initial docker setup

project/infrastructure/authelia/authelia.yml

@@ -0,0 +1,41 @@
+secrets:
+  JWT_SECRET:
+    file: ${INFRA_PATH}/authelia/secrets/JWT_SECRET
+  SESSION_SECRET:
+    file: ${INFRA_PATH}/authelia/secrets/SESSION_SECRET
+  STORAGE_PASSWORD:
+    file: ${INFRA_PATH}/authelia/secrets/STORAGE_PASSWORD
+  STORAGE_ENCRYPTION_KEY:
+    file: ${INFRA_PATH}/authelia/secrets/STORAGE_ENCRYPTION_KEY
+services:
+  authelia:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    container_name: authelia
+    image: authelia/authelia:latest
+    expose:
+      - 9091
+    secrets: [JWT_SECRET, SESSION_SECRET, STORAGE_PASSWORD, STORAGE_ENCRYPTION_KEY]
+    environment:
+      AUTHELIA_JWT_SECRET_FILE: /run/secrets/JWT_SECRET
+      AUTHELIA_SESSION_SECRET_FILE: /run/secrets/SESSION_SECRET
+      AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /run/secrets/STORAGE_PASSWORD
+      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/STORAGE_ENCRYPTION_KEY
+      AUTHELIA_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN} # this does not work for access control or openID yet
+      AUTHELIA_LOCAL_DOMAIN: ${LOCAL_DOMAIN} # this does not work for access control or openID yet
+    volumes:
+      - ${INFRA_PATH}/authelia/config:/config
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - 'traefik.enable=true'
+      - 'traefik.http.routers.authelia.rule=Host(`auth.${PUBLIC_DOMAIN}`)'
+      - "traefik.http.routers.authelia.tls.certresolver=myresolver"
+      - 'traefik.http.routers.authelia.entryPoints=https'
+      - 'traefik.http.routers.authelia.tls=true'
+      - 'traefik.http.routers.authelia.service=authelia-svc'
+      - 'traefik.http.services.authelia-svc.loadbalancer.server.port=9091'
+      # Middleware
+      - "traefik.http.routers.authelia.middlewares=crowdsec-bouncer@file"

project/infrastructure/crowdsec/crowdsec.yml

@@ -0,0 +1,39 @@
+services:
+  crowdsec:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    container_name: crowdsec
+    image: crowdsecurity/crowdsec:latest
+    environment:
+      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve"
+    expose:
+      - 8080
+    ports:
+      - 6060:6060
+    volumes:
+      - ${INFRA_PATH}/crowdsec/data:/var/lib/crowdsec/data
+      - ${INFRA_PATH}/crowdsec/config:/etc/crowdsec
+      - /var/log/auth.log:/var/log/auth.log:ro
+      - /var/log/crowdsec:/var/log/crowdsec:ro
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+
+  crowdsec-traefik-bouncer:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: fbonalair/traefik-crowdsec-bouncer:latest
+    container_name: bouncer-traefik
+    environment:
+      CROWDSEC_BOUNCER_API_KEY: ${CROWDSEC_API_KEY}
+      CROWDSEC_AGENT_HOST: crowdsec:8080
+      GIN_MODE: release
+    expose:
+      - 8080
+    depends_on:
+      - crowdsec
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"

project/infrastructure/homepage/homepage.yml

@@ -0,0 +1,25 @@
+services:
+  homepage:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: ghcr.io/gethomepage/homepage:latest
+    container_name: homepage
+    ports:
+      - 3030:3000
+    environment:
+      HOMEPAGE_VAR_LOCAL_DOMAIN: ${LOCAL_DOMAIN}
+      HOMEPAGE_VAR_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN}
+    volumes:
+      - ${INFRA_PATH}/homepage/config:/app/config
+      - ${INFRA_PATH}/homepage/data/images:/app/public/images
+      - ${INFRA_PATH}/homepage/data/icons:/app/public/icons
+      - /var/run/docker.sock:/var/run/docker.sock:ro # optional, for docker integrations
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.homepage.rule=Host(`homepage.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.homepage.entrypoints=https"
+      - "traefik.http.routers.homepage.tls=true"

project/infrastructure/speedtest/speedtest.yml

@@ -0,0 +1,28 @@
+services:
+  speedtest:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    container_name: speedtest
+    image: ghcr.io/librespeed/speedtest:latest
+    environment:
+      MODE: standalone
+      TITLE: "LibreSpeed"
+      #TELEMETRY: "false"
+      #ENABLE_ID_OBFUSCATION: "false"
+      #REDACT_IP_ADDRESSES: "false"
+      #PASSWORD:
+      #EMAIL:
+      #DISABLE_IPINFO: "false"
+      #DISTANCE: "km"
+      #WEBPORT: 80
+    ports:
+      - "4001:80" # webport mapping (host:container)
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.speedtest.rule=Host(`speedtest.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.speedtest.entrypoints=https"
+      - 'traefik.http.routers.speedtest.tls=true'

project/infrastructure/traefik/traefik.yml

@@ -0,0 +1,47 @@
+services:
+  traefik:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: "traefik:latest"
+    container_name: "traefik"
+    ports:
+      - "80:80"
+      - "443:443"
+      - "8079:8080"
+    environment:
+      TRAEFIK_LOCAL_DOMAIN: ${LOCAL_DOMAIN}
+      TRAEFIK_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN}
+      TRAEFIK_AUTH_PUBLIC_DOMAIN: auth.${PUBLIC_DOMAIN}
+    volumes:
+      - "/var/log/crowdsec/:/var/log/crowdsec/"
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "${INFRA_PATH}/traefik/letsencrypt:/letsencrypt"
+      - "${INFRA_PATH}/traefik/config:/etc/traefik"
+      - "${INFRA_PATH}/traefik/certs:/etc/certs"
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik.service=api@internal"
+      - "traefik.http.routers.traefik.rule=Host(`traefik.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.traefik.entrypoints=https"
+      - "traefik.http.routers.traefik.tls=true"
+
+  whoami:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: traefik/whoami:latest
+    container_name: "traefik-whoami"
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.whoami.rule=Host(`whoami.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.whoami.entrypoints=https"
+      - 'traefik.http.routers.whoami.tls=true'
+      - "traefik.http.routers.whoami.tls.certresolver=myresolver"
+      - "traefik.http.routers.whoami.middlewares=authelia@file,crowdsec-bouncer@file"

project/infrastructure/uptime-kuma/uptime-kuma.yml

@@ -0,0 +1,19 @@
+services:
+  uptime-kuma:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: louislam/uptime-kuma:latest
+    container_name: uptime-kuma
+    volumes:
+      - ${INFRA_PATH}/uptime-kuma/config:/app/data
+    ports:
+      - 5001:3001
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.uptime-kuma.rule=Host(`uptime-kuma.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.uptime-kuma.entrypoints=https"
+      - "traefik.http.routers.uptime-kuma.tls=true"

project/infrastructure/watchtower/watchtower.yml

@@ -0,0 +1,24 @@
+services:
+  watchtower:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: containrrr/watchtower:latest
+    container_name: watchtower
+    environment:
+      - WATCHTOWER_CLEANUP=true
+      - WATCHTOWER_POLL_INTERVAL=43200 # 12h
+      - WATCHTOWER_INCLUDE_RESTARTING=true
+      - WATCHTOWER_LABEL_ENABLE=true
+      - WATCHTOWER_HTTP_API_METRICS=true
+      - WATCHTOWER_HTTP_API_TOKEN=mytoken
+      - WATCHTOWER_HTTP_API_UPDATE=true
+      - WATCHTOWER_HTTP_API_PERIODIC_POLLS=true
+    ports:
+      - 7999:8080
+    volumes:
+      # - ${INFRA_PATH}/watchtower/config:/config.json
+      - /var/run/docker.sock:/var/run/docker.sock
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"