Attempt to tidy up Caddy and Metrics

deployment/docker/Caddyfile

@@ -1,3 +0,0 @@
-your-domain.com {
-	reverse_proxy 127.0.0.1:7000
-}

deployment/docker/docker-compose-caddy.yaml

@@ -1,21 +0,0 @@
-version: "3.7"
-
-services:
-  caddy:
-    image: caddy:latest
-    restart: unless-stopped
-    cap_add:
-      - NET_ADMIN
-    ports:
-      - "80:80"
-      - "443:443"
-      - "443:443/udp"
-    volumes:
-      - $PWD/Caddyfile:/etc/caddy/Caddyfile
-      - $PWD/site:/srv
-      - caddy_data:/data
-      - caddy_config:/config
-
-volumes:
-  caddy_data:
-  caddy_config:

deployment/docker/docker-compose.yaml

@@ -116,23 +116,29 @@ services:
     networks:
       - knightcrawler-network
 
-  addon:
-    image: gabisonfire/knightcrawler-addon:latest
-    ports:
-      - "7000:7000"
-    labels:
-      logging: "promtail"
-    env_file:
-      - .env
-    <<: *knightcrawler-app
-    networks:
-      - knightcrawler-network
+addon:
+  <<: *knightcrawler-app
+  env_file:
+    - .env
+  hostname: knightcrawler-addon
+  image: gabisonfire/knightcrawler-addon:latest
+  labels:
+    logging: "promtail"
+  networks:
+    - knightcrawler-network
+  ports:
+    - "7000:7000"
+
       
 networks:
   knightcrawler-network:
     driver: bridge
     name: knightcrawler-network
 
+  caddy:
+    name: caddy
+    external: true
+
 volumes:
   postgres:
   mongo:

deployment/docker/example_cloudflare_tunnel/.env.example

@@ -0,0 +1 @@
+TOKEN=cloudflare-tunnel-token-here

deployment/docker/example_cloudflare_tunnel/docker-compose.yml

@@ -0,0 +1,18 @@
+name: cloudflared
+
+networks:
+  cloudflare-tunnel:
+    name: cloudflare-tunnel
+    external: true
+
+services:
+  cloudflared:
+    container_name: cloudflared
+    command: tunnel --no-autoupdate run --token ${TOKEN}
+    hostname: cloudflared
+    image: cloudflare/cloudflared:latest
+    networks:
+      - cloudflare-tunnel
+    restart: always
+    security_opt:
+      - no-new-privileges:true

deployment/docker/optional_metrics/docker-compose.yml

@@ -1,74 +1,76 @@
-version: '3.8'
 name: knightcrawler-metrics
 
+networks:
+  knightcrawler-network:
+    external: true
+
+volumes:
+  grafana-data:
+  loki-data:
+    
 services:
   prometheus:
-    image: prom/prometheus:v2.20.1
-    volumes:
-      - ./config/prometheus/config.yml:/etc/prometheus/prometheus.yml
     command:
       - '--config.file=/etc/prometheus/prometheus.yml'
-    ports:
-      - "9090:9090"
+    image: prom/prometheus:v2.20.1
     networks:
       - knightcrawler-network
-    
-  grafana:
-    image: grafana/grafana:latest
+    ports:
+      - 9090:9090
     volumes:
-      - ./config/grafana/datasources:/etc/grafana/provisioning/datasources
-      - ./config/grafana/dashboards/dashboards.yml:/etc/grafana/provisioning/dashboards/dashboards.yml
-      - ./config/grafana/dashboards/logs.json:/var/lib/grafana/dashboards/logs.json
-      - grafana-data:/var/lib/grafana
-    ports:
-      - "3000:3000"
-    environment:
-      - GF_PATHS_PROVISIONING=/etc/grafana/provisioning
-      - GF_SECURITY_ADMIN_USER=admin
-      - GF_SECURITY_ADMIN_PASSWORD=admin_password
-    depends_on:
-      - prometheus
-    networks:
-      - knightcrawler-network
+      - ./config/prometheus/config.yml:/etc/prometheus/prometheus.yml
+
+grafana:
+  depends_on:
+    - prometheus
+  environment:
+    - GF_PATHS_PROVISIONING=/etc/grafana/provisioning
+    - GF_SECURITY_ADMIN_PASSWORD=admin_password
+    - GF_SECURITY_ADMIN_USER=admin
+  image: grafana/grafana:latest
+  networks:
+    - knightcrawler-network
+  ports:
+    - "3000:3000"
+  volumes:
+    - ./config/grafana/dashboards/dashboards.yml:/etc/grafana/provisioning/dashboards/dashboards.yml
+    - ./config/grafana/dashboards/logs.json:/var/lib/grafana/dashboards/logs.json
+    - ./config/grafana/datasources:/etc/grafana/provisioning/datasources
+    - grafana-data:/var/lib/grafana
 
   postgres-exporter:
-    image: prometheuscommunity/postgres-exporter
     env_file:
-      - .env
+      - ../.env
     environment:
       DATA_SOURCE_NAME: "postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DB}?sslmode=disable"
+    image: prometheuscommunity/postgres-exporter
     networks:
       - knightcrawler-network
       
   promtail:
     image: grafana/promtail:2.9.4
     volumes:
+      - ./config/promtail/config.yml:/etc/promtail/config.yml
       - /var/lib/docker/containers:/var/lib/docker/containers:ro
       - /var/run/docker.sock:/var/run/docker.sock
-      - ./config/promtail/config.yml:/etc/promtail/config.yml
-    command: -config.file=/etc/promtail/config.yml
+    command:
+      - '-config.file=/etc/promtail/config.yml'
     depends_on:
       - prometheus
       - loki
     networks:
       - knightcrawler-network
+
       
   loki:
-    image: grafana/loki:2.9.4
-    command: -config.file=/etc/loki/local-config.yml
+    command: '-config.file=/etc/loki/local-config.yml'
     depends_on:
-      - prometheus
       - grafana
-    volumes:
-      - loki-data:/loki
-      - ./config/loki/config.yml:/etc/loki/local-config.yml
+      - prometheus
+    image: grafana/loki:2.9.4
     networks:
       - knightcrawler-network
-        
-volumes:
-  loki-data:
-  grafana-data:
-      
-networks:
-  knightcrawler-network:
-    external: true
+    volumes:
+      - ./config/loki/config.yml:/etc/loki/local-config.yml
+      - loki-data:/loki
+

deployment/docker/optional_reverse_proxy/configs/Caddyfile

@@ -0,0 +1,62 @@
+{
+	## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+	## Let's Encrpyt staging environment
+	## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+	## Once you have confirmed Caddy works you should comment out
+	## the below line:
+	acme_ca https://acme-staging-v02.api.letsencrypt.org/director
+}
+
+(security-headers) {
+	## These are the recommended default settings in Caddy documentation
+	## https://caddyserver.com/docs/caddyfile/directives/header
+	header {
+		## disable FLoC tracking
+		Permissions-Policy "interest-cohort=()"
+
+		## enable HSTS
+		Strict-Transport-Security "max-age=300;" # 5 minutes
+		## NOTE: I have dramatically lowered the above for testing.
+		## Once you have confirmed that everything works, start increasing the number
+		## the goal is to have HSTS set to one year with subdomains and preloading :
+		## 
+		# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
+		## 
+		## Warning: You should ensure that you fully understand the implications
+		## of HSTS preloading before you include the directive in your policy and
+		## before you submit. It means that your entire domain and all subdomains,
+		## including those managed or maintained by third parties, will only work
+		## with HTTPS. Preloading should be viewed as a one way ticket.
+		## Whilst it is possible to be removed, it can take a long time and you
+		## may not be removed from all browsers.
+
+		## disable clients from sniffing the media type
+		X-Content-Type-Options "nosniff"
+
+		## clickjacking protection
+		X-Frame-Options "DENY"
+	}
+}
+
+(cloudflare-tunnel-protection) {
+	import ./snippets/cloudflare-replace-X-Forwarded-For
+	trusted_proxies 172.17.0.0/16 # This needs to be your docker subnet
+	# I beleive this is what is configured by default.
+	# If you can't make it work ask for my help on discord.
+}
+
+knightcrawler.your-domain.com {
+	## Uncomment to enable logging
+	# log {
+	# 	output file /var/log/caddy/knightcrawler.your-domain.com.log {
+	# 		roll_size 10mb
+	# 		roll_keep 5
+	# 		roll_keep_for 720h
+	# 	}
+	# }
+
+	encode gzip
+	## DO NOT ENABLE UNTIL YOU HAVE DISABLED THE TESTING ENVIRONMENT
+	# import security-headers
+	reverse_proxy knightcrawler-addon:7000
+}

deployment/docker/optional_reverse_proxy/configs/snippets/cloudflare-replace-X-Forwarded-For

@@ -0,0 +1,2 @@
+header_up X-Real-IP {http.request.header.CF-Connecting-IP}
+header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}

deployment/docker/optional_reverse_proxy/docker-compose.yaml

@@ -0,0 +1,39 @@
+name: caddy
+
+networks:
+  caddy:
+    name: caddy
+    external: true
+
+  # cloudflare-tunnel:
+  #   name: cloudflare-tunnel
+  #   external: true
+
+volumes:
+  config:
+  data:
+
+services:
+  # Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
+  # https://github.com/caddyserver/caddy
+  caddy:
+    cap_add:
+      - NET_ADMIN
+    container_name: caddy
+    hostname: caddy
+    image: caddy:2.7.6 # May be out of date, but using the `:latest` tag is how you accidentally break your server
+    networks:
+      - caddy
+      # - cloudflare-tunnel
+    ports:
+      - 80:80
+      - 443:443
+      - 443:443/udp
+    restart: always
+    security_opt:
+      - no-new-privileges:true
+    volumes:
+      - ./configs/:/etc/caddy/ # /etc/caddy/Caddyfile and /etc/caddy/snippets/
+      - ./logs:/var/log/caddy/
+      - config:/config
+      - data:/data