=redis:6379
|
||||
#- --entrypoints.https.http.middlewares=middlewares-crowdsec-bouncer@file
|
||||
# - --providers.redis=true
|
||||
# - --providers.redis.endpoints=redis:6379
|
||||
# - --entrypoints.https.http.middlewares=middlewares-crowdsec-bouncer@file
|
||||
- --entrypoints.https.http.tls.options=tls-opts@file
|
||||
# Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
|
||||
- --entrypoints.https.http.tls.certresolver=${CERTRESOLVER}
|
||||
@@ -75,22 +79,23 @@ services:
|
||||
- --entrypoints.https.http.tls.domains[2].sans=*.$DOMAINNAME2
|
||||
- --entrypoints.https.http.tls.domains[3].main=$DOMAINNAME3 # Pulls main cert for second domain
|
||||
- --entrypoints.https.http.tls.domains[3].sans=*.$DOMAINNAME3 # Pulls wildcard cert for second domain
|
||||
|
||||
- --providers.docker.network=proxy
|
||||
- --providers.file.directory=/config # Load dynamic configuration from one or more .toml or .yml files in a directory
|
||||
- --providers.file.watch=true # Only works on top level files in the rules folder
|
||||
#- --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
|
||||
# - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
|
||||
- --certificatesResolvers.$CERTRESOLVER.acme.email=${CF_API_EMAIL}
|
||||
- --certificatesResolvers.$CERTRESOLVER.acme.storage=/acme.json
|
||||
- --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.provider=${DNS_PROVIDER}
|
||||
- --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.resolvers=${RESOLVER0} #,$RESOLVER1
|
||||
- --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
|
||||
#healthcheck:
|
||||
# test: ["CMD", "traefik", "healthcheck", "--ping"]
|
||||
# interval: 5s
|
||||
# retries: 3
|
||||
# healthcheck:
|
||||
# test: ["CMD", "traefik", "healthcheck", "--ping"]
|
||||
# interval: 5s
|
||||
# retries: 3
|
||||
volumes:
|
||||
- /etc/localtime:/etc/localtime:ro
|
||||
#- ${DOCKERDIR}/traefik/traefik.yml:/traefik.yml:ro
|
||||
# - ${DOCKERDIR}/traefik/traefik.yml:/traefik.yml:ro
|
||||
- ${DOCKERDIR}/traefik/config:/config:ro # file provider directory
|
||||
- ${DOCKERDIR}/traefik/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
|
||||
- ${DOCKERDIR}/traefik/logs:/var/log/traefik # for crowdsec - make sure to touch file before starting container
|
||||
@@ -99,15 +104,15 @@ services:
|
||||
- cloudflare_api_key
|
||||
- cloudflare_api_token
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.http.routers.traefik.entrypoints=http"
|
||||
- "traefik.http.routers.traefik.rule=Host(`${PROXYNAME}.${DOMAINNAME1}`)"
|
||||
- "traefik.http.middlewares.traefik-auth.basicauth.users=${BASICAUTHUSER}"
|
||||
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
|
||||
- "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
|
||||
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
|
||||
- "traefik.http.routers.traefik-secure.entrypoints=https"
|
||||
- "traefik.http.routers.traefik-secure.rule=Host(`${PROXYNAME}.${DOMAINNAME1}`)"
|
||||
- "traefik.http.routers.traefik-secure.middlewares=chain-no-auth@file"
|
||||
#- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
|
||||
- "traefik.http.routers.traefik-secure.service=api@internal"
|
||||
traefik.enable: true
|
||||
traefik.http.routers.traefik.entrypoints: http
|
||||
traefik.http.routers.traefik.rule: Host(`${PROXYNAME}.${DOMAINNAME1}`)
|
||||
traefik.http.middlewares.traefik-auth.basicauth.users: ${BASICAUTHUSER}
|
||||
traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme: https
|
||||
traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto: https
|
||||
traefik.http.routers.traefik.middlewares: traefik-https-redirect
|
||||
traefik.http.routers.traefik-secure.entrypoints: https
|
||||
traefik.http.routers.traefik-secure.rule: Host(`${PROXYNAME}.${DOMAINNAME1}`)
|
||||
traefik.http.routers.traefik-secure.middlewares: chain-no-auth@file
|
||||
# traefik.http.routers.traefik-secure.middlewares: traefik-auth
|
||||
traefik.http.routers.traefik-secure.service: api@internal
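Review bot: `traefik.http.routers.traefik-secure.middlewares: chain-no-auth@file` places `api@internal` (the dashboard and API) on `${PROXYNAME}.${DOMAINNAME1}` with no authentication of Traefik's own, while the `traefik-auth` basicauth middleware defined a few lines above is referenced only from the commented-out line; the commit converts the labels to map form but preserves that state. Unless `chain-no-auth@file` enforces something despite its name, the dashboard should go back behind `traefik.http.routers.traefik-secure.middlewares: traefik-auth` (or `chain-authelia@file`), and since compose interpolates `.env` values, the `$` characters in the `${BASICAUTHUSER}` htpasswd hash need to be written as `$$` or single-quoted there — worth checking. In the earlier hunk of this file, `--serversTransport.insecureSkipVerify=true` (context) disables certificate validation for every HTTPS backend globally; if only one self-signed backend needs it, a per-service `serversTransport` is the narrower option. The `--log.filePath= /var/log/traefik/traefik.log` line also has a space after `=`, which may make Traefik open a path with a leading space — confirm traefik.log is actually being written, since CrowdSec reads it.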
|
||||
|
||||
@@ -9,15 +9,24 @@ TZ=Europe/HelsinkI
|
||||
DOCKERDIR=/gurulandia/data
|
||||
SECRETSDIR=/gurulandia/docker-shared/secrets
|
||||
|
||||
##### DOMAIN
|
||||
DOMAINNAME0=gurulandia.eu
|
||||
DOMAINNAME1=lab.gurulandia.eu
|
||||
DOMAINNAME2=gurulandia.fi
|
||||
DOMAINNAME3=home.gurulandia.fi
|
||||
|
||||
CERTRESOLVER=dns-cloudflare
|
||||
|
||||
##### ProxyName
|
||||
#PROXYNAME=proxy
|
||||
|
||||
##### Gotify Container
|
||||
GOTIFY_CONTAINER_NAME=gotify-server
|
||||
GOTIFY_IMAGE=gotify/serve
|
||||
GOTIFY_IMAGE=gotify/server
|
||||
GOTIFY_TAG=latest
|
||||
GOTIFY_RESTART_POLICY=unless-stopped
|
||||
GOTIFY_PORT=8080
|
||||
GOTIFY_HOST_NAME=gotify
|
||||
|
||||
##### Apprise Container
|
||||
APPRISE_CONTAINER_NAME=apprise-api
|
||||
|
||||
@@ -14,6 +14,4 @@ include:
|
||||
- ../compose/dc-gotify.yml
|
||||
- ../compose/dc-apprise-api.yml
|
||||
- ../compose/dc-mailrise.yml
|
||||
#- ../compose/dc-traefik-bouncer.yml
|
||||
|
||||
|
||||
@@ -22,13 +22,13 @@ DOMAINNAME3=home.gurulandia.fi
|
||||
##### Traefik Container
|
||||
TRAEFIK_CONTAINER_NAME=traefik
|
||||
TRAEFIK_IMAGE=traefik
|
||||
TRAEFIK_VERSION=latest
|
||||
TRAEFIK_TAG=latest
|
||||
TRAEFIK_RESTART_POLICY=unless-stopped
|
||||
|
||||
##### socket-proxy Container
|
||||
SOCKET_PROXY_CONTAINER_NAME=socket-proxy
|
||||
SOCKET_PROXY_IMAGE=ghcr.io/tecnativa/docker-socket-proxy
|
||||
SOCKET_PROXY_VERSION=latest
|
||||
SOCKET_PROXY_TAG=latest
|
||||
SOCKET_PROXY_RESTART_POLICY=always
|
||||
|
||||
DOCKER_ENDPOINT=tcp://${SOCKET_PROXY_CONTAINER_NAME}:2375
|
||||
@@ -51,12 +51,12 @@ RESOLVER1=1.0.0.1:53
|
||||
##### Crowdsec Container
|
||||
CROWDSEC_CONTAINER_NAME=crowdsec
|
||||
CROWDSEC_IMAGE=crowdsecurity/crowdsec
|
||||
CROWDSEC_VERSION=latest
|
||||
CROWDSEC_TAG=latest
|
||||
CROWDSEC_RESTART_POLICY=unless-stopped
|
||||
|
||||
##### bouncer-traefik Container
|
||||
BT_CONTAINER_NAME=bouncer-traefik
|
||||
BT_IMAGE=docker.io/fbonalair/traefik-crowdsec-bouncer
|
||||
BT_VERSION=latest
|
||||
BT_TAG=latest
|
||||
BT_RESTART_POLICY=unless-stopped
|
||||
GIN_MODE=release
|
||||