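# Arion/compose-in-Nix definition of the "infrastructure" project: the Traefik
# edge proxy, CrowdSec + its Traefik bouncer, Scrutiny (S.M.A.R.T. monitoring)
# and Diun (image-update notifier). All services share the external `dmz`
# network; Traefik reads the shared `traefik-logs` volume that CrowdSec parses.
#
# Review notes (things this file does not show, verify on the host):
#  - Every container that receives /var/run/docker.sock is effectively root on
#    the host. A `:ro` bind only makes the socket *file* read-only; the Docker
#    API behind it is still fully writable. If least privilege matters here,
#    front the socket with a filtering proxy instead of relying on `:ro`.
#  - Secrets live in the env_file paths under /home/ghoscht/.docker; keep them
#    out of version control and mode 0600.
{pkgs, ...}: {
  project.name = "infrastructure";

  # Pre-existing network; arion will not create it.
  networks.dmz = {
    name = "dmz";
    external = true;
  };

  # Named volume so CrowdSec can tail Traefik's access log (see both services).
  docker-compose.volumes = { traefik-logs = null; };

  services = {
    traefik.service = {
      image = "traefik:v3.1.4";
      container_name = "traefik";
      useHostStore = true;
      # 8421 -> 8080 publishes the Traefik API/dashboard over plain HTTP on
      # every host interface, bypassing the TLS router below and any
      # middleware. If it is only consumed locally, prefer
      # "127.0.0.1:8421:8080"; otherwise confirm it is firewalled.
      ports = [ "80:80" "81:81" "443:443" "444:444" "8421:8080" ];
      labels = {
        "traefik.enable" = "true";
        # Dashboard router: no auth middleware is attached in this file, so the
        # dashboard is reachable by anyone who can resolve the host name unless
        # auth is enforced in the static config (traefik.yml) — confirm.
        "traefik.http.routers.dashboard.rule" = "Host(`traefik.ghoscht.com`)";
        "traefik.http.routers.dashboard.entrypoints" = "websecure";
        # Routing to :8080 presumes the API is enabled in insecure mode in the
        # static config; that is what also backs the 8421 host port above.
        "traefik.http.services.dashboard.loadbalancer.server.port" = "8080";
        "traefik.http.routers.dashboard.tls" = "true";
        "traefik.http.routers.dashboard.tls.certresolver" = "letsencrypt";
        # Wildcard SAN requires a DNS-01 challenge; the resolver's provider
        # credentials are expected to come from traefik.env.
        "traefik.http.routers.dashboard.tls.domains[0].main" = "ghoscht.com";
        "traefik.http.routers.dashboard.tls.domains[0].sans" = "*.ghoscht.com";
        # Middlewares are only *declared* here; nothing in this file attaches
        # them to a router. They are presumably referenced from traefik.yml or
        # other projects' labels.
        "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme" = "https";
        "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto" = "https";
        # Diun: only notify on new stable `vX.Y.Z` tags. `$$` is compose's
        # escape for a literal `$` (arion's output goes through compose
        # interpolation), so the regex Diun sees ends in `$`.
        "diun.enable" = "true";
        "diun.watch_repo" = "true";
        "diun.sort_tags" = "semver";
        "diun.include_tags" = "^v\\d+\\.\\d+\\.\\d+$$";
      };
      volumes = [
        "/home/ghoscht/.docker/infrastructure/traefik_config/traefik.yml:/traefik.yml:ro"
        "/home/ghoscht/.docker/infrastructure/traefik_config/conf:/conf:ro"
        # acme.json holds the Let's Encrypt account key and every issued
        # private key; it must be writable by Traefik and 0600 on the host.
        "/storage/dataset/docker/infrastructure/traefik_data/acme.json:/acme.json"
        # Needed for the Docker provider (label discovery). See header note:
        # `:ro` does not restrict the API.
        "/var/run/docker.sock:/var/run/docker.sock:ro"
        "traefik-logs:/var/log/traefik"
      ];
      env_file = [ "/home/ghoscht/.docker/infrastructure/traefik.env" ];
      restart = "always";
      networks = [ "dmz" ];
    };

    crowdsec.service = {
      image = "crowdsecurity/crowdsec:v1.6.3";
      container_name = "crowdsec";
      environment = {
        GID = "1000";
        # Parsers/scenarios for the services whose logs are acquired in
        # acquis.yaml. The non-crowdsecurity collections are third-party hub
        # content; pin/review them like any other dependency.
        COLLECTIONS = "crowdsecurity/linux crowdsecurity/traefik firix/authentik LePresidente/gitea Dominic-Wagner/vaultwarden";
      };
      volumes = [
        # The three single-file mounts sit *inside* the /etc/crowdsec/ mount
        # below; Docker resolves the more specific path, so they win. Kept as
        # in the original, but worth collapsing into crowdsec_data eventually.
        "/storage/dataset/docker/infrastructure/crowdsec_config/acquis.yaml:/etc/crowdsec/acquis.yaml"
        "/storage/dataset/docker/infrastructure/crowdsec_config/profiles.yaml:/etc/crowdsec/profiles.yaml"
        # ntfy.yaml presumably carries the notification token — treat as secret.
        "/storage/dataset/docker/infrastructure/crowdsec_config/ntfy.yaml:/etc/crowdsec/notifications/ntfy.yaml"
        "/storage/dataset/docker/infrastructure/crowdsec_db:/var/lib/crowdsec/data/"
        "/storage/dataset/docker/infrastructure/crowdsec_data:/etc/crowdsec/"
        # Traefik access log, read-only: this is the input for the traefik
        # collection's parsers.
        "traefik-logs:/var/log/traefik/:ro"
        # Docker socket for the docker log acquisition source; same caveat as
        # in the header note.
        "/var/run/docker.sock:/var/run/docker.sock:ro"
      ];
      labels = {
        "diun.enable" = "true";
        "diun.watch_repo" = "true";
        "diun.sort_tags" = "semver";
        "diun.include_tags" = "^v\\d+\\.\\d+\\.\\d+$$";
      };
      depends_on = [ "traefik" ];
      networks = [ "dmz" ];
      restart = "always";
    };

    bouncer-traefik.service = {
      image = "fbonalair/traefik-crowdsec-bouncer:0.5.0";
      # Talks to the CrowdSec LAPI over the dmz network; the LAPI is thereby
      # reachable by every container on dmz, gated only by bouncer API keys.
      environment = { CROWDSEC_AGENT_HOST = "crowdsec:8080"; };
      # Expected to supply the bouncer API key (CROWDSEC_BOUNCER_API_KEY).
      env_file = [ "/home/ghoscht/.docker/infrastructure/traefik-bouncer.env" ];
      depends_on = [ "crowdsec" ];
      networks = [ "dmz" ];
      restart = "always";
    };

    scrutiny.service = {
      image = "ghcr.io/analogj/scrutiny:v0.8.0-omnibus";
      container_name = "scrutiny";
      restart = "always";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.scrutiny.entrypoints" = "websecure";
        # As with the dashboard, no auth middleware is attached here. Scrutiny
        # is believed not to ship its own login — confirm, and if so put an
        # auth middleware in front before exposing it on a public host name.
        "traefik.http.routers.scrutiny.rule" = "Host(`scrutiny.ghoscht.com`)";
        "traefik.http.services.scrutiny.loadbalancer.server.port" = "8080";
        "traefik.http.routers.scrutiny.tls" = "true";
        "traefik.http.routers.scrutiny.tls.certresolver" = "letsencrypt";
      };
      # SYS_RAWIO is what smartctl needs for SATA; SYS_ADMIN was added for NVMe
      # (original comment). SYS_ADMIN is close to full root — combined with the
      # raw block devices below, a compromise of this web-exposed container is
      # a compromise of every disk on the host. Re-test periodically whether a
      # newer image still needs it.
      capabilities = {
        SYS_RAWIO = true;
        SYS_ADMIN = true; # enables nvme support
      };
      volumes = [
        "/run/udev:/run/udev:ro"
        "/storage/dataset/docker/infrastructure/scrutiny_data:/opt/scrutiny/config"
        "/storage/dataset/docker/infrastructure/scrutiny_influxdb_data:/opt/scrutiny/influxdb"
      ];
      # Whole-disk device nodes; these are read/write inside the container.
      devices = [ "/dev/nvme0" "/dev/sda" "/dev/sdb" "/dev/sdc" "/dev/sdd" "/dev/sde" "/dev/sdf" ];
      networks = [ "dmz" ];
    };

    diun.service = {
      image = "crazymax/diun:4.28";
      container_name = "diun";
      restart = "always";
      command = "serve";
      volumes = [
        "/storage/dataset/docker/infrastructure/diun_data:/data"
        # Diun only lists/inspects containers; mounted `:ro` like the other
        # socket consumers in this file. Same header caveat applies.
        "/var/run/docker.sock:/var/run/docker.sock:ro"
      ];
      environment = {
        TZ = "Europe/Berlin";
        LOG_LEVEL = "info";
        # Original note: tag sorting is only observable with workers=1.
        DIUN_WATCH_WORKERS = "20";
        DIUN_WATCH_SCHEDULE = "0 */6 * * *";
        DIUN_WATCH_JITTER = "30s";
        DIUN_WATCH_RUNONSTARTUP = "true";
        DIUN_PROVIDERS_DOCKER = "true";
        DIUN_DEFAULTS_MAXTAGS = 1;
        DIUN_DEFAULTS_NOTIFYON = "new";
        # Plain HTTP to the ntfy container over the dmz network; any ntfy
        # token in diun.env crosses that network unencrypted, acceptable only
        # if ntfy runs on the same host.
        DIUN_NOTIF_NTFY_ENDPOINT = "http://ntfy";
        DIUN_NOTIF_NTFY_TOPIC = "docker-updates";
      };
      env_file = [ "/home/ghoscht/.docker/infrastructure/diun.env" ];
      networks = [ "dmz" ];
    };
  };
}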