Merge branch 'master'
38e3c16de5
24 changed files with 752 additions and 0 deletions
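--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,35 @@
+docker-compose.yml.save
+docker-compose.yml.save.1
+.bash_history
+.bashrc
+.docker/
+/root/.env
+.env-mysql
+.local/
+.profile
+.python_history
+.selected_editor
+.ssh/
+.wget-hsts
+cert-export/
+backup-yml-snippets/
+snipeit/
+pwm/
+docker-setup.sh/
+snipeit/
+uptime-kuma/
+vikunja/
+drone/data/
+elasticsearch/data/
+gitea/data/
+elasticsearch/data/
+graylog/data/
+mariadb/data/
+mongodb/data/
+nginx/data/
+portainer/data/
+portainer/portainer-backup/
+traefik/data/acme.json
+traefik/data/acme.json.bak
+traefik/data/certs/
+vaultwarden/data/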
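Review bot: The ignore list covers `/root/.env` and `.env-mysql` but not the per-service env files, and this same commit adds drone/.env, graylog/.env, mariadb/.env, traefik/.env and vaultwarden/.env containing live credentials (Gitea OAuth client secret, Drone RPC secret, Graylog password secret, MariaDB passwords, Cloudflare API key, Vaultwarden admin token). Add `**/.env` here, remove those files from the index and from history, and treat every committed value as exposed and rotate it; this note covers the five .env sections below. `snipeit/` and `elasticsearch/data/` are listed twice, and `docker-setup.sh/` with its trailing slash matches a directory rather than the script committed in this same change.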
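--- a/adminer/docker-compose.yml
+++ b/adminer/docker-compose.yml
@@ -0,0 +1,28 @@
+version: "3"
+
+services:
+  dbgui:
+    image: adminer:4
+    container_name: adminer
+    hostname: dbgui
+    restart: always
+    networks:
+      - proxy
+      - backend
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.adminer.entrypoints=http"
+      - "traefik.http.routers.adminer.rule=Host(`db.office.kh3group.com`)"
+      - "traefik.http.middlewares.adminer-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.routers.adminer.middlewares=adminer-https-redirect"
+      - "traefik.http.routers.adminer-secure.rule=Host(`db.office.kh3group.com`)"
+      - "traefik.http.routers.adminer-secure.tls=true"
+      - "traefik.http.routers.adminer-secure.service=adminer"
+      - "traefik.http.services.adminer.loadbalancer.server.port=8080"
+      - "traefik.docker.network=proxy"
+
+networks:
+  proxy:
+    external: true
+  backend:
+    external: true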
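Review bot: The `adminer-secure` router never sets `traefik.http.routers.adminer-secure.entrypoints=https`, unlike every other `-secure` router in this commit (drone, gitea, graylog, nginx, traefik, vaultwarden); a Traefik router with no entrypoints is attached to all of them, so add `- "traefik.http.routers.adminer-secure.entrypoints=https"`. The same label is missing from `portainer-secure` in portainer/docker-compose.yml. Adminer is a database administration UI on `db.office.kh3group.com` with only its own login form in front, and the `secured@file` chain (IP allowlist plus headers) defined in traefik/data/config.yml is unused anywhere; attaching it here with `- "traefik.http.routers.adminer-secure.middlewares=secured@file"` keeps the UI off the open internet.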
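--- a/crowdsec/Dockerfile
+++ b/crowdsec/Dockerfile
@@ -0,0 +1,2 @@
+FROM metabase/metabase
+RUN mkdir /data/ && wget https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/metabase_sqlite.zip && unzip metabase_sqlite.zip -d /data/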
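Review bot: The `RUN` line downloads `metabase_sqlite.zip` and unzips it straight into `/data/` with no integrity check, and `FROM metabase/metabase` carries no tag, so the resulting image depends on whatever the registry and the S3 bucket serve at build time. Pin the base image (`FROM metabase/metabase:<version>`, value to be chosen) and verify the archive before extracting, e.g. `echo "<expected-sha256>  metabase_sqlite.zip" | sha256sum -c -` between the `wget` and the `unzip`, with the digest taken from a trusted source. The file sits under crowdsec/ but builds a Metabase image; a header such as `# Metabase dashboard image for the CrowdSec SQLite database` would make that clear.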
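--- a/crowdsec/data/config/acquis.yaml
+++ b/crowdsec/data/config/acquis.yaml
@@ -0,0 +1,4 @@
+filenames:
+  - /var/log/traefik/*
+labels:
+  type: traefik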
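Review bot: `- /var/log/traefik/*` also matches `traefik.log`, which traefik/data/traefik.yml writes as the application log, while `type: traefik` is meant for access-log lines (traefik.yml writes those to `access.log`). Narrow the pattern to `- /var/log/traefik/access.log` so only the access log is parsed and application-log noise is not fed to the scenarios.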
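--- a/crowdsec/docker-compose.yml
+++ b/crowdsec/docker-compose.yml
@@ -0,0 +1,38 @@
+version: '3.8'
+services:
+  guard:
+    image: crowdsecurity/crowdsec:v1.4.3
+    container_name: crowdsec
+    hostname: guard
+    environment:
+      COLLECTIONS: "crowdsecurity/linux crowdsecurity/traefik"
+    volumes:
+      - /root/crowdsec/data/config/acquis.yaml:/etc/crowdsec/acquis.yaml
+      - crowdsec-db:/var/lib/crowdsec/data/
+      - crowdsec-config:/etc/crowdsec/
+      - traefik_traefik-logs:/var/log/traefik/:ro
+    networks:
+      - proxy
+    restart: unless-stopped
+
+  bouncer-traefik:
+    image: fbonalair/traefik-crowdsec-bouncer:latest
+    container_name: bouncer-traefik
+    hostname: bouncer-traefik
+    environment:
+      CROWDSEC_BOUNCER_API_KEY: 22bae1bfe5ec4d708efc9471a665a3c1
+      CROWDSEC_AGENT_HOST: guard:8080
+    networks:
+      - proxy
+    depends_on:
+      - guard
+    restart: unless-stopped
+
+networks:
+  proxy:
+    external: true
+volumes:
+  crowdsec-db:
+  crowdsec-config:
+  traefik_traefik-logs:
+    external: true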
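Review bot: `CROWDSEC_BOUNCER_API_KEY: 22bae1bfe5ec4d708efc9471a665a3c1` is committed in plain text inside the compose file, unlike the other services in this commit that read secrets through `${VAR}`; change it to `CROWDSEC_BOUNCER_API_KEY: ${CROWDSEC_BOUNCER_API_KEY}`, keep the value in an ignored `.env`, and regenerate the key with `cscli bouncers` since the committed one must be treated as exposed. `fbonalair/traefik-crowdsec-bouncer:latest` is unpinned while `crowdsecurity/crowdsec:v1.4.3` is pinned; pin both, as this container sits in front of every HTTP entrypoint. `traefik_traefik-logs` is an external volume created by the traefik project, so this stack cannot start before traefik has been brought up once — worth a comment on that `volumes:` entry.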
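--- a/docker-setup.sh
+++ b/docker-setup.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+apt-get update
+apt-get install -y ca-certificates curl gnupg lsb-release
+mkdir -p /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
+apt-get update
+apt-get install -y docker-ce docker-ce-cli containerd.io
+curl -SL https://github.com/docker/compose/releases/download/v2.12.0/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
+ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
+chmod +x /usr/bin/docker-compose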
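Review bot: The script has no `set -euo pipefail`, so a failed `curl` for the GPG key or the compose binary is ignored and the following `apt-get`, `ln` and `chmod` steps still run; the compose download uses `curl -SL` without `-f`, so an HTTP error body would be saved as `/usr/local/bin/docker-compose` and marked executable. Add `set -euo pipefail` after the shebang, use `curl -fsSL` for both downloads, and verify the compose binary against the checksum file published with the v2.12.0 release before the `ln -s`. The binary name is hard-coded to `docker-compose-linux-x86_64` while the apt line derives the architecture from `dpkg --print-architecture`; either derive it the same way or document the x86_64 assumption in a comment.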
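--- a/drone/.env
+++ b/drone/.env
@@ -0,0 +1,3 @@
+DRONE_GITEA_CLIENT_ID=0e1dc5a7-e7c6-49a9-bfb6-0788b841cd80
+DRONE_GITEA_CLIENT_SECRET=gto_zpobgtdlqcfeha7not3qezm2yccfpahvrxpmu2smsj5gzxyepcna
+DRONE_RPC_SECRET=5d92181e9ce8ec5574a28b09d8f185d7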
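--- a/drone/docker-compose.yml
+++ b/drone/docker-compose.yml
@@ -0,0 +1,56 @@
+version: '3'
+
+services:
+  ci:
+    image: drone/drone:latest
+    container_name: drone
+    hostname: ci
+    volumes:
+      - /root/drone/data:/data
+    environment:
+      - DRONE_GITEA_SERVER=https://git.office.kh3group.com
+      - DRONE_GIT_ALWAYS_AUTH=true
+      - DRONE_GITEA_CLIENT_ID=${DRONE_GITEA_CLIENT_ID}
+      - DRONE_GITEA_CLIENT_SECRET=${DRONE_GITEA_CLIENT_SECRET}
+      - DRONE_SERVER_HOST=drone.office.kh3group.com
+      - DRONE_SERVER_PROTO=https
+      - DRONE_RPC_SECRET=${DRONE_RPC_SECRET}
+      - DRONE_USER_CREATE=username:support,admin:true
+    restart: unless-stopped
+    labels:
+      - "traefik.http.routers.drone.entrypoints=http"
+      - "traefik.http.routers.drone.rule=Host(`drone.office.kh3group.com`)"
+      - "traefik.http.middlewares.drone-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.routers.drone.middlewares=drone-https-redirect"
+      - "traefik.enable=true"
+      - "traefik.http.routers.drone-secure.entrypoints=https"
+      - "traefik.http.routers.drone-secure.rule=Host(`drone.office.kh3group.com`) || Host(`drone.kh3group.com`)"
+      - "traefik.http.routers.drone-secure.tls=true"
+      - "traefik.http.routers.drone-secure.service=drone"
+      - "traefik.http.services.drone.loadbalancer.server.port=80"
+      - "traefik.docker.network=proxy"
+    networks:
+      - proxy
+      - backend
+
+  ci-agent:
+    image: drone/drone-runner-docker:1
+    container_name: drone-runner
+    hostname: ci-agent
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      - DRONE_RPC_PROTO=https
+      - DRONE_RPC_HOST=drone.office.kh3group.com
+      - DRONE_RPC_SECRET=${DRONE_RPC_SECRET}
+      - DRONE_RUNNER_CAPACITY=2
+      - DRONE_RUNNER_NAME=droner1
+    restart: unless-stopped
+    networks:
+      - backend
+
+networks:
+  proxy:
+    external: true
+  backend:
+    external: true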
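Review bot: `image: drone/drone:latest` is unpinned while the runner is pinned to `drone/drone-runner-docker:1`; pin the server to a release tag so the two cannot drift apart on the next pull. The `ci-agent` volume `/var/run/docker.sock:/var/run/docker.sock` hands the runner, and every pipeline it executes, control of the host Docker daemon; that is how drone-runner-docker works, but the trust boundary should be recorded on that line, e.g. `# daemon socket: any repository allowed to run pipelines here can reach the host`. The runner is only on `backend` and dials `DRONE_RPC_HOST=drone.office.kh3group.com` over https, so it depends on the public name resolving back through Traefik instead of reaching `ci` directly on the shared network — a comment stating that this is intentional would help.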
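--- a/elasticsearch/docker-compose.yml
+++ b/elasticsearch/docker-compose.yml
@@ -0,0 +1,29 @@
+services:
+  search:
+    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
+    container_name: elasticsearch
+    hostname: search
+    restart: always
+    environment:
+      - http.host=0.0.0.0
+      - transport.host=localhost
+      - network.host=0.0.0.0
+      - "ES_JAVA_OPTS=-Xms256m -Xmx256m"
+    deploy:
+      resources:
+        limits:
+          memory: 512m
+    networks:
+      - backend
+    volumes:
+      - /root/elasticsearch/data/es_data:/var/lib/elasticsearch/data
+    healthcheck:
+      test: ["CMD-SHELL", "curl --silent --fail localhost:9200/_cluster/health || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+      start_period: 30s
+
+networks:
+  backend:
+    external: true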
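Review bot: The bind mount `/root/elasticsearch/data/es_data:/var/lib/elasticsearch/data` targets the Debian-package data path, but the official `docker.elastic.co` image keeps its data under `/usr/share/elasticsearch/data`, so the indices presumably live only in the container's writable layer and vanish when the container is recreated; change the target to `/usr/share/elasticsearch/data` (and make sure the host directory is writable by the image's elasticsearch uid). `deploy.resources.limits.memory` is honoured by Compose v2 but ignored by Compose v1 unless run with `--compatibility`; if v1 is in use, `mem_limit: 512m` is the portable form. `elasticsearch-oss:7.10.2` is the final OSS release and no longer receives fixes; if the pin is deliberate (presumably for Graylog compatibility), say so in a comment on the `image:` line.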
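--- a/gitea/Dockerfile
+++ b/gitea/Dockerfile
@@ -0,0 +1,4 @@
+FROM alpine/git:latest
+WORKDIR /git
+VOLUME /git/notebook.git
+CMD ["init", "--bare", "notebook.git"]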
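Review bot: `FROM alpine/git:latest` is unpinned, so the image that initialises `notebook.git` changes whenever upstream pushes; pin a tag. Nothing in gitea/docker-compose.yml references this Dockerfile, so a one-line header such as `# One-shot image that creates a bare notebook.git repository in the /git volume` would tell the next reader what it is for and where it is built.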
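--- a/gitea/docker-compose.yml
+++ b/gitea/docker-compose.yml
@@ -0,0 +1,35 @@
+version: "3"
+
+services:
+  gitbox:
+    image: gitea/gitea:latest
+    container_name: gitea
+    hostname: gitbox
+    restart: unless-stopped
+    volumes:
+      - /root/gitea/data:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    networks:
+      - backend
+      - proxy
+    ports:
+      - "2222:22"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.gitbox.entrypoints=http"
+      - "traefik.http.routers.gitbox.rule=Host(`git.office.kh3group.com`)"
+      - "traefik.http.middlewares.gitbox-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.routers.gitbox.middlewares=gitbox-https-redirect"
+      - "traefik.http.routers.gitbox-secure.entrypoints=https"
+      - "traefik.http.routers.gitbox-secure.rule=Host(`git.office.kh3group.com`)||Host(`git.kh3group.com`)"
+      - "traefik.http.routers.gitbox-secure.tls=true"
+      - "traefik.http.routers.gitbox-secure.service=gitbox"
+      - "traefik.http.services.gitbox.loadbalancer.server.port=3000"
+      - "traefik.docker.network=proxy"
+
+networks:
+  backend:
+    external: true
+  proxy:
+    external: true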
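Review bot: `gitea/gitea:latest` is unpinned for the service that holds the source code and the OAuth application Drone authenticates against; pin a release tag as the crowdsec and portainer files do. `ports: - "2222:22"` publishes Gitea's SSH on host port 2222, but no `GITEA__server__SSH_PORT=2222` is set, so the clone URLs Gitea displays presumably still name port 22 — confirm on the instance and set it explicitly if so. That host port also bypasses the CrowdSec bouncer, which only sits on Traefik's HTTP entrypoints; a comment on the `ports:` entry noting that SSH is exposed directly would record that.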
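--- a/graylog/.env
+++ b/graylog/.env
@@ -0,0 +1,4 @@
+GRAYLOG_PASSWORD_SECRET="9MpRZ75yyhNZkCycJj6tL4CcCej9yK8oP7o6KynnGxQhyEbAvYUM9Jv7BkSKYF7M"
+GRAYLOG_ROOT_PASSWORD_SHA2="90ecc336d6200b1389eb49c4b557ee42892345c2f727453ae82c96e6de94098e"
+
+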
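Review bot: Both values are wrapped in double quotes, and whether the quotes end up inside the value depends on which Compose reads the file (Compose v1's env-file rules kept quotation marks as part of the value; v2 strips them); `GRAYLOG_ROOT_PASSWORD_SHA2` has to match byte-for-byte, so write the entries unquoted, e.g. `GRAYLOG_ROOT_PASSWORD_SHA2=<hex>`, so both versions behave the same. The two trailing blank lines can go.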
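--- a/graylog/docker-compose.yml
+++ b/graylog/docker-compose.yml
@@ -0,0 +1,72 @@
+version: '3'
+
+services:
+  logs:
+    image: graylog/graylog:5.0
+    container_name: graylog
+    hostname: logs
+    entrypoint: "/usr/bin/tini -- wait-for-it search:9200 -- /docker-entrypoint.sh"
+    volumes:
+      - /root/graylog/data/graylog_data:/usr/share/graylog/data/data
+      - /root/graylog/data/graylog_journal:/usr/share/graylog/data/journal
+    networks:
+      - proxy
+      - backend
+    restart: unless-stopped
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.logs.entrypoints=http"
+      - "traefik.http.routers.logs.rule=Host(`logs.office.kh3group.com`)"
+      - "traefik.http.middlewares.logs-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.routers.logs.middlewares=logs-https-redirect"
+      - "traefik.http.routers.logs-secure.entrypoints=https"
+      - "traefik.http.routers.logs-secure.rule=Host(`logs.office.kh3group.com`)||Host(`logs.kh3group.com`)"
+      - "traefik.http.routers.logs-secure.tls=true"
+      - "traefik.http.routers.logs-secure.service=logs"
+      - "traefik.http.services.logs.loadbalancer.server.port=9000"
+      - "traefik.docker.network=proxy"
+    environment:
+      - GRAYLOG_PASSWORD_SECRET=${GRAYLOG_PASSWORD_SECRET}
+      - GRAYLOG_ROOT_PASSWORD_SHA2=${GRAYLOG_ROOT_PASSWORD_SHA2}
+      - GRAYLOG_HTTP_BIND_ADDRESS=0.0.0.0:9000
+      - GRAYLOG_HTTP_EXTERNAL_URI=http://logs.office.kh3group.com/
+      - GRAYLOG_ELASTICSEARCH_HOSTS=http://search:9200
+      - GRAYLOG_MONGODB_URI=mongodb://nosqldb:27017/graylog
+      - GRAYLOG_ROOT_TIMEZONE=Africa/Accra
+    healthcheck:
+      test: [ "CMD", "curl", "-f", "http://127.0.0.1:9000" ]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+      start_period: 30s
+    ports:
+      - "5044:5044/tcp" # Beats
+      - "5140:5140/udp" # Syslog
+      - "5140:5140/tcp" # Syslog
+      - "5141:5141/udp" # Syslog 2
+      - "5141:5141/tcp" # Syslog 2
+      - "5142:5142/udp" # Syslog 3
+      - "5142:5142/tcp" # Syslog 3
+      - "5143:5143/udp" # Syslog 4
+      - "5143:5143/tcp" # Syslog 4
+      - "5144:5144/udp" # Syslog 5
+      - "5144:5144/tcp" # Syslog 5
+      - "5145:5145/udp" # Syslog 6
+      - "5145:5145/tcp" # Syslog 6
+      - "5146:5146/udp" # Syslog 7
+      - "5146:5146/tcp" # Syslog 7
+      - "5555:5555/tcp" # RAW TCP
+      - "5555:5555/udp" # RAW TCP
+      - "9000:9000/tcp" # Server API
+      - "12201:12201/tcp" # GELF TCP
+      - "12201:12201/udp" # GELF UDP
+      #- "10000:10000/tcp" # Custom TCP port
+      #- "10000:10000/udp" # Custom UDP port
+      - "13301:13301/tcp" # Forwarder data
+      - "13302:13302/tcp" # Forwarder config
+
+networks:
+  backend:
+    external: true
+  proxy:
+    external: true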
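Review bot: `GRAYLOG_HTTP_EXTERNAL_URI=http://logs.office.kh3group.com/` advertises a plain-http URL although the UI is only reachable over https (the `logs` router redirects everything to `logs-secure`); Graylog derives the web interface's API base and generated links from this value, so set `- GRAYLOG_HTTP_EXTERNAL_URI=https://logs.office.kh3group.com/`. `- "9000:9000/tcp" # Server API` publishes the web/API port directly on the host, bypassing Traefik, TLS and the CrowdSec bouncer that every other web UI in this commit sits behind; remove that entry and keep only the log-input ports published. The `entrypoint` override with `wait-for-it search:9200` relies on the elasticsearch project already running on the shared `backend` network, which `depends_on` cannot express across projects — worth a comment on that line.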
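--- a/mariadb/.env
+++ b/mariadb/.env
@@ -0,0 +1,5 @@
+# Mysql Parameters
+MYSQL_ROOT_PASSWORD = pass@w0rd1
+MYSQL_DATABASE = snipeit
+MYSQL_USER = snipeit
+MYSQL_PASSWORD = pass@w0rd1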
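Review bot: `MYSQL_ROOT_PASSWORD` and `MYSQL_PASSWORD` carry the same value, so the application account `snipeit` is as good as root for anyone who obtains it; give the two accounts distinct passwords. The entries use ` = ` with spaces around the separator, which env-file readers do not handle uniformly (the variable name or the value may keep the surrounding spaces, depending on the Compose version); write them as `MYSQL_DATABASE=snipeit` with no spaces around `=`.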
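--- a/mariadb/docker-compose.yml
+++ b/mariadb/docker-compose.yml
@@ -0,0 +1,17 @@
+version: "3"
+
+services:
+  db:
+    image: mariadb:10.5
+    container_name: mariadb
+    hostname: ims
+    restart: always
+    volumes:
+      - /root/mariadb/data:/var/lib/mysql
+    env_file: .env
+    networks:
+      - backend
+
+networks:
+  backend:
+    external: true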
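Review bot: The `db` service defines no `healthcheck`, while the elasticsearch and mongodb files in this commit do; add a comparable one, e.g. `test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]` (shipped in current `mariadb:10.5` images — confirm for the image actually pulled), so dependants and Portainer can see readiness. The database is reachable by every container on the shared external `backend` network using the credentials in `.env`; a comment on the `networks:` entry naming the intended clients (the `snipeit` database suggests Snipe-IT, which is not part of this commit) would document that exposure.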
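--- a/mongodb/docker-compose.yml
+++ b/mongodb/docker-compose.yml
@@ -0,0 +1,22 @@
+version: '3'
+
+services:
+  nosqldb:
+    image: mongo:5
+    container_name: mongodb
+    hostname: nosqldb
+    restart: always
+    networks:
+      - backend
+    volumes:
+      - /root/mongodb/data/mongo_data:/data/db
+    healthcheck:
+      test: ["CMD-SHELL", "echo 'db.stats().ok' | mongo localhost:27017/test --quiet"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+      start_period: 30s
+
+networks:
+  backend:
+    external: true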
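Review bot: `mongo:5` starts without `MONGO_INITDB_ROOT_USERNAME`/`MONGO_INITDB_ROOT_PASSWORD`, so the database that holds Graylog's users and configuration (`GRAYLOG_MONGODB_URI=mongodb://nosqldb:27017/graylog` in graylog/docker-compose.yml) accepts unauthenticated connections from every container on the shared external `backend` network — drone, gitea, adminer and mariadb in this commit alone. Enable authentication through those two variables (read from an ignored `.env`) and put the credentials into Graylog's URI. The healthcheck uses the legacy `mongo` shell, which the 5.x image still ships but 6.x removed; a comment such as `# legacy mongo shell: switch to mongosh when bumping past 5.x` will stop the pin from being raised blindly.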
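--- a/nginx/docker-compose.yml
+++ b/nginx/docker-compose.yml
@@ -0,0 +1,28 @@
+version: '3'
+
+services:
+  docs:
+    image: nginx:stable-alpine-slim
+    container_name: nginx
+    hostname: docs
+    restart: always
+    volumes:
+      - /root/nginx/data/mkdocs/site:/usr/share/nginx/html:ro
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.docs.entrypoints=http"
+      - "traefik.http.routers.docs.rule=Host(`docs.office.kh3group.com`)"
+      - "traefik.http.middlewares.docs-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.routers.docs.middlewares=docs-https-redirect"
+      - "traefik.http.routers.docs-secure.entrypoints=https"
+      - "traefik.http.routers.docs-secure.rule=Host(`docs.office.kh3group.com`)||Host(`docs.kh3group.com`)"
+      - "traefik.http.routers.docs-secure.tls=true"
+      - "traefik.http.routers.docs-secure.service=docs"
+      - "traefik.http.services.docs.loadbalancer.server.port=80"
+      - "traefik.docker.network=proxy"
+
+networks:
+  proxy:
+    external: true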
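Review bot: The `docs` service does not set `security_opt: - no-new-privileges:true`, which the portainer and traefik files in this commit apply; a container that only serves a read-only static tree is the easiest place to add it, so include it here for consistency. A comment on the volume line noting that `/root/nginx/data/mkdocs/site` is expected to be the built MkDocs output (not the sources) would help whoever populates that directory.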
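--- a/portainer/docker-compose.yml
+++ b/portainer/docker-compose.yml
@@ -0,0 +1,31 @@
+version: '3'
+
+services:
+  mgmt:
+    image: portainer/portainer-ce:2.15.0-alpine
+    container_name: portainer
+    hostname: mgmt
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    networks:
+      - proxy
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /root/portainer/data:/data
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.portainer.entrypoints=http"
+      - "traefik.http.routers.portainer.rule=Host(`mgmt.office.kh3group.com`)"
+      - "traefik.http.middlewares.portainer-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.routers.portainer.middlewares=portainer-https-redirect"
+      - "traefik.http.routers.portainer-secure.rule=Host(`mgmt.office.kh3group.com`)||Host(`mgmt.kh3group.com`)"
+      - "traefik.http.routers.portainer-secure.tls=true"
+      - "traefik.http.routers.portainer-secure.service=portainer"
+      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
+      - "traefik.docker.network=proxy"
+      - "com.github.SnowMB.traefik-certificate-extractor.restart_domain=office.kh3group.com"
+networks:
+  proxy:
+    external: true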
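Review bot: The `mgmt` service holds the Docker socket, so whoever gets past Portainer's login on `mgmt.office.kh3group.com` or the public `mgmt.kh3group.com` controls the host, yet the `portainer-secure` router applies no middleware; the `secured@file` chain (IP allowlist plus headers) in traefik/data/config.yml exists for exactly this and is unused, so add `- "traefik.http.routers.portainer-secure.middlewares=secured@file"` and drop the public hostname from the rule if it is not needed. The `com.github.SnowMB.traefik-certificate-extractor.restart_domain` label refers to a tool that appears nowhere else in this commit; a comment naming the container that consumes it would explain why it is here.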
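--- a/traefik/.env
+++ b/traefik/.env
@@ -0,0 +1,3 @@
+EMAIL=signup@kh3group.com
+API_KEY=a392c6b70da6daeadb76879dad6d3ba1b4951
+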
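--- a/traefik/data/config.yml
+++ b/traefik/data/config.yml
@@ -0,0 +1,186 @@
+http:
+  #region routers
+  routers:
+    pve01:
+      entryPoints:
+        - "http"
+        - "https"
+      rule: "Host(`pve01.office.kh3group.com`)"
+      middlewares:
+        - default-headers
+      tls: {}
+      service: pve01
+    pve02:
+      entryPoints:
+        - "https"
+      rule: "Host(`pve02.office.kh3group.com`)"
+      middlewares:
+        - default-headers
+      tls: {}
+      service: pve02
+    pve03:
+      entryPoints:
+        - "https"
+      rule: "Host(`pve03.office.kh3group.com`)"
+      middlewares:
+        - default-headers
+      tls: {}
+      service: pve03
+    pihole:
+      entryPoints:
+        - "https"
+      rule: "Host(`dns.office.kh3group.com`) || Host(`dns.kh3group.com`) "
+      middlewares:
+        - default-headers
+        - addprefix-pihole
+      tls: {}
+      service: pihole
+    pfsense:
+      entryPoints:
+        - "https"
+      rule: "Host(`firewall.office.kh3group.com`)"
+      middlewares:
+        - default-headers
+      tls: {}
+      service: pfsense
+    mysite:
+      entryPoints:
+        - "https"
+      rule: "Host(`my.office.kh3group.com`)"
+      middlewares:
+        - default-headers
+      tls: {}
+      service: mysite
+    portal:
+      entryPoints:
+        - "https"
+      rule: "Host(`portal.office.kh3group.com`)"
+      middlewares:
+        - default-headers
+      tls: {}
+      service: portal
+    printer:
+      entryPoints:
+        - "https"
+      rule: "Host(`printer.office.kh3group.com`)"
+      middlewares:
+        - default-headers
+        # - prefix-printer
+      tls: {}
+      service: printer
+  #endregion
+  #region services
+  services:
+    pve01:
+      loadBalancer:
+        servers:
+          - url: "https://192.168.2.3:8006"
+        passHostHeader: true
+    pve02:
+      loadBalancer:
+        servers:
+          - url: "https://192.168.2.10:8006"
+        passHostHeader: true
+    pve03:
+      loadBalancer:
+        servers:
+          - url: "https://192.168.100.60:8006"
+        passHostHeader: true
+    pihole:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.2.2:80"
+        passHostHeader: true
+    pfsense:
+      loadBalancer:
+        servers:
+          - url: "https://192.168.100.1:443"
+        passHostHeader: true
+    mysite:
+      loadBalancer:
+        serversTransport: sptransport
+        servers:
+          - url: "http://192.168.2.34:80"
+        passHostHeader: true
+    portal:
+      loadBalancer:
+        serversTransport: sptransport
+        servers:
+          - url: "http://192.168.2.33:80"
+        passHostHeader: true
+    printer:
+      loadBalancer:
+        servers:
+          - url: "https://192.168.100.100"
+        passHostHeader: true
+  #endregion
+  serversTransports:
+    sptransport:
+      disableHTTP2: true
+
+  middlewares:
+    addprefix-pihole:
+      addPrefix:
+        prefix: "/admin"
+    https-redirect:
+      redirectScheme:
+        scheme: https
+    prefix-printer:
+      addPrefix:
+        prefix: "/main"
+
+    default-headers:
+      headers:
+        frameDeny: true
+        sslRedirect: true
+        browserXssFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 15552000
+        customFrameOptionsValue: SAMEORIGIN
+        customRequestHeaders:
+          X-Forwarded-Proto: https
+
+    idrac:
+      headers:
+        frameDeny: true
+        sslRedirect: true
+        browserXssFilter: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsSeconds: 15552000
+        customFrameOptionsValue: SAMEORIGIN
+        customRequestHeaders:
+          X-Forwarded-Proto: https
+
+    default-whitelist:
+      ipWhiteList:
+        sourceRange:
+          - "10.0.0.0/8"
+          - "192.168.100.0/24"
+          - "172.16.16.0/32"
+
+    secured:
+      chain:
+        middlewares:
+          - default-whitelist
+          - default-headers
+
+    crowdsec-bouncer:
+      forwardauth:
+        address: http://bouncer-traefik:8080/api/v1/forwardAuth
+        trustForwardHeader: true
+
+#tcp:
+# routers:
+# mysites:
+# rule: "HostSNI(`my.office.kh3group.com`)"
+# tls: {}
+# service: mysites
+# services:
+# mysites:
+# loadBalancer:
+# servers:
+# - address: "192.168.2.34:80"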
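Review bot: The `secured` chain (`default-whitelist` allowlist plus `default-headers`) is defined but referenced by no router, while `pfsense`, `pve01`–`pve03`, `pihole` (also matched on the public `dns.kh3group.com`) and `printer` expose firewall, hypervisor and DNS administration UIs on the `https` entrypoint with only `default-headers`; change those routers' `middlewares:` to `- secured` so the allowlist applies, and drop `dns.kh3group.com` from the pihole rule unless external access is intended. `pve01` is the only router also bound to `- "http"`; traefik.yml already redirects that entrypoint to https, so remove it to match pve02/pve03. `sslRedirect: true` in `default-headers` and `idrac` is deprecated in Traefik v2 in favour of the entrypoint redirection traefik.yml configures, and `idrac`, `https-redirect` and `prefix-printer` are unreferenced; delete them or add a comment stating which dynamic config consumes them.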
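--- a/traefik/data/traefik.yml
+++ b/traefik/data/traefik.yml
@@ -0,0 +1,42 @@
+api:
+  dashboard: true
+  debug: true
+entryPoints:
+  http:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: https
+          scheme: https
+          permanent: true
+      middlewares:
+        - crowdsec-bouncer@file
+  https:
+    address: ":443"
+    http:
+      middlewares:
+        - crowdsec-bouncer@file
+serversTransport:
+  insecureSkipVerify: true
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false
+  file:
+    filename: /config.yml
+certificatesResolvers:
+  cloudflare:
+    acme:
+      email: signup@kh3group.com
+      storage: acme.json
+      dnsChallenge:
+        provider: cloudflare
+        resolvers:
+          - "1.1.1.1:53"
+          - "1.0.0.1:53"
+log:
+  level: "INFO"
+  filepath: "/var/log/traefik/traefik.log"
+accessLog:
+  filepath: "/var/log/traefik/access.log"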
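Review bot: `serversTransport: insecureSkipVerify: true` switches off upstream certificate verification for every backend Traefik proxies to, not only the self-signed internal ones; config.yml already uses a named `serversTransports` entry (`sptransport`), so move `insecureSkipVerify: true` (or better, `rootCAs` pointing at the internal CA) into a dedicated transport attached only to the `pve*`, `pfsense` and `printer` services and remove the global setting. `api: debug: true` enables the additional debug/profiling endpoints under the dashboard router; set `debug: false` unless they are actively used. `storage: acme.json` is a relative path that only resolves because the process runs with `/` as its working directory (the compose file mounts `/acme.json`); write `storage: /acme.json` to make that explicit.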
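--- a/traefik/docker-compose.yml
+++ b/traefik/docker-compose.yml
@@ -0,0 +1,46 @@
+version: '3'
+
+services:
+  rproxy:
+    image: traefik:v2.9
+    container_name: traefik
+    hostname: rproxy
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    networks:
+      - proxy
+    ports:
+      - 80:80
+      - 443:443
+    environment:
+      - CF_API_EMAIL=$EMAIL
+      - CF_API_KEY=$API_KEY
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /root/traefik/data/traefik.yml:/traefik.yml:ro
+      - /root/traefik/data/acme.json:/acme.json
+      - /root/traefik/data/config.yml:/config.yml:ro
+      - traefik-logs:/var/log/traefik
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik.entrypoints=http"
+      - "traefik.http.routers.traefik.rule=Host(`traefik.office.kh3group.com`)"
+      - "traefik.http.middlewares.traefik-auth.basicauth.users=support:$$apr1$$/SnQnIjg$$kOB5lj/Au8brVdk.tsrFb/"
+      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
+      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
+      - "traefik.http.routers.traefik-secure.entrypoints=https"
+      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.office.kh3group.com`)||Host(`traefik.kh3group.com`)"
+      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
+      - "traefik.http.routers.traefik-secure.tls=true"
+      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
+      - "traefik.http.routers.traefik-secure.tls.domains[0].main=office.kh3group.com"
+      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.office.kh3group.com"
+      - "traefik.http.routers.traefik-secure.service=api@internal"
+networks:
+  proxy:
+    external: true
+volumes:
+  traefik-logs: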
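Review bot: `CF_API_EMAIL`/`CF_API_KEY` authenticate the DNS challenge with the Cloudflare Global API Key, which controls the entire account; the cloudflare DNS provider Traefik uses also accepts `CF_DNS_API_TOKEN` (a token scoped to DNS edit on this zone), so replace the two lines with `- CF_DNS_API_TOKEN=$DNS_API_TOKEN` and retire the global key — the one in traefik/.env is committed in this change. `tls.domains[0]` requests a certificate for `office.kh3group.com` plus `*.office.kh3group.com` only, while this and the other `-secure` routers also match bare-domain names (`traefik.kh3group.com`, `drone.kh3group.com`, …); unless those are covered by a certificate obtained elsewhere they presumably receive Traefik's default certificate, so either add a `domains[1]` entry for `kh3group.com`/`*.kh3group.com` or drop those hostnames from the rules. `ports: - 80:80` / `- 443:443` should be quoted (`"80:80"`, `"443:443"`) as the other compose files in this commit do.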
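--- a/vaultwarden/.env
+++ b/vaultwarden/.env
@@ -0,0 +1 @@
+ADMIN_TOKEN=AA3dZSkzngyxOpp1HPhJzbNFIEVgnZYROdbToHVXouUAlULSrkw7XEyUYHNVRYyY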
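--- a/vaultwarden/docker-compose.yml
+++ b/vaultwarden/docker-compose.yml
@@ -0,0 +1,50 @@
+version: "3"
+
+services:
+  pass:
+    image: vaultwarden/server
+    container_name: vaultwarden
+    hostname: pass
+    restart: unless-stopped
+    volumes:
+      - /root/vaultwarden/data:/data
+    environment:
+      - WEBSOCKET_ENABLED=true
+      - WEB_VAULT_ENABLED=true
+      - DOMAIN=http://pass.office.kh3group.com
+      - SIGNUPS_ALLOWED=false
+      - SIGNUPS_DOMAINS_WHITELIST=kh3group.com,office.kh3group.com
+      # Comment admin token to disable admin interface
+      - ADMIN_TOKEN=${ADMIN_TOKEN}
+      - SMTP_HOST=smtp.gmail.com
+      - SMTP_FROM=alerts@kh3group.com
+      - SMTP_PORT=587
+      - SMTP_SSL=true
+      - SMTP_USERNAME=alerts@kh3group.com
+      - SMTP_PASSWORD=anruflwtglalnjto
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.vaultwarden.entrypoints=http"
+      - "traefik.http.routers.vaultwarden.rule=Host(`pass.office.kh3group.com`)"
+      - "traefik.http.middlewares.vaultwarden-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.routers.vaultwarden.middlewares=vaultwarden-https-redirect"
+      - "traefik.http.routers.vaultwarden-secure.entrypoints=https"
+      - "traefik.http.routers.vaultwarden-secure.rule=Host(`pass.office.kh3group.com`)||Host(`pass.kh3group.com`)"
+      - "traefik.http.routers.vaultwarden-secure.tls=true"
+      - "traefik.http.routers.vaultwarden-secure.service=vaultwarden"
+      - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
+      - "traefik.docker.network=proxy"
+      # Watchtower Update
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Ip filtering
+      #- "traefik.http.routers.bitwarden.middlewares=whitelist@file"
+    logging:
+      driver: "syslog"
+      options:
+        tag: "Bitwarden"
+
+networks:
+  proxy:
+    external: true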
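Review bot: `DOMAIN=http://pass.office.kh3group.com` tells Vaultwarden its public URL is plain http, but the service is only reached through the `vaultwarden-secure` https router; Vaultwarden builds its generated links (and, per its configuration docs, the WebAuthn origin) from this value, so set `- DOMAIN=https://pass.office.kh3group.com`. `SMTP_PASSWORD=anruflwtglalnjto` is a mail credential committed inside the compose file; move it to the ignored `.env` as `- SMTP_PASSWORD=${SMTP_PASSWORD}`, as `ADMIN_TOKEN` already is, and rotate it. `image: vaultwarden/server` has no tag, so pin one; current releases also let `ADMIN_TOKEN` hold an Argon2 PHC hash instead of the plain token — confirm the pinned version supports it before switching. The commented `whitelist@file` label refers to a middleware that does not exist in traefik/data/config.yml (the chain there is `secured`), so update or drop that comment.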