First commit

2022-10-25 13:34:44 +02:00 · 2022-10-25 13:34:44 +02:00 · f3b9d45ca9
commit f3b9d45ca9
14 changed files with 1724 additions and 0 deletions
--- a/.docker-compose.yml.swp
+++ b/.docker-compose.yml.swp
--- a/cloud/docker-compose.yml
+++ b/cloud/docker-compose.yml
@ -0,0 +1,66 @@
+version: '3'
+
+services:
+  db:
+    image: postgres:14
+    restart: always
+    container_name: nextcloud_db
+    networks:
+      - internal
+    volumes:
+      - db:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_PASSWORD=nextcloud
+      - POSTGRES_DB=nextcloud
+      - POSTGRES_USER=nextcloud
+
+  nextcloud:
+    image: nextcloud
+    restart: always
+    container_name: nextcloud
+    networks:
+      - proxy
+      - internal
+    depends_on:
+      - db
+    volumes:
+      - nextcloud:/var/www/html
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.middlewares.nextcloud-regex-redirect.redirectregex.permanent=true"
+      - "traefik.http.middlewares.nextcloud-regex-redirect.redirectregex.regex=https://(.*)/.well-known/(card|cal)dav"
+      - "traefik.http.middlewares.nextcloud-regex-redirect.redirectregex.replacement=https://$$1/remote.php/dav/"
+      - "traefik.http.middlewares.nextcloud-headers.headers.frameDeny=true"
+      - "traefik.http.middlewares.nextcloud-headers.headers.sslRedirect=true"
+      - "traefik.http.middlewares.nextcloud-headers.headers.contentTypeNosniff=true"
+      - "traefik.http.middlewares.nextcloud-headers.headers.stsIncludeSubdomains=true"
+      - "traefik.http.middlewares.nextcloud-headers.headers.stsPreload=true"
+      - "traefik.http.middlewares.nextcloud-headers.headers.stsSeconds=31536000"
+      - "traefik.http.middlewares.nextcloud-headers.headers.referrerPolicy=same-origin"
+      - "traefik.http.middlewares.nextcloud-headers.headers.browserXssFilter=true"
+      - "traefik.http.middlewares.nextcloud-headers.headers.customRequestHeaders.X-Forwarded-Proto=https"
+      - "traefik.http.middlewares.nextcloud-headers.headers.customRequestHeaders.X-Robots-Tag=none"
+      - "traefik.http.middlewares.nextcloud-headers.headers.customFrameOptionsValue=SAMEORIGIN"
+      - "traefik.http.routers.nextcloud-secure.entrypoints=https"
+      - "traefik.http.routers.nextcloud-secure.rule=Host(`mycld.mrdev023.fr`)"
+      - "traefik.http.routers.nextcloud-secure.tls=true"
+      - "traefik.http.routers.nextcloud-secure.tls.certresolver=sslResolver"
+      - "traefik.http.routers.nextcloud-secure.middlewares=nextcloud-regex-redirect,nextcloud-headers"
+      # - "traefik.http.routers.nextcloud-secure.service=nextcloud"
+      # - "traefik.http.services.nextcloud.loadbalancer.server.port=9002"
+      - "traefik.docker.network=proxy"
+    environment:
+      - POSTGRES_PASSWORD=nextcloud
+      - POSTGRES_DATABASE=nextcloud
+      - POSTGRES_USER=nextcloud
+      - POSTGRES_HOST=db
+      - OVERWRITEPROTOCOL=https
+
+volumes:
+  nextcloud:
+  db:
+
+networks:
+  internal:
+  proxy:
+    external: true
--- a/config/.gitignore
+++ b/config/.gitignore
@ -0,0 +1 @@
+acme.json
--- a/config/traefik.yml
+++ b/config/traefik.yml
@ -0,0 +1,49 @@
+log:
+  level: DEBUG
+
+api:
+  dashboard: true
+
+accessLog:
+  filePath: "/var/log/traefik/access.log"
+  format: json
+
+entryPoints:
+  http:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: https
+          scheme: https
+  https:
+    address: ":443"
+  metrics:
+    address: ":8080"
+
+metrics:
+  prometheus:
+    entryPoint: metrics
+    buckets:
+      - 0.1
+      - 0.3
+      - 1.2
+      - 5.0
+    addEntryPointsLabels: true
+    addServicesLabels: true
+
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false
+
+certificatesResolvers:
+  sslResolver:
+    acme:
+      email: florian.richer.97@outlook.com
+      tlschallenge: true
+      storage: acme.json
+      keyType: RSA4096
+      #caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
+      httpChallenge:
+        entryPoint: http
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -0,0 +1,113 @@
+version: '3'
+
+services:
+  traefik:
+    image: traefik:latest
+    container_name: traefik
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    networks:
+      - proxy
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./config/traefik.yml:/traefik.yml:ro
+      - ./config/acme.json:/acme.json
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.middlewares.traefik-auth.basicauth.users=mrdev023:$$2y$$05$$t51tXUW6zO9dndSK1JEFS.utJ3th/RYVSgDlouOZhUigjbkTX1zQC$$" 
+      - "traefik.http.middlewares.traefik-stripprefix.stripprefix.prefixes=/traefik"
+      - "traefik.http.routers.traefik-secure.entrypoints=https"
+      - "traefik.http.routers.traefik-secure.rule=Host(`dash.mrdev023.fr`) && (PathPrefix(`/traefik`) || PathPrefix(`/api`))"
+      - "traefik.http.middlewares.tls-rep.redirectregex.permanent=true"
+      - "traefik.http.middlewares.tls-header.headers.SSLRedirect=true"
+      - "traefik.http.middlewares.tls-header.headers.forceSTSHeader=true"
+      - "traefik.http.middlewares.tls-header.headers.STSSeconds=315360000"
+      - "traefik.http.middlewares.tls-header.headers.STSIncludeSubdomains=true"
+      - "traefik.http.middlewares.tls-header.headers.STSPreload=true"
+      - "traefik.http.middlewares.tls-header.headers.browserXSSFilter=true"
+      - "traefik.http.middlewares.tls-header.headers.contentTypeNosniff=true"
+      - "traefik.http.middlewares.tls-header.headers.frameDeny=true"
+      - "traefik.http.middlewares.tls-header.headers.customFrameOptionsValue=SAMEORIGIN"
+      - "traefik.http.middlewares.tls-header.headers.featurePolicy=accelerometer 'none'; ambient-light-sensor 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; usb 'none'; midi 'none'; sync-xhr 'none'; vr 'none'"
+      - "traefik.http.middlewares.tls-header.headers.referrerPolicy=strict-origin-when-cross-origin"
+      - "traefik.http.middlewares.tls-chain.chain.middlewares=tls-rep,tls-header"
+      - "traefik.http.routers.traefik-secure.middlewares=traefik-stripprefix,tls-chain,traefik-auth"
+      - "traefik.http.routers.traefik-secure.tls=true"
+      - "traefik.http.routers.traefik-secure.tls.certresolver=sslResolver"
+      - "traefik.http.routers.traefik-secure.service=api@internal"
+
+  prometheus:
+    image: prom/prometheus:latest
+    restart: unless-stopped
+    container_name: prometheus
+    volumes:
+      - ./prometheus/:/etc/prometheus/
+      - prometheus:/prometheus
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    command:
+      - "--web.route-prefix=/"
+      - "--web.external-url=https://dash.mrdev023.fr/prometheus"
+      - "--config.file=/etc/prometheus/prometheus.yml"
+      - "--storage.tsdb.path=/prometheus"
+      - "--web.console.libraries=/usr/share/prometheus/console_libraries"
+      - "--web.console.templates=/usr/share/prometheus/consoles"
+    networks:
+      - proxy
+      - internal
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.middlewares.prometheus-auth.basicauth.users=mrdev023:$$2y$$05$$t51tXUW6zO9dndSK1JEFS.utJ3th/RYVSgDlouOZhUigjbkTX1zQC$$"
+      - "traefik.http.middlewares.prometheus-stripprefix.stripprefix.prefixes=/prometheus"
+      - "traefik.http.routers.prometheus-secure.entrypoints=https"
+      - "traefik.http.routers.prometheus-secure.rule=Host(`dash.mrdev023.fr`) && PathPrefix(`/prometheus`)"
+      - "traefik.http.routers.prometheus-secure.middlewares=tls-chain,prometheus-stripprefix,prometheus-auth"
+      - "traefik.http.routers.prometheus-secure.tls=true"
+      - "traefik.http.routers.prometheus-secure.tls.certresolver=sslResolver"
+      - "traefik.http.routers.prometheus-secure.service=prometheus"
+      - "traefik.http.services.prometheus.loadbalancer.server.port=9090"
+      - "traefik.docker.network=proxy"
+
+  grafana:
+    image: grafana/grafana:latest
+    restart: unless-stopped
+    container_name: grafana
+    volumes:
+      - grafana:/var/lib/grafana
+      - ./grafana/provisioning:/etc/grafana/provisioning
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    env_file:
+      - grafana.env
+    depends_on:
+      - prometheus
+    networks:
+      - proxy
+      - internal
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.middlewares.grafana-auth.basicauth.users=mrdev023:$$2y$$05$$t51tXUW6zO9dndSK1JEFS.utJ3th/RYVSgDlouOZhUigjbkTX1zQC$$"
+      - "traefik.http.middlewares.grafana-stripprefix.stripprefix.prefixes=/grafana"
+      - "traefik.http.routers.grafana-secure.entrypoints=https"
+      - "traefik.http.routers.grafana-secure.rule=Host(`dash.mrdev023.fr`) && PathPrefix(`/grafana`)"
+      - "traefik.http.routers.grafana-secure.middlewares=tls-chain,grafana-stripprefix,grafana-auth"
+      - "traefik.http.routers.grafana-secure.tls=true"
+      - "traefik.http.routers.grafana-secure.tls.certresolver=http"
+      - "traefik.http.routers.grafana-secure.service=grafana"
+      - "traefik.http.services.grafana.loadbalancer.server.port=3000"
+      - "traefik.docker.network=web"
+
+networks:
+  internal:
+  proxy:
+    external: true
+
+volumes:
+  prometheus:
+  grafana:
--- a/74
+++ b/74
@ -0,0 +1,74 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:          firewall rules
+# Required-Start:    $remote_fs $syslog
+# Required-Stop:     $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Start daemon at boot time
+# Description:       Enable service provided by daemon.
+### END INIT INFO
+
+#Suppression des règles précédentes
+iptables -F
+iptables -X
+
+########
+# DROP #
+########
+
+# Définition du blocage général
+iptables -P INPUT DROP
+iptables -P OUTPUT DROP
+iptables -P FORWARD DROP
+
+# Drop des scans XMAS et NULL
+iptables -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
+iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
+iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+
+##########
+# ACCEPT #
+##########
+
+# Conservations des connexions déjà établies
+iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# Autorisation du loopback (127.0.0.1)
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+
+# Autorisation des échanges avec le serveur DNS (53)
+iptables -A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
+iptables -A INPUT -p udp -m udp --sport 53 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# NTP (123)
+iptables -A INPUT -p udp --sport 123 -j ACCEPT
+iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
+
+# HTTP (80)
+iptables -A INPUT -p tcp --dport 80 -j ACCEPT
+iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
+
+# HTTPS (443)
+iptables -A INPUT -p tcp --dport 443 -j ACCEPT
+iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
+
+# SSH (7943)
+iptables -A INPUT -p tcp --dport 7943 -j ACCEPT
+iptables -A OUTPUT -p tcp --dport 7943 -j ACCEPT
+iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT # ACCEPT SSH OUTPUT LIKE GIT
+
+# ICMP (Ping)
+iptables -A INPUT -p icmp -j ACCEPT
+iptables -A OUTPUT -p icmp -j ACCEPT
+
+# Parer les attaques de type Déni de Service
+iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
+iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT
+iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
+
+# Parer les scans de ports
+iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
--- a/grafana.env
+++ b/grafana.env
@ -0,0 +1,6 @@
+GF_AUTH_ANONYMOUS_ENABLED=true
+GF_AUTH_BASIC_ENABLED=false
+GF_AUTH_PROXY_ENABLED=false
+GF_USERS_ALLOW_SIGN_UP=false
+GF_INSTALL_PLUGINS=grafana-piechart-panel
+GF_SERVER_ROOT_URL=%(protocol)s://%(domain)s:%(http_port)s/grafana
--- a/grafana/provisioning/dashboards/dashboard.yml
+++ b/grafana/provisioning/dashboards/dashboard.yml
@ -0,0 +1,21 @@
+apiVersion: 1
+
+providers:
+  # <string> provider name
+- name: 'default'
+  # <int> org id. will default to orgId 1 if not specified
+  orgId: 1
+  # <string, required> name of the dashboard folder. Required
+  folder: ''
+  # <string> folder UID. will be automatically generated if not specified
+  folderUid: ''
+  # <string, required> provider type. Required
+  type: file
+  # <bool> disable dashboard deletion
+  disableDeletion: false
+  # <bool> enable dashboard editing
+  editable: true
+  # <int> how often Grafana will scan for changed dashboards
+  updateIntervalSeconds: 10
+  options:
+    path: /etc/grafana/provisioning/dashboards
--- a/grafana/provisioning/dashboards/reverse-proxy_rev1.json
+++ b/grafana/provisioning/dashboards/reverse-proxy_rev1.json
--- a/grafana/provisioning/datasources/datasource.yml
+++ b/grafana/provisioning/datasources/datasource.yml
@ -0,0 +1,50 @@
+# config file version
+apiVersion: 1
+
+# list of datasources that should be deleted from the database
+deleteDatasources:
+  - name: Prometheus
+    orgId: 1
+
+# list of datasources to insert/update depending
+# whats available in the database
+datasources:
+  # <string, required> name of the datasource. Required
+- name: Prometheus
+  # <string, required> datasource type. Required
+  type: prometheus
+  # <string, required> access mode. direct or proxy. Required
+  access: proxy
+  # <int> org id. will default to orgId 1 if not specified
+  orgId: 1
+  # <string> url
+  url: http://prometheus:9090
+  # <string> database password, if used
+  password:
+  # <string> database user, if used
+  user:
+  # <string> database name, if used
+  database:
+  # <bool> enable/disable basic auth
+  basicAuth: false
+  # <string> basic auth username
+  basicAuthUser:
+  # <string> basic auth password
+  basicAuthPassword:
+  # <bool> enable/disable with credentials headers
+  withCredentials:
+  # <bool> mark as default datasource. Max one per org
+  isDefault: true
+  # <map> fields that will be converted to json and stored in json_data
+  jsonData:
+     graphiteVersion: "1.1"
+     tlsAuth: false
+     tlsAuthWithCACert: false
+  # <string> json object of data that will be encrypted.
+  secureJsonData:
+    tlsCACert: "..."
+    tlsClientCert: "..."
+    tlsClientKey: "..."
+  version: 1
+  # <bool> allow users to edit datasources from the UI.
+  editable: true
--- a/init.sh
+++ b/init.sh
@ -0,0 +1,6 @@
+#!/bin/bash
+# Must be run as sudo
+
+cp ./firewall /etc/init.d/firewall
+chmod +x /etc/init.d/firewall
+update-rc.d firewall defaults
--- a/prometheus/alert.rules
+++ b/prometheus/alert.rules
@ -0,0 +1,11 @@
+groups:
+- name: traefik
+  rules:
+  - alert: service_down
+    expr: up == 0
+    for: 2m
+    labels:
+      severity: page
+    annotations:
+      summary: "Instance {{ $labels.instance }} down"
+      description: "{{ $labels.instance }} of job {{ $labels.job }} has been down for more than 2 minutes"
--- a/prometheus/prometheus.yml
+++ b/prometheus/prometheus.yml
@ -0,0 +1,12 @@
+global:
+  scrape_interval:     15s
+  evaluation_interval: 15s
+
+rule_files:
+  - 'alert.rules'
+
+scrape_configs:
+  - job_name: 'traefik'
+    scrape_interval: 5s
+    static_configs:
+      - targets: ['traefik:8080']
--- a/whoami/docker-compose.yml
+++ b/whoami/docker-compose.yml
@ -0,0 +1,22 @@
+version: '3'
+
+services: 
+  whoami:
+    image: "containous/whoami"
+    restart: always
+    container_name: "whoami"
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.whoami-secure.entrypoints=https"
+      - "traefik.http.routers.whoami-secure.rule=Host(`whoami.mrdev023.fr`)"
+      - "traefik.http.routers.whoami-secure.tls=true"
+      - "traefik.http.routers.whoami-secure.tls.certresolver=sslResolver"
+      # - "traefik.http.routers.whoami-secure.service=whoami"
+      # - "traefik.http.services.whoami.loadbalancer.server.port=9002"
+      - "traefik.docker.network=proxy"
+
+networks:
+  proxy:
+    external: true