From dd22d6fe1365aa49550e7fef2d852706d115d174 Mon Sep 17 00:00:00 2001 From: ue87775 Date: Wed, 15 Apr 2026 14:40:58 +0200 Subject: [PATCH 1/4] Deployment Script --- deploy.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 deploy.sh diff --git a/deploy.sh b/deploy.sh new file mode 100644 index 0000000..e69de29 -- 2.52.0 From 7da39198f881df64104d7f9f1f4dd570c354617a Mon Sep 17 00:00:00 2001 From: ue87775 Date: Fri, 24 Apr 2026 10:17:03 +0200 Subject: [PATCH 2/4] https://gitea.quangkhai.ch/quangkhai/deployments/issues/6 Uses Crowdsec Co-authored-by: Copilot --- traefik/crowdsec/acquis.yaml | 4 +++ traefik/docker-compose.yaml | 49 ++++++++++++++++++++++++++++++------ 2 files changed, 46 insertions(+), 7 deletions(-) create mode 100644 traefik/crowdsec/acquis.yaml diff --git a/traefik/crowdsec/acquis.yaml b/traefik/crowdsec/acquis.yaml new file mode 100644 index 0000000..f023943 --- /dev/null +++ b/traefik/crowdsec/acquis.yaml @@ -0,0 +1,4 @@ +filenames: + - /var/log/traefik/access.log +labels: + type: traefik diff --git a/traefik/docker-compose.yaml b/traefik/docker-compose.yaml index 8598635..88ed50c 100644 --- a/traefik/docker-compose.yaml +++ b/traefik/docker-compose.yaml @@ -2,11 +2,17 @@ services: traefik: image: traefik:v3.6 container_name: traefik + depends_on: + - crowdsec command: - "--api.dashboard=true" - "--api.insecure=false" - "--providers.docker=true" - "--providers.docker.exposedbydefault=false" + - "--experimental.plugins.crowdsec-bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin" + - "--experimental.plugins.crowdsec-bouncer.version=v1.4.2" + - "--accesslog=true" + - "--accesslog.filepath=/var/log/traefik/access.log" # - "--entrypoints.https.address=:443" 
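Review bot: In the first hunk of traefik/docker-compose.yaml, the short-form `depends_on: - crowdsec` only waits for the crowdsec container to be started, not for its local API to answer, and the crowdsec service added later in this patch defines no healthcheck. With `crowdsecMode=live` the bouncer has to query `crowdsec:8080` for addresses it has not cached, so what happens to requests in that start-up window depends on how the plugin treats an unreachable LAPI; that should be a deliberate choice rather than a side effect of start order. Give crowdsec a healthcheck and switch traefik to the long form with `condition: service_healthy`, as sketched below. The traefik service continues past the end of this hunk.

```yaml
  traefik:
    depends_on:
      crowdsec:
        condition: service_healthy
    # … unchanged: command, volumes, healthcheck, labels …

  crowdsec:
    # … unchanged: image, environment, volumes, networks …
    healthcheck:
      test: ["CMD", "cscli", "lapi", "status"]
      interval: 30s
      timeout: 10s
      retries: 3
```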
@@ -14,6 +20,7 @@ services:
 - "--entrypoints.web.address=:80"
 - "--entrypoints.websecure.address=:443"
 - "--entrypoints.mqtt-secure.address=:8883"
+ - "--entrypoints.websecure.http.middlewares=crowdsec@docker"
 # Global HTTP -> HTTPS Redirection
 - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
 - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
@@ -31,6 +38,7 @@ services:
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock:ro
 - ./letsencrypt:/letsencrypt
+ - ./logs:/var/log/traefik
 networks:
 - proxy_tier
 restart: unless-stopped
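Review bot: The bouncer is attached only to `websecure` in the `@@ -14,6 +20,7 @@` hunk, so CrowdSec decisions will not apply to the `mqtt-secure` entry point on :8883 declared just above it; an HTTP middleware cannot filter that listener if it carries TCP routers, which the name suggests. Because the middleware is set at entry-point level it also sits in front of every router on :443, so a `crowdsec@docker` definition that fails to load would affect all sites at once. A comment on the new line would record both, for example `# CrowdSec bouncer: all HTTPS routers; mqtt-secure (:8883) is not covered`. The command list starts and ends outside this hunk.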
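Review bot: The `./logs:/var/log/traefik` mount in the `@@ -31,6 +38,7 @@` hunk becomes the only home of the access log enabled earlier in this patch, and nothing here rotates it. Traefik does not rotate its own log files; it reopens them on SIGUSR1, so rotation has to come from the host. A full disk stops the access log and leaves CrowdSec, which reads the same directory, with nothing to parse. Suggest documenting it at the mount, `# access log for CrowdSec; rotate on the host and send USR1 to traefik`, and adding the logrotate rule to the deployment.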
@@ -40,21 +48,48 @@ services: timeout: 10s retries: 3 start_period: 5s - resources: - limits: - cpus: '2' - memory: 512M - reservations: - cpus: '1' - memory: 256M + deploy: + resources: + limits: + cpus: '2' + memory: 512M + reservations: + cpus: '1' + memory: 256M labels: # THE MIDDLEWARE DEFINITION - "traefik.http.middlewares.authelia-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.quangkhai.ch/" - "traefik.http.middlewares.authelia-auth.forwardauth.trustForwardHeader=true" - "traefik.http.middlewares.authelia-auth.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email" + - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.enabled=true" + - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.logLevel=INFO" + - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecMode=live" + - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecLapiHost=crowdsec:8080" + - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecLapiScheme=http" + - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecLapiKey=${CROWDSEC_BOUNCER_KEY:-change-me}" + + crowdsec: + image: crowdsecurity/crowdsec:latest + container_name: crowdsec + environment: + - TZ=UTC + - COLLECTIONS=crowdsecurity/traefik + - BOUNCER_KEY_TRAEFIK=${CROWDSEC_BOUNCER_KEY:-change-me} + volumes: + - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml:ro + - ./logs:/var/log/traefik:ro + - crowdsec-db:/var/lib/crowdsec/data + - crowdsec-config:/etc/crowdsec + networks: + - proxy_tier + restart: unless-stopped networks: proxy_tier: name: proxy_tier external: true + +volumes: + crowdsec-db: + crowdsec-config: -- 2.52.0 From 9d7b7224628450f96d66a0f43e4624b3fc41c143 Mon Sep 17 00:00:00 2001 From: ue87775 Date: Mon, 27 Apr 2026 09:09:46 +0200 Subject: [PATCH 3/4] fix Grafana Authelia --- prometheus/docker-compose.yml | 1 + 1 file changed, 1 insertion(+) 
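Review bot: The `:-change-me` fallback in both `crowdsecLapiKey=${CROWDSEC_BOUNCER_KEY:-change-me}` and `BOUNCER_KEY_TRAEFIK=${CROWDSEC_BOUNCER_KEY:-change-me}` (hunk `@@ -40,21 +48,48 @@`) lets the stack start with a publicly guessable bouncer key whenever the variable is missing, and nothing fails to show it. Use the required form in both places, `${CROWDSEC_BOUNCER_KEY:?CROWDSEC_BOUNCER_KEY must be set}`, so Compose aborts instead. The LAPI at `crowdsec:8080` is reachable from every container on the external `proxy_tier` network, and the key is also stored in a container label where anything able to inspect the container can read it. In the same hunk `crowdsecurity/crowdsec:latest` is unpinned while the plugin is pinned to v1.4.2; pin the image to a fixed tag or digest.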
diff --git a/prometheus/docker-compose.yml b/prometheus/docker-compose.yml
index aba830d..9c3088c 100755
--- a/prometheus/docker-compose.yml
+++ b/prometheus/docker-compose.yml
@@ -110,4 +110,5 @@ services:
 - "traefik.http.routers.grafana.rule=Host(`grafana.quangkhai.ch`)"
 - "traefik.http.routers.grafana.tls.certresolver=myresolver"
 - "traefik.http.services.grafana.loadbalancer.server.port=3000"
+ - "traefik.http.routers.grafana.middlewares=authelia-auth@docker"
 - "traefik.docker.network=proxy_tier"
-- 
2.52.0
From 2a4d174ba3b4aff62a40a3109c115e57077fe698 Mon Sep 17 00:00:00 2001
From: ue87775
Date: Mon, 27 Apr 2026 09:10:01 +0200
Subject: [PATCH 4/4] Add ping to traefik
---
 traefik/docker-compose.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/traefik/docker-compose.yaml b/traefik/docker-compose.yaml
index 88ed50c..512e18e 100644
--- a/traefik/docker-compose.yaml
+++ b/traefik/docker-compose.yaml
@@ -9,6 +9,7 @@ services:
 - "--api.insecure=false"
 - "--providers.docker=true"
 - "--providers.docker.exposedbydefault=false"
+ - "--ping=true"
 - "--experimental.plugins.crowdsec-bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
 - "--experimental.plugins.crowdsec-bouncer.version=v1.4.2"
 - "--accesslog=true"
-- 
2.52.0
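Review bot: The added `authelia-auth@docker` label in prometheus/docker-compose.yml protects Grafana only for requests that arrive through this Traefik router, and the rest of the grafana service is outside the hunk, so it cannot be seen whether port 3000 is also published on the host. If it is, that path skips Authelia entirely. Worth confirming there is no `ports:` entry for 3000 and recording the assumption above the label, e.g. `# auth is enforced by Traefik; do not publish 3000 on the host`.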