Sanitized mirror from private repository - 2026-04-18 11:19:59 UTC
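--- a/hosts/vms/matrix-ubuntu/crowdsec.yaml
+++ b/hosts/vms/matrix-ubuntu/crowdsec.yaml
@@ -0,0 +1,63 @@
+# CrowdSec Security Stack - Intrusion Detection & Prevention
+# =============================================================================
+# Co-located with NPM on matrix-ubuntu for direct log access (no rsync needed).
+# CrowdSec engine (LAPI) parses NPM access/error logs and host syslog.
+# Blocking is handled by crowdsec-firewall-bouncer-nftables installed on the
+# host (not containerized) — drops packets at the network layer via nftables,
+# avoiding nginx auth_request conflicts with Authentik SSO.
+#
+# Ports: 8580 (LAPI), 6060 (Prometheus metrics)
+#
+# Setup steps after first deploy:
+# 1. Install firewall bouncer on host:
+# curl -s https://install.crowdsec.net | sudo sh
+# sudo apt install crowdsec-firewall-bouncer-nftables
+# 2. Generate bouncer API key:
+# docker exec crowdsec cscli bouncers add firewall-bouncer
+# 3. Configure /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml:
+# api_url: http://127.0.0.1:8580/
+# api_key: <generated key>
+# deny_log: true
+# 4. Start bouncer: sudo systemctl enable --now crowdsec-firewall-bouncer
+# 5. Enroll in CrowdSec console (optional):
+# docker exec crowdsec cscli console enroll <key>
+#
+# Collections installed via COLLECTIONS env var:
+# - crowdsecurity/nginx-proxy-manager — NPM log parser + scenarios
+# - crowdsecurity/base-http-scenarios — generic HTTP attack detection
+# - crowdsecurity/http-cve — known CVE exploit detection
+# - crowdsecurity/linux — SSH brute force, etc.
+# =============================================================================
+
+services:
+  crowdsec:
+    image: crowdsecurity/crowdsec:latest
+    container_name: crowdsec
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    environment:
+      TZ: America/Los_Angeles
+      COLLECTIONS: >-
+        crowdsecurity/nginx-proxy-manager
+        crowdsecurity/base-http-scenarios
+        crowdsecurity/http-cve
+        crowdsecurity/linux
+      GID: "1000"
+      CROWDSEC_PROMETHEUS_LISTEN_ADDR: "0.0.0.0"
+      CROWDSEC_PROMETHEUS_LISTEN_PORT: "6060"
+    volumes:
+      - /opt/crowdsec/config:/etc/crowdsec
+      - /opt/crowdsec/data:/var/lib/crowdsec/data
+      # NPM logs — direct mount, same host
+      - /opt/npm/data/logs:/var/log/npm:ro
+      - /var/log:/var/log/host:ro
+    ports:
+      - "8580:8080"
+      - "6060:6060"
+    healthcheck:
+      test: ["CMD", "cscli", "version"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s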
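Review bot: The LAPI mapping `- "8580:8080"` publishes the local API on every host interface, while the header documents its only consumer as the host bouncer reaching it at `http://127.0.0.1:8580/`; binding it as `- "127.0.0.1:8580:8080"` keeps the API off the LAN without changing the documented setup. The same consideration applies to `- "6060:6060"` together with `CROWDSEC_PROMETHEUS_LISTEN_ADDR: "0.0.0.0"` — the metrics endpoint has no authentication of its own, so unless a remote scraper is expected, `- "127.0.0.1:6060:6060"` (or a specific scraper-facing address) is the safer default. `image: crowdsecurity/crowdsec:latest` is unpinned for a component that decides which packets the host drops; a version tag or digest makes upgrades deliberate and reviewable. The healthcheck `test: ["CMD", "cscli", "version"]` only proves the binary executes; `test: ["CMD", "cscli", "lapi", "status"]` would also confirm the LAPI that the bouncer depends on is answering.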
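--- a/hosts/vms/matrix-ubuntu/docker-compose.livekit.yml
+++ b/hosts/vms/matrix-ubuntu/docker-compose.livekit.yml
@@ -0,0 +1,39 @@
+# LiveKit SFU + JWT service for MatrixRTC (Element X / Element Call)
+# Host: matrix-ubuntu (192.168.0.154 / 100.85.21.51)
+# Deploy path: /opt/livekit/
+#
+# Public endpoints (via NPM on Calypso -> livekit.mx.vish.gg):
+# LiveKit SFU: https://livekit.mx.vish.gg/livekit/sfu/
+# JWT service: https://livekit.mx.vish.gg/livekit/jwt/
+# Healthcheck: https://livekit.mx.vish.gg/livekit/jwt/healthz
+#
+# Announced via .well-known/matrix/client on mx.vish.gg:
+# "org.matrix.msc4143.rtc_foci": [{"type":"livekit","livekit_service_url":"https://livekit.mx.vish.gg/livekit/jwt"}]
+#
+# NOTE: This compose file lives at /opt/livekit/docker-compose.yml on matrix-ubuntu
+# It is NOT deployed via Portainer GitOps — managed manually on the host.
+# Config file: /opt/livekit/livekit.yaml
+
+services:
+  livekit:
+    image: livekit/livekit-server:latest
+    container_name: livekit
+    command: --config /etc/livekit/livekit.yaml
+    volumes:
+      - /opt/livekit/livekit.yaml:/etc/livekit/livekit.yaml:ro
+    # network_mode: host — uses host networking for WebRTC NAT traversal
+    # Ports: 7880 (HTTP/WS), 7881 (RTC TCP), 50000-60000/udp (WebRTC media)
+    network_mode: host
+    restart: unless-stopped
+
+  lk-jwt-service:
+    image: ghcr.io/element-hq/lk-jwt-service:latest-ci
+    container_name: lk-jwt-service
+    environment:
+      - LIVEKIT_URL=wss://livekit.mx.vish.gg
+      - LIVEKIT_KEY=livekit_key
+      - LIVEKIT_SECRET=800649495d6b00e27fbafc71REDACTED_GITEA_TOKEN # pragma: allowlist secret
+      - LIVEKIT_FULL_ACCESS_HOMESERVERS=mx.vish.gg
+    ports:
+      - "8089:8080"
+    restart: unless-stopped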
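Review bot: `- LIVEKIT_SECRET=800649495d6b00e27fbafc71REDACTED_GITEA_TOKEN` commits the LiveKit API secret to the repository, and the same value is duplicated under `keys:` in livekit-config.yaml in this commit, so a leak of either file means minting valid room tokens for livekit.mx.vish.gg and a rotation has to be done in two places. Since the header says the file is managed manually on the host anyway, a host-side file is the natural home: add `env_file: /opt/livekit/.env` to `lk-jwt-service` (or write `- LIVEKIT_SECRET=${LIVEKIT_SECRET}` and let compose read a `.env` beside the file) and reserve the `# pragma: allowlist secret` marker for values that are genuinely not secrets. Both services also lack the `security_opt:` / `- no-new-privileges:true` hardening that crowdsec.yaml in this commit applies, and `lk-jwt-service` runs an unpinned `latest-ci` build of a token-issuing service; pinning it makes what is actually deployed reviewable. The header's "via NPM on Calypso" appears stale next to nginx-proxy-manager.yaml in the same commit, which records NPM moving off Calypso on 2026-03-20 — likely it should read matrix-ubuntu.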
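--- a/hosts/vms/matrix-ubuntu/livekit-config.yaml
+++ b/hosts/vms/matrix-ubuntu/livekit-config.yaml
@@ -0,0 +1,22 @@
+# LiveKit SFU configuration
+# Deployed at: /opt/livekit/livekit.yaml on matrix-ubuntu
+# Docs: https://docs.livekit.io/home/self-hosting/deployment/
+
+port: 7880
+rtc:
+  tcp_port: 7881
+  port_range_start: 50000
+  port_range_end: 60000
+  use_external_ip: true # Auto-detects 184.23.52.14
+  use_ice_lite: true
+
+room:
+  auto_create: false # Required — lk-jwt-service creates rooms for authorized users only
+
+keys:
+  # API key name: livekit_key
+  # Secret stored in livekit.yml docker-compose env var
+  livekit_key: 800649495d6b00e27fbafc71REDACTED_GITEA_TOKEN # pragma: allowlist secret
+
+logging:
+  level: info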
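Review bot: The comment `# Secret stored in livekit.yml docker-compose env var` names a file that does not exist in this commit — the compose header places it at `/opt/livekit/docker-compose.yml` — so someone rotating the key is sent to the wrong place. Suggest `# Must match LIVEKIT_SECRET in /opt/livekit/docker-compose.yml (lk-jwt-service); rotate both together`. The inline comment `# Auto-detects 184.23.52.14` records a detected public address that will silently go stale and ties a config file in VCS to the current WAN IP; `# Auto-detects the host's public IP at startup — do not hard-code it here` states the intent without the value. If the deployed livekit-server supports the `key_file` option, pointing `keys` at a file outside the repository would also remove the second committed copy of the secret.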
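--- a/hosts/vms/matrix-ubuntu/nginx-proxy-manager.yaml
+++ b/hosts/vms/matrix-ubuntu/nginx-proxy-manager.yaml
@@ -0,0 +1,22 @@
+# Nginx Proxy Manager — matrix-ubuntu VM
+# Reverse proxy for all homelab domains
+# Ports: 80 (HTTP), 443 (HTTPS), 81 (Admin UI)
+# URL: http://192.168.0.154:81 (admin)
+#
+# Migrated from Calypso 2026-03-20 to enable split-horizon DNS
+# (Synology nginx on Calypso occupied ports 80/443)
+
+services:
+  nginx-proxy-manager:
+    image: jc21/nginx-proxy-manager:latest
+    container_name: nginx-proxy-manager
+    ports:
+      - "80:80"
+      - "443:443"
+      - "81:81"
+    environment:
+      TZ: America/Los_Angeles
+    volumes:
+      - /opt/npm/data:/data
+      - /opt/npm/letsencrypt:/etc/letsencrypt
+    restart: unless-stopped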
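Review bot: `- "81:81"` publishes the NPM admin UI on every host interface, although the header documents a single admin URL, `http://192.168.0.154:81`; binding it as `- "192.168.0.154:81:81"` limits the admin login to the LAN address it is documented on and keeps it off any other interface the VM holds (the LiveKit compose header in this commit lists a second address, 100.85.21.51, on the same host). The service also lacks the `security_opt:` / `- no-new-privileges:true` setting that crowdsec.yaml in this commit applies; adding it here keeps the host's compose files consistent. `image: jc21/nginx-proxy-manager:latest` is unpinned on the component that terminates TLS for every homelab domain — a version tag makes upgrades deliberate and reviewable.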