jack
aa9706bbc4
Traefik: - Enable access logs → /var/log/traefik/access.log (needed for CrowdSec) - Add global security headers middleware: HSTS, X-Frame-Options, CSP, nosniff, XSS filter, referrer policy, permissions policy - Add rate limiting: default 100/s, API 30/s, admin 10/s (strict) - Add Authelia ForwardAuth middleware for SSO integration CrowdSec (new service): - Analyzes Traefik access logs + auth.log in real time - Community IP reputation blocklist (crowdsecurity/traefik + http-cve) - Firewall bouncer: bans malicious IPs at kernel level (iptables) Authelia (new service, auth.csrx.ru): - 2FA/SSO portal with TOTP (Google Authenticator) - Protects: traefik.csrx.ru, sync.csrx.ru, /god-mode/ in Plane - Session: 12h expiry, 30m inactivity, Redis backend - argon2id password hashing Container security: - Add security_opt: no-new-privileges to traefik, vaultwarden, forgejo, grafana, authelia CI/CD security: - Remove hardcoded server IP 87.249.49.32 from workflow - Use SSH_KNOWN_HOSTS secret instead of ssh-keyscan (prevents MITM) - Added SSH_KNOWN_HOSTS secret to Forgejo Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
34 lines
2.9 KiB
YAML
34 lines
2.9 KiB
YAML
---
|
||
services_root: /opt/services
|
||
|
||
# Image versions
|
||
# IMPORTANT: pin each image to a specific version tag.
|
||
# Check Docker Hub for the latest stable release before updating.
|
||
traefik_image: "traefik:v3.3" # https://hub.docker.com/_/traefik/tags
|
||
vaultwarden_image: "vaultwarden/server:1.32.7" # https://hub.docker.com/r/vaultwarden/server/tags
|
||
forgejo_image: "codeberg.org/forgejo/forgejo:9"
|
||
forgejo_db_image: "postgres:16-alpine"
|
||
plane_frontend_image: "makeplane/plane-frontend:stable" # https://hub.docker.com/r/makeplane/plane-frontend/tags
|
||
plane_admin_image: "makeplane/plane-admin:stable" # https://hub.docker.com/r/makeplane/plane-admin/tags
|
||
plane_space_image: "makeplane/plane-space:stable" # https://hub.docker.com/r/makeplane/plane-space/tags
|
||
plane_backend_image: "makeplane/plane-backend:stable" # https://hub.docker.com/r/makeplane/plane-backend/tags
|
||
plane_db_image: "postgres:16-alpine"
|
||
plane_redis_image: "redis:7-alpine"
|
||
# ВАЖНО: MinIO прекратил публикацию образов на Docker Hub с октября 2025.
|
||
# Последний стабильный тег на Docker Hub: RELEASE.2025-04-22T22-12-26Z
|
||
# Рекомендуется перейти на alpine/minio или собирать из исходников.
|
||
plane_minio_image: "minio/minio:RELEASE.2025-04-22T22-12-26Z" # https://hub.docker.com/r/minio/minio/tags
|
||
syncthing_image: "syncthing/syncthing:1.27" # https://hub.docker.com/r/syncthing/syncthing/tags
|
||
act_runner_image: "gitea/act_runner:0.3.0" # https://hub.docker.com/r/gitea/act_runner/tags
|
||
prometheus_image: "prom/prometheus:v3.4.0" # https://hub.docker.com/r/prom/prometheus/tags
|
||
node_exporter_image: "prom/node-exporter:v1.9.1" # https://hub.docker.com/r/prom/node-exporter/tags
|
||
cadvisor_image: "gcr.io/cadvisor/cadvisor:v0.52.1" # https://github.com/google/cadvisor/releases
|
||
grafana_image: "grafana/grafana:11.6.1" # https://hub.docker.com/r/grafana/grafana/tags
|
||
alertmanager_image: "prom/alertmanager:v0.28.1" # https://hub.docker.com/r/prom/alertmanager/tags
|
||
loki_image: "grafana/loki:3.4.3" # https://hub.docker.com/r/grafana/loki/tags
|
||
promtail_image: "grafana/promtail:3.4.3" # https://hub.docker.com/r/grafana/promtail/tags
|
||
crowdsec_image: "crowdsecurity/crowdsec:v1.6.8" # https://hub.docker.com/r/crowdsecurity/crowdsec/tags
|
||
crowdsec_bouncer_image: "crowdsecurity/cs-firewall-bouncer:v0.0.31" # https://hub.docker.com/r/crowdsecurity/cs-firewall-bouncer/tags
|
||
authelia_image: "authelia/authelia:4.38" # https://hub.docker.com/r/authelia/authelia/tags
|
||
redis_image: "redis:7-alpine" # shared with plane-redis
|
||
authelia_admin_user: "admin"
|