traefik: feat: Add custom error pages

.gitignore

@@ -1,5 +1,11 @@
 # macOS
 .DS_Store
+._*
 
-# Docker
-.env
+# Ignore Docker env files
+*.env
+# excluding example env files
+!*.example.env
+
+# Ignore all directories ending with data
+*data/

flame/.env.example

@@ -0,0 +1,2 @@
+FLAME_PASSWORD=password_goes_here
+FLAME_ROUTERS_RULE=Host(`domain_goes_here`) || Host(`domain_goes_here`)

flame/docker-compose.yml

@@ -20,7 +20,7 @@ services:
       - public
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.flame.rule=Host(`ykz.app`) || Host(`www.ykz.app`)"
+      - "traefik.http.routers.flame.rule=${FLAME_ROUTERS_RULE}"
       - "traefik.http.routers.flame.middlewares=redirect-www@docker"
       - "traefik.http.middlewares.redirect-www.redirectregex.regex=^https?://www\\.(.+)"
       - "traefik.http.middlewares.redirect-www.redirectregex.replacement=https://$${1}"

freshrss/.env.example

@@ -0,0 +1,11 @@
+# set IS_ARM to :arm for ARM version
+IS_ARM=
+
+FRESHRSS_DOMAIN=freshrss.ykz.app
+CRON_MIN=2,32
+
+# Variables below are only used at the very first run
+ADMIN_USERNAME=admin_username_goes_here
+ADMIN_EMAIL=admin_email_goes_here
+ADMIN_PASSWORD=admin_password_goes_here
+ADMIN_API_PASSWORD=admin_api_password_goes_here

freshrss/docker-compose.yml

@@ -0,0 +1,48 @@
+version: "3.9"
+
+networks:
+  public:
+    external: true
+
+services:
+  freshrss:
+    image: freshrss/freshrss${IS_ARM}
+    container_name: freshrss
+    restart: always
+    logging:
+      options:
+        max-size: 10m
+    volumes:
+      - "./freshrss-data:/var/www/FreshRSS/data"
+      - "./freshrss-extensions-data:/var/www/FreshRSS/extensions"
+    environment:
+      TZ: Asia/Singapore
+      CRON_MIN: '${CRON_MIN}'
+      FRESHRSS_INSTALL: |-
+        --api_enabled
+        --default_user ${ADMIN_USERNAME}
+        --language en
+      FRESHRSS_USER: |-
+        --api_password ${ADMIN_API_PASSWORD}
+        --email ${ADMIN_EMAIL}
+        --language en
+        --password ${ADMIN_PASSWORD}
+        --user ${ADMIN_USERNAME}
+    # ports:
+    #   - "80:80"
+    networks:
+      - public
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.freshrss.rule=Host(`${FRESHRSS_DOMAIN}`)"
+      - "traefik.http.routers.freshrss.service=freshrss-service"
+      - "traefik.http.services.freshrss-service.loadbalancer.server.port=80"
+      - "traefik.http.routers.freshrss.tls=true"
+      - "traefik.http.routers.freshrss.tls.certresolver=le"
+      - traefik.http.middlewares.freshrssM1.compress=true
+      - traefik.http.middlewares.freshrssM2.headers.browserXssFilter=true
+      - traefik.http.middlewares.freshrssM2.headers.forceSTSHeader=true
+      - traefik.http.middlewares.freshrssM2.headers.frameDeny=true
+      - traefik.http.middlewares.freshrssM2.headers.referrerPolicy=no-referrer-when-downgrade
+      - traefik.http.middlewares.freshrssM2.headers.stsSeconds=31536000
+      - traefik.http.routers.freshrss.middlewares=freshrssM1,freshrssM2

homeassistant/.env.example

@@ -0,0 +1 @@
+HOMEASSISTANT_DOMAIN=domain_goes_here

homeassistant/docker-compose.yml

@@ -0,0 +1,11 @@
+version: "3.9"
+
+services:
+  homeassistant:
+    image: "ghcr.io/home-assistant/home-assistant:stable"
+    container_name: homeassistant
+    restart: always
+    volumes:
+      - "./homeassistant-config-data:/config"
+      - "/etc/localtime:/etc/localtime:ro"
+    network_mode: host

ipsec-vpn/docker-compose.yml

@@ -0,0 +1,22 @@
+version: "3.9"
+
+networks:
+  dns_net:
+    external: true
+
+services:
+  ipsec-vpn:
+    image: hwdsl2/ipsec-vpn-server
+    container_name: ipsec-vpn
+    restart: always
+    env_file:
+      - ./vpn.env
+    volumes:
+      - "./ikev2-vpn-data:/etc/ipsec.d"
+      - "/lib/modules:/lib/modules:ro"
+    ports:
+      - "500:500/udp"
+      - "4500:4500/udp"
+    networks:
+      - dns_net
+    privileged: true

ipsec-vpn/vpn.env.example

@@ -0,0 +1,37 @@
+# Note: All the variables to this image are optional.
+# See README for more information.
+# To use, uncomment and replace with your own values.
+
+# Define IPsec PSK, VPN username and password
+# - DO NOT put "" or '' around values, or add space around =
+# - DO NOT use these special characters within values: \ " '
+VPN_IPSEC_PSK=psk_goes_here
+VPN_USER=username_goes_here
+VPN_PASSWORD=password_goes_here
+
+# Define additional VPN users
+# - DO NOT put "" or '' around values, or add space around =
+# - DO NOT use these special characters within values: \ " '
+# - Usernames and passwords must be separated by spaces
+# VPN_ADDL_USERS=additional_username_1 additional_username_2
+# VPN_ADDL_PASSWORDS=additional_password_1 additional_password_2
+
+# Use a DNS name for the VPN server
+# - The DNS name must be a fully qualified domain name (FQDN)
+VPN_DNS_NAME=domain_name_goes_here
+
+# Specify a name for the first IKEv2 client
+# - Use one word only, no special characters except '-' and '_'
+# - The default is 'vpnclient' if not specified
+# VPN_CLIENT_NAME=your_client_name
+
+# Use alternative DNS servers
+# - By default, clients are set to use Google Public DNS
+# - Example below shows Cloudflare's DNS service
+VPN_DNS_SRV1=dns_server_goes_here
+# VPN_DNS_SRV2=1.1.1.1
+
+# Protect IKEv2 client config files using a password
+# - By default, no password is required when importing IKEv2 client configuration
+# - Uncomment if you want to protect these files using a random password
+# VPN_PROTECT_CONFIG=yes

nextcloud/.env.example

@@ -0,0 +1,4 @@
+NEXTCLOUD_DOMAIN=nextcloud_domain_goes_here
+DB_ROOT_PASSWORD=mariadb_root_password_goes_here
+NEXTCLOUD_DB_PASSWORD=mariadb_nextcloud_user_password_goes_here
+COLLABORA_DOMAIN=collabora_domain_goes_here

nextcloud/docker-compose.yml

@@ -0,0 +1,76 @@
+version: "3.9"
+
+networks:
+  public:
+    external: true
+
+services:
+  nextcloud:
+    image: lscr.io/linuxserver/nextcloud:latest
+    container_name: nextcloud
+    restart: always
+    volumes:
+      - "./nextcloud-config-data:/config"
+      - "./nextcloud-data:/data"
+    environment:
+      - "PUID=1000"
+      - "PGID=1000"
+      - "TZ=Asia/Singapore"
+    # ports:
+    #   - "443:443"
+    networks:
+      - public
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.nextcloud.rule=Host(`${NEXTCLOUD_DOMAIN}`)"
+      - "traefik.http.routers.nextcloud.service=nextcloud-service"
+      - "traefik.http.services.nextcloud-service.loadbalancer.server.port=443"
+      - "traefik.http.services.nextcloud-service.loadbalancer.server.scheme=https"
+      - "traefik.http.routers.nextcloud.tls=true"
+      - "traefik.http.routers.nextcloud.tls.certresolver=le"
+      # Nextcloud DAV services discovery
+      - "traefik.http.middlewares.nextcloud-redirectregex.redirectregex.regex=https://(.*)/.well-known/(card|cal)dav"
+      - "traefik.http.middlewares.nextcloud-redirectregex.redirectregex.replacement=https://$${1}/remote.php/dav/"
+      - "traefik.http.middlewares.nextcloud-redirectregex.redirectregex.permanent=true"
+      # HSTS
+      - "traefik.http.middlewares.nextcloud-headers.headers.stsSeconds=15552000"
+      # Apply middlewares
+      - "traefik.http.routers.nextcloud.middlewares=nextcloud-redirectregex,nextcloud-headers"
+
+  mariadb:
+    image: lscr.io/linuxserver/mariadb:latest
+    container_name: mariadb
+    restart: always
+    volumes:
+      - "./mariadb-data:/config"
+    environment:
+      - "PUID=1000"
+      - "PGID=1000"
+      - "MYSQL_ROOT_PASSWORD=${DB_ROOT_PASSWORD}"
+      - "TZ=Asia/Singapore"
+      - "MYSQL_DATABASE=nextcloud_db"
+      - "MYSQL_USER=nextcloud"
+      - "MYSQL_PASSWORD=${NEXTCLOUD_DB_PASSWORD}"
+    # ports:
+    #   - "3306:3306"
+    networks:
+      - public
+
+  collabora:
+    image: collabora/code
+    container_name: collabora
+    restart: always
+    environment:
+      - "domain=${NEXTCLOUD_DOMAIN}"
+      - "extra_params=--o:ssl.enable=false --o:ssl.termination=true"
+    # ports:
+    #   - "9980:9980"
+    networks:
+      - public
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.collabora.rule=Host(`${COLLABORA_DOMAIN}`)"
+      - "traefik.http.routers.collabora.service=collabora-service"
+      - "traefik.http.services.collabora-service.loadbalancer.server.port=9980"
+      - "traefik.http.routers.collabora.tls=true"
+      - "traefik.http.routers.collabora.tls.certresolver=le"

pihole/docker-compose.yml

@@ -1,7 +1,10 @@
 version: "3.9"
 
 networks:
+  public:
+    external: true
   dns_net:
+    name: dns_net
     driver: bridge
     ipam:
       config:
@@ -15,9 +18,10 @@ services:
     ports:
       - "53:53/tcp"
       - "53:53/udp"
-      - "8180:80/tcp"
+      # - "8180:80/tcp"
     hostname: pihole
     networks:
+      public: {}
       dns_net:
         ipv4_address: 172.20.0.10
     environment:
@@ -25,16 +29,29 @@ services:
       - "WEBPASSWORD=${PIHOLE_PASSWORD}"
       - "DNS1=172.20.0.11#5335"
       - "DNS2=no"
+      - "DNSMASQ_USER=root"
     volumes:
-      - "./etc-pihole/:/etc/pihole/"
-      - "./etc-dnsmasq.d/:/etc/dnsmasq.d/"
+      - "./pihole-data/:/etc/pihole/"
+      - "./dnsmasq.d-data/:/etc/dnsmasq.d/"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.pihole.rule=Host(`${PIHOLE_DOMAIN}`)"
+      - "traefik.http.routers.pihole.service=pihole-service"
+      - "traefik.http.services.pihole-service.loadbalancer.server.port=80"
+      - "traefik.http.routers.pihole.tls=true"
+      - "traefik.http.routers.pihole.tls.certresolver=le"
+      # - "traefik.http.middlewares.pihole-admin.addprefix.prefix=/admin"
+      - "traefik.http.middlewares.pihole-redirect.redirectregex.regex=^https://pihole.ykz.app/$$"
+      - "traefik.http.middlewares.pihole-redirect.redirectregex.replacement=https://pihole.ykz.app/admin"
+      - "traefik.http.middlewares.pihole-redirect.redirectregex.permanent=true"
+      - "traefik.http.routers.pihole.middlewares=pihole-redirect"
 
   unbound:
-    image: mvance/unbound-rpi:latest
+    image: mvance/unbound${IS_RPI}:latest
     container_name: unbound
     restart: always
     volumes:
-      - "./unbound:/opt/unbound/etc/unbound"
+      - "./unbound-data:/opt/unbound/etc/unbound"
     networks:
       dns_net:
         ipv4_address: 172.20.0.11

pihole/fetch_root_hints.sh

@@ -1,3 +1,3 @@
 #!/usr/bin/env bash
 
-wget https://www.internic.net/domain/named.root -O unbound/root.hints
+wget https://www.internic.net/domain/named.root -O unbound-data/root.hints

syncthing/.env.example

@@ -0,0 +1,2 @@
+SYNCTHING_DOMAIN=domain_goes_here
+SYNCTHING_HOSTNAME=hostname_goes_here # will appear on dashboard

syncthing/docker-compose.yml

@@ -0,0 +1,32 @@
+version: "3.9"
+
+networks:
+  public:
+    external: true
+
+services:
+  syncthing:
+    image: syncthing/syncthing
+    container_name: syncthing
+    hostname: ${SYNCTHING_HOSTNAME}
+    restart: always
+    volumes:
+      - "./syncthing-data:/var/syncthing"
+      - "../vaultwarden/vaultwarden-data:/mnt/vaultwarden-data"
+    environment:
+      - "PUID=1000"
+      - "PGID=1000"
+    ports:
+      # - "8384:8384" # Web UI
+      - "22000:22000/tcp" # TCP file transfers
+      - "22000:22000/udp" # QUIC file transfers
+      - "21027:21027/udp" # Receive local discovery broadcasts
+    networks:
+      - public
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.syncthing.rule=Host(`${SYNCTHING_DOMAIN}`)"
+      - "traefik.http.routers.syncthing.service=syncthing-service"
+      - "traefik.http.services.syncthing-service.loadbalancer.server.port=8384"
+      - "traefik.http.routers.syncthing.tls=true"
+      - "traefik.http.routers.syncthing.tls.certresolver=le"

traefik/.gitignore

@@ -1 +1,2 @@
 acme.json
+certs/

traefik/docker-compose.yml

@@ -18,20 +18,25 @@ services:
     volumes:
       - "/var/run/docker.sock:/var/run/docker.sock:ro"
       - "./acme.json:/acme.json"
+      - "./dynamic:/etc/traefik/dynamic"
+      - "./certs:/certs"
     ports:
       - "80:80"
       - "443:443"
-      - "8080:8080"
+      # - "8080:8080"
     networks:
-      - public
+      public:
+        ipv4_address: 172.22.0.254
     command:
       - "--log.level=DEBUG"
       - "--api.insecure=true"
       - "--providers.docker=true"
       - "--providers.docker.exposedbydefault=false"
+      - "--providers.docker.network=public"
       - "--entrypoints.web.address=:80"
       - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
       - "--entrypoints.websecure.address=:443"
+      - "--providers.file.directory=/etc/traefik/dynamic"
 
       # Let's Encrypt
       - "--certificatesresolvers.le.acme.email=${CF_API_EMAIL}"
@@ -40,3 +45,41 @@ services:
       - "--certificatesresolvers.le.acme.dnschallenge=true"
       - "--certificatesresolvers.le.acme.dnschallenge.provider=cloudflare"
       - "--certificatesresolvers.le.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
+      - "--serversTransport.insecureSkipVerify=true"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.dashboard.rule=Host(`${TRAEFIK_DOMAIN}`)"
+      - "traefik.http.routers.dashboard.service=dashboard-service"
+      - "traefik.http.services.dashboard-service.loadbalancer.server.port=8080"
+      - "traefik.http.routers.dashboard.tls=true"
+      - "traefik.http.routers.dashboard.tls.certresolver=le"
+      - "traefik.http.middlewares.dashboard-basicauth.basicauth.users=${BASIC_AUTH_CREDENTIALS}"
+      - "traefik.http.routers.dashboard.middlewares=dashboard-basicauth,error-pages-middleware"
+
+  error-pages:
+    image: tarampampam/error-pages
+    container_name: error-pages
+    restart: always
+    environment:
+      TEMPLATE_NAME: lost-in-space
+      SHOW_DETAILS: true
+    labels:
+      traefik.enable: true
+      # use as "fallback" for any NON-registered services (with priority below normal)
+      traefik.http.routers.error-pages.rule: HostRegexp(`{host:.+}`) || Host(`error.ykz.app`)
+      traefik.http.routers.error-pages.priority: 10
+      # "errors" middleware settings
+      traefik.http.routers.error-pages.middlewares: error-pages-middleware
+      traefik.http.middlewares.error-pages-middleware.errors.status: 400-599
+      traefik.http.middlewares.error-pages-middleware.errors.service: error-pages-service
+      traefik.http.middlewares.error-pages-middleware.errors.query: /{status}.html
+      # define service properties
+      traefik.http.services.error-pages-service.loadbalancer.server.port: 8080
+      traefik.http.routers.error-pages.service: error-pages-service
+      traefik.http.routers.error-pages.tls: true
+      traefik.http.routers.error-pages.tls.certresolver: le
+      traefik.http.routers.traefik.middlewares: error-pages-middleware
+    networks:
+      - public
+    depends_on:
+      - traefik

traefik/dynamic/cert-neteasemusic.yml

@@ -0,0 +1,4 @@
+tls:
+  certificates:
+    - certFile: /certs/neteasemusic.crt
+      keyFile: /certs/neteasemusic.key

traefik/dynamic/homeassistant.yml

@@ -0,0 +1,13 @@
+http:
+  routers:
+    homeassistant:
+      rule: "Host(`ha.ykz.app`)"
+      tls:
+        certResolver: le
+      service: homeassistant
+  services:
+    homeassistant:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.2.200:8123"
+

traefik/dynamic/neteasemusic.yml

@@ -0,0 +1,18 @@
+http:
+  routers:
+    neteasemusic:
+      rule: "Host(`music.163.com`)"
+      tls: {}
+      middlewares: unblockNeteaseMusic
+      service: neteasemusic
+  services:
+    neteasemusic:
+      loadBalancer:
+        servers:
+          - url: "https://music.163.com"
+  middlewares:
+    unblockNeteaseMusic:
+      headers:
+        customRequestHeaders:
+          X-Real-IP: "1.1.0.0"
+          X-Forwarded-For: "1.1.0.0"

uptime-kuma/.env.example

@@ -0,0 +1 @@
+UPTIME_KUMA_DOMAIN=domain_goes_here

uptime-kuma/docker-compose.yml

@@ -0,0 +1,25 @@
+version: "3.9"
+
+networks:
+  public:
+    external: true
+
+services:
+  uptime-kuma:
+    image: louislam/uptime-kuma
+    container_name: uptime-kuma
+    restart: always
+    volumes:
+      - "./uptime-kuma-data:/app/data"
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+    # ports:
+    #   - "3001:3001"
+    networks:
+      - public
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.uptime-kuma.rule=Host(`${UPTIME_KUMA_DOMAIN}`)"
+      - "traefik.http.routers.uptime-kuma.service=uptime-kuma-service"
+      - "traefik.http.services.uptime-kuma-service.loadbalancer.server.port=3001"
+      - "traefik.http.routers.uptime-kuma.tls=true"
+      - "traefik.http.routers.uptime-kuma.tls.certresolver=le"

vaultwarden/.env.example

@@ -0,0 +1,3 @@
+SIGNUPS_ALLOWED=false # set to true to allow signups
+VAULTWARDEN_DOMAIN=domain_goes_here
+ADMIN_TOKEN=token_goes_here

vaultwarden/docker-compose.yml

@@ -0,0 +1,29 @@
+version: "3.9"
+
+networks:
+  public:
+    external: true
+
+services:
+  vaultwarden:
+    image: vaultwarden/server
+    container_name: vaultwarden
+    restart: always
+    volumes:
+      - "./vaultwarden-data:/data"
+    environment:
+      - "WEBSOCKET_ENABLED=true"
+      - "SIGNUPS_ALLOWED=${SIGNUPS_ALLOWED}"
+      - "ADMIN_TOKEN=${ADMIN_TOKEN}"
+      - "DOMAIN=https://${VAULTWARDEN_DOMAIN}"
+    # ports:
+    #   - "80:80"
+    networks:
+      - public
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.vaultwarden.rule=Host(`${VAULTWARDEN_DOMAIN}`)"
+      - "traefik.http.routers.vaultwarden.service=vaultwarden-service"
+      - "traefik.http.services.vaultwarden-service.loadbalancer.server.port=80"
+      - "traefik.http.routers.vaultwarden.tls=true"
+      - "traefik.http.routers.vaultwarden.tls.certresolver=le"

wg-easy/.env.example

@@ -0,0 +1,5 @@
+WG_HOST=vpn_domain_goes_here
+WG_DOMAIN=web_ui_domain_goes_here
+WG_PASSWORD=password_goes_here
+WG_PORT=51820
+WG_DEFAULT_DNS=dns_servers_go_here

wg-easy/docker-compose.yml

@@ -0,0 +1,39 @@
+version: "3.9"
+
+networks:
+  public:
+    external: true
+  dns_net:
+    external: true
+
+services:
+  wg-easy:
+    image: weejewel/wg-easy
+    container_name: wg-easy
+    restart: always
+    environment:
+      - WG_HOST=${WG_HOST}
+      - PASSWORD=${WG_PASSWORD}
+      - WG_PORT=${WG_PORT}
+      - WG_DEFAULT_DNS=${WG_DEFAULT_DNS}
+    volumes:
+      - "./data:/etc/wireguard"
+    ports:
+      - "${WG_PORT}:51820/udp"
+      # - "51821:51821/tcp"
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      - net.ipv4.ip_forward=1
+      - net.ipv4.conf.all.src_valid_mark=1
+    networks:
+      - public
+      - dns_net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.wg.rule=Host(`${WG_DOMAIN}`)"
+      - "traefik.http.routers.wg.service=wg-service"
+      - "traefik.http.services.wg-service.loadbalancer.server.port=51821"
+      - "traefik.http.routers.wg.tls=true"
+      - "traefik.http.routers.wg.tls.certresolver=le"