Bxl-swarm

bxl-swarm/pihole.stack.yaml

@@ -0,0 +1,39 @@
+version: '3.7'
+services:
+  pihole:
+    image: cbcrowe/pihole-unbound:latest
+    deploy:
+      mode: replicated
+      replicas: 1
+      restart_policy:
+        condition: any
+        max_attempts: 3
+    ports:
+    - mode: host
+      protocol: tcp
+      published: 53
+      target: 53
+    - mode: host
+      protocol: udp
+      published: 53
+      target: 53
+    - mode: host
+      protocol: tcp
+      published: 80
+      target: 80
+    environment:
+      TZ: 'Europe/Paris'
+      WEBPASSWORD: 'z9w1r0FvKKvuLdXIygDlhidUhinERhOKZTBJtOXCMaFLi1dZvh0f2vsy9miDqsFu'
+      WEBTHEME: 'default-dark'
+      REV_SERVER: 'false'
+      PIHOLE_DNS_: '127.0.0.1#5335'
+      DNSSEC: 'true'
+      DNSMASQ_LISTENING: 'all'
+      FTLCONF_REPLY_ADDR4: '192.168.1.220'
+      FTLCONF_RATE_LIMIT: '0/0'
+      FTL_CMD: 'debug'
+    volumes:
+    - '/mnt/nfs/pihole/config:/etc/pihole'
+    - '/mnt/nfs/pihole/dnsmasq.d:/etc/dnsmasq.d'    
+    # - '/tmp/config:/etc/pihole'
+    # - '/tmp/dnsmasq.d:/etc/dnsmasq.d'    

bxl-swarm/system.stack.yaml

@@ -0,0 +1,93 @@
+version: '3.2'
+
+services:
+  traefik:
+    image: traefik:v2.9
+    command:
+    #- "--api.insecure=true"
+    - "--providers.docker=true"
+    - "--providers.docker.exposedbydefault=false"
+    - "--providers.docker.network=external"
+    - "--providers.docker.swarmmode=true"
+    - "--entrypoints.internal.address=:80"
+    - "--entrypoints.internalsecure.address=:443"
+    - "--entrypoints.internal.http.redirections.entryPoint.to=internalsecure"
+    - "--entrypoints.internal.http.redirections.entryPoint.scheme=https"
+    - "--entrypoints.internal.http.redirections.entryPoint.permanent=true"
+    - "--certificatesresolvers.http.acme.httpchallenge=true"
+    - "--certificatesresolvers.http.acme.httpchallenge.entrypoint=external"
+    - "--certificatesresolvers.http.acme.email=acme@bhasher.com"
+    - "--certificatesresolvers.http.acme.storage=acme.json"
+    - "--entrypoints.external.address=:81"
+    - "--entrypoints.externalsecure.address=:444"
+    - "--entrypoints.external.http.redirections.entryPoint.to=externalsecure"
+    - "--entrypoints.external.http.redirections.entryPoint.scheme=https"
+    - "--entrypoints.external.http.redirections.entryPoint.permanent=true"
+    #- "--log.level=DEBUG"
+    environment:
+    - TZ=Europe/Paris
+    ports:
+    - "80:80"
+    - "443:443"
+    - "81:81"
+    - "444:444"
+    #- "8080:8080"
+    volumes:
+    - /var/run/docker.sock:/var/run/docker.sock:ro
+    - type: bind
+      source: /mnt/nfs/traefik/acme.json
+      target: /acme.json
+    networks:
+    - external
+    deploy:
+      mode: replicated
+      replicas: 1
+      restart_policy:
+        condition: any
+        max_attempts: 3
+
+  portainer:
+    image: portainer/portainer-ce:latest
+    command: -H tcp://tasks.agent:9001 --tlsskipverify
+    ports:
+    - "9443:9443"
+    volumes:
+    - /mnt/nfs/portainer_data:/data:rw
+    - /var/run/docker.sock:/var/run/docker.sock
+    networks:
+    - external
+    - agent_network
+    deploy:
+      labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.portainer.rule=Host(`portainer.bxl.bhasher.com`)"
+      - "traefik.http.routers.portainer.entrypoints=externalsecure,internalsecure"
+      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
+      - "traefik.http.routers.portainer.tls=true"
+      - "traefik.http.routers.portainer.tls.certresolver=http"
+      mode: replicated
+      replicas: 1
+      restart_policy:
+        condition: any
+        max_attempts: 3
+      placement:
+        constraints: [node.role == manager]
+
+  agent:
+    image: portainer/agent:latest
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    #  - /var/lib/docker/volumes:/var/lib/docker/volumes
+    networks:
+      - agent_network
+    deploy:
+      mode: global
+      placement:
+        constraints: [node.platform.os == linux]
+
+networks:
+  external:
+    external: true
+  agent_network:
+    driver: overlay
+    attachable: true

bxl-swarm/wireguard.stack.yaml

@@ -0,0 +1,31 @@
+version: '3.7'
+services:
+  wireguard:
+    image: lscr.io/linuxserver/wireguard:latest
+    deploy:
+      mode: replicated
+      replicas: 1
+      restart_policy:
+        condition: any
+        max_attempts: 3
+    volumes:
+    - /mnt/nfs/wireguard:/config
+    - /lib/modules:/lib/modules
+    ports:
+    - mode: host
+      protocol: udp
+      published: 51821
+      target: 51820
+    environment:
+    - TZ=Europe/Paris
+    - SERVERURL=vpn.bhasher.com
+    - SERVERPORT=51821
+    - PEERS=5
+    - PEERDNS=auto
+    - INTERNAL_SUBNET=10.13.14.0
+    - ALLOWEDIPS=0.0.0.0/0
+    cap_add:
+    - NET_ADMIN
+    - SYS_MODULE
+    sysctls:
+    - net.ipv4.conf.all.src_valid_mark=1