8 Commits

ue87775 2a4d174ba3 Add ping to traefik 2026-04-27 09:10:01 +02:00
ue87775 9d7b722462 fix Grafana Authelia 2026-04-27 09:09:46 +02:00
ue87775 7da39198f8 #6
Uses Crowdsec

Co-authored-by: Copilot <copilot@github.com>
2026-04-24 10:17:03 +02:00
ue87775 dd22d6fe13 Deployment Script 2026-04-15 14:40:58 +02:00
quangkhai ff110c77ee add gitignore 2026-04-15 07:12:37 +02:00
quangkhai 9c283409d8 refactoring prometheus 2026-04-15 07:12:24 +02:00
quangkhai 5d1de4bc4e refactoring traefik 2026-04-15 07:12:01 +02:00
quangkhai fd9a34e273 refactor Authelia 2026-04-15 07:10:58 +02:00
6 changed files with 142 additions and 10 deletions
+31
@@ -0,0 +1,31 @@
# Environment files with credentials
.env
.env.local
.env.*.local
# Database files
*.sqlite3
*.db
# Logs
*.log
logs/
# Dependencies
node_modules/
venv/
env/
# OS
.DS_Store
Thumbs.db
# IDE
.vscode/
.idea/
*.swp
*.swo
*~
# Letsencrypt
letsencrypt/
+14 -3
@@ -5,7 +5,7 @@ networks:
services:
authelia:
image: authelia/authelia:latest
image: authelia/authelia:4.37.5
container_name: authelia
volumes:
- ./config:/config
@@ -14,6 +14,19 @@ services:
environment:
- TZ=UTC
restart: unless-stopped
healthcheck:
test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:9091/api/health"]
interval: 30s
timeout: 10s
retries: 3
start_period: 40s
resources:
limits:
cpus: '0.5'
memory: 512M
reservations:
cpus: '0.25'
memory: 256M
labels:
- "traefik.enable=true"
# The URL where you will actually log in
@@ -21,8 +34,6 @@ services:
- "traefik.http.routers.authelia.entrypoints=websecure"
- "traefik.http.routers.authelia.tls.certresolver=myresolver"
- "traefik.http.services.authelia.loadbalancer.server.port=9091"
# --- ADD THESE THREE LINES BELOW ---
- "traefik.http.middlewares.authelia-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.quangkhai.ch/"
- "traefik.http.middlewares.authelia-auth.forwardauth.trustForwardHeader=true"
- "traefik.http.middlewares.authelia-auth.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
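Review bot: The `resources:` block added in the second hunk appears to sit directly under the `authelia` service, whereas the traefik compose file in this same change nests it under `deploy:`; Compose rejects unknown service-level keys, so unless the lost indentation hides a `deploy:` line this service will fail validation. Nest it as `deploy:` / `  resources:` with the limits and reservations beneath, and apply the same to the fritz-exporter, prometheus and grafana additions in the prometheus section, which show the same shape. The third hunk removes part of the `authelia-auth` forwardauth definition while the traefik container now carries the full definition on its own labels; whichever of these lines survive here should go too, so that Traefik sees exactly one definition of the middleware name. The `authelia` service mapping continues outside these hunks.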
+41 -5
@@ -18,17 +18,26 @@ services:
image: pdreker/fritz_exporter:2
container_name: fritz-exporter
restart: always
env_file:
- ./.env
environment:
FRITZ_HOSTNAME: '192.168.178.1'
FRITZ_USERNAME: 'fritz9297'
FRITZ_PASSWORD: 'VeNuocNuocVe26!'
FRITZ_HOSTNAME: '${FRITZ_HOSTNAME}'
FRITZ_USERNAME: '${FRITZ_USERNAME}'
FRITZ_PASSWORD: '${FRITZ_PASSWORD}'
ports:
- "9787:9787"
networks:
- back-tier
resources:
limits:
cpus: '0.2'
memory: 128M
reservations:
cpus: '0.1'
memory: 64M
prometheus:
image: prom/prometheus:latest
image: prom/prometheus:v2.54.0
volumes:
- ./prometheus/:/etc/prometheus/
- prometheus_data:/prometheus
@@ -44,13 +53,26 @@ services:
networks:
- back-tier
restart: always
healthcheck:
test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:9090/-/healthy"]
interval: 30s
timeout: 10s
retries: 3
start_period: 40s
resources:
limits:
cpus: '1'
memory: 1G
reservations:
cpus: '0.5'
memory: 512M
# deploy:
# placement:
# constraints:
# - node.hostname == ${HOSTNAME}
grafana:
image: grafana/grafana
image: grafana/grafana:11.0.0
user: "472"
depends_on:
- prometheus
@@ -68,6 +90,19 @@ services:
- front-tier
- proxy_tier
restart: always
healthcheck:
test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:3000/api/health"]
interval: 30s
timeout: 10s
retries: 3
start_period: 40s
resources:
limits:
cpus: '1'
memory: 512M
reservations:
cpus: '0.5'
memory: 256M
labels:
- "traefik.enable=true"
# HTTP to HTTPS Redirect
@@ -75,4 +110,5 @@ services:
- "traefik.http.routers.grafana.rule=Host(`grafana.quangkhai.ch`)"
- "traefik.http.routers.grafana.tls.certresolver=myresolver"
- "traefik.http.services.grafana.loadbalancer.server.port=3000"
- "traefik.http.routers.grafana.middlewares=authelia-auth@docker"
- "traefik.docker.network=proxy_tier"
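Review bot: The Fritz!Box username and password removed at the top of the first hunk stay in git history even though the new side reads them from `./.env`, so the device password should be rotated and a history rewrite considered before the repository is shared further. The new `environment:` entries such as `FRITZ_PASSWORD: '${FRITZ_PASSWORD}'` are resolved by Compose interpolation from the host environment and the project-directory `.env`, not from `env_file:`, so they duplicate what `env_file: ./.env` already injects and silently become empty strings when run from elsewhere; keeping only `env_file:` (or only the interpolated entries) avoids the two drifting apart. As in the authelia section, the three `resources:` blocks here appear to lack the enclosing `deploy:` key that the traefik file uses.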
+4
@@ -0,0 +1,4 @@
filenames:
- /var/log/traefik/access.log
labels:
type: traefik
+52 -2
@@ -2,11 +2,18 @@ services:
traefik:
image: traefik:v3.6
container_name: traefik
depends_on:
- crowdsec
command:
#- "--api.dashboard=true"
- "--api.insecure=true"
- "--api.dashboard=true"
- "--api.insecure=false"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--ping=true"
- "--experimental.plugins.crowdsec-bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
- "--experimental.plugins.crowdsec-bouncer.version=v1.4.2"
- "--accesslog=true"
- "--accesslog.filepath=/var/log/traefik/access.log"
# - "--entrypoints.https.address=:443"
@@ -14,6 +21,7 @@ services:
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--entrypoints.mqtt-secure.address=:8883"
- "--entrypoints.websecure.http.middlewares=crowdsec@docker"
# Global HTTP -> HTTPS Redirection
- "--entrypoints.web.http.redirections.entryPoint.to=websecure"
- "--entrypoints.web.http.redirections.entryPoint.scheme=https"
@@ -31,16 +39,58 @@ services:
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./letsencrypt:/letsencrypt
- ./logs:/var/log/traefik
networks:
- proxy_tier
restart: unless-stopped
healthcheck:
test: ["CMD", "traefik", "healthcheck", "--ping"]
interval: 30s
timeout: 10s
retries: 3
start_period: 5s
deploy:
resources:
limits:
cpus: '2'
memory: 512M
reservations:
cpus: '1'
memory: 256M
labels:
# THE MIDDLEWARE DEFINITION
- "traefik.http.middlewares.authelia-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.quangkhai.ch/"
- "traefik.http.middlewares.authelia-auth.forwardauth.trustForwardHeader=true"
- "traefik.http.middlewares.authelia-auth.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
- "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.enabled=true"
- "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.logLevel=INFO"
- "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecMode=live"
- "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecLapiHost=crowdsec:8080"
- "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecLapiScheme=http"
- "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecLapiKey=${CROWDSEC_BOUNCER_KEY:-change-me}"
crowdsec:
image: crowdsecurity/crowdsec:latest
container_name: crowdsec
environment:
- TZ=UTC
- COLLECTIONS=crowdsecurity/traefik
- BOUNCER_KEY_TRAEFIK=${CROWDSEC_BOUNCER_KEY:-change-me}
volumes:
- ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml:ro
- ./logs:/var/log/traefik:ro
- crowdsec-db:/var/lib/crowdsec/data
- crowdsec-config:/etc/crowdsec
networks:
- proxy_tier
restart: unless-stopped
networks:
proxy_tier:
name: proxy_tier
external: true
volumes:
crowdsec-db:
crowdsec-config:
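Review bot: `${CROWDSEC_BOUNCER_KEY:-change-me}` on the traefik `crowdsecLapiKey` label and on the crowdsec `BOUNCER_KEY_TRAEFIK` line falls back to a fixed, publicly visible key when the variable is unset, and because both sides default to the same value the stack starts and looks healthy with it. Use the required form in both places so Compose fails fast instead: `${CROWDSEC_BOUNCER_KEY:?CROWDSEC_BOUNCER_KEY must be set}`. `crowdsecurity/crowdsec:latest` is also left unpinned while the other commits in this range pin authelia, prometheus and grafana to release tags, and the bouncer plugin version is pinned on the line above it; pin the crowdsec image the same way. The `authelia-auth` forwardauth middleware is now defined on the traefik container labels, so any copy of those labels remaining on the authelia container should be dropped to avoid Traefik receiving two definitions of one middleware name. With `--api.dashboard=true` and `--api.insecure=false` the dashboard is only reachable through a router to `api@internal`, which is not in this hunk; if one is defined elsewhere it should carry `authelia-auth@docker` as well.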