From c2542953ec0f5a02a826c239f65d1bc05ffda603 Mon Sep 17 00:00:00 2001
From: staffadmin
Date: Sun, 14 Jul 2024 17:04:14 +0200
Subject: [PATCH] up
---
 host_vars/scaleway.yml | 1227 ----------------------------------------
 roles/requirements.yml | 9 +-
 2 files changed, 4 insertions(+), 1232 deletions(-)
diff --git a/host_vars/scaleway.yml b/host_vars/scaleway.yml
index 607eb96..df6030c 100644
--- a/host_vars/scaleway.yml
+++ b/host_vars/scaleway.yml
@@ -9,1230 +9,3 @@ pip_install_packages:
 # netbird_setup_key: F234BD1F-385B-4BEA-8234-608CCB1062ED
 # netbird_register: true
-
-# #* TLS
-
-# node_exporter_tls_server_config:
-# cert_file: /etc/node_exporter/tls.cert
-# key_file: /etc/node_exporter/tls.key
-
-
-node_exporter_tls_server_config:
- cert_file: /etc/node_exporter/tls.cert
- key_file: /etc/node_exporter/tls.key
-
-# #* NODE_EXPORTER
-
-# # node_exporter_basic_auth_users:
-# # randomuser: examplepassword
-# node_exporter_web_listen_address: "{{ host_private_address }}:9100"
-
-
-
-# ########
-# # USER #
-# ########
-
-# management_user_list:
-# - name: stephane
-# shell: '/bin/bash'
-# authorized_keys:
-# - key: "ssh-rsa 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 stephane"
-# exclusive: yes
-# sudo:
-# hosts: ALL
-# as: ALL
-# commands: ALL
-# nopasswd: ALL
-
-
-# #######
-# # APT #
-# #######
-
-# apt_repositories_sources:
-# - deb http://mirrors.online.net/ubuntu focal main restricted
-# - deb http://mirrors.online.net/ubuntu focal-updates main restricted
-# - deb http://mirrors.online.net/ubuntu focal universe
-# - deb http://mirrors.online.net/ubuntu focal-updates universe
-# - deb http://mirrors.online.net/ubuntu focal multiverse
-# - deb http://mirrors.online.net/ubuntu focal-updates multiverse
-# - deb http://mirrors.online.net/ubuntu focal-backports main restricted universe multiverse
-# - deb http://security.ubuntu.com/ubuntu focal-security main restricted
-# - deb http://security.ubuntu.com/ubuntu focal-security universe
-# - deb http://security.ubuntu.com/ubuntu focal-security multiverse
-
-# apt_packages:
-# - name: openssh-server
-# - name: proxychains
-
-# ############
-# # ALERTING #
-# ############
-
-# alerts_cron:
-# - name: storage
-# weekday: 0
-# minute: 0
-# hour: 15
-# user: root
-# job: "/usr/local/scripts/alerts.sh storage >/dev/null 2>&1"
-# cron_file: alerts
-# - name: load
-# weekday: "*"
-# minute: "*/5"
-# hour: "*"
-# user: root
-# job: "/usr/local/scripts/alerts.sh load >/dev/null 2>&1"
-# cron_file: alerts
-# - name: cpu
-# weekday: "*"
-# minute: "*/5"
-# hour: "*"
-# user: root
-# job: "/usr/local/scripts/alerts.sh cpu >/dev/null 2>&1"
-# cron_file: alerts
-# - name: ping
-# weekday: "*"
-# minute: "*"
-# hour: 12
-# user: root
-# job: "/usr/local/scripts/alerts.sh ping >/dev/null 2>&1"
-# cron_file: alerts
-# - name: ssl
-# weekday: "*"
-# minute: 0
-# hour: 15
-# user: root
-# job: "/usr/local/scripts/alerts.sh ssl >/dev/null 2>&1"
-# cron_file: alerts
-# - name: storage
-# weekday: 0
-# minute: 0
-# hour: 15
-# user: root
-# job: "/usr/local/scripts/alerts.sh storage >/dev/null 2>&1"
-# cron_file: alerts
-# - name: backup_git
-# weekday: "*"
-# minute: 0
-# hour: 18
-# user: root
-# job: "/usr/local/scripts/alerts.sh backup_git >/dev/null 2>&1"
-# cron_file: alerts
-# - name: backup_vault
-# weekday: "*"
-# minute: 0
-# hour: 20
-# user: root
-# job: "/usr/local/scripts/alerts.sh backup_vault >/dev/null 2>&1"
-# cron_file: alerts
-
-# alerts_storage: scaleway
-# alerts_load: scaleway
-# alerts_ping: ovh
-# alerts_health: scaleway
-# alerts_backup_gitea: scaleway
-# alerts_backup_vault: scaleway
-# alerts_cpu: scaleway
-# alerts_ssl: scaleway
-
-# ##############
-# # LOG ROTATE #
-# ##############
-
-# logrotate_scripts:
-# - name: backup
-# paths:
-# - /opt/dockerapps/backup/*.zip
-# - /opt/dockerapps/vaultwarden/backup/*.tar.xz.gpg
-# options:
-# - daily
-# - rotate 4
-# - compress
-# - missingok
-# - notifempty
-# - create 0644 root root
-# - name: dockerapps-git
-# path: /opt/dockerapps/logs/homeserver/git*.log
-# options:
-# - rotate 12
-# - monthly
-# - compress
-# - missingok
-# - delaycompress
-# scripts:
-# postrotate: docker-compose restart gitea
-# - name: dockerapps-grafa
-# path: /opt/dockerapps/logs/homeserver/grafa*.log
-# options:
-# - rotate 12
-# - monthly
-# - compress
-# - missingok
-# - delaycompress
-# scripts:
-# postrotate: docker-compose restart grafana
-# - name: dockerapps-traef
-# path: /opt/dockerapps/logs/homeserver/traef*.log
-# options:
-# - rotate 12
-# - monthly
-# - compress
-# - missingok
-# - delaycompress
-# scripts:
-# postrotate: docker-compose restart traefik
-# - name: dockerapps-vault
-# path: /opt/dockerapps/logs/homeserver/vault*.log
-# options:
-# - rotate 12
-# - monthly
-# - compress
-# - missingok
-# - delaycompress
-# scripts:
-# postrotate: docker-compose restart vault
-# # name: restart gitea
-# # script: docker-compose restart gitea
-# # - postrotate: docker-compose restart vaultwarden
-# # - postrotate: docker-compose restart grafana
-# - name: dockerapps-backup
-# paths:
-# - /opt/dockerapps/backup/gitea-dump-*.zip.1.gz
-# - /opt/dockerapps/vaultwarden/backup/*gpg.1.gz
-# options:
-# - rotate 6
-# - monthly
-# - compress
-# - missingok
-# - delaycompress
-
-
-# ##########
-# # CHISEL #
-# ##########
-
-# # SHOULD BE IN [server] GROUP
-# chisel_server: true
-# chisel_basic_auth: "{{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}"
-# chisel_service_name: chisel-server
-# chisel_config_name: chisel-server
-# chisel_proxychains_conf:
-# # chisel enable socks5, reverse and basic auth
-# - path: "/etc/chisel/{{ chisel_config_name }}.conf"
-# regexp: "^SOCK5=--socks5"
-# state: present
-# line: "SOCK5=--socks5"
-# - path: "/etc/chisel/{{ chisel_config_name }}.conf"
-# regexp: "^PID=--reverse"
-# state: present
-# line: "PID=--reverse"
-# - path: "/etc/chisel/{{ chisel_config_name }}.conf"
-# regexp: "^AUTH=--auth {{ chisel_basic_auth }}"
-# state: present
-# line: "AUTH=--auth {{ chisel_basic_auth }}"
-# - path: "/etc/chisel/{{ chisel_config_name }}.conf"
-# regexp: "^HOST=--host {{ chisel_server_host }}"
-# state: present
-# line: "HOST=--host {{ chisel_server_host }}"
-# # proxychains replace socks4 to socks5
-# - path: "/etc/proxychains.conf"
-# regexp: "^socks4 127.0.0.1 9050"
-# state: "absent"
-# - path: "/etc/proxychains.conf"
-# regexp: "^socks5 {{ chisel_server_host }} 1080"
-# state: present
-# line: "socks5 {{ chisel_server_host }} 1080"
-
-
-
-
-# ##################
-# # DOCKER-COMPOSE #
-# ##################
-
-# dockerapp_tree_volumes:
-# # ALERT
-# - alertmanager
-# - alertmanager/cache
-# - alertmanager/config
-# #ARA
-# - ara
-# #BLACKBOX
-# - blackbox
-# - blackbox/config
-# #GIT
-# - gitea
-# - gitea/gitea
-# - gitea/db
-# - gitea/runner
-# #GRAF
-# - grafana
-# - grafana/etc
-# - grafana/lib
-# #HOMARR
-# - homarr
-# - homarr/configs
-# - homarr/icons
-# #HOME
-# - homepage
-# - homepage/homepage
-# - homepage/icons
-# #MEALIE
-# - mealie
-# #PORT
-# - portainer
-# #PROM
-# - prometheus
-# - prometheus/prometheus
-# - prometheus/prometheus_data
-# #REGISTRY
-# - registry
-# - registry/data
-# #SEMA
-# - semaphore
-# #TRAF
-# - traefik2
-# - traefik2/acme
-# - traefik2/rules
-# #VAULT
-# - vaultwarden
-# #WIRE
-# - wireguard
-# - wireguard/config
-# - wireguard/lib
-# - wireguard/lib/modules
-
-# dockerapp_tree_base_dir:
-# - "/opt/"
-# dockerapp_service: dockerapps
-# docker_install_compose: false
-# pip_executable: pip3
-# pip_install_packages:
-# - docker-compose
-
-# dockerapp_compose:
-# version: "3.9"
-# ######### IMPORTANT #############
-# # This is my main docker-compose file with most of the apps. I run docker on other systems with smaller stacks (web and synology).
-# # You can copy-paste services from one docker-compose file in this repo to another to add other apps.
-
-# # 90+ Open source docker stacks
-# #https://github.com/ethibox/awesome-stacks
-
-# #FROM
-# #https://github.com/htpcBeginner/docker-traefik/blob/master/docker-compose-t2.yml
-
-# ########################### SYSTEM DESCRIPTION
-# # DOCKER-COMPOSE FOR HOME/MEDIA SERVER
-# # PROXMOX HOST: Dual Intel Xeon 5420, 16 GB RAM, 240 GB SSD, and 2 TB HDD
-# # VM: 6 CORES, 12 GB RAM, Ubuntu 20.04, and Docker
-# # 32 GB for /, 64 GB for /var/lib/docker and transcoding, and 1.5 TB for non-critical data and rclone cache.
-# # Google Drive mounted using Rclone Docker for media and Proxmox backups
-
-# ########################### NETWORKS
-# # There is no need to create any networks outside this docker-compose file.
-# # You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please.
-# # Docker Compose version 3.5 or higher required to define networks this way.
-# networks:
-# t2_proxy:
-# name: t2_proxy
-# driver: bridge
-# ipam:
-# config:
-# - subnet: 192.168.90.0/24
-# default:
-# driver: bridge
-# socket_proxy:
-# name: socket_proxy
-# driver: bridge
-# ipam:
-# config:
-# - subnet: 192.168.91.0/24
-# ########################### EXTENSION FIELDS
-# # Helps eliminate repetition of sections
-# # More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228
-
-# # # Common environment values
-# # x-environment: &default-tz-puid-pgid
-# # TZ: Europe/Paris
-# # PUID: 1000
-# # PGID: 1000
-
-# # # Proxy Network and Security
-# # x-network-and-security: &network-and-security
-# # networks:
-# # - t2_proxy
-# # security_opt:
-# # - no-new-privileges:true
-
-# # # Keys common to some of the services in basic-services.txt
-# # x-common-keys-core: &common-keys-core
-# # <<: *network-and-security
-# # restart: always
-# # # profiles:
-# # # - basic
-
-# # # Keys common to some of the dependent services/apps
-# # x-common-keys-apps: &common-keys-apps
-# # <<: *network-and-security
-# # restart: unless-stopped
-# # # profiles:
-# # # - apps
-
-# # # Keys common to some of the services in media-services.txt
-# # x-common-keys-media: &common-keys-media
-# # <<: *network-and-security
-# # restart: "no"
-# # # profiles:
-# # # - media
-# ########################### SERVICES
-# services:
-# ############################# FRONTENDS
-
-# # Traefik 2 - Reverse Proxy
-# # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
-# # touch $DOCKERDIR/traefik2/acme/acme.json
-# # chmod 600 $DOCKERDIR/traefik2/acme/acme.json
-# # touch $DOCKERDIR/logs/homeserver/traefik.log # customize this
-
-# #### LETSENCRYPT CHALLENGE ######
-# # https://doc.traefik.io/traefik/user-guides/docker-compose/acme-http/
-# # Add new https services/fqdn
-# # uncomment acme.caserver line and remove/traefik2/acme/letsencrypt/acme.json file
-# # Down all containers and up all (docker-compose down/up -d), wait for news cert/key on acme.json
-# # At this moment, cert/key are staging, you need to comment acme.caserver line and remove acme.json file then restart traefik
-# traefik:
-# restart: always
-# security_opt:
-# - no-new-privileges:true
-# container_name: traefik
-# image: traefik:latest
-# command: # CLI arguments
-# - --global.checkNewVersion=true
-# - --global.sendAnonymousUsage=true
-# - --entryPoints.http.address=:80/tcp
-# - --entryPoints.https.address=:443/tcp
-# - --entryPoints.wireguard.address=:443/udp
-# - --api=true
-# - --api.dashboard=true
-# - --log=true
-# - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
-# - --accessLog=true
-# - --accessLog.filePath=/traefik.log
-# - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
-# - --providers.docker=true
-# - --providers.docker.endpoint=tcp://socket-proxy:2375
-# - --providers.docker.exposedByDefault=false
-# - --providers.docker.network=t2_proxy
-# - --providers.docker.swarmMode=false
-# - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory
-# - --providers.file.watch=true # Only works on top level files in the rules folder
-# - --metrics.prometheus=true
-# - --metrics.prometheus.buckets=0.1,0.3,1.2,5.0
-# - --metrics.prometheus.addEntryPointsLabels=true
-# - --metrics.prometheus.addrouterslabels=true
-# - --metrics.prometheus.addServicesLabels=true
-# - --metrics.prometheus.manualrouting=true
-# - --certificatesresolvers.letsencrypt-resolver.acme.tlschallenge=true
-# # - --certificatesresolvers.letsencrypt-resolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
-# - --certificatesresolvers.letsencrypt-resolver.acme.email=stephane.gratiasquiquandon@gmail.com
-# - --certificatesresolvers.letsencrypt-resolver.acme.storage=/letsencrypt/acme.json
-# networks:
-# t2_proxy:
-# ipv4_address: 192.168.90.254 # You can specify a static IP
-# # Should connect to the docker socket
-# socket_proxy:
-# ipv4_address: 192.168.91.3
-# environment:
-# TZ: Europe/Paris
-# PUID: 1000
-# PGID: 1000
-# ports:
-# - target: 80
-# published: 80
-# protocol: tcp
-# mode: host
-# - target: 443
-# published: 443
-# protocol: tcp
-# mode: host
-# - target: 443
-# published: 443
-# protocol: udp
-# mode: host
-# volumes:
-# - ./traefik2/rules/homeserver:/rules # file provider directory
-# - ./traefik2/acme/letsencrypt:/letsencrypt
-# #- ./traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
-# - ./logs/homeserver/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container
-# - /etc/timezone:/etc/timezone:ro
-# - /etc/localtime:/etc/localtime:ro
-# labels:
-# - "traefik.enable=true"
-# # HTTP-to-HTTPS Redirect
-# - "traefik.http.routers.http-catchall.entrypoints=http"
-# - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
-# - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
-# - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
-# - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true"
-# # HTTP Routers
-# - "traefik.http.routers.traefik-rtr.entrypoints=https"
-# - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.jingoh.fr`)"
-# ## Services - API
-# - "traefik.http.routers.traefik-rtr.service=api@internal"
-# - "traefik.http.routers.traefik-rtr.tls=true"
-# ## MONITORING
-# - traefik.http.routers.prometheus.entrypoints=https
-# - traefik.http.routers.prometheus.rule=Host(`traefik.jingoh.fr`) && PathPrefix(`/metrics`)
-# - traefik.http.routers.prometheus.service=prometheus@internal
-# - traefik.http.routers.prometheus.middlewares=traefik-basic
-# ## Middlewares
-# # echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g
-# ## Middlewares
-# - "traefik.http.routers.traefik-rtr.middlewares=traefik-basic"
-# - "traefik.http.middlewares.traefik-basic.basicauth.users=jingohtraf:$$2y$$05$$JO8mJnOV2PARzEcVj.Grp.H.JbkWYneAIjgMt7c0.5NTyBNDkRIiW"
-# #- "traefik.http.middlewares.traefik-rtr-ratelimit.ratelimit.average=10"
-# # - "traefik.http.middlewares.traefik-rtr-ratelimit.ratelimit.burst=10"
-# # - "traefik.http.middlewares.traefik-rtr-ratelimit.ratelimit.period=1"
-# # - "traefik.http.routers.traefik-rtr-ratelimit.middlewares=traefik-rtr-ratelimit@docker"
-# ## TLS
-# - "traefik.http.routers.traefik-rtr.tls.certresolver=letsencrypt-resolver"
-# - "traefik.http.routers.prometheus.tls.certresolver=letsencrypt-resolver"
-# # Docker Socket Proxy - Security Enchanced Proxy for Docker Socket
-# socket-proxy:
-# restart: always
-# security_opt:
-# - no-new-privileges:true # See EXTENSION FIELDS at the top
-# container_name: socket-proxy
-# image: tecnativa/docker-socket-proxy:latest
-# networks:
-# socket_proxy:
-# ipv4_address: 192.168.91.254 # You can specify a static IP
-# volumes:
-# - "/var/run/docker.sock:/var/run/docker.sock"
-# environment:
-# - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
-# ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
-# # 0 to revoke access.
-# # 1 to grant access.
-# ## Granted by Default
-# - EVENTS=1
-# - PING=1
-# - VERSION=1
-# ## Revoked by Default
-# # Security critical
-# - AUTH=0
-# - SECRETS=0
-# - POST=0 # Watchtower
-# # Not always needed
-# - BUILD=0
-# - COMMIT=0
-# - CONFIGS=0
-# - CONTAINERS=1 # Traefik, portainer, etc.
-# - DISTRIBUTION=0
-# - EXEC=0
-# - IMAGES=1 # Portainer
-# - INFO=1 # Portainer
-# - NETWORKS=1 # Portainer
-# - NODES=0
-# - PLUGINS=0
-# - SERVICES=1 # Portainer
-# - SESSION=0
-# - SWARM=0
-# - SYSTEM=0
-# - TASKS=1 # Portainer
-# - VOLUMES=1 # Portainer
-
-# # Dozzle - Real-time Docker Log Viewer
-# dozzle:
-# restart: always
-# security_opt:
-# - no-new-privileges:true # See EXTENSION FIELDS at the top
-# image: amir20/dozzle:latest
-# container_name: dozzle
-# networks:
-# t2_proxy:
-# ipv4_address: 192.168.90.169
-# # Should connect to the docker engine socket to collect logs
-# socket_proxy:
-# ipv4_address: 192.168.91.2
-# environment:
-# TZ: Europe/Paris
-# PUID: 1000
-# PGID: 1000
-# DOZZLE_LEVEL: info
-# #DOZZLE_TAILSIZE: 300
-# DOZZLE_FILTER: "status=running"
-# DOCKER_HOST: tcp://socket-proxy:2375
-# #DOZZLE_ADDR: ":8181"
-# volumes:
-# - /etc/timezone:/etc/timezone:ro
-# - /etc/localtime:/etc/localtime:ro
-# labels:
-# - "traefik.enable=true"
-# ## HTTP Routers
-# - "traefik.http.routers.dozzle-rtr-http.entrypoints=http"
-# - "traefik.http.routers.dozzle-rtr-http.rule=Host(`dozzle.jingoh.fr`)"
-# - "traefik.http.routers.dozzle-rtr-http.middlewares=redirect-to-https"
-# ## HTTPS Routers
-# - "traefik.http.routers.dozzle-rtr.entrypoints=https"
-# - "traefik.http.routers.dozzle-rtr.rule=Host(`dozzle.jingoh.fr`)"
-# ## Services
-# - "traefik.http.routers.dozzle-rtr.service=dozzle-svc"
-# - "traefik.http.services.dozzle-svc.loadbalancer.server.port=8080"
-# ## Middlewares
-# - "traefik.http.routers.dozzle-rtr.middlewares=dozzle-basic"
-# - "traefik.http.middlewares.dozzle-basic.basicauth.users=jingohdoz:$$2y$$05$$e5x192gFu6uBevLcZNNU9eEWnekh3p.F8cffX19EBTLMwBQoqHcwW"
-# ## TLS
-# - "traefik.http.routers.dozzle-rtr.tls.certresolver=letsencrypt-resolver"
-
-# # conf file in/gitea/gitea/gitea/conf/app.ini
-# # [metrics]
-# # [log]
-# gitea:
-# restart: always
-# security_opt:
-# - no-new-privileges:true # See EXTENSION FIELDS at the top
-# image: gitea/gitea:latest
-# container_name: gitea
-# networks:
-# t2_proxy:
-# ipv4_address: 192.168.90.170
-# environment:
-# TZ: Europe/Paris
-# PUID: 1000
-# PGID: 1000
-# GITEA__database__DB_TYPE: postgres
-# GITEA__database__HOST: gitea-db:5432
-# GITEA__server__DOMAIN: gitea.jingoh.fr
-# GITEA__server__ROOT_URL: https://gitea.jingoh.fr
-# GITEA__server__HTTP_PORT: 3000
-# GITEA__server__START_SSH_SERVER: "true"
-# GITEA__server__SSH_PORT: 443
-# GITEA__server__SSH_LISTEN_PORT: 2222
-# GITEA__server__SSH_DOMAIN: gitea.jingoh.fr
-# GITEA__repository__USE_COMPAT_SSH_URI: "false"
-# GITEA__database__NAME: gitea
-# GITEA__database__USER: root
-# GITEA__database__PASSWD: uu~Y8aic
-# volumes:
-# - ./logs/homeserver/gitea.log:/data/gitea/log/gitea.log
-# - ./gitea/gitea:/data
-# - /etc/timezone:/etc/timezone:ro
-# - /etc/localtime:/etc/localtime:ro
-# labels:
-# - "traefik.enable=true"
-# ## HTTP Routers
-# - "traefik.http.routers.gitea-rtr-http.entrypoints=http"
-# - "traefik.http.routers.gitea-rtr-http.rule=Host(`gitea.jingoh.fr`)"
-# - "traefik.http.routers.gitea-rtr-http.middlewares=redirect-to-https"
-# ## HTTPS Routers
-# - "traefik.http.routers.gitea-rtr.entrypoints=https"
-# - "traefik.http.routers.gitea-rtr.rule=Host(`gitea.jingoh.fr`)"
-# ## Middlewares
-# # git push doesn't work with basicauth
-# #- "traefik.http.routers.gitea-rtr.middlewares=gitea-basic"
-# #- "traefik.http.middlewares.gitea-basic.basicauth.users=jingohgit:$$2y$$05$$iBHOV.3zFZFTp4kRqD7.I.hQ/Rx3qeHoUjq/3KztwzyU8t1BIK/ne"
-# ## Services
-# - "traefik.http.routers.gitea-rtr.service=gitea-svc"
-# - "traefik.http.services.gitea-svc.loadbalancer.server.port=3000"
-# ## SSH
-# - "traefik.tcp.routers.gitea-ssh.rule=HostSNI(`*`)"
-# - "traefik.tcp.routers.gitea-ssh.entrypoints=https"
-# - "traefik.tcp.routers.gitea-ssh.service=gitea-ssh-svc"
-# - "traefik.tcp.services.gitea-ssh-svc.loadbalancer.server.port=2222"
-# ## TLS
-# - "traefik.http.routers.gitea-rtr.tls.certresolver=letsencrypt-resolver"
-
-# gitea-db:
-# restart: always
-# security_opt:
-# - no-new-privileges:true # See EXTENSION FIELDS at the top
-# image: postgres:14
-# container_name: gitea-db
-# networks:
-# t2_proxy:
-# ipv4_address: 192.168.90.171
-# environment:
-# TZ: Europe/Paris
-# PUID: 1000
-# PGID: 1000
-# POSTGRES_USER: root
-# POSTGRES_PASSWORD: uu~Y8aic
-# POSTGRES_DB: gitea
-# volumes:
-# - ./gitea/gitea-db:/var/lib/postgresql/data
-# - /etc/timezone:/etc/timezone:ro
-# - /etc/localtime:/etc/localtime:ro
-# labels:
-# - traefik.enable=false
-
-# #https://github.com/ngoduykhanh/wireguard-ui/blob/master/docker-compose.yaml -> wireguard-ui
-# wireguard:
-# restart: always
-# security_opt:
-# - no-new-privileges:true # See EXTENSION FIELDS at the top
-# image: lscr.io/linuxserver/wireguard:latest
-# container_name: wireguard
-# cap_add:
-# - NET_ADMIN
-# - SYS_MODULE
-# environment:
-# TZ: Europe/Paris
-# PUID: 1000
-# PGID: 1000
-# SERVERURL: 163.172.84.28 #optional
-# SERVERPORT: 443 #optional
-# PEERS: 2 #optional
-# PEERDNS: auto #optional
-# INTERNAL_SUBNET: 10.13.13.0 #optional
-# ALLOWEDIPS: 0.0.0.0/0 #optional
-# LOG_CONFS: "true" #optional
-# networks:
-# t2_proxy:
-# ipv4_address: 192.168.90.173
-# volumes:
-# - ./wireguard/config:/config
-# - ./wireguard/lib/modules:/lib/modules
-# - /etc/timezone:/etc/timezone:ro
-# - /etc/localtime:/etc/localtime:ro
-# sysctls:
-# - net.ipv4.conf.all.src_valid_mark=1
-# labels:
-# - "traefik.enable=true"
-# ## UDP Routers
-# - "traefik.udp.routers.wireguard-rtr.entrypoints=wireguard"
-# - "traefik.udp.services.wireguard.loadbalancer.server.port=51820"
-# depends_on:
-# - traefik
-
-# # # Grafana - Graphical data visualization
-# ## Reset password command-line -> grafana-cli $username reset-admin-password $password
-# ## Enable log file with rotate (/etc/grafana/grafana.ini)
-# grafana:
-# restart: always
-# security_opt:
-# - no-new-privileges:true # See EXTENSION FIELDS at the top
-# image: grafana/grafana:latest
-# container_name: grafana
-# networks:
-# t2_proxy:
-# ipv4_address: 192.168.90.175
-# # ports:
-# # - "$GRAFANA_PORT:3000"
-# user: root
-# volumes:
-# - ./grafana/lib:/var/lib/grafana
-# - ./logs/homeserver/grafana.log:/var/log/grafana/grafana.log
-# environment:
-# TZ: Europe/Paris
-# PUID: 1000
-# PGID: 1000
-# GF_INSTALL_PLUGINS: "grafana-clock-panel,grafana-simple-json-datasource,grafana-worldmap-panel,grafana-piechart-panel"
-# labels:
-# - "traefik.enable=true"
-# ## HTTP Routers
-# - "traefik.http.routers.grafana-rtr-http.entrypoints=http"
-# - "traefik.http.routers.grafana-rtr-http.rule=Host(`grafana.jingoh.fr`)"
-# - "traefik.http.routers.grafana-rtr-http.middlewares=redirect-to-https"
-# ## HTTPS Routers
-# - "traefik.http.routers.grafana-rtr.entrypoints=https"
-# - "traefik.http.routers.grafana-rtr.rule=Host(`grafana.jingoh.fr`)"
-# ## Services
-# - "traefik.http.routers.grafana-rtr.service=grafana-svc"
-# - "traefik.http.services.grafana-svc.loadbalancer.server.port=3000"
-# ## TLS
-# - "traefik.http.routers.grafana-rtr.tls.certresolver=letsencrypt-resolver"
-# ## Middlewares
-# - "traefik.http.routers.grafana-rtr.middlewares=grafana-basic"
-# - "traefik.http.middlewares.grafana-basic.basicauth.users=jingohgraf:$$2y$$05$$DMxSbnKhLv0zW2qYzMpkj.idi88EsFsIdgKoYPzFpxo9ErDHLYCAi"
-# # NEEDED IF CONFLICTS BETWEEN BASICAUTH AND APP LOGIN PAGE
-# - "traefik.http.middlewares.grafana-basic.basicauth.removeheader=true"
-
-# prometheus:
-# restart: always
-# security_opt:
-# - no-new-privileges:true # See EXTENSION FIELDS at the top
-# image: prom/prometheus:latest
-# container_name: prometheus
-# user: root
-# networks:
-# t2_proxy:
-# ipv4_address: 192.168.90.176
-# volumes:
-# - ./prometheus/prometheus:/etc/prometheus/
-# - ./prometheus/prometheus_data:/prometheus
-# command:
-# - '--config.file=/etc/prometheus/prometheus.yml'
-# - '--storage.tsdb.path=/prometheus'
-# - '--web.console.libraries=/usr/share/prometheus/console_libraries'
-# - '--web.console.templates=/usr/share/prometheus/consoles'
-# labels:
-# - "traefik.enable=true"
-# ## HTTP Routers
-# - "traefik.http.routers.prometheus-rtr-http.entrypoints=http"
-# - "traefik.http.routers.prometheus-rtr-http.rule=Host(`prometheus.jingoh.fr`)"
-# - "traefik.http.routers.prometheus-rtr-http.middlewares=redirect-to-https"
-# # HTTPS
-# - "traefik.http.routers.prometheus-rtr.entrypoints=https"
-# - "traefik.http.routers.prometheus-rtr.rule=Host(`prometheus.jingoh.fr`)"
-# - "traefik.http.routers.prometheus-rtr.service=prometheus-svc"
-# - "traefik.http.services.prometheus-svc.loadbalancer.server.port=9090"
-# - "traefik.docker.network=t2_proxy"
-# ## Middlewares
-# - "traefik.http.routers.prometheus-rtr.middlewares=prometheus-basic"
-# - "traefik.http.middlewares.prometheus-basic.basicauth.users=jingohprom:$$2y$$05$$7cf/zuj8lI4Gt9K3xfWEKu.hKwzi1lxsjImgvSc9tHZ0QqHOxagH."
-# ## TLS
-# - "traefik.http.routers.prometheus-rtr.tls.certresolver=letsencrypt-resolver"
-
-# # https://pieterhollander.nl/post/bitwarden/
-# # https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
-# # https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
-# vaultwarden:
-# restart: always
-# security_opt:
-# - no-new-privileges:true # See EXTENSION FIELDS at the top
-# image: vaultwarden/server:latest
-# container_name: vault
-# environment:
-# TZ: Europe/Paris
-# PUID: 1000
-# PGID: 1000
-# WEBSOCKET_ENABLED: 1
-# ROCKET_PORT: 80
-# DOMAIN: https://vault.jingoh.fr
-# ADMIN_TOKEN: BwI1E5Sqb6clUpsAfXdlkMnQuzwTh7pFPpqK6V8RII/CuBqgbNhj325ynL40dfjs
-# LOG_FILE: /var/log/vaultwarden.log
-# SIGNUPS_ALLOWED: "false"
-# networks:
-# t2_proxy:
-# ipv4_address: 192.168.90.177
-# volumes:
-# - ./vaultwarden:/data
-# - ./logs/homeserver/vaultwarden.log:/var/log/vaultwarden.log
-# labels:
-# - traefik.enable=true
-# ## HTTP Routers
-# - "traefik.http.routers.bitwarden-rtr-http.entrypoints=http"
-# - "traefik.http.routers.bitwarden-rtr-http.rule=Host(`bitwarden.jingoh.fr`)"
-# - "traefik.http.routers.bitwarden-rtr-http.middlewares=redirect-to-https"
-# ## HTTPS Routers
-# - traefik.docker.network=t2_proxy
-# - traefik.http.routers.bitwarden-rtr.entrypoints=https
-# - traefik.http.routers.bitwarden-rtr.rule=Host(`vault.jingoh.fr`)
-# - traefik.http.routers.bitwarden-rtr.tls=true
-# - traefik.http.routers.bitwarden-rtr.service=bitwarden-svc
-# - traefik.http.services.bitwarden-svc.loadbalancer.server.port=80
-# - traefik.http.routers.bitwarden-websocket-rtr.entrypoints=https
-# - traefik.http.routers.bitwarden-websocket-rtr.rule=Host(`vault.jingoh.fr`) && Path(`/notifications/hub`)
-# - traefik.http.routers.bitwarden-websocket-rtr.service=bitwarden-websocket-svc
-# - traefik.http.services.bitwarden-websocket-svc.loadbalancer.server.port=3012
-# ## TLS
-# - "traefik.http.routers.bitwarden-rtr.tls.certresolver=letsencrypt-resolver"
-# - "traefik.http.routers.bitwarden-websocket-rtr.tls.certresolver=letsencrypt-resolver"
-
-# homepage:
-# restart: always
-# security_opt:
-# - no-new-privileges:true # See EXTENSION FIELDS at the top
-# image: ghcr.io/gethomepage/homepage:latest
-# container_name: homepage
-# networks:
-# t2_proxy:
-# ipv4_address: 192.168.90.178
-# volumes:
-# - ./homepage/homepage:/app/config
-# - ./homepage/icons:/app/public/icons
-# - "/var/run/docker.sock:/var/run/docker.sock"
-# labels:
-# - traefik.enable=true
-# ## HTTP Routers
-# - "traefik.http.routers.homepage-rtr-http.entrypoints=http"
-# - "traefik.http.routers.homepage-rtr-http.rule=Host(`homepage.jingoh.fr`)"
-# - "traefik.http.routers.homepage-rtr-http.middlewares=redirect-to-https"
-# ## HTTPS Routers
-# - traefik.docker.network=t2_proxy
-# - traefik.http.routers.homepage-rtr.entrypoints=https
-# - traefik.http.routers.homepage-rtr.rule=Host(`homepage.jingoh.fr`)
-# - traefik.http.routers.homepage-rtr.tls=true
-# - traefik.http.routers.homepage-rtr.service=homepage-svc
-# - traefik.http.services.homepage-svc.loadbalancer.server.port=3000
-# ## TLS
-# - "traefik.http.routers.homepage-rtr.tls.certresolver=letsencrypt-resolver"
-
-# registry:
-# restart: always
-# security_opt:
-# - no-new-privileges:true # See EXTENSION FIELDS at the top
-# image: registry:2
-# container_name: registry
-# networks:
-# t2_proxy:
-# ipv4_address: 192.168.90.179
-# environment:
-# REGISTRY_STORAGE_DELETE_ENABLED: 'true'
-# volumes:
-# - ./registry/data:/var/lib/registry
-
-# registry-ui:
-# restart: always
-# security_opt:
-# - no-new-privileges:true # See EXTENSION FIELDS at the top
-# image: joxit/docker-registry-ui:latest
-# expose:
-# - 80
-# environment:
-# - DELETE_IMAGES=true
-# - NGINX_PROXY_PASS_URL=http://registry:5000
-# - SINGLE_REGISTRY=true
-# - REGISTRY_TITLE= 🧱 Jingoh Container Registry 🧱
-# container_name: registry-ui
-# networks:
-# t2_proxy:
-# ipv4_address: 192.168.90.180
-# depends_on:
-# - registry
-# labels:
-# - traefik.enable=true
-# ## HTTP Routers
-# - traefik.http.routers.registry-rtr-http.entrypoints=http
-# - traefik.http.routers.registry-rtr-http.rule=Host(`registry.jingoh.fr`)
-# - traefik.http.routers.registry-rtr-http.middlewares=redirect-to-https
-# ## HTTPS Routers
-# - traefik.docker.network=t2_proxy
-# - traefik.http.routers.registry-rtr.entrypoints=https
-# - traefik.http.routers.registry-rtr.rule=Host(`registry.jingoh.fr`)
-# - traefik.http.routers.registry-rtr.tls=true
-# - traefik.http.routers.registry-rtr.service=registry-svc
-# - traefik.http.services.registry-svc.loadbalancer.server.port=80
-# ## TLS
-# - traefik.http.routers.registry-rtr.tls.certresolver=letsencrypt-resolver
-# ## Middlewares
-# - "traefik.http.routers.registry-rtr.middlewares=registry-basic"
-# - "traefik.http.middlewares.registry-basic.basicauth.users=jingohdocker:$$2y$$05$$dEBjltxSmPyUuQG3ewQXSu8ez97J8562/XhoDw6AoLbmc3ZQTKg4C"
-
-# alert:
-# restart: always
-# security_opt:
-# - no-new-privileges:true # See EXTENSION FIELDS at the top
-# image: binwiederhier/ntfy:latest
-# container_name: alert
-# networks:
-# t2_proxy:
-# ipv4_address: 192.168.90.181
-# volumes:
-# - ./alertmanager/config/alertmanager.yml:/etc/ntfy/server.yml
-# - ./alertmanager/cache/:/var/cache/ntfy/
-# command: serve
-# expose:
-# - 80
-# labels:
-# - traefik.enable=true
-# ## HTTP Routers
-# - traefik.http.routers.alertmanager-rtr-http.entrypoints=http
-# - traefik.http.routers.alertmanager-rtr-http.rule=Host(`alert.jingoh.fr`)
-# - traefik.http.routers.alertmanager-rtr-http.middlewares=redirect-to-https
-# ## HTTPS Routers
-# - traefik.docker.network=t2_proxy
-# - traefik.http.routers.alertmanager-rtr.entrypoints=https
-# - traefik.http.routers.alertmanager-rtr.rule=Host(`alert.jingoh.fr`)
-# - traefik.http.routers.alertmanager-rtr.tls=true
-# - traefik.http.routers.alertmanager-rtr.service=alertmanager-svc
-# - traefik.http.services.alertmanager-svc.loadbalancer.server.port=80
-# ## TLS
-# - traefik.http.routers.alertmanager-rtr.tls.certresolver=letsencrypt-resolver
-# ## Middlewares
-# - "traefik.http.routers.alertmanager-rtr.middlewares=alertmanager-basic"
-# - "traefik.http.middlewares.alertmanager-basic.basicauth.users=jingohalert:$$2y$$05$$dEBjltxSmPyUuQG3ewQXSu8ez97J8562/XhoDw6AoLbmc3ZQTKg4C"
-
-# exporter:
-# image: prom/node-exporter:latest
-# container_name: exporter
-# restart: always
-# security_opt:
-# - no-new-privileges:true # See EXTENSION FIELDS at the top
-# user: root
-# volumes:
-# - /:/host:ro
-# command:
-# - '--path.procfs=/host/proc'
-# - '--path.rootfs=/rootfs'
-# - '--path.sysfs=/host/sys'
-# - '--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)'
-# networks:
-# t2_proxy:
-# ipv4_address: 192.168.90.183
-# labels:
-# - traefik.enable=true
-# ## HTTP Routers
-# - traefik.http.routers.exporter-rtr-http.entrypoints=http
-# - traefik.http.routers.exporter-rtr-http.rule=Host(`exporter.jingoh.fr`)
-# - traefik.http.routers.exporter-rtr-http.middlewares=redirect-to-https
-# ## HTTPS Routers
-# - traefik.docker.network=t2_proxy
-# - traefik.http.routers.exporter-rtr.entrypoints=https
-# - traefik.http.routers.exporter-rtr.rule=Host(`exporter.jingoh.fr`)
-# - traefik.http.routers.exporter-rtr.tls=true
-# - traefik.http.routers.exporter-rtr.service=exporter-svc
-# - traefik.http.services.exporter-svc.loadbalancer.server.port=9100
-# ## TLS
-# - traefik.http.routers.exporter-rtr.tls.certresolver=letsencrypt-resolver
-# ## Middlewares
-# - "traefik.http.routers.exporter-rtr.middlewares=exporter-basic"
-# - "traefik.http.middlewares.exporter-basic.basicauth.users=jingohblack:$$2y$$05$$Y8dT7mF46c0aSOyDb7Jq9.TisInl3dzuWSSwkXM08r1Q331HQ/b.C"
-
-# ara-ui:
-# image: recordsansible/ara-api:latest
-# restart: always
-# security_opt:
-# - no-new-privileges:true # See EXTENSION FIELDS at the top
-# environment:
-# - ARA_ALLOWED_HOSTS=["ara.jingoh.fr", "localhost"]
-# - ARA_DATABASE_ENGINE=django.db.backends.postgresql
-# - ARA_DATABASE_HOST=ara-db
-# - ARA_DATABASE_NAME=ara
-# - ARA_DATABASE_PASSWORD=ara
-# - ARA_DATABASE_USER=ara
-# - ARA_DATABASE_PORT=5432
-# container_name: ara-ui
-# networks:
-# t2_proxy:
-# ipv4_address: 192.168.90.184
-# labels:
-# - traefik.enable=true
-# ## HTTP Routers
-# - traefik.http.routers.ansible-rtr-http.entrypoints=http
-# - traefik.http.routers.ansible-rtr-http.rule=Host(`ara.jingoh.fr`)
-# - traefik.http.routers.ansible-rtr-http.middlewares=redirect-to-https
-# ## HTTPS Routers
-# - traefik.docker.network=t2_proxy
-# - traefik.http.routers.ansible-rtr.entrypoints=https
-# - traefik.http.routers.ansible-rtr.rule=Host(`ara.jingoh.fr`)
-# - traefik.http.routers.ansible-rtr.tls=true
-# - traefik.http.routers.ansible-rtr.service=ansible-svc
-# - traefik.http.services.ansible-svc.loadbalancer.server.port=8000
-# ## TLS
-# - traefik.http.routers.ansible-rtr.tls.certresolver=letsencrypt-resolver
-# ## Middlewares
-# - "traefik.http.routers.ansible-rtr.middlewares=ansible-basic"
-# - "traefik.http.middlewares.ansible-basic.basicauth.users=jingohblack:$$2y$$05$$Y8dT7mF46c0aSOyDb7Jq9.TisInl3dzuWSSwkXM08r1Q331HQ/b.C"
-# - "traefik.http.middlewares.ansible-basic.basicauth.removeheader=true"
-
-# ara-db:
-# restart: always
-# security_opt:
-# - no-new-privileges:true # See EXTENSION FIELDS at the top
-# image: postgres:14
-# container_name: ara-db
-# networks:
-# t2_proxy:
-# ipv4_address: 192.168.90.185
-# environment:
-# TZ: Europe/Paris
-# PUID: 1000
-# PGID: 1000
-# POSTGRES_USER: ara
-# POSTGRES_PASSWORD: ara
-# POSTGRES_DB: ara
-# volumes:
-# - ./ara:/var/lib/postgresql/data
-# - /etc/timezone:/etc/timezone:ro
-# - /etc/localtime:/etc/localtime:ro
-# labels:
-# - traefik.enable=false
-
-
-
-# semaphore-db:
-# restart: always
-# security_opt:
-# - no-new-privileges:true # See EXTENSION FIELDS at the top
-# container_name: semaphore-db
-# image: postgres:14
-# hostname: postgres
-# networks:
-# t2_proxy:
-# ipv4_address: 192.168.90.186
-# volumes:
-# - ./semaphore/semaphore-db:/var/lib/postgresql/data
-# environment:
-# POSTGRES_USER: semaphore
-# POSTGRES_PASSWORD: uu~Y8aic
-# POSTGRES_DB: semaphore
-# labels:
-# - traefik.enable=false
-
-# semaphore:
-# restart: always
-# security_opt:
-# - no-new-privileges:true # See EXTENSION FIELDS at the top
-# expose:
-# - 3000
-# container_name: semaphore
-# image: semaphoreui/semaphore:latest
-# user: "${UID}:${GID}"
-# networks:
-# t2_proxy:
-# ipv4_address: 192.168.90.187
-# environment:
-# - SEMAPHORE_DB_USER=semaphore
-# - SEMAPHORE_DB_PASS=uu~Y8aic
-# - SEMAPHORE_DB_HOST=semaphore-db
-# - SEMAPHORE_DB_PORT=5432
-# - SEMAPHORE_DB_DIALECT=postgres
-# - SEMAPHORE_DB=semaphore
-# - SEMAPHORE_PLAYBOOK_PATH=/tmp/semaphore/
-# - SEMAPHORE_ADMIN_PASSWORD=uu~Y8aic
-# - SEMAPHORE_ADMIN_NAME=admin
-# - SEMAPHORE_ADMIN_EMAIL=admin@localhost
-# - SEMAPHORE_ADMIN=admin
-# - SEMAPHORE_ACCESS_KEY_ENCRYPTION=ShbKLtVWr5yB/G1WO3DOEU5Il0JBlcN//4mpErpSwpQ= # add to your access key encryption !
-# - ANSIBLE_HOST_KEY_CHECKING=false # (optional) change to true if you want to enable host key checking -# volumes: -# - ./semaphore/inventory/:/inventory:ro -# - ./semaphore/authorized-keys/:/authorized-keys:ro -# - ./semaphore/config/:/etc/semaphore:rw -# depends_on: -# - semaphore-db -# labels: -# - traefik.enable=true -# ## HTTP Routers -# - traefik.http.routers.semaphore-rtr-http.entrypoints=http -# - traefik.http.routers.semaphore-rtr-http.rule=Host(`semaphore.jingoh.fr`) -# - traefik.http.routers.semaphore-rtr-http.middlewares=redirect-to-https -# ## HTTPS Routers -# - traefik.docker.network=t2_proxy -# - traefik.http.routers.semaphore-rtr.entrypoints=https -# - traefik.http.routers.semaphore-rtr.rule=Host(`semaphore.jingoh.fr`) -# - traefik.http.routers.semaphore-rtr.tls=true -# - traefik.http.routers.semaphore-rtr.service=semaphore-svc -# - traefik.http.services.semaphore-svc.loadbalancer.server.port=3000 -# # ## WEBSOCKET -# # - traefik.http.routers.semaphore-websocket-rtr.entrypoints=https -# # - traefik.http.routers.semaphore-websocket-rtr.rule=Host(`semaphore.jingoh.fr`) && Path(`/api/ws`) -# # - traefik.http.routers.semaphore-websocket-rtr.service=semaphore-websocket-svc -# # - traefik.http.services.semaphore-websocket-svc.loadbalancer.server.port=3000 -# ## TLS -# - traefik.http.routers.semaphore-rtr.tls.certresolver=letsencrypt-resolver -# # ## Middlewares -# # - "traefik.http.routers.semaphore-rtr.middlewares=semaphore-basic" -# # - "traefik.http.middlewares.semaphore-basic.basicauth.users=jingohblack:$$2y$$05$$Y8dT7mF46c0aSOyDb7Jq9.TisInl3dzuWSSwkXM08r1Q331HQ/b.C" -# # - "traefik.http.middlewares.semaphore-basic.basicauth.removeheader=true" - -# # qBittorrent - Torrent downloader -# # Needs trailing / if using PathPrefixStrip -# # qbittorrent: -# # <<: *common-keys-apps # See EXTENSION FIELDS at the top -# # image: lscr.io/linuxserver/qbittorrent:latest -# # container_name: qbittorrent -# # networks: -# # t2_proxy: -# # ipv4_address: 
192.168.90.174 -# # volumes: -# # - ./qbittorrent:/config -# # - ./downloads:/downloads -# # environment: -# # # TZ: Europe/Paris -# # PUID: 1000 -# # PGID: 1000 -# # # UMASK_SET: 002 -# # labels: -# # - "traefik.enable=true" -# # ## HTTP Routers -# # - "traefik.http.routers.qbittorrent-rtr.entrypoints=https" -# # - "traefik.http.routers.qbittorrent-rtr.rule=Host(`qbit.jingoh.fr`)" -# # ## Middlewares -# # - "traefik.http.routers.qbittorrent-rtr.middlewares=test-auth" -# # ## Services -# # - "traefik.http.routers.qbittorrent-rtr.service=qbittorrent-svc" -# # - "traefik.http.services.qbittorrent-svc.loadbalancer.server.port=8168" -# # # Anti ddos -# # - "traefik.http.middlewares.qbittorrent-rtr-ratelimit.ratelimit.average=10" -# # - "traefik.http.middlewares.qbittorrent-rtr-ratelimit.ratelimit.burst=10" -# # - "traefik.http.middlewares.qbittorrent-rtr-ratelimit.ratelimit.period=1" -# # - "traefik.http.routers.qbittorrent-rtr-ratelimit.middlewares=qbittorrent-rtr-ratelimit@docker" - -# # docker run -p 9925:80 -v ./mealie:/app/data/ hkotel/mealie:latest - -# mealie: -# container_name: mealie -# image: hkotel/mealie:latest -# user: "${UID}:${GID}" -# environment: -# - DEFAULT_EMAIL=stephane.gratiasquiquandon@gmail.com -# - DEFAULT_GROUP=manger -# - BASE_URL=mealie.jingoh.fr -# networks: -# t2_proxy: -# ipv4_address: 192.168.90.188 -# volumes: -# - ./mealie/:/app/data/ -# restart: always -# security_opt: -# - no-new-privileges:true # See EXTENSION FIELDS at the top -# labels: -# - traefik.enable=true -# ## HTTPS Routers -# - traefik.docker.network=t2_proxy -# - traefik.http.routers.mealie-rtr.entrypoints=https -# - traefik.http.routers.mealie-rtr.rule=Host(`mealie.jingoh.fr`) -# - traefik.http.routers.mealie-rtr.tls=true -# - traefik.http.routers.mealie-rtr.service=mealie-svc -# - traefik.http.services.mealie-svc.loadbalancer.server.port=80 -# ## TLS -# - traefik.http.routers.mealie-rtr.tls.certresolver=letsencrypt-resolver - -# # homarr: -# # container_name: homarr -# 
# image: ghcr.io/ajnart/homarr:latest -# # restart: unless-stopped -# # networks: -# # t2_proxy: -# # ipv4_address: 192.168.90.189 -# # volumes: -# # - ./homarr/configs:/app/data/configs -# # - ./homarr/icons:/app/public/icons -# # labels: -# # - traefik.enable=true -# # ## HTTPS Routers -# # - traefik.docker.network=t2_proxy -# # - traefik.http.routers.homarr-rtr.entrypoints=https -# # - traefik.http.routers.homarr-rtr.rule=Host(`homarr.jingoh.fr`) -# # - traefik.http.routers.homarr-rtr.tls=true -# # - traefik.http.routers.homarr-rtr.service=homarr-svc -# # - traefik.http.services.homarr-svc.loadbalancer.server.port=7575 -# # ## TLS -# # - traefik.http.routers.homarr-rtr.tls.certresolver=letsencrypt-resolver -# # ## Middleware IP whitelist -# # - traefik.http.middlewares.dashboard-ipwhitelist.ipwhitelist.sourcerange=192.168.91.1/32 -# # - traefik.http.routers.homarr-rtr.middlewares=dashboard-ipwhitelist - -# portainer: -# container_name: portainer -# image: portainer/portainer-ce:latest -# restart: always -# security_opt: -# - no-new-privileges:true -# networks: -# t2_proxy: -# ipv4_address: 192.168.90.190 -# volumes: -# - /etc/localtime:/etc/localtime:ro -# - /var/run/docker.sock:/var/run/docker.sock:ro -# - ./portainer/:/data/ -# labels: -# - traefik.enable=true -# ## HTTPS Routers -# - traefik.docker.network=t2_proxy -# - traefik.http.routers.portainer-rtr.entrypoints=https -# - traefik.http.routers.portainer-rtr.rule=Host(`docker.jingoh.fr`) -# - traefik.http.routers.portainer-rtr.tls=true -# - traefik.http.routers.portainer-rtr.service=portainer-svc -# - traefik.http.services.portainer-svc.loadbalancer.server.port=9000 -# ## TLS -# - traefik.http.routers.homarr-rtr.tls.certresolver=letsencrypt-resolver -# ## Middleware IP whitelist -# # - traefik.http.middlewares.dashboard-ipwhitelist.ipwhitelist.sourcerange=192.168.91.1/32 -# # - traefik.http.routers.homarr-rtr.middlewares=dashboard-ipwhitelist \ No newline at end of file 
diff --git a/roles/requirements.yml b/roles/requirements.yml
index 70b3e83..449acd1 100644
--- a/roles/requirements.yml
+++ b/roles/requirements.yml
@@ -6,7 +6,6 @@
 - src: GROG.sudo
 # DOCKER
 - src: geerlingguy.docker
-- src: prometheus.prometheus.node_exporter
 # CONTAINERD
 # - src: geerlingguy.containerd
 # # KUBERNETES
@@ -21,7 +20,9 @@
 # # PACKAGE
 # - src: GROG.package
 # # IPTABLES
-# - src: geerlingguy.firewall
+- src: geerlingguy.firewall
+- src: robertdebock.auditd
+- src: buluma.lynis
 # # LOG ROTATE
 # - src: nickhammond.logrotate
 # - src: ome.logrotate
@@ -32,13 +33,11 @@
 # - src: ome.selinux_utils
 # # HELM
 # - src: geerlingguy.helm
-
-
 # ## SETUP
 # - src: buluma.lynis
 # - src: maxlareo.rkhunter
 # - src: maxlareo.chkrootkit
-# - src: robertdebock.auditd
+- src: robertdebock.auditd
 # - src: robertdebock.update
 # # - src: buluma.auditd
 # # version: v1.0.10
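Review bot: `- src: robertdebock.auditd` is now listed twice in roles/requirements.yml, once among the entries added under IPTABLES in the second hunk and again where the third hunk uncomments it under SETUP; ansible-galaxy will resolve the same role twice, so keep a single entry (the SETUP one sits next to the related rkhunter/chkrootkit lines). The three roles enabled here (geerlingguy.firewall, robertdebock.auditd, buluma.lynis) carry no `version:`, so each `ansible-galaxy install` pulls whatever the role's default branch holds at that moment and the firewall and audit baseline applied to the host can change without any commit to this repository. Pin each one to a release tag, e.g. `- src: robertdebock.auditd` followed by `  version: "<pinned-release-tag>"`, which is the same `version:` form the file already uses in the commented buluma.auditd entry at the end of the third hunk.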