diff --git a/docker-compose.yml b/docker-compose.yml
index cd85222..4e724c0 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -31,6 +31,8 @@ services:
 - "traefik.http.middlewares.dashboard.replacepathregex.replacement=/dashboard/$$1"
 - "traefik.http.routers.dashboard.middlewares=dashboard"
 - "traefik.http.routers.dashboard.entrypoints=web"
+ # need to ensure incoming traffic for traefik goes to port 8080 inside
+ # the container, too many other ports (80, 443) so we have to be explicit
 - "traefik.http.services.dashboard.loadbalancer.server.port=8080"
 - "traefik.http.routers.dashboard.service=api@internal"
 depends_on:
@@ -205,25 +207,14 @@ services:
 - "com.centurylinklabs.watchtower.enable=true"
 - "traefik.enable=true"
 - "traefik.http.routers.emby.rule=Host(`emby.depaoli.id.au`)"
+ # to note with network_mode: host, this only works via ipv6! --> traefik routes this to http://[::]:8096"
 - "traefik.http.services.emby.loadbalancer.server.port=8096"
 - "traefik.http.routers.emby.tls=true"
 - "traefik.http.routers.emby.entrypoints=secureweb"
- #
- # fail2ban is a bit jumpy from memory, so I've added a whitelist
- # but its not going to survive a pull... and it seems if I mount
- # the docker container before its initialised it ends up empty
- # (timing?) so I have done this by hand
- # for now, until I work out a solution:
- ## sudo docker exec -it mail bash
- ## root@mail:/etc/fail2ban/jail.d# cat > whitelist.conf
- ## [DEFAULT]
- ## ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
- # sudo docker-compose restart mail
- ##### CAM/DDP: CHECK this with new mail version, seemed to be new fail2ban env options
- #
+ # fail2ban might need a better whitelist? (I had internal docker ips in my quick fudge as well?)
 mail:
- image: docker.io/mailserver/docker-mailserver:12.1.0
+ image: docker.io/mailserver/docker-mailserver:latest
 hostname: depaoli.id.au
 domainname: depaoli.id.au
 container_name: mail
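Review bot: `image: docker.io/mailserver/docker-mailserver:latest` drops the `12.1.0` pin on a service that also carries `com.centurylinklabs.watchtower.enable=true`, so future major releases of the mail server will be pulled and restarted unattended, and the removed note already recorded that env options changed between versions of this image. Pin to an explicit version and bump it deliberately, in the form the removed line used (`image: docker.io/mailserver/docker-mailserver:12.1.0`, with the version you actually intend); the same applies to the untagged `image: postgres` for padb_dev and the untagged `lscr.io/linuxserver/bookstack` and `lscr.io/linuxserver/mariadb` images in later hunks. The new fail2ban comment replaces a concrete procedure with a question; if the whitelist is currently not configured, the comment should state that rather than ask. The emby comment ends with a stray `"` after `http://[::]:8096`. The labels list this hunk edits starts above it.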
@@ -249,32 +240,47 @@ services:
 - /srv/docker/container/mail/mara-bin:/root/bin
 - /srv/docker/container/mail/monitoring-results:/monitoring-results
 environment:
+##################################### del block ############################
 - ENABLE_SPAMASSASSIN=1
 - ENABLE_SPAMASSASSIN_KAM=1
 - SPAMASSASIN_SPAM_TO_INBOX=1
 - MOVE_SPAM_TO_JUNK=1
 - SA_SPAM_SUBJECT=1
+ - AMAVIS_LOGLEVEL=-1
+ # enable rspam and delete this del block
+##################################### del block ############################
 - ENABLE_CLAMAV=1
 - ENABLE_FAIL2BAN=1
 - ENABLE_POSTGREY=0
 - ENABLE_UPDATE_CHECK=1
- # not sure if =0 disables these?
 - ENABLE_POP3=0
+ # this allows users to manage their own sieves, not something we use at present
 - ENABLE_MANAGESIEVE=0
-# Adding these, for future testing
-# - ENABLE_DNSBL=0
+ # don't know if this can go to 1 or not, seems more for postscreen than rspamd, so not sure if it has always been off?
+ - ENABLE_DNSBL=0
+# enable rspamd be uncommenting block ############################
+# # as per doco, enabling rspamd and disabling unneeded services (up to spamassassin)
+# - ENABLE_RSPAMD=1
 # - ENABLE_OPENDKIM=0
 # - ENABLE_OPENDMARC=0
-# - FAIL2BAN_BLOCKTYPE=drop
-# - ENABLE_RSPAMD=1
-# presume if we do the above, we should turn off the spamassassin checks, but could do both I guess?
+# - ENABLE_POLICYD_SPF=0
+# - ENABLE_AMAVIS=0
+# - ENABLE_SPAMASSASSIN=0
+# - MOVE_SPAM_TO_JUNK=1
+# # only greylist spammy emails
+# - RSPAMD_GREYLISTING=1
+# # if ppl move mail to junk -> inbox (spam) or reverse (ham), learn from it
+# - RSPAMD_LEARN=1
+# # some hostname heuristics for dodgy mailservers using wrong syntax - adds header only at the moment, test and drop when we trust
+# - RSPAMD_HFILTER=1
+##################################### rspam block ############################
+ # spoof prot stops anyone sending with an email address that doesn't match what they connected with
 - SPOOF_PROTECTION=1
 - ONE_DIR=1
 - DMS_DEBUG=0
 - LOG_LEVEL=warn
- - AMAVIS_LOGLEVEL=-1
 - ACCOUNT_PROVISIONER=LDAP
- - LDAP_SERVER_HOST=192.168.0.2 # using IP, as we changed over container names (openldap->openldapnew)
+ - LDAP_SERVER_HOST=ldap://openldap:1389 # using IP, as we changed over container names (openldap->openldapnew)
 - LDAP_SEARCH_BASE=dc=depaoli,dc=id,dc=au
 - LDAP_BIND_DN=cn=admin,dc=depaoli,dc=id,dc=au
 - LDAP_QUERY_FILTER_USER=(&(mail=%s)(mailEnabled=TRUE))
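Review bot: The trailing comment on `- LDAP_SERVER_HOST=ldap://openldap:1389 # using IP, as we changed over container names (openldap->openldapnew)` no longer matches the value, which is now a container name rather than an IP, so it should be dropped or replaced with something like `# container name on the compose network; ldap:// is plaintext and relies on this traffic never leaving the docker network`. The `ldap://` scheme sends the `LDAP_BIND_DN=cn=admin,...` bind credential unencrypted to openldap, which is tolerable only while both containers share a private network; the same applies to `SASLAUTHD_LDAP_SERVER=ldap://openldap:1389` in the next hunk. Binding as the directory admin for what are read-only lookups is more privilege than the mail container needs; a dedicated read-only bind DN limits what a compromised mail container could change in the directory. The `environment:` list continues past the end of this hunk.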
@@ -283,15 +289,12 @@ services:
 - LDAP_QUERY_FILTER_DOMAIN=(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))
 - DOVECOT_PASS_FILTER=(&(objectClass=PostfixBookMailAccount)(uid=%n))
 - DOVECOT_USER_FILTER=(&(objectClass=PostfixBookMailAccount)(uid=%n))
-# I can't get SASL auth to work with bitnami ldap for some reason,
-# given its all internal/local traffic tolerate for now
- - ENABLE_SASLAUTHD=0
-# - ENABLE_SASLAUTHD=1
-# - SASLAUTHD_MECHANISMS=ldap
-# - SASLAUTHD_LDAP_SERVER=openldap
-# - SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=depaoli,dc=id,dc=au
-# - SASLAUTHD_LDAP_SEARCH_BASE=ou=users,dc=depaoli,dc=id,dc=au
-# - SASLAUTHD_LDAP_FILTER=(&(uid=%U)(objectClass=person))
+ - ENABLE_SASLAUTHD=1
+ - SASLAUTHD_MECHANISMS=ldap
+ - SASLAUTHD_LDAP_SERVER=ldap://openldap:1389
+ - SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=depaoli,dc=id,dc=au
+ - SASLAUTHD_LDAP_SEARCH_BASE=ou=users,dc=depaoli,dc=id,dc=au
+ - SASLAUTHD_LDAP_FILTER=(&(uid=%U)(objectClass=person))
 - POSTMASTER_ADDRESS=postmaster@depaoli.id.au
 - POSTFIX_MESSAGE_SIZE_LIMIT=100000000
 - SSL_TYPE=letsencrypt
@@ -388,6 +391,7 @@ services:
 - "traefik.http.middlewares.stripprefix-portainer.stripprefix.prefixes=/portainer"
 - "traefik.http.routers.portainer.middlewares=stripprefix-portainer@docker"
 - "traefik.http.routers.portainer.entrypoints=web"
+ # need to be explicit, as it also runs API ports, SSL ports, etc
 - "traefik.http.services.portainer.loadbalancer.server.port=9000"
 # this is running network_mode: host so it is on the same subnet as the IoT
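Review bot: The new `SASLAUTHD_LDAP_FILTER=(&(uid=%U)(objectClass=person))` is looser than the Dovecot filters kept above it, which require `objectClass=PostfixBookMailAccount`, and unlike `LDAP_QUERY_FILTER_USER` it does not check `mailEnabled=TRUE`; if saslauthd is what authenticates SMTP submission here (the usual role of this setting, though not visible in the diff), a directory `person` that is not a mail account, or one disabled via `mailEnabled`, could still authenticate and send through the server. Aligning it with the Dovecot side, `SASLAUTHD_LDAP_FILTER=(&(uid=%U)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))`, keeps SMTP auth and IMAP login consistent. The search base also differs from `LDAP_SEARCH_BASE` (`ou=users,...` vs `dc=depaoli,...`), which is fine if every mail account lives under `ou=users` but deserves a one-line comment. The environment list continues on both sides of this hunk.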
@@ -413,6 +417,13 @@ services:
 - /run/dbus:/run/dbus:ro
 labels:
 - "com.centurylinklabs.watchtower.enable=false"
+ # to note traefik is used here, but handled via files due to use of "network_mode: host"
+ - "traefik.enable=true"
+ - "traefik.http.routers.hass.rule=Host(`hass.depaoli.id.au`)"
+ # to note with network_mode: host, this only works via ipv6! --> traefik routes this to http://[::]:8123"
+ - "traefik.http.services.hass.loadbalancer.server.port=8123"
+ - "traefik.http.routers.hass.tls=true"
+ - "traefik.http.routers.hass.entrypoints=secureweb"
 # this runs in network_most host so that it can find the players automatically
 mass:
@@ -434,6 +445,7 @@ services:
 - "traefik.http.routers.mass.entrypoints=secureweb"
 - "traefik.http.middlewares.stripprefix-mass.stripprefix.prefixes=/mass"
 - "traefik.http.routers.mass.middlewares=stripprefix-mass@docker"
+ # to note with network_mode: host, this only works via ipv6! --> traefik routes this to http://[::]:8095"
 - "traefik.http.services.mass.loadbalancer.server.port=8095"
 mosquitto:
@@ -552,7 +564,7 @@ services:
 container_name: grafana
 restart: always
 depends_on:
- - prometheus
+ - influxdb
 volumes:
 - /srv/docker/container/grafana/grafana.ini:/etc/grafana/grafana.ini
 - /srv/docker/container/grafana/data:/var/lib/grafana
@@ -595,6 +607,7 @@ services:
 - "traefik.http.middlewares.replaceprefix-pihole.replacepathregex.regex=^/admin/$$"
 - "traefik.http.middlewares.replaceprefix-pihole.replacepathregex.replacement=/pihole/admin/"
 - "traefik.http.middlewares.stripprefix-pihole.stripprefix.prefixes=/pihole"
+ # we set this to port 80, pihole has many open ports (e.g. 53), so have to tell traefik which port to send http traffic too
 - "traefik.http.services.pihole.loadbalancer.server.port=80"
 - "traefik.http.routers.pihole.middlewares=replaceprefix-pihole@docker,stripprefix-pihole@docker"
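Review bot: The comment `# to note traefik is used here, but handled via files due to use of "network_mode: host"` contradicts the labels added right after it, which configure the `hass` router through traefik's docker provider rather than a file; either a file-provider config still exists and the comment should say what it contributes, or the comment should go. The `# to note with network_mode: host ...` comments here, in the mass hunk below and in the emby hunk earlier each end in a stray `"` after the URL. This publishes Home Assistant at `hass.depaoli.id.au` over TLS but, unlike the bitwarden router later in the file, sets no `tls.options`, so it runs with traefik's default TLS settings — fine if intended, but worth a `# default TLS options on purpose` note given the bitwarden router pins `tls12@file`. The labels list for this service starts above the hunk.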
@@ -676,9 +689,12 @@ services:
 padb_dev:
 container_name: padb_dev
- build:
- context: '/home/ddp/src/photoassistant/db-container'
+ image: postgres
 restart: always
+ # replace entrypoint to install cron and a cron job to backup users so we can rebuild the content from sqls
+ entrypoint: /root/init/entrypoint-wrapper.sh
+ labels:
+ - "com.centurylinklabs.watchtower.enable=true"
 environment:
 POSTGRES_USER: pa
 POSTGRES_DB: pa
@@ -691,13 +707,17 @@ services:
 volumes:
 - /srv/docker/container/padb_dev/data:/var/lib/postgresql/data
 - /srv/docker/container/padb_dev/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
+ - /srv/docker/container/padb_dev/init:/root/init
 - /etc/localtime:/etc/localtime:ro
 padb:
 container_name: padb
- build:
- context: '/home/ddp/src/photoassistant/db-container'
+ image: postgres:16
 restart: always
+ # replace entrypoint to install cron and a cron job to backup users so we can rebuild the content from sqls
+ entrypoint: /root/init/entrypoint-wrapper.sh
+ labels:
+ - "com.centurylinklabs.watchtower.enable=true"
 environment:
 POSTGRES_USER: pa
 POSTGRES_DB: pa
@@ -708,6 +728,7 @@ services:
 volumes:
 - /srv/docker/container/padb/data:/var/lib/postgresql/data
 - /srv/docker/container/padb/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
+ - /srv/docker/container/padb/init:/root/init
 - /etc/localtime:/etc/localtime:ro
 paweb:
@@ -764,7 +785,7 @@ services:
 labels:
 - "com.centurylinklabs.watchtower.enable=true"
 - "traefik.enable=true"
- - "traefik.http.routers.bitwarden_rs.rule=Host(`bw.depaoli.id.au`) || Host(`ddphome.asuscomm.com`)"
+ - "traefik.http.routers.bitwarden_rs.rule=Host(`bw.depaoli.id.au`)"
 - "traefik.http.routers.bitwarden_rs.tls=true"
 - "traefik.http.routers.bitwarden_rs.tls.options=tls12@file"
 - "traefik.http.routers.bitwarden_rs.entrypoints=secureweb"
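Review bot: `entrypoint: /root/init/entrypoint-wrapper.sh` replaces the official postgres image's `docker-entrypoint.sh`, which is what runs the scripts mounted at `/docker-entrypoint-initdb.d` and drops from root to the `postgres` user before starting the server; unless the wrapper ends by handing off to it (`exec docker-entrypoint.sh postgres`), the init scripts stop running and the server runs as root — the wrapper is not in this diff, so confirm that and record it in the comment. `padb_dev` now uses the untagged `image: postgres` while `padb` uses `postgres:16`; with watchtower enabled on both, `padb_dev` will be pulled across major versions, and a postgres data directory is tied to the major that created it, so the next major release will refuse to start on the existing volume — `image: postgres:16` keeps the two consistent. The `/srv/docker/container/padb_dev/init:/root/init` mount is writable; mounting it `:ro`, as `/etc/localtime` already is, stops the container from altering its own entrypoint. The same three points apply to the `padb` hunks that follow.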
@@ -783,51 +804,51 @@ services:
 - "/var/run/docker.sock:/var/run/docker.sock"
 - "/etc/localtime:/etc/localtime:ro"
- wikidb:
- image: postgres:16
- container_name: wikidb
- environment:
- POSTGRES_DB: wiki
- POSTGRES_USER: wikijs
- env_file:
- - /srv/docker/config/secrets/wiki-common
- logging:
- driver: "none"
- restart: always
- depends_on:
- - openldap
- - pihole
- labels:
- - "com.centurylinklabs.watchtower.enable=true"
- volumes:
- - "/srv/docker/container/wikidb/data:/var/lib/postgresql/data"
- - "/srv/docker/container/wikidb/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d"
- - "/etc/localtime:/etc/localtime:ro"
-
- wiki:
- image: requarks/wiki:latest
- container_name: wiki
- depends_on:
- - openldap
- - wikidb
- environment:
- DB_TYPE: postgres
- DB_HOST: wikidb
- DB_PORT: 5432
- DB_USER: wikijs
- DB_NAME: wiki
- env_file:
- - /srv/docker/config/secrets/wiki-common
- restart: always
- volumes:
- - "/srv/docker/container/wiki/data/content:/wiki/data/content"
- - "/etc/localtime:/etc/localtime:ro"
- labels:
- - "com.centurylinklabs.watchtower.enable=true"
- - "traefik.enable=true"
- - "traefik.http.routers.wiki.rule=Host(`wiki.depaoli.id.au`)"
- - "traefik.http.routers.wiki.tls=true"
- - "traefik.http.routers.wiki.entrypoints=secureweb"
+# wikidb_old:
+# image: postgres:16
+# container_name: wikidb_old
+# environment:
+# POSTGRES_DB: wiki
+# POSTGRES_USER: wikijs
+# env_file:
+# - /srv/docker/config/secrets/wiki-common_old
+# logging:
+# driver: "none"
+# restart: always
+# depends_on:
+# - openldap
+# - pihole
+# labels:
+# - "com.centurylinklabs.watchtower.enable=true"
+# volumes:
+# - "/srv/docker/container/wikidb_old/data:/var/lib/postgresql/data"
+# - "/srv/docker/container/wikidb_old/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d"
+# - "/etc/localtime:/etc/localtime:ro"
+#
+# wiki_old:
+# image: requarks/wiki:latest
+# container_name: wiki_old
+# depends_on:
+# - openldap
+# - wikidb_old
+# environment:
+# DB_TYPE: postgres
+# DB_HOST: wikidb_old
+# DB_PORT: 5432
+# DB_USER: wikijs
+# DB_NAME: wiki
+# env_file:
+# - /srv/docker/config/secrets/wiki-common_old
+# restart: always
+# volumes:
+# - "/srv/docker/container/wiki_old/data/content:/wiki/data/content"
+# - "/etc/localtime:/etc/localtime:ro"
+# labels:
+# - "com.centurylinklabs.watchtower.enable=true"
+# - "traefik.enable=true"
+# - "traefik.http.routers.wiki.rule=Host(`wikitst.depaoli.id.au`)"
+# - "traefik.http.routers.wiki.tls=true"
+# - "traefik.http.routers.wiki.entrypoints=secureweb"
 # used for hass (eufy) to get notifications from camera
 eufy_security_ws:
@@ -869,25 +890,25 @@ services:
 volumes:
 - "/etc/localtime:/etc/localtime:ro"
- autodiscover:
- image: monogramm/autodiscover-email-settings:latest
- container_name: autodiscover
- environment:
- - COMPANY_NAME=depaoli
- - SUPPORT_URL=https://autodiscover.depaoli.id.au
- - DOMAIN=depaoli.id.au
- - IMAP_HOST=depaoli.id.au
- - IMAP_PORT=993
- - IMAP_SOCKET=SSL
- - SMTP_HOST=depaoli.id.au
- - SMTP_PORT=587
- - SMTP_SOCKET=STARTTLS
- labels:
- - "com.centurylinklabs.watchtower.enable=true"
- - "traefik.enable=true"
- - "traefik.http.routers.autodiscover.rule=Host(`autodiscover.depaoli.id.au`)"
- - "traefik.http.routers.autodiscover.tls=true"
- - "traefik.http.routers.autodiscover.entrypoints=secureweb"
+# autodiscover:
+# image: monogramm/autodiscover-email-settings:latest
+# container_name: autodiscover
+# environment:
+# - COMPANY_NAME=depaoli
+# - SUPPORT_URL=https://autodiscover.depaoli.id.au
+# - DOMAIN=depaoli.id.au
+# - IMAP_HOST=depaoli.id.au
+# - IMAP_PORT=993
+# - IMAP_SOCKET=SSL
+# - SMTP_HOST=depaoli.id.au
+# - SMTP_PORT=587
+# - SMTP_SOCKET=STARTTLS
+# labels:
+# - "com.centurylinklabs.watchtower.enable=true"
+# - "traefik.enable=true"
+# - "traefik.http.routers.autodiscover.rule=Host(`autodiscover.depaoli.id.au`)"
+# - "traefik.http.routers.autodiscover.tls=true"
+# - "traefik.http.routers.autodiscover.entrypoints=secureweb"
 # ark-server:
 # restart: always
@@ -972,11 +993,13 @@ services:
 - /srv/docker/container/mythtv/db/mythtv.cnf:/etc/mysql/conf.d/mythtv.cnf
 # hacked entrypoint to 'add' to this container so it works as mara needs
- mythbackend:
- container_name: mythtvbackend
+ myth:
+ container_name: myth
 image: instantlinux/mythtv-backend:latest
 hostname: ${HOSTNAME_MYTHTV:-mythtv}
 restart: always
+ labels:
+ - "com.centurylinklabs.watchtower.enable=true"
 # needed to renice / ionice just the mythbackend process inside this container
 # (it also runs cron, shepherd and various binaries out of /usr/local/bin)
 cap_add:
@@ -985,7 +1008,9 @@ services:
 environment:
 APACHE_LOG_DIR: /var/log/apache2
 DBNAME: mythconverg
- DBSERVER: mythdb
+ # needs to be ip not container name as the host network_mode and DNS dont work together
+ # test this as mythdb and remove network_mode host when I can
+ DBSERVER: 192.168.0.2
 LANG: en_US.UTF-8
 LANGUAGE: en_US.UTF-8
 LOCALHOSTNAME: mara
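Review bot: `DBSERVER: 192.168.0.2` hard-codes what appears to be the host's LAN address (the same IP the LDAP setting just moved away from); for a host-networked container to reach `mythdb` that way, the database port has to be published on that interface, which also exposes it to everything else on the LAN — the port mapping is not in this diff, so that is an inference to confirm. If so, the comment should record the dependency, e.g. `# host LAN IP: mythdb publishes its port on the host so this host-networked container can reach it`, and the published port should be bound to the narrowest address that works. The rename to `myth` / `container_name: myth` in the hunk above will break anything else that addressed the container as `mythtvbackend` by name. The environment mapping continues outside this hunk.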
@@ -1011,9 +1036,49 @@ services:
 - /srv/docker/container/mythtv/monitoring-results:/monitoring-results
 - /etc/localtime:/etc/localtime:ro
 - /export/myth:/export/myth
+ - /export/docker/storage/other-videos:/export/myth/videos
 devices:
 - /dev/dvb:/dev/dvb
 env_file:
 - /srv/docker/config/secrets/mythtv
 depends_on:
 - mythdb
+
+ wiki:
+ image: lscr.io/linuxserver/bookstack
+ container_name: wiki
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - APP_URL=https://wiki.depaoli.id.au
+ - DB_HOST=wikidb
+ - DB_PORT=3306
+ env_file:
+ - /srv/docker/config/secrets/wiki
+ volumes:
+ - /srv/docker/container/wiki:/config
+ restart: unless-stopped
+ depends_on:
+ - wikidb
+ labels:
+ - "com.centurylinklabs.watchtower.enable=true"
+ - "traefik.enable=true"
+ - "traefik.http.routers.wikitst.rule=Host(`wiki.depaoli.id.au`)"
+ - "traefik.http.routers.wikitst.tls=true"
+ - "traefik.http.routers.wikitst.entrypoints=secureweb"
+
+ wikidb:
+ image: lscr.io/linuxserver/mariadb
+ container_name: wikidb
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Australia/Melbourne
+ env_file:
+ - /srv/docker/config/secrets/wiki
+ volumes:
+ - /srv/docker/container/wikidb/config:/config
+ - /srv/docker/container/wikidb/data:/var/lib/mysql
+ restart: unless-stopped
+ labels:
+ - "com.centurylinklabs.watchtower.enable=true"
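Review bot: The routers for the new wiki service are named `wikitst` while the rule matches host `wiki.depaoli.id.au`, and the commented-out `wiki_old` block earlier in the diff uses router name `wiki` with host `wikitst.depaoli.id.au`, so the names read as swapped; renaming the three labels from `traefik.http.routers.wikitst.*` to `traefik.http.routers.wiki.*` would match the service and container name. Both `wiki` and `wikidb` load the same `/srv/docker/config/secrets/wiki` env file, so every variable in it — including whatever database root credential it holds, which is not visible here — is also injected into the bookstack container; a per-service secrets file keeps each container to the values it needs. `restart: unless-stopped` on both new services differs from the `always` used by the rest of the file, fine if deliberate but worth a short comment.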