hhf/deployment
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Initialize configuration files and secrets for the application

Browse source
This commit is contained in:
HHF Technology 2025-02-11 21:01:44 +05:30
parent 0eaa0e4a49
commit 4aea402df2
78 changed files with 2338 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

0
.gitignore vendored Normal file
View file

21
appdata/crowdsec/acquis.yaml Normal file
View file

@ -0,0 +1,21 @@
#filenames:
# - /var/log/nginx/*.log
# - ./tests/nginx/nginx.log
##this is not a syslog log, indicate which kind of logs it is
#labels:
# type: nginx
---
filenames:
- /var/log/auth.log
- /var/log/syslog
labels:
type: syslog
---
#filename: /var/log/apache2/*.log
#labels:
# type: apache2
---
filenames:
- /var/log/traefik/traefik-access.log
labels:
type: traefik

330
appdata/crowdsec/ban.html Normal file
View file

@ -0,0 +1,330 @@
<!DOCTYPE html>
<html lang="en">
<head>
<title>CrowdSec Access Forbidden</title>
<meta content="text/html; charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<style>
/*! tailwindcss v3.2.7 | MIT License | https://tailwindcss.com*/
*,
:after,
:before {
border: 0 solid #e5e7eb;
box-sizing: border-box
}
:after,
:before {
--tw-content: ""
}
html {
-webkit-text-size-adjust: 100%;
font-feature-settings: normal;
font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, Segoe UI, Roboto, Helvetica Neue, Arial, Noto Sans, sans-serif, Apple Color Emoji, Segoe UI Emoji, Segoe UI Symbol, Noto Color Emoji;
line-height: 1.5;
-moz-tab-size: 4;
-o-tab-size: 4;
tab-size: 4
}
body {
line-height: inherit;
margin: 0
}
h1,
h2,
h3,
h4,
h5,
h6 {
font-size: inherit;
font-weight: inherit
}
a {
color: inherit;
text-decoration: inherit
}
h1,
h2,
h3,
h4,
h5,
h6,
hr,
p,
pre {
margin: 0
}
*,
::backdrop,
:after,
:before {
--tw-border-spacing-x: 0;
--tw-border-spacing-y: 0;
--tw-translate-x: 0;
--tw-translate-y: 0;
--tw-rotate: 0;
--tw-skew-x: 0;
--tw-skew-y: 0;
--tw-scale-x: 1;
--tw-scale-y: 1;
--tw-pan-x: ;
--tw-pan-y: ;
--tw-pinch-zoom: ;
--tw-scroll-snap-strictness: proximity;
--tw-ordinal: ;
--tw-slashed-zero: ;
--tw-numeric-figure: ;
--tw-numeric-spacing: ;
--tw-numeric-fraction: ;
--tw-ring-inset: ;
--tw-ring-offset-width: 0px;
--tw-ring-offset-color: #fff;
--tw-ring-color: #3b82f680;
--tw-ring-offset-shadow: 0 0 #0000;
--tw-ring-shadow: 0 0 #0000;
--tw-shadow: 0 0 #0000;
--tw-shadow-colored: 0 0 #0000;
--tw-blur: ;
--tw-brightness: ;
--tw-contrast: ;
--tw-grayscale: ;
--tw-hue-rotate: ;
--tw-invert: ;
--tw-saturate: ;
--tw-sepia: ;
--tw-drop-shadow: ;
--tw-backdrop-blur: ;
--tw-backdrop-brightness: ;
--tw-backdrop-contrast: ;
--tw-backdrop-grayscale: ;
--tw-backdrop-hue-rotate: ;
--tw-backdrop-invert: ;
--tw-backdrop-opacity: ;
--tw-backdrop-saturate: ;
--tw-backdrop-sepia:
}
.flex {
display: flex
}
.flex-wrap {
flex-wrap: wrap
}
.inline-flex {
display: inline-flex
}
.h-24 {
height: 6rem
}
.h-6 {
height: 1.5rem
}
.h-full {
height: 100%
}
.h-screen {
height: 100vh
}
.text-center {
text-align: center
}
.w-24 {
width: 6rem
}
.w-6 {
width: 1.5rem
}
.w-full {
width: 100%
}
.w-screen {
width: 100vw
}
.my-3 {
margin-top: 0.75rem;
margin-bottom: 0.75rem
}
.flex-col {
flex-direction: column
}
.items-center {
align-items: center
}
.justify-center {
justify-content: center
}
.justify-between {
justify-content: space-between
}
.space-y-1>:not([hidden])~:not([hidden]) {
--tw-space-y-reverse: 0;
margin-bottom: calc(.25rem*var(--tw-space-y-reverse));
margin-top: calc(.25rem*(1 - var(--tw-space-y-reverse)))
}
.space-y-4>:not([hidden])~:not([hidden]) {
--tw-space-y-reverse: 0;
margin-bottom: calc(1rem*var(--tw-space-y-reverse));
margin-top: calc(1rem*(1 - var(--tw-space-y-reverse)))
}
.rounded-xl {
border-radius: .75rem
}
.border-2 {
border-width: 2px
}
.border-black {
--tw-border-opacity: 1;
border-color: rgb(0 0 0/var(--tw-border-opacity))
}
.p-4 {
padding: 1rem
}
.px-4 {
padding-left: 1rem;
padding-right: 1rem
}
.py-2 {
padding-bottom: .5rem;
padding-top: .5rem
}
.text-2xl {
font-size: 1.5rem;
line-height: 2rem
}
.text-sm {
font-size: .875rem;
line-height: 1.25rem
}
.text-xl {
font-size: 1.25rem;
line-height: 1.75rem
}
.font-bold {
font-weight: 700
}
.text-white {
--tw-text-opacity: 1;
color: rgb(255 255 255/var(--tw-text-opacity))
}
@media (min-width:640px) {
.sm\:w-2\/3 {
width: 66.666667%
}
}
@media (min-width:768px) {
.md\:flex-row {
flex-direction: row
}
}
@media (min-width:1024px) {
.lg\:w-1\/2 {
width: 50%
}
.lg\:text-3xl {
font-size: 1.875rem;
line-height: 2.25rem
}
.lg\:text-xl {
font-size: 1.25rem;
line-height: 1.75rem
}
}
@media (min-width:1280px) {
.xl\:text-4xl {
font-size: 2.25rem;
line-height: 2.5rem
}
}
</style>
</head>
<body class="h-screen w-screen p-4">
<div class="h-full w-full flex flex-col justify-center items-center">
<div class="border-2 border-black rounded-xl p-4 text-center w-full sm:w-2/3 lg:w-1/2">
<div class="flex flex-col items-center space-y-4">
<svg fill="black" class="h-24 w-24" aria-hidden="true" focusable="false" data-prefix="fas"
data-icon="exclamation-triangle" role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512"
class="warning">
<path
d="M569.517 440.013C587.975 472.007 564.806 512 527.94 512H48.054c-36.937 0-59.999-40.055-41.577-71.987L246.423 23.985c18.467-32.009 64.72-31.951 83.154 0l239.94 416.028zM288 354c-25.405 0-46 20.595-46 46s20.595 46 46 46 46-20.595 46-46-20.595-46-46-46zm-43.673-165.346l7.418 136c.347 6.364 5.609 11.346 11.982 11.346h48.546c6.373 0 11.635-4.982 11.982-11.346l7.418-136c.375-6.874-5.098-12.654-11.982-12.654h-63.383c-6.884 0-12.356 5.78-11.981 12.654z">
</path>
</svg>
<h1 class="text-2xl lg:text-3xl xl:text-4xl">CrowdSec Access Forbidden</h1>
</div>
<div class="flex justify-center flex-wrap">
<p class="my-3">This security check has been powered by</p>
<a href="https://crowdsec.net/" target="_blank" rel="noopener" class="inline-flex flex-col items-center">
<svg fill="black" width="33.92" height="33.76" viewBox="0 0 254.4 253.2">
<defs>
<clipPath id="a">
<path d="M0 52h84v201.2H0zm0 0" />
</clipPath>
<clipPath id="b">
<path d="M170 52h84.4v201.2H170zm0 0" />
</clipPath>
</defs>
<path
d="M59.3 128.4c1.4 2.3 2.5 4.6 3.4 7-1-4.1-2.3-8.1-4.3-12-3.1-6-7.8-5.8-10.7 0-2 4-3.2 8-4.3 12.1 1-2.4 2-4.8 3.4-7.1 3.4-5.8 8.8-6 12.5 0M207.8 128.4a42.9 42.9 0 013.4 7c-1-4.1-2.3-8.1-4.3-12-3.2-6-7.8-5.8-10.7 0-2 4-3.3 8-4.3 12.1.9-2.4 2-4.8 3.4-7.1 3.4-5.8 8.8-6 12.5 0M134.6 92.9c2 3.5 3.6 7 4.8 10.7-1.3-5.4-3-10.6-5.6-15.7-4-7.5-9.7-7.2-13.3 0a75.4 75.4 0 00-5.6 16c1.2-3.8 2.7-7.4 4.7-11 4.1-7.2 10.6-7.5 15 0M43.8 136.8c.9 4.6 3.7 8.3 7.3 9.2 0 2.7 0 5.5.2 8.2.3 3.3.4 6.6 1 9.6.3 2.3 1 2.2 1.3 0 .5-3 .6-6.3 1-9.6l.2-8.2c3.5-1 6.4-4.6 7.2-9.2a17.8 17.8 0 01-9 2.4c-3.5 0-6.6-1-9.2-2.4M192.4 136.8c.8 4.6 3.7 8.3 7.2 9.2 0 2.7 0 5.5.3 8.2.3 3.3.4 6.6 1 9.6.3 2.3.9 2.2 1.2 0 .6-3 .7-6.3 1-9.6.2-2.7.3-5.5.2-8.2 3.6-1 6.4-4.6 7.3-9.2a17.8 17.8 0 01-9.1 2.4c-3.4 0-6.6-1-9.1-2.4M138.3 104.6c-3.1 1.9-7 3-11.3 3-4.3 0-8.2-1.1-11.3-3 1 5.8 4.5 10.3 9 11.5 0 3.4 0 6.8.3 10.2.4 4.1.5 8.2 1.2 12 .4 2.9 1.2 2.7 1.6 0 .7-3.8.8-7.9 1.2-12 .3-3.4.3-6.8.3-10.2 4.5-1.2 8-5.7 9-11.5" />
<path
d="M51 146c0 2.7.1 5.5.3 8.2.3 3.3.4 6.6 1 9.6.3 2.3 1 2.2 1.3 0 .5-3 .6-6.3 1-9.6l.2-8.2c3.5-1 6.4-4.6 7.2-9.2a17.8 17.8 0 01-9 2.4c-3.5 0-6.6-1-9.2-2.4.9 4.6 3.7 8.3 7.3 9.2M143.9 105c-1.9-.4-3.5-1.2-4.9-2.3 1.4 5.6 2.5 11.3 4 17 1.2 5 2 10 2.4 15 .6 7.8-4.5 14.5-10.9 14.5h-15c-6.4 0-11.5-6.7-11-14.5.5-5 1.3-10 2.6-15 1.3-5.3 2.3-10.5 3.6-15.7-2.2 1.2-4.8 1.9-7.7 2-4.7.1-9.4-.3-14-1-4-.4-6.7-3-8-6.7-1.3-3.4-2-7-3.3-10.4-.5-1.5-1.6-2.8-2.4-4.2-.4-.6-.8-1.2-.9-1.8v-7.8a77 77 0 0124.5-3c6.1 0 12 1 17.8 3.2 4.7 1.7 9.7 1.8 14.4 0 9-3.4 18.2-3.8 27.5-3 4.9.5 9.8 1.6 14.8 2.4v8.2c0 .6-.3 1.5-.7 1.7-2 .9-2.2 2.7-2.7 4.5-.9 3.2-1.8 6.4-2.9 9.5a11 11 0 01-8.8 7.7 40.6 40.6 0 01-18.4-.2m29.4 80.6c-3.2-26.8-6.4-50-8.9-60.7a14.3 14.3 0 0014.1-14h.4a9 9 0 005.6-16.5 14.3 14.3 0 00-3.7-27.2 9 9 0 00-6.9-14.6c2.4-1.1 4.5-3 5.8-5 3.4-5.3 4-29-8-44.4-5-6.3-9.8-2.5-10 1.8-1 13.2-1.1 23-4.5 34.3a9 9 0 00-16-4.1 14.3 14.3 0 00-28.4 0 9 9 0 00-16 4.1c-3.4-11.2-3.5-21.1-4.4-34.3-.3-4.3-5.2-8-10-1.8-12 15.3-11.5 39-8.1 44.4 1.3 2 3.4 3.9 5.8 5a9 9 0 00-7 14.6 14.3 14.3 0 00-3.6 27.2A9 9 0 0075 111h.5a14.5 14.5 0 0014.3 14c-4 17.2-10 66.3-15 111.3l-1.3 13.4a1656.4 1656.4 0 01106.6 0l-1.4-12.7-5.4-51.3" />
<g clip-path="url(#a)">
<path
d="M83.5 136.6l-2.3.7c-5 1-9.8 1-14.8-.2-1.4-.3-2.7-1-3.8-1.9l3.1 13.7c1 4 1.7 8 2 12 .5 6.3-3.6 11.6-8.7 11.6H46.9c-5.1 0-9.2-5.3-8.7-11.6.3-4 1-8 2-12 1-4.2 1.8-8.5 2.9-12.6-1.8 1-3.9 1.5-6.3 1.6a71 71 0 01-11.1-.7 7.7 7.7 0 01-6.5-5.5c-1-2.7-1.6-5.6-2.6-8.3-.4-1.2-1.3-2.3-2-3.4-.2-.4-.6-1-.6-1.4v-6.3c6.4-2 13-2.6 19.6-2.5 4.9.1 9.6 1 14.2 2.6 3.9 1.4 7.9 1.5 11.7 0 1.8-.7 3.6-1.2 5.5-1.6a13 13 0 01-1.6-15.5A18.3 18.3 0 0159 73.1a11.5 11.5 0 00-17.4 8.1 7.2 7.2 0 00-12.9 3.3c-2.7-9-2.8-17-3.6-27.5-.2-3.4-4-6.5-8-1.4C7.5 67.8 7.9 86.9 10.6 91c1.1 1.7 2.8 3.1 4.7 4a7.2 7.2 0 00-5.6 11.7 11.5 11.5 0 00-2.9 21.9 7.2 7.2 0 004.5 13.2h.3c0 .6 0 1.1.2 1.7.9 5.4 5.6 9.5 11.3 9.5A1177.2 1177.2 0 0010 253.2c18.1-1.5 38.1-2.6 59.5-3.4.4-4.6.8-9.3 1.4-14 1.2-11.6 3.3-30.5 5.7-49.7 2.2-18 4.7-36.3 7-49.5" />
</g>
<g clip-path="url(#b)">
<path
d="M254.4 118.2c0-5.8-4.2-10.5-9.7-11.4a7.2 7.2 0 00-5.6-11.7c2-.9 3.6-2.3 4.7-4 2.7-4.2 3.1-23.3-6.5-35.5-4-5.1-7.8-2-8 1.4-.8 10.5-.9 18.5-3.6 27.5a7.2 7.2 0 00-12.8-3.3 11.5 11.5 0 00-17.8-7.9 18.4 18.4 0 01-4.5 22 13 13 0 01-1.3 15.2c2.4.5 4.8 1 7.1 2 3.8 1.3 7.8 1.4 11.6 0 7.2-2.8 14.6-3 22-2.4 4 .4 7.9 1.2 12 1.9l-.1 6.6c0 .5-.2 1.2-.5 1.3-1.7.7-1.8 2.2-2.2 3.7l-2.3 7.6a8.8 8.8 0 01-7 6.1c-5 1-10 1-14.9-.2-1.5-.3-2.8-1-3.9-1.9 1.2 4.5 2 9.1 3.2 13.7 1 4 1.6 8 2 12 .4 6.3-3.6 11.6-8.8 11.6h-12c-5.2 0-9.3-5.3-8.8-11.6.4-4 1-8 2-12 1-4.2 1.9-8.5 3-12.6-1.8 1-4 1.5-6.3 1.6-3.7 0-7.5-.3-11.2-.7a7.7 7.7 0 01-3.7-1.5c3.1 18.4 7.1 51.2 12.5 100.9l.6 5.3.8 7.9c21.4.7 41.5 1.9 59.7 3.4L243 243l-4.4-41.2a606 606 0 00-7-48.7 11.5 11.5 0 0011.2-11.2h.4a7.2 7.2 0 004.4-13.2c4-1.8 6.8-5.8 6.8-10.5" />
</g>
<path
d="M180 249.6h.4a6946 6946 0 00-7.1-63.9l5.4 51.3 1.4 12.6M164.4 125c2.5 10.7 5.7 33.9 8.9 60.7a570.9 570.9 0 00-8.9-60.7M74.8 236.3l-1.4 13.4 1.4-13.4" />
</svg>
<span>CrowdSec</span>
</a>
</div>
</div>
</div>
</body>
</html>

13
appdata/crowdsec/whitelists_custom.yaml Normal file
View file

@ -0,0 +1,13 @@
name: crowdsecurity/whitelists
description: "Whitelist events from private ipv4 addresses"
whitelist:
reason: "private ipv4/ipv6 ip/ranges"
ip:
- "127.0.0.1"
- "::1"
- "10.0.0.168"
- "10.0.0.137"
cidr:
- "192.168.0.0/16"
- "10.0.0.0/8"
- "172.16.0.0/12"

26
appdata/homepage/config/bookmarks.yaml Normal file
View file

@ -0,0 +1,26 @@
---
# For configuration options and examples, please see:
# https://gethomepage.dev/latest/configs/bookmarks
- Social:
- Twitter:
- icon: twitter.png
href: https://twitter.com/home?lang=fr
description: Social media platform
- LinkedIn:
- icon: linkedin.png
href: https://www.linkedin.com/home/?originalSubdomain=fr
description: Professional networking
- Travail:
- GitLab:
- icon: gitlab.png
href: https://gitlab.com/users/sign_in
description: DevOps platform
- GitHub:
- icon: github.png
href: https://git.hhf.technology/
description: Code hosting platform
- Stack Overflow:
- abbr: SOV
href: https://stackoverflow.com/questions/69185617/caddy-allow-http-with-api-platform
description: Developer Q&A

0
appdata/homepage/config/custom.css Normal file
View file

0
appdata/homepage/config/custom.js Normal file
View file

10
appdata/homepage/config/docker.yaml Normal file
View file

@ -0,0 +1,10 @@
---
# For configuration options and examples, please see:
# https://gethomepage.dev/latest/configs/docker/
# my-docker:
# host: 10.0.0.243
# port: 2375
#my-docker:
# socket: /var/run/docker.sock

BIN
appdata/homepage/config/icons/authentik.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 3.6 KiB

BIN
appdata/homepage/config/icons/cloudflare.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 7.4 KiB

BIN
appdata/homepage/config/icons/crowdsec.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 36 KiB

BIN
appdata/homepage/config/icons/github.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 8.4 KiB

BIN
appdata/homepage/config/icons/gitlab.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 19 KiB

BIN
appdata/homepage/config/icons/linkedin.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 5.7 KiB

BIN
appdata/homepage/config/icons/passbolt.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 5.9 KiB

BIN
appdata/homepage/config/icons/portainer.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 8.7 KiB

BIN
appdata/homepage/config/icons/qBittorrent.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 76 KiB

BIN
appdata/homepage/config/icons/traefik.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 32 KiB

BIN
appdata/homepage/config/icons/twitter.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 13 KiB

2
appdata/homepage/config/kubernetes.yaml Normal file
View file

@ -0,0 +1,2 @@
---
# sample kubernetes config

146
appdata/homepage/config/services.yaml Normal file
View file

@ -0,0 +1,146 @@
# For configuration options and examples, please see:
# https://gethomepage.dev/latest/configs/services
- Containers:
- Portainer:
icon: portainer.png
href: {{HOMEPAGE_VAR_PORTAINER_URL_EXTERNAL}}
siteMonitor: {{HOMEPAGE_VAR_PORTAINER_URL_EXTERNAL}}
container: portainer
description: docker gestionnary
widget:
type: portainer
url: {{HOMEPAGE_VAR_PORTAINER_URL_INTERNAL}}
env: 1
key: {{HOMEPAGE_VAR_PORTAINER_KEY}}
- Traefik:
icon: traefik.png
href: {{HOMEPAGE_VAR_TRAEFIK_URL_EXTERNAL}}
siteMonitor: {{HOMEPAGE_VAR_TRAEFIK_URL_EXTERNAL}}
container: traefik
description: reverse proxy
widget:
type: traefik
url: {{HOMEPAGE_VAR_TRAEFIK_URL_EXTERNAL}}
username: {{HOMEPAGE_VAR_TRAEFIK_USERNAME}}
password: {{HOMEPAGE_VAR_TRAEFIK_PASSWORD}} # optional
- authentik:
icon: authentik.png
href: {{HOMEPAGE_VAR_AUTHENTIK_URL_EXTERNAL}}
siteMonitor: {{HOMEPAGE_VAR_AUTHENTIK_URL_EXTERNAL}}
container: authentik_server
description: SSO connexion
widget:
type: authentik
url: {{HOMEPAGE_VAR_AUTHENTIK_URL_EXTERNAL}}
key: {{HOMEPAGE_VAR_AUTHENTIK_API_KEY}}
- Crowdsec:
icon: /icons/crowdsec.png
container: crowdsec
href: {{HOMEPAGE_VAR_CROWDSEC_WEBSITE}}
description: ip firewall
widget:
type: crowdsec
url: {{HOMEPAGE_VAR_CROWDSEC_URL_INTERNAL}}
username: {{HOMEPAGE_VAR_CROWDSEC_USERNAME}}
password: {{HOMEPAGE_VAR_CROWDSEC_PASSWORD}}
- Passbolt:
icon: /icons/passbolt.png
container: passbolt
href: {{HOMEPAGE_VAR_PASSBOLT_URL_EXTERNAL}}
description: password gestionnary
- Media:
- Calendar:
widget:
type: calendar
view: monthly # or 'agenda' if you prefer a list view
firstDayInWeek: sunday # or 'monday', depending on your preference
showTime: true # to show event times
integrations:
- type: sonarr # active widget type that is currently enabled on homepage - possible values: radarr, sonarr, lidarr, readarr
service_group: Media # group name where widget exists
service_name: Sonarr # service name for that widget
#color: teal # optional - defaults to pre-defined color for the service (teal for sonarr)
params: # optional - additional params for the service
unmonitored: true # optional - defaults to false, used with *arr stack
- type: radarr # active widget type that is currently enabled on homepage - possible values: radarr, sonarr, lidarr, readarr
service_group: Media # group name where widget exists
service_name: Radarr # service name for that widget
#color: teal # optional - defaults to pre-defined color for the service (teal for sonarr)
params: # optional - additional params for the service
unmonitored: true # optional - defaults to false, used with *arr stack
- type: lidarr # active widget type that is currently enabled on homepage - possible values: radarr, sonarr, lidarr, readarr
service_group: Media # group name where widget exists
service_name: Lidarr # service name for that widget
#color: teal # optional - defaults to pre-defined color for the service (teal for sonarr)
params: # optional - additional params for the service
unmonitored: true # optional - defaults to false, used with *arr stack
- type: readarr # active widget type that is currently enabled on homepage - possible values: radarr, sonarr, lidarr, readarr
service_group: Media # group name where widget exists
service_name: Readarr # service name for that widget
#color: teal # optional - defaults to pre-defined color for the service (teal for sonarr)
params: # optional - additional params for the service
unmonitored: true # optional - defaults to false, used with *arr stack
- Sonarr:
icon: sonarr.png
href: {{HOMEPAGE_VAR_SONARR_URL_EXTERNAL}}
siteMonitor: {{HOMEPAGE_VAR_SONARR_URL_EXTERNAL}}
description: gestionnaire de séries TV
widget:
type: sonarr
url: {{HOMEPAGE_VAR_SONARR_URL_INTERNAL}}
key: {{HOMEPAGE_VAR_SONARR_KEY}}
enableQueue: true
- Readarr:
icon: readarr.png
href: {{HOMEPAGE_VAR_READARR_URL_EXTERNAL}}
siteMonitor: {{HOMEPAGE_VAR_READARR_URL_EXTERNAL}}
description: gestionnaire de livres
widget:
type: readarr
url: {{HOMEPAGE_VAR_READARR_URL_INTERNAL}}
key: {{HOMEPAGE_VAR_READARR_KEY}}
- Prowlarr:
icon: prowlarr.png
href: {{HOMEPAGE_VAR_PROWLARR_URL_EXTERNAL}}
siteMonitor: {{HOMEPAGE_VAR_PROWLARR_URL_EXTERNAL}}
description: gestionnaire d'indexeurs
widget:
type: prowlarr
url: {{HOMEPAGE_VAR_PROWLARR_URL_INTERNAL}}
key: {{HOMEPAGE_VAR_PROWLARR_KEY}}
- Lidarr:
icon: lidarr.png
href: {{HOMEPAGE_VAR_LIDARR_URL_EXTERNAL}}
siteMonitor: {{HOMEPAGE_VAR_LIDARR_URL_EXTERNAL}}
description: gestionnaire de musique
widget:
type: lidarr
url: {{HOMEPAGE_VAR_LIDARR_URL_INTERNAL}}
key: {{HOMEPAGE_VAR_LIDARR_KEY}}
- Radarr:
icon: radarr.png
href: {{HOMEPAGE_VAR_RADARR_URL_EXTERNAL}}
siteMonitor: {{HOMEPAGE_VAR_RADARR_URL_EXTERNAL}}
description: gestionnaire de films
widget:
type: radarr
url: {{HOMEPAGE_VAR_RADARR_URL_INTERNAL}}
key: {{HOMEPAGE_VAR_RADARR_KEY}}
- DNS:
- Cloudflare:
icon: /icons/cloudflare.png
href: {{HOMEPAGE_VAR_CLOUDFLARE_URL}}
description: gestion des DNS externe
- downloads:
- qBittorrent:
href: {{HOMEPAGE_VAR_QBITTORRENT_URL_EXTERNAL}}
description: torrent downloader
widget:
type: qbittorrent
url: {{HOMEPAGE_VAR_QBITTORRENT_URL_EXTERNAL}}
username: {{HOMEPAGE_VAR_QBITTORRENT_USERNAME}}
password: {{HOMEPAGE_VAR_QBITTORRENT_PASSWORD}}

31
appdata/homepage/config/settings.yaml Normal file
View file

@ -0,0 +1,31 @@
---
# For configuration options and examples, please see:
# https://gethomepage.dev/latest/configs/settings
title: My custom Homepage
background:
image: https://images.unsplash.com/photo-1502790671504-542ad42d5189?auto=format&fit=crop&w=2560&q=80
#image: https://cdnb.artstation.com/p/assets/images/images/006/897/659/large/mikael-gustafsson-wallpaper-m>
blur: sm # sm, md, xl... see https://tailwindcss.com/docs/backdrop-blur
saturate: 100 # 0, 50, 100... see https://tailwindcss.com/docs/backdrop-saturate
brightness: 50 # 0, 50, 75... see https://tailwindcss.com/docs/backdrop-brightness
opacity: 100 # 0-100
language: fr
useEqualHeights: true
showStats: true
layout:
Containers:
tab: Services
Hypervisor:
tab: Services
DNS:
tab: utilities
Media:
tab: Media Management
downloads:
tab: Media Management

23
appdata/homepage/config/widgets.yaml Normal file
View file

@ -0,0 +1,23 @@
---
# For configuration options and examples, please see:
# https://gethomepage.dev/latest/configs/service-widgets
- resources:
cpu: true
memory: true
- search:
provider: google
target: _blank
- openweathermap:
label: Lyon #optional
latitude: 45.750000
longitude: 4.850000
units: metric # or imperial
provider: openweathermap
apiKey: d1de5d84854a33108d9360b3a88f84b8 # required only if not using provider, this reveals api key in requests
cache: 5 # Time in minutes to cache API responses, to stay within limits
format: # optional, Intl.NumberFormat options
maximumFractionDigits: 1

140
appdata/traefik/config/traefik.yaml Normal file
View file

@ -0,0 +1,140 @@
################################################################
# Global configuration - https://doc.traefik.io/traefik/reference/static-configuration/file/
################################################################
global:
checkNewVersion: false
sendAnonymousUsage: false
################################################################
# Providers - https://doc.traefik.io/traefik/providers/docker/
################################################################
providers:
docker:
#endpoint: "unix:///var/run/docker.sock" # Comment if using socket-proxy
endpoint: "tcp://socket-proxy:2375" # Uncomment if using socket proxy
exposedByDefault: false
network: traefik # network to use for connections to all containers
# Enable auto loading of newly created rules by watching a directory
file:
# Apps, LoadBalancers, TLS Options, Middlewares, Middleware Chains
directory: /rules
watch: true
################################################################
# Entrypoints - https://doc.traefik.io/traefik/routing/entrypoints/
################################################################
entryPoints:
web:
address: ":80"
# Global HTTP to HTTPS redirection
http:
redirections:
entrypoint:
to: websecure
scheme: https
middlewares:
- crowdsec@file
- middlewares-compress@file
- middlewares-secure-headers@file
websecure:
address: ":443"
http:
middlewares:
- crowdsec@file
- middlewares-compress@file
- middlewares-secure-headers@file
tls:
options: tls-opts@file
certResolver: le
http3: {}
forwardedHeaders:
trustedIPs:
# Cloudflare (https://www.cloudflare.com/ips-v4)
- "173.245.48.0/20"
- "103.21.244.0/22"
- "103.22.200.0/22"
- "103.31.4.0/22"
- "141.101.64.0/18"
- "108.162.192.0/18"
- "190.93.240.0/20"
- "188.114.96.0/20"
- "197.234.240.0/22"
- "198.41.128.0/17"
- "162.158.0.0/15"
- "104.16.0.0/13"
- "104.24.0.0/14"
- "172.64.0.0/13"
- "131.0.72.0/22"
# Local IPs
- "127.0.0.1/32"
- "10.0.0.0/8"
- "192.168.0.0/16"
- "172.16.0.0/12"
################################################################
# Logs - https://doc.traefik.io/traefik/observability/logs/
################################################################
log:
level: INFO # Options: DEBUG, PANIC, FATAL, ERROR (Default), WARN, and INFO
filePath: /logs/traefik-container.log # Default is to STDOUT
# format: json # Uses text format (common) by default
noColor: false # Recommended to be true when using common
maxSize: 100 # In megabytes
compress: true # gzip compression when rotating
################################################################
# Access logs - https://doc.traefik.io/traefik/observability/access-logs/
################################################################
accessLog:
addInternals: true # things like ping@internal
filePath: /logs/traefik-access.log # In the Common Log Format (CLF) by default
bufferingSize: 100 # Number of log lines
fields:
names:
StartUTC: drop # Write logs in Container Local Time instead of UTC
filters:
statusCodes:
- "204-299"
- "400-499"
- "500-599"
################################################################
# API and Dashboard
################################################################
api:
dashboard: true
# Rely on api@internal and Traefik with Middleware to control access
# insecure: true
################################################################
# Let's Encrypt (ACME)
################################################################
certificatesResolvers:
le:
acme:
email: "CHANGEME"
storage: "/data/acme.json"
caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
# caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
dnsChallenge:
provider: cloudflare
#delayBeforeCheck: 30 # Default is 2m0s. This changes the delay (in seconds)
# Custom DNS server resolution
resolvers:
- "1.1.1.1:53"
- "8.8.8.8:53"
################################################################
# Bouncer traefik (crowdsec)
################################################################
experimental:
plugins:
# crowdsec bouncer for traefik
traefik-bouncer:
moduleName: git.hhf.technology/maxlerebourg/crowdsec-bouncer-traefik-plugin
version: v1.3.3-beta1
# http cache for traefik
souin:
moduleName: git.hhf.technology/darkweak/souin
version: v1.6.50

18
appdata/traefik/rules/bouncer-crowdsec.yaml Normal file
View file

@ -0,0 +1,18 @@
http:
middlewares:
crowdsec:
plugin:
traefik-bouncer:
enabled: true
logLevel: DEBUG
updateIntervalSeconds: 60
defaultDecisionSeconds: 60
httpTimeoutSeconds: 10
crowdsecMode: live #live stream #alone
crowdsecAppsecEnabled: false
crowdsecAppsecHost: crowdsec:7422
crowdsecAppsecFailureBlock: true
crowdsecLapiKey: {{ env "CROWDSEC_TRAEFIK_BOUNCER_LAPI_KEY" }}
crowdsecLapiHost: crowdsec:8080
crowdsecLapiScheme: http
banHTMLFilePath: ./ban.html

14
appdata/traefik/rules/default-headers.yaml Normal file
View file

@ -0,0 +1,14 @@
http:
middlewares:
default-headers:
headers:
frameDeny: true
browserXssFilter: true
contentTypeNosniff: true
forceSTSHeader: true
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: 15552000
customFrameOptionsValue: SAMEORIGIN
customRequestHeaders:
X-Forwarded-Proto: https

30
appdata/traefik/rules/forwardAuth-authentik.yaml Normal file
View file

@ -0,0 +1,30 @@
################################################################
# Middlewares (https://git.hhf.technology/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://git.hhf.technology/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
################################################################
# Forward Authentication - OAUTH / 2FA
################################################################
#
# https://git.hhf.technology/goauthentik/authentik/issues/2366
forwardAuth-authentik:
forwardAuth:
address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version

19
appdata/traefik/rules/middlewares-authentik.yaml Normal file
View file

@ -0,0 +1,19 @@
http:
middlewares:
# https://git.hhf.technology/goauthentik/authentik/issues/2366
middlewares-authentik:
forwardAuth:
address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version

18
appdata/traefik/rules/middlewares-buffering.yaml Normal file
View file

@ -0,0 +1,18 @@
################################################################
# Middlewares (https://git.hhf.technology/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://git.hhf.technology/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
# Prevent too large of a body
# https://stackoverflow.com/questions/49717670/how-to-config-upload-body-size-restriction-in-traefik
middlewares-buffering:
buffering:
maxRequestBodyBytes: 10485760
memRequestBodyBytes: 2097152
maxResponseBodyBytes: 10485760
memResponseBodyBytes: 2097152
retryExpression: "IsNetworkError() && Attempts() <= 2"

17
appdata/traefik/rules/middlewares-compress.yaml Normal file
View file

@ -0,0 +1,17 @@
################################################################
# Middlewares (https://git.hhf.technology/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://git.hhf.technology/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
middlewares-compress:
compress:
includedContentTypes:
- application/json
- text/html
- text/plain
minResponseBodyBytes: 1024
defaultEncoding: gzip

80
appdata/traefik/rules/middlewares-http-cache.yaml Normal file
View file

@ -0,0 +1,80 @@
http:
middlewares:
http-cache:
plugin:
souin:
api:
# prometheus: {}
souin: {}
default_cache:
ttl: 60s # TTL par défaut pour toutes les URLs
allowed_http_verbs:
- GET
- HEAD
- POST
default_cache_control: public, max-age=60
force: true
log_level: debug
portainer-cache:
plugin:
souin:
api:
prometheus: {}
souin: {}
default_cache:
regex:
exclude: '/api/.*|/auth/.*|/settings/.*' # Exclure les APIs sensibles de Portainer du cache
ttl: 60s # TTL global par défaut
allowed_http_verbs:
- GET
- HEAD
default_cache_control: public, max-age=60
log_level: debug
urls:
'portainer.{{ env "DOMAINNAME"}}':
ttl: 120s
default_cache_control: public, max-age=120
'portainer.{{ env "DOMAINNAME"}}/login':
ttl: 0s # Ne pas mettre en cache la page de login
ykeys:
Portainer_API_Key:
headers:
Content-Type: 'application/json'
surrogate_keys:
Portainer_Surrogate_Key:
headers:
Content-Type: 'application/json'
servarr-cache:
plugin:
souin:
api:
prometheus: {}
souin: {}
default_cache:
regex:
exclude: '/api/.*|/auth/.*|/indexers/.*|/download/.*|/profile/.*' # Exclure les API, indexeurs, et téléchargements du cache
ttl: 60s # TTL global par défaut
allowed_http_verbs:
- GET
- HEAD
default_cache_control: public, max-age=60
log_level: debug
urls:
'sonarr.{{ env "DOMAINNAME" }}/':
ttl: 300s
'radarr.{{ env "DOMAINNAME" }}/':
ttl: 300s
'lidarr.{{ env "DOMAINNAME" }}/':
ttl: 300s
'readarr.{{ env "DOMAINNAME" }}/':
ttl: 300s
ykeys:
Servarr_Static_Key:
headers:
Content-Type: 'text/html'
surrogate_keys:
Servarr_Surrogate_Key:
headers:
Content-Type: 'application/json'

15
appdata/traefik/rules/middlewares-https-redirectscheme.yaml Normal file
View file

@ -0,0 +1,15 @@
################################################################
# Middlewares (https://git.hhf.technology/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://git.hhf.technology/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
# Middleware for Redirection
# This can be used instead of global redirection
middlewares-https-redirectscheme:
redirectScheme:
scheme: https
permanent: true

14
appdata/traefik/rules/middlewares-rate-limit.yaml Normal file
View file

@ -0,0 +1,14 @@
################################################################
# Middlewares (https://git.hhf.technology/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://git.hhf.technology/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
# DDoS Prevention
middlewares-rate-limit:
rateLimit:
average: 100
burst: 50

39
appdata/traefik/rules/middlewares-secure-headers.yaml Normal file
View file

@ -0,0 +1,39 @@
################################################################
# Middlewares (https://git.hhf.technology/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://git.hhf.technology/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
################################################################
# Good Basic Security Practices
################################################################
middlewares-secure-headers:
headers:
accessControlAllowMethods:
- GET
- OPTIONS
- PUT
accessControlMaxAge: 100
hostsProxyHeaders:
- "X-Forwarded-Host"
stsSeconds: 63072000
stsIncludeSubdomains: true
stsPreload: true
forceSTSHeader: true
# customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME"}}" #CSP takes care of this but may be needed for organizr.
customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
contentTypeNosniff: true
browserXssFilter: true
sslForceHost: true # add sslHost to all of the services
sslHost: "{{env "DOMAINNAME"}}"
referrerPolicy: "same-origin"
permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=()"
customResponseHeaders:
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,noindex,nofollow" #global not tracking with websearch
# X-Robots-Tag: "noindex,nofollow" " # nextcloud recommandation
server: ""
# https://community.traefik.io/t/how-to-make-websockets-work-with-traefik-2-0-setting-up-rancher/1732
# X-Forwarded-Proto: "https"

114
appdata/traefik/rules/routing.yaml Normal file
View file

@ -0,0 +1,114 @@
http:
# if you want add athentik on your service just add this on rour router
routers:
authentik-rtr:
service: authentik-svc
rule: Host(`{{ env "AUTHENTIK_HOST" }}`)
authentik-output-rtr:
service: authentik-svc
rule: HostRegexp(`{subdomain:[a-z0-9-]+}.{{ env "DOMAINNAME" }}`) && PathPrefix(`{{ env "AUTHENTIK_OUTPOST_PATH_PREFIX" }}`)
traefik-rtr:
rule: "Host(`{{ env "TRAEFIK_DASHBOARD_HOST" }}`)"
service: api@internal
middlewares:
- traefik-dashboard-auth@file
portainer-rtr:
service: portainer-svc
rule: Host(`{{ env "PORTAINER_HOST" }}`)
middlewares:
- portainer-cache@file
homepage-rtr:
service: homepage-svc
rule: Host(`{{ env "HOMEPAGE_HOST" }}`)
middlewares:
- middlewares-authentik@file
prowlarr-rtr:
service: prowlarr-svc
rule: Host(`{{ env "PROWLARR_HOST" }}`)
middlewares:
- servarr-cache@file
sonarr-rtr:
service: sonarr-svc
rule: Host(`{{ env "SONARR_HOST" }}`)
middlewares:
- servarr-cache@file
radarr-rtr:
service: radarr-svc
rule: Host(`{{ env "RADARR_HOST" }}`)
middlewares:
- servarr-cache@file
lidarr-rtr:
service: lidarr-svc
rule: Host(`{{ env "LIDARR_HOST" }}`)
middlewares:
- servarr-cache@file
readarr-rtr:
service: readarr-svc
rule: Host(`{{ env "READARR_HOST" }}`)
middlewares:
- servarr-cache@file
torrent-rtr:
service: torrent-svc
rule: Host(`{{ env "TORRENT_HOST" }}`)
services:
authentik-svc:
loadBalancer:
servers:
- url: {{ env "AUTHENTIK_URL" }}
portainer-svc:
loadBalancer:
servers:
- url: {{ env "PORTAINER_URL" }}
homepage-svc:
loadBalancer:
servers:
- url: {{ env "HOMEPAGE_URL" }}
prowlarr-svc:
loadBalancer:
servers:
- url: {{ env "PROWLARR_URL" }}
sonarr-svc:
loadBalancer:
servers:
- url: {{ env "SONARR_URL" }}
radarr-svc:
loadBalancer:
servers:
- url: {{ env "RADARR_URL" }}
lidarr-svc:
loadBalancer:
servers:
- url: {{ env "LIDARR_URL" }}
readarr-svc:
loadBalancer:
servers:
- url: {{ env "READARR_URL" }}
torrent-svc:
loadBalancer:
servers:
- url: {{ env "TORRENT_URL" }}
serversTransports:
insecureTransport:
insecureSkipVerify: true

35
appdata/traefik/rules/tls-opts.yaml Normal file
View file

@ -0,0 +1,35 @@
################################################################
# TLS Options (https://jellyfin.org/docs/general/networking/traefik2.html#traefik-providertoml)
# toml -> yml
# 2024 updates to cipherSuites from (https://www.smarthomebeginner.com/traefik-v3-docker-compose-guide-2024/)
#
# Set secure options by disabling insecure older TLS/SSL versions
# and insecure ciphers. SNIStrict disabled leaves TLS1.0 open.
# If you have problems with older clients, you can may need to relax
# these minimums. This configuration will give you an A+ SSL security
# score supporting TLS1.2 and TLS1.3
#
# Dynamic configuration
# https://doc.traefik.io/traefik/https/tls/
################################################################
tls:
options:
tls-opts:
sniStrict: true
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
curvePreferences:
- secp521r1 # CurveP521
- secp384r1 # CurveP384
mintls13:
minVersion: VersionTLS13

6
appdata/traefik/rules/traefik-dashboard-auth.yaml Normal file
View file

@ -0,0 +1,6 @@
http:
middlewares:
traefik-dashboard-auth:
basicAuth:
users:
- "{{ env "TRAEFIK_DASHBOARD_CREDENTIALS" }}"

0
docs/Authentik_en.md Normal file
View file

0
docs/Authentik_fr.md Normal file
View file

210
docs/doc_en.md Normal file
View file

@ -0,0 +1,210 @@
# Homelab Docker Server
## Version Information
The secrets will be set up progressively, taking into account the compatibility of each service.
This project configures a Homelab Docker server with a simple setup. In the future, more services will be added.
## Project Inspiration and More Details
### CrowdSec
- [CrowdSec Blog - Enhance Docker Compose Security](https://www.crowdsec.net/blog/enhance-docker-compose-security)
- [Traefik Bouncer GitHub](https://git.hhf.technology/maxlerebourg/crowdsec-bouncer-traefik-plugin)
- [Traefik Bouncer Tutorial](https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin)
### Project Architecture Inspiration and Authentik Documentation:
- [GitHub - hhf](https://git.hhf.technology/hhf/authentik_traefik)
- Thanks to @hhf
## Initial Setup
1. **Rename the `.env.example` file to `.env`.**
2. **Fill in the variables in the `.env` file:**
- `DOMAINNAME`: Domain name.
- `TZ`: Time zone.
- Create an account on [CrowdSec](https://www.crowdsec.net) (free).
- Create a secret with the API key generated on Cloudflare for Let's Encrypt. See the [tutorial here](https://youtu.be/n1vOfdz5Nm8?si=a7WRX2rLfm4HydtU&t=1012).
- Add the Cloudflare API key to `/secret/cf_dns_api_token`.
3. Generate the secrets for Authentik:
# Secrets to Create
The following secrets (defined in the base `compose.yaml` file) need to be created:
I recommend creating secrets with the following syntax:
```bash
echo -n 'VALUE_CHANGEME' > SECRET_NAME_CHANGEME
```
Check out Traefik's info at https://doc.traefik.io/traefik/https/acme/#providers. Cloudflare specific information: https://go-acme.github.io/lego/dns/cloudflare/
- `cf_email`
- `cf_dns_api_token`
```bash
echo -n 'CHANGEME@gmail.com' > cf_email
echo -n 'CHANGEME-LONGAPI-CHANGEME' > cf_dns_api_token
```
Specific to Authentik (https://docs.goauthentik.io/docs/installation/docker-compose#preparation)
- `authentik_postgresql_db`
- `authentik_postgresql_user`
- `authentik_postgresql_password`
- `authentik_secret_key`
```bash
echo -n 'authentik_db' > authentik_postgresql_db
echo -n 'authentik_user' > authentik_postgresql_user
openssl rand 36 | base64 -w 0 > authentik_postgresql_password
openssl rand 60 | base64 -w 0 > authentik_secret_key
```
Create a Gmail account and enter the information:
- `gmail_smtp_username`
- `gmail_smtp_password`
```bash
echo -n 'CHANGEME@gmail.com' > gmail_smtp_username
echo -n 'CHANGEME' > gmail_smtp_password
```
Go to https://dev.maxmind.com/geoip/geolite2-free-geolocation-data to generate a free license key (https://www.maxmind.com/en/accounts/current/license-key) for use.
- `geoip_account_id`
- `geoip_license_key`
```bash
echo -n 'CHANGEME' > geoip_account_id
echo -n 'CHANGEME' > geoip_license_key
```
---
4. **Let's Encrypt Configuration in `/appdata/traefik/config/traefik.yaml`:**
**Development Mode**
- During installation, ensure the line `caServer: https://acme-v02.api.letsencrypt.org/directory` is commented out.
- Replace `CHANGEME` with your email.
**Switch to Production:**
- Delete the `acme.json` file in `/appdata/traefik/data/`.
- Uncomment the line `caServer: https://acme-v02.api.letsencrypt.org/directory` in `/appdata/traefik/config/traefik.yaml`.
- Restart the project to obtain a production SSL certificate.
## Project Launch
1. **Start the project:**
Navigate to the `/my-compose/` folder where the `docker-compose.yaml` file is located, then run the command:
```bash
docker compose up -d
```
2. **Check the services:**
To check if all services are active, run:
```bash
docker ps
```
_Tip: To read the logs of a specific container, use:_
```bash
docker logs 'container_name'
```
3. **Add the security engine on CrowdSec:**
- Go to [CrowdSec](https://www.crowdsec.net), click on "Add Security Engine," and copy the token displayed after `sudo`.
![add security engine](images/crowdsec_1.png)
![add security engine](images/crowdsec_2.png)
4. **Run the following command in the terminal:**
```bash
docker exec crowdsec cscli console enroll -e context 'retrieved token'
```
![add security engine](images/crowdsec_3.png)
5. **Return to the CrowdSec website:**
- In the "Engines" section, accept the invitation. You should see an active item appear.
![add security engine](images/crowdsec_4.png)
6. **Create the Traefik bouncer:**
To allow CrowdSec to read Traefik logs, run:
```bash
docker exec crowdsec cscli bouncers add traefik-bouncer
```
7. **Add the API key:**
- Copy the generated API key and set the variable `CROWDSEC_TRAEFIK_BOUNCER_LAPI_KEY` in the `.env` file located in `/my-compose/.env`.
8. **Restart the project:**
```bash
docker compose up -d --force-recreate
```
9. **Wait a few minutes for the CrowdSec service to activate:**
- After a few minutes, you should see the active page on the CrowdSec web interface.
![add security engine](images/crowdsec_6.png)
## Additional Information
- **Logs**: To read the startup logs of CrowdSec or Traefik, use the following commands:
```bash
docker logs --tail 100 -f traefik
```
```bash
docker logs --tail 100 -f crowdsec
```
- **If errors occur:** Delete the `config` folder and restart the services with:
```bash
docker compose up -d --force-recreate
```
If that fails, delete the `appdata/crowdsec/db` and `appdata/crowdsec/config` folders and restart the setup from scratch (bouncer + add engine).
- **Add a database other than SQLite:**
- First, launch the project with SQLite.
- Follow the tutorial [CrowdSec database custom](https://docs.crowdsec.net/docs/next/local_api/database/).
- Edit the file `appdata/crowdsec/config/crowdsec/config.yaml`.
- Delete the `appdata/crowdsec/data` folder.
- Reconfigure from scratch (engine + bouncer).
- **Available `cscli` commands:** Check the documentation [here](https://docs.crowdsec.net/docs/cscli/).
### Qbittorrent (documentation coming soon)
To retrieve the Qbittorrent password: run the command
`docker logs qbittorrent`.
### Servarr (documentation coming soon):
### Authentik
Follow this documentation [Authentik](https://git.hhf.technology/hhf/authentik_traefik/blob/traefik3/README.md)

210
docs/doc_fr.md Normal file
View file

@ -0,0 +1,210 @@
# Homelab Docker Server
## Information de version
Les secrets seront mis en place progressivement, en prenant en compte les compatibilités de chaque service.
Ce projet configure un serveur Homelab Docker avec une configuration simple à l'avenir, d'autres services
## Inspiration du projet et plus de détails
### CrowdSec
- [CrowdSec Blog - Enhance Docker Compose Security](https://www.crowdsec.net/blog/enhance-docker-compose-security)
- [Traefik Bouncer GitHub](https://git.hhf.technology/maxlerebourg/crowdsec-bouncer-traefik-plugin)
- [Traefik Bouncer Tutorial](https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin)
### Inspiration architecture du projet et documentation pour authentik :
- [GitHub - hhf](https://git.hhf.technology/hhf/authentik_traefik)
- Merci à @hhf
## Configuration Initiale
1. **Renommer le fichier `.env.example` en `.env`.**
2. **Renseigner les variables dans le fichier `.env` :**
- `DOMAINNAME` : Nom de domaine.
- `TZ` : Fuseau horaire.
- Créer un compte sur [CrowdSec](https://www.crowdsec.net) (gratuit).
- Créer un secret avec la clé API générée sur Cloudflare pour Let's Encrypt. Voir le [tutoriel ici](https://youtu.be/n1vOfdz5Nm8?si=a7WRX2rLfm4HydtU&t=1012).
- Ajouter la clé API Cloudflare dans `/secret/cf_dns_api_token`.
3. Génerer les secrets pour authentik :
# Secrets à créer
Les secrets suivants (définis dans le fichier `compose.yaml` de base) doivent être créés :
Je vous recommande de créer les secrets avec la syntaxe suivante :
```bash
echo -n 'VALEUR_CHANGEME' > NOM_DU_SECRET_CHANGEME
```
Consultez les informations sur Traefik à l'adresse suivante : https://doc.traefik.io/traefik/https/acme/#providers. Informations spécifiques à Cloudflare : https://go-acme.github.io/lego/dns/cloudflare/
- `cf_email`
- `cf_dns_api_token`
```bash
echo -n 'CHANGEME@gmail.com' > cf_email
echo -n 'CHANGEME-LONGAPI-CHANGEME' > cf_dns_api_token
```
Spécifique à Authentik (https://docs.goauthentik.io/docs/installation/docker-compose#preparation)
- `authentik_postgresql_db`
- `authentik_postgresql_user`
- `authentik_postgresql_password`
- `authentik_secret_key`
```bash
echo -n 'authentik_db' > authentik_postgresql_db
echo -n 'authentik_user' > authentik_postgresql_user
openssl rand 36 | base64 -w 0 > authentik_postgresql_password
openssl rand 60 | base64 -w 0 > authentik_secret_key
```
Créez un compte Gmail et saisissez les informations :
- `gmail_smtp_username`
- `gmail_smtp_password`
```bash
echo -n 'CHANGEME@gmail.com' > gmail_smtp_username
echo -n 'CHANGEME' > gmail_smtp_password
```
Allez sur https://dev.maxmind.com/geoip/geolite2-free-geolocation-data pour générer une clé de licence gratuite (https://www.maxmind.com/en/accounts/current/license-key) à utiliser.
- `geoip_account_id`
- `geoip_license_key`
```bash
echo -n 'CHANGEME' > geoip_account_id
echo -n 'CHANGEME' > geoip_license_key
```
---
4. **Configuration Let's Encrypt dans `/appdata/traefik/config/traefik.yaml` :**
**Developpement mode**
- Pendant l'installation, assurez-vous que la ligne `caServer: https://acme-v02.api.letsencrypt.org/directory` est commentée.
- remplacez `CHANGEME` par votre email
**Passage en production :**
- Supprimez le fichier `acme.json` dans `/appdata/traefik/data/`.
- Décommentez la ligne `caServer: https://acme-v02.api.letsencrypt.org/directory` dans `/appdata/traefik/config/traefik.yaml`.
- Relancez le projet pour obtenir un certificat SSL en production.
## Lancement du Projet
1. **Démarrer le projet :**
Allez dans le dossier `/my-compose/` où se trouve le fichier `docker-compose.yaml`, puis exécutez la commande :
```bash
docker compose up -d
```
2. **Vérification des services :**
Pour vérifier que tous les services sont actifs, exécutez :
```bash
docker ps
```
_Astuce : Pour lire les logs d'un conteneur spécifique, utilisez :_
```bash
docker logs 'nom_du_conteneur'
```
3. **Ajouter le moteur de sécurité sur CrowdSec :**
- Allez sur [CrowdSec](https://www.crowdsec.net), cliquez sur "Add Security Engine", et copiez le token affiché après `sudo`.
![add security engine](images/crowdsec_1.png)
![add security engine](images/crowdsec_2.png)
4. **Exécuter la commande suivante dans le terminal :**
```bash
docker exec crowdsec cscli console enroll -e context 'token récupéré'
```
![add security engine](images/crowdsec_3.png)
5. **Retourner sur le site CrowdSec :**
- Dans la section "Engines", acceptez l'invitation. Vous devriez voir un élément actif apparaître.
![add security engine](images/crowdsec_4.png)
6. **Créer le bouncer Traefik :**
Pour que CrowdSec puisse lire les logs de Traefik, exécutez :
```bash
docker exec crowdsec cscli bouncers add traefik-bouncer
```
7. **Ajouter la clé API :**
- Copiez la clé API générée et définissez la variable `CROWDSEC_TRAEFIK_BOUNCER_LAPI_KEY` dans le fichier `.env` situé dans `/my-compose/.env`.
8. **Relancer le projet :**
```bash
docker compose up -d --force-recreate
```
9. **Attendre quelques minutes pour l'activation du service CrowdSec :**
- Après quelques minutes, vous devriez voir la page active sur l'interface web de CrowdSec.
![add security engine](images/crowdsec_6.png)
## Informations supplémentaires
- **Logs** : Pour lire les logs de démarrage de CrowdSec ou Traefik, utilisez les commandes suivantes :
```bash
docker logs --tail 100 -f traefik
```
```bash
docker logs --tail 100 -f crowdsec
```
- **En cas d'erreurs :** Supprimez le dossier `config` et relancez les services avec :
```bash
docker compose up -d --force-recreate
```
Si cela échoue, supprimez les dossiers `appdata/crowdsec/db` et `appdata/crowdsec/config` puis recommencez la configuration depuis le début (bouncer + add engine).
- **Ajouter une base de données autre que SQLite :**
- Lancez d'abord le projet avec SQLite.
- Suivez le tutoriel [CrowdSec database custom](https://docs.crowdsec.net/docs/next/local_api/database/).
- Modifiez le fichier `appdata/crowdsec/config/crowdsec/config.yaml`.
- Supprimez le dossier `appdata/crowdsec/data`.
- Reconfigurez à partir de zéro (engine + bouncer).
- **Commandes `cscli` disponibles :** Consultez la documentation [ici](https://docs.crowdsec.net/docs/cscli/).
### Qbittorrent (documentation à venir)
Pour obtenir le mot de passe Qbittorrent : exécutez la commande
`docker logs qbittorrent`.
### Servarr (documentation à venir) :
### AUthentik
suivre cette documentation [Authentik](https://git.hhf.technology/hhf/authentik_traefik/blob/traefik3/README.md)

BIN
docs/images/authentik_admin.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 110 KiB

BIN
docs/images/crowdsec_1.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 25 KiB

BIN
docs/images/crowdsec_10.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 46 KiB

BIN
docs/images/crowdsec_2.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 34 KiB

BIN
docs/images/crowdsec_3.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 7.4 KiB

BIN
docs/images/crowdsec_4.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 50 KiB

BIN
docs/images/crowdsec_5.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 30 KiB

BIN
docs/images/crowdsec_6.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 27 KiB

BIN
docs/images/crowdsec_7.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 23 KiB

BIN
docs/images/crowdsec_8.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 40 KiB

BIN
docs/images/crowdsec_9.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 9.2 KiB

BIN
docs/images/lets-encrypt-conf.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 62 KiB

BIN
docs/images/prowlarr_1.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 27 KiB

BIN
docs/images/prowlarr_2.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 66 KiB

BIN
docs/images/prowlarr_3.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 159 KiB

BIN
docs/images/prowlarr_4.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 106 KiB

BIN
docs/images/qbittorent_3.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 56 KiB

BIN
docs/images/qbittorent_4.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 251 KiB

BIN
docs/images/traefik_1.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 10 KiB

BIN
docs/images/traefik_dashboard.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 122 KiB

223
my-compose/.env.example Normal file
View file

@ -0,0 +1,223 @@
################################################################
# Base Configuration
################################################################
DOCKERDIR=/CHAMGEME/Homelab-docker-server
PUID=root
PGID=root
TZ=Europe/Paris
DOMAINNAME=CHANGE_ME
################################################################
# SMTP Configuration base conf wit google smtp
# https://support.google.com/accounts/answer/185833?hl=fr
################################################################
SMPT_EMAIL_HOST=smtp.gmail.com
SMPT_EMAIL_PORT=25
SMPT_EMAIL_USERNAME=gmail_smtp_username # secrets name
SMPT_EMAIL_PASSWORD=gmail_smtp_password # secrets name
SMPT_EMAIL_USE_TLS=true
SMPT_EMAIL_USE_SSL=false
SMPT_EMAIL_TIMEOUT=10
SMPT_EMAIL_FROM=gmail_smtp_username # secrets name
################################################################
#################### Traefik 3 - June 2024 #####################
# Cloudflare IPs (IPv4 and/or IPv6): https://www.cloudflare.com/ips/
################################################################
CF_EMAIL=CHANGEME
CLOUDFLARE_IPS=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22
LOCAL_IPS=127.0.0.1/32,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
################################################################
# Secrets command
################################################################
SECRETS_RUN=/run/secrets/
SECRETS_FILE=file://${SECRETS_RUN}
################################################################
# Proxy services
################################################################
DOCKER_HOST=tcp://socket-proxy:2375
################################################################
# Traefik Configuration
# generate TRAEFIK_DASHBOARD_CREDENTIALS here : https://www.web2generators.com/apache-tools/htpasswd-generator
################################################################
TRAEFIK_DASHBOARD_CREDENTIALS=CHANGE_ME
TRAEFIK_DASHBOARD_NAME=traefik-dashboard
TRAEFIK_DASHBOARD_HOST=${TRAEFIK_DASHBOARD_NAME}.${DOMAINNAME}
# Traefik load balancing
# https://gethomepage.dev/latest/widgets/services/traefik/
HOMEPAGE_VAR_TRAEFIK_URL_EXTERNAL=https://${TRAEFIK_DASHBOARD_HOST}
HOMEPAGE_VAR_TRAEFIK_USERNAME=admin
HOMEPAGE_VAR_TRAEFIK_PASSWORD=CHANGE_ME
################################################################
# Portainer Configuration
################################################################
PORTAINER_SERVICE_NAME=portainer
PORTAINER_HOST=${PORTAINER_SERVICE_NAME}.${DOMAINNAME}
PORTAINER_URL=http://${PORTAINER_SERVICE_NAME}:9000
# Homepage configuration for Portainer
# https://gethomepage.dev/latest/widgets/services/portainer/
HOMEPAGE_VAR_PORTAINER_URL_EXTERNAL=https://${PORTAINER_HOST}
HOMEPAGE_VAR_PORTAINER_URL_INTERNAL=${PORTAINER_URL}
HOMEPAGE_VAR_PORTAINER_KEY=CHANGE_ME
################################################################
# Authentik Configuration
################################################################
AUTHENTIK_SERVICE_NAME=authentik_server
AUTHENTIK_SERVICE_PORT=9000
AUTHENTIK_COOKIE_DOMAIN=${DOMAINNAME}
AUTHENTIK_HOST=authentik.${DOMAINNAME}
AUTHENTIK_URL=http://${AUTHENTIK_SERVICE_NAME}:${AUTHENTIK_SERVICE_PORT}
AUTHENTIK_OUTPOST_PATH_PREFIX=/outpost.goauthentik.io/
POSTGRES_PASSWORD_FILE=${SECRETS_RUN}authentik_postgresql_password
#POSTGRES_USER_FILE=${SECRETS_RUN}authentik_postgresql_user
POSTGRES_USER_FILE=${SECRETS_RUN}authentik_postgresql_db
POSTGRES_DB_FILE=${SECRETS_RUN}authentik_postgresql_db
AUTHENTIK_REDIS__HOST=authentik_redis
AUTHENTIK_POSTGRESQL__HOST=authentik_postgresql
AUTHENTIK_POSTGRESQL__NAME=${SECRETS_FILE}authentik_postgresql_db
#AUTHENTIK_POSTGRESQL__USER=${SECRETS_FILE}authentik_postgresql_user
AUTHENTIK_POSTGRESQL__USER=${SECRETS_FILE}authentik_postgresql_db
AUTHENTIK_POSTGRESQL__PASSWORD=${SECRETS_FILE}authentik_postgresql_password
AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
AUTHENTIK_DISABLE_UPDATE_CHECK=false
AUTHENTIK_ERROR_REPORTING__ENABLED=false
AUTHENTIK_LOG_LEVEL=info # debug, info, warning, error, trace
AUTHENTIK_SECRET_KEY=${SECRETS_FILE}authentik_secret_key # openssl rand 60 | base64 -w 0
AUTHENTIK_COOKIE_DOMAIN=${DOMAINNAME}
# AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS: CHANGEME_IFAPPLICABLE # Defaults to all of: 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fe80::/10, ::1/128
DOCKER_HOST=tcp://socket-proxy:2375 # Use this if you have Socket Proxy enabled.
# SMPT authentik configuration
AUTHENTIK_EMAIL__HOST=${SMPT_EMAIL_HOST}
AUTHENTIK_EMAIL__PORT=${SMPT_EMAIL_PORT}
AUTHENTIK_EMAIL__USERNAME=${SECRETS_FILE}${SMPT_EMAIL_USERNAME}
AUTHENTIK_EMAIL__PASSWORD=${SECRETS_FILE}${SMPT_EMAIL_PASSWORD}
AUTHENTIK_EMAIL__USE_TLS=${SMPT_EMAIL_USE_TLS}
AUTHENTIK_EMAIL__USE_SSL=${SMPT_EMAIL_USE_SSL}
AUTHENTIK_EMAIL__TIMEOUT=${SMPT_EMAIL_TIMEOUT}
AUTHENTIK_EMAIL__FROM=${SECRETS_FILE}${SMPT_EMAIL_FROM}
# Homepage configuration for Authentik
# https://gethomepage.dev/latest/widgets/services/authentik/
HOMEPAGE_VAR_AUTHENTIK_URL_EXTERNAL=https://${AUTHENTIK_HOST}
HOMEPAGE_VAR_AUTHENTIK_URL_INTERNAL=${AUTHENTIK_URL}
HOMEPAGE_VAR_AUTHENTIK_API_KEY=CHANGE_ME
################################################################
# GeoIP Configuration
# Go to https://dev.maxmind.com/geoip/geolite2-free-geolocation-data in order to generate a free license key
# https://www.maxmind.com/en/accounts/current/license-key for use.
################################################################
GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
GEOIPUPDATE_FREQUENCY=8
GEOIPUPDATE_ACCOUNT_ID_FILE=${SECRETS_RUN}geoip_acccount_id
GEOIPUPDATE_LICENSE_KEY_FILE=${SECRETS_RUN}geoip_license_key
################################################################
# Crowdsec Configuration
################################################################
CROWDSEC_TRAEFIK_BOUNCER_LAPI_KEY=CHANGE_ME #to get api key : docker exec crowdsec cscli bouncers add traefik-bouncer
# Homepage configuration for Crowdsec
# got to /appdata/crowdsec/config/local_api_credentials.yaml and past HOMEPAGE_VAR_CROWDSEC_PASSWORD value
HOMEPAGE_VAR_CROWDSEC_WEBSITE=https://app.crowdsec.net
HOMEPAGE_VAR_CROWDSEC_URL_INTERNAL=http://crowdsec:8080
HOMEPAGE_VAR_CROWDSEC_USERNAME=localhost
HOMEPAGE_VAR_CROWDSEC_PASSWORD=CHANGE_ME
################################################################
# Homepage Configuration
################################################################
HOMEPAGE_SERVICE_NAME=homepage
HOMEPAGE_PORT=3000
HOMEPAGE_HOST=${HOMEPAGE_SERVICE_NAME}.${DOMAINNAME}
HOMEPAGE_URL=http://${HOMEPAGE_SERVICE_NAME}:${HOMEPAGE_PORT}
################################################################
# Cloudflare Configuration (not a docker)
################################################################
HOMEPAGE_VAR_CLOUDFLARE_URL=https://dash.cloudflare.com/login/?lang=fr-fr
################################################################
# qBittorrent Configuration
################################################################
TORRENT_SERVICE_NAME=torrent
TORRENT_PORT=8090
TORRENT_HOST=${TORRENT_SERVICE_NAME}.${DOMAINNAME}
TORRENT_URL=http://CHANGE_ME:${TORRENT_PORT} # service name host not work actually, just add docker host ip
# Homepage configuration for qBittorrent
# See Homepage tutorial: https://gethomepage.dev/latest/widgets/services/qbittorrent/
HOMEPAGE_VAR_QBITTORRENT_URL_EXTERNAL=https://${TORRENT_HOST}
HOMEPAGE_VAR_QBITTORRENT_URL_INTERNAL=${TORRENT_URL}
HOMEPAGE_VAR_QBITTORRENT_USERNAME=admin
HOMEPAGE_VAR_QBITTORRENT_PASSWORD=CHANGE_ME
################################################################
# Servarr Configuration
# See Homepage tutorial:
# https://gethomepage.dev/latest/widgets/services/prowlarr/
# https://gethomepage.dev/latest/widgets/services/lidarr/
# https://gethomepage.dev/latest/widgets/services/readarr/
# https://gethomepage.dev/latest/widgets/services/sonarr/
# https://gethomepage.dev/latest/widgets/services/radarr/
################################################################
BASE_PATH_MEDIA=CHANGEME
PROWLARR_SERVICE_NAME=prowlarr
SONARR_SERVICE_NAME=sonarr
RADARR_SERVICE_NAME=radarr
LIDARR_SERVICE_NAME=lidarr
READARR_SERVICE_NAME=readarr
PROWLARR_SERVICE_PORT=9696
SONARR_SERVICE_PORT=8989
RADARR_SERVICE_PORT=7878
LIDARR_SERVICE_PORT=8686
READARR_SERVICE_PORT=8787
PROWLARR_HOST=${PROWLARR_SERVICE_NAME}.${DOMAINNAME}
SONARR_HOST=${SONARR_SERVICE_NAME}.${DOMAINNAME}
RADARR_HOST=${RADARR_SERVICE_NAME}.${DOMAINNAME}
LIDARR_HOST=${LIDARR_SERVICE_NAME}.${DOMAINNAME}
READARR_HOST=${READARR_SERVICE_NAME}.${DOMAINNAME}
PROWLARR_URL=http://${PROWLARR_SERVICE_NAME}:${PROWLARR_SERVICE_PORT}
SONARR_URL=http://${SONARR_SERVICE_NAME}:${SONARR_SERVICE_PORT}
RADARR_URL=http://${RADARR_SERVICE_NAME}:${RADARR_SERVICE_PORT}
LIDARR_URL=http://${LIDARR_SERVICE_NAME}:${LIDARR_SERVICE_PORT}
READARR_URL=http://${READARR_SERVICE_NAME}:${READARR_SERVICE_PORT}
# Homepage configuration for Servarr Services
HOMEPAGE_VAR_PROWLARR_URL_EXTERNAL=https://${PROWLARR_HOST}
HOMEPAGE_VAR_PROWLARR_URL_INTERNAL=${PROWLARR_URL}
HOMEPAGE_VAR_PROWLARR_KEY=CHANGE_ME
HOMEPAGE_VAR_SONARR_URL_EXTERNAL=https://${SONARR_HOST}
HOMEPAGE_VAR_SONARR_URL_INTERNAL=${SONARR_URL}
HOMEPAGE_VAR_SONARR_KEY=CHANGE_ME
HOMEPAGE_VAR_RADARR_URL_EXTERNAL=https://${RADARR_HOST}
HOMEPAGE_VAR_RADARR_URL_INTERNAL=${RADARR_URL}
HOMEPAGE_VAR_RADARR_KEY=CHANGE_ME
HOMEPAGE_VAR_LIDARR_URL_EXTERNAL=https://${LIDARR_HOST}
HOMEPAGE_VAR_LIDARR_URL_INTERNAL=${LIDARR_URL}
HOMEPAGE_VAR_LIDARR_KEY=CHANGE_ME
HOMEPAGE_VAR_READARR_URL_EXTERNAL=https://${READARR_HOST}
HOMEPAGE_VAR_READARR_URL_INTERNAL=${READARR_URL}
HOMEPAGE_VAR_READARR_KEY=CHANGE_ME

179
my-compose/authentik/authentik-compose.yaml Normal file
View file

@ -0,0 +1,179 @@
# ------------------------------
# -- authentik (Identity Provider / SSO)
# -- Updated/Created 2024-July-02
# ------------------------------
name: authentik # Project Name
networks:
authentik-backend:
name: authentik-backend
services:
authentik_postgresql:
image: docker.io/library/postgres:16-alpine
container_name: authentik_postgresql
shm_size: 128mb # https://hub.docker.com/_/postgres
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
start_period: 20s
interval: 30s
retries: 5
timeout: 5s
networks:
- authentik-backend
volumes:
- "$DOCKERDIR/appdata/authentik/postgresql/data:/var/lib/postgresql/data"
secrets:
- authentik_postgresql_db
- authentik_postgresql_user
- authentik_postgresql_password
environment:
- POSTGRES_PASSWORD_FILE
- POSTGRES_USER_FILE
- POSTGRES_DB_FILE
authentik_redis:
image: docker.io/library/redis:alpine
container_name: authentik_redis
command: --save 60 1 --loglevel warning
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
start_period: 20s
interval: 30s
retries: 5
timeout: 3s
networks:
- authentik-backend
volumes:
- "$DOCKERDIR/appdata/authentik/redis/data:/data"
authentik_server:
image: ghcr.io/goauthentik/server:latest
container_name: authentik_server
restart: unless-stopped
command: server
depends_on:
- authentik_postgresql
- authentik_redis
- traefik
- crowdsec
networks:
- traefik
- socket_proxy
- authentik-backend
secrets:
- authentik_postgresql_db
- authentik_postgresql_user
- authentik_postgresql_password
- authentik_secret_key
environment:
- AUTHENTIK_REDIS__HOST
- AUTHENTIK_POSTGRESQL__HOST
- AUTHENTIK_POSTGRESQL__NAME
- AUTHENTIK_POSTGRESQL__USER
- AUTHENTIK_POSTGRESQL__PASSWORD
- AUTHENTIK_DISABLE_STARTUP_ANALYTICS
- AUTHENTIK_DISABLE_UPDATE_CHECK
- AUTHENTIK_ERROR_REPORTING__ENABLED
- AUTHENTIK_LOG_LEVEL
- AUTHENTIK_SECRET_KEY
- AUTHENTIK_COOKIE_DOMAIN
volumes:
- "$DOCKERDIR/appdata/authentik/media:/media"
- "$DOCKERDIR/appdata/authentik/custom-templates:/templates"
- "$DOCKERDIR/appdata/authentik/geoip/data:/geoip"
authentik_worker:
image: ghcr.io/goauthentik/server:latest
container_name: authentik_worker
restart: unless-stopped
user: 1000:1000
command: worker
depends_on:
- authentik_postgresql
- authentik_redis
networks:
- socket_proxy
- authentik-backend
secrets:
- authentik_postgresql_db
- authentik_postgresql_user
- authentik_postgresql_password
- authentik_secret_key
- gmail_smtp_username
- gmail_smtp_password
environment:
- DOCKER_HOST
- AUTHENTIK_REDIS__HOST
- AUTHENTIK_POSTGRESQL__HOST
- AUTHENTIK_POSTGRESQL__NAME
- AUTHENTIK_POSTGRESQL__USER
- AUTHENTIK_POSTGRESQL__PASSWORD
- AUTHENTIK_DISABLE_STARTUP_ANALYTICS
- AUTHENTIK_DISABLE_UPDATE_CHECK
- AUTHENTIK_ERROR_REPORTING__ENABLED
- AUTHENTIK_SECRET_KEY
- AUTHENTIK_COOKIE_DOMAIN
- AUTHENTIK_LOG_LEVEL
- AUTHENTIK_EMAIL__HOST
- AUTHENTIK_EMAIL__PORT
- AUTHENTIK_EMAIL__USERNAME
- AUTHENTIK_EMAIL__PASSWORD
- AUTHENTIK_EMAIL__USE_TLS
- AUTHENTIK_EMAIL__USE_SSL
- AUTHENTIK_EMAIL__TIMEOUT
- AUTHENTIK_EMAIL__FROM
volumes:
- "$DOCKERDIR/appdata/authentik/media:/media"
- "$DOCKERDIR/appdata/authentik/custom-templates:/templates"
- "$DOCKERDIR/appdata/authentik/geoip/data:/geoip"
geoipupdate:
image: ghcr.io/maxmind/geoipupdate:latest
container_name: geoipupdate
restart: unless-stopped
user: ${PUID}:${PGID}
volumes:
- "$DOCKERDIR/appdata/authentik/geoip/data:/usr/share/GeoIP"
networks:
- authentik-backend
secrets:
- geoip_account_id
- geoip_license_key
environment:
- GEOIPUPDATE_EDITION_IDS
- GEOIPUPDATE_FREQUENCY
- GEOIPUPDATE_ACCOUNT_ID_FILE
- GEOIPUPDATE_LICENSE_KEY_FILE
whoami-individual:
image: traefik/whoami:latest
container_name: whoami-individual
restart: unless-stopped
security_opt:
- no-new-privileges:true
depends_on:
- traefik
- authentik_server
- authentik_worker
networks:
- traefik
environment:
- TZ
whoami-catchall:
image: traefik/whoami:latest
container_name: whoami-catchall
restart: unless-stopped
security_opt:
- no-new-privileges:true
depends_on:
- traefik
- authentik_server
- authentik_worker
networks:
- traefik
environment:
- TZ

59
my-compose/compose.yaml Normal file
View file

@ -0,0 +1,59 @@
###############################################################
# Networks
###############################################################
networks:
socket_proxy:
name: socket_proxy
driver: bridge
ipam:
config:
- subnet: 172.16.224.0/24
traefik:
name: traefik
driver: bridge
ipam:
config:
- subnet: 10.255.224.0/20
###############################################################
# Docker Secrets
# Owner (default): root:root
# Recommend Set Owner to match container user Example: UID=1100, GID=1100
# Permissions of files & directory on host to: 0400 (-r--)
###############################################################
secrets:
## Cloudflare / Traefik
cf_email:
file: ${DOCKERDIR}/secrets/cf_email
cf_dns_api_token:
file: ${DOCKERDIR}/secrets/cf_dns_api_token
## Authentik
authentik_postgresql_db:
file: ${DOCKERDIR}/secrets/authentik_postgresql_db
authentik_postgresql_user:
file: ${DOCKERDIR}/secrets/authentik_postgresql_user
authentik_postgresql_password:
file: ${DOCKERDIR}/secrets/authentik_postgresql_password
authentik_secret_key:
file: ${DOCKERDIR}/secrets/authentik_secret_key
gmail_smtp_username:
file: ${DOCKERDIR}/secrets/gmail_smtp_username
gmail_smtp_password:
file: ${DOCKERDIR}/secrets/gmail_smtp_password
# ## GeoIP
geoip_account_id:
file: ${DOCKERDIR}/secrets/geoip_account_id
geoip_license_key:
file: ${DOCKERDIR}/secrets/geoip_license_key
###############################################################
# Include
# Merge all of the below compose files into one large compose at run time
# Thanks to Anand (SmartHomeBeginner), this is clean!
###############################################################
include:
- ${DOCKERDIR}/my-compose/traefik/traefik-compose.yaml
- ${DOCKERDIR}/my-compose/socket-proxy/socket-proxy-compose.yaml
- ${DOCKERDIR}/my-compose/crowdsec/crowdsec-compose.yaml
- ${DOCKERDIR}/my-compose/authentik/authentik-compose.yaml
- ${DOCKERDIR}/my-compose/portainer/portainer-compose.yaml
- ${DOCKERDIR}/my-compose/servarr/servarr-compose.yaml
- ${DOCKERDIR}/my-compose/homepage/homepage-compose.yaml

26
my-compose/crowdsec/crowdsec-compose.yaml Normal file
View file

@ -0,0 +1,26 @@
services:
crowdsec:
image: crowdsecurity/crowdsec:latest
container_name: crowdsec
expose:
- "8080"
depends_on:
- traefik
environment:
COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/sshd"
volumes:
- /var/log/crowdsec:/var/log/crowdsec:ro
- $DOCKERDIR/appdata/crowdsec/data:/var/lib/crowdsec/data/
- $DOCKERDIR/appdata/crowdsec/config/crowdsec:/etc/crowdsec
- $DOCKERDIR/appdata/crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
- $DOCKERDIR/appdata/crowdsec/whitelists_custom.yaml:/etc/crowdsec/parsers/s02-enrich/whitelists.yaml
# read traefik logs
- $DOCKERDIR/logs/traefik/:/var/log/traefik/:ro
# read linux auth logs
- /var/log/auth.log:/var/log/auth.log:ro
- /var/log/syslog:/var/log/syslog:ro
restart: unless-stopped
labels:
- traefik.enable=false
networks:
- traefik

15
my-compose/homepage/homepage-compose.yaml Normal file
View file

@ -0,0 +1,15 @@
services:
homepage:
image: ghcr.io/gethomepage/homepage:latest
container_name: homepage
restart: unless-stopped
env_file:
- ${DOCKERDIR}/my-compose/.env
ports:
- 3000:3000
volumes:
- $DOCKERDIR/appdata/homepage/config:/app/config # Make sure your local config directory exists
- $DOCKERDIR/appdata/homepage/config/icons:/app/public/icons
networks:
- traefik
- socket_proxy

18
my-compose/portainer/portainer-compose.yaml Normal file
View file

@ -0,0 +1,18 @@
services:
portainer:
image: portainer/portainer-ee:2.20.3
container_name: portainer
restart: unless-stopped
command: --host tcp://socket-proxy:2375
depends_on:
- socket-proxy
environment:
- TZ=${TZ}
volumes:
- "$DOCKERDIR/appdata/portainer/data:/data"
networks:
- socket_proxy
- traefik
ports:
- "9090:9000"

119
my-compose/servarr/servarr-compose.yaml Normal file
View file

@ -0,0 +1,119 @@
services:
prowlarr:
image: lscr.io/linuxserver/prowlarr:latest
container_name: prowlarr
environment:
- TZ=${TZ}
- PUID=${SERVARR_PUID}
- PGID=${SERVARR_PGID}
volumes:
- $DOCKERDIR/appdata/servarr/prowlarr/config:/config
- $DOCKERDIR/appdata/servarr/prowlarr/Backup:/data/Backup
- ${BASE_PATH_MEDIA}/downloads:/data/downloads
ports:
- 9696:9696
restart: unless-stopped
networks:
- traefik
sonarr:
image: lscr.io/linuxserver/sonarr:latest
container_name: sonarr
environment:
- TZ=${TZ}
- PUID=${SERVARR_PUID}
- PGID=${SERVARR_PGID}
volumes:
- $DOCKERDIR/appdata/servarr/sonarr/Config:/config
- $DOCKERDIR/appdata/servarr/sonarr/Backup:/data/Backup
- ${BASE_PATH_MEDIA}/series:/data/tvshows
- ${BASE_PATH_MEDIA}/downloads:/data/downloads
ports:
- 8989:8989
restart: unless-stopped
networks:
- traefik
radarr:
image: lscr.io/linuxserver/radarr:latest
container_name: radarr
environment:
- TZ=${TZ}
- PUID=${SERVARR_PUID}
- PGID=${SERVARR_PGID}
volumes:
- $DOCKERDIR/appdata/servarr/radarr/Config:/config
- $DOCKERDIR/appdata/servarr/radarr/Backup:/data/Backup
- ${BASE_PATH_MEDIA}/movies:/data/movies
- ${BASE_PATH_MEDIA}/downloads:/data/downloads
ports:
- 7878:7878
restart: unless-stopped
networks:
- traefik
lidarr:
image: lscr.io/linuxserver/lidarr:latest
container_name: lidarr
environment:
- TZ=${TZ}
- PUID=${SERVARR_PUID}
- PGID=${SERVARR_PGID}
volumes:
- $DOCKERDIR/appdata/servarr/lidarr/Config:/config
- $DOCKERDIR/appdata/servarr/lidarr/Backup:/data/Backup
- ${BASE_PATH_MEDIA}/music:/data/musicfolder
- ${BASE_PATH_MEDIA}/downloads:/data/downloads
ports:
- 8686:8686
restart: unless-stopped
networks:
- traefik
readarr:
image: lscr.io/linuxserver/readarr:develop
container_name: readarr
environment:
- TZ=Etc/UTC
- PUID=${SERVARR_PUID}
- PGID=${SERVARR_PGID}
volumes:
- $DOCKERDIR/appdata/servarr/readarr/config:/config
- ${BASE_PATH_MEDIA}/books:/data/books # optional
- ${BASE_PATH_MEDIA}/downloads:/data/downloads # optional
ports:
- 8787:8787
restart: unless-stopped
networks:
- traefik
qbittorrent:
image: lscr.io/linuxserver/qbittorrent:latest
container_name: qbittorrent
environment:
- TZ=${TZ}
- WEBUI_PORT=8090
- TORRENTING_PORT=6881
- PUID=${SERVARR_PUID}
- PGID=${SERVARR_PGID}
volumes:
- $DOCKERDIR/appdata/servarr/qbittorrent:/config
- ${BASE_PATH_MEDIA}/downloads:/downloads #optional
ports:
- 8090:8090
- 6881:6881
- 6881:6881/udp
restart: unless-stopped
networks:
- traefik
flaresolverr:
image: ghcr.io/flaresolverr/flaresolverr:latest
container_name: flaresolverr
environment:
- LOG_LEVEL=info
ports:
- 8191:8191
restart: unless-stopped
networks:
- traefik

50
my-compose/socket-proxy/socket-proxy-compose.yaml Normal file
View file

@ -0,0 +1,50 @@
name: socket-proxy # Project Name
services:
socket-proxy:
image: tecnativa/docker-socket-proxy:0.1.2
container_name: socket-proxy
restart: unless-stopped
security_opt:
- no-new-privileges=true
networks:
- socket_proxy
#socket_proxy:
# ipv4_address: 172.16.224.254
privileged: true # true for VM. false for unprivileged LXC container.
ports:
- "127.0.0.1:2375:2375"
environment:
- LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
### 0 to revoke access.
### 1 to grant access.
## Granted by Default
- EVENTS=1
- PING=1
- VERSION=1
## Revoked by Default
### Security critical
- AUTH=0
- SECRETS=0
- POST=1 # Watchtower
### Not always needed
- BUILD=0
- COMMIT=0
- CONFIGS=0
- CONTAINERS=1 # Traefik, portainer, etc.
- POST=1
- DISTRIBUTION=0
- EXEC=1
- IMAGES=1 # Portainer
- INFO=1 # Portainer
- NETWORKS=1 # Portainer
- NODES=0
- PLUGINS=0
- SERVICES=1 # Portainer
- SESSION=0
- SWARM=0
- SYSTEM=0
- TASKS=1 # Portainer
- VOLUMES=1 # Portainer
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro

60
my-compose/traefik/traefik-compose.yaml Normal file
View file

@ -0,0 +1,60 @@
###############################################################
#
# https://docs.docker.com/compose/compose-file/05-services/#security_opt
# https://docs.docker.com/compose/environment-variables/set-environment-variables/
#
###############################################################
name: traefik
services:
traefik:
image: traefik:latest
container_name: traefik
restart: unless-stopped
# user: ${PUID}:${PGID} # uncomment if you using a user and group role
env_file:
- ${DOCKERDIR}/my-compose/.env
security_opt:
- no-new-privileges=true
depends_on:
- socket-proxy
networks:
traefik:
aliases:
- traefik.${DOMAINNAME}
socket_proxy:
command:
- "--configFile=/config/traefik.yaml"
- "--certificatesResolvers.le.acme.email=${CF_EMAIL}" # set email on lets encrypt because environment variable not work on traefik.yaml
ports:
# - "80:80" # SHORT Syntax of below verbose definition
- name: web
host_ip: 0.0.0.0 # All interfaces, not a specific one
target: 80 # Container Port
published: "80" # STRING
protocol: tcp # tcp or udp
app_protocol: http # OPTIONAL. Layer 7 Protocol used. "Richer behavior"
mode: host # or Ingress for load balancing
- name: websecure
host_ip: 0.0.0.0
target: 443
published: "443"
protocol: tcp
app_protocol: https
mode: host
secrets:
- cf_dns_api_token
environment:
- TZ=${TZ}
- DOMAINNAME=${DOMAINNAME}
- TRAEFIK_ENTRYPOINTS_websecure_HTTP_TLS_DOMAINS_0_MAIN=${DOMAINNAME} # domain for websecure and let's encrypt
- TRAEFIK_ENTRYPOINTS_websecure_HTTP_TLS_DOMAINS_0_SANS=*.${DOMAINNAME} # domain for websecure and let's encrypt
## uncomment if you want activate dashboard auth credentials
## Docker Secrets
- CF_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_api_token
volumes:
- "$DOCKERDIR/appdata/traefik/config:/config" # traefik.yaml
- "$DOCKERDIR/appdata/traefik/data:/data" # acme.json defined in traefik.yaml
- "$DOCKERDIR/appdata/traefik/rules:/rules" # Dynamic File Provider directory
- "$DOCKERDIR/appdata/crowdsec/ban.html:/ban.html" # html file for crowdsec ban ### comment if you dont use crowdsec
- "$DOCKERDIR/logs/traefik:/logs"

1
secrets/authentik_postgresql_db Normal file
View file

@ -0,0 +1 @@
authentik_db

1
secrets/authentik_postgresql_password Normal file
View file

@ -0,0 +1 @@
CHANGEME

1
secrets/authentik_postgresql_user Normal file
View file

@ -0,0 +1 @@
CHANGEME

1
secrets/authentik_secret_key Normal file
View file

@ -0,0 +1 @@
CHANGEME

1
secrets/cf_dns_api_token Normal file
View file

@ -0,0 +1 @@
CHANGME

1
secrets/cf_email Normal file
View file

@ -0,0 +1 @@
CHANGEME

1
secrets/gmail_smtp_password Normal file
View file

@ -0,0 +1 @@
CHANGEME

1
secrets/gmail_smtp_username Normal file
View file

@ -0,0 +1 @@
CHANGEME