trying out wud

trying out wud, added secrets for it
added a patst while we work on a new branch for PA, also a more timely health check so traefik is faster to notice its back after a restart
2025-12-11 22:27:20 +11:00 · 2025-12-11 22:26:59 +11:00 · 2025-10-25 21:55:48 +11:00 · 2025-10-10 23:55:32 +11:00 · 2025-09-28 10:35:43 +10:00 · 2025-09-23 20:07:29 +10:00
4 changed files with 83 additions and 60 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,25 +7,11 @@ services:
    image: traefik:latest
    restart: always
    network_mode: host
-    command:
-#      - "--log.level=DEBUG"
-      - "--api.dashboard=true"
-      - "--providers.docker=true"
-      - "--providers.docker.exposedbydefault=false"
-      - "--providers.file=true"
-      - "--providers.file.directory=/configuration/"
-      - "--providers.file.watch=true"
-      - "--entrypoints.web.address=:80"
-      - "--entrypoints.secureweb.address=:443"
-      - "--accessLog"
-      - "--accessLog.filePath=/var/log/access.log"
-      - "--accesslog.fields.names.StartUTC=drop"
-      - "--accesslog.filters.statuscodes=400-599"
-      - "--accesslog.filters.minduration=50ms"
-      # cert resolver (PROD)
-      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
-      - "--certificatesresolvers.myresolver.acme.email=postmaster@depaoli.id.au"
-      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
+    logging:
+        driver: "json-file"
+        options:
+            max-size: "100m"  # Maximum size of each log file (e.g., 10 megabytes)
+            max-file: "5"    # Maximum number of log files to keep
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
@@ -39,7 +25,8 @@ services:
      - adguard
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
-      - /srv/docker/container/traefik/:/configuration
+      - /srv/docker/container/traefik/traefik.yml:/etc/traefik/traefik.yml:ro
+      - /srv/docker/container/traefik/configuration/:/configuration
      - /srv/docker/container/traefik/var/log/:/var/log/
      - /srv/docker/container/letsencrypt/etc:/letsencrypt
      - /etc/localtime:/etc/localtime:ro
@@ -152,8 +139,7 @@ services:
  # direct play on tv works (from memory)
  emby:
    container_name: emby
-#    image:  emby/embyserver:latest
-    image: emby/embyserver:4.9.1.31
+    image:  emby/embyserver:latest
    restart: always
    network_mode: host
    environment:
@@ -277,6 +263,7 @@ services:
    restart: unless-stopped
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
+      - "last.commit.url=https://api.github.com/repos/tiredofit/docker-openldap/releases/latest"
    environment:
      DOMAIN: "depaoli.id.au"
      BASE_DN: "dc=depaoli,dc=id,dc=au"
@@ -304,6 +291,7 @@ services:
    restart: unless-stopped
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
+      - "last.commit.url=https://api.github.com/repos/tiredofit/docker-openldap/releases/latest"
    environment:
      DOMAIN: "depaoli.id.au"
      BASE_DN: "dc=depaoli,dc=id,dc=au"
@@ -371,6 +359,7 @@ services:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.rule=Host(`portainer.ddp.net`)"
+      - "traefik.http.routers.portainer.entrypoints=web"
      # need to be explicit, as it also runs API ports, SSL ports, etc
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
      - "last.commit.url=https://api.github.com/repos/portainer/portainer/commits"
@@ -398,6 +387,7 @@ services:
      - /run/dbus:/run/dbus:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
+      - "wud.watch=false"
      # to note traefik is used here, but handled via files due to use of "network_mode: host"
      - "traefik.enable=true"
      - "traefik.http.routers.hass.rule=Host(`hass.depaoli.id.au`)"
@@ -617,12 +607,12 @@ services:
      - "com.centurylinklabs.watchtower.enable=true"
      - "last.commit.url=https://api.github.com/repos/postgres/postgres/commits"
    volumes:
-      - /srv/docker/container/bookdb_dev/data:/var/lib/postgresql/data
+      - /srv/docker/container/bookdb_dev/data:/var/lib/postgresql
      - /srv/docker/container/bookdb_dev/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
      - /etc/localtime:/etc/localtime:ro

  bookdb:
-    image: postgres:17
+    image: postgres:18
    container_name: bookdb
    restart: always
    environment:
@@ -633,10 +623,13 @@ services:
    depends_on:
      - adguard
    labels:
-      - "com.centurylinklabs.watchtower.enable=true"
+      - "com.centurylinklabs.watchtower.enable=false"
+      - "wud.watch=false"
      - "last.commit.url=https://api.github.com/repos/postgres/postgres/commits"
+      - "wud.watch=true"
+      - "wud.update=true"
    volumes:
-      - /srv/docker/container/bookdb/data:/var/lib/postgresql/data
+      - /srv/docker/container/bookdb/data:/var/lib/postgresql/
      - /srv/docker/container/bookdb/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
      - /etc/localtime:/etc/localtime:ro

@@ -660,6 +653,7 @@ services:
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
+      - "wud.watch=false"
      - "traefik.enable=true"
      - "traefik.http.routers.bookdev.rule=Host(`bookdev.ddp.net`)"
      - "traefik.http.routers.bookdev.entrypoints=web"
@@ -683,6 +677,7 @@ services:
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
+      - "wud.watch=false"
      - "traefik.enable=true"
      - "traefik.http.routers.book.rule=Host(`book.depaoli.id.au`)"
      - "traefik.http.routers.book.tls=true"
@@ -706,20 +701,21 @@ services:
    depends_on:
      - adguard
    volumes:
-      - /srv/docker/container/padb_dev/data:/var/lib/postgresql/data
+      - /srv/docker/container/padb_dev/data:/var/lib/postgresql
      - /srv/docker/container/padb_dev/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
      - /srv/docker/container/padb_dev/mara-init:/root/mara-init
      - /srv/docker/container/padb_dev/mara-bin:/root/mara-bin
      - /etc/localtime:/etc/localtime:ro
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "pa"]
-      interval: 30s
-      timeout: 10s
-      retries: 5
+      interval: 5s
+      timeout: 2s
+      retries: 10
+      start_period: 2s

  padb:
    container_name: padb
-    image: postgres:17
+    image: postgres:18
    restart: always
    # replace entrypoint to install cron and a cron job to backup users so we can rebuild the content from sqls
    entrypoint: /root/mara-init/entrypoint-wrapper.sh
@@ -734,16 +730,17 @@ services:
    depends_on:
      - adguard
    volumes:
-      - /srv/docker/container/padb/data:/var/lib/postgresql/data
+      - /srv/docker/container/padb/data:/var/lib/postgresql
      - /srv/docker/container/padb/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
      - /srv/docker/container/padb/mara-init:/root/mara-init
      - /srv/docker/container/padb/mara-bin:/root/mara-bin
      - /etc/localtime:/etc/localtime:ro
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "pa"]
-      interval: 30s
-      timeout: 10s
+      interval: 5s
+      timeout: 2s
      retries: 5
+      start_period: 2s

  padev:
    container_name: padev
@@ -753,16 +750,26 @@ services:
      args:
        # uid for ddp (for dev/container)
        PA_ID: "1000"
+    # used to force output to be unbuffered - also combine with PYTHONUNBUFFERED below
+    tty: true
    environment:
      ENV: "container"
+      PYTHONUNBUFFERED: 1
    depends_on:
      padb_dev:
        condition: service_healthy
    volumes:
      - /home/ddp/src/photoassistant:/home/ddp/src/photoassistant
      - /etc/localtime:/etc/localtime:ro
+    healthcheck:
+      test: ["CMD-SHELL", "wget -qO- http://localhost/health || (echo 'Healthcheck failed'; exit 1)"]
+      interval: 5s
+      timeout: 2s
+      retries: 10
+      start_period: 2s
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
+      - "wud.watch=false"
      - "traefik.enable=true"
      - "traefik.http.routers.padev.rule=Host(`padev.ddp.net`)"
      - "traefik.http.routers.padev.entrypoints=web"
@@ -785,11 +792,18 @@ services:
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
+      - "wud.watch=false"
      - "traefik.enable=true"
      - "traefik.http.routers.pa.rule=Host(`pa.depaoli.id.au`)"
      - "traefik.http.routers.pa.tls=true"
      - "traefik.http.routers.pa.entrypoints=secureweb"
      - "traefik.http.routers.pa.tls.certresolver=myresolver"
+    healthcheck:
+      test: ["CMD-SHELL", "wget -qO- http://localhost/health || (echo 'Healthcheck failed'; exit 1)"]
+      interval: 5s
+      timeout: 2s
+      retries: 2
+      start_period: 2s

  finplan:
    container_name: finplan
@@ -808,9 +822,19 @@ services:
      - /srv/docker/container/finplan:/data
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
+      - "wud.watch=false"
      - "traefik.enable=true"
      - "traefik.http.routers.finplan.rule=Host(`finplan.ddp.net`)"
      - "traefik.http.routers.finplan.entrypoints=web"
+      # --- Traefik-level healthcheck ---
+      - "traefik.http.services.finplan.loadbalancer.server.port=8080"
+      - "traefik.http.services.finplan.loadbalancer.healthcheck.path=/health"
+    healthcheck:
+      test: ["CMD-SHELL", "wget -qO- http://localhost:8080/health || (echo 'Healthcheck failed'; exit 1)"]
+      interval: 5s
+      timeout: 2s
+      retries: 1
+      start_period: 1s

  vaultwarden:
    image: vaultwarden/server:latest
@@ -840,7 +864,7 @@ services:

  # auto-update docker images
  watchtower:
-    image: containrrr/watchtower:latest-dev
+    image: beatkind/watchtower:latest
    container_name: watchtower
    restart: "always"
    command: --schedule "0 0 3 * * *" --debug --stop-timeout 60s --label-enable --cleanup
@@ -848,7 +872,7 @@ services:
      - adguard
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
-      - "last.commit.url=https://api.github.com/repos/containrrr/watchtower/commits"
+      - "last.commit.url=https://api.github.com/repos/beatkind/watchtower/commits"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "/etc/localtime:/etc/localtime:ro"
@@ -896,7 +920,7 @@ services:
      - "/etc/localtime:/etc/localtime:ro"
    
  mon:
-    image: louislam/uptime-kuma:beta
+    image: louislam/uptime-kuma:2.0.2
    container_name: mon
    restart: always
    volumes:
@@ -1199,6 +1223,7 @@ services:
      - adguard
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
+      - "wud.watch=true"

  cdpdev:
    image: node:latest
@@ -1235,27 +1260,20 @@ services:
      - "traefik.http.services.homarr.loadbalancer.server.port=7575"
      - "last.commit.url=https://api.github.com/repos/homarr-labs/homarr/commits"

-  splunk:
-    image: splunk/splunk:latest
-    container_name: splunk
-    environment:
-      - SPLUNK_LICENSE_URI=Free
-      - SPLUNK_START_ARGS=--accept-license
-      - SPLUNK_GENERAL_TERMS=--accept-sgt-current-at-splunk-com
-    ports:
-      - "8000:8000"   # Splunk Web
-      - "8088:8088"   # HTTP Event Collector (optional)
-      - "9997:9997"   # Splunk Indexing
-      - "514:514/udp" # Syslog (UDP)
-    volumes:
-      - /srv/docker/container/splunk/data:/opt/splunk/var
-      - /srv/docker/container/splunk/etc:/opt/splunk/etc
-    env_file:
-      - /srv/docker/config/secrets/splunk
+  wud:
+    image: getwud/wud
+    container_name: wud
    restart: unless-stopped
-    labels:
-      - "com.centurylinklabs.watchtower.enable=true"
-      - "traefik.enable=true"
-      - "traefik.http.routers.splunk.rule=Host(`splunk.ddp.net`)"
-      - "traefik.http.routers.splunk.entrypoints=web"
-      - "traefik.http.services.splunk.loadbalancer.server.port=8000"
+    ports:
+      - "13000:3000"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    env_file:
+      - /srv/docker/config/secrets/wud
+    environment:
+      - WUD_WATCHER_DOCKER_WATCHBYDEFAULT=true
+      - WUD_TRIGGER_DOCKER_UPDATE_AUTO=false
+      - WUD_TRIGGER_DOCKER_UPDATE_PRUNE=false
+      - WUD_REGISTRY_HUB_PUBLIC_LOGIN=dockerhubaccdep
+      - WUD_REGISTRY_HUB_PUBLIC_TOKEN=dckr_pat_zQ5Gv3n2MzI6qu9l2ILV0hRc74Y
+      - WUD_WATCHER_DOCKER_CRON=0 3 * * *
--- a/secrets/ldap-mail-common
+++ b/secrets/ldap-mail-common
@@ -1,4 +1,7 @@
+# needed for bitnami containers
 LDAP_ADMIN_PASSWORD=a_real_admin_pass_word_for_2o20
 LDAP_BIND_PW=${LDAP_ADMIN_PASSWORD}
+# needed for tiredofit containers
+ADMIN_PASS=${LDAP_ADMIN_PASSWORD}
 # to note, this is unused at the moment as SASL doesnt work, but leaving this set as it wont impact anything
 SASLAUTHD_LDAP_PASSWORD=${LDAP_ADMIN_PASSWORD}
--- a/secrets/splunk
+++ b/secrets/splunk
@@ -0,0 +1 @@
+SPLUNK_PASSWORD="2s&i*gE9nho!1Sz4UzJ*8#rc$9P@ahbI"
--- a/secrets/wud
+++ b/secrets/wud
@@ -0,0 +1 @@
+WUD_REGISTRY_HUB_PUBLIC_TOKEN=dckr_pat_zQ5Gv3n2MzI6qu9l2ILV0hRc74Y
Author	SHA1	Message	Date
Damien De Paoli	9241b4091f	trying out wud	2025-12-11 22:27:20 +11:00
Damien De Paoli	af0a5cd2bd	trying out wud, added secrets for it	2025-12-11 22:26:59 +11:00
Damien De Paoli	dc1c2681fe	added a patst while we work on a new branch for PA, also a more timely health check so traefik is faster to notice its back after a restart	2025-10-25 21:55:48 +11:00
Damien De Paoli	43719b968a	trying to place a health check/url on padev to fix the weird slow restart, not sure it was not just traefik needing a rebuild??? also finally have moved embyserver off the beta versions back to mainline :latest	2025-10-10 23:55:32 +11:00
Damien De Paoli	ef24976947	bump emby, deal with postgres 18 upgrade - including annoying "18" now being in path for data	2025-09-28 10:35:43 +10:00
Damien De Paoli	adfe4f9ce4	bump emby, change commit url for new openldap, added tty: true and PYTHONUNBUFFERED: 1 to make python dev container instantly show output	2025-09-23 20:07:29 +10:00
Damien De Paoli	e7915b2050	add last commit url for new ldap repo	2025-09-15 22:23:42 +10:00
Damien De Paoli	d7fb7c6ae8	add splunk pwd	2025-09-15 22:23:22 +10:00
Damien De Paoli	35dfb3c914	update/add newer LDAP env vars	2025-09-15 22:23:10 +10:00
				`@@ -0,0 +1 @@`
				`SPLUNK_PASSWORD="2s&igE9nho!1Sz4UzJ8#rc$9P@ahbI"`
				`@@ -0,0 +1 @@`
				`WUD_REGISTRY_HUB_PUBLIC_TOKEN=dckr_pat_zQ5Gv3n2MzI6qu9l2ILV0hRc74Y`