d3850e559a
refactor: use inline basicauth for Traefik dashboard
Changed dashboard authentication to use inline basicauth
like Scrapy instead of external .htpasswd file:
**Changes:**
- Updated proxy labels to use basicauth.users=${PROXY_AUTH_USERS}
- Removed .htpasswd file and auth directory
- Removed dashboard-auth middleware from security.yaml
- Removed .htpasswd volume mount from compose.yaml
**Benefits:**
- Consistent with Scrapy authentication pattern
- Simpler configuration (no external files)
- Auth credentials managed centrally via .env
Dashboard accessible at: https://proxy.pivoine.art
Credentials: valknar / ragnarok98 (via PROXY_AUTH_USERS)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-06 08:35:43 +01:00
ec76db69ed
feat: add Traefik dashboard at proxy.pivoine.art with basic auth
Added secure access to Traefik dashboard:
**Dashboard Configuration:**
- Enabled Traefik API and dashboard
- Configured router for proxy.pivoine.art
- Secured with HTTP Basic Auth middleware
**Security:**
- Created .htpasswd file with bcrypt credentials
- Added dashboard-auth middleware to dynamic/security.yaml
- Mounted .htpasswd file read-only in container
- Dashboard only accessible via HTTPS with valid credentials
**Environment Updates:**
- Added PROXY_AUTH_USERS to .env (htpasswd hash)
- Added PROXY_TRAEFIK_HOST to arty.yml
Dashboard accessible at: https://proxy.pivoine.art
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-06 08:17:42 +01:00
b420f1d4bf
feat: add comprehensive Traefik security hardening
Added security enhancements to Traefik reverse proxy:
**TLS Security:**
- Minimum TLS 1.2 enforced
- Strong cipher suites (ECDHE, AES-GCM, ChaCha20)
- Modern curve preferences (P-521, P-384)
- SNI strict mode enabled
**HTTP Security Headers:**
- HSTS with 1-year max-age, includeSubdomains, and preload
- X-Frame-Options: SAMEORIGIN (clickjacking protection)
- X-XSS-Protection enabled
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy (disable camera, mic, geolocation, etc.)
- X-Robots-Tag for SEO control
**Rate Limiting Middlewares:**
- General: 100 req/s average, 50 burst
- API endpoints: 30 req/s average, 15 burst
**Configuration:**
- Enabled Traefik file provider for dynamic config
- Security headers applied globally to web-secure entrypoint
- Dynamic config in proxy/dynamic/security.yaml
- Auto-reloads on config changes
All HTTPS traffic now benefits from enhanced security headers.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-04 23:20:34 +01:00
785942da61
feat: add Scrapy, n8n, and Filestash stacks to Falcon
Added three new service stacks to the docker-compose infrastructure:
- **Scrapy stack** (scrapy.pivoine.art):
  - scrapyd: Web scraping daemon with web interface (port 6800)
  - scrapy: Development container for spider commands
  - scrapyrt: Real-time API for running spiders (port 9080)
- **n8n stack** (n8n.pivoine.art):
  - Workflow automation platform with PostgreSQL backend
  - 200+ integrations for automated tasks
  - Runners enabled for task execution
  - Webhook support for external triggers
- **Filestash stack** (stash.pivoine.art):
  - Web-based file manager with multi-backend support
  - Supports SFTP, S3, Dropbox, Google Drive, FTP, WebDAV
  - In-browser file viewing and media playback
Infrastructure updates:
- Updated PostgreSQL init script to create n8n database
- Added environment variables to arty.yml for all three stacks
- Updated compose.yaml include list
- Updated CLAUDE.md and README.md documentation
- Normalized service names in existing stacks (gotify, proxy, umami, vpn)
All services integrated with Traefik for SSL termination and include
Watchtower auto-update labels.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-04 22:36:13 +01:00
9c8be201ad
refactor: standardize service naming and migrate track to umami
Service Naming Standardization:
- Renamed all compose service names to use consistent `{project}_app` pattern
  - awsm: `awesome` → `awesome_app`
  - gotify: `gotify` → `gotify_app` (also updated container_name)
  - proxy: `traefik` → `traefik_app`
  - vpn: `wg-easy` → `vpn_app`
  - sexy: `directus` → `sexy_api`, `frontend` → `sexy_frontend`
Track to Umami Migration:
- Removed track/ directory (legacy naming)
- Created umami/ directory with updated compose.yaml
- Service now named `umami_app` following naming convention
- Configuration unchanged: PostgreSQL backend, Redis caching, Traefik routing
- Uses TRACK_* environment variables for compatibility with arty.yml
Benefits:
- Consistent naming makes service identification easier across projects
- Aligns with container_name conventions ({PROJECT}_app pattern)
- Improves docker ps readability and service management
- Umami directory name matches actual product name
2025-10-28 22:16:38 +01:00
c02ac86d31
fix: awsm labels
2025-10-26 18:09:22 +01:00
494eecf9ee
fix: awsm labels
2025-10-26 18:03:13 +01:00
7226417411
fix: awsm network name
2025-10-26 17:34:20 +01:00
b2b71c87c8
fix: network name
2025-10-26 11:05:19 +01:00
a371a33682
a new start
2025-10-25 13:58:11 +02:00