--- ########## # DOCKER # ########## dockerapp_tree_base_dir: - "/opt" # - "/opt/entreprise/dockerapps" #docker_install_compose: false # boostrap dockerapp: dockerapp_service: dockerapps dockerapp_tree_volumes: - "gitlab" - "gitlab/config" - "gitlab/data" - "gitlab/docker" - "gitlab/logs" - "gitlab-runner" - "gitlab-runner/certs" - "gitlab-runner/docker" - "pypi-mirror" - "pypi-mirror/etc" - "sonarqube" - "sonarqube/postgresql" - "sonarqube/sonarqube" - "sonarqube/sonarqube/data" - "sonarqube/sonarqube/extensions" - "sonarqube/sonarqube/key" - "sonarqube/sonarqube/logs" - "traefik/certs" # generate docker-compose.yml dockerapp_compose: version: '3.9' networks: t2_proxy: name: t2_proxy driver: bridge ipam: config: - subnet: 192.168.90.0/24 default: driver: bridge socket_proxy: name: socket_proxy driver: bridge ipam: config: - subnet: 192.168.91.0/24 x-environment: &default-tz-puid-pgid TZ: Europe/Paris PUID: 1000 PGID: 1000 # Proxy Network and Security x-network-and-security: &network-and-security networks: - t2_proxy security_opt: - no-new-privileges:true # Keys common to some of the services in basic-services.txt x-common-keys-core: &common-keys-core <<: *network-and-security restart: always # profiles: # - basic # Keys common to some of the dependent services/apps x-common-keys-apps: &common-keys-apps <<: *network-and-security restart: unless-stopped # profiles: # - apps services: pypi-mirror: image: "pypa/bandersnatch:latest" restart: always networks: dev_net: ipv4_address: 10.10.20.9 command: python /bandersnatch/src/runner.py 3600 logging: driver: "json-file" options: max-size: "10m" max-file: "10" volumes: - "{{ dockerapp_tree_base_dir | last }}/{{ dockerapp_service }}/pypi-mirror/etc/bandersnatch.conf:/conf/bandersnatch.conf" # Traefik 2 - Reverse Proxy # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600. # touch $DOCKERDIR/traefik2/acme/acme.json # chmod 600 $DOCKERDIR/traefik2/acme/acme.json # touch $DOCKERDIR/logs/homeserver/traefik.log # customize this #### LETSENCRYPT CHALLENGE ###### # https://doc.traefik.io/traefik/user-guides/docker-compose/acme-http/ # Add new https services/fqdn # uncomment acme.caserver line and remove appdata/traefik2/acme/letsencrypt/acme.json file # Down all containers and up all (docker-compose down/up -d), wait for news cert/key on acme.json # At this moment, cert/key are staging, you need to comment acme.caserver line and remove acme.json file then restart traefik traefik: <<: *common-keys-core # See EXTENSION FIELDS at the top container_name: traefik image: traefik:latest command: # CLI arguments - --global.checkNewVersion=true - --global.sendAnonymousUsage=true - --entryPoints.http.address=:80/tcp - --entryPoints.https.address=:443/tcp - --entryPoints.wireguard.address=:443/udp - --api=true - --api.dashboard=true - --log=true - --log.level=WARN # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC - --accessLog=true - --accessLog.filePath=/traefik.log - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines - --providers.docker=true - --providers.docker.endpoint=tcp://socket-proxy:2375 - --providers.docker.exposedByDefault=false - --providers.docker.network=t2_proxy - --providers.docker.swarmMode=false - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory - --providers.file.watch=true # Only works on top level files in the rules folder - --metrics.prometheus=true - --metrics.prometheus.buckets=0.1,0.3,1.2,5.0 - --metrics.prometheus.addEntryPointsLabels=true - --metrics.prometheus.addrouterslabels=true - --metrics.prometheus.addServicesLabels=true - --metrics.prometheus.manualrouting=true - --certificatesresolvers.letsencrypt-resolver.acme.tlschallenge=true #- --certificatesresolvers.letsencrypt-resolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory - --certificatesresolvers.letsencrypt-resolver.acme.email=stephane.gratiasquiquandon@gmail.com - --certificatesresolvers.letsencrypt-resolver.acme.storage=/letsencrypt/acme.json networks: t2_proxy: ipv4_address: 192.168.90.254 # You can specify a static IP socket_proxy: environment: <<: *default-tz-puid-pgid ports: - target: 80 published: 80 protocol: tcp mode: host - target: 443 published: 443 protocol: tcp mode: host - target: 443 published: 443 protocol: udp mode: host volumes: - ./appdata/traefik2/rules/homeserver:/rules # file provider directory - ./appdata/traefik2/acme/letsencrypt:/letsencrypt #- ./appdata/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600 - ./logs/homeserver/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container - /etc/timezone:/etc/timezone:ro - /etc/localtime:/etc/localtime:ro labels: - "traefik.enable=true" # HTTP-to-HTTPS Redirect - "traefik.http.routers.http-catchall.entrypoints=http" - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)" - "traefik.http.routers.http-catchall.middlewares=redirect-to-https" - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https" - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true" # HTTP Routers - "traefik.http.routers.traefik-rtr.entrypoints=https" - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.jingoh.fr`)" ## Services - API - "traefik.http.routers.traefik-rtr.service=api@internal" - "traefik.http.routers.traefik-rtr.tls=true" ## MONITORING - traefik.http.routers.prometheus.entrypoints=https - traefik.http.routers.prometheus.rule=Host(`traefik.jingoh.fr`) && PathPrefix(`/metrics`) - traefik.http.routers.prometheus.service=prometheus@internal - traefik.http.routers.prometheus.middlewares=traefik-basic ## Middlewares # echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g ## Middlewares - "traefik.http.routers.traefik-rtr.middlewares=traefik-basic" - "traefik.http.middlewares.traefik-basic.basicauth.users=jingohtraf:$$2y$$05$$JO8mJnOV2PARzEcVj.Grp.H.JbkWYneAIjgMt7c0.5NTyBNDkRIiW" #- "traefik.http.middlewares.traefik-rtr-ratelimit.ratelimit.average=10" # - "traefik.http.middlewares.traefik-rtr-ratelimit.ratelimit.burst=10" # - "traefik.http.middlewares.traefik-rtr-ratelimit.ratelimit.period=1" # - "traefik.http.routers.traefik-rtr-ratelimit.middlewares=traefik-rtr-ratelimit@docker" ## TLS - "traefik.http.routers.traefik-rtr.tls.certresolver=letsencrypt-resolver" - "traefik.http.routers.prometheus.tls.certresolver=letsencrypt-resolver" # Docker Socket Proxy - Security Enchanced Proxy for Docker Socket socket-proxy: <<: *common-keys-core # See EXTENSION FIELDS at the top container_name: socket-proxy image: tecnativa/docker-socket-proxy:latest networks: socket_proxy: ipv4_address: 192.168.91.254 # You can specify a static IP volumes: - "/var/run/docker.sock:/var/run/docker.sock" environment: - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.). # 0 to revoke access. # 1 to grant access. ## Granted by Default - EVENTS=1 - PING=1 - VERSION=1 ## Revoked by Default # Security critical - AUTH=0 - SECRETS=0 - POST=0 # Watchtower # Not always needed - BUILD=0 - COMMIT=0 - CONFIGS=0 - CONTAINERS=1 # Traefik, portainer, etc. - DISTRIBUTION=0 - EXEC=0 - IMAGES=0 # Portainer - INFO=0 # Portainer - NETWORKS=0 # Portainer - NODES=0 - PLUGINS=0 - SERVICES=0 # Portainer - SESSION=0 - SWARM=0 - SYSTEM=0 - TASKS=0 # Portainer - VOLUMES=0 # Portainer ############## # KUBERNETES # ##############