diff --git a/apps/gramps/docker-compose.yml b/apps/gramps/docker-compose.yml index 54c69f7..8064fac 100644 --- a/apps/gramps/docker-compose.yml +++ b/apps/gramps/docker-compose.yml @@ -5,7 +5,7 @@ services: container_name: gramps-db restart: always env_file: - - ${PROJECT_ROOT}/secrets/stack-secrets.env + - ${SECRETS_ENV_FILE} environment: POSTGRES_USER: ${GRAMPS_DB_USER} POSTGRES_PASSWORD_FILE: /run/secrets/gramps_db_password @@ -31,7 +31,7 @@ services: - gramps-db restart: always env_file: - - ${PROJECT_ROOT}/secrets/stack-secrets.env + - ${SECRETS_ENV_FILE} environment: DB_URI: ${GRAMPS_DB_URI} GRAMPSWEB_LOGLEVEL: ${GRAMPSWEB_LOGLEVEL} diff --git a/apps/nextcloud/docker-compose.yml b/apps/nextcloud/docker-compose.yml index b9203ea..5c98a83 100644 --- a/apps/nextcloud/docker-compose.yml +++ b/apps/nextcloud/docker-compose.yml @@ -5,9 +5,9 @@ services: context: ${PROJECT_ROOT}/apps/nextcloud container_name: nextcloud-webapp restart: always - hostname: nextcloud.lan.ddnsgeek.com - env_file: - - ${PROJECT_ROOT}/secrets/stack-secrets.env + hostname: ${NEXTCLOUD_TRUSTED_DOMAINS} +# env_file: +# - ${SECRETS_ENV_FILE} volumes: - ${PROJECT_ROOT}/apps/nextcloud/data:/var/www/html/data:rw - ${PROJECT_ROOT}/apps/nextcloud/config:/var/www/html/config:rw 
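Review bot: In the gramps-db hunk, `env_file: - ${SECRETS_ENV_FILE}` still loads the entire shared secrets file into the container, so every credential in stack-secrets.env for every app becomes readable inside gramps-db through `docker inspect` or the process environment, even though the service already takes its own password from `/run/secrets/gramps_db_password`. The grampsweb hunk (`@@ -31,7`) keeps the same line, while every other service in this commit comments its `env_file:` out. Unless gramps needs variables that exist only in that file, drop both `env_file:` entries and rely on the Compose-level `--env-file` for `${...}` interpolation; if it does need some, list them individually under `environment:`. Both service definitions start before their hunk.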
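Review bot: `hostname: ${NEXTCLOUD_TRUSTED_DOMAINS}` reuses a variable that the Nextcloud image treats as a space-separated list of domains, so as soon as a second domain is added the container hostname and the Traefik rule in `@@ -43,7` (`Host(`${NEXTCLOUD_TRUSTED_DOMAINS}`)`) both become invalid; a dedicated hostname variable (derived from the existing `DOMAIN`) for those two places keeps the list variable free to grow. The `# env_file:` remnant left here, and the identical commented-out block in the nextcloud-db, passbolt, core, authelia, gotify, prometheus and influxdb hunks, is dead configuration that git history already preserves, and deleting it reads cleaner than a column-0 comment inside an indented mapping. The service definition starts before the hunk.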
@@ -18,22 +18,22 @@ services: - nextcloud-redis environment: - MYSQL_PASSWORD_FILE=/run/secrets/nextcloud_db_password - - MYSQL_DATABASE=${NEXTCLOUD_DB_NAME} + - MYSQL_DATABASE=${NEXTCLOUD_MYSQL_DATABASE} - MYSQL_USER=${NEXTCLOUD_DB_USER} - - MYSQL_HOST=nextcloud_db:3306 - - NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.lan.ddnsgeek.com - - OVERWRITEPROTOCOL=https - - OVERWRITECLIURL=https://nextcloud.lan.ddnsgeek.com - - SMTP_HOST=smtp.gmail.com - - SMTP_SECURE=tls - - SMTP_PORT=587 - - SMTP_AUTHTYPE=login + - MYSQL_HOST=${NEXTCLOUD_MYSQL_HOST} + - NEXTCLOUD_TRUSTED_DOMAINS=${NEXTCLOUD_TRUSTED_DOMAINS} + - OVERWRITEPROTOCOL=${NEXTCLOUD_OVERWRITEPROTOCOL} + - OVERWRITECLIURL=${NEXTCLOUD_OVERWRITECLIURL} + - SMTP_HOST=${NEXTCLOUD_SMTP_HOST} + - SMTP_SECURE=${NEXTCLOUD_SMTP_SECURE} + - SMTP_PORT=${NEXTCLOUD_SMTP_PORT} + - SMTP_AUTHTYPE=${NEXTCLOUD_SMTP_AUTHTYPE} - MAIL_FROM_ADDRESS=${NEXTCLOUD_SMTP_FROM_ADDRESS} - MAIL_DOMAIN=${NEXTCLOUD_SMTP_DOMAIN} - SMTP_NAME=${NEXTCLOUD_SMTP_NAME} - SMTP_PASSWORD_FILE=/run/secrets/nextcloud_smtp_password - - REDIS_HOST=redis - - REDIS_HOST_PORT=6379 + - REDIS_HOST=${NEXTCLOUD_REDIS_HOST} + - REDIS_HOST_PORT=${NEXTCLOUD_REDIS_HOST_PORT} - REDIS_HOST_PASSWORD_FILE=/run/secrets/nextcloud_redis_password secrets: - nextcloud_db_password @@ -43,7 +43,7 @@ services: - traefik - nextcloud labels: - - "traefik.http.routers.nextcloud.rule=Host(`nextcloud.lan.ddnsgeek.com`)" + - "traefik.http.routers.nextcloud.rule=Host(`${NEXTCLOUD_TRUSTED_DOMAINS}`)" - "traefik.enable=true" - "traefik.http.routers.nextcloud.entrypoints=websecure" - "traefik.http.routers.nextcloud.tls.certresolver=myresolver" 
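Review bot: The hunk renames the database variable to `MYSQL_DATABASE=${NEXTCLOUD_MYSQL_DATABASE}` while the line below keeps `MYSQL_USER=${NEXTCLOUD_DB_USER}`, and the same commit deletes `NEXTCLOUD_MYSQL_USER` from default-environment.env, so the webapp and db services now mix two naming schemes (`NEXTCLOUD_MYSQL_*` from the default file, `NEXTCLOUD_DB_*` presumably from the secrets file) for what is one logical set of connection settings. Picking one prefix, and keeping the non-secret user name in the default file, would make it obvious which file a variable lives in. The service definition starts before and ends after the hunk.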
@@ -77,16 +77,16 @@ services: container_name: nextcloud-db hostname: nextcloud_db command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW - env_file: - - ${PROJECT_ROOT}/secrets/stack-secrets.env +# env_file: +# - ${PROJECT_ROOT}/secrets/stack-secrets.env volumes: - ${PROJECT_ROOT}/apps/nextcloud/database:/var/lib/mysql:rw environment: - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/nextcloud_db_root_password - MYSQL_PASSWORD_FILE=/run/secrets/nextcloud_db_password - - MYSQL_DATABASE=${NEXTCLOUD_DB_NAME} + - MYSQL_DATABASE=${NEXTCLOUD_MYSQL_DATABASE} - MYSQL_USER=${NEXTCLOUD_DB_USER} - - MARIADB_AUTO_UPGRADE=1 + - MARIADB_AUTO_UPGRADE=${NEXTCLOUD_MARIADB_AUTO_UPGRADE} - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER} - NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/nextcloud_admin_password secrets: diff --git a/apps/passbolt/docker-compose.yml b/apps/passbolt/docker-compose.yml index e92cea2..a42c38a 100644 --- a/apps/passbolt/docker-compose.yml +++ b/apps/passbolt/docker-compose.yml @@ -4,10 +4,10 @@ services: container_name: passbolt-db image: mariadb:12 restart: always - env_file: - - ${PROJECT_ROOT}/secrets/stack-secrets.env +# env_file: +# - ${PROJECT_ROOT}/secrets/stack-secrets.env environment: - MYSQL_RANDOM_ROOT_PASSWORD: "true" + MYSQL_RANDOM_ROOT_PASSWORD: ${PASSBOLT_MYSQL_RANDOM_ROOT_PASSWORD} MYSQL_DATABASE: ${PASSBOLT_DB_NAME} MYSQL_USER: ${PASSBOLT_DB_USER} MYSQL_PASSWORD_FILE: /run/secrets/passbolt_db_password 
@@ -33,15 +33,15 @@ services: restart: always depends_on: - passbolt-db - env_file: - - ${PROJECT_ROOT}/secrets/stack-secrets.env +# env_file: +# - ${PROJECT_ROOT}/secrets/stack-secrets.env environment: - APP_FULL_BASE_URL: https://passbolt.lan.ddnsgeek.com - DATASOURCES_DEFAULT_HOST: "passbolt-db" + APP_FULL_BASE_URL: ${PASSBOLT_APP_FULL_BASE_URL} + DATASOURCES_DEFAULT_HOST: ${PASSBOLT_DATASOURCES_DEFAULT_HOST} DATASOURCES_DEFAULT_USERNAME: ${PASSBOLT_DB_USER} DATASOURCES_DEFAULT_PASSWORD_FILE: /run/secrets/passbolt_db_password DATASOURCES_DEFAULT_DATABASE: ${PASSBOLT_DB_NAME} - PASSBOLT_GPG_SERVER_KEY_FINGERPRINT: "CBBB2B8F3E9FACA114537ACB8965B750F7363586" + PASSBOLT_GPG_SERVER_KEY_FINGERPRINT: ${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT} secrets: - passbolt_db_password volumes: diff --git a/core/authelia/configuration.yml b/core/authelia/configuration.yml index 6212d20..57b30fd 100644 --- a/core/authelia/configuration.yml +++ b/core/authelia/configuration.yml @@ -3,16 +3,16 @@ server.address: tcp://0.0.0.0:9091 log: level: info -identity_validation.reset_password.jwt_secret: ${AUTHELIA_JWT_SECRET} +identity_validation.reset_password.jwt_secret: T72Xcxa4d7xpQRypFDZpunlZt0IjqspojmBlxBr69gnkRjzR144YgjZsgFYZK0gS session: - secret: ${AUTHELIA_SESSION_SECRET} + secret: BYksO7YUAJ8gXx9Endgpe46RgB10nkeKpD1qcQPt0GuYGQm2pS2zjJtNOrCEqpav cookies: - domain: lan.ddnsgeek.com authelia_url: https://auth.lan.ddnsgeek.com storage: - encryption_key: ${AUTHELIA_STORAGE_ENCRYPTION_KEY} + encryption_key: N7mkWziClgDhLgZDRkRwU6jEHmGF6ciOt53pzoFcZ0meEV1AZCC5bWZd24jeu19y local: path: /config/data/db.sqlite3 diff --git a/core/docker-compose.yml b/core/docker-compose.yml index fad817e..087ac58 100644 --- a/core/docker-compose.yml +++ b/core/docker-compose.yml 
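Review bot: `PASSBOLT_GPG_SERVER_KEY_FINGERPRINT: ${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT}` now depends on a variable that this same commit removes from default-environment.env (the `-PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=...` line in that hunk), and a key fingerprint is public metadata rather than a secret, so unless it was moved into stack-secrets.env Compose will substitute an empty string and at most print a warning. `NEXTCLOUD_ADMIN_USER` and `INFLUXDB_INIT_USERNAME` are in the same situation — deleted from the default file but still referenced in the nextcloud-db and influxdb hunks — presumably because they now live in the secrets file; worth confirming. Keeping non-secret values such as the fingerprint in default-environment.env also keeps the secrets file minimal. The passbolt service definition starts before the hunk.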
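Review bot: The three replaced lines commit live secrets to the repository — `identity_validation.reset_password.jwt_secret`, `session.secret` and `storage.encryption_key` are now literal values in core/authelia/configuration.yml instead of `${AUTHELIA_*}` references, so they sit in git history for anyone with read access and have to be treated as compromised and rotated (the storage encryption key cannot simply be swapped, since the existing SQLite data is encrypted under it; Authelia ships a storage encryption key-change command for that). If the motivation was that Authelia does not expand `${VAR}` inside its YAML, the supported route is the file-based environment variables — `AUTHELIA_SESSION_SECRET_FILE`, `AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE` and `AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE` pointing at `/run/secrets/...` — which matches the `*_PASSWORD_FILE` pattern the other services in this commit already use. Remove the three keys from the config file entirely rather than leaving values in place, as Authelia treats a secret defined both in the file and via a secret variable as an error.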
@@ -17,8 +17,8 @@ services: build: context: ${PROJECT_ROOT}/core - env_file: - - ${PROJECT_ROOT}/secrets/stack-secrets.env + # env_file: + # - ${PROJECT_ROOT}/secrets/stack-secrets.env volumes: - /var/run/docker.sock:/var/run/docker.sock:ro @@ -54,7 +54,7 @@ services: restart: always environment: - COLLECTIONS=crowdsecurity/traefik - - CROWDSEC_LAPI_KEY=${CROWDSEC_LAPI_KEY} +# - CROWDSEC_LAPI_KEY=${CROWDSEC_LAPI_KEY} volumes: - ${PROJECT_ROOT}/core/crowdsec/logs:/logs:ro - ${PROJECT_ROOT}/core/crowdsec/data:/var/lib/crowdsec/data @@ -102,8 +102,12 @@ services: restart: always build: context: ${PROJECT_ROOT}/core/authelia - env_file: - - ${PROJECT_ROOT}/secrets/stack-secrets.env +# env_file: +# - ${PROJECT_ROOT}/secrets/stack-secrets.env +# environment: +# - AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET:${AUTHELIA_JWT_SECRET} +# - AUTHELIA_SESSION_SECRET:${AUTHELIA_SESSION_SECRET} +# - AUTHELIA_STORAGE_ENCRYPTION_KEY:${AUTHELIA_STORAGE_ENCRYPTION_KEY} volumes: - ${PROJECT_ROOT}/core/authelia:/config networks: diff --git a/default-environment.env b/default-environment.env index e4f10ca..f92003d 100644 --- a/default-environment.env +++ b/default-environment.env @@ -2,6 +2,7 @@ PROJECT_ROOT=/home/nixos/docker DOMAIN=lan.ddnsgeek.com TZ=Australia/Brisbane EMAIL=wayne.bennett@live.com +SECRETS_ENV_FILE=${PROJECT_ROOT}/secrets/stack-secrets.env # Core CROWDSEC_COLLECTIONS=crowdsecurity/traefik 
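Review bot: Commenting out `CROWDSEC_LAPI_KEY=${CROWDSEC_LAPI_KEY}` in the `@@ -54,7` hunk leaves that service with no LAPI key in its environment, and nothing else in the hunk supplies one, so either the key now arrives from a source outside this diff or whatever consumed it stops authenticating without an obvious error. If the image accepts a file-based variant of the key, mounting it as a Docker secret would match the rest of the stack; otherwise the removed line should be replaced by a short comment saying where the key now comes from rather than left as dead configuration. The service definition starts before the hunk.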
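Review bot: The commented-out `environment:` block added for authelia in the `@@ -102,8` hunk writes its entries as `KEY:${VAR}` inside Compose's list form, where an entry must be `KEY=VALUE`; with a colon Compose presumably reads the whole string as a variable name with no value, which is likely why the block never worked and ended up commented out. Those are also the plain-value variable names; since the stack already mounts Docker secrets for the other services, the `_FILE` variants (for example `AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret`) under a `secrets:` entry would keep the values out of the container environment entirely. In either case commented-out configuration should be deleted rather than kept in the service. The service definition starts before the hunk.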
@@ -17,69 +18,43 @@ GITEA_ROOT_URL=https://gitea.lan.ddnsgeek.com/ GRAFANA_ROOT_URL=https://grafana.lan.ddnsgeek.com/ # Nextcloud -NEXTCLOUD_MYSQL_ROOT_PASSWORD=R1m@dmin -NEXTCLOUD_MYSQL_PASSWORD=R1m@dmin NEXTCLOUD_MYSQL_DATABASE=nextcloud -NEXTCLOUD_MYSQL_USER=nextcloud NEXTCLOUD_MYSQL_HOST=nextcloud_db:3306 NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.lan.ddnsgeek.com NEXTCLOUD_OVERWRITEPROTOCOL=https -NEXTCLOUD_OVERWRITECLIURL=https://nextcloud.lan.ddnsgeek.com +NEXTCLOUD_OVERWRITECLIURL=https://${NEXTCLOUD_TRUSTED_DOMAINS} NEXTCLOUD_SMTP_HOST=smtp.gmail.com NEXTCLOUD_SMTP_SECURE=tls NEXTCLOUD_SMTP_PORT=587 NEXTCLOUD_SMTP_AUTHTYPE=login -NEXTCLOUD_MAIL_FROM_ADDRESS=beatz174 -NEXTCLOUD_MAIL_DOMAIN=gmail.com -NEXTCLOUD_SMTP_NAME=beatz174@gmail.com -NEXTCLOUD_SMTP_PASSWORD=kqdw fvml wlag ldgv NEXTCLOUD_REDIS_HOST=redis NEXTCLOUD_REDIS_HOST_PORT=6379 -NEXTCLOUD_REDIS_HOST_PASSWORD=TzBF8wcJNmVd9p2CTmBejPS9dpye6kWQeH3DmrQS9TPfTRriSHFN5VqH4CgzcuVZYWH2GBb7QU5GuEpNDGYdKjM6hjmLyjSgCFMiPms3Hv9n NEXTCLOUD_MARIADB_AUTO_UPGRADE=1 -NEXTCLOUD_ADMIN_USER=admin -NEXTCLOUD_ADMIN_PASSWORD=R1m@dmin # Passbolt PASSBOLT_MYSQL_RANDOM_ROOT_PASSWORD=true PASSBOLT_MYSQL_DATABASE=passbolt PASSBOLT_MYSQL_USER=passbolt -PASSBOLT_MYSQL_PASSWORD=P4ssb0lt PASSBOLT_APP_FULL_BASE_URL=https://passbolt.lan.ddnsgeek.com PASSBOLT_DATASOURCES_DEFAULT_HOST=passbolt-db -PASSBOLT_DATASOURCES_DEFAULT_USERNAME=passbolt -PASSBOLT_DATASOURCES_DEFAULT_PASSWORD=P4ssb0lt -PASSBOLT_DATASOURCES_DEFAULT_DATABASE=passbolt -PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=CBBB2B8F3E9FACA114537ACB8965B750F7363586 # Gramps -GRAMPS_POSTGRES_USER=gramps -GRAMPS_POSTGRES_PASSWORD=grampspassword -GRAMPS_POSTGRES_DB=gramps -GRAMPS_DB_URI=postgresql://gramps:grampspassword@db:5432/gramps GRAMPSWEB_LOGLEVEL=INFO -GRAMPS_INITIAL_ADMIN=admin -GRAMPS_INITIAL_ADMIN_PASSWORD=admin GRAMPSWEB_MEDIAPATH=/app/media GRAMPSWEB_TREE=main # Prometheus stack INFLUXDB_INIT_MODE=setup -INFLUXDB_INIT_USERNAME=admin -INFLUXDB_INIT_PASSWORD=adminpassword 
INFLUXDB_INIT_ORG=pbs INFLUXDB_INIT_BUCKET=telemetry + DOCKER_EXPORTER_LOG_LEVEL=INFO + PIHOLE_HOSTNAME=pihole.sweet.home -PIHOLE_PASSWORD= PIHOLE_EXPORTER_PORT=9617 # Gotify -GOTIFY_DEFAULTUSER_NAME=admin -GOTIFY_DEFAULTUSER_PASS=R1m@dmin GOTIFY_REGISTRATION=false -#GOTIFY_URL=https://gotify.lan.ddnsgeek.com -#GOTIFY_TOKEN=ADuOnDBG7C27hcf # Portainer PORTAINER_GODEBUG=netdns=cgo diff --git a/monitoring/gotify/docker-compose.yml b/monitoring/gotify/docker-compose.yml index ebaee66..1ff0517 100644 --- a/monitoring/gotify/docker-compose.yml +++ b/monitoring/gotify/docker-compose.yml @@ -4,8 +4,8 @@ services: image: gotify/server:latest container_name: gotify restart: always - env_file: - - ${PROJECT_ROOT}/secrets/stack-secrets.env +# env_file: +# - ${PROJECT_ROOT}/secrets/stack-secrets.env volumes: - ${PROJECT_ROOT}/monitoring/gotify/data:/app/data environment: diff --git a/monitoring/prometheus/docker-compose.yml b/monitoring/prometheus/docker-compose.yml index f95401e..a4b1a1f 100644 --- a/monitoring/prometheus/docker-compose.yml +++ b/monitoring/prometheus/docker-compose.yml @@ -4,8 +4,8 @@ services: prometheus: profiles: ["monitoring","all","prometheus"] image: prom/prometheus:latest - env_file: - - ${PROJECT_ROOT}/secrets/stack-secrets.env +# env_file: +# - ${PROJECT_ROOT}/secrets/stack-secrets.env container_name: prometheus depends_on: # - alertmanager @@ -104,12 +104,12 @@ services: image: influxdb:2.7 container_name: influxdb restart: unless-stopped - env_file: - - ${PROJECT_ROOT}/secrets/stack-secrets.env +# env_file: +# - ${PROJECT_ROOT}/secrets/stack-secrets.env volumes: - ${PROJECT_ROOT}/monitoring/influxdb:/var/lib/influxdb2 environment: - DOCKER_INFLUXDB_INIT_MODE: setup + DOCKER_INFLUXDB_INIT_MODE: ${INFLUXDB_INIT_MODE} DOCKER_INFLUXDB_INIT_USERNAME: ${INFLUXDB_INIT_USERNAME} DOCKER_INFLUXDB_INIT_PASSWORD_FILE: /run/secrets/influxdb_init_password DOCKER_INFLUXDB_INIT_ORG: ${INFLUXDB_INIT_ORG} 
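Review bot: The credentials removed in this hunk — the MariaDB root and user passwords, the admin passwords, the Gmail app password in `NEXTCLOUD_SMTP_PASSWORD`, the Redis password and the Gotify token — remain readable in git history, so the commit does not reduce their exposure; they need to be rotated, and the history rewritten or the repository treated as having disclosed them. The new `NEXTCLOUD_OVERWRITECLIURL=https://${NEXTCLOUD_TRUSTED_DOMAINS}`, like `SECRETS_ENV_FILE=${PROJECT_ROOT}/...` in the earlier hunk, relies on Compose expanding `${...}` inside the env file itself; recent Compose v2 releases do this for variables defined earlier in the file, and both references are ordered correctly, but the required Compose version is worth stating in the README or the script.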
@@ -212,14 +212,14 @@ services: profiles: ["monitoring","all","prometheus-exporters"] image: ekofr/pihole-exporter:latest container_name: pihole-exporter - env_file: - - ${PROJECT_ROOT}/secrets/stack-secrets.env +# env_file: +# - ${PROJECT_ROOT}/secrets/stack-secrets.env environment: PIHOLE_HOSTNAME: ${PIHOLE_HOSTNAME} PIHOLE_PASSWORD: ${PIHOLE_PASSWORD} - PORT: 9617 + PORT: ${PIHOLE_EXPORTER_PORT} ports: - - "9617:9617" + - "${PIHOLE_EXPORTER_PORT}:${PIHOLE_EXPORTER_PORT}" restart: unless-stopped networks: # - edge diff --git a/monitoring/prometheus/prometheus.yml b/monitoring/prometheus/prometheus.yml index d4db4d4..c769360 100644 --- a/monitoring/prometheus/prometheus.yml +++ b/monitoring/prometheus/prometheus.yml @@ -96,9 +96,9 @@ scrape_configs: scrape_interval: 30s basic_auth: - username: ${PROMETHEUS_KUMA_BASIC_AUTH_USERNAME} + username: wayne.bennett@live.com password_file: /run/secrets/prometheus_kuma_basic_auth_password - +# password: '4vjCco?[%{=+,t`):C' static_configs: - targets: - monitor-kuma:3001 diff --git a/services-up.sh b/services-up.sh index dd9b591..789acb7 100755 --- a/services-up.sh +++ b/services-up.sh @@ -1,6 +1,7 @@ #!/usr/bin/env bash ENV="default-environment.env" +SECRETS="secrets/stack-secrets.env" PROJECT="core" FILES=( -f default-network.yml @@ -21,4 +22,4 @@ FILES=( -f core/test/docker-compose.yml ) -docker compose -p $PROJECT --env-file $ENV "${FILES[@]}" $1 $2 $3 $4 $5 $6 $7 $8 $9 +docker compose -p $PROJECT --env-file $ENV --env-file $SECRETS "${FILES[@]}" $1 $2 $3 $4 $5 $6 $7 $8 $9
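Review bot: The added comment `# password: '4vjCco?[%{=+,t`):C'` places the Uptime Kuma basic-auth password in the repository in clear text; a commented-out secret is still a disclosed secret, it is now in history, and it must be rotated and the line removed — `password_file: /run/secrets/prometheus_kuma_basic_auth_password` on the line above already supplies the value. Replacing `${PROMETHEUS_KUMA_BASIC_AUTH_USERNAME}` with a literal e-mail address is presumably because Prometheus does not interpolate `${...}` in its configuration; a user name is an identifier rather than a secret, so the literal is acceptable, but whether the Prometheus version in use also accepts a file for the username is worth checking before hard-coding it. The scrape job starts before and ends after the hunk.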
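Review bot: The new `--env-file $SECRETS` expands an unquoted relative path, as `$ENV` already did, so both silently point at the wrong file when the script is run from another directory, and `$1 … $9` drops arguments past the ninth and re-splits any that contain spaces. Suggest `set -euo pipefail`, a guard such as `[ -r "$SECRETS" ] || { echo "missing $SECRETS" >&2; exit 1; }` (ideally also refusing a group- or world-readable secrets file), and `docker compose -p "$PROJECT" --env-file "$ENV" --env-file "$SECRETS" "${FILES[@]}" "$@"`. Passing `--env-file` twice needs a Compose v2 release that accepts the flag repeatedly; once it does, the secrets become available for `${...}` substitution in every Compose file, which is what makes the per-service `env_file:` entries elsewhere in this commit unnecessary.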