Merge pull request 'Update traefik Docker tag to v3.6.10' (#11) from renovate/traefik-3.x into main

Reviewed-on: #5

.gitignore

@@ -0,0 +1,12 @@
+# Ignore these files
+**/services/.env
+
+# Ignore these folders
+letsencrypt/
+certs/
+log-dashboard/
+lib/
+**/headscale/config/
+**/headscale/run/
+**/crowdsec/config/
+**/crowdsec/data/

README.md

@@ -2,3 +2,9 @@
 
 This configuration includes a reverse proxy using caddy, headscale (VPN) and watchtower (automatic updates).
 It is particularly useful if you do not own an IPV4 address, as this could be deployed on a server. In this case it was deployed on an oracle server and automated using an ansible playbook found on this [repository](https://gitea.crescentec.ch/chriswin/vps-ansible)
+
+For Crowdsec, if an enrollment to your console is wanted, run the following command: 
+```
+docker compose -it exec cscli console enroll $ENROLLMENT_KEY
+```
+where the the enrollment can be found in your console under the engine page.

docker-compose.yml

@@ -6,7 +6,6 @@
 # Whenever I need to remove some service then I can comment out the lines here.
 include:
   - path:
-      - ${SERVICE_PATH}/caddy/caddy.yml
       - ${SERVICE_PATH}/crowdsec/crowdsec.yml
       - ${SERVICE_PATH}/headscale/headscale.yml
       - ${SERVICE_PATH}/traefik/traefik.yml

renovate.json

@@ -0,0 +1,48 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "extends": [
+        "schedule:automergeDaily"
+    ],
+    "dependencyDashboard": true,
+    "dependencyDashboardTitle": "Renovate Dashboard",
+    "assignees": [
+        "chriswin"
+    ],
+    "labels": [
+        "renovate"
+    ],
+    "configMigration": true,
+    "prHourlyLimit": 0,
+    "packageRules": [
+        {
+            "matchCategories": [
+                "docker"
+            ],
+            "enabled": true,
+            "managerFilePatterns": [
+                "/(^|/)services/*\\Dockerfile$/"
+            ]
+        },
+        {
+            "matchUpdateTypes": [
+                "minor",
+                "patch"
+            ],
+            "automerge": true,
+            "automergeType": "pr"
+        },
+        {
+            "matchUpdateTypes": [
+                "major"
+            ],
+            "automerge": false
+        }
+    ],
+    "docker-compose": {
+        "enabled": true,
+        "managerFilePatterns": [
+            "/(^|/)docker-compose\\.yml$/",
+            "/(^|/)services/.*\\.yml$/"
+        ]
+    }
+}

services/.env

@@ -1 +0,0 @@
-CROWDSEC_API_KEY=8lbUZjrGQp9JZln2pa5G1SCj0Fc8f9SaZUwqLm+6ZJQ

services/caddy/Caddyfile

@@ -1,189 +0,0 @@
-(forward_headers) {
-        header {
-                Permissions-Policy interest-cohort=()
-                Strict-Transport-Security "max-age=31536000; includeSubdomains"
-                X-XSS-Protection "1; mode=block"
-                X-Content-Type-Options "nosniff"
-                X-Robots-Tag noindex, nofollow
-                Referrer-Policy "same-origin"
-                Content-Security-Policy "frame-ancestors {$public_domain }} *.{$public_domain}"
-                -Server
-                Permissions-Policy "geolocation=(self {$public_domain }} *.{$public_domain}), microphone=()"
-        }
-}
-
-auth.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-audiobookshelf.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-gitea.{$public_domain} {
-        reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-headscale.{$public_domain} {
-        reverse_proxy headscale:8080
-        tls {$email}
-        import forward_headers
-}
-
-immich.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-ldap.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-linkwarden.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-mealie.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-navidrome.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-ntfy.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-paperless.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-radicale.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-rss.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-pdf.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-superset.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-vaultwarden.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-vikunja.{$public_domain} {
-	reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}
-
-{$public_domain} {
-        reverse_proxy {$main_server_ip} {
-                transport http {
-                        tls_insecure_skip_verify
-                }
-        }
-        tls {$email}
-        import forward_headers
-}

services/caddy/caddy.yml

@@ -1,30 +0,0 @@
-services:
-  caddy:
-    extends:
-      file: ${TEMPLATES_PATH}
-      service: default
-    image: caddy 
-    container_name: caddy 
-    volumes:
-      - ${SERVICE_PATH}/caddy/config:/etc/headscale
-      - ${SERVICE_PATH}/caddy/Caddyfile:/etc/caddy/Caddyfile
-      - ${SERVICE_PATH}/caddy/site:/srv
-      - ${SERVICE_PATH}/caddy/data:/data
-      - ${SERVICE_PATH}/caddy/config:/config
-      - ${SERVICE_PATH}/caddy/certs:/certs
-    ports:
-      - "80:80"
-      - "443:443"
-      - "443:443/udp"
-    environment:
-      email: ${EMAIL}
-      public_domain: ${PUBLIC_DOMAIN}
-      private_domain: ${LOCAL_DOMAIN}
-      main_server_ip: ${MAIN_SERVER_NODE_IP:-10.10.10.2}
-    cap_add:
-      - NET_ADMIN
-    networks:
-      - ip4net
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"

services/crowdsec/crowdsec.yml

@@ -4,7 +4,7 @@ services:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: crowdsec
-    image: crowdsecurity/crowdsec:v1.7.4
+    image: crowdsecurity/crowdsec:v1.7.6
     environment:
       COLLECTIONS: crowdsecurity/traefik crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules crowdsecurity/http-cve
       CROWDSEC_BOUNCER_API_KEY: ${CROWDSEC_API_KEY}

services/headscale/headscale.yml

@@ -17,5 +17,10 @@ services:
     networks:
       - ip4net
     labels:
-      # Watchtower
+      # Traefik
-      - "com.centurylinklabs.watchtower.enable=true"
+      - "traefik.enable=true"
+      - "traefik.http.routers.headscale.rule=Host(`headscale.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.headscale.entrypoints=https"
+      - "traefik.http.routers.headscale.tls.certresolver=myresolver"
+      - "traefik.http.routers.headscale.tls=true"
+      - "traefik.http.routers.headscale.middlewares=crowdsec-bouncer@file"

services/traefik/config/config.yml

@@ -8,29 +8,31 @@ http:
           enabled: true 
           logLevel: INFO
           updateIntervalSeconds: 60
-          crowdsecMode: stream
+          crowdsecMode: live 
           crowdsecAppsecEnabled: true
+          crowdsecAppsecFailureBlock: true 
+          crowdsecAppsecUnreachableBlock: true 
           crowdsecAppsecHost: crowdsec:7422
           crowdsecLapiScheme: http
           crowdsecLapiHost: crowdsec:8080
           # generated using "docker exec crowdsec cscli bouncers add crowdsecBouncer"
-          crowdseclapikey: {{ env "TRAEFIK_CROWDSEC_API_KEY" }}
+          crowdsecLapikey: {{ env "TRAEFIK_CROWDSEC_API_KEY" }}
           forwardedHeadersTrustedIPs:
             - 10.0.0.0/8
           clientTrustedIPs:
             - 192.168.178.0/24
-          captchaProvider: hcaptcha
+          # captchaProvider: hcaptcha
-          captchaSiteKey: b2d20610-8dda-4f40-8688-7ca8e1e628f8 # found in hcaptcha account
+          # captchaSiteKey: b2d20610-8dda-4f40-8688-7ca8e1e628f8 # found in hcaptcha account
-          captchaSecretKey: {{ env "TRAEFIK_CAPTCHA_KEY" }}
+          # captchaSecretKey: {{ env "TRAEFIK_CAPTCHA_KEY" }}
-          captchaGracePeriodSeconds: 1800
+          # captchaGracePeriodSeconds: 1800
-          captchaHTMLFilePath: /captcha.html
+          # captchaHTMLFilePath: /captcha.html
-          banHTMLFilePath: /ban.html
+          # banHTMLFilePath: /ban.html
 
   routers:
     authelia:
       rule: "Host(`auth.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https 
+      entrypoints: https,http 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
@@ -38,7 +40,7 @@ http:
     audiobookshelf:
       rule: "Host(`audiobookshelf.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https 
+      entrypoints: https,http 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
@@ -46,15 +48,7 @@ http:
     gitea:
       rule: "Host(`gitea.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https 
+      entrypoints: https,http 
-      tls:
-        certresolver: myresolver
-      middlewares: crowdsec-bouncer@file
-
-    headscale:
-      rule: "Host(`headscale.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
-      service: node 
-      entryPoints: https 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
@@ -62,7 +56,7 @@ http:
     immich:
       rule: "Host(`immich.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https 
+      entrypoints: https,http 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
@@ -70,7 +64,7 @@ http:
     lldap:
       rule: "Host(`ldap.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https 
+      entrypoints: https,http 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
@@ -78,7 +72,7 @@ http:
     linkwarden:
       rule: "Host(`linkwarden.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https 
+      entrypoints: https,http 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
@@ -86,7 +80,7 @@ http:
     mealie:
       rule: "Host(`mealie.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https 
+      entrypoints: https,http 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
@@ -94,7 +88,7 @@ http:
     navidrome:
       rule: "Host(`navidrome.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https 
+      entrypoints: https,http 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
@@ -102,7 +96,7 @@ http:
     ntfy:
       rule: "Host(`ntfy.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https 
+      entrypoints: https,http 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
@@ -110,7 +104,7 @@ http:
     paperless:
       rule: "Host(`paperless.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https 
+      entrypoints: https,http 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
@@ -118,7 +112,7 @@ http:
     pdf:
       rule: "Host(`pdf.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https 
+      entrypoints: https,http 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
@@ -126,7 +120,7 @@ http:
     radicale:
       rule: "Host(`radicale.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https 
+      entrypoints: https,http 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
@@ -134,16 +128,15 @@ http:
     rss:
       rule: "Host(`rss.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https 
+      entrypoints: https,http 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
 
-<<<<<<< HEAD
     # superset:
     #   rule: "Host(`superset.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
     #   service: node 
-    #   entryPoints: https
+    #   entrypoints: https,http
     #   tls:
     #     certresolver: myresolver
     #   middlewares: crowdsec-bouncer@file
@@ -151,7 +144,7 @@ http:
     vaultwarden:
       rule: "Host(`vaultwarden.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https 
+      entrypoints: https,http 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
@@ -159,7 +152,7 @@ http:
     vikunja:
       rule: "Host(`vikunja.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
       service: node 
-      entryPoints: https 
+      entrypoints: https,http 
       tls:
         certresolver: myresolver
       middlewares: crowdsec-bouncer@file
@@ -170,3 +163,12 @@ http:
         servers:
           - url: https://{{ env "TRAEFIK_MAIN_SERVER_NODE_IP" }}
 
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: /etc/certs/server-vps-lan.crt
+        keyFile: /etc/certs/server-vps-lan.key
+  certificates:
+    - certFile: /etc/certs/server-vps-lan.crt
+      keyFile: /etc/certs/server-vps-lan.key

services/traefik/traefik.yml

@@ -3,7 +3,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: traefik:v3.6.6
+    image: traefik:v3.6.10
     container_name: traefik
     ports:
       - "80:80"
@@ -16,7 +16,11 @@ services:
       TRAEFIK_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN}
       TRAEFIK_MAIN_SERVER_NODE_IP: ${MAIN_SERVER_NODE_IP}
       TRAEFIK_CROWDSEC_API_KEY: ${CROWDSEC_API_KEY}
-      # INFOMANIAK_ACCESS_TOKEN: ${INFOMANIAK_CERTIFICATE_ACCESS_TOKEN}
+    deploy:
+      resources:
+        limits:
+          cpus: "0.3"
+          memory: 150M
     volumes:
       - "/var/log/traefik/:/var/log/traefik/"
       - "/var/run/docker.sock:/var/run/docker.sock:ro"
@@ -33,64 +37,73 @@ services:
       - "traefik.http.routers.traefik.entrypoints=https"
       - "traefik.http.routers.traefik.tls=true"
 
-  # traefik-agent:
+  traefik-agent:
-  #   extends:
+    extends:
-  #     file: ${TEMPLATES_PATH}
+      file: ${TEMPLATES_PATH}
-  #     service: default
+      service: default
-  #   image: hhftechnology/traefik-log-dashboard-agent:2.4.0
+    image: hhftechnology/traefik-log-dashboard-agent:2.5.0
-  #   container_name: traefik-log-dashboard-agent
+    container_name: traefik-log-dashboard-agent
-  #   networks:
+    networks:
-  #     - ip4net
+      - ip4net
-  #   ports:
+    ports:
-  #     - "8078:5000"
+      - "8078:5000"
-  #   volumes:
+    volumes:
-  #     - "/var/log/crowdsec/:/logs:ro"
+      - "/var/log/traefik/:/logs:ro"
-  #     - "${SERVICE_PATH}/traefik/log-dashboard/positions:/data"
+      - "${SERVICE_PATH}/traefik/log-dashboard/positions:/data"
-  #   environment:
+    environment:
-  #     TRAEFIK_LOG_DASHBOARD_ACCESS_PATH: /logs/traefik.log
+      TRAEFIK_LOG_DASHBOARD_ACCESS_PATH: /logs/access.log
-  #     TRAEFIK_LOG_DASHBOARD_AUTH_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN}
+      TRAEFIK_LOG_DASHBOARD_AUTH_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN}
-  #     TRAEFIK_LOG_DASHBOARD_SYSTEM_MONITORING: true
+      TRAEFIK_LOG_DASHBOARD_SYSTEM_MONITORING: true
-  #     TRAEFIK_LOG_DASHBOARD_LOG_FORMAT: json
+      TRAEFIK_LOG_DASHBOARD_LOG_FORMAT: json
-  #   healthcheck:
+    deploy:
-  #     test:
+      resources:
-  #       [
+        limits:
-  #         "CMD",
+          cpus: "0.10"
-  #         "wget",
+          memory: 50M
-  #         "--no-verbose",
+    healthcheck:
-  #         "--tries=1",
+      test:
-  #         "--spider",
+        [
-  #         "http://localhost:5000/api/logs/status",
+          "CMD",
-  #       ]
+          "wget",
-  #     interval: 2m
+          "--no-verbose",
-  #     timeout: 10s
+          "--tries=1",
-  #     retries: 3
+          "--spider",
-  #     start_period: 30s
+          "http://localhost:5000/api/logs/status",
-  #
+        ]
-  # traefik-dashboard:
+      interval: 2m
-  #   extends:
+      timeout: 10s
-  #     file: ${TEMPLATES_PATH}
+      retries: 3
-  #     service: default
+      start_period: 30s
-  #   image: hhftechnology/traefik-log-dashboard:2.4.0
+
-  #   container_name: traefik-log-dashboard
+  traefik-dashboard:
-  #   networks:
+    extends:
-  #     - ip4net
+      file: ${TEMPLATES_PATH}
-  #   ports:
+      service: default
-  #     - "8077:3000"
+    image: hhftechnology/traefik-log-dashboard:2.5.0
-  #   volumes:
+    container_name: traefik-log-dashboard
-  #     - ./data/dashboard:/app/data
+    networks:
-  #     - "${SERVICE_PATH}/traefik/log-dashboard/dashboard:/app/data"
+      - ip4net
-  #     - "${SERVICE_PATH}/traefik/log-dashboard/positions:/data"
+    ports:
-  #   environment:
+      - "8077:3000"
-  #     AGENT_API_URL: http://192.168.178.35:8078
+    volumes:
-  #     AGENT_API_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN}
+      - "${SERVICE_PATH}/traefik/log-dashboard/dashboard:/app/data"
-  #     # Display Configuration
+      - "${SERVICE_PATH}/traefik/log-dashboard/positions:/data"
-  #     NEXT_PUBLIC_SHOW_DEMO_PAGE: false
+    environment:
-  #   depends_on:
+      AGENT_API_URL: http://traefik-agent:5000
-  #     traefik-agent:
+      AGENT_API_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN}
-  #       condition: service_healthy
+      # Display Configuration
-  #   labels:
+      NEXT_PUBLIC_SHOW_DEMO_PAGE: false
-  #     # traefik
+    depends_on:
-  #     - "traefik.enable=true"
+      traefik-agent:
-  #     - "traefik.http.routers.traefik-log-dashboard.rule=Host(`traefik-dashboard.${LOCAL_DOMAIN}`)"
+        condition: service_healthy
-  #     - "traefik.http.routers.traefik-log-dashboard.entrypoints=https"
+    deploy:
-  #     - "traefik.http.routers.traefik-log-dashboard.tls=true"
+      resources:
+        limits:
+          cpus: "0.1"
+          memory: 50M
+    labels:
+      # traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik-log-dashboard.rule=Host(`traefik-dashboard.${LOCAL_VPS_DOMAIN}`)"
+      - "traefik.http.routers.traefik-log-dashboard.entrypoints=https"
+      - "traefik.http.routers.traefik-log-dashboard.tls=true"