revised approach

.gitignore

@@ -1,4 +1,11 @@
-mkdocs/site
+fleetdm/fleet/logs
+fleetdm/fleet/vulndb
+fleetdm/mysql/data
+ghost/mysql/*
+mattermost/volumes
+paperless/consume
+paperless/export
+pihole/etc-pihole
 traefik/log/*.log
 traefik/log/*.gz
 traefik/tls/*.json

README.md

@@ -2,11 +2,15 @@
 
 Services
 
-- traefik as front end proxy, tls, and http3
-- traefik dashboard behind mtls
+- traefik for front end proxy, tls, and http3
+- docs
   - squidfunk/mkdocs-material to build static html
   - nginx to host static html
-- jellyfin for streaming service
+- paperless for document management
+- chat (mattermost)
+- paste (rustypaste)
+- pihole
+- fleet device management
 
 ## Setup
 
@@ -31,33 +35,3 @@ expects `../rskio/mkdocs` to exist
 ``` bash
 git clone https://github.com/rskntroot/rskio.git
 ```
-
-### Jellyfin
-
-expects `/mnt/jellyfin` and `/mnt/media` to exist
-
-#### setup creds
-
-``` bash
-sudo mkdir -p /etc/smb/creds
-sudo vi /etc/smb/creds/share
-sudo chmod 600 /etc/smb/creds/share
-```
-
-create creds files in the format
-
-```
-username=<user>
-password=<pass>
-```
-
-#### edit fstab
-
-``` zsh
-vi /etc/fstab
-```
-
-``` fstab
-//192.168.1.179/Media  /mnt/media  cifs  credentials=/etc/smb/creds/media,iocharset=utf8,vers=3.0,uid=1000,gid=1000,file_mode=0660,dir_mode=0770  0  0
-//192.168.1.179/Jellyfin  /mnt/jellyfin  cifs  credentials=/etc/smb/creds/jellyfin,iocharset=utf8,vers=3.0,uid=1000,gid=1000,file_mode=0660,dir_mode=0770  0  0
-```

compose.yml

@@ -1,65 +0,0 @@
-services:
-  mkdocs:
-    image: squidfunk/mkdocs-material
-    command:
-      - build
-    volumes:
-      - ./mkdocs:/docs
-
-  traefik:
-    image: traefik:latest
-    command:
-      - --configFile=/etc/traefik/traefik.yml
-    ports:
-      - 80:80/tcp
-      - 443:443/tcp
-      - 443:443/udp
-      - 8080:8080/tcp
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-      - /var/log/traefik:/var/log/traefik
-      - ./traefik/etc:/etc/traefik:ro
-      - ./traefik/tls:/letsencrypt
-
-  nginx:
-    image: nginx:latest
-    restart: unless-stopped
-    labels:
-      - traefik.enable=true
-      - traefik.http.routers.rskio.entrypoints=websecure
-      - traefik.http.routers.rskio.rule=Host(`docs.rskio.com`)
-      - traefik.http.routers.rskio.tls=true
-      - traefik.http.routers.rskio.tls.options=docs@file
-      - traefik.http.routers.rskio.tls.certresolver=rskio_certresolver
-      - traefik.http.routers.rskio.service=rskio@docker
-      - traefik.http.services.rskio.loadbalancer.server.port=80
-      - traefik.http.routers.rskio.middlewares=secureHeaders@file
-    volumes:
-      - ./mkdocs/site:/opt/share/mkdocs/html:ro
-      - ./nginx/etc/conf.d:/etc/nginx/conf.d:ro
-    depends_on:
-      mkdocs:
-        condition: service_completed_successfully
-
-  stream:
-    image: jellyfin/jellyfin
-    labels:
-      - traefik.enable=true
-      - traefik.http.routers.stream.entrypoints=websecure
-      - traefik.http.routers.stream.rule=Host(`stream.rskio.com`)
-      - traefik.http.routers.stream.tls=true
-      - traefik.http.routers.stream.tls.certresolver=rskio_certresolver
-      - traefik.http.routers.stream.service=stream@docker
-      - traefik.http.services.stream.loadbalancer.server.port=8096
-    tty: true
-    restart: unless-stopped
-    devices:
-      - /dev/dri:/dev/dri
-    volumes:
-      - ./jellyfin/config:/config
-      - ./jellyfin/cache:/cache
-      - /mnt/media:/data
-    ports:
-      - 8096:8096
-    environment:
-      - TZ=US/Mountain

docs/compose.yml

@@ -0,0 +1,33 @@
+services:
+  mkdocs:
+    image: squidfunk/mkdocs-material
+    command:
+      - build
+    volumes:
+      - ./mkdocs:/docs
+
+  docs:
+    image: nginx:latest
+    restart: unless-stopped
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.docs.entrypoints=websecure
+      - traefik.http.routers.docs.rule=Host(`docs.rskio.com`)
+      - traefik.http.routers.docs.tls=true
+      - traefik.http.routers.docs.tls.options=external@file
+      - traefik.http.routers.docs.tls.certresolver=rskio_certresolver
+      - traefik.http.routers.docs.middlewares=secureHeaders@file
+      - traefik.http.routers.docs.service=docs@docker
+      - traefik.http.services.docs.loadbalancer.server.port=80
+    volumes:
+      - ./mkdocs/site:/opt/share/mkdocs/html:ro
+      - ./nginx/etc/conf.d:/etc/nginx/conf.d:ro
+    depends_on:
+      mkdocs:
+        condition: service_completed_successfully
+    networks:
+      - traefik
+
+networks:
+  traefik:
+    external: true

docs/mkdocs

@@ -0,0 +1 @@
+/home/lost/workspace/rskio/mkdocs

fleetdm/compose.yml

@@ -0,0 +1,56 @@
+services:
+  db:
+    image: mysql
+    restart: unless-stopped
+    platform: linux/x86_64
+    volumes:
+      - ./mysql/data:/var/lib/mysql
+    env_file: mysql/default.env
+    cap_add:
+      - SYS_NICE
+    #    ports:
+    #      - 3306:3306
+    networks:
+      - default
+
+  broker:
+    image: redis
+    restart: unless-stopped
+    #    ports:
+    #      - 6379:6379
+    networks:
+      - default
+
+  service:
+    image: fleetdm/fleet
+    restart: unless-stopped
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.fleet.entrypoints=websecure
+      - traefik.http.routers.fleet.rule=Host(`fleet.rskio.com`)
+      - traefik.http.routers.fleet.middlewares=secureHeaders@file
+      - traefik.http.routers.fleet.tls=true
+      - traefik.http.routers.fleet.tls.options=external@file
+      - traefik.http.routers.fleet.service=fleet@docker
+      - traefik.http.services.fleet.loadbalancer.server.port=8412
+      - traefik.http.routers.fleet.tls.certresolver=rskio_certresolver
+    depends_on:
+      - db
+      - broker
+    platform: linux/x86_64
+    command: sh -c "/usr/bin/fleet prepare db --no-prompt && /usr/bin/fleet serve"
+    env_file: fleet/default.env
+    ports:
+      - 8412:8412
+    volumes:
+      - ./fleet:/fleet/
+      - ./fleet/logs:/logs
+      - ./fleet/vulndb:/vulndb
+    networks:
+      - default
+      - traefik
+
+networks:
+  default: {}
+  traefik:
+    external: true

fleetdm/fleet/default.env

@@ -0,0 +1,38 @@
+# Mysql
+
+FLEET_MYSQL_ADDRESS="mysql:3306"
+FLEET_MYSQL_DATABASE="fleet"
+FLEET_MYSQL_USERNAME="fleet"
+FLEET_MYSQL_PASSWORD="fleet-mysql-pswd"
+
+# Redis
+
+FLEET_REDIS_ADDRESS="redis:6379"
+FLEET_SERVER_ADDRESS="0.0.0.0:8412"
+
+# TLS
+
+FLEET_SERVER_TLS=false #TLS is handled by traefik
+#FLEET_SERVER_CERT="fleet/tmp/server.cert"
+#FLEET_SERVER_KEY="fleet/tmp/server.key"
+
+# Logging
+
+FLEET_LOGGING_JSON="true"
+FLEET_OSQUERY_STATUS_LOG_PLUGIN="filesystem"
+FLEET_FILESYSTEM_STATUS_LOG_FILE="/logs/osqueryd.status.log"
+FLEET_OSQUERY_RESULT_LOG_PLUGIN="filesystem"
+FLEET_FILESYSTEM_RESULT_LOG_FILE="/logs/osqueryd.results.log"
+
+# If you have fleet premium, enter key and uncomment
+
+# FLEET_LICENSE_KEY=
+
+
+FLEET_OSQUERY_LABEL_UPDATE_INTERVAL="1m"
+
+# Vulnerabilities
+
+FLEET_VULNERABILITIES_CURRENT_INSTANCE_CHECKS="yes"
+FLEET_VULNERABILITIES_DATABASES_PATH="/vulndb"
+FLEET_VULNERABILITIES_PERIODICITY="5m"

fleetdm/mysql/default.env

@@ -0,0 +1,4 @@
+MYSQL_ROOT_PASSWORD="toor"
+MYSQL_DATABASE="fleet"
+MYSQL_USER="fleet"
+MYSQL_PASSWORD="fleet-mysql-pswd"

ghost/compose.yml

@@ -0,0 +1,85 @@
+services:
+  service:
+    image: ghost:5-alpine
+    ports:
+      - 2368:2368 # Ghost
+    environment:
+      database__client: mysql
+      database__connection__host: ghost-mysql-1
+      database__connection__user: ghost
+      database__connection__password: ghost
+      database__connection__database: ghost
+      url: https://blog.rskio.com
+    depends_on:
+      mysql:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+  mysql:
+    image: mysql:8.0.35
+    command: --innodb-buffer-pool-size=1G --innodb-log-buffer-size=500M --innodb-change-buffer-max-size=50 --innodb-flush-log-at-trx_commit=0 --innodb-flush-method=O_DIRECT
+    ports:
+      - 3306:3306
+    environment:
+      MYSQL_ROOT_PASSWORD: root
+      MYSQL_DATABASE: ghost
+      MYSQL_USER: ghost
+      MYSQL_PASSWORD: ghost
+    restart: always
+    volumes:
+      - ./mysql:/var/lib/mysql
+    healthcheck:
+      test: mysql -uroot -proot ghost -e 'select 1'
+      interval: 5s
+      retries: 120
+  redis:
+    image: redis:7.0
+    restart: always
+    ports:
+      - 6379:6379
+    healthcheck:
+      test:
+        - CMD
+        - redis-cli
+        - --raw
+        - incr
+        - ping
+      interval: 1s
+      retries: 120
+#  prometheus:
+#    profiles: [monitoring]
+#    image: prom/prometheus:v2.30.3
+#    container_name: ghost-prometheus
+#    ports:
+#      - 9090:9090
+#    restart: always
+#    volumes:
+#      - ./.docker/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml
+#  grafana:
+#    profiles: [monitoring]
+#    image: grafana/grafana:8.3.0
+#    container_name: ghost-grafana
+#    ports:
+#      - 3000:3000
+#    restart: always
+#    environment:
+#      - GF_AUTH_ANONYMOUS_ENABLED=true
+#      - GF_AUTH_ANONYMOUS_ORG_ROLE=Admin
+#    volumes:
+#      - ./.docker/grafana/datasources:/etc/grafana/provisioning/datasources
+#      - ./.docker/grafana/dashboard.yml:/etc/grafana/provisioning/dashboards/main.yaml
+#      - ./.docker/grafana/dashboards:/var/lib/grafana/dashboards
+#  pushgateway:
+#    profiles: [monitoring]
+#    image: prom/pushgateway:v1.6.0
+#    container_name: ghost-pushgateway
+#    ports:
+#      - 9091:9091
+#  mailhog:
+#    image: mailhog/mailhog:latest
+#    container_name: ghost-mailhog
+#    profiles: [ghost]
+#    ports:
+#      - "1025:1025" # SMTP server
+#      - "8025:8025" # Web interface
+#    restart: always

jellyfin

@@ -1 +0,0 @@
-/mnt/jellyfin

mattermost/.env

@@ -0,0 +1,88 @@
+# Domain of service
+DOMAIN=chat.rskio.com
+
+# Container settings
+## Timezone inside the containers. The value needs to be in the form 'Europe/Berlin'.
+## A list of these tz database names can be looked up at Wikipedia
+## https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
+TZ=US/Mountain
+RESTART_POLICY=unless-stopped
+
+# Postgres settings
+## Documentation for this image and available settings can be found on hub.docker.com
+## https://hub.docker.com/_/postgres
+## Please keep in mind this will create a superuser and it's recommended to use a less privileged
+## user to connect to the database.
+## A guide on how to change the database user to a nonsuperuser can be found in docs/creation-of-nonsuperuser.md
+POSTGRES_IMAGE_TAG=13-alpine
+POSTGRES_DATA_PATH=./volumes/db/var/lib/postgresql/data
+
+POSTGRES_USER=mattermost
+POSTGRES_PASSWORD=kixvep-sasWaq-gocwy3
+POSTGRES_DB=mattermost
+
+# Nginx
+## The nginx container will use a configuration found at the NGINX_MATTERMOST_CONFIG. The config aims
+## to be secure and uses a catch-all server vhost which will work out-of-the-box. For additional settings
+## or changes ones can edit it or provide another config. Important note: inside the container, nginx sources
+## every config file inside */etc/nginx/conf.d* ending with a *.conf* file extension.
+
+## Inside the container the uid and gid is 101. The folder owner can be set with
+## `sudo chown -R 101:101 ./nginx` if needed.
+## Note that this repository requires nginx version 1.25.1 or later
+NGINX_IMAGE_TAG=alpine
+
+## The folder containing server blocks and any additional config to nginx.conf
+#NGINX_CONFIG_PATH=./nginx/conf.d
+#NGINX_DHPARAMS_FILE=./nginx/dhparams4096.pem
+
+#CERT_PATH=./volumes/web/cert/cert.pem
+#KEY_PATH=./volumes/web/cert/key-no-password.pem
+#GITLAB_PKI_CHAIN_PATH=<path_to_your_gitlab_pki>/pki_chain.pem
+#CERT_PATH=./certs/etc/letsencrypt/live/${DOMAIN}/fullchain.pem
+#KEY_PATH=./certs/etc/letsencrypt/live/${DOMAIN}/privkey.pem
+
+## Exposed ports to the host. Inside the container 80, 443 and 8443 will be used
+#HTTPS_PORT=443
+#HTTP_PORT=80
+#CALLS_PORT=8443
+
+# Mattermost settings
+## Inside the container the uid and gid is 2000. The folder owner can be set with
+## `sudo chown -R 2000:2000 ./volumes/app/mattermost`.
+MATTERMOST_CONFIG_PATH=./volumes/app/mattermost/config
+MATTERMOST_DATA_PATH=./volumes/app/mattermost/data
+MATTERMOST_LOGS_PATH=./volumes/app/mattermost/logs
+MATTERMOST_PLUGINS_PATH=./volumes/app/mattermost/plugins
+MATTERMOST_CLIENT_PLUGINS_PATH=./volumes/app/mattermost/client/plugins
+MATTERMOST_BLEVE_INDEXES_PATH=./volumes/app/mattermost/bleve-indexes
+
+## Bleve index (inside the container)
+MM_BLEVESETTINGS_INDEXDIR=/mattermost/bleve-indexes
+
+## This will be 'mattermost-enterprise-edition' or 'mattermost-team-edition' based on the version of Mattermost you're installing.
+MATTERMOST_IMAGE=mattermost-enterprise-edition
+## Update the image tag if you want to upgrade your Mattermost version. You may also upgrade to the latest one. The example is based on the latest Mattermost ESR version.
+MATTERMOST_IMAGE_TAG=9.11.6
+
+## Make Mattermost container readonly. This interferes with the regeneration of root.html inside the container. Only use
+## it if you know what you're doing.
+## See https://github.com/mattermost/docker/issues/18
+MATTERMOST_CONTAINER_READONLY=false
+
+## The app port is only relevant for using Mattermost without the nginx container as reverse proxy. This is not meant
+## to be used with the internal HTTP server exposed but rather in case one wants to host several services on one host
+## or for using it behind another existing reverse proxy.
+APP_PORT=8065
+
+## Configuration settings for Mattermost. Documentation on the variables and the settings itself can be found at
+## https://docs.mattermost.com/administration/config-settings.html
+## Keep in mind that variables set here will take precedence over the same setting in config.json. This includes
+## the system console as well and settings set with env variables will be greyed out.
+
+## Below one can find necessary settings to spin up the Mattermost container
+MM_SQLSETTINGS_DRIVERNAME=postgres
+MM_SQLSETTINGS_DATASOURCE=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}?sslmode=disable&connect_timeout=10
+
+## Example settings (any additional setting added here also needs to be introduced in the docker-compose.yml)
+MM_SERVICESETTINGS_SITEURL=https://${DOMAIN}

mattermost/compose.yml

@@ -0,0 +1,62 @@
+services:
+  postgres:
+    image: postgres:${POSTGRES_IMAGE_TAG}
+    restart: ${RESTART_POLICY}
+    #security_opt:
+    #  - no-new-privileges:true
+    #pids_limit: 100
+    #read_only: true
+    tmpfs:
+      - /tmp
+      - /var/run/postgresql
+    volumes:
+      - ${POSTGRES_DATA_PATH}:/var/lib/postgresql/data
+    environment:
+      - TZ
+      - POSTGRES_USER
+      - POSTGRES_PASSWORD
+      - POSTGRES_DB
+    networks:
+      - default
+
+  service:
+    depends_on:
+      - postgres
+    image: mattermost/${MATTERMOST_IMAGE}:${MATTERMOST_IMAGE_TAG}
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.mattermost.entrypoints=websecure
+      - traefik.http.routers.mattermost.rule=Host(`chat.rskio.com`)
+      - traefik.http.routers.mattermost.tls=true
+      - traefik.http.routers.mattermost.tls.options=external@file
+      - traefik.http.routers.mattermost.tls.certresolver=rskio_certresolver
+      - traefik.http.routers.mattermost.service=mattermost@docker
+      - traefik.http.services.mattermost.loadbalancer.server.port=8065
+      - traefik.http.routers.mattermost.middlewares=secureHeaders@file
+    restart: ${RESTART_POLICY}
+    #security_opt:
+    #  - no-new-privileges:true
+    #pids_limit: 200
+    #read_only: ${MATTERMOST_CONTAINER_READONLY}
+    tmpfs:
+      - /tmp
+    volumes:
+      - ${MATTERMOST_CONFIG_PATH}:/mattermost/config:rw
+      - ${MATTERMOST_DATA_PATH}:/mattermost/data:rw
+      - ${MATTERMOST_LOGS_PATH}:/mattermost/logs:rw
+      - ${MATTERMOST_PLUGINS_PATH}:/mattermost/plugins:rw
+      - ${MATTERMOST_CLIENT_PLUGINS_PATH}:/mattermost/client/plugins:rw
+      - ${MATTERMOST_BLEVE_INDEXES_PATH}:/mattermost/bleve-indexes:rw
+    environment:
+      - TZ
+      - MM_SQLSETTINGS_DRIVERNAME
+      - MM_SQLSETTINGS_DATASOURCE
+      - MM_BLEVESETTINGS_INDEXDIR
+      - MM_SERVICESETTINGS_SITEURL
+    networks:
+      - default
+      - traefik
+
+networks:
+  traefik:
+    external: true

mattermost/scripts/UPGRADE.md

@@ -0,0 +1,35 @@
+# IMPORTANT: Please make sure you have enough disk space available for the backups! 
+Because it is more complicated to check the available disk space for various disk formatting options provided by different linux distributions, the script does currently not check for if there is enough disk space. 
+Please check manually before executing this script!
+
+## Upgrading Postgres
+
+```
+$ export PATH_TO_MATTERMOST_DOCKER=path/to/mattermost-docker
+$ ./scripts/upgrade-postgres.sh
+```
+
+Environment variables for upgrading:
+`ttf` means, the script 'tries to find' the environment variables. 
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|:---------:|:--------:|
+| PATH_TO_MATTERMOST_DOCKER | absolute path to your mattermost-docker folder | `string` | n/a | yes |
+| POSTGRES_USER | postgres user to connect to the mattermost database | `string` | ttf | yes |
+| POSTGRES_PASSWORD | postgres password for the POSTGRES_USER to connect to the mattermost database | `string` | ttf | yes |
+| POSTGRES_DB | postgres database name for the mattermost database | `string` | ttf | yes |
+| POSTGRES_OLD_VERSION | postgres database old version which should be upgraded from | `semver` | ttf | yes |
+| POSTGRES_NEW_VERSION | postgres database new version which should be upgraded to | `semver` | 13 | yes |
+| POSTGRES_DOCKER_TAG | postgres docker tag found [here](https://hub.docker.com/_/postgres) including python3-dev | `string` | 13.2-alpine | yes |
+| POSTGRES_OLD_DOCKER_FROM | FROM declaration in the postgres Dockerfile to be replaced | `string` | ttf | yes |
+| POSTGRES_NEW_DOCKER_FROM | FROM declaration in the postgres Dockerfile replacing POSTGRES_OLD_DOCKER_FROM | `string` | ttf | yes |
+| POSTGRES_UPGRADE_LINE | folder name required to upgrade postgres (Needs to match a folder [here](https://github.com/tianon/docker-postgres-upgrade)) | `string` | ttf | yes |
+| MM_OLD_VERSION | mattermost old version which should be upgraded from | `semver` | ttf | yes |
+| MM_NEW_VERSION | mattermost new version which should be upgraded to | `semver` | 5.32.1 | yes |
+
+You can overwrite any of these variables before running this script with:
+```
+$ export VAR_NAME_FROM_ABOVE=yourValue
+$ export PATH_TO_MATTERMOST_DOCKER=path/to/mattermost-docker
+$ ./scripts/upgrade-postgres.sh
+```

mattermost/scripts/issue-certificate.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+
+usage() {
+  cat <<EOF
+Usage: $0 [-h] <-d DOMAIN> <-o PATH>
+
+Options
+  -h Print this help
+  -o Output path (e.g. \${PWD}/certs)
+  -d Domain certificate is issued for (e.g. mm.example.com)
+
+EOF
+}
+
+issue_cert_standalone() {
+  docker run -it --rm --name certbot -p 80:80 \
+    -v "${1}/etc/letsencrypt:/etc/letsencrypt" \
+    -v "${1}/lib/letsencrypt:/var/lib/letsencrypt" \
+    certbot/certbot certonly --standalone -d "${2}"
+}
+
+authenticator_to_webroot() {
+  sed -i 's/standalone/webroot/' "${1}"/etc/letsencrypt/renewal/"${2}".conf
+  tee -a "${1}"/etc/letsencrypt/renewal/"${2}".conf >/dev/null <<EOF
+webroot_path = /usr/share/nginx/html,
+[[webroot_map]]
+EOF
+}
+
+# become root (keeping environment) and make script executable
+if [ $EUID != 0 ]; then
+  chmod +x "$0"
+  sudo -E ./"$0" "$@"
+  exit $?
+fi
+
+while getopts d:o:h opt; do
+  case "$opt" in
+    d)
+      domain=$OPTARG
+      ;;
+    o)
+      output=$OPTARG
+      ;;
+    h)
+      usage
+      exit 0
+      ;;
+    \?)
+      usage >&2
+      exit 64
+      ;;
+  esac
+done
+
+shift $((OPTIND - 1))
+
+if [ -z "$domain" ]; then
+  echo "-d is required" >&2
+  usage >&2
+  exit 64
+fi
+
+if [ -z "$output" ]; then
+  echo "-o is required" >&2
+  usage >&2
+  exit 64
+fi
+
+if ! which docker 1>/dev/null; then
+  echo "Can't find Docker command" >&2
+  exit 64
+fi
+
+issue_cert_standalone "${output}" "${domain}"
+authenticator_to_webroot "${output}" "${domain}"

mattermost/scripts/upgrade-postgres.sh

@@ -0,0 +1,196 @@
+#!/usr/bin/env bash
+
+set -o errexit
+
+##
+## Instructions
+##
+# Dockerfile stolen from contributions in this issue: https://github.com/mattermost/mattermost-docker/issues/489#issuecomment-790277661
+
+# 1. Edit the variables below to match your environment. This uses default variables and assumes you're on 5.31.0.
+#    If you're wanting to use another version of Postgres/Mattermost , update the variables as desired.
+
+# 2. run 'sudo bash upgrade-postgres.sh' replace upgrade.sh with what you've named the file.
+#    This may take some time to complete as it's migrating the database to Postgres 13.6 from 9.4
+
+
+if [[ $PATH_TO_MATTERMOST_DOCKER == "" ]]; then
+  # shellcheck disable=SC2016
+  echo 'Please export environment variable PATH_TO_MATTERMOST_DOCKER with "$ export PATH_TO_MATTERMOST_DOCKER=/path/to/mattermost-docker", i.e. $PWD before running this script. '
+  exit 1
+fi
+
+##
+## Environment Variables
+##
+# Below are default values in the mattermost-docker container.
+# The script is trying to fetch those variables first. Should fetching fail, please export the variables before running the script.
+if [[ $POSTGRES_USER == "" ]]; then
+  echo "trying to fetch POSTGRES_USER from $PATH_TO_MATTERMOST_DOCKER/docker-compose.yml"
+  POSTGRES_USER=$(grep "^.*-.*POSTGRES_USER=.*$" "$PATH_TO_MATTERMOST_DOCKER"/docker-compose.yml | sed s~^.*-.*POSTGRES_USER=~~g)
+  if [[ $POSTGRES_USER == "" ]]; then
+    echo "could not find POSTGRES_USER set in $PATH_TO_MATTERMOST_DOCKER/docker-compose.yml"
+    echo "please run 'export POSTGRES_USER=yourPostgresUser' before running this script"
+    exit 1
+  fi
+  echo "found POSTGRES_USER=redacted"
+fi
+
+if [[ $POSTGRES_PASSWORD == "" ]]; then
+  echo "trying to fetch POSTGRES_PASSWORD from $PATH_TO_MATTERMOST_DOCKER/docker-compose.yml"
+  POSTGRES_PASSWORD=$(grep "^.*-.*POSTGRES_PASSWORD=.*$" "$PATH_TO_MATTERMOST_DOCKER"/docker-compose.yml | sed s~^.*-.*POSTGRES_PASSWORD=~~g)
+  if [[ $POSTGRES_PASSWORD == "" ]]; then
+    echo "could not find POSTGRES_PASSWORD set in $PATH_TO_MATTERMOST_DOCKER/docker-compose.yml"
+    echo "please run 'export POSTGRES_PASSWORD=yourPostgresPassword' before running this script"
+    exit 1
+  fi
+  echo "found POSTGRES_PASSWORD=redacted"
+fi
+
+if [[ $POSTGRES_DB == "" ]]; then
+  echo "trying to fetch POSTGRES_DB from $PATH_TO_MATTERMOST_DOCKER/docker-compose.yml"
+  POSTGRES_DB=$(grep "^.*-.*POSTGRES_DB=.*$" "$PATH_TO_MATTERMOST_DOCKER"/docker-compose.yml | sed s~^.*-.*POSTGRES_DB=~~g)
+  if [[ $POSTGRES_DB == "" ]]; then
+    echo "could not find POSTGRES_DB set in $PATH_TO_MATTERMOST_DOCKER/docker-compose.yml"
+    echo "please run 'export POSTGRES_DB=yourPostgresDatabase' before running this script"
+    exit 1
+  fi
+  echo "found POSTGRES_DB=$POSTGRES_DB"
+fi
+
+printf "\n"
+if [[ $POSTGRES_OLD_VERSION == "" ]]; then
+  echo "trying to fetch POSTGRES_OLD_VERSION by connecting to database container and echoing the environment variable PG_VERSION"
+  POSTGRES_OLD_VERSION=$(docker exec mattermost-docker_db_1 bash -c 'echo $PG_VERSION') # i.e. 9.4
+  if [[ $POSTGRES_OLD_VERSION == "" ]]; then
+    echo "could not connect to database container to get PG_VERSION"
+    echo "please run 'export POSTGRES_OLD_VERSION=i.e. 9.4' before running this script"
+    echo "check by i.e. running 'sudo cat $PATH_TO_MATTERMOST_DOCKER/volumes/db/var/lib/postgresql/data/PG_VERSION'"
+    exit 1
+  fi
+  echo "found POSTGRES_OLD_VERSION=$POSTGRES_OLD_VERSION"
+fi
+
+if [[ $POSTGRES_NEW_VERSION == "" ]]; then
+  echo "no exported POSTGRES_NEW_VERSION environment variable found"
+  echo "setting POSTGRES_NEW_VERSION environment variable to default 13"
+  POSTGRES_NEW_VERSION=13 # i.e. 13
+  echo "set POSTGRES_NEW_VERSION=$POSTGRES_NEW_VERSION"
+fi
+
+
+if [[ $POSTGRES_DOCKER_TAG == "" ]]; then
+  echo "no exported POSTGRES_DOCKER_TAG environment variable found"
+  echo "setting POSTGRES_DOCKER_TAG environment variable to default 13.2-alpine"
+  echo "tag needs to be an alpine release to include python3-dev found here - https://hub.docker.com/_/postgres"
+  POSTGRES_DOCKER_TAG=13.2-alpine # i.e. '13.2-alpine'
+  echo "set POSTGRES_DOCKER_TAG=$POSTGRES_DOCKER_TAG"
+fi
+
+if [[ $POSTGRES_OLD_DOCKER_FROM == "" ]]; then
+  echo "no exported POSTGRES_OLD_DOCKER_FROM environment variable found"
+  echo "setting POSTGRES_OLD_DOCKER_FROM to default '$(grep 'FROM postgres' "$PATH_TO_MATTERMOST_DOCKER"/db/Dockerfile)'"
+  POSTGRES_OLD_DOCKER_FROM=$(grep 'FROM postgres' "$PATH_TO_MATTERMOST_DOCKER/db/Dockerfile")
+  echo "set POSTGRES_OLD_DOCKER_FROM=$POSTGRES_OLD_DOCKER_FROM"
+fi
+
+if [[ $POSTGRES_NEW_DOCKER_FROM == "" ]]; then
+  echo "no exported POSTGRES_NEW_DOCKER_FROM environment variable found"
+  echo "setting POSTGRES_NEW_DOCKER_FROM to default 'FROM postgres:$POSTGRES_DOCKER_TAG'"
+  POSTGRES_NEW_DOCKER_FROM="FROM postgres:$POSTGRES_DOCKER_TAG"
+  echo "set POSTGRES_NEW_DOCKER_FROM=$POSTGRES_NEW_DOCKER_FROM"
+fi
+
+if [[ $POSTGRES_UPGRADE_LINE == "" ]]; then
+  echo "no exported POSTGRES_UPGRADE_LINE environment variable found"
+  echo "setting POSTGRES_UPGRADE_LINE to default $POSTGRES_OLD_VERSION-to-$POSTGRES_POSTGRES_NEW_VERSION"
+  echo "the POSTGRES_UPGRADE_LINE needs to match a folder found here - https://github.com/tianon/docker-postgres-upgrade"
+  echo "it should read 'old-to-new'"
+  POSTGRES_UPGRADE_LINE=$POSTGRES_OLD_VERSION-to-$POSTGRES_NEW_VERSION # i.e. '9.4-to-13'
+  echo "set POSTGRES_UPGRADE_LINE=$POSTGRES_UPGRADE_LINE"
+fi
+
+printf "\n"
+if [[ $MM_OLD_VERSION == "" ]]; then
+  echo "trying to fetch MM_OLD_VERSION from $PATH_TO_MATTERMOST_DOCKER/docker-compose.yml"
+  MM_OLD_VERSION=$(grep ".*-.*MM_VERSION=.*" "$PATH_TO_MATTERMOST_DOCKER"/docker-compose.yml | sed s~.*-.*MM_VERSION=~~g)
+  if [[ $MM_OLD_VERSION == "" ]]; then
+    echo "could not find MM_OLD_VERSION set in $PATH_TO_MATTERMOST_DOCKER/docker-compose.yml"
+    echo "please run 'export MM_OLD_VERSION=yourMMVersion' before running this script"
+    exit 1
+  fi
+  echo "found MM_OLD_VERSION=$MM_OLD_VERSION"
+fi
+
+if [[ $MM_NEW_VERSION == "" ]]; then
+  echo "no exported MM_NEW_VERSION environment variable found"
+  echo "setting MM_NEW_VERSION to default 5.32.1"
+  MM_NEW_VERSION=5.32.1
+  echo "found MM_NEW_VERSION=$MM_NEW_VERSION"
+fi
+
+printf "\n"
+echo "Path to mattermost-docker: $PATH_TO_MATTERMOST_DOCKER"
+echo "Postgres user: redacted"
+echo "Postgres password: redacted"
+echo "Postgres database name: $POSTGRES_DB"
+echo "Postgres old version: $POSTGRES_OLD_VERSION"
+echo "Postgres new version: $POSTGRES_NEW_VERSION"
+echo "Postgres alpine docker tag including python3-dev: $POSTGRES_DOCKER_TAG"
+echo "Postgres old Dockerfile: $POSTGRES_OLD_DOCKER_FROM"
+echo "Postgres new Dockerfile: $POSTGRES_NEW_DOCKER_FROM"
+echo "Postgres upgrade-line matches a folder here - https://github.com/tianon/docker-postgres-upgrade: $POSTGRES_UPGRADE_LINE"
+echo "Mattermost old version: $MM_OLD_VERSION"
+echo "Mattermost new version: $MM_NEW_VERSION"
+printf "\n"
+df -h
+read -rp "Please make sure you have enough disk space left on your devices. Try to backup and upgrade now? (y/n)" choice
+if [[ "$choice" != "y" && "$choice" != "Y" && "$choice" != "yes" ]]; then
+  exit 0;
+fi
+
+##
+## Script Start
+##
+cd "$PATH_TO_MATTERMOST_DOCKER"
+docker-compose stop
+
+# Creating a backup folder and backing up the mattermost / database.
+mkdir "$PATH_TO_MATTERMOST_DOCKER"/backups
+DATE=$(date +'%F-%H-%M')
+cp -ra "$PATH_TO_MATTERMOST_DOCKER"/volumes/app/mattermost/ "$PATH_TO_MATTERMOST_DOCKER"/backups/mattermost-backup-"$DATE"/
+cp -ra "$PATH_TO_MATTERMOST_DOCKER"/volumes/db/ "$PATH_TO_MATTERMOST_DOCKER"/backups/database-backup-"$DATE"/
+
+mkdir "$PATH_TO_MATTERMOST_DOCKER"/volumes/db/"$POSTGRES_OLD_VERSION"
+mv "$PATH_TO_MATTERMOST_DOCKER"/volumes/db/var/lib/postgresql/data/ "$PATH_TO_MATTERMOST_DOCKER"/volumes/db/"$POSTGRES_OLD_VERSION"
+rm -rf "$PATH_TO_MATTERMOST_DOCKER"/volumes/db/var
+mkdir -p "$PATH_TO_MATTERMOST_DOCKER"/volumes/db/$POSTGRES_NEW_VERSION/data
+
+
+sed -i "s/$POSTGRES_OLD_DOCKER_FROM/$POSTGRES_NEW_DOCKER_FROM/" "$PATH_TO_MATTERMOST_DOCKER"/db/Dockerfile
+sed -i "s/python-dev/python3-dev/" "$PATH_TO_MATTERMOST_DOCKER"/db/Dockerfile
+sed -i "s/$MM_OLD_VERSION/$MM_NEW_VERSION/" "$PATH_TO_MATTERMOST_DOCKER"/app/Dockerfile
+
+
+# replacing the old postgres path with a new path
+sed -i "s#./volumes/db/var/lib/postgresql/data:/var/lib/postgresql/data#./volumes/db/$POSTGRES_NEW_VERSION/data:/var/lib/postgresql/data#" "$PATH_TO_MATTERMOST_DOCKER"/docker-compose.yml
+
+# migrate the database to the new postgres version
+docker run --rm \
+    -e PGUSER="$POSTGRES_USER" \
+    -e POSTGRES_INITDB_ARGS=" -U $POSTGRES_USER" \
+    -e POSTGRES_PASSWORD="$POSTGRES_PASSWORD" \
+    -e POSTGRES_DB="$POSTGRES_DB" \
+    -v "$PATH_TO_MATTERMOST_DOCKER"/volumes/db:/var/lib/postgresql \
+    tianon/postgres-upgrade:"$POSTGRES_UPGRADE_LINE" \
+    --link
+
+cp -p "$PATH_TO_MATTERMOST_DOCKER"/volumes/db/"$POSTGRES_OLD_VERSION"/data/pg_hba.conf "$PATH_TO_MATTERMOST_DOCKER"/volumes/db/$POSTGRES_NEW_VERSION/data/
+
+# rebuild the containers
+docker-compose build
+docker-compose up -d
+
+# reindex the database
+echo "REINDEX SCHEMA CONCURRENTLY public;" | docker exec mattermost-docker_db_1 psql -U "$POSTGRES_USER" "$POSTGRES_DB"
+cd -

mkdocs

@@ -1 +0,0 @@
-../rskio/mkdocs

paperless/compose.env

@@ -0,0 +1,37 @@
+###############################################################################
+# Paperless-ngx settings                                                      #
+###############################################################################
+
+# See http://docs.paperless-ngx.com/configuration/ for all available options.
+
+# The UID and GID of the user used to run paperless in the container. Set this
+# to your UID and GID on the host so that you have write access to the
+# consumption directory.
+USERMAP_UID=1000
+USERMAP_GID=1000
+
+# See the documentation linked above for all options. A few commonly adjusted settings
+# are provided below.
+
+# This is required if you will be exposing Paperless-ngx on a public domain
+# (if doing so please consider security measures such as reverse proxy)
+PAPERLESS_URL=https://paperless.rskio.com
+
+# Adjust this key if you plan to make paperless available publicly. It should
+# be a very long sequence of random characters. You don't need to remember it.
+PAPERLESS_SECRET_KEY=g8fjagl-ahgzxl0-b8zujk1s
+
+# Use this variable to set a timezone for the Paperless Docker containers. Defaults to UTC.
+PAPERLESS_TIME_ZONE=America/Denver
+
+# The default language to use for OCR. Set this to the language most of your
+# documents are written in.
+#PAPERLESS_OCR_LANGUAGE=eng
+
+# Additional languages to install for text recognition, separated by a whitespace.
+# Note that this is different from PAPERLESS_OCR_LANGUAGE (default=eng), which defines
+# the language used for OCR.
+# The container installs English, German, Italian, Spanish and French by default.
+# See https://packages.debian.org/search?keywords=tesseract-ocr-&searchon=names&suite=buster
+# for available languages.
+#PAPERLESS_OCR_LANGUAGES=tur ces

paperless/compose.yml

@@ -0,0 +1,58 @@
+services:
+  broker:
+    image: docker.io/library/redis:8
+    restart: unless-stopped
+    volumes:
+      - redisdata:/data
+    networks:
+      - default
+  db:
+    image: docker.io/library/postgres:17
+    restart: unless-stopped
+    volumes:
+      - pgdata:/var/lib/postgresql/data
+    environment:
+      POSTGRES_DB: paperless
+      POSTGRES_USER: paperless
+      POSTGRES_PASSWORD: paperless
+    networks:
+      - default
+  service:
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.paperless.entrypoints=websecure
+      - traefik.http.routers.paperless.rule=Host(`paperless.rskio.com`)
+      - traefik.http.routers.paperless.middlewares=secureHeaders@file
+      - traefik.http.routers.paperless.tls=true
+      - traefik.http.routers.paperless.tls.options=internal@file
+      - traefik.http.routers.paperless.service=paperless@docker
+      - traefik.http.services.paperless.loadbalancer.server.port=8000
+      - traefik.http.routers.paperless.tls.certresolver=rskio_certresolver
+    image: ghcr.io/paperless-ngx/paperless-ngx:latest
+    restart: unless-stopped
+    depends_on:
+      - db
+      - broker
+    volumes:
+      - data:/usr/src/paperless/data
+      - media:/usr/src/paperless/media
+      - ./export:/usr/src/paperless/export
+      - ./consume:/usr/src/paperless/consume
+    env_file: compose.env
+    environment:
+      PAPERLESS_REDIS: redis://broker:6379
+      PAPERLESS_DBHOST: db
+    networks:
+      - default
+      - traefik
+
+volumes:
+  data:
+  media:
+  pgdata:
+  redisdata:
+
+networks:
+  traefik:
+    external: true
+  default: {}

paste/compose.yml

@@ -0,0 +1,25 @@
+services:
+  service:
+    image: orhunp/rustypaste:latest
+    restart: unless-stopped
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.paste.entrypoints=websecure
+      - traefik.http.routers.paste.rule=Host(`paste.rskio.com`)
+      - traefik.http.routers.paste.tls=true
+      - traefik.http.routers.paste.tls.options=external@file
+      - traefik.http.routers.paste.tls.certresolver=rskio_certresolver
+      - traefik.http.routers.paste.middlewares=secureHeaders@file
+      - traefik.http.routers.paste.service=paste@docker
+      - traefik.http.services.paste.loadbalancer.server.port=8000
+    environment:
+      - RUST_LOG=debug
+    volumes:
+      - ./paste/data/:/app/upload
+      - ./paste/config.toml:/app/config.toml
+    networks:
+      - traefik
+
+networks:
+  traefik:
+    external: true

paste/config.toml

@@ -0,0 +1,62 @@
+[config]
+refresh_rate = "3s"
+
+[server]
+address = "127.0.0.1:8000"
+url = "https://paste.rskio.com"
+#workers=4
+max_content_length = "10MB"
+upload_path = "./upload"
+timeout = "30s"
+expose_version = false
+expose_list = false
+#auth_tokens = [
+#  "super_secret_token1",
+#  "super_secret_token2",
+#]
+#delete_tokens = [
+#  "super_secret_token1",
+#  "super_secret_token3",
+#]
+handle_spaces = "replace" # or "encode"
+
+[landing_page]
+text = """
+┌─┐┌─┐┬┌─┬┌─┐  ┌─┐┌─┐┌─┐┌┬┐┌─┐
+├┬┘└─┐├┴┐││ │  ├─┘├─┤└─┐ │ ├┤
+┴└─└─┘┴ ┴┴└─┘  ┴  ┴ ┴└─┘ ┴ └─┘
+
+Submit files via HTTP POST here:
+    curl -F 'file=@example.txt' paste.rskio.com
+This will return the URL of the uploaded file.
+
+Content expires 24 hours.
+
+The content may be removed without warning.
+"""
+#file = "index.txt"
+content_type = "text/plain; charset=utf-8"
+
+[paste]
+random_url = { type = "petname", words = 2, separator = "-" }
+#random_url = { type = "alphanumeric", length = 8 }
+#random_url = { type = "alphanumeric", length = 8, no_extension = true }
+#random_url = { type = "alphanumeric", length = 6, suffix_mode = true }
+default_extension = "txt"
+mime_override = [
+  { mime = "image/jpeg", regex = "^.*\\.jpg$" },
+  { mime = "image/png", regex = "^.*\\.png$" },
+  { mime = "image/svg+xml", regex = "^.*\\.svg$" },
+  { mime = "video/webm", regex = "^.*\\.webm$" },
+  { mime = "video/x-matroska", regex = "^.*\\.mkv$" },
+  { mime = "application/octet-stream", regex = "^.*\\.bin$" },
+  { mime = "text/plain", regex = "^.*\\.(log|txt|diff|sh|rs|toml)$" },
+]
+mime_blacklist = [
+  "application/x-dosexec",
+  "application/java-archive",
+  "application/java-vm",
+]
+duplicate_files = true
+# default_expiry = "1h"
+delete_expired_files = { enabled = true, interval = "24h" }

pihole/.env

@@ -0,0 +1 @@
+PIHOLE_SECRET=deviceADMIN

pihole/compose.yml

@@ -0,0 +1,28 @@
+services:
+  service:
+    image: pihole/pihole:latest
+    ports:
+      - "192.168.1.152:53:53/tcp"
+      - "192.168.1.152:53:53/udp"
+      - "8001:80/tcp"
+      #- "443:443/tcp"
+      #- "67:67/udp"
+      #- "123:123/udp"
+    environment:
+      TZ: "America/Denver"
+      FTLCONF_webserver_api_password: ${PIHOLE_SECRET}
+      FTLCONF_dns_listeningMode: "all"
+    volumes:
+      - "./etc-pihole:/etc/pihole"
+      #- './etc-dnsmasq.d:/etc/dnsmasq.d'
+    cap_add:
+      - NET_ADMIN
+      - SYS_TIME
+      - SYS_NICE
+    restart: unless-stopped
+    networks:
+      - traefik
+
+networks:
+  traefik:
+    external: true

setup-network.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Create shared network for Traefik and all services
+NETWORK_NAME="traefik"
+
+echo "Setting up Docker network: $NETWORK_NAME"
+
+# Check if network already exists
+if docker network ls | grep -q "$NETWORK_NAME"; then
+    echo "Network $NETWORK_NAME already exists"
+else
+    # Create the network with a specific subnet to ensure consistency
+    docker network create \
+        --driver bridge \
+        --subnet=172.20.0.0/16 \
+        --gateway=172.20.0.1 \
+        "$NETWORK_NAME"
+fi
+
+echo "Network details:"
+docker network inspect "$NETWORK_NAME" | grep -E "(Name|Subnet|Gateway)"

traefik/compose.yml

@@ -0,0 +1,22 @@
+services:
+  ingress:
+    image: traefik:latest
+    restart: unless-stopped
+    command:
+      - --configFile=/etc/traefik/traefik.yml
+    ports:
+      - 80:80/tcp
+      - 443:443/tcp
+      - 443:443/udp
+      - 8080:8080/tcp
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/log/traefik:/var/log/traefik
+      - ./etc:/etc/traefik:ro
+      - ./tls:/letsencrypt
+    networks:
+      - traefik
+
+networks:
+  traefik:
+    external: true

traefik/etc/dynamic.yml

@@ -1,50 +1,167 @@
+defaultTLS: &defaultTLS
+  minVersion: VersionTLS13
+  cipherSuites:
+    - TLS_AES_256_GCM_SHA384
+    - TLS_AES_128_GCM_SHA256
+    - TLS_CHACHA20_POLY1305_SHA256
+    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+    - TLS_FALLBACK_SCSV
+
 tls:
   options:
-    docs:
-      minVersion: VersionTLS13
-      cipherSuites:
-        - TLS_AES_256_GCM_SHA384
-        - TLS_AES_128_GCM_SHA256
-        - TLS_CHACHA20_POLY1305_SHA256
-        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
-        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
-        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-        - TLS_FALLBACK_SCSV
-    dashboard:
-      minVersion: VersionTLS13
-      cipherSuites:
-        - TLS_AES_256_GCM_SHA384
-        - TLS_AES_128_GCM_SHA256
-        - TLS_CHACHA20_POLY1305_SHA256
-        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
-        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
-        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-        - TLS_FALLBACK_SCSV
+    external:
+      <<: *defaultTLS
+
+    internal:
       clientAuth:
         caFiles:
           - /etc/traefik/com.rskio.ca.crt
         clientAuthType: RequireAndVerifyClientCert
+      <<: *defaultTLS
 
 http:
   routers:
-    traefik-dashboard:
-      rule: "Host(`oxy.rskio.com`)"
-      service: "api@internal"
+    stream:
+      rule: Host(`stream.rskio.com`)
+      service: stream@file
       entryPoints:
-        - "websecure"
-      middlewares:
-        - "redirect-dashboard"
+        - websecure
       tls:
-        options: dashboard@file
+        options: external@file
         certResolver: rskio_certresolver
+
+    #    storage:
+    #      rule: Host(`storage.rskio.com`)
+    #      service: storage@file
+    #      entryPoints:
+    #        - websecure
+    #      tls:
+    #        options: internal@file
+    #        certResolver: rskio_certresolver
+    #
+    #    metrics:
+    #      rule: Host(`metrics.rskio.com`)
+    #      service: metrics@file
+    #      entryPoints:
+    #        - websecure
+    #      tls:
+    #        options: internal@file
+    #        certResolver: rskio_certresolver
+
+    pihole:
+      rule: Host(`dns.rskio.com`)
+      service: pihole@file
+      entryPoints:
+        - websecure
+      middlewares:
+        - redirect-pihole
+      tls:
+        options: internal@file
+        certResolver: rskio_certresolver
+
+    #    ghost:
+    #      rule: Host(`blog.rskio.com`)
+    #      service: ghost@file
+    #      entryPoints:
+    #        - websecure
+    #      middlewares:
+    #        - secureHeaders
+    #      tls:
+    #        options: external@file
+    #        certResolver: rskio_certresolver
+
+    network:
+      rule: Host(`network.rskio.com`)
+      service: network@file
+      entryPoints:
+        - websecure
+      middlewares:
+        - secureHeaders
+      tls:
+        options: internal@file
+        certResolver: rskio_certresolver
+
+    core01kvm:
+      rule: Host(`core01.rskio.com`)
+      service: core01kvm@file
+      entrypoints:
+        - websecure
+      middlewares:
+        - secureHeaders
+      tls:
+        options: internal@file
+        certResolver: rskio_certresolver
+
+    traefik-dashboard:
+      rule: Host(`oxy.rskio.com`)
+      service: api@internal
+      entryPoints:
+        - websecure
+      middlewares:
+        - redirect-dashboard
+      tls:
+        options: internal@file
+        certResolver: rskio_certresolver
+
+  serversTransports:
+    backendIgnoreTLS:
+      insecureSkipVerify: true
+
+  services:
+    stream:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.1.179:8096"
+
+    #    storage:
+    #      loadBalancer:
+    #        servers:
+    #          - url: "https://192.168.1.230:8443"
+    #        serversTransport: backendIgnoreTLS
+    #
+    #    metrics:
+    #      loadBalancer:
+    #        servers:
+    #          - url: "https://192.168.1.230:3000"
+    #        serversTransport: backendIgnoreTLS
+
+    pihole:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.1.152:8001"
+
+    #    ghost:
+    #      loadBalancer:
+    #        servers:
+    #          - url: "http://192.168.1.152:2368"
+
+    network:
+      loadBalancer:
+        servers:
+          - url: "https://192.168.1.254"
+        serversTransport: backendIgnoreTLS
+
+    core01kvm:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.1.202"
+
   middlewares:
     redirect-dashboard:
       redirectRegex:
         regex: "^https?://([^/]+)/?$"
         replacement: "https://${1}/dashboard/"
         permanent: true
+
+    redirect-pihole:
+      redirectRegex:
+        regex: "^https?://([^/]+)/?$"
+        replacement: "https://${1}/admin/"
+        permanent: true
+
     secureHeaders:
       headers:
         browserXssFilter: true

traefik/etc/traefik.yml

@@ -37,7 +37,7 @@ api:
 providers:
   docker:
     endpoint: unix:///var/run/docker.sock
-    network: hq_default
+    network: traefik
     exposedByDefault: false
   file:
     filename: /etc/traefik/dynamic.yml