add forgejo alias, disable nextcloud containers

Basic crowdsec and metabase dashboard setup is done. journalctl ssh
monitoring and alerts work. Need to check if other log sources work.

No bouncers active yet!

README.md

@@ -1,3 +1,3 @@
-wireguard and traefik on the same vpn network
-add traefik entry point to the vpn network
-only enable api and dashboard on the internal networl
+TODO
+====
+* Try out cAdvisor and a dashboard like 10619

crowdsec/acquis.d/docker-containers.yml

@@ -0,0 +1,9 @@
+source: docker
+container_name:
+  - nextcloud-app
+  - forgejo-app
+  - prometheus
+  - grafana
+  - mailserver
+labels:
+  type: syslog

crowdsec/acquis.d/host-ssh.yml

@@ -0,0 +1,5 @@
+source: journalctl
+journalctl_filter:
+   - "_SYSTEMD_UNIT=ssh.service"
+labels:
+    type: syslog

crowdsec/acquis.d/nextcloud.yml

@@ -0,0 +1,5 @@
+source: file
+filenames:
+   - /run/logs/nextcloud.log
+labels:
+    type: Nextcloud

crowdsec/acquis.d/traefik.yml

@@ -0,0 +1,5 @@
+source: file
+filenames:
+  - /run/logs/traefik-access.log
+labels:
+    type: traefik

crowdsec/dashboard/Dockerfile

@@ -0,0 +1,3 @@
+FROM metabase/metabase
+
+RUN mkdir /data/ && wget https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/metabase_sqlite.zip && unzip metabase_sqlite.zip -d /data/

dms/docker-compose.yaml

@@ -1,5 +1,3 @@
-version: "3.8"
-
 # logger driver - change this driver to ship all container logs to a different location
 x-logging: &logging
   logging:
@@ -45,4 +43,4 @@ services:
       retries: 0
     <<: *logging
     labels:
-      - "traefik.enable=true"
+      - "traefik.enable=false"

dms/mailserver.env

@@ -254,7 +254,7 @@ ENABLE_QUOTAS=1
 # Set the message size limit for all users. If set to zero, the size will be unlimited (not recommended!)
 #
 # empty => 10240000 (~10 MB)
-POSTFIX_MESSAGE_SIZE_LIMIT=
+POSTFIX_MESSAGE_SIZE_LIMIT=104857600 # 100MB
 
 # Mails larger than this limit won't be scanned.
 # ClamAV must be enabled (ENABLE_CLAMAV=1) for this.

docker-compose.yml

@@ -1,5 +1,3 @@
-version: "3.8"
-
 # logger driver - change this driver to ship all container logs to a different location
 x-logging: &logging
   logging:
@@ -46,7 +44,6 @@ services:
     labels:
       - "traefik.enable=true"
       # Make the traefik dashboard available under https://oxmox.dev/traefik/dashboard/
-      # For some reason it's slow when used this way. It's fast when exposed via port 8080 and api.insecure=true.
       - "traefik.http.routers.traefik_api.rule=Host(`oxmox.dev`) && (PathPrefix(`/api`) || PathPrefix(`/traefik`))"
       - "traefik.http.routers.traefik_api.entrypoints=websecure"
       - "traefik.http.routers.traefik_api.tls.certresolver=myresolver"
@@ -66,6 +63,8 @@ services:
       - "traefik.http.routers.whoami.tls.certresolver=myresolver"
 
   nextcloud-db:
+    profiles:
+      - donotstart
     image: mariadb:latest
     container_name: "nextcloud-db"
     restart: unless-stopped
@@ -105,7 +104,9 @@ services:
       - "traefik.enable=false"
 
   nextcloud-app:
-    image: nextcloud:latest
+    profiles:
+      - donotstart
+    image: nextcloud:27-apache
     container_name: "nextcloud-app"
     restart: unless-stopped
     <<: *logging
@@ -122,11 +123,11 @@ services:
       - MYSQL_PASSWORD_FILE=/run/secrets/nextcloud_db_password
       - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/nextcloud_db_root_password
       # reverse proxy setup
-      - APACHE_DISABLE_REWRITE_IP=1
-      - TRUSTED_PROXIES=192.168.128.0/24
-      - NEXTCLOUD_TRUSTED_DOMAINS=oxmox.dev
+      #- APACHE_DISABLE_REWRITE_IP=0
+      - TRUSTED_PROXIES="172.18.0.0/16 172.18.0.9"
+      - NEXTCLOUD_TRUSTED_DOMAINS=cloud.oxmox.dev
       # PHP tuning
-      - PHP_MEMORY_LIMIT=256M # default=512M
+      - PHP_MEMORY_LIMIT=512M # default=512M
       - PHP_UPLOAD_LIMIT=512M # default=512M
       # Sadly this did not work for me.
       #- NEXTCLOUD_ADMIN_USER=admin
@@ -137,13 +138,11 @@ services:
       - nextcloud_admin_password
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.nextcloud_app.rule=Host(`oxmox.dev`) && PathPrefix(`/nextcloud`)"
+      - "traefik.http.routers.nextcloud_app.rule=Host(`cloud.oxmox.dev`)"
       - "traefik.http.routers.nextcloud_app.entrypoints=websecure"
       - "traefik.http.routers.nextcloud_app.tls.certresolver=myresolver"
-      - "traefik.http.routers.nextcloud_app.middlewares=nextcloud_app_strip"
-      - "traefik.http.middlewares.nextcloud_app_strip.stripprefix.prefixes=/nextcloud"
 
-      - "traefik.http.routers.nextcloud_dav.rule=Host(`oxmox.dev`) && PathPrefix(`/.well-known/`)"
+      - "traefik.http.routers.nextcloud_dav.rule=(Host(`cloud.oxmox.dev`) || Host(`oxmox.dev`)) && PathPrefix(`/.well-known/`)"
       - "traefik.http.routers.nextcloud_dav.entrypoints=websecure"
       - "traefik.http.routers.nextcloud_dav.tls.certresolver=myresolver"
       - "traefik.http.routers.nextcloud_dav.middlewares=nextcloud_app_dav"
@@ -151,6 +150,8 @@ services:
       - "traefik.http.middlewares.nextcloud_app_dav.replacepathregex.replacement=/remote.php/dav/"
 
   nextcloud-app-cron:
+    profiles:
+      - donotstart
     image: nextcloud:latest
     container_name: "nextcloud-app-cron"
     restart: unless-stopped
@@ -224,11 +225,9 @@ services:
       - FORGEJO__database__PASSWD=forgejo1234
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.forgejo_app.rule=Host(`oxmox.dev`) && PathPrefix(`/forge`)"
+      - "traefik.http.routers.forgejo_app.rule=Host(`forge.oxmox.dev`)"
       - "traefik.http.routers.forgejo_app.entrypoints=websecure"
       - "traefik.http.routers.forgejo_app.tls.certresolver=myresolver"
-      - "traefik.http.routers.forgejo_app.middlewares=forgejo_app_strip"
-      - "traefik.http.middlewares.forgejo_app_strip.stripprefix.prefixes=/forge"
       - "traefik.http.services.forgejo-app.loadbalancer.server.port=3000"
 
   prometheus:
@@ -240,6 +239,7 @@ services:
       - '--web.external-url=/prometheus/'
       - '--web.route-prefix=/prometheus/'
       - '--storage.tsdb.path=/prometheus/tsdb'
+        #- '--log.level=debug'
     volumes:
       - ./prometheus:/prometheus
       - /etc/timezone:/etc/timezone:ro
@@ -254,6 +254,9 @@ services:
       - "traefik.http.routers.prometheus_app.tls.certresolver=myresolver"
       - "traefik.http.routers.prometheus_app.middlewares=traefik_api_auth"
       - "traefik.http.services.prometheus_app.loadbalancer.server.port=9090"
+    extra_hosts:
+      # To be able to reach node-exporter which listens on the host network.
+      - "host.docker.internal:host-gateway"
 
   grafana:
     image: grafana/grafana
@@ -287,19 +290,15 @@ services:
     container_name: node-exporter
     restart: unless-stopped
     <<: *logging
-    #network_mode: host
+    # Put node-exporter on the host network to get meaningful network stats.
+    network_mode: host
     pid: host
     volumes:
-      #- /proc:/host/proc:ro
-      #- /sys:/host/sys:ro
       - /:/rootfs:ro,rslave
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
     command:
-      #- '--path.procfs=/host/proc'
       - '--path.rootfs=/rootfs'
-      #- '--path.sysfs=/host/sys'
-      #- '--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)'
     expose:
       - 9100
 
@@ -344,6 +343,65 @@ services:
     labels:
       - "traefik.enable=false"
 
+  crowdsec:
+    image: crowdsecurity/crowdsec:latest-debian
+    container_name: "crowdsec"
+    restart: unless-stopped
+    <<: *logging
+    environment:
+      #this is the list of collections we want to install
+      #https://hub.crowdsec.net/author/crowdsecurity/collections/nginx
+      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/nextcloud"
+      GID: "${GID-1000}"
+    depends_on:
+      - traefik
+    volumes:
+      - ./crowdsec/acquis.d:/etc/crowdsec/acquis.d
+      - ./crowdsec/config.yaml.local:/etc/crowdsec/config.yaml.local
+      - ./crowdsec/etc:/etc/crowdsec/
+      - ./crowdsec/db:/var/lib/crowdsec/data/
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+      - /var/log/journal:/run/log/journal # host journald
+      - /var/run/docker.sock:/var/run/docker.sock:ro # host docker
+      - ./traefik/logs/access.log:/run/logs/traefik-access.log:ro
+      - ./nextcloud-app/nextcloud/data/nextcloud.log:/run/logs/nextcloud.log:ro
+
+  # metabase, because security is cool, but dashboards are cooler
+  crowdsec-dashboard:
+    container_name: "crowdsec-dashboard"
+    # we're using a custom Dockerfile so that metabase pops with pre-configured dashboards
+    build: ./crowdsec/dashboard
+    restart: unless-stopped
+    <<: *logging
+    ports:
+      - 3000:3000
+    environment:
+      MB_DB_FILE: /data/metabase.db
+      MGID: "${GID-1000}"
+    depends_on:
+      - 'crowdsec'
+    volumes:
+      - ./crowdsec/db:/metabase-data/
+      # FIXME: as soon as I enable this the metabase config is lost and the setup wizard starts.
+      # If it's not enabled then everythings works and the dashboard uses the
+      # default app downloaded in the dockerfile. This means default user and
+      # password. Problem is, once the container is restarted the changes are
+      # lost and we're back with the default user and password.
+      # I do not understand why this is happening, how to debug it or anything
+      # else. Metabase bad :(
+      #- ./crowdsec/dashboard-db/:/data/
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.crowdsec_dashboard_app.rule=Host(`oxmox.dev`) && PathPrefix(`/crowdsec`)"
+      - "traefik.http.routers.crowdsec_dashboard_app.entrypoints=websecure"
+      - "traefik.http.routers.crowdsec_dashboard_app.tls.certresolver=myresolver"
+      - "traefik.http.routers.crowdsec_dashboard_app.middlewares=traefik_api_auth"
+      - "traefik.http.routers.crowdsec_dashboard_app.middlewares=traefik_api_auth,crowdsec_dashboard_app_strip"
+      - "traefik.http.middlewares.crowdsec_dashboard_app_strip.stripprefix.prefixes=/crowdsec"
+      - "traefik.http.services.crowdsec_dashboard_app.loadbalancer.server.port=3000"
 
   #wireguard:
   #  image: lscr.io/linuxserver/wireguard:latest

env.sh

@@ -1,2 +1,3 @@
 alias nextcloud-occ='docker exec -it -u 33 nextcloud-app /var/www/html/occ'
 alias mail-setup='docker exec -it mailserver setup'
+alias forgejo='docker exec -u git -it forgejo-app forgejo'

prometheus/prometheus.yml

@@ -1,20 +1,25 @@
 global:
-  scrape_interval: 30s
+  scrape_interval: 15s
   scrape_timeout: 10s
   evaluation_interval: 1m
 
 scrape_configs:
 - job_name: 'traefik'
-  scrape_interval: 1m
   static_configs:
   - targets: ['traefik:8080'] 
 
 - job_name: 'node'
-  scrape_interval: 1m
   static_configs:
-  - targets: ['node-exporter:9100'] 
+  - targets: ['host.docker.internal:9100']
 
 - job_name: 'loki'
-  scrape_interval: 1m
   static_configs:
     - targets: ['loki-app:3100']
+
+- job_name: 'docker'
+  static_configs:
+    - targets: ['host.docker.internal:9323']
+
+- job_name: 'prometheus'
+  static_configs:
+    - targets: ['localhost:9090']