valknar/docker-compose
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
82 Commits 1 Branch 0 Tags
576036c86c94fa383f19c04943d4220ab81f4d3e
Commit Graph

12 Commits

Author SHA1 Message Date
Sebastian Krüger
576036c86c fix: add port 8080 to Traefik dashboard service 
Added loadbalancer.server.port=8080 to dashboard configuration
since the Traefik API/dashboard runs on port 8080 internally.

Also added ping endpoint for healthchecks.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-11-06 08:46:13 +01:00
Sebastian Krüger
dae4c5f5f2 fix: streamline Traefik dashboard labels with HTTP redirect 
Updated dashboard configuration to match the working pattern
from other services (Links, Scrapy, etc):

**Changes:**
- Added HTTP to HTTPS redirect middleware
- Added separate web and web-secure routers
- Renamed middleware from dashboard-auth to just auth
- Added explicit docker.network label
- Now follows the exact same pattern as Links stack

**Label Structure:**
- web router: HTTP entrypoint with redirect middleware
- web-secure router: HTTPS with TLS cert resolver and auth
- Consistent naming: proxy-web, proxy-web-secure, proxy-auth

This ensures the dashboard works the same way as all
other services in the stack.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-11-06 08:41:02 +01:00
Sebastian Krüger
d3850e559a refactor: use inline basicauth for Traefik dashboard 
Changed dashboard authentication to use inline basicauth
like Scrapy instead of external .htpasswd file:

**Changes:**
- Updated proxy labels to use basicauth.users=${PROXY_AUTH_USERS}
- Removed .htpasswd file and auth directory
- Removed dashboard-auth middleware from security.yaml
- Removed .htpasswd volume mount from compose.yaml

**Benefits:**
- Consistent with Scrapy authentication pattern
- Simpler configuration (no external files)
- Auth credentials managed centrally via .env

Dashboard accessible at: https://proxy.pivoine.art
Credentials: valknar / ragnarok98 (via PROXY_AUTH_USERS)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-11-06 08:35:43 +01:00
Sebastian Krüger
ec76db69ed feat: add Traefik dashboard at proxy.pivoine.art with basic auth 
Added secure access to Traefik dashboard:

**Dashboard Configuration:**
- Enabled Traefik API and dashboard
- Configured router for proxy.pivoine.art
- Secured with HTTP Basic Auth middleware

**Security:**
- Created .htpasswd file with bcrypt credentials
- Added dashboard-auth middleware to dynamic/security.yaml
- Mounted .htpasswd file read-only in container
- Dashboard only accessible via HTTPS with valid credentials

**Environment Updates:**
- Added PROXY_AUTH_USERS to .env (htpasswd hash)
- Added PROXY_TRAEFIK_HOST to arty.yml

Dashboard accessible at: https://proxy.pivoine.art

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-11-06 08:17:42 +01:00
Sebastian Krüger
b420f1d4bf feat: add comprehensive Traefik security hardening 
Added security enhancements to Traefik reverse proxy:

**TLS Security:**
- Minimum TLS 1.2 enforced
- Strong cipher suites (ECDHE, AES-GCM, ChaCha20)
- Modern curve preferences (P-521, P-384)
- SNI strict mode enabled

**HTTP Security Headers:**
- HSTS with 1-year max-age, includeSubdomains, and preload
- X-Frame-Options: SAMEORIGIN (clickjacking protection)
- X-XSS-Protection enabled
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy (disable camera, mic, geolocation, etc.)
- X-Robots-Tag for SEO control

**Rate Limiting Middlewares:**
- General: 100 req/s average, 50 burst
- API endpoints: 30 req/s average, 15 burst

**Configuration:**
- Enabled Traefik file provider for dynamic config
- Security headers applied globally to web-secure entrypoint
- Dynamic config in proxy/dynamic/security.yaml
- Auto-reloads on config changes

All HTTPS traffic now benefits from enhanced security headers.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-11-04 23:20:34 +01:00
Sebastian Krüger
785942da61 feat: add Scrapy, n8n, and Filestash stacks to Falcon 
Added three new service stacks to the docker-compose infrastructure:

- **Scrapy stack** (scrapy.pivoine.art):
  - scrapyd: Web scraping daemon with web interface (port 6800)
  - scrapy: Development container for spider commands
  - scrapyrt: Real-time API for running spiders (port 9080)

- **n8n stack** (n8n.pivoine.art):
  - Workflow automation platform with PostgreSQL backend
  - 200+ integrations for automated tasks
  - Runners enabled for task execution
  - Webhook support for external triggers

- **Filestash stack** (stash.pivoine.art):
  - Web-based file manager with multi-backend support
  - Supports SFTP, S3, Dropbox, Google Drive, FTP, WebDAV
  - In-browser file viewing and media playback

Infrastructure updates:
- Updated PostgreSQL init script to create n8n database
- Added environment variables to arty.yml for all three stacks
- Updated compose.yaml include list
- Updated CLAUDE.md and README.md documentation
- Normalized service names in existing stacks (gotify, proxy, umami, vpn)

All services integrated with Traefik for SSL termination and include
Watchtower auto-update labels.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-11-04 22:36:13 +01:00
Sebastian Krüger
9c8be201ad refactor: standardize service naming and migrate track to umami 
Service Naming Standardization:
- Renamed all compose service names to use consistent `{project}_app` pattern
- awsm: `awesome` → `awesome_app`
- gotify: `gotify` → `gotify_app` (also updated container_name)
- proxy: `traefik` → `traefik_app`
- vpn: `wg-easy` → `vpn_app`
- sexy: `directus` → `sexy_api`, `frontend` → `sexy_frontend`

Track to Umami Migration:
- Removed track/ directory (legacy naming)
- Created umami/ directory with updated compose.yaml
- Service now named `umami_app` following naming convention
- Configuration unchanged: PostgreSQL backend, Redis caching, Traefik routing
- Uses TRACK_* environment variables for compatibility with arty.yml

Benefits:
- Consistent naming makes service identification easier across projects
- Aligns with container_name conventions ({PROJECT}_app pattern)
- Improves docker ps readability and service management
- Umami directory name matches actual product name
 2025-10-28 22:16:38 +01:00
Sebastian Krüger
c02ac86d31 fix: awsm labels 2025-10-26 18:09:22 +01:00
Sebastian Krüger
494eecf9ee fix: awsm labels 2025-10-26 18:03:13 +01:00
Sebastian Krüger
7226417411 fix: awsm network name 2025-10-26 17:34:20 +01:00
Sebastian Krüger
b2b71c87c8 fix: network name 2025-10-26 11:05:19 +01:00
Sebastian Krüger
a371a33682 a new start 2025-10-25 13:58:11 +02:00