diff --git a/docker-compose.yml b/docker-compose.yml
index 2de0f3b..fc5521b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,5 +1,6 @@
-# To note, if I am using an env_file to /srv/docker/config/secrets/*, then I have taken the ENV variable with a password for that
-# container and put it into a separate file (1 place for common pwds like for ldap, but also so this file can be shared safely)
+# To note, if I am using an env_file to /srv/docker/config/secrets/*,
+# then I have taken the ENV variable with a password for that container and
+# put it into a separate file (1 place for common pwds like for ldap, but also so this file can be shared safely)
 version: '3.7'
 services:
 traefik:
@@ -12,7 +13,6 @@ services:
 - "--api.dashboard=true"
 - "--providers.docker=true"
 - "--providers.docker.exposedbydefault=false"
- - "--providers.docker.useBindPortIP=true"
 - "--providers.file=true"
 - "--providers.file.directory=/configuration/"
 - "--providers.file.watch=true"
@@ -23,13 +23,16 @@ services:
 - "--accesslog.fields.names.StartUTC=drop"
 - "--accesslog.filters.statuscodes=400-599"
 - "--accesslog.filters.minduration=50ms"
+ # cert resolver (PROD)
+ - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
+ - "--certificatesresolvers.myresolver.acme.email=postmaster@depaoli.id.au"
+ - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
 labels:
 - "com.centurylinklabs.watchtower.enable=true"
 - "traefik.enable=true"
 - "traefik.http.routers.dashboard.rule=Host(`traefik.ddp.net`)"
 - "traefik.http.routers.dashboard.entrypoints=web"
- # need to ensure incoming traffic for traefik goes to port 8080 inside
- # the container, too many other ports (80, 443) so we have to be explicit
+ # too many other ports (80, 443) so we have to be explicit & with network_mode: host traefik routes to localhost:8080
 - "traefik.http.services.dashboard.loadbalancer.server.port=8080"
 - "traefik.http.routers.dashboard.service=api@internal"
 depends_on:
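Review bot: The new resolver writes the ACME account key and every issued private key to `/letsencrypt/acme.json`, but nothing in this hunk backs `/letsencrypt` with a volume, and the traefik service's `volumes:` block is outside the hunk. If that path is not persisted, each recreation of the container (watchtower is enabled on this service) re-registers and re-issues, which runs into Let's Encrypt rate limits; Traefik also rejects an `acme.json` whose file mode is wider than 0600, so the host-side file needs that mode. A comment next to the storage flag would record both, e.g. `# persisted via the /letsencrypt volume; host file must be 0600 (holds private keys)`. The mail hunk later in this diff mounts `/srv/docker/container/letsencrypt/etc/acme.json` as if it were this file; if that is the intended host path, the traefik volume mapping should say so.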
@@ -55,6 +58,7 @@ services:
 - "traefik.http.routers.sonarr.rule=Host(`son.depaoli.id.au`)"
 - "traefik.http.routers.sonarr.tls=true"
 - "traefik.http.routers.sonarr.entrypoints=secureweb"
+ - "traefik.http.routers.sonarr.tls.certresolver=myresolver"
 depends_on:
 - pihole
 volumes:
@@ -98,6 +102,7 @@ services:
 - "traefik.http.routers.radarr.rule=Host(`rad.depaoli.id.au`)"
 - "traefik.http.routers.radarr.tls=true"
 - "traefik.http.routers.radarr.entrypoints=secureweb"
+ - "traefik.http.routers.radarr.tls.certresolver=myresolver"
 depends_on:
 - pihole
 volumes:
@@ -181,31 +186,35 @@ services:
 # direct play on tv works (from memory)
 emby:
 container_name: emby
- image: emby/embyserver
+# image: emby/embyserver
+ image: emby/embyserver:beta
 restart: always
 network_mode: host
 environment:
 - UID=500
 - GID=500
- # 44 is video for nvidia driver support / transcoding
- - GIDLIST=44
+ # 44 is for /dev/dri/card driver support / 110 for AMD transcoding
+ - GIDLIST=44,110
 - TZ=Australia/Melbourne
 volumes:
 - /srv/docker/container/emby/config:/config
- - /export/docker/storage/transcode:/transcode
+ - /srv/docker/container/emby/transcode:/transcode
 - /export/docker/storage:/data
 - /export/myth/tv:/myth-recordings
 - /etc/localtime:/etc/localtime:ro
+ devices:
+ - /dev/dri:/dev/dri
 depends_on:
 - pihole
 labels:
 - "com.centurylinklabs.watchtower.enable=true"
 - "traefik.enable=true"
 - "traefik.http.routers.emby.rule=Host(`emby.depaoli.id.au`)"
- # to note with network_mode: host, this only works via ipv6! --> traefik routes this to http://[::]:8096"
+ # to note with network_mode: host, this works via localhost --> traefik routes this to http://localhost:8096"
 - "traefik.http.services.emby.loadbalancer.server.port=8096"
 - "traefik.http.routers.emby.tls=true"
 - "traefik.http.routers.emby.entrypoints=secureweb"
+ - "traefik.http.routers.emby.tls.certresolver=myresolver"
 # fail2ban might need a better whitelist? (I had internal docker ips in my quick fudge as well?)
 mail:
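Review bot: `image: emby/embyserver:beta` together with the `com.centurylinklabs.watchtower.enable=true` label a few lines below means watchtower will auto-pull every pre-release build onto a `network_mode: host` container that now also has `/dev/dri` passed through; a floating pre-release tag is the least predictable thing to auto-update. If beta is required for the AMD transcoding path, pin a specific beta tag or set the watchtower label to `false` for this service, and drop the commented-out `# image: emby/embyserver` line since git history already keeps it. The new GIDLIST comment would be more useful naming the host groups, e.g. `# 44 = video, 110 = render on this host (host-specific; check getent group)` — assuming 110 is the render group here, which the hunk does not show.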
@@ -233,11 +242,12 @@ services:
 - /srv/docker/container/mail/state:/var/mail-state
 - /srv/docker/container/mail/log:/var/log/mail
 - /srv/docker/container/mail/config/:/tmp/docker-mailserver/
- - /srv/docker/container/letsencrypt/etc:/etc/letsencrypt
 - /etc/localtime:/etc/localtime:ro
 # used (via .../mail/config/user-patches.sh) to insert a cron job running from .../mara-bin, and writing to .../monitoring-results)
 - /srv/docker/container/mail/mara-bin:/root/bin
 - /srv/docker/container/mail/monitoring-results:/monitoring-results
+ # NOTE: depweb container gets traefik to manage depaoli.id.au cert (and store it into acme.json)
+ - /srv/docker/container/letsencrypt/etc/acme.json:/etc/letsencrypt/acme.json:ro
 environment:
 - ENABLE_CLAMAV=1
 - ENABLE_FAIL2BAN=1
@@ -332,16 +342,17 @@ services:
 - "389:1389"
 # webmail
- roundcubemail:
+ webmail:
 image: roundcube/roundcubemail
- container_name: roundcubemail
+ container_name: webmail
 restart: always
 labels:
 - "com.centurylinklabs.watchtower.enable=true"
 - "traefik.enable=true"
- - "traefik.http.routers.roundcube.rule=Host(`webmail.depaoli.id.au`)"
- - "traefik.http.routers.roundcube.entrypoints=secureweb"
- - "traefik.http.routers.roundcube.tls=true"
+ - "traefik.http.routers.webmail.rule=Host(`webmail.depaoli.id.au`)"
+ - "traefik.http.routers.webmail.entrypoints=secureweb"
+ - "traefik.http.routers.webmail.tls=true"
+ - "traefik.http.routers.webmail.tls.certresolver=myresolver"
 volumes:
 - /srv/docker/container/roundcubemail/www:/var/www/html
 - /srv/docker/container/roundcubemail/db/sqlite:/var/roundcube/db
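Review bot: Mounting Traefik's `acme.json` read-only into the mail container is the right shape (the file holds the ACME account key and every issued private key, so `:ro` matters), but the hunk does not show the `SSL_TYPE` / `SSL_DOMAIN` settings docker-mailserver needs to actually extract a certificate from it; without `SSL_TYPE=letsencrypt` the mount is unused, and with the old `/etc/letsencrypt` directory mount removed the container would then have no certificate at all. The file only contains certificates for hostnames some Traefik router requested — the NOTE says `depaoli.id.au` via depweb — so if the mail container's hostname is a subdomain, the apex certificate will not match it. Suggest extending the NOTE: `# NOTE: needs SSL_TYPE=letsencrypt (and SSL_DOMAIN if hostname != depaoli.id.au); this file is also traefik's ACME store, keep :ro`. The service's `environment:` block is cut off by the hunk, so those variables may already be set.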
@@ -404,10 +415,11 @@ services:
 # to note traefik is used here, but handled via files due to use of "network_mode: host"
 - "traefik.enable=true"
 - "traefik.http.routers.hass.rule=Host(`hass.depaoli.id.au`)"
- # to note with network_mode: host, this only works via ipv6! --> traefik routes this to http://[::]:8123"
+ # to note with network_mode: host, this works via localhost --> traefik routes this to http://localhost:8123"
 - "traefik.http.services.hass.loadbalancer.server.port=8123"
 - "traefik.http.routers.hass.tls=true"
 - "traefik.http.routers.hass.entrypoints=secureweb"
+ - "traefik.http.routers.hass.tls.certresolver=myresolver"
 # this runs in network_most host so that it can find the players automatically
 mass:
@@ -429,7 +441,8 @@ services:
 - "traefik.http.routers.mass.entrypoints=secureweb"
 - "traefik.http.middlewares.stripprefix-mass.stripprefix.prefixes=/mass"
 - "traefik.http.routers.mass.middlewares=stripprefix-mass@docker"
- # to note with network_mode: host, this only works via ipv6! --> traefik routes this to http://[::]:8095"
+ - "traefik.http.routers.mass.tls.certresolver=myresolver"
+ # to note with network_mode: host, this works via localhost --> traefik routes this to http://127.0.0.1:8095"
 - "traefik.http.services.mass.loadbalancer.server.port=8095"
 mosquitto:
@@ -458,11 +471,8 @@ services:
 labels:
 - "com.centurylinklabs.watchtower.enable=true"
 - "traefik.enable=true"
- - "traefik.http.routers.esphome.rule=Host(`hass.depaoli.id.au`) && PathPrefix(`/esphome/`)"
- - "traefik.http.routers.esphome.tls=true"
- - "traefik.http.routers.esphome.entrypoints=secureweb"
- - "traefik.http.middlewares.stripprefix-esphome.stripprefix.prefixes=/esphome"
- - "traefik.http.routers.esphome.middlewares=stripprefix-esphome@docker"
+ - "traefik.http.routers.esphome.rule=Host(`esphome.ddp.net`)"
+ - "traefik.http.routers.esphome.entrypoints=web"
 restart: always
 privileged: true
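Review bot: The esphome router moves from a TLS route under `hass.depaoli.id.au/esphome/` to plain HTTP on `esphome.ddp.net` through the `web` entrypoint, for a container that runs `privileged: true` and whose dashboard can compile and OTA-flash device firmware. That is reasonable if `web` is only reachable from the LAN — the `traefik.ddp.net` dashboard uses the same pattern — but nothing in the hunk records that assumption; a line such as `# LAN-only route (web entrypoint, .ddp.net); dashboard can flash devices, keep it off the public entrypoints` would. The `mass` comment in the preceding hunk says `127.0.0.1` where the emby and hass comments say `localhost`; pick one wording so the three stay greppable together.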
@@ -517,16 +527,16 @@ services:
 container_name: telegraf
 # needs to be 0 / root to run smartmontools / nvme
 user: 0:139
- entrypoint: /entrypoint-wrapper.sh
+ entrypoint: /root/mara-init/entrypoint-wrapper.sh
 volumes:
 - /srv/docker/container/telegraf:/etc/telegraf
 - /srv/docker/container/telegraf/sudoers/smart:/etc/sudoers.d/smart
- - /srv/docker/container/telegraf/entrypoint-wrapper.sh:/root/entrypoint-wrapper.sh
- - /srv/docker/container/telegraf/monitoring-results:/usr/local/external-results/mara
- - /srv/docker/container/telegraf/entrypoint-wrapper.sh:/entrypoint-wrapper.sh
+ - /srv/docker/container/telegraf/mara-init/entrypoint-wrapper.sh:/root/mara-init/entrypoint-wrapper.sh
 # for telegraf to get external script output
+ - /srv/docker/container/telegraf/monitoring-results:/usr/local/external-results/mara
 - /srv/docker/container/mythtv/monitoring-results:/usr/local/external-results/myth
 - /srv/docker/container/mail/monitoring-results:/usr/local/external-results/mail
+ - /srv/docker/container/kuma/monitoring-results:/usr/local/external-results/kuma
 # for telegraf to see host details
 - /var/run/docker.sock:/var/run/docker.sock:ro
 - /:/host:ro
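Review bot: The monitoring-results bind mounts (telegraf's own, mythtv, mail and the new kuma one) are read-write, while the same block already marks `docker.sock` and `/` as `:ro`; the comment says these exist "for telegraf to get external script output", and the container runs as `0:139`, so `:ro` would keep a misbehaving or compromised telegraf from rewriting what the other containers report. The change is one suffix per line, e.g. `- /srv/docker/container/kuma/monitoring-results:/usr/local/external-results/kuma:ro`. The wrapper script is now mounted from `mara-init/`, consistent with the padb, mythtv and kuma hunks; the rest of the telegraf service is outside this hunk.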
@@ -553,18 +563,21 @@ services:
 - influxdb
 volumes:
 - /srv/docker/container/grafana/grafana.ini:/etc/grafana/grafana.ini
+ - /srv/docker/container/grafana/ldap.toml:/etc/grafana/ldap.toml
 - /srv/docker/container/grafana/data:/var/lib/grafana
 - /srv/docker/container/grafana/dashboards:/var/lib/grafana/dashboards
 - /srv/docker/container/grafana/grafana/provisioning:/etc/grafana/provisioning
 - /etc/localtime:/etc/localtime:ro
 env_file:
 - /srv/docker/container/grafana/config.monitoring
+ - /srv/docker/config/secrets/ldap-mail-common
 labels:
 - "com.centurylinklabs.watchtower.enable=true"
 - "traefik.enable=true"
 - "traefik.http.routers.grafana_ssl.rule=Host(`graf.depaoli.id.au`)"
 - "traefik.http.routers.grafana_ssl.tls=true"
 - "traefik.http.routers.grafana_ssl.entrypoints=secureweb"
+ - "traefik.http.routers.grafana_ssl.tls.certresolver=myresolver"
 - "traefik.http.routers.grafana.rule=PathPrefix(`/grafana/`)"
 - "traefik.http.routers.grafana.entrypoints=web"
@@ -664,21 +677,21 @@ services:
 - bookdb
 - pihole
 volumes:
- - /srv/docker/container/letsencrypt/etc:/etc/letsencrypt
 - /etc/localtime:/etc/localtime:ro
 labels:
 - "com.centurylinklabs.watchtower.enable=false"
 - "traefik.enable=true"
- - "traefik.tcp.routers.bookdb_web-tcp.rule=HostSNI(`book.depaoli.id.au`)"
- - "traefik.tcp.routers.bookdb_web-tcp.tls.passthrough=true"
- - "traefik.tcp.routers.bookdb_web-tcp.entrypoints=secureweb"
+ - "traefik.http.routers.bookdb_web.rule=Host(`book.depaoli.id.au`)"
+ - "traefik.http.routers.bookdb_web.tls=true"
+ - "traefik.http.routers.bookdb_web.entrypoints=secureweb"
+ - "traefik.http.routers.bookdb_web.tls.certresolver=myresolver"
 padb_dev:
 container_name: padb_dev
 image: postgres
 restart: always
 # replace entrypoint to install cron and a cron job to backup users so we can rebuild the content from sqls
- entrypoint: /root/init/entrypoint-wrapper.sh
+ entrypoint: /root/mara-init/entrypoint-wrapper.sh
 labels:
 - "com.centurylinklabs.watchtower.enable=true"
 environment:
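Review bot: Switching `bookdb_web` (and `paweb` and `tix` in the two following hunks) from `traefik.tcp.routers...tls.passthrough=true` to an HTTP router means Traefik now terminates TLS and forwards plain HTTP to a container that no longer has `/etc/letsencrypt` mounted; if the application still listens for HTTPS on its port the router will fail, and if it exposes more than one port Traefik needs `traefik.http.services.bookdb_web.loadbalancer.server.port=<app port>` (or `...server.scheme=https` to keep the hop encrypted). Neither label appears in the hunk, and whether the apps were reconfigured for plain HTTP is not visible here. A comment recording the decision would help future readers, e.g. `# TLS terminated at traefik; app serves plain HTTP on its internal port`. In the grafana hunk the new `ldap.toml` mount could carry `:ro` like `localtime`, since grafana only reads it.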
@@ -693,7 +706,8 @@ services:
 volumes:
 - /srv/docker/container/padb_dev/data:/var/lib/postgresql/data
 - /srv/docker/container/padb_dev/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
- - /srv/docker/container/padb_dev/init:/root/init
+ - /srv/docker/container/padb_dev/mara-init:/root/mara-init
+ - /srv/docker/container/padb_dev/mara-bin:/root/mara-bin
 - /etc/localtime:/etc/localtime:ro
 padb:
@@ -701,7 +715,7 @@ services:
 image: postgres:16
 restart: always
 # replace entrypoint to install cron and a cron job to backup users so we can rebuild the content from sqls
- entrypoint: /root/init/entrypoint-wrapper.sh
+ entrypoint: /root/mara-init/entrypoint-wrapper.sh
 labels:
 - "com.centurylinklabs.watchtower.enable=true"
 environment:
@@ -714,7 +728,8 @@ services:
 volumes:
 - /srv/docker/container/padb/data:/var/lib/postgresql/data
 - /srv/docker/container/padb/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
- - /srv/docker/container/padb/init:/root/init
+ - /srv/docker/container/padb/mara-init:/root/mara-init
+ - /srv/docker/container/padb/mara-bin:/root/mara-bin
 - /etc/localtime:/etc/localtime:ro
 paweb:
@@ -725,18 +740,20 @@ services:
 args:
 PJM_UID: 500
 PJM_GID: 500
+ environment:
+ ENV: "production"
 depends_on:
 - padb
 volumes:
- - /srv/docker/container/letsencrypt/etc:/etc/letsencrypt
 - /export/docker/storage:/export/docker/storage
 - /etc/localtime:/etc/localtime:ro
 labels:
 - "com.centurylinklabs.watchtower.enable=false"
 - "traefik.enable=true"
- - "traefik.tcp.routers.paweb-tcp.rule=HostSNI(`pa.depaoli.id.au`)"
- - "traefik.tcp.routers.paweb-tcp.tls.passthrough=true"
- - "traefik.tcp.routers.paweb-tcp.entrypoints=secureweb"
+ - "traefik.http.routers.paweb.rule=Host(`pa.depaoli.id.au`)"
+ - "traefik.http.routers.paweb.tls=true"
+ - "traefik.http.routers.paweb.entrypoints=secureweb"
+ - "traefik.http.routers.paweb.tls.certresolver=myresolver"
 tix:
 container_name: tix
@@ -746,15 +763,15 @@ services:
 build:
 context: '/home/ddp/src/snow-ticket-analysis'
 volumes:
- - /srv/docker/container/letsencrypt/etc:/etc/letsencrypt
 - /home/ddp/src/snow-ticket-analysis/stats.db:/stats.db
 - /etc/localtime:/etc/localtime:ro
 labels:
 - "com.centurylinklabs.watchtower.enable=false"
 - "traefik.enable=true"
- - "traefik.tcp.routers.tix-tcp.rule=HostSNI(`tix.depaoli.id.au`)"
- - "traefik.tcp.routers.tix-tcp.tls.passthrough=true"
- - "traefik.tcp.routers.tix-tcp.entrypoints=secureweb"
+ - "traefik.http.routers.tix.rule=Host(`tix.depaoli.id.au`)"
+ - "traefik.http.routers.tix.tls=true"
+ - "traefik.http.routers.tix.entrypoints=secureweb"
+ - "traefik.http.routers.tix.tls.certresolver=myresolver"
 vaultwarden:
 container_name: vaultwarden
@@ -775,6 +792,7 @@ services:
 - "traefik.http.routers.vaultwarden.tls=true"
 - "traefik.http.routers.vaultwarden.tls.options=tls12@file"
 - "traefik.http.routers.vaultwarden.entrypoints=secureweb"
+ - "traefik.http.routers.vaultwarden.tls.certresolver=myresolver"
 # auto-update docker images
 watchtower:
@@ -862,9 +880,14 @@ services:
 image: louislam/uptime-kuma
 container_name: kuma
 volumes:
- - /srv/docker/container/kuma:/app/data
+ - /srv/docker/container/kuma/data:/app/data
+ - /srv/docker/container/kuma/mara-bin:/root/mara-bin/
+ - /srv/docker/container/kuma/mara-init:/root/mara-init/
 - /var/run/docker.sock:/var/run/docker.sock:ro
+ # used to transfer which containers we monitor through to telegraf
+ - /srv/docker/container/kuma/monitoring-results:/monitoring-results
 - /etc/localtime:/etc/localtime:ro
+ entrypoint: /root/mara-init/entrypoint-wrapper.sh
 ports:
 - 3001:3001 # leave these in case mon.depaoli.id.au is inaccessible
 labels:
@@ -873,6 +896,7 @@ services:
 - "traefik.http.routers.kuma.rule=Host(`mon.depaoli.id.au`)"
 - "traefik.http.routers.kuma.tls=true"
 - "traefik.http.routers.kuma.entrypoints=secureweb"
+ - "traefik.http.routers.kuma.tls.certresolver=myresolver"
 restart: always
 sshwifty:
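Review bot: The kuma service now replaces the image's entrypoint with a bind-mounted `/root/mara-init/entrypoint-wrapper.sh` — the same pattern as the telegraf, padb and mythtv hunks — so uptime-kuma's own startup only happens if the wrapper chains to the original entrypoint, and the hunk gives no hint of what the wrapper does. The padb services carry a comment for this (`# replace entrypoint to install cron and ...`); an equivalent here, e.g. `# wrapper writes the monitored-container list to /monitoring-results, then execs the image entrypoint`, would document it, adjusted to whatever the script actually does. The trailing slashes on `/root/mara-bin/` and `/root/mara-init/` differ from every other mara-bin/mara-init mount in the file; harmless, but worth normalising.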
@@ -886,6 +910,7 @@ services:
 - "traefik.http.routers.sshwifty.rule=Host(`ssh.depaoli.id.au`)"
 - "traefik.http.routers.sshwifty.tls=true"
 - "traefik.http.routers.sshwifty.entrypoints=secureweb"
+ - "traefik.http.routers.sshwifty.tls.certresolver=myresolver"
 stdin_open: true
 tty: true
 volumes:
@@ -904,9 +929,10 @@ services:
 MYSQL_PASSWORD: 'mythtv'
 MYSQL_UID: 133
 MYSQL_GID: 140
- MYSQL_ROOT_PASSWORD: 'NWNlfa01'
+ env_file:
+ - /srv/docker/config/secrets/mythtv
 ports:
- - '3306:3306'
+ - "3306:3306"
 volumes:
 - /srv/docker/container/mythtv/db/sql:/docker-entrypoint-initdb.d
 - /srv/docker/container/mythtv/db/data:/var/lib/mysql
@@ -932,26 +958,17 @@ services:
 DBNAME: mythconverg
 # needs to be ip not container name as the host network_mode and DNS dont work together
 # test this as mythdb and remove network_mode host when I can
- DBSERVER: 192.168.0.2
+ DBSERVER: mythdb
 LANG: en_US.UTF-8
 LANGUAGE: en_US.UTF-8
 LOCALHOSTNAME: mara
 TZ: Australia/Melbourne
- network_mode: host
-# ports:
-# - "6543:6543"
-# - "6544:6544"
-# - "6549:6549"
-# - "6744:6744"
-# these are open in network_mode: host
-# 2022/tcp, 5000/udp, 5002/udp, 5004/udp, 65001/tcp, 65001/udp, 6543/tcp, 6544/tcp, 6549/tcp, 6760/tcp
- entrypoint: >
- /bin/bash -c "
- /root/mara-init/fix_uids.sh
- /root/mara-init/fix_apache2.sh
- /root/mara-init/install_shepherd.sh
- /root/mara-init/install_cron.sh
- /root/entrypoint.sh"
+ ports:
+ - "6543:6543"
+ - "6544:6544"
+ - "6549:6549"
+ - "6760:6760"
+ entrypoint: /root/mara-init/entrypoint-wrapper.sh
 volumes:
 - /srv/docker/container/mythtv/apache2:/var/log/apache2
 - /srv/docker/container/mythtv/data:/var/mythdata
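Review bot: Moving `MYSQL_ROOT_PASSWORD` out of the compose file into `secrets/mythtv` is the right move, but the removed literal stays in git history, so the root password should be rotated in the database and in the env_file rather than only relocated. `MYSQL_PASSWORD: 'mythtv'` on the context line just above is still an inline credential that would fit the same env_file, and this database is published on the host via `"3306:3306"`, so a weak value there is reachable from the LAN. In the mythtv hunk the two comments above `DBSERVER: mythdb` (`# needs to be ip not container name ...` and `# test this as mythdb and remove network_mode host when I can`) describe exactly what this commit just did and are now stale; they can be dropped.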
@@ -959,7 +976,7 @@ services:
 - /srv/docker/container/mythtv/ssh-config:/etc/ssh
 - /srv/docker/container/mythtv/var/log:/var/log/mythtv
 - /srv/docker/container/mythtv/mara-init:/root/mara-init
- - /srv/docker/container/mythtv/mara-bin:/usr/local/bin
+ - /srv/docker/container/mythtv/mara-bin:/root/mara-bin
 - /srv/docker/container/mythtv/db/sql:/db-container/sql
 - /srv/docker/container/mythtv/db/backups:/db-container/backups
 - /srv/docker/container/mythtv/monitoring-results:/monitoring-results
@@ -969,7 +986,7 @@ services:
 devices:
 - /dev/dvb:/dev/dvb
 env_file:
- - /srv/docker/config/secrets/mythtv
+ - /srv/docker/config/secrets/mythtv
 depends_on:
 - mythdb
@@ -993,9 +1010,10 @@ services:
 labels:
 - "com.centurylinklabs.watchtower.enable=true"
 - "traefik.enable=true"
- - "traefik.http.routers.wikitst.rule=Host(`wiki.depaoli.id.au`)"
- - "traefik.http.routers.wikitst.tls=true"
- - "traefik.http.routers.wikitst.entrypoints=secureweb"
+ - "traefik.http.routers.wiki.rule=Host(`wiki.depaoli.id.au`)"
+ - "traefik.http.routers.wiki.tls=true"
+ - "traefik.http.routers.wiki.entrypoints=secureweb"
+ - "traefik.http.routers.wiki.tls.certresolver=myresolver"
 wikidb:
 image: lscr.io/linuxserver/mariadb
@@ -1028,3 +1046,21 @@ services:
 - "traefik.enable=true"
 - "traefik.http.routers.web.rule=Host(`mara.ddp.net`) && ( Path(`/`) || PathPrefix(`/images` ) || PathPrefix(`/mythweb`) )"
 - "traefik.http.routers.web.entrypoints=web"
+
+ # this container exists solely to have traefik manage the depaoli.id.au SSL
+ # cert - the web server has no web content to serve
+ depweb:
+ image: php:apache
+ container_name: depweb
+ volumes:
+ - /srv/docker/container/depweb/data:/var/www/html
+ - /etc/localtime:/etc/localtime:ro
+ restart: unless-stopped
+ labels:
+ - "com.centurylinklabs.watchtower.enable=true"
+ - "traefik.enable=true"
+ - "traefik.http.routers.depweb.rule=Host(`depaoli.id.au`)"
+ - "traefik.http.routers.depweb.tls=true"
+ - "traefik.http.routers.depweb.entrypoints=secureweb"
+ - "traefik.http.routers.depweb.tls.certresolver=myresolver"
+
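Review bot: `depweb` exists, per its own comment, only so Traefik obtains the `depaoli.id.au` certificate, yet it publishes a full `php:apache` interpreter on the public `secureweb` entrypoint with a read-write docroot, so anything that lands in `/srv/docker/container/depweb/data` becomes executable PHP on the apex domain. If a backend is needed at all, a static-only image or at least `:ro` on the docroot mount (`- /srv/docker/container/depweb/data:/var/www/html:ro`) reduces this to a static file server; Traefik's built-in `noop@internal` service can also back a router used purely for certificate issuance, which would remove the container entirely — worth checking against the Traefik version in use. `restart: unless-stopped` also differs from the `restart: always` used by every other service in the file.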