Merge branch 'master' of https://github.com/tborychowski/self-hosted-cookbook

* 'master' of https://github.com/tborychowski/self-hosted-cookbook: add crowdsec setup lldap filerun update doku . add firefox browser ntfy add portainer; move nginx-p-m to the correct group
2025-06-27 13:15:23 +00:00 · 2022-10-02 11:28:18 +01:00 · 2022-10-02 11:28:18 +01:00 · 7a3bcbe52b
commit 7a3bcbe52b
parent 7ab9bacdcd 47e12b3e66
11 changed files with 301 additions and 20 deletions
--- a/README.md
+++ b/README.md
@ -122,7 +122,8 @@ The aims is to provide a ready-to-run recipes that you can just copy, paste and
 # Docker Managers
 - [Diun](apps/docker/diun.md)
- [nginx-proxy-manager](apps/docker/npm.md)
+- [Doku](apps/docker/doku.md)
 - [Portainer](apps/docker/portainer.md)
 - [WatchTower](apps/docker/watch-tower.md)
@ -286,8 +287,11 @@ The aims is to provide a ready-to-run recipes that you can just copy, paste and
 - [change-detection](apps/other/change-detection.md)
 - [Cockpit](apps/other/cockpit.md)
 - [Code server](apps/other/code.md)
 - [Crowdsec](apps/other/crowdsec.md)
 - [Firefox](apps/other/firefox.md)
 - [Firefox sync server](apps/other/firefox-sync.md)
 - [LanguageTool server](apps/other/language-tool.md)
 - [Ntfy](apps/other/ntfy.md)
 - [VPN client](apps/other/vpn.md)
 - [OpenSpeedTest](apps/other/openspeedtest.md)
@ -329,9 +333,11 @@ The aims is to provide a ready-to-run recipes that you can just copy, paste and
 # Reverse proxy & SSO
 - [Authelia](apps/reverse-proxy-sso/authelia.md)
 - [Traefik](apps/reverse-proxy-sso/traefik.md)
 - [Caddy](https://caddyserver.com/) 🔗 - very good web server with reverse-proxy & automatic https.
- [Nginx Proxy Manager](https://nginxproxymanager.com/) 🔗 - another nice solution based on the battle-tested & probably the most popular web-server - nginx. It has a pretty UI that allows to manage the services.
+- [lldap](https://github.com/nitnelave/lldap/) 🔗 - simple ldap implementation with a nice UI.
 - [nginx-proxy-manager](apps/reverse-proxy-sso/npm.md)
 - [Traefik](apps/reverse-proxy-sso/traefik.md)
--- a/apps/cloud/filerun.md
+++ b/apps/cloud/filerun.md
@ -17,7 +17,7 @@
 ## docker-compose.yml
 ```yml
-version: '2'
+---
 services:
  db:
    image: mariadb:10.1
@ -29,10 +29,10 @@ services:
      MYSQL_PASSWORD: db_user_password_01
      MYSQL_DATABASE: filerundb
    volumes:
-      - ./data/db:/var/lib/mysql
+      - ./db:/var/lib/mysql
-  web:
+  filerun:
-    image: afian/filerun
+    image: filerun/filerun
    container_name: filerun
    restart: unless-stopped
    environment:
@ -42,8 +42,8 @@ services:
      FR_DB_USER: db_user
      FR_DB_PASS: db_user_password_01
      APACHE_RUN_USER: www-data
      APACHE_RUN_USER_ID: 33
      APACHE_RUN_GROUP: www-data
      APACHE_RUN_USER_ID: 33
      APACHE_RUN_GROUP_ID: 33
    depends_on:
      - db
@ -52,14 +52,6 @@ services:
    ports:
      - "3090:80"
    volumes:
-      - ./data/html:/var/www/html
+      - ./html:/var/www/html
-      - ./data/user-files:/user-files
+      - ./user-files:/user-files
 ```
 ## Running
 Create the folders first:
 ```sh
 mkdir /data /data/html /data/user-files
 ```
 The default FileRun credentials are: superuser:superuser
--- a/apps/docker/doku.md
+++ b/apps/docker/doku.md
@ -0,0 +1,24 @@
 # Doku
 Doku is a web-based Docker disk usage monitor.
 <br>
 - [Homepage](https://docker-disk.space)
 - [Github repo](https://github.com/amerkurev/doku)
 ![Screenshot](doku.png)
 ## docker-compose.yml
 ```yml
 ---
 services:
  doku:
    image: amerkurev/doku
    container_name: doku
    ports:
      - 9090:9090
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock:ro'
      - '/:/hostroot:ro'
 ```
--- a/apps/docker/doku.png
+++ b/apps/docker/doku.png
--- a/apps/docker/portainer.md
+++ b/apps/docker/portainer.md
@ -0,0 +1,24 @@
 # Portainer
 A nice UI for managing docker/kubernetes/swarm containers.
 <br>
 - [Homepage](https://www.portainer.io)
 - [Github repo](https://github.com/portainer/portainer)
 ## docker-compose.yml
 ```yml
 ---
 services:
  portainer:
    image: portainer/portainer-ce
    container_name: portainer
    restart: unless-stopped
    ports:
      - 8000:8000
      - 9443:9443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data:/data
 ```
--- a/apps/downloads/qbit.md
+++ b/apps/downloads/qbit.md
@ -1,5 +1,6 @@
 # qbittorrent
 - ugly as hell
 - less ugly with docker-mods theme
 - probably the best (as of today)
 <br>
@ -14,7 +15,6 @@
 ## docker-compose.yml
 ```yml
 ---
 version: "2.1"
 services:
  qbittorrent:
    image: linuxserver/qbittorrent
@ -26,6 +26,9 @@ services:
      - TZ=Europe/Dublin
      - UMASK_SET=022
      - WEBUI_PORT=3030
 	  # apply a nice UI theme https://docs.theme-park.dev/setup/#docker-mods
      - DOCKER_MODS=ghcr.io/gilbn/theme.park:qbittorrent
      - TP_THEME=space-gray
    volumes:
      - ./config:/config
      - ./downloads:/downloads
--- a/apps/monitors/uptime-kuma.md
+++ b/apps/monitors/uptime-kuma.md
@ -16,7 +16,6 @@ It is a self-hosted monitoring tool like "Uptime Robot".
 ## docker-compose.yml
 ```yml
 version: '3.3'
 services:
  uptime-kuma:
    image: louislam/uptime-kuma
--- a/apps/other/crowdsec.md
+++ b/apps/other/crowdsec.md
@ -0,0 +1,150 @@
 # Crowdsec
 It's basically a self-hosted crowd-based firewall.
 Setup is a bit cumbersome but (probably) well worth it :-)
 <br>
 - [Homepage](https://www.crowdsec.net)
 - [Github repo](https://github.com/crowdsecurity/crowdsec)
 - [Docker Hub](https://hub.docker.com/r/crowdsecurity/crowdsec)
 - [Crowdsec Hub](https://hub.crowdsec.net)
 - [Traefik bouncer](https://github.com/fbonalair/traefik-crowdsec-bouncer)
 - [Collections](https://hub.crowdsec.net/browse/#collections)
 ## How does that work
 - There are 2 parts of the solution: analyser & bouncer
 - Crowdsec container (below) just basically analyses your server logs
 - Bouncer container (below) uses the analysis to bounce off the potential attacks
 ## Local Setup
 This describes how to setup crowdsec with traefik bouncer. There are other bouncers you can use (if you don't use traefik).
 1. Create 2 files with the following content (`acquis.yml` and `docker-compose.yml`). Remember to update the paths to your logs in `docker-compose.yml`!
 2. Start the containers (`docker compose up -d`)
 3. Wait a minute or so (until it finishes installing collections), you can follow the logs to see what's going on (`docker compose logs -f`)
 4. Add bouncer to the crowdsec instance:
    ```sh
    docker exec crowdsec cscli bouncers add traefik-bouncer
    ```
 5. Copy the API key printed in the command output and paste it back in the `docker-compose.yml` in the bouncer config (`CROWDSEC_BOUNCER_API_KEY`)
 6. Restart the containers
 7. That's it.
 ## Online console
 Unless you want to have an online console, than do this as well:
 1. Register at https://app.crowdsec.net/
 2. Enroll your instance, with the API key from there, e.g.:
    ```sh
    docker exec crowdsec cscli console enroll cl8m56qpu00060vlcwgj898z0
    ```
 ## Traefik middleware
 1. Add traefik middleweare in the dynamic config, e.g.
    ```toml
    [http.middlewares.crowdsec.forwardauth]
    address = "http://<server ip>:3300/api/v1/forwardAuth"
    ```
 2. Use this middleware in your services, e.g.
    ```toml
    [http.routers.authelia]
    rule ="Host(`login.domain.com`)"
    service = "authelia"
    tls = { }
    middlewares = [ "crowdsec" ]
    ```
 ## acquis.yml
 ```yml
 ---
 filenames:
 - /logs/auth.log
 - /logs/syslog
 - /logs/kern.log
 labels:
  type: syslog
 ---
 filenames:
  - /logs/apache2/*.log
  - /logs/*httpd*.log
  - /logs/httpd/*log
 labels:
  type: apache2
 ---
 filenames:
  - /logs/nginx/*.log
 labels:
  type: nginx
 ---
 filenames:
 - /logs/authelia.log
 labels:
  type: authelia
 ---
 filenames:
  - /logs/traefik/*.log
 labels:
  type: traefik
 ```
 ## docker-compose.yml
 ```yml
 ---
 services:
  crowdsec:
    image: crowdsecurity/crowdsec
    container_name: crowdsec
    restart: unless-stopped
    environment:
      - GID="${GID-1000}"
      - COLLECTIONS=crowdsecurity/linux crowdsecurity/iptables crowdsecurity/apache2 crowdsecurity/sshd crowdsecurity/traefik LePresidente/authelia crowdsecurity/nginx crowdsecurity/base-http-scenarios
    volumes:
      - /var/log/auth.log:/logs/auth.log:ro
      - /var/log/syslog.log:/logs/syslog.log:ro
      - /var/log/kern.log:/logs/kern.log:ro
      - /var/log/apache:/logs/apache:ro
      - /var/log/httpd:/logs/httpd:ro
      - /var/log/authelia.log:/logs/authelia.log:ro
      - /var/log/traefik/logs:/logs/traefik:ro
      - ./acquis.yml:/etc/crowdsec/acquis.yaml
      - ./data:/var/lib/crowdsec/data/
      - ./config:/etc/crowdsec/
  bouncer:
    image: fbonalair/traefik-crowdsec-bouncer
    container_name: crowdsec-bouncer
    restart: unless-stopped
    environment:
      - PORT=8090
      - CROWDSEC_BOUNCER_API_KEY=changeme
      - CROWDSEC_AGENT_HOST=crowdsec:8080
    ports:
      - 3300:8090
 ```
 ## Useful commands
 1. List installed items
 ```sh
 docker exec crowdsec cscli scenarios list
 docker exec crowdsec cscli collections list
 docker exec crowdsec cscli parsers list
 ```
 2. Block/unblock an ip
 ```sh
 docker exec crowdsec cscli decisions add --ip 192.168.1.1
 docker exec crowdsec cscli decisions remove --ip 192.168.1.1
 docker exec crowdsec cscli decisions list
 docker exec crowdsec cscli decisions help			# display help on decisions command
 docker exec crowdsec cscli decisions add --help		# display help on add command
 ```
--- a/apps/other/firefox.md
+++ b/apps/other/firefox.md
@ -0,0 +1,29 @@
 # Firefox
 It's a browser inside a browser!
 - Very useful when you need to check a site that is blocked by your provider (work/school) (assuming that the firefox instance you host is not blocked).
 - a bit slow, but it works!
 <br>
 - [Github repo](https://github.com/linuxserver/docker-firefox)
 ## docker-compose.yml
 ```yml
 ---
 services:
  firefox:
    image: lscr.io/linuxserver/firefox:latest
    container_name: firefox
    shm_size: "1gb"
    restart: unless-stopped
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Dublin
    ports:
      - 3123:3000
    volumes:
      - ./config:/config
 ```
--- a/apps/other/ntfy.md
+++ b/apps/other/ntfy.md
@ -0,0 +1,54 @@
 # NTFY
 A self-hosted notification server (like pushover).
 - has mobile apps for ios and android
 - interesting conceptually (simple pub-sub)
 - very easy to use (from curl to php)
 - notifications arrive promptly, within seconds (1 - 10) (not as instant as e.g. pushover)
 - sometimes apps need to be restarted to show notifications (sometimes a notification shows up in notification center, but not in the app)
 - no sync between clients - i.e. the same notification must be marked as read or dismissed in all subscribers (in pushover, when I read one on my phone - it shows as read on laptop)
 <br>
 - [Homepage](https://ntfy.sh)
 - [Github repo](https://github.com/binwiederhier/ntfy)
 - [Docs](https://ntfy.sh/docs/)
 ## ntfy/server.yml
 ```yml
 # options: https://ntfy.sh/docs/config/
 base-url: https://ntfy.domain.com
 # needed for performance
 cache-file: /var/cache/ntfy/cache.db
 cache-duration: "12h"
 cache-startup-queries: |
    pragma journal_mode = WAL;
    pragma synchronous = normal;
    pragma temp_store = memory;
 # This is needed for instant mobile notifications
 upstream-base-url: "https://ntfy.sh"
 ```
 ## docker-compose.yml
 ```yml
 ---
 services:
  ntfy:
    image: binwiederhier/ntfy
    container_name: ntfy
    restart: unless-stopped
    command:
      - serve
    environment:
      - TZ=Europe/Dublin
    volumes:
      - ./cache:/var/cache/ntfy
      - ./ntfy:/etc/ntfy
    ports:
      - 3040:80
 ```
--- a/apps/reverse-proxy-sso/npm.md
+++ b/apps/reverse-proxy-sso/npm.md