# Compose-style stack definition for the "infrastructure" project, written
# as a Nix module (project.name / services.<name>.service / docker-compose.*
# options, which look like the arion option set — confirm against the
# importing flake). Five containers share one pre-existing "dmz" network:
# Traefik (edge proxy), CrowdSec + its Traefik bouncer, Scrutiny (disk
# health) and Diun (image-update notifier).
#
# `pkgs` is not referenced anywhere in this body; presumably it is only
# part of the module signature expected by the loader.
{pkgs, ...}: {
  project.name = "infrastructure";

  # `external = true`: the network is not created by this stack, it must
  # already exist on the host.
  networks.dmz = {
    name = "dmz";
    external = true;
  };

  # Named volume shared between traefik (writer) and crowdsec (reader).
  docker-compose.volumes = {
    traefik-logs = null;
  };

  services = {
    traefik.service = {
      image = "traefik:3.1.4";
      container_name = "traefik";
      useHostStore = true;
      # 8421 on the host maps to container port 8080 — the same port the
      # dashboard router's loadbalancer label targets below, so the
      # dashboard/API is reachable both via the TLS router and directly on
      # :8421 without TLS. Whether :8080 actually serves anything depends on
      # the `api` section of traefik.yml, which is not in this file — confirm,
      # and if the plain port is only used on a trusted interface, bind it
      # to that address rather than all interfaces.
      ports = [
        "80:80"
        "81:81"
        "443:443"
        "444:444"
        "8421:8080"
      ];
      labels = {
        "traefik.enable" = "true";
        "diun.enable" = "true";

        # Dashboard router: TLS via the letsencrypt resolver with a wildcard
        # SAN. No `traefik.http.routers.dashboard.middlewares` label is
        # present, so no authentication is attached at this level; it may be
        # applied from the /conf dynamic config mounted below — verify that
        # before treating the dashboard as protected.
        "traefik.http.routers.dashboard.rule" = "Host(`traefik.ghoscht.com`)";
        "traefik.http.routers.dashboard.entrypoints" = "websecure";
        "traefik.http.services.dashboard.loadbalancer.server.port" = "8080";
        "traefik.http.routers.dashboard.tls" = "true";
        "traefik.http.routers.dashboard.tls.certresolver" = "letsencrypt";

        "traefik.http.routers.dashboard.tls.domains[0].main" = "ghoscht.com";
        "traefik.http.routers.dashboard.tls.domains[0].sans" = "*.ghoscht.com";

        # Middlewares declared here but not referenced by any router in this
        # file; presumably consumed by routers defined in other stacks via
        # the docker provider.
        "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme" = "https";
        "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto" = "https";
      };
      volumes = [
        # Static and dynamic config are read-only; acme.json must stay
        # writable because the resolver stores issued certificates in it.
        "/home/ghoscht/.docker/infrastructure/traefik_config/traefik.yml:/traefik.yml:ro"
        "/home/ghoscht/.docker/infrastructure/traefik_config/conf:/conf:ro"
        "/home/ghoscht/.docker/infrastructure/traefik_data/acme.json:/acme.json"
        # Docker socket for the docker provider. NOTE(review): `:ro` only
        # affects the filesystem entry; API calls over the socket are still
        # possible, so this grants broad control of the host's Docker
        # daemon to the container. A socket proxy that limits the API
        # surface is the usual mitigation if that is a concern.
        "/var/run/docker.sock:/var/run/docker.sock:ro"
        # Access logs, consumed read-only by crowdsec below.
        "traefik-logs:/var/log/traefik"
      ];
      # Secrets (e.g. resolver credentials) come from an env file outside
      # the repo rather than being inlined here.
      env_file = [
        "/home/ghoscht/.docker/infrastructure/traefik.env"
      ];
      restart = "always";
      networks = [
        "dmz"
      ];
    };

    crowdsec.service = {
      image = "crowdsecurity/crowdsec:v1.6.4";
      container_name = "crowdsec";
      environment = {
        GID = "1000";
        # Parsers/scenarios installed at startup; includes the appsec
        # collections, which only take effect if an appsec acquisition is
        # configured in acquis.yaml (not visible here).
        COLLECTIONS = "crowdsecurity/linux crowdsecurity/traefik firix/authentik LePresidente/gitea Dominic-Wagner/vaultwarden crowdsecurity/appsec-generic-rules crowdsecurity/appsec-virtual-patching";
      };
      volumes = [
        # The three single-file mounts sit inside the /etc/crowdsec/
        # directory mount further down; Docker applies nested mounts on top
        # of the parent, but confirm the files win over whatever the
        # crowdsec_data directory contains at those paths.
        "/home/ghoscht/.docker/infrastructure/crowdsec_config/acquis.yaml:/etc/crowdsec/acquis.yaml"
        "/home/ghoscht/.docker/infrastructure/crowdsec_config/profiles.yaml:/etc/crowdsec/profiles.yaml"
        "/home/ghoscht/.docker/infrastructure/crowdsec_config/ntfy.yaml:/etc/crowdsec/notifications/ntfy.yaml"
        "/home/ghoscht/.docker/infrastructure/crowdsec_db:/var/lib/crowdsec/data/"
        "/home/ghoscht/.docker/infrastructure/crowdsec_data:/etc/crowdsec/"
        # Traefik's access logs, read-only; the log path must match what
        # acquis.yaml points at.
        "traefik-logs:/var/log/traefik/:ro"
        # Same caveat as for traefik: `:ro` does not restrict the Docker API.
        "/var/run/docker.sock:/var/run/docker.sock:ro"
      ];
      labels = {
        "diun.enable" = "true";
        # Only notify on tags shaped like vX.Y.Z. The doubled `$$` is
        # presumably the compose escape for a literal `$` in the generated
        # YAML — confirm in the rendered file.
        "diun.include_tags" = "^v\\d+\\.\\d+\\.\\d+$$";
      };
      depends_on = [
        "traefik"
      ];
      networks = [
        "dmz"
      ];
      restart = "always";
    };

    bouncer-traefik.service = {
      image = "fbonalair/traefik-crowdsec-bouncer:0.5.0";
      environment = {
        # LAPI is reached over plain HTTP on the shared dmz network; this
        # container is not routed by traefik and exposes no host ports.
        CROWDSEC_AGENT_HOST = "crowdsec:8080";
      };
      # The bouncer API key is expected to live in this env file, not here.
      env_file = [
        "/home/ghoscht/.docker/infrastructure/traefik-bouncer.env"
      ];
      depends_on = [
        "crowdsec"
      ];
      networks = [
        "dmz"
      ];
      restart = "always";
    };

    scrutiny.service = {
      image = "ghcr.io/analogj/scrutiny:v0.8.0-omnibus";
      container_name = "scrutiny";
      restart = "always";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.scrutiny.entrypoints" = "websecure";
        # As with the dashboard router, no middlewares label is attached
        # here; any auth in front of scrutiny would have to come from the
        # /conf dynamic config.
        "traefik.http.routers.scrutiny.rule" = "Host(`scrutiny.ghoscht.com`)";
        "traefik.http.services.scrutiny.loadbalancer.server.port" = "8080";
        "traefik.http.routers.scrutiny.tls" = "true";
        "traefik.http.routers.scrutiny.tls.certresolver" = "letsencrypt";
      };
      # Raw device access for SMART queries. SYS_ADMIN is a very broad
      # capability (well beyond NVMe ioctls); combined with the device
      # list below it makes this container's isolation from the host
      # weak, so keep it off any externally reachable path without auth.
      capabilities = {
        SYS_RAWIO = true;
        SYS_ADMIN = true; #enables nvme support
      };
      volumes = [
        "/run/udev:/run/udev:ro"
        "/home/ghoscht/.docker/infrastructure/scrutiny_data:/opt/scrutiny/config"
        "/home/ghoscht/.docker/infrastructure/scrutiny_influxdb_data:/opt/scrutiny/influxdb"
      ];
      # Hard-coded device nodes: adding or re-lettering a disk on the host
      # requires editing this list.
      devices = [
        "/dev/nvme0"
        "/dev/sda"
        "/dev/sdb"
        "/dev/sdc"
        "/dev/sdd"
        "/dev/sde"
        "/dev/sdf"
      ];
      networks = [
        "dmz"
      ];
    };

    diun.service = {
      image = "crazymax/diun:4.28";
      container_name = "diun";
      restart = "always";
      volumes = [
        "/home/ghoscht/.docker/infrastructure/diun_data:/data"
        # Unlike the traefik and crowdsec mounts above this one is not
        # marked `:ro`; diun only needs to read container metadata, so
        # `:ro` would be consistent (with the same caveat that it does not
        # limit the Docker API itself).
        "/var/run/docker.sock:/var/run/docker.sock"
      ];
      environment = {
        TZ = "Europe/Berlin";
        LOG_LEVEL = "info";
        # Only when setting workers=1 can tag sorting actually be observed.
        DIUN_WATCH_WORKERS = "20";
        DIUN_WATCH_SCHEDULE = "0 */6 * * *";
        DIUN_WATCH_JITTER = "30s";
        DIUN_WATCH_RUNONSTARTUP = "true";
        DIUN_PROVIDERS_DOCKER = "true";

        # Per-image defaults: semver-sorted, only X.Y.Z tags (same `$$`
        # escape as the crowdsec label), watch the whole repo, report the
        # single newest tag, notify on new tags only.
        DIUN_DEFAULTS_SORTTAGS = "semver";
        DIUN_DEFAULTS_INCLUDETAGS = "^\\d+\\.\\d+\\.\\d+$$";
        DIUN_DEFAULTS_WATCHREPO = "true";
        # Written as a Nix integer while every other value here is a
        # string; the module type evidently accepts it, but "1" would be
        # consistent with the rest of the block.
        DIUN_DEFAULTS_MAXTAGS = 1;
        DIUN_DEFAULTS_NOTIFYON = "new";

        # Notifications go to an `ntfy` host resolved on the dmz network over
        # plain HTTP; the ntfy service itself is not defined in this file.
        DIUN_NOTIF_NTFY_ENDPOINT = "http://ntfy";
        DIUN_NOTIF_NTFY_TOPIC = "docker-updates";
      };
      env_file = [
        "/home/ghoscht/.docker/infrastructure/diun.env"
      ];
      networks = [
        "dmz"
      ];
    };
  };
}