committed to running traefik in network_mode: host, and fixed up where this then caused traefik labels to not knowthe loadbalancer port

then realised hass needed to add ::1 ti trusted hosts as that was how traefik is using the explicit loadbalancer port setting with network_mode: host containers like hass, emby, etc.
upgrade to latest mail again, validated newer fail2ban defaults look okay, reduced comment appropriately, added rspamd* env vars (commented out), prepared to remove old env vars so we can switch to rspamd - doing this commit first

put back SASL auth, and updated LDAP_HOST use for mail container based on newer format - and Cams doc :)

removed last reference to prometheus (in a depends_on, which didnt exist clearly)

converted padb* containers back to native postgres:16 images, and used better model of overriding install scripts via entrypoint:

removed old reference to asuscomm.com

tried out and got working autodiscover, it worked for thunderbird but not our phones, so just getting rid of it - it seems to be a stale image / not maintained

convered from wikijs to bookstack (due to wikijs being unmaintained, and producing version 3 for something like 18 months and still being a mile from finished)

tweaked naming with myth container - still some work to fix up here I believe (remove network_mode: host, and put back DB server name to be container name - cant test until nothing is being recorded)

and myth* still has lame passwords, as does influxdb, to be finalised...

docker-compose.yml

@@ -31,6 +31,8 @@ services:
       - "traefik.http.middlewares.dashboard.replacepathregex.replacement=/dashboard/$$1"
       - "traefik.http.routers.dashboard.middlewares=dashboard"
       - "traefik.http.routers.dashboard.entrypoints=web"
+      # need to ensure incoming traffic for traefik goes to port 8080 inside
+      # the container, too many other ports (80, 443) so we have to be explicit
       - "traefik.http.services.dashboard.loadbalancer.server.port=8080"
       - "traefik.http.routers.dashboard.service=api@internal"
     depends_on:
@@ -205,25 +207,14 @@ services:
       - "com.centurylinklabs.watchtower.enable=true"
       - "traefik.enable=true"
       - "traefik.http.routers.emby.rule=Host(`emby.depaoli.id.au`)"
+      # to note with network_mode: host, this only works via ipv6! --> traefik routes this to http://[::]:8096"
       - "traefik.http.services.emby.loadbalancer.server.port=8096"
       - "traefik.http.routers.emby.tls=true"
       - "traefik.http.routers.emby.entrypoints=secureweb"
 
-  #
+  # fail2ban might need a better whitelist? (I had internal docker ips in my quick fudge as well?)
-  # fail2ban is a bit jumpy from memory, so I've added a whitelist
-  # but its not going to survive a pull... and it seems if I mount 
-  # the docker container before its initialised it ends up empty 
-  # (timing?) so I have done this by hand
-  # for now, until I work out a solution:
-  ## sudo docker exec -it mail bash
-  ## root@mail:/etc/fail2ban/jail.d# cat > whitelist.conf
-  ## [DEFAULT]
-  ## ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
-  # sudo docker-compose restart mail
-  ##### CAM/DDP: CHECK this with new mail version, seemed to be new fail2ban env options
-  #
   mail:
-    image: docker.io/mailserver/docker-mailserver:12.1.0
+    image: docker.io/mailserver/docker-mailserver:latest
     hostname: depaoli.id.au
     domainname: depaoli.id.au
     container_name: mail
@@ -249,32 +240,47 @@ services:
       - /srv/docker/container/mail/mara-bin:/root/bin
       - /srv/docker/container/mail/monitoring-results:/monitoring-results
     environment:
+##################################### del block ############################
       - ENABLE_SPAMASSASSIN=1
       - ENABLE_SPAMASSASSIN_KAM=1
       - SPAMASSASIN_SPAM_TO_INBOX=1
       - MOVE_SPAM_TO_JUNK=1
       - SA_SPAM_SUBJECT=1
+      - AMAVIS_LOGLEVEL=-1
+      # enable rspam and delete this del block
+##################################### del block ############################
       - ENABLE_CLAMAV=1
       - ENABLE_FAIL2BAN=1
       - ENABLE_POSTGREY=0
       - ENABLE_UPDATE_CHECK=1
-      # not sure if =0 disables these?
       - ENABLE_POP3=0
+      # this allows users to manage their own sieves, not something we use at present
       - ENABLE_MANAGESIEVE=0
-#     Adding these, for future testing
+      # don't know if this can go to 1 or not, seems more for postscreen than rspamd, so not sure if it has always been off?
-#      - ENABLE_DNSBL=0
+      - ENABLE_DNSBL=0
+# enable rspamd be uncommenting block ############################
+#      # as per doco, enabling rspamd and disabling unneeded services (up to spamassassin)
+#      - ENABLE_RSPAMD=1
 #      - ENABLE_OPENDKIM=0
 #      - ENABLE_OPENDMARC=0
-#      - FAIL2BAN_BLOCKTYPE=drop
+#      - ENABLE_POLICYD_SPF=0
-#      - ENABLE_RSPAMD=1
+#      - ENABLE_AMAVIS=0
-# presume if we do the above, we should turn off the spamassassin checks, but could do both I guess?
+#      - ENABLE_SPAMASSASSIN=0
+#      - MOVE_SPAM_TO_JUNK=1
+#      # only greylist spammy emails
+#      - RSPAMD_GREYLISTING=1
+#      # if ppl move mail to junk -> inbox (spam) or reverse (ham), learn from it
+#      - RSPAMD_LEARN=1
+#      # some hostname heuristics for dodgy mailservers using wrong syntax - adds header only at the moment, test and drop when we trust
+#      - RSPAMD_HFILTER=1
+##################################### rspam block ############################
+      # spoof prot stops anyone sending with an email address that doesn't match what they connected with 
       - SPOOF_PROTECTION=1
       - ONE_DIR=1
       - DMS_DEBUG=0
       - LOG_LEVEL=warn
-      - AMAVIS_LOGLEVEL=-1
       - ACCOUNT_PROVISIONER=LDAP
-      - LDAP_SERVER_HOST=192.168.0.2 # using IP, as we changed over container names (openldap->openldapnew)
+      - LDAP_SERVER_HOST=ldap://openldap:1389 # using IP, as we changed over container names (openldap->openldapnew)
       - LDAP_SEARCH_BASE=dc=depaoli,dc=id,dc=au
       - LDAP_BIND_DN=cn=admin,dc=depaoli,dc=id,dc=au
       - LDAP_QUERY_FILTER_USER=(&(mail=%s)(mailEnabled=TRUE))
@@ -283,15 +289,12 @@ services:
       - LDAP_QUERY_FILTER_DOMAIN=(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))
       - DOVECOT_PASS_FILTER=(&(objectClass=PostfixBookMailAccount)(uid=%n))
       - DOVECOT_USER_FILTER=(&(objectClass=PostfixBookMailAccount)(uid=%n))
-#       I can't get SASL auth to work with bitnami ldap for some reason,
+      - ENABLE_SASLAUTHD=1
-#       given its all internal/local traffic tolerate for now
+      - SASLAUTHD_MECHANISMS=ldap
-      - ENABLE_SASLAUTHD=0
+      - SASLAUTHD_LDAP_SERVER=ldap://openldap:1389
-#      - ENABLE_SASLAUTHD=1
+      - SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=depaoli,dc=id,dc=au
-#      - SASLAUTHD_MECHANISMS=ldap
+      - SASLAUTHD_LDAP_SEARCH_BASE=ou=users,dc=depaoli,dc=id,dc=au
-#      - SASLAUTHD_LDAP_SERVER=openldap
+      - SASLAUTHD_LDAP_FILTER=(&(uid=%U)(objectClass=person))
-#      - SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=depaoli,dc=id,dc=au
-#      - SASLAUTHD_LDAP_SEARCH_BASE=ou=users,dc=depaoli,dc=id,dc=au
-#      - SASLAUTHD_LDAP_FILTER=(&(uid=%U)(objectClass=person))
       - POSTMASTER_ADDRESS=postmaster@depaoli.id.au
       - POSTFIX_MESSAGE_SIZE_LIMIT=100000000
       - SSL_TYPE=letsencrypt
@@ -388,6 +391,7 @@ services:
       - "traefik.http.middlewares.stripprefix-portainer.stripprefix.prefixes=/portainer"
       - "traefik.http.routers.portainer.middlewares=stripprefix-portainer@docker"
       - "traefik.http.routers.portainer.entrypoints=web"
+      # need to be explicit, as it also runs API ports, SSL ports, etc
       - "traefik.http.services.portainer.loadbalancer.server.port=9000"
 
   # this is running network_mode: host so it is on the same subnet as the IoT
@@ -413,6 +417,13 @@ services:
       - /run/dbus:/run/dbus:ro
     labels:
       - "com.centurylinklabs.watchtower.enable=false"
+      # to note traefik is used here, but handled via files due to use of "network_mode: host"
+      - "traefik.enable=true"
+      - "traefik.http.routers.hass.rule=Host(`hass.depaoli.id.au`)"
+      # to note with network_mode: host, this only works via ipv6! --> traefik routes this to http://[::]:8123"
+      - "traefik.http.services.hass.loadbalancer.server.port=8123"
+      - "traefik.http.routers.hass.tls=true"
+      - "traefik.http.routers.hass.entrypoints=secureweb"
 
   # this runs in network_most host so that it can find the players automatically
   mass:
@@ -434,6 +445,7 @@ services:
       - "traefik.http.routers.mass.entrypoints=secureweb"
       - "traefik.http.middlewares.stripprefix-mass.stripprefix.prefixes=/mass"
       - "traefik.http.routers.mass.middlewares=stripprefix-mass@docker"
+      # to note with network_mode: host, this only works via ipv6! --> traefik routes this to http://[::]:8095"
       - "traefik.http.services.mass.loadbalancer.server.port=8095"
 
   mosquitto:
@@ -552,7 +564,7 @@ services:
     container_name: grafana
     restart: always
     depends_on:
-      - prometheus
+      - influxdb
     volumes:
       - /srv/docker/container/grafana/grafana.ini:/etc/grafana/grafana.ini
       - /srv/docker/container/grafana/data:/var/lib/grafana
@@ -595,6 +607,7 @@ services:
       - "traefik.http.middlewares.replaceprefix-pihole.replacepathregex.regex=^/admin/$$"
       - "traefik.http.middlewares.replaceprefix-pihole.replacepathregex.replacement=/pihole/admin/"
       - "traefik.http.middlewares.stripprefix-pihole.stripprefix.prefixes=/pihole"
+      # we set this to port 80, pihole has many open ports (e.g. 53), so have to tell traefik which port to send http traffic too
       - "traefik.http.services.pihole.loadbalancer.server.port=80"
       - "traefik.http.routers.pihole.middlewares=replaceprefix-pihole@docker,stripprefix-pihole@docker"
 
@@ -676,9 +689,12 @@ services:
 
   padb_dev:
     container_name: padb_dev
-    build:
+    image: postgres
-      context: '/home/ddp/src/photoassistant/db-container'
     restart: always
+    # replace entrypoint to install cron and a cron job to backup users so we can rebuild the content from sqls
+    entrypoint: /root/init/entrypoint-wrapper.sh
+    labels:
+      - "com.centurylinklabs.watchtower.enable=true"
     environment:
       POSTGRES_USER: pa
       POSTGRES_DB: pa
@@ -691,13 +707,17 @@ services:
     volumes:
       - /srv/docker/container/padb_dev/data:/var/lib/postgresql/data
       - /srv/docker/container/padb_dev/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
+      - /srv/docker/container/padb_dev/init:/root/init
       - /etc/localtime:/etc/localtime:ro
 
   padb:
     container_name: padb
-    build:
+    image: postgres:16
-      context: '/home/ddp/src/photoassistant/db-container'
     restart: always
+    # replace entrypoint to install cron and a cron job to backup users so we can rebuild the content from sqls
+    entrypoint: /root/init/entrypoint-wrapper.sh
+    labels:
+      - "com.centurylinklabs.watchtower.enable=true"
     environment:
       POSTGRES_USER: pa
       POSTGRES_DB: pa
@@ -708,6 +728,7 @@ services:
     volumes:
       - /srv/docker/container/padb/data:/var/lib/postgresql/data
       - /srv/docker/container/padb/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
+      - /srv/docker/container/padb/init:/root/init
       - /etc/localtime:/etc/localtime:ro
 
   paweb:
@@ -764,7 +785,7 @@ services:
     labels:
       - "com.centurylinklabs.watchtower.enable=true"
       - "traefik.enable=true"
-      - "traefik.http.routers.bitwarden_rs.rule=Host(`bw.depaoli.id.au`) || Host(`ddphome.asuscomm.com`)"
+      - "traefik.http.routers.bitwarden_rs.rule=Host(`bw.depaoli.id.au`)"
       - "traefik.http.routers.bitwarden_rs.tls=true"
       - "traefik.http.routers.bitwarden_rs.tls.options=tls12@file"
       - "traefik.http.routers.bitwarden_rs.entrypoints=secureweb"
@@ -783,51 +804,51 @@ services:
       - "/var/run/docker.sock:/var/run/docker.sock"
       - "/etc/localtime:/etc/localtime:ro"
 
-  wikidb:
+#  wikidb_old:
-    image: postgres:16
+#    image: postgres:16
-    container_name: wikidb
+#    container_name: wikidb_old
-    environment:
+#    environment:
-      POSTGRES_DB: wiki
+#      POSTGRES_DB: wiki
-      POSTGRES_USER: wikijs
+#      POSTGRES_USER: wikijs
-    env_file:
+#    env_file:
-        - /srv/docker/config/secrets/wiki-common
+#        - /srv/docker/config/secrets/wiki-common_old
-    logging:
+#    logging:
-      driver: "none"
+#      driver: "none"
-    restart: always
+#    restart: always
-    depends_on:
+#    depends_on:
-      - openldap
+#      - openldap
-      - pihole
+#      - pihole
-    labels:
+#    labels:
-      - "com.centurylinklabs.watchtower.enable=true"
+#      - "com.centurylinklabs.watchtower.enable=true"
-    volumes:
+#    volumes:
-      - "/srv/docker/container/wikidb/data:/var/lib/postgresql/data"
+#      - "/srv/docker/container/wikidb_old/data:/var/lib/postgresql/data"
-      - "/srv/docker/container/wikidb/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d"
+#      - "/srv/docker/container/wikidb_old/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d"
-      - "/etc/localtime:/etc/localtime:ro"
+#      - "/etc/localtime:/etc/localtime:ro"
-
+#
-  wiki:
+#  wiki_old:
-    image: requarks/wiki:latest
+#    image: requarks/wiki:latest
-    container_name: wiki
+#    container_name: wiki_old
-    depends_on:
+#    depends_on:
-      - openldap
+#      - openldap
-      - wikidb
+#      - wikidb_old
-    environment:
+#    environment:
-      DB_TYPE: postgres
+#      DB_TYPE: postgres
-      DB_HOST: wikidb
+#      DB_HOST: wikidb_old
-      DB_PORT: 5432
+#      DB_PORT: 5432
-      DB_USER: wikijs
+#      DB_USER: wikijs
-      DB_NAME: wiki
+#      DB_NAME: wiki
-    env_file:
+#    env_file:
-        - /srv/docker/config/secrets/wiki-common
+#        - /srv/docker/config/secrets/wiki-common_old
-    restart: always
+#    restart: always
-    volumes:
+#    volumes:
-      - "/srv/docker/container/wiki/data/content:/wiki/data/content"
+#      - "/srv/docker/container/wiki_old/data/content:/wiki/data/content"
-      - "/etc/localtime:/etc/localtime:ro"
+#      - "/etc/localtime:/etc/localtime:ro"
-    labels:
+#    labels:
-      - "com.centurylinklabs.watchtower.enable=true"
+#      - "com.centurylinklabs.watchtower.enable=true"
-      - "traefik.enable=true"
+#      - "traefik.enable=true"
-      - "traefik.http.routers.wiki.rule=Host(`wiki.depaoli.id.au`)"
+#      - "traefik.http.routers.wiki.rule=Host(`wikitst.depaoli.id.au`)"
-      - "traefik.http.routers.wiki.tls=true"
+#      - "traefik.http.routers.wiki.tls=true"
-      - "traefik.http.routers.wiki.entrypoints=secureweb"
+#      - "traefik.http.routers.wiki.entrypoints=secureweb"
 
   # used for hass (eufy) to get notifications from camera
   eufy_security_ws:
@@ -869,25 +890,25 @@ services:
     volumes:
       - "/etc/localtime:/etc/localtime:ro"
 
-  autodiscover:
+#  autodiscover:
-    image: monogramm/autodiscover-email-settings:latest
+#    image: monogramm/autodiscover-email-settings:latest
-    container_name: autodiscover
+#    container_name: autodiscover
-    environment:
+#    environment:
-      - COMPANY_NAME=depaoli
+#      - COMPANY_NAME=depaoli
-      - SUPPORT_URL=https://autodiscover.depaoli.id.au
+#      - SUPPORT_URL=https://autodiscover.depaoli.id.au
-      - DOMAIN=depaoli.id.au
+#      - DOMAIN=depaoli.id.au
-      - IMAP_HOST=depaoli.id.au
+#      - IMAP_HOST=depaoli.id.au
-      - IMAP_PORT=993
+#      - IMAP_PORT=993
-      - IMAP_SOCKET=SSL
+#      - IMAP_SOCKET=SSL
-      - SMTP_HOST=depaoli.id.au
+#      - SMTP_HOST=depaoli.id.au
-      - SMTP_PORT=587
+#      - SMTP_PORT=587
-      - SMTP_SOCKET=STARTTLS
+#      - SMTP_SOCKET=STARTTLS
-    labels:
+#    labels:
-      - "com.centurylinklabs.watchtower.enable=true"
+#      - "com.centurylinklabs.watchtower.enable=true"
-      - "traefik.enable=true"
+#      - "traefik.enable=true"
-      - "traefik.http.routers.autodiscover.rule=Host(`autodiscover.depaoli.id.au`)"
+#      - "traefik.http.routers.autodiscover.rule=Host(`autodiscover.depaoli.id.au`)"
-      - "traefik.http.routers.autodiscover.tls=true"
+#      - "traefik.http.routers.autodiscover.tls=true"
-      - "traefik.http.routers.autodiscover.entrypoints=secureweb"
+#      - "traefik.http.routers.autodiscover.entrypoints=secureweb"
 
 #  ark-server:
 #    restart: always
@@ -972,11 +993,13 @@ services:
       - /srv/docker/container/mythtv/db/mythtv.cnf:/etc/mysql/conf.d/mythtv.cnf
 
   # hacked entrypoint to 'add' to this container so it works as mara needs
-  mythbackend:
+  myth:
-    container_name: mythtvbackend
+    container_name: myth
     image: instantlinux/mythtv-backend:latest
     hostname: ${HOSTNAME_MYTHTV:-mythtv}
     restart: always
+    labels:
+      - "com.centurylinklabs.watchtower.enable=true"
     # needed to renice / ionice just the mythbackend process inside this container 
     # (it also runs cron, shepherd and various binaries out of /usr/local/bin)
     cap_add:
@@ -985,7 +1008,9 @@ services:
     environment:
       APACHE_LOG_DIR: /var/log/apache2
       DBNAME: mythconverg
-      DBSERVER: mythdb
+      # needs to be ip not container name as the host network_mode and DNS dont work together
+      # test this as mythdb and remove network_mode host when I can
+      DBSERVER: 192.168.0.2
       LANG: en_US.UTF-8
       LANGUAGE: en_US.UTF-8
       LOCALHOSTNAME: mara
@@ -1011,9 +1036,49 @@ services:
       - /srv/docker/container/mythtv/monitoring-results:/monitoring-results
       - /etc/localtime:/etc/localtime:ro
       - /export/myth:/export/myth
+      - /export/docker/storage/other-videos:/export/myth/videos
     devices:
       - /dev/dvb:/dev/dvb
     env_file:
         - /srv/docker/config/secrets/mythtv
     depends_on:
       - mythdb
+
+  wiki:
+    image: lscr.io/linuxserver/bookstack
+    container_name: wiki
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - APP_URL=https://wiki.depaoli.id.au
+      - DB_HOST=wikidb
+      - DB_PORT=3306
+    env_file:
+        - /srv/docker/config/secrets/wiki
+    volumes:
+      - /srv/docker/container/wiki:/config
+    restart: unless-stopped
+    depends_on:
+      - wikidb
+    labels:
+      - "com.centurylinklabs.watchtower.enable=true"
+      - "traefik.enable=true"
+      - "traefik.http.routers.wikitst.rule=Host(`wiki.depaoli.id.au`)"
+      - "traefik.http.routers.wikitst.tls=true"
+      - "traefik.http.routers.wikitst.entrypoints=secureweb"
+
+  wikidb:
+    image: lscr.io/linuxserver/mariadb
+    container_name: wikidb
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Australia/Melbourne
+    env_file:
+        - /srv/docker/config/secrets/wiki
+    volumes:
+      - /srv/docker/container/wikidb/config:/config
+      - /srv/docker/container/wikidb/data:/var/lib/mysql
+    restart: unless-stopped
+    labels:
+      - "com.centurylinklabs.watchtower.enable=true"