* Several updates 2023_01_26. See full commit log.

* bash_aliases updates due to moving my proxmox server from the cloud back into my home - I now have fiber with 10 Gbps :-)
* Added --drive-stop-on-upload-limit switch to stop rclone upload when google drive errors out due to quota.
* Added crowdsec and traefik-bouncer to basic-services.txt as without them none of the service would be accessible and traefik won't start.
* Remove cf-companion. I now just wildcard all CNAMEs to the root domain pointing to my IP. Much simpler this way and its not a big security risk.
* Updated README with crowdsec related posts.
* Obsoleted cf-companion (see above) and heimdall (replaced with homepage)
* Updated traefik to v2.9
* Updated docker and docker-compose versions.
* Added crowdsecurity/blocklist-mirror to export all the blocked IPs as a list.
* Added whoami container for testing purposes
* Exposed some ports to the host now that my server is inside my home network.
* Added AdGuard Home sync to sync all my instances of adguard home.

Author: SimpleHomelab

README.md

@@ -5,7 +5,7 @@ This is the updated docker-compose repo of all the media, home, and web server a
 - [Docker Media Server Ubuntu: Compose for 23 Awesome Apps](https://www.smarthomebeginner.com/docker-media-server-2022/)
 - [Ultimate Traefik Docker Compose Guide [2022] with LetsEncrypt](https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/)
 - [WordPress on Docker with Nginx, Traefik, LE SSL, Security, and Speed](https://www.smarthomebeginner.com/wordpress-on-docker-traefik/)
-- [Synology Docker Media Server with Traefik, Docker Compose, and Cloudflare](https://www.smarthomebeginner.com/synology-docker-media-server/)
+- [Ultimate Synology NAS Docker Compose Media Server 2022](https://www.smarthomebeginner.com/synology-nas-docker-media-server-2022/)
 
 <div style="padding:20px;border: 3px solid red;">
 <h3>IMPORTANT</h3>
@@ -42,6 +42,11 @@ Go step-by-step. If you bite too big of a piece, I guarantee you will choke.
 - [Google OAuth 2 MFA Protection for Docker](https://www.smarthomebeginner.com/traefik-forward-auth-google-oauth-2022/)
 - [Authelia MFA Protection for Docker](https://www.smarthomebeginner.com/docker-authelia-tutorial/)
 - [Traefik Docker Security Best Practices](https://www.smarthomebeginner.com/traefik-docker-security-best-practices/)
+- [Crowdsec Docker Compose Guide Part 1: Powerful IPS with Firewall Bouncer](https://www.smarthomebeginner.com/crowdsec-docker-compose-1-fw-bouncer/)
+- [CrowdSec Docker Part 2: Improved IPS with Cloudflare Bouncer](https://www.smarthomebeginner.com/crowdsec-cloudflare-bouncer/)
+- [CrowdSec Docker Part 3: Traefik Bouncer for Additional Security](https://www.smarthomebeginner.com/crowdsec-traefik-bouncer/)
+- [CrowdSec Multiserver Docker (Part 4): For Ultimate Protection](https://www.smarthomebeginner.com/crowdsec-multiserver-docker/)
+- [Ultimate Docker to Podman Migration Guide: It's NOT difficult](https://www.smarthomebeginner.com/docker-to-podman-migration-guide/)
 - [Nextcloud Docker with Traefik Reverse Proxy for Beginners](https://www.smarthomebeginner.com/traefik-docker-nextcloud/)
 
 ### Obsolete Posts (for educational purposes):
@@ -51,6 +56,7 @@ The following posts have been updated/replaced by the posts linked above:
 - [Docker Media Server with Traefik 2 Reverse Proxy](https://www.smarthomebeginner.com/traefik-2-docker-tutorial/)
 - [Docker Media Server without Reverse Proxy ](https://www.smarthomebeginner.com/docker-home-media-server-2018-basic/)
 - [Docker Media Server with Traefik 1 Reverse Proxy](https://www.smarthomebeginner.com/traefik-reverse-proxy-tutorial-for-docker/)
+- [Synology Docker Media Server with Traefik, Docker Compose, and Cloudflare](https://www.smarthomebeginner.com/synology-docker-media-server/)
 
 ## Docker, Docker Compose, and Traefik Versions (updated September, 2022)
 

appdata/traefik2/rules/cloudserver/middlewares-chains.yml

@@ -15,12 +15,12 @@ http:
           - middlewares-rate-limit
           - middlewares-https-redirectscheme
           - middlewares-secure-headers
-          - middlewares-compress
+          - middlewares-compress 
 
     chain-basic-auth:
       chain:
         middlewares:
-          - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec
+          - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec        
           - middlewares-rate-limit
           - middlewares-https-redirectscheme
           - middlewares-secure-headers
@@ -30,7 +30,7 @@ http:
     chain-oauth:
       chain:
         middlewares:
-          - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec
+          - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec        
           - middlewares-rate-limit
           - middlewares-https-redirectscheme
           - middlewares-secure-headers

docker-compose-t2-obsolete.yml

@@ -1994,4 +1994,51 @@ services:
       #- "traefik.http.routers.headscale-rtr.middlewares=chain-no-auth@file"
       ## HTTP Services
       - "traefik.http.routers.headscale-rtr.service=headscale-svc"
-      - "traefik.http.services.headscale-svc.loadbalancer.server.port=8080"
+      - "traefik.http.services.headscale-svc.loadbalancer.server.port=8080"
+
+
+  # Cloudflare-Companion - Automatic CNAME DNS Creation
+  cf-companion:
+    <<: *common-keys-core # See EXTENSION FIELDS at the top
+    container_name: cf-companion
+    image: tiredofit/traefik-cloudflare-companion:latest
+    networks:
+      - socket_proxy
+    environment:
+      - TIMEZONE=$TZ
+      - TRAEFIK_VERSION=2
+      - CF_TOKEN__FILE=/run/secrets/cf_token
+      - TARGET_DOMAIN=cdoc.$DOMAINNAME_CLOUD_SERVER # Edit this. Either a subdomain or just $DOMAINNAME_CLOUD_SERVER pointing to the IP will work. See: https://github.com/htpcBeginner/docker-traefik/issues/244.
+      - DOMAIN1=$DOMAINNAME_CLOUD_SERVER
+      - DOMAIN1_ZONE_ID=$CLOUDFLARE_ZONEID # Copy from Cloudflare Overview page
+      - DOMAIN1_PROXIED=TRUE
+      - DOCKER_HOST=tcp://socket-proxy:2375
+    secrets: 
+      - cf_token
+    labels:
+      # Add hosts specified in rules here to force cf-companion to create the CNAMEs
+      # Since cf-companion creates CNAMEs based on host rules, this a workaround for non-docker/external apps
+      - "traefik.http.routers.cf-companion-rtr.rule=Host(Host(`webmin.$DOMAINNAME_CLOUD_SERVER`) || Host(`shell.$DOMAINNAME_CLOUD_SERVER`) || Host(`stcdoc.$DOMAINNAME_CLOUD_SERVER`) || Host(`ag.$DOMAINNAME_CLOUD_SERVER`)"
+
+  # Heimdall - Application Dashboard
+  heimdall:
+    <<: *common-keys-core # See EXTENSION FIELDS at the top
+    image: lscr.io/linuxserver/heimdall
+    container_name: heimdall
+    # ports:
+    #  - "$HEIMDALL_PORT:80" # 80 to 82 already taken by other services
+      # - "444:443" # 443 used by Traefik/Nginx Proxy Manager. Disabled because we will put Heimdall behind proxy.
+    volumes:
+      - $DOCKERDIR/appdata/heimdall:/config
+    environment:
+      <<: *default-tz-puid-pgid
+    labels:
+      - "traefik.enable=true"
+      ## HTTP Routers
+      - "traefik.http.routers.heimdall-rtr.entrypoints=https"
+      - "traefik.http.routers.heimdall-rtr.rule=Host(`$DOMAINNAME_CLOUD_SERVER`,`www.$DOMAINNAME_CLOUD_SERVER`)"
+      ## Middlewares
+      - "traefik.http.routers.heimdall-rtr.middlewares=chain-oauth@file"
+      ## HTTP Services
+      - "traefik.http.routers.heimdall-rtr.service=heimdall-svc"
+      - "traefik.http.services.heimdall-svc.loadbalancer.server.port=80"

docker-compose-t2-synology.yml

@@ -125,7 +125,7 @@ services:
   traefik:
     <<: *common-keys-core # See EXTENSION FIELDS at the top
     container_name: traefik
-    image: traefik:2.8
+    image: traefik:2.9
     command: # CLI arguments
       - --global.checkNewVersion=true
       - --global.sendAnonymousUsage=true

docker-compose-t2-web.yml

@@ -10,8 +10,8 @@ version: "3.9"
 # Digital Ocean: 1 vCPU, 2 GB RAM, and 50 GB NVME
 # Use this Referral Link and get $100 Credit: https://m.do.co/c/5ae8e2c8f34b
 
-# Docker: 20.10.17
-# Docker Compose: 2.6.0 (v2 https://docs.docker.com/compose/#compose-v2-and-the-new-docker-compose-command)
+# Docker: 20.10.21
+# Docker Compose: v2.12.2 (docker-compose-plugin for Docker)
 
 ########################### NETWORKS
 # There is no need to create any networks outside this docker-compose file.
@@ -113,7 +113,7 @@ services:
   traefik:
     <<: *common-keys-core # See EXTENSION FIELDS at the top
     container_name: traefik
-    image: traefik:2.8
+    image: traefik:2.9
     command: # CLI arguments
       - --global.checkNewVersion=true
       - --global.sendAnonymousUsage=true
@@ -349,6 +349,8 @@ services:
       - "traefik.http.routers.autoindex-rtr.service=autoindex-svc"
       - "traefik.http.services.autoindex-svc.loadbalancer.server.port=80"
 
+  ############################# SECURITY
+
   # CrowdSec - Open-source & collaborative security IPS
   crowdsec:
     <<: *common-keys-core # See EXTENSION FIELDS at the top
@@ -358,7 +360,7 @@ services:
       - "$CROWDSEC_API_PORT:8080"
       - "$ZEROTIER_IP_WEBSERVER:$CROWDSEC_PROMETHEUS_EXPORT:6060" # If you don't use ZeroTier remove use just $CROWDSEC_PROMETHEUS_EXPORT:6060
     environment:
-      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/whitelist-good-actors crowdsecurity/iptables crowdsecurity/linux crowdsecurity/nginx crowdsecurity/sshd"
+      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/whitelist-good-actors crowdsecurity/iptables crowdsecurity/linux crowdsecurity/nginx fulljackz/proxmox"
       GID: "${GID-1000}"
       CUSTOM_HOSTNAME: dSHB
     volumes:
@@ -368,17 +370,16 @@ services:
       - $DOCKERDIR/appdata/crowdsec/config:/etc/crowdsec
 
   # CrowdSec Bouncer - Traefik
+  # sudo docker exec crowdsec cscli bouncer add traefik-bouncer
   traefik-bouncer:
     <<: *common-keys-core # See EXTENSION FIELDS at the top
     image: fbonalair/traefik-crowdsec-bouncer
     container_name: traefik-bouncer
-    #ports:
-    #  - "$TRAEFIK_BOUNCER_PORT:8080"
     environment:
       GIN_MODE: release # default is debug (more logs)
       CROWDSEC_BOUNCER_API_KEY: $CROWDSEC_BOUNCER_TRAEFIK_API_KEY # sudo docker exec crowdsec cscli bouncers add traefik-bouncer
       CROWDSEC_AGENT_HOST: crowdsec:8080 # CrowdSec host and port
-      CROWDSEC_BOUNCER_LOG_LEVEL: 1 # 1 INFO 2 WARN https://pkg.go.dev/github.com/rs/zerolog#readme-leveled-logging
+      CROWDSEC_BOUNCER_LOG_LEVEL: 2 # https://pkg.go.dev/github.com/rs/zerolog#readme-leveled-logging
 
   # CrowdSec Bouncer - Cloudflare
   # sudo docker exec crowdsec cscli bouncer add cloudflare-bouncer
@@ -387,11 +388,27 @@ services:
     <<: *common-keys-core # See EXTENSION FIELDS at the top
     image: crowdsecurity/cloudflare-bouncer
     container_name: cloudflare-bouncer
-    #ports:
-    #  - "$CLOUDFLARE_BOUNCER_PORT:2112"
     volumes:
       - $DOCKERDIR/appdata/cloudflare-bouncer/cfg.yaml:/etc/crowdsec/bouncers/crowdsec-cloudflare-bouncer.yaml
-      - $DOCKERDIR/appdata/cloudflare-bouncer/cf-bouncer:/cf-bouncer
+
+  # CrowdSec Blocklist Mirror - For PiHole/AdGuard Use
+  # sudo docker exec crowdsec cscli bouncer add cloudflare-bouncer
+  crowdsec-blocklist:
+    <<: *common-keys-core # See EXTENSION FIELDS at the top
+    image: crowdsecurity/blocklist-mirror
+    container_name: crowdsec-blocklist
+    volumes:
+      - $DOCKERDIR/appdata/crowdsec-blocklist/cfg.yaml:/etc/crowdsec/bouncers/crowdsec-blocklist-mirror.yaml
+    labels:
+      - "traefik.enable=true"
+      ## HTTP Routers
+      - "traefik.http.routers.crowdsec-blocklist-rtr.entrypoints=https"
+      - "traefik.http.routers.crowdsec-blocklist-rtr.rule=Host(`blocklist.$DOMAINNAME_SHB`)" # https://domain.com/security/blocklist
+      ## Middlewares
+      - "traefik.http.routers.crowdsec-blocklist-rtr.middlewares=chain-oauth@file"
+      ## HTTP Services
+      - "traefik.http.routers.crowdsec-blocklist-rtr.service=crowdsec-blocklist-svc"
+      - "traefik.http.services.crowdsec-blocklist-svc.loadbalancer.server.port=41412"
 
   ############################# DATABASE
 
@@ -559,6 +576,7 @@ services:
       - "traefik.http.routers.vscode-rtr.service=vscode-svc"
       - "traefik.http.services.vscode-svc.loadbalancer.server.port=8443"
 
+  # WG-EASY - WireGuard Easy
   wg-easy:
     image: weejewel/wg-easy
     container_name: wg-easy
@@ -583,18 +601,17 @@ services:
       - WG_HOST=$SERVER_IP
       - PASSWORD=$WGEASY_PASSWORD
       # Optional:
-      # - PASSWORD=foobar123
       # - WG_PORT=51820
-      # - WG_DEFAULT_ADDRESS=10.8.0.x
-      # - WG_DEFAULT_DNS=1.1.1.1
+      - WG_DEFAULT_ADDRESS=192.168.20.x
+      - WG_DEFAULT_DNS=1.1.1.1
       # - WG_MTU=1420
-      # - WG_ALLOWED_IPS=192.168.15.0/24, 10.0.1.0/24
+      - WG_ALLOWED_IPS=0.0.0.0/0, ::/0
       # - WG_PRE_UP=echo "Pre Up" > /etc/wireguard/pre-up.txt
       # - WG_POST_UP=echo "Post Up" > /etc/wireguard/post-up.txt
       # - WG_PRE_DOWN=echo "Pre Down" > /etc/wireguard/pre-down.txt
       # - WG_POST_DOWN=echo "Post Down" > /etc/wireguard/post-down.txt
 
-  ############################# MAINTENANCE
+  ############################# MAINTENANCE AND TESTING
 
   # Docker-GC - Automatic Docker Garbage Collection
   # Create docker-gc-exclude file
@@ -616,3 +633,19 @@ services:
       CLEAN_UP_VOLUMES: 1
       TZ: $TZ
       DOCKER_HOST: tcp://socket-proxy:2375
+
+  # WhoAmI - For Testing and Troubleshooting
+  whoami:
+    <<: *common-keys-core # See EXTENSION FIELDS at the top
+    image: traefik/whoami
+    container_name: whoami
+    labels:
+      - "traefik.enable=true"
+      ## HTTP Routers
+      - "traefik.http.routers.whoami-rtr.entrypoints=https"
+      - "traefik.http.routers.whoami-rtr.rule=Host(`whoami.$DOMAINNAME_SHB`)"
+      ## Middlewares
+      - "traefik.http.routers.whoami-rtr.middlewares=chain-oauth@file"
+      ## HTTP Services
+      - "traefik.http.routers.whoami-rtr.service=whoami-svc"
+      - "traefik.http.services.whoami-svc.loadbalancer.server.port=80"