Merge remote-tracking branch 'refs/remotes/origin/main'

homelab/local-hosts/druid/config/socks5-server/secrets.env

@@ -0,0 +1,58 @@
+{
+	"socks5_PROXY_PASSWORD": "ENC[AES256_GCM,data:3vhWRlpsg9iPQBL9NYDCIAkPnQJWP9RsDkGn0ZxbSUik946Cgoynkhm86gVOwz++,iv:/78Bkd2UY41AK6FcxQBpgxUCm5Fl56U+4PKVHBnXyQ0=,tag:9bHK8/BeRaql07eYDaj0MQ==,type:str]",
+	"sops": {
+		"shamir_threshold": 2,
+		"key_groups": [
+			{
+				"hc_vault": null,
+				"age": [
+					{
+						"recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00",
+						"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkVXl1YkVSVXY1MklTM2FD\nZUFEbGJ3RC8rVEE0TzRqRysxb3hOSXpUTVFFCi9LbDhxdHVnNXhzT2NnNnJPTzZ2\nMGMxeExRR281aExLSWRkYmZpK1FFWlkKLS0tIDBIeHRrRVBzWGtJNDFWUmRiU1JI\nVWU2QlJYdm02ZFp0UHh2anZhMTFrbTQKgGvI8L7ZPBbvFXpVo0kCtObc7tDg8rBE\n2aV+jKFJwf+td+CUcB9pZR1hOicT5xpTdMRR4bLPqkf7HN5D4+Dtb28=\n-----END AGE ENCRYPTED FILE-----\n"
+					}
+				]
+			},
+			{
+				"hc_vault": null,
+				"age": [
+					{
+						"recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00",
+						"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHSHV4SUltbUVlY01TT1RV\nQUF5VDNFKzJHV09rakk5U1ViQzJlSEtnVGhRCm9YMU5hclN6bTBxZHc4Y1FmelNN\ncVducDBOdlRjQ1JQL3dJd25kNDFFWjQKLS0tIHFhYlpIbjdLek1SY2c2cE5TVlRy\nL3FFRG51MStNTDNnM1N2NlVvaU1BQnMKCN4uWdrzxaVaL9GF/KgHqX8qnHcfPXYH\nvxd8wIV4Lrd91BhRla+z/YY2qdP6TAcp67YmfnDARlVY7Kc/16c05aM=\n-----END AGE ENCRYPTED FILE-----\n"
+					}
+				]
+			},
+			{
+				"hc_vault": null,
+				"age": [
+					{
+						"recipient": "age193t908fjxl8ekl77p5xqnpj4xmw3y0khvyzlrw22hdzjduk6l53q05spq3",
+						"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdnhrUVlYU2pUQzhPYkI3\nZ1RSRXBOcXNnN05Fb1h3dkwwQmxHR0JZZEEwCnIySVF6bGpZcUc0OVYwWWpKb1lE\ndC96MS9wNk1landreVZYdXVUN243bkEKLS0tIDQzSHQzY2IwM1lmb0lNaytvclZS\nR3FjaE9BZUJHWGpmYXFQa2JOak4wOVUK8JWXxymc+mwD/alPB3fQIWfcxEpijbeL\n4EiOjjU4hXnaBf2GB/x2Xf4vBI06eItZKOo8j3FNa9EIsmO2hT5C8A0=\n-----END AGE ENCRYPTED FILE-----\n"
+					}
+				]
+			},
+			{
+				"hc_vault": null,
+				"age": [
+					{
+						"recipient": "age13prhyye2jy3ysa6ltnjgkrqtxrxgs0035d86jyn4ltgk3wxtqgrqgav855",
+						"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1dWRtZy9Xc05OQjV5S3N0\neVBRNnpuMzk4VnhyOTB2ZEdVZGplaWpBbkhNCnJudU5Rc3BOZnF1MDRURWVMWGs3\nektHTFFEYVlNMFhodFBpcmdtOVpyQ1EKLS0tIGtreDhpbnc0cmFhcC9HT0tzTHJr\nT01CQ3NHRDFycFh1M0JhUEF5T0VnZ00K2KjeT1Oz8uf9m0syYu/QJFZJqi1kTDwt\ns9ISBmLvQ0tV0MrdizxD8X26jrIgkBbJkrx057TNCRvn4BbHlK19NRg=\n-----END AGE ENCRYPTED FILE-----\n"
+					},
+					{
+						"recipient": "age1n20krynrj75jqfy2muvhrygvzd4ee8ngamljqavsrk033zwx0ses2tdtfe",
+						"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpbUJnZk4ydEFlMkluNFR5\nWTN0YytrTENsUE1Ya2w3ZWRwYUlvQ2h0OEJNCktrR29PbmlveUJrYlZCQjJFRG9K\nTEdKYWRSSy9kRVplZXFwTUd0QXlrWTQKLS0tIDRrWHBDR0pHdnUyVVNDdkkxUWNM\nSjdlbmw5WWxZMm5pbTlXN0RpZXBHVEEKRBCZHtcfEb8BZgop/1LtE9c3GAWl/sqs\n8W1qZ7MrALrnRjDnScs2W5Q7T3RpZqhnoE9yogVuxizNnzHz/vzpQ2o=\n-----END AGE ENCRYPTED FILE-----\n"
+					}
+				]
+			}
+		],
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2024-10-21T21:56:18Z",
+		"mac": "ENC[AES256_GCM,data:tpilWMKXq4JZuAFoxZCA25uP08I9yfHUdpUxmnFU99mfZ4/fyqVFOAhXtN03V5izJEOG8ZFMgmITAW3u5rssi9J6Ql/5EzOeufDgVV201YLQqkyQo/URMMD+durdglTTmAkdM2STFOCYItyEkhEem43x28DCYbrEi7QVJHHRNc4=,iv:FlwABxaO6eVAVJZpolaMNwHV/U2JubGzDw4MrnBr7do=,tag:VP5I6sl/aETfRZm+gjNpGg==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.0"
+	}
+}

homelab/local-hosts/druid/config/traefik/.env

@@ -0,0 +1 @@
+DOCKER_DATA=/home/admin/data/traefik

homelab/local-hosts/druid/config/traefik/config/middlewares.yaml

@@ -0,0 +1,27 @@
+http:
+  middlewares:
+    lan-only:
+      ipWhiteList:
+        sourceRange:
+          - "127.0.0.1/32"
+          - "192.168.1.1/24"
+    securityheaders:
+      headers:
+        customResponseHeaders:
+          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
+          server: ""
+        sslProxyHeaders:
+          X-Forwarded-Proto: https
+        referrerPolicy: "same-origin"
+        hostsProxyHeaders:
+          - "X-Forwarded-Host"
+        customRequestHeaders:
+          X-Forwarded-Proto: "https"
+          X-Scheme: https
+        contentTypeNosniff: true
+        browserXssFilter: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsSeconds: 63072000
+        stsPreload: true
+

homelab/local-hosts/druid/config/traefik/config/tls.yaml

@@ -0,0 +1,4 @@
+tls:
+  options:
+    tls12:
+      minVersion: VersionTLS12

homelab/local-hosts/druid/config/traefik/config/traefik_api.yaml

@@ -0,0 +1,8 @@
+http:
+  routers:
+    api:
+      rule: "Host(`traefik.jafner.tools`)"
+      entryPoints: "websecure"
+      service: "api@internal"
+      tls:
+        certResolver: "lets-encrypt"

homelab/local-hosts/druid/config/traefik/docker-compose.yml

@@ -0,0 +1,18 @@
+services:
+  traefik:
+    container_name: traefik_traefik
+    image: traefik:latest
+    restart: "no"
+    networks:
+      - web
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./traefik.yaml:/traefik.yaml
+      - ./config:/config
+      - $DOCKER_DATA/acme.json:/acme.json
+networks:
+  web:
+    external: true

homelab/local-hosts/druid/config/traefik/traefik.yaml

@@ -0,0 +1,28 @@
+entryPoints:
+  web:
+    address: :80
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+  websecure:
+    address: :443
+
+certificatesResolvers:
+  lets-encrypt:
+    acme:
+      email: jafner425@gmail.com
+      storage: acme.json
+      tlsChallenge: {}
+
+api: 
+  insecure: true
+  dashboard: true
+
+providers:
+  docker:
+    watch: true
+    network: web
+  file:
+    directory: /config

homelab/local-hosts/druid/config/uptime-kuma/.env

@@ -0,0 +1 @@
+DOCKER_DATA=/home/admin/data/uptime-kuma

homelab/local-hosts/druid/config/uptime-kuma/docker-compose.yml

@@ -0,0 +1,16 @@
+services:
+  uptime-kuma:
+    image: louislam/uptime-kuma:latest
+    container_name: uptime-kuma_uptime-kuma
+    restart: "no"
+    volumes:
+      - $DOCKER_DATA:/app/data
+      - /var/run/docker.sock:/var/run/docker.sock
+    networks:
+      - web
+    labels:
+      - traefik.http.routers.uptime-kuma.rule=Host(`uptime.jafner.tools`)
+      - traefik.http.routers.uptime-kuma.tls.certresolver=lets-encrypt
+networks:
+  web: 
+    external: true

homelab/local-hosts/druid/config/vaultwarden/.env

@@ -0,0 +1 @@
+DOCKER_DATA=/home/admin/data/vaultwarden

homelab/local-hosts/druid/config/vaultwarden/README.md

@@ -0,0 +1,2 @@
+# Admin console
+Access the admin console at https://bitwarden.jafner.tools/admin

homelab/local-hosts/druid/config/vaultwarden/docker-compose.yml

@@ -0,0 +1,20 @@
+services:
+  vaultwarden:
+    image: vaultwarden/server:latest
+    container_name: vaultwarden_vaultwarden
+    restart: "no"
+    env_file:
+      - path: ./vaultwarden_secrets.env
+        required: false
+    networks:
+      - web
+    volumes:
+      - $DOCKER_DATA/data:/data
+    labels:
+      - traefik.http.routers.vaultwarden.rule=Host(`bitwarden.jafner.tools`)
+      - traefik.http.routers.vaultwarden.tls.certresolver=lets-encrypt
+      - traefik.http.routers.vaultwarden.tls.options=tls12@file
+      - traefik.http.routers.vaultwarden.middlewares=securityheaders@file
+networks:
+  web:
+    external: true

homelab/local-hosts/druid/config/wireguard/.env

@@ -0,0 +1 @@
+DOCKER_DATA=/home/admin/data/wireguard

homelab/local-hosts/druid/config/wireguard/docker-compose.yml

@@ -0,0 +1,32 @@
+services:
+  wg-easy:
+    image: weejewel/wg-easy:latest
+    container_name: wireguard_wg-easy
+    restart: "no"
+    env_file:
+      - path: ./wireguard.env
+        required: true
+      - path: ./wireguard_secrets.env
+        required: false
+    ports:
+      - 53820:51820/udp
+    networks:
+      - web
+    volumes:
+      - ${DOCKER_DATA}/wg-easy:/etc/wireguard
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      - net.ipv4.conf.all.src_valid_mark=1
+      - net.ipv4.ip_forward=1
+    labels:
+      - traefik.http.routers.wg-easy.rule=Host(`vpn.jafner.tools`)
+      - traefik.http.routers.wg-easy.tls.certresolver=lets-encrypt
+      - traefik.http.routers.wg-easy.tls.options=tls12@file
+      - traefik.http.routers.wg-easy.middlewares=securityheaders@file
+      - traefik.http.services.wg-easy.loadbalancer.server.port=51821
+
+networks:
+  web:
+    external: true

homelab/local-hosts/druid/config/wireguard/wireguard.env

@@ -0,0 +1,3 @@
+WG_HOST=vpn.jafner.tools
+WG_PORT=53820
+WG_DEFAULT_DNS=1.1.1.1

homelab/local-hosts/druid/inxi.txt

@@ -0,0 +1,20 @@
+System:
+  Host: barbarian Kernel: 5.15.107+truenas arch: x86_64 bits: 64 Console: pty pts/1 Distro: Debian
+    GNU/Linux 11 (bullseye)
+Machine:
+  Type: Desktop Mobo: Gigabyte model: X99-SLI-CF v: x.x serial: N/A UEFI: American Megatrends
+    v: F24a date: 01/11/2018
+CPU:
+  Info: 6-core Intel Core i7-5930K [MT MCP] speed (MHz): avg: 2333 min/max: 1200/3700
+Graphics:
+  Device-1: NVIDIA GK208B [GeForce GT 710] driver: N/A
+  Display: server: No display server data found. Headless machine? tty: 177x61
+  API: N/A Message: No API data available in console. Headless machine?
+Network:
+  Device-1: Intel Ethernet I218-V driver: e1000e
+  Device-2: Mellanox MT26448 [ConnectX EN 10GigE PCIe 2.0 5GT/s] driver: mlx4_core
+Drives:
+  Local Storage: total: raw: 174.73 TiB usable: 116.17 TiB used: 55.56 TiB (47.8%)
+Info:
+  Processes: 518 Uptime: 22d 6h 2m Memory: total: 64 GiB available: 62.64 GiB
+  used: 39.08 GiB (62.4%) Init: systemd target: multi-user (3) Shell: Zsh inxi: 3.3.30