From 696b6cdb586b00f7d685e16a00992751c1d1807d Mon Sep 17 00:00:00 2001 From: Damien De Paoli Date: Wed, 20 Dec 2023 16:40:09 +1100 Subject: [PATCH] added access logs of errors / slow URLs only, and exposed that out into /srv/docker/container/traefik/var/log/access_log, moved all passwords into separate env_files --- docker-compose.yml | 54 ++++++++++++++++++++++++---------------- secrets/bookdb-common | 2 ++ secrets/eufy_security_ws | 2 ++ secrets/padb-common | 2 ++ secrets/pihole | 1 + secrets/wiki-common | 2 ++ 6 files changed, 42 insertions(+), 21 deletions(-) create mode 100644 secrets/bookdb-common create mode 100644 secrets/eufy_security_ws create mode 100644 secrets/padb-common create mode 100644 secrets/pihole create mode 100644 secrets/wiki-common diff --git a/docker-compose.yml b/docker-compose.yml index d653636..ee1d6a9 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,3 +1,5 @@ +# To note, if I am using an env_file to /srv/docker/config/secrets/*, then I have taken the ENV variable with a password for that +# container and put it into a separate file (1 place for common pwds like for ldap, but also so this file can be shared safely) version: '3.7' services: traefik: @@ -18,6 +20,11 @@ services: - "--entrypoints.secureweb.address=:443" - "--metrics" - "--metrics.prometheus.buckets=0.1,0.3,1.2,5.0" + - "--accessLog" + - "--accessLog.filePath=/var/log/access.log" + - "--accesslog.fields.names.StartUTC=drop" + - "--accesslog.filters.statuscodes=400-599" + - "--accesslog.filters.minduration=50ms" labels: - "com.centurylinklabs.watchtower.enable=true" - "traefik.enable=true" @@ -33,6 +40,7 @@ services: volumes: - /var/run/docker.sock:/var/run/docker.sock:ro - /srv/docker/container/traefik/:/configuration + - /srv/docker/container/traefik/var/log/:/var/log/ - /srv/docker/container/letsencrypt/etc:/letsencrypt - /etc/localtime:/etc/localtime:ro 
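Review bot: The new `--accessLog.filePath=/var/log/access.log` has no rotation or size bound, and the bind mount added in the volumes hunk below puts that file on the host, so a burst of 4xx responses from a scanner — exactly what the `statuscodes=400-599` filter keeps — can grow it until the host disk is full. Traefik closes and reopens its log files on SIGUSR1, so a host-side logrotate entry that signals the container (e.g. `docker kill -s USR1 traefik` in a postrotate, or `copytruncate`) is the usual fix. The flag spelling mixes `--accessLog` and `--accesslog`; Traefik's flag parsing is case-insensitive as far as I know, so this is cosmetic, but one spelling throughout reads better. Note also that only `StartUTC` is dropped, so with the default field mode the client address (and username, when present) for every error or slow request is written to a file on the host; treat that directory's permissions accordingly.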
@@ -181,7 +189,6 @@ services: - "traefik.http.routers.emby.tls=true" - "traefik.http.routers.emby.entrypoints=secureweb" - # # fail2ban is a bit jumpy from memory, so I've added a whitelist # but its not going to survive a pull... and it seems if I mount @@ -193,6 +200,7 @@ services: ## [DEFAULT] ## ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 # sudo docker-compose restart mail + ##### CAM/DDP: CHECK this with new mail version, seemed to be new fail2ban env options # mail: image: docker.io/mailserver/docker-mailserver:12.1.0 
@@ -246,24 +254,26 @@ services: - LDAP_SERVER_HOST=192.168.0.2 # using IP, as we changed over container names (openldap->openldapnew) - LDAP_SEARCH_BASE=dc=depaoli,dc=id,dc=au - LDAP_BIND_DN=cn=admin,dc=depaoli,dc=id,dc=au - - LDAP_BIND_PW=a_real_admin_pass_word_for_2o20 - LDAP_QUERY_FILTER_USER=(&(mail=%s)(mailEnabled=TRUE)) - LDAP_QUERY_FILTER_GROUP=(&(mailGroupMember=%s)(mailEnabled=TRUE)) - LDAP_QUERY_FILTER_ALIAS=(mailAlias=%s) - LDAP_QUERY_FILTER_DOMAIN=(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward))) - DOVECOT_PASS_FILTER=(&(objectClass=PostfixBookMailAccount)(uid=%n)) - DOVECOT_USER_FILTER=(&(objectClass=PostfixBookMailAccount)(uid=%n)) -# - ENABLE_SASLAUTHD=1 +# I can't get SASL auth to work with bitnami ldap for some reason, +# given its all internal/local traffic tolerate for now - ENABLE_SASLAUTHD=0 +# - ENABLE_SASLAUTHD=1 # - SASLAUTHD_MECHANISMS=ldap # - SASLAUTHD_LDAP_SERVER=openldap # - SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=depaoli,dc=id,dc=au -# - SASLAUTHD_LDAP_PASSWORD=a_real_admin_pass_word_for_2o20 # - SASLAUTHD_LDAP_SEARCH_BASE=ou=users,dc=depaoli,dc=id,dc=au # - SASLAUTHD_LDAP_FILTER=(&(uid=%U)(objectClass=person)) - POSTMASTER_ADDRESS=postmaster@depaoli.id.au - POSTFIX_MESSAGE_SIZE_LIMIT=100000000 - SSL_TYPE=letsencrypt + env_file: + - /srv/docker/config/secrets/ldap-mail-common cap_add: - NET_ADMIN - SYS_PTRACE @@ -279,7 +289,6 @@ services: BITNAMI_DEBUG: "true" LDAP_ROOT: "dc=depaoli,dc=id,dc=au" LDAP_ADMIN_USERNAME: "admin" - LDAP_ADMIN_PASSWORD: "a_real_admin_pass_word_for_2o20" LDAP_SKIP_DEFAULT_TREE: "yes" LDAP_CUSTOM_SCHEMA_FILE: "/schema/postfix-book.ldif" LDAP_CUSTOM_LDIF_DIR: "/ldifs" 
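Review bot: Removing `- LDAP_BIND_PW=a_real_admin_pass_word_for_2o20` here (and `LDAP_ADMIN_PASSWORD` in the openldap hunk below) takes the literal out of the working tree but not out of git history, so the bind password should be rotated rather than just relocated. The file the new `env_file:` points to, `/srv/docker/config/secrets/ldap-mail-common`, is not among the five files this commit creates, and Compose refuses to start a service whose env_file is missing, so confirm it exists on the host before deploying. Because the same file is also given to openldap, each container receives the other's variable (`LDAP_BIND_PW` and `LDAP_ADMIN_PASSWORD`); harmless if both hold the same value, but one file per service keeps each container's environment to what it needs. The mail service definition starts before this hunk.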
@@ -290,9 +299,12 @@ services: LDAP_TLS_KEY_FILE: "/opt/bitnami/openldap/certs/privkey.pem" LDAP_TLS_CA_FILE: "/opt/bitnami/openldap/certs/fullchain.pem" LDAP_TLS_DH_PARAMS_FILE: "/opt/bitnami/openldap/certs/dhparam.pem" + # these options were from osixia's container, doesn't seem to be an equiv in bitnami, not critical for now as no SASL anyway # LDAP_TLS_CIPHER_SUITE: "SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC" # LDAP_TLS_PROTOCOL_MIN: "3.1" # LDAP_TLS_VERIFY_CLIENT: "try" + env_file: + - /srv/docker/config/secrets/ldap-mail-common tty: true stdin_open: true depends_on: @@ -307,6 +319,7 @@ services: - "389:1389" # - "1636:1636" +# This isn't really needed, so for now trying to live without it -- its not maintained, and really, I can use ldapsearch anyway # phpldapadmin: # image: ghcr.io/colibris-xyz/phpldapadmin # container_name: phpldapadmin @@ -546,8 +559,7 @@ services: cadvisor: image: gcr.io/cadvisor/cadvisor:v0.47.2 -# seems latest is way older than the above -# image: gcr.io/cadvisor/cadvisor:latest +# image: gcr.io/cadvisor/cadvisor:v0.48.1 container_name: cadvisor privileged: true command: @@ -610,8 +622,9 @@ services: - "9999:80" environment: TZ: 'Australia/Melbourne' - WEBPASSWORD: 'O701JH&%fDqIw836eTiw1LxzlGw!sn%c' PIHOLE_DNS_: '208.67.222.222;208.67.220.220' + env_file: + - /srv/docker/config/secrets/pihole volumes: - /srv/docker/container/pihole/etc/:/etc/pihole/ - /srv/docker/container/pihole/dnsmasq.d/:/etc/dnsmasq.d/ @@ -633,10 +646,10 @@ services: image: postgres restart: always environment: - POSTGRES_PASSWORD: blahdeblah POSTGRES_USER: ddp POSTGRES_DB: library - PGPASSWORD: NWNlfa01 + env_file: + - /srv/docker/config/secrets/bookdb-common depends_on: - pihole labels: 
@@ -653,10 +666,10 @@ services: image: postgres:16 restart: always environment: - POSTGRES_PASSWORD: blahdeblah POSTGRES_USER: ddp POSTGRES_DB: library - PGPASSWORD: NWNlfa01 + env_file: + - /srv/docker/config/secrets/bookdb-common depends_on: - pihole labels: @@ -710,10 +723,10 @@ services: context: '/home/ddp/src/photoassistant/db-container' restart: always environment: - POSTGRES_PASSWORD: for_now_pa POSTGRES_USER: pa POSTGRES_DB: pa - PGPASSWORD: for_now_overall_pg_pass + env_file: + - /srv/docker/config/secrets/padb-common ports: - '65432:5432' depends_on: @@ -729,10 +742,10 @@ services: context: '/home/ddp/src/photoassistant/db-container' restart: always environment: - POSTGRES_PASSWORD: for_now_pa POSTGRES_USER: pa POSTGRES_DB: pa - PGPASSWORD: for_now_overall_pg_pass + env_file: + - /srv/docker/config/secrets/padb-common depends_on: - pihole volumes: @@ -821,8 +834,9 @@ services: container_name: wikidb environment: POSTGRES_DB: wiki - POSTGRES_PASSWORD: NOE82KzuLOr46EvJOJEmSXr4WW8Lt79Gdmr4n6eD765UHjaD22bvgs1cnU9x4RCn POSTGRES_USER: wikijs + env_file: + - /srv/docker/config/secrets/wiki-common logging: driver: "none" restart: always @@ -847,8 +861,9 @@ services: DB_HOST: wikidb DB_PORT: 5432 DB_USER: wikijs - DB_PASS: NOE82KzuLOr46EvJOJEmSXr4WW8Lt79Gdmr4n6eD765UHjaD22bvgs1cnU9x4RCn DB_NAME: wiki + env_file: + - /srv/docker/config/secrets/wiki-common restart: always volumes: - "/srv/docker/container/wiki/data/content:/wiki/data/content" @@ -867,7 +882,6 @@ services: restart: always environment: - "USERNAME=eufy_hass@depaoli.id.au" - - "PASSWORD=JUkoCuA!wH*f9Jeg^w*d" - "COUNTRY=AU" - "DEBUG=-v" - "TRUSTED_DEVICE_NAME=Pixel Pro 7" @@ -1001,8 +1015,6 @@ services: volumes: - "/srv/docker/container/sshwifty/:/etc/" - "/etc/localtime:/etc/localtime:ro" -# ports: -# - "8182:8182/tcp" # myth? # this: https://github.com/delnaught/mythtv-containers/blob/main/compose-mythtv/docker-compose.yml 
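Review bot: The eufy hunk (`@@ -867,7 +882,6 @@`) only removes `- "PASSWORD=..."` and, unlike every other service in this commit, adds no `env_file:` entry, so unless one is declared elsewhere in that service outside the hunk the container now starts without a password even though `secrets/eufy_security_ws` is created for it. The fix is two lines alongside `environment:`: `env_file:` / `  - /srv/docker/config/secrets/eufy_security_ws`. The service block begins before this hunk.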
diff --git a/secrets/bookdb-common b/secrets/bookdb-common
new file mode 100644
index 0000000..3ce6bbb
--- /dev/null
+++ b/secrets/bookdb-common
@@ -0,0 +1,2 @@
+POSTGRES_PASSWORD=blahdeblah
+PGPASSWORD=NWNlfa01
diff --git a/secrets/eufy_security_ws b/secrets/eufy_security_ws
new file mode 100644
index 0000000..a34e247
--- /dev/null
+++ b/secrets/eufy_security_ws
@@ -0,0 +1,2 @@
+PASSWORD=JUkoCuA!wH*f9Jeg^w*d
+
diff --git a/secrets/padb-common b/secrets/padb-common
new file mode 100644
index 0000000..d302c61
--- /dev/null
+++ b/secrets/padb-common
@@ -0,0 +1,2 @@
+POSTGRES_PASSWORD=for_now_pa
+PGPASSWORD=for_now_overall_pg_pass
diff --git a/secrets/pihole b/secrets/pihole
new file mode 100644
index 0000000..b8d2f64
--- /dev/null
+++ b/secrets/pihole
@@ -0,0 +1 @@
+WEBPASSWORD='O701JH&%fDqIw836eTiw1LxzlGw!sn%c'
diff --git a/secrets/wiki-common b/secrets/wiki-common
new file mode 100644
index 0000000..161c4c4
--- /dev/null
+++ b/secrets/wiki-common
@@ -0,0 +1,2 @@
+POSTGRES_PASSWORD=NOE82KzuLOr46EvJOJEmSXr4WW8Lt79Gdmr4n6eD765UHjaD22bvgs1cnU9x4RCn
+DB_PASS=${POSTGRES_PASSWORD}
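Review bot: `secrets/bookdb-common` (and `eufy_security_ws`, `padb-common`, `pihole`, `wiki-common` in the hunks that follow) is committed to the repository in plaintext, so the move changes which file holds each password but not who can read it; the stated aim of making docker-compose.yml safe to share is only met if `secrets/` is excluded from version control (a `.gitignore` entry, with the files kept only on the host), and the values removed from docker-compose.yml in this commit remain recoverable from history and should be rotated. The compose file reads these from `/srv/docker/config/secrets/`, while the commit creates them under `secrets/`; if that is the same directory on the host, a `# loaded via env_file from /srv/docker/config/secrets/` comment at the top of each file would make the relationship explicit.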
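Review bot: `WEBPASSWORD='...'` in `secrets/pihole` is the only value among the new secret files written with quotes, and whether they are stripped depends on the loader: Compose v2 removes single quotes, while older docker-compose v1 releases and `docker run --env-file` pass them through as part of the value, so the admin password could end up being the quoted string. Writing it unquoted like the other four files gives the same result everywhere; no shell parsing is applied to env_file values, so the `&`, `%` and `!` characters need no quoting.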
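Review bot: `DB_PASS=${POSTGRES_PASSWORD}` in `secrets/wiki-common` relies on the env_file loader expanding a reference to an earlier line of the same file; Compose v2 does this, but docker-compose v1 and `docker run --env-file` pass the literal string `${POSTGRES_PASSWORD}`, and wiki's database login would then fail to authenticate at startup. If the stack is driven by `docker-compose` (the `sudo docker-compose restart mail` comment in the mail hunk suggests it may be), writing the value out twice is the safer form; either way a comment above the line, e.g. `# requires Compose v2 env_file interpolation`, records the dependency.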