aykhans/my-self-host-services
1
0
Fork 0
mirror of https://github.com/aykhans/my-self-host-services.git synced 2026-05-29 15:35:59 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
153 Commits 1 Branch 0 Tags
58e247f7707ec2ec9c3d6e597051c35f2b74f9bf
T
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
aykhans 58e247f770 crowdsec: enable sshd acquisition, add http admin probing scenario
2026-05-10 00:51:24 +04:00
caddy
caddy: update crowdsec config
2026-05-10 00:23:30 +04:00
croc
add container_name
2026-03-05 14:08:56 +00:00
crowdsec
crowdsec: enable sshd acquisition, add http admin probing scenario
2026-05-10 00:51:24 +04:00
ech0
add ech0 service
2026-03-05 14:10:47 +00:00
ghost
migrate ghost from sqlite to mysql 8
2026-04-25 23:57:13 +00:00
gitea
bump versions
2026-04-25 17:38:03 +04:00
glance
update rss feed
2026-04-17 21:38:29 +00:00
gopkg_proxy
add log rotation
2026-02-17 18:07:17 +00:00
grafana
bump versions
2026-04-25 17:38:03 +04:00
immich
add log rotation
2026-02-17 18:07:17 +00:00
memos
bump versions
2026-04-25 17:38:03 +04:00
private_volume
add 'private_volume'
2025-05-13 16:31:52 +04:00
prometheus
fix cadvisor
2026-04-25 17:49:53 +04:00
sftpgo
add log rotation
2026-02-17 18:07:17 +00:00
slash
add log rotation
2026-02-17 18:07:17 +00:00
stalwart
stalwart: add caddy IP ot AllowedIP list
2026-04-26 14:52:21 +00:00
uptime_kuma
add log rotation
2026-02-17 18:07:17 +00:00
vaultwarden
vaultwarden: bump version to 1.36.0
2026-05-09 20:29:46 +00:00
volume/textarea
general refactoring
2025-12-23 13:52:38 +00:00
watchtower
watchtower: add ~/.docker/config.json
2026-04-28 10:57:43 +00:00
wg_easy
add log rotation
2026-02-17 18:07:17 +00:00
.gitignore
add 'private_volume'
2025-05-13 16:31:52 +04:00
main.sh
add crowdsec
2026-05-10 00:07:06 +04:00
README.md
add crowdsec
2026-05-10 00:07:06 +04:00

README.md

Prerequisites

  • Bash
  • Docker
  • Docker compose
  • Ports:
    • Caddy
      • 80/tcp (HTTP)
      • 443/tcp (HTTPS)
    • Stalwart
      • 25/tcp (SMTP)
      • 110/tcp (POP3)
      • 995/tcp (POP3S)
      • 143/tcp (IMAP)
      • 993/tcp (IMAPS)
      • 465/tcp (SMTPS)
      • 587/tcp (SUBMISSION)
      • 4190/tcp (ManageSieve)
    • Croc
      • 9009-9013/tcp (relay)
    • SFTPGo
      • 2022/tcp (SFTP)
    • WireGuard Easy
      • 51820/udp (WireGuard)

Getting Started

Follow these steps to set up and start the services:

1. Grant Execute Permissions

Ensure the main.sh script has the necessary permissions:

chmod +x main.sh

2. Generate Environment Files

Create .env configuration files with the following command:

./main.sh generate-env

3. Configure Environment Variables

Edit the generated .env files to fill in the required fields:

  • ./gitea/.env
  • ./sftpgo/.env
  • ./vaultwarden/.env
  • ./glance/.env
  • ./ghost/.env
  • ./immich/.env
  • ./uptime_kuma/.env
  • ./croc/.env
  • ./stalwart/.env
  • ./caddy/.env
  • ./crowdsec/.env
  • ./caddy/Caddyfile.private

4. Bouncer Keys (CrowdSec)

Generate two keys and write them into the matching .env files:

CADDY_KEY=$(openssl rand -hex 32)
FW_KEY=$(openssl rand -hex 32)

# crowdsec/.env
sed -i "s|^CROWDSEC_BOUNCER_KEY_CADDY=.*|CROWDSEC_BOUNCER_KEY_CADDY=$CADDY_KEY|" ./crowdsec/.env
sed -i "s|^CROWDSEC_BOUNCER_KEY_FW=.*|CROWDSEC_BOUNCER_KEY_FW=$FW_KEY|" ./crowdsec/.env

# caddy/.env (same value as CADDY key above)
sed -i "s|^CROWDSEC_API_KEY=.*|CROWDSEC_API_KEY=$CADDY_KEY|" ./caddy/.env

(Optional) get a Console enroll key from https://app.crowdsec.net and put it in CROWDSEC_ENROLL_KEY.

5. Start Services

Launch all services with the following command:

./main.sh start

6. Host Firewall Bouncer (CrowdSec, nftables)

The Caddy bouncer protects HTTP services. Stalwart's mail ports (25/465/587/143/993/110/995/4190) bypass Caddy, so install a firewall bouncer on the host:

sudo apt install crowdsec-firewall-bouncer-nftables

Edit /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml:

mode: nftables
api_url: http://127.0.0.1:18080/
api_key: <value of CROWDSEC_BOUNCER_KEY_FW from crowdsec/.env>
update_frequency: 10s

Enable and start:

sudo systemctl enable --now crowdsec-firewall-bouncer

Verify:

docker exec crowdsec cscli bouncers list      # should show 'caddy' and 'firewall'
docker exec crowdsec cscli decisions list     # current bans
sudo nft list ruleset | grep -A2 crowdsec     # kernel-level rules in place

Allowlist your operator IP at any time:

docker exec crowdsec cscli allowlist create operator -d "Operator IPs"
docker exec crowdsec cscli allowlist add operator <your-public-ip>

Stopping Services

To stop all running services, use:

./main.sh stop
Reference in New Issue View Git Blame Copy Permalink
S
Description
No description provided
Readme 975 KiB
Languages
Shell 55.2%
Go 28.9%
HTML 13.3%
Dockerfile 2.6%