diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..40f82e6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,35 @@
+docker-compose.yml.save
+docker-compose.yml.save.1
+.bash_history
+.bashrc
+.docker/
+/root/.env
+.env-mysql
+.local/
+.profile
+.python_history
+.selected_editor
+.ssh/
+.wget-hsts
+cert-export/
+backup-yml-snippets/
+snipeit/
+pwm/
+docker-setup.sh/
+snipeit/
+uptime-kuma/
+vikunja/
+drone/data/
+elasticsearch/data/
+gitea/data/
+elasticsearch/data/
+graylog/data/
+mariadb/data/
+mongodb/data/
+nginx/data/
+portainer/data/
+portainer/portainer-backup/
+traefik/data/acme.json
+traefik/data/acme.json.bak
+traefik/data/certs/
+vaultwarden/data/
diff --git a/adminer/docker-compose.yml b/adminer/docker-compose.yml
new file mode 100644
index 0000000..a9e4e59
--- /dev/null
+++ b/adminer/docker-compose.yml
@@ -0,0 +1,28 @@
+version: "3"
+
+services:
+ dbgui:
+ image: adminer:4
+ container_name: adminer
+ hostname: dbgui
+ restart: always
+ networks:
+ - proxy
+ - backend
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.adminer.entrypoints=http"
+ - "traefik.http.routers.adminer.rule=Host(`db.office.kh3group.com`)"
+ - "traefik.http.middlewares.adminer-https-redirect.redirectscheme.scheme=https"
+ - "traefik.http.routers.adminer.middlewares=adminer-https-redirect"
+ - "traefik.http.routers.adminer-secure.rule=Host(`db.office.kh3group.com`)"
+ - "traefik.http.routers.adminer-secure.tls=true"
+ - "traefik.http.routers.adminer-secure.service=adminer"
+ - "traefik.http.services.adminer.loadbalancer.server.port=8080"
+ - "traefik.docker.network=proxy"
+
+networks:
+ proxy:
+ external: true
+ backend:
+ external: true
diff --git a/crowdsec/Dockerfile b/crowdsec/Dockerfile
new file mode 100644
index 0000000..4423bc2
--- /dev/null
+++ b/crowdsec/Dockerfile
@@ -0,0 +1,2 @@
+FROM metabase/metabase
+RUN mkdir /data/ && wget https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/metabase_sqlite.zip && unzip metabase_sqlite.zip -d /data/
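Review bot: The ignore list does not cover the per-service env files (`drone/.env`, `graylog/.env`, `mariadb/.env`, `traefik/.env`, `vaultwarden/.env`) that this same commit adds, because `/root/.env` is anchored at the repository root and only matches `<repo>/root/.env`. An unanchored pattern such as `.env` (or `**/.env`) would match in every service directory; likewise `docker-setup.sh/` with its trailing slash matches only a directory, which is why the script itself is committed. `snipeit/` and `elasticsearch/data/` are listed twice and one copy of each can go.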
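Review bot: The `adminer-secure` router has no `entrypoints` label, so it attaches to every entrypoint instead of only `https` as the other stacks do (compare `traefik.http.routers.drone-secure.entrypoints=https`); add `- "traefik.http.routers.adminer-secure.entrypoints=https"`. The same omission is on `portainer-secure` in portainer/docker-compose.yml. Adminer is a database login form that is reachable on `proxy` with no access control beyond the CrowdSec bouncer; chaining the file provider's `default-whitelist` onto this router, as the Traefik dashboard does with basic auth, would keep it LAN-only.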
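Review bot: `FROM metabase/metabase` is untagged, and the `RUN` line fetches a zip over `wget` with no integrity check and leaves the archive in the image layer, so each build pulls whatever the bucket and the `latest` tag currently serve. Pin the base tag, verify the archive against a known checksum before extracting, and remove it in the same layer; the rewritten instructions are below, with the tag and digest to be filled in. The image also has no `USER`, which is inherited from the base and worth confirming.

```dockerfile
FROM metabase/metabase:<PINNED_TAG>
RUN set -eux \
    && mkdir -p /data/ \
    && wget -O /tmp/metabase_sqlite.zip https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/metabase_sqlite.zip \
    && echo "<EXPECTED_SHA256>  /tmp/metabase_sqlite.zip" | sha256sum -c - \
    && unzip /tmp/metabase_sqlite.zip -d /data/ \
    && rm /tmp/metabase_sqlite.zip
```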
diff --git a/crowdsec/data/config/acquis.yaml b/crowdsec/data/config/acquis.yaml
new file mode 100644
index 0000000..784993b
--- /dev/null
+++ b/crowdsec/data/config/acquis.yaml
@@ -0,0 +1,4 @@
+filenames:
+ - /var/log/traefik/*
+labels:
+ type: traefik
diff --git a/crowdsec/docker-compose.yml b/crowdsec/docker-compose.yml
new file mode 100644
index 0000000..e673108
--- /dev/null
+++ b/crowdsec/docker-compose.yml
@@ -0,0 +1,38 @@
+version: '3.8'
+services:
+ guard:
+ image: crowdsecurity/crowdsec:v1.4.3
+ container_name: crowdsec
+ hostname: guard
+ environment:
+ COLLECTIONS: "crowdsecurity/linux crowdsecurity/traefik"
+ volumes:
+ - /root/crowdsec/data/config/acquis.yaml:/etc/crowdsec/acquis.yaml
+ - crowdsec-db:/var/lib/crowdsec/data/
+ - crowdsec-config:/etc/crowdsec/
+ - traefik_traefik-logs:/var/log/traefik/:ro
+ networks:
+ - proxy
+ restart: unless-stopped
+
+ bouncer-traefik:
+ image: fbonalair/traefik-crowdsec-bouncer:latest
+ container_name: bouncer-traefik
+ hostname: bouncer-traefik
+ environment:
+ CROWDSEC_BOUNCER_API_KEY: 22bae1bfe5ec4d708efc9471a665a3c1
+ CROWDSEC_AGENT_HOST: guard:8080
+ networks:
+ - proxy
+ depends_on:
+ - guard
+ restart: unless-stopped
+
+networks:
+ proxy:
+ external: true
+volumes:
+ crowdsec-db:
+ crowdsec-config:
+ traefik_traefik-logs:
+ external: true
diff --git a/docker-setup.sh b/docker-setup.sh
new file mode 100755
index 0000000..550a91c
--- /dev/null
+++ b/docker-setup.sh
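Review bot: `CROWDSEC_BOUNCER_API_KEY` is a literal in the compose file, so the bouncer's API key is now in git history; the same exposure applies to every `.env` file this commit adds (drone, graylog, mariadb, traefik, vaultwarden) and to `SMTP_PASSWORD` in vaultwarden/docker-compose.yml. Treat all of them as leaked: rotate each one (re-issue this key with `cscli bouncers add`), keep the values in files the `.gitignore` actually excludes or in Docker secrets, and reference them as `CROWDSEC_BOUNCER_API_KEY: ${CROWDSEC_BOUNCER_API_KEY}`. `fbonalair/traefik-crowdsec-bouncer:latest` is also unpinned, as are `drone/drone:latest`, `gitea/gitea:latest`, `alpine/git:latest` and the untagged `vaultwarden/server`; pin them the way `crowdsecurity/crowdsec:v1.4.3` already is.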
@@ -0,0 +1,11 @@
+#!/bin/bash
+apt-get update
+apt-get install -y ca-certificates curl gnupg lsb-release
+mkdir -p /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
+apt-get update
+apt-get install -y docker-ce docker-ce-cli containerd.io
+curl -SL https://github.com/docker/compose/releases/download/v2.12.0/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
+ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
+chmod +x /usr/bin/docker-compose
diff --git a/drone/.env b/drone/.env
new file mode 100644
index 0000000..30670f6
--- /dev/null
+++ b/drone/.env
@@ -0,0 +1,3 @@
+DRONE_GITEA_CLIENT_ID=0e1dc5a7-e7c6-49a9-bfb6-0788b841cd80
+DRONE_GITEA_CLIENT_SECRET=gto_zpobgtdlqcfeha7not3qezm2yccfpahvrxpmu2smsj5gzxyepcna
+DRONE_RPC_SECRET=5d92181e9ce8ec5574a28b09d8f185d7
diff --git a/drone/docker-compose.yml b/drone/docker-compose.yml
new file mode 100644
index 0000000..f15a7b1
--- /dev/null
+++ b/drone/docker-compose.yml
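Review bot: The Compose binary is downloaded with `curl -SL` and installed with no integrity check, while the Docker packages a few lines above are verified through the apt signing key; a tampered download would put an executable in `/usr/local/bin` that is later run as root. Compare the file against the checksum published with the v2.12.0 release before installing, e.g. `echo "<EXPECTED_SHA256>  /usr/local/bin/docker-compose" | sha256sum -c -`. The script also lacks `set -euo pipefail`, so a failed `curl` would not stop the `ln`/`chmod` steps, and `ln -s` fails on a second run; `ln -sf` and `chmod +x /usr/local/bin/docker-compose` on the real file would make it idempotent. The architecture is hard-coded to `x86_64` even though the apt line derives it from `dpkg --print-architecture`.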
@@ -0,0 +1,56 @@
+version: '3'
+
+services:
+ ci:
+ image: drone/drone:latest
+ container_name: drone
+ hostname: ci
+ volumes:
+ - /root/drone/data:/data
+ environment:
+ - DRONE_GITEA_SERVER=https://git.office.kh3group.com
+ - DRONE_GIT_ALWAYS_AUTH=true
+ - DRONE_GITEA_CLIENT_ID=${DRONE_GITEA_CLIENT_ID}
+ - DRONE_GITEA_CLIENT_SECRET=${DRONE_GITEA_CLIENT_SECRET}
+ - DRONE_SERVER_HOST=drone.office.kh3group.com
+ - DRONE_SERVER_PROTO=https
+ - DRONE_RPC_SECRET=${DRONE_RPC_SECRET}
+ - DRONE_USER_CREATE=username:support,admin:true
+ restart: unless-stopped
+ labels:
+ - "traefik.http.routers.drone.entrypoints=http"
+ - "traefik.http.routers.drone.rule=Host(`drone.office.kh3group.com`)"
+ - "traefik.http.middlewares.drone-https-redirect.redirectscheme.scheme=https"
+ - "traefik.http.routers.drone.middlewares=drone-https-redirect"
+ - "traefik.enable=true"
+ - "traefik.http.routers.drone-secure.entrypoints=https"
+ - "traefik.http.routers.drone-secure.rule=Host(`drone.office.kh3group.com`) || Host(`drone.kh3group.com`)"
+ - "traefik.http.routers.drone-secure.tls=true"
+ - "traefik.http.routers.drone-secure.service=drone"
+ - "traefik.http.services.drone.loadbalancer.server.port=80"
+ - "traefik.docker.network=proxy"
+ networks:
+ - proxy
+ - backend
+
+ ci-agent:
+ image: drone/drone-runner-docker:1
+ container_name: drone-runner
+ hostname: ci-agent
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ environment:
+ - DRONE_RPC_PROTO=https
+ - DRONE_RPC_HOST=drone.office.kh3group.com
+ - DRONE_RPC_SECRET=${DRONE_RPC_SECRET}
+ - DRONE_RUNNER_CAPACITY=2
+ - DRONE_RUNNER_NAME=droner1
+ restart: unless-stopped
+ networks:
+ - backend
+
+networks:
+ proxy:
+ external: true
+ backend:
+ external: true
diff --git a/elasticsearch/docker-compose.yml b/elasticsearch/docker-compose.yml
new file mode 100644
index 0000000..891c4b6
--- /dev/null
+++ b/elasticsearch/docker-compose.yml
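Review bot: `ci-agent` mounts `/var/run/docker.sock` read-write, so every pipeline step scheduled on this runner can drive the host Docker daemon, which is root-equivalent on the host; drone-runner-docker needs the socket, but nothing here records that trade-off or bounds it. Add `# NOTE: docker.sock gives pipelines root-equivalent control of this host; activate only trusted repositories in Drone` above the volume, and prefer a dedicated host or VM for the runner rather than the one that also runs Traefik, Vaultwarden and the databases. `DRONE_RPC_HOST=drone.office.kh3group.com` with `DRONE_RPC_PROTO=https` routes runner traffic out through the public edge although both containers share `backend`; pointing the runner at the `ci` service over the internal network would keep it off the ingress path (verify Drone accepts a plain-HTTP internal RPC address before changing it).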
@@ -0,0 +1,29 @@
+services:
+ search:
+ image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
+ container_name: elasticsearch
+ hostname: search
+ restart: always
+ environment:
+ - http.host=0.0.0.0
+ - transport.host=localhost
+ - network.host=0.0.0.0
+ - "ES_JAVA_OPTS=-Xms256m -Xmx256m"
+ deploy:
+ resources:
+ limits:
+ memory: 512m
+ networks:
+ - backend
+ volumes:
+ - /root/elasticsearch/data/es_data:/var/lib/elasticsearch/data
+ healthcheck:
+ test: ["CMD-SHELL", "curl --silent --fail localhost:9200/_cluster/health || exit 1"]
+ interval: 30s
+ timeout: 10s
+ retries: 5
+ start_period: 30s
+
+networks:
+ backend:
+ external: true
diff --git a/gitea/Dockerfile b/gitea/Dockerfile
new file mode 100644
index 0000000..5d08b8b
--- /dev/null
+++ b/gitea/Dockerfile
@@ -0,0 +1,4 @@
+FROM alpine/git:latest
+WORKDIR /git
+VOLUME /git/notebook.git
+CMD ["init", "--bare", "notebook.git"]
diff --git a/gitea/docker-compose.yml b/gitea/docker-compose.yml
new file mode 100644
index 0000000..a966615
--- /dev/null
+++ b/gitea/docker-compose.yml
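Review bot: The bind mount targets `/var/lib/elasticsearch/data`, but the official Elasticsearch image keeps its indices under `/usr/share/elasticsearch/data` (its default `path.data`), so the host directory most likely receives nothing and the Graylog indices live in the container's writable layer, to be lost when the container is recreated — verify against the image's `path.data` and change the line to `- /root/elasticsearch/data/es_data:/usr/share/elasticsearch/data`. `elasticsearch-oss:7.10.2` is the last OSS release and ships no authentication at all, so membership of the `backend` network is the only access control on the cluster; add `# no auth on the OSS image: backend network membership is the only access control` so that nobody later publishes `9200` or adds a service to `backend` without noticing.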
@@ -0,0 +1,35 @@
+version: "3"
+
+services:
+ gitbox:
+ image: gitea/gitea:latest
+ container_name: gitea
+ hostname: gitbox
+ restart: unless-stopped
+ volumes:
+ - /root/gitea/data:/data
+ - /etc/timezone:/etc/timezone:ro
+ - /etc/localtime:/etc/localtime:ro
+ networks:
+ - backend
+ - proxy
+ ports:
+ - "2222:22"
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.gitbox.entrypoints=http"
+ - "traefik.http.routers.gitbox.rule=Host(`git.office.kh3group.com`)"
+ - "traefik.http.middlewares.gitbox-https-redirect.redirectscheme.scheme=https"
+ - "traefik.http.routers.gitbox.middlewares=gitbox-https-redirect"
+ - "traefik.http.routers.gitbox-secure.entrypoints=https"
+ - "traefik.http.routers.gitbox-secure.rule=Host(`git.office.kh3group.com`)||Host(`git.kh3group.com`)"
+ - "traefik.http.routers.gitbox-secure.tls=true"
+ - "traefik.http.routers.gitbox-secure.service=gitbox"
+ - "traefik.http.services.gitbox.loadbalancer.server.port=3000"
+ - "traefik.docker.network=proxy"
+
+networks:
+ backend:
+ external: true
+ proxy:
+ external: true
diff --git a/graylog/.env b/graylog/.env
new file mode 100644
index 0000000..3198090
--- /dev/null
+++ b/graylog/.env
@@ -0,0 +1,4 @@
+GRAYLOG_PASSWORD_SECRET="9MpRZ75yyhNZkCycJj6tL4CcCej9yK8oP7o6KynnGxQhyEbAvYUM9Jv7BkSKYF7M"
+GRAYLOG_ROOT_PASSWORD_SHA2="90ecc336d6200b1389eb49c4b557ee42892345c2f727453ae82c96e6de94098e"
+
+
diff --git a/graylog/docker-compose.yml b/graylog/docker-compose.yml
new file mode 100644
index 0000000..b1d90d0
--- /dev/null
+++ b/graylog/docker-compose.yml
@@ -0,0 +1,72 @@
+version: '3'
+
+services:
+ logs:
+ image: graylog/graylog:5.0
+ container_name: graylog
+ hostname: logs
+ entrypoint: "/usr/bin/tini -- wait-for-it search:9200 -- /docker-entrypoint.sh"
+ volumes:
+ - /root/graylog/data/graylog_data:/usr/share/graylog/data/data
+ - /root/graylog/data/graylog_journal:/usr/share/graylog/data/journal
+ networks:
+ - proxy
+ - backend
+ restart: unless-stopped
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.logs.entrypoints=http"
+ - "traefik.http.routers.logs.rule=Host(`logs.office.kh3group.com`)"
+ - "traefik.http.middlewares.logs-https-redirect.redirectscheme.scheme=https"
+ - "traefik.http.routers.logs.middlewares=logs-https-redirect"
+ - "traefik.http.routers.logs-secure.entrypoints=https"
+ - "traefik.http.routers.logs-secure.rule=Host(`logs.office.kh3group.com`)||Host(`logs.kh3group.com`)"
+ - "traefik.http.routers.logs-secure.tls=true"
+ - "traefik.http.routers.logs-secure.service=logs"
+ - "traefik.http.services.logs.loadbalancer.server.port=9000"
+ - "traefik.docker.network=proxy"
+ environment:
+ - GRAYLOG_PASSWORD_SECRET=${GRAYLOG_PASSWORD_SECRET}
+ - GRAYLOG_ROOT_PASSWORD_SHA2=${GRAYLOG_ROOT_PASSWORD_SHA2}
+ - GRAYLOG_HTTP_BIND_ADDRESS=0.0.0.0:9000
+ - GRAYLOG_HTTP_EXTERNAL_URI=http://logs.office.kh3group.com/
+ - GRAYLOG_ELASTICSEARCH_HOSTS=http://search:9200
+ - GRAYLOG_MONGODB_URI=mongodb://nosqldb:27017/graylog
+ - GRAYLOG_ROOT_TIMEZONE=Africa/Accra
+ healthcheck:
+ test: [ "CMD", "curl", "-f", "http://127.0.0.1:9000" ]
+ interval: 30s
+ timeout: 10s
+ retries: 5
+ start_period: 30s
+ ports:
+ - "5044:5044/tcp" # Beats
+ - "5140:5140/udp" # Syslog
+ - "5140:5140/tcp" # Syslog
+ - "5141:5141/udp" # Syslog 2
+ - "5141:5141/tcp" # Syslog 2
+ - "5142:5142/udp" # Syslog 3
+ - "5142:5142/tcp" # Syslog 3
+ - "5143:5143/udp" # Syslog 4
+ - "5143:5143/tcp" # Syslog 4
+ - "5144:5144/udp" # Syslog 5
+ - "5144:5144/tcp" # Syslog 5
+ - "5145:5145/udp" # Syslog 6
+ - "5145:5145/tcp" # Syslog 6
+ - "5146:5146/udp" # Syslog 7
+ - "5146:5146/tcp" # Syslog 7
+ - "5555:5555/tcp" # RAW TCP
+ - "5555:5555/udp" # RAW TCP
+ - "9000:9000/tcp" # Server API
+ - "12201:12201/tcp" # GELF TCP
+ - "12201:12201/udp" # GELF UDP
+ #- "10000:10000/tcp" # Custom TCP port
+ #- "10000:10000/udp" # Custom UDP port
+ - "13301:13301/tcp" # Forwarder data
+ - "13302:13302/tcp" # Forwarder config
+
+networks:
+ backend:
+ external: true
+ proxy:
+ external: true
diff --git a/mariadb/.env b/mariadb/.env
new file mode 100644
index 0000000..468f493
--- /dev/null
+++ b/mariadb/.env
@@ -0,0 +1,5 @@
+# Mysql Parameters
+ MYSQL_ROOT_PASSWORD = pass@w0rd1
+ MYSQL_DATABASE = snipeit
+ MYSQL_USER = snipeit
+ MYSQL_PASSWORD = pass@w0rd1
diff --git a/mariadb/docker-compose.yml b/mariadb/docker-compose.yml
new file mode 100644
index 0000000..83264eb
--- /dev/null
+++ b/mariadb/docker-compose.yml
@@ -0,0 +1,17 @@
+version: "3"
+
+services:
+ db:
+ image: mariadb:10.5
+ container_name: mariadb
+ hostname: ims
+ restart: always
+ volumes:
+ - /root/mariadb/data:/var/lib/mysql
+ env_file: .env
+ networks:
+ - backend
+
+networks:
+ backend:
+ external: true
diff --git a/mongodb/docker-compose.yml b/mongodb/docker-compose.yml
new file mode 100644
index 0000000..597eab4
--- /dev/null
+++ b/mongodb/docker-compose.yml
@@ -0,0 +1,22 @@
+version: '3'
+
+services:
+ nosqldb:
+ image: mongo:5
+ container_name: mongodb
+ hostname: nosqldb
+ restart: always
+ networks:
+ - backend
+ volumes:
+ - /root/mongodb/data/mongo_data:/data/db
+ healthcheck:
+ test: ["CMD-SHELL", "echo 'db.stats().ok' | mongo localhost:27017/test --quiet"]
+ interval: 30s
+ timeout: 10s
+ retries: 5
+ start_period: 30s
+
+networks:
+ backend:
+ external: true
diff --git a/nginx/docker-compose.yml b/nginx/docker-compose.yml
new file mode 100644
index 0000000..240ca6c
--- /dev/null
+++ b/nginx/docker-compose.yml
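Review bot: `GRAYLOG_HTTP_EXTERNAL_URI=http://logs.office.kh3group.com/` uses plain http while Traefik serves the UI on `https` and redirects the `http` entrypoint, so the URLs Graylog hands to the browser point back through the redirect and may produce mixed-content or bouncer round trips; change it to `- GRAYLOG_HTTP_EXTERNAL_URI=https://logs.office.kh3group.com/`. The `"9000:9000/tcp" # Server API` mapping publishes the web interface and REST API directly on the host, which bypasses the TLS termination and the CrowdSec bouncer that the Traefik labels set up; either drop that mapping (Traefik reaches the container on `proxy`) or bind it to the loopback as `"127.0.0.1:9000:9000/tcp"`. The syslog and GELF inputs are likewise bound on all host interfaces, which is reasonable for a log collector but worth a one-line comment stating which networks are expected to reach them.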
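Review bot: The entries are written `MYSQL_ROOT_PASSWORD = pass@w0rd1`, with a leading space and whitespace around `=`; Compose's `env_file` parser has not treated that consistently across versions, so the container could receive a key or value with stray spaces, and MariaDB refuses to initialise without a root password. Write them in the plain form `MYSQL_ROOT_PASSWORD=<value>` with no surrounding whitespace. The root password and the application user's password are identical and both are now in git history; rotate them, give `snipeit` its own credential, and keep this file out of the repository.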
@@ -0,0 +1,28 @@
+version: '3'
+
+services:
+ docs:
+ image: nginx:stable-alpine-slim
+ container_name: nginx
+ hostname: docs
+ restart: always
+ volumes:
+ - /root/nginx/data/mkdocs/site:/usr/share/nginx/html:ro
+ networks:
+ - proxy
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.docs.entrypoints=http"
+ - "traefik.http.routers.docs.rule=Host(`docs.office.kh3group.com`)"
+ - "traefik.http.middlewares.docs-https-redirect.redirectscheme.scheme=https"
+ - "traefik.http.routers.docs.middlewares=docs-https-redirect"
+ - "traefik.http.routers.docs-secure.entrypoints=https"
+ - "traefik.http.routers.docs-secure.rule=Host(`docs.office.kh3group.com`)||Host(`docs.kh3group.com`)"
+ - "traefik.http.routers.docs-secure.tls=true"
+ - "traefik.http.routers.docs-secure.service=docs"
+ - "traefik.http.services.docs.loadbalancer.server.port=80"
+ - "traefik.docker.network=proxy"
+
+networks:
+ proxy:
+ external: true
diff --git a/portainer/docker-compose.yml b/portainer/docker-compose.yml
new file mode 100644
index 0000000..91e6c3e
--- /dev/null
+++ b/portainer/docker-compose.yml
@@ -0,0 +1,31 @@
+version: '3'
+
+services:
+ mgmt:
+ image: portainer/portainer-ce:2.15.0-alpine
+ container_name: portainer
+ hostname: mgmt
+ restart: unless-stopped
+ security_opt:
+ - no-new-privileges:true
+ networks:
+ - proxy
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ - /root/portainer/data:/data
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.portainer.entrypoints=http"
+ - "traefik.http.routers.portainer.rule=Host(`mgmt.office.kh3group.com`)"
+ - "traefik.http.middlewares.portainer-https-redirect.redirectscheme.scheme=https"
+ - "traefik.http.routers.portainer.middlewares=portainer-https-redirect"
+ - "traefik.http.routers.portainer-secure.rule=Host(`mgmt.office.kh3group.com`)||Host(`mgmt.kh3group.com`)"
+ - "traefik.http.routers.portainer-secure.tls=true"
+ - "traefik.http.routers.portainer-secure.service=portainer"
+ - "traefik.http.services.portainer.loadbalancer.server.port=9000"
+ - "traefik.docker.network=proxy"
+ - "com.github.SnowMB.traefik-certificate-extractor.restart_domain=office.kh3group.com"
+networks:
+ proxy:
+ external: true
diff --git a/traefik/.env b/traefik/.env
new file mode 100644
index 0000000..13ad42c
--- /dev/null
+++ b/traefik/.env
@@ -0,0 +1,3 @@
+EMAIL=signup@kh3group.com
+API_KEY=a392c6b70da6daeadb76879dad6d3ba1b4951
+
diff --git a/traefik/data/config.yml b/traefik/data/config.yml
new file mode 100644
index 0000000..5ca49e9
--- /dev/null
+++ b/traefik/data/config.yml
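Review bot: `API_KEY` is consumed as `CF_API_KEY` in traefik/docker-compose.yml, i.e. the Cloudflare Global API Key, which controls the entire account rather than the single DNS zone the ACME DNS challenge needs, and it is committed here in clear text. Rotate the key in the Cloudflare dashboard, then replace it with a scoped API token limited to DNS edit on the one zone and pass that as `CF_DNS_API_TOKEN` instead (the account e-mail is then not needed by the resolver). Keep this file untracked, which the `.gitignore` in this commit does not currently achieve.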
@@ -0,0 +1,186 @@
+http:
+ #region routers
+ routers:
+ pve01:
+ entryPoints:
+ - "http"
+ - "https"
+ rule: "Host(`pve01.office.kh3group.com`)"
+ middlewares:
+ - default-headers
+ tls: {}
+ service: pve01
+ pve02:
+ entryPoints:
+ - "https"
+ rule: "Host(`pve02.office.kh3group.com`)"
+ middlewares:
+ - default-headers
+ tls: {}
+ service: pve02
+ pve03:
+ entryPoints:
+ - "https"
+ rule: "Host(`pve03.office.kh3group.com`)"
+ middlewares:
+ - default-headers
+ tls: {}
+ service: pve03
+ pihole:
+ entryPoints:
+ - "https"
+ rule: "Host(`dns.office.kh3group.com`) || Host(`dns.kh3group.com`) "
+ middlewares:
+ - default-headers
+ - addprefix-pihole
+ tls: {}
+ service: pihole
+ pfsense:
+ entryPoints:
+ - "https"
+ rule: "Host(`firewall.office.kh3group.com`)"
+ middlewares:
+ - default-headers
+ tls: {}
+ service: pfsense
+ mysite:
+ entryPoints:
+ - "https"
+ rule: "Host(`my.office.kh3group.com`)"
+ middlewares:
+ - default-headers
+ tls: {}
+ service: mysite
+ portal:
+ entryPoints:
+ - "https"
+ rule: "Host(`portal.office.kh3group.com`)"
+ middlewares:
+ - default-headers
+ tls: {}
+ service: portal
+ printer:
+ entryPoints:
+ - "https"
+ rule: "Host(`printer.office.kh3group.com`)"
+ middlewares:
+ - default-headers
+ # - prefix-printer
+ tls: {}
+ service: printer
+#endregion
+#region services
+ services:
+ pve01:
+ loadBalancer:
+ servers:
+ - url: "https://192.168.2.3:8006"
+ passHostHeader: true
+ pve02:
+ loadBalancer:
+ servers:
+ - url: "https://192.168.2.10:8006"
+ passHostHeader: true
+ pve03:
+ loadBalancer:
+ servers:
+ - url: "https://192.168.100.60:8006"
+ passHostHeader: true
+ pihole:
+ loadBalancer:
+ servers:
+ - url: "http://192.168.2.2:80"
+ passHostHeader: true
+ pfsense:
+ loadBalancer:
+ servers:
+ - url: "https://192.168.100.1:443"
+ passHostHeader: true
+ mysite:
+ loadBalancer:
+ serversTransport: sptransport
+ servers:
+ - url: "http://192.168.2.34:80"
+ passHostHeader: true
+ portal:
+ loadBalancer:
+ serversTransport: sptransport
+ servers:
+ - url: "http://192.168.2.33:80"
+ passHostHeader: true
+ printer:
+ loadBalancer:
+ servers:
+ - url: "https://192.168.100.100"
+ passHostHeader: true
+#endregion
+ serversTransports:
+ sptransport:
+ disableHTTP2: true
+
+ middlewares:
+ addprefix-pihole:
+ addPrefix:
+ prefix: "/admin"
+ https-redirect:
+ redirectScheme:
+ scheme: https
+ prefix-printer:
+ addPrefix:
+ prefix: "/main"
+
+ default-headers:
+ headers:
+ frameDeny: true
+ sslRedirect: true
+ browserXssFilter: true
+ contentTypeNosniff: true
+ forceSTSHeader: true
+ stsIncludeSubdomains: true
+ stsPreload: true
+ stsSeconds: 15552000
+ customFrameOptionsValue: SAMEORIGIN
+ customRequestHeaders:
+ X-Forwarded-Proto: https
+
+ idrac:
+ headers:
+ frameDeny: true
+ sslRedirect: true
+ browserXssFilter: true
+ forceSTSHeader: true
+ stsIncludeSubdomains: true
+ stsSeconds: 15552000
+ customFrameOptionsValue: SAMEORIGIN
+ customRequestHeaders:
+ X-Forwarded-Proto: https
+
+ default-whitelist:
+ ipWhiteList:
+ sourceRange:
+ - "10.0.0.0/8"
+ - "192.168.100.0/24"
+ - "172.16.16.0/32"
+
+ secured:
+ chain:
+ middlewares:
+ - default-whitelist
+ - default-headers
+
+ crowdsec-bouncer:
+ forwardauth:
+ address: http://bouncer-traefik:8080/api/v1/forwardAuth
+ trustForwardHeader: true
+
+#tcp:
+# routers:
+# mysites:
+# rule: "HostSNI(`my.office.kh3group.com`)"
+# tls: {}
+# service: mysites
+# services:
+# mysites:
+# loadBalancer:
+# servers:
+# - address: "192.168.2.34:80"
diff --git a/traefik/data/traefik.yml b/traefik/data/traefik.yml
new file mode 100644
index 0000000..5cda4d7
--- /dev/null
+++ b/traefik/data/traefik.yml
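Review bot: `default-whitelist` contains `"172.16.16.0/32"`, which admits exactly one address, and the `.0` network address at that, so it almost certainly matches neither the host nor the subnet that was intended (the neighbouring entries are whole ranges, `/24` looks likely) — confirm the intended range. The `secured` chain that wraps this allowlist is never referenced, and all eight routers above, including `pfsense` and the three Proxmox hosts, carry only `default-headers`, so those management interfaces are reachable from any source the CrowdSec bouncer lets through. Add `- secured` (or `- default-whitelist`) to the `middlewares` list of the infrastructure routers, or document why they are intentionally open to the internet.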
@@ -0,0 +1,42 @@
+api:
+ dashboard: true
+ debug: true
+entryPoints:
+ http:
+ address: ":80"
+ http:
+ redirections:
+ entryPoint:
+ to: https
+ scheme: https
+ permanent: true
+ middlewares:
+ - crowdsec-bouncer@file
+ https:
+ address: ":443"
+ http:
+ middlewares:
+ - crowdsec-bouncer@file
+serversTransport:
+ insecureSkipVerify: true
+providers:
+ docker:
+ endpoint: "unix:///var/run/docker.sock"
+ exposedByDefault: false
+ file:
+ filename: /config.yml
+certificatesResolvers:
+ cloudflare:
+ acme:
+ email: signup@kh3group.com
+ storage: acme.json
+ dnsChallenge:
+ provider: cloudflare
+ resolvers:
+ - "1.1.1.1:53"
+ - "1.0.0.1:53"
+log:
+ level: "INFO"
+ filepath: "/var/log/traefik/traefik.log"
+accessLog:
+ filepath: "/var/log/traefik/access.log"
diff --git a/traefik/docker-compose.yml b/traefik/docker-compose.yml
new file mode 100644
index 0000000..56e49ff
--- /dev/null
+++ b/traefik/docker-compose.yml
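Review bot: `serversTransport.insecureSkipVerify: true` is global, so Traefik skips certificate validation for every backend it proxies, including the Docker-provider services, and a substituted upstream would go unnoticed. Only the `https://` backends with self-signed certificates in config.yml (`pve01`–`pve03`, `pfsense`, `printer`) need it; that file already declares `serversTransports`, so add `insecure-backend: { insecureSkipVerify: true }` alongside `sptransport`, set `serversTransport: insecure-backend` on those five services, and remove the global setting. `api.debug: true` turns on the debug endpoints of `api@internal`, which traefik/docker-compose.yml publishes behind basic auth only; keep `debug` off outside troubleshooting. The ACME `email` is hard-coded here although traefik/docker-compose.yml also passes it as `EMAIL`; one source would avoid the two drifting apart.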
@@ -0,0 +1,46 @@
+version: '3'
+
+services:
+ rproxy:
+ image: traefik:v2.9
+ container_name: traefik
+ hostname: rproxy
+ restart: unless-stopped
+ security_opt:
+ - no-new-privileges:true
+ networks:
+ - proxy
+ ports:
+ - 80:80
+ - 443:443
+ environment:
+ - CF_API_EMAIL=$EMAIL
+ - CF_API_KEY=$API_KEY
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ - /root/traefik/data/traefik.yml:/traefik.yml:ro
+ - /root/traefik/data/acme.json:/acme.json
+ - /root/traefik/data/config.yml:/config.yml:ro
+ - traefik-logs:/var/log/traefik
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.traefik.entrypoints=http"
+ - "traefik.http.routers.traefik.rule=Host(`traefik.office.kh3group.com`)"
+ - "traefik.http.middlewares.traefik-auth.basicauth.users=support:$$apr1$$/SnQnIjg$$kOB5lj/Au8brVdk.tsrFb/"
+ - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
+ - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
+ - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
+ - "traefik.http.routers.traefik-secure.entrypoints=https"
+ - "traefik.http.routers.traefik-secure.rule=Host(`traefik.office.kh3group.com`)||Host(`traefik.kh3group.com`)"
+ - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
+ - "traefik.http.routers.traefik-secure.tls=true"
+ - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
+ - "traefik.http.routers.traefik-secure.tls.domains[0].main=office.kh3group.com"
+ - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.office.kh3group.com"
+ - "traefik.http.routers.traefik-secure.service=api@internal"
+networks:
+ proxy:
+ external: true
+volumes:
+ traefik-logs:
diff --git a/vaultwarden/.env b/vaultwarden/.env
new file mode 100644
index 0000000..4312c49
--- /dev/null
+++ b/vaultwarden/.env
@@ -0,0 +1 @@
+ADMIN_TOKEN=AA3dZSkzngyxOpp1HPhJzbNFIEVgnZYROdbToHVXouUAlULSrkw7XEyUYHNVRYyY
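Review bot: The dashboard and `api@internal` are protected only by `traefik-auth`, and its `$$apr1$$` (MD5-crypt) password hash is committed in the label, so anyone with repository access can attempt offline guessing against it. Move the credential out of the compose file with `traefik.http.middlewares.traefik-auth.basicauth.usersfile=/auth/users` (mounted from outside the repo), regenerate it as a bcrypt hash (`htpasswd -B`), and chain `default-whitelist@file` onto `traefik-secure` so the dashboard is reachable only from the allowlisted ranges. `acme.json` is bind-mounted read-write and Traefik refuses to start when its mode is wider than 600; add `# acme.json must be chmod 600 on the host or Traefik will refuse to start` above that volume. The `sslheader` middleware is declared but never attached to a router and can be dropped.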
diff --git a/vaultwarden/docker-compose.yml b/vaultwarden/docker-compose.yml
new file mode 100644
index 0000000..96463ac
--- /dev/null
+++ b/vaultwarden/docker-compose.yml
@@ -0,0 +1,50 @@
+version: "3"
+
+services:
+ pass:
+ image: vaultwarden/server
+ container_name: vaultwarden
+ hostname: pass
+ restart: unless-stopped
+ volumes:
+ - /root/vaultwarden/data:/data
+ environment:
+ - WEBSOCKET_ENABLED=true
+ - WEB_VAULT_ENABLED=true
+ - DOMAIN=http://pass.office.kh3group.com
+ - SIGNUPS_ALLOWED=false
+ - SIGNUPS_DOMAINS_WHITELIST=kh3group.com,office.kh3group.com
+ # Comment admin token to disable admin interface
+ - ADMIN_TOKEN=${ADMIN_TOKEN}
+ - SMTP_HOST=smtp.gmail.com
+ - SMTP_FROM=alerts@kh3group.com
+ - SMTP_PORT=587
+ - SMTP_SSL=true
+ - SMTP_USERNAME=alerts@kh3group.com
+ - SMTP_PASSWORD=anruflwtglalnjto
+ networks:
+ - proxy
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.vaultwarden.entrypoints=http"
+ - "traefik.http.routers.vaultwarden.rule=Host(`pass.office.kh3group.com`)"
+ - "traefik.http.middlewares.vaultwarden-https-redirect.redirectscheme.scheme=https"
+ - "traefik.http.routers.vaultwarden.middlewares=vaultwarden-https-redirect"
+ - "traefik.http.routers.vaultwarden-secure.entrypoints=https"
+ - "traefik.http.routers.vaultwarden-secure.rule=Host(`pass.office.kh3group.com`)||Host(`pass.kh3group.com`)"
+ - "traefik.http.routers.vaultwarden-secure.tls=true"
+ - "traefik.http.routers.vaultwarden-secure.service=vaultwarden"
+ - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
+ - "traefik.docker.network=proxy"
+ # Watchtower Update
+ - "com.centurylinklabs.watchtower.enable=true"
+ # Ip filtering
+ #- "traefik.http.routers.bitwarden.middlewares=whitelist@file"
+ logging:
+ driver: "syslog"
+ options:
+ tag: "Bitwarden"
+
+networks:
+ proxy:
+ external: true
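Review bot: `DOMAIN=http://pass.office.kh3group.com` declares a plain-http origin while the service is only reachable through the `https` router, and Vaultwarden uses `DOMAIN` as the origin for WebAuthn and for the links it puts in e-mails, so passkeys and invitation links will be generated for the wrong scheme; set `- DOMAIN=https://pass.office.kh3group.com`. `SMTP_PASSWORD` is a literal in the compose file rather than a reference into the env file like `ADMIN_TOKEN`; rotate that mailbox credential and reference it as `- SMTP_PASSWORD=${SMTP_PASSWORD}`. `SMTP_SSL=true` with port 587 relies on a setting newer Vaultwarden releases have replaced with `SMTP_SECURITY=starttls`, which matters here because the image is untagged and Watchtower auto-updates it, so behaviour can change under the running instance — pin the tag and update deliberately. The commented `bitwarden.middlewares=whitelist@file` line names a router and middleware that do not exist in this commit (`vaultwarden-secure`, `default-whitelist`), so it cannot simply be uncommented.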