sgratias/semaphore
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a2fd9548c6a74ee6d57ebb106dbedf4350001104
semaphore/host_vars/scaleway_fr.yml
staffadmin a2fd9548c6 Add kub cluster
2023-11-23 13:51:00 +01:00

1209 lines
44 KiB
YAML
Raw Blame History

---
########
# USER #
########
management_user_list:
- name: stephane
shell: '/bin/bash'
authorized_keys:
- key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClVS1uxDfwS6OusQ4qgcZ6hBc8YRBE8MyXu0sUfGN7S3itjI3W2ixD18v80el8dVQVR12jCY0ueavgoV1cHrfGWkFoLKi+QrA4MuSNUChj0NBbyLTmdwPvne8LRv3ttCbRSJ/6bIEveX8y/7kGn/R1NDFlfE6b5R8ersBUKCQM6YxblAkv/XH8cJlQXhr1nLhVOl/ae+Q/pTCbgioB8qrmGEuMvOLmavcFf7IJbJcSgeiXSOnyIRl2n64X6lbRK+MRZ61pF6vAOXA+Ixyt/fAbO7sjqU0+cEhU5Br5/VcqG4Bc5nhWimtXIHPry3aLV5PtN6K9/i3eA5F6Jpa82JzmUMEbWSBIga02yIw9GjRyAI6ccH/kJGuB6QN5/YwGHpOF2f0FGiEAbUz41mLngN3SsXL1pdV2hT3x56/GIcGe6p/f1cytwVCyOaE7W87B05w5JYb1sSFj6QuGW0rHWfnHT5SY87Mk/H8VgZPaPbm+hSjLIQRAmUYQR+Rub1o9bXE= stephane"
exclusive: yes
sudo:
hosts: ALL
as: ALL
commands: ALL
nopasswd: ALL
#######
# APT #
#######
apt_repositories_sources:
- deb http://mirrors.online.net/ubuntu focal main restricted
- deb http://mirrors.online.net/ubuntu focal-updates main restricted
- deb http://mirrors.online.net/ubuntu focal universe
- deb http://mirrors.online.net/ubuntu focal-updates universe
- deb http://mirrors.online.net/ubuntu focal multiverse
- deb http://mirrors.online.net/ubuntu focal-updates multiverse
- deb http://mirrors.online.net/ubuntu focal-backports main restricted universe multiverse
- deb http://security.ubuntu.com/ubuntu focal-security main restricted
- deb http://security.ubuntu.com/ubuntu focal-security universe
- deb http://security.ubuntu.com/ubuntu focal-security multiverse
apt_packages:
- name: openssh-server
- name: proxychains
############
# ALERTING #
############
alerts_cron:
- name: storage
weekday: 0
minute: 0
hour: 15
user: root
job: "/usr/local/scripts/alerts.sh storage >/dev/null 2>&1"
cron_file: alerts
- name: load
weekday: "*"
minute: "*/5"
hour: "*"
user: root
job: "/usr/local/scripts/alerts.sh load >/dev/null 2>&1"
cron_file: alerts
- name: cpu
weekday: "*"
minute: "*/5"
hour: "*"
user: root
job: "/usr/local/scripts/alerts.sh cpu >/dev/null 2>&1"
cron_file: alerts
- name: ping
weekday: "*"
minute: "*"
hour: 12
user: root
job: "/usr/local/scripts/alerts.sh ping >/dev/null 2>&1"
cron_file: alerts
- name: ssl
weekday: "*"
minute: 0
hour: 15
user: root
job: "/usr/local/scripts/alerts.sh ssl >/dev/null 2>&1"
cron_file: alerts
- name: storage
weekday: 0
minute: 0
hour: 15
user: root
job: "/usr/local/scripts/alerts.sh storage >/dev/null 2>&1"
cron_file: alerts
- name: backup_git
weekday: "*"
minute: 0
hour: 18
user: root
job: "/usr/local/scripts/alerts.sh backup_git >/dev/null 2>&1"
cron_file: alerts
- name: backup_vault
weekday: "*"
minute: 0
hour: 20
user: root
job: "/usr/local/scripts/alerts.sh backup_vault >/dev/null 2>&1"
cron_file: alerts
alerts_storage: scaleway
alerts_load: scaleway
alerts_ping: ovh
alerts_health: scaleway
alerts_backup_gitea: scaleway
alerts_backup_vault: scaleway
alerts_cpu: scaleway
alerts_ssl: scaleway
##############
# LOG ROTATE #
##############
logrotate_scripts:
- name: backup
paths:
- /opt/dockerapps/backup/*.zip
- /opt/dockerapps/vaultwarden/backup/*.tar.xz.gpg
options:
- daily
- rotate 4
- compress
- missingok
- notifempty
- create 0644 root root
- name: dockerapps-git
path: /opt/dockerapps/logs/homeserver/git*.log
options:
- rotate 12
- monthly
- compress
- missingok
- delaycompress
scripts:
postrotate: docker-compose restart gitea
- name: dockerapps-grafa
path: /opt/dockerapps/logs/homeserver/grafa*.log
options:
- rotate 12
- monthly
- compress
- missingok
- delaycompress
scripts:
postrotate: docker-compose restart grafana
- name: dockerapps-traef
path: /opt/dockerapps/logs/homeserver/traef*.log
options:
- rotate 12
- monthly
- compress
- missingok
- delaycompress
scripts:
postrotate: docker-compose restart traefik
- name: dockerapps-vault
path: /opt/dockerapps/logs/homeserver/vault*.log
options:
- rotate 12
- monthly
- compress
- missingok
- delaycompress
scripts:
postrotate: docker-compose restart vault
# name: restart gitea
# script: docker-compose restart gitea
# - postrotate: docker-compose restart vaultwarden
# - postrotate: docker-compose restart grafana
- name: dockerapps-backup
paths:
- /opt/dockerapps/backup/gitea-dump-*.zip.1.gz
- /opt/dockerapps/vaultwarden/backup/*gpg.1.gz
options:
- rotate 6
- monthly
- compress
- missingok
- delaycompress
##########
# CHISEL #
##########
# SHOULD BE IN [server] GROUP
chisel_server: true
chisel_basic_auth: "{{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}"
chisel_service_name: chisel-server
chisel_config_name: chisel-server
chisel_proxychains_conf:
# chisel enable socks5, reverse and basic auth
- path: "/etc/chisel/{{ chisel_config_name }}.conf"
regexp: "^SOCK5=--socks5"
state: present
line: "SOCK5=--socks5"
- path: "/etc/chisel/{{ chisel_config_name }}.conf"
regexp: "^PID=--reverse"
state: present
line: "PID=--reverse"
- path: "/etc/chisel/{{ chisel_config_name }}.conf"
regexp: "^AUTH=--auth {{ chisel_basic_auth }}"
state: present
line: "AUTH=--auth {{ chisel_basic_auth }}"
- path: "/etc/chisel/{{ chisel_config_name }}.conf"
regexp: "^HOST=--host {{ chisel_server_host }}"
state: present
line: "HOST=--host {{ chisel_server_host }}"
# proxychains replace socks4 to socks5
- path: "/etc/proxychains.conf"
regexp: "^socks4 127.0.0.1 9050"
state: "absent"
- path: "/etc/proxychains.conf"
regexp: "^socks5 {{ chisel_server_host }} 1080"
state: present
line: "socks5 {{ chisel_server_host }} 1080"
##################
# DOCKER-COMPOSE #
##################
dockerapp_tree_volumes:
# ALERT
- alertmanager
- alertmanager/cache
- alertmanager/config
#ARA
- ara
#BLACKBOX
- blackbox
- blackbox/config
#GIT
- gitea
- gitea/gitea
- gitea/db
- gitea/runner
#GRAF
- grafana
- grafana/etc
- grafana/lib
#HOMARR
- homarr
- homarr/configs
- homarr/icons
#HOME
- homepage
- homepage/homepage
- homepage/icons
#MEALIE
- mealie
#PORT
- portainer
#PROM
- prometheus
- prometheus/prometheus
- prometheus/prometheus_data
#REGISTRY
- registry
- registry/data
#SEMA
- semaphore
#TRAF
- traefik2
- traefik2/acme
- traefik2/rules
#VAULT
- vaultwarden
#WIRE
- wireguard
- wireguard/config
- wireguard/lib
- wireguard/lib/modules
dockerapp_tree_base_dir:
- "/opt/"
dockerapp_service: dockerapps
docker_install_compose: false
pip_executable: pip3
pip_install_packages:
- docker-compose
dockerapp_compose:
version: "3.9"
######### IMPORTANT #############
# This is my main docker-compose file with most of the apps. I run docker on other systems with smaller stacks (web and synology).
# You can copy-paste services from one docker-compose file in this repo to another to add other apps.
# 90+ Open source docker stacks
#https://github.com/ethibox/awesome-stacks
#FROM
#https://github.com/htpcBeginner/docker-traefik/blob/master/docker-compose-t2.yml
########################### SYSTEM DESCRIPTION
# DOCKER-COMPOSE FOR HOME/MEDIA SERVER
# PROXMOX HOST: Dual Intel Xeon 5420, 16 GB RAM, 240 GB SSD, and 2 TB HDD
# VM: 6 CORES, 12 GB RAM, Ubuntu 20.04, and Docker
# 32 GB for /, 64 GB for /var/lib/docker and transcoding, and 1.5 TB for non-critical data and rclone cache.
# Google Drive mounted using Rclone Docker for media and Proxmox backups
########################### NETWORKS
# There is no need to create any networks outside this docker-compose file.
# You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please.
# Docker Compose version 3.5 or higher required to define networks this way.
networks:
t2_proxy:
name: t2_proxy
driver: bridge
ipam:
config:
- subnet: 192.168.90.0/24
default:
driver: bridge
socket_proxy:
name: socket_proxy
driver: bridge
ipam:
config:
- subnet: 192.168.91.0/24
########################### EXTENSION FIELDS
# Helps eliminate repetition of sections
# More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228
# # Common environment values
# x-environment: &default-tz-puid-pgid
# TZ: Europe/Paris
# PUID: 1000
# PGID: 1000
# # Proxy Network and Security
# x-network-and-security: &network-and-security
# networks:
# - t2_proxy
# security_opt:
# - no-new-privileges:true
# # Keys common to some of the services in basic-services.txt
# x-common-keys-core: &common-keys-core
# <<: *network-and-security
# restart: always
# # profiles:
# # - basic
# # Keys common to some of the dependent services/apps
# x-common-keys-apps: &common-keys-apps
# <<: *network-and-security
# restart: unless-stopped
# # profiles:
# # - apps
# # Keys common to some of the services in media-services.txt
# x-common-keys-media: &common-keys-media
# <<: *network-and-security
# restart: "no"
# # profiles:
# # - media
########################### SERVICES
services:
############################# FRONTENDS
# Traefik 2 - Reverse Proxy
# Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
# touch $DOCKERDIR/traefik2/acme/acme.json
# chmod 600 $DOCKERDIR/traefik2/acme/acme.json
# touch $DOCKERDIR/logs/homeserver/traefik.log # customize this
#### LETSENCRYPT CHALLENGE ######
# https://doc.traefik.io/traefik/user-guides/docker-compose/acme-http/
# Add new https services/fqdn
# uncomment acme.caserver line and remove/traefik2/acme/letsencrypt/acme.json file
# Down all containers and up all (docker-compose down/up -d), wait for news cert/key on acme.json
# At this moment, cert/key are staging, you need to comment acme.caserver line and remove acme.json file then restart traefik
traefik:
restart: always
security_opt:
- no-new-privileges:true
container_name: traefik
image: traefik:latest
command: # CLI arguments
- --global.checkNewVersion=true
- --global.sendAnonymousUsage=true
- --entryPoints.http.address=:80/tcp
- --entryPoints.https.address=:443/tcp
- --entryPoints.wireguard.address=:443/udp
- --api=true
- --api.dashboard=true
- --log=true
- --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
- --accessLog=true
- --accessLog.filePath=/traefik.log
- --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
- --providers.docker=true
- --providers.docker.endpoint=tcp://socket-proxy:2375
- --providers.docker.exposedByDefault=false
- --providers.docker.network=t2_proxy
- --providers.docker.swarmMode=false
- --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory
- --providers.file.watch=true # Only works on top level files in the rules folder
- --metrics.prometheus=true
- --metrics.prometheus.buckets=0.1,0.3,1.2,5.0
- --metrics.prometheus.addEntryPointsLabels=true
- --metrics.prometheus.addrouterslabels=true
- --metrics.prometheus.addServicesLabels=true
- --metrics.prometheus.manualrouting=true
- --certificatesresolvers.letsencrypt-resolver.acme.tlschallenge=true
# - --certificatesresolvers.letsencrypt-resolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
- --certificatesresolvers.letsencrypt-resolver.acme.email=stephane.gratiasquiquandon@gmail.com
- --certificatesresolvers.letsencrypt-resolver.acme.storage=/letsencrypt/acme.json
networks:
t2_proxy:
ipv4_address: 192.168.90.254 # You can specify a static IP
# Should connect to the docker socket
socket_proxy:
ipv4_address: 192.168.91.3
environment:
TZ: Europe/Paris
PUID: 1000
PGID: 1000
ports:
- target: 80
published: 80
protocol: tcp
mode: host
- target: 443
published: 443
protocol: tcp
mode: host
- target: 443
published: 443
protocol: udp
mode: host
volumes:
- ./traefik2/rules/homeserver:/rules # file provider directory
- ./traefik2/acme/letsencrypt:/letsencrypt
#- ./traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
- ./logs/homeserver/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
labels:
- "traefik.enable=true"
# HTTP-to-HTTPS Redirect
- "traefik.http.routers.http-catchall.entrypoints=http"
- "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true"
# HTTP Routers
- "traefik.http.routers.traefik-rtr.entrypoints=https"
- "traefik.http.routers.traefik-rtr.rule=Host(`traefik.jingoh.fr`)"
## Services - API
- "traefik.http.routers.traefik-rtr.service=api@internal"
- "traefik.http.routers.traefik-rtr.tls=true"
## MONITORING
- traefik.http.routers.prometheus.entrypoints=https
- traefik.http.routers.prometheus.rule=Host(`traefik.jingoh.fr`) && PathPrefix(`/metrics`)
- traefik.http.routers.prometheus.service=prometheus@internal
- traefik.http.routers.prometheus.middlewares=traefik-basic
## Middlewares
# echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g
## Middlewares
- "traefik.http.routers.traefik-rtr.middlewares=traefik-basic"
- "traefik.http.middlewares.traefik-basic.basicauth.users=jingohtraf:$$2y$$05$$JO8mJnOV2PARzEcVj.Grp.H.JbkWYneAIjgMt7c0.5NTyBNDkRIiW"
#- "traefik.http.middlewares.traefik-rtr-ratelimit.ratelimit.average=10"
# - "traefik.http.middlewares.traefik-rtr-ratelimit.ratelimit.burst=10"
# - "traefik.http.middlewares.traefik-rtr-ratelimit.ratelimit.period=1"
# - "traefik.http.routers.traefik-rtr-ratelimit.middlewares=traefik-rtr-ratelimit@docker"
## TLS
- "traefik.http.routers.traefik-rtr.tls.certresolver=letsencrypt-resolver"
- "traefik.http.routers.prometheus.tls.certresolver=letsencrypt-resolver"
# Docker Socket Proxy - Security Enchanced Proxy for Docker Socket
socket-proxy:
restart: always
security_opt:
- no-new-privileges:true # See EXTENSION FIELDS at the top
container_name: socket-proxy
image: tecnativa/docker-socket-proxy:latest
networks:
socket_proxy:
ipv4_address: 192.168.91.254 # You can specify a static IP
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
environment:
- LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
# 0 to revoke access.
# 1 to grant access.
## Granted by Default
- EVENTS=1
- PING=1
- VERSION=1
## Revoked by Default
# Security critical
- AUTH=0
- SECRETS=0
- POST=0 # Watchtower
# Not always needed
- BUILD=0
- COMMIT=0
- CONFIGS=0
- CONTAINERS=1 # Traefik, portainer, etc.
- DISTRIBUTION=0
- EXEC=0
- IMAGES=1 # Portainer
- INFO=1 # Portainer
- NETWORKS=1 # Portainer
- NODES=0
- PLUGINS=0
- SERVICES=1 # Portainer
- SESSION=0
- SWARM=0
- SYSTEM=0
- TASKS=1 # Portainer
- VOLUMES=1 # Portainer
# Dozzle - Real-time Docker Log Viewer
dozzle:
restart: always
security_opt:
- no-new-privileges:true # See EXTENSION FIELDS at the top
image: amir20/dozzle:latest
container_name: dozzle
networks:
t2_proxy:
ipv4_address: 192.168.90.169
# Should connect to the docker engine socket to collect logs
socket_proxy:
ipv4_address: 192.168.91.2
environment:
TZ: Europe/Paris
PUID: 1000
PGID: 1000
DOZZLE_LEVEL: info
#DOZZLE_TAILSIZE: 300
DOZZLE_FILTER: "status=running"
DOCKER_HOST: tcp://socket-proxy:2375
#DOZZLE_ADDR: ":8181"
volumes:
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.dozzle-rtr-http.entrypoints=http"
- "traefik.http.routers.dozzle-rtr-http.rule=Host(`dozzle.jingoh.fr`)"
- "traefik.http.routers.dozzle-rtr-http.middlewares=redirect-to-https"
## HTTPS Routers
- "traefik.http.routers.dozzle-rtr.entrypoints=https"
- "traefik.http.routers.dozzle-rtr.rule=Host(`dozzle.jingoh.fr`)"
## Services
- "traefik.http.routers.dozzle-rtr.service=dozzle-svc"
- "traefik.http.services.dozzle-svc.loadbalancer.server.port=8080"
## Middlewares
- "traefik.http.routers.dozzle-rtr.middlewares=dozzle-basic"
- "traefik.http.middlewares.dozzle-basic.basicauth.users=jingohdoz:$$2y$$05$$e5x192gFu6uBevLcZNNU9eEWnekh3p.F8cffX19EBTLMwBQoqHcwW"
## TLS
- "traefik.http.routers.dozzle-rtr.tls.certresolver=letsencrypt-resolver"
# conf file in/gitea/gitea/gitea/conf/app.ini
# [metrics]
# [log]
gitea:
restart: always
security_opt:
- no-new-privileges:true # See EXTENSION FIELDS at the top
image: gitea/gitea:latest
container_name: gitea
networks:
t2_proxy:
ipv4_address: 192.168.90.170
environment:
TZ: Europe/Paris
PUID: 1000
PGID: 1000
GITEA__database__DB_TYPE: postgres
GITEA__database__HOST: gitea-db:5432
GITEA__server__DOMAIN: gitea.jingoh.fr
GITEA__server__ROOT_URL: https://gitea.jingoh.fr
GITEA__server__HTTP_PORT: 3000
GITEA__server__START_SSH_SERVER: "true"
GITEA__server__SSH_PORT: 443
GITEA__server__SSH_LISTEN_PORT: 2222
GITEA__server__SSH_DOMAIN: gitea.jingoh.fr
GITEA__repository__USE_COMPAT_SSH_URI: "false"
GITEA__database__NAME: gitea
GITEA__database__USER: root
GITEA__database__PASSWD: uu~Y8aic
volumes:
- ./logs/homeserver/gitea.log:/data/gitea/log/gitea.log
- ./gitea/gitea:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.gitea-rtr-http.entrypoints=http"
- "traefik.http.routers.gitea-rtr-http.rule=Host(`gitea.jingoh.fr`)"
- "traefik.http.routers.gitea-rtr-http.middlewares=redirect-to-https"
## HTTPS Routers
- "traefik.http.routers.gitea-rtr.entrypoints=https"
- "traefik.http.routers.gitea-rtr.rule=Host(`gitea.jingoh.fr`)"
## Middlewares
# git push doesn't work with basicauth
#- "traefik.http.routers.gitea-rtr.middlewares=gitea-basic"
#- "traefik.http.middlewares.gitea-basic.basicauth.users=jingohgit:$$2y$$05$$iBHOV.3zFZFTp4kRqD7.I.hQ/Rx3qeHoUjq/3KztwzyU8t1BIK/ne"
## Services
- "traefik.http.routers.gitea-rtr.service=gitea-svc"
- "traefik.http.services.gitea-svc.loadbalancer.server.port=3000"
## SSH
- "traefik.tcp.routers.gitea-ssh.rule=HostSNI(`*`)"
- "traefik.tcp.routers.gitea-ssh.entrypoints=https"
- "traefik.tcp.routers.gitea-ssh.service=gitea-ssh-svc"
- "traefik.tcp.services.gitea-ssh-svc.loadbalancer.server.port=2222"
## TLS
- "traefik.http.routers.gitea-rtr.tls.certresolver=letsencrypt-resolver"
gitea-db:
restart: always
security_opt:
- no-new-privileges:true # See EXTENSION FIELDS at the top
image: postgres:14
container_name: gitea-db
networks:
t2_proxy:
ipv4_address: 192.168.90.171
environment:
TZ: Europe/Paris
PUID: 1000
PGID: 1000
POSTGRES_USER: root
POSTGRES_PASSWORD: uu~Y8aic
POSTGRES_DB: gitea
volumes:
- ./gitea/gitea-db:/var/lib/postgresql/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
labels:
- traefik.enable=false
#https://github.com/ngoduykhanh/wireguard-ui/blob/master/docker-compose.yaml -> wireguard-ui
wireguard:
restart: always
security_opt:
- no-new-privileges:true # See EXTENSION FIELDS at the top
image: lscr.io/linuxserver/wireguard:latest
container_name: wireguard
cap_add:
- NET_ADMIN
- SYS_MODULE
environment:
TZ: Europe/Paris
PUID: 1000
PGID: 1000
SERVERURL: 163.172.84.28 #optional
SERVERPORT: 443 #optional
PEERS: 2 #optional
PEERDNS: auto #optional
INTERNAL_SUBNET: 10.13.13.0 #optional
ALLOWEDIPS: 0.0.0.0/0 #optional
LOG_CONFS: "true" #optional
networks:
t2_proxy:
ipv4_address: 192.168.90.173
volumes:
- ./wireguard/config:/config
- ./wireguard/lib/modules:/lib/modules
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
sysctls:
- net.ipv4.conf.all.src_valid_mark=1
labels:
- "traefik.enable=true"
## UDP Routers
- "traefik.udp.routers.wireguard-rtr.entrypoints=wireguard"
- "traefik.udp.services.wireguard.loadbalancer.server.port=51820"
depends_on:
- traefik
# # Grafana - Graphical data visualization
## Reset password command-line -> grafana-cli $username reset-admin-password $password
## Enable log file with rotate (/etc/grafana/grafana.ini)
grafana:
restart: always
security_opt:
- no-new-privileges:true # See EXTENSION FIELDS at the top
image: grafana/grafana:latest
container_name: grafana
networks:
t2_proxy:
ipv4_address: 192.168.90.175
# ports:
# - "$GRAFANA_PORT:3000"
user: root
volumes:
- ./grafana/lib:/var/lib/grafana
- ./logs/homeserver/grafana.log:/var/log/grafana/grafana.log
environment:
TZ: Europe/Paris
PUID: 1000
PGID: 1000
GF_INSTALL_PLUGINS: "grafana-clock-panel,grafana-simple-json-datasource,grafana-worldmap-panel,grafana-piechart-panel"
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.grafana-rtr-http.entrypoints=http"
- "traefik.http.routers.grafana-rtr-http.rule=Host(`grafana.jingoh.fr`)"
- "traefik.http.routers.grafana-rtr-http.middlewares=redirect-to-https"
## HTTPS Routers
- "traefik.http.routers.grafana-rtr.entrypoints=https"
- "traefik.http.routers.grafana-rtr.rule=Host(`grafana.jingoh.fr`)"
## Services
- "traefik.http.routers.grafana-rtr.service=grafana-svc"
- "traefik.http.services.grafana-svc.loadbalancer.server.port=3000"
## TLS
- "traefik.http.routers.grafana-rtr.tls.certresolver=letsencrypt-resolver"
## Middlewares
- "traefik.http.routers.grafana-rtr.middlewares=grafana-basic"
- "traefik.http.middlewares.grafana-basic.basicauth.users=jingohgraf:$$2y$$05$$DMxSbnKhLv0zW2qYzMpkj.idi88EsFsIdgKoYPzFpxo9ErDHLYCAi"
# NEEDED IF CONFLICTS BETWEEN BASICAUTH AND APP LOGIN PAGE
- "traefik.http.middlewares.grafana-basic.basicauth.removeheader=true"
prometheus:
restart: always
security_opt:
- no-new-privileges:true # See EXTENSION FIELDS at the top
image: prom/prometheus:latest
container_name: prometheus
user: root
networks:
t2_proxy:
ipv4_address: 192.168.90.176
volumes:
- ./prometheus/prometheus:/etc/prometheus/
- ./prometheus/prometheus_data:/prometheus
command:
- '--config.file=/etc/prometheus/prometheus.yml'
- '--storage.tsdb.path=/prometheus'
- '--web.console.libraries=/usr/share/prometheus/console_libraries'
- '--web.console.templates=/usr/share/prometheus/consoles'
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.prometheus-rtr-http.entrypoints=http"
- "traefik.http.routers.prometheus-rtr-http.rule=Host(`prometheus.jingoh.fr`)"
- "traefik.http.routers.prometheus-rtr-http.middlewares=redirect-to-https"
# HTTPS
- "traefik.http.routers.prometheus-rtr.entrypoints=https"
- "traefik.http.routers.prometheus-rtr.rule=Host(`prometheus.jingoh.fr`)"
- "traefik.http.routers.prometheus-rtr.service=prometheus-svc"
- "traefik.http.services.prometheus-svc.loadbalancer.server.port=9090"
- "traefik.docker.network=t2_proxy"
## Middlewares
- "traefik.http.routers.prometheus-rtr.middlewares=prometheus-basic"
- "traefik.http.middlewares.prometheus-basic.basicauth.users=jingohprom:$$2y$$05$$7cf/zuj8lI4Gt9K3xfWEKu.hKwzi1lxsjImgvSc9tHZ0QqHOxagH."
## TLS
- "traefik.http.routers.prometheus-rtr.tls.certresolver=letsencrypt-resolver"
# https://pieterhollander.nl/post/bitwarden/
# https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
# https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
vaultwarden:
restart: always
security_opt:
- no-new-privileges:true # See EXTENSION FIELDS at the top
image: vaultwarden/server:latest
container_name: vault
environment:
TZ: Europe/Paris
PUID: 1000
PGID: 1000
WEBSOCKET_ENABLED: 1
ROCKET_PORT: 80
DOMAIN: https://vault.jingoh.fr
ADMIN_TOKEN: BwI1E5Sqb6clUpsAfXdlkMnQuzwTh7pFPpqK6V8RII/CuBqgbNhj325ynL40dfjs
LOG_FILE: /var/log/vaultwarden.log
SIGNUPS_ALLOWED: "false"
networks:
t2_proxy:
ipv4_address: 192.168.90.177
volumes:
- ./vaultwarden:/data
- ./logs/homeserver/vaultwarden.log:/var/log/vaultwarden.log
labels:
- traefik.enable=true
## HTTP Routers
- "traefik.http.routers.bitwarden-rtr-http.entrypoints=http"
- "traefik.http.routers.bitwarden-rtr-http.rule=Host(`bitwarden.jingoh.fr`)"
- "traefik.http.routers.bitwarden-rtr-http.middlewares=redirect-to-https"
## HTTPS Routers
- traefik.docker.network=t2_proxy
- traefik.http.routers.bitwarden-rtr.entrypoints=https
- traefik.http.routers.bitwarden-rtr.rule=Host(`vault.jingoh.fr`)
- traefik.http.routers.bitwarden-rtr.tls=true
- traefik.http.routers.bitwarden-rtr.service=bitwarden-svc
- traefik.http.services.bitwarden-svc.loadbalancer.server.port=80
- traefik.http.routers.bitwarden-websocket-rtr.entrypoints=https
- traefik.http.routers.bitwarden-websocket-rtr.rule=Host(`vault.jingoh.fr`) && Path(`/notifications/hub`)
- traefik.http.routers.bitwarden-websocket-rtr.service=bitwarden-websocket-svc
- traefik.http.services.bitwarden-websocket-svc.loadbalancer.server.port=3012
## TLS
- "traefik.http.routers.bitwarden-rtr.tls.certresolver=letsencrypt-resolver"
- "traefik.http.routers.bitwarden-websocket-rtr.tls.certresolver=letsencrypt-resolver"
homepage:
restart: always
security_opt:
- no-new-privileges:true # See EXTENSION FIELDS at the top
image: ghcr.io/gethomepage/homepage:latest
container_name: homepage
networks:
t2_proxy:
ipv4_address: 192.168.90.178
volumes:
- ./homepage/homepage:/app/config
- ./homepage/icons:/app/public/icons
- "/var/run/docker.sock:/var/run/docker.sock"
labels:
- traefik.enable=true
## HTTP Routers
- "traefik.http.routers.homepage-rtr-http.entrypoints=http"
- "traefik.http.routers.homepage-rtr-http.rule=Host(`homepage.jingoh.fr`)"
- "traefik.http.routers.homepage-rtr-http.middlewares=redirect-to-https"
## HTTPS Routers
- traefik.docker.network=t2_proxy
- traefik.http.routers.homepage-rtr.entrypoints=https
- traefik.http.routers.homepage-rtr.rule=Host(`homepage.jingoh.fr`)
- traefik.http.routers.homepage-rtr.tls=true
- traefik.http.routers.homepage-rtr.service=homepage-svc
- traefik.http.services.homepage-svc.loadbalancer.server.port=3000
## TLS
- "traefik.http.routers.homepage-rtr.tls.certresolver=letsencrypt-resolver"
registry:
restart: always
security_opt:
- no-new-privileges:true # See EXTENSION FIELDS at the top
image: registry:2
container_name: registry
networks:
t2_proxy:
ipv4_address: 192.168.90.179
environment:
REGISTRY_STORAGE_DELETE_ENABLED: 'true'
volumes:
- ./registry/data:/var/lib/registry
registry-ui:
restart: always
security_opt:
- no-new-privileges:true # See EXTENSION FIELDS at the top
image: joxit/docker-registry-ui:latest
expose:
- 80
environment:
- DELETE_IMAGES=true
- NGINX_PROXY_PASS_URL=http://registry:5000
- SINGLE_REGISTRY=true
- REGISTRY_TITLE= 🧱 Jingoh Container Registry 🧱
container_name: registry-ui
networks:
t2_proxy:
ipv4_address: 192.168.90.180
depends_on:
- registry
labels:
- traefik.enable=true
## HTTP Routers
- traefik.http.routers.registry-rtr-http.entrypoints=http
- traefik.http.routers.registry-rtr-http.rule=Host(`registry.jingoh.fr`)
- traefik.http.routers.registry-rtr-http.middlewares=redirect-to-https
## HTTPS Routers
- traefik.docker.network=t2_proxy
- traefik.http.routers.registry-rtr.entrypoints=https
- traefik.http.routers.registry-rtr.rule=Host(`registry.jingoh.fr`)
- traefik.http.routers.registry-rtr.tls=true
- traefik.http.routers.registry-rtr.service=registry-svc
- traefik.http.services.registry-svc.loadbalancer.server.port=80
## TLS
- traefik.http.routers.registry-rtr.tls.certresolver=letsencrypt-resolver
## Middlewares
- "traefik.http.routers.registry-rtr.middlewares=registry-basic"
- "traefik.http.middlewares.registry-basic.basicauth.users=jingohdocker:$$2y$$05$$dEBjltxSmPyUuQG3ewQXSu8ez97J8562/XhoDw6AoLbmc3ZQTKg4C"
alert:
restart: always
security_opt:
- no-new-privileges:true # See EXTENSION FIELDS at the top
image: binwiederhier/ntfy:latest
container_name: alert
networks:
t2_proxy:
ipv4_address: 192.168.90.181
volumes:
- ./alertmanager/config/alertmanager.yml:/etc/ntfy/server.yml
- ./alertmanager/cache/:/var/cache/ntfy/
command: serve
expose:
- 80
labels:
- traefik.enable=true
## HTTP Routers
- traefik.http.routers.alertmanager-rtr-http.entrypoints=http
- traefik.http.routers.alertmanager-rtr-http.rule=Host(`alert.jingoh.fr`)
- traefik.http.routers.alertmanager-rtr-http.middlewares=redirect-to-https
## HTTPS Routers
- traefik.docker.network=t2_proxy
- traefik.http.routers.alertmanager-rtr.entrypoints=https
- traefik.http.routers.alertmanager-rtr.rule=Host(`alert.jingoh.fr`)
- traefik.http.routers.alertmanager-rtr.tls=true
- traefik.http.routers.alertmanager-rtr.service=alertmanager-svc
- traefik.http.services.alertmanager-svc.loadbalancer.server.port=80
## TLS
- traefik.http.routers.alertmanager-rtr.tls.certresolver=letsencrypt-resolver
## Middlewares
- "traefik.http.routers.alertmanager-rtr.middlewares=alertmanager-basic"
- "traefik.http.middlewares.alertmanager-basic.basicauth.users=jingohalert:$$2y$$05$$dEBjltxSmPyUuQG3ewQXSu8ez97J8562/XhoDw6AoLbmc3ZQTKg4C"
exporter:
image: prom/node-exporter:latest
container_name: exporter
restart: always
security_opt:
- no-new-privileges:true # See EXTENSION FIELDS at the top
user: root
volumes:
- /:/host:ro
command:
- '--path.procfs=/host/proc'
- '--path.rootfs=/rootfs'
- '--path.sysfs=/host/sys'
- '--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)'
networks:
t2_proxy:
ipv4_address: 192.168.90.183
labels:
- traefik.enable=true
## HTTP Routers
- traefik.http.routers.exporter-rtr-http.entrypoints=http
- traefik.http.routers.exporter-rtr-http.rule=Host(`exporter.jingoh.fr`)
- traefik.http.routers.exporter-rtr-http.middlewares=redirect-to-https
## HTTPS Routers
- traefik.docker.network=t2_proxy
- traefik.http.routers.exporter-rtr.entrypoints=https
- traefik.http.routers.exporter-rtr.rule=Host(`exporter.jingoh.fr`)
- traefik.http.routers.exporter-rtr.tls=true
- traefik.http.routers.exporter-rtr.service=exporter-svc
- traefik.http.services.exporter-svc.loadbalancer.server.port=9100
## TLS
- traefik.http.routers.exporter-rtr.tls.certresolver=letsencrypt-resolver
## Middlewares
- "traefik.http.routers.exporter-rtr.middlewares=exporter-basic"
- "traefik.http.middlewares.exporter-basic.basicauth.users=jingohblack:$$2y$$05$$Y8dT7mF46c0aSOyDb7Jq9.TisInl3dzuWSSwkXM08r1Q331HQ/b.C"
ara-ui:
image: recordsansible/ara-api:latest
restart: always
security_opt:
- no-new-privileges:true # See EXTENSION FIELDS at the top
environment:
- ARA_ALLOWED_HOSTS=["ara.jingoh.fr", "localhost"]
- ARA_DATABASE_ENGINE=django.db.backends.postgresql
- ARA_DATABASE_HOST=ara-db
- ARA_DATABASE_NAME=ara
- ARA_DATABASE_PASSWORD=ara
- ARA_DATABASE_USER=ara
- ARA_DATABASE_PORT=5432
container_name: ara-ui
networks:
t2_proxy:
ipv4_address: 192.168.90.184
labels:
- traefik.enable=true
## HTTP Routers
- traefik.http.routers.ansible-rtr-http.entrypoints=http
- traefik.http.routers.ansible-rtr-http.rule=Host(`ara.jingoh.fr`)
- traefik.http.routers.ansible-rtr-http.middlewares=redirect-to-https
## HTTPS Routers
- traefik.docker.network=t2_proxy
- traefik.http.routers.ansible-rtr.entrypoints=https
- traefik.http.routers.ansible-rtr.rule=Host(`ara.jingoh.fr`)
- traefik.http.routers.ansible-rtr.tls=true
- traefik.http.routers.ansible-rtr.service=ansible-svc
- traefik.http.services.ansible-svc.loadbalancer.server.port=8000
## TLS
- traefik.http.routers.ansible-rtr.tls.certresolver=letsencrypt-resolver
## Middlewares
- "traefik.http.routers.ansible-rtr.middlewares=ansible-basic"
- "traefik.http.middlewares.ansible-basic.basicauth.users=jingohblack:$$2y$$05$$Y8dT7mF46c0aSOyDb7Jq9.TisInl3dzuWSSwkXM08r1Q331HQ/b.C"
- "traefik.http.middlewares.ansible-basic.basicauth.removeheader=true"
ara-db:
restart: always
security_opt:
- no-new-privileges:true # See EXTENSION FIELDS at the top
image: postgres:14
container_name: ara-db
networks:
t2_proxy:
ipv4_address: 192.168.90.185
environment:
TZ: Europe/Paris
PUID: 1000
PGID: 1000
POSTGRES_USER: ara
POSTGRES_PASSWORD: ara
POSTGRES_DB: ara
volumes:
- ./ara:/var/lib/postgresql/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
labels:
- traefik.enable=false
semaphore-db:
restart: always
security_opt:
- no-new-privileges:true # See EXTENSION FIELDS at the top
container_name: semaphore-db
image: postgres:14
hostname: postgres
networks:
t2_proxy:
ipv4_address: 192.168.90.186
volumes:
- ./semaphore/semaphore-db:/var/lib/postgresql/data
environment:
POSTGRES_USER: semaphore
POSTGRES_PASSWORD: uu~Y8aic
POSTGRES_DB: semaphore
labels:
- traefik.enable=false
semaphore:
restart: always
security_opt:
- no-new-privileges:true # See EXTENSION FIELDS at the top
expose:
- 3000
container_name: semaphore
image: semaphoreui/semaphore:latest
user: "${UID}:${GID}"
networks:
t2_proxy:
ipv4_address: 192.168.90.187
environment:
- SEMAPHORE_DB_USER=semaphore
- SEMAPHORE_DB_PASS=uu~Y8aic
- SEMAPHORE_DB_HOST=semaphore-db
- SEMAPHORE_DB_PORT=5432
- SEMAPHORE_DB_DIALECT=postgres
- SEMAPHORE_DB=semaphore
- SEMAPHORE_PLAYBOOK_PATH=/tmp/semaphore/
- SEMAPHORE_ADMIN_PASSWORD=uu~Y8aic
- SEMAPHORE_ADMIN_NAME=admin
- SEMAPHORE_ADMIN_EMAIL=admin@localhost
- SEMAPHORE_ADMIN=admin
- SEMAPHORE_ACCESS_KEY_ENCRYPTION=ShbKLtVWr5yB/G1WO3DOEU5Il0JBlcN//4mpErpSwpQ= # add to your access key encryption !
- ANSIBLE_HOST_KEY_CHECKING=false # (optional) change to true if you want to enable host key checking
volumes:
- ./semaphore/inventory/:/inventory:ro
- ./semaphore/authorized-keys/:/authorized-keys:ro
- ./semaphore/config/:/etc/semaphore:rw
depends_on:
- semaphore-db
labels:
- traefik.enable=true
## HTTP Routers
- traefik.http.routers.semaphore-rtr-http.entrypoints=http
- traefik.http.routers.semaphore-rtr-http.rule=Host(`semaphore.jingoh.fr`)
- traefik.http.routers.semaphore-rtr-http.middlewares=redirect-to-https
## HTTPS Routers
- traefik.docker.network=t2_proxy
- traefik.http.routers.semaphore-rtr.entrypoints=https
- traefik.http.routers.semaphore-rtr.rule=Host(`semaphore.jingoh.fr`)
- traefik.http.routers.semaphore-rtr.tls=true
- traefik.http.routers.semaphore-rtr.service=semaphore-svc
- traefik.http.services.semaphore-svc.loadbalancer.server.port=3000
# ## WEBSOCKET
# - traefik.http.routers.semaphore-websocket-rtr.entrypoints=https
# - traefik.http.routers.semaphore-websocket-rtr.rule=Host(`semaphore.jingoh.fr`) && Path(`/api/ws`)
# - traefik.http.routers.semaphore-websocket-rtr.service=semaphore-websocket-svc
# - traefik.http.services.semaphore-websocket-svc.loadbalancer.server.port=3000
## TLS
- traefik.http.routers.semaphore-rtr.tls.certresolver=letsencrypt-resolver
# ## Middlewares
# - "traefik.http.routers.semaphore-rtr.middlewares=semaphore-basic"
# - "traefik.http.middlewares.semaphore-basic.basicauth.users=jingohblack:$$2y$$05$$Y8dT7mF46c0aSOyDb7Jq9.TisInl3dzuWSSwkXM08r1Q331HQ/b.C"
# - "traefik.http.middlewares.semaphore-basic.basicauth.removeheader=true"
# qBittorrent - Torrent downloader
# Needs trailing / if using PathPrefixStrip
# qbittorrent:
# <<: *common-keys-apps # See EXTENSION FIELDS at the top
# image: lscr.io/linuxserver/qbittorrent:latest
# container_name: qbittorrent
# networks:
# t2_proxy:
# ipv4_address: 192.168.90.174
# volumes:
# - ./qbittorrent:/config
# - ./downloads:/downloads
# environment:
# # TZ: Europe/Paris
# PUID: 1000
# PGID: 1000
# # UMASK_SET: 002
# labels:
# - "traefik.enable=true"
# ## HTTP Routers
# - "traefik.http.routers.qbittorrent-rtr.entrypoints=https"
# - "traefik.http.routers.qbittorrent-rtr.rule=Host(`qbit.jingoh.fr`)"
# ## Middlewares
# - "traefik.http.routers.qbittorrent-rtr.middlewares=test-auth"
# ## Services
# - "traefik.http.routers.qbittorrent-rtr.service=qbittorrent-svc"
# - "traefik.http.services.qbittorrent-svc.loadbalancer.server.port=8168"
# # Anti ddos
# - "traefik.http.middlewares.qbittorrent-rtr-ratelimit.ratelimit.average=10"
# - "traefik.http.middlewares.qbittorrent-rtr-ratelimit.ratelimit.burst=10"
# - "traefik.http.middlewares.qbittorrent-rtr-ratelimit.ratelimit.period=1"
# - "traefik.http.routers.qbittorrent-rtr-ratelimit.middlewares=qbittorrent-rtr-ratelimit@docker"
# docker run -p 9925:80 -v ./mealie:/app/data/ hkotel/mealie:latest
mealie:
container_name: mealie
image: hkotel/mealie:latest
user: "${UID}:${GID}"
environment:
- DEFAULT_EMAIL=stephane.gratiasquiquandon@gmail.com
- DEFAULT_GROUP=manger
- BASE_URL=mealie.jingoh.fr
networks:
t2_proxy:
ipv4_address: 192.168.90.188
volumes:
- ./mealie/:/app/data/
restart: always
security_opt:
- no-new-privileges:true # See EXTENSION FIELDS at the top
labels:
- traefik.enable=true
## HTTPS Routers
- traefik.docker.network=t2_proxy
- traefik.http.routers.mealie-rtr.entrypoints=https
- traefik.http.routers.mealie-rtr.rule=Host(`mealie.jingoh.fr`)
- traefik.http.routers.mealie-rtr.tls=true
- traefik.http.routers.mealie-rtr.service=mealie-svc
- traefik.http.services.mealie-svc.loadbalancer.server.port=80
## TLS
- traefik.http.routers.mealie-rtr.tls.certresolver=letsencrypt-resolver
# homarr:
# container_name: homarr
# image: ghcr.io/ajnart/homarr:latest
# restart: unless-stopped
# networks:
# t2_proxy:
# ipv4_address: 192.168.90.189
# volumes:
# - ./homarr/configs:/app/data/configs
# - ./homarr/icons:/app/public/icons
# labels:
# - traefik.enable=true
# ## HTTPS Routers
# - traefik.docker.network=t2_proxy
# - traefik.http.routers.homarr-rtr.entrypoints=https
# - traefik.http.routers.homarr-rtr.rule=Host(`homarr.jingoh.fr`)
# - traefik.http.routers.homarr-rtr.tls=true
# - traefik.http.routers.homarr-rtr.service=homarr-svc
# - traefik.http.services.homarr-svc.loadbalancer.server.port=7575
# ## TLS
# - traefik.http.routers.homarr-rtr.tls.certresolver=letsencrypt-resolver
# ## Middleware IP whitelist
# - traefik.http.middlewares.dashboard-ipwhitelist.ipwhitelist.sourcerange=192.168.91.1/32
# - traefik.http.routers.homarr-rtr.middlewares=dashboard-ipwhitelist
portainer:
container_name: portainer
image: portainer/portainer-ce:latest
restart: always
security_opt:
- no-new-privileges:true
networks:
t2_proxy:
ipv4_address: 192.168.90.190
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./portainer/:/data/
labels:
- traefik.enable=true
## HTTPS Routers
- traefik.docker.network=t2_proxy
- traefik.http.routers.portainer-rtr.entrypoints=https
- traefik.http.routers.portainer-rtr.rule=Host(`docker.jingoh.fr`)
- traefik.http.routers.portainer-rtr.tls=true
- traefik.http.routers.portainer-rtr.service=portainer-svc
- traefik.http.services.portainer-svc.loadbalancer.server.port=9000
## TLS
- traefik.http.routers.homarr-rtr.tls.certresolver=letsencrypt-resolver
## Middleware IP whitelist
# - traefik.http.middlewares.dashboard-ipwhitelist.ipwhitelist.sourcerange=192.168.91.1/32
# - traefik.http.routers.homarr-rtr.middlewares=dashboard-ipwhitelist
Reference in New Issue View Git Blame Copy Permalink