Complex example using autoconf (#271)
* Add bunkerweb docker-compose * Add authelia docker-compose * Add radarr/sonarr/prowlarr/transmission docker-compose * Add jellyfin docker-compose * Add nextcloud docker-compose * Add heimdall docker-compose * Move brawdunoir homelab example to the community subfolder of examples Co-authored-by: bunkerity <contact@bunkerity.com>
This commit is contained in:
parent
7860aeab94
commit
5af2fb7783
@ -0,0 +1,4 @@
|
|||
PUID=1000
|
||||
PGID=1000
|
||||
UMASK=002
|
||||
TZ=Europe/Paris
|
|
@ -0,0 +1,161 @@
|
|||
# yamllint disable rule:comments-indentation
|
||||
---
|
||||
theme: auto
|
||||
|
||||
jwt_secret: changeme
|
||||
|
||||
default_redirection_url: https://example.com
|
||||
|
||||
##
|
||||
## Server Configuration
|
||||
##
|
||||
server:
|
||||
host: 0.0.0.0
|
||||
port: 9091
|
||||
|
||||
##
|
||||
## Log Configuration
|
||||
##
|
||||
log:
|
||||
## Level of verbosity for logs: info, debug, trace.
|
||||
level: debug
|
||||
|
||||
##
|
||||
## TOTP Configuration
|
||||
##
|
||||
## Parameters used for TOTP generation.
|
||||
totp:
|
||||
disable: false
|
||||
issuer: authelia.com
|
||||
algorithm: sha1
|
||||
digits: 6
|
||||
period: 30
|
||||
skew: 1
|
||||
secret_size: 32
|
||||
|
||||
##
|
||||
## WebAuthn Configuration
|
||||
##
|
||||
## Parameters used for WebAuthn.
|
||||
webauthn:
|
||||
disable: false
|
||||
timeout: 60s
|
||||
display_name: Authelia
|
||||
attestation_conveyance_preference: indirect
|
||||
user_verification: preferred
|
||||
|
||||
##
|
||||
## NTP Configuration
|
||||
##
|
||||
## This is used to validate the servers time is accurate enough to validate TOTP.
|
||||
ntp:
|
||||
address: "time.cloudflare.com:123"
|
||||
version: 4
|
||||
max_desync: 3s
|
||||
disable_startup_check: false
|
||||
disable_failure: false
|
||||
|
||||
##
|
||||
## Authentication Backend Provider Configuration
|
||||
##
|
||||
## Used for verifying user passwords and retrieve information such as email address and groups users belong to.
|
||||
##
|
||||
## The available providers are: `file`, `ldap`. You must use only one of these providers.
|
||||
authentication_backend:
|
||||
## Password Reset Options.
|
||||
password_reset:
|
||||
disable: true
|
||||
refresh_interval: disable
|
||||
|
||||
file:
|
||||
path: /config/users_database.yml
|
||||
|
||||
##
|
||||
## Password Policy Configuration.
|
||||
##
|
||||
password_policy:
|
||||
standard:
|
||||
enabled: false
|
||||
min_length: 12
|
||||
max_length: 0
|
||||
require_uppercase: true
|
||||
require_lowercase: true
|
||||
require_number: true
|
||||
require_special: true
|
||||
zxcvbn:
|
||||
enabled: true
|
||||
min_score: 3
|
||||
|
||||
##
|
||||
## Access Control Configuration
|
||||
##
|
||||
## Access control is a list of rules defining the authorizations applied for one resource to users or group of users.
|
||||
access_control:
|
||||
default_policy: deny
|
||||
networks:
|
||||
- name: internal
|
||||
networks:
|
||||
- 10.20.30.0/24
|
||||
- 192.168.1.0/24
|
||||
rules:
|
||||
- domain: "example.com"
|
||||
networks:
|
||||
- internal
|
||||
policy: bypass
|
||||
- domain: "*.example.com"
|
||||
networks:
|
||||
- internal
|
||||
policy: bypass
|
||||
- domain: "radarr.example.com"
|
||||
subject: "group:admins"
|
||||
policy: one_factor
|
||||
- domain: "sonarr.example.com"
|
||||
subject: "group:admins"
|
||||
policy: one_factor
|
||||
- domain: "prowlarr.example.com"
|
||||
subject: "group:admins"
|
||||
policy: one_factor
|
||||
- domain: "transmission.example.com"
|
||||
subject: "group:admins"
|
||||
policy: one_factor
|
||||
- domain: "example.com"
|
||||
policy: one_factor
|
||||
|
||||
##
|
||||
## Session Provider Configuration
|
||||
##
|
||||
## The session cookies identify the user once logged in.
|
||||
## The available providers are: `memory`, `redis`. Memory is the provider unless redis is defined.
|
||||
session:
|
||||
name: authelia_session
|
||||
domain: example.com
|
||||
same_site: lax
|
||||
secret: insecure_session_secret
|
||||
expiration: 1h
|
||||
inactivity: 1h
|
||||
remember_me_duration: 1M
|
||||
|
||||
##
|
||||
## Regulation Configuration
|
||||
##
|
||||
## This mechanism prevents attackers from brute forcing the first factor. It bans the user if too many attempts are made
|
||||
## in a short period of time.
|
||||
regulation:
|
||||
max_retries: 5
|
||||
find_time: 2m
|
||||
ban_time: 1d
|
||||
|
||||
storage:
|
||||
encryption_key: 8EUfpC7aWuxoJVmmHsAonoAQt38Hxq3H3rYWjNMUdSpMVz6Y6jGzFCrtrFHqBYnUHZN4JF
|
||||
local:
|
||||
path: /config/db.sqlite3
|
||||
|
||||
##
|
||||
## Notification Provider
|
||||
##
|
||||
## Notifications are sent to users when they require a password reset, a Webauthn registration or a TOTP registration.
|
||||
## The available providers are: filesystem, smtp. You must use only one of these providers.
|
||||
notifier:
|
||||
disable_startup_check: true
|
||||
filesystem:
|
||||
filename: /config/notification.txt
|
|
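Review bot: Three secrets are committed as literal values — `jwt_secret: changeme`, `session.secret: insecure_session_secret` and a fixed `storage.encryption_key` — so any deployment that copies this example unchanged runs with publicly known keys, and the encryption key in particular should be treated as burned now that it sits in the repository. Authelia can read each of these from a file (e.g. `AUTHELIA_JWT_SECRET_FILE`) or a Docker secret, which keeps them out of this file; at minimum replace the values with placeholders and put `## Replace before deployment: generate a fresh random value for each install.` above each one. `level: debug` is also an unfriendly default for an example, since it records far more request detail than `info` and that ends up in container logs. `*.example.com` with `policy: bypass` for the `internal` networks means hosts on `192.168.1.0/24` and `10.20.30.0/24` reach every protected service without authentication — the second range is the `bw-autoconf` management subnet from the bunkerweb compose file in this commit, which looks copied by accident rather than being a LAN, so drop it or state in a comment why it belongs there.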
@ -0,0 +1,8 @@
|
|||
users:
|
||||
John:
|
||||
displayname: "John Doe"
|
||||
# password is "whynot123"
|
||||
password: "$argon2id$v=19$m=65536,t=3,p=4$ZjVaWjlOQ2tZOCttdTArZQ$3fpj/Mc1XQgX17NuDcS0BKVXXVfMEIZ7knf2yT+L77M"
|
||||
email: john.doe@example.com
|
||||
groups:
|
||||
- admins
|
|
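Review bot: The example ships a ready-made `admins` account whose clear-text password is given in the comment (`# password is "whynot123"`), and `admins` is exactly the group the access-control rules grant `one_factor` access to radarr, sonarr, prowlarr and transmission, so an unchanged copy of this file puts every protected service behind a known credential. The file should say this about itself, e.g. `# Example account only: generate your own hash with the authelia CLI and remove this user before exposing the stack.`, and the password value is better left out of the comment entirely. With `password_reset.disable: true` in configuration.yml there is no self-service path to change it, so replacing the hash before first start is the only remedy.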
@ -0,0 +1,30 @@
|
|||
version: '3.5'
|
||||
|
||||
services:
|
||||
authelia:
|
||||
image: authelia/authelia
|
||||
container_name: authelia
|
||||
restart: unless-stopped
|
||||
healthcheck:
|
||||
disable: true
|
||||
environment:
|
||||
- PUID=${PUID}
|
||||
- PGID=${PGID}
|
||||
- UMASK=${UMASK}
|
||||
- TZ=${TZ}
|
||||
networks:
|
||||
bw-services:
|
||||
aliases:
|
||||
- authelia
|
||||
volumes:
|
||||
- ./config:/config
|
||||
labels:
|
||||
- "bunkerweb.USE_REVERSE_PROXY=yes"
|
||||
- "bunkerweb.SERVER_NAME=auth.example.com"
|
||||
- "bunkerweb.REVERSE_PROXY_URL=/"
|
||||
- "bunkerweb.REVERSE_PROXY_HOST=http://authelia:9091"
|
||||
- "bunkerweb.REVERSE_PROXY_INTERCEPT_ERRORS=no"
|
||||
|
||||
networks:
|
||||
bw-services:
|
||||
name: bw-services
|
|
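Review bot: `image: authelia/authelia` carries no tag, so every `docker compose pull` silently moves the authentication gateway to whatever `latest` is; the same applies to the heimdall (`:latest`), jellyfin, radarr, sonarr, prowlarr, flaresolverr and transmission images in the other compose files of this commit, and pinning, `image: authelia/authelia:<version placeholder>`, makes the examples reproducible and upgrades deliberate. This service also lacks the `security_opt: - no-new-privileges:true` that heimdall, jellyfin and the *arr/transmission services set, and `healthcheck: disable: true` removes the only signal compose would have that the auth backend is answering; both look like omissions rather than choices, so either align with the siblings or add a comment explaining them. Every `REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify` label in the commit depends on this one container, so a silent upgrade or a wedged instance affects every protected service at once.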
@ -0,0 +1,16 @@
|
|||
SecAction \
|
||||
"id:900130,\
|
||||
phase:1,\
|
||||
nolog,\
|
||||
pass,\
|
||||
t:none,\
|
||||
setvar:tx.crs_exclusions_nextcloud=1"
|
||||
|
||||
# WebDAV
|
||||
SecAction \
|
||||
"id:900200,\
|
||||
phase:1,\
|
||||
nolog,\
|
||||
pass,\
|
||||
t:none,\
|
||||
setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'"
|
|
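Review bot: `tx.allowed_methods` here stops at OPTIONS, while the nextcloud compose label `bunkerweb.ALLOWED_METHODS=…|OPTIONS|SEARCH` also admits SEARCH, so a SEARCH request passes the bunkerweb method allow-list and is then, if the CRS method-enforcement rule that reads this variable is active, rejected by the WAF; the two lists should agree. Either add it here, `setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS SEARCH'"`, or drop SEARCH from the label. A one-line comment above the first `SecAction`, `# Enable the CRS Nextcloud exclusion package`, would tell readers unfamiliar with the crs-setup conventions what `tx.crs_exclusions_nextcloud=1` switches on.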
@ -0,0 +1 @@
|
|||
SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:1000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"
|
|
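Review bot: `ctl:ruleRemoveByTag` only affects rules evaluated after this one in the transaction, and a `SecRule` without `phase:` runs in phase 2, so whether the `attack-protocol` and `attack-generic` rules are actually skipped for `/remote.php/dav/files/` depends on this file being loaded ahead of the CRS rule files; an explicit early phase, `SecRule REQUEST_FILENAME "@rx ^/remote\.php/dav/files/" "id:1000,phase:1,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"`, makes that largely independent of load order (the unescaped `.` in `remote.php` is tightened in the same line). Removing two whole tag groups is a broad exclusion for the path that receives file uploads; if specific false positives motivated it, `ctl:ruleRemoveById` on those ids keeps the rest of the protocol and generic checks active, and a comment recording why the exclusion exists would help the next reviewer.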
@ -0,0 +1,53 @@
|
|||
version: '3.5'
|
||||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.4.2
|
||||
container_name: mybunker
|
||||
restart: always
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
environment:
|
||||
- MULTISITE=yes
|
||||
- AUTOCONF_MODE=yes
|
||||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- AUTO_LETS_ENCRYPT=yes
|
||||
- SERVER_NAME=
|
||||
- USE_GZIP=yes
|
||||
- SERVE_FILES=no
|
||||
- BAD_BEHAVIOR_STATUS_CODES=400 401 403 405 444
|
||||
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
|
||||
labels:
|
||||
- "bunkerweb.AUTOCONF"
|
||||
networks:
|
||||
- bw-autoconf
|
||||
- bw-services
|
||||
|
||||
myautoconf:
|
||||
image: bunkerity/bunkerweb-autoconf:1.4.2
|
||||
container_name: myautoconf
|
||||
restart: always
|
||||
# ⚠️ read this if you use local folders for volumes ⚠️
|
||||
# bunkerweb runs as an unprivileged user with UID/GID 101
|
||||
# don't forget to edit the permissions of the files and folders accordingly
|
||||
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
|
||||
# another example for existing folder : chown -R root:101 folder && chmod -R 770 folder
|
||||
# you can also run ./setup.sh as root to do this for you
|
||||
# more info at https://docs.bunkerweb.io
|
||||
volumes:
|
||||
- ./bw-data:/data
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
networks:
|
||||
- bw-autoconf
|
||||
|
||||
networks:
|
||||
bw-autoconf:
|
||||
ipam:
|
||||
driver: default
|
||||
config:
|
||||
- subnet: 10.20.30.0/24
|
||||
bw-services:
|
||||
name: bw-services
|
|
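Review bot: `- /var/run/docker.sock:/var/run/docker.sock:ro` on `myautoconf` grants that container full control of the Docker daemon — `:ro` makes the mount read-only but does not restrict the API, so whoever controls the autoconf container effectively has root on the host; the example should say so next to the mount, `# full Docker API access (":ro" only affects the mount flag) — keep this container on bw-autoconf only, never on bw-services`, which the `networks:` block below already does. A comment on `- SERVER_NAME=` explaining that the empty value is presumably intentional under `AUTOCONF_MODE=yes` (names coming from the `bunkerweb.SERVER_NAME` labels) would stop readers from "fixing" it. `API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24` agrees with the `bw-autoconf` subnet declared at the bottom, which is the right scoping for the internal API.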
@ -0,0 +1,9 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ $(id -u) -ne 0 ] ; then
|
||||
echo "❌ Run me as root"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
chown -R root:101 bw-data
|
||||
chmod -R 770 bw-data
|
|
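Review bot: `chown -R root:101 bw-data` and `chmod -R 770 bw-data` operate on a path relative to the caller's working directory, not the script's location, and both fail when `bw-data` has not been created yet — in that case Docker creates the `./bw-data` bind mount itself, root-owned with default permissions, which is exactly what the script exists to prevent. Anchoring to the script directory, creating the directory first and failing fast on any error fixes all three; the quoted `"$(id -u)"` is a hygiene fix only.
```shell
#!/bin/bash
set -euo pipefail

if [ "$(id -u)" -ne 0 ] ; then
  echo "❌ Run me as root"
  exit 1
fi

# paths below are relative to this script, not to the caller's cwd
cd "$(dirname "$0")"
mkdir -p bw-data
chown -R root:101 bw-data
chmod -R 770 bw-data
```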
@ -0,0 +1,3 @@
|
|||
PUID=1000
|
||||
PGID=1000
|
||||
TZ=Europe/Paris
|
|
@ -0,0 +1,37 @@
|
|||
version: '3.5'
|
||||
|
||||
services:
|
||||
heimdall:
|
||||
image: lscr.io/linuxserver/heimdall:latest
|
||||
container_name: heimdall
|
||||
restart: unless-stopped
|
||||
networks:
|
||||
bw-services:
|
||||
aliases:
|
||||
- heimdall
|
||||
environment:
|
||||
- PUID=${PUID}
|
||||
- PGID=${PGID}
|
||||
- TZ=${TZ}
|
||||
volumes:
|
||||
- ./config:/config
|
||||
security_opt:
|
||||
- no-new-privileges:true
|
||||
labels:
|
||||
- "bunkerweb.SERVER_NAME=example.com"
|
||||
- "bunkerweb.ALLOWED_METHODS=GET|POST|HEAD|DELETE|PUT"
|
||||
- "bunkerweb.USE_REVERSE_PROXY=yes"
|
||||
- "bunkerweb.REVERSE_PROXY_URL=/"
|
||||
- "bunkerweb.REVERSE_PROXY_HOST=http://heimdall"
|
||||
- "bunkerweb.LIMIT_REQ_RATE=10r/s"
|
||||
- "bunkerweb.REVERSE_PROXY_AUTH_REQUEST=/authelia"
|
||||
- "bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri"
|
||||
- "bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email"
|
||||
- "bunkerweb.REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email"
|
||||
- "bunkerweb.REVERSE_PROXY_URL_999=/authelia"
|
||||
- "bunkerweb.REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify"
|
||||
- "bunkerweb.REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length \"\""
|
||||
|
||||
networks:
|
||||
bw-services:
|
||||
name: bw-services
|
|
@ -0,0 +1,4 @@
|
|||
PUID=1000
|
||||
PGID=1000
|
||||
UMASK=002
|
||||
TZ=Europe/Paris
|
|
@ -0,0 +1,30 @@
|
|||
version: '3.5'
|
||||
|
||||
services:
|
||||
jellyfin:
|
||||
container_name: jellyfin
|
||||
image: cr.hotio.dev/hotio/jellyfin
|
||||
environment:
|
||||
- PUID=${PUID}
|
||||
- PGID=${PGID}
|
||||
- TZ=${TZ}
|
||||
- UMASK=${UMASK}
|
||||
restart: unless-stopped
|
||||
networks:
|
||||
bw-services:
|
||||
aliases:
|
||||
- jellyfin
|
||||
security_opt:
|
||||
- no-new-privileges:true
|
||||
volumes:
|
||||
- path/to/config:/config
|
||||
- path/to/data:/media # should be the same as radarr/sonarr
|
||||
labels:
|
||||
- "bunkerweb.SERVER_NAME=jellyfin.example.com"
|
||||
- "bunkerweb.USE_REVERSE_PROXY=yes"
|
||||
- "bunkerweb.REVERSE_PROXY_URL=/"
|
||||
- "bunkerweb.REVERSE_PROXY_HOST=http://jellyfin:8096"
|
||||
|
||||
networks:
|
||||
bw-services:
|
||||
name: bw-services
|
|
@ -0,0 +1,4 @@
|
|||
PUID=1000
|
||||
PGID=1000
|
||||
UMASK=002
|
||||
TZ=Europe/Paris
|
|
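Review bot: Unlike heimdall and the *arr/transmission services, jellyfin is published without the Authelia `REVERSE_PROXY_AUTH_REQUEST` labels and without any `LIMIT_REQ_*` or `ALLOWED_METHODS` label, so its own login form is the only thing between the internet and the account database and nothing in front of it throttles password guessing. Leaving Authelia off is understandable for native Jellyfin clients, but that decision deserves a comment on the service, `# no auth_request: Jellyfin clients authenticate directly; rate-limit the login endpoint instead`, together with a URL-scoped limit such as `- "bunkerweb.LIMIT_REQ_URL_1=^/Users/AuthenticateByName"` and `- "bunkerweb.LIMIT_REQ_RATE_1=5r/s"` (rate chosen for illustration; confirm the endpoint path against the deployed Jellyfin version), scoped to the login path so streaming traffic is unaffected.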
@ -0,0 +1,154 @@
|
|||
version: '3.5'
|
||||
|
||||
services:
|
||||
radarr:
|
||||
image: linuxserver/radarr
|
||||
container_name: radarr
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
- PUID=${PUID}
|
||||
- PGID=${PGID}
|
||||
- UMASK=${UMASK}
|
||||
- TZ=${TZ}
|
||||
networks:
|
||||
bw-services:
|
||||
aliases:
|
||||
- radarr
|
||||
security_opt:
|
||||
- no-new-privileges:true
|
||||
volumes:
|
||||
- path/to/config:/config
|
||||
- path/to/data:/data # should be same as transmission
|
||||
labels:
|
||||
- "bunkerweb.SERVER_NAME=radarr.example.com"
|
||||
- "bunkerweb.ALLOWED_METHODS=GET|POST|HEAD|DELETE|PUT"
|
||||
- "bunkerweb.REVERSE_PROXY_WS=yes"
|
||||
- "bunkerweb.USE_REVERSE_PROXY=yes"
|
||||
- "bunkerweb.REVERSE_PROXY_URL=/"
|
||||
- "bunkerweb.REVERSE_PROXY_HOST=http://radarr:7878"
|
||||
- "bunkerweb.LIMIT_REQ_URL_1=^/api"
|
||||
- "bunkerweb.LIMIT_REQ_RATE_1=10r/s"
|
||||
- "bunkerweb.REVERSE_PROXY_AUTH_REQUEST=/authelia"
|
||||
- "bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri"
|
||||
- "bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email"
|
||||
- "bunkerweb.REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email"
|
||||
- "bunkerweb.REVERSE_PROXY_URL_999=/authelia"
|
||||
- "bunkerweb.REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify"
|
||||
- "bunkerweb.REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length \"\""
|
||||
|
||||
sonarr:
|
||||
image: linuxserver/sonarr
|
||||
container_name: sonarr
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
- PUID=${PUID}
|
||||
- PGID=${PGID}
|
||||
- UMASK=${UMASK}
|
||||
- TZ=${TZ}
|
||||
networks:
|
||||
bw-services:
|
||||
aliases:
|
||||
- sonarr
|
||||
security_opt:
|
||||
- no-new-privileges:true
|
||||
volumes:
|
||||
- path/to/config:/config
|
||||
- path/to/data:/data # should be same as transmission
|
||||
labels:
|
||||
- "bunkerweb.SERVER_NAME=sonarr.example.com"
|
||||
- "bunkerweb.ALLOWED_METHODS=GET|POST|HEAD|DELETE|PUT"
|
||||
- "bunkerweb.REVERSE_PROXY_WS=yes"
|
||||
- "bunkerweb.USE_REVERSE_PROXY=yes"
|
||||
- "bunkerweb.REVERSE_PROXY_URL=/"
|
||||
- "bunkerweb.REVERSE_PROXY_HOST=http://sonarr:8989"
|
||||
- "bunkerweb.LIMIT_REQ_URL_1=^/api"
|
||||
- "bunkerweb.LIMIT_REQ_RATE_1=10r/s"
|
||||
- "bunkerweb.REVERSE_PROXY_AUTH_REQUEST=/authelia"
|
||||
- "bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri"
|
||||
- "bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email"
|
||||
- "bunkerweb.REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email"
|
||||
- "bunkerweb.REVERSE_PROXY_URL_999=/authelia"
|
||||
- "bunkerweb.REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify"
|
||||
- "bunkerweb.REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length \"\""
|
||||
|
||||
prowlarr:
|
||||
container_name: prowlarr
|
||||
image: linuxserver/prowlarr:develop
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
- PUID=${PUID}
|
||||
- PGID=${PGID}
|
||||
- UMASK=${UMASK}
|
||||
- TZ=${TZ}
|
||||
volumes:
|
||||
- path/to/config:/config
|
||||
networks:
|
||||
bw-services:
|
||||
aliases:
|
||||
- prowlarr
|
||||
security_opt:
|
||||
- no-new-privileges:true
|
||||
labels:
|
||||
- "bunkerweb.SERVER_NAME=prowlarr.example.com"
|
||||
- "bunkerweb.ALLOWED_METHODS=GET|POST|HEAD|DELETE|PUT"
|
||||
- "bunkerweb.REVERSE_PROXY_WS=yes"
|
||||
- "bunkerweb.USE_REVERSE_PROXY=yes"
|
||||
- "bunkerweb.REVERSE_PROXY_URL=/"
|
||||
- "bunkerweb.REVERSE_PROXY_HOST=http://prowlarr:9696"
|
||||
- "bunkerweb.REVERSE_PROXY_AUTH_REQUEST=/authelia"
|
||||
- "bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri"
|
||||
- "bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email"
|
||||
- "bunkerweb.REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email"
|
||||
- "bunkerweb.REVERSE_PROXY_URL_999=/authelia"
|
||||
- "bunkerweb.REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify"
|
||||
- "bunkerweb.REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length \"\""
|
||||
|
||||
flaresolverr:
|
||||
container_name: flaresolverr
|
||||
image: flaresolverr/flaresolverr
|
||||
restart: unless-stopped
|
||||
ports:
|
||||
- 8191:8191
|
||||
environment:
|
||||
- LOG_LEVEL=${LOG_LEVEL:-info}
|
||||
- LOG_HTML=${LOG_HTML:-false}
|
||||
- CAPTCHA_SOLVER=${CAPTCHA_SOLVER:-none}
|
||||
- PUID=${PUID}
|
||||
- PGID=${PGID}
|
||||
- TZ=${TZ}
|
||||
|
||||
transmission:
|
||||
container_name: transmission
|
||||
image: linuxserver/transmission
|
||||
restart: unless-stopped
|
||||
networks:
|
||||
bw-services:
|
||||
aliases:
|
||||
- transmission
|
||||
environment:
|
||||
- PUID=${PUID}
|
||||
- PGID=${PGID}
|
||||
- TZ=${TZ}
|
||||
volumes:
|
||||
- path/to/config:/config
|
||||
- path/to/data/downloads:/data/downloads # path to /data should be same as other services
|
||||
security_opt:
|
||||
- no-new-privileges:true
|
||||
labels:
|
||||
- "bunkerweb.SERVER_NAME=transmission.example.com"
|
||||
- "bunkerweb.ALLOWED_METHODS=GET|POST|HEAD|DELETE|PUT"
|
||||
- "bunkerweb.USE_REVERSE_PROXY=yes"
|
||||
- "bunkerweb.REVERSE_PROXY_URL=/"
|
||||
- "bunkerweb.REVERSE_PROXY_HOST=http://transmission:9091"
|
||||
- "bunkerweb.LIMIT_REQ_RATE=10r/s"
|
||||
- "bunkerweb.REVERSE_PROXY_AUTH_REQUEST=/authelia"
|
||||
- "bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri"
|
||||
- "bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email"
|
||||
- "bunkerweb.REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email"
|
||||
- "bunkerweb.REVERSE_PROXY_URL_999=/authelia"
|
||||
- "bunkerweb.REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify"
|
||||
- "bunkerweb.REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length \"\""
|
||||
|
||||
networks:
|
||||
bw-services:
|
||||
name: bw-services
|
|
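Review bot: `flaresolverr` publishes `8191:8191` on every host interface with no authentication, and it is the only service in this file without a `networks:` entry, so it lands on the default bridge where `prowlarr` (attached to `bw-services` only) cannot reach it by name — the published port becomes the only path between them, and it is just as reachable from the LAN and, on an exposed host, from outside. Attaching it to `bw-services` with an alias and dropping `ports:` keeps it internal (if a host port is truly needed, bind it to loopback, `- 127.0.0.1:8191:8191`); the rewrite below also adds the `no-new-privileges` option the sibling services set. Separately, the eleven Authelia forwarding labels are repeated verbatim in radarr, sonarr, prowlarr and transmission; declaring them once in a top-level `x-` extension field with an anchor (with `labels` in mapping form merged via `<<:`) would leave a single place to correct the sign-in URL or the identity headers.
```yaml
  flaresolverr:
    container_name: flaresolverr
    image: flaresolverr/flaresolverr
    restart: unless-stopped
    # not published on the host: prowlarr reaches it as http://flaresolverr:8191 over bw-services
    networks:
      bw-services:
        aliases:
          - flaresolverr
    security_opt:
      - no-new-privileges:true
    # … unchanged: environment …
```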
@ -0,0 +1,3 @@
|
|||
PUID=1000
|
||||
PGID=1000
|
||||
TZ=Europe/Paris
|
|
@ -0,0 +1,81 @@
|
|||
version: '3.5'
|
||||
|
||||
services:
|
||||
nextcloud:
|
||||
image: nextcloud:23-apache
|
||||
container_name: nextcloud
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
- path/to/app:/var/www/html
|
||||
- path/to/data:/var/www/html/data
|
||||
networks:
|
||||
bw-services:
|
||||
aliases:
|
||||
- nextcloud
|
||||
nextcloud:
|
||||
environment:
|
||||
- PUID=${PUID}
|
||||
- PGID=${PGID}
|
||||
- TZ=${TZ}
|
||||
- MYSQL_HOST=mydb
|
||||
- MYSQL_DATABASE=nextcloud
|
||||
- MYSQL_USER=nextcloud
|
||||
- MYSQL_PASSWORD=changeme # should be same as mariadb password
|
||||
- REDIS_HOST=redis
|
||||
- NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.example.com
|
||||
- TRUSTED_PROXIES=192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
|
||||
- APACHE_DISABLE_REWRITE_IP=1
|
||||
labels:
|
||||
- "bunkerweb.SERVER_NAME=nextcloud.example.com"
|
||||
- "bunkerweb.USE_REVERSE_PROXY=yes"
|
||||
- "bunkerweb.REVERSE_PROXY_URL=/"
|
||||
- "bunkerweb.REVERSE_PROXY_HOST=http://nextcloud"
|
||||
- "bunkerweb.MAX_CLIENT_SIZE=10G"
|
||||
- "bunkerweb.USE_CLIENT_CACHE=yes"
|
||||
- "bunkerweb.SERVE_FILES=no"
|
||||
- "bunkerweb.ALLOWED_METHODS=GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS|SEARCH"
|
||||
- "bunkerweb.X_FRAME_OPTIONS=SAMEORIGIN"
|
||||
- "bunkerweb.USE_GZIP=yes"
|
||||
- "bunkerweb.BAD_BEHAVIOR_STATUS_CODES=400 401 403 405 444"
|
||||
- "bunkerweb.WHITELIST_USER_AGENT=WebDAV"
|
||||
- "bunkerweb.LIMIT_REQ_URL_1=/apps"
|
||||
- "bunkerweb.LIMIT_REQ_RATE_1=15r/s"
|
||||
- "bunkerweb.LIMIT_REQ_URL_2=/apps/text/session/sync"
|
||||
- "bunkerweb.LIMIT_REQ_RATE_2=8r/s"
|
||||
- "bunkerweb.LIMIT_REQ_URL_3=/core/preview"
|
||||
- "bunkerweb.LIMIT_REQ_RATE_3=50r/s"
|
||||
|
||||
mydb:
|
||||
image: mariadb:10.8
|
||||
container_name: mariadb
|
||||
restart: unless-stopped
|
||||
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --innodb-file-per-table=1 --skip-innodb-read-only-compressed
|
||||
networks:
|
||||
nextcloud:
|
||||
volumes:
|
||||
- $HOMEDIR/nextcloud/db:/var/lib/mysql
|
||||
environment:
|
||||
- PUID=${PUID}
|
||||
- PGID=${PGID}
|
||||
- TZ=${TZ}
|
||||
- MYSQL_ROOT_PASSWORD=changeme
|
||||
- MYSQL_DATABASE=nextcloud
|
||||
- MYSQL_USER=nextcloud
|
||||
- MYSQL_PASSWORD=changeme # should be same as nextcloud database password
|
||||
|
||||
redis:
|
||||
image: redis:7
|
||||
container_name: redis
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
- PUID=${PUID}
|
||||
- PGID=${PGID}
|
||||
- TZ=${TZ}
|
||||
networks:
|
||||
nextcloud:
|
||||
|
||||
|
||||
networks:
|
||||
nextcloud:
|
||||
bw-services:
|
||||
name: bw-services
|
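Review bot: `$HOMEDIR` in the mariadb volume mount is not defined in the accompanying `.env` (which sets only PUID, PGID and TZ), so compose expands it to an empty string and the bind mount becomes `/nextcloud/db` at the filesystem root; either add `HOMEDIR` to `.env` or use the same placeholder style as the other mounts, `- path/to/db:/var/lib/mysql`. The database credentials are also the only secrets in this commit that are hard-coded in a compose file rather than read from `.env`, and the two `MYSQL_PASSWORD` copies are kept equal only by a comment; `- MYSQL_PASSWORD=${MYSQL_PASSWORD}` in both services and `- MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}` remove the drift and keep the values out of the file. `TRUSTED_PROXIES=192.168.0.0/16 172.16.0.0/12 10.0.0.0/8` covers every RFC 1918 range, which lets any container or LAN host on those ranges forge the client address Nextcloud sees; restricting it to the `bw-services` subnet (giving that network a fixed `ipam` subnet as `bw-autoconf` already has) is tighter. The nextcloud service is also missing the `security_opt: - no-new-privileges:true` that the other application services set.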