Initial commit.

portainer/docker-compose-https.yml

@@ -0,0 +1,52 @@
+version: "3.3"
+
+services:
+  traefik:
+    container_name: traefik
+    image: "traefik:v2.5"
+    command:
+      - --entrypoints.web.address=:80
+      - --entrypoints.websecure.address=:443
+      - --providers.docker
+      - --log.level=DEBUG
+      - --certificatesresolvers.leresolver.acme.httpchallenge=true
+      - --certificatesresolvers.leresolver.acme.email=patches11@gmail.com #Set your email address here, is for the generation of SSL certificates with Let's Encrypt. 
+      - --certificatesresolvers.leresolver.acme.storage=./acme.json
+      - --certificatesresolvers.leresolver.acme.httpchallenge.entrypoint=web
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "./acme.json:/acme.json"
+    labels:
+      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
+      - "traefik.http.routers.http-catchall.entrypoints=web"
+      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+
+  portainer:
+    image: portainer/portainer-ce:2.0.0
+    command: -H unix:///var/run/docker.sock
+    restart: always
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - portainer_data:/data
+    labels:
+      # Frontend
+      - "traefik.enable=true"
+      - "traefik.http.routers.frontend.rule=Host(`portainer.taudris.com`)"
+      - "traefik.http.routers.frontend.entrypoints=websecure"
+      - "traefik.http.services.frontend.loadbalancer.server.port=9000"
+      - "traefik.http.routers.frontend.service=frontend"
+      - "traefik.http.routers.frontend.tls.certresolver=leresolver"
+      
+      # Edge
+      - "traefik.http.routers.edge.rule=Host(`portainer-edge.taudris.com`)"
+      - "traefik.http.routers.edge.entrypoints=websecure"
+      - "traefik.http.services.edge.loadbalancer.server.port=8000"
+      - "traefik.http.routers.edge.service=edge"
+      - "traefik.http.routers.edge.tls.certresolver=leresolver"
+
+volumes:
+  portainer_data:

portainer/docker-compose.yml

@@ -0,0 +1,30 @@
+version: '3.2'
+
+services:
+  agent:
+    image: portainer/agent
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/lib/docker/volumes:/var/lib/docker/volumes
+    deploy:
+      mode: global
+      placement:
+        constraints: [node.platform.os == linux]
+
+  portainer:
+    image: portainer/portainer-ce
+    command: -H tcp://tasks.agent:9001 --tlsskipverify
+    ports:
+      - "9443:9443"
+      - "9000:9000"
+      - "8000:8000"
+    volumes:
+      - portainer_data:/data
+    deploy:
+      mode: replicated
+      replicas: 1
+      placement:
+        constraints: [node.role == manager]
+
+volumes:
+  portainer_data:

vaultwarden/docker-compose-complex.yml

@@ -0,0 +1,171 @@
+#pulled from https://github.com/dadatuputi/bitwarden_gcloud
+version: '3'
+
+services:
+  bitwarden:
+    image: vaultwarden/server:alpine
+    restart: always
+    container_name: bitwarden
+    depends_on: 
+    - proxy
+    volumes:
+    - ${PWD}/bitwarden:/data
+    - ${PWD}/utilities/backup.sh:/backup.sh:ro
+    environment:
+    - LOG_FILE=/data/bitwarden.log
+    - WEBSOCKET_ENABLED=true            # required for websockets
+    - SHOW_PASSWORD_HINT=false
+    - DOMAIN=https://${DOMAIN}          # DOMAIN is set in .env but doesn't have protocol prefix
+    - SMTP_FROM_NAME=Bitwarden (${DOMAIN})
+    - IP_HEADER=X-Forwarded-For
+    - ADMIN_TOKEN                       # Value-less variables are set in .env
+    - SIGNUPS_ALLOWED
+    - SMTP_HOST
+    - SMTP_FROM
+    - SMTP_PORT
+    - SMTP_SSL
+    - SMTP_EXPLICIT_TLS
+    - SMTP_USERNAME
+    - SMTP_PASSWORD
+    - YUBICO_CLIENT_ID
+    - YUBICO_SECRET_KEY
+    - YUBICO_SERVER
+    - ORG_CREATE_USER
+    - BACKUP
+    - BACKUP_DAYS
+    - BACKUP_DIR
+    - BACKUP_EMAIL_FROM_NAME
+    - BACKUP_ENCRYPTION_KEY
+    - BACKUP_EMAIL_TO
+    - BACKUP_EMAIL_NOTIFY
+    - BACKUP_RCLONE_CONF
+    - BACKUP_RCLONE_DEST
+    command: >
+      sh -c 'if [ -n "$BACKUP" ]; 
+             then 
+               apk --update --no-cache add sqlite
+               ln -sf /proc/1/fd/1 /var/log/backup.log &&
+               sed -i "/ash \\/backup\\.sh /d" /etc/crontabs/root &&
+               echo "$BACKUP_SCHEDULE ash /backup.sh $BACKUP" >> /etc/crontabs/root && 
+               crond -d 8; 
+             fi &&
+             exec /start.sh'
+
+  proxy:
+    # Caddy provides an automatic HTTPS reverse proxy with Let's Encrypt cert provisioning
+    # https://caddyserver.com/
+    image: caddy/caddy:alpine
+    restart: always
+    container_name: proxy
+    volumes:
+    - ${PWD}/caddy/Caddyfile:/etc/caddy/Caddyfile:ro
+    - ${PWD}/caddy/data:/data
+    - caddycerts:/root/.caddy
+    ports:
+    - 80:80                             # Port 80 is necessary for Let's Encrypt ACME
+    - 443:443
+    environment:
+    - LOG_FILE=/data/logs/caddy.log
+    - ACME_AGREE=true                   # agree to ACME for auto HTTPS
+    - DOMAIN                            # Value-less variables are set in .env
+    - EMAIL
+
+
+  ddns:
+    # This provides a ddclient dynamic dns updating cron which is as simple as running it
+    # and editing the ddns/config/ddclient.conf file
+    # https://github.com/linuxserver/docker-ddclient
+    image: linuxserver/ddclient
+    restart: always
+    container_name: ddns
+    depends_on: 
+    - bitwarden
+    volumes:
+    - ${PWD}/ddns:/config
+    environment:
+    - PUID
+    - PGID
+    - TZ
+
+
+  fail2ban:
+    # Implements fail2ban functionality, banning ips that 
+    # try to bruteforce your vault
+    # https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup
+    # https://github.com/crazy-max/docker-fail2ban
+    image: crazymax/fail2ban:latest
+    restart: always
+    container_name: fail2ban
+    depends_on:
+    - bitwarden
+    volumes:
+    - ${PWD}/fail2ban:/data
+    - ${PWD}/bitwarden:/bitwarden:ro
+    network_mode: "host"
+    privileged: true
+    cap_add:
+    - NET_ADMIN
+    - NET_RAW
+    environment:
+    - F2B_DB_PURGE_AGE=30d
+    - F2B_LOG_TARGET=/data/fail2ban.log
+    - F2B_LOG_LEVEL=INFO
+    - F2B_IPTABLES_CHAIN=INPUT
+    - SSMTP_HOST=${SMTP_HOST}
+    - SSMTP_PORT=${SMTP_PORT}
+    - SSMTP_USER=${SMTP_USERNAME}
+    - SSMTP_PASSWORD=${SMTP_PASSWORD}
+    - SSMTP_HOSTNAME=Bitwarden (${DOMAIN})
+    - SSMTP_TLS=${SMTP_SSL}
+    - SSMTP_STARTTLS=YES
+    - TZ
+
+
+  countryblock:
+    # The block script will block any country (defaults to CN and AU)
+    # Requires cap_add as listed and privileged because it uses iptables and ipset
+    # https://hub.docker.com/_/alpine/
+    image: alpine:latest
+    restart: always
+    container_name: countryblock
+    depends_on: 
+    - bitwarden
+    volumes:
+    - ${PWD}/countryblock/block.sh:/block.sh:ro
+    network_mode: "host"
+    privileged: true
+    cap_add:
+    - NET_ADMIN
+    - NET_RAW
+    environment:
+    - COUNTRIES
+    - COUNTRYBLOCK_SCHEDULE
+    - TZ
+    command: >
+      sh -c 'apk --update --no-cache add ipset iptables ip6tables wget bash tzdata &&
+             ln -sf /proc/1/fd/1 /var/log/block.log &&
+             sed -i "/bash \\/block\\.sh update/d" /etc/crontabs/root &&
+             echo "$COUNTRYBLOCK_SCHEDULE bash /block.sh update" >> /etc/crontabs/root &&
+             crond -d 8 &&
+             bash /block.sh start'    
+
+
+  watchtower:
+    # Watchtower will pull down your new image, gracefully shut down your existing container 
+    # and restart it with the same options that were used when it was deployed initially
+    # https://github.com/containrrr/watchtower
+    image: containrrr/watchtower
+    restart: always
+    container_name: watchtower
+    depends_on: 
+    - bitwarden
+    volumes:
+    - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+    - WATCHTOWER_CLEANUP=true
+    - WATCHTOWER_SCHEDULE
+    - TZ
+
+
+volumes:
+  caddycerts:

vaultwarden/docker-compose.yml

@@ -0,0 +1,49 @@
+version: "3.8"
+
+services:
+
+  traefik:
+    image: "traefik:v2.5"
+    container_name: "traefik"
+    restart: always
+    command:
+      #- --log.level=DEBUG
+      - --api.insecure=true
+      - --providers.docker=true
+      - --providers.docker.exposedbydefault=false
+      - --entrypoints.web.address=:80
+    ports:
+      - "9021:80"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+
+  vaultwarden:
+    image: vaultwarden/server
+    container_name: "vaultwarden"
+    restart: always
+    volumes:
+      - /etc/vaultwarden/data:/data
+      - /var/log/vaultwarden:/var/log
+    environment:
+      LOG_FILE: '/var/log/vaultwarden.log'
+      SIGNUPS_ALLOWED: 'true'
+      DOMAIN: 'https://bitwarden.taudris.com'
+      ADMIN_TOKEN: 'tQDU8ur6yEk5HGgGbk6sobaCnJ9dUYRzWBevdcM2k6JmC6WNiFsjN4G7y4buTLAp'
+      SMTP_HOST: 'smtp.zoho.com'
+      SMTP_FROM: 'admin@taudris.com'
+      SMTP_FROM_NAME: 'Bitwarden'
+      SMTP_PORT: '587'
+      SMTP_SSL: 'true'
+      SMTP_USERNAME: 'admin@taudris.com'
+      SMTP_PASSWORD: 'dsSQ@K54!7ppjW'
+      SMTP_TIMEOUT: '15'
+      WEBSOCKET_ENABLED: 'true'
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik
+      - traefik.http.routers.bitwarden-ui.rule=Host(`bitwarden.taudris.com`, `apps.taudris.com`)
+      - traefik.http.routers.bitwarden-ui.service=bitwarden-ui
+      - traefik.http.services.bitwarden-ui.loadbalancer.server.port=80
+      - traefik.http.routers.bitwarden-websocket.rule=Host(`bitwarden.taudris.com`, `apps.taudris.com`) && Path(`/notifications/hub`)
+      - traefik.http.routers.bitwarden-websocket.service=bitwarden-websocket
+      - traefik.http.services.bitwarden-websocket.loadbalancer.server.port=3012

vlmcsd/docker-compose.yml

@@ -0,0 +1,6 @@
+version: "3.8"
+services:
+  vlmcsd:
+    image: mikolatero/vlmcsd
+    ports:
+      - "1688:1688"