From 7190566b9622ce63c77f8ea09c4918ad7e87dff0 Mon Sep 17 00:00:00 2001 From: taudris Date: Tue, 19 Oct 2021 23:08:25 -0700 Subject: [PATCH] Initial commit. --- portainer/docker-compose-https.yml | 52 ++++++++ portainer/docker-compose.yml | 30 +++++ vaultwarden/docker-compose-complex.yml | 171 +++++++++++++++++++++++++ vaultwarden/docker-compose.yml | 49 +++++++ vlmcsd/docker-compose.yml | 6 + 5 files changed, 308 insertions(+) create mode 100644 portainer/docker-compose-https.yml create mode 100644 portainer/docker-compose.yml create mode 100644 vaultwarden/docker-compose-complex.yml create mode 100644 vaultwarden/docker-compose.yml create mode 100644 vlmcsd/docker-compose.yml diff --git a/portainer/docker-compose-https.yml b/portainer/docker-compose-https.yml new file mode 100644 index 0000000..de1735c --- /dev/null +++ b/portainer/docker-compose-https.yml 
@@ -0,0 +1,52 @@
+version: "3.3"
+
+services:
+ traefik:
+ container_name: traefik
+ image: "traefik:v2.5"
+ command:
+ - --entrypoints.web.address=:80
+ - --entrypoints.websecure.address=:443
+ - --providers.docker
+ - --log.level=DEBUG
+ - --certificatesresolvers.leresolver.acme.httpchallenge=true
+ - --certificatesresolvers.leresolver.acme.email=patches11@gmail.com #Set your email address here, is for the generation of SSL certificates with Let's Encrypt.
+ - --certificatesresolvers.leresolver.acme.storage=./acme.json
+ - --certificatesresolvers.leresolver.acme.httpchallenge.entrypoint=web
+ ports:
+ - "80:80"
+ - "443:443"
+ volumes:
+ - "/var/run/docker.sock:/var/run/docker.sock:ro"
+ - "./acme.json:/acme.json"
+ labels:
+ - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
+ - "traefik.http.routers.http-catchall.entrypoints=web"
+ - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
+ - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+
+ portainer:
+ image: portainer/portainer-ce:2.0.0
+ command: -H unix:///var/run/docker.sock
+ restart: always
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - portainer_data:/data
+ labels:
+ # Frontend
+ - "traefik.enable=true"
+ - "traefik.http.routers.frontend.rule=Host(`portainer.taudris.com`)"
+ - "traefik.http.routers.frontend.entrypoints=websecure"
+ - "traefik.http.services.frontend.loadbalancer.server.port=9000"
+ - "traefik.http.routers.frontend.service=frontend"
+ - "traefik.http.routers.frontend.tls.certresolver=leresolver"
+
+ # Edge
+ - "traefik.http.routers.edge.rule=Host(`portainer-edge.taudris.com`)"
+ - "traefik.http.routers.edge.entrypoints=websecure"
+ - "traefik.http.services.edge.loadbalancer.server.port=8000"
+ - "traefik.http.routers.edge.service=edge"
+ - "traefik.http.routers.edge.tls.certresolver=leresolver"
+
+volumes:
+ portainer_data:
\ No newline at end of file
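Review bot: `./acme.json` is bind-mounted into Traefik and will hold the Let's Encrypt account key and the issued certificate private keys, but nothing in the file creates it or documents its mode; Traefik v2 refuses an acme.json with permissions looser than 0600, and the file sits next to the compose file, so add `# create with: touch acme.json && chmod 600 acme.json — contains private keys, keep out of git` above the storage flag. The proxy also runs with `--log.level=DEBUG`, which logs request and ACME details at high volume on an internet-facing entrypoint; drop it or use `--log.level=INFO` once the setup is verified. Portainer is pinned to `portainer-ce:2.0.0` while Traefik tracks `v2.5`; a comment explaining why that old release is pinned, or a bump to a current release, would help the next maintainer. The Portainer container mounts the Docker socket read-write, which is equivalent to root on the host, so the `portainer.taudris.com` router should remain the only path to it.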
diff --git a/portainer/docker-compose.yml b/portainer/docker-compose.yml
new file mode 100644
index 0000000..713b373
--- /dev/null
+++ b/portainer/docker-compose.yml
@@ -0,0 +1,30 @@
+version: '3.2'
+
+services:
+ agent:
+ image: portainer/agent
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - /var/lib/docker/volumes:/var/lib/docker/volumes
+ deploy:
+ mode: global
+ placement:
+ constraints: [node.platform.os == linux]
+
+ portainer:
+ image: portainer/portainer-ce
+ command: -H tcp://tasks.agent:9001 --tlsskipverify
+ ports:
+ - "9443:9443"
+ - "9000:9000"
+ - "8000:8000"
+ volumes:
+ - portainer_data:/data
+ deploy:
+ mode: replicated
+ replicas: 1
+ placement:
+ constraints: [node.role == manager]
+
+volumes:
+ portainer_data:
diff --git a/vaultwarden/docker-compose-complex.yml b/vaultwarden/docker-compose-complex.yml
new file mode 100644
index 0000000..3b28a0f
--- /dev/null
+++ b/vaultwarden/docker-compose-complex.yml
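Review bot: `--tlsskipverify` on the `portainer` command disables certificate verification of the agent at `tasks.agent:9001`, so any workload that can resolve that name on the overlay network could stand in for the agent, and the real agent has the Docker socket and `/var/lib/docker/volumes` of every node mounted; a comment should record that this is the self-signed-certificate default and that the network carrying `tasks.agent` must not be shared with untrusted containers. Both `"9443:9443"` and `"9000:9000"` are published, so the UI is reachable over plain HTTP as well as HTTPS; once 9443 works, remove `- "9000:9000"` (and `- "8000:8000"` if no Edge agents are used). `portainer/agent` and `portainer/portainer-ce` are unpinned, unlike the `2.0.0` pin in docker-compose-https.yml in this same commit; pin both to one release so agent and server stay compatible across pulls.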
@@ -0,0 +1,171 @@
+#pulled from https://github.com/dadatuputi/bitwarden_gcloud
+version: '3'
+
+services:
+ bitwarden:
+ image: vaultwarden/server:alpine
+ restart: always
+ container_name: bitwarden
+ depends_on:
+ - proxy
+ volumes:
+ - ${PWD}/bitwarden:/data
+ - ${PWD}/utilities/backup.sh:/backup.sh:ro
+ environment:
+ - LOG_FILE=/data/bitwarden.log
+ - WEBSOCKET_ENABLED=true # required for websockets
+ - SHOW_PASSWORD_HINT=false
+ - DOMAIN=https://${DOMAIN} # DOMAIN is set in .env but doesn't have protocol prefix
+ - SMTP_FROM_NAME=Bitwarden (${DOMAIN})
+ - IP_HEADER=X-Forwarded-For
+ - ADMIN_TOKEN # Value-less variables are set in .env
+ - SIGNUPS_ALLOWED
+ - SMTP_HOST
+ - SMTP_FROM
+ - SMTP_PORT
+ - SMTP_SSL
+ - SMTP_EXPLICIT_TLS
+ - SMTP_USERNAME
+ - SMTP_PASSWORD
+ - YUBICO_CLIENT_ID
+ - YUBICO_SECRET_KEY
+ - YUBICO_SERVER
+ - ORG_CREATE_USER
+ - BACKUP
+ - BACKUP_DAYS
+ - BACKUP_DIR
+ - BACKUP_EMAIL_FROM_NAME
+ - BACKUP_ENCRYPTION_KEY
+ - BACKUP_EMAIL_TO
+ - BACKUP_EMAIL_NOTIFY
+ - BACKUP_RCLONE_CONF
+ - BACKUP_RCLONE_DEST
+ command: >
+ sh -c 'if [ -n "$BACKUP" ];
+ then
+ apk --update --no-cache add sqlite
+ ln -sf /proc/1/fd/1 /var/log/backup.log &&
+ sed -i "/ash \\/backup\\.sh /d" /etc/crontabs/root &&
+ echo "$BACKUP_SCHEDULE ash /backup.sh $BACKUP" >> /etc/crontabs/root &&
+ crond -d 8;
+ fi &&
+ exec /start.sh'
+
+ proxy:
+ # Caddy provides an automatic HTTPS reverse proxy with Let's Encrypt cert provisioning
+ # https://caddyserver.com/
+ image: caddy/caddy:alpine
+ restart: always
+ container_name: proxy
+ volumes:
+ - ${PWD}/caddy/Caddyfile:/etc/caddy/Caddyfile:ro
+ - ${PWD}/caddy/data:/data
+ - caddycerts:/root/.caddy
+ ports:
+ - 80:80 # Port 80 is necessary for Let's Encrypt ACME
+ - 443:443
+ environment:
+ - LOG_FILE=/data/logs/caddy.log
+ - ACME_AGREE=true # agree to ACME for auto HTTPS
+ - DOMAIN # Value-less variables are set in .env
+ - EMAIL
+
+
+ ddns:
+ # This provides a ddclient dynamic dns updating cron which is as simple as 
running it
+ # and editing the ddns/config/ddclient.conf file
+ # https://github.com/linuxserver/docker-ddclient
+ image: linuxserver/ddclient
+ restart: always
+ container_name: ddns
+ depends_on:
+ - bitwarden
+ volumes:
+ - ${PWD}/ddns:/config
+ environment:
+ - PUID
+ - PGID
+ - TZ
+
+
+ fail2ban:
+ # Implements fail2ban functionality, banning ips that
+ # try to bruteforce your vault
+ # https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup
+ # https://github.com/crazy-max/docker-fail2ban
+ image: crazymax/fail2ban:latest
+ restart: always
+ container_name: fail2ban
+ depends_on:
+ - bitwarden
+ volumes:
+ - ${PWD}/fail2ban:/data
+ - ${PWD}/bitwarden:/bitwarden:ro
+ network_mode: "host"
+ privileged: true
+ cap_add:
+ - NET_ADMIN
+ - NET_RAW
+ environment:
+ - F2B_DB_PURGE_AGE=30d
+ - F2B_LOG_TARGET=/data/fail2ban.log
+ - F2B_LOG_LEVEL=INFO
+ - F2B_IPTABLES_CHAIN=INPUT
+ - SSMTP_HOST=${SMTP_HOST}
+ - SSMTP_PORT=${SMTP_PORT}
+ - SSMTP_USER=${SMTP_USERNAME}
+ - SSMTP_PASSWORD=${SMTP_PASSWORD}
+ - SSMTP_HOSTNAME=Bitwarden (${DOMAIN})
+ - SSMTP_TLS=${SMTP_SSL}
+ - SSMTP_STARTTLS=YES
+ - TZ
+
+
+ countryblock:
+ # The block script will block any country (defaults to CN and AU)
+ # Requires cap_add as listed and privileged because it uses iptables and ipset
+ # https://hub.docker.com/_/alpine/
+ image: alpine:latest
+ restart: always
+ container_name: countryblock
+ depends_on:
+ - bitwarden
+ volumes:
+ - ${PWD}/countryblock/block.sh:/block.sh:ro
+ network_mode: "host"
+ privileged: true
+ cap_add:
+ - NET_ADMIN
+ - NET_RAW
+ environment:
+ - COUNTRIES
+ - COUNTRYBLOCK_SCHEDULE
+ - TZ
+ command: >
+ sh -c 'apk --update --no-cache add ipset iptables ip6tables wget bash tzdata &&
+ ln -sf /proc/1/fd/1 /var/log/block.log &&
+ sed -i "/bash \\/block\\.sh update/d" /etc/crontabs/root &&
+ echo "$COUNTRYBLOCK_SCHEDULE bash /block.sh update" >> /etc/crontabs/root &&
+ crond -d 8 &&
+ bash /block.sh start'
+
+
+ watchtower:
+ # Watchtower will pull down your new 
image, gracefully shut down your existing container
+ # and restart it with the same options that were used when it was deployed initially
+ # https://github.com/containrrr/watchtower
+ image: containrrr/watchtower
+ restart: always
+ container_name: watchtower
+ depends_on:
+ - bitwarden
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ environment:
+ - WATCHTOWER_CLEANUP=true
+ - WATCHTOWER_SCHEDULE
+ - TZ
+
+
+volumes:
+ caddycerts:
\ No newline at end of file
diff --git a/vaultwarden/docker-compose.yml b/vaultwarden/docker-compose.yml
new file mode 100644
index 0000000..d07ae8e
--- /dev/null
+++ b/vaultwarden/docker-compose.yml
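Review bot: `fail2ban` mounts the whole vault data directory `${PWD}/bitwarden:/bitwarden:ro` although it only needs the log file (`LOG_FILE=/data/bitwarden.log` on the `bitwarden` service); even read-only, that hands the SQLite database and everything else Vaultwarden keeps under `/data` to a container that also runs `privileged: true` with `network_mode: "host"`, so narrow it to `- ${PWD}/bitwarden/bitwarden.log:/bitwarden/bitwarden.log:ro`. With `privileged: true` the `cap_add: NET_ADMIN, NET_RAW` lists on `fail2ban` and `countryblock` are redundant; if the iptables/ipset calls work with those two capabilities alone, drop `privileged: true` instead. `countryblock` runs `alpine:latest` and installs `ipset iptables ip6tables wget bash tzdata` from the network on every start, and `watchtower` (which holds the Docker socket) will auto-replace the unpinned `vaultwarden/server:alpine` and `caddy/caddy:alpine` images on its schedule; a comment stating that image updates are automatic and unreviewed, or digest pins, belongs next to those `image:` lines.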
@@ -0,0 +1,49 @@
+version: "3.8"
+
+services:
+
+ traefik:
+ image: "traefik:v2.5"
+ container_name: "traefik"
+ restart: always
+ command:
+ #- --log.level=DEBUG
+ - --api.insecure=true
+ - --providers.docker=true
+ - --providers.docker.exposedbydefault=false
+ - --entrypoints.web.address=:80
+ ports:
+ - "9021:80"
+ volumes:
+ - "/var/run/docker.sock:/var/run/docker.sock:ro"
+
+ vaultwarden:
+ image: vaultwarden/server
+ container_name: "vaultwarden"
+ restart: always
+ volumes:
+ - /etc/vaultwarden/data:/data
+ - /var/log/vaultwarden:/var/log
+ environment:
+ LOG_FILE: '/var/log/vaultwarden.log'
+ SIGNUPS_ALLOWED: 'true'
+ DOMAIN: 'https://bitwarden.taudris.com'
+ ADMIN_TOKEN: 'tQDU8ur6yEk5HGgGbk6sobaCnJ9dUYRzWBevdcM2k6JmC6WNiFsjN4G7y4buTLAp'
+ SMTP_HOST: 'smtp.zoho.com'
+ SMTP_FROM: 'admin@taudris.com'
+ SMTP_FROM_NAME: 'Bitwarden'
+ SMTP_PORT: '587'
+ SMTP_SSL: 'true'
+ SMTP_USERNAME: 'admin@taudris.com'
+ SMTP_PASSWORD: 'dsSQ@K54!7ppjW'
+ SMTP_TIMEOUT: '15'
+ WEBSOCKET_ENABLED: 'true'
+ labels:
+ - traefik.enable=true
+ - traefik.docker.network=traefik
+ - traefik.http.routers.bitwarden-ui.rule=Host(`bitwarden.taudris.com`, `apps.taudris.com`)
+ - traefik.http.routers.bitwarden-ui.service=bitwarden-ui
+ - traefik.http.services.bitwarden-ui.loadbalancer.server.port=80
+ - traefik.http.routers.bitwarden-websocket.rule=Host(`bitwarden.taudris.com`, `apps.taudris.com`) && Path(`/notifications/hub`)
+ - traefik.http.routers.bitwarden-websocket.service=bitwarden-websocket
+ - traefik.http.services.bitwarden-websocket.loadbalancer.server.port=3012
diff --git a/vlmcsd/docker-compose.yml b/vlmcsd/docker-compose.yml
new file mode 100644
index 0000000..aa7e18e
--- /dev/null
+++ b/vlmcsd/docker-compose.yml
@@ -0,0 +1,6 @@
+version: "3.8"
+services:
+ vlmcsd:
+ image: mikolatero/vlmcsd
+ ports:
+ - "1688:1688"
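Review bot: `ADMIN_TOKEN` and `SMTP_PASSWORD` are committed in plaintext in the `vaultwarden` environment block; both should be treated as compromised and rotated, and the file should read them from an untracked `.env` (`ADMIN_TOKEN: ${ADMIN_TOKEN}`, `SMTP_PASSWORD: ${SMTP_PASSWORD}`) the way vaultwarden/docker-compose-complex.yml in this same commit already does. `SIGNUPS_ALLOWED: 'true'` lets anyone who can reach `bitwarden.taudris.com` register an account; set it to `'false'` once the intended users exist. Traefik is started with `--api.insecure=true`, which serves the unauthenticated dashboard and API; only `"9021:80"` is published so it is not exposed by this file alone, but it should still be removed or replaced by an authenticated dashboard router. `DOMAIN` is `https://` while the only entrypoint defined is `:80`, and `traefik.docker.network=traefik` names a network this file does not declare, so presumably TLS termination and that network come from something outside this file; a comment saying so would save the next reader the guess.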
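Review bot: `"1688:1688"` in vlmcsd/docker-compose.yml binds the KMS emulator on every host interface, with an unpinned `mikolatero/vlmcsd` image and no `restart:` policy; nothing in the service authenticates clients, so restrict the binding with a host address prefix such as `"<lan-ip>:1688:1688"` or a firewall rule, and pin the image tag.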