27 Commits
f0521563b5
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
| ddf912a4e9 | |||
| 15f47d5554 | |||
| 6992333c6f | |||
| 2af1f4c5d9 | |||
| e74476439d | |||
| c51f5a6d0d | |||
| 3f22dc885c | |||
| 456416b04d | |||
| 9a01d992ad | |||
| 154165ab18 | |||
| 445b638f55 | |||
| afe037ffad | |||
| 54bcc89c7f | |||
| d0e3149200 | |||
| c5a3763239 | |||
| 6287e7b6cd | |||
| f8857d8097 | |||
| 74a1e0b0f7 | |||
| 9afb7ff397 | |||
| adc4358152 | |||
| 139fe18e76 | |||
| 152ad30a5a | |||
| 632a19e9cc | |||
| ad916b67bb | |||
| 5c3cc4ae60 | |||
| 31cad6e3cb | |||
| 039354993e |
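--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,12 @@
+# Ignore these files
+**/services/.env
+
+# Ignore these folders
+letsencrypt/
+certs/
+log-dashboard/
+lib/
+**/headscale/config/
+**/headscale/run/
+**/crowdsec/config/
+**/crowdsec/data/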
@@ -2,3 +2,9 @@
|
|||||||
|
|
||||||
This configuration includes a reverse proxy using caddy, headscale (VPN) and watchtower (automatic updates).
|
This configuration includes a reverse proxy using caddy, headscale (VPN) and watchtower (automatic updates).
|
||||||
It is particularly useful if you do not own an IPV4 address, as this could be deployed on a server. In this case it was deployed on an oracle server and automated using an ansible playbook found on this [repository](https://gitea.crescentec.ch/chriswin/vps-ansible)
|
It is particularly useful if you do not own an IPV4 address, as this could be deployed on a server. In this case it was deployed on an oracle server and automated using an ansible playbook found on this [repository](https://gitea.crescentec.ch/chriswin/vps-ansible)
|
||||||
|
|
||||||
|
For Crowdsec, if an enrollment to your console is wanted, run the following command:
|
||||||
|
```
|
||||||
|
docker compose -it exec cscli console enroll $ENROLLMENT_KEY
|
||||||
|
```
|
||||||
|
where the the enrollment can be found in your console under the engine page.
|
||||||
|
|||||||
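--- a/renovate.json
+++ b/renovate.json
@@ -0,0 +1,48 @@
+{
+"$schema": "https://docs.renovatebot.com/renovate-schema.json",
+"extends": [
+"schedule:automergeDaily"
+],
+"dependencyDashboard": true,
+"dependencyDashboardTitle": "Renovate Dashboard",
+"assignees": [
+"chriswin"
+],
+"labels": [
+"renovate"
+],
+"configMigration": true,
+"prHourlyLimit": 0,
+"packageRules": [
+{
+"matchCategories": [
+"docker"
+],
+"enabled": true,
+"managerFilePatterns": [
+"/(^|/)services/*\\Dockerfile$/"
+]
+},
+{
+"matchUpdateTypes": [
+"minor",
+"patch"
+],
+"automerge": true,
+"automergeType": "pr"
+},
+{
+"matchUpdateTypes": [
+"major"
+],
+"automerge": false
+}
+],
+"docker-compose": {
+"enabled": true,
+"managerFilePatterns": [
+"/(^|/)docker-compose\\.yml$/",
+"/(^|/)services/.*\\.yml$/"
+]
+}
+}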
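Review bot: The docker rule's file pattern `"/(^|/)services/*\\Dockerfile$/"` does not express what it seems to: in the regex, `/*` is zero or more slashes and `\D` is the non-digit character class, so it matches `services/Dockerfile` only by accident and never a Dockerfile in a subdirectory such as `services/<name>/Dockerfile`; the `docker-compose` block further down uses the intended shape, so `"/(^|/)services/.*Dockerfile$/"` is likely what was meant. As far as I know `managerFilePatterns` is a manager-level option (like the one under `docker-compose`) rather than a `packageRules` key, where file scoping is done with `matchFileNames`; running `renovate-config-validator` on the file would confirm. Separately, automerging minor and patch image updates by tag leaves the deployment trusting whatever the registry serves for that tag at pull time; enabling `pinDigests` for the docker rules keeps the automerge flow while turning each update into a reviewable, reproducible digest change.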
@@ -1 +0,0 @@
|
|||||||
CROWDSEC_API_KEY=8lbUZjrGQp9JZln2pa5G1SCj0Fc8f9SaZUwqLm+6ZJQ
|
|
||||||
@@ -4,7 +4,7 @@ services:
|
|||||||
file: ${TEMPLATES_PATH}
|
file: ${TEMPLATES_PATH}
|
||||||
service: default
|
service: default
|
||||||
container_name: crowdsec
|
container_name: crowdsec
|
||||||
image: crowdsecurity/crowdsec:v1.7.4
|
image: crowdsecurity/crowdsec:v1.7.6
|
||||||
environment:
|
environment:
|
||||||
COLLECTIONS: crowdsecurity/traefik crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules crowdsecurity/http-cve
|
COLLECTIONS: crowdsecurity/traefik crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules crowdsecurity/http-cve
|
||||||
CROWDSEC_BOUNCER_API_KEY: ${CROWDSEC_API_KEY}
|
CROWDSEC_BOUNCER_API_KEY: ${CROWDSEC_API_KEY}
|
||||||
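Review bot: `CROWDSEC_BOUNCER_API_KEY: ${CROWDSEC_API_KEY}` on the last context line is still fed from the variable whose literal value this compare removes from a `.env` file (the `@@ -1 +0,0 @@` hunk above); deleting that file in a later commit does not remove the value from the repository history, so the bouncer key it held should be treated as exposed. The fix is operational rather than in this hunk: revoke the old bouncer registration, create a fresh one (the traefik dynamic config already documents the `cscli bouncers add` step) and update the now-untracked `.env` on the host. If the repository is or was ever public, also consider rewriting history for that file rather than relying on the deletion alone.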
|
|||||||
@@ -17,5 +17,10 @@ services:
|
|||||||
networks:
|
networks:
|
||||||
- ip4net
|
- ip4net
|
||||||
labels:
|
labels:
|
||||||
# Watchtower
|
# Traefik
|
||||||
- "com.centurylinklabs.watchtower.enable=true"
|
- "traefik.enable=true"
|
||||||
|
- "traefik.http.routers.headscale.rule=Host(`headscale.${PUBLIC_DOMAIN}`)"
|
||||||
|
- "traefik.http.routers.headscale.entrypoints=https"
|
||||||
|
- "traefik.http.routers.headscale.tls.certresolver=myresolver"
|
||||||
|
- "traefik.http.routers.headscale.tls=true"
|
||||||
|
- "traefik.http.routers.headscale.middlewares=crowdsec-bouncer@file"
|
||||||
|
|||||||
@@ -8,23 +8,25 @@ http:
|
|||||||
enabled: true
|
enabled: true
|
||||||
logLevel: INFO
|
logLevel: INFO
|
||||||
updateIntervalSeconds: 60
|
updateIntervalSeconds: 60
|
||||||
crowdsecMode: stream
|
crowdsecMode: live
|
||||||
crowdsecAppsecEnabled: true
|
crowdsecAppsecEnabled: true
|
||||||
|
crowdsecAppsecFailureBlock: true
|
||||||
|
crowdsecAppsecUnreachableBlock: true
|
||||||
crowdsecAppsecHost: crowdsec:7422
|
crowdsecAppsecHost: crowdsec:7422
|
||||||
crowdsecLapiScheme: http
|
crowdsecLapiScheme: http
|
||||||
crowdsecLapiHost: crowdsec:8080
|
crowdsecLapiHost: crowdsec:8080
|
||||||
# generated using "docker exec crowdsec cscli bouncers add crowdsecBouncer"
|
# generated using "docker exec crowdsec cscli bouncers add crowdsecBouncer"
|
||||||
crowdseclapikey: {{ env "TRAEFIK_CROWDSEC_API_KEY" }}
|
crowdsecLapikey: {{ env "TRAEFIK_CROWDSEC_API_KEY" }}
|
||||||
forwardedHeadersTrustedIPs:
|
forwardedHeadersTrustedIPs:
|
||||||
- 10.0.0.0/8
|
- 10.0.0.0/8
|
||||||
clientTrustedIPs:
|
clientTrustedIPs:
|
||||||
- 192.168.178.0/24
|
- 192.168.178.0/24
|
||||||
captchaProvider: hcaptcha
|
# captchaProvider: hcaptcha
|
||||||
captchaSiteKey: b2d20610-8dda-4f40-8688-7ca8e1e628f8 # found in hcaptcha account
|
# captchaSiteKey: b2d20610-8dda-4f40-8688-7ca8e1e628f8 # found in hcaptcha account
|
||||||
captchaSecretKey: {{ env "TRAEFIK_CAPTCHA_KEY" }}
|
# captchaSecretKey: {{ env "TRAEFIK_CAPTCHA_KEY" }}
|
||||||
captchaGracePeriodSeconds: 1800
|
# captchaGracePeriodSeconds: 1800
|
||||||
captchaHTMLFilePath: /captcha.html
|
# captchaHTMLFilePath: /captcha.html
|
||||||
banHTMLFilePath: /ban.html
|
# banHTMLFilePath: /ban.html
|
||||||
|
|
||||||
routers:
|
routers:
|
||||||
authelia:
|
authelia:
|
||||||
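Review bot: `updateIntervalSeconds: 60` is left in place while `crowdsecMode` switches from `stream` to `live`, and in the maxlerebourg bouncer plugin (which these option names match) that interval only drives the stream-mode decision pull; in live mode each uncached request queries the LAPI at `crowdsec:8080`, with the per-IP cache lifetime set by `defaultDecisionSeconds` instead. Either drop the now-inert line or annotate it, e.g. `# stream-mode only; live mode caches per defaultDecisionSeconds`, so the next reader does not expect a 60 s refresh. The two new `crowdsecAppsec*Block: true` flags make the bouncer fail closed: with `crowdsecAppsecUnreachableBlock` an unreachable crowdsec container means every proxied request is blocked rather than let through, which is the safer default but ties site availability to the crowdsec container and deserves a one-line comment saying so. The `crowdseclapikey` → `crowdsecLapikey` rename is cosmetic only if the plugin matches option names case-insensitively; confirm that against the plugin's documented option name. The enclosing `http.middlewares` block starts before the hunk.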
@@ -51,14 +53,6 @@ http:
|
|||||||
certresolver: myresolver
|
certresolver: myresolver
|
||||||
middlewares: crowdsec-bouncer@file
|
middlewares: crowdsec-bouncer@file
|
||||||
|
|
||||||
headscale:
|
|
||||||
rule: "Host(`headscale.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
|
|
||||||
service: node
|
|
||||||
entrypoints: https,http
|
|
||||||
tls:
|
|
||||||
certresolver: myresolver
|
|
||||||
middlewares: crowdsec-bouncer@file
|
|
||||||
|
|
||||||
immich:
|
immich:
|
||||||
rule: "Host(`immich.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
|
rule: "Host(`immich.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
|
||||||
service: node
|
service: node
|
||||||
|
|||||||
@@ -3,7 +3,7 @@ services:
|
|||||||
extends:
|
extends:
|
||||||
file: ${TEMPLATES_PATH}
|
file: ${TEMPLATES_PATH}
|
||||||
service: default
|
service: default
|
||||||
image: traefik:v3.6.6
|
image: traefik:v3.6.10
|
||||||
container_name: traefik
|
container_name: traefik
|
||||||
ports:
|
ports:
|
||||||
- "80:80"
|
- "80:80"
|
||||||
@@ -16,6 +16,11 @@ services:
|
|||||||
TRAEFIK_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN}
|
TRAEFIK_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN}
|
||||||
TRAEFIK_MAIN_SERVER_NODE_IP: ${MAIN_SERVER_NODE_IP}
|
TRAEFIK_MAIN_SERVER_NODE_IP: ${MAIN_SERVER_NODE_IP}
|
||||||
TRAEFIK_CROWDSEC_API_KEY: ${CROWDSEC_API_KEY}
|
TRAEFIK_CROWDSEC_API_KEY: ${CROWDSEC_API_KEY}
|
||||||
|
deploy:
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpus: "0.3"
|
||||||
|
memory: 150M
|
||||||
volumes:
|
volumes:
|
||||||
- "/var/log/traefik/:/var/log/traefik/"
|
- "/var/log/traefik/:/var/log/traefik/"
|
||||||
- "/var/run/docker.sock:/var/run/docker.sock:ro"
|
- "/var/run/docker.sock:/var/run/docker.sock:ro"
|
||||||
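Review bot: The new `deploy.resources.limits` caps traefik at `memory: 150M` with no `reservations` and no indication of how the figure was sized; traefik is the single ingress here, so an OOM kill of this container takes every service offline until the `restart` policy inherited from the `default` template in `${TEMPLATES_PATH}` (outside this diff) brings it back. Please confirm that template sets a restart policy and that 150M sits above the observed steady-state usage with the crowdsec plugin and appsec enabled, or record the measurement in a comment above `limits:`. The same applies to the two later hunks adding 50M limits to the log-dashboard agent and dashboard, which also write `cpus` in three different forms (`"0.3"`, `"0.10"`, `"0.1"`); one consistent form would read better.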
@@ -36,7 +41,7 @@ services:
|
|||||||
extends:
|
extends:
|
||||||
file: ${TEMPLATES_PATH}
|
file: ${TEMPLATES_PATH}
|
||||||
service: default
|
service: default
|
||||||
image: hhftechnology/traefik-log-dashboard-agent:2.4.0
|
image: hhftechnology/traefik-log-dashboard-agent:2.5.0
|
||||||
container_name: traefik-log-dashboard-agent
|
container_name: traefik-log-dashboard-agent
|
||||||
networks:
|
networks:
|
||||||
- ip4net
|
- ip4net
|
||||||
@@ -50,6 +55,11 @@ services:
|
|||||||
TRAEFIK_LOG_DASHBOARD_AUTH_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN}
|
TRAEFIK_LOG_DASHBOARD_AUTH_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN}
|
||||||
TRAEFIK_LOG_DASHBOARD_SYSTEM_MONITORING: true
|
TRAEFIK_LOG_DASHBOARD_SYSTEM_MONITORING: true
|
||||||
TRAEFIK_LOG_DASHBOARD_LOG_FORMAT: json
|
TRAEFIK_LOG_DASHBOARD_LOG_FORMAT: json
|
||||||
|
deploy:
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpus: "0.10"
|
||||||
|
memory: 50M
|
||||||
healthcheck:
|
healthcheck:
|
||||||
test:
|
test:
|
||||||
[
|
[
|
||||||
@@ -69,7 +79,7 @@ services:
|
|||||||
extends:
|
extends:
|
||||||
file: ${TEMPLATES_PATH}
|
file: ${TEMPLATES_PATH}
|
||||||
service: default
|
service: default
|
||||||
image: hhftechnology/traefik-log-dashboard:2.4.0
|
image: hhftechnology/traefik-log-dashboard:2.5.0
|
||||||
container_name: traefik-log-dashboard
|
container_name: traefik-log-dashboard
|
||||||
networks:
|
networks:
|
||||||
- ip4net
|
- ip4net
|
||||||
@@ -86,6 +96,11 @@ services:
|
|||||||
depends_on:
|
depends_on:
|
||||||
traefik-agent:
|
traefik-agent:
|
||||||
condition: service_healthy
|
condition: service_healthy
|
||||||
|
deploy:
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpus: "0.1"
|
||||||
|
memory: 50M
|
||||||
labels:
|
labels:
|
||||||
# traefik
|
# traefik
|
||||||
- "traefik.enable=true"
|
- "traefik.enable=true"
|
||||||
|
|||||||