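# Edge stack: Traefik v3 (reverse proxy + ACME) with the CrowdSec bouncer
# plugin, Portainer for Docker management, and the CrowdSec agent / LAPI.
#
# Secrets are NOT stored in this file.  Put them in a .env file next to it
# (compose interpolates ${VAR} in label and environment values):
#   CROWDSEC_LAPI_KEY       - bouncer API key; the same value is registered in
#                             the crowdsec container via BOUNCER_KEY_traefik
#   TRAEFIK_DASHBOARD_USERS - htpasswd line(s) for dashboard/metrics basic auth
#   INFOMANIAK_ACCESS_TOKEN - DNS provider token; only needed if the `cs`
#                             resolver is switched to dnsChallenge (unused now)
# Credentials that were previously committed as literals in this file should
# be treated as compromised and rotated.

networks:
  proxy:
    external: false
    name: proxy
    enable_ipv6: true

volumes:
  letsencrypt:
    name: letsencrypt
  portainer:
    name: portainer
  traefik_log:
    name: traefik_log
  crowdsec_data:
    name: crowdsec_data
  crowdsec_etc:
    name: crowdsec_etc

services:
  traefik:
    # Floating major tag: pin to an exact version (ideally a digest) so an
    # upstream release cannot silently change the edge proxy.
    image: traefik:v3
    container_name: traefik
    restart: unless-stopped
    command:
      # Bouncer plugin is version-pinned (good); bump deliberately.
      - --experimental.plugins.bouncer.moduleName=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
      - --experimental.plugins.bouncer.version=v1.5.0
      - --global.sendAnonymousUsage=false
      - --api.dashboard=true
      # The dashboard/API is only served through the authenticated
      # `traefik-secure` router (api@internal).  api.insecure=true would
      # additionally expose it unauthenticated on :8080 to every container
      # attached to the proxy network.
      - --api.insecure=false
      - --providers.docker=true
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entryPoints.web.address=:80
      # Accept X-Forwarded-* only from the same ranges the CrowdSec bouncer
      # trusts.  forwardedHeaders.insecure=true let any client set
      # X-Forwarded-For, which is passed to backends and is what log-based
      # detection typically reads as the client address -- enabling spoofed
      # bans of third-party IPs or evasion.
      - --entryPoints.web.forwardedHeaders.trustedIPs=91.108.113.212,192.168.0.0/16,172.17.0.0/16
      - --entryPoints.websecure.address=:443
      - --entryPoints.websecure.http3.advertisedPort=443
      - --entryPoints.websecure.forwardedHeaders.trustedIPs=91.108.113.212,192.168.0.0/16,172.17.0.0/16
      # NOTE(review): port 222 is not published below, so this entryPoint is
      # unreachable from outside the container -- confirm whether it is still
      # needed or whether "222:222" is missing from `ports`.
      - --entryPoints.ssh.address=:222/tcp
      - --entryPoints.smtp.address=:25
      - --entryPoints.smtp-ssl.address=:465
      - --entryPoints.imap-ssl.address=:993
      - --entryPoints.sieve.address=:4190
      # TLS-ALPN-01 challenge: needs :443 reachable from the internet and no
      # DNS provider credentials.
      - --certificatesresolvers.cs.acme.tlschallenge=true
      - --certificatesresolvers.cs.acme.email=christiansteinle@arcor.de
      - --certificatesresolvers.cs.acme.storage=/letsencrypt/acme.json
      - --log=true
      - --log.level=INFO
      # JSON access log shared with the crowdsec container via traefik_log;
      # bufferingSize=0 flushes immediately so detections are not delayed.
      - --accessLog=true
      - --accessLog.filePath=/logs/traefik.log
      - --accessLog.format=json
      - --accessLog.bufferingSize=0
      # Drop all request headers from the log except User-Agent so credentials
      # (Authorization, Cookie, X-Api-Key) never land in the log volume.
      - --accessLog.fields.headers.defaultMode=drop
      - --accessLog.fields.headers.names.User-Agent=keep
      # manualRouting: metrics are only reachable through the authenticated
      # `metrics-secure` router defined in the labels below.
      - --metrics.prometheus=true
      - --metrics.prometheus.manualRouting=true
      - --metrics.prometheus.addRoutersLabels=true
    environment:
      # Not referenced by the `cs` resolver (tlschallenge).  Kept for a future
      # dnsChallenge; the value comes from .env, never from this file.
      - INFOMANIAK_ACCESS_TOKEN=${INFOMANIAK_ACCESS_TOKEN:-}
    ports:
      # 80/443 are published in host mode so Traefik (and therefore CrowdSec)
      # sees the real client IP rather than the Docker NAT address.
      # NOTE(review): the mail/sieve ports use the default bridge publishing;
      # connections handled by docker-proxy (e.g. over IPv6, which the proxy
      # network enables) may show the gateway address -- confirm whether host
      # mode is wanted for those as well.
      - "25:25"
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: udp
        mode: host
      - "465:465"
      - "993:993"
      - "4190:4190"
    volumes:
      # ":ro" only makes the socket file read-only; the Docker API behind it
      # is fully usable, i.e. this is root-equivalent host access.  A socket
      # proxy that allows only the read endpoints Traefik needs would reduce
      # the blast radius of a proxy compromise.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - letsencrypt:/letsencrypt
      - traefik_log:/logs
    labels:
      - "traefik.enable=true"
      # HTTP -> HTTPS redirect for the dashboard host.
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.rule=Host(`traefik.steinle-computer.de`)"
      - "traefik.http.routers.traefik.middlewares=traefik"
      - "traefik.http.middlewares.traefik.redirectscheme.scheme=https"
      # Dashboard: TLS, CrowdSec bouncer, then basic auth.
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.steinle-computer.de`)"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cs"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.routers.traefik-secure.middlewares=crowdsec,auth"
      # Credentials from .env.  Generate with `htpasswd -nB user` (bcrypt
      # rather than apr1/MD5).  Single-quote the value in .env so its `$`
      # characters are literal; no `$$` doubling is needed for values that
      # arrive through interpolation.
      - "traefik.http.middlewares.auth.basicauth.users=${TRAEFIK_DASHBOARD_USERS:?set TRAEFIK_DASHBOARD_USERS in .env}"
      # Placeholder backend for the redirect-only `web` routers above; it is
      # never reached, and nothing listens on 8080 with api.insecure=false.
      - "traefik.http.services.traefik-secure.loadbalancer.server.port=8080"
      # Prometheus metrics, same protection as the dashboard.
      - "traefik.http.routers.metrics.entrypoints=web"
      - "traefik.http.routers.metrics.rule=Host(`traefik.steinle-computer.de`) && PathPrefix(`/metrics`)"
      - "traefik.http.routers.metrics.middlewares=traefik"
      - "traefik.http.routers.metrics-secure.entrypoints=websecure"
      - "traefik.http.routers.metrics-secure.rule=Host(`traefik.steinle-computer.de`) && PathPrefix(`/metrics`)"
      - "traefik.http.routers.metrics-secure.tls.certresolver=cs"
      - "traefik.http.routers.metrics-secure.middlewares=crowdsec,auth"
      - "traefik.http.routers.metrics-secure.service=prometheus@internal"
      # CrowdSec bouncer middleware (`crowdsec@docker`).  It only does
      # something when a router references it, so it is attached to every
      # internet-facing router in this file.
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.enabled=true"
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.defaultDecisionSeconds=60"
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecMode=live"
      # AppSec (WAF) is disabled; the host/failure settings below are inert
      # until crowdsecAppsecEnabled is turned on.
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecAppsecEnabled=false"
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecAppsecHost=crowdsec:7422"
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecAppsecFailureBlock=true"
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecAppsecUnreachableBlock=true"
      # Bouncer key from .env; must match the key registered in CrowdSec
      # (BOUNCER_KEY_traefik on the crowdsec service).  Labels are readable
      # via `docker inspect` and by anything holding the Docker socket, so a
      # literal key here is effectively shared with every such container.
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapiKey=${CROWDSEC_LAPI_KEY:?set CROWDSEC_LAPI_KEY in .env}"
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapiHost=crowdsec:8080"
      # LAPI is plain HTTP, reachable only on the internal proxy network
      # (the crowdsec service does not publish 8080 beyond loopback).
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapiScheme=http"
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapiTLSInsecureVerify=false"
      # Same trust list as the entryPoint forwardedHeaders.trustedIPs above.
      # NOTE(review): 172.17.0.0/16 is Docker's default bridge; a user-defined
      # network such as `proxy` usually gets a different subnet -- verify with
      # `docker network inspect proxy`.
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.forwardedHeadersTrustedIPs=91.108.113.212,192.168.0.0/16,172.17.0.0/16"
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.clientTrustedIPs=91.108.113.212,192.168.0.0/16,172.17.0.0/16"
    networks:
      - proxy

  portainer:
    # Floating tag; pin to a release.
    image: portainer/portainer-ce:alpine
    container_name: portainer
    command: -H unix:///var/run/docker.sock
    restart: unless-stopped
    volumes:
      # Read-write Docker socket: anyone who authenticates to Portainer is
      # root on the host.  That is why the public router below goes through
      # the CrowdSec bouncer; keep Portainer's own login strong.
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer:/data
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      # HTTP -> HTTPS redirect.
      - "traefik.http.routers.portainer.entrypoints=web"
      - "traefik.http.routers.portainer.rule=Host(`portainer.steinle-computer.de`)"
      - "traefik.http.routers.portainer.middlewares=portainer"
      - "traefik.http.middlewares.portainer.redirectscheme.scheme=https"
      - "traefik.http.routers.portainer-secure.entrypoints=websecure"
      - "traefik.http.routers.portainer-secure.rule=Host(`portainer.steinle-computer.de`)"
      # CrowdSec bouncer first, then the CORS headers for the dashboard origin.
      - "traefik.http.routers.portainer-secure.middlewares=crowdsec,portainer-secure"
      - "traefik.http.middlewares.portainer-secure.headers.addvaryheader=true"
      - "traefik.http.middlewares.portainer-secure.headers.accesscontrolalloworiginlist=https://homer.fam-steinle.de"
      - "traefik.http.middlewares.portainer-secure.headers.accesscontrolallowheaders=x-api-key"
      - "traefik.http.routers.portainer-secure.tls.certresolver=cs"
      - "traefik.http.services.portainer-secure.loadbalancer.server.port=9000"

  crowdsec:
    # Untagged = :latest; pin to a release so engine and parsers change
    # only when you decide to upgrade.
    image: crowdsecurity/crowdsec
    container_name: crowdsec
    restart: unless-stopped
    ports:
      # LAPI for host-side bouncers (e.g. a firewall bouncer); loopback only.
      - "127.0.0.1:9876:8080"
    expose:
      - 8080 # http api for bouncers
      - 6060 # metrics endpoint for prometheus
      - 7422 # appsec waf endpoint (currently disabled in the traefik bouncer)
    volumes:
      # crowdsec container data
      - crowdsec_data:/var/lib/crowdsec/data
      - crowdsec_etc:/etc/crowdsec
      # log bind mounts into crowdsec (read-only)
      # NOTE(review): on journald-only hosts these paths may not exist and
      # Docker would create empty directories instead -- confirm they are files.
      - /var/log/auth.log:/var/log/auth.log:ro
      - /var/log/syslog:/var/log/syslog:ro
      - traefik_log:/var/log/traefik:ro
    environment:
      # NOTE(review): presumably the host group allowed to read auth.log /
      # syslog -- verify against the host's group ids.
      - GID=1000
      - COLLECTIONS=crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/base-http-scenarios crowdsecurity/sshd crowdsecurity/linux crowdsecurity/appsec-generic-rules crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-crs
      # Pre-register the Traefik bouncer with the same key the plugin uses,
      # so the key lives in .env only.
      - BOUNCER_KEY_traefik=${CROWDSEC_LAPI_KEY:?set CROWDSEC_LAPI_KEY in .env}
      #- CUSTOM_HOSTNAME=my-crowdsec-host123
    networks:
      - proxy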