Refactor docker-compose.yml to update dozzle service configuration

.env.example

@@ -5,7 +5,8 @@ LOG_LEVEL="INFO"
 NETWORK="web"
 TZ="Asia/Singapore"
 ## dashboard configs
-HOST="furyhawk.lol"
+HOST="localhost"
+DOMAINNAME="furyhawk.lol"
 HOSTNAME="node00"
 DATADIR="/home/furyhawk/media"
 # subdomain for dashboard.

compose/base.yml

@@ -1,7 +1,8 @@
 x-environment: &default-environment
-  LOG_LEVEL: "INFO"
+  LOG_LEVEL: "ERROR"
   ACME_PATH: "./acme.json"
   NETWORK: "${NETWORK:-host}"
+  TZ: "${TZ:-Asia/Singapore}"
   FIN_LOCATION: ""
   STREAMLIT_FIN_SERVER_PORT: "8501"
   GROQ_API_KEY: "${GROQ_API_KEY}"
@@ -19,6 +20,10 @@ services:
     image: portainer/portainer-ce:sts
     command: -H unix:///var/run/docker.sock
     container_name: portainer
+    security_opt:
+      - no-new-privileges:true
+    environment:
+      - TZ="${TZ:-Asia/Singapore}"
     restart: always
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
@@ -37,6 +42,8 @@ services:
       dockerfile: ./traefik/Dockerfile
     image: traefik_production
     container_name: traefik
+    security_opt:
+      - no-new-privileges:true
     restart: always
     volumes:
       - logs:/logs
@@ -45,8 +52,14 @@ services:
     extra_hosts:
     - "host.docker.internal:host-gateway"
     ports:
-      - "80:80"
+      - target: 80
-      - "443:443"
+        published: 80
+        protocol: tcp
+        mode: host
+      - target: 443
+        published: 443
+        protocol: tcp
+        mode: host
       - "7687:7687"
       - "8083:8083"
       - "8084:8084"
@@ -55,4 +68,11 @@ services:
       # - "1883:1883"
       # - 18083:18083
     networks:
-      - net
+      - net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik.entrypoints=web-secure"
+      - "traefik.http.routers.traefik.rule=Host(`dashboard.${DOMAINNAME}`)"
+      - "traefik.http.routers.traefik.middlewares=auth"
+      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.traefik.service=api@internal"

compose/traefik/traefik.yml

@@ -94,7 +94,7 @@ http:
     dashboard:
       entryPoints:
         - web-secure
-      rule: "Host(`dashboard.furyhawk.lol`) && PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
+      rule: "Host(`dashboard.furyhawk.lol`)"
       middlewares:
         - auth
       tls:
@@ -456,6 +456,12 @@ http:
         replacement: https://${1}
         permanent: true
 
+    rate-limit:
+      rateLimit:
+        average: 384
+        burst: 64
+        period: 10s
+
     # redirect to resume
     redirect-resume:
       redirectRegex:
@@ -475,6 +481,27 @@ http:
       stripprefix:
         prefixes:
           - "/neo4j"
+    secure-headers:
+      headers:
+        accessControlAllowMethods:
+          - GET
+          - OPTIONS
+          - PUT
+        accessControlMaxAge: 100
+        hostsProxyHeaders:
+          - "X-Forwarded-Host"
+        stsSeconds: 63072000
+        stsIncludeSubdomains: true
+        stsPreload: true
+        # forceSTSHeader: true # This is a good thing but it can be tricky. Enable after everything works.
+        customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+        contentTypeNosniff: true
+        browserXssFilter: true
+        referrerPolicy: "same-origin"
+        permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()"
+        customResponseHeaders:
+          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex," # disable search engines from indexing home server
+          server: "" # hide server info from visitors
 
   services:
     portainer_service:

test/core.yml

@@ -2,8 +2,15 @@ services:
   reverse-proxy:
     image: traefik:latest
     ports:
-      - "80:80"
+      - target: 80
-      - "8080:8080"
+        published: 80
+        protocol: tcp
+        mode: host
+      - target: 443
+        published: 443
+        protocol: tcp
+        mode: host
+      # - "8080:8080"
       # - "443:443"
     volumes:
       - ./traefik.yml:/traefik.yml:ro
@@ -15,11 +22,36 @@ services:
     image: amir20/dozzle:latest
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
+    ports:
+      - "8081:8080"
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.dozzle.entrypoints=web"
-      - "traefik.http.routers.dozzle.rule=Host(`$HOSTNAME`)"
+      - "traefik.http.routers.dozzle.rule=Host(`$HOSTNAME`) && PathPrefix(`/dozzle`)"
-      - "traefik.http.services.dozzle.loadbalancer.server.port=8080"
+      - "traefik.http.services.dozzle.loadbalancer.server.port=8081"
+  # Homepage - Application Dashboard
+  homepage:
+    image: ghcr.io/gethomepage/homepage:latest
+    container_name: homepage
+    security_opt:
+      - no-new-privileges:true
+    restart: unless-stopped
+    ports:
+     - "3000:3000"
+    # volumes:
+    #   - $DOCKERDIR/appdata/homepage:/app/config
+    environment:
+      TZ: $TZ
+      PUID: $PUID
+      PGID: $PGID
+    labels:
+      - "traefik.enable=true"
+      # HTTP Routers
+      - "traefik.http.routers.homepage-rtr.entrypoints=web"
+      - "traefik.http.routers.homepage-rtr.rule=Host(`$HOSTNAME`) && PathPrefix(`/home`)" # Both domain.com and www.domain.com
+      # HTTP Services
+      - "traefik.http.routers.homepage-rtr.service=homepage-svc"
+      - "traefik.http.services.homepage-svc.loadbalancer.server.port=3000"
 
 # volumes:
 #   tls: