chore: change uptime kuma and add healthchecks.io

coodyme · Jan 21, 2024 · 3db4ea3 · 3db4ea3
1 parent 1d6eaee
commit 3db4ea3
Show file tree

Hide file tree

Showing 7 changed files with 157 additions and 2 deletions.
diff --git a/docker/cloudflared/.env.example b/docker/cloudflared/.env.example
@@ -1 +1 @@
-TOKEN=
+TOKEN=
diff --git a/docker/cloudflared/docker-compose.yml b/docker/cloudflared/docker-compose.yml
@@ -6,5 +6,5 @@ services:
     restart: unless-stopped
     command: tunnel run
     environment:
-      - TUNNEL_TOKEN=${TOKEN}
+      - TUNNEL_TOKEN=$TOKEN
     network_mode: 'bridge'
diff --git a/docker/passbolt/.env.example b/docker/passbolt/.env.example
@@ -0,0 +1,17 @@
+# MariaDB
+MYSQL_DATABASE=passbolt
+MYSQL_USER=passbolt
+MYSQL_PASSWORD=
+
+# Passbolt
+APP_FULL_BASE_URL=
+DATASOURCES_DEFAULT_HOST=
+DATASOURCES_DEFAULT_USERNAME=
+DATASOURCES_DEFAULT_PASSWORD=
+DATASOURCES_DEFAULT_DATABASE=
+EMAIL_TRANSPORT_DEFAULT_HOST=
+EMAIL_TRANSPORT_DEFAULT_PORT=
+EMAIL_TRANSPORT_DEFAULT_USERNAME=
+EMAIL_TRANSPORT_DEFAULT_PASSWORD=
+EMAIL_TRANSPORT_DEFAULT_TLS=
+EMAIL_DEFAULT_FROM=
diff --git a/docker/passbolt/conf/headers.conf b/docker/passbolt/conf/headers.conf
@@ -0,0 +1,20 @@
+http:
+  middlewares:
+    SslHeader:
+      headers:
+        FrameDeny: true
+        AccessControlAllowMethods: 'GET,OPTIONS,PUT'
+        AccessControlAllowOriginList:
+          - origin-list-or-null
+        AccessControlMaxAge: 100
+        AddVaryHeader: true
+        BrowserXssFilter: true
+        ContentTypeNosniff: true
+        ForceSTSHeader: true
+        STSIncludeSubdomains: true
+        STSPreload: true
+        ContentSecurityPolicy: default-src 'self' 'unsafe-inline'
+        CustomFrameOptionsValue: SAMEORIGIN
+        ReferrerPolicy: same-origin
+        PermissionsPolicy: vibrate 'self'
+        STSSeconds: 315360000
diff --git a/docker/passbolt/conf/tls.conf b/docker/passbolt/conf/tls.conf
@@ -0,0 +1,12 @@
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+      sniStrict: true
+      curvePreferences:
+        - CurveP521
+        - CurveP384
+      cipherSuites:
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
diff --git a/docker/passbolt/docker-compose.yml b/docker/passbolt/docker-compose.yml
@@ -0,0 +1,65 @@
+version: '3.9'
+
+services:
+  db:
+    image: mariadb:10.3
+    restart: unless-stopped
+    environment:
+      - MYSQL_RANDOM_ROOT_PASSWORD=true
+      - MYSQL_DATABASE=$MYSQL_DATABASE
+      - MYSQL_USER=$MYSQL_USER
+      - MYSQL_PASSWORD=$MYSQL_PASSWORD
+    volumes:
+      - mariadb_volume:/var/lib/mysql
+
+  passbolt:
+    image: passbolt/passbolt:latest-ce
+    restart: unless-stopped
+    depends_on:
+      - db
+    environment:
+      - APP_FULL_BASE_URL=$APP_FULL_BASE_URL
+      - DATASOURCES_DEFAULT_HOST=$DATASOURCES_DEFAULT_HOST
+      - DATASOURCES_DEFAULT_USERNAME=$DATASOURCES_DEFAULT_USERNAME
+      - DATASOURCES_DEFAULT_PASSWORD=$DATASOURCES_DEFAULT_PASSWORD
+      - DATASOURCES_DEFAULT_DATABASE=$DATASOURCES_DEFAULT_DATABASE
+      - EMAIL_TRANSPORT_DEFAULT_HOST=$EMAIL_TRANSPORT_DEFAULT_HOST
+      - EMAIL_TRANSPORT_DEFAULT_PORT=$EMAIL_TRANSPORT_DEFAULT_PORT
+      - EMAIL_TRANSPORT_DEFAULT_USERNAME=$EMAIL_TRANSPORT_DEFAULT_USERNAME
+      - EMAIL_TRANSPORT_DEFAULT_PASSWORD=$EMAIL_TRANSPORT_DEFAULT_PASSWORD
+      - EMAIL_TRANSPORT_DEFAULT_TLS=true
+      - EMAIL_DEFAULT_FROM=$EMAIL_DEFAULT_FROM
+    volumes:
+      - gpg_volume:/etc/passbolt/gpg
+      - jwt_volume:/etc/passbolt/jwt
+    command: ["/usr/bin/wait-for.sh", "-t", "0", "db:3306", "--", "/docker-entrypoint.sh"]
+    labels:
+      traefik.enable: "true"
+      traefik.http.routers.passbolt-http.entrypoints: "web"
+      traefik.http.routers.passbolt-http.rule: "Host(`passbolt.coody.me`)"
+      traefik.http.routers.passbolt-http.middlewares: "SslHeader@file"
+      traefik.http.routers.passbolt-https.middlewares: "SslHeader@file"
+      traefik.http.routers.passbolt-https.entrypoints: "websecure"
+      traefik.http.routers.passbolt-https.rule: "Host(`passbolt.coody.me`)"
+      traefik.http.routers.passbolt-https.tls: "true"
+      traefik.http.routers.passbolt-https.tls.certresolver: "cloudflare"
+
+  traefik:
+    image: traefik:2.6
+    restart: always
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./traefik.yaml:/traefik.yaml:ro
+      - ./conf/:/etc/traefik/conf
+      - ./shared/:/shared
+    environment:
+      - CF_API_EMAIL=$CF_API_EMAIL
+      - CF_API_KEY=$CF_API_KEY
+
+volumes:
+  mariadb_volume:
+  gpg_volume:
+  jwt_volume:
diff --git a/docker/passbolt/traefik.yml b/docker/passbolt/traefik.yml
@@ -0,0 +1,41 @@
+global:
+  sendAnonymousUsage: false
+log:
+  level: INFO
+  format: common
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    watch: true
+    exposedByDefault: false
+    swarmMode: false
+  file:
+    directory: /etc/traefik/conf/
+    watch: true
+api:
+  dashboard: false
+  debug: false
+  insecure: false
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+          permanent: true
+  websecure:
+    address: ":443"
+certificatesResolvers:
+  cloudflare:
+    acme:
+      email: augusto@coody.me
+      storage: /shared/acme.json
+      caServer: "https://acme-v02.api.letsencrypt.org/directory"
+      keyType: EC256
+      dnsChallenge:
+        provider: cloudflare
+        resolvers:
+          - "1.1.1.1:53"
+          - "8.8.8.8:53"