fosrl/docs
1
0
Fork 0
mirror of https://github.com/fosrl/docs.git synced 2025-05-12 13:20:43 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

standarize code block formatting with prettier

Browse source
This commit is contained in:
miloschwartz 2025-04-10 21:56:12 -04:00
parent 8d980307e0
commit e301452e0d
No known key found for this signature in database
42 changed files with 832 additions and 813 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
packages/docusaurus/.prettierrc
View file

@ -1,5 +1,5 @@
{
"tabWidth": 4,
"printWidth": 80,
"trailingComma": "none"
"tabWidth": 2,
"printWidth": 80,
"trailingComma": "none"
}

24
packages/docusaurus/docs/01-overview.md
View file

@ -30,32 +30,26 @@ Note that these guides may be out of date, as the project is still in active dev
Fossorial has a couple major components:
### [**Pangolin**](https://github.com/fosrl/pangolin) (Management Application & Central Server)
The central hub for managing the application. Pangolin includes:
- Most business logic.
- External facing rest API.
- WebSocket server for managing Newt sites.
- Internal facing rest API for communication between components on the VPS.
- Frontend server for the web interface.
- Main database for storing data.
- Authentication system.
The central hub for managing the application. Pangolin includes: - Most business logic. - External facing rest API. - WebSocket server for managing Newt sites. - Internal facing rest API for communication between components on the VPS. - Frontend server for the web interface. - Main database for storing data. - Authentication system.
### [**Gerbil**](https://github.com/fosrl/gerbil) (WireGuard Interface Management)
Acts as the intermediary for managing WireGuard configurations. It creates and maintains the secure tunnels between sites and the Pangolin server.
Acts as the intermediary for managing WireGuard configurations. It creates and maintains the secure tunnels between sites and the Pangolin server.
### [**Traefik**](https://github.com/traefik/traefik) (Reverse Proxy)
A high-performance, modular reverse proxy that routes requests to private resources. Traefik is widely adopted, and its plugin system allows further customization and security enhancements. For example:
- Out-of-the-box compatibility with plugins like [Fail2Ban](https://plugins.traefik.io/plugins/628c9ebcffc0cd18356a979f/fail2-ban) or [CrowdSec](https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin).
- Enhanced security via our custom Traefik plugin Badger, which acts as an authentication bouncer.
A high-performance, modular reverse proxy that routes requests to private resources. Traefik is widely adopted, and its plugin system allows further customization and security enhancements. For example: - Out-of-the-box compatibility with plugins like [Fail2Ban](https://plugins.traefik.io/plugins/628c9ebcffc0cd18356a979f/fail2-ban) or [CrowdSec](https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin). - Enhanced security via our custom Traefik plugin Badger, which acts as an authentication bouncer.
### [**Badger**](https://github.com/fosrl/badger) (Traefik Plugin Middleware):
A custom Traefik plugin that acts as an authentication bouncer. Badger:
- Intercepts requests to the Traefik reverse proxy.
- Redirects unauthenticated requests to the Pangolin server for authentication.
### [**Newt**](https://github.com/fosrl/newt) (Minimal User Space WireGuard Client)
A lightweight client designed to run on the private network. Newt:
- Connects to the Pangolin server via WebSocket and Gerbil via fully user space WireGuard
- Facilitates networking through its connection to Gerbil and creating TCP proxies
A lightweight client designed to run on the private network. Newt: - Connects to the Pangolin server via WebSocket and Gerbil via fully user space WireGuard - Facilitates networking through its connection to Gerbil and creating TCP proxies
## System Diagram

13
packages/docusaurus/docs/02-Getting Started/02-dns-networking.md
View file

@ -45,7 +45,6 @@ Docker automatically creates iptables NAT rules when container ports are publish
:::
Following ports should be exposed on Operating system level.
### TCP 80
@ -78,9 +77,9 @@ By default the config defaults to using the bellow settings:
```yaml
gerbil:
block_size: 24
site_block_size: 30
subnet_group: 100.89.137.0/20
block_size: 24
site_block_size: 30
subnet_group: 100.89.137.0/20
```
This means that Gerbil will choose the first /24 subnet in the `100.89.137.0/20` range to operate its network. `100.89.137.0/20` is in the CGNAT range which should avoid overlap with most private networks, but if it does please make sure to change this in your config **before** registering your first Gerbil.
@ -109,7 +108,7 @@ Since Cloudflare proxy obscures the destination IP of the host, you will also ne
```yaml
gerbil:
start_port: 51820
# highlight-next-line
base_endpoint: "104.21.16.1" # Replace with your VPS IP
start_port: 51820
# highlight-next-line
base_endpoint: "104.21.16.1" # Replace with your VPS IP
```

48
packages/docusaurus/docs/02-Getting Started/03-quick-install.md
View file

@ -5,13 +5,13 @@ import WgetQuickInstaller from "@site/src/components/WgetQuickInstaller";
## Prerequisites
- A Linux system with root access and a public IP address
- We recommend Ubuntu or Debian based systems
- [A domain name pointed to your server's IP address](./02-dns-networking.md)
- [TCP ports 80, 443, and UDP port 51820 exposed to your Linux instance.](./02-dns-networking.md)
- **Note:** Dockers NAT-based port publishing feature automatically exposes all ports defined in `docker-compose` file. This behavior can bypass your host firewall settings, potentially exposing services that you did not intend to make public. It is important to review and manage these port configurations to minimize security risks.
- An email address for Let's Encrypt certificate registration
- (Optionally) a SMTP server
- A Linux system with root access and a public IP address
- We recommend Ubuntu or Debian based systems
- [A domain name pointed to your server's IP address](./02-dns-networking.md)
- [TCP ports 80, 443, and UDP port 51820 exposed to your Linux instance.](./02-dns-networking.md)
- **Note:** Dockers NAT-based port publishing feature automatically exposes all ports defined in `docker-compose` file. This behavior can bypass your host firewall settings, potentially exposing services that you did not intend to make public. It is important to review and manage these port configurations to minimize security risks.
- An email address for Let's Encrypt certificate registration
- (Optionally) a SMTP server
## Using a VPS
@ -58,11 +58,11 @@ You'll need to configure the admin user. This is the first user in the system. Y
1. **Admin Email**: Defaults to `admin@yourdomain.com` but can be customized
2. **Admin Password**: Must meet these requirements:
- At least 8 characters
- At least one uppercase letter
- At least one lowercase letter
- At least one digit
- At least one special character
- At least 8 characters
- At least one uppercase letter
- At least one lowercase letter
- At least one digit
- At least one special character
### 4. Security Settings
@ -77,11 +77,11 @@ Decide whether to enable email functionality. This allows Pangolin to send trans
If enabled, you'll need to provide:
- SMTP host
- SMTP port (defaults to 587)
- SMTP username
- SMTP password
- No-reply email address. This is the sender email address that Pangolin will email from. Many times this should be the same as the username.
- SMTP host
- SMTP port (defaults to 587)
- SMTP username
- SMTP password
- No-reply email address. This is the sender email address that Pangolin will email from. Many times this should be the same as the username.
### 6. Docker Installation
@ -93,11 +93,11 @@ If Docker isn't already installed, the installer will:
Supported distributions:
- Ubuntu/Debian
- Fedora
- OpenSUSE
- RHEL
- Amazon Linux
- Ubuntu/Debian
- Fedora
- OpenSUSE
- RHEL
- Amazon Linux
### 7. Container Deployment
@ -117,5 +117,5 @@ After successful installation:
## Notes
- The installer checks for an existing configuration and won't overwrite it if found
- Docker installation is optional if already present
- The installer checks for an existing configuration and won't overwrite it if found
- Docker installation is optional if already present

8
packages/docusaurus/docs/02-Getting Started/05-quick-setup.md
View file

@ -57,7 +57,7 @@ For example on a Linux client, you can write your copied config to a wg0.conf fi
1. Head to the **Resources** tab and select the `Add Resource` button (or use the tab in the setup workflow)
2. Give your resource a name like "Bitwarden"
3. Choose a subdomain for this resource. The subdomain must be ***globally unique** across all orgs and sites
3. Choose a subdomain for this resource. The subdomain must be **\*globally unique** across all orgs and sites
4. Choose the site that this resource is at. The resource target must be accessible behind the tunnel attached to this site.
5. Press `Create Resource`
@ -68,9 +68,9 @@ For example on a Linux client, you can write your copied config to a wg0.conf fi
1. You should now be on the **Connectivity** page under your new resource
2. If you would like to secure this site with https, leave the `Enable SSL` toggle enabled
3. Add a target for this resource. If your resource is accessible on your internal network at `http://192.168.1.24:8080` for example, then choose the following
Method: HTTP
IP Address: 192.168.1.24
Port: 8080
Method: HTTP
IP Address: 192.168.1.24
Port: 8080
4. Press `Add Target` and you will see the target added to the list and enabled.
5. Press `Save Changes`
6. Try to access your resource by clicking the url at the top

69
packages/docusaurus/docs/03-Pangolin/01-overview.md
View file

@ -10,45 +10,45 @@ _Sites page of Pangolin dashboard (dark mode) showing multiple tunnels connected
### Reverse Proxy Through WireGuard Tunnel
- Expose private resources on your network **without opening ports** (firewall punching).
- Secure and easy to configure site-to-site connectivity via a custom **user space WireGuard client**, [Newt](https://github.com/fosrl/newt).
- Built-in support for any WireGuard client.
- Automated **SSL certificates** (https) via [LetsEncrypt](https://letsencrypt.org/).
- Support for HTTP/HTTPS and **raw TCP/UDP services**.
- Load balancing.
- Expose private resources on your network **without opening ports** (firewall punching).
- Secure and easy to configure site-to-site connectivity via a custom **user space WireGuard client**, [Newt](https://github.com/fosrl/newt).
- Built-in support for any WireGuard client.
- Automated **SSL certificates** (https) via [LetsEncrypt](https://letsencrypt.org/).
- Support for HTTP/HTTPS and **raw TCP/UDP services**.
- Load balancing.
### Identity & Access Management
- Centralized authentication system using platform SSO. **Users will only have to manage one login.**
- **Define access control rules for IPs, IP ranges, and URL paths per resource.**
- TOTP with backup codes for two-factor authentication.
- Create organizations, each with multiple sites, users, and roles.
- **Role-based access control** to manage resource access permissions.
- Additional authentication options include:
- Email whitelisting with **one-time passcodes.**
- **Temporary, self-destructing share links.**
- Resource specific pin codes.
- Resource specific passwords.
- Centralized authentication system using platform SSO. **Users will only have to manage one login.**
- **Define access control rules for IPs, IP ranges, and URL paths per resource.**
- TOTP with backup codes for two-factor authentication.
- Create organizations, each with multiple sites, users, and roles.
- **Role-based access control** to manage resource access permissions.
- Additional authentication options include:
- Email whitelisting with **one-time passcodes.**
- **Temporary, self-destructing share links.**
- Resource specific pin codes.
- Resource specific passwords.
### Simple Dashboard UI
- Manage sites, users, and roles with a clean and intuitive UI.
- Monitor site usage and connectivity.
- Light and dark mode options.
- Mobile friendly.
- Manage sites, users, and roles with a clean and intuitive UI.
- Monitor site usage and connectivity.
- Light and dark mode options.
- Mobile friendly.
### Easy Deployment
- Run on any cloud provider or on-premises.
- **Docker Compose based setup** for simplified deployment.
- Future-proof installation script for streamlined setup and feature additions.
- Use any WireGuard client to connect, or use **Newt, our custom user space client** for the best experience.
- Run on any cloud provider or on-premises.
- **Docker Compose based setup** for simplified deployment.
- Future-proof installation script for streamlined setup and feature additions.
- Use any WireGuard client to connect, or use **Newt, our custom user space client** for the best experience.
### Modular Design
- Extend functionality with existing [Traefik](https://github.com/traefik/traefik) plugins, such as [CrowdSec](https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin) and [Geoblock](https://github.com/PascalMinder/geoblock).
- **Automatically install and configure Crowdsec via Pangolin's installer script.**
- Attach as many sites to the central server as you wish.
- Extend functionality with existing [Traefik](https://github.com/traefik/traefik) plugins, such as [CrowdSec](https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin) and [Geoblock](https://github.com/PascalMinder/geoblock).
- **Automatically install and configure Crowdsec via Pangolin's installer script.**
- Attach as many sites to the central server as you wish.
<img src={require("./img/collage.png").default} alt="Collage"/>
@ -60,19 +60,19 @@ _Sites page of Pangolin dashboard (dark mode) showing multiple tunnels connected
2. **Domain Configuration**:
- Point your domain name to the VPS and configure Pangolin with your preferred settings.
- Point your domain name to the VPS and configure Pangolin with your preferred settings.
You can [buy a cheap domain at Namecheap](https://namecheap.pxf.io/c/6099916/386170/5618)
3. **Connect Private Sites**:
- Install Newt or use another WireGuard client on private sites.
- Automatically establish a connection from these sites to the central server.
- Install Newt or use another WireGuard client on private sites.
- Automatically establish a connection from these sites to the central server.
4. **Expose Resources**:
- Add resources to the central server and configure access control rules.
- Access these resources securely from anywhere.
- Add resources to the central server and configure access control rules.
- Access these resources securely from anywhere.
**Use Case Example - Bypassing Port Restrictions in Home Lab**:
Imagine private sites where the ISP restricts port forwarding. By connecting these sites to Pangolin via WireGuard, you can securely expose HTTP and HTTPS resources on the private network without any networking complexity.
@ -80,7 +80,6 @@ You can [buy a cheap domain at Namecheap](https://namecheap.pxf.io/c/6099916/386
**Use Case Example - IoT Networks**:
IoT networks are often fragmented and difficult to manage. By deploying Pangolin on a central server, you can connect all your IoT sites via Newt or another WireGuard client. This creates a simple, secure, and centralized way to access IoT resources without the need for intricate networking setups.
<img src={require("./img/resources.png").default} alt="Resources"/>
_Resources page of Pangolin dashboard (dark mode) showing HTTPS and TCP resources with access control rules._
@ -88,10 +87,10 @@ _Resources page of Pangolin dashboard (dark mode) showing HTTPS and TCP resource
## Similar Projects and Inspirations
**Cloudflare Tunnels**:
A similar approach to proxying private resources securely, but Pangolin is a self-hosted alternative, giving you full control over your infrastructure.
A similar approach to proxying private resources securely, but Pangolin is a self-hosted alternative, giving you full control over your infrastructure.
**Authentik and Authelia**:
These projects inspired Pangolins centralized authentication system for proxies, enabling robust user and role management.
These projects inspired Pangolins centralized authentication system for proxies, enabling robust user and role management.
## Project Development / Roadmap

288
packages/docusaurus/docs/03-Pangolin/02-Configuration/02-config.md
View file

@ -7,72 +7,72 @@ Pangolin is configured using a `config.yml` file. The file is expected to be mou
### `app`
- `dashboard_url`: string
- Example: `https://example.com` or `https://pangolin.example.com`
- The url where the application is hosted. This is used for many things, including generating links.
- You can run Pangolin on a subdomain or root domain. Users will be redirected to this url to complete the auth step.
- Example: `https://example.com` or `https://pangolin.example.com`
- The url where the application is hosted. This is used for many things, including generating links.
- You can run Pangolin on a subdomain or root domain. Users will be redirected to this url to complete the auth step.
- `log_level`: string
- Options: `debug`, `info`, `warn`, `error`
- The log level for the application.
- Options: `debug`, `info`, `warn`, `error`
- The log level for the application.
- `save_logs`: boolean
- Whether to save logs to a file. Logs are saved to `config/logs/`.
- Logs rotate
- Max size: 20MB
- Max files: 7 days
- Whether to save logs to a file. Logs are saved to `config/logs/`.
- Logs rotate
- Max size: 20MB
- Max files: 7 days
- `log_failed_attempts` (optional): boolean
- Whether to log failed authentication attempts. This is useful for security tools like Crowdsec and Fail2ban.
- Whether to log failed authentication attempts. This is useful for security tools like Crowdsec and Fail2ban.
### `server`
- `external_port`: int
- The port the external facing (public) API will listen on.
- The port the external facing (public) API will listen on.
- `internal_port`: int
- The port the internal private facing (private) API will listen on.
- The port the internal private facing (private) API will listen on.
- `next_port`: int
- The port the frontend server will listen on.
- The port the frontend server will listen on.
- `internal_hostname`: string
- Example: `pangolin`
- The hostname of the Pangolin container. This is used for internal communication between the components.
- If running with Docker Compose, this should be the name of the container, which is likely `pangolin`.
- Example: `pangolin`
- The hostname of the Pangolin container. This is used for internal communication between the components.
- If running with Docker Compose, this should be the name of the container, which is likely `pangolin`.
- `session_cookie_name`: string
- Example: `p_session_token`
- The name of the session cookie. This is used to store the session token for the main application.
- Example: `p_session_token`
- The name of the session cookie. This is used to store the session token for the main application.
- `resource_access_token_param`: string
- Example: `p_token`
- Pass access token in this query parameter in each request for authentication.
- Example: `p_token`
- Pass access token in this query parameter in each request for authentication.
- `resource_access_token_headers`: object
- Pass access token in these headers in each request for authentication.
- `id`: string
- Example: `P-Access-Token-Id`
- The name of the header used to pass the access token ID.
- `token`: string
- Example: `P-Access-Token`
- The name of the header used to pass the access token.
- Pass access token in these headers in each request for authentication.
- `id`: string
- Example: `P-Access-Token-Id`
- The name of the header used to pass the access token ID.
- `token`: string
- Example: `P-Access-Token`
- The name of the header used to pass the access token.
- `resource_session_request_param`: string
- Example: `p_session_request`
- The query parameter used to pass the session request token to be exchanged for a real session token in Badger.
- Example: `p_session_request`
- The query parameter used to pass the session request token to be exchanged for a real session token in Badger.
- `cors`: object (optional)
- Configuration for Cross-Origin Resource Sharing (CORS).
- `origins`: array of strings (optional)
- Example: `["https://pangolin.example.com"]`
- List of allowed origins for cross-origin requests.
- `methods`: array of strings (optional)
- Example: `["GET", "POST", "PUT", "DELETE", "PATCH"]`
- HTTP methods allowed for CORS requests.
- `allowed_headers`: array of strings (optional)
- Example: `["X-CSRF-Token", "Content-Type"]`
- HTTP headers allowed in CORS requests.
- `credentials`: boolean (optional)
- Whether to allow credentials.
- Default: true
- Configuration for Cross-Origin Resource Sharing (CORS).
- `origins`: array of strings (optional)
- Example: `["https://pangolin.example.com"]`
- List of allowed origins for cross-origin requests.
- `methods`: array of strings (optional)
- Example: `["GET", "POST", "PUT", "DELETE", "PATCH"]`
- HTTP methods allowed for CORS requests.
- `allowed_headers`: array of strings (optional)
- Example: `["X-CSRF-Token", "Content-Type"]`
- HTTP headers allowed in CORS requests.
- `credentials`: boolean (optional)
- Whether to allow credentials.
- Default: true
- `trust_proxy`: boolean (optional)
- Whether to trust the proxy headers (e.g., `X-Forwarded-For`) for determining the client IP address.
- Default: `true`
- Whether to trust the proxy headers (e.g., `X-Forwarded-For`) for determining the client IP address.
- Default: `true`
- `dashboard_session_length_hours`: int (optional)
- The length of time in hours that the dashboard session will last after logging in.
- Default: `720`
- The length of time in hours that the dashboard session will last after logging in.
- Default: `720`
- `resource_session_length_hours`: int (optional)
- The length of time in hours that a session for each resource will last after logging in.
- Default: `720`
- The length of time in hours that a session for each resource will last after logging in.
- Default: `720`
### `domains`
@ -81,27 +81,27 @@ Pangolin is configured using a `config.yml` file. The file is expected to be mou
At least one domain must be configured.
- `<domain_key>`: string
- The unique key for the domain configuration. This can be anything you want.
- `base_domain`: string
- Example: `example.com`
- `cert_resolver`: string
- Example: `letsencrypt`
- The name of the Traefik certificate resolver to use for this domain. This must match the name of the certificate resolver in the Traefik configuration.
- `prefer_wildcard_cert`: boolean
- Example: `true`
- Whether to prefer a wildcard certificate when generating certificates. This is useful if you want to use a wildcard certificate for the base domain and all subdomains.
- The unique key for the domain configuration. This can be anything you want.
- `base_domain`: string
- Example: `example.com`
- `cert_resolver`: string
- Example: `letsencrypt`
- The name of the Traefik certificate resolver to use for this domain. This must match the name of the certificate resolver in the Traefik configuration.
- `prefer_wildcard_cert`: boolean
- Example: `true`
- Whether to prefer a wildcard certificate when generating certificates. This is useful if you want to use a wildcard certificate for the base domain and all subdomains.
### `traefik`
- `http_entrypoint`: string
- Example: `web`
- The name of the Traefik entrypoint for HTTP traffic. This must match the name of the entrypoint in the Traefik configuration.
- Example: `web`
- The name of the Traefik entrypoint for HTTP traffic. This must match the name of the entrypoint in the Traefik configuration.
- `https_entrypoint`: string
- Example: `websecure`
- The name of the Traefik entrypoint for HTTPS traffic. This must match the name of the entrypoint in the Traefik configuration.
- Example: `websecure`
- The name of the Traefik entrypoint for HTTPS traffic. This must match the name of the entrypoint in the Traefik configuration.
- `additional_middlewares`: array of strings (optional)
- Example: `["middleware1", "middleware2"]`
- Additional middlewares to apply to the resource router generated at runtime. These must be defined in another Traefik configuration provider like the dynamic file provider.
- Example: `["middleware1", "middleware2"]`
- Additional middlewares to apply to the resource router generated at runtime. These must be defined in another Traefik configuration provider like the dynamic file provider.
### `gerbil`
@ -121,67 +121,67 @@ At least one domain must be configured.
### `rate_limits`
- `global`: object
- The global rate limit configuration for all requests to the external Pangolin API.
- `window_minutes`: int
- Example: `1`
- The window in minutes for the rate limit.
- `max_requests`: int
- Example: `100`
- The maximum number of requests allowed in the window.
- The global rate limit configuration for all requests to the external Pangolin API.
- `window_minutes`: int
- Example: `1`
- The window in minutes for the rate limit.
- `max_requests`: int
- Example: `100`
- The maximum number of requests allowed in the window.
### `email` (optional)
- `smtp_host` (optional): string
- The SMTP host for sending emails.
- The SMTP host for sending emails.
- `smtp_port` (optional): int
- The SMTP port for sending emails.
- The SMTP port for sending emails.
- `smtp_user` (optional): string
- The SMTP username for sending emails.
- The SMTP username for sending emails.
- `smtp_pass` (optional): string
- The SMTP password for sending emails.
- The SMTP password for sending emails.
- `smtp_secure` (optional): boolean
- Whether to use a secure connection when sending emails. Use this if you're using port 465.
- Default: `false`
- Whether to use a secure connection when sending emails. Use this if you're using port 465.
- Default: `false`
- `no_reply` (optional): string
- Example: `no-reply@example.com`
- The address to send emails from. This can be any email address. Most often this will be the same as the `smtp_user`.
- Example: `no-reply@example.com`
- The address to send emails from. This can be any email address. Most often this will be the same as the `smtp_user`.
- `smtp_tls_reject_unauthorized` (optional): boolean
- Do not fail if the server certificate cannot be verified.
- Default: `false`
- Do not fail if the server certificate cannot be verified.
- Default: `false`
### `users`
- `server_admin`: object
- The server admin who can always create new organizations. This user will always be created on startup.
- `email`: string
- Env: USERS_SERVERADMIN_EMAIL
- The email address of the server admin.
- `password`: string
- Env: USERS_SERVERADMIN_PASSWORD
- The password of the server admin.
- This password will always overwrite the password in the database on startup. This is useful for resetting the password.
- The password must meet the following requirements:
- At least 8 characters
- At least one uppercase letter
- At least one lowercase letter
- At least one digit
- At least one special character
- The server admin who can always create new organizations. This user will always be created on startup.
- `email`: string
- Env: USERS_SERVERADMIN_EMAIL
- The email address of the server admin.
- `password`: string
- Env: USERS_SERVERADMIN_PASSWORD
- The password of the server admin.
- This password will always overwrite the password in the database on startup. This is useful for resetting the password.
- The password must meet the following requirements:
- At least 8 characters
- At least one uppercase letter
- At least one lowercase letter
- At least one digit
- At least one special character
### `flags` (optional)
- `require_email_verification` (optional): boolean
- Whether to require email verification for new users. If set to `true`, new users will need to verify their email address before they can log in.
- Only turn this on if you have email configured.
- Whether to require email verification for new users. If set to `true`, new users will need to verify their email address before they can log in.
- Only turn this on if you have email configured.
- `disable_signup_without_invite` (optional): boolean
- Whether to allow users to sign up without an explicit invite. If set to `true`, the "Sign Up" button will be removed from the login form.
- Users will still be able to sign up if they have a valid invite.
- Whether to allow users to sign up without an explicit invite. If set to `true`, the "Sign Up" button will be removed from the login form.
- Users will still be able to sign up if they have a valid invite.
- `disable_user_create_org` (optional): boolean
- Whether to allow users to create new organizations. If set to `true`, users will not be able to create new organizations.
- The server admin can always create new organizations.
- Whether to allow users to create new organizations. If set to `true`, users will not be able to create new organizations.
- The server admin can always create new organizations.
- `allow_raw_resources` (optional): boolean
- Whether to allow users to create raw TCP/UDP resources. If set to `false`, users will only be able to create http/https resources.
- Whether to allow users to create raw TCP/UDP resources. If set to `false`, users will only be able to create http/https resources.
- `allow_base_domain_resources` (optional): boolean
- Whether to allow users to create resources on the base domain. If set to `false`, users will only be able to create resources on subdomains.
- Whether to allow users to create resources on the base domain. If set to `false`, users will only be able to create resources on subdomains.
## Example Configuration File
@ -189,62 +189,62 @@ This is just an example and is not meant to be used as is. It is not complete. Y
```yaml
app:
dashboard_url: "https://example.com"
log_level: "info"
save_logs: false
dashboard_url: "https://example.com"
log_level: "info"
save_logs: false
domains:
domain1:
base_domain: "example.com"
cert_resolver: "letsencrypt"
prefer_wildcard_cert: false
domain1:
base_domain: "example.com"
cert_resolver: "letsencrypt"
prefer_wildcard_cert: false
server:
external_port: 3000
internal_port: 3001
next_port: 3002
internal_hostname: "pangolin"
session_cookie_name: "p_session_token"
resource_access_token_param: "p_token"
resource_access_token_headers:
id: "P-Access-Token-Id"
token: "P-Access-Token"
resource_session_request_param: "p_session_request"
external_port: 3000
internal_port: 3001
next_port: 3002
internal_hostname: "pangolin"
session_cookie_name: "p_session_token"
resource_access_token_param: "p_token"
resource_access_token_headers:
id: "P-Access-Token-Id"
token: "P-Access-Token"
resource_session_request_param: "p_session_request"
traefik:
cert_resolver: "letsencrypt"
http_entrypoint: "web"
https_entrypoint: "websecure"
cert_resolver: "letsencrypt"
http_entrypoint: "web"
https_entrypoint: "websecure"
gerbil:
start_port: 51820
base_endpoint: "example.com"
use_subdomain: false
block_size: 24
site_block_size: 30
subnet_group: 100.89.137.0/20
start_port: 51820
base_endpoint: "example.com"
use_subdomain: false
block_size: 24
site_block_size: 30
subnet_group: 100.89.137.0/20
rate_limits:
global:
window_minutes: 1
max_requests: 100
global:
window_minutes: 1
max_requests: 100
email:
smtp_host: "host.hoster.net"
smtp_port: 587
smtp_user: "no-reply@example.com"
smtp_pass: "aaaaaaaaaaaaaaaaaa"
no_reply: "no-reply@example.com"
smtp_host: "host.hoster.net"
smtp_port: 587
smtp_user: "no-reply@example.com"
smtp_pass: "aaaaaaaaaaaaaaaaaa"
no_reply: "no-reply@example.com"
users:
server_admin:
email: "admin@example.com"
password: "Password123!"
server_admin:
email: "admin@example.com"
password: "Password123!"
flags:
require_email_verification: true
disable_signup_without_invite: true
disable_user_create_org: true
allow_raw_resources: true
allow_base_domain_resources: true
require_email_verification: true
disable_signup_without_invite: true
disable_user_create_org: true
allow_raw_resources: true
allow_base_domain_resources: true
```

3
packages/docusaurus/docs/03-Pangolin/02-Configuration/03-wildcard-certs.md
View file

@ -16,7 +16,9 @@ It is highly reccommended that you read the [official Traefik documentation](htt
1. Wildcard certificates allow you to secure your all subdomains with a single certificate. This reduces the number of certificates you need to manage.
2. You can add new subdomains to resources without needing to generate a new certificate each time. Without a wildcard certificate, you would need to wait (up to a few minutes usually) for a new certificate to be generated and loaded by Traefik.
- For example: A wildcard cert `*.example.com` could protect `api.example.com`, `blog.example.com`, and another `*.subdomain.example.com` could protect `api.subdomain.example.com`, `blog.subdomain.example.com`, etc.
3. The [rate limits](https://letsencrypt.org/docs/rate-limits/) for Let's Encrypt are per domain. Using a wildcard certificate reduces the number of domains you have, which can help you avoid hitting these limits.
## Setting Up Wildcard Certificates
@ -24,6 +26,7 @@ It is highly reccommended that you read the [official Traefik documentation](htt
1. Make sure the stack is not running.
2. Update the Traefik configuration to use the DNS-01 challenge instead of the HTTP-01 challenge. This tells Traefik to use your DNS provider to create the DNS records needed for the challenge.
3. Set the `prefer_wildcard_cert` flag to `true` in the Pangolin configuration file for your domain.
- This settings will try to encourage Traefik to request one wildcard certificate for each level of the domain used by your existing resources.
- For example: If you have two resources `blog.example.com` and `blog.subdomain.example.com`, Traefik should try to request a wildcard certificate for `*.example.com` and `*.subdomain.example.com` automatically for you.

2
packages/docusaurus/docs/03-Pangolin/03-without-tunneling.md
View file

@ -8,7 +8,7 @@ You can also use "local" sites to expose resources on the same VPS as Pangolin i
:::
You can use Pangolin without Gerbil and tunneling. In this configuration Pangolin is essentially acting as a normal reverse proxy and authentication manager and can be deployed on the *local* network in order to provide access to resources.
You can use Pangolin without Gerbil and tunneling. In this configuration Pangolin is essentially acting as a normal reverse proxy and authentication manager and can be deployed on the _local_ network in order to provide access to resources.
All setup remains the same, except Pangolin and Traefik must now be on the same network you want to proxy targets to and you do not need to install Gerbil.

2
packages/docusaurus/docs/03-Pangolin/04-api-documentation.md
View file

@ -3,6 +3,7 @@
Initial API documentation for pangolin. This documentation includes public endpoints, request/response formats, usage examples, and any limitations or constraints. This document is not complete but will be added to over time to compass more of the API.
### Base URL
```
https://pangolin.yourdomain.com/api/v1/
```
@ -93,6 +94,7 @@ https://pangolin.yourdomain.com/api/v1/
### 1.3 Resource Management
- **Create Resource**
- **Endpoint:** `PUT /org/{orgId}/site/{siteId}/resource`
- **Description:** Creates a new resource for a specific organization and site.
- **Authentication:** Session cookie required

50
packages/docusaurus/docs/03-Pangolin/05-tcp-udp.md
View file

@ -28,13 +28,13 @@ If you are using the standard install with a Docker network you will need to exp
```yaml
gerbil:
ports:
- 51820:51820/udp # LEAVE ALONE: For Wireguard
- 443:443 # LEAVE ALONE: For HTTPS
- 80:80 # LEAVE ALONE: For HTTP
ports:
- 51820:51820/udp # LEAVE ALONE: For Wireguard
- 443:443 # LEAVE ALONE: For HTTPS
- 80:80 # LEAVE ALONE: For HTTP
- 1704:1704/udp # ADDED
- 1602:1602 # ADDED
- 1704:1704/udp # ADDED
- 1602:1602 # ADDED
```
## Configuring Traefik
@ -45,10 +45,10 @@ But this is pretty simple! All you need to do is edit your static Traefik config
```yaml
entryPoints:
udp-1704:
address: ":1704/udp"
tcp-1602:
address: ":1602/tcp"
udp-1704:
address: ":1704/udp"
tcp-1602:
address: ":1602/tcp"
```
:::info
@ -61,20 +61,20 @@ Now, the whole entry points section would look something like this:
```yaml
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
http:
tls:
certResolver: letsencrypt
transport:
respondingTimeouts:
readTimeout: 30m
tcp-1602:
address: ":1602/tcp"
udp-1704:
address: ":1704/udp"
web:
address: ":80"
websecure:
address: ":443"
http:
tls:
certResolver: letsencrypt
transport:
respondingTimeouts:
readTimeout: 30m
tcp-1602:
address: ":1602/tcp"
udp-1704:
address: ":1704/udp"
```
## Update Config
@ -83,7 +83,7 @@ Make sure that the `allow_raw_resources` flag in your `/config/config.yml` is se
```yaml
flags:
allow_raw_resources: true
allow_raw_resources: true
```
## Restart The Stack

62
packages/docusaurus/docs/03-Pangolin/06-bypass-rules.md
View file

@ -6,37 +6,37 @@ Rules allow you to either "allow" and bypass the Pangolin auth system (no pin, l
This table compiles paths that need to be allowed for various apps to work with Pangolin authentication.
| App | Required Bypass Rules |
|-----|------------------------|
| **Media Management** | |
| Radarr | `/api/*` |
| Sonarr | `/api/*` |
| Lidarr | `/api/*` |
| Jellyfin (iOS) | `/system/info/public` |
| Jellyfin (Roku) | `/System/Info/Public`<br />`/Users/AuthenticateByName`<br />`/Users/Public`<br />`/QuickConnect/Initiate`<br />`/QuickConnect/Connect`<br />`/Users/AuthenticateWithQuickConnect` |
| **Management & Monitoring** | |
| Tautulli | `/api/*` |
| Harbour | `/api/*` |
| Hoarder App | `/api/*` |
| Uptime Kuma Manager | `/api/*`<br />`/socket.io/*` |
| MeshCentral | `/api/*`<br />`/meshrelay.ashx`<br />`/agent.ashx` |
| **Security & Privacy** | |
| AdGuard Home | `/api/*` |
| Vaultwarden/Bitwarden | `/api/*`<br />`/identity/*`<br />`/wl/*`<br />Always Deny - Path - `/admin/*` |
| **Cloud & Sync** | |
| Nextcloud | `/` (Main interface)<br />`/index.php` (Core handler)<br />`/remote.php` (Remote access)<br />`/status.php` (Status checks)<br />`/ocs` (Collaboration Services API)<br />`/apps` (Applications)<br />`/remote.php/webdav` (WebDAV endpoint)<br />`/remote.php/dav` (CalDAV/CardDAV)<br />`/remote.php/caldav` (Calendar sync)<br />`/remote.php/carddav` (Contacts sync)<br />`/ocs/v1.php` (API endpoints)<br />`/ocs/v2.php` (API v2 endpoints)<br />`/login` (Authentication)<br />`/.well-known/*` (Service discovery)<br />`/.well-known/webfinger` (WebFinger protocol)<br />`/s/*` (Shared files/folders) |
| **Photo Management** | |
| Immich | `/api/*`<br />`/.well-known/immich` |
| **File Management** | |
| Filebrowser | `/static/*`<br />`/share/*` <br/> `/api/public/dl/*` |
| **Notes & Knowledge Management** | |
| Joplin Notes Server | `/api/*`<br />`/shares/*`<br />`/css/*`<br />`/images/*`<br />Always Deny - Path - `/login/*` (optional) |
| Erugo | `/api/*`<br />`/shares/*`<br />`/build/*`<br />`/get-logo` |
| **Communication** | |
| Matrix/Synapse (Clients) | `/_matrix/*`<br />`/_synapse/client/*` |
| Matrix/Synapse (Federation) | `/_matrix/*` |
| **Notifications** | |
| Gotify | `/version`<br />`/message`<br />`/application`<br />`/client`<br />`/stream`<br />`/plugin`<br />`/health` |
| App | Required Bypass Rules |
| -------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Media Management** | |
| Radarr | `/api/*` |
| Sonarr | `/api/*` |
| Lidarr | `/api/*` |
| Jellyfin (iOS) | `/system/info/public` |
| Jellyfin (Roku) | `/System/Info/Public`<br />`/Users/AuthenticateByName`<br />`/Users/Public`<br />`/QuickConnect/Initiate`<br />`/QuickConnect/Connect`<br />`/Users/AuthenticateWithQuickConnect` |
| **Management & Monitoring** | |
| Tautulli | `/api/*` |
| Harbour | `/api/*` |
| Hoarder App | `/api/*` |
| Uptime Kuma Manager | `/api/*`<br />`/socket.io/*` |
| MeshCentral | `/api/*`<br />`/meshrelay.ashx`<br />`/agent.ashx` |
| **Security & Privacy** | |
| AdGuard Home | `/api/*` |
| Vaultwarden/Bitwarden | `/api/*`<br />`/identity/*`<br />`/wl/*`<br />Always Deny - Path - `/admin/*` |
| **Cloud & Sync** | |
| Nextcloud | `/` (Main interface)<br />`/index.php` (Core handler)<br />`/remote.php` (Remote access)<br />`/status.php` (Status checks)<br />`/ocs` (Collaboration Services API)<br />`/apps` (Applications)<br />`/remote.php/webdav` (WebDAV endpoint)<br />`/remote.php/dav` (CalDAV/CardDAV)<br />`/remote.php/caldav` (Calendar sync)<br />`/remote.php/carddav` (Contacts sync)<br />`/ocs/v1.php` (API endpoints)<br />`/ocs/v2.php` (API v2 endpoints)<br />`/login` (Authentication)<br />`/.well-known/*` (Service discovery)<br />`/.well-known/webfinger` (WebFinger protocol)<br />`/s/*` (Shared files/folders) |
| **Photo Management** | |
| Immich | `/api/*`<br />`/.well-known/immich` |
| **File Management** | |
| Filebrowser | `/static/*`<br />`/share/*` <br/> `/api/public/dl/*` |
| **Notes & Knowledge Management** | |
| Joplin Notes Server | `/api/*`<br />`/shares/*`<br />`/css/*`<br />`/images/*`<br />Always Deny - Path - `/login/*` (optional) |
| Erugo | `/api/*`<br />`/shares/*`<br />`/build/*`<br />`/get-logo` |
| **Communication** | |
| Matrix/Synapse (Clients) | `/_matrix/*`<br />`/_synapse/client/*` |
| Matrix/Synapse (Federation) | `/_matrix/*` |
| **Notifications** | |
| Gotify | `/version`<br />`/message`<br />`/application`<br />`/client`<br />`/stream`<br />`/plugin`<br />`/health` |
## Types of Rules

6
packages/docusaurus/docs/04-Newt/01-overview.md
View file

@ -64,9 +64,9 @@ services:
container_name: newt
restart: unless-stopped
command:
- --id 31frd0uzbjvp721
- --secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6
- --endpoint https://example.com
- --id 31frd0uzbjvp721
- --secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6
- --endpoint https://example.com
```
:::note

32
packages/docusaurus/docs/04-Newt/02-install.md
View file

@ -74,28 +74,28 @@ You can also run it with Docker compose. For example, a service in your `docker-
```yaml
services:
newt:
image: fosrl/newt
container_name: newt
restart: unless-stopped
environment:
- PANGOLIN_ENDPOINT=https://example.com
- NEWT_ID=2ix2t8xk22ubpfy
- NEWT_SECRET=nnisrfsdfc7prqsp9ewo1dvtvci50j5uiqotez00dgap0ii2
newt:
image: fosrl/newt
container_name: newt
restart: unless-stopped
environment:
- PANGOLIN_ENDPOINT=https://example.com
- NEWT_ID=2ix2t8xk22ubpfy
- NEWT_SECRET=nnisrfsdfc7prqsp9ewo1dvtvci50j5uiqotez00dgap0ii2
```
You can also pass the CLI args to the container:
```yaml
services:
newt:
image: fosrl/newt
container_name: newt
restart: unless-stopped
command:
- --id 31frd0uzbjvp721
- --secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6
- --endpoint https://example.com
newt:
image: fosrl/newt
container_name: newt
restart: unless-stopped
command:
- --id 31frd0uzbjvp721
- --secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6
- --endpoint https://example.com
```
### Unraid

45
packages/docusaurus/docs/04-Newt/04-homeassistant.md
View file

@ -10,7 +10,6 @@ This Home Assistant add-on allows you to easily run **Newt** directly in Home As
## Features
- Easy installation via Home Assistant Add-on Store
- Automated setup and execution of the Newt container
- Supports `amd64`, `armv7`, `armhf`, and `aarch64` architectures
@ -18,39 +17,33 @@ This Home Assistant add-on allows you to easily run **Newt** directly in Home As
## Installation
### **1. Add the GitHub Repository as an Add-on Source**
- Go to **Settings → Add-ons → Add-on Store**.
- Click the menu (three dots in the top right) and select **Repositories**.
- Add the following URL:
```
https://github.com/Ferdinand99/home-assistant-newt-addon
```
or
```
https://git.opland.net/Ferdinand99/home-assistant-newt-addon/
```
```
https://github.com/Ferdinand99/home-assistant-newt-addon
```
or
```
https://git.opland.net/Ferdinand99/home-assistant-newt-addon/
```
1. Click **Add** and wait for the repository to load.
### **2. Install and Start the Add-on**
1. Find **Newt Add-on** in the list and click **Install**.
2. Go to the **Configuration** tab and enter your values for:
- **PANGOLIN_ENDPOINT** (e.g., `https://example.com`)
- **NEWT_ID**
- **NEWT_SECRET**
- **PANGOLIN_ENDPOINT** (e.g., `https://example.com`)
- **NEWT_ID**
- **NEWT_SECRET**
3. Click **Save** and then **Start**.
4. Check the **Logs** tab to verify that everything is running correctly.
## **Configuration**
After installation, you can configure the add-on via the Home Assistant UI:
```yaml
@ -69,7 +62,6 @@ The following environment variables are passed to the `Newt` container:
## Troubleshooting
#### **Add-on does not start?**
- Check the logs in Home Assistant (`Settings → Add-ons → Newt → Logs`).
@ -80,22 +72,19 @@ The following environment variables are passed to the `Newt` container:
- Restart the add-on after making changes.
- Try removing the container manually:
```shell
docker stop newt
docker rm newt
```
```shell
docker stop newt
docker rm newt
```
- Then start the add-on again.
#### **Docker not available?**
- Home Assistant OS manages Docker automatically, but check if the system has access to Docker by running:
```shell
docker info
```
```shell
docker info
```
If this fails, there may be a restriction in Home Assistant OS.

8
packages/docusaurus/docs/05-Gerbil/01-overview.md
View file

@ -59,10 +59,10 @@ services:
container_name: gerbil
restart: unless-stopped
command:
- --reachableAt=http://gerbil:3003
- --generateAndSaveKeyTo=/var/config/key
- --remoteConfig=http://pangolin:3001/api/v1/gerbil/get-config
- --reportBandwidthTo=http://pangolin:3001/api/v1/gerbil/receive-bandwidth
- --reachableAt=http://gerbil:3003
- --generateAndSaveKeyTo=/var/config/key
- --remoteConfig=http://pangolin:3001/api/v1/gerbil/get-config
- --reportBandwidthTo=http://pangolin:3001/api/v1/gerbil/receive-bandwidth
```
:::tip

22
packages/docusaurus/docs/05-Gerbil/02-developer-guide.md
View file

@ -7,12 +7,15 @@ This guide provides essential information for developers working on the Gerbil p
To get started with the Gerbil project, follow these setup instructions:
### Prerequisites
- **Go**: Ensure that you have Go installed on your system. The project uses Go version 1.23.1 or later. You can download it from [golang.org](https://golang.org/dl/).
- **Docker**: Install Docker to build and run the application in a containerized environment.
- **Git**: Make sure Git is installed to clone the repository.
### Installation Steps
1. **Clone the Repository**:
```bash
git clone https://github.com/fosrl/gerbil.git
cd gerbil
@ -20,12 +23,14 @@ To get started with the Gerbil project, follow these setup instructions:
2. **Install Dependencies**:
Run the following command to download all required Go dependencies:
```bash
go mod download
```
3. **Build the Application**:
You can build the application using Docker or directly using Go:
- **Using Docker**:
```bash
docker build -t gerbil .
@ -37,13 +42,13 @@ To get started with the Gerbil project, follow these setup instructions:
4. **Run the Application**:
To run the application, execute:
```bash
./gerbil \
--reachableAt=http://gerbil:3003 \
--generateAndSaveKeyTo=/var/config/key \
--remoteConfig=http://pangolin:3001/api/v1/gerbil/get-config \
--reportBandwidthTo=http://pangolin:3001/api/v1/gerbil/receive-bandwidth
```
```bash
./gerbil \
--reachableAt=http://gerbil:3003 \
--generateAndSaveKeyTo=/var/config/key \
--remoteConfig=http://pangolin:3001/api/v1/gerbil/get-config \
--reportBandwidthTo=http://pangolin:3001/api/v1/gerbil/receive-bandwidth
```
## 2. Project Structure Overview
@ -75,6 +80,7 @@ gerbil/
The development workflow for contributing to Gerbil involves several key steps:
1. **Branching**: Create a new branch for your feature or bug fix.
```bash
git checkout -b feature/my-feature-name
```
@ -84,11 +90,13 @@ The development workflow for contributing to Gerbil involves several key steps:
3. **Testing Locally**: Run tests locally to ensure your changes do not break existing functionality.
4. **Committing Changes**: Commit your changes with a descriptive message.
```bash
git commit -m "Add feature X"
```
5. **Pushing Changes**: Push your branch to the remote repository.
```bash
git push origin feature/my-feature-name
```

5
packages/docusaurus/docs/05-Gerbil/03-system-architecture-documentation.md
View file

@ -7,6 +7,7 @@ This document outlines the system architecture of the Gerbil project, a Go appli
The Gerbil project is structured around a central application that interacts with the WireGuard VPN service to create, manage, and configure tunnels. The application is built using Go and leverages various libraries for logging, networking, and configuration management.
### Key Features:
- **WireGuard Management**: Create and manage WireGuard interfaces and peers.
- **Logging**: Centralized logging functionality to track application behavior.
- **Configuration**: JSON-based configuration management for easy setup and modification.
@ -21,6 +22,7 @@ The main components of the Gerbil project include:
- **Dockerfile**: Defines how to build and run the application in a containerized environment.
### Interaction Flow:
1. The main application starts and initializes the logger.
2. It reads configuration from `config_example.json` or an equivalent file or a remote http api hosted in Pangolin.
3. Based on the configuration, it interacts with the WireGuard API using the `wgctrl` library and netlink to set up tunnels and peers.
@ -53,6 +55,7 @@ The main components of the Gerbil project include:
```
### Description:
- **Configuration**: The application reads from a configuration file that specifies settings like private keys, listen ports, and peers.
- **Main Application**: Orchestrates the flow by initializing components and executing commands based on user input.
- **Logger**: Captures events during execution for later review.
@ -61,6 +64,7 @@ The main components of the Gerbil project include:
## 4. Design Decisions and Rationale
### Key Design Decisions:
- **Use of Go**: Chosen for its performance, concurrency support, and ease of deployment.
- **JSON Configuration**: Provides a human-readable format that is easy to modify without requiring recompilation.
- **Modular Logging**: Encapsulated logging functionality allows for consistent logging practices across different parts of the application.
@ -68,5 +72,6 @@ The main components of the Gerbil project include:
## 5. System Constraints and Limitations
### Constraints:
- **Platform Dependency**: The application relies on Linux-based systems due to its use of netlink sockets for network management.
- **Privileged Operations**: Requires elevated permissions to create network interfaces and modify routing tables.

4
packages/docusaurus/docs/07-Modules/01-overview.md
View file

@ -14,6 +14,7 @@ When installing Crowdsec via the Pangolin installer, the Crowdsec Traefik Bounce
The CrowdSec Bouncer plugin for Traefik integrates CrowdSecs security engine to block malicious traffic in real time. It runs as middleware within a Traefik container and enforces decisions based on CrowdSecs threat intelligence. This helps protect services from bots, attackers, and abusive IPs dynamically.
For additional information, consult the following resources:
- [Traefik Plugin Catalog](https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin)
- [Github Repository](https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin)
@ -22,6 +23,7 @@ For additional information, consult the following resources:
The GeoBlock plugin for Traefik is a middleware that restricts access based on the clients geographic location. It runs within a Traefik container and uses IP-based geolocation to allow or block traffic from specific countries. This is useful for security, compliance, or access control in Traefik-managed services.
For more details, please refer to the following resources:
- [Github Repository](https://github.com/PascalMinder/geoblock)
## Metrics
@ -33,6 +35,7 @@ Currently you can claim metric data from Traefik and Crowdsec with Prometheus an
Prometheus is an open-source monitoring and alerting toolkit designed for collecting and querying time-series metrics. It runs as a Docker container and uses a pull-based model to scrape data from configured endpoints. Prometheus integrates well with Grafana for visualization and Alertmanager for alert handling.
For more details, please refer to the following resources:
- [Homepage](https://prometheus.io/)
- [Github Repository](https://github.com/prometheus/prometheus)
@ -41,5 +44,6 @@ For more details, please refer to the following resources:
Grafana is an open-source analytics and visualization platform used to monitor and display time-series data. It runs as a Docker container and supports multiple data sources, including Prometheus, InfluxDB, and MySQL. Grafana provides interactive dashboards, alerting, and extensive customization options for data visualization.
For more details, please refer to the following resources:
- [Homepage](https://grafana.com/)
- [Github Repository](https://github.com/grafana/grafana)

23
packages/docusaurus/docs/07-Modules/02-crowdsec.md
View file

@ -15,6 +15,7 @@ By default, Crowdsec is installed with a basic configuration, which includes the
#### Syslog
For systems utilizing Syslog, the following volumes should be added to the `docker-compose.yml` file:
```yaml
service:
crowdsec:
@ -24,10 +25,11 @@ service:
```
Create a `syslog.yaml` file under `/config/crowdsec/acquis.d` with the following content:
```yaml
filenames:
- /var/log/auth.log
- /var/log/syslog
- /var/log/auth.log
- /var/log/syslog
labels:
type: syslog
```
@ -35,11 +37,13 @@ labels:
#### Journalctl
To log iptables to journalctl, execute the following command on your host system:
```bash
iptables -A INPUT -j LOG --log-prefix "iptables: "
```
Update the `docker-compose.yml` file as follows:
```yaml
service:
crowdsec:
@ -54,6 +58,7 @@ service:
```
Create a `journalctl.yaml` file under `/config/crowdsec/acquis.d` with the following content:
```yaml
source: journalctl
journalctl_filter:
@ -67,31 +72,37 @@ labels:
By default, only Traefik requests are secured through the Crowdsec bouncer. To extend protection to your host system (e.g., SSH), follow these steps to add a firewall bouncer:
1. Install the Crowdsec repositories. Refer to the [installation documentation](https://docs.crowdsec.net/docs/next/getting_started/install_crowdsec/#install-our-repositories):
```bash
curl -s https://install.crowdsec.net | sudo sh
```
2. Install the firewall bouncer. For Debian/Ubuntu systems using IPTables, refer to the [documentation](https://docs.crowdsec.net/u/bouncers/firewall/):
```bash
sudo apt install crowdsec-firewall-bouncer-iptables
```
3. Create an API key for the firewall bouncer to communicate with your CrowdSec Docker container. ("vps-firewall" is a placeholder name for the key):
```bash
docker exec -it crowdsec cscli bouncers add vps-firewall
```
4. Copy the dispalyed API key and insert it into the bouncer's configuration file:
```bash
nano /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
```
5. Restart the firewall bouncer:
```bash
systemctl restart crowdsec-firewall-bouncer
```
6. Update the `docker-compose.yml` file to expose communication port `8080` for the CrowdSec container and restart the container:
```yaml
service:
crowdsec:
@ -101,11 +112,13 @@ service:
```
7. Verify communication between the firewall bouncer and the CrowdSec container by running:
```bash
docker exec crowdsec cscli metrics
```
The output should look like this:
```bash
+------------------------------------------------------------------+
| Local API Bouncers Metrics |
@ -123,11 +136,13 @@ The output should look like this:
To display a custom ban page to attackers, follow these steps:
1. Place a `ban.html` page in the `/config/traefik` directory. If you prefer not to create your own, you can download the official example:
```bash
wget https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/blob/main/ban.html
```
2. Update the `/config/traefik/dynamic_config.yml` file to include the following:
```yaml
http:
middlewares:
@ -142,11 +157,13 @@ http:
To use a custom captcha page, follow these steps:
1. Place a `captcha.html` page in the `/config/traefik` directory. If you don't want to create your own, you can download the official example:
```bash
wget https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/blob/main/captcha.html
```
2. Update the `/config/traefik/dynamic_config.yml` file with the following configuration, replacing `<SERVICE>` with your captcha provider (e.g. hCaptcha, reCaptcha, Turnstile), and `<KEY>` with the appropriate site and secret keys:
```yaml
http:
middlewares:
@ -165,11 +182,13 @@ http:
You can test your configuration by adding a temporary ban or captcha for your IP. The ban will last for one minute.
To add a ban:
```bash
docker exec crowdsec cscli decisions add --ip <YOUR IP> -d 1m --type ban
```
To trigger a captcha challenge:
```bash
docker exec crowdsec cscli decisions add --ip <YOUR IP> -d 1m --type captcha
```

10
packages/docusaurus/docs/07-Modules/03-geoblock.md
View file

@ -7,6 +7,7 @@ GeoBlock is a Traefik middleware that uses IP-based geolocation to allow or bloc
To integrate GeoBlock into your Traefik setup, follow the steps below:
1. Add the following configuration to your `/config/traefik/traefik_config.yml` file:
```yaml
entryPoints:
websecure:
@ -22,6 +23,7 @@ experimental:
```
2. Add the following configuration to your `/config/traefik/dynamic_config.yml` file. Setting `blackListMode: false` enables GeoBlock in whitelist mode, allowing only the specified countries. Remember to add the appropriate countries when traveling. A list of country codes can be found in the [documentation](https://github.com/PascalMinder/geoblock#full-plugin-sample-configuration).
```yaml
http:
middlewares:
@ -45,6 +47,7 @@ http:
```
3. Restart Traefik to apply the changes:
```bash
docker restart traefik
```
@ -52,8 +55,9 @@ docker restart traefik
## Testing
To monitor GeoBlock activities in the Traefik logs, enable logging by setting the following options to `true`:
```yaml
logLocalRequests: true
logAllowedRequests: true
logApiRequests: true
logLocalRequests: true
logAllowedRequests: true
logApiRequests: true
```

18
packages/docusaurus/docs/07-Modules/04-metrics.md
View file

@ -19,9 +19,9 @@ For claiming metrics from Traefik we have to adjust some configuration files.
```yaml
service:
gerbil:
ports:
- 8082:8082
gerbil:
ports:
- 8082:8082
```
2. Update the `/config/traefik/traefik_config.yml` file to include the following:
@ -29,7 +29,7 @@ service:
```yaml
entryPoints:
metrics:
address: ':8082'
address: ":8082"
metrics:
prometheus:
@ -58,9 +58,9 @@ For claiming metrics from Crowdsec we have to adjust the docker compose files.
```yaml
service:
crowdsec:
ports:
- 6060:6060
crowdsec:
ports:
- 6060:6060
```
2. Restart the Crowdsec container to apply the changes:
@ -102,11 +102,11 @@ scrape_configs:
- job_name: traefik
static_configs:
- targets: ['172.17.0.1:8082']
- targets: ["172.17.0.1:8082"]
- job_name: crowdsec
static_configs:
- targets: ['172.17.0.1:6060']
- targets: ["172.17.0.1:6060"]
```
3. Create a folder `data` in `/config/prometheus` and change the ower and owning group:

342
packages/docusaurus/docusaurus.config.ts
View file

@ -5,186 +5,186 @@ import type * as Preset from "@docusaurus/preset-classic";
// This runs in Node.js - Don't use client-side code here (browser APIs, JSX...)
const config: Config = {
title: "Fossorial Docs",
tagline: "Adapted for use in burrowing",
favicon: "img/favicon.ico",
title: "Fossorial Docs",
tagline: "Adapted for use in burrowing",
favicon: "img/favicon.ico",
// Set the production url of your site here
url: "https://docs.fossorial.io",
// Set the /<baseUrl>/ pathname under which your site is served
// For GitHub pages deployment, it is often '/<projectName>/'
baseUrl: "/",
// Set the production url of your site here
url: "https://docs.fossorial.io",
// Set the /<baseUrl>/ pathname under which your site is served
// For GitHub pages deployment, it is often '/<projectName>/'
baseUrl: "/",
// GitHub pages deployment config.
// If you aren't using GitHub pages, you don't need these.
organizationName: "Fossorial", // Usually your GitHub org/user name.
projectName: "docs", // Usually your repo name.
// GitHub pages deployment config.
// If you aren't using GitHub pages, you don't need these.
organizationName: "Fossorial", // Usually your GitHub org/user name.
projectName: "docs", // Usually your repo name.
onBrokenLinks: "throw",
onBrokenMarkdownLinks: "warn",
onBrokenLinks: "throw",
onBrokenMarkdownLinks: "warn",
// Even if you don't use internationalization, you can use this field to set
// useful metadata like html lang. For example, if your site is Chinese, you
// may want to replace "en" with "zh-Hans".
i18n: {
defaultLocale: "en",
locales: ["en"]
},
// Even if you don't use internationalization, you can use this field to set
// useful metadata like html lang. For example, if your site is Chinese, you
// may want to replace "en" with "zh-Hans".
i18n: {
defaultLocale: "en",
locales: ["en"]
},
presets: [
[
"classic",
{
docs: {
sidebarCollapsed: false,
sidebarPath: "./sidebars.ts",
routeBasePath: "/"
// Please change this to your repo.
// Remove this to remove the "edit this page" links.
// editUrl:
// 'https://github.com/facebook/docusaurus/tree/main/packages/create-docusaurus/templates/shared/',
},
blog: false,
// blog: {
// showReadingTime: true,
// feedOptions: {
// type: ['rss', 'atom'],
// xslt: true,
// },
// // Please change this to your repo.
// // Remove this to remove the "edit this page" links.
// // editUrl:
// // 'https://github.com/facebook/docusaurus/tree/main/packages/create-docusaurus/templates/shared/',
// // Useful options to enforce blogging best practices
// onInlineTags: 'warn',
// onInlineAuthors: 'warn',
// onUntruncatedBlogPosts: 'warn',
// },
theme: {
customCss: "./src/css/custom.css"
}
} satisfies Preset.Options
]
],
themeConfig: {
// Replace with your project's social card
image: "img/docusaurus-social-card.jpg",
colorMode: {
defaultMode: "light",
disableSwitch: false,
respectPrefersColorScheme: true
presets: [
[
"classic",
{
docs: {
sidebarCollapsed: false,
sidebarPath: "./sidebars.ts",
routeBasePath: "/"
// Please change this to your repo.
// Remove this to remove the "edit this page" links.
// editUrl:
// 'https://github.com/facebook/docusaurus/tree/main/packages/create-docusaurus/templates/shared/',
},
// announcementBar: {
// id: "support_us",
// content:
// 'If you like Pangolin, please <a target="_blank" rel="noopener noreferrer" href="https://github.com/fosrl/pangolin">star us on GitHub!</a>',
// isCloseable: false
blog: false,
// blog: {
// showReadingTime: true,
// feedOptions: {
// type: ['rss', 'atom'],
// xslt: true,
// },
// // Please change this to your repo.
// // Remove this to remove the "edit this page" links.
// // editUrl:
// // 'https://github.com/facebook/docusaurus/tree/main/packages/create-docusaurus/templates/shared/',
// // Useful options to enforce blogging best practices
// onInlineTags: 'warn',
// onInlineAuthors: 'warn',
// onUntruncatedBlogPosts: 'warn',
// },
algolia: {
// The application ID provided by Algolia
appId: "CVXQS7OHYA",
// Public API key: it is safe to commit it
apiKey: "37f86a9f9a04ab1c0f17339c86566ce5",
indexName: "fossorial",
contextualSearch: false
},
navbar: {
title: "Fossorial",
logo: {
alt: "Fossorial Logo",
src: "img/pangolin_orange.svg"
},
items: [
// {
// type: "docSidebar",
// sidebarId: "tutorialSidebar",
// position: "left",
// label: "Docs",
// },
// {to: '/blog', label: 'Blog', position: 'left'},
{
href: "https://fossorial.io",
label: "fossorial.io",
position: "left"
},
{
href: "https://discord.gg/HCJR8Xhme4",
label: "Discord",
position: "left"
},
{
href: "https://github.com/fosrl",
position: "right",
className: "header-github-link",
"aria-label": "GitHub repository"
}
]
},
// footer: {
// style: "dark",
// links: [
// {
// title: "Docs",
// items: [
// {
// label: "Docs",
// to: "/overview",
// },
// ],
// },
// {
// title: "Community",
// items: [
// // {
// // label: 'Stack Overflow',
// // href: 'https://stackoverflow.com/questions/tagged/docusaurus',
// // },
// {
// label: "Discord",
// href: "https://discord.gg/HCJR8Xhme4",
// },
// // {
// // label: 'X',
// // href: 'https://x.com/docusaurus',
// // },
// ],
// },
// {
// title: "More",
// items: [
// // {
// // label: 'Blog',
// // to: '/blog',
// // },
// {
// label: "GitHub",
// href: "https://github.com/fosrl",
// },
// ],
// },
// ],
// copyright: `${new Date().getFullYear()} Built by Fossorial`,
// },
prism: {
theme: prismThemes.oneLight,
darkTheme: prismThemes.oneDark
theme: {
customCss: "./src/css/custom.css"
}
} satisfies Preset.ThemeConfig,
plugins: [
[
"@dipakparmar/docusaurus-plugin-umami",
/** @type {import('@dipakparmar/docusaurus-plugin-umami').Options} */
{
websiteID: "d9a3a131-d2f4-4f8f-922b-80d668e96640", // Required
analyticsDomain: "umami.dev.fossorial.io", // Required
dataAutoTrack: false, // Optional
dataDoNotTrack: false, // Optional
dataCache: true, // Optional
dataDomains: "docs.fossorial.io" // comma separated list of domains, *Recommended*
}
]
} satisfies Preset.Options
]
],
themeConfig: {
// Replace with your project's social card
image: "img/docusaurus-social-card.jpg",
colorMode: {
defaultMode: "light",
disableSwitch: false,
respectPrefersColorScheme: true
},
// announcementBar: {
// id: "support_us",
// content:
// 'If you like Pangolin, please <a target="_blank" rel="noopener noreferrer" href="https://github.com/fosrl/pangolin">star us on GitHub!</a>',
// isCloseable: false
// },
algolia: {
// The application ID provided by Algolia
appId: "CVXQS7OHYA",
// Public API key: it is safe to commit it
apiKey: "37f86a9f9a04ab1c0f17339c86566ce5",
indexName: "fossorial",
contextualSearch: false
},
navbar: {
title: "Fossorial",
logo: {
alt: "Fossorial Logo",
src: "img/pangolin_orange.svg"
},
items: [
// {
// type: "docSidebar",
// sidebarId: "tutorialSidebar",
// position: "left",
// label: "Docs",
// },
// {to: '/blog', label: 'Blog', position: 'left'},
{
href: "https://fossorial.io",
label: "fossorial.io",
position: "left"
},
{
href: "https://discord.gg/HCJR8Xhme4",
label: "Discord",
position: "left"
},
{
href: "https://github.com/fosrl",
position: "right",
className: "header-github-link",
"aria-label": "GitHub repository"
}
]
},
// footer: {
// style: "dark",
// links: [
// {
// title: "Docs",
// items: [
// {
// label: "Docs",
// to: "/overview",
// },
// ],
// },
// {
// title: "Community",
// items: [
// // {
// // label: 'Stack Overflow',
// // href: 'https://stackoverflow.com/questions/tagged/docusaurus',
// // },
// {
// label: "Discord",
// href: "https://discord.gg/HCJR8Xhme4",
// },
// // {
// // label: 'X',
// // href: 'https://x.com/docusaurus',
// // },
// ],
// },
// {
// title: "More",
// items: [
// // {
// // label: 'Blog',
// // to: '/blog',
// // },
// {
// label: "GitHub",
// href: "https://github.com/fosrl",
// },
// ],
// },
// ],
// copyright: `${new Date().getFullYear()} Built by Fossorial`,
// },
prism: {
theme: prismThemes.oneLight,
darkTheme: prismThemes.oneDark
}
} satisfies Preset.ThemeConfig,
plugins: [
[
"@dipakparmar/docusaurus-plugin-umami",
/** @type {import('@dipakparmar/docusaurus-plugin-umami').Options} */
{
websiteID: "d9a3a131-d2f4-4f8f-922b-80d668e96640", // Required
analyticsDomain: "umami.dev.fossorial.io", // Required
dataAutoTrack: false, // Optional
dataDoNotTrack: false, // Optional
dataCache: true, // Optional
dataDomains: "docs.fossorial.io" // comma separated list of domains, *Recommended*
}
]
]
};
export default config;

4
packages/docusaurus/sidebars.ts
View file

@ -1,4 +1,4 @@
import type {SidebarsConfig} from '@docusaurus/plugin-content-docs';
import type { SidebarsConfig } from "@docusaurus/plugin-content-docs";
// This runs in Node.js - Don't use client-side code here (browser APIs, JSX...)
@ -14,7 +14,7 @@ import type {SidebarsConfig} from '@docusaurus/plugin-content-docs';
*/
const sidebars: SidebarsConfig = {
// By default, Docusaurus generates a sidebar from the docs folder structure
tutorialSidebar: [{type: 'autogenerated', dirName: '.'}],
tutorialSidebar: [{ type: "autogenerated", dirName: "." }]
// But you can create a sidebar manually
/*

22
packages/docusaurus/src/components/DockerCompose.tsx
View file

@ -3,15 +3,15 @@ import React, { useEffect, useState } from "react";
import { fetchLatestRelease } from "../lib/fetchLatestRelease";
const DockerCompose: React.FC = () => {
const [text, setText] = useState<string>("");
const [text, setText] = useState<string>("");
useEffect(() => {
(async () => {
const pangolinVersion = await fetchLatestRelease("fosrl/pangolin");
const gerbilVersion = await fetchLatestRelease("fosrl/gerbil");
useEffect(() => {
(async () => {
const pangolinVersion = await fetchLatestRelease("fosrl/pangolin");
const gerbilVersion = await fetchLatestRelease("fosrl/gerbil");
setText(
`services:
setText(
`services:
pangolin:
image: fosrl/pangolin:${pangolinVersion}
container_name: pangolin
@ -63,11 +63,11 @@ networks:
default:
driver: bridge
name: pangolin`
);
})();
}, []);
);
})();
}, []);
return <CodeBlock language="yml">{text}</CodeBlock>;
return <CodeBlock language="yml">{text}</CodeBlock>;
};
export default DockerCompose;

12
packages/docusaurus/src/components/DynamicTraefikConfig.tsx
View file

@ -1,9 +1,9 @@
import CodeBlock from '@theme/CodeBlock';
import CodeBlock from "@theme/CodeBlock";
const DynamicTraefikConfig: React.FC = () => {
return (
<CodeBlock language="yml">
{`http:
return (
<CodeBlock language="yml">
{`http:
middlewares:
redirect-to-https:
redirectScheme:
@ -57,8 +57,8 @@ const DynamicTraefikConfig: React.FC = () => {
servers:
- url: "http://pangolin:3000" # API/WebSocket server
`}
</CodeBlock>
);
</CodeBlock>
);
};
export default DynamicTraefikConfig;

22
packages/docusaurus/src/components/StaticTraefikConfig.tsx
View file

@ -1,15 +1,15 @@
import CodeBlock from '@theme/CodeBlock';
import CodeBlock from "@theme/CodeBlock";
import React, { useEffect, useState } from "react";
import { fetchLatestRelease } from "../lib/fetchLatestRelease";
const StaticTraefikConfig: React.FC = () => {
const [text, setText] = useState<string>("");
const [text, setText] = useState<string>("");
useEffect(() => {
(async () => {
const badgerVersion = await fetchLatestRelease("fosrl/badger");
useEffect(() => {
(async () => {
const badgerVersion = await fetchLatestRelease("fosrl/badger");
setText(`api:
setText(`api:
insecure: true
dashboard: true
@ -53,14 +53,10 @@ entryPoints:
serversTransport:
insecureSkipVerify: true`);
})();
}, []);
})();
}, []);
return (
<CodeBlock language="yml">
{text}
</CodeBlock>
);
return <CodeBlock language="yml">{text}</CodeBlock>;
};
export default StaticTraefikConfig;

16
packages/docusaurus/src/components/UpdatingVersionsYaml.tsx
View file

@ -3,22 +3,22 @@ import React, { useEffect, useState } from "react";
import { fetchLatestRelease } from "../lib/fetchLatestRelease";
const UpdatingVersionsYaml: React.FC = () => {
const [text, setText] = useState<string>("");
const [text, setText] = useState<string>("");
useEffect(() => {
(async () => {
const pangolinVersion = await fetchLatestRelease("fosrl/pangolin");
useEffect(() => {
(async () => {
const pangolinVersion = await fetchLatestRelease("fosrl/pangolin");
setText(`services:
setText(`services:
pangolin:
image: fosrl/pangolin:${pangolinVersion} # increase the tag to the latest version number, or use "latest"
container_name: pangolin
restart: unless-stopped
...`);
})();
}, []);
})();
}, []);
return <CodeBlock language="yml">{text}</CodeBlock>;
return <CodeBlock language="yml">{text}</CodeBlock>;
};
export default UpdatingVersionsYaml;

20
packages/docusaurus/src/components/WgetNewtInstaller.tsx
View file

@ -3,19 +3,19 @@ import React, { useEffect, useState } from "react";
import { fetchLatestRelease } from "../lib/fetchLatestRelease";
const WgetNewtInstaller: React.FC = () => {
const [text, setText] = useState<string>("");
const [text, setText] = useState<string>("");
useEffect(() => {
(async () => {
const newtVersion = await fetchLatestRelease("fosrl/newt");
useEffect(() => {
(async () => {
const newtVersion = await fetchLatestRelease("fosrl/newt");
setText(
`wget -O newt "https://github.com/fosrl/newt/releases/download/${newtVersion}/newt_linux_amd64" && chmod +x ./newt`
);
})();
}, []);
setText(
`wget -O newt "https://github.com/fosrl/newt/releases/download/${newtVersion}/newt_linux_amd64" && chmod +x ./newt`
);
})();
}, []);
return <CodeBlock language="bash">{text}</CodeBlock>;
return <CodeBlock language="bash">{text}</CodeBlock>;
};
export default WgetNewtInstaller;

20
packages/docusaurus/src/components/WgetQuickInstaller.tsx
View file

@ -3,18 +3,18 @@ import React, { useEffect, useState } from "react";
import { fetchLatestRelease } from "../lib/fetchLatestRelease";
const WgetQuickInstall: React.FC = () => {
const [text, setText] = useState<string>("");
const [text, setText] = useState<string>("");
useEffect(() => {
(async () => {
const release = await fetchLatestRelease("fosrl/pangolin");
setText(
`wget -O installer "https://github.com/fosrl/pangolin/releases/download/${release}/installer_linux_$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')" && chmod +x ./installer`
);
})();
}, []);
useEffect(() => {
(async () => {
const release = await fetchLatestRelease("fosrl/pangolin");
setText(
`wget -O installer "https://github.com/fosrl/pangolin/releases/download/${release}/installer_linux_$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')" && chmod +x ./installer`
);
})();
}, []);
return <CodeBlock language="bash">{text}</CodeBlock>;
return <CodeBlock language="bash">{text}</CodeBlock>;
};
export default WgetQuickInstall;

16
packages/docusaurus/src/components/WithoutTunnelingCompose.tsx
View file

@ -3,13 +3,13 @@ import React, { useEffect, useState } from "react";
import { fetchLatestRelease } from "../lib/fetchLatestRelease";
const WithoutTunnelingCompose: React.FC = () => {
const [text, setText] = useState<string>("");
const [text, setText] = useState<string>("");
useEffect(() => {
(async () => {
const pangolinVersion = await fetchLatestRelease("fosrl/pangolin");
useEffect(() => {
(async () => {
const pangolinVersion = await fetchLatestRelease("fosrl/pangolin");
setText(`services:
setText(`services:
pangolin:
image: fosrl/pangolin:${pangolinVersion}
container_name: pangolin
@ -38,10 +38,10 @@ const WithoutTunnelingCompose: React.FC = () => {
- ./config/traefik:/etc/traefik:ro # Volume to store the Traefik configuration
- ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
`);
})();
}, []);
})();
}, []);
return <CodeBlock language="yml">{text}</CodeBlock>;
return <CodeBlock language="yml">{text}</CodeBlock>;
};
export default WithoutTunnelingCompose;

201
packages/docusaurus/src/css/custom.css
View file

@ -8,194 +8,193 @@
/* You can override the default Infima variables here. */
:root {
/* Primary colors converted from HSL to hex */
--ifm-color-primary: hsl(24.6, 95%, 53.1%);
--ifm-color-primary-dark: hsl(24.6, 95%, 48%);
--ifm-color-primary-darker: hsl(24.6, 95%, 43%);
--ifm-color-primary-darkest: hsl(24.6, 95%, 38%);
--ifm-color-primary-light: hsl(24.6, 95%, 58%);
--ifm-color-primary-lighter: hsl(24.6, 95%, 63%);
--ifm-color-primary-lightest: hsl(24.6, 95%, 68%);
/* Primary colors converted from HSL to hex */
--ifm-color-primary: hsl(24.6, 95%, 53.1%);
--ifm-color-primary-dark: hsl(24.6, 95%, 48%);
--ifm-color-primary-darker: hsl(24.6, 95%, 43%);
--ifm-color-primary-darkest: hsl(24.6, 95%, 38%);
--ifm-color-primary-light: hsl(24.6, 95%, 58%);
--ifm-color-primary-lighter: hsl(24.6, 95%, 63%);
--ifm-color-primary-lightest: hsl(24.6, 95%, 68%);
/* Additional custom variables */
--ifm-background-color: #FFFFFF;
--ifm-font-color-base: hsl(20, 0%, 10%);
--ifm-code-font-size: 85%;
--docusaurus-highlighted-code-line-bg: rgba(0, 0, 0, 0.1);
/* Additional custom variables */
--ifm-background-color: #ffffff;
--ifm-font-color-base: hsl(20, 0%, 10%);
--ifm-code-font-size: 85%;
--docusaurus-highlighted-code-line-bg: rgba(0, 0, 0, 0.1);
/* Chart colors */
--chart-color-1: hsl(12, 76%, 61%);
--chart-color-2: hsl(173, 58%, 39%);
--chart-color-3: hsl(197, 37%, 24%);
--chart-color-4: hsl(43, 74%, 66%);
--chart-color-5: hsl(27, 87%, 67%);
/* Chart colors */
--chart-color-1: hsl(12, 76%, 61%);
--chart-color-2: hsl(173, 58%, 39%);
--chart-color-3: hsl(197, 37%, 24%);
--chart-color-4: hsl(43, 74%, 66%);
--chart-color-5: hsl(27, 87%, 67%);
--ifm-global-shadow-lw: none;
--ifm-font-family-base: "Inter";
--ifm-global-shadow-lw: none;
--ifm-font-family-base: "Inter";
--ifm-breadcrumb-item-background-active: --ifm-background-color;
--ifm-breadcrumb-item-background-active: --ifm-background-color;
}
/* For readability concerns, you should choose a lighter palette in dark mode. */
[data-theme="dark"] {
/* Primary colors for dark mode */
--ifm-color-primary: hsl(20.5, 90.2%, 48.2%);
--ifm-color-primary-dark: hsl(20.5, 90.2%, 43%);
--ifm-color-primary-darker: hsl(20.5, 90.2%, 38%);
--ifm-color-primary-darkest: hsl(20.5, 90.2%, 33%);
--ifm-color-primary-light: hsl(20.5, 90.2%, 53%);
--ifm-color-primary-lighter: hsl(20.5, 90.2%, 58%);
--ifm-color-primary-lightest: hsl(20.5, 90.2%, 63%);
/* Primary colors for dark mode */
--ifm-color-primary: hsl(20.5, 90.2%, 48.2%);
--ifm-color-primary-dark: hsl(20.5, 90.2%, 43%);
--ifm-color-primary-darker: hsl(20.5, 90.2%, 38%);
--ifm-color-primary-darkest: hsl(20.5, 90.2%, 33%);
--ifm-color-primary-light: hsl(20.5, 90.2%, 53%);
--ifm-color-primary-lighter: hsl(20.5, 90.2%, 58%);
--ifm-color-primary-lightest: hsl(20.5, 90.2%, 63%);
--ifm-background-color: #1A1A1A;
--ifm-background-color: #1a1a1a;
/* Additional custom variables for dark mode */
--ifm-font-color-base: hsl(60, 9.1%, 97.8%);
--docusaurus-highlighted-code-line-bg: rgba(0, 0, 0, 0.3);
/* Additional custom variables for dark mode */
--ifm-font-color-base: hsl(60, 9.1%, 97.8%);
--docusaurus-highlighted-code-line-bg: rgba(0, 0, 0, 0.3);
/* Chart colors for dark mode */
--chart-color-1: hsl(220, 70%, 50%);
--chart-color-2: hsl(160, 60%, 45%);
--chart-color-3: hsl(30, 80%, 55%);
--chart-color-4: hsl(280, 65%, 60%);
--chart-color-5: hsl(340, 75%, 55%);
/* Chart colors for dark mode */
--chart-color-1: hsl(220, 70%, 50%);
--chart-color-2: hsl(160, 60%, 45%);
--chart-color-3: hsl(30, 80%, 55%);
--chart-color-4: hsl(280, 65%, 60%);
--chart-color-5: hsl(340, 75%, 55%);
--ifm-navbar-background-color: #1A1A1A;
--ifm-navbar-background-color: #1a1a1a;
}
.main {
font-family: "Comic Sans MS", sans-serif;
font-family: "Comic Sans MS", sans-serif;
}
.header-github-link:hover {
opacity: 0.6;
opacity: 0.6;
}
.header-github-link:before {
content: "";
width: 24px;
height: 24px;
display: flex;
background: url("data:image/svg+xml,%3Csvg viewBox='0 0 24 24' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M12 .297c-6.63 0-12 5.373-12 12 0 5.303 3.438 9.8 8.205 11.385.6.113.82-.258.82-.577 0-.285-.01-1.04-.015-2.04-3.338.724-4.042-1.61-4.042-1.61C4.422 18.07 3.633 17.7 3.633 17.7c-1.087-.744.084-.729.084-.729 1.205.084 1.838 1.236 1.838 1.236 1.07 1.835 2.809 1.305 3.495.998.108-.776.417-1.305.76-1.605-2.665-.3-5.466-1.332-5.466-5.93 0-1.31.465-2.38 1.235-3.22-.135-.303-.54-1.523.105-3.176 0 0 1.005-.322 3.3 1.23.96-.267 1.98-.399 3-.405 1.02.006 2.04.138 3 .405 2.28-1.552 3.285-1.23 3.285-1.23.645 1.653.24 2.873.12 3.176.765.84 1.23 1.91 1.23 3.22 0 4.61-2.805 5.625-5.475 5.92.42.36.81 1.096.81 2.22 0 1.606-.015 2.896-.015 3.286 0 .315.21.69.825.57C20.565 22.092 24 17.592 24 12.297c0-6.627-5.373-12-12-12'/%3E%3C/svg%3E")
no-repeat;
content: "";
width: 24px;
height: 24px;
display: flex;
background: url("data:image/svg+xml,%3Csvg viewBox='0 0 24 24' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M12 .297c-6.63 0-12 5.373-12 12 0 5.303 3.438 9.8 8.205 11.385.6.113.82-.258.82-.577 0-.285-.01-1.04-.015-2.04-3.338.724-4.042-1.61-4.042-1.61C4.422 18.07 3.633 17.7 3.633 17.7c-1.087-.744.084-.729.084-.729 1.205.084 1.838 1.236 1.838 1.236 1.07 1.835 2.809 1.305 3.495.998.108-.776.417-1.305.76-1.605-2.665-.3-5.466-1.332-5.466-5.93 0-1.31.465-2.38 1.235-3.22-.135-.303-.54-1.523.105-3.176 0 0 1.005-.322 3.3 1.23.96-.267 1.98-.399 3-.405 1.02.006 2.04.138 3 .405 2.28-1.552 3.285-1.23 3.285-1.23.645 1.653.24 2.873.12 3.176.765.84 1.23 1.91 1.23 3.22 0 4.61-2.805 5.625-5.475 5.92.42.36.81 1.096.81 2.22 0 1.606-.015 2.896-.015 3.286 0 .315.21.69.825.57C20.565 22.092 24 17.592 24 12.297c0-6.627-5.373-12-12-12'/%3E%3C/svg%3E")
no-repeat;
}
html[data-theme="dark"] .header-github-link:before {
background: url("data:image/svg+xml,%3Csvg viewBox='0 0 24 24' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath fill='white' d='M12 .297c-6.63 0-12 5.373-12 12 0 5.303 3.438 9.8 8.205 11.385.6.113.82-.258.82-.577 0-.285-.01-1.04-.015-2.04-3.338.724-4.042-1.61-4.042-1.61C4.422 18.07 3.633 17.7 3.633 17.7c-1.087-.744.084-.729.084-.729 1.205.084 1.838 1.236 1.838 1.236 1.07 1.835 2.809 1.305 3.495.998.108-.776.417-1.305.76-1.605-2.665-.3-5.466-1.332-5.466-5.93 0-1.31.465-2.38 1.235-3.22-.135-.303-.54-1.523.105-3.176 0 0 1.005-.322 3.3 1.23.96-.267 1.98-.399 3-.405 1.02.006 2.04.138 3 .405 2.28-1.552 3.285-1.23 3.285-1.23.645 1.653.24 2.873.12 3.176.765.84 1.23 1.91 1.23 3.22 0 4.61-2.805 5.625-5.475 5.92.42.36.81 1.096.81 2.22 0 1.606-.015 2.896-.015 3.286 0 .315.21.69.825.57C20.565 22.092 24 17.592 24 12.297c0-6.627-5.373-12-12-12'/%3E%3C/svg%3E")
no-repeat;
background: url("data:image/svg+xml,%3Csvg viewBox='0 0 24 24' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath fill='white' d='M12 .297c-6.63 0-12 5.373-12 12 0 5.303 3.438 9.8 8.205 11.385.6.113.82-.258.82-.577 0-.285-.01-1.04-.015-2.04-3.338.724-4.042-1.61-4.042-1.61C4.422 18.07 3.633 17.7 3.633 17.7c-1.087-.744.084-.729.084-.729 1.205.084 1.838 1.236 1.838 1.236 1.07 1.835 2.809 1.305 3.495.998.108-.776.417-1.305.76-1.605-2.665-.3-5.466-1.332-5.466-5.93 0-1.31.465-2.38 1.235-3.22-.135-.303-.54-1.523.105-3.176 0 0 1.005-.322 3.3 1.23.96-.267 1.98-.399 3-.405 1.02.006 2.04.138 3 .405 2.28-1.552 3.285-1.23 3.285-1.23.645 1.653.24 2.873.12 3.176.765.84 1.23 1.91 1.23 3.22 0 4.61-2.805 5.625-5.475 5.92.42.36.81 1.096.81 2.22 0 1.606-.015 2.896-.015 3.286 0 .315.21.69.825.57C20.565 22.092 24 17.592 24 12.297c0-6.627-5.373-12-12-12'/%3E%3C/svg%3E")
no-repeat;
}
.navbar {
border-bottom: 0px solid rgb(218, 221, 225);
max-width: 1600px; /* Limits the content width */
width: 100%; /* Ensures it scales responsively */
margin: 0 auto; /* Centers the inner content */
padding: 0 20px; /* Optional: Adds padding to prevent content from touching edges */
box-sizing: border-box;
border-bottom: 0px solid rgb(218, 221, 225);
max-width: 1600px; /* Limits the content width */
width: 100%; /* Ensures it scales responsively */
margin: 0 auto; /* Centers the inner content */
padding: 0 20px; /* Optional: Adds padding to prevent content from touching edges */
box-sizing: border-box;
}
html[data-theme="dark"] .navbar {
border-bottom: 0px solid #444950;
border-bottom: 0px solid #444950;
}
.main-wrapper {
max-width: 1600px;
width: 100%; /* Ensures responsiveness */
margin: 0 auto; /* Centers the container */
box-sizing: border-box; /* Ensures padding doesnt affect max-width */
max-width: 1600px;
width: 100%; /* Ensures responsiveness */
margin: 0 auto; /* Centers the container */
box-sizing: border-box; /* Ensures padding doesnt affect max-width */
}
article {
max-width: 800px;
margin-left: auto;
margin-right: auto;
max-width: 800px;
margin-left: auto;
margin-right: auto;
}
aside {
font-size: 0.9rem;
font-size: 0.9rem;
}
.theme-doc-sidebar-container {
border-right: 0px !important;
border-right: 0px !important;
}
.theme-admonition {
border: 0px solid rgb(218, 221, 225);
border: 0px solid rgb(218, 221, 225);
}
.prism-code {
border: 1px solid rgb(218, 221, 225);
border: 1px solid rgb(218, 221, 225);
}
html[data-theme="dark"] .theme-admonition {
border: 0px solid #333333;
border: 0px solid #333333;
}
html[data-theme="dark"] .prism-code {
border: 1px solid #333333;
background-color: #242424 !important; /* Darker background for code blocks */
border: 1px solid #333333;
background-color: #242424 !important; /* Darker background for code blocks */
}
div[class^="announcementBarContent"] a {
color: var(--ifm-link-color);
text-decoration: inherit;
color: var(--ifm-link-color);
text-decoration: inherit;
}
div[class^="announcementBarContent"] a:hover {
color: var(--ifm-link-color);
text-decoration: underline;
color: var(--ifm-link-color);
text-decoration: underline;
}
.navbar .navbar__items {
flex: auto;
flex: auto;
}
.dropdown__link {
font-size: inherit;
font-size: inherit;
}
@media screen and (max-width: 996px) {
:root {
--ifm-font-size-base: 16px;
}
article header h1 {
font-size: 1.5rem !important;
}
.hero .hero__title {
font-size: 2.5rem;
}
:root {
--ifm-font-size-base: 16px;
}
article header h1 {
font-size: 1.5rem !important;
}
.hero .hero__title {
font-size: 2.5rem;
}
}
@media screen and (min-width: 997px) {
:root {
--ifm-font-size-base: 16px;
}
article header h1 {
font-size: 2rem !important;
}
:root {
--ifm-font-size-base: 16px;
}
article header h1 {
font-size: 2rem !important;
}
}
.pagination-nav__label::before {
display: none;
display: none;
}
.pagination-nav__label::after {
display: none;
display: none;
}
.table-of-contents {
border: 0px;
border: 0px;
}
/* Default (mobile styles remain unchanged) */
.breadcrumbs li:first-child {
display: none;
display: none;
}
.breadcrumbs li:nth-child(2) .breadcrumbs__link{
padding-left: 0px !important;
.breadcrumbs li:nth-child(2) .breadcrumbs__link {
padding-left: 0px !important;
}
html[data-theme="dark"] {
background-color: #1A1A1A !important;
background-color: #1a1a1a !important;
}

26
packages/docusaurus/src/lib/fetchLatestRelease.ts
View file

@ -1,17 +1,15 @@
export async function fetchLatestRelease(repo: string) {
try {
const response = await fetch(
`https://api.github.com/repos/${repo}/releases/latest`
);
if (!response.ok) {
throw new Error(
`Failed to fetch release info: ${response.statusText}`
);
}
const data = await response.json();
const latestVersion = data.tag_name;
return latestVersion;
} catch (error) {
console.error("Error fetching latest release:", error);
try {
const response = await fetch(
`https://api.github.com/repos/${repo}/releases/latest`
);
if (!response.ok) {
throw new Error(`Failed to fetch release info: ${response.statusText}`);
}
const data = await response.json();
const latestVersion = data.tag_name;
return latestVersion;
} catch (error) {
console.error("Error fetching latest release:", error);
}
}

18
packages/docusaurus/tsconfig.json
View file

@ -1,11 +1,11 @@
{
// This file is not used in compilation. It is here just for a nice editor experience.
"extends": "@docusaurus/tsconfig",
"compilerOptions": {
"baseUrl": ".",
"paths": {
"@/*": ["./*"]
}
},
"exclude": [".docusaurus", "build"]
// This file is not used in compilation. It is here just for a nice editor experience.
"extends": "@docusaurus/tsconfig",
"compilerOptions": {
"baseUrl": ".",
"paths": {
"@/*": ["./*"]
}
},
"exclude": [".docusaurus", "build"]
}

2
sst.config.ts
View file

@ -10,5 +10,5 @@ export default {
},
stacks(app) {
app.stack(DocusaurusStack);
}
},
} satisfies SSTConfig;

66
stacks/DocusaurusStack.ts
View file

@ -3,40 +3,40 @@ import * as route53 from "aws-cdk-lib/aws-route53";
import { ViewerProtocolPolicy } from "aws-cdk-lib/aws-cloudfront";
export function DocusaurusStack({ stack }: StackContext) {
const hostedZone = route53.HostedZone.fromLookup(stack, "HostedZone", {
domainName: "fossorial.io",
});
const hostedZone = route53.HostedZone.fromLookup(stack, "HostedZone", {
domainName: "fossorial.io",
});
const site = new StaticSite(stack, "DocusaurusSite", {
path: "packages/docusaurus",
buildOutput: "build",
buildCommand: "npm run build",
customDomain: {
domainName: "docs.fossorial.io",
hostedZone: hostedZone.zoneName,
isExternalDomain: false,
const site = new StaticSite(stack, "DocusaurusSite", {
path: "packages/docusaurus",
buildOutput: "build",
buildCommand: "npm run build",
customDomain: {
domainName: "docs.fossorial.io",
hostedZone: hostedZone.zoneName,
isExternalDomain: false,
},
cdk: {
distribution: {
defaultBehavior: {
viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
compress: true,
},
cdk: {
distribution: {
defaultBehavior: {
viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
compress: true,
},
errorResponses: [
{
httpStatus: 403,
responseHttpStatus: 200,
responsePagePath: "/index.html",
},
{
httpStatus: 404,
responseHttpStatus: 200,
responsePagePath: "/index.html",
},
],
},
},
});
errorResponses: [
{
httpStatus: 403,
responseHttpStatus: 200,
responsePagePath: "/index.html",
},
{
httpStatus: 404,
responseHttpStatus: 200,
responsePagePath: "/index.html",
},
],
},
},
});
stack.addOutputs({});
stack.addOutputs({});
}