diff --git a/.env b/.env
index 4d4ab1a..980a584 100644
--- a/.env
+++ b/.env
@@ -12,3 +12,33 @@ UMASK=000
 TZ=America/Chicago
 ADMIN_USERNAME=akanealw
 ADMIN_PASSWORD=8ung1e1!
+
+#KUTT
+PORT=3000
+DEFAULT_DOMAIN=aknlw.com
+SITE_NAME=Kutt
+DISALLOW_REGISTRATION=true
+DISALLOW_ANONYMOUS_LINKS=true
+USER_LIMIT_PER_DAY=50
+CUSTOM_DOMAIN_USE_HTTPS=true
+JWT_SECRET=%5qCnXx%My^W6tXQCSz4
+ADMIN_EMAILS=akanealw@gmail.com
+MAIL_HOST=smtp.gmail.com
+MAIL_PORT=587
+MAIL_SECURE=false
+MAIL_requireTLS=true
+MAIL_USER=akanealw@gmail.com
+MAIL_FROM=akanealw@gmail.com
+MAIL_PASSWORD=bzslssyiffjqgdwm
+
+#OWNCLOUD
+OWNCLOUD_VERSION=10.11
+OWNCLOUD_DOMAIN=192.168.1.32:8092
+OWNCLOUD_TRUSTED_DOMAINS=192.168.1.32,owncloud.akanealw.com
+ADMIN_USERNAME=akanealw
+ADMIN_PASSWORD=pknFeqRqFc3RA5N6!rDL
+
+# COLLABORA CODE
+NEXTCLOUD_DOMAIN=owncloud.akanealw.com
+LO_ONLINE_USERNAME=akanealw
+LO_ONLINE_PASSWORD=rET7trWieaYVPCft*zLR
\ No newline at end of file
diff --git a/authelia.conf b/authelia.conf
new file mode 100644
index 0000000..37a181f
--- /dev/null
+++ b/authelia.conf
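Review bot: Live credentials are committed in plaintext in this hunk — `ADMIN_PASSWORD`, `JWT_SECRET`, `MAIL_PASSWORD` and `LO_ONLINE_PASSWORD` — so every one of them is now in git history and must be treated as exposed and rotated, with `.env` added to `.gitignore` and a `.env.example` holding only key names committed in its place. `ADMIN_USERNAME`/`ADMIN_PASSWORD` are also defined twice, once in the existing lines at the top of the hunk and again under `#OWNCLOUD`; which value wins depends on the dotenv loader, so the ownCloud pair should get distinct names, e.g. `OWNCLOUD_ADMIN_USERNAME=` / `OWNCLOUD_ADMIN_PASSWORD=`, with the `${ADMIN_USERNAME}`/`${ADMIN_PASSWORD}` references in docker-compose.yml updated to match. A short header comment such as `# Loaded by docker compose for variable substitution; never commit real values` would make the file's role clear to the next person who edits it.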
@@ -0,0 +1,33 @@
+location / {
+set $upstream_authelia http://192.168.1.30:9091;
+proxy_pass $upstream_authelia;
+client_body_buffer_size 128k;
+
+#Timeout if the real server is dead
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+
+# Advanced Proxy Config
+send_timeout 5m;
+proxy_read_timeout 360;
+proxy_send_timeout 360;
+proxy_connect_timeout 360;
+
+# Basic Proxy Config
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $http_host;
+proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_redirect http:// $scheme://;
+proxy_http_version 1.1;
+proxy_set_header Connection "";
+proxy_cache_bypass $cookie_session;
+proxy_no_cache $cookie_session;
+proxy_buffers 64 256k;
+
+# If behind reverse proxy, forwards the correct IP, assumes you're using Cloudflare. Adjust IP for your Docker network.
+set_real_ip_from 192.168.1.0/24;
+real_ip_recursive on;
+}
\ No newline at end of file
diff --git a/configuration.yml b/configuration.yml
new file mode 100644
index 0000000..b5a9dd2
--- /dev/null
+++ b/configuration.yml
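Review bot: `set_real_ip_from 192.168.1.0/24;` at the end of the block trusts the whole LAN for client-address rewriting, while the comment above it says the range is meant for Cloudflare; no `real_ip_header` is set, so nginx falls back to its default `X-Real-IP`, and any host in that /24 can present a forged source address to everything Authelia logs or decides per address. Narrow it to the address of the proxy that actually fronts this server and fix the comment, e.g. `# Trust only the upstream reverse proxy for X-Real-IP` / `set_real_ip_from <PROXY_IP>;`. The same directive and comment are repeated in protected_domain.conf. `X-Forwarded-Ssl on;` is hardcoded while `X-Forwarded-Proto` follows `$scheme`; if this location is ever reachable over plain HTTP the two headers disagree, so either derive both from `$scheme` or ensure the enclosing server block is TLS-only.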
@@ -0,0 +1,136 @@ +theme: dark +jwt_secret: 9DGPzQy8SZQ7rV57V3DJnw + +#default_redirection_url: https://www.google.com/ + +server: + host: 0.0.0.0 + port: 9091 + path: "" + read_buffer_size: 4096 + write_buffer_size: 4096 + enable_pprof: false + enable_expvars: false + disable_healthcheck: false + tls: + key: "" + certificate: "" + +log: + level: info + +totp: + disable: false + issuer: akanealw.com + algorithm: sha1 + digits: 6 + period: 30 + skew: 0 + secret_size: 32 + +authentication_backend: + disable_reset_password: true + refresh_interval: 5m + file: + path: /config/users_database.yml + password: + algorithm: argon2id + iterations: 1 + salt_length: 16 + parallelism: 8 + memory: 64 + +access_control: + default_policy: deny + rules: + # bypass rule + - domain: "auth.akanealw.com" + policy: bypass + - domain: "bitwarden.akanealw.com" + policy: bypass + - domain: "meshcentral.akanealw.com" + policy: bypass + - domain: "owncloud.akanealw.com" + policy: bypass + - domain: "overseerr.akanealw.com" + policy: bypass + - domain: "plex.akanealw.com" + policy: bypass + - domain: "tautulli.akanealw.com" + policy: bypass + + # two_factor rule + - domain: "akanealw.com" + policy: two_factor + - domain: "codeserver.akanealw.com" + policy: two_factor + - domain: "freshrss.akanealw.com" + policy: two_factor + - domain: "gitea.akanealw.com" + policy: two_factor + - domain: "jackett.akanealw.com" + policy: two_factor + - domain: "jdownloader.akanealw.com" + policy: two_factor + - domain: "kavita.akanealw.com" + policy: two_factor + - domain: "metube.akanealw.com" + policy: two_factor + - domain: "monitorr.akanealw.com" + policy: two_factor + - domain: "mstream.akanealw.com" + policy: two_factor + - domain: "nzbhydra.akanealw.com" + policy: two_factor + - domain: "portainer.akanealw.com" + policy: two_factor + - domain: "prowlarr.akanealw.com" + policy: two_factor + - domain: "qbittorrent.akanealw.com" + policy: two_factor + - domain: "radarr.akanealw.com" + policy: two_factor + 
- domain: "sabnzbd.akanealw.com" + policy: two_factor + - domain: "sonarr.akanealw.com" + policy: two_factor + - domain: "tdarr.akanealw.com" + policy: two_factor + - domain: "www.akanealw.com" + policy: two_factor + +session: + name: authelia_session + domain: akanealw.com + same_site: lax + secret: 8r9y4d8mY7NfQtpCe2oU + expiration: 1h + inactivity: 5m + remember_me_duration: 1w + +regulation: + max_retries: 3 + find_time: 10m + ban_time: 12h + +storage: + local: + path: /config/db.sqlite3 + encryption_key: iiB7C8Bn4A2gAhzs2fWaggUug76PZ4LU + +notifier: + disable_startup_check: true + smtp: + username: akanealw@gmail.com + password: qlvmffuzpscltdgz + host: smtp.gmail.com + port: 587 + sender: akanealw@gmail.com + identifier: proxyserver + subject: "[Authelia] {title}" + startup_check_address: akanealw@gmail.com + disable_require_tls: false + disable_html_emails: false + tls: + skip_verify: false + minimum_version: TLS1.2 diff --git a/docker-compose.yml b/docker-compose.yml index 25a7fcc..a149dfa 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,6 +1,7 @@ version: '3' services: +# dockerserver-01 jackett: container_name: jackett hostname: jackett 
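Review bot: `jwt_secret`, `session.secret`, `storage.local.encryption_key` and `notifier.smtp.password` are literal values in a committed configuration file; Authelia can load each from a file via `AUTHELIA_JWT_SECRET_FILE`, `AUTHELIA_SESSION_SECRET_FILE`, `AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE` and `AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE`, so move them there and rotate all four (the encryption key cannot simply be replaced once db.sqlite3 holds data encrypted under the old one — Authelia ships a storage encryption change-key command for that, which should be used rather than editing the value). The `bypass` rules for bitwarden, meshcentral, owncloud, overseerr, plex and tautulli put those hosts outside the SSO policy; a one-line comment per rule stating why would make the intent reviewable, e.g. `# bypass: app enforces its own login and native clients cannot complete the portal flow`. `disable_startup_check: true` under `notifier` hides a broken SMTP setup until the first 2FA-registration or reset email silently fails, so it is worth re-enabling once the credentials live in a secret file.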
@@ -192,5 +193,341 @@ services: - ./appdata/sonarr:/config - /mnt/data:/data +# dockerserver-02 + bitwarden: + container_name: bitwarden + hostname: bitwarden + image: vaultwarden/server:latest + environment: + - TZ=$TZ + - ADMIN_TOKEN=h/oRssGu83I1E1WQGiSchYMAJnM0JcDXmjeI/A3QgMCasn/IK9zZldH5FXim0rSi + - DATABASE_URL=data/db.sqlite3 + - DISABLE_ADMIN_TOKEN=false + - DOMAIN=https://bitwarden.akanealw.com + - ENABLE_DB_WAL=true + - INVITATIONS_ALLOWED=false + - SHOW_PASSWORD_HINT=false + - SIGNUPS_ALLOWED=false + - SIGNUPS_VERIFY=false + - SMTP_PORT=587 + - SMTP_SSL=true + ports: + - 8081:80/tcp + restart: always + volumes: + - ./appdata/vaultwarden:/data + - /etc/localtime:/etc/localtime:ro + + collabora: + container_name: collabora + hostname: collabora + image: collabora/code + environment: + domain: ${NEXTCLOUD_DOMAIN} + username: ${LO_ONLINE_USERNAME} + password: ${LO_ONLINE_PASSWORD} + cap_add: + - MKNOD + ports: + - "9980:9980" + restart: always + volumes: + - ./appdata/collabora/code:/etc/loolwsd + + freshrss: + container_name: freshrss + hostname: freshrss + image: freshrss/freshrss:latest + environment: + - PUID=$PUID + - PGID=$PGID + - CRON_MIN=*/20 + - TZ=$TZ + depends_on: + - freshrss-db + ports: + - 8082:80/tcp + restart: always + volumes: + - ./appdata/freshrss/data:/var/www/FreshRSS/data + - ./appdata/freshrss/extensions:/var/www/FreshRSS/extensions + - /etc/localtime:/etc/localtime:ro + + freshrss-db: + container_name: freshrss-db + hostname: freshrss-db + image: postgres:12-alpine + environment: + - PUID=$PUID + - PGID=$PGID + - POSTGRES_USER=freshrss + - POSTGRES_PASSWORD=freshrss + - POSTGRES_DB=freshrss + restart: always + volumes: + - ./appdata/freshrss/db/data:/var/lib/postgresql/data + - /etc/localtime:/etc/localtime:ro + + kavita: + container_name: kavita + hostname: kavita + image: kizaing/kavita:latest + ports: + - "5002:5000" + restart: always + volumes: + - /mnt/storage/ComicsAndManga:/comicsandmanga + - 
./appdata/kavita/config:/kavita/config + + kutt: + container_name: kutt + hostname: kutt + image: kutt/kutt:latest + environment: + DB_HOST: kutt-postgres + DB_NAME: kutt + DB_USER: kutt + DB_PASSWORD: kutt + REDIS_HOST: kutt-redis + env_file: + - /opt/docker/.env + command: ["./wait-for-it.sh", "kutt-postgres:5432", "--", "npm", "start"] + depends_on: + - kutt-postgres + - kutt-redis + ports: + - 3000:3000/tcp + restart: always + + kutt-redis: + container_name: kutt-redis + hostname: kutt-redis + image: redis:6.0-alpine + restart: always + volumes: + - ./appdata/kutt/redis_data:/data + + kutt-postgres: + container_name: kutt-postgres + hostname: kutt-postgres + image: postgres:12-alpine + environment: + - POSTGRES_USER=kutt + - POSTGRES_PASSWORD=kutt + - POSTGRES_DB=kutt + restart: always + volumes: + - ./appdata/kutt/postgres_data:/var/lib/postgresql/data + + meshcentral: + container_name: meshcentral + hostname: meshcentral + image: typhonragewind/meshcentral:latest + environment: + - HOSTNAME=meshcentral.akanealw.com + - REVERSE_PROXY=false + - IFRAME=true + - ALLOW_NEW_ACCOUNTS=false + - WEBRTC=true + ports: + - 443:443/tcp + - 80:80/tcp + restart: always + volumes: + - ./appdata/meshcentral/data:/opt/meshcentral/meshcentral-data + - ./appdata/meshcentral/user_files:/opt/meshcentral/meshcentral-files + + monitorr: + container_name: monitorr + hostname: monitorr + image: monitorr/monitorr:latest + environment: + - PGID=$PGID + - PUID=$PUID + - TZ=$TZ + ports: + - 8084:80/tcp + restart: always + volumes: + - /mnt/data:/HD:ro + - ./appdata/monitorr/app:/app + - ./appdata/monitorr/config:/config + - /etc/localtime:/etc/localtime:ro + + mstream: + image: lscr.io/linuxserver/mstream:latest + container_name: mstream + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + ports: + - 3001:3000 + restart: always + volumes: + - ./appdata/mstream:/config + - /mnt/storage/music:/music + + owncloud: + hostname: owncloud + image: owncloud/server:${OWNCLOUD_VERSION} + 
container_name: owncloud + restart: always + ports: + - 8092:8080 + depends_on: + - owncloud-mariadb + - owncloud-redis + environment: + - OWNCLOUD_DOMAIN=${OWNCLOUD_DOMAIN} + - OWNCLOUD_TRUSTED_DOMAINS=${OWNCLOUD_TRUSTED_DOMAINS} + - OWNCLOUD_DB_TYPE=mysql + - OWNCLOUD_DB_NAME=owncloud + - OWNCLOUD_DB_USERNAME=owncloud + - OWNCLOUD_DB_PASSWORD=owncloud + - OWNCLOUD_DB_HOST=owncloud-mariadb + - OWNCLOUD_ADMIN_USERNAME=${ADMIN_USERNAME} + - OWNCLOUD_ADMIN_PASSWORD=${ADMIN_PASSWORD} + - OWNCLOUD_MYSQL_UTF8MB4=true + - OWNCLOUD_REDIS_ENABLED=true + - OWNCLOUD_REDIS_HOST=owncloud-redis + healthcheck: + test: ["CMD", "/usr/bin/healthcheck"] + interval: 30s + timeout: 10s + retries: 5 + volumes: + - ./appdata/owncloud/files:/mnt/data + + owncloud-mariadb: + hostname: owncloud-mariadb + image: mariadb:10.6 + container_name: owncloud-mariadb + restart: always + environment: + - MYSQL_ROOT_PASSWORD=owncloud + - MYSQL_USER=owncloud + - MYSQL_PASSWORD=owncloud + - MYSQL_DATABASE=owncloud + command: ["--max-allowed-packet=128M", "--innodb-log-file-size=64M"] + healthcheck: + test: ["CMD", "mysqladmin", "ping", "-u", "root", "--password=owncloud"] + interval: 10s + timeout: 5s + retries: 5 + volumes: + - ./appdata/owncloud-mariadb/mysql:/var/lib/mysql + + owncloud-redis: + hostname: owncloud-redis + image: redis:6 + container_name: owncloud-redis + restart: always + command: ["--databases", "1"] + healthcheck: + test: ["CMD", "redis-cli", "ping"] + interval: 10s + timeout: 5s + retries: 5 + volumes: + - ./appdata/owncloud-redis:/data + + organizr: + container_name: organizr + hostname: organizr + image: organizr/organizr:latest + environment: + - PGID=$PGID + - PUID=$PUID + - FPM=false + ports: + - 8085:80/tcp + restart: always + volumes: + - ./appdata/organizr/config:/config + - /etc/localtime:/etc/localtime:ro + +# proxyserver + authelia: + container_name: authelia + hostname: authelia + image: authelia/authelia + environment: + - TZ=America/Chicago + ports: + - 9091:9091 + 
restart: always + volumes: + - ./appdata/authelia/config:/config + + gluetun: + container_name: gluetun + hostname: gluetun + image: qmcgaw/gluetun + environment: + - VPN_SERVICE_PROVIDER=mullvad + - VPN_TYPE=wireguard + - WIREGUARD_PRIVATE_KEY=aOlTmJ/KpTi0qZeed3rXNcRPPTIw0InAvf1gMV4EtXo= + - WIREGUARD_ADDRESSES=10.66.182.60/32 + - HTTPPROXY=on + - SERVER_CITIES=New York NY + - TZ=$TZ + cap_add: + - NET_ADMIN + devices: + - /dev/net/tun:/dev/net/tun + ports: + - 8888:8888/tcp # HTTP proxy + - 8388:8388/tcp # Shadowsocks + - 8388:8388/udp # Shadowsocks + restart: always + volumes: + - ./appdata/gluetun:/gluetun + + nginxproxymanager: + container_name: nginxproxymanager + hostname: nginxproxymanager + image: jc21/nginx-proxy-manager:latest + environment: + - X_FRAME_OPTIONS=sameorigin + - DB_SQLITE_FILE=/data/database.sqlite + ports: + - 8443:443/tcp + - 8080:80/tcp + - 8081:81/tcp + restart: always + volumes: + - ./appdata/nginxproxymanager/data:/data + - ./appdata/nginxproxymanager/letsencrypt:/etc/letsencrypt + - /etc/localtime:/etc/localtime:ro + + openvpn: + container_name: openvpn + hostname: openvpn + image: kylemanna/openvpn + cap_add: + - NET_ADMIN + ports: + - "1194:1194/tcp" + restart: always + volumes: + - ./appdata/openvpn/conf:/etc/openvpn + + openssh-server: + container_name: openssh-server + hostname: openssh-server + image: lscr.io/linuxserver/openssh-server:latest + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + - PUBLIC_KEY_FILE=/config/aknlw.com.pub + - USER_NAME=akanealw + ports: + - 2222:2222 + restart: always + volumes: + - ./appdata/openssh-server/config:/config + networks: default: \ No newline at end of file diff --git a/protected_domain.conf b/protected_domain.conf new file mode 100644 index 0000000..688385c --- /dev/null +++ b/protected_domain.conf 
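Review bot: `ADMIN_TOKEN` under bitwarden and `WIREGUARD_PRIVATE_KEY` under gluetun are literal long-lived secrets in the committed compose file, and the database credentials for freshrss-db, kutt-postgres and owncloud-mariadb (including `MYSQL_ROOT_PASSWORD`) are all just the service name; rotate the two keys and reference everything sensitive through `${...}` from a git-ignored env file the way the owncloud and collabora services already do. gluetun publishes its HTTP proxy (`8888:8888/tcp`) with `HTTPPROXY=on` and no `HTTPPROXY_USER`/`HTTPPROXY_PASSWORD`, so anything that can reach that host port gets an unauthenticated path through the VPN — set credentials or bind the mapping to a specific address, e.g. `127.0.0.1:8888:8888/tcp`. bitwarden and nginxproxymanager both publish host port 8081; the `# dockerserver-02` / `# proxyserver` comments suggest separate hosts, but nothing in a single compose file enforces that, so a comment per section stating the intended host (or a split into per-host files) would prevent a collision on `docker compose up`. Recent vaultwarden versions accept `ADMIN_TOKEN` as an argon2 PHC hash rather than the raw token, which would also take the plaintext value out of any file.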
@@ -0,0 +1,75 @@
+location /authelia {
+internal;
+set $upstream_authelia http://192.168.1.30:9091/api/verify;
+proxy_pass_request_body off;
+proxy_pass $upstream_authelia;
+proxy_set_header Content-Length "";
+
+# Timeout if the real server is dead
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+client_body_buffer_size 128k;
+proxy_set_header Host $host;
+proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $http_host;
+proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_redirect http:// $scheme://;
+proxy_http_version 1.1;
+proxy_set_header Connection "";
+proxy_cache_bypass $cookie_session;
+proxy_no_cache $cookie_session;
+proxy_buffers 4 32k;
+
+send_timeout 5m;
+proxy_read_timeout 240;
+proxy_send_timeout 240;
+proxy_connect_timeout 240;
+}
+
+location / {
+set $upstream_kavita $forward_scheme://$server:$port;
+proxy_pass $upstream_kavita;
+
+auth_request /authelia;
+auth_request_set $target_url https://$http_host$request_uri;
+auth_request_set $user $upstream_http_remote_user;
+auth_request_set $email $upstream_http_remote_email;
+auth_request_set $groups $upstream_http_remote_groups;
+proxy_set_header Remote-User $user;
+proxy_set_header Remote-Email $email;
+proxy_set_header Remote-Groups $groups;
+
+error_page 401 =302 https://auth.akanealw.com/?rd=$target_url;
+
+client_body_buffer_size 128k;
+
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+
+send_timeout 5m;
+proxy_read_timeout 360;
+proxy_send_timeout 360;
+proxy_connect_timeout 360;
+
+proxy_set_header Host $host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection upgrade;
+proxy_set_header Accept-Encoding gzip;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $http_host;
+proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_redirect http:// $scheme://;
+proxy_http_version 1.1;
+proxy_set_header Connection "";
+proxy_cache_bypass $cookie_session;
+proxy_no_cache $cookie_session;
+proxy_buffers 64 256k;
+
+set_real_ip_from 192.168.1.0/24;
+real_ip_recursive on;
+}
\ No newline at end of file
diff --git a/users_database.yml b/users_database.yml
new file mode 100644
index 0000000..35ed2b2
--- /dev/null
+++ b/users_database.yml
@@ -0,0 +1,8 @@
+users:
+ akanealw:
+ displayname: "akanealw"
+ password: "$argon2id$v=19$m=65536,t=1,p=8$ZWJ2UGVPUDE2SnU0YXNvNg$Q3LQfN90kPI5/3Yr06WmTUjFbvIBBZPJP44YLhysT0M"
+ email: akanealw@gmail.com
+ groups:
+ - admins
+
\ No newline at end of file
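Review bot: `location /` sets `proxy_set_header Connection upgrade;` and, a few lines later, `proxy_set_header Connection "";` in the same block, so which value reaches the upstream is not obvious from the config and the WebSocket upgrade the first line intends may never happen; keep a single directive fed by a `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in the http context and use `proxy_set_header Connection $connection_upgrade;`. The `/authelia` subrequest sends `X-Forwarded-For $remote_addr` while `location /` sends `$proxy_add_x_forwarded_for`, so behind a second proxy Authelia and the application see different address chains; pick one form for both. `set $upstream_kavita ...` hardcodes one service's name in a file named as a reusable `protected_domain.conf`; a neutral variable such as `$upstream_app` plus a header comment `# Generic Authelia-protected location; set the upstream per host` would stop the next include from inheriting a misleading name.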
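Review bot: The `password:` hash for `akanealw` is committed together with the account name, email and `admins` group membership, which makes it available for offline guessing even though it is not plaintext; keep users_database.yml out of version control and treat the current password as exposed. The hash parameters (`m=65536,t=1,p=8`) appear to line up with the `argon2id` settings in configuration.yml (`memory: 64`, `iterations: 1`, `parallelism: 8`), so the two files are at least consistent with each other — worth a comment in the file, e.g. `# Hash parameters must match authentication_backend.file.password in configuration.yml`.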