florian.richer/myserver-configuration
1
0
Fork 0
Code Issues 1 Activity

move all confs

Browse source
This commit is contained in:
Florian RICHER 2023-05-02 18:38:04 +02:00
parent f46c445b8d
commit 8e2ccd309d
No known key found for this signature in database
GPG key ID: 6BF27BF8A1E71623
50 changed files with 350 additions and 350 deletions
Download patch file Download diff file Expand all files Collapse all files

21
confs/affine/docker-compose.yml Normal file
View file

@ -0,0 +1,21 @@
version: '3'
services:
affine:
image: ghcr.io/toeverything/affine:nightly-server-latest
restart: always
container_name: affine
networks:
- proxy
labels:
- "traefik.enable=true"
- "traefik.http.routers.affine-secure.entrypoints=https"
- "traefik.http.routers.affine-secure.rule=Host(`affine.mrdev023.fr`)"
- "traefik.http.routers.affine-secure.tls=true"
- "traefik.http.routers.affine-secure.tls.certresolver=sslResolver"
- "traefik.http.services.affine-secure.loadbalancer.server.port=3000"
- "traefik.docker.network=proxy"
networks:
proxy:
external: true

2
confs/cloud/cron.sh Executable file
View file

@ -0,0 +1,2 @@
#!/bin/sh
docker-compose exec -T nextcloud su - www-data -s /bin/bash -c 'php -f /var/www/html/cron.php'

70
confs/cloud/docker-compose.yml Normal file
View file

@ -0,0 +1,70 @@
version: '3'
services:
db:
image: postgres:14
restart: always
container_name: nextcloud_db
networks:
- internal
volumes:
- db:/var/lib/postgresql/data
environment:
- POSTGRES_PASSWORD=nextcloud
- POSTGRES_DB=nextcloud
- POSTGRES_USER=nextcloud
nextcloud:
image: nextcloud
restart: always
container_name: nextcloud
networks:
- proxy
- protonmail
- internal
depends_on:
- db
volumes:
- nextcloud:/var/www/html
labels:
- "traefik.enable=true"
- "traefik.http.middlewares.nextcloud-compress.compress=true"
- "traefik.http.middlewares.nextcloud-regex-redirect.redirectregex.permanent=true"
- "traefik.http.middlewares.nextcloud-regex-redirect.redirectregex.regex=https://(.*)/.well-known/(card|cal)dav"
- "traefik.http.middlewares.nextcloud-regex-redirect.redirectregex.replacement=https://$$1/remote.php/dav/"
- "traefik.http.middlewares.nextcloud-headers.headers.frameDeny=true"
- "traefik.http.middlewares.nextcloud-headers.headers.sslRedirect=true"
- "traefik.http.middlewares.nextcloud-headers.headers.contentTypeNosniff=true"
- "traefik.http.middlewares.nextcloud-headers.headers.stsIncludeSubdomains=true"
- "traefik.http.middlewares.nextcloud-headers.headers.stsPreload=true"
- "traefik.http.middlewares.nextcloud-headers.headers.stsSeconds=31536000"
- "traefik.http.middlewares.nextcloud-headers.headers.referrerPolicy=same-origin"
- "traefik.http.middlewares.nextcloud-headers.headers.browserXssFilter=true"
- "traefik.http.middlewares.nextcloud-headers.headers.customRequestHeaders.X-Forwarded-Proto=https"
- "traefik.http.middlewares.nextcloud-headers.headers.customRequestHeaders.X-Robots-Tag=none"
- "traefik.http.middlewares.nextcloud-headers.headers.customFrameOptionsValue=SAMEORIGIN"
- "traefik.http.routers.nextcloud-secure.entrypoints=https"
- "traefik.http.routers.nextcloud-secure.rule=Host(`mycld.mrdev023.fr`)"
- "traefik.http.routers.nextcloud-secure.tls=true"
- "traefik.http.routers.nextcloud-secure.tls.certresolver=sslResolver"
- "traefik.http.routers.nextcloud-secure.middlewares=nextcloud-compress,nextcloud-regex-redirect,nextcloud-headers"
# - "traefik.http.routers.nextcloud-secure.service=nextcloud"
# - "traefik.http.services.nextcloud.loadbalancer.server.port=9002"
- "traefik.docker.network=proxy"
environment:
- POSTGRES_PASSWORD=nextcloud
- POSTGRES_DATABASE=nextcloud
- POSTGRES_USER=nextcloud
- POSTGRES_HOST=db
- OVERWRITEPROTOCOL=https
volumes:
nextcloud:
db:
networks:
internal:
proxy:
external: true
protonmail:
external: true

3
confs/dolibarr/.gitignore vendored Normal file
View file

@ -0,0 +1,3 @@
dolibarr/
dump/
mysql/

46
confs/dolibarr/docker-compose.yml Normal file
View file

@ -0,0 +1,46 @@
version: '3'
services:
mariadb:
image: mariadb:latest
environment:
MYSQL_ROOT_PASSWORD: root
MYSQL_DATABASE: dolibarr
volumes:
- ./mysql/data:/var/lib/mysql
- ./dump:/root/dump
networks:
- internal
dolibarr:
image: upshift/dolibarr:latest
restart: always
container_name: dolibarr
environment:
DOLI_DB_HOST: mariadb
DOLI_DB_USER: root
DOLI_DB_PASSWORD: root
DOLI_DB_NAME: dolibarr
DOLI_URL_ROOT: 'http://0.0.0.0'
DOLI_ADMIN_LOGIN: admin
DOLI_ADMIN_PASSWORD: admin
PHP_INI_date.timezone: 'Europe/Paris'
DOLI_INSTALL_AUTO: 1
volumes:
- ./dolibarr/documents:/var/www/documents
- ./dolibarr/html:/var/www/html
networks:
- proxy
- internal
labels:
- "traefik.enable=true"
- "traefik.http.routers.dolibarr-secure.entrypoints=https"
- "traefik.http.routers.dolibarr-secure.rule=Host(`dolibarr.mrdev023.fr`)"
- "traefik.http.routers.dolibarr-secure.tls=true"
- "traefik.http.routers.dolibarr-secure.tls.certresolver=sslResolver"
- "traefik.docker.network=proxy"
networks:
internal:
proxy:
external: true

26
confs/home_assistant/docker-compose.yml Normal file
View file

@ -0,0 +1,26 @@
version: '3'
services:
home_assistant:
image: homeassistant/home-assistant
restart: always
container_name: home_assistant
environment:
- TZ=Europe/Paris
volumes:
- home_assistant_config:/config
- /etc/localtime:/etc/localtime:ro
network_mode: host
expose:
- 8123
labels:
- "traefik.enable=true"
- "traefik.http.routers.homeassistant-secure.entrypoints=https"
- "traefik.http.routers.homeassistant-secure.rule=Host(`domo.mrdev023.fr`)"
- "traefik.http.routers.homeassistant-secure.tls=true"
- "traefik.http.routers.homeassistant-secure.tls.certresolver=sslResolver"
# - "traefik.http.routers.homeassistant-secure.service=homeassistant"
- "traefik.http.services.homeassistant.loadbalancer.server.port=8123"
volumes:
home_assistant_config:

66
confs/matrix/docker-compose.yaml Normal file
View file

@ -0,0 +1,66 @@
version: '3'
services:
postgres:
image: postgres:latest
restart: unless-stopped
networks:
- internal
volumes:
- db:/var/lib/postgresql/data
environment:
- POSTGRES_DB=synapse
- POSTGRES_USER=synapse
- POSTGRES_PASSWORD=WRyu2kuArNjRxojstqpg7EfcoUP9zoka
- POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
synapse:
image: matrixdotorg/synapse:latest
restart: unless-stopped
ports:
- 8448:8448
networks:
- internal
- proxy
volumes:
- matrix:/data
labels:
- "traefik.enable=true"
- "traefik.http.routers.matrix-secure.entrypoints=https"
- "traefik.http.routers.matrix-secure.rule=Host(`matrix.mrdev023.fr`)"
- "traefik.http.routers.matrix-secure.tls=true"
- "traefik.http.routers.matrix-secure.tls.certresolver=sslResolver"
- "traefik.port=8008"
- "traefik.docker.network=proxy"
well-kwown:
image: nginx:latest
restart: unless-stopped
networks:
- internal
- proxy
volumes:
- ./nginx/matrix.conf:/etc/nginx/conf.d/matrix.conf
- ./nginx/www:/var/www/
labels:
- "traefik.enable=true"
- "traefik.http.middlewares.cors-headers.headers.accessControlAllowOriginList=*"
- "traefik.http.middlewares.cors-headers.headers.accessControlAllowHeaders=Origin, X-Requested-With, Content-Type, Accept, Authorization"
- "traefik.http.middlewares.cors-headers.headers.accessControlAllowMethods=GET, POST, PUT, DELETE, OPTIONS"
- "traefik.http.routers.matrix-wellknown.rule=Host(`matrix.mrdev023.fr`) && PathPrefix(`/.well-known/matrix`)"
- "traefik.http.routers.matrix-wellknown.tls=true"
- "traefik.http.routers.matrix-wellknown.tls.certresolver=sslResolver"
- "traefik.http.routers.matrix-wellknown.middlewares=cors-headers@docker"
- "traefik.docker.network=proxy"
volumes:
db:
web:
matrix:
networks:
internal:
proxy:
external: true

17
confs/matrix/nginx/matrix.conf Normal file
View file

@ -0,0 +1,17 @@
server {
listen 80 default_server;
server_name matrix.mrdev023.fr;
# Traefik -> nginx -> synapse
location /_matrix {
proxy_pass http://synapse:8008;
proxy_set_header X-Forwarded-For $remote_addr;
client_max_body_size 128m;
}
location /.well-known/matrix/ {
root /var/www/;
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
}

5
confs/matrix/nginx/www/.well-known/matrix/client Normal file
View file

@ -0,0 +1,5 @@
{
"m.homeserver": {
"base_url": "https://matrix.mrdev023.fr"
}
}

3
confs/matrix/nginx/www/.well-known/matrix/server Normal file
View file

@ -0,0 +1,3 @@
{
"m.server": "matrix.mrdev023.fr:443"
}

50
confs/n8n/docker-compose.yml Normal file
View file

@ -0,0 +1,50 @@
version: '3'
services:
db:
image: postgres:14
restart: always
container_name: n8n_db
networks:
- internal
volumes:
- db:/var/lib/postgresql/data
environment:
- POSTGRES_PASSWORD=n8n
- POSTGRES_DB=n8n
- POSTGRES_USER=n8n
n8n:
image: n8nio/n8n
restart: always
container_name: n8n
networks:
- internal
- proxy
volumes:
- n8n:/home/node/.n8n
labels:
- "traefik.enable=true"
- "traefik.http.routers.n8n-secure.entrypoints=https"
- "traefik.http.routers.n8n-secure.rule=Host(`n8n.mrdev023.fr`)"
- "traefik.http.routers.n8n-secure.tls=true"
- "traefik.http.routers.n8n-secure.tls.certresolver=sslResolver"
# - "traefik.http.routers.whoami-secure.service=whoami"
# - "traefik.http.services.whoami.loadbalancer.server.port=9002"
- "traefik.docker.network=proxy"
environment:
- DB_TYPE=postgresdb
- DB_POSTGRESDB_PORT=5432
- DB_POSTGRESDB_HOST=db
- DB_POSTGRESDB_DATABASE=n8n
- DB_POSTGRESDB_USER=n8n
- DB_POSTGRESDB_PASSWORD=n8n
volumes:
n8n:
db:
networks:
internal:
proxy:
external: true

72
confs/outline/docker-compose.yml Normal file
View file

@ -0,0 +1,72 @@
version: "3"
services:
outline:
image: outlinewiki/outline
env_file: ./docker.env
depends_on:
- postgres
- redis
- storage
networks:
- proxy
labels:
- "traefik.enable=true"
- "traefik.http.routers.outline-secure.entrypoints=https"
- "traefik.http.routers.outline-secure.rule=Host(`outline.mrdev023.fr`)"
- "traefik.http.routers.outline-secure.tls=true"
- "traefik.http.routers.outline-secure.tls.certresolver=sslResolver"
- "traefik.http.services.whoami.loadbalancer.server.port=3000"
- "traefik.docker.network=proxy"
redis:
image: redis
env_file: ./docker.env
volumes:
- ./redis.conf:/redis.conf
command: ["redis-server", "/redis.conf"]
healthcheck:
test: ["CMD", "redis-cli", "ping"]
interval: 10s
timeout: 30s
retries: 3
postgres:
image: postgres
env_file: ./docker.env
volumes:
- database-data:/var/lib/postgresql/data
healthcheck:
test: ["CMD", "pg_isready"]
interval: 30s
timeout: 20s
retries: 3
environment:
POSTGRES_USER: 'user'
POSTGRES_PASSWORD: 'pass'
POSTGRES_DB: 'outline'
storage:
image: minio/minio
env_file: ./docker.env
entrypoint: sh
command: -c 'minio server'
deploy:
restart_policy:
condition: on-failure
volumes:
- storage-data:/data
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
interval: 30s
timeout: 20s
retries: 3
volumes:
https-portal-data:
storage-data:
database-data:
networks:
proxy:
external: true

96
confs/penpot/config.env Normal file
View file

@ -0,0 +1,96 @@
## Should be set to the public domain where penpot is going to be served.
##
## NOTE: If you are going to serve it under different domain than
## 'localhost' without HTTPS, consider setting the
## `disable-secure-session-cookies' flag on the 'PENPOT_FLAGS'
## setting.
PENPOT_PUBLIC_URI=https://penpot.mrdev023.fr
## Feature flags.
PENPOT_FLAGS=disable-registration disable-demo-users enable-login disable-email-verification
## Temporal workaround because of bad builtin default
PENPOT_HTTP_SERVER_HOST=0.0.0.0
## Standard database connection parameters (only postgresql is supported):
PENPOT_DATABASE_URI=postgresql://penpot-postgres/penpot
PENPOT_DATABASE_USERNAME=penpot
PENPOT_DATABASE_PASSWORD=penpot
## Redis is used for the websockets notifications.
PENPOT_REDIS_URI=redis://penpot-redis/0
## By default, files uploaded by users are stored in local
## filesystem. But it can be configured to store in AWS S3.
PENPOT_ASSETS_STORAGE_BACKEND=assets-fs
PENPOT_STORAGE_ASSETS_FS_DIRECTORY=/opt/data/assets
## Telemetry. When enabled, a periodical process will send anonymous
## data about this instance. Telemetry data will enable us to learn on
## how the application is used, based on real scenarios. If you want
## to help us, please leave it enabled.
PENPOT_TELEMETRY_ENABLED=true
## Email sending configuration. By default, emails are printed in the
## console, but for production usage is recommended to setup a real
## SMTP provider. Emails are used to confirm user registrations.
PENPOT_SMTP_DEFAULT_FROM=no-reply@example.com
PENPOT_SMTP_DEFAULT_REPLY_TO=no-reply@example.com
# PENPOT_SMTP_HOST=
# PENPOT_SMTP_PORT=
# PENPOT_SMTP_USERNAME=
# PENPOT_SMTP_PASSWORD=
# PENPOT_SMTP_TLS=true
# PENPOT_SMTP_SSL=false
## Comma separated list of allowed domains to register. Empty to allow
## all.
# PENPOT_REGISTRATION_DOMAIN_WHITELIST=""
## Authentication providers
## Google
# PENPOT_GOOGLE_CLIENT_ID=
# PENPOT_GOOGLE_CLIENT_SECRET=
## GitHub
# PENPOT_GITHUB_CLIENT_ID=
# PENPOT_GITHUB_CLIENT_SECRET=
## GitLab
# PENPOT_GITLAB_BASE_URI=https://gitlab.com
# PENPOT_GITLAB_CLIENT_ID=
# PENPOT_GITLAB_CLIENT_SECRET=
## OpenID Connect (since 1.5.0)
# PENPOT_OIDC_BASE_URI=
# PENPOT_OIDC_CLIENT_ID=
# PENPOT_OIDC_CLIENT_SECRET=
## LDAP
##
## NOTE: to enable ldap, you will need to put 'enable-login-with-ldap'
## on the 'PENPOT_FLAGS' environment variable.
# PENPOT_LDAP_HOST=ldap
# PENPOT_LDAP_PORT=10389
# PENPOT_LDAP_SSL=false
# PENPOT_LDAP_STARTTLS=false
# PENPOT_LDAP_BASE_DN=ou=people,dc=planetexpress,dc=com
# PENPOT_LDAP_BIND_DN=cn=admin,dc=planetexpress,dc=com
# PENPOT_LDAP_BIND_PASSWORD=GoodNewsEveryone
# PENPOT_LDAP_ATTRS_USERNAME=uid
# PENPOT_LDAP_ATTRS_EMAIL=mail
# PENPOT_LDAP_ATTRS_FULLNAME=cn

78
confs/penpot/docker-compose.yml Normal file
View file

@ -0,0 +1,78 @@
version: '3.5'
services:
penpot-frontend:
image: 'penpotapp/frontend:latest'
restart: always
volumes:
- penpot_assets_data:/opt/data
env_file:
- config.env
depends_on:
- penpot-backend
- penpot-exporter
labels:
- "traefik.enable=true"
- "traefik.http.routers.penpot-secure.entrypoints=https"
- "traefik.http.routers.penpot-secure.rule=Host(`penpot.mrdev023.fr`)"
- "traefik.http.routers.penpot-secure.tls=true"
- "traefik.http.routers.penpot-secure.tls.certresolver=sslResolver"
# - "traefik.http.routers.whoami-secure.service=whoami"
# - "traefik.http.services.whoami.loadbalancer.server.port=9002"
- "traefik.docker.network=proxy"
networks:
- internal
- proxy
penpot-backend:
image: 'penpotapp/backend:latest'
restart: always
volumes:
- penpot_assets_data:/opt/data
depends_on:
- penpot-postgres
- penpot-redis
env_file:
- config.env
networks:
- internal
penpot-exporter:
image: 'penpotapp/exporter:latest'
restart: always
env_file:
- config.env
environment:
# Don't touch it; this uses internal docker network to
# communicate with the frontend.
- PENPOT_PUBLIC_URI=http://penpot-frontend
networks:
- internal
penpot-postgres:
image: 'postgres:14'
restart: always
environment:
- POSTGRES_INITDB_ARGS=--data-checksums
- POSTGRES_DB=penpot
- POSTGRES_USER=penpot
- POSTGRES_PASSWORD=penpot
volumes:
- penpot_postgres_data:/var/lib/postgresql/data
networks:
- internal
penpot-redis:
image: redis:7
restart: always
networks:
- internal
volumes:
penpot_postgres_data:
penpot_assets_data:
networks:
internal:
proxy:
external: true

31
confs/pihole/docker-compose.yml Normal file
View file

@ -0,0 +1,31 @@
version: "3"
services:
pihole:
container_name: pihole
image: pihole/pihole:latest
networks:
- proxy
ports:
- "53:53/tcp"
- "53:53/udp"
environment:
TZ: 'Europe/Paris'
DNSMASQ_LISTENING: 'all'
WEBPASSWORD: 'ad89wahdw9d'
volumes:
- './etc-pihole:/etc/pihole'
- './etc-dnsmasq.d:/etc/dnsmasq.d'
labels:
- "traefik.enable=true"
- "traefik.http.routers.pihole-secure.entrypoints=https"
- "traefik.http.routers.pihole-secure.rule=Host(`pihole.mrdev023.fr`)"
- "traefik.http.routers.pihole-secure.tls=true"
- "traefik.http.routers.pihole-secure.tls.certresolver=http"
- "traefik.http.services.pihole.loadbalancer.server.port=80"
- "traefik.docker.network=proxy"
restart: always
networks:
proxy:
external: true

37
confs/pihole/etc-dnsmasq.d/01-pihole.conf Normal file
View file

@ -0,0 +1,37 @@
# Pi-hole: A black hole for Internet advertisements
# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
# Network-wide ad blocking via your own hardware.
#
# Dnsmasq config for Pi-hole's FTLDNS
#
# This file is copyright under the latest version of the EUPL.
# Please see LICENSE file for your rights under this license.
###############################################################################
# FILE AUTOMATICALLY POPULATED BY PI-HOLE INSTALL/UPDATE PROCEDURE. #
# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
# #
# IF YOU WISH TO CHANGE THE UPSTREAM SERVERS, CHANGE THEM IN: #
# /etc/pihole/setupVars.conf #
# #
# ANY OTHER CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE #
# WITHIN /etc/dnsmasq.d/yourname.conf #
###############################################################################
addn-hosts=/etc/pihole/local.list
addn-hosts=/etc/pihole/custom.list
localise-queries
no-resolv
log-queries
log-facility=/var/log/pihole/pihole.log
log-async
cache-size=10000
server=8.8.8.8
server=8.8.4.4
except-interface=nonexisting

42
confs/pihole/etc-dnsmasq.d/06-rfc6761.conf Normal file
View file

@ -0,0 +1,42 @@
# Pi-hole: A black hole for Internet advertisements
# (c) 2021 Pi-hole, LLC (https://pi-hole.net)
# Network-wide ad blocking via your own hardware.
#
# RFC 6761 config file for Pi-hole
#
# This file is copyright under the latest version of the EUPL.
# Please see LICENSE file for your rights under this license.
###############################################################################
# FILE AUTOMATICALLY POPULATED BY PI-HOLE INSTALL/UPDATE PROCEDURE. #
# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
# #
# CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE #
# WITHIN /etc/dnsmasq.d/yourname.conf #
###############################################################################
# RFC 6761: Caching DNS servers SHOULD recognize
# test, localhost, invalid
# names as special and SHOULD NOT attempt to look up NS records for them, or
# otherwise query authoritative DNS servers in an attempt to resolve these
# names.
server=/test/
server=/localhost/
server=/invalid/
# The same RFC requests something similar for
# 10.in-addr.arpa. 21.172.in-addr.arpa. 27.172.in-addr.arpa.
# 16.172.in-addr.arpa. 22.172.in-addr.arpa. 28.172.in-addr.arpa.
# 17.172.in-addr.arpa. 23.172.in-addr.arpa. 29.172.in-addr.arpa.
# 18.172.in-addr.arpa. 24.172.in-addr.arpa. 30.172.in-addr.arpa.
# 19.172.in-addr.arpa. 25.172.in-addr.arpa. 31.172.in-addr.arpa.
# 20.172.in-addr.arpa. 26.172.in-addr.arpa. 168.192.in-addr.arpa.
# Pi-hole implements this via the dnsmasq option "bogus-priv" (see
# 01-pihole.conf) because this also covers IPv6.
# OpenWRT furthermore blocks bind, local, onion domains
# see https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob_plain;f=package/network/services/dnsmasq/files/rfc6761.conf;hb=HEAD
# and https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
# We do not include the ".local" rule ourselves, see https://github.com/pi-hole/pi-hole/pull/4282#discussion_r689112972
server=/bind/
server=/onion/

1
confs/pihole/etc-pihole/adlists.list Normal file
View file

@ -0,0 +1 @@
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

0
confs/pihole/etc-pihole/custom.list Normal file
View file

0
confs/pihole/etc-pihole/dhcp.leases Normal file
View file

9
confs/pihole/etc-pihole/dns-servers.conf Normal file
View file

@ -0,0 +1,9 @@
Google (ECS, DNSSEC);8.8.8.8;8.8.4.4;2001:4860:4860:0:0:0:0:8888;2001:4860:4860:0:0:0:0:8844
OpenDNS (ECS, DNSSEC);208.67.222.222;208.67.220.220;2620:119:35::35;2620:119:53::53
Level3;4.2.2.1;4.2.2.2;;
Comodo;8.26.56.26;8.20.247.20;;
DNS.WATCH (DNSSEC);84.200.69.80;84.200.70.40;2001:1608:10:25:0:0:1c04:b12f;2001:1608:10:25:0:0:9249:d69b
Quad9 (filtered, DNSSEC);9.9.9.9;149.112.112.112;2620:fe::fe;2620:fe::9
Quad9 (unfiltered, no DNSSEC);9.9.9.10;149.112.112.10;2620:fe::10;2620:fe::fe:10
Quad9 (filtered, ECS, DNSSEC);9.9.9.11;149.112.112.11;2620:fe::11;2620:fe::fe:11
Cloudflare (DNSSEC);1.1.1.1;1.0.0.1;2606:4700:4700::1111;2606:4700:4700::1001

BIN
confs/pihole/etc-pihole/gravity.db Normal file
View file

Binary file not shown.

BIN
confs/pihole/etc-pihole/gravity_old.db Normal file
View file

Binary file not shown.

165578
confs/pihole/etc-pihole/list.1.raw.githubusercontent.com.domains Normal file
View file

File diff suppressed because it is too large Load diff

1
confs/pihole/etc-pihole/list.1.raw.githubusercontent.com.domains.sha1 Normal file
View file

@ -0,0 +1 @@
ff54f3730e1efafd13cb49a132e3c41f4b2f7437 /etc/pihole/list.1.raw.githubusercontent.com.domains

16839
confs/pihole/etc-pihole/list.2.raw.githubusercontent.com.domains Normal file
View file

File diff suppressed because it is too large Load diff

1
confs/pihole/etc-pihole/list.2.raw.githubusercontent.com.domains.sha1 Normal file
View file

@ -0,0 +1 @@
1caf2c98a1a2a147544eb5e023679eb0beed8f2a /etc/pihole/list.2.raw.githubusercontent.com.domains

1
confs/pihole/etc-pihole/local.list Normal file
View file

@ -0,0 +1 @@
### Do not modify this file, it will be overwritten by pihole -g

21
confs/pihole/etc-pihole/logrotate Normal file
View file

@ -0,0 +1,21 @@
/var/log/pihole/pihole.log {
su root root
daily
copytruncate
rotate 5
compress
delaycompress
notifempty
nomail
}
/var/log/pihole/FTL.log {
su root root
weekly
copytruncate
rotate 3
compress
delaycompress
notifempty
nomail
}

1
confs/pihole/etc-pihole/macvendor.db Symbolic link
View file

@ -0,0 +1 @@
/macvendor.db

1
confs/pihole/etc-pihole/migration_backup/adlists.list Normal file
View file

@ -0,0 +1 @@
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

3
confs/pihole/etc-pihole/pihole-FTL.conf Normal file
View file

@ -0,0 +1,3 @@
#; Pi-hole FTL config file
#; Comments should start with #; to avoid issues with PHP and bash reading this file
LOCAL_IPV4=0.0.0.0

BIN
confs/pihole/etc-pihole/pihole-FTL.db Normal file
View file

Binary file not shown.

8
confs/pihole/etc-pihole/setupVars.conf Normal file
View file

@ -0,0 +1,8 @@
INSTALL_WEB_INTERFACE=true
WEBPASSWORD=3bbfdf71e1f0cb5be7f470af136acbd9c44821f1bf44a1c55b38b7f68d85ffe7
PIHOLE_DNS_1=8.8.8.8
PIHOLE_DNS_2=8.8.4.4
PIHOLE_INTERFACE=eth0
QUERY_LOGGING=true
BLOCKING_ENABLED=true
DNSMASQ_LISTENING=all

8
confs/pihole/etc-pihole/setupVars.conf.update.bak Normal file
View file

@ -0,0 +1,8 @@
INSTALL_WEB_INTERFACE=true
WEBPASSWORD=3bbfdf71e1f0cb5be7f470af136acbd9c44821f1bf44a1c55b38b7f68d85ffe7
PIHOLE_DNS_1=8.8.8.8
PIHOLE_DNS_2=8.8.4.4
PIHOLE_INTERFACE=eth0
QUERY_LOGGING=true
BLOCKING_ENABLED=true
DNSMASQ_LISTENING=all

11
confs/pihole/etc-pihole/versions Normal file
View file

@ -0,0 +1,11 @@
CORE_BRANCH=master
WEB_BRANCH=master
FTL_BRANCH=master
CORE_VERSION=v5.13-0-g17779ba
WEB_VERSION=v5.16-0-gc2afe42
FTL_VERSION=v5.18.2
DOCKER_VERSION=2022.10
GITHUB_CORE_VERSION=v5.14.2
GITHUB_WEB_VERSION=v5.18
GITHUB_FTL_VERSION=v5.20
GITHUB_DOCKER_VERSION=2022.12.1

11
confs/prometheus/alert.rules Normal file
View file

@ -0,0 +1,11 @@
groups:
- name: traefik
rules:
- alert: service_down
expr: up == 0
for: 2m
labels:
severity: page
annotations:
summary: "Instance {{ $labels.instance }} down"
description: "{{ $labels.instance }} of job {{ $labels.job }} has been down for more than 2 minutes"

12
confs/prometheus/prometheus.yml Normal file
View file

@ -0,0 +1,12 @@
global:
scrape_interval: 15s
evaluation_interval: 15s
rule_files:
- 'alert.rules'
scrape_configs:
- job_name: 'traefik'
scrape_interval: 5s
static_configs:
- targets: ['traefik:8080']

18
confs/protonmail/docker-compose.yml Normal file
View file

@ -0,0 +1,18 @@
version: '3'
services:
protonmail-bridge:
image: shenxn/protonmail-bridge
restart: always
container_name: protonmail-bridge
networks:
- protonmail
volumes:
- protonmail:/root
volumes:
protonmail:
networks:
protonmail:
external: true

2
confs/protonmail/init.sh Executable file
View file

@ -0,0 +1,2 @@
#!/bin/sh
docker-compose run protonmail-bridge init

29
confs/rhasspy/docker-compose.yml Normal file
View file

@ -0,0 +1,29 @@
version: '3'
services:
rhasspy:
image: rhasspy/rhasspy
restart: always
container_name: rhasspy
volumes:
- rhasspy_profiles:/profiles
- /etc/localtime:/etc/localtime:ro
networks:
- proxy
labels:
- "traefik.enable=true"
- "traefik.http.routers.rhasspy-secure.entrypoints=https"
- "traefik.http.routers.rhasspy-secure.rule=Host(`rhasspy.mrdev023.fr`)"
- "traefik.http.routers.rhasspy-secure.tls=true"
- "traefik.http.routers.rhasspy-secure.tls.certresolver=sslResolver"
# - "traefik.http.routers.rhasspy-secure.service=rhasspy"
- "traefik.http.services.rhasspy.loadbalancer.server.port=12101"
- "traefik.docker.network=proxy"
command: --user-profiles /profiles --profile fr
volumes:
rhasspy_profiles:
networks:
proxy:
external: true

2
confs/traefik/config/.gitignore vendored Normal file
View file

@ -0,0 +1,2 @@
acme.json
acme.json*

1
confs/traefik/config/dynamic_conf.yaml Normal file
View file

@ -0,0 +1 @@
http: {}

51
confs/traefik/config/traefik.yml Normal file
View file

@ -0,0 +1,51 @@
log:
level: DEBUG
api:
dashboard: true
accessLog:
filePath: "/var/log/traefik/access.log"
format: json
entryPoints:
http:
address: ":80"
http:
redirections:
entryPoint:
to: https
scheme: https
https:
address: ":443"
metrics:
address: ":8080"
metrics:
prometheus:
entryPoint: metrics
buckets:
- 0.1
- 0.3
- 1.2
- 5.0
addEntryPointsLabels: true
addServicesLabels: true
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
http:
endpoint: "http://http_provider/dynamic_conf.yaml"
certificatesResolvers:
sslResolver:
acme:
email: florian.richer.97@outlook.com
tlschallenge: {}
storage: acme.json
keyType: RSA4096
#caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
httpChallenge:
entryPoint: http

126
confs/traefik/docker-compose.yml Normal file
View file

@ -0,0 +1,126 @@
version: '3'
services:
traefik:
image: traefik:latest
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
- providers
- proxy
ports:
- 80:80
- 443:443
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./config/traefik.yml:/traefik.yml:ro
- ./config/acme.json:/acme.json:rw
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
extra_hosts:
- "host.docker.internal:host-gateway"
labels:
- "traefik.enable=true"
- "traefik.http.middlewares.traefik-auth.basicauth.users=mrdev023:$$2y$$05$$t51tXUW6zO9dndSK1JEFS.utJ3th/RYVSgDlouOZhUigjbkTX1zQC$$"
- "traefik.http.middlewares.traefik-stripprefix.stripprefix.prefixes=/traefik"
- "traefik.http.routers.traefik-secure.entrypoints=https"
- "traefik.http.routers.traefik-secure.rule=Host(`dash.mrdev023.fr`) && (PathPrefix(`/traefik`) || PathPrefix(`/api`))"
- "traefik.http.middlewares.tls-rep.redirectregex.permanent=true"
- "traefik.http.middlewares.tls-header.headers.SSLRedirect=true"
- "traefik.http.middlewares.tls-header.headers.forceSTSHeader=true"
- "traefik.http.middlewares.tls-header.headers.STSSeconds=315360000"
- "traefik.http.middlewares.tls-header.headers.STSIncludeSubdomains=true"
- "traefik.http.middlewares.tls-header.headers.STSPreload=true"
- "traefik.http.middlewares.tls-header.headers.browserXSSFilter=true"
- "traefik.http.middlewares.tls-header.headers.contentTypeNosniff=true"
- "traefik.http.middlewares.tls-header.headers.frameDeny=true"
- "traefik.http.middlewares.tls-header.headers.customFrameOptionsValue=SAMEORIGIN"
- "traefik.http.middlewares.tls-header.headers.featurePolicy=accelerometer 'none'; ambient-light-sensor 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; usb 'none'; midi 'none'; sync-xhr 'none'; vr 'none'"
- "traefik.http.middlewares.tls-header.headers.referrerPolicy=strict-origin-when-cross-origin"
- "traefik.http.middlewares.tls-chain.chain.middlewares=tls-rep,tls-header"
- "traefik.http.routers.traefik-secure.middlewares=traefik-stripprefix,tls-chain,traefik-auth"
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.traefik-secure.tls.certresolver=sslResolver"
- "traefik.http.routers.traefik-secure.service=api@internal"
prometheus:
image: prom/prometheus:latest
restart: unless-stopped
container_name: prometheus
volumes:
- ./prometheus/:/etc/prometheus/
- prometheus:/prometheus
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
command:
- "--web.route-prefix=/"
- "--web.external-url=https://dash.mrdev023.fr/prometheus"
- "--config.file=/etc/prometheus/prometheus.yml"
- "--storage.tsdb.path=/prometheus"
- "--web.console.libraries=/usr/share/prometheus/console_libraries"
- "--web.console.templates=/usr/share/prometheus/consoles"
networks:
- proxy
- internal
labels:
- "traefik.enable=true"
- "traefik.http.middlewares.prometheus-auth.basicauth.users=mrdev023:$$2y$$05$$t51tXUW6zO9dndSK1JEFS.utJ3th/RYVSgDlouOZhUigjbkTX1zQC$$"
- "traefik.http.middlewares.prometheus-stripprefix.stripprefix.prefixes=/prometheus"
- "traefik.http.routers.prometheus-secure.entrypoints=https"
- "traefik.http.routers.prometheus-secure.rule=Host(`dash.mrdev023.fr`) && PathPrefix(`/prometheus`)"
- "traefik.http.routers.prometheus-secure.middlewares=tls-chain,prometheus-stripprefix,prometheus-auth"
- "traefik.http.routers.prometheus-secure.tls=true"
- "traefik.http.routers.prometheus-secure.tls.certresolver=sslResolver"
- "traefik.http.routers.prometheus-secure.service=prometheus"
- "traefik.http.services.prometheus.loadbalancer.server.port=9090"
- "traefik.docker.network=proxy"
grafana:
image: grafana/grafana:latest
restart: unless-stopped
container_name: grafana
volumes:
- grafana:/var/lib/grafana
- ./grafana/provisioning:/etc/grafana/provisioning
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
env_file:
- grafana.env
depends_on:
- prometheus
networks:
- proxy
- internal
labels:
- "traefik.enable=true"
- "traefik.http.middlewares.grafana-auth.basicauth.users=mrdev023:$$2y$$05$$t51tXUW6zO9dndSK1JEFS.utJ3th/RYVSgDlouOZhUigjbkTX1zQC$$"
- "traefik.http.middlewares.grafana-stripprefix.stripprefix.prefixes=/grafana"
- "traefik.http.routers.grafana-secure.entrypoints=https"
- "traefik.http.routers.grafana-secure.rule=Host(`dash.mrdev023.fr`) && PathPrefix(`/grafana`)"
- "traefik.http.routers.grafana-secure.middlewares=tls-chain,grafana-stripprefix,grafana-auth"
- "traefik.http.routers.grafana-secure.tls=true"
- "traefik.http.routers.grafana-secure.tls.certresolver=http"
- "traefik.http.routers.grafana-secure.service=grafana"
- "traefik.http.services.grafana.loadbalancer.server.port=3000"
- "traefik.docker.network=proxy"
http_provider:
image: httpd:latest
restart: unless-stopped
container_name: http_provider
networks:
- internal
- providers
volumes:
- ./config/dynamic_conf.yaml:/usr/local/apache2/htdocs/dynamic_conf.yaml
networks:
providers:
internal:
proxy:
external: true
volumes:
prometheus:
grafana:

6
confs/traefik/grafana.env Normal file
View file

@ -0,0 +1,6 @@
GF_AUTH_ANONYMOUS_ENABLED=true
GF_AUTH_BASIC_ENABLED=false
GF_AUTH_PROXY_ENABLED=false
GF_USERS_ALLOW_SIGN_UP=false
GF_INSTALL_PLUGINS=grafana-piechart-panel
GF_SERVER_ROOT_URL=%(protocol)s://%(domain)s:%(http_port)s/grafana

21
confs/traefik/grafana/provisioning/dashboards/dashboard.yml Normal file
View file

@ -0,0 +1,21 @@
apiVersion: 1
providers:
# <string> provider name
- name: 'default'
# <int> org id. will default to orgId 1 if not specified
orgId: 1
# <string, required> name of the dashboard folder. Required
folder: ''
# <string> folder UID. will be automatically generated if not specified
folderUid: ''
# <string, required> provider type. Required
type: file
# <bool> disable dashboard deletion
disableDeletion: false
# <bool> enable dashboard editing
editable: true
# <int> how often Grafana will scan for changed dashboards
updateIntervalSeconds: 10
options:
path: /etc/grafana/provisioning/dashboards

1293
confs/traefik/grafana/provisioning/dashboards/reverse-proxy_rev1.json Normal file
View file

File diff suppressed because it is too large Load diff

50
confs/traefik/grafana/provisioning/datasources/datasource.yml Normal file
View file

@ -0,0 +1,50 @@
# config file version
apiVersion: 1
# list of datasources that should be deleted from the database
deleteDatasources:
- name: Prometheus
orgId: 1
# list of datasources to insert/update depending
# whats available in the database
datasources:
# <string, required> name of the datasource. Required
- name: Prometheus
# <string, required> datasource type. Required
type: prometheus
# <string, required> access mode. direct or proxy. Required
access: proxy
# <int> org id. will default to orgId 1 if not specified
orgId: 1
# <string> url
url: http://prometheus:9090
# <string> database password, if used
password:
# <string> database user, if used
user:
# <string> database name, if used
database:
# <bool> enable/disable basic auth
basicAuth: false
# <string> basic auth username
basicAuthUser:
# <string> basic auth password
basicAuthPassword:
# <bool> enable/disable with credentials headers
withCredentials:
# <bool> mark as default datasource. Max one per org
isDefault: true
# <map> fields that will be converted to json and stored in json_data
jsonData:
graphiteVersion: "1.1"
tlsAuth: false
tlsAuthWithCACert: false
# <string> json object of data that will be encrypted.
secureJsonData:
tlsCACert: "..."
tlsClientCert: "..."
tlsClientKey: "..."
version: 1
# <bool> allow users to edit datasources from the UI.
editable: true

22
confs/whoami/docker-compose.yml Normal file
View file

@ -0,0 +1,22 @@
version: '3'
services:
whoami:
image: "containous/whoami"
restart: always
container_name: "whoami"
networks:
- proxy
labels:
- "traefik.enable=true"
- "traefik.http.routers.whoami-secure.entrypoints=https"
- "traefik.http.routers.whoami-secure.rule=Host(`whoami.mrdev023.fr`)"
- "traefik.http.routers.whoami-secure.tls=true"
- "traefik.http.routers.whoami-secure.tls.certresolver=sslResolver"
# - "traefik.http.routers.whoami-secure.service=whoami"
# - "traefik.http.services.whoami.loadbalancer.server.port=9002"
- "traefik.docker.network=proxy"
networks:
proxy:
external: true