General deployment #1

Merged
carsten merged 18 commits from deploy into main 2023-09-13 22:33:47 +02:00
27 changed files with 512 additions and 278 deletions


@ -1,20 +1,25 @@
BASE_DOMAIN= BASE_DOMAIN=
SECOND_MAIL_DOMAIN=
BASE_DIR=/srv BASE_DIR=/srv
CERTS_DIR=/srv/proxy/data/caddy/certificates/acme-v02.api.letsencrypt.org CERTS_DIR=/srv/proxy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory
RESTART="no" RESTART="no"
TIMEZONE=Europe/Berlin TIMEZONE=Europe/Berlin
POSTGRES_VERSION=15 POSTGRES_VERSION=15
CADDY_TLS_EMAIL= CADDY_TLS_EMAIL=
CADDY_CA_URL=https://acme-v02.api.letsencrypt.org/directory
# CADDY_CA_URL=https://acme-staging-v02.api.letsencrypt.org/directory # CADDY_CA_URL=https://acme-staging-v02.api.letsencrypt.org/directory
CADDY_BYPASS_IP=" " CADDY_BYPASS_IP=" "
CADDY_DEV_PASS=
PUBLIC_HTML_USER=
AUTHENTIK_PG_PWD= AUTHENTIK_PG_PWD=
AUTHENTIK_SECRET_KEY= AUTHENTIK_SECRET_KEY=
AUTHENTIK_MAIL_FROM= AUTHENTIK_MAIL_FROM=
NEXTCLOUD_PG_PWD=
FORGEJO_SETUP_LOCK=true FORGEJO_SETUP_LOCK=true
FORGEJO_PG_PWD= FORGEJO_PG_PWD=
FORGEJO_LFS_JWT_SECTRET= FORGEJO_LFS_JWT_SECTRET=
@ -24,20 +29,22 @@ FORGEJO_JWT_SECRET=
FORGEJO_MAIL_FROM= FORGEJO_MAIL_FROM=
FORGEJO_SSH_PORT= FORGEJO_SSH_PORT=
MATRIX_PG_PWD=
MATRIX_MAIL_FROM=
# MATRIX_REGISTRATION_SECRET=
# MATRIX_MAROON_SECRET=
# MATRIX_FORM_SECRET=
HEDGEDOC_PG_PWD=
HEDGEDOC_SESSION_SECRET=
HEDGEDOC_OAUTH_CLIENT=
HEDGEDOC_OAUTH_SECRET=
WOODPECKER_AGENT_SECRET= WOODPECKER_AGENT_SECRET=
WOODPECKER_GITEA_CLIENT= WOODPECKER_GITEA_CLIENT=
WOODPECKER_GITEA_SECRET= WOODPECKER_GITEA_SECRET=
# ROUNDCUBE_PG_PWD= VAULTWARDEN_ADMIN_TOKEN=
VAULTWARDEN_PG_PWD=
# VAULTWARDEN_ADMIN_TOKEN=
# NEXTCLOUD_PG_PWD=
# MATRIX_PG_PWD=
# MATRIX_REGISTRATION_SECRET=
# MATRIX_MAROON_SECRET=
# MATRIX_FORM_SECRET=
# MATRIX_MAIL_FROM=
# MINECRAFT_AMP_LICENSE= # MINECRAFT_AMP_LICENSE=
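Review bot: The new secret variables (`NEXTCLOUD_PG_PWD`, `MATRIX_PG_PWD`, `HEDGEDOC_PG_PWD`, `HEDGEDOC_SESSION_SECRET`, `VAULTWARDEN_ADMIN_TOKEN`) are added with empty values, while the compose files in this commit fall back to fixed credentials when a variable is empty rather than failing: `${MATRIX_PG_PWD:-matrix}` in the matrix file, `${AUTHENTIK_PG_PWD:-password}` in the authentik file, `${FORGEJO_PG_PWD:-forgejo}` in the forgejo file. Compose's `:-` substitution treats an empty value as unset, so an untouched template line silently deploys a database with the default password. Using the required form for secrets, e.g. `- POSTGRES_PASSWORD=${MATRIX_PG_PWD:?MATRIX_PG_PWD is not set}`, makes `docker compose up` abort instead. Separately, `FORGEJO_LFS_JWT_SECTRET` is misspelled on both sides; if it is renamed, the `${FORGEJO_LFS_JWT_SECTRET}` reference in app.ini has to change with it.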


@ -2,18 +2,26 @@ version: '3.7'
# https://github.com/goauthentik/authentik/pkgs/container/server # https://github.com/goauthentik/authentik/pkgs/container/server
# https://goauthentik.io/docs/installation/docker-compose # https://goauthentik.io/docs/installation/docker-compose
# https://goauthentik.io/docs/troubleshooting/login
# initial setup: https://<your server>/if/flow/initial-setup/ # initial setup: https://<your server>/if/flow/initial-setup/
# icon /static/dist/assets/icons/icon.svg # icon /static/dist/assets/icons/icon.svg
# example flows, e.g. password recovery:
# https://goauthentik.io/docs/flow/examples/flows
# In default-authentication-flow:
# - Edit Flow > Behavior Settings > check "Compatibility mode"
# - Stage Bindings > Identification > Edit Stage
# - Set password stage
# - uncheck "Case insenstive matching" and "Show matched user"
networks: networks:
auth:
name: auth
authentik: authentik:
services: services:
authentik: authentik:
image: ghcr.io/goauthentik/server image: ghcr.io/goauthentik/server:2023.8
container_name: authentik container_name: authentik
restart: "${RESTART:-no}" restart: "${RESTART:-no}"
hostname: auth hostname: auth
@ -22,7 +30,6 @@ services:
environment: environment:
- AUTHENTIK_LISTEN__HTTP=0.0.0.0:80 - AUTHENTIK_LISTEN__HTTP=0.0.0.0:80
- AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY} - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
- AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME=false
- AUTHENTIK_REDIS__HOST=redis-authentik - AUTHENTIK_REDIS__HOST=redis-authentik
@ -36,32 +43,41 @@ services:
- AUTHENTIK_EMAIL__USE_TLS=false - AUTHENTIK_EMAIL__USE_TLS=false
- AUTHENTIK_EMAIL__USE_SSL=false - AUTHENTIK_EMAIL__USE_SSL=false
- AUTHENTIK_EMAIL__FROM=${AUTHENTIK_MAIL_FROM}@${BASE_DOMAIN} - AUTHENTIK_EMAIL__FROM=${AUTHENTIK_MAIL_FROM}@${BASE_DOMAIN}
- AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME=false
depends_on:
- pg-authentik
- redis-authentik
networks:
- proxy
- mail
- authentik
authentik-worker:
image: ghcr.io/goauthentik/server:2023.8
container_name: authentik-worker
restart: "${RESTART:-no}"
command: worker
environment:
- AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
- AUTHENTIK_REDIS__HOST=redis-authentik
- AUTHENTIK_POSTGRESQL__HOST=pg-authentik
- AUTHENTIK_POSTGRESQL__USER=authentik
- AUTHENTIK_POSTGRESQL__NAME=authentik
- AUTHENTIK_POSTGRESQL__PASSWORD=${AUTHENTIK_PG_PWD:-password}
- AUTHENTIK_EMAIL__HOST=mail
- AUTHENTIK_EMAIL__PORT=25
- AUTHENTIK_EMAIL__USE_TLS=false
- AUTHENTIK_EMAIL__USE_SSL=false
- AUTHENTIK_EMAIL__FROM=${AUTHENTIK_MAIL_FROM}@${BASE_DOMAIN}
depends_on: depends_on:
- pg-authentik - pg-authentik
- redis-authentik - redis-authentik
networks: networks:
- proxy - authentik
- mail - mail
- auth
- authentik
authentik-worker:
image: ghcr.io/goauthentik/server
container_name: authentik-worker
restart: "${RESTART:-no}"
command: worker
environment:
- AUTHENTIK_REDIS__HOST=redis-authentik
- AUTHENTIK_POSTGRESQL__HOST=pg-authentik
- AUTHENTIK_POSTGRESQL__USER=authentik
- AUTHENTIK_POSTGRESQL__NAME=authentik
- AUTHENTIK_POSTGRESQL__PASSWORD=${AUTHENTIK_PG_PWD:-password}
- AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
depends_on:
- pg-authentik
- redis-authentik
networks:
- authentik
pg-authentik: pg-authentik:
image: postgres:${POSTGRES_VERSION}-alpine image: postgres:${POSTGRES_VERSION}-alpine
@ -77,7 +93,7 @@ services:
- authentik - authentik
redis-authentik: redis-authentik:
image: redis:alpine image: redis:7-alpine
container_name: redis-authentik container_name: redis-authentik
restart: "${RESTART:-no}" restart: "${RESTART:-no}"
command: --save 60 1 --loglevel warning command: --save 60 1 --loglevel warning
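Review bot: The environment block is now duplicated between `authentik` and `authentik-worker`, and the two copies have already diverged: the server carries `AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME=false` while the worker's list does not. Both talk to the same database and Redis, so differing settings are a drift risk rather than a feature; an extension field such as `x-authentik-env: &authentik-env` with `environment` in mapping form (so the server can still add its `AUTHENTIK_LISTEN__HTTP` key) would keep a single copy. Both copies also inherit `${AUTHENTIK_PG_PWD:-password}`, which yields the literal password `password` whenever the variable is left empty in the environment template; `${AUTHENTIK_PG_PWD:?AUTHENTIK_PG_PWD is not set}` turns that into a startup error.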


@ -1,10 +1,11 @@
APP_NAME = Forgejo: Beyond coding. We forge. APP_NAME = Forgejo: Beyond coding. We forge.
RUN_MODE = prod RUN_MODE = prod
RUN_USER = git RUN_USER = git
WORK_PATH = /data/gitea
[repository] [repository]
ROOT = /data/git/repositories ROOT = /data/git/repositories
DEFAULT_PRIVATE = private DEFAULT_PRIVATE = true
[repository.local] [repository.local]
LOCAL_COPY_PATH = /data/gitea/tmp/local-repo LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
@ -13,83 +14,85 @@ LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
TEMP_PATH = /data/gitea/uploads TEMP_PATH = /data/gitea/uploads
[server] [server]
APP_DATA_PATH = /data/gitea APP_DATA_PATH = /data/gitea
DOMAIN = git.${BASE_DOMAIN} DOMAIN = git.${BASE_DOMAIN}
SSH_DOMAIN = git.${BASE_DOMAIN} SSH_DOMAIN = git.${BASE_DOMAIN}
HTTP_PORT = 3000 HTTP_PORT = 3000
ROOT_URL = https://git.${BASE_DOMAIN}/ ROOT_URL = https://git.${BASE_DOMAIN}/
DISABLE_SSH = false DISABLE_SSH = false
SSH_PORT = ${FORGEJO_SSH_PORT} SSH_PORT = ${FORGEJO_SSH_PORT}
SSH_LISTEN_PORT = 22 SSH_LISTEN_PORT = 22
LFS_START_SERVER = true LFS_START_SERVER = true
DOMAIN = git.${BASE_DOMAIN} LFS_JWT_SECRET = ${FORGEJO_LFS_JWT_SECTRET}
LFS_JWT_SECRET = ${FORGEJO_LFS_JWT_SECTRET} OFFLINE_MODE = false
OFFLINE_MODE = false
[database] [database]
DB_TYPE = postgres DB_TYPE = postgres
HOST = pg-forgejo:5432 HOST = pg-forgejo
NAME = forgejo NAME = forgejo
USER = forgejo USER = forgejo
PASSWD = ${FORGEJO_PG_PWD} PASSWD = ${FORGEJO_PG_PWD}
LOG_SQL = false
SCHEMA =
SSL_MODE = disable SSL_MODE = disable
CHARSET = utf8
[indexer] [indexer]
ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
[session] [session]
PROVIDER_CONFIG = /data/gitea/sessions PROVIDER_CONFIG = /data/gitea/sessions
PROVIDER = file PROVIDER = file
[picture] [picture]
AVATAR_UPLOAD_PATH = /data/gitea/avatars AVATAR_UPLOAD_PATH = /data/gitea/avatars
REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
[attachment] [attachment]
PATH = /data/gitea/attachments PATH = /data/gitea/attachments
[log] [log]
MODE = console logger.router.MODE = console
LEVEL = info LEVEL = info
ROUTER = console
ROOT_PATH = /data/gitea/log ROOT_PATH = /data/gitea/log
[security] [security]
INSTALL_LOCK = ${FORGEJO_SETUP_LOCK} INSTALL_LOCK = ${FORGEJO_SETUP_LOCK}
SECRET_KEY = ${FORGEJO_SECRET_KEY} SECRET_KEY = ${FORGEJO_SECRET_KEY}
REVERSE_PROXY_LIMIT = 1 REVERSE_PROXY_LIMIT = 1
REVERSE_PROXY_TRUSTED_PROXIES = * REVERSE_PROXY_TRUSTED_PROXIES = *
INTERNAL_TOKEN = ${FORGEJO_INTERNAL_TOKEN} INTERNAL_TOKEN = ${FORGEJO_INTERNAL_TOKEN}
PASSWORD_HASH_ALGO = pbkdf2 PASSWORD_HASH_ALGO = pbkdf2_hi
[service] [service]
DISABLE_REGISTRATION = false DISABLE_REGISTRATION = false
REQUIRE_SIGNIN_VIEW = false REQUIRE_SIGNIN_VIEW = false
REGISTER_EMAIL_CONFIRM = false REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false ENABLE_NOTIFY_MAIL = false
ALLOW_ONLY_EXTERNAL_REGISTRATION = true ALLOW_ONLY_EXTERNAL_REGISTRATION = true
ENABLE_CAPTCHA = false ENABLE_CAPTCHA = false
DEFAULT_KEEP_EMAIL_PRIVATE = false DEFAULT_KEEP_EMAIL_PRIVATE = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = true DEFAULT_ALLOW_CREATE_ORGANIZATION = true
DEFAULT_ENABLE_TIMETRACKING = true DEFAULT_ENABLE_TIMETRACKING = true
NO_REPLY_ADDRESS = noreply.localhost NO_REPLY_ADDRESS = noreply.localhost
[oauth2] [service.explore]
JWT_SECRET = ${FORGEJO_JWT_SECRET} DISABLE_USERS_PAGE = true
[lfs] [lfs]
PATH = /data/git/lfs PATH = /data/git/lfs
[mailer] [mailer]
ENABLED = true ENABLED = true
SMTP_ADDR = mail SMTP_ADDR = mail
SMTP_PORT = 25 SMTP_PORT = 25
FROM = ${FORGEJO_MAIL_FROM}@${BASE_DOMAIN} FROM = ${FORGEJO_MAIL_FROM}@${BASE_DOMAIN}
[openid] [openid]
ENABLE_OPENID_SIGNIN = false ENABLE_OPENID_SIGNIN = false
ENABLE_OPENID_SIGNUP = true ENABLE_OPENID_SIGNUP = false
[cron.update_checker]
ENABLED = false
[repository.pull-request] [repository.pull-request]
DEFAULT_MERGE_STYLE = squash DEFAULT_MERGE_STYLE = squash
@ -97,8 +100,8 @@ DEFAULT_MERGE_STYLE = squash
[repository.signing] [repository.signing]
DEFAULT_TRUST_MODEL = committer DEFAULT_TRUST_MODEL = committer
[cron] [oauth2]
ENABLED = true JWT_SECRET = ${FORGEJO_JWT_SECRET}
[webhook] [webhook]
ALLOWED_HOST_LIST = *.${BASE_DOMAIN} ALLOWED_HOST_LIST = *.${BASE_DOMAIN}
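Review bot: The reworked `[security]` section keeps `REVERSE_PROXY_TRUSTED_PROXIES = *` next to `REVERSE_PROXY_LIMIT = 1`, so the client address is taken from `X-Forwarded-For` no matter who sent the request. That holds only while port 3000 is reachable solely from the `proxy` container; the compose file publishes just the SSH port today, but any future `ports:` entry would let callers spoof their address in logs and rate limiting. Naming the proxy network's range instead of `*`, e.g. `REVERSE_PROXY_TRUSTED_PROXIES = 172.16.0.0/12` (constructed example; use the actual `proxy` network subnet), removes that dependency. A comment on `DISABLE_REGISTRATION = false` explaining that `ALLOW_ONLY_EXTERNAL_REGISTRATION = true` and the new `ENABLE_OPENID_SIGNUP = false` are what close local sign-up would also help, since the three lines only make sense together.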


@ -14,7 +14,7 @@ networks:
services: services:
forgejo: forgejo:
image: codeberg.org/forgejo/forgejo:1.18 image: codeberg.org/forgejo/forgejo:1.20
container_name: forgejo container_name: forgejo
restart: "${RESTART:-no}" restart: "${RESTART:-no}"
hostname: git hostname: git
@ -23,11 +23,11 @@ services:
- USER_UID=1000 - USER_UID=1000
- USER_GID=1000 - USER_GID=1000
- GITEA__database__DB_TYPE=postgres - FORGEJO__database__DB_TYPE=postgres
- GITEA__database__HOST=pg-forgejo - FORGEJO__database__HOST=pg-forgejo
- GITEA__database__NAME=forgejo - FORGEJO__database__NAME=forgejo
- GITEA__database__USER=forgejo - FORGEJO__database__USER=forgejo
- GITEA__database__PASSWD=${FORGEJO_PG_PWD:-forgejo} - FORGEJO__database__PASSWD=${FORGEJO_PG_PWD:-forgejo}
ports: ports:
- '${FORGEJO_SSH_PORT}:22' - '${FORGEJO_SSH_PORT}:22'
volumes: volumes:
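Review bot: The database connection is now configured twice: here through the renamed `FORGEJO__database__*` variables with a `${FORGEJO_PG_PWD:-forgejo}` fallback, and again in the mounted app.ini `[database]` section, where `PASSWD = ${FORGEJO_PG_PWD}` has no fallback. As far as I can tell the image's entrypoint writes the environment values into app.ini at start, so the two sources can drift silently; keep one of them and delete the other. If the environment route stays, the `FORGEJO__` prefix has to be honoured by the pinned `forgejo:1.20` image — worth confirming, since the previous lines used the `GITEA__` prefix 1.18 documented. The `:-forgejo` default is a fixed weak password; `${FORGEJO_PG_PWD:?FORGEJO_PG_PWD is not set}` fails fast instead.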


@ -1,7 +1,9 @@
version: '3.7' version: '3.7'
# https://quay.io/repository/hedgedoc/hedgedoc # https://quay.io/repository/hedgedoc/hedgedoc
# https://docs.hedgedoc.org/setup/docker/
# https://docs.hedgedoc.org/configuration/ # https://docs.hedgedoc.org/configuration/
# https://goauthentik.io/integrations/services/hedgedoc/
networks: networks:
hedgedoc: hedgedoc:
@ -26,7 +28,7 @@ services:
- CMD_DOMAIN=md.${BASE_DOMAIN} - CMD_DOMAIN=md.${BASE_DOMAIN}
- CMD_PROTOCOL_USESSL=true - CMD_PROTOCOL_USESSL=true
- CMD_URL_ADDPORT=false - CMD_URL_ADDPORT=false
- CMD_ALLOW_ORIGIN=localhost,${BASE_DOMAIN},md.${BASE_DOMAIN} - CMD_ALLOW_ORIGIN=md.${BASE_DOMAIN}
- CMD_CSP_ALLOW_FRAMING=false - CMD_CSP_ALLOW_FRAMING=false
- CMD_ALLOW_ANONYMOUS=false - CMD_ALLOW_ANONYMOUS=false
@ -36,12 +38,23 @@ services:
- CMD_DEFAULT_PERMISSION=limited - CMD_DEFAULT_PERMISSION=limited
- CMD_SESSION_SECRET=${HEDGEDOC_SESSION_SECRET} - CMD_SESSION_SECRET=${HEDGEDOC_SESSION_SECRET}
- CMD_EMAIL=true - CMD_EMAIL=false
- CMD_ALLOW_EMAIL_REGISTER=true - CMD_ALLOW_EMAIL_REGISTER=false
- CMD_OAUTH2_AUTHORIZATION_URL=https://account.${BASE_DOMAIN}/application/o/authorize/
- CMD_OAUTH2_TOKEN_URL=https://account.${BASE_DOMAIN}/application/o/token/
- CMD_OAUTH2_USER_PROFILE_URL=https://account.${BASE_DOMAIN}/application/o/userinfo/
- CMD_OAUTH2_SCOPE=openid email profile
- CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
- CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
- CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
- CMD_OAUTH2_CLIENT_ID=${HEDGEDOC_OAUTH_CLIENT}
- CMD_OAUTH2_CLIENT_SECRET=${HEDGEDOC_OAUTH_SECRET}
- CMD_OAUTH2_PROVIDERNAME=SSO
volumes: volumes:
- ${BASE_DIR:-/srv}/hedgedoc/uploads:/hedgedoc/public/uploads - ${BASE_DIR:-/srv}/hedgedoc/uploads:/hedgedoc/public/uploads
depends_on: depends_on:
- pg-hackmd - pg-hedgedoc
networks: networks:
- proxy - proxy
- mail - mail
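Review bot: The new OAuth2 block admits any account the identity provider knows, since nothing in it restricts which users are accepted; `CMD_ALLOW_ANONYMOUS=false` only blocks unauthenticated access. If the pad service is meant for a subset of users, HedgeDoc can gate login on a group claim via `CMD_OAUTH2_ROLES_CLAIM` and `CMD_OAUTH2_ACCESS_ROLE` — confirm the variable names against the HedgeDoc release in the pinned image before relying on them. With `CMD_EMAIL=false` and `CMD_ALLOW_EMAIL_REGISTER=false` the service still sits on the `mail` network; if it no longer sends mail, that membership can be dropped to shrink the set of containers that may relay through the mail server.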


@ -0,0 +1,98 @@
##
## Mailbox definitions
##
# Each mailbox is specified in a separate mailbox section. The section name
# specifies the mailbox name. If it has spaces, you can put the name
# "in quotes". These sections can contain the following mailbox settings:
#
# auto:
# Indicates whether the mailbox with this name is automatically created
# implicitly when it is first accessed. The user can also be automatically
# subscribed to the mailbox after creation. The following values are
# defined for this setting:
#
# no - Never created automatically.
# create - Automatically created, but no automatic subscription.
# subscribe - Automatically created and subscribed.
#
# special_use:
# A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the
# mailbox. There are no validity checks, so you could specify anything
# you want in here, but it's not a good idea to use flags other than the
# standard ones specified in the RFC:
#
# \All - This (virtual) mailbox presents all messages in the
# user's message store.
# \Archive - This mailbox is used to archive messages.
# \Drafts - This mailbox is used to hold draft messages.
# \Flagged - This (virtual) mailbox presents all messages in the
# user's message store marked with the IMAP \Flagged flag.
# \Important - This (virtual) mailbox presents all messages in the
# user's message store deemed important to user.
# \Junk - This mailbox is where messages deemed to be junk mail
# are held.
# \Sent - This mailbox is used to hold copies of messages that
# have been sent.
# \Trash - This mailbox is used to hold messages that have been
# deleted.
#
# comment:
# Defines a default comment or note associated with the mailbox. This
# value is accessible through the IMAP METADATA mailbox entries
# "/shared/comment" and "/private/comment". Users with sufficient
# privileges can override the default value for entries with a custom
# value.
# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
namespace inbox {
# These mailboxes are widely used and could perhaps be created automatically:
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Junk {
auto = subscribe
special_use = \Junk
autoexpunge = 30d
}
mailbox Trash {
auto = subscribe
special_use = \Trash
autoexpunge = 60d
}
# For \Sent mailboxes there are two widely used names. We'll mark both of
# them as \Sent. User typically deletes one of them if duplicates are created.
mailbox Sent {
auto = subscribe
special_use = \Sent
}
#mailbox "Sent Messages" {
# special_use = \Sent
#}
#mailbox Archive {
# auto = subscribe
# special_use = \Archive
#}
# If you have a virtual "All messages" mailbox:
#mailbox virtual/All {
# special_use = \All
# comment = All my messages
#}
# If you have a virtual "Flagged" mailbox:
#mailbox virtual/Flagged {
# special_use = \Flagged
# comment = All my flagged messages
#}
# If you have a virtual "Important" mailbox:
#mailbox virtual/Important {
# special_use = \Important
# comment = All my important messages
#}
}
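Review bot: `mailbox Archive` is left commented out here, but the new `spamassassin-learn` cron learns ham from `/var/mail/*/*/.Archive*`, so unless users create that folder by hand the ham pass has nothing to read. Either enable the stanza (`mailbox Archive { auto = subscribe special_use = \Archive }`) or change the cron glob so the two files agree. The `autoexpunge = 30d` and `autoexpunge = 60d` lines on Junk and Trash appear to be the only local additions to the upstream example; a comment marking them as such, and noting that Junk older than 30 days is no longer available for Bayes training, would help the next reader.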


@ -4,6 +4,10 @@ version: '3.7'
# https://docker-mailserver.github.io/docker-mailserver/edge/examples/tutorials/basic-installation/ # https://docker-mailserver.github.io/docker-mailserver/edge/examples/tutorials/basic-installation/
# https://github.com/docker-mailserver/docker-mailserver # https://github.com/docker-mailserver/docker-mailserver
# https://github.com/docker-mailserver/docker-mailserver/blob/master/docs/content/config/advanced/mail-sieve.md # https://github.com/docker-mailserver/docker-mailserver/blob/master/docs/content/config/advanced/mail-sieve.md
# https://docker-mailserver.github.io/docker-mailserver/latest/faq/#how-can-i-make-spamassassin-better-recognize-spam
# https://docker-mailserver.github.io/docker-mailserver/latest/examples/use-cases/imap-folders/#mailboxes-aka-imap-folders
# https://doc.dovecot.org/configuration_manual/namespace/#core_setting-namespace/mailbox/autoexpunge
# https://notes.sagredo.eu/en/qmail-notes-185/expunging-expired-junk-and-trash-emails-with-dovecot-124.html
# create account: task srv:mail-setup -- email add <user>@<domain> # create account: task srv:mail-setup -- email add <user>@<domain>
@ -13,11 +17,13 @@ networks:
services: services:
mail: mail:
image: mailserver/docker-mailserver:11 image: mailserver/docker-mailserver:12
container_name: mail container_name: mail
restart: "${RESTART:-no}" restart: "${RESTART:-no}"
hostname: mail hostname: post
domainname: ${BASE_DOMAIN} domainname: ${BASE_DOMAIN}
cap_add:
- NET_ADMIN # For Fail2Ban to work
environment: environment:
- SSL_TYPE=letsencrypt - SSL_TYPE=letsencrypt
# You may want to enable this: https://docker-mailserver.github.io/docker-mailserver/edge/config/environment/#spoof_protection # You may want to enable this: https://docker-mailserver.github.io/docker-mailserver/edge/config/environment/#spoof_protection
@ -27,33 +33,44 @@ services:
# Beware creating an Open Relay: https://docker-mailserver.github.io/docker-mailserver/edge/config/environment/#permit_docker # Beware creating an Open Relay: https://docker-mailserver.github.io/docker-mailserver/edge/config/environment/#permit_docker
- PERMIT_DOCKER=connected-networks - PERMIT_DOCKER=connected-networks
- ONE_DIR=1 - ONE_DIR=1
- ENABLE_AMAVIS=0
- ENABLE_AMAVIS=1
- ENABLE_POSTGREY=0 - ENABLE_POSTGREY=0
- ENABLE_CLAMAV=0 - ENABLE_CLAMAV=0
- ENABLE_SPAMASSASSIN=0 - ENABLE_SPAMASSASSIN=1
- ENABLE_MANAGESIEVE=1 - ENABLE_MANAGESIEVE=1
- ENABLE_FAIL2BAN=0 - ENABLE_FAIL2BAN=1
- TZ=${TIMEZONE} - TZ=${TIMEZONE}
- POSTMASTER_ADDRESS=postmaster@${BASE_DOMAIN} - POSTMASTER_ADDRESS=postmaster@${BASE_DOMAIN}
- SPAMASSASSIN_SPAM_TO_INBOX=1
- MOVE_SPAM_TO_JUNK=1
- SA_TAG=-10000.0 # set headers on all mails
- SA_TAG2=3.75 # above is considered spam
- SA_KILL=10000.0 # don't bounce/quarantine anything
- "SA_SPAM_SUBJECT=[SPAM] "
ports: ports:
- "25:25" - "25:25" # SMTP (explicit TLS => STARTTLS)
- "143:143" - "143:143" # IMAP4 (explicit TLS => STARTTLS)
- "587:587" - "465:465" # ESMTP (implicit TLS)
- "465:465" - "587:587" # ESMTP (explicit TLS => STARTTLS)
- "993:993" - "993:993" # IMAP4 (implicit TLS)
- "4190:4190" # managesieve - "4190:4190" # managesieve
volumes: volumes:
# config # config
- ${BASE_DIR:-/srv}/mail/config:/tmp/docker-mailserver/ - ${BASE_DIR:-/srv}/mail/config:/tmp/docker-mailserver/
- ./mail/fail2ban-jail.cf:/tmp/docker-mailserver/fail2ban-jail.cf:ro
- ./mail/spamassassin-learn:/etc/cron.d/spamassassin-learn:ro
- ./mail/15-mailboxes.conf:/etc/dovecot/conf.d/15-mailboxes.conf:ro
# Mail data # Mail data
- ${BASE_DIR:-/srv}/mail/mail-data:/var/mail/ - ${BASE_DIR:-/srv}/mail/mail-data:/var/mail/
- ${BASE_DIR:-/srv}/mail/mail-state:/var/mail-state/ - ${BASE_DIR:-/srv}/mail/mail-state:/var/mail-state/
- ${BASE_DIR:-/srv}/mail/mail-logs:/var/log/mail/ - ${BASE_DIR:-/srv}/mail/mail-logs:/var/log/mail/
# certificates # certificates
- ${CERTS_DIR}/mail.${BASE_DOMAIN}/mail.${BASE_DOMAIN}.crt:/etc/letsencrypt/live/mail.${BASE_DOMAIN}/fullchain.pem:ro - ${CERTS_DIR}/post.${BASE_DOMAIN}/post.${BASE_DOMAIN}.crt:/etc/letsencrypt/live/post.${BASE_DOMAIN}/fullchain.pem:ro
- ${CERTS_DIR}/mail.${BASE_DOMAIN}/mail.${BASE_DOMAIN}.key:/etc/letsencrypt/live/mail.${BASE_DOMAIN}/privkey.pem:ro - ${CERTS_DIR}/post.${BASE_DOMAIN}/post.${BASE_DOMAIN}.key:/etc/letsencrypt/live/post.${BASE_DOMAIN}/privkey.pem:ro
# - ${CERTS_DIR}/mail.${BASE_DOMAIN}:/etc/letsencrypt/live/
networks: networks:
- mail mail:
# cap_add: aliases:
# - NET_ADMIN # For Fail2Ban to work - post.${BASE_DOMAIN}
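Review bot: The service is renamed to `hostname: post` with a certificate for `post.${BASE_DOMAIN}`, while the clients in the other compose files still connect to `mail` (`AUTHENTIK_EMAIL__HOST=mail`, `SMTP_ADDR = mail`). That only works because they run with TLS off (`AUTHENTIK_EMAIL__USE_TLS=false`); the moment one of them enables STARTTLS the certificate name will not match, so the new `post.${BASE_DOMAIN}` network alias should become the hostname they use. The split `hostname:`/`domainname:` form is also the one docker-mailserver's v12 examples moved away from in favour of a single FQDN `hostname: post.${BASE_DOMAIN}` — worth checking against the v12 changelog before the next bump. A comment on why `SPOOF_PROTECTION` stays off would help too, since this commit puts more containers (the Authentik worker among them) on the `mail` network with `PERMIT_DOCKER=connected-networks`.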


@ -0,0 +1,40 @@
[DEFAULT]
# "bantime" is the number of seconds that a host is banned.
bantime = 1w
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 30m
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
# default ban action
# nftables-multiport: block IP only on affected port
# nftables-allports: block IP on all ports
banaction = nftables-allports
[dovecot]
enabled = true
[postfix]
enabled = true
# For a reference on why this mode was chose, see
# https://github.com/docker-mailserver/docker-mailserver/issues/3256#issuecomment-1511188760
mode = extra
[postfix-sasl]
enabled = true
# This jail is used for manual bans.
# To ban an IP address use: setup.sh fail2ban ban <IP>
[custom]
enabled = true
bantime = 90d
port = smtp,pop3,pop3s,imap,imaps,submission,submissions,sieve
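Review bot: `ignoreip` exempts all of 10/8, 172.16/12 and 192.168/16 from banning, far wider than the Docker bridge range the mail containers actually use. If the host ever sits behind a NAT or VPN whose clients arrive from those ranges, brute-force attempts from them are never banned; consider narrowing to `127.0.0.1/8` plus the compose network's subnet (`docker network inspect` shows it). The `[custom]` jail lists `pop3,pop3s` although the compose file publishes only SMTP, IMAP and sieve ports, which is harmless but worth trimming so the manual-ban jail matches the exposed surface.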


@ -0,0 +1,15 @@
# This assumes you're having `environment: ONE_DIR=1` in the env-mailserver,
# with a consolidated config in `/var/mail-state`
#
# '> /dev/null' to send error notifications from 'stderr' to 'postmaster@example.com'
#
# m h dom mon dow user command
# Everyday 3:00AM, learn spam from all users
# spam: junk directory
0 3 * * * root sa-learn --spam /var/mail/*/*/.Junk --dbpath /var/mail-state/lib-amavis/.spamassassin > /dev/null
# ham: archive directories
15 3 * * * root sa-learn --ham /var/mail/*/*/.Archive* --dbpath /var/mail-state/lib-amavis/.spamassassin > /dev/null
# ham: inbox subdirectories
30 3 * * * root sa-learn --ham /var/mail/*/*/cur* --dbpath /var/mail-state/lib-amavis/.spamassassin > /dev/null
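Review bot: The third job learns every message under `/var/mail/*/*/cur*` as ham, i.e. whatever is sitting in the INBOX at 03:30, including spam that scored below `SA_TAG2` and has not been triaged yet. Over time that feeds the Bayes database false negatives and makes the filter worse; learning ham only from folders a user has deliberately filed into (the `.Archive*` pass above) is the safer pattern, or at least exclude recent mail. The `.Archive*` glob in turn depends on an Archive mailbox that `15-mailboxes.conf` currently leaves commented out, so today only the spam pass has input. A header comment naming the docker-mailserver FAQ these lines follow (linked from the mail compose file) would help future maintenance.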


@ -37,8 +37,9 @@ services:
restart: "${RESTART:-no}" restart: "${RESTART:-no}"
environment: environment:
- POSTGRES_DB=matrix - POSTGRES_DB=matrix
- POSTGRES_USER=${MATRIX_PG_USER:-matrix} - POSTGRES_USER=matrix
- POSTGRES_PASSWORD=${MATRIX_PG_PWD:-matrix} - POSTGRES_PASSWORD=${MATRIX_PG_PWD:-matrix}
- POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
volumes: volumes:
- ${BASE_DIR:-/srv}/matrix/psql:/var/lib/postgresql/data - ${BASE_DIR:-/srv}/matrix/psql:/var/lib/postgresql/data
networks: networks:
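Review bot: `POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C` only takes effect when the postgres image initialises an empty data directory; an existing `${BASE_DIR:-/srv}/matrix/psql` volume keeps the locale it was created with and Synapse's collation check will keep complaining. A comment such as `# applied on first init only; an existing DB needs dump/restore to change locale` prevents a false sense of having fixed it. The `${MATRIX_PG_PWD:-matrix}` fallback still deploys a fixed password whenever the environment template line is left empty.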


@ -3,6 +3,9 @@ version: '3.7'
# https://hub.docker.com/_/nextcloud/ # https://hub.docker.com/_/nextcloud/
# https://github.com/nextcloud/docker # https://github.com/nextcloud/docker
# https://docs.nextcloud.com/server/stable/admin_manual/release_schedule.html # https://docs.nextcloud.com/server/stable/admin_manual/release_schedule.html
# disable cert verification for local smtp connection:
# https://docs.nextcloud.com/server/26/admin_manual/configuration_server/email_configuration.html#tlspeerverification
# https://blog.cubieserver.de/2022/complete-guide-to-nextcloud-oidc-authentication-with-authentik/
# create admin account during setup # create admin account during setup
@ -11,7 +14,7 @@ networks:
services: services:
nextcloud: nextcloud:
image: nextcloud:production image: nextcloud:27
container_name: nextcloud container_name: nextcloud
restart: "${RESTART:-no}" restart: "${RESTART:-no}"
hostname: cloud hostname: cloud
@ -38,6 +41,22 @@ services:
- mail - mail
- nextcloud - nextcloud
nextcloud-cron:
image: nextcloud:27
container_name: nextcloud-cron
restart: "${RESTART:-no}"
entrypoint: /cron.sh
volumes:
- ${BASE_DIR:-/srv}/nextcloud/html:/var/www/html # Main folder, needed for updating
- ${BASE_DIR:-/srv}/nextcloud/apps:/var/www/html/custom_apps # installed / modified apps
- ${BASE_DIR:-/srv}/nextcloud/config:/var/www/html/config # local configuration
- ${BASE_DIR:-/srv}/nextcloud/data:/var/www/html/data # the actual data of your Nextcloud
- ${BASE_DIR:-/srv}/nextcloud/themes:/var/www/html/themes # theming/branding
depends_on:
- pg-nextcloud
networks:
- nextcloud
pg-nextcloud: pg-nextcloud:
image: postgres:${POSTGRES_VERSION}-alpine image: postgres:${POSTGRES_VERSION}-alpine
container_name: pg-nextcloud container_name: pg-nextcloud
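Review bot: The new `nextcloud-cron` service joins only the `nextcloud` network, whereas the web container also has `mail`. Background jobs run by `/cron.sh` include notification and activity-digest mailers, so assuming Nextcloud's SMTP host is the `mail` container (config.php is not in the diff) those jobs will fail to resolve it — add `- mail` to the cron service's networks. The image tag and the five volume lines are now repeated verbatim between the two services; an anchor on the web container's list (`volumes: &nextcloud-volumes`) and `volumes: *nextcloud-volumes` here would keep them in step when the next upgrade bumps `nextcloud:27`.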


@ -1,15 +1,13 @@
(logging) { (logging) {
log { log {
output stdout output stdout
format transform "{common_log}"
} }
} }
{ {
local_certs # local_certs
# email {$TLS_EMAIL} email {$TLS_EMAIL}
# acme_ca {$CA_URL} acme_ca {$CA_URL}
import logging
} }
(errorpages) { (errorpages) {
@ -32,61 +30,52 @@
} }
} }
https://{$BASE_DOMAIN} { {$BASE_DOMAIN} {
import errorpages
import logging import logging
reverse_proxy /_matrix* matrix:8008 import errorpages
@matrix {
path /_matrix/* /_synapse/*
}
reverse_proxy @matrix matrix:8008
root * /srv/homepage root * /srv/homepage
file_server file_server
} }
# https://{$BASE_DOMAIN}:8448 { {$BASE_DOMAIN}:8448 {
# import errorpages import logging
# import logging import errorpages
# reverse_proxy matrix:8008 reverse_proxy matrix:8008
# } }
# needs to be http! # needs to be http!
http://autoconfig.{$BASE_DOMAIN} { autoconfig.{$BASE_DOMAIN}, autoconfig.{$SECOND_MAIL_DOMAIN} {
file_server { file_server {
root /srv/autoconfig root /srv/autoconfig
} }
} }
https://echo.{$BASE_DOMAIN} { status.{$BASE_DOMAIN} {
import errorpages
import logging
redir https://stats.uptimerobot.com/PMoGJHK8W9 permanent
}
post.{$BASE_DOMAIN} {
import errorpages import errorpages
import logging import logging
reverse_proxy echo:8000 reverse_proxy echo:8000
} }
https://auth.{$BASE_DOMAIN} { account.{$BASE_DOMAIN} {
import errorpages
import logging import logging
import errorpages
reverse_proxy authentik:80 reverse_proxy authentik:80
} }
https://mail.{$BASE_DOMAIN} { cloud.{$BASE_DOMAIN} {
import errorpages
import logging import logging
reverse_proxy roundcube:80
}
https://git.{$BASE_DOMAIN} {
import errorpages import errorpages
import logging
reverse_proxy forgejo:3000
}
https://ci.{$BASE_DOMAIN} {
import errorpages
import logging
reverse_proxy woodpecker:8000
}
https://cloud.{$BASE_DOMAIN} {
import errorpages
import logging
redir /.well-known/carddav /remote.php/dav redir /.well-known/carddav /remote.php/dav
redir /.well-known/caldav /remote.php/dav redir /.well-known/caldav /remote.php/dav
redir /.well-known/webfinger /index.php/.well-known/webfinger redir /.well-known/webfinger /index.php/.well-known/webfinger
@ -94,51 +83,72 @@ https://cloud.{$BASE_DOMAIN} {
reverse_proxy nextcloud:80 reverse_proxy nextcloud:80
} }
https://passwords.{$BASE_DOMAIN} { git.{$BASE_DOMAIN} {
import errorpages
import logging import logging
reverse_proxy /notifications/hub/negotiate* vaultwarden:80 import errorpages
reverse_proxy /notifications/hub* vaultwarden:3012 reverse_proxy forgejo:3000
reverse_proxy vaultwarden:80
} }
https://md.{$BASE_DOMAIN} { home.{$BASE_DOMAIN} {
import errorpages
import logging import logging
import errorpages
reverse_proxy https://doge6m1146mivr5g789a5tbjo0re3lrv.ui.nabu.casa
}
stuff.{$BASE_DOMAIN} {
import logging
import errorpages
root * /srv/public_html
file_server browse
}
md.{$BASE_DOMAIN} {
import logging
import errorpages
reverse_proxy hedgedoc:3000 reverse_proxy hedgedoc:3000
} }
# https://ci-demo.{$BASE_DOMAIN} { ci.{$BASE_DOMAIN} {
import logging
import errorpages
reverse_proxy woodpecker:8000
}
# echo.{$BASE_DOMAIN} {
# import logging
# import errorpages
# reverse_proxy echo:8000
# }
passwords.{$BASE_DOMAIN} {
import logging
import errorpages
reverse_proxy vaultwarden:80 {
header_up X-Real-IP {remote_host}
}
}
# ci-demo.{$BASE_DOMAIN} {
# import logging
# import errorpages # import errorpages
# import logging
# reverse_proxy docker-ci-demo:8000 # reverse_proxy docker-ci-demo:8000
# } # }
# https://stuff.{$BASE_DOMAIN} { # hackmd-next.{$BASE_DOMAIN} {
# import logging
# import errorpages # import errorpages
# import logging
# root * /srv/stuff
# file_server browse
# basicauth /dev {
# dev {$DEV_PASS}
# }
# }
# https://hackmd-next.{$BASE_DOMAIN} {
# import errorpages
# import logging
# reverse_proxy codimd:3000 # reverse_proxy codimd:3000
# } # }
# https://amp.{$BASE_DOMAIN} { # amp.{$BASE_DOMAIN} {
# import logging
# import errorpages # import errorpages
# import logging
# reverse_proxy minecraft:8080 # reverse_proxy minecraft:8080
# } # }
# https://map.amp.{$BASE_DOMAIN} { # map.amp.{$BASE_DOMAIN} {
# import logging
# import errorpages # import errorpages
# import logging
# root * /srv/bluemap # root * /srv/bluemap
# file_server # file_server
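Review bot: The new `@matrix` matcher proxies `/_synapse/*` to Synapse, which puts the `/_synapse/admin` API on the public site; Synapse's reverse-proxy guidance is to forward only `/_synapse/client/*` externally. Change the matcher to `path /_matrix/* /_synapse/client/*` and reach the admin API from inside the network. The autoconfig site kept the `# needs to be http!` comment but lost its `http://` scheme, so Caddy now serves it over HTTPS and redirects plain HTTP; either restore `http://autoconfig.{$BASE_DOMAIN}` or update the comment to say the redirect is intended. `post.{$BASE_DOMAIN}` now proxies to `echo:8000`; if that site exists only so Caddy issues the mail certificate, `respond 404` would avoid exposing whatever `echo` serves on the mail hostname.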


@ -1,7 +0,0 @@
ARG CADDY_VERSION=2
# https://github.com/caddyserver/transform-encoder
FROM caddy:${CADDY_VERSION}-alpine
RUN caddy add-package github.com/caddyserver/transform-encoder


@ -1,18 +1,20 @@
<clientConfig version="1.1"> <clientConfig version="1.1">
<emailProvider id="${BASE_DOMAIN}"> <emailProvider id="${BASE_DOMAIN}">
<domain>${BASE_DOMAIN}</domain> <domain>${BASE_DOMAIN}</domain>
<domain>${SECOND_MAIL_DOMAIN}</domain>
<displayName>${BASE_DOMAIN} Mail</displayName> <displayName>${BASE_DOMAIN} Mail</displayName>
<incomingServer type="imap"> <incomingServer type="imap">
<hostname>mail.${BASE_DOMAIN}</hostname> <hostname>post.${BASE_DOMAIN}</hostname>
<port>993</port> <port>993</port>
<socketType>SSL</socketType> <socketType>SSL</socketType>
<authentication>password-cleartext</authentication> <authentication>password-cleartext</authentication>
<username>%EMAILADDRESS%</username> <username>%EMAILADDRESS%</username>
</incomingServer> </incomingServer>
<outgoingServer type="smtp"> <outgoingServer type="smtp">
<hostname>mail.${BASE_DOMAIN}</hostname> <hostname>post.${BASE_DOMAIN}</hostname>
<port>587</port> <port>465</port>
<socketType>STARTTLS</socketType> <socketType>SSL</socketType>
<authentication>password-cleartext</authentication> <authentication>password-cleartext</authentication>
<username>%EMAILADDRESS%</username> <username>%EMAILADDRESS%</username>
</outgoingServer> </outgoingServer>
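Review bot: The added `<domain>${SECOND_MAIL_DOMAIN}</domain>` renders as an empty `<domain></domain>` whenever the variable is left blank, which is how the environment template ships it; the substitution step (not in this diff) should skip the element in that case, or the template should state that the variable is mandatory. `<displayName>${BASE_DOMAIN} Mail</displayName>` likewise names only the first domain, which is confusing for users of the second. The switch to `post.${BASE_DOMAIN}` also needs the `post.` DNS record and the certificate mounted in the mail compose file to exist before this ships, since clients that already auto-configured against `mail.` are not updated retroactively.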


@ -9,19 +9,15 @@ networks:
services: services:
proxy: proxy:
# image: caddy:2-alpine image: caddy:2-alpine
build:
context: ./proxy
args:
CADDY_VERSION: 2
container_name: proxy container_name: proxy
restart: "${RESTART:-no}" restart: "${RESTART:-no}"
hostname: ${BASE_DOMAIN} hostname: ${BASE_DOMAIN}
environment: environment:
- BASE_DOMAIN=${BASE_DOMAIN} - BASE_DOMAIN=${BASE_DOMAIN}
- SECOND_MAIL_DOMAIN=${SECOND_MAIL_DOMAIN}
- TLS_EMAIL=${CADDY_TLS_EMAIL:-self_signed} - TLS_EMAIL=${CADDY_TLS_EMAIL:-self_signed}
- CA_URL=${CADDY_CA_URL} - CA_URL=${CADDY_CA_URL}
- DEV_PASS=${CADDY_DEV_PASS}
ports: ports:
- '80:80' - '80:80'
- '443:443' - '443:443'
@ -36,6 +32,7 @@ services:
- ./proxy/errorpages/dist:/srv/errorpages:ro - ./proxy/errorpages/dist:/srv/errorpages:ro
- ${BASE_DIR:-/srv}/proxy/srv/homepage:/srv/homepage:ro - ${BASE_DIR:-/srv}/proxy/srv/homepage:/srv/homepage:ro
- ${BASE_DIR:-/srv}/minecraft/ampdata/instances/Main/Minecraft/bluemap/web/:/srv/bluemap:ro - ${BASE_DIR:-/srv}/minecraft/ampdata/instances/Main/Minecraft/bluemap/web/:/srv/bluemap:ro
- ${BASE_DIR:-/srv}/nextcloud/data/${PUBLIC_HTML_USER:-admin}/files/public_html:/srv/public_html:ro
networks: networks:
- proxy - proxy
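Review bot: The new bind mount publishes `${BASE_DIR:-/srv}/nextcloud/data/${PUBLIC_HTML_USER:-admin}/files/public_html` straight out of the Nextcloud data directory, and the Caddyfile serves it with `file_server browse` on `stuff.{$BASE_DOMAIN}`. That bypasses Nextcloud's own sharing and ACL layer: anything placed in that folder is world-readable with a directory listing, and an empty `PUBLIC_HTML_USER` silently falls back to the `admin` user's files. A comment stating this, and the required form `${PUBLIC_HTML_USER:?PUBLIC_HTML_USER is not set}` instead of a default of `admin`, would make the exposure explicit and deliberate.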


@ -1,3 +0,0 @@
<?php
$config['managesieve_host'] = 'tls://mail.' . $_ENV['BASE_DOMAIN'];


@ -1,56 +0,0 @@
version: "3.7"
# https://hub.docker.com/r/roundcube/roundcubemail
# https://github.com/roundcube/roundcubemail-docker
# https://github.com/roundcube/roundcubemail/wiki/Configuration
# https://github.com/roundcube/roundcubemail/blob/master/plugins/managesieve/config.inc.php.dist
# install carddav plugin for use with nextcloud adressbook
# docker exec -it roundcube composer require roundcube/carddav --update-no-dev
# https://repo.packagist.org/packages/roundcube/carddav
networks:
roundcube:
services:
roundcube:
image: roundcube/roundcubemail:1.6.x-apache
container_name: roundcube
restart: "${RESTART:-no}"
hostname: roundcube
domainname: ${BASE_DOMAIN}
environment:
- BASE_DOMAIN=${BASE_DOMAIN}
- ROUNDCUBEMAIL_DB_TYPE=pgsql
- ROUNDCUBEMAIL_DB_HOST=pg-roundcube
- ROUNDCUBEMAIL_DB_NAME=roundcube
- ROUNDCUBEMAIL_DB_USER=roundcube
- ROUNDCUBEMAIL_DB_PASSWORD=${ROUNDCUBE_PG_PWD:-password}
- ROUNDCUBEMAIL_DEFAULT_HOST=tls://mail.${BASE_DOMAIN}
- ROUNDCUBEMAIL_SMTP_SERVER=tls://mail.${BASE_DOMAIN}
- ROUNDCUBEMAIL_PLUGINS=archive,zipdownload,managesieve,carddav,identity_select
- ROUNDCUBEMAIL_SKIN=elastic
volumes:
- ./roundcube/config:/var/roundcube/config
- ${BASE_DIR:-/srv}/roundcube/www:/var/www/html
# Skip tls cert verification. DO NOT USE IN PROD!
- ./roundcube/skip-ssl.php:/var/roundcube/config/skip-ssl.php
depends_on:
- pg-roundcube
networks:
- proxy
- mail
- roundcube
pg-roundcube:
image: postgres:${POSTGRES_VERSION}-alpine
container_name: pg-roundcube
restart: "${RESTART:-no}"
environment:
- POSTGRES_DB=roundcube
- POSTGRES_USER=roundcube
- POSTGRES_PASSWORD=${ROUNDCUBE_PG_PWD:-password}
volumes:
- ${BASE_DIR:-/srv}/roundcube/psql:/var/lib/postgresql/data
networks:
- roundcube


@ -1,19 +0,0 @@
<?php
$config['imap_conn_options'] = [
'ssl' => [
'verify_peer' => false,
],
];
$config['smtp_conn_options'] = [
'ssl' => [
'verify_peer' => false,
],
];
$config['managesieve_conn_options'] = [
'ssl' => [
'verify_peer' => false,
],
];


@ -3,6 +3,9 @@ version: '3.7'
# https://hub.docker.com/r/vaultwarden/server # https://hub.docker.com/r/vaultwarden/server
# https://github.com/dani-garcia/vaultwarden # https://github.com/dani-garcia/vaultwarden
networks:
vaultwarden:
services: services:
vaultwarden: vaultwarden:
image: vaultwarden/server:alpine image: vaultwarden/server:alpine
@ -12,15 +15,38 @@ services:
domainname: ${BASE_DOMAIN} domainname: ${BASE_DOMAIN}
environment: environment:
- DOMAIN=https://passwords.${BASE_DOMAIN} - DOMAIN=https://passwords.${BASE_DOMAIN}
- WEBSOCKET_ENABLED=true # - WEBSOCKET_ENABLED=true
- SMTP_HOST=mail - SMTP_HOST=mail
- SMTP_FROM=vaultwarden@${BASE_DOMAIN} - SMTP_FROM=vaultwarden@${BASE_DOMAIN}
- SMTP_PORT=25 - SMTP_PORT=25
- SMTP_SECURITY=off - SMTP_SECURITY=off
- SIGNUPS_ALLOWED=false
- ADMIN_TOKEN=${VAULTWARDEN_ADMIN_TOKEN} - ADMIN_TOKEN=${VAULTWARDEN_ADMIN_TOKEN}
# - ADMIN_TOKEN=$$argon2id$$v=19$$m=65540,t=3,p=4$$UUFq04iWk/WXfYWvxfg3nnyhHBiHYKI9AqoSY4eKIP4$$qizUd/eRNDUjb90eXVbCZMT7bAu4ZPpzaO6EUL0LEJ8
- SIGNUPS_ALLOWED=false
- INVITATIONS_ALLOWED=false
- SHOW_PASSWORD_HINT=false
- DATABASE_URL=postgres://vaultwarden:${VAULTWARDEN_PG_PWD:-vaultwarden}@pg-vaultwarden:5432/vaultwarden
volumes: volumes:
- ${BASE_DIR:-/srv}/vaultwarden:/data - ${BASE_DIR:-/srv}/vaultwarden/data:/data
depends_on:
- pg-vaultwarden
networks: networks:
- proxy - proxy
- mail - mail
- vaultwarden
pg-vaultwarden:
image: postgres:${POSTGRES_VERSION}-alpine
container_name: pg-vaultwarden
restart: "${RESTART:-no}"
environment:
- POSTGRES_DB=vaultwarden
- POSTGRES_USER=vaultwarden
- POSTGRES_PASSWORD=${VAULTWARDEN_PG_PWD:-vaultwarden}
volumes:
- ${BASE_DIR:-/srv}/vaultwarden/psql:/var/lib/postgresql/data
networks:
- vaultwarden
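Review bot: `DATABASE_URL` and `POSTGRES_PASSWORD` both default to the literal `vaultwarden` when `VAULTWARDEN_PG_PWD` is unset, so a missing `.env` entry yields a running vault with a guessable database password rather than a startup error. Compose's `${VAR:?msg}` form fails fast: `- POSTGRES_PASSWORD=${VAULTWARDEN_PG_PWD:?VAULTWARDEN_PG_PWD must be set}` on the pg-vaultwarden service, and the same expansion inside `DATABASE_URL`. `ADMIN_TOKEN=${VAULTWARDEN_ADMIN_TOKEN}` presumably leaves the admin page disabled when the variable is empty; a comment on that line stating the expected behaviour would save the next maintainer a check. `WEBSOCKET_ENABLED` is commented out rather than removed, so a short comment on why would help readers.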


@ -0,0 +1,27 @@
version: '3.7'
# https://hub.docker.com/r/containrrr/watchtower
# https://containrrr.dev/watchtower/
services:
watchtower:
image: containrrr/watchtower
container_name: watchtower
restart: "${RESTART:-no}"
hostname: watchtower
domainname: ${BASE_DOMAIN}
environment:
- TZ=${TIMEZONE}
- WATCHTOWER_SCHEDULE=0 0 4 * * *
- WATCHTOWER_CLEANUP="true"
- WATCHTOWER_NOTIFICATIONS=email
- WATCHTOWER_NOTIFICATION_EMAIL_FROM=watchtower@${BASE_DOMAIN}
- WATCHTOWER_NOTIFICATION_EMAIL_TO=admin@${BASE_DOMAIN}
- WATCHTOWER_NOTIFICATION_EMAIL_SERVER=post.${BASE_DOMAIN}
- WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT=25
- WATCHTOWER_NOTIFICATION_EMAIL_DELAY=2
volumes:
- /var/run/docker.sock:/var/run/docker.sock
networks:
- mail
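Review bot: `WATCHTOWER_CLEANUP="true"` sits inside a YAML plain scalar, so the container receives the value with the quote characters included, which a boolean parser may reject; every other entry in the list is unquoted, and `- WATCHTOWER_CLEANUP=true` matches them. Mounting `/var/run/docker.sock` gives this container root-equivalent control of the host, and with the default scope every container is pulled and replaced unattended at 04:00, so any upstream tag change lands without review; scoping updates with `WATCHTOWER_LABEL_ENABLE=true` and opting services in by label, or at least a comment stating that unattended updates of all services are intended, is worth considering. The `mail` network this service joins is not declared in this file, presumably it comes from the base compose file; a comment saying so would help.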


@ -3,7 +3,7 @@ version: '3.7'
# https://hub.docker.com/r/woodpeckerci/woodpecker-server/ # https://hub.docker.com/r/woodpeckerci/woodpecker-server/
# https://woodpecker-ci.org/docs/administration/setup # https://woodpecker-ci.org/docs/administration/setup
# https://woodpecker-ci.org/docs/administration/server-config # https://woodpecker-ci.org/docs/administration/server-config
# https://woodpecker-ci.org/docs/administration/vcs/gitea # https://woodpecker-ci.org/docs/administration/forges/gitea
# auth callback /authorize # auth callback /authorize


@ -106,6 +106,7 @@ sudo apk update && sudo apk upgrade && sudo apk add \
git \ git \
htop \ htop \
nano \ nano \
nftables \
qemu-guest-agent \ qemu-guest-agent \
sudo \ sudo \
tree \ tree \
@ -154,11 +155,18 @@ To mount all:
sudo mount -a sudo mount -a
``` ```
### ntp
```sh
rc-update add ntpd
service ntpd start
```
### checkout repo ### checkout repo
```sh ```sh
cd /opt cd /opt
sudo git clone https://git.csprung.de/carsten/container-server.git sudo git clone <this repo's url>
``` ```
### awall ### awall
@ -184,3 +192,9 @@ https://wiki.alpinelinux.org/wiki/Docker
rc-update add docker rc-update add docker
service docker start service docker start
``` ```
### cron
```sh
cp -r /opt/container-server/setup/cron/* /etc/periodic/
```


@ -4,7 +4,7 @@
"variable": { "variable": {
"loop_if": "lo", "loop_if": "lo",
"internet_if": "eth0", "internet_if": "eth0",
"container_if": "docker+" "container_if": ["docker+", "br-+"]
}, },
"zone": { "zone": {

setup/cron/weekly/docker-prune Executable file

@ -0,0 +1,3 @@
#!/bin/sh
docker system prune --volumes --force | tail -n 1 && df -h | grep -v overlay
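Review bot: `docker system prune --volumes --force` also deletes every volume not attached to at least one existing container, so a named volume belonging to a service that happens to be stopped during the weekly run is lost without confirmation; the services in this repository appear to use bind mounts under `${BASE_DIR}`, but nothing in the script enforces that. Dropping `--volumes` (or using `docker image prune -a --force` if reclaiming image space is the goal) keeps the cleanup to containers, images, networks and build cache. A header comment such as `# weekly: remove stopped containers, unused images and networks, then report free space` would document the intent.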


@ -8,7 +8,7 @@ includes:
vars: vars:
COMPOSE_FILES: COMPOSE_FILES:
sh: touch enabled ; find ./services -iname docker-compose.yml | grep -f enabled || >&2 echo "=== No services enabled ===" sh: touch enabled ; find ./services -iname docker-compose.yml | grep -f enabled || exit 0
COMPOSE_ARGS: -f services/docker-compose.yml -f {{.COMPOSE_FILES | splitLines | join " -f "}} COMPOSE_ARGS: -f services/docker-compose.yml -f {{.COMPOSE_FILES | splitLines | join " -f "}}
tasks: tasks:
@ -43,6 +43,13 @@ tasks:
cmds: cmds:
- "docker-compose {{.COMPOSE_ARGS}} restart {{.CLI_ARGS}}" - "docker-compose {{.COMPOSE_ARGS}} restart {{.CLI_ARGS}}"
recreate:
desc: Recreate given or active services
deps:
- util:template
cmds:
- "docker-compose {{.COMPOSE_ARGS}} up -d --force-recreate {{.CLI_ARGS}}"
stop: stop:
desc: Stop given or all services desc: Stop given or all services
cmds: cmds:
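Review bot: The `COMPOSE_FILES` shell snippet now ends in `|| exit 0`, so an empty or absent `enabled` file no longer produces the "=== No services enabled ===" message; `COMPOSE_ARGS` presumably still ends in a dangling `-f`, so the problem surfaces later in docker-compose with a less helpful error. Keeping the warning while still exiting cleanly is one line: `sh: touch enabled ; find ./services -iname docker-compose.yml | grep -f enabled || { >&2 echo "=== No services enabled ==="; exit 0; }`. If the message was dropped because it interfered with Task's variable capture, a comment above the variable saying so would stop the next person restoring it.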


@ -28,4 +28,3 @@ tasks:
cmds: cmds:
- mkdir -p /usr/local/share/zsh/site-functions - mkdir -p /usr/local/share/zsh/site-functions
- wget -O /usr/local/share/zsh/site-functions/_task https://raw.githubusercontent.com/go-task/task/master/completion/zsh/_task - wget -O /usr/local/share/zsh/site-functions/_task https://raw.githubusercontent.com/go-task/task/master/completion/zsh/_task


@ -17,7 +17,12 @@ tasks:
mail-setup: mail-setup:
desc: Docker-Mailserver setup utility desc: Docker-Mailserver setup utility
cmds: cmds:
- "docker exec mail setup {{.CLI_ARGS}}" - "docker exec -i mail setup {{.CLI_ARGS}}"
occ:
desc: Nextcloud cli
cmds:
- "docker exec -u 33 nextcloud php ./occ {{.CLI_ARGS}}"
psql-dump: psql-dump:
desc: Dump postgres database for backup or update desc: Dump postgres database for backup or update
@ -29,7 +34,7 @@ tasks:
psql-restore: psql-restore:
desc: Load postgres database for restore desc: Load postgres database for restore
cmds: cmds:
- docker exec pg-{{.CLI_ARGS}} psql --echo-errors -U {{.CLI_ARGS}} -d {{.CLI_ARGS}} < {{.TMP_DIR}}/{{.CLI_ARGS}}.sql - docker exec -i pg-{{.CLI_ARGS}} psql --echo-errors -U {{.CLI_ARGS}} < {{.TMP_DIR}}/{{.CLI_ARGS}}.sql
psql-clear-tmp: psql-clear-tmp:
desc: Clear temporary sql files created by psql-dump desc: Clear temporary sql files created by psql-dump
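Review bot: The rewritten `psql-restore` still runs `psql` without `-v ON_ERROR_STOP=1`, so a statement that fails mid-dump is echoed via `--echo-errors` but the load continues and psql exits 0, leaving a partially restored database that the task reports as success. `- docker exec -i pg-{{.CLI_ARGS}} psql --echo-errors -v ON_ERROR_STOP=1 -U {{.CLI_ARGS}} < {{.TMP_DIR}}/{{.CLI_ARGS}}.sql` makes the task fail on the first error, and `--single-transaction` would additionally roll the whole load back. Dropping `-d` means psql connects to the database named after the user, which matches the compose files in this commit where `POSTGRES_DB` equals `POSTGRES_USER`; a comment on the command saying that is relied upon would help. The `occ` task hard-codes UID 33; a comment such as `# 33 = www-data inside the nextcloud image` would explain it. The `psql-clear-tmp` task continues outside the hunk.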