From 5b02fbfc41bac9e3710bef7c140a4d170259c497 Mon Sep 17 00:00:00 2001 From: staffadmin Date: Wed, 8 May 2024 12:49:46 +0200 Subject: [PATCH] test with ssh new ubuntu --- group_vars/all.yml | 45 +- group_vars/controller.yml | 252 ++-- group_vars/kubernetes.yml | 176 +-- hardening.yml | 26 +- host_vars/ovh01.yml | 220 ++-- host_vars/scaleway.yml | 2330 ++++++++++++++++++------------------- hosts | 53 +- 7 files changed, 1549 insertions(+), 1553 deletions(-) diff --git a/group_vars/all.yml b/group_vars/all.yml index 9cfc334..1620132 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -1,4 +1,41 @@ -github_registry_containerlab: ghcr.io -github_user: staff92 -github_token: ghp_XXXXXXXXX -github_registry_clabernetes: "oci://{{ github_registry_containerlab }}/srl-labs/clabernetes/clabernetes" \ No newline at end of file +#* USERS + +management_user_list: + - name: stephane + shell: '/bin/bash' + authorized_keys: + - key: "ssh-rsa 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 stephane" + exclusive: yes + sudo: + hosts: ALL + as: ALL + commands: ALL + nopasswd: ALL + +#* FIREWALL + +firewall_allowed_tcp_ports: + - "22" + - "80" + - "443" + - "9100" + # - "9090" + # - "3000" + # - "9323" + +#* NETBIRD + +netbird_setup_key: F234BD1F-385B-4BEA-8234-608CCB1062ED +netbird_register: true + +#* TLS + +node_exporter_tls_server_config: + cert_file: /etc/node_exporter/tls.cert + key_file: /etc/node_exporter/tls.key + +#* NODE_EXPORTER + +# node_exporter_basic_auth_users: +# randomuser: examplepassword +node_exporter_web_listen_address: "{{ host_private_address }}:9100" diff --git a/group_vars/controller.yml b/group_vars/controller.yml index 36da195..c0e79fa 100644 --- a/group_vars/controller.yml +++ b/group_vars/controller.yml 
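Review bot: `netbird_setup_key: F234BD1F-385B-4BEA-8234-608CCB1062ED` is a plaintext enrollment secret added to group_vars/all.yml, where it applies to every host in the inventory; the removed `github_token` line shows this file was already carrying live credentials. The repository already uses vault-encrypted values (the `test_vault: !vault |` block in group_vars/controller.yml), so store it as `netbird_setup_key: !vault |` followed by the encrypted payload, and treat the value now in history as exposed. In the same hunk `exclusive: yes` is a YAML 1.1 truthy spelling; `exclusive: true` is the canonical form and what yamllint's `truthy` rule expects.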
@@ -1,139 +1,139 @@ ---- +# --- -install_docker: true -install_fail2ban: true +# install_docker: true +# install_fail2ban: true -package_list: - - name: python3-pip - - name: proxychains - - - ######## - # USER # - ######## - -management_user_list: - - name: stephane - shell: '/bin/bash' - authorized_keys: - - key: "ssh-rsa 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 stephane" - exclusive: yes - sudo: - hosts: ALL - as: ALL - commands: ALL - nopasswd: ALL - - ################ - # SSH - CLIENT # - ################ - -# ssh_drop_in_name: null -# #ssh_user: root - -# ssh: -# # noqa var-naming -# Compression: true -# GSSAPIAuthentication: false -# # wokeignore:rule=master -# ControlMaster: auto -# ControlPath: ~/.ssh/.cm%C -# Match: -# - Condition: "final all" -# GSSAPIAuthentication: true -# Host: - -# - Condition: example -# Hostname: example.com -# User: somebody -# ssh_ForwardX11: false - - ################# - # SSH - SERVEUR # - ################# - -sshd_skip_defaults: true -sshd_config_file: /etc/ssh/sshd_config - -sshd_AuthorizedKeysFile: .ssh/authorized_keys -sshd_AcceptEnv: "LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION LC_ALL" -sshd_Protocol: 2 -sshd_LoginGraceTime: 30 -sshd_SyslogFacility: AUTH -sshd_LogLevel: VERBOSE -sshd_PermitRootLogin: 'no' -sshd_StrictModes: 'yes' -sshd_IgnoreRhosts: 'yes' -sshd_HostbasedAuthentication: 'no' -sshd_PasswordAuthentication: 'no' -sshd_PermitEmptyPasswords: 'no' -sshd_ChallengeResponseAuthentication: 'no' -sshd_GSSAPIAuthentication: 'no' -sshd_X11DisplayOffset: 10 -sshd_PrintMotd: 'yes' -sshd_PrintLastLog: 'yes' -sshd_TCPKeepAlive: 'yes' -sshd_Subsystem: "sftp /usr/lib/openssh/sftp-server" -sshd_UsePAM: 'yes' -sshd_UseDNS: 'no' -sshd_KexAlgorithms: "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256" -sshd_Ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr" -sshd_MACs: 
"hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com" -sshd_HostKey: - - /etc/ssh/ssh_host_rsa_key - - - ####### - # APT # - ####### - -apt_upgrade: true -apt_repositories: [] -apt_ppas: [] - # # nginx ppa repo - # - repo: ppa:nginx/stable - # # not needed on ubuntu distribution - # #codename: trusty -# apt_packages: +# package_list: # - name: python3-pip +# - name: proxychains - ######### - # ALERT # - ######### +# ######## +# # USER # +# ######## -alert_username: jingohalert -alert_password: jMVmbM2VQ5gEiV -alert_vault: "Jingoh0947;" -alert_list_server: - - '"163.172.84.28"' - - '"37.187.127.90"' -alert_server_ssl: gitea.jingoh.fr +# management_user_list: +# - name: stephane +# shell: '/bin/bash' +# authorized_keys: +# - key: "ssh-rsa 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 stephane" +# exclusive: yes +# sudo: +# hosts: ALL +# as: ALL +# commands: ALL +# nopasswd: ALL - ########## - # CHISEL # - ########## +# ################ +# # SSH - CLIENT # +# ################ -chisel_version: 1.8.1 -chisel_server_host: 163.172.84.28 -chisel_server_port: 8080 -chisel_client_auth_username: user -chisel_client_auth_password: pass +# # ssh_drop_in_name: null +# # #ssh_user: root -chisel_remove_all: - - "{{ chisel_service_destination }}" - - "{{ chisel_config_folder }}" - - "{{ chisel_download_destination }}" - - "{{ chisel_install_destination }}" - - /var/log/chisel +# # ssh: +# # # noqa var-naming +# # Compression: true +# # GSSAPIAuthentication: false +# # # wokeignore:rule=master +# # ControlMaster: auto +# # ControlPath: ~/.ssh/.cm%C +# # Match: +# # - Condition: "final all" +# # GSSAPIAuthentication: true +# # Host: + +# # - Condition: example +# # Hostname: example.com +# # User: somebody +# # ssh_ForwardX11: false + +# ################# +# # SSH - SERVEUR # +# ################# + +# sshd_skip_defaults: true +# sshd_config_file: /etc/ssh/sshd_config + +# sshd_AuthorizedKeysFile: .ssh/authorized_keys +# sshd_AcceptEnv: "LANG 
LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION LC_ALL" +# sshd_Protocol: 2 +# sshd_LoginGraceTime: 30 +# sshd_SyslogFacility: AUTH +# sshd_LogLevel: VERBOSE +# sshd_PermitRootLogin: 'no' +# sshd_StrictModes: 'yes' +# sshd_IgnoreRhosts: 'yes' +# sshd_HostbasedAuthentication: 'no' +# sshd_PasswordAuthentication: 'no' +# sshd_PermitEmptyPasswords: 'no' +# sshd_ChallengeResponseAuthentication: 'no' +# sshd_GSSAPIAuthentication: 'no' +# sshd_X11DisplayOffset: 10 +# sshd_PrintMotd: 'yes' +# sshd_PrintLastLog: 'yes' +# sshd_TCPKeepAlive: 'yes' +# sshd_Subsystem: "sftp /usr/lib/openssh/sftp-server" +# sshd_UsePAM: 'yes' +# sshd_UseDNS: 'no' +# sshd_KexAlgorithms: "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256" +# sshd_Ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr" +# sshd_MACs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com" +# sshd_HostKey: +# - /etc/ssh/ssh_host_rsa_key + + +# ####### +# # APT # +# ####### + +# apt_upgrade: true +# apt_repositories: [] +# apt_ppas: [] +# # # nginx ppa repo +# # - repo: ppa:nginx/stable +# # # not needed on ubuntu distribution +# # #codename: trusty +# # apt_packages: +# # - name: python3-pip + + +# ######### +# # ALERT # +# ######### + +# alert_username: jingohalert +# alert_password: jMVmbM2VQ5gEiV +# alert_vault: "Jingoh0947;" +# alert_list_server: +# - '"163.172.84.28"' +# - '"37.187.127.90"' +# alert_server_ssl: gitea.jingoh.fr + +# ########## +# # CHISEL # +# ########## + +# chisel_version: 1.8.1 +# chisel_server_host: 163.172.84.28 +# chisel_server_port: 8080 +# chisel_client_auth_username: user +# chisel_client_auth_password: pass + +# chisel_remove_all: +# - "{{ chisel_service_destination }}" +# - "{{ chisel_config_folder }}" +# - "{{ chisel_download_destination }}" +# - "{{ chisel_install_destination }}" +# - /var/log/chisel -test_vault: !vault | - 
$ANSIBLE_VAULT;1.2;AES256;prod - 36663965646236326237623936646161653232306263353564666238626564633530363761633164 - 6166363235383964626463353061343635626431396664660a333231303661343362353162353938 - 32373332373362656635393365363635313137306532366536323765346464336634653366383961 - 3965626433316138320a366336393034383065363134623239646230396432356431383935346463 - 6330 +# test_vault: !vault | +# $ANSIBLE_VAULT;1.2;AES256;prod +# 36663965646236326237623936646161653232306263353564666238626564633530363761633164 +# 6166363235383964626463353061343635626431396664660a333231303661343362353162353938 +# 32373332373362656635393365363635313137306532366536323765346464336634653366383961 +# 3965626433316138320a366336393034383065363134623239646230396432356431383935346463 +# 6330 diff --git a/group_vars/kubernetes.yml b/group_vars/kubernetes.yml index 50822dd..65787d8 100644 --- a/group_vars/kubernetes.yml +++ b/group_vars/kubernetes.yml 
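Review bot: Commenting the whole file out instead of deleting it keeps `alert_password: jMVmbM2VQ5gEiV`, `alert_vault: "Jingoh0947;"` and `chisel_client_auth_password: pass` readable in the checked-in file, and the same pattern is used in group_vars/kubernetes.yml, host_vars/ovh01.yml (`password: 'FSzmSLr#6i9M#d'` under `basic_auth`) and host_vars/scaleway.yml. If these variables are dead, remove the lines (the values are already in history and should be rotated); if they are still needed, keep them as `!vault` values like the `test_vault` block at the end of this hunk. The hunk also turns off every `sshd_*` hardening setting for the controller group (`sshd_PermitRootLogin: 'no'`, `sshd_PasswordAuthentication: 'no'`, the `sshd_KexAlgorithms`/`sshd_Ciphers`/`sshd_MACs` allow-lists); presumably the `devsec.hardening.ssh_hardening` role enabled in hardening.yml takes over, but that hand-over is not stated in the commit message and deserves a line there.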
@@ -1,99 +1,99 @@ ---- -package_list: - - name: python3-pip +# --- +# package_list: +# - name: python3-pip -sshd_skip_defaults: true -sshd_config_file: /etc/ssh/sshd_config -sshd_AuthorizedKeysFile: .ssh/authorized_keys -sshd_AcceptEnv: "LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION LC_ALL" -sshd_Protocol: 2 -sshd_LoginGraceTime: 30 -sshd_SyslogFacility: AUTH -sshd_LogLevel: VERBOSE -sshd_PermitRootLogin: 'no' -sshd_StrictModes: 'yes' -sshd_IgnoreRhosts: 'yes' -sshd_HostbasedAuthentication: 'no' -sshd_PasswordAuthentication: 'no' -sshd_PermitEmptyPasswords: 'no' -sshd_ChallengeResponseAuthentication: 'no' -sshd_GSSAPIAuthentication: 'no' -sshd_X11DisplayOffset: 10 -sshd_PrintMotd: 'yes' -sshd_PrintLastLog: 'yes' -sshd_TCPKeepAlive: 'yes' -sshd_Subsystem: "sftp /usr/lib/openssh/sftp-server" -sshd_UsePAM: 'yes' -sshd_UseDNS: 'no' -sshd_KexAlgorithms: "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256" -sshd_Ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr" -sshd_MACs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com" -sshd_HostKey: - - /etc/ssh/ssh_host_rsa_key +# sshd_skip_defaults: true +# sshd_config_file: /etc/ssh/sshd_config +# sshd_AuthorizedKeysFile: .ssh/authorized_keys +# sshd_AcceptEnv: "LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION LC_ALL" +# sshd_Protocol: 2 +# sshd_LoginGraceTime: 30 +# sshd_SyslogFacility: AUTH +# sshd_LogLevel: VERBOSE +# sshd_PermitRootLogin: 'no' +# sshd_StrictModes: 'yes' +# sshd_IgnoreRhosts: 'yes' +# sshd_HostbasedAuthentication: 'no' +# sshd_PasswordAuthentication: 'no' +# sshd_PermitEmptyPasswords: 'no' +# sshd_ChallengeResponseAuthentication: 'no' +# sshd_GSSAPIAuthentication: 'no' +# sshd_X11DisplayOffset: 10 +# sshd_PrintMotd: 'yes' +# sshd_PrintLastLog: 'yes' 
+# sshd_TCPKeepAlive: 'yes' +# sshd_Subsystem: "sftp /usr/lib/openssh/sftp-server" +# sshd_UsePAM: 'yes' +# sshd_UseDNS: 'no' +# sshd_KexAlgorithms: "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256" +# sshd_Ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr" +# sshd_MACs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com" +# sshd_HostKey: +# - /etc/ssh/ssh_host_rsa_key - ####### - # APT # - ####### +# ####### +# # APT # +# ####### -apt_repositories_sources: - - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal main restricted - - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-updates main restricted - - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal universe - - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-updates universe - - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal multiverse - - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-updates multiverse - - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-backports main restricted universe multiverse - - deb http://security.ubuntu.com/ubuntu focal-security main restricted - - deb http://security.ubuntu.com/ubuntu focal-security universe - - deb http://security.ubuntu.com/ubuntu focal-security multiverse +# apt_repositories_sources: +# - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal main restricted +# - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-updates main restricted +# - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal universe +# - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-updates universe +# - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal multiverse +# - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-updates multiverse +# - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-backports main restricted universe multiverse +# - deb http://security.ubuntu.com/ubuntu focal-security main restricted +# - deb 
http://security.ubuntu.com/ubuntu focal-security universe +# - deb http://security.ubuntu.com/ubuntu focal-security multiverse - ######## - # KUBE # - ######## +# ######## +# # KUBE # +# ######## -disable_firewall: true -# Need public_network for argocd -# I use any because both worker and master are not on the same network ( -# They have only one public IP -kubernetes_subnet: 0.0.0.0/0 +# disable_firewall: true +# # Need public_network for argocd +# # I use any because both worker and master are not on the same network ( +# # They have only one public IP +# kubernetes_subnet: 0.0.0.0/0 -# vip control plan 192.168.25.255 -setup_vip: false -install_nginx_ingress: false -install_longhorn: false +# # vip control plan 192.168.25.255 +# setup_vip: false +# install_nginx_ingress: false +# install_longhorn: false -# This variable is used when the cluster is bootstrapped for the first time -kubernetes_init_host: ovh-master +# # This variable is used when the cluster is bootstrapped for the first time +# kubernetes_init_host: ovh-master -kubernetes_init_app: true +# kubernetes_init_app: true -kubernetes_app: - - url: https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml - namespace: argocd +# kubernetes_app: +# - url: https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml +# namespace: argocd -kubernetes_alias_bashrc: - - path: "/root/.bashrc" - regexp: "^source /usr/share/bash-completion/bash_completion" - state: present - line: "source /usr/share/bash-completion/bash_completion" - - path: "/root/.bashrc" - regexp: "^source /etc/bash_completion" - state: present - line: "source /etc/bash_completion" - - path: "/root/.bashrc" - regexp: "^source <(kubectl completion bash)" - state: present - line: "source <(kubectl completion bash)" - - path: "/root/.bashrc" - regexp: "^alias k=kubectl" - state: present - line: "alias k=kubectl" - - path: "/root/.bashrc" - regexp: "^complete -F __start_kubectl k" - state: present - line: 
"complete -F __start_kubectl k" - - path: "/root/.bashrc" - regexp: '^alias kname="kubectl config set-context --current --namespace="' - state: present - line: '^alias kname="kubectl config set-context --current --namespace="' \ No newline at end of file +# kubernetes_alias_bashrc: +# - path: "/root/.bashrc" +# regexp: "^source /usr/share/bash-completion/bash_completion" +# state: present +# line: "source /usr/share/bash-completion/bash_completion" +# - path: "/root/.bashrc" +# regexp: "^source /etc/bash_completion" +# state: present +# line: "source /etc/bash_completion" +# - path: "/root/.bashrc" +# regexp: "^source <(kubectl completion bash)" +# state: present +# line: "source <(kubectl completion bash)" +# - path: "/root/.bashrc" +# regexp: "^alias k=kubectl" +# state: present +# line: "alias k=kubectl" +# - path: "/root/.bashrc" +# regexp: "^complete -F __start_kubectl k" +# state: present +# line: "complete -F __start_kubectl k" +# - path: "/root/.bashrc" +# regexp: '^alias kname="kubectl config set-context --current --namespace="' +# state: present +# line: '^alias kname="kubectl config set-context --current --namespace="' \ No newline at end of file diff --git a/hardening.yml b/hardening.yml index 43ed2c2..839e8e3 100644 --- a/hardening.yml +++ b/hardening.yml 
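Review bot: The last `kubernetes_alias_bashrc` entry carries the regex anchor into the written line — `line: '^alias kname="kubectl config set-context --current --namespace="'` — so if this block is ever uncommented it appends a literal `^alias …` to /root/.bashrc instead of a working alias; the `line:` value should be `'alias kname="kubectl config set-context --current --namespace="'`. The `disable_firewall: true` / `kubernetes_subnet: 0.0.0.0/0` pair is likewise preserved verbatim, and the comment above it already records that it exposes the cluster network to any source, so a narrower CIDR is worth deciding on before it is restored. Since the file is now entirely comments, either delete it or fix these two entries now rather than when the block comes back.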
@@ -81,19 +81,19 @@ #||-----> GPG error: https://pkgs.netbird.io/debian stable InRelease: The following signatures couldn't be verified because the public key is not available roles: - # - robertdebock.update - # - devsec.hardening.os_hardening - # - devsec.hardening.ssh_hardening + # - robertdebock.update + - devsec.hardening.os_hardening + - devsec.hardening.ssh_hardening # - maxlareo.rkhunter # - maxlareo.chkrootkit - # - robertdebock.auditd - - { role: geerlingguy.firewall, tags: firewall } - # - grog.management-user - # - GROG.user - # - GROG.authorized-key - # - GROG.sudo - # - ansible_unattended_upgrades - # - buluma.lynis + - robertdebock.auditd + - geerlingguy.firewall + - grog.management-user + - GROG.user + - GROG.authorized-key + - GROG.sudo + - ansible_unattended_upgrades + - buluma.lynis # roles: # - role: netways.elasticstack.elasticsearch @@ -102,7 +102,7 @@ - name: Update repositories and install py3-pip package community.general.apk: - name: py3-pip + name: python3-pip update_cache: true delegate_to: localhost @@ -121,7 +121,7 @@ firstmatch: true line: '#!Enable-HMAC-ETM' - - name: Reload service httpd, in all cases + - name: Reload service sshd, in all cases ansible.builtin.service: name: sshd.service state: reloaded diff --git a/host_vars/ovh01.yml b/host_vars/ovh01.yml index 1b65aa4..616c551 100644 --- a/host_vars/ovh01.yml +++ b/host_vars/ovh01.yml 
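Review bot: In the roles hunk, `devsec.hardening.ssh_hardening` and `geerlingguy.firewall` now run before `grog.management-user`, `GROG.authorized-key` and `GROG.sudo`, so a play that stops between them (the apt GPG error recorded in the comment just above the list looks like one such path) leaves a host with hardened sshd and firewall rules but without the management key and sudo rule, i.e. potentially locked out. Moving the `grog`/`GROG` user, key and sudo roles above the hardening roles, or making ssh_hardening conditional on the key having been deployed, avoids that; the play header is outside the hunk. Dropping `tags: firewall` from the `geerlingguy.firewall` entry also removes the ability to run that role on its own. In the second hunk, `community.general.apk` with `name: python3-pip` looks inconsistent: Alpine's package is `py3-pip` (the removed value), and if localhost is now Ubuntu as the subject suggests, the task should use `ansible.builtin.apt` instead.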
@@ -1,130 +1,130 @@ ---- +# --- -#* DOCKER -docker_install_compose: true -pip_executable: pip3 +# #* DOCKER +# docker_install_compose: true +# pip_executable: pip3 -#*PIP -pip_install_packages: - - docker-compose +# #*PIP +# pip_install_packages: +# - docker-compose -#* SSH -#ssh_listen_to: "{{ host_private_address }}" +# #* SSH +# #ssh_listen_to: "{{ host_private_address }}" -#* USERS +# #* USERS -management_user_list: - - name: admin - shell: '/bin/bash' - authorized_keys: - - key: "ssh-rsa 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 stephane" - exclusive: yes - sudo: - hosts: ALL - as: ALL - commands: ALL - nopasswd: ALL +# management_user_list: +# - name: admin +# shell: '/bin/bash' +# authorized_keys: +# - key: "ssh-rsa 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 stephane" +# exclusive: yes +# sudo: +# hosts: ALL +# as: ALL +# commands: ALL +# nopasswd: ALL -#* FIREWALL +# #* FIREWALL -firewall_allowed_tcp_ports: - - "22" - - "80" - - "443" - - "9100" - - "9090" - - "3000" - - "9323" +# firewall_allowed_tcp_ports: +# - "22" +# - "80" +# - "443" +# - "9100" +# - "9090" +# - "3000" +# - "9323" -#* NETBIRD +# #* NETBIRD -netbird_setup_key: F234BD1F-385B-4BEA-8234-608CCB1062ED -netbird_register: true +# netbird_setup_key: F234BD1F-385B-4BEA-8234-608CCB1062ED +# netbird_register: true -#* TLS +# #* TLS -node_exporter_tls_server_config: - cert_file: /etc/node_exporter/tls.cert - key_file: /etc/node_exporter/tls.key +# node_exporter_tls_server_config: +# cert_file: /etc/node_exporter/tls.cert +# key_file: /etc/node_exporter/tls.key -#* NODE_EXPORTER +# #* NODE_EXPORTER -# node_exporter_basic_auth_users: -# randomuser: examplepassword -node_exporter_web_listen_address: "{{ host_private_address }}:9100" +# # node_exporter_basic_auth_users: +# # randomuser: examplepassword +# node_exporter_web_listen_address: "{{ host_private_address }}:9100" -#* PROMETHEUS +# #* PROMETHEUS -prometheus_web_listen_address: "{{ host_private_address }}:9090" 
-prometheus_scrape_configs: - - job_name: "prometheus" # Custom scrape job, here using `static_config` - metrics_path: "/metrics" - static_configs: - - targets: - - "{{ host_private_address }}:9090" - - job_name: "node1" - scheme: https # Custom scrape job, here using `static_config` - metrics_path: "/metrics" - tls_config: - ca_file: "{{ node_exporter_tls_server_config.cert_file }}" - static_configs: - - targets: - - "{{ ansible_hostname }}.netbird.cloud:9100" - - job_name: "node2" - scheme: https # Custom scrape job, here using `static_config` - metrics_path: "/metrics" - tls_config: - ca_file: "/etc/node_exporter/tls_scaleway.cert" - static_configs: - - targets: - - "scaleway.netbird.cloud:9100" - # - "{{ host_private_address }}:9100" - - job_name: "git" - scheme: https # Custom scrape job, here using `static_config` - metrics_path: "/metrics" - static_configs: - - targets: - - "gitea.jingoh.fr" - - job_name: "publicservicediscovery" - metrics_path: "/metrics" - basic_auth: - username: 'jingohtraf' - password: 'FSzmSLr#6i9M#d' - scheme: https - file_sd_configs: - - files: - - "{{ prometheus_config_dir }}/file_sd/node.yml" # This line loads file created from `prometheus_targets` -prometheus_targets: - node: # This is a base file name. 
File is located in "{{ prometheus_config_dir }}/file_sd/<>.yml" - - targets: # - - "traefik.jingoh.fr" +# prometheus_web_listen_address: "{{ host_private_address }}:9090" +# prometheus_scrape_configs: +# - job_name: "prometheus" # Custom scrape job, here using `static_config` +# metrics_path: "/metrics" +# static_configs: +# - targets: +# - "{{ host_private_address }}:9090" +# - job_name: "node1" +# scheme: https # Custom scrape job, here using `static_config` +# metrics_path: "/metrics" +# tls_config: +# ca_file: "{{ node_exporter_tls_server_config.cert_file }}" +# static_configs: +# - targets: +# - "{{ ansible_hostname }}.netbird.cloud:9100" +# - job_name: "node2" +# scheme: https # Custom scrape job, here using `static_config` +# metrics_path: "/metrics" +# tls_config: +# ca_file: "/etc/node_exporter/tls_scaleway.cert" +# static_configs: +# - targets: +# - "scaleway.netbird.cloud:9100" +# # - "{{ host_private_address }}:9100" +# - job_name: "git" +# scheme: https # Custom scrape job, here using `static_config` +# metrics_path: "/metrics" +# static_configs: +# - targets: +# - "gitea.jingoh.fr" +# - job_name: "publicservicediscovery" +# metrics_path: "/metrics" +# basic_auth: +# username: 'jingohtraf' +# password: 'FSzmSLr#6i9M#d' +# scheme: https +# file_sd_configs: +# - files: +# - "{{ prometheus_config_dir }}/file_sd/node.yml" # This line loads file created from `prometheus_targets` +# prometheus_targets: +# node: # This is a base file name. 
File is located in "{{ prometheus_config_dir }}/file_sd/<>.yml" +# - targets: # +# - "traefik.jingoh.fr" -#* GRAFANA +# #* GRAFANA -grafana_address: "{{ host_private_address }}" -install_grafana__protocol: "https" -install_grafana__http_addr: "{{ host_private_address }}" -install_grafana__domain: "{{ ansible_hostname }}.netbird.cloud" -inv_install_grafana__cert_file: "{{ node_exporter_tls_server_config.cert_file }}" -inv_install_grafana__cert_key: "{{ node_exporter_tls_server_config.key_file }}" +# grafana_address: "{{ host_private_address }}" +# install_grafana__protocol: "https" +# install_grafana__http_addr: "{{ host_private_address }}" +# install_grafana__domain: "{{ ansible_hostname }}.netbird.cloud" +# inv_install_grafana__cert_file: "{{ node_exporter_tls_server_config.cert_file }}" +# inv_install_grafana__cert_key: "{{ node_exporter_tls_server_config.key_file }}" -# ########## -# # CHISEL # -# ########## +# # ########## +# # # CHISEL # +# # ########## -# chisel_server: false -# chisel_client_server_url: "{{ chisel_server_host }}:8080" -# chisel_client_remotes: "R:{{ chisel_server_host }}:socks" -# chisel_service_name: chisel-client -# chisel_config_name: chisel-client +# # chisel_server: false +# # chisel_client_server_url: "{{ chisel_server_host }}:8080" +# # chisel_client_remotes: "R:{{ chisel_server_host }}:socks" +# # chisel_service_name: chisel-client +# # chisel_config_name: chisel-client -# chisel_conf: -# # chisel enable auth and finder -# - path: "/etc/chisel/{{ chisel_config_name }}.conf" -# regexp: "^AUTH=--auth {{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}" -# state: present -# line: "AUTH=--auth {{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}" -# - path: "/etc/chisel/{{ chisel_config_name }}.conf" -# regexp: "^FINGERPRINT=--fingerprint {{ chisel_client_server_fingerprint }}" -# state: present -# line: "FINGERPRINT=--fingerprint {{ hostvars[groups['server'][0]].chisel_fingerprint[4]|default('') }}" +# # 
chisel_conf: +# # # chisel enable auth and finder +# # - path: "/etc/chisel/{{ chisel_config_name }}.conf" +# # regexp: "^AUTH=--auth {{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}" +# # state: present +# # line: "AUTH=--auth {{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}" +# # - path: "/etc/chisel/{{ chisel_config_name }}.conf" +# # regexp: "^FINGERPRINT=--fingerprint {{ chisel_client_server_fingerprint }}" +# # state: present +# # line: "FINGERPRINT=--fingerprint {{ hostvars[groups['server'][0]].chisel_fingerprint[4]|default('') }}" diff --git a/host_vars/scaleway.yml b/host_vars/scaleway.yml index f27334f..3eed691 100644 --- a/host_vars/scaleway.yml +++ b/host_vars/scaleway.yml 
@@ -1,1229 +1,1229 @@ ---- +# --- -#* NETBIRD +# #* NETBIRD -netbird_setup_key: F234BD1F-385B-4BEA-8234-608CCB1062ED -netbird_register: true +# netbird_setup_key: F234BD1F-385B-4BEA-8234-608CCB1062ED +# netbird_register: true -#* TLS +# #* TLS -node_exporter_tls_server_config: - cert_file: /etc/node_exporter/tls.cert - key_file: /etc/node_exporter/tls.key +# node_exporter_tls_server_config: +# cert_file: /etc/node_exporter/tls.cert +# key_file: /etc/node_exporter/tls.key -#* NODE_EXPORTER +# #* NODE_EXPORTER -# node_exporter_basic_auth_users: -# randomuser: examplepassword -node_exporter_web_listen_address: "{{ host_private_address }}:9100" +# # node_exporter_basic_auth_users: +# # randomuser: examplepassword +# node_exporter_web_listen_address: "{{ host_private_address }}:9100" - ######## - # USER # - ######## +# ######## +# # USER # +# ######## -management_user_list: - - name: stephane - shell: '/bin/bash' - authorized_keys: - - key: "ssh-rsa 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 stephane" - exclusive: yes - sudo: - hosts: ALL - as: ALL - commands: ALL - nopasswd: ALL +# management_user_list: +# - name: stephane +# shell: '/bin/bash' +# authorized_keys: +# - key: "ssh-rsa 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 stephane" +# exclusive: yes +# sudo: +# hosts: ALL +# as: ALL +# commands: ALL +# nopasswd: ALL - ####### - # APT # - ####### +# ####### +# # APT # +# ####### -apt_repositories_sources: - - deb http://mirrors.online.net/ubuntu focal main restricted - - deb http://mirrors.online.net/ubuntu focal-updates main restricted - - deb http://mirrors.online.net/ubuntu focal universe - - deb http://mirrors.online.net/ubuntu focal-updates universe - - deb http://mirrors.online.net/ubuntu focal multiverse - - deb http://mirrors.online.net/ubuntu focal-updates multiverse - - deb http://mirrors.online.net/ubuntu focal-backports main restricted universe multiverse - - deb http://security.ubuntu.com/ubuntu focal-security main restricted - - 
deb http://security.ubuntu.com/ubuntu focal-security universe - - deb http://security.ubuntu.com/ubuntu focal-security multiverse +# apt_repositories_sources: +# - deb http://mirrors.online.net/ubuntu focal main restricted +# - deb http://mirrors.online.net/ubuntu focal-updates main restricted +# - deb http://mirrors.online.net/ubuntu focal universe +# - deb http://mirrors.online.net/ubuntu focal-updates universe +# - deb http://mirrors.online.net/ubuntu focal multiverse +# - deb http://mirrors.online.net/ubuntu focal-updates multiverse +# - deb http://mirrors.online.net/ubuntu focal-backports main restricted universe multiverse +# - deb http://security.ubuntu.com/ubuntu focal-security main restricted +# - deb http://security.ubuntu.com/ubuntu focal-security universe +# - deb http://security.ubuntu.com/ubuntu focal-security multiverse -apt_packages: - - name: openssh-server - - name: proxychains +# apt_packages: +# - name: openssh-server +# - name: proxychains - ############ - # ALERTING # - ############ +# ############ +# # ALERTING # +# ############ -alerts_cron: - - name: storage - weekday: 0 - minute: 0 - hour: 15 - user: root - job: "/usr/local/scripts/alerts.sh storage >/dev/null 2>&1" - cron_file: alerts - - name: load - weekday: "*" - minute: "*/5" - hour: "*" - user: root - job: "/usr/local/scripts/alerts.sh load >/dev/null 2>&1" - cron_file: alerts - - name: cpu - weekday: "*" - minute: "*/5" - hour: "*" - user: root - job: "/usr/local/scripts/alerts.sh cpu >/dev/null 2>&1" - cron_file: alerts - - name: ping - weekday: "*" - minute: "*" - hour: 12 - user: root - job: "/usr/local/scripts/alerts.sh ping >/dev/null 2>&1" - cron_file: alerts - - name: ssl - weekday: "*" - minute: 0 - hour: 15 - user: root - job: "/usr/local/scripts/alerts.sh ssl >/dev/null 2>&1" - cron_file: alerts - - name: storage - weekday: 0 - minute: 0 - hour: 15 - user: root - job: "/usr/local/scripts/alerts.sh storage >/dev/null 2>&1" - cron_file: alerts - - name: backup_git - weekday: 
"*" - minute: 0 - hour: 18 - user: root - job: "/usr/local/scripts/alerts.sh backup_git >/dev/null 2>&1" - cron_file: alerts - - name: backup_vault - weekday: "*" - minute: 0 - hour: 20 - user: root - job: "/usr/local/scripts/alerts.sh backup_vault >/dev/null 2>&1" - cron_file: alerts +# alerts_cron: +# - name: storage +# weekday: 0 +# minute: 0 +# hour: 15 +# user: root +# job: "/usr/local/scripts/alerts.sh storage >/dev/null 2>&1" +# cron_file: alerts +# - name: load +# weekday: "*" +# minute: "*/5" +# hour: "*" +# user: root +# job: "/usr/local/scripts/alerts.sh load >/dev/null 2>&1" +# cron_file: alerts +# - name: cpu +# weekday: "*" +# minute: "*/5" +# hour: "*" +# user: root +# job: "/usr/local/scripts/alerts.sh cpu >/dev/null 2>&1" +# cron_file: alerts +# - name: ping +# weekday: "*" +# minute: "*" +# hour: 12 +# user: root +# job: "/usr/local/scripts/alerts.sh ping >/dev/null 2>&1" +# cron_file: alerts +# - name: ssl +# weekday: "*" +# minute: 0 +# hour: 15 +# user: root +# job: "/usr/local/scripts/alerts.sh ssl >/dev/null 2>&1" +# cron_file: alerts +# - name: storage +# weekday: 0 +# minute: 0 +# hour: 15 +# user: root +# job: "/usr/local/scripts/alerts.sh storage >/dev/null 2>&1" +# cron_file: alerts +# - name: backup_git +# weekday: "*" +# minute: 0 +# hour: 18 +# user: root +# job: "/usr/local/scripts/alerts.sh backup_git >/dev/null 2>&1" +# cron_file: alerts +# - name: backup_vault +# weekday: "*" +# minute: 0 +# hour: 20 +# user: root +# job: "/usr/local/scripts/alerts.sh backup_vault >/dev/null 2>&1" +# cron_file: alerts -alerts_storage: scaleway -alerts_load: scaleway -alerts_ping: ovh -alerts_health: scaleway -alerts_backup_gitea: scaleway -alerts_backup_vault: scaleway -alerts_cpu: scaleway -alerts_ssl: scaleway +# alerts_storage: scaleway +# alerts_load: scaleway +# alerts_ping: ovh +# alerts_health: scaleway +# alerts_backup_gitea: scaleway +# alerts_backup_vault: scaleway +# alerts_cpu: scaleway +# alerts_ssl: scaleway - ############## - # LOG 
ROTATE # - ############## +# ############## +# # LOG ROTATE # +# ############## -logrotate_scripts: - - name: backup - paths: - - /opt/dockerapps/backup/*.zip - - /opt/dockerapps/vaultwarden/backup/*.tar.xz.gpg - options: - - daily - - rotate 4 - - compress - - missingok - - notifempty - - create 0644 root root - - name: dockerapps-git - path: /opt/dockerapps/logs/homeserver/git*.log - options: - - rotate 12 - - monthly - - compress - - missingok - - delaycompress - scripts: - postrotate: docker-compose restart gitea - - name: dockerapps-grafa - path: /opt/dockerapps/logs/homeserver/grafa*.log - options: - - rotate 12 - - monthly - - compress - - missingok - - delaycompress - scripts: - postrotate: docker-compose restart grafana - - name: dockerapps-traef - path: /opt/dockerapps/logs/homeserver/traef*.log - options: - - rotate 12 - - monthly - - compress - - missingok - - delaycompress - scripts: - postrotate: docker-compose restart traefik - - name: dockerapps-vault - path: /opt/dockerapps/logs/homeserver/vault*.log - options: - - rotate 12 - - monthly - - compress - - missingok - - delaycompress - scripts: - postrotate: docker-compose restart vault - # name: restart gitea - # script: docker-compose restart gitea - # - postrotate: docker-compose restart vaultwarden - # - postrotate: docker-compose restart grafana - - name: dockerapps-backup - paths: - - /opt/dockerapps/backup/gitea-dump-*.zip.1.gz - - /opt/dockerapps/vaultwarden/backup/*gpg.1.gz - options: - - rotate 6 - - monthly - - compress - - missingok - - delaycompress +# logrotate_scripts: +# - name: backup +# paths: +# - /opt/dockerapps/backup/*.zip +# - /opt/dockerapps/vaultwarden/backup/*.tar.xz.gpg +# options: +# - daily +# - rotate 4 +# - compress +# - missingok +# - notifempty +# - create 0644 root root +# - name: dockerapps-git +# path: /opt/dockerapps/logs/homeserver/git*.log +# options: +# - rotate 12 +# - monthly +# - compress +# - missingok +# - delaycompress +# scripts: +# postrotate: 
docker-compose restart gitea +# - name: dockerapps-grafa +# path: /opt/dockerapps/logs/homeserver/grafa*.log +# options: +# - rotate 12 +# - monthly +# - compress +# - missingok +# - delaycompress +# scripts: +# postrotate: docker-compose restart grafana +# - name: dockerapps-traef +# path: /opt/dockerapps/logs/homeserver/traef*.log +# options: +# - rotate 12 +# - monthly +# - compress +# - missingok +# - delaycompress +# scripts: +# postrotate: docker-compose restart traefik +# - name: dockerapps-vault +# path: /opt/dockerapps/logs/homeserver/vault*.log +# options: +# - rotate 12 +# - monthly +# - compress +# - missingok +# - delaycompress +# scripts: +# postrotate: docker-compose restart vault +# # name: restart gitea +# # script: docker-compose restart gitea +# # - postrotate: docker-compose restart vaultwarden +# # - postrotate: docker-compose restart grafana +# - name: dockerapps-backup +# paths: +# - /opt/dockerapps/backup/gitea-dump-*.zip.1.gz +# - /opt/dockerapps/vaultwarden/backup/*gpg.1.gz +# options: +# - rotate 6 +# - monthly +# - compress +# - missingok +# - delaycompress -########## -# CHISEL # -########## +# ########## +# # CHISEL # +# ########## -# SHOULD BE IN [server] GROUP -chisel_server: true -chisel_basic_auth: "{{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}" -chisel_service_name: chisel-server -chisel_config_name: chisel-server -chisel_proxychains_conf: -# chisel enable socks5, reverse and basic auth - - path: "/etc/chisel/{{ chisel_config_name }}.conf" - regexp: "^SOCK5=--socks5" - state: present - line: "SOCK5=--socks5" - - path: "/etc/chisel/{{ chisel_config_name }}.conf" - regexp: "^PID=--reverse" - state: present - line: "PID=--reverse" - - path: "/etc/chisel/{{ chisel_config_name }}.conf" - regexp: "^AUTH=--auth {{ chisel_basic_auth }}" - state: present - line: "AUTH=--auth {{ chisel_basic_auth }}" - - path: "/etc/chisel/{{ chisel_config_name }}.conf" - regexp: "^HOST=--host {{ chisel_server_host }}" - state: present 
- line: "HOST=--host {{ chisel_server_host }}" -# proxychains replace socks4 to socks5 - - path: "/etc/proxychains.conf" - regexp: "^socks4 127.0.0.1 9050" - state: "absent" - - path: "/etc/proxychains.conf" - regexp: "^socks5 {{ chisel_server_host }} 1080" - state: present - line: "socks5 {{ chisel_server_host }} 1080" +# # SHOULD BE IN [server] GROUP +# chisel_server: true +# chisel_basic_auth: "{{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}" +# chisel_service_name: chisel-server +# chisel_config_name: chisel-server +# chisel_proxychains_conf: +# # chisel enable socks5, reverse and basic auth +# - path: "/etc/chisel/{{ chisel_config_name }}.conf" +# regexp: "^SOCK5=--socks5" +# state: present +# line: "SOCK5=--socks5" +# - path: "/etc/chisel/{{ chisel_config_name }}.conf" +# regexp: "^PID=--reverse" +# state: present +# line: "PID=--reverse" +# - path: "/etc/chisel/{{ chisel_config_name }}.conf" +# regexp: "^AUTH=--auth {{ chisel_basic_auth }}" +# state: present +# line: "AUTH=--auth {{ chisel_basic_auth }}" +# - path: "/etc/chisel/{{ chisel_config_name }}.conf" +# regexp: "^HOST=--host {{ chisel_server_host }}" +# state: present +# line: "HOST=--host {{ chisel_server_host }}" +# # proxychains replace socks4 to socks5 +# - path: "/etc/proxychains.conf" +# regexp: "^socks4 127.0.0.1 9050" +# state: "absent" +# - path: "/etc/proxychains.conf" +# regexp: "^socks5 {{ chisel_server_host }} 1080" +# state: present +# line: "socks5 {{ chisel_server_host }} 1080" -################## -# DOCKER-COMPOSE # -################## +# ################## +# # DOCKER-COMPOSE # +# ################## -dockerapp_tree_volumes: -# ALERT - - alertmanager - - alertmanager/cache - - alertmanager/config -#ARA - - ara -#BLACKBOX - - blackbox - - blackbox/config -#GIT - - gitea - - gitea/gitea - - gitea/db - - gitea/runner -#GRAF - - grafana - - grafana/etc - - grafana/lib -#HOMARR - - homarr - - homarr/configs - - homarr/icons -#HOME - - homepage - - homepage/homepage - - 
homepage/icons -#MEALIE - - mealie -#PORT - - portainer -#PROM - - prometheus - - prometheus/prometheus - - prometheus/prometheus_data -#REGISTRY - - registry - - registry/data -#SEMA - - semaphore -#TRAF - - traefik2 - - traefik2/acme - - traefik2/rules -#VAULT - - vaultwarden -#WIRE - - wireguard - - wireguard/config - - wireguard/lib - - wireguard/lib/modules +# dockerapp_tree_volumes: +# # ALERT +# - alertmanager +# - alertmanager/cache +# - alertmanager/config +# #ARA +# - ara +# #BLACKBOX +# - blackbox +# - blackbox/config +# #GIT +# - gitea +# - gitea/gitea +# - gitea/db +# - gitea/runner +# #GRAF +# - grafana +# - grafana/etc +# - grafana/lib +# #HOMARR +# - homarr +# - homarr/configs +# - homarr/icons +# #HOME +# - homepage +# - homepage/homepage +# - homepage/icons +# #MEALIE +# - mealie +# #PORT +# - portainer +# #PROM +# - prometheus +# - prometheus/prometheus +# - prometheus/prometheus_data +# #REGISTRY +# - registry +# - registry/data +# #SEMA +# - semaphore +# #TRAF +# - traefik2 +# - traefik2/acme +# - traefik2/rules +# #VAULT +# - vaultwarden +# #WIRE +# - wireguard +# - wireguard/config +# - wireguard/lib +# - wireguard/lib/modules -dockerapp_tree_base_dir: - - "/opt/" -dockerapp_service: dockerapps -docker_install_compose: false -pip_executable: pip3 -pip_install_packages: - - docker-compose +# dockerapp_tree_base_dir: +# - "/opt/" +# dockerapp_service: dockerapps +# docker_install_compose: false +# pip_executable: pip3 +# pip_install_packages: +# - docker-compose -dockerapp_compose: - version: "3.9" - ######### IMPORTANT ############# - # This is my main docker-compose file with most of the apps. I run docker on other systems with smaller stacks (web and synology). - # You can copy-paste services from one docker-compose file in this repo to another to add other apps. +# dockerapp_compose: +# version: "3.9" +# ######### IMPORTANT ############# +# # This is my main docker-compose file with most of the apps. 
I run docker on other systems with smaller stacks (web and synology). +# # You can copy-paste services from one docker-compose file in this repo to another to add other apps. - # 90+ Open source docker stacks - #https://github.com/ethibox/awesome-stacks +# # 90+ Open source docker stacks +# #https://github.com/ethibox/awesome-stacks - #FROM - #https://github.com/htpcBeginner/docker-traefik/blob/master/docker-compose-t2.yml +# #FROM +# #https://github.com/htpcBeginner/docker-traefik/blob/master/docker-compose-t2.yml - ########################### SYSTEM DESCRIPTION - # DOCKER-COMPOSE FOR HOME/MEDIA SERVER - # PROXMOX HOST: Dual Intel Xeon 5420, 16 GB RAM, 240 GB SSD, and 2 TB HDD - # VM: 6 CORES, 12 GB RAM, Ubuntu 20.04, and Docker - # 32 GB for /, 64 GB for /var/lib/docker and transcoding, and 1.5 TB for non-critical data and rclone cache. - # Google Drive mounted using Rclone Docker for media and Proxmox backups +# ########################### SYSTEM DESCRIPTION +# # DOCKER-COMPOSE FOR HOME/MEDIA SERVER +# # PROXMOX HOST: Dual Intel Xeon 5420, 16 GB RAM, 240 GB SSD, and 2 TB HDD +# # VM: 6 CORES, 12 GB RAM, Ubuntu 20.04, and Docker +# # 32 GB for /, 64 GB for /var/lib/docker and transcoding, and 1.5 TB for non-critical data and rclone cache. +# # Google Drive mounted using Rclone Docker for media and Proxmox backups - ########################### NETWORKS - # There is no need to create any networks outside this docker-compose file. - # You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please. - # Docker Compose version 3.5 or higher required to define networks this way. 
- networks: - t2_proxy: - name: t2_proxy - driver: bridge - ipam: - config: - - subnet: 192.168.90.0/24 - default: - driver: bridge - socket_proxy: - name: socket_proxy - driver: bridge - ipam: - config: - - subnet: 192.168.91.0/24 - ########################### EXTENSION FIELDS - # Helps eliminate repetition of sections - # More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228 +# ########################### NETWORKS +# # There is no need to create any networks outside this docker-compose file. +# # You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please. +# # Docker Compose version 3.5 or higher required to define networks this way. +# networks: +# t2_proxy: +# name: t2_proxy +# driver: bridge +# ipam: +# config: +# - subnet: 192.168.90.0/24 +# default: +# driver: bridge +# socket_proxy: +# name: socket_proxy +# driver: bridge +# ipam: +# config: +# - subnet: 192.168.91.0/24 +# ########################### EXTENSION FIELDS +# # Helps eliminate repetition of sections +# # More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228 - # # Common environment values - # x-environment: &default-tz-puid-pgid - # TZ: Europe/Paris - # PUID: 1000 - # PGID: 1000 +# # # Common environment values +# # x-environment: &default-tz-puid-pgid +# # TZ: Europe/Paris +# # PUID: 1000 +# # PGID: 1000 - # # Proxy Network and Security - # x-network-and-security: &network-and-security - # networks: - # - t2_proxy - # security_opt: - # - no-new-privileges:true +# # # Proxy Network and Security +# # x-network-and-security: &network-and-security +# # networks: +# # - t2_proxy +# # security_opt: +# # - no-new-privileges:true - # # Keys common to some of the services in basic-services.txt - # x-common-keys-core: &common-keys-core - # <<: *network-and-security - # restart: always - # # profiles: - # # - basic +# # # Keys common to some of the services in basic-services.txt +# # x-common-keys-core: 
&common-keys-core +# # <<: *network-and-security +# # restart: always +# # # profiles: +# # # - basic - # # Keys common to some of the dependent services/apps - # x-common-keys-apps: &common-keys-apps - # <<: *network-and-security - # restart: unless-stopped - # # profiles: - # # - apps +# # # Keys common to some of the dependent services/apps +# # x-common-keys-apps: &common-keys-apps +# # <<: *network-and-security +# # restart: unless-stopped +# # # profiles: +# # # - apps - # # Keys common to some of the services in media-services.txt - # x-common-keys-media: &common-keys-media - # <<: *network-and-security - # restart: "no" - # # profiles: - # # - media - ########################### SERVICES - services: - ############################# FRONTENDS +# # # Keys common to some of the services in media-services.txt +# # x-common-keys-media: &common-keys-media +# # <<: *network-and-security +# # restart: "no" +# # # profiles: +# # # - media +# ########################### SERVICES +# services: +# ############################# FRONTENDS - # Traefik 2 - Reverse Proxy - # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600. - # touch $DOCKERDIR/traefik2/acme/acme.json - # chmod 600 $DOCKERDIR/traefik2/acme/acme.json - # touch $DOCKERDIR/logs/homeserver/traefik.log # customize this +# # Traefik 2 - Reverse Proxy +# # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600. 
+# # touch $DOCKERDIR/traefik2/acme/acme.json +# # chmod 600 $DOCKERDIR/traefik2/acme/acme.json +# # touch $DOCKERDIR/logs/homeserver/traefik.log # customize this - #### LETSENCRYPT CHALLENGE ###### - # https://doc.traefik.io/traefik/user-guides/docker-compose/acme-http/ - # Add new https services/fqdn - # uncomment acme.caserver line and remove/traefik2/acme/letsencrypt/acme.json file - # Down all containers and up all (docker-compose down/up -d), wait for news cert/key on acme.json - # At this moment, cert/key are staging, you need to comment acme.caserver line and remove acme.json file then restart traefik - traefik: - restart: always - security_opt: - - no-new-privileges:true - container_name: traefik - image: traefik:latest - command: # CLI arguments - - --global.checkNewVersion=true - - --global.sendAnonymousUsage=true - - --entryPoints.http.address=:80/tcp - - --entryPoints.https.address=:443/tcp - - --entryPoints.wireguard.address=:443/udp - - --api=true - - --api.dashboard=true - - --log=true - - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC - - --accessLog=true - - --accessLog.filePath=/traefik.log - - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines - - --providers.docker=true - - --providers.docker.endpoint=tcp://socket-proxy:2375 - - --providers.docker.exposedByDefault=false - - --providers.docker.network=t2_proxy - - --providers.docker.swarmMode=false - - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory - - --providers.file.watch=true # Only works on top level files in the rules folder - - --metrics.prometheus=true - - --metrics.prometheus.buckets=0.1,0.3,1.2,5.0 - - --metrics.prometheus.addEntryPointsLabels=true - - --metrics.prometheus.addrouterslabels=true - - --metrics.prometheus.addServicesLabels=true - - --metrics.prometheus.manualrouting=true - - --certificatesresolvers.letsencrypt-resolver.acme.tlschallenge=true - # - 
--certificatesresolvers.letsencrypt-resolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory - - --certificatesresolvers.letsencrypt-resolver.acme.email=stephane.gratiasquiquandon@gmail.com - - --certificatesresolvers.letsencrypt-resolver.acme.storage=/letsencrypt/acme.json - networks: - t2_proxy: - ipv4_address: 192.168.90.254 # You can specify a static IP - # Should connect to the docker socket - socket_proxy: - ipv4_address: 192.168.91.3 - environment: - TZ: Europe/Paris - PUID: 1000 - PGID: 1000 - ports: - - target: 80 - published: 80 - protocol: tcp - mode: host - - target: 443 - published: 443 - protocol: tcp - mode: host - - target: 443 - published: 443 - protocol: udp - mode: host - volumes: - - ./traefik2/rules/homeserver:/rules # file provider directory - - ./traefik2/acme/letsencrypt:/letsencrypt - #- ./traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600 - - ./logs/homeserver/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container - - /etc/timezone:/etc/timezone:ro - - /etc/localtime:/etc/localtime:ro - labels: - - "traefik.enable=true" - # HTTP-to-HTTPS Redirect - - "traefik.http.routers.http-catchall.entrypoints=http" - - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)" - - "traefik.http.routers.http-catchall.middlewares=redirect-to-https" - - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https" - - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true" - # HTTP Routers - - "traefik.http.routers.traefik-rtr.entrypoints=https" - - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.jingoh.fr`)" - ## Services - API - - "traefik.http.routers.traefik-rtr.service=api@internal" - - "traefik.http.routers.traefik-rtr.tls=true" - ## MONITORING - - traefik.http.routers.prometheus.entrypoints=https - - traefik.http.routers.prometheus.rule=Host(`traefik.jingoh.fr`) && PathPrefix(`/metrics`) - - 
traefik.http.routers.prometheus.service=prometheus@internal - - traefik.http.routers.prometheus.middlewares=traefik-basic - ## Middlewares - # echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g - ## Middlewares - - "traefik.http.routers.traefik-rtr.middlewares=traefik-basic" - - "traefik.http.middlewares.traefik-basic.basicauth.users=jingohtraf:$$2y$$05$$JO8mJnOV2PARzEcVj.Grp.H.JbkWYneAIjgMt7c0.5NTyBNDkRIiW" - #- "traefik.http.middlewares.traefik-rtr-ratelimit.ratelimit.average=10" - # - "traefik.http.middlewares.traefik-rtr-ratelimit.ratelimit.burst=10" - # - "traefik.http.middlewares.traefik-rtr-ratelimit.ratelimit.period=1" - # - "traefik.http.routers.traefik-rtr-ratelimit.middlewares=traefik-rtr-ratelimit@docker" - ## TLS - - "traefik.http.routers.traefik-rtr.tls.certresolver=letsencrypt-resolver" - - "traefik.http.routers.prometheus.tls.certresolver=letsencrypt-resolver" - # Docker Socket Proxy - Security Enchanced Proxy for Docker Socket - socket-proxy: - restart: always - security_opt: - - no-new-privileges:true # See EXTENSION FIELDS at the top - container_name: socket-proxy - image: tecnativa/docker-socket-proxy:latest - networks: - socket_proxy: - ipv4_address: 192.168.91.254 # You can specify a static IP - volumes: - - "/var/run/docker.sock:/var/run/docker.sock" - environment: - - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg - ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.). - # 0 to revoke access. - # 1 to grant access. - ## Granted by Default - - EVENTS=1 - - PING=1 - - VERSION=1 - ## Revoked by Default - # Security critical - - AUTH=0 - - SECRETS=0 - - POST=0 # Watchtower - # Not always needed - - BUILD=0 - - COMMIT=0 - - CONFIGS=0 - - CONTAINERS=1 # Traefik, portainer, etc. 
- - DISTRIBUTION=0 - - EXEC=0 - - IMAGES=1 # Portainer - - INFO=1 # Portainer - - NETWORKS=1 # Portainer - - NODES=0 - - PLUGINS=0 - - SERVICES=1 # Portainer - - SESSION=0 - - SWARM=0 - - SYSTEM=0 - - TASKS=1 # Portainer - - VOLUMES=1 # Portainer +# #### LETSENCRYPT CHALLENGE ###### +# # https://doc.traefik.io/traefik/user-guides/docker-compose/acme-http/ +# # Add new https services/fqdn +# # uncomment acme.caserver line and remove/traefik2/acme/letsencrypt/acme.json file +# # Down all containers and up all (docker-compose down/up -d), wait for news cert/key on acme.json +# # At this moment, cert/key are staging, you need to comment acme.caserver line and remove acme.json file then restart traefik +# traefik: +# restart: always +# security_opt: +# - no-new-privileges:true +# container_name: traefik +# image: traefik:latest +# command: # CLI arguments +# - --global.checkNewVersion=true +# - --global.sendAnonymousUsage=true +# - --entryPoints.http.address=:80/tcp +# - --entryPoints.https.address=:443/tcp +# - --entryPoints.wireguard.address=:443/udp +# - --api=true +# - --api.dashboard=true +# - --log=true +# - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC +# - --accessLog=true +# - --accessLog.filePath=/traefik.log +# - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines +# - --providers.docker=true +# - --providers.docker.endpoint=tcp://socket-proxy:2375 +# - --providers.docker.exposedByDefault=false +# - --providers.docker.network=t2_proxy +# - --providers.docker.swarmMode=false +# - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory +# - --providers.file.watch=true # Only works on top level files in the rules folder +# - --metrics.prometheus=true +# - --metrics.prometheus.buckets=0.1,0.3,1.2,5.0 +# - --metrics.prometheus.addEntryPointsLabels=true +# - --metrics.prometheus.addrouterslabels=true +# - --metrics.prometheus.addServicesLabels=true +# - 
--metrics.prometheus.manualrouting=true +# - --certificatesresolvers.letsencrypt-resolver.acme.tlschallenge=true +# # - --certificatesresolvers.letsencrypt-resolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory +# - --certificatesresolvers.letsencrypt-resolver.acme.email=stephane.gratiasquiquandon@gmail.com +# - --certificatesresolvers.letsencrypt-resolver.acme.storage=/letsencrypt/acme.json +# networks: +# t2_proxy: +# ipv4_address: 192.168.90.254 # You can specify a static IP +# # Should connect to the docker socket +# socket_proxy: +# ipv4_address: 192.168.91.3 +# environment: +# TZ: Europe/Paris +# PUID: 1000 +# PGID: 1000 +# ports: +# - target: 80 +# published: 80 +# protocol: tcp +# mode: host +# - target: 443 +# published: 443 +# protocol: tcp +# mode: host +# - target: 443 +# published: 443 +# protocol: udp +# mode: host +# volumes: +# - ./traefik2/rules/homeserver:/rules # file provider directory +# - ./traefik2/acme/letsencrypt:/letsencrypt +# #- ./traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600 +# - ./logs/homeserver/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container +# - /etc/timezone:/etc/timezone:ro +# - /etc/localtime:/etc/localtime:ro +# labels: +# - "traefik.enable=true" +# # HTTP-to-HTTPS Redirect +# - "traefik.http.routers.http-catchall.entrypoints=http" +# - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)" +# - "traefik.http.routers.http-catchall.middlewares=redirect-to-https" +# - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https" +# - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true" +# # HTTP Routers +# - "traefik.http.routers.traefik-rtr.entrypoints=https" +# - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.jingoh.fr`)" +# ## Services - API +# - "traefik.http.routers.traefik-rtr.service=api@internal" +# - "traefik.http.routers.traefik-rtr.tls=true" +# 
## MONITORING +# - traefik.http.routers.prometheus.entrypoints=https +# - traefik.http.routers.prometheus.rule=Host(`traefik.jingoh.fr`) && PathPrefix(`/metrics`) +# - traefik.http.routers.prometheus.service=prometheus@internal +# - traefik.http.routers.prometheus.middlewares=traefik-basic +# ## Middlewares +# # echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g +# ## Middlewares +# - "traefik.http.routers.traefik-rtr.middlewares=traefik-basic" +# - "traefik.http.middlewares.traefik-basic.basicauth.users=jingohtraf:$$2y$$05$$JO8mJnOV2PARzEcVj.Grp.H.JbkWYneAIjgMt7c0.5NTyBNDkRIiW" +# #- "traefik.http.middlewares.traefik-rtr-ratelimit.ratelimit.average=10" +# # - "traefik.http.middlewares.traefik-rtr-ratelimit.ratelimit.burst=10" +# # - "traefik.http.middlewares.traefik-rtr-ratelimit.ratelimit.period=1" +# # - "traefik.http.routers.traefik-rtr-ratelimit.middlewares=traefik-rtr-ratelimit@docker" +# ## TLS +# - "traefik.http.routers.traefik-rtr.tls.certresolver=letsencrypt-resolver" +# - "traefik.http.routers.prometheus.tls.certresolver=letsencrypt-resolver" +# # Docker Socket Proxy - Security Enchanced Proxy for Docker Socket +# socket-proxy: +# restart: always +# security_opt: +# - no-new-privileges:true # See EXTENSION FIELDS at the top +# container_name: socket-proxy +# image: tecnativa/docker-socket-proxy:latest +# networks: +# socket_proxy: +# ipv4_address: 192.168.91.254 # You can specify a static IP +# volumes: +# - "/var/run/docker.sock:/var/run/docker.sock" +# environment: +# - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg +# ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.). +# # 0 to revoke access. +# # 1 to grant access. +# ## Granted by Default +# - EVENTS=1 +# - PING=1 +# - VERSION=1 +# ## Revoked by Default +# # Security critical +# - AUTH=0 +# - SECRETS=0 +# - POST=0 # Watchtower +# # Not always needed +# - BUILD=0 +# - COMMIT=0 +# - CONFIGS=0 +# - CONTAINERS=1 # Traefik, portainer, etc. 
+# - DISTRIBUTION=0 +# - EXEC=0 +# - IMAGES=1 # Portainer +# - INFO=1 # Portainer +# - NETWORKS=1 # Portainer +# - NODES=0 +# - PLUGINS=0 +# - SERVICES=1 # Portainer +# - SESSION=0 +# - SWARM=0 +# - SYSTEM=0 +# - TASKS=1 # Portainer +# - VOLUMES=1 # Portainer - # Dozzle - Real-time Docker Log Viewer - dozzle: - restart: always - security_opt: - - no-new-privileges:true # See EXTENSION FIELDS at the top - image: amir20/dozzle:latest - container_name: dozzle - networks: - t2_proxy: - ipv4_address: 192.168.90.169 - # Should connect to the docker engine socket to collect logs - socket_proxy: - ipv4_address: 192.168.91.2 - environment: - TZ: Europe/Paris - PUID: 1000 - PGID: 1000 - DOZZLE_LEVEL: info - #DOZZLE_TAILSIZE: 300 - DOZZLE_FILTER: "status=running" - DOCKER_HOST: tcp://socket-proxy:2375 - #DOZZLE_ADDR: ":8181" - volumes: - - /etc/timezone:/etc/timezone:ro - - /etc/localtime:/etc/localtime:ro - labels: - - "traefik.enable=true" - ## HTTP Routers - - "traefik.http.routers.dozzle-rtr-http.entrypoints=http" - - "traefik.http.routers.dozzle-rtr-http.rule=Host(`dozzle.jingoh.fr`)" - - "traefik.http.routers.dozzle-rtr-http.middlewares=redirect-to-https" - ## HTTPS Routers - - "traefik.http.routers.dozzle-rtr.entrypoints=https" - - "traefik.http.routers.dozzle-rtr.rule=Host(`dozzle.jingoh.fr`)" - ## Services - - "traefik.http.routers.dozzle-rtr.service=dozzle-svc" - - "traefik.http.services.dozzle-svc.loadbalancer.server.port=8080" - ## Middlewares - - "traefik.http.routers.dozzle-rtr.middlewares=dozzle-basic" - - "traefik.http.middlewares.dozzle-basic.basicauth.users=jingohdoz:$$2y$$05$$e5x192gFu6uBevLcZNNU9eEWnekh3p.F8cffX19EBTLMwBQoqHcwW" - ## TLS - - "traefik.http.routers.dozzle-rtr.tls.certresolver=letsencrypt-resolver" +# # Dozzle - Real-time Docker Log Viewer +# dozzle: +# restart: always +# security_opt: +# - no-new-privileges:true # See EXTENSION FIELDS at the top +# image: amir20/dozzle:latest +# container_name: dozzle +# networks: +# t2_proxy: +# 
ipv4_address: 192.168.90.169 +# # Should connect to the docker engine socket to collect logs +# socket_proxy: +# ipv4_address: 192.168.91.2 +# environment: +# TZ: Europe/Paris +# PUID: 1000 +# PGID: 1000 +# DOZZLE_LEVEL: info +# #DOZZLE_TAILSIZE: 300 +# DOZZLE_FILTER: "status=running" +# DOCKER_HOST: tcp://socket-proxy:2375 +# #DOZZLE_ADDR: ":8181" +# volumes: +# - /etc/timezone:/etc/timezone:ro +# - /etc/localtime:/etc/localtime:ro +# labels: +# - "traefik.enable=true" +# ## HTTP Routers +# - "traefik.http.routers.dozzle-rtr-http.entrypoints=http" +# - "traefik.http.routers.dozzle-rtr-http.rule=Host(`dozzle.jingoh.fr`)" +# - "traefik.http.routers.dozzle-rtr-http.middlewares=redirect-to-https" +# ## HTTPS Routers +# - "traefik.http.routers.dozzle-rtr.entrypoints=https" +# - "traefik.http.routers.dozzle-rtr.rule=Host(`dozzle.jingoh.fr`)" +# ## Services +# - "traefik.http.routers.dozzle-rtr.service=dozzle-svc" +# - "traefik.http.services.dozzle-svc.loadbalancer.server.port=8080" +# ## Middlewares +# - "traefik.http.routers.dozzle-rtr.middlewares=dozzle-basic" +# - "traefik.http.middlewares.dozzle-basic.basicauth.users=jingohdoz:$$2y$$05$$e5x192gFu6uBevLcZNNU9eEWnekh3p.F8cffX19EBTLMwBQoqHcwW" +# ## TLS +# - "traefik.http.routers.dozzle-rtr.tls.certresolver=letsencrypt-resolver" - # conf file in/gitea/gitea/gitea/conf/app.ini - # [metrics] - # [log] - gitea: - restart: always - security_opt: - - no-new-privileges:true # See EXTENSION FIELDS at the top - image: gitea/gitea:latest - container_name: gitea - networks: - t2_proxy: - ipv4_address: 192.168.90.170 - environment: - TZ: Europe/Paris - PUID: 1000 - PGID: 1000 - GITEA__database__DB_TYPE: postgres - GITEA__database__HOST: gitea-db:5432 - GITEA__server__DOMAIN: gitea.jingoh.fr - GITEA__server__ROOT_URL: https://gitea.jingoh.fr - GITEA__server__HTTP_PORT: 3000 - GITEA__server__START_SSH_SERVER: "true" - GITEA__server__SSH_PORT: 443 - GITEA__server__SSH_LISTEN_PORT: 2222 - GITEA__server__SSH_DOMAIN: gitea.jingoh.fr - 
GITEA__repository__USE_COMPAT_SSH_URI: "false" - GITEA__database__NAME: gitea - GITEA__database__USER: root - GITEA__database__PASSWD: uu~Y8aic - volumes: - - ./logs/homeserver/gitea.log:/data/gitea/log/gitea.log - - ./gitea/gitea:/data - - /etc/timezone:/etc/timezone:ro - - /etc/localtime:/etc/localtime:ro - labels: - - "traefik.enable=true" - ## HTTP Routers - - "traefik.http.routers.gitea-rtr-http.entrypoints=http" - - "traefik.http.routers.gitea-rtr-http.rule=Host(`gitea.jingoh.fr`)" - - "traefik.http.routers.gitea-rtr-http.middlewares=redirect-to-https" - ## HTTPS Routers - - "traefik.http.routers.gitea-rtr.entrypoints=https" - - "traefik.http.routers.gitea-rtr.rule=Host(`gitea.jingoh.fr`)" - ## Middlewares - # git push doesn't work with basicauth - #- "traefik.http.routers.gitea-rtr.middlewares=gitea-basic" - #- "traefik.http.middlewares.gitea-basic.basicauth.users=jingohgit:$$2y$$05$$iBHOV.3zFZFTp4kRqD7.I.hQ/Rx3qeHoUjq/3KztwzyU8t1BIK/ne" - ## Services - - "traefik.http.routers.gitea-rtr.service=gitea-svc" - - "traefik.http.services.gitea-svc.loadbalancer.server.port=3000" - ## SSH - - "traefik.tcp.routers.gitea-ssh.rule=HostSNI(`*`)" - - "traefik.tcp.routers.gitea-ssh.entrypoints=https" - - "traefik.tcp.routers.gitea-ssh.service=gitea-ssh-svc" - - "traefik.tcp.services.gitea-ssh-svc.loadbalancer.server.port=2222" - ## TLS - - "traefik.http.routers.gitea-rtr.tls.certresolver=letsencrypt-resolver" +# # conf file in/gitea/gitea/gitea/conf/app.ini +# # [metrics] +# # [log] +# gitea: +# restart: always +# security_opt: +# - no-new-privileges:true # See EXTENSION FIELDS at the top +# image: gitea/gitea:latest +# container_name: gitea +# networks: +# t2_proxy: +# ipv4_address: 192.168.90.170 +# environment: +# TZ: Europe/Paris +# PUID: 1000 +# PGID: 1000 +# GITEA__database__DB_TYPE: postgres +# GITEA__database__HOST: gitea-db:5432 +# GITEA__server__DOMAIN: gitea.jingoh.fr +# GITEA__server__ROOT_URL: https://gitea.jingoh.fr +# GITEA__server__HTTP_PORT: 3000 +# 
GITEA__server__START_SSH_SERVER: "true" +# GITEA__server__SSH_PORT: 443 +# GITEA__server__SSH_LISTEN_PORT: 2222 +# GITEA__server__SSH_DOMAIN: gitea.jingoh.fr +# GITEA__repository__USE_COMPAT_SSH_URI: "false" +# GITEA__database__NAME: gitea +# GITEA__database__USER: root +# GITEA__database__PASSWD: uu~Y8aic +# volumes: +# - ./logs/homeserver/gitea.log:/data/gitea/log/gitea.log +# - ./gitea/gitea:/data +# - /etc/timezone:/etc/timezone:ro +# - /etc/localtime:/etc/localtime:ro +# labels: +# - "traefik.enable=true" +# ## HTTP Routers +# - "traefik.http.routers.gitea-rtr-http.entrypoints=http" +# - "traefik.http.routers.gitea-rtr-http.rule=Host(`gitea.jingoh.fr`)" +# - "traefik.http.routers.gitea-rtr-http.middlewares=redirect-to-https" +# ## HTTPS Routers +# - "traefik.http.routers.gitea-rtr.entrypoints=https" +# - "traefik.http.routers.gitea-rtr.rule=Host(`gitea.jingoh.fr`)" +# ## Middlewares +# # git push doesn't work with basicauth +# #- "traefik.http.routers.gitea-rtr.middlewares=gitea-basic" +# #- "traefik.http.middlewares.gitea-basic.basicauth.users=jingohgit:$$2y$$05$$iBHOV.3zFZFTp4kRqD7.I.hQ/Rx3qeHoUjq/3KztwzyU8t1BIK/ne" +# ## Services +# - "traefik.http.routers.gitea-rtr.service=gitea-svc" +# - "traefik.http.services.gitea-svc.loadbalancer.server.port=3000" +# ## SSH +# - "traefik.tcp.routers.gitea-ssh.rule=HostSNI(`*`)" +# - "traefik.tcp.routers.gitea-ssh.entrypoints=https" +# - "traefik.tcp.routers.gitea-ssh.service=gitea-ssh-svc" +# - "traefik.tcp.services.gitea-ssh-svc.loadbalancer.server.port=2222" +# ## TLS +# - "traefik.http.routers.gitea-rtr.tls.certresolver=letsencrypt-resolver" - gitea-db: - restart: always - security_opt: - - no-new-privileges:true # See EXTENSION FIELDS at the top - image: postgres:14 - container_name: gitea-db - networks: - t2_proxy: - ipv4_address: 192.168.90.171 - environment: - TZ: Europe/Paris - PUID: 1000 - PGID: 1000 - POSTGRES_USER: root - POSTGRES_PASSWORD: uu~Y8aic - POSTGRES_DB: gitea - volumes: - - 
./gitea/gitea-db:/var/lib/postgresql/data - - /etc/timezone:/etc/timezone:ro - - /etc/localtime:/etc/localtime:ro - labels: - - traefik.enable=false +# gitea-db: +# restart: always +# security_opt: +# - no-new-privileges:true # See EXTENSION FIELDS at the top +# image: postgres:14 +# container_name: gitea-db +# networks: +# t2_proxy: +# ipv4_address: 192.168.90.171 +# environment: +# TZ: Europe/Paris +# PUID: 1000 +# PGID: 1000 +# POSTGRES_USER: root +# POSTGRES_PASSWORD: uu~Y8aic +# POSTGRES_DB: gitea +# volumes: +# - ./gitea/gitea-db:/var/lib/postgresql/data +# - /etc/timezone:/etc/timezone:ro +# - /etc/localtime:/etc/localtime:ro +# labels: +# - traefik.enable=false - #https://github.com/ngoduykhanh/wireguard-ui/blob/master/docker-compose.yaml -> wireguard-ui - wireguard: - restart: always - security_opt: - - no-new-privileges:true # See EXTENSION FIELDS at the top - image: lscr.io/linuxserver/wireguard:latest - container_name: wireguard - cap_add: - - NET_ADMIN - - SYS_MODULE - environment: - TZ: Europe/Paris - PUID: 1000 - PGID: 1000 - SERVERURL: 163.172.84.28 #optional - SERVERPORT: 443 #optional - PEERS: 2 #optional - PEERDNS: auto #optional - INTERNAL_SUBNET: 10.13.13.0 #optional - ALLOWEDIPS: 0.0.0.0/0 #optional - LOG_CONFS: "true" #optional - networks: - t2_proxy: - ipv4_address: 192.168.90.173 - volumes: - - ./wireguard/config:/config - - ./wireguard/lib/modules:/lib/modules - - /etc/timezone:/etc/timezone:ro - - /etc/localtime:/etc/localtime:ro - sysctls: - - net.ipv4.conf.all.src_valid_mark=1 - labels: - - "traefik.enable=true" - ## UDP Routers - - "traefik.udp.routers.wireguard-rtr.entrypoints=wireguard" - - "traefik.udp.services.wireguard.loadbalancer.server.port=51820" - depends_on: - - traefik +# #https://github.com/ngoduykhanh/wireguard-ui/blob/master/docker-compose.yaml -> wireguard-ui +# wireguard: +# restart: always +# security_opt: +# - no-new-privileges:true # See EXTENSION FIELDS at the top +# image: lscr.io/linuxserver/wireguard:latest +# 
container_name: wireguard +# cap_add: +# - NET_ADMIN +# - SYS_MODULE +# environment: +# TZ: Europe/Paris +# PUID: 1000 +# PGID: 1000 +# SERVERURL: 163.172.84.28 #optional +# SERVERPORT: 443 #optional +# PEERS: 2 #optional +# PEERDNS: auto #optional +# INTERNAL_SUBNET: 10.13.13.0 #optional +# ALLOWEDIPS: 0.0.0.0/0 #optional +# LOG_CONFS: "true" #optional +# networks: +# t2_proxy: +# ipv4_address: 192.168.90.173 +# volumes: +# - ./wireguard/config:/config +# - ./wireguard/lib/modules:/lib/modules +# - /etc/timezone:/etc/timezone:ro +# - /etc/localtime:/etc/localtime:ro +# sysctls: +# - net.ipv4.conf.all.src_valid_mark=1 +# labels: +# - "traefik.enable=true" +# ## UDP Routers +# - "traefik.udp.routers.wireguard-rtr.entrypoints=wireguard" +# - "traefik.udp.services.wireguard.loadbalancer.server.port=51820" +# depends_on: +# - traefik - # # Grafana - Graphical data visualization - ## Reset password command-line -> grafana-cli $username reset-admin-password $password - ## Enable log file with rotate (/etc/grafana/grafana.ini) - grafana: - restart: always - security_opt: - - no-new-privileges:true # See EXTENSION FIELDS at the top - image: grafana/grafana:latest - container_name: grafana - networks: - t2_proxy: - ipv4_address: 192.168.90.175 - # ports: - # - "$GRAFANA_PORT:3000" - user: root - volumes: - - ./grafana/lib:/var/lib/grafana - - ./logs/homeserver/grafana.log:/var/log/grafana/grafana.log - environment: - TZ: Europe/Paris - PUID: 1000 - PGID: 1000 - GF_INSTALL_PLUGINS: "grafana-clock-panel,grafana-simple-json-datasource,grafana-worldmap-panel,grafana-piechart-panel" - labels: - - "traefik.enable=true" - ## HTTP Routers - - "traefik.http.routers.grafana-rtr-http.entrypoints=http" - - "traefik.http.routers.grafana-rtr-http.rule=Host(`grafana.jingoh.fr`)" - - "traefik.http.routers.grafana-rtr-http.middlewares=redirect-to-https" - ## HTTPS Routers - - "traefik.http.routers.grafana-rtr.entrypoints=https" - - 
"traefik.http.routers.grafana-rtr.rule=Host(`grafana.jingoh.fr`)" - ## Services - - "traefik.http.routers.grafana-rtr.service=grafana-svc" - - "traefik.http.services.grafana-svc.loadbalancer.server.port=3000" - ## TLS - - "traefik.http.routers.grafana-rtr.tls.certresolver=letsencrypt-resolver" - ## Middlewares - - "traefik.http.routers.grafana-rtr.middlewares=grafana-basic" - - "traefik.http.middlewares.grafana-basic.basicauth.users=jingohgraf:$$2y$$05$$DMxSbnKhLv0zW2qYzMpkj.idi88EsFsIdgKoYPzFpxo9ErDHLYCAi" - # NEEDED IF CONFLICTS BETWEEN BASICAUTH AND APP LOGIN PAGE - - "traefik.http.middlewares.grafana-basic.basicauth.removeheader=true" +# # # Grafana - Graphical data visualization +# ## Reset password command-line -> grafana-cli $username reset-admin-password $password +# ## Enable log file with rotate (/etc/grafana/grafana.ini) +# grafana: +# restart: always +# security_opt: +# - no-new-privileges:true # See EXTENSION FIELDS at the top +# image: grafana/grafana:latest +# container_name: grafana +# networks: +# t2_proxy: +# ipv4_address: 192.168.90.175 +# # ports: +# # - "$GRAFANA_PORT:3000" +# user: root +# volumes: +# - ./grafana/lib:/var/lib/grafana +# - ./logs/homeserver/grafana.log:/var/log/grafana/grafana.log +# environment: +# TZ: Europe/Paris +# PUID: 1000 +# PGID: 1000 +# GF_INSTALL_PLUGINS: "grafana-clock-panel,grafana-simple-json-datasource,grafana-worldmap-panel,grafana-piechart-panel" +# labels: +# - "traefik.enable=true" +# ## HTTP Routers +# - "traefik.http.routers.grafana-rtr-http.entrypoints=http" +# - "traefik.http.routers.grafana-rtr-http.rule=Host(`grafana.jingoh.fr`)" +# - "traefik.http.routers.grafana-rtr-http.middlewares=redirect-to-https" +# ## HTTPS Routers +# - "traefik.http.routers.grafana-rtr.entrypoints=https" +# - "traefik.http.routers.grafana-rtr.rule=Host(`grafana.jingoh.fr`)" +# ## Services +# - "traefik.http.routers.grafana-rtr.service=grafana-svc" +# - "traefik.http.services.grafana-svc.loadbalancer.server.port=3000" +# ## TLS 
+# - "traefik.http.routers.grafana-rtr.tls.certresolver=letsencrypt-resolver" +# ## Middlewares +# - "traefik.http.routers.grafana-rtr.middlewares=grafana-basic" +# - "traefik.http.middlewares.grafana-basic.basicauth.users=jingohgraf:$$2y$$05$$DMxSbnKhLv0zW2qYzMpkj.idi88EsFsIdgKoYPzFpxo9ErDHLYCAi" +# # NEEDED IF CONFLICTS BETWEEN BASICAUTH AND APP LOGIN PAGE +# - "traefik.http.middlewares.grafana-basic.basicauth.removeheader=true" - prometheus: - restart: always - security_opt: - - no-new-privileges:true # See EXTENSION FIELDS at the top - image: prom/prometheus:latest - container_name: prometheus - user: root - networks: - t2_proxy: - ipv4_address: 192.168.90.176 - volumes: - - ./prometheus/prometheus:/etc/prometheus/ - - ./prometheus/prometheus_data:/prometheus - command: - - '--config.file=/etc/prometheus/prometheus.yml' - - '--storage.tsdb.path=/prometheus' - - '--web.console.libraries=/usr/share/prometheus/console_libraries' - - '--web.console.templates=/usr/share/prometheus/consoles' - labels: - - "traefik.enable=true" - ## HTTP Routers - - "traefik.http.routers.prometheus-rtr-http.entrypoints=http" - - "traefik.http.routers.prometheus-rtr-http.rule=Host(`prometheus.jingoh.fr`)" - - "traefik.http.routers.prometheus-rtr-http.middlewares=redirect-to-https" - # HTTPS - - "traefik.http.routers.prometheus-rtr.entrypoints=https" - - "traefik.http.routers.prometheus-rtr.rule=Host(`prometheus.jingoh.fr`)" - - "traefik.http.routers.prometheus-rtr.service=prometheus-svc" - - "traefik.http.services.prometheus-svc.loadbalancer.server.port=9090" - - "traefik.docker.network=t2_proxy" - ## Middlewares - - "traefik.http.routers.prometheus-rtr.middlewares=prometheus-basic" - - "traefik.http.middlewares.prometheus-basic.basicauth.users=jingohprom:$$2y$$05$$7cf/zuj8lI4Gt9K3xfWEKu.hKwzi1lxsjImgvSc9tHZ0QqHOxagH." 
- ## TLS - - "traefik.http.routers.prometheus-rtr.tls.certresolver=letsencrypt-resolver" +# prometheus: +# restart: always +# security_opt: +# - no-new-privileges:true # See EXTENSION FIELDS at the top +# image: prom/prometheus:latest +# container_name: prometheus +# user: root +# networks: +# t2_proxy: +# ipv4_address: 192.168.90.176 +# volumes: +# - ./prometheus/prometheus:/etc/prometheus/ +# - ./prometheus/prometheus_data:/prometheus +# command: +# - '--config.file=/etc/prometheus/prometheus.yml' +# - '--storage.tsdb.path=/prometheus' +# - '--web.console.libraries=/usr/share/prometheus/console_libraries' +# - '--web.console.templates=/usr/share/prometheus/consoles' +# labels: +# - "traefik.enable=true" +# ## HTTP Routers +# - "traefik.http.routers.prometheus-rtr-http.entrypoints=http" +# - "traefik.http.routers.prometheus-rtr-http.rule=Host(`prometheus.jingoh.fr`)" +# - "traefik.http.routers.prometheus-rtr-http.middlewares=redirect-to-https" +# # HTTPS +# - "traefik.http.routers.prometheus-rtr.entrypoints=https" +# - "traefik.http.routers.prometheus-rtr.rule=Host(`prometheus.jingoh.fr`)" +# - "traefik.http.routers.prometheus-rtr.service=prometheus-svc" +# - "traefik.http.services.prometheus-svc.loadbalancer.server.port=9090" +# - "traefik.docker.network=t2_proxy" +# ## Middlewares +# - "traefik.http.routers.prometheus-rtr.middlewares=prometheus-basic" +# - "traefik.http.middlewares.prometheus-basic.basicauth.users=jingohprom:$$2y$$05$$7cf/zuj8lI4Gt9K3xfWEKu.hKwzi1lxsjImgvSc9tHZ0QqHOxagH." 
+# ## TLS +# - "traefik.http.routers.prometheus-rtr.tls.certresolver=letsencrypt-resolver" - # https://pieterhollander.nl/post/bitwarden/ - # https://github.com/dani-garcia/vaultwarden/blob/main/.env.template - # https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples - vaultwarden: - restart: always - security_opt: - - no-new-privileges:true # See EXTENSION FIELDS at the top - image: vaultwarden/server:latest - container_name: vault - environment: - TZ: Europe/Paris - PUID: 1000 - PGID: 1000 - WEBSOCKET_ENABLED: 1 - ROCKET_PORT: 80 - DOMAIN: https://vault.jingoh.fr - ADMIN_TOKEN: BwI1E5Sqb6clUpsAfXdlkMnQuzwTh7pFPpqK6V8RII/CuBqgbNhj325ynL40dfjs - LOG_FILE: /var/log/vaultwarden.log - SIGNUPS_ALLOWED: "false" - networks: - t2_proxy: - ipv4_address: 192.168.90.177 - volumes: - - ./vaultwarden:/data - - ./logs/homeserver/vaultwarden.log:/var/log/vaultwarden.log - labels: - - traefik.enable=true - ## HTTP Routers - - "traefik.http.routers.bitwarden-rtr-http.entrypoints=http" - - "traefik.http.routers.bitwarden-rtr-http.rule=Host(`bitwarden.jingoh.fr`)" - - "traefik.http.routers.bitwarden-rtr-http.middlewares=redirect-to-https" - ## HTTPS Routers - - traefik.docker.network=t2_proxy - - traefik.http.routers.bitwarden-rtr.entrypoints=https - - traefik.http.routers.bitwarden-rtr.rule=Host(`vault.jingoh.fr`) - - traefik.http.routers.bitwarden-rtr.tls=true - - traefik.http.routers.bitwarden-rtr.service=bitwarden-svc - - traefik.http.services.bitwarden-svc.loadbalancer.server.port=80 - - traefik.http.routers.bitwarden-websocket-rtr.entrypoints=https - - traefik.http.routers.bitwarden-websocket-rtr.rule=Host(`vault.jingoh.fr`) && Path(`/notifications/hub`) - - traefik.http.routers.bitwarden-websocket-rtr.service=bitwarden-websocket-svc - - traefik.http.services.bitwarden-websocket-svc.loadbalancer.server.port=3012 - ## TLS - - "traefik.http.routers.bitwarden-rtr.tls.certresolver=letsencrypt-resolver" - - 
"traefik.http.routers.bitwarden-websocket-rtr.tls.certresolver=letsencrypt-resolver" +# # https://pieterhollander.nl/post/bitwarden/ +# # https://github.com/dani-garcia/vaultwarden/blob/main/.env.template +# # https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples +# vaultwarden: +# restart: always +# security_opt: +# - no-new-privileges:true # See EXTENSION FIELDS at the top +# image: vaultwarden/server:latest +# container_name: vault +# environment: +# TZ: Europe/Paris +# PUID: 1000 +# PGID: 1000 +# WEBSOCKET_ENABLED: 1 +# ROCKET_PORT: 80 +# DOMAIN: https://vault.jingoh.fr +# ADMIN_TOKEN: BwI1E5Sqb6clUpsAfXdlkMnQuzwTh7pFPpqK6V8RII/CuBqgbNhj325ynL40dfjs +# LOG_FILE: /var/log/vaultwarden.log +# SIGNUPS_ALLOWED: "false" +# networks: +# t2_proxy: +# ipv4_address: 192.168.90.177 +# volumes: +# - ./vaultwarden:/data +# - ./logs/homeserver/vaultwarden.log:/var/log/vaultwarden.log +# labels: +# - traefik.enable=true +# ## HTTP Routers +# - "traefik.http.routers.bitwarden-rtr-http.entrypoints=http" +# - "traefik.http.routers.bitwarden-rtr-http.rule=Host(`bitwarden.jingoh.fr`)" +# - "traefik.http.routers.bitwarden-rtr-http.middlewares=redirect-to-https" +# ## HTTPS Routers +# - traefik.docker.network=t2_proxy +# - traefik.http.routers.bitwarden-rtr.entrypoints=https +# - traefik.http.routers.bitwarden-rtr.rule=Host(`vault.jingoh.fr`) +# - traefik.http.routers.bitwarden-rtr.tls=true +# - traefik.http.routers.bitwarden-rtr.service=bitwarden-svc +# - traefik.http.services.bitwarden-svc.loadbalancer.server.port=80 +# - traefik.http.routers.bitwarden-websocket-rtr.entrypoints=https +# - traefik.http.routers.bitwarden-websocket-rtr.rule=Host(`vault.jingoh.fr`) && Path(`/notifications/hub`) +# - traefik.http.routers.bitwarden-websocket-rtr.service=bitwarden-websocket-svc +# - traefik.http.services.bitwarden-websocket-svc.loadbalancer.server.port=3012 +# ## TLS +# - "traefik.http.routers.bitwarden-rtr.tls.certresolver=letsencrypt-resolver" +# - 
"traefik.http.routers.bitwarden-websocket-rtr.tls.certresolver=letsencrypt-resolver" - homepage: - restart: always - security_opt: - - no-new-privileges:true # See EXTENSION FIELDS at the top - image: ghcr.io/gethomepage/homepage:latest - container_name: homepage - networks: - t2_proxy: - ipv4_address: 192.168.90.178 - volumes: - - ./homepage/homepage:/app/config - - ./homepage/icons:/app/public/icons - - "/var/run/docker.sock:/var/run/docker.sock" - labels: - - traefik.enable=true - ## HTTP Routers - - "traefik.http.routers.homepage-rtr-http.entrypoints=http" - - "traefik.http.routers.homepage-rtr-http.rule=Host(`homepage.jingoh.fr`)" - - "traefik.http.routers.homepage-rtr-http.middlewares=redirect-to-https" - ## HTTPS Routers - - traefik.docker.network=t2_proxy - - traefik.http.routers.homepage-rtr.entrypoints=https - - traefik.http.routers.homepage-rtr.rule=Host(`homepage.jingoh.fr`) - - traefik.http.routers.homepage-rtr.tls=true - - traefik.http.routers.homepage-rtr.service=homepage-svc - - traefik.http.services.homepage-svc.loadbalancer.server.port=3000 - ## TLS - - "traefik.http.routers.homepage-rtr.tls.certresolver=letsencrypt-resolver" +# homepage: +# restart: always +# security_opt: +# - no-new-privileges:true # See EXTENSION FIELDS at the top +# image: ghcr.io/gethomepage/homepage:latest +# container_name: homepage +# networks: +# t2_proxy: +# ipv4_address: 192.168.90.178 +# volumes: +# - ./homepage/homepage:/app/config +# - ./homepage/icons:/app/public/icons +# - "/var/run/docker.sock:/var/run/docker.sock" +# labels: +# - traefik.enable=true +# ## HTTP Routers +# - "traefik.http.routers.homepage-rtr-http.entrypoints=http" +# - "traefik.http.routers.homepage-rtr-http.rule=Host(`homepage.jingoh.fr`)" +# - "traefik.http.routers.homepage-rtr-http.middlewares=redirect-to-https" +# ## HTTPS Routers +# - traefik.docker.network=t2_proxy +# - traefik.http.routers.homepage-rtr.entrypoints=https +# - traefik.http.routers.homepage-rtr.rule=Host(`homepage.jingoh.fr`) 
+# - traefik.http.routers.homepage-rtr.tls=true +# - traefik.http.routers.homepage-rtr.service=homepage-svc +# - traefik.http.services.homepage-svc.loadbalancer.server.port=3000 +# ## TLS +# - "traefik.http.routers.homepage-rtr.tls.certresolver=letsencrypt-resolver" - registry: - restart: always - security_opt: - - no-new-privileges:true # See EXTENSION FIELDS at the top - image: registry:2 - container_name: registry - networks: - t2_proxy: - ipv4_address: 192.168.90.179 - environment: - REGISTRY_STORAGE_DELETE_ENABLED: 'true' - volumes: - - ./registry/data:/var/lib/registry +# registry: +# restart: always +# security_opt: +# - no-new-privileges:true # See EXTENSION FIELDS at the top +# image: registry:2 +# container_name: registry +# networks: +# t2_proxy: +# ipv4_address: 192.168.90.179 +# environment: +# REGISTRY_STORAGE_DELETE_ENABLED: 'true' +# volumes: +# - ./registry/data:/var/lib/registry - registry-ui: - restart: always - security_opt: - - no-new-privileges:true # See EXTENSION FIELDS at the top - image: joxit/docker-registry-ui:latest - expose: - - 80 - environment: - - DELETE_IMAGES=true - - NGINX_PROXY_PASS_URL=http://registry:5000 - - SINGLE_REGISTRY=true - - REGISTRY_TITLE= 🧱 Jingoh Container Registry 🧱 - container_name: registry-ui - networks: - t2_proxy: - ipv4_address: 192.168.90.180 - depends_on: - - registry - labels: - - traefik.enable=true - ## HTTP Routers - - traefik.http.routers.registry-rtr-http.entrypoints=http - - traefik.http.routers.registry-rtr-http.rule=Host(`registry.jingoh.fr`) - - traefik.http.routers.registry-rtr-http.middlewares=redirect-to-https - ## HTTPS Routers - - traefik.docker.network=t2_proxy - - traefik.http.routers.registry-rtr.entrypoints=https - - traefik.http.routers.registry-rtr.rule=Host(`registry.jingoh.fr`) - - traefik.http.routers.registry-rtr.tls=true - - traefik.http.routers.registry-rtr.service=registry-svc - - traefik.http.services.registry-svc.loadbalancer.server.port=80 - ## TLS - - 
traefik.http.routers.registry-rtr.tls.certresolver=letsencrypt-resolver - ## Middlewares - - "traefik.http.routers.registry-rtr.middlewares=registry-basic" - - "traefik.http.middlewares.registry-basic.basicauth.users=jingohdocker:$$2y$$05$$dEBjltxSmPyUuQG3ewQXSu8ez97J8562/XhoDw6AoLbmc3ZQTKg4C" +# registry-ui: +# restart: always +# security_opt: +# - no-new-privileges:true # See EXTENSION FIELDS at the top +# image: joxit/docker-registry-ui:latest +# expose: +# - 80 +# environment: +# - DELETE_IMAGES=true +# - NGINX_PROXY_PASS_URL=http://registry:5000 +# - SINGLE_REGISTRY=true +# - REGISTRY_TITLE= 🧱 Jingoh Container Registry 🧱 +# container_name: registry-ui +# networks: +# t2_proxy: +# ipv4_address: 192.168.90.180 +# depends_on: +# - registry +# labels: +# - traefik.enable=true +# ## HTTP Routers +# - traefik.http.routers.registry-rtr-http.entrypoints=http +# - traefik.http.routers.registry-rtr-http.rule=Host(`registry.jingoh.fr`) +# - traefik.http.routers.registry-rtr-http.middlewares=redirect-to-https +# ## HTTPS Routers +# - traefik.docker.network=t2_proxy +# - traefik.http.routers.registry-rtr.entrypoints=https +# - traefik.http.routers.registry-rtr.rule=Host(`registry.jingoh.fr`) +# - traefik.http.routers.registry-rtr.tls=true +# - traefik.http.routers.registry-rtr.service=registry-svc +# - traefik.http.services.registry-svc.loadbalancer.server.port=80 +# ## TLS +# - traefik.http.routers.registry-rtr.tls.certresolver=letsencrypt-resolver +# ## Middlewares +# - "traefik.http.routers.registry-rtr.middlewares=registry-basic" +# - "traefik.http.middlewares.registry-basic.basicauth.users=jingohdocker:$$2y$$05$$dEBjltxSmPyUuQG3ewQXSu8ez97J8562/XhoDw6AoLbmc3ZQTKg4C" - alert: - restart: always - security_opt: - - no-new-privileges:true # See EXTENSION FIELDS at the top - image: binwiederhier/ntfy:latest - container_name: alert - networks: - t2_proxy: - ipv4_address: 192.168.90.181 - volumes: - - ./alertmanager/config/alertmanager.yml:/etc/ntfy/server.yml - - 
./alertmanager/cache/:/var/cache/ntfy/ - command: serve - expose: - - 80 - labels: - - traefik.enable=true - ## HTTP Routers - - traefik.http.routers.alertmanager-rtr-http.entrypoints=http - - traefik.http.routers.alertmanager-rtr-http.rule=Host(`alert.jingoh.fr`) - - traefik.http.routers.alertmanager-rtr-http.middlewares=redirect-to-https - ## HTTPS Routers - - traefik.docker.network=t2_proxy - - traefik.http.routers.alertmanager-rtr.entrypoints=https - - traefik.http.routers.alertmanager-rtr.rule=Host(`alert.jingoh.fr`) - - traefik.http.routers.alertmanager-rtr.tls=true - - traefik.http.routers.alertmanager-rtr.service=alertmanager-svc - - traefik.http.services.alertmanager-svc.loadbalancer.server.port=80 - ## TLS - - traefik.http.routers.alertmanager-rtr.tls.certresolver=letsencrypt-resolver - ## Middlewares - - "traefik.http.routers.alertmanager-rtr.middlewares=alertmanager-basic" - - "traefik.http.middlewares.alertmanager-basic.basicauth.users=jingohalert:$$2y$$05$$dEBjltxSmPyUuQG3ewQXSu8ez97J8562/XhoDw6AoLbmc3ZQTKg4C" +# alert: +# restart: always +# security_opt: +# - no-new-privileges:true # See EXTENSION FIELDS at the top +# image: binwiederhier/ntfy:latest +# container_name: alert +# networks: +# t2_proxy: +# ipv4_address: 192.168.90.181 +# volumes: +# - ./alertmanager/config/alertmanager.yml:/etc/ntfy/server.yml +# - ./alertmanager/cache/:/var/cache/ntfy/ +# command: serve +# expose: +# - 80 +# labels: +# - traefik.enable=true +# ## HTTP Routers +# - traefik.http.routers.alertmanager-rtr-http.entrypoints=http +# - traefik.http.routers.alertmanager-rtr-http.rule=Host(`alert.jingoh.fr`) +# - traefik.http.routers.alertmanager-rtr-http.middlewares=redirect-to-https +# ## HTTPS Routers +# - traefik.docker.network=t2_proxy +# - traefik.http.routers.alertmanager-rtr.entrypoints=https +# - traefik.http.routers.alertmanager-rtr.rule=Host(`alert.jingoh.fr`) +# - traefik.http.routers.alertmanager-rtr.tls=true +# - 
traefik.http.routers.alertmanager-rtr.service=alertmanager-svc +# - traefik.http.services.alertmanager-svc.loadbalancer.server.port=80 +# ## TLS +# - traefik.http.routers.alertmanager-rtr.tls.certresolver=letsencrypt-resolver +# ## Middlewares +# - "traefik.http.routers.alertmanager-rtr.middlewares=alertmanager-basic" +# - "traefik.http.middlewares.alertmanager-basic.basicauth.users=jingohalert:$$2y$$05$$dEBjltxSmPyUuQG3ewQXSu8ez97J8562/XhoDw6AoLbmc3ZQTKg4C" - exporter: - image: prom/node-exporter:latest - container_name: exporter - restart: always - security_opt: - - no-new-privileges:true # See EXTENSION FIELDS at the top - user: root - volumes: - - /:/host:ro - command: - - '--path.procfs=/host/proc' - - '--path.rootfs=/rootfs' - - '--path.sysfs=/host/sys' - - '--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)' - networks: - t2_proxy: - ipv4_address: 192.168.90.183 - labels: - - traefik.enable=true - ## HTTP Routers - - traefik.http.routers.exporter-rtr-http.entrypoints=http - - traefik.http.routers.exporter-rtr-http.rule=Host(`exporter.jingoh.fr`) - - traefik.http.routers.exporter-rtr-http.middlewares=redirect-to-https - ## HTTPS Routers - - traefik.docker.network=t2_proxy - - traefik.http.routers.exporter-rtr.entrypoints=https - - traefik.http.routers.exporter-rtr.rule=Host(`exporter.jingoh.fr`) - - traefik.http.routers.exporter-rtr.tls=true - - traefik.http.routers.exporter-rtr.service=exporter-svc - - traefik.http.services.exporter-svc.loadbalancer.server.port=9100 - ## TLS - - traefik.http.routers.exporter-rtr.tls.certresolver=letsencrypt-resolver - ## Middlewares - - "traefik.http.routers.exporter-rtr.middlewares=exporter-basic" - - "traefik.http.middlewares.exporter-basic.basicauth.users=jingohblack:$$2y$$05$$Y8dT7mF46c0aSOyDb7Jq9.TisInl3dzuWSSwkXM08r1Q331HQ/b.C" +# exporter: +# image: prom/node-exporter:latest +# container_name: exporter +# restart: always +# security_opt: +# - no-new-privileges:true # See EXTENSION FIELDS at 
the top +# user: root +# volumes: +# - /:/host:ro +# command: +# - '--path.procfs=/host/proc' +# - '--path.rootfs=/rootfs' +# - '--path.sysfs=/host/sys' +# - '--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)' +# networks: +# t2_proxy: +# ipv4_address: 192.168.90.183 +# labels: +# - traefik.enable=true +# ## HTTP Routers +# - traefik.http.routers.exporter-rtr-http.entrypoints=http +# - traefik.http.routers.exporter-rtr-http.rule=Host(`exporter.jingoh.fr`) +# - traefik.http.routers.exporter-rtr-http.middlewares=redirect-to-https +# ## HTTPS Routers +# - traefik.docker.network=t2_proxy +# - traefik.http.routers.exporter-rtr.entrypoints=https +# - traefik.http.routers.exporter-rtr.rule=Host(`exporter.jingoh.fr`) +# - traefik.http.routers.exporter-rtr.tls=true +# - traefik.http.routers.exporter-rtr.service=exporter-svc +# - traefik.http.services.exporter-svc.loadbalancer.server.port=9100 +# ## TLS +# - traefik.http.routers.exporter-rtr.tls.certresolver=letsencrypt-resolver +# ## Middlewares +# - "traefik.http.routers.exporter-rtr.middlewares=exporter-basic" +# - "traefik.http.middlewares.exporter-basic.basicauth.users=jingohblack:$$2y$$05$$Y8dT7mF46c0aSOyDb7Jq9.TisInl3dzuWSSwkXM08r1Q331HQ/b.C" - ara-ui: - image: recordsansible/ara-api:latest - restart: always - security_opt: - - no-new-privileges:true # See EXTENSION FIELDS at the top - environment: - - ARA_ALLOWED_HOSTS=["ara.jingoh.fr", "localhost"] - - ARA_DATABASE_ENGINE=django.db.backends.postgresql - - ARA_DATABASE_HOST=ara-db - - ARA_DATABASE_NAME=ara - - ARA_DATABASE_PASSWORD=ara - - ARA_DATABASE_USER=ara - - ARA_DATABASE_PORT=5432 - container_name: ara-ui - networks: - t2_proxy: - ipv4_address: 192.168.90.184 - labels: - - traefik.enable=true - ## HTTP Routers - - traefik.http.routers.ansible-rtr-http.entrypoints=http - - traefik.http.routers.ansible-rtr-http.rule=Host(`ara.jingoh.fr`) - - traefik.http.routers.ansible-rtr-http.middlewares=redirect-to-https - ## HTTPS Routers - - 
traefik.docker.network=t2_proxy - - traefik.http.routers.ansible-rtr.entrypoints=https - - traefik.http.routers.ansible-rtr.rule=Host(`ara.jingoh.fr`) - - traefik.http.routers.ansible-rtr.tls=true - - traefik.http.routers.ansible-rtr.service=ansible-svc - - traefik.http.services.ansible-svc.loadbalancer.server.port=8000 - ## TLS - - traefik.http.routers.ansible-rtr.tls.certresolver=letsencrypt-resolver - ## Middlewares - - "traefik.http.routers.ansible-rtr.middlewares=ansible-basic" - - "traefik.http.middlewares.ansible-basic.basicauth.users=jingohblack:$$2y$$05$$Y8dT7mF46c0aSOyDb7Jq9.TisInl3dzuWSSwkXM08r1Q331HQ/b.C" - - "traefik.http.middlewares.ansible-basic.basicauth.removeheader=true" +# ara-ui: +# image: recordsansible/ara-api:latest +# restart: always +# security_opt: +# - no-new-privileges:true # See EXTENSION FIELDS at the top +# environment: +# - ARA_ALLOWED_HOSTS=["ara.jingoh.fr", "localhost"] +# - ARA_DATABASE_ENGINE=django.db.backends.postgresql +# - ARA_DATABASE_HOST=ara-db +# - ARA_DATABASE_NAME=ara +# - ARA_DATABASE_PASSWORD=ara +# - ARA_DATABASE_USER=ara +# - ARA_DATABASE_PORT=5432 +# container_name: ara-ui +# networks: +# t2_proxy: +# ipv4_address: 192.168.90.184 +# labels: +# - traefik.enable=true +# ## HTTP Routers +# - traefik.http.routers.ansible-rtr-http.entrypoints=http +# - traefik.http.routers.ansible-rtr-http.rule=Host(`ara.jingoh.fr`) +# - traefik.http.routers.ansible-rtr-http.middlewares=redirect-to-https +# ## HTTPS Routers +# - traefik.docker.network=t2_proxy +# - traefik.http.routers.ansible-rtr.entrypoints=https +# - traefik.http.routers.ansible-rtr.rule=Host(`ara.jingoh.fr`) +# - traefik.http.routers.ansible-rtr.tls=true +# - traefik.http.routers.ansible-rtr.service=ansible-svc +# - traefik.http.services.ansible-svc.loadbalancer.server.port=8000 +# ## TLS +# - traefik.http.routers.ansible-rtr.tls.certresolver=letsencrypt-resolver +# ## Middlewares +# - "traefik.http.routers.ansible-rtr.middlewares=ansible-basic" +# - 
"traefik.http.middlewares.ansible-basic.basicauth.users=jingohblack:$$2y$$05$$Y8dT7mF46c0aSOyDb7Jq9.TisInl3dzuWSSwkXM08r1Q331HQ/b.C" +# - "traefik.http.middlewares.ansible-basic.basicauth.removeheader=true" - ara-db: - restart: always - security_opt: - - no-new-privileges:true # See EXTENSION FIELDS at the top - image: postgres:14 - container_name: ara-db - networks: - t2_proxy: - ipv4_address: 192.168.90.185 - environment: - TZ: Europe/Paris - PUID: 1000 - PGID: 1000 - POSTGRES_USER: ara - POSTGRES_PASSWORD: ara - POSTGRES_DB: ara - volumes: - - ./ara:/var/lib/postgresql/data - - /etc/timezone:/etc/timezone:ro - - /etc/localtime:/etc/localtime:ro - labels: - - traefik.enable=false +# ara-db: +# restart: always +# security_opt: +# - no-new-privileges:true # See EXTENSION FIELDS at the top +# image: postgres:14 +# container_name: ara-db +# networks: +# t2_proxy: +# ipv4_address: 192.168.90.185 +# environment: +# TZ: Europe/Paris +# PUID: 1000 +# PGID: 1000 +# POSTGRES_USER: ara +# POSTGRES_PASSWORD: ara +# POSTGRES_DB: ara +# volumes: +# - ./ara:/var/lib/postgresql/data +# - /etc/timezone:/etc/timezone:ro +# - /etc/localtime:/etc/localtime:ro +# labels: +# - traefik.enable=false - semaphore-db: - restart: always - security_opt: - - no-new-privileges:true # See EXTENSION FIELDS at the top - container_name: semaphore-db - image: postgres:14 - hostname: postgres - networks: - t2_proxy: - ipv4_address: 192.168.90.186 - volumes: - - ./semaphore/semaphore-db:/var/lib/postgresql/data - environment: - POSTGRES_USER: semaphore - POSTGRES_PASSWORD: uu~Y8aic - POSTGRES_DB: semaphore - labels: - - traefik.enable=false +# semaphore-db: +# restart: always +# security_opt: +# - no-new-privileges:true # See EXTENSION FIELDS at the top +# container_name: semaphore-db +# image: postgres:14 +# hostname: postgres +# networks: +# t2_proxy: +# ipv4_address: 192.168.90.186 +# volumes: +# - ./semaphore/semaphore-db:/var/lib/postgresql/data +# environment: +# POSTGRES_USER: semaphore +# 
POSTGRES_PASSWORD: uu~Y8aic +# POSTGRES_DB: semaphore +# labels: +# - traefik.enable=false - semaphore: - restart: always - security_opt: - - no-new-privileges:true # See EXTENSION FIELDS at the top - expose: - - 3000 - container_name: semaphore - image: semaphoreui/semaphore:latest - user: "${UID}:${GID}" - networks: - t2_proxy: - ipv4_address: 192.168.90.187 - environment: - - SEMAPHORE_DB_USER=semaphore - - SEMAPHORE_DB_PASS=uu~Y8aic - - SEMAPHORE_DB_HOST=semaphore-db - - SEMAPHORE_DB_PORT=5432 - - SEMAPHORE_DB_DIALECT=postgres - - SEMAPHORE_DB=semaphore - - SEMAPHORE_PLAYBOOK_PATH=/tmp/semaphore/ - - SEMAPHORE_ADMIN_PASSWORD=uu~Y8aic - - SEMAPHORE_ADMIN_NAME=admin - - SEMAPHORE_ADMIN_EMAIL=admin@localhost - - SEMAPHORE_ADMIN=admin - - SEMAPHORE_ACCESS_KEY_ENCRYPTION=ShbKLtVWr5yB/G1WO3DOEU5Il0JBlcN//4mpErpSwpQ= # add to your access key encryption ! - - ANSIBLE_HOST_KEY_CHECKING=false # (optional) change to true if you want to enable host key checking - volumes: - - ./semaphore/inventory/:/inventory:ro - - ./semaphore/authorized-keys/:/authorized-keys:ro - - ./semaphore/config/:/etc/semaphore:rw - depends_on: - - semaphore-db - labels: - - traefik.enable=true - ## HTTP Routers - - traefik.http.routers.semaphore-rtr-http.entrypoints=http - - traefik.http.routers.semaphore-rtr-http.rule=Host(`semaphore.jingoh.fr`) - - traefik.http.routers.semaphore-rtr-http.middlewares=redirect-to-https - ## HTTPS Routers - - traefik.docker.network=t2_proxy - - traefik.http.routers.semaphore-rtr.entrypoints=https - - traefik.http.routers.semaphore-rtr.rule=Host(`semaphore.jingoh.fr`) - - traefik.http.routers.semaphore-rtr.tls=true - - traefik.http.routers.semaphore-rtr.service=semaphore-svc - - traefik.http.services.semaphore-svc.loadbalancer.server.port=3000 - # ## WEBSOCKET - # - traefik.http.routers.semaphore-websocket-rtr.entrypoints=https - # - traefik.http.routers.semaphore-websocket-rtr.rule=Host(`semaphore.jingoh.fr`) && Path(`/api/ws`) - # - 
traefik.http.routers.semaphore-websocket-rtr.service=semaphore-websocket-svc - # - traefik.http.services.semaphore-websocket-svc.loadbalancer.server.port=3000 - ## TLS - - traefik.http.routers.semaphore-rtr.tls.certresolver=letsencrypt-resolver - # ## Middlewares - # - "traefik.http.routers.semaphore-rtr.middlewares=semaphore-basic" - # - "traefik.http.middlewares.semaphore-basic.basicauth.users=jingohblack:$$2y$$05$$Y8dT7mF46c0aSOyDb7Jq9.TisInl3dzuWSSwkXM08r1Q331HQ/b.C" - # - "traefik.http.middlewares.semaphore-basic.basicauth.removeheader=true" +# semaphore: +# restart: always +# security_opt: +# - no-new-privileges:true # See EXTENSION FIELDS at the top +# expose: +# - 3000 +# container_name: semaphore +# image: semaphoreui/semaphore:latest +# user: "${UID}:${GID}" +# networks: +# t2_proxy: +# ipv4_address: 192.168.90.187 +# environment: +# - SEMAPHORE_DB_USER=semaphore +# - SEMAPHORE_DB_PASS=uu~Y8aic +# - SEMAPHORE_DB_HOST=semaphore-db +# - SEMAPHORE_DB_PORT=5432 +# - SEMAPHORE_DB_DIALECT=postgres +# - SEMAPHORE_DB=semaphore +# - SEMAPHORE_PLAYBOOK_PATH=/tmp/semaphore/ +# - SEMAPHORE_ADMIN_PASSWORD=uu~Y8aic +# - SEMAPHORE_ADMIN_NAME=admin +# - SEMAPHORE_ADMIN_EMAIL=admin@localhost +# - SEMAPHORE_ADMIN=admin +# - SEMAPHORE_ACCESS_KEY_ENCRYPTION=ShbKLtVWr5yB/G1WO3DOEU5Il0JBlcN//4mpErpSwpQ= # add to your access key encryption ! 
+# - ANSIBLE_HOST_KEY_CHECKING=false # (optional) change to true if you want to enable host key checking +# volumes: +# - ./semaphore/inventory/:/inventory:ro +# - ./semaphore/authorized-keys/:/authorized-keys:ro +# - ./semaphore/config/:/etc/semaphore:rw +# depends_on: +# - semaphore-db +# labels: +# - traefik.enable=true +# ## HTTP Routers +# - traefik.http.routers.semaphore-rtr-http.entrypoints=http +# - traefik.http.routers.semaphore-rtr-http.rule=Host(`semaphore.jingoh.fr`) +# - traefik.http.routers.semaphore-rtr-http.middlewares=redirect-to-https +# ## HTTPS Routers +# - traefik.docker.network=t2_proxy +# - traefik.http.routers.semaphore-rtr.entrypoints=https +# - traefik.http.routers.semaphore-rtr.rule=Host(`semaphore.jingoh.fr`) +# - traefik.http.routers.semaphore-rtr.tls=true +# - traefik.http.routers.semaphore-rtr.service=semaphore-svc +# - traefik.http.services.semaphore-svc.loadbalancer.server.port=3000 +# # ## WEBSOCKET +# # - traefik.http.routers.semaphore-websocket-rtr.entrypoints=https +# # - traefik.http.routers.semaphore-websocket-rtr.rule=Host(`semaphore.jingoh.fr`) && Path(`/api/ws`) +# # - traefik.http.routers.semaphore-websocket-rtr.service=semaphore-websocket-svc +# # - traefik.http.services.semaphore-websocket-svc.loadbalancer.server.port=3000 +# ## TLS +# - traefik.http.routers.semaphore-rtr.tls.certresolver=letsencrypt-resolver +# # ## Middlewares +# # - "traefik.http.routers.semaphore-rtr.middlewares=semaphore-basic" +# # - "traefik.http.middlewares.semaphore-basic.basicauth.users=jingohblack:$$2y$$05$$Y8dT7mF46c0aSOyDb7Jq9.TisInl3dzuWSSwkXM08r1Q331HQ/b.C" +# # - "traefik.http.middlewares.semaphore-basic.basicauth.removeheader=true" - # qBittorrent - Torrent downloader - # Needs trailing / if using PathPrefixStrip - # qbittorrent: - # <<: *common-keys-apps # See EXTENSION FIELDS at the top - # image: lscr.io/linuxserver/qbittorrent:latest - # container_name: qbittorrent - # networks: - # t2_proxy: - # ipv4_address: 192.168.90.174 - # 
volumes: - # - ./qbittorrent:/config - # - ./downloads:/downloads - # environment: - # # TZ: Europe/Paris - # PUID: 1000 - # PGID: 1000 - # # UMASK_SET: 002 - # labels: - # - "traefik.enable=true" - # ## HTTP Routers - # - "traefik.http.routers.qbittorrent-rtr.entrypoints=https" - # - "traefik.http.routers.qbittorrent-rtr.rule=Host(`qbit.jingoh.fr`)" - # ## Middlewares - # - "traefik.http.routers.qbittorrent-rtr.middlewares=test-auth" - # ## Services - # - "traefik.http.routers.qbittorrent-rtr.service=qbittorrent-svc" - # - "traefik.http.services.qbittorrent-svc.loadbalancer.server.port=8168" - # # Anti ddos - # - "traefik.http.middlewares.qbittorrent-rtr-ratelimit.ratelimit.average=10" - # - "traefik.http.middlewares.qbittorrent-rtr-ratelimit.ratelimit.burst=10" - # - "traefik.http.middlewares.qbittorrent-rtr-ratelimit.ratelimit.period=1" - # - "traefik.http.routers.qbittorrent-rtr-ratelimit.middlewares=qbittorrent-rtr-ratelimit@docker" +# # qBittorrent - Torrent downloader +# # Needs trailing / if using PathPrefixStrip +# # qbittorrent: +# # <<: *common-keys-apps # See EXTENSION FIELDS at the top +# # image: lscr.io/linuxserver/qbittorrent:latest +# # container_name: qbittorrent +# # networks: +# # t2_proxy: +# # ipv4_address: 192.168.90.174 +# # volumes: +# # - ./qbittorrent:/config +# # - ./downloads:/downloads +# # environment: +# # # TZ: Europe/Paris +# # PUID: 1000 +# # PGID: 1000 +# # # UMASK_SET: 002 +# # labels: +# # - "traefik.enable=true" +# # ## HTTP Routers +# # - "traefik.http.routers.qbittorrent-rtr.entrypoints=https" +# # - "traefik.http.routers.qbittorrent-rtr.rule=Host(`qbit.jingoh.fr`)" +# # ## Middlewares +# # - "traefik.http.routers.qbittorrent-rtr.middlewares=test-auth" +# # ## Services +# # - "traefik.http.routers.qbittorrent-rtr.service=qbittorrent-svc" +# # - "traefik.http.services.qbittorrent-svc.loadbalancer.server.port=8168" +# # # Anti ddos +# # - "traefik.http.middlewares.qbittorrent-rtr-ratelimit.ratelimit.average=10" +# # - 
"traefik.http.middlewares.qbittorrent-rtr-ratelimit.ratelimit.burst=10" +# # - "traefik.http.middlewares.qbittorrent-rtr-ratelimit.ratelimit.period=1" +# # - "traefik.http.routers.qbittorrent-rtr-ratelimit.middlewares=qbittorrent-rtr-ratelimit@docker" - # docker run -p 9925:80 -v ./mealie:/app/data/ hkotel/mealie:latest +# # docker run -p 9925:80 -v ./mealie:/app/data/ hkotel/mealie:latest - mealie: - container_name: mealie - image: hkotel/mealie:latest - user: "${UID}:${GID}" - environment: - - DEFAULT_EMAIL=stephane.gratiasquiquandon@gmail.com - - DEFAULT_GROUP=manger - - BASE_URL=mealie.jingoh.fr - networks: - t2_proxy: - ipv4_address: 192.168.90.188 - volumes: - - ./mealie/:/app/data/ - restart: always - security_opt: - - no-new-privileges:true # See EXTENSION FIELDS at the top - labels: - - traefik.enable=true - ## HTTPS Routers - - traefik.docker.network=t2_proxy - - traefik.http.routers.mealie-rtr.entrypoints=https - - traefik.http.routers.mealie-rtr.rule=Host(`mealie.jingoh.fr`) - - traefik.http.routers.mealie-rtr.tls=true - - traefik.http.routers.mealie-rtr.service=mealie-svc - - traefik.http.services.mealie-svc.loadbalancer.server.port=80 - ## TLS - - traefik.http.routers.mealie-rtr.tls.certresolver=letsencrypt-resolver +# mealie: +# container_name: mealie +# image: hkotel/mealie:latest +# user: "${UID}:${GID}" +# environment: +# - DEFAULT_EMAIL=stephane.gratiasquiquandon@gmail.com +# - DEFAULT_GROUP=manger +# - BASE_URL=mealie.jingoh.fr +# networks: +# t2_proxy: +# ipv4_address: 192.168.90.188 +# volumes: +# - ./mealie/:/app/data/ +# restart: always +# security_opt: +# - no-new-privileges:true # See EXTENSION FIELDS at the top +# labels: +# - traefik.enable=true +# ## HTTPS Routers +# - traefik.docker.network=t2_proxy +# - traefik.http.routers.mealie-rtr.entrypoints=https +# - traefik.http.routers.mealie-rtr.rule=Host(`mealie.jingoh.fr`) +# - traefik.http.routers.mealie-rtr.tls=true +# - traefik.http.routers.mealie-rtr.service=mealie-svc +# - 
traefik.http.services.mealie-svc.loadbalancer.server.port=80 +# ## TLS +# - traefik.http.routers.mealie-rtr.tls.certresolver=letsencrypt-resolver - # homarr: - # container_name: homarr - # image: ghcr.io/ajnart/homarr:latest - # restart: unless-stopped - # networks: - # t2_proxy: - # ipv4_address: 192.168.90.189 - # volumes: - # - ./homarr/configs:/app/data/configs - # - ./homarr/icons:/app/public/icons - # labels: - # - traefik.enable=true - # ## HTTPS Routers - # - traefik.docker.network=t2_proxy - # - traefik.http.routers.homarr-rtr.entrypoints=https - # - traefik.http.routers.homarr-rtr.rule=Host(`homarr.jingoh.fr`) - # - traefik.http.routers.homarr-rtr.tls=true - # - traefik.http.routers.homarr-rtr.service=homarr-svc - # - traefik.http.services.homarr-svc.loadbalancer.server.port=7575 - # ## TLS - # - traefik.http.routers.homarr-rtr.tls.certresolver=letsencrypt-resolver - # ## Middleware IP whitelist - # - traefik.http.middlewares.dashboard-ipwhitelist.ipwhitelist.sourcerange=192.168.91.1/32 - # - traefik.http.routers.homarr-rtr.middlewares=dashboard-ipwhitelist +# # homarr: +# # container_name: homarr +# # image: ghcr.io/ajnart/homarr:latest +# # restart: unless-stopped +# # networks: +# # t2_proxy: +# # ipv4_address: 192.168.90.189 +# # volumes: +# # - ./homarr/configs:/app/data/configs +# # - ./homarr/icons:/app/public/icons +# # labels: +# # - traefik.enable=true +# # ## HTTPS Routers +# # - traefik.docker.network=t2_proxy +# # - traefik.http.routers.homarr-rtr.entrypoints=https +# # - traefik.http.routers.homarr-rtr.rule=Host(`homarr.jingoh.fr`) +# # - traefik.http.routers.homarr-rtr.tls=true +# # - traefik.http.routers.homarr-rtr.service=homarr-svc +# # - traefik.http.services.homarr-svc.loadbalancer.server.port=7575 +# # ## TLS +# # - traefik.http.routers.homarr-rtr.tls.certresolver=letsencrypt-resolver +# # ## Middleware IP whitelist +# # - traefik.http.middlewares.dashboard-ipwhitelist.ipwhitelist.sourcerange=192.168.91.1/32 +# # - 
traefik.http.routers.homarr-rtr.middlewares=dashboard-ipwhitelist - portainer: - container_name: portainer - image: portainer/portainer-ce:latest - restart: always - security_opt: - - no-new-privileges:true - networks: - t2_proxy: - ipv4_address: 192.168.90.190 - volumes: - - /etc/localtime:/etc/localtime:ro - - /var/run/docker.sock:/var/run/docker.sock:ro - - ./portainer/:/data/ - labels: - - traefik.enable=true - ## HTTPS Routers - - traefik.docker.network=t2_proxy - - traefik.http.routers.portainer-rtr.entrypoints=https - - traefik.http.routers.portainer-rtr.rule=Host(`docker.jingoh.fr`) - - traefik.http.routers.portainer-rtr.tls=true - - traefik.http.routers.portainer-rtr.service=portainer-svc - - traefik.http.services.portainer-svc.loadbalancer.server.port=9000 - ## TLS - - traefik.http.routers.homarr-rtr.tls.certresolver=letsencrypt-resolver - ## Middleware IP whitelist - # - traefik.http.middlewares.dashboard-ipwhitelist.ipwhitelist.sourcerange=192.168.91.1/32 - # - traefik.http.routers.homarr-rtr.middlewares=dashboard-ipwhitelist \ No newline at end of file +# portainer: +# container_name: portainer +# image: portainer/portainer-ce:latest +# restart: always +# security_opt: +# - no-new-privileges:true +# networks: +# t2_proxy: +# ipv4_address: 192.168.90.190 +# volumes: +# - /etc/localtime:/etc/localtime:ro +# - /var/run/docker.sock:/var/run/docker.sock:ro +# - ./portainer/:/data/ +# labels: +# - traefik.enable=true +# ## HTTPS Routers +# - traefik.docker.network=t2_proxy +# - traefik.http.routers.portainer-rtr.entrypoints=https +# - traefik.http.routers.portainer-rtr.rule=Host(`docker.jingoh.fr`) +# - traefik.http.routers.portainer-rtr.tls=true +# - traefik.http.routers.portainer-rtr.service=portainer-svc +# - traefik.http.services.portainer-svc.loadbalancer.server.port=9000 +# ## TLS +# - traefik.http.routers.homarr-rtr.tls.certresolver=letsencrypt-resolver +# ## Middleware IP whitelist +# # - 
traefik.http.middlewares.dashboard-ipwhitelist.ipwhitelist.sourcerange=192.168.91.1/32
+# # - traefik.http.routers.homarr-rtr.middlewares=dashboard-ipwhitelist
\ No newline at end of file
diff --git a/hosts b/hosts
index f4be70b..a54360a 100644
--- a/hosts
+++ b/hosts
@@ -1,53 +1,12 @@
-# Test VM vagrant
-; [kubernetes:children]
-; kubemaster
-; kubeworker
-
-; [kubemaster]
-; ovh_master ansible_host=37.187.127.90 ansible_user=stephane
-
 [netbird]
-ovh01 ansible_host=5.135.181.11 ansible_user=stephane
-scaleway_fr ansible_host=163.172.84.28 ansible_user=stephane
+node1 ansible_host=163.172.209.36 ansible_user=stephane
+node2 ansible_host=5.135.181.11 ansible_user=stephane
+scaleway ansible_host=163.172.84.28 ansible_user=stephane
 
 [controller]
 scaleway ansible_host=163.172.84.28 ansible_user=stephane
 
-[monitoring]
-ovh01 ansible_host=5.135.181.11 ansible_user=stephane
-; ubuntu ansible_host=192.168.0.22 ansible_user=vagrant ansible_password=vagrant
+[kubernetes]
+node1 ansible_host=163.172.209.36 ansible_user=stephane
+node2 ansible_host=5.135.181.11 ansible_user=stephane
 
-[elasticsearch]
-ubuntu ansible_host=192.168.0.26 ansible_user=vagrant ansible_password=vagrant
-
-[test]
-ubuntu ansible_host=192.168.0.26 ansible_user=vagrant ansible_password=vagrant
-
-; # TO KNOW WHOIS CHISEL SERVER
-; [server]
-; scaleway_fr ansible_host=163.172.84.28 ansible_user=stephane
-
-; [local]
-; vagrant ansible_host=192.168.33.10 ansible_user=vagrant ansible_password=vagrant
-; ubuntu-worker ansible_host=192.168.33.11 ansible_user=vagrant ansible_password=vagrant
-
-; [workers]
-; ubuntu-worker ansible_host=192.168.33.11 ansible_user=vagrant ansible_password=vagrant
-
-
-#kubectl label node ubuntu-worker node-role.kubernetes.io/worker ubuntu-worker
-
-
-
-[testswarm]
-manager ansible_host=192.168.50.4 ansible_user=vagrant ansible_password=vagrant ansible_become_password=vagrant
-worker1 ansible_host=192.168.50.40 ansible_user=vagrant ansible_password=vagrant ansible_become_password=vagrant
-worker2 ansible_host=192.168.50.44 ansible_user=vagrant ansible_password=vagrant ansible_become_password=vagrant
-
-
-[docker_swarm_manager]
-manager ansible_host=192.168.50.4 ansible_user=vagrant ansible_password=vagrant ansible_become_password=vagrant
-
-[docker_swarm_worker]
-worker1 ansible_host=192.168.50.40 ansible_user=vagrant ansible_password=vagrant ansible_become_password=vagrant
-worker2 ansible_host=192.168.50.44 ansible_user=vagrant ansible_password=vagrant ansible_become_password=vagrant
\ No newline at end of file
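Review bot: `scaleway ansible_host=163.172.84.28 ansible_user=stephane` is now declared verbatim in both `[netbird]` and `[controller]`, and `node1`/`node2` are likewise repeated in `[netbird]` and `[kubernetes]`; if one copy is later edited and the other is not, Ansible (as far as I recall) merges inline host vars with the last-parsed definition winning, so the address a play actually targets becomes ambiguous. Declare the connection vars once, for example in `host_vars/<name>.yml` or a single `[all]` stanza, and list only bare hostnames in the groups, e.g. `[controller]` followed by `scaleway`. All three hosts are reached over public addresses as `stephane` and nothing in this inventory pins their SSH host keys; if `host_key_checking` is relaxed in the ansible config (not visible here), the first run is trust-on-first-use against the open internet, so pre-seed known_hosts entries for the three IPs or point `ansible_ssh_common_args` at a `UserKnownHostsFile` you control.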