diff --git a/README.md b/README.md index 35c26cb..79d2002 100644 --- a/README.md +++ b/README.md @@ -122,7 +122,8 @@ The aims is to provide a ready-to-run recipes that you can just copy, paste and # Docker Managers - [Diun](apps/docker/diun.md) -- [nginx-proxy-manager](apps/docker/npm.md) +- [Doku](apps/docker/doku.md) +- [Portainer](apps/docker/portainer.md) - [WatchTower](apps/docker/watch-tower.md) @@ -286,8 +287,11 @@ The aims is to provide a ready-to-run recipes that you can just copy, paste and - [change-detection](apps/other/change-detection.md) - [Cockpit](apps/other/cockpit.md) - [Code server](apps/other/code.md) +- [Crowdsec](apps/other/crowdsec.md) +- [Firefox](apps/other/firefox.md) - [Firefox sync server](apps/other/firefox-sync.md) - [LanguageTool server](apps/other/language-tool.md) +- [Ntfy](apps/other/ntfy.md) - [VPN client](apps/other/vpn.md) - [OpenSpeedTest](apps/other/openspeedtest.md) @@ -329,9 +333,11 @@ The aims is to provide a ready-to-run recipes that you can just copy, paste and # Reverse proxy & SSO - [Authelia](apps/reverse-proxy-sso/authelia.md) -- [Traefik](apps/reverse-proxy-sso/traefik.md) - [Caddy](https://caddyserver.com/) 🔗 - very good web server with reverse-proxy & automatic https. -- [Nginx Proxy Manager](https://nginxproxymanager.com/) 🔗 - another nice solution based on the battle-tested & probably the most popular web-server - nginx. It has a pretty UI that allows to manage the services. +- [lldap](https://github.com/nitnelave/lldap/) 🔗 - simple ldap implementation with a nice UI. +- [nginx-proxy-manager](apps/reverse-proxy-sso/npm.md) +- [Traefik](apps/reverse-proxy-sso/traefik.md) + diff --git a/apps/cloud/filerun.md b/apps/cloud/filerun.md index 9bc90f1..343b95a 100644 --- a/apps/cloud/filerun.md +++ b/apps/cloud/filerun.md @@ -17,7 +17,7 @@ ## docker-compose.yml ```yml -version: '2' +--- services: db: image: mariadb:10.1 
@@ -29,10 +29,10 @@ services: MYSQL_PASSWORD: db_user_password_01 MYSQL_DATABASE: filerundb volumes: - - ./data/db:/var/lib/mysql + - ./db:/var/lib/mysql - web: - image: afian/filerun + filerun: + image: filerun/filerun container_name: filerun restart: unless-stopped environment: @@ -42,8 +42,8 @@ services: FR_DB_USER: db_user FR_DB_PASS: db_user_password_01 APACHE_RUN_USER: www-data - APACHE_RUN_USER_ID: 33 APACHE_RUN_GROUP: www-data + APACHE_RUN_USER_ID: 33 APACHE_RUN_GROUP_ID: 33 depends_on: - db @@ -52,14 +52,6 @@ services: ports: - "3090:80" volumes: - - ./data/html:/var/www/html - - ./data/user-files:/user-files + - ./html:/var/www/html + - ./user-files:/user-files ``` - -## Running -Create the folders first: -```sh -mkdir /data /data/html /data/user-files -``` - -The default FileRun credentials are: superuser:superuser diff --git a/apps/docker/doku.md b/apps/docker/doku.md new file mode 100644 index 0000000..fd94cd4 --- /dev/null +++ b/apps/docker/doku.md @@ -0,0 +1,24 @@ +# Doku +Doku is a web-based Docker disk usage monitor. + +
+ +- [Homepage](https://docker-disk.space) +- [Github repo](https://github.com/amerkurev/doku) + +![Screenshot](doku.png) + + +## docker-compose.yml +```yml +--- +services: + doku: + image: amerkurev/doku + container_name: doku + ports: + - 9090:9090 + volumes: + - '/var/run/docker.sock:/var/run/docker.sock:ro' + - '/:/hostroot:ro' +``` diff --git a/apps/docker/doku.png b/apps/docker/doku.png new file mode 100644 index 0000000..a498b4e Binary files /dev/null and b/apps/docker/doku.png differ diff --git a/apps/docker/portainer.md b/apps/docker/portainer.md new file mode 100644 index 0000000..9608ecd --- /dev/null +++ b/apps/docker/portainer.md @@ -0,0 +1,24 @@ +# Portainer +A nice UI for managing docker/kubernetes/swarm containers. + +
+ +- [Homepage](https://www.portainer.io) +- [Github repo](https://github.com/portainer/portainer) + + +## docker-compose.yml +```yml +--- +services: + portainer: + image: portainer/portainer-ce + container_name: portainer + restart: unless-stopped + ports: + - 8000:8000 + - 9443:9443 + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - ./data:/data +``` diff --git a/apps/downloads/qbit.md b/apps/downloads/qbit.md index 94901f4..12abbed 100644 --- a/apps/downloads/qbit.md +++ b/apps/downloads/qbit.md @@ -1,5 +1,6 @@ # qbittorrent - ugly as hell +- less ugly with docker-mods theme - probably the best (as of today)
@@ -14,7 +15,6 @@ ## docker-compose.yml ```yml --- -version: "2.1" services: qbittorrent: image: linuxserver/qbittorrent @@ -26,6 +26,9 @@ services: - TZ=Europe/Dublin - UMASK_SET=022 - WEBUI_PORT=3030 + # apply a nice UI theme https://docs.theme-park.dev/setup/#docker-mods + - DOCKER_MODS=ghcr.io/gilbn/theme.park:qbittorrent + - TP_THEME=space-gray volumes: - ./config:/config - ./downloads:/downloads diff --git a/apps/monitors/uptime-kuma.md b/apps/monitors/uptime-kuma.md index 7d94d9b..df6cffd 100644 --- a/apps/monitors/uptime-kuma.md +++ b/apps/monitors/uptime-kuma.md @@ -16,7 +16,6 @@ It is a self-hosted monitoring tool like "Uptime Robot". ## docker-compose.yml ```yml -version: '3.3' services: uptime-kuma: image: louislam/uptime-kuma diff --git a/apps/other/crowdsec.md b/apps/other/crowdsec.md new file mode 100644 index 0000000..ea577df --- /dev/null +++ b/apps/other/crowdsec.md @@ -0,0 +1,150 @@ +# Crowdsec + +It's basically a self-hosted crowd-based firewall. +Setup is a bit cumbersome but (probably) well worth it :-) + +
+ +- [Homepage](https://www.crowdsec.net) +- [Github repo](https://github.com/crowdsecurity/crowdsec) +- [Docker Hub](https://hub.docker.com/r/crowdsecurity/crowdsec) +- [Crowdsec Hub](https://hub.crowdsec.net) +- [Traefik bouncer](https://github.com/fbonalair/traefik-crowdsec-bouncer) +- [Collections](https://hub.crowdsec.net/browse/#collections) + + + +## How does that work +- There are 2 parts of the solution: analyser & bouncer +- Crowdsec container (below) just basically analyses your server logs +- Bouncer container (below) uses the analysis to bounce off the potential attacks + +## Local Setup +This describes how to setup crowdsec with traefik bouncer. There are other bouncers you can use (if you don't use traefik). + +1. Create 2 files with the following content (`acquis.yml` and `docker-compose.yml`). Remember to update the paths to your logs in `docker-compose.yml`! +2. Start the containers (`docker compose up -d`) +3. Wait a minute or so (until it finishes installing collections), you can follow the logs to see what's going on (`docker compose logs -f`) +4. Add bouncer to the crowdsec instance: + ```sh + docker exec crowdsec cscli bouncers add traefik-bouncer + ``` +5. Copy the API key printed in the command output and paste it back in the `docker-compose.yml` in the bouncer config (`CROWDSEC_BOUNCER_API_KEY`) +6. Restart the containers +7. That's it. + +## Online console +Unless you want to have an online console, than do this as well: +1. Register at https://app.crowdsec.net/ +2. Enroll your instance, with the API key from there, e.g.: + ```sh + docker exec crowdsec cscli console enroll cl8m56qpu00060vlcwgj898z0 + ``` + +## Traefik middleware +1. Add traefik middleweare in the dynamic config, e.g. + ```toml + [http.middlewares.crowdsec.forwardauth] + address = "http://:3300/api/v1/forwardAuth" + ``` +2. Use this middleware in your services, e.g. 
+ ```toml + [http.routers.authelia] + rule ="Host(`login.domain.com`)" + service = "authelia" + tls = { } + middlewares = [ "crowdsec" ] + ``` + + +## acquis.yml +```yml +--- +filenames: + - /logs/auth.log + - /logs/syslog + - /logs/kern.log +labels: + type: syslog + +--- +filenames: + - /logs/apache2/*.log + - /logs/*httpd*.log + - /logs/httpd/*log +labels: + type: apache2 + +--- +filenames: + - /logs/nginx/*.log +labels: + type: nginx + +--- +filenames: + - /logs/authelia.log +labels: + type: authelia + +--- +filenames: + - /logs/traefik/*.log +labels: + type: traefik +``` + +## docker-compose.yml +```yml +--- +services: + crowdsec: + image: crowdsecurity/crowdsec + container_name: crowdsec + restart: unless-stopped + environment: + - GID="${GID-1000}" + - COLLECTIONS=crowdsecurity/linux crowdsecurity/iptables crowdsecurity/apache2 crowdsecurity/sshd crowdsecurity/traefik LePresidente/authelia crowdsecurity/nginx crowdsecurity/base-http-scenarios + volumes: + - /var/log/auth.log:/logs/auth.log:ro + - /var/log/syslog.log:/logs/syslog.log:ro + - /var/log/kern.log:/logs/kern.log:ro + - /var/log/apache:/logs/apache:ro + - /var/log/httpd:/logs/httpd:ro + - /var/log/authelia.log:/logs/authelia.log:ro + - /var/log/traefik/logs:/logs/traefik:ro + + - ./acquis.yml:/etc/crowdsec/acquis.yaml + - ./data:/var/lib/crowdsec/data/ + - ./config:/etc/crowdsec/ + + bouncer: + image: fbonalair/traefik-crowdsec-bouncer + container_name: crowdsec-bouncer + restart: unless-stopped + environment: + - PORT=8090 + - CROWDSEC_BOUNCER_API_KEY=changeme + - CROWDSEC_AGENT_HOST=crowdsec:8080 + ports: + - 3300:8090 +``` + + +## Useful commands + +1. List installed items +```sh +docker exec crowdsec cscli scenarios list +docker exec crowdsec cscli collections list +docker exec crowdsec cscli parsers list +``` + +2. 
Block/unblock an ip +```sh +docker exec crowdsec cscli decisions add --ip 192.168.1.1 +docker exec crowdsec cscli decisions remove --ip 192.168.1.1 +docker exec crowdsec cscli decisions list +docker exec crowdsec cscli decisions help # display help on decisions command +docker exec crowdsec cscli decisions add --help # display help on add command +``` diff --git a/apps/other/firefox.md b/apps/other/firefox.md new file mode 100644 index 0000000..6be0e5b --- /dev/null +++ b/apps/other/firefox.md @@ -0,0 +1,29 @@ +# Firefox +It's a browser inside a browser! + +- Very useful when you need to check a site that is blocked by your provider (work/school) (assuming that the firefox instance you host is not blocked). +- a bit slow, but it works! + +
+ +- [Github repo](https://github.com/linuxserver/docker-firefox) + + +## docker-compose.yml +```yml +--- +services: + firefox: + image: lscr.io/linuxserver/firefox:latest + container_name: firefox + shm_size: "1gb" + restart: unless-stopped + environment: + - PUID=1000 + - PGID=1000 + - TZ=Europe/Dublin + ports: + - 3123:3000 + volumes: + - ./config:/config +``` diff --git a/apps/other/ntfy.md b/apps/other/ntfy.md new file mode 100644 index 0000000..6468afa --- /dev/null +++ b/apps/other/ntfy.md @@ -0,0 +1,54 @@ +# NTFY +A self-hosted notification server (like pushover). + +- has mobile apps for ios and android +- interesting conceptually (simple pub-sub) +- very easy to use (from curl to php) +- notifications arrive promptly, within seconds (1 - 10) (not as instant as e.g. pushover) +- sometimes apps need to be restarted to show notifications (sometimes a notification shows up in notification center, but not in the app) +- no sync between clients - i.e. the same notification must be marked as read or dismissed in all subscribers (in pushover, when I read one on my phone - it shows as read on laptop) + +
+ +- [Homepage](https://ntfy.sh) +- [Github repo](https://github.com/binwiederhier/ntfy) +- [Docs](https://ntfy.sh/docs/) + + +## ntfy/server.yml +```yml +# options: https://ntfy.sh/docs/config/ + +base-url: https://ntfy.domain.com + +# needed for performance +cache-file: /var/cache/ntfy/cache.db +cache-duration: "12h" +cache-startup-queries: | + pragma journal_mode = WAL; + pragma synchronous = normal; + pragma temp_store = memory; + +# This is needed for instant mobile notifications +upstream-base-url: "https://ntfy.sh" +``` + + +## docker-compose.yml +```yml +--- +services: + ntfy: + image: binwiederhier/ntfy + container_name: ntfy + restart: unless-stopped + command: + - serve + environment: + - TZ=Europe/Dublin + volumes: + - ./cache:/var/cache/ntfy + - ./ntfy:/etc/ntfy + ports: + - 3040:80 +``` diff --git a/apps/docker/npm.md b/apps/reverse-proxy-sso/npm.md similarity index 100% rename from apps/docker/npm.md rename to apps/reverse-proxy-sso/npm.md
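Review bot: apps/cloud/filerun.md, the hunk that renames `web` to `filerun` and swaps `afian/filerun` for `filerun/filerun`, also moves the bind mount from `./data/db` to `./db`, so anyone who already runs the old recipe and copies the new one gets an empty database (and, in the next hunk, a fresh install directory and an empty user-files tree) next to their existing data. A one-line migration note (`mv data/db db`, and the same for `html` and `user-files`) would prevent that. Two things in the unchanged context are worth fixing in the same pass: `mariadb:10.1` is long past end-of-life, and `db_user_password_01` / `MYSQL_PASSWORD` are placeholders that the text never tells the reader to change.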
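Review bot: apps/cloud/filerun.md, the `## Running` hunk, deletes `The default FileRun credentials are: superuser:superuser`, which was the only place the recipe told the reader about the default login; with `"3090:80"` published on every interface a fresh instance sits at a known password until someone changes it. Dropping the `mkdir` lines is fine (Docker creates missing bind-mount directories on its own), but keep the credentials line and add that the password must be changed at first login, or remove it only if the new image no longer ships that default (the diff does not say either way).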
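Review bot: apps/docker/doku.md: the `:ro` on `/var/run/docker.sock:/var/run/docker.sock:ro` gives no protection worth relying on; a read-only bind mount only stops the container creating files under that path, while a process can still connect to the socket and issue any Docker API call (including starting a privileged container), which is root on the host. Together with `/:/hostroot:ro`, which hands the container every file on the host (`/etc/shadow`, private keys, other containers' volumes), and `9090:9090` published on all interfaces with no authentication in the recipe, this page needs a warning line: bind the port to `127.0.0.1`, or front it with the Authelia/Traefik setup the README lists, and consider a docker socket proxy that only exposes the read-only endpoints a disk-usage monitor needs. Style: every other recipe sets `restart: unless-stopped`; this one omits it.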
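Review bot: apps/docker/portainer.md: `8000:8000` is the Edge agent tunnel port, and nothing in the recipe uses Edge agents, so drop it or say when it is needed. With `/var/run/docker.sock` mounted read-write the Portainer admin account is root-equivalent on the host, yet `9443:9443` is published on all interfaces with the default self-signed certificate; bind it to `127.0.0.1` or put it behind the Authelia/Traefik setup the README lists. Two first-run facts the doc should mention: Portainer CE only allows creating the initial admin user for a short window after start (five minutes in current releases) and locks itself until restarted otherwise, and `image: portainer/portainer-ce` with no tag tracks `latest`, which for a service with host-root access is worth pinning (the same applies to the other new recipes in this patch: `amerkurev/doku`, `crowdsecurity/crowdsec`, `fbonalair/traefik-crowdsec-bouncer`, `binwiederhier/ntfy`).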
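Review bot: apps/downloads/qbit.md, the `DOCKER_MODS` hunk: `DOCKER_MODS=ghcr.io/gilbn/theme.park:qbittorrent` is not just a theme setting; the linuxserver init pulls that image from the registry on every container start and unpacks its contents into the container as root before qbittorrent comes up, with nothing pinning what the tag resolves to. The comment should say that this is a trust decision (whoever controls that tag controls code that runs in the container), and if reproducibility matters, suggest a specific tag rather than the floating one.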
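Review bot: apps/monitors/uptime-kuma.md: the other files in this patch replace the removed `version:` line with a `---` document marker (filerun, qbit, doku, portainer), while this hunk only deletes it, so the fence opens straight into `services:`. Harmless, but pick one convention for all recipes.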
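Review bot: apps/other/crowdsec.md, the "Online console" step, commits what looks like a real enrollment key (`cscli console enroll cl8m56qpu00060vlcwgj898z0`); that key binds an instance to the author's console account, so replace it with a placeholder such as `<enrollment-key>` and rotate it in the console, and reword "Unless you want to have an online console, than do this" to "If you want the online console, also do this". Several wiring bugs in the same file: the acquis and volume lists do not match, e.g. acquis reads `/logs/syslog` and `/logs/apache2/*.log` while the compose mounts `/var/log/syslog.log:/logs/syslog.log:ro` (a host file that normally does not exist; Debian/Ubuntu use `/var/log/syslog`) and `/var/log/apache:/logs/apache:ro`, and `/logs/nginx/*.log` has no mount at all, so those sources are silently never read. Note too that a missing host path in a bind mount is created as an empty root-owned directory, and that bind-mounting single log files breaks as soon as logrotate replaces the inode, so mounting the parent directories read-only is more robust. `- GID="${GID-1000}"` passes the double quotes into the container verbatim (the value becomes `"1000"`); write `- GID=${GID-1000}`. The Traefik middleware `address = "http://:3300/api/v1/forwardAuth"` has no host; if Traefik shares the compose network it can target `http://crowdsec-bouncer:8090/api/v1/forwardAuth` (the container name and `PORT` from the compose file), which also removes the need for `3300:8090`, currently published on every interface where any host on the network can query the bouncer. Finally, `COLLECTIONS` pulls in `crowdsecurity/sshd` and `crowdsecurity/iptables`, but the only bouncer defined is the Traefik one, so SSH brute force is detected and recorded as a decision without ever being blocked; say so under "How does that work" or add the firewall bouncer, and move the pasted `CROWDSEC_BOUNCER_API_KEY` into a `.env` entry so the secret stays out of the committed compose file.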
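Review bot: apps/other/firefox.md, the `3123:3000` port mapping: nothing in this compose file authenticates the web GUI, so anyone who can reach port 3123 gets a full Firefox session running as PUID 1000, over plain HTTP, with the persisted `./config` profile (cookies, saved logins, history). The image's own `CUSTOM_USER` / `PASSWORD` variables add HTTP basic auth, but the better fit here is the Authelia/Traefik setup the README already lists, with the port bound as `127.0.0.1:3123:3000` or not published at all; given the stated use case is reaching this from networks you do not control, the doc should at least say it must not be exposed as written.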
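Review bot: apps/other/ntfy.md, `server.yml`: nothing here restricts access, and ntfy's default is that anyone who can reach `base-url: https://ntfy.domain.com` can publish to and subscribe to any topic, so the topic name is the only secret protecting the notifications. Add `auth-file: /var/lib/ntfy/user.db` and `auth-default-access: deny-all` (both documented ntfy options) with a matching `./auth:/var/lib/ntfy` volume, and create a user with `ntfy user add`; if the service sits behind the repo's Traefik, `behind-proxy: true` makes rate limiting key on the real client address instead of the proxy's. The comment on `upstream-base-url` should also spell out the data flow it enables: every published message makes the self-hosted server call out to ntfy.sh, which per the linked config docs receives a poll request carrying the message ID rather than the content; readers who self-host for privacy will want that stated. Minor: "needed for performance" on the cache block is not quite it; the cache is what lets clients fetch the messages they missed while offline.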