README.md

@@ -1,3 +1,3 @@
-TODO
-====
-* Try out cAdvisor and a dashboard like 10619
+wireguard and traefik on the same vpn network
+add traefik entry point to the vpn network
+only enable api and dashboard on the internal networl

crowdsec/acquis.d/docker-containers.yml

@@ -1,9 +0,0 @@
-source: docker
-container_name:
-  - nextcloud-app
-  - forgejo-app
-  - prometheus
-  - grafana
-  - mailserver
-labels:
-  type: syslog

crowdsec/acquis.d/host-ssh.yml

@@ -1,5 +0,0 @@
-source: journalctl
-journalctl_filter:
-   - "_SYSTEMD_UNIT=ssh.service"
-labels:
-    type: syslog

crowdsec/acquis.d/nextcloud.yml

@@ -1,5 +0,0 @@
-source: file
-filenames:
-   - /run/logs/nextcloud.log
-labels:
-    type: Nextcloud

crowdsec/acquis.d/traefik.yml

@@ -1,5 +0,0 @@
-source: file
-filenames:
-  - /run/logs/traefik-access.log
-labels:
-    type: traefik

crowdsec/dashboard/Dockerfile

@@ -1,3 +0,0 @@
-FROM metabase/metabase
-
-RUN mkdir /data/ && wget https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/metabase_sqlite.zip && unzip metabase_sqlite.zip -d /data/

dms/docker-compose.yaml

@@ -1,3 +1,5 @@
+version: "3.8"
+
 # logger driver - change this driver to ship all container logs to a different location
 x-logging: &logging
   logging:
@@ -43,4 +45,4 @@ services:
       retries: 0
     <<: *logging
     labels:
-      - "traefik.enable=false"
+      - "traefik.enable=true"

dms/mailserver.env

@@ -254,7 +254,7 @@ ENABLE_QUOTAS=1
 # Set the message size limit for all users. If set to zero, the size will be unlimited (not recommended!)
 #
 # empty => 10240000 (~10 MB)
-POSTFIX_MESSAGE_SIZE_LIMIT=104857600 # 100MB
+POSTFIX_MESSAGE_SIZE_LIMIT=
 
 # Mails larger than this limit won't be scanned.
 # ClamAV must be enabled (ENABLE_CLAMAV=1) for this.

docker-compose.yml

@@ -1,3 +1,5 @@
+version: "3.8"
+
 # logger driver - change this driver to ship all container logs to a different location
 x-logging: &logging
   logging:
@@ -44,6 +46,7 @@ services:
     labels:
       - "traefik.enable=true"
       # Make the traefik dashboard available under https://oxmox.dev/traefik/dashboard/
+      # For some reason it's slow when used this way. It's fast when exposed via port 8080 and api.insecure=true.
       - "traefik.http.routers.traefik_api.rule=Host(`oxmox.dev`) && (PathPrefix(`/api`) || PathPrefix(`/traefik`))"
       - "traefik.http.routers.traefik_api.entrypoints=websecure"
       - "traefik.http.routers.traefik_api.tls.certresolver=myresolver"
@@ -63,8 +66,6 @@ services:
       - "traefik.http.routers.whoami.tls.certresolver=myresolver"
 
   nextcloud-db:
-    profiles:
-      - donotstart
     image: mariadb:latest
     container_name: "nextcloud-db"
     restart: unless-stopped
@@ -104,9 +105,7 @@ services:
       - "traefik.enable=false"
 
   nextcloud-app:
-    profiles:
-      - donotstart
-    image: nextcloud:27-apache
+    image: nextcloud:latest
     container_name: "nextcloud-app"
     restart: unless-stopped
     <<: *logging
@@ -123,11 +122,11 @@ services:
       - MYSQL_PASSWORD_FILE=/run/secrets/nextcloud_db_password
       - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/nextcloud_db_root_password
       # reverse proxy setup
-      #- APACHE_DISABLE_REWRITE_IP=0
-      - TRUSTED_PROXIES="172.18.0.0/16 172.18.0.9"
-      - NEXTCLOUD_TRUSTED_DOMAINS=cloud.oxmox.dev
+      - APACHE_DISABLE_REWRITE_IP=1
+      - TRUSTED_PROXIES=192.168.128.0/24
+      - NEXTCLOUD_TRUSTED_DOMAINS=oxmox.dev
       # PHP tuning
-      - PHP_MEMORY_LIMIT=512M # default=512M
+      - PHP_MEMORY_LIMIT=256M # default=512M
       - PHP_UPLOAD_LIMIT=512M # default=512M
       # Sadly this did not work for me.
       #- NEXTCLOUD_ADMIN_USER=admin
@@ -138,11 +137,13 @@ services:
       - nextcloud_admin_password
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.nextcloud_app.rule=Host(`cloud.oxmox.dev`)"
+      - "traefik.http.routers.nextcloud_app.rule=Host(`oxmox.dev`) && PathPrefix(`/nextcloud`)"
       - "traefik.http.routers.nextcloud_app.entrypoints=websecure"
       - "traefik.http.routers.nextcloud_app.tls.certresolver=myresolver"
+      - "traefik.http.routers.nextcloud_app.middlewares=nextcloud_app_strip"
+      - "traefik.http.middlewares.nextcloud_app_strip.stripprefix.prefixes=/nextcloud"
 
-      - "traefik.http.routers.nextcloud_dav.rule=(Host(`cloud.oxmox.dev`) || Host(`oxmox.dev`)) && PathPrefix(`/.well-known/`)"
+      - "traefik.http.routers.nextcloud_dav.rule=Host(`oxmox.dev`) && PathPrefix(`/.well-known/`)"
       - "traefik.http.routers.nextcloud_dav.entrypoints=websecure"
       - "traefik.http.routers.nextcloud_dav.tls.certresolver=myresolver"
       - "traefik.http.routers.nextcloud_dav.middlewares=nextcloud_app_dav"
@@ -150,8 +151,6 @@ services:
       - "traefik.http.middlewares.nextcloud_app_dav.replacepathregex.replacement=/remote.php/dav/"
 
   nextcloud-app-cron:
-    profiles:
-      - donotstart
     image: nextcloud:latest
     container_name: "nextcloud-app-cron"
     restart: unless-stopped
@@ -225,9 +224,11 @@ services:
       - FORGEJO__database__PASSWD=forgejo1234
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.forgejo_app.rule=Host(`forge.oxmox.dev`)"
+      - "traefik.http.routers.forgejo_app.rule=Host(`oxmox.dev`) && PathPrefix(`/forge`)"
       - "traefik.http.routers.forgejo_app.entrypoints=websecure"
       - "traefik.http.routers.forgejo_app.tls.certresolver=myresolver"
+      - "traefik.http.routers.forgejo_app.middlewares=forgejo_app_strip"
+      - "traefik.http.middlewares.forgejo_app_strip.stripprefix.prefixes=/forge"
       - "traefik.http.services.forgejo-app.loadbalancer.server.port=3000"
 
   prometheus:
@@ -239,7 +240,6 @@ services:
       - '--web.external-url=/prometheus/'
       - '--web.route-prefix=/prometheus/'
       - '--storage.tsdb.path=/prometheus/tsdb'
-        #- '--log.level=debug'
     volumes:
       - ./prometheus:/prometheus
       - /etc/timezone:/etc/timezone:ro
@@ -254,9 +254,6 @@ services:
       - "traefik.http.routers.prometheus_app.tls.certresolver=myresolver"
       - "traefik.http.routers.prometheus_app.middlewares=traefik_api_auth"
       - "traefik.http.services.prometheus_app.loadbalancer.server.port=9090"
-    extra_hosts:
-      # To be able to reach node-exporter which listens on the host network.
-      - "host.docker.internal:host-gateway"
 
   grafana:
     image: grafana/grafana
@@ -290,15 +287,19 @@ services:
     container_name: node-exporter
     restart: unless-stopped
     <<: *logging
-    # Put node-exporter on the host network to get meaningful network stats.
-    network_mode: host
+    #network_mode: host
     pid: host
     volumes:
+      #- /proc:/host/proc:ro
+      #- /sys:/host/sys:ro
       - /:/rootfs:ro,rslave
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
     command:
+      #- '--path.procfs=/host/proc'
       - '--path.rootfs=/rootfs'
+      #- '--path.sysfs=/host/sys'
+      #- '--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)'
     expose:
       - 9100
 
@@ -343,65 +344,6 @@ services:
     labels:
       - "traefik.enable=false"
 
-  crowdsec:
-    image: crowdsecurity/crowdsec:latest-debian
-    container_name: "crowdsec"
-    restart: unless-stopped
-    <<: *logging
-    environment:
-      #this is the list of collections we want to install
-      #https://hub.crowdsec.net/author/crowdsecurity/collections/nginx
-      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/nextcloud"
-      GID: "${GID-1000}"
-    depends_on:
-      - traefik
-    volumes:
-      - ./crowdsec/acquis.d:/etc/crowdsec/acquis.d
-      - ./crowdsec/config.yaml.local:/etc/crowdsec/config.yaml.local
-      - ./crowdsec/etc:/etc/crowdsec/
-      - ./crowdsec/db:/var/lib/crowdsec/data/
-      - /etc/timezone:/etc/timezone:ro
-      - /etc/localtime:/etc/localtime:ro
-      - /var/log/journal:/run/log/journal # host journald
-      - /var/run/docker.sock:/var/run/docker.sock:ro # host docker
-      - ./traefik/logs/access.log:/run/logs/traefik-access.log:ro
-      - ./nextcloud-app/nextcloud/data/nextcloud.log:/run/logs/nextcloud.log:ro
-
-  # metabase, because security is cool, but dashboards are cooler
-  crowdsec-dashboard:
-    container_name: "crowdsec-dashboard"
-    # we're using a custom Dockerfile so that metabase pops with pre-configured dashboards
-    build: ./crowdsec/dashboard
-    restart: unless-stopped
-    <<: *logging
-    ports:
-      - 3000:3000
-    environment:
-      MB_DB_FILE: /data/metabase.db
-      MGID: "${GID-1000}"
-    depends_on:
-      - 'crowdsec'
-    volumes:
-      - ./crowdsec/db:/metabase-data/
-      # FIXME: as soon as I enable this the metabase config is lost and the setup wizard starts.
-      # If it's not enabled then everythings works and the dashboard uses the
-      # default app downloaded in the dockerfile. This means default user and
-      # password. Problem is, once the container is restarted the changes are
-      # lost and we're back with the default user and password.
-      # I do not understand why this is happening, how to debug it or anything
-      # else. Metabase bad :(
-      #- ./crowdsec/dashboard-db/:/data/
-      - /etc/timezone:/etc/timezone:ro
-      - /etc/localtime:/etc/localtime:ro
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.crowdsec_dashboard_app.rule=Host(`oxmox.dev`) && PathPrefix(`/crowdsec`)"
-      - "traefik.http.routers.crowdsec_dashboard_app.entrypoints=websecure"
-      - "traefik.http.routers.crowdsec_dashboard_app.tls.certresolver=myresolver"
-      - "traefik.http.routers.crowdsec_dashboard_app.middlewares=traefik_api_auth"
-      - "traefik.http.routers.crowdsec_dashboard_app.middlewares=traefik_api_auth,crowdsec_dashboard_app_strip"
-      - "traefik.http.middlewares.crowdsec_dashboard_app_strip.stripprefix.prefixes=/crowdsec"
-      - "traefik.http.services.crowdsec_dashboard_app.loadbalancer.server.port=3000"
 
   #wireguard:
   #  image: lscr.io/linuxserver/wireguard:latest

env.sh

@@ -1,3 +1,2 @@
 alias nextcloud-occ='docker exec -it -u 33 nextcloud-app /var/www/html/occ'
 alias mail-setup='docker exec -it mailserver setup'
-alias forgejo='docker exec -u git -it forgejo-app forgejo'

prometheus/prometheus.yml

@@ -1,25 +1,20 @@
 global:
-  scrape_interval: 15s
+  scrape_interval: 30s
   scrape_timeout: 10s
   evaluation_interval: 1m
 
 scrape_configs:
 - job_name: 'traefik'
+  scrape_interval: 1m
   static_configs:
   - targets: ['traefik:8080'] 
 
 - job_name: 'node'
+  scrape_interval: 1m
   static_configs:
-  - targets: ['host.docker.internal:9100']
+  - targets: ['node-exporter:9100'] 
 
 - job_name: 'loki'
+  scrape_interval: 1m
   static_configs:
-    - targets: ['loki-app:3100']
-
-- job_name: 'docker'
-  static_configs:
-    - targets: ['host.docker.internal:9323']
-
-- job_name: 'prometheus'
-  static_configs:
-    - targets: ['localhost:9090']
+    - targets: ['loki-app:3100']