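version: "3.0"
#
# updated: 2023-06-05
# stack: traefik
#
# Layout notes
# - The `x-*` keys are Compose extension fields used as YAML anchors.
# - `<<:` merge keys are SHALLOW: a service that declares its own
#   `environment`, `labels`, `cap_add` or `tmpfs` replaces the whole
#   inherited mapping/list instead of extending it (for example a service
#   with its own `environment:` no longer gets TZ/PUID/PGID from x-common).
# - Values that only look like numbers or booleans (ports, uid:gid, label
#   and environment values) are quoted so every YAML loader reads them as
#   strings.
#

x-logging: &x-logging
  logging:
    driver: loki
    options:
      loki-url: "http://loki:3100/loki/api/v1/push"
      loki-retries: "5"
      loki-batch-size: "400"

x-common: &x-common
  <<: *x-logging
  # Every service below overrides this with `restart: always`.
  restart: "no"
  stop_grace_period: 5s
  stdin_open: true
  tty: true
  # Hardening baseline: unprivileged, all capabilities dropped except KILL,
  # no privilege escalation through setuid binaries. A service that sets
  # `privileged: true` (see varnish) opts out of this whole baseline.
  privileged: false
  security_opt:
    - no-new-privileges=true
  cap_drop:
    - ALL
  cap_add:
    - KILL
  dns:
    - 1.1.1.1
    - 8.8.8.8
    - 1.0.0.1
    - 8.8.4.4
  # "shareable" allows other containers to join this container's IPC
  # namespace; Docker's default ("private") is tighter when nothing needs it.
  ipc: "shareable"
  extra_hosts:
    - "template.home:192.168.0.0"
  environment:
    TZ: "Europe/Paris"
    PUID: "1000"
    PGID: "1000"
  user: "1000:1000"
  labels:
    # Label values must be strings; quoted so "true" is not parsed as a bool.
    com.centurylinklabs.watchtower.enable: "true"
    logging: "promtail"
    com.stack.name: "common"
    com.stack.service.name: "common"
  # /dev/kmsg (kernel log ring buffer) is handed to every service through
  # this fragment; NOTE(review): confirm each service actually needs it.
  devices:
    - /dev/kmsg:/dev/kmsg
  deploy:
    restart_policy:
      delay: 5s
      max_attempts: 3
      window: 120s
    resources:
      limits:
        cpus: "0.50"
        memory: 256M
  ulimits:
    nproc: 65535
    nofile:
      soft: 20000
      hard: 40000
  # Services that need a bigger /tmp override this list entirely (shallow
  # merge); the traefik/modsecurity overrides keep noexec,nosuid, varnish's
  # does not.
  tmpfs:
    - /tmp:rw,noexec,nosuid,size=64k
  sysctls:
    net.core.somaxconn: 1024
    # tcp_syncookies=0 disables SYN-flood protection inside the container's
    # network namespace; the kernel default (1) is the safer value for
    # internet-facing services.
    net.ipv4.tcp_syncookies: 0

x-volume-timezone: &x-volume-timezone "/etc/timezone:/etc/timezone:ro"
x-volume-localtime: &x-volume-localtime "/etc/localtime:/etc/localtime:ro"
# Mounting the Docker socket gives the container full control of the Docker
# daemon (root-equivalent on the host). The ":ro"/":rw" mount flag does not
# restrict API calls made over the socket; a socket proxy that allow-lists
# endpoints is the usual way to narrow this for traefik and crowdsec.
x-volume-docker-socket: &x-volume-docker-socket "/var/run/docker.sock:/var/run/docker.sock:rw"
x-volume-cgroups: &x-volume-cgroups "/proc/cgroups:/cgroup:rw"
x-volume-ssl: &x-volume-ssl "/opt/docker/ssl:/ssl:ro"

networks:
  proxy:
    external: true

# Supply-chain note: most images below use the floating `latest` tag, so
# `docker compose pull` can silently change what runs; pinning a version
# (or an image digest) makes deployments reproducible and reviewable.
services:
  varnish:
    <<: *x-common
    user: "0:0"
    # `privileged: true` makes the cap_drop/cap_add lists and
    # no-new-privileges inherited above irrelevant: a privileged container
    # has every capability, all host devices and no seccomp/AppArmor
    # confinement. NOTE(review): varnish normally only needs to bind its
    # listen port and write its work directory; confirm this is required
    # before keeping it.
    privileged: true
    cap_add:
      - DAC_OVERRIDE
      - SETUID
      - SETGID
      - CHOWN
      - NET_ADMIN
      - NET_RAW
      - IPC_LOCK
      - MKNOD
      - NET_BIND_SERVICE
      - NET_BROADCAST
      - SYS_ADMIN
      - FSETID
      - SETFCAP
      - SETPCAP
      - SYS_CHROOT
    container_name: varnish
    hostname: varnish
    image: varnish:latest
    restart: always
    networks:
      - proxy
    ports:
      - "8443:80"
      - "9131:9131"
    expose:
      - "80"
      - "9131"
    command: "-s default,1G -n /tmp/varnish -p tcp_fastopen=on -p gzip_level=9 -p feature=+http2 -p thread_pools=8 -p thread_pool_min=128 -p thread_pool_max=1000"
    # Replaces the x-common environment (shallow merge): TZ/PUID/PGID are
    # not inherited here.
    environment:
      VARNISH_SIZE: "1G"
      VARNISH_HTTP_PORT: "80"
      VARNISH_PROXY_PORT: "8443"
    labels:
      com.stack.name: "traefik"
      com.stack.service.name: "varnish"
    deploy:
      resources:
        limits:
          cpus: "4.0"
          memory: 1G
    # This /tmp drops the noexec,nosuid flags of the baseline; the varnish
    # work directory (-n /tmp/varnish) is a bind mount, so those flags would
    # not apply to it anyway.
    tmpfs:
      - /tmp:rw,size=512M
    volumes:
      - *x-volume-timezone
      - *x-volume-localtime
      - /opt/docker/traefik/conf/varnish.vcl:/etc/varnish/default.vcl:ro
      - /mnt/varnish:/var/lib/varnish
      - /mnt/varnish:/tmp/varnish

  traefik:
    <<: *x-common
    user: "0:0"
    cap_add:
      - DAC_OVERRIDE
      - CHOWN
    container_name: traefik
    hostname: traefik
    image: traefik:3.0
    restart: always
    depends_on:
      - varnish
    networks:
      - proxy
    ports:
      - "80:80"
      - "443:443/tcp"
      - "443:443/udp"
      - "6082:6082"
    expose:
      - "80"
      - "443"
      - "6082"
    environment:
      TZ: "Europe/Paris"
      # Quoted: an unquoted `[cloudflareemail]` is parsed by YAML as a
      # one-element list, not a string, and is rejected as an env value.
      CF_API_EMAIL: "[cloudflareemail]"
      # CF_API_KEY is the account-wide Global API Key. The commented-out
      # CF_DNS_API_TOKEN is the scoped alternative (DNS zone edit only) and
      # limits the blast radius if this file or the container leaks it.
      # Either way, prefer injecting the value from an env file or a secret
      # store rather than committing it in the compose file.
      #CF_DNS_API_TOKEN: "[cloudflare api token]"
      CF_API_KEY: "[cloudflare api key]"
    labels:
      com.stack.name: "traefik"
      com.stack.service.name: "traefik"
    deploy:
      resources:
        limits:
          cpus: "4.0"
          memory: 1G
    tmpfs:
      - /tmp:rw,noexec,nosuid,size=512M
    volumes:
      - *x-volume-timezone
      - *x-volume-localtime
      - *x-volume-docker-socket
      - *x-volume-cgroups
      - *x-volume-ssl
      - /opt/docker/traefik/conf/traefik.yml:/traefik.yml:ro
      - /opt/docker/traefik/conf/config.yml:/config.yml:ro
      # Holds the ACME private keys and certificates; keep host permissions
      # at 0600.
      - /opt/docker/traefik/datas/acme.json:/acme.json
      - /opt/docker/traefik/datas/log/:/var/log/traefik/

  crowdsec:
    <<: *x-common
    user: "0:0"
    cap_add:
      - DAC_OVERRIDE
      - CHOWN
    container_name: crowdsec
    hostname: crowdsec
    image: crowdsecurity/crowdsec:latest
    restart: always
    depends_on:
      - traefik
    networks:
      - proxy
    # Publishes the local API (container 8080) on host port 8081 and the
    # metrics endpoint on 6060. The bouncer reaches the LAPI over the
    # `proxy` network, so the host publication is only needed for external
    # agents/bouncers; otherwise `expose` alone is enough.
    ports:
      - "8081:8080"
      - "6060:6060"
    expose:
      - "8080"
      - "6060"
    environment:
      GID: "1000"
      COLLECTIONS: "crowdsecurity/linux crowdsecurity/traefik"
    labels:
      com.stack.name: "traefik"
      com.stack.service.name: "crowdsec"
    volumes:
      - *x-volume-timezone
      - *x-volume-localtime
      - *x-volume-docker-socket
      - *x-volume-cgroups
      - /opt/docker/traefik/conf/acquis.yml:/etc/crowdsec/acquis.yaml:ro
      - /opt/docker/traefik/conf/crowdsec/:/etc/crowdsec/acquis.d/:ro
      - /opt/docker/traefik/datas/crowdsec/db:/var/lib/crowdsec/data
      - /opt/docker/traefik/datas/log/:/var/log/traefik/:ro

  crowdsec-bouncer:
    <<: *x-common
    container_name: crowdsec-bouncer
    hostname: crowdsec-bouncer
    image: fbonalair/traefik-crowdsec-bouncer:latest
    restart: always
    depends_on:
      - crowdsec
    networks:
      - proxy
    ports:
      - "8082:8080"
    expose:
      - "8080"
    environment:
      PORT: "8080"
      GIN_MODE: "release"
      # Quoted: unquoted `[crowdsec bouncer api key]` parses as a YAML list.
      # Inject the real key from an env file / secret rather than committing it.
      CROWDSEC_BOUNCER_API_KEY: "[crowdsec bouncer api key]"
      # The bouncer talks to crowdsec over the `proxy` network, where the
      # LAPI listens on the container port 8080 (see crowdsec `expose`);
      # 8081 is only the host-published port and is not reachable by name.
      CROWDSEC_AGENT_HOST: "crowdsec:8080"
      CROWDSEC_BOUNCER_SCHEME: "http"
    labels:
      com.stack.name: "traefik"
      com.stack.service.name: "bouncer"
    volumes:
      - *x-volume-timezone
      - *x-volume-localtime

  fail2ban:
    <<: *x-common
    user: "0:0"
    cap_add:
      - NET_ADMIN
      - NET_RAW
      - SETGID
    container_name: fail2ban
    hostname: fail2ban
    image: crazymax/fail2ban:latest
    restart: always
    depends_on:
      - traefik
    # NOTE(review): attached to the bridge network `proxy`, fail2ban's
    # iptables rules only apply inside its own network namespace and do not
    # filter traffic reaching traefik on the host; the image documents
    # `network_mode: host` for that. Confirm the bans are effective.
    networks:
      - proxy
    environment:
      F2B_DB_PURGE_AGE: "14d"
    labels:
      com.stack.name: "traefik"
      com.stack.service.name: "fail2ban"
    deploy:
      resources:
        limits:
          cpus: "4.0"
          memory: 1G
    volumes:
      - *x-volume-timezone
      - *x-volume-localtime
      - /opt/docker/traefik/datas/f2b:/data
      - /opt/docker/traefik/datas/log:/var/log/traefik:ro

  whoami:
    <<: *x-common
    container_name: whoami
    hostname: whoami
    # containous/whoami is the legacy image name; traefik/whoami is the
    # maintained one.
    image: containous/whoami:latest
    restart: always
    networks:
      - proxy
    labels:
      com.stack.name: "traefik"
      com.stack.service.name: "whoami"
    deploy:
      resources:
        limits:
          cpus: "4.0"
          memory: 1G
    volumes:
      - *x-volume-timezone
      - *x-volume-localtime

  modsecurity:
    <<: *x-common
    user: "0:0"
    cap_add:
      - DAC_OVERRIDE
      - SETUID
      - SETGID
      - CHOWN
    container_name: modsecurity
    hostname: modsecurity
    image: owasp/modsecurity-crs:apache
    restart: always
    depends_on:
      - whoami
      - traefik
    networks:
      - proxy
    ports:
      - "2080:80"
    expose:
      - "80"
    environment:
      PARANOIA: "1"
      # CRS defaults are 5 (inbound) / 4 (outbound); raising the inbound
      # threshold to 10 makes the WAF more permissive.
      ANOMALY_INBOUND: "10"
      ANOMALY_OUTBOUND: "5"
      BACKEND: "http://whoami"
      LOGLEVEL: "error"
      # 1 GiB request bodies may be buffered for inspection (ModSecurity's
      # default is 13107200 bytes); this is a memory/disk DoS surface unless
      # such uploads are genuinely expected.
      MODSEC_REQ_BODY_LIMIT: "1073741824"
      MODSEC_REQ_BODY_NOFILES_LIMIT: "1073741824"
      SERVER_ADMIN: "tech@domain.com"
      MODSEC_AUDIT_LOG_FORMAT: "Native"
      MODSEC_AUDIT_LOG_TYPE: "Concurrent"
      MODSEC_AUDIT_STORAGE: "/audit"
    labels:
      com.stack.name: "traefik"
      com.stack.service.name: "modsecurity"
    deploy:
      resources:
        limits:
          cpus: "4.0"
          memory: 1G
    tmpfs:
      - /tmp:rw,noexec,nosuid,size=512M
    volumes:
      - *x-volume-timezone
      - *x-volume-localtime
      - /opt/docker/traefik/conf/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf:/etc/modsecurity.d/owasp-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
      - /opt/docker/traefik/datas/modsecurity:/audit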