From e519ae14936d06e7dfd321ead1c732bea7ab4285 Mon Sep 17 00:00:00 2001
From: Damien De Paoli
Date: Sat, 4 Jan 2025 22:35:14 +1100
Subject: [PATCH] explicit use of 0.0.0.0 in port stanzas to force only opening up ipv4, added heimdall and adguard. For now pihole is still there, just the ports have been hidden so adguard is active dns. Using heimdall as mara.ddp.net default web content now, moved mythweb to myth.ddp.net. Finally, just use user root (no group docker) for telegraf

---
 docker-compose.yml | 126 ++++++++++++++++++++++++++++++++++-----------
 1 file changed, 96 insertions(+), 30 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 4baed2f..8af19e6 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -44,6 +44,25 @@ services:
       - /srv/docker/container/letsencrypt/etc:/letsencrypt
       - /etc/localtime:/etc/localtime:ro
 
+  heimdall:
+    container_name: heimdall
+    image: lscr.io/linuxserver/heimdall:latest
+    restart: unless-stopped
+    environment:
+      - TZ=Australia/Melbourne
+    volumes:
+      - /srv/docker/container/heimdall:/config
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - 10080:80
+      - 10443:443
+    labels:
+      - "com.centurylinklabs.watchtower.enable=true"
+      - "traefik.enable=true"
+      - "traefik.http.routers.heimdall.rule=Host(`heimdall.ddp.net`) || Host(`mara.ddp.net`)"
+      - "traefik.http.routers.heimdall.entrypoints=web"
+      - "last.commit.url=https://api.github.com/repos/linuxserver/docker-heimdall/commits"
+
   sonarr:
     container_name: sonarr
     image: linuxserver/sonarr:latest
@@ -145,7 +164,7 @@ services:
   emby:
     container_name: emby
 #    image: emby/embyserver:latest
-    image: emby/embyserver:4.9.0.32
+    image: emby/embyserver:4.9.0.34
     restart: always
     network_mode: host
     environment:
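Review bot: The heimdall `ports:` entries are the only new host publishes in this commit that are neither quoted nor bound to an address, `- 10080:80` and `- 10443:443`, while every other stanza the commit touches uses the `"0.0.0.0:HOST:CONTAINER"` form; for consistency with the commit's own intent they should read `- "0.0.0.0:10080:80"` and `- "0.0.0.0:10443:443"`. Because the service is also routed by traefik, the direct publish makes the dashboard reachable on those host ports without going through the proxy at all; if traefik is meant to be the only entry, the `ports:` block can be dropped. Unlike the adguard stanza later in this commit, no `traefik.http.services.heimdall.loadbalancer.server.port` label is set, and the container appears to expose both 80 and 443 (inferred from the two mapped container ports), so which backend port traefik selects is left to the provider's default; adding `server.port=80` removes that ambiguity.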
@@ -182,10 +201,10 @@ services:
     container_name: mail
     restart: always
     ports:
-      - "25:25"
-      - "465:465"
-      - "587:587"
-      - "993:993"
+      - "0.0.0.0:25:25"
+      - "0.0.0.0:465:465"
+      - "0.0.0.0:587:587"
+      - "0.0.0.0:993:993"
     labels:
       # somehow watchtower keeps restarting mail even without an update AND the mailserver emails me with updates anyway
       - "com.centurylinklabs.watchtower.enable=true"
@@ -289,7 +308,7 @@ services:
       - /srv/docker/container/ldap/bootstrap-ldifs:/ldifs
       - /etc/localtime:/etc/localtime:ro
     ports:
-      - "389:1389"
+      - "0.0.0.0:389:1389"
 
   # webmail
   webmail:
@@ -411,7 +430,7 @@ services:
       - "com.centurylinklabs.watchtower.enable=true"
       - "last.commit.url=https://api.github.com/repos/eclipse/mosquitto/commits"
     ports:
-      - "1883:1883"
+      - "0.0.0.0:1883:1883"
 
   esphome:
     container_name: esphome
@@ -432,7 +451,6 @@ services:
     privileged: true
 
   sabnzbd:
-#    image: linuxserver/sabnzbd:4.2.2-ls151
     image: linuxserver/sabnzbd:latest
     container_name: sabnzbd
     restart: always
@@ -481,9 +499,9 @@ services:
   telegraf:
     image: telegraf:latest
     container_name: telegraf
-    # needs to be 0 / root to run smartmontools / nvme, and 124/docker to read docker.sock
-    #user: "root:docker"
-    user: "root:124"
+    # needs to be 0 / root to run smartmontools / nvme
+    user: "root"
+    # this is used to add docker group to telegraf user for reading docker.sock and installing smartmontools, etc.
     entrypoint: /root/mara-init/entrypoint-wrapper.sh
     volumes:
       - /srv/docker/container/telegraf:/etc/telegraf
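Review bot: Binding to `0.0.0.0` in the mail hunk (and likewise in the ldap, mosquitto, eufy, mediamtx, kuma, mythtv db, mythtv, samba and ftp hunks) suppresses the IPv6 publish as the commit intends, but it still publishes each port on every IPv4 address the host has, so plaintext services such as LDAP on 389, MQTT on 1883, MySQL on 3306, SMB on 139/445 and FTP on 20/21 become explicitly reachable on any non-LAN address the host may carry. The adguard stanza in this same commit already uses the narrower form, `"192.168.0.2:53:53/tcp"`; for anything meant to be LAN-only, a binding such as `- "192.168.0.2:389:1389"` states that intent in the compose file instead of relying on the host firewall. Whether the host actually has a routable address is not visible from the diff, so this is worth confirming rather than assuming. The mail ports themselves (25/465/587/993) are presumably meant to be public and are fine as written.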
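Review bot: In the telegraf hunk the new comment `# this is used to add docker group to telegraf user for reading docker.sock and installing smartmontools, etc.` sits above `entrypoint:` but still reads as if it describes a `user:` group, which this commit just removed; with the user now plain `root`, no group membership is needed for the socket and the sentence is misleading. Suggest `# entrypoint wrapper installs smartmontools/nvme tooling; running as root also covers docker.sock access` directly above `entrypoint:`. Running as root with the docker socket mounted (the volumes list continues past the hunk, so the mount is inferred from the comment) is effectively equivalent to root on the host, which is worth stating in the comment so the trade-off stays visible to the next reader.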
@@ -541,12 +559,33 @@ services:
       - "traefik.http.routers.grafana.entrypoints=web"
       - "last.commit.url=https://api.github.com/repos/grafana/grafana/commits"
 
-  pihole:
-    container_name: pihole
-    image: pihole/pihole:latest
+  adguard:
+    container_name: adguard
+    image: adguard/adguardhome
     ports:
       - "192.168.0.2:53:53/tcp"
       - "192.168.0.2:53:53/udp"
+    environment:
+      TZ: 'Australia/Melbourne'
+    volumes:
+      - /srv/docker/container/adguard/conf:/opt/adguardhome/conf
+      - /srv/docker/container/adguard/work:/opt/adguardhome/work
+      - /etc/localtime:/etc/localtime:ro
+    restart: always
+    labels:
+      - "com.centurylinklabs.watchtower.enable=true"
+      - "traefik.enable=true"
+      - "traefik.http.routers.adguard.rule=Host(`adguard.ddp.net`)"
+      - "traefik.http.routers.adguard.entrypoints=web"
+      - "traefik.http.services.adguard.loadbalancer.server.port=80"
+      - "last.commit.url=https://api.github.com/repos/AdguardTeam/AdGuardHome/commits"
+
+  pihole:
+    container_name: pihole
+    image: pihole/pihole:latest
+#    ports:
+#      - "192.168.0.2:53:53/tcp"
+#      - "192.168.0.2:53:53/udp"
     environment:
       TZ: 'Australia/Melbourne'
       PIHOLE_DNS_: '208.67.222.222;208.67.220.220'
@@ -847,7 +886,7 @@ services:
     env_file:
       - /srv/docker/config/secrets/eufy_security_ws
     ports:
-      - "3000:3000"
+      - "0.0.0.0:3000:3000"
     labels:
       - "com.centurylinklabs.watchtower.enable=true"
       - "last.commit.url=https://api.github.com/repos/bropat/eufy-security-ws/commits"
@@ -866,8 +905,8 @@ services:
     environment:
       - "RTSP_PROTOCOLS=tcp"
     ports:
-      - "1935:1935"
-      - "8554:8554"
+      - "0.0.0.0:1935:1935"
+      - "0.0.0.0:8554:8554"
     labels:
       - "com.centurylinklabs.watchtower.enable=true"
       - "last.commit.url=https://api.github.com/repos/bluenviron/mediamtx/commits"
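Review bot: `image: adguard/adguardhome` carries no tag, unlike every other image in the file, which is at least `:latest` or pinned (`emby/embyserver:4.9.0.34`); with `com.centurylinklabs.watchtower.enable=true` on the same service this silently tracks whatever the registry's default tag is, so write `image: adguard/adguardhome:latest` or pin a release. Keeping pihole defined with only its `ports:` commented out means both resolvers keep running on every `up`; if pihole is just a fallback, a `profiles:` entry on the pihole service would keep it out of the default start-up without deleting the stanza. The rest of the pihole service is outside the hunk, so whether it still has labels or a restart policy is inferred rather than visible.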
@@ -875,6 +914,31 @@ services:
       - pihole
     volumes:
       - "/etc/localtime:/etc/localtime:ro"
+
+# NOT YET - API calls don't match DB, need to wait
+#  mon:
+#    image: louislam/uptime-kuma:beta-slim
+#    container_name: mon
+#    volumes:
+#      - /srv/docker/container/mon/data:/app/data
+#      - /srv/docker/container/mon/mara-bin:/root/mara-bin/
+#      - /srv/docker/container/mon/mara-init:/root/mara-init/
+#      - /var/run/docker.sock:/var/run/docker.sock:ro
+#      # used to transfer which containers we monitor through to telegraf
+#      - /srv/docker/container/mon/monitoring-results:/monitoring-results
+#      - /etc/localtime:/etc/localtime:ro
+#    entrypoint: /root/mara-init/entrypoint-wrapper.sh
+#    ports:
+#      - "0.0.0.0:13001:3001"
+#    labels:
+#      - "com.centurylinklabs.watchtower.enable=true"
+#      - "traefik.enable=true"
+##      - "traefik.http.routers.kuma.rule=Host(`mon.depaoli.id.au`)"
+##      - "traefik.http.routers.kuma.tls=true"
+##      - "traefik.http.routers.kuma.entrypoints=secureweb"
+##      - "traefik.http.routers.kuma.tls.certresolver=myresolver"
+#      - "last.commit.url=https://api.github.com/repos/louislam/uptime-kuma/commits"
+#    restart: always
 
   kuma:
     image: louislam/uptime-kuma:latest
@@ -888,6 +952,8 @@ services:
       - /srv/docker/container/kuma/monitoring-results:/monitoring-results
       - /etc/localtime:/etc/localtime:ro
     entrypoint: /root/mara-init/entrypoint-wrapper.sh
+    ports:
+      - "0.0.0.0:3001:3001"
     labels:
       - "com.centurylinklabs.watchtower.enable=true"
       - "traefik.enable=true"
@@ -933,7 +999,7 @@ services:
     env_file:
       - /srv/docker/config/secrets/mythtv
     ports:
-      - "3306:3306"
+      - "0.0.0.0:3306:3306"
     volumes:
      - /srv/docker/container/mythtv/db_tst/sql:/docker-entrypoint-initdb.d
      - /srv/docker/container/mythtv/db_tst/data:/var/lib/mysql
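Review bot: The new `- "0.0.0.0:3001:3001"` publish on kuma sits next to `traefik.enable=true`, so the dashboard is now reachable directly on host port 3001 on every IPv4 address as well as through the proxy; the disabled `mon` block above uses `"0.0.0.0:13001:3001"`, which suggests the direct port may have been intended for the beta instance rather than the live one. If direct access is needed, `- "192.168.0.2:3001:3001"` keeps it LAN-only in the style of the adguard stanza; otherwise the `ports:` block can be dropped and traefik left as the only entry. The context line `- pihole` at the top of the first hunk looks like a `depends_on` entry (the key itself is outside the hunk); with adguard now the active resolver it probably should reference adguard instead.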
@@ -962,10 +1028,10 @@ services:
       LANGUAGE: en_US.UTF-8
       TZ: Australia/Melbourne
     ports:
-      - "6543:6543"
-      - "6544:6544"
-      - "6549:6549"
-      - "6760:6760"
+      - "0.0.0.0:6543:6543"
+      - "0.0.0.0:6544:6544"
+      - "0.0.0.0:6549:6549"
+      - "0.0.0.0:6760:6760"
     entrypoint: /root/mara-init/entrypoint-wrapper.sh
     volumes:
       - /srv/docker/container/mythtv/apache2:/var/log/apache2
@@ -1044,7 +1110,7 @@ services:
     labels:
       - "com.centurylinklabs.watchtower.enable=true"
       - "traefik.enable=true"
-      - "traefik.http.routers.web.rule=Host(`mara.ddp.net`) && ( Path(`/`) || PathPrefix(`/images` ) || PathPrefix(`/mythweb`) )"
+      - "traefik.http.routers.web.rule=Host(`myth.ddp.net`) && ( Path(`/`) || PathPrefix(`/images` ) || PathPrefix(`/mythweb`) )"
       - "traefik.http.routers.web.entrypoints=web"
       - "last.commit.url=https://api.github.com/repos/docker-library/php/commits"
 
@@ -1074,8 +1140,8 @@ services:
     # forcing hostname so the samba sid is reliable
     hostname: sambacontainer
     ports:
-      - "139:139"
-      - "445:445"
+      - "0.0.0.0:139:139"
+      - "0.0.0.0:445:445"
     volumes:
       - /export:/export
       - /srv/docker/container/samba/monitoring-results:/monitoring-results
@@ -1095,12 +1161,12 @@ services:
     restart: always
     ports:
       # active ports
-      - "20:20"
-      - "21:21"
+      - "0.0.0.0:20:20"
+      - "0.0.0.0:21:21"
       # passive ports
-      - "10090:10090"
-      - "10091:10091"
-      - "10092:10092"
+      - "0.0.0.0:10090:10090"
+      - "0.0.0.0:10091:10091"
+      - "0.0.0.0:10092:10092"
     volumes:
       - /home:/home
       - /srv/docker/container/ftp/monitoring-results:/monitoring-results
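Review bot: In the ftp hunk the passive ports are listed one per line, `- "0.0.0.0:10090:10090"` through `- "0.0.0.0:10092:10092"`; Compose accepts a range, so `- "0.0.0.0:10090-10092:10090-10092"` states the block in one line and makes it harder for a future port to be added on the host side but not the container side. The `# active ports` / `# passive ports` comments are useful and should stay. The mythtv router hunk moves `/mythweb` from mara.ddp.net to myth.ddp.net while the heimdall router earlier in this commit takes over `Host(`mara.ddp.net`)`, so a request to the old mara.ddp.net/mythweb URL now lands on the heimdall dashboard rather than being redirected; that is presumably intended, but a one-line comment above the `web` router rule saying so would save the next reader a lookup.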