remna + other changes

2026-04-05 17:51:46 +00:00 · 2026-03-10 01:34:11 +03:00 · 2026-03-10 01:34:11 +03:00 · aa0eb8b32e
commit aa0eb8b32e
parent 6a3c6903c8
7 changed files with 387 additions and 5 deletions
--- a/services/authentik/docker-compose.yml
+++ b/services/authentik/docker-compose.yml
@ -0,0 +1,62 @@
 services:
  postgresql:
    image: docker.io/library/postgres:16-alpine
    restart: unless-stopped
    env_file:
      - /srv/authentik/.env
    environment:
      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
      POSTGRES_USER: ${PG_USER:-authentik}
      POSTGRES_DB: ${PG_DB:-authentik}
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - /srv/authentik/postgresql:/var/lib/postgresql/data
  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2026.2.1-rc1}
    restart: unless-stopped
    command: server
    depends_on:
      postgresql:
        condition: service_healthy
    env_file:
      - /srv/authentik/.env
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    ports:
      - "${COMPOSE_PORT_HTTP:-9000}:9000"
      - "${COMPOSE_PORT_HTTPS:-9443}:9443"
    volumes:
      - /srv/authentik/media:/media
      - /srv/authentik/custom-templates:/templates
  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2026.2.1-rc1}
    restart: unless-stopped
    command: worker
    user: root
    depends_on:
      postgresql:
        condition: service_healthy
    env_file:
      - /srv/authentik/.env
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /srv/authentik/media:/media
      - /srv/authentik/certs:/certs
      - /srv/authentik/custom-templates:/templates
--- a/services/authentik/start.sh
+++ b/services/authentik/start.sh
@ -0,0 +1,2 @@
 #!/usr/bin/env bash
 docker compose --env-file /srv/authentik/.env up -d
--- a/services/caddy/Caddyfile
+++ b/services/caddy/Caddyfile
@ -1,3 +1,4 @@
 import /opt/homelab/services/caddy/snippets/*.caddy
 {
  email pavel123357@gmail.com
@ -7,12 +8,29 @@
  }
 }
-:80 {
+pass.sesur.dev {
-  respond "Yarik, zdarova"
+  reverse_proxy 127.0.0.1:9000
 }
 home.sesur.dev {
  route {
    import authentik_forward_auth
    reverse_proxy 127.0.0.1:3050
  }
 }
 dozzle.sesur.dev {
  route {
    import authentik_forward_auth
    reverse_proxy 127.0.0.1:9999
  }
 }
 photos.sesur.dev {
  log {
    output file /var/log/caddy/access.log
    format json
  }
  reverse_proxy 127.0.0.1:2283
  # Optional: allow large uploads (adjust as you like)
@ -61,10 +79,25 @@ http://192.168.1.47 {
 http://dozzle.lan {
  reverse_proxy 127.0.0.1:9999
 }
-https://remnawave.lan {
+
-  tls internal
+rat.sesur.dev {
   handle /api/sub/* {
    reverse_proxy 127.0.0.1:4000
  }
  route {
    import authentik_forward_auth
    reverse_proxy 127.0.0.1:4000
  }
 }
 rat-api.sesur.dev {
   @notAllowed {
    not remote_ip 31.57.61.253
    }
   respond @notAllowed "Forbidden" 403
   reverse_proxy 127.0.0.1:4000
 }
 http://cyberchef.lan {
  reverse_proxy 127.0.0.1:8085
 }
--- a/services/caddy/snippets/authentik_forward_auth.caddy
+++ b/services/caddy/snippets/authentik_forward_auth.caddy
@ -0,0 +1,9 @@
 (authentik_forward_auth) {
  reverse_proxy /outpost.goauthentik.io/* http://127.0.0.1:9000
  forward_auth http://127.0.0.1:9000 {
    uri /outpost.goauthentik.io/auth/caddy
    copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt
    trusted_proxies private_ranges
  }
 }
--- a/services/homepage/docker-compose.yml
+++ b/services/homepage/docker-compose.yml
@ -0,0 +1,12 @@
 services:
  homepage:
    image: ghcr.io/gethomepage/homepage:latest
    container_name: homepage
    restart: unless-stopped
    ports:
      - "127.0.0.1:3050:3000"
    volumes:
      - /srv/homepage/config:/app/config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - HOMEPAGE_ALLOWED_HOSTS=home.sesur.dev
--- a/services/remnawave/remnawave-nodes/boostrap.sh
+++ b/services/remnawave/remnawave-nodes/boostrap.sh
@ -0,0 +1,225 @@
 #!/usr/bin/env bash
 set -Eeuo pipefail
 # =========================
 # Config
 # =========================
 ADMIN_USER="${ADMIN_USER:-pvlx}"
 SSH_PORT="${SSH_PORT:-22}"
 NODE_NAME="${NODE_NAME:-fin-node-01}"
 NODE_DIR="${NODE_DIR:-/opt/remnanode}"
 SECRET_KEY="${SECRET_KEY:-}"
 MASTER_API_URL="${MASTER_API_URL:-https://rat-api.sesur.dev}"
 NODE_PORT="${NODE_PORT:-2222}"
 ENABLE_UFW="${ENABLE_UFW:-true}"
 # =========================
 # Helpers
 # =========================
 log() {
  echo
  echo "==> $1"
 }
 require_root() {
  if [[ "${EUID}" -ne 0 ]]; then
    echo "Run as root"
    exit 1
  fi
 }
 require_secret() {
  if [[ -z "${SECRET_KEY}" ]]; then
    echo "SECRET_KEY is empty."
    echo 'Run like:'
    echo 'SECRET_KEY="your-secret" MASTER_API_URL="https://rat-api.sesur.dev" bash bootstrap-remnanode.sh'
    exit 1
  fi
 }
 # =========================
 # Main
 # =========================
 require_root
 require_secret
 log "Updating system"
 apt-get update
 DEBIAN_FRONTEND=noninteractive apt-get upgrade -y
 log "Installing base packages"
 DEBIAN_FRONTEND=noninteractive apt-get install -y \
  ca-certificates curl gnupg lsb-release \
  ufw unattended-upgrades nano logrotate
 log "Enable automatic security updates"
 dpkg-reconfigure -f noninteractive unattended-upgrades || true
 log "Creating admin user"
 if ! id -u "${ADMIN_USER}" >/dev/null 2>&1; then
  adduser --disabled-password --gecos "" "${ADMIN_USER}"
 fi
 usermod -aG sudo "${ADMIN_USER}"
 log "Configuring passwordless sudo for ${ADMIN_USER}"
 echo "${ADMIN_USER} ALL=(ALL) NOPASSWD:ALL" >/etc/sudoers.d/90-${ADMIN_USER}
 chmod 440 /etc/sudoers.d/90-${ADMIN_USER}
 if [[ -f /root/.ssh/authorized_keys ]]; then
  mkdir -p "/home/${ADMIN_USER}/.ssh"
  cp /root/.ssh/authorized_keys "/home/${ADMIN_USER}/.ssh/authorized_keys"
  chown -R "${ADMIN_USER}:${ADMIN_USER}" "/home/${ADMIN_USER}/.ssh"
  chmod 700 "/home/${ADMIN_USER}/.ssh"
  chmod 600 "/home/${ADMIN_USER}/.ssh/authorized_keys"
 fi
 log "Hardening SSH"
 SSHD_CONFIG="/etc/ssh/sshd_config"
 cp "${SSHD_CONFIG}" "${SSHD_CONFIG}.bak.$(date +%s)"
 sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' "${SSHD_CONFIG}"
 sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' "${SSHD_CONFIG}"
 sed -i 's/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/' "${SSHD_CONFIG}"
 if grep -q '^AllowUsers' "${SSHD_CONFIG}"; then
  sed -i "s/^AllowUsers.*/AllowUsers ${ADMIN_USER}/" "${SSHD_CONFIG}"
 else
  echo "AllowUsers ${ADMIN_USER}" >> "${SSHD_CONFIG}"
 fi
 systemctl restart ssh || systemctl restart sshd
 log "Installing Docker"
 if ! command -v docker >/dev/null; then
  curl -fsSL https://get.docker.com | sh
 fi
 systemctl enable docker
 systemctl start docker
 usermod -aG docker "${ADMIN_USER}"
 log "Configure Docker logs"
 mkdir -p /etc/docker
 cat >/etc/docker/daemon.json <<'EOF'
 {
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "50m",
    "max-file": "3"
  }
 }
 EOF
 systemctl restart docker
 log "Applying kernel network hardening"
 cat >/etc/sysctl.d/99-remnanode-security.conf <<'EOF'
 net.ipv4.tcp_syncookies = 1
 net.ipv4.conf.all.rp_filter = 1
 net.ipv4.conf.default.rp_filter = 1
 net.ipv4.icmp_echo_ignore_broadcasts = 1
 net.ipv4.conf.all.accept_redirects = 0
 net.ipv4.conf.default.accept_redirects = 0
 net.ipv4.conf.all.send_redirects = 0
 net.ipv4.conf.default.send_redirects = 0
 net.ipv4.conf.all.accept_source_route = 0
 net.ipv4.conf.default.accept_source_route = 0
 EOF
 sysctl --system
 if [[ "${ENABLE_UFW}" == "true" ]]; then
  log "Configuring firewall"
  ufw --force reset
  ufw default deny incoming
  ufw default allow outgoing
  ufw allow "${SSH_PORT}/tcp"
  ufw allow 443/tcp
  ufw allow "${NODE_PORT}/tcp"
  ufw --force enable
 fi
 log "Creating log directory"
 mkdir -p /var/log/remnanode
 chown root:root /var/log/remnanode
 chmod 755 /var/log/remnanode
 log "Configuring logrotate for remnanode"
 cat >/etc/logrotate.d/remnanode <<'EOF'
 /var/log/remnanode/*.log {
    size 50M
    rotate 5
    compress
    missingok
    notifempty
    copytruncate
 }
 EOF
 log "Creating Remnawave node"
 mkdir -p "${NODE_DIR}"
 cat >"${NODE_DIR}/.env" <<EOF
 SECRET_KEY=${SECRET_KEY}
 NODE_PORT=${NODE_PORT}
 API_HOST=${MASTER_API_URL}
 EOF
 cat >"${NODE_DIR}/docker-compose.yml" <<EOF
 services:
  remnanode:
    image: remnawave/node:latest
    container_name: remnanode
    hostname: ${NODE_NAME}
    network_mode: host
    restart: unless-stopped
    env_file:
      - .env
    cap_add:
      - NET_ADMIN
    volumes:
      - /var/log/remnanode:/var/log/remnanode
    ulimits:
      nofile:
        soft: 1048576
        hard: 1048576
    logging:
      driver: json-file
      options:
        max-size: "50m"
        max-file: "3"
 EOF
 cd "${NODE_DIR}"
 log "Starting node"
 docker compose up -d
 docker compose ps
 echo
 echo "Node installation complete"
 echo
 echo "Master API: ${MASTER_API_URL}"
 echo "Node name: ${NODE_NAME}"
 echo "Node dir: ${NODE_DIR}"
 echo "Logs dir: /var/log/remnanode"
 echo
--- a/services/remnawave/remnawave-nodes/node.env.template
+++ b/services/remnawave/remnawave-nodes/node.env.template
@ -0,0 +1,39 @@
 #####################################
 # Remnawave Node Bootstrap Template
 #####################################
 # Admin user created on VPS
 ADMIN_USER=pvlx
 # SSH port (default 22)
 SSH_PORT=22
 #####################################
 # Node identity
 #####################################
 # Name shown in docker / hostname
 NODE_NAME=fin-node-01
 # Node working directory
 NODE_DIR=/opt/remnanode
 #####################################
 # Remnawave connection
 #####################################
 # SECRET KEY generated in Remnawave panel
 SECRET_KEY=PASTE_NODE_SECRET_HERE
 # Remnawave API endpoint
 MASTER_API_URL=https://rat-api.sesur.dev
 # Node control port
 NODE_PORT=2222
 #####################################
 # Firewall
 #####################################
 # Enable UFW firewall
 ENABLE_UFW=true
		`@ -0,0 +1,2 @@`
							`#!/usr/bin/env bash`
							`docker compose --env-file /srv/authentik/.env up -d`