explicit use of 0.0.0.0 in port stanzas to force only opening up ipv4, added heimdall and adguard. For now pihole is still there, just the ports have been hidden so adguard is active dns. Using heimdall as mara.ddp.net default web content now, moved mythweb to myth.ddp.net. Finally, just use user root (no group docker) for telegraf

docker-compose.yml

@@ -44,6 +44,25 @@ services:
       - /srv/docker/container/letsencrypt/etc:/letsencrypt
       - /etc/localtime:/etc/localtime:ro
 
+  heimdall:
+    container_name: heimdall
+    image: lscr.io/linuxserver/heimdall:latest
+    restart: unless-stopped
+    environment:
+      - TZ=Australia/Melbourne
+    volumes:
+      - /srv/docker/container/heimdall:/config
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - 10080:80
+      - 10443:443
+    labels:
+      - "com.centurylinklabs.watchtower.enable=true"
+      - "traefik.enable=true"
+      - "traefik.http.routers.heimdall.rule=Host(`heimdall.ddp.net`) || Host(`mara.ddp.net`)"
+      - "traefik.http.routers.heimdall.entrypoints=web"
+      - "last.commit.url=https://api.github.com/repos/linuxserver/docker-heimdall/commits"
+
   sonarr:
     container_name: sonarr
     image: linuxserver/sonarr:latest
@@ -145,7 +164,7 @@ services:
   emby:
     container_name: emby
 #    image:  emby/embyserver:latest
-    image: emby/embyserver:4.9.0.32
+    image: emby/embyserver:4.9.0.34
     restart: always
     network_mode: host
     environment:
@@ -182,10 +201,10 @@ services:
     container_name: mail
     restart: always
     ports:
-      - "25:25"
+      - "0.0.0.0:25:25"
-      - "465:465"
+      - "0.0.0.0:465:465"
-      - "587:587"
+      - "0.0.0.0:587:587"
-      - "993:993"
+      - "0.0.0.0:993:993"
     labels:
       # somehow watchtower keeps restarting mail even without an update AND the mailserver emails me with updates anyway
       - "com.centurylinklabs.watchtower.enable=true"
@@ -289,7 +308,7 @@ services:
       - /srv/docker/container/ldap/bootstrap-ldifs:/ldifs
       - /etc/localtime:/etc/localtime:ro
     ports:
-      - "389:1389"
+      - "0.0.0.0:389:1389"
 
   # webmail
   webmail:
@@ -411,7 +430,7 @@ services:
       - "com.centurylinklabs.watchtower.enable=true"
       - "last.commit.url=https://api.github.com/repos/eclipse/mosquitto/commits"
     ports:
-      - "1883:1883"    
+      - "0.0.0.0:1883:1883"    
     
   esphome:
     container_name: esphome
@@ -432,7 +451,6 @@ services:
     privileged: true
     
   sabnzbd:
-#    image: linuxserver/sabnzbd:4.2.2-ls151
     image: linuxserver/sabnzbd:latest
     container_name: sabnzbd
     restart: always
@@ -481,9 +499,9 @@ services:
   telegraf:
     image: telegraf:latest
     container_name: telegraf
-    # needs to be 0 / root to run smartmontools / nvme, and 124/docker to read docker.sock
+    # needs to be 0 / root to run smartmontools / nvme
-    #user: "root:docker"
+    user: "root"
-    user: "root:124"
+    # this is used to add docker group to telegraf user for reading docker.sock and installing smartmontools, etc.
     entrypoint: /root/mara-init/entrypoint-wrapper.sh
     volumes:
       - /srv/docker/container/telegraf:/etc/telegraf
@@ -541,12 +559,33 @@ services:
       - "traefik.http.routers.grafana.entrypoints=web"
       - "last.commit.url=https://api.github.com/repos/grafana/grafana/commits"
 
-  pihole:
+  adguard:
-    container_name: pihole
+    container_name: adguard
-    image: pihole/pihole:latest
+    image: adguard/adguardhome
     ports:
       - "192.168.0.2:53:53/tcp"
       - "192.168.0.2:53:53/udp"
+    environment:
+      TZ: 'Australia/Melbourne'
+    volumes:
+      - /srv/docker/container/adguard/conf:/opt/adguardhome/conf
+      - /srv/docker/container/adguard/work:/opt/adguardhome/work
+      - /etc/localtime:/etc/localtime:ro
+    restart: always
+    labels:
+      - "com.centurylinklabs.watchtower.enable=true"
+      - "traefik.enable=true"
+      - "traefik.http.routers.adguard.rule=Host(`adguard.ddp.net`)"
+      - "traefik.http.routers.adguard.entrypoints=web"
+      - "traefik.http.services.adguard.loadbalancer.server.port=80"
+      - "last.commit.url=https://api.github.com/repos/AdguardTeam/AdGuardHome/commits"
+
+  pihole:
+    container_name: pihole
+    image: pihole/pihole:latest
+#    ports:
+#      - "192.168.0.2:53:53/tcp"
+#      - "192.168.0.2:53:53/udp"
     environment:
       TZ: 'Australia/Melbourne'
       PIHOLE_DNS_: '208.67.222.222;208.67.220.220'
@@ -847,7 +886,7 @@ services:
     env_file:
         - /srv/docker/config/secrets/eufy_security_ws
     ports:
-      - "3000:3000"
+      - "0.0.0.0:3000:3000"
     labels:
       - "com.centurylinklabs.watchtower.enable=true"
       - "last.commit.url=https://api.github.com/repos/bropat/eufy-security-ws/commits"
@@ -866,8 +905,8 @@ services:
     environment:
       - "RTSP_PROTOCOLS=tcp"
     ports:
-      - "1935:1935"
+      - "0.0.0.0:1935:1935"
-      - "8554:8554"
+      - "0.0.0.0:8554:8554"
     labels:
       - "com.centurylinklabs.watchtower.enable=true"
       - "last.commit.url=https://api.github.com/repos/bluenviron/mediamtx/commits"
@@ -876,6 +915,31 @@ services:
     volumes:
       - "/etc/localtime:/etc/localtime:ro"
     
+# NOT YET - API calls don't match DB, need to wait
+#  mon:
+#    image: louislam/uptime-kuma:beta-slim
+#    container_name: mon
+#    volumes:
+#      - /srv/docker/container/mon/data:/app/data
+#      - /srv/docker/container/mon/mara-bin:/root/mara-bin/
+#      - /srv/docker/container/mon/mara-init:/root/mara-init/
+#      - /var/run/docker.sock:/var/run/docker.sock:ro
+#      # used to transfer which containers we monitor through to telegraf
+#      - /srv/docker/container/mon/monitoring-results:/monitoring-results
+#      - /etc/localtime:/etc/localtime:ro
+#    entrypoint: /root/mara-init/entrypoint-wrapper.sh
+#    ports:
+#      - "0.0.0.0:13001:3001"
+#    labels:
+#      - "com.centurylinklabs.watchtower.enable=true"
+#      - "traefik.enable=true"
+##      - "traefik.http.routers.kuma.rule=Host(`mon.depaoli.id.au`)"
+##      - "traefik.http.routers.kuma.tls=true"
+##      - "traefik.http.routers.kuma.entrypoints=secureweb"
+##      - "traefik.http.routers.kuma.tls.certresolver=myresolver"
+#      - "last.commit.url=https://api.github.com/repos/louislam/uptime-kuma/commits"
+#    restart: always
+
   kuma:
     image: louislam/uptime-kuma:latest
     container_name: kuma
@@ -888,6 +952,8 @@ services:
       - /srv/docker/container/kuma/monitoring-results:/monitoring-results
       - /etc/localtime:/etc/localtime:ro
     entrypoint: /root/mara-init/entrypoint-wrapper.sh
+    ports:
+      - "0.0.0.0:3001:3001"
     labels:
       - "com.centurylinklabs.watchtower.enable=true"
       - "traefik.enable=true"
@@ -933,7 +999,7 @@ services:
     env_file:
         - /srv/docker/config/secrets/mythtv
     ports:
-        - "3306:3306"
+        - "0.0.0.0:3306:3306"
     volumes:
       - /srv/docker/container/mythtv/db_tst/sql:/docker-entrypoint-initdb.d
       - /srv/docker/container/mythtv/db_tst/data:/var/lib/mysql
@@ -962,10 +1028,10 @@ services:
       LANGUAGE: en_US.UTF-8
       TZ: Australia/Melbourne
     ports:
-      - "6543:6543"
+      - "0.0.0.0:6543:6543"
-      - "6544:6544"
+      - "0.0.0.0:6544:6544"
-      - "6549:6549"
+      - "0.0.0.0:6549:6549"
-      - "6760:6760"
+      - "0.0.0.0:6760:6760"
     entrypoint: /root/mara-init/entrypoint-wrapper.sh
     volumes:
       - /srv/docker/container/mythtv/apache2:/var/log/apache2
@@ -1044,7 +1110,7 @@ services:
     labels:
       - "com.centurylinklabs.watchtower.enable=true"
       - "traefik.enable=true"
-      - "traefik.http.routers.web.rule=Host(`mara.ddp.net`) && ( Path(`/`) || PathPrefix(`/images` ) || PathPrefix(`/mythweb`) )"
+      - "traefik.http.routers.web.rule=Host(`myth.ddp.net`) && ( Path(`/`) || PathPrefix(`/images` ) || PathPrefix(`/mythweb`) )"
       - "traefik.http.routers.web.entrypoints=web"
       - "last.commit.url=https://api.github.com/repos/docker-library/php/commits"
 
@@ -1074,8 +1140,8 @@ services:
     # forcing hostname so the samba sid is reliable
     hostname: sambacontainer
     ports:
-      - "139:139"
+      - "0.0.0.0:139:139"
-      - "445:445"
+      - "0.0.0.0:445:445"
     volumes:
       - /export:/export
       - /srv/docker/container/samba/monitoring-results:/monitoring-results
@@ -1095,12 +1161,12 @@ services:
     restart: always
     ports:
       # active ports
-      - "20:20"
+      - "0.0.0.0:20:20"
-      - "21:21"
+      - "0.0.0.0:21:21"
       # passive ports
-      - "10090:10090"
+      - "0.0.0.0:10090:10090"
-      - "10091:10091"
+      - "0.0.0.0:10091:10091"
-      - "10092:10092"
+      - "0.0.0.0:10092:10092"
     volumes:
       - /home:/home
       - /srv/docker/container/ftp/monitoring-results:/monitoring-results