Add ping to traefik

Uses Crowdsec

Co-authored-by: Copilot <copilot@github.com>

.gitignore

@@ -0,0 +1,31 @@
+# Environment files with credentials
+.env
+.env.local
+.env.*.local
+
+# Database files
+*.sqlite3
+*.db
+
+# Logs
+*.log
+logs/
+
+# Dependencies
+node_modules/
+venv/
+env/
+
+# OS
+.DS_Store
+Thumbs.db
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# Letsencrypt
+letsencrypt/

authelia/docker-compose.yml

@@ -5,7 +5,7 @@ networks:
 
 services:
   authelia:
-    image: authelia/authelia:latest
+    image: authelia/authelia:4.37.5
     container_name: authelia
     volumes:
       - ./config:/config
@@ -14,6 +14,19 @@ services:
     environment:
       - TZ=UTC
     restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:9091/api/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+    resources:
+      limits:
+        cpus: '0.5'
+        memory: 512M
+      reservations:
+        cpus: '0.25'
+        memory: 256M
     labels:
       - "traefik.enable=true"
       # The URL where you will actually log in
@@ -21,8 +34,6 @@ services:
       - "traefik.http.routers.authelia.entrypoints=websecure"
       - "traefik.http.routers.authelia.tls.certresolver=myresolver"
       - "traefik.http.services.authelia.loadbalancer.server.port=9091"
-
-# --- ADD THESE THREE LINES BELOW ---
       - "traefik.http.middlewares.authelia-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.quangkhai.ch/"
       - "traefik.http.middlewares.authelia-auth.forwardauth.trustForwardHeader=true"
       - "traefik.http.middlewares.authelia-auth.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"

prometheus/docker-compose.yml

@@ -18,17 +18,26 @@ services:
     image: pdreker/fritz_exporter:2
     container_name: fritz-exporter
     restart: always
+    env_file:
+      - ./.env
     environment:
-      FRITZ_HOSTNAME: '192.168.178.1'
+      FRITZ_HOSTNAME: '${FRITZ_HOSTNAME}'
-      FRITZ_USERNAME: 'fritz9297'
+      FRITZ_USERNAME: '${FRITZ_USERNAME}'
-      FRITZ_PASSWORD: 'VeNuocNuocVe26!'
+      FRITZ_PASSWORD: '${FRITZ_PASSWORD}'
     ports:
       - "9787:9787"
     networks:
       - back-tier
+    resources:
+      limits:
+        cpus: '0.2'
+        memory: 128M
+      reservations:
+        cpus: '0.1'
+        memory: 64M
 
   prometheus:
-    image: prom/prometheus:latest
+    image: prom/prometheus:v2.54.0
     volumes:
       - ./prometheus/:/etc/prometheus/
       - prometheus_data:/prometheus
@@ -44,13 +53,26 @@ services:
     networks:
       - back-tier
     restart: always
+    healthcheck:
+      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:9090/-/healthy"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+    resources:
+      limits:
+        cpus: '1'
+        memory: 1G
+      reservations:
+        cpus: '0.5'
+        memory: 512M
 #    deploy:
 #      placement:
 #        constraints:
 #          - node.hostname == ${HOSTNAME}
 
   grafana:
-    image: grafana/grafana
+    image: grafana/grafana:11.0.0
     user: "472"
     depends_on:
       - prometheus
@@ -68,6 +90,19 @@ services:
       - front-tier
       - proxy_tier
     restart: always
+    healthcheck:
+      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:3000/api/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+    resources:
+      limits:
+        cpus: '1'
+        memory: 512M
+      reservations:
+        cpus: '0.5'
+        memory: 256M
     labels:
       - "traefik.enable=true"
       # HTTP to HTTPS Redirect
@@ -75,4 +110,5 @@ services:
       - "traefik.http.routers.grafana.rule=Host(`grafana.quangkhai.ch`)"
       - "traefik.http.routers.grafana.tls.certresolver=myresolver"
       - "traefik.http.services.grafana.loadbalancer.server.port=3000"
+      - "traefik.http.routers.grafana.middlewares=authelia-auth@docker"
       - "traefik.docker.network=proxy_tier"

traefik/crowdsec/acquis.yaml

@@ -0,0 +1,4 @@
+filenames:
+  - /var/log/traefik/access.log
+labels:
+  type: traefik

traefik/docker-compose.yaml

@@ -2,11 +2,18 @@ services:
   traefik:
     image: traefik:v3.6
     container_name: traefik
+    depends_on:
+      - crowdsec
     command:
-      #- "--api.dashboard=true"
+      - "--api.dashboard=true"
-      - "--api.insecure=true"
+      - "--api.insecure=false"
       - "--providers.docker=true"
       - "--providers.docker.exposedbydefault=false"
+      - "--ping=true"
+      - "--experimental.plugins.crowdsec-bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
+      - "--experimental.plugins.crowdsec-bouncer.version=v1.4.2"
+      - "--accesslog=true"
+      - "--accesslog.filepath=/var/log/traefik/access.log"
 
 #      - "--entrypoints.https.address=:443"
 
@@ -14,6 +21,7 @@ services:
       - "--entrypoints.web.address=:80"
       - "--entrypoints.websecure.address=:443"
       - "--entrypoints.mqtt-secure.address=:8883"
+      - "--entrypoints.websecure.http.middlewares=crowdsec@docker"
       # Global HTTP -> HTTPS Redirection
       - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
       - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
@@ -31,16 +39,58 @@ services:
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - ./letsencrypt:/letsencrypt
+      - ./logs:/var/log/traefik
     networks:
       - proxy_tier
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "traefik", "healthcheck", "--ping"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 5s
+    deploy:
+      resources:
+        limits:
+          cpus: '2'
+          memory: 512M
+        reservations:
+          cpus: '1'
+          memory: 256M
     labels:
       # THE MIDDLEWARE DEFINITION
       - "traefik.http.middlewares.authelia-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.quangkhai.ch/"
       - "traefik.http.middlewares.authelia-auth.forwardauth.trustForwardHeader=true"
       - "traefik.http.middlewares.authelia-auth.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
+      - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.enabled=true"
+      - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.logLevel=INFO"
+      - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecMode=live"
+      - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecLapiHost=crowdsec:8080"
+      - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecLapiScheme=http"
+      - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecLapiKey=${CROWDSEC_BOUNCER_KEY:-change-me}"
+
+  crowdsec:
+    image: crowdsecurity/crowdsec:latest
+    container_name: crowdsec
+    environment:
+      - TZ=UTC
+      - COLLECTIONS=crowdsecurity/traefik
+      - BOUNCER_KEY_TRAEFIK=${CROWDSEC_BOUNCER_KEY:-change-me}
+    volumes:
+      - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml:ro
+      - ./logs:/var/log/traefik:ro
+      - crowdsec-db:/var/lib/crowdsec/data
+      - crowdsec-config:/etc/crowdsec
+    networks:
+      - proxy_tier
+    restart: unless-stopped
 
 
 networks:
   proxy_tier:
     name: proxy_tier
     external: true
+
+volumes:
+  crowdsec-db:
+  crowdsec-config: