Merge branch 'master' of https://github.com/tborychowski/self-hosted-cookbook

* 'master' of https://github.com/tborychowski/self-hosted-cookbook: add crowdsec setup lldap filerun update doku . add firefox browser ntfy add portainer; move nginx-p-m to the correct group
2025-06-27 13:15:23 +00:00 · 2022-10-02 11:28:18 +01:00 · 2022-10-02 11:28:18 +01:00 · 7a3bcbe52b
commit 7a3bcbe52b
parent 7ab9bacdcd 47e12b3e66
11 changed files with 301 additions and 20 deletions
--- a/README.md
+++ b/README.md
@ -122,7 +122,8 @@ The aims is to provide a ready-to-run recipes that you can just copy, paste and

 # Docker Managers
 - [Diun](apps/docker/diun.md)
- [nginx-proxy-manager](apps/docker/npm.md)
+- [Doku](apps/docker/doku.md)
+- [Portainer](apps/docker/portainer.md)
 - [WatchTower](apps/docker/watch-tower.md)


@ -286,8 +287,11 @@ The aims is to provide a ready-to-run recipes that you can just copy, paste and
 - [change-detection](apps/other/change-detection.md)
 - [Cockpit](apps/other/cockpit.md)
 - [Code server](apps/other/code.md)
+- [Crowdsec](apps/other/crowdsec.md)
+- [Firefox](apps/other/firefox.md)
 - [Firefox sync server](apps/other/firefox-sync.md)
 - [LanguageTool server](apps/other/language-tool.md)
+- [Ntfy](apps/other/ntfy.md)
 - [VPN client](apps/other/vpn.md)
 - [OpenSpeedTest](apps/other/openspeedtest.md)

@ -329,9 +333,11 @@ The aims is to provide a ready-to-run recipes that you can just copy, paste and

 # Reverse proxy & SSO
 - [Authelia](apps/reverse-proxy-sso/authelia.md)
- [Traefik](apps/reverse-proxy-sso/traefik.md)
 - [Caddy](https://caddyserver.com/) 🔗 - very good web server with reverse-proxy & automatic https.
- [Nginx Proxy Manager](https://nginxproxymanager.com/) 🔗 - another nice solution based on the battle-tested & probably the most popular web-server - nginx. It has a pretty UI that allows to manage the services.
+- [lldap](https://github.com/nitnelave/lldap/) 🔗 - simple ldap implementation with a nice UI.
+- [nginx-proxy-manager](apps/reverse-proxy-sso/npm.md)
+- [Traefik](apps/reverse-proxy-sso/traefik.md)
+



--- a/apps/cloud/filerun.md
+++ b/apps/cloud/filerun.md
@ -17,7 +17,7 @@

 ## docker-compose.yml
 ```yml
-version: '2'
+---
 services:
  db:
    image: mariadb:10.1
@ -29,10 +29,10 @@ services:
      MYSQL_PASSWORD: db_user_password_01
      MYSQL_DATABASE: filerundb
    volumes:
-      - ./data/db:/var/lib/mysql
+      - ./db:/var/lib/mysql

-  web:
-    image: afian/filerun
+  filerun:
+    image: filerun/filerun
    container_name: filerun
    restart: unless-stopped
    environment:
@ -42,8 +42,8 @@ services:
      FR_DB_USER: db_user
      FR_DB_PASS: db_user_password_01
      APACHE_RUN_USER: www-data
-      APACHE_RUN_USER_ID: 33
      APACHE_RUN_GROUP: www-data
+      APACHE_RUN_USER_ID: 33
      APACHE_RUN_GROUP_ID: 33
    depends_on:
      - db
@ -52,14 +52,6 @@ services:
    ports:
      - "3090:80"
    volumes:
-      - ./data/html:/var/www/html
-      - ./data/user-files:/user-files
+      - ./html:/var/www/html
+      - ./user-files:/user-files
 ```
-
-## Running
-Create the folders first:
-```sh
-mkdir /data /data/html /data/user-files
-```
-
-The default FileRun credentials are: superuser:superuser
--- a/apps/docker/doku.md
+++ b/apps/docker/doku.md
@ -0,0 +1,24 @@
+# Doku
+Doku is a web-based Docker disk usage monitor.
+
+<br>
+
+- [Homepage](https://docker-disk.space)
+- [Github repo](https://github.com/amerkurev/doku)
+
+![Screenshot](doku.png)
+
+
+## docker-compose.yml
+```yml
+---
+services:
+  doku:
+    image: amerkurev/doku
+    container_name: doku
+    ports:
+      - 9090:9090
+    volumes:
+      - '/var/run/docker.sock:/var/run/docker.sock:ro'
+      - '/:/hostroot:ro'
+```
--- a/apps/docker/doku.png
+++ b/apps/docker/doku.png
--- a/apps/docker/portainer.md
+++ b/apps/docker/portainer.md
@ -0,0 +1,24 @@
+# Portainer
+A nice UI for managing docker/kubernetes/swarm containers.
+
+<br>
+
+- [Homepage](https://www.portainer.io)
+- [Github repo](https://github.com/portainer/portainer)
+
+
+## docker-compose.yml
+```yml
+---
+services:
+  portainer:
+    image: portainer/portainer-ce
+    container_name: portainer
+    restart: unless-stopped
+    ports:
+      - 8000:8000
+      - 9443:9443
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./data:/data
+```
--- a/apps/downloads/qbit.md
+++ b/apps/downloads/qbit.md
@ -1,5 +1,6 @@
 # qbittorrent
 - ugly as hell
+- less ugly with docker-mods theme
 - probably the best (as of today)

 <br>
@ -14,7 +15,6 @@
 ## docker-compose.yml
 ```yml
 ---
-version: "2.1"
 services:
  qbittorrent:
    image: linuxserver/qbittorrent
@ -26,6 +26,9 @@ services:
      - TZ=Europe/Dublin
      - UMASK_SET=022
      - WEBUI_PORT=3030
+	  # apply a nice UI theme https://docs.theme-park.dev/setup/#docker-mods
+      - DOCKER_MODS=ghcr.io/gilbn/theme.park:qbittorrent
+      - TP_THEME=space-gray
    volumes:
      - ./config:/config
      - ./downloads:/downloads
--- a/apps/monitors/uptime-kuma.md
+++ b/apps/monitors/uptime-kuma.md
@ -16,7 +16,6 @@ It is a self-hosted monitoring tool like "Uptime Robot".

 ## docker-compose.yml
 ```yml
-version: '3.3'
 services:
  uptime-kuma:
    image: louislam/uptime-kuma
--- a/apps/other/crowdsec.md
+++ b/apps/other/crowdsec.md
@ -0,0 +1,150 @@
+# Crowdsec
+
+It's basically a self-hosted crowd-based firewall.
+Setup is a bit cumbersome but (probably) well worth it :-)
+
+<br>
+
+- [Homepage](https://www.crowdsec.net)
+- [Github repo](https://github.com/crowdsecurity/crowdsec)
+- [Docker Hub](https://hub.docker.com/r/crowdsecurity/crowdsec)
+- [Crowdsec Hub](https://hub.crowdsec.net)
+- [Traefik bouncer](https://github.com/fbonalair/traefik-crowdsec-bouncer)
+- [Collections](https://hub.crowdsec.net/browse/#collections)
+
+
+
+## How does that work
+- There are 2 parts of the solution: analyser & bouncer
+- Crowdsec container (below) just basically analyses your server logs
+- Bouncer container (below) uses the analysis to bounce off the potential attacks
+
+## Local Setup
+This describes how to setup crowdsec with traefik bouncer. There are other bouncers you can use (if you don't use traefik).
+
+1. Create 2 files with the following content (`acquis.yml` and `docker-compose.yml`). Remember to update the paths to your logs in `docker-compose.yml`!
+2. Start the containers (`docker compose up -d`)
+3. Wait a minute or so (until it finishes installing collections), you can follow the logs to see what's going on (`docker compose logs -f`)
+4. Add bouncer to the crowdsec instance:
+    ```sh
+    docker exec crowdsec cscli bouncers add traefik-bouncer
+    ```
+5. Copy the API key printed in the command output and paste it back in the `docker-compose.yml` in the bouncer config (`CROWDSEC_BOUNCER_API_KEY`)
+6. Restart the containers
+7. That's it.
+
+## Online console
+Unless you want to have an online console, than do this as well:
+1. Register at https://app.crowdsec.net/
+2. Enroll your instance, with the API key from there, e.g.:
+    ```sh
+    docker exec crowdsec cscli console enroll cl8m56qpu00060vlcwgj898z0
+    ```
+
+## Traefik middleware
+1. Add traefik middleweare in the dynamic config, e.g.
+    ```toml
+    [http.middlewares.crowdsec.forwardauth]
+    address = "http://<server ip>:3300/api/v1/forwardAuth"
+    ```
+2. Use this middleware in your services, e.g.
+    ```toml
+    [http.routers.authelia]
+    rule ="Host(`login.domain.com`)"
+    service = "authelia"
+    tls = { }
+    middlewares = [ "crowdsec" ]
+    ```
+
+
+## acquis.yml
+```yml
+---
+filenames:
+ - /logs/auth.log
+ - /logs/syslog
+ - /logs/kern.log
+labels:
+  type: syslog
+
+---
+filenames:
+  - /logs/apache2/*.log
+  - /logs/*httpd*.log
+  - /logs/httpd/*log
+labels:
+  type: apache2
+
+---
+filenames:
+  - /logs/nginx/*.log
+labels:
+  type: nginx
+
+---
+filenames:
+ - /logs/authelia.log
+labels:
+  type: authelia
+
+---
+filenames:
+  - /logs/traefik/*.log
+labels:
+  type: traefik
+```
+
+## docker-compose.yml
+```yml
+---
+services:
+  crowdsec:
+    image: crowdsecurity/crowdsec
+    container_name: crowdsec
+    restart: unless-stopped
+    environment:
+      - GID="${GID-1000}"
+      - COLLECTIONS=crowdsecurity/linux crowdsecurity/iptables crowdsecurity/apache2 crowdsecurity/sshd crowdsecurity/traefik LePresidente/authelia crowdsecurity/nginx crowdsecurity/base-http-scenarios
+    volumes:
+      - /var/log/auth.log:/logs/auth.log:ro
+      - /var/log/syslog.log:/logs/syslog.log:ro
+      - /var/log/kern.log:/logs/kern.log:ro
+      - /var/log/apache:/logs/apache:ro
+      - /var/log/httpd:/logs/httpd:ro
+      - /var/log/authelia.log:/logs/authelia.log:ro
+      - /var/log/traefik/logs:/logs/traefik:ro
+
+      - ./acquis.yml:/etc/crowdsec/acquis.yaml
+      - ./data:/var/lib/crowdsec/data/
+      - ./config:/etc/crowdsec/
+
+  bouncer:
+    image: fbonalair/traefik-crowdsec-bouncer
+    container_name: crowdsec-bouncer
+    restart: unless-stopped
+    environment:
+      - PORT=8090
+      - CROWDSEC_BOUNCER_API_KEY=changeme
+      - CROWDSEC_AGENT_HOST=crowdsec:8080
+    ports:
+      - 3300:8090
+```
+
+
+## Useful commands
+
+1. List installed items
+```sh
+docker exec crowdsec cscli scenarios list
+docker exec crowdsec cscli collections list
+docker exec crowdsec cscli parsers list
+```
+
+2. Block/unblock an ip
+```sh
+docker exec crowdsec cscli decisions add --ip 192.168.1.1
+docker exec crowdsec cscli decisions remove --ip 192.168.1.1
+docker exec crowdsec cscli decisions list
+docker exec crowdsec cscli decisions help			# display help on decisions command
+docker exec crowdsec cscli decisions add --help		# display help on add command
+```
--- a/apps/other/firefox.md
+++ b/apps/other/firefox.md
@ -0,0 +1,29 @@
+# Firefox
+It's a browser inside a browser!
+
+- Very useful when you need to check a site that is blocked by your provider (work/school) (assuming that the firefox instance you host is not blocked).
+- a bit slow, but it works!
+
+<br>
+
+- [Github repo](https://github.com/linuxserver/docker-firefox)
+
+
+## docker-compose.yml
+```yml
+---
+services:
+  firefox:
+    image: lscr.io/linuxserver/firefox:latest
+    container_name: firefox
+    shm_size: "1gb"
+    restart: unless-stopped
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/Dublin
+    ports:
+      - 3123:3000
+    volumes:
+      - ./config:/config
+```
--- a/apps/other/ntfy.md
+++ b/apps/other/ntfy.md
@ -0,0 +1,54 @@
+# NTFY
+A self-hosted notification server (like pushover).
+
+- has mobile apps for ios and android
+- interesting conceptually (simple pub-sub)
+- very easy to use (from curl to php)
+- notifications arrive promptly, within seconds (1 - 10) (not as instant as e.g. pushover)
+- sometimes apps need to be restarted to show notifications (sometimes a notification shows up in notification center, but not in the app)
+- no sync between clients - i.e. the same notification must be marked as read or dismissed in all subscribers (in pushover, when I read one on my phone - it shows as read on laptop)
+
+<br>
+
+- [Homepage](https://ntfy.sh)
+- [Github repo](https://github.com/binwiederhier/ntfy)
+- [Docs](https://ntfy.sh/docs/)
+
+
+## ntfy/server.yml
+```yml
+# options: https://ntfy.sh/docs/config/
+
+base-url: https://ntfy.domain.com
+
+# needed for performance
+cache-file: /var/cache/ntfy/cache.db
+cache-duration: "12h"
+cache-startup-queries: |
+    pragma journal_mode = WAL;
+    pragma synchronous = normal;
+    pragma temp_store = memory;
+
+# This is needed for instant mobile notifications
+upstream-base-url: "https://ntfy.sh"
+```
+
+
+## docker-compose.yml
+```yml
+---
+services:
+  ntfy:
+    image: binwiederhier/ntfy
+    container_name: ntfy
+    restart: unless-stopped
+    command:
+      - serve
+    environment:
+      - TZ=Europe/Dublin
+    volumes:
+      - ./cache:/var/cache/ntfy
+      - ./ntfy:/etc/ntfy
+    ports:
+      - 3040:80
+```
--- a/apps/reverse-proxy-sso/npm.md
+++ b/apps/reverse-proxy-sso/npm.md