plausible analytics & traefik - initial commit

Author: julienhmmt

traefik-plausible/README.md

@@ -0,0 +1,42 @@
+# docker-compose Traefik & Plausible
+
+Plausible is an analytics tools for your website, with a lightweight script, GPDR compliant and simple. It is less complicated than Matomo, but there is less functionnality. To have more informations at [plausible website](https://plausible.io/simple-web-analytics).  
+
+## :factory: Requirements
+
+* linux host (tested successfully on Ubuntu 20.04 && 22.04, Debian 10 & 11)
+* docker >= 23.x
+* docker compose (plugin) >= 2.17.x
+
+## :rocket: How to use
+
+Clone this repo where you want with this line :
+
+```bash
+git clone https://github.com/Mettmett/docker-compose.git:traefik-plausible
+```
+
+You need to edit files `plausible-conf.env` and `.env` at the source folder to modify the values of some vars.
+
+After that when you're all set, press the red button to initiate :fire: !
+
+```bash
+docker compose pull && docker compose up -d && docker compose logs -f
+```
+
+## :star: Author
+
+Made by Julien HOMMET :fr: for [my personnal website](https://j.hommet.net)
+
+* Twitter: [@mettmettz](https://twitter.com/mettmettz)
+* GitHub: [Mettmett](https://github.com/Mettmett)
+
+## :wrench: Support & Contribution
+
+Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.
+
+## :moneybag: Licence
+
+[CC BY-NC-SA](https://creativecommons.org/licenses/by-nc-sa/4.0)
+
+## :anchor: Misc

traefik-plausible/clickhouse/clickhouse-config.xml

@@ -0,0 +1,14 @@
+<yandex>
+    <logger>
+        <level>warning</level>
+        <console>true</console>
+    </logger>
+
+    <!-- Stop all the unnecessary logging -->
+    <query_thread_log remove="remove"/>
+    <query_log remove="remove"/>
+    <text_log remove="remove"/>
+    <trace_log remove="remove"/>
+    <metric_log remove="remove"/>
+    <asynchronous_metric_log remove="remove"/>
+</yandex>

traefik-plausible/clickhouse/clickhouse-user-config.xml

@@ -0,0 +1,8 @@
+<yandex>
+    <profiles>
+        <default>
+            <log_queries>0</log_queries>
+            <log_query_threads>0</log_query_threads>
+        </default>
+    </profiles>
+</yandex>

traefik-plausible/conf/acme.json

@@ -0,0 +1,67 @@
+---
+global:
+  sendAnonymousUsage: true
+  checkNewVersion: false
+
+api:
+  #insecure: true
+  dashboard: true
+  #debug: true
+
+log:
+  filePath: "/etc/traefik/applog.log"
+  format: json
+  level: "ERROR"
+
+providers:
+  docker:
+    #endpoint: unix:///var/run/docker.sock
+    endpoint: tcp://dockerproxy:2375
+    network: dockerproxynet
+    exposedByDefault: false
+    watch: true
+    swarmMode: false
+  file:
+    directory: "/etc/traefik/dynamic"
+    watch: true
+
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+  websecure:
+    address: ":443"
+  metrics:
+    address: ":9090"
+  ping:
+    address: ":8082"
+
+ping:
+  entryPoint: "ping"
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: mail@domain.name
+      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
+      caServer: https://acme-v02.api.letsencrypt.org/directory
+      storage: acme.json
+      keyType: EC256
+      httpChallenge:
+        entryPoint: web
+
+metrics:
+  prometheus:
+    entryPoint: metrics
+    addEntryPointsLabels: true
+    addRoutersLabels: true
+    addServicesLabels: true
+    buckets:
+      - 0.1
+      - 0.3
+      - 1.2
+      - 5.0

traefik-plausible/conf/traefik.yml

@@ -0,0 +1,48 @@
+---
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+      sniStrict: true
+      cipherSuites:
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+        - TLS_AES_128_GCM_SHA256
+        - TLS_AES_256_GCM_SHA384
+        - TLS_CHACHA20_POLY1305_SHA256
+      curvePreferences:
+        - CurveP521
+        - CurveP384
+      alpnProtocols:
+        - h2
+        - http/1.1
+    mintls13:
+      minVersion: VersionTLS13
+
+http:
+  middlewares:
+    security:
+      headers:
+        accessControlAllowMethods:
+          - GET
+          - OPTIONS
+          - PUT
+        accessControlMaxAge: 100
+        addVaryHeader: true
+        browserXssFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        frameDeny: true
+        sslRedirect: true
+        sslForceHost: true
+        stsPreload: true
+        customFrameOptionsValue: SAMEORIGIN
+        referrerPolicy: "same-origin"
+        featurePolicy: "camera 'none'; microphone 'none'; payment 'none'; usb 'none';"
+        stsSeconds: 315360000
+        hostsProxyHeaders:
+          - "X-Forwarded-Host"

traefik-plausible/conf/traefikdynamic/general.yml

@@ -0,0 +1,21 @@
+---
+http:
+  routers:
+    rt-traefik:
+      entryPoints:
+      - websecure
+      service: api@internal
+      rule: Host (`traefik.domain.name`)
+      tls:
+        options: default
+        certResolver: letsencrypt
+
+    rt-plausible:
+      entryPoints:
+      - websecure
+      middlewares:
+      - security
+      service: sc-plausible
+      rule: Host (`plausible.domain.local`)
+      tls:
+        certResolver: letsencrypt

traefik-plausible/conf/traefikdynamic/routers.yml

@@ -0,0 +1,7 @@
+---
+http:
+  services:
+    sc-plausible:
+      loadBalancer:
+        servers:
+        - url: "http://plausible:8000"

traefik-plausible/conf/traefikdynamic/services.yml

@@ -0,0 +1,150 @@
+---
+
+services:
+  dockerproxy:
+    image: tecnativa/docker-socket-proxy:edge
+    restart: always
+    container_name: dockerproxy
+    networks:
+      - dockerproxynet
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    environment:
+      LOG_LEVEL: info
+      # 0 to revoke access / 1 to grant access.
+      ## Granted by Default
+      EVENTS: 1
+      PING: 1
+      VERSION: 1
+      ## Revoked by Default
+      # Security critical
+      AUTH: 0
+      SECRETS: 0
+      # Not always needed
+      BUILD: 0
+      COMMIT: 0
+      CONFIGS: 0
+      CONTAINERS: 1 # Traefik, portainer, etc.
+      DISTRIBUTION: 0
+      EXEC: 0
+      IMAGES: 1 # Portainer
+      INFO: 1 # Portainer
+      NETWORKS: 1 # Portainer
+      NODES: 0
+      PLUGINS: 0
+      SERVICES: 1 # Portainer
+      SESSION: 0
+      SWARM: 0
+      SYSTEM: 0
+      TASKS: 1 # Portainer
+      VOLUMES: 1 # Portainer
+      TZ: "Europe/Paris"
+
+  traefik:
+    image: traefik:saintmarcelin
+    restart: unless-stopped
+    container_name: traefik
+    networks:
+      - dockerproxynet
+    ports:
+      - target : 80
+        published : 80
+        protocol: tcp
+        mode : host
+      - target : 443
+        published : 443
+        protocol: tcp
+        mode : host
+    volumes:
+      - ./conf/acme.json:/acme.json
+      - ./conf/traefik.yml:/etc/traefik/traefik.yml:ro
+      - ./conf/traefikdynamic:/etc/traefik/dynamic:ro
+      - ./logs/traefik.log:/etc/traefik/applog.log
+      - /etc/localtime:/etc/localtime:ro
+      #- /var/run/docker.sock:/var/run/docker.sock:ro
+    environment:
+      TZ: "Europe/Paris"
+    healthcheck:
+      test: ["CMD", "traefik", "healthcheck", "--ping"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+    mem_limit: 256m
+    mem_reservation: 128m
+    depends_on:
+      - dockerproxy
+
+  plausible_mail:
+    image: bytemark/smtp
+    container_name: plausible_mail
+    restart: unless-stopped
+    environment:
+      RELAY_HOST: mail.domain.local
+      RELAY_PORT: 587
+      RELAY_USERNAME: changeme@domain.local
+      RELAY_PASSWORD: changeme
+      TZ: Europe/Paris
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+    mem_limit: 128m
+    mem_reservation: 64m
+
+  plausible_db:
+    image: postgres:14-alpine
+    container_name: plausible_db
+    restart: unless-stopped
+    volumes:
+      - db-data:/var/lib/postgresql/data
+      - /etc/localtime:/etc/localtime:ro
+    environment:
+      POSTGRES_USER: plausibledbuser
+      POSTGRES_PASSWORD: plausibledbpassword
+      POSTGRES_DB: plausibledb
+      TZ: Europe/Paris
+
+  plausible_events_db:
+    image: clickhouse/clickhouse-server:22.6-alpine
+    container_name: plausible_events_db
+    restart: unless-stopped
+    volumes:
+      - event-data:/var/lib/clickhouse
+      - ./clickhouse/clickhouse-config.xml:/etc/clickhouse-server/config.d/logging.xml:ro
+      - ./clickhouse/clickhouse-user-config.xml:/etc/clickhouse-server/users.d/logging.xml:ro
+      - /etc/localtime:/etc/localtime:ro
+    environment:
+      TZ: Europe/Paris
+    ulimits:
+      nofile:
+        soft: 262144
+        hard: 262144
+
+  plausible:
+    image: plausible/analytics:latest
+    container_name: plausible
+    restart: unless-stopped
+    command: sh -c "sleep 10 && /entrypoint.sh db createdb && /entrypoint.sh db migrate && /entrypoint.sh db init-admin && /entrypoint.sh run"
+    depends_on:
+      - plausible_db
+      - plausible_events_db
+      - plausible_mail
+    env_file:
+      - plausible-conf.env
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+    environment:
+      TZ: Europe/Paris
+
+volumes:
+  db-data:
+    driver: local
+  event-data:
+    driver: local
+  geoip:
+    driver: local
+
+networks:
+  dockerproxynet:
+    name: dockerproxynet
+    ipam:
+      config:
+        - subnet: 172.16.10.0/24