From 0bb0cd575caf13cb21607aafb55c98203e6ca5c5 Mon Sep 17 00:00:00 2001 
From: BhasherBEL Date: Tue, 26 Sep 2023 09:53:42 +0200 Subject: [PATCH] bxl-shp --- bxl-shp/apps/docker-compose.baikal.yaml | 23 ++ bxl-shp/apps/docker-compose.dashy.yaml | 29 +++ bxl-shp/apps/docker-compose.invoice.yaml | 79 ++++++ bxl-shp/apps/docker-compose.matrix.yaml | 39 +++ bxl-shp/apps/docker-compose.mealie.yaml | 30 +++ bxl-shp/apps/docker-compose.mediaserver.yaml | 211 ++++++++++++++++ bxl-shp/apps/docker-compose.pihole.yaml | 38 +++ bxl-shp/apps/docker-compose.smarthome.yaml | 73 ++++++ bxl-shp/apps/docker-compose.syncthing.yaml | 31 +++ bxl-shp/apps/docker-compose.tg2.yaml | 14 ++ bxl-shp/apps/docker-compose.wireguard.yaml | 23 ++ bxl-shp/config/borg/borg.service | 14 ++ bxl-shp/config/borg/borg.timer | 9 + bxl-shp/config/dashy/config.yml | 227 ++++++++++++++++++ .../config/idp/authelia.configuration.yaml | 167 +++++++++++++ bxl-shp/config/invoiceninja/in-vhost.conf | 28 +++ bxl-shp/config/monitoring/mikrotik.yaml | 42 ++++ bxl-shp/config/monitoring/prometheus.yaml | 40 +++ bxl-shp/config/riot/config.json | 7 + bxl-shp/config/smarthome/mosquitto.conf | 3 + bxl-shp/deploy.sh | 5 + bxl-shp/system/docker-compose.auth.yaml | 99 ++++++++ bxl-shp/system/docker-compose.backup.yaml | 19 ++ bxl-shp/system/docker-compose.monitoring.yaml | 134 +++++++++++ bxl-shp/system/docker-compose.portainer.yaml | 23 ++ bxl-shp/system/docker-compose.storage.yaml | 35 +++ bxl-shp/system/docker-compose.traefik.yaml | 57 +++++ bxl-shp/system/docker-compose.watchtower.yaml | 32 +++ 28 files changed, 1531 insertions(+) create mode 100644 bxl-shp/apps/docker-compose.baikal.yaml create mode 100644 bxl-shp/apps/docker-compose.dashy.yaml create mode 100644 bxl-shp/apps/docker-compose.invoice.yaml create mode 100644 bxl-shp/apps/docker-compose.matrix.yaml create mode 100644 bxl-shp/apps/docker-compose.mealie.yaml create mode 100644 bxl-shp/apps/docker-compose.mediaserver.yaml create mode 100644 bxl-shp/apps/docker-compose.pihole.yaml create mode 100644 
bxl-shp/apps/docker-compose.smarthome.yaml create mode 100644 bxl-shp/apps/docker-compose.syncthing.yaml create mode 100644 bxl-shp/apps/docker-compose.tg2.yaml create mode 100644 bxl-shp/apps/docker-compose.wireguard.yaml create mode 100644 bxl-shp/config/borg/borg.service create mode 100644 bxl-shp/config/borg/borg.timer create mode 100644 bxl-shp/config/dashy/config.yml create mode 100644 bxl-shp/config/idp/authelia.configuration.yaml create mode 100644 bxl-shp/config/invoiceninja/in-vhost.conf create mode 100644 bxl-shp/config/monitoring/mikrotik.yaml create mode 100644 bxl-shp/config/monitoring/prometheus.yaml create mode 100644 bxl-shp/config/riot/config.json create mode 100644 bxl-shp/config/smarthome/mosquitto.conf create mode 100755 bxl-shp/deploy.sh create mode 100644 bxl-shp/system/docker-compose.auth.yaml create mode 100644 bxl-shp/system/docker-compose.backup.yaml create mode 100644 bxl-shp/system/docker-compose.monitoring.yaml create mode 100644 bxl-shp/system/docker-compose.portainer.yaml create mode 100644 bxl-shp/system/docker-compose.storage.yaml create mode 100644 bxl-shp/system/docker-compose.traefik.yaml create mode 100644 bxl-shp/system/docker-compose.watchtower.yaml diff --git a/bxl-shp/apps/docker-compose.baikal.yaml b/bxl-shp/apps/docker-compose.baikal.yaml new file mode 100644 index 0000000..395cd84 --- /dev/null +++ b/bxl-shp/apps/docker-compose.baikal.yaml 
@@ -0,0 +1,23 @@ +services: + baikal: + container_name: baikal + image: ckulka/baikal:nginx + restart: on-failure + environment: + - TZ=Europe/Paris + volumes: + - $DATA/baikal/config:/var/www/baikal/config + - $DATA/baikal/data:/var/www/baikal/Specific + labels: + - "traefik.enable=true" + - "traefik.http.routers.baikal.rule=Host(`baikal.bxl.bhasher.com`)" + - "traefik.http.services.baikal.loadbalancer.server.port=80" + - "traefik.http.routers.baikal.tls=true" + - "traefik.http.routers.baikal.tls.certresolver=http" + - "traefik.http.routers.baikal.entrypoints=internalsecure,externalsecure" + networks: + - external + +networks: + external: + external: true diff --git a/bxl-shp/apps/docker-compose.dashy.yaml b/bxl-shp/apps/docker-compose.dashy.yaml new file mode 100644 index 0000000..3d27a2a --- /dev/null +++ b/bxl-shp/apps/docker-compose.dashy.yaml @@ -0,0 +1,29 @@ +services: + dashy: + container_name: dashy + image: dashy + environment: + - NODE_ENV=production + restart: unless-stopped + volumes: + - $CONFIG/dashy/config.yml:/app/public/conf.yml + labels: + - "traefik.enable=true" + - "traefik.http.routers.dashy.rule=Host(`hub.bhasher.com`)" + - "traefik.http.routers.dashy.entrypoints=internalsecure" + - "traefik.http.services.dashy.loadbalancer.server.port=80" + - "traefik.http.routers.dashy.tls=true" + - "traefik.http.routers.dashy.tls.certresolver=http" + - "traefik.http.routers.dashy.middlewares=authelia@docker" + - "com.centurylinklabs.watchtower.enable=false" + healthcheck: + test: ['CMD', 'node', '/app/services/healthcheck'] + interval: 1m30s + timeout: 10s + retries: 3 + networks: + - external + +networks: + external: + external: true diff --git a/bxl-shp/apps/docker-compose.invoice.yaml b/bxl-shp/apps/docker-compose.invoice.yaml new file mode 100644 index 0000000..8b4a0af --- /dev/null +++ b/bxl-shp/apps/docker-compose.invoice.yaml 
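Review bot: The baikal router is published on `externalsecure` with no `authelia@docker` middleware, so Baikal's own web admin (served under `/admin/`) is reachable from the internet guarded only by Baikal's admin password, with no rate limiting in front of it. CalDAV/CardDAV clients need the unauthenticated router for the DAV endpoints, but the admin UI does not; excluding `/admin` from the public router and serving it from a second router limited to the internal entrypoint and wrapped in Authelia keeps the external surface to the DAV paths. That Baikal ships no brute-force protection of its own is inferred from the application, not from the hunk — verify against the deployed version.

```yaml
      - "traefik.http.routers.baikal.rule=Host(`baikal.bxl.bhasher.com`) && !PathPrefix(`/admin`)"
      # … unchanged: existing baikal router/service labels …
      - "traefik.http.routers.baikal-admin.rule=Host(`baikal.bxl.bhasher.com`) && PathPrefix(`/admin`)"
      - "traefik.http.routers.baikal-admin.entrypoints=internalsecure"
      - "traefik.http.routers.baikal-admin.tls=true"
      - "traefik.http.routers.baikal-admin.tls.certresolver=http"
      - "traefik.http.routers.baikal-admin.middlewares=authelia@docker"
      - "traefik.http.routers.baikal-admin.service=baikal"
```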
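Review bot: `$CONFIG/dashy/config.yml` is mounted read-write at `/app/public/conf.yml`, so the container — and anyone who reaches Dashy's in-browser config editor through the Authelia-protected router — can rewrite the very file this commit tracks in git. If the in-UI editor is not used, mount it read-only: `- $CONFIG/dashy/config.yml:/app/public/conf.yml:ro`. `image: dashy` appears to be an untagged local build (the upstream image lives under a different name), so nothing records which build is deployed; a tag or digest would make the deployment reproducible, and a comment on the line saying where the image is built would help the next reader.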
@@ -0,0 +1,79 @@ +services: +# invoicenginx: +# container_name: invoice_nginx +# image: nginx:latest +# restart: on-failure +# volumes: +# - $CONFIG/invoiceninja/in-vhost.conf:/etc/nginx/conf.d/in-vhost.conf:ro +# - $DATA/invoiceninja/public:/var/www/app/public:ro +# environment: +# - TRUSTED_PROXIES='*' +# depends_on: +# - invoiceninja +# networks: +# - invoice +# - external +# #labels: +# #- "traefik.enable=true" +# #- "traefik.http.routers.invoice.rule=Host(`invoice.bhasher.com`)" +# #- "traefik.http.services.invoice.loadbalancer.server.port=80" +# #- "traefik.http.routers.invoice.tls=true" +# #- "traefik.http.routers.invoice.tls.certresolver=http" +# #- "traefik.http.routers.invoice.entrypoints=internalsecure" +# +# invoiceninja: +# image: invoiceninja/invoiceninja:5 +# container_name: invoice_ninja +# environment: +# - APP_URL=https://invoice.bhasher.com +# - APP_KEY=${INVOICENINJA_APIKEY} +# - REQUIRE_HTTPS=true +# - PHANTOMJS_PDF_GENERATION=false +# - PDF_GENERATOR=snappdf +# - QUEUE_CONNECTION=database +# - DB_HOST=mariadb +# - DB_DATABASE=invoiceninja +# - DB_USERNAME=root +# - DB_PASSWORD=${MARIADB_ROOT} +# - IN_USER_EMAIL=invoice@bhasher.com +# - IN_PASSWORD=${INVOICENINJA_PASSWORD} +# - TRUSTED_PROXIES='*' +# restart: unless-stopped +# volumes: +# - $DATA/invoiceninja/public:/var/www/app/public:rw +# - $DATA/invoiceninja/storage:/var/www/app/storage:rw +# networks: +# - invoice +# - storage + + invoiceplane: + container_name: invoiceplane + image: mhzawadi/invoiceplane:latest + volumes: + - $DATA/invoiceplane/uploads:/var/www/html/uploads + - $DATA/invoiceplane/ipconfig.php:/var/www/html/ipconfig.php + - /etc/localtime:/etc/localtime:ro + environment: + - IP_URL=https://invoice.bhasher.com + #- MYSQL_HOST=mariadb + #- MYSQL_USER=root + #- MYSQL_PASSWORD=${MARIADB_ROOT} + #- MYSQL_DB=InvoicePlane + #- DISABLE_SETUP=false + labels: + - "traefik.enable=true" + - "traefik.http.routers.invoice.rule=Host(`invoice.bhasher.com`)" + - 
"traefik.http.services.invoice.loadbalancer.server.port=80" + - "traefik.http.routers.invoice.tls=true" + - "traefik.http.routers.invoice.tls.certresolver=http" + - "traefik.http.routers.invoice.entrypoints=internalsecure" + networks: + - external + - storage + +networks: + invoice: + external: + external: true + storage: + external: true diff --git a/bxl-shp/apps/docker-compose.matrix.yaml b/bxl-shp/apps/docker-compose.matrix.yaml new file mode 100644 index 0000000..31ac056 --- /dev/null +++ b/bxl-shp/apps/docker-compose.matrix.yaml @@ -0,0 +1,39 @@ +services: + matrix-synapse: + container_name: matrix-synapse + image: matrixdotorg/synapse:latest + restart: unless-stopped + environment: + - SYNAPSE_SERVER_NAME=matrix.bhasher.com + - SYNAPSE_REPORT_STATS=no + volumes: + - $DATA/matrix/synapse:/data:rw + labels: + - "traefik.enable=true" + - "traefik.http.routers.matrix-synapse.rule=Host(`matrix.bhasher.com`)" + - "traefik.http.routers.matrix-synapse.tls=true" + - "traefik.http.routers.matrix-synapse.tls.certresolver=http" + - "traefik.http.routers.matrix-synapse.entrypoints=internalsecure,externalsecure" + - "traefik.http.services.matrix-synapse.loadbalancer.server.port=8008" + networks: + - external + + matrix-riot: + container_name: matrix-element + image: ghcr.io/bubuntux/element-web + restart: unless-stopped + volumes: + - $CONFIG/riot/config.json:/etc/element-web/config.json:ro + labels: + - "traefik.enable=true" + - "traefik.http.routers.matrix-riot.rule=Host(`element.bhasher.com`)" + - "traefik.http.routers.matrix-riot.tls=true" + - "traefik.http.routers.matrix-riot.tls.certresolver=http" + - "traefik.http.routers.matrix-riot.entrypoints=internalsecure,externalsecure" + - "traefik.http.services.matrix-riot.loadbalancer.server.port=80" + networks: + - external + +networks: + external: + external: true diff --git a/bxl-shp/apps/docker-compose.mealie.yaml b/bxl-shp/apps/docker-compose.mealie.yaml new file mode 100644 index 0000000..cefdc1a --- /dev/null 
+++ b/bxl-shp/apps/docker-compose.mealie.yaml @@ -0,0 +1,30 @@ +services: + mealie: + container_name: mealie + image: hkotel/mealie:latest + restart: always + environment: + - PUID=1000 + - PGID=1000 + - TZ=Europe/Paris + - RECIPE_PUBLIC=true + - RECIPE_SHOW_NUTRITION=true + - RECIPE_SHOW_ASSETS=true + - RECIPE_LANDSCAPE_VIEW=true + - RECIPE_DISABLE_COMMENTS=true + - RECIPE_DISABLE_AMOUNT=false + labels: + - "traefik.enable=true" + - "traefik.http.routers.mealie.rule=Host(`mealie.bhasher.com`)" + - "traefik.http.services.mealie.loadbalancer.server.port=80" + - "traefik.http.routers.mealie.tls=true" + - "traefik.http.routers.mealie.tls.certresolver=http" + - "traefik.http.routers.mealie.entrypoints=internalsecure,externalsecure" + volumes: + - $DATA/mealie/:/app/data + networks: + - external + +networks: + external: + external: true diff --git a/bxl-shp/apps/docker-compose.mediaserver.yaml b/bxl-shp/apps/docker-compose.mediaserver.yaml new file mode 100644 index 0000000..693c560 --- /dev/null +++ b/bxl-shp/apps/docker-compose.mediaserver.yaml 
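Review bot: Mealie is reachable on `externalsecure` with no `authelia@docker` middleware, and the hunk sets no initial admin credentials, so until someone logs in and changes them the instance is reachable with the image's documented first-run admin account (that default comes from Mealie's docs, not this hunk — confirm for the tag in use). `RECIPE_PUBLIC=true` additionally makes every recipe readable without login, which may well be intended but deserves a comment. Either set the admin credentials from the environment at deploy time, or put the router behind Authelia like the other internal apps: `- "traefik.http.routers.mealie.middlewares=authelia@docker"`.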
@@ -0,0 +1,211 @@ +services: + jellyfin: + container_name: jellyfin + image: linuxserver/jellyfin:latest + volumes: + - $DATA/mediaserver/jellyfin:/config + - /mnt/movies/series:/data/tvshows + - /mnt/movies/movies:/data/movies + - /mnt/movies/musics:/data/musics + environment: + - PUID=1000 + - PGID=1000 + - TZ=Europe/Paris + restart: unless-stopped + labels: + - "traefik.enable=true" + - "traefik.http.routers.jellyfin.rule=Host(`jellyfin.bhasher.com`)" + - "traefik.http.routers.jellyfin.entrypoints=internalsecure,externalsecure" + - "traefik.http.services.jellyfin.loadbalancer.server.port=8096" + - "traefik.http.routers.jellyfin.tls=true" + - "traefik.http.routers.jellyfin.tls.certresolver=http" + networks: + - auth + - external + + radarr: + container_name: radarr + image: lscr.io/linuxserver/radarr:latest + environment: + - TZ=Europe/Paris + - PUID=1000 + - PGID=1000 + volumes: + - $DATA/mediaserver/radarr:/config + - /mnt/movies/movies:/movies + - /mnt/movies/tmp:/downloads + restart: unless-stopped + labels: + - "traefik.enable=true" + - "traefik.http.routers.radarr.rule=Host(`radarr.bhasher.com`)" + - "traefik.http.services.radarr.loadbalancer.server.port=7878" + - "traefik.http.routers.radarr.tls=true" + - "traefik.http.routers.radarr.tls.certresolver=http" + - "traefik.http.routers.radarr.entrypoints=internalsecure" + - "traefik.http.routers.radarr.middlewares=authelia@docker" + networks: + - mediaserver + - external + + sonarr: + container_name: sonarr + image: lscr.io/linuxserver/sonarr:latest + environment: + - PUID=1000 + - PGID=1000 + - TZ=Europe/Paris + volumes: + - $DATA/mediaserver/sonarr:/config + - /mnt/movies/series:/tv + - /mnt/movies/tmp:/downloads + restart: unless-stopped + labels: + - "traefik.enable=true" + - "traefik.http.routers.sonarr.rule=Host(`sonarr.bhasher.com`)" + - "traefik.http.services.sonarr.loadbalancer.server.port=8989" + - "traefik.http.routers.sonarr.tls=true" + - "traefik.http.routers.sonarr.tls.certresolver=http" + - 
"traefik.http.routers.sonarr.entrypoints=internalsecure" + - "traefik.http.routers.sonarr.middlewares=authelia@docker" + networks: + - mediaserver + - external + + lidarr: + container_name: lidarr + image: lscr.io/linuxserver/lidarr:latest + environment: + - PUID=1000 + - PGID=1000 + - TZ=Europe/Paris + volumes: + - $DATA/mediaserver/lidarr:/config + - /mnt/movies/musics:/music + - /mnt/movies/tmp:/downloads + restart: unless-stopped + labels: + - "traefik.enable=true" + - "traefik.http.routers.lidarr.rule=Host(`lidarr.bhasher.com`)" + - "traefik.http.services.lidarr.loadbalancer.server.port=8686" + - "traefik.http.routers.lidarr.tls=true" + - "traefik.http.routers.lidarr.tls.certresolver=http" + - "traefik.http.routers.lidarr.entrypoints=internalsecure" + - "traefik.http.routers.lidarr.middlewares=authelia@docker" + networks: + - mediaserver + - external + + transmission: + container_name: transmission + image: lscr.io/linuxserver/transmission:latest + environment: + - PUID=1000 + - PGID=1000 + - TZ=Europe/Paris + volumes: + - $DATA/mediaserver/transmission:/config + - /mnt/movies/tmp:/downloads + - /mnt/movies/torrents:/watch + ports: + - 51413:51413/tcp + - 51413:51413/udp + restart: unless-stopped + labels: + - "traefik.enable=true" + - "traefik.http.routers.transmission.rule=Host(`transmission.bhasher.com`)" + - "traefik.http.services.transmission.loadbalancer.server.port=9091" + - "traefik.http.routers.transmission.tls=true" + - "traefik.http.routers.transmission.tls.certresolver=http" + - "traefik.http.routers.transmission.entrypoints=internalsecure" + - "traefik.http.routers.transmission.middlewares=authelia@docker" + networks: + - mediaserver + - external + +# jackett: +# container_name: jackett +# image: lscr.io/linuxserver/jackett:latest +# environment: +# - PUID=1000 +# - PGID=1000 +# - TZ=Europe/Paris +# - AUTO_UPDATE=true +# volumes: +# - $DATA/mediaserver/jackett:/config +# - /mnt/movies/torrents:/downloads +# restart: unless-stopped +# labels: +# - 
"traefik.enable=true" +# - "traefik.http.routers.jackett.rule=Host(`jackett.bhasher.com`)" +# - "traefik.http.services.jackett.loadbalancer.server.port=9117" +# - "traefik.http.routers.jackett.tls=true" +# - "traefik.http.routers.jackett.tls.certresolver=http" +# - "traefik.http.routers.jackett.entrypoints=internalsecure" +# - "traefik.http.routers.jackett.middlewares=authelia@docker" +# networks: +# - mediaserver +# - external + + prowlarr: + container_name: prowlarr + image: lscr.io/linuxserver/prowlarr:latest + environment: + - PUID=1000 + - PGID=1000 + - TZ=Europe/Paris + volumes: + - $DATA/mediaserver/prowlarr:/config + restart: unless-stopped + labels: + - "traefik.enable=true" + - "traefik.http.routers.prowlarr.rule=Host(`prowlarr.bhasher.com`)" + - "traefik.http.services.prowlarr.loadbalancer.server.port=9696" + - "traefik.http.routers.prowlarr.tls=true" + - "traefik.http.routers.prowlarr.tls.certresolver=http" + - "traefik.http.routers.prowlarr.entrypoints=internalsecure" + - "traefik.http.routers.prowlarr.middlewares=authelia@docker" + networks: + - mediaserver + - external + + flaresolverr: + container_name: flaresolverr + image: ghcr.io/flaresolverr/flaresolverr:latest + environment: + - LOG_LEVEL=info + - LOG_HTML=false + - CAPTCHA_SOLVER=none + - TZ=Europe/Paris + restart: unless-stopped + networks: + - mediaserver + + bazarr: + container_name: bazarr + image: lscr.io/linuxserver/bazarr + environment: + - TZ=Europe/Paris + - PUID=1000 + - PGID=1000 + volumes: + - $DATA/mediaserver/bazarr:/config + - /mnt/movies/movies:/movies + - /mnt/movies/series:/tv + restart: unless-stopped + labels: + - "traefik.enable=true" + - "traefik.http.routers.bazarr.rule=Host(`bazarr.bhasher.com`)" + - "traefik.http.services.bazarr.loadbalancer.server.port=6767" + - "traefik.http.routers.bazarr.tls=true" + - "traefik.http.routers.bazarr.tls.certresolver=http" + - "traefik.http.routers.bazarr.entrypoints=internalsecure" + - 
"traefik.http.routers.bazarr.middlewares=authelia@docker" + networks: + - mediaserver + - external + +networks: + mediaserver: + external: + external: true + diff --git a/bxl-shp/apps/docker-compose.pihole.yaml b/bxl-shp/apps/docker-compose.pihole.yaml new file mode 100644 index 0000000..9b8596a --- /dev/null +++ b/bxl-shp/apps/docker-compose.pihole.yaml @@ -0,0 +1,38 @@ +services: + pihole: + container_name: pihole + image: cbcrowe/pihole-unbound:latest + ports: + - 53:53/tcp + - 53:53/udp + environment: + - TZ=Europe/Paris + - WEBPASSWORD= + - WEBTHEME=default-dark + - REV_SERVER=false + - PIHOLE_DNS_=127.0.0.1#5335 + - DNSSEC=true + - DNSMASQ_LISTENING=all + - FTLCONF_LOCAL_IPV4=192.168.1.220 + - FTLCONF_RATE_LIMIT=0/0 + - FTL_CMD=debug + - DNSMASQ_USER=root + volumes: + - $DATA/pihole/config:/etc/pihole + - $DATA/pihole/dnsmasq.d:/etc/dnsmasq.d + restart: unless-stopped + labels: + - "traefik.enable=true" + - "traefik.http.routers.pihole.rule=Host(`pihole.bhasher.com`)" + - "traefik.http.routers.pihole.entrypoints=internalsecure" + - "traefik.http.services.pihole.loadbalancer.server.port=80" + - "traefik.http.routers.pihole.tls=true" + - "traefik.http.routers.pihole.tls.certresolver=http" + - "traefik.http.routers.pihole.middlewares=pihole-strip,authelia@docker" + - "traefik.http.middlewares.pihole-strip.addprefix.prefix=/admin" + networks: + - external + +networks: + external: + external: true diff --git a/bxl-shp/apps/docker-compose.smarthome.yaml b/bxl-shp/apps/docker-compose.smarthome.yaml new file mode 100644 index 0000000..00b8d8f --- /dev/null +++ b/bxl-shp/apps/docker-compose.smarthome.yaml 
@@ -0,0 +1,73 @@ +services: + hass: + container_name: hass + image: ghcr.io/home-assistant/home-assistant:stable + volumes: + - $DATA/hass:/config + - /etc/localtime:/etc/localtime:ro + networks: + - smarthome + - external + restart: on-failure + labels: + - "traefik.enable=true" + - "traefik.http.routers.hass.rule=Host(`hass.bhasher.com`)" + - "traefik.http.routers.hass.entrypoints=internalsecure" + - "traefik.http.services.hass.loadbalancer.server.port=8123" + - "traefik.http.routers.hass.tls=true" + - "traefik.http.routers.hass.tls.certresolver=http" + + mosquitto: + container_name: mosquitto + image: eclipse-mosquitto:latest + volumes: + - $CONFIG/smarthome/mosquitto.conf:/mosquitto/config/mosquitto.conf:ro + - $DATA/mosquitto/data:/mosquitto/data + - $DATA/mosquitto/passwordfile:/mosquitto/passwordfile + - /etc/localtime:/etc/localtime:ro + ports: + - 1883:1883 + - 9001:9001 + networks: + - smarthome + - external + restart: on-failure + + zigbee2mqtt: + container_name: zigbee2mqtt + restart: unless-stopped + image: koenkk/zigbee2mqtt:latest + volumes: + - $DATA/zigbee2mqtt:/app/data + - /run/udev:/run/udev:ro + - /etc/localtime:/etc/localtime:ro + devices: + - /dev/ttyACM0:/dev/ttyACM0 + networks: + - smarthome + + nodered: + container_name: nodered + restart: on-failure + image: nodered/node-red:latest + volumes: + - $DATA/nodered:/data + - /etc/localtime:/etc/localtime:ro + networks: + - smarthome + - external + labels: + - "traefik.enable=true" + - "traefik.http.routers.nodered.rule=Host(`nodered.bhasher.com`)" + - "traefik.http.routers.nodered.entrypoints=internalsecure" + - "traefik.http.services.nodered.loadbalancer.server.port=1880" + - "traefik.http.routers.nodered.tls=true" + - "traefik.http.routers.nodered.tls.certresolver=http" + - "traefik.http.routers.nodered.middlewares=authelia@docker" + + +networks: + smarthome: + external: + external: true + 
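Review bot: Mosquitto publishes `1883:1883` and `9001:9001` on all host interfaces while the `mosquitto.conf` in this same commit opens only `listener 1883` with password authentication — so MQTT credentials cross the LAN in clear, and the 9001 mapping has no listener behind it. Bind the broker to the LAN address and drop the dead mapping: `- 192.168.1.220:1883:1883`. The broker is also attached to `external` although it has no Traefik labels; `smarthome` already connects it to hass, zigbee2mqtt and nodered, so removing `- external` from mosquitto keeps it off the network every web app shares. `hass` is the only router here without `authelia@docker`, which is defensible given Home Assistant's built-in login, but a one-line comment stating that would stop the next reader treating it as an omission.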
diff --git a/bxl-shp/apps/docker-compose.syncthing.yaml b/bxl-shp/apps/docker-compose.syncthing.yaml new file mode 100644 index 0000000..9e9d4ce --- /dev/null +++ b/bxl-shp/apps/docker-compose.syncthing.yaml @@ -0,0 +1,31 @@ +services: + syncthing: + container_name: syncthing + image: syncthing/syncthing:latest + hostname: snode0 + environment: + - PUID=33 + - PGID=33 + volumes: + - $DATA/syncthing:/var/syncthing:rw + - /mnt/syncDocuments:/mnt/SyncDocuments:rw + - /mnt/brieuc-pictures:/mnt/pictures:rw + labels: + - "traefik.enable=true" + - "traefik.http.routers.syncthing.rule=Host(`syncthing.bhasher.com`)" + - "traefik.http.routers.syncthing.entrypoints=internalsecure" + - "traefik.http.services.syncthing.loadbalancer.server.port=8384" + - "traefik.http.routers.syncthing.tls=true" + - "traefik.http.routers.syncthing.tls.certresolver=http" + - "traefik.http.routers.syncthing.middlewares=authelia@docker" + ports: + - 22000:22000/tcp # TCP file transfers + - 22000:22000/udp # QUIC file transfers + - 21027:21027/udp # Receive local discovery broadcasts + restart: unless-stopped + networks: + - external + +networks: + external: + external: true diff --git a/bxl-shp/apps/docker-compose.tg2.yaml b/bxl-shp/apps/docker-compose.tg2.yaml new file mode 100644 index 0000000..39f350d --- /dev/null +++ b/bxl-shp/apps/docker-compose.tg2.yaml @@ -0,0 +1,14 @@ +services: + tg2: + container_name: tg2 + image: tg2:latest + restart: on-failure + environment: + - TGTG_EMAIL=tgtg.trash@bhasher.com + - TELEGRAM_TOKEN=${TELEGRAM_TOKEN} + - TELEGRAM_ID=${TELEGRAM_ID} + volumes: + - $DATA/tg2:/data + labels: + - "com.centurylinklabs.watchtower.enable=false" + diff --git a/bxl-shp/apps/docker-compose.wireguard.yaml b/bxl-shp/apps/docker-compose.wireguard.yaml new file mode 100644 index 0000000..7988dec --- /dev/null +++ b/bxl-shp/apps/docker-compose.wireguard.yaml 
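Review bot: The Syncthing GUI on 8384 is gated only by Authelia at the Traefik edge; because the container sits on the shared `external` network, any compromised neighbour reaches `http://syncthing:8384` directly, and Syncthing's own GUI user/password is not enforced by anything in this hunk. Enable the built-in GUI authentication as defense in depth and record the dependency on the router label: `# Authelia is edge-only; Syncthing GUI auth must also be set`. `PUID=33`/`PGID=33` maps to www-data on the host for the `/mnt/syncDocuments` and `/mnt/brieuc-pictures` bind mounts — presumably deliberate, but worth a comment since every other compose file in this commit uses 1000.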
@@ -0,0 +1,23 @@ +services: + wireguard: + container_name: wireguard + image: lscr.io/linuxserver/wireguard:latest + restart: always + volumes: + - $DATA/wireguard:/config + - /lib/modules:/lib/modules + ports: + - 51822:51820/udp + environment: + - TZ=Europe/Paris + - SERVERURL=vpn.bhasher.com + - SERVERPORT=51822 + - PEERS=10 + - PEERDNS=auto + - INTERNAL_SUBNET=10.13.14.0 + - ALLOWEDIPS=0.0.0.0/0 + cap_add: + - NET_ADMIN + - SYS_MODULE + sysctls: + - net.ipv4.conf.all.src_valid_mark=1 diff --git a/bxl-shp/config/borg/borg.service b/bxl-shp/config/borg/borg.service new file mode 100644 index 0000000..0d9d71b --- /dev/null +++ b/bxl-shp/config/borg/borg.service @@ -0,0 +1,14 @@ +[Unit] +Description=Start Borg Backup Container +After=docker.service +ConditionPathExists=/mnt/borg + +[Service] +Type=oneshot +ExecStart=/usr/bin/docker start borg +User=pi +Group=pi +Restart=no + +[Install] +WantedBy=multi-user.target diff --git a/bxl-shp/config/borg/borg.timer b/bxl-shp/config/borg/borg.timer new file mode 100644 index 0000000..17763b3 --- /dev/null +++ b/bxl-shp/config/borg/borg.timer @@ -0,0 +1,9 @@ +[Unit] +Description=Run Borg Backup at 4 a.m. every day + +[Timer] +OnCalendar=*-*-* 04:00:00 +Persistent=true + +[Install] +WantedBy=timers.target diff --git a/bxl-shp/config/dashy/config.yml b/bxl-shp/config/dashy/config.yml new file mode 100644 index 0000000..d7129bd --- /dev/null +++ b/bxl-shp/config/dashy/config.yml 
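Review bot: The container gets `SYS_MODULE` plus a read-write bind of `/lib/modules`, which lets it load arbitrary kernel modules — effectively host root, far beyond what a VPN endpoint needs. On a host kernel with the in-tree `wireguard` module (5.6 and later) drop `SYS_MODULE` and keep `NET_ADMIN` only; if the module really must be loaded from inside the container, at least make the bind read-only: `- /lib/modules:/lib/modules:ro`. `PEERS=10` generates ten client private keys and QR codes into `$DATA/wireguard`, so that directory is key material and should be permissioned and backed up accordingly.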
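Review bot: The unit runs `/usr/bin/docker start borg` as `User=pi`, which only works if `pi` is in the `docker` group — and membership in that group is root-equivalent on the host, so the `User=`/`Group=` lines buy no isolation. Either run the unit as root (its single action is one docker call) or move the backup into its own compose project and have the unit invoke `docker compose` there. `ConditionPathExists=/mnt/borg` silently skips the run when the backup target is not mounted; `RequiresMountsFor=/mnt/borg` fails loudly instead, which is the behaviour you want from a backup job.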
@@ -0,0 +1,227 @@ +pageInfo: + title: Homelab + description: Welcome to bhasher's homelab dashboard! + navLinks: + - title: GitHub + path: https://github.com/BhasherBEL +appConfig: + theme: one-dark + layout: auto + iconSize: small + language: en + statusCheck: true + colCount: 8 +sections: + - name: Public services + icon: fa-server + displayData: + sortBy: most-used + rows: 1 + cols: 3 + collapsed: false + hideForGuests: false + items: + - title: Jellyfin + icon: hl-jellyfin + url: https://jellyfin.bhasher.com + statusCheckUrl: http://jellyfin:8096 + id: 0_1507_jellyfin + - title: Authelia + icon: hl-authelia + url: https://idp.bhasher.com + statusCheckUrl: http://authelia:9091 + id: 1_1507_authelia + - title: Mealie + icon: hl-mealie + url: https://mealie.bhasher.com + statusCheckUrl: http://mealie + id: 2_1507_mealie + - title: Baikal + icon: hl-baikal + url: https://baikal.bxl.bhasher.com + statusCheckUrl: http://baikal + id: 3_1507_baikal + - title: Element web + icon: hl-element + url: https://element.bhasher.com + statusCheckUrl: http://matrix-riot + id: 4_1507_elementweb + - title: Shlink + icon: hl-shlink + url: https://shlink.bhasher.com + statusCheckUrl: https://shlink_ui + id: 5_1507_shlink + - name: Private services + displayData: + sortBy: most-used + rows: 1 + cols: 3 + collapsed: false + hideForGuests: false + items: + - title: Bazarr + icon: hl-bazarr + url: https://bazarr.bhasher.com + statusCheckUrl: http://bazarr:6767 + id: 0_1631_bazarr + - title: Radarr + icon: hl-radarr + url: https://radarr.bhasher.com + statusCheckUrl: http://radarr:7878 + id: 1_1631_radarr + - title: Sonarr + icon: hl-sonarr + url: https://sonarr.bhasher.com + statusCheckUrl: http://sonarr:8989 + id: 2_1631_sonarr + - title: Lidarr + icon: hl-lidarr + url: https://lidarr.bhasher.com + statusCheckUrl: http://lidarr:8686 + id: 3_1631_lidarr + - title: Transmission + icon: hl-transmission + url: https://transmission.bhasher.com + statusCheckUrl: http://transmission:9091 + 
id: 4_1631_transmission + - title: Prowlarr + icon: hl-prowlarr + url: https://prowlarr.bhasher.com + statusCheckUrl: http://prowlarr:9696 + id: 5_1631_prowlarr + - title: Grafana + icon: hl-grafana + url: https://grafana.bhasher.com + statusCheckUrl: http://grafana:3000 + id: 6_1631_grafana + - title: Portainer + icon: hl-portainer + url: https://portainer.bxl.bhasher.com + statusCheckUrl: http://portainer:9000 + id: 7_1631_portainer + - title: InvoiceNinja + icon: hl-invoiceninja + url: https://invoice.bhasher.com + statusCheckUrl: http://invoicenginx + id: 8_1631_invoiceninja + - title: Dashboard + icon: hl-dashy + url: https://hub.bhasher.com + statusCheckUrl: http://dashy + id: 9_1631_dashboard + - title: Syncthing + icon: hl-syncthing + url: https://syncthing.bhasher.com + statusCheckUrl: http://syncthing:8384 + id: 10_1631_syncthing + - title: Portainer (VPS) + icon: hl-portainer + url: https://portainer.vps.bhasher.com + id: 11_1631_portainervps + - title: Portainer (LLN) + icon: hl-portainer + url: https://portainer.lln.bhasher.com + id: 12_1631_portainerlln + - title: Home assistant + icon: hl-home-assistant + url: https://hass.bhasher.com + statusCheckUrl: http://hass:8123 + id: 13_1631_homeassistant + - title: Node-red + icon: hl-node-red + url: https://nodered.bhasher.com + statusCheckUrl: http://nodered:1880 + id: 14_1631_nodered + - title: Planka + icon: hl-planka + url: https://planka.bhasher.com + statusCheckUrl: http://planka:1337 + id: 15_1631_planka + - name: System services + displayData: + sortBy: most-used + rows: 1 + cols: 2 + collapsed: false + hideForGuests: false + items: + - title: Prometeus + icon: hl-prometheus + url: https://prometheus.bhasher.com + statusCheckUrl: http://prometheus:9090 + id: 0_1545_prometeus + - title: Traefik + icon: hl-traefik + url: https://traefik.bhasher.com + statusCheckUrl: http://traefik:8080 + id: 1_1545_traefik + - title: User manager + icon: hl-phpldapadmin + url: https://lum.bhasher.com + statusCheckUrl: 
http://ldapusermanager + id: 2_1545_usermanager + - title: Mikrotik router + icon: hl-mikrotik + url: http://192.168.1.1:8080/ + id: 3_1545_mikrotikrouter + - name: Real life survey + widgets: + - type: clock + options: + timezone: Europe/Brussels + format: fr-FR + hideDate: false + id: 0_1554_clock + - type: public-holidays + options: + country: BE + holidayType: all + monthsToShow: 4 + lang: fr + id: 1_1554_publicholidays + displayData: + sortBy: default + rows: 1 + cols: 2 + collapsed: false + hideForGuests: false + - name: Online survey + displayData: + sortBy: default + rows: 1 + cols: 2 + collapsed: false + hideForGuests: false + widgets: + - type: public-ip + id: 0_1331_publicip + - type: github-profile-stats + options: + username: BhasherBEL + hideLanguagesCard: true + id: 1_1331_githubprofilestats + - type: crypto-watch-list + options: + currency: USD + sortBy: marketCap + assets: + - bitcoin + - ethereum + id: 2_1331_cryptowatchlist + - name: Random + widgets: + - type: joke + options: + language: en + category: all + id: 0_609_joke + - type: xkcd-comic + options: + comic: random + id: 1_609_xkcdcomic + displayData: + sortBy: default + rows: 1 + cols: 4 + collapsed: false + hideForGuests: false diff --git a/bxl-shp/config/idp/authelia.configuration.yaml b/bxl-shp/config/idp/authelia.configuration.yaml new file mode 100644 index 0000000..20374b4 --- /dev/null +++ b/bxl-shp/config/idp/authelia.configuration.yaml 
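Review bot: Two status-check targets point at things that do not exist in this commit: `statusCheckUrl: http://invoicenginx` names the `invoicenginx` container that is commented out in `docker-compose.invoice.yaml` (the active service is `invoiceplane`), and `https://shlink_ui` uses HTTPS against a bare container name, which will most likely fail certificate validation. Correct them (`http://invoiceplane` and the Shlink UI's real scheme and port) or drop the checks so the dashboard does not show permanent false outages. These checks are executed by the Dashy container, so the full list of internal container names and ports is exposed to whoever can reach its status endpoint — acceptable behind Authelia, but worth knowing.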
@@ -0,0 +1,167 @@ +default_redirection_url: https://hub.bhasher.com +theme: dark + +server: + host: 0.0.0.0 + port: 9091 + +log: + level: info + +totp: + disable: false + issuer: idp.bhasher.com + algorithm: sha256 + digits: 6 + period: 30 + skew: 1 + secret_size: 32 + +ntp: + disable_startup_check: true + +authentication_backend: + password_reset: + disable: false + refresh_interval: 5m + ldap: + user: cn=readonly,dc=bhasher,dc=com + implementation: custom + url: ldap://openldap + timeout: 5s + start_tls: false + base_dn: DC=bhasher,DC=com + username_attribute: uid + additional_users_dn: ou=users + users_filter: (&({username_attribute}={input})(objectClass=inetOrgPerson)) + additional_groups_dn: ou=groups + groups_filter: (&(uniqueMember={dn})(objectClass=groupOfUniqueNames)) + group_name_attribute: cn + mail_attribute: mail + display_name_attribute: cn + permit_referrals: false + +access_control: + default_policy: deny + rules: + - domain: 'radarr.bhasher.com' + policy: one_factor + subject: + - "group:mediaserver" + - domain: 'sonarr.bhasher.com' + policy: one_factor + subject: + - "group:mediaserver" + - domain: 'jellyfin.bhasher.com' + policy: one_factor + subject: + - "group:mediaserver" + - domain: 'lum.bhasher.com' + policy: two_factor + subject: + - "group:admin" + - domain: '*.bhasher.com' + policy: one_factor + subject: + - "group:admin" + +session: + name: auth_session + domain: bhasher.com + same_site: lax + expiration: 1d + inactivity: 3h + remember_me_duration: 1w + redis: + host: redis + port: 6379 + +regulation: + max_retries: 3 + find_time: 1m + ban_time: 5m + +storage: + # local: + # path: /data/db.sqlite3 + postgres: + host: postgres + port: 5432 + database: authelia + schema: public + username: postgres + +notifier: + smtp: + host: bdubois.io + port: 587 + sender: no-reply@bhasher.com + +password_policy: + standard: + enabled: true + min_length: 8 + max_length: 0 + require_uppercase: false + require_lowercase: false + require_number: false + 
require_special: false + +telemetry: + metrics: + enabled: true + address: "tcp://0.0.0.0:9959" + buffers: + read: 4096 + write: 4096 + timeouts: + read: 6s + write: 6s + idle: 30s + + +identity_providers: + oidc: + enforce_pkce: public_clients_only + clients: + - id: grafana + description: Grafana + secret: '$argon2id$v=19$m=65536,t=3,p=4$dQfNyInvlh1Lgw3JXi7G6A$M/WaNpHJkAyaQcXIMsOTl0+gBWGPPVBoCm7NpEQfTpI' + public: false + authorization_policy: one_factor + redirect_uris: + - https://grafana.bhasher.com/login/generic_oauth + consent_mode: implicit + scopes: + - openid + - profile + - groups + - email + userinfo_signing_algorithm: none + - id: matrix_synapse + description: Matrix Synapse + secret: '$argon2id$v=19$m=65536,t=3,p=4$Z+6HONrjDp54s+MhXuq1cA$bjc5tMGD3gR6AaBYIDx3S2mz/UfPv6a0n1Vf3q2Ifik' + public: false + authorization_policy: one_factor + redirect_uris: + - https://matrix.bhasher.com/_synapse/client/oidc/callback + consent_mode: implicit + scopes: + - openid + - profile + - email + userinfo_signing_algorithm: none + - id: portainer + description: Portainer + secret: '$argon2id$v=19$m=65536,t=3,p=4$7bqhx/sMH6Hes4ggVwpEPg$uue9QyGkROpAihkGpbDV6YjKCJlZVXj1JBkJfyLj2MI' + public: false + authorization_policy: two_factor + redirect_uris: + - https://portainer.bxl.bhasher.com + consent_mode: implicit + scopes: + - openid + - profile + - groups + - email + userinfo_signing_algorithm: none diff --git a/bxl-shp/config/invoiceninja/in-vhost.conf b/bxl-shp/config/invoiceninja/in-vhost.conf new file mode 100644 index 0000000..cce2ea7 --- /dev/null +++ b/bxl-shp/config/invoiceninja/in-vhost.conf 
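Review bot: `ntp.disable_startup_check: true` removes Authelia's only guard against a skewed host clock, and with `totp.skew: 1` a drifting clock turns silently into rejected codes or stale-but-accepted ones — prefer leaving the check on and pointing it at a reachable NTP server. The `jellyfin.bhasher.com` rule is dead: the jellyfin router in `docker-compose.mediaserver.yaml` carries no `authelia@docker` middleware, so Authelia never sees those requests and the rule suggests coverage that does not exist; either add the middleware or remove the rule. The backend is `ldap://openldap` with `start_tls: false`, so every user's password crosses the Docker network unencrypted — tolerable only if that network holds nothing but Authelia and OpenLDAP, which the `auth` network attachment on jellyfin suggests is not the case.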
@@ -0,0 +1,28 @@ +server { + listen 80 default_server; + server_name _; + + client_max_body_size 100M; + + root /var/www/app/public/; + index index.php; + + location / { + try_files $uri $uri/ /index.php?$query_string; + } + + location = /favicon.ico { access_log off; log_not_found off; } + location = /robots.txt { access_log off; log_not_found off; } + + location ~ \.php$ { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass invoiceninja:9000; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_intercept_errors off; + fastcgi_buffer_size 16k; + fastcgi_buffers 4 16k; + } +} + diff --git a/bxl-shp/config/monitoring/mikrotik.yaml b/bxl-shp/config/monitoring/mikrotik.yaml new file mode 100644 index 0000000..faa77fc --- /dev/null +++ b/bxl-shp/config/monitoring/mikrotik.yaml @@ -0,0 +1,42 @@ +devices: + - name: router + address: 192.168.1.1 + username: prometheus + password: ck1Jm25pcgW4IbnrHa3VCkxVR5H19fbO + features: + bgp: true # + dhcp: true + dhcpv6: true # + dhcpl: true + dhcp_leases: true + routes: true # + pools: true # + optics: true # + wlansta: true + wlanif: true + ipsec: true # + ipsec-peers: true # + monitor: true + health: true + conntrack: true + pool: true # + resource: true + +features: + bgp: true # + dhcp: true + dhcpv6: true # + dhcpl: true + dhcp_leases: true + routes: true # + pools: true # + optics: true # + wlansta: true + wlanif: true + ipsec: true # + ipsec-peers: true # + monitor: true + health: true + conntrack: true + pool: true # + resource: true diff --git a/bxl-shp/config/monitoring/prometheus.yaml b/bxl-shp/config/monitoring/prometheus.yaml new file mode 100644 index 0000000..5d97955 --- /dev/null +++ b/bxl-shp/config/monitoring/prometheus.yaml 
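Review bot: The `location ~ \.php$` block hands every URI ending in `.php` to `fastcgi_pass invoiceninja:9000` without first checking that the script exists on disk, so non-existent paths are resolved by PHP-FPM rather than answered by nginx; the standard guard is `try_files $uri =404;` as the first line of that location, which is also the usual mitigation for the path-info mismatch when PHP-FPM runs with `cgi.fix_pathinfo=1`. `listen 80 default_server` with `server_name _` is fine behind Traefik but deserves a comment that TLS terminates upstream, e.g. `# plain HTTP only: TLS is terminated by Traefik in front of this container`.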
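Review bot: `devices[0].password` is a literal router credential committed to the repository, while every other file in this commit passes secrets through `${...}` from `.env`; that value should be treated as exposed and rotated on the router, and the file should reference an environment variable instead (e.g. `password: ${MIKROTIK_PASSWORD}`, name chosen here) if the exporter expands them, or be moved out of the repo and mounted from `$DATA` if it does not — the hunk does not show which applies. The top-level `features:` block repeats the per-device one verbatim; unless the exporter requires both, keep one and note which takes precedence. The trailing `#` markers with nothing after them on `bgp: true`, `dhcpv6: true`, `routes: true` and the others are leftovers and should be removed or completed.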
@@ -0,0 +1,40 @@ +global: + scrape_interval: 60s # By default, scrape targets every 15 seconds. + + # Attach these labels to any time series or alerts when communicating with + # external systems (federation, remote storage, Alertmanager). + external_labels: + monitor: 'monitor' + +# A scrape configuration containing exactly one endpoint to scrape: +# Here it's Prometheus itself. +scrape_configs: + # The job name is added as a label `job=` to any timeseries scraped from this config. + - job_name: 'prometheus' + static_configs: + - targets: ['localhost:9090'] + + - job_name: "Docker Job" + static_configs: + - targets: ["host.docker.internal:9323"] + + - job_name: 'cadvisor' + static_configs: + - targets: ['cadvisor:8080'] + + - job_name: 'node-exporter' + static_configs: + - targets: ['node-exporter:9100'] + + - job_name: 'treafik' + static_configs: + - targets: ['traefik:8080'] + + - job_name: 'authelia' + static_configs: + - targets: ['authelia:9959'] + + - job_name: 'mikrotik' + static_configs: + - targets: ['mikrotik:9436'] + diff --git a/bxl-shp/config/riot/config.json b/bxl-shp/config/riot/config.json new file mode 100644 index 0000000..2b97e4e --- /dev/null +++ b/bxl-shp/config/riot/config.json @@ -0,0 +1,7 @@ +{ + "default_server_config": { + "m.homeserver": { + "base_url": "https://matrix.bhasher.com" + } + } +} diff --git a/bxl-shp/config/smarthome/mosquitto.conf b/bxl-shp/config/smarthome/mosquitto.conf new file mode 100644 index 0000000..8a39f82 --- /dev/null +++ b/bxl-shp/config/smarthome/mosquitto.conf @@ -0,0 +1,3 @@ +listener 1883 +allow_anonymous false +password_file /mosquitto/passwordfile diff --git a/bxl-shp/deploy.sh b/bxl-shp/deploy.sh new file mode 100755 index 0000000..b75a94e --- /dev/null +++ b/bxl-shp/deploy.sh 
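Review bot: `job_name: 'treafik'` is misspelled; the name becomes the `job` label on every series scraped from Traefik, so dashboards and alerts matching `job="traefik"` will silently miss it, and the line should read `- job_name: 'traefik'`. The inline comment on `scrape_interval: 60s` still says "scrape targets every 15 seconds", which contradicts the value; change it to `# Scrape every 60s (Prometheus' own default is 15s)`.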
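Review bot: `listener 1883` opens a cleartext MQTT listener with password authentication (`allow_anonymous false`, `password_file`), so client credentials reach the broker unencrypted; that is acceptable only while the port stays on the compose network and is not published on the host, which this hunk cannot show. A comment stating that assumption, e.g. `# cleartext MQTT: must not be published outside the compose network`, keeps a later edit from exposing it.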
@@ -0,0 +1,5 @@ +cd ~/homelab/bxl-shp +cmd=$(find . -type f \( -name "docker-compose.*.yaml" \) | awk '{printf "-f %s \0", $0}' | xargs -0 -I{} echo "docker compose {} --env-file .env up -d") +echo $cmd +eval $cmd +# -name "docker-compose.yaml" -o diff --git a/bxl-shp/system/docker-compose.auth.yaml b/bxl-shp/system/docker-compose.auth.yaml new file mode 100644 index 0000000..9a0c33a --- /dev/null +++ b/bxl-shp/system/docker-compose.auth.yaml 
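Review bot: The script has no shebang and no error handling although it is committed as mode 100755: `cd ~/homelab/bxl-shp` is unchecked, so if the directory is missing the `find`/`eval` run against whatever directory the caller was in, and the `find | awk | xargs echo | eval` pipeline round-trips file names through a shell string that breaks on any path containing whitespace and then re-parses the whole command with `eval`. Collecting the `-f` arguments in an array and invoking `docker compose` directly removes both the string round-trip and the `eval`. `find` output order is not deterministic, and the order of `-f` files decides which compose definition wins on overlap, so the list should be sorted. The trailing commented `-name "docker-compose.yaml" -o` fragment should either be restored into the `find` expression or dropped.
```shell
#!/usr/bin/env bash
set -euo pipefail

cd ~/homelab/bxl-shp

# collect every docker-compose.*.yaml as a "-f FILE" pair; -print0 keeps odd paths intact
files=()
while IFS= read -r -d '' f; do
  files+=(-f "$f")
done < <(find . -type f -name "docker-compose.*.yaml" -print0 | sort -z)

echo "docker compose ${files[*]} --env-file .env up -d"
docker compose "${files[@]}" --env-file .env up -d
```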
@@ -0,0 +1,99 @@ +services: + openldap: + container_name: openldap + image: osixia/openldap:1.5.0 + restart: unless-stopped + environment: + - LDAP_ADMIN_USERNAME=admin + - LDAP_ADMIN_PASSWORD=${LDAP_ADMIN_PASSWORD} + - LDAP_READONLY_USER=true + - LDAP_READONLY_USER_USERNAME=readonly + - LDAP_READONLY_USER_PASSWORD=${LDAP_READONLY_PASSWORD} + - LDAP_DOMAIN=bhasher.com + - LDAP_ORGANISATION=Bhasher + - LDAP_RFC2307BIS_SCHEMA=true + - LDAP_TLS=false + volumes: + - $DATA/openldap/ldap:/var/lib/ldap + - $DATA/openldap/slapd.d:/etc/ldap/slapd.d + networks: + - auth + + ldapusermanager: + container_name: ldapusermanager + image: wheelybird/ldap-user-manager:latest + restart: unless-stopped + environment: + - LDAP_URI=ldap://openldap + - LDAP_BASE_DN=dc=bhasher,dc=com + - LDAP_ADMIN_BIND_DN=cn=admin,dc=bhasher,dc=com + - LDAP_ADMINS_GROUP=admin + - SERVER_HOSTNAME=lum.bhasher.com + - NO_HTTPS=true + - ORGANISATION_NAME=Bhasher + - LDAP_REQUIRE_STARTTLS=false + - FORCE_RFC2307BIS=true + - SHOW_POSIX_ATTRIBUTES=false + - LDAP_ADMIN_BIND_PWD=${LDAP_ADMIN_PASSWORD} + - LDAP_USER_OU=users + - LDAP_GROUP_OU=groups + - LDAP_ACCOUNT_ATTRIBUTE=uid + - LDAP_GROUP_ATTRIBUTE=cn + - USERNAME_FORMAT={first_name}.{last_name} + - ENFORCE_SAFE_SYSTEM_NAMES=false + - PASSWORD_HASH=SHA512CRYPT + - ACCEPT_WEAK_PASSWORDS=false + - LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES=jpegPhoto^:Profile picture,sshpubkey^+:SSH public key + #- REMOTE_HTTP_HEADERS_LOGIN=true + labels: + - "traefik.enable=true" + - "traefik.http.routers.lum.rule=Host(`lum.bhasher.com`)" + - "traefik.http.routers.lum.entrypoints=internalsecure" + - "traefik.http.services.lum.loadbalancer.server.port=80" + - "traefik.http.routers.lum.tls=true" + - "traefik.http.routers.lum.tls.certresolver=http" + #- "traefik.http.routers.lum.middlewares=authelia@docker" + networks: + - auth + - external + + authelia: + container_name: authelia + image: authelia/authelia:latest + restart: unless-stopped + environment: + - TZ=Europe/Paris + - 
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD=${LDAP_READONLY_PASSWORD} + - AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET} + - AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET} + - AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_ENCRYPTION_KEY} + - AUTHELIA_STORAGE_POSTGRES_PASSWORD=${POSTGRES_PASSWORD} + - AUTHELIA_NOTIFIER_SMTP_PASSWORD=${SMTP_PASSWORD} + - AUTHELIA_NOTIFIER_SMTP_USERNAME=${SMTP_USER} + - AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE=/secrets/oidc_certificate.pem + - AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET=${AUTHELIA_OIDC_HMAC} + labels: + - "traefik.enable=true" + - "traefik.http.routers.authelia.rule=Host(`idp.bhasher.com`)" + - "traefik.http.routers.authelia.entrypoints=internalsecure,externalsecure" + - "traefik.http.services.authelia.loadbalancer.server.port=9091" + - "traefik.http.routers.authelia.tls=true" + - "traefik.http.routers.authelia.tls.certresolver=http" + - 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https%3A%2F%2Fidp.bhasher.com%2F' + - 'traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true' + - 'traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' + volumes: + - $CONFIG/idp/authelia.configuration.yaml:/config/configuration.yml:ro + - $DATA/authelia:/secrets:ro + networks: + - auth + - storage + - external + +networks: + auth: + name: auth + external: + external: true + storage: + external: true diff --git a/bxl-shp/system/docker-compose.backup.yaml b/bxl-shp/system/docker-compose.backup.yaml new file mode 100644 index 0000000..693c3ff --- /dev/null +++ b/bxl-shp/system/docker-compose.backup.yaml 
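Review bot: The Traefik router for `lum.bhasher.com` has its `authelia@docker` middleware commented out, so the `two_factor` rule that the Authelia configuration in this same commit declares for `lum.bhasher.com` never takes effect, and the LDAP user manager — which is given `LDAP_ADMIN_BIND_PWD` — is reachable on `internalsecure` with only its own login form; if that is intentional, say so in a comment next to the disabled line, otherwise re-enable `- "traefik.http.routers.lum.middlewares=authelia@docker"`. `authelia/authelia:latest` and `wheelybird/ldap-user-manager:latest` are unpinned for the identity provider and its admin tool, unlike `osixia/openldap:1.5.0` in the same hunk; pinning them the same way keeps an image pull from changing authentication behaviour silently. The `authelia` service also joins `external`, which is presumably what lets Prometheus reach `authelia:9959`; a one-line comment on that network entry would explain why an IdP is on the shared network.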
@@ -0,0 +1,19 @@ +services: + borg: + container_name: borg + image: pschiffe/borg + volumes: + - /mnt/borg:/borg/repo + - $DATA/borg/config:/root + - $DATA:/borg/data/docker-data:ro + - /etc/localtime:/etc/localtime:ro + environment: + - BORG_REPO=/borg/repo + - BORG_PASSPHRASE=${BORG_PASSPHRASE} + - BACKUP_DIRS=/borg/data + - COMPRESSION=lz4 + - PRUNE=1 + restart: "no" + profiles: + - dnr + diff --git a/bxl-shp/system/docker-compose.monitoring.yaml b/bxl-shp/system/docker-compose.monitoring.yaml new file mode 100644 index 0000000..7fa6951 --- /dev/null +++ b/bxl-shp/system/docker-compose.monitoring.yaml 
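Review bot: `$DATA:/borg/data/docker-data:ro` backs up the live data directories of `postgres` and `mariadb` (mounted from `$DATA/postgres` and `$DATA/mariadb` in docker-compose.storage.yaml of this commit) by copying files while the databases run, which can capture an inconsistent state that does not restore cleanly; take a logical dump into `$DATA` before the borg run, or stop those services for its duration. `image: pschiffe/borg` is unpinned and `PRUNE=1` is set with no visible retention settings, so the pruning policy depends on the image's defaults; a comment stating the intended retention (or the explicit keep settings, if the image supports them) would make the backup contract reviewable. The `dnr` profile keeps the service out of the default `up`, presumably so the borg.timer unit in this commit drives it — worth a one-line comment on `profiles:`.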
@@ -0,0 +1,134 @@ +services: + prometheus: + container_name: prometheus + image: prom/prometheus:latest + restart: unless-stopped + user: root + labels: + - "traefik.enable=true" + - "traefik.http.routers.prom.rule=Host(`prometheus.bhasher.com`)" + - "traefik.http.routers.prom.entrypoints=internalsecure" + - "traefik.http.services.prom.loadbalancer.server.port=9090" + - "traefik.http.routers.prom.tls=true" + - "traefik.http.routers.prom.tls.certresolver=http" + - "traefik.http.routers.prom.middlewares=authelia@docker" + extra_hosts: + - "host.docker.internal:host-gateway" + volumes: + - $CONFIG/monitoring/prometheus.yaml:/etc/prometheus/prometheus.yml:ro + - $DATA/monitoring/prometheus:/prometheus + - /etc/localtime:/etc/localtime:ro + networks: + - monitoring + - external + + grafana: + container_name: grafana + image: grafana/grafana + restart: unless-stopped + labels: + - "traefik.enable=true" + - "traefik.http.routers.grafana.rule=Host(`grafana.bhasher.com`)" + - "traefik.http.routers.grafana.entrypoints=internalsecure" + - "traefik.http.services.grafana.loadbalancer.server.port=3000" + - "traefik.http.routers.grafana.tls=true" + - "traefik.http.routers.grafana.tls.certresolver=http" + environment: + - GF_SERVER_ROOT_URL=https://grafana.bhasher.com + - GF_SMTP_ENABLED=true + - GF_SMTP_HOST=bdubois.io:465 + - GF_SMTP_USER=${SMTP_USER} + - GF_SMTP_PASSWORD=${SMTP_PASSWORD} + - GF_SMTP_FROM_ADDRESS=grafana@bhasher.com + - GF_AUTH_LOGIN_DISABLE_LOGIN_FORM=true + - GF_AUTH_DISABLE_SIGNOUT_MENU=true + - GF_AUTH_OAUTH_AUTO_LOGIN=true + - GF_AUTH_GENERIC_OAUTH_ENABLED=true + - GF_AUTH_GENERIC_OAUTH_ICON=signin + - GF_AUTH_GENERIC_OAUTH_NAME=Authelia + - GF_AUTH_GENERIC_OAUTH_CLIENT_ID=grafana + - GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=${GRAFANA_OAUTH} + - GF_AUTH_GENERIC_OAUTH_SCOPES=openid profile email groups + - GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES=false + - GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://idp.bhasher.com/api/oidc/authorization + - 
GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://idp.bhasher.com/api/oidc/token + - GF_AUTH_GENERIC_OAUTH_API_URL=https://idp.bhasher.com/api/oidc/userinfo + - GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH=preferred_username + - GF_AUTH_GENERIC_OAUTH_GROUPS_ATTRIBUTE_PATH=groups + - GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH=name + - GF_AUTH_GENERIC_OAUTH_USE_PKCE=false + - GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(roles[*], 'admin') && 'Admin' || 'Viewer' + - GF_AUTH_GENERIC_OAUTH_GROUPS_PATH=groups + - GF_AUTH_GENERIC_OAUTH_ALLOWED_GROUPS=admin + volumes: + - $DATA/monitoring/grafana:/var/lib/grafana + - /etc/localtime:/etc/localtime:ro + networks: + - external + - monitoring + + cadvisor: + container_name: cadvisor + image: gcr.io/cadvisor/cadvisor:v0.47.0 #v0.47.1 + volumes: + - /:/rootfs:ro + - /var/run:/var/run:rw + - /sys:/sys:ro + - /var/lib/docker/:/var/lib/docker:ro + - /etc/localtime:/etc/localtime:ro + restart: always + command: + - "--housekeeping_interval=60s" + - "--docker_only=true" + - "--store_container_labels=false" + - "--disable_metrics=percpu,sched,tcp,udp,disk,diskIO,hugetlb,referenced_memory,cpu_topology,resctrl" + networks: + - monitoring + healthcheck: + test: wget --quiet --tries=1 --spider http://localhost:8080/healthz || exit 1 + interval: 15s + timeout: 15s + retries: 5 + start_period: 30s + + node-exporter: + container_name: node-exporter + image: quay.io/prometheus/node-exporter:latest + volumes: + - /proc:/host/proc:ro + - /sys:/host/sys:ro + - /:/rootfs:ro + - /:/host:ro,rslave + - /etc/localtime:/etc/localtime:ro + command: + - '--path.rootfs=/host' + - '--path.procfs=/host/proc' + - '--path.sysfs=/host/sys' + - '--collector.filesystem.ignored-mount-points' + - "^/(sys|proc|dev|host|etc|rootfs/var/lib/docker/containers|rootfs/var/lib/docker/overlay2|rootfs/run/docker/netns|rootfs/var/lib/docker/aufs)($$|/)" + restart: always + networks: + - monitoring + + mikrotik: + container_name: mikrotik + image: ogi4i/mikrotik-exporter:latest + 
#image: nshttpd/mikrotik-exporter-linux-arm64:1.0.12-DEVEL + command: + - -config-file + - /config.yaml + restart: unless-stopped + environment: + - CONFIG_FILE=/config.yaml + volumes: + - $CONFIG/monitoring/mikrotik.yaml:/config.yaml:ro + - /etc/localtime:/etc/localtime:ro + networks: + - monitoring + + +networks: + monitoring: + name: monitoring + external: + external: true diff --git a/bxl-shp/system/docker-compose.portainer.yaml b/bxl-shp/system/docker-compose.portainer.yaml new file mode 100644 index 0000000..7c7a695 --- /dev/null +++ b/bxl-shp/system/docker-compose.portainer.yaml @@ -0,0 +1,23 @@ +services: + portainer: + container_name: portainer + image: portainer/portainer-ce:latest + ports: + - "9443:9443" + volumes: + - $DATA/portainer:/data:rw + - /var/run/docker.sock:/var/run/docker.sock + labels: + - "traefik.enable=true" + - "traefik.http.routers.portainer.rule=Host(`portainer.bxl.bhasher.com`)" + - "traefik.http.routers.portainer.entrypoints=externalsecure,internalsecure" + - "traefik.http.services.portainer.loadbalancer.server.port=9000" + - "traefik.http.routers.portainer.tls=true" + - "traefik.http.routers.portainer.tls.certresolver=http" + restart: unless-stopped + networks: + - external + +networks: + external: + external: true diff --git a/bxl-shp/system/docker-compose.storage.yaml b/bxl-shp/system/docker-compose.storage.yaml new file mode 100644 index 0000000..c2e1446 --- /dev/null +++ b/bxl-shp/system/docker-compose.storage.yaml 
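Review bot: `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(roles[*], 'admin') && 'Admin' || 'Viewer'` reads a `roles` claim, but the Authelia client for Grafana in this commit grants only the `openid profile groups email` scopes and Grafana itself takes group membership from `GF_AUTH_GENERIC_OAUTH_GROUPS_ATTRIBUTE_PATH=groups`; unless Authelia emits a `roles` claim (nothing here configures one), every login resolves to `Viewer`, including the `admin` members that `GF_AUTH_GENERIC_OAUTH_ALLOWED_GROUPS=admin` admits, so the expression should presumably be `contains(groups[*], 'admin') && 'Admin' || 'Viewer'`. `prometheus` runs as `user: root`, presumably only to write `$DATA/monitoring/prometheus`; chowning that directory to the image's default user and dropping `user: root` removes a root process that Traefik exposes from the `external` network. `cadvisor` mounts `/var/run` read-write although it only reads the Docker socket, and `grafana/grafana`, `prom/prometheus:latest`, `node-exporter:latest` and `mikrotik-exporter:latest` are unpinned while `cadvisor` is pinned to `v0.47.0`.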
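Review bot: `ports: - "9443:9443"` publishes Portainer's own HTTPS listener on the host in addition to the Traefik route on `externalsecure,internalsecure`, so the instance is reachable on a second path that bypasses Traefik's certificate, entrypoints and any middleware, for a container that also mounts the Docker socket; if the direct port is a deliberate break-glass path, say so (`# 9443 published on purpose: direct access when Traefik is down`), otherwise remove the `ports:` block. The Authelia client for `portainer` in this commit enforces `two_factor` only for OIDC logins, so a comment noting that Portainer's local admin login stays available on both paths would set expectations. `portainer/portainer-ce:latest` is unpinned for a container holding the Docker socket.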
@@ -0,0 +1,35 @@ +services: + postgres: + container_name: postgres + image: postgres:15 + restart: unless-stopped + environment: + - POSTGRES_USER=postgres + - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} + volumes: + - $DATA/postgres:/var/lib/postgresql/data + networks: + - storage + + redis: + container_name: redis + image: redis:latest + restart: unless-stopped + networks: + - storage + + mariadb: + container_name: mariadb + image: mariadb:latest + restart: on-failure + environment: + - MARIADB_ROOT_PASSWORD=${MARIADB_ROOT} + volumes: + - $DATA/mariadb:/var/lib/mysql:rw + networks: + - storage + + +networks: + storage: + name: storage diff --git a/bxl-shp/system/docker-compose.traefik.yaml b/bxl-shp/system/docker-compose.traefik.yaml new file mode 100644 index 0000000..77576b3 --- /dev/null +++ b/bxl-shp/system/docker-compose.traefik.yaml 
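Review bot: `redis:latest` and `mariadb:latest` are unpinned for stateful services whose on-disk format changes between major versions, whereas `postgres` in the same hunk is pinned to `postgres:15`; an unplanned MariaDB major upgrade on the next pull can leave `$DATA/mariadb` needing a manual upgrade, so pin at least the major (e.g. `image: mariadb:11` and `image: redis:7`, versions chosen here for illustration). `redis` runs with no `requirepass` and is only reachable on the internal `storage` network, which the hunk should state in a comment so nobody later attaches it to a wider network. `restart: on-failure` on `mariadb` differs from `unless-stopped` on the other two services without an obvious reason.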
@@ -0,0 +1,57 @@ +services: + traefik: + container_name: traefik + image: traefik:v2.9 + command: + - "--api.insecure=true" + - "--providers.docker=true" + - "--providers.docker.exposedbydefault=false" + - "--providers.docker.network=external" + - "--entrypoints.internal.address=:80" + - "--entrypoints.internalsecure.address=:443" + - "--entrypoints.internal.http.redirections.entryPoint.to=internalsecure" + - "--entrypoints.internal.http.redirections.entryPoint.scheme=https" + - "--entrypoints.internal.http.redirections.entryPoint.permanent=true" + - "--certificatesresolvers.http.acme.httpchallenge=true" + - "--certificatesresolvers.http.acme.httpchallenge.entrypoint=external" + - "--certificatesresolvers.http.acme.email=acme@bhasher.com" + - "--certificatesresolvers.http.acme.storage=acme.json" + - "--entrypoints.external.address=:81" + - "--entrypoints.externalsecure.address=:444" + - "--entrypoints.external.http.redirections.entryPoint.to=externalsecure" + - "--entrypoints.external.http.redirections.entryPoint.scheme=https" + - "--entrypoints.external.http.redirections.entryPoint.permanent=true" + #- "--log.level=DEBUG" + - "--metrics.prometheus=true" + - "--api.dashboard=true" + environment: + - TZ=Europe/Paris + ports: + - "80:80" + - "443:443" + - "81:81" + - "444:444" + #- "8080:8080" + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + - type: bind + source: $DATA/traefik/acme.json + target: /acme.json + - type: bind + source: $DATA/traefik/rules.toml + target: /rules.toml + restart: always + labels: + - "traefik.enable=true" + - "traefik.http.routers.traefik.rule=Host(`traefik.bhasher.com`)" + - "traefik.http.services.traefik.loadbalancer.server.port=8080" + - "traefik.http.routers.traefik.tls=true" + - "traefik.http.routers.traefik.tls.certresolver=http" + - "traefik.http.routers.traefik.entrypoints=internalsecure" + - "traefik.http.routers.traefik.middlewares=authelia@docker" + networks: + - external + +networks: + external: + name: external 
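Review bot: `--api.insecure=true` exposes the Traefik API and dashboard unauthenticated on port 8080 inside the container, and the `traefik` router then proxies that same port through `authelia@docker`, so the guard applies only on the routed path while any container on the shared `external` network can still call `traefik:8080` directly. The recommended shape is `--api.insecure=false` (or dropping the flag) with `- "traefik.http.routers.traefik.service=api@internal"` in place of the `loadbalancer.server.port=8080` label, which leaves the dashboard reachable only behind Authelia. `$DATA/traefik/rules.toml` is bind-mounted to `/rules.toml`, but no `--providers.file` flag is set, so the file is never read; either add the provider or drop the mount. `acme.json` holds the private keys of every issued certificate, so a comment that it must stay mode 0600 on the host belongs next to that mount.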
diff --git a/bxl-shp/system/docker-compose.watchtower.yaml b/bxl-shp/system/docker-compose.watchtower.yaml new file mode 100644 index 0000000..b73b05a --- /dev/null +++ b/bxl-shp/system/docker-compose.watchtower.yaml @@ -0,0 +1,32 @@ +services: + watchtower: + container_name: watchtower + image: containrrr/watchtower + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - /etc/localtime:/etc/localtime:ro + command: + - "--cleanup" + - "--schedule=0 0 3 * * SAT" + - "--label-enable" + #- "--monitor-only" + - "--http-api-metrics=true" + - "--http-api-token=watchtower" + #- "--run-once=true" + # emails notification + - "--notifications=email" + - "--notifications-level=trace" + - "--notification-email-from=watchtower.noreply@bhasher.com" + - "--notification-email-to=watchtower.homelab@bhasher.com" + - "--notification-email-server=bdubois.io" + - "--notification-email-server-port=465" + - "--notification-email-server-user=${SMTP_USER}" + - "--notification-email-server-password=${SMTP_PASSWORD}" + networks: + - monitoring + labels: + - "com.centurylinklabs.watchtower.enable=false" + +networks: + monitoring: + external: true
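Review bot: `--http-api-token=watchtower` hard-codes a guessable token for the HTTP API that `--http-api-metrics=true` enables, in a file where every other credential comes from `.env`; use `- "--http-api-token=${WATCHTOWER_API_TOKEN}"` (variable name chosen here) so the token is neither committed nor fixed. `--notifications-level=trace` e-mails every trace-level log line, which is far noisier than needed for an update report; unless that is deliberate for debugging, lower it and say so in the `# emails notification` comment. With `--label-enable`, only containers carrying `com.centurylinklabs.watchtower.enable=true` are updated, and none of the services added in this commit carry that label, so the scheduled run currently updates nothing unless other stacks set it.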