### Download Example Ban Page (Bash) Source: https://docs.digpangolin.com/self-host/community-guides/crowdsec This snippet downloads the official example ban.html file. Ensure you have wget installed to use this command. The file is intended to be placed in the Traefik configuration directory. ```bash wget https://raw.githubusercontent.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/refs/heads/main/ban.html ``` -------------------------------- ### Download Example Captcha Page (Bash) Source: https://docs.digpangolin.com/self-host/community-guides/crowdsec This snippet downloads the official example captcha.html file. It requires wget to be installed. The downloaded file should be placed in the Traefik configuration directory. ```bash wget https://raw.githubusercontent.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/refs/heads/main/captcha.html ``` -------------------------------- ### Start Development Server (npm) Source: https://docs.digpangolin.com/development/contributing Starts the local development server for the project. This command enables features like hot reloading and allows for active development. ```bash npm run dev ``` -------------------------------- ### Run Pangolin Installer Source: https://docs.digpangolin.com/self-host/quick-install-managed This command executes the downloaded Pangolin installer script with root privileges. The installer places all necessary files in the current directory. It is recommended to move the installer to the desired installation directory before running it. ```bash sudo ./installer ``` -------------------------------- ### Download and Install Olm Client (Bash) Source: https://docs.digpangolin.com/manage/clients/install-client Automatically installs the latest version of Olm, detects system architecture, and adds it to the PATH. This is the recommended method for a quick setup. Requires curl and bash. ```bash curl -fsSL https://digpangolin.com/get-olm.sh | bash ``` -------------------------------- ### Starting Docker Compose Services Source: https://docs.digpangolin.com/manage/sites/install-site Initiates the Docker Compose services defined in the `docker-compose.yml` file in detached mode. This command is used to bring up the Newt container and any other services specified in the configuration. ```bash docker compose up -d ``` -------------------------------- ### Download Pangolin Installer Script Source: https://docs.digpangolin.com/self-host/quick-install-managed This command downloads the automated installer script for Pangolin. It uses curl to fetch the script from the provided URL and pipes it directly to bash for execution. The script is designed to support both AMD64 and ARM64 architectures. ```bash curl -fsSL https://digpangolin.com/get-installer.sh | bash ``` -------------------------------- ### Start Pangolin Development Server with Docker Compose (Bash) Source: https://docs.digpangolin.com/development/contributing This command builds the Docker images if necessary and starts all the services defined in the Docker Compose file in development mode. Hot reloading is typically enabled. ```bash docker compose up --build ``` -------------------------------- ### Manage Olm Windows Service (Batch) Source: https://docs.digpangolin.com/manage/clients/install-client Commands to manage the Olm client as a Windows service. Includes installation, starting, stopping, checking status, and removal. Requires administrator privileges. ```batch olm.exe install olm.exe start olm.exe stop olm.exe status olm.exe remove olm.exe debug olm.exe help ``` -------------------------------- ### Install NPM Dependencies (Bash) Source: https://docs.digpangolin.com/development/contributing Installs all the necessary Node.js package dependencies for the Pangolin project using npm. ```bash npm install ``` -------------------------------- ### Clone and Navigate Pangolin Repository (Bash) Source: https://docs.digpangolin.com/development/contributing This snippet demonstrates how to clone the Pangolin repository from GitHub and navigate into its directory. It assumes you have Git installed and are authenticated with GitHub. ```bash git clone https://github.com/YOUR_USERNAME/pangolin.git cd pangolin/ ``` -------------------------------- ### Install CrowdSec Repositories (Bash) Source: https://docs.digpangolin.com/self-host/community-guides/crowdsec This command installs the CrowdSec package repositories on Debian/Ubuntu systems, preparing the system for installing CrowdSec and its related packages like firewall bouncers. ```bash curl -s https://install.crowdsec.net | sudo sh ``` -------------------------------- ### Build Component Locally (make) Source: https://docs.digpangolin.com/development/contributing Builds the specified component (Gerbil, Newt, or Olm) for local development using the `make local` command. This assumes Go v1.23.1 is installed. ```bash make local ``` -------------------------------- ### Docker Volume Mount (Bash) Source: https://docs.digpangolin.com/development/contributing An example of correctly mounting a local project directory into a Docker container using the `docker run` command. It highlights the use of the absolute Linux path from within WSL2. ```bash docker run -v /home//pangolin:/app my-image ``` -------------------------------- ### Install Olm Binary to PATH (Bash) Source: https://docs.digpangolin.com/manage/clients/install-client Moves the downloaded Olm binary to a system-wide executable path, typically requiring root privileges. This makes Olm accessible from any directory. ```bash mv ./olm /usr/local/bin ``` -------------------------------- ### Running Newt with Configuration Source: https://docs.digpangolin.com/manage/sites/install-site Executes the Newt binary with essential configuration parameters: site ID, secret key, and endpoint URL. These parameters are provided as command-line arguments. Ensure the Newt binary is in your PATH or specify its full path. ```bash newt \ --id 31frd0uzbjvp721 \ --secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6 \ --endpoint https://example.com ``` -------------------------------- ### Set up PostgreSQL with Pangolin using Docker Compose Source: https://docs.digpangolin.com/self-host/advanced/database-options This Docker Compose example demonstrates how to configure Pangolin to use a PostgreSQL database. It includes service definitions for both Pangolin and PostgreSQL, with health checks to ensure the database is ready before Pangolin starts. It highlights the use of specific version tags over 'latest' for production. ```yaml name: pangolin services: pangolin: image: fosrl/pangolin:postgresql-latest # Don't use latest in production container_name: pangolin restart: unless-stopped depends_on: postgres: condition: service_healthy volumes: - ./config:/app/config healthcheck: test: ["CMD", "curl", "-f", "http://localhost:3001/api/v1/"] interval: "10s" timeout: "10s" retries: 15 # ... other services ... postgres: image: postgres:17 container_name: postgres restart: unless-stopped environment: POSTGRES_USER: postgres POSTGRES_PASSWORD: postgres volumes: - ./config/postgres:/var/lib/postgresql/data healthcheck: test: ["CMD-SHELL", "pg_isready -U postgres"] interval: 10s timeout: 5s retries: 5 ``` -------------------------------- ### Pangolin Configuration File Structure Source: https://docs.digpangolin.com/self-host/manual/unraid This illustrates the directory structure for Pangolin's configuration file. The `config.yml` file is crucial for the Pangolin container to start correctly, and its content should be defined according to the project's configuration guidelines. ```file structure pangolin/ ├─ config/ │ ├─ config.yml ``` -------------------------------- ### Permanent Newt Binary Installation Source: https://docs.digpangolin.com/manage/sites/install-site Moves the Newt executable binary to a system-wide PATH directory, typically `/usr/local/bin`. This command may require root privileges to ensure the binary is accessible from any terminal location. The quick installer performs this step automatically. ```bash mv ./newt /usr/local/bin ``` -------------------------------- ### Docker Volume Mount (YAML) Source: https://docs.digpangolin.com/development/contributing An example of correctly mounting a local project directory into a Docker container using Docker Compose. It emphasizes using the absolute Linux path from within WSL2 for optimal performance and compatibility. ```yaml services: app: volumes: - /home//pangolin:/app ``` -------------------------------- ### Configure Gerbil WireGuard Port - YAML Source: https://docs.digpangolin.com/self-host/manual/unraid Specifies the default WireGuard start port for Gerbil within the Pangolin configuration. This is crucial for avoiding connection issues and ensuring compatibility with existing setups. The default port is 51822. ```yaml gerbil: start_port: 51822 ``` -------------------------------- ### Manually Download and Make Olm Executable (Bash) Source: https://docs.digpangolin.com/manage/clients/install-client Manually downloads a specific version of Olm for Linux/macOS. Replace `{version}` with the desired version and `{architecture}` with your system's architecture (e.g., amd64, arm64). Requires wget and chmod. ```bash wget -O olm "https://github.com/fosrl/olm/releases/download/{version}/olm_{architecture}" && chmod +x ./olm ``` -------------------------------- ### Creating API Keys Source: https://docs.digpangolin.com/manage/integration-api A step-by-step guide on how to create API keys, including accessing the admin panel, generating a new key, configuring permissions, and securing the generated key. ```APIDOC ## Creating API Keys Navigate to your admin panel: * **Organization keys**: Organization → API Keys * **Root keys**: Server Admin → API Keys (self-hosted only) Click "Create API Key" and provide a descriptive name for the key. Select the specific permissions your API key needs from the permissions selector. API Key Permissions Copy the generated API key immediately. It won't be shown again. Store API keys securely and never commit them to version control. Use environment variables or secure secret management. ``` -------------------------------- ### Create Docker Network in Unraid Source: https://docs.digpangolin.com/self-host/manual/unraid This command creates a new Docker network on an Unraid server, which is essential for enabling communication between containers. The network name 'mynetwork' is used as an example, but any name can be chosen. ```bash docker network create mynetwork ``` -------------------------------- ### Docker Compose Configuration using Environment Variables Source: https://docs.digpangolin.com/manage/sites/install-site Defines a Newt service within a `docker-compose.yml` file, using environment variables for configuration. This method is recommended for managing sensitive information like API keys and endpoints within a Docker Compose setup. ```yaml services: newt: image: fosrl/newt container_name: newt restart: unless-stopped environment: - PANGOLIN_ENDPOINT=https://example.com - NEWT_ID=2ix2t8xk22ubpfy - NEWT_SECRET=nnisrfsdfc7prqsp9ewo1dvtvci50j5uiqotez00dgap0ii2 ``` -------------------------------- ### Systemd Service Configuration for Newt Source: https://docs.digpangolin.com/manage/sites/install-site Defines a systemd service unit file for Newt, enabling it to run as a background service. It specifies the executable path, necessary arguments, and restart policy. This configuration assumes the Newt binary has been moved to `/usr/local/bin`. ```ini [Unit] Description=Newt After=network.target [Service] ExecStart=/usr/local/bin/newt --id 31frd0uzbjvp721 --secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6 --endpoint https://example.com Restart=always User=root [Install] WantedBy=multi-user.target ``` -------------------------------- ### Docker Compose Configuration for Newt with CLI Arguments Source: https://docs.digpangolin.com/manage/sites/install-site Sets up the Newt service in `docker-compose.yml` to use command-line arguments for its configuration. This approach is suitable when you prefer specifying parameters directly in the compose file's command section. ```yaml services: newt: image: fosrl/newt container_name: newt restart: unless-stopped command: - --id 31frd0uzbjvp721 - --secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6 - --endpoint https://example.com ``` -------------------------------- ### Install CrowdSec IPTables Firewall Bouncer (Bash) Source: https://docs.digpangolin.com/self-host/community-guides/crowdsec Installs the CrowdSec firewall bouncer specifically for systems using IPTables on Debian/Ubuntu. This bouncer helps protect the host system by integrating with CrowdSec's IP reputation data. ```bash sudo apt install crowdsec-firewall-bouncer-iptables ``` -------------------------------- ### Start Docker Compose Stack Source: https://docs.digpangolin.com/self-host/how-to-update Command to start all services defined in the docker-compose.yml file in detached mode (-d). This launches the updated containers after pulling the new images. ```bash sudo docker compose up -d ``` -------------------------------- ### Configure Firewall Bouncer API Key (Bash) Source: https://docs.digpangolin.com/self-host/community-guides/crowdsec This command opens the CrowdSec firewall bouncer configuration file using 'nano' for editing. It is where the API key generated by 'cscli bouncers add' should be inserted to enable communication. ```bash nano /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml ``` -------------------------------- ### Docker Compose Configuration with Environment Variables Source: https://docs.digpangolin.com/manage/sites/configure-site Provides an example of setting up Newt within a Docker Compose environment using environment variables. This is the recommended approach for containerized deployments. ```yaml services: newt: image: fosrl/newt container_name: newt restart: unless-stopped environment: - PANGOLIN_ENDPOINT=https://example.com - NEWT_ID=2ix2t8xk22ubpfy - NEWT_SECRET=nnisrfsdfc7prqsp9ewo1dvtvci50j5uiqotez00dgap0ii2 - HEALTH_FILE=/tmp/healthy ``` -------------------------------- ### Pulling the Newt Docker Image Source: https://docs.digpangolin.com/manage/sites/install-site Fetches the latest Newt Docker image from Docker Hub. This command ensures you have the most recent version of the Newt container available for deployment. ```bash docker pull fosrl/newt:latest ``` -------------------------------- ### Restart CrowdSec Firewall Bouncer (Bash) Source: https://docs.digpangolin.com/self-host/community-guides/crowdsec Restarts the CrowdSec firewall bouncer service using systemd. This ensures that any changes made to its configuration, such as the API key, are applied. ```bash systemctl restart crowdsec-firewall-bouncer ``` -------------------------------- ### Running Newt Container with CLI Arguments Source: https://docs.digpangolin.com/manage/sites/install-site Launches the Newt Docker container and passes configuration parameters directly as command-line arguments. This is a straightforward way to run Newt in a containerized environment with specific settings. ```bash docker run -it fosrl/newt --id 31frd0uzbjvp721 \ --secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6 \ --endpoint https://example.com ``` -------------------------------- ### Python Example for API Blueprint Source: https://docs.digpangolin.com/manage/blueprints A Python example demonstrating how to encode and send a blueprint configuration to the Pangolin API. This involves base64 encoding the blueprint JSON. ```python # (Example code from linked GitHub repository) # This is a placeholder as the actual code was not provided in the text. # For the real implementation, please refer to the provided link: # https://github.com/fosrl/pangolin/blob/dev/blueprint.py ``` -------------------------------- ### Basic Olm Client Configuration Source: https://docs.digpangolin.com/manage/clients/configure-client This example demonstrates the fundamental command-line arguments required to configure the Olm client. It includes the client ID, secret for authentication, and the endpoint URL for connecting to the Pangolin service. ```bash olm \ --id 31frd0uzbjvp721 \ --secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6 \ --endpoint https://example.com ``` -------------------------------- ### Olm Systemd Service Configuration (INI) Source: https://docs.digpangolin.com/manage/clients/install-client Configuration file for a systemd service to run Olm automatically on boot. Specifies the execution command, restart policy, and user. Assumes Olm is in `/usr/local/bin/`. ```ini [Unit] Description=Olm After=network.target [Service] ExecStart=/usr/local/bin/olm --id 31frd0uzbjvp721 --secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6 --endpoint https://example.com Restart=always User=root [Install] WantedBy=multi-user.target ``` -------------------------------- ### Start Updated Stack (Bash) Source: https://docs.digpangolin.com/self-host/convert-managed This command starts the entire Docker Compose stack with the updated configurations. It brings up all the services, including Pangolin, Gerbil, and Traefik, in detached mode. ```bash docker-compose up -d ``` -------------------------------- ### Monitor Docker Compose Logs Source: https://docs.digpangolin.com/self-host/how-to-update Command to stream the logs from all running Docker containers. This is used to monitor the update process and ensure that all services start correctly and without errors. ```bash sudo docker compose logs -f ``` -------------------------------- ### Newt Helm Chart Installation Source: https://docs.digpangolin.com/manage/sites/install-kubernetes This snippet illustrates the command to install the Newt Helm chart. It specifies the release name ('my-newt'), the chart name ('fossorial/newt'), the namespace ('newt') and creates the namespace if it doesn't exist. It also includes a custom values file ('values-newt.yaml') for configuration. ```bash helm install my-newt fossorial/newt \ -n newt --create-namespace \ -f values-newt.yaml ``` -------------------------------- ### mTLS Authentication using Newt CLI Source: https://docs.digpangolin.com/manage/sites/configure-site Example of configuring Newt with a client certificate for mutual TLS authentication. Requires a PKCS12 file containing the private key, public certificate, and CA certificate. ```bash newt \ --id 31frd0uzbjvp721 \ --secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6 \ --endpoint https://example.com \ --tls-client-cert ./client.p12 ``` -------------------------------- ### Configure Custom Ban Page (YAML) Source: https://docs.digpangolin.com/self-host/community-guides/crowdsec This configuration snippet is for Traefik's dynamic configuration file (`dynamic_config.yml`). It enables the Crowdsec middleware and specifies the path to the custom ban HTML file. ```yaml http: middlewares: crowdsec: plugin: crowdsec: banHTMLFilePath: /etc/traefik/ban.html ``` -------------------------------- ### Log iptables to Journalctl (Bash) Source: https://docs.digpangolin.com/self-host/community-guides/crowdsec This command adds a rule to the host system's iptables to log all incoming traffic with a specific prefix. This log data can then be captured by CrowdSec via journalctl. ```bash iptables -A INPUT -j LOG --log-prefix "iptables: " ``` -------------------------------- ### Configure Traefik Static Settings Source: https://docs.digpangolin.com/self-host/manual/unraid This YAML configuration defines the static settings for Traefik, including API and dashboard access, dynamic configuration providers, logging levels, certificate resolvers for Let's Encrypt, and entry points for web and websecure traffic. It relies on a separate file for dynamic configurations. ```yaml api: insecure: true dashboard: true providers: http: endpoint: "http://pangolin:3001/api/v1/traefik-config" pollInterval: "5s" file: filename: "/etc/traefik/dynamic_config.yml" experimental: plugins: badger: moduleName: "github.com/fosrl/badger" version: "v1.2.0" log: level: "INFO" format: "common" certificatesResolvers: letsencrypt: acme: httpChallenge: entryPoint: web email: admin@example.com # REPLACE THIS WITH YOUR EMAIL storage: "/letsencrypt/acme.json" caServer: "https://acme-v02.api.letsencrypt.org/directory" entryPoints: web: address: ":80" websecure: address: ":443" transport: respondingTimeouts: readTimeout: "30m" http: tls: certResolver: "letsencrypt" serversTransport: insecureSkipVerify: true ``` -------------------------------- ### Minimal Pangolin Configuration (YAML) Source: https://docs.digpangolin.com/self-host/advanced/config-file This snippet shows the essential settings for a basic Pangolin deployment, including application dashboard URL, domain setup with SSL resolver, server secret, and basic flags. ```yaml app: dashboard_url: "https://pangolin.example.com" domains: domain1: base_domain: "pangolin.example.com" cert_resolver: "letsencrypt" server: secret: "your-strong-secret" gerbil: base_endpoint: "pangolin.example.com" flags: require_email_verification: false disable_signup_without_invite: true disable_user_create_org: true ``` -------------------------------- ### Add Firewall Bouncer to CrowdSec (Bash) Source: https://docs.digpangolin.com/self-host/community-guides/crowdsec Adds a new bouncer named 'vps-firewall' to the CrowdSec service running in a Docker container. This command is used to create an API key for the firewall bouncer to communicate with CrowdSec. ```bash docker exec -it crowdsec cscli bouncers add vps-firewall ``` -------------------------------- ### Verify CrowdSec Bouncer Metrics (Bash) Source: https://docs.digpangolin.com/self-host/community-guides/crowdsec This command executes 'cscli metrics' inside the CrowdSec Docker container to display metrics for registered bouncers. It's used to verify that bouncers, like 'vps-firewall', are successfully communicating with the CrowdSec API. ```bash docker exec crowdsec cscli metrics ``` -------------------------------- ### Register Gerbil as an Exit Node (Bash) Source: https://docs.digpangolin.com/development/contributing This command runs the Gerbil binary, specifying its reachable address, where to save its key, and the URL of the Pangolin API to register itself as an exit node. This is part of the initial setup for Gerbil to communicate with Pangolin. ```bash ./gerbil \ --reachableAt=http://gerbil:3003 \ --generateAndSaveKeyTo=/var/config/key \ --remoteConfig=http://pangolin:3001/api/v1/ ``` -------------------------------- ### Configure Traefik: Specify Config File Path (Bash) Source: https://docs.digpangolin.com/self-host/manual/unraid This command-line argument is used to tell Traefik where to find its configuration file within the container. It's a crucial step for ensuring Traefik loads the correct settings upon startup. ```bash --configFile=/etc/traefik/traefik_config.yml ``` -------------------------------- ### Configure Traefik Dynamic Routing and Services Source: https://docs.digpangolin.com/self-host/manual/unraid This YAML configuration defines dynamic routing rules and services for Traefik. It includes middleware for HTTPS redirection, routers for the main application, API, and WebSocket endpoints, and defines the backend services for the Next.js frontend and the API server. Users must replace placeholder domains and ensure DNS is correctly configured. ```yaml http: middlewares: redirect-to-https: redirectScheme: scheme: https routers: # HTTP to HTTPS redirect router main-app-router-redirect: rule: "Host(`pangolin.example.com`)" # REPLACE THIS WITH YOUR DOMAIN service: next-service entryPoints: - web middlewares: - redirect-to-https # Next.js router (handles everything except API and WebSocket paths) next-router: rule: "Host(`pangolin.example.com`) && !PathPrefix(`/api/v1`)" # REPLACE THIS WITH YOUR DOMAIN service: next-service entryPoints: - websecure tls: certResolver: letsencrypt # API router (handles /api/v1 paths) api-router: rule: "Host(`pangolin.example.com`) && PathPrefix(`/api/v1`)" # REPLACE THIS WITH YOUR DOMAIN service: api-service entryPoints: - websecure tls: certResolver: letsencrypt # WebSocket router ws-router: rule: "Host(`pangolin.example.com`)" # REPLACE THIS WITH YOUR DOMAIN service: api-service entryPoints: - websecure tls: certResolver: letsencrypt services: next-service: loadBalancer: servers: - url: "http://pangolin:3002" # Next.js server api-service: loadBalancer: servers: - url: "http://pangolin:3000" # API/WebSocket server ``` -------------------------------- ### Configure CrowdSec Syslog Acquisition (YAML) Source: https://docs.digpangolin.com/self-host/community-guides/crowdsec This snippet shows how to configure CrowdSec to acquire logs from Syslog by specifying log file paths and assigning a 'syslog' label. It requires access to log files like 'auth.log' and 'syslog'. ```yaml filenames: - /var/log/auth.log - /var/log/syslog labels: type: syslog ``` -------------------------------- ### Docker Compose Configuration using Secrets Source: https://docs.digpangolin.com/manage/sites/install-site Configures a Newt service in `docker-compose.yml` to use Docker Secrets for sensitive configuration data. A separate JSON file holds the configuration, which is then referenced as a secret, enhancing security by separating secrets from the main compose file. ```yaml services: newt: image: fosrl/newt container_name: newt restart: unless-stopped environment: - CONFIG_FILE=/run/secrets/newt-config secrets: - newt-config secrets: newt-config: file: ./newt-config.secret ``` -------------------------------- ### View Olm Windows Service Logs (PowerShell) Source: https://docs.digpangolin.com/manage/clients/install-client Retrieves the latest 10 log entries from the Application log in the Windows Event Viewer, specifically for the 'OlmWireguardService' source. Useful for debugging service issues. ```powershell Get-EventLog -LogName Application -Source "OlmWireguardService" -Newest 10 ``` -------------------------------- ### Trigger Captcha Challenge (Bash) Source: https://docs.digpangolin.com/self-host/community-guides/crowdsec This command uses the Crowdsec CLI to add a temporary captcha decision for a specified IP address. The challenge will be active for the duration specified (e.g., 1 minute). Replace `` with the target IP address. ```bash docker exec crowdsec cscli decisions add --ip -d 1m --type captcha ``` -------------------------------- ### Create Docker Compose Directories Source: https://docs.digpangolin.com/self-host/manual/docker-compose This bash command creates the necessary nested directories for Traefik, SQLite database, Let's Encrypt certificates, and logs within the 'config' directory. It ensures the directory structure is in place before proceeding with the Docker Compose setup. ```bash mkdir -p config/traefik config/db config/letsencrypt config/logs ``` -------------------------------- ### Generate and Push SQLite Database Schema (Bash) Source: https://docs.digpangolin.com/development/contributing These commands generate the database schema for SQLite and then push those changes to the database. This is typically done after configuration changes or when setting up the database for the first time. ```bash npm run db:sqlite:generate npm run db:sqlite:push ``` -------------------------------- ### Manually Download and Replace Newt Binary Source: https://docs.digpangolin.com/manage/sites/update-site For manual installations, download the latest Newt binary from GitHub releases and replace the existing binary on your system. Ensure you specify the correct version and architecture. This command also makes the downloaded binary executable. ```bash wget -O newt "https://github.com/fosrl/newt/releases/download/{version}/newt_{architecture}" && chmod +x ./newt ``` -------------------------------- ### YAML Configuration for Additional Targets Source: https://docs.digpangolin.com/manage/blueprints A simplified YAML configuration defining only target properties for a resource. Useful for adding targets to existing resources or for basic setups. ```yaml proxy-resources: additional-targets: targets: - site: another-site hostname: backend-server method: https port: 8443 - site: another-site hostname: backup-server method: http port: 8080 ``` -------------------------------- ### View pangctl Help Source: https://docs.digpangolin.com/self-host/advanced/container-cli-tool Displays all available commands and their usage for the pangctl CLI. This is useful for discovering the full range of management capabilities. ```bash docker exec -it pangolin pangctl --help ``` -------------------------------- ### Launch and Check Docker Compose Stack (Bash) Source: https://docs.digpangolin.com/self-host/community-guides/traefiklogsdashboard These bash commands are used to deploy and manage the Docker Compose stack for the Traefik Log Dashboard. `docker compose up -d` starts all services in detached mode, and `docker compose ps` lists the status of the running containers. ```bash docker compose up -d docker compose ps ``` -------------------------------- ### Rate Limiting Middleware Example Source: https://docs.digpangolin.com/self-host/community-guides/middlewaremanager This YAML snippet defines a Traefik rate limiting middleware. It specifies an average request rate and a burst rate to control traffic. ```yaml middlewares: - id: "rate-limit" type: "rateLimit" config: average: 100 burst: 50 ``` -------------------------------- ### List Running Docker Compose Services Source: https://docs.digpangolin.com/self-host/manual/managed This command lists the status of all services defined in the docker-compose.yml file. It is used to verify that all services have started successfully and are in the 'Up' state. ```bash sudo docker compose ps ``` -------------------------------- ### Rule Priority Example for Geo Blocking Source: https://docs.digpangolin.com/manage/geoblocking Illustrates a common rule priority configuration for geo blocking. This example allows access only from the United States, Canada, and the United Kingdom, while blocking all other countries. ```text Priority 1: Allow - Country: United States Priority 2: Allow - Country: Canada Priority 3: Allow - Country: United Kingdom Priority 4: Deny - Country: ALL ``` -------------------------------- ### Configure Traefik Networking with Gerbil Source: https://docs.digpangolin.com/self-host/manual/unraid This configuration snippet is used within the Traefik container settings to network Traefik through Gerbil. It involves adding extra parameters and setting the network type to 'None'. This ensures Traefik uses Gerbil's network namespace. ```bash --net=container:Gerbil ``` -------------------------------- ### DNS Configuration for Domain Delegation (NS Records) Source: https://docs.digpangolin.com/manage/domains Example NS records required for domain delegation in Pangolin. This configuration gives Pangolin full DNS control over the specified domain and its subdomains. ```dns Type: NS Name: test.example.com Value: ns-east.fossorial.io Value: ns-west.fossorial.io Value: ns-central.fossorial.io ``` -------------------------------- ### Managed Mode Configuration (YAML) Source: https://docs.digpangolin.com/self-host/advanced/config-file This snippet illustrates the configuration for Pangolin when operating in managed mode, including the starting port and base endpoint for Gerbil, and specific managed ID and secret. ```yaml gerbil: start_port: 51820 base_endpoint: "154.123.45.67" # REPLACE WITH YOUR IP OR DOMAIN managed: id: "he4g78wevj25msf" secret: "n7sd18twfko0q0vrb7wyclqzbvvnx1fqt7ezv8xewhdb9s7d" ``` -------------------------------- ### Pangolin Service Configuration Source: https://docs.digpangolin.com/self-host/manual/managed This YAML snippet provides the configuration for the Pangolin service. It specifies the starting port for Gerbil, the base endpoint IP address or domain that needs to be replaced with the user's actual value, and managed credentials including an ID and secret. These settings are crucial for the proper functioning and identification of the Pangolin service within the network. ```yaml gerbil: start_port: 51820 base_endpoint: "154.123.45.67" # REPLACE WITH YOUR IP OR DOMAIN managed: id: "he4g78wevj25msf" secret: "n7sd18twfko0q0vrb7wyclqzbvvnx1fqt7ezv8xewhdb9s7d" ``` -------------------------------- ### Configuration Arguments Reference Source: https://docs.digpangolin.com/manage/sites/configure-site Reference for all configuration arguments used in the digpangolin project. ```APIDOC ## Configuration Arguments Reference ### Description This section details the configuration arguments for the digpangolin project, covering their purpose, type, and usage. ### Parameters #### Request Body (Implied Configuration) - **id** (string) - Required - Newt ID generated by Pangolin to identify the client. **Example**: `31frd0uzbjvp721` - **secret** (string) - Required - A unique secret used to authenticate the client ID with the websocket. **Example**: `h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6` **Warning**: Keep this secret private and secure. It's used for authentication. - **endpoint** (string) - Required - The endpoint where both Gerbil and Pangolin reside for websocket connections. **Example**: `https://pangolin.example.com` - **mtu** (integer) - Optional - MTU for the internal WireGuard interface. **Default**: `1280` - **dns** (string) - Optional - DNS server to use for resolving the endpoint. **Default**: `8.8.8.8` - **log-level** (string) - Optional - The log level to use for Newt output. **Options**: `DEBUG`, `INFO`, `WARN`, `ERROR`, `FATAL`. **Default**: `INFO` - **ping-interval** (string) - Optional - Interval for pinging the server. **Default**: `3s` - **ping-timeout** (string) - Optional - Timeout for each ping. **Default**: `5s` - **docker-socket** (string) - Optional - Set the Docker socket path for container discovery integration. **Example**: `/var/run/docker.sock` - **docker-enforce-network-validation** (boolean) - Optional - Validate the container target is on the same network as the Newt process. **Default**: `false` - **health-file** (string) - Optional - Check if connection to WireGuard server (Pangolin) is ok. Creates a file if ok, removes it if not ok. Can be used with Docker healthcheck to restart Newt. **Example**: `/tmp/healthy` - **updown** (string) - Optional - Script to be called when targets are added or removed. **Example**: `/path/to/updown.sh` - **tls-client-cert** (string) - Optional - Client certificate (p12 or pfx) for mutual TLS (mTLS) authentication. **Example**: `/path/to/client.p12` - **accept-clients** (boolean) - Optional - Enable WireGuard server mode to accept incoming Olm client connections. **Default**: `false` - **generateAndSaveKeyTo** (string) - Optional - Path to save generated private key (used with accept-clients). **Example**: `/var/key` - **native** (boolean) - Optional - Use native WireGuard interface when accepting clients (requires WireGuard kernel module and Linux, must run as root). **Default**: `false` (uses userspace netstack) - **interface** (string) - Optional - Name of the WireGuard interface (used with native mode). **Default**: `newt` - **keep-interface** (boolean) - Optional - Keep the WireGuard interface after shutdown (used with native mode). **Default**: `false` ### Request Example ```json { "id": "31frd0uzbjvp721", "secret": "h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6", "endpoint": "https://pangolin.example.com", "mtu": 1280, "dns": "8.8.8.8", "log-level": "INFO", "ping-interval": "3s", "ping-timeout": "5s", "docker-socket": "/var/run/docker.sock", "docker-enforce-network-validation": false, "health-file": "/tmp/healthy", "updown": "/path/to/updown.sh", "tls-client-cert": "/path/to/client.p12", "accept-clients": false, "generateAndSaveKeyTo": "/var/key", "native": false, "interface": "newt", "keep-interface": false } ``` ### Response This section details potential responses, though specific endpoint responses are not defined in the provided text. #### Success Response (200) - **status** (string) - Indicates the success of the operation. #### Response Example ```json { "status": "Configuration applied successfully." } ``` ``` -------------------------------- ### Fixed Organization Selection with JMESPath Source: https://docs.digpangolin.com/manage/identity-providers/auto-provisioning This example demonstrates how to assign a user to a fixed organization using a JMESPath expression. The expression will always return 'home-lab', ensuring the user is added to this organization regardless of their group memberships. The expression is evaluated against identity provider data. ```json { ... "sub": "9590c3bfccd1b1a54b35845fb1bb950057dfa50fba43cb8bada58b462c80e207", "aud": "JJoSvHCZcxnXT2sn6CObj6a21MuKNRXs3kN5wbys", "exp": 1745790819, "iat": 1745789019, "auth_time": 1745789019, "email": "user@example.com", "email_verified": true, "name": "Example User", "groups": [ "home-lab", "admin" ] } ``` ```expression 'home-lab' ``` -------------------------------- ### Traefik Static Configuration (YAML) Source: https://docs.digpangolin.com/self-host/manual/docker-compose This YAML file configures Traefik's static settings, including API and dashboard enablement, provider configurations (HTTP and file), experimental plugins, logging level, Let's Encrypt certificate resolver setup, entry points, and insecure server transport options. ```yaml api: insecure: true dashboard: true providers: http: endpoint: "http://pangolin:3001/api/v1/traefik-config" pollInterval: "5s" file: filename: "/etc/traefik/dynamic_config.yml" experimental: plugins: badger: moduleName: "github.com/fosrl/badger" version: "v1.2.0" log: level: "INFO" format: "common" certificatesResolvers: letsencrypt: acme: httpChallenge: entryPoint: web email: admin@example.com # REPLACE WITH YOUR EMAIL storage: "/letsencrypt/acme.json" caServer: "https://acme-v02.api.letsencrypt.org/directory" entryPoints: web: address: ":80" websecure: address: ":443" transport: respondingTimeouts: readTimeout: "30m" http: tls: certResolver: "letsencrypt" serversTransport: insecureSkipVerify: true ping: entryPoint: "web" ``` -------------------------------- ### Enable Polling Mode for File Watchers (.env) Source: https://docs.digpangolin.com/development/contributing Configures file watchers to use polling mode by setting environment variables in a `.env` file. This is a workaround for potential issues with file change detection when project files are on the Windows filesystem. ```env WATCHPACK_POLLING=true CHOKIDAR_USEPOLLING=true ``` -------------------------------- ### DNS Configuration for Single Domain (CNAME Records) Source: https://docs.digpangolin.com/manage/domains Example CNAME records needed for configuring a single domain in Pangolin. This setup allows a specific domain to point to Pangolin resources without affecting subdomains. ```dns Record 1: Type: CNAME Name: test.example.com Value: 0nbn5rpcq4wthq6.cname.fossorial.io Record 2: Type: CNAME Name: _acme-challenge.test.example.com Value: _acme-challenge.0nbn5rpcq4wthq6.cname.fossorial.io ``` -------------------------------- ### Group-based Organization Selection with JMESPath Source: https://docs.digpangolin.com/manage/identity-providers/auto-provisioning This example shows how to select an organization based on user group membership using a JMESPath expression. It returns true if the user belongs to the 'home-lab' group. The expression is evaluated against identity provider data. ```json { ... "sub": "9590c3bfccd1b1a54b35845fb1bb950057dfa50fba43cb8bada58b462c80e207", "aud": "JJoSvHCZcxnXT2sn6CObj6a21MuKNRXs3kN5wbys", "exp": 1745790819, "iat": 1745789019, "auth_time": 1745789019, "email": "user@example.com", "email_verified": true, "name": "Example User", "groups": [ "home-lab", "admin" ] } ``` ```expression contains(groups, 'home-lab') ``` -------------------------------- ### Olm Client Configuration with Custom MTU and DNS Source: https://docs.digpangolin.com/manage/clients/configure-client This example shows how to customize the WireGuard interface's Maximum Transmission Unit (MTU) and specify a custom DNS server for resolving the endpoint. This can be useful for optimizing network performance or using specific DNS providers. ```bash olm \ --id 31frd0uzbjvp721 \ --secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6 \ --endpoint https://example.com \ --mtu 1400 \ --dns 1.1.1.1 ``` -------------------------------- ### Configure Traefik Environment Variables for DNS Provider (YAML) Source: https://docs.digpangolin.com/self-host/advanced/wild-card-domains Sets environment variables for the Traefik service in a docker-compose file to authenticate with a DNS provider (e.g., Cloudflare). This allows Traefik to create the necessary DNS records for the ACME challenge. The example shows adding the Cloudflare API token. ```yaml traefik: image: traefik:v3.4.0 container_name: traefik restart: unless-stopped network_mode: service:gerbil depends_on: pangolin: condition: service_healthy command: - --configFile=/etc/traefik/traefik_config.yml # Add the environment variables for your DNS provider. environment: CLOUDFLARE_DNS_API_TOKEN: "your-cloudflare-api-token" volumes: - ./config/traefik:/etc/traefik:ro - ./config/letsencrypt:/letsencrypt ``` -------------------------------- ### Configure CrowdSec Journalctl Acquisition (YAML) Source: https://docs.digpangolin.com/self-host/community-guides/crowdsec This snippet configures CrowdSec to acquire logs from journalctl. It specifies the source as 'journalctl' and provides a directory filter for log files. This is useful for systems logging iptables events. ```yaml source: journalctl journalctl_filter: - "--directory=/var/log/host/" labels: type: syslog ``` -------------------------------- ### Add Syslog Volumes to Docker Compose (YAML) Source: https://docs.digpangolin.com/self-host/community-guides/crowdsec This YAML snippet adds volume mounts to the CrowdSec service in 'docker-compose.yml' to provide access to the host system's Syslog files. This is necessary for CrowdSec to read and parse Syslog data. ```yaml service: crowdsec: volumes: - /var/log/auth.log:/var/log/auth.log:ro - /var/log/syslog:/var/log/syslog:ro ``` -------------------------------- ### Update Docker Compose for Journalctl Logs (YAML) Source: https://docs.digpangolin.com/self-host/community-guides/crowdsec This YAML snippet updates the CrowdSec service in 'docker-compose.yml' to include necessary environment variables and volume mounts for processing journalctl logs. It mounts the host's journal directory into the container. ```yaml service: crowdsec: image: crowdsecurity/crowdsec:latest-debian environment: COLLECTIONS: crowdsecurity/traefik crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules crowdsecurity/linux crowdsecurity/iptables volumes: - ./config/crowdsec:/etc/crowdsec - ./config/crowdsec/db:/var/lib/crowdsec/data - ./config/traefik/logs:/var/log/traefik:ro - /var/log/journal:/var/log/host:ro ``` -------------------------------- ### Add Temporary Ban Decision (Bash) Source: https://docs.digpangolin.com/self-host/community-guides/crowdsec This command adds a temporary ban decision for a specified IP address using the Crowdsec CLI. The ban will last for the duration specified (e.g., 1 minute). Replace `` with the target IP address. ```bash docker exec crowdsec cscli decisions add --ip -d 1m --type ban ``` -------------------------------- ### Create Directories for Middleware Manager Configuration Source: https://docs.digpangolin.com/self-host/community-guides/middlewaremanager This command creates the necessary directories for storing Traefik rules and Middleware Manager configurations. It ensures that the system is ready to receive configuration files. ```bash mkdir -p ./config/traefik/rules mkdir -p ./config/middleware-manager ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.