From fca8dd449f79ff281c8cc78656b704e7ca526f02 Mon Sep 17 00:00:00 2001
From: Steffen Lange
Date: Thu, 24 Apr 2025 16:20:41 +0000
Subject: [PATCH] Add Pangolin

---
 pangolin/.gitignore | 4 ++
 pangolin/config/config.yml | 59 ++++++++++++++++++++++
 pangolin/config/traefik/dynamic_config.yml | 53 +++++++++++++++++++
 pangolin/config/traefik/traefik_config.yml | 44 ++++++++++++++++
 pangolin/docker-compose.yml | 53 +++++++++++++++++++
 5 files changed, 213 insertions(+)
 create mode 100644 pangolin/.gitignore
 create mode 100644 pangolin/config/config.yml
 create mode 100644 pangolin/config/traefik/dynamic_config.yml
 create mode 100644 pangolin/config/traefik/traefik_config.yml
 create mode 100644 pangolin/docker-compose.yml

diff --git a/pangolin/.gitignore b/pangolin/.gitignore
new file mode 100644
index 0000000..0ad4c12
--- /dev/null
+++ b/pangolin/.gitignore
@@ -0,0 +1,4 @@
+/config/db/*
+/config/logs/*
+/config/letsencrypt/*
+/config/key
diff --git a/pangolin/config/config.yml b/pangolin/config/config.yml
new file mode 100644
index 0000000..dd17578
--- /dev/null
+++ b/pangolin/config/config.yml
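Review bot: The ignore list covers the database, logs, ACME state and the key that gerbil writes to `/config/key`, but not `config/config.yml`, which this same commit creates with an SMTP password and the server-admin password in plaintext. Add `/config/config.yml` here and track a sanitised `config.yml.example` instead, so real credentials never enter history. The `/config/letsencrypt/*` and `/config/key` entries should stay: `acme.json` carries the ACME account and certificate private keys, and the file at `/config/key` is presumably the WireGuard private key gerbil generates with `--generateAndSaveKeyTo`.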
@@ -0,0 +1,59 @@
+app:
+ dashboard_url: "https://tunnel.abzw.de"
+ log_level: "info"
+ save_logs: false
+
+domains:
+ domain1:
+ base_domain: "abzw.de"
+ cert_resolver: "letsencrypt"
+ prefer_wildcard_cert: false
+
+server:
+ external_port: 3000
+ internal_port: 3001
+ next_port: 3002
+ internal_hostname: "pangolin"
+ session_cookie_name: "p_session_token"
+ resource_access_token_param: "p_token"
+ resource_access_token_headers:
+ id: "P-Access-Token-Id"
+ token: "P-Access-Token"
+ resource_session_request_param: "p_session_request"
+
+traefik:
+ cert_resolver: "letsencrypt"
+ http_entrypoint: "web"
+ https_entrypoint: "websecure"
+
+gerbil:
+ start_port: 51820
+ base_endpoint: "abzw.de"
+ use_subdomain: false
+ block_size: 24
+ site_block_size: 30
+ subnet_group: 100.89.137.0/20
+
+rate_limits:
+ global:
+ window_minutes: 1
+ max_requests: 100
+
+email:
+ smtp_host: "host.hoster.net"
+ smtp_port: 587
+ smtp_user: "no-reply@abzw.de"
+ smtp_pass: "aaaaaaaaaaaaaaaaaa"
+ no_reply: "no-reply@abzw.de"
+
+users:
+ server_admin:
+ email: "admin@abzw.de"
+ password: "Password123!"
+
+flags:
+ require_email_verification: true
+ disable_signup_without_invite: true
+ disable_user_create_org: true
+ allow_raw_resources: true
+ allow_base_domain_resources: true
diff --git a/pangolin/config/traefik/dynamic_config.yml b/pangolin/config/traefik/dynamic_config.yml
new file mode 100644
index 0000000..22127c0
--- /dev/null
+++ b/pangolin/config/traefik/dynamic_config.yml
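Review bot: `smtp_pass: "aaaaaaaaaaaaaaaaaa"` and `users.server_admin.password: "Password123!"` commit credentials to a tracked file; if these are real values they are now in git history and must be rotated, and if they are placeholders the file should say so rather than ship a guessable bootstrap admin password. Keep only non-secret settings in the committed file and supply the passwords at deploy time (an untracked `config.yml` rendered from an example, or environment variables if Pangolin's config loader supports them — confirm in its documentation). Separately, `subnet_group: 100.89.137.0/20` is not on a /20 boundary — the network address for that mask is `100.89.128.0/20`; whether the application normalises this or misallocates peer addresses is not visible here, so write the canonical form.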
@@ -0,0 +1,53 @@
+http:
+ middlewares:
+ redirect-to-https:
+ redirectScheme:
+ scheme: https
+
+ routers:
+ # HTTP to HTTPS redirect router
+ main-app-router-redirect:
+ rule: "Host(`tunnel.abzw.de`)" # REPLACE THIS WITH YOUR DOMAIN
+ service: next-service
+ entryPoints:
+ - web
+ middlewares:
+ - redirect-to-https
+
+ # Next.js router (handles everything except API and WebSocket paths)
+ next-router:
+ rule: "Host(`tunnel.abzw.de`) && !PathPrefix(`/api/v1`)" # REPLACE THIS WITH YOUR DOMAIN
+ service: next-service
+ entryPoints:
+ - websecure
+ tls:
+ certResolver: letsencrypt
+
+ # API router (handles /api/v1 paths)
+ api-router:
+ rule: "Host(`tunnel.abzw.de`) && PathPrefix(`/api/v1`)" # REPLACE THIS WITH YOUR DOMAIN
+ service: api-service
+ entryPoints:
+ - websecure
+ tls:
+ certResolver: letsencrypt
+
+ # WebSocket router
+ ws-router:
+ rule: "Host(`tunnel.abzw.de`)" # REPLACE THIS WITH YOUR DOMAIN
+ service: api-service
+ entryPoints:
+ - websecure
+ tls:
+ certResolver: letsencrypt
+
+ services:
+ next-service:
+ loadBalancer:
+ servers:
+ - url: "http://pangolin:3002" # Next.js server
+
+ api-service:
+ loadBalancer:
+ servers:
+ - url: "http://pangolin:3000" # API/WebSocket server
diff --git a/pangolin/config/traefik/traefik_config.yml b/pangolin/config/traefik/traefik_config.yml
new file mode 100644
index 0000000..1f3e96a
--- /dev/null
+++ b/pangolin/config/traefik/traefik_config.yml
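Review bot: `ws-router` uses a bare Host match for tunnel.abzw.de on `websecure`, which is fully covered by `next-router` (everything outside `/api/v1`) and `api-router` (`/api/v1`); Traefik orders routers without an explicit `priority` by rule length, so those longer rules win and `ws-router` is never selected — WebSocket upgrades under `/api/v1` reach `api-service` through `api-router`, not through this router. Either remove `ws-router` or give it the real WebSocket path plus a `priority` so the "WebSocket router" comment describes something that actually matches. Consider `permanent: true` on `redirect-to-https` so clients cache the redirect, and note the hostname is repeated in four separate `# REPLACE THIS` rules, which is easy to miss when reusing this file.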
@@ -0,0 +1,44 @@
+api:
+ insecure: true
+ dashboard: true
+
+providers:
+ http:
+ endpoint: "http://pangolin:3001/api/v1/traefik-config"
+ pollInterval: "5s"
+ file:
+ filename: "/etc/traefik/dynamic_config.yml"
+
+experimental:
+ plugins:
+ badger:
+ moduleName: "github.com/fosrl/badger"
+ version: "v1.1.0"
+
+log:
+ level: "INFO"
+ format: "common"
+
+certificatesResolvers:
+ letsencrypt:
+ acme:
+ httpChallenge:
+ entryPoint: web
+ email: admin@abzw.de # REPLACE THIS WITH YOUR EMAIL
+ storage: "/letsencrypt/acme.json"
+ caServer: "https://acme-v02.api.letsencrypt.org/directory"
+
+entryPoints:
+ web:
+ address: ":80"
+ websecure:
+ address: ":443"
+ transport:
+ respondingTimeouts:
+ readTimeout: "30m"
+ http:
+ tls:
+ certResolver: "letsencrypt"
+
+serversTransport:
+ insecureSkipVerify: true
diff --git a/pangolin/docker-compose.yml b/pangolin/docker-compose.yml
new file mode 100644
index 0000000..86c45b6
--- /dev/null
+++ b/pangolin/docker-compose.yml
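Review bot: `api.insecure: true` with `dashboard: true` serves the Traefik API and dashboard without authentication on the implicit `traefik` entrypoint (port 8080 unless overridden); the compose file does not publish 8080, so it is not internet-facing, but any container on the shared `pangolin` bridge network can read the full routing configuration from it. Unless the dashboard is actually used, delete the `api:` block (both settings default to off); if it is needed, set `insecure: false` and expose it through a router guarded by an auth middleware. `serversTransport.insecureSkipVerify: true` also disables certificate verification for every HTTPS backend Traefik proxies to, so a misrouted or intercepted upstream is accepted silently; if this exists only for self-signed internal services, define a named entry under `serversTransports` with `insecureSkipVerify: true` and attach it to just those services instead of the global default.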
@@ -0,0 +1,53 @@
+services:
+ pangolin:
+ image: fosrl/pangolin:latest
+ container_name: pangolin
+ restart: unless-stopped
+ volumes:
+ - ./config:/app/config
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost:3001/api/v1/"]
+ interval: "3s"
+ timeout: "3s"
+ retries: 15
+
+ gerbil:
+ image: fosrl/gerbil:latest
+ container_name: gerbil
+ restart: unless-stopped
+ depends_on:
+ pangolin:
+ condition: service_healthy
+ command:
+ - --reachableAt=http://gerbil:3003
+ - --generateAndSaveKeyTo=/var/config/key
+ - --remoteConfig=http://pangolin:3001/api/v1/gerbil/get-config
+ - --reportBandwidthTo=http://pangolin:3001/api/v1/gerbil/receive-bandwidth
+ volumes:
+ - ./config/:/var/config
+ cap_add:
+ - NET_ADMIN
+ - SYS_MODULE
+ ports:
+ - 51820:51820/udp
+ - 443:443 # Port for traefik because of the network_mode
+ - 80:80 # Port for traefik because of the network_mode
+
+ traefik:
+ image: traefik:v3.3.3
+ container_name: traefik
+ restart: unless-stopped
+ network_mode: service:gerbil # Ports appear on the gerbil service
+ depends_on:
+ pangolin:
+ condition: service_healthy
+ command:
+ - --configFile=/etc/traefik/traefik_config.yml
+ volumes:
+ - ./config/traefik:/etc/traefik:ro # Volume to store the Traefik configuration
+ - ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
+
+networks:
+ default:
+ driver: bridge
+ name: pangolin
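Review bot: `image: fosrl/pangolin:latest` and `image: fosrl/gerbil:latest` turn every `docker compose pull` into an unreviewed upgrade of the components that hold the admin credentials and the tunnel key, while `traefik:v3.3.3` in the same file is already pinned; pin both fosrl images to a release tag (and ideally a `@sha256:` digest) and bump them deliberately. `cap_add: SYS_MODULE` lets the gerbil container load kernel modules, which is effectively host root; if the host kernel already provides the `wireguard` module, `NET_ADMIN` alone is likely enough — verify against gerbil's requirements and drop `SYS_MODULE` where you can. Also quote the port mappings (`"51820:51820/udp"`, `"443:443"`, `"80:80"`) as the Compose convention, so a future edit to a low port number cannot be re-typed by a YAML 1.1 parser.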