aykhans/my-self-host-services
1
0
Fork 0
mirror of https://github.com/aykhans/my-self-host-services.git synced 2026-05-29 15:35:59 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
165 Commits 1 Branch 0 Tags
1581be1722e5c66c00f03d94e1b269719abeae23
T
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
aykhans 1581be1722 monitoring/crowdsec: add MaxMind GeoLite2-City.mmdb
2026-05-17 13:17:08 +04:00
caddy
caddy: forward original Host to all upstreams, drop redundant X-Forwarded-* overrides
2026-05-10 02:57:56 +04:00
croc
add container_name
2026-03-05 14:08:56 +00:00
crowdsec
monitoring/crowdsec: add MaxMind GeoLite2-City.mmdb
2026-05-17 13:17:08 +04:00
ech0
add ech0 service
2026-03-05 14:10:47 +00:00
ghost
migrate ghost from sqlite to mysql 8
2026-04-25 23:57:13 +00:00
gitea
bump versions
2026-04-25 17:38:03 +04:00
glance
update rss feed
2026-04-17 21:38:29 +00:00
gopkg_proxy
add log rotation
2026-02-17 18:07:17 +00:00
grafana
monitoring/crowdsec: add MaxMind GeoLite2-City.mmdb
2026-05-17 13:17:08 +04:00
immich
add log rotation
2026-02-17 18:07:17 +00:00
memos
bump versions
2026-04-25 17:38:03 +04:00
private_volume
add 'private_volume'
2025-05-13 16:31:52 +04:00
prometheus
monitoring: update crowdsec
2026-05-16 00:28:15 +04:00
sftpgo
add log rotation
2026-02-17 18:07:17 +00:00
slash
add log rotation
2026-02-17 18:07:17 +00:00
stalwart
stalwart: add caddy IP ot AllowedIP list
2026-04-26 14:52:21 +00:00
uptime_kuma
add log rotation
2026-02-17 18:07:17 +00:00
vaultwarden
vaultwarden: bump version to 1.36.0
2026-05-09 20:29:46 +00:00
volume/textarea
general refactoring
2025-12-23 13:52:38 +00:00
watchtower
watchtower: add ~/.docker/config.json
2026-04-28 10:57:43 +00:00
wg_easy
add log rotation
2026-02-17 18:07:17 +00:00
.gitignore
add 'private_volume'
2025-05-13 16:31:52 +04:00
main.sh
add crowdsec
2026-05-10 00:07:06 +04:00
README.md
update README.md
2026-05-10 01:16:38 +04:00

README.md

Prerequisites

  • Bash
  • Docker
  • Docker compose
  • Ports:
    • Caddy
      • 80/tcp (HTTP)
      • 443/tcp (HTTPS)
    • Stalwart
      • 25/tcp (SMTP)
      • 110/tcp (POP3)
      • 995/tcp (POP3S)
      • 143/tcp (IMAP)
      • 993/tcp (IMAPS)
      • 465/tcp (SMTPS)
      • 587/tcp (SUBMISSION)
      • 4190/tcp (ManageSieve)
    • Croc
      • 9009-9013/tcp (relay)
    • SFTPGo
      • 2022/tcp (SFTP)
    • WireGuard Easy
      • 51820/udp (WireGuard)

Getting Started

Follow these steps to set up and start the services:

1. Grant Execute Permissions

Ensure the main.sh script has the necessary permissions:

chmod +x main.sh

2. Generate Environment Files

Create .env configuration files with the following command:

./main.sh generate-env

3. Configure Environment Variables

Edit the generated .env files to fill in the required fields:

  • ./gitea/.env
  • ./sftpgo/.env
  • ./vaultwarden/.env
  • ./glance/.env
  • ./ghost/.env
  • ./immich/.env
  • ./uptime_kuma/.env
  • ./croc/.env
  • ./stalwart/.env
  • ./caddy/.env
  • ./crowdsec/.env
  • ./caddy/Caddyfile.private

4. Bouncer Keys (CrowdSec)

Generate two keys and write them into the matching .env files:

CADDY_KEY=$(openssl rand -hex 32)
FW_KEY=$(openssl rand -hex 32)

# crowdsec/.env
sed -i "s|^CROWDSEC_BOUNCER_KEY_CADDY=.*|CROWDSEC_BOUNCER_KEY_CADDY=$CADDY_KEY|" ./crowdsec/.env
sed -i "s|^CROWDSEC_BOUNCER_KEY_FW=.*|CROWDSEC_BOUNCER_KEY_FW=$FW_KEY|" ./crowdsec/.env

# caddy/.env (same value as CADDY key above)
sed -i "s|^CROWDSEC_API_KEY=.*|CROWDSEC_API_KEY=$CADDY_KEY|" ./caddy/.env

(Optional) get a Console enroll key from https://app.crowdsec.net and put it in CROWDSEC_ENROLL_KEY.

5. Start Services

Launch all services with the following command:

./main.sh start

6. Host Firewall Bouncer (CrowdSec, nftables)

The Caddy bouncer protects HTTP services. Stalwart's mail ports (25/465/587/143/993/110/995/4190) bypass Caddy, so install a firewall bouncer on the host. CrowdSec packages live on PackageCloud, not in the default apt repos, so add the repo first:

curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt install crowdsec-firewall-bouncer-nftables

Do NOT use install.crowdsec.net (that installs the engine too, which we already run in Docker).

Patch the default config (the package writes api_url: http://127.0.0.1:8080/ but our LAPI is on 18080):

FW_KEY=$(grep '^CROWDSEC_BOUNCER_KEY_FW=' ./crowdsec/.env | cut -d= -f2)
sudo sed -i "s|^api_url:.*|api_url: http://127.0.0.1:18080/|" /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
sudo sed -i "s|^api_key:.*|api_key: $FW_KEY|" /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
sudo systemctl enable --now crowdsec-firewall-bouncer
sudo systemctl status crowdsec-firewall-bouncer --no-pager

Verify:

docker exec crowdsec cscli bouncers list      # 'firewall' should appear with a non-empty IP and recent 'Last API pull'
sudo nft list ruleset | grep crowdsec         # kernel-level rules in place

Stopping Services

To stop all running services, use:

./main.sh stop
Reference in New Issue View Git Blame Copy Permalink
S
Description
No description provided
Readme 975 KiB
Languages
Shell 55.2%
Go 28.9%
HTML 13.3%
Dockerfile 2.6%