converted over from manual certbot to traefik automatically handling certs

updated doco around when we use loadbalancer port emby now has group 110 (radeon) as well, so it can do hardware acceleration from new AMD 5600G cpu and added /dev/dri to access the hardware change roundcubemail to webmail converted mail container to use traefik's acme.json moved esphome to its own esphome.ddp.net (aka removed internet access as I could not get a password in front of it via traefik as yet) convert telegraf to use mara-init / entrypoint standar added ldap to grafana so password is now taken from secrets/ldap* converted bookdb_web, paweb, tix away from SSL passthrough to normal traefik ssl offload (also making it easier to traefik to manage certs as I had issues with some with HostSNI / passthrough converted padb* to use entrypoint standard, rather than using a separate DockerFile to have the postgres image and then my own customising converted kuma to have a new data dir and to adopt new mara-init/mara-bin/entrypoint.sh standard moved mythtv root pwd out into secrets / env file update mythtv to new mara-init, mara-bin, entrypoint.sh standard, removed use of network_mode: host, and go direct to mythdb via local dns / container name, instead of ip or mara finalised move from wikijs to bookstack (renaming wikitst to wiki) added depweb basic web service, solely to allow traefik to handle depaoli.id.au SSL domain (for mail which does not route traffic there itself)
2024-02-17 18:48:39 +11:00
parent 586e00108b
commit 7e52aa8d50
1 changed files with 103 additions and 67 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,5 +1,6 @@
-# To note, if I am using an env_file to /srv/docker/config/secrets/*, then I have taken the ENV variable with a password for that 
+# To note, if I am using an env_file to /srv/docker/config/secrets/*,
-# container and put it into a separate file (1 place for common pwds like for ldap, but also so this file can be shared safely)
+# then I have taken the ENV variable with a password for that container and 
 # put it into a separate file (1 place for common pwds like for ldap, but also so this file can be shared safely)
 version: '3.7'
 services:
  traefik:
@@ -12,7 +13,6 @@ services:
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.useBindPortIP=true"
      - "--providers.file=true"
      - "--providers.file.directory=/configuration/"
      - "--providers.file.watch=true"
@@ -23,13 +23,16 @@ services:
      - "--accesslog.fields.names.StartUTC=drop"
      - "--accesslog.filters.statuscodes=400-599"
      - "--accesslog.filters.minduration=50ms"
      # cert resolver (PROD)
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=postmaster@depaoli.id.au"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.ddp.net`)"
      - "traefik.http.routers.dashboard.entrypoints=web"
-      # need to ensure incoming traffic for traefik goes to port 8080 inside
+      # too many other ports (80, 443) so we have to be explicit & with network_mode: host traefik routes to localhost:8080
      # the container, too many other ports (80, 443) so we have to be explicit
      - "traefik.http.services.dashboard.loadbalancer.server.port=8080"
      - "traefik.http.routers.dashboard.service=api@internal"
    depends_on:
@@ -55,6 +58,7 @@ services:
      - "traefik.http.routers.sonarr.rule=Host(`son.depaoli.id.au`)"
      - "traefik.http.routers.sonarr.tls=true"
      - "traefik.http.routers.sonarr.entrypoints=secureweb"
      - "traefik.http.routers.sonarr.tls.certresolver=myresolver"
    depends_on:
      - pihole
    volumes:
@@ -98,6 +102,7 @@ services:
      - "traefik.http.routers.radarr.rule=Host(`rad.depaoli.id.au`)"
      - "traefik.http.routers.radarr.tls=true"
      - "traefik.http.routers.radarr.entrypoints=secureweb"
      - "traefik.http.routers.radarr.tls.certresolver=myresolver"
    depends_on:
      - pihole
    volumes:
@@ -181,31 +186,35 @@ services:
  # direct play on tv works (from memory)
  emby:
    container_name: emby
-    image:  emby/embyserver
+#    image:  emby/embyserver
    image:  emby/embyserver:beta
    restart: always
    network_mode: host
    environment:
      - UID=500
      - GID=500
-      # 44 is video for nvidia driver support / transcoding
+      # 44 is for /dev/dri/card driver support / 110 for AMD transcoding
-      - GIDLIST=44
+      - GIDLIST=44,110
      - TZ=Australia/Melbourne
    volumes:
      - /srv/docker/container/emby/config:/config
-      - /export/docker/storage/transcode:/transcode
+      - /srv/docker/container/emby/transcode:/transcode
      - /export/docker/storage:/data
      - /export/myth/tv:/myth-recordings
      - /etc/localtime:/etc/localtime:ro
    devices:
      - /dev/dri:/dev/dri
    depends_on:
      - pihole
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.emby.rule=Host(`emby.depaoli.id.au`)"
-      # to note with network_mode: host, this only works via ipv6! --> traefik routes this to http://[::]:8096"
+      # to note with network_mode: host, this works via localhost --> traefik routes this to http://localhost:8096"
      - "traefik.http.services.emby.loadbalancer.server.port=8096"
      - "traefik.http.routers.emby.tls=true"
      - "traefik.http.routers.emby.entrypoints=secureweb"
      - "traefik.http.routers.emby.tls.certresolver=myresolver"
  # fail2ban might need a better whitelist? (I had internal docker ips in my quick fudge as well?)
  mail:
@@ -233,11 +242,12 @@ services:
      - /srv/docker/container/mail/state:/var/mail-state
      - /srv/docker/container/mail/log:/var/log/mail
      - /srv/docker/container/mail/config/:/tmp/docker-mailserver/
      - /srv/docker/container/letsencrypt/etc:/etc/letsencrypt
      - /etc/localtime:/etc/localtime:ro
      # used (via .../mail/config/user-patches.sh) to insert a cron job running from .../mara-bin, and writing to .../monitoring-results)
      - /srv/docker/container/mail/mara-bin:/root/bin
      - /srv/docker/container/mail/monitoring-results:/monitoring-results
      # NOTE: depweb container gets traefik to manage depaoli.id.au cert (and store it into acme.json)
      - /srv/docker/container/letsencrypt/etc/acme.json:/etc/letsencrypt/acme.json:ro
    environment:
      - ENABLE_CLAMAV=1
      - ENABLE_FAIL2BAN=1
@@ -332,16 +342,17 @@ services:
      - "389:1389"
  # webmail
-  roundcubemail:
+  webmail:
    image: roundcube/roundcubemail
-    container_name: roundcubemail
+    container_name: webmail
    restart: always
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
-      - "traefik.http.routers.roundcube.rule=Host(`webmail.depaoli.id.au`)"
+      - "traefik.http.routers.webmail.rule=Host(`webmail.depaoli.id.au`)"
-      - "traefik.http.routers.roundcube.entrypoints=secureweb"
+      - "traefik.http.routers.webmail.entrypoints=secureweb"
-      - "traefik.http.routers.roundcube.tls=true"
+      - "traefik.http.routers.webmail.tls=true"
      - "traefik.http.routers.webmail.tls.certresolver=myresolver"
    volumes:
      - /srv/docker/container/roundcubemail/www:/var/www/html
      - /srv/docker/container/roundcubemail/db/sqlite:/var/roundcube/db
@@ -404,10 +415,11 @@ services:
      # to note traefik is used here, but handled via files due to use of "network_mode: host"
      - "traefik.enable=true"
      - "traefik.http.routers.hass.rule=Host(`hass.depaoli.id.au`)"
-      # to note with network_mode: host, this only works via ipv6! --> traefik routes this to http://[::]:8123"
+      # to note with network_mode: host, this works via localhost --> traefik routes this to http://localhost:8123"
      - "traefik.http.services.hass.loadbalancer.server.port=8123"
      - "traefik.http.routers.hass.tls=true"
      - "traefik.http.routers.hass.entrypoints=secureweb"
      - "traefik.http.routers.hass.tls.certresolver=myresolver"
  # this runs in network_most host so that it can find the players automatically
  mass:
@@ -429,7 +441,8 @@ services:
      - "traefik.http.routers.mass.entrypoints=secureweb"
      - "traefik.http.middlewares.stripprefix-mass.stripprefix.prefixes=/mass"
      - "traefik.http.routers.mass.middlewares=stripprefix-mass@docker"
-      # to note with network_mode: host, this only works via ipv6! --> traefik routes this to http://[::]:8095"
+      - "traefik.http.routers.mass.tls.certresolver=myresolver"
      # to note with network_mode: host, this works via localhost --> traefik routes this to http://127.0.0.1:8095"
      - "traefik.http.services.mass.loadbalancer.server.port=8095"
  mosquitto:
@@ -458,11 +471,8 @@ services:
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
-      - "traefik.http.routers.esphome.rule=Host(`hass.depaoli.id.au`) && PathPrefix(`/esphome/`)"
+      - "traefik.http.routers.esphome.rule=Host(`esphome.ddp.net`)"
-      - "traefik.http.routers.esphome.tls=true"
+      - "traefik.http.routers.esphome.entrypoints=web"
      - "traefik.http.routers.esphome.entrypoints=secureweb"
      - "traefik.http.middlewares.stripprefix-esphome.stripprefix.prefixes=/esphome"
      - "traefik.http.routers.esphome.middlewares=stripprefix-esphome@docker"
    restart: always
    privileged: true
@@ -517,16 +527,16 @@ services:
    container_name: telegraf
    # needs to be 0 / root to run smartmontools / nvme
    user: 0:139
-    entrypoint: /entrypoint-wrapper.sh
+    entrypoint: /root/mara-init/entrypoint-wrapper.sh
    volumes:
      - /srv/docker/container/telegraf:/etc/telegraf
      - /srv/docker/container/telegraf/sudoers/smart:/etc/sudoers.d/smart
-      - /srv/docker/container/telegraf/entrypoint-wrapper.sh:/root/entrypoint-wrapper.sh
+      - /srv/docker/container/telegraf/mara-init/entrypoint-wrapper.sh:/root/mara-init/entrypoint-wrapper.sh
      - /srv/docker/container/telegraf/monitoring-results:/usr/local/external-results/mara
      - /srv/docker/container/telegraf/entrypoint-wrapper.sh:/entrypoint-wrapper.sh
      # for telegraf to get external script output
      - /srv/docker/container/telegraf/monitoring-results:/usr/local/external-results/mara
      - /srv/docker/container/mythtv/monitoring-results:/usr/local/external-results/myth
      - /srv/docker/container/mail/monitoring-results:/usr/local/external-results/mail
      - /srv/docker/container/kuma/monitoring-results:/usr/local/external-results/kuma
      # for telegraf to see host details
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /:/host:ro
@@ -553,18 +563,21 @@ services:
      - influxdb
    volumes:
      - /srv/docker/container/grafana/grafana.ini:/etc/grafana/grafana.ini
      - /srv/docker/container/grafana/ldap.toml:/etc/grafana/ldap.toml
      - /srv/docker/container/grafana/data:/var/lib/grafana
      - /srv/docker/container/grafana/dashboards:/var/lib/grafana/dashboards
      - /srv/docker/container/grafana/grafana/provisioning:/etc/grafana/provisioning
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - /srv/docker/container/grafana/config.monitoring
      - /srv/docker/config/secrets/ldap-mail-common
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.grafana_ssl.rule=Host(`graf.depaoli.id.au`)"
      - "traefik.http.routers.grafana_ssl.tls=true"
      - "traefik.http.routers.grafana_ssl.entrypoints=secureweb"
      - "traefik.http.routers.grafana_ssl.tls.certresolver=myresolver"
      - "traefik.http.routers.grafana.rule=PathPrefix(`/grafana/`)"
      - "traefik.http.routers.grafana.entrypoints=web"
@@ -664,21 +677,21 @@ services:
      - bookdb
      - pihole
    volumes:
     - /srv/docker/container/letsencrypt/etc:/etc/letsencrypt
     - /etc/localtime:/etc/localtime:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
      - "traefik.enable=true"
-      - "traefik.tcp.routers.bookdb_web-tcp.rule=HostSNI(`book.depaoli.id.au`)"
+      - "traefik.http.routers.bookdb_web.rule=Host(`book.depaoli.id.au`)"
-      - "traefik.tcp.routers.bookdb_web-tcp.tls.passthrough=true"
+      - "traefik.http.routers.bookdb_web.tls=true"
-      - "traefik.tcp.routers.bookdb_web-tcp.entrypoints=secureweb"
+      - "traefik.http.routers.bookdb_web.entrypoints=secureweb"
      - "traefik.http.routers.bookdb_web.tls.certresolver=myresolver"
  padb_dev:
    container_name: padb_dev
    image: postgres
    restart: always
    # replace entrypoint to install cron and a cron job to backup users so we can rebuild the content from sqls
-    entrypoint: /root/init/entrypoint-wrapper.sh
+    entrypoint: /root/mara-init/entrypoint-wrapper.sh
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
    environment:
@@ -693,7 +706,8 @@ services:
    volumes:
      - /srv/docker/container/padb_dev/data:/var/lib/postgresql/data
      - /srv/docker/container/padb_dev/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
-      - /srv/docker/container/padb_dev/init:/root/init
+      - /srv/docker/container/padb_dev/mara-init:/root/mara-init
      - /srv/docker/container/padb_dev/mara-bin:/root/mara-bin
      - /etc/localtime:/etc/localtime:ro
  padb:
@@ -701,7 +715,7 @@ services:
    image: postgres:16
    restart: always
    # replace entrypoint to install cron and a cron job to backup users so we can rebuild the content from sqls
-    entrypoint: /root/init/entrypoint-wrapper.sh
+    entrypoint: /root/mara-init/entrypoint-wrapper.sh
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
    environment:
@@ -714,7 +728,8 @@ services:
    volumes:
      - /srv/docker/container/padb/data:/var/lib/postgresql/data
      - /srv/docker/container/padb/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
-      - /srv/docker/container/padb/init:/root/init
+      - /srv/docker/container/padb/mara-init:/root/mara-init
      - /srv/docker/container/padb/mara-bin:/root/mara-bin
      - /etc/localtime:/etc/localtime:ro
  paweb:
@@ -725,18 +740,20 @@ services:
      args:
        PJM_UID: 500
        PJM_GID: 500
    environment:
        ENV: "production"
    depends_on:
      - padb
    volumes:
      - /srv/docker/container/letsencrypt/etc:/etc/letsencrypt
      - /export/docker/storage:/export/docker/storage
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
      - "traefik.enable=true"
-      - "traefik.tcp.routers.paweb-tcp.rule=HostSNI(`pa.depaoli.id.au`)"
+      - "traefik.http.routers.paweb.rule=Host(`pa.depaoli.id.au`)"
-      - "traefik.tcp.routers.paweb-tcp.tls.passthrough=true"
+      - "traefik.http.routers.paweb.tls=true"
-      - "traefik.tcp.routers.paweb-tcp.entrypoints=secureweb"
+      - "traefik.http.routers.paweb.entrypoints=secureweb"
      - "traefik.http.routers.paweb.tls.certresolver=myresolver"
  tix:
    container_name: tix
@@ -746,15 +763,15 @@ services:
    build: 
      context: '/home/ddp/src/snow-ticket-analysis'
    volumes:
      - /srv/docker/container/letsencrypt/etc:/etc/letsencrypt
      - /home/ddp/src/snow-ticket-analysis/stats.db:/stats.db
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
      - "traefik.enable=true"
-      - "traefik.tcp.routers.tix-tcp.rule=HostSNI(`tix.depaoli.id.au`)"
+      - "traefik.http.routers.tix.rule=Host(`tix.depaoli.id.au`)"
-      - "traefik.tcp.routers.tix-tcp.tls.passthrough=true"
+      - "traefik.http.routers.tix.tls=true"
-      - "traefik.tcp.routers.tix-tcp.entrypoints=secureweb"
+      - "traefik.http.routers.tix.entrypoints=secureweb"
      - "traefik.http.routers.tix.tls.certresolver=myresolver"
  vaultwarden:
    container_name: vaultwarden
@@ -775,6 +792,7 @@ services:
      - "traefik.http.routers.vaultwarden.tls=true"
      - "traefik.http.routers.vaultwarden.tls.options=tls12@file"
      - "traefik.http.routers.vaultwarden.entrypoints=secureweb"
      - "traefik.http.routers.vaultwarden.tls.certresolver=myresolver"
  # auto-update docker images
  watchtower:
@@ -862,9 +880,14 @@ services:
    image: louislam/uptime-kuma
    container_name: kuma
    volumes:
-      - /srv/docker/container/kuma:/app/data
+      - /srv/docker/container/kuma/data:/app/data
      - /srv/docker/container/kuma/mara-bin:/root/mara-bin/
      - /srv/docker/container/kuma/mara-init:/root/mara-init/
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # used to transfer which containers we monitor through to telegraf
      - /srv/docker/container/kuma/monitoring-results:/monitoring-results
      - /etc/localtime:/etc/localtime:ro
    entrypoint: /root/mara-init/entrypoint-wrapper.sh
    ports:
      - 3001:3001  # leave these in case mon.depaoli.id.au is inaccessible
    labels:
@@ -873,6 +896,7 @@ services:
      - "traefik.http.routers.kuma.rule=Host(`mon.depaoli.id.au`)"
      - "traefik.http.routers.kuma.tls=true"
      - "traefik.http.routers.kuma.entrypoints=secureweb"
      - "traefik.http.routers.kuma.tls.certresolver=myresolver"
    restart: always
  sshwifty:
@@ -886,6 +910,7 @@ services:
      - "traefik.http.routers.sshwifty.rule=Host(`ssh.depaoli.id.au`)"
      - "traefik.http.routers.sshwifty.tls=true"
      - "traefik.http.routers.sshwifty.entrypoints=secureweb"
      - "traefik.http.routers.sshwifty.tls.certresolver=myresolver"
    stdin_open: true
    tty: true
    volumes:
@@ -904,9 +929,10 @@ services:
      MYSQL_PASSWORD: 'mythtv'
      MYSQL_UID: 133
      MYSQL_GID: 140
-      MYSQL_ROOT_PASSWORD: 'NWNlfa01'
+    env_file:
        - /srv/docker/config/secrets/mythtv
    ports:
-      - '3306:3306'
+        - "3306:3306"
    volumes:
      - /srv/docker/container/mythtv/db/sql:/docker-entrypoint-initdb.d
      - /srv/docker/container/mythtv/db/data:/var/lib/mysql
@@ -932,26 +958,17 @@ services:
      DBNAME: mythconverg
      # needs to be ip not container name as the host network_mode and DNS dont work together
      # test this as mythdb and remove network_mode host when I can
-      DBSERVER: 192.168.0.2
+      DBSERVER: mythdb
      LANG: en_US.UTF-8
      LANGUAGE: en_US.UTF-8
      LOCALHOSTNAME: mara
      TZ: Australia/Melbourne
-    network_mode: host
+    ports:
-#    ports:
+      - "6543:6543"
-#      - "6543:6543"
+      - "6544:6544"
-#      - "6544:6544"
+      - "6549:6549"
-#      - "6549:6549"
+      - "6760:6760"
-#      - "6744:6744"
+    entrypoint: /root/mara-init/entrypoint-wrapper.sh
 # these are open in network_mode: host
 #      2022/tcp, 5000/udp, 5002/udp, 5004/udp, 65001/tcp, 65001/udp, 6543/tcp, 6544/tcp, 6549/tcp, 6760/tcp
    entrypoint: >
      /bin/bash -c "
        /root/mara-init/fix_uids.sh
        /root/mara-init/fix_apache2.sh
        /root/mara-init/install_shepherd.sh
        /root/mara-init/install_cron.sh
        /root/entrypoint.sh"
    volumes:
      - /srv/docker/container/mythtv/apache2:/var/log/apache2
      - /srv/docker/container/mythtv/data:/var/mythdata
@@ -959,7 +976,7 @@ services:
      - /srv/docker/container/mythtv/ssh-config:/etc/ssh
      - /srv/docker/container/mythtv/var/log:/var/log/mythtv
      - /srv/docker/container/mythtv/mara-init:/root/mara-init
-      - /srv/docker/container/mythtv/mara-bin:/usr/local/bin
+      - /srv/docker/container/mythtv/mara-bin:/root/mara-bin
      - /srv/docker/container/mythtv/db/sql:/db-container/sql
      - /srv/docker/container/mythtv/db/backups:/db-container/backups
      - /srv/docker/container/mythtv/monitoring-results:/monitoring-results
@@ -969,7 +986,7 @@ services:
    devices:
      - /dev/dvb:/dev/dvb
    env_file:
-        - /srv/docker/config/secrets/mythtv
+      - /srv/docker/config/secrets/mythtv
    depends_on:
      - mythdb
@@ -993,9 +1010,10 @@ services:
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
-      - "traefik.http.routers.wikitst.rule=Host(`wiki.depaoli.id.au`)"
+      - "traefik.http.routers.wiki.rule=Host(`wiki.depaoli.id.au`)"
-      - "traefik.http.routers.wikitst.tls=true"
+      - "traefik.http.routers.wiki.tls=true"
-      - "traefik.http.routers.wikitst.entrypoints=secureweb"
+      - "traefik.http.routers.wiki.entrypoints=secureweb"
      - "traefik.http.routers.wiki.tls.certresolver=myresolver"
  wikidb:
    image: lscr.io/linuxserver/mariadb
@@ -1028,3 +1046,21 @@ services:
      - "traefik.enable=true"
      - "traefik.http.routers.web.rule=Host(`mara.ddp.net`) && ( Path(`/`) || PathPrefix(`/images` ) || PathPrefix(`/mythweb`) )"
      - "traefik.http.routers.web.entrypoints=web"
  # this container exists solely to have traefik manage the depaoli.id.au SSL
  # cert - the web server has no web content to serve
  depweb:
    image: php:apache
    container_name: depweb
    volumes:
      - /srv/docker/container/depweb/data:/var/www/html
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.depweb.rule=Host(`depaoli.id.au`)"
      - "traefik.http.routers.depweb.tls=true"
      - "traefik.http.routers.depweb.entrypoints=secureweb"
      - "traefik.http.routers.depweb.tls.certresolver=myresolver"