diff --git a/.gitignore b/.gitignore
index fd89bd6..047870a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,11 @@
-mkdocs/site
+fleetdm/fleet/logs
+fleetdm/fleet/vulndb
+fleetdm/mysql/data
+ghost/mysql/*
+mattermost/volumes
+paperless/consume
+paperless/export
+pihole/etc-pihole
traefik/log/*.log
traefik/log/*.gz
traefik/tls/*.json
diff --git a/README.md b/README.md
index 6a2f60f..0752d7a 100644
--- a/README.md
+++ b/README.md
@@ -2,11 +2,15 @@ Services
-- traefik as front end proxy, tls, and http3
-- traefik dashboard behind mtls
-- squidfunk/mkdocs-material to build static html
-- nginx to host static html
-- jellyfin for streaming service
+- traefik for front end proxy, tls, and http3
+- docs
+ - squidfunk/mkdocs-material to build static html
+ - nginx to host static html
+- paperless for document management
+- chat (mattermost)
+- paste (rustypaste)
+- pihole
+- fleet device management
## Setup
@@ -31,33 +35,3 @@ expects `../rskio/mkdocs` to exist
``` bash
git clone https://github.com/rskntroot/rskio.git
```
-
-### Jellyfin
-
-expects `/mnt/jellyfin` and `/mnt/media` to exist
-
-#### setup creds
-
-``` bash
-sudo mkdir -p /etc/smb/creds
-sudo vi /etc/smb/creds/share
-sudo chmod 600 /etc/smb/creds/share
-```
-
-create creds files in the format
-
-```
-username=
-password=
-```
-
-#### edit fstab
-
-``` zsh
-vi /etc/fstab
-```
-
-``` fstab
-//192.168.1.179/Media /mnt/media cifs credentials=/etc/smb/creds/media,iocharset=utf8,vers=3.0,uid=1000,gid=1000,file_mode=0660,dir_mode=0770 0 0
-//192.168.1.179/Jellyfin /mnt/jellyfin cifs credentials=/etc/smb/creds/jellyfin,iocharset=utf8,vers=3.0,uid=1000,gid=1000,file_mode=0660,dir_mode=0770 0 0
-```
diff --git a/compose.yml b/compose.yml
deleted file mode 100644
index d49f863..0000000
--- a/compose.yml
+++ /dev/null
@@ -1,65 +0,0 @@ -services: - mkdocs: - image: squidfunk/mkdocs-material - command: - - build - volumes: - - ./mkdocs:/docs - - traefik: - image: traefik:latest - command: - - --configFile=/etc/traefik/traefik.yml - ports: - - 80:80/tcp - - 443:443/tcp - - 443:443/udp - - 8080:8080/tcp - volumes: - - /var/run/docker.sock:/var/run/docker.sock:ro - - /var/log/traefik:/var/log/traefik - - ./traefik/etc:/etc/traefik:ro - - ./traefik/tls:/letsencrypt - - nginx: - image: nginx:latest - restart: unless-stopped - labels: - - traefik.enable=true - - traefik.http.routers.rskio.entrypoints=websecure - - traefik.http.routers.rskio.rule=Host(`docs.rskio.com`) - - traefik.http.routers.rskio.tls=true - - traefik.http.routers.rskio.tls.options=docs@file - - traefik.http.routers.rskio.tls.certresolver=rskio_certresolver - - traefik.http.routers.rskio.service=rskio@docker - - traefik.http.services.rskio.loadbalancer.server.port=80 - - traefik.http.routers.rskio.middlewares=secureHeaders@file - volumes: - - ./mkdocs/site:/opt/share/mkdocs/html:ro - - ./nginx/etc/conf.d:/etc/nginx/conf.d:ro - depends_on: - mkdocs: - condition: service_completed_successfully - - stream: - image: jellyfin/jellyfin - labels: - - traefik.enable=true - - traefik.http.routers.stream.entrypoints=websecure - - traefik.http.routers.stream.rule=Host(`stream.rskio.com`) - - traefik.http.routers.stream.tls=true - - traefik.http.routers.stream.tls.certresolver=rskio_certresolver - - traefik.http.routers.stream.service=stream@docker - - traefik.http.services.stream.loadbalancer.server.port=8096 - tty: true - restart: unless-stopped - devices: - - /dev/dri:/dev/dri - volumes: - - ./jellyfin/config:/config - - ./jellyfin/cache:/cache - - /mnt/media:/data - ports: - - 8096:8096 - environment: - - TZ=US/Mountain diff --git a/docs/compose.yml b/docs/compose.yml new file mode 100644 index 0000000..6d42083 --- /dev/null +++ b/docs/compose.yml 
@@ -0,0 +1,33 @@
+services:
+ mkdocs:
+ image: squidfunk/mkdocs-material
+ command:
+ - build
+ volumes:
+ - ./mkdocs:/docs
+
+ docs:
+ image: nginx:latest
+ restart: unless-stopped
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.docs.entrypoints=websecure
+ - traefik.http.routers.docs.rule=Host(`docs.rskio.com`)
+ - traefik.http.routers.docs.tls=true
+ - traefik.http.routers.docs.tls.options=external@file
+ - traefik.http.routers.docs.tls.certresolver=rskio_certresolver
+ - traefik.http.routers.docs.middlewares=secureHeaders@file
+ - traefik.http.routers.docs.service=docs@docker
+ - traefik.http.services.docs.loadbalancer.server.port=80
+ volumes:
+ - ./mkdocs/site:/opt/share/mkdocs/html:ro
+ - ./nginx/etc/conf.d:/etc/nginx/conf.d:ro
+ depends_on:
+ mkdocs:
+ condition: service_completed_successfully
+ networks:
+ - traefik
+
+networks:
+ traefik:
+ external: true
diff --git a/docs/mkdocs b/docs/mkdocs
new file mode 120000
index 0000000..24a25ef
--- /dev/null
+++ b/docs/mkdocs
@@ -0,0 +1 @@
+/home/lost/workspace/rskio/mkdocs
\ No newline at end of file
diff --git a/nginx/etc/conf.d/default.conf b/docs/nginx/etc/conf.d/default.conf
similarity index 100%
rename from nginx/etc/conf.d/default.conf
rename to docs/nginx/etc/conf.d/default.conf
diff --git a/fleetdm/compose.yml b/fleetdm/compose.yml
new file mode 100644
index 0000000..d7f1446
--- /dev/null
+++ b/fleetdm/compose.yml
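Review bot: Both images in this file float on mutable tags (`image: squidfunk/mkdocs-material` has no tag at all, `image: nginx:latest`), so any `docker compose pull` can silently change what serves docs.rskio.com, whereas the other compose files in this commit pin at least a major version (`mysql:8.0.35`, `postgres:17`). Pinning a version tag or digest, e.g. `image: nginx:<pinned-tag-or-digest>` (placeholder), makes the deployment reproducible and turns a pull into a deliberate upgrade. Note also that the `./mkdocs:/docs` bind mount resolves through the new `docs/mkdocs` symlink, which targets the absolute path `/home/lost/workspace/rskio/mkdocs`, while the README still says it expects `../rskio/mkdocs`; a relative symlink would keep the two consistent on another host.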
@@ -0,0 +1,56 @@
+services:
+ db:
+ image: mysql
+ restart: unless-stopped
+ platform: linux/x86_64
+ volumes:
+ - ./mysql/data:/var/lib/mysql
+ env_file: mysql/default.env
+ cap_add:
+ - SYS_NICE
+ # ports:
+ # - 3306:3306
+ networks:
+ - default
+
+ broker:
+ image: redis
+ restart: unless-stopped
+ # ports:
+ # - 6379:6379
+ networks:
+ - default
+
+ service:
+ image: fleetdm/fleet
+ restart: unless-stopped
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.fleet.entrypoints=websecure
+ - traefik.http.routers.fleet.rule=Host(`fleet.rskio.com`)
+ - traefik.http.routers.fleet.middlewares=secureHeaders@file
+ - traefik.http.routers.fleet.tls=true
+ - traefik.http.routers.fleet.tls.options=external@file
+ - traefik.http.routers.fleet.service=fleet@docker
+ - traefik.http.services.fleet.loadbalancer.server.port=8412
+ - traefik.http.routers.fleet.tls.certresolver=rskio_certresolver
+ depends_on:
+ - db
+ - broker
+ platform: linux/x86_64
+ command: sh -c "/usr/bin/fleet prepare db --no-prompt && /usr/bin/fleet serve"
+ env_file: fleet/default.env
+ ports:
+ - 8412:8412
+ volumes:
+ - ./fleet:/fleet/
+ - ./fleet/logs:/logs
+ - ./fleet/vulndb:/vulndb
+ networks:
+ - default
+ - traefik
+
+networks:
+ default: {}
+ traefik:
+ external: true
diff --git a/fleetdm/fleet/default.env b/fleetdm/fleet/default.env
new file mode 100644
index 0000000..0ba92bd
--- /dev/null
+++ b/fleetdm/fleet/default.env
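Review bot: The `service` container is unlikely to reach its backends as configured: `fleet/default.env` (the next hunk) sets `FLEET_MYSQL_ADDRESS="mysql:3306"` and `FLEET_REDIS_ADDRESS="redis:6379"`, but the compose services are named `db` and `broker` and neither declares a `hostname` or network alias, so `mysql` and `redis` will not resolve on the `default` network; either rename the services or change the addresses to `db:3306` and `broker:6379`. Separately, `ports: - 8412:8412` publishes Fleet on every host interface in plaintext (the env file sets `FLEET_SERVER_TLS=false` because traefik terminates TLS), bypassing both TLS and the `secureHeaders@file` middleware on the traefik path; drop the `ports` block or bind it to loopback with `- 127.0.0.1:8412:8412`. `depends_on: - db` is also the short form, so `fleet prepare db` can run before MySQL accepts connections; a `healthcheck` on `db` plus `condition: service_healthy`, as `ghost/compose.yml` does for its mysql, would remove that race.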
@@ -0,0 +1,38 @@
+# Mysql
+
+FLEET_MYSQL_ADDRESS="mysql:3306"
+FLEET_MYSQL_DATABASE="fleet"
+FLEET_MYSQL_USERNAME="fleet"
+FLEET_MYSQL_PASSWORD="fleet-mysql-pswd"
+
+# Redis
+
+FLEET_REDIS_ADDRESS="redis:6379"
+FLEET_SERVER_ADDRESS="0.0.0.0:8412"
+
+# TLS
+
+FLEET_SERVER_TLS=false #TLS is handled by traefik
+#FLEET_SERVER_CERT="fleet/tmp/server.cert"
+#FLEET_SERVER_KEY="fleet/tmp/server.key"
+
+# Logging
+
+FLEET_LOGGING_JSON="true"
+FLEET_OSQUERY_STATUS_LOG_PLUGIN="filesystem"
+FLEET_FILESYSTEM_STATUS_LOG_FILE="/logs/osqueryd.status.log"
+FLEET_OSQUERY_RESULT_LOG_PLUGIN="filesystem"
+FLEET_FILESYSTEM_RESULT_LOG_FILE="/logs/osqueryd.results.log"
+
+# If you have fleet premium, enter key and uncomment
+
+# FLEET_LICENSE_KEY=
+
+
+FLEET_OSQUERY_LABEL_UPDATE_INTERVAL="1m"
+
+# Vulnerabilities
+
+FLEET_VULNERABILITIES_CURRENT_INSTANCE_CHECKS="yes"
+FLEET_VULNERABILITIES_DATABASES_PATH="/vulndb"
+FLEET_VULNERABILITIES_PERIODICITY="5m"
diff --git a/fleetdm/mysql/default.env b/fleetdm/mysql/default.env
new file mode 100644
index 0000000..1e83d2c
--- /dev/null
+++ b/fleetdm/mysql/default.env
@@ -0,0 +1,4 @@
+MYSQL_ROOT_PASSWORD="toor"
+MYSQL_DATABASE="fleet"
+MYSQL_USER="fleet"
+MYSQL_PASSWORD="fleet-mysql-pswd"
diff --git a/ghost/compose.yml b/ghost/compose.yml
new file mode 100644
index 0000000..b780271
--- /dev/null
+++ b/ghost/compose.yml
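Review bot: `FLEET_MYSQL_PASSWORD="fleet-mysql-pswd"` is a live credential committed in clear text, and the same pattern repeats through this commit: `MYSQL_ROOT_PASSWORD="toor"` in `fleetdm/mysql/default.env`, the `root`/`ghost` passwords in `ghost/compose.yml`, `POSTGRES_PASSWORD` in `mattermost/.env`, `PAPERLESS_SECRET_KEY` in `paperless/compose.env`, `POSTGRES_PASSWORD: paperless` in `paperless/compose.yml` and `PIHOLE_SECRET` in `pihole/.env`. The `.gitignore` hunk adds the data directories but none of these env files, so they stay tracked. The usual fix is to ignore the real files, commit `*.env.example` counterparts with placeholder values, and treat every value already pushed as burned, since history keeps it, and rotate it. One more thing in this file: `FLEET_SERVER_TLS=false #TLS is handled by traefik` relies on the env-file parser stripping a trailing `#` comment, which Compose v2's dotenv parser does but the legacy `docker-compose` v1 did not; putting the comment on its own line removes the ambiguity.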
@@ -0,0 +1,85 @@
+services:
+ service:
+ image: ghost:5-alpine
+ ports:
+ - 2368:2368 # Ghost
+ environment:
+ database__client: mysql
+ database__connection__host: ghost-mysql-1
+ database__connection__user: ghost
+ database__connection__password: ghost
+ database__connection__database: ghost
+ url: https://blog.rskio.com
+ depends_on:
+ mysql:
+ condition: service_healthy
+ redis:
+ condition: service_healthy
+ mysql:
+ image: mysql:8.0.35
+ command: --innodb-buffer-pool-size=1G --innodb-log-buffer-size=500M --innodb-change-buffer-max-size=50 --innodb-flush-log-at-trx_commit=0 --innodb-flush-method=O_DIRECT
+ ports:
+ - 3306:3306
+ environment:
+ MYSQL_ROOT_PASSWORD: root
+ MYSQL_DATABASE: ghost
+ MYSQL_USER: ghost
+ MYSQL_PASSWORD: ghost
+ restart: always
+ volumes:
+ - ./mysql:/var/lib/mysql
+ healthcheck:
+ test: mysql -uroot -proot ghost -e 'select 1'
+ interval: 5s
+ retries: 120
+ redis:
+ image: redis:7.0
+ restart: always
+ ports:
+ - 6379:6379
+ healthcheck:
+ test:
+ - CMD
+ - redis-cli
+ - --raw
+ - incr
+ - ping
+ interval: 1s
+ retries: 120
+# prometheus:
+# profiles: [monitoring]
+# image: prom/prometheus:v2.30.3
+# container_name: ghost-prometheus
+# ports:
+# - 9090:9090
+# restart: always
+# volumes:
+# - ./.docker/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml
+# grafana:
+# profiles: [monitoring]
+# image: grafana/grafana:8.3.0
+# container_name: ghost-grafana
+# ports:
+# - 3000:3000
+# restart: always
+# environment:
+# - GF_AUTH_ANONYMOUS_ENABLED=true
+# - GF_AUTH_ANONYMOUS_ORG_ROLE=Admin
+# volumes:
+# - ./.docker/grafana/datasources:/etc/grafana/provisioning/datasources
+# - ./.docker/grafana/dashboard.yml:/etc/grafana/provisioning/dashboards/main.yaml
+# - ./.docker/grafana/dashboards:/var/lib/grafana/dashboards
+# pushgateway:
+# profiles: [monitoring]
+# image: prom/pushgateway:v1.6.0
+# container_name: ghost-pushgateway
+# ports:
+# - 9091:9091
+# mailhog:
+# image: mailhog/mailhog:latest
+# container_name: ghost-mailhog
+# profiles: [ghost]
+# ports:
+# - "1025:1025" # SMTP server
+# - "8025:8025" # Web interface
+# restart: always
diff --git a/jellyfin b/jellyfin
deleted file mode 120000
index 1f76c12..0000000
--- a/jellyfin
+++ /dev/null
@@ -1 +0,0 @@
-/mnt/jellyfin
\ No newline at end of file
diff --git a/mattermost/.env b/mattermost/.env
new file mode 100644
index 0000000..f6cea5e
--- /dev/null
+++ b/mattermost/.env
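Review bot: `ports: - 3306:3306` and `- 6379:6379` publish the MySQL server (root password `root`) and an unauthenticated Redis on every host interface, although their only consumer is the `service` container, which reaches them over the compose default network; both `ports` blocks should go, or at minimum be bound to `127.0.0.1:`. `database__connection__host: ghost-mysql-1` also hard-codes a container name that only exists while the compose project is called `ghost`; the service name `mysql` resolves on the same network regardless of project name. Unlike every other compose file in this commit, this service carries no traefik labels and no `traefik` network, only `ports: - 2368:2368`, so `url: https://blog.rskio.com` is not actually fronted by traefik yet — presumably work in progress, but worth a comment saying so. `test: mysql -uroot -proot ghost -e 'select 1'` additionally puts the root password on a command line visible via `docker inspect`; the official image's `mysqladmin ping -h localhost` probe needs no credentials for a liveness check.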
@@ -0,0 +1,88 @@
+# Domain of service
+DOMAIN=chat.rskio.com
+
+# Container settings
+## Timezone inside the containers. The value needs to be in the form 'Europe/Berlin'.
+## A list of these tz database names can be looked up at Wikipedia
+## https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
+TZ=US/Mountain
+RESTART_POLICY=unless-stopped
+
+# Postgres settings
+## Documentation for this image and available settings can be found on hub.docker.com
+## https://hub.docker.com/_/postgres
+## Please keep in mind this will create a superuser and it's recommended to use a less privileged
+## user to connect to the database.
+## A guide on how to change the database user to a nonsuperuser can be found in docs/creation-of-nonsuperuser.md
+POSTGRES_IMAGE_TAG=13-alpine
+POSTGRES_DATA_PATH=./volumes/db/var/lib/postgresql/data
+
+POSTGRES_USER=mattermost
+POSTGRES_PASSWORD=kixvep-sasWaq-gocwy3
+POSTGRES_DB=mattermost
+
+# Nginx
+## The nginx container will use a configuration found at the NGINX_MATTERMOST_CONFIG. The config aims
+## to be secure and uses a catch-all server vhost which will work out-of-the-box. For additional settings
+## or changes ones can edit it or provide another config. Important note: inside the container, nginx sources
+## every config file inside */etc/nginx/conf.d* ending with a *.conf* file extension.
+
+## Inside the container the uid and gid is 101. The folder owner can be set with
+## `sudo chown -R 101:101 ./nginx` if needed.
+## Note that this repository requires nginx version 1.25.1 or later
+NGINX_IMAGE_TAG=alpine
+
+## The folder containing server blocks and any additional config to nginx.conf
+#NGINX_CONFIG_PATH=./nginx/conf.d
+#NGINX_DHPARAMS_FILE=./nginx/dhparams4096.pem
+
+#CERT_PATH=./volumes/web/cert/cert.pem
+#KEY_PATH=./volumes/web/cert/key-no-password.pem
+#GITLAB_PKI_CHAIN_PATH=/pki_chain.pem
+#CERT_PATH=./certs/etc/letsencrypt/live/${DOMAIN}/fullchain.pem
+#KEY_PATH=./certs/etc/letsencrypt/live/${DOMAIN}/privkey.pem
+
+## Exposed ports to the host. Inside the container 80, 443 and 8443 will be used
+#HTTPS_PORT=443
+#HTTP_PORT=80
+#CALLS_PORT=8443
+
+# Mattermost settings
+## Inside the container the uid and gid is 2000. The folder owner can be set with
+## `sudo chown -R 2000:2000 ./volumes/app/mattermost`.
+MATTERMOST_CONFIG_PATH=./volumes/app/mattermost/config
+MATTERMOST_DATA_PATH=./volumes/app/mattermost/data
+MATTERMOST_LOGS_PATH=./volumes/app/mattermost/logs
+MATTERMOST_PLUGINS_PATH=./volumes/app/mattermost/plugins
+MATTERMOST_CLIENT_PLUGINS_PATH=./volumes/app/mattermost/client/plugins
+M<br>ATTERMOST_BLEVE_INDEXES_PATH=./volumes/app/mattermost/bleve-indexes
+
+## Bleve index (inside the container)
+MM_BLEVESETTINGS_INDEXDIR=/mattermost/bleve-indexes
+
+## This will be 'mattermost-enterprise-edition' or 'mattermost-team-edition' based on the version of Mattermost you're installing.
+MATTERMOST_IMAGE=mattermost-enterprise-edition
+## Update the image tag if you want to upgrade your Mattermost version. You may also upgrade to the latest one. The example is based on the latest Mattermost ESR version.
+MATTERMOST_IMAGE_TAG=9.11.6
+
+## Make Mattermost container readonly. This interferes with the regeneration of root.html inside the container. Only use
+## it if you know what you're doing.
+## See https://github.com/mattermost/docker/issues/18
+MATTERMOST_CONTAINER_READONLY=false
+
+## The app port is only relevant for using Mattermost without the nginx container as reverse proxy. This is not meant
+## to be used with the internal HTTP server exposed but rather in case one wants to host several services on one host
+## or for using it behind another existing reverse proxy.
+APP_PORT=8065
+
+## Configuration settings for Mattermost. Documentation on the variables and the settings itself can be found at
+## https://docs.mattermost.com/administration/config-settings.html
+## Keep in mind that variables set here will take precedence over the same setting in config.json. This includes
+## the system console as well and settings set with env variables will be greyed out.
+
+## Below one can find necessary settings to spin up the Mattermost container
+MM_SQLSETTINGS_DRIVERNAME=postgres
+MM_SQLSETTINGS_DATASOURCE=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}?sslmode=disable&connect_timeout=10
+
+## Example settings (any additional setting added here also needs to be introduced in the docker-compose.yml)
+MM_SERVICESETTINGS_SITEURL=https://${DOMAIN}
diff --git a/mattermost/compose.yml b/mattermost/compose.yml
new file mode 100644
index 0000000..0fe7523
--- /dev/null
+++ b/mattermost/compose.yml
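Review bot: The whole `# Nginx` section (`NGINX_IMAGE_TAG=alpine`, the commented `CERT_PATH`/`KEY_PATH`/`*_PORT` entries and the text about a catch-all vhost) describes an nginx container that `mattermost/compose.yml` in this commit does not define, since traefik fronts the service; a reader following these comments will look for configuration that does not exist, so the section should be removed or reduced to one line such as `# TLS and routing are handled by traefik; see the labels in compose.yml`. `MM_SQLSETTINGS_DATASOURCE` uses `sslmode=disable`, which is defensible only because `postgres` is attached to the compose `default` network alone; that reasoning belongs in a comment next to the line. The file's own comment says `POSTGRES_USER` is a superuser and recommends a less privileged role, yet the deployment keeps the superuser for the application connection — either follow the advice or state why not.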
@@ -0,0 +1,62 @@
+services:
+ postgres:
+ image: postgres:${POSTGRES_IMAGE_TAG}
+ restart: ${RESTART_POLICY}
+ #security_opt:
+ # - no-new-privileges:true
+ #pids_limit: 100
+ #read_only: true
+ tmpfs:
+ - /tmp
+ - /var/run/postgresql
+ volumes:
+ - ${POSTGRES_DATA_PATH}:/var/lib/postgresql/data
+ environment:
+ - TZ
+ - POSTGRES_USER
+ - POSTGRES_PASSWORD
+ - POSTGRES_DB
+ networks:
+ - default
+
+ service:
+ depends_on:
+ - postgres
+ image: mattermost/${MATTERMOST_IMAGE}:${MATTERMOST_IMAGE_TAG}
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.mattermost.entrypoints=websecure
+ - traefik.http.routers.mattermost.rule=Host(`chat.rskio.com`)
+ - traefik.http.routers.mattermost.tls=true
+ - traefik.http.routers.mattermost.tls.options=external@file
+ - traefik.http.routers.mattermost.tls.certresolver=rskio_certresolver
+ - traefik.http.routers.mattermost.service=mattermost@docker
+ - traefik.http.services.mattermost.loadbalancer.server.port=8065
+ - traefik.http.routers.mattermost.middlewares=secureHeaders@file
+ restart: ${RESTART_POLICY}
+ #security_opt:
+ # - no-new-privileges:true
+ #pids_limit: 200
+ #read_only: ${MATTERMOST_CONTAINER_READONLY}
+ tmpfs:
+ - /tmp
+ volumes:
+ - ${MATTERMOST_CONFIG_PATH}:/mattermost/config:rw
+ - ${MATTERMOST_DATA_PATH}:/mattermost/data:rw
+ - ${MATTERMOST_LOGS_PATH}:/mattermost/logs:rw
+ - ${MATTERMOST_PLUGINS_PATH}:/mattermost/plugins:rw
+ - ${MATTERMOST_CLIENT_PLUGINS_PATH}:/mattermost/client/plugins:rw
+ - ${MATTERMOST_BLEVE_INDEXES_PATH}:/mattermost/bleve-indexes:rw
+ environment:
+ - TZ
+ - MM_SQLSETTINGS_DRIVERNAME
+ - MM_SQLSETTINGS_DATASOURCE
+ - MM_BLEVESETTINGS_INDEXDIR
+ - MM_SERVICESETTINGS_SITEURL
+ networks:
+ - default
+ - traefik
+
+networks:
+ traefik:
+ external: true
diff --git a/mattermost/scripts/UPGRADE.md b/mattermost/scripts/UPGRADE.md
new file mode 100644
index 0000000..814a126
--- /dev/null
+++ b/mattermost/scripts/UPGRADE.md
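Review bot: The container hardening lines are present but commented out on both services (`#security_opt: # - no-new-privileges:true`, `#pids_limit: 100`/`200`, `#read_only: ...`), and nothing in this file says why; `no-new-privileges` and a `pids_limit` do not interact with traefik or the bind mounts and can be enabled as written, while `read_only` is the one with a documented caveat (`MATTERMOST_CONTAINER_READONLY` in `.env`) and can stay off if that is the concern. If they were disabled because one of them broke something, a comment naming which one would keep the next person from re-enabling it blindly. `depends_on: - postgres` is also the short form, so `service` can start before Postgres accepts connections; a `healthcheck` on `postgres` (e.g. `pg_isready`) with `condition: service_healthy` makes startup deterministic instead of relying on the application's retry behaviour.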
@@ -0,0 +1,35 @@
+# IMPORTANT: Please make sure you have enough disk space available for the backups!
+Because it is more complicated to check the available disk space for various disk formatting options provided by different linux distributions, the script does currently not check for if there is enough disk space.
+Please check manually before executing this script!
+
+## Upgrading Postgres
+
+```
+$ export PATH_TO_MATTERMOST_DOCKER=path/to/mattermost-docker
+$ ./scripts/upgrade-postgres.sh
+```
+
+Environment variables for upgrading:
+`ttf` means, the script 'tries to find' the environment variables.
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|:---------:|:--------:|
+| PATH_TO_MATTERMOST_DOCKER | absolute path to your mattermost-docker folder | `string` | n/a | yes |
+| POSTGRES_USER | postgres user to connect to the mattermost database | `string` | ttf | yes |
+| POSTGRES_PASSWORD | postgres password for the POSTGRES_USER to connect to the mattermost database | `string` | ttf | yes |
+| POSTGRES_DB | postgres database name for the mattermost database | `string` | ttf | yes |
+| POSTGRES_OLD_VERSION | postgres database old version which should be upgraded from | `semver` | ttf | yes |
+| POSTGRES_NEW_VERSION | postgres database new version which should be upgraded to | `semver` | 13 | yes |
+| POSTGRES_DOCKER_TAG | postgres docker tag found [here](https://hub.docker.com/_/postgres) including python3-dev | `string` | 13.2-alpine | yes |
+| POSTGRES_OLD_DOCKER_FROM | FROM declaration in the postgres Dockerfile to be replaced | `string` | ttf | yes |
+| POSTGRES_NEW_DOCKER_FROM | FROM declaration in the postgres Dockerfile replacing POSTGRES_OLD_DOCKER_FROM | `string` | ttf | yes |
+| POSTGRES_UPGRADE_LINE | folder name required to upgrade postgres (Needs to match a folder [here](https://github.com/tianon/docker-postgres-upgrade)) | `string` | ttf | yes |
+| MM_OLD_VERSION | mattermost old version which should be upgraded from | `semver` | ttf | yes |
+| MM_NEW_VERSION | mattermost new version which should be upgraded to | `semver` | 5.32.1 | yes |
+
+You can overwrite any of these variables before running this script with:
+```
+$ export VAR_NAME_FROM_ABOVE=yourValue
+$ export PATH_TO_MATTERMOST_DOCKER=path/to/mattermost-docker
+$ ./scripts/upgrade-postgres.sh
+```
diff --git a/mattermost/scripts/issue-certificate.sh b/mattermost/scripts/issue-certificate.sh
new file mode 100755
index 0000000..aa82e26
--- /dev/null
+++ b/mattermost/scripts/issue-certificate.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+usage() {
+ cat < <-o PATH>
+
+Options
+ -h Print this help
+ -o Output path (e.g. \${PWD}/certs)
+ -d Domain certificate is issued for (e.g. mm.example.com)
+
+EOF
+}
+
+issue_cert_standalone() {
+ docker run -it --rm --name certbot -p 80:80 \
+ -v "${1}/etc/letsencrypt:/etc/letsencrypt" \
+ -v "${1}/lib/letsencrypt:/var/lib/letsencrypt" \
+ certbot/certbot certonly --standalone -d "${2}"
+}
+
+authenticator_to_webroot() {
+ sed -i 's/standalone/webroot/' "${1}"/etc/letsencrypt/renewal/"${2}".conf
+ tee -a "${1}"/etc/letsencrypt/renewal/"${2}".conf >/dev/null <&2
+ exit 64
+ ;;
+ esac
+done
+
+shift $((OPTIND - 1))
+
+if [ -z "$domain" ]; then
+ echo "-d is required" >&2
+ usage >&2
+ exit 64
+fi
+
+if [ -z "$output" ]; then
+ echo "-o is required" >&2
+ usage >&2
+ exit 64
+fi
+
+if ! which docker 1>/dev/null; then
+ echo "Can't find Docker command" >&2
+ exit 64
+fi
+
+issue_cert_standalone "${output}" "${domain}"
+authenticator_to_webroot "${output}" "${domain}"
diff --git a/mattermost/scripts/upgrade-postgres.sh b/mattermost/scripts/upgrade-postgres.sh
new file mode 100755
index 0000000..b1ba55b
--- /dev/null
+++ b/mattermost/scripts/upgrade-postgres.sh
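Review bot: `issue_cert_standalone` runs certbot with `-p 80:80` on the host and `authenticator_to_webroot` rewrites the renewal config for an nginx webroot, but in this repository traefik owns port 80 and issues certificates itself (`tls.certresolver=rskio_certresolver` on every router), so the script either fails to bind or obtains a certificate nothing consumes. The same applies to `mattermost/scripts/upgrade-postgres.sh` and `UPGRADE.md`, which target the upstream mattermost-docker layout: they grep `docker-compose.yml` for `POSTGRES_*=` lines, edit `db/Dockerfile` and `app/Dockerfile`, and `docker exec mattermost-docker_db_1`, none of which exist next to `mattermost/compose.yml` and `.env`; since that script then `mv`s and `rm -rf`s the database volume after `docker-compose stop`, running it here would be destructive rather than a harmless no-op. If these are kept as reference material, a header comment such as `# Copied from upstream mattermost/docker; paths and container names do not match this repo, do not run as-is` and dropping the executable bit (both are added as mode `100755`) would make that explicit; otherwise they should be left out of the commit.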
@@ -0,0 +1,196 @@
+#!/usr/bin/env bash
+
+set -o errexit
+
+##
+## Instructions
+##
+# Dockerfile stolen from contributions in this issue: https://github.com/mattermost/mattermost-docker/issues/489#issuecomment-790277661
+
+# 1. Edit the variables below to match your environment. This uses default variables and assumes you're on 5.31.0.
+# If you're wanting to use another version of Postgres/Mattermost , update the variables as desired.
+
+# 2. run 'sudo bash upgrade-postgres.sh' replace upgrade.sh with what you've named the file.
+# This may take some time to complete as it's migrating the database to Postgres 13.6 from 9.4
+
+
+if [[ $PATH_TO_MATTERMOST_DOCKER == "" ]]; then
+ # shellcheck disable=SC2016
+ echo 'Please export environment variable PATH_TO_MATTERMOST_DOCKER with "$ export PATH_TO_MATTERMOST_DOCKER=/path/to/mattermost-docker", i.e. $PWD before running this script. '
+ exit 1
+fi
+
+##
+## Environment Variables
+##
+# Below are default values in the mattermost-docker container.
+# The script is trying to fetch those variables first. Should fetching fail, please export the variables before running the script.
+if [[ $POSTGRES_USER == "" ]]; then
+ echo "trying to fetch POSTGRES_USER from $PATH_TO_MATTERMOST_DOCKER/docker-compose.yml"
+ POSTGRES_USER=$(grep "^.*-.*POSTGRES_USER=.*$" "$PATH_TO_MATTERMOST_DOCKER"/docker-compose.yml | sed s~^.*-.*POSTGRES_USER=~~g)
+ if [[ $POSTGRES_USER == "" ]]; then
+ echo "could not find POSTGRES_USER set in $PATH_TO_MATTERMOST_DOCKER/docker-compose.yml"
+ echo "please run 'export POSTGRES_USER=yourPostgresUser' before running this script"
+ exit 1
+ fi
+ echo "found POSTGRES_USER=redacted"
+fi
+
+if [[ $POSTGRES_PASSWORD == "" ]]; then
+ echo "trying to fetch POSTGRES_PASSWORD from $PATH_TO_MATTERMOST_DOCKER/docker-compose.yml"
+ POSTGRES_PASSWORD=$(grep "^.*-.*POSTGRES_PASSWORD=.*$" "$PATH_TO_MATTERMOST_DOCKER"/docker-compose.yml | sed s~^.*-.*POSTGRES_PASSWORD=~~g)
+ if [[ $POSTGRES_PASSWORD == "" ]]; then
+ echo "could not find POSTGRES_PASSWORD set in $PATH_TO_MATTERMOST_DOCKER/docker-compose.yml"
+ echo "please run 'export POSTGRES_PASSWORD=yourPostgresPassword' before running this script"
+ exit 1
+ fi
+ echo "found POSTGRES_PASSWORD=redacted"
+fi
+
+if [[ $POSTGRES_DB == "" ]]; then
+ echo "trying to fetch POSTGRES_DB from $PATH_TO_MATTERMOST_DOCKER/docker-compose.yml"
+ POSTGRES_DB=$(grep "^.*-.*POSTGRES_DB=.*$" "$PATH_TO_MATTERMOST_DOCKER"/docker-compose.yml | sed s~^.*-.*POSTGRES_DB=~~g)
+ if [[ $POSTGRES_DB == "" ]]; then
+ echo "could not find POSTGRES_DB set in $PATH_TO_MATTERMOST_DOCKER/docker-compose.yml"
+ echo "please run 'export POSTGRES_DB=yourPostgresDatabase' before running this script"
+ exit 1
+ fi
+ echo "found POSTGRES_DB=$POSTGRES_DB"
+fi
+
+printf "\n"
+if [[ $POSTGRES_OLD_VERSION == "" ]]; then
+ echo "trying to fetch POSTGRES_OLD_VERSION by connecting to database container and echoing the environment variable PG_VERSION"
+ POSTGRES_OLD_VERSION=$(docker exec mattermost-docker_db_1 bash -c 'echo $PG_VERSION') # i.e. 9.4
+ if [[ $POSTGRES_OLD_VERSION == "" ]]; then
+ echo "could not connect to database container to get PG_VERSION"
+ echo "please run 'export POSTGRES_OLD_VERSION=i.e. 9.4' before running this script"
+ echo "check by i.e. running 'sudo cat $PATH_TO_MATTERMOST_DOCKER/volumes/db/var/lib/postgresql/data/PG_VERSION'"
+ exit 1
+ fi
+ echo "found POSTGRES_OLD_VERSION=$POSTGRES_OLD_VERSION"
+fi
+
+if [[ $POSTGRES_NEW_VERSION == "" ]]; then
+ echo "no exported POSTGRES_NEW_VERSION environment variable found"
+ echo "setting POSTGRES_NEW_VERSION environment variable to default 13"
+ POSTGRES_NEW_VERSION=13 # i.e. 13
+ echo "set POSTGRES_NEW_VERSION=$POSTGRES_NEW_VERSION"
+fi
+
+
+if [[ $POSTGRES_DOCKER_TAG == "" ]]; then
+ echo "no exported POSTGRES_DOCKER_TAG environment variable found"
+ echo "setting POSTGRES_DOCKER_TAG environment variable to default 13.2-alpine"
+ echo "tag needs to be an alpine release to include python3-dev found here - https://hub.docker.com/_/postgres"
+ POSTGRES_DOCKER_TAG=13.2-alpine # i.e. '13.2-alpine'
+ echo "set POSTGRES_DOCKER_TAG=$POSTGRES_DOCKER_TAG"
+fi
+
+if [[ $POSTGRES_OLD_DOCKER_FROM == "" ]]; then
+ echo "no exported POSTGRES_OLD_DOCKER_FROM environment variable found"
+ echo "setting POSTGRES_OLD_DOCKER_FROM to default '$(grep 'FROM postgres' "$PATH_TO_MATTERMOST_DOCKER"/db/Dockerfile)'"
+ POSTGRES_OLD_DOCKER_FROM=$(grep 'FROM postgres' "$PATH_TO_MATTERMOST_DOCKER/db/Dockerfile")
+ echo "set POSTGRES_OLD_DOCKER_FROM=$POSTGRES_OLD_DOCKER_FROM"
+fi
+
+if [[ $POSTGRES_NEW_DOCKER_FROM == "" ]]; then
+ echo "no exported POSTGRES_NEW_DOCKER_FROM environment variable found"
+ echo "setting POSTGRES_NEW_DOCKER_FROM to default 'FROM postgres:$POSTGRES_DOCKER_TAG'"
+ POSTGRES_NEW_DOCKER_FROM="FROM postgres:$POSTGRES_DOCKER_TAG"
+ echo "set POSTGRES_NEW_DOCKER_FROM=$POSTGRES_NEW_DOCKER_FROM"
+fi
+
+if [[ $POSTGRES_UPGRADE_LINE == "" ]]; then
+ echo "no exported POSTGRES_UPGRADE_LINE environment variable found"
+ echo "setting POSTGRES_UPGRADE_LINE to default $POSTGRES_OLD_VERSION-to-$POSTGRES_POSTGRES_NEW_VERSION"
+ echo "the POSTGRES_UPGRADE_LINE needs to match a folder found here - https://github.com/tianon/docker-postgres-upgrade"
+ echo "it should read 'old-to-new'"
+ POSTGRES_UPGRADE_LINE=$POSTGRES_OLD_VERSION-to-$POSTGRES_NEW_VERSION # i.e. '9.4-to-13'
+ echo "set POSTGRES_UPGRADE_LINE=$POSTGRES_UPGRADE_LINE"
+fi
+
+printf "\n"
+if [[ $MM_OLD_VERSION == "" ]]; then
+ echo "trying to fetch MM_OLD_VERSION from $PATH_TO_MATTERMOST_DOCKER/docker-compose.yml"
+ MM_OLD_VERSION=$(grep ".*-.*MM_VERSION=.*" "$PATH_TO_MATTERMOST_DOCKER"/docker-compose.yml | sed s~.*-.*MM_VERSION=~~g)
+ if [[ $MM_OLD_VERSION == "" ]]; then
+ echo "could not find MM_OLD_VERSION set in $PATH_TO_MATTERMOST_DOCKER/docker-compose.yml"
+ echo "please run 'export MM_OLD_VERSION=yourMMVersion' before running this script"
+ exit 1
+ fi
+ echo "found MM_OLD_VERSION=$MM_OLD_VERSION"
+fi
+
+if [[ $MM_NEW_VERSION == "" ]]; then
+ echo "no exported MM_NEW_VERSION environment variable found"
+ echo "setting MM_NEW_VERSION to default 5.32.1"
+ MM_NEW_VERSION=5.32.1
+ echo "found MM_NEW_VERSION=$MM_NEW_VERSION"
+fi
+
+printf "\n"
+echo "Path to mattermost-docker: $PATH_TO_MATTERMOST_DOCKER"
+echo "Postgres user: redacted"
+echo "Postgres password: redacted"
+echo "Postgres database name: $POSTGRES_DB"
+echo "Postgres old version: $POSTGRES_OLD_VERSION"
+echo "Postgres new version: $POSTGRES_NEW_VERSION"
+echo "Postgres alpine docker tag including python3-dev: $POSTGRES_DOCKER_TAG"
+echo "Postgres old Dockerfile: $POSTGRES_OLD_DOCKER_FROM"
+echo "Postgres new Dockerfile: $POSTGRES_NEW_DOCKER_FROM"
+echo "Postgres upgrade-line matches a folder here - https://github.com/tianon/docker-postgres-upgrade: $POSTGRES_UPGRADE_LINE"
+echo "Mattermost old version: $MM_OLD_VERSION"
+echo "Mattermost new version: $MM_NEW_VERSION"
+printf "\n"
+df -h
+read -rp "Please make sure you have enough disk space left on your devices. Try to backup and upgrade now? (y/n)" choice
+if [[ "$choice" != "y" && "$choice" != "Y" && "$choice" != "yes" ]]; then
+ exit 0;
+fi
+
+##
+## Script Start
+##
+cd "$PATH_TO_MATTERMOST_DOCKER"
+docker-compose stop
+
+# Creating a backup folder and backing up the mattermost / database.
+mkdir "$PATH_TO_MATTERMOST_DOCKER"/backups
+DATE=$(date +'%F-%H-%M')
+cp -ra "$PATH_TO_MATTERMOST_DOCKER"/volumes/app/mattermost/ "$PATH_TO_MATTERMOST_DOCKER"/backups/mattermost-backup-"$DATE"/
+cp -ra "$PATH_TO_MATTERMOST_DOCKER"/volumes/db/ "$PATH_TO_MATTERMOST_DOCKER"/backups/database-backup-"$DATE"/
+
+mkdir "$PATH_TO_MATTERMOST_DOCKER"/volumes/db/"$POSTGRES_OLD_VERSION"
+mv "$PATH_TO_MATTERMOST_DOCKER"/volumes/db/var/lib/postgresql/data/ "$PATH_TO_MATTERMOST_DOCKER"/volumes/db/"$POSTGRES_OLD_VERSION"
+rm -rf "$PATH_TO_MATTERMOST_DOCKER"/volumes/db/var
+mkdir -p "$PATH_TO_MATTERMOST_DOCKER"/volumes/db/$POSTGRES_NEW_VERSION/data
+
+
+sed -i "s/$POSTGRES_OLD_DOCKER_FROM/$POSTGRES_NEW_DOCKER_FROM/" "$PATH_TO_MATTERMOST_DOCKER"/db/Dockerfile
+sed -i "s/python-dev/python3-dev/" "$PATH_TO_MATTERMOST_DOCKER"/db/Dockerfile
+sed -i "s/$MM_OLD_VERSION/$MM_NEW_VERSION/" "$PATH_TO_MATTERMOST_DOCKER"/app/Dockerfile
+
+
+# replacing the old postgres path with a new path
+sed -i "s#./volumes/db/var/lib/postgresql/data:/var/lib/postgresql/data#./volumes/db/$POSTGRES_NEW_VERSION/data:/var/lib/postgresql/data#" "$PATH_TO_MATTERMOST_DOCKER"/docker-compose.yml
+
+# migrate the database to the new postgres version
+docker run --rm \
+ -e PGUSER="$POSTGRES_USER" \
+ -e POSTGRES_INITDB_ARGS=" -U $POSTGRES_USER" \
+ -e POSTGRES_PASSWORD="$POSTGRES_PASSWORD" \
+ -e POSTGRES_DB="$POSTGRES_DB" \
+ -v "$PATH_TO_MATTERMOST_DOCKER"/volumes/db:/var/lib/postgresql \
+ tianon/postgres-upgrade:"$POSTGRES_UPGRADE_LINE" \
+ --link
+
+cp -p "$PATH_TO_MATTERMOST_DOCKER"/volumes/db/"$POSTGRES_OLD_VERSION"/data/pg_hba.conf "$PATH_TO_MATTERMOST_DOCKER"/volumes/db/$POSTGRES_NEW_VERSION/data/
+
+# rebuild the containers
+docker-compose build
+docker-compose up -d
+
+# reindex the database
+echo "REINDEX SCHEMA CONCURRENTLY public;" | docker exec mattermost-docker_db_1 psql -U "$POSTGRES_USER" "$POSTGRES_DB"
+cd -
diff --git a/mkdocs b/mkdocs
deleted file mode 120000
index 07a87cc..0000000
--- a/mkdocs
+++ /dev/null
@@ -1 +0,0 @@
-../rskio/mkdocs
\ No newline at end of file
diff --git a/paperless/compose.env b/paperless/compose.env
new file mode 100644
index 0000000..392572c
--- /dev/null
+++ b/paperless/compose.env
@@ -0,0 +1,37 @@
+###############################################################################
+# Paperless-ngx settings #
+###############################################################################
+
+# See http://docs.paperless-ngx.com/configuration/ for all available options.
+
+# The UID and GID of the user used to run paperless in the container. Set this
+# to your UID and GID on the host so that you have write access to the
+# consumption directory.
+USERMAP_UID=1000
+USERMAP_GID=1000
+
+# See the documentation linked above for all options. A few commonly adjusted settings
+# are provided below.
+
+# This is required if you will be exposing Paperless-ngx on a public domain
+# (if doing so please consider security measures such as reverse proxy)
+PAPERLESS_URL=https://paperless.rskio.com
+
+# Adjust this key if you plan to make paperless available publicly. It should
+# be a very long sequence of random characters. You don't need to remember it.
+PAPERLESS_SECRET_KEY=g8fjagl-ahgzxl0-b8zujk1s
+
+# Use this variable to set a timezone for the Paperless Docker containers. Defaults to UTC.
+PAPERLESS_TIME_ZONE=America/Denver
+
+# The default language to use for OCR. Set this to the language most of your
+# documents are written in.
+#PAPERLESS_OCR_LANGUAGE=eng
+
+# Additional languages to install for text recognition, separated by a whitespace.
+# Note that this is different from PAPERLESS_OCR_LANGUAGE (default=eng), which defines
+# the language used for OCR.
+# The container installs English, German, Italian, Spanish and French by default.
+# See https://packages.debian.org/search?keywords=tesseract-ocr-&searchon=names&suite=buster
+# for available languages.
+#PAPERLESS_OCR_LANGUAGES=tur ces
diff --git a/paperless/compose.yml b/paperless/compose.yml
new file mode 100644
index 0000000..0101eba
--- /dev/null
+++ b/paperless/compose.yml
@@ -0,0 +1,58 @@
+services:
+ broker:
+ image: docker.io/library/redis:8
+ restart: unless-stopped
+ volumes:
+ - redisdata:/data
+ networks:
+ - default
+ db:
+ image: docker.io/library/postgres:17
+ restart: unless-stopped
+ volumes:
+ - pgdata:/var/lib/postgresql/data
+ environment:
+ POSTGRES_DB: paperless
+ POSTGRES_USER: paperless
+ POSTGRES_PASSWORD: paperless
+ networks:
+ - default
+ service:
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.paperless.entrypoints=websecure
+ - traefik.http.routers.paperless.rule=Host(`paperless.rskio.com`)
+ - traefik.http.routers.paperless.middlewares=secureHeaders@file
+ - traefik.http.routers.paperless.tls=true
+ - traefik.http.routers.paperless.tls.options=internal@file
+ - traefik.http.routers.paperless.service=paperless@docker
+ - traefik.http.services.paperless.loadbalancer.server.port=8000
+ - traefik.http.routers.paperless.tls.certresolver=rskio_certresolver
+ image: ghcr.io/paperless-ngx/paperless-ngx:latest
+ restart: unless-stopped
+ depends_on:
+ - db
+ - broker
+ volumes:
+ - data:/usr/src/paperless/data
+ - media:/usr/src/paperless/media
+ - ./export:/usr/src/paperless/export
+ - ./consume:/usr/src/paperless/consume
+ env_file: compose.env
+ environment:
+ PAPERLESS_REDIS: redis://broker:6379
+ PAPERLESS_DBHOST: db
+ networks:
+ - default
+ - traefik
+
+volumes:
+ data:
+ media:
+ pgdata:
+ redisdata:
+
+networks:
+ traefik:
+ external: true
+ default: {}
diff --git a/paste/compose.yml b/paste/compose.yml
new file mode 100644
index 0000000..5000d6b
--- /dev/null
+++ b/paste/compose.yml
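Review bot: The `service` container never sets `PAPERLESS_DBUSER`/`PAPERLESS_DBPASS`, so it only connects because paperless-ngx's documented defaults (`paperless`/`paperless`) happen to equal the `POSTGRES_USER: paperless`/`POSTGRES_PASSWORD: paperless` given to `db` — presumably intentional, but it is an invisible coupling; a comment next to `PAPERLESS_DBHOST: db` such as `# DB user/password rely on paperless-ngx defaults matching db's POSTGRES_* above` makes it explicit, and moving the password into `compose.env` beside `PAPERLESS_SECRET_KEY` leaves one place to rotate it. `tls.options=internal@file` is unique to this router (every other new service uses `external@file`); if `internal` is the stricter profile, that is sensible for a document store, but a one-line comment stating the intent would stop a later copy-paste from downgrading it. `image: ghcr.io/paperless-ngx/paperless-ngx:latest` floats while `redis:8` and `postgres:17` are pinned to a major; pin paperless the same way.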
@@ -0,0 +1,25 @@
+services:
+ service:
+ image: orhunp/rustypaste:latest
+ restart: unless-stopped
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.paste.entrypoints=websecure
+ - traefik.http.routers.paste.rule=Host(`paste.rskio.com`)
+ - traefik.http.routers.paste.tls=true
+ - traefik.http.routers.paste.tls.options=external@file
+ - traefik.http.routers.paste.tls.certresolver=rskio_certresolver
+ - traefik.http.routers.paste.middlewares=secureHeaders@file
+ - traefik.http.routers.paste.service=paste@docker
+ - traefik.http.services.paste.loadbalancer.server.port=8000
+ environment:
+ - RUST_LOG=debug
+ volumes:
+ - ./paste/data/:/app/upload
+ - ./paste/config.toml:/app/config.toml
+ networks:
+ - traefik
+
+networks:
+ traefik:
+ external: true
diff --git a/paste/config.toml b/paste/config.toml
new file mode 100644
index 0000000..7b53cdf
--- /dev/null
+++ b/paste/config.toml
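Review bot: The bind mounts `./paste/data/:/app/upload` and `./paste/config.toml:/app/config.toml` are resolved relative to the compose file, which lives in paste/, so they point at paste/paste/… — a path this commit does not create; the sibling files use `./export`, `./consume` and `./etc-pihole` for the same layout. Docker will typically create an empty directory at a missing bind source, so the container would start without the config.toml added in this commit. Change them to `- ./data/:/app/upload` and `- ./config.toml:/app/config.toml`, and add paste/data to .gitignore as was done for paperless/consume. `RUST_LOG=debug` is also left on for a publicly routed service; `info` is the usual setting outside troubleshooting.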
@@ -0,0 +1,62 @@
+[config]
+refresh_rate = "3s"
+
+[server]
+address = "127.0.0.1:8000"
+url = "https://paste.rskio.com"
+#workers=4
+max_content_length = "10MB"
+upload_path = "./upload"
+timeout = "30s"
+expose_version = false
+expose_list = false
+#auth_tokens = [
+# "super_secret_token1",
+# "super_secret_token2",
+#]
+#delete_tokens = [
+# "super_secret_token1",
+# "super_secret_token3",
+#]
+handle_spaces = "replace" # or "encode"
+
+[landing_page]
+text = """
+┌─┐┌─┐┬┌─┬┌─┐ ┌─┐┌─┐┌─┐┌┬┐┌─┐
+├┬┘└─┐├┴┐││ │ ├─┘├─┤└─┐ │ ├┤
+┴└─└─┘┴ ┴┴└─┘ ┴ ┴ ┴└─┘ ┴ └─┘
+
+Submit files via HTTP POST here:
+ curl -F 'file=@example.txt' paste.rskio.com
+This will return the URL of the uploaded file.
+
+Content expires 24 hours.
+
+The content may be removed without warning.
+"""
+#file = "index.txt"
+content_type = "text/plain; charset=utf-8"
+
+[paste]
+random_url = { type = "petname", words = 2, separator = "-" }
+#random_url = { type = "alphanumeric", length = 8 }
+#random_url = { type = "alphanumeric", length = 8, no_extension = true }
+#random_url = { type = "alphanumeric", length = 6, suffix_mode = true }
+default_extension = "txt"
+mime_override = [
+ { mime = "image/jpeg", regex = "^.*\\.jpg$" },
+ { mime = "image/png", regex = "^.*\\.png$" },
+ { mime = "image/svg+xml", regex = "^.*\\.svg$" },
+ { mime = "video/webm", regex = "^.*\\.webm$" },
+ { mime = "video/x-matroska", regex = "^.*\\.mkv$" },
+ { mime = "application/octet-stream", regex = "^.*\\.bin$" },
+ { mime = "text/plain", regex = "^.*\\.(log|txt|diff|sh|rs|toml)$" },
+]
+mime_blacklist = [
+ "application/x-dosexec",
+ "application/java-archive",
+ "application/java-vm",
+]
+duplicate_files = true
+# default_expiry = "1h"
+delete_expired_files = { enabled = true, interval = "24h" }
diff --git a/pihole/.env b/pihole/.env
new file mode 100644
index 0000000..504092e
--- /dev/null
+++ b/pihole/.env
@@ -0,0 +1 @@
+PIHOLE_SECRET=deviceADMIN
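Review bot: `address = "127.0.0.1:8000"` binds the server to the container's loopback interface, but paste/compose.yml publishes it to Traefik over the shared `traefik` bridge network on port 8000, where a loopback-bound socket is unreachable; it should be `address = "0.0.0.0:8000"`. The landing page promises "Content expires 24 hours" while `default_expiry` is commented out, so uploads that do not set their own expiry appear to be kept indefinitely and `delete_expired_files` has nothing to act on; `default_expiry = "24h"` makes the text true. With `auth_tokens` also commented out and the router on `external@file`, anyone who can reach the host can upload up to `max_content_length`; enabling `auth_tokens` (with the values kept out of the repository) is worth considering for an internet-facing instance.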
diff --git a/pihole/compose.yml b/pihole/compose.yml
new file mode 100644
index 0000000..e556451
--- /dev/null
+++ b/pihole/compose.yml
@@ -0,0 +1,28 @@
+services:
+ service:
+ image: pihole/pihole:latest
+ ports:
+ - "192.168.1.152:53:53/tcp"
+ - "192.168.1.152:53:53/udp"
+ - "8001:80/tcp"
+ #- "443:443/tcp"
+ #- "67:67/udp"
+ #- "123:123/udp"
+ environment:
+ TZ: "America/Denver"
+ FTLCONF_webserver_api_password: ${PIHOLE_SECRET}
+ FTLCONF_dns_listeningMode: "all"
+ volumes:
+ - "./etc-pihole:/etc/pihole"
+ #- './etc-dnsmasq.d:/etc/dnsmasq.d'
+ cap_add:
+ - NET_ADMIN
+ - SYS_TIME
+ - SYS_NICE
+ restart: unless-stopped
+ networks:
+ - traefik
+
+networks:
+ traefik:
+ external: true
diff --git a/setup-network.sh b/setup-network.sh
new file mode 100755
index 0000000..7a5cc93
--- /dev/null
+++ b/setup-network.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Create shared network for Traefik and all services
+NETWORK_NAME="traefik"
+
+echo "Setting up Docker network: $NETWORK_NAME"
+
+# Check if network already exists
+if docker network ls | grep -q "$NETWORK_NAME"; then
+ echo "Network $NETWORK_NAME already exists"
+else
+ # Create the network with a specific subnet to ensure consistency
+ docker network create \
+ --driver bridge \
+ --subnet=172.20.0.0/16 \
+ --gateway=172.20.0.1 \
+ "$NETWORK_NAME"
+fi
+
+echo "Network details:"
+docker network inspect "$NETWORK_NAME" | grep -E "(Name|Subnet|Gateway)"
diff --git a/traefik/compose.yml b/traefik/compose.yml
new file mode 100644
index 0000000..72cfef4
--- /dev/null
+++ b/traefik/compose.yml
@@ -0,0 +1,22 @@
+services:
+ ingress:
+ image: traefik:latest
+ restart: unless-stopped
+ command:
+ - --configFile=/etc/traefik/traefik.yml
+ ports:
+ - 80:80/tcp
+ - 443:443/tcp
+ - 443:443/udp
+ - 8080:8080/tcp
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ - /var/log/traefik:/var/log/traefik
+ - ./etc:/etc/traefik:ro
+ - ./tls:/letsencrypt
+ networks:
+ - traefik
+
+networks:
+ traefik:
+ external: true
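Review bot: `- "8001:80/tcp"` publishes the Pi-hole admin interface on every host interface, while traefik/etc/dynamic.yml in this same commit routes `dns.rskio.com` to that very `http://192.168.1.152:8001` behind `internal@file` client-certificate auth; the host port lets any LAN client reach the admin UI directly and skip the mTLS gate. Since the container already joins the shared `traefik` network, the published web port could be dropped and the Traefik file-provider service pointed at the container over that network (by its container name, which Docker's embedded DNS resolves on a user-defined network), leaving only the DNS ports exposed. The DNS ports are correctly bound to `192.168.1.152` alone; the web port deserves the same scrutiny.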
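Review bot: `docker network ls | grep -q "$NETWORK_NAME"` matches any network whose listing contains the substring `traefik` (for instance a compose-generated `traefik_default`), so the script can report the network as existing and skip creating it, after which every compose file declaring `traefik` as `external: true` fails to start. Use an exact lookup instead: `if docker network inspect "$NETWORK_NAME" >/dev/null 2>&1; then`. The script also runs without `set -euo pipefail`, so a failed `docker network create` falls through to the `inspect` at the end and the error is only visible from that command's output.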
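Review bot: `- 8080:8080/tcp` publishes Traefik's API port on all host interfaces, while the dashboard in dynamic.yml is routed through `oxy.rskio.com` behind `internal@file` client certificates; if `api.insecure` is enabled in traefik.yml (not visible in this diff), the host port serves the same API and dashboard with no authentication and the mTLS gate is bypassable from the LAN, and if it is not enabled the mapping is dead weight. Either way the line can be removed. `/var/run/docker.sock:/var/run/docker.sock:ro` also deserves a comment in the file: the `ro` flag applies to the socket file, not to the Docker API behind it, which still gives the container full control of the host daemon.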
diff --git a/traefik/etc/dynamic.yml b/traefik/etc/dynamic.yml
index 8db1821..ba700b0 100644
--- a/traefik/etc/dynamic.yml
+++ b/traefik/etc/dynamic.yml
@@ -1,50 +1,167 @@ +defaultTLS: &defaultTLS + minVersion: VersionTLS13 + cipherSuites: + - TLS_AES_256_GCM_SHA384 + - TLS_AES_128_GCM_SHA256 + - TLS_CHACHA20_POLY1305_SHA256 + - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 + - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_FALLBACK_SCSV + tls: options: - docs: - minVersion: VersionTLS13 - cipherSuites: - - TLS_AES_256_GCM_SHA384 - - TLS_AES_128_GCM_SHA256 - - TLS_CHACHA20_POLY1305_SHA256 - - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - - TLS_FALLBACK_SCSV - dashboard: - minVersion: VersionTLS13 - cipherSuites: - - TLS_AES_256_GCM_SHA384 - - TLS_AES_128_GCM_SHA256 - - TLS_CHACHA20_POLY1305_SHA256 - - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - - TLS_FALLBACK_SCSV + external: + <<: *defaultTLS + + internal: clientAuth: caFiles: - /etc/traefik/com.rskio.ca.crt clientAuthType: RequireAndVerifyClientCert + <<: *defaultTLS http: routers: - traefik-dashboard: - rule: "Host(`oxy.rskio.com`)" - service: "api@internal" + stream: + rule: Host(`stream.rskio.com`) + service: stream@file entryPoints: - - "websecure" - middlewares: - - "redirect-dashboard" + - websecure tls: - options: dashboard@file + options: external@file certResolver: rskio_certresolver + + # storage: + # rule: Host(`storage.rskio.com`) + # service: storage@file + # entryPoints: + # - websecure + # tls: + # options: internal@file + # certResolver: rskio_certresolver + # + # metrics: + # rule: Host(`metrics.rskio.com`) + # service: metrics@file + # entryPoints: + # - websecure + # tls: + # options: internal@file + # certResolver: rskio_certresolver + + pihole: + rule: Host(`dns.rskio.com`) + service: 
pihole@file + entryPoints: + - websecure + middlewares: + - redirect-pihole + tls: + options: internal@file + certResolver: rskio_certresolver + + # ghost: + # rule: Host(`blog.rskio.com`) + # service: ghost@file + # entryPoints: + # - websecure + # middlewares: + # - secureHeaders + # tls: + # options: external@file + # certResolver: rskio_certresolver + + network: + rule: Host(`network.rskio.com`) + service: network@file + entryPoints: + - websecure + middlewares: + - secureHeaders + tls: + options: internal@file + certResolver: rskio_certresolver + + core01kvm: + rule: Host(`core01.rskio.com`) + service: core01kvm@file + entrypoints: + - websecure + middlewares: + - secureHeaders + tls: + options: internal@file + certResolver: rskio_certresolver + + traefik-dashboard: + rule: Host(`oxy.rskio.com`) + service: api@internal + entryPoints: + - websecure + middlewares: + - redirect-dashboard + tls: + options: internal@file + certResolver: rskio_certresolver + + serversTransports: + backendIgnoreTLS: + insecureSkipVerify: true + + services: + stream: + loadBalancer: + servers: + - url: "http://192.168.1.179:8096" + + # storage: + # loadBalancer: + # servers: + # - url: "https://192.168.1.230:8443" + # serversTransport: backendIgnoreTLS + # + # metrics: + # loadBalancer: + # servers: + # - url: "https://192.168.1.230:3000" + # serversTransport: backendIgnoreTLS + + pihole: + loadBalancer: + servers: + - url: "http://192.168.1.152:8001" + + # ghost: + # loadBalancer: + # servers: + # - url: "http://192.168.1.152:2368" + + network: + loadBalancer: + servers: + - url: "https://192.168.1.254" + serversTransport: backendIgnoreTLS + + core01kvm: + loadBalancer: + servers: + - url: "http://192.168.1.202" + middlewares: redirect-dashboard: redirectRegex: regex: "^https?://([^/]+)/?$" replacement: "https://${1}/dashboard/" permanent: true + + redirect-pihole: + redirectRegex: + regex: "^https?://([^/]+)/?$" + replacement: "https://${1}/admin/" + permanent: true + secureHeaders: 
headers: browserXssFilter: true diff --git a/traefik/etc/traefik.yml b/traefik/etc/traefik.yml index 373e6ac..8648a27 100644 --- a/traefik/etc/traefik.yml +++ b/traefik/etc/traefik.yml @@ -37,7 +37,7 @@ api: providers: docker: endpoint: unix:///var/run/docker.sock - network: hq_default + network: traefik exposedByDefault: false file: filename: /etc/traefik/dynamic.yml
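Review bot: `backendIgnoreTLS` sets `insecureSkipVerify: true` and is attached to the `network` service (`https://192.168.1.254`), so Traefik accepts any certificate from that backend and a device on the LAN path can stand in for it; prefer `rootCAs` on the serversTransport with the device's CA (optionally with `serverName`) over disabling verification. The `core01kvm` router spells the key `entrypoints` while every other router uses `entryPoints`; if the file provider treats keys case-sensitively this router silently falls back to the default entry points, so align it to `entryPoints:` regardless. The `stream` router is the only `external@file` router without the `secureHeaders` middleware, which looks like an oversight given the other public router (`paste`, via docker labels) carries it. The hunk ends inside the `secureHeaders` middleware, whose remaining headers are outside the diff.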