Features:
- Traefik reverse proxy with automatic SSL (Let's Encrypt)
- Authelia SSO and 2FA authentication
- CrowdSec intrusion detection/prevention
- AdGuard Home DNS
- TrueNAS Nextcloud routing configured
- Portainer Git Repository deployment ready

Security:
- Cloudflare integration with strict SSL
- Rate limiting and security headers
- Network segmentation (external/internal)
- Automatic threat blocking
# LemonSec 🍋

A comprehensive, security-focused reverse proxy and authentication stack for homelab and small business deployments.

## Architecture

```
Internet → Cloudflare → Traefik → {Authelia → Your Services}
                           ↓
                 CrowdSec (threat detection)
                           ↓
                 AdGuard Home (internal DNS)
```

### For TrueNAS Scale Users

If you run Nextcloud on TrueNAS Scale (separate VM), LemonSec acts as the secure gateway:

```
Internet → Cloudflare → Traefik (Proxmox VM) → TrueNAS Nextcloud
                           ↓
                  Authelia (family SSO)
```

See SETUP-TRUENAS-NEXTCLOUD.md for the step-by-step guide.
## Components
| Component | Purpose | External | Internal |
|---|---|---|---|
| Traefik | Reverse Proxy & Load Balancer | ✅ 443/80 | ✅ 8443 |
| Authelia | SSO & 2FA Authentication | ✅ auth.lemonlink.eu | ✅ |
| CrowdSec | Intrusion Detection/Prevention | ✅ | ✅ |
| AdGuard Home | DNS + Ad Blocking | ❌ | ✅ DNS |
| Redis | Session Storage | ❌ | ✅ |
## Network Segmentation

### External Network (traefik-external)
- Entry: Cloudflare (orange cloud)
- Security: CrowdSec + Authelia 2FA
- Examples: nextcloud.lemonlink.eu, vault.lemonlink.eu
### Internal Network (traefik-internal)
- Entry: Tailscale/VPN only
- Security: Authelia (one_factor on trusted networks)
- Examples: traefik.local.lemonlink.eu, portainer.local.lemonlink.eu
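As an added illustration (not a file from the LemonSec repository) of how the two tiers above map onto Authelia's `access_control`, assuming Tailscale's default CGNAT range (100.64.0.0/10), a hypothetical LAN range, and the hostnames listed above:

```yaml
# authelia/configuration.yml (excerpt) - added example, not the repo's own file.
# Assumes Tailscale's default CGNAT range and a hypothetical LAN of 192.168.1.0/24.
# Rules are evaluated top to bottom and the first match wins; a rule with a
# "networks" clause only matches requests whose source IP is inside that network.
# Network matching relies on Traefik passing the real client address to Authelia
# (forwardedHeaders.trustedIPs on the websecure entrypoint must trust Cloudflare's
# ranges), otherwise every external request looks like it came from Cloudflare's edge.
access_control:
  default_policy: deny          # anything not matched below is refused outright

  networks:
    - name: tailscale
      networks:
        - 100.64.0.0/10
    - name: lan                 # hypothetical LAN range, adjust to your own
      networks:
        - 192.168.1.0/24

  rules:
    # Internal tier: *.local.lemonlink.eu is one_factor, but only from trusted networks.
    # A request from any other source matches no rule and falls through to deny.
    - domain: "*.local.lemonlink.eu"
      policy: one_factor
      networks:
        - tailscale
        - lan

    # Narrower rule first: an admin-only path on the vault host, limited to one group.
    - domain: "vault.lemonlink.eu"
      resources:
        - "^/admin/.*$"
      policy: two_factor
      subject:
        - "group:admins"

    # External tier: always two_factor, from anywhere (Cloudflare -> Traefik -> Authelia).
    - domain:
        - nextcloud.lemonlink.eu
        - vault.lemonlink.eu
      policy: two_factor
```

Because the internal hostnames are never listed without a `networks` clause, a DNS leak or misrouted request for `portainer.local.lemonlink.eu` from the internet is denied before any login form is shown.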
## Quick Start

### 🚀 Deploy via Portainer (Recommended for Proxmox)

The easiest way to deploy on Proxmox with Portainer:

1. Push to Git:
   ```bash
   git remote add origin https://git.lemonlink.eu/impulsivefps/LemonSec.git
   git push -u origin main
   ```
2. In Portainer:
   - Stacks → Add Stack → Repository
   - URL: `https://git.lemonlink.eu/impulsivefps/LemonSec`
   - Add environment variables from `stack.env`
   - Deploy

Full Portainer guide: PORTAINER-DEPLOY.md
### 🚀 TrueNAS + Nextcloud Quick Start

If your main goal is securing TrueNAS Nextcloud for family:

```bash
# 1. Clone and configure
cd LemonSec
cp .env.example .env
# Edit: Add Cloudflare API, TrueNAS_IP, Nextcloud port

# 2. Setup
./setup.ps1   # or create secrets manually

# 3. Deploy
docker-compose up -d
docker-compose -f docker-compose.yml -f docker-compose.external.yml up -d

# 4. Configure TrueNAS Nextcloud
# Apps → Nextcloud → Add environment variables
# NEXTCLOUD_TRUSTED_DOMAINS=cloud.lemonlink.eu
# OVERWRITEPROTOCOL=https
# TRUSTED_PROXIES=YOUR_PROXMOX_VM_IP
```

Full guide: SETUP-TRUENAS-NEXTCLOUD.md

### Migrating from Nginx Proxy Manager?

See MIGRATE-FROM-NPM.md for a side-by-side migration guide.
### 1. Prerequisites
- Docker & Docker Compose installed
- Domain managed by Cloudflare
- Tailscale installed on server
- Ports 80/443 forwarded to Proxmox server
### 2. Configuration

```bash
# Clone and setup
cd LemonSec

# Copy and edit environment
cp .env.example .env
nano .env

# Run setup script (generates secrets)
./setup.ps1      # On Windows
# or
bash setup.sh    # On Linux
```
### 3. Cloudflare Setup
See CLOUDFLARE.md for detailed DNS configuration.
Quick checklist:
- Create API token with DNS:Edit permissions
- Add A record pointing to your server IP
- Enable orange cloud (proxy)
- Set SSL/TLS mode to "Full (strict)"
- Enable "Always Use HTTPS"
### 4. Deploy

```bash
# Start core services
docker-compose up -d

# Check Traefik is working
docker-compose logs -f traefik

# Generate CrowdSec API key
docker-compose exec crowdsec cscli bouncers add traefik-bouncer
# Add key to .env, then restart
docker-compose up -d

# Setup Authelia users
docker run authelia/authelia:latest authelia crypto hash generate argon2 --password 'YOUR_PASSWORD'
# Add hash to authelia/users_database.yml
```
### 5. Add Your Services

See examples/ for service templates.

```yaml
# docker-compose.override.yml or separate file
services:
  myapp:
    image: myapp:latest
    networks:
      - services
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.myapp.rule=Host(`myapp.lemonlink.eu`)"
      - "traefik.http.routers.myapp.entrypoints=websecure"
      - "traefik.http.routers.myapp.tls.certresolver=letsencrypt"
      - "traefik.http.routers.myapp.middlewares=authelia@docker"
```
## Security Features

### 1. Multi-Factor Authentication

- TOTP (Google Authenticator, Authy, etc.)
- WebAuthn/FIDO2 (YubiKey, Windows Hello, etc.)
- Duo Push (with configuration)

### 2. Threat Detection (CrowdSec)

- Real-time log analysis
- Community blocklists
- Automatic IP banning
- Metrics and alerts

### 3. Network Isolation

- Internal services inaccessible from internet
- External services protected by auth
- Docker network segmentation

### 4. TLS/SSL

- Automatic Let's Encrypt certificates
- Wildcard certificates for subdomains
- Modern TLS 1.3 configuration

### 5. Security Headers

- HSTS (1 year)
- CSP (Content Security Policy)
- X-Frame-Options, X-Content-Type-Options
- Referrer-Policy
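One way to express the header set above, plus the rate limiting mentioned in the feature list, as Traefik file-provider middlewares. This is an added example, not the repository's own `traefik/dynamic/middlewares.yml`; the middleware names, limits and CSP are assumptions to adjust per service.

```yaml
# traefik/dynamic/middlewares.yml (file provider) - added example, not the repo's own file.
# Reference from a router as "secure-headers@file,rate-limit@file" (file-provider
# middlewares carry the @file suffix, unlike authelia@docker).
http:
  middlewares:
    secure-headers:
      headers:
        # HSTS for one year (31536000 s) including subdomains; forceSTSHeader
        # also adds it to the HTTP->HTTPS redirect responses.
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        # X-Content-Type-Options: nosniff
        contentTypeNosniff: true
        # X-Frame-Options: DENY (use customFrameOptionsValue: SAMEORIGIN for apps
        # that embed their own pages in iframes)
        frameDeny: true
        referrerPolicy: "strict-origin-when-cross-origin"
        # Baseline CSP. Apps such as Nextcloud send their own CSP; a second one
        # from the proxy is enforced in addition, so keep this off routers whose
        # backend already sets a policy, or tune it per service.
        contentSecurityPolicy: "default-src 'self'; frame-ancestors 'none'; object-src 'none'"
        customResponseHeaders:
          # An empty value removes the header: hide backend version banners.
          Server: ""
          X-Powered-By: ""

    rate-limit:
      rateLimit:
        # Sustained 50 requests/second per client, with a burst of 100.
        average: 50
        period: 1s
        burst: 100
        sourceCriterion:
          ipStrategy:
            # Take the rightmost X-Forwarded-For entry. With Cloudflare as the only
            # hop in front of Traefik that is the real client, provided the websecure
            # entrypoint's forwardedHeaders.trustedIPs lists Cloudflare's ranges;
            # otherwise every request would be counted against one shared limit.
            depth: 1
```

After reloading, `curl -sI https://myapp.lemonlink.eu` should show `strict-transport-security` and `x-frame-options` on the response; a missing header usually means the middleware was not attached to that router.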
## Directory Structure

```
LemonSec/
├── docker-compose.yml          # Main stack
├── .env                        # Your secrets (gitignored)
├── .env.example                # Template
├── setup.ps1                   # Windows setup
├── traefik/
│   ├── traefik.yml             # Static config
│   ├── dynamic/                # Dynamic config
│   │   ├── middlewares.yml     # Security middlewares
│   │   └── tls.yml             # TLS options
│   ├── crowdsec/               # CrowdSec bouncer config
│   └── logs/                   # Access logs
├── authelia/
│   ├── configuration.yml       # Authelia settings
│   └── users_database.yml      # User accounts
├── crowdsec/
│   └── acquis.yaml             # Log sources
├── adguard/                    # AdGuard data (volumes)
├── monitoring/                 # Prometheus/Grafana configs
├── examples/                   # Service examples
└── docs/                       # Documentation
```
## Common Operations

### View Logs

```bash
# All services
docker-compose logs -f

# Specific service
docker-compose logs -f traefik

# CrowdSec decisions
docker-compose exec crowdsec cscli decisions list

# CrowdSec metrics
docker-compose exec crowdsec cscli metrics
```

### Update

```bash
# Pull latest images
docker-compose pull

# Recreate containers
docker-compose up -d
```

### Backup

```bash
# Backup volumes
docker run --rm -v lemonsec_authelia-data:/data -v $(pwd):/backup alpine tar czf /backup/authelia-backup.tar.gz -C /data .
docker run --rm -v lemonsec_crowdsec-data:/data -v $(pwd):/backup alpine tar czf /backup/crowdsec-backup.tar.gz -C /data .

# Backup configs
tar czf lemonsec-config-backup.tar.gz traefik/ authelia/ crowdsec/ .env
```

### Add User to Authelia

```bash
# Generate password hash
docker run authelia/authelia:latest authelia crypto hash generate argon2 --password 'NEWPASSWORD'

# Edit authelia/users_database.yml
# Add user entry with hash

# Restart authelia
docker-compose restart authelia
```
## Troubleshooting

### Traefik not getting certificates

- Check Cloudflare API credentials in `.env`
- Verify DNS records point to your IP
- Check Traefik logs: `docker-compose logs traefik`
- Test with staging first: change `certresolver` to `letsencrypt-staging`

### Authelia redirect loops

- Check `session.domain` matches your domain
- Verify cookies aren't blocked
- Check time sync on server: `ntpdate -s time.cloudflare.com`

### CrowdSec blocking legitimate traffic

```bash
# Check decisions
docker-compose exec crowdsec cscli decisions list

# Remove false positive
docker-compose exec crowdsec cscli decisions delete --ip YOUR_IP

# Add whitelist
docker-compose exec crowdsec cscli parsers install crowdsecurity/whitelists
```
## Security Checklist
- Change all default passwords
- Enable 2FA for all users
- Set up email notifications for Authelia
- Configure CrowdSec notifications
- Review Cloudflare security settings
- Enable fail2ban on host (optional)
- Regular backups
- Update images monthly
## License

MIT - Use at your own risk. This is a homelab security stack, not enterprise-grade.