diff --git a/Popup-Homelab/.env b/Popup-Homelab/.env
new file mode 100644
index 0000000..382dcd6
--- /dev/null
+++ b/Popup-Homelab/.env
@@ -0,0 +1,60 @@ +############################################################################################################### +############################################################################################################### +# GENERAL +############################################################################################################### +############################################################################################################### +# Docker machine username +HOST_USER=ubuntu +# Where container data will be stored (note user above) +WORKING_DIR=/home/${HOST_USER}/docker +# Your domain, including TLD (e.g., jimgarage.co.uk - not just jimsgarage) +DOMAIN=jimsgarage.co.uk + +############################################################################################################### +############################################################################################################### +# TRAEFIK +############################################################################################################### +############################################################################################################### +TRAEFIK_DASHBOARD_CREDENTIALS=admin:$$2y$$05$$3A1ctqF6JF4F4Jk2UsMhnevo6DHogXKb5IrnJyz53F3xUqoWvVx.i + +############################################################################################################### +############################################################################################################### +# AUTHENTIK +############################################################################################################### +############################################################################################################### +PG_PASS=JXIwsF3fHJ2tTbqIgfXkUV/LrX1O51b3bNVTQ+Khx1BNCRWq +AUTHENTIK_SECRET_KEY=RrgGRY9hcUj/LE99uiAc7aRFZXh5GH+jUpwl2yHDQ6HD8Sv2sN+yweQ2MlWfvMNBOfklzLGEY6+PsY4a +AUTHENTIK_ERROR_REPORTING__ENABLED=true + +# SMTP Host Emails are sent to 
+AUTHENTIK_EMAIL__HOST=localhost +AUTHENTIK_EMAIL__PORT=25 +# Optionally authenticate (don't add quotation marks to your password) +AUTHENTIK_EMAIL__USERNAME= +AUTHENTIK_EMAIL__PASSWORD= +# Use StartTLS +AUTHENTIK_EMAIL__USE_TLS=false +# Use SSL +AUTHENTIK_EMAIL__USE_SSL=false +AUTHENTIK_EMAIL__TIMEOUT=10 +# Email address authentik will send from, should have a correct @domain +AUTHENTIK_EMAIL__FROM=authentik@localhost + +############################################################################################################### +############################################################################################################### +# MIROTALK +############################################################################################################### +############################################################################################################### + +# OIDC - OpenID Connect +# 1. Sign up for an account at https://auth0.com. +# 2. Navigate to https://manage.auth0.com/ to create a new application tailored to your specific requirements. +# For those seeking an open-source solution, check out: https://github.com/panva/node-oidc-provider + +OIDC_ENABLED=true # true or false +OIDC_ISSUER_BASE_URL='https://authentik.$DOMAIN/application/o/mirotalk/' +OIDC_BASE_URL='https://mirotalk.${DOMAIN}' # https://p2p.mirotalk.com +OIDC_CLIENT_ID='JQsgccwyOHsPMFiQXmCgh3tcrmdatqwJXezxx4gG' +OIDC_CLIENT_SECRET='FqXHbAxsAvCYMYTRKiKyyhuEe3M3lUrT1i9txC0powVbCebDe7NywMpH68kmZGcMlqqYZsSP8fo8BtFrebIjAW00Zp3vCNHSyAHNnTljhwx7tio0AV910y7B5MNceafh' +OIDC_AUTH_REUIRED=true # set to true if authentication is required for all routes +SESSION_SECRET='mirotalk-p2p-oidc-secret' \ No newline at end of file diff --git a/Popup-Homelab/acquis.yaml b/Popup-Homelab/acquis.yaml new file mode 100644 index 0000000..866ab5b --- /dev/null +++ b/Popup-Homelab/acquis.yaml @@ -0,0 +1,4 @@ +filenames: + - /var/log/traefik/* +labels: + type: traefik \ No newline at end of file 
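Review bot: The .env hunk commits what look like live credentials — PG_PASS, AUTHENTIK_SECRET_KEY, OIDC_CLIENT_SECRET, SESSION_SECRET and the bcrypt hash in TRAEFIK_DASHBOARD_CREDENTIALS — into a newly tracked file, and the compose file in this same commit hands that whole file to several unrelated containers via env_file. Any value that has ever been used in a running deployment should be treated as exposed and regenerated, and the committed copy should carry obvious placeholders (e.g. `PG_PASS=<generate-a-random-value>`) with the real file gitignored. Separately, `OIDC_AUTH_REUIRED=true` is misspelled and will presumably be ignored by mirotalk, leaving route-level OIDC enforcement off; it should read `OIDC_AUTH_REQUIRED=true`. The `$DOMAIN` references in OIDC_ISSUER_BASE_URL and OIDC_BASE_URL are only expanded if whatever reads the file performs variable interpolation, and when the file is bind-mounted into the container as /src/.env that is not guaranteed, so writing the full hostname is safer.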
diff --git a/Popup-Homelab/cf-token b/Popup-Homelab/cf-token
new file mode 100644
index 0000000..92d3a82
--- /dev/null
+++ b/Popup-Homelab/cf-token
@@ -0,0 +1 @@
+cf-token-here
\ No newline at end of file
diff --git a/Popup-Homelab/custom.list b/Popup-Homelab/custom.list
new file mode 100644
index 0000000..97a5681
--- /dev/null
+++ b/Popup-Homelab/custom.list
@@ -0,0 +1,2 @@
+192.168.200.118 traefik.jimsgarge.co.uk
+192.168.200.118 portainer.jimsgarge.co.uk
\ No newline at end of file
diff --git a/Popup-Homelab/docker-compose.yaml b/Popup-Homelab/docker-compose.yaml
new file mode 100644
index 0000000..9e74358
--- /dev/null
+++ b/Popup-Homelab/docker-compose.yaml
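Review bot: custom.list spells the domain `jimsgarge.co.uk` while .env in this commit sets `DOMAIN=jimsgarage.co.uk`, so these host overrides will never match the hostnames the Traefik `Host()` rules are built from. Both entries should use the same value as DOMAIN, e.g. `192.168.200.118 traefik.jimsgarage.co.uk` and `192.168.200.118 portainer.jimsgarage.co.uk`. The compose file only mounts this list in a commented-out volume line, so the mismatch is inert until someone enables it, which makes it easy to miss later.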
@@ -0,0 +1,672 @@ +secrets: + cf-token: + file: ./cf-token + +services: +############################################################################################################### +############################################################################################################### +# TRAEFIK +# See video: https://youtu.be/CmUzMi5QLzI +# DUE TO COMPLEXITY, THIS WILL PULL A TEST CERTIFICATE. TO CHANGE, EDIT THE TRAEFIK.YAML FILE +############################################################################################################### +############################################################################################################### + traefik: + image: traefik:latest # or traefik:v3.3 to pin a version + container_name: traefik + restart: unless-stopped + security_opt: + - no-new-privileges:true # helps to increase security + secrets: + - cf-token # the secret at the top of this file + env_file: + - .env # store other secrets e.g., dashboard password + networks: + proxy: + ports: + - 80:80 + - 443:443 + environment: + # DUE TO COMPLEXITY, THIS WILL PULL A TEST CERTIFICATE. 
TO CHANGE, EDIT THE TRAEFIK.YAML FILE + - TRAEFIK_DASHBOARD_CREDENTIALS=${TRAEFIK_DASHBOARD_CREDENTIALS} + # - CF_API_EMAIL=your@email.com # Cloudflare email + # - CF_DNS_API_TOKEN=YOUR-TOKEN # Cloudflare API Token + - CF_DNS_API_TOKEN_FILE=/run/secrets/cf-token # see https://doc.traefik.io/traefik/https/acme/#providers + # token file is the proper way to do it + volumes: + - /etc/localtime:/etc/localtime:ro + - /var/run/docker.sock:/var/run/docker.sock:ro + - ${WORKING_DIR}/traefik/traefik.yaml:/traefik.yaml:ro + # you will need to create the below acem.json before running and set permissions to 600 + - ${WORKING_DIR}/traefik/acme.json:/acme.json + - ${WORKING_DIR}/traefik/config.yaml:/config.yaml:ro + - ${WORKING_DIR}/traefik/logs:/var/log/traefik + labels: + - "traefik.enable=true" + - "traefik.http.routers.traefik.entrypoints=http" + - "traefik.http.routers.traefik.rule=Host(`traefik-docker.$DOMAIN`)" + - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}" + - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https" + - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https" + - "traefik.http.routers.traefik.middlewares=traefik-https-redirect" + - "traefik.http.routers.traefik-secure.entrypoints=https" + - "traefik.http.routers.traefik-secure.rule=Host(`traefik-docker.$DOMAIN`)" + - "traefik.http.routers.traefik-secure.middlewares=traefik-auth" + - "traefik.http.routers.traefik-secure.tls=true" + - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare" + - "traefik.http.routers.traefik-secure.tls.domains[0].main=$DOMAIN" + - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.$DOMAIN" + - "traefik.http.routers.traefik-secure.service=api@internal" + +############################################################################################################### 
+############################################################################################################### +# CROWDSEC +# See video: https://youtu.be/bGOANkuxRNA +############################################################################################################### +############################################################################################################### + crowdsec: + image: crowdsecurity/crowdsec:latest + container_name: crowdsec + environment: + GID: "${GID-1000}" + COLLECTIONS: "crowdsecurity/traefik" + depends_on: + - 'traefik' + volumes: + - ./acquis.yaml:/etc/crowdsec/acquis.yaml + - ${WORKING_DIR}/crowdsec/db:/var/lib/crowdsec/data/ + - ${WORKING_DIR}/crowdsec/config:/etc/crowdsec/ + - ${WORKING_DIR}/traefik/logs:/var/log/traefik/:ro + networks: + - proxy + restart: unless-stopped + + bouncer-traefik: + image: docker.io/fbonalair/traefik-crowdsec-bouncer:latest + container_name: bouncer-traefik + environment: + CROWDSEC_BOUNCER_API_KEY: a946jLUgh8AAoThQFEAfaTa5YkI5LSNhGWkzkdtTIns # generate in crowdsec container - cscli bouncer add - then add here and redeploy + CROWDSEC_AGENT_HOST: crowdsec:8080 + networks: + - proxy # same network as traefik + crowdsec + depends_on: + - crowdsec + restart: unless-stopped + +############################################################################################################### +############################################################################################################### +# PIHOLE & CLOUDFLARED +# See video: https://youtu.be/mnry95ay0Bk +############################################################################################################### +############################################################################################################### + +# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/ + cloudflared: + container_name: cloudflared + # Restart on crashes and on reboots + restart: unless-stopped + image: 
cloudflare/cloudflared:latest + command: proxy-dns + environment: + - "TUNNEL_DNS_UPSTREAM=https://1.1.1.1/dns-query,https://1.0.0.1/dns-query,https://9.9.9.9/dns-query,https://149.112.112.9/dns-query" + # Listen on an unprivileged port + - "TUNNEL_DNS_PORT=5053" + # Listen on all interfaces + - "TUNNEL_DNS_ADDRESS=0.0.0.0" + # Attach cloudflared only to the private network + networks: + pihole_internal: + ipv4_address: 172.70.9.2 + security_opt: + - no-new-privileges:true + + pihole: + container_name: pihole + image: pihole/pihole:latest + ports: + # On Ubuntu port 53 is in use by resolved. Edit the file at /etc/systemd/resolved.conf and change the line DNSStubListener=yes to no, then use command sudo service systemd-resolved restart + - "53:53/tcp" + - "53:53/udp" + # - "67:67/udp" DHCP - uncomment if using it + - "500:80/tcp" # left port 500 open in case you need to connect via IP:500 + # - "443:443/tcp" + networks: + pihole_internal: + ipv4_address: 172.70.9.3 + proxy: + environment: + TZ: 'Europe/London' + # Set a password to access the web interface. 
Not setting one will result in a random password being assigned + FTLCONF_webserver_api_password: 'correct horse battery staple' + # If using Docker's default `bridge` network setting the dns listening mode should be set to 'all'3 + FTLCONF_dns_listeningMode: 'all' + FTLCONF_dns_upstreams: '172.70.9.2#5053' + # Volumes store your data between container upgrades + volumes: + # - './custom.list:/etc/pihole/hosts/custom.list' # remember to add your domains to this + - '${WORKING_DIR}/pihole/:/etc/pihole/' + - '${WORKING_DIR}/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/' + # Recommended but not required (DHCP needs NET_ADMIN) + # https://github.com/pi-hole/docker-pi-hole#note-on-capabilities + #cap_add: + # - NET_ADMIN + restart: unless-stopped + depends_on: + - cloudflared + labels: + - "traefik.enable=true" + - "traefik.http.routers.pihole.entrypoints=http" + - "traefik.http.routers.pihole.rule=Host(`piholev6.$DOMAIN`)" + - "traefik.http.middlewares.pihole-https-redirect.redirectscheme.scheme=https" + - "traefik.http.routers.pihole.middlewares=pihole-https-redirect" + - "traefik.http.routers.pihole-secure.entrypoints=https" + - "traefik.http.routers.pihole-secure.rule=Host(`piholev6.$DOMAIN`)" + - "traefik.http.routers.pihole-secure.tls=true" + - "traefik.http.routers.pihole-secure.service=pihole" + - "traefik.http.services.pihole.loadbalancer.server.port=80" + - "traefik.docker.network=proxy" + +############################################################################################################### +############################################################################################################### +# AUTHENTIK +# See video: https://youtu.be/1bTSOdYiIOQ +############################################################################################################### +############################################################################################################### + + postgresql: + image: docker.io/library/postgres:16-alpine + restart: 
unless-stopped + healthcheck: + test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"] + start_period: 20s + interval: 30s + retries: 5 + timeout: 5s + volumes: + - database:/var/lib/postgresql/data + environment: + POSTGRES_PASSWORD: ${PG_PASS:?database password required} + POSTGRES_USER: ${PG_USER:-authentik} + POSTGRES_DB: ${PG_DB:-authentik} + env_file: + - .env + redis: + image: docker.io/library/redis:alpine + command: --save 60 1 --loglevel warning + restart: unless-stopped + healthcheck: + test: ["CMD-SHELL", "redis-cli ping | grep PONG"] + start_period: 20s + interval: 30s + retries: 5 + timeout: 3s + volumes: + - redis:/data + server: + image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.1} + restart: unless-stopped + command: server + environment: + AUTHENTIK_REDIS__HOST: redis + AUTHENTIK_POSTGRESQL__HOST: postgresql + AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik} + AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik} + AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS} + volumes: + - ${WORKING_DIR}/authentik/media:/media + - ${WORKING_DIR}/authentik/custom-templates:/templates + env_file: + - .env + #ports: + # - "${COMPOSE_PORT_HTTP:-9000}:9000" + # - "${COMPOSE_PORT_HTTPS:-9443}:9443" + depends_on: + postgresql: + condition: service_healthy + redis: + condition: service_healthy + networks: + proxy: + labels: + - "traefik.enable=true" + - "traefik.http.routers.authentik.entrypoints=http" + - "traefik.http.routers.authentik.rule=Host(`authentik.$DOMAIN`)" + - "traefik.http.middlewares.authentik-https-redirect.redirectscheme.scheme=https" + - "traefik.http.routers.authentik.middlewares=authentik-https-redirect" + - "traefik.http.routers.authentik-secure.entrypoints=https" + - "traefik.http.routers.authentik-secure.rule=Host(`authentik.$DOMAIN`)" + - "traefik.http.routers.authentik-secure.tls=true" + - "traefik.http.routers.authentik-secure.service=authentik" + - 
"traefik.http.services.authentik.loadbalancer.server.scheme=https" + - "traefik.http.services.authentik.loadbalancer.server.port=9443" + - "traefik.docker.network=proxy" + + worker: + image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.1} + restart: unless-stopped + command: worker + environment: + AUTHENTIK_REDIS__HOST: redis + AUTHENTIK_POSTGRESQL__HOST: postgresql + AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik} + AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik} + AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS} + # `user: root` and the docker socket volume are optional. + # See more for the docker socket integration here: + # https://goauthentik.io/docs/outposts/integrations/docker + # Removing `user: root` also prevents the worker from fixing the permissions + # on the mounted folders, so when removing this make sure the folders have the correct UID/GID + # (1000:1000 by default) + user: root + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - ${WORKING_DIR}/authentik/media:/media + - ${WORKING_DIR}/authentik/certs:/certs + - ${WORKING_DIR}/authentik/custom-templates:/templates + env_file: + - .env + depends_on: + postgresql: + condition: service_healthy + redis: + condition: service_healthy + +############################################################################################################### +############################################################################################################### +# PORTAINER +############################################################################################################### +############################################################################################################### + + portainer: + image: portainer/portainer-ce:latest + container_name: portainer + ports: + - 8000:8000 + - 9443:9443 + volumes: + - portainer_data:/data + - /var/run/docker.sock:/var/run/docker.sock + restart: unless-stopped + networks: + proxy: + labels: + - "traefik.enable=true" + 
- "traefik.http.routers.portainer.entrypoints=http" + - "traefik.http.routers.portainer.rule=Host(`portainer.$DOMAIN`)" + - "traefik.http.middlewares.portainer-https-redirect.redirectscheme.scheme=https" + - "traefik.http.routers.portainer.middlewares=portainer-https-redirect" + - "traefik.http.routers.portainer-secure.entrypoints=https" + - "traefik.http.routers.portainer-secure.rule=Host(`portainer.$DOMAIN`)" + - "traefik.http.routers.portainer-secure.tls=true" + - "traefik.http.routers.portainer-secure.service=portainer" + - "traefik.http.services.portainer.loadbalancer.server.scheme=https" + - "traefik.http.services.portainer.loadbalancer.server.port=9443" + - "traefik.docker.network=proxy" + +############################################################################################################### +############################################################################################################### +# GOTIFY +# See video: https://youtu.be/Ft69PY7iitw +############################################################################################################### +############################################################################################################### + + gotify: + image: gotify/server + container_name: gotify + volumes: + - ${WORKING_DIR}/gotify:/app/data + restart: unless-stopped + security_opt: + - no-new-privileges:true + networks: + proxy: + environment: + - TZ=Europe/London + labels: + - "traefik.enable=true" + - "traefik.http.routers.gotify.entrypoints=http" + - "traefik.http.routers.gotify.rule=Host(`gotify.$DOMAIN`)" + - "traefik.http.middlewares.gotify-https-redirect.redirectscheme.scheme=https" + - "traefik.http.routers.gotify.middlewares=gotify-https-redirect" + - "traefik.http.routers.gotify-secure.entrypoints=https" + - "traefik.http.routers.gotify-secure.rule=Host(`gotify.$DOMAIN`)" + - "traefik.http.routers.gotify-secure.tls=true" + - "traefik.http.routers.gotify-secure.service=gotify" + - 
"traefik.http.services.gotify.loadbalancer.server.port=80" + - "traefik.docker.network=proxy" + +############################################################################################################### +############################################################################################################### +# HOMEPAGE +# See video: https://youtu.be/4AwUNy2eztA +############################################################################################################### +############################################################################################################### + + homepage: + image: ghcr.io/benphelps/homepage:latest + container_name: homepage + # uncomment if you do not want to run as root + #user: 1000:1000 + # uncomment if you are not using a reverse proxy + #ports: + # - 3000:3000 + volumes: + - ${WORKING_DIR}/homepage/config:/app/config # Make sure your local config directory exists + - /var/run/docker.sock:/var/run/docker.sock # (optional) For docker integrations + networks: + proxy: + labels: + - "traefik.enable=true" + - "traefik.http.routers.homepage.entrypoints=http" + - "traefik.http.routers.homepage.rule=Host(`homepage.$DOMAIN`)" + - "traefik.http.middlewares.homepage-https-redirect.redirectscheme.scheme=https" + - "traefik.http.routers.homepage.middlewares=homepage-https-redirect" + - "traefik.http.routers.homepage-secure.entrypoints=https" + - "traefik.http.routers.homepage-secure.rule=Host(`homepage.$DOMAIN`)" + - "traefik.http.routers.homepage-secure.tls=true" + - "traefik.http.routers.homepage-secure.service=homepage" + - "traefik.http.services.homepage.loadbalancer.server.port=3000" + - "traefik.docker.network=proxy" + security_opt: + - no-new-privileges:true + +############################################################################################################### +############################################################################################################### +# IT-TOOLS +# See video: 
https://youtu.be/CbIASgzUIUU +############################################################################################################### +############################################################################################################### + + it-tools: + image: 'corentinth/it-tools:latest' + #ports: + # - '8080:80' + restart: unless-stopped + container_name: it-tools + networks: + - proxy + labels: + - "traefik.enable=true" + - "traefik.docker.network=proxy" + - "traefik.http.routers.it-tools.entrypoints=http" + - "traefik.http.routers.it-tools.rule=Host(`it-tools.$DOMAIN`)" + - "traefik.http.middlewares.it-tools-https-redirect.redirectscheme.scheme=https" + - "traefik.http.routers.it-tools.middlewares=it-tools-https-redirect" + - "traefik.http.routers.it-tools-secure.entrypoints=https" + - "traefik.http.routers.it-tools-secure.rule=Host(`it-tools.$DOMAIN`)" + - "traefik.http.routers.it-tools-secure.tls=true" + - "traefik.http.routers.it-tools-secure.tls.certresolver=cloudflare" + - "traefik.http.routers.it-tools-secure.service=it-tools" + - "traefik.http.services.it-tools.loadbalancer.server.port=80" + +############################################################################################################### +############################################################################################################### +# JELLYFIN +# See video: https://youtu.be/VHXefJ7Ne6I +############################################################################################################### +############################################################################################################### + + jellyfin: + image: jellyfin/jellyfin + container_name: jellyfin + user: 1000:1000 + #group_add: + # - '109' # This needs to be the group id of running `stat -c '%g' /dev/dri/renderD128` on the docker host + environment: + - TZ=Europe/London + volumes: + - ${WORKING_DIR}/jellyfin/config:/config + - ${WORKING_DIR}/jellyfin/cache:/cache + # You will 
need to map your NAS first (mount), then uncomment and reference below + # - /home/ubuntu/YOUR_NAS/Films:/Films:ro + # - /home/ubuntu/YOUR_NAS/TVShows:/TVShows:ro + # - /home/ubuntu/YOUR_NAS/Audiobooks:/Audiobooks:ro + # - /home/ubuntu/YOUR_NAS/Music:/Music:ro + #ports: You will need to uncomment if you aren't running through a proxy + # - 8096:8096 + # - 8920:8920 #optional + # - 7359:7359/udp #optional + # - 1900:1900/udp #optional + #devices: uncomment these and amend if you require GPU accelerated transcoding - this is for Intel + # - /dev/dri/renderD128:/dev/dri/renderD128 + # - /dev/dri/card0:/dev/dri/card0 + restart: unless-stopped + labels: + - "traefik.enable=true" + - "traefik.http.routers.jellyfin.entrypoints=http" + - "traefik.http.routers.jellyfin.rule=Host(`jellyfin.$DOMAIN`)" + - "traefik.http.middlewares.jellyfin-https-redirect.redirectscheme.scheme=https" + - "traefik.http.routers.jellyfin.middlewares=jellyfin-https-redirect" + - "traefik.http.routers.jellyfin-secure.entrypoints=https" + - "traefik.http.routers.jellyfin-secure.rule=Host(`jellyfin.$DOMAIN`)" + - "traefik.http.routers.jellyfin-secure.tls=true" + - "traefik.http.routers.jellyfin-secure.service=jellyfin" + - "traefik.http.services.jellyfin.loadbalancer.server.port=8096" + - "traefik.docker.network=proxy" + networks: + proxy: + security_opt: + - no-new-privileges:true + +############################################################################################################### +############################################################################################################### +# MIROTALK +# See video: https://youtu.be/LuLzStcvia0 +############################################################################################################### +############################################################################################################### + + mirotalk: + image: mirotalk/p2p:latest + container_name: mirotalk + hostname: mirotalk + volumes: + - 
.env:/src/.env:ro + # These volumes are not mandatory, uncomment if you want to use it + # - ./app/:/src/app/:ro # useful for changing the UI JS + # - ./public/:/src/public/:ro + restart: unless-stopped + networks: + proxy: + # Uncomment ports and comment labels if you're not using a reverse proxy + #ports: + # - '${PORT}:${PORT}' + labels: + - "traefik.enable=true" + - "traefik.docker.network=proxy" + - "traefik.http.routers.mirotalk.entrypoints=http" + - "traefik.http.routers.mirotalk.rule=Host(`mirotalk.$DOMAIN`)" + - "traefik.http.middlewares.mirotalk-https-redirect.redirectscheme.scheme=https" + - "traefik.http.routers.mirotalk.middlewares=mirotalk-https-redirect" + - "traefik.http.routers.mirotalk-secure.entrypoints=https" + - "traefik.http.routers.mirotalk-secure.rule=Host(`mirotalk.$DOMAIN`)" + - "traefik.http.routers.mirotalk-secure.tls=true" + - "traefik.http.routers.mirotalk-secure.tls.certresolver=cloudflare" + - "traefik.http.routers.mirotalk-secure.service=mirotalk" + - "traefik.http.services.mirotalk.loadbalancer.server.port=3000" # make sure the loadbalancer is the last line!!! 
+ +############################################################################################################### +############################################################################################################### +# RESTIC +# See video: https://youtu.be/WBBTC5WfGis +############################################################################################################### +############################################################################################################### + + backup: + image: mazzolino/restic + container_name: restic + hostname: your_host_name + environment: + RUN_ON_STARTUP: "true" #change as you wish + BACKUP_CRON: "0 */12 * * *" #this is twice daily, i.e., every 12 hours + RESTIC_REPOSITORY: /restic + RESTIC_PASSWORD: MY_SUPER_LONG_PASSWORD + RESTIC_BACKUP_SOURCES: /mnt/volumes + RESTIC_COMPRESSION: auto + RESTIC_BACKUP_ARGS: >- + --tag restic-proxmox #add tags, whatever you need to mark backups + --verbose + RESTIC_FORGET_ARGS: >- #change as required + --keep-last 10 + --keep-daily 7 + --keep-weekly 5 + --keep-monthly 12 + TZ: Europe/London + volumes: + # this will store locally + - ${WORKING_DIR}/restic:/restic + - ${WORKING_DIR}/restic-restore:/tmp-for-restore + # recommend to store on a NAS or other device - uncomment below + # - /home/ubuntu/truenas/Restic-Proxmox-Backup:/restic #change the left hand side to where you want to store the backups. 
As you can see I'm storing it on my NAS that is mounted to the host /home/truenas + # - /home/ubuntu/truenas/Restic-Proxmox-Backup/tmp-for-restore:/tmp-for-restore #USE THIS FOLDER FOR RESTORE - CAN VIEW EACH CONTAINER + # The data of your existing containers (i.e., all of the containers in here /docker) + - ${WORKING_DIR}:/mnt/volumes:ro + security_opt: + - no-new-privileges:true + + prune: + image: mazzolino/restic + container_name: restic-prune + hostname: your_host_name + environment: + RUN_ON_STARTUP: "true" + PRUNE_CRON: "0 0 4 * * *" + RESTIC_REPOSITORY: /restic + RESTIC_PASSWORD: USE_SAME_PASSWORD_AS_ABOVE + TZ: Europe/London + security_opt: + - no-new-privileges:true + + check: + image: mazzolino/restic + container_name: restic-check + hostname: your_host_name + environment: + RUN_ON_STARTUP: "false" + CHECK_CRON: "0 15 5 * * *" + RESTIC_CHECK_ARGS: >- + --read-data-subset=10% + RESTIC_REPOSITORY: /restic + RESTIC_PASSWORD: USE_SAME_PASSWORD_AS_ABOVE + TZ: Europe/London + security_opt: + - no-new-privileges:true + +############################################################################################################### +############################################################################################################### +# UPTIME_KUMA +# See video: https://youtu.be/0FId6vahLAI +############################################################################################################### +############################################################################################################### + + uptime-kuma: + image: louislam/uptime-kuma:1 + container_name: uptime-kuma + volumes: + - ${WORKING_DIR}/uptime-kuma:/app/data + restart: unless-stopped + security_opt: + - no-new-privileges:true + networks: + proxy: + labels: + - "traefik.enable=true" + - "traefik.http.routers.uptime-kuma.entrypoints=http" + - "traefik.http.routers.uptime-kuma.rule=Host(`uptime-kuma.$DOMAIN`)" + - 
"traefik.http.middlewares.uptime-kuma-https-redirect.redirectscheme.scheme=https" + - "traefik.http.routers.uptime-kuma.middlewares=uptime-kuma-https-redirect" + - "traefik.http.routers.uptime-kuma-secure.entrypoints=https" + - "traefik.http.routers.uptime-kuma-secure.rule=Host(`uptime-kuma.$DOMAIN`)" + - "traefik.http.routers.uptime-kuma-secure.tls=true" + - "traefik.http.routers.uptime-kuma-secure.service=uptime-kuma" + - "traefik.http.services.uptime-kuma.loadbalancer.server.port=3001" + - "traefik.docker.network=proxy" + +############################################################################################################### +############################################################################################################### +# VAULTWARDEN +# See video: https://youtu.be/DnAOiYhdiII +############################################################################################################### +############################################################################################################### + + vaultwarden: + container_name: vaultwarden + image: vaultwarden/server:latest + volumes: + - '${WORKING_DIR}/vaultwarden/:/data/' + restart: unless-stopped + networks: + proxy: + labels: + - "traefik.enable=true" + - "traefik.http.routers.vaultwarden.entrypoints=http" + - "traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.$DOMAIN`)" + - "traefik.http.middlewares.vaultwarden-https-redirect.redirectscheme.scheme=https" + - "traefik.http.routers.vaultwarden.middlewares=vaultwarden-https-redirect" + - "traefik.http.routers.vaultwarden-secure.entrypoints=https" + - "traefik.http.routers.vaultwarden-secure.rule=Host(`vaultwarden.$DOMAIN`)" + - "traefik.http.routers.vaultwarden-secure.tls=true" + - "traefik.http.routers.vaultwarden-secure.service=vaultwarden" + - "traefik.http.services.vaultwarden.loadbalancer.server.port=80" + - "traefik.docker.network=proxy" + security_opt: + - no-new-privileges:true + 
+############################################################################################################### +############################################################################################################### +# WIREGUARD +# See video: https://youtu.be/C59dOinNurk +############################################################################################################### +############################################################################################################### + + wireguard-easy: + image: ghcr.io/wg-easy/wg-easy + container_name: wg-easy + volumes: + - ${WORKING_DIR}/wireguard-easy/etc_wireguard:/etc/wireguard + ports: + - "51820:51820/udp" + # - "51821:51821/tcp" + restart: unless-stopped + networks: + - proxy + cap_add: + - NET_ADMIN + - SYS_MODULE + # - NET_RAW # ?? Uncomment if using Podman + sysctls: + - net.ipv4.ip_forward=1 + - net.ipv4.conf.all.src_valid_mark=1 + labels: + - "traefik.enable=true" + - "traefik.docker.network=proxy" + - "traefik.http.routers.wireguard.entrypoints=http" + - "traefik.http.routers.wireguard.rule=Host(`wireguard.$DOMAIN`)" + - "traefik.http.middlewares.wireguard-https-redirect.redirectscheme.scheme=https" + - "traefik.http.routers.wireguard.middlewares=wireguard-https-redirect" + - "traefik.http.routers.wireguard-secure.entrypoints=https" + - "traefik.http.routers.wireguard-secure.rule=Host(`wireguard.$DOMAIN`)" + - "traefik.http.routers.wireguard-secure.tls=true" + - "traefik.http.routers.wireguard-secure.tls.certresolver=cloudflare" + - "traefik.http.routers.wireguard-secure.service=wireguard" + - "traefik.http.services.wireguard.loadbalancer.server.port=51821" + + +volumes: + portainer_data: + database: + driver: local + redis: + driver: local + +networks: + proxy: + name: proxy + driver: bridge + ipam: + config: + - subnet: 10.8.250.0/24 + pihole_internal: + name: pihole_internal + driver: bridge + ipam: + config: + - subnet: 172.70.9.0/29 \ No newline at end of file 
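Review bot: `CROWDSEC_BOUNCER_API_KEY` in the bouncer-traefik service and `FTLCONF_webserver_api_password` in pihole are literal credentials inside docker-compose.yaml, even though the same file already shows the better pattern for cf-token (a Docker secret) and PG_PASS (`${PG_PASS:?database password required}` from .env). Moving them to interpolated variables — `CROWDSEC_BOUNCER_API_KEY: ${CROWDSEC_BOUNCER_API_KEY:?set in .env}` and `FTLCONF_webserver_api_password: ${PIHOLE_WEB_PASSWORD:?set in .env}` (variable names are suggestions) — keeps them out of the tracked compose file, and the bouncer key that is already committed should be regenerated in the crowdsec container as the inline comment describes. The .env scoping is also broader than it needs to be: traefik, postgresql, server and worker each receive the entire file via `env_file`, and mirotalk gets it bind-mounted at `/src/.env`, so every one of those containers can read the others' secrets; per-service env files would limit what a single compromised container can reach. Minor: the comment above `FTLCONF_dns_listeningMode` ends in a stray `3` (`'all'3`).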
diff --git a/Popup-Homelab/docker/traefik/acme.json b/Popup-Homelab/docker/traefik/acme.json
new file mode 100644
index 0000000..d84d29d
--- /dev/null
+++ b/Popup-Homelab/docker/traefik/acme.json
@@ -0,0 +1 @@
+remember to chmod this to 600!!!
\ No newline at end of file
diff --git a/Popup-Homelab/docker/traefik/config.yaml b/Popup-Homelab/docker/traefik/config.yaml
new file mode 100644
index 0000000..6888376
--- /dev/null
+++ b/Popup-Homelab/docker/traefik/config.yaml
@@ -0,0 +1,40 @@
+http:
+ middlewares:
+ crowdsec-bouncer:
+ forwardauth:
+ address: http://bouncer-traefik:8080/api/v1/forwardAuth
+ trustForwardHeader: true
+ # https://github.com/goauthentik/authentik/issues/2366
+ middlewares-authentik:
+ forwardAuth:
+ address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+ - X-authentik-jwt
+ - X-authentik-meta-jwks
+ - X-authentik-meta-outpost
+ - X-authentik-meta-provider
+ - X-authentik-meta-app
+ - X-authentik-meta-version
+ default-security-headers:
+ headers:
+ customBrowserXSSValue: 0 # X-XSS-Protection=1; mode=block
+ contentTypeNosniff: true # X-Content-Type-Options=nosniff
+ forceSTSHeader: true # Add the Strict-Transport-Security header even when the connection is HTTP
+ frameDeny: false # X-Frame-Options=deny
+ referrerPolicy: "strict-origin-when-cross-origin"
+ stsIncludeSubdomains: true # Add includeSubdomains to the Strict-Transport-Security header
+ stsPreload: true # Add preload flag appended to the Strict-Transport-Security header
+ stsSeconds: 3153600 # Set the max-age of the Strict-Transport-Security header (63072000 = 2 years)
+ contentSecurityPolicy: "default-src 'self'"
+ customRequestHeaders:
+ X-Forwarded-Proto: https
+ https-redirectscheme:
+ redirectScheme:
+ scheme: https
+ permanent: true
\ No newline at end of file
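Review bot: The new acme.json holds the prose `remember to chmod this to 600!!!` rather than JSON, so as far as I can tell Traefik's ACME local store will fail to unmarshal it and the `cloudflare` resolver will not initialise until someone empties the file by hand. Commit an empty acme.json instead (Traefik, I believe, treats an empty store as a fresh account) and move the permission reminder into the README or a comment beside `storage: acme.json` in traefik.yaml. The reminder is right to keep: this store contains the ACME account private key and the private keys of every issued certificate, so any mode wider than `0600` exposes them to other users on the host.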
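Review bot: `stsSeconds: 3153600` in `default-security-headers` is roughly 36.5 days, not the two years its trailing comment cites, and it is below the one-year minimum the HSTS preload list requires, so the `stsPreload: true` flag on the line above would be rejected at submission time. Change it to `stsSeconds: 31536000` (one year) or `stsSeconds: 63072000` to match the comment. On `customBrowserXSSValue: 0` the comment `# X-XSS-Protection=1; mode=block` contradicts the value; `0` switches the legacy browser filter off, which is the current recommendation, so fix the comment rather than the value, e.g. `customBrowserXSSValue: 0 # X-XSS-Protection: 0 (legacy filter disabled on purpose)`. A style nit: `forwardauth` under `crowdsec-bouncer` and `forwardAuth` under `middlewares-authentik` spell the same Traefik option differently; pick one.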
diff --git a/Popup-Homelab/docker/traefik/traefik.yaml b/Popup-Homelab/docker/traefik/traefik.yaml
new file mode 100644
index 0000000..b7babd0
--- /dev/null
+++ b/Popup-Homelab/docker/traefik/traefik.yaml
@@ -0,0 +1,49 @@
+api:
+ dashboard: true
+ debug: true
+entryPoints:
+ http:
+ address: ":80"
+ http:
+ middlewares:
+ - crowdsec-bouncer@file
+ redirections:
+ entrypoint:
+ to: https
+ scheme: https
+ https:
+ address: ":443"
+ http:
+ middlewares:
+ - crowdsec-bouncer@file
+ tcp:
+ address: ":10000"
+ apis:
+ address: ":33073"
+serversTransport:
+ insecureSkipVerify: true
+providers:
+ docker:
+ endpoint: "unix:///var/run/docker.sock"
+ exposedByDefault: false
+ file:
+ filename: /config.yaml
+certificatesResolvers:
+ cloudflare:
+ acme:
+ # caServer: https://acme-v02.api.letsencrypt.org/directory # production (default)
+ caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging (testing)
+ email: your@email.com
+ storage: acme.json
+ dnsChallenge:
+ provider: cloudflare
+ # disablePropagationCheck: true # Some people using Cloudflare note this can solve DNS propagation issues.
+ resolvers:
+ - "1.1.1.1:53"
+ - "1.0.0.1:53"
+
+log:
+ level: "INFO"
+ filePath: "/var/log/traefik/traefik.log"
+accessLog:
+ filePath: "/var/log/traefik/access.log"
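Review bot: `serversTransport: insecureSkipVerify: true` configures the global default transport, so Traefik stops verifying the TLS certificate of every backend it proxies to, not only the self-signed service this was presumably added for. Drop the global setting and declare a named transport in config.yaml (`http: serversTransports: <name>: insecureSkipVerify: true`) that only the affected service selects through its `traefik.http.services.<svc>.loadbalancer.serverstransport=<name>@file` label; every other route then keeps certificate validation. Two smaller points: `api: debug: true` turns on Traefik's extra debug and profiling endpoints behind the same dashboard router and is better left off outside troubleshooting, and the active `caServer` line is the Let's Encrypt staging endpoint, so the certificates it issues are untrusted by browsers; the comment marks that as intentional for testing, but the production line should be the uncommented one before this is reused as a template.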
