├── .github └── workflows │ ├── audacity-build-push-ghcr.yml │ ├── boringproxy-build-push-ghcr.yml │ ├── capa-build-push-ghcr.yml │ ├── ctfd-build-push-ghcr.yml │ ├── debian-stable-slim-build-push-ghcr.yml │ ├── fakemachine-build-push-ghcr.yml │ ├── fetch-build-push-ghcr.yml │ ├── filepond-build-push-ghcr.yml │ ├── firefox-build-push-ghcr.yml │ ├── forgejo-root-build-push-ghcr.yml │ ├── gimp-build-push-ghcr.yml │ ├── gitea-root-build-push-ghcr.yml │ ├── gossa-build-push-ghcr.yml │ ├── keycloak-build-push-ghcr.yml │ ├── lossless-cut-build-push-ghcr.yml │ ├── mariadb-build-push-ghcr.yml │ ├── mastodon-build-push-ghcr.yml │ ├── mimic3-build-push-ghcr.yml │ ├── mimic3-gpu-build-push-ghcr.yml │ ├── musescore-web-build-push-ghcr.yml │ ├── net-clients-build-push-ghcr.yml │ ├── nextcloud-build-push-ghcr.yml │ ├── nginx-securimage-build-push-ghcr.yml │ ├── opensearch-build-push-ghcr.yml │ ├── opensearch-dashboards-build-push-ghcr.yml │ ├── postgres-build-push-ghcr.yml │ ├── redis-build-push-ghcr.yml │ ├── serverless-registry-proxy-build-push-ghcr.yml │ ├── signal-build-push-ghcr.yml │ ├── stunnel-build-push-ghcr.yml │ ├── tunneler-build-push-ghcr.yml │ ├── wireproxy-build-push-ghcr.yml │ ├── xfce-build-push-ghcr.yml │ └── ytdlp-build-push-ghcr.yml ├── .gitignore ├── LICENSE ├── README.md ├── audacity └── Dockerfile ├── booksonic ├── .dockerignore ├── audiobooks │ └── .gitignore ├── config │ └── .gitignore ├── docker-compose.yml ├── ldap_notes.txt ├── ldap_setup.sh ├── othermedia │ └── .gitignore ├── podcasts │ └── .gitignore └── proxy │ └── nginx.conf ├── boringproxy ├── Dockerfile └── boringproxy-docker.sh ├── calibre-web ├── docker-compose.yml └── scripts │ └── getevent.sh ├── capa ├── .gitignore ├── Dockerfile ├── README.md └── capa-docker.sh ├── chromium ├── chromium-docker.sh └── chromium.desktop ├── ctfd ├── Dockerfile ├── data │ ├── CTFd │ │ ├── logs │ │ │ └── .gitignore │ │ └── uploads │ │ │ └── .gitignore │ ├── mariadb │ │ └── .gitignore │ └── redis │ │ └── 
.gitignore └── docker-compose.yml ├── debian ├── Dockerfile └── external_tools_install.sh ├── docker-registry ├── certs │ └── .gitignore └── run.sh ├── elasticsearch ├── .env.example ├── .gitignore └── docker-compose.yml ├── fakemachine └── Dockerfile ├── fetch ├── Dockerfile └── fetch-docker.sh ├── filepond ├── Dockerfile ├── docker-compose.yml ├── nginx │ └── sites-available │ │ └── default ├── php │ ├── config.php │ ├── php.ini │ └── submit.php ├── site │ └── index.html ├── supervisord.conf └── upload │ ├── .gitignore │ ├── tmp │ └── .gitignore │ └── variants │ └── .gitignore ├── firefox-web ├── docker-compose.yml └── docker │ └── appdata │ └── firefox │ └── .gitignore ├── firefox ├── Dockerfile ├── entrypoint.sh ├── firefox-docker.sh ├── firefox.desktop └── local.conf ├── fluentd ├── Dockerfile ├── conf │ └── fluent.conf └── docker-compose.yml ├── forgejo ├── .dockerignore ├── .gitignore ├── Dockerfile ├── docker-compose.yml ├── env.docker.sample ├── env.podman.sample └── forgejo │ ├── conf │ └── .gitignore │ ├── db │ └── .gitignore │ ├── git │ └── .gitignore │ └── log │ └── .gitignore ├── gimp ├── Dockerfile ├── gimp-docker.sh └── gimp.desktop ├── gitea ├── .dockerignore ├── .gitignore ├── Dockerfile ├── docker-compose.yml ├── env.docker.sample ├── env.podman.sample └── gitea │ ├── conf │ └── .gitignore │ ├── db │ └── .gitignore │ ├── git │ └── .gitignore │ └── log │ └── .gitignore ├── gogs └── docker-compose.yml ├── gossa ├── Dockerfile ├── docker-compose.yml └── gossa.sh ├── keycloak ├── .dockerignore ├── .env.example ├── .gitignore ├── Dockerfile ├── docker-compose.yml └── docker-entrypoint.sh ├── libreoffice-browser └── docker-compose.yml ├── libreoffice ├── libreoffice-docker.sh └── libreoffice.desktop ├── lldap ├── .env.example ├── .gitignore ├── bootstrap │ ├── .gitignore │ ├── get-bootstrap-sh.sh │ ├── group-configs │ │ ├── .gitignore │ │ ├── administrators.json.example │ │ ├── developers.json.example │ │ └── service.json.example │ └── user-configs │ │ 
├── .gitignore │ │ ├── bind.json.example │ │ └── poweruser.json.example ├── certs │ ├── .gitignore │ └── gen_self_signed_certs.sh ├── data │ └── .gitignore └── docker-compose.yml ├── lossless-cut └── Dockerfile ├── mariadb └── Dockerfile ├── mastodon-linuxserver-io ├── .dockerignore ├── .gitignore ├── Dockerfile ├── docker-compose.yml ├── env.production.sample └── env_setup.sh ├── metasploit ├── .gitignore ├── docker-compose.yml └── msf4 │ └── .gitignore ├── mimic3 ├── Dockerfile ├── Dockerfile.gpu ├── data │ └── .gitignore └── docker-compose.yml ├── musescore-web ├── .gitignore ├── Dockerfile ├── docker-compose.yml ├── files │ └── .gitignore └── startapp.sh ├── net-clients └── Dockerfile ├── netbox ├── .gitignore ├── config │ ├── netbox-secret.env.example │ ├── netbox.env.example │ ├── postgres.env.example │ ├── process.env.example │ └── redis.env.example ├── docker-compose.yml └── netbox │ ├── custom-plugins │ └── .gitignore │ ├── media │ └── .gitignore │ └── preload │ ├── device_roles.yml │ ├── initializers.txt │ └── manufacturers.yml ├── nextcloud ├── .dockerignore ├── data │ └── .gitignore ├── db │ └── .gitignore ├── docker-compose.yml └── docker │ └── Dockerfile ├── nginx-proxy ├── config │ └── proxy_overrides.conf └── docker-compose.yml ├── nginx-securimage ├── docker-compose.yml ├── docker │ └── nginx.Dockerfile ├── nginx │ └── server.conf ├── php │ ├── php-fpm-settings.conf │ └── php.ini └── webcontent │ └── index.php ├── nodejs-nginx ├── .dockerignore ├── .gitignore ├── Dockerfile ├── docker-compose.yml ├── index.js ├── nginx │ └── default.conf └── package.json ├── openldap ├── docker-compose.yml └── ldap-cert-renew-restart.sh ├── opensearch ├── .creds.curlrc.example ├── .gitignore ├── certs │ ├── .gitignore │ └── generate-certificates.sh ├── dashboards.Dockerfile ├── docker-compose.yml ├── opensearch.Dockerfile ├── opensearch.yml ├── opensearch_dashboards.yml ├── security-admin-docker-compose.sh ├── security │ ├── .gitignore │ ├── action_groups.yml │ ├── 
audit.yml │ ├── config.yml.example │ ├── internal_users.yml │ ├── roles.yml │ ├── roles_mapping.yml │ └── tenants.yml └── shared-objects │ ├── scripts │ ├── index-refresh.py │ └── shared-object-creation.sh │ └── templates │ └── ecs_template.json ├── owntracks ├── .gitignore ├── config │ └── recorder.conf ├── docker-compose.yml └── store │ └── .gitignore ├── pihole-dnscrypt-proxy ├── dnscrypt-proxy │ └── config │ │ ├── dnscrypt-proxy-ipv4-only.toml │ │ └── dnscrypt-proxy.toml ├── docker-compose.yml └── pihole │ ├── etc │ ├── dnsmasq.d │ │ └── .gitignore │ └── pihole │ │ ├── .gitignore │ │ └── custom.list │ └── var │ └── log │ └── .gitignore ├── pihole ├── docker-compose.yml ├── etc-dnscrypt-proxy │ └── dnscrypt-proxy.toml ├── etc-dnsmasq.d │ ├── .gitignore │ └── 03-custom-dns.conf ├── etc-pihole │ ├── .gitignore │ └── custom.list ├── podman-compose.yml └── var-log │ └── .gitignore ├── podgrab ├── config │ └── .gitignore ├── data │ └── .gitignore └── docker-compose.yml ├── podman-specific └── traefik-podman │ ├── certs │ └── .gitignore │ ├── docker-compose.yml │ ├── letsencrypt │ └── .gitignore │ ├── rules │ ├── web.toml │ └── whoami.toml │ └── traefik-podman.service ├── postgres ├── .dockerignore ├── .env.example ├── .gitignore ├── Dockerfile ├── docker-compose.yml └── scripts │ ├── container-health.sh │ ├── docker-entrypoint-initdb.d │ └── noop.sh │ ├── docker-entrypoint-startdb.d │ └── init-db-from-env.sh │ └── docker-entrypoint-startdb.sh ├── redis └── Dockerfile ├── rembg └── rembg-docker.sh ├── samba ├── docker-compose.yml ├── samba-pod-kube-play.service ├── samba-pod-kube-play.yaml └── samba.service ├── screego └── docker-compose.yml ├── serverless-registry-proxy └── docker-compose.yml ├── shared ├── boringproxy │ ├── boringproxy-client.service │ └── boringproxy-server.service ├── debian-bookworm-sources.list ├── docker-uid-gid-setup.sh ├── jdk-cacerts-auto-import.sh └── service_check_passthrough.sh ├── signal └── Dockerfile ├── smtp4dev ├── certs │ └── 
.gitignore ├── docker-compose.yml ├── smtp_new_cert_restart.sh └── systemd-stuff │ ├── smtp.service │ └── step-smtp.service ├── splunk └── docker-compose.yml ├── step-ca ├── .dockerignore ├── .gitignore ├── README.md ├── docker-compose.yml ├── step-ca-podman.service └── step │ ├── .gitignore │ ├── certs │ └── .gitignore │ ├── config │ └── .gitignore │ ├── db │ └── .gitignore │ ├── secrets │ └── .gitignore │ └── templates │ └── .gitignore ├── stunnel └── Dockerfile ├── tini-privdrop-supervisord ├── Dockerfile └── supervisord.conf ├── traefix-proxy ├── certs │ └── .gitignore ├── docker-compose.yml ├── letsencrypt │ └── .gitignore └── traefik-tls.toml ├── transmission-openvpn ├── docker-compose.yml └── download │ └── .gitignore ├── tunneler ├── Dockerfile ├── bash_support_functions.sh ├── croc_relay_entrypoint.sh ├── docker-compose.yml └── supervisord.conf ├── uptime-kuma └── docker-compose.yml ├── vaultwarden ├── .env ├── data │ └── .gitignore └── docker-compose.yml ├── whoami ├── docker-compose.yml ├── whoami-pod-kubeplay.service ├── whoami-pod-kubeplay.yaml └── whoami-podman-compose.service ├── wireproxy ├── .dockerignore ├── .gitignore ├── Dockerfile ├── config.env ├── docker-compose.yml ├── entrypoint.sh ├── wireproxy-podman.service └── wireproxy.env.sample ├── xfce └── Dockerfile └── yt-dlp ├── Dockerfile └── yt-dlp-docker.sh /.github/workflows/signal-build-push-ghcr.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: signal-build-push-ghcr 3 | 4 | on: 5 | push: 6 | branches: 7 | - 'master' 8 | paths: 9 | - 'signal/**' 10 | - '.github/workflows/signal-build-push-ghcr.yml' 11 | pull_request: 12 | paths: 13 | - 'signal/**' 14 | - '.github/workflows/signal-build-push-ghcr.yml' 15 | workflow_dispatch: 16 | repository_dispatch: 17 | schedule: 18 | - cron: '0 12 15 * *' 19 | 20 | jobs: 21 | docker: 22 | runs-on: ${{ matrix.os }} 23 | permissions: 24 | actions: write 25 | packages: write 26 | contents: read 27 | 
security-events: write
    # Single-leg matrix (amd64 only). `arch` is not read by any step below;
    # `platform` drives the build, the tag suffix and the scan gate.
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: ubuntu-24.04
            arch: amd64
            platform: linux/amd64
    # NOTE(review): every `uses:` below is pinned to a tag or major version
    # (v4, v3, 0.12.1, 0.29.0), not a commit SHA. Tags are mutable; pinning by
    # SHA is the stronger supply-chain control for a workflow that holds a
    # `packages: write` token.
    steps:
      -
        # Uses the `actions: write` permission declared on this job to cancel
        # older in-flight runs of the same workflow.
        name: Cancel previous run in progress
        uses: styfle/cancel-workflow-action@0.12.1
        with:
          ignore_sha: true
          all_but_latest: true
          access_token: ${{ secrets.GITHUB_TOKEN }}
      -
        name: Checkout
        uses: actions/checkout@v4
      -
        # Emits the step output `archtag`: empty for linux/amd64, otherwise
        # "-<second path element>" of the platform string (e.g. "-arm64").
        # Only the repo-controlled matrix value is interpolated into this shell
        # line, so there is no untrusted input in the expansion.
        name: Generate arch tag suffix
        shell: bash
        run: echo "archtag=$([[ "${{ matrix.platform }}" == 'linux/amd64' ]] && echo '' || ( echo -n '-' ; echo "${{ matrix.platform }}" | cut -d '/' -f 2) )" >> $GITHUB_OUTPUT
        id: arch_tag_suffix
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          # NOTE(review): `master` is a moving tag, so the BuildKit builder used
          # for every build changes without any review in this repo. A released
          # buildkit tag (or a digest) keeps builds reproducible.
          driver-opts: |
            image=moby/buildkit:master
      -
        # GITHUB_TOKEN is sufficient for ghcr.io because the job declares
        # `packages: write`.
        name: Log in to registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      -
        # Publishes `signal:latest<archtag>` before the Trivy step below runs,
        # so the scan reports on an image that is already in the registry
        # rather than gating the push. `provenance: false` also turns off the
        # provenance attestation buildx would otherwise attach to the image.
        name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: ./signal
          file: ./signal/Dockerfile
          build-args: |
            TARGETPLATFORM=${{ matrix.platform }}
          push: true
          provenance: false
          platforms: ${{ matrix.platform }}
          tags: ghcr.io/${{ github.repository_owner }}/signal:latest${{ steps.arch_tag_suffix.outputs.archtag }}
      -
        # Scans the image reference that was just pushed and writes SARIF for
        # the upload step that follows. Restricted to the amd64 leg; presumably
        # because the un-suffixed `latest` tag is the amd64 image.
        name: Run Trivy vulnerability scanner
        if: ${{ matrix.platform == 'linux/amd64' }}
        id: trivy-scan
        uses: aquasecurity/trivy-action@0.29.0
        env:
          # Two DB sources; the second one presumably acts as a fallback when
          # the ghcr.io copy is unavailable or rate limited.
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
        with:
          scan-type: 'image'
          scanners: 'vuln'
          image-ref: ghcr.io/${{ github.repository_owner }}/signal:latest${{ steps.arch_tag_suffix.outputs.archtag }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          # Only HIGH/CRITICAL findings in OS packages and language libraries
          # are reported.
          severity: 'HIGH,CRITICAL'
          vuln-type: 'os,library'
          hide-progress: true
ignore-unfixed: true 93 | exit-code: '0' 94 | - 95 | name: Upload Trivy scan results to GitHub Security tab 96 | if: ${{ matrix.platform == 'linux/amd64' }} 97 | uses: github/codeql-action/upload-sarif@v3 98 | with: 99 | sarif_file: 'trivy-results.sarif' 100 | -------------------------------------------------------------------------------- /.github/workflows/stunnel-build-push-ghcr.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: stunnel-build-push-ghcr 3 | 4 | on: 5 | push: 6 | branches: 7 | - 'master' 8 | paths: 9 | - 'stunnel/**' 10 | - '.github/workflows/stunnel-build-push-ghcr.yml' 11 | pull_request: 12 | paths: 13 | - 'stunnel/**' 14 | - '.github/workflows/stunnel-build-push-ghcr.yml' 15 | workflow_dispatch: 16 | repository_dispatch: 17 | schedule: 18 | - cron: '0 12 15 * *' 19 | 20 | jobs: 21 | docker: 22 | runs-on: ${{ matrix.os }} 23 | permissions: 24 | actions: write 25 | packages: write 26 | contents: read 27 | security-events: write 28 | strategy: 29 | fail-fast: false 30 | matrix: 31 | include: 32 | - os: ubuntu-24.04 33 | arch: amd64 34 | platform: linux/amd64 35 | steps: 36 | - 37 | name: Cancel previous run in progress 38 | uses: styfle/cancel-workflow-action@0.12.1 39 | with: 40 | ignore_sha: true 41 | all_but_latest: true 42 | access_token: ${{ secrets.GITHUB_TOKEN }} 43 | - 44 | name: Checkout 45 | uses: actions/checkout@v4 46 | - 47 | name: Generate arch tag suffix 48 | shell: bash 49 | run: echo "archtag=$([[ "${{ matrix.platform }}" == 'linux/amd64' ]] && echo '' || ( echo -n '-' ; echo "${{ matrix.platform }}" | cut -d '/' -f 2) )" >> $GITHUB_OUTPUT 50 | id: arch_tag_suffix 51 | - 52 | name: Set up Docker Buildx 53 | uses: docker/setup-buildx-action@v3 54 | with: 55 | driver-opts: | 56 | image=moby/buildkit:master 57 | - 58 | name: Log in to registry 59 | uses: docker/login-action@v3 60 | with: 61 | registry: ghcr.io 62 | username: ${{ github.repository_owner }} 63 | password: ${{ 
secrets.GITHUB_TOKEN }} 64 | - 65 | name: Build and push 66 | uses: docker/build-push-action@v6 67 | with: 68 | context: ./stunnel 69 | file: ./stunnel/Dockerfile 70 | build-args: | 71 | TARGETPLATFORM=${{ matrix.platform }} 72 | push: true 73 | provenance: false 74 | platforms: ${{ matrix.platform }} 75 | tags: ghcr.io/${{ github.repository_owner }}/stunnel:latest${{ steps.arch_tag_suffix.outputs.archtag }} 76 | - 77 | name: Run Trivy vulnerability scanner 78 | if: ${{ matrix.platform == 'linux/amd64' }} 79 | id: trivy-scan 80 | uses: aquasecurity/trivy-action@0.29.0 81 | env: 82 | TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db 83 | with: 84 | scan-type: 'image' 85 | scanners: 'vuln' 86 | image-ref: ghcr.io/${{ github.repository_owner }}/stunnel:latest${{ steps.arch_tag_suffix.outputs.archtag }} 87 | format: 'sarif' 88 | output: 'trivy-results.sarif' 89 | severity: 'HIGH,CRITICAL' 90 | vuln-type: 'os,library' 91 | hide-progress: true 92 | ignore-unfixed: true 93 | exit-code: '0' 94 | - 95 | name: Upload Trivy scan results to GitHub Security tab 96 | if: ${{ matrix.platform == 'linux/amd64' }} 97 | uses: github/codeql-action/upload-sarif@v3 98 | with: 99 | sarif_file: 'trivy-results.sarif' 100 | -------------------------------------------------------------------------------- /.github/workflows/xfce-build-push-ghcr.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: xfce-build-push-ghcr 3 | 4 | on: 5 | push: 6 | branches: 7 | - 'main' 8 | pull_request: 9 | workflow_dispatch: 10 | repository_dispatch: 11 | schedule: 12 | - cron: '0 12 15 * *' 13 | 14 | env: 15 | REGISTRY: ghcr.io 16 | IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/xfce 17 | IMAGE_PLATFORM: linux/amd64 18 | REPO_CONTEXT: ./xfce 19 | REPO_CONTAINERFILE: ./xfce/Dockerfile 20 | 21 | jobs: 22 | buildpushscan: 23 | runs-on: ubuntu-latest 24 | permissions: 25 | actions: write 26 | packages: write 27 | contents: 
read
      security-events: write
    # NOTE(review): the action versions here (cancel-workflow-action@0.11.0,
    # checkout@v3, setup-qemu-action@v2, login-action@v2, build-push-action@v3,
    # upload-sarif@v2) appear to be older majors than the ones the signal and
    # stunnel workflows in this repo use (v4 / v3 / v6 / v3); worth aligning.
    # None of them is pinned to a commit SHA, and tags are mutable.
    steps:
      -
        # Uses the `actions: write` permission declared on this job.
        name: Cancel previous run in progress
        id: cancel-previous-runs
        uses: styfle/cancel-workflow-action@0.11.0
        with:
          ignore_sha: true
          all_but_latest: true
          access_token: ${{ secrets.GITHUB_TOKEN }}
      -
        name: Checkout
        id: repo-checkout
        uses: actions/checkout@v3
      -
        # QEMU is registered even though IMAGE_PLATFORM is linux/amd64 only
        # (see the workflow-level env); harmless, but not needed for a native
        # amd64 build.
        name: Set up QEMU
        id: setup-qemu
        uses: docker/setup-qemu-action@v2
      -
        name: Log in to registry
        id: registry-login
        uses: docker/login-action@v2
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      -
        # Builds and immediately pushes the `base` stage as `<image>:base`.
        name: Build base image
        id: build-base-image
        uses: docker/build-push-action@v3
        with:
          context: ${{ env.REPO_CONTEXT }}
          file: ${{ env.REPO_CONTAINERFILE }}
          push: true
          target: base
          tags: ${{ env.IMAGE_NAME }}:base
          # NOTE(review): a token handed over as a build arg is recorded in the
          # image build history/metadata (Docker documents that build args are
          # not a safe channel for secrets). This action's `secrets:` input
          # mounts it for the build without it landing in the image. What the
          # xfce Dockerfile does with GITHUB_TOKEN is outside this page; if it
          # is only used to avoid GitHub API rate limits, the exposure is a
          # short-lived workflow token, but it is still pushed to a public
          # registry twice (here and in the `plus` build below).
          build-args: |
            GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
          platforms: ${{ env.IMAGE_PLATFORM }}
      -
        # Builds the `plus` stage and pushes it as `:latest`. Same build-arg
        # caveat as the base build above.
        name: Build plus image
        id: build-plus-image
        uses: docker/build-push-action@v3
        with:
          context: ${{ env.REPO_CONTEXT }}
          file: ${{ env.REPO_CONTAINERFILE }}
          push: true
          target: plus
          tags: ${{ env.IMAGE_NAME }}:latest
          build-args: |
            GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
          platforms: ${{ env.IMAGE_PLATFORM }}
      -
        # Scans only `:latest` (the `plus` image); the `:base` tag pushed above
        # is not scanned. Both tags are already in the registry at this point,
        # and `exit-code: '0'` below makes the step report-only, so findings
        # never gate publication.
        name: Run Trivy vulnerability scanner
        id: trivy-scan
        # NOTE(review): `@master` is a moving branch ref — the scanner code that
        # runs here can change between runs without review in this repo. The
        # sibling signal/stunnel workflows pin trivy-action@0.29.0; do the same.
        uses: aquasecurity/trivy-action@master
        env:
          # Two DB sources; the second presumably serves as a fallback when the
          # ghcr.io copy is unavailable or rate limited.
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
        with:
          scan-type: 'image'
          scanners: 'vuln'
          image-ref: ${{ env.IMAGE_NAME }}:latest
          format: 'sarif'
          output: 'trivy-results.sarif'
          # HIGH/CRITICAL only, OS packages and language libraries, and
          # findings without an available fix are suppressed.
          severity: 'HIGH,CRITICAL'
          vuln-type: 'os,library'
          hide-progress: true
          ignore-unfixed: true
          exit-code: '0'
      -
        name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2 100 | if: always() 101 | with: 102 | sarif_file: 'trivy-results.sarif' 103 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .envrc 2 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2024, Seth Grover 2 | All rights reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without 5 | modification, are permitted provided that the following conditions are met: 6 | 7 | * Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | * Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation 12 | and/or other materials provided with the distribution. 13 | 14 | * Neither the name of the copyright holder nor the names of its 15 | contributors may be used to endorse or promote products derived from 16 | this software without specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 24 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 25 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 26 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 27 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- /audacity/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM debian:bookworm-slim 2 | 3 | # x11docker --alsa $(find /dev/snd/ -type c | sed 's/^/--share /') oci.guero.org/audacity 4 | 5 | LABEL maintainer="mero.mero.guero@gmail.com" 6 | LABEL org.opencontainers.image.authors='mero.mero.guero@gmail.com' 7 | LABEL org.opencontainers.image.url='https://github.com/mmguero/docker/tree/master/audacity' 8 | LABEL org.opencontainers.image.source='https://github.com/mmguero/docker' 9 | LABEL org.opencontainers.image.title='oci.guero.org/audacity' 10 | LABEL org.opencontainers.image.description='Dockerized Audacity (X11)' 11 | 12 | ENV DEBIAN_FRONTEND noninteractive 13 | ENV LC_ALL C.UTF-8 14 | ENV LANG C.UTF-8 15 | 16 | # configure unprivileged user and runtime parameters 17 | ARG PUID=1000 18 | ARG PGID=1000 19 | ENV PUID $PUID 20 | ENV PGID $PGID 21 | ENV PUSER "audacity" 22 | ENV PGROUP "audacity" 23 | 24 | ADD https://raw.githubusercontent.com/mmguero/docker/master/shared/debian-bookworm-sources.list /etc/apt/sources.list 25 | 26 | RUN rm -f /etc/apt/sources.list.d/debian.sources && \ 27 | apt-get -q update && \ 28 | apt-get install --no-install-recommends -y -q \ 29 | audacity \ 30 | libdbus-glib-1-2 \ 31 | gnome-icon-theme \ 32 | pulseaudio-utils && \ 33 | env DEBIAN_FRONTEND=noninteractive apt-get -q -y 
--purge remove curl && \ 34 | env DEBIAN_FRONTEND=noninteractive apt-get -q -y autoremove && \ 35 | apt-get clean && \ 36 | rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \ 37 | groupadd --gid ${PGID} ${PUSER} && \ 38 | useradd -m --uid ${PUID} --gid ${PGID} ${PUSER} && \ 39 | usermod -a -G audio ${PUSER} && \ 40 | mkdir -p /etc/pulse/ && \ 41 | touch /etc/pulse/client.conf && \ 42 | chown root:audio /etc/pulse/client.conf && \ 43 | chmod 664 /etc/pulse/client.conf && \ 44 | mkdir -p /home/${PUSER}/.audacity-data \ 45 | /home/${PUSER}/.audacity-file && \ 46 | chown -R ${PUID}:${PGID} /home/${PUSER} 47 | 48 | ENTRYPOINT ["/usr/bin/audacity"] -------------------------------------------------------------------------------- /booksonic/.dockerignore: -------------------------------------------------------------------------------- 1 | **/*.crt 2 | **/*.key 3 | **/*.pem 4 | docker-compose*yml 5 | config 6 | audiobooks 7 | podcasts 8 | othermedia -------------------------------------------------------------------------------- /booksonic/audiobooks/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /booksonic/config/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /booksonic/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | 5 | booksonic: 6 | image: linuxserver/booksonic:latest 7 | container_name: booksonic 8 | hostname: booksonic 9 | expose: 10 | - 4040 11 | environment: 12 | - PUID=1000 13 | - PGID=100 14 | - TZ=America/Denver 15 | volumes: 16 | - ./config:/config 17 | - ./audiobooks:/audiobooks 18 | - ./podcasts:/podcasts 19 | - ./othermedia:/othermedia 20 | restart: 
unless-stopped 21 | networks: 22 | - proxy 23 | 24 | proxy: 25 | image: nginx:alpine 26 | container_name: booksonic_proxy 27 | hostname: proxy 28 | links: 29 | - booksonic 30 | expose: 31 | - 80 32 | volumes: 33 | - ./proxy/nginx.conf:/etc/nginx/nginx.conf:ro 34 | networks: 35 | - proxy 36 | restart: unless-stopped 37 | labels: 38 | - "traefik.enable=true" 39 | - "traefik.http.routers.booksonic.rule=Host(`booksonic.example.org`)" 40 | - "traefik.http.routers.booksonic.entrypoints=websecure" 41 | - "traefik.http.routers.booksonic.tls.certresolver=myresolver" 42 | 43 | networks: 44 | proxy: 45 | external: 46 | name: traefik-proxy 47 | 48 | -------------------------------------------------------------------------------- /booksonic/ldap_notes.txt: -------------------------------------------------------------------------------- 1 | Getting LDAP authentication to work with my own certificates on the openLDAP server 2 | 3 | (see ldap_setup.sh) 4 | 5 | 1. config 6 | * ldaps://example.com:636/dc=example,dc=com 7 | * (&(|(|(gidNumber=1000)(gidNumber=100)))(uid={0})(objectClass=posixAccount)) 8 | * cn=binddn,dc=example,dc=com / ******** 9 | * auto-create users 10 | 11 | 2. copy certs to /usr/local/share/ca-certificates/ in container 12 | * for file in /*.crt; do docker cp "$file" booksonic:/usr/local/share/ca-certificates/; done 13 | 14 | 3. docker-compose exec booksonic bash -c 'for file in /usr/local/share/ca-certificates/*.crt; do keytool -importcert -file "$file" -alias "($(basename "$file" | sed "s/\.crt//")" -keystore /usr/lib/jvm/java-8-openjdk-armhf/jre/lib/security/cacerts -keypass changeit -storepass changeit -noprompt; done; kill $(pidof java)' 15 | 16 | 4. 
wait for booksonic to restart 17 | -------------------------------------------------------------------------------- /booksonic/ldap_setup.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # force-navigate to script directory (containing docker-compose.yml) 4 | RUN_PATH="$(pwd)" 5 | [[ "$(uname -s)" = 'Darwin' ]] && REALPATH=grealpath || REALPATH=realpath 6 | [[ "$(uname -s)" = 'Darwin' ]] && DIRNAME=gdirname || DIRNAME=dirname 7 | if ! (type "$REALPATH" && type "$DIRNAME") > /dev/null; then 8 | echo "$(basename "${BASH_SOURCE[0]}") requires $REALPATH and $DIRNAME" 9 | exit 1 10 | fi 11 | SCRIPT_PATH="$($DIRNAME $($REALPATH -e "${BASH_SOURCE[0]}"))" 12 | pushd "$SCRIPT_PATH" >/dev/null 2>&1 13 | 14 | # set up booksonic LDAP configuration 15 | for file in /usr/local/share/ca-certificates/*.crt; do docker cp "$file" booksonic:/usr/local/share/ca-certificates/; done 16 | 17 | docker-compose exec booksonic bash -c 'for file in /usr/local/share/ca-certificates/*.crt; do keytool -importcert -file "$file" -alias "($(basename "$file" | sed "s/\.crt//")" -keystore /usr/lib/jvm/java-8-openjdk-armhf/jre/lib/security/cacerts -keypass changeit -storepass changeit -noprompt; done; kill $(pidof java)' 18 | 19 | popd >/dev/null 2>&1 20 | 21 | -------------------------------------------------------------------------------- /booksonic/othermedia/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /booksonic/podcasts/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /booksonic/proxy/nginx.conf: -------------------------------------------------------------------------------- 1 | worker_processes 1; 2 | 3 | events { 
worker_connections 1024; } 4 | 5 | http { 6 | 7 | include /etc/nginx/mime.types; 8 | sendfile on; 9 | 10 | client_max_body_size 20m; 11 | 12 | fastcgi_buffers 16 64k; 13 | fastcgi_buffer_size 256k; 14 | fastcgi_read_timeout 300s; 15 | fastcgi_busy_buffers_size 384k; 16 | fastcgi_request_buffering off; 17 | 18 | proxy_connect_timeout 180s; 19 | proxy_read_timeout 300s; 20 | proxy_send_timeout 300s; 21 | proxy_buffer_size 512k; 22 | proxy_buffers 16 4m; 23 | proxy_busy_buffers_size 16m; 24 | 25 | upstream docker-booksonic { 26 | server booksonic:4040; 27 | } 28 | 29 | server { 30 | listen 80; 31 | 32 | location / { 33 | gzip off; 34 | 35 | # https://github.com/airsonic/airsonic/issues/260#issuecomment-512648526 36 | sub_filter_types text/xml application/json; 37 | sub_filter_once off; 38 | sub_filter 'subsonic' 'madsonic'; 39 | 40 | proxy_pass http://docker-booksonic; 41 | proxy_set_header Host $http_host; 42 | proxy_set_header X-Real-IP $remote_addr; 43 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 44 | proxy_set_header X-Forwarded-Proto http; 45 | } 46 | } 47 | 48 | } 49 | 50 | -------------------------------------------------------------------------------- /boringproxy/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM golang:alpine AS go-build 2 | 3 | RUN apk --no-cache add --update git && \ 4 | git clone https://github.com/boringproxy/boringproxy.git /boringproxy && \ 5 | cd /boringproxy/cmd/boringproxy && \ 6 | go build -ldflags "-X main.Version=$(git describe --tags)" 7 | 8 | FROM alpine:latest 9 | 10 | LABEL maintainer="mero.mero.guero@gmail.com" 11 | LABEL org.opencontainers.image.authors='mero.mero.guero@gmail.com' 12 | LABEL org.opencontainers.image.url='https://github.com/mmguero/docker/tree/master/boringproxy' 13 | LABEL org.opencontainers.image.source='https://github.com/mmguero/docker' 14 | LABEL org.opencontainers.image.title='oci.guero.org/boringproxy' 15 | LABEL 
org.opencontainers.image.description='Dockerized boringproxy' 16 | 17 | ARG DEFAULT_UID=1000 18 | ARG DEFAULT_GID=1000 19 | ENV DEFAULT_UID $DEFAULT_UID 20 | ENV DEFAULT_GID $DEFAULT_GID 21 | ENV PUSER "boring" 22 | ENV PGROUP "boring" 23 | ENV PUSER_PRIV_DROP true 24 | 25 | ADD https://raw.githubusercontent.com/mmguero/docker/master/shared/docker-uid-gid-setup.sh /usr/local/bin/docker-uid-gid-setup.sh 26 | COPY --from=go-build --chmod=755 /boringproxy/cmd/boringproxy/boringproxy /boringproxy 27 | 28 | RUN apk update --no-cache && \ 29 | apk upgrade --no-cache && \ 30 | apk --no-cache add --update \ 31 | bash \ 32 | ca-certificates \ 33 | libcap \ 34 | openssh-client \ 35 | openssh-server \ 36 | openssl \ 37 | shadow && \ 38 | addgroup -g ${DEFAULT_GID} ${PGROUP} && \ 39 | adduser -D -u ${DEFAULT_UID} -h /home/${PUSER} -s /sbin/nologin -G ${PGROUP} -g ${PUSER} ${PUSER} && \ 40 | mkdir -p /home/${PUSER}/.ssh /home/${PUSER}/certs /home/${PUSER}/db && \ 41 | chmod 700 /home/${PUSER}/.ssh /home/${PUSER}/certs /home/${PUSER}/db && \ 42 | touch /home/${PUSER}/.ssh/authorized_keys && \ 43 | chmod 600 /home/${PUSER}/.ssh/authorized_keys && \ 44 | chown ${PUSER}:${PGROUP} /home/${PUSER}/.ssh /home/${PUSER}/.ssh/authorized_keys && \ 45 | chown root:${PGROUP} /boringproxy && \ 46 | setcap 'CAP_NET_BIND_SERVICE+eip' /boringproxy && \ 47 | chmod 755 /usr/local/bin/docker-uid-gid-setup.sh 48 | 49 | WORKDIR /home/${PUSER}/db 50 | 51 | ENTRYPOINT ["/usr/local/bin/docker-uid-gid-setup.sh", "/boringproxy"] 52 | -------------------------------------------------------------------------------- /boringproxy/boringproxy-docker.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | [[ "$(uname -s)" = 'Darwin' ]] && REALPATH=grealpath || REALPATH=realpath 4 | if ! 
command -v "$REALPATH" >/dev/null 2>&1; then
  echo "$(basename "${BASH_SOURCE[0]}") requires $REALPATH"
  exit 1
fi

# Defaults, overridable via the options parsed below. CONTAINER_ENGINE from the
# environment seeds the engine choice; the image tag defaults to `latest`.
ENGINE="${CONTAINER_ENGINE:-docker}"
IMAGE="oci.guero.org/boringproxy:latest"
TRUSTED_CA=""
CERTS_DIR=""
DB_DIR="$(pwd)"
# Under podman the container runs as uid/gid 0 by default; under docker it
# runs as the invoking user. Presumably this relies on rootless podman mapping
# container root to the host user — confirm for the deployment in use.
if [[ "$ENGINE" == "podman" ]]; then
  CONTAINER_PUID=0
  CONTAINER_PGID=0
else
  CONTAINER_PUID=$(id -u)
  CONTAINER_PGID=$(id -g)
fi

# Option parsing. Note that -v turns on `set -x` for the rest of the script,
# which echoes every subsequent command, including the fully resolved host
# paths that are mounted into the container, to stderr.
while getopts 've:i:u:g:d:c:t:' OPTION; do
  case "$OPTION" in
    v)
      VERBOSE_FLAG="-v"
      set -x
      ;;

    e)
      ENGINE="$OPTARG"
      ;;

    i)
      IMAGE="$OPTARG"
      ;;

    u)
      CONTAINER_PUID="$OPTARG"
      ;;

    g)
      CONTAINER_PGID="$OPTARG"
      ;;

    t)
      TRUSTED_CA="$OPTARG"
      ;;

    c)
      CERTS_DIR="$OPTARG"
      ;;

    d)
      DB_DIR="$OPTARG"
      ;;

    ?)
      # Style: `$0` is unquoted here while the other path expansions in this
      # script are quoted; harmless unless the script path contains whitespace.
      echo "script usage: $(basename $0) [-v] [-e engine] [-i image] [-u uid] [-g gid] [-d db-dir] [-c cert-dir] [-t trust-ca]" >&2
      exit 1
      ;;
  esac
done
# Remaining positional arguments are passed through to the container command.
shift "$(($OPTIND -1))"

MOUNT_ARGS=()
ENV_ARGS=()
CERTS_ARGS=()

# The database directory is created on the host if missing and mounted
# read-write at the container's working directory.
DB_DIR_FULL="$($REALPATH "${DB_DIR}")"
mkdir -p "${DB_DIR_FULL}"
MOUNT_ARGS+=( -v )
MOUNT_ARGS+=( "${DB_DIR_FULL}:/home/boring/db:rw" )

# NOTE(review): the host user's own ~/.ssh/authorized_keys is bind-mounted
# read-write, so anything running in the container can alter who may SSH into
# the host account. Whether boringproxy needs to write this file is not shown
# on this page; if it only reads it, `:ro` limits the blast radius.
if [[ -w "${HOME}"/.ssh/authorized_keys ]]; then
  MOUNT_ARGS+=( -v )
  MOUNT_ARGS+=( "${HOME}/.ssh/authorized_keys:/home/boring/.ssh/authorized_keys:rw" )
fi

# An extra trust anchor is mounted read-only at the same absolute path inside
# the container and advertised through PUSER_CA_TRUST (presumably consumed by
# the docker-uid-gid-setup.sh entrypoint — verify against that script).
if [[ -n "${TRUSTED_CA}" ]] && [[ -e "${TRUSTED_CA}" ]]; then
  TRUSTED_CA_FULL="$($REALPATH "${TRUSTED_CA}")"
  MOUNT_ARGS+=( -v )
  MOUNT_ARGS+=( "${TRUSTED_CA_FULL}:${TRUSTED_CA_FULL}:ro" )
  ENV_ARGS+=( -e )
  ENV_ARGS+=( PUSER_CA_TRUST="${TRUSTED_CA_FULL}" )
fi

# Certificate directory: created first so realpath has something to resolve,
# then mounted read-write (TLS material is written there by the server).
if [[ -n "${CERTS_DIR}" ]]; then
  mkdir -p "${CERTS_DIR}"
  CERTS_DIR_FULL="$($REALPATH "${CERTS_DIR}")"
  MOUNT_ARGS+=( -v )
  MOUNT_ARGS+=(
"${CERTS_DIR_FULL}:/home/boring/certs:rw" ) 92 | CERTS_ARGS+=( -cert-dir ) 93 | CERTS_ARGS+=( /home/boring/certs ) 94 | fi 95 | 96 | "${ENGINE}" run -i -t --rm \ 97 | -e PUID="${CONTAINER_PUID}" \ 98 | -e PGID="${CONTAINER_PGID}" \ 99 | --network host \ 100 | --workdir /home/boring/db \ 101 | "${MOUNT_ARGS[@]}" \ 102 | "${ENV_ARGS[@]}" \ 103 | "${IMAGE}" "$@" "${CERTS_ARGS[@]}" 104 | 105 | -------------------------------------------------------------------------------- /calibre-web/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | 3 | calibre: 4 | image: lscr.io/linuxserver/calibre-web:latest 5 | # platform: linux/arm64/v8 6 | build: 7 | context: . 8 | dockerfile: Dockerfile 9 | container_name: calibre 10 | expose: 11 | - 8083 12 | environment: 13 | - PUID=1000 14 | - PGID=100 15 | - TZ=America/Denver 16 | - DOCKER_MODS=linuxserver/mods:universal-calibre 17 | volumes: 18 | - ./config:/config:rw 19 | - ./data:/books:rw 20 | # - /etc/ssl/certs:/etc/ssl/certs:ro 21 | - ./scripts:/custom-cont-init.d:ro 22 | restart: unless-stopped 23 | # ports: 24 | # - 127.0.0.1:8083:8083 25 | networks: 26 | - proxy 27 | labels: 28 | - "traefik.enable=true" 29 | - "traefik.http.routers.calibre.rule=Host(`calibre.example.org`)" 30 | - "traefik.http.routers.calibre.entrypoints=websecure" 31 | - "traefik.http.routers.calibre.tls.certresolver=myresolver" 32 | - "traefik.http.services.calibre.loadbalancer.server.port=8083" 33 | 34 | networks: 35 | proxy: 36 | name: traefik-proxy 37 | external: true 38 | 39 | -------------------------------------------------------------------------------- /calibre-web/scripts/getevent.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | echo "**** Installing getevent ****" 4 | pip3 install --no-cache-dir -U gevent 5 | 6 | -------------------------------------------------------------------------------- /capa/.gitignore: 
-------------------------------------------------------------------------------- 1 | *.exe 2 | -------------------------------------------------------------------------------- /capa/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM debian:bookworm-slim 2 | 3 | LABEL maintainer="mero.mero.guero@gmail.com" 4 | LABEL org.opencontainers.image.authors='mero.mero.guero@gmail.com' 5 | LABEL org.opencontainers.image.url='https://github.com/mmguero/docker/tree/master/capa' 6 | LABEL org.opencontainers.image.source='https://github.com/mmguero/docker' 7 | LABEL org.opencontainers.image.title='oci.guero.org/capa' 8 | LABEL org.opencontainers.image.description='Dockerized capa' 9 | 10 | ARG DEFAULT_UID=1000 11 | ARG DEFAULT_GID=1000 12 | ENV DEFAULT_UID $DEFAULT_UID 13 | ENV DEFAULT_GID $DEFAULT_GID 14 | ENV PUSER "capa" 15 | ENV PGROUP "capa" 16 | ENV PUSER_PRIV_DROP true 17 | 18 | ENV DEBIAN_FRONTEND noninteractive 19 | ENV TERM xterm 20 | 21 | ENV CAPA_VERSION "9.1.0" 22 | ENV CAPA_URL "https://github.com/fireeye/capa/releases/download/v${CAPA_VERSION}/capa-v${CAPA_VERSION}-linux.zip" 23 | ENV CAPA_DIR "/opt/capa" 24 | ENV CAPA_BIN "${CAPA_DIR}/capa" 25 | 26 | ADD "$CAPA_URL" /tmp/capa.zip 27 | 28 | RUN apt-get update && \ 29 | apt-get install --no-install-recommends -y -q \ 30 | unzip && \ 31 | cd /tmp && \ 32 | unzip ./capa.zip && \ 33 | chmod 755 ./capa && \ 34 | mkdir -p "${CAPA_DIR}" && \ 35 | mv ./capa "${CAPA_BIN}" && \ 36 | rm -f ./capa.zip && \ 37 | apt-get -y -q --allow-downgrades --allow-remove-essential --allow-change-held-packages --purge remove \ 38 | unzip && \ 39 | apt-get -q -y autoremove && \ 40 | apt-get clean && \ 41 | rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* 42 | 43 | ADD https://raw.githubusercontent.com/mmguero/docker/master/shared/docker-uid-gid-setup.sh /usr/local/bin/docker-uid-gid-setup.sh 44 | 45 | RUN chmod 755 /usr/local/bin/docker-uid-gid-setup.sh && \ 46 | groupadd --gid ${DEFAULT_GID} 
${PUSER} && \ 47 | useradd -m --uid ${DEFAULT_UID} --gid ${DEFAULT_GID} ${PUSER} 48 | 49 | ENV PATH "${CAPA_DIR}:${PATH}" 50 | 51 | ENTRYPOINT ["/usr/local/bin/docker-uid-gid-setup.sh", "${CAPA_BIN}" ] 52 | -------------------------------------------------------------------------------- /capa/capa-docker.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | ENCODING="utf-8" 4 | 5 | IMAGE="${CAPA_IMAGE:-oci.guero.org/capa:latest}" 6 | ENGINE="${CONTAINER_ENGINE:-docker}" 7 | 8 | IN_FILE="$1" 9 | if [[ -z $IN_FILE ]] ; then 10 | echo "usage:" 11 | echo " capa-docker.sh [capa options]" 12 | exit 1 13 | elif [[ ! -f "$IN_FILE" ]]; then 14 | echo "usage:" 15 | echo " capa-docker.sh [capa options]" 16 | echo "" 17 | echo "$IN_FILE does not exist!" 18 | exit 1 19 | else 20 | shift 21 | fi 22 | 23 | TEMP_DIR=$(mktemp -d -t capa.XXXXXXXXXX) 24 | 25 | function finish { 26 | rm -rf "$TEMP_DIR" 27 | } 28 | trap finish EXIT 29 | 30 | IN_BASENAME="$(basename "$IN_FILE")" 31 | 32 | cp "$IN_FILE" "$TEMP_DIR/" 33 | 34 | $ENGINE run --rm -t \ 35 | -v "$TEMP_DIR:/data:rw" \ 36 | -e PUSER_PRIV_DROP=$([[ "$CONTAINER_ENGINE" == "docker" ]] && echo true || echo false) \ 37 | "$CAPA_IMAGE" "/data/$IN_BASENAME" "$@" 38 | -------------------------------------------------------------------------------- /chromium/chromium-docker.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | ENGINE="${CONTAINER_ENGINE:-docker}" 4 | if [[ "$ENGINE" == "podman" ]]; then 5 | CONTAINER_PUID=0 6 | CONTAINER_PGID=0 7 | else 8 | CONTAINER_PUID=$(id -u) 9 | CONTAINER_PGID=$(id -g) 10 | fi 11 | 12 | function dstopped(){ 13 | local name=$1 14 | local state 15 | state=$($ENGINE inspect --format "{{.State.Running}}" "$name" 2>/dev/null) 16 | 17 | if [[ "$state" == "false" ]]; then 18 | $ENGINE rm "$name" 19 | fi 20 | } 21 | 22 | dstopped chromium 23 | 24 | # detect gpu devices to pass 
through 25 | GPU_DEVICES=$( \ 26 | echo "$( \ 27 | find /dev -maxdepth 1 -regextype posix-extended -iregex '.+/nvidia([0-9]|ctl)' \ 28 | | grep --color=never '.' \ 29 | || echo '/dev/dri'\ 30 | )" \ 31 | | sed -E "s/^/--device /" \ 32 | ) 33 | 34 | 35 | DOWNLOAD_DIR="$(type xdg-user-dir >/dev/null 2>&1 && xdg-user-dir DOWNLOAD || echo "$HOME/Downloads")" 36 | 37 | mkdir -p "$DOWNLOAD_DIR" \ 38 | "$HOME"/.config/chromium 39 | export XDG_RUNTIME_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}" 40 | 41 | # create the container 42 | $ENGINE run -d --rm \ 43 | --name chromium \ 44 | --cap-add SYS_ADMIN \ 45 | --security-opt apparmor:unconfined \ 46 | --net host \ 47 | --device /dev/input \ 48 | --group-add $(getent group audio | cut -d: -f3) \ 49 | $GPU_DEVICES \ 50 | -v "$DOWNLOAD_DIR:/downloads" \ 51 | -v "$HOME/.config/chromium:/data" \ 52 | -e PUID=$CONTAINER_PUID \ 53 | -e PGID=$CONTAINER_PGID \ 54 | -e DISPLAY=unix$DISPLAY \ 55 | -e LANG=${LANG:-en_US.UTF-8} \ 56 | -e PULSE_SERVER=unix:$XDG_RUNTIME_DIR/pulse/native \ 57 | -v /tmp/.X11-unix:/tmp/.X11-unix:ro \ 58 | -v /dev/shm:/dev/shm \ 59 | -v /etc/machine-id:/etc/machine-id:ro \ 60 | -v $XDG_RUNTIME_DIR/pulse:$XDG_RUNTIME_DIR/pulse:ro \ 61 | -v $XDG_RUNTIME_DIR/bus:$XDG_RUNTIME_DIR/bus:ro \ 62 | -v /var/lib/dbus/machine-id:/var/lib/dbus/machine-id:ro \ 63 | -v /run/dbus:/run/dbus:ro \ 64 | -v /run/udev/data:/run/udev/data:ro \ 65 | -v /etc/localtime:/etc/localtime:ro \ 66 | -v /etc/timezone:/etc/timezone:ro \ 67 | andrewmackrodt/chromium-x11 68 | -------------------------------------------------------------------------------- /chromium/chromium.desktop: -------------------------------------------------------------------------------- 1 | [Desktop Entry] 2 | Name=Chromium 3 | Comment=Web Browser 4 | GenericName=Web Browser 5 | X-GNOME-FullName=Chromium Web Browser 6 | Exec=/home/user/.local/bin/chromium-docker.sh %u 7 | Terminal=false 8 | X-MultipleArgs=false 9 | Type=Application 10 | Icon=web-browser.png 11 | 
Categories=Network;WebBrowser; 12 | MimeType=text/html;text/xml;application/xhtml+xml;application/xml;application/vnd.mozilla.xul+xml;application/rss+xml;application/rdf+xml;image/gif;image/jpeg;image/png;x-scheme-handler/http;x-scheme-handler/https; 13 | StartupWMClass=Chromium 14 | StartupNotify=true 15 | -------------------------------------------------------------------------------- /ctfd/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ctfd/ctfd:3.7.6 2 | 3 | LABEL maintainer="mero.mero.guero@gmail.com" 4 | LABEL org.opencontainers.image.authors='mero.mero.guero@gmail.com' 5 | LABEL org.opencontainers.image.url='https://github.com/mmguero/docker' 6 | LABEL org.opencontainers.image.source='https://github.com/mmguero/docker' 7 | LABEL org.opencontainers.image.title='oci.guero.org/ctfd' 8 | LABEL org.opencontainers.image.description='Dockerized CTFd' 9 | 10 | ARG DEFAULT_UID=1000 11 | ARG DEFAULT_GID=1000 12 | ENV DEFAULT_UID $DEFAULT_UID 13 | ENV DEFAULT_GID $DEFAULT_GID 14 | ENV PUSER "ctfd" 15 | ENV PGROUP "ctfd" 16 | ENV PUSER_PRIV_DROP true 17 | ENV PUSER_CHOWN "/opt/CTFd;/var/log/CTFd;/var/uploads" 18 | 19 | ENV TERM xterm 20 | 21 | USER root 22 | 23 | ADD https://raw.githubusercontent.com/mmguero/docker/master/shared/docker-uid-gid-setup.sh /usr/bin/docker-uid-gid-setup.sh 24 | 25 | RUN mkdir -p /opt/CTFd /var/log/CTFd /var/uploads && \ 26 | chown -R $PUSER:$PGROUP /opt/CTFd /var/log/CTFd /var/uploads && \ 27 | chmod 755 /usr/bin/docker-uid-gid-setup.sh 28 | 29 | ENTRYPOINT ["/usr/bin/docker-uid-gid-setup.sh", "/opt/CTFd/docker-entrypoint.sh"] 30 | -------------------------------------------------------------------------------- /ctfd/data/CTFd/logs/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /ctfd/data/CTFd/uploads/.gitignore: 
-------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /ctfd/data/mariadb/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /ctfd/data/redis/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /ctfd/docker-compose.yml: -------------------------------------------------------------------------------- 1 | x-process-variables: &process-variables 2 | # If you're using podman (which does the UID/GUID mapping for you) 3 | # change PUID/PGID to 0, uncomment PUSER_PRIV_DROP : 'false' and 4 | # set '--user=mysql' to '--user=root' in the ctfd command section. 5 | PUID : 1000 6 | PGID : 1000 7 | # PUSER_PRIV_DROP : 'false' 8 | 9 | services: 10 | ctfd: 11 | image: oci.guero.org/ctfd:latest 12 | container_name: ctfd 13 | hostname: ctfd 14 | restart: unless-stopped 15 | environment: 16 | << : *process-variables 17 | UPLOAD_FOLDER : '/var/uploads' 18 | DATABASE_URL : 'mysql+pymysql://ctfd:Correct_Horse_Battery_Staple@db/ctfd' 19 | REDIS_URL : 'redis://cache:6379' 20 | WORKERS : 5 21 | LOG_FOLDER : '/var/log/CTFd' 22 | ACCESS_LOG : '-' 23 | ERROR_LOG : '-' 24 | REVERSE_PROXY : 'false' 25 | SECRET_KEY : 'Mistake_After_Childhood_Roar' 26 | volumes: 27 | - ./data/CTFd/logs:/var/log/CTFd:rw 28 | - ./data/CTFd/uploads:/var/uploads:rw 29 | depends_on: 30 | - db 31 | networks: 32 | - default 33 | ports: 34 | - "127.0.0.1:8000:8000" 35 | 36 | db: 37 | image: oci.guero.org/mariadb:latest 38 | container_name: db 39 | hostname: db 40 | restart: unless-stopped 41 | environment: 42 | << : *process-variables 43 | MYSQL_ROOT_PASSWORD : 'ctfd' 44 | MYSQL_USER : 
'ctfd' 45 | MYSQL_PASSWORD : 'Correct_Horse_Battery_Staple' 46 | MYSQL_DATABASE : 'ctfd' 47 | volumes: 48 | - ./data/mariadb:/var/lib/mysql:rw 49 | networks: 50 | - default 51 | command: [mariadbd, --user=mysql, --character-set-server=utf8mb4, --collation-server=utf8mb4_unicode_ci, --wait_timeout=28800, --log-warnings=0] 52 | 53 | cache: 54 | image: oci.guero.org/redis:latest 55 | container_name: cache 56 | hostname: cache 57 | restart: unless-stopped 58 | networks: 59 | - default 60 | environment: 61 | << : *process-variables 62 | command: 63 | - sh 64 | - -c 65 | - redis-server 66 | volumes: 67 | - ./data/redis:/data:rw 68 | healthcheck: 69 | test: ["CMD-SHELL", "pidof redis-server || exit 1" ] 70 | interval: 60s 71 | timeout: 15s 72 | retries: 3 73 | start_period: 45s 74 | 75 | networks: 76 | default: 77 | external: false 78 | 79 | 80 | -------------------------------------------------------------------------------- /debian/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM debian:bookworm-slim 2 | 3 | ARG DEFAULT_UID=1000 4 | ARG DEFAULT_GID=1000 5 | ENV DEFAULT_UID $DEFAULT_UID 6 | ENV DEFAULT_GID $DEFAULT_GID 7 | ENV PUSER "user" 8 | ENV PGROUP "user" 9 | 10 | ENV PUSER_PRIV_DROP true 11 | 12 | ARG GITHUB_TOKEN 13 | 14 | ADD https://raw.githubusercontent.com/mmguero/docker/master/shared/docker-uid-gid-setup.sh /usr/local/bin/docker-uid-gid-setup.sh 15 | ADD https://raw.githubusercontent.com/mmguero/docker/master/shared/debian-bookworm-sources.list /etc/apt/sources.list 16 | COPY --chmod=755 external_tools_install.sh /usr/local/bin/ 17 | 18 | RUN rm -f /etc/apt/sources.list.d/debian.sources && \ 19 | apt-get -q update && \ 20 | apt-get install -q -y --no-install-recommends \ 21 | fasttrack-archive-keyring && \ 22 | echo "deb https://fasttrack.debian.net/debian/ bookworm-fasttrack main contrib non-free" >> /etc/apt/sources.list && \ 23 | apt-get -y -q --no-install-recommends upgrade && \ 24 | apt-get install -q 
-y --no-install-recommends \ 25 | autossh \ 26 | bash \ 27 | bc \ 28 | bzip2 \ 29 | ca-certificates \ 30 | curl \ 31 | detox \ 32 | direnv \ 33 | dtrx \ 34 | expect \ 35 | f3 \ 36 | file \ 37 | git \ 38 | gpg \ 39 | iproute2 \ 40 | iputils-ping \ 41 | jc \ 42 | jo \ 43 | jq \ 44 | less \ 45 | lz4 \ 46 | moreutils \ 47 | ncat \ 48 | ncdu \ 49 | netcat-openbsd \ 50 | openssh-client \ 51 | procps \ 52 | psmisc \ 53 | pv \ 54 | p7zip-full \ 55 | p7zip-rar \ 56 | ripgrep \ 57 | rsync \ 58 | socat \ 59 | sqlite3 \ 60 | stunnel \ 61 | sudo \ 62 | telnet \ 63 | unzip \ 64 | vim-tiny \ 65 | w3m \ 66 | wget \ 67 | whois \ 68 | xz-utils \ 69 | zip \ 70 | zlib1g && \ 71 | sed -i "s/set[[:space:]]*compatible/set nocompatible/g" /etc/vim/vimrc.tiny && \ 72 | groupadd --gid ${DEFAULT_GID} ${PGROUP} && \ 73 | useradd -m --uid ${DEFAULT_UID} --gid ${DEFAULT_GID} --home /home/${PUSER} ${PUSER} && \ 74 | usermod -a -G tty ${PUSER} && \ 75 | chsh -s /bin/bash ${PUSER} && \ 76 | usermod -a -G sudo ${PUSER} && \ 77 | echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers && \ 78 | chmod 755 /usr/local/bin/docker-uid-gid-setup.sh && \ 79 | GITHUB_TOKEN=$GITHUB_TOKEN /usr/local/bin/external_tools_install.sh && \ 80 | find /usr/bin -mindepth 1 -maxdepth 1 -type f ! 
-user root -exec chown -v root:root "{}" ';' && \ 81 | apt-get clean && \ 82 | rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/local/bin/external_tools_install.sh 83 | 84 | ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/docker-uid-gid-setup.sh"] 85 | 86 | ENTRYPOINT /bin/bash 87 | -------------------------------------------------------------------------------- /docker-registry/certs/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /docker-registry/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | docker run -d --restart=always --name registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key -p 5000:5000 registry:2 4 | -------------------------------------------------------------------------------- /elasticsearch/.env.example: -------------------------------------------------------------------------------- 1 | ELASTIC_PASSWORD=password 2 | KIBANA_PASSWORD=password 3 | STACK_VERSION=8.18.0 4 | CLUSTER_NAME=docker-cluster 5 | LICENSE=basic 6 | ES_PORT=9200 7 | KIBANA_PORT=5601 8 | MEM_LIMIT=4294967296 9 | -------------------------------------------------------------------------------- /elasticsearch/.gitignore: -------------------------------------------------------------------------------- 1 | .env 2 | 3 | -------------------------------------------------------------------------------- /fakemachine/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM golang:latest as build 2 | 3 | RUN mkdir -p /usr/src && \ 4 | cd /usr/src && \ 5 | git clone --recurse-submodules --shallow-submodules --single-branch --depth 1 https://github.com/go-debos/fakemachine && \ 6 | cd ./fakemachine/cmd/fakemachine && \ 7 
| go build . 8 | 9 | FROM tianon/qemu:native 10 | 11 | LABEL maintainer="mero.mero.guero@gmail.com" 12 | LABEL org.opencontainers.image.authors='mero.mero.guero@gmail.com' 13 | LABEL org.opencontainers.image.url='https://github.com/mmguero/docker/tree/master/fakemachine' 14 | LABEL org.opencontainers.image.source='https://github.com/mmguero/docker' 15 | LABEL org.opencontainers.image.title='oci.guero.org/fakemachine' 16 | LABEL org.opencontainers.image.description='Dockerized fakemachine' 17 | 18 | ARG DEFAULT_UID=1000 19 | ARG DEFAULT_GID=1000 20 | ENV DEFAULT_UID $DEFAULT_UID 21 | ENV DEFAULT_GID $DEFAULT_GID 22 | ENV PUSER "fakemachine" 23 | ENV PGROUP "fakemachine" 24 | ENV PUSER_PRIV_DROP true 25 | 26 | ADD https://raw.githubusercontent.com/mmguero/docker/master/shared/docker-uid-gid-setup.sh /usr/local/bin/docker-uid-gid-setup.sh 27 | 28 | RUN apt-get -q update && \ 29 | apt-get -y -q --no-install-recommends upgrade && \ 30 | apt-get -y -q --allow-downgrades --allow-remove-essential --allow-change-held-packages install --no-install-recommends \ 31 | bash \ 32 | busybox \ 33 | libslirp-helper \ 34 | procps \ 35 | psmisc \ 36 | rsync \ 37 | tini \ 38 | user-mode-linux && \ 39 | apt-get -y autoremove -qq && \ 40 | apt-get clean && \ 41 | rm -rf /var/cache/apt/* /var/lib/apt/lists/* /tmp/* /var/tmp/* && \ 42 | groupadd --gid ${DEFAULT_GID} ${PUSER} && \ 43 | useradd -M --uid ${DEFAULT_UID} --gid ${DEFAULT_GID} --home /nonexistant ${PUSER} && \ 44 | usermod -a -G tty ${PUSER} && \ 45 | chmod 755 /usr/local/bin/docker-uid-gid-setup.sh 46 | 47 | COPY --from=build --chmod=755 /usr/src/fakemachine/cmd/fakemachine/fakemachine /usr/bin/fakemachine 48 | 49 | ENTRYPOINT ["/usr/bin/tini", \ 50 | "--", \ 51 | "/usr/local/bin/docker-uid-gid-setup.sh", \ 52 | "/usr/bin/fakemachine"] 53 | -------------------------------------------------------------------------------- /fetch/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM 
golang:alpine AS go-build 2 | 3 | RUN apk --no-cache add --update git ca-certificates && \ 4 | update-ca-certificates && \ 5 | git clone https://github.com/gruntwork-io/fetch /fetch && \ 6 | cd /fetch && \ 7 | go build -ldflags "-X main.Version=$(git describe --tags)" 8 | 9 | LABEL maintainer="mero.mero.guero@gmail.com" 10 | LABEL org.opencontainers.image.authors='mero.mero.guero@gmail.com' 11 | LABEL org.opencontainers.image.url='https://github.com/mmguero/docker/tree/master/fetch' 12 | LABEL org.opencontainers.image.source='https://github.com/mmguero/docker' 13 | LABEL org.opencontainers.image.title='oci.guero.org/fetch' 14 | LABEL org.opencontainers.image.description='Dockerized fetch' 15 | 16 | 17 | FROM scratch 18 | 19 | COPY --from=go-build --chmod=755 /fetch/fetch /fetch 20 | COPY --from=go-build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ 21 | 22 | ENTRYPOINT ["/fetch"] 23 | -------------------------------------------------------------------------------- /fetch/fetch-docker.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | ENGINE="${CONTAINER_ENGINE:-docker}" 4 | UID_ARGS=() 5 | if [[ "$ENGINE" == "docker" ]]; then 6 | UID_ARGS+=( --user ) 7 | UID_ARGS+=( $(id -u):$(id -g) ) 8 | fi 9 | 10 | TEMP_DIR="$(TMPDIR="$(pwd)" mktemp -d -t fetch.XXXXXXXXXX)" 11 | TEMP_DIR_BASENAME="$(basename "$TEMP_DIR")" 12 | 13 | function finish { 14 | rm -rf "$TEMP_DIR" 15 | } 16 | trap finish EXIT 17 | 18 | $ENGINE run -i -t --rm \ 19 | "${UID_ARGS[@]}" \ 20 | -v "$TEMP_DIR:/tmp/$TEMP_DIR_BASENAME:rw" \ 21 | -w "/tmp/$TEMP_DIR_BASENAME" \ 22 | oci.guero.org/fetch "$@" "/tmp/$TEMP_DIR_BASENAME" 23 | 24 | mv "$TEMP_DIR"/* ./ >/dev/null 2>&1 || true 25 | -------------------------------------------------------------------------------- /filepond/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | upload: 3 | build: 4 | context: . 
5 | dockerfile: Dockerfile 6 | image: oci.guero.org/filepond-nginx:latest 7 | restart: "no" 8 | stdin_open: false 9 | tty: true 10 | hostname: upload 11 | networks: 12 | - default 13 | environment: 14 | - PUID=1000 15 | - PGID=1000 16 | ports: 17 | - "127.0.0.1:8000:80" 18 | volumes: 19 | - ./upload:/var/www/upload/server/php/files:rw 20 | healthcheck: 21 | test: ["CMD", "wget", "-qO-", "http://localhost"] 22 | interval: 30s 23 | timeout: 15s 24 | retries: 3 25 | start_period: 60s 26 | 27 | networks: 28 | default: 29 | external: false 30 | -------------------------------------------------------------------------------- /filepond/nginx/sites-available/default: -------------------------------------------------------------------------------- 1 | server { 2 | listen 80 default_server; 3 | 4 | sendfile on; 5 | gzip off; 6 | client_max_body_size 50G; 7 | client_body_buffer_size 4M; 8 | 9 | root /var/www/upload; 10 | index index.php index.html; 11 | autoindex off; 12 | 13 | location ^~ /server/php/(files|tmp|variants) { 14 | deny all; 15 | return 404; 16 | } 17 | 18 | location ~ (\.php|/server/php/)$ { 19 | include snippets/fastcgi-php.conf; 20 | fastcgi_buffers 16 64k; 21 | fastcgi_buffer_size 256k; 22 | fastcgi_read_timeout 300s; 23 | fastcgi_send_timeout 300s; 24 | fastcgi_busy_buffers_size 384k; 25 | fastcgi_request_buffering off; 26 | fastcgi_pass unix:/run/php/php8.2-fpm.sock; 27 | } 28 | 29 | location ~ /\.ht { 30 | deny all; 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /filepond/php/config.php: -------------------------------------------------------------------------------- 1 | /etc/pulse/client.conf 5 | # Connect to the host's server using the mounted UNIX socket 6 | default-server = $PULSE_SERVER 7 | 8 | # Prevent a server running in the container 9 | autospawn = no 10 | daemon-binary = /bin/true 11 | 12 | # Prevent the use of shared memory 13 | enable-shm = false 14 | EOF 15 | fi 16 | 17 | exec 
/opt/firefox/firefox "$@" 18 | -------------------------------------------------------------------------------- /firefox/firefox-docker.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | ENGINE="${CONTAINER_ENGINE:-docker}" 4 | if [[ "$ENGINE" == "podman" ]]; then 5 | CONTAINER_PUID=0 6 | CONTAINER_PGID=0 7 | else 8 | CONTAINER_PUID=$(id -u) 9 | CONTAINER_PGID=$(id -g) 10 | fi 11 | 12 | function dstopped(){ 13 | local name=$1 14 | local state 15 | state=$($ENGINE inspect --format "{{.State.Running}}" "$name" 2>/dev/null) 16 | 17 | if [[ "$state" == "false" ]]; then 18 | $ENGINE rm "$name" 19 | fi 20 | 21 | echo "$state" 22 | } 23 | 24 | state=$(dstopped firefox) 25 | 26 | if [[ "$state" == "true" ]]; then 27 | $ENGINE exec -u $CONTAINER_PUID -d firefox /opt/firefox/firefox --new-tab --url "$@" 28 | 29 | else 30 | GPU_DEVICES=$( \ 31 | echo "$( \ 32 | find /dev -maxdepth 1 -regextype posix-extended -iregex '.+/nvidia([0-9]|ctl)' \ 33 | | grep --color=never '.' 
\ 34 | || echo '/dev/dri'\ 35 | )" \ 36 | | sed -E "s/^/--device /" \ 37 | ) 38 | 39 | DOWNLOAD_DIR="$(type xdg-user-dir >/dev/null 2>&1 && xdg-user-dir DOWNLOAD || echo "$HOME/Downloads")" 40 | 41 | mkdir -p "$DOWNLOAD_DIR" \ 42 | "$HOME"/.mozilla/firefox \ 43 | "$HOME"/.cache/mozilla/firefox 44 | export XDG_RUNTIME_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}" 45 | 46 | $ENGINE run -d --rm \ 47 | --net host \ 48 | -v "$HOME/.mozilla/firefox:/home/firefox/.mozilla/firefox" \ 49 | -v "$HOME/.cache/mozilla/firefox:/home/firefox/.cache/mozilla/firefox" \ 50 | -v "$DOWNLOAD_DIR:/home/firefox/Downloads" \ 51 | -v $XDG_RUNTIME_DIR/bus:$XDG_RUNTIME_DIR/bus:ro \ 52 | -v $XDG_RUNTIME_DIR/pulse:$XDG_RUNTIME_DIR/pulse:ro \ 53 | -v /dev/shm:/dev/shm \ 54 | -v /tmp:/tmp \ 55 | -v /etc/localtime:/etc/localtime:ro \ 56 | -v /etc/timezone:/etc/timezone:ro \ 57 | -v /etc/machine-id:/etc/machine-id:ro \ 58 | -v /run/dbus:/run/dbus:ro \ 59 | -v /run/udev/data:/run/udev/data:ro \ 60 | -v /tmp/.X11-unix:/tmp/.X11-unix:ro \ 61 | -v /var/lib/dbus/machine-id:/var/lib/dbus/machine-id:ro \ 62 | -e "DISPLAY=$DISPLAY" \ 63 | -e GDK_DPI_SCALE \ 64 | -e GDK_SCALE \ 65 | -e PGID=$CONTAINER_PGID \ 66 | -e PUID=$CONTAINER_PUID \ 67 | -e PULSE_SERVER=unix:$XDG_RUNTIME_DIR/pulse/native \ 68 | -e TZ="$(head -n 1 /etc/timezone)" \ 69 | --device /dev/input \ 70 | $GPU_DEVICES \ 71 | --group-add $(getent group audio | cut -d: -f3) \ 72 | --name firefox \ 73 | oci.guero.org/firefox "$@" 74 | fi -------------------------------------------------------------------------------- /firefox/firefox.desktop: -------------------------------------------------------------------------------- 1 | [Desktop Entry] 2 | Name=Firefox 3 | Comment=Web Browser 4 | GenericName=Web Browser 5 | X-GNOME-FullName=Firefox Web Browser 6 | Exec=/home/user/.local/bin/firefox-docker.sh %u 7 | Terminal=false 8 | X-MultipleArgs=false 9 | Type=Application 10 | Icon=web-browser.png 11 | Categories=Network;WebBrowser; 12 | 
MimeType=text/html;text/xml;application/xhtml+xml;application/xml;application/vnd.mozilla.xul+xml;application/rss+xml;application/rdf+xml;image/gif;image/jpeg;image/png;x-scheme-handler/http;x-scheme-handler/https; 13 | StartupWMClass=Firefox 14 | StartupNotify=true 15 | -------------------------------------------------------------------------------- /firefox/local.conf: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | rgb 7 | 8 | 9 | 10 | 11 | true 12 | 13 | 14 | 15 | 16 | hintslight 17 | 18 | 19 | 20 | 21 | true 22 | 23 | 24 | 25 | 26 | lcddefault 27 | 28 | 29 | 30 | 31 | false 32 | 33 | 34 | 35 | -------------------------------------------------------------------------------- /fluentd/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM docker.io/library/fluentd:latest 2 | USER root 3 | RUN ["gem", "install", "fluent-plugin-loomsystems"] 4 | USER fluent 5 | -------------------------------------------------------------------------------- /fluentd/conf/fluent.conf: -------------------------------------------------------------------------------- 1 | 2 | @type tcp 3 | tag ** 4 | 5 | @type json 6 | 7 | bind 0.0.0.0 8 | port 24224 9 | 10 | 11 | 12 | @type loomsystems 13 | host 10.9.0.215 14 | use_ssl false 15 | port 5045 16 | -------------------------------------------------------------------------------- /fluentd/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | fluentd: 3 | image: fluentd-test:latest 4 | build: 5 | context: . 
6 | dockerfile: Dockerfile 7 | volumes: 8 | - ./conf:/fluentd/etc 9 | ports: 10 | - "24224:24224" 11 | - "24224:24224/udp" 12 | networks: 13 | - default 14 | 15 | networks: 16 | default: 17 | external: false 18 | -------------------------------------------------------------------------------- /forgejo/.dockerignore: -------------------------------------------------------------------------------- 1 | .env 2 | forgejo -------------------------------------------------------------------------------- /forgejo/.gitignore: -------------------------------------------------------------------------------- 1 | .env 2 | -------------------------------------------------------------------------------- /forgejo/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM codeberg.org/forgejo/forgejo:10 2 | 3 | LABEL maintainer="mero.mero.guero@gmail.com" 4 | LABEL org.opencontainers.image.authors='mero.mero.guero@gmail.com' 5 | LABEL org.opencontainers.image.url='https://github.com/mmguero/docker' 6 | LABEL org.opencontainers.image.source='https://github.com/mmguero/docker' 7 | LABEL org.opencontainers.image.title='oci.guero.org/forgejo' 8 | LABEL org.opencontainers.image.description='Dockerized Forgejo unsafely running as root' 9 | 10 | RUN sed -i '/^RUN_MODE[[:space:]]*=.*/a RUN_USER = root\nI_AM_BEING_UNSAFE_RUNNING_AS_ROOT = true' /etc/templates/app.ini 11 | -------------------------------------------------------------------------------- /forgejo/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | 3 | ################################################################################ 4 | server: 5 | container_name: forgejo 6 | restart: unless-stopped 7 | # 8 | # docker: 9 | # image: codeberg.org/forgejo/forgejo:1.18.0-rc1-1-rootless 10 | # (doesn't exist yet? 
https://codeberg.org/forgejo/-/packages) 11 | # OR 12 | # image: codeberg.org/forgejo/forgejo:1.18.0-rc1-1 13 | # (may need to manually chown .ssh directory upon startup?) 14 | # 15 | # podman (rootless): 16 | image: oci.guero.org/forgejo:root 17 | # 18 | build: 19 | context: . 20 | dockerfile: Dockerfile 21 | # 22 | env_file: .env 23 | volumes: 24 | # 25 | # docker (latest-rootless): 26 | # - ./forgejo/git:/var/lib/gitea:rw 27 | # - ./forgejo/conf:/etc/gitea:rw 28 | # 29 | # docker (latest): 30 | # - ./forgejo/git:/data/git:rw 31 | # - ./forgejo/conf:/data/gitea/conf:rw 32 | # - ./forgejo/log:/data/gitea/log:rw 33 | # 34 | # podman: 35 | - ./forgejo/git:/data/git:rw 36 | - ./forgejo/conf:/data/gitea/conf:rw 37 | - ./forgejo/log:/data/gitea/log:rw 38 | # 39 | - /etc/timezone:/etc/timezone:ro 40 | - /etc/localtime:/etc/localtime:ro 41 | networks: 42 | - forgejo 43 | ports: 44 | - "127.0.0.1:3000:3000" 45 | # - "127.0.0.1:2222:2222" 46 | 47 | ################################################################################ 48 | db: 49 | container_name: forgejo-db 50 | restart: unless-stopped 51 | image: lscr.io/linuxserver/mariadb:latest 52 | env_file: .env 53 | volumes: 54 | - ./forgejo/db:/config:rw 55 | networks: 56 | - forgejo 57 | 58 | networks: 59 | forgejo: 60 | external: false 61 | # name: 62 | -------------------------------------------------------------------------------- /forgejo/env.docker.sample: -------------------------------------------------------------------------------- 1 | # forgejo 2 | USER_UID=1000 3 | USER_GID=1000 4 | ROOT_URL=http://localhost:3000/ 5 | GITEA__database__DB_TYPE=mysql 6 | GITEA__database__HOST=db:3306 7 | GITEA__database__NAME=forgejo 8 | GITEA__database__USER=forgejo 9 | GITEA__database__PASSWD=forgejo 10 | 11 | # mariadb 12 | PUID=1000 13 | PGID=1000 14 | TZ=America/Boise 15 | MYSQL_DATABASE=forgejo 16 | MYSQL_USER=forgejo 17 | MYSQL_PASSWORD=forgejo 18 | MYSQL_ROOT_PASSWORD=forgejo 
-------------------------------------------------------------------------------- /forgejo/env.podman.sample: -------------------------------------------------------------------------------- 1 | # forgejo 2 | USER_UID=0 3 | USER_GID=0 4 | ROOT_URL=http://localhost:3000/ 5 | GITEA__database__DB_TYPE=mysql 6 | GITEA__database__HOST=db:3306 7 | GITEA__database__NAME=forgejo 8 | GITEA__database__USER=forgejo 9 | GITEA__database__PASSWD=forgejo 10 | 11 | # mariadb 12 | PUID=0 13 | PGID=0 14 | TZ=America/Boise 15 | MYSQL_DATABASE=forgejo 16 | MYSQL_USER=forgejo 17 | MYSQL_PASSWORD=forgejo 18 | MYSQL_ROOT_PASSWORD=forgejo -------------------------------------------------------------------------------- /forgejo/forgejo/conf/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /forgejo/forgejo/db/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /forgejo/forgejo/git/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /forgejo/forgejo/log/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /gimp/gimp-docker.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | IMAGE="${GIMP_IMAGE:-oci.guero.org/gimp:latest}" 4 | ENGINE="${CONTAINER_ENGINE:-docker}" 5 | if [[ "$ENGINE" == "podman" ]]; then 6 | CONTAINER_PUID=0 7 | CONTAINER_PGID=0 8 | else 9 | CONTAINER_PUID=$(id -u) 10 | CONTAINER_PGID=$(id -g) 11 | fi 12 | 13 | if 
[[ ! -d "$HOME/.config/GIMP" ]]; then 14 | TMP_CONTAINER_ID="$($ENGINE run --detach --rm --entrypoint=sleep "$IMAGE" infinity)" 15 | mkdir -p "$HOME/.config" 16 | $ENGINE cp $TMP_CONTAINER_ID:/home/gimp/.config/GIMP "$HOME/.config"/ 17 | $ENGINE stop $TMP_CONTAINER_ID 18 | find "$HOME/.config/GIMP" -type d -exec chmod 700 "{}" \; 19 | find "$HOME/.config/GIMP" -type f -exec chmod 600 "{}" \; 20 | fi 21 | 22 | mkdir -p "$HOME/.fonts" "$HOME/.local/share/fonts" "$HOME/.config/GIMP" 23 | 24 | DOCS_FOLDER="$(realpath $(pwd))" 25 | if [[ -n "$1" ]]; then 26 | if [[ -f "$1" ]]; then 27 | DOCS_FOLDER="$(dirname "$(realpath "$1")")" 28 | DOC_FILE="/home/gimp/Documents/$(basename "$1")" 29 | shift 30 | set -- "$@" "$DOC_FILE" 31 | elif [[ -d "$1" ]]; then 32 | DOCS_FOLDER="$(realpath "$1")" 33 | shift 34 | fi 35 | fi 36 | 37 | if [[ "$(realpath "$DOCS_FOLDER")" == "$(realpath "$HOME")" ]]; then 38 | echo "\$DOCS_FOLDER needs to be a directory other than \"$HOME\"" >&2 39 | exit 1 40 | fi 41 | 42 | # remember, if you're using NVIDIA you need to do 43 | # sudo nvidia-ctk cdi generate --output=/etc/cdi/nvidia.yaml 44 | # to update the CDI specification after a driver update 45 | 46 | $ENGINE run -d --rm \ 47 | -v /dev/shm:/dev/shm \ 48 | -v /etc/localtime:/etc/localtime:ro \ 49 | -v /etc/timezone:/etc/timezone:ro \ 50 | -v /etc/machine-id:/etc/machine-id:ro \ 51 | -v /run/udev/data:/run/udev/data:ro \ 52 | -v /tmp/.X11-unix:/tmp/.X11-unix:ro \ 53 | -v /usr/share/fonts:/usr/share/fonts:ro \ 54 | -v "$HOME"/.config/GIMP:/home/gimp/.config/GIMP \ 55 | -v "$HOME"/.fonts:/home/gimp/.fonts:ro \ 56 | -v "$HOME"/.local/share/fonts:/home/gimp/.local/share/fonts:ro \ 57 | -v "$DOCS_FOLDER":/home/gimp/Documents \ 58 | -e "DISPLAY=$DISPLAY" \ 59 | -e GDK_DPI_SCALE \ 60 | -e GDK_SCALE \ 61 | -e PGID=$CONTAINER_PGID \ 62 | -e PUID=$CONTAINER_PUID \ 63 | --device /dev/input \ 64 | --gpus all \ 65 | --name gimp-$(date -u +%s) \ 66 | "$IMAGE" \ 67 | --no-splash "$@" 68 | 
-------------------------------------------------------------------------------- /gimp/gimp.desktop: -------------------------------------------------------------------------------- 1 | [Desktop Entry] 2 | Name=GIMP Image Editor 3 | Comment=Create images and edit photographs 4 | GenericName=Image Editor 5 | Exec=/home/user/.local/bin/gimp-docker.sh %U 6 | Terminal=false 7 | X-MultipleArgs=false 8 | Type=Application 9 | Icon=graphics 10 | Categories=Graphics;2DGraphics;RasterGraphics;GTK; 11 | MimeType=image/bmp;image/g3fax;image/gif;image/x-fits;image/x-pcx;image/x-portable-anymap;image/x-portable-bitmap;image/x-portable-graymap;image/x-portable-pixmap;image/x-psd;image/x-sgi;image/x-tga;image/x-xbitmap;image/x-xwindowdump;image/x-xcf;image/x-compressed-xcf;image/x-gimp-gbr;image/x-gimp-pat;image/x-gimp-gih;image/tiff;image/jpeg;image/x-psp;application/postscript;image/png;image/x-icon;image/x-xpixmap;image/svg+xml;application/pdf;image/x-wmf;image/jp2;image/jpeg2000;image/jpx;image/x-xcursor; 12 | StartupWMClass=GIMP 13 | StartupNotify=true -------------------------------------------------------------------------------- /gitea/.dockerignore: -------------------------------------------------------------------------------- 1 | .env 2 | gitea -------------------------------------------------------------------------------- /gitea/.gitignore: -------------------------------------------------------------------------------- 1 | .env 2 | -------------------------------------------------------------------------------- /gitea/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM gitea/gitea:latest 2 | 3 | LABEL maintainer="mero.mero.guero@gmail.com" 4 | LABEL org.opencontainers.image.authors='mero.mero.guero@gmail.com' 5 | LABEL org.opencontainers.image.url='https://github.com/mmguero/docker' 6 | LABEL org.opencontainers.image.source='https://github.com/mmguero/docker' 7 | LABEL 
org.opencontainers.image.title='oci.guero.org/gitea' 8 | LABEL org.opencontainers.image.description='Dockerized Gitea unsafely running as root' 9 | 10 | RUN sed -i '/^RUN_MODE[[:space:]]*=.*/a RUN_USER = root\nI_AM_BEING_UNSAFE_RUNNING_AS_ROOT = true' /etc/templates/app.ini 11 | -------------------------------------------------------------------------------- /gitea/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | 3 | ################################################################################ 4 | server: 5 | container_name: gitea 6 | restart: unless-stopped 7 | # 8 | # docker: 9 | # image: docker.io/gitea/gitea:latest-rootless 10 | # OR 11 | # image: docker.io/gitea/gitea:latest 12 | # (may need to manually chown .ssh directory upon startup?) 13 | # 14 | # podman (rootless): 15 | image: oci.guero.org/gitea:root 16 | # 17 | build: 18 | context: . 19 | dockerfile: Dockerfile 20 | # 21 | env_file: .env 22 | volumes: 23 | # 24 | # docker (latest-rootless): 25 | # - ./gitea/git:/var/lib/gitea:rw 26 | # - ./gitea/conf:/etc/gitea:rw 27 | # 28 | # docker (latest): 29 | # - ./gitea/git:/data/git:rw 30 | # - ./gitea/conf:/data/gitea/conf:rw 31 | # - ./gitea/log:/data/gitea/log:rw 32 | # 33 | # podman: 34 | - ./gitea/git:/data/git:rw 35 | - ./gitea/conf:/data/gitea/conf:rw 36 | - ./gitea/log:/data/gitea/log:rw 37 | # 38 | - /etc/timezone:/etc/timezone:ro 39 | - /etc/localtime:/etc/localtime:ro 40 | networks: 41 | - gitea 42 | ports: 43 | - "127.0.0.1:3000:3000" 44 | # - "127.0.0.1:2222:2222" 45 | 46 | ################################################################################ 47 | db: 48 | container_name: gitea-db 49 | restart: unless-stopped 50 | image: lscr.io/linuxserver/mariadb:latest 51 | env_file: .env 52 | volumes: 53 | - ./gitea/db:/config:rw 54 | networks: 55 | - gitea 56 | 57 | networks: 58 | gitea: 59 | external: false 60 | 
-------------------------------------------------------------------------------- /gitea/env.docker.sample: -------------------------------------------------------------------------------- 1 | # gitea 2 | USER_UID=1000 3 | USER_GID=1000 4 | ROOT_URL=http://localhost:3000/ 5 | GITEA__database__DB_TYPE=mysql 6 | GITEA__database__HOST=db:3306 7 | GITEA__database__NAME=gitea 8 | GITEA__database__USER=gitea 9 | GITEA__database__PASSWD=gitea 10 | 11 | # mariadb 12 | PUID=1000 13 | PGID=1000 14 | TZ=America/Boise 15 | MYSQL_DATABASE=gitea 16 | MYSQL_USER=gitea 17 | MYSQL_PASSWORD=gitea 18 | MYSQL_ROOT_PASSWORD=gitea -------------------------------------------------------------------------------- /gitea/env.podman.sample: -------------------------------------------------------------------------------- 1 | # gitea 2 | USER_UID=0 3 | USER_GID=0 4 | ROOT_URL=http://localhost:3000/ 5 | GITEA__database__DB_TYPE=mysql 6 | GITEA__database__HOST=db:3306 7 | GITEA__database__NAME=gitea 8 | GITEA__database__USER=gitea 9 | GITEA__database__PASSWD=gitea 10 | 11 | # mariadb 12 | PUID=0 13 | PGID=0 14 | TZ=America/Boise 15 | MYSQL_DATABASE=gitea 16 | MYSQL_USER=gitea 17 | MYSQL_PASSWORD=gitea 18 | MYSQL_ROOT_PASSWORD=gitea -------------------------------------------------------------------------------- /gitea/gitea/conf/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /gitea/gitea/db/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /gitea/gitea/git/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /gitea/gitea/log/.gitignore: 
-------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /gogs/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.7' 2 | 3 | services: 4 | gogs: 5 | container_name: gogs 6 | image: gogs/gogs:latest 7 | volumes: 8 | - ./data:/data 9 | expose: 10 | - 3000 11 | - 10022 12 | ports: 13 | - "0.0.0.0:10022:22/tcp" 14 | - "0.0.0.0:3000:3000/tcp" 15 | networks: 16 | - proxy 17 | labels: 18 | - "traefik.enable=true" 19 | - "traefik.http.routers.gogs.rule=Host(`gogs.example.org`)" 20 | - "traefik.http.routers.gogs.entrypoints=websecure" 21 | - "traefik.http.routers.gogs.tls.certresolver=myresolver" 22 | - "traefik.http.services.gogs.loadbalancer.server.port=3000" 23 | restart: unless-stopped 24 | 25 | networks: 26 | proxy: 27 | external: 28 | name: traefik-proxy -------------------------------------------------------------------------------- /gossa/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM pldubouilh/gossa:latest 2 | 3 | LABEL maintainer="mero.mero.guero@gmail.com" 4 | LABEL org.opencontainers.image.authors='mero.mero.guero@gmail.com' 5 | LABEL org.opencontainers.image.url='https://github.com/mmguero/docker' 6 | LABEL org.opencontainers.image.source='https://github.com/mmguero/docker' 7 | LABEL org.opencontainers.image.title='oci.guero.org/gossa' 8 | LABEL org.opencontainers.image.description='Dockerized gossa' 9 | 10 | ARG DEFAULT_UID=1000 11 | ARG DEFAULT_GID=1000 12 | ENV DEFAULT_UID $DEFAULT_UID 13 | ENV DEFAULT_GID $DEFAULT_GID 14 | ENV PUSER "user" 15 | ENV PGROUP "user" 16 | ENV PUSER_PRIV_DROP true 17 | USER root 18 | 19 | ENV UID $DEFAULT_UID 20 | ENV GID $DEFAULT_GID 21 | ENV HOST "0.0.0.0" 22 | ENV PORT "8001" 23 | ENV PREFIX "/" 24 | ENV FOLLOW_SYMLINKS "false" 25 | ENV SKIP_HIDDEN_FILES "true" 26 | ENV 
DATADIR "/shared" 27 | ENV READONLY "false" 28 | ENV VERBOSE "false" 29 | 30 | ENV TERM xterm 31 | 32 | RUN apk update --no-cache && \ 33 | apk upgrade --no-cache && \ 34 | apk add --no-cache bash jq procps psmisc shadow rsync tini && \ 35 | addgroup ${PUSER} tty 36 | 37 | ADD --chmod=755 https://raw.githubusercontent.com/mmguero/docker/master/shared/docker-uid-gid-setup.sh /usr/bin/docker-uid-gid-setup.sh 38 | ADD --chmod=755 gossa.sh /usr/bin/gossa.sh 39 | 40 | EXPOSE $PORT 41 | 42 | ENTRYPOINT ["/sbin/tini", "--", "/usr/bin/docker-uid-gid-setup.sh"] 43 | 44 | ENTRYPOINT ["/sbin/tini", \ 45 | "--", \ 46 | "/usr/bin/docker-uid-gid-setup.sh"] 47 | 48 | CMD ["/usr/bin/gossa.sh"] 49 | -------------------------------------------------------------------------------- /gossa/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | gossa: 3 | build: 4 | context: . 5 | dockerfile: Dockerfile 6 | image: oci.guero.org/gossa:latest 7 | restart: unless-stopped 8 | stdin_open: false 9 | tty: true 10 | hostname: gossa 11 | networks: 12 | - default 13 | ports: 14 | - 127.0.0.1:8001:8001 15 | environment: 16 | - PUID=1000 17 | - PGID=1000 18 | - HOST=0.0.0.0 19 | - PORT=8001 20 | - PREFIX=/files/ 21 | - FOLLOW_SYMLINKS=false 22 | - SKIP_HIDDEN_FILES=true 23 | - DATADIR=/shared 24 | - READONLY=false 25 | - VERBOSE=false 26 | volumes: 27 | - type: bind 28 | bind: 29 | create_host_path: false 30 | source: ./upload 31 | target: /shared 32 | labels: 33 | traefik.enable: false 34 | # traefik.http.routers.gossa.rule: Host(`gossa.example.org`) 35 | # traefik.http.routers.gossa.entrypoints: websecure 36 | # traefik.http.routers.gossa.tls.certresolver: myresolver 37 | # traefik.http.services.gossa.loadbalancer.server.port: 443 38 | 39 | networks: 40 | proxy: 41 | external: false 42 | # name: traefik-proxy 43 | -------------------------------------------------------------------------------- /gossa/gossa.sh: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | export UID=${PUID:-$DEFAULT_UID} 4 | export GID=${PGID:-$DEFAULT_GID} 5 | 6 | /gossa \ 7 | -h ${HOST:-0.0.0.0} \ 8 | -p ${PORT:-8001} \ 9 | -k=${SKIP_HIDDEN_FILES:-true} \ 10 | -ro=${READONLY:-false} \ 11 | --symlinks=${FOLLOW_SYMLINKS:-false} \ 12 | --prefix="${PREFIX:-/}" \ 13 | --verb=${VERBOSE:-false} \ 14 | "${DATADIR:-/shared}" 15 | -------------------------------------------------------------------------------- /keycloak/.dockerignore: -------------------------------------------------------------------------------- 1 | .env 2 | data -------------------------------------------------------------------------------- /keycloak/.env.example: -------------------------------------------------------------------------------- 1 | ########################################################################### 2 | # process environment variables 3 | PUID=1000 4 | PGID=1000 5 | TZ=America/Denver 6 | 7 | ########################################################################### 8 | # PostgreSQL environment variables 9 | POSTGRES_HOST=postgres 10 | PGPORT=5432 11 | 12 | POSTGRES_DB=postgres 13 | POSTGRES_USER=postgres 14 | POSTGRES_PASSWORD=xxxxxxxxxxxxxxxx 15 | 16 | POSTGRES_KEYCLOAK_DB=keycloak 17 | POSTGRES_KEYCLOAK_USER=keycloak 18 | POSTGRES_KEYCLOAK_PASSWORD=xxxxxxxxxxxxxxxx 19 | 20 | ########################################################################### 21 | # Keycloak environment variables 22 | KC_HOSTNAME= 23 | KC_HOSTNAME_STRICT=false 24 | KC_HEALTH_ENABLED=true 25 | KC_METRICS_ENABLED=true 26 | KC_HTTP_ENABLED=true 27 | KC_CACHE=local 28 | KC_PROXY_HEADERS=xforwarded 29 | 30 | KC_BOOTSTRAP_ADMIN_USERNAME= 31 | KC_BOOTSTRAP_ADMIN_PASSWORD= 32 | 33 | KC_HTTP_RELATIVE_PATH=/ 34 | -------------------------------------------------------------------------------- /keycloak/.gitignore: 
-------------------------------------------------------------------------------- 1 | .env 2 | data -------------------------------------------------------------------------------- /keycloak/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM registry.access.redhat.com/ubi9 AS ubi-micro-build 2 | 3 | RUN mkdir -p /mnt/rootfs && \ 4 | dnf install --nodocs -y --releasever 9 --setopt install_weak_deps=false --installroot /mnt/rootfs \ 5 | curl-minimal \ 6 | postgresql \ 7 | procps-ng \ 8 | psmisc \ 9 | rsync \ 10 | util-linux \ 11 | which && \ 12 | dnf --installroot /mnt/rootfs clean all && \ 13 | rpm --root /mnt/rootfs -e --nodeps setup 14 | 15 | FROM quay.io/keycloak/keycloak:26.2 AS builder 16 | 17 | ENV KC_HEALTH_ENABLED=true 18 | ENV KC_METRICS_ENABLED=true 19 | ENV KC_HTTP_RELATIVE_PATH=/ 20 | ENV KC_DB=postgres 21 | 22 | WORKDIR /opt/keycloak 23 | 24 | RUN /opt/keycloak/bin/kc.sh build 25 | 26 | FROM quay.io/keycloak/keycloak:26.2 27 | 28 | LABEL maintainer="mero.mero.guero@gmail.com" 29 | LABEL org.opencontainers.image.authors='mero.mero.guero@gmail.com' 30 | LABEL org.opencontainers.image.url='https://github.com/mmguero/docker/tree/master/keycloak' 31 | LABEL org.opencontainers.image.source='https://github.com/mmguero/docker' 32 | LABEL org.opencontainers.image.title='oci.guero.org/keycloak' 33 | LABEL org.opencontainers.image.description='Dockerized Keycloak' 34 | 35 | 36 | ARG DEFAULT_UID=1000 37 | ARG DEFAULT_GID=1000 38 | ENV DEFAULT_UID $DEFAULT_UID 39 | ENV DEFAULT_GID $DEFAULT_GID 40 | ENV PUID $DEFAULT_UID 41 | ENV PUSER "keycloak" 42 | ENV PGROUP "keycloak" 43 | ENV PUSER_PRIV_DROP true 44 | ENV PUSER_CA_TRUST "/var/local/ca-trust" 45 | # This is to handle an issue when running with rootless podman and 46 | # "userns_mode: keep-id". It seems that anything defined as a VOLUME 47 | # in the Dockerfile is getting set with an ownership of 999:999. 
48 | # This is to override that, although I'm not yet sure if there are 49 | # other implications. See containers/podman#23347. 50 | ENV PUSER_CHOWN "/var/local/ca-trust" 51 | USER root 52 | 53 | ENV TERM xterm 54 | 55 | ENV TINI_VERSION v0.19.0 56 | ENV TINI_URL https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini 57 | 58 | COPY --from=ubi-micro-build /mnt/rootfs / 59 | COPY --from=builder /opt/keycloak/ /opt/keycloak/ 60 | 61 | # Remove the opensearch-security plugin - Malcolm manages authentication and encryption via NGINX reverse proxy 62 | # Remove the performance-analyzer plugin - Reduce resources in docker image 63 | RUN export BINARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/') && \ 64 | mkdir -p /var/local/ca-trust && \ 65 | chown -R $PUSER:$PGROUP /var/local/ca-trust && \ 66 | curl -sSLf -o /usr/bin/tini "${TINI_URL}-${BINARCH}" && \ 67 | chmod +x /usr/bin/tini 68 | 69 | ADD --chmod=755 https://raw.githubusercontent.com/mmguero/docker/master/shared/docker-uid-gid-setup.sh /usr/local/bin/docker-uid-gid-setup.sh 70 | ADD --chmod=755 docker-entrypoint.sh /usr/local/bin/ 71 | 72 | # see PUSER_CHOWN comment above 73 | VOLUME ["/var/local/ca-trust"] 74 | 75 | ENTRYPOINT ["/usr/bin/tini", \ 76 | "--", \ 77 | "/bin/bash", \ 78 | "/usr/local/bin/docker-uid-gid-setup.sh", \ 79 | "/usr/local/bin/docker-entrypoint.sh", \ 80 | "/opt/keycloak/bin/kc.sh"] 81 | 82 | CMD ["start"] 83 | -------------------------------------------------------------------------------- /keycloak/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | 3 | postgres: 4 | restart: unless-stopped 5 | # userns_mode: keep-id 6 | image: oci.guero.org/postgres:latest 7 | container_name: keycloak-postgres 8 | hostname: postgres 9 | env_file: .env 10 | environment: 11 | PGDATA: /var/lib/postgresql/data/pgdata 12 | volumes: 13 | - type: bind 14 | bind: 15 | create_host_path: false 16 | source: ./data 17 | 
target: /var/lib/postgresql/data 18 | networks: 19 | - proxy 20 | expose: 21 | - 5432 22 | 23 | keycloak: 24 | restart: unless-stopped 25 | # userns_mode: keep-id 26 | image: oci.guero.org/keycloak:latest 27 | build: 28 | context: . 29 | dockerfile: Dockerfile 30 | container_name: keycloak 31 | hostname: keycloak 32 | env_file: .env 33 | links: 34 | - postgres 35 | networks: 36 | - proxy 37 | expose: 38 | - 8080 39 | # ports: 40 | # - 127.0.0.1:8080:8080/tcp 41 | volumes: 42 | - type: bind 43 | bind: 44 | create_host_path: false 45 | source: ./ca-trust 46 | target: /var/local/ca-trust 47 | read_only: true 48 | labels: 49 | traefik.enable : true 50 | traefik.http.routers.keycloak.rule : "Host(`keycloak.example.org`)" 51 | traefik.http.routers.keycloak.entrypoints : "websecure" 52 | traefik.http.routers.keycloak.tls.certresolver : "myresolver" 53 | traefik.http.services.keycloak.loadbalancer.server.port : 8080 54 | 55 | networks: 56 | proxy: 57 | external: true 58 | name: traefik-proxy 59 | 60 | -------------------------------------------------------------------------------- /keycloak/docker-entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | POSTGRES_HOST=${POSTGRES_HOST:-postgres} 4 | PGPORT=${PGPORT:-5432} 5 | POSTGRES_MAIN_DB=${POSTGRES_DB:-postgres} 6 | POSTGRES_KEYCLOAK_DB=${POSTGRES_KEYCLOAK_DB:-keycloak} 7 | export KC_DB_USERNAME="${POSTGRES_KEYCLOAK_USER:-keycloak}" 8 | export KC_DB_PASSWORD="${POSTGRES_KEYCLOAK_PASSWORD:-}" 9 | export KC_DB_URL="jdbc:postgresql://${POSTGRES_HOST}:${PGPORT}/${POSTGRES_KEYCLOAK_DB}" 10 | export KC_DB=postgres 11 | 12 | until PGPASSWORD="${KC_DB_PASSWORD}" pg_isready -U "${KC_DB_USERNAME}" \ 13 | -h "${POSTGRES_HOST}" -p ${PGPORT} >/dev/null 2>&1; do 14 | sleep 5 15 | done 16 | echo "PostgreSQL is responding..." 
17 | 18 | until PGPASSWORD="${KC_DB_PASSWORD}" psql -U "${KC_DB_USERNAME}" \ 19 | -h "${POSTGRES_HOST}" -p ${PGPORT} \ 20 | -d "${POSTGRES_MAIN_DB}" -tAc \ 21 | "SELECT 1 FROM pg_database WHERE datname = '${POSTGRES_KEYCLOAK_DB}';" 2>/dev/null | grep -q 1; do 22 | sleep 5 23 | done 24 | echo "PostgreSQL is up and ready at ${KC_DB_URL}!" 25 | 26 | exec "$@" 27 | -------------------------------------------------------------------------------- /libreoffice-browser/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | libreoffice: 3 | image: lscr.io/linuxserver/libreoffice:latest 4 | container_name: libreoffice 5 | hostname: libreoffice 6 | restart: unless-stopped 7 | environment: 8 | PUID : 1000 9 | PGID : 1000 10 | TZ : "America/Denver" 11 | DISABLE_IPV6 : true 12 | ports: 13 | - "127.0.0.1:3000:3000" 14 | - "127.0.0.1:3001:3001" 15 | volumes: 16 | - ./config:/config:z 17 | # - /home/user/Documents:/files/Documents:z 18 | # - /home/user/.fonts:/usr/share/fonts/user:z 19 | - /usr/share/fonts:/usr/share/fonts/host:z 20 | -------------------------------------------------------------------------------- /libreoffice/libreoffice-docker.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # https://github.com/woahbase/alpine-libreoffice 4 | # https://hub.docker.com/r/woahbase/alpine-libreoffice 5 | 6 | ENGINE="${CONTAINER_ENGINE:-docker}" 7 | if [[ "$ENGINE" == "podman" ]]; then 8 | CONTAINER_PUID=0 9 | CONTAINER_PGID=0 10 | else 11 | CONTAINER_PUID=$(id -u) 12 | CONTAINER_PGID=$(id -g) 13 | fi 14 | 15 | DOCS_FOLDER="$(realpath $(pwd))" 16 | if [[ -n "$1" ]]; then 17 | if [[ -f "$1" ]]; then 18 | DOCS_FOLDER="$(dirname "$(realpath "$1")")" 19 | DOC_FILE="/home/alpine/Documents/$(basename "$1")" 20 | shift 21 | set -- "$@" "$DOC_FILE" 22 | elif [[ -d "$1" ]]; then 23 | DOCS_FOLDER="$(realpath "$1")" 24 | shift 25 | fi 26 | fi 27 | 28 | mkdir -p 
"$HOME/.config/libreoffice" "$HOME/.fonts" 29 | export XDG_RUNTIME_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}" 30 | 31 | $ENGINE run -d --rm \ 32 | -v $XDG_RUNTIME_DIR/bus:$XDG_RUNTIME_DIR/bus:ro \ 33 | -v /dev/shm:/dev/shm \ 34 | -v /etc/localtime:/etc/localtime:ro \ 35 | -v /etc/timezone:/etc/timezone:ro \ 36 | -v /etc/machine-id:/etc/machine-id:ro \ 37 | -v /run/dbus:/run/dbus:ro \ 38 | -v /run/udev/data:/run/udev/data:ro \ 39 | -v /tmp/.X11-unix:/tmp/.X11-unix:ro \ 40 | -v /usr/share/fonts:/usr/share/fonts:ro \ 41 | -v /var/lib/dbus/machine-id:/var/lib/dbus/machine-id:ro \ 42 | -v "$HOME"/.config/libreoffice:/home/alpine/.config/libreoffice \ 43 | -v "$HOME"/.fonts:/home/alpine/.fonts:ro \ 44 | -v "$DOCS_FOLDER":/home/alpine/Documents \ 45 | -e "DISPLAY=$DISPLAY" \ 46 | -e GDK_DPI_SCALE \ 47 | -e GDK_SCALE \ 48 | -e PGID=$CONTAINER_PGID \ 49 | -e PUID=$CONTAINER_PUID \ 50 | --device /dev/input \ 51 | --name libreoffice-$(date -u +%s) \ 52 | woahbase/alpine-libreoffice:latest \ 53 | "$@" 54 | -------------------------------------------------------------------------------- /libreoffice/libreoffice.desktop: -------------------------------------------------------------------------------- 1 | [Desktop Entry] 2 | Name=LibreOffice 3 | Comment=Office Productivity Software Suite 4 | GenericName=Office Productivity Software Suite 5 | Exec=/home/user/.local/bin/libreoffice-docker.sh %u 6 | Terminal=false 7 | X-MultipleArgs=false 8 | Type=Application 9 | Icon=spreadsheet 10 | Categories=Office;Spreadsheet; 11 | 
MimeType=application/vnd.oasis.opendocument.spreadsheet;application/vnd.oasis.opendocument.spreadsheet-template;application/vnd.sun.xml.calc;application/vnd.sun.xml.calc.template;application/msexcel;application/vnd.ms-excel;application/vnd.openxmlformats-officedocument.spreadsheetml.sheet;application/vnd.ms-excel.sheet.macroenabled.12;application/vnd.openxmlformats-officedocument.spreadsheetml.template;application/vnd.ms-excel.template.macroenabled.12;application/vnd.ms-excel.sheet.binary.macroenabled.12;text/csv;application/x-dbf;text/spreadsheet;application/csv;application/excel;application/tab-separated-values;application/vnd.lotus-1-2-3;application/vnd.oasis.opendocument.chart;application/vnd.oasis.opendocument.chart-template;application/x-dbase;application/x-dos_ms_excel;application/x-excel;application/x-msexcel;application/x-ms-excel;application/x-quattropro;application/x-123;text/comma-separated-values;text/tab-separated-values;text/x-comma-separated-values;text/x-csv; 12 | StartupWMClass=LibreOffice 13 | StartupNotify=true -------------------------------------------------------------------------------- /lldap/.env.example: -------------------------------------------------------------------------------- 1 | UID=1000 2 | GID=1000 3 | TZ=America/Denver 4 | LLDAP_LDAP_BASE_DN=dc=example,dc=org 5 | LLDAP_JWT_SECRET=xxxxxxxxxxxxxxxx 6 | LLDAP_LDAP_USER_PASS=yyyyyyyyyyyyyyyy 7 | 8 | # environment variables for bootstrapping 9 | # https://github.com/lldap/lldap/blob/main/example_configs/bootstrap/bootstrap.md#environment-variables 10 | # 11 | LLDAP_URL=http://lldap:17170 12 | LLDAP_ADMIN_USERNAME=admin 13 | LLDAP_ADMIN_PASSWORD=yyyyyyyyyyyyyyyy 14 | DO_CLEANUP=false 15 | # LLDAP_SET_PASSWORD_PATH 16 | # LLDAP_URL_FILE 17 | # LLDAP_ADMIN_USERNAME_FILE 18 | # LLDAP_ADMIN_PASSWORD_FILE 19 | 20 | # other environment variables 21 | # 22 | # LLDAP_CONFIG_FILE 23 | # LLDAP_DATABASE_URL 24 | # LLDAP_DATABASE_URL=mysql://mysql-user:password@mysql-server/my-database 25 | # 
LLDAP_DATABASE_URL=postgres://postgres-user:password@postgres-server/my-database 26 | # LLDAP_HTTP_HOST 27 | # LLDAP_HTTP_PORT 28 | # LLDAP_HTTP_URL 29 | # LLDAP_JWT_SECRET 30 | # LLDAP_JWT_SECRET_FILE 31 | # LLDAP_KEY_FILE 32 | # LLDAP_KEY_SEED 33 | # LLDAP_LDAP_BASE 34 | # LLDAP_LDAP_BASE_DN 35 | # LLDAP_LDAP_HOST 36 | # LLDAP_LDAP_PORT 37 | # LLDAP_LDAPS_OPTIONS__CERT_FILE 38 | # LLDAP_LDAPS_OPTIONS__ENABLED 39 | # LLDAP_LDAPS_OPTIONS__KEY_FILE 40 | # LLDAP_LDAPS_OPTIONS__PORT 41 | # LLDAP_LDAP_USER_DN 42 | # LLDAP_LDAP_USER_EMAIL 43 | # LLDAP_LDAP_USER_PASS 44 | # LLDAP_LDAP_USER_PASS_FILE 45 | # LLDAP_PASSWORD 46 | # LLDAP_SERVER_KEY_FILE 47 | # LLDAP_SERVER_KEY_SEED 48 | # LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_RESET 49 | # LLDAP_SMTP_OPTIONS__FROM 50 | # LLDAP_SMTP_OPTIONS__PASSWORD 51 | # LLDAP_SMTP_OPTIONS__PORT 52 | # LLDAP_SMTP_OPTIONS__SERVER 53 | # LLDAP_SMTP_OPTIONS__SMTP_ENCRYPTION 54 | # LLDAP_SMTP_OPTIONS__TLS_REQUIRED 55 | # LLDAP_SMTP_OPTIONS__TO 56 | # LLDAP_SMTP_OPTIONS__USER 57 | # LLDAP_TEST_EMAIL_TO 58 | # LLDAP_USERNAME 59 | # LLDAP_VERBOSE 60 | -------------------------------------------------------------------------------- /lldap/.gitignore: -------------------------------------------------------------------------------- 1 | .env 2 | .envrc 3 | -------------------------------------------------------------------------------- /lldap/bootstrap/.gitignore: -------------------------------------------------------------------------------- 1 | bootstrap.sh 2 | 3 | -------------------------------------------------------------------------------- /lldap/bootstrap/get-bootstrap-sh.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | 3 | curl -o ./bootstrap.sh -sSL https://raw.githubusercontent.com/lldap/lldap/main/example_configs/bootstrap/bootstrap.sh 4 | chmod 755 ./bootstrap.sh -------------------------------------------------------------------------------- 
/lldap/bootstrap/group-configs/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /lldap/bootstrap/group-configs/administrators.json.example: -------------------------------------------------------------------------------- 1 | { 2 | "name": "administrators" 3 | } -------------------------------------------------------------------------------- /lldap/bootstrap/group-configs/developers.json.example: -------------------------------------------------------------------------------- 1 | { 2 | "name": "developers" 3 | } -------------------------------------------------------------------------------- /lldap/bootstrap/group-configs/service.json.example: -------------------------------------------------------------------------------- 1 | { 2 | "name": "service" 3 | } -------------------------------------------------------------------------------- /lldap/bootstrap/user-configs/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /lldap/bootstrap/user-configs/bind.json.example: -------------------------------------------------------------------------------- 1 | { 2 | "id": "bind", 3 | "email": "bind@example.org", 4 | "password": "xxxxxxxx", 5 | "displayName": "LDAP Service Account", 6 | "groups": [ 7 | "service", 8 | "lldap_strict_readonly" 9 | ] 10 | } -------------------------------------------------------------------------------- /lldap/bootstrap/user-configs/poweruser.json.example: -------------------------------------------------------------------------------- 1 | { 2 | "id": "sikari", 3 | "email": "sikari@nerve.gov", 4 | "password": "zzzzzzzz", 5 | "displayName": "Shinji Ikari", 6 | "firstName": "Shinji", 7 | "lastName": "Ikari", 8 | "groups": [ 9 | "lldap_admin" 10 | ] 11 
| } -------------------------------------------------------------------------------- /lldap/certs/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /lldap/certs/gen_self_signed_certs.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # one may wish to consider not using self-signed certificates in production 4 | openssl req -subj '/CN=localhost' -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 3650 5 | -------------------------------------------------------------------------------- /lldap/data/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /lldap/docker-compose.yml: -------------------------------------------------------------------------------- 1 | # LDAPTLS_REQCERT=never ldapsearch -LLL -H "ldaps://localhost:6360" -D "uid=admin,ou=people,dc=example,dc=org" -w 'xxxxxxxxxxxxxxxx' -b "dc=example,dc=org" 2 | # docker compose exec lldap /bootstrap/bootstrap.sh 3 | 4 | services: 5 | lldap: 6 | image: lldap/lldap:stable 7 | ports: 8 | # For LDAP 9 | - "127.0.0.1:3890:3890" 10 | # For LDAPS (if LLDAP_LDAPS_OPTIONS__ENABLED=true) 11 | - "0.0.0.0:6360:6360" 12 | # For the web front-end 13 | - "127.0.0.1:17170:17170" 14 | networks: 15 | - default 16 | volumes: 17 | - ./certs/cert.pem:/certs/cert.pem:ro 18 | - ./certs/key.pem:/certs/key.pem:ro 19 | - ./data:/data:rw 20 | - ./bootstrap:/bootstrap:ro 21 | env_file: 22 | - .env 23 | environment: 24 | - LLDAP_LDAPS_OPTIONS__ENABLED=true 25 | - LLDAP_LDAPS_OPTIONS__CERT_FILE=/certs/cert.pem 26 | - LLDAP_LDAPS_OPTIONS__KEY_FILE=/certs/key.pem 27 | - USER_CONFIGS_DIR=/bootstrap/user-configs 28 | - GROUP_CONFIGS_DIR=/bootstrap/group-configs 29 | 
30 | networks: 31 | default: 32 | external: false 33 | 34 | -------------------------------------------------------------------------------- /lossless-cut/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM debian:bookworm-slim 2 | 3 | # https://github.com/mifi/lossless-cut 4 | # x11docker --pulseaudio --gpu oci.guero.org/lossless-cut:latest 5 | 6 | LABEL maintainer="mero.mero.guero@gmail.com" 7 | LABEL org.opencontainers.image.authors='mero.mero.guero@gmail.com' 8 | LABEL org.opencontainers.image.url='https://github.com/mmguero/docker/tree/master/lossless-cut' 9 | LABEL org.opencontainers.image.source='https://github.com/mmguero/docker' 10 | LABEL org.opencontainers.image.title='oci.guero.org/lossless-cut' 11 | LABEL org.opencontainers.image.description='Dockerized LosslessCut' 12 | 13 | ENV DEBIAN_FRONTEND noninteractive 14 | ENV LC_ALL C.UTF-8 15 | ENV LANG C.UTF-8 16 | 17 | # configure unprivileged user and runtime parameters 18 | ARG PUID=1000 19 | ARG PGID=1000 20 | ENV PUID $PUID 21 | ENV PGID $PGID 22 | ENV PUSER "cutter" 23 | ENV PGROUP "cutter" 24 | 25 | ADD https://raw.githubusercontent.com/mmguero/docker/master/shared/debian-bookworm-sources.list /etc/apt/sources.list 26 | 27 | RUN rm -f /etc/apt/sources.list.d/debian.sources && \ 28 | apt-get -q update && \ 29 | apt-get install --no-install-recommends -y -q \ 30 | bzip2 \ 31 | ca-certificates \ 32 | curl \ 33 | libasound2 \ 34 | libdbus-glib-1-2 \ 35 | libdrm2 \ 36 | libgbm1 \ 37 | libgdk-pixbuf-2.0-0 \ 38 | libgtk-3-0 \ 39 | libnss3 \ 40 | libnss3-tools \ 41 | libxcomposite1 \ 42 | libxcursor1 \ 43 | libxdamage1 \ 44 | libxfixes3 \ 45 | libxrender1 \ 46 | libxss1 \ 47 | pulseaudio-utils && \ 48 | mkdir -p /opt && \ 49 | cd /opt && \ 50 | curl -sSL -J -O "https://github.com/mifi/lossless-cut/releases/latest/download/LosslessCut-linux-x64.tar.bz2" && \ 51 | tar xvf ./LosslessCut-linux-x64.tar.bz2 && \ 52 | rm -f ./LosslessCut-linux-x64.tar.bz2 && \ 53 | 
env DEBIAN_FRONTEND=noninteractive apt-get -q -y --purge remove curl ca-certificates && \ 54 | env DEBIAN_FRONTEND=noninteractive apt-get -q -y autoremove && \ 55 | apt-get clean && \ 56 | rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
# the group is created under ${PUSER}, not ${PGROUP}; both are "cutter" today, but the two diverge if PGROUP is ever changed
57 | groupadd --gid ${PGID} ${PUSER} && \ 58 | useradd -m --uid ${PUID} --gid ${PGID} ${PUSER} && \ 59 | usermod -a -G audio ${PUSER} && \ 60 | mkdir -p /etc/pulse/ && \ 61 | touch /etc/pulse/client.conf && \ 62 | chown root:audio /etc/pulse/client.conf && \ 63 | chmod 664 /etc/pulse/client.conf && \ 64 | mkdir -p /home/${PUSER}/Videos && \ 65 | chown -R ${PUID}:${PGID} /home/${PUSER} 66 | 67 | ENV LD_LIBRARY_PATH=/opt/LosslessCut-linux-x64 68 |
# --no-sandbox turns off the Electron/Chromium sandbox, and no USER directive follows, so the
# application runs as root inside the container unless the launcher (x11docker) drops privileges;
# prefer USER ${PUSER} (the account created above) and keep the flag only if the host needs it.
69 | ENTRYPOINT ["/opt/LosslessCut-linux-x64/losslesscut", "--no-sandbox"] 70 | -------------------------------------------------------------------------------- /mariadb/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM mariadb:11-noble 2 | 3 | LABEL maintainer="mero.mero.guero@gmail.com" 4 | LABEL org.opencontainers.image.authors='mero.mero.guero@gmail.com' 5 | LABEL org.opencontainers.image.url='https://github.com/mmguero/docker' 6 | LABEL org.opencontainers.image.source='https://github.com/mmguero/docker' 7 | LABEL org.opencontainers.image.title='oci.guero.org/mariadb' 8 | LABEL org.opencontainers.image.description='Dockerized MariaDB' 9 | 10 | ARG DEFAULT_UID=999 11 | ARG DEFAULT_GID=999 12 | ENV DEFAULT_UID $DEFAULT_UID 13 | ENV DEFAULT_GID $DEFAULT_GID 14 | ENV PUSER "mysql" 15 | ENV PGROUP "mysql" 16 | ENV PUSER_PRIV_DROP true 17 | ENV PUSER_CHOWN "/var/log/mysql;/var/lib/mysql" 18 | 19 | ENV TERM xterm 20 |
# pulled from the moving 'master' branch at build time with no checksum, so a later change upstream
# silently alters this entrypoint wrapper; pin the URL to a commit or verify a digest after download.
21 | ADD https://raw.githubusercontent.com/mmguero/docker/master/shared/docker-uid-gid-setup.sh /usr/bin/docker-uid-gid-setup.sh 22 | 23 | RUN mkdir -p /var/lib/mysql /var/log/mysql /home/mysql && \ 24 | chown -R $PUSER:$PGROUP /var/lib/mysql /var/log/mysql /home/mysql && \ 25 | sed -i 's/\(if.*id[[:space:]]-u.*\);/\1 \&\& [ 
"${PUSER_PRIV_DROP:-true}" != "false" ];/' /usr/local/bin/docker-entrypoint.sh && \ 26 | chmod 755 /usr/bin/docker-uid-gid-setup.sh 27 | 28 | USER root 29 | 30 | WORKDIR /home/mysql 31 | 32 | ENTRYPOINT ["/usr/bin/docker-uid-gid-setup.sh", "/usr/local/bin/docker-entrypoint.sh"] 33 | 34 | CMD ["mariadb"] 35 | -------------------------------------------------------------------------------- /mastodon-linuxserver-io/.dockerignore: -------------------------------------------------------------------------------- 1 | env.production 2 | env.postgres 3 | /db 4 | /config 5 | -------------------------------------------------------------------------------- /mastodon-linuxserver-io/.gitignore: -------------------------------------------------------------------------------- 1 | env.production 2 | env.postgres 3 | /db 4 | /config -------------------------------------------------------------------------------- /mastodon-linuxserver-io/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM lscr.io/linuxserver/mastodon:latest 2 | 3 | LABEL maintainer="mero.mero.guero@gmail.com" 4 | LABEL org.opencontainers.image.authors='mero.mero.guero@gmail.com' 5 | LABEL org.opencontainers.image.url='https://github.com/mmguero/docker/tree/master/mastodon-linuxserver-io' 6 | LABEL org.opencontainers.image.source='https://github.com/mmguero/docker' 7 | LABEL org.opencontainers.image.title='oci.guero.org/mastodon' 8 | LABEL org.opencontainers.image.description='Dockerized Mastodon' 9 | 10 | RUN sed -i -n '/^[[:space:]]*listen.*[::]/!p' /defaults/nginx/site-confs/default.conf.sample && \ 11 | sed -i -n '/^[[:space:]]*listen.*[::]/!p' /app/www/dist/nginx.conf 12 | -------------------------------------------------------------------------------- /mastodon-linuxserver-io/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | 3 | mastodon: 4 | image: oci.guero.org/mastodon:latest 5 | build: 6 | 
context: . 7 | dockerfile: Dockerfile 8 | container_name: mastodon 9 | env_file: ./env.production 10 | environment: 11 | - PUID=1000 12 | - PGID=1000 13 | - TZ=America/Denver 14 | - LOCAL_DOMAIN=mastodon.example.com 15 | # - ALTERNATE_DOMAINS=127.0.0.1,localhost 16 | volumes: 17 | - ./config:/config 18 | ports: 19 | - "127.0.0.1:45580:80" 20 | - "127.0.0.1:45543:443" 21 | networks: 22 | - default 23 | restart: unless-stopped 24 | healthcheck: 25 | test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:3000/health || exit 1'] 26 | depends_on: 27 | - redis 28 | - postgres 29 | 30 | redis: 31 | image: docker.io/bitnami/redis:latest 32 | container_name: redis 33 | environment: 34 | - ALLOW_EMPTY_PASSWORD=yes 35 | networks: 36 | - default 37 | restart: unless-stopped 38 | healthcheck: 39 | test: ['CMD', 'redis-cli', 'ping'] 40 | 41 | postgres: 42 | hostname: db 43 | container_name: postgres 44 | image: docker.io/library/postgres:17 45 | env_file: ./env.postgres 46 | logging: 47 | options: 48 | max-size: 10m 49 | max-file: "3" 50 | networks: 51 | - default 52 | volumes: 53 | - ./db:/var/lib/postgresql/data 54 | healthcheck: 55 | test: [ "CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}" ] 56 | restart: unless-stopped 57 | 58 | networks: 59 | default: 60 | external: false 61 | -------------------------------------------------------------------------------- /mastodon-linuxserver-io/env.production.sample: -------------------------------------------------------------------------------- 1 | # This is a sample configuration file. You can generate your configuration 2 | # with the `rake mastodon:setup` interactive setup wizard, but to customize 3 | # your setup even further, you'll need to edit it manually. This sample does 4 | # not demonstrate all available configuration options. Please look at 5 | # https://docs.joinmastodon.org/admin/config/ for the full documentation. 
6 | 7 | # Note that this file accepts slightly different syntax depending on whether 8 | # you are using `docker-compose` or not. In particular, if you use 9 | # `docker-compose`, the value of each declared variable will be taken verbatim, 10 | # including surrounding quotes. 11 | # See: https://github.com/mastodon/mastodon/issues/16895 12 | 13 | # Federation 14 | # ---------- 15 | # This identifies your server and cannot be changed safely later 16 | # ---------- 17 | LOCAL_DOMAIN=mastodon.example.com 18 | 19 | # Redis 20 | # ----- 21 | REDIS_HOST=localhost 22 | REDIS_PORT=6379 23 | 24 | # PostgreSQL 25 | # ---------- 26 | DB_HOST=/var/run/postgresql 27 | DB_USER=mastodon 28 | DB_NAME=mastodon_production 29 | DB_PASS= 30 | DB_PORT=5432 31 | 32 | # Elasticsearch (optional) 33 | # ------------------------ 34 | ES_ENABLED=false 35 | ES_HOST=localhost 36 | ES_PORT=9200 37 | # Authentication for ES (optional)
# placeholder credentials: replace them before setting ES_ENABLED=true
38 | ES_USER=elastic 39 | ES_PASS=password 40 | 41 | # Secrets 42 | # ------- 43 | # Make sure to use `rake secret` to generate secrets 44 | # ------- 45 | SECRET_KEY_BASE= 46 | OTP_SECRET= 47 | 48 | # Web Push 49 | # -------- 50 | # Generate with `rake mastodon:webpush:generate_vapid_key` 51 | # -------- 52 | VAPID_PRIVATE_KEY= 53 | VAPID_PUBLIC_KEY= 54 | 55 | # Sending mail 56 | # ------------ 57 | SMTP_SERVER=smtp.gmail.com 58 | SMTP_PORT=587 59 | SMTP_LOGIN= 60 | SMTP_PASSWORD= 61 | SMTP_FROM_ADDRESS= 62 | SMTP_DOMAIN=
# 'none' skips certificate verification on the SMTP connection, so the login and password above can be
# captured by anyone able to intercept it; env_setup.sh copies this sample into env.production as-is,
# so use 'peer' unless the relay genuinely has no valid certificate.
63 | SMTP_OPENSSL_VERIFY_MODE=none 64 | 65 | # File storage (optional) 66 | # ----------------------- 67 | S3_ENABLED=false 68 | S3_BUCKET=files.example.com 69 | AWS_ACCESS_KEY_ID= 70 | AWS_SECRET_ACCESS_KEY= 71 | S3_ALIAS_HOST=files.example.com 72 | 73 | # IP and session retention 74 | # ----------------------- 75 | # Make sure to modify the scheduling of ip_cleanup_scheduler in config/sidekiq.yml 76 | # to be less than daily if you lower IP_RETENTION_PERIOD below two days (172800). 
77 | # ----------------------- 78 | IP_RETENTION_PERIOD=31556952 79 | SESSION_RETENTION_PERIOD=31556952 80 | -------------------------------------------------------------------------------- /mastodon-linuxserver-io/env_setup.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # this is a bash script 4 | if [ -z "$BASH_VERSION" ]; then 5 | echo "Wrong interpreter, please run \"$0\" with bash" 6 | exit 1 7 | fi 8 | 9 | if [ -t 0 ]; then 10 | INTERACTIVE_SHELL=yes 11 | else 12 | INTERACTIVE_SHELL=no 13 | fi 14 | 15 | set -e 16 | set -u 17 | set -o pipefail 18 | shopt -s nullglob 19 | 20 | ENCODING="utf-8" 21 | 22 | # force-navigate to base directory (where this script lives) 23 | [[ "$(uname -s)" = 'Darwin' ]] && REALPATH=grealpath || REALPATH=realpath 24 | [[ "$(uname -s)" = 'Darwin' ]] && DIRNAME=gdirname || DIRNAME=dirname 25 | if ! (type "$REALPATH" && type "$DIRNAME") > /dev/null; then 26 | echo "$(basename "${BASH_SOURCE[0]}") requires $REALPATH and $DIRNAME" 27 | exit 1 28 | fi 29 | SCRIPT_PATH="$($DIRNAME $($REALPATH -e "${BASH_SOURCE[0]}"))" 30 | pushd "$SCRIPT_PATH" >/dev/null 2>&1 31 | 32 | # stuff for running the image to generate secrets 33 | MASTODON_IMAGE=${MASTODON_IMAGE:-oci.guero.org/mastodon:latest} 34 | CONTAINER_ENGINE="${CONTAINER_ENGINE:-docker}" 35 | if [[ "$CONTAINER_ENGINE" == "podman" ]]; then 36 | DEFAULT_UID=0 37 | DEFAULT_GID=0 38 | else 39 | DEFAULT_UID=$(id -u) 40 | DEFAULT_GID=$(id -g) 41 | fi 42 | 43 | # do we really want to do this? 44 | unset CONFIRMATION 45 | [[ $INTERACTIVE_SHELL == "no" ]] || read -p "(Re)generate secrets [Y/n]? 
" CONFIRMATION 46 | CONFIRMATION=${CONFIRMATION:-Y} 47 | if [[ $CONFIRMATION =~ ^[Yy]$ ]]; then 48 | 49 | # generate secrets 50 | REDIS_HOST=redis 51 | REDIS_PORT=6379 52 | POSTGRES_HOST=postgres 53 | POSTGRES_USER=mastodon 54 | POSTGRES_DB_NAME=mastodon 55 | POSTGRES_DB_PORT=5432 |
# NOTE(review): the tail of the next command, the generators for OTP_SECRET, SECRET_KEY_BASE and the VAPID
# keys, and what appears to be the opener of a heredoc writing env.postgres (original lines 57-62) are
# missing from this listing, most likely lost to '<'/'>' handling during extraction; check the repository
# before relying on this copy.
56 | POSTGRES_PASSWORD="$(LC_ALL=C tr -dc 'A-Za-z0-9_' env.postgres 63 | POSTGRES_USER=${POSTGRES_USER} 64 | POSTGRES_PASSWORD=${POSTGRES_PASSWORD} 65 | POSTGRES_DB=${POSTGRES_DB_NAME} 66 | POSTGRES_INITDB_ARGS="--encoding=UTF-8" 67 | EOF 68 |
# env.postgres and env.production now hold live secrets and are created with the caller's umask;
# consider 'chmod 600' on both once written.
# the values are spliced into each sed replacement unescaped: a '/', '&' or '\' in a generated value
# would break or alter the substitution. The [A-Za-z0-9_] password above is safe; the formats of the
# other generated values are not visible here, so confirm them against the generators.
69 | # update mastodon env file with secrets 70 | [[ ! -f ./env.production ]] && [[ -f ./env.production.sample ]] && cp ./env.production.sample ./env.production 71 | sed -i "s/^\(DB_HOST=\).*/\1${POSTGRES_HOST}/" ./env.production 72 | sed -i "s/^\(DB_NAME=\).*/\1${POSTGRES_DB_NAME}/" ./env.production 73 | sed -i "s/^\(DB_PASS=\).*/\1${POSTGRES_PASSWORD}/" ./env.production 74 | sed -i "s/^\(DB_PORT=\).*/\1${POSTGRES_DB_PORT}/" ./env.production 75 | sed -i "s/^\(DB_USER=\).*/\1${POSTGRES_USER}/" ./env.production 76 | sed -i "s/^\(REDIS_HOST=\).*/\1${REDIS_HOST}/" ./env.production 77 | sed -i "s/^\(REDIS_PORT=\).*/\1${REDIS_PORT}/" ./env.production 78 | sed -i "s/^\(OTP_SECRET=\).*/\1${OTP_SECRET}/" ./env.production 79 | sed -i "s/^\(SECRET_KEY_BASE=\).*/\1${SECRET_KEY_BASE}/" ./env.production 80 | sed -i "s/^\(VAPID_PRIVATE_KEY=\).*/\1${VAPID_PRIVATE_KEY}/" ./env.production 81 | sed -i "s/^\(VAPID_PUBLIC_KEY=\).*/\1${VAPID_PUBLIC_KEY}/" ./env.production 82 | fi 83 | mkdir -p ./db ./config 84 | 85 | popd >/dev/null 2>&1 86 | -------------------------------------------------------------------------------- /metasploit/.gitignore: -------------------------------------------------------------------------------- 1 | .envrc 2 | -------------------------------------------------------------------------------- /metasploit/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | ms: 3 | image: 
metasploitframework/metasploit-framework:latest 4 | environment:
# UID/GID 0 run the framework as root inside the container; consider an unprivileged pair
# (matching the owner of ./msf4 so the bind mount below stays writable)
5 | MSF_UID: 0 6 | MSF_GID: 0 7 | DATABASE_URL: postgres://postgres@db:5432/msf?pool=200&timeout=5 8 | HOME: /home/msf 9 | depends_on: 10 | - db 11 | ports: 12 | - 127.0.0.1:4444:4444 13 | command: 14 | - tail 15 | - -f 16 | - /dev/null 17 | volumes: 18 | - ./msf4:/home/msf/.msf4 19 | tty: true 20 | 21 | db: 22 | image: postgres:17-alpine 23 | volumes: 24 | - pg_data:/var/lib/postgresql/data 25 | environment:
# trust: any client that can reach this container authenticates without a password (the DATABASE_URL
# above carries none); acceptable only while db has no ports: mapping and stays on the compose-internal
# network, as it does here
26 | POSTGRES_HOST_AUTH_METHOD: trust 27 | 28 | volumes: 29 | pg_data: 30 | driver: local 31 | -------------------------------------------------------------------------------- /metasploit/msf4/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /mimic3/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:22.04 2 | 3 | ARG TARGETARCH=amd64 4 | ARG TARGETVARIANT= 5 | 6 | ARG DEFAULT_UID=1000 7 | ARG DEFAULT_GID=1000 8 | ENV DEFAULT_UID $DEFAULT_UID 9 | ENV DEFAULT_GID $DEFAULT_GID 10 | ENV PUSER "mimic3" 11 | ENV PGROUP "mimic3" 12 | ENV PUSER_PRIV_DROP true 13 | ENV PUSER_RLIMIT_UNLOCK true 14 | 15 | ENV DEBIAN_FRONTEND noninteractive 16 | ENV LANG C.UTF-8 17 | ENV PYTHONUNBUFFERED 1 18 | ENV PYTHONDONTWRITEBYTECODE 1 19 | 20 | ARG MIMIC3_BRANCH=master 21 | ENV MIMIC3_BRANCH $MIMIC3_BRANCH 22 | ARG MIMIC3_VOICES_LANG=en 23 | ENV MIMIC3_VOICES_LANG $MIMIC3_VOICES_LANG 24 |
# pulled from the moving 'master' branch at build time with no checksum, so a later change upstream
# silently alters this entrypoint wrapper; pin the URL to a commit or verify a digest after download.
25 | ADD https://raw.githubusercontent.com/mmguero/docker/master/shared/docker-uid-gid-setup.sh /usr/local/bin/docker-uid-gid-setup.sh 26 | 27 | RUN echo "Dir::Cache var/cache/apt/${TARGETARCH}${TARGETVARIANT};" > /etc/apt/apt.conf.d/01cache 28 | 29 | RUN --mount=type=cache,id=apt-run,target=/var/cache/apt \ 30 | mkdir -p /var/cache/apt/${TARGETARCH}${TARGETVARIANT}/archives/partial \ 31 | /usr/local/share/mycroft/mimic3 && \ 
32 | apt-get update && \ 33 | apt-get install --yes --no-install-recommends \ 34 | build-essential git python3 python3-dev python3-pip python3-venv \ 35 | ca-certificates libespeak-ng1 tini vim-tiny jq && \ 36 | sed -i "s/set[[:space:]]*compatible/set nocompatible/g" /etc/vim/vimrc.tiny && \ 37 | groupadd --gid ${DEFAULT_GID} ${PGROUP} && \ 38 | useradd -m --uid ${DEFAULT_UID} --gid ${DEFAULT_GID} --home /home/${PUSER} ${PUSER} && \ 39 | usermod -a -G tty ${PUSER} && \ 40 | chsh -s /bin/bash ${PUSER} && \ 41 | git clone --recurse-submodules --shallow-submodules --single-branch --depth 1 -b "${MIMIC3_BRANCH}" https://github.com/MycroftAI/mimic3 /tmp/mimic3 && \ 42 | mkdir -p /home/${PUSER}/app && \ 43 | cp -r /tmp/mimic3/opentts_abc /home/${PUSER}/app/opentts_abc && \ 44 | cp -r /tmp/mimic3/mimic3_http /home/${PUSER}/app/mimic3_http && \ 45 | cp -r /tmp/mimic3/mimic3_tts /home/${PUSER}/app/mimic3_tts && \ 46 | cp /tmp/mimic3/LICENSE \ 47 | /tmp/mimic3/MANIFEST.in \ 48 | /tmp/mimic3/README.md \ 49 | /tmp/mimic3/setup.py \ 50 | /tmp/mimic3/install.sh \ 51 | /tmp/mimic3/requirements.txt /home/${PUSER}/app/ && \ 52 | cp -r /tmp/mimic3/voices /usr/local/share/mycroft/mimic3/voices && \ 53 | apt-get -y -q --allow-downgrades --allow-remove-essential --allow-change-held-packages autoremove && \ 54 | apt-get clean && \ 55 | rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* 56 | 57 | 58 | WORKDIR /home/mimic3/app 59 | 60 | # Install mimic3 61 | RUN --mount=type=cache,id=pip-requirements,target=/root/.cache/pip \ 62 | ./install.sh && \ 63 | mkdir -p /home/${PUSER}/.local/share/mycroft/mimic3/voices && \ 64 | /home/${PUSER}/app/.venv/bin/python3 -m mimic3_tts.download 2>/dev/null | \ 65 | jq -r '. 
|= keys | .[]' | sort | grep "^${MIMIC3_VOICES_LANG}" | \ 66 | xargs -r -L 1 /home/${PUSER}/app/.venv/bin/python3 -m mimic3_tts.download --output-dir /home/${PUSER}/.local/share/mycroft/mimic3/voices && \ 67 | chown -R ${PUSER}:${PUSER} /home/${PUSER} && \ 68 | mkdir -p /root/.local/share/mycroft/mimic3 && \ 69 | ln -s /home/${PUSER}/.local/share/mycroft/mimic3/voices /root/.local/share/mycroft/mimic3/voices && \ 70 | chmod 755 /usr/local/bin/docker-uid-gid-setup.sh 71 | 72 | WORKDIR /home/mimic3/app 73 | 74 | EXPOSE 59125 75 | 76 | ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/docker-uid-gid-setup.sh"] 77 | 78 | CMD ["/home/mimic3/app/.venv/bin/python3", "-m", "mimic3_http"] 79 | -------------------------------------------------------------------------------- /mimic3/data/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /mimic3/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.7' 2 | 3 | services: 4 | mimic: 5 | # image: oci.guero.org/mimic3:gpu 6 | image: oci.guero.org/mimic3:latest 7 | ports: 8 | - "127.0.0.1:59125:59125" 9 | volumes: 10 | - ./data:/home/mimic3/.local/share/mycroft/mimic3:rw 11 | restart: unless-stopped 12 | -------------------------------------------------------------------------------- /musescore-web/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mmguero/docker/40f67f3606171c50156b4e7de4d3b47145e4b150/musescore-web/.gitignore -------------------------------------------------------------------------------- /musescore-web/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM jlesage/baseimage-gui:debian-12-v4 2 | 3 | ENV APP_NAME "MuseScore" 4 | ENV WEB_AUDIO 1 5 | 6 | RUN add-pkg musescore 7 | 8 
| COPY startapp.sh /startapp.sh 9 | -------------------------------------------------------------------------------- /musescore-web/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | musescore: 3 | image: oci.guero.org/musescore-web:latest 4 | build: 5 | context: . 6 | dockerfile: Dockerfile 7 | container_name: musescore 8 | hostname: musescore 9 | restart: unless-stopped 10 | environment: 11 | USER_ID : 1000 12 | GROUP_ID : 1000 13 | WEB_AUDIO : 1
# the next two lines give an unauthenticated, plain-HTTP web UI; neither service in this file publishes
# a port, so they are reachable only from the compose network. If a ports: mapping is added, bind it to
# 127.0.0.1 or front it with a proxy that adds authentication and TLS.
14 | WEB_AUTHENTICATION : 0 15 | SECURE_CONNECTION : 0 16 | VNC_LISTENING_PORT : -1 17 | WEB_LISTENING_PORT : 5800 18 | networks: 19 | - default 20 | volumes: 21 | - type: bind 22 | bind: 23 | create_host_path: false 24 | source: ./files 25 | target: /musescore-files 26 | 27 | musescore-files: 28 | image: oci.guero.org/gossa:latest 29 | restart: unless-stopped 30 | hostname: musescore-files 31 | networks: 32 | - default 33 | environment: 34 | - PUID=1000 35 | - PGID=1000 36 | - HOST=0.0.0.0 37 | - PORT=8001 38 | - PREFIX=/ 39 | - FOLLOW_SYMLINKS=false 40 | - SKIP_HIDDEN_FILES=true 41 | - DATADIR=/shared
# writable, unauthenticated file browser over ./files; same exposure caveat as the musescore service above
42 | - READONLY=false 43 | - VERBOSE=false 44 | volumes: 45 | - type: bind 46 | bind: 47 | create_host_path: false 48 | source: ./files 49 | target: /shared 50 | 51 | networks: 52 | default: 53 | external: false 54 | -------------------------------------------------------------------------------- /musescore-web/files/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /musescore-web/startapp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 |
# 'a && b || c' is not if/else: when musescore is found but exits non-zero, mscore is launched as well
3 | command -v musescore >/dev/null 2>&1 && musescore || mscore -------------------------------------------------------------------------------- /net-clients/Dockerfile: 
-------------------------------------------------------------------------------- 1 | FROM alpine:latest 2 | 3 | LABEL maintainer="mero.mero.guero@gmail.com" 4 | LABEL org.opencontainers.image.authors='mero.mero.guero@gmail.com' 5 | LABEL org.opencontainers.image.url='https://github.com/mmguero/docker/tree/master/net-clients' 6 | LABEL org.opencontainers.image.source='https://github.com/mmguero/docker' 7 | LABEL org.opencontainers.image.title='oci.guero.org/net-clients' 8 | LABEL org.opencontainers.image.description='Dockerized Network Client Utilities' 9 | 10 | RUN apk add --no-cache \ 11 | autossh \ 12 | bash \ 13 | bat \ 14 | busybox-extras \ 15 | ca-certificates \ 16 | croc \ 17 | curl \ 18 | file \ 19 | git \ 20 | iproute2 \ 21 | jc \ 22 | jo \ 23 | jq \ 24 | moreutils \ 25 | mosh \ 26 | netcat-openbsd \ 27 | openssh-client \ 28 | psmisc \ 29 | pv \ 30 | rclone \ 31 | rsync \ 32 | shadow \ 33 | socat \ 34 | stunnel \ 35 | w3m \ 36 | wget \ 37 | whois \ 38 | yq 39 | 40 | ENTRYPOINT /bin/bash 41 | -------------------------------------------------------------------------------- /netbox/.gitignore: -------------------------------------------------------------------------------- 1 | /config/*.env 2 | /redis 3 | /postgres 4 | 5 | # development 6 | .envrc 7 | .direnv 8 | -------------------------------------------------------------------------------- /netbox/config/netbox-secret.env.example: -------------------------------------------------------------------------------- 1 | EMAIL_PASSWORD= 2 | EMAIL_USERNAME=netbox 3 | NAPALM_PASSWORD= 4 | NAPALM_USERNAME= 5 | SECRET_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 6 | SUPERUSER_API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 7 | SUPERUSER_NAME=admin 8 | SUPERUSER_PASSWORD=admin 9 | -------------------------------------------------------------------------------- /netbox/config/netbox.env.example: -------------------------------------------------------------------------------- 1 | NETBOX_DEFAULT_SITE=default 
2 | 3 | ENFORCE_GLOBAL_UNIQUE=False 4 | EXEMPT_VIEW_PERMISSIONS=* 5 | LOGIN_REQUIRED=True 6 | LOGIN_FORM_HIDDEN=False 7 | LOGIN_PERSISTENCE=True 8 | ALLOW_TOKEN_RETRIEVAL=False 9 | ISOLATED_DEPLOYMENT=True 10 | 11 | CORS_ORIGIN_ALLOW_ALL=True 12 | # If you create API tokens from the NetBox web UI, set this to the exact origin(s) the UI is served from 13 | # (see https://docs.djangoproject.com/en/4.1/ref/settings/#csrf-trusted-origins) 14 | # CSRF_TRUSTED_ORIGINS=https://netbox.example.org
# The wildcard value below, together with CORS_ORIGIN_ALLOW_ALL above, is the permissive setting; narrow
# it to the real origin for anything beyond an isolated deployment.
15 | CSRF_TRUSTED_ORIGINS=http://* https://* 16 | 17 | # Remote authentication makes NetBox trust the identity headers below (set by the NGINX reverse proxy) and
# create user accounts from them automatically. This is only safe while NetBox is reachable solely through
# that proxy and the proxy strips any client-supplied copies of these headers: a client that could send them
# directly would be mapped to the groups below, including the superuser group.
18 | # https://netboxlabs.com/docs/netbox/en/stable/configuration/remote-authentication 19 | # https://netboxlabs.com/docs/netbox/en/stable/administration/permissions/ 20 | REMOTE_AUTH_ENABLED=True 21 | REMOTE_AUTH_BACKEND=netbox.authentication.RemoteUserBackend 22 | REMOTE_AUTH_HEADER=HTTP_X_REMOTE_AUTH 23 | REMOTE_AUTH_GROUP_HEADER=HTTP_X_REMOTE_AUTH_GROUP 24 | REMOTE_AUTH_USER_EMAIL=HTTP_X_REMOTE_AUTH_EMAIL 25 | REMOTE_AUTH_USER_FIRST_NAME=HTTP_X_REMOTE_AUTH_FIRST_NAME 26 | REMOTE_AUTH_USER_LAST_NAME=HTTP_X_REMOTE_AUTH_LAST_NAME 27 | REMOTE_AUTH_AUTO_CREATE_USER=True 28 | REMOTE_AUTH_AUTO_CREATE_GROUPS=True 29 | REMOTE_AUTH_GROUP_SYNC_ENABLED=False 30 | REMOTE_AUTH_DEFAULT_GROUPS=standard 31 | REMOTE_AUTH_STAFF_GROUPS=administrator 32 | REMOTE_AUTH_STAFF_USERS= 33 | REMOTE_AUTH_SUPERUSER_GROUPS=administrator 34 | REMOTE_AUTH_SUPERUSERS= 35 | 36 | EMAIL_FROM=netbox@bar.com 37 | EMAIL_PORT=25 38 | EMAIL_SERVER=localhost 39 | EMAIL_SSL_CERTFILE= 40 | EMAIL_SSL_KEYFILE= 41 | EMAIL_TIMEOUT=5 42 | # EMAIL_USE_SSL and EMAIL_USE_TLS are mutually exclusive, i.e. they can't both be `true`! 
43 | EMAIL_USE_SSL=false 44 | EMAIL_USE_TLS=false 45 | GRAPHQL_ENABLED=true 46 | HOUSEKEEPING_INTERVAL=86400 47 | MAX_PAGE_SIZE=1000 48 | MEDIA_ROOT=/opt/netbox/netbox/media 49 | METRICS_ENABLED=false 50 | NAPALM_TIMEOUT=10 51 | REDIS_CACHE_DATABASE=1 52 | REDIS_CACHE_INSECURE_SKIP_TLS_VERIFY=false 53 | REDIS_CACHE_SSL=false 54 | REDIS_DATABASE=0 55 | REDIS_INSECURE_SKIP_TLS_VERIFY=false 56 | REDIS_SSL=false 57 | RELEASE_CHECK_URL= 58 | CENSUS_REPORTING_ENABLED=false 59 | SKIP_STARTUP_SCRIPTS=true 60 | SKIP_SUPERUSER=false 61 | SUPERUSER_EMAIL=admin@example.com 62 | WEBHOOKS_ENABLED=true 63 | 64 | PUSER_CHOWN=/etc/netbox/config -------------------------------------------------------------------------------- /netbox/config/postgres.env.example: -------------------------------------------------------------------------------- 1 | POSTGRES_HOST=netbox-postgres 2 | PGPORT=5432 3 | 4 | POSTGRES_DB=postgres 5 | POSTGRES_USER=postgres 6 | POSTGRES_PASSWORD=xxxxxxxxxxxxxxxx 7 | 8 | POSTGRES_NETBOX_DB=netbox 9 | POSTGRES_NETBOX_USER=netbox 10 | POSTGRES_NETBOX_PASSWORD=xxxxxxxxxxxxxxxx 11 | 12 | POSTGRES_DISABLED=false 13 | -------------------------------------------------------------------------------- /netbox/config/process.env.example: -------------------------------------------------------------------------------- 1 | # docker containers will run processes as unprivileged user with UID:GID 2 | PUID=1000 3 | PGID=1000 4 | -------------------------------------------------------------------------------- /netbox/config/redis.env.example: -------------------------------------------------------------------------------- 1 | REDIS_HOST=netbox-redis 2 | REDIS_PORT=6379 3 | REDIS_CACHE_HOST=netbox-redis-cache 4 | REDIS_CACHE_PORT=6379 5 | REDIS_PASSWORD=XXXXXXXXXXXXXXXXXXXXXXXX 6 | -------------------------------------------------------------------------------- /netbox/docker-compose.yml: -------------------------------------------------------------------------------- 1 | 
services: 2 | netbox-postgres: 3 | image: ghcr.io/mmguero-dev/malcolm/postgresql:main 4 | restart: "no" 5 | stdin_open: false 6 | tty: true 7 | networks: 8 | - default 9 | env_file: 10 | - ./config/process.env 11 | - ./config/postgres.env 12 | volumes: 13 | - type: bind 14 | bind: 15 | create_host_path: false 16 | source: ./postgres 17 | target: /var/lib/postgresql/data 18 | healthcheck: 19 | test: ["CMD", "/usr/local/bin/container_health.sh"] 20 | interval: 60s 21 | timeout: 15s 22 | retries: 3 23 | start_period: 45s 24 | netbox-redis: 25 | image: ghcr.io/mmguero-dev/malcolm/redis:main 26 | restart: "no" 27 | stdin_open: false 28 | tty: true 29 | networks: 30 | - default 31 | env_file: 32 | - ./config/process.env 33 | - ./config/redis.env 34 | command: 35 | - sh 36 | - -c 37 | - redis-server --appendonly yes --requirepass $$REDIS_PASSWORD 38 | volumes: 39 | - type: bind 40 | bind: 41 | create_host_path: false 42 | source: ./redis 43 | target: /data 44 | healthcheck: 45 | test: ["CMD", "/usr/local/bin/container_health.sh"] 46 | interval: 60s 47 | timeout: 15s 48 | retries: 3 49 | start_period: 45s 50 | netbox-redis-cache: 51 | image: ghcr.io/mmguero-dev/malcolm/redis:main 52 | restart: "no" 53 | stdin_open: false 54 | tty: true 55 | networks: 56 | - default 57 | env_file: 58 | - ./config/process.env 59 | - ./config/redis.env 60 | command: 61 | - sh 62 | - -c 63 | - redis-server --requirepass $$REDIS_PASSWORD 64 | healthcheck: 65 | test: ["CMD", "/usr/local/bin/container_health.sh"] 66 | interval: 60s 67 | timeout: 15s 68 | retries: 3 69 | start_period: 45s 70 | netbox-core: 71 | image: ghcr.io/mmguero-dev/malcolm/netbox:main 72 | restart: "no" 73 | stdin_open: false 74 | tty: true 75 | networks: 76 | - default 77 | env_file: 78 | - ./config/process.env 79 | - ./config/netbox.env 80 | - ./config/netbox-secret.env 81 | - ./config/postgres.env 82 | - ./config/redis.env 83 | depends_on: 84 | - netbox-postgres 85 | - netbox-redis 86 | - netbox-redis-cache 87 | volumes: 
88 | - type: bind 89 | bind: 90 | create_host_path: false 91 | source: ./netbox/media 92 | target: /opt/netbox/netbox/media 93 | - type: bind 94 | bind: 95 | create_host_path: false 96 | source: ./netbox/preload 97 | target: /opt/netbox-preload 98 | read_only: true 99 | - type: bind 100 | bind: 101 | create_host_path: false 102 | source: ./netbox/custom-plugins 103 | target: /opt/netbox-custom-plugins 104 | read_only: true 105 | healthcheck: 106 | test: ["CMD", "/usr/local/bin/container_health.sh"] 107 | interval: 60s 108 | timeout: 15s 109 | retries: 3 110 | start_period: 120s 111 | labels: 112 | traefik.enable : false 113 | # traefik.http.routers.netbox.rule : "Host(`netbox.example.org`)" 114 | # traefik.http.routers.netbox.entrypoints : "websecure" 115 | # traefik.http.routers.netbox.tls.certresolver : "myresolver" 116 | # traefik.http.services.netbox.loadbalancer.server.port : 8080 117 | 118 | networks: 119 | default: 120 | external: false 121 | -------------------------------------------------------------------------------- /netbox/netbox/custom-plugins/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /netbox/netbox/media/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /netbox/netbox/preload/initializers.txt: -------------------------------------------------------------------------------- 1 | Files in this directory should be formatted for import by the netbox-initializers 2 | plugin (https://github.com/tobiasge/netbox-initializers). 
-------------------------------------------------------------------------------- /netbox/netbox/preload/manufacturers.yml: -------------------------------------------------------------------------------- 1 | - name: Unspecified 2 | slug: unspecified 3 | -------------------------------------------------------------------------------- /nextcloud/.dockerignore: -------------------------------------------------------------------------------- 1 | **/*.crt 2 | **/*.key 3 | **/*.pem 4 | docker-compose*yml 5 | data 6 | db 7 | docker 8 | -------------------------------------------------------------------------------- /nextcloud/data/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /nextcloud/db/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /nextcloud/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | 5 | postgres: 6 | image: oci.guero.org/postgres:latest 7 | container_name: nextcloud-postgres 8 | hostname: postgres 9 | environment: 10 | PUID: 1000 11 | PGID: 100 12 | TZ: America/Denver 13 | POSTGRES_USER: postgres 14 | POSTGRES_PASSWORD: XXXXXXXXXXXXXXX 15 | PGDATA: /var/lib/postgresql/data/pgdata 16 | volumes: 17 | - ./db:/var/lib/postgresql/data/pgdata 18 | restart: unless-stopped 19 | networks: 20 | - proxy 21 | 22 | nextcloud: 23 | image: oci.guero.org/nextcloud:latest 24 | build: 25 | context: . 
26 | dockerfile: docker/Dockerfile 27 | container_name: nextcloud 28 | hostname: nextcloud 29 | links: 30 | - postgres 31 | expose: 32 | - 80 33 | environment: 34 | - PUID=1000 35 | - PGID=100 36 | - TZ=America/Denver 37 | - POSTGRES_DB=nextcloud 38 | - POSTGRES_USER=postgres 39 | - POSTGRES_PASSWORD=XXXXXXXXX 40 | - POSTGRES_HOST=postgres 41 | - NEXTCLOUD_ADMIN_USER=admin 42 | volumes: 43 | - ./data:/var/www/html 44 | restart: unless-stopped 45 | networks: 46 | - proxy 47 | labels: 48 | - "traefik.enable=true" 49 | - "traefik.http.routers.nextcloud.rule=Host(`nextcloud.example.org`)" 50 | - "traefik.http.routers.nextcloud.entrypoints=websecure" 51 | - "traefik.http.routers.nextcloud.tls.certresolver=myresolver" 52 | 53 | networks: 54 | proxy: 55 | external: 56 | name: traefik-proxy 57 | 58 | -------------------------------------------------------------------------------- /nextcloud/docker/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM nextcloud:latest 2 | 3 | LABEL maintainer="mero.mero.guero@gmail.com" 4 | LABEL org.opencontainers.image.authors='mero.mero.guero@gmail.com' 5 | LABEL org.opencontainers.image.url='https://github.com/mmguero/docker/tree/master/nextcloud' 6 | LABEL org.opencontainers.image.source='https://github.com/mmguero/docker' 7 | LABEL org.opencontainers.image.title='oci.guero.org/nextcloud' 8 | LABEL org.opencontainers.image.description='Dockerized Nextcloud' 9 | 10 | RUN apt-get update && \ 11 | apt-get -y -q --no-install-recommends install smbclient && \ 12 | apt-get clean && \ 13 | rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* 14 | 15 | -------------------------------------------------------------------------------- /nginx-proxy/config/proxy_overrides.conf: -------------------------------------------------------------------------------- 1 | client_max_body_size 1024m; 2 | -------------------------------------------------------------------------------- /nginx-proxy/docker-compose.yml: 
-------------------------------------------------------------------------------- 1 | version: '2' 2 | 3 | services: 4 | nginx-proxy: 5 | image: jwilder/nginx-proxy:latest 6 | container_name: nginx-proxy 7 | ports: 8 | - 0.0.0.0:80:80 9 | - 0.0.0.0:443:443 10 | volumes: 11 | - conf:/etc/nginx/conf.d 12 | - vhost:/etc/nginx/vhost.d 13 | - dhparam:/etc/nginx/dhparam 14 | - certs:/etc/nginx/certs:ro 15 | - html:/usr/share/nginx/html:ro 16 | - ./config/proxy_overrides.conf:/etc/nginx/conf.d/proxy_overrides.conf:ro 
# NOTE(review): handing the Docker socket to the internet-facing proxy means a compromise of nginx-proxy is
# generally equivalent to root on the host (the daemon API can start privileged containers); ":ro" only affects
# the socket inode, not what the API permits. A least-privilege socket proxy exposing just the read-only
# container/event endpoints nginx-proxy needs would contain that blast radius.
17 | - /var/run/docker.sock:/tmp/docker.sock:ro 18 | networks: 19 | - proxy 20 | restart: always 21 | 22 | letsencrypt: 23 | image: jrcs/letsencrypt-nginx-proxy-companion:latest 24 | container_name: nginx-proxy-le 25 | volumes_from: 26 | - nginx-proxy 27 | volumes: 28 | - certs:/etc/nginx/certs:rw 29 | - html:/usr/share/nginx/html:rw 
# NOTE(review): same Docker-socket exposure as nginx-proxy above (presumably needed to watch container events);
# the same socket-proxy mitigation applies here.
30 | - /var/run/docker.sock:/var/run/docker.sock:ro 31 | restart: always 32 | 33 | volumes: 34 | conf: 35 | vhost: 36 | dhparam: 37 | certs: 38 | html: 39 | 40 | networks: 41 | proxy: 42 | external: 43 | name: nginx-proxy 44 | -------------------------------------------------------------------------------- /nginx-securimage/docker-compose.yml: -------------------------------------------------------------------------------- 
# NOTE(review): X-Content-Security-Policy and X-WebKit-CSP are the obsolete vendor-prefixed names — only
# Content-Security-Policy is honoured by current browsers — and 'unsafe-inline' in script-src cancels most of the
# XSS protection CSP would give. When this todo is picked up, moving inline scripts out (or using nonces) is what
# makes the header worthwhile.
1 | # todo 2 | # X-Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' 3 | # X-WebKit-CSP: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' 4 | # Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' 5 | 6 | services: 7 | web: 8 | image: oci.guero.org/nginx-securimage:latest 9 | container_name: nginx-securimage 10 | build: 11 | context: . 
12 | dockerfile: docker/nginx.Dockerfile 13 | volumes: 14 | - ./nginx/server.conf:/etc/nginx/conf.d/server.conf:ro 15 | - ./php/php.ini:/etc/php7/conf.d/settings.ini:ro 16 | - ./php/php-fpm-settings.conf:/etc/php7/php-fpm.d/server.conf:ro 17 | - ./webcontent/index.php:/var/www/html/index.php:ro 18 | - ./webcontent/favicon.ico:/var/www/html/favicon.ico:ro 19 | - ./index.html:/var/www/html/story/index.html:ro 20 | ports: 
# NOTE(review): no host address, so 8080 is published on every interface; prefix with 127.0.0.1: if only a local
# reverse proxy is meant to reach it.
21 | - "8080:8080" 22 | -------------------------------------------------------------------------------- /nginx-securimage/docker/nginx.Dockerfile: -------------------------------------------------------------------------------- 1 | FROM trafex/alpine-nginx-php7:latest 2 | 3 | LABEL maintainer="mero.mero.guero@gmail.com" 4 | LABEL org.opencontainers.image.authors='mero.mero.guero@gmail.com' 5 | LABEL org.opencontainers.image.url='https://github.com/mmguero/docker/tree/master/nginx-securimage' 6 | LABEL org.opencontainers.image.source='https://github.com/mmguero/docker' 7 | LABEL org.opencontainers.image.title='oci.guero.org/nginx-securimage' 8 | LABEL org.opencontainers.image.description='Dockerized NGINX with Securimage PHP Captcha' 9 | 
# NOTE(review): legacy "ENV key value" form; "ENV WEBROOT=/var/www/html" is the recommended spelling.
10 | ENV WEBROOT /var/www/html 11 | 
# NOTE(review): both downloads below run curl with -k, which disables TLS certificate verification, and the
# securimage tarball is pulled from the moving "master" ref — so the PHP code that ends up serving the captcha is
# neither authenticated nor reproducible. Drop -k (the base image trusts the public CAs), pin a release tag, and
# verify a known checksum before extracting; the html5up zip deserves the same treatment.
12 | RUN mkdir -p "$WEBROOT" && \ 13 | cd "$WEBROOT" && \ 14 | rm -f ./test.html && \ 15 | mkdir ./securimage && \ 16 | curl -ksSL "https://github.com/dapphp/securimage/tarball/master" | tar xzvf - -C ./securimage --strip-components 1 && \ 17 | curl -ksSL -o /tmp/story.zip "https://html5up.net/story/download" && \ 18 | unzip /tmp/story.zip -d "$WEBROOT" && \ 19 | rm -f /tmp/story.zip "$WEBROOT"/index*html "$WEBROOT"/README.txt 20 | 21 | ADD webcontent "$WEBROOT" 22 | 23 | EXPOSE 8080 24 | 25 | WORKDIR "$WEBROOT" 26 | 27 | -------------------------------------------------------------------------------- /nginx-securimage/nginx/server.conf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mmguero/docker/40f67f3606171c50156b4e7de4d3b47145e4b150/nginx-securimage/nginx/server.conf -------------------------------------------------------------------------------- /nginx-securimage/php/php-fpm-settings.conf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mmguero/docker/40f67f3606171c50156b4e7de4d3b47145e4b150/nginx-securimage/php/php-fpm-settings.conf -------------------------------------------------------------------------------- /nginx-securimage/php/php.ini: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mmguero/docker/40f67f3606171c50156b4e7de4d3b47145e4b150/nginx-securimage/php/php.ini -------------------------------------------------------------------------------- /nodejs-nginx/.dockerignore: -------------------------------------------------------------------------------- 1 | node_modules -------------------------------------------------------------------------------- /nodejs-nginx/.gitignore: -------------------------------------------------------------------------------- 1 | node_modules -------------------------------------------------------------------------------- /nodejs-nginx/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM node:alpine 2 | 3 | WORKDIR /usr/src/app 4 | 5 | COPY package*.json /usr/src/app 6 | 7 | RUN npm install 8 | 9 | COPY . /usr/src/app 10 | 11 | CMD npm start 12 | -------------------------------------------------------------------------------- /nodejs-nginx/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | webapp: 3 | restart: unless-stopped 4 | image: nodeapp 5 | build: . 
6 | # ports: 7 | # - 127.0.0.1:3000:3000 8 | volumes: 9 | - ./:/usr/src/app 10 | - /usr/src/app/node_modules 11 | networks: 12 | - default 13 | 14 | proxy: 15 | restart: unless-stopped 16 | image: nginx:alpine 17 | ports: 18 | - 127.0.0.1:8000:80 19 | depends_on: 20 | - webapp 21 | volumes: 22 | - ./nginx/default.conf:/etc/nginx/conf.d/default.conf 23 | networks: 24 | - default 25 | 26 | networks: 27 | default: 28 | external: false 29 | -------------------------------------------------------------------------------- /nodejs-nginx/index.js: -------------------------------------------------------------------------------- 1 | const http = require('http') 2 | const server = http.createServer((req, res) => { 3 | res.writeHead(200, { 'content-type': 'text/html' }) 4 | 5 | if (req.url === '/') { 6 | res.write('

Node.js and NGINX

') 7 | res.end() 8 | } else { 9 | res.write('

404 Not Found

') 10 | res.end() 11 | } 12 | }) 13 | 14 | server.listen(process.env.PORT || 3000, () => console.log(`server running on ${server.address().port}`)) 15 | -------------------------------------------------------------------------------- /nodejs-nginx/nginx/default.conf: -------------------------------------------------------------------------------- 1 | server { 2 | listen 80; 3 | server_name nodeapp.example.com; 4 | 5 | location / { 6 | proxy_pass http://webapp:3000; 7 | proxy_http_version 1.1; 8 | proxy_set_header Upgrade $http_upgrade; 9 | proxy_set_header Connection 'upgrade'; 10 | proxy_set_header Host $host; 11 | proxy_cache_bypass $http_upgrade; 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /nodejs-nginx/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "node-nginx", 3 | "version": "0.0.1", 4 | "description": "Node.js with NGINX", 5 | "main": "index.js", 6 | "scripts": { 7 | "start": "node index.js" 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /openldap/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | openldap: 3 | image: osixia/openldap:latest 4 | container_name: openldap 5 | environment: 6 | - LDAP_LOG_LEVEL=32768 7 | - LDAP_ORGANISATION=example.org 8 | - LDAP_DOMAIN=example.org 9 | - LDAP_BASE_DN= 10 | - LDAP_ADMIN_PASSWORD=password 11 | - LDAP_CONFIG_PASSWORD=password 12 | - LDAP_READONLY_USER=true 13 | - LDAP_READONLY_USER_USERNAME=binddn 14 | - LDAP_READONLY_USER_PASSWORD=password 15 | - LDAP_RFC2307BIS_SCHEMA=false 16 | - LDAP_BACKEND=mdb 17 | - LDAP_TLS=true 18 | - LDAP_TLS_CRT_FILENAME=ldap.crt 19 | - LDAP_TLS_KEY_FILENAME=ldap.key 20 | # the CA file should contain the whole CA chain (e.g., intermediate + root) 21 | - LDAP_TLS_CA_CRT_FILENAME=ca.crt 22 | - LDAP_TLS_ENFORCE=false 23 | - 
LDAP_TLS_CIPHER_SUITE=SECURE256:-VERS-SSL3.0 
# NOTE(review): 3.1 is OpenLDAP's value for TLS 1.0; 3.3 (TLS 1.2) is the usual floor today.
24 | - LDAP_TLS_PROTOCOL_MIN=3.1 
# NOTE(review): with LDAP_TLS_ENFORCE=false (above) and 389 published on 0.0.0.0 (below), simple binds — including
# the read-only and admin passwords set in this file — may travel in cleartext if a client does not StartTLS.
# Either enforce TLS, or publish only 636 / bind 389 to a loopback or LAN address.
25 | - LDAP_TLS_VERIFY_CLIENT=never 26 | - LDAP_REPLICATION=false 27 | - KEEP_EXISTING_CONFIG=false 28 | - LDAP_REMOVE_CONFIG_AFTER_SETUP=true 29 | - LDAP_SSL_HELPER_PREFIX=ldap 30 | # for podman: 31 | # - DISABLE_CHOWN=true 32 | # - LDAP_OPENLDAP_UID=0 33 | # - LDAP_OPENLDAP_GID=0 34 | volumes: 35 | - /var/lib/ldap 36 | - /etc/ldap/slapd.d 37 | - ./certs_ldap:/container/service/slapd/assets/certs:rw 38 | expose: 39 | - 389 40 | - 636 41 | ports: 42 | - "0.0.0.0:389:389" 43 | - "0.0.0.0:636:636" 44 | domainname: openldap 45 | hostname: openldap 46 | restart: unless-stopped 47 | phpldapadmin: 48 | image: osixia/phpldapadmin:latest 49 | container_name: phpldapadmin 50 | expose: 51 | - 443 52 | ports: 53 | - "0.0.0.0:443:443" 54 | environment: 55 | - PHPLDAPADMIN_LDAP_HOSTS=openldap 56 | - PHPLDAPADMIN_HTTPS=true 57 | - PHPLDAPADMIN_HTTPS_CRT_FILENAME=ldap.crt 58 | - PHPLDAPADMIN_HTTPS_KEY_FILENAME=ldap.key 59 | - PHPLDAPADMIN_HTTPS_CA_CRT_FILENAME=ca.crt 60 | - PHPLDAPADMIN_LDAP_CLIENT_TLS_CRT_FILENAME=ldap.crt 61 | - PHPLDAPADMIN_LDAP_CLIENT_TLS_KEY_FILENAME=ldap.key 62 | - PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME=ca.crt 63 | volumes: 64 | - ./certs_web:/container/service/phpldapadmin/assets/apache2/certs:rw 65 | - ./certs_web:/container/service/ldap-client/assets/certs:rw 66 | depends_on: 67 | - openldap 68 | domainname: phpldapadmin 69 | hostname: phpldapadmin 70 | restart: unless-stopped 71 | -------------------------------------------------------------------------------- /openldap/ldap-cert-renew-restart.sh: -------------------------------------------------------------------------------- 
# Copies a freshly renewed CA/server certificate and key from $HOME/services/certs into the two cert directories
# used by this compose project, restarts the user-level openldap service, then re-applies ./export.ldif.
1 | #!/usr/bin/env bash 2 | 3 | set -e 4 | 5 | RUN_PATH="$(pwd)" 6 | [[ "$(uname -s)" = 'Darwin' ]] && REALPATH=grealpath || REALPATH=realpath 7 | [[ "$(uname -s)" = 'Darwin' ]] && DIRNAME=gdirname || DIRNAME=dirname 8 | if ! 
(type "$REALPATH" && type "$DIRNAME") > /dev/null; then 9 | echo "$(basename "${BASH_SOURCE[0]}") requires $REALPATH and $DIRNAME" 10 | exit 1 11 | fi 
# the inner $($REALPATH ...) is unquoted, so a script path containing whitespace would be word-split here
12 | SCRIPT_PATH="$($DIRNAME $($REALPATH -e "${BASH_SOURCE[0]}"))" 13 | pushd "$SCRIPT_PATH" >/dev/null 2>&1 14 | 
# NOTE(review): ldap.key (a private key) is copied into both certs_ldap/ and certs_web/ inside the repo checkout;
# make sure both directories are git-ignored and not world-readable.
15 | for DEST in certs_ldap certs_web; do 16 | /bin/cp -vf "$HOME"/services/certs/ca.crt \ 17 | "$HOME"/services/certs/ldap.crt \ 18 | "$HOME"/services/certs/ldap.key \ 19 | ./$DEST 20 | done 21 | 22 | # docker-compose down || true 23 | # podman-compose down || true 24 | systemctl --user stop openldap 25 | 26 | # docker-compose up -d 27 | # podman-compose --podman-run-args '--uidmap 33:0:1 --uidmap 0:1:33 --uidmap 34:34:64536' up -d 28 | systemctl --user start openldap 29 | 
# fixed delay rather than a readiness check; ldapmodify below fails (and set -e aborts) if slapd is slower than this
30 | sleep 20 31 | 32 | 
# NOTE(review): -w puts the admin password on the ldapmodify command line, where every local user can read it from
# the process table for the duration of the call; -y with a (mode 0600) password file avoids that. The DN and
# password are scraped from docker-compose.yml, which makes that file a secrets file — and LDAP_BASE_DN is empty in
# the committed copy, so the bind DN would be "cn=admin," until it is filled in. -h/-p are deprecated in favour of
# -H ldap://127.0.0.1:389; the connection stays on loopback, so cleartext here is acceptable.
ldapmodify -D "cn=admin,$(grep LDAP_BASE_DN ./docker-compose.yml | sed "s/[^=]*=//")" -w "$(grep LDAP_ADMIN_PASSWORD ./docker-compose.yml | sed "s/[^=]*=//")" -h 127.0.0.1 -p 389 -a -f ./export.ldif 33 | 34 | popd >/dev/null 2>&1 35 | -------------------------------------------------------------------------------- /opensearch/.creds.curlrc.example: -------------------------------------------------------------------------------- 
# NOTE(review): "insecure" switches off TLS certificate verification for every curl call that loads this rc file;
# only appropriate for a self-signed lab cert — otherwise point curl at the CA with "cacert" instead.
1 | user: "username:password" 2 | insecure -------------------------------------------------------------------------------- /opensearch/.gitignore: -------------------------------------------------------------------------------- 1 | # development 2 | .envrc 3 | .direnv 4 | 5 | # authentication 6 | .creds.curlrc -------------------------------------------------------------------------------- /opensearch/certs/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /opensearch/opensearch.Dockerfile: -------------------------------------------------------------------------------- 1 | FROM opensearchproject/opensearch:2.18.0 2 | 3 | ARG 
DEFAULT_UID=1000 4 | ARG DEFAULT_GID=1000 5 | ENV DEFAULT_UID $DEFAULT_UID 6 | ENV DEFAULT_GID $DEFAULT_GID 7 | ENV PUID $DEFAULT_UID 8 | ENV PUSER "opensearch" 9 | ENV PGROUP "opensearch" 10 | ENV PUSER_CHOWN "/usr/share/opensearch/data" 11 | ENV PUSER_PRIV_DROP true 12 | 13 | ENV TERM xterm 14 | 15 | ENV TINI_VERSION v0.19.0 16 | ENV TINI_URL https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini 17 | 18 | ARG DISABLE_INSTALL_DEMO_CONFIG=true 19 | ENV DISABLE_INSTALL_DEMO_CONFIG $DISABLE_INSTALL_DEMO_CONFIG 20 | ENV OPENSEARCH_JAVA_HOME=/usr/share/opensearch/jdk 21 | 22 | USER root 23 | 
# NOTE(review): these helper scripts are fetched at build time from the moving "master" branch with no checksum,
# so the image's entrypoint depends on whatever that ref serves on the day of the build — a supply-chain weak spot
# for an image that later drops privileges via these very scripts. Pin a commit (and ideally verify a digest);
# the tini download in the RUN below is likewise unverified and should be checked against a known checksum.
24 | ADD https://raw.githubusercontent.com/mmguero/docker/master/shared/docker-uid-gid-setup.sh /usr/local/bin/docker-uid-gid-setup.sh 25 | ADD https://raw.githubusercontent.com/mmguero/docker/master/shared/jdk-cacerts-auto-import.sh /usr/local/bin/jdk-cacerts-auto-import.sh 26 | 27 | RUN export BINARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/') && \ 28 | yum upgrade -y && \ 29 | yum install -y curl-minimal psmisc findutils util-linux openssl rsync python3 zip unzip && \ 30 | curl -sSLf -o /usr/bin/tini "${TINI_URL}-${BINARCH}" && \ 31 | usermod -a -G tty ${PUSER} && \ 
# NOTE(review): the opensearch.yml written here has no plugins.security.* settings and the demo config is disabled,
# so a running node relies on a separate config (see /opensearch/opensearch.yml below) being mounted at runtime —
# presumably by the compose file, which is outside this view. http.cors.allow-origin "*" lets any web origin script
# requests at the REST API; the practical exposure hinges on http.cors.allow-credentials (not set here, default off),
# but restricting the origin to the Dashboards host is the safer default. Also, "Engaged-Auth-Token Authorization"
# looks like a missing comma — as written, Authorization is not a separately allowed header.
32 | echo -e 'cluster.name: "docker-cluster"\nnetwork.host: 0.0.0.0\nbootstrap.memory_lock: true\nhttp.cors.enabled: true\nhttp.cors.allow-origin: "*"\nhttp.cors.allow-methods: OPTIONS, HEAD, GET, POST, PUT, DELETE\nhttp.cors.allow-headers: "kbn-version, Origin, X-Requested-With, Content-Type, Accept, Engaged-Auth-Token Authorization"' > /usr/share/opensearch/config/opensearch.yml && \ 33 | sed -i "s/#[[:space:]]*\([0-9]*-[0-9]*:-XX:-\(UseConcMarkSweepGC\|UseCMSInitiatingOccupancyOnly\)\)/\1/" /usr/share/opensearch/config/jvm.options && \ 34 | sed -i "s/^[0-9][0-9]*\(-:-XX:\(+UseG1GC\|G1ReservePercent\|InitiatingHeapOccupancyPercent\)\)/$($OPENSEARCH_JAVA_HOME/bin/java -version 2>&1 | grep version | awk '{print $3}' | tr -d '\"' | cut -d. 
-f1)\1/" /usr/share/opensearch/config/jvm.options && \ 35 | sed -i '/^[[:space:]]*runOpensearch.*/i /usr/local/bin/jdk-cacerts-auto-import.sh || true' /usr/share/opensearch/opensearch-docker-entrypoint.sh && \ 36 | mkdir -p /var/local/ca-trust && \ 37 | chown --silent -R ${PUSER}:${PGROUP} /usr/share/opensearch /var/local/ca-trust && \ 38 | chmod 755 /usr/bin/tini /usr/local/bin/*.sh && \ 39 | yum clean all && \ 40 | rm -rf /var/cache/yum 41 | 42 | VOLUME ["/var/local/ca-trust"] 43 | 44 | ENTRYPOINT ["/usr/bin/tini", \ 45 | "--", \ 46 | "/usr/local/bin/docker-uid-gid-setup.sh"] 47 | 48 | CMD ["/usr/share/opensearch/opensearch-docker-entrypoint.sh"] 49 | -------------------------------------------------------------------------------- /opensearch/opensearch.yml: -------------------------------------------------------------------------------- 1 | --- 2 | cluster.name: docker-cluster 3 | network.host: 0.0.0.0 4 | node.roles: [] 5 | 6 | plugins.security.ssl.http.enabled: true 7 | plugins.security.ssl.http.pemcert_filepath: node.pem 8 | plugins.security.ssl.http.pemkey_filepath: node-key.pem 9 | plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem 
# NOTE(review): hostname verification is off for the transport layer (and resolve_hostname below is false), so any
# certificate chaining to root-ca.pem is accepted from a peer; plugins.security.nodes_dn is then the only peer
# identity check. Fine for a single node behind the compose network, but revisit before clustering across hosts.
10 | plugins.security.ssl.transport.enforce_hostname_verification: false 11 | plugins.security.ssl.transport.pemcert_filepath: node.pem 12 | plugins.security.ssl.transport.pemkey_filepath: node-key.pem 13 | plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem 14 | plugins.security.ssl.transport.resolve_hostname: false 15 | 16 | plugins.security.authcz.admin_dn: 17 | - 'CN=admin,OU=Testing,O=Development,L=Rexburg,ST=IDAHO,C=US' 18 | 19 | plugins.security.nodes_dn: 20 | - 'CN=node*.dns.a-record,OU=Testing,O=Development,L=Rexburg,ST=IDAHO,C=US' 21 | 22 | plugins.security.audit.type: internal_opensearch -------------------------------------------------------------------------------- /opensearch/security-admin-docker-compose.sh: -------------------------------------------------------------------------------- 1 
| #!/bin/bash 2 | 3 | if [ -z "$BASH_VERSION" ]; then 4 | echo "Wrong interpreter, please run \"$0\" with bash" 5 | exit 1 6 | fi 7 | 8 | set -e 9 | 
# ENCODING and RUN_PATH are assigned but never used in this script
10 | ENCODING="utf-8" 11 | 12 | RUN_PATH="$(pwd)" 13 | [[ "$(uname -s)" = 'Darwin' ]] && REALPATH=grealpath || REALPATH=realpath 14 | [[ "$(uname -s)" = 'Darwin' ]] && DIRNAME=gdirname || DIRNAME=dirname 15 | if ! (type "$REALPATH" && type "$DIRNAME") > /dev/null; then 16 | echo "$(basename "${BASH_SOURCE[0]}") requires $REALPATH and $DIRNAME" 17 | exit 1 18 | fi 
# the inner $($REALPATH ...) is unquoted, so a script path containing whitespace would be word-split here
19 | SCRIPT_PATH="$($DIRNAME $($REALPATH -e "${BASH_SOURCE[0]}"))" 20 | pushd "$SCRIPT_PATH" >/dev/null 2>&1 21 | 
# Pushes the security-plugin YAML under opensearch-security/ into the running opensearch-node1 container's security
# index, authenticating with the admin client certificate.
# NOTE(review): -icl ignores the cluster name and -nhnv skips hostname verification of the node certificate. Against
# the local compose node that is tolerable (the session is still authenticated by root-ca.pem and the admin cert),
# but keep both flags out of any variant of this script pointed at a remote cluster.
22 | ${CONTAINER_ENGINE:-docker} compose exec opensearch-node1 /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \ 23 | -cd /usr/share/opensearch/config/opensearch-security/ \ 24 | -icl -nhnv \ 25 | -cacert /usr/share/opensearch/config/root-ca.pem \ 26 | -cert /usr/share/opensearch/config/admin.pem \ 27 | -key /usr/share/opensearch/config/admin-key.pem 28 | 29 | popd >/dev/null 2>&1 -------------------------------------------------------------------------------- /opensearch/security/.gitignore: -------------------------------------------------------------------------------- 1 | config.yml 2 | -------------------------------------------------------------------------------- /opensearch/security/action_groups.yml: -------------------------------------------------------------------------------- 1 | _meta: 2 | type: "actiongroups" 3 | config_version: 2 4 | -------------------------------------------------------------------------------- /opensearch/security/audit.yml: -------------------------------------------------------------------------------- 1 | _meta: 2 | type: "audit" 3 | config_version: 2 4 | 5 | config: 6 | # enable/disable audit logging 
# NOTE(review): audit logging is switched off here, so none of the REST/transport/compliance settings that follow
# take effect. For anything beyond a throwaway lab node, enable it so failed logins, privilege grants and config
# changes are recorded — it is the only built-in trail for who did what against the cluster.
7 | enabled: false 8 | 9 | audit: 10 | # Enable/disable REST API auditing 11 | enable_rest: true 12 | 13 | # Categories to exclude from REST API auditing 14 | disabled_rest_categories: 15 
| - AUTHENTICATED 16 | - GRANTED_PRIVILEGES 17 | 18 | # Enable/disable Transport API auditing 19 | enable_transport: true 20 | 21 | # Categories to exclude from Transport API auditing 22 | disabled_transport_categories: 23 | - AUTHENTICATED 24 | - GRANTED_PRIVILEGES 25 | 26 | # Users to be excluded from auditing. Wildcard patterns are supported. Eg: 27 | # ignore_users: ["test-user", "employee-*"] 28 | ignore_users: 29 | - kibanaserver 30 | 31 | # Requests to be excluded from auditing. Wildcard patterns are supported. Eg: 32 | # ignore_requests: ["indices:data/read/*", "SearchRequest"] 33 | ignore_requests: [] 34 | 35 | # Log individual operations in a bulk request 36 | resolve_bulk_requests: false 37 | 38 | # Include the body of the request (if available) for both REST and the transport layer 39 | log_request_body: true 40 | 41 | # Logs all indices affected by a request. Resolves aliases and wildcards/date patterns 42 | resolve_indices: true 43 | 44 | # Exclude sensitive headers from being included in the logs. Eg: Authorization 45 | exclude_sensitive_headers: true 46 | 47 | compliance: 48 | # enable/disable compliance 49 | enabled: true 50 | 51 | # Log updates to internal security changes 52 | internal_config: true 53 | 54 | # Log external config files for the node 55 | external_config: false 56 | 57 | # Log only metadata of the document for read events 58 | read_metadata_only: true 59 | 60 | # Map of indexes and fields to monitor for read events. Wildcard patterns are supported for both index names and fields. Eg: 61 | # read_watched_fields: { 62 | # "twitter": ["message"] 63 | # "logs-*": ["id", "attr*"] 64 | # } 65 | read_watched_fields: {} 66 | 67 | # List of users to ignore for read events. Wildcard patterns are supported. 
Eg: 68 | # read_ignore_users: ["test-user", "employee-*"] 69 | read_ignore_users: 70 | - kibanaserver 71 | 72 | # Log only metadata of the document for write events 73 | write_metadata_only: true 74 | 75 | # Log only diffs for document updates 76 | write_log_diffs: false 77 | 78 | # List of indices to watch for write events. Wildcard patterns are supported 79 | # write_watched_indices: ["twitter", "logs-*"] 80 | write_watched_indices: [] 81 | 82 | # List of users to ignore for write events. Wildcard patterns are supported. Eg: 83 | # write_ignore_users: ["test-user", "employee-*"] 84 | write_ignore_users: 85 | - kibanaserver 86 | -------------------------------------------------------------------------------- /opensearch/security/config.yml.example: -------------------------------------------------------------------------------- 1 | --- 2 | _meta: 3 | type: "config" 4 | config_version: 2 5 | 6 | config: 7 | dynamic: 8 | http: 9 | anonymous_auth_enabled: false 10 | authc: 11 | internal_auth: 12 | order: 0 13 | description: "HTTP basic authentication using the internal user database" 14 | http_enabled: true 15 | transport_enabled: true 16 | http_authenticator: 17 | type: basic 18 | challenge: false 19 | authentication_backend: 20 | type: internal 21 | ldap_auth: 22 | order: 1 23 | description: "Authenticate using LDAP" 24 | http_enabled: true 25 | transport_enabled: true 26 | http_authenticator: 27 | type: basic 28 | challenge: false 29 | authentication_backend: 30 | type: ldap 31 | config: 32 | enable_ssl: true 33 | enable_start_tls: false 34 | enable_ssl_client_auth: false 35 | verify_hostnames: false 36 | pemtrustedcas_filepath: /usr/share/opensearch/config/root-ca.pem 37 | hosts: 38 | - 192.168.10.123:6360 39 | bind_dn: uid=bind,ou=people,dc=example,dc=org 40 | password: "p@55w0rd" 41 | userbase: ou=people,dc=example,dc=org 42 | usersearch: (uid={0}) 43 | username_attribute: uid 44 | authz: 45 | ldap_roles: 46 | description: "Authorize using LDAP" 47 | 
http_enabled: true 48 | transport_enabled: true 49 | authorization_backend: 50 | type: ldap 51 | config: 52 | enable_ssl: true 53 | enable_start_tls: false 54 | enable_ssl_client_auth: false 55 | verify_hostnames: false 56 | pemtrustedcas_filepath: /usr/share/opensearch/config/root-ca.pem 57 | hosts: 58 | - 192.168.10.123:6360 59 | bind_dn: uid=bind,ou=people,dc=example,dc=org 60 | password: "p@55w0rd" 61 | userbase: ou=people,dc=example,dc=org 62 | usersearch: (uid={0}) 63 | username_attribute: uid 64 | rolebase: ou=groups,dc=example,dc=org 65 | rolesearch: (member={0}) 66 | userroleattribute: null 67 | userrolename: disabled 68 | rolename: cn 69 | resolve_nested_roles: false 70 | skip_users: 71 | - admin 72 | - kibanaserver 73 | -------------------------------------------------------------------------------- /opensearch/security/internal_users.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # This is the internal user database 3 | # The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh 4 | 5 | _meta: 6 | type: "internalusers" 7 | config_version: 2 8 | 9 | admin: 10 | hash: "$2y$12$qi5zOIrpHaDn.iNck9YXXuq.05DLu9TCTn7MpQ0hdiqLCmYmE/U0W" 11 | reserved: true 12 | backend_roles: 13 | - "administrators" 14 | description: "Demo admin user" 15 | 16 | kibanaserver: 17 | hash: "$2y$12$qf.ha.L9eGbg18PWpyw6mualIwuvH5UP21yWWmsPJVaHpp3yU5hee" 18 | reserved: true 19 | description: "Demo kibanaserver user" 20 | -------------------------------------------------------------------------------- /opensearch/security/roles_mapping.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | _meta: 4 | type: "rolesmapping" 5 | config_version: 2 6 | 7 | all_access: 8 | reserved: false 9 | backend_roles: 10 | - "administrators" 11 | # uncomment this for TESTING ONLY to give all users all access (don't be stupid, though) 12 | # users: 13 | # - "*" 14 | description: "Maps 
administrators to all_access" 15 | 16 | own_index: 17 | reserved: false 18 | users: 19 | - "*" 20 | description: "Allow full access to an index named like the username" 21 | 22 | kibana_user: 23 | reserved: false 24 | backend_roles: 25 | - "kibanauser" 26 | - "developers" 27 | - "service" 28 | 29 | readall: 30 | reserved: false 31 | backend_roles: 32 | - "readall" 33 | - "developers" 34 | - "service" 35 | 36 | manage_snapshots: 37 | reserved: false 38 | backend_roles: 39 | - "snapshotrestore" 40 | - "developers" 41 | - "service" 42 | 43 | kibana_server: 44 | reserved: true 45 | users: 46 | - "kibanaserver" 47 | -------------------------------------------------------------------------------- /opensearch/security/tenants.yml: -------------------------------------------------------------------------------- 1 | --- 2 | _meta: 3 | type: "tenants" 4 | config_version: 2 5 | -------------------------------------------------------------------------------- /opensearch/shared-objects/templates/ecs_template.json: -------------------------------------------------------------------------------- 1 | { 2 | "index_patterns" : ["ecs-*"], 3 | "priority": 500, 4 | "composed_of": [ 5 | "ecs_agent", 6 | "ecs_base", 7 | "ecs_client", 8 | "ecs_cloud", 9 | "ecs_container", 10 | "ecs_data_stream", 11 | "ecs_destination", 12 | "ecs_device", 13 | "ecs_dll", 14 | "ecs_dns", 15 | "ecs_ecs", 16 | "ecs_email", 17 | "ecs_error", 18 | "ecs_event", 19 | "ecs_faas", 20 | "ecs_file", 21 | "ecs_group", 22 | "ecs_host", 23 | "ecs_http", 24 | "ecs_log", 25 | "ecs_network", 26 | "ecs_observer", 27 | "ecs_orchestrator", 28 | "ecs_organization", 29 | "ecs_package", 30 | "ecs_process", 31 | "ecs_registry", 32 | "ecs_related", 33 | "ecs_rule", 34 | "ecs_server", 35 | "ecs_service", 36 | "ecs_source", 37 | "ecs_threat", 38 | "ecs_tls", 39 | "ecs_tracing", 40 | "ecs_url", 41 | "ecs_user", 42 | "ecs_user_agent", 43 | "ecs_volume", 44 | "ecs_vulnerability" 45 | ], 46 | "template" :{ 47 | "settings" : { 48 | 
"index" : { 49 | "mapping.total_fields.limit" : "3000", 50 | "mapping.nested_fields.limit" : "250", 51 | "max_docvalue_fields_search" : "200" 52 | } 53 | } 54 | } 55 | } 56 | -------------------------------------------------------------------------------- /owntracks/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mmguero/docker/40f67f3606171c50156b4e7de4d3b47145e4b150/owntracks/.gitignore -------------------------------------------------------------------------------- /owntracks/config/recorder.conf: -------------------------------------------------------------------------------- 1 | #(@)ot-recorder.default 2 | # 3 | # Specify global configuration options for the OwnTracks Recorder 4 | # and its associated utilities to override compiled-in defaults. 5 | 6 | OTR_TOPICS = "owntracks/#" 7 | 8 | # Binding on 0.0.0.0 will listen on IPv4 only 9 | # Binding on [::] will listen on IPv4 and IPv6 10 | OTR_HTTPHOST = "0.0.0.0" 11 | # OTR_HTTPHOST = "[::]" 12 | 13 | # CA data for MQTT client 14 | # OTR_CAPATH = "/config" 15 | # OTR_CAFILE = "ca.pem" 16 | 17 | # Server Certificate for builtin HTTPS server 18 | # OTR_CERTFILE = "cert.pem" 19 | # OTR_KEYFILE = "key.pem" 20 | -------------------------------------------------------------------------------- /owntracks/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | owntracks: 3 | image: owntracks/recorder:latest 4 | container_name: owntracks 5 | hostname: owntracks 6 | restart: "no" 7 | environment: 8 | OTR_PORT : '0' 9 | networks: 10 | - default 11 | # ports: 12 | # - "127.0.0.1:8083:8083" 13 | volumes: 14 | - /etc/localtime:/etc/localtime:ro 15 | - ./config:/config:rw 16 | - ./store:/store:rw 17 | 18 | networks: 19 | default: 20 | external: false 21 | -------------------------------------------------------------------------------- /owntracks/store/.gitignore: 
-------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | 4 | -------------------------------------------------------------------------------- /pihole-dnscrypt-proxy/docker-compose.yml: -------------------------------------------------------------------------------- 1 | networks: 2 | pihole_net: 3 | driver: bridge 4 | ipam: 5 | config: 6 | - subnet: "172.18.0.0/24" 7 | # - subnet: "fd00::/64" 8 | 9 | services: 10 | dnscrypt-proxy: 11 | container_name: dnscrypt-proxy 12 | image: klutchell/dnscrypt-proxy:main 13 | user: nobody 14 | environment: 15 | TZ: 'America/Denver' 16 | networks: 17 | pihole_net: 18 | ipv4_address: "172.18.0.2" 19 | # ipv6_address: "fd00::2" 20 | expose: 21 | - "53/udp" 22 | - "53/tcp" 23 | volumes: 24 | # - "./dnscrypt-proxy/config/dnscrypt-proxy.toml:/config/dnscrypt-proxy.toml:ro" 25 | - "./dnscrypt-proxy/config/dnscrypt-proxy-ipv4-only.toml:/config/dnscrypt-proxy.toml:ro" 26 | restart: always 27 | healthcheck: 28 | test: ["CMD", "dnsprobe", "google.com", "127.0.0.1:53"] 29 | interval: 720s 30 | timeout: 5s 31 | retries: 2 32 | start_period: 30s 33 | 34 | pihole: 35 | container_name: pihole 36 | image: pihole/pihole:latest 37 | networks: 38 | pihole_net: 39 | ipv4_address: "172.18.0.3" 40 | # ipv6_address: "fd00::3" 41 | ports: 42 | # include any other IPs here as well (for VPN interfaces, etc.) 
43 | - "53:53/tcp" 44 | - "53:53/udp" 45 | # - "80:80/tcp" 46 | # - "443:443/tcp" 47 | environment: 48 | TZ: 'America/Denver' 49 | WEBPASSWORD: 'password' 50 | DNS1: "172.18.0.2#53" 51 | DNS2: "no" 52 | # DNS_FQDN_REQUIRED: 'false' 53 | # DNS_BOGUS_PRIV: 'false' 54 | # ServerIP: '192.168.0.216' 55 | DNSMASQ_LISTENING: 'all' 56 | DHCP_ACTIVE: 'false' 57 | RATE_LIMIT: '0/0' 58 | volumes: 59 | - './pihole/etc/pihole/:/etc/pihole/' 60 | - './pihole/etc/dnsmasq.d/:/etc/dnsmasq.d/' 61 | # run `touch ./pihole/var/log/pihole.log` and `touch ./pihole/var/log/FTL.log` first unless you like errors 62 | - './pihole/var/log/:/var/log/pihole/' 63 | dns: 64 | - 1.1.1.1 65 | restart: always 66 | depends_on: 67 | - dnscrypt-proxy -------------------------------------------------------------------------------- /pihole-dnscrypt-proxy/pihole/etc/dnsmasq.d/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | -------------------------------------------------------------------------------- /pihole-dnscrypt-proxy/pihole/etc/pihole/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | -------------------------------------------------------------------------------- /pihole-dnscrypt-proxy/pihole/etc/pihole/custom.list: -------------------------------------------------------------------------------- 1 | # custom.list is in canonical hosts format (see http://man7.org/linux/man-pages/man5/hosts.5.html) 2 | 3 | # 192.168.1.10 foo.example.org foo 4 | -------------------------------------------------------------------------------- /pihole-dnscrypt-proxy/pihole/var/log/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | -------------------------------------------------------------------------------- /pihole/docker-compose.yml: 
-------------------------------------------------------------------------------- 1 | services: 2 | dnscrypt: 3 | container_name: dnscrypt-proxy 
# NOTE(review): both images are pulled at :latest, so a redeploy can silently change the resolver stack; pin a
# version or digest for reproducible, reviewable upgrades.
4 | image: klutchell/dnscrypt-proxy:latest 5 | networks: 6 | pihole_net: 7 | ipv4_address: 172.25.0.2 8 | expose: 9 | - "5300/udp" 10 | - "5300/tcp" 11 | environment: 12 | TZ: 'America/Denver' 13 | volumes: 14 | - './etc-dnscrypt-proxy:/config' 15 | dns: 16 | - 1.1.1.1 17 | restart: always 18 | 19 | pihole: 20 | container_name: pihole 21 | image: pihole/pihole:latest 22 | networks: 23 | pihole_net: 24 | ipv4_address: 172.25.0.3 25 | ports: 26 | # include any other IPs here as well (for VPN interfaces, etc.) 
# NOTE(review): with no host address these bind on every interface of the host, and DNSMASQ_LISTENING 'all' plus
# RATE_LIMIT '0/0' below mean the resolver answers anyone who can reach it without throttling — on a host with a
# public interface that is an open resolver, a classic amplification source. Bind to the LAN/VPN addresses
# instead (e.g. "192.168.0.216:53:53/udp", matching the commented ServerIP), and keep a non-zero rate limit.
# The same pattern appears in pihole-dnscrypt-proxy/docker-compose.yml and pihole/podman-compose.yml.
27 | - "53:53/tcp" 28 | - "53:53/udp" 29 | # - "80:80/tcp" 30 | # - "443:443/tcp" 31 | environment: 32 | TZ: 'America/Denver' 
# NOTE(review): placeholder admin password for the web UI; set a real value (ideally via env_file) before
# uncommenting the 80/443 port mappings above.
33 | WEBPASSWORD: 'password' 34 | DNS1: "172.25.0.2#5300" 35 | DNS2: "no" 36 | # DNS_FQDN_REQUIRED: 'false' 37 | # DNS_BOGUS_PRIV: 'false' 38 | # ServerIP: '192.168.0.216' 39 | DNSMASQ_LISTENING: 'all' 40 | DHCP_ACTIVE: 'false' 41 | RATE_LIMIT: '0/0' 42 | volumes: 43 | - './etc-pihole/:/etc/pihole/' 44 | - './etc-dnsmasq.d/:/etc/dnsmasq.d/' 45 | # run `touch ./var-log/pihole.log` and `touch ./var-log/FTL.log` first unless you like errors 46 | - './var-log/:/var/log/pihole/' 47 | dns: 48 | - 1.1.1.1 49 | restart: always 50 | depends_on: 51 | - dnscrypt 52 | 53 | networks: 54 | pihole_net: 55 | driver: bridge 56 | ipam: 57 | config: 58 | - subnet: 172.25.0.0/24 59 | -------------------------------------------------------------------------------- /pihole/etc-dnsmasq.d/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | -------------------------------------------------------------------------------- /pihole/etc-dnsmasq.d/03-custom-dns.conf: -------------------------------------------------------------------------------- 1 | # wildcard match for example.org and *.example.org 2 | # address=/example.org/192.168.123.45 3 | 
--------------------------------------------------------------------------------
/pihole/etc-pihole/.gitignore:
--------------------------------------------------------------------------------
*
!.gitignore
--------------------------------------------------------------------------------
/pihole/etc-pihole/custom.list:
--------------------------------------------------------------------------------
# custom.list is in canonical hosts format (see http://man7.org/linux/man-pages/man5/hosts.5.html)

# 192.168.1.10 foo.example.org foo

--------------------------------------------------------------------------------
/pihole/podman-compose.yml:
--------------------------------------------------------------------------------
services:
  dnscrypt:
    container_name: dnscrypt-proxy
    image: klutchell/dnscrypt-proxy:latest
    networks:
      pihole_net:
        ipv4_address: 172.25.0.2
    expose:
      - "5300/udp"
      - "5300/tcp"
    # NET_ADMIN is broader than binding an unprivileged port needs; presumably added for the
    # podman/rootless case — TODO confirm the container still starts without it and drop it if so
    cap_add:
      - NET_ADMIN
    environment:
      TZ: 'America/Denver'
    # label:disable turns SELinux labeling off for the whole container; relabeling only the bind
    # mounts with a :z/:Z volume suffix keeps the host/container separation intact
    security_opt:
      - label:disable
    volumes:
      - './etc-dnscrypt-proxy:/config'
    dns:
      - 1.1.1.1
    restart: always

  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    networks:
      pihole_net:
        ipv4_address: 172.25.0.3
    ports:
      # include any other IPs here as well (for VPN interfaces, etc.)
      # no host address on "53:53" publishes the resolver on every host interface; with
      # DNSMASQ_LISTENING 'all' and RATE_LIMIT '0/0' that is an unmetered open resolver for
      # anyone who can reach the host — bind to a specific LAN address unless a firewall
      # already restricts port 53
      - "53:53/tcp"
      - "53:53/udp"
      # - "80:80/tcp"
      # - "443:443/tcp"
    cap_add:
      - NET_ADMIN
    environment:
      TZ: 'America/Denver'
      # placeholder web-UI admin password: change it before deploying
      WEBPASSWORD: 'password'
      DNS1: "172.25.0.2#5300"
      DNS2: "no"
      DNSMASQ_LISTENING: 'all'
      DHCP_ACTIVE: 'false'
      # '0/0' disables FTL's per-client rate limiting
      RATE_LIMIT: '0/0'
    security_opt:
      - label:disable
    volumes:
      - './etc-pihole/:/etc/pihole/'
      - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
      # run `touch ./var-log/pihole.log` and `touch ./var-log/FTL.log` first unless you like errors
      - './var-log/:/var/log/pihole/'
    dns:
      - 1.1.1.1
    restart: always
    depends_on:
      - dnscrypt

networks:
  # podman network create --driver=bridge --subnet 172.25.0.0/24 pihole_net
  pihole_net:
    name: pihole_net
    external: true

--------------------------------------------------------------------------------
/pihole/var-log/.gitignore:
--------------------------------------------------------------------------------
*
!.gitignore
--------------------------------------------------------------------------------
/podgrab/config/.gitignore:
--------------------------------------------------------------------------------
*
!.gitignore


--------------------------------------------------------------------------------
/podgrab/data/.gitignore:
--------------------------------------------------------------------------------
*
!.gitignore


--------------------------------------------------------------------------------
/podgrab/docker-compose.yml:
--------------------------------------------------------------------------------
services:
  podgrab:
    image: akhilrex/podgrab:latest
    container_name: podgrab
    restart: unless-stopped
    # no-new-privileges plus a fixed non-root uid: the process cannot escalate through setuid binaries
    security_opt:
      - no-new-privileges
    user: "1000:1000"
    environment:
      - CHECK_FREQUENCY=180
    volumes:
      - ./config:/config
      - ./data:/assets
    networks:
      - podgrab
    expose:
      - 8080
    ports:
      # loopback-only publish: the UI is reachable from the host (or a reverse proxy on it), not from the LAN
      - "127.0.0.1:8080:8080"
    #labels:
    #  - "traefik.enable=true"
    #  - "traefik.http.routers.podgrab.rule=Host(`podgrab.example.org`)"
    #  - "traefik.http.routers.podgrab.entrypoints=websecure"
    #  - "traefik.http.routers.podgrab.tls.certresolver=myresolver"
    #  - "traefik.http.services.podgrab.loadbalancer.server.port=8080"

networks:
  podgrab:
    external: false
    # name: traefik-proxy

--------------------------------------------------------------------------------
/podman-specific/traefik-podman/certs/.gitignore:
--------------------------------------------------------------------------------
*
!.gitignore


--------------------------------------------------------------------------------
/podman-specific/traefik-podman/docker-compose.yml:
--------------------------------------------------------------------------------
services:

  traefik:
    image: "traefik:latest"
    container_name: "traefik"
    command:
      # --api.insecure=true serves the dashboard/API unauthenticated on :8080; that port is not
      # in `ports` below, so only peers on the shared `podman` network can reach it — keep it
      # that way, or switch to --api.dashboard=true behind an authenticated router
      - "--api.insecure=true"
      # no docker-socket access: routes come only from the file provider directory below
      - "--providers.docker=false"
      - "--providers.file=true"
      - "--providers.file.directory=/etc/traefik/sites-enabled"
      - "--providers.file.watch=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
      - "--entrypoints.websecure.address=:443"
      # - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      # - "--certificatesresolvers.myresolver.acme.caserver=https://ca.example.org:9000/acme/acme/directory"
      - "--certificatesresolvers.myresolver.acme.email=user@example.org"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
    networks:
      - default
    volumes:
      # acme.json holds the ACME account key and issued private keys; keep ./letsencrypt
      # owner-only (0700/0600) on the host
      - "./letsencrypt:/letsencrypt:rw"
      - "./certs:/etc/ssl/certs:ro"
      - "./rules:/etc/traefik/sites-enabled:ro"

  whoami:
    image: "traefik/whoami:latest"
    container_name: "whoami"
    expose:
      - 80
    networks:
      - default

networks:
  default:
    external:
      name: podman

--------------------------------------------------------------------------------
/podman-specific/traefik-podman/letsencrypt/.gitignore:
--------------------------------------------------------------------------------
*
!.gitignore


--------------------------------------------------------------------------------
/podman-specific/traefik-podman/rules/web.toml:
--------------------------------------------------------------------------------
[http.routers]

[http.routers.web]
rule = "Host(`web.example.org`)"
entrypoints = ["websecure"]
service = "web"
[http.routers.web.tls]
certResolver = "myresolver"

[http.services]

[http.services.web.loadBalancer]
[[http.services.web.loadBalancer.servers]]
# TLS terminates at traefik; this hop to the host is plain HTTP, which is fine while both
# ends stay on the same machine
url = "http://host.containers.internal:9443"

--------------------------------------------------------------------------------
/podman-specific/traefik-podman/rules/whoami.toml:
--------------------------------------------------------------------------------
[http.routers]

[http.routers.whoami]
rule = "Host(`whoami.example.org`)"
entrypoints = ["websecure"]
service = "whoami"
[http.routers.whoami.tls]
certResolver = "myresolver"

[http.services]

[http.services.whoami.loadBalancer]
[[http.services.whoami.loadBalancer.servers]]
url = "http://whoami:80"

--------------------------------------------------------------------------------
/podman-specific/traefik-podman/traefik-podman.service:
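--------------------------------------------------------------------------------
[Unit]
AssertPathExists=/run/user/%U/podman/podman.sock
AssertPathExists=%h/services/traefik-podman
After=network.target

[Service]
WorkingDirectory=%h/services/traefik-podman
# docker-compose talks to the rootless podman socket of the invoking user (%U)
Environment="DOCKER_HOST=unix:///run/user/%U/podman/podman.sock"
ExecStart=docker-compose -f docker-compose.yml up --no-color --abort-on-container-exit
ExecStop=docker-compose -f docker-compose.yml down
Restart=always

[Install]
WantedBy=default.target

--------------------------------------------------------------------------------
/postgres/.dockerignore:
--------------------------------------------------------------------------------
.env
data
--------------------------------------------------------------------------------
/postgres/.env.example:
--------------------------------------------------------------------------------
PUID=1000
PGID=1000

PGPORT=5432

POSTGRES_DB=postgres
POSTGRES_USER=postgres
POSTGRES_PASSWORD=xxxxxxxxxxxxxxxx

# POSTGRES_FOOBAR_DB=foobar
# POSTGRES_FOOBAR_USER=foobar
# POSTGRES_FOOBAR_PASSWORD=xxxxxxxxxxxxxxxx

--------------------------------------------------------------------------------
/postgres/.gitignore:
--------------------------------------------------------------------------------
.env
data
--------------------------------------------------------------------------------
/postgres/Dockerfile:
--------------------------------------------------------------------------------
FROM postgres:17-alpine

LABEL maintainer="mero.mero.guero@gmail.com"
LABEL org.opencontainers.image.authors='mero.mero.guero@gmail.com'
LABEL org.opencontainers.image.url='https://github.com/mmguero/docker'
LABEL org.opencontainers.image.source='https://github.com/mmguero/docker'
LABEL org.opencontainers.image.title='oci.guero.org/postgres'
LABEL org.opencontainers.image.description='Dockerized PostgreSQL'

# uid/gid the uid-gid-setup wrapper switches to; PUSER_PRIV_DROP=true keeps the privilege
# drop enabled (the sed in the RUN step below presumably makes the upstream entrypoint's
# root->postgres switch conditional on it — confirm against docker-entrypoint.sh)
ARG DEFAULT_UID=1000
ARG DEFAULT_GID=1000
ENV DEFAULT_UID=$DEFAULT_UID
ENV DEFAULT_GID=$DEFAULT_GID
ENV PUSER="postgres"
ENV PGROUP="postgres"
ENV PUSER_PRIV_DROP=true
ENV PUSER_CHOWN="/run/postgresql;/var/lib/postgresql"
USER root

ENV TERM=xterm

# supply-chain note: this fetches an unpinned script from the master branch at build time, so
# the image content depends on whatever that URL serves; pin the URL to a commit and verify it
# with `ADD --checksum=sha256:<expected-digest>` once the digest is known
ADD --chmod=755 https://raw.githubusercontent.com/mmguero/docker/master/shared/docker-uid-gid-setup.sh /usr/bin/docker-uid-gid-setup.sh
ADD --chmod=755 scripts/docker-entrypoint-initdb.d/*.sh /docker-entrypoint-initdb.d/
ADD --chmod=755 scripts/docker-entrypoint-startdb.d/*.sh /docker-entrypoint-startdb.d/
ADD --chmod=755 scripts/*.sh /usr/bin/

# merges /usr/local/{bin,share,lib} into /usr and leaves symlinks behind, so upstream's
# /usr/local/bin scripts and the helpers installed above share one directory
RUN apk update --no-cache && \
    apk upgrade --no-cache && \
    apk add --no-cache bash jq procps psmisc shadow tini && \
    apk add --no-cache --virtual .build-deps rsync && \
    rsync -a --no-o --no-g --no-perms /usr/local/bin/ /usr/bin/ && \
    rsync -a --no-o --no-g --no-perms /usr/local/share/ /usr/share/ && \
    rsync -a --no-o --no-g --no-perms /usr/local/lib/ /usr/lib/ && \
    rm -rf /usr/local/bin /usr/local/share /usr/local/lib && \
    ln -s /usr/bin /usr/local/bin && \
    ln -s /usr/share /usr/local/share && \
    ln -s /usr/lib /usr/local/lib && \
    apk del .build-deps && \
    chmod 00775 /var/lib/postgresql /var/lib/postgresql/data /run/postgresql && \
    sed -i 's/\(if.*id[[:space:]]-u.*\);/\1 \&\& [ "${PUSER_PRIV_DROP:-true}" != "false" ];/' /usr/local/bin/docker-entrypoint.sh


# only the last ENTRYPOINT in a Dockerfile takes effect; keep exactly one here
ENTRYPOINT ["/sbin/tini", \
            "--", \
            "/usr/bin/docker-uid-gid-setup.sh", \
            "/usr/bin/docker-entrypoint-startdb.sh"]

CMD ["/usr/bin/docker-entrypoint.sh", "postgres"]

--------------------------------------------------------------------------------
/postgres/docker-compose.yml: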
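--------------------------------------------------------------------------------
services:
  postgres:
    build:
      context: .
      dockerfile: Dockerfile
    image: oci.guero.org/postgres:17-alpine
    # userns_mode: keep-id
    # credentials (POSTGRES_PASSWORD etc.) come from the git-ignored .env, never from this file
    env_file:
      - .env
    volumes:
      # create_host_path: false makes compose fail loudly if ./data is missing instead of
      # silently creating a root-owned directory
      - type: bind
        bind:
          create_host_path: false
        source: ./data
        target: /var/lib/postgresql/data
    networks:
      - default
    # ports:
    #   - "127.0.0.1:5432:5432"
    expose:
      - 5432
    restart: unless-stopped
    healthcheck:
      # the script is installed from scripts/container-health.sh (hyphen) by the Dockerfile's
      # `ADD scripts/*.sh /usr/bin/` (with /usr/local/bin symlinked to /usr/bin); the previous
      # underscore spelling named a file that does not exist, so the check could never pass
      test: ["CMD", "/usr/local/bin/container-health.sh"]
      interval: 60s
      timeout: 15s
      retries: 3
      start_period: 45s

networks:
  default:
    external: false

--------------------------------------------------------------------------------
/postgres/scripts/container-health.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

set -euo pipefail

# check if postgres is ready and responding
# (with -u, an unset POSTGRES_DB/POSTGRES_USER also fails the check, which is the right
# outcome for a misconfigured container)
pg_isready -d "${POSTGRES_DB}" -U "${POSTGRES_USER}" >/dev/null 2>&1 || exit 1

--------------------------------------------------------------------------------
/postgres/scripts/docker-entrypoint-initdb.d/noop.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# this file is just a placeholder

exit 0
--------------------------------------------------------------------------------
/postgres/scripts/docker-entrypoint-startdb.d/init-db-from-env.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# This script looks at the environment variables named:
# - POSTGRES_XXX_DB
# - POSTGRES_XXX_USER
# - POSTGRES_XXX_PASSWORD
# And, if it finds all three variables where XXX is the same value (e.g.)
# NETBOX, KEYCLOAK, FOOBAR, etc.) it will create the corresponding user/password and
# database and grant that user permissions for that database. It's also
# granting default public schema privileges to the users created.

MAIN_DB=${POSTGRES_DB:-postgres}
MAIN_USER=${POSTGRES_USER:-postgres}

declare -A POSTGRES_DB
declare -A POSTGRES_USER
declare -A POSTGRES_PASSWORD

# read the environment one line at a time: the former `for var in $(env)` split on
# whitespace, so a password containing a space was truncated to its first word
while IFS= read -r var; do
  if [[ "$var" =~ ^POSTGRES_([A-Za-z0-9_]+)_(DB|USER|PASSWORD)=(.*) ]]; then
    base="${BASH_REMATCH[1]}"
    type="${BASH_REMATCH[2]}"
    value="${BASH_REMATCH[3]}"
    if [[ "$type" == "DB" ]]; then
      POSTGRES_DB["$base"]="$value"
    elif [[ "$type" == "USER" ]]; then
      POSTGRES_USER["$base"]="$value"
    elif [[ "$type" == "PASSWORD" ]]; then
      POSTGRES_PASSWORD["$base"]="$value"
    fi
  fi
done < <(env)

TEMP_SQL=$(mktemp)
touch "$TEMP_SQL"
PSQL_VAR_ARGS=()
for base in "${!POSTGRES_DB[@]}"; do
  if [[ ${#base} -gt 1 ]] && [[ -n "${POSTGRES_USER[$base]}" ]] && [[ -n "${POSTGRES_PASSWORD[$base]}" ]]; then
    KEYNAME=$(echo "${base,,}")
    # credentials are handed to psql as -v variables rather than spliced into the SQL text
    PSQL_VAR_ARGS+=( -v )
    PSQL_VAR_ARGS+=( "${KEYNAME}user=${POSTGRES_USER[$base]}" )
    PSQL_VAR_ARGS+=( -v )
    PSQL_VAR_ARGS+=( "${KEYNAME}password=${POSTGRES_PASSWORD[$base]}" )
    PSQL_VAR_ARGS+=( -v )
    PSQL_VAR_ARGS+=( "${KEYNAME}db=${POSTGRES_DB[$base]}" )
    # NOTE(review): the listing is garbled from here — the heredoc body written to $TEMP_SQL,
    # the rest of this script and the start of the next one (presumably
    # docker-entrypoint-startdb.sh, which the Dockerfile ENTRYPOINT names) were lost in
    # extraction; the fragment below is the tail of that second script
    cat >> "$TEMP_SQL" </dev/null 2>&1; do
  sleep 1
done
[[ -d /docker-entrypoint-startdb.d ]] && docker_process_start_files /docker-entrypoint-startdb.d/*

# Wait for the background process to complete and exit with its exit code
wait $BACKGROUND_PID
EXIT_CODE=$?
exit $EXIT_CODE
--------------------------------------------------------------------------------
/redis/Dockerfile:
--------------------------------------------------------------------------------
FROM redis:7-alpine

ARG DEFAULT_UID=999
ARG DEFAULT_GID=1000
ENV DEFAULT_UID $DEFAULT_UID
ENV DEFAULT_GID $DEFAULT_GID
ENV PUSER "redis"
ENV PGROUP "redis"
ENV PUSER_PRIV_DROP true

ENV TERM xterm

# supply-chain note: unpinned script fetched from the master branch at build time; pin the URL
# to a commit and verify it with `ADD --checksum=sha256:<expected-digest>` once the digest is known
ADD https://raw.githubusercontent.com/mmguero/docker/master/shared/docker-uid-gid-setup.sh /usr/local/bin/docker-uid-gid-setup.sh

RUN apk update --no-cache && \
    apk upgrade --no-cache && \
    apk --no-cache add bash psmisc shadow tini && \
    chmod 755 /usr/local/bin/docker-uid-gid-setup.sh && \
    addgroup ${PUSER} tty

WORKDIR /home/${PUSER}

ENTRYPOINT [ "/sbin/tini", "--", "/usr/local/bin/docker-uid-gid-setup.sh" ]

--------------------------------------------------------------------------------
/rembg/rembg-docker.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# docker wrapper script for danielgatis/rembg (rembg i)
# https://github.com/danielgatis/rembg

IMAGE="${REMBG_IMAGE:-docker.io/danielgatis/rembg}"
ENGINE="${CONTAINER_ENGINE:-docker}"

ENCODING="utf-8"

while getopts vi:o: opts; do
  case ${opts} in
    v) set -x ;;
    i) IN_FILE=${OPTARG} ;;
    o) OUT_FILE=${OPTARG} ;;
  esac
done
shift "$(($OPTIND -1))"

if [[ -z "${IN_FILE}" ]] || [[ -z "${OUT_FILE}" ]] ; then
  echo "usage:" >&2
  echo " rembg-docker.sh -i -o [-- other rembg options]" >&2
  exit 1
elif [[ ! -f "${IN_FILE}" ]]; then
  echo "usage:" >&2
  echo " rembg-docker.sh -i -o [-- other rembg options]" >&2
  echo "" >&2
  echo "${IN_FILE} does not exist!" >&2
  exit 1
fi

# private scratch directory: only this directory (never the caller's cwd) is mounted into the container
TEMP_DIR=$(mktemp -d -t rembg.XXXXXXXXXX)

function finish {
  rm -rf "${TEMP_DIR}"
}
trap finish EXIT

IN_BASENAME="$(basename "${IN_FILE}")"
OUT_BASENAME="$(basename "${OUT_FILE}")"

cp "${IN_FILE}" "${TEMP_DIR}/"

# uid 0 for podman (presumably because rootless podman maps in-container root back to the
# invoking user), the real uid/gid for docker so the output file is not root-owned
# a failed run used to be ignored: the script then printed OUT_FILE and exited 0 even
# though nothing was produced, so the container's exit status is now propagated
"${ENGINE}" run --rm \
  -u $([[ "${ENGINE}" == "podman" ]] && echo 0 || id -u):$([[ "${ENGINE}" == "podman" ]] && echo 0 || id -g) \
  -v "${TEMP_DIR}:/data:rw" \
  "${IMAGE}" i "$@" "/data/${IN_BASENAME}" "/data/${OUT_BASENAME}" || exit $?

cp "${TEMP_DIR}/${OUT_BASENAME}" "${OUT_FILE}"

echo "${OUT_FILE}"

--------------------------------------------------------------------------------
/samba/docker-compose.yml:
--------------------------------------------------------------------------------
services:
  samba:
    image: dperson/samba:latest
    environment:
      TZ: 'America/Denver'
      USERID: 1000
      GROUPID: 1000
    # 0.0.0.0 binds publish SMB/NetBIOS on every host interface: fine for a LAN-only host,
    # otherwise restrict the host address (or firewall 137-139/445)
    ports:
      - "0.0.0.0:137:137/udp"
      - "0.0.0.0:138:138/udp"
      - "0.0.0.0:139:139/tcp"
      - "0.0.0.0:445:445/tcp"
    read_only: true
    tmpfs:
      - /tmp
    restart: "no"
    volumes:
      - /home/user/Public:/public:z
    # dperson/samba's -s fields are name;path;browse;readonly;guest;users: a browsable, writable
    # share open to guests, plus a throwaway `guest` account — only put data here that anyone on
    # the network may read and modify
    command: '-s "Public;/public;yes;no;yes;guest" -u "guest;guest" -p -r'

--------------------------------------------------------------------------------
/samba/samba-pod-kube-play.service:
--------------------------------------------------------------------------------
[Unit]
AssertPathExists=%h/services/share
After=network.target

[Service]
WorkingDirectory=%h/services/share
# NOTE(review): the manifest in this directory is samba-pod-kube-play.yaml; confirm it is
# deployed as samba-pod.yaml under %h/services/share or the unit will not find it
ExecStart=podman kube play --network="slirp4netns:port_handler=slirp4netns" --wait --replace samba-pod.yaml
ExecStop=podman kube play --down --force samba-pod.yaml
Restart=always

[Install]
WantedBy=default.target

--------------------------------------------------------------------------------
/samba/samba-pod-kube-play.yaml: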
--------------------------------------------------------------------------------
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: share-samba-1-pod
  name: share-samba-1-pod
spec:
  containers:
  - args:
    # guest-accessible, writable share (dperson/samba -s fields: name;path;browse;readonly;guest;users);
    # note the guest password here ("transfer") differs from the compose variant ("guest")
    - -s
    - Public;/public;yes;no;yes;guest
    - -u
    - guest;transfer
    - -p
    - -r
    env:
    # USERID/GROUPID "0" maps the share user to uid/gid 0 inside the container, unlike the
    # compose variant's 1000:1000 — presumably so files on the hostPath end up owned by the
    # invoking user under rootless podman; TODO confirm
    - name: GROUPID
      value: "0"
    - name: TZ
      value: America/Denver
    - name: USERID
      value: "0"
    image: docker.io/dperson/samba:latest
    name: share-samba-1
    # hostIP 0.0.0.0 publishes SMB/NetBIOS on every host interface
    ports:
    - containerPort: 139
      hostIP: 0.0.0.0
      hostPort: 139
    - containerPort: 445
      hostIP: 0.0.0.0
      hostPort: 445
    - containerPort: 137
      hostIP: 0.0.0.0
      hostPort: 137
      protocol: UDP
    - containerPort: 138
      hostIP: 0.0.0.0
      hostPort: 138
      protocol: UDP
    securityContext:
      readOnlyRootFilesystem: true
    # with a read-only root fs every path samba writes to is backed by a claim or tmpfs; the
    # /etc claim also persists the generated samba config across image updates — presumably
    # intended, but it means /etc is no longer refreshed by pulling a new image
    volumeMounts:
    - mountPath: /public
      name: home-user-Public-host-0
    - mountPath: /tmp
      name: tmp-1
    - mountPath: /var/lib/samba
      name: var-lib-samba-pvc
    - mountPath: /var/log/samba
      name: var-log-samba-pvc
    - mountPath: /etc
      name: etc-pvc
    - mountPath: /run/samba
      name: run-samba-pvc
    - mountPath: /var/cache/samba
      name: var-cache-samba-pvc
  volumes:
  - hostPath:
      path: /home/user/Public
      type: Directory
    name: home-user-Public-host-0
  - emptyDir:
      medium: Memory
    name: tmp-1
  - name: var-lib-samba-pvc
    persistentVolumeClaim:
      claimName: var-lib-samba
  - name: var-log-samba-pvc
    persistentVolumeClaim:
      claimName: var-log-samba
  - name: etc-pvc
    persistentVolumeClaim:
      claimName: etc
  - name: run-samba-pvc
    persistentVolumeClaim:
      claimName: run-samba
  - name: var-cache-samba-pvc
    persistentVolumeClaim:
      claimName: var-cache-samba


--------------------------------------------------------------------------------
/samba/samba.service:
--------------------------------------------------------------------------------
[Unit]
AssertPathExists=%h/services/share
After=network.target

[Service]
WorkingDirectory=%h/services/share
ExecStart=podman compose -f docker-compose.yml up --no-color --abort-on-container-exit
ExecStop=podman compose -f docker-compose.yml down
Restart=always

[Install]
WantedBy=default.target

--------------------------------------------------------------------------------
/serverless-registry-proxy/docker-compose.yml:
--------------------------------------------------------------------------------
# Serverless reverse proxy for exposing container registries (GCR, Docker Hub, Artifact Registry etc) on custom domains.
# https://github.com/ahmetb/serverless-registry-proxy
# https://cloud.google.com/blog/topics/developers-practitioners/hack-your-own-custom-domains-container-registry

services:
  serverless-registry-proxy:
    image: oci.guero.org/gcr-proxy:latest
    restart: unless-stopped
    container_name: serverless-registry-proxy
    # loopback-only: the plain-http proxy is presumably meant to sit behind a TLS-terminating
    # front end on this host
    ports:
      - "127.0.0.1:80:80"
    environment:
      REGISTRY_HOST : 'ghcr.io'
      # placeholder: replace with the registry namespace the proxy should prefix onto image paths
      REPO_PREFIX : 'username'
      PORT : 80

--------------------------------------------------------------------------------
/shared/boringproxy/boringproxy-client.service:
--------------------------------------------------------------------------------
[Unit]
AssertPathExists=%h/services/boringproxy/client

[Service]
WorkingDirectory=%h/services/boringproxy/client
# the -token value sits on the command line, readable by every local user via ps and in
# `systemctl show`/journal output; move it to an EnvironmentFile= with mode 0600 and pass
# -token ${BORINGPROXY_TOKEN} instead (systemd expands ${VAR} in ExecStart)
ExecStart=%h/.local/bin/boringproxy client -client-name srv -acme-email user@example.org -acme-certificate-authority 'https://step.example.org:9000/acme/acme/directory' -cert-dir %h/services/boringproxy/client/certs -user user -token xxxxxxxxxx -server proxy.example.org
Restart=always
# private /tmp and no privilege gain for the client process
PrivateTmp=true
NoNewPrivileges=true

[Install]
WantedBy=default.target

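--------------------------------------------------------------------------------
[Unit]
AssertPathExists=%h/services/boringproxy/server

[Service]
WorkingDirectory=%h/services/boringproxy/server
# -print-login presumably writes the admin login link to stdout, i.e. into this user's journal;
# if so, anyone who can read the journal gets admin access — drop the flag after the first login
ExecStart=%h/.local/bin/boringproxy server -accept-ca-terms -acme-email user@example.org -acme-certificate-authority 'https://step.example.org:9000/acme/acme/directory' -admin-domain proxy.example.org -cert-dir %h/services/boringproxy/server/certs -print-login -public-ip 192.168.0.10
Restart=always
PrivateTmp=true
NoNewPrivileges=true

[Install]
WantedBy=default.target


--------------------------------------------------------------------------------
/shared/debian-bookworm-sources.list:
--------------------------------------------------------------------------------
# plain http is acceptable here because apt verifies the signed Release files; use an https
# mirror if the package names being fetched should not be observable on the wire
deb http://ftp.debian.org/debian/ bookworm main contrib non-free non-free-firmware
deb-src http://ftp.debian.org/debian/ bookworm main contrib non-free non-free-firmware
deb http://ftp.debian.org/debian/ bookworm-updates main
deb-src http://ftp.debian.org/debian/ bookworm-updates main
deb http://security.debian.org/debian-security bookworm-security main
deb-src http://security.debian.org/debian-security bookworm-security main

--------------------------------------------------------------------------------
/shared/jdk-cacerts-auto-import.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# Import every certificate found in a trusted-CA directory into the JDK's cacerts truststore.
# Inputs: CA_DIR (name of the directory to look for, default "ca-trust") and the files inside
# it; each one becomes a trusted root for this JDK, so that directory must only be writable by
# whoever is allowed to change the trust store.

# determine the location of the cacerts file we're adding to

JDK_DIR="$(find /usr -type d -name jdk | head -n 1)"

CACERTS_FILE="$JDK_DIR"/lib/security/cacerts
KEYTOOL_BIN="$JDK_DIR"/bin/keytool

if [[ ! -f "$CACERTS_FILE" ]] || [[ ! -x "$KEYTOOL_BIN" ]]; then
  echo "Unable to locate cacerts and/or keytool " >&2
  exit 1
fi

unset TRUSTED_CA_DIR
TRUSTED_CA_DIRNAME=${CA_DIR:-"ca-trust"}
CA_DIR_PARENTS=(
  "$JDK_DIR"/../"$TRUSTED_CA_DIRNAME"
  /etc/"$TRUSTED_CA_DIRNAME"
  /opt/"$TRUSTED_CA_DIRNAME"
  /var/local/"$TRUSTED_CA_DIRNAME"
  /"$TRUSTED_CA_DIRNAME"
)
# quoted expansion: a candidate path containing whitespace was previously split into several;
# the unused realpath probe that ran here only printed errors for absent candidates
for i in "${CA_DIR_PARENTS[@]}"; do
  if [[ -d "$i" ]]; then
    TRUSTED_CA_DIR="$i"
    break;
  fi
done

if [[ -z $TRUSTED_CA_DIR ]] || [[ ! -d "$TRUSTED_CA_DIR" ]]; then
  echo "Unable to locate directory containing trusted CA certificates" >&2
  exit 1
fi

echo
# -r keeps backslashes in file names literal; -d '' is read's NUL delimiter (matches -print0)
find "$TRUSTED_CA_DIR" -type f -print0 | while read -r -d '' CRT_FILE; do
  CRT_FILE_BASE="$(basename "$CRT_FILE" | sed 's/\.[^.]*$//')"
  if [[ -n $CRT_FILE_BASE ]] && [[ "$CRT_FILE_BASE" != \.* ]] ; then
    echo "Importing \"$CRT_FILE_BASE\"... "
    # 'changeit' is the JDK's default truststore password; import errors other than
    # "already exists" are printed but do not stop the loop
    ( "$KEYTOOL_BIN" -importcert -cacerts -trustcacerts -file "$CRT_FILE" -alias "$CRT_FILE_BASE" -keypass changeit -storepass changeit -noprompt 2>&1 | grep -Pv "(already exists)" ) || true
    "$KEYTOOL_BIN" -list -cacerts -alias "$CRT_FILE_BASE" -keypass changeit -storepass changeit -noprompt
    echo
  fi
done

--------------------------------------------------------------------------------
/signal/Dockerfile:
--------------------------------------------------------------------------------
# docker run -d --rm \
#   -v /tmp/.X11-unix:/tmp/.X11-unix \
#   -e DISPLAY=unix\$DISPLAY \
#   --device /dev/video0 \
#   --device /dev/snd:/dev/snd \
#   --device /dev/dri \
#   -v /dev/shm:/dev/shm \
#   signal

FROM debian:bookworm-slim

LABEL maintainer="mero.mero.guero@gmail.com"
LABEL org.opencontainers.image.authors='mero.mero.guero@gmail.com'
LABEL org.opencontainers.image.url='https://github.com/mmguero/docker/tree/master/signal'
LABEL org.opencontainers.image.source='https://github.com/mmguero/docker'
LABEL org.opencontainers.image.title='oci.guero.org/signal'
LABEL org.opencontainers.image.description='Dockerized Signal (X11)'

ENV DEBIAN_FRONTEND noninteractive

ENV SIGNAL_USER signaler

# the apt sources are replaced by an unpinned file fetched from the master branch at build
# time; pin the URL to a commit (or verify with ADD --checksum=sha256:<expected-digest>)
ADD https://raw.githubusercontent.com/mmguero/docker/master/shared/debian-bookworm-sources.list /etc/apt/sources.list

# the Signal signing key goes into its own keyring and is bound to the Signal repo with
# signed-by=, instead of `apt-key add`, which is deprecated on bookworm and would have let
# that key authenticate packages for every configured repository
RUN rm -f /etc/apt/sources.list.d/debian.sources && \
    apt-get -q update && \
    apt-get install -q -y --no-install-recommends \
      ca-certificates \
      curl \
      gnupg2 \
      libasound2 \
      libdrm2 \
      libgbm1 \
      libgtk-3-0 \
      libx11-xcb1 \
      libxkbfile1 && \
    bash -c "curl -sSL https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor -o /usr/share/keyrings/signal-desktop-keyring.gpg" && \
    echo "deb [signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main" >> /etc/apt/sources.list && \
    apt-get -q update && \
    apt-get install -q -y --no-install-recommends signal-desktop && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

RUN groupadd --gid 1000 ${SIGNAL_USER} && \
    useradd -m --uid 1000 --gid 1000 ${SIGNAL_USER}

USER $SIGNAL_USER

WORKDIR /opt/Signal

ENTRYPOINT [ "/opt/Signal/signal-desktop"]

# --no-sandbox disables Electron/Chromium's renderer sandbox; it is commonly needed when the
# container lacks user namespaces, but it removes a defence layer for content the app renders —
# prefer giving the container what the sandbox needs and dropping this flag
CMD [ "--no-sandbox" ]
--------------------------------------------------------------------------------
/smtp4dev/certs/.gitignore:
--------------------------------------------------------------------------------
*
!.gitignore


--------------------------------------------------------------------------------
/smtp4dev/docker-compose.yml:
--------------------------------------------------------------------------------
services:
  smtp4dev:
    image: rnwood/smtp4dev:latest
    hostname: smtp4dev
    container_name: smtp4dev
    restart: unless-stopped
    # only `expose`d: the plaintext listeners are reachable from the stunnel containers on the
    # compose network, not from the host or the LAN
    expose:
      - 80
      - 25
      - 143
    # ports:
    #   - "127.0.0.1:25123:80"
    volumes:
      - smtp4dev-data:/smtp4dev
    environment:
      # TLS is terminated by the stunnel services below, so smtp4dev itself speaks plaintext
      - ServerOptions__TlsMode=None
      - ServerOptions__DisableIPv6=true

  stunnel-smtp:
    image: oci.guero.org/stunnel:latest
    hostname: stunnel-smtp
    container_name: stunnel-smtp
    restart: unless-stopped
    ports:
      - "0.0.0.0:3025: 3025"
    volumes:
      # stunnel.pem is the cert+key bundle produced by smtp_new_cert_restart.sh; mounted read-only
      - ./certs/smtp.pem:/etc/stunnel/stunnel.pem:ro
      - ./certs/ca.crt:/etc/stunnel/ca.crt:ro
    environment:
      CLIENT : "no"
      SERVICE : "smtp"
      ACCEPT : "0.0.0.0:3025"
      CONNECT : "smtp4dev:25"
    depends_on:
      - smtp4dev

  stunnel-imap:
    image: oci.guero.org/stunnel:latest
    hostname: stunnel-imap
    container_name: stunnel-imap
    restart: unless-stopped
    ports:
      - "0.0.0.0:3143:3143"
    volumes:
      - ./certs/smtp.pem:/etc/stunnel/stunnel.pem:ro
      - ./certs/ca.crt:/etc/stunnel/ca.crt:ro
    environment:
      CLIENT : "no"
      SERVICE : "imap"
      ACCEPT : "0.0.0.0:3143"
      CONNECT : "smtp4dev:143"
    depends_on:
      - smtp4dev

  stunnel-http:
    image: oci.guero.org/stunnel:latest
    hostname: stunnel-http
    container_name: stunnel-http
    restart: unless-stopped
    # 3443 fronts the smtp4dev web UI on every host interface: whoever can reach it can read
    # every captured message, so restrict the bind address or firewall it unless that is intended
    ports:
      - "0.0.0.0:3443:3443"
    volumes:
      - ./certs/smtp.pem:/etc/stunnel/stunnel.pem:ro
      - ./certs/ca.crt:/etc/stunnel/ca.crt:ro
    environment:
      CLIENT : "no"
      SERVICE : "http"
      ACCEPT : "0.0.0.0:3443"
      CONNECT : "smtp4dev:80"
    depends_on:
      - smtp4dev

volumes:
  smtp4dev-data:

--------------------------------------------------------------------------------
/smtp4dev/smtp_new_cert_restart.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# Assemble stunnel's combined PEM from a freshly renewed certificate/key pair, optionally copy
# the files to an output directory, run an optional command and bring the compose stack down
# so that systemd restarts it with the new certificate (see systemd-stuff/step-smtp.service).

set -e
set -u
set -o pipefail

ENCODING="utf-8"

RUN_PATH="$(pwd)"
[[ "$(uname -s)" = 'Darwin' ]] && REALPATH=grealpath || REALPATH=realpath
[[ "$(uname -s)" = 'Darwin' ]] && DIRNAME=gdirname || DIRNAME=dirname
if ! (command -v "$REALPATH" && command -v "$DIRNAME") > /dev/null; then
  echo "$(basename "${BASH_SOURCE[0]}") requires $REALPATH and $DIRNAME"
  exit 1
fi
SCRIPT_PATH="$($DIRNAME $($REALPATH -e "${BASH_SOURCE[0]}"))"

CERT_DIR=${SRV_CERT_DIR:-"$SCRIPT_PATH"}
OUTPUT_DIR=
KEY_BASE=${SRV_CERT_BASE:-"$(hostname -s)"}
CA_NAME="ca.crt"
EXECUTE_COMMAND=
RESTART_COMPOSE=
RESTART_COMPOSE_FILE=docker-compose.yml

# note: -n is accepted by the option string but has no handler, so it is silently ignored
while getopts 'vnd:o:b:a:x:r:f:' OPTION; do
  case "$OPTION" in
    v)
      VERBOSE_FLAG="-v"
      set -x
      ;;

    d)
      CERT_DIR="$OPTARG"
      ;;

    o)
      OUTPUT_DIR="$OPTARG"
      ;;

    b)
      KEY_BASE="$OPTARG"
      ;;

    a)
      CA_NAME="$OPTARG"
      ;;

    x)
      # -x is run verbatim (word-split, unquoted, below) with this script's privileges
      EXECUTE_COMMAND="$OPTARG"
      ;;

    r)
      RESTART_COMPOSE="$OPTARG"
      ;;

    f)
      RESTART_COMPOSE_FILE="$OPTARG"
      ;;

    ?)
      echo "script usage: $(basename $0) [-v (verbose)] [-d ] [-o ] [-b ] [-a ] [-r <(podman-compose|docker-compose) if restarting containers>] [-f ] [-x ]" >&2
      exit 1
      ;;
  esac
done
shift "$(($OPTIND -1))"

CRT_NAME="$KEY_BASE.crt"
KEY_NAME="$KEY_BASE.key"
PEM_NAME="$KEY_BASE.pem"

CERT_DIR="$($REALPATH -e "$CERT_DIR")"
# -o is optional (it is checked again below), but `realpath -e ""` fails and, under set -e,
# used to abort the whole script whenever -o was not given
if [[ -n "$OUTPUT_DIR" ]]; then
  OUTPUT_DIR="$($REALPATH -e "$OUTPUT_DIR")"
fi

pushd "$CERT_DIR" >/dev/null 2>&1

if [[ -r "$CRT_NAME" ]] && [[ -r "$KEY_NAME" ]] && [[ -r "$CA_NAME" ]]; then

  # the combined file contains the private key: the umask in the subshell makes a newly
  # created PEM owner-only from the start instead of only after the chmod
  ( umask 077; cat "$CRT_NAME" "$KEY_NAME" > "$PEM_NAME" )
  chmod 600 "$PEM_NAME"

  if [[ -n "$OUTPUT_DIR" ]] && [[ -d "$OUTPUT_DIR" ]]; then
    cp -v "$CRT_NAME" "$KEY_NAME" "$PEM_NAME" "$CA_NAME" "$OUTPUT_DIR"/
  fi

  if [[ -n "$EXECUTE_COMMAND" ]]; then
    $EXECUTE_COMMAND
  fi

  if [[ -n "$RESTART_COMPOSE" ]] && "$RESTART_COMPOSE" --version >/dev/null 2>&1 && [[ -f "$RESTART_COMPOSE_FILE" ]]; then
    pushd "$($DIRNAME $($REALPATH -e "$RESTART_COMPOSE_FILE"))"
    "$RESTART_COMPOSE" down
    # systemd will restart the service
    # "$RESTART_COMPOSE" up -d
  fi

  popd >/dev/null 2>&1

else
  echo "Unable to read CA, certificate and key files" >&2

  popd >/dev/null 2>&1
  exit 1
fi


--------------------------------------------------------------------------------
/smtp4dev/systemd-stuff/smtp.service:
--------------------------------------------------------------------------------
[Unit]
AssertPathExists=/run/user/%U/podman/podman.sock
AssertPathExists=%h/services/smtp4dev
After=network.target

[Service]
WorkingDirectory=%h/services/smtp4dev
Environment="DOCKER_HOST=unix:///run/user/%U/podman/podman.sock"
ExecStart=%h/.asdf/shims/podman-compose -f docker-compose.yml up --no-color --abort-on-container-exit
ExecStop=%h/.asdf/shims/podman-compose -f docker-compose.yml down
Restart=always

[Install]
WantedBy=default.target

--------------------------------------------------------------------------------
/smtp4dev/systemd-stuff/step-smtp.service:
--------------------------------------------------------------------------------
[Unit]
AssertPathExists=%h/services/smtp4dev/certs-orig

[Service]
WorkingDirectory=%h/services/smtp4dev/certs-orig
# on each renewal the --exec hook rebuilds the PEM from certs-orig, copies it into ./certs and
# takes the compose stack down; smtp.service (Restart=always) brings it back up with the new cert
ExecStart=%h/.local/bin/step ca renew --daemon --exec "%h/services/smtp4dev/smtp_new_cert_restart.sh -v -d %h/services/smtp4dev/certs-orig -o %h/services/smtp4dev/certs -b smtp -a %h/services/smtp4dev/certs-orig/ca.crt -r %h/.asdf/shims/podman-compose -f %h/services/smtp4dev/docker-compose.yml" --force smtp.crt smtp.key
Restart=always
# PrivateTmp/NoNewPrivileges are switched off here, unlike the boringproxy units — presumably so
# the hook can reach the user's podman socket and compose files; TODO confirm that
# NoNewPrivileges=true actually breaks it, since nothing in the hook should need to gain privileges
PrivateTmp=false
NoNewPrivileges=false

[Install]
WantedBy=default.target

--------------------------------------------------------------------------------
/splunk/docker-compose.yml:
--------------------------------------------------------------------------------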
volumes:
  opt-splunk-etc:
  opt-splunk-var:

services:
  splunkenterprise:
    hostname: splunkenterprise
    container_name: splunkenterprise
    image: store/splunk/splunk:9.4
    expose:
      - 1514
      - 8000
      - 9997
    environment:
      - SPLUNK_START_ARGS=--accept-license
      # NOTE(review): admin password committed to the repo. Port 8000 is only
      # published on 127.0.0.1 below, which limits who can log in, but anyone with
      # read access to this file or the git history has the credential. Prefer
      # SPLUNK_PASSWORD=${SPLUNK_PASSWORD:?set SPLUNK_PASSWORD in .env} and keep
      # the value out of version control.
      - SPLUNK_PASSWORD=123ABCdef!
      - SPLUNK_LICENSE_URI=Free
      - SPLUNK_ENABLE_LISTEN=9997
      - SPLUNK_ADD=tcp 1514
    volumes:
      - opt-splunk-etc:/opt/splunk/etc
      - opt-splunk-var:/opt/splunk/var
    ports:
      # all three published on loopback only: web UI, syslog input and forwarder input
      - 127.0.0.1:1514:1514
      - 127.0.0.1:8002:8000
      - 127.0.0.1:9997:9997
--------------------------------------------------------------------------------
/step-ca/.dockerignore:
--------------------------------------------------------------------------------
**/.git*
--------------------------------------------------------------------------------
/step-ca/.gitignore:
--------------------------------------------------------------------------------
/secrets.txt
--------------------------------------------------------------------------------
/step-ca/docker-compose.yml:
--------------------------------------------------------------------------------
# https://smallstep.com/docs/tutorials/docker-tls-certificate-authority

services:
  ca:
    image: smallstep/step-ca:latest
    # NOTE(review): root inside the container. step-ca-podman.service starts this
    # stack with --uidmap options that appear to map container uid 0 onto a
    # subordinate uid of the invoking user (rootless podman), so this is only
    # host root when run with plain docker compose; confirm before reusing.
    user: root
    ports:
      # CA endpoint listens on every host interface; bind to a specific address
      # if all ACME/renewal clients are local.
      - "0.0.0.0:9000:9000"
    volumes:
      - ./step:/home/step:rw
      # CA key password; secrets.txt is git-ignored above, keep it that way
      - ./secrets.txt:/home/step/secrets/password:ro
    restart: always

--------------------------------------------------------------------------------
/step-ca/step-ca-podman.service:
--------------------------------------------------------------------------------
[Unit]
AssertPathExists=/run/user/%U/podman/podman.sock
AssertPathExists=%h/services/step-ca
After=network.target

[Service]
WorkingDirectory=%h/services/step-ca
Environment="DOCKER_HOST=unix:///run/user/%U/podman/podman.sock"
# --uidmap: container uid 1000 -> the invoking user, container uid 0 -> a
# subordinate uid, remaining ids 1:1 (read from the ranges; confirm with the
# rootless podman mapping on the host). This is what keeps "user: root" in the
# compose file from being host root.
ExecStart=podman-compose -f docker-compose.yml --podman-run-args '--uidmap 1000:0:1 --uidmap 0:1:1000 --uidmap 1001:1001:64536' up --no-color --abort-on-container-exit
ExecStop=podman-compose -f docker-compose.yml down
Restart=always

[Install]
WantedBy=default.target

--------------------------------------------------------------------------------
/step-ca/step/.gitignore:
--------------------------------------------------------------------------------
*
!.gitignore

--------------------------------------------------------------------------------
/step-ca/step/certs/.gitignore:
--------------------------------------------------------------------------------
*
!.gitignore

--------------------------------------------------------------------------------
/step-ca/step/config/.gitignore:
--------------------------------------------------------------------------------
*
!.gitignore

--------------------------------------------------------------------------------
/step-ca/step/db/.gitignore:
--------------------------------------------------------------------------------
*
!.gitignore

--------------------------------------------------------------------------------
/step-ca/step/secrets/.gitignore:
--------------------------------------------------------------------------------
*
!.gitignore

--------------------------------------------------------------------------------
/step-ca/step/templates/.gitignore:
--------------------------------------------------------------------------------
*
!.gitignore

--------------------------------------------------------------------------------
/stunnel/Dockerfile:
--------------------------------------------------------------------------------
FROM vimagick/stunnel:latest

LABEL maintainer="mero.mero.guero@gmail.com"
LABEL org.opencontainers.image.authors='mero.mero.guero@gmail.com'
LABEL org.opencontainers.image.url='https://github.com/mmguero/docker/tree/master/stunnel'
LABEL org.opencontainers.image.source='https://github.com/mmguero/docker'
LABEL org.opencontainers.image.title='oci.guero.org/stunnel'
LABEL org.opencontainers.image.description='Dockerized stunnel'

# Insert a CAfile directive ahead of the "cert =" line of the upstream entrypoint
# so the ca.crt mounted by the compose files is known to stunnel.
# NOTE(review): CAfile on its own only tells stunnel where the CA bundle is; peer
# certificates are not checked unless a verify option (verifyChain/verifyPeer)
# is also set. The compose files in this repo run it with CLIENT=no (server
# side), so without such an option any client can connect to the ACCEPT ports.
# The base image's entrypoint is not in this repo - confirm what it writes.
RUN apk --no-cache add openssl && \
    sed -i '/cert =.*/i CAfile = /etc/stunnel/ca.crt' /entrypoint.sh
--------------------------------------------------------------------------------
/tini-privdrop-supervisord/Dockerfile:
--------------------------------------------------------------------------------
FROM debian:bookworm-slim

ENV DEBIAN_FRONTEND noninteractive
ENV TERM xterm
ENV LANG C.UTF-8

# configure unprivileged user and runtime parameters
ARG DEFAULT_UID=1000
ARG DEFAULT_GID=1000
ENV DEFAULT_UID $DEFAULT_UID
ENV DEFAULT_GID $DEFAULT_GID
ENV PUSER "asuka"
ENV PGROUP "asuka"
ENV PUSER_PRIV_DROP true

# NOTE(review): the entrypoint script is fetched at build time from a mutable
# branch URL with no integrity check, so image content depends on whatever that
# URL serves when the build runs. Pin a commit in the URL and/or use
# `ADD --checksum=sha256:<digest>` (BuildKit) if reproducible builds matter.
ADD https://raw.githubusercontent.com/mmguero/docker/master/shared/docker-uid-gid-setup.sh /usr/local/bin/docker-uid-gid-setup.sh
ADD supervisord.conf /etc/supervisord.conf

RUN apt-get update && \
    apt-get install --no-install-recommends -y -q \
      iproute2 \
      iputils-ping \
      procps \
      psmisc \
      supervisor \
      tini \
      vim-tiny && \
    apt-get -q -y autoremove && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
    chmod 755 /usr/local/bin/docker-uid-gid-setup.sh && \
    # group is created under ${PUSER} rather than ${PGROUP} (both "asuka" here)
    groupadd --gid ${DEFAULT_GID} ${PUSER} && \
    useradd -m --uid ${DEFAULT_UID} --gid ${DEFAULT_GID} ${PUSER} && \
    usermod -a -G tty ${PUSER}

# tini as PID 1, then the uid/gid setup script (expected to drop to PUSER when
# PUSER_PRIV_DROP is true; its source is the downloaded file above)
ENTRYPOINT [ "/usr/bin/tini", "--", "/usr/local/bin/docker-uid-gid-setup.sh" ]

CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf", "-n"]

--------------------------------------------------------------------------------
/tini-privdrop-supervisord/supervisord.conf:
--------------------------------------------------------------------------------
[unix_http_server]
file=/tmp/supervisor.sock
chmod=0700

[supervisord]
nodaemon=true
logfile=/dev/null
logfile_maxbytes=0
pidfile=/tmp/supervisord.pid

[rpcinterface:supervisor]
supervisor.rpcinterface_factory=supervisor.rpcinterface:make_main_rpcinterface

[supervisorctl]
serverurl=unix:///tmp/supervisor.sock

; placeholder program that just keeps the container alive
[program:sleepy]
command=sleep infinity
autostart=true
autorestart=true
startsecs=0
startretries=0
stopasgroup=true
killasgroup=true
stdout_logfile=/dev/fd/1
stdout_logfile_maxbytes=0
stdout_logfile_backups=0
redirect_stderr=true
--------------------------------------------------------------------------------
/traefix-proxy/certs/.gitignore:
--------------------------------------------------------------------------------
*
!.gitignore

--------------------------------------------------------------------------------
/traefix-proxy/docker-compose.yml:
--------------------------------------------------------------------------------
services:

  traefik:
    image: "traefik:latest"
    container_name: "traefik"
    command:
      # NOTE(review): --api.insecure=true serves the dashboard/API on :8080 with
      # no authentication. It is not published under `ports` below, but it is
      # reachable from every container on the traefik-proxy network (and
      # typically from the host via the container IP); prefer the dashboard
      # behind an authenticated router, or drop this flag.
      - "--api.insecure=true"
      - "--providers.docker=true"
      # good default: containers must opt in with traefik.enable=true
      - "--providers.docker.exposedbydefault=false"
      - "--providers.file.filename=/traefik-tls.toml"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls.options=default@file"
      # - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      # - "--certificatesresolvers.myresolver.acme.caserver=https://ca.example.org:9000/acme/acme/directory"
      - "--certificatesresolvers.myresolver.acme.email=user@example.org"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - 0.0.0.0:80:80
      - 0.0.0.0:443:443
    networks:
      - proxy
    volumes:
      # acme.json holds the account key and issued private keys; keep it out of
      # git (the .gitignore below) and readable only by the traefik container
      - "./letsencrypt:/letsencrypt:rw"
      - "./certs:/etc/ssl/certs:ro"
      - "./traefik-tls.toml:/traefik-tls.toml:ro"
      # NOTE(review): ":ro" only affects the filesystem node; any process inside
      # this container can still talk to the daemon over the socket, which is
      # root-equivalent on the host. A docker-socket proxy with an allow-list
      # (read-only container/network endpoints) is the usual mitigation.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    restart: unless-stopped

  whoami:
    image: "traefik/whoami:latest"
    container_name: "whoami"
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.org`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=myresolver"
    restart: unless-stopped

networks:
  proxy:
    external:
      name: traefik-proxy

--------------------------------------------------------------------------------
/traefix-proxy/letsencrypt/.gitignore:
--------------------------------------------------------------------------------
*
!.gitignore

--------------------------------------------------------------------------------
/traefix-proxy/traefik-tls.toml:
--------------------------------------------------------------------------------
# Referenced from the compose file as tls.options=default@file.
# cipherSuites only constrains TLS 1.2 negotiations (TLS 1.3 suites are fixed
# by Go); the two CBC entries are the weakest of the list - keep them only if a
# known legacy client needs them.
[tls.options]
  [tls.options.default]
    minVersion = "VersionTLS12"
    cipherSuites = [
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    ]
--------------------------------------------------------------------------------
/transmission-openvpn/docker-compose.yml:
--------------------------------------------------------------------------------
services:
  transmission-openvpn:
    cap_add:
      # needed to bring up the tun device inside the container
      - NET_ADMIN
    volumes:
      - ./download:/data:rw
      - ./default.ovpn:/etc/openvpn/custom/default.ovpn:rw
    environment:
      - OPENVPN_PROVIDER=custom
      # VPN credentials are left empty on purpose; fill them in locally (an env
      # file or an override) rather than committing them here
      - OPENVPN_USERNAME=
      - OPENVPN_PASSWORD=
      # presumably the LAN range that must stay routable outside the tunnel so
      # the UI below remains reachable - verify against the image's docs
      - LOCAL_NETWORK=192.168.0.0/16
      # NOTE(review): @SECLEVEL=0 lowers OpenSSL's security level for the VPN
      # control channel so weak/obsolete ciphers and small keys are accepted;
      # keep this only if the provider's server genuinely requires it.
      - OPENVPN_OPTS=--tls-cipher DEFAULT:@SECLEVEL=0
    logging:
      driver: json-file
      options:
        max-size: 10m
    ports:
      # Transmission web UI, loopback only
      - '127.0.0.1:9091:9091'
    dns:
      # NOTE(review): public resolvers; confirm these queries travel through the
      # tunnel rather than the host interface, otherwise lookups leak outside it
      - 8.8.8.8
      - 8.8.4.4
    image: haugene/transmission-openvpn
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "curl", "--connect-timeout", "15", "-o", "/dev/null", "--silent", "--show-error", "--fail", "http://localhost:9091" ]
      interval: 60s
      timeout: 30s
      retries: 3
      start_period: 90s
--------------------------------------------------------------------------------
/transmission-openvpn/download/.gitignore:
--------------------------------------------------------------------------------
*
!.gitignore

--------------------------------------------------------------------------------
/tunneler/bash_support_functions.sh:
--------------------------------------------------------------------------------
# Serve the current directory over plain HTTP with whichever tool is installed.
# $1 (optional) is the port, default 8000.
# NOTE(review): every backend below binds 0.0.0.0, so the whole working
# directory is readable by anyone who can reach this host on that port; use a
# loopback bind if only the local browser (opened below) needs it.
function server()
{
  local PORT="${1:-8000}"
  # open a browser tab in the background once the server has had a second to start
  command -v xdg-open >/dev/null 2>&1 && sleep 1 && xdg-open "http://localhost:${PORT}/" &
  if command -v goStatic >/dev/null 2>&1; then
    goStatic -vhost "" -path "$(pwd)" -port $PORT
  elif command -v python3 >/dev/null 2>&1; then
    python3 -m http.server --bind 0.0.0.0 $PORT
  elif command -v python >/dev/null 2>&1; then
    python -m SimpleHTTPServer $PORT
  elif command -v ruby >/dev/null 2>&1; then
    ruby -run -e httpd -- --bind-address=0.0.0.0 --port=$PORT .
  elif command -v http-server >/dev/null 2>&1; then
    http-server -a 0.0.0.0 --port $PORT
  elif command -v php >/dev/null 2>&1; then
    php -S 0.0.0.0:$PORT -t .
  else
    echo "No tool available for service HTTP" >&2
  fi
}

# Publish the current directory through a hostyoself relay. Unless
# HOSTYOSELF_URL points at your own relay (the tunneler image runs one), this
# goes through the public hostyoself.com service.
function hys()
{
  hostyoself host --url ${HOSTYOSELF_URL:-https://hostyoself.com}
}

# Remove the index.html that hysi generated, if any ($1 is its path or empty).
function hysi_cleanup()
{
  local DEL_IDX="${1}"
  [[ -n "$DEL_IDX" ]] && [[ -f "$DEL_IDX" ]] && rm -vf "$DEL_IDX"
}

# Like hys, but first generates an index.html directory listing with `tree`
# when none exists, and removes it again when the function returns.
function hysi()
{
  local DEL_IDX=
  if [[ ! -f ./index.html ]] && command -v tree >/dev/null 2>&1 && tree -x --dirsfirst --gitignore -H . -o index.html >/dev/null 2>&1; then
    DEL_IDX=./index.html
  fi
  # DEL_IDX is expanded now (double quotes), so the trap only ever removes the
  # file this call created; the EXIT trap outlives the function in an
  # interactive shell but is harmless once the file is gone.
  trap "hysi_cleanup '${DEL_IDX}'" SIGINT EXIT RETURN
  hys
}

alias crocs='croc --yes'
--------------------------------------------------------------------------------
/tunneler/croc_relay_entrypoint.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# Start a croc relay on the port list derived from CROC_PORT_LOW/CROC_PORT_HIGH
# (comma-separated range, or just the two endpoints when
# CROC_PORT_NON_SEQUENTIAL=true; 9009-9013 when neither is set).

set -e

if [ "$CROC_PORT_NON_SEQUENTIAL" == "true" ]; then
  PORTS="$CROC_PORT_LOW,$CROC_PORT_HIGH"
elif [ -n "$CROC_PORT_LOW" ] && [ -n "$CROC_PORT_HIGH" ]; then
  PORTS="$(seq -s , "$CROC_PORT_LOW" "$CROC_PORT_HIGH")"
else
  PORTS="$(seq -s , 9009 9013)"
fi

# NOTE(review): with CROC_PASS empty the relay starts without --pass and croc's
# built-in default relay password applies (not visible here); set CROC_PASS
# whenever the relay ports are reachable from untrusted networks, as the
# tunneler compose file publishes them on 0.0.0.0.
if [ -n "$CROC_PASS" ]; then
  /usr/bin/croc --pass "$CROC_PASS" relay --ports "$PORTS"
else
  /usr/bin/croc relay --ports "$PORTS"
fi
--------------------------------------------------------------------------------
/tunneler/docker-compose.yml:
--------------------------------------------------------------------------------
x-process-variables: &process-variables
  # docker containers will run processes as unprivileged user with UID:GID
  PUID : 1000
  PGID : 1000

services:
  tunneler:
    build:
      context: .
dockerfile: Dockerfile
    image: oci.guero.org/tunneler:latest
    container_name: tunneler
    ulimits:
      memlock:
        soft: -1
        hard: -1
    stdin_open: false
    tty: true
    cap_add:
      - IPC_LOCK
      # NOTE(review): NET_ADMIN/NET_RAW allow interface and raw-socket
      # manipulation and SYS_ADMIN is close to full root on the host kernel
      # (mounts, namespaces, ...). Nothing in supervisord.conf below (relays for
      # wormhole/hostyoself/croc, plus wireproxy) obviously needs SYS_ADMIN;
      # the Dockerfile is not visible here, so confirm and drop what is unused.
      - NET_ADMIN
      - NET_RAW
      - SYS_ADMIN
      - NET_BIND_SERVICE
    environment:
      << : *process-variables
      WORMHOLE_PORT : 4001
      WORMHOLE_AUTOSTART : 'false'
      CROC_PORT_LOW : 9009
      CROC_PORT_HIGH : 9013
      CROC_PORT_NON_SEQUENTIAL : 'false'
      # empty means the croc relay runs with croc's default password (see
      # croc_relay_entrypoint.sh); set it before exposing the relay ports
      CROC_PASS : ''
      CROC_AUTOSTART : 'false'
      HOSTYOSELF_AUTOSTART : 'false'
      HOSTYOSELF_PORT : 8010
      HOSTYOSELF_URL : 'https://hostyoself.example.org'
    ports:
      # relay endpoints are intentionally reachable from any interface; nothing
      # here authenticates the wormhole or hostyoself relays
      - "0.0.0.0:4001:4001/tcp"
      - "0.0.0.0:8010:8010/tcp"
      - "0.0.0.0:9009-9013:9009-9013/tcp"
    restart: unless-stopped
--------------------------------------------------------------------------------
/tunneler/supervisord.conf:
--------------------------------------------------------------------------------
[unix_http_server]
file=/tmp/supervisor.sock
chmod=0700

[supervisord]
nodaemon=true
logfile=/dev/null
logfile_maxbytes=0
pidfile=/tmp/supervisord.pid

[rpcinterface:supervisor]
supervisor.rpcinterface_factory=supervisor.rpcinterface:make_main_rpcinterface

[supervisorctl]
serverurl=unix:///tmp/supervisor.sock

; just some examples, may figure out other stuff to put here

; magic-wormhole transit relay; port and autostart come from the compose environment
[program:wormhole]
command=twist3 transitrelay --port=tcp:%(ENV_WORMHOLE_PORT)s --blur-usage=100
autostart=%(ENV_WORMHOLE_AUTOSTART)s
autorestart=true
startsecs=0
startretries=0
stopasgroup=true
killasgroup=true
stdout_logfile=/dev/fd/1
stdout_logfile_maxbytes=0
stdout_logfile_backups=0
redirect_stderr=true

[program:hostyoself]
command=hostyoself relay --url "%(ENV_HOSTYOSELF_URL)s" --port %(ENV_HOSTYOSELF_PORT)s
autostart=%(ENV_HOSTYOSELF_AUTOSTART)s
autorestart=true
startsecs=0
startretries=0
stopasgroup=true
killasgroup=true
stdout_logfile=/dev/fd/1
stdout_logfile_maxbytes=0
stdout_logfile_backups=0
redirect_stderr=true

[program:croc]
command=/usr/local/bin/croc_relay_entrypoint.sh
autostart=%(ENV_CROC_AUTOSTART)s
autorestart=true
startsecs=0
startretries=0
stopasgroup=true
killasgroup=true
stdout_logfile=/dev/fd/1
stdout_logfile_maxbytes=0
stdout_logfile_backups=0
redirect_stderr=true

; NOTE(review): WIREPROXY_CONF and WIREPROXY_AUTOSTART are not set in the
; tunneler docker-compose.yml above, unlike every other %(ENV_*)s name used in
; this file. supervisord rejects a config whose %(ENV_*)s names cannot be
; expanded, so these must come from the Dockerfile (not visible here) or the
; container will fail to start - confirm.
[program:wireproxy]
command=/usr/bin/wireproxy --config "%(ENV_WIREPROXY_CONF)s"
autostart=%(ENV_WIREPROXY_AUTOSTART)s
autorestart=true
startsecs=0
startretries=0
stopasgroup=true
killasgroup=true
stdout_logfile=/dev/fd/1
stdout_logfile_maxbytes=0
stdout_logfile_backups=0
redirect_stderr=true
--------------------------------------------------------------------------------
/uptime-kuma/docker-compose.yml:
--------------------------------------------------------------------------------
services:

  uptime-kuma:
    image: louislam/uptime-kuma:latest
    container_name: uptime-kuma
    expose:
      - 3001
    environment:
      - PUID=1000
      - PGID=100
      - TZ=America/Denver
      - NODE_ENV=production
      # extra trust anchor for monitors that hit internally issued certificates
      - NODE_EXTRA_CA_CERTS=/extra_ca.crt
    volumes:
      # holds the SQLite database with monitor credentials; keep host perms tight
      - ./data:/app/data
      - ./extra_ca.crt:/extra_ca.crt:ro
    restart: unless-stopped
    networks:
      - proxy
    labels:
      # only reachable through traefik on the shared proxy network; no host port
      - "traefik.enable=true"
      - "traefik.http.routers.uptime.rule=Host(`uptime.example.org`)"
      - "traefik.http.routers.uptime.entrypoints=websecure"
      - "traefik.http.routers.uptime.tls.certresolver=myresolver"
      - "traefik.http.services.uptime.loadbalancer.server.port=3001"

networks:
  proxy:
    external:
      name: traefik-proxy
--------------------------------------------------------------------------------
/vaultwarden/.env:
-------------------------------------------------------------------------------- 1 | SMTP_HOST= 2 | SMTP_FROM= 3 | SMTP_PORT= 4 | SMTP_SSL= 5 | SMTP_USERNAME= 6 | SMTP_PASSWORD= 7 | YUBICO_CLIENT_ID= 8 | YUBICO_SECRET_KEY= 9 | -------------------------------------------------------------------------------- /vaultwarden/data/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | -------------------------------------------------------------------------------- /vaultwarden/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | vaultwarden: 3 | image: vaultwarden/server:latest 4 | container_name: vaultwarden 5 | hostname: vaultwarden 6 | environment: 7 | WEBSOCKET_ENABLED: 'false' # Required to use websockets 8 | SIGNUPS_ALLOWED: 'true' # set to false to disable signups 9 | PUID: 1000 10 | PGID: 100 11 | TZ: 'America/Denver' 12 | volumes: 13 | - ./data:/data 14 | env_file: 15 | - .env 16 | restart: unless-stopped 17 | networks: 18 | - proxy 19 | labels: 20 | - "traefik.enable=true" 21 | - "traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.example.org`)" 22 | - "traefik.http.routers.vaultwarden.entrypoints=websecure" 23 | - "traefik.http.routers.vaultwarden.tls.certresolver=myresolver" 24 | 25 | networks: 26 | proxy: 27 | name: traefik-proxy 28 | external: true 29 | 30 | -------------------------------------------------------------------------------- /whoami/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | whoami: 3 | image: "docker.io/traefik/whoami:latest" 4 | network_mode: "pasta" 5 | ports: 6 | - "127.0.0.1:40002:80/tcp" 7 | -------------------------------------------------------------------------------- /whoami/whoami-pod-kubeplay.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | 
AssertPathExists=%h/services/whoami 3 | After=network.target 4 | 5 | [Service] 6 | WorkingDirectory=%h/services/whoami 7 | ExecStart=podman kube play --network=pasta --wait --replace whoami-pod.yaml 8 | ExecStop=podman kube play --down --force whoami-pod.yaml 9 | Restart=always 10 | 11 | [Install] 12 | WantedBy=default.target 13 | -------------------------------------------------------------------------------- /whoami/whoami-pod-kubeplay.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | labels: 5 | app: whoami-pod 6 | name: whoami-pod 7 | spec: 8 | containers: 9 | - env: 10 | image: docker.io/traefik/whoami:latest 11 | name: whoami 12 | ports: 13 | - containerPort: 80 14 | hostIP: 127.0.0.1 15 | hostPort: 40002 16 | 17 | -------------------------------------------------------------------------------- /whoami/whoami-podman-compose.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | AssertPathExists=%h/services/whoami 3 | After=network.target 4 | 5 | [Service] 6 | WorkingDirectory=%h/services/whoami 7 | ExecStart=podman compose -f docker-compose.yml up --no-color --abort-on-container-exit 8 | ExecStop=podman compose -f docker-compose.yml down 9 | Restart=always 10 | 11 | [Install] 12 | WantedBy=default.target 13 | -------------------------------------------------------------------------------- /wireproxy/.dockerignore: -------------------------------------------------------------------------------- 1 | wireproxy.env* 2 | -------------------------------------------------------------------------------- /wireproxy/.gitignore: -------------------------------------------------------------------------------- 1 | wireproxy.env* 2 | config.env.local 3 | docker-compose-local.yml 4 | -------------------------------------------------------------------------------- /wireproxy/Dockerfile: 
-------------------------------------------------------------------------------- 1 | FROM golang:1 as build 2 | 3 | RUN mkdir -p /usr/src && \ 4 | cd /usr/src && \ 5 | git clone --recurse-submodules --shallow-submodules --single-branch --depth 1 https://github.com/pufferffish/wireproxy && \ 6 | cd ./wireproxy && \ 7 | make 8 | 9 | FROM debian:12-slim AS runtime 10 | 11 | LABEL maintainer="mero.mero.guero@gmail.com" 12 | LABEL org.opencontainers.image.authors='mero.mero.guero@gmail.com' 13 | LABEL org.opencontainers.image.url='https://github.com/mmguero/docker/tree/master/wireproxy' 14 | LABEL org.opencontainers.image.source='https://github.com/mmguero/docker' 15 | LABEL org.opencontainers.image.title='oci.guero.org/wireproxy' 16 | LABEL org.opencontainers.image.description='Dockerized wireproxy' 17 | 18 | ARG DEFAULT_UID=1000 19 | ARG DEFAULT_GID=1000 20 | ENV DEFAULT_UID $DEFAULT_UID 21 | ENV DEFAULT_GID $DEFAULT_GID 22 | ENV PUSER "wired" 23 | ENV PGROUP "wired" 24 | ENV PUSER_PRIV_DROP true 25 | 26 | # false - read /etc/wireproxy/config from bind-mounted file 27 | # true - generate /etc/wireproxy/config from environment variables 28 | ENV WIREPROXY_CONFIG_FROM_ENVS false 29 | 30 | ADD https://raw.githubusercontent.com/mmguero/docker/master/shared/docker-uid-gid-setup.sh /usr/local/bin/docker-uid-gid-setup.sh 31 | COPY entrypoint.sh /usr/local/bin/entrypoint.sh 32 | COPY config.env /etc/wireproxy/config.env 33 | 34 | RUN apt-get -q update && \ 35 | apt-get -y -q --no-install-recommends upgrade && \ 36 | apt-get -y -q --allow-downgrades --allow-remove-essential --allow-change-held-packages install --no-install-recommends \ 37 | bash gettext-base rsync && \ 38 | groupadd --gid ${DEFAULT_GID} ${PGROUP} && \ 39 | useradd --uid ${DEFAULT_UID} --gid ${DEFAULT_GID} --no-create-home --home /var/www/html -s /sbin/nologin ${PUSER} && \ 40 | usermod -a -G tty ${PUSER} && \ 41 | chown -R ${PUSER}:${PGROUP} /etc/wireproxy && \ 42 | chmod 755 
/usr/local/bin/docker-uid-gid-setup.sh /usr/local/bin/entrypoint.sh 43 | 44 | COPY --from=build /usr/src/wireproxy/wireproxy /usr/bin/wireproxy 45 | 46 | VOLUME [ "/etc/wireproxy"] 47 | 48 | ENTRYPOINT ["/usr/local/bin/docker-uid-gid-setup.sh"] 49 | 50 | CMD ["/usr/local/bin/entrypoint.sh"] 51 | -------------------------------------------------------------------------------- /wireproxy/config.env: -------------------------------------------------------------------------------- 1 | [Interface] 2 | Address = $LOCAL_ADDRESS 3 | MTU = $MTU 4 | PrivateKey = $LOCAL_KEY 5 | DNS = $DNS 6 | 7 | [Peer] 8 | PublicKey = $ENDPOINT_KEY 9 | # PresharedKey = $PRESHARED_KEY 10 | Endpoint = $ENDPOINT_ADDRESS 11 | PersistentKeepalive = $KEEPALIVE 12 | AllowedIPs = $ALLOWED_IPS 13 | 14 | [Socks5] 15 | BindAddress = $SOCKS_ADDRESS 16 | -------------------------------------------------------------------------------- /wireproxy/docker-compose.yml: -------------------------------------------------------------------------------- 1 | x-process-variables: &process-variables 2 | # docker containers will run processes as unprivileged user with UID:GID 3 | PUID : 1000 4 | PGID : 1000 5 | 6 | services: 7 | wireproxy: 8 | build: 9 | context: . 
10 | dockerfile: Dockerfile 11 | image: oci.guero.org/wireproxy:latest 12 | container_name: wireproxy 13 | environment: 14 | << : *process-variables 15 | WIREPROXY_CONFIG_FROM_ENVS : 'true' 16 | volumes: 17 | - ./config.env:/etc/wireproxy/config.env:ro 18 | env_file: 19 | - wireproxy.env 20 | ports: 21 | - "127.0.0.1:11080:11080" 22 | restart: unless-stopped 23 | -------------------------------------------------------------------------------- /wireproxy/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [[ -n "$WIREPROXY_CONFIG_FROM_ENVS" ]] && [[ "$WIREPROXY_CONFIG_FROM_ENVS" == "true" ]]; then 4 | /usr/bin/envsubst < /etc/wireproxy/config.env > /etc/wireproxy/config 5 | fi 6 | 7 | /usr/bin/wireproxy -c /etc/wireproxy/config 8 | -------------------------------------------------------------------------------- /wireproxy/wireproxy-podman.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | AssertPathExists=/run/user/%U/podman/podman.sock 3 | AssertPathExists=%h/services/wireproxy 4 | After=network.target 5 | 6 | [Service] 7 | WorkingDirectory=%h/services/wireproxy 8 | Environment="DOCKER_HOST=unix:///run/user/%U/podman/podman.sock" 9 | ExecStart=docker-compose -f docker-compose.yml up --no-color --abort-on-container-exit 10 | ExecStop=docker-compose -f docker-compose.yml down 11 | Restart=always 12 | 13 | [Install] 14 | WantedBy=default.target 15 | -------------------------------------------------------------------------------- /wireproxy/wireproxy.env.sample: -------------------------------------------------------------------------------- 1 | ALLOWED_IPS=0.0.0.0/0 2 | DNS=1.1.1.1 3 | ENDPOINT_ADDRESS=172.16.0.131:51820 4 | ENDPOINT_KEY=barbaz 5 | KEEPALIVE=25 6 | LOCAL_ADDRESS=192.168.10.13/32 7 | LOCAL_KEY=foobar 8 | MTU=1420 9 | PRESHARED_KEY= 10 | SOCKS_ADDRESS=0.0.0.0:11080 
-------------------------------------------------------------------------------- /yt-dlp/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM alpine:latest 2 | 3 | LABEL maintainer="mero.mero.guero@gmail.com" 4 | LABEL org.opencontainers.image.authors='mero.mero.guero@gmail.com' 5 | LABEL org.opencontainers.image.url='https://github.com/mmguero/docker/tree/master/yt-dlp' 6 | LABEL org.opencontainers.image.source='https://github.com/mmguero/docker' 7 | LABEL org.opencontainers.image.title='oci.guero.org/yt-dlp' 8 | LABEL org.opencontainers.image.description='Dockerized yt-dlp' 9 | 10 | ARG DEFAULT_UID=1000 11 | ARG DEFAULT_GID=1000 12 | ENV DEFAULT_UID $DEFAULT_UID 13 | ENV DEFAULT_GID $DEFAULT_GID 14 | ENV PUSER "ytdlp" 15 | ENV PGROUP "ytdlp" 16 | ENV PUSER_PRIV_DROP true 17 | 18 | ENV PYTHONUNBUFFERED 1 19 | 20 | COPY --from=mwader/static-ffmpeg:latest /ffmpeg /ffprobe /usr/bin/ 21 | ADD https://raw.githubusercontent.com/mmguero/docker/master/shared/docker-uid-gid-setup.sh /usr/local/bin/docker-uid-gid-setup.sh 22 | 23 | RUN apk add --update --no-cache bash curl shadow py3-pip && \ 24 | apk add --no-cache --virtual .build-deps \ 25 | build-base \ 26 | gcc \ 27 | make \ 28 | musl-dev \ 29 | python3-dev \ 30 | py3-setuptools \ 31 | py3-wheel && \ 32 | python3 -m pip install --break-system-packages --no-cache yt-dlp && \ 33 | apk del .build-deps && \ 34 | chmod 755 /usr/local/bin/docker-uid-gid-setup.sh && \ 35 | addgroup -g ${DEFAULT_GID} ${PGROUP} && \ 36 | adduser -D -H -u ${DEFAULT_UID} -h /nonexistant -s /sbin/nologin -G ${PGROUP} -g ${PUSER} ${PUSER} && \ 37 | addgroup ${PUSER} tty && \ 38 | addgroup ${PUSER} shadow 39 | 40 | ENTRYPOINT ["/usr/local/bin/docker-uid-gid-setup.sh", "/usr/bin/yt-dlp"] 41 | 42 | CMD [] 43 | -------------------------------------------------------------------------------- /yt-dlp/yt-dlp-docker.sh: -------------------------------------------------------------------------------- 1 | 
#!/usr/bin/env bash 2 | 3 | ENGINE="${CONTAINER_ENGINE:-docker}" 4 | if [[ "$ENGINE" == "podman" ]]; then 5 | CONTAINER_PUID=0 6 | CONTAINER_PGID=0 7 | else 8 | CONTAINER_PUID=$(id -u) 9 | CONTAINER_PGID=$(id -g) 10 | fi 11 | 12 | DIR="$(pwd)" 13 | 14 | $ENGINE run -i -t --rm \ 15 | -e PUID=$CONTAINER_PUID \ 16 | -e PGID=$CONTAINER_PGID \ 17 | -v "$DIR:$DIR:rw" \ 18 | -w "$DIR" \ 19 | oci.guero.org/yt-dlp "$@" 20 | --------------------------------------------------------------------------------