Files
57_Wolve 7faa9098de feat: unified launcher, multi-OS hardening, login alerts & auto-updates
Restructure around a single entry point (automations.sh) with a Gum wizard and
a self-extracting bundle for repo-less installs. Add scripts/oslib.sh so the
provisioning scripts (setup-host, harden-ssh, harden-jumphost, sshuser) run on
Alpine/Debian/Alma; seed root keys from globals/.

- ntfy SSH-login alerts (user, source IP, key, region, jump target) via pam_exec
- daily auto-updates with AUTO_REBOOT=idle (reboots only when no SSH active) and
  opt-in Alpine stable-branch upgrades
- generic + per-deployment cloud-init; Gitea release workflow on tag
- README/LICENSE/.gitignore/.gitattributes (force LF); repo URLs -> Gitea
2026-06-12 14:56:02 -05:00

66 lines
1.9 KiB
YAML

# beszel stack -- caddy (TLS) + beszel hub (server monitoring).
#
# Topology:
# Browser + agents -> caddy:443 -> beszel:8090
#
# No Anubis: agents push metrics over HTTP/WebSocket and a PoW gate would
# break them. Beszel's API surface is what agents use.
#
# OIDC is configured post-deploy through the Beszel admin UI (PocketBase
# settings), not via env vars or config file. See the deploy.sh "DEPLOYED"
# block for the exact steps.
name: beszel
volumes:
beszel-data:
caddy-data:
caddy-config:
services:
caddy:
image: caddy:${CADDY_TAG:-2-alpine}
container_name: caddy
restart: unless-stopped
ports:
- "80:80"
- "443:443"
# - "443:443/udp" # HTTP/3 -- disabled (Caddy QUIC + reverse_proxy
# placeholder bug). Re-enable when fixed.
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile:ro
- caddy-data:/data
- caddy-config:/config
environment:
BESZEL_DOMAIN: "${BESZEL_DOMAIN}"
ACME_EMAIL: "${ACME_EMAIL}"
depends_on:
- beszel
healthcheck:
test: ["CMD", "wget", "-qO-", "http://127.0.0.1:2019/config/"]
interval: 30s
timeout: 5s
retries: 3
start_period: 10s
beszel:
image: henrygd/beszel:${BESZEL_TAG:-latest}
container_name: beszel
restart: unless-stopped
command: serve --http "0.0.0.0:8090"
volumes:
- beszel-data:/beszel_data
environment:
# Disable username/password auth -- force OIDC. Comment out until
# you've configured an OIDC provider in the admin UI, otherwise you
# lock yourself out on first run.
# DISABLE_PASSWORD_AUTH: "true"
# Allow OIDC to auto-create user accounts on first login.
USER_CREATION: "${USER_CREATION:-true}"
healthcheck:
test: ["CMD", "wget", "-qO-", "http://127.0.0.1:8090/api/health"]
interval: 30s
timeout: 5s
retries: 3
start_period: 30s