Include compose files

This commit is contained in:
Florian Hoss 2022-06-30 08:20:53 +02:00
parent 4628820aa4
commit a52cdd50cc
19 changed files with 667 additions and 1 deletions


@ -0,0 +1,49 @@
version: "3.9"
networks:
proxy:
external: true
net:
external: false
services:
gitea-db:
image: lscr.io/linuxserver/mariadb:latest
container_name: gitea-db
restart: always
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- MYSQL_ROOT_PASSWORD=root
- MYSQL_DATABASE=db
- MYSQL_USER=user
- MYSQL_PASSWORD=password
volumes:
- ./db:/config
expose:
- 3306
networks:
- net
gitea:
image: gitea/gitea:1.15
container_name: gitea
restart: always
depends_on:
- gitea-db
environment:
- USER_UID=1000
- USER_GID=1000
- DISABLE_REGISTRATION=true
- SHOW_REGISTRATION_BUTTOM=false
- GITEA__log__LEVEL=error
volumes:
- ./data:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/locatime:ro
expose:
- 3000
networks:
- net
- proxy
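Review bot: The database credentials are literals in a committed compose file (`MYSQL_ROOT_PASSWORD=root`, `MYSQL_PASSWORD=password` in the `gitea-db` environment), and the same defaults recur in the hedgedoc-db and nextcloud-db sections of this commit; the authelia service later in the commit already uses `secrets:` with `*_FILE` variables, and the linuxserver images document a `FILE__` variable prefix for the same purpose, so an `env_file:` kept out of the repository or a secret file would be consistent with the rest of the change. Two typos also affect behaviour: `/etc/localtime:/etc/locatime:ro` mounts the host timezone file at a path nothing reads, and `SHOW_REGISTRATION_BUTTOM=false` cannot match the Gitea `SHOW_REGISTRATION_BUTTON` setting (confirm the exact env var name the image accepts). Proposed lines: `- /etc/localtime:/etc/localtime:ro` and `- SHOW_REGISTRATION_BUTTON=false`.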


@ -0,0 +1,60 @@
version: "3.9"
networks:
proxy:
external: true
net:
external: false
services:
hedgedoc-db:
image: lscr.io/linuxserver/mariadb:latest
container_name: hedgedoc-db
restart: always
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- MYSQL_ROOT_PASSWORD=root
- MYSQL_DATABASE=db
- MYSQL_USER=user
- MYSQL_PASSWORD=password
volumes:
- ./db:/config
expose:
- 3306
networks:
- net
hedgedoc:
image: lscr.io/linuxserver/hedgedoc:latest
container_name: hedgedoc
restart: always
depends_on:
- hedgedoc-db
environment:
- PGID=1000
- PUID=1000
- TZ=Europe/Berlin
- CMD_DB_HOST=hedgedoc-db
- CMD_DB_USERNAME=user
- CMD_DB_PASSWORD=password
- CMD_DB_NAME=db
- CMD_DB_PORT=3306
- CMD_DOMAIN=pad.example.de
- CMD_PROTOCOL_USESSL=true
- CMD_ALLOW_FREEURL=true
- CMD_ALLOW_PDF_EXPORT=true
- CMD_ALLOW_ANONYMOUS=false
- CMD_ALLOW_ANONYMOUS_EDITS=true
- CMD_ALLOW_EMAIL_REGISTER=false
- CMD_LOGLEVEL=warn
- CMD_SESSION_SECRET=example
volumes:
- ./config:/config
- ./uploads:/opt/hedgedoc/public/uploads
expose:
- 3000
networks:
- net
- proxy


@ -0,0 +1,51 @@
<?php
$CONFIG = array (
'memcache.local' => '\\OC\\Memcache\\Redis',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'memcache.distributed' => '\\OC\\Memcache\\Redis',
'redis' =>
array (
'host' => 'nextcloud-redis',
'port' => 6379,
),
'datadirectory' => '/data',
'instanceid' => 'example',
'passwordsalt' => 'example',
'secret' => 'example',
'trusted_proxies' =>
array (
0 => 'swag',
),
'trusted_domains' =>
array (
0 => 'cloud.example.de',
),
'dbtype' => 'mysql',
'version' => '22.2.3.0',
'overwriteprotocol' => 'https',
'overwritehost' => 'cloud.example.de',
'overwrite.cli.url' => 'https://cloud.example.de',
'dbname' => 'db',
'dbhost' => 'nextcloud-db',
'dbport' => '',
'dbtableprefix' => 'oc_',
'mysql.utf8mb4' => true,
'dbuser' => 'user',
'dbpassword' => 'password',
'installed' => true,
'default_phone_region' => 'DE',
'maintenance' => false,
'mail_smtpmode' => 'smtp',
'mail_smtpsecure' => 'tls',
'mail_sendmailmode' => 'smtp',
'mail_smtpauthtype' => 'LOGIN',
'mail_smtpauth' => 1,
'mail_smtphost' => 'smtp.gmail.com',
'mail_smtpport' => '587',
'mail_from_address' => 'nextcloud',
'mail_domain' => 'example.de',
'mail_smtpname' => 'example@gmail.com',
'mail_smtppassword' => 'example',
'theme' => '',
'loglevel' => 2,
);
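Review bot: `'trusted_proxies'` lists the container name `swag`; as far as I know Nextcloud matches this setting against IP addresses and CIDR ranges rather than resolving hostnames, in which case `X-Forwarded-For` from the proxy is ignored and every request is logged and rate-limited under the proxy's address — verify against the Nextcloud admin documentation and, if so, use the CIDR range of the `net` network instead. The `'secret'`, `'passwordsalt'` and `'instanceid'` placeholders and the committed `'mail_smtppassword'` are values the installer normally generates per instance; a header comment such as `// example config: regenerate secret/passwordsalt/instanceid and fill SMTP credentials before use` would stop a copy of this file from going live with shared values.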


@ -0,0 +1,57 @@
version: "3.9"
networks:
proxy:
external: true
net:
external: false
volumes:
redis:
services:
nextcloud-redis:
image: redis:latest
container_name: nextcloud-redis
restart: always
volumes:
- redis:/data
networks:
- net
nextcloud-db:
image: lscr.io/linuxserver/mariadb:latest
container_name: nextcloud-db
restart: always
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- MYSQL_ROOT_PASSWORD=root
- MYSQL_DATABASE=db
- MYSQL_USER=user
- MYSQL_PASSWORD=password
volumes:
- ./db:/config
networks:
- net
nextcloud:
image: lscr.io/linuxserver/nextcloud:latest
container_name: nextcloud
restart: always
depends_on:
- nextcloud-db
- nextcloud-redis
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
volumes:
- ./config:/config
- ./data:/data
expose:
- 443
networks:
- net
- proxy


@ -0,0 +1,16 @@
...
https: {
key: require("fs").readFileSync('/privkey.pem'),
cert: require("fs").readFileSync('/cert.pem')
},
...
requireHttps: true,
...
webSocketNodeVerifyClient: function(info) {
return (info.origin == "https://www.example.de" && info.secure == true);
},
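Review bot: `webSocketNodeVerifyClient` checks the browser-supplied `Origin` header, which is the right mitigation for cross-site WebSocket hijacking, but the excerpt shows no `adminAuth` block, so the editor itself is only as protected as whatever sits in front of port 1880 — confirm the proxy enforces authentication for it. Use strict comparison while you are there: `return info.origin === "https://www.example.de" && info.secure === true;`. The key and certificate are read once with `readFileSync`, so a certificate renewed by swag is only picked up after a container restart; the surrounding settings object starts and ends outside this excerpt.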


@ -0,0 +1,24 @@
version: "3.9"
networks:
proxy:
external: true
services:
node-red:
image: nodered/node-red:latest
container_name: node-red
restart: always
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
volumes:
- ./data:/data
- /opt/docker/proxy/swag/keys/letsencrypt/privkey.pem:/privkey.pem:ro
- /opt/docker/proxy/swag/keys/letsencrypt/fullchain.pem:/cert.pem:ro
user: "0"
expose:
- 1880
networks:
- proxy
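Review bot: `user: "0"` runs Node-RED as root, apparently only so the process can read the swag private key mounted at `/privkey.pem`; a compromised flow or contributed node then has root inside the container. Granting the key's group read access on the host, or copying it into a location owned by the node-red user via a renewal hook, would let `user: "0"` be dropped. The `PUID`/`PGID` variables are linuxserver conventions and I do not believe the `nodered/node-red` image acts on them — verify, and if so remove them so the file does not suggest the container runs unprivileged.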


@ -45,7 +45,7 @@ services:
sharelatex-redis:
restart: unless-stopped
image: redis:latest
image: redis:6.2.6
container_name: sharelatex-redis
networks:
- net


@ -0,0 +1,4 @@
#!/bin/bash
docker exec sharelatex tlmgr update --self
docker exec sharelatex tlmgr update --all
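Review bot: The script continues to `tlmgr update --all` even when `tlmgr update --self` fails, and a non-zero exit from either `docker exec` is not propagated to the caller; add `set -euo pipefail` directly after the shebang so the script stops at, and reports, the first failure.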


@ -0,0 +1,3 @@
## How to generate password hash for user_database.yml
```docker run authelia/authelia:latest authelia hash-password 'yourpassword'```


@ -0,0 +1,71 @@
server:
host: 0.0.0.0
port: 9091
server:
read_buffer_size: 4096
write_buffer_size: 4096
path: "authelia"
log:
level: warn
theme: dark
default_redirection_url: https://example.de
totp:
issuer: authelia.com
duo_api:
hostname: example
integration_key: example
authentication_backend:
disable_reset_password: true
file:
path: /config/users_database.yml
password:
algorithm: argon2id
iterations: 1
salt_length: 16
parallelism: 8
memory: 64
access_control:
default_policy: deny
rules:
- domain: ["example1.example.de"]
resources:
- "^/ping.*$"
policy: bypass
- domain: ["example1.example.de", "example2.example.de"]
policy: two_factor
- domain: ["example3.example.de"]
resources:
- "^/admin(.*)?$"
policy: two_factor
session:
name: authelia_session
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
domain: example.de
regulation:
max_retries: 3
find_time: 120
ban_time: 300
storage:
local:
path: /config/db.sqlite3
ntp:
address: "ntp1.hetzner.com:123"
version: 3
max_desync: 3s
disable_startup_check: false
disable_failure: false
notifier:
smtp:
username: example@gmail.com
host: smtp.gmail.com
port: 465
sender: example@gmail.com
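Review bot: The `bypass` rule uses `^/ping.*$`, which matches any path that merely starts with `/ping` (`/pingadmin`, `/ping-internal`), not only the health endpoint, so the unauthenticated surface on `example1.example.de` is wider than the rule suggests; `- "^/ping(/.*)?$"` or `- "^/ping$"` pins it to the endpoint. Under `ntp`, `disable_startup_check: false` together with `disable_failure: false` means Authelia refuses to start while `ntp1.hetzner.com:123` is unreachable or the clock is skewed — the safe choice for TOTP, but worth recording with a comment such as `# fail closed on clock skew; TOTP validation depends on accurate time`.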


@ -0,0 +1,7 @@
users:
exampleUser:
displayname: "Example User"
password: "$argon2id$v=19$m=65536$3oc26byQuSkQqksq$zM1QiTvVPrMfV6BVLs2t4gM+af5IN7euO0VB6+Q8ZFs"
email: example@example.com
groups:
- admins
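Review bot: The hash committed for `exampleUser` looks like a published example hash rather than one generated for this deployment, and the user is placed in `admins`; a deployment that copies this file unchanged has an administrative account whose password is not under the operator's control. The identical entry is repeated in the second users_database.yml in this commit. A header comment such as `# replace exampleUser before deploying; generate hashes with: authelia hash-password` would make the file self-documenting (the README added in this commit already shows the command).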


@ -0,0 +1,73 @@
version: "3.9"
networks:
proxy:
external: true
net:
external: false
secrets:
jwt:
file: ./secrets/authelia_jwt
duo:
file: ./secrets/authelia_duo
session:
file: ./secrets/authelia_session
storage:
file: ./secrets/authelia_storage
smtp:
file: ./secrets/authelia_smtp
services:
authelia:
image: authelia/authelia:latest
container_name: authelia
restart: always
secrets:
- jwt
- duo
- session
- storage
- smtp
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- AUTHELIA_JWT_SECRET_FILE=/run/secrets/jwt
- AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/duo
- AUTHELIA_SESSION_SECRET_FILE=/run/secrets/session
- AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/smtp
- AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/storage
volumes:
- /etc/localtime:/etc/localtime:ro
- ./authelia:/config
expose:
- 9091
networks:
- net
healthcheck:
disable: true
swag:
image: lscr.io/linuxserver/swag:latest
container_name: swag
restart: always
cap_add:
- NET_ADMIN
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- URL=fhoss.de
- VALIDATION=dns
- SUBDOMAINS=wildcard
- DNSPLUGIN=hetzner
- ONLY_SUBDOMAINS=true
volumes:
- ./swag:/config
ports:
- "443:443"
- "80:80"
networks:
- net
- proxy
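Review bot: `URL=fhoss.de` on the `swag` service is a concrete domain whereas every other file in this commit uses `example.de` / `example.com` placeholders; if these files are meant as templates, `URL=example.de` keeps the real deployment out of the repository. The `secrets:` block references `./secrets/authelia_*` files, which must stay out of version control — no ignore rule is visible in this commit, so confirm one exists. `cap_add: NET_ADMIN` on swag is presumably for the image's bundled fail2ban; a comment `# NET_ADMIN: needed by the bundled fail2ban` would record why the capability is granted.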


@ -0,0 +1,3 @@
## How to generate password hash for user_database.yml
```docker run authelia/authelia:latest authelia hash-password 'yourpassword'```


@ -0,0 +1,49 @@
server:
host: 0.0.0.0
port: 9091
log:
level: warn
theme: dark
default_redirection_url: https://example.com
totp:
issuer: authelia.com
authentication_backend:
file:
path: /config/users_database.yml
password:
algorithm: argon2id
iterations: 1
salt_length: 16
parallelism: 8
memory: 64
access_control:
default_policy: deny
rules:
- domain: [ two.example.com ]
policy: two_factor
- domain: [ one.example.com ]
policy: one_factor
session:
name: authelia_session
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
domain: example.com
regulation:
max_retries: 3
find_time: 120
ban_time: 300
storage:
local:
path: /config/db.sqlite3
notifier:
smtp:
username: example@example.com
host: smtp.gmail.com
port: 465
sender: example@example.com
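Review bot: This configuration has no `duo_api` block, yet the companion compose file sets `AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/duo`; Authelia may reject a secret for an unconfigured section at startup or silently ignore it — verify which, and either add `duo_api:` with `hostname` and `integration_key` as the first configuration.yml in this commit does, or drop the `duo` secret from that compose file. `issuer: authelia.com` is what users see in their TOTP app; `issuer: example.com` (matching `session.domain`) avoids presenting the site as a third party.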


@ -0,0 +1,7 @@
users:
exampleUser:
displayname: "Example User"
password: "$argon2id$v=19$m=65536$3oc26byQuSkQqksq$zM1QiTvVPrMfV6BVLs2t4gM+af5IN7euO0VB6+Q8ZFs"
email: example@example.com
groups:
- admins


@ -0,0 +1,76 @@
version: "3.9"
networks:
proxy:
external: true
monitor:
external: true
secrets:
inwx_username:
file: ./secrets/inwx_username
inwx_password:
file: ./secrets/inwx_password
jwt:
file: ./secrets/authelia_jwt
duo:
file: ./secrets/authelia_duo
session:
file: ./secrets/authelia_session
storage:
file: ./secrets/authelia_storage
smtp:
file: ./secrets/authelia_smtp
services:
authelia:
image: authelia/authelia:4
container_name: authelia
secrets:
- jwt
- duo
- session
- storage
- smtp
environment:
- TZ=Europe/Berlin
- AUTHELIA_JWT_SECRET_FILE=/run/secrets/jwt
- AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/duo
- AUTHELIA_SESSION_SECRET_FILE=/run/secrets/session
- AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/smtp
- AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/storage
healthcheck:
disable: true
volumes:
- ./authelia:/config
restart: always
expose:
- 9091
networks:
- proxy
traefik:
image: traefik:2.5
container_name: traefik
restart: always
security_opt:
- no-new-privileges:true
ports:
- "80:80"
- "443:443"
secrets:
- inwx_username
- inwx_password
environment:
- TZ=Europe/Berlin
- INWX_USERNAME_FILE=/run/secrets/inwx_username
- INWX_PASSWORD_FILE=/run/secrets/inwx_password
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./traefik/traefik.toml:/traefik.toml:ro
- ./traefik/inwx.json:/inwx.json
- ./traefik/config.toml:/config.toml
networks:
- proxy
- monitor
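Review bot: `/var/run/docker.sock:/var/run/docker.sock:ro` is mounted into traefik, but the static configuration in this commit only declares a `file` provider, so the socket is unused; a read-only bind mount still allows full API calls to the daemon, so removing that line takes host control out of reach of a compromised proxy. The mounts also look mismatched with the configuration files: `./traefik/traefik.toml` and `./traefik/config.toml` are mounted, while the static config references `filename: /config.yml` and both Traefik configs in this commit are written in YAML — Traefik chooses the parser by file extension, so confirm the real filenames and mount the dynamic file as `- ./traefik/config.yml:/config.yml:ro` (only `inwx.json`, the ACME store, needs to be writable).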


@ -0,0 +1,57 @@
tls:
options:
default:
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
curvePreferences:
- CurveP521
- CurveP384
sniStrict: true
http:
routers:
traefik:
rule: "Host(`proxy.example.com`)"
middlewares:
- authelia
- secHeaders
tls:
certResolver: inwx
service: api@internal
authelia:
rule: "Host(`auth.example.com`)"
middlewares:
- secHeaders
tls:
certResolver: inwx
service: authelia
middlewares:
secHeaders:
headers:
browserXssFilter: true
contentTypeNosniff: true
frameDeny: true
sslRedirect: true
forceSTSHeader: true
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: 31536000
customFrameOptionsValue: "SAMEORIGIN"
customRequestHeaders:
X-Forwarded-Proto: https
authelia:
forwardAuth:
address: "http://authelia:9091/api/verify?rd=https://auth.example.com"
services:
authelia:
loadBalancer:
servers:
- url: "http://authelia:9091"
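Review bot: In the `secHeaders` middleware `frameDeny: true` and `customFrameOptionsValue: "SAMEORIGIN"` contradict each other; Traefik lets the custom value override `frameDeny`, so the effective header is `X-Frame-Options: SAMEORIGIN` and the `frameDeny` line is misleading — keep one of them deliberately (`frameDeny: true` alone if nothing needs to frame these sites). `curvePreferences` lists only `CurveP521` and `CurveP384`, leaving out `X25519` and `CurveP256`; that does not add security and may cost client compatibility, so confirm it is intended. The `forwardAuth` middleware sets no `authResponseHeaders`, so `Remote-User`/`Remote-Groups` from Authelia are not forwarded upstream — fine for the dashboard, but worth a comment if other services will reuse the middleware.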


@ -0,0 +1,28 @@
api:
dashboard: true
entryPoints:
http:
address: ":80"
http:
redirections:
entryPoint:
to: https
scheme: https
https:
address: ":443"
serversTransport:
insecureSkipVerify: true
providers:
file:
filename: /config.yml
certificatesResolvers:
inwx:
acme:
email: example@example.com
storage: inwx.json
dnsChallenge:
provider: inwx
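Review bot: `serversTransport.insecureSkipVerify: true` disables certificate verification for every backend Traefik talks to, while the only backend in the dynamic config is `http://authelia:9091`, plain HTTP, where the setting has no effect; leave it out of the global transport and, when an HTTPS backend with a self-signed certificate is added, define a named entry under `http.serversTransports` for that service only. `api.dashboard: true` is acceptable because the dynamic config guards the `api@internal` router with the `authelia` middleware; a comment `# dashboard is reachable only via the traefik router, which requires authelia` next to it records that dependency.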


@ -0,0 +1,31 @@
version: "3.9"
networks:
proxy:
external: true
services:
vaultwarden:
image: vaultwarden/server:1.23.0
container_name: vaultwarden
restart: always
environment:
- DOMAIN=https://vw.example.de
- SIGNUPS_ALLOWED=false
- WEBSOCKET_ENABLED=true
- SMTP_HOST=smtp.gmail.com
- SMTP_FROM=vaultwarden@example.de
- SMTP_PORT=587
- SMTP_SSL=true
- SMTP_USERNAME=example@gmail.com
- SMTP_PASSWORD=example
- DUO_IKEY=example
- DUO_SKEY=example
- DUO_HOST=example
volumes:
- /etc/localtime:/etc/localtime:ro
- ./data:/data/
expose:
- 80
networks:
- proxy
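Review bot: `SMTP_PASSWORD`, `DUO_SKEY` and `DUO_IKEY` are plain `environment` entries in a committed compose file, unlike the authelia and traefik services in this commit, which read their credentials from `secrets:`; an `env_file:` pointing at a file kept out of the repository keeps them out of history, and Docker secrets would be better still if the image offers a `_FILE` variant for these variables (not verified for vaultwarden). `WEBSOCKET_ENABLED=true` with only port 80 exposed assumes the proxy also reaches the websocket port; confirm the proxy configuration covers it.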