Merge pull request 'Update traefik Docker tag to v3.6.10' (#11 ) from renovate/traefik-3.x into main

Update traefik Docker tag to v3.6.10
Merge pull request 'Update traefik Docker tag to v3.6.9' (#10 ) from renovate/traefik-3.x into main
2026-03-07 01:03:47 +01:00 · 2026-03-07 00:03:44 +00:00 · 2026-02-24 01:03:20 +01:00 · 2026-02-24 00:03:18 +00:00 · 2026-02-12 01:03:03 +01:00 · 2026-02-12 00:02:59 +00:00
8 changed files with 106 additions and 27 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,12 @@
+# Ignore these files
+**/services/.env
+
+# Ignore these folders
+letsencrypt/
+certs/
+log-dashboard/
+lib/
+**/headscale/config/
+**/headscale/run/
+**/crowdsec/config/
+**/crowdsec/data/
--- a/README.md
+++ b/README.md
@@ -2,3 +2,9 @@

 This configuration includes a reverse proxy using caddy, headscale (VPN) and watchtower (automatic updates).
 It is particularly useful if you do not own an IPV4 address, as this could be deployed on a server. In this case it was deployed on an oracle server and automated using an ansible playbook found on this [repository](https://gitea.crescentec.ch/chriswin/vps-ansible)
+
+For Crowdsec, if an enrollment to your console is wanted, run the following command: 
+```
+docker compose -it exec cscli console enroll $ENROLLMENT_KEY
+```
+where the the enrollment can be found in your console under the engine page.
--- a/renovate.json
+++ b/renovate.json
@@ -0,0 +1,48 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "extends": [
+        "schedule:automergeDaily"
+    ],
+    "dependencyDashboard": true,
+    "dependencyDashboardTitle": "Renovate Dashboard",
+    "assignees": [
+        "chriswin"
+    ],
+    "labels": [
+        "renovate"
+    ],
+    "configMigration": true,
+    "prHourlyLimit": 0,
+    "packageRules": [
+        {
+            "matchCategories": [
+                "docker"
+            ],
+            "enabled": true,
+            "managerFilePatterns": [
+                "/(^|/)services/*\\Dockerfile$/"
+            ]
+        },
+        {
+            "matchUpdateTypes": [
+                "minor",
+                "patch"
+            ],
+            "automerge": true,
+            "automergeType": "pr"
+        },
+        {
+            "matchUpdateTypes": [
+                "major"
+            ],
+            "automerge": false
+        }
+    ],
+    "docker-compose": {
+        "enabled": true,
+        "managerFilePatterns": [
+            "/(^|/)docker-compose\\.yml$/",
+            "/(^|/)services/.*\\.yml$/"
+        ]
+    }
+}
--- a/services/.env
+++ b/services/.env
@@ -1 +0,0 @@
-CROWDSEC_API_KEY=8lbUZjrGQp9JZln2pa5G1SCj0Fc8f9SaZUwqLm+6ZJQ
--- a/services/crowdsec/crowdsec.yml
+++ b/services/crowdsec/crowdsec.yml
@@ -4,7 +4,7 @@ services:
      file: ${TEMPLATES_PATH}
      service: default
    container_name: crowdsec
-    image: crowdsecurity/crowdsec:v1.7.4
+    image: crowdsecurity/crowdsec:v1.7.6
    environment:
      COLLECTIONS: crowdsecurity/traefik crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules crowdsecurity/http-cve
      CROWDSEC_BOUNCER_API_KEY: ${CROWDSEC_API_KEY}
--- a/services/headscale/headscale.yml
+++ b/services/headscale/headscale.yml
@@ -3,19 +3,24 @@ services:
    extends:
      file: ${TEMPLATES_PATH}
      service: default
-    image: docker.io/headscale/headscale 
-    container_name: headscale 
+    image: docker.io/headscale/headscale
+    container_name: headscale
    volumes:
      - ${SERVICE_PATH}/headscale/config:/etc/headscale
      - ${SERVICE_PATH}/headscale/lib:/var/lib/headscale
      - ${SERVICE_PATH}/headscale/run:/var/run/headscale
    ports:
-      - 127.0.0.1:8080:8080 # api 
+      - 127.0.0.1:8080:8080 # api
      - 127.0.0.1:9090:9090 # metrics
    command: serve
    environment:
    networks:
      - ip4net
    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.headscale.rule=Host(`headscale.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.headscale.entrypoints=https"
+      - "traefik.http.routers.headscale.tls.certresolver=myresolver"
+      - "traefik.http.routers.headscale.tls=true"
+      - "traefik.http.routers.headscale.middlewares=crowdsec-bouncer@file"
--- a/services/traefik/config/config.yml
+++ b/services/traefik/config/config.yml
@@ -5,26 +5,28 @@ http:
    crowdsec-bouncer:
      plugin:
        crowdsec-bouncer-traefik-plugin:
-          enabled: true
+          enabled: true 
          logLevel: INFO
          updateIntervalSeconds: 60
-          crowdsecMode: stream
+          crowdsecMode: live 
          crowdsecAppsecEnabled: true
+          crowdsecAppsecFailureBlock: true 
+          crowdsecAppsecUnreachableBlock: true 
          crowdsecAppsecHost: crowdsec:7422
          crowdsecLapiScheme: http
          crowdsecLapiHost: crowdsec:8080
          # generated using "docker exec crowdsec cscli bouncers add crowdsecBouncer"
-          crowdseclapikey: {{ env "TRAEFIK_CROWDSEC_API_KEY" }}
+          crowdsecLapikey: {{ env "TRAEFIK_CROWDSEC_API_KEY" }}
          forwardedHeadersTrustedIPs:
            - 10.0.0.0/8
          clientTrustedIPs:
            - 192.168.178.0/24
-          captchaProvider: hcaptcha
-          captchaSiteKey: b2d20610-8dda-4f40-8688-7ca8e1e628f8 # found in hcaptcha account
-          captchaSecretKey: {{ env "TRAEFIK_CAPTCHA_KEY" }}
-          captchaGracePeriodSeconds: 1800
-          captchaHTMLFilePath: /captcha.html
-          banHTMLFilePath: /ban.html
+          # captchaProvider: hcaptcha
+          # captchaSiteKey: b2d20610-8dda-4f40-8688-7ca8e1e628f8 # found in hcaptcha account
+          # captchaSecretKey: {{ env "TRAEFIK_CAPTCHA_KEY" }}
+          # captchaGracePeriodSeconds: 1800
+          # captchaHTMLFilePath: /captcha.html
+          # banHTMLFilePath: /ban.html

  routers:
    authelia:
@@ -51,14 +53,6 @@ http:
        certresolver: myresolver
      middlewares: crowdsec-bouncer@file

-    headscale:
-      rule: "Host(`headscale.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
-      service: node 
-      entrypoints: https,http 
-      tls:
-        certresolver: myresolver
-      middlewares: crowdsec-bouncer@file
-
    immich:
      rule: "Host(`immich.{{ env "TRAEFIK_PUBLIC_DOMAIN" }}`)"
      service: node 
--- a/services/traefik/traefik.yml
+++ b/services/traefik/traefik.yml
@@ -3,7 +3,7 @@ services:
    extends:
      file: ${TEMPLATES_PATH}
      service: default
-    image: traefik:v3.6.6
+    image: traefik:v3.6.10
    container_name: traefik
    ports:
      - "80:80"
@@ -16,6 +16,11 @@ services:
      TRAEFIK_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN}
      TRAEFIK_MAIN_SERVER_NODE_IP: ${MAIN_SERVER_NODE_IP}
      TRAEFIK_CROWDSEC_API_KEY: ${CROWDSEC_API_KEY}
+    deploy:
+      resources:
+        limits:
+          cpus: "0.3"
+          memory: 150M
    volumes:
      - "/var/log/traefik/:/var/log/traefik/"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
@@ -36,7 +41,7 @@ services:
    extends:
      file: ${TEMPLATES_PATH}
      service: default
-    image: hhftechnology/traefik-log-dashboard-agent:2.4.0
+    image: hhftechnology/traefik-log-dashboard-agent:2.5.0
    container_name: traefik-log-dashboard-agent
    networks:
      - ip4net
@@ -50,6 +55,11 @@ services:
      TRAEFIK_LOG_DASHBOARD_AUTH_TOKEN: ${TRAEFIK_DASHBOARD_TOKEN}
      TRAEFIK_LOG_DASHBOARD_SYSTEM_MONITORING: true
      TRAEFIK_LOG_DASHBOARD_LOG_FORMAT: json
+    deploy:
+      resources:
+        limits:
+          cpus: "0.10"
+          memory: 50M
    healthcheck:
      test:
        [
@@ -69,7 +79,7 @@ services:
    extends:
      file: ${TEMPLATES_PATH}
      service: default
-    image: hhftechnology/traefik-log-dashboard:2.4.0
+    image: hhftechnology/traefik-log-dashboard:2.5.0
    container_name: traefik-log-dashboard
    networks:
      - ip4net
@@ -86,6 +96,11 @@ services:
    depends_on:
      traefik-agent:
        condition: service_healthy
+    deploy:
+      resources:
+        limits:
+          cpus: "0.1"
+          memory: 50M
    labels:
      # traefik
      - "traefik.enable=true"
Author	SHA1	Message	Date
renovate_bot	ddf912a4e9	Merge pull request 'Update traefik Docker tag to v3.6.10' (#11 ) from renovate/traefik-3.x into main	2026-03-07 01:03:47 +01:00
Renovate Bot	15f47d5554	Update traefik Docker tag to v3.6.10	2026-03-07 00:03:44 +00:00
renovate_bot	6992333c6f	Merge pull request 'Update traefik Docker tag to v3.6.9' (#10 ) from renovate/traefik-3.x into main	2026-02-24 01:03:20 +01:00
Renovate Bot	2af1f4c5d9	Update traefik Docker tag to v3.6.9	2026-02-24 00:03:18 +00:00
renovate_bot	e74476439d	Merge pull request 'Update traefik Docker tag to v3.6.8' (#9 ) from renovate/traefik-3.x into main	2026-02-12 01:03:03 +01:00
Renovate Bot	c51f5a6d0d	Update traefik Docker tag to v3.6.8	2026-02-12 00:02:59 +00:00
renovate_bot	3f22dc885c	Merge pull request 'Update hhftechnology/traefik-log-dashboard-agent Docker tag to v2.5.0' (#8 ) from renovate/hhftechnology-traefik-log-dashboard-agent-2.x into main	2026-02-08 01:02:53 +01:00
renovate_bot	456416b04d	Merge pull request 'Update hhftechnology/traefik-log-dashboard Docker tag to v2.5.0' (#7 ) from renovate/hhftechnology-traefik-log-dashboard-2.x into main	2026-02-08 01:02:50 +01:00
Renovate Bot	9a01d992ad	Update hhftechnology/traefik-log-dashboard-agent Docker tag to v2.5.0	2026-02-08 00:02:50 +00:00
Renovate Bot	154165ab18	Update hhftechnology/traefik-log-dashboard Docker tag to v2.5.0	2026-02-08 00:02:49 +00:00
chris	445b638f55	resource and fixes	2026-01-25 22:19:02 +00:00
renovate_bot	afe037ffad	Merge pull request 'Update crowdsecurity/crowdsec Docker tag to v1.7.6' (#6 ) from renovate/crowdsecurity-crowdsec-1.x into main	2026-01-24 01:02:35 +01:00
Renovate Bot	54bcc89c7f	Update crowdsecurity/crowdsec Docker tag to v1.7.6	2026-01-24 00:02:32 +00:00
chris	d0e3149200	clean up traefik and crowdsec improvements	2026-01-23 17:10:12 +00:00
chriswin	c5a3763239	Merge pull request 'Update traefik Docker tag to v3.6.7' (#5 ) from renovate/traefik-3.x into main Reviewed-on: #5	2026-01-21 18:17:05 +01:00
renovate_bot	6287e7b6cd	Merge pull request 'Update hhftechnology/traefik-log-dashboard-agent Docker tag to v2.4.1' (#4 ) from renovate/hhftechnology-traefik-log-dashboard-agent-2.x into main	2026-01-21 18:16:39 +01:00
renovate_bot	f8857d8097	Merge pull request 'Update hhftechnology/traefik-log-dashboard Docker tag to v2.4.1' (#3 ) from renovate/hhftechnology-traefik-log-dashboard-2.x into main	2026-01-21 18:16:39 +01:00
Renovate Bot	74a1e0b0f7	Update traefik Docker tag to v3.6.7	2026-01-21 17:16:38 +00:00
Renovate Bot	9afb7ff397	Update hhftechnology/traefik-log-dashboard-agent Docker tag to v2.4.1	2026-01-21 17:16:37 +00:00
Renovate Bot	adc4358152	Update hhftechnology/traefik-log-dashboard Docker tag to v2.4.1	2026-01-21 17:16:35 +00:00
chriswin	139fe18e76	Update renovate.json	2026-01-21 18:14:26 +01:00
chriswin	152ad30a5a	Update renovate.json	2026-01-21 18:13:15 +01:00
chriswin	632a19e9cc	Merge pull request 'Configure Renovate' (#1 ) from renovate/configure into main Reviewed-on: #1	2026-01-21 17:45:02 +01:00
chriswin	ad916b67bb	Update renovate.json	2026-01-21 17:44:52 +01:00
Renovate Bot	5c3cc4ae60	Add renovate.json	2026-01-21 16:40:12 +00:00
chris	31cad6e3cb	add crowdsec console enrollment	2026-01-21 16:29:22 +00:00
chris	039354993e	cleanup gitignore, improve crowdsec	2026-01-21 16:25:39 +00:00
				`@@ -1 +0,0 @@`
				`CROWDSEC_API_KEY=8lbUZjrGQp9JZln2pa5G1SCj0Fc8f9SaZUwqLm+6ZJQ`