crappyrules
/
mistborn
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Mistborn is your own virtual private cloud platform and WebUI that manages self hosted services, and secures them with firewall, Wireguard VPN w/ PiHole-DNSCrypt, and IP filtering. Optional SIEM+IDS. Supports 2FA, Nextcloud, Jitsi, Home Assistant, +
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
203 Commits
15 Branches
0 Tags
962 KiB
 
 
Tree: 92ba477fc9
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '92ba477fc9'
${ noResults }
mistborn/base.yml

258 lines
8.3 KiB
Raw Blame History

version: '3'
volumes:
production_postgres_data: {}
production_postgres_data_backups: {}
production_traefik: {}
services:
django:
image: "cyber5k/mistborn:${MISTBORN_TAG}"
container_name: mistborn_production_django
depends_on:
- postgres
- redis
ports:
- "${MISTBORN_DNS_BIND_IP}:5000:5000/tcp" # auth access
labels:
- "traefik.enable=true"
- "traefik.http.routers.django-http.rule=Host(`home.mistborn`)"
- "traefik.http.routers.django-http.entrypoints=web"
- "traefik.http.routers.django-http.middlewares=mistborn_headers@file"
- "traefik.http.routers.django-https.rule=Host(`home.mistborn`)"
- "traefik.http.routers.django-https.entrypoints=websecure"
- "traefik.http.routers.django-https.middlewares=mistborn_headers@file"
- "traefik.http.routers.django-https.tls.certresolver=basic"
- "traefik.http.services.django-service.loadbalancer.server.port=5000"
env_file:
- ./.envs/.production/.django
- ./.envs/.production/.postgres
volumes:
- ../mistborn_volumes/base/media:/mistborn-media
- ../mistborn_volumes/base/private_media:/mistborn-private-media
command: /start
restart: unless-stopped
postgres:
build:
context: .
dockerfile: ./compose/production/postgres/Dockerfile
image: mistborn_production_postgres
container_name: mistborn_production_postgres
volumes:
- production_postgres_data:/var/lib/postgresql/data
- production_postgres_data_backups:/backups
env_file:
- ./.envs/.production/.postgres
restart: unless-stopped
traefik:
#build:
# context: .
# dockerfile: ./compose/production/traefik/Dockerfile
#image: mistborn_production_traefik
image: traefik:v2.4.9
container_name: mistborn_production_traefik
depends_on:
- django
- redis
volumes:
#- production_traefik:/etc/traefik/acme
- ./compose/production/traefik/dynamic.toml:/dynamic.toml:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ../mistborn_volumes/base/tls:/tls:ro
network_mode: host
#ports:
# - "0.0.0.0:80:80/tcp"
# - "0.0.0.0:443:443/tcp"
# #- "0.0.0.0:8080:8080/tcp" # dashboard
command:
## API settings
#- --api.insecure=true
#- --api.dashboard=true
#- --api.debug=true
## Logs
- --log.level=ERROR
## Providers
- --providers.docker=true
- --providers.docker.exposedbydefault=false
- --providers.file.filename=/dynamic.toml
#- --providers.docker.network=default
## Entrypoints
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
## Certificates
#- --serversTransport.insecureSkipVerify=true
restart: unless-stopped
portal:
build:
context: ./compose/production/portal/
dockerfile: Dockerfile
image: mistborn_production_portal
container_name: mistborn_production_portal
ports:
- "${MISTBORN_DNS_BIND_IP}:5001:80"
environment:
- SERVER_REDIRECT=home.mistborn
# optionally define path to redirect all requests
# if not set nginx var $request_uri is used
- SERVER_REDIRECT_PATH=/
# optionally define schema to redirect all requests
# if not set but X-Forwarded-Proto is send as request header with value 'https' this will be used.
# In all other cases nginx var `$scheme` is used
#- SERVER_REDIRECT_SCHEME=https
# optionally define the http code to use for redirection
# allowed Codes are: 301, 302, 303, 307, 308, default is 301
#- SERVER_REDIRECT_CODE=301
# optionally define the http code to redirect POST requests
# if not set or not in allowed Codes, SERVER_REDIRECT_CODE will be used
#- SERVER_REDIRECT_POST_CODE=
# optionally define the http code to redirect PUT, PATCH and DELETE requests
# if not set or not in allowed Codes, SERVER_REDIRECT_CODE will be used
#- SERVER_REDIRECT_PUT_PATCH_DELETE_CODE=
# optionally define the location for the nginx access log
# if not set /dev/stdout is used
#- SERVER_ACCESS_LOG=/dev/null
# optionally define the location for the nginx error log
# if not set /dev/stderr is used
#- SERVER_ERROR_LOG=/dev/null
restart: unless-stopped
redis:
image: redis:6.2-alpine
container_name: mistborn_production_redis
restart: unless-stopped
celeryworker:
image: "cyber5k/mistborn:${MISTBORN_TAG}"
container_name: mistborn_production_celeryworker
volumes:
- /home/mistborn/.ssh:/ssh
- ../mistborn_volumes/base/media:/mistborn-media
- ../mistborn_volumes/base/private_media:/mistborn-private-media
env_file:
- ./.envs/.production/.django
- ./.envs/.production/.postgres
- ./.envs/.production/.pihole
networks:
default:
dns_net:
ipv4_address: 10.2.1.3
dns:
- 10.2.1.2
depends_on:
- traefik
- pihole
command: /start-celeryworker
restart: unless-stopped
celeryworker-low-priority:
image: "cyber5k/mistborn:${MISTBORN_TAG}"
container_name: mistborn_production_celeryworker_low_priority
volumes:
- /home/mistborn/.ssh:/ssh
- ../mistborn_volumes/base/media:/mistborn-media
- ../mistborn_volumes/base/private_media:/mistborn-private-media
env_file:
- ./.envs/.production/.django
- ./.envs/.production/.postgres
- ./.envs/.production/.pihole
networks:
default:
dns_net:
ipv4_address: 10.2.1.4
dns:
- 10.2.1.2
depends_on:
- traefik
- pihole
command: /start-celeryworker-low-priority
restart: unless-stopped
celerybeat:
image: "cyber5k/mistborn:${MISTBORN_TAG}"
container_name: mistborn_production_celerybeat
env_file:
- ./.envs/.production/.django
- ./.envs/.production/.postgres
command: /start-celerybeat
restart: unless-stopped
# flower:
# image: "cyber5k/mistborn:${MISTBORN_TAG}"
# container_name: mistborn_production_flower
# env_file:
# - ./.envs/.production/.django
# - ./.envs/.production/.postgres
# ports:
# - "5555:5555/tcp"
# command: /start-flower
# restart: unless-stopped
pihole:
container_name: mistborn_production_pihole
image: pihole/pihole:v5.8
env_file:
- ./.envs/.production/.pihole
ports:
- "${MISTBORN_DNS_BIND_IP}:53:53/tcp"
- "${MISTBORN_DNS_BIND_IP}:53:53/udp"
labels:
- "traefik.enable=true"
- "traefik.http.routers.pihole-http.rule=Host(`pihole.mistborn`)"
- "traefik.http.routers.pihole-http.entrypoints=web"
- "traefik.http.routers.pihole-http.middlewares=mistborn_auth@file,add-pihole-admin"
- "traefik.http.routers.pihole-https.rule=Host(`pihole.mistborn`)"
- "traefik.http.routers.pihole-https.entrypoints=websecure"
- "traefik.http.routers.pihole-https.middlewares=mistborn_auth@file,add-pihole-admin"
- "traefik.http.routers.pihole-https.tls.certresolver=basic"
- "traefik.http.middlewares.add-pihole-admin.addPrefix.prefix=/admin"
- "traefik.http.services.pihole-service.loadbalancer.server.port=80"
environment:
- ServerIP=10.2.0.3
- PIHOLE_DNS_=10.2.0.2#5054
#- DNS1='10.2.0.2#5054' # docs say port 5054, was 54; use network_mode: host to see which port is used
#- DNS2=''
- IPv6='false'
- DNSMASQ_LISTENING=all
# TZ: 'America/New York'
# Volumes store your data between container upgrades
volumes:
- ../mistborn_volumes/base/pihole/etc-pihole:/etc/pihole/
- ../mistborn_volumes/base/pihole/etc-dnsmasqd:/etc/dnsmasq.d/
dns:
- 127.0.0.1
networks:
default:
pihole_net:
ipv4_address: 10.2.0.3
dns_net:
ipv4_address: 10.2.1.2
restart: unless-stopped
dnscrypt-proxy:
container_name: mistborn_production_dnscrypt_proxy
image: cyber5k/dnscrypt-proxy:latest
environment:
- DNSCRYPT_LISTEN_PORT=5054
# resolvers: https://download.dnscrypt.info/dnscrypt-resolvers/v2/public-resolvers.md
#- DNSCRYPT_SERVER_NAMES=['scaleway-fr','google','yandex','cloudflare']
- DNSCRYPT_SERVER_NAMES=['cloudflare']
networks:
pihole_net:
ipv4_address: 10.2.0.2
restart: unless-stopped
networks:
pihole_net:
driver: bridge
ipam:
config:
- subnet: 10.2.0.0/29
dns_net:
driver: bridge
ipam:
config:
- subnet: 10.2.1.0/24