Refresh repository to match reality (Part1)

2024-09-23 17:03:36 +02:00
parent 61020cae89
commit 1d52e2ac75
15 changed files with 218 additions and 55 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,5 @@
 *.nas-compose.env
+/**/volumes/*
+/**/secrets/*
+@eaDir
+.DS_Store
--- a/authentication/docker-compose.yml
+++ b/authentication/docker-compose.yml
@@ -1,10 +1,13 @@
-name: authentication
+version: "3.8"

 services:
  authelia:
    hostname: authelia
    image: authelia/authelia
-    command: --config /etc/authelia/configuration.yml,/etc/authelia/access.yml,/etc/authelia/authentication.yml
+    command:
+      - --config=/etc/authelia/configuration.yml
+      - --config=/etc/authelia/access.yml
+      - --config=/etc/authelia/authentication.yml
    environment:
      PUID: ${NASCOMPOSE_UID?}
      PGID: ${NASCOMPOSE_GID?}
@@ -13,7 +16,7 @@ services:
      AUTHELIA_NOTIFIER_SMTP_ADDRESS: ${NASCOMPOSE_AUTHELIA_SMTP_ADDRESS?}
      AUTHELIA_NOTIFIER_SMTP_USERNAME: ${NASCOMPOSE_AUTHELIA_SMTP_USERNAME?}
      AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE: /run/secrets/smtp_password
-      AUTHELIA_NOTIFIER_SMTP_SENDER: "authelia@${NASCOMPOSE_DOMAIN?}"
+      AUTHELIA_NOTIFIER_SMTP_SENDER: authelia@${NASCOMPOSE_DOMAIN?}
      X_AUTHELIA_CONFIG_FILTERS: template
      TEMPLATE_NASCOMPOSE_DOMAIN: ${NASCOMPOSE_DOMAIN?}
    networks:
@@ -34,7 +37,10 @@ services:
    restart: unless-stopped
    labels:
      traefik.enable: true
-
+  authelia-redis:
+    hostname: authelia-redis
+    image: redis
+    restart: unless-stopped
  lldap:
    image: lldap/lldap
    environment:
@@ -52,8 +58,8 @@ services:
      - ${NASCOMPOSE_SERVICES?}/authentication/secrets/lldap_key_seed:/run/secrets/key_seed:ro
    labels:
      traefik.enable: true
+      traefik.http.routers.lldap.middlewares: authelia@file
      traefik.http.services.lldap.loadbalancer.server.port: 17170
-
 networks:
  reverse-proxy:
    external: true
--- a/bootstrap/docker-compose.yml
+++ b/bootstrap/docker-compose.yml
@@ -1,11 +1,10 @@
-name: bootstrap
-
+version: "3.8"
 services:
  portainer:
    hostname: portainer
-    image: portainer/portainer-ce
-    command: >
-      --admin-password-file /run/secrets/portainer_password
+    image: portainer/portainer-ee
+    command:
+      - --admin-password-file=/run/secrets/portainer_password
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/packages/ContainerManager/var/docker/volumes/:/var/lib/docker/volumes/
--- a/docker-monitoring/docker-compose.yml
+++ b/docker-monitoring/docker-compose.yml
@@ -1,5 +1,4 @@
 name: docker-monitoring
-
 services:
  watchtower:
    hostname: watchtower
@@ -12,7 +11,6 @@ services:
      WATCHTOWER_NOTIFICATION_URL: /run/secrets/notification_url
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
-      # Secrets
      - ${NASCOMPOSE_SERVICES?}/docker-monitoring/secrets/notification_url:/run/secrets/notification_url:ro
    restart: unless-stopped
  dockge:
@@ -20,15 +18,16 @@ services:
    image: louislam/dockge
    networks:
      - reverse-proxy
+    environment:
+      DOCKGE_STACKS_DIR: ${NASCOMPOSE_SERVICES?}/
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
-      - ${NASCOMPOSE_SERVICES?}/docker-monitoring/volumes/dockge_stacks/:/opt/stacks/
+      - ${NASCOMPOSE_SERVICES?}/:${NASCOMPOSE_SERVICES?}/
      - ${NASCOMPOSE_SERVICES?}/docker-monitoring/volumes/dockge_data/:/app/data/
    restart: unless-stopped
    labels:
      traefik.enable: true
      traefik.http.routers.dockge.middlewares: authelia@file
-
 networks:
  reverse-proxy:
    external: true
--- a/git/docker-compose.yml
+++ b/git/docker-compose.yml
@@ -0,0 +1,22 @@
+version: "3.8"
+services:
+  gitea:
+    container_name: gitea
+    image: gitea/gitea:latest-rootless
+    user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
+    volumes:
+      - ${NASCOMPOSE_DATA?}/git:/var/lib/gitea/git/lfs
+      - ${NASCOMPOSE_SERVICES?}/git/volumes/gitea_data:/var/lib/gitea
+      - ${NASCOMPOSE_SERVICES?}/git/volumes/gitea_config:/etc/gitea
+    networks:
+      - reverse-proxy
+    restart: unless-stopped
+    labels:
+      traefik.enable: true
+      traefik.http.services.gitea.loadbalancer.server.port: 3000
+      traefik.tcp.routers.gitea.entryPoints: ssh
+      traefik.tcp.routers.gitea.rule: HostSNI(`*`)
+      traefik.tcp.services.gitea.loadbalancer.server.port: 2222
+networks:
+  reverse-proxy:
+    external: true
--- a/monitoring/compose.yml
+++ b/monitoring/compose.yml
@@ -0,0 +1,68 @@
+version: "3.8"
+services:
+  loki:
+    image: grafana/loki
+    command: -config.file=/etc/loki/local-config.yaml
+    networks:
+      default: null
+      macvlan:
+        ipv4_address: ${NASCOMPOSE_MACVLAN_LOKI_IP?}
+    restart: unless-stopped
+  promtail:
+    image: grafana/promtail
+    volumes:
+      - /var/log:/var/log
+      - ${NASCOMPOSE_SERVICES?}/monitoring/config/promtail_config.yaml:/etc/promtail/config.yaml
+      - ${NASCOMPOSE_SERVICES?}/monitoring/volumes/promtail_logs/:/data/logs/
+    command: -config.file=/etc/promtail/config.yaml
+    restart: unless-stopped
+  grafana:
+    image: grafana/grafana-oss
+    user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
+    volumes:
+      - ${NASCOMPOSE_SERVICES?}/monitoring/volumes/grafana_data/:/var/lib/grafana
+      - ${NASCOMPOSE_SERVICES?}/monitoring/config/grafana.ini:/etc/grafana/grafana.ini:ro
+    networks:
+      - reverse-proxy
+      - default
+    restart: unless-stopped
+    labels:
+      traefik.enable: true
+  cadvisor:
+    image: gcr.io/cadvisor/cadvisor
+    hostname: cadvisor
+    command:
+      - --enable_metrics=app,cpu,memory,network,oom_event,percpu
+      - --store_container_labels=false
+      - --docker_only=true
+      - --whitelisted_container_labels=com.docker.compose.project,com.docker.compose.service
+    volumes:
+      - /:/rootfs:ro
+      - /var/run:/var/run:ro
+      - /sys:/sys:ro
+      - /var/packages/ContainerManager/var/docker/:/var/lib/docker:ro
+    networks:
+      - reverse-proxy
+      - default
+    restart: unless-stopped
+    labels:
+      traefik.enable: true
+      traefik.http.routers.cadvisor.middlewares: authelia@file
+  prometheus:
+    image: prom/prometheus
+    user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
+    volumes:
+      - ${NASCOMPOSE_SERVICES?}/monitoring/config/prometheus_config/prometheus.yml:/etc/prometheus/prometheus.yml
+      - ${NASCOMPOSE_SERVICES?}/monitoring/volumes/prometheus_data/:/prometheus/
+    restart: unless-stopped
+    networks:
+      - reverse-proxy
+      - default
+    labels:
+      traefik.enable: true
+      traefik.http.routers.prometheus.middlewares: authelia@file
+networks:
+  reverse-proxy:
+    external: true
+  macvlan:
+    external: true
--- a/monitoring/config/promtail_config.yaml
+++ b/monitoring/config/promtail_config.yaml
@@ -0,0 +1,25 @@
+server:
+  http_listen_port: 9080
+  grpc_listen_port: 0
+
+positions:
+  filename: /data/logs/positions.yaml
+
+clients:
+  - url: http://loki:3100/loki/api/v1/push
+
+scrape_configs:
+- job_name: system
+  static_configs:
+  - targets:
+      - localhost
+    labels:
+      job: varlogs
+      __path__: /var/log/*.log
+- job_name: traefik
+  static_configs:
+  - targets:
+      - traefik
+    labels:
+      job: traefik
+      __path__: /data/logs/traefik/*.log
--- a/photo-collector/docker-compose.yml
+++ b/photo-collector/docker-compose.yml
@@ -1,5 +1,4 @@
-name: photo-collector
-
+version: "3.8"
 services:
  immich:
    hostname: immich
@@ -44,13 +43,13 @@ services:
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: postgres
      POSTGRES_DB: immich
-      POSTGRES_INITDB_ARGS: '--data-checksums'
+      POSTGRES_INITDB_ARGS: --data-checksums
    volumes:
      - ${NASCOMPOSE_SERVICES?}/photo-collector/volumes/immich_postgres_data/:/var/lib/postgresql/data/
    healthcheck:
      test: pg_isready --dbname='immich' --username='postgres' || exit 1; Chksum="$$(psql --dbname='immich' --username='postgres' --tuples-only --no-align --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM pg_stat_database')"; echo "checksum failure count is $$Chksum"; [ "$$Chksum" = '0' ] || exit 1
      interval: 5m
-      #start_interval: 30s
+      start_interval: 30s
      start_period: 5m
    command: ["postgres", "-c" ,"shared_preload_libraries=vectors.so", "-c", 'search_path="$$user", public, vectors', "-c", "logging_collector=on", "-c", "max_wal_size=2GB", "-c", "shared_buffers=512MB", "-c", "wal_compression=on"]
    restart: unless-stopped
--- a/reverse-proxy/configs/dynamic/authelia.yml
+++ b/reverse-proxy/configs/dynamic/authelia.yml
@@ -2,18 +2,11 @@ http:
  middlewares:
    authelia:
      forwardAuth:
-        address: 'http://authelia:9091/api/verify?rd=https%3A%2F%2Fauthelia.{{ env `NASCOMPOSE_DOMAIN` }}%2F'
-        trustForwardHeader: true
-        authResponseHeaders:
-          - Remote-User
-          - Remote-Groups
-          - Remote-Name
-          - Remote-Email
-    authelia-basic:
-      forwardAuth:
-        address: http://authelia:9091/api/verify?auth=basic
+        address: http://authelia:9091/api/authz/forward-auth
        trustForwardHeader: true
        authResponseHeaders:
+          - Authorization
+          - Proxy-Authorization
          - Remote-User
          - Remote-Groups
          - Remote-Name
--- a/reverse-proxy/configs/dynamic/compress.yml
+++ b/reverse-proxy/configs/dynamic/compress.yml
@@ -0,0 +1,39 @@
+http:
+  middlewares:
+    compress:
+      compress:
+        includedContentTypes:
+          - application/atom+xml
+          - application/geo+json
+          - application/javascript
+          - application/x-javascript
+          - application/json
+          - application/ld+json
+          - application/manifest+json
+          - application/rdf+xml
+          - application/rss+xml
+          - application/vnd.ms-fontobject
+          - application/wasm
+          - application/x-web-app-manifest+json
+          - application/xhtml+xml
+          - application/xml
+          - font/eot
+          - font/otf
+          - font/ttf
+          - image/bmp
+          - image/svg+xml
+          - image/vnd.microsoft.icon
+          - image/x-icon
+          - text/cache-manifest
+          - text/calendar
+          - text/css
+          - text/html
+          - text/javascript
+          - text/markdown
+          - text/plain
+          - text/xml
+          - text/vcard
+          - text/vnd.rim.location.xloc
+          - text/vtt
+          - text/x-component
+          - text/x-cross-domain-policy
--- a/reverse-proxy/configs/dynamic/hsts.yml
+++ b/reverse-proxy/configs/dynamic/hsts.yml
@@ -2,7 +2,7 @@ http:
  middlewares:
    hsts:
      headers:
-        frameDeny: true
+        customFrameOptionsValue: SAMEORIGIN
        browserXssFilter: true
        stsSeconds: 31536000 # 1 year
        stsPreload: true
--- a/reverse-proxy/configs/dynamic/qbittorrent-api.yml
+++ b/reverse-proxy/configs/dynamic/qbittorrent-api.yml
@@ -1,7 +0,0 @@
-http:
-  routers:
-    qbittorrent-api:
-      rule: 'Host(`qbittorrent-api.{{ env `NASCOMPOSE_DOMAIN` }}`)'
-      service: qbittorrent@docker
-      middlewares:
-        - authelia-basic@file
--- a/reverse-proxy/configs/dynamic/traefik.yml
+++ b/reverse-proxy/configs/dynamic/traefik.yml
@@ -1,8 +0,0 @@
-http:
-  #TODO: Convert to inline configuration for traefik
-  # Allows internal services to use `http://traefik/` to use the traefik interface.
-  # Useful for tools like Heimdall which use the traefik API.
-  routers:
-    traefik-internal:
-      rule: Host(`traefik`)
-      service: api@internal
--- a/reverse-proxy/configs/traefik.yml
+++ b/reverse-proxy/configs/traefik.yml
@@ -9,33 +9,60 @@ providers:
 serverstransport:
  insecureskipverify: true

-api: {}
-accessLog: {}
+api:
+  dashboard: true
+  insecure: true
+accessLog:
+  filePath: /var/log/traefik/access.log
+  format: json
+  fields:
+    defaultMode: keep
+    names:
+      StartLocal: drop
+      ClientAddr: drop
+    headers:
+      defaultMode: drop
+      names:
+        Remote-User: keep
+metrics:
+  prometheus:
+    addRoutersLabels: true
+    entryPoint: metrics

 certificatesResolvers:
  defaultResolver:
    acme:
      storage: /etc/traefik/acme/acme.json
-      dnsChallenge:
-        provider: cloudflare
+      tlsChallenge: {}

 entryPoints:
  web:
-    address: :80
+    address: :8080
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
+          permanent: true
  websecure:  
-    address: :443
+    address: :8443
+    asDefault: true
    http:
      tls:
        certResolver: defaultResolver
      middlewares:
        - hsts@file
+        - compress@file
+    http3:
+      advertisedPort: 443
  ssh:
-    address: :22
+    address: :8022
+  ssh-tarpit:
+    address: :8222
+  metrics:
+    address: :9982
+  traefik:
+    address: :8081

 global:
  sendAnonymousUsage: false
--- a/tv-collector/docker-compose.yml
+++ b/tv-collector/docker-compose.yml
@@ -1,5 +1,4 @@
 name: tv-collector
-
 services:
  sonarr:
    hostname: sonarr
@@ -19,11 +18,9 @@ services:
    labels:
      traefik.enable: true
      traefik.http.routers.sonarr.middlewares: authelia@file
-
 networks:
  tv-collector:
    name: tv-collector
-
  reverse-proxy:
    external: true
  torrents: