{"id":49571009,"url":"https://github.com/rubennati/secure-docker-blueprint","last_synced_at":"2026-05-03T14:02:07.595Z","repository":{"id":351894498,"uuid":"1212900498","full_name":"rubennati/secure-docker-blueprint","owner":"rubennati","description":"Security-hardened Docker Compose blueprint for self-hosted infrastructure — Traefik reverse proxy, CrowdSec integration, Authentik SSO, standardized patterns, Docker Secrets, network isolation.","archived":false,"fork":false,"pushed_at":"2026-04-26T22:32:39.000Z","size":772,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-26T23:21:42.260Z","etag":null,"topics":["authentik","blueprint","crowdsec","docker","docker-compose","homelab","infrastructure-as-code","nextcloud","onlyoffice","paperless-ngx","self-hosted","traefik","wordpress"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rubennati.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":"ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-16T21:01:38.000Z","updated_at":"2026-04-20T20:58:13.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/rubennati/secure-docker-blueprint","commit_stats":null,"previous_names":["rubennati/secure-docker-blueprint"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/rubennati/secure-docker-blueprint","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rubennati%2Fsecure-docker-blueprint","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rubennati%2Fsecure-docker-blueprint/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rubennati%2Fsecure-docker-blueprint/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rubennati%2Fsecure-docker-blueprint/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rubennati","download_url":"https://codeload.github.com/rubennati/secure-docker-blueprint/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rubennati%2Fsecure-docker-blueprint/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32571456,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-03T06:36:36.687Z","status":"ssl_error","status_checked_at":"2026-05-03T06:36:09.306Z","response_time":103,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentik","blueprint","crowdsec","docker","docker-compose","homelab","infrastructure-as-code","nextcloud","onlyoffice","paperless-ngx","self-hosted","traefik","wordpress"],"created_at":"2026-05-03T14:02:06.148Z","updated_at":"2026-05-03T14:02:07.572Z","avatar_url":"https://github.com/rubennati.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Secure Docker Blueprint\n\n**Modular, security-hardened Docker Compose setups for self-hosted infrastructure.**\n\nProduction-ready configurations for 15+ services — with standardized patterns, Docker Secrets, Traefik routing, and network isolation out of the box.\n\n[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](LICENSE)\n[![Version](https://img.shields.io/badge/version-v0.5.0-blue)](CHANGELOG.md)\n[![Status](https://img.shields.io/badge/status-pre--1.0-yellow)](ROADMAP.md)\n\n\u003e **Pre-1.0** — structure is stable and core services are ready to use, but paths, env variables, and defaults can still change before v1.0. See [ROADMAP.md](ROADMAP.md) for the v1.0 criteria.\n\n---\n\n## Features\n\n- **Docker Secrets** — passwords and tokens never in environment variables\n- **Socket Proxy** — no direct Docker socket access on app containers\n- **Network Isolation** — databases and backends in isolated networks, no internet exposure\n- **Pinned Versions** — every image uses an explicit version tag, never `:latest`\n- **Consistent Structure** — every service follows the same compose and env patterns\n- **Template-based Config** — Traefik and dnsmasq configs rendered via `envsubst`\n- **Modular** — use any combination of services, each works independently\n- **Zero Hardcoded Values** — everything configurable via `.env`\n\n## What's Included\n\n### Core Infrastructure\n\n| Service | Status | Description |\n|---------|--------|-------------|\n| [Traefik](core/traefik/) | ✅ | Reverse proxy with Socket Proxy, 5 security levels, 3 TLS profiles, access policies |\n| [Authentik](core/authentik/) | ✅ | SSO / Identity Provider for centralized authentication (Forward-Auth, OAuth2 / OIDC / SAML) |\n| [OnlyOffice](core/onlyoffice/) | ✅ | Document editing server for Seafile, Nextcloud, etc. |\n| [dnsmasq](core/dnsmasq/) | ✅ | DNS forwarder with wildcard zones for Tailscale / split-DNS setups |\n| [acme-certs](core/acme-certs/) | 🚧 | Certificate tool (acme.sh) for devices without Traefik (NAS, routers) |\n| [CrowdSec](core/crowdsec/) | ✅ | Intrusion detection engine + Traefik bouncer plugin — log analysis, threat decisions, L7 blocking |\n| [Whoami](core/whoami/) | ✅ | Traefik debug service to verify routing, TLS, and middlewares |\n| [Dockhand](core/dockhand/) | ✅ | Docker management with Git-based stacks |\n| [Portainer](core/portainer/) | ✅ | Docker management UI |\n| [Hawser](core/hawser/) | ✅ | Remote Docker agent for Dockhand |\n| [Portainer Agent](core/portainer-agent/) | ✅ | Remote Docker agent for Portainer (multi-host) |\n\nPlanned in `core/`: Keycloak (alternative / heavier IAM next to Authentik).\n\n### Repository layout\n\nFive top-level areas, each with a clear mandate. Per-category READMEs (`core/README.md`, `business/README.md`, `monitoring/README.md`, `backup/README.md`) describe what belongs where and why.\n\n| Directory | Scope |\n|---|---|\n| [`core/`](core/) | Infrastructure shared by everything — Traefik, CrowdSec, identity providers (Authentik + Keycloak planned), OnlyOffice, certs |\n| [`apps/`](apps/) | General-purpose self-hosted apps — equally useful for private homelab or a company |\n| [`business/`](business/) | Apps that only make sense in a company context — invoicing, helpdesk, newsletter, compliance |\n| [`monitoring/`](monitoring/) | Ops observability — uptime, metrics, content-change watching, disk SMART |\n| [`backup/`](backup/) | Ops backup — Kopia / Bareos / UrBackup, structurally separate because of privileged access + remote targets |\n\n### Applications\n\nThe blueprint takes a **choice-matrix** approach: where several tools compete (dashboards, photo galleries, wikis, form builders), multiple options are included so you can test and pick what fits.\n\n**Status:** ✅ Ready · 🚧 Draft · 📋 Planned\n\n#### Dashboards \u0026 launchers\n\n| App | Stack | Status | Description |\n|---|---|---|---|\n| [Dashy](apps/dashy/) | Single container | ✅ | Homelab dashboard, YAML-configured |\n| [Heimdall](apps/heimdall/) | Single container (LSIO) | ✅ | App-launcher with widget support |\n| [Homarr](apps/homarr/) | Single container | ✅ | Modern dashboard with rich integrations |\n| [Homepage](apps/homepage/) | Single container | 🚧 | File-based YAML dashboard (gethomepage) |\n\n#### Publishing \u0026 knowledge\n\n| App | Stack | Status | Description |\n|---|---|---|---|\n| [Ghost](apps/ghost/) | App + MySQL | ✅ | Blog / CMS with SMTP + optional ActivityPub (Fediverse) |\n| [WordPress](apps/wordpress/) | App + MariaDB | ✅ | Classic CMS, hardened (mu-plugin + test-script) |\n| [BookStack](apps/bookstack/) | App (LSIO) + MariaDB | 🚧 | Wiki / knowledge base (Laravel) |\n\n#### Photo galleries\n\nFive options — test and pick what fits your workflow.\n\n| App | Stack | Status | Description |\n|---|---|---|---|\n| [Immich](apps/immich/) | Server + ML + Postgres (pgvectors) + Valkey | 🚧 | AI-powered photo backup with mobile apps |\n| [LibrePhotos](apps/librephotos/) | Nginx + Django+ML + React + pgautoupgrade | 🚧 | Google-Photos-like (OwnPhotos fork) |\n| [Lychee](apps/lycheeorg/) | App (Laravel) + MariaDB + Redis | 🚧 | Clean, fast gallery |\n| [PhotoPrism](apps/photoprism/) | App (Go+TensorFlow) + MariaDB | 🚧 | AI classification + WebDAV |\n| [Photoview](apps/photoview/) | App (Go+GraphQL) + MariaDB | 🚧 | RAW processing + face recognition |\n\n#### Scheduling \u0026 booking\n\nThree 1:1-booking apps as a choice-matrix (pick one), plus a planned group-polling tool for a different axis.\n\n| App | Stack | Status | When to use |\n|---|---|---|---|\n| [Cal.com](apps/calcom/) | Next.js + Postgres | 🚧 | Commercial-ready pathway, feature-richest, AGPL + commercial licence. **2026 note:** production codebase goes closed-source — see [calcom/UPSTREAM.md](apps/calcom/UPSTREAM.md). |\n| [Cal.diy](apps/caldiy/) | Next.js + Postgres | 🚧 | MIT community edition of Cal.com, \"personal / non-production\" per upstream. Pick if strict OSS matters. |\n| [Easy!Appointments](apps/easyappointments/) | PHP + MariaDB | 🚧 | Lightweight PHP alternative, established 2013, simpler than Cal.com, GPL-3.0. |\n\nPlanned: **Rallly** (group scheduling polls — Doodle alternative, complementary not competing with the 1:1 bookers above).\n\n#### Productivity \u0026 personal\n\n| App | Stack | Status | Description |\n|---|---|---|---|\n| [Monica](apps/monicahq/) | App (Laravel) + MariaDB | 🚧 | Personal CRM for relationships |\n| [NocoDB](apps/nocodb/) | Single container + SQLite | ✅ | No-code database / spreadsheet UI (Airtable alternative) |\n| [OpnForm](apps/opnform/) | API (Laravel) + UI (Nuxt) + Postgres + Redis | 🚧 | Self-hosted form builder (Typeform alternative) |\n| [n8n](apps/n8n/) | Single container + SQLite | ✅ | Visual workflow automation (Zapier alternative) |\n\n\u003e **Cloud-free data-collection chain:** `OpnForm → n8n → NocoDB` — forms collect, n8n transforms, NocoDB stores + presents. All three on `proxy-public`, addressable as `http://\u003capp\u003e-app:\u003cport\u003e` for internal calls.\n\n#### File sync \u0026 documents\n\n| App | Stack | Status | Description |\n|---|---|---|---|\n| [Nextcloud](apps/nextcloud/) | App + MariaDB + Redis + Nginx + Cron | ✅ | File sync, collaboration, optional OnlyOffice |\n| [Paperless-ngx](apps/paperless-ngx/) | App + Postgres + Redis + Gotenberg + Tika | ✅ | Document management with OCR, optional Authentik SSO |\n| [Seafile](apps/seafile/) | App + MariaDB + Memcached + optional components | ✅ | File sync \u0026 share (community edition) |\n| [Seafile Pro](apps/seafile-pro/) | App + MariaDB + Memcached + SeaDoc + ClamAV + SeaSearch | ✅ | File sync \u0026 share (pro edition) |\n\n#### Identity \u0026 security\n\n| App | Stack | Status | Description |\n|---|---|---|---|\n| [Vaultwarden](apps/vaultwarden/) | App + MariaDB | ✅ | Bitwarden-compatible password manager |\n\nPlanned (apps/): Headscale (self-hosted Tailscale control server), PrivateBin, SnapPass.\n\n#### Networking\n\n| App | Stack | Status | Description |\n|---|---|---|---|\n| [UniFi Network App](apps/unifi/) | Controller (LSIO) + MongoDB 4.4 | 🚧 | Ubiquiti UniFi device controller |\n\n#### Developer \u0026 admin tools\n\n| App | Stack | Status | Description |\n|---|---|---|---|\n| [Adminer](apps/adminer/) | Single container | ✅ | Database administration UI (connects to other apps' DBs) |\n| [IT-Tools](apps/it-tools/) | Single container | ✅ | Collection of IT / developer utilities (JSON, hash, regex, etc.) |\n\nDocker-management tools (Dockhand / Portainer / Hawser) moved to [`core/`](core/) — they're infrastructure, not apps.\n\nPlanned (apps/): Wiki.js, Outline, Formbricks, HeyForm, Shlink.\n\n### Business apps\n\nSee [`business/README.md`](business/README.md) for the full category README + rollout phases.\n\n| App | Function | Status | Description |\n|---|---|---|---|\n| [Invoice Ninja](business/invoiceninja/) | Billing | ✅ | Invoicing, quotes, client portal |\n| [Dolibarr](business/dolibarr/) | ERP / CRM | 🚧 | Accounting, projects, HR, inventory |\n| [Kimai](business/kimai/) | Time tracking | 🚧 | Per-project/customer hours → Invoice Ninja |\n| [Listmonk](business/listmonk/) | Newsletter | 🚧 | Mailing list + transactional mail |\n| [Matomo](business/matomo/) | Web analytics | 🚧 | GDPR-compliant, full-featured (Google Analytics alternative) |\n| [Zammad](business/zammad/) | Helpdesk | 🚧 | Full 7-service helpdesk / ticketing / SLA |\n| [OpenSign](business/opensign/) | E-signatures | 🚧 | DocuSign alternative, eIDAS-capable |\n\nPlanned: Ackee, Plausible CE, Live Helper Chat, Eramba GRC.\n\n### Monitoring\n\nSee [`monitoring/README.md`](monitoring/README.md) for the full category README.\n\n| App | Axis | Status | Description |\n|---|---|---|---|\n| [Uptime Kuma](monitoring/uptime-kuma/) | Uptime (UI) | 🚧 | Click-config uptime monitor, 90+ notification integrations |\n| [Gatus](monitoring/gatus/) | Uptime (YAML) | 🚧 | Config-as-code health checks with Prometheus export |\n| [Beszel](monitoring/beszel/) | Host metrics (hub) | 🚧 | Lightweight hub + local agent for CPU / RAM / disk / docker stats |\n| [Beszel Agent](monitoring/beszel-agent/) | Host metrics (remote agent) | 🚧 | Standalone agent for additional hosts; pairs with Beszel hub |\n| [changedetection.io](monitoring/changedetection/) | Content watcher | 🚧 | Page diff + notification (restock / price / ToS) |\n| [Healthchecks](monitoring/healthchecks/) | Cron / scheduled-job | 🚧 | Dead-man's switch for backups / cron / scheduled tasks |\n\nPlanned: Statping, ciao, Checkmate, Zabbix, Grafana + Prometheus, Scrutiny.\n\n### Backup\n\nSee [`backup/README.md`](backup/README.md) for tool choices and the per-app isolation principle.\n\nPlanned: Kopia, Borgmatic, Bareos, UrBackup.\n\n## Quick Start\n\n```bash\n# Clone\ngit clone https://github.com/your-user/secure-docker-blueprint.git\ncd secure-docker-blueprint\n\n# 1. Start Traefik (required for all apps)\ncd core/traefik\ncp .env.example .env # Edit: domain, email, DNS provider\n./ops/scripts/render.sh # Render config templates\ndocker compose up -d\n\n# 2. Add an app (e.g. Vaultwarden)\ncd ../../apps/vaultwarden\ncp .env.example .env # Edit: domain, security level\n\nmkdir -p secrets\nopenssl rand -base64 32 \u003e secrets/db_pwd.txt\nopenssl rand -base64 32 \u003e secrets/db_root_pwd.txt\n\ndocker compose up -d\n```\n\nEvery app follows the same workflow: copy `.env.example` → create secrets → `docker compose up -d`.\n\n## Security Model\n\nEvery service in this blueprint enforces:\n\n| Rule | How |\n|------|-----|\n| No privilege escalation | `no-new-privileges:true` on every container |\n| Secrets not in env vars | Docker Secrets with `_FILE` pattern or custom entrypoint |\n| No direct socket access | Socket Proxy with granular API filtering |\n| Network isolation | Internal networks for databases and backend services |\n| Read-only filesystem | Where the image supports it |\n| Minimal capabilities | `cap_drop: ALL` where possible |\n\nThree patterns for secret handling:\n\n| Scenario | Pattern |\n|----------|---------|\n| Image supports `_FILE` env vars | `POSTGRES_PASSWORD_FILE: /run/secrets/...` |\n| Image doesn't support `_FILE` | Custom entrypoint reads secret at runtime |\n| Secret embedded in JSON config | Env var in `.env` (gitignored) |\n\n## Project Structure\n\n```\nsecure-docker-blueprint/\n│\n├── core/ # Infrastructure (always needed)\n│ ├── traefik/ # Reverse proxy + socket proxy\n│ ├── authentik/ # SSO / Identity provider\n│ ├── crowdsec/ # Intrusion detection + Traefik bouncer\n│ ├── onlyoffice/ # Document editing server\n│ ├── dnsmasq/ # DNS forwarder / split-DNS\n│ ├── acme-certs/ # Certificate tool (acme.sh)\n│ ├── whoami/ # Traefik debug service\n│ ├── dockhand/ # Docker management (Git-based stacks)\n│ ├── hawser/ # Remote Docker agent for Dockhand\n│ ├── portainer/ # Docker management UI\n│ └── portainer-agent/ # Remote Docker agent for Portainer\n│\n├── apps/ # General-purpose apps (homelab + company)\n│ ├── dashy/ heimdall/ homarr/ homepage/\n│ ├── ghost/ wordpress/ bookstack/\n│ ├── immich/ paperless-ngx/ nextcloud/ seafile/ seafile-pro/\n│ ├── vaultwarden/\n│ ├── nocodb/ n8n/ opnform/ monicahq/\n│ ├── calcom/ caldiy/ easyappointments/\n│ ├── adminer/ it-tools/ unifi/\n│ └── ...\n│\n├── business/ # Company-only apps\n│ ├── invoiceninja/ dolibarr/ kimai/\n│ ├── listmonk/ matomo/ zammad/ opensign/\n│ └── ...\n│\n├── monitoring/ # Ops observability\n│ ├── uptime-kuma/ gatus/ beszel/ changedetection/ healthchecks/\n│ └── ...\n│\n├── backup/ # Backup tooling\n│\n├── docs/\n│ ├── standards/ # Conventions and patterns\n│ ├── bugfixes/ # Per-incident root-cause docs\n│ ├── audits/ # Consistency \u0026 maintenance audit logs\n│ └── templates/ # Starter template for new apps\n│\n└── scripts/\n └── overview.sh # Dashboard of all running services\n```\n\n### Per-App Layout\n\nEvery app follows the same structure:\n\n```\napps/example/\n├── docker-compose.yml # Standardized block order\n├── .env.example # All variables with placeholders\n├── config/ # Config files (committed)\n├── secrets/ # Secret files (gitignored)\n└── volumes/ # Persistent data (gitignored)\n```\n\n## Conventions\n\nAll services follow documented standards. See [docs/standards/](docs/standards/):\n\n- **[Compose Structure](docs/standards/compose-structure.md)** — block order, rules, common patterns\n- **[Env Structure](docs/standards/env-structure.md)** — section order, variable rules, checklist\n- **[Naming Conventions](docs/standards/naming-conventions.md)** — containers, env vars, networks, volumes, file structure\n- **[Traefik Labels](docs/standards/traefik-labels.md)** — routing pattern, security levels, TLS profiles\n- **[Security Baseline](docs/standards/security-baseline.md)** — required hardening, secret patterns, socket proxy rules\n- **[Networking](docs/standards/networking.md)** — network types, isolation rules, special cases\n\n## Adding a New App\n\n```bash\ncp -r docs/templates apps/my-new-app\ncd apps/my-new-app\n# Edit docker-compose.yml and .env.example following the standards\n```\n\nSee [docs/templates/README.md](docs/templates/README.md) for details.\n\n## Dashboard\n\nQuick overview of all configured services:\n\n```bash\n./scripts/overview.sh\n```\n\n## Requirements\n\n- **Docker** 24.0+ with Compose v2\n- **Linux** host (tested on Debian 12/13)\n- **Domain** with a DNS provider supported by Traefik (e.g. Cloudflare)\n- **Optional:** Tailscale for `acc-tailscale` access policies\n\n## Roadmap\n\nSee [ROADMAP.md](ROADMAP.md) for planned features, services under evaluation, and future ideas.\n\n## Contributing\n\nContributions are welcome. Please follow the [conventions](docs/standards/) when adding new services or modifying existing ones.\n\n## License\n\n[Apache License 2.0](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frubennati%2Fsecure-docker-blueprint","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frubennati%2Fsecure-docker-blueprint","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frubennati%2Fsecure-docker-blueprint/lists"}