diff --git a/Docker/gitea/docker-compose.yml b/Docker/gitea/docker-compose.yml
new file mode 100644
index 0000000..776817e
--- /dev/null
+++ b/Docker/gitea/docker-compose.yml
@@ -0,0 +1,49 @@
+version: "3.9"
+
+networks:
+ proxy:
+ external: true
+ net:
+ external: false
+
+services:
+ gitea-db:
+ image: lscr.io/linuxserver/mariadb:latest
+ container_name: gitea-db
+ restart: always
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Berlin
+ - MYSQL_ROOT_PASSWORD=root
+ - MYSQL_DATABASE=db
+ - MYSQL_USER=user
+ - MYSQL_PASSWORD=password
+ volumes:
+ - ./db:/config
+ expose:
+ - 3306
+ networks:
+ - net
+
+ gitea:
+ image: gitea/gitea:1.15
+ container_name: gitea
+ restart: always
+ depends_on:
+ - gitea-db
+ environment:
+ - USER_UID=1000
+ - USER_GID=1000
+ - DISABLE_REGISTRATION=true
+ - SHOW_REGISTRATION_BUTTOM=false
+ - GITEA__log__LEVEL=error
+ volumes:
+ - ./data:/data
+ - /etc/timezone:/etc/timezone:ro
+ - /etc/localtime:/etc/locatime:ro
+ expose:
+ - 3000
+ networks:
+ - net
+ - proxy
diff --git a/Docker/hedgedoc/docker-compose.yml b/Docker/hedgedoc/docker-compose.yml
new file mode 100644
index 0000000..a728403
--- /dev/null
+++ b/Docker/hedgedoc/docker-compose.yml
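Review bot: The `gitea-db` service commits `MYSQL_ROOT_PASSWORD=root` and `MYSQL_PASSWORD=password` as plain compose environment, while the Authelia stacks later in this same commit already load credentials from `./secrets/*` through `*_FILE` variables; give the database the same treatment (the linuxserver.io images accept a `FILE__MYSQL_PASSWORD`-style indirection if I recall correctly, otherwise an untracked `env_file`). Two typos also make lines silently inert: `SHOW_REGISTRATION_BUTTOM=false` should be `SHOW_REGISTRATION_BUTTON=false`, and `/etc/localtime:/etc/locatime:ro` mounts the host clock at the wrong path. `lscr.io/linuxserver/mariadb:latest` is a floating tag next to the pinned `gitea/gitea:1.15`; pin the database too so a later `pull` cannot jump a MariaDB major version underneath Gitea's data directory.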
@@ -0,0 +1,60 @@
+version: "3.9"
+
+networks:
+ proxy:
+ external: true
+ net:
+ external: false
+
+services:
+ hedgedoc-db:
+ image: lscr.io/linuxserver/mariadb:latest
+ container_name: hedgedoc-db
+ restart: always
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Berlin
+ - MYSQL_ROOT_PASSWORD=root
+ - MYSQL_DATABASE=db
+ - MYSQL_USER=user
+ - MYSQL_PASSWORD=password
+ volumes:
+ - ./db:/config
+ expose:
+ - 3306
+ networks:
+ - net
+
+ hedgedoc:
+ image: lscr.io/linuxserver/hedgedoc:latest
+ container_name: hedgedoc
+ restart: always
+ depends_on:
+ - hedgedoc-db
+ environment:
+ - PGID=1000
+ - PUID=1000
+ - TZ=Europe/Berlin
+ - CMD_DB_HOST=hedgedoc-db
+ - CMD_DB_USERNAME=user
+ - CMD_DB_PASSWORD=password
+ - CMD_DB_NAME=db
+ - CMD_DB_PORT=3306
+ - CMD_DOMAIN=pad.example.de
+ - CMD_PROTOCOL_USESSL=true
+ - CMD_ALLOW_FREEURL=true
+ - CMD_ALLOW_PDF_EXPORT=true
+ - CMD_ALLOW_ANONYMOUS=false
+ - CMD_ALLOW_ANONYMOUS_EDITS=true
+ - CMD_ALLOW_EMAIL_REGISTER=false
+ - CMD_LOGLEVEL=warn
+ - CMD_SESSION_SECRET=example
+ volumes:
+ - ./config:/config
+ - ./uploads:/opt/hedgedoc/public/uploads
+ expose:
+ - 3000
+ networks:
+ - net
+ - proxy
diff --git a/Docker/nextcloud/config/www/nextcloud/config/config.php b/Docker/nextcloud/config/www/nextcloud/config/config.php
new file mode 100644
index 0000000..47e56f3
--- /dev/null
+++ b/Docker/nextcloud/config/www/nextcloud/config/config.php
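Review bot: `CMD_SESSION_SECRET=example` commits the key that signs HedgeDoc's session cookie, so anyone who reads this repository can mint sessions on an instance deployed from the file unchanged; move it (and the `MYSQL_*`/`CMD_DB_PASSWORD=password` pair) to a secret file or an untracked `env_file`, as the Authelia stacks in this commit do with `./secrets/`. `CMD_ALLOW_ANONYMOUS=false` combined with `CMD_ALLOW_ANONYMOUS_EDITS=true` and `CMD_ALLOW_FREEURL=true` deserves an inline comment, because as I read the HedgeDoc docs it still lets unauthenticated visitors edit any note whose permission is set to "freely" — if that is intended, say so: `# guests cannot create notes but may edit notes set to "freely"`. Both `lscr.io/linuxserver/*:latest` tags are unpinned under `restart: always`.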
@@ -0,0 +1,51 @@
+ '\\OC\\Memcache\\Redis',
+ 'memcache.locking' => '\\OC\\Memcache\\Redis',
+ 'memcache.distributed' => '\\OC\\Memcache\\Redis',
+ 'redis' =>
+ array (
+ 'host' => 'nextcloud-redis',
+ 'port' => 6379,
+ ),
+ 'datadirectory' => '/data',
+ 'instanceid' => 'example',
+ 'passwordsalt' => 'example',
+ 'secret' => 'example',
+ 'trusted_proxies' =>
+ array (
+ 0 => 'swag',
+ ),
+ 'trusted_domains' =>
+ array (
+ 0 => 'cloud.example.de',
+ ),
+ 'dbtype' => 'mysql',
+ 'version' => '22.2.3.0',
+ 'overwriteprotocol' => 'https',
+ 'overwritehost' => 'cloud.example.de',
+ 'overwrite.cli.url' => 'https://cloud.example.de',
+ 'dbname' => 'db',
+ 'dbhost' => 'nextcloud-db',
+ 'dbport' => '',
+ 'dbtableprefix' => 'oc_',
+ 'mysql.utf8mb4' => true,
+ 'dbuser' => 'user',
+ 'dbpassword' => 'password',
+ 'installed' => true,
+ 'default_phone_region' => 'DE',
+ 'maintenance' => false,
+ 'mail_smtpmode' => 'smtp',
+ 'mail_smtpsecure' => 'tls',
+ 'mail_sendmailmode' => 'smtp',
+ 'mail_smtpauthtype' => 'LOGIN',
+ 'mail_smtpauth' => 1,
+ 'mail_smtphost' => 'smtp.gmail.com',
+ 'mail_smtpport' => '587',
+ 'mail_from_address' => 'nextcloud',
+ 'mail_domain' => 'example.de',
+ 'mail_smtpname' => 'example@gmail.com',
+ 'mail_smtppassword' => 'example',
+ 'theme' => '',
+ 'loglevel' => 2,
+);
\ No newline at end of file
diff --git a/Docker/nextcloud/docker-compose.yml b/Docker/nextcloud/docker-compose.yml
new file mode 100644
index 0000000..2517748
--- /dev/null
+++ b/Docker/nextcloud/docker-compose.yml
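Review bot: This is the live `config.php` (the sibling compose file mounts `./config:/config`), and it commits `'secret' => 'example'`, `'passwordsalt' => 'example'` and `'instanceid' => 'example'` next to `'dbpassword' => 'password'` and `'mail_smtppassword' => 'example'`; `secret` and `passwordsalt` underpin Nextcloud's password hashing and encrypted credential storage, so an instance started with these placeholders is trivially attackable and the values cannot be rotated later without invalidating stored data. Keep `config.php` out of version control and let the installer generate those three values, committing at most a sample with them blank. `'trusted_proxies' => array(0 => 'swag')` uses a container name, and as far as I know Nextcloud expects IP addresses or CIDR ranges there, so `X-Forwarded-For` from SWAG may be ignored and brute-force protection would then throttle on the proxy's address — worth confirming in the admin overview. The hunk as rendered begins at the `memcache` values, so the `<?php`/`$CONFIG = array (` opening lines are outside what I can see.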
@@ -0,0 +1,57 @@
+version: "3.9"
+
+networks:
+ proxy:
+ external: true
+ net:
+ external: false
+
+volumes:
+ redis:
+
+services:
+ nextcloud-redis:
+ image: redis:latest
+ container_name: nextcloud-redis
+ restart: always
+ volumes:
+ - redis:/data
+ networks:
+ - net
+
+ nextcloud-db:
+ image: lscr.io/linuxserver/mariadb:latest
+ container_name: nextcloud-db
+ restart: always
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Berlin
+ - MYSQL_ROOT_PASSWORD=root
+ - MYSQL_DATABASE=db
+ - MYSQL_USER=user
+ - MYSQL_PASSWORD=password
+ volumes:
+ - ./db:/config
+ networks:
+ - net
+
+ nextcloud:
+ image: lscr.io/linuxserver/nextcloud:latest
+ container_name: nextcloud
+ restart: always
+ depends_on:
+ - nextcloud-db
+ - nextcloud-redis
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Berlin
+ volumes:
+ - ./config:/config
+ - ./data:/data
+ expose:
+ - 443
+ networks:
+ - net
+ - proxy
diff --git a/Docker/node-red/data/settings.js b/Docker/node-red/data/settings.js
new file mode 100644
index 0000000..e69b8fc
--- /dev/null
+++ b/Docker/node-red/data/settings.js
@@ -0,0 +1,16 @@
+...
+
+https: {
+ key: require("fs").readFileSync('/privkey.pem'),
+ cert: require("fs").readFileSync('/cert.pem')
+},
+
+...
+
+requireHttps: true,
+
+...
+
+webSocketNodeVerifyClient: function(info) {
+ return (info.origin == "https://www.example.de" && info.secure == true);
+},
\ No newline at end of file
diff --git a/Docker/node-red/docker-compose.yml b/Docker/node-red/docker-compose.yml
new file mode 100644
index 0000000..21ea0ad
--- /dev/null
+++ b/Docker/node-red/docker-compose.yml
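Review bot: `MYSQL_ROOT_PASSWORD=root` and `MYSQL_PASSWORD=password` are committed in clear text and must stay in sync with `'dbpassword'` in the committed `config.php`, so both files have to be regenerated together at deploy time; a secret file or untracked `env_file` (as the Authelia stacks in this commit do with `./secrets/`) would make that dependency explicit. All three images (`redis:latest`, `lscr.io/linuxserver/mariadb:latest`, `lscr.io/linuxserver/nextcloud:latest`) are floating tags under `restart: always` — the same situation this commit fixes for sharelatex by pinning `redis:6.2.6`, so pin them here as well. `depends_on` only orders container start, so Nextcloud can come up before MariaDB accepts connections; with docker compose v2 a `healthcheck` on `nextcloud-db` plus `condition: service_healthy` closes that gap.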
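Review bot: `webSocketNodeVerifyClient` only compares `info.origin`, and `Origin` is set honestly by browsers but freely chosen by any other client, so this blocks cross-site browser pages but is not an authentication check — say so next to it, e.g. `// Origin check only stops cross-site browser pages; it does not authenticate non-browser clients.` The two `==` comparisons should be `===` to avoid coercion surprises on `info.secure`. The excerpt elides most of the file with `...`, so I cannot see whether `adminAuth` is configured; if it is not, the editor and admin API are open to anyone who reaches port 1880 — worth confirming in the full `settings.js`.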
@@ -0,0 +1,24 @@
+version: "3.9"
+
+networks:
+ proxy:
+ external: true
+
+services:
+ node-red:
+ image: nodered/node-red:latest
+ container_name: node-red
+ restart: always
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Berlin
+ volumes:
+ - ./data:/data
+ - /opt/docker/proxy/swag/keys/letsencrypt/privkey.pem:/privkey.pem:ro
+ - /opt/docker/proxy/swag/keys/letsencrypt/fullchain.pem:/cert.pem:ro
+ user: "0"
+ expose:
+ - 1880
+ networks:
+ - proxy
diff --git a/Docker/sharelatex/docker-compose.yml b/Docker/sharelatex/docker-compose.yml
index c5f46a1..ce4b134 100644
--- a/Docker/sharelatex/docker-compose.yml
+++ b/Docker/sharelatex/docker-compose.yml
@@ -45,7 +45,7 @@ services:
 sharelatex-redis:
 restart: unless-stopped
- image: redis:latest
+ image: redis:6.2.6
 container_name: sharelatex-redis
 networks:
 - net
diff --git a/Docker/sharelatex/updatePackages.sh b/Docker/sharelatex/updatePackages.sh
new file mode 100755
index 0000000..255625d
--- /dev/null
+++ b/Docker/sharelatex/updatePackages.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+docker exec sharelatex tlmgr update --self
+docker exec sharelatex tlmgr update --all
\ No newline at end of file
diff --git a/Docker/swag & authelia/README.md b/Docker/swag & authelia/README.md
new file mode 100644
index 0000000..b56683b
--- /dev/null
+++ b/Docker/swag & authelia/README.md
@@ -0,0 +1,3 @@
+## How to generate password hash for user_database.yml
+
+```docker run authelia/authelia:latest authelia hash-password 'yourpassword'```
\ No newline at end of file
diff --git a/Docker/swag & authelia/authelia/configuration.yml b/Docker/swag & authelia/authelia/configuration.yml
new file mode 100644
index 0000000..24c5d93
--- /dev/null
+++ b/Docker/swag & authelia/authelia/configuration.yml
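Review bot: `user: "0"` runs Node-RED as root, apparently so it can read the bind-mounted `/privkey.pem` taken from SWAG's Let's Encrypt directory, which hands the host's wildcard private key to a container whose editor executes user-authored function nodes — a compromised flow becomes a key compromise plus root inside the container. Since the service already sits on the `proxy` network behind SWAG with `expose: 1880`, the simpler design is to let SWAG terminate TLS and drop both key mounts and `user: "0"` (and the `https`/`requireHttps` block in `settings.js`); if in-container TLS is really wanted, provide a copy of the key readable by the image's unprivileged user instead of running as root. `PUID`/`PGID` are linuxserver.io conventions that the official `nodered/node-red` image does not honor as far as I know, so those lines are inert, and `nodered/node-red:latest` is unpinned.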
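Review bot: `tlmgr update --all` runs regardless of whether the preceding `tlmgr update --self` succeeded, because bash does not stop on a non-zero exit by default; add `set -euo pipefail` after the shebang so the second `docker exec` only runs after the first one completed. The file is also missing its trailing newline.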
@@ -0,0 +1,71 @@
+server:
+ host: 0.0.0.0
+ port: 9091
+server:
+ read_buffer_size: 4096
+ write_buffer_size: 4096
+ path: "authelia"
+log:
+ level: warn
+theme: dark
+default_redirection_url: https://example.de
+totp:
+ issuer: authelia.com
+
+duo_api:
+ hostname: example
+ integration_key: example
+
+authentication_backend:
+ disable_reset_password: true
+ file:
+ path: /config/users_database.yml
+ password:
+ algorithm: argon2id
+ iterations: 1
+ salt_length: 16
+ parallelism: 8
+ memory: 64
+
+access_control:
+ default_policy: deny
+ rules:
+ - domain: ["example1.example.de"]
+ resources:
+ - "^/ping.*$"
+ policy: bypass
+ - domain: ["example1.example.de", "example2.example.de"]
+ policy: two_factor
+ - domain: ["example3.example.de"]
+ resources:
+ - "^/admin(.*)?$"
+ policy: two_factor
+
+session:
+ name: authelia_session
+ expiration: 3600 # 1 hour
+ inactivity: 300 # 5 minutes
+ domain: example.de
+
+regulation:
+ max_retries: 3
+ find_time: 120
+ ban_time: 300
+
+storage:
+ local:
+ path: /config/db.sqlite3
+
+ntp:
+ address: "ntp1.hetzner.com:123"
+ version: 3
+ max_desync: 3s
+ disable_startup_check: false
+ disable_failure: false
+
+notifier:
+ smtp:
+ username: example@gmail.com
+ host: smtp.gmail.com
+ port: 465
+ sender: example@gmail.com
\ No newline at end of file
diff --git a/Docker/swag & authelia/authelia/user_database.yml b/Docker/swag & authelia/authelia/user_database.yml
new file mode 100644
index 0000000..5697986
--- /dev/null
+++ b/Docker/swag & authelia/authelia/user_database.yml
@@ -0,0 +1,7 @@
+users:
+ exampleUser:
+ displayname: "Example User"
+ password: "$argon2id$v=19$m=65536$3oc26byQuSkQqksq$zM1QiTvVPrMfV6BVLs2t4gM+af5IN7euO0VB6+Q8ZFs"
+ email: example@example.com
+ groups:
+ - admins
\ No newline at end of file
diff --git a/Docker/swag & authelia/docker-compose.yml b/Docker/swag & authelia/docker-compose.yml
new file mode 100644
index 0000000..9e09ac6
--- /dev/null
+++ b/Docker/swag & authelia/docker-compose.yml
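Review bot: `server:` is defined twice at the top level (`host`/`port`, then `read_buffer_size`/`write_buffer_size`/`path`); duplicate mapping keys are a parse error in strict YAML loaders and a silent last-wins in lenient ones, and in the second case Authelia would lose the explicit `host: 0.0.0.0`/`port: 9091` — merge the five keys into a single `server:` block. `authentication_backend.file.path` points at `/config/users_database.yml`, but the file committed next to this one is `user_database.yml` (singular); with `./authelia:/config` mounted the configured path does not exist, and if I recall correctly older Authelia releases react by generating a default user database with a well-known password instead of failing, so rename one side so they agree. The bypass rule `"^/ping.*$"` matches every path that starts with `/ping`, not just `/ping`, and `totp.issuer: authelia.com` is the label users see in their authenticator app, so both deserve a second look.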
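Review bot: The committed `exampleUser` sits in `groups: [admins]` with a concrete argon2id hash, so anyone reading the repository can attack that hash offline, and a deployment that forgets to replace the file ships an admin whose password is whatever the example was. Commit this as a template with the `password` value empty (or git-ignore it and rely on the README's `hash-password` instructions), and note that the identical file is duplicated byte-for-byte under `traefik & authelia/`, which would give both stacks the same admin credential. The filename also disagrees with `configuration.yml`, which loads `/config/users_database.yml`.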
@@ -0,0 +1,73 @@
+version: "3.9"
+
+networks:
+ proxy:
+ external: true
+ net:
+ external: false
+
+secrets:
+ jwt:
+ file: ./secrets/authelia_jwt
+ duo:
+ file: ./secrets/authelia_duo
+ session:
+ file: ./secrets/authelia_session
+ storage:
+ file: ./secrets/authelia_storage
+ smtp:
+ file: ./secrets/authelia_smtp
+
+services:
+ authelia:
+ image: authelia/authelia:latest
+ container_name: authelia
+ restart: always
+ secrets:
+ - jwt
+ - duo
+ - session
+ - storage
+ - smtp
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Berlin
+ - AUTHELIA_JWT_SECRET_FILE=/run/secrets/jwt
+ - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/duo
+ - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/session
+ - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/smtp
+ - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/storage
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - ./authelia:/config
+ expose:
+ - 9091
+ networks:
+ - net
+ healthcheck:
+ disable: true
+
+ swag:
+ image: lscr.io/linuxserver/swag:latest
+ container_name: swag
+ restart: always
+ cap_add:
+ - NET_ADMIN
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Berlin
+ - URL=fhoss.de
+ - VALIDATION=dns
+ - SUBDOMAINS=wildcard
+ - DNSPLUGIN=hetzner
+ - ONLY_SUBDOMAINS=true
+ volumes:
+ - ./swag:/config
+ ports:
+ - "443:443"
+ - "80:80"
+ networks:
+ - net
+ - proxy
diff --git a/Docker/traefik & authelia/README.md b/Docker/traefik & authelia/README.md
new file mode 100644
index 0000000..b56683b
--- /dev/null
+++ b/Docker/traefik & authelia/README.md
@@ -0,0 +1,3 @@
+## How to generate password hash for user_database.yml
+
+```docker run authelia/authelia:latest authelia hash-password 'yourpassword'```
\ No newline at end of file
diff --git a/Docker/traefik & authelia/authelia/configuration.yml b/Docker/traefik & authelia/authelia/configuration.yml
new file mode 100644
index 0000000..3ed65a0
--- /dev/null
+++ b/Docker/traefik & authelia/authelia/configuration.yml
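Review bot: `URL=fhoss.de` is the one real-looking domain in a commit that otherwise uses `example.de` placeholders; together with `SUBDOMAINS=wildcard` and `DNSPLUGIN=hetzner` it tells a reader exactly which zone the wildcard certificate and the Hetzner DNS API token (expected under `./swag/dns-conf/`, not shown) belong to — replace it with `URL=example.de`. The `./secrets/authelia_*` files are referenced but not committed, which is right; make sure `secrets/` is in `.gitignore` so a later commit does not pick them up. `PUID`/`PGID` are inert on the `authelia/authelia` image (it is not a linuxserver.io build), and `healthcheck: disable: true` removes the only signal Compose has that Authelia is answering on 9091 — a one-line comment explaining why it is disabled would help the next reader. `authelia/authelia:latest` is unpinned here while the traefik variant pins `authelia/authelia:4`.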
@@ -0,0 +1,49 @@
+server:
+ host: 0.0.0.0
+ port: 9091
+log:
+ level: warn
+theme: dark
+default_redirection_url: https://example.com
+totp:
+ issuer: authelia.com
+
+authentication_backend:
+ file:
+ path: /config/users_database.yml
+ password:
+ algorithm: argon2id
+ iterations: 1
+ salt_length: 16
+ parallelism: 8
+ memory: 64
+
+access_control:
+ default_policy: deny
+ rules:
+ - domain: [ two.example.com ]
+ policy: two_factor
+ - domain: [ one.example.com ]
+ policy: one_factor
+
+session:
+ name: authelia_session
+ expiration: 3600 # 1 hour
+ inactivity: 300 # 5 minutes
+ domain: example.com
+
+regulation:
+ max_retries: 3
+ find_time: 120
+ ban_time: 300
+
+storage:
+ local:
+ path: /config/db.sqlite3
+
+notifier:
+ smtp:
+ username: example@example.com
+ host: smtp.gmail.com
+ port: 465
+ sender: example@example.com
\ No newline at end of file
diff --git a/Docker/traefik & authelia/authelia/user_database.yml b/Docker/traefik & authelia/authelia/user_database.yml
new file mode 100644
index 0000000..5697986
--- /dev/null
+++ b/Docker/traefik & authelia/authelia/user_database.yml
@@ -0,0 +1,7 @@
+users:
+ exampleUser:
+ displayname: "Example User"
+ password: "$argon2id$v=19$m=65536$3oc26byQuSkQqksq$zM1QiTvVPrMfV6BVLs2t4gM+af5IN7euO0VB6+Q8ZFs"
+ email: example@example.com
+ groups:
+ - admins
\ No newline at end of file
diff --git a/Docker/traefik & authelia/docker-compose.yml b/Docker/traefik & authelia/docker-compose.yml
new file mode 100644
index 0000000..bbb3b87
--- /dev/null
+++ b/Docker/traefik & authelia/docker-compose.yml
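Review bot: The sibling compose file passes `AUTHELIA_DUO_API_SECRET_KEY_FILE`, but this configuration has no `duo_api:` section (`hostname`, `integration_key`), so the secret is either dead weight or produces a partial Duo configuration that Authelia may reject at startup — add the block as the `swag & authelia/` variant does, or drop the secret from the compose file. `authentication_backend.file.path: /config/users_database.yml` does not match the committed `user_database.yml` beside it (mounted via `./authelia:/config`), so the configured user database does not exist at that path. `totp.issuer: authelia.com` should be the deployment's own domain, since it is the label users see in their authenticator app.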
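Review bot: This file is a byte-for-byte copy of `swag & authelia/authelia/user_database.yml`, so both stacks share one committed admin hash for `exampleUser` in `groups: [admins]`; a deployment that does not replace it has an admin whose password is the public example. Commit it with the `password` value empty or git-ignore it, and rename it to `users_database.yml` so it matches the `path:` in `configuration.yml`.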
@@ -0,0 +1,76 @@
+version: "3.9"
+
+networks:
+ proxy:
+ external: true
+ monitor:
+ external: true
+
+secrets:
+ inwx_username:
+ file: ./secrets/inwx_username
+ inwx_password:
+ file: ./secrets/inwx_password
+ jwt:
+ file: ./secrets/authelia_jwt
+ duo:
+ file: ./secrets/authelia_duo
+ session:
+ file: ./secrets/authelia_session
+ storage:
+ file: ./secrets/authelia_storage
+ smtp:
+ file: ./secrets/authelia_smtp
+
+services:
+ authelia:
+ image: authelia/authelia:4
+ container_name: authelia
+ secrets:
+ - jwt
+ - duo
+ - session
+ - storage
+ - smtp
+ environment:
+ - TZ=Europe/Berlin
+ - AUTHELIA_JWT_SECRET_FILE=/run/secrets/jwt
+ - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/duo
+ - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/session
+ - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/smtp
+ - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/storage
+ healthcheck:
+ disable: true
+ volumes:
+ - ./authelia:/config
+ restart: always
+ expose:
+ - 9091
+ networks:
+ - proxy
+
+ traefik:
+ image: traefik:2.5
+ container_name: traefik
+ restart: always
+ security_opt:
+ - no-new-privileges:true
+ ports:
+ - "80:80"
+ - "443:443"
+ secrets:
+ - inwx_username
+ - inwx_password
+ environment:
+ - TZ=Europe/Berlin
+ - INWX_USERNAME_FILE=/run/secrets/inwx_username
+ - INWX_PASSWORD_FILE=/run/secrets/inwx_password
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ - ./traefik/traefik.toml:/traefik.toml:ro
+ - ./traefik/inwx.json:/inwx.json
+ - ./traefik/config.toml:/config.toml
+ networks:
+ - proxy
+ - monitor
diff --git a/Docker/traefik & authelia/traefik/config.yml b/Docker/traefik & authelia/traefik/config.yml
new file mode 100644
index 0000000..0d411f5
--- /dev/null
+++ b/Docker/traefik & authelia/traefik/config.yml
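Review bot: `/var/run/docker.sock:/var/run/docker.sock:ro` gives Traefik the full Docker API (the `:ro` only makes the bind mount read-only, it does not restrict what the API will do, and a process in the container can start privileged containers through it), yet `traefik.yml` in this same commit enables only the `file` provider, so the mount is unused — remove it, and if the docker provider is ever added, front it with a socket proxy rather than the raw socket. The config mounts reference `./traefik/traefik.toml` and `./traefik/config.toml`, but the files committed are `traefik.yml` and `config.yml` (and `traefik.yml` loads `/config.yml`), so Docker will create empty directories at `/traefik.toml` and `/config.toml` and Traefik will not pick up the intended configuration; change those two lines to `./traefik/traefik.yml:/traefik.yml:ro` and `./traefik/config.yml:/config.yml:ro`. `./traefik/inwx.json` must exist as a `0600` file before first start for the same reason, or ACME cannot persist certificates. `no-new-privileges:true` and file-backed secrets for the INWX credentials are the right pattern.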
@@ -0,0 +1,57 @@
+tls:
+ options:
+ default:
+ minVersion: VersionTLS12
+ cipherSuites:
+ - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+ - TLS_AES_128_GCM_SHA256
+ - TLS_AES_256_GCM_SHA384
+ - TLS_CHACHA20_POLY1305_SHA256
+ curvePreferences:
+ - CurveP521
+ - CurveP384
+ sniStrict: true
+
+http:
+ routers:
+ traefik:
+ rule: "Host(`proxy.example.com`)"
+ middlewares:
+ - authelia
+ - secHeaders
+ tls:
+ certResolver: inwx
+ service: api@internal
+ authelia:
+ rule: "Host(`auth.example.com`)"
+ middlewares:
+ - secHeaders
+ tls:
+ certResolver: inwx
+ service: authelia
+
+ middlewares:
+ secHeaders:
+ headers:
+ browserXssFilter: true
+ contentTypeNosniff: true
+ frameDeny: true
+ sslRedirect: true
+ forceSTSHeader: true
+ stsIncludeSubdomains: true
+ stsPreload: true
+ stsSeconds: 31536000
+ customFrameOptionsValue: "SAMEORIGIN"
+ customRequestHeaders:
+ X-Forwarded-Proto: https
+ authelia:
+ forwardAuth:
+ address: "http://authelia:9091/api/verify?rd=https://auth.example.com"
+
+ services:
+ authelia:
+ loadBalancer:
+ servers:
+ - url: "http://authelia:9091"
diff --git a/Docker/traefik & authelia/traefik/traefik.yml b/Docker/traefik & authelia/traefik/traefik.yml
new file mode 100644
index 0000000..a3f5f6f
--- /dev/null
+++ b/Docker/traefik & authelia/traefik/traefik.yml
@@ -0,0 +1,28 @@
+api:
+ dashboard: true
+
+entryPoints:
+ http:
+ address: ":80"
+ http:
+ redirections:
+ entryPoint:
+ to: https
+ scheme: https
+ https:
+ address: ":443"
+
+serversTransport:
+ insecureSkipVerify: true
+
+providers:
+ file:
+ filename: /config.yml
+
+certificatesResolvers:
+ inwx:
+ acme:
+ email: example@example.com
+ storage: inwx.json
+ dnsChallenge:
+ provider: inwx
\ No newline at end of file
diff --git a/Docker/vaultwarden/docker-compose.yml b/Docker/vaultwarden/docker-compose.yml
new file mode 100644
index 0000000..ba0c529
--- /dev/null
+++ b/Docker/vaultwarden/docker-compose.yml
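Review bot: `curvePreferences: [CurveP521, CurveP384]` excludes `X25519` and `CurveP256`, the curves every modern client offers first; P-521 is slow and not universally supported, and nothing in this file gains from excluding the faster curves — use `- X25519`, `- CurveP256`, `- CurveP384`, or drop the list and take Go's defaults. The `authelia` forwardAuth middleware sets only `address`; Authelia's Traefik integration guide also expects `trustForwardHeader: true` and `authResponseHeaders: [Remote-User, Remote-Groups, Remote-Name, Remote-Email]`, and without `authResponseHeaders` any backend that relies on those headers sees an anonymous request, so add them if anything behind `authelia` consumes the identity. Routing `api@internal` through the `authelia` middleware is the right way to expose the dashboard; `sslRedirect` in `secHeaders` duplicates the entry-point redirect in `traefik.yml` but is harmless.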
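Review bot: `serversTransport.insecureSkipVerify: true` disables certificate verification for every HTTPS backend Traefik will ever talk to, not only the self-signed one it was presumably added for, so any later service with a real certificate is silently downgraded to unauthenticated TLS; the only backend defined in `config.yml` in this commit is `http://authelia:9091`, so the flag currently protects nothing. Scope it to the service that needs it with a named transport in `config.yml` (`serversTransports: insecureBackend: insecureSkipVerify: true` and `loadBalancer.serversTransport: insecureBackend`) and delete the global setting. `api.dashboard: true` without `insecure: true` is correct given the dashboard is routed through `api@internal` behind the `authelia` middleware.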
@@ -0,0 +1,31 @@
+version: "3.9"
+
+networks:
+ proxy:
+ external: true
+
+services:
+ vaultwarden:
+ image: vaultwarden/server:1.23.0
+ container_name: vaultwarden
+ restart: always
+ environment:
+ - DOMAIN=https://vw.example.de
+ - SIGNUPS_ALLOWED=false
+ - WEBSOCKET_ENABLED=true
+ - SMTP_HOST=smtp.gmail.com
+ - SMTP_FROM=vaultwarden@example.de
+ - SMTP_PORT=587
+ - SMTP_SSL=true
+ - SMTP_USERNAME=example@gmail.com
+ - SMTP_PASSWORD=example
+ - DUO_IKEY=example
+ - DUO_SKEY=example
+ - DUO_HOST=example
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - ./data:/data/
+ expose:
+ - 80
+ networks:
+ - proxy
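Review bot: `SMTP_PASSWORD=example`, `DUO_SKEY=example` and `DUO_IKEY=example` are credentials in clear-text compose environment, inconsistent with the `secrets:` + `*_FILE` pattern the Authelia stacks in this commit use; vaultwarden 1.23 does not read `_FILE` variants as far as I know, so move them to an untracked `env_file: .env` and keep only non-secret settings inline. `WEBSOCKET_ENABLED=true` makes vaultwarden serve `/notifications/hub` on port 3012, but only `80` is listed under `expose` and the reverse proxy needs a matching route — add `- 3012` there so the proxy configuration is not guessed. `ADMIN_TOKEN` is absent, which keeps the `/admin` panel disabled; a comment stating that is deliberate would help a reader who later wonders why it is missing.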