Panel

Below you will find my live Pelican compose file. I recommend placing this in your Github repo and use GitOps to manage updating the container versions

Deploy the Compose File

Combine the Shared env file with below and fill the blanks

# --- Passwords ---
## The longer the better. Feel free to use passphrases
MYSQL_ROOT_PASS=
MYSQL_PASS=

# --- Mail Configuration ---
## Defaults to Gmail - you can review the compose file for the variables and edit for other SMTP servers if needed
MAIL_FROM=
MAIL_USERNAME=
MAIL_PASSWORD=

https://github.com/trentnbauer/HomelabPublic/blob/main/docker-compose/pelican.yml

services:
  panel:
    image: ghcr.io/pelican-dev/panel:v1.0.0-beta33
    deploy:
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s
      resources:
        limits:
          cpus: ${PANEL_CPULIMIT:-2}
          #memory: 50M
    depends_on:
      database:
        condition: service_started
        restart: true
      cache:
        condition: service_started
        restart: true
    restart: unless-stopped
    healthcheck:
       test: wget --no-verbose --tries=1 --spider http://127.0.0.1/up || exit 1
       interval: 30s
       timeout: 25s
       retries: 3
       start_period: 30s
    networks:
      Management:
        aliases:
          - panel
    volumes:
      - panel-data:/pelican-data
      - panel-logs:/var/www/html/storage/logs
    environment:
      TZ: ${TZ:-UTC}
      APP_URL: https://${PANEL_SUBDOMAIN:-panel}.${DOMAIN}
      APP_NAME: ${APP_NAME:-Pelican}
      APP_KEY: ${APP_KEY}
      APP_DEBUG: ${DEBUG:-false}
      APP_ENV: production
      APP_LOCALE: ${LOCALE:-en}
      BEHIND_PROXY: true
      TRUSTED_PROXIES: '192.168.253.0/24,0.0.0.0/0'
      DB_CONNECTION: mariadb
      DB_HOST: database
      DB_PORT: 3306
      DB_DATABASE: pelican
      MYSQL_DATABASE: pelican
      DB_USERNAME: pelican
      DB_PASSWORD: ${MYSQL_PASS}
      CACHE_STORE: redis
      SESSION_DRIVER: redis
      QUEUE_CONNECTION: redis
      REDIS_HOST: cache
      MAIL_DRIVER: ${MAIL_DRIVER:-smtp}
      MAIL_MAILER: ${MAIL_DRIVER:-smtp}
      MAIL_HOST: ${MAIL_SERVER:-smtp.gmail.com}
      MAIL_PORT: ${MAIL_PORT:-465}
      MAIL_FROM: ${MAIL_FROM}
      MAIL_FROM_ADDRESS: ${MAIL_FROM}
      MAIL_FROM_NAME: ${MAIL_FROM_NAME:-Pelican}
      MAIL_USERNAME: ${MAIL_USERNAME}
      MAIL_PASSWORD: ${MAIL_PASSWORD}
      MAIL_SCHEME: ${MAIL_SCHEME:-smtps}
      SKIP_CADDY: ${SKIP_CADDY:-false} # enable when not using caddy.
    logging:
      driver: "json-file"
      options:
        max-size: "5m"
        max-file: "3"
    labels:
      - dfpelican.enable=true
      - dfpelican.0.hostname=${PANEL_SUBDOMAIN:-panel}.${DOMAIN}
      - dfpelican.0.service=http://panel:80
      - dfpelican.0.access.policy=bypass
      - dfpelican.0.zonename=${DOMAIN}
      - AutohealPelican=true

  database:
    image: mariadb:12.2
    restart: unless-stopped
    command: --default-authentication-plugin=mysql_native_password
    deploy:
      restart_policy:
        condition: on-failure
        delay: 30s
        max_attempts: 5
        window: 120s
    volumes:
      - database:/var/lib/mysql
    networks:
      Management:
        aliases:
          - database
    healthcheck:
      test: ["CMD", "healthcheck.sh", "--su-mysql", "--connect", "--innodb_initialized"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s
    environment:
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASS}
      MYSQL_PASSWORD: ${MYSQL_PASS}
      MYSQL_DATABASE: "pelican"
      MYSQL_USER: "pelican"
      MARIADB_AUTO_UPGRADE: true
    logging:
      driver: "json-file"
      options:
        max-size: "5m"
        max-file: "3"
    labels:
      - AutohealPelican=true

  cache:
    image: redis:alpine
    restart: unless-stopped
    deploy:
      restart_policy:
        condition: on-failure
        delay: 30s
        max_attempts: 5
        window: 120s
    networks:
      Management:
        aliases:
          - cache
    logging:
      driver: "json-file"
      options:
        max-size: "5m"
        max-file: "3"
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 15s
    labels:
      - AutohealPelican=true

  dockflare:
    image: alplat/dockflare:v2.0.4
    restart: unless-stopped
    deploy:
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s
      resources:
        limits:
          cpus: ${DOCKFLARE_CPULIMIT:-2}
    networks:
      Management:
        aliases:
          - dockflare
    healthcheck:
      test: wget --no-verbose --tries=1 --spider http://localhost:5000 -O /dev/null || exit 1
      interval: 30s
      retries: 3
      start_period: 30s
      timeout: 20s 
    environment:
      - TUNNEL_NAME=pelican
      - LABEL_PREFIX=dfpelican
      - CLOUDFLARED_NETWORK_NAME=pelican-mgmt
      - CLOUDFLARED_IMAGE=cloudflare/cloudflared:latest
      - TZ=${TZ:-Australia/Melbourne}
      - CF_API_TOKEN=${CF_APITOKEN}
      - CF_ACCOUNT_ID=${CF_ACCOUNTID}
      - AGENT_STATUS_UPDATE_INTERVAL_SECONDS=5
      - SYNC_ALL_CLOUDFLARE_POLICIES=true
      - TZ=${TZ:-UTC}
      - GRACE_PERIOD_SECONDS=28800
      - CLEANUP_INTERVAL_SECONDS=900
      - SCAN_ALL_NETWORKS=false
      - MAX_CONCURRENT_DNS_OPS=${DOCKFLARE_DNSOPS:-2}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - dockflare:/app/data
    labels:
      - AutohealPelican=true

  crowdsec-engine:
    image: crowdsecurity/crowdsec:v1.7.8@sha256:2f527c9bb8b367120eb08b82890aa912ce96bfa1ada93dda0721700e4b4e0dde
    deploy:
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s
      resources:
        limits:
          cpus: ${CROWDSEC_CPULIMIT:-2}
    restart: unless-stopped
    depends_on:
      init-crowdsec:
        condition: service_completed_successfully
    environment:
      - COLLECTIONS=crowdsecurity/linux
      - BOUNCER_KEY_CLOUDFLARE=Heroics9HeadrestQuenchHullPatriot
      - ENROLL_INSTANCE_NAME=PelicanPanel
      - DISABLE_LOCAL_API=false
      - DISABLE_ONLINE_API=false
      - ENROLL_KEY=${CROWDSEC_ENROLL_KEY}
      - BLOCKLISTPASSWORD=${BLOCKLISTPASSWORD:-OccupantCorporalVividness9DiabetesCrumb}
    volumes:
      - crowdsec-data:/var/lib/crowdsec/data
      - crowdsec-config:/etc/crowdsec
      - bouncer-config:/etc/bouncer-shared
      - panel-logs:/var/www/html/storage/logs
    healthcheck:  
      test: ["CMD", "cscli", "version"]
    labels:
      - PelicanAutoheal=true
    networks:
      Management:
        aliases:
          - crowdsec
    #entrypoint: >
    #  /bin/bash -c "
    #  cscli machines add blocklist --password $$BLOCKLISTPASSWORD -f /etc/crowdsec/blocklist_credentials.yaml --force && 
    #  /bin/bash /docker_start.sh" 

  crowdsecbouncer-cloudflare:
    image: ghcr.io/crowdsecurity/cloudflare-bouncer:v0.3.0@sha256:39719a070c154866ebc81335e70fdfa1c61eac45025fee7d9bbf8da689fbb2c6
    deploy:
      restart_policy:
        condition: on-failure
        delay: 30s
        max_attempts: 6
        window: 60s
      resources:
        limits:
          cpus: ${CROWDSEC_CPULIMIT:-2}
    restart: unless-stopped
    depends_on:
      crowdsec-engine:
        condition: service_healthy
    environment:
      API_URL: http://crowdsec:8080
      API_KEY: Heroics9HeadrestQuenchHullPatriot
      CF_APITOKEN: ${CF_APITOKEN}
      CF_ACCOUNTID: ${CF_ACCOUNTID}
      CF_ZONE_ID: ${CF_ZONE_ID}
    labels:
      - PelicanAutoheal=true
    volumes:
      - bouncer-config:/etc/crowdsec/bouncers/:rw
      - /etc/localtime:/etc/localtime:ro
    networks:
      - Management

  crowdsec-blocklist:
    image: ghcr.io/wolffcatskyy/crowdsec-blocklist-import:3.3.2@sha256:dc562b89ec4642f5e587641408059b0e880cc4b460546527cc3831470e809538
    depends_on:
      crowdsec-engine:
        condition: service_healthy
    restart: unless-stopped
    labels:
      - PelicanAutoheal=true
    environment:
      - CROWDSEC_LAPI_URL=http://crowdsec:8080
      - CROWDSEC_MACHINE_ID=blocklist
      - CROWDSEC_MACHINE_PASSWORD=${BLOCKLISTPASSWORD:-OccupantCorporalVividness9DiabetesCrumb}
      - MODE=lapi
      - DECISION_DURATION=24h
      - TZ=${TZ:-UTC}
      #- MAX_DECISIONS=${MAX_DECISIONS:-8000} # USG3P=8000, UDR=15000, UDM Pro=50000
    entrypoint: /bin/sh -c "while true; do /usr/local/bin/import.sh; echo 'Sleeping for 6 hours...'; sleep 21600; done"
    # This container is designed to be re-ran manually by the user or manually via a CRON job. I've altered the entrypoint command to sleep the container for 6 hours instead.
    networks:
      Management:
        aliases:
          - blocklist

  autoheal:
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
        delay: 30s
        max_attempts: 5
        window: 120s
    network_mode: "none"
    environment:
      AUTOHEAL_CONTAINER_LABEL: AutohealPelican
      AUTOHEAL_INTERVAL: 60
      AUTOHEAL_START_PERIOD: 240
      AUTOHEAL_DEFAULT_STOP_TIMEOUT: 60
      WEBHOOK_URL: ${AUTOHEAL_WEBHOOK:-}
    image: willfarrell/autoheal@sha256:1cd6ebc52f4c2b29e6783fdfa44cdbe68ba03ad39e3db6acfd5b7988d9c3ce3d
    restart: always
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock

  init-crowdsec:
    image: alpine:latest
    volumes:
      - crowdsec-config:/etc/crowdsec
      - bouncer-config:/etc/crowdsec/bouncers
    command: >
      sh -c "apk add --no-cache wget ca-certificates &&
             mkdir -p /etc/crowdsec/acquisitions.d /etc/crowdsec/bouncers &&
             wget -qO /etc/crowdsec/acquis.yaml https://raw.githubusercontent.com/trentnbauer/HomelabPublic/main/crowdsec/pterodactyl.yaml &&
             wget -qO /etc/crowdsec/bouncers/crowdsec-cloudflare-bouncer.yaml https://raw.githubusercontent.com/trentnbauer/HomelabPublic/main/crowdsec/crowdsec-cloudflare-bouncer.yaml &&
             wget -qO /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml https://raw.githubusercontent.com/trentnbauer/HomelabPublic/main/crowdsec/crowdsec-firewall-bouncer.yaml"
     
volumes:
  panel-data:
  panel-logs:
  database:
  dockflare:
  crowdsec-data:
  crowdsec-config:
  bouncer-config:
  
networks:
  Management:
    name: pelican-mgmt
    ipam:
       config:
       - subnet: 192.168.253.0/24
         gateway: 192.168.253.1

Set and backup your app key

Open the logs for the Panel container
Take note of your App Key - save it into your password vault and add it to your .env as APP_KEY=
Restart the panel container

This is to reduce the risk of The MAC key is invalid bricking your panel - if its occurs and you don't have the key, you will need to reinstall Pelican

Generate Database and Administrator account

Enter the Console for the Panel container, by using either docker exec or by using your flavour of Docker webUI

Run the below command to generate the database tables and a generic admin account

php artisan p:environment:setup
php artisan migrate --force
php artisan p:user:make --email="[email protected]" --username="admin" --password="admin" --admin=1

These credentials need to be changed ASAP

Navigate to your panel URL
Log in with the generic admin credentials created above (admin/admin)
Click on the profile picture in the top right, then select profile
Update the username and password to be random generated
Save these in your password vault
Update the email address

As the front end of the panel is public facing, it is best to randomly generate BOTH the username and password to reduce the risk of someone breaking in

Panel Configuration

Fix the proxy address

Click on the profile picture in the top right, then select admin
On the left, select settings
Under Trusted Proxies, click on 'Set to Cloudflare IPs'
Add 192.168.253.0/24
This is the IP range of the Pelican management network, which contains the Cloudflare tunnel container.
This resolves some upload failure errors
Click on save

Create your user roles

Navigate to your panel URL and access the admin side
On the left, select Roles

These are my settings:

Tick everything!

My settings may not work for your use-case, but they will be a good starting point

Set up Gmail SMTP

Create your Gmail SMTP credentials per Gmail SMTP
Log into the Pelican admin panel
Select settings, the mail
1. Set to STMP
2. Add your details
3. Click on test

Set up OAuth

On the left, click on settings, then Oauth
Configure any OAuth methods you wish to use - Pelican will provide you with steps on how to configure each one. I recommend Discord and Steam I would also recommend enabling automatic linking but not account creation
Click on Save

Cloudflare Turnstile (Captcha)

Click on the Captcha tab and expand turnstile
Navigate to https://www.cloudflare.com/en-au/application-services/products/turnstile/#turnstile-pricing
Select the free version You may need to go through some sort of sign up process
Click on Add Widget
Name your widget (Pelican Panel is fine)
Click on Add hostname
1. Add a custom hostname for your Panel domain
Widget mode: managed
Click on Create
Copy the site and secret key provided into Pelican Panel
Click on save

Sometimes appears to not save the OAuth details - restart your panel if so

PreviousShared env file NextWings

Last updated 3 months ago

hashtagDeploy the Compose File

hashtagSet and backup your app key

hashtagGenerate Database and Administrator account

hashtagPanel Configuration

hashtagFix the proxy address

hashtagCreate your user roles

hashtagSet up Gmail SMTP

hashtagSet up OAuth

hashtagCloudflare Turnstile (Captcha)

Deploy the Compose File

Set and backup your app key

Generate Database and Administrator account

Panel Configuration

Fix the proxy address

Create your user roles

Set up Gmail SMTP

Set up OAuth

Cloudflare Turnstile (Captcha)