diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5444ca7..8bd450a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -12,7 +12,3 @@ repos: - id: check-shebang-scripts-are-executable - id: check-merge-conflict - id: detect-private-key - - repo: https://github.com/IamTheFij/docker-pre-commit - rev: v3.0.1 - hooks: - - id: docker-compose-check diff --git a/docker-compose/cloudflared/docker-compose.yaml b/docker-compose/cloudflared/docker-compose.yaml new file mode 100644 index 0000000..771688a --- /dev/null +++ b/docker-compose/cloudflared/docker-compose.yaml @@ -0,0 +1,12 @@ +services: + cloudflared: + container_name: cloudflared + image: cloudflare/cloudflared:latest + restart: unless-stopped + command: tunnel --no-autoupdate run --token ${CLOUDFLARE_TOKEN} + networks: + - homelab-network + environment: + - ${CLOUDFLARE_TOKEN}=${CLOUDFLARE_TOKEN} + security_opt: + - no-new-privileges:true diff --git a/docker-compose/compose-template.yaml b/docker-compose/compose-template.yaml new file mode 100644 index 0000000..5438483 --- /dev/null +++ b/docker-compose/compose-template.yaml @@ -0,0 +1,8 @@ +services: + service_name: + container_name: service_name + restart: unless-stopped + networks: + - homelab-network + security_opt: + - no-new-privileges:true diff --git a/docker-compose/docker-compose.yaml b/docker-compose/docker-compose.yaml new file mode 100644 index 0000000..fd9bfdd --- /dev/null +++ b/docker-compose/docker-compose.yaml @@ -0,0 +1,46 @@ +version: "3.7" +name: "homelab" + +networks: + homelab-network: + driver: bridge + ipam: + config: + - subnet: 172.30.0.0/16 + ip_range: 172.30.0.0/24 + gateway: 172.30.0.1 + +include: + - path: ./portainer/docker-compose.yaml + project_directory: .. + env_file: docker-compose/.env + - path: ./uptime-kuma/docker-compose.yaml + project_directory: .. + env_file: docker-compose/.env + - path: ./heimdall/docker-compose.yaml + project_directory: .. + env_file: docker-compose/.env + - path: ./postgres/docker-compose.yaml + project_directory: .. + env_file: docker-compose/.env + - path: ./nextcloud/docker-compose.yaml + project_directory: .. + env_file: docker-compose/.env + - path: ./littlelink/docker-compose.yaml + project_directory: .. + env_file: docker-compose/.env + - path: ./ntp/docker-compose.yaml + project_directory: .. + env_file: docker-compose/.env + - path: ./cloudflared/docker-compose.yaml + project_directory: .. + env_file: docker-compose/.env + - path: ./wireguard/docker-compose.yaml + project_directory: .. + env_file: docker-compose/.env + - path: ./pihole/docker-compose.yaml + project_directory: .. + env_file: docker-compose/.env + - path: ./code-server/docker-compose.yaml + project_directory: .. + env_file: docker-compose/.env diff --git a/docker-compose/heimdall/docker-compose.yaml b/docker-compose/heimdall/docker-compose.yaml new file mode 100644 index 0000000..e08f3c0 --- /dev/null +++ b/docker-compose/heimdall/docker-compose.yaml @@ -0,0 +1,18 @@ +services: + heimdall: + container_name: heimdall + image: linuxserver/heimdall:2.5.8 + restart: unless-stopped + networks: + - homelab-network + environment: + - PUID=1000 + - PGID=1000 + - TZ=Africa/Nairobi + volumes: + - ~/docker-volumes/heimdall-config:/config + ports: + - 2010:80 + - 2011:443 + security_opt: + - no-new-privileges:true diff --git a/docker-compose/littlelink/docker-compose.yaml b/docker-compose/littlelink/docker-compose.yaml new file mode 100644 index 0000000..ee1fb7a --- /dev/null +++ b/docker-compose/littlelink/docker-compose.yaml @@ -0,0 +1,40 @@ +services: + littlelink: + container_name: littlelink + image: ghcr.io/techno-tim/littlelink-server:latest + restart: unless-stopped + networks: + - homelab-network + environment: + - META_TITLE=Rodney Osodo LittleLink + - META_DESCRIPTION=Software Engineer | Content Creator | Homelab | 🇰🇪 + - META_AUTHOR=Rodney Osodo + - META_KEYWORDS=HomeLab, Software Engineering, Mechatronics Engineering + - LANG=en + - META_INDEX_STATUS=all + - OG_SITE_NAME=Rodney Osodo + - OG_TITLE=Rodney Osodo + - OG_DESCRIPTION=The home of Rodney Osodo + - OG_URL=https://rodneyosodo.com + - OG_IMAGE=https://pbs.twimg.com/profile_images/1266015480206237704/j78P7w8U_400x400.jpg + - OG_IMAGE_WIDTH=400 + - OG_IMAGE_HEIGHT=400 + - THEME=Dark + - FAVICON_URL=https://pbs.twimg.com/profile_images/1266015480206237704/j78P7w8U_400x400.jpg + - AVATAR_URL=https://pbs.twimg.com/profile_images/1266015480206237704/j78P7w8U_400x400.jpg + - AVATAR_2X_URL=https://pbs.twimg.com/profile_images/1266015480206237704/j78P7w8U_400x400.jpg + - AVATAR_ALT=Rodney Osodo Profile Pic + - NAME=RodneyOsodo + - BIO=Software Engineer | Content Creator | Homelab | 🇰🇪 + - BUTTON_ORDER=GITHUB,TIKTOK,TWITTER,LINKED_IN,YOUTUBE,INSTAGRAM + - GITHUB=https://github.com/rodneyosodo + - TIKTOK=https://www.tiktok.com/@b1ackd0t + - TWITTER=https://twitter.com/b1ackd0t + - LINKED_IN=https://www.linkedin.com/in/rodneyosodo/ + - YOUTUBE=https://www.youtube.com/@rodneyosodo + - INSTAGRAM=https://www.instagram.com/rodneyosodo/ + - FOOTER=Rodney Osodo © 2022 + ports: + - 2040:3000 + security_opt: + - no-new-privileges:true diff --git a/docker-compose/nextcloud/docker-compose.yaml b/docker-compose/nextcloud/docker-compose.yaml new file mode 100644 index 0000000..c88e334 --- /dev/null +++ b/docker-compose/nextcloud/docker-compose.yaml @@ -0,0 +1,19 @@ +services: + nextcloud: + container_name: nextcloud + image: nextcloud:28.0.1 + restart: unless-stopped + networks: + - homelab-network + ports: + - 2030:80 + volumes: + - ~/docker-volumes/nextcloud:/var/www/html + environment: + - POSTGRES_USER=${POSTGRES_USER} + - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} + - POSTGRES_DB=${POSTGRES_DB} + - POSTGRES_HOST=postgres + # TODO: Add SMTP settings + security_opt: + - no-new-privileges:true diff --git a/docker-compose/ntp/docker-compose.yaml b/docker-compose/ntp/docker-compose.yaml new file mode 100644 index 0000000..a8ee8be --- /dev/null +++ b/docker-compose/ntp/docker-compose.yaml @@ -0,0 +1,17 @@ +services: + ntp: + container_name: ntp + image: cturra/ntp:latest + restart: unless-stopped + networks: + - homelab-network + ports: + - 123:123/udp + environment: + - NTP_SERVERS=time.cloudflare.com,time1.google.com,time2.google.com,time3.google.com + - LOG_LEVEL=0 + - TZ=Africa/Nairobi + - NOCLIENTLOG=true + # - ENABLE_NTS=true # Google NTS doesn't like this + security_opt: + - no-new-privileges:true diff --git a/docker-compose/pihole/docker-compose.yaml b/docker-compose/pihole/docker-compose.yaml new file mode 100644 index 0000000..ee10411 --- /dev/null +++ b/docker-compose/pihole/docker-compose.yaml @@ -0,0 +1,41 @@ +services: + pihole: + container_name: pihole + image: pihole/pihole:latest + restart: unless-stopped + networks: + homelab-network: + ipv4_address: 172.30.0.10 + ports: + - "53:53/tcp" + - "53:53/udp" + - "67:67/udp" + - "2050:80/tcp" + environment: + - TZ=Africa/Nairobi + - WEBPASSWORD=${PIHOLE_WEBPASSWORD} + - PIHOLE_DNS_=172.30.0.11#2051 + - DNSMASQ_LISTENING=all + - VIRTUAL_HOST=pihole.yourdomain.com + volumes: + - ~/docker-volumes/pihole:/etc/pihole + - ~/docker-volumes/pihole/etc-dnsmasq.d:/etc/dnsmasq.d + cap_add: + - NET_ADMIN + security_opt: + - no-new-privileges:true + + unbound: + container_name: unbound + image: mvance/unbound:latest + restart: unless-stopped + networks: + homelab-network: + ipv4_address: 172.30.0.11 + volumes: + - ./docker-compose/pihole/unbound/unbound.conf:/opt/unbound/etc/unbound/unbound.conf + ports: + - "2051:53/tcp" + - "2051:53/udp" + security_opt: + - no-new-privileges:true diff --git a/docker-compose/pihole/unbound/unbound.conf b/docker-compose/pihole/unbound/unbound.conf new file mode 100644 index 0000000..08129f3 --- /dev/null +++ b/docker-compose/pihole/unbound/unbound.conf @@ -0,0 +1,368 @@ +server: + ########################################################################### + # BASIC SETTINGS + ########################################################################### + # Time to live maximum for RRsets and messages in the cache. If the maximum + # kicks in, responses to clients still get decrementing TTLs based on the + # original (larger) values. When the internal TTL expires, the cache item + # has expired. Can be set lower to force the resolver to query for data + # often, and not trust (very large) TTL values. + cache-max-ttl: 86400 + + # Time to live minimum for RRsets and messages in the cache. If the minimum + # kicks in, the data is cached for longer than the domain owner intended, + # and thus less queries are made to look up the data. Zero makes sure the + # data in the cache is as the domain owner intended, higher values, + # especially more than an hour or so, can lead to trouble as the data in + # the cache does not match up with the actual data any more. + cache-min-ttl: 300 + + # Set the working directory for the program. + directory: "/opt/unbound/etc/unbound" + + # Enable or disable whether IPv4 queries are answered or issued. + # Default: yes + do-ip4: yes + + # Enable or disable whether IPv6 queries are answered or issued. + # If disabled, queries are not answered on IPv6, and queries are not sent + # on IPv6 to the internet nameservers. With this option you can disable the + # IPv6 transport for sending DNS traffic, it does not impact the contents + # of the DNS traffic, which may have IPv4 (A) and IPv6 (AAAA) addresses in + # it. + # Default: yes + # May be set to yes if you have IPv6 connectivity + do-ip6: yes + + # Enable or disable whether TCP queries are answered or issued. + # Default: yes + do-tcp: yes + + # Enable or disable whether UDP queries are answered or issued. + # Default: yes + do-udp: yes + + # RFC 6891. Number of bytes size to advertise as the EDNS reassembly buffer + # size. This is the value put into datagrams over UDP towards peers. + # The actual buffer size is determined by msg-buffer-size (both for TCP and + # UDP). Do not set higher than that value. + # Default is 1232 which is the DNS Flag Day 2020 recommendation. + # Setting to 512 bypasses even the most stringent path MTU problems, but + # is seen as extreme, since the amount of TCP fallback generated is + # excessive (probably also for this resolver, consider tuning the outgoing + # tcp number). + edns-buffer-size: 1232 + + # Listen to for queries from clients and answer from this network interface + # and port. + interface: 0.0.0.0@2051 + # interface: ::0 + port: 53 + + # If enabled, prefer IPv6 transport for sending DNS queries to internet + # nameservers. + # Default: yes + # You want to leave this to no unless you have *native* IPv6. With 6to4 and + # Terredo tunnels your web browser should favor IPv4 for the same reasons + prefer-ip6: no + + # Rotates RRSet order in response (the pseudo-random number is taken from + # the query ID, for speed and thread safety). + rrset-roundrobin: yes + + # Drop user privileges after binding the port. + username: "_unbound" + + ########################################################################### + # LOGGING + ########################################################################### + + # Do not print log lines to inform about local zone actions + log-local-actions: no + + # Do not print one line per query to the log + log-queries: no + + # Do not print one line per reply to the log + log-replies: no + + # Do not print log lines that say why queries return SERVFAIL to clients + log-servfail: no + + # If you want to log to a file, use: + # logfile: /opt/unbound/etc/unbound/unbound.log + # Set log location (using /dev/null further limits logging) + logfile: /dev/null + + # Set logging level + # Level 0: No verbosity, only errors. + # Level 1: Gives operational information. + # Level 2: Gives detailed operational information including short information per query. + # Level 3: Gives query level information, output per query. + # Level 4: Gives algorithm level information. + # Level 5: Logs client identification for cache misses. + verbosity: 0 + + ########################################################################### + # PERFORMANCE SETTINGS + ########################################################################### + # https://nlnetlabs.nl/documentation/unbound/howto-optimise/ + # https://nlnetlabs.nl/news/2019/Feb/05/unbound-1.9.0-released/ + + # Number of slabs in the infrastructure cache. Slabs reduce lock contention + # by threads. Must be set to a power of 2. + infra-cache-slabs: 4 + + # Number of incoming TCP buffers to allocate per thread. Default + # is 10. If set to 0, or if do-tcp is "no", no TCP queries from + # clients are accepted. For larger installations increasing this + # value is a good idea. + incoming-num-tcp: 10 + + # Number of slabs in the key cache. Slabs reduce lock contention by + # threads. Must be set to a power of 2. Setting (close) to the number + # of cpus is a reasonable guess. + key-cache-slabs: 4 + + # Number of bytes size of the message cache. + # Unbound recommendation is to Use roughly twice as much rrset cache memory + # as you use msg cache memory. + msg-cache-size: 142768128 + + # Number of slabs in the message cache. Slabs reduce lock contention by + # threads. Must be set to a power of 2. Setting (close) to the number of + # cpus is a reasonable guess. + msg-cache-slabs: 4 + + # The number of queries that every thread will service simultaneously. If + # more queries arrive that need servicing, and no queries can be jostled + # out (see jostle-timeout), then the queries are dropped. + # This is best set at half the number of the outgoing-range. + # This Unbound instance was compiled with libevent so it can efficiently + # use more than 1024 file descriptors. + num-queries-per-thread: 4096 + + # The number of threads to create to serve clients. + # This is set dynamically at run time to effectively use available CPUs + # resources + num-threads: 3 + + # Number of ports to open. This number of file descriptors can be opened + # per thread. + # This Unbound instance was compiled with libevent so it can efficiently + # use more than 1024 file descriptors. + outgoing-range: 8192 + + # Number of bytes size of the RRset cache. + # Use roughly twice as much rrset cache memory as msg cache memory + rrset-cache-size: 285536256 + + # Number of slabs in the RRset cache. Slabs reduce lock contention by + # threads. Must be set to a power of 2. + rrset-cache-slabs: 4 + + # Do no insert authority/additional sections into response messages when + # those sections are not required. This reduces response size + # significantly, and may avoid TCP fallback for some responses. This may + # cause a slight speedup. + minimal-responses: yes + + # # Fetch the DNSKEYs earlier in the validation process, when a DS record + # is encountered. This lowers the latency of requests at the expense of + # little more CPU usage. + prefetch: yes + + # Fetch the DNSKEYs earlier in the validation process, when a DS record is + # encountered. This lowers the latency of requests at the expense of little + # more CPU usage. + prefetch-key: yes + + # Have unbound attempt to serve old responses from cache with a TTL of 0 in + # the response without waiting for the actual resolution to finish. The + # actual resolution answer ends up in the cache later on. + serve-expired: yes + + # If not 0, then set the SO_RCVBUF socket option to get more buffer space on + # UDP port 53 incoming queries. So that short spikes on busy servers do not + # drop packets (see counter in netstat -su). Otherwise, the number of bytes + # to ask for, try �4m� on a busy server. + # The OS caps it at a maximum, on linux Unbound needs root permission to + # bypass the limit, or the admin can use sysctl net.core.rmem_max. + # Default: 0 (use system value) + # For example: sysctl -w net.core.rmem_max=4194304 + # To persist reboots, edit /etc/sysctl.conf to include: + # net.core.rmem_max=4194304 + # Larger socket buffer. OS may need config. + # Ensure kernel buffer is large enough to not lose messages in traffic spikes + #so-rcvbuf: 4m + + # Open dedicated listening sockets for incoming queries for each thread and + # try to set the SO_REUSEPORT socket option on each socket. May distribute + # incoming queries to threads more evenly. + so-reuseport: yes + + # If not 0, then set the SO_SNDBUF socket option to get more buffer space + # on UDP port 53 outgoing queries. + # Specify the number of bytes to ask for, try �4m� on a very busy server. + # The OS caps it at a maximum, on linux Unbound needs root permission to + # bypass the limit, or the admin can use sysctl net.core.wmem_max. + # For example: sysctl -w net.core.wmem_max=4194304 + # To persist reboots, edit /etc/sysctl.conf to include: + # net.core.wmem_max=4194304 + # Default: 0 (use system value) + # Larger socket buffer. OS may need config. + # Ensure kernel buffer is large enough to not lose messages in traffic spikes + #so-sndbuf: 4m + + ########################################################################### + # PRIVACY SETTINGS + ########################################################################### + + # RFC 8198. Use the DNSSEC NSEC chain to synthesize NXDO-MAIN and other + # denials, using information from previous NXDO-MAINs answers. In other + # words, use cached NSEC records to generate negative answers within a + # range and positive answers from wildcards. This increases performance, + # decreases latency and resource utilization on both authoritative and + # recursive servers, and increases privacy. Also, it may help increase + # resilience to certain DoS attacks in some circumstances. + aggressive-nsec: yes + + # Extra delay for timeouted UDP ports before they are closed, in msec. + # This prevents very delayed answer packets from the upstream (recursive) + # servers from bouncing against closed ports and setting off all sort of + # close-port counters, with eg. 1500 msec. When timeouts happen you need + # extra sockets, it checks the ID and remote IP of packets, and unwanted + # packets are added to the unwanted packet counter. + delay-close: 10000 + + # Prevent the unbound server from forking into the background as a daemon + do-daemonize: no + + # Add localhost to the do-not-query-address list. + do-not-query-localhost: no + + # Number of bytes size of the aggressive negative cache. + neg-cache-size: 4M + + # Send minimum amount of information to upstream servers to enhance + # privacy (best privacy). + qname-minimisation: yes + + ########################################################################### + # SECURITY SETTINGS + ########################################################################### + # Only give access to recursion clients from LAN IPs + access-control: 127.0.0.1/32 allow + access-control: 192.168.0.0/16 allow + access-control: 172.16.0.0/12 allow + access-control: 10.0.0.0/8 allow + access-control: fc00::/7 allow + access-control: ::1/128 allow + + # File with trust anchor for one zone, which is tracked with RFC5011 + # probes. + auto-trust-anchor-file: "var/root.key" + + # Enable chroot (i.e, change apparent root directory for the current + # running process and its children) + chroot: "/opt/unbound/etc/unbound" + + # Deny queries of type ANY with an empty response. + deny-any: yes + + # Harden against algorithm downgrade when multiple algorithms are + # advertised in the DS record. + harden-algo-downgrade: yes + + # RFC 8020. returns nxdomain to queries for a name below another name that + # is already known to be nxdomain. + harden-below-nxdomain: yes + + # Require DNSSEC data for trust-anchored zones, if such data is absent, the + # zone becomes bogus. If turned off you run the risk of a downgrade attack + # that disables security for a zone. + harden-dnssec-stripped: yes + + # Only trust glue if it is within the servers authority. + harden-glue: yes + + # Ignore very large queries. + harden-large-queries: yes + + # Perform additional queries for infrastructure data to harden the referral + # path. Validates the replies if trust anchors are configured and the zones + # are signed. This enforces DNSSEC validation on nameserver NS sets and the + # nameserver addresses that are encountered on the referral path to the + # answer. Experimental option. + harden-referral-path: no + + # Ignore very small EDNS buffer sizes from queries. + harden-short-bufsize: yes + + # If enabled the HTTP header User-Agent is not set. Use with caution + # as some webserver configurations may reject HTTP requests lacking + # this header. If needed, it is better to explicitly set the + # the http-user-agent. + hide-http-user-agent: no + + # Refuse id.server and hostname.bind queries + hide-identity: yes + + # Refuse version.server and version.bind queries + hide-version: yes + + # Set the HTTP User-Agent header for outgoing HTTP requests. If + # set to "", the default, then the package name and version are + # used. + http-user-agent: "DNS" + + # Report this identity rather than the hostname of the server. + identity: "DNS" + + # These private network addresses are not allowed to be returned for public + # internet names. Any occurrence of such addresses are removed from DNS + # answers. Additionally, the DNSSEC validator may mark the answers bogus. + # This protects against DNS Rebinding + private-address: 10.0.0.0/8 + private-address: 172.16.0.0/12 + private-address: 192.168.0.0/16 + private-address: 169.254.0.0/16 + private-address: fd00::/8 + private-address: fe80::/10 + private-address: ::ffff:0:0/96 + + # Enable ratelimiting of queries (per second) sent to nameserver for + # performing recursion. More queries are turned away with an error + # (servfail). This stops recursive floods (e.g., random query names), but + # not spoofed reflection floods. Cached responses are not rate limited by + # this setting. Experimental option. + ratelimit: 1000 + + # Use this certificate bundle for authenticating connections made to + # outside peers (e.g., auth-zone urls, DNS over TLS connections). + tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt + + # Set the total number of unwanted replies to eep track of in every thread. + # When it reaches the threshold, a defensive action of clearing the rrset + # and message caches is taken, hopefully flushing away any poison. + # Unbound suggests a value of 10 million. + unwanted-reply-threshold: 10000 + + # Use 0x20-encoded random bits in the query to foil spoof attempts. This + # perturbs the lowercase and uppercase of query names sent to authority + # servers and checks if the reply still has the correct casing. + # This feature is an experimental implementation of draft dns-0x20. + # Experimental option. + # Don't use Capitalization randomization as it known to cause DNSSEC issues + # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 + use-caps-for-id: yes + + # Help protect users that rely on this validator for authentication from + # potentially bad data in the additional section. Instruct the validator to + # remove data from the additional section of secure messages that are not + # signed properly. Messages that are insecure, bogus, indeterminate or + # unchecked are not affected. + val-clean-additional: yes + +remote-control: + control-enable: no diff --git a/docker-compose/portainer/docker-compose.yaml b/docker-compose/portainer/docker-compose.yaml new file mode 100644 index 0000000..a6f1a2c --- /dev/null +++ b/docker-compose/portainer/docker-compose.yaml @@ -0,0 +1,19 @@ +volumes: + portainer-data: + driver: local + +services: + portainer: + container_name: portainer + image: portainer/portainer-ce:2.19.4-alpine + restart: unless-stopped + networks: + - homelab-network + ports: + - 9443:9443 + - 8000:8000 + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - ~/docker-volumes/portainer-data:/data + security_opt: + - no-new-privileges:true diff --git a/docker-compose/postgres/docker-compose.yaml b/docker-compose/postgres/docker-compose.yaml new file mode 100644 index 0000000..0d1bf8e --- /dev/null +++ b/docker-compose/postgres/docker-compose.yaml @@ -0,0 +1,17 @@ +services: + postgres: + container_name: postgres + image: postgres:16.1-alpine + restart: unless-stopped + networks: + - homelab-network + environment: + - POSTGRES_USER=${POSTGRES_USER} + - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} + - POSTGRES_DB=${POSTGRES_DB} + ports: + - 5432:5432 + volumes: + - ~/docker-volumes/postgres-data:/var/lib/postgresql/data + security_opt: + - no-new-privileges:true diff --git a/docker-compose/uptime-kuma/docker-compose.yaml b/docker-compose/uptime-kuma/docker-compose.yaml new file mode 100644 index 0000000..3905db9 --- /dev/null +++ b/docker-compose/uptime-kuma/docker-compose.yaml @@ -0,0 +1,14 @@ +services: + uptime-kuma: + container_name: uptime-kuma + image: louislam/uptime-kuma:1.23.11-alpine + restart: unless-stopped + networks: + - homelab-network + ports: + - 3001:3001 + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - ~/docker-volumes/uptime-kuma-data:/app/data + security_opt: + - no-new-privileges:true diff --git a/docker-compose/wireguard/docker-compose.yaml b/docker-compose/wireguard/docker-compose.yaml new file mode 100644 index 0000000..ed99627 --- /dev/null +++ b/docker-compose/wireguard/docker-compose.yaml @@ -0,0 +1,24 @@ +services: + wireguard: + container_name: wireguard + image: ghcr.io/wg-easy/wg-easy:latest + restart: unless-stopped + networks: + - homelab-network + environment: + - LANG=en + - WG_HOST=vpn.homelab.rodneyosodo.com + - PASSWORD=${WIREGUARD_PASSWORD} + volumes: + - ~/docker-volumes/wireguard:/etc/wireguard + ports: + - "51820:51820/udp" + - "51821:51821/tcp" + cap_add: + - NET_ADMIN + - SYS_MODULE + sysctls: + - net.ipv4.ip_forward=1 + - net.ipv4.conf.all.src_valid_mark=1 + security_opt: + - no-new-privileges:true