From 1d52e2ac7516b60f4a61086e9455c7b1861e87ea Mon Sep 17 00:00:00 2001 From: Colin Hebert Date: Mon, 23 Sep 2024 17:03:36 +0200 Subject: [PATCH] Refresh repository to match reality (Part1) --- .gitignore | 4 ++ authentication/docker-compose.yml | 16 +++-- bootstrap/docker-compose.yml | 9 ++- docker-monitoring/docker-compose.yml | 7 +- git/docker-compose.yml | 22 ++++++ monitoring/compose.yml | 68 +++++++++++++++++++ monitoring/config/promtail_config.yaml | 25 +++++++ photo-collector/docker-compose.yml | 7 +- reverse-proxy/configs/dynamic/authelia.yml | 13 +--- reverse-proxy/configs/dynamic/compress.yml | 39 +++++++++++ reverse-proxy/configs/dynamic/hsts.yml | 2 +- .../configs/dynamic/qbittorrent-api.yml | 7 -- reverse-proxy/configs/dynamic/traefik.yml | 8 --- reverse-proxy/configs/traefik.yml | 43 +++++++++--- tv-collector/docker-compose.yml | 3 - 15 files changed, 218 insertions(+), 55 deletions(-) create mode 100644 git/docker-compose.yml create mode 100644 monitoring/compose.yml create mode 100644 monitoring/config/promtail_config.yaml create mode 100644 reverse-proxy/configs/dynamic/compress.yml delete mode 100644 reverse-proxy/configs/dynamic/qbittorrent-api.yml delete mode 100644 reverse-proxy/configs/dynamic/traefik.yml diff --git a/.gitignore b/.gitignore index 8cde040..3767b39 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,5 @@ *.nas-compose.env +/**/volumes/* +/**/secrets/* +@eaDir +.DS_Store diff --git a/authentication/docker-compose.yml b/authentication/docker-compose.yml index 28ac09f..d1a8b83 100644 --- a/authentication/docker-compose.yml +++ b/authentication/docker-compose.yml 
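Review bot: The new `/**/volumes/*` and `/**/secrets/*` patterns only stop future additions; anything under a `secrets/` directory that was already committed stays tracked and in history until it is removed with `git rm --cached` and, if it held a live credential, rotated. A one-off `git ls-files '*/secrets/*'` after this change would confirm nothing is still tracked. The `@eaDir` and `.DS_Store` entries are unrelated housekeeping and fine as written.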
@@ -1,10 +1,13 @@ -name: authentication +version: "3.8" services: authelia: hostname: authelia image: authelia/authelia - command: --config /etc/authelia/configuration.yml,/etc/authelia/access.yml,/etc/authelia/authentication.yml + command: + - --config=/etc/authelia/configuration.yml + - --config=/etc/authelia/access.yml + - --config=/etc/authelia/authentication.yml environment: PUID: ${NASCOMPOSE_UID?} PGID: ${NASCOMPOSE_GID?} @@ -13,7 +16,7 @@ services: AUTHELIA_NOTIFIER_SMTP_ADDRESS: ${NASCOMPOSE_AUTHELIA_SMTP_ADDRESS?} AUTHELIA_NOTIFIER_SMTP_USERNAME: ${NASCOMPOSE_AUTHELIA_SMTP_USERNAME?} AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE: /run/secrets/smtp_password - AUTHELIA_NOTIFIER_SMTP_SENDER: "authelia@${NASCOMPOSE_DOMAIN?}" + AUTHELIA_NOTIFIER_SMTP_SENDER: authelia@${NASCOMPOSE_DOMAIN?} X_AUTHELIA_CONFIG_FILTERS: template TEMPLATE_NASCOMPOSE_DOMAIN: ${NASCOMPOSE_DOMAIN?} networks: @@ -34,7 +37,10 @@ services: restart: unless-stopped labels: traefik.enable: true - + authelia-redis: + hostname: authelia-redis + image: redis + restart: unless-stopped lldap: image: lldap/lldap environment: @@ -52,8 +58,8 @@ services: - ${NASCOMPOSE_SERVICES?}/authentication/secrets/lldap_key_seed:/run/secrets/key_seed:ro labels: traefik.enable: true + traefik.http.routers.lldap.middlewares: authelia@file traefik.http.services.lldap.loadbalancer.server.port: 17170 - networks: reverse-proxy: external: true diff --git a/bootstrap/docker-compose.yml b/bootstrap/docker-compose.yml index 143e8a2..ec0166a 100644 --- a/bootstrap/docker-compose.yml +++ b/bootstrap/docker-compose.yml 
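Review bot: Replacing `name: authentication` with `version: "3.8"` in the first hunk drops the explicit Compose project name (the project is now named after its directory) and adds a key that current Compose v2 releases treat as obsolete and warn about; the same swap appears in bootstrap/docker-compose.yml, git/docker-compose.yml, monitoring/compose.yml and photo-collector/docker-compose.yml, so this note covers those too. If the deployed tooling genuinely requires `version`, keeping both keys is the safer form, e.g. `name: authentication` on the line after `version: "3.8"`, so the project name does not silently change if a directory is ever renamed.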
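Review bot: The new `authelia-redis` service in the third hunk declares no `networks:` and no `volumes:`, so an unauthenticated, untagged `redis` with no persistence lands on the project's default network; whether `authelia` is attached to that same default network is not visible in this hunk, so the wiring should be confirmed. Any container on that network can read or wipe Authelia's session store, so it is worth pinning the image and scoping the network explicitly, e.g. `image: redis:<major>` (placeholder) plus a `networks:` list shared only with `authelia`, and a comment such as `# session store for authelia; keep off reverse-proxy` on the `authelia-redis:` line.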
@@ -1,11 +1,10 @@ -name: bootstrap - +version: "3.8" services: portainer: hostname: portainer - image: portainer/portainer-ce - command: > - --admin-password-file /run/secrets/portainer_password + image: portainer/portainer-ee + command: + - --admin-password-file=/run/secrets/portainer_password volumes: - /var/run/docker.sock:/var/run/docker.sock - /var/packages/ContainerManager/var/docker/volumes/:/var/lib/docker/volumes/ diff --git a/docker-monitoring/docker-compose.yml b/docker-monitoring/docker-compose.yml index 28c8601..36d7988 100644 --- a/docker-monitoring/docker-compose.yml +++ b/docker-monitoring/docker-compose.yml @@ -1,5 +1,4 @@ name: docker-monitoring - services: watchtower: hostname: watchtower @@ -12,7 +11,6 @@ services: WATCHTOWER_NOTIFICATION_URL: /run/secrets/notification_url volumes: - /var/run/docker.sock:/var/run/docker.sock - # Secrets - ${NASCOMPOSE_SERVICES?}/docker-monitoring/secrets/notification_url:/run/secrets/notification_url:ro restart: unless-stopped dockge: @@ -20,15 +18,16 @@ services: image: louislam/dockge networks: - reverse-proxy + environment: + DOCKGE_STACKS_DIR: ${NASCOMPOSE_SERVICES?}/ volumes: - /var/run/docker.sock:/var/run/docker.sock - - ${NASCOMPOSE_SERVICES?}/docker-monitoring/volumes/dockge_stacks/:/opt/stacks/ + - ${NASCOMPOSE_SERVICES?}/:${NASCOMPOSE_SERVICES?}/ - ${NASCOMPOSE_SERVICES?}/docker-monitoring/volumes/dockge_data/:/app/data/ restart: unless-stopped labels: traefik.enable: true traefik.http.routers.dockge.middlewares: authelia@file - networks: reverse-proxy: external: true diff --git a/git/docker-compose.yml b/git/docker-compose.yml new file mode 100644 index 0000000..68e2dd0 --- /dev/null +++ b/git/docker-compose.yml 
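Review bot: `image: portainer/portainer-ee` in the first hunk has no tag, and the same untagged or `latest` references appear in the new redis, gitea, loki, promtail, grafana, cadvisor and prometheus services; with `watchtower` present in docker-monitoring (visible in the next file's context) these containers may be upgraded unattended to whatever the registry currently serves, which for a container holding `/var/run/docker.sock` is a supply-chain exposure. Pinning at least a major version, e.g. `image: portainer/portainer-ee:<major.minor>` (placeholder), keeps the upgrade path deliberate; whether watchtower's scope actually covers these containers is not shown here. The switch from `portainer-ce` to `portainer-ee` is also a licensing change rather than a refresh, and deserves a word in the commit message.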
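Review bot: The dockge hunk replaces the dedicated `dockge_stacks/` bind with `${NASCOMPOSE_SERVICES?}/:${NASCOMPOSE_SERVICES?}/`, which mounts the entire services tree read-write into a container reachable through Traefik; that tree contains every `secrets/` directory this commit adds to .gitignore (for example `authentication/secrets/lldap_key_seed`), so anyone who passes the `authelia@file` middleware can read or rewrite every service's secrets from the dockge UI. Dockge already holds `/var/run/docker.sock`, so this widens an existing trust boundary rather than creating a new one, but the mount deserves an explicit comment on that line, e.g. `# whole services tree so dockge edits stacks in place; this also exposes every */secrets/ dir`, and the Authelia access rule for the dockge host should be restricted to the admin group accordingly.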
@@ -0,0 +1,22 @@ +version: "3.8" +services: + gitea: + container_name: gitea + image: gitea/gitea:latest-rootless + user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?} + volumes: + - ${NASCOMPOSE_DATA?}/git:/var/lib/gitea/git/lfs + - ${NASCOMPOSE_SERVICES?}/git/volumes/gitea_data:/var/lib/gitea + - ${NASCOMPOSE_SERVICES?}/git/volumes/gitea_config:/etc/gitea + networks: + - reverse-proxy + restart: unless-stopped + labels: + traefik.enable: true + traefik.http.services.gitea.loadbalancer.server.port: 3000 + traefik.tcp.routers.gitea.entryPoints: ssh + traefik.tcp.routers.gitea.rule: HostSNI(`*`) + traefik.tcp.services.gitea.loadbalancer.server.port: 2222 +networks: + reverse-proxy: + external: true diff --git a/monitoring/compose.yml b/monitoring/compose.yml new file mode 100644 index 0000000..b499ba7 --- /dev/null +++ b/monitoring/compose.yml 
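Review bot: `${NASCOMPOSE_DATA?}/git:/var/lib/gitea/git/lfs` mounts the data share only at Gitea's LFS object path, while repositories themselves end up under `gitea_data`; if the intent was to keep repositories on the data share the target path is wrong, so please confirm which was meant and add a comment such as `# data share holds LFS objects only; repos live in gitea_data` on that line. No `traefik.http.routers.gitea.*` labels are set, so the HTTP router takes Traefik's default rule with no `authelia@file` middleware — presumably deliberate so git-over-HTTPS basic auth keeps working, but a comment on the `labels:` block would make that explicit. `image: gitea/gitea:latest-rootless` is a floating tag for the service that holds source code, as noted for bootstrap.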
@@ -0,0 +1,68 @@ +version: "3.8" +services: + loki: + image: grafana/loki + command: -config.file=/etc/loki/local-config.yaml + networks: + default: null + macvlan: + ipv4_address: ${NASCOMPOSE_MACVLAN_LOKI_IP?} + restart: unless-stopped + promtail: + image: grafana/promtail + volumes: + - /var/log:/var/log + - ${NASCOMPOSE_SERVICES?}/monitoring/config/promtail_config.yaml:/etc/promtail/config.yaml + - ${NASCOMPOSE_SERVICES?}/monitoring/volumes/promtail_logs/:/data/logs/ + command: -config.file=/etc/promtail/config.yaml + restart: unless-stopped + grafana: + image: grafana/grafana-oss + user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?} + volumes: + - ${NASCOMPOSE_SERVICES?}/monitoring/volumes/grafana_data/:/var/lib/grafana + - ${NASCOMPOSE_SERVICES?}/monitoring/config/grafana.ini:/etc/grafana/grafana.ini:ro + networks: + - reverse-proxy + - default + restart: unless-stopped + labels: + traefik.enable: true + cadvisor: + image: gcr.io/cadvisor/cadvisor + hostname: cadvisor + command: + - --enable_metrics=app,cpu,memory,network,oom_event,percpu + - --store_container_labels=false + - --docker_only=true + - --whitelisted_container_labels=com.docker.compose.project,com.docker.compose.service + volumes: + - /:/rootfs:ro + - /var/run:/var/run:ro + - /sys:/sys:ro + - /var/packages/ContainerManager/var/docker/:/var/lib/docker:ro + networks: + - reverse-proxy + - default + restart: unless-stopped + labels: + traefik.enable: true + traefik.http.routers.cadvisor.middlewares: authelia@file + prometheus: + image: prom/prometheus + user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?} + volumes: + - ${NASCOMPOSE_SERVICES?}/monitoring/config/prometheus_config/prometheus.yml:/etc/prometheus/prometheus.yml + - ${NASCOMPOSE_SERVICES?}/monitoring/volumes/prometheus_data/:/prometheus/ + restart: unless-stopped + networks: + - reverse-proxy + - default + labels: + traefik.enable: true + traefik.http.routers.prometheus.middlewares: authelia@file +networks: + reverse-proxy: + external: true + macvlan: + 
external: true diff --git a/monitoring/config/promtail_config.yaml b/monitoring/config/promtail_config.yaml new file mode 100644 index 0000000..a3e67f7 --- /dev/null +++ b/monitoring/config/promtail_config.yaml @@ -0,0 +1,25 @@ +server: + http_listen_port: 9080 + grpc_listen_port: 0 + +positions: + filename: /data/logs/positions.yaml + +clients: + - url: http://loki:3100/loki/api/v1/push + +scrape_configs: +- job_name: system + static_configs: + - targets: + - localhost + labels: + job: varlogs + __path__: /var/log/*.log +- job_name: traefik + static_configs: + - targets: + - traefik + labels: + job: traefik + __path__: /data/logs/traefik/*.log diff --git a/photo-collector/docker-compose.yml b/photo-collector/docker-compose.yml index c5c60e2..5cca69c 100644 --- a/photo-collector/docker-compose.yml +++ b/photo-collector/docker-compose.yml @@ -1,5 +1,4 @@ -name: photo-collector - +version: "3.8" services: immich: hostname: immich @@ -44,13 +43,13 @@ services: POSTGRES_USER: postgres POSTGRES_PASSWORD: postgres POSTGRES_DB: immich - POSTGRES_INITDB_ARGS: '--data-checksums' + POSTGRES_INITDB_ARGS: --data-checksums volumes: - ${NASCOMPOSE_SERVICES?}/photo-collector/volumes/immich_postgres_data/:/var/lib/postgresql/data/ healthcheck: test: pg_isready --dbname='immich' --username='postgres' || exit 1; Chksum="$$(psql --dbname='immich' --username='postgres' --tuples-only --no-align --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM pg_stat_database')"; echo "checksum failure count is $$Chksum"; [ "$$Chksum" = '0' ] || exit 1 interval: 5m - #start_interval: 30s + start_interval: 30s start_period: 5m command: ["postgres", "-c" ,"shared_preload_libraries=vectors.so", "-c", 'search_path="$$user", public, vectors', "-c", "logging_collector=on", "-c", "max_wal_size=2GB", "-c", "shared_buffers=512MB", "-c", "wal_compression=on"] restart: unless-stopped 
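Review bot: `- /var/log:/var/log` in the promtail service is a read-write bind of the host's log directory, but promtail only reads it (its positions file is written under `/data/logs/`), so it should be `- /var/log:/var/log:ro` — otherwise a compromised log shipper could truncate or forge the very host logs it is meant to preserve. Separately, `loki` is placed on `macvlan` with a static `${NASCOMPOSE_MACVLAN_LOKI_IP?}`, which puts its unauthenticated HTTP API on the LAN rather than only on the Compose network; if that is deliberate (other hosts pushing logs), a comment on the `macvlan:` line saying so would stop the next reader from raising it again. The `default: null` entry is valid Compose syntax for staying on the default network while adding another, so that part reads fine.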
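Review bot: The two `scrape_configs` items are written at column 0 (`- job_name: system`) while the `clients` item is indented, which yamllint reports as inconsistent sequence indentation; pick one style for the file. The `traefik` job reads `/data/logs/traefik/*.log`, which presumes the reverse-proxy stack writes its `/var/log/traefik/access.log` (configured in `reverse-proxy/configs/traefik.yml` in this same patch) into `monitoring/volumes/promtail_logs/traefik/` on the host — that host-side mapping is not in the patch, so it should be confirmed. Since that access log keeps the `Remote-User` header, these files carry usernames and the `promtail_logs` directory should get the same ownership and permissions as the other volumes.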
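Review bot: Uncommenting `start_interval: 30s` in the second hunk makes the file depend on healthcheck `start_interval`, a comparatively recent Compose/Engine feature; on an older engine the key is either rejected or silently ignored, so confirm the NAS engine honours it (the neighbouring `start_period: 5m` is long-established and safe). The hunk's context also shows `POSTGRES_PASSWORD: postgres` inline — not introduced here, but since the rest of this repository mounts credentials from `secrets/` files, moving it to `POSTGRES_PASSWORD_FILE` would be consistent; the immich service's matching database settings sit outside this hunk and would need the same change.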
diff --git a/reverse-proxy/configs/dynamic/authelia.yml b/reverse-proxy/configs/dynamic/authelia.yml index 37f0e61..56049ab 100644 --- a/reverse-proxy/configs/dynamic/authelia.yml +++ b/reverse-proxy/configs/dynamic/authelia.yml @@ -2,18 +2,11 @@ http: middlewares: authelia: forwardAuth: - address: 'http://authelia:9091/api/verify?rd=https%3A%2F%2Fauthelia.{{ env `NASCOMPOSE_DOMAIN` }}%2F' - trustForwardHeader: true - authResponseHeaders: - - Remote-User - - Remote-Groups - - Remote-Name - - Remote-Email - authelia-basic: - forwardAuth: - address: http://authelia:9091/api/verify?auth=basic + address: http://authelia:9091/api/authz/forward-auth trustForwardHeader: true authResponseHeaders: + - Authorization + - Proxy-Authorization - Remote-User - Remote-Groups - Remote-Name diff --git a/reverse-proxy/configs/dynamic/compress.yml b/reverse-proxy/configs/dynamic/compress.yml new file mode 100644 index 0000000..145c0ec --- /dev/null +++ b/reverse-proxy/configs/dynamic/compress.yml @@ -0,0 +1,39 @@ +http: + middlewares: + compress: + compress: + includedContentTypes: + - application/atom+xml + - application/geo+json + - application/javascript + - application/x-javascript + - application/json + - application/ld+json + - application/manifest+json + - application/rdf+xml + - application/rss+xml + - application/vnd.ms-fontobject + - application/wasm + - application/x-web-app-manifest+json + - application/xhtml+xml + - application/xml + - font/eot + - font/otf + - font/ttf + - image/bmp + - image/svg+xml + - image/vnd.microsoft.icon + - image/x-icon + - text/cache-manifest + - text/calendar + - text/css + - text/html + - text/javascript + - text/markdown + - text/plain + - text/xml + - text/vcard + - text/vnd.rim.location.xloc + - text/vtt + - text/x-component + - text/x-cross-domain-policy diff --git a/reverse-proxy/configs/dynamic/hsts.yml b/reverse-proxy/configs/dynamic/hsts.yml index 8ed0ea2..27e3bd8 100644 --- a/reverse-proxy/configs/dynamic/hsts.yml 
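Review bot: The forwardAuth `address` moves to `/api/authz/forward-auth` and drops the `rd=` redirect parameter, so where an unauthenticated browser lands now depends on Authelia's `server.endpoints.authz` configuration rather than on this file; that configuration is not in the patch, so confirm it redirects rather than returning a bare 401, or the dockge/lldap/cadvisor/prometheus routers will show an error page instead of the login form. The `authelia-basic` middleware is removed together with `qbittorrent-api.yml`, its only reference in this patch; a `grep -r authelia-basic` over the remaining dynamic files and compose labels would confirm nothing else still points at it, since a router naming a missing middleware fails to load. Adding `Authorization` and `Proxy-Authorization` to `authResponseHeaders` matches the header list Authelia's Traefik integration asks for, as far as I can tell.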
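Review bot: The `compress` middleware includes `text/html` and `application/json`, and traefik.yml in this patch attaches `compress@file` to every request on `websecure`; compressing dynamic, authenticated responses over TLS is the precondition for the BREACH class of compression side channels, where a secret reflected in a page alongside attacker-influenced input can be inferred from response sizes. For a home NAS behind Authelia the likelihood is low, but the decision should be recorded with a comment on the `compress:` line, or the dynamic types dropped from `includedContentTypes` so compression is limited to static assets. A one-line comment saying where this 34-entry type list came from would also help whoever maintains it next.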
+++ b/reverse-proxy/configs/dynamic/hsts.yml @@ -2,7 +2,7 @@ http: middlewares: hsts: headers: - frameDeny: true + customFrameOptionsValue: SAMEORIGIN browserXssFilter: true stsSeconds: 31536000 # 1 year stsPreload: true diff --git a/reverse-proxy/configs/dynamic/qbittorrent-api.yml b/reverse-proxy/configs/dynamic/qbittorrent-api.yml deleted file mode 100644 index da0f38d..0000000 --- a/reverse-proxy/configs/dynamic/qbittorrent-api.yml +++ /dev/null @@ -1,7 +0,0 @@ -http: - routers: - qbittorrent-api: - rule: 'Host(`qbittorrent-api.{{ env `NASCOMPOSE_DOMAIN` }}`)' - service: qbittorrent@docker - middlewares: - - authelia-basic@file diff --git a/reverse-proxy/configs/dynamic/traefik.yml b/reverse-proxy/configs/dynamic/traefik.yml deleted file mode 100644 index 26fb57e..0000000 --- a/reverse-proxy/configs/dynamic/traefik.yml +++ /dev/null @@ -1,8 +0,0 @@ -http: - #TODO: Convert to inline configuration for traefik - # Allows internal services to use `http://traefik/` to use the traefik interface. - # Useful for tools like Heimdall which use the traefik API. - routers: - traefik-internal: - rule: Host(`traefik`) - service: api@internal diff --git a/reverse-proxy/configs/traefik.yml b/reverse-proxy/configs/traefik.yml index 68a7ccf..6c4fbf6 100644 --- a/reverse-proxy/configs/traefik.yml +++ b/reverse-proxy/configs/traefik.yml 
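Review bot: Switching `frameDeny: true` to `customFrameOptionsValue: SAMEORIGIN` relaxes `X-Frame-Options` from DENY to SAMEORIGIN for every service on `websecure`, because this middleware is attached at the entrypoint; if only one application needs framing, a per-router headers middleware would keep DENY as the default. Modern browsers prefer CSP `frame-ancestors` over `X-Frame-Options` when both are present, so if no other CSP is set, adding `contentSecurityPolicy: "frame-ancestors 'self'"` next to it makes the intent explicit. The middleware name `hsts` no longer describes what it does; a comment such as `# security headers for all websecure routers, not only HSTS` on the `hsts:` line would help, and the context line `browserXssFilter: true` emits a header current browsers ignore, though that is not changed here.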
@@ -9,33 +9,60 @@ providers: serverstransport: insecureskipverify: true -api: {} -accessLog: {} +api: + dashboard: true + insecure: true +accessLog: + filePath: /var/log/traefik/access.log + format: json + fields: + defaultMode: keep + names: + StartLocal: drop + ClientAddr: drop + headers: + defaultMode: drop + names: + Remote-User: keep +metrics: + prometheus: + addRoutersLabels: true + entryPoint: metrics certificatesResolvers: defaultResolver: acme: storage: /etc/traefik/acme/acme.json - dnsChallenge: - provider: cloudflare + tlsChallenge: {} entryPoints: web: - address: :80 + address: :8080 http: redirections: entryPoint: to: websecure scheme: https - websecure: - address: :443 + permanent: true + websecure: + address: :8443 + asDefault: true http: tls: certResolver: defaultResolver middlewares: - hsts@file + - compress@file + http3: + advertisedPort: 443 ssh: - address: :22 + address: :8022 + ssh-tarpit: + address: :8222 + metrics: + address: :9982 + traefik: + address: :8081 global: sendAnonymousUsage: false diff --git a/tv-collector/docker-compose.yml b/tv-collector/docker-compose.yml index e651bed..bb8b4d2 100644 --- a/tv-collector/docker-compose.yml +++ b/tv-collector/docker-compose.yml @@ -1,5 +1,4 @@ name: tv-collector - services: sonarr: hostname: sonarr @@ -19,11 +18,9 @@ services: labels: traefik.enable: true traefik.http.routers.sonarr.middlewares: authelia@file - networks: tv-collector: name: tv-collector - reverse-proxy: external: true torrents:
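Review bot: `api: insecure: true` together with `dashboard: true` serves the API and dashboard unauthenticated on the new `traefik` entrypoint `:8081`; whether that port is published beyond the Docker network is decided by the reverse-proxy compose file, which is not in this patch, but the deleted dynamic/traefik.yml router (Host(`traefik`) → `api@internal`) achieved internal access without insecure mode. Prefer `insecure: false` with a dynamic router for `api@internal` on `websecure` behind `authelia@file`, and keep `:8081` only if something on the Docker network genuinely needs it. The `metrics` entrypoint `:9982` exposes Prometheus metrics unauthenticated in the same way, and the context line `insecureskipverify: true` under `serverstransport` disables upstream certificate checks for every backend — neither is new, but both belong in the same review. The switch to `tlsChallenge: {}` requires port 443 to reach the `:8443` listener from the Internet, which the `http3.advertisedPort: 443` line suggests is already the case.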