removed plex, oxisia openldap, wetty -> migrated to bitnami openldap and sshwifty, mail does not use SASL anymore (bitnami doesnt work with it), updated mail ENV var to newer format for ldap, added some comments around network_mode: host and why I have it set

docker-compose.yml

@@ -152,6 +152,8 @@ services:
       - /srv/docker/container/calibre/config:/config
       - /etc/localtime:/etc/localtime:ro
 
+  # this is running network_mode: host to be on 192.168.0/24 subnet, so that
+  # direct play on tv works (from memory)
   emby:
     container_name: emby
     image:  emby/embyserver
@@ -232,8 +234,8 @@ services:
       # in theory these next 2 being empty disables them, but that does not seem to work
       - ENABLE_POP3
       - ENABLE_MANAGESIEVE
-      - ENABLE_LDAP=1
+      - ACCOUNT_PROVISIONER=LDAP
-      - LDAP_SERVER_HOST=openldap # your ldap container/IP/ServerName
+      - LDAP_SERVER_HOST=192.168.0.2 # your ldap container/IP/ServerName
       - LDAP_SEARCH_BASE=dc=depaoli,dc=id,dc=au
       - LDAP_BIND_DN=cn=admin,dc=depaoli,dc=id,dc=au
       - LDAP_BIND_PW=a_real_admin_pass_word_for_2o20
@@ -243,13 +245,14 @@ services:
       - LDAP_QUERY_FILTER_DOMAIN=(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))
       - DOVECOT_PASS_FILTER=(&(objectClass=PostfixBookMailAccount)(uid=%n))
       - DOVECOT_USER_FILTER=(&(objectClass=PostfixBookMailAccount)(uid=%n))
-      - ENABLE_SASLAUTHD=1
+#      - ENABLE_SASLAUTHD=1
-      - SASLAUTHD_MECHANISMS=ldap
+      - ENABLE_SASLAUTHD=0
-      - SASLAUTHD_LDAP_SERVER=openldap
+#      - SASLAUTHD_MECHANISMS=ldap
-      - SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=depaoli,dc=id,dc=au
+#      - SASLAUTHD_LDAP_SERVER=openldap
-      - SASLAUTHD_LDAP_PASSWORD=a_real_admin_pass_word_for_2o20
+#      - SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=depaoli,dc=id,dc=au
-      - SASLAUTHD_LDAP_SEARCH_BASE=ou=users,dc=depaoli,dc=id,dc=au
+#      - SASLAUTHD_LDAP_PASSWORD=a_real_admin_pass_word_for_2o20
-      - SASLAUTHD_LDAP_FILTER=(&(uid=%U)(objectClass=person))
+#      - SASLAUTHD_LDAP_SEARCH_BASE=ou=users,dc=depaoli,dc=id,dc=au
+#      - SASLAUTHD_LDAP_FILTER=(&(uid=%U)(objectClass=person))
       - POSTMASTER_ADDRESS=postmaster@depaoli.id.au
       - POSTFIX_MESSAGE_SIZE_LIMIT=100000000
       - SSL_TYPE=letsencrypt
@@ -257,103 +260,44 @@ services:
       - NET_ADMIN
       - SYS_PTRACE
 
-  openldapnew:
+  openldap:
     image: bitnami/openldap
-    container_name: openldapnew
+    user: "2000"
-#    command: "--loglevel debug"
+    container_name: openldap
     restart: always
     labels:
       - "com.centurylinklabs.watchtower.enable=true"
     environment:
-      LDAP_LOG_LEVEL: "-1"
+      BITNAMI_DEBUG: "true"
-      LDAP_ORGANISATION: "Depaoli home ldap"
-      LDAP_DOMAIN: "depaoli.id.au"
-      LDAP_BASE_DN: ""
       LDAP_ROOT: "dc=depaoli,dc=id,dc=au"
       LDAP_ADMIN_USERNAME: "admin"
       LDAP_ADMIN_PASSWORD: "a_real_admin_pass_word_for_2o20"
-      LDAP_CONFIG_ADMIN_ENABLED: "yes"
+      LDAP_SKIP_DEFAULT_TREE: "yes"
-      LDAP_CONFIG_USERNAME: "admin"
+      LDAP_CUSTOM_SCHEMA_FILE: "/schema/postfix-book.ldif"
-      LDAP_CONFIG_PASSWORD: "in_2021_yet_another_real_pwd_for_adm"
+      LDAP_CUSTOM_LDIF_DIR: "/ldifs"
-      LDAP_READONLY_USER: "false"
+      LDAP_LOGLEVEL: "256"
-      LDAP_RFC2307BIS_SCHEMA: "false"
+      # below not validated
-      LDAP_BACKEND: "mdb"
+      LDAP_ENABLE_TLS: "yes"
-      LDAP_TLS: "true"
+      LDAP_TLS_CERT_FILE: "/opt/bitnami/openldap/certs/cert.pem"
-      LDAP_TLS_CRT_FILENAME: "cert.pem"
+      LDAP_TLS_KEY_FILE: "/opt/bitnami/openldap/certs/privkey.pem"
-      LDAP_TLS_KEY_FILENAME: "privkey.pem"
+      LDAP_TLS_CA_FILE: "/opt/bitnami/openldap/certs/fullchain.pem"
-      LDAP_TLS_DH_PARAM_FILENAME: "dhparam.pem"
+      LDAP_TLS_DH_PARAMS_FILE: "/opt/bitnami/openldap/certs/dhparam.pem"
-      LDAP_TLS_CA_CRT_FILENAME: "fullchain.pem"
+#      LDAP_TLS_CIPHER_SUITE: "SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC"
-      LDAP_TLS_ENFORCE: "false"
+#      LDAP_TLS_PROTOCOL_MIN: "3.1"
-      LDAP_TLS_CIPHER_SUITE: "SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC"
+#      LDAP_TLS_VERIFY_CLIENT: "try"
-      LDAP_TLS_PROTOCOL_MIN: "3.1"
-      LDAP_TLS_VERIFY_CLIENT: "try"
-      LDAP_REPLICATION: "false"
-      KEEP_EXISTING_CONFIG: "false"
-      LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
-      LDAP_SSL_HELPER_PREFIX: "ldap"
-#  get an ldap.depaoli.id.au cert, and put it into /srv/docker/container/ldap/certs
-#    hostname: "ldap"
-#    domainname: "depaoli.id.au"
     tty: true
     stdin_open: true
     depends_on:
       - pihole
     volumes:
-      - /srv/docker/container/ldap2/var/lib/ldap:/var/lib/ldap
+      - /srv/docker/container/ldap/:/bitnami/openldap/
-      - /srv/docker/container/ldap2/etc/ldap/slapd.d:/etc/ldap/slapd.d
+      - /srv/docker/container/ldap/certs:/opt/bitnami/openldap/certs/
-      - /srv/docker/container/ldap2/certs/:/container/service/slapd/assets/certs
+      - /srv/docker/container/ldap/bootstrap-schema:/schema
-      - /srv/docker/container/ldap2/ldifs/:/ldifs/
+      - /srv/docker/container/ldap/bootstrap-ldifs:/ldifs
       - /etc/localtime:/etc/localtime:ro
     ports:
-      - "1389:1389"
+      - "389:1389"
-      - "1636:1636"
+#      - "1636:1636"
-
-  openldap:
-    image: osixia/openldap
-    container_name: openldap
-#    command: "--loglevel debug"
-    restart: always
-    labels:
-      - "com.centurylinklabs.watchtower.enable=true"
-    environment:
-      LDAP_LOG_LEVEL: "32768"
-      LDAP_ORGANISATION: "Depaoli home ldap"
-      LDAP_DOMAIN: "depaoli.id.au"
-      LDAP_BASE_DN: ""
-      LDAP_ADMIN_PASSWORD: "a_real_admin_pass_word_for_2o20"
-      LDAP_CONFIG_PASSWORD: "in_2021_yet_another_real_pwd_for_adm"
-      LDAP_READONLY_USER: "false"
-      LDAP_RFC2307BIS_SCHEMA: "false"
-      LDAP_BACKEND: "mdb"
-      LDAP_TLS: "true"
-      LDAP_TLS_CRT_FILENAME: "cert.pem"
-      LDAP_TLS_KEY_FILENAME: "privkey.pem"
-      LDAP_TLS_DH_PARAM_FILENAME: "dhparam.pem"
-      LDAP_TLS_CA_CRT_FILENAME: "fullchain.pem"
-      LDAP_TLS_ENFORCE: "false"
-      LDAP_TLS_CIPHER_SUITE: "SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC"
-      LDAP_TLS_PROTOCOL_MIN: "3.1"
-      LDAP_TLS_VERIFY_CLIENT: "try"
-      LDAP_REPLICATION: "false"
-      KEEP_EXISTING_CONFIG: "false"
-      LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
-      LDAP_SSL_HELPER_PREFIX: "ldap"
-#  get an ldap.depaoli.id.au cert, and put it into /srv/docker/container/ldap/certs
-#    hostname: "ldap"
-#    domainname: "depaoli.id.au"
-    tty: true
-    stdin_open: true
-    depends_on:
-      - pihole
-    volumes:
-      - /srv/docker/container/ldap/var/lib/ldap:/var/lib/ldap
-      - /srv/docker/container/ldap/etc/ldap/slapd.d:/etc/ldap/slapd.d
-      - /srv/docker/container/ldap/certs/:/container/service/slapd/assets/certs
-      - /srv/docker/container/ldap/ldifs/:/ldifs/
-      - /etc/localtime:/etc/localtime:ro
-    ports:
-      - "389:389"
-      - "636:636"
 
   phpldapadmin:
     image: ghcr.io/colibris-xyz/phpldapadmin
@@ -427,28 +371,8 @@ services:
       - "traefik.http.routers.portainer.entrypoints=web"
       - "traefik.http.services.portainer.loadbalancer.server.port=9000"
 
-  plex:
+  # this is running network_mode: host so it is on the same subnet as the IoT
-    container_name: plex
+  # devices and can see/discover them
-    image: plexinc/pms-docker
-    restart: always
-    environment:
-      - TZ=Australia/Melbourne
-      - PLEX_CLAIM=claim-Mgs3KDD_zM-rheXvz6FJ
-      - PLEX_UID=500
-      - PLEX_GID=500
-    hostname: plex_dp
-    labels:
-      - "com.centurylinklabs.watchtower.enable=true"
-    depends_on:
-      - pihole
-    volumes:
-      - /myth/opt/plex/config:/config
-      - /myth/opt/plex/transcode:/transcode
-      - /myth/opt/storage:/data
-      - /etc/localtime:/etc/localtime:ro
-    ports:
-      - "32400:32400"
-
   hass:
     image: ghcr.io/home-assistant/home-assistant:stable
     container_name: hass
@@ -471,6 +395,7 @@ services:
     labels:
       - "com.centurylinklabs.watchtower.enable=false"
 
+  # this runs in network_most host so that it can find the players automatically
   mass:
     image: ghcr.io/music-assistant/server
     container_name: mass
@@ -597,9 +522,12 @@ services:
       - /:/rootfs:ro
       - /srv/docker/container/node-exporter/textfile_collector:/var/lib/node_exporter/textfile_collector
       - /etc/localtime:/etc/localtime:ro
+      - /export:/export:ro
+      - /boot:/boot:ro
     labels:
       - "com.centurylinklabs.watchtower.enable=true"
     command:
+      - '--path.rootfs=/rootfs'
       - '--path.procfs=/host/proc'
       - '--path.sysfs=/host/sys'
       - --collector.filesystem.ignored-mount-points
@@ -609,8 +537,8 @@ services:
     restart: always
 
   cadvisor:
-#    image: gcr.io/cadvisor/cadvisor:v0.38.6
     image: gcr.io/cadvisor/cadvisor:v0.47.2
+# seems latest is way older than the above
 #    image: gcr.io/cadvisor/cadvisor:latest
     container_name: cadvisor
     privileged: true
@@ -622,10 +550,13 @@ services:
       - "com.centurylinklabs.watchtower.enable=true"
     volumes:
       - /:/rootfs:ro
-      - /var/run:/var/run:rw
+      - /var/run:/var/run:ro
       - /sys:/sys:ro
       - /var/lib/docker/:/var/lib/docker:ro
+      - /dev/disk/:/dev/disk:ro
       - /etc/localtime:/etc/localtime:ro
+    devices:
+      - "/dev/kmsg"
     restart: always
 
   blackbox_exporter:
@@ -921,25 +852,6 @@ services:
       - "traefik.http.routers.wiki.tls=true"
       - "traefik.http.routers.wiki.entrypoints=secureweb"
 
-  wetty:
-    image: wettyoss/wetty
-    container_name: wetty
-    restart: always
-    command:
-      - --base=/
-      - --ssh-host=192.168.0.2
-    labels:
-      - "com.centurylinklabs.watchtower.enable=true"
-      - "traefik.enable=true"
-      - "traefik.http.routers.wetty.rule=Host(`ssh.depaoli.id.au`)"
-      - "traefik.http.routers.wetty.tls=true"
-      - "traefik.http.routers.wetty.entrypoints=secureweb"
-    depends_on:
-      - pihole
-      - openldap
-    volumes:
-      - "/etc/localtime:/etc/localtime:ro"
-
   # used for hass (eufy) to get notifications from camera
   eufy_security_ws:
     image: bropat/eufy-security-ws
@@ -1064,6 +976,24 @@ services:
       - "traefik.http.routers.kuma.entrypoints=secureweb"
     restart: always
 
+  sshwifty:
+    image: niruix/sshwifty:latest
+    container_name: sshwifty
+    user: "nobody:nobody"
+    restart: always
+    ports:
+      - "8182:8182/tcp"
+    labels:
+      - "com.centurylinklabs.watchtower.enable=true"
+      - "traefik.enable=true"
+      - "traefik.http.routers.sshwifty.rule=Host(`ssh.depaoli.id.au`)"
+      - "traefik.http.routers.sshwifty.tls=true"
+    stdin_open: true
+    tty: true
+    volumes:
+      - "/srv/docker/container/sshwifty/:/etc/"
+      - "/etc/localtime:/etc/localtime:ro"
+
 # myth?
 # this: https://github.com/delnaught/mythtv-containers/blob/main/compose-mythtv/docker-compose.yml
 #         in this link, there is also up a dir, docker/* that proivide Docker files, rather than compose to this guys repo?