sgratias/semaphore
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
68ab9f821576de2f8402f54bc086c562537d1a93
semaphore/host_vars/scaleway_fr.yml
staffadmin 68ab9f8215 POUSH
2023-11-11 17:50:01 +01:00

419 lines
14 KiB
YAML
Raw Blame History

---
#######
# APT #
#######
apt_packages:
- name: openssh-server
- name: proxychains
apt_repositories_sources:
- deb http://mirrors.online.net/ubuntu focal main restricted
- deb http://mirrors.online.net/ubuntu focal-updates main restricted
- deb http://mirrors.online.net/ubuntu focal universe
- deb http://mirrors.online.net/ubuntu focal-updates universe
- deb http://mirrors.online.net/ubuntu focal multiverse
- deb http://mirrors.online.net/ubuntu focal-updates multiverse
- deb http://mirrors.online.net/ubuntu focal-backports main restricted universe multiverse
- deb http://security.ubuntu.com/ubuntu focal-security main restricted
- deb http://security.ubuntu.com/ubuntu focal-security universe
- deb http://security.ubuntu.com/ubuntu focal-security multiverse
############
# ALERTING #
############
alerts_cron:
- name: storage
weekday: 0
minute: 0
hour: 15
user: root
job: "/usr/local/scripts/alerts.sh storage >/dev/null 2>&1"
cron_file: alerts
- name: load
weekday: "*"
minute: "*/5"
hour: "*"
user: root
job: "/usr/local/scripts/alerts.sh load >/dev/null 2>&1"
cron_file: alerts
- name: cpu
weekday: "*"
minute: "*/5"
hour: "*"
user: root
job: "/usr/local/scripts/alerts.sh cpu >/dev/null 2>&1"
cron_file: alerts
- name: ping
weekday: "*"
minute: "*"
hour: 12
user: root
job: "/usr/local/scripts/alerts.sh ping >/dev/null 2>&1"
cron_file: alerts
- name: ssl
weekday: "*"
minute: 0
hour: 15
user: root
job: "/usr/local/scripts/alerts.sh ssl >/dev/null 2>&1"
cron_file: alerts
- name: storage
weekday: 0
minute: 0
hour: 15
user: root
job: "/usr/local/scripts/alerts.sh storage >/dev/null 2>&1"
cron_file: alerts
- name: backup_git
weekday: "*"
minute: 0
hour: 18
user: root
job: "/usr/local/scripts/alerts.sh backup_git >/dev/null 2>&1"
cron_file: alerts
- name: backup_vault
weekday: "*"
minute: 0
hour: 20
user: root
job: "/usr/local/scripts/alerts.sh backup_vault >/dev/null 2>&1"
cron_file: alerts
alerts_storage: scaleway
alerts_load: scaleway
alerts_ping: ovh
alerts_health: scaleway
alerts_backup_gitea: scaleway
alerts_backup_vault: scaleway
alerts_cpu: scaleway
alerts_ssl: scaleway
##############
# LOG ROTATE #
##############
logrotate_scripts:
- name: backup
paths:
- /opt/dockerapps/backup/*.zip
- /opt/dockerapps/appdata/vaultwarden/backup/*.tar.xz.gpg
options:
- daily
- rotate 4
- compress
- missingok
- notifempty
- create 0644 root root
- name: dockerapps-git
path: /opt/dockerapps/logs/homeserver/git*.log
options:
- rotate 12
- monthly
- compress
- missingok
- delaycompress
scripts:
postrotate: docker-compose restart gitea
- name: dockerapps-grafa
path: /opt/dockerapps/logs/homeserver/grafa*.log
options:
- rotate 12
- monthly
- compress
- missingok
- delaycompress
scripts:
postrotate: docker-compose restart grafana
- name: dockerapps-traef
path: /opt/dockerapps/logs/homeserver/traef*.log
options:
- rotate 12
- monthly
- compress
- missingok
- delaycompress
scripts:
postrotate: docker-compose restart traefik
- name: dockerapps-vault
path: /opt/dockerapps/logs/homeserver/vault*.log
options:
- rotate 12
- monthly
- compress
- missingok
- delaycompress
scripts:
postrotate: docker-compose restart vault
# name: restart gitea
# script: docker-compose restart gitea
# - postrotate: docker-compose restart vaultwarden
# - postrotate: docker-compose restart grafana
- name: dockerapps-backup
paths:
- /opt/dockerapps/backup/gitea-dump-*.zip
- /opt/dockerapps/appdata/vaultwarden/backup/*.gpg
- /opt/dockerapps/appdata/vaultwarden/backup/*gpg.1.gz
options:
- rotate 6
- monthly
- compress
- missingok
- delaycompress
##########
# CHISEL #
##########
# SHOULD BE IN [server] GROUP
chisel_server: true
chisel_basic_auth: "{{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}"
chisel_service_name: chisel-server
chisel_config_name: chisel-server
chisel_proxychains_conf:
# chisel enable socks5, reverse and basic auth
- path: "/etc/chisel/{{ chisel_config_name }}.conf"
regexp: "^SOCK5=--socks5"
state: present
line: "SOCK5=--socks5"
- path: "/etc/chisel/{{ chisel_config_name }}.conf"
regexp: "^PID=--reverse"
state: present
line: "PID=--reverse"
- path: "/etc/chisel/{{ chisel_config_name }}.conf"
regexp: "^AUTH=--auth {{ chisel_basic_auth }}"
state: present
line: "AUTH=--auth {{ chisel_basic_auth }}"
- path: "/etc/chisel/{{ chisel_config_name }}.conf"
regexp: "^HOST=--host {{ chisel_server_host }}"
state: present
line: "HOST=--host {{ chisel_server_host }}"
# proxychains replace socks4 to socks5
- path: "/etc/proxychains.conf"
regexp: "^socks4 127.0.0.1 9050"
state: "absent"
- path: "/etc/proxychains.conf"
regexp: "^socks5 {{ chisel_server_host }} 1080"
state: present
line: "socks5 {{ chisel_server_host }} 1080"
##################
# DOCKER-COMPOSE #
##################
dockerapp_tree_volumes:
- alertmanager
- ara
- blackbox
- gitea
- grafana
- homarr
- homepage
- mealie
- portainer
- prometheus
- registry
- semaphore
- traefik2
- vaultwarden
- wireguard
dockerapp_tree_base_dir:
- "/opt/"
dockerapp_service: dockerapps
docker_install_compose: false
pip_executable: pip3
pip_install_packages:
- docker-compose
dockerapp_compose:
version: "3.9"
######### IMPORTANT #############
# This is my main docker-compose file with most of the apps. I run docker on other systems with smaller stacks (web and synology).
# You can copy-paste services from one docker-compose file in this repo to another to add other apps.
# 90+ Open source docker stacks
#https://github.com/ethibox/awesome-stacks
#FROM
#https://github.com/htpcBeginner/docker-traefik/blob/master/docker-compose-t2.yml
########################### SYSTEM DESCRIPTION
# DOCKER-COMPOSE FOR HOME/MEDIA SERVER
# PROXMOX HOST: Dual Intel Xeon 5420, 16 GB RAM, 240 GB SSD, and 2 TB HDD
# VM: 6 CORES, 12 GB RAM, Ubuntu 20.04, and Docker
# 32 GB for /, 64 GB for /var/lib/docker and transcoding, and 1.5 TB for non-critical data and rclone cache.
# Google Drive mounted using Rclone Docker for media and Proxmox backups
########################### NETWORKS
# There is no need to create any networks outside this docker-compose file.
# You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please.
# Docker Compose version 3.5 or higher required to define networks this way.
networks:
t2_proxy:
name: t2_proxy
driver: bridge
ipam:
config:
- subnet: 192.168.90.0/24
default:
driver: bridge
socket_proxy:
name: socket_proxy
driver: bridge
ipam:
config:
- subnet: 192.168.91.0/24
########################### EXTENSION FIELDS
# Helps eliminate repetition of sections
# More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228
# # Common environment values
# x-environment: &default-tz-puid-pgid
# TZ: Europe/Paris
# PUID: 1000
# PGID: 1000
# # Proxy Network and Security
# x-network-and-security: &network-and-security
# networks:
# - t2_proxy
# security_opt:
# - no-new-privileges:true
# # Keys common to some of the services in basic-services.txt
# x-common-keys-core: &common-keys-core
# <<: *network-and-security
# restart: always
# # profiles:
# # - basic
# # Keys common to some of the dependent services/apps
# x-common-keys-apps: &common-keys-apps
# <<: *network-and-security
# restart: unless-stopped
# # profiles:
# # - apps
# # Keys common to some of the services in media-services.txt
# x-common-keys-media: &common-keys-media
# <<: *network-and-security
# restart: "no"
# # profiles:
# # - media
########################### SERVICES
services:
############################# FRONTENDS
# Traefik 2 - Reverse Proxy
# Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
# touch $DOCKERDIR/traefik2/acme/acme.json
# chmod 600 $DOCKERDIR/traefik2/acme/acme.json
# touch $DOCKERDIR/logs/homeserver/traefik.log # customize this
#### LETSENCRYPT CHALLENGE ######
# https://doc.traefik.io/traefik/user-guides/docker-compose/acme-http/
# Add new https services/fqdn
# uncomment acme.caserver line and remove appdata/traefik2/acme/letsencrypt/acme.json file
# Down all containers and up all (docker-compose down/up -d), wait for news cert/key on acme.json
# At this moment, cert/key are staging, you need to comment acme.caserver line and remove acme.json file then restart traefik
traefik:
#<<: *common-keys-core # See EXTENSION FIELDS at the top -> TODO
container_name: traefik
image: traefik:latest
command: # CLI arguments
- --global.checkNewVersion=true
- --global.sendAnonymousUsage=true
- --entryPoints.http.address=:80/tcp
- --entryPoints.https.address=:443/tcp
- --entryPoints.wireguard.address=:443/udp
- --api=true
- --api.dashboard=true
- --log=true
- --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
- --accessLog=true
- --accessLog.filePath=/traefik.log
- --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
- --providers.docker=true
- --providers.docker.endpoint=tcp://socket-proxy:2375
- --providers.docker.exposedByDefault=false
- --providers.docker.network=t2_proxy
- --providers.docker.swarmMode=false
- --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory
- --providers.file.watch=true # Only works on top level files in the rules folder
- --metrics.prometheus=true
- --metrics.prometheus.buckets=0.1,0.3,1.2,5.0
- --metrics.prometheus.addEntryPointsLabels=true
- --metrics.prometheus.addrouterslabels=true
- --metrics.prometheus.addServicesLabels=true
- --metrics.prometheus.manualrouting=true
- --certificatesresolvers.letsencrypt-resolver.acme.tlschallenge=true
# - --certificatesresolvers.letsencrypt-resolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
- --certificatesresolvers.letsencrypt-resolver.acme.email=stephane.gratiasquiquandon@gmail.com
- --certificatesresolvers.letsencrypt-resolver.acme.storage=/letsencrypt/acme.json
networks:
t2_proxy:
ipv4_address: 192.168.90.254 # You can specify a static IP
# Should connect to the docker socket
socket_proxy:
ipv4_address: 192.168.91.3
environment:
#<<: *default-tz-puid-pgid -> TODO
ports:
- target: 80
published: 80
protocol: tcp
mode: host
- target: 443
published: 443
protocol: tcp
mode: host
- target: 443
published: 443
protocol: udp
mode: host
volumes:
- ./appdata/traefik2/rules/homeserver:/rules # file provider directory
- ./appdata/traefik2/acme/letsencrypt:/letsencrypt
#- ./appdata/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
- ./logs/homeserver/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
labels:
- "traefik.enable=true"
# HTTP-to-HTTPS Redirect
- "traefik.http.routers.http-catchall.entrypoints=http"
- "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true"
# HTTP Routers
- "traefik.http.routers.traefik-rtr.entrypoints=https"
- "traefik.http.routers.traefik-rtr.rule=Host(`traefik.jingoh.fr`)"
## Services - API
- "traefik.http.routers.traefik-rtr.service=api@internal"
- "traefik.http.routers.traefik-rtr.tls=true"
## MONITORING
- traefik.http.routers.prometheus.entrypoints=https
- traefik.http.routers.prometheus.rule=Host(`traefik.jingoh.fr`) && PathPrefix(`/metrics`)
- traefik.http.routers.prometheus.service=prometheus@internal
- traefik.http.routers.prometheus.middlewares=traefik-basic
## Middlewares
# echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g
## Middlewares
- "traefik.http.routers.traefik-rtr.middlewares=traefik-basic"
- "traefik.http.middlewares.traefik-basic.basicauth.users=jingohtraf:$$2y$$05$$JO8mJnOV2PARzEcVj.Grp.H.JbkWYneAIjgMt7c0.5NTyBNDkRIiW"
#- "traefik.http.middlewares.traefik-rtr-ratelimit.ratelimit.average=10"
# - "traefik.http.middlewares.traefik-rtr-ratelimit.ratelimit.burst=10"
# - "traefik.http.middlewares.traefik-rtr-ratelimit.ratelimit.period=1"
# - "traefik.http.routers.traefik-rtr-ratelimit.middlewares=traefik-rtr-ratelimit@docker"
## TLS
- "traefik.http.routers.traefik-rtr.tls.certresolver=letsencrypt-resolver"
- "traefik.http.routers.prometheus.tls.certresolver=letsencrypt-resolver"
Reference in New Issue View Git Blame Copy Permalink