committed to running traefik in network_mode: host, and fixed up where this then caused traefik labels to not know the loadbalancer port

then realised hass needed to add ::1 to trusted hosts as that was how traefik is using the explicit loadbalancer port setting with network_mode: host containers like hass, emby, etc.
upgrade to latest mail again, validated newer fail2ban defaults look okay, reduced comment appropriately, added rspamd* env vars (commented out), prepared to remove old env vars so we can switch to rspamd - doing this commit first

put back SASL auth, and updated LDAP_HOST use for mail container based on newer format - and Cams doc :)

removed last reference to prometheus (in a depends_on, which didnt exist clearly)

converted padb* containers back to native postgres:16 images, and used better model of overriding install scripts via entrypoint:

removed old reference to asuscomm.com

tried out and got working autodiscover, it worked for thunderbird but not our phones, so just getting rid of it - it seems to be a stale image / not maintained

convered from wikijs to bookstack (due to wikijs being unmaintained, and producing version 3 for something like 18 months and still being a mile from finished)

tweaked naming with myth container - still some work to fix up here I believe (remove network_mode: host, and put back DB server name to be container name - cant test until nothing is being recorded)

and myth* still has lame passwords, as does influxdb, to be finalised...
2024-01-19 17:55:26 +11:00
parent aa31f0a691
commit 7b1e2307f9


@@ -31,6 +31,8 @@ services:
- "traefik.http.middlewares.dashboard.replacepathregex.replacement=/dashboard/$$1"
- "traefik.http.routers.dashboard.middlewares=dashboard"
- "traefik.http.routers.dashboard.entrypoints=web"
# need to ensure incoming traffic for traefik goes to port 8080 inside
# the container, too many other ports (80, 443) so we have to be explicit
- "traefik.http.services.dashboard.loadbalancer.server.port=8080"
- "traefik.http.routers.dashboard.service=api@internal"
depends_on:
@@ -205,25 +207,14 @@ services:
- "com.centurylinklabs.watchtower.enable=true"
- "traefik.enable=true"
- "traefik.http.routers.emby.rule=Host(`emby.depaoli.id.au`)"
# to note with network_mode: host, this only works via ipv6! --> traefik routes this to http://[::]:8096"
- "traefik.http.services.emby.loadbalancer.server.port=8096"
- "traefik.http.routers.emby.tls=true"
- "traefik.http.routers.emby.entrypoints=secureweb"
#
# fail2ban is a bit jumpy from memory, so I've added a whitelist
# but its not going to survive a pull... and it seems if I mount
# the docker container before its initialised it ends up empty
# (timing?) so I have done this by hand
# for now, until I work out a solution:
## sudo docker exec -it mail bash
## root@mail:/etc/fail2ban/jail.d# cat > whitelist.conf
## [DEFAULT]
## ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
# sudo docker-compose restart mail
##### CAM/DDP: CHECK this with new mail version, seemed to be new fail2ban env options
#
# fail2ban might need a better whitelist? (I had internal docker ips in my quick fudge as well?)
mail:
image: docker.io/mailserver/docker-mailserver:12.1.0
image: docker.io/mailserver/docker-mailserver:latest
hostname: depaoli.id.au
domainname: depaoli.id.au
container_name: mail
@@ -249,32 +240,47 @@ services:
- /srv/docker/container/mail/mara-bin:/root/bin
- /srv/docker/container/mail/monitoring-results:/monitoring-results
environment:
##################################### del block ############################
- ENABLE_SPAMASSASSIN=1
- ENABLE_SPAMASSASSIN_KAM=1
- SPAMASSASIN_SPAM_TO_INBOX=1
- MOVE_SPAM_TO_JUNK=1
- SA_SPAM_SUBJECT=1
- AMAVIS_LOGLEVEL=-1
# enable rspam and delete this del block
##################################### del block ############################
- ENABLE_CLAMAV=1
- ENABLE_FAIL2BAN=1
- ENABLE_POSTGREY=0
- ENABLE_UPDATE_CHECK=1
# not sure if =0 disables these?
- ENABLE_POP3=0
# this allows users to manage their own sieves, not something we use at present
- ENABLE_MANAGESIEVE=0
# Adding these, for future testing
# - ENABLE_DNSBL=0
# don't know if this can go to 1 or not, seems more for postscreen than rspamd, so not sure if it has always been off?
- ENABLE_DNSBL=0
# enable rspamd be uncommenting block ############################
# # as per doco, enabling rspamd and disabling unneeded services (up to spamassassin)
# - ENABLE_RSPAMD=1
# - ENABLE_OPENDKIM=0
# - ENABLE_OPENDMARC=0
# - FAIL2BAN_BLOCKTYPE=drop
# - ENABLE_RSPAMD=1
# presume if we do the above, we should turn off the spamassassin checks, but could do both I guess?
# - ENABLE_POLICYD_SPF=0
# - ENABLE_AMAVIS=0
# - ENABLE_SPAMASSASSIN=0
# - MOVE_SPAM_TO_JUNK=1
# # only greylist spammy emails
# - RSPAMD_GREYLISTING=1
# # if ppl move mail to junk -> inbox (spam) or reverse (ham), learn from it
# - RSPAMD_LEARN=1
# # some hostname heuristics for dodgy mailservers using wrong syntax - adds header only at the moment, test and drop when we trust
# - RSPAMD_HFILTER=1
##################################### rspam block ############################
# spoof prot stops anyone sending with an email address that doesn't match what they connected with
- SPOOF_PROTECTION=1
- ONE_DIR=1
- DMS_DEBUG=0
- LOG_LEVEL=warn
- AMAVIS_LOGLEVEL=-1
- ACCOUNT_PROVISIONER=LDAP
- LDAP_SERVER_HOST=192.168.0.2 # using IP, as we changed over container names (openldap->openldapnew)
- LDAP_SERVER_HOST=ldap://openldap:1389 # using IP, as we changed over container names (openldap->openldapnew)
- LDAP_SEARCH_BASE=dc=depaoli,dc=id,dc=au
- LDAP_BIND_DN=cn=admin,dc=depaoli,dc=id,dc=au
- LDAP_QUERY_FILTER_USER=(&(mail=%s)(mailEnabled=TRUE))
@@ -283,15 +289,12 @@ services:
- LDAP_QUERY_FILTER_DOMAIN=(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))
- DOVECOT_PASS_FILTER=(&(objectClass=PostfixBookMailAccount)(uid=%n))
- DOVECOT_USER_FILTER=(&(objectClass=PostfixBookMailAccount)(uid=%n))
# I can't get SASL auth to work with bitnami ldap for some reason,
# given its all internal/local traffic tolerate for now
- ENABLE_SASLAUTHD=0
# - ENABLE_SASLAUTHD=1
# - SASLAUTHD_MECHANISMS=ldap
# - SASLAUTHD_LDAP_SERVER=openldap
# - SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=depaoli,dc=id,dc=au
# - SASLAUTHD_LDAP_SEARCH_BASE=ou=users,dc=depaoli,dc=id,dc=au
# - SASLAUTHD_LDAP_FILTER=(&(uid=%U)(objectClass=person))
- ENABLE_SASLAUTHD=1
- SASLAUTHD_MECHANISMS=ldap
- SASLAUTHD_LDAP_SERVER=ldap://openldap:1389
- SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=depaoli,dc=id,dc=au
- SASLAUTHD_LDAP_SEARCH_BASE=ou=users,dc=depaoli,dc=id,dc=au
- SASLAUTHD_LDAP_FILTER=(&(uid=%U)(objectClass=person))
- POSTMASTER_ADDRESS=postmaster@depaoli.id.au
- POSTFIX_MESSAGE_SIZE_LIMIT=100000000
- SSL_TYPE=letsencrypt
@@ -388,6 +391,7 @@ services:
- "traefik.http.middlewares.stripprefix-portainer.stripprefix.prefixes=/portainer"
- "traefik.http.routers.portainer.middlewares=stripprefix-portainer@docker"
- "traefik.http.routers.portainer.entrypoints=web"
# need to be explicit, as it also runs API ports, SSL ports, etc
- "traefik.http.services.portainer.loadbalancer.server.port=9000"
# this is running network_mode: host so it is on the same subnet as the IoT
@@ -413,6 +417,13 @@ services:
- /run/dbus:/run/dbus:ro
labels:
- "com.centurylinklabs.watchtower.enable=false"
# to note traefik is used here, but handled via files due to use of "network_mode: host"
- "traefik.enable=true"
- "traefik.http.routers.hass.rule=Host(`hass.depaoli.id.au`)"
# to note with network_mode: host, this only works via ipv6! --> traefik routes this to http://[::]:8123"
- "traefik.http.services.hass.loadbalancer.server.port=8123"
- "traefik.http.routers.hass.tls=true"
- "traefik.http.routers.hass.entrypoints=secureweb"
# this runs in network_most host so that it can find the players automatically
mass:
@@ -434,6 +445,7 @@ services:
- "traefik.http.routers.mass.entrypoints=secureweb"
- "traefik.http.middlewares.stripprefix-mass.stripprefix.prefixes=/mass"
- "traefik.http.routers.mass.middlewares=stripprefix-mass@docker"
# to note with network_mode: host, this only works via ipv6! --> traefik routes this to http://[::]:8095"
- "traefik.http.services.mass.loadbalancer.server.port=8095"
mosquitto:
@@ -552,7 +564,7 @@ services:
container_name: grafana
restart: always
depends_on:
- prometheus
- influxdb
volumes:
- /srv/docker/container/grafana/grafana.ini:/etc/grafana/grafana.ini
- /srv/docker/container/grafana/data:/var/lib/grafana
@@ -595,6 +607,7 @@ services:
- "traefik.http.middlewares.replaceprefix-pihole.replacepathregex.regex=^/admin/$$"
- "traefik.http.middlewares.replaceprefix-pihole.replacepathregex.replacement=/pihole/admin/"
- "traefik.http.middlewares.stripprefix-pihole.stripprefix.prefixes=/pihole"
# we set this to port 80, pihole has many open ports (e.g. 53), so have to tell traefik which port to send http traffic too
- "traefik.http.services.pihole.loadbalancer.server.port=80"
- "traefik.http.routers.pihole.middlewares=replaceprefix-pihole@docker,stripprefix-pihole@docker"
@@ -676,9 +689,12 @@ services:
padb_dev:
container_name: padb_dev
build:
context: '/home/ddp/src/photoassistant/db-container'
image: postgres
restart: always
# replace entrypoint to install cron and a cron job to backup users so we can rebuild the content from sqls
entrypoint: /root/init/entrypoint-wrapper.sh
labels:
- "com.centurylinklabs.watchtower.enable=true"
environment:
POSTGRES_USER: pa
POSTGRES_DB: pa
@@ -691,13 +707,17 @@ services:
volumes:
- /srv/docker/container/padb_dev/data:/var/lib/postgresql/data
- /srv/docker/container/padb_dev/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
- /srv/docker/container/padb_dev/init:/root/init
- /etc/localtime:/etc/localtime:ro
padb:
container_name: padb
build:
context: '/home/ddp/src/photoassistant/db-container'
image: postgres:16
restart: always
# replace entrypoint to install cron and a cron job to backup users so we can rebuild the content from sqls
entrypoint: /root/init/entrypoint-wrapper.sh
labels:
- "com.centurylinklabs.watchtower.enable=true"
environment:
POSTGRES_USER: pa
POSTGRES_DB: pa
@@ -708,6 +728,7 @@ services:
volumes:
- /srv/docker/container/padb/data:/var/lib/postgresql/data
- /srv/docker/container/padb/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
- /srv/docker/container/padb/init:/root/init
- /etc/localtime:/etc/localtime:ro
paweb:
@@ -764,7 +785,7 @@ services:
labels:
- "com.centurylinklabs.watchtower.enable=true"
- "traefik.enable=true"
- "traefik.http.routers.bitwarden_rs.rule=Host(`bw.depaoli.id.au`) || Host(`ddphome.asuscomm.com`)"
- "traefik.http.routers.bitwarden_rs.rule=Host(`bw.depaoli.id.au`)"
- "traefik.http.routers.bitwarden_rs.tls=true"
- "traefik.http.routers.bitwarden_rs.tls.options=tls12@file"
- "traefik.http.routers.bitwarden_rs.entrypoints=secureweb"
@@ -783,51 +804,51 @@ services:
- "/var/run/docker.sock:/var/run/docker.sock"
- "/etc/localtime:/etc/localtime:ro"
wikidb:
image: postgres:16
container_name: wikidb
environment:
POSTGRES_DB: wiki
POSTGRES_USER: wikijs
env_file:
- /srv/docker/config/secrets/wiki-common
logging:
driver: "none"
restart: always
depends_on:
- openldap
- pihole
labels:
- "com.centurylinklabs.watchtower.enable=true"
volumes:
- "/srv/docker/container/wikidb/data:/var/lib/postgresql/data"
- "/srv/docker/container/wikidb/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d"
- "/etc/localtime:/etc/localtime:ro"
wiki:
image: requarks/wiki:latest
container_name: wiki
depends_on:
- openldap
- wikidb
environment:
DB_TYPE: postgres
DB_HOST: wikidb
DB_PORT: 5432
DB_USER: wikijs
DB_NAME: wiki
env_file:
- /srv/docker/config/secrets/wiki-common
restart: always
volumes:
- "/srv/docker/container/wiki/data/content:/wiki/data/content"
- "/etc/localtime:/etc/localtime:ro"
labels:
- "com.centurylinklabs.watchtower.enable=true"
- "traefik.enable=true"
- "traefik.http.routers.wiki.rule=Host(`wiki.depaoli.id.au`)"
- "traefik.http.routers.wiki.tls=true"
- "traefik.http.routers.wiki.entrypoints=secureweb"
# wikidb_old:
# image: postgres:16
# container_name: wikidb_old
# environment:
# POSTGRES_DB: wiki
# POSTGRES_USER: wikijs
# env_file:
# - /srv/docker/config/secrets/wiki-common_old
# logging:
# driver: "none"
# restart: always
# depends_on:
# - openldap
# - pihole
# labels:
# - "com.centurylinklabs.watchtower.enable=true"
# volumes:
# - "/srv/docker/container/wikidb_old/data:/var/lib/postgresql/data"
# - "/srv/docker/container/wikidb_old/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d"
# - "/etc/localtime:/etc/localtime:ro"
#
# wiki_old:
# image: requarks/wiki:latest
# container_name: wiki_old
# depends_on:
# - openldap
# - wikidb_old
# environment:
# DB_TYPE: postgres
# DB_HOST: wikidb_old
# DB_PORT: 5432
# DB_USER: wikijs
# DB_NAME: wiki
# env_file:
# - /srv/docker/config/secrets/wiki-common_old
# restart: always
# volumes:
# - "/srv/docker/container/wiki_old/data/content:/wiki/data/content"
# - "/etc/localtime:/etc/localtime:ro"
# labels:
# - "com.centurylinklabs.watchtower.enable=true"
# - "traefik.enable=true"
# - "traefik.http.routers.wiki.rule=Host(`wikitst.depaoli.id.au`)"
# - "traefik.http.routers.wiki.tls=true"
# - "traefik.http.routers.wiki.entrypoints=secureweb"
# used for hass (eufy) to get notifications from camera
eufy_security_ws:
@@ -869,25 +890,25 @@ services:
volumes:
- "/etc/localtime:/etc/localtime:ro"
autodiscover:
image: monogramm/autodiscover-email-settings:latest
container_name: autodiscover
environment:
- COMPANY_NAME=depaoli
- SUPPORT_URL=https://autodiscover.depaoli.id.au
- DOMAIN=depaoli.id.au
- IMAP_HOST=depaoli.id.au
- IMAP_PORT=993
- IMAP_SOCKET=SSL
- SMTP_HOST=depaoli.id.au
- SMTP_PORT=587
- SMTP_SOCKET=STARTTLS
labels:
- "com.centurylinklabs.watchtower.enable=true"
- "traefik.enable=true"
- "traefik.http.routers.autodiscover.rule=Host(`autodiscover.depaoli.id.au`)"
- "traefik.http.routers.autodiscover.tls=true"
- "traefik.http.routers.autodiscover.entrypoints=secureweb"
# autodiscover:
# image: monogramm/autodiscover-email-settings:latest
# container_name: autodiscover
# environment:
# - COMPANY_NAME=depaoli
# - SUPPORT_URL=https://autodiscover.depaoli.id.au
# - DOMAIN=depaoli.id.au
# - IMAP_HOST=depaoli.id.au
# - IMAP_PORT=993
# - IMAP_SOCKET=SSL
# - SMTP_HOST=depaoli.id.au
# - SMTP_PORT=587
# - SMTP_SOCKET=STARTTLS
# labels:
# - "com.centurylinklabs.watchtower.enable=true"
# - "traefik.enable=true"
# - "traefik.http.routers.autodiscover.rule=Host(`autodiscover.depaoli.id.au`)"
# - "traefik.http.routers.autodiscover.tls=true"
# - "traefik.http.routers.autodiscover.entrypoints=secureweb"
# ark-server:
# restart: always
@@ -972,11 +993,13 @@ services:
- /srv/docker/container/mythtv/db/mythtv.cnf:/etc/mysql/conf.d/mythtv.cnf
# hacked entrypoint to 'add' to this container so it works as mara needs
mythbackend:
container_name: mythtvbackend
myth:
container_name: myth
image: instantlinux/mythtv-backend:latest
hostname: ${HOSTNAME_MYTHTV:-mythtv}
restart: always
labels:
- "com.centurylinklabs.watchtower.enable=true"
# needed to renice / ionice just the mythbackend process inside this container
# (it also runs cron, shepherd and various binaries out of /usr/local/bin)
cap_add:
@@ -985,7 +1008,9 @@ services:
environment:
APACHE_LOG_DIR: /var/log/apache2
DBNAME: mythconverg
DBSERVER: mythdb
# needs to be ip not container name as the host network_mode and DNS dont work together
# test this as mythdb and remove network_mode host when I can
DBSERVER: 192.168.0.2
LANG: en_US.UTF-8
LANGUAGE: en_US.UTF-8
LOCALHOSTNAME: mara
@@ -1011,9 +1036,49 @@ services:
- /srv/docker/container/mythtv/monitoring-results:/monitoring-results
- /etc/localtime:/etc/localtime:ro
- /export/myth:/export/myth
- /export/docker/storage/other-videos:/export/myth/videos
devices:
- /dev/dvb:/dev/dvb
env_file:
- /srv/docker/config/secrets/mythtv
depends_on:
- mythdb
wiki:
image: lscr.io/linuxserver/bookstack
container_name: wiki
environment:
- PUID=1000
- PGID=1000
- APP_URL=https://wiki.depaoli.id.au
- DB_HOST=wikidb
- DB_PORT=3306
env_file:
- /srv/docker/config/secrets/wiki
volumes:
- /srv/docker/container/wiki:/config
restart: unless-stopped
depends_on:
- wikidb
labels:
- "com.centurylinklabs.watchtower.enable=true"
- "traefik.enable=true"
- "traefik.http.routers.wikitst.rule=Host(`wiki.depaoli.id.au`)"
- "traefik.http.routers.wikitst.tls=true"
- "traefik.http.routers.wikitst.entrypoints=secureweb"
wikidb:
image: lscr.io/linuxserver/mariadb
container_name: wikidb
environment:
- PUID=1000
- PGID=1000
- TZ=Australia/Melbourne
env_file:
- /srv/docker/config/secrets/wiki
volumes:
- /srv/docker/container/wikidb/config:/config
- /srv/docker/container/wikidb/data:/var/lib/mysql
restart: unless-stopped
labels:
- "com.centurylinklabs.watchtower.enable=true"