gitignore: feat: Ignore all data directories

.gitignore

@@ -1,5 +1,10 @@
 # macOS
 .DS_Store
 
-# Docker
-.env
+# Ignore Docker env files
+*.env
+# excluding example env files
+!*.example.env
+
+# Ignore all directories ending with data
+*data/

ipsec-vpn/docker-compose.yml

@@ -0,0 +1,22 @@
+version: "3.9"
+
+networks:
+  dns_net:
+    external: true
+
+services:
+  ipsec-vpn:
+    image: hwdsl2/ipsec-vpn-server
+    container_name: ipsec-vpn
+    restart: always
+    env_file:
+      - ./vpn.env
+    volumes:
+      - "./ikev2-vpn-data:/etc/ipsec.d"
+      - "/lib/modules:/lib/modules:ro"
+    ports:
+      - "500:500/udp"
+      - "4500:4500/udp"
+    networks:
+      - dns_net
+    privileged: true

ipsec-vpn/vpn.env.example

@@ -0,0 +1,37 @@
+# Note: All the variables to this image are optional.
+# See README for more information.
+# To use, uncomment and replace with your own values.
+
+# Define IPsec PSK, VPN username and password
+# - DO NOT put "" or '' around values, or add space around =
+# - DO NOT use these special characters within values: \ " '
+VPN_IPSEC_PSK=psk_goes_here
+VPN_USER=username_goes_here
+VPN_PASSWORD=password_goes_here
+
+# Define additional VPN users
+# - DO NOT put "" or '' around values, or add space around =
+# - DO NOT use these special characters within values: \ " '
+# - Usernames and passwords must be separated by spaces
+# VPN_ADDL_USERS=additional_username_1 additional_username_2
+# VPN_ADDL_PASSWORDS=additional_password_1 additional_password_2
+
+# Use a DNS name for the VPN server
+# - The DNS name must be a fully qualified domain name (FQDN)
+VPN_DNS_NAME=domain_name_goes_here
+
+# Specify a name for the first IKEv2 client
+# - Use one word only, no special characters except '-' and '_'
+# - The default is 'vpnclient' if not specified
+# VPN_CLIENT_NAME=your_client_name
+
+# Use alternative DNS servers
+# - By default, clients are set to use Google Public DNS
+# - Example below shows Cloudflare's DNS service
+VPN_DNS_SRV1=dns_server_goes_here
+# VPN_DNS_SRV2=1.1.1.1
+
+# Protect IKEv2 client config files using a password
+# - By default, no password is required when importing IKEv2 client configuration
+# - Uncomment if you want to protect these files using a random password
+# VPN_PROTECT_CONFIG=yes

pihole/docker-compose.yml

@@ -2,6 +2,7 @@ version: "3.9"
 
 networks:
   dns_net:
+    name: dns_net
     driver: bridge
     ipam:
       config:
@@ -25,16 +26,17 @@ services:
       - "WEBPASSWORD=${PIHOLE_PASSWORD}"
       - "DNS1=172.20.0.11#5335"
       - "DNS2=no"
+      - "DNSMASQ_USER=root"
     volumes:
-      - "./etc-pihole/:/etc/pihole/"
-      - "./etc-dnsmasq.d/:/etc/dnsmasq.d/"
+      - "./pihole-data/:/etc/pihole/"
+      - "./dnsmasq.d-data/:/etc/dnsmasq.d/"
 
   unbound:
     image: mvance/unbound-rpi:latest
     container_name: unbound
     restart: always
     volumes:
-      - "./unbound:/opt/unbound/etc/unbound"
+      - "./unbound-data:/opt/unbound/etc/unbound"
     networks:
       dns_net:
         ipv4_address: 172.20.0.11

traefik/docker-compose.yml

@@ -21,7 +21,7 @@ services:
     ports:
       - "80:80"
       - "443:443"
-      - "8080:8080"
+      # - "8080:8080"
     networks:
       - public
     command:
@@ -29,6 +29,7 @@ services:
       - "--api.insecure=true"
       - "--providers.docker=true"
       - "--providers.docker.exposedbydefault=false"
+      - "--providers.docker.network=public"
       - "--entrypoints.web.address=:80"
       - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
       - "--entrypoints.websecure.address=:443"
@@ -40,3 +41,12 @@ services:
       - "--certificatesresolvers.le.acme.dnschallenge=true"
       - "--certificatesresolvers.le.acme.dnschallenge.provider=cloudflare"
       - "--certificatesresolvers.le.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.dashboard.rule=Host(`${TRAEFIK_DOMAIN}`)"
+      - "traefik.http.routers.dashboard.service=dashboard-service"
+      - "traefik.http.services.dashboard-service.loadbalancer.server.port=8080"
+      - "traefik.http.routers.dashboard.tls=true"
+      - "traefik.http.routers.dashboard.tls.certresolver=le"
+      - "traefik.http.middlewares.dashboard-basicauth.basicauth.users=${BASIC_AUTH_CREDENTIALS}"
+      - "traefik.http.routers.dashboard.middlewares=dashboard-basicauth@docker"

wg-easy/.env.example

@@ -0,0 +1,5 @@
+WG_HOST=vpn_domain_goes_here
+WG_DOMAIN=web_ui_domain_goes_here
+WG_PASSWORD=password_goes_here
+WG_PORT=51820
+WG_DEFAULT_DNS=dns_servers_go_here

wg-easy/docker-compose.yml

@@ -0,0 +1,39 @@
+version: "3.9"
+
+networks:
+  public:
+    external: true
+  dns_net:
+    external: true
+
+services:
+  wg-easy:
+    image: weejewel/wg-easy
+    container_name: wg-easy
+    restart: always
+    environment:
+      - WG_HOST=${WG_HOST}
+      - PASSWORD=${WG_PASSWORD}
+      - WG_PORT=${WG_PORT}
+      - WG_DEFAULT_DNS=${WG_DEFAULT_DNS}
+    volumes:
+      - "./data:/etc/wireguard"
+    ports:
+      - "${WG_PORT}:51820/udp"
+      # - "51821:51821/tcp"
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      - net.ipv4.ip_forward=1
+      - net.ipv4.conf.all.src_valid_mark=1
+    networks:
+      - public
+      - dns_net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.wg.rule=Host(`${WG_DOMAIN}`)"
+      - "traefik.http.routers.wg.service=wg-service"
+      - "traefik.http.services.wg-service.loadbalancer.server.port=51821"
+      - "traefik.http.routers.wg.tls=true"
+      - "traefik.http.routers.wg.tls.certresolver=le"