Gurulandia/Homelab
1
0
Fork 0
Code Pull Requests Actions Wiki Activity

Compare commits

base: Gurulandia:b2dde87abe2d6bffab7c05bc6a8c3f5fa8f29ad6
Branches Tags
Gurulandia:main
..
compare: Gurulandia:main
Branches Tags
Gurulandia:main

19 Commits
b2dde87abe ... main

Author SHA1 Message Date
Gurulandia
de98a0d48d Talteen 2025-03-05 10:47:20 +02:00
Gurulandia
bdf14f68e9 Add Homarr 2025-03-05 10:29:42 +02:00
Gurulandia
6e9e27110d Traefik config 2025-03-05 10:00:59 +02:00
Gurulandia
9d0dd4bdcf add tag to ferretdb image 2025-03-05 09:37:36 +02:00
Gurulandia
861007b3a2 docker-compose,yml -> compose.yml 2025-03-05 09:37:09 +02:00
Gurulandia
89278bfecf Modified 2025-03-05 09:36:40 +02:00
Gurulandia
352ddeb5fd Modify 2025-03-04 21:00:45 +02:00
Gurulandia
030c5d2025 Initial commit 2025-03-04 20:59:29 +02:00
Gurulandia
09db1a8d08 Initial commit 2025-03-04 20:58:17 +02:00
Gurulandia
ef2e780434 Add Technitum DNS 2025-03-04 20:50:41 +02:00
Gurulandia
947ab4f86e Fix rule 2025-02-16 10:28:06 +02:00
Gurulandia
9245d8eacd Added parameters 2025-02-16 10:20:57 +02:00
Gurulandia
212a3a1620 Clean files 2025-02-16 10:18:25 +02:00
Gurulandia
a5612d74c3 Initial komodo commit 2025-02-16 09:44:34 +02:00
Gurulandia
71033032a4 Initial commit 2025-02-16 09:44:10 +02:00
Gurulandia
2dcef3a1f9 Komodo initial commit 2025-02-16 09:43:02 +02:00
Gurulandia
216371ea59 Initial commit 2025-02-09 20:47:02 +02:00
Gurulandia
d291fa594b Correct env files name 2025-02-09 19:24:11 +02:00
Gurulandia
a05c48c672 change filename 2025-02-09 19:23:46 +02:00
73 changed files with 1177407 additions and 80 deletions
Expand all files Collapse all files

19
config/docker/current/traefik/config/mw-authentik.yaml Normal file
View File

@@ -0,0 +1,19 @@
http:
middlewares:
middlewares-authentik:
forwardAuth:
address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version

2
config/docker/current/traefik/config/mw-basic-auth.yaml
View File

@@ -5,4 +5,4 @@ http:
# users:
# - "user:$apsdfs.$EntPC0w3FtswWvC/6fTVJ7IUVtX1"
usersFile: "/users" #be sure to mount the volume through docker-compose.yml
realm: "Traefik 2 Basic Auth"
realm: "Traefik 3 Basic Auth"

18
config/docker/current/traefik/config/mw-buffering.yaml Normal file
View File

@@ -0,0 +1,18 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
# Prevent too large of a body
# https://stackoverflow.com/questions/49717670/how-to-config-upload-body-size-restriction-in-traefik
middlewares-buffering:
buffering:
maxRequestBodyBytes: 10485760
memRequestBodyBytes: 2097152
maxResponseBodyBytes: 10485760
memResponseBodyBytes: 2097152
retryExpression: "IsNetworkError() && Attempts() <= 2"

9
config/docker/current/traefik/config/mw-chain-authentik.yaml Normal file
View File

@@ -0,0 +1,9 @@
http:
middlewares:
chain-authentik:
chain:
middlewares:
# - middlewares-crowdsec-bouncer
- middlewares-rate-limit
- middlewares-secure-headers
- middlewares-authentik

1
config/docker/current/traefik/config/mw-chain-no-auth.yaml
View File

@@ -3,7 +3,6 @@ http:
chain-no-auth:
chain:
middlewares:
- middlewares-crowdsec-bouncer
- middlewares-default-whitelist
- middlewares-rate-limit
- middlewares-secure-headers

12
config/docker/current/traefik/config/mw-compress.yaml Normal file
View File

@@ -0,0 +1,12 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
# Compress to save bandwidth
middlewares-compress:
compress: {}

15
config/docker/current/traefik/config/mw-https-redirectscheme.yaml Normal file
View File

@@ -0,0 +1,15 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
# Middleware for Redirection
# This can be used instead of global redirection
middlewares-https-redirectscheme:
redirectScheme:
scheme: https
permanent: true

29
config/docker/current/traefik/config/mw-secure-headers.yaml
View File

@@ -1,5 +1,15 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
################################################################
# Good Basic Security Practices
################################################################
middlewares-secure-headers:
headers:
accessControlAllowMethods:
@@ -9,23 +19,20 @@ http:
accessControlMaxAge: 100
hostsProxyHeaders:
- "X-Forwarded-Host"
sslRedirect: true
stsSeconds: 63072000
stsIncludeSubdomains: true
stsPreload: true
forceSTSHeader: true
# frameDeny: true #overwritten by customFrameOptionsValue
customFrameOptionsValue: "allow-from https:gurulandia.eu" #CSP takes care of this but may be needed for organizr.
customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME"}}" #CSP takes care of this but may be needed for organizr.
#customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
contentTypeNosniff: true
browserXssFilter: true
# sslForceHost: true # add sslHost to all of the services
# sslHost: "example.com"
# sslHost: "{{env "DOMAINNAME"}}"
referrerPolicy: "same-origin"
# Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
# the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
# contentSecurityPolicy: "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
# permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=()"
customResponseHeaders:
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
server: ""
# X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
# server: ""
# https://community.traefik.io/t/how-to-make-websockets-work-with-traefik-2-0-setting-up-rancher/1732
X-Forwarded-Proto: "https"

22
config/docker/current/traefik/config/tls-opts.yaml
View File

@@ -1,6 +1,21 @@
################################################################
# TLS Options (https://jellyfin.org/docs/general/networking/traefik2.html#traefik-providertoml)
# toml -> yml
# 2024 updates to cipherSuites from (https://www.smarthomebeginner.com/traefik-v3-docker-compose-guide-2024/)
#
# Set secure options by disabling insecure older TLS/SSL versions
# and insecure ciphers. SNIStrict disabled leaves TLS1.0 open.
# If you have problems with older clients, you can may need to relax
# these minimums. This configuration will give you an A+ SSL security
# score supporting TLS1.2 and TLS1.3
#
# Dynamic configuration
# https://doc.traefik.io/traefik/https/tls/
################################################################
tls:
options:
tls-opts:
sniStrict: true
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
@@ -14,6 +29,7 @@ tls:
- TLS_CHACHA20_POLY1305_SHA256
- TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
curvePreferences:
- CurveP521
- CurveP384
sniStrict: true
- secp521r1 # CurveP521
- secp384r1 # CurveP384
mintls13:
minVersion: VersionTLS13

1175072
config/docker/current/traefik/logs/access.log
View File

File diff suppressed because it is too large Load Diff

0
config/docker/current/traefik/logs/traefik-access.log Normal file
View File

0
config/docker/current/traefik/logs/traefik-container.log Normal file
View File

58
config/docker/current/traefik/old/acme.json Normal file
View File

File diff suppressed because one or more lines are too long

0
config/docker/current/traefik/config/mw-authelia.yaml → config/docker/current/traefik/old/config/mw-authelia.yaml
View File

8
config/docker/current/traefik/old/config/mw-basic-auth.yaml Normal file
View File

@@ -0,0 +1,8 @@
http:
middlewares:
middlewares-basic-auth:
basicAuth:
# users:
# - "user:$apsdfs.$EntPC0w3FtswWvC/6fTVJ7IUVtX1"
usersFile: "/users" #be sure to mount the volume through docker-compose.yml
realm: "Traefik 2 Basic Auth"

0
config/docker/current/traefik/config/mw-chain-authelia.yaml → config/docker/current/traefik/old/config/mw-chain-authelia.yaml
View File

8
config/docker/current/traefik/old/config/mw-chain-basic-auth.yaml Normal file
View File

@@ -0,0 +1,8 @@
http:
middlewares:
chain-basic-auth:
chain:
middlewares:
- middlewares-rate-limit
- middlewares-secure-headers
- middlewares-basic-auth

9
config/docker/current/traefik/old/config/mw-chain-no-auth.yaml Normal file
View File

@@ -0,0 +1,9 @@
http:
middlewares:
chain-no-auth:
chain:
middlewares:
- middlewares-crowdsec-bouncer
- middlewares-default-whitelist
- middlewares-rate-limit
- middlewares-secure-headers

0
config/docker/current/traefik/config/mw-chain-oauth.yaml → config/docker/current/traefik/old/config/mw-chain-oauth.yaml
View File

6
config/docker/current/traefik/old/config/mw-crowdsec-bouncer.yaml Normal file
View File

@@ -0,0 +1,6 @@
http:
middlewares:
middlewares-crowdsec-bouncer:
forwardauth:
address: http://bouncer-traefik:8080/api/v1/forwardAuth
trustForwardHeader: true

8
config/docker/current/traefik/old/config/mw-default-whitelist.yaml Normal file
View File

@@ -0,0 +1,8 @@
http:
middlewares:
middlewares-default-whitelist:
ipWhiteList:
sourceRange:
- "10.0.0.0/8"
- "192.168.0.0/16"
- "172.16.0.0/12"

6
config/docker/current/traefik/old/config/mw-rate-limit.yaml Normal file
View File

@@ -0,0 +1,6 @@
http:
middlewares:
middlewares-rate-limit:
rateLimit:
average: 100
burst: 50

31
config/docker/current/traefik/old/config/mw-secure-headers.yaml Normal file
View File

@@ -0,0 +1,31 @@
http:
middlewares:
middlewares-secure-headers:
headers:
accessControlAllowMethods:
- GET
- OPTIONS
- PUT
accessControlMaxAge: 100
hostsProxyHeaders:
- "X-Forwarded-Host"
sslRedirect: true
stsSeconds: 63072000
stsIncludeSubdomains: true
stsPreload: true
forceSTSHeader: true
# frameDeny: true #overwritten by customFrameOptionsValue
customFrameOptionsValue: "allow-from https:gurulandia.eu" #CSP takes care of this but may be needed for organizr.
contentTypeNosniff: true
browserXssFilter: true
# sslForceHost: true # add sslHost to all of the services
# sslHost: "example.com"
referrerPolicy: "same-origin"
# Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
# the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
# contentSecurityPolicy: "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
customResponseHeaders:
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
server: ""

19
config/docker/current/traefik/old/config/tls-opts.yaml Normal file
View File

@@ -0,0 +1,19 @@
tls:
options:
tls-opts:
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
curvePreferences:
- CurveP521
- CurveP384
sniStrict: true

0
config/docker/current/traefik/old/logs/access.log Normal file
View File

0
config/docker/current/traefik/old/logs/traefik.log Normal file
View File

141
config/docker/current/traefik/traefik.yaml Normal file
View File

@@ -0,0 +1,141 @@
# Traefik 3.x (YAML)
# Updated 2024-June-04
################################################################
# Global configuration - https://doc.traefik.io/traefik/reference/static-configuration/file/
################################################################
global:
checkNewVersion: true #false
sendAnonymousUsage: false
################################################################
# Entrypoints - https://doc.traefik.io/traefik/routing/entrypoints/
################################################################
entryPoints:
web:
address: ":80"
# Global HTTP to HTTPS redirection
http:
# middlewares:
# - crowdsec-bouncer@file
redirections:
entryPoint:
to: websecure
scheme: https
permanent: true
websecure:
address: ":443"
http:
# middlewares:
# - crowdsec-bouncer@file
tls:
options: tls-opts@file
certResolver: dns-cloudflare
domains:
- main: "{{env "DOMAINNAME0"}}"
sans:
- "*.{{env "DOMAINNAME0"}}"
- main: "{{env "DOMAINNAME1"}}"
sans:
- "*.{{env "DOMAINNAME1"}}"
- main: "{{env "DOMAINNAME2"}}"
sans:
- "*.{{env "DOMAINNAME2"}}"
- main: "{{env "DOMAINNAME3"}}"
sans:
- "*.{{env "DOMAINNAME3"}}"
forwardedHeaders:
trustedIPs:
# Cloudflare (https://www.cloudflare.com/ips-v4)
- "173.245.48.0/20"
- "103.21.244.0/22"
- "103.22.200.0/22"
- "103.31.4.0/22"
- "141.101.64.0/18"
- "108.162.192.0/18"
- "190.93.240.0/20"
- "188.114.96.0/20"
- "197.234.240.0/22"
- "198.41.128.0/17"
- "162.158.0.0/15"
- "104.16.0.0/13"
- "104.24.0.0/14"
- "172.64.0.0/13"
- "131.0.72.0/22"
- "104.16.0.0/13"
- "104.24.0.0/14"
# Local IPs
- "127.0.0.1/32"
- "10.0.0.0/8"
- "192.168.0.0/16"
- "172.16.0.0/12"
################################################################
# Logs - https://doc.traefik.io/traefik/observability/logs/
################################################################
log:
level: INFO # Options: DEBUG, PANIC, FATAL, ERROR (Default), WARN, and INFO
filePath: /logs/traefik-container.log # Default is to STDOUT
# format: json # Uses text format (common) by default
noColor: false # Recommended to be true when using common
maxSize: 100 # In megabytes
compress: true # gzip compression when rotating
################################################################
# Access logs - https://doc.traefik.io/traefik/observability/access-logs/
################################################################
accessLog:
addInternals: true # things like ping@internal
filePath: /logs/traefik-access.log # In the Common Log Format (CLF) by default
bufferingSize: 100 # Number of log lines
fields:
names:
StartUTC: drop # Write logs in Container Local Time instead of UTC
filters:
statusCodes:
- "204-299"
- "400-499"
- "500-599"
################################################################
# API and Dashboard
################################################################
api:
dashboard: true
# Rely on api@internal and Traefik with Middleware to control access
# insecure: true
################################################################
# Providers - https://doc.traefik.io/traefik/providers/docker/
################################################################
providers:
docker:
#endpoint: "unix:///var/run/docker.sock" # Comment if using socket-proxy
endpoint: "tcp://socket-proxy:2375" # Uncomment if using socket proxy
exposedByDefault: false
network: proxy # network to use for connections to all containers
# defaultRule: TODO
# Enable auto loading of newly created rules by watching a directory
file:
# Apps, LoadBalancers, TLS Options, Middlewares, Middleware Chains
directory: /config
watch: true
################################################################
# Let's Encrypt (ACME)
################################################################
certificatesResolvers:
dns-cloudflare:
acme:
email: "{{env "CF_API_EMAIL"}}"
storage: "/acme.json"
#caServer: "https://acme-staging-v02.api.letsencrypt.org/directory" # Comment out when going prod
dnsChallenge:
provider: cloudflare
#delayBeforeCheck: 30 # Default is 2m0s. This changes the delay (in seconds)
# Custom DNS server resolution
resolvers:
- "1.1.1.1:53"
- "8.8.8.8:53"

25
docker/Lenpaste/compose.yaml Normal file
View File

@@ -0,0 +1,25 @@
version: "3.4"
services:
postgres:
image: docker.io/library/postgres:16.1
environment:
- PGDATA=/var/lib/postgresql/data/pgdata
- POSTGRES_USER=lenpaste
- POSTGRES_PASSWORD=pass
volumes:
- "${PWD}/data/postgres:/var/lib/postgresql/data"
lenpaste:
image: ghcr.io/lcomrade/lenpaste:1.3.1
restart: on-failure:10
environment:
- LENPASTE_DB_DRIVER=postgres
- LENPASTE_DB_SOURCE=postgres://lenpaste:lenpaste@10.0.6.178/lenpaste?sslmode=disable
#postgresql://[user[:password]@][netloc][:port][/dbname][?param1=value1&...]
volumes:
- "${PWD}/data:/data"
ports:
- "58080:80"
depends_on:
- postgres

23
docker/Netbootxyz/compose.yaml Normal file
View File

@@ -0,0 +1,23 @@
services:
netbootxyz:
# image: ghcr.io/netbootxyz/netbootxyz
image: lscr.io/linuxserver/netbootxyz:latest
container_name: netbootxyz
environment:
- PUID=1000
- PGID=1000
- TZ=Etc/UTC
#- MENU_VERSION=1.9.9 #optional
#- PORT_RANGE=30000:30010 #optional
#- SUBFOLDER=/ #optional
#- MENU_VERSION=2.0.47 # optional
- NGINX_PORT=80 # optional
- WEB_APP_PORT=3000 # optional
volumes:
- /gurulandia/data/netbootxyz/config:/config # optional
- /gurulandia/data/netbootxyz/assets:/assets # optional
ports:
- 3001:3000 # optional, destination should match ${WEB_APP_PORT} variable above.
- 69:69/udp
- 8080:80 # optional, destination should match ${NGINX_PORT} variable above.
restart: unless-stopped

21
docker/compose/ferretdb.yaml Normal file
View File

@@ -0,0 +1,21 @@
services:
ferretdb:
container_name: ${FERRETDB_CONTAINER_NAME}
image: ${FERRETDB_IMAGE}
restart: ${FERRETDB_RESTART_POLICY}
security_opt:
- no-new-privileges:true
labels:
- "komodo.skip=" # Prevent Komodo from stopping with StopAllContainers
#depends_on:
# - postgres
logging:
driver: ${COMPOSE_LOGGING_DRIVER:-local}
networks:
- komodo
# ports:
# - 27017:27017
env_file: ../env/komodo.env
environment:
#- FERRETDB_POSTGRESQL_URL=postgres://komodo:komodo@10.0.6.178/komodo?sslmode=disable
- FERRETDB_POSTGRESQL_URL=postgres://${PSQL_HOST}:${PSQL_PORT}/${KOMODO_DATABASE_DB_NAME:-komodo}?sslmode=disable

18
docker/compose/homepage.yaml Normal file
View File

@@ -0,0 +1,18 @@
services:
homepage:
image: ${HOMEPAGE_IMAGE}:${HOMEPAGE_TAG}
container_name: ${HOMEPAGE_CONTAINER_NAME}
restart: ${FLATNOTES_RESTART_POLICY}
security_opt:
- no-new-privileges:true
networks:
- ${HOMEPAGE_NETWORK_ID}
# ports:
# - 3000:3000
volumes:
- ${DOCKERDIR}/homepage:/app/config # Make sure your local config directory exists
# - /var/run/docker.sock:/var/run/docker.sock:ro # (optional) For docker integrations
environment:
PUID: ${UID:-1000}
PGID: ${GID:-1000}
TZ: ${TZ}

4
docker/compose/joplin-server.yaml
View File

@@ -14,5 +14,5 @@ services:
GID: ${GID:-1000}
TZ: ${TZ}
env_file:
- path: ../env/.env.joplin-srv
- path: ../env/.env.joplin-srv.db-cred
- path: ../env/joplin-srv.env
- path: ../env/joplin-srv-db.env

59
docker/compose/komodo-core.yaml Normal file
View File

@@ -0,0 +1,59 @@
secrets:
komodo_passkey:
file: ${SECRETSDIR}/komodo/komodo_passkey
komodo_webhook_secret:
file: ${SECRETSDIR}/komodo/komodo_webhook_secret
komodo_jwt_secret:
file: ${SECRETSDIR}/komodo/komodo_jwt_secret
komodo_oidc_client_id:
file: ${SECRETSDIR}/komodo/komodo_oidc_client_id
komodo_oidc_client_secret:
file: ${SECRETSDIR}/komodo/komodo_oidc_client_secret
services:
core:
container_name: ${KOMODO_CORE_CONTAINER_NAME}
image: ${KOMODO_CORE_IMAGE}:${COMPOSE_KOMODO_IMAGE_TAG:-latest}
restart: ${KOMODO_RESTART_POLICY}
secrets:
- komodo_passkey
- komodo_webhook_secret
- komodo_jwt_secret
- komodo_oidc_client_id
- komodo_oidc_client_secret
labels:
- "komodo.skip=" # Prevent Komodo from stopping with StopAllContainers
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.${KOMODO_HOSTNAME}-rtr.entrypoints=https"
- "traefik.http.routers.${KOMODO_HOSTNAME}-rtr.rule=Host(`${KOMODO_HOSTNAME}.${DOMAINNAME1}`)"
## Middlewares
- "traefik.http.routers.${KOMODO_HOSTNAME}-rtr.middlewares=chain-no-auth@file"
## HTTP Services
- "traefik.http.routers.${KOMODO_HOSTNAME}-rtr.service=${KOMODO_HOSTNAME}-svc"
- "traefik.http.services.${KOMODO_HOSTNAME}-svc.loadbalancer.server.port=9120"
depends_on:
- ferretdb
logging:
driver: ${COMPOSE_LOGGING_DRIVER:-local}
networks:
- ${KOMODO_NETWORk_ID}
- komodo
# ports:
# - 9120:9120
env_file: ../env/komodo.env
environment:
KOMODO_DATABASE_URI: mongodb://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@ferretdb:27017/${KOMODO_DATABASE_DB_NAME:-komodo}?authMechanism=PLAIN
volumes:
## Core cache for repos for latest commit hash / contents
- repo-cache:/repo-cache
## Store sync files on server
# - /path/to/syncs:/syncs
## Optionally mount a custom core.config.toml
# - /path/to/core.config.toml:/config/config.toml
## Allows for systemd Periphery connection at
## "http://host.docker.internal:8120"
# extra_hosts:
# - host.docker.internal:host-gateway
volumes:
# Core
repo-cache:

35
docker/compose/komodo-periphery.yaml Normal file
View File

@@ -0,0 +1,35 @@
secrets:
komodo_passkey:
file: ${SECRETSDIR}/komodo/komodo_passkey
services:
## Deploy Periphery container using this block,
## or deploy the Periphery binary with systemd using
## https://github.com/mbecker20/komodo/tree/main/scripts
periphery:
container_name: ${KOMODO_PERTIPHERY_CONTAINER_NAME}
image: ${KOMODO_PERTIPHERY_IMAGE}:${COMPOSE_KOMODO_IMAGE_TAG:-latest}
restart: ${KOMODO_RESTART_POLICY}
labels:
- "komodo.skip=" # Prevent Komodo from stopping with StopAllContainers
logging:
driver: ${COMPOSE_LOGGING_DRIVER:-local}
networks:
- komodo
env_file: ../env/komodo.env
environment:
PERIPHERY_REPO_DIR: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/repos
PERIPHERY_STACK_DIR: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/stacks
PERIPHERY_SSL_KEY_FILE: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/ssl/key.pem
PERIPHERY_SSL_CERT_FILE: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/ssl/cert.pem
volumes:
## Mount external docker socket
- /var/run/docker.sock:/var/run/docker.sock
## Allow Periphery to see processes outside of container
- /proc:/proc
## Specify the Periphery agent root directory.
## Must be the same inside and outside the container,
## or docker will get confused. See https://github.com/mbecker20/komodo/discussions/180.
## Default: /etc/komodo.
- ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}:${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}
secrets:
- komodo_passkey

23
docker/compose/netbootxyz.yaml Normal file
View File

@@ -0,0 +1,23 @@
services:
netbootxyz:
# image: ghcr.io/netbootxyz/netbootxyz
image: lscr.io/linuxserver/netbootxyz:latest
container_name: netbootxyz
environment:
- PUID=${UID:-1000}
- PGID=${GID:-1000}
- TZ=${TZ}
#- MENU_VERSION=1.9.9 #optional
#- PORT_RANGE=30000:30010 #optional
#- SUBFOLDER=/ #optional
#- MENU_VERSION=2.0.47 # optional
- NGINX_PORT=80 # optional
- WEB_APP_PORT=3000 # optional
volumes:
- ${DOCKERDIR}/netbootxyz/config:/config # optional
- ${DOCKERDIR}/netbootxyz/assets:/assets # optional
ports:
- 3001:3000 # optional, destination should match ${WEB_APP_PORT} variable above.
- 69:69/udp
- 8080:80 # optional, destination should match ${NGINX_PORT} variable above.
restart: unless-stopped

2
docker/compose/networks/default.yaml
View File

@@ -1,4 +1,4 @@
networks:
default:
# name: default
name: default
driver: bridge

4
docker/compose/networks/komodo.yaml Normal file
View File

@@ -0,0 +1,4 @@
networks:
komodo:
name: komodo
driver: bridge

2
docker/compose/networks/proxy.yaml
View File

@@ -1,4 +1,4 @@
networks:
proxy:
name: proxy
external: true
# external: true

8
docker/docker-compose.yml
View File

@@ -28,10 +28,10 @@ networks:
# Docker Compose v2.20 or greater required to use "include"
include:
########################### SERVICES
- compose/dc-traefik.yml
- compose/dc-socket-proxy.yml
- compose/dc-crowdsec.yml
- compose/dc-traefik-bouncer.yml
- services/dc-traefik.yml
- services/dc-socket-proxy.yml
- services/dc-crowdsec.yml
- services/dc-traefik-bouncer.yml
# Portainer - WebUI for Containers
# portainer:

2
docker/env/.env.proxy vendored
View File

@@ -1,4 +1,4 @@
BASICAUTHUSER=gurulandia:$$apr1$$kBqxEDFb$$aOgGWvLwFUDhSymDy430m.
# BASICAUTHUSER=gurulandia:$$apr1$$kBqxEDFb$$aOgGWvLwFUDhSymDy430m.
# create basic auth with: echo $(htpasswd -nb "<USER>" "<PASSWORD>") | sed -e s/\\$/\\$\\$/g
##### trustedIPs

5
docker/env/.env.stack.proxy vendored
View File

@@ -7,11 +7,12 @@ PROXYNAME=proxy
TRAEFIK_CONTAINER_NAME=traefik
TRAEFIK_IMAGE=traefik
TRAEFIK_TAG=latest
TRAEFIK_RESTART_POLICY=unless-stopped
TRAEFIK_RESTART_POLICY=always
##### socket-proxy Container
SOCKET_PROXY_CONTAINER_NAME=socket-proxy
SOCKET_PROXY_IMAGE=ghcr.io/tecnativa/docker-socket-proxy
#SOCKET_PROXY_IMAGE=ghcr.io/tecnativa/docker-socket-proxy
SOCKET_PROXY_IMAGE=lscr.io/linuxserver/socket-proxy
SOCKET_PROXY_TAG=latest
SOCKET_PROXY_RESTART_POLICY=always

2
docker/env/common.env vendored
View File

@@ -1,6 +1,8 @@
##### SYSTEM
UID=1000
GID=1000
PUID=1000
PGID=1000
TZ=Europe/HelsinkI
#USERDIR=/home/gurulandia

8
docker/env/homepage-stack.env vendored Normal file
View File

@@ -0,0 +1,8 @@
HOMEPAGE_NETWORK_ID=proxy
HOMEPAGE_HOSTNAME=homepage
##### Homepage Container
HOMEPAGE_CONTAINER_NAME=homepage
HOMEPAGE_IMAGE=ghcr.io/gethomepage/homepage
HOMEPAGE_TAG=latest
HOMEPAGE_RESTART_POLICY=unless-stopped

0
docker/env/.env.joplin-srv → docker/env/joplin-srv.env vendored
View File

17
docker/env/komodo-stack.env vendored Normal file
View File

@@ -0,0 +1,17 @@
KOMODO_NETWORk_ID=proxy
KOMODO_HOSTNAME=komodo
KOMODO_RESTART_POLICY=unless-stopped
##### Komodo Core Container
KOMODO_CORE_CONTAINER_NAME=komodo-core
KOMODO_CORE_IMAGE=ghcr.io/mbecker20/komodo
##### Komodo Periphery Container
KOMODO_PERTIPHERY_CONTAINER_NAME=komodo-periphery
KOMODO_PERTIPHERY_IMAGE=ghcr.io/mbecker20/periphery
##### FerretDB Core Container
FERRETDB_CONTAINER_NAME=komodo-ferretdb
FERRETDB_IMAGE=ghcr.io/ferretdb/ferretdb:1
FERRETDB_RESTART_POLICY=${KOMODO_RESTART_POLICY}

133
docker/env/komodo.env vendored Normal file
View File

@@ -0,0 +1,133 @@
####################################
# 🦎 KOMODO COMPOSE - VARIABLES 🦎 #
####################################
## These compose variables can be used with all Komodo deployment options.
## Pass these variables to the compose up command using `--env-file komodo/compose.env`.
## Additionally, they are passed to both Komodo Core and Komodo Periphery with `env_file: ./compose.env`,
## so you can pass any additional environment variables to Core / Periphery directly in this file as well.
PSQL_HOST=10.0.6.178
PSQL_PORT=5432
## Stick to a specific version, or use `latest`
COMPOSE_KOMODO_IMAGE_TAG=latest
## Note: 🚨 Podman does NOT support local logging driver 🚨. See Podman options here:
## `https://docs.podman.io/en/v4.6.1/markdown/podman-run.1.html#log-driver-driver`
COMPOSE_LOGGING_DRIVER=local # Enable log rotation with the local driver.
## DB credentials - Ignored for Sqlite
KOMODO_DB_USERNAME=komodo
KOMODO_DB_PASSWORD=komodo
## Configure a secure passkey to authenticate between Core / Periphery.
KOMODO_PASSKEY_FILE=/run/secrets/komodo_passkey
#=-------------------------=#
#= Komodo Core Environment =#
#=-------------------------=#
## Full variable list + descriptions are available here:
## 🦎 https://github.com/mbecker20/komodo/blob/main/config/core.config.toml 🦎
## Note. Secret variables also support `${VARIABLE}_FILE` syntax to pass docker compose secrets.
## Docs: https://docs.docker.com/compose/how-tos/use-secrets/#examples
## Used for Oauth / Webhook url suggestion / Caddy reverse proxy.
KOMODO_HOST=https://komodo.lab.gurulandia.eu
## Displayed in the browser tab.
KOMODO_TITLE=Komodo by Gurulandia
#Komodo
## Create a server matching this address as the "first server".
## Use `https://host.docker.internal:8120` when using systemd-managed Periphery.
KOMODO_FIRST_SERVER=https://periphery:8120
## Make all buttons just double-click, rather than the full confirmation dialog.
KOMODO_DISABLE_CONFIRM_DIALOG=true
## Rate Komodo polls your servers for
## status / container status / system stats / alerting.
## Options: 1-sec, 5-sec, 15-sec, 1-min, 5-min.
## Default: 15-sec
KOMODO_MONITORING_INTERVAL="15-sec"
## Rate Komodo polls Resources for updates,
## like outdated commit hash.
## Options: 1-min, 5-min, 15-min, 30-min, 1-hr.
## Default: 5-min
KOMODO_RESOURCE_POLL_INTERVAL="5-min"
## Used to auth incoming webhooks. Alt: KOMODO_WEBHOOK_SECRET_FILE
KOMODO_WEBHOOK_SECRET_FILE=/run/secrets/komodo_webhook_secret
## Used to generate jwt. Alt: KOMODO_JWT_SECRET_FILE
KOMODO_JWT_SECRET_FILE=/run/secrets/komodo_jwt_secret
## Enable login with username + password.
KOMODO_LOCAL_AUTH=true
## Disable new user signups.
KOMODO_DISABLE_USER_REGISTRATION=false
## All new logins are auto enabled
KOMODO_ENABLE_NEW_USERS=true
## Disable non-admins from creating new resources.
KOMODO_DISABLE_NON_ADMIN_CREATE=false
## Allows all users to have Read level access to all resources.
KOMODO_TRANSPARENT_MODE=false
## Time to live for jwt tokens.
## Options: 1-hr, 12-hr, 1-day, 3-day, 1-wk, 2-wk
KOMODO_JWT_TTL="1-day"
## OIDC Login
KOMODO_OIDC_ENABLED=true
## Must reachable from Komodo Core container
KOMODO_OIDC_PROVIDER=https://authentik.lab.gurulandia.eu/application/o/komodo/
## Change the host to one reachable be reachable by users (optional if it is the same as above).
## DO NOT include the `path` part of the URL.
KOMODO_OIDC_REDIRECT_HOST=https://authentik.lab.gurulandia.eu
## Your client credentials
KOMODO_OIDC_CLIENT_ID_FILE=/run/secrets/komodo_oidc_client_id
KOMODO_OIDC_CLIENT_SECRET_FILE=/run/secrets/komodo_oidc_client_secret
## Make usernames the full email.
KOMODO_OIDC_USE_FULL_EMAIL=true
## Add additional trusted audiences for token claims verification.
## Supports comma separated list, and passing with _FILE (for compose secrets).
# KOMODO_OIDC_ADDITIONAL_AUDIENCES=abc,123 # Alt: KOMODO_OIDC_ADDITIONAL_AUDIENCES_FILE
## Github Oauth
KOMODO_GITHUB_OAUTH_ENABLED=false
# KOMODO_GITHUB_OAUTH_ID= # Alt: KOMODO_GITHUB_OAUTH_ID_FILE
# KOMODO_GITHUB_OAUTH_SECRET= # Alt: KOMODO_GITHUB_OAUTH_SECRET_FILE
## Google Oauth
KOMODO_GOOGLE_OAUTH_ENABLED=false
# KOMODO_GOOGLE_OAUTH_ID= # Alt: KOMODO_GOOGLE_OAUTH_ID_FILE
# KOMODO_GOOGLE_OAUTH_SECRET= # Alt: KOMODO_GOOGLE_OAUTH_SECRET_FILE
## Aws - Used to launch Builder instances and ServerTemplate instances.
KOMODO_AWS_ACCESS_KEY_ID= # Alt: KOMODO_AWS_ACCESS_KEY_ID_FILE
KOMODO_AWS_SECRET_ACCESS_KEY= # Alt: KOMODO_AWS_SECRET_ACCESS_KEY_FILE
## Hetzner - Used to launch ServerTemplate instances
## Hetzner Builder not supported due to Hetzner pay-by-the-hour pricing model
KOMODO_HETZNER_TOKEN= # Alt: KOMODO_HETZNER_TOKEN_FILE
#=------------------------------=#
#= Komodo Periphery Environment =#
#=------------------------------=#
## Full variable list + descriptions are available here:
## 🦎 https://github.com/mbecker20/komodo/blob/main/config/periphery.config.toml 🦎
## Periphery passkeys must include KOMODO_PASSKEY to authenticate.
PERIPHERY_PASSKEYS_FILE=/run/secrets/komodo_passkey
## Specify the root directory used by Periphery agent.
PERIPHERY_ROOT_DIRECTORY=/etc/komodo
## Enable SSL using self signed certificates.
## Connect to Periphery at https://address:8120.
PERIPHERY_SSL_ENABLED=true
## If the disk size is overreporting, can use one of these to
## whitelist / blacklist the disks to filter them, whichever is easier.
## Accepts comma separated list of paths.
## Usually whitelisting just /etc/hostname gives correct size.
PERIPHERY_INCLUDE_DISK_MOUNTS=/etc/hostname
# PERIPHERY_EXCLUDE_DISK_MOUNTS=/snap,/etc/repos

9
docker/env/technitum-dns-stack.env vendored Normal file
View File

@@ -0,0 +1,9 @@
TECHNITUM_DNS_NETWORk_ID=proxy
TECHNITUM_DNS_HOSTNAME=komodo
TECHNITUM_DNS_RESTART_POLICY=unless-stopped
##### Komodo Core Container
TECHNITUM_DNS_CONTAINER_NAME=dns-server
TECHNITUM_DNS_IMAGE=technitium/dns-server
TECHNITUM_DNS_TAG=latest

66
docker/env/technitum-dns.env vendored Normal file
View File

@@ -0,0 +1,66 @@
# The primary domain name used by this DNS Server to identify itself.
DNS_SERVER_DOMAIN=lab.gurulandia.eu
# DNS web console admin user password.
# DNS_SERVER_ADMIN_PASSWORD=password
# The path to a file that contains a plain text password for the DNS web console admin user.
DNS_SERVER_ADMIN_PASSWORD_FILE = /run/secrets/technitium_admin_password
# DNS Server will use IPv6 for querying whenever possible with this option enabled.
# DNS_SERVER_PREFER_IPV6=false
# Comma separated list of network interface IP addresses that you want the web service to listen on for requests.
# The "172.17.0.1" address is the built-in Docker bridge. The "[::]" is the default value if not specified.
# Note! This must be used only with "host" network mode.
# DNS_SERVER_WEB_SERVICE_LOCAL_ADDRESSES=172.17.0.1,127.0.0.1
# The TCP port number for the DNS web console over HTTP protocol.
# DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380
# The TCP port number for the DNS web console over HTTPS protocol.
# DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443 #The TCP port number for the DNS web console over HTTPS protocol.
# Enables HTTPS for the DNS web console.
# DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false
# Enables self signed TLS certificate for the DNS web console.
# DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false
# Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx.
# DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false
# Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworkACL.
# DNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks
# Comma separated list of IP addresses or network addresses to allow access.
# Add ! character at the start to deny access, e.g. !192.168.10.0/24 will deny entire subnet.
# The ACL is processed in the same order its listed. If no networks match, the default policy is to deny all except loopback.
# Valid only for `UseSpecifiedNetworkACL` recursion option.
# DNS_SERVER_RECURSION_NETWORK_ACL=192.168.10.0/24, !192.168.10.2
# Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworkACL` recursion option.
# This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead.
# DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24
# Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworkACL` recursion option.
# This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead.
# DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24
# Sets the DNS server to block domain names using Blocked Zone and Block List Zone.
# DNS_SERVER_ENABLE_BLOCKING=false
# Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests.
# DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false
# A comma separated list of block list URLs.
# DNS_SERVER_BLOCK_LIST_URLS=
# Comma separated list of forwarder addresses.
# DNS_SERVER_FORWARDERS=1.1.1.1, 8.8.8.8
# Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson.
# DNS_SERVER_FORWARDER_PROTOCOL=Tcp
# Enable this option to use local time instead of UTC for logging.
DNS_SERVER_LOG_USING_LOCAL_TIME=true

22
docker/homarr/compose.yaml Normal file
View File

@@ -0,0 +1,22 @@
#---------------------------------------------------------------------#
# Homarr - A simple, yet powerful dashboard for your server. #
#---------------------------------------------------------------------#
services:
homarr:
container_name: homarr
image: ghcr.io/homarr-labs/homarr:latest
restart: unless-stopped
volumes:
- /var/run/docker.sock:/var/run/docker.sock # Optional, only if you want docker integration
- /gurulandia/data/homarr/appdata:/appdata
environment:
- SECRET_ENCRYPTION_KEY=9a3fb9c060d3ff37ac0e0785177979ec48620144b8fd3e5883c02e27f68b2dba # <--- can be generated with `openssl rand -hex 32`
- DB_DRIVER=mysql2
- DB_DIALECT=mysql
- DB_HOST=10.0.6.180
- DB_PORT=3306
- DB_NAME=homarr
- DB_USER=homarr
- DB_PASSWORD=homarr
ports:
- 7575:7575

55
docker/homepage/behind-proxy/compose.override.yaml Normal file
View File

@@ -0,0 +1,55 @@
secrets:
title:
file: /gurulandia/data/homepage/secrets/title
services:
homepage:
image: ghcr.io/gethomepage/homepage:latest
container_name: homepage
ports:
- 3000:3000
volumes:
- /gurulandia/data/homepage:/app/config # Make sure your local config directory exists
- /var/run/docker.sock:/var/run/docker.sock:ro # (optional) For docker integrations
environment:
- PUID=1000
- PGID=1000
- HOMEPAGE_VAR_BASE="https://homepage.lab.gurulandia.eu/"
#- HOMEPAGE_VAR_TITLE="Gurulandia's Awesome Homepage"
- HOMEPAGE_FILE_TITLE=/run/secrets/title
networks:
- proxy
- socket_proxy
labels:
traefik.enable: true
## HTTP Routers
traefik.http.routers.homepage-rtr.entrypoints: https
traefik.http.routers.homepage-rtr.rule: Host(`homepage.lab.gurulandia.eu`)
## Middlewares
#- "traefik.http.routers.${GOTIFY_HOST_NAME}-rtr.middlewares=chain-authelia@file"
traefik.http.routers.homepage-rtr.middlewares: chain-authentik@file
#traefik.http.routers.homepage-rtr.middlewares: chain-no-auth@file
## HTTP Services
traefik.http.routers.homepage-rtr.service: homepage-svc
traefik.http.services.homepage-svc.loadbalancer.server.port: 3000
secrets:
- title
networks:
proxy:
external: true
socket_proxy:
external: true
#services:
# homepage:
# labels:
# - "traefik.enable=true"
## HTTP Routers
# - "traefik.http.routers.${HOMEPAGE_HOSTNAME}-rtr.entrypoints=https"
# - "traefik.http.routers.${HOMEPAGE_HOSTNAME}-rtr.rule=Host(`${HOMEPAGE_HOSTNAME}.$DOMAINNAME1`)"
## Middlewares
# - "traefik.http.routers.${HOMEPAGE_HOSTNAME}-rtr.middlewares=chain-authelia@file"
# - "traefik.http.routers.${HOMEPAGE_HOSTNAME}-rtr.middlewares=chain-no-auth@file"
## HTTP Services
# - "traefik.http.routers.${HOMEPAGE_HOSTNAME}-rtr.service=${HOMEPAGE_HOSTNAME}-svc"
# - "traefik.http.services.${HOMEPAGE_HOSTNAME}-svc.loadbalancer.server.port=22300"

7
docker/homepage/behind-proxy/compose.yaml Normal file
View File

@@ -0,0 +1,7 @@
name: homepagee
# Docker Compose v2.20 or greater required to use "include"
include:
#################### NETWORKS ####################
- ../../compose/networks/${HOMEPAGR_NETWORk_ID}.yaml
#################### SERVICES ####################
- ../../compose/homepage.yaml

4
docker/homepage/behind-proxy/deploy.sh Executable file
View File

@@ -0,0 +1,4 @@
docker compose \
--env-file ../../env/homepage-stack.env \
--env-file ../../env/common.env \
$1

7
docker/homepage/compose.yaml Normal file
View File

@@ -0,0 +1,7 @@
name: homepagee
# Docker Compose v2.20 or greater required to use "include"
include:
#################### NETWORKS ####################
- ../compose/networks/${HOMEPAGR_NETWORk_ID}.yaml
#################### SERVICES ####################
- ../compose/homepage.yaml

4
docker/homepage/deploy.sh Executable file
View File

@@ -0,0 +1,4 @@
docker compose \
--env-file ../env/homepage-stack.env \
--env-file ../env/common.env \
$1

133
docker/jemma/komodo/compose.env Normal file
View File

@@ -0,0 +1,133 @@
####################################
# 🦎 KOMODO COMPOSE - VARIABLES 🦎 #
####################################
## These compose variables can be used with all Komodo deployment options.
## Pass these variables to the compose up command using `--env-file komodo/compose.env`.
## Additionally, they are passed to both Komodo Core and Komodo Periphery with `env_file: ./compose.env`,
## so you can pass any additional environment variables to Core / Periphery directly in this file as well.
PSQL_HOST=10.0.6.178
PSQL_PORT=5432
## Stick to a specific version, or use `latest`
COMPOSE_KOMODO_IMAGE_TAG=latest
## Note: 🚨 Podman does NOT support local logging driver 🚨. See Podman options here:
## `https://docs.podman.io/en/v4.6.1/markdown/podman-run.1.html#log-driver-driver`
COMPOSE_LOGGING_DRIVER=local # Enable log rotation with the local driver.
## DB credentials - Ignored for Sqlite
KOMODO_DB_USERNAME=komodo
KOMODO_DB_PASSWORD=komodo
## Configure a secure passkey to authenticate between Core / Periphery.
KOMODO_PASSKEY_FILE=/run/secrets/komodo_passkey
#=-------------------------=#
#= Komodo Core Environment =#
#=-------------------------=#
## Full variable list + descriptions are available here:
## 🦎 https://github.com/mbecker20/komodo/blob/main/config/core.config.toml 🦎
## Note. Secret variables also support `${VARIABLE}_FILE` syntax to pass docker compose secrets.
## Docs: https://docs.docker.com/compose/how-tos/use-secrets/#examples
## Used for Oauth / Webhook url suggestion / Caddy reverse proxy.
KOMODO_HOST=https://komodo.lab.gurulandia.eu
## Displayed in the browser tab.
KOMODO_TITLE=Komodo by Gurulandia
#Komodo
## Create a server matching this address as the "first server".
## Use `https://host.docker.internal:8120` when using systemd-managed Periphery.
KOMODO_FIRST_SERVER=https://periphery:8120
## Make all buttons just double-click, rather than the full confirmation dialog.
KOMODO_DISABLE_CONFIRM_DIALOG=true
## Rate Komodo polls your servers for
## status / container status / system stats / alerting.
## Options: 1-sec, 5-sec, 15-sec, 1-min, 5-min.
## Default: 15-sec
KOMODO_MONITORING_INTERVAL="15-sec"
## Rate Komodo polls Resources for updates,
## like outdated commit hash.
## Options: 1-min, 5-min, 15-min, 30-min, 1-hr.
## Default: 5-min
KOMODO_RESOURCE_POLL_INTERVAL="5-min"
## Used to auth incoming webhooks. Alt: KOMODO_WEBHOOK_SECRET_FILE
KOMODO_WEBHOOK_SECRET_FILE=/run/secrets/komodo_webhook_secret
## Used to generate jwt. Alt: KOMODO_JWT_SECRET_FILE
KOMODO_JWT_SECRET_FILE=/run/secrets/komodo_jwt_secret
## Enable login with username + password.
KOMODO_LOCAL_AUTH=true
## Disable new user signups.
KOMODO_DISABLE_USER_REGISTRATION=false
## All new logins are auto enabled
KOMODO_ENABLE_NEW_USERS=true
## Disable non-admins from creating new resources.
KOMODO_DISABLE_NON_ADMIN_CREATE=false
## Allows all users to have Read level access to all resources.
KOMODO_TRANSPARENT_MODE=false
## Time to live for jwt tokens.
## Options: 1-hr, 12-hr, 1-day, 3-day, 1-wk, 2-wk
KOMODO_JWT_TTL="1-day"
## OIDC Login
KOMODO_OIDC_ENABLED=true
## Must reachable from Komodo Core container
KOMODO_OIDC_PROVIDER=https://authentik.lab.gurulandia.eu/application/o/komodo/
## Change the host to one reachable be reachable by users (optional if it is the same as above).
## DO NOT include the `path` part of the URL.
KOMODO_OIDC_REDIRECT_HOST=https://authentik.lab.gurulandia.eu
## Your client credentials
KOMODO_OIDC_CLIENT_ID_FILE=/run/secrets/komodo_oidc_client_id
KOMODO_OIDC_CLIENT_SECRET_FILE=/run/secrets/komodo_oidc_client_secret
## Make usernames the full email.
KOMODO_OIDC_USE_FULL_EMAIL=true
## Add additional trusted audiences for token claims verification.
## Supports comma separated list, and passing with _FILE (for compose secrets).
# KOMODO_OIDC_ADDITIONAL_AUDIENCES=abc,123 # Alt: KOMODO_OIDC_ADDITIONAL_AUDIENCES_FILE
## Github Oauth
KOMODO_GITHUB_OAUTH_ENABLED=false
# KOMODO_GITHUB_OAUTH_ID= # Alt: KOMODO_GITHUB_OAUTH_ID_FILE
# KOMODO_GITHUB_OAUTH_SECRET= # Alt: KOMODO_GITHUB_OAUTH_SECRET_FILE
## Google Oauth
KOMODO_GOOGLE_OAUTH_ENABLED=false
# KOMODO_GOOGLE_OAUTH_ID= # Alt: KOMODO_GOOGLE_OAUTH_ID_FILE
# KOMODO_GOOGLE_OAUTH_SECRET= # Alt: KOMODO_GOOGLE_OAUTH_SECRET_FILE
## Aws - Used to launch Builder instances and ServerTemplate instances.
KOMODO_AWS_ACCESS_KEY_ID= # Alt: KOMODO_AWS_ACCESS_KEY_ID_FILE
KOMODO_AWS_SECRET_ACCESS_KEY= # Alt: KOMODO_AWS_SECRET_ACCESS_KEY_FILE
## Hetzner - Used to launch ServerTemplate instances
## Hetzner Builder not supported due to Hetzner pay-by-the-hour pricing model
KOMODO_HETZNER_TOKEN= # Alt: KOMODO_HETZNER_TOKEN_FILE
#=------------------------------=#
#= Komodo Periphery Environment =#
#=------------------------------=#
## Full variable list + descriptions are available here:
## 🦎 https://github.com/mbecker20/komodo/blob/main/config/periphery.config.toml 🦎
## Periphery passkeys must include KOMODO_PASSKEY to authenticate.
PERIPHERY_PASSKEYS_FILE=/run/secrets/komodo_passkey
## Specify the root directory used by Periphery agent.
PERIPHERY_ROOT_DIRECTORY=/etc/komodo
## Enable SSL using self signed certificates.
## Connect to Periphery at https://address:8120.
PERIPHERY_SSL_ENABLED=true
## If the disk size is overreporting, can use one of these to
## whitelist / blacklist the disks to filter them, whichever is easier.
## Accepts comma separated list of paths.
## Usually whitelisting just /etc/hostname gives correct size.
PERIPHERY_INCLUDE_DISK_MOUNTS=/etc/hostname
# PERIPHERY_EXCLUDE_DISK_MOUNTS=/snap,/etc/repos

161
docker/jemma/komodo/compose.yaml Normal file
View File

@@ -0,0 +1,161 @@
###################################
# 🦎 KOMODO COMPOSE - POSTGRES 🦎 #
###################################
## This compose file will deploy:
## 1. Postgres + FerretDB Mongo adapter (https://www.ferretdb.com)
## 2. Komodo Core
## 3. Komodo Periphery
name: komodo
secrets:
komodo_db_user:
file: ${SECRETSDIR}/komodo/komodo_db_user
komodo_db_password:
file: ${SECRETSDIR}/komodo/komodo_db_password
komodo_passkey:
file: ${SECRETSDIR}/komodo/komodo_passkey
komodo_webhook_secret:
file: ${SECRETSDIR}/komodo/komodo_webhook_secret
komodo_jwt_secret:
file: ${SECRETSDIR}/komodo/komodo_jwt_secret
komodo_oidc_client_id:
file: ${SECRETSDIR}/komodo/komodo_oidc_client_id
komodo_oidc_client_secret:
file: ${SECRETSDIR}/komodo/komodo_oidc_client_secret
services:
#postgres:
# image: postgres
# labels:
# komodo.skip: # Prevent Komodo from stopping with StopAllContainers
# restart: unless-stopped
# logging:
# driver: ${COMPOSE_LOGGING_DRIVER:-local}
# networks:
# - default
# ports:
# - 5432:5432
# volumes:
# - pg-data:/var/lib/postgresql/data
# environment:
# - POSTGRES_USER=${KOMODO_DB_USERNAME}
# - POSTGRES_PASSWORD=${KOMODO_DB_PASSWORD}
# - POSTGRES_DB=${KOMODO_DATABASE_DB_NAME:-komodo}
ferretdb:
#container_name: ${TRAEFIK_CONTAINER_NAME}
#image: ${TRAEFIK_IMAGE}:${TRAEFIK_TAG}
#restart: ${TRAEFIK_RESTART_POLICY}
restart: unless-stopped
security_opt:
- no-new-privileges:true
image: ghcr.io/ferretdb/ferretdb
labels:
komodo.skip: # Prevent Komodo from stopping with StopAllContainers
#depends_on:
# - postgres
logging:
driver: ${COMPOSE_LOGGING_DRIVER:-local}
networks:
- default
# ports:
# - 27017:27017
env_file: ./compose.env
environment:
#- FERRETDB_POSTGRESQL_URL=postgres://komodo:komodo@10.0.6.178/komodo?sslmode=disable
- FERRETDB_POSTGRESQL_URL=postgres://${PSQL_HOST}:${PSQL_PORT}/${KOMODO_DATABASE_DB_NAME:-komodo}?sslmode=disable
core:
#container_name: ${TRAEFIK_CONTAINER_NAME}
#image: ${TRAEFIK_IMAGE}:${TRAEFIK_TAG}
#restart: ${TRAEFIK_RESTART_POLICY}
restart: unless-stopped
image: ghcr.io/mbecker20/komodo:${COMPOSE_KOMODO_IMAGE_TAG:-latest}
secrets:
- komodo_db_user
- komodo_db_password
- komodo_passkey
- komodo_webhook_secret
- komodo_jwt_secret
- komodo_oidc_client_id
- komodo_oidc_client_secret
labels:
komodo.skip: # Prevent Komodo from stopping with StopAllContainers
traefik.enable: true
## HTTP Routers
traefik.http.routers.komodo-rtr.entrypoints: https
traefik.http.routers.komodo-rtr.rule: Host(`komodo.lab.gurulandia.eu`)
## Middlewares
# - "traefik.http.routers.${PRIVATEBIN_HOSTNAME}-rtr.middlewares=chain-authelia@file"
traefik.http.routers.komodo-rtr.middlewares: chain-no-auth@file
## HTTP Services
traefik.http.routers.komodo-rtr.service: komodo-svc
traefik.http.services.komodo-svc.loadbalancer.server.port: 9120
depends_on:
- ferretdb
logging:
driver: ${COMPOSE_LOGGING_DRIVER:-local}
networks:
- default
- proxy
ports:
- 9120:9120
env_file: ./compose.env
environment:
KOMODO_DATABASE_URI: mongodb://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@ferretdb:27017/${KOMODO_DATABASE_DB_NAME:-komodo}?authMechanism=PLAIN
volumes:
## Core cache for repos for latest commit hash / contents
- repo-cache:/repo-cache
## Store sync files on server
# - /path/to/syncs:/syncs
## Optionally mount a custom core.config.toml
# - /path/to/core.config.toml:/config/config.toml
## Allows for systemd Periphery connection at
## "http://host.docker.internal:8120"
# extra_hosts:
# - host.docker.internal:host-gateway
## Deploy Periphery container using this block,
## or deploy the Periphery binary with systemd using
## https://github.com/mbecker20/komodo/tree/main/scripts
periphery:
#container_name: ${TRAEFIK_CONTAINER_NAME}
#image: ${TRAEFIK_IMAGE}:${TRAEFIK_TAG}
#restart: ${TRAEFIK_RESTART_POLICY}
restart: unless-stopped
image: ghcr.io/mbecker20/periphery:${COMPOSE_KOMODO_IMAGE_TAG:-latest}
labels:
komodo.skip: # Prevent Komodo from stopping with StopAllContainers
logging:
driver: ${COMPOSE_LOGGING_DRIVER:-local}
networks:
- default
env_file: ./compose.env
environment:
PERIPHERY_REPO_DIR: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/repos
PERIPHERY_STACK_DIR: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/stacks
PERIPHERY_SSL_KEY_FILE: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/ssl/key.pem
PERIPHERY_SSL_CERT_FILE: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/ssl/cert.pem
volumes:
## Mount external docker socket
- /var/run/docker.sock:/var/run/docker.sock
## Allow Periphery to see processes outside of container
- /proc:/proc
## Specify the Periphery agent root directory.
## Must be the same inside and outside the container,
## or docker will get confused. See https://github.com/mbecker20/komodo/discussions/180.
## Default: /etc/komodo.
- ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}:${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}
secrets:
- komodo_passkey
volumes:
# Postgres
#pg-data:
# Core
repo-cache:
networks:
default: {}
proxy:
external: true

10
docker/komodo/compose.yaml Normal file
View File

@@ -0,0 +1,10 @@
name: komodo
# Docker Compose v2.20 or greater required to use "include"
include:
#################### NETWORKS ####################
- ../compose/networks/${KOMODO_NETWORk_ID}.yaml
- ../compose/networks/komodo.yaml
#################### SERVICES ####################
- ../compose/ferretdb.yaml
- ../compose/komodo-core.yaml
- ../compose/komodo-periphery.yaml

5
docker/komodo/deploy.sh Executable file
View File

@@ -0,0 +1,5 @@
docker compose \
--env-file ../env/komodo-stack.env \
--env-file ../env/komodo.env \
--env-file ../env/common.env \
$1 $2 $3

21
docker/memos/compose.yaml Normal file
View File

@@ -0,0 +1,21 @@
services:
memos:
image: neosmemo/memos:stable
restart: always
# depends_on:
# - db
ports:
- 5230:5230
environment:
- MEMOS_DRIVER=postgres
- MEMOS_DSN=user=memos password=memos dbname=memos host=10.0.6.178 sslmode=disable
# db:
# image: postgres:16.1
# restart: unless-stopped
# volumes:
# - "./database:/var/lib/postgresql/data/"
# environment:
# POSTGRES_USER: memos
# POSTGRES_PASSWORD: secret
# POSTGRES_DB: memosdb

35
docker/nginx/compose.yaml Normal file
View File

@@ -0,0 +1,35 @@
services:
web:
image: nginx:latest
container_name: jimsgarage
volumes:
- /gurulandia/data/nginx/templates:/etc/nginx/templates
- /gurulandia/data/nginx/web:/usr/share/nginx/html
environment:
- NGINX_HOST=nginx.lab.gurulandia.eu
- NGINX_PORT=80
ports:
- 8089:80
labels:
- "traefik.enable=true"
#- "traefik.http.routers.nginx.entrypoints=http"
#- "traefik.http.routers.nginx.rule=Host(`nginx.jimsgarage.co.uk`)"
#- "traefik.http.middlewares.nginx-https-redirect.redirectscheme.scheme=https"
#- "traefik.http.routers.nginx.middlewares=nginx-https-redirect"
- "traefik.http.routers.nginx-secure.entrypoints=https"
- "traefik.http.routers.nginx-secure.rule=Host(`nginx.lab.gurulandia.eu`)"
#- "traefik.http.routers.nginx-secure.tls=true"
#- "traefik.http.routers.nginx-secure.service=nginx"
- "traefik.http.services.nginx.loadbalancer.server.port=80"
#- "traefik.http.routers.nginx-secure.middlewares=chain-no-auth@file"
#- "traefik.http.routers.nginx-secure.middlewares=chain-authentik@file" #add this to any container you want to use the Authentik web proxy
- "traefik.http.routers.nginx-secure.middlewares=middlewares-authentik@file" #add this to any container you want to use the Authentik web proxy
# - "traefik.docker.network=proxy"
networks:
proxy:
security_opt:
- no-new-privileges:true
networks:
proxy:
external: true

22
docker/pgweb/compose.yaml Normal file
View File

@@ -0,0 +1,22 @@
services:
pgweb:
container_name: pgweb
image: sosedoff/pgweb:latest
#build: .
#environment:
# PGWEB_DATABASE_URL: postgres://pgweb:pgweb@pgweb-postgres:5432/pgweb?sslmode=disable
ports:
- 58081:8081
networks:
- pgweb
#depends_on:
# postgres:
# condition: service_healthy
healthcheck:
test: ["CMD", "nc", "-vz", "127.0.0.1", "58081"]
interval: 5s
volumes:
- /gurulandia/data/pgweb:/home/pgweb/.pgweb/bookmarks
networks:
pgweb:
name: pgweb

0
docker/proxy/docker-compose.yml → docker/proxy/compose.yml
View File

34
docker/redis/compose.yaml Normal file
View File

@@ -0,0 +1,34 @@
services:
redis:
container_name: redis
image: redis:latest
command: redis-server
volumes:
- redis:/var/lib/redis
- redis-config:/usr/local/etc/redis/redis.conf
ports:
- 6379:6379
networks:
- redis-network
redis-commander:
container_name: redis-commander
image: rediscommander/redis-commander:latest
environment:
- REDIS_HOSTS=local:redis:6379
- HTTP_USER=root
- HTTP_PASSWORD=qwerty
ports:
- 8081:8081
networks:
- redis-network
depends_on:
- redis
volumes:
redis:
redis-config:
networks:
redis-network:
driver: bridge

133
docker/services/dc-traefik.yml
View File

@@ -1,94 +1,120 @@
########################### SECRETS
secrets:
cloudflare_email:
file: ${SECRETSDIR}/cloudflare_email
cloudflare_api_key:
file: ${SECRETSDIR}/cloudflare_api_key
#cloudflare_email:
# file: ${SECRETSDIR}/cloudflare_email
#cloudflare_api_key:
# file: ${SECRETSDIR}/cloudflare_api_key
basic_auth_credentials:
file: $DOCKERDIR/secrets/basic_auth_credentials
cloudflare_api_token:
file: ${SECRETSDIR}/cloudflare_dns_api_token
services:
# Traefik 2 - Reverse Proxy
# Traefik 3 - Reverse Proxy
# Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
# touch $DOCKERDIR/traefik2/acme/acme.json
# chmod 600 $DOCKERDIR/traefik2/acme/acme.json
# touch $DOCKERDIR/traefik2/traefik.log
traefik:
container_name: ${TRAEFIK_CONTAINER_NAME}
image: ${TRAEFIK_IMAGE}:${TRAEFIK_TAG}
restart: ${TRAEFIK_RESTART_POLICY}
container_name: ${TRAEFIK_CONTAINER_NAME:-traefik}
image: ${TRAEFIK_IMAGE:-traefik}:${TRAEFIK_TAG:-latest}
restart: ${TRAEFIK_RESTART_POLICY:-always}
security_opt:
- no-new-privileges:true
user: ${UID:-1000}:${GID:-1000}
networks:
proxy:
socket_proxy:
ports:
- 80:80
- 443:443
- 465:465
- 587:587
- target: 80
published: 80
protocol: tcp
mode: host
- target: 443
published: 443
protocol: tcp
mode: host
#- target: 465
# published: 465
# protocol: tcp
# mode: host
#- target: 587
# published: 587
# protocol: tcp
# mode: host
#- 465:465
#- 587:587
#env_file:
#- path: ./traefik.env
# required: true # default
#- path: ./override.env
# required: false
environment:
- CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
- CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
#- CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
#- CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
- CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_api_token
- HTPASSWD_FILE=/run/secrets/basic_auth_credentials # HTTP Basic Auth Credentials
- DOMAINNAME0 # Passing the domain name to traefik container to be able to use the variable in rules.
- DOMAINNAME1
- DOMAINNAME2
- DOMAINNAME3
- CF_API_EMAIL
command: # CLI arguments
- --global.checkNewVersion=true
- --global.sendAnonymousUsage=false #true
- --entryPoints.http.address=:80
- --entrypoints.http.http.redirections.entryPoint.to=https
- --entrypoints.http.http.middlewares=middlewares-crowdsec-bouncer@file
- --entryPoints.https.address=:443
- --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
- --entrypoints.mailsecure.address=:465
- --entrypoints.maildefault.address=:587
# - --entryPoints.traefik.address=:8080
# - --entryPoints.ping.address=:8081
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --entrypoints.traefik.address=:8080
- --entrypoints.web.http.redirections.entrypoint.to=websecure
- --entrypoints.web.http.redirections.entrypoint.scheme=https
- --entrypoints.web.http.redirections.entrypoint.permanent=true
- --api=true
# - --api.insecure=true)
- --api.dashboard=true
# - --ping=true)
# - --pilot.token=$TRAEFIK_PILOT_TOKEN)
- --serversTransport.insecureSkipVerify=true
# - --serversTransport.insecureSkipVerify=true
# Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
- --entrypoints.websecure.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
- --log=true
- --log.filePath=/logs/traefik.log
- --log.level=INFO # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
- --log.filePath= /var/log/traefik/traefik.log
- --accessLog=true
- --accessLog.filePath=/var/log/traefik/access.log
- --accessLog.filePath=/logs/access.log
- --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
- --accessLog.filters.statusCodes=400-499
- --accessLog.filters.statusCodes=204-299,400-499,500-599
- --providers.docker=true
- --providers.docker.endpoint=${DOCKER_ENDPOINT} # Use Docker Socket Proxy instead for improved security
# Automatically set Host rule for services
# - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME0`)
- --providers.docker.exposedByDefault=false
# - --providers.redis=true
# - --providers.redis.endpoints=redis:6379
- --entrypoints.https.http.middlewares=middlewares-crowdsec-bouncer@file
- --entrypoints.https.http.tls.options=tls-opts@file
# Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
- --entrypoints.https.http.tls.certresolver=${CERTRESOLVER}
- --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME0
- --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME0
- --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME1 # Pulls main cert for second domain
- --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME1 # Pulls wildcard cert for second domain
- --entrypoints.https.http.tls.domains[2].main=$DOMAINNAME2
- --entrypoints.https.http.tls.domains[2].sans=*.$DOMAINNAME2
- --entrypoints.https.http.tls.domains[3].main=$DOMAINNAME3 # Pulls main cert for second domain
- --entrypoints.https.http.tls.domains[3].sans=*.$DOMAINNAME3 # Pulls wildcard cert for second domain
- --providers.docker.network=proxy
- --entrypoints.websecure.http.tls=true
- --entrypoints.websecure.http.tls.options=tls-opts@file
# Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
- --entrypoints.websecure.http.tls.certresolver=${CERTRESOLVER}
- --entrypoints.websecure.http.tls.domains[0].main=$DOMAINNAME0
- --entrypoints.websecure.http.tls.domains[0].sans=*.$DOMAINNAME0
- --entrypoints.websecure.http.tls.domains[1].main=$DOMAINNAME1
- --entrypoints.websecure.http.tls.domains[1].sans=*.$DOMAINNAME1
- --entrypoints.websecure.http.tls.domains[2].main=$DOMAINNAME2
- --entrypoints.websecure.http.tls.domains[2].sans=*.$DOMAINNAME2
- --entrypoints.websecure.http.tls.domains[3].main=$DOMAINNAME3
- --entrypoints.websecure.http.tls.domains[3].sans=*.$DOMAINNAME3
- --providers.file.directory=/config # Load dynamic configuration from one or more .toml or .yml files in a directory
- --providers.file.watch=true # Only works on top level files in the rules folder
# - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
- --certificatesResolvers.$CERTRESOLVER.acme.email=${CF_API_EMAIL}
- --certificatesResolvers.$CERTRESOLVER.acme.storage=/acme.json
- --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.provider=${DNS_PROVIDER}
- --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.resolvers=${RESOLVER0} #,$RESOLVER1
- --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.resolvers=${RESOLVER0},${RESOLVER1}
- --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
# - --certificatesResolvers.$CERTRESOLVER.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
# - --entrypoints.http.http.middlewares=middlewares-crowdsec-bouncer@file
# - --entrypoints.mailsecure.address=:465
# - --entrypoints.maildefault.address=:587
# - --entrypoints.https.http.middlewares=middlewares-crowdsec-bouncer@file
# - --entryPoints.ping.address=:8081
# - --api.insecure=true)
# - --ping=true)
# - --providers.redis=true
# - --providers.redis.endpoints=redis:6379
# - --entrypoints.https.http.middlewares=middlewares-crowdsec-bouncer@file
# healthcheck:
# test: ["CMD", "traefik", "healthcheck", "--ping"]
# interval: 5s
@@ -100,18 +126,19 @@ services:
- ${DOCKERDIR}/traefik/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
- ${DOCKERDIR}/traefik/logs:/var/log/traefik # for crowdsec - make sure to touch file before starting container
secrets:
- cloudflare_email
- cloudflare_api_key
#- cloudflare_email
#- cloudflare_api_key
- cloudflare_api_token
- basic_auth_credentials
labels:
traefik.enable: true
traefik.http.routers.traefik.entrypoints: http
traefik.http.routers.traefik.entrypoints: web
traefik.http.routers.traefik.rule: Host(`${PROXYNAME}.${DOMAINNAME1}`)
traefik.http.middlewares.traefik-auth.basicauth.users: ${BASICAUTHUSER}
traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme: https
traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto: https
traefik.http.routers.traefik.middlewares: traefik-https-redirect
traefik.http.routers.traefik-secure.entrypoints: https
traefik.http.routers.traefik-secure.entrypoints: websecure
traefik.http.routers.traefik-secure.rule: Host(`${PROXYNAME}.${DOMAINNAME1}`)
traefik.http.routers.traefik-secure.middlewares: chain-no-auth@file
# traefik.http.routers.traefik-secure.middlewares: traefik-auth

20
docker/snibox/.env Normal file
View File

@@ -0,0 +1,20 @@
# Secrets
SECRET_KEY_BASE=580b4894107e15810dd7100132ad18905d3b218bea2812a6c35662e783443c912f8454c479afcf5aaf4fdac0fa0c52308ef062a440f5360cf9161f2b1d9e0834
# SSL
FORCE_SSL=false
# Database
DB_NAME=snibox
DB_USER=snibox
DB_PASS=snibox
DB_HOST=10.0.6.178
DB_PORT=5432
# Mailgun. Required by 'Reset password feature'. Feel free to start without this setup.
MAILGUN_SMTP_PORT=587
MAILGUN_SMTP_SERVER=smtp.eu.mailgun.org
MAILGUN_SMTP_LOGIN=sender@mail.gurulandia.eu
MAILGUN_SMTP_PASSWORD=fd2481f27f76e35110ddf9b7b04ad09f-667818f5-87cb2de
MAILGUN_API_KEY=0bbddf40b4f522902c3566ac64d6843f-667818f5-f7e29b98
MAILGUN_DOMAIN=mail.gurulandia.eu
MAILGUN_PUBLIC_KEY=pubkey-1d7092746ca1272cb49c7c16615663d1

41
docker/snibox/compose.yaml Normal file
View File

@@ -0,0 +1,41 @@
services:
frontend:
image: snibox/nginx-puma:1.15.9
ports:
- "8000:80"
volumes:
- static-files:/var/www/html
depends_on:
- backend
backend:
image: snibox/snibox:latest
command: sh -c "rm -rf tmp/pids && ./bin/rails s -p 3000 -b '0.0.0.0'"
environment:
DB_NAME: "${DB_NAME}"
DB_USER: "${DB_USER}"
DB_PASS: "${DB_PASS}"
DB_HOST: "${DB_HOST}"
DB_PORT: "${DB_PORT}"
FORCE_SSL: "${FORCE_SSL}"
MAILGUN_SMTP_PORT: "${MAILGUN_SMTP_PORT}"
MAILGUN_SMTP_SERVER: "${MAILGUN_SMTP_SERVER}"
MAILGUN_SMTP_LOGIN: "${MAILGUN_SMTP_LOGIN}"
MAILGUN_SMTP_PASSWORD: "${MAILGUN_SMTP_PASSWORD}"
MAILGUN_API_KEY: "${MAILGUN_API_KEY}"
MAILGUN_DOMAIN: "${MAILGUN_DOMAIN}"
MAILGUN_PUBLIC_KEY: "${MAILGUN_PUBLIC_KEY}"
SECRET_KEY_BASE: "${SECRET_KEY_BASE}"
volumes:
- static-files:/app/public
# depends_on:
# - database
# database:
# image: postgres:10.7-alpine
# volumes:
# - pg-data:/var/lib/postgresql/data
volumes:
# pg-data:
static-files:

56
docker/snibox/setup Executable file
View File

@@ -0,0 +1,56 @@
#!/bin/bash
set -e
GREEN='\033[0;32m'
RED='\033[0;31m'
YELLOW='\033[0;33m'
NC='\033[0m'
DEFAULT_SECRET='paste_your_key'
function report_status() {
if [ $? -eq 0 ]
then
echo -e "${GREEN}Done${NC}"
else
echo -e "${RED}Unable to complete task${NC}"
exit 1
fi
}
echo -e "Copy .env.sample to .env:"
if [ ! -f .env ]
then
cp .env.sample .env
report_status
else
echo -e "${GREEN}File .env already exists${NC}"
fi
echo -e "\nPull images:"
docker compose pull
report_status
echo -e "\nInject secret key:"
if grep -Rq "$DEFAULT_SECRET" .env
then
secret=$(docker compose run --rm --no-deps backend ./bin/rake secret)
echo "$secret"
# based on https://stackoverflow.com/a/22084103
sed -i.bak "s/$DEFAULT_SECRET/$secret/" .env
rm .env.bak
report_status
else
echo -e "${GREEN}Personal secret key exists${NC}"
fi
echo -e "\nCreate database:"
docker compose run --rm backend ./bin/rake db:create
report_status
echo -e "\nRun migrations:"
docker compose run --rm backend ./bin/rake db:migrate
report_status
echo -e "\n${GREEN}Setup completed!${NC}"

60
docker/technitum-dns/compose.yaml Normal file
View File

@@ -0,0 +1,60 @@
secrets:
technitium_admin_password:
file: ${SECRETSDIR}/technitum-dns/admin_password
services:
dns-server:
container_name: ${TECHNITUM_DNS_CONTAINER_NAME}
image: ${TECHNITUM_DNS_IMAGE}:${TECHNITUM_DNS_TAG}
restart: ${TECHNITUM_DNS_RESTART_POLICY}
security_opt:
- no-new-privileges:true
networks:
- dns
# For DHCP deployments, use "host" network mode and remove all the port mappings, including the ports array by commenting them
# network_mode: "host"
ports:
- "5380:5380/tcp" #DNS web console (HTTP)
# - "53443:53443/tcp" #DNS web console (HTTPS)
- "53:53/udp" #DNS service
- "53:53/tcp" #DNS service
# - "853:853/udp" #DNS-over-QUIC service
# - "853:853/tcp" #DNS-over-TLS service
# - "443:443/udp" #DNS-over-HTTPS service (HTTP/3)
# - "443:443/tcp" #DNS-over-HTTPS service (HTTP/1.1, HTTP/2)
# - "80:80/tcp" #DNS-over-HTTP service (use with reverse proxy or certbot certificate renewal)
# - "8053:8053/tcp" #DNS-over-HTTP service (use with reverse proxy)
# - "67:67/udp" #DHCP service
environment:
- DNS_SERVER_DOMAIN
# - DNS_SERVER_ADMIN_PASSWORD=password #DNS web console admin user password.
# - DNS_SERVER_ADMIN_PASSWORD_FILE=password.txt #The path to a file that contains a plain text password for the DNS web console admin user.
- DNS_SERVER_ADMIN_PASSWORD_FILE
# - DNS_SERVER_PREFER_IPV6=false #DNS Server will use IPv6 for querying whenever possible with this option enabled.
# - DNS_SERVER_WEB_SERVICE_LOCAL_ADDRESSES=172.17.0.1,127.0.0.1 #Comma separated list of network interface IP addresses that you want the web service to listen on for requests. The "172.17.0.1" address is the built-in Docker bridge. The "[::]" is the default value if not specified. Note! This must be used only with "host" network mode.
# - DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380 #The TCP port number for the DNS web console over HTTP protocol.
# - DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443 #The TCP port number for the DNS web console over HTTPS protocol.
# - DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false #Enables HTTPS for the DNS web console.
# - DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false #Enables self signed TLS certificate for the DNS web console.
# - DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false #Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx.
# - DNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks #Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworkACL.
# - DNS_SERVER_RECURSION_NETWORK_ACL=192.168.10.0/24, !192.168.10.2 #Comma separated list of IP addresses or network addresses to allow access. Add ! character at the start to deny access, e.g. !192.168.10.0/24 will deny entire subnet. The ACL is processed in the same order its listed. If no networks match, the default policy is to deny all except loopback. Valid only for `UseSpecifiedNetworkACL` recursion option.
# - DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24 #Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworkACL` recursion option. This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead.
# - DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24 #Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworkACL` recursion option. This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead.
# - DNS_SERVER_ENABLE_BLOCKING=false #Sets the DNS server to block domain names using Blocked Zone and Block List Zone.
# - DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false #Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests.
# - DNS_SERVER_BLOCK_LIST_URLS= #A comma separated list of block list URLs.
# - DNS_SERVER_FORWARDERS=1.1.1.1, 8.8.8.8 #Comma separated list of forwarder addresses.
# - DNS_SERVER_FORWARDER_PROTOCOL=Tcp #Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson.
- DNS_SERVER_LOG_USING_LOCAL_TIME
volumes:
- config:/etc/dns
sysctls:
- net.ipv4.ip_local_port_range=1024 65000
secrets:
- technitium_admin_password
volumes:
config:
networks:
dns:
name: dns

581
docker/vaultwarden/.env.template Normal file
View File

@@ -0,0 +1,581 @@
# shellcheck disable=SC2034,SC2148
## Vaultwarden Configuration File
## Uncomment any of the following lines to change the defaults
##
## Be aware that most of these settings will be overridden if they were changed
## in the admin interface. Those overrides are stored within DATA_FOLDER/config.json .
##
## By default, Vaultwarden expects for this file to be named ".env" and located
## in the current working directory. If this is not the case, the environment
## variable ENV_FILE can be set to the location of this file prior to starting
## Vaultwarden.
####################
### Data folders ###
####################
## Main data folder
# DATA_FOLDER=data
## Individual folders, these override %DATA_FOLDER%
# RSA_KEY_FILENAME=data/rsa_key
# ICON_CACHE_FOLDER=data/icon_cache
# ATTACHMENTS_FOLDER=data/attachments
# SENDS_FOLDER=data/sends
# TMP_FOLDER=data/tmp
## Templates data folder, by default uses embedded templates
## Check source code to see the format
# TEMPLATES_FOLDER=data/templates
## Automatically reload the templates for every request, slow, use only for development
# RELOAD_TEMPLATES=false
## Web vault settings
# WEB_VAULT_FOLDER=web-vault/
# WEB_VAULT_ENABLED=true
#########################
### Database settings ###
#########################
## Database URL
## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3
# DATABASE_URL=data/db.sqlite3
## When using MySQL, specify an appropriate connection URI.
## Details: https://docs.diesel.rs/2.1.x/diesel/mysql/struct.MysqlConnection.html
# DATABASE_URL=mysql://user:password@host[:port]/database_name
## When using PostgreSQL, specify an appropriate connection URI (recommended)
## or keyword/value connection string.
## Details:
## - https://docs.diesel.rs/2.1.x/diesel/pg/struct.PgConnection.html
## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
# DATABASE_URL=postgresql://user:password@host[:port]/database_name
## Enable WAL for the DB
## Set to false to avoid enabling WAL during startup.
## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB,
## this setting only prevents Vaultwarden from automatically enabling it on start.
## Please read project wiki page about this setting first before changing the value as it can
## cause performance degradation or might render the service unable to start.
# ENABLE_DB_WAL=true
## Database connection retries
## Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely
# DB_CONNECTION_RETRIES=15
## Database timeout
## Timeout when acquiring database connection
# DATABASE_TIMEOUT=30
## Database max connections
## Define the size of the connection pool used for connecting to the database.
# DATABASE_MAX_CONNS=10
## Database connection initialization
## Allows SQL statements to be run whenever a new database connection is created.
## This is mainly useful for connection-scoped pragmas.
## If empty, a database-specific default is used:
## - SQLite: "PRAGMA busy_timeout = 5000; PRAGMA synchronous = NORMAL;"
## - MySQL: ""
## - PostgreSQL: ""
# DATABASE_CONN_INIT=""
#################
### WebSocket ###
#################
## Enable websocket notifications
# ENABLE_WEBSOCKET=true
##########################
### Push notifications ###
##########################
## Enables push notifications (requires key and id from https://bitwarden.com/host)
## Details about mobile client push notification:
## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification
# PUSH_ENABLED=false
# PUSH_INSTALLATION_ID=CHANGEME
# PUSH_INSTALLATION_KEY=CHANGEME
# WARNING: Do not modify the following settings unless you fully understand their implications!
# Default Push Relay and Identity URIs
# PUSH_RELAY_URI=https://push.bitwarden.com
# PUSH_IDENTITY_URI=https://identity.bitwarden.com
# European Union Data Region Settings
# If you have selected "European Union" as your data region, use the following URIs instead.
# PUSH_RELAY_URI=https://api.bitwarden.eu
# PUSH_IDENTITY_URI=https://identity.bitwarden.eu
#####################
### Schedule jobs ###
#####################
## Job scheduler settings
##
## Job schedules use a cron-like syntax (as parsed by https://crates.io/crates/cron),
## and are always in terms of UTC time (regardless of your local time zone settings).
##
## The schedule format is a bit different from crontab as crontab does not contains seconds.
## You can test the the format here: https://crontab.guru, but remove the first digit!
## SEC MIN HOUR DAY OF MONTH MONTH DAY OF WEEK
## "0 30 9,12,15 1,15 May-Aug Mon,Wed,Fri"
## "0 30 * * * * "
## "0 30 1 * * * "
##
## How often (in ms) the job scheduler thread checks for jobs that need running.
## Set to 0 to globally disable scheduled jobs.
# JOB_POLL_INTERVAL_MS=30000
##
## Cron schedule of the job that checks for Sends past their deletion date.
## Defaults to hourly (5 minutes after the hour). Set blank to disable this job.
# SEND_PURGE_SCHEDULE="0 5 * * * *"
##
## Cron schedule of the job that checks for trashed items to delete permanently.
## Defaults to daily (5 minutes after midnight). Set blank to disable this job.
# TRASH_PURGE_SCHEDULE="0 5 0 * * *"
##
## Cron schedule of the job that checks for incomplete 2FA logins.
## Defaults to once every minute. Set blank to disable this job.
# INCOMPLETE_2FA_SCHEDULE="30 * * * * *"
##
## Cron schedule of the job that sends expiration reminders to emergency access grantors.
## Defaults to hourly (3 minutes after the hour). Set blank to disable this job.
# EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE="0 3 * * * *"
##
## Cron schedule of the job that grants emergency access requests that have met the required wait time.
## Defaults to hourly (7 minutes after the hour). Set blank to disable this job.
# EMERGENCY_REQUEST_TIMEOUT_SCHEDULE="0 7 * * * *"
##
## Cron schedule of the job that cleans old events from the event table.
## Defaults to daily. Set blank to disable this job. Also without EVENTS_DAYS_RETAIN set, this job will not start.
# EVENT_CLEANUP_SCHEDULE="0 10 0 * * *"
## Number of days to retain events stored in the database.
## If unset (the default), events are kept indefinitely and the scheduled job is disabled!
# EVENTS_DAYS_RETAIN=
##
## Cron schedule of the job that cleans old auth requests from the auth request.
## Defaults to every minute. Set blank to disable this job.
# AUTH_REQUEST_PURGE_SCHEDULE="30 * * * * *"
##
## Cron schedule of the job that cleans expired Duo contexts from the database. Does nothing if Duo MFA is disabled or set to use the legacy iframe prompt.
## Defaults to every minute. Set blank to disable this job.
# DUO_CONTEXT_PURGE_SCHEDULE="30 * * * * *"
########################
### General settings ###
########################
## Domain settings
## The domain must match the address from where you access the server
## It's recommended to configure this value, otherwise certain functionality might not work,
## like attachment downloads, email links and U2F.
## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
## To use HTTPS, the recommended way is to put Vaultwarden behind a reverse proxy
## Details:
## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS
## - https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
## For development
# DOMAIN=http://localhost
## For public server
# DOMAIN=https://vw.domain.tld
## For public server (URL with port number)
# DOMAIN=https://vw.domain.tld:8443
## For public server (URL with path)
# DOMAIN=https://domain.tld/vw
## Controls whether users are allowed to create Bitwarden Sends.
## This setting applies globally to all users.
## To control this on a per-org basis instead, use the "Disable Send" org policy.
# SENDS_ALLOWED=true
## HIBP Api Key
## HaveIBeenPwned API Key, request it here: https://haveibeenpwned.com/API/Key
# HIBP_API_KEY=
## Per-organization attachment storage limit (KB)
## Max kilobytes of attachment storage allowed per organization.
## When this limit is reached, organization members will not be allowed to upload further attachments for ciphers owned by that organization.
# ORG_ATTACHMENT_LIMIT=
## Per-user attachment storage limit (KB)
## Max kilobytes of attachment storage allowed per user.
## When this limit is reached, the user will not be allowed to upload further attachments.
# USER_ATTACHMENT_LIMIT=
## Per-user send storage limit (KB)
## Max kilobytes of send storage allowed per user.
## When this limit is reached, the user will not be allowed to upload further sends.
# USER_SEND_LIMIT=
## Number of days to wait before auto-deleting a trashed item.
## If unset (the default), trashed items are not auto-deleted.
## This setting applies globally, so make sure to inform all users of any changes to this setting.
# TRASH_AUTO_DELETE_DAYS=
## Number of minutes to wait before a 2FA-enabled login is considered incomplete,
## resulting in an email notification. An incomplete 2FA login is one where the correct
## master password was provided but the required 2FA step was not completed, which
## potentially indicates a master password compromise. Set to 0 to disable this check.
## This setting applies globally to all users.
# INCOMPLETE_2FA_TIME_LIMIT=3
## Disable icon downloading
## Set to true to disable icon downloading in the internal icon service.
## This still serves existing icons from $ICON_CACHE_FOLDER, without generating any external
## network requests. $ICON_CACHE_TTL must also be set to 0; otherwise, the existing icons
## will be deleted eventually, but won't be downloaded again.
# DISABLE_ICON_DOWNLOAD=false
## Controls if new users can register
# SIGNUPS_ALLOWED=true
## Controls if new users need to verify their email address upon registration
## Note that setting this option to true prevents logins until the email address has been verified!
## The welcome email will include a verification link, and login attempts will periodically
## trigger another verification email to be sent.
# SIGNUPS_VERIFY=false
## If SIGNUPS_VERIFY is set to true, this limits how many seconds after the last time
## an email verification link has been sent another verification email will be sent
# SIGNUPS_VERIFY_RESEND_TIME=3600
## If SIGNUPS_VERIFY is set to true, this limits how many times an email verification
## email will be re-sent upon an attempted login.
# SIGNUPS_VERIFY_RESEND_LIMIT=6
## Controls if new users from a list of comma-separated domains can register
## even if SIGNUPS_ALLOWED is set to false
# SIGNUPS_DOMAINS_WHITELIST=example.com,example.net,example.org
## Controls whether event logging is enabled for organizations
## This setting applies to organizations.
## Disabled by default. Also check the EVENT_CLEANUP_SCHEDULE and EVENTS_DAYS_RETAIN settings.
# ORG_EVENTS_ENABLED=false
## Controls which users can create new orgs.
## Blank or 'all' means all users can create orgs (this is the default):
# ORG_CREATION_USERS=
## 'none' means no users can create orgs:
# ORG_CREATION_USERS=none
## A comma-separated list means only those users can create orgs:
# ORG_CREATION_USERS=admin1@example.com,admin2@example.com
## Invitations org admins to invite users, even when signups are disabled
# INVITATIONS_ALLOWED=true
## Name shown in the invitation emails that don't come from a specific organization
# INVITATION_ORG_NAME=Vaultwarden
## The number of hours after which an organization invite token, emergency access invite token,
## email verification token and deletion request token will expire (must be at least 1)
# INVITATION_EXPIRATION_HOURS=120
## Controls whether users can enable emergency access to their accounts.
## This setting applies globally to all users.
# EMERGENCY_ACCESS_ALLOWED=true
## Controls whether users can change their email.
## This setting applies globally to all users
# EMAIL_CHANGE_ALLOWED=true
## Number of server-side passwords hashing iterations for the password hash.
## The default for new users. If changed, it will be updated during login for existing users.
# PASSWORD_ITERATIONS=600000
## Controls whether users can set or show password hints. This setting applies globally to all users.
# PASSWORD_HINTS_ALLOWED=true
## Controls whether a password hint should be shown directly in the web page if
## SMTP service is not configured and password hints are allowed.
## Not recommended for publicly-accessible instances because this provides
## unauthenticated access to potentially sensitive data.
# SHOW_PASSWORD_HINT=false
#########################
### Advanced settings ###
#########################
## Client IP Header, used to identify the IP of the client, defaults to "X-Real-IP"
## Set to the string "none" (without quotes), to disable any headers and just use the remote IP
# IP_HEADER=X-Real-IP
## Icon service
## The predefined icon services are: internal, bitwarden, duckduckgo, google.
## To specify a custom icon service, set a URL template with exactly one instance of `{}`,
## which is replaced with the domain. For example: `https://icon.example.com/domain/{}`.
##
## `internal` refers to Vaultwarden's built-in icon fetching implementation.
## If an external service is set, an icon request to Vaultwarden will return an HTTP
## redirect to the corresponding icon at the external service. An external service may
## be useful if your Vaultwarden instance has no external network connectivity, or if
## you are concerned that someone may probe your instance to try to detect whether icons
## for certain sites have been cached.
# ICON_SERVICE=internal
## Icon redirect code
## The HTTP status code to use for redirects to an external icon service.
## The supported codes are 301 (legacy permanent), 302 (legacy temporary), 307 (temporary), and 308 (permanent).
## Temporary redirects are useful while testing different icon services, but once a service
## has been decided on, consider using permanent redirects for cacheability. The legacy codes
## are currently better supported by the Bitwarden clients.
# ICON_REDIRECT_CODE=302
## Cache time-to-live for successfully obtained icons, in seconds (0 is "forever")
## Default: 2592000 (30 days)
# ICON_CACHE_TTL=2592000
## Cache time-to-live for icons which weren't available, in seconds (0 is "forever")
## Default: 2592000 (3 days)
# ICON_CACHE_NEGTTL=259200
## Icon download timeout
## Configure the timeout value when downloading the favicons.
## The default is 10 seconds, but this could be to low on slower network connections
# ICON_DOWNLOAD_TIMEOUT=10
## Block HTTP domains/IPs by Regex
## Any domains or IPs that match this regex won't be fetched by the internal HTTP client.
## Useful to hide other servers in the local network. Check the WIKI for more details
## NOTE: Always enclose this regex withing single quotes!
# HTTP_REQUEST_BLOCK_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$'
## Enabling this will cause the internal HTTP client to refuse to connect to any non global IP address.
## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block
# HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS=true
## Client Settings
## Enable experimental feature flags for clients.
## This is a comma-separated list of flags, e.g. "flag1,flag2,flag3".
##
## The following flags are available:
## - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials.
## - "autofill-v2": Use the new autofill implementation.
## - "browser-fileless-import": Directly import credentials from other providers without a file.
## - "extension-refresh": Temporarily enable the new extension design until general availability (should be used with the beta Chrome extension)
## - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
## - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension.
## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0)
## - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0)
# EXPERIMENTAL_CLIENT_FEATURE_FLAGS=fido2-vault-credentials
## Require new device emails. When a user logs in an email is required to be sent.
## If sending the email fails the login attempt will fail!!
# REQUIRE_DEVICE_EMAIL=false
## Enable extended logging, which shows timestamps and targets in the logs
# EXTENDED_LOGGING=true
## Timestamp format used in extended logging.
## Format specifiers: https://docs.rs/chrono/latest/chrono/format/strftime
# LOG_TIMESTAMP_FORMAT="%Y-%m-%d %H:%M:%S.%3f"
## Logging to Syslog
## This requires extended logging
# USE_SYSLOG=false
## Logging to file
# LOG_FILE=/path/to/log
## Log level
## Change the verbosity of the log output
## Valid values are "trace", "debug", "info", "warn", "error" and "off"
## Setting it to "trace" or "debug" would also show logs for mounted routes and static file, websocket and alive requests
## For a specific module append a comma separated `path::to::module=log_level`
## For example, to only see debug logs for icons use: LOG_LEVEL="info,vaultwarden::api::icons=debug"
# LOG_LEVEL=info
## Token for the admin interface, preferably an Argon2 PCH string
## Vaultwarden has a built-in generator by calling `vaultwarden hash`
## For details see: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token
## If not set, the admin panel is disabled
## New Argon2 PHC string
## Note that for some environments, like docker-compose you need to escape all the dollar signs `$` with an extra dollar sign like `$$`
## Also, use single quotes (') instead of double quotes (") to enclose the string when needed
# ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$MmeKRnGK5RW5mJS7h3TOL89GrpLPXJPAtTK8FTqj9HM$DqsstvoSAETl9YhnsXbf43WeaUwJC6JhViIvuPoig78'
## Old plain text string (Will generate warnings in favor of Argon2)
# ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
## Enable this to bypass the admin panel security. This option is only
## meant to be used with the use of a separate auth layer in front
# DISABLE_ADMIN_TOKEN=false
## Number of seconds, on average, between admin login requests from the same IP address before rate limiting kicks in.
# ADMIN_RATELIMIT_SECONDS=300
## Allow a burst of requests of up to this size, while maintaining the average indicated by `ADMIN_RATELIMIT_SECONDS`.
# ADMIN_RATELIMIT_MAX_BURST=3
## Set the lifetime of admin sessions to this value (in minutes).
# ADMIN_SESSION_LIFETIME=20
## Allowed iframe ancestors (Know the risks!)
## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
## Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets
## This adds the configured value to the 'Content-Security-Policy' headers 'frame-ancestors' value.
## Multiple values must be separated with a whitespace.
# ALLOWED_IFRAME_ANCESTORS=
## Allowed connect-src (Know the risks!)
## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
## Allows other domains to URLs which can be loaded using script interfaces like the Forwarded email alias feature
## This adds the configured value to the 'Content-Security-Policy' headers 'connect-src' value.
## Multiple values must be separated with a whitespace. And only HTTPS values are allowed.
## Example: "https://my-addy-io.domain.tld https://my-simplelogin.domain.tld"
# ALLOWED_CONNECT_SRC=""
## Number of seconds, on average, between login requests from the same IP address before rate limiting kicks in.
# LOGIN_RATELIMIT_SECONDS=60
## Allow a burst of requests of up to this size, while maintaining the average indicated by `LOGIN_RATELIMIT_SECONDS`.
## Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2.
# LOGIN_RATELIMIT_MAX_BURST=10
## BETA FEATURE: Groups
## Controls whether group support is enabled for organizations
## This setting applies to organizations.
## Disabled by default because this is a beta feature, it contains known issues!
## KNOW WHAT YOU ARE DOING!
# ORG_GROUPS_ENABLED=false
## Increase secure note size limit (Know the risks!)
## Sets the secure note size limit to 100_000 instead of the default 10_000.
## WARNING: This could cause issues with clients. Also exports will not work on Bitwarden servers!
## KNOW WHAT YOU ARE DOING!
# INCREASE_NOTE_SIZE_LIMIT=false
## Enforce Single Org with Reset Password Policy
## Enforce that the Single Org policy is enabled before setting the Reset Password policy
## Bitwarden enforces this by default. In Vaultwarden we encouraged to use multiple organizations because groups were not available.
## Setting this to true will enforce the Single Org Policy to be enabled before you can enable the Reset Password policy.
# ENFORCE_SINGLE_ORG_WITH_RESET_PW_POLICY=false
########################
### MFA/2FA settings ###
########################
## Yubico (Yubikey) Settings
## Set your Client ID and Secret Key for Yubikey OTP
## You can generate it here: https://upgrade.yubico.com/getapikey/
## You can optionally specify a custom OTP server
# YUBICO_CLIENT_ID=11111
# YUBICO_SECRET_KEY=AAAAAAAAAAAAAAAAAAAAAAAA
# YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify
## Duo Settings
## You need to configure the DUO_IKEY, DUO_SKEY, and DUO_HOST options to enable global Duo support.
## Otherwise users will need to configure it themselves.
## Create an account and protect an application as mentioned in this link (only the first step, not the rest):
## https://help.bitwarden.com/article/setup-two-step-login-duo/#create-a-duo-security-account
## Then set the following options, based on the values obtained from the last step:
# DUO_IKEY=<Client ID>
# DUO_SKEY=<Client Secret>
# DUO_HOST=<API Hostname>
## After that, you should be able to follow the rest of the guide linked above,
## ignoring the fields that ask for the values that you already configured beforehand.
##
## If you want to attempt to use Duo's 'Traditional Prompt' (deprecated, iframe based) set DUO_USE_IFRAME to 'true'.
## Duo no longer supports this, but it still works for some integrations.
## If you aren't sure, leave this alone.
# DUO_USE_IFRAME=false
## Email 2FA settings
## Email token size
## Number of digits in an email 2FA token (min: 6, max: 255).
## Note that the Bitwarden clients are hardcoded to mention 6 digit codes regardless of this setting!
# EMAIL_TOKEN_SIZE=6
##
## Token expiration time
## Maximum time in seconds a token is valid. The time the user has to open email client and copy token.
# EMAIL_EXPIRATION_TIME=600
##
## Maximum attempts before an email token is reset and a new email will need to be sent.
# EMAIL_ATTEMPTS_LIMIT=3
##
## Setup email 2FA regardless of any organization policy
# EMAIL_2FA_ENFORCE_ON_VERIFIED_INVITE=false
## Automatically setup email 2FA as fallback provider when needed
# EMAIL_2FA_AUTO_FALLBACK=false
## Other MFA/2FA settings
## Disable 2FA remember
## Enabling this would force the users to use a second factor to login every time.
## Note that the checkbox would still be present, but ignored.
# DISABLE_2FA_REMEMBER=false
##
## Authenticator Settings
## Disable authenticator time drifted codes to be valid.
## TOTP codes of the previous and next 30 seconds will be invalid
##
## According to the RFC6238 (https://tools.ietf.org/html/rfc6238),
## we allow by default the TOTP code which was valid one step back and one in the future.
## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes.
## You can disable this, so that only the current TOTP Code is allowed.
## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid.
## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid.
# AUTHENTICATOR_DISABLE_TIME_DRIFT=false
###########################
### SMTP Email settings ###
###########################
## Mail specific settings, set SMTP_FROM and either SMTP_HOST or USE_SENDMAIL to enable the mail service.
## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
# SMTP_HOST=smtp.domain.tld
# SMTP_FROM=vaultwarden@domain.tld
# SMTP_FROM_NAME=Vaultwarden
# SMTP_USERNAME=username
# SMTP_PASSWORD=password
# SMTP_TIMEOUT=15
## Choose the type of secure connection for SMTP. The default is "starttls".
## The available options are:
## - "starttls": The default port is 587.
## - "force_tls": The default port is 465.
## - "off": The default port is 25.
## Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 (submissions) is used for encrypted submission (Implicit TLS).
# SMTP_SECURITY=starttls
# SMTP_PORT=587
# Whether to send mail via the `sendmail` command
# USE_SENDMAIL=false
# Which sendmail command to use. The one found in the $PATH is used if not specified.
# SENDMAIL_COMMAND="/path/to/sendmail"
## Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections.
## Possible values: ["Plain", "Login", "Xoauth2"].
## Multiple options need to be separated by a comma ','.
# SMTP_AUTH_MECHANISM=
## Server name sent during the SMTP HELO
## By default this value should be is on the machine's hostname,
## but might need to be changed in case it trips some anti-spam filters
# HELO_NAME=
## Embed images as email attachments
# SMTP_EMBED_IMAGES=true
## SMTP debugging
## When set to true this will output very detailed SMTP messages.
## WARNING: This could contain sensitive information like passwords and usernames! Only enable this during troubleshooting!
# SMTP_DEBUG=false
## Accept Invalid Certificates
## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks!
## Only use this as a last resort if you are not able to use a valid certificate.
## If the Certificate is valid but the hostname doesn't match, please use SMTP_ACCEPT_INVALID_HOSTNAMES instead.
# SMTP_ACCEPT_INVALID_CERTS=false
## Accept Invalid Hostnames
## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks!
## Only use this as a last resort if you are not able to use a valid certificate.
# SMTP_ACCEPT_INVALID_HOSTNAMES=false
#######################
### Rocket settings ###
#######################
## Rocket specific settings
## See https://rocket.rs/v0.5/guide/configuration/ for more details.
# ROCKET_ADDRESS=0.0.0.0
## The default port is 8000, unless running in a Docker container, in which case it is 80.
# ROCKET_PORT=8000
# ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
# vim: syntax=ini

40
docker/vaultwarden/compose.yaml Normal file
View File

@@ -0,0 +1,40 @@
services:
# Vaultwarden Password Manager
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
security_opt:
- no-new-privileges:true
restart: unless-stopped
# profiles: ["core", "all"]
networks:
- proxy
environment:
# This is required to allow vaultwarden to verify the TLS certificate!
- DOMAIN=https://${DOMAIN}
- DATABASE_URL=${DATABASE_URL}
- ADMIN_TOKEN=${ADMIN_TOKEN}
- ICON_SERVICE=${ICON_SERVICE}
- SMTP_HOST=${SMTP_HOST}
- SMTP_SECURITY=${SMTP_SECURITY}
- SMTP_PORT=${SMTP_PORT}
- SMTP_FROM=vaultwarden@mail.gurulandia.eu
- SMTP_USERNAME=${SMTP_USERNAME}
- SMTP_PASSWORD=${SMTP_PASSWORD}
volumes:
- /gurulandia/data/vaultwarden/data:/data
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.vaultwarden-rtr.entrypoints=https"
- "traefik.http.routers.vaultwarden-rtr.rule=Host(`${DOMAIN}`)"
- "traefik.http.routers.vaultwarden-rtr.tls=true"
## Middlewares
- "traefik.http.routers.vaultwarden-rtr.middlewares=chain-no-auth@file"
## HTTP Services
- "traefik.http.routers.vaultwarden-rtr.service=vaultwarden-svc"
- "traefik.http.services.vaultwarden-svc.loadbalancer.server.port=80"
networks:
proxy:
name: proxy
external: true

29
docker/whoami/compose.yaml Normal file
View File

@@ -0,0 +1,29 @@
name: whoami # Project Name
services:
whoami:
image: traefik/whoami:latest
container_name: whoami
restart: unless-stopped
security_opt:
- no-new-privileges=true
#depends_on:
# - traefik
networks:
- proxy
environment:
- TZ=${TZ}
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.whoami-rtr.entrypoints=https"
- "traefik.http.routers.whoami-rtr.rule=Host(`whoami.lab.gurulandia.eu`)"
## Middlewares
# - "traefik.http.routers.authentik-rtr.middlewares=chain-authelia@file"
# - "traefik.http.routers.authentik-rtr.middlewares=chain-no-auth@file"
- "traefik.http.routers.whoami-rtr.middlewares=chain-authentik@file"
## HTTP Services
- "traefik.http.routers.whoami-rtr.service=whoami-svc"
- "traefik.http.services.whoami-svc.loadbalancer.server.port=80"
networks:
proxy:
external: true

24
komodo/smtp.toml Normal file
View File

@@ -0,0 +1,24 @@
[[variable]]
name = "SMTP_HOST"
value = "smtp.eu.mailgun.org"
is_secret = false
[[variable]]
name = "SMTP_USERNAME"
value = "sender@mail.gurulandia.eu"
is_secret = false
[[variable]]
name = "SMTP_PASSWORD"
value = "fd2481f27f76e35110ddf9b7b04ad09f-667818f5-87cb2de3"
is_secret = true
[[variable]]
name = "SMTP_PORT"
value = "587"
is_secret = false
[[variable]]
name = "SMTP_SECURITY"
value = "starttls"
is_secret = false

24
setup/powershell_install.sh Normal file
View File

@@ -0,0 +1,24 @@
###################################
# Prerequisites
# Update the list of packages
sudo apt-get update
# Install pre-requisite packages.
sudo apt-get install -y wget
# Download the PowerShell package file
wget https://github.com/PowerShell/PowerShell/releases/download/v7.5.0/powershell_7.5.0-1.deb_amd64.deb
###################################
# Install the PowerShell package
sudo dpkg -i powershell_7.5.0-1.deb_amd64.deb
# Resolve missing dependencies and finish the install (if necessary)
sudo apt-get install -f
# Delete the downloaded package file
rm powershell_7.5.0-1.deb_amd64.deb
# Start PowerShell
pwsh