ddp/docker-compose
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

converted over from manual certbot to traefik automatically handling certs

Browse Source 
updated doco around when we use loadbalancer port
emby now has group 110 (radeon) as well, so it can do hardware acceleration from new AMD 5600G cpu
  and added /dev/dri to access the hardware
change roundcubemail to webmail
converted mail container to use traefik's acme.json
moved esphome to its own esphome.ddp.net (aka removed internet access as I could not get a password in front of it via traefik as yet)
convert telegraf to use mara-init / entrypoint standar
added ldap to grafana so password is now taken from secrets/ldap*
converted bookdb_web, paweb, tix away from SSL passthrough to normal traefik ssl offload (also making it easier to traefik to manage certs as I had issues with some with HostSNI / passthrough
converted padb* to use entrypoint standard, rather than using a separate DockerFile to have the postgres image and then my own customising
converted kuma to have a new data dir and to adopt new mara-init/mara-bin/entrypoint.sh standard
moved mythtv root pwd out into secrets / env file
update mythtv to new mara-init, mara-bin, entrypoint.sh standard, removed use of network_mode: host, and go direct to mythdb via local dns / container name, instead of ip or mara
finalised move from wikijs to bookstack (renaming wikitst to wiki)
added depweb basic web service, solely to allow traefik to handle depaoli.id.au SSL domain (for mail which does not route traffic there itself)
This commit is contained in:
Damien De Paoli
2024-02-17 18:48:39 +11:00
parent 586e00108b
commit 7e52aa8d50
1 changed files with 103 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

170
docker-compose.yml
View File

@@ -1,5 +1,6 @@
# To note, if I am using an env_file to /srv/docker/config/secrets/*, then I have taken the ENV variable with a password for that
# container and put it into a separate file (1 place for common pwds like for ldap, but also so this file can be shared safely)
# To note, if I am using an env_file to /srv/docker/config/secrets/*,
# then I have taken the ENV variable with a password for that container and
# put it into a separate file (1 place for common pwds like for ldap, but also so this file can be shared safely)
version: '3.7'
services:
traefik:
@@ -12,7 +13,6 @@ services:
- "--api.dashboard=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--providers.docker.useBindPortIP=true"
- "--providers.file=true"
- "--providers.file.directory=/configuration/"
- "--providers.file.watch=true"
@@ -23,13 +23,16 @@ services:
- "--accesslog.fields.names.StartUTC=drop"
- "--accesslog.filters.statuscodes=400-599"
- "--accesslog.filters.minduration=50ms"
# cert resolver (PROD)
- "--certificatesresolvers.myresolver.acme.tlschallenge=true"
- "--certificatesresolvers.myresolver.acme.email=postmaster@depaoli.id.au"
- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
labels:
- "com.centurylinklabs.watchtower.enable=true"
- "traefik.enable=true"
- "traefik.http.routers.dashboard.rule=Host(`traefik.ddp.net`)"
- "traefik.http.routers.dashboard.entrypoints=web"
# need to ensure incoming traffic for traefik goes to port 8080 inside
# the container, too many other ports (80, 443) so we have to be explicit
# too many other ports (80, 443) so we have to be explicit & with network_mode: host traefik routes to localhost:8080
- "traefik.http.services.dashboard.loadbalancer.server.port=8080"
- "traefik.http.routers.dashboard.service=api@internal"
depends_on:
@@ -55,6 +58,7 @@ services:
- "traefik.http.routers.sonarr.rule=Host(`son.depaoli.id.au`)"
- "traefik.http.routers.sonarr.tls=true"
- "traefik.http.routers.sonarr.entrypoints=secureweb"
- "traefik.http.routers.sonarr.tls.certresolver=myresolver"
depends_on:
- pihole
volumes:
@@ -98,6 +102,7 @@ services:
- "traefik.http.routers.radarr.rule=Host(`rad.depaoli.id.au`)"
- "traefik.http.routers.radarr.tls=true"
- "traefik.http.routers.radarr.entrypoints=secureweb"
- "traefik.http.routers.radarr.tls.certresolver=myresolver"
depends_on:
- pihole
volumes:
@@ -181,31 +186,35 @@ services:
# direct play on tv works (from memory)
emby:
container_name: emby
image: emby/embyserver
# image: emby/embyserver
image: emby/embyserver:beta
restart: always
network_mode: host
environment:
- UID=500
- GID=500
# 44 is video for nvidia driver support / transcoding
- GIDLIST=44
# 44 is for /dev/dri/card driver support / 110 for AMD transcoding
- GIDLIST=44,110
- TZ=Australia/Melbourne
volumes:
- /srv/docker/container/emby/config:/config
- /export/docker/storage/transcode:/transcode
- /srv/docker/container/emby/transcode:/transcode
- /export/docker/storage:/data
- /export/myth/tv:/myth-recordings
- /etc/localtime:/etc/localtime:ro
devices:
- /dev/dri:/dev/dri
depends_on:
- pihole
labels:
- "com.centurylinklabs.watchtower.enable=true"
- "traefik.enable=true"
- "traefik.http.routers.emby.rule=Host(`emby.depaoli.id.au`)"
# to note with network_mode: host, this only works via ipv6! --> traefik routes this to http://[::]:8096"
# to note with network_mode: host, this works via localhost --> traefik routes this to http://localhost:8096"
- "traefik.http.services.emby.loadbalancer.server.port=8096"
- "traefik.http.routers.emby.tls=true"
- "traefik.http.routers.emby.entrypoints=secureweb"
- "traefik.http.routers.emby.tls.certresolver=myresolver"
# fail2ban might need a better whitelist? (I had internal docker ips in my quick fudge as well?)
mail:
@@ -233,11 +242,12 @@ services:
- /srv/docker/container/mail/state:/var/mail-state
- /srv/docker/container/mail/log:/var/log/mail
- /srv/docker/container/mail/config/:/tmp/docker-mailserver/
- /srv/docker/container/letsencrypt/etc:/etc/letsencrypt
- /etc/localtime:/etc/localtime:ro
# used (via .../mail/config/user-patches.sh) to insert a cron job running from .../mara-bin, and writing to .../monitoring-results)
- /srv/docker/container/mail/mara-bin:/root/bin
- /srv/docker/container/mail/monitoring-results:/monitoring-results
# NOTE: depweb container gets traefik to manage depaoli.id.au cert (and store it into acme.json)
- /srv/docker/container/letsencrypt/etc/acme.json:/etc/letsencrypt/acme.json:ro
environment:
- ENABLE_CLAMAV=1
- ENABLE_FAIL2BAN=1
@@ -332,16 +342,17 @@ services:
- "389:1389"
# webmail
roundcubemail:
webmail:
image: roundcube/roundcubemail
container_name: roundcubemail
container_name: webmail
restart: always
labels:
- "com.centurylinklabs.watchtower.enable=true"
- "traefik.enable=true"
- "traefik.http.routers.roundcube.rule=Host(`webmail.depaoli.id.au`)"
- "traefik.http.routers.roundcube.entrypoints=secureweb"
- "traefik.http.routers.roundcube.tls=true"
- "traefik.http.routers.webmail.rule=Host(`webmail.depaoli.id.au`)"
- "traefik.http.routers.webmail.entrypoints=secureweb"
- "traefik.http.routers.webmail.tls=true"
- "traefik.http.routers.webmail.tls.certresolver=myresolver"
volumes:
- /srv/docker/container/roundcubemail/www:/var/www/html
- /srv/docker/container/roundcubemail/db/sqlite:/var/roundcube/db
@@ -404,10 +415,11 @@ services:
# to note traefik is used here, but handled via files due to use of "network_mode: host"
- "traefik.enable=true"
- "traefik.http.routers.hass.rule=Host(`hass.depaoli.id.au`)"
# to note with network_mode: host, this only works via ipv6! --> traefik routes this to http://[::]:8123"
# to note with network_mode: host, this works via localhost --> traefik routes this to http://localhost:8123"
- "traefik.http.services.hass.loadbalancer.server.port=8123"
- "traefik.http.routers.hass.tls=true"
- "traefik.http.routers.hass.entrypoints=secureweb"
- "traefik.http.routers.hass.tls.certresolver=myresolver"
# this runs in network_most host so that it can find the players automatically
mass:
@@ -429,7 +441,8 @@ services:
- "traefik.http.routers.mass.entrypoints=secureweb"
- "traefik.http.middlewares.stripprefix-mass.stripprefix.prefixes=/mass"
- "traefik.http.routers.mass.middlewares=stripprefix-mass@docker"
# to note with network_mode: host, this only works via ipv6! --> traefik routes this to http://[::]:8095"
- "traefik.http.routers.mass.tls.certresolver=myresolver"
# to note with network_mode: host, this works via localhost --> traefik routes this to http://127.0.0.1:8095"
- "traefik.http.services.mass.loadbalancer.server.port=8095"
mosquitto:
@@ -458,11 +471,8 @@ services:
labels:
- "com.centurylinklabs.watchtower.enable=true"
- "traefik.enable=true"
- "traefik.http.routers.esphome.rule=Host(`hass.depaoli.id.au`) && PathPrefix(`/esphome/`)"
- "traefik.http.routers.esphome.tls=true"
- "traefik.http.routers.esphome.entrypoints=secureweb"
- "traefik.http.middlewares.stripprefix-esphome.stripprefix.prefixes=/esphome"
- "traefik.http.routers.esphome.middlewares=stripprefix-esphome@docker"
- "traefik.http.routers.esphome.rule=Host(`esphome.ddp.net`)"
- "traefik.http.routers.esphome.entrypoints=web"
restart: always
privileged: true
@@ -517,16 +527,16 @@ services:
container_name: telegraf
# needs to be 0 / root to run smartmontools / nvme
user: 0:139
entrypoint: /entrypoint-wrapper.sh
entrypoint: /root/mara-init/entrypoint-wrapper.sh
volumes:
- /srv/docker/container/telegraf:/etc/telegraf
- /srv/docker/container/telegraf/sudoers/smart:/etc/sudoers.d/smart
- /srv/docker/container/telegraf/entrypoint-wrapper.sh:/root/entrypoint-wrapper.sh
- /srv/docker/container/telegraf/monitoring-results:/usr/local/external-results/mara
- /srv/docker/container/telegraf/entrypoint-wrapper.sh:/entrypoint-wrapper.sh
- /srv/docker/container/telegraf/mara-init/entrypoint-wrapper.sh:/root/mara-init/entrypoint-wrapper.sh
# for telegraf to get external script output
- /srv/docker/container/telegraf/monitoring-results:/usr/local/external-results/mara
- /srv/docker/container/mythtv/monitoring-results:/usr/local/external-results/myth
- /srv/docker/container/mail/monitoring-results:/usr/local/external-results/mail
- /srv/docker/container/kuma/monitoring-results:/usr/local/external-results/kuma
# for telegraf to see host details
- /var/run/docker.sock:/var/run/docker.sock:ro
- /:/host:ro
@@ -553,18 +563,21 @@ services:
- influxdb
volumes:
- /srv/docker/container/grafana/grafana.ini:/etc/grafana/grafana.ini
- /srv/docker/container/grafana/ldap.toml:/etc/grafana/ldap.toml
- /srv/docker/container/grafana/data:/var/lib/grafana
- /srv/docker/container/grafana/dashboards:/var/lib/grafana/dashboards
- /srv/docker/container/grafana/grafana/provisioning:/etc/grafana/provisioning
- /etc/localtime:/etc/localtime:ro
env_file:
- /srv/docker/container/grafana/config.monitoring
- /srv/docker/config/secrets/ldap-mail-common
labels:
- "com.centurylinklabs.watchtower.enable=true"
- "traefik.enable=true"
- "traefik.http.routers.grafana_ssl.rule=Host(`graf.depaoli.id.au`)"
- "traefik.http.routers.grafana_ssl.tls=true"
- "traefik.http.routers.grafana_ssl.entrypoints=secureweb"
- "traefik.http.routers.grafana_ssl.tls.certresolver=myresolver"
- "traefik.http.routers.grafana.rule=PathPrefix(`/grafana/`)"
- "traefik.http.routers.grafana.entrypoints=web"
@@ -664,21 +677,21 @@ services:
- bookdb
- pihole
volumes:
- /srv/docker/container/letsencrypt/etc:/etc/letsencrypt
- /etc/localtime:/etc/localtime:ro
labels:
- "com.centurylinklabs.watchtower.enable=false"
- "traefik.enable=true"
- "traefik.tcp.routers.bookdb_web-tcp.rule=HostSNI(`book.depaoli.id.au`)"
- "traefik.tcp.routers.bookdb_web-tcp.tls.passthrough=true"
- "traefik.tcp.routers.bookdb_web-tcp.entrypoints=secureweb"
- "traefik.http.routers.bookdb_web.rule=Host(`book.depaoli.id.au`)"
- "traefik.http.routers.bookdb_web.tls=true"
- "traefik.http.routers.bookdb_web.entrypoints=secureweb"
- "traefik.http.routers.bookdb_web.tls.certresolver=myresolver"
padb_dev:
container_name: padb_dev
image: postgres
restart: always
# replace entrypoint to install cron and a cron job to backup users so we can rebuild the content from sqls
entrypoint: /root/init/entrypoint-wrapper.sh
entrypoint: /root/mara-init/entrypoint-wrapper.sh
labels:
- "com.centurylinklabs.watchtower.enable=true"
environment:
@@ -693,7 +706,8 @@ services:
volumes:
- /srv/docker/container/padb_dev/data:/var/lib/postgresql/data
- /srv/docker/container/padb_dev/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
- /srv/docker/container/padb_dev/init:/root/init
- /srv/docker/container/padb_dev/mara-init:/root/mara-init
- /srv/docker/container/padb_dev/mara-bin:/root/mara-bin
- /etc/localtime:/etc/localtime:ro
padb:
@@ -701,7 +715,7 @@ services:
image: postgres:16
restart: always
# replace entrypoint to install cron and a cron job to backup users so we can rebuild the content from sqls
entrypoint: /root/init/entrypoint-wrapper.sh
entrypoint: /root/mara-init/entrypoint-wrapper.sh
labels:
- "com.centurylinklabs.watchtower.enable=true"
environment:
@@ -714,7 +728,8 @@ services:
volumes:
- /srv/docker/container/padb/data:/var/lib/postgresql/data
- /srv/docker/container/padb/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
- /srv/docker/container/padb/init:/root/init
- /srv/docker/container/padb/mara-init:/root/mara-init
- /srv/docker/container/padb/mara-bin:/root/mara-bin
- /etc/localtime:/etc/localtime:ro
paweb:
@@ -725,18 +740,20 @@ services:
args:
PJM_UID: 500
PJM_GID: 500
environment:
ENV: "production"
depends_on:
- padb
volumes:
- /srv/docker/container/letsencrypt/etc:/etc/letsencrypt
- /export/docker/storage:/export/docker/storage
- /etc/localtime:/etc/localtime:ro
labels:
- "com.centurylinklabs.watchtower.enable=false"
- "traefik.enable=true"
- "traefik.tcp.routers.paweb-tcp.rule=HostSNI(`pa.depaoli.id.au`)"
- "traefik.tcp.routers.paweb-tcp.tls.passthrough=true"
- "traefik.tcp.routers.paweb-tcp.entrypoints=secureweb"
- "traefik.http.routers.paweb.rule=Host(`pa.depaoli.id.au`)"
- "traefik.http.routers.paweb.tls=true"
- "traefik.http.routers.paweb.entrypoints=secureweb"
- "traefik.http.routers.paweb.tls.certresolver=myresolver"
tix:
container_name: tix
@@ -746,15 +763,15 @@ services:
build:
context: '/home/ddp/src/snow-ticket-analysis'
volumes:
- /srv/docker/container/letsencrypt/etc:/etc/letsencrypt
- /home/ddp/src/snow-ticket-analysis/stats.db:/stats.db
- /etc/localtime:/etc/localtime:ro
labels:
- "com.centurylinklabs.watchtower.enable=false"
- "traefik.enable=true"
- "traefik.tcp.routers.tix-tcp.rule=HostSNI(`tix.depaoli.id.au`)"
- "traefik.tcp.routers.tix-tcp.tls.passthrough=true"
- "traefik.tcp.routers.tix-tcp.entrypoints=secureweb"
- "traefik.http.routers.tix.rule=Host(`tix.depaoli.id.au`)"
- "traefik.http.routers.tix.tls=true"
- "traefik.http.routers.tix.entrypoints=secureweb"
- "traefik.http.routers.tix.tls.certresolver=myresolver"
vaultwarden:
container_name: vaultwarden
@@ -775,6 +792,7 @@ services:
- "traefik.http.routers.vaultwarden.tls=true"
- "traefik.http.routers.vaultwarden.tls.options=tls12@file"
- "traefik.http.routers.vaultwarden.entrypoints=secureweb"
- "traefik.http.routers.vaultwarden.tls.certresolver=myresolver"
# auto-update docker images
watchtower:
@@ -862,9 +880,14 @@ services:
image: louislam/uptime-kuma
container_name: kuma
volumes:
- /srv/docker/container/kuma:/app/data
- /srv/docker/container/kuma/data:/app/data
- /srv/docker/container/kuma/mara-bin:/root/mara-bin/
- /srv/docker/container/kuma/mara-init:/root/mara-init/
- /var/run/docker.sock:/var/run/docker.sock:ro
# used to transfer which containers we monitor through to telegraf
- /srv/docker/container/kuma/monitoring-results:/monitoring-results
- /etc/localtime:/etc/localtime:ro
entrypoint: /root/mara-init/entrypoint-wrapper.sh
ports:
- 3001:3001 # leave these in case mon.depaoli.id.au is inaccessible
labels:
@@ -873,6 +896,7 @@ services:
- "traefik.http.routers.kuma.rule=Host(`mon.depaoli.id.au`)"
- "traefik.http.routers.kuma.tls=true"
- "traefik.http.routers.kuma.entrypoints=secureweb"
- "traefik.http.routers.kuma.tls.certresolver=myresolver"
restart: always
sshwifty:
@@ -886,6 +910,7 @@ services:
- "traefik.http.routers.sshwifty.rule=Host(`ssh.depaoli.id.au`)"
- "traefik.http.routers.sshwifty.tls=true"
- "traefik.http.routers.sshwifty.entrypoints=secureweb"
- "traefik.http.routers.sshwifty.tls.certresolver=myresolver"
stdin_open: true
tty: true
volumes:
@@ -904,9 +929,10 @@ services:
MYSQL_PASSWORD: 'mythtv'
MYSQL_UID: 133
MYSQL_GID: 140
MYSQL_ROOT_PASSWORD: 'NWNlfa01'
env_file:
- /srv/docker/config/secrets/mythtv
ports:
- '3306:3306'
- "3306:3306"
volumes:
- /srv/docker/container/mythtv/db/sql:/docker-entrypoint-initdb.d
- /srv/docker/container/mythtv/db/data:/var/lib/mysql
@@ -932,26 +958,17 @@ services:
DBNAME: mythconverg
# needs to be ip not container name as the host network_mode and DNS dont work together
# test this as mythdb and remove network_mode host when I can
DBSERVER: 192.168.0.2
DBSERVER: mythdb
LANG: en_US.UTF-8
LANGUAGE: en_US.UTF-8
LOCALHOSTNAME: mara
TZ: Australia/Melbourne
network_mode: host
# ports:
# - "6543:6543"
# - "6544:6544"
# - "6549:6549"
# - "6744:6744"
# these are open in network_mode: host
# 2022/tcp, 5000/udp, 5002/udp, 5004/udp, 65001/tcp, 65001/udp, 6543/tcp, 6544/tcp, 6549/tcp, 6760/tcp
entrypoint: >
/bin/bash -c "
/root/mara-init/fix_uids.sh
/root/mara-init/fix_apache2.sh
/root/mara-init/install_shepherd.sh
/root/mara-init/install_cron.sh
/root/entrypoint.sh"
ports:
- "6543:6543"
- "6544:6544"
- "6549:6549"
- "6760:6760"
entrypoint: /root/mara-init/entrypoint-wrapper.sh
volumes:
- /srv/docker/container/mythtv/apache2:/var/log/apache2
- /srv/docker/container/mythtv/data:/var/mythdata
@@ -959,7 +976,7 @@ services:
- /srv/docker/container/mythtv/ssh-config:/etc/ssh
- /srv/docker/container/mythtv/var/log:/var/log/mythtv
- /srv/docker/container/mythtv/mara-init:/root/mara-init
- /srv/docker/container/mythtv/mara-bin:/usr/local/bin
- /srv/docker/container/mythtv/mara-bin:/root/mara-bin
- /srv/docker/container/mythtv/db/sql:/db-container/sql
- /srv/docker/container/mythtv/db/backups:/db-container/backups
- /srv/docker/container/mythtv/monitoring-results:/monitoring-results
@@ -969,7 +986,7 @@ services:
devices:
- /dev/dvb:/dev/dvb
env_file:
- /srv/docker/config/secrets/mythtv
- /srv/docker/config/secrets/mythtv
depends_on:
- mythdb
@@ -993,9 +1010,10 @@ services:
labels:
- "com.centurylinklabs.watchtower.enable=true"
- "traefik.enable=true"
- "traefik.http.routers.wikitst.rule=Host(`wiki.depaoli.id.au`)"
- "traefik.http.routers.wikitst.tls=true"
- "traefik.http.routers.wikitst.entrypoints=secureweb"
- "traefik.http.routers.wiki.rule=Host(`wiki.depaoli.id.au`)"
- "traefik.http.routers.wiki.tls=true"
- "traefik.http.routers.wiki.entrypoints=secureweb"
- "traefik.http.routers.wiki.tls.certresolver=myresolver"
wikidb:
image: lscr.io/linuxserver/mariadb
@@ -1028,3 +1046,21 @@ services:
- "traefik.enable=true"
- "traefik.http.routers.web.rule=Host(`mara.ddp.net`) && ( Path(`/`) || PathPrefix(`/images` ) || PathPrefix(`/mythweb`) )"
- "traefik.http.routers.web.entrypoints=web"
# this container exists solely to have traefik manage the depaoli.id.au SSL
# cert - the web server has no web content to serve
depweb:
image: php:apache
container_name: depweb
volumes:
- /srv/docker/container/depweb/data:/var/www/html
- /etc/localtime:/etc/localtime:ro
restart: unless-stopped
labels:
- "com.centurylinklabs.watchtower.enable=true"
- "traefik.enable=true"
- "traefik.http.routers.depweb.rule=Host(`depaoli.id.au`)"
- "traefik.http.routers.depweb.tls=true"
- "traefik.http.routers.depweb.entrypoints=secureweb"
- "traefik.http.routers.depweb.tls.certresolver=myresolver"