Initial commit.
commit
7190566b96
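--- /dev/null
+++ b/<path-unknown-1>
@@ -0,0 +1,52 @@
+version: "3.3"
+
+services:
+  traefik:
+    container_name: traefik
+    image: "traefik:v2.5"
+    command:
+      - --entrypoints.web.address=:80
+      - --entrypoints.websecure.address=:443
+      - --providers.docker
+      - --log.level=DEBUG
+      - --certificatesresolvers.leresolver.acme.httpchallenge=true
+      - --certificatesresolvers.leresolver.acme.email=patches11@gmail.com #Set your email address here, is for the generation of SSL certificates with Let's Encrypt.
+      - --certificatesresolvers.leresolver.acme.storage=./acme.json
+      - --certificatesresolvers.leresolver.acme.httpchallenge.entrypoint=web
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "./acme.json:/acme.json"
+    labels:
+      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
+      - "traefik.http.routers.http-catchall.entrypoints=web"
+      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+
+  portainer:
+    image: portainer/portainer-ce:2.0.0
+    command: -H unix:///var/run/docker.sock
+    restart: always
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - portainer_data:/data
+    labels:
+      # Frontend
+      - "traefik.enable=true"
+      - "traefik.http.routers.frontend.rule=Host(`portainer.taudris.com`)"
+      - "traefik.http.routers.frontend.entrypoints=websecure"
+      - "traefik.http.services.frontend.loadbalancer.server.port=9000"
+      - "traefik.http.routers.frontend.service=frontend"
+      - "traefik.http.routers.frontend.tls.certresolver=leresolver"
+
+      # Edge
+      - "traefik.http.routers.edge.rule=Host(`portainer-edge.taudris.com`)"
+      - "traefik.http.routers.edge.entrypoints=websecure"
+      - "traefik.http.services.edge.loadbalancer.server.port=8000"
+      - "traefik.http.routers.edge.service=edge"
+      - "traefik.http.routers.edge.tls.certresolver=leresolver"
+
+volumes:
+  portainer_data: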
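Review bot: `--providers.docker` in the traefik command list is enabled without `--providers.docker.exposedbydefault=false`, so every container that can be seen through the mounted Docker socket is routed by Traefik unless it opts out with a label; add `- --providers.docker.exposedbydefault=false` beside it (the other traefik compose file in this commit already does) and drop `- --log.level=DEBUG` from the shipped default, since debug output includes per-request detail. The ACME storage flag uses the relative path `./acme.json` while the volume mounts the file at `/acme.json`; the two only coincide because the image's working directory is `/`, so write `- --certificatesresolvers.leresolver.acme.storage=/acme.json` to match the mount. That file holds the Let's Encrypt account key and all issued certificates, and Traefik refuses to use it unless it is mode 600, so a comment on the volume line, `# create acme.json on the host and chmod 600 before first start`, would prevent the usual first-run failure. `portainer-ce:2.0.0` is an older pin than the `traefik:v2.5` next to it; consider moving to a current release so known fixes are picked up.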
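--- /dev/null
+++ b/<path-unknown-2>
@@ -0,0 +1,30 @@
+version: '3.2'
+
+services:
+  agent:
+    image: portainer/agent
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/lib/docker/volumes:/var/lib/docker/volumes
+    deploy:
+      mode: global
+      placement:
+        constraints: [node.platform.os == linux]
+
+  portainer:
+    image: portainer/portainer-ce
+    command: -H tcp://tasks.agent:9001 --tlsskipverify
+    ports:
+      - "9443:9443"
+      - "9000:9000"
+      - "8000:8000"
+    volumes:
+      - portainer_data:/data
+    deploy:
+      mode: replicated
+      replicas: 1
+      placement:
+        constraints: [node.role == manager]
+
+volumes:
+  portainer_data: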
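Review bot: `portainer/agent` and `portainer/portainer-ce` carry no tag, so every redeploy of this stack pulls whatever `latest` resolves to, and the agent in particular runs on every node with the Docker socket and `/var/lib/docker/volumes` mounted read-write; pin both to an explicit version (the first compose file in this commit pins `portainer-ce:2.0.0`) so an upstream tag change cannot silently replace a component with host-level access. `--tlsskipverify` on the portainer command disables certificate verification toward `tasks.agent:9001`; that is the documented default for this deployment style, but a comment such as `# agent link is protected only by the overlay network, not by cert validation` would make the trust boundary explicit. The `ports` list publishes `"9000:9000"` (the plain-HTTP UI) next to `"9443:9443"`; if the UI is meant to be reached over TLS, only `9443` needs publishing, and `8000` only when Edge agents are in use.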
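--- /dev/null
+++ b/<path-unknown-3>
@@ -0,0 +1,171 @@
+#pulled from https://github.com/dadatuputi/bitwarden_gcloud
+version: '3'
+
+services:
+  bitwarden:
+    image: vaultwarden/server:alpine
+    restart: always
+    container_name: bitwarden
+    depends_on:
+      - proxy
+    volumes:
+      - ${PWD}/bitwarden:/data
+      - ${PWD}/utilities/backup.sh:/backup.sh:ro
+    environment:
+      - LOG_FILE=/data/bitwarden.log
+      - WEBSOCKET_ENABLED=true # required for websockets
+      - SHOW_PASSWORD_HINT=false
+      - DOMAIN=https://${DOMAIN} # DOMAIN is set in .env but doesn't have protocol prefix
+      - SMTP_FROM_NAME=Bitwarden (${DOMAIN})
+      - IP_HEADER=X-Forwarded-For
+      - ADMIN_TOKEN # Value-less variables are set in .env
+      - SIGNUPS_ALLOWED
+      - SMTP_HOST
+      - SMTP_FROM
+      - SMTP_PORT
+      - SMTP_SSL
+      - SMTP_EXPLICIT_TLS
+      - SMTP_USERNAME
+      - SMTP_PASSWORD
+      - YUBICO_CLIENT_ID
+      - YUBICO_SECRET_KEY
+      - YUBICO_SERVER
+      - ORG_CREATE_USER
+      - BACKUP
+      - BACKUP_DAYS
+      - BACKUP_DIR
+      - BACKUP_EMAIL_FROM_NAME
+      - BACKUP_ENCRYPTION_KEY
+      - BACKUP_EMAIL_TO
+      - BACKUP_EMAIL_NOTIFY
+      - BACKUP_RCLONE_CONF
+      - BACKUP_RCLONE_DEST
+    command: >
+      sh -c 'if [ -n "$BACKUP" ];
+      then
+        apk --update --no-cache add sqlite
+        ln -sf /proc/1/fd/1 /var/log/backup.log &&
+        sed -i "/ash \\/backup\\.sh /d" /etc/crontabs/root &&
+        echo "$BACKUP_SCHEDULE ash /backup.sh $BACKUP" >> /etc/crontabs/root &&
+        crond -d 8;
+      fi &&
+      exec /start.sh'
+
+  proxy:
+    # Caddy provides an automatic HTTPS reverse proxy with Let's Encrypt cert provisioning
+    # https://caddyserver.com/
+    image: caddy/caddy:alpine
+    restart: always
+    container_name: proxy
+    volumes:
+      - ${PWD}/caddy/Caddyfile:/etc/caddy/Caddyfile:ro
+      - ${PWD}/caddy/data:/data
+      - caddycerts:/root/.caddy
+    ports:
+      - 80:80 # Port 80 is necessary for Let's Encrypt ACME
+      - 443:443
+    environment:
+      - LOG_FILE=/data/logs/caddy.log
+      - ACME_AGREE=true # agree to ACME for auto HTTPS
+      - DOMAIN # Value-less variables are set in .env
+      - EMAIL
+
+
+  ddns:
+    # This provides a ddclient dynamic dns updating cron which is as simple as running it
+    # and editing the ddns/config/ddclient.conf file
+    # https://github.com/linuxserver/docker-ddclient
+    image: linuxserver/ddclient
+    restart: always
+    container_name: ddns
+    depends_on:
+      - bitwarden
+    volumes:
+      - ${PWD}/ddns:/config
+    environment:
+      - PUID
+      - PGID
+      - TZ
+
+
+  fail2ban:
+    # Implements fail2ban functionality, banning ips that
+    # try to bruteforce your vault
+    # https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup
+    # https://github.com/crazy-max/docker-fail2ban
+    image: crazymax/fail2ban:latest
+    restart: always
+    container_name: fail2ban
+    depends_on:
+      - bitwarden
+    volumes:
+      - ${PWD}/fail2ban:/data
+      - ${PWD}/bitwarden:/bitwarden:ro
+    network_mode: "host"
+    privileged: true
+    cap_add:
+      - NET_ADMIN
+      - NET_RAW
+    environment:
+      - F2B_DB_PURGE_AGE=30d
+      - F2B_LOG_TARGET=/data/fail2ban.log
+      - F2B_LOG_LEVEL=INFO
+      - F2B_IPTABLES_CHAIN=INPUT
+      - SSMTP_HOST=${SMTP_HOST}
+      - SSMTP_PORT=${SMTP_PORT}
+      - SSMTP_USER=${SMTP_USERNAME}
+      - SSMTP_PASSWORD=${SMTP_PASSWORD}
+      - SSMTP_HOSTNAME=Bitwarden (${DOMAIN})
+      - SSMTP_TLS=${SMTP_SSL}
+      - SSMTP_STARTTLS=YES
+      - TZ
+
+
+  countryblock:
+    # The block script will block any country (defaults to CN and AU)
+    # Requires cap_add as listed and privileged because it uses iptables and ipset
+    # https://hub.docker.com/_/alpine/
+    image: alpine:latest
+    restart: always
+    container_name: countryblock
+    depends_on:
+      - bitwarden
+    volumes:
+      - ${PWD}/countryblock/block.sh:/block.sh:ro
+    network_mode: "host"
+    privileged: true
+    cap_add:
+      - NET_ADMIN
+      - NET_RAW
+    environment:
+      - COUNTRIES
+      - COUNTRYBLOCK_SCHEDULE
+      - TZ
+    command: >
+      sh -c 'apk --update --no-cache add ipset iptables ip6tables wget bash tzdata &&
+      ln -sf /proc/1/fd/1 /var/log/block.log &&
+      sed -i "/bash \\/block\\.sh update/d" /etc/crontabs/root &&
+      echo "$COUNTRYBLOCK_SCHEDULE bash /block.sh update" >> /etc/crontabs/root &&
+      crond -d 8 &&
+      bash /block.sh start'
+
+
+  watchtower:
+    # Watchtower will pull down your new image, gracefully shut down your existing container
+    # and restart it with the same options that were used when it was deployed initially
+    # https://github.com/containrrr/watchtower
+    image: containrrr/watchtower
+    restart: always
+    container_name: watchtower
+    depends_on:
+      - bitwarden
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      - WATCHTOWER_CLEANUP=true
+      - WATCHTOWER_SCHEDULE
+      - TZ
+
+
+volumes:
+  caddycerts: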
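Review bot: `privileged: true` on the fail2ban and countryblock services (both already on `network_mode: "host"`) grants the full host capability set and raw device access, while the `cap_add` lists directly below name `NET_ADMIN` and `NET_RAW`, which is what iptables and ipset need; the countryblock comment says both are required, but nothing in the visible commands goes beyond netfilter, so try removing `privileged: true` from both services and keep only the two capabilities. The same two services, plus ddns and watchtower, reference untagged or `:latest` images, and watchtower holds a read-write Docker socket and will replace them automatically, so an upstream tag change is deployed with no review; pin tags or digests and restrict watchtower to an explicit container list. The two `command: >` folded scalars reference `$BACKUP_SCHEDULE` and `$COUNTRYBLOCK_SCHEDULE`, which compose interpolates from `.env` at parse time rather than the container's shell; if `.env` does not define them, compose substitutes an empty string and the crontab line is written with no schedule, so a comment `# $BACKUP_SCHEDULE is expanded by compose from .env, not by sh` on the `command:` key would make that dependency visible.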
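--- /dev/null
+++ b/<path-unknown-4>
@@ -0,0 +1,49 @@
+version: "3.8"
+
+services:
+
+  traefik:
+    image: "traefik:v2.5"
+    container_name: "traefik"
+    restart: always
+    command:
+      #- --log.level=DEBUG
+      - --api.insecure=true
+      - --providers.docker=true
+      - --providers.docker.exposedbydefault=false
+      - --entrypoints.web.address=:80
+    ports:
+      - "9021:80"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+
+  vaultwarden:
+    image: vaultwarden/server
+    container_name: "vaultwarden"
+    restart: always
+    volumes:
+      - /etc/vaultwarden/data:/data
+      - /var/log/vaultwarden:/var/log
+    environment:
+      LOG_FILE: '/var/log/vaultwarden.log'
+      SIGNUPS_ALLOWED: 'true'
+      DOMAIN: 'https://bitwarden.taudris.com'
+      ADMIN_TOKEN: 'tQDU8ur6yEk5HGgGbk6sobaCnJ9dUYRzWBevdcM2k6JmC6WNiFsjN4G7y4buTLAp'
+      SMTP_HOST: 'smtp.zoho.com'
+      SMTP_FROM: 'admin@taudris.com'
+      SMTP_FROM_NAME: 'Bitwarden'
+      SMTP_PORT: '587'
+      SMTP_SSL: 'true'
+      SMTP_USERNAME: 'admin@taudris.com'
+      SMTP_PASSWORD: 'dsSQ@K54!7ppjW'
+      SMTP_TIMEOUT: '15'
+      WEBSOCKET_ENABLED: 'true'
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik
+      - traefik.http.routers.bitwarden-ui.rule=Host(`bitwarden.taudris.com`, `apps.taudris.com`)
+      - traefik.http.routers.bitwarden-ui.service=bitwarden-ui
+      - traefik.http.services.bitwarden-ui.loadbalancer.server.port=80
+      - traefik.http.routers.bitwarden-websocket.rule=Host(`bitwarden.taudris.com`, `apps.taudris.com`) && Path(`/notifications/hub`)
+      - traefik.http.routers.bitwarden-websocket.service=bitwarden-websocket
+      - traefik.http.services.bitwarden-websocket.loadbalancer.server.port=3012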
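Review bot: `ADMIN_TOKEN` and `SMTP_PASSWORD` in the vaultwarden `environment` mapping are literal credentials committed to the repository; both must be treated as exposed and rotated, and the values moved out of the file (`ADMIN_TOKEN: "${ADMIN_TOKEN}"` with an untracked `.env`, or Docker secrets), which is exactly the value-less `environment` pattern the upstream-derived compose file in this same commit uses. `SIGNUPS_ALLOWED: 'true'` on a service routed from public hostnames lets anyone register a vault; set it to `'false'` once the first account exists, or restrict it with `SIGNUPS_DOMAINS_WHITELIST`. `--api.insecure=true` on the traefik command serves the dashboard and API with no authentication on the container's port 8080; it is not published in `ports`, but any container on the same network can read the full routing configuration, so prefer `--api.dashboard=true` behind a router with an auth middleware. `vaultwarden/server` has no tag, and the label `traefik.docker.network=traefik` names a network this file does not define, so compose's default network is what actually gets used.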
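--- /dev/null
+++ b/<path-unknown-5>
@@ -0,0 +1,6 @@
+version: "3.8"
+services:
+  vlmcsd:
+    image: mikolatero/vlmcsd
+    ports:
+      - "1688:1688"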
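Review bot: The port mapping `"1688:1688"` binds to every host interface, so the service answers from any network the host is attached to; bind it to the address it is meant to serve, e.g. `- "127.0.0.1:1688:1688"` or the LAN address. `mikolatero/vlmcsd` is an untagged third-party image with no `restart` policy declared, so pin a tag or digest and decide explicitly whether it should come back after a reboot.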