General deployment #1
27 changed files with 512 additions and 278 deletions
33
.env.sample
33
.env.sample
|
@ -1,20 +1,25 @@
|
||||||
BASE_DOMAIN=
|
BASE_DOMAIN=
|
||||||
|
SECOND_MAIL_DOMAIN=
|
||||||
BASE_DIR=/srv
|
BASE_DIR=/srv
|
||||||
CERTS_DIR=/srv/proxy/data/caddy/certificates/acme-v02.api.letsencrypt.org
|
CERTS_DIR=/srv/proxy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory
|
||||||
RESTART="no"
|
RESTART="no"
|
||||||
TIMEZONE=Europe/Berlin
|
TIMEZONE=Europe/Berlin
|
||||||
|
|
||||||
POSTGRES_VERSION=15
|
POSTGRES_VERSION=15
|
||||||
|
|
||||||
CADDY_TLS_EMAIL=
|
CADDY_TLS_EMAIL=
|
||||||
|
CADDY_CA_URL=https://acme-v02.api.letsencrypt.org/directory
|
||||||
# CADDY_CA_URL=https://acme-staging-v02.api.letsencrypt.org/directory
|
# CADDY_CA_URL=https://acme-staging-v02.api.letsencrypt.org/directory
|
||||||
CADDY_BYPASS_IP=" "
|
CADDY_BYPASS_IP=" "
|
||||||
CADDY_DEV_PASS=
|
|
||||||
|
PUBLIC_HTML_USER=
|
||||||
|
|
||||||
AUTHENTIK_PG_PWD=
|
AUTHENTIK_PG_PWD=
|
||||||
AUTHENTIK_SECRET_KEY=
|
AUTHENTIK_SECRET_KEY=
|
||||||
AUTHENTIK_MAIL_FROM=
|
AUTHENTIK_MAIL_FROM=
|
||||||
|
|
||||||
|
NEXTCLOUD_PG_PWD=
|
||||||
|
|
||||||
FORGEJO_SETUP_LOCK=true
|
FORGEJO_SETUP_LOCK=true
|
||||||
FORGEJO_PG_PWD=
|
FORGEJO_PG_PWD=
|
||||||
FORGEJO_LFS_JWT_SECTRET=
|
FORGEJO_LFS_JWT_SECTRET=
|
||||||
|
@ -24,20 +29,22 @@ FORGEJO_JWT_SECRET=
|
||||||
FORGEJO_MAIL_FROM=
|
FORGEJO_MAIL_FROM=
|
||||||
FORGEJO_SSH_PORT=
|
FORGEJO_SSH_PORT=
|
||||||
|
|
||||||
|
MATRIX_PG_PWD=
|
||||||
|
MATRIX_MAIL_FROM=
|
||||||
|
# MATRIX_REGISTRATION_SECRET=
|
||||||
|
# MATRIX_MAROON_SECRET=
|
||||||
|
# MATRIX_FORM_SECRET=
|
||||||
|
|
||||||
|
HEDGEDOC_PG_PWD=
|
||||||
|
HEDGEDOC_SESSION_SECRET=
|
||||||
|
HEDGEDOC_OAUTH_CLIENT=
|
||||||
|
HEDGEDOC_OAUTH_SECRET=
|
||||||
|
|
||||||
WOODPECKER_AGENT_SECRET=
|
WOODPECKER_AGENT_SECRET=
|
||||||
WOODPECKER_GITEA_CLIENT=
|
WOODPECKER_GITEA_CLIENT=
|
||||||
WOODPECKER_GITEA_SECRET=
|
WOODPECKER_GITEA_SECRET=
|
||||||
|
|
||||||
# ROUNDCUBE_PG_PWD=
|
VAULTWARDEN_ADMIN_TOKEN=
|
||||||
|
VAULTWARDEN_PG_PWD=
|
||||||
# VAULTWARDEN_ADMIN_TOKEN=
|
|
||||||
|
|
||||||
# NEXTCLOUD_PG_PWD=
|
|
||||||
|
|
||||||
# MATRIX_PG_PWD=
|
|
||||||
# MATRIX_REGISTRATION_SECRET=
|
|
||||||
# MATRIX_MAROON_SECRET=
|
|
||||||
# MATRIX_FORM_SECRET=
|
|
||||||
# MATRIX_MAIL_FROM=
|
|
||||||
|
|
||||||
# MINECRAFT_AMP_LICENSE=
|
# MINECRAFT_AMP_LICENSE=
|
||||||
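Review bot: The new credential entries (`NEXTCLOUD_PG_PWD=`, `MATRIX_PG_PWD=`, `HEDGEDOC_PG_PWD=`, `HEDGEDOC_SESSION_SECRET=`, `VAULTWARDEN_PG_PWD=`) are added as empty values with nothing saying they must be filled, while several consumers in this commit substitute a fixed fallback when the variable is empty (`${AUTHENTIK_PG_PWD:-password}` in the authentik compose file, `${MATRIX_PG_PWD:-matrix}` in the matrix one, `${FORGEJO_PG_PWD:-forgejo}` in the forgejo one), so a copied-but-unedited sample brings the databases up with guessable passwords. A header comment such as `# Every *_PWD, *_SECRET and *_TOKEN value is required; an empty value is not a safe default` would make that explicit. On the compose side, `${MATRIX_PG_PWD:?MATRIX_PG_PWD must be set}` (Compose's `:?` form) makes an empty value fail the deploy instead of silently falling back, and the same applies to the other fallbacks named above.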
|
|
|
@ -2,18 +2,26 @@ version: '3.7'
|
||||||
|
|
||||||
# https://github.com/goauthentik/authentik/pkgs/container/server
|
# https://github.com/goauthentik/authentik/pkgs/container/server
|
||||||
# https://goauthentik.io/docs/installation/docker-compose
|
# https://goauthentik.io/docs/installation/docker-compose
|
||||||
|
# https://goauthentik.io/docs/troubleshooting/login
|
||||||
|
|
||||||
# initial setup: https://<your server>/if/flow/initial-setup/
|
# initial setup: https://<your server>/if/flow/initial-setup/
|
||||||
# icon /static/dist/assets/icons/icon.svg
|
# icon /static/dist/assets/icons/icon.svg
|
||||||
|
|
||||||
|
# example flows, e.g. password recovery:
|
||||||
|
# https://goauthentik.io/docs/flow/examples/flows
|
||||||
|
|
||||||
|
# In default-authentication-flow:
|
||||||
|
# - Edit Flow > Behavior Settings > check "Compatibility mode"
|
||||||
|
# - Stage Bindings > Identification > Edit Stage
|
||||||
|
# - Set password stage
|
||||||
|
# - uncheck "Case insenstive matching" and "Show matched user"
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
auth:
|
|
||||||
name: auth
|
|
||||||
authentik:
|
authentik:
|
||||||
|
|
||||||
services:
|
services:
|
||||||
authentik:
|
authentik:
|
||||||
image: ghcr.io/goauthentik/server
|
image: ghcr.io/goauthentik/server:2023.8
|
||||||
container_name: authentik
|
container_name: authentik
|
||||||
restart: "${RESTART:-no}"
|
restart: "${RESTART:-no}"
|
||||||
hostname: auth
|
hostname: auth
|
||||||
|
@ -22,7 +30,6 @@ services:
|
||||||
environment:
|
environment:
|
||||||
- AUTHENTIK_LISTEN__HTTP=0.0.0.0:80
|
- AUTHENTIK_LISTEN__HTTP=0.0.0.0:80
|
||||||
- AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
|
- AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
|
||||||
- AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME=false
|
|
||||||
|
|
||||||
- AUTHENTIK_REDIS__HOST=redis-authentik
|
- AUTHENTIK_REDIS__HOST=redis-authentik
|
||||||
|
|
||||||
|
@ -36,32 +43,41 @@ services:
|
||||||
- AUTHENTIK_EMAIL__USE_TLS=false
|
- AUTHENTIK_EMAIL__USE_TLS=false
|
||||||
- AUTHENTIK_EMAIL__USE_SSL=false
|
- AUTHENTIK_EMAIL__USE_SSL=false
|
||||||
- AUTHENTIK_EMAIL__FROM=${AUTHENTIK_MAIL_FROM}@${BASE_DOMAIN}
|
- AUTHENTIK_EMAIL__FROM=${AUTHENTIK_MAIL_FROM}@${BASE_DOMAIN}
|
||||||
|
|
||||||
|
- AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME=false
|
||||||
|
depends_on:
|
||||||
|
- pg-authentik
|
||||||
|
- redis-authentik
|
||||||
|
networks:
|
||||||
|
- proxy
|
||||||
|
- mail
|
||||||
|
- authentik
|
||||||
|
|
||||||
|
authentik-worker:
|
||||||
|
image: ghcr.io/goauthentik/server:2023.8
|
||||||
|
container_name: authentik-worker
|
||||||
|
restart: "${RESTART:-no}"
|
||||||
|
command: worker
|
||||||
|
environment:
|
||||||
|
- AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
|
||||||
|
|
||||||
|
- AUTHENTIK_REDIS__HOST=redis-authentik
|
||||||
|
- AUTHENTIK_POSTGRESQL__HOST=pg-authentik
|
||||||
|
- AUTHENTIK_POSTGRESQL__USER=authentik
|
||||||
|
- AUTHENTIK_POSTGRESQL__NAME=authentik
|
||||||
|
- AUTHENTIK_POSTGRESQL__PASSWORD=${AUTHENTIK_PG_PWD:-password}
|
||||||
|
|
||||||
|
- AUTHENTIK_EMAIL__HOST=mail
|
||||||
|
- AUTHENTIK_EMAIL__PORT=25
|
||||||
|
- AUTHENTIK_EMAIL__USE_TLS=false
|
||||||
|
- AUTHENTIK_EMAIL__USE_SSL=false
|
||||||
|
- AUTHENTIK_EMAIL__FROM=${AUTHENTIK_MAIL_FROM}@${BASE_DOMAIN}
|
||||||
depends_on:
|
depends_on:
|
||||||
- pg-authentik
|
- pg-authentik
|
||||||
- redis-authentik
|
- redis-authentik
|
||||||
networks:
|
networks:
|
||||||
- proxy
|
- authentik
|
||||||
- mail
|
- mail
|
||||||
- auth
|
|
||||||
- authentik
|
|
||||||
|
|
||||||
authentik-worker:
|
|
||||||
image: ghcr.io/goauthentik/server
|
|
||||||
container_name: authentik-worker
|
|
||||||
restart: "${RESTART:-no}"
|
|
||||||
command: worker
|
|
||||||
environment:
|
|
||||||
- AUTHENTIK_REDIS__HOST=redis-authentik
|
|
||||||
- AUTHENTIK_POSTGRESQL__HOST=pg-authentik
|
|
||||||
- AUTHENTIK_POSTGRESQL__USER=authentik
|
|
||||||
- AUTHENTIK_POSTGRESQL__NAME=authentik
|
|
||||||
- AUTHENTIK_POSTGRESQL__PASSWORD=${AUTHENTIK_PG_PWD:-password}
|
|
||||||
- AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
|
|
||||||
depends_on:
|
|
||||||
- pg-authentik
|
|
||||||
- redis-authentik
|
|
||||||
networks:
|
|
||||||
- authentik
|
|
||||||
|
|
||||||
pg-authentik:
|
pg-authentik:
|
||||||
image: postgres:${POSTGRES_VERSION}-alpine
|
image: postgres:${POSTGRES_VERSION}-alpine
|
||||||
|
@ -77,7 +93,7 @@ services:
|
||||||
- authentik
|
- authentik
|
||||||
|
|
||||||
redis-authentik:
|
redis-authentik:
|
||||||
image: redis:alpine
|
image: redis:7-alpine
|
||||||
container_name: redis-authentik
|
container_name: redis-authentik
|
||||||
restart: "${RESTART:-no}"
|
restart: "${RESTART:-no}"
|
||||||
command: --save 60 1 --loglevel warning
|
command: --save 60 1 --loglevel warning
|
||||||
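Review bot: The new `authentik-worker` service repeats the secret-bearing environment of `authentik` verbatim, and both copies pass `AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}` through unguarded while `AUTHENTIK_POSTGRESQL__PASSWORD=${AUTHENTIK_PG_PWD:-password}` falls back to a working credential, so an unset or empty variable reaches both containers as an empty key or the literal password `password`. `${AUTHENTIK_SECRET_KEY:?AUTHENTIK_SECRET_KEY must be set}` and `${AUTHENTIK_PG_PWD:?AUTHENTIK_PG_PWD must be set}` make the deploy fail loudly instead. To keep the two environment lists from drifting, the shared keys could live in an extension field (`x-authentik-env: &authentik-env`) merged into both services with `<<: *authentik-env`; that requires writing `environment` in mapping form rather than the list form used here, with the server-only keys (`AUTHENTIK_LISTEN__HTTP`, `AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME`) added after the merge. The `authentik` service definition starts in an earlier hunk, so the full list is not visible here.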
|
|
|
@ -1,10 +1,11 @@
|
||||||
APP_NAME = Forgejo: Beyond coding. We forge.
|
APP_NAME = Forgejo: Beyond coding. We forge.
|
||||||
RUN_MODE = prod
|
RUN_MODE = prod
|
||||||
RUN_USER = git
|
RUN_USER = git
|
||||||
|
WORK_PATH = /data/gitea
|
||||||
|
|
||||||
[repository]
|
[repository]
|
||||||
ROOT = /data/git/repositories
|
ROOT = /data/git/repositories
|
||||||
DEFAULT_PRIVATE = private
|
DEFAULT_PRIVATE = true
|
||||||
|
|
||||||
[repository.local]
|
[repository.local]
|
||||||
LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
|
LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
|
||||||
|
@ -22,18 +23,18 @@ DISABLE_SSH = false
|
||||||
SSH_PORT = ${FORGEJO_SSH_PORT}
|
SSH_PORT = ${FORGEJO_SSH_PORT}
|
||||||
SSH_LISTEN_PORT = 22
|
SSH_LISTEN_PORT = 22
|
||||||
LFS_START_SERVER = true
|
LFS_START_SERVER = true
|
||||||
DOMAIN = git.${BASE_DOMAIN}
|
|
||||||
LFS_JWT_SECRET = ${FORGEJO_LFS_JWT_SECTRET}
|
LFS_JWT_SECRET = ${FORGEJO_LFS_JWT_SECTRET}
|
||||||
OFFLINE_MODE = false
|
OFFLINE_MODE = false
|
||||||
|
|
||||||
[database]
|
[database]
|
||||||
DB_TYPE = postgres
|
DB_TYPE = postgres
|
||||||
HOST = pg-forgejo:5432
|
HOST = pg-forgejo
|
||||||
NAME = forgejo
|
NAME = forgejo
|
||||||
USER = forgejo
|
USER = forgejo
|
||||||
PASSWD = ${FORGEJO_PG_PWD}
|
PASSWD = ${FORGEJO_PG_PWD}
|
||||||
|
LOG_SQL = false
|
||||||
|
SCHEMA =
|
||||||
SSL_MODE = disable
|
SSL_MODE = disable
|
||||||
CHARSET = utf8
|
|
||||||
|
|
||||||
[indexer]
|
[indexer]
|
||||||
ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
|
ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
|
||||||
|
@ -50,9 +51,8 @@ REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
|
||||||
PATH = /data/gitea/attachments
|
PATH = /data/gitea/attachments
|
||||||
|
|
||||||
[log]
|
[log]
|
||||||
MODE = console
|
logger.router.MODE = console
|
||||||
LEVEL = info
|
LEVEL = info
|
||||||
ROUTER = console
|
|
||||||
ROOT_PATH = /data/gitea/log
|
ROOT_PATH = /data/gitea/log
|
||||||
|
|
||||||
[security]
|
[security]
|
||||||
|
@ -61,7 +61,7 @@ SECRET_KEY = ${FORGEJO_SECRET_KEY}
|
||||||
REVERSE_PROXY_LIMIT = 1
|
REVERSE_PROXY_LIMIT = 1
|
||||||
REVERSE_PROXY_TRUSTED_PROXIES = *
|
REVERSE_PROXY_TRUSTED_PROXIES = *
|
||||||
INTERNAL_TOKEN = ${FORGEJO_INTERNAL_TOKEN}
|
INTERNAL_TOKEN = ${FORGEJO_INTERNAL_TOKEN}
|
||||||
PASSWORD_HASH_ALGO = pbkdf2
|
PASSWORD_HASH_ALGO = pbkdf2_hi
|
||||||
|
|
||||||
[service]
|
[service]
|
||||||
DISABLE_REGISTRATION = false
|
DISABLE_REGISTRATION = false
|
||||||
|
@ -75,8 +75,8 @@ DEFAULT_ALLOW_CREATE_ORGANIZATION = true
|
||||||
DEFAULT_ENABLE_TIMETRACKING = true
|
DEFAULT_ENABLE_TIMETRACKING = true
|
||||||
NO_REPLY_ADDRESS = noreply.localhost
|
NO_REPLY_ADDRESS = noreply.localhost
|
||||||
|
|
||||||
[oauth2]
|
[service.explore]
|
||||||
JWT_SECRET = ${FORGEJO_JWT_SECRET}
|
DISABLE_USERS_PAGE = true
|
||||||
|
|
||||||
[lfs]
|
[lfs]
|
||||||
PATH = /data/git/lfs
|
PATH = /data/git/lfs
|
||||||
|
@ -89,7 +89,10 @@ FROM = ${FORGEJO_MAIL_FROM}@${BASE_DOMAIN}
|
||||||
|
|
||||||
[openid]
|
[openid]
|
||||||
ENABLE_OPENID_SIGNIN = false
|
ENABLE_OPENID_SIGNIN = false
|
||||||
ENABLE_OPENID_SIGNUP = true
|
ENABLE_OPENID_SIGNUP = false
|
||||||
|
|
||||||
|
[cron.update_checker]
|
||||||
|
ENABLED = false
|
||||||
|
|
||||||
[repository.pull-request]
|
[repository.pull-request]
|
||||||
DEFAULT_MERGE_STYLE = squash
|
DEFAULT_MERGE_STYLE = squash
|
||||||
|
@ -97,8 +100,8 @@ DEFAULT_MERGE_STYLE = squash
|
||||||
[repository.signing]
|
[repository.signing]
|
||||||
DEFAULT_TRUST_MODEL = committer
|
DEFAULT_TRUST_MODEL = committer
|
||||||
|
|
||||||
[cron]
|
[oauth2]
|
||||||
ENABLED = true
|
JWT_SECRET = ${FORGEJO_JWT_SECRET}
|
||||||
|
|
||||||
[webhook]
|
[webhook]
|
||||||
ALLOWED_HOST_LIST = *.${BASE_DOMAIN}
|
ALLOWED_HOST_LIST = *.${BASE_DOMAIN}
|
||||||
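Review bot: `DEFAULT_PRIVATE = true` in `[repository]` is, as far as I know, not one of the values this key accepts (`last`, `private`, `public`), and an unrecognised value does not behave like `private`: the new-repository form compares the setting against `private`/`last`, so anything else leaves the box unchecked and new repositories default to public. Since the replaced value `private` was valid, this looks like a regression rather than a fix; `DEFAULT_PRIVATE = private` (or `last`) restores the intended default and is worth confirming against the 1.20 configuration cheat sheet. Separately, `PASSWORD_HASH_ALGO = pbkdf2_hi` applies to hashes created from now on, and existing accounts keep the algorithm stored with their hash until it is regenerated — a comment on that line would save the next reader a lookup.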
|
|
|
@ -14,7 +14,7 @@ networks:
|
||||||
|
|
||||||
services:
|
services:
|
||||||
forgejo:
|
forgejo:
|
||||||
image: codeberg.org/forgejo/forgejo:1.18
|
image: codeberg.org/forgejo/forgejo:1.20
|
||||||
container_name: forgejo
|
container_name: forgejo
|
||||||
restart: "${RESTART:-no}"
|
restart: "${RESTART:-no}"
|
||||||
hostname: git
|
hostname: git
|
||||||
|
@ -23,11 +23,11 @@ services:
|
||||||
- USER_UID=1000
|
- USER_UID=1000
|
||||||
- USER_GID=1000
|
- USER_GID=1000
|
||||||
|
|
||||||
- GITEA__database__DB_TYPE=postgres
|
- FORGEJO__database__DB_TYPE=postgres
|
||||||
- GITEA__database__HOST=pg-forgejo
|
- FORGEJO__database__HOST=pg-forgejo
|
||||||
- GITEA__database__NAME=forgejo
|
- FORGEJO__database__NAME=forgejo
|
||||||
- GITEA__database__USER=forgejo
|
- FORGEJO__database__USER=forgejo
|
||||||
- GITEA__database__PASSWD=${FORGEJO_PG_PWD:-forgejo}
|
- FORGEJO__database__PASSWD=${FORGEJO_PG_PWD:-forgejo}
|
||||||
ports:
|
ports:
|
||||||
- '${FORGEJO_SSH_PORT}:22'
|
- '${FORGEJO_SSH_PORT}:22'
|
||||||
volumes:
|
volumes:
|
||||||
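Review bot: The `FORGEJO__database__*` environment entries duplicate the `[database]` section that the app.ini hunks earlier in this commit already set (`HOST = pg-forgejo`, `NAME = forgejo`, `USER = forgejo`, `PASSWD = ${FORGEJO_PG_PWD}`), and the compose copy carries a fallback `${FORGEJO_PG_PWD:-forgejo}` that the app.ini copy does not, so the two disagree exactly when the variable is empty and the result is a default credential. Keeping one source of truth — dropping the five env lines, or changing the fallback to `${FORGEJO_PG_PWD:?FORGEJO_PG_PWD must be set}` — removes that gap. The rename from the `GITEA__` prefix only does anything if the 1.20 image's environment-to-ini step honours `FORGEJO__`; if it does not, these lines are ignored without any error, so the generated app.ini on first start is worth checking for the expected values.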
|
|
|
@ -1,7 +1,9 @@
|
||||||
version: '3.7'
|
version: '3.7'
|
||||||
|
|
||||||
# https://quay.io/repository/hedgedoc/hedgedoc
|
# https://quay.io/repository/hedgedoc/hedgedoc
|
||||||
|
# https://docs.hedgedoc.org/setup/docker/
|
||||||
# https://docs.hedgedoc.org/configuration/
|
# https://docs.hedgedoc.org/configuration/
|
||||||
|
# https://goauthentik.io/integrations/services/hedgedoc/
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
hedgedoc:
|
hedgedoc:
|
||||||
|
@ -26,7 +28,7 @@ services:
|
||||||
- CMD_DOMAIN=md.${BASE_DOMAIN}
|
- CMD_DOMAIN=md.${BASE_DOMAIN}
|
||||||
- CMD_PROTOCOL_USESSL=true
|
- CMD_PROTOCOL_USESSL=true
|
||||||
- CMD_URL_ADDPORT=false
|
- CMD_URL_ADDPORT=false
|
||||||
- CMD_ALLOW_ORIGIN=localhost,${BASE_DOMAIN},md.${BASE_DOMAIN}
|
- CMD_ALLOW_ORIGIN=md.${BASE_DOMAIN}
|
||||||
- CMD_CSP_ALLOW_FRAMING=false
|
- CMD_CSP_ALLOW_FRAMING=false
|
||||||
|
|
||||||
- CMD_ALLOW_ANONYMOUS=false
|
- CMD_ALLOW_ANONYMOUS=false
|
||||||
|
@ -36,12 +38,23 @@ services:
|
||||||
- CMD_DEFAULT_PERMISSION=limited
|
- CMD_DEFAULT_PERMISSION=limited
|
||||||
- CMD_SESSION_SECRET=${HEDGEDOC_SESSION_SECRET}
|
- CMD_SESSION_SECRET=${HEDGEDOC_SESSION_SECRET}
|
||||||
|
|
||||||
- CMD_EMAIL=true
|
- CMD_EMAIL=false
|
||||||
- CMD_ALLOW_EMAIL_REGISTER=true
|
- CMD_ALLOW_EMAIL_REGISTER=false
|
||||||
|
|
||||||
|
- CMD_OAUTH2_AUTHORIZATION_URL=https://account.${BASE_DOMAIN}/application/o/authorize/
|
||||||
|
- CMD_OAUTH2_TOKEN_URL=https://account.${BASE_DOMAIN}/application/o/token/
|
||||||
|
- CMD_OAUTH2_USER_PROFILE_URL=https://account.${BASE_DOMAIN}/application/o/userinfo/
|
||||||
|
- CMD_OAUTH2_SCOPE=openid email profile
|
||||||
|
- CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
|
||||||
|
- CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
|
||||||
|
- CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
|
||||||
|
- CMD_OAUTH2_CLIENT_ID=${HEDGEDOC_OAUTH_CLIENT}
|
||||||
|
- CMD_OAUTH2_CLIENT_SECRET=${HEDGEDOC_OAUTH_SECRET}
|
||||||
|
- CMD_OAUTH2_PROVIDERNAME=SSO
|
||||||
volumes:
|
volumes:
|
||||||
- ${BASE_DIR:-/srv}/hedgedoc/uploads:/hedgedoc/public/uploads
|
- ${BASE_DIR:-/srv}/hedgedoc/uploads:/hedgedoc/public/uploads
|
||||||
depends_on:
|
depends_on:
|
||||||
- pg-hackmd
|
- pg-hedgedoc
|
||||||
networks:
|
networks:
|
||||||
- proxy
|
- proxy
|
||||||
- mail
|
- mail
|
||||||
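Review bot: `CMD_OAUTH2_CLIENT_SECRET=${HEDGEDOC_OAUTH_SECRET}` and `CMD_SESSION_SECRET=${HEDGEDOC_SESSION_SECRET}` are passed through without a guard, and `.env.sample` in this commit introduces both variables empty, so a missed value starts HedgeDoc with an empty client secret and session secret rather than refusing to start. `${HEDGEDOC_OAUTH_SECRET:?HEDGEDOC_OAUTH_SECRET must be set}` (and the same for the session secret) turns that into a deploy-time error. The `depends_on` change from `pg-hackmd` to `pg-hedgedoc` points at a service whose definition is outside the shown hunks; assuming it was renamed in the same commit, any other setting that names the database host needs the same rename, which would be worth stating in the commit message.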
|
|
98
services/mail/15-mailboxes.conf
Normal file
98
services/mail/15-mailboxes.conf
Normal file
|
@ -0,0 +1,98 @@
|
||||||
|
##
|
||||||
|
## Mailbox definitions
|
||||||
|
##
|
||||||
|
|
||||||
|
# Each mailbox is specified in a separate mailbox section. The section name
|
||||||
|
# specifies the mailbox name. If it has spaces, you can put the name
|
||||||
|
# "in quotes". These sections can contain the following mailbox settings:
|
||||||
|
#
|
||||||
|
# auto:
|
||||||
|
# Indicates whether the mailbox with this name is automatically created
|
||||||
|
# implicitly when it is first accessed. The user can also be automatically
|
||||||
|
# subscribed to the mailbox after creation. The following values are
|
||||||
|
# defined for this setting:
|
||||||
|
#
|
||||||
|
# no - Never created automatically.
|
||||||
|
# create - Automatically created, but no automatic subscription.
|
||||||
|
# subscribe - Automatically created and subscribed.
|
||||||
|
#
|
||||||
|
# special_use:
|
||||||
|
# A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the
|
||||||
|
# mailbox. There are no validity checks, so you could specify anything
|
||||||
|
# you want in here, but it's not a good idea to use flags other than the
|
||||||
|
# standard ones specified in the RFC:
|
||||||
|
#
|
||||||
|
# \All - This (virtual) mailbox presents all messages in the
|
||||||
|
# user's message store.
|
||||||
|
# \Archive - This mailbox is used to archive messages.
|
||||||
|
# \Drafts - This mailbox is used to hold draft messages.
|
||||||
|
# \Flagged - This (virtual) mailbox presents all messages in the
|
||||||
|
# user's message store marked with the IMAP \Flagged flag.
|
||||||
|
# \Important - This (virtual) mailbox presents all messages in the
|
||||||
|
# user's message store deemed important to user.
|
||||||
|
# \Junk - This mailbox is where messages deemed to be junk mail
|
||||||
|
# are held.
|
||||||
|
# \Sent - This mailbox is used to hold copies of messages that
|
||||||
|
# have been sent.
|
||||||
|
# \Trash - This mailbox is used to hold messages that have been
|
||||||
|
# deleted.
|
||||||
|
#
|
||||||
|
# comment:
|
||||||
|
# Defines a default comment or note associated with the mailbox. This
|
||||||
|
# value is accessible through the IMAP METADATA mailbox entries
|
||||||
|
# "/shared/comment" and "/private/comment". Users with sufficient
|
||||||
|
# privileges can override the default value for entries with a custom
|
||||||
|
# value.
|
||||||
|
|
||||||
|
# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
|
||||||
|
namespace inbox {
|
||||||
|
# These mailboxes are widely used and could perhaps be created automatically:
|
||||||
|
mailbox Drafts {
|
||||||
|
auto = subscribe
|
||||||
|
special_use = \Drafts
|
||||||
|
}
|
||||||
|
mailbox Junk {
|
||||||
|
auto = subscribe
|
||||||
|
special_use = \Junk
|
||||||
|
autoexpunge = 30d
|
||||||
|
}
|
||||||
|
mailbox Trash {
|
||||||
|
auto = subscribe
|
||||||
|
special_use = \Trash
|
||||||
|
autoexpunge = 60d
|
||||||
|
}
|
||||||
|
|
||||||
|
# For \Sent mailboxes there are two widely used names. We'll mark both of
|
||||||
|
# them as \Sent. User typically deletes one of them if duplicates are created.
|
||||||
|
mailbox Sent {
|
||||||
|
auto = subscribe
|
||||||
|
special_use = \Sent
|
||||||
|
}
|
||||||
|
|
||||||
|
#mailbox "Sent Messages" {
|
||||||
|
# special_use = \Sent
|
||||||
|
#}
|
||||||
|
|
||||||
|
#mailbox Archive {
|
||||||
|
# auto = subscribe
|
||||||
|
# special_use = \Archive
|
||||||
|
#}
|
||||||
|
|
||||||
|
# If you have a virtual "All messages" mailbox:
|
||||||
|
#mailbox virtual/All {
|
||||||
|
# special_use = \All
|
||||||
|
# comment = All my messages
|
||||||
|
#}
|
||||||
|
|
||||||
|
# If you have a virtual "Flagged" mailbox:
|
||||||
|
#mailbox virtual/Flagged {
|
||||||
|
# special_use = \Flagged
|
||||||
|
# comment = All my flagged messages
|
||||||
|
#}
|
||||||
|
|
||||||
|
# If you have a virtual "Important" mailbox:
|
||||||
|
#mailbox virtual/Important {
|
||||||
|
# special_use = \Important
|
||||||
|
# comment = All my important messages
|
||||||
|
#}
|
||||||
|
}
|
|
@ -4,6 +4,10 @@ version: '3.7'
|
||||||
# https://docker-mailserver.github.io/docker-mailserver/edge/examples/tutorials/basic-installation/
|
# https://docker-mailserver.github.io/docker-mailserver/edge/examples/tutorials/basic-installation/
|
||||||
# https://github.com/docker-mailserver/docker-mailserver
|
# https://github.com/docker-mailserver/docker-mailserver
|
||||||
# https://github.com/docker-mailserver/docker-mailserver/blob/master/docs/content/config/advanced/mail-sieve.md
|
# https://github.com/docker-mailserver/docker-mailserver/blob/master/docs/content/config/advanced/mail-sieve.md
|
||||||
|
# https://docker-mailserver.github.io/docker-mailserver/latest/faq/#how-can-i-make-spamassassin-better-recognize-spam
|
||||||
|
# https://docker-mailserver.github.io/docker-mailserver/latest/examples/use-cases/imap-folders/#mailboxes-aka-imap-folders
|
||||||
|
# https://doc.dovecot.org/configuration_manual/namespace/#core_setting-namespace/mailbox/autoexpunge
|
||||||
|
# https://notes.sagredo.eu/en/qmail-notes-185/expunging-expired-junk-and-trash-emails-with-dovecot-124.html
|
||||||
|
|
||||||
# create account: task srv:mail-setup -- email add <user>@<domain>
|
# create account: task srv:mail-setup -- email add <user>@<domain>
|
||||||
|
|
||||||
|
@ -13,11 +17,13 @@ networks:
|
||||||
|
|
||||||
services:
|
services:
|
||||||
mail:
|
mail:
|
||||||
image: mailserver/docker-mailserver:11
|
image: mailserver/docker-mailserver:12
|
||||||
container_name: mail
|
container_name: mail
|
||||||
restart: "${RESTART:-no}"
|
restart: "${RESTART:-no}"
|
||||||
hostname: mail
|
hostname: post
|
||||||
domainname: ${BASE_DOMAIN}
|
domainname: ${BASE_DOMAIN}
|
||||||
|
cap_add:
|
||||||
|
- NET_ADMIN # For Fail2Ban to work
|
||||||
environment:
|
environment:
|
||||||
- SSL_TYPE=letsencrypt
|
- SSL_TYPE=letsencrypt
|
||||||
# You may want to enable this: https://docker-mailserver.github.io/docker-mailserver/edge/config/environment/#spoof_protection
|
# You may want to enable this: https://docker-mailserver.github.io/docker-mailserver/edge/config/environment/#spoof_protection
|
||||||
|
@ -27,33 +33,44 @@ services:
|
||||||
# Beware creating an Open Relay: https://docker-mailserver.github.io/docker-mailserver/edge/config/environment/#permit_docker
|
# Beware creating an Open Relay: https://docker-mailserver.github.io/docker-mailserver/edge/config/environment/#permit_docker
|
||||||
- PERMIT_DOCKER=connected-networks
|
- PERMIT_DOCKER=connected-networks
|
||||||
- ONE_DIR=1
|
- ONE_DIR=1
|
||||||
- ENABLE_AMAVIS=0
|
|
||||||
|
- ENABLE_AMAVIS=1
|
||||||
- ENABLE_POSTGREY=0
|
- ENABLE_POSTGREY=0
|
||||||
- ENABLE_CLAMAV=0
|
- ENABLE_CLAMAV=0
|
||||||
- ENABLE_SPAMASSASSIN=0
|
- ENABLE_SPAMASSASSIN=1
|
||||||
- ENABLE_MANAGESIEVE=1
|
- ENABLE_MANAGESIEVE=1
|
||||||
- ENABLE_FAIL2BAN=0
|
- ENABLE_FAIL2BAN=1
|
||||||
|
|
||||||
- TZ=${TIMEZONE}
|
- TZ=${TIMEZONE}
|
||||||
- POSTMASTER_ADDRESS=postmaster@${BASE_DOMAIN}
|
- POSTMASTER_ADDRESS=postmaster@${BASE_DOMAIN}
|
||||||
|
|
||||||
|
- SPAMASSASSIN_SPAM_TO_INBOX=1
|
||||||
|
- MOVE_SPAM_TO_JUNK=1
|
||||||
|
- SA_TAG=-10000.0 # set headers on all mails
|
||||||
|
- SA_TAG2=3.75 # above is considered spam
|
||||||
|
- SA_KILL=10000.0 # don't bounce/quarantine anything
|
||||||
|
- "SA_SPAM_SUBJECT=[SPAM] "
|
||||||
ports:
|
ports:
|
||||||
- "25:25"
|
- "25:25" # SMTP (explicit TLS => STARTTLS)
|
||||||
- "143:143"
|
- "143:143" # IMAP4 (explicit TLS => STARTTLS)
|
||||||
- "587:587"
|
- "465:465" # ESMTP (implicit TLS)
|
||||||
- "465:465"
|
- "587:587" # ESMTP (explicit TLS => STARTTLS)
|
||||||
- "993:993"
|
- "993:993" # IMAP4 (implicit TLS)
|
||||||
- "4190:4190" # managesieve
|
- "4190:4190" # managesieve
|
||||||
volumes:
|
volumes:
|
||||||
# config
|
# config
|
||||||
- ${BASE_DIR:-/srv}/mail/config:/tmp/docker-mailserver/
|
- ${BASE_DIR:-/srv}/mail/config:/tmp/docker-mailserver/
|
||||||
|
- ./mail/fail2ban-jail.cf:/tmp/docker-mailserver/fail2ban-jail.cf:ro
|
||||||
|
- ./mail/spamassassin-learn:/etc/cron.d/spamassassin-learn:ro
|
||||||
|
- ./mail/15-mailboxes.conf:/etc/dovecot/conf.d/15-mailboxes.conf:ro
|
||||||
# Mail data
|
# Mail data
|
||||||
- ${BASE_DIR:-/srv}/mail/mail-data:/var/mail/
|
- ${BASE_DIR:-/srv}/mail/mail-data:/var/mail/
|
||||||
- ${BASE_DIR:-/srv}/mail/mail-state:/var/mail-state/
|
- ${BASE_DIR:-/srv}/mail/mail-state:/var/mail-state/
|
||||||
- ${BASE_DIR:-/srv}/mail/mail-logs:/var/log/mail/
|
- ${BASE_DIR:-/srv}/mail/mail-logs:/var/log/mail/
|
||||||
# certificates
|
# certificates
|
||||||
- ${CERTS_DIR}/mail.${BASE_DOMAIN}/mail.${BASE_DOMAIN}.crt:/etc/letsencrypt/live/mail.${BASE_DOMAIN}/fullchain.pem:ro
|
- ${CERTS_DIR}/post.${BASE_DOMAIN}/post.${BASE_DOMAIN}.crt:/etc/letsencrypt/live/post.${BASE_DOMAIN}/fullchain.pem:ro
|
||||||
- ${CERTS_DIR}/mail.${BASE_DOMAIN}/mail.${BASE_DOMAIN}.key:/etc/letsencrypt/live/mail.${BASE_DOMAIN}/privkey.pem:ro
|
- ${CERTS_DIR}/post.${BASE_DOMAIN}/post.${BASE_DOMAIN}.key:/etc/letsencrypt/live/post.${BASE_DOMAIN}/privkey.pem:ro
|
||||||
# - ${CERTS_DIR}/mail.${BASE_DOMAIN}:/etc/letsencrypt/live/
|
|
||||||
networks:
|
networks:
|
||||||
- mail
|
mail:
|
||||||
# cap_add:
|
aliases:
|
||||||
# - NET_ADMIN # For Fail2Ban to work
|
- post.${BASE_DOMAIN}
|
||||||
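Review bot: The new bind mount `./mail/spamassassin-learn:/etc/cron.d/spamassassin-learn:ro` gives cron a file whose owner and mode come from the host checkout; cron on Debian-based images skips `/etc/cron.d` entries that are not root-owned or are group/world-writable with only a syslog line, so a clone made with a loose umask silently disables the Bayes training that `ENABLE_SPAMASSASSIN=1` now relies on. A comment on that line, `# must be root-owned and mode 0644 or cron ignores it`, plus a check in the deploy task, would make this visible. The `post.${BASE_DOMAIN}` certificate mounts also assume the files already exist: as far as I know Docker creates an empty directory for a missing bind source, which would then block Caddy from writing the certificate that the new `post.{$BASE_DOMAIN}` site block in this commit is meant to obtain — worth a note next to `SSL_TYPE=letsencrypt` that Caddy must have issued the certificate before this container is started.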
|
|
40
services/mail/fail2ban-jail.cf
Normal file
40
services/mail/fail2ban-jail.cf
Normal file
|
@ -0,0 +1,40 @@
|
||||||
|
[DEFAULT]
|
||||||
|
|
||||||
|
# "bantime" is the number of seconds that a host is banned.
|
||||||
|
bantime = 1w
|
||||||
|
|
||||||
|
# A host is banned if it has generated "maxretry" during the last "findtime"
|
||||||
|
# seconds.
|
||||||
|
findtime = 30m
|
||||||
|
|
||||||
|
# "maxretry" is the number of failures before a host get banned.
|
||||||
|
maxretry = 5
|
||||||
|
|
||||||
|
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
|
||||||
|
# will not ban a host which matches an address in this list. Several addresses
|
||||||
|
# can be defined using space (and/or comma) separator.
|
||||||
|
ignoreip = 127.0.0.1/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
|
||||||
|
|
||||||
|
# default ban action
|
||||||
|
# nftables-multiport: block IP only on affected port
|
||||||
|
# nftables-allports: block IP on all ports
|
||||||
|
banaction = nftables-allports
|
||||||
|
|
||||||
|
[dovecot]
|
||||||
|
enabled = true
|
||||||
|
|
||||||
|
[postfix]
|
||||||
|
enabled = true
|
||||||
|
# For a reference on why this mode was chose, see
|
||||||
|
# https://github.com/docker-mailserver/docker-mailserver/issues/3256#issuecomment-1511188760
|
||||||
|
mode = extra
|
||||||
|
|
||||||
|
[postfix-sasl]
|
||||||
|
enabled = true
|
||||||
|
|
||||||
|
# This jail is used for manual bans.
|
||||||
|
# To ban an IP address use: setup.sh fail2ban ban <IP>
|
||||||
|
[custom]
|
||||||
|
enabled = true
|
||||||
|
bantime = 90d
|
||||||
|
port = smtp,pop3,pop3s,imap,imaps,submission,submissions,sieve
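Review bot: `ignoreip = 127.0.0.1/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16` exempts every RFC 1918 range, which in a container deployment can neutralise the jails entirely: if the host delivers the published ports through Docker's userland proxy rather than NAT, every client is logged with the 172.x bridge-gateway address and is therefore never banned. Before relying on `ENABLE_FAIL2BAN=1`, it is worth confirming in the container's mail log that real client addresses appear, and narrowing `ignoreip` to the specific compose subnet instead of the three private ranges. Nit in the `[postfix]` comment: "why this mode was chose" → "why this mode was chosen".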
|
15
services/mail/spamassassin-learn
Normal file
15
services/mail/spamassassin-learn
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
# This assumes you're having `environment: ONE_DIR=1` in the env-mailserver,
|
||||||
|
# with a consolidated config in `/var/mail-state`
|
||||||
|
#
|
||||||
|
# '> /dev/null' to send error notifications from 'stderr' to 'postmaster@example.com'
|
||||||
|
#
|
||||||
|
# m h dom mon dow user command
|
||||||
|
|
||||||
|
|
||||||
|
# Everyday 3:00AM, learn spam from all users
|
||||||
|
# spam: junk directory
|
||||||
|
0 3 * * * root sa-learn --spam /var/mail/*/*/.Junk --dbpath /var/mail-state/lib-amavis/.spamassassin > /dev/null
|
||||||
|
# ham: archive directories
|
||||||
|
15 3 * * * root sa-learn --ham /var/mail/*/*/.Archive* --dbpath /var/mail-state/lib-amavis/.spamassassin > /dev/null
|
||||||
|
# ham: inbox subdirectories
|
||||||
|
30 3 * * * root sa-learn --ham /var/mail/*/*/cur* --dbpath /var/mail-state/lib-amavis/.spamassassin > /dev/null
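Review bot: All three `sa-learn` entries run as `root` against `--dbpath /var/mail-state/lib-amavis/.spamassassin`, the Bayes database the amavis process also writes; any file sa-learn creates on a first run ends up root-owned, and amavis may then be unable to update it, leaving a classifier that looks trained but never changes. Checking ownership of that directory after the first run, or running the entries as the amavis user if the image allows it, avoids that. The `cur*` glob on the last line matches only the top-level maildir `cur` directory; if the intent was also to learn ham from folders under INBOX, those live in `.Folder/cur` and are not covered, so the comment `# ham: inbox subdirectories` should say what is actually matched.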
|
|
@ -37,8 +37,9 @@ services:
|
||||||
restart: "${RESTART:-no}"
|
restart: "${RESTART:-no}"
|
||||||
environment:
|
environment:
|
||||||
- POSTGRES_DB=matrix
|
- POSTGRES_DB=matrix
|
||||||
- POSTGRES_USER=${MATRIX_PG_USER:-matrix}
|
- POSTGRES_USER=matrix
|
||||||
- POSTGRES_PASSWORD=${MATRIX_PG_PWD:-matrix}
|
- POSTGRES_PASSWORD=${MATRIX_PG_PWD:-matrix}
|
||||||
|
- POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
|
||||||
volumes:
|
volumes:
|
||||||
- ${BASE_DIR:-/srv}/matrix/psql:/var/lib/postgresql/data
|
- ${BASE_DIR:-/srv}/matrix/psql:/var/lib/postgresql/data
|
||||||
networks:
|
networks:
|
||||||
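Review bot: `POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C` only takes effect when the data directory at `${BASE_DIR:-/srv}/matrix/psql` is initialised for the first time; an existing volume keeps the encoding and collation it was created with, so Synapse's startup check for a C collation will still fail on deployments that already have data. A comment on that line such as `# applied only on first initdb; an existing volume keeps its collation` prevents a false sense of having fixed it. Hard-coding `POSTGRES_USER=matrix` is fine, but the neighbouring `${MATRIX_PG_PWD:-matrix}` still substitutes a trivial password when the variable is empty; `${MATRIX_PG_PWD:?MATRIX_PG_PWD must be set}` would fail the deploy instead.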
|
|
|
@ -3,6 +3,9 @@ version: '3.7'
|
||||||
# https://hub.docker.com/_/nextcloud/
|
# https://hub.docker.com/_/nextcloud/
|
||||||
# https://github.com/nextcloud/docker
|
# https://github.com/nextcloud/docker
|
||||||
# https://docs.nextcloud.com/server/stable/admin_manual/release_schedule.html
|
# https://docs.nextcloud.com/server/stable/admin_manual/release_schedule.html
|
||||||
|
# disable cert verification for local smtp connection:
|
||||||
|
# https://docs.nextcloud.com/server/26/admin_manual/configuration_server/email_configuration.html#tlspeerverification
|
||||||
|
# https://blog.cubieserver.de/2022/complete-guide-to-nextcloud-oidc-authentication-with-authentik/
|
||||||
|
|
||||||
# create admin account during setup
|
# create admin account during setup
|
||||||
|
|
||||||
|
@ -11,7 +14,7 @@ networks:
|
||||||
|
|
||||||
services:
|
services:
|
||||||
nextcloud:
|
nextcloud:
|
||||||
image: nextcloud:production
|
image: nextcloud:27
|
||||||
container_name: nextcloud
|
container_name: nextcloud
|
||||||
restart: "${RESTART:-no}"
|
restart: "${RESTART:-no}"
|
||||||
hostname: cloud
|
hostname: cloud
|
||||||
|
@ -38,6 +41,22 @@ services:
|
||||||
- mail
|
- mail
|
||||||
- nextcloud
|
- nextcloud
|
||||||
|
|
||||||
|
nextcloud-cron:
|
||||||
|
image: nextcloud:27
|
||||||
|
container_name: nextcloud-cron
|
||||||
|
restart: "${RESTART:-no}"
|
||||||
|
entrypoint: /cron.sh
|
||||||
|
volumes:
|
||||||
|
- ${BASE_DIR:-/srv}/nextcloud/html:/var/www/html # Main folder, needed for updating
|
||||||
|
- ${BASE_DIR:-/srv}/nextcloud/apps:/var/www/html/custom_apps # installed / modified apps
|
||||||
|
- ${BASE_DIR:-/srv}/nextcloud/config:/var/www/html/config # local configuration
|
||||||
|
- ${BASE_DIR:-/srv}/nextcloud/data:/var/www/html/data # the actual data of your Nextcloud
|
||||||
|
- ${BASE_DIR:-/srv}/nextcloud/themes:/var/www/html/themes # theming/branding
|
||||||
|
depends_on:
|
||||||
|
- pg-nextcloud
|
||||||
|
networks:
|
||||||
|
- nextcloud
|
||||||
|
|
||||||
pg-nextcloud:
|
pg-nextcloud:
|
||||||
image: postgres:${POSTGRES_VERSION}-alpine
|
image: postgres:${POSTGRES_VERSION}-alpine
|
||||||
container_name: pg-nextcloud
|
container_name: pg-nextcloud
|
||||||
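Review bot: The new `nextcloud-cron` service is attached only to the `nextcloud` network, while the `nextcloud` web service (context at the top of the hunk) is also on `mail`; background jobs that send e-mail, such as activity digests, run from the cron container and would not be able to reach the mail host. Adding `- mail` under its `networks` mirrors the web service. The five volume entries presumably mirror the web service's, and the cron container must see the same `config` and `data` paths to work at all, so an extension field (`x-nextcloud-volumes: &nextcloud-volumes`) referenced from both services with `volumes: *nextcloud-volumes` keeps them from drifting; adding `- nextcloud` to the cron service's `depends_on` also avoids its first run racing the initial install that populates the `html` volume.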
|
|
|
@ -1,15 +1,13 @@
|
||||||
(logging) {
|
(logging) {
|
||||||
log {
|
log {
|
||||||
output stdout
|
output stdout
|
||||||
format transform "{common_log}"
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
local_certs
|
# local_certs
|
||||||
# email {$TLS_EMAIL}
|
email {$TLS_EMAIL}
|
||||||
# acme_ca {$CA_URL}
|
acme_ca {$CA_URL}
|
||||||
import logging
|
|
||||||
}
|
}
|
||||||
|
|
||||||
(errorpages) {
|
(errorpages) {
|
||||||
|
@ -32,61 +30,52 @@
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
https://{$BASE_DOMAIN} {
|
{$BASE_DOMAIN} {
|
||||||
import errorpages
|
|
||||||
import logging
|
import logging
|
||||||
reverse_proxy /_matrix* matrix:8008
|
import errorpages
|
||||||
|
@matrix {
|
||||||
|
path /_matrix/* /_synapse/*
|
||||||
|
}
|
||||||
|
reverse_proxy @matrix matrix:8008
|
||||||
|
|
||||||
root * /srv/homepage
|
root * /srv/homepage
|
||||||
file_server
|
file_server
|
||||||
}
|
}
|
||||||
|
|
||||||
# https://{$BASE_DOMAIN}:8448 {
|
{$BASE_DOMAIN}:8448 {
|
||||||
# import errorpages
|
import logging
|
||||||
# import logging
|
import errorpages
|
||||||
# reverse_proxy matrix:8008
|
reverse_proxy matrix:8008
|
||||||
# }
|
}
|
||||||
|
|
||||||
# needs to be http!
|
# needs to be http!
|
||||||
http://autoconfig.{$BASE_DOMAIN} {
|
autoconfig.{$BASE_DOMAIN}, autoconfig.{$SECOND_MAIL_DOMAIN} {
|
||||||
file_server {
|
file_server {
|
||||||
root /srv/autoconfig
|
root /srv/autoconfig
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
https://echo.{$BASE_DOMAIN} {
|
status.{$BASE_DOMAIN} {
|
||||||
|
import errorpages
|
||||||
|
import logging
|
||||||
|
redir https://stats.uptimerobot.com/PMoGJHK8W9 permanent
|
||||||
|
}
|
||||||
|
|
||||||
|
post.{$BASE_DOMAIN} {
|
||||||
import errorpages
|
import errorpages
|
||||||
import logging
|
import logging
|
||||||
reverse_proxy echo:8000
|
reverse_proxy echo:8000
|
||||||
}
|
}
|
||||||
|
|
||||||
https://auth.{$BASE_DOMAIN} {
|
account.{$BASE_DOMAIN} {
|
||||||
import errorpages
|
|
||||||
import logging
|
import logging
|
||||||
|
import errorpages
|
||||||
reverse_proxy authentik:80
|
reverse_proxy authentik:80
|
||||||
}
|
}
|
||||||
|
|
||||||
https://mail.{$BASE_DOMAIN} {
|
cloud.{$BASE_DOMAIN} {
|
||||||
import errorpages
|
|
||||||
import logging
|
import logging
|
||||||
reverse_proxy roundcube:80
|
|
||||||
}
|
|
||||||
|
|
||||||
https://git.{$BASE_DOMAIN} {
|
|
||||||
import errorpages
|
import errorpages
|
||||||
import logging
|
|
||||||
reverse_proxy forgejo:3000
|
|
||||||
}
|
|
||||||
|
|
||||||
https://ci.{$BASE_DOMAIN} {
|
|
||||||
import errorpages
|
|
||||||
import logging
|
|
||||||
reverse_proxy woodpecker:8000
|
|
||||||
}
|
|
||||||
|
|
||||||
https://cloud.{$BASE_DOMAIN} {
|
|
||||||
import errorpages
|
|
||||||
import logging
|
|
||||||
redir /.well-known/carddav /remote.php/dav
|
redir /.well-known/carddav /remote.php/dav
|
||||||
redir /.well-known/caldav /remote.php/dav
|
redir /.well-known/caldav /remote.php/dav
|
||||||
redir /.well-known/webfinger /index.php/.well-known/webfinger
|
redir /.well-known/webfinger /index.php/.well-known/webfinger
|
||||||
|
@ -94,51 +83,72 @@ https://cloud.{$BASE_DOMAIN} {
|
||||||
reverse_proxy nextcloud:80
|
reverse_proxy nextcloud:80
|
||||||
}
|
}
|
||||||
|
|
||||||
https://passwords.{$BASE_DOMAIN} {
|
git.{$BASE_DOMAIN} {
|
||||||
import errorpages
|
|
||||||
import logging
|
import logging
|
||||||
reverse_proxy /notifications/hub/negotiate* vaultwarden:80
|
import errorpages
|
||||||
reverse_proxy /notifications/hub* vaultwarden:3012
|
reverse_proxy forgejo:3000
|
||||||
reverse_proxy vaultwarden:80
|
|
||||||
}
|
}
|
||||||
|
|
||||||
https://md.{$BASE_DOMAIN} {
|
home.{$BASE_DOMAIN} {
|
||||||
import errorpages
|
|
||||||
import logging
|
import logging
|
||||||
|
import errorpages
|
||||||
|
reverse_proxy https://doge6m1146mivr5g789a5tbjo0re3lrv.ui.nabu.casa
|
||||||
|
}
|
||||||
|
|
||||||
|
stuff.{$BASE_DOMAIN} {
|
||||||
|
import logging
|
||||||
|
import errorpages
|
||||||
|
root * /srv/public_html
|
||||||
|
file_server browse
|
||||||
|
}
|
||||||
|
|
||||||
|
md.{$BASE_DOMAIN} {
|
||||||
|
import logging
|
||||||
|
import errorpages
|
||||||
reverse_proxy hedgedoc:3000
|
reverse_proxy hedgedoc:3000
|
||||||
}
|
}
|
||||||
|
|
||||||
# https://ci-demo.{$BASE_DOMAIN} {
|
ci.{$BASE_DOMAIN} {
|
||||||
|
import logging
|
||||||
|
import errorpages
|
||||||
|
reverse_proxy woodpecker:8000
|
||||||
|
}
|
||||||
|
|
||||||
|
# echo.{$BASE_DOMAIN} {
|
||||||
|
# import logging
|
||||||
|
# import errorpages
|
||||||
|
# reverse_proxy echo:8000
|
||||||
|
# }
|
||||||
|
|
||||||
|
passwords.{$BASE_DOMAIN} {
|
||||||
|
import logging
|
||||||
|
import errorpages
|
||||||
|
reverse_proxy vaultwarden:80 {
|
||||||
|
header_up X-Real-IP {remote_host}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# ci-demo.{$BASE_DOMAIN} {
|
||||||
|
# import logging
|
||||||
# import errorpages
|
# import errorpages
|
||||||
# import logging
|
|
||||||
# reverse_proxy docker-ci-demo:8000
|
# reverse_proxy docker-ci-demo:8000
|
||||||
# }
|
# }
|
||||||
|
|
||||||
# https://stuff.{$BASE_DOMAIN} {
|
# hackmd-next.{$BASE_DOMAIN} {
|
||||||
|
# import logging
|
||||||
# import errorpages
|
# import errorpages
|
||||||
# import logging
|
|
||||||
# root * /srv/stuff
|
|
||||||
# file_server browse
|
|
||||||
# basicauth /dev {
|
|
||||||
# dev {$DEV_PASS}
|
|
||||||
# }
|
|
||||||
# }
|
|
||||||
|
|
||||||
# https://hackmd-next.{$BASE_DOMAIN} {
|
|
||||||
# import errorpages
|
|
||||||
# import logging
|
|
||||||
# reverse_proxy codimd:3000
|
# reverse_proxy codimd:3000
|
||||||
# }
|
# }
|
||||||
|
|
||||||
# https://amp.{$BASE_DOMAIN} {
|
# amp.{$BASE_DOMAIN} {
|
||||||
|
# import logging
|
||||||
# import errorpages
|
# import errorpages
|
||||||
# import logging
|
|
||||||
# reverse_proxy minecraft:8080
|
# reverse_proxy minecraft:8080
|
||||||
# }
|
# }
|
||||||
|
|
||||||
# https://map.amp.{$BASE_DOMAIN} {
|
# map.amp.{$BASE_DOMAIN} {
|
||||||
|
# import logging
|
||||||
# import errorpages
|
# import errorpages
|
||||||
# import logging
|
|
||||||
# root * /srv/bluemap
|
# root * /srv/bluemap
|
||||||
# file_server
|
# file_server
|
||||||
|
|
||||||
|
|
|
@ -1,7 +0,0 @@
|
||||||
ARG CADDY_VERSION=2
|
|
||||||
|
|
||||||
# https://github.com/caddyserver/transform-encoder
|
|
||||||
|
|
||||||
FROM caddy:${CADDY_VERSION}-alpine
|
|
||||||
|
|
||||||
RUN caddy add-package github.com/caddyserver/transform-encoder
|
|
|
@ -1,18 +1,20 @@
|
||||||
<clientConfig version="1.1">
|
<clientConfig version="1.1">
|
||||||
<emailProvider id="${BASE_DOMAIN}">
|
<emailProvider id="${BASE_DOMAIN}">
|
||||||
<domain>${BASE_DOMAIN}</domain>
|
<domain>${BASE_DOMAIN}</domain>
|
||||||
|
<domain>${SECOND_MAIL_DOMAIN}</domain>
|
||||||
|
|
||||||
<displayName>${BASE_DOMAIN} Mail</displayName>
|
<displayName>${BASE_DOMAIN} Mail</displayName>
|
||||||
<incomingServer type="imap">
|
<incomingServer type="imap">
|
||||||
<hostname>mail.${BASE_DOMAIN}</hostname>
|
<hostname>post.${BASE_DOMAIN}</hostname>
|
||||||
<port>993</port>
|
<port>993</port>
|
||||||
<socketType>SSL</socketType>
|
<socketType>SSL</socketType>
|
||||||
<authentication>password-cleartext</authentication>
|
<authentication>password-cleartext</authentication>
|
||||||
<username>%EMAILADDRESS%</username>
|
<username>%EMAILADDRESS%</username>
|
||||||
</incomingServer>
|
</incomingServer>
|
||||||
<outgoingServer type="smtp">
|
<outgoingServer type="smtp">
|
||||||
<hostname>mail.${BASE_DOMAIN}</hostname>
|
<hostname>post.${BASE_DOMAIN}</hostname>
|
||||||
<port>587</port>
|
<port>465</port>
|
||||||
<socketType>STARTTLS</socketType>
|
<socketType>SSL</socketType>
|
||||||
<authentication>password-cleartext</authentication>
|
<authentication>password-cleartext</authentication>
|
||||||
<username>%EMAILADDRESS%</username>
|
<username>%EMAILADDRESS%</username>
|
||||||
</outgoingServer>
|
</outgoingServer>
|
||||||
|
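Review bot: The new `<domain>${SECOND_MAIL_DOMAIN}</domain>` line renders as an empty `<domain></domain>` whenever SECOND_MAIL_DOMAIN is unset or blank, because nothing in this template is conditional; how a mail client treats an empty domain element is not defined anywhere here, so either emit the element only for a non-empty value or document that the variable is mandatory once this file is served. The `id="${BASE_DOMAIN}"` attribute and `<displayName>${BASE_DOMAIN} Mail</displayName>` still name only the first domain although the provider block now claims both; a neutral display name would avoid confusing users of the second domain. Moving the outgoing server to `<port>465</port>` with `<socketType>SSL</socketType>` is consistent with implicit TLS, but it only works if the `post.` host presents a certificate valid for that name on 465, which is worth a comment next to the hostname change.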
|
|
@ -9,19 +9,15 @@ networks:
|
||||||
|
|
||||||
services:
|
services:
|
||||||
proxy:
|
proxy:
|
||||||
# image: caddy:2-alpine
|
image: caddy:2-alpine
|
||||||
build:
|
|
||||||
context: ./proxy
|
|
||||||
args:
|
|
||||||
CADDY_VERSION: 2
|
|
||||||
container_name: proxy
|
container_name: proxy
|
||||||
restart: "${RESTART:-no}"
|
restart: "${RESTART:-no}"
|
||||||
hostname: ${BASE_DOMAIN}
|
hostname: ${BASE_DOMAIN}
|
||||||
environment:
|
environment:
|
||||||
- BASE_DOMAIN=${BASE_DOMAIN}
|
- BASE_DOMAIN=${BASE_DOMAIN}
|
||||||
|
- SECOND_MAIL_DOMAIN=${SECOND_MAIL_DOMAIN}
|
||||||
- TLS_EMAIL=${CADDY_TLS_EMAIL:-self_signed}
|
- TLS_EMAIL=${CADDY_TLS_EMAIL:-self_signed}
|
||||||
- CA_URL=${CADDY_CA_URL}
|
- CA_URL=${CADDY_CA_URL}
|
||||||
- DEV_PASS=${CADDY_DEV_PASS}
|
|
||||||
ports:
|
ports:
|
||||||
- '80:80'
|
- '80:80'
|
||||||
- '443:443'
|
- '443:443'
|
||||||
|
@ -36,6 +32,7 @@ services:
|
||||||
- ./proxy/errorpages/dist:/srv/errorpages:ro
|
- ./proxy/errorpages/dist:/srv/errorpages:ro
|
||||||
- ${BASE_DIR:-/srv}/proxy/srv/homepage:/srv/homepage:ro
|
- ${BASE_DIR:-/srv}/proxy/srv/homepage:/srv/homepage:ro
|
||||||
- ${BASE_DIR:-/srv}/minecraft/ampdata/instances/Main/Minecraft/bluemap/web/:/srv/bluemap:ro
|
- ${BASE_DIR:-/srv}/minecraft/ampdata/instances/Main/Minecraft/bluemap/web/:/srv/bluemap:ro
|
||||||
|
- ${BASE_DIR:-/srv}/nextcloud/data/${PUBLIC_HTML_USER:-admin}/files/public_html:/srv/public_html:ro
|
||||||
networks:
|
networks:
|
||||||
- proxy
|
- proxy
|
||||||
|
|
||||||
|
|
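Review bot: The new read-only mount `- ${BASE_DIR:-/srv}/nextcloud/data/${PUBLIC_HTML_USER:-admin}/files/public_html:/srv/public_html:ro` in the second hunk serves a Nextcloud user's folder straight from disk, bypassing Nextcloud's share permissions and audit trail, and the `admin` fallback silently selects the most privileged account when PUBLIC_HTML_USER is unset. I would fail fast instead of defaulting, e.g. `${PUBLIC_HTML_USER:?PUBLIC_HTML_USER must be set}`, and add a comment that everything placed in that directory (including files synced into it by a client) is published verbatim. In the first hunk, switching to the stock `image: caddy:2-alpine` drops the transform-encoder package the deleted Dockerfile installed; if the shared `logging` snippet still references that encoder, the proxy will fail to load its config, so that snippet should be verified against the plain image.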
|
@ -1,3 +0,0 @@
|
||||||
<?php
|
|
||||||
|
|
||||||
$config['managesieve_host'] = 'tls://mail.' . $_ENV['BASE_DOMAIN'];
|
|
|
@ -1,56 +0,0 @@
|
||||||
version: "3.7"
|
|
||||||
|
|
||||||
# https://hub.docker.com/r/roundcube/roundcubemail
|
|
||||||
# https://github.com/roundcube/roundcubemail-docker
|
|
||||||
# https://github.com/roundcube/roundcubemail/wiki/Configuration
|
|
||||||
# https://github.com/roundcube/roundcubemail/blob/master/plugins/managesieve/config.inc.php.dist
|
|
||||||
|
|
||||||
# install carddav plugin for use with nextcloud adressbook
|
|
||||||
# docker exec -it roundcube composer require roundcube/carddav --update-no-dev
|
|
||||||
# https://repo.packagist.org/packages/roundcube/carddav
|
|
||||||
|
|
||||||
networks:
|
|
||||||
roundcube:
|
|
||||||
|
|
||||||
services:
|
|
||||||
roundcube:
|
|
||||||
image: roundcube/roundcubemail:1.6.x-apache
|
|
||||||
container_name: roundcube
|
|
||||||
restart: "${RESTART:-no}"
|
|
||||||
hostname: roundcube
|
|
||||||
domainname: ${BASE_DOMAIN}
|
|
||||||
environment:
|
|
||||||
- BASE_DOMAIN=${BASE_DOMAIN}
|
|
||||||
- ROUNDCUBEMAIL_DB_TYPE=pgsql
|
|
||||||
- ROUNDCUBEMAIL_DB_HOST=pg-roundcube
|
|
||||||
- ROUNDCUBEMAIL_DB_NAME=roundcube
|
|
||||||
- ROUNDCUBEMAIL_DB_USER=roundcube
|
|
||||||
- ROUNDCUBEMAIL_DB_PASSWORD=${ROUNDCUBE_PG_PWD:-password}
|
|
||||||
- ROUNDCUBEMAIL_DEFAULT_HOST=tls://mail.${BASE_DOMAIN}
|
|
||||||
- ROUNDCUBEMAIL_SMTP_SERVER=tls://mail.${BASE_DOMAIN}
|
|
||||||
- ROUNDCUBEMAIL_PLUGINS=archive,zipdownload,managesieve,carddav,identity_select
|
|
||||||
- ROUNDCUBEMAIL_SKIN=elastic
|
|
||||||
volumes:
|
|
||||||
- ./roundcube/config:/var/roundcube/config
|
|
||||||
- ${BASE_DIR:-/srv}/roundcube/www:/var/www/html
|
|
||||||
# Skip tls cert verification. DO NOT USE IN PROD!
|
|
||||||
- ./roundcube/skip-ssl.php:/var/roundcube/config/skip-ssl.php
|
|
||||||
depends_on:
|
|
||||||
- pg-roundcube
|
|
||||||
networks:
|
|
||||||
- proxy
|
|
||||||
- mail
|
|
||||||
- roundcube
|
|
||||||
|
|
||||||
pg-roundcube:
|
|
||||||
image: postgres:${POSTGRES_VERSION}-alpine
|
|
||||||
container_name: pg-roundcube
|
|
||||||
restart: "${RESTART:-no}"
|
|
||||||
environment:
|
|
||||||
- POSTGRES_DB=roundcube
|
|
||||||
- POSTGRES_USER=roundcube
|
|
||||||
- POSTGRES_PASSWORD=${ROUNDCUBE_PG_PWD:-password}
|
|
||||||
volumes:
|
|
||||||
- ${BASE_DIR:-/srv}/roundcube/psql:/var/lib/postgresql/data
|
|
||||||
networks:
|
|
||||||
- roundcube
|
|
|
@ -1,19 +0,0 @@
|
||||||
<?php
|
|
||||||
|
|
||||||
$config['imap_conn_options'] = [
|
|
||||||
'ssl' => [
|
|
||||||
'verify_peer' => false,
|
|
||||||
],
|
|
||||||
];
|
|
||||||
|
|
||||||
$config['smtp_conn_options'] = [
|
|
||||||
'ssl' => [
|
|
||||||
'verify_peer' => false,
|
|
||||||
],
|
|
||||||
];
|
|
||||||
|
|
||||||
$config['managesieve_conn_options'] = [
|
|
||||||
'ssl' => [
|
|
||||||
'verify_peer' => false,
|
|
||||||
],
|
|
||||||
];
|
|
|
@ -3,6 +3,9 @@ version: '3.7'
|
||||||
# https://hub.docker.com/r/vaultwarden/server
|
# https://hub.docker.com/r/vaultwarden/server
|
||||||
# https://github.com/dani-garcia/vaultwarden
|
# https://github.com/dani-garcia/vaultwarden
|
||||||
|
|
||||||
|
networks:
|
||||||
|
vaultwarden:
|
||||||
|
|
||||||
services:
|
services:
|
||||||
vaultwarden:
|
vaultwarden:
|
||||||
image: vaultwarden/server:alpine
|
image: vaultwarden/server:alpine
|
||||||
|
@ -12,15 +15,38 @@ services:
|
||||||
domainname: ${BASE_DOMAIN}
|
domainname: ${BASE_DOMAIN}
|
||||||
environment:
|
environment:
|
||||||
- DOMAIN=https://passwords.${BASE_DOMAIN}
|
- DOMAIN=https://passwords.${BASE_DOMAIN}
|
||||||
- WEBSOCKET_ENABLED=true
|
# - WEBSOCKET_ENABLED=true
|
||||||
|
|
||||||
- SMTP_HOST=mail
|
- SMTP_HOST=mail
|
||||||
- SMTP_FROM=vaultwarden@${BASE_DOMAIN}
|
- SMTP_FROM=vaultwarden@${BASE_DOMAIN}
|
||||||
- SMTP_PORT=25
|
- SMTP_PORT=25
|
||||||
- SMTP_SECURITY=off
|
- SMTP_SECURITY=off
|
||||||
- SIGNUPS_ALLOWED=false
|
|
||||||
- ADMIN_TOKEN=${VAULTWARDEN_ADMIN_TOKEN}
|
- ADMIN_TOKEN=${VAULTWARDEN_ADMIN_TOKEN}
|
||||||
|
# - ADMIN_TOKEN=$$argon2id$$v=19$$m=65540,t=3,p=4$$UUFq04iWk/WXfYWvxfg3nnyhHBiHYKI9AqoSY4eKIP4$$qizUd/eRNDUjb90eXVbCZMT7bAu4ZPpzaO6EUL0LEJ8
|
||||||
|
- SIGNUPS_ALLOWED=false
|
||||||
|
- INVITATIONS_ALLOWED=false
|
||||||
|
- SHOW_PASSWORD_HINT=false
|
||||||
|
|
||||||
|
- DATABASE_URL=postgres://vaultwarden:${VAULTWARDEN_PG_PWD:-vaultwarden}@pg-vaultwarden:5432/vaultwarden
|
||||||
volumes:
|
volumes:
|
||||||
- ${BASE_DIR:-/srv}/vaultwarden:/data
|
- ${BASE_DIR:-/srv}/vaultwarden/data:/data
|
||||||
|
depends_on:
|
||||||
|
- pg-vaultwarden
|
||||||
networks:
|
networks:
|
||||||
- proxy
|
- proxy
|
||||||
- mail
|
- mail
|
||||||
|
- vaultwarden
|
||||||
|
|
||||||
|
pg-vaultwarden:
|
||||||
|
image: postgres:${POSTGRES_VERSION}-alpine
|
||||||
|
container_name: pg-vaultwarden
|
||||||
|
restart: "${RESTART:-no}"
|
||||||
|
environment:
|
||||||
|
- POSTGRES_DB=vaultwarden
|
||||||
|
- POSTGRES_USER=vaultwarden
|
||||||
|
- POSTGRES_PASSWORD=${VAULTWARDEN_PG_PWD:-vaultwarden}
|
||||||
|
volumes:
|
||||||
|
- ${BASE_DIR:-/srv}/vaultwarden/psql:/var/lib/postgresql/data
|
||||||
|
networks:
|
||||||
|
- vaultwarden
|
||||||
|
|
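Review bot: The commented-out `# - ADMIN_TOKEN=$$argon2id$$v=19$$...` line in the second hunk commits a real Argon2 hash of an admin token to version control; even disabled it hands anyone with repository access an offline cracking target, and the `$$` escaping shows it was written to be used in this file, so it should be removed from history and the token rotated, leaving only `- ADMIN_TOKEN=${VAULTWARDEN_ADMIN_TOKEN}`. `DATABASE_URL=postgres://vaultwarden:${VAULTWARDEN_PG_PWD:-vaultwarden}@pg-vaultwarden:5432/vaultwarden` and the matching `POSTGRES_PASSWORD` fall back to the literal password `vaultwarden` when the variable is missing, so a forgotten .env entry yields a working deployment with a guessable database password; `${VAULTWARDEN_PG_PWD:?VAULTWARDEN_PG_PWD must be set}` in both places surfaces the mistake instead. Moving the volume from `/vaultwarden` to `/vaultwarden/data` while switching from the default store to Postgres is not a drop-in change for an existing install; a one-line migration note next to the volume would help.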
27
services/watchtower/docker-compose.yml
Normal file
27
services/watchtower/docker-compose.yml
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
version: '3.7'
|
||||||
|
|
||||||
|
# https://hub.docker.com/r/containrrr/watchtower
|
||||||
|
# https://containrrr.dev/watchtower/
|
||||||
|
|
||||||
|
services:
|
||||||
|
watchtower:
|
||||||
|
image: containrrr/watchtower
|
||||||
|
container_name: watchtower
|
||||||
|
restart: "${RESTART:-no}"
|
||||||
|
hostname: watchtower
|
||||||
|
domainname: ${BASE_DOMAIN}
|
||||||
|
environment:
|
||||||
|
- TZ=${TIMEZONE}
|
||||||
|
- WATCHTOWER_SCHEDULE=0 0 4 * * *
|
||||||
|
- WATCHTOWER_CLEANUP="true"
|
||||||
|
|
||||||
|
- WATCHTOWER_NOTIFICATIONS=email
|
||||||
|
- WATCHTOWER_NOTIFICATION_EMAIL_FROM=watchtower@${BASE_DOMAIN}
|
||||||
|
- WATCHTOWER_NOTIFICATION_EMAIL_TO=admin@${BASE_DOMAIN}
|
||||||
|
- WATCHTOWER_NOTIFICATION_EMAIL_SERVER=post.${BASE_DOMAIN}
|
||||||
|
- WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT=25
|
||||||
|
- WATCHTOWER_NOTIFICATION_EMAIL_DELAY=2
|
||||||
|
volumes:
|
||||||
|
- /var/run/docker.sock:/var/run/docker.sock
|
||||||
|
networks:
|
||||||
|
- mail
|
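Review bot: `- WATCHTOWER_CLEANUP="true"` keeps the double quotes as part of the value, because compose does not strip quotes from list-form environment entries; watchtower therefore receives the six-character string `"true"` and, as far as I can tell, will not treat it as enabled, so write `- WATCHTOWER_CLEANUP=true` like the neighbouring entries. Mounting `/var/run/docker.sock` gives this container host-root-equivalent control of the Docker daemon, and together with the unpinned `image: containrrr/watchtower` and nightly unattended pulls of every running image, a compromised upstream tag would propagate to the whole host without review; pin the watchtower image by digest and consider `WATCHTOWER_LABEL_ENABLE=true` or `WATCHTOWER_MONITOR_ONLY=true` so updates are opt-in. A comment stating that this job restarts containers at 04:00 would also save the next reader from tracing the cron expression.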
|
@ -3,7 +3,7 @@ version: '3.7'
|
||||||
# https://hub.docker.com/r/woodpeckerci/woodpecker-server/
|
# https://hub.docker.com/r/woodpeckerci/woodpecker-server/
|
||||||
# https://woodpecker-ci.org/docs/administration/setup
|
# https://woodpecker-ci.org/docs/administration/setup
|
||||||
# https://woodpecker-ci.org/docs/administration/server-config
|
# https://woodpecker-ci.org/docs/administration/server-config
|
||||||
# https://woodpecker-ci.org/docs/administration/vcs/gitea
|
# https://woodpecker-ci.org/docs/administration/forges/gitea
|
||||||
|
|
||||||
# auth callback /authorize
|
# auth callback /authorize
|
||||||
|
|
||||||
|
|
|
@ -106,6 +106,7 @@ sudo apk update && sudo apk upgrade && sudo apk add \
|
||||||
git \
|
git \
|
||||||
htop \
|
htop \
|
||||||
nano \
|
nano \
|
||||||
|
nftables \
|
||||||
qemu-guest-agent \
|
qemu-guest-agent \
|
||||||
sudo \
|
sudo \
|
||||||
tree \
|
tree \
|
||||||
|
@ -154,11 +155,18 @@ To mount all:
|
||||||
sudo mount -a
|
sudo mount -a
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### ntp
|
||||||
|
|
||||||
|
```sh
|
||||||
|
rc-update add ntpd
|
||||||
|
service ntpd start
|
||||||
|
```
|
||||||
|
|
||||||
### checkout repo
|
### checkout repo
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
cd /opt
|
cd /opt
|
||||||
sudo git clone https://git.csprung.de/carsten/container-server.git
|
sudo git clone <this repo's url>
|
||||||
```
|
```
|
||||||
|
|
||||||
### awall
|
### awall
|
||||||
|
@ -184,3 +192,9 @@ https://wiki.alpinelinux.org/wiki/Docker
|
||||||
rc-update add docker
|
rc-update add docker
|
||||||
service docker start
|
service docker start
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### cron
|
||||||
|
|
||||||
|
```sh
|
||||||
|
cp -r /opt/container-server/setup/cron/* /etc/periodic/
|
||||||
|
```
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
"variable": {
|
"variable": {
|
||||||
"loop_if": "lo",
|
"loop_if": "lo",
|
||||||
"internet_if": "eth0",
|
"internet_if": "eth0",
|
||||||
"container_if": "docker+"
|
"container_if": ["docker+", "br-+"]
|
||||||
},
|
},
|
||||||
|
|
||||||
"zone": {
|
"zone": {
|
||||||
|
|
3
setup/cron/weekly/docker-prune
Executable file
3
setup/cron/weekly/docker-prune
Executable file
|
@ -0,0 +1,3 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
docker system prune --volumes --force | tail -n 1 && df -h | grep -v overlay
|
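Review bot: `docker system prune --volumes --force` run unattended every week deletes every named volume not attached to a running container, so any service that happens to be stopped when cron fires (maintenance, a crashed container, a temporarily disabled service) loses that data irreversibly and without a prompt; drop `--volumes` from the weekly job and prune volumes by hand. The `&&` after the pipeline tests `tail`'s exit status, not `docker`'s, so a failed prune still prints the disk report and exits 0; `pipefail` is not available in plain `/bin/sh`, so run the prune on its own line and check its status before the `df`. Most data here appears to live in bind mounts under `${BASE_DIR}`, which this flag does not touch, but the blast radius is still every volume on the host.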
|
@ -8,7 +8,7 @@ includes:
|
||||||
|
|
||||||
vars:
|
vars:
|
||||||
COMPOSE_FILES:
|
COMPOSE_FILES:
|
||||||
sh: touch enabled ; find ./services -iname docker-compose.yml | grep -f enabled || >&2 echo "=== No services enabled ==="
|
sh: touch enabled ; find ./services -iname docker-compose.yml | grep -f enabled || exit 0
|
||||||
COMPOSE_ARGS: -f services/docker-compose.yml -f {{.COMPOSE_FILES | splitLines | join " -f "}}
|
COMPOSE_ARGS: -f services/docker-compose.yml -f {{.COMPOSE_FILES | splitLines | join " -f "}}
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
|
@ -43,6 +43,13 @@ tasks:
|
||||||
cmds:
|
cmds:
|
||||||
- "docker-compose {{.COMPOSE_ARGS}} restart {{.CLI_ARGS}}"
|
- "docker-compose {{.COMPOSE_ARGS}} restart {{.CLI_ARGS}}"
|
||||||
|
|
||||||
|
recreate:
|
||||||
|
desc: Recreate given or active services
|
||||||
|
deps:
|
||||||
|
- util:template
|
||||||
|
cmds:
|
||||||
|
- "docker-compose {{.COMPOSE_ARGS}} up -d --force-recreate {{.CLI_ARGS}}"
|
||||||
|
|
||||||
stop:
|
stop:
|
||||||
desc: Stop given or all services
|
desc: Stop given or all services
|
||||||
cmds:
|
cmds:
|
||||||
|
|
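Review bot: Replacing the stderr warning with `|| exit 0` in the `COMPOSE_FILES` shell var makes the no-services case silent, and `COMPOSE_ARGS` then appears to expand to `-f services/docker-compose.yml -f ` with a dangling `-f`, so docker-compose fails with a message that no longer points at the real cause; keep the diagnostic, e.g. `|| { >&2 echo "=== No services enabled ==="; exit 0; }`. Note also that `grep -f enabled` treats each line of `enabled` as a regular expression, so a stray blank line enables every service and a dot matches any character; a comment on the file's expected format, or `grep -F -f enabled` for the dot case, would make that explicit. The new `recreate` task mirrors the existing ones and looks fine.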
|
@ -28,4 +28,3 @@ tasks:
|
||||||
cmds:
|
cmds:
|
||||||
- mkdir -p /usr/local/share/zsh/site-functions
|
- mkdir -p /usr/local/share/zsh/site-functions
|
||||||
- wget -O /usr/local/share/zsh/site-functions/_task https://raw.githubusercontent.com/go-task/task/master/completion/zsh/_task
|
- wget -O /usr/local/share/zsh/site-functions/_task https://raw.githubusercontent.com/go-task/task/master/completion/zsh/_task
|
||||||
|
|
||||||
|
|
|
@ -17,7 +17,12 @@ tasks:
|
||||||
mail-setup:
|
mail-setup:
|
||||||
desc: Docker-Mailserver setup utility
|
desc: Docker-Mailserver setup utility
|
||||||
cmds:
|
cmds:
|
||||||
- "docker exec mail setup {{.CLI_ARGS}}"
|
- "docker exec -i mail setup {{.CLI_ARGS}}"
|
||||||
|
|
||||||
|
occ:
|
||||||
|
desc: Nextcloud cli
|
||||||
|
cmds:
|
||||||
|
- "docker exec -u 33 nextcloud php ./occ {{.CLI_ARGS}}"
|
||||||
|
|
||||||
psql-dump:
|
psql-dump:
|
||||||
desc: Dump postgres database for backup or update
|
desc: Dump postgres database for backup or update
|
||||||
|
@ -29,7 +34,7 @@ tasks:
|
||||||
psql-restore:
|
psql-restore:
|
||||||
desc: Load postgres database for restore
|
desc: Load postgres database for restore
|
||||||
cmds:
|
cmds:
|
||||||
- docker exec pg-{{.CLI_ARGS}} psql --echo-errors -U {{.CLI_ARGS}} -d {{.CLI_ARGS}} < {{.TMP_DIR}}/{{.CLI_ARGS}}.sql
|
- docker exec -i pg-{{.CLI_ARGS}} psql --echo-errors -U {{.CLI_ARGS}} < {{.TMP_DIR}}/{{.CLI_ARGS}}.sql
|
||||||
|
|
||||||
psql-clear-tmp:
|
psql-clear-tmp:
|
||||||
desc: Clear temporary sql files created by psql-dump
|
desc: Clear temporary sql files created by psql-dump
|
||||||
|
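Review bot: `psql --echo-errors` in the rewritten `psql-restore` command reports SQL errors but keeps executing the rest of the dump and exits 0, so a partially applied restore is indistinguishable from a successful one to the task runner; add `-v ON_ERROR_STOP=1` (and ideally `--single-transaction`) so the first error aborts the restore and the task fails. Dropping `-d {{.CLI_ARGS}}` relies on psql's default of connecting to the database named after the role, which only holds because the compose files visible here use the same name for role and database; that assumption deserves a comment on the line. The new `occ` task hard-codes `-u 33`; a short `# www-data inside the nextcloud image` comment would spare the next reader a lookup.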
|