de98a0d48d Talteen 2025-03-05 10:47:20 +02:00
bdf14f68e9 Add Homarr 2025-03-05 10:29:42 +02:00
6e9e27110d Traefik config 2025-03-05 10:00:59 +02:00
9d0dd4bdcf add tag to ferretdb image 2025-03-05 09:37:36 +02:00
861007b3a2 docker-compose,yml -> compose.yml 2025-03-05 09:37:09 +02:00
89278bfecf Modified 2025-03-05 09:36:40 +02:00
352ddeb5fd Modify 2025-03-04 21:00:45 +02:00
030c5d2025 Initial commit 2025-03-04 20:59:29 +02:00
09db1a8d08 Initial commit 2025-03-04 20:58:17 +02:00
ef2e780434 Add Technitum DNS 2025-03-04 20:50:41 +02:00
947ab4f86e Fix rule 2025-02-16 10:28:06 +02:00
9245d8eacd Added parameters 2025-02-16 10:20:57 +02:00
212a3a1620 Clean files 2025-02-16 10:18:25 +02:00
a5612d74c3 Initial komodo commit 2025-02-16 09:44:34 +02:00
71033032a4 Initial commit 2025-02-16 09:44:10 +02:00
2dcef3a1f9 Komodo initial commit 2025-02-16 09:43:02 +02:00
216371ea59 Initial commit 2025-02-09 20:47:02 +02:00
d291fa594b Correct env files name 2025-02-09 19:24:11 +02:00
a05c48c672 change filename 2025-02-09 19:23:46 +02:00
b2dde87abe moved to own file 2025-02-09 19:21:49 +02:00
394ce1cbd4 edited 2025-02-09 19:21:02 +02:00
60d7915697 dcc.sh > deploy.sh 2025-02-09 19:19:48 +02:00
7f527a0522 file renamed 2025-02-09 19:18:54 +02:00
b8374792f7 remove unnessesary network 2025-02-09 12:35:27 +02:00
5721a522e0 dcc.sh -> deploy.sh 2025-02-09 12:34:07 +02:00
c8f735d744 edited 2025-02-09 12:24:01 +02:00
8ae69e9064 remove project name 2025-02-09 12:05:58 +02:00
3498a980e2 add name 2025-02-09 12:05:31 +02:00
12c19660ce remove name: 2025-02-09 12:04:47 +02:00
87c88a8896 added project name 2025-02-09 12:02:55 +02:00
bc071e578b dcc.sh -> deploy.sh 2025-02-09 12:02:15 +02:00
fc1a7eb541 rename env file 2025-02-09 12:01:43 +02:00
970343ca09 dcc.sh -> deploy.sh 2025-02-09 12:01:09 +02:00
5c6f308acb fix compose file paths 2025-02-09 11:53:50 +02:00
c7878f2272 dcc.sh -> deploy.sh 2025-02-09 11:51:47 +02:00
e2898362a9 dcc.sh .> deploy.sh 2025-02-09 11:48:05 +02:00
d1c49c2f46 change env file named 2025-02-09 11:47:01 +02:00
b0e18606e9 edited 2025-02-09 11:41:23 +02:00
6534ab161c dcc.sh -> deploy.sh 2025-02-09 11:35:11 +02:00
59818aa530 version to tag 2025-02-09 00:41:24 +02:00
d375b3a7f8 remove unnessary network 2025-02-09 00:38:39 +02:00
0794706f54 edited 2025-02-09 00:33:42 +02:00
93ab81eada change to external network 2025-02-09 00:31:45 +02:00
2ab0862005 edited 2025-02-09 00:31:07 +02:00
fdb989c4ff rename file 2025-02-09 00:29:01 +02:00
8ceb7e1a76 yml to yaml 2025-02-08 19:24:55 +02:00
fd56710785 update volume mount 2025-02-07 11:49:42 +02:00
0c16b80908 flatnotes initial commit 2025-02-07 11:20:29 +02:00
84f89dbab6 fix file tabulators 2025-02-07 11:12:24 +02:00
a8cf3f1bba fix file tabulators 2025-02-07 11:11:26 +02:00
eb12831665 change exntension yml to yaml 2025-02-07 10:27:13 +02:00
d128804d0d updated config 2025-02-07 10:23:08 +02:00
6c33922677 move healthcheck to container compose file 2025-02-07 10:20:56 +02:00
3e5169cba5 Initial commit 2025-02-07 10:19:13 +02:00
c3ee1fdcc9 initial commit 2025-02-07 09:06:19 +02:00
80665236c3 initial commit 2025-02-07 09:05:30 +02:00
b8b020c6ac initial commit 2025-02-07 09:02:53 +02:00
d53940d1d4 db tag change 2025-02-07 08:59:52 +02:00
83aaa54e37 add depend_on section 2025-02-05 20:33:30 +02:00
28a72d8c7a added compose variables 2025-02-05 20:32:58 +02:00
ee4230ac58 Move network to include 2025-02-05 20:32:19 +02:00
ff55ea012d Initial Commit 2025-02-05 20:29:47 +02:00
b765a8100c Initial version 2025-02-03 10:17:18 +02:00
3d1c095b60 enable accecss log filter 2025-02-03 10:16:56 +02:00
8d217a76c5 Add some configs 2025-02-03 10:16:10 +02:00
d5ba06fb78 rename follder compose to services 2025-02-02 12:14:03 +02:00
24a5f78fed move ennvfile to folder env-files 2025-02-02 12:10:22 +02:00
08be33883b move env files to folder env-files 2025-02-02 12:08:59 +02:00
04915ea822 Remove unnecessary rows 2025-02-02 12:04:05 +02:00
0387f346f2 Modify labes 2025-02-02 12:02:09 +02:00
1d5a717465 remove not needed rows for file 2025-02-02 12:01:49 +02:00
d312a50508 Change version to tag 2025-02-02 12:00:01 +02:00
1bf5da7cd1 Fixed Typos 2025-02-02 11:59:35 +02:00
2f1a9f79b4 change version to tag 2025-02-02 10:03:51 +02:00
e191599b80 Add Env Variables info 2025-02-02 10:02:51 +02:00
43e4e1543b Add Domain and certresolver 2025-02-02 09:32:22 +02:00
52094a036d Add entrypoint maildefaukt (567) and mailsecure (465) 2025-02-02 09:31:39 +02:00
f8c826a07b Add Traefik labels 2025-02-02 09:29:01 +02:00
213de5466d Fixed 2025-02-01 17:40:36 +02:00
c46bbbc075 Initial commit 2025-02-01 17:40:16 +02:00
196 changed files with 1180507 additions and 139 deletions


@@ -0,0 +1,4 @@
Filenames:
- /var/log/auth.log
Labels:
type: syslog
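Review bot: The keys `Filenames:` and `Labels:` in this acquisition file are capitalized, while the sibling file at L101-L104 uses `filenames:`/`labels:`; YAML keys are case-sensitive and CrowdSec documents the lowercase spelling, so this datasource is presumably not recognised and `/var/log/auth.log` is never read. Lower-case both keys (`filenames:` / `labels:`) to match the second file, and confirm in `cscli metrics` that the syslog source actually shows up after the change.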


@@ -0,0 +1,4 @@
filenames:
- /var/log/traefik/*
labels:
type: traefik


@@ -0,0 +1,26 @@
configs:
discord:
urls:
- discord://1197077230531129365/Lg8HssUw5GhNIs4qYGyxp-52VFFtw17fMAlf-OYDSS3bOjJzGMpRsZ_KCZ5sxOHagK7R/
gotify:
urls:
- gotify://10.0.6.177:8080/AP8JgsUIUm2M1B1
gurulandia@outlook.com:
urls:
- gotify://gotify.lab.gurulandia.eu/AkNhzQxlA9sOsVJ
- mailto://gurul4nd14:okzwnrketthveaaz@gmail.com
gurul4nd14@gmail.com:
urls:
- gotify://gotify.lab.gurulandia.eu/AkNhzQxlA9sOsVJ
- mailto://gurul4nd14:okzwnrketthveaaz@gmail.com
tls:
mode: off
smtp:
auth:
basic:
gurulandia: gurulandia
hostname: mailrise.lab.gurulandia.eu
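Review bot: This file commits live credentials in plain text — the Discord webhook token in the first `urls` entry, the Gotify application tokens, and a Gmail account password embedded in both `mailto://` URLs — and they are in git history regardless of later edits, so they should be treated as exposed, rotated, and supplied out of band (an untracked env file or a secret mount referenced from the compose file) rather than in the tracked YAML. The SMTP `basic:` entry sets a password identical to the username, which is effectively no authentication for a listener that relays to these channels. Separately, `mode: off` under `tls:` is a YAML 1.1 boolean trap: a PyYAML-based loader reads bare `off` as `false`; if mailrise expects the string value, write `mode: "off"`.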


@@ -0,0 +1,281 @@
;<?php http_response_code(403) ; /*
; config file for PrivateBin
;
; An explanation of each setting can be find online at https://github.com/PrivateBin/PrivateBin/wiki/Configuration.
[main]
; (optional) set a project name to be displayed on the website
; name = "PrivateBin"
; The full URL, with the domain name and directories that point to the
; PrivateBin files, including an ending slash (/). This URL is essential to
; allow Opengraph images to be displayed on social networks.
; basepath = "https://privatebin.example.com/"
; enable or disable the discussion feature, defaults to true
discussion = true
; preselect the discussion feature, defaults to false
opendiscussion = false
; enable or disable the display of dates & times in the comments, defaults to true
; Note that internally the creation time will still get tracked in order to sort
; the comments by creation time, but you can choose not to display them.
; discussiondatedisplay = false
; enable or disable the password feature, defaults to true
password = true
; enable or disable the file upload feature, defaults to false
fileupload = true
; preselect the burn-after-reading feature, defaults to false
burnafterreadingselected = false
; which display mode to preselect by default, defaults to "plaintext"
; make sure the value exists in [formatter_options]
defaultformatter = "plaintext"
; (optional) set a syntax highlighting theme, as found in css/prettify/
; syntaxhighlightingtheme = "sons-of-obsidian"
; size limit per paste or comment in bytes, defaults to 10 Mebibytes
sizelimit = 10485760
; template to include, default is "bootstrap" (tpl/bootstrap.php), also
; available are "page" (tpl/page.php), the classic ZeroBin style and several
; bootstrap variants: "bootstrap-dark", "bootstrap-compact", "bootstrap-page",
; which can be combined with "-dark" and "-compact" for "bootstrap-dark-page"
; and finally "bootstrap-compact-page" - previews at:
; https://privatebin.info/screenshots.html
template = "bootstrap"
; (optional) info text to display
; use single, instead of double quotes for HTML attributes
;info = "More information on the <a href='https://privatebin.info/'>project page</a>."
; (optional) notice to display
; notice = "Note: This is a test service: Data may be deleted anytime. Kittens will die if you abuse this service."
; by default PrivateBin will guess the visitors language based on the browsers
; settings. Optionally you can enable the language selection menu, which uses
; a session cookie to store the choice until the browser is closed.
languageselection = false
; set the language your installs defaults to, defaults to English
; if this is set and language selection is disabled, this will be the only language
; languagedefault = "en"
; (optional) URL shortener address to offer after a new paste is created.
; It is suggested to only use this with self-hosted shorteners as this will leak
; the pastes encryption key.
; urlshortener = "https://shortener.example.com/api?link="
; (optional) Let users create a QR code for sharing the paste URL with one click.
; It works both when a new paste is created and when you view a paste.
; qrcode = true
; (optional) Let users send an email sharing the paste URL with one click.
; It works both when a new paste is created and when you view a paste.
; email = true
; (optional) IP based icons are a weak mechanism to detect if a comment was from
; a different user when the same username was used in a comment. It might get
; used to get the IP of a comment poster if the server salt is leaked and a
; SHA512 HMAC rainbow table is generated for all (relevant) IPs.
; Can be set to one these values:
; "none" / "identicon" (default) / "jdenticon" / "vizhash".
; icon = "none"
; Content Security Policy headers allow a website to restrict what sources are
; allowed to be accessed in its context. You need to change this if you added
; custom scripts from third-party domains to your templates, e.g. tracking
; scripts or run your site behind certain DDoS-protection services.
; Check the documentation at https://content-security-policy.com/
; Notes:
; - If you use any bootstrap theme, you can remove the allow-popups from the
; sandbox restrictions.
; - If you use the bootstrap5 theme, you must change default-src to 'self' to
; enable display of the svg icons
; - By default this disallows to load images from third-party servers, e.g. when
; they are embedded in pastes. If you wish to allow that, you can adjust the
; policy here. See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-it-load-embedded-images
; for details.
; - The 'wasm-unsafe-eval' is used to enable webassembly support (used for zlib
; compression). You can remove it if compression doesn't need to be supported.
; cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'wasm-unsafe-eval'; style-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"
; stay compatible with PrivateBin Alpha 0.19, less secure
; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of
; sha256 in HMAC for the deletion token
; zerobincompatibility = false
; Enable or disable the warning message when the site is served over an insecure
; connection (insecure HTTP instead of HTTPS), defaults to true.
; Secure transport methods like Tor and I2P domains are automatically whitelisted.
; It is **strongly discouraged** to disable this.
; See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-it-show-me-an-error-about-an-insecure-connection for more information.
; httpwarning = true
; Pick compression algorithm or disable it. Only applies to pastes/comments
; created after changing the setting.
; Can be set to one these values: "none" / "zlib" (default).
; compression = "zlib"
[expire]
; expire value that is selected per default
; make sure the value exists in [expire_options]
default = "1week"
[expire_options]
; Set each one of these to the number of seconds in the expiration period,
; or 0 if it should never expire
5min = 300
10min = 600
1hour = 3600
1day = 86400
1week = 604800
; Well this is not *exactly* one month, it's 30 days:
1month = 2592000
1year = 31536000
never = 0
[formatter_options]
; Set available formatters, their order and their labels
plaintext = "Plain Text"
syntaxhighlighting = "Source Code"
markdown = "Markdown"
[traffic]
; time limit between calls from the same IP address in seconds
; Set this to 0 to disable rate limiting.
limit = 10
; (optional) Set IPs addresses (v4 or v6) or subnets (CIDR) which are exempted
; from the rate-limit. Invalid IPs will be ignored. If multiple values are to
; be exempted, the list needs to be comma separated. Leave unset to disable
; exemptions.
; exempted = "1.2.3.4,10.10.10/24"
; (optional) If you want only some source IP addresses (v4 or v6) or subnets
; (CIDR) to be allowed to create pastes, set these here. Invalid IPs will be
; ignored. If multiple values are to be exempted, the list needs to be comma
; separated. Leave unset to allow anyone to create pastes.
; creators = "1.2.3.4,10.10.10/24"
; (optional) if your website runs behind a reverse proxy or load balancer,
; set the HTTP header containing the visitors IP address, i.e. X_FORWARDED_FOR
; header = "X_FORWARDED_FOR"
[purge]
; minimum time limit between two purgings of expired pastes, it is only
; triggered when pastes are created
; Set this to 0 to run a purge every time a paste is created.
limit = 300
; maximum amount of expired pastes to delete in one purge
; Set this to 0 to disable purging. Set it higher, if you are running a large
; site
batchsize = 10
;[model]
; name of data model class to load and directory for storage
; the default model "Filesystem" stores everything in the filesystem
;class = Filesystem
;[model_options]
;dir = PATH "data"
;[model]
; example of a Google Cloud Storage configuration
;class = GoogleCloudStorage
;[model_options]
;bucket = "my-private-bin"
;prefix = "pastes"
;uniformacl = false
;[model]
; example of DB configuration for MySQL
;class = Database
;[model_options]
;dsn = "mysql:host=localhost;dbname=privatebin;charset=UTF8"
;tbl = "privatebin_" ; table prefix
;usr = "privatebin"
;pwd = "Z3r0P4ss"
;opt[12] = true ; PDO::ATTR_PERSISTENT
;[model]
; example of DB configuration for SQLite
;class = Database
;[model_options]
;dsn = "sqlite:" PATH "data/db.sq3"
;usr = null
;pwd = null
;opt[12] = true ; PDO::ATTR_PERSISTENT
[model]
; example of DB configuration for PostgreSQL
class = Database
[model_options]
dsn = "pgsql:host=10.0.6.178;dbname=privatebin"
tbl = "privatebin_" ; table prefix
usr = "privatebin"
pwd = "privatebin"
opt[12] = true ; PDO::ATTR_PERSISTENT
;[model]
; example of S3 configuration for Rados gateway / CEPH
;class = S3Storage
;[model_options]
;region = ""
;version = "2006-03-01"
;endpoint = "https://s3.my-ceph.invalid"
;use_path_style_endpoint = true
;bucket = "my-bucket"
;accesskey = "my-rados-user"
;secretkey = "my-rados-pass"
;[model]
; example of S3 configuration for AWS
;class = S3Storage
;[model_options]
;region = "eu-central-1"
;version = "latest"
;bucket = "my-bucket"
;accesskey = "access key id"
;secretkey = "secret access key"
;[model]
; example of S3 configuration for AWS using its SDK default credential provider chain
; if relying on environment variables, the AWS SDK will look for the following:
; - AWS_ACCESS_KEY_ID
; - AWS_SECRET_ACCESS_KEY
; - AWS_SESSION_TOKEN (if needed)
; for more details, see https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_credentials.html#default-credential-chain
;class = S3Storage
;[model_options]
;region = "eu-central-1"
;version = "latest"
;bucket = "my-bucket"
;[yourls]
; When using YOURLS as a "urlshortener" config item:
; - By default, "urlshortener" will point to the YOURLS API URL, with or without
; credentials, and will be visible in public on the PrivateBin web page.
; Only use this if you allow short URL creation without credentials.
; - Alternatively, using the parameters in this section ("signature" and
; "apiurl"), "urlshortener" needs to point to the base URL of your PrivateBin
; instance with "?shortenviayourls&link=" appended. For example:
; urlshortener = "${basepath}?shortenviayourls&link="
; This URL will in turn call YOURLS on the server side, using the URL from
; "apiurl" and the "access signature" from the "signature" parameters below.
; (optional) the "signature" (access key) issued by YOURLS for the using account
; signature = ""
; (optional) the URL of the YOURLS API, called to shorten a PrivateBin URL
; apiurl = "https://yourls.example.com/yourls-api.php"
;[sri]
; Subresource integrity (SRI) hashes used in template files. Uncomment and set
; these for all js files used. See:
; https://github.com/PrivateBin/PrivateBin/wiki/FAQ#user-content-how-to-make-privatebin-work-when-i-have-changed-some-javascript-files
;js/privatebin.js = "sha512-[…]"
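Review bot: The `[traffic]` section enables `limit = 10` but leaves `header` commented out, while this instance is presumably fronted by the Traefik reverse proxy added elsewhere in this compare (no router for it is visible); without `header = "X_FORWARDED_FOR"` PrivateBin keys the rate limit on the proxy's address, so every visitor shares one 10-second bucket. Uncomment `header = "X_FORWARDED_FOR"` only once Traefik is the sole path to the container, since on any other path the header is client-supplied. The live `[model_options]` block also commits the PostgreSQL password `pwd = "privatebin"` (equal to the user name) to the repository; rotate it and read it from an environment-specific file that is not tracked. `fileupload = true` is enabled with the default 10 MiB `sizelimit` while `creators` is unset; that may be deliberate, but a one-line comment stating that uploads are accepted from any source would save the next reader the question.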



@@ -0,0 +1,19 @@
http:
middlewares:
middlewares-authentik:
forwardAuth:
address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version


@@ -0,0 +1,8 @@
http:
middlewares:
middlewares-basic-auth:
basicAuth:
# users:
# - "user:$apsdfs.$EntPC0w3FtswWvC/6fTVJ7IUVtX1"
usersFile: "/users" #be sure to mount the volume through docker-compose.yml
realm: "Traefik 3 Basic Auth"


@@ -0,0 +1,18 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
# Prevent too large of a body
# https://stackoverflow.com/questions/49717670/how-to-config-upload-body-size-restriction-in-traefik
middlewares-buffering:
buffering:
maxRequestBodyBytes: 10485760
memRequestBodyBytes: 2097152
maxResponseBodyBytes: 10485760
memResponseBodyBytes: 2097152
retryExpression: "IsNetworkError() && Attempts() <= 2"
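Review bot: `retryExpression: "IsNetworkError() && Attempts() <= 2"` replays any buffered request on a network error, including non-idempotent POST/PUT bodies, so a backend that received the request but lost the connection can process it twice. If the services behind this middleware are not idempotent, drop the expression; if they are, say so next to it, e.g. `# retry is intentional: backends are idempotent`.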


@@ -0,0 +1,9 @@
http:
middlewares:
chain-authentik:
chain:
middlewares:
# - middlewares-crowdsec-bouncer
- middlewares-rate-limit
- middlewares-secure-headers
- middlewares-authentik


@@ -0,0 +1,8 @@
http:
middlewares:
chain-basic-auth:
chain:
middlewares:
- middlewares-rate-limit
- middlewares-secure-headers
- middlewares-basic-auth


@@ -0,0 +1,8 @@
http:
middlewares:
chain-no-auth:
chain:
middlewares:
- middlewares-default-whitelist
- middlewares-rate-limit
- middlewares-secure-headers
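Review bot: `chain-no-auth` here omits `middlewares-crowdsec-bouncer`, while the Traefik 2 version of the same chain (L672-L680) places it first, the bouncer middleware is defined for this set at L487-L492, and it is commented out in `chain-authentik` (L439) as well. If the bouncer is not yet deployed alongside Traefik 3, a comment saying so would stop the next reader from assuming CrowdSec decisions are enforced; otherwise add `- middlewares-crowdsec-bouncer` as the first entry so blocked sources are rejected before the rate limit and headers middlewares run.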


@@ -0,0 +1,12 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
# Compress to save bandwidth
middlewares-compress:
compress: {}


@@ -0,0 +1,6 @@
http:
middlewares:
middlewares-crowdsec-bouncer:
forwardauth:
address: http://bouncer-traefik:8080/api/v1/forwardAuth
trustForwardHeader: true


@@ -0,0 +1,8 @@
http:
middlewares:
middlewares-default-whitelist:
ipWhiteList:
sourceRange:
- "10.0.0.0/8"
- "192.168.0.0/16"
- "172.16.0.0/12"
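Review bot: `ipWhiteList` is deprecated in Traefik 3 in favour of `ipAllowList` (same options), and this file sits with the Traefik 3 headers/TLS rules, so rename the key before the alias is removed. More importantly no `ipStrategy` is set, so the match is against the TCP peer address: behind Cloudflare every external client appears as the proxy's address and is denied, while on a Docker host where the userland proxy rewrites sources to the bridge gateway every client lands inside `172.16.0.0/12` and is allowed — worth verifying which applies here, since `chain-no-auth` (L458-L466) uses this middleware as its only gate. If the X-Forwarded-For from the trusted Cloudflare ranges is meant to be honoured, add `ipStrategy:` with `depth: 1` in block style and keep `172.16.0.0/12` only if the Docker bridge is genuinely a trusted network. The Traefik 2 copy at L706-L714 keeps the `ipWhiteList` name legitimately but shares the strategy question.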


@@ -0,0 +1,15 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
# Middleware for Redirection
# This can be used instead of global redirection
middlewares-https-redirectscheme:
redirectScheme:
scheme: https
permanent: true


@@ -0,0 +1,6 @@
http:
middlewares:
middlewares-rate-limit:
rateLimit:
average: 100
burst: 50
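Review bot: `rateLimit` has no `sourceCriterion`, so Traefik buckets by the connection's remote address; behind Cloudflare or any upstream proxy that is the proxy's egress address and all external clients share one 100 r/s budget, while LAN clients are limited individually. Given the `forwardedHeaders.trustedIPs` list in the static config, consider `sourceCriterion:` → `ipStrategy:` → `depth: 1` in block style so the bucket keys on the proxy-supplied client address when the request arrives through a single trusted hop. `burst: 50` is below `average: 100`; Traefik accepts it, but it means the bucket holds at most 50 tokens, which is probably not the intent — add a comment or raise `burst`. The same definition is repeated at L719-L724.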


@@ -0,0 +1,38 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
################################################################
# Good Basic Security Practices
################################################################
middlewares-secure-headers:
headers:
accessControlAllowMethods:
- GET
- OPTIONS
- PUT
accessControlMaxAge: 100
hostsProxyHeaders:
- "X-Forwarded-Host"
stsSeconds: 63072000
stsIncludeSubdomains: true
stsPreload: true
forceSTSHeader: true
customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME"}}" #CSP takes care of this but may be needed for organizr.
#customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
contentTypeNosniff: true
browserXssFilter: true
# sslForceHost: true # add sslHost to all of the services
# sslHost: "{{env "DOMAINNAME"}}"
referrerPolicy: "same-origin"
# permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=()"
customResponseHeaders:
# X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
# server: ""
# https://community.traefik.io/t/how-to-make-websockets-work-with-traefik-2-0-setting-up-rancher/1732
X-Forwarded-Proto: "https"
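Review bot: `customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME"}}"` emits an `X-Frame-Options: ALLOW-FROM` directive that current browsers do not implement (an unrecognised value makes them ignore the header), and the value also lacks the `//` of a real origin, so framing ends up unrestricted rather than limited to the domain. Express the intent with CSP instead, `contentSecurityPolicy: "frame-ancestors 'self' https://{{env "DOMAINNAME"}}"`, and either drop `customFrameOptionsValue` or use `SAMEORIGIN` as the commented line suggests; the Traefik 2 copy at L746 has the same problem. `accessControlAllowMethods` without `accessControlAllowOriginList` emits CORS method headers that browsers ignore absent an origin match, so it is dead config worth a comment or removal. `X-Forwarded-Proto` under `customResponseHeaders` is a request header meant for backends and does nothing in a response; the linked thread is about request headers, so this presumably belongs under `customRequestHeaders`.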


@@ -0,0 +1,35 @@
################################################################
# TLS Options (https://jellyfin.org/docs/general/networking/traefik2.html#traefik-providertoml)
# toml -> yml
# 2024 updates to cipherSuites from (https://www.smarthomebeginner.com/traefik-v3-docker-compose-guide-2024/)
#
# Set secure options by disabling insecure older TLS/SSL versions
# and insecure ciphers. SNIStrict disabled leaves TLS1.0 open.
# If you have problems with older clients, you can may need to relax
# these minimums. This configuration will give you an A+ SSL security
# score supporting TLS1.2 and TLS1.3
#
# Dynamic configuration
# https://doc.traefik.io/traefik/https/tls/
################################################################
tls:
options:
tls-opts:
sniStrict: true
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
curvePreferences:
- secp521r1 # CurveP521
- secp384r1 # CurveP384
mintls13:
minVersion: VersionTLS13
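Review bot: `curvePreferences` lists only `secp521r1` and `secp384r1`, omitting `X25519` and P-256; TLS 1.3 clients are required to support P-256 and commonly offer only X25519/P-256 in their key_share, so clients that offer neither P-384 nor P-521 are refused outright and the rest pay a HelloRetryRequest round-trip. Prefer `- X25519` and `- CurveP256` ahead of the larger curves; it costs nothing in the rating the header comment aims for. The comment `SNIStrict disabled leaves TLS1.0 open` describes something `sniStrict` does not do (it rejects connections whose SNI matches no certificate; the protocol floor is `minVersion` alone), so reword it to avoid a false sense that TLS 1.0 was addressed by that flag. The Traefik 2 copy at L763-L781 shares the curve list.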




@@ -0,0 +1,9 @@
http:
middlewares:
middlewares-authelia:
forwardAuth:
address: "http://authelia:9091/api/verify?rd=https://auth.local.gurulandia.eu"
trustForwardHeader: true
authResponseHeaders:
- "Remote-User"
- "Remote-Groups"


@@ -0,0 +1,8 @@
http:
middlewares:
middlewares-basic-auth:
basicAuth:
# users:
# - "user:$apsdfs.$EntPC0w3FtswWvC/6fTVJ7IUVtX1"
usersFile: "/users" #be sure to mount the volume through docker-compose.yml
realm: "Traefik 2 Basic Auth"


@@ -0,0 +1,8 @@
http:
middlewares:
chain-authelia:
chain:
middlewares:
- middlewares-rate-limit
- middlewares-secure-headers
- middlewares-authelia


@@ -0,0 +1,8 @@
http:
middlewares:
chain-basic-auth:
chain:
middlewares:
- middlewares-rate-limit
- middlewares-secure-headers
- middlewares-basic-auth


@@ -0,0 +1,9 @@
http:
middlewares:
chain-no-auth:
chain:
middlewares:
- middlewares-crowdsec-bouncer
- middlewares-default-whitelist
- middlewares-rate-limit
- middlewares-secure-headers


@@ -0,0 +1,8 @@
http:
middlewares:
chain-oauth:
chain:
middlewares:
- middlewares-rate-limit
- middlewares-secure-headers
- middlewares-oauth
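Review bot: `chain-oauth` references `middlewares-oauth`, which is not defined in any file visible in this compare; Traefik marks every router that uses a chain containing an unknown middleware as errored, so the chain is unusable until that definition exists (it may be in one of the suppressed files — worth confirming). Either add the forwardAuth definition next to the authelia one or remove the chain so the dynamic configuration loads without errors.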


@@ -0,0 +1,6 @@
http:
middlewares:
middlewares-crowdsec-bouncer:
forwardauth:
address: http://bouncer-traefik:8080/api/v1/forwardAuth
trustForwardHeader: true


@@ -0,0 +1,8 @@
http:
middlewares:
middlewares-default-whitelist:
ipWhiteList:
sourceRange:
- "10.0.0.0/8"
- "192.168.0.0/16"
- "172.16.0.0/12"


@@ -0,0 +1,6 @@
http:
middlewares:
middlewares-rate-limit:
rateLimit:
average: 100
burst: 50


@@ -0,0 +1,31 @@
http:
middlewares:
middlewares-secure-headers:
headers:
accessControlAllowMethods:
- GET
- OPTIONS
- PUT
accessControlMaxAge: 100
hostsProxyHeaders:
- "X-Forwarded-Host"
sslRedirect: true
stsSeconds: 63072000
stsIncludeSubdomains: true
stsPreload: true
forceSTSHeader: true
# frameDeny: true #overwritten by customFrameOptionsValue
customFrameOptionsValue: "allow-from https:gurulandia.eu" #CSP takes care of this but may be needed for organizr.
contentTypeNosniff: true
browserXssFilter: true
# sslForceHost: true # add sslHost to all of the services
# sslHost: "example.com"
referrerPolicy: "same-origin"
# Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
# the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
# contentSecurityPolicy: "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
customResponseHeaders:
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
server: ""
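Review bot: `featurePolicy` and `sslRedirect` in this headers block are deprecated in Traefik 2.x — `featurePolicy` was superseded by `permissionsPolicy` (the `Feature-Policy` header is ignored by current browsers) and `sslRedirect` by the entryPoint-level `redirections` the static config already uses — and both are removed in Traefik 3. Replace the first with `permissionsPolicy: "camera=(), geolocation=(), microphone=(), payment=(), usb=()"` and drop the second so the file survives the upgrade the sibling Traefik 3 rules are preparing for.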


@@ -0,0 +1,19 @@
tls:
options:
tls-opts:
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
curvePreferences:
- CurveP521
- CurveP384
sniStrict: true


@@ -0,0 +1,141 @@
# Traefik 3.x (YAML)
# Updated 2024-June-04
################################################################
# Global configuration - https://doc.traefik.io/traefik/reference/static-configuration/file/
################################################################
global:
checkNewVersion: true #false
sendAnonymousUsage: false
################################################################
# Entrypoints - https://doc.traefik.io/traefik/routing/entrypoints/
################################################################
entryPoints:
web:
address: ":80"
# Global HTTP to HTTPS redirection
http:
# middlewares:
# - crowdsec-bouncer@file
redirections:
entryPoint:
to: websecure
scheme: https
permanent: true
websecure:
address: ":443"
http:
# middlewares:
# - crowdsec-bouncer@file
tls:
options: tls-opts@file
certResolver: dns-cloudflare
domains:
- main: "{{env "DOMAINNAME0"}}"
sans:
- "*.{{env "DOMAINNAME0"}}"
- main: "{{env "DOMAINNAME1"}}"
sans:
- "*.{{env "DOMAINNAME1"}}"
- main: "{{env "DOMAINNAME2"}}"
sans:
- "*.{{env "DOMAINNAME2"}}"
- main: "{{env "DOMAINNAME3"}}"
sans:
- "*.{{env "DOMAINNAME3"}}"
forwardedHeaders:
trustedIPs:
# Cloudflare (https://www.cloudflare.com/ips-v4)
- "173.245.48.0/20"
- "103.21.244.0/22"
- "103.22.200.0/22"
- "103.31.4.0/22"
- "141.101.64.0/18"
- "108.162.192.0/18"
- "190.93.240.0/20"
- "188.114.96.0/20"
- "197.234.240.0/22"
- "198.41.128.0/17"
- "162.158.0.0/15"
- "104.16.0.0/13"
- "104.24.0.0/14"
- "172.64.0.0/13"
- "131.0.72.0/22"
- "104.16.0.0/13"
- "104.24.0.0/14"
# Local IPs
- "127.0.0.1/32"
- "10.0.0.0/8"
- "192.168.0.0/16"
- "172.16.0.0/12"
################################################################
# Logs - https://doc.traefik.io/traefik/observability/logs/
################################################################
log:
level: INFO # Options: DEBUG, PANIC, FATAL, ERROR (Default), WARN, and INFO
filePath: /logs/traefik-container.log # Default is to STDOUT
# format: json # Uses text format (common) by default
noColor: false # Recommended to be true when using common
maxSize: 100 # In megabytes
compress: true # gzip compression when rotating
################################################################
# Access logs - https://doc.traefik.io/traefik/observability/access-logs/
################################################################
accessLog:
addInternals: true # things like ping@internal
filePath: /logs/traefik-access.log # In the Common Log Format (CLF) by default
bufferingSize: 100 # Number of log lines
fields:
names:
StartUTC: drop # Write logs in Container Local Time instead of UTC
filters:
statusCodes:
- "204-299"
- "400-499"
- "500-599"
################################################################
# API and Dashboard
################################################################
api:
dashboard: true
# Rely on api@internal and Traefik with Middleware to control access
# insecure: true
################################################################
# Providers - https://doc.traefik.io/traefik/providers/docker/
################################################################
providers:
docker:
#endpoint: "unix:///var/run/docker.sock" # Comment if using socket-proxy
endpoint: "tcp://socket-proxy:2375" # Uncomment if using socket proxy
exposedByDefault: false
network: proxy # network to use for connections to all containers
# defaultRule: TODO
# Enable auto loading of newly created rules by watching a directory
file:
# Apps, LoadBalancers, TLS Options, Middlewares, Middleware Chains
directory: /config
watch: true
################################################################
# Let's Encrypt (ACME)
################################################################
certificatesResolvers:
dns-cloudflare:
acme:
email: "{{env "CF_API_EMAIL"}}"
storage: "/acme.json"
#caServer: "https://acme-staging-v02.api.letsencrypt.org/directory" # Comment out when going prod
dnsChallenge:
provider: cloudflare
#delayBeforeCheck: 30 # Default is 2m0s. This changes the delay (in seconds)
# Custom DNS server resolution
resolvers:
- "1.1.1.1:53"
- "8.8.8.8:53"
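Review bot: `forwardedHeaders.trustedIPs` lists `104.16.0.0/13` and `104.24.0.0/14` twice and trusts all of `10.0.0.0/8`, `172.16.0.0/12` and `192.168.0.0/16`, so any container or LAN host — not just Cloudflare and the socket-proxy — may set `X-Forwarded-For`, and every middleware that keys on the client address (`middlewares-default-whitelist`, `rateLimit`) inherits that trust. Dedupe the list and narrow the private ranges to the actual upstream hosts, with a comment dating the Cloudflare block (`# cloudflare.com/ips-v4, checked <date>`) since that list changes. `accessLog.filters.statusCodes` starts at `204-299`, which keeps 200–203 responses out of the access log that CrowdSec reads from `/var/log/traefik/*`; if excluding 200s is deliberate noise reduction, say so in a comment, otherwise write `"200-299"`. `checkNewVersion: true #false` makes Traefik call out on startup and the trailing `#false` reads as an unresolved choice — state the decision.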



@@ -0,0 +1,15 @@
http:
routers:
wiki-rtr: # Bookstack
rule: "Host(`wiki.local.gurulandia.eu`)"
entryPoints:
- "https"
middlewares:
- chain-no-auth # - chain-authelia
tls: {}
service: wiki-svc
services:
wiki-svc:
loadBalancer:
servers:
- url: "http://192.168.5.30:53002"
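Review bot: `entryPoints: - "https"` names an entry point that the static configuration in this compare defines as `web`/`websecure` (L797-L810), so if this file is loaded by that instance the router is rejected as referencing an unknown entry point and the backend is unreachable; the pihole, sophos and wac routers at L948, L1048 and L1067 use the same name. Confirm which Traefik instance loads these files — a Traefik 2 setup whose static config defines `https` would be consistent — or rename the entry point to `websecure`.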


@@ -0,0 +1,46 @@
http:
routers:
ha-pihole-rtr: # piHole
rule: "Host(`ha-pihole.local.gurulandia.eu`) "
entryPoints:
- https
middlewares:
- chain-no-auth
- pihole-add-admin
service: ha-pihole-svc
tls: {}
ha-pihole-01-rtr: # piHole
rule: "Host(`ha-pihole-01.local.gurulandia.eu`) "
entryPoints:
- https
middlewares:
- chain-no-auth
- pihole-add-admin
service: ha-pihole-01-svc
tls: {}
ha-pihole-02-rtr: # piHole
rule: "Host(`ha-pihole-02.local.gurulandia.eu`) "
entryPoints:
- https
middlewares:
- chain-no-auth
- pihole-add-admin
service: ha-pihole-02-svc
tls: {}
middlewares:
pihole-add-admin:
addPrefix:
prefix: "/admin"
services:
ha-pihole-svc:
loadBalancer:
servers:
- url: "http://192.168.99.250:80"
ha-pihole-01-svc:
loadBalancer:
servers:
- url: "http://192.168.99.245:80"
ha-pihole-02-svc:
loadBalancer:
servers:
- url: "http://192.168.99.246:80"
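Review bot: These three routers front the Pi-hole admin interfaces (backends 192.168.99.250/.245/.246 with `/admin` prepended) behind `chain-no-auth`, while L993-L1038 publishes the same three backends under `pihole*` hostnames behind `chain-authelia`; with both files loaded, the `ha-pihole*` names bypass the SSO the other file adds, with only the internal-range allowlist in front of them. If the `ha-` names exist for health checks or failover, add a comment saying so and narrow the chain to a dedicated allowlist for the checking host; otherwise use `chain-authelia` here as well. The trailing space inside each `rule` string is tolerated by the matcher but worth trimming for consistency with the other router files.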


@@ -0,0 +1,46 @@
http:
routers:
pihole-rtr: # piHole
rule: "Host(`pihole.local.gurulandia.eu`) "
entryPoints:
- https
middlewares:
- chain-authelia
- pihole-add-admin
service: pihole-svc
tls: {}
pihole-01-rtr: # piHole
rule: "Host(`pihole-01.local.gurulandia.eu`) "
entryPoints:
- https
middlewares:
- chain-authelia
- pihole-add-admin
service: pihole-01-svc
tls: {}
pihole-02-rtr: # piHole
rule: "Host(`pihole-02.local.gurulandia.eu`) "
entryPoints:
- https
middlewares:
- chain-authelia
- pihole-add-admin
service: pihole-02-svc
tls: {}
middlewares:
pihole-add-admin:
addPrefix:
prefix: "/admin"
services:
pihole-svc:
loadBalancer:
servers:
- url: "http://192.168.99.250:80"
pihole-01-svc:
loadBalancer:
servers:
- url: "http://192.168.99.245:80"
pihole-02-svc:
loadBalancer:
servers:
- url: "http://192.168.99.246:80"


@@ -0,0 +1,15 @@
http:
routers:
sophos-rtr: # Sophos XG
rule: "Host(`fw.local.gurulandia.eu`)"
entryPoints:
- "https"
middlewares:
- chain-no-auth # - chain-authelia
tls: {}
service: sophos-svc
services:
sophos-svc:
loadBalancer:
servers:
- url: "https://192.168.99.1:4444"
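Review bot: sophos-rtr exposes the firewall's management UI (https://192.168.99.1:4444) through `chain-no-auth`, with the intended `chain-authelia` left in a trailing comment; a firewall admin interface is the one backend that should not rely on the LAN whitelist alone. Change the entry to `- chain-authelia` unless the appliance's own login is deliberately the only gate. Note also that the static configurations later on this page set `serversTransport.insecureSkipVerify: true`, so Traefik does not validate this backend's certificate; if the Traefik version in use supports named serversTransports, one with the firewall's CA in `rootCAs` would keep the global relaxation from applying here.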


@@ -0,0 +1,15 @@
http:
routers:
wac-rtr: # Sophos XG
rule: "Host(`wac.local.gurulandia.eu`)"
entryPoints:
- "https"
middlewares:
- chain-no-auth # - chain-authelia
tls: {}
service: wac-svc
services:
wac-svc:
loadBalancer:
servers:
- url: "https://192.168.5.50"
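Review bot: The router comment `# Sophos XG` on wac-rtr was carried over from the firewall file; the service points at 192.168.5.50, which is not the Sophos appliance (that one is 192.168.99.1:4444 in the previous file). Replace it with a comment naming the actual device, e.g. `wac-rtr: # <device behind 192.168.5.50>`. The same copy-paste comment appears on plex-rtr (`# Asustor Nas`) further down, where the service is Plex on port 32400.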


@@ -0,0 +1,9 @@
http:
middlewares:
middlewares-authelia:
forwardAuth:
address: "http://authelia:9091/api/verify?rd=https://auth.local.gurulandia.eu"
trustForwardHeader: true
authResponseHeaders:
- "Remote-User"
- "Remote-Groups"


@@ -0,0 +1,8 @@
http:
middlewares:
middlewares-basic-auth:
basicAuth:
# users:
# - "user:$apsdfs.$EntPC0w3FtswWvC/6fTVJ7IUVtX1"
usersFile: "/users" #be sure to mount the volume through docker-compose.yml
realm: "Traefik 2 Basic Auth"


@@ -0,0 +1,8 @@
http:
middlewares:
chain-authelia:
chain:
middlewares:
- middlewares-rate-limit
- middlewares-secure-headers
- middlewares-authelia
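Review bot: `chain-authelia` runs only rate-limit, secure-headers and authelia, whereas `chain-no-auth` additionally runs `middlewares-crowdsec-bouncer` and `middlewares-default-whitelist`; as a result the authenticated routers (Proxmox, NAS, Home Assistant and so on) are exactly the ones the CrowdSec bouncer never sees. If that is unintended, prepend `- middlewares-crowdsec-bouncer` to this chain so the bouncer decision is made before the forwardAuth round-trip to Authelia. `chain-basic-auth` and `chain-oauth` in the following files have the same omission.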


@@ -0,0 +1,8 @@
http:
middlewares:
chain-basic-auth:
chain:
middlewares:
- middlewares-rate-limit
- middlewares-secure-headers
- middlewares-basic-auth


@@ -0,0 +1,9 @@
http:
middlewares:
chain-no-auth:
chain:
middlewares:
- middlewares-crowdsec-bouncer
- middlewares-default-whitelist
- middlewares-rate-limit
- middlewares-secure-headers


@@ -0,0 +1,8 @@
http:
middlewares:
chain-oauth:
chain:
middlewares:
- middlewares-rate-limit
- middlewares-secure-headers
- middlewares-oauth
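Review bot: `chain-oauth` references `middlewares-oauth`, which is not defined in any of the dynamic configuration files shown on this page; with the file provider, a router that uses this chain would fail with a missing-middleware error at load time, unless the definition lives in a file outside this compare. Either add the forwardAuth definition alongside `middlewares-authelia` or drop the chain until it is needed; a comment such as `# requires middlewares-oauth, defined in <file>` would help the next reader.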


@@ -0,0 +1,6 @@
http:
middlewares:
middlewares-crowdsec-bouncer:
forwardauth:
address: http://bouncer-traefik:8080/api/v1/forwardAuth
trustForwardHeader: true


@@ -0,0 +1,8 @@
http:
middlewares:
middlewares-default-whitelist:
ipWhiteList:
sourceRange:
- "10.0.0.0/8"
- "192.168.0.0/16"
- "172.16.0.0/12"
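Review bot: `ipWhiteList` is the Traefik v2 name; v3 renamed the middleware to `ipAllowList` and keeps the old key only as a deprecated alias, and since the env file on this page pins the image with `TRAEFIK_TAG=latest`, a routine pull can land on a major version where the deprecated spelling stops being accepted. Switching the key to `ipAllowList:` and pinning a version tag keeps the allow-list from silently disappearing. A short comment stating which of the three RFC 1918 ranges are actually in use would also make later tightening easier.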


@@ -0,0 +1,6 @@
http:
middlewares:
middlewares-rate-limit:
rateLimit:
average: 100
burst: 50


@@ -0,0 +1,31 @@
http:
middlewares:
middlewares-secure-headers:
headers:
accessControlAllowMethods:
- GET
- OPTIONS
- PUT
accessControlMaxAge: 100
hostsProxyHeaders:
- "X-Forwarded-Host"
sslRedirect: true
stsSeconds: 63072000
stsIncludeSubdomains: true
stsPreload: true
forceSTSHeader: true
# frameDeny: true #overwritten by customFrameOptionsValue
customFrameOptionsValue: "allow-from https:gurulandia.eu" #CSP takes care of this but may be needed for organizr.
contentTypeNosniff: true
browserXssFilter: true
# sslForceHost: true # add sslHost to all of the services
# sslHost: "example.com"
referrerPolicy: "same-origin"
# Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
# the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
# contentSecurityPolicy: "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
customResponseHeaders:
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
server: ""
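Review bot: `customFrameOptionsValue: "allow-from https:gurulandia.eu"` is doubly broken: the URI is missing `//`, and the `ALLOW-FROM` directive of X-Frame-Options is not honoured by current browsers, which ignore the header when they see it, so this setting provides no framing protection at all. Use `frameDeny: true` (and remove `customFrameOptionsValue`) or, if embedding from the main domain is needed, express it as `contentSecurityPolicy: "frame-ancestors 'self' https://*.gurulandia.eu"`; a CSP with only that directive does not trigger the app breakage the comment above describes. `featurePolicy` has been superseded by `permissionsPolicy`, which the headers middleware supports, and `sslRedirect` is deprecated and redundant given the entrypoint redirection in the static configuration.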


@@ -0,0 +1,15 @@
http:
routers:
asustor-rtr: # Asustor Nas
rule: "Host(`nas-01.local.gurulandia.eu`) "
entryPoints:
- https
middlewares:
- chain-authelia
service: asustor-svc
tls: {}
services:
asustor-svc:
loadBalancer:
servers:
- url: "https://gl-p-nas-01.srv.gurulandia.lan:8001"


@@ -0,0 +1,16 @@
http:
routers:
homeassistant-rtr: # Home Assistant
rule: "Host(`homeassistant.local.gurulandia.eu`)"
entryPoints:
- "https"
middlewares:
- chain-authelia
service: homeassistant-svc
tls: {}
services:
homeassistant-svc:
loadBalancer:
servers:
- url: "http://192.168.42.242:50000"


@@ -0,0 +1,16 @@
http:
routers:
observium-rtr: # Observium
rule: "Host(`observium.local.gurulandia.eu`)"
entryPoints:
- "https"
middlewares:
- chain-authelia
service: observium-svc
tls: {}
services:
observium-svc:
loadBalancer:
servers:
- url: "http://192.168.99.81"


@@ -0,0 +1,15 @@
http:
routers:
pbs-rtr: # Proxmox PBS
entryPoints:
- "https"
rule: "Host(`pbs-01.local.gurulandia.eu`)"
middlewares:
- chain-authelia
tls: {}
service: pbs-svc
services:
pbs-svc:
loadBalancer:
servers:
- url: "https://gl-v-pbs-01.mgmt.gurulandia.lan:8007"


@@ -0,0 +1,15 @@
http:
routers:
plex-rtr: # Asustor Nas
rule: "Host(`plex.local.gurulandia.eu`) "
entryPoints:
- https
middlewares:
- chain-authelia
service: plex-svc
tls: {}
services:
plex-svc:
loadBalancer:
servers:
- url: "https://gl-p-nas-01.srv.gurulandia.lan:32400"


@@ -0,0 +1,27 @@
http:
routers:
pve-01-rtr: # Proxmox PVE 1
rule: "Host(`pve-01.local.gurulandia.eu`)"
entryPoints:
- "https"
middlewares:
- chain-authelia
tls: {}
service: pve-01-svc
pve-02-rtr: # Proxmox PVE 2
rule: "Host(`pve-02.local.gurulandia.eu`)"
entryPoints:
- "https"
middlewares:
- chain-authelia
tls: {}
service: pve-02-svc
services:
pve-01-svc:
loadBalancer:
servers:
- url: "https://gl-p-pve-01.mgmt.gurulandia.lan:8006"
pve-02-svc:
loadBalancer:
servers:
- url: "https://gl-p-pve-02.mgmt.gurulandia.lan:8006"


@@ -0,0 +1,39 @@
http:
routers:
gl-p-ap-01-rtr: # AsusWRT
rule: "Host(`ap-01.local.gurulandia.eu`)"
entryPoints:
- "https"
middlewares:
- chain-authelia
tls: {}
service: gl-p-ap-01-svc
gl-p-ap-02-rtr: # OpenWRT
rule: "Host(`ap-02.local.gurulandia.eu`)"
entryPoints:
- "https"
middlewares:
- chain-authelia
tls: {}
service: gl-p-ap-02-svc
gl-p-ap-03-rtr: # OpenWRT
rule: "Host(`ap-03.local.gurulandia.eu`)"
entryPoints:
- "https"
middlewares:
- chain-authelia
tls: {}
service: gl-p-ap-03-svc
services:
gl-p-ap-01-svc:
loadBalancer:
servers:
- url: "http://gl-p-ap-01.wifi.gurulandia.lan"
gl-p-ap-02-svc:
loadBalancer:
servers:
- url: "https://gl-p-ap-02.mgmt.gurulandia.lan"
gl-p-ap-03-svc:
loadBalancer:
servers:
- url: "https://gl-p-ap-03.mgmt.gurulandia.lan"
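Review bot: gl-p-ap-01-svc forwards to `http://gl-p-ap-01.wifi.gurulandia.lan` while the other two access points use https, so the AsusWRT admin session (including the login form) crosses the wifi management segment in clear between Traefik and the AP; the TLS terminated at Traefik covers only the client leg. If the device offers HTTPS on its admin port, switch the URL to `https://` (certificate checking is already relaxed globally, so a self-signed certificate will not block it). The eight switch services in the next file are in the same situation, all on plain http.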


@@ -0,0 +1,99 @@
http:
routers:
gl-p-sw-01-rtr:
rule: "Host(`sw-01.local.gurulandia.eu`)"
entryPoints:
- "https"
middlewares:
- chain-authelia
tls: {}
service: gl-p-sw-01-svc
gl-p-sw-02-rtr:
rule: "Host(`sw-02.local.gurulandia.eu`)"
entryPoints:
- "https"
middlewares:
- chain-authelia
tls: {}
service: gl-p-sw-02-svc
gl-p-sw-03-rtr:
rule: "Host(`sw-03.local.gurulandia.eu`)"
entryPoints:
- "https"
middlewares:
- chain-authelia
tls: {}
service: gl-p-sw-03-svc
gl-p-sw-04-rtr:
rule: "Host(`sw-04.local.gurulandia.eu`)"
entryPoints:
- "https"
middlewares:
- chain-authelia
tls: {}
service: gl-p-sw-04-svc
gl-p-sw-05-rtr:
rule: "Host(`sw-05.local.gurulandia.eu`)"
entryPoints:
- "https"
middlewares:
- chain-authelia
tls: {}
service: gl-p-sw-05-svc
gl-p-sw-06-rtr:
rule: "Host(`sw-06.local.gurulandia.eu`)"
entryPoints:
- "https"
middlewares:
- chain-authelia
tls: {}
service: gl-p-sw-06-svc
gl-p-sw-07-rtr:
rule: "Host(`sw-07.local.gurulandia.eu`)"
entryPoints:
- "https"
middlewares:
- chain-authelia
tls: {}
service: gl-p-sw-07-svc
gl-p-sw-08-rtr:
rule: "Host(`sw-08.local.gurulandia.eu`)"
entryPoints:
- "https"
middlewares:
- chain-authelia
tls: {}
service: gl-p-sw-08-svc
services:
gl-p-sw-01-svc:
loadBalancer:
servers:
- url: "http://gl-p-sw-01.mgmt.gurulandia.lan"
gl-p-sw-02-svc:
loadBalancer:
servers:
- url: "http://gl-p-sw-02.mgmt.gurulandia.lan"
gl-p-sw-03-svc:
loadBalancer:
servers:
- url: "http://gl-p-sw-03.mgmt.gurulandia.lan"
gl-p-sw-04-svc:
loadBalancer:
servers:
- url: "http://gl-p-sw-04.mgmt.gurulandia.lan"
gl-p-sw-05-svc:
loadBalancer:
servers:
- url: "http://gl-p-sw-05.mgmt.gurulandia.lan"
gl-p-sw-06-svc:
loadBalancer:
servers:
- url: "http://gl-p-sw-06.mgmt.gurulandia.lan"
gl-p-sw-07-svc:
loadBalancer:
servers:
- url: "http://gl-p-sw-07.mgmt.gurulandia.lan"
gl-p-sw-08-svc:
loadBalancer:
servers:
- url: "http://gl-p-sw-08.mgmt.gurulandia.lan"


@@ -0,0 +1,16 @@
http:
routers:
tasmoadmin-rtr: # Tasmo Admin
rule: "Host(`tasmoadmin.local.gurulandia.eu`)"
entryPoints:
- "https"
middlewares:
- chain-no-auth #authelia
service: tasmoadmin-svc
tls: {}
services:
tasmoadmin-svc:
loadBalancer:
servers:
- url: "http://192.168.42.242:9541"


@@ -0,0 +1,16 @@
http:
routers:
truenas-rtr: # TrueNAS Core
rule: "Host(`nas-02.local.gurulandia.eu`)"
entryPoints:
- "https"
middlewares:
- chain-authelia
service: truenas-svc
tls: {}
services:
truenas-svc:
loadBalancer:
servers:
- url: "https://gl-p-nas-02.mgmt.gurulandia.lan"


@@ -0,0 +1,19 @@
tls:
options:
tls-opts:
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
curvePreferences:
- CurveP521
- CurveP384
sniStrict: true
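Review bot: `curvePreferences` lists only CurveP521 and CurveP384, omitting X25519 and P-256, which are the curves most clients and Go itself prefer; P-521 is also the slowest of the set, so every handshake pays extra for no security gain. Prefer `- X25519` followed by `- CurveP256`, keeping P-384 if a specific client needs it. Two entries in `cipherSuites` do nothing as written: the TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_POLY1305_SHA256) are not configurable in Go and are always enabled, and `TLS_FALLBACK_SCSV` is a signalling value rather than a negotiable suite, so depending on the Traefik version it is either ignored or rejected as an invalid cipher suite name; removing it avoids a surprise on upgrade.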


@@ -0,0 +1,209 @@
################################################################
# Global configuration
################################################################
global:
checkNewVersion: true
sendAnonymousUsage: false
################################################################
# EntryPoints configuration
################################################################
# EntryPoints definition
#
# Optional
#
entryPoints:
http:
address: :80
http:
redirections:
entryPoint:
to: https
scheme: https
https:
address: :443
http:
tls:
options: tls-opts@file
certResolver: cloudflarels
domains:
- main: gurulandia.eu
sans:
- '*.gurulandia.eu'
- main: local.gurulandia.eu
sans:
- '*.local.gurulandia.eu'
- main: gurulandia.fi
sans:
- '*.gurulandia.fi'
- main: local.gurulandia.fi
sans:
- '*.local.gurulandia.fi'
forwardedHeaders:
trustedIPs: &trustedIps
- "127.0.0.1/32"
- "10.0.0.0/8"
- "192.168.0.0/16"
- "172.16.0.0/12"
- "173.245.48.0/20"
- "103.21.244.0/22"
- "103.22.200.0/22"
- "103.31.4.0/22"
- "141.101.64.0/18"
- "108.162.192.0/18"
- "190.93.240.0/20"
- "188.114.96.0/20"
- "197.234.240.0/22"
- "198.41.128.0/17"
- "162.158.0.0/15"
- "172.64.0.0/13"
- "131.0.72.0/22"
- "104.16.0.0/13"
- "104.24.0.0/14"
serversTransport:
insecureSkipVerify: true
################################################################
# Traefik logs configuration
################################################################
# Traefik logs
# Enabled by default and log to stdout
#
# Optional
#
log:
# Log level
#
# Optional
# Default: "ERROR"
#
level: INFO
# Sets the filepath for the traefik log. If not specified, stdout will be used.
# Intermediate directories are created if necessary.
#
# Optional
# Default: os.Stdout
#
filePath: "/var/log/traefik/traefik.log"
# Format is either "json" or "common".
#
# Optional
# Default: "common"
#
# format: json
################################################################
# Access logs configuration
################################################################
# Enable access logs
# By default it will write to stdout and produce logs in the textual
# Common Log Format (CLF), extended with additional fields.
#
# Optional
#
accessLog:
# Sets the file path for the access log. If not specified, stdout will be used.
# Intermediate directories are created if necessary.
#
# Optional
# Default: os.Stdout
#
filePath: "/var/log/traefik/access.log"
# Format is either "json" or "common".
#
# Optional
# Default: "common"
#
# format: json
################################################################
# API and dashboard configuration
################################################################
# Enable API and dashboard
#
# Optional
#
api:
# Enable the API in insecure mode
#
# Optional
# Default: false
#
#insecure: true
# Enabled Dashboard
#
# Optional
# Default: true
#
dashboard: true
################################################################
# Ping configuration
################################################################
# Enable ping
#ping:
# Name of the related entry point
#
# Optional
# Default: "traefik"
#
# entryPoint: traefik
################################################################
# Providers configuration
################################################################
providers:
# Enable Docker configuration backend
docker:
# Docker server endpoint. Can be a tcp or a unix socket endpoint.
#
# Required
# Default: "unix:///var/run/docker.sock"
#
endpoint: tcp://socket-proxy:2375
network: proxy
# Default host rule.
#
# Optional
# Default: "Host(`{{ normalize .Name }}`)"
#
# defaultRule: Host(`{{ normalize .Name }}.docker.localhost`)
# Expose containers by default in traefik
#
# Optional
# Default: true
#
exposedByDefault: false
# Enable File configuration backend
file:
directory: /config
watch: true
# Enable Redis configuration backend
#redis:
#endpoints:
# - "redis:6379"
################################################################
# Certificate Resolvers
################################################################
certificatesResolvers:
cloudflare:
acme:
email: ${CF_API_EMAIL}
storage: acme.json
dnsChallenge:
provider: cloudflare
#disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
resolvers:
- "1.1.1.1:53"
- "1.0.0.1:53"
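Review bot: The https entrypoint requests certificates with `certResolver: cloudflarels`, but the only resolver defined under `certificatesResolvers` is `cloudflare`, so the default-certificate domains listed under `tls.domains` will not be issued and Traefik will log a non-existent-resolver error; change the line to `certResolver: cloudflare`. The `email: ${CF_API_EMAIL}` value is also suspect: unless something renders this file before Traefik starts, the static-configuration loader does not expand shell-style `${VAR}` and the ACME account would be registered with the literal string (the dynamic file at the top of this page uses the go-template form `{{env "CF_API_EMAIL"}}` instead). `serversTransport.insecureSkipVerify: true` disables certificate validation for every backend globally; a dedicated serversTransport for the few self-signed appliances would limit that to where it is needed.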


@@ -0,0 +1,204 @@
################################################################
#
# Configuration sample for Traefik v2.
#
# For Traefik v1: https://github.com/traefik/traefik/blob/v1.7/traefik.sample.toml
#
################################################################
################################################################
# Global configuration
################################################################
global:
checkNewVersion: true
sendAnonymousUsage: false
################################################################
# EntryPoints configuration
################################################################
# EntryPoints definition
#
# Optional
#
entryPoints:
http:
address: :80
# http:
# redirections:
# entryPoint:
# to: https
# scheme: https
https:
address: :443
# http:
#tls:
#options: tls-opts@file
#certResolver: cloudflare
#domains:
#- main: gurulandia.eu
#- sans: *.gurulandia.eu
#- main: local.gurulandia.eu
#- sans: *.local.gurulandia.eu
#- main: gurulandia.fi
# sans:
# - *.gurulandia.fi
#forwardedHeaders:
# trustedIPs:
# - "173.245.48.0/20"
# - "103.21.244.0/22"
# - "103.22.200.0/22"
# - "103.31.4.0/22"
# - "141.101.64.0/18"
# - "108.162.192.0/18"
# - "190.93.240.0/20"
# - "188.114.96.0/20"
# - "197.234.240.0/22"
# - "198.41.128.0/17"
# - "162.158.0.0/15"
# - "172.64.0.0/13"
# - "131.0.72.0/22"
# - "104.16.0.0/13"
# - "104.24.0.0/14"
serversTransport:
insecureSkipVerify: true
################################################################
# Traefik logs configuration
################################################################
# Traefik logs
# Enabled by default and log to stdout
#
# Optional
#
log:
# Log level
#
# Optional
# Default: "ERROR"
#
level: INFO
# Sets the filepath for the traefik log. If not specified, stdout will be used.
# Intermediate directories are created if necessary.
#
# Optional
# Default: os.Stdout
#
filePath: "/var/log/traefik/traefik.log"
# Format is either "json" or "common".
#
# Optional
# Default: "common"
#
# format: json
################################################################
# Access logs configuration
################################################################
# Enable access logs
# By default it will write to stdout and produce logs in the textual
# Common Log Format (CLF), extended with additional fields.
#
# Optional
#
accessLog:
# Sets the file path for the access log. If not specified, stdout will be used.
# Intermediate directories are created if necessary.
#
# Optional
# Default: os.Stdout
#
filePath: "/var/log/traefik/access.log"
# Format is either "json" or "common".
#
# Optional
# Default: "common"
#
# format: json
################################################################
# API and dashboard configuration
################################################################
# Enable API and dashboard
#
# Optional
#
api:
# Enable the API in insecure mode
#
# Optional
# Default: false
#
insecure: true
# Enabled Dashboard
#
# Optional
# Default: true
#
#dashboard: true
################################################################
# Ping configuration
################################################################
# Enable ping
#ping:
# Name of the related entry point
#
# Optional
# Default: "traefik"
#
# entryPoint: traefik
providers:
# Enable Docker configuration backend
docker:
# Docker server endpoint. Can be a tcp or a unix socket endpoint.
#
# Required
# Default: "unix:///var/run/docker.sock"
#
endpoint: tcp://socket-proxy:2375
# Default host rule.
#
# Optional
# Default: "Host(`{{ normalize .Name }}`)"
#
# defaultRule: Host(`{{ normalize .Name }}.docker.localhost`)
# Expose containers by default in traefik
#
# Optional
# Default: true
#
exposedByDefault: false
# Enable File configuration backend
file:
directory: /config
watch: true
# Enable Redis configuration backend
#redis:
#endpoints:
# - "redis:6379"
################################################################
# Certificate Resolvers
################################################################
certificatesResolvers:
cloudflare:
acme:
email: gurulandia@outlook.com
storage: acme.json
dnsChallenge:
provider: cloudflare
#disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
resolvers:
- "1.1.1.1:53"
- "1.0.0.1:53"
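Review bot: `api.insecure: true` publishes the dashboard and the `/api` endpoints on the dedicated `traefik` entrypoint (port 8080) without any authentication, and the companion `dashboard: true` is commented out; together with the hard-coded ACME email and the "Configuration sample" header, this file reads like a sample that was committed next to the real configuration. If it is only a reference, say so explicitly in the header comment; if it is loaded, replace `insecure: true` with `dashboard: true` and publish the dashboard through a router behind `chain-authelia` or `chain-basic-auth`, as the first static file on this page already leaves `insecure` commented out.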


@@ -0,0 +1,47 @@
api:
dashboard: true
debug: true
entryPoints:
http:
address: ":80"
http:
redirections:
entryPoint:
to: "https"
scheme: "https"
https:
address: ":443"
http:
middlewares:
- "crowdsec-bouncer@file"
openvpn:
address: ":1194/udp"
k3s:
address: ":6443"
serversTransport:
insecureSkipVerify: true
providers:
docker:
endpoint: tcp://socket-proxy:2375
exposedByDefault: false
file:
directory: /config
watch: true
certificatesResolvers:
cloudflare:
acme:
email: ${CLOUDFLARE_EMAIL}
storage: acme.json
dnsChallenge:
provider: cloudflare
#disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
resolvers:
- "1.1.1.1:53"
- "1.0.0.1:53"
log:
level: INFO
filePath: "/var/log/traefik/traefik.log"
accessLog:
filePath: "/var/log/traefik/access.log"
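Review bot: The https entrypoint attaches `crowdsec-bouncer@file`, but the middleware defined in the dynamic files on this page is named `middlewares-crowdsec-bouncer`; Traefik will report the entrypoint middleware as non-existent, and whether that means the bouncer is silently absent or routers on the entrypoint fail depends on the version, so it is worth confirming in the logs. Either rename the reference to `- "middlewares-crowdsec-bouncer@file"` or rename the definition. `api.debug: true` additionally enables the debug endpoints on the API; it is a troubleshooting switch rather than a production default.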


@@ -0,0 +1 @@
gurulandia:{SHA}pZz64lzpzvjBTCNPWBokXW/7qD0=
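Review bot: This users file stores the password with the `{SHA}` scheme, an unsalted SHA-1 digest that offers little resistance to offline guessing, and it is committed to the repository, so the digest is now part of the project history. Regenerate the entry with bcrypt (`htpasswd -nB gurulandia`), which Traefik's basicAuth middleware accepts, and keep the file out of version control, mounting it at the `/users` path the middleware expects from a local or secret-managed location. Rotate the password as well, since the old digest will remain in past commits.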


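--- a/<env file: path not shown on this page>
+++ b/<env file: path not shown on this page>
@@ -29,7 +29,7 @@ DOMAINNAME3=home.gurulandia.fi
 ##### Traefik Container
 TRAEFIK_CONTAINER_NAME=traefik
 TRAEFIK_IMAGE=traefik
-TRAEFIK_VERSION=latest
+TRAEFIK_TAG=latest
 TRAEFIK_RESTART_POLICY=unless-stopped
 #TRAEFIK_IP0=192.168.91.254
 #TRAEFIK_IP1=192.168.92.252
@@ -37,7 +37,7 @@ TRAEFIK_RESTART_POLICY=unless-stopped
 ##### socket-proxy Container
 SOCKET_PROXY_CONTAINER_NAME=socket-proxy
 SOCKET_PROXY_IMAGE=ghcr.io/tecnativa/docker-socket-proxy
-SOCKET_PROXY_VERSION=latest
+SOCKET_PROXY_TAG=latest
 SOCKET_PROXY_RESTART_POLICY=always
 #SOCKET_PROXY_IP=192.168.92.254
@@ -61,7 +61,7 @@ RESOLVER1=1.0.0.1:53
 ##### Crowdsec Container
 CROWDSEC_CONTAINER_NAME=crowdsec
 CROWDSEC_IMAGE=crowdsecurity/crowdsec
-CROWDSEC_VERSION=latest
+CROWDSEC_TAG=latest
 CROWDSEC_RESTART_POLICY=unless-stopped
 #CROWDSEC_COLLECTIONS="crowdsecurity/linux crowdsecurity/traefik"
 CROWDSEC_COLLECTIONS="crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/whitelist-good-actors crowdsecurity/iptables crowdsecurity/linux fulljackz/proxmox"
@@ -70,7 +70,7 @@ CROWDSEC_COLLECTIONS="crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity
 ##### bouncer-traefik Container
 BT_CONTAINER_NAME=bouncer-traefik
 BT_IMAGE=docker.io/fbonalair/traefik-crowdsec-bouncer
-BT_VERSION=latest
+BT_TAG=latest
 BT_RESTART_POLICY=unless-stopped
 GIN_MODE=release
 #BT_IP=192.168.92.251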


@@ -25,3 +25,111 @@ SOCKET_PROXY_VERSION=latest
SOCKET_PROXY_RESTART_POLICY=always SOCKET_PROXY_RESTART_POLICY=always
DOCKER_ENDPOINT=tcp://${SOCKET_PROXY_CONTAINER_NAME}:2375 DOCKER_ENDPOINT=tcp://${SOCKET_PROXY_CONTAINER_NAME}:2375
#Configure
#COMPOSE_PROJECT_NAME
#COMPOSE_FILE
#Specifies the path to a Compose file. Specifying multiple Compose files is supported.
#Default behavior: If not provided, Compose looks for a file named compose.yaml in the current directory and, if not found, then Compose searches each parent directory recursively until a file by that name is found.
#When specifying multiple Compose files, the path separators are, by default, on:
#Mac and Linux: : (colon)
#Windows: ; (semicolon) For example:
#COMPOSE_FILE=docker-compose.yml:docker-compose.prod.yml
#The path separator can also be customized using COMPOSE_PATH_SEPARATOR.
#See also the command-line options overview and using -f to specify name and path of one or more Compose files.
#COMPOSE_PROFILES
#Specifies one or more profiles to be enabled when docker compose up is run.
#
#Services with matching profiles are started as well as any services for which no profile has been defined.
#
#For example, calling docker compose upwith COMPOSE_PROFILES=frontend selects services with the frontend profile as well as any services without a profile specified.
#
#If specifying multiple profiles, use a comma as a separator.
#This following example enables all services matching both the frontend and debug profiles and services without a profile.
#COMPOSE_PROFILES=frontend,debug
#See also Using profiles with Compose and the --profile command-line option.
#COMPOSE_CONVERT_WINDOWS_PATHS
#When enabled, Compose performs path conversion from Windows-style to Unix-style in volume definitions.
#Supported values:
#true or 1, to enable
#false or 0, to disable
#Defaults to: 0
#COMPOSE_PATH_SEPARATOR
#Specifies a different path separator for items listed in COMPOSE_FILE.
#Defaults to:
#On macOS and Linux to :
#On Windows to;
#COMPOSE_IGNORE_ORPHANS
#When enabled, Compose doesn't try to detect orphaned containers for the project.
#Supported values:
#true or 1, to enable
#false or 0, to disable
#Defaults to: 0
#COMPOSE_REMOVE_ORPHANS
#When enabled, Compose automatically removes orphaned containers when updating a service or stack. Orphaned containers are those that were created by a previous configuration but are no longer defined in the current compose.yaml file.
#Supported values:
#true or 1, to enable automatic removal of orphaned containers
#false or 0, to disable automatic removal. Compose displays a warning about orphaned containers instead.
#Defaults to: 0
#COMPOSE_PARALLEL_LIMIT
#Specifies the maximum level of parallelism for concurrent engine calls.
#COMPOSE_ANSI
#Specifies when to print ANSI control characters.
#Supported values:
#auto, Compose detects if TTY mode can be used. Otherwise, use plain text mode
#never, use plain text mode
#always or 0, use TTY mode
#Defaults to: auto
#COMPOSE_STATUS_STDOUT
#When enabled, Compose writes its internal status and progress messages to stdout instead of stderr. The default value is false to clearly separate the output streams between Compose messages and your container's logs.
#Supported values:
#true or 1, to enable
#false or 0, to disable
#Defaults to: 0
#COMPOSE_ENV_FILES
#Lets you specify which environment files Compose should use if --env-file isn't used.
#When using multiple environment files, use a comma as a separator. For example:
#COMPOSE_ENV_FILES=.env.envfile1, .env.envfile2
#If COMPOSE_ENV_FILES is not set, and you don't provide --env-file in the CLI, Docker Compose uses the default behavior, which is to look for an .env file in the project directory.
#COMPOSE_MENU
#Requires:
#Docker Compose 2.26.0 and later
#When enabled, Compose displays a navigation menu where you can choose to open the Compose stack in Docker Desktop, switch on watch mode, or use Docker Debug.
#Supported values:
#true or 1, to enable
#false or 0, to disable
#Defaults to: 1 if you obtained Docker Compose through Docker Desktop, otherwise default is 0
#COMPOSE_EXPERIMENTAL
#Requires:
#Docker Compose 2.26.0 and later
#This is an opt-out variable. When turned off it deactivates the experimental features such as the navigation menu or Synchronized file shares.
#Supported values:
#true or 1, to enable
#false or 0, to disable
#Defaults to: 1


@@ -0,0 +1,25 @@
version: "3.4"
services:
postgres:
image: docker.io/library/postgres:16.1
environment:
- PGDATA=/var/lib/postgresql/data/pgdata
- POSTGRES_USER=lenpaste
- POSTGRES_PASSWORD=pass
volumes:
- "${PWD}/data/postgres:/var/lib/postgresql/data"
lenpaste:
image: ghcr.io/lcomrade/lenpaste:1.3.1
restart: on-failure:10
environment:
- LENPASTE_DB_DRIVER=postgres
- LENPASTE_DB_SOURCE=postgres://lenpaste:lenpaste@10.0.6.178/lenpaste?sslmode=disable
#postgresql://[user[:password]@][netloc][:port][/dbname][?param1=value1&...]
volumes:
- "${PWD}/data:/data"
ports:
- "58080:80"
depends_on:
- postgres
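Review bot: The database credentials in this file do not line up: postgres is initialised with `POSTGRES_PASSWORD=pass`, while lenpaste connects with `postgres://lenpaste:lenpaste@10.0.6.178/lenpaste?sslmode=disable`, a different password and a fixed host IP rather than the `postgres` service name, so the `depends_on` ordering buys nothing and the app either fails to authenticate or talks to a database outside this stack. Point the source at the service (`postgres://lenpaste:${LENPASTE_DB_PASS}@postgres/lenpaste`) and feed the same variable to `POSTGRES_PASSWORD`, sourced from an env file that is not committed, the way the other stacks on this page use `${...}` variables. `version: "3.4"` is obsolete in Compose v2 and can be dropped.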


@@ -0,0 +1,23 @@
services:
netbootxyz:
# image: ghcr.io/netbootxyz/netbootxyz
image: lscr.io/linuxserver/netbootxyz:latest
container_name: netbootxyz
environment:
- PUID=1000
- PGID=1000
- TZ=Etc/UTC
#- MENU_VERSION=1.9.9 #optional
#- PORT_RANGE=30000:30010 #optional
#- SUBFOLDER=/ #optional
#- MENU_VERSION=2.0.47 # optional
- NGINX_PORT=80 # optional
- WEB_APP_PORT=3000 # optional
volumes:
- /gurulandia/data/netbootxyz/config:/config # optional
- /gurulandia/data/netbootxyz/assets:/assets # optional
ports:
- 3001:3000 # optional, destination should match ${WEB_APP_PORT} variable above.
- 69:69/udp
- 8080:80 # optional, destination should match ${NGINX_PORT} variable above.
restart: unless-stopped


@@ -0,0 +1,24 @@
services:
privatebin:
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.${PRIVATEBIN_HOSTNAME}-rtr.entrypoints=https"
- "traefik.http.routers.${PRIVATEBIN_HOSTNAME}-rtr.rule=Host(`${PRIVATEBIN_HOSTNAME}.$DOMAINNAME1`)"
## Middlewares
# - "traefik.http.routers.${PRIVATEBIN_HOSTNAME}-rtr.middlewares=chain-authelia@file"
- "traefik.http.routers.${PRIVATEBIN_HOSTNAME}-rtr.middlewares=chain-no-auth@file"
## HTTP Services
- "traefik.http.routers.${PRIVATEBIN_HOSTNAME}-rtr.service=${PRIVATEBIN_HOSTNAME}-svc"
- "traefik.http.services.${PRIVATEBIN_HOSTNAME}-svc.loadbalancer.server.port=8080"
depends_on:
db:
condition: service_healthy
networks:
- ${PRIVATEBINDB_NETWORk_ID}
db:
image: ${PRIVATEBINDB_IMAGE}:${PRIVATEBINDB_TAG}
container_name: ${PRIVATEBINDB_CONTAINER_NAME}
restart: ${PRIVATEBINDB_RESTART_POLICY}
networks:
- ${PRIVATEBINDB_NETWORk_ID}
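Review bot: privatebin declares `depends_on: db: condition: service_healthy`, but the `db` service defined here has no `healthcheck` (nor environment or volumes), so unless `../../compose/postgres.yaml`, which the stack file includes, supplies one, Compose refuses to start with a no-healthcheck error; the yeetfile variant further down shows the `pg_isready` check to reuse. The network variable is spelled `PRIVATEBINDB_NETWORk_ID` with a lowercase k; it is consistent across every file on this page, so it works only while the env file uses the same spelling, and it is worth correcting to `PRIVATEBINDB_NETWORK_ID` everywhere before someone fixes one side only.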


@@ -0,0 +1,10 @@
name: privatebin
# Docker Compose v2.20 or greater required to use "include"
include:
#################### NETWORKS ####################
- ../../compose/networks/${PRIVATEBIN_NETWORk_ID}.yaml
- ../../compose/networks/${PRIVATEBINDB_NETWORk_ID}.yaml
#################### SERVICES ####################
- ../../compose/postgres.yaml
- ../../compose/privatebin.yaml


@@ -0,0 +1,5 @@
docker compose \
--env-file ../../env/privatebin-stack.env \
--env-file ../../env/privatebin-db.env \
--env-file ../../env/common.env \
$1
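Review bot: The wrapper passes only `$1` to `docker compose`, so `./deploy.sh up -d` or `./deploy.sh logs -f web` silently drops every argument after the first; use `"$@"` to forward all of them, quoted so arguments containing spaces survive. The same pattern appears in the other deploy.sh files on this page (the PrivateBin variants and the YeetFile one). A `cd "$(dirname "$0")"` at the top would also make the relative `../../env/...` paths independent of the caller's working directory.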


@@ -0,0 +1,13 @@
services:
privatebin:
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.${PRIVATEBIN_HOSTNAME}-rtr.entrypoints=https"
- "traefik.http.routers.${PRIVATEBIN_HOSTNAME}-rtr.rule=Host(`${PRIVATEBIN_HOSTNAME}.$DOMAINNAME1`)"
## Middlewares
# - "traefik.http.routers.${PRIVATEBIN_HOSTNAME}-rtr.middlewares=chain-authelia@file"
- "traefik.http.routers.${PRIVATEBIN_HOSTNAME}-rtr.middlewares=chain-no-auth@file"
## HTTP Services
- "traefik.http.routers.${PRIVATEBIN_HOSTNAME}-rtr.service=${PRIVATEBIN_HOSTNAME}-svc"
- "traefik.http.services.${PRIVATEBIN_HOSTNAME}-svc.loadbalancer.server.port=8080"


@@ -0,0 +1,7 @@
name: privatebin
# Docker Compose v2.20 or greater required to use "include"
include:
#################### NETWORKS ####################
- ../../compose/networks/${PRIVATEBIN_NETWORk_ID}.yaml
#################### SERVICES ####################
- ../../compose/privatebin.yaml


@@ -0,0 +1,4 @@
docker compose \
--env-file ../../env/privatebin-stack.env \
--env-file ../../env/common.env \
$1


@@ -0,0 +1,4 @@
services:
privatebin:
volumes:
- ${DOCKERDIR}/private-bin/conf.php:/srv/cfg/conf.php:ro


@@ -0,0 +1,7 @@
name: privatebin
# Docker Compose v2.20 or greater required to use "include"
include:
#################### NETWORKS ####################
- ../../compose/networks/${PRIVATEBIN_NETWORk_ID}.yaml
#################### SERVICES ####################
- ../../compose/privatebin.yaml

4
docker/PrivateBin/deploy.sh Executable file

@@ -0,0 +1,4 @@
docker compose \
--env-file ../env/privatebin-stack.env \
--env-file ../env/common.env \
$1


@@ -0,0 +1,13 @@
services:
privatebin:
volumes:
- ${DOCKERDIR}/private-bin/conf.php:/srv/cfg/conf.php:ro
depends_on:
db:
condition: service_healthy
db:
image: ${PRIVATEBINDB_IMAGE}:${PRIVATEBINDB_TAG}
container_name: ${PRIVATEBINDB_CONTAINER_NAME}
restart: ${PRIVATEBINDB_RESTART_POLICY}
networks:
- ${PRIVATEBIN_NETWORk_ID}


@@ -0,0 +1,9 @@
name: privatebin
# Docker Compose v2.20 or greater required to use "include"
include:
#################### NETWORKS ####################
- ../../compose/networks/${PRIVATEBIN_NETWORk_ID}.yaml
- ../../compose/networks/${PRIVATEBINDB_NETWORk_ID}.yaml
#################### SERVICES ####################
- ../../compose/postgres.yaml
- ../../compose/privatebin.yaml


@@ -0,0 +1,5 @@
docker compose \
--env-file ../../env/privatebin-stack.env \
--env-file ../../env/privatebin-db.env \
--env-file ../../env/common.env \
$1


@@ -0,0 +1,37 @@
services:
api:
environment:
YEETFILE_DB_HOST: db
YEETFILE_DOMAIN: "${YEETFILE_HOSTNAME}.$DOMAINNAME1"
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.${YEETFILE_HOSTNAME}-rtr.entrypoints=https"
- "traefik.http.routers.${YEETFILE_HOSTNAME}-rtr.rule=Host(`${YEETFILE_HOSTNAME}.$DOMAINNAME1`)"
## Middlewares
# - "traefik.http.routers.${YEETFILE_HOSTNAME}-rtr.middlewares=chain-authelia@file"
- "traefik.http.routers.${YEETFILE_HOSTNAME}-rtr.middlewares=chain-no-auth@file"
## HTTP Services
- "traefik.http.routers.${YEETFILE_HOSTNAME}-rtr.service=${YEETFILE_HOSTNAME}-svc"
- "traefik.http.services.${YEETFILE_HOSTNAME}-svc.loadbalancer.server.port=8090"
networks:
- ${YEETFILEDB_NETWORk_ID}
depends_on:
db:
condition: service_healthy
db:
image: ${YEETFILEDB_IMAGE}:${YEETFILEDB_TAG}
container_name: ${YEETFILEDB_CONTAINER_NAME}
restart: ${YEETFILEDB_RESTART_POLICY}
environment:
POSTGRES_HOST_AUTH_METHOD: ${POSTGRES_HOST_AUTH_METHOD:-md5}
POSTGRES_USER: ${YEETFILE_DB_USER:-postgres}
POSTGRES_PASSWORD: ${YEETFILE_DB_PASS:-postgres}
POSTGRES_DB: ${YEETFILE_DB_NAME:-yeetfile}
expose:
- 5432
healthcheck:
test: [ "CMD-SHELL", "pg_isready -U postgres" ]
interval: 3s
networks:
- ${YEETFILEDB_NETWORk_ID}
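Review bot: `POSTGRES_PASSWORD: ${YEETFILE_DB_PASS:-postgres}` silently falls back to the password `postgres` when the variable is missing from the env files, so a typo in the db env file yields a running database with a default credential; the same fallback appears in the other variant of this file (ending at L2483). Compose's required-variable form, `POSTGRES_PASSWORD: ${YEETFILE_DB_PASS:?YEETFILE_DB_PASS is not set}`, makes `docker compose up` fail loudly instead. The `postgres` defaults for `POSTGRES_USER` and `POSTGRES_DB` are less sensitive, but the healthcheck hardcodes `-U postgres` regardless of `POSTGRES_USER`; `pg_isready -U ${YEETFILE_DB_USER:-postgres}` keeps the two in step.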


@@ -0,0 +1,10 @@
name: yeetfile
# Docker Compose v2.20 or greater required to use "include"
include:
#################### NETWORKS ####################
- ../../compose/networks/${YEETFILE_NETWORk_ID}.yaml
- ../../compose/networks/${YEETFILEDB_NETWORk_ID}.yaml
#################### SERVICES ####################
- ../../compose/postgres.yaml
- ../../compose/yeetfile.yaml


@@ -0,0 +1,6 @@
#docker create network -d brigde proxy
#docker create network -d bridge backend
docker compose --env-file ../../env/YeetFile-stack.env \
--env-file ../../env/YeetFile-db.env \
--env-file ../../env/YeetFile.env \
--env-file ../../env/common.env $1


@@ -0,0 +1,15 @@
services:
api:
environment:
YEETFILE_DOMAIN: "${YEETFILE_HOSTNAME}.$DOMAINNAME1"
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.${YEETFILE_HOSTNAME}-rtr.entrypoints=https"
- "traefik.http.routers.${YEETFILE_HOSTNAME}-rtr.rule=Host(`${YEETFILE_HOSTNAME}.$DOMAINNAME1`)"
## Middlewares
# - "traefik.http.routers.${YEETFILE_HOSTNAME}-rtr.middlewares=chain-authentik@file"
- "traefik.http.routers.${YEETFILE_HOSTNAME}-rtr.middlewares=chain-no-auth@file"
## HTTP Services
- "traefik.http.routers.${YEETFILE_HOSTNAME}-rtr.service=${YEETFILE_HOSTNAME}-svc"
- "traefik.http.services.${YEETFILE_HOSTNAME}-svc.loadbalancer.server.port=8090"


@@ -0,0 +1,7 @@
name: yeetfile
# Docker Compose v2.20 or greater required to use "include"
include:
#################### NETWORKS ####################
- ../../compose/networks/${YEETFILE_NETWORk_ID}.yaml
#################### SERVICES ####################
- ../../compose/yeetfile.yaml


@@ -0,0 +1,2 @@
#docker create network -d brigde proxy
docker compose --env-file ../../env/YeetFile-stack.env --env-file ../../env/common.env $1


@@ -0,0 +1,18 @@
services:
api:
image: ${YEETFILE_IMAGE}:${YEETFILE_TAG}
container_name: ${YEETFILE_CONTAINER_NAME}
restart: ${YEETFILE_RESTART_POLICY}
security_opt:
- no-new-privileges:true
networks:
- ${YEETFILE_NETWORk_ID}
ports:
- 8090:${YEETFILE_PORT:-8090}
environment:
UID: ${UID:-1000}
GID: ${GID:-1000}
TZ: ${TZ}
YEETFILE_ALLOW_INSECURE_LINKS: 1
YEETFILE_SERVER_SECRET: 2N1oTtwOHTyEbTFtz0yDLuzq3DhgjIWmSKw4gNcH8Vk=
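Review bot: `YEETFILE_SERVER_SECRET` is written as a literal value in the compose file, which commits a live server secret to version control; once pushed it remains in history, so it should be treated as exposed and rotated, and the file should reference it instead, e.g. `YEETFILE_SERVER_SECRET: ${YEETFILE_SERVER_SECRET:?set in the YeetFile env file}` (the deploy script earlier in this range already passes a `YeetFile.env` that could hold it). Separately, `ports: - 8090:${YEETFILE_PORT:-8090}` publishes the API on every host interface, which bypasses the Traefik router and middleware chain defined in the other variant of this file (ending at L2401); `expose:` or `"127.0.0.1:8090:${YEETFILE_PORT:-8090}"` keeps it behind the proxy. `YEETFILE_ALLOW_INSECURE_LINKS: 1` is presumably deliberate for a non-TLS setup, but a one-line comment stating why would stop it being copied into the proxied deployment unnoticed.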


@@ -0,0 +1,7 @@
name: yeetfile
# Docker Compose v2.20 or greater required to use "include"
include:
#################### NETWORKS ####################
- ../compose/networks/${YEETFILE_NETWORk_ID}.yaml
#################### SERVICES ####################
- ../compose/yeetfile.yaml

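--- a/docker/YeetFile/deploy.sh
+++ b/docker/YeetFile/deploy.sh
@@ -0,0 +1,2 @@
+#docker create network -d bridge yeetfile
+docker compose --env-file ../env/YeetFile-stack.env --env-file ../env/common.env $1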


@@ -0,0 +1,21 @@
services:
api:
environment:
YEETFILE_ALLOW_INSECURE_LINKS: 1
YEETFILE_DB_HOST: db
depends_on:
db:
condition: service_healthy
db:
image: ${YEETFILEDB_IMAGE}:${YEETFILEDB_TAG}
container_name: ${YEETFILEDB_CONTAINER_NAME}
restart: ${YEETFILEDB_RESTART_POLICY}
environment:
POSTGRES_HOST_AUTH_METHOD: ${POSTGRES_HOST_AUTH_METHOD:-md5}
POSTGRES_USER: ${YEETFILE_DB_USER:-postgres}
POSTGRES_PASSWORD: ${YEETFILE_DB_PASS:-postgres}
POSTGRES_DB: ${YEETFILE_DB_NAME:-yeetfile}
expose:
- 5432
networks:
- ${YEETFILE_NETWORk_ID}


@@ -0,0 +1,9 @@
name: yeetfile
# Docker Compose v2.20 or greater required to use "include"
include:
#################### NETWORKS ####################
- ../../compose/networks/${YEETFILE_NETWORk_ID}.yaml
#################### SERVICES ####################
- ../../compose/postgres.yaml
- ../../compose/yeetfile.yaml


@@ -0,0 +1,6 @@
#docker create network -d bridge yeetfile
#docker create network -d bridge backend
docker compose --env-file ../../env/YeetFile-stack.env \
--env-file ../../env/YeetFile.env \
--env-file ../../env/YeetFile-db.env \
--env-file ../../env/common.env $1


@@ -1,2 +0,0 @@
#CROWDSEC_COLLECTIONS="crowdsecurity/linux crowdsecurity/traefik"
CROWDSEC_COLLECTIONS="crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/whitelist-good-actors crowdsecurity/iptables crowdsecurity/linux fulljackz/proxmox"


@@ -1,113 +0,0 @@
########################### SECRETS
secrets:
cloudflare_email:
file: ${SECRETSDIR}/cloudflare_email
cloudflare_api_key:
file: ${SECRETSDIR}/cloudflare_api_key
cloudflare_api_token:
file: ${SECRETSDIR}/cloudflare_dns_api_token
services:
# Traefik 2 - Reverse Proxy
# Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
# touch $DOCKERDIR/traefik2/acme/acme.json
# chmod 600 $DOCKERDIR/traefik2/acme/acme.json
# touch $DOCKERDIR/traefik2/traefik.log
traefik:
container_name: ${TRAEFIK_CONTAINER_NAME}
image: ${TRAEFIK_IMAGE}:${TRAEFIK_VERSION}
restart: ${TRAEFIK_RESTART_POLICY}
security_opt:
- no-new-privileges:true
networks:
proxy:
socket_proxy:
ports:
- 80:80
- 443:443
#env_file:
#- path: ./traefik.env
# required: true # default
#- path: ./override.env
# required: false
environment:
- CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
- CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
- CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_api_token
command: # CLI arguments
- --global.checkNewVersion=true
- --global.sendAnonymousUsage=false #true
- --entryPoints.http.address=:80
- --entrypoints.http.http.redirections.entryPoint.to=https
- --entrypoints.http.http.middlewares=middlewares-crowdsec-bouncer@file
- --entryPoints.https.address=:443
- --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
# - --entryPoints.traefik.address=:8080
#(- --entryPoints.ping.address=:8081)
- --api=true
#(- --api.insecure=true)
- --api.dashboard=true
#(- --ping=true)
#(- --pilot.token=$TRAEFIK_PILOT_TOKEN)
- --serversTransport.insecureSkipVerify=true
- --log=true
- --log.level=DEBUG #INFO # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
- --log.filePath= /var/log/traefik/traefik.log
- --accessLog=true
- --accessLog.filePath=/var/log/traefik/access.log
- --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
#- --accessLog.filters.statusCodes=400-499
- --providers.docker=true
- --providers.docker.endpoint=${DOCKER_ENDPOINT} # Use Docker Socket Proxy instead for improved security
# Automatically set Host rule for services
#(- --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME0`))
- --providers.docker.exposedByDefault=false
#- --providers.redis=true
#- --providers.redis.endpoints=redis:6379
#- --entrypoints.https.http.middlewares=middlewares-crowdsec-bouncer@file
- --entrypoints.https.http.tls.options=tls-opts@file
# Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
- --entrypoints.https.http.tls.certresolver=${CERTRESOLVER}
- --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME0
- --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME0
- --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME1 # Pulls main cert for second domain
- --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME1 # Pulls wildcard cert for second domain
- --entrypoints.https.http.tls.domains[2].main=$DOMAINNAME2
- --entrypoints.https.http.tls.domains[2].sans=*.$DOMAINNAME2
- --entrypoints.https.http.tls.domains[3].main=$DOMAINNAME3 # Pulls main cert for second domain
- --entrypoints.https.http.tls.domains[3].sans=*.$DOMAINNAME3 # Pulls wildcard cert for second domain
- --providers.docker.network=proxy
- --providers.file.directory=/config # Load dynamic configuration from one or more .toml or .yml files in a directory
- --providers.file.watch=true # Only works on top level files in the rules folder
#- --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
- --certificatesResolvers.$CERTRESOLVER.acme.email=${CF_API_EMAIL}
- --certificatesResolvers.$CERTRESOLVER.acme.storage=/acme.json
- --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.provider=${DNS_PROVIDER}
- --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.resolvers=${RESOLVER0} #,$RESOLVER1
- --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
#healthcheck:
# test: ["CMD", "traefik", "healthcheck", "--ping"]
# interval: 5s
# retries: 3
volumes:
- /etc/localtime:/etc/localtime:ro
#- ${DOCKERDIR}/traefik/traefik.yml:/traefik.yml:ro
- ${DOCKERDIR}/traefik/config:/config:ro # file provider directory
- ${DOCKERDIR}/traefik/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
- ${DOCKERDIR}/traefik/logs:/var/log/traefik # for crowdsec - make sure to touch file before starting container
secrets:
- cloudflare_email
- cloudflare_api_key
- cloudflare_api_token
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=http"
- "traefik.http.routers.traefik.rule=Host(`${PROXYNAME}.${DOMAINNAME1}`)"
- "traefik.http.middlewares.traefik-auth.basicauth.users=${BASICAUTHUSER}"
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
- "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
- "traefik.http.routers.traefik-secure.entrypoints=https"
- "traefik.http.routers.traefik-secure.rule=Host(`${PROXYNAME}.${DOMAINNAME1}`)"
- "traefik.http.routers.traefik-secure.middlewares=chain-no-auth@file"
#- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
- "traefik.http.routers.traefik-secure.service=api@internal"
