remove allowlist

.gitignore

@@ -1,5 +1,7 @@
 .DS_Store
 .env
 docker-compose.env
+*/env
 */config
 */data
+*/mysql

.gitlab-ci.yml

@@ -0,0 +1,15 @@
+---
+gitleaks_scan:
+  image:
+    name: zricethezav/gitleaks:latest
+    entrypoint: [""]
+  stage: test
+  tags: [gitleaks, scan]
+  script:
+    - gitleaks detect --source=. --config=gitleaks.toml --report-format=json --report-path=gitleaks-report.json
+  allow_failure: false
+  only: [main, testing, merge_requests]
+  artifacts:
+    when: always
+    paths: [gitleaks-report.json]
+    expire_in: 1 week

README.md

@@ -1,5 +1,17 @@
 # docker compose files
 
+<!-- vim-markdown-toc GFM -->
+
+* [Description](#description)
+* [Usage](#usage)
+* [Support](#support)
+* [Contributing](#contributing)
+* [Authors and acknowledgment](#authors-and-acknowledgment)
+* [License](#license)
+* [Project status](#project-status)
+
+<!-- vim-markdown-toc -->
+
 ## Description
 
 This is my collection of docker compose files that I'm either currently using or

fail2ban-exporter/docker-compose.yml

@@ -1,8 +1,9 @@
 ---
 services:
   exporter:
-    image: registry.gitlab.com/hectorjsmith/fail2ban-prometheus-exporter:latest
+    image: registry.gitlab.com/hctrdev/fail2ban-prometheus-exporter:latest
     volumes:
       - /var/run/fail2ban/:/var/run/fail2ban:ro
     ports:
-      - "9191:9191"
+      - "9191:9191"
+    restart: 'always'

frappe-helpdesk/docker-compose.yml

@@ -0,0 +1,31 @@
+---
+services:
+  mariadb:
+    image: mariadb:10.8
+    command:
+      - --character-set-server=utf8mb4
+      - --collation-server=utf8mb4_unicode_ci
+      - --skip-character-set-client-handshake
+      - --skip-innodb-read-only-compressed # Temporary fix for MariaDB 10.6
+    environment:
+      MYSQL_ROOT_PASSWORD: 123
+    volumes:
+      - mariadb-data:/var/lib/mysql
+
+  redis:
+    image: redis:alpine
+
+  frappe:
+    image: frappe/bench:latest
+    command: bash /workspace/init.sh
+    environment:
+      - SHELL=/bin/bash
+    working_dir: /home/frappe
+    volumes:
+      - .:/workspace
+    ports:
+      - 8000:8000
+      - 9000:9000
+
+volumes:
+  mariadb-data:

frappe-helpdesk/init.sh

@@ -0,0 +1,40 @@
+#!bin/bash
+
+if [ -d "/home/frappe/frappe-bench/apps/frappe" ]; then
+    echo "Bench already exists, skipping init"
+    cd frappe-bench
+    bench start
+else
+    echo "Creating new bench..."
+fi
+
+bench init --skip-redis-config-generation frappe-bench --version version-15
+
+cd frappe-bench
+
+# Use containers instead of localhost
+bench set-mariadb-host mariadb
+bench set-redis-cache-host redis://redis:6379
+bench set-redis-queue-host redis://redis:6379
+bench set-redis-socketio-host redis://redis:6379
+
+# Remove redis, watch from Procfile
+sed -i '/redis/d' ./Procfile
+sed -i '/watch/d' ./Procfile
+
+bench get-app helpdesk --branch main
+
+bench new-site helpdesk.localhost \
+--force \
+--mariadb-root-password 123 \
+--admin-password admin \
+--no-mariadb-socket
+
+bench --site helpdesk.localhost install-app helpdesk
+bench --site helpdesk.localhost set-config developer_mode 1
+bench --site helpdesk.localhost set-config mute_emails 1
+bench --site helpdesk.localhost set-config server_script_enabled 1
+bench --site helpdesk.localhost clear-cache
+bench use helpdesk.localhost
+
+bench start

gitleaks.toml

@@ -0,0 +1,25 @@
+title = "Gitleaks Docker Compose CI/CD Config"
+
+[[rules]]
+id = "docker-env-password"
+description = "Possible password in docker-compose environment"
+regex = "(?i)([A-Z0-9_]*(PASSWORD|PASS|PWD))[=:]\\s*['\"]?[A-Za-z0-9!@#$%^&*()_+={}\\[\\]:;,.<>?~-]{6,}['\"]?"
+tags = ["docker", "compose", "password", "env"]
+
+[[rules]]
+id = "docker-env-secret"
+description = "Generic secret or token in docker-compose environment"
+regex = "(?i)(SECRET|TOKEN|API[_-]?KEY)[=:]\\s*['\"]?[A-Za-z0-9_\\-]{16,}['\"]?"
+tags = ["docker", "compose", "secret", "env"]
+
+[[rules]]
+id = "aws-credentials"
+description = "AWS Access Key or Secret"
+regex = "(AKIA[0-9A-Z]{16}|(?i)aws[_-]secret[_-]access[_-]key\\s*[:=]\\s*[A-Za-z0-9/+=]{40})"
+tags = ["aws", "compose", "credentials"]
+
+[[rules]]
+id = "private-key"
+description = "Private key detected"
+regex = "-----BEGIN( RSA| EC| DSA)? PRIVATE KEY-----"
+tags = ["key", "pem", "compose"]

linkwarden/.gitignore

@@ -1,50 +0,0 @@
-# dependencies
-/node_modules
-/.pnp
-.pnp.js
-
-# testing
-/coverage
-
-# next.js
-/.next/
-/out/
-
-# production
-/build
-
-# misc
-.DS_Store
-*.pem
-
-# debug
-npm-debug.log*
-yarn-debug.log*
-yarn-error.log*
-.pnpm-debug.log*
-
-# env files
-.env*.local
-.env
-
-# vercel
-.vercel
-
-# typescript
-*.tsbuildinfo
-next-env.d.ts
-
-# generated files and folders
-/data
-.idea
-prisma/dev.db
-
-# tests
-/tests
-/test-results/
-/playwright-report/
-/playwright/.cache/
-
-# docker
-pgdata
-certificates

netbox/docker-compose.override.yml.example

@@ -1,23 +0,0 @@
-version: '3.4'
-services:
-  netbox:
-    ports:
-      - "8000:8080"
-    # If you want the Nginx unit status page visible from the
-    # outside of the container add the following port mapping:
-    # - "8001:8081"
-    # healthcheck:
-      # Time for which the health check can fail after the container is started.
-      # This depends mostly on the performance of your database. On the first start,
-      # when all tables need to be created the start_period should be higher than on
-      # subsequent starts. For the first start after major version upgrades of NetBox
-      # the start_period might also need to be set higher.
-      # Default value in our docker-compose.yml is 60s
-      # start_period: 90s
-    # environment:
-      # SKIP_SUPERUSER: "false"
-      # SUPERUSER_API_TOKEN: ""
-      # SUPERUSER_EMAIL: ""
-      # SUPERUSER_NAME: ""
-      # SUPERUSER_PASSWORD: ""
-

paperless-ngx/.gitignore

@@ -1,3 +0,0 @@
-consume/
-export/
-docker-compose.env

spoolman/.gitignore

@@ -1 +0,0 @@
-data/

theftstack/docker-compose.transmission.yml

@@ -1,12 +1,15 @@
-version: "3"
+---
+x-common-env: &common-env
+  PUID: ${UID}
+  PGID: ${GID}
+  TZ: America/New_York
+
 services:
   sabnzbd:
     image: lscr.io/linuxserver/sabnzbd:latest
     container_name: sabnzbd
     environment:
-      - PUID=1000
+      <<: *common-env
-      - PGID=1000
-      - TZ=America/New_York
     volumes:
       - /config/.sabnzbd/:/config
       - /storage/theft/usenet:/data/theft/usenet
@@ -14,26 +17,24 @@ services:
       - 8080:8080
     network_mode: "host"
     restart: unless-stopped
+
   prowlarr:
     image: lscr.io/linuxserver/prowlarr:develop
     container_name: prowlarr
     environment:
-      - PUID=1000
+      <<: *common-env
-      - PGID=1000
-      - TZ=America/New_York
     volumes:
       - /config/.prowlarr:/config
     ports:
       - 9696:9696
     network_mode: "host"
     restart: unless-stopped
+
   radarr:
     image: lscr.io/linuxserver/radarr:latest
     container_name: radarr
     environment:
-      - PUID=1000
+      <<: *common-env
-      - PGID=1000
-      - TZ=America/New_York
     volumes:
       - /config/radarr_config:/config
       - /storage:/data
@@ -44,13 +45,12 @@ services:
     depends_on:
       - sabnzbd
       - prowlarr
+
   sonarr:
     image: lscr.io/linuxserver/sonarr:latest
     container_name: sonarr
     environment:
-      - PUID=1000
+      <<: *common-env
-      - PGID=1000
-      - TZ=America/New_York
     volumes:
       - /config/sonarr_config:/config
       - /storage:/data
@@ -61,13 +61,12 @@ services:
     depends_on:
       - sabnzbd
       - prowlarr
+
   lidarr:
     image: lscr.io/linuxserver/lidarr:latest
     container_name: lidarr
     environment:
-      - PUID=1000
+      <<: *common-env
-      - PGID=1000
-      - TZ=America/New_York
     volumes:
       - /config/lidarr_config:/config
       - /storage/theft/lidarr/MediaCover:/config/MediaCover
@@ -79,13 +78,12 @@ services:
     depends_on:
       - sabnzbd
       - prowlarr
+
   readarr:
     image: lscr.io/linuxserver/readarr:develop
     container_name: readarr
     environment:
-      - PUID=1000
+      <<: *common-env
-      - PGID=1000
-      - TZ=America/New_York
     volumes:
       - /config/readarr_config:/config
       - /storage:/data
@@ -103,10 +101,8 @@ services:
     ports:
       - 6969:6969
     environment:
-      - PUID=1000
+      <<: *common-env
-      - PGID=1000
+      UMASK: 002
-      - UMASK=002
-      - TZ=America/New_York
     volumes:
       - /config/whisparr:/config
       - /storage:/data
@@ -125,13 +121,12 @@ services:
       - /storage/:/data
       - /config/transmission:/config
     environment:
-      - PUID=1000
+      <<: *common-env
-      - PGID=1000
+      OPENVPN_PROVIDER: PIA
-      - OPENVPN_PROVIDER=PIA
+      OPENVPN_CONFIG: us_east,us_new_york,us_florida,us_atlanta,us_chicago,us_silicon_valley,georgia,italy,lithuania
-      - OPENVPN_CONFIG=us_east,us_new_york,us_florida,us_atlanta,us_chicago,us_silicon_valley,georgia,italy,lithuania
+      OPENVPN_USERNAME: ${OPENVPN_USER}
-      - OPENVPN_USERNAME=${OPENVPN_USER}
+      OPENVPN_PASSWORD: ${OPENVPN_PASS}
-      - OPENVPN_PASSWORD=${OPENVPN_PASS}
+      LOCAL_NETWORK: 10.0.69.96/27
-      - LOCAL_NETWORK=10.0.69.96/27
     restart: unless-stopped
     logging:
       driver: json-file
@@ -144,9 +139,9 @@ services:
     image: msroest/sabnzbd_exporter
     container_name: sabnzbd-exporter
     environment:
-      - SABNZBD_BASEURLS=http://dl.homelab.lan:8080/sabnzbd/
+      <<: *common-env
-      - SABNZBD_APIKEYS=${SABNZBD_APIKEY}
+      SABNZBD_BASEURLS: http://dl.homelab.lan:8080/sabnzbd/
-      - TZ=America/Detroit
+      SABNZBD_APIKEYS: ${SABNZBD_APIKEY}
     ports:
       - 9387:9387
     restart: always
@@ -157,6 +152,7 @@ services:
     image: ghcr.io/onedr0p/exportarr:latest
     command: ["sonarr"]
     environment:
+      <<: *common-env
       PORT: 9707
       URL: "http://dl.homelab.lan:8989"
       APIKEY: ${SONARR_APIKEY}
@@ -170,6 +166,7 @@ services:
     image: ghcr.io/onedr0p/exportarr:latest
     command: ["radarr"]
     environment:
+      <<: *common-env
       PORT: 9708
       URL: "http://dl.homelab.lan:7878"
       APIKEY: ${RADARR_APIKEY}
@@ -183,6 +180,7 @@ services:
     image: ghcr.io/onedr0p/exportarr:latest
     command: ["lidarr"]
     environment:
+      <<: *common-env
       PORT: 9709
       URL: "http://dl.homelab.lan:8686"
       APIKEY: ${LIDARR_APIKEY}
@@ -196,6 +194,7 @@ services:
     image: ghcr.io/onedr0p/exportarr:latest
     command: ["prowlarr"]
     environment:
+      <<: *common-env
       PORT: 9710
       URL: "http://dl.homelab.lan:9696"
       APIKEY: ${PROWLARR_APIKEY}
@@ -209,6 +208,7 @@ services:
     image: ghcr.io/onedr0p/exportarr:latest
     command: ["readarr"]
     environment:
+      <<: *common-env
       PORT: 9711
       URL: "http://dl.homelab.lan:8787"
       APIKEY: ${READARR_APIKEY}
@@ -225,5 +225,5 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock
     restart: always
     environment:
+      <<: *common-env
       WATCHTOWER_CLEANUP: "true"
-      TZ: America/Detroit

vaultwarden/docker-compose.yml

@@ -12,11 +12,17 @@ services:
       DOMAIN: "${DOMAIN}"
       SHOW_PASSWORD_HINT: "false"
       USE_SYSLOG: "false"
-      LOG_FILE: /data/logs/vaultwarden.log
+      LOG_FILE: /var/log/vaultwarden/vaultwarden.log
-      LOG_LEVEL: "warn"
+      LOG_LEVEL: "debug"
       EXTENDED_LOGGING: "true"
     volumes:
-      - /root/docker/vault/data/:/data
+      - ./data/:/data
+      - /var/log/vaultwarden:/var/log/vaultwarden
     ports:
-      - 127.0.0.1:8090:80
+      - 8090:80
-      - 127.0.0.1:3012:3012
+      - 3012:3012
+    logging:
+      driver: json-file
+      options:
+        max-size: "10m"
+        max-file: "3"