Commit 18188ffb authored by kaiyou's avatar kaiyou

Add structure to the apps, core and user projects

parent a23c4191
version: '2.1'
services:
db:
image: mariadb
volumes:
- ./data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD
- MYSQL_DATABASE
- MYSQL_USER
- MYSQL_PASSWORD
nextcloud:
image: nextcloud:13
labels:
- traefik.enable=true
- traefik.frontend.rule=Host:${hostname}
- traefik.port=80
volumes:
- ./conf:/var/www/html/config
- ./files:/data
- ./apps:/var/www/html/apps
networks:
default:
enable_ipv6: true
driver: bridge
ipam:
driver: default
config:
- subnet: "${prefix}/64"
gateway: "${prefix}1"
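Review bot: `image: mariadb` on L9 floats on the `latest` tag while the application image is pinned to `nextcloud:13` on L18; a routine `docker-compose pull` can then move the database across a major version on top of the persistent `./data` volume (L11), which is the kind of upgrade you want to make deliberately rather than by accident. Pin it to a major tag the way nextcloud is, e.g. `image: mariadb:10`. The other compose file in this commit sets `restart: always` on every service, which this one omits on both `db` and `nextcloud` — presumably an oversight rather than intent, worth aligning so both projects come back after a host reboot.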
#!/usr/sbin/nft -f
{% set nets = [] %}
{% set ip4 = [] %}
{% set ip6 = [] %}
{% for network in networks %}
{% set i = (network['Name'], "br-" + network['Id'][:12], network["IPAM"]["Config"], network["Labels"]) %}
{% set r = (nets.append(i) if (network['Driver'] == 'bridge' and network['Attachable'] == True) else 0) %}
{% endfor %}
{% for container in containers %}
{% for dspec, sspecs in container['HostConfig']['PortBindings'].items() %}
{% set dport, proto = dspec.split('/') %}
{% for sspec in sspecs %}
{% set saddr, sport = sspec['HostIp'], sspec['HostPort'] %}
{% set network = container['NetworkSettings']['Networks'].values().__iter__().__next__() %}
{% set i = (saddr, sport, proto, dport, network) %}
{% set r = (ip4.append(i) if ':' not in saddr else 0), (ip6.append(i) if '.' not in saddr else 0) %}
{% endfor %}
{% endfor %}
{% endfor %}
flush ruleset
table inet filter {
chain common {
ct state invalid counter log drop
ct state {established, related} accept
meta iifname "lo" accept
meta oifname "lo" accept
ip6 nexthdr icmpv6 accept
}
chain input {
type filter hook input priority 0;
jump common
# allow ssh
ip daddr {{ utils.environ("ADMIN_IPV4") }} tcp dport 22 counter accept
ip6 daddr {{ utils.environ("ADMIN_IPV6") }} tcp dport 22 counter accept
# allow dhcpv6
udp dport 546 counter accept
# ipsec
udp dport {500,4500} counter accept
ip6 nexthdr {ah, esp} counter accept
counter drop
}
chain output {
type filter hook output priority 0;
jump common
# allow dhcpv6
udp dport 547 counter accept
# ipsec
udp sport {500,4500} counter accept
ip6 nexthdr {ah, esp} counter accept
# setup and upgrade
tcp dport {22,80,443} counter accept
# ntp, dns
udp dport {53,123} counter accept
# logs
ip6 daddr {{ utils.environ("LOGS_IPV6") }} udp dport 12201 accept
# nated traffic
meta mark 1 counter accept
counter drop
}
chain forward {
type filter hook forward priority 0;
jump common
# container to internet and other hosts, project internal connections
{% for name, bridge, prefixes, labels in nets %}
iif "{{ bridge }}" oif "{{ utils.environ("PUBLIC_IFACE") }}" accept
iif "{{ bridge }}" oif "{{ utils.environ("COMMON_IFACE") }}" accept
iif "{{ bridge }}" oif "{{ bridge }}" accept
{% endfor %}
# nated traffic
meta mark 1 counter accept
counter drop
}
}
table ip nat {
chain services {
{% for saddr, sport, proto, dport, network in ip4 %}
ip daddr {{ saddr }} {{ proto }} dport {{ sport }} meta mark set 1 counter dnat {{ network["IPAddress"] }}:{{ dport }}
{% endfor %}
counter
}
chain prerouting {
type nat hook prerouting priority 0;
jump services
}
chain postrouting {
type nat hook postrouting priority 0;
# declared nat
# nat outgoing ipv4 traffic
{% for name, bridge, prefixes, labels in nets %}
{% for prefix in prefixes %}{% if "." in prefix["Subnet"] %}
ip saddr {{ prefix["Subnet"] }} oif "{{ utils.environ("PUBLIC_IFACE") }}" counter snat {{ labels.get("snat4", utils.environ("SNAT4")) }}
{% endif %}{% endfor %}
{% endfor %}
}
chain output {
type nat hook output priority 0;
jump services
}
chain input {
type nat hook input priority 0;
}
}
table ip6 nat {
chain services {
{% for saddr, sport, proto, dport, network in ip6 %}
ip6 daddr {{ saddr }} {{ proto }} dport {{ sport }} meta mark set 1 counter dnat to [{{ network["GlobalIPv6Address"] }}]:{{ dport }}
{% endfor %}
}
chain prerouting {
type nat hook prerouting priority 0;
jump services
}
chain postrouting {
type nat hook postrouting priority 0;
# declared nat
# nat outgoing ipv6 traffic
{% for name, bridge, prefixes, labels in nets %}
{% for prefix in prefixes %}{% if ":" in prefix["Subnet"] %}
ip6 saddr {{ prefix["Subnet"] }} oif "{{ utils.environ("PUBLIC_IFACE") }}" counter snat {{ labels.get("snat6", utils.environ("SNAT6")) }}
{% endif %}{% endfor %}
{% endfor %}
}
chain output {
type nat hook output priority 0;
jump services
}
chain input {
type nat hook input priority 0;
}
}
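Review bot: A port binding whose `HostIp` is empty or a wildcard (`0.0.0.0` / `::`) is not handled by the classification on L48–L51: an empty string contains neither `:` nor `.`, so the same binding is appended to both `ip4` and `ip6`, and the services chains then render `ip daddr  tcp dport …` (L112/L141), which `nft -f` rejects as a syntax error, while `0.0.0.0` renders a rule that can never match, so the service is silently left without a DNAT rule. Because the file opens with `flush ruleset` (L55) and nft applies `-f` as one batch, a parse error at least leaves the previous ruleset in place, but the operator gets no hint which binding broke the render. I would guard the append, e.g. wrap L50–L51 in `{% if saddr and saddr not in ('0.0.0.0', '::') %} … {% endif %}`, and, if wildcard bindings are meant to be supported, emit them without the `daddr` match instead. Both compose files in this commit bind to an explicit `${ipv4}` so this is latent today rather than triggered.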
version: '2'
services:
db:
restart: always
image: mariadb:latest
volumes:
- ./data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD
- MYSQL_DATABASE
- MYSQL_USER
- MYSQL_PASSWORD
dns:
restart: always
image: tedomum/pdns
labels:
- traefik.enable=true
- traefik.frontend.rule=Host:dns0.tedomum.net
- traefik.frontend.contentSecurityPolicy=default-src 'self'; style-src 'self' 'unsafe-inline'
- traefik.port=8081
ports:
- "${ipv4}:53:53/udp"
- "${ipv4}:53:53"
networks:
default:
ipv6_address: ${ipv6}
command: |
--launch=gmysql
--local-ipv6=::
--allow-axfr-ips=${AXFR}
--webserver-address=0.0.0.0
--gmysql-host=dns_db_1
--gmysql-user=${MYSQL_USER}
--gmysql-password=${MYSQL_PASSWORD}
--gmysql-dbname=${MYSQL_DATABASE}
--gmysql-innodb-read-committed=no
--api=yes
--api-key=${PDNSADMIN_API_KEY}
--default-soa-edit-signed=INCEPTION-INCREMENT
--default-soa-edit=INCEPTION-INCREMENT
--default-soa-name=dns0.tedomum.net.
--default-soa-mail=admin.tedomum.net.
admin:
restart: always
image: tedomum/pdnsadmin
labels:
- traefik.enable=true
- traefik.frontend.rule=Host:dns.tedomum.net
- traefik.port=8000
volumes:
- ./admin:/data
environment:
- PDNSADMIN_SECRET_KEY
- PDNSADMIN_SERVER=https://dns0.tedomum.net
- PDNSADMIN_API_KEY
- PDNSADMIN_VERSION=4.0.3
networks:
default:
external:
name: main
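Review bot: The `db` service has no `networks:` override, so it joins the project default network, which L222–225 maps to the external `main` network; MariaDB on `dns_db_1:3306` is therefore reachable from every container attached to `main`, not just `dns`, and the nft forward chain in this commit accepts all intra-bridge traffic (L102), so nothing on the host narrows that. Give the database a project-internal network and attach only `dns` to it, as sketched below; the nextcloud compose file in this commit already keeps its db on a per-project network. Two caveats to confirm: the nft template DNATs to the first network of a container (L49), so once `dns` sits on two networks the template must select the `main` endpoint explicitly or the 53/udp and 53/tcp rules may point at the wrong address; and the template only grants forwarding to attachable bridges (L42), so the new network gets no egress, which is fine for a database but should be intentional. Separately, `--gmysql-password` and `--api-key` on L199/L203 land in the container's argv and in `docker inspect` output; if the image supports a config file or environment-based settings, that keeps them out of process listings.
```yaml
services:
  db:
    # … unchanged: restart, image, volumes, environment …
    networks:
      - backend
  dns:
    # … unchanged: restart, image, labels, ports, command …
    networks:
      default:
        ipv6_address: ${ipv6}
      backend: {}
# … unchanged: admin service …
networks:
  default:
    external:
      name: main
  backend:
    internal: true
```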