ddp/docker-compose
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

added access logs of errors / slow URLs only, and exposed that out into /srv/docker/container/traefik/var/log/access_log, moved all passwords into separate env_files

Browse Source
This commit is contained in:
Damien De Paoli
2023-12-20 16:40:09 +11:00
parent 80d15db83a
commit 696b6cdb58
6 changed files with 42 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
docker-compose.yml
View File

@@ -1,3 +1,5 @@
# To note, if I am using an env_file to /srv/docker/config/secrets/*, then I have taken the ENV variable with a password for that
# container and put it into a separate file (1 place for common pwds like for ldap, but also so this file can be shared safely)
version: '3.7' version: '3.7'
services: services:
traefik: traefik:
@@ -18,6 +20,11 @@ services:
- "--entrypoints.secureweb.address=:443" - "--entrypoints.secureweb.address=:443"
- "--metrics" - "--metrics"
- "--metrics.prometheus.buckets=0.1,0.3,1.2,5.0" - "--metrics.prometheus.buckets=0.1,0.3,1.2,5.0"
- "--accessLog"
- "--accessLog.filePath=/var/log/access.log"
- "--accesslog.fields.names.StartUTC=drop"
- "--accesslog.filters.statuscodes=400-599"
- "--accesslog.filters.minduration=50ms"
labels: labels:
- "com.centurylinklabs.watchtower.enable=true" - "com.centurylinklabs.watchtower.enable=true"
- "traefik.enable=true" - "traefik.enable=true"
@@ -33,6 +40,7 @@ services:
volumes: volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro - /var/run/docker.sock:/var/run/docker.sock:ro
- /srv/docker/container/traefik/:/configuration - /srv/docker/container/traefik/:/configuration
- /srv/docker/container/traefik/var/log/:/var/log/
- /srv/docker/container/letsencrypt/etc:/letsencrypt - /srv/docker/container/letsencrypt/etc:/letsencrypt
- /etc/localtime:/etc/localtime:ro - /etc/localtime:/etc/localtime:ro
@@ -181,7 +189,6 @@ services:
- "traefik.http.routers.emby.tls=true" - "traefik.http.routers.emby.tls=true"
- "traefik.http.routers.emby.entrypoints=secureweb" - "traefik.http.routers.emby.entrypoints=secureweb"
# #
# fail2ban is a bit jumpy from memory, so I've added a whitelist # fail2ban is a bit jumpy from memory, so I've added a whitelist
# but its not going to survive a pull... and it seems if I mount # but its not going to survive a pull... and it seems if I mount
@@ -193,6 +200,7 @@ services:
## [DEFAULT] ## [DEFAULT]
## ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ## ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
# sudo docker-compose restart mail # sudo docker-compose restart mail
##### CAM/DDP: CHECK this with new mail version, seemed to be new fail2ban env options
# #
mail: mail:
image: docker.io/mailserver/docker-mailserver:12.1.0 image: docker.io/mailserver/docker-mailserver:12.1.0
@@ -246,24 +254,26 @@ services:
- LDAP_SERVER_HOST=192.168.0.2 # using IP, as we changed over container names (openldap->openldapnew) - LDAP_SERVER_HOST=192.168.0.2 # using IP, as we changed over container names (openldap->openldapnew)
- LDAP_SEARCH_BASE=dc=depaoli,dc=id,dc=au - LDAP_SEARCH_BASE=dc=depaoli,dc=id,dc=au
- LDAP_BIND_DN=cn=admin,dc=depaoli,dc=id,dc=au - LDAP_BIND_DN=cn=admin,dc=depaoli,dc=id,dc=au
- LDAP_BIND_PW=a_real_admin_pass_word_for_2o20
- LDAP_QUERY_FILTER_USER=(&(mail=%s)(mailEnabled=TRUE)) - LDAP_QUERY_FILTER_USER=(&(mail=%s)(mailEnabled=TRUE))
- LDAP_QUERY_FILTER_GROUP=(&(mailGroupMember=%s)(mailEnabled=TRUE)) - LDAP_QUERY_FILTER_GROUP=(&(mailGroupMember=%s)(mailEnabled=TRUE))
- LDAP_QUERY_FILTER_ALIAS=(mailAlias=%s) - LDAP_QUERY_FILTER_ALIAS=(mailAlias=%s)
- LDAP_QUERY_FILTER_DOMAIN=(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward))) - LDAP_QUERY_FILTER_DOMAIN=(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))
- DOVECOT_PASS_FILTER=(&(objectClass=PostfixBookMailAccount)(uid=%n)) - DOVECOT_PASS_FILTER=(&(objectClass=PostfixBookMailAccount)(uid=%n))
- DOVECOT_USER_FILTER=(&(objectClass=PostfixBookMailAccount)(uid=%n)) - DOVECOT_USER_FILTER=(&(objectClass=PostfixBookMailAccount)(uid=%n))
# - ENABLE_SASLAUTHD=1 # I can't get SASL auth to work with bitnami ldap for some reason,
# given its all internal/local traffic tolerate for now
- ENABLE_SASLAUTHD=0 - ENABLE_SASLAUTHD=0
# - ENABLE_SASLAUTHD=1
# - SASLAUTHD_MECHANISMS=ldap # - SASLAUTHD_MECHANISMS=ldap
# - SASLAUTHD_LDAP_SERVER=openldap # - SASLAUTHD_LDAP_SERVER=openldap
# - SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=depaoli,dc=id,dc=au # - SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=depaoli,dc=id,dc=au
# - SASLAUTHD_LDAP_PASSWORD=a_real_admin_pass_word_for_2o20
# - SASLAUTHD_LDAP_SEARCH_BASE=ou=users,dc=depaoli,dc=id,dc=au # - SASLAUTHD_LDAP_SEARCH_BASE=ou=users,dc=depaoli,dc=id,dc=au
# - SASLAUTHD_LDAP_FILTER=(&(uid=%U)(objectClass=person)) # - SASLAUTHD_LDAP_FILTER=(&(uid=%U)(objectClass=person))
- POSTMASTER_ADDRESS=postmaster@depaoli.id.au - POSTMASTER_ADDRESS=postmaster@depaoli.id.au
- POSTFIX_MESSAGE_SIZE_LIMIT=100000000 - POSTFIX_MESSAGE_SIZE_LIMIT=100000000
- SSL_TYPE=letsencrypt - SSL_TYPE=letsencrypt
env_file:
- /srv/docker/config/secrets/ldap-mail-common
cap_add: cap_add:
- NET_ADMIN - NET_ADMIN
- SYS_PTRACE - SYS_PTRACE
@@ -279,7 +289,6 @@ services:
BITNAMI_DEBUG: "true" BITNAMI_DEBUG: "true"
LDAP_ROOT: "dc=depaoli,dc=id,dc=au" LDAP_ROOT: "dc=depaoli,dc=id,dc=au"
LDAP_ADMIN_USERNAME: "admin" LDAP_ADMIN_USERNAME: "admin"
LDAP_ADMIN_PASSWORD: "a_real_admin_pass_word_for_2o20"
LDAP_SKIP_DEFAULT_TREE: "yes" LDAP_SKIP_DEFAULT_TREE: "yes"
LDAP_CUSTOM_SCHEMA_FILE: "/schema/postfix-book.ldif" LDAP_CUSTOM_SCHEMA_FILE: "/schema/postfix-book.ldif"
LDAP_CUSTOM_LDIF_DIR: "/ldifs" LDAP_CUSTOM_LDIF_DIR: "/ldifs"
@@ -290,9 +299,12 @@ services:
LDAP_TLS_KEY_FILE: "/opt/bitnami/openldap/certs/privkey.pem" LDAP_TLS_KEY_FILE: "/opt/bitnami/openldap/certs/privkey.pem"
LDAP_TLS_CA_FILE: "/opt/bitnami/openldap/certs/fullchain.pem" LDAP_TLS_CA_FILE: "/opt/bitnami/openldap/certs/fullchain.pem"
LDAP_TLS_DH_PARAMS_FILE: "/opt/bitnami/openldap/certs/dhparam.pem" LDAP_TLS_DH_PARAMS_FILE: "/opt/bitnami/openldap/certs/dhparam.pem"
# these options were from osixia's container, doesn't seem to be an equiv in bitnami, not critical for now as no SASL anyway
# LDAP_TLS_CIPHER_SUITE: "SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC" # LDAP_TLS_CIPHER_SUITE: "SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC"
# LDAP_TLS_PROTOCOL_MIN: "3.1" # LDAP_TLS_PROTOCOL_MIN: "3.1"
# LDAP_TLS_VERIFY_CLIENT: "try" # LDAP_TLS_VERIFY_CLIENT: "try"
env_file:
- /srv/docker/config/secrets/ldap-mail-common
tty: true tty: true
stdin_open: true stdin_open: true
depends_on: depends_on:
@@ -307,6 +319,7 @@ services:
- "389:1389" - "389:1389"
# - "1636:1636" # - "1636:1636"
# This isn't really needed, so for now trying to live without it -- its not maintained, and really, I can use ldapsearch anyway
# phpldapadmin: # phpldapadmin:
# image: ghcr.io/colibris-xyz/phpldapadmin # image: ghcr.io/colibris-xyz/phpldapadmin
# container_name: phpldapadmin # container_name: phpldapadmin
@@ -546,8 +559,7 @@ services:
cadvisor: cadvisor:
image: gcr.io/cadvisor/cadvisor:v0.47.2 image: gcr.io/cadvisor/cadvisor:v0.47.2
# seems latest is way older than the above # image: gcr.io/cadvisor/cadvisor:v0.48.1
# image: gcr.io/cadvisor/cadvisor:latest
container_name: cadvisor container_name: cadvisor
privileged: true privileged: true
command: command:
@@ -610,8 +622,9 @@ services:
- "9999:80" - "9999:80"
environment: environment:
TZ: 'Australia/Melbourne' TZ: 'Australia/Melbourne'
WEBPASSWORD: 'O701JH&%fDqIw836eTiw1LxzlGw!sn%c'
PIHOLE_DNS_: '208.67.222.222;208.67.220.220' PIHOLE_DNS_: '208.67.222.222;208.67.220.220'
env_file:
- /srv/docker/config/secrets/pihole
volumes: volumes:
- /srv/docker/container/pihole/etc/:/etc/pihole/ - /srv/docker/container/pihole/etc/:/etc/pihole/
- /srv/docker/container/pihole/dnsmasq.d/:/etc/dnsmasq.d/ - /srv/docker/container/pihole/dnsmasq.d/:/etc/dnsmasq.d/
@@ -633,10 +646,10 @@ services:
image: postgres image: postgres
restart: always restart: always
environment: environment:
POSTGRES_PASSWORD: blahdeblah
POSTGRES_USER: ddp POSTGRES_USER: ddp
POSTGRES_DB: library POSTGRES_DB: library
PGPASSWORD: NWNlfa01 env_file:
- /srv/docker/config/secrets/bookdb-common
depends_on: depends_on:
- pihole - pihole
labels: labels:
@@ -653,10 +666,10 @@ services:
image: postgres:16 image: postgres:16
restart: always restart: always
environment: environment:
POSTGRES_PASSWORD: blahdeblah
POSTGRES_USER: ddp POSTGRES_USER: ddp
POSTGRES_DB: library POSTGRES_DB: library
PGPASSWORD: NWNlfa01 env_file:
- /srv/docker/config/secrets/bookdb-common
depends_on: depends_on:
- pihole - pihole
labels: labels:
@@ -710,10 +723,10 @@ services:
context: '/home/ddp/src/photoassistant/db-container' context: '/home/ddp/src/photoassistant/db-container'
restart: always restart: always
environment: environment:
POSTGRES_PASSWORD: for_now_pa
POSTGRES_USER: pa POSTGRES_USER: pa
POSTGRES_DB: pa POSTGRES_DB: pa
PGPASSWORD: for_now_overall_pg_pass env_file:
- /srv/docker/config/secrets/padb-common
ports: ports:
- '65432:5432' - '65432:5432'
depends_on: depends_on:
@@ -729,10 +742,10 @@ services:
context: '/home/ddp/src/photoassistant/db-container' context: '/home/ddp/src/photoassistant/db-container'
restart: always restart: always
environment: environment:
POSTGRES_PASSWORD: for_now_pa
POSTGRES_USER: pa POSTGRES_USER: pa
POSTGRES_DB: pa POSTGRES_DB: pa
PGPASSWORD: for_now_overall_pg_pass env_file:
- /srv/docker/config/secrets/padb-common
depends_on: depends_on:
- pihole - pihole
volumes: volumes:
@@ -821,8 +834,9 @@ services:
container_name: wikidb container_name: wikidb
environment: environment:
POSTGRES_DB: wiki POSTGRES_DB: wiki
POSTGRES_PASSWORD: NOE82KzuLOr46EvJOJEmSXr4WW8Lt79Gdmr4n6eD765UHjaD22bvgs1cnU9x4RCn
POSTGRES_USER: wikijs POSTGRES_USER: wikijs
env_file:
- /srv/docker/config/secrets/wiki-common
logging: logging:
driver: "none" driver: "none"
restart: always restart: always
@@ -847,8 +861,9 @@ services:
DB_HOST: wikidb DB_HOST: wikidb
DB_PORT: 5432 DB_PORT: 5432
DB_USER: wikijs DB_USER: wikijs
DB_PASS: NOE82KzuLOr46EvJOJEmSXr4WW8Lt79Gdmr4n6eD765UHjaD22bvgs1cnU9x4RCn
DB_NAME: wiki DB_NAME: wiki
env_file:
- /srv/docker/config/secrets/wiki-common
restart: always restart: always
volumes: volumes:
- "/srv/docker/container/wiki/data/content:/wiki/data/content" - "/srv/docker/container/wiki/data/content:/wiki/data/content"
@@ -867,7 +882,6 @@ services:
restart: always restart: always
environment: environment:
- "USERNAME=eufy_hass@depaoli.id.au" - "USERNAME=eufy_hass@depaoli.id.au"
- "PASSWORD=JUkoCuA!wH*f9Jeg^w*d"
- "COUNTRY=AU" - "COUNTRY=AU"
- "DEBUG=-v" - "DEBUG=-v"
- "TRUSTED_DEVICE_NAME=Pixel Pro 7" - "TRUSTED_DEVICE_NAME=Pixel Pro 7"
@@ -1001,8 +1015,6 @@ services:
volumes: volumes:
- "/srv/docker/container/sshwifty/:/etc/" - "/srv/docker/container/sshwifty/:/etc/"
- "/etc/localtime:/etc/localtime:ro" - "/etc/localtime:/etc/localtime:ro"
# ports:
# - "8182:8182/tcp"
# myth? # myth?
# this: https://github.com/delnaught/mythtv-containers/blob/main/compose-mythtv/docker-compose.yml # this: https://github.com/delnaught/mythtv-containers/blob/main/compose-mythtv/docker-compose.yml

2
secrets/bookdb-common Normal file
View File

@@ -0,0 +1,2 @@
POSTGRES_PASSWORD=blahdeblah
PGPASSWORD=NWNlfa01

2
secrets/eufy_security_ws Normal file
View File

@@ -0,0 +1,2 @@
PASSWORD=JUkoCuA!wH*f9Jeg^w*d

2
secrets/padb-common Normal file
View File

@@ -0,0 +1,2 @@
POSTGRES_PASSWORD=for_now_pa
PGPASSWORD=for_now_overall_pg_pass

1
secrets/pihole Normal file
View File

@@ -0,0 +1 @@
WEBPASSWORD='O701JH&%fDqIw836eTiw1LxzlGw!sn%c'

2
secrets/wiki-common Normal file
View File

@@ -0,0 +1,2 @@
POSTGRES_PASSWORD=NOE82KzuLOr46EvJOJEmSXr4WW8Lt79Gdmr4n6eD765UHjaD22bvgs1cnU9x4RCn
DB_PASS=${POSTGRES_PASSWORD}