Add DNS

Signed-off-by: Bensuperpc <bensuperpc@gmail.com>

Makefile

@@ -13,7 +13,7 @@
 
 DOCKER := docker
 
-PROFILES := webserver wordpress adminer uptime-kuma portainer qbittorrent gitea jellyfin watchtower backup
+PROFILES := caddy wordpress adminer uptime-kuma qbittorrent gitea jellyfin watchtower backup openssh dns-server syncthing
 PROFILE_CMD := $(addprefix --profile ,$(PROFILES))
 
 COMPOSE_FILES :=  $(shell find docker-compose*.yml | sed -e 's/^/--file /')

README.md

@@ -51,7 +51,7 @@ cd infrastructure
 
 ### Configure the domain
 
-For all **bensuperpc.org**, you need to replace it with your domain, example: **mydomain.com**
+For all **bensuperpc.org**, you need to replace it with your domain, example: **mydomain.com**, so the same for **bensuperpc.com** ect...
 
 ```sh
 find . \( -type d -name .git -prune \) -o -type f -print0 | xargs -0 sed -i 's/bensuperpc.org/mydomain.com/g'
@@ -59,21 +59,23 @@ find . \( -type d -name .git -prune \) -o -type f -print0 | xargs -0 sed -i 's/b
 
 Check if all bensuperpc.* are replaced by your domain in [Caddyfile](caddy/wordpress/Caddyfile)
 
-And then, caddy will generate the certificate for you and renew it automatically :D (It's easier than certbot and nginx)
+And then, caddy will generate the certificate for you and renew it automatically :D
 
 | Domain name | Type | Description |
 | --- | --- | --- |
-| bensuperpc.org | Main | Main domain |
-| adminer.bensuperpc.org | Sub | Adminer for MariaDB for wordpress only |
-| uptimekuma.bensuperpc.org | Sub | Uptime Kuma for monitoring |
-| torrent.bensuperpc.org | Sub | Torrent server |
-| git.bensuperpc.org | Sub | Gitea for git |
-| link.bensuperpc.org | Sub | For link shortener |
-| jellyfin.bensuperpc.org | Sub | Jellyfin for media server |
+| [bensuperpc.org](https://bensuperpc.org) | Main | Main domain |
+| [adminer.bensuperpc.org](https://adminer.bensuperpc.org) | Sub | Adminer for MariaDB for wordpress only |
+| [uptimekuma.bensuperpc.org](https://uptimekuma.bensuperpc.org) | Sub | Uptime Kuma for monitoring |
+| [torrent.bensuperpc.org](https://torrent.bensuperpc.org) | Sub | Torrent server |
+| [git.bensuperpc.org](https://git.bensuperpc.org) | Sub | Gitea for git |
+| [link.bensuperpc.org](https://link.bensuperpc.org) | Sub | For link shortener |
+| [jellyfin.bensuperpc.org](https://jellyfin.bensuperpc.org) | Sub | Jellyfin for media server |
+| [syncthing.bensuperpc.org](https://syncthing.bensuperpc.org) | Sub | SyncThing for file synchronization |
+| [ssh.bensuperpc.org](https://ssh.bensuperpc.org) | Sub | Openssh for ssh |
 | bensuperpc.com | Main | Redirect to bensuperpc.org |
-| bensuperpc.fr | Sub | Redirect to bensuperpc.org |
-| bensuperpc.net | Sub | Redirect to bensuperpc.org |
-| bensuperpc.ovh | Sub | Redirect to bensuperpc.org |
+| bensuperpc.fr | Main | Redirect to bensuperpc.org |
+| bensuperpc.net | Main | Redirect to bensuperpc.org |
+| bensuperpc.ovh | Main | Redirect to bensuperpc.org |
 
 ### Configure the infrastructure
 
@@ -163,12 +165,10 @@ You can find all services on the [docker-compose.yml](docker-compose.yml) file o
 | Torrent | Torrent server | [torrent.bensuperpc.org](https://torrent.bensuperpc.org) |
 | Gitea | Gitea for git | [git.bensuperpc.org](https://git.bensuperpc.org) |
 | Jellyfin | Jellyfin for media server | [jellyfin.bensuperpc.org](https://jellyfin.bensuperpc.org) |
+| SyncThing | SyncThing for file synchronization | [syncthing.bensuperpc.org](https://syncthing.bensuperpc.org) |
+| Openssh | Openssh for ssh | [ssh.bensuperpc.org](https://ssh.bensuperpc.org) |
 
-## URL
-
-You can access to the website with:
-
-- [bensuperpc.org](https://bensuperpc.org) and [www.bensuperpc.org](https://www.bensuperpc.org) (Wordpress for now)
+You can disable some services by removing the service name in PROFILES variable in the [Makefile](Makefile) file.
 
 ## Build with
 

caddy/bensuperpc.org/Caddyfile

@@ -5,7 +5,7 @@ www.bensuperpc.org {
 	file_server
 	encode zstd gzip
 
-	#metrics /metrics
+	# metrics /metrics
 
 	@disallowed {
 		path /xmlrpc.php
@@ -29,6 +29,9 @@ www.bensuperpc.org {
 
 		# clickjacking protection
 		X-Frame-Options DENY
+
+		# Disable powerful features we don't need
+        Permissions-Policy "geolocation=(), camera=(), microphone=() interest-cohort=()"
 	}
 }
 
@@ -56,7 +59,29 @@ jellyfin.bensuperpc.org {
 	reverse_proxy jellyfin:8096
 }
 
+ssh.bensuperpc.org {
+	reverse_proxy openssh:2222
+}
+
+syncthing.bensuperpc.org {
+	reverse_proxy syncthing:8384 {
+		header_up Host {upstream_hostport}
+	}
+}
+
+dns.bensuperpc.org {
+	reverse_proxy dns-server:5380
+}
+
 link.bensuperpc.org {
+	# TODO: Use service with database
+	# Friendly links
+	redir /gnous https://gnous.eu permanent
+	redir /proxy https://imagisphe.re permanent
+	redir /patch https://spaceint.fr permanent
+	redir /greep https://greep.fr permanent
+
+	# Youtube links
 	redir /rickroll https://www.youtube.com/watch?v=dQw4w9WgXcQ permanent
 	redir /babyshark https://www.youtube.com/watch?v=XqZsoesa55w permanent
 	redir /cowcowcow https://www.youtube.com/watch?v=FavUpD_IjVY permanent

docker-compose.adminer.yml

@@ -0,0 +1,19 @@
+version: '3.9'
+
+services:
+  # Adminer
+  adminer:
+    image: adminer:latest
+    container_name: adminer
+    profiles:
+      - adminer
+    restart: on-failure
+    env_file: 
+      - env/adminer.env
+    depends_on:
+      - wordpress_db
+      - caddy
+    networks:
+      - infra-network
+    security_opt:
+      - no-new-privileges:true

docker-compose.backup.yml

@@ -12,9 +12,19 @@ services:
       - env/backup.env
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
+      - backup:/archive
       - caddy_data:/backup/caddy_data:ro
       - caddy_config:/backup/caddy_config:ro
-      - backup:/archive
+#      - gitea_data:/backup/gitea_data:ro
+#      - gitea_config:/backup/gitea_config:ro
+#      - wordpress_db:/backup/wordpress_db:ro
+#      - wordpress:/backup/wordpress:ro
+#      - jellyfin_config:/backup/jellyfin_config:ro
+#      - jellyfin_data:/backup/jellyfin_data:ro
+#      - jellyfin_cache:/backup/jellyfin_cache:ro
+#      - qbittorrent_config:/backup/qbittorrent_config:ro
+#      - qbittorrent_data:/backup/qbittorrent_data:ro
+#      - uptimekuma_data:/backup/uptimekuma_data:ro
     networks:
       - infra-network
     security_opt:

docker-compose.caddy.yml

@@ -1,12 +1,12 @@
 version: '3.9'
 
 services:
-  # Webserver
+  # Caddy
   caddy:
     image: caddy:latest
-    container_name: webserver
+    container_name: caddy
     profiles:
-      - webserver
+      - caddy
     restart: on-failure
     ports:
       - 80:80
@@ -18,17 +18,26 @@ services:
       - ./caddy:/etc/caddy:ro
     networks:
       - infra-network
+    env_file:
+      - env/caddy.env
+    cap_add:
+      - NET_ADMIN
     security_opt:
       - no-new-privileges:true
-#    cap_drop:
-#      - ALL
-#    cap_add:
-#      - CHOWN
-#      - FOWNER
-#      - DAC_OVERRIDE
-#      - SETGID
-#      - SETUID
-#      - NET_BIND_SERVICE
+    #    cap_drop:
+    #      - ALL
+    #    cap_add:
+    #      - CHOWN
+    #      - FOWNER
+    #      - DAC_OVERRIDE
+    #      - SETGID
+    #      - SETUID
+    #      - NET_BIND_SERVICE
+    healthcheck:
+      test: pidof caddy || exit 1
+      interval: 120s
+      timeout: 10s
+      retries: 3
 
 volumes:
   caddy_data:

docker-compose.dns.yml

@@ -0,0 +1,23 @@
+version: '3.9'
+
+services:
+  dns-server:
+    container_name: dns-server
+    hostname: dns-server
+    profiles:
+      - dns-server
+    image: technitium/dns-server:latest
+    restart: on-failure
+    networks:
+      - infra-network
+    security_opt:
+      - no-new-privileges:true
+    volumes:
+      - dns-config:/etc/dns
+    env_file:
+      - env/technitium.env
+
+volumes:
+  dns-config:
+    name: dns-config
+

docker-compose.openssh.yml

@@ -0,0 +1,25 @@
+version: '3.9'
+
+services:
+  # Openssh
+  openssh:
+    image: linuxserver/openssh-server:latest
+    container_name: openssh
+    profiles:
+      - openssh
+    restart: on-failure
+    env_file:
+      - env/openssh.env
+    volumes:
+      - openssh_config:/config
+      - openssh_data:/data
+    networks:
+      - infra-network
+    security_opt:
+      - no-new-privileges:true
+
+volumes:
+  openssh_config:
+    name: openssh_config
+  openssh_data:
+    name: openssh_data

docker-compose.syncthing.yml

@@ -0,0 +1,25 @@
+version: '3.9'
+
+services:
+  # syncthing
+  syncthing:
+    image: linuxserver/syncthing:latest
+    container_name: syncthing
+    profiles:
+      - syncthing
+    restart: on-failure
+    env_file:
+      - env/syncthing.env
+    volumes:
+      - syncthing_config:/config
+      - syncthing_data:/data1
+    networks:
+      - infra-network
+    security_opt:
+      - no-new-privileges:true
+
+volumes:
+  syncthing_config:
+    name: syncthing_config
+  syncthing_data:
+    name: syncthing_data

docker-compose.wordpress.yml

@@ -32,7 +32,7 @@ services:
       - caddy
     restart: on-failure
     volumes:
-      - database:/var/lib/mysql:rw
+      - wordpress_db:/var/lib/mysql:rw
     env_file:
       - env/wordpress_db.env
     command: '--default-authentication-plugin=mysql_native_password'
@@ -41,25 +41,8 @@ services:
     security_opt:
       - no-new-privileges:true
 
-  # Adminer
-  adminer:
-    image: adminer:latest
-    container_name: adminer
-    profiles:
-      - adminer
-    restart: on-failure
-    env_file: 
-      - env/adminer.env
-    depends_on:
-      - wordpress_db
-      - caddy
-    networks:
-      - infra-network
-    security_opt:
-      - no-new-privileges:true
-
 volumes:
-  database:
-    name: database
+  wordpress_db:
+    name: wordpress_db
   wordpress:
     name: wordpress

env/openssh.env

@@ -0,0 +1,11 @@
+PUID=1000
+PGID=1000
+PUBLIC_KEY=
+# PUBLIC_KEY_FILE=
+# PUBLIC_KEY_DIR=
+# PUBLIC_KEY_URL=
+SUDO_ACCESS=false
+PASSWORD_ACCESS=false
+# USER_PASSWORD=
+# USER_PASSWORD_FILE=
+# USER_NAME=

env/syncthing.env

@@ -0,0 +1,2 @@
+PUID=1000
+PGID=1000

env/technitium.env

@@ -0,0 +1,18 @@
+DNS_SERVER_DOMAIN=dns-server
+DNS_SERVER_ADMIN_PASSWORD=fddsdfF548TjSNbi490fzZspmLSDf
+# DNS_SERVER_ADMIN_PASSWORD_FILE=password.txt
+# DNS_SERVER_PREFER_IPV6=false
+# DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380
+# DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443
+# DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=true
+# DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false
+# DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=true
+# DNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks
+# DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24
+# DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24
+# DNS_SERVER_ENABLE_BLOCKING=false
+# DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false
+# DNS_SERVER_BLOCK_LIST_URLS=
+# DNS_SERVER_FORWARDERS=1.1.1.1, 8.8.8.8
+# DNS_SERVER_FORWARDER_PROTOCOL=Tcp
+# DNS_SERVER_LOG_USING_LOCAL_TIME=true