general update oon docker config

project/infrastructure/authelia/authelia.yml

@@ -16,6 +16,8 @@ services:
     image: authelia/authelia:latest
     ports:
       - 9959:9959 # metrics prometheus
+    networks: 
+      - ip6net
     expose:
       - 9091
     secrets: [JWT_SECRET, SESSION_SECRET, STORAGE_PASSWORD, STORAGE_ENCRYPTION_KEY]
@@ -40,4 +42,4 @@ services:
       - 'traefik.http.routers.authelia.service=authelia-svc'
       - 'traefik.http.services.authelia-svc.loadbalancer.server.port=9091'
       # Middleware
-      - "traefik.http.routers.authelia.middlewares=crowdsec-bouncer@file"
+      #- "traefik.http.routers.authelia.middlewares=crowdsec-bouncer@file"

project/infrastructure/crowdsec/crowdsec.yml

@@ -6,34 +6,21 @@ services:
     container_name: crowdsec
     image: crowdsecurity/crowdsec:latest
     environment:
-      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve"
+      COLLECTIONS: crowdsecurity/traefik crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules crowdsecurity/http-cve
+      CROWDSEC_BOUNCER_API_KEY: ${CROWDSEC_API_KEY}
+      CUSTOM_HOSTNAME: crowdsec
     expose:
       - 8080
     ports:
       - 6060:6060
+    networks: 
+      - ip4net
+      - ip6net
     volumes:
       - ${INFRA_PATH}/crowdsec/data:/var/lib/crowdsec/data
       - ${INFRA_PATH}/crowdsec/config:/etc/crowdsec
       - /var/log/auth.log:/var/log/auth.log:ro
       - /var/log/crowdsec:/var/log/crowdsec:ro
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
-
-  crowdsec-traefik-bouncer:
-    extends:
-      file: ${TEMPLATES_PATH}
-      service: default
-    image: fbonalair/traefik-crowdsec-bouncer:latest
-    container_name: bouncer-traefik
-    environment:
-      CROWDSEC_BOUNCER_API_KEY: ${CROWDSEC_API_KEY}
-      CROWDSEC_AGENT_HOST: crowdsec:8080
-      GIN_MODE: release
-    expose:
-      - 8080
-    depends_on:
-      - crowdsec
     labels:
       # Watchtower
       - "com.centurylinklabs.watchtower.enable=true"

project/infrastructure/homepage/homepage.yml

@@ -7,6 +7,8 @@ services:
     container_name: homepage
     ports:
       - 3030:3000
+    networks: 
+      - ip4net
     environment:
       HOMEPAGE_VAR_LOCAL_DOMAIN: ${LOCAL_DOMAIN}
       HOMEPAGE_VAR_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN}

project/infrastructure/speedtest/speedtest.yml

@@ -18,6 +18,8 @@ services:
       #WEBPORT: 80
     ports:
       - "4001:80" # webport mapping (host:container)
+    networks: 
+      - ip4net
     labels:
       # Watchtower
       - "com.centurylinklabs.watchtower.enable=true"

project/infrastructure/syncthing/syncthing.yml

@@ -12,6 +12,9 @@ services:
       - 22000:22000/tcp # TCP file transfers
       - 22000:22000/udp # QUIC file transfers
       - 21027:21027/udp # Receive local discovery broadcasts
+    networks: 
+      - ip4net
+      - ip6net
     labels:
       # Watchtower
       - "com.centurylinklabs.watchtower.enable=true"

project/infrastructure/traefik/traefik.yml

@@ -9,16 +9,22 @@ services:
       - "80:80"
       - "443:443"
       - "8079:8080"
+    networks:
+      - ip6net
+      - ip4net
     environment:
       TRAEFIK_LOCAL_DOMAIN: ${LOCAL_DOMAIN}
       TRAEFIK_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN}
       TRAEFIK_AUTH_PUBLIC_DOMAIN: auth.${PUBLIC_DOMAIN}
+      TRAEFIK_CROWDSEC_API_KEY: ${CROWDSEC_API_KEY}
     volumes:
       - "/var/log/crowdsec/:/var/log/crowdsec/"
       - "/var/run/docker.sock:/var/run/docker.sock:ro"
       - "${INFRA_PATH}/traefik/letsencrypt:/letsencrypt"
       - "${INFRA_PATH}/traefik/config:/etc/traefik"
       - "${INFRA_PATH}/traefik/certs:/etc/certs"
+      - "${INFRA_PATH}/traefik/html/ban.html:/ban.html"
+      - "${INFRA_PATH}/traefik/html/captcha.html:/captcha.html"
     labels:
       # Watchtower
       - "com.centurylinklabs.watchtower.enable=true"
@@ -35,6 +41,8 @@ services:
       service: default
     image: traefik/whoami:latest
     container_name: "traefik-whoami"
+    networks: 
+      - ip4net
     labels:
       # Watchtower
       - "com.centurylinklabs.watchtower.enable=true"

project/infrastructure/uptime-kuma/uptime-kuma.yml

@@ -1,14 +1,24 @@
 services:
   uptime-kuma:
-    extends:
-      file: ${TEMPLATES_PATH}
-      service: default
+    # not using the template because ncsd is not configured to support changing PUID/PGID
+    # https://github.com/louislam/uptime-kuma/issues/4743
+    # extends:
+    #   file: ${TEMPLATES_PATH}
+    #   service: default
     image: louislam/uptime-kuma:latest
     container_name: uptime-kuma
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges=true
+    environment:
+      TZ: ${TZ}
     volumes:
       - ${INFRA_PATH}/uptime-kuma/config:/app/data
     ports:
       - 5001:3001
+    networks:
+      - ip4net
+      - ip6net
     labels:
       # Watchtower
       - "com.centurylinklabs.watchtower.enable=true"

project/infrastructure/watchtower/watchtower.yml

@@ -16,6 +16,8 @@ services:
       - WATCHTOWER_HTTP_API_PERIODIC_POLLS=true
     ports:
       - 7999:8080
+    networks:
+      - ip4net
     volumes:
       # - ${INFRA_PATH}/watchtower/config:/config.json
       - /var/run/docker.sock:/var/run/docker.sock