Jeff Clement 8 months ago
parent fb80d49edb
commit 3980282e40
Signed by: jclement
GPG Key ID: 3BCB43A3F0E1D7DA
  1. 25
      dashboard/docker-compose.yml
  2. 20
      linkding/docker-compose.yml
  3. 47
      miniflux/docker-compose.yml
  4. 54
      monica/docker-compose.yml
  5. 196
      privatebin/conf.php
  6. 23
      privatebin/docker-compose.yml
  7. 17
      syncthing/docker-compose.yml
  8. 5
      traefik/README.md
  9. 0
      traefik/acme.json
  10. 26
      traefik/docker-compose.yml
  11. 54
      traefik/traefik-dynamic.yml
  12. 38
      traefik/traefik.yml
  13. 28
      upload/docker-compose.yml
  14. 18
      whoami/docker-compose.yml

@ -0,0 +1,25 @@
version: '3'
services:
flame:
image: pawelmalak/flame:multiarch
volumes:
- data:/app/data
ports:
- 127.0.0.1:5005:5005
environment:
- PASSWORD=changeme
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.routers.flame.entrypoints=websecure"
- "traefik.http.routers.flame.rule=Host(`dash.erraticbits.ca`)"
- "traefik.http.routers.flame.tls.certresolver=lets-encr"
volumes:
data:
networks:
default:
external:
name: traefik_net
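Review bot: `PASSWORD=changeme` under `environment` commits a literal Flame admin password to the repository; move it to the untracked `.env` file and make Compose fail when it is missing, `- PASSWORD=${FLAME_PASSWORD:?set FLAME_PASSWORD in .env}`. The same hard-coded credential pattern appears in miniflux (`ADMIN_PASSWORD`, `POSTGRES_PASSWORD`, and the password embedded in `DATABASE_URL`) and monica (`MYSQL_PASSWORD=secret`). Separately, `pawelmalak/flame:multiarch` is a moving tag, as are the `latest` and untagged images in the other compose files, so a routine `docker compose pull` silently changes what runs; pinning a version tag (or a digest) makes upgrades deliberate and reviewable.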

@ -0,0 +1,20 @@
version: '3'
services:
linkding:
image: sissbruecker/linkding:latest
volumes:
- "data:/etc/linkding/data"
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.routers.linkding.entrypoints=websecure"
- "traefik.http.routers.linkding.rule=Host(`links.erraticbits.ca`)"
- "traefik.http.routers.linkding.tls.certresolver=lets-encr"
volumes:
data:
networks:
default:
name: traefik_net
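Review bot: The `default` network here carries only `name: traefik_net` and no `external: true`, unlike the dashboard, traefik and upload files, so Compose treats `traefik_net` as a network this project owns and will try to create it on `up` and remove it on `down`, rather than join the one the traefik stack already created. Marking it external keeps ownership with traefik: `default:` / `external: true` / `name: traefik_net`. It is also worth checking that a `name:` key under a network is accepted with `version: '3'` — the v3 file reference introduced it in 3.5; the Go-based `docker compose` ignores `version`, but the legacy `docker-compose` may reject it.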

@ -0,0 +1,47 @@
version: '3.4'
services:
miniflux:
image: miniflux/miniflux:latest
restart: always
depends_on:
- db
environment:
- DATABASE_URL=postgres://miniflux:changemetoo@db/miniflux?sslmode=disable
- RUN_MIGRATIONS=1
- CREATE_ADMIN=1
- ADMIN_USERNAME=admin
- ADMIN_PASSWORD=changeme
- BASE_URL=https://news.erraticbits.ca
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik_net"
- "traefik.http.routers.miniflux.entrypoints=websecure"
- "traefik.http.routers.miniflux.rule=Host(`news.erraticbits.ca`)"
- "traefik.http.routers.miniflux.tls.certresolver=lets-encr"
networks:
- traefik_net
- backend
db:
image: postgres:latest
restart: always
environment:
- POSTGRES_USER=miniflux
- POSTGRES_PASSWORD=changemetoo
volumes:
- miniflux-db:/var/lib/postgresql/data
healthcheck:
test: ["CMD", "pg_isready", "-U", "miniflux"]
interval: 10s
start_period: 30s
networks:
- backend
volumes:
miniflux-db:
networks:
backend:
traefik_net:
external: true
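Review bot: `depends_on: - db` only orders container start, so on first boot miniflux (with `RUN_MIGRATIONS=1`) may open its connection before Postgres is accepting them; the `healthcheck` defined on `db` is unused until the dependency is written as `depends_on:` / `db:` / `condition: service_healthy` (honoured by `docker compose` v2 despite the `version: '3.4'` header). The database password is also written twice (`changemetoo` inside `DATABASE_URL` and again in `POSTGRES_PASSWORD`), so the two can drift and both sit in git; `${MINIFLUX_DB_PASSWORD:?}` in both places keeps them in sync and out of the repository. Finally, `postgres:latest` will eventually jump a major version, at which point the server refuses to start on the existing `miniflux-db` data directory; pin a major version tag so that upgrade is done on purpose.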

@ -0,0 +1,54 @@
version: "3.4"
services:
app:
image: monica
depends_on:
- db
environment:
- APP_KEY=
- APP_ENV=production
- APP_URL=https://crm.erraticbits.ca
- DB_HOST=db
- MAIL_DRIVER=smtp
- MAIL_HOST=smtp.mailgun.org
- MAIL_USERNAME=
- MAIL_PASSWORD=
- MAIL_FROM_ADDRESS=
- MAIL_PORT=587
volumes:
- data:/var/www/html/storage
restart: always
networks:
- backend
- traefik_net
labels:
- "traefik.enable=true"
- "traefik.http.routers.monica.entrypoints=websecure"
- "traefik.docker.network=traefik_net"
- "traefik.http.routers.monica.rule=Host(`crm.erraticbits.ca`)"
- "traefik.http.routers.monica.tls.certresolver=lets-encr"
db:
image: mysql:5.7
networks:
- backend
environment:
- MYSQL_RANDOM_ROOT_PASSWORD=true
- MYSQL_DATABASE=monica
- MYSQL_USER=homestead
- MYSQL_PASSWORD=secret
volumes:
- mysql:/var/lib/mysql
restart: always
volumes:
data:
mysql:
networks:
backend:
traefik_net:
external: true
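Review bot: `APP_KEY=` is left empty while `APP_ENV=production`, and the `app` service sets only `DB_HOST=db`, so it appears to rely on the image's built-in defaults matching `MYSQL_USER=homestead` / `MYSQL_PASSWORD=secret` on the `db` side. Make both explicit and sourced from the environment so a missing key or a credential mismatch fails at `compose up` instead of at runtime: `- APP_KEY=${MONICA_APP_KEY:?}` and `- DB_PASSWORD=${MONICA_DB_PASSWORD:?}` (plus `DB_USERNAME`), mirrored by `MYSQL_PASSWORD=${MONICA_DB_PASSWORD:?}` on `db`. The empty `MAIL_USERNAME`/`MAIL_PASSWORD`/`MAIL_FROM_ADDRESS` look like the same fill-in-later placeholders and deserve the same treatment. `mysql:5.7` reached end of life in October 2023; if this is a fresh deployment, start on a supported tag before there is data to migrate.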

@ -0,0 +1,196 @@
;<?php http_response_code(403); /*
; config file for PrivateBin
;
; An explanation of each setting can be find online at https://github.com/PrivateBin/PrivateBin/wiki/Configuration.
[main]
; (optional) set a project name to be displayed on the website
name = "ErraticBin"
; The full URL, with the domain name and directories that point to the PrivateBin files
; This URL is essential to allow Opengraph images to be displayed on social networks
; basepath = ""
; enable or disable the discussion feature, defaults to true
discussion = true
; preselect the discussion feature, defaults to false
opendiscussion = false
; enable or disable the password feature, defaults to true
password = true
; enable or disable the file upload feature, defaults to false
fileupload = true
; preselect the burn-after-reading feature, defaults to false
burnafterreadingselected = false
; which display mode to preselect by default, defaults to "plaintext"
; make sure the value exists in [formatter_options]
defaultformatter = "plaintext"
; (optional) set a syntax highlighting theme, as found in css/prettify/
; syntaxhighlightingtheme = "sons-of-obsidian"
; size limit per paste or comment in bytes, defaults to 10 Mebibytes
sizelimit = 10485760
; template to include, default is "bootstrap" (tpl/bootstrap.php)
template = "bootstrap"
; (optional) info text to display
; use single, instead of double quotes for HTML attributes
;info = "More information on the <a href='https://privatebin.info/'>project page</a>."
; (optional) notice to display
; notice = "Note: This is a test service: Data may be deleted anytime. Kittens will die if you abuse this service."
; by default PrivateBin will guess the visitors language based on the browsers
; settings. Optionally you can enable the language selection menu, which uses
; a session cookie to store the choice until the browser is closed.
languageselection = false
; set the language your installs defaults to, defaults to English
; if this is set and language selection is disabled, this will be the only language
; languagedefault = "en"
; (optional) URL shortener address to offer after a new paste is created
; it is suggested to only use this with self-hosted shorteners as this will leak
; the pastes encryption key
; urlshortener = "https://shortener.example.com/api?link="
; (optional) Let users create a QR code for sharing the paste URL with one click.
; It works both when a new paste is created and when you view a paste.
; qrcode = true
; (optional) IP based icons are a weak mechanism to detect if a comment was from
; a different user when the same username was used in a comment. It might be
; used to get the IP of a non anonymous comment poster if the server salt is
; leaked and a SHA256 HMAC rainbow table is generated for all (relevant) IPs.
; Can be set to one these values: "none" / "vizhash" / "identicon" (default).
; icon = "none"
; Content Security Policy headers allow a website to restrict what sources are
; allowed to be accessed in its context. You need to change this if you added
; custom scripts from third-party domains to your templates, e.g. tracking
; scripts or run your site behind certain DDoS-protection services.
; Check the documentation at https://content-security-policy.com/
; Notes:
; - If you use a bootstrap theme, you can remove the allow-popups from the
; sandbox restrictions.
; - By default this disallows to load images from third-party servers, e.g. when
; they are embedded in pastes. If you wish to allow that, you can adjust the
; policy here. See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-it-load-embedded-images
; for details.
; - The 'unsafe-eval' is used in two cases; to check if the browser supports
; async functions and display an error if not and for Chrome to enable
; webassembly support (used for zlib compression). You can remove it if Chrome
; doesn't need to be supported and old browsers don't need to be warned.
; cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"
; stay compatible with PrivateBin Alpha 0.19, less secure
; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of
; sha256 in HMAC for the deletion token
; zerobincompatibility = false
; Enable or disable the warning message when the site is served over an insecure
; connection (insecure HTTP instead of HTTPS), defaults to true.
; Secure transport methods like Tor and I2P domains are automatically whitelisted.
; It is **strongly discouraged** to disable this.
; See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-it-show-me-an-error-about-an-insecure-connection for more information.
; httpwarning = true
; Pick compression algorithm or disable it. Only applies to pastes/comments
; created after changing the setting.
; Can be set to one these values: "none" / "zlib" (default).
; compression = "zlib"
[expire]
; expire value that is selected per default
; make sure the value exists in [expire_options]
default = "1week"
[expire_options]
; Set each one of these to the number of seconds in the expiration period,
; or 0 if it should never expire
5min = 300
10min = 600
1hour = 3600
1day = 86400
1week = 604800
; Well this is not *exactly* one month, it's 30 days:
1month = 2592000
1year = 31536000
never = 0
[formatter_options]
; Set available formatters, their order and their labels
plaintext = "Plain Text"
syntaxhighlighting = "Source Code"
markdown = "Markdown"
[traffic]
; time limit between calls from the same IP address in seconds
; Set this to 0 to disable rate limiting.
limit = 10
; (optional) Set IPs addresses (v4 or v6) or subnets (CIDR) which are exempted
; from the rate-limit. Invalid IPs will be ignored. If multiple values are to
; be exempted, the list needs to be comma separated. Leave unset to disable
; exemptions.
; exempted = "1.2.3.4,10.10.10/24"
; (optional) If you want only some source IP addresses (v4 or v6) or subnets
; (CIDR) to be allowed to create pastes, set these here. Invalid IPs will be
; ignored. If multiple values are to be exempted, the list needs to be comma
; separated. Leave unset to allow anyone to create pastes.
; creators = "1.2.3.4,10.10.10/24"
; (optional) if your website runs behind a reverse proxy or load balancer,
; set the HTTP header containing the visitors IP address, i.e. X_FORWARDED_FOR
; header = "X_FORWARDED_FOR"
[purge]
; minimum time limit between two purgings of expired pastes, it is only
; triggered when pastes are created
; Set this to 0 to run a purge every time a paste is created.
limit = 300
; maximum amount of expired pastes to delete in one purge
; Set this to 0 to disable purging. Set it higher, if you are running a large
; site
batchsize = 10
[model]
; name of data model class to load and directory for storage
; the default model "Filesystem" stores everything in the filesystem
class = Filesystem
[model_options]
dir = PATH "data"
;[model]
; example of a Google Cloud Storage configuration
;class = GoogleCloudStorage
;[model_options]
;bucket = "my-private-bin"
;prefix = "pastes"
;[model]
; example of DB configuration for MySQL
;class = Database
;[model_options]
;dsn = "mysql:host=localhost;dbname=privatebin;charset=UTF8"
;tbl = "privatebin_" ; table prefix
;usr = "privatebin"
;pwd = "Z3r0P4ss"
;opt[12] = true ; PDO::ATTR_PERSISTENT
;[model]
; example of DB configuration for SQLite
;class = Database
;[model_options]
;dsn = "sqlite:" PATH "data/db.sq3"
;usr = null
;pwd = null
;opt[12] = true ; PDO::ATTR_PERSISTENT
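Review bot: `[traffic]` keeps rate limiting on (`limit = 10`) but leaves `; header = "X_FORWARDED_FOR"` commented out, while the companion compose file places this container behind Traefik, so PrivateBin sees every request as coming from Traefik's address. The per-IP limit then applies to all visitors collectively — one user's paste blocks everyone for 10 s — and the `exempted`/`creators` lists could never tell clients apart. Uncomment `header = "X_FORWARDED_FOR"`; Traefik sets that header, and since the container is reachable only over the internal `traefik_net` the value cannot bypass the proxy, though it is worth confirming that Traefik's default `forwardedHeaders` handling replaces a client-supplied value rather than appending to it.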

@ -0,0 +1,23 @@
version: "3.7"
services:
privatebin:
image: privatebin/fs
restart: always
labels:
- "traefik.enable=true"
- "traefik.http.routers.privatebin.entrypoints=websecure"
- "traefik.http.routers.privatebin.rule=Host(`paste.erraticbits.ca`)"
- "traefik.http.routers.privatebin.tls.certresolver=lets-encr"
volumes:
- data:/srv/data
- ./conf.php:/srv/cfg/conf.php:ro
networks:
- traefik_net
volumes:
data:
networks:
traefik_net:
external: true

@ -0,0 +1,17 @@
version: "3"
services:
syncthing:
image: syncthing/syncthing
environment:
- PUID=1000
- PGID=1000
volumes:
- data:/var/syncthing
ports: # these ports are exposed on bare machine (not through traefik)
- 8384:8384
- 22000:22000/tcp
- 22000:22000/udp
restart: unless-stopped
volumes:
data:

@ -0,0 +1,5 @@
Make sure to fix file permissions on `acme.json`
```
$ chmod 600 acme.json
```

@ -0,0 +1,26 @@
version: "3.7"
services:
traefik:
image: "traefik:latest"
container_name: "traefik"
restart: always
hostname: "traefik"
ports:
- "80:80"
- "443:443"
#- "8080:8080" # management port
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- "./traefik.yml:/traefik.yml:ro"
- "./traefik-dynamic.yml:/traefik-dynamic.yml:ro"
- "./acme.json:/acme.json"
labels:
- "traefik.enable=true"
networks:
default:
external:
name: traefik_net
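Review bot: `/var/run/docker.sock:/var/run/docker.sock:ro` is read-only only at the filesystem level; the Docker API reached through the socket still grants full control of the daemon — equivalent to root on the host — to Traefik and to anything that compromises the Traefik container, so `:ro` is not the boundary it looks like. Either record that so nobody relies on it, `# :ro limits the socket inode, not the Docker API — treat this mount as root on the host`, or front the socket with a filtering proxy that exposes only the read-only endpoints the Docker provider needs. Note also that `./acme.json` will hold the ACME account key and the issued private keys, which is why the README's `chmod 600` matters; the diffstat shows `acme.json` committed at 0 lines, so it should be kept untracked once populated.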

@ -0,0 +1,54 @@
tls:
options:
default:
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
curvePreferences:
- CurveP521
- CurveP384
sniStrict: true
http:
middlewares:
# Redirect non-www URLs to their www equivalent
# Use with traefik.http.routers.myRouter.middlewares: "redirect-non-www-to-www@file"
redirect-non-www-to-www:
# Redirect a request from an url to another with regex matching and replacement
redirectregex:
# Apply a permanent redirection (HTTP 301)
permanent: true
# The regular expression to match and capture elements from the request URL
regex: "^https?://(?:www\\.)?(.+)"
# How to modify the URL to have the new target URL
replacement: "https://www.${1}"
# Redirect www URLs to their non-www equivalent
# Use with traefik.http.routers.myRouter.middlewares: "redirect-www-to-non-www@file"
redirect-www-to-non-www:
# Redirect a request from an url to another with regex matching and replacement
redirectregex:
# Apply a permanent redirection (HTTP 301)
permanent: true
# The regular expression to match and capture elements from the request URL
regex: "^https?://www\\.(.+)"
# How to modify the URL to have the new target URL
replacement: "https://${1}"
secHeaders:
headers:
browserXssFilter: true
contentTypeNosniff: true
customFrameOptionsValue: "SAMEORIGIN"
#sslRedirect: true
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: 15768000
contentSecurityPolicy: "upgrade-insecure-requests"
referrerPolicy: "no-referrer-when-downgrade"
permissionsPolicy: "interest-cohort=()"
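Review bot: `stsPreload: true` is paired with `stsSeconds: 15768000` (six months), but the HSTS preload list requires a `max-age` of at least 31536000 together with `includeSubDomains`, so the header as written signals preload intent while failing the submission criteria. Either set `stsSeconds: 31536000` or drop `stsPreload`; preloading is effectively permanent for the whole domain and all subdomains, so it should be a deliberate choice. The two `redirect-*` middlewares are defined but not referenced by any router in this commit, and `curvePreferences` lists only `CurveP521` and `CurveP384`, omitting X25519 and P-256 that most clients negotiate first — unless P-521 is required, removing the list or adding `X25519`/`CurveP256` avoids a slower handshake.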

@ -0,0 +1,38 @@
log:
level: INFO
api:
insecure: true
dashboard: true
entryPoints:
web:
address: ":80"
http:
redirections:
entryPoint:
to: websecure
scheme: https
websecure:
address: ":443"
http:
middlewares:
- secHeaders@file
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
file:
filename: "/traefik-dynamic.yml"
certificatesResolvers:
lets-encr:
acme:
#caServer: https://acme-staging-v02.api.letsencrypt.org/directory
storage: acme.json
email: replacewithyouremail@gmail.com
httpChallenge:
entryPoint: web
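Review bot: `api: insecure: true` enables the API and dashboard on the container's port 8080 without authentication; the host mapping is commented out in the compose file, but the container sits on `traefik_net`, so every other container on that network — each app in this commit — can read the full routing configuration. Set `insecure: false` and, if the dashboard is wanted, publish it through a router on `websecure` behind a basic-auth middleware; otherwise drop the `api` section. `email: replacewithyouremail@gmail.com` is a placeholder that the ACME account gets registered under and where expiry notices go, so fill it in before the first run. `storage: acme.json` is a relative path while the compose file mounts the file at `/acme.json`; it resolves only if Traefik's working directory is `/`, so `storage: /acme.json` removes the ambiguity.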

@ -0,0 +1,28 @@
version: '3.8'
services:
transfersh:
restart: always
image: dutchcoders/transfer.sh:v1.3.1
environment:
- PURGE_DAYS=30
- PURGE_INTERVAL=12
labels:
- "traefik.enable=true"
- "traefik.http.routers.upload.entrypoints=websecure"
- "traefik.http.routers.upload.rule=Host(`upload.erraticbits.ca`)"
- "traefik.http.routers.upload.tls.certresolver=lets-encr"
volumes:
- data:/files
command: --basedir /files --provider local
volumes:
data:
networks:
default:
external:
name: traefik_net
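Review bot: `command: --basedir /files --provider local` runs transfer.sh with no authentication and no upload size cap, and the router publishes it on `upload.erraticbits.ca` to the internet, so anyone can fill the `data` volume (the 30-day `PURGE_DAYS` only bounds how long) or use the host to distribute arbitrary files. If anonymous uploads are intended, at least bound them with transfer.sh's `--max-upload-size` flag (check the image's `--help` for its units), and consider `--http-auth-user`/`--http-auth-pass` or the IP allowlist option if only the owner should upload. A short comment above `command:` stating the intended audience (public vs. owner-only) would make that decision reviewable.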

@ -0,0 +1,18 @@
version: "3.7"
services:
whoami:
image: "containous/whoami"
restart: always
labels:
- "traefik.enable=true"
- "traefik.http.routers.whoami1.entrypoints=websecure"
- "traefik.http.routers.whoami1.rule=Host(`kilo.erraticbits.ca`)"
- "traefik.http.routers.whoami1.tls.certresolver=lets-encr"
networks:
- traefik_net
networks:
traefik_net:
external: true
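Review bot: `containous/whoami` is the pre-rename image; the project moved to `traefik/whoami` when the company was renamed and, to my knowledge, the old repository no longer receives updates, so `image: "traefik/whoami"` (ideally with a version tag) is the one to pull. Since the router publishes it on `kilo.erraticbits.ca`, bear in mind it echoes every request header back to the caller — fine as a routing smoke test, but it is usually removed once the Traefik setup is confirmed.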