diff --git a/.remote-sync.json b/.remote-sync.json
deleted file mode 100644
index e43df73d..00000000
--- a/.remote-sync.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "uploadOnSave": true,
- "useAtomicWrites": true,
- "deleteLocal": false,
- "hostname": "ansible2.grote.lan",
- "port": "22",
- "target": "/home/mg/ansible",
- "ignore": [
- ".git/**"
- ],
- "username": "mg",
- "keyfile": "C:\\Users\\mg\\Desktop\\NextCloud\\Rest\\ssh-keys\\ssh_key_heimserver_mg2.ppk",
- "transport": "scp",
- "watch": []
-}
diff --git a/docker-compose/acng/docker-compose.yml.j2 b/docker-compose/acng/docker-compose.yml.j2
index 6debac32..765387bf 100644
--- a/docker-compose/acng/docker-compose.yml.j2
+++ b/docker-compose/acng/docker-compose.yml.j2
@@ -7,7 +7,7 @@ services:
 ports:
 - "9999:9999"
 volumes:
- - cache:/var/cache/apt-cacher-ng
+ - /mnt/acng_cache:/var/cache/apt-cacher-ng
 environment:
 USER: acng-admin
 PASS: {{ lookup('keepass', 'acng_webinterface', 'password') }}
@@ -15,6 +15,3 @@ services:
 THRESHOLD: 60 # package housekeeping threshold
 labels:
 com.centurylinklabs.watchtower.enable: true
-
-volumes:
- cache:
diff --git a/docker-compose/blocky/config.yml.j2 b/docker-compose/blocky/config.yml.j2
index d50e67b8..c14bcbd0 100644
--- a/docker-compose/blocky/config.yml.j2
+++ b/docker-compose/blocky/config.yml.j2
@@ -39,6 +39,10 @@ blocking:
 - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
 - https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
 - https://www.github.developerdan.com/hosts/lists/amp-hosts-extended.txt
+ - https://v.firebog.net/hosts/AdguardDNS.txt
+ - https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
+ - https://raw.githubusercontent.com/r-a-y/mobile-hosts/master/AdguardMobileAds.txt
+ - https://raw.githubusercontent.com/r-a-y/mobile-hosts/master/AdguardMobileSpyware.txt
 # - |
 # # inline definition with YAML literal block scalar style
 # someadsdomain.com
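Review bot: The new bind mount `- /mnt/acng_cache:/var/cache/apt-cacher-ng` only works if the `acng_cache` LV from host_vars is already mounted when this stack starts; if it is not, Docker silently creates an empty `/mnt/acng_cache` directory on the root filesystem and the cache fills that instead. The contents of the removed named volume `cache` are not migrated by this change and the volume stays behind as an orphan. A comment above the mount would make the dependency visible, e.g. `# bind mount: the acng_cache LV (host_vars) must be mounted at /mnt/acng_cache before this stack starts`, and the old volume should be removed once its data has been moved.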
diff --git a/docker-compose/homer/docker-compose.yml.j2 b/docker-compose/homer/docker-compose.yml.j2
index a9badb7f..cd9c1cb9 100644
--- a/docker-compose/homer/docker-compose.yml.j2
+++ b/docker-compose/homer/docker-compose.yml.j2
@@ -14,5 +14,21 @@ services:
 - ./assets/:/www/assets
 ports:
 - 333:8080
+ networks:
+ - traefik
 labels:
 com.centurylinklabs.watchtower.enable: true
+
+ traefik.http.routers.homer.rule: Host(`www.mgrote.net`,`mgrote.net`)
+ traefik.enable: true
+ traefik.http.routers.homer.tls: true
+ traefik.http.routers.homer.tls.certresolver: resolver_letsencrypt
+ traefik.http.routers.homer.entrypoints: entry_https
+ traefik.http.services.homer.loadbalancer.server.port: 8080
+
+ traefik.http.routers.homer.middlewares: nforwardauth
+
+######## Networks ########
+networks:
+ traefik:
+ external: true
diff --git a/docker-compose/httpd/docker-compose.yml.j2 b/docker-compose/httpd/docker-compose.yml.j2
index 012e0bae..e198f88d 100644
--- a/docker-compose/httpd/docker-compose.yml.j2
+++ b/docker-compose/httpd/docker-compose.yml.j2
@@ -26,6 +26,7 @@ services:
 MAX_CONTENT_LENGTH: 50
 UPLOAD_DIRECTORY: /uploads
 AUTH_TOKEN: {{ lookup('keepass', 'httpd-api-server-token', 'password') }}
+ ENABLE_WEBSERVER: false
 labels:
 com.centurylinklabs.watchtower.enable: true
diff --git a/docker-compose/nextcloud/.env.j2 b/docker-compose/nextcloud/.env.j2
index 0fd451d8..2ff6f9a8 100644
--- a/docker-compose/nextcloud/.env.j2
+++ b/docker-compose/nextcloud/.env.j2
@@ -2,4 +2,4 @@ MYSQL_ROOT_PASSWORD={{ lookup('keepass', 'nextcloud_mysql_root_password', 'passw
 MYSQL_PASSWORD={{ lookup('keepass', 'nextcloud_mysql_password', 'password') }}
 REDIS_HOST_PASSWORD={{ lookup('keepass', 'nextcloud_redis_host_password', 'password') }}
 SMTP_PASSWORD={{ lookup('keepass', 'postfix_absender_passwort', 'password') }}
-NC_MAJOR_VERSION=25
+NC_MAJOR_VERSION=26
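Review bot: homer is now placed behind the `nforwardauth` middleware, but the context line `- 333:8080` still publishes the service directly on the host, so the forwardauth check only covers requests that arrive through traefik and any client that reaches port 333 skips the login entirely. Whether a host firewall closes that port is not visible here (the ufw rules live in host_vars). Since traefik now reaches the container over the shared `traefik` network, drop the `ports:` mapping, or bind it locally with `- 127.0.0.1:333:8080`; the munin http_response check in host_vars still probes `docker10.grote.lan:333` and would need the same adjustment.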
diff --git a/docker-compose/nextcloud/docker-compose.yml.j2 b/docker-compose/nextcloud/docker-compose.yml.j2
index ef6f4cd6..6ba263cc 100644
--- a/docker-compose/nextcloud/docker-compose.yml.j2
+++ b/docker-compose/nextcloud/docker-compose.yml.j2
@@ -76,7 +76,7 @@ services:
 PHP_MEMORY_LIMIT: 1024M
 PHP_UPLOAD_LIMIT: 10G
 APACHE_DISABLE_REWRITE_IP: 1
- TRUSTED_PROXIES: "192.168.2.43" # docker10.grote.lan/traefik
+ TRUSTED_PROXIES: "192.168.48.0/24" # Subnetz in dem sich traefik befindet
 volumes:
 - app:/var/www/html
 - data:/var/www/html/data
diff --git a/docker-compose/registry/docker-compose.yml.j2 b/docker-compose/registry/docker-compose.yml.j2
index a4d26022..9e8cc0a8 100644
--- a/docker-compose/registry/docker-compose.yml.j2
+++ b/docker-compose/registry/docker-compose.yml.j2
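Review bot: `TRUSTED_PROXIES: "192.168.48.0/24"` trusts the whole Docker subnet instead of the single traefik address it replaces, so every container on that network can set `X-Forwarded-For` and Nextcloud will accept the supplied client address for its brute-force protection, rate limits and logs. If traefik's address on the `traefik` network is not stable, the narrower fix is to give the traefik container a fixed address on that network and trust only it, e.g. `TRUSTED_PROXIES: "192.168.48.2" # traefik (static IP on the traefik network)` (constructed example); if the `/24` is intentional, the comment should say why the wider range is acceptable. The enclosing service definition continues outside the hunk.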
@@ -27,18 +27,19 @@ services:
 traefik.http.routers.registry.entrypoints: entry_https
 traefik.http.services.registry.loadbalancer.server.port: 5000
- traefik.http.routers.registry.middlewares: registry-ipwhitelist
- traefik.http.middlewares.registry-ipwhitelist.ipwhitelist.sourcerange: 192.168.0.0/16
+ traefik.http.routers.registry.middlewares: error-pages-middleware,registry-ipwhitelist
- traefik.http.routers.registry.middlewares: error-pages-middleware
+ traefik.http.middlewares.registry-ipwhitelist.ipwhitelist.sourcerange: 192.168.2.0/24,10.25.25.0/24,192.168.48.0/24 # .48. ist Docker
+ traefik.http.middlewares.registry-ipwhitelist.ipwhitelist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipwhitelist/#ipstrategydepth
 com.centurylinklabs.watchtower.depends-on: oci-registry-redis
 com.centurylinklabs.watchtower.enable: true
+ # registry aufräumen: docker exec -it oci-registry /bin/registry garbage-collect [--dry-run] --delete-untagged=true /etc/docker/registry/config.yml
+
 # testen mit:
 # docker pull ubuntu
 # docker image tag ubuntu registry.mgrote.net/myfirstimage
- # docker login --username regadmin --password registry.mgrote.net
 # docker push registry.mgrote.net/myfirstimage
 # docker pull registry.mgrote.net/myfirstimage
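Review bot: With `ipstrategy.depth: 0` the whitelist is evaluated against the address traefik sees on the connection, and the new `192.168.48.0/24 # .48. ist Docker` range therefore admits every container on that Docker network, not only traefik's own clients. No auth middleware is attached to the registry router on the new side, so if the registry's own configuration (not visible here) has no authentication either, the whitelist is the only control on pushes and any container on that network satisfies it. Either narrow the range to the addresses that actually need registry access or enable authentication in the registry itself, and extend the comment to say what the `.48.` entry is for, e.g. `# 192.168.48.0/24 = Docker network; needed because <reason> — every container on it passes this check`.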
@@ -63,12 +64,13 @@ services:
 DELETE_IMAGES: true
 SINGLE_REGISTRY: true
 NGINX_PROXY_PASS_URL: http://oci-registry:5000
+ SHOW_CONTENT_DIGEST: true # https://github.com/Joxit/docker-registry-ui/issues/297
 networks:
 - traefik
 - intern
 labels:
 traefik.http.routers.registry-ui.rule: Host(`registry.mgrote.net`)&&PathPrefix(`/ui`) # mache unter /ui erreichbar, damit wird demPfad dieser Prefix hinzugefügt, die Anwendung "hört" dort abrer nicht
- traefik.http.routers.registry-ui.middlewares: registry-ui-strip-prefix,registry-ui-auth,error-pages-middleware # also entferne den Prefix danach wieder
+ traefik.http.routers.registry-ui.middlewares: registry-ui-strip-prefix,error-pages-middleware,nforwardauth # also entferne den Prefix danach wieder
 traefik.http.middlewares.registry-ui-strip-prefix.stripprefix.prefixes: /ui # hier ist die Middleware definiert
 traefik.enable: true
 traefik.http.routers.registry-ui.tls: true
@@ -79,7 +81,6 @@ services:
 com.centurylinklabs.watchtower.depends-on: oci-registry-redis,oci-registry
 com.centurylinklabs.watchtower.enable: true
- traefik.http.middlewares.registry-ui-auth.basicauth.users: ui-user:$$2y$$05$$6NLaW1ewe/t4M/qnaPHCx.bmsIKR5MOukwJFrvhyFUcqueRcm9i8K # echo $(htpasswd -nB ui-user password) | sed -e s/\\$/\\$\\$/g
 ######## Networks ########
 networks:
diff --git a/docker-compose/traefik/docker-compose.yml.j2 b/docker-compose/traefik/docker-compose.yml.j2
index 388a9e9f..55568ca6 100644
--- a/docker-compose/traefik/docker-compose.yml.j2
+++ b/docker-compose/traefik/docker-compose.yml.j2
@@ -3,7 +3,7 @@ services:
 ######## traefik ########
 traefik:
 container_name: "traefik"
- image: traefik:latest
+ image: traefik:2.9
 restart: always
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock:ro
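Review bot: In the new chain `registry-ui-strip-prefix,error-pages-middleware,nforwardauth` the auth check runs last, after the `/ui` prefix has already been stripped, so the forwarded URI the auth server sees (and presumably redirects back to after login) no longer carries the prefix; an unauthenticated response also travels back through error-pages, which may replace the auth server's redirect or 401 with an error page if it is configured for 4xx codes. Putting the auth check first, `traefik.http.routers.registry-ui.middlewares: nforwardauth,registry-ui-strip-prefix,error-pages-middleware`, rejects unauthenticated requests before any rewriting and keeps the original path in the redirect. Worth verifying once with a fresh session that the login round trip lands back on `/ui`.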
@@ -21,7 +21,19 @@ services:
 TZ: Europe/Berlin
 labels:
 com.centurylinklabs.watchtower.enable: true
-######## traefik ########
+ # hier sind gemeinsame middlewares defniert und zu einer chain zusammengefasst
+ # CAVE: die Reihenfolge innerhalb von Chains/von Middlewares ist wichtig
+ # Aufbau: traefik.http.middlewares..chain.middlewares: middleware1,middleware2,middleware3
+ # diese kann dann direkt eingebunden werden:
+ # Beispiel: XXXXX
+ # beim Einsatz von nforwardauth:
+ # Beispiel: YYYYY
+
+ # Middleware default
+ # enthält Rate-Limiting, Error-Pages und ZZZ?
+
+
+######## error-pages ########
 # https://github.com/tarampampam/error-pages/wiki/Traefik-(docker-compose)
 error-pages:
 container_name: "traefik-error-pages"
@@ -29,6 +41,7 @@ services:
 environment:
 TEMPLATE_NAME: ghost
 labels:
+ com.centurylinklabs.watchtower.depends-on: traefik
 com.centurylinklabs.watchtower.enable: true
 traefik.enable: true
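Review bot: The comment block added under `labels:` still contains the placeholders `XXXXX`, `YYYYY` and `ZZZ?`, and the `Aufbau:` line has an empty middleware name (`middlewares..chain`), so it describes a shared chain that no label in this hunk actually defines. Either finish it with the real chain label and one router that uses it, or cut it down to what exists now, e.g. `# shared middlewares: error-pages-middleware and nforwardauth (defined on their services below); the order in a router's middlewares list is significant`. Leaving `Beispiel: XXXXX` in the rendered file will confuse the next reader more than no comment at all.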
@@ -49,6 +62,39 @@ services:
 networks:
 - traefik
+######## nforwardauth ########
+# https://github.com/NOSDuco/nforwardauth
+ nforwardauth:
+ container_name: "traefik-nforwardauth"
+ image: nosduco/nforwardauth:v1
+ depends_on:
+ - traefik
+ networks:
+ - traefik
+ volumes:
+ - ./passwd:/passwd:ro # Mount local passwd file at /passwd as ready only
+ environment:
+ TOKEN_SECRET: {{ lookup('keepass', 'traefik-nforwardauth-token-secret', 'password') }} # Secret to use when signing auth token
+ AUTH_HOST: auth.mgrote.net
+ #COOKIE_DOMAIN: mgrote.net # Set domain for the cookies. This value will allow cookie and auth on *.yourdomain.com (including base domain)
+ PORT: 3000 # Set specific port to listen on
+ labels:
+ com.centurylinklabs.watchtower.depends-on: traefik
+ com.centurylinklabs.watchtower.enable: true
+
+ traefik.enable: true
+ traefik.http.routers.nforwardauth.rule: Host(`auth.mgrote.net`)
+
+ traefik.http.middlewares.nforwardauth.forwardauth.address: http://nforwardauth:3000
+
+ traefik.http.services.nforwardauth.loadbalancer.server.port: 3000
+ traefik.http.routers.nforwardauth.tls: true
+ traefik.http.routers.nforwardauth.tls.certresolver: resolver_letsencrypt
+ traefik.http.routers.nforwardauth.entrypoints: entry_https
+
+ # traefik.http.routers.nforwardauth.middlewares: error-pages-middleware
+
+
 ######## Networks ########
 networks:
 traefik:
diff --git a/docker-compose/traefik/file-provider.yml b/docker-compose/traefik/file-provider.yml
index 37132f6e..dd2619a5 100644
--- a/docker-compose/traefik/file-provider.yml
+++ b/docker-compose/traefik/file-provider.yml
@@ -19,7 +19,7 @@ http:
 ###### router #####
 routers:
 router_dokuwiki:
- rule: "Host(`dokuwiki.mgrote.net`,`mgrote.net`,`www.mgrote.net`,`wiki.mgrote.net`)"
+ rule: "Host(`dokuwiki.mgrote.net`,`wiki.mgrote.net`)"
 service: "service_dokuwiki"
 entrypoints:
 - entry_https
diff --git a/docker-compose/traefik/passwd b/docker-compose/traefik/passwd
new file mode 100644
index 00000000..4f9165fd
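Review bot: `TOKEN_SECRET` is rendered unquoted from the keepass lookup, so a secret containing ` #`, `: ` or a leading YAML indicator breaks or silently truncates the rendered compose file; quote it, `TOKEN_SECRET: "{{ lookup('keepass', 'traefik-nforwardauth-token-secret', 'password') }}" # secret used to sign the auth token`. `COOKIE_DOMAIN` is left commented out even though this middleware now guards `mgrote.net`, `whoami.mgrote.net` and the registry UI; if the session cookie is scoped to `auth.mgrote.net` only, the login presumably does not carry over to those hosts — confirm against the nforwardauth documentation and set it deliberately rather than by default. The mount comment `as ready only` should read `as read only`.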
--- /dev/null
+++ b/docker-compose/traefik/passwd
@@ -0,0 +1,2 @@
+echo "michaelgrote:$(mkpasswd -m sha-512 CTRqDgqth1lwgefS0-YXDKadZLqo8N)"
+michaelgrote:$6$L1HOdqYIBBZol0D5$Qcj.1NcF1Mk7iZjBU2/uuvUEYuRbl6w0XfQyBTTlmClhx1yoJjwTOGwSdueKjq5MPyD9R5xCixVUQ/qfvRJb30
diff --git a/docker-compose/traefik/traefik.yml b/docker-compose/traefik/traefik.yml
index 0c623bb5..a4fa47a8 100644
--- a/docker-compose/traefik/traefik.yml
+++ b/docker-compose/traefik/traefik.yml
@@ -31,7 +31,7 @@ certificatesResolvers:
 tlsChallenge: true
 log:
- level: INFO
+ level: DEBUG
 api:
 insecure: true
diff --git a/docker-compose/whoami/docker-compose.yml.j2 b/docker-compose/whoami/docker-compose.yml.j2
new file mode 100644
index 00000000..6719b823
--- /dev/null
+++ b/docker-compose/whoami/docker-compose.yml.j2
@@ -0,0 +1,21 @@
+version: '3'
+services:
+ # here it works as expected
+ whoami:
+ image: traefik/whoami
+ container_name: whoami
+ restart: always
+ networks:
+ - traefik
+ labels:
+ traefik.http.routers.whoami.rule: Host(`whoami.mgrote.net`)
+ traefik.http.routers.whoami.middlewares: nforwardauth
+ traefik.enable: true
+ traefik.http.routers.whoami.tls: true
+ traefik.http.routers.whoami.tls.certresolver: resolver_letsencrypt
+ traefik.http.routers.whoami.entrypoints: entry_https
+ traefik.http.services.whoami.loadbalancer.server.port: 80
+
+networks:
+ traefik:
+ external: true
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 6c15967d..67bf4ec5 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -114,7 +114,7 @@ postfix_smtp_server_port: 587
 postfix_smtp_use_tls: "yes"
 ### mgrote.apt_manage_sources
- manage_sources_apt_proxy: "docker10.grote.lan:9999"
+ manage_sources_apt_proxy: "192.168.2.43:9999" # als IP da apt warum auch immer >10s braucht den Namen aufzulösen
 ### mgrote.tmux
 tmux_conf_destination: "/home/mg/.tmux.conf"
 tmux_bashrc_destination: "/home/mg/.bashrc"
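Review bot: The first line of the new `passwd` file is the shell command that produced the hash and it still contains the clear-text password, so the secret is now in git history and is additionally mounted into the container as a line that is not a valid `user:hash` entry. Delete that line, treat the password as compromised and rotate it, and keep only the `michaelgrote:$6$…` entry. Every other secret in this repository comes from a keepass lookup, so render this file from a template instead of committing it, e.g. a `passwd.j2` containing `michaelgrote:{{ lookup('keepass', '<keepass-entry-name>', 'password') | password_hash('sha512') }}`, and add the rendered `passwd` to `.gitignore`.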
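Review bot: `level: DEBUG` on the edge proxy logs request details for every connection, including the forwardauth round trips that are presumably being debugged here, and is normally a temporary setting; if it is meant to stay, say so in a comment, otherwise revert to `level: INFO` once the nforwardauth setup is verified. The unchanged context line `insecure: true` under `api:` keeps the dashboard on the insecure entrypoint; it is not part of this change, but it deserves a follow-up if that entrypoint is reachable from outside the traefik network.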
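Review bot: `image: traefik/whoami` has no tag and therefore floats on `latest`, while the same commit pins traefik to `2.9`; pin it as well, `image: traefik/whoami:<release-tag>` (pick the current release). The comment `# here it works as expected` says nothing about the service; something like `# debug target behind nforwardauth: echoes the request it receives` documents why the stack exists. Keep in mind that whoami echoes all incoming headers, including the forwarded auth headers, to whoever is logged in — fine for a test endpoint, less so for a permanent one.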
diff --git a/host_vars/docker10.grote.lan.yml b/host_vars/docker10.grote.lan.yml
index ac9773cb..a2abd428 100644
--- a/host_vars/docker10.grote.lan.yml
+++ b/host_vars/docker10.grote.lan.yml
@@ -18,11 +18,17 @@
 create: true
 lvnames:
 - lvname: ociregistry
- size: +100%FREE
+ size: 10G
 create: true
 filesystem: xfs
 mount: true
 mntp: /mnt/oci-registry
+ - lvname: acng_cache
+ size: 10G
+ create: true
+ filesystem: xfs
+ mount: true
+ mntp: /mnt/acng_cache
 manage_lvm: true
 pvresize_to_max: true
 ### mgrote.restic
@@ -69,6 +75,9 @@
 - name: registry
 state: present
 network: traefik
+ - name: whoami
+ state: present
+ network: traefik
 ### oefenweb.ufw
 ufw_rules:
 - rule: allow
@@ -146,7 +155,7 @@
 src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/http/http_response
 config: |
 [http_response]
- env.sites http://docker10.grote.lan:333 http://docker10.grote.lan:8888/nodes http://docker10.grote.lan:1234 https://nextcloud.mgrote.net http://docker10.grote.lan:3344 http://docker10.grote.lan:5000 https://miniflux.mgrote.net/ http://docker10.grote.lan:3001 http://docker10.grote.lan:8081 http://docker10.grote.lan:9999/acng-report.html
+ env.sites http://docker10.grote.lan:333 http://docker10.grote.lan:8888/nodes http://docker10.grote.lan:1234 https://nextcloud.mgrote.net http://docker10.grote.lan:3344 http://docker10.grote.lan:5000 https://miniflux.mgrote.net/ http://docker10.grote.lan:3001 http://docker10.grote.lan:8081 http://docker10.grote.lan:9999/acng-report.html https://auth.mgrote.net
 env.max_time 20
 env.short_label true
 env.follow_redirect true
@@ -302,6 +311,6 @@
 env.repo oxidized-configs
 env.user mg
 env.git_ref HEAD
- env.warning 720
+ env.warning 1000
 env.critical 2880
 env.token {{ lookup('keepass', 'gitea_commit_time_diff_oxidized_token', 'password') }}
diff --git a/host_vars/pve5.grote.lan.yml b/host_vars/pve5.grote.lan.yml
index 2741c164..1eea9992 100644
--- a/host_vars/pve5.grote.lan.yml
+++ b/host_vars/pve5.grote.lan.yml
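Review bot: The `ociregistry` LV changes from `size: +100%FREE` to `size: 10G` with `filesystem: xfs`; XFS cannot be shrunk, so on an already provisioned host this is either a no-op or a destructive reduce depending on how the LVM role handles a smaller size, and a VG that `+100%FREE` already filled has no space left for the new `acng_cache` LV unless the first one is recreated. State the intended migration next to the entry, e.g. `# was +100%FREE; xfs cannot shrink, the LV must be recreated (data restored) before acng_cache can be created`, and run the play in check mode first. The other three hunks in this file (whoami container, munin target, warning threshold) raise nothing.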
@@ -298,5 +298,11 @@
 env.max_time 20
 env.short_label true
 env.follow_redirect true
+ - name: lxc_guests
+ src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/lxc/lxc_guests
+ config: |
+ [lxc_guests]
+ user root
+ group root
 munin_node_disabled_plugins:
 - name: lvm_
diff --git a/keepass_db.kdbx b/keepass_db.kdbx
index e5e04b49..4821fd75 100644
Binary files a/keepass_db.kdbx and b/keepass_db.kdbx differ