remove allowlist

Update .gitlab-ci.yml file
change pull policy
2025-09-24 20:59:25 -04:00 · 2025-09-24 20:56:34 -04:00 · 2025-09-24 20:54:07 -04:00 · 2025-09-24 20:48:06 -04:00 · 2025-09-24 20:41:03 -04:00 · 2025-09-24 20:32:50 -04:00
13 changed files with 173 additions and 118 deletions
@@ -1,5 +1,7 @@
 .DS_Store
 .env
 docker-compose.env
+*/env
 */config
 */data
+*/mysql
@@ -0,0 +1,15 @@
+---
+gitleaks_scan:
+  image:
+    name: zricethezav/gitleaks:latest
+    entrypoint: [""]
+  stage: test
+  tags: [gitleaks, scan]
+  script:
+    - gitleaks detect --source=. --config=gitleaks.toml --report-format=json --report-path=gitleaks-report.json
+  allow_failure: false
+  only: [main, testing, merge_requests]
+  artifacts:
+    when: always
+    paths: [gitleaks-report.json]
+    expire_in: 1 week
@@ -1,5 +1,17 @@
 # docker compose files

+<!-- vim-markdown-toc GFM -->
+
+* [Description](#description)
+* [Usage](#usage)
+* [Support](#support)
+* [Contributing](#contributing)
+* [Authors and acknowledgment](#authors-and-acknowledgment)
+* [License](#license)
+* [Project status](#project-status)
+
+<!-- vim-markdown-toc -->
+
 ## Description

 This is my collection of docker compose files that I'm either currently using or
@@ -1,8 +1,9 @@
 ---
 services:
  exporter:
-    image: registry.gitlab.com/hectorjsmith/fail2ban-prometheus-exporter:latest
+    image: registry.gitlab.com/hctrdev/fail2ban-prometheus-exporter:latest
    volumes:
      - /var/run/fail2ban/:/var/run/fail2ban:ro
    ports:
-      - "9191:9191"
+      - "9191:9191"
+    restart: 'always'
@@ -0,0 +1,31 @@
+---
+services:
+  mariadb:
+    image: mariadb:10.8
+    command:
+      - --character-set-server=utf8mb4
+      - --collation-server=utf8mb4_unicode_ci
+      - --skip-character-set-client-handshake
+      - --skip-innodb-read-only-compressed # Temporary fix for MariaDB 10.6
+    environment:
+      MYSQL_ROOT_PASSWORD: 123
+    volumes:
+      - mariadb-data:/var/lib/mysql
+
+  redis:
+    image: redis:alpine
+
+  frappe:
+    image: frappe/bench:latest
+    command: bash /workspace/init.sh
+    environment:
+      - SHELL=/bin/bash
+    working_dir: /home/frappe
+    volumes:
+      - .:/workspace
+    ports:
+      - 8000:8000
+      - 9000:9000
+
+volumes:
+  mariadb-data:
@@ -0,0 +1,40 @@
+#!bin/bash
+
+if [ -d "/home/frappe/frappe-bench/apps/frappe" ]; then
+    echo "Bench already exists, skipping init"
+    cd frappe-bench
+    bench start
+else
+    echo "Creating new bench..."
+fi
+
+bench init --skip-redis-config-generation frappe-bench --version version-15
+
+cd frappe-bench
+
+# Use containers instead of localhost
+bench set-mariadb-host mariadb
+bench set-redis-cache-host redis://redis:6379
+bench set-redis-queue-host redis://redis:6379
+bench set-redis-socketio-host redis://redis:6379
+
+# Remove redis, watch from Procfile
+sed -i '/redis/d' ./Procfile
+sed -i '/watch/d' ./Procfile
+
+bench get-app helpdesk --branch main
+
+bench new-site helpdesk.localhost \
+--force \
+--mariadb-root-password 123 \
+--admin-password admin \
+--no-mariadb-socket
+
+bench --site helpdesk.localhost install-app helpdesk
+bench --site helpdesk.localhost set-config developer_mode 1
+bench --site helpdesk.localhost set-config mute_emails 1
+bench --site helpdesk.localhost set-config server_script_enabled 1
+bench --site helpdesk.localhost clear-cache
+bench use helpdesk.localhost
+
+bench start
@@ -0,0 +1,25 @@
+title = "Gitleaks Docker Compose CI/CD Config"
+
+[[rules]]
+id = "docker-env-password"
+description = "Possible password in docker-compose environment"
+regex = "(?i)([A-Z0-9_]*(PASSWORD|PASS|PWD))[=:]\\s*['\"]?[A-Za-z0-9!@#$%^&*()_+={}\\[\\]:;,.<>?~-]{6,}['\"]?"
+tags = ["docker", "compose", "password", "env"]
+
+[[rules]]
+id = "docker-env-secret"
+description = "Generic secret or token in docker-compose environment"
+regex = "(?i)(SECRET|TOKEN|API[_-]?KEY)[=:]\\s*['\"]?[A-Za-z0-9_\\-]{16,}['\"]?"
+tags = ["docker", "compose", "secret", "env"]
+
+[[rules]]
+id = "aws-credentials"
+description = "AWS Access Key or Secret"
+regex = "(AKIA[0-9A-Z]{16}|(?i)aws[_-]secret[_-]access[_-]key\\s*[:=]\\s*[A-Za-z0-9/+=]{40})"
+tags = ["aws", "compose", "credentials"]
+
+[[rules]]
+id = "private-key"
+description = "Private key detected"
+regex = "-----BEGIN( RSA| EC| DSA)? PRIVATE KEY-----"
+tags = ["key", "pem", "compose"]
@@ -1,50 +0,0 @@
-# dependencies
-/node_modules
-/.pnp
-.pnp.js
-
-# testing
-/coverage
-
-# next.js
-/.next/
-/out/
-
-# production
-/build
-
-# misc
-.DS_Store
-*.pem
-
-# debug
-npm-debug.log*
-yarn-debug.log*
-yarn-error.log*
-.pnpm-debug.log*
-
-# env files
-.env*.local
-.env
-
-# vercel
-.vercel
-
-# typescript
-*.tsbuildinfo
-next-env.d.ts
-
-# generated files and folders
-/data
-.idea
-prisma/dev.db
-
-# tests
-/tests
-/test-results/
-/playwright-report/
-/playwright/.cache/
-
-# docker
-pgdata
-certificates
@@ -1,23 +0,0 @@
-version: '3.4'
-services:
-  netbox:
-    ports:
-      - "8000:8080"
-    # If you want the Nginx unit status page visible from the
-    # outside of the container add the following port mapping:
-    # - "8001:8081"
-    # healthcheck:
-      # Time for which the health check can fail after the container is started.
-      # This depends mostly on the performance of your database. On the first start,
-      # when all tables need to be created the start_period should be higher than on
-      # subsequent starts. For the first start after major version upgrades of NetBox
-      # the start_period might also need to be set higher.
-      # Default value in our docker-compose.yml is 60s
-      # start_period: 90s
-    # environment:
-      # SKIP_SUPERUSER: "false"
-      # SUPERUSER_API_TOKEN: ""
-      # SUPERUSER_EMAIL: ""
-      # SUPERUSER_NAME: ""
-      # SUPERUSER_PASSWORD: ""
-
@@ -1,3 +0,0 @@
-consume/
-export/
-docker-compose.env
@@ -1 +0,0 @@
-data/
@@ -1,12 +1,15 @@
-version: "3"
+---
+x-common-env: &common-env
+  PUID: ${UID}
+  PGID: ${GID}
+  TZ: America/New_York
+
 services:
  sabnzbd:
    image: lscr.io/linuxserver/sabnzbd:latest
    container_name: sabnzbd
    environment:
-      - PUID=1000
-      - PGID=1000
-      - TZ=America/New_York
+      <<: *common-env
    volumes:
      - /config/.sabnzbd/:/config
      - /storage/theft/usenet:/data/theft/usenet
@@ -14,26 +17,24 @@ services:
      - 8080:8080
    network_mode: "host"
    restart: unless-stopped
+
  prowlarr:
    image: lscr.io/linuxserver/prowlarr:develop
    container_name: prowlarr
    environment:
-      - PUID=1000
-      - PGID=1000
-      - TZ=America/New_York
+      <<: *common-env
    volumes:
      - /config/.prowlarr:/config
    ports:
      - 9696:9696
    network_mode: "host"
    restart: unless-stopped
+
  radarr:
    image: lscr.io/linuxserver/radarr:latest
    container_name: radarr
    environment:
-      - PUID=1000
-      - PGID=1000
-      - TZ=America/New_York
+      <<: *common-env
    volumes:
      - /config/radarr_config:/config
      - /storage:/data
@@ -44,13 +45,12 @@ services:
    depends_on:
      - sabnzbd
      - prowlarr
+
  sonarr:
    image: lscr.io/linuxserver/sonarr:latest
    container_name: sonarr
    environment:
-      - PUID=1000
-      - PGID=1000
-      - TZ=America/New_York
+      <<: *common-env
    volumes:
      - /config/sonarr_config:/config
      - /storage:/data
@@ -61,13 +61,12 @@ services:
    depends_on:
      - sabnzbd
      - prowlarr
+
  lidarr:
    image: lscr.io/linuxserver/lidarr:latest
    container_name: lidarr
    environment:
-      - PUID=1000
-      - PGID=1000
-      - TZ=America/New_York
+      <<: *common-env
    volumes:
      - /config/lidarr_config:/config
      - /storage/theft/lidarr/MediaCover:/config/MediaCover
@@ -79,13 +78,12 @@ services:
    depends_on:
      - sabnzbd
      - prowlarr
+
  readarr:
    image: lscr.io/linuxserver/readarr:develop
    container_name: readarr
    environment:
-      - PUID=1000
-      - PGID=1000
-      - TZ=America/New_York
+      <<: *common-env
    volumes:
      - /config/readarr_config:/config
      - /storage:/data
@@ -103,10 +101,8 @@ services:
    ports:
      - 6969:6969
    environment:
-      - PUID=1000
-      - PGID=1000
-      - UMASK=002
-      - TZ=America/New_York
+      <<: *common-env
+      UMASK: 002
    volumes:
      - /config/whisparr:/config
      - /storage:/data
@@ -125,13 +121,12 @@ services:
      - /storage/:/data
      - /config/transmission:/config
    environment:
-      - PUID=1000
-      - PGID=1000
-      - OPENVPN_PROVIDER=PIA
-      - OPENVPN_CONFIG=us_east,us_new_york,us_florida,us_atlanta,us_chicago,us_silicon_valley,georgia,italy,lithuania
-      - OPENVPN_USERNAME=${OPENVPN_USER}
-      - OPENVPN_PASSWORD=${OPENVPN_PASS}
-      - LOCAL_NETWORK=10.0.69.96/27
+      <<: *common-env
+      OPENVPN_PROVIDER: PIA
+      OPENVPN_CONFIG: us_east,us_new_york,us_florida,us_atlanta,us_chicago,us_silicon_valley,georgia,italy,lithuania
+      OPENVPN_USERNAME: ${OPENVPN_USER}
+      OPENVPN_PASSWORD: ${OPENVPN_PASS}
+      LOCAL_NETWORK: 10.0.69.96/27
    restart: unless-stopped
    logging:
      driver: json-file
@@ -144,9 +139,9 @@ services:
    image: msroest/sabnzbd_exporter
    container_name: sabnzbd-exporter
    environment:
-      - SABNZBD_BASEURLS=http://dl.homelab.lan:8080/sabnzbd/
-      - SABNZBD_APIKEYS=${SABNZBD_APIKEY}
-      - TZ=America/Detroit
+      <<: *common-env
+      SABNZBD_BASEURLS: http://dl.homelab.lan:8080/sabnzbd/
+      SABNZBD_APIKEYS: ${SABNZBD_APIKEY}
    ports:
      - 9387:9387
    restart: always
@@ -157,6 +152,7 @@ services:
    image: ghcr.io/onedr0p/exportarr:latest
    command: ["sonarr"]
    environment:
+      <<: *common-env
      PORT: 9707
      URL: "http://dl.homelab.lan:8989"
      APIKEY: ${SONARR_APIKEY}
@@ -170,6 +166,7 @@ services:
    image: ghcr.io/onedr0p/exportarr:latest
    command: ["radarr"]
    environment:
+      <<: *common-env
      PORT: 9708
      URL: "http://dl.homelab.lan:7878"
      APIKEY: ${RADARR_APIKEY}
@@ -183,6 +180,7 @@ services:
    image: ghcr.io/onedr0p/exportarr:latest
    command: ["lidarr"]
    environment:
+      <<: *common-env
      PORT: 9709
      URL: "http://dl.homelab.lan:8686"
      APIKEY: ${LIDARR_APIKEY}
@@ -196,6 +194,7 @@ services:
    image: ghcr.io/onedr0p/exportarr:latest
    command: ["prowlarr"]
    environment:
+      <<: *common-env
      PORT: 9710
      URL: "http://dl.homelab.lan:9696"
      APIKEY: ${PROWLARR_APIKEY}
@@ -209,6 +208,7 @@ services:
    image: ghcr.io/onedr0p/exportarr:latest
    command: ["readarr"]
    environment:
+      <<: *common-env
      PORT: 9711
      URL: "http://dl.homelab.lan:8787"
      APIKEY: ${READARR_APIKEY}
@@ -225,5 +225,5 @@ services:
      - /var/run/docker.sock:/var/run/docker.sock
    restart: always
    environment:
+      <<: *common-env
      WATCHTOWER_CLEANUP: "true"
-      TZ: America/Detroit
@@ -12,11 +12,17 @@ services:
      DOMAIN: "${DOMAIN}"
      SHOW_PASSWORD_HINT: "false"
      USE_SYSLOG: "false"
-      LOG_FILE: /data/logs/vaultwarden.log
-      LOG_LEVEL: "warn"
+      LOG_FILE: /var/log/vaultwarden/vaultwarden.log
+      LOG_LEVEL: "debug"
      EXTENDED_LOGGING: "true"
    volumes:
-      - /root/docker/vault/data/:/data
+      - ./data/:/data
+      - /var/log/vaultwarden:/var/log/vaultwarden
    ports:
-      - 127.0.0.1:8090:80
-      - 127.0.0.1:3012:3012
+      - 8090:80
+      - 3012:3012
+    logging:
+      driver: json-file
+      options:
+        max-size: "10m"
+        max-file: "3"
Author	SHA1	Message	Date
cdanesi	3997f30c43	remove allowlist	2025-09-24 20:59:25 -04:00
cdanesi	64f4d90904	Update .gitlab-ci.yml file	2025-09-24 20:56:34 -04:00
cdanesi	5ab5f9a73c	change pull policy	2025-09-24 20:54:07 -04:00
cdanesi	5f794e4e25	fix gitlab-ci to use alternative image	2025-09-24 20:48:06 -04:00
cdanesi	b606507f4f	reformat gitleaks.toml to correct parsing errors	2025-09-24 20:41:03 -04:00
cdanesi	08eb1eee60	add gitleaks scan for CI/CD	2025-09-24 20:32:50 -04:00
cdanesi	1a4884da33	update fail2ban-exporter, vaultwarden	2025-09-24 20:23:23 -04:00
cdanesi	bb1ad2601b	add toc to README	2025-06-18 12:05:25 -04:00
cdanesi	252fad0a44	add frappe helpdesk	2025-06-18 12:04:50 -04:00
cdanesi	1d88863814	refactor theftstack with transmission	2025-06-17 08:36:24 -04:00