From e4c034e6e3a9d8e33a44468c3089b100ea5d46aa Mon Sep 17 00:00:00 2001
From: SmartHomeBeginner
Date: Wed, 30 Sep 2020 13:03:28 -0400
Subject: [PATCH] updated readme and more

---
 README.md | 3 +-
 docker-compose-t2-synology.yml | 4 +-
 docker-compose-t2-web.yml | 92 ++++++++-------------------------
 docker-compose-t2.yml | 5 +-
 4 files changed, 28 insertions(+), 76 deletions(-)

diff --git a/README.md b/README.md
index 86e84b6..e0495ea 100755
--- a/README.md
+++ b/README.md
@@ -7,6 +7,7 @@ This is the updated docker-compose repo of all the media and home server apps de
 - Synology Docker Media Server with Traefik, Docker Compose, and Cloudflare: [https://www.smarthomebeginner.com/synology-docker-media-server/](https://www.smarthomebeginner.com/synology-docker-media-server/)
 - Google OAuth 2 MFA Protection for Docker - [https://www.smarthomebeginner.com/google-oauth-with-traefik-docker/](https://www.smarthomebeginner.com/google-oauth-with-traefik-docker/)
 - Authelia MFA Protection for Docker - [https://www.smarthomebeginner.com/docker-authelia-tutorial/](https://www.smarthomebeginner.com/docker-authelia-tutorial/)
+- Traefik Docker Security Best Practices - [https://www.smarthomebeginner.com/traefik-docker-security-best-practices/](https://www.smarthomebeginner.com/traefik-docker-security-best-practices/)
 ### Old Posts:
@@ -135,7 +136,7 @@ We will try to keep this repo up-to-date. For now, here are the apps currently i
 - Monitorr - Webfront to display the status of any webapp or service (OBSOLETE)
 - Cloud Commander - Web File Manager (OBSOLETE)
 - Cloud9 - Cloud IDE (OBSOLETE)
-- SMTP To Telegram - Sends all incoming Email messages to Telegram
+- SMTP To Telegram - Sends all incoming Email messages to Telegram
 ### MAINTENANCE
diff --git a/docker-compose-t2-synology.yml b/docker-compose-t2-synology.yml
index fa0b4cc..d2c5c59 100755
--- a/docker-compose-t2-synology.yml
+++ b/docker-compose-t2-synology.yml
@@ -83,7 +83,7 @@ services:
   # Portainer - WebUI for Containers
   portainer:
     container_name: portainer
-    image: portainer/portainer:latest
+    image: portainer/portainer-ce:latest
     restart: unless-stopped
     # command: -H unix:///var/run/docker.sock # # Use Docker Socket Proxy instead for improved security
     # command: -H tcp://socket-proxy:2375 # appears to not work. Workaround was to create a new socket-proxy:2375 endpoint on portainer settings
@@ -168,7 +168,7 @@ services:
     container_name: redis
     image: redis:latest
     restart: unless-stopped
-    entrypoint: redis-server --appendonly yes --maxmemory 512mb --maxmemory-policy allkeys-lru
+    entrypoint: redis-server --appendonly yes --requirepass $REDIS_PASSWORD --maxmemory 512mb --maxmemory-policy allkeys-lru
     ports:
       - "$REDIS_PORT:6379"
     security_opt:
diff --git a/docker-compose-t2-web.yml b/docker-compose-t2-web.yml
index 107760d..5f66718 100644
--- a/docker-compose-t2-web.yml
+++ b/docker-compose-t2-web.yml
@@ -32,18 +32,6 @@ secrets:
     file: $SECRETSDIR/authelia_notifier_smtp_password
   authelia_duo_api_secret_key:
     file: $SECRETSDIR/authelia_duo_api_secret_key
-  wordpress_db_name:
-    file: $SECRETSDIR/wordpress_db_name
-  wordpress_db_user:
-    file: $SECRETSDIR/wordpress_db_user
-  wordpress_db_password:
-    file: $SECRETSDIR/wordpress_db_password
-  guac_db_name:
-    file: $SECRETSDIR/guac_db_name
-  guac_mysql_user:
-    file: $SECRETSDIR/guac_mysql_user
-  guac_mysql_password:
-    file: $SECRETSDIR/guac_mysql_password
 ########################### SERVICES
 services:
@@ -246,7 +234,7 @@ services:
   # Portainer - WebUI for Containers
   portainer:
     container_name: portainer
-    image: portainer/portainer:latest
+    image: portainer/portainer-ce:latest
     restart: unless-stopped
     # command: -H unix:///var/run/docker.sock # # Use Docker Socket Proxy instead for improved security
     # command: -H tcp://socket-proxy:2375 # appears to not work. Workaround was to create a new socket-proxy:2375 endpoint on portainer settings
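Review bot: `image: portainer/portainer-ce:latest` keeps Portainer on a mutable tag while this same commit pins redis, mariadb, nginx and traefik to explicit versions in the other files; the identical line is added in the docker-compose-t2-web.yml hunk at old line 246. Portainer is the container here that drives the Docker API (the commented `command:` lines show it pointed at the socket or at socket-proxy), so an image that changes underneath `:latest` on the next pull runs with that access unreviewed. Pinning it like the others, `image: portainer/portainer-ce:<pinned-version>`, keeps that upgrade a deliberate step.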
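Review bot: `--requirepass $REDIS_PASSWORD` in the new entrypoint depends on `REDIS_PASSWORD` being present in the environment Compose reads; if it is missing Compose substitutes an empty string and, because the entrypoint is a shell-split string, the server either refuses to start or starts with some other token as its password, while `ports: - "$REDIS_PORT:6379"` still publishes it on the host. The required-variable form `--requirepass ${REDIS_PASSWORD:?REDIS_PASSWORD is not set}` turns that into a hard failure at `up`; the same applies to the redis hunk in docker-compose-t2-web.yml at old line 300. This file also stays on `redis:latest` where the web file now pins `redis:6.0.6`, which looks unintentional. A password on the command line is readable through `docker inspect` and process listings, which is inherent to the flag but worth a comment on the line, e.g. `# password is visible in inspect/ps output; rotate it via .env`.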
@@ -279,7 +267,7 @@ services:
   # After starting container for first time dexec and mysqladmin -u root password
   mariadb:
     container_name: mariadb
-    image: linuxserver/mariadb:latest
+    image: linuxserver/mariadb:110.4.14mariabionic-ls77
     restart: always
     networks:
       t2_proxy:
@@ -300,9 +288,9 @@ services:
   # Redis - Key-value Store
   redis:
     container_name: redis
-    image: redis:latest
+    image: redis:6.0.6
     restart: unless-stopped
-    entrypoint: redis-server --appendonly yes --maxmemory 512mb --maxmemory-policy allkeys-lru
+    entrypoint: redis-server --appendonly yes --requirepass $REDIS_PASSWORD --maxmemory 512mb --maxmemory-policy allkeys-lru
     networks:
       - t2_proxy
     security_opt:
@@ -323,6 +311,7 @@ services:
       - no-new-privileges:true
     environment:
       - REDIS_HOST=redis
+      - REDIS_PASSWORD=$REDIS_PASSWORD
     labels:
       - "traefik.enable=true"
       ## HTTP Routers
@@ -371,7 +360,7 @@ services:
   # Nginx - Web Server
   nginx:
     container_name: nginx
-    image: nginx:stable-alpine
+    image: nginx:1.18
     restart: unless-stopped
     depends_on:
       - php7
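Review bot: `REDIS_PASSWORD=$REDIS_PASSWORD` hands the Redis credential to the container as a plain environment variable, visible to anyone who can `docker inspect` or exec into it, while the other credentials in this file travel as file secrets (`authelia_notifier_smtp_password`, `authelia_duo_api_secret_key` under `secrets:`). The service this environment block belongs to is above the hunk; if it is Authelia, `AUTHELIA_SESSION_REDIS_PASSWORD_FILE` pointed at a `redis_password` secret mounted under `/run/secrets/` keeps the credential off the environment and consistent with the rest of the file. If the consumer cannot read a file, a one-line comment on the entry saying so, `# env var by necessity: consumer has no file-secret option`, records why this one differs.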
@@ -390,22 +379,25 @@ services:
       - "traefik.enable=true"
       ## HTTP Routers SHB
       - "traefik.http.routers.nginx-shb-rtr.entrypoints=https"
-      - "traefik.http.routers.nginx-shb-rtr.rule=HostHeader(`www.$DOMAINNAME`)"
-      ## HTTP Routers SHB
+      - "traefik.http.routers.nginx-shb-rtr.rule=HostHeader(`$DOMAINNAME`) || HostHeader(`www.$DOMAINNAME`)"
+      ## HTTP Routers DASH
       - "traefik.http.routers.nginx-dash-rtr.entrypoints=https"
       - "traefik.http.routers.nginx-dash-rtr.rule=HostHeader(`dash.$DOMAINNAME`)"
       ## HTTP Routers KHUB
       - "traefik.http.routers.nginx-khub-rtr.entrypoints=https"
-      - "traefik.http.routers.nginx-khub-rtr.rule=HostHeader(`www.$DOMAINNAME1`)"
+      - "traefik.http.routers.nginx-khub-rtr.rule=HostHeader(`$DOMAINNAME1`) || HostHeader(`www.$DOMAINNAME1`)"
       ## Middlewares
-      - "traefik.http.routers.nginx-khub-rtr.middlewares=chain-no-auth@file"
-      - "traefik.http.routers.nginx-shb-rtr.middlewares=chain-authelia-wp@file"
+      - "traefik.http.routers.nginx-khub-rtr.middlewares=khub-redirect,chain-no-auth@file"
+      - "traefik.http.routers.nginx-shb-rtr.middlewares=shb-redirect,chain-authelia-wp@file"
       - "traefik.http.routers.nginx-dash-rtr.middlewares=chain-authelia@file"
       # Redirect shb non-www to www middleware
-      #- "traefik.http.middlewares.shb-redirect.redirectregex.regex=^https?://$DOMAINNAME/(.*)"
-      #- "traefik.http.middlewares.shb-redirect.redirectregex.replacement=https://www.$DOMAINNAME/$${1}"
-      #- "traefik.http.middlewares.shb-redirect.redirectregex.permanent=true"
-      # Redirect khub non-www to www middleware - Handled by Cloudflare
+      - "traefik.http.middlewares.shb-redirect.redirectregex.regex=^https?://$DOMAINNAME/(.*)"
+      - "traefik.http.middlewares.shb-redirect.redirectregex.replacement=https://www.$DOMAINNAME/$${1}"
+      - "traefik.http.middlewares.shb-redirect.redirectregex.permanent=true"
+      # Redirect khub non-www to www middleware
+      - "traefik.http.middlewares.khub-redirect.redirectregex.regex=^https?://$DOMAINNAME1/(.*)"
+      - "traefik.http.middlewares.khub-redirect.redirectregex.replacement=https://www.$DOMAINNAME1/$${1}"
+      - "traefik.http.middlewares.khub-redirect.redirectregex.permanent=true"
       ## HTTP Services
       - "traefik.http.routers.nginx-shb-rtr.service=nginx-svc"
       - "traefik.http.routers.nginx-khub-rtr.service=nginx-svc"
@@ -415,7 +407,7 @@ services:
   # PHP - Hypertext Preprocessor
   php7:
     container_name: php7
-    image: php:7-fpm-alpine-custom
+    image: php:7.4-fpm-custom
     build:
       context: $DOCKERDIR/custom/
       dockerfile: Dockerfile-php7
@@ -441,8 +433,8 @@ services:
     networks:
       - t2_proxy
       - socket_proxy
-    depends_on:
-      - socket-proxy
+    # depends_on:
+    #   - socket-proxy
     security_opt:
       - no-new-privileges:true
     # ports:
@@ -542,48 +534,6 @@ services:
       - "traefik.http.routers.vscode-rtr.service=vscode-svc"
       - "traefik.http.services.vscode-svc.loadbalancer.server.port=8080"
-  # Guacamole Daemon - Needed for Guacamole
-  guacd:
-    image: guacamole/guacd
-    container_name: guacd
-    restart: unless-stopped
-    security_opt:
-      - no-new-privileges:true
-    networks:
-      - t2_proxy
-
-  # Guacamole - Remote desktop, SSH, on Telnet on any HTML5 Browser
-  guacamole:
-    image: guacamole/guacamole:latest
-    container_name: guacamole
-    restart: unless-stopped
-    networks:
-      - t2_proxy
-    security_opt:
-      - no-new-privileges:true
-    environment:
-      GUACD_HOSTNAME: guacd
-      MYSQL_HOSTNAME: mariadb
-      MYSQL_PORT: 3306
-      MYSQL_DATABASE_FILE: /run/secrets/guac_db_name
-      MYSQL_USER_FILE: /run/secrets/guac_mysql_user
-      MYSQL_PASSWORD_FILE: /run/secrets/guac_mysql_password
-    secrets:
-      - guac_db_name
-      - guac_mysql_user
-      - guac_mysql_password
-    labels:
-      - "traefik.enable=true"
-      ## HTTP Routers
-      - "traefik.http.routers.guacamole-rtr.entrypoints=https"
-      - "traefik.http.routers.guacamole-rtr.rule=HostHeader(`guac.$DOMAINNAME`)"
-      ## Middlewares
-      - "traefik.http.routers.guacamole-rtr.middlewares=chain-authelia@file,add-guacamole"
-      - "traefik.http.middlewares.add-guacamole.addPrefix.prefix=/guacamole"
-      ## HTTP Services
-      - "traefik.http.routers.guacamole-rtr.service=guacamole-svc"
-      - "traefik.http.services.guacamole-svc.loadbalancer.server.port=8080"
-
 ########################### HOME
   # UniFi Controller - Managing UniFi Network
diff --git a/docker-compose-t2.yml b/docker-compose-t2.yml
index 418f3e3..0c42953 100755
--- a/docker-compose-t2.yml
+++ b/docker-compose-t2.yml
@@ -67,7 +67,7 @@ services:
   # touch $DOCKERDIR/traefik2/traefik.log
   traefik:
     container_name: traefik
-    image: traefik:chevrotin # the chevrotin tag refers to v2.2.x
+    image: traefik:2.2.7 # chevrotin # the chevrotin tag refers to v2.2.x
     restart: unless-stopped
     command: # CLI arguments
       - --global.checkNewVersion=true
@@ -426,6 +426,7 @@ services:
     volumes:
       - $USERDIR/docker/homeassistant:/config
       - /etc/localtime:/etc/localtime:ro
+      #- /media/ssd/motioneye:/media/motioneye
     environment:
       - PUID=$PUID
       - PGID=$PGID
@@ -777,7 +778,7 @@ services:
   # NZBHydra2 - NZB meta search
   hydra:
-    image: linuxserver/hydra2:latest
+    image: linuxserver/nzbhydra2:latest
     container_name: hydra
     restart: unless-stopped
     networks: