Mikrotik container : PowerDNS DNSdist

/interface veth

add address=10.0.0.20/24 gateway=10.0.0.1 name=veth-dnsdist

/interface bridge port

add bridge=br-lan interface=veth-dnsdist

/file

add name="/dnsdist-conf/dnsdist.conf" \

contents="setLocal('0.0.0.0:53')\n\

\n\

setACL(\"0.0.0.0/0\")\n\

\n\

webserver(\"0.0.0.0:8083\")\n\

setWebserverConfig({\n\

\tpassword=hashPassword(\"admin\"),\n\

\tapiKey=hashPassword(\"admin\"),\n\

\tacl=\"0.0.0.0/0\"\n\

})\n\

\n\

newServer({\n\

\tname=\"cloudflare-DoT\",\n\

\taddress=\"1.1.1.1:853\",\n\

\ttls=\"openssl\",\n\

\tsubjectName=\"1.1.1.1\",\n\

\tvalidateCertificates=true,\n\

\tpool=\"main-pool\",\n\

\n\

\thealthCheckMode = \"lazy\",\n\

\tcheckInterval = 30,\n\

\tmaxCheckFailures = 3,\n\

\trise = 2,\n\

\tcheckName = \"cloudflare-dns.com\"\n\

})\n\

\n\

newServer({\n\

\tname=\"google-DoT\",\n\

\taddress=\"8.8.8.8:853\",\n\

\ttls=\"openssl\",\n\

\tsubjectName=\"8.8.8.8\",\n\

\tvalidateCertificates=true,\n\

\tpool=\"main-pool\",\n\

\n\

\thealthCheckMode = \"lazy\",\n\

\tcheckInterval = 30,\n\

\tmaxCheckFailures = 3,\n\

\trise = 2,\n\

\tcheckName = \"dns.google\"\n\

})\n\

\n\

newServer({\n\

\tname=\"quad9-DoT\",\n\

\taddress=\"9.9.9.9:853\",\n\

\ttls=\"openssl\",\n\

\tsubjectName=\"9.9.9.9\",\n\

\tvalidateCertificates=true,\n\

\tpool=\"main-pool\",\n\

\n\

\thealthCheckMode = \"lazy\",\n\

\tcheckInterval = 30,\n\

\tmaxCheckFailures = 3,\n\

\trise = 2,\n\

\tcheckName = \"dns.quad9.com\"\n\

})\n\

\n\

newServer({\n\

\tname=\"cloudflare-DoH\",\n\

\taddress=\"1.1.1.1:443\",\n\

\ttls=\"openssl\",\n\

\tsubjectName=\"1.1.1.1\",\n\

\tdohPath=\"/dns-query\",\n\

\tvalidateCertificates=true,\n\

\tpool=\"main-pool\",\n\

\n\

\thealthCheckMode = \"lazy\",\n\

\tcheckInterval = 30,\n\

\tmaxCheckFailures = 3,\n\

\trise = 2,\n\

\tcheckName = \"cloudflare-dns.com\"\n\

})\n\

\n\

newServer({\n\

\tname=\"google-DoH\",\n\

\taddress=\"8.8.8.8:443\",\n\

\ttls=\"openssl\",\n\

\tsubjectName=\"8.8.8.8\",\n\

\tdohPath=\"/dns-query\",\n\

\tvalidateCertificates=true,\n\

\tpool=\"main-pool\",\n\

\n\

\thealthCheckMode = \"lazy\",\n\

\tcheckInterval = 30,\n\

\tmaxCheckFailures = 3,\n\

\trise = 2,\n\

\tcheckName = \"dns.google\"\n\

})\n\

\n\

newServer({\n\

\tname=\"quad9-DoH\",\n\

\taddress=\"9.9.9.9:443\",\n\

\ttls=\"openssl\",\n\

\tsubjectName=\"9.9.9.9\",\n\

\tdohPath=\"/dns-query\",\n\

\tvalidateCertificates=true,\n\

\tpool=\"main-pool\",\n\

\n\

\thealthCheckMode = \"lazy\",\n\

\tcheckInterval = 30,\n\

\tmaxCheckFailures = 3,\n\

\trise = 2,\n\

\tcheckName = \"dns.quad9.com\"\n\

})\n\

\n\

setServerPolicy(leastOutstanding)\n\

\n\

global_cache = newPacketCache(10000)\n\

getPool(\"main-pool\"):setCache(global_cache)\n\

\n\

addAction(AllRule(), PoolAction(\"main-pool\"))\n"

/container/mounts

add list=dnsdist-conf src="/dnsdist-conf/dnsdist.conf" dst="/etc/dnsdist/dnsdist.conf"

/container

add name=dnsdist \

interface=veth-dnsdist \

remote-image="registry-1.docker.io/powerdns/dnsdist-19:latest" \

mountlists=dnsdist-conf \

root-dir="/dnsdist-root" \

user=0 \

start-on-boot=yes \

logging=yes

Mikrotik container : AdGuard DNS Proxy

/interface veth

add address=10.0.0.20/24 gateway=10.0.0.1 name=veth-dnsproxy

/interface bridge port

add bridge=br-lan interface=veth-dnsproxy

/container

add name=dnsproxy \

interface=veth-dnsproxy \

remote-image=registry-1.docker.io/adguard/dnsproxy:latest \

root-dir=/dnsproxy \

cmd="--upstream-mode parallel \

-u https://1.1.1.1/dns-query \

-u https://8.8.8.8/dns-query \

-u https://9.9.9.9/dns-query \

-u tls://1.1.1.1 \

-u tls://8.8.8.8 \

-u tls://9.9.9.9" \

start-on-boot=yes \

logging=yes

Mikrotik container : ZeroTier One

/interface/bridge/add name=containers
/ip/address/add address=172.17.0.1/24 interface=containers
/interface/veth/add name=veth-zt address=172.17.0.2/24 gateway=172.17.0.1
/interface/bridge/port add bridge=containers interface=veth-zt
/ip/firewall/nat/add chain=srcnat action=masquerade src-address=172.17.0.0/24

/container/config/set registry-url=https://registry-1.docker.io tmpdir=disk1/pull
/container/envs/add list=zt_envs key=ZT_NETWORK_ID value=0d66ea7479dd0d63
/container/add remote-image=zyclonite/zerotier:latest interface=veth-zt root-dir=disk1/zerotier envlist=zt_envs

/container/shell zerotier:latest
zerotier-cli join 0d66ea7479dd0d63
 

Crowdsec command

cscli decisions list

ดูรายชื่อ IP ที่โดนแบนอยู่ทั้งหมด (Local + CAPI)

cscli decisions list --origin CAPI

cscli decisions list --origin CAPI | wc -l 

ดูเฉพาะ IP มหาโจรจากส่วนกลาง (Community List)

cscli decisions add --ip 1.2.3.4 --duration 1h

สั่งแบน IP 1.2.3.4 เป็นเวลา 1 ชั่วโมง

cscli decisions delete --ip 1.2.3.4

ปลดแบน IP 1.2.3.4 (Whitelist คืนมา)

cscli decisions delete --all

ล้างรายการแบนทั้งหมด (ใช้ตอนเผลอบล็อกตัวเองยกแผง)

cscli bouncers list

เช็คว่า Traefik Bouncer ยัง Online (✔️) อยู่ไหม

cscli bouncers add <name>

สร้าง API Key ชุดใหม่ (เอาไปใส่ใน Traefik Middleware)

cscli bouncers delete <name>

ลบ Bouncer ที่ไม่ได้ใช้งานแล้ว

cscli capi register

ลงทะเบียนเครื่องนี้กับส่วนกลาง (ทำครั้งแรกครั้งเดียว)

cscli capi status

เพื่อเช็คการเชื่อมต่อส่วนกลาง

cscli metrics

สำคัญมาก! ดูว่า CrowdSec อ่าน Log ไปกี่บรรทัด และบล็อกไปกี่ครั้ง

cscli alerts list

ดูเหตุการณ์ที่ CrowdSec ตรวจพบ (ใคร ทำอะไร ที่ไหน)

cscli alerts inspect <ID>

ดูรายละเอียดเชิงลึกของ Alert นั้นๆ (เช่น Log บรรทัดที่เป็นปัญหา)

cscli hub update

อัปเดตรายชื่อ Scenario ล่าสุด (เหมือน Update Antivirus)

cscli hub upgrade

สังอัปเกรด Scenario ที่ติดตั้งไว้ให้เป็นเวอร์ชันใหม่

cscli collections list

"ดูว่าเราติดตั้งการป้องกันอะไรไว้บ้าง (Traefik, HTTP, etc.)"

cscli collections install <name>

ติดตั้งการป้องกันเพิ่ม (เช่น crowdsecurity/wordpress)

traefix wildcard SSL with muli provider

docker-compose.yml

services:

  traefik:

    image: traefik:v3.6

    container_name: traefik-test

    restart: unless-stopped

    networks:

      - traefik_net

    ports:

      - "80:80"

      - "443:443"

      - "8080:8080"

    environment:

      - CF_DNS_API_TOKEN=${CLOUDFLARE_TOKEN}

      - SPACESHIP_API_KEY=${SPACESHIP_API_KEY}

      - SPACESHIP_API_SECRET=${SPACESHIP_API_SECRET}

    volumes:

      - ./traefik:/etc/traefik:ro

      - ./letsencrypt:/letsencrypt

    command:

      - --configFile=/etc/traefik/traefik_config.yml

  php-apache:

    image: php:8.4-apache

    container_name: php-apache-test

    restart: unless-stopped

    networks:

      - traefik_net

    volumes:

      - ./php-src:/var/www/html

networks:

  traefik_net:

    driver: bridge

traefik_config.yml

entryPoints:

  websecure:

    address: ":443"

    http:

      tls:

        certResolver: cloudflare-resolver

        domains:

          - main: "domain1.com"

            sans:

              - "*.domain1.com"

providers:

  file:

    filename: "/etc/traefik/dynamic_conf.yml"

    watch: true

certificatesResolvers:

  cloudflare-resolver:

    acme:

      email: your-email@example.com

      storage: /etc/traefik/acme-cloudflare.json

      dnsChallenge:

        provider: cloudflare

  spaceship-resolver:

    acme:

      email: your-email@example.com

      storage: /etc/traefik/acme-spaceship.json

      dnsChallenge:

        provider: spaceship # New in lego/traefik 2025

dynamic_config.yml

http:

  routers:

    # --- CLOUDFLARE DOMAIN (Inherits from Entrypoint) ---

    router1:

      rule: "Host(`app1.domain1.com`)"

      entryPoints: ["websecure"]

      service: "service1"

      tls: {} # Uses cloudflare-resolver & wildcard automatically

    router2:

      rule: "Host(`app2.domain1.com`)"

      entryPoints: ["websecure"]

      service: "service2"

      tls: {} # Uses cloudflare-resolver & wildcard automatically

    # --- SPACESHIP DOMAIN (Manual Override) ---

    router3:

      rule: "Host(`app3.domain2.com`)"

      entryPoints: ["websecure"]

      service: "service3"

      tls:

        certResolver: "spaceship-resolver"

        domains:

          - main: "domain2.com"

            sans: ["*.domain2.com"] # Triggers wildcard issuance

    router4:

      rule: "Host(`app4.domain2.com`)"

      entryPoints: ["websecure"]

      service: "service4"

      tls:

        certResolver: "spaceship-resolver"

        # No domains block needed! It reuses the cert from Router 3

        

  services:

    service1:

      loadBalancer:

        servers: [{ url: "http://172.18.0.11:80" }]

    service2:

      loadBalancer:

        servers: [{ url: "http://172.18.0.12:80" }]

    service3:

      loadBalancer:

        servers: [{ url: "http://172.18.0.13:80" }]

    service4:

      loadBalancer:

        servers: [{ url: "http://172.18.0.14:80" }]

Unifi Network Application docker compose

 name: unifi-network-application

services:

  unifi-db:

    container_name: unifi-db

    image: docker.io/mongo:8.0

    configs:

      - source: init-mongo.js

        target: /docker-entrypoint-initdb.d/init-mongo.js

    environment:

      - PGID=1000

      - PUID=1000

      - TZ=Asia/Bangkok

    restart: unless-stopped

    volumes:

      - type: bind

        source: ./unifi-db

        target: /data/db

    networks:

     - unifi-bridge

    privileged: false

  unifi-network-application:

    container_name: unifi-network-application

    depends_on:

      unifi-db:

        condition: service_started

        required: true

    environment:

      - MONGO_DBNAME=unifi-db

      - MONGO_HOST=unifi-db

      - MONGO_PASS=pass

      - MONGO_PORT=27017

      - MONGO_USER=unifi

      - PGID=1000

      - PUID=1000

      - TZ=Asia/Bangkok

    image: lscr.io/linuxserver/unifi-network-application:latest

    ports:

      - target: 8443

        published: "8443"

        protocol: tcp

      - target: 3478

        published: "3478"

        protocol: udp

      - target: 10001

        published: "10001"

        protocol: udp

      - target: 8080

        published: "8080"

        protocol: tcp

      - target: 1900 #optional

        published: "1900"

        protocol: udp

      - target: 8843 #optional

        published: "8843"

        protocol: tcp

      - target: 8880 #optional

        published: "8880"

        protocol: tcp

      - target: 6789 #optional

        published: "6789"

        protocol: tcp

      - target: 5514 #optional

        published: "5514"

        protocol: udp

    restart: unless-stopped

    volumes:

      - type: bind

        source: ./unifi-network-application

        target: /config

    networks:

     - unifi-bridge

    privileged: false

networks:

  unifi-bridge:

    driver: bridge

configs:

  init-mongo.js:

    content: |

      db.getSiblingDB("unifi-db").createUser({user: "unifi", pwd: "pass", roles: [{role: "dbOwner", db: "unifi-db"}]}); 

      db.getSiblingDB("unifi-db_stat").createUser({user: "unifi", pwd: "pass", roles: [{role: "dbOwner", db: "unifi-db_stat"}]});

P.S. Override inform host with host ip

UniFi Devices -> Device Updates and Settings -> Inform Host Override

Enable IPv6 in docker compose

sudo tee /etc/sysctl.d/99-docker-ipv6.conf <<EOF

net.ipv6.conf.all.forwarding = 1

net.ipv6.conf.default.forwarding = 1

EOF

Configure the Docker Daemon

/etc/docker/daemon.json

{

  "ipv6": true,

  "ip6tables": true 

}

Add IPv6 to Docker Compose Files

docker-compose.yml

    cap_add:

      - NET_ADMIN

networks:

  custom_network:

    driver: bridge

    enable_ipv6: true