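# Convention: where a service lists an env_file under /srv/docker/config/secrets/*,
# the ENV variable carrying that container's password has been moved out of this
# file and into that secrets file (one place for passwords shared between
# containers, e.g. the LDAP bind password, and so this compose file can be shared
# without leaking credentials). Any secret that still appears literally in this
# file is a defect -- see the influxdb and mythdb notes below, which were the two
# offenders.
#
# Review notes that apply file-wide:
#   * "web" is the plain-HTTP :80 entrypoint. It is used for the *.ddp.net names,
#     which have no certificate and are meant to be LAN-only. Traefik routes on
#     the Host header, which the client chooses, so if :80 is reachable from the
#     internet every "web" router is reachable too -- DNS is not an access
#     control. "secureweb" is :443 with Let's Encrypt via "myresolver" and is
#     used for the public *.depaoli.id.au names.
#   * Binding /var/run/docker.sock with :ro only makes the socket *file*
#     read-only; the Docker API behind it still gives full root-equivalent
#     control of the host. Every container that mounts it must be treated as
#     trusted as the host itself.
#   * privileged: true removes the default seccomp, capability and device
#     restrictions, so any other hardening on that service is cosmetic.
#   * Almost everything tracks a ":latest" tag and is auto-updated by watchtower
#     at 03:00 with no verification; an upstream tag push (or a compromised
#     upstream) lands in production unattended. Pin tags (as emby and mail do)
#     for anything exposed to the internet or holding credentials.
services:
  traefik:
    container_name: traefik
    image: traefik:latest
    restart: always
    # Host networking so traefik can reach services that also run with
    # network_mode: host (emby, hass) on localhost. It also means traefik sees
    # real client IPs, which the lan-only middleware below relies on.
    network_mode: host
    command:
      # - "--log.level=DEBUG"
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.file=true"
      - "--providers.file.directory=/configuration/"
      - "--providers.file.watch=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.secureweb.address=:443"
      - "--accessLog"
      - "--accessLog.filePath=/var/log/access.log"
      - "--accesslog.fields.names.StartUTC=drop"
      # NOTE(review): access-log filters are OR'ed -- a request is kept if it
      # matches *either* filter. Fast 2xx/3xx requests (successful logins,
      # successful downloads) are therefore dropped, which limits what can be
      # reconstructed after an incident on the public hosts. Consider logging
      # everything on secureweb and filtering at the collector instead.
      - "--accesslog.filters.statuscodes=400-599"
      - "--accesslog.filters.minduration=50ms"
      # cert resolver (PROD)
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=postmaster@depaoli.id.au"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      # Dashboard / API router. api@internal has NO authentication of its own:
      # anyone who can reach :80 with Host: traefik.ddp.net gets the complete
      # router, service and TLS configuration. The lan-only middleware below
      # restricts it to the 192.168.0.0/24 LAN (the subnet the emby/adguard
      # notes in this file refer to) plus localhost; adjust if the dashboard
      # must also be reached from another subnet or a VPN range. The middleware
      # is defined here but is global to the docker provider (lan-only@docker),
      # so other routers can reuse it.
      # Traefik v3 spells this "ipallowlist"; on a v2.x image use "ipwhitelist".
      - "traefik.http.middlewares.lan-only.ipallowlist.sourcerange=192.168.0.0/24,127.0.0.1/32"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.ddp.net`)"
      - "traefik.http.routers.dashboard.entrypoints=web"
      - "traefik.http.routers.dashboard.middlewares=lan-only@docker"
      # With network_mode: host traefik exposes many ports (80, 443), so a
      # service port has to be stated explicitly. Note the router below uses
      # api@internal (served in-process), so this "dashboard" service is not
      # actually what the router forwards to; it is kept for compatibility.
      - "traefik.http.services.dashboard.loadbalancer.server.port=8080"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "last.commit.url=https://api.github.com/repos/traefik/traefik/commits"
    depends_on:
      - pihole
    volumes:
      # Full Docker API access (the :ro only protects the socket file).
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /srv/docker/container/traefik/:/configuration
      - /srv/docker/container/traefik/var/log/:/var/log/
      # acme.json holds the private keys of every certificate traefik issues;
      # it must be mode 600 on the host (traefik warns if it is not) and the
      # directory should not be readable by other users.
      - /srv/docker/container/letsencrypt/etc:/letsencrypt
      - /etc/localtime:/etc/localtime:ro

  heimdall:
    container_name: heimdall
    image: lscr.io/linuxserver/heimdall:latest
    restart: unless-stopped
    environment:
      - TZ=Australia/Melbourne
    volumes:
      - /srv/docker/container/heimdall:/config
      - /etc/localtime:/etc/localtime:ro
    # Also published directly on the host (all interfaces) as well as via
    # traefik; the direct ports bypass any traefik middleware.
    ports:
      - "10080:80"
      - "10443:443"
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.heimdall.rule=Host(`heimdall.ddp.net`) || Host(`mara.ddp.net`)"
      - "traefik.http.routers.heimdall.entrypoints=web"
      - "last.commit.url=https://api.github.com/repos/linuxserver/docker-heimdall/commits"

  # sonarr / radarr are published to the internet over TLS. They rely on their
  # own built-in authentication; make sure it is set to "required for all
  # requests" in each app (not visible from here), since traefik adds none.
  sonarr:
    container_name: sonarr
    image: linuxserver/sonarr:latest
    restart: always
    environment:
      - TZ=Australia/Melbourne
      - PUID=500
      - PGID=500
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.sonarr.rule=Host(`son.depaoli.id.au`)"
      - "traefik.http.routers.sonarr.tls=true"
      - "traefik.http.routers.sonarr.entrypoints=secureweb"
      - "traefik.http.routers.sonarr.tls.certresolver=myresolver"
      - "last.commit.url=https://api.github.com/repos/linuxserver/docker-sonarr/commits"
    depends_on:
      - pihole
    volumes:
      - /srv/docker/container/sonarr/config:/config
      - /export/docker/storage/downloads:/downloads
      - /export/docker/storage/series:/tv
      - /etc/localtime:/etc/localtime:ro

  radarr:
    container_name: radarr
    image: linuxserver/radarr:latest
    restart: always
    environment:
      - TZ=Australia/Melbourne
      - PUID=500
      - PGID=500
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.radarr.rule=Host(`rad.depaoli.id.au`)"
      - "traefik.http.routers.radarr.tls=true"
      - "traefik.http.routers.radarr.entrypoints=secureweb"
      - "traefik.http.routers.radarr.tls.certresolver=myresolver"
      - "last.commit.url=https://api.github.com/repos/linuxserver/docker-radarr/commits"
    depends_on:
      - pihole
    volumes:
      - /srv/docker/container/radarr/config:/config
      - /export/docker/storage/downloads:/downloads
      - /export/docker/storage/movies:/movies
      - /etc/localtime:/etc/localtime:ro

  readarr:
    container_name: readarr
    # "nightly" is an unreviewed moving target; combined with watchtower this
    # pulls whatever was built last night. Acceptable for a LAN-only service,
    # but do not put this one on secureweb without pinning.
    image: linuxserver/readarr:nightly
    restart: always
    environment:
      - TZ=Australia/Melbourne
      - PUID=500
      - PGID=500
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.readarr.rule=Host(`readarr.ddp.net`)"
      - "traefik.http.routers.readarr.entrypoints=web"
      - "last.commit.url=https://api.github.com/repos/Readarr/Readarr/commits"
    depends_on:
      - pihole
    volumes:
      - /srv/docker/container/readarr/config:/config
      - /export/docker/storage/downloads:/downloads
      - /export/docker/storage/books:/books
      - /etc/localtime:/etc/localtime:ro

  calibre:
    container_name: calibre
    image: linuxserver/calibre:latest
    restart: always
    environment:
      - TZ=Australia/Melbourne
      - PUID=500
      - PGID=500
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      # Two routers: the calibre desktop (8080) and the content server (8081).
      - "traefik.http.routers.calibre.service=calibre"
      - "traefik.http.routers.calibre.rule=Host(`calibre.ddp.net`)"
      - "traefik.http.services.calibre.loadbalancer.server.port=8080"
      - "traefik.http.routers.calibre.entrypoints=web"
      - "traefik.http.routers.calibreweb.service=calibreweb"
      - "traefik.http.routers.calibreweb.rule=Host(`calibreweb.ddp.net`)"
      - "traefik.http.services.calibreweb.loadbalancer.server.port=8081"
      - "traefik.http.routers.calibreweb.entrypoints=web"
      - "last.commit.url=https://api.github.com/repos/linuxserver/docker-calibre/commits"
    depends_on:
      - pihole
    volumes:
      - /srv/docker/container/calibre/config:/config
      - /etc/localtime:/etc/localtime:ro

  # Runs with network_mode: host to be on the 192.168.0/24 subnet so that
  # direct play on the TV works (from memory). Host networking means every
  # port emby opens is on the host's interfaces, not just 8096.
  emby:
    container_name: emby
    # image: emby/embyserver:latest
    image: emby/embyserver:4.9.0.34
    restart: always
    network_mode: host
    environment:
      - UID=500
      - GID=500
      # 44 is for /dev/dri/card driver support / 110 for AMD transcoding
      - GIDLIST=44,110
      - TZ=Australia/Melbourne
    volumes:
      - /srv/docker/container/emby/config:/config
      - /srv/docker/container/emby/transcode:/transcode
      - /export/docker/storage:/data
      - /export/myth/tv:/myth-recordings
      - /etc/localtime:/etc/localtime:ro
    devices:
      - /dev/dri:/dev/dri
    depends_on:
      - pihole
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.emby.rule=Host(`emby.depaoli.id.au`)"
      # With network_mode: host traefik reaches this via http://localhost:8096
      - "traefik.http.services.emby.loadbalancer.server.port=8096"
      - "traefik.http.routers.emby.tls=true"
      - "traefik.http.routers.emby.entrypoints=secureweb"
      - "traefik.http.routers.emby.tls.certresolver=myresolver"
      - "last.commit.url=https://api.github.com/repos/MediaBrowser/Emby.Releases/commits"

  # fail2ban might need a better whitelist? (I had internal docker ips in my
  # quick fudge as well?) -- NOTE(review): whitelisting the docker bridge
  # ranges means anything that proxies through a container (webmail below)
  # is never banned; keep the ignore list to the LAN and localhost only.
  mail:
    image: docker.io/mailserver/docker-mailserver:14.0.0
    domainname: depaoli.id.au
    container_name: mail
    restart: always
    ports:
      - "0.0.0.0:25:25"
      - "0.0.0.0:465:465"
      - "0.0.0.0:587:587"
      - "0.0.0.0:993:993"
    labels:
      # Somehow watchtower keeps restarting mail even without an update AND the
      # mailserver emails me with updates anyway (the image is pinned, so
      # watchtower can only ever re-pull the same tag).
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      # rspamd web UI, LAN name only. rspamd's controller UI has its own
      # password; confirm it is set, as this router adds no auth.
      - "traefik.http.routers.mail.rule=Host(`rspamd.ddp.net`)"
      - "traefik.http.services.mail.loadbalancer.server.port=11334"
      - "traefik.http.routers.mail.entrypoints=web"
      - "last.commit.url=https://api.github.com/repos/docker-mailserver/docker-mailserver/commits"
    depends_on:
      - pihole
      - openldap
    volumes:
      - /srv/docker/container/mail/data:/var/mail
      - /srv/docker/container/mail/state:/var/mail-state
      - /srv/docker/container/mail/log:/var/log/mail
      - /srv/docker/container/mail/config/:/tmp/docker-mailserver/
      - /etc/localtime:/etc/localtime:ro
      # Used (via .../mail/config/user-patches.sh) to insert a cron job running
      # from .../mara-bin and writing to .../monitoring-results. mara-bin is
      # executed as root inside the container, so its host directory must only
      # be writable by root.
      - /srv/docker/container/mail/mara-bin:/root/bin
      - /srv/docker/container/mail/monitoring-results:/monitoring-results
      # NOTE: the depweb container gets traefik to manage the depaoli.id.au
      # cert (and store it into acme.json). acme.json contains the private
      # keys of EVERY certificate traefik has issued (emby, grafana,
      # vaultwarden, ...), not just the mail one, so a compromise of this
      # container exposes all of them.
      - /srv/docker/container/letsencrypt/etc/acme.json:/etc/letsencrypt/acme.json:ro
    environment:
      - ENABLE_CLAMAV=1
      - ENABLE_FAIL2BAN=1
      - ENABLE_POSTGREY=0
      - ENABLE_UPDATE_CHECK=1
      - ENABLE_POP3=0
      # This allows users to manage their own sieves; not something we use at present.
      - ENABLE_MANAGESIEVE=0
      # Don't know if this can go to 1 or not, seems more for postscreen than
      # rspamd, so not sure if it has always been off?
      - ENABLE_DNSBL=0
      # As per the doco, enabling rspamd and disabling unneeded services (up to spamassassin).
      - ENABLE_RSPAMD=1
      - ENABLE_OPENDKIM=0
      - ENABLE_OPENDMARC=0
      - ENABLE_POLICYD_SPF=0
      - ENABLE_AMAVIS=0
      - ENABLE_SPAMASSASSIN=0
      - MOVE_SPAM_TO_JUNK=1
      # Only greylist spammy emails.
      - RSPAMD_GREYLISTING=1
      # If people move mail junk -> inbox (ham) or the reverse (spam), learn from it.
      - RSPAMD_LEARN=1
      # Some hostname heuristics for dodgy mailservers using wrong syntax -
      # adds a header only at the moment; test and switch to drop when we trust it.
      - RSPAMD_HFILTER=1
      # Spoof protection stops anyone sending with an email address that
      # doesn't match the account they authenticated as.
      - SPOOF_PROTECTION=1
      - ONE_DIR=1
      - DMS_DEBUG=0
      - LOG_LEVEL=warn
      - ACCOUNT_PROVISIONER=LDAP
      # Plain ldap:// inside the compose network (no TLS). The stale remark
      # about "using IP because container names changed" no longer applies;
      # the container name is used.
      - LDAP_SERVER_HOST=ldap://openldap:1389
      - LDAP_SEARCH_BASE=dc=depaoli,dc=id,dc=au
      # SECURITY: postfix/dovecot bind as the directory *root* DN. They only
      # need read access to mail attributes. Create a dedicated read-only
      # service account (and give it its own password in the secrets file) so
      # a mail-server compromise cannot rewrite the directory. The same applies
      # to SASLAUTHD_LDAP_BIND_DN below and to grafana's ldap.toml.
      - LDAP_BIND_DN=cn=admin,dc=depaoli,dc=id,dc=au
      - LDAP_QUERY_FILTER_USER=(&(mail=%s)(mailEnabled=TRUE))
      - LDAP_QUERY_FILTER_GROUP=(&(mailGroupMember=%s)(mailEnabled=TRUE))
      - LDAP_QUERY_FILTER_ALIAS=(mailAlias=%s)
      - LDAP_QUERY_FILTER_DOMAIN=(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))
      - DOVECOT_PASS_FILTER=(&(objectClass=PostfixBookMailAccount)(uid=%n))
      - DOVECOT_USER_FILTER=(&(objectClass=PostfixBookMailAccount)(uid=%n))
      - ENABLE_SASLAUTHD=1
      - SASLAUTHD_MECHANISMS=ldap
      - SASLAUTHD_LDAP_SERVER=ldap://openldap:1389
      - SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=depaoli,dc=id,dc=au
      - SASLAUTHD_LDAP_SEARCH_BASE=ou=users,dc=depaoli,dc=id,dc=au
      - SASLAUTHD_LDAP_FILTER=(&(uid=%U)(objectClass=person))
      - POSTMASTER_ADDRESS=postmaster@depaoli.id.au
      - POSTFIX_MESSAGE_SIZE_LIMIT=100000000
      - SSL_TYPE=letsencrypt
    # Holds the LDAP bind password (shared with openldap and grafana).
    env_file:
      - /srv/docker/config/secrets/ldap-mail-common
    # Needed by fail2ban to manage iptables inside the container.
    cap_add:
      - NET_ADMIN

  openldap:
    image: bitnami/openldap:latest
    user: "2000"
    container_name: openldap
    restart: always
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "last.commit.url=https://api.github.com/repos/bitnami/containers/commits?path=bitnami/openldap"
    environment:
      # NOTE(review): debug output plus loglevel 256 (stats) logs every
      # operation, including bind DNs; fine for bring-up, noisy (and a
      # mild disclosure) in steady state.
      BITNAMI_DEBUG: "true"
      LDAP_ROOT: "dc=depaoli,dc=id,dc=au"
      LDAP_ADMIN_USERNAME: "admin"
      LDAP_SKIP_DEFAULT_TREE: "yes"
      LDAP_CUSTOM_SCHEMA_DIR: "/schemas"
      LDAP_CUSTOM_LDIF_DIR: "/ldifs"
      LDAP_LOGLEVEL: "256"
    # Holds LDAP_ADMIN_PASSWORD (the same value mail/grafana bind with).
    env_file:
      - /srv/docker/config/secrets/ldap-mail-common
    tty: true
    stdin_open: true
    depends_on:
      - pihole
    volumes:
      - /srv/docker/container/ldap/:/bitnami/openldap/
      - /srv/docker/container/ldap/bootstrap-schema:/schemas
      - /srv/docker/container/ldap/bootstrap-ldifs:/ldifs
      - /etc/localtime:/etc/localtime:ro
    # SECURITY: unencrypted LDAP published on ALL host interfaces. Simple binds
    # (including the admin password) cross the wire in clear text to any client
    # outside the compose network, and this is the same host that fronts the
    # internet. Containers in this file reach it as openldap:1389 and do not
    # need this mapping at all. If an external LAN client genuinely needs it,
    # bind to the LAN address (e.g. "192.168.0.2:389:1389") and enable TLS
    # (LDAP_ENABLE_TLS / ldaps) instead of 0.0.0.0 -- TODO(review) confirm who
    # uses it before changing.
    ports:
      - "0.0.0.0:389:1389"

  # webmail
  webmail:
    image: roundcube/roundcubemail:latest
    container_name: webmail
    restart: always
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.webmail.rule=Host(`webmail.depaoli.id.au`)"
      - "traefik.http.routers.webmail.entrypoints=secureweb"
      - "traefik.http.routers.webmail.tls=true"
      - "traefik.http.routers.webmail.tls.certresolver=myresolver"
      - "last.commit.url=https://api.github.com/repos/roundcube/roundcubemail/commits"
    volumes:
      - /srv/docker/container/roundcubemail/www:/var/www/html
      - /srv/docker/container/roundcubemail/db/sqlite:/var/roundcube/db
      - /srv/docker/container/roundcubemail/tmp/roundcube-temp:/tmp/roundcube-temp
      - /srv/docker/container/roundcubemail/var/roundcube/config:/var/roundcube/config
      - /etc/localtime:/etc/localtime:ro
    depends_on:
      - pihole
      - mail
      - openldap
    environment:
      - ROUNDCUBEMAIL_DB_TYPE=sqlite
      - ROUNDCUBEMAIL_SKIN=elastic
      # Talks to the mail server over TLS via its public name (so from the
      # mail server's point of view logins arrive from the webmail container's
      # bridge IP -- relevant to the fail2ban note above).
      - ROUNDCUBEMAIL_DEFAULT_HOST=ssl://depaoli.id.au
      - ROUNDCUBEMAIL_DEFAULT_PORT=993
      - ROUNDCUBEMAIL_SMTP_SERVER=ssl://depaoli.id.au
      - ROUNDCUBEMAIL_SMTP_PORT=465

  # Portainer holds a read-write Docker socket, i.e. root on the host, and its
  # UI is served over plain HTTP on a LAN name. Its own login is the only gate,
  # and those credentials travel in clear text. The router is pinned to the
  # "web" entrypoint (it previously attached to every entrypoint) and to the
  # LAN allow-list defined on traefik.
  portainer:
    container_name: portainer
    image: portainer/portainer-ce:latest
    restart: always
    depends_on:
      - pihole
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /srv/docker/container/portainer/data:/data
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.rule=Host(`portainer.ddp.net`)"
      - "traefik.http.routers.portainer.entrypoints=web"
      - "traefik.http.routers.portainer.middlewares=lan-only@docker"
      # Need to be explicit, as it also runs API ports, SSL ports, etc.
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
      - "last.commit.url=https://api.github.com/repos/portainer/portainer/commits"

  # Runs with network_mode: host so it is on the same subnet as the IoT
  # devices and can see/discover them.
  # SECURITY: this is an internet-facing service (hass.depaoli.id.au) that is
  # privileged, has seccomp disabled, a read-write Docker socket and the host
  # D-Bus. A single Home Assistant (or integration) RCE is therefore host root.
  # privileged/seccomp are usually only needed for USB/Bluetooth adapters and
  # the Docker socket only for a docker-monitoring integration -- TODO(review)
  # confirm which of these are actually in use and drop the rest; if a USB
  # device is the reason, pass it with "devices:" instead of privileged.
  hass:
    image: ghcr.io/home-assistant/home-assistant:latest
    container_name: hass
    privileged: true
    network_mode: host
    restart: always
    security_opt:
      - seccomp:unconfined
    depends_on:
      - pihole
      - openldap
    volumes:
      - /srv/docker/container/hass:/config
      # Adds a known_hosts file to /root's .ssh so the 'command line
      # authentication' works on login in every new container (pinning the
      # LDAP/SSH host key rather than trusting on first use).
      - /srv/docker/container/hass/ssh/known_hosts:/root/.ssh/known_hosts
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket
      - /etc/localtime:/etc/localtime:ro
      - /run/dbus:/run/dbus:ro
    labels:
      # Deliberately not auto-updated: HA releases need reading before upgrade.
      - "com.centurylinklabs.watchtower.enable=false"
      # Traefik is used here, but handled via files due to use of "network_mode: host".
      - "traefik.enable=true"
      - "traefik.http.routers.hass.rule=Host(`hass.depaoli.id.au`)"
      # With network_mode: host traefik reaches this via http://localhost:8123
      - "traefik.http.services.hass.loadbalancer.server.port=8123"
      - "traefik.http.routers.hass.tls=true"
      - "traefik.http.routers.hass.entrypoints=secureweb"
      - "traefik.http.routers.hass.tls.certresolver=myresolver"
      - "last.commit.url=https://api.github.com/repos/home-assistant/core/commits"

  # This runs in network_mode: host so that it can find the players automatically.
  # mass:
  #   image: ghcr.io/music-assistant/server:latest
  #   container_name: mass
  #   restart: always
  #   network_mode: host
  #   depends_on:
  #     - pihole
  #     - emby
  #   volumes:
  #     - /srv/docker/container/mass/data:/data
  #     - /export/docker/storage/music:/music
  #     - /etc/localtime:/etc/localtime:ro
  #   labels:
  #     - "com.centurylinklabs.watchtower.enable=true"
  #     - "traefik.enable=true"
  #     - "traefik.http.routers.mass.rule=Host(`hass.depaoli.id.au`) && PathPrefix(`/mass/`)"
  #     - "traefik.http.routers.mass.tls=true"
  #     - "traefik.http.routers.mass.entrypoints=secureweb"
  #     - "traefik.http.middlewares.stripprefix-mass.stripprefix.prefixes=/mass"
  #     - "traefik.http.routers.mass.middlewares=stripprefix-mass@docker"
  #     - "traefik.http.routers.mass.tls.certresolver=myresolver"
  #     # With network_mode: host traefik reaches this via http://127.0.0.1:8095
  #     - "traefik.http.services.mass.loadbalancer.server.port=8095"

  mosquitto:
    container_name: mosquitto
    image: eclipse-mosquitto:latest
    restart: always
    volumes:
      - /srv/docker/container/mosquitto:/mosquitto
      - /srv/docker/container/mosquitto/data:/mosquitto/data
      - /srv/docker/container/mosquitto/log:/mosquitto/log
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "last.commit.url=https://api.github.com/repos/eclipse/mosquitto/commits"
    # Plain MQTT (no TLS) on all host interfaces. Whether anonymous clients can
    # publish/subscribe depends on allow_anonymous in mosquitto.conf, which is
    # not visible here -- it must be false with a password_file, or any host
    # that can reach :1883 can drive the IoT devices through hass.
    ports:
      - "0.0.0.0:1883:1883"

  # esphome needs USB access to flash devices; privileged + all of /dev is the
  # blunt way to get it. Passing just the serial adapter via "devices:" would
  # do, but the device node name varies per board, so it is left as is.
  esphome:
    container_name: esphome
    # No tag -> :latest.
    image: esphome/esphome
    environment:
      - ESPHOME_DASHBOARD_USE_PING=true
    volumes:
      - /srv/docker/container/esphome/config:/config
      - /dev:/dev
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.esphome.rule=Host(`esphome.ddp.net`)"
      - "traefik.http.routers.esphome.entrypoints=web"
      - "last.commit.url=https://api.github.com/repos/esphome/esphome/commits"
    restart: always
    privileged: true

  sabnzbd:
    image: linuxserver/sabnzbd:latest
    container_name: sabnzbd
    restart: always
    environment:
      - PUID=500
      - PGID=500
      - TZ=Australia/Melbourne
    depends_on:
      - pihole
    volumes:
      - /srv/docker/container/sabnzbd/:/config
      - /export/docker/storage/downloads:/downloads
      - /export/docker/storage/incomplete-downloads:/incomplete-downloads
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.sabnzbd.rule=Host(`sab.ddp.net`)"
      - "traefik.http.routers.sabnzbd.entrypoints=web"
      - "last.commit.url=https://api.github.com/repos/linuxserver/docker-sabnzbd/commits"

  influxdb:
    image: influxdb:latest
    container_name: influxdb
    environment:
      # DOCKER_INFLUXDB_INIT_* are only honoured on the first start against an
      # empty /var/lib/influxdb2; after that they are ignored.
      - DOCKER_INFLUXDB_INIT_MODE=setup
      - DOCKER_INFLUXDB_INIT_ORG=mara
      - DOCKER_INFLUXDB_INIT_USERNAME=telegraf
      - DOCKER_INFLUXDB_INIT_BUCKET=telegraf
      - DOCKER_INFLUXDB_INIT_RETENTION=2w
      # SECURITY: the all-access admin token (DOCKER_INFLUXDB_INIT_ADMIN_TOKEN)
      # used to be written literally here. Per the convention at the top of
      # this file it now lives in the secrets env_file below, next to
      # DOCKER_INFLUXDB_INIT_PASSWORD. Because the old value was committed in
      # this file it must be treated as leaked: revoke it and create a new one
      # with `influx auth` -- changing the env var does NOT rotate a token on
      # an already-initialised database. Telegraf should then be given its own
      # write-only token for the "telegraf" bucket instead of the admin token.
    env_file:
      - /srv/docker/config/secrets/influxdb
    volumes:
      - /srv/docker/container/influxdb/data:/var/lib/influxdb2
      - /srv/docker/container/influxdb/config:/etc/influxdb2
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.influxdb.rule=Host(`influx.ddp.net`)"
      - "traefik.http.routers.influxdb.entrypoints=web"
      - "last.commit.url=https://api.github.com/repos/influxdata/influxdb/commits"
    restart: always

  # Telegraf runs as root, privileged, with the Docker socket and the whole
  # host filesystem mounted. privileged makes the ":ro" on the socket and on
  # /dev meaningless (all devices are available read-write regardless). It is
  # done for smartctl/nvme, which need raw device ioctls; a narrower setup
  # would be cap_add: [SYS_RAWIO, SYS_ADMIN] plus only the disk device nodes
  # -- TODO(review) test before switching, this is not verified here.
  telegraf:
    image: telegraf:latest
    container_name: telegraf
    # Needs to be 0 / root to run smartmontools / nvme.
    user: "root"
    # Wrapper adds the docker group to the telegraf user for reading
    # docker.sock and installs smartmontools, etc. Runs as root, so the host
    # copy of the script must only be writable by root.
    entrypoint: /root/mara-init/entrypoint-wrapper.sh
    volumes:
      - /srv/docker/container/telegraf:/etc/telegraf
      - /srv/docker/container/telegraf/sudoers/smart:/etc/sudoers.d/smart
      - /srv/docker/container/telegraf/mara-init/entrypoint-wrapper.sh:/root/mara-init/entrypoint-wrapper.sh
      # For telegraf to pick up external script output.
      - /srv/docker/container/telegraf/monitoring-results:/usr/local/external-results/mara
      - /srv/docker/container/mythtv/monitoring-results:/usr/local/external-results/myth
      - /srv/docker/container/mail/monitoring-results:/usr/local/external-results/mail
      - /srv/docker/container/kuma/monitoring-results:/usr/local/external-results/kuma
      - /srv/docker/container/samba/monitoring-results:/usr/local/external-results/samba
      # For telegraf to see host details.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /:/host:ro
      - /run/udev:/run/udev:ro
      - /etc/localtime:/etc/localtime:ro
    privileged: true
    devices:
      - /dev:ro
    environment:
      - HOST_MOUNT_PREFIX=/host
      - HOST_PROC=/host/proc
      - HOST_SYS=/host/sys
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "last.commit.url=https://api.github.com/repos/influxdata/telegraf/commits"
    depends_on:
      - influxdb
    restart: always

  grafana:
    image: grafana/grafana:latest
    container_name: grafana
    restart: always
    depends_on:
      - influxdb
    volumes:
      - /srv/docker/container/grafana/grafana.ini:/etc/grafana/grafana.ini
      # ldap.toml: see the LDAP_BIND_DN note on the mail service -- use a
      # read-only bind account here as well, not cn=admin.
      - /srv/docker/container/grafana/ldap.toml:/etc/grafana/ldap.toml
      - /srv/docker/container/grafana/data:/var/lib/grafana
      - /srv/docker/container/grafana/dashboards:/var/lib/grafana/dashboards
      - /srv/docker/container/grafana/grafana/provisioning:/etc/grafana/provisioning
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - /srv/docker/container/grafana/config.monitoring
      - /srv/docker/config/secrets/ldap-mail-common
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      # Published twice: TLS on the public name and plain HTTP on the LAN
      # name. The same LDAP credentials are accepted on both, so the plain-
      # HTTP router is where they can be sniffed.
      - "traefik.http.routers.grafana_ssl.rule=Host(`graf.depaoli.id.au`)"
      - "traefik.http.routers.grafana_ssl.tls=true"
      - "traefik.http.routers.grafana_ssl.entrypoints=secureweb"
      - "traefik.http.routers.grafana_ssl.tls.certresolver=myresolver"
      - "traefik.http.routers.grafana.rule=Host(`grafana.ddp.net`)"
      - "traefik.http.routers.grafana.entrypoints=web"
      - "last.commit.url=https://api.github.com/repos/grafana/grafana/commits"

  adguard:
    container_name: adguard
    image: adguard/adguardhome
    # DNS bound to the LAN address only, not 0.0.0.0 -- good; this is the
    # pattern the other LAN-only port mappings in this file should follow.
    ports:
      - "192.168.0.2:53:53/tcp"
      - "192.168.0.2:53:53/udp"
    environment:
      TZ: 'Australia/Melbourne'
    volumes:
      - /srv/docker/container/adguard/conf:/opt/adguardhome/conf
      - /srv/docker/container/adguard/work:/opt/adguardhome/work
      - /etc/localtime:/etc/localtime:ro
    restart: always
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.adguard.rule=Host(`adguard.ddp.net`)"
      - "traefik.http.routers.adguard.entrypoints=web"
      - "traefik.http.services.adguard.loadbalancer.server.port=80"
      - "last.commit.url=https://api.github.com/repos/AdguardTeam/AdGuardHome/commits"

  # Nearly everything depends_on pihole: it is the resolver the containers use.
  # Its :53 mapping is commented out because adguard owns the host's DNS port.
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    # ports:
    #   - "192.168.0.2:53:53/tcp"
    #   - "192.168.0.2:53:53/udp"
    environment:
      TZ: 'Australia/Melbourne'
      PIHOLE_DNS_: '208.67.222.222;208.67.220.220'
    # Holds WEBPASSWORD.
    env_file:
      - /srv/docker/config/secrets/pihole
    volumes:
      - /srv/docker/container/pihole/etc/:/etc/pihole/
      - /srv/docker/container/pihole/dnsmasq.d/:/etc/dnsmasq.d/
      - /etc/localtime:/etc/localtime:ro
    restart: always
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.pihole.entrypoints=web"
      - "traefik.http.routers.pihole.rule=Host(`pihole.ddp.net`)"
      # pihole is a mess: it does not redirect, but requires /admin to log in,
      # then it redirects back to / -- the strip & add fixes this mess.
      - "traefik.http.middlewares.pihole-add.addprefix.prefix=/admin"
      - "traefik.http.middlewares.pihole-strip.stripprefix.prefixes=/admin"
      - "traefik.http.routers.pihole.middlewares=pihole-strip,pihole-add"
      # We set this to port 80; pihole has many open ports (e.g. 53), so we
      # have to tell traefik which port to send http traffic to.
      - "traefik.http.services.pihole.loadbalancer.server.port=80"
      - "last.commit.url=https://api.github.com/repos/pi-hole/pi-hole/commits"

  # Book database: dev (postgres:latest, auto-updated -- a major-version pull
  # will refuse to start on the old data directory) and prod (pinned to 17).
  # Neither publishes a port; they are only reachable on the compose network.
  bookdb_dev:
    container_name: bookdb_dev
    image: postgres:latest
    restart: always
    environment:
      POSTGRES_USER: ddp
      POSTGRES_DB: library
    env_file:
      - /srv/docker/config/secrets/bookdb-common
    depends_on:
      - pihole
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "last.commit.url=https://api.github.com/repos/postgres/postgres/commits"
    volumes:
      - /srv/docker/container/bookdb_dev/data:/var/lib/postgresql/data
      - /srv/docker/container/bookdb_dev/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
      - /etc/localtime:/etc/localtime:ro

  bookdb:
    container_name: bookdb
    image: postgres:17
    restart: always
    environment:
      POSTGRES_USER: ddp
      POSTGRES_DB: library
    env_file:
      - /srv/docker/config/secrets/bookdb-common
    depends_on:
      - pihole
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "last.commit.url=https://api.github.com/repos/postgres/postgres/commits"
    volumes:
      - /srv/docker/container/bookdb/data:/var/lib/postgresql/data
      - /srv/docker/container/bookdb/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
      - /etc/localtime:/etc/localtime:ro

  bookdev:
    container_name: bookdev
    restart: always
    environment:
      FLASK_ENV: "container"
    build:
      context: '/home/ddp/src/pybook'
      args:
        ENV: "container"
        BOOK_UID: "1000"
        BOOK_GID: "1000"
    depends_on:
      - bookdb_dev
      - pihole
    volumes:
      # Live source tree mounted read-write: whatever the dev app can write,
      # it writes into the checkout.
      - /home/ddp/src/pybook/:/pybook_mapped_volume
      - /export/docker/storage/books/:/books
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
      - "traefik.enable=true"
      - "traefik.http.routers.bookdev.rule=Host(`bookdev.ddp.net`)"
      - "traefik.http.routers.bookdev.entrypoints=web"

  book:
    container_name: book
    restart: always
    environment:
      FLASK_ENV: "production"
    build:
      context: '/home/ddp/src/pybook'
      args:
        ENV: "production"
        BOOK_UID: "1000"
        BOOK_GID: "1000"
    depends_on:
      - bookdb
      - pihole
    volumes:
      - /export/docker/storage/books:/books
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
      - "traefik.enable=true"
      - "traefik.http.routers.book.rule=Host(`book.depaoli.id.au`)"
      - "traefik.http.routers.book.tls=true"
      - "traefik.http.routers.book.entrypoints=secureweb"
      - "traefik.http.routers.book.tls.certresolver=myresolver"

  padb_dev:
    container_name: padb_dev
    image: postgres:latest
    restart: always
    # Replace the entrypoint to install cron and a cron job to back up users so
    # we can rebuild the content from SQL. The wrapper runs as root in the
    # container, so the host mara-init/mara-bin dirs must be root-owned.
    entrypoint: /root/mara-init/entrypoint-wrapper.sh
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "last.commit.url=https://api.github.com/repos/postgres/postgres/commits"
    environment:
      POSTGRES_USER: pa
      POSTGRES_DB: pa
    env_file:
      - /srv/docker/config/secrets/padb-common
    depends_on:
      - pihole
    volumes:
      - /srv/docker/container/padb_dev/data:/var/lib/postgresql/data
      - /srv/docker/container/padb_dev/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
      - /srv/docker/container/padb_dev/mara-init:/root/mara-init
      - /srv/docker/container/padb_dev/mara-bin:/root/mara-bin
      - /etc/localtime:/etc/localtime:ro
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "pa"]
      interval: 30s
      timeout: 10s
      retries: 5

  padb:
    container_name: padb
    image: postgres:17
    restart: always
    # Replace the entrypoint to install cron and a cron job to back up users so
    # we can rebuild the content from SQL.
    entrypoint: /root/mara-init/entrypoint-wrapper.sh
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "last.commit.url=https://api.github.com/repos/postgres/postgres/commits"
    environment:
      POSTGRES_USER: pa
      POSTGRES_DB: pa
    env_file:
      - /srv/docker/config/secrets/padb-common
    depends_on:
      - pihole
    volumes:
      - /srv/docker/container/padb/data:/var/lib/postgresql/data
      - /srv/docker/container/padb/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
      - /srv/docker/container/padb/mara-init:/root/mara-init
      - /srv/docker/container/padb/mara-bin:/root/mara-bin
      - /etc/localtime:/etc/localtime:ro

  padev:
    container_name: padev
    restart: always
    build:
      context: '/home/ddp/src/photoassistant'
      args:
        # uid for ddp (for dev/container)
        PA_ID: "1000"
    environment:
      ENV: "container"
    depends_on:
      padb_dev:
        condition: service_healthy
    volumes:
      - /home/ddp/src/photoassistant:/home/ddp/src/photoassistant
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
      - "traefik.enable=true"
      - "traefik.http.routers.padev.rule=Host(`padev.ddp.net`)"
      - "traefik.http.routers.padev.entrypoints=web"

  pa:
    container_name: pa
    restart: always
    build:
      context: '/home/ddp/src/photoassistant'
      args:
        # uid for mythtv (for prod)
        PA_ID: "500"
    environment:
      ENV: "production"
    depends_on:
      - padb
    volumes:
      # Internet-facing app with the whole media store mounted read-write;
      # if it only reads photos, add :ro.
      - /export/docker/storage:/export/docker/storage
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
      - "traefik.enable=true"
      - "traefik.http.routers.pa.rule=Host(`pa.depaoli.id.au`)"
      - "traefik.http.routers.pa.tls=true"
      - "traefik.http.routers.pa.entrypoints=secureweb"
      - "traefik.http.routers.pa.tls.certresolver=myresolver"

  tix:
    container_name: tix
    restart: always
    environment:
      ENV: "production"
    # Force uid/gid 1000/1000 so we can share dev/prod for now - may care
    # enough one day to fix.
    build:
      context: '/home/ddp/src/tix'
      args:
        USERID: "1000"
        GROUPID: "1000"
    # Runs unprivileged; the only service here that sets a non-root user
    # explicitly besides openldap and sshwifty.
    user: "1000:1000"
    volumes:
      - /home/ddp/src/tix/:/tix
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
      - "traefik.enable=true"
      - "traefik.http.routers.tix.rule=Host(`tix.depaoli.id.au`)"
      - "traefik.http.routers.tix.tls=true"
      - "traefik.http.routers.tix.entrypoints=secureweb"
      - "traefik.http.routers.tix.tls.certresolver=myresolver"

  # Runs cron to invoke snow-ticket-analysis.py once a day to extract the next
  # PDFs and add data to stats.db - then used by tix: to graph the data.
  tixbkend:
    container_name: tixbkend
    restart: always
    environment:
      ENV: "production"
    # Force uid/gid 1000/1000 so we can share dev/prod for now - may care
    # enough one day to fix.
    build:
      context: '/home/ddp/src/snow-ticket-analysis'
      args:
        USERID: "1000"
        GROUPID: "1000"
    volumes:
      - /home/ddp/src/tix/:/tix/
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=false"

  vaultwarden:
    container_name: vaultwarden
    restart: always
    # Highest-value target in this file (every other password). Pin the tag
    # rather than letting watchtower pull :latest unattended.
    image: vaultwarden/server:latest
    depends_on:
      - pihole
      - openldap
    volumes:
      - /srv/docker/container/vaultwarden:/data
      - /etc/localtime:/etc/localtime:ro
    environment:
      - "ORG_EVENTS_ENABLED=true"
    # Expected to hold ADMIN_TOKEN and SIGNUPS_ALLOWED=false (not visible here;
    # confirm, since this is reachable from the internet).
    env_file:
      - /srv/docker/config/secrets/vaultwarden
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.vaultwarden.rule=Host(`bw.depaoli.id.au`)"
      - "traefik.http.routers.vaultwarden.tls=true"
      # tls12 is defined in the file provider under /configuration.
      - "traefik.http.routers.vaultwarden.tls.options=tls12@file"
      - "traefik.http.routers.vaultwarden.entrypoints=secureweb"
      - "traefik.http.routers.vaultwarden.tls.certresolver=myresolver"
      - "last.commit.url=https://api.github.com/repos/dani-garcia/vaultwarden/commits"

  # Auto-update docker images. Only containers labelled watchtower.enable=true
  # are touched (--label-enable). Holds a read-write Docker socket and runs a
  # "-dev" tag of itself, so the updater is the least pinned thing here.
  watchtower:
    container_name: watchtower
    image: containrrr/watchtower:latest-dev
    command: --schedule "0 0 3 * * *" --debug --stop-timeout 60s --label-enable --cleanup
    restart: always
    depends_on:
      - pihole
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "last.commit.url=https://api.github.com/repos/containrrr/watchtower/commits"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "/etc/localtime:/etc/localtime:ro"

  # Used by hass (eufy) to get notifications from the camera. This container
  # holds the Eufy cloud login (env_file) and serves a websocket on :3000 on
  # every host interface. Its only consumer is hass, which runs with
  # network_mode: host and can reach it on localhost -- so "127.0.0.1:3000:3000"
  # would suffice provided the hass integration is configured with localhost
  # rather than the LAN address (TODO(review): check, then narrow the bind).
  eufy_security_ws:
    image: bropat/eufy-security-ws:latest
    container_name: eufy_security_ws
    restart: always
    environment:
      - "USERNAME=eufy_hass@depaoli.id.au"
      - "COUNTRY=AU"
      - "DEBUG=-v"
      - "TRUSTED_DEVICE_NAME=Pixel Pro 7"
    env_file:
      - /srv/docker/config/secrets/eufy_security_ws
    ports:
      - "0.0.0.0:3000:3000"
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "last.commit.url=https://api.github.com/repos/bropat/eufy-security-ws/commits"
    depends_on:
      - pihole
    volumes:
      - "/srv/docker/container/eufy_security_ws/data:/data"
      - "/etc/localtime:/etc/localtime:ro"
      - "/etc/timezone:/etc/timezone:ro"

  # Used by hass (eufy) to stream from the camera. RTMP (1935) and RTSP (8554)
  # on all interfaces with no auth configured here; anyone on the LAN can
  # watch or publish unless the server config (not mounted) restricts it.
  rtsp_simple_server:
    image: aler9/rtsp-simple-server:latest
    container_name: rtsp_simple_server
    restart: always
    environment:
      - "RTSP_PROTOCOLS=tcp"
    ports:
      - "0.0.0.0:1935:1935"
      - "0.0.0.0:8554:8554"
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "last.commit.url=https://api.github.com/repos/bluenviron/mediamtx/commits"
    depends_on:
      - pihole
    volumes:
      - "/etc/localtime:/etc/localtime:ro"

  # NOT YET - API calls don't match DB, need to wait.
  # mon:
  #   image: louislam/uptime-kuma:beta-slim
  #   container_name: mon
  #   volumes:
  #     - /srv/docker/container/mon/data:/app/data
  #     - /srv/docker/container/mon/mara-bin:/root/mara-bin/
  #     - /srv/docker/container/mon/mara-init:/root/mara-init/
  #     - /var/run/docker.sock:/var/run/docker.sock:ro
  #     # used to transfer which containers we monitor through to telegraf
  #     - /srv/docker/container/mon/monitoring-results:/monitoring-results
  #     - /etc/localtime:/etc/localtime:ro
  #   entrypoint: /root/mara-init/entrypoint-wrapper.sh
  #   ports:
  #     - "0.0.0.0:13001:3001"
  #   labels:
  #     - "com.centurylinklabs.watchtower.enable=true"
  #     - "traefik.enable=true"
  ##     - "traefik.http.routers.kuma.rule=Host(`mon.depaoli.id.au`)"
  ##     - "traefik.http.routers.kuma.tls=true"
  ##     - "traefik.http.routers.kuma.entrypoints=secureweb"
  ##     - "traefik.http.routers.kuma.tls.certresolver=myresolver"
  #     - "last.commit.url=https://api.github.com/repos/louislam/uptime-kuma/commits"
  #   restart: always

  kuma:
    image: louislam/uptime-kuma:latest
    container_name: kuma
    volumes:
      - /srv/docker/container/kuma/data:/app/data
      - /srv/docker/container/kuma/mara-bin:/root/mara-bin/
      - /srv/docker/container/kuma/mara-init:/root/mara-init/
      # Docker socket (root-equivalent despite :ro) in an internet-facing app.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Used to transfer which containers we monitor through to telegraf.
      - /srv/docker/container/kuma/monitoring-results:/monitoring-results
      - /etc/localtime:/etc/localtime:ro
    entrypoint: /root/mara-init/entrypoint-wrapper.sh
    # Also published directly on :3001 (plain HTTP, all interfaces), which
    # bypasses the TLS router below.
    ports:
      - "0.0.0.0:3001:3001"
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.kuma.rule=Host(`mon.depaoli.id.au`)"
      - "traefik.http.routers.kuma.tls=true"
      - "traefik.http.routers.kuma.entrypoints=secureweb"
      - "traefik.http.routers.kuma.tls.certresolver=myresolver"
      - "last.commit.url=https://api.github.com/repos/louislam/uptime-kuma/commits"
    restart: always

  # Browser SSH client on the public internet. Runs as nobody (good). Its
  # config lives in the /etc bind below (sshwifty.conf.json); make sure a
  # SharedKey is set there so the page itself is not open to anyone.
  sshwifty:
    image: niruix/sshwifty:latest
    container_name: sshwifty
    user: "nobody:nobody"
    restart: always
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.sshwifty.rule=Host(`ssh.depaoli.id.au`)"
      - "traefik.http.routers.sshwifty.tls=true"
      - "traefik.http.routers.sshwifty.entrypoints=secureweb"
      - "traefik.http.routers.sshwifty.tls.certresolver=myresolver"
      - "last.commit.url=https://api.github.com/repos/niruix/sshwifty/commits"
    stdin_open: true
    tty: true
    volumes:
      # Mounts over the container's entire /etc, not just the config file.
      - "/srv/docker/container/sshwifty/:/etc/"
      - "/etc/localtime:/etc/localtime:ro"

  mythdb:
    container_name: mythdb
    image: mariadb:latest
    restart: always
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "last.commit.url=https://api.github.com/repos/MariaDB/mariadb-docker/commits"
    environment:
      MYSQL_DATABASE: 'mythconverg'
      MYSQL_USER: 'mythtv'
      # SECURITY: MYSQL_PASSWORD was hard-coded here as the MythTV default
      # ('mythtv') while the database is published on every host interface
      # below. Per the convention at the top of this file it now belongs in the
      # shared mythtv secrets env_file (the myth container reads the same file
      # for its DB login). The image only honours MYSQL_PASSWORD on first
      # initialisation, so on the existing data volume the password has to be
      # changed with ALTER USER as well, and every MythTV frontend's config.xml
      # updated to match.
      MYSQL_UID: 133
      MYSQL_GID: 140
    env_file:
      - /srv/docker/config/secrets/mythtv
    # MythTV frontends on the LAN need direct DB access, so this cannot simply
    # go away -- but bind it to the LAN address (as adguard does) or firewall
    # it; this is the internet-facing host.
    ports:
      - "0.0.0.0:3306:3306"
    volumes:
      - /srv/docker/container/mythtv/db_tst/sql:/docker-entrypoint-initdb.d
      - /srv/docker/container/mythtv/db_tst/data:/var/lib/mysql
      - /srv/docker/container/mythtv/db_tst/log:/var/log/mysql
      - /srv/docker/container/mythtv/db_tst/mythtv.cnf:/etc/mysql/mariadb.conf.d/mythtv.cnf
      - /etc/localtime:/etc/localtime:ro

  # Hacked entrypoint to 'add' to this container so it works as mara needs.
  myth:
    container_name: myth
    image: ubuntu:latest
    hostname: ${HOSTNAME_MYTHTV:-mythtv}
    restart: always
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
    # Needed to renice / ionice just the mythbackend process inside this
    # container (it also runs cron, shepherd and various binaries out of
    # /usr/local/bin). NOTE(review): renice and ionice best-effort/idle classes
    # only need sys_nice; sys_admin is close to full root in the container and
    # is only required by ioprio_set(2) for the realtime I/O class -- drop it
    # unless that is what is used.
    cap_add:
      - sys_nice
      - sys_admin
    environment:
      APACHE_LOG_DIR: /var/log/apache2
      DBNAME: mythconverg
      DBSERVER: mythdb
      LANG: en_US.UTF-8
      LANGUAGE: en_US.UTF-8
      TZ: Australia/Melbourne
    # Backend protocol/API ports, unauthenticated by design in MythTV; LAN
    # only, so the same bind-to-LAN-address advice as mythdb applies.
    ports:
      - "0.0.0.0:6543:6543"
      - "0.0.0.0:6544:6544"
      - "0.0.0.0:6549:6549"
      - "0.0.0.0:6760:6760"
    entrypoint: /root/mara-init/entrypoint-wrapper.sh
    volumes:
      - /srv/docker/container/mythtv/apache2:/var/log/apache2
      - /srv/docker/container/mythtv/data:/var/mythdata
      - /srv/docker/container/mythtv/home:/home/mythtv
      - /srv/docker/container/mythtv/ssh-config:/etc/ssh
      - /srv/docker/container/mythtv/var/log:/var/log/mythtv
      - /srv/docker/container/mythtv/mara-init:/root/mara-init
      - /srv/docker/container/mythtv/mara-bin:/root/mara-bin
      - /srv/docker/container/mythtv/db/sql:/db-container/sql
      - /srv/docker/container/mythtv/db/backups:/db-container/backups
      - /srv/docker/container/mythtv/monitoring-results:/monitoring-results
      # - /etc/localtime:/etc/localtime:ro
      - /export/myth:/export/myth
      - /export/docker/storage/other-videos:/export/myth/videos
    devices:
      - /dev/dvb:/dev/dvb
    # Same secrets file as mythdb (DB password).
    env_file:
      - /srv/docker/config/secrets/mythtv
    depends_on:
      - mythdb

  wiki:
    image: lscr.io/linuxserver/bookstack:latest
    container_name: wiki
    environment:
      - PUID=1000
      - PGID=1000
      - APP_URL=https://wiki.depaoli.id.au
      - DB_HOST=wikidb
      - DB_PORT=3306
    # Shared with wikidb: holds the DB password (and APP_KEY).
    env_file:
      - /srv/docker/config/secrets/wiki
    volumes:
      - /srv/docker/container/wiki:/config
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    depends_on:
      - wikidb
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.wiki.rule=Host(`wiki.depaoli.id.au`)"
      - "traefik.http.routers.wiki.tls=true"
      - "traefik.http.routers.wiki.entrypoints=secureweb"
      - "traefik.http.routers.wiki.tls.certresolver=myresolver"
      - "last.commit.url=https://api.github.com/repos/linuxserver/docker-bookstack/commits"

  wikidb:
    image: lscr.io/linuxserver/mariadb:latest
    container_name: wikidb
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Australia/Melbourne
    env_file:
      - /srv/docker/config/secrets/wiki
    volumes:
      - /srv/docker/container/wikidb/config:/config
      - /srv/docker/container/wikidb/data:/var/lib/mysql
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "last.commit.url=https://api.github.com/repos/linuxserver/docker-mariadb/commits"

  # MythWeb front end (LAN name, plain HTTP). Only "/", /images and /mythweb
  # are routed; everything else under the host gets a 404 from traefik.
  web:
    image: php:apache
    container_name: web
    volumes:
      - /srv/docker/container/web/data:/var/www/html
      - /srv/docker/container/web/mara-init:/root/mara-init
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    entrypoint: "/root/mara-init/entrypoint-wrapper.sh"
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.web.rule=Host(`myth.ddp.net`) && ( Path(`/`) || PathPrefix(`/images` ) || PathPrefix(`/mythweb`) )"
      - "traefik.http.routers.web.entrypoints=web"
      - "last.commit.url=https://api.github.com/repos/docker-library/php/commits"

  # This container exists solely to have traefik manage the depaoli.id.au SSL
  # cert - the web server has no web content to serve.
  # NOTE(review): it is nevertheless a full PHP interpreter on the public
  # internet; any .php file that ever lands in .../depweb/data executes. A
  # static-only image (or traefik's noop@internal service for the router)
  # gives the same certificate with no runtime exposed.
  depweb:
    image: php:apache
    container_name: depweb
    volumes:
      - /srv/docker/container/depweb/data:/var/www/html
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.depweb.rule=Host(`depaoli.id.au`)"
      - "traefik.http.routers.depweb.tls=true"
      - "traefik.http.routers.depweb.entrypoints=secureweb"
      - "traefik.http.routers.depweb.tls.certresolver=myresolver"
      - "last.commit.url=https://api.github.com/repos/docker-library/php/commits"

  samba:
    image: ubuntu:latest
    container_name: samba
    entrypoint: /root/mara-init/entrypoint.sh
    restart: always
    # Forcing the hostname so the samba SID is reliable.
    hostname: sambacontainer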
ports: - "0.0.0.0:139:139" - "0.0.0.0:445:445" volumes: - /export:/export - /srv/docker/container/samba/monitoring-results:/monitoring-results - /srv/docker/container/samba/mara-init:/root/mara-init - /srv/docker/container/samba/mara-bin:/root/mara-bin depends_on: - pihole - openldap labels: - "com.centurylinklabs.watchtower.enable=true" - "traefik.enable=false" ftp: image: ubuntu:latest container_name: ftp entrypoint: /root/mara-init/entrypoint.sh restart: always ports: # active ports - "0.0.0.0:20:20" - "0.0.0.0:21:21" # passive ports - "0.0.0.0:10090:10090" - "0.0.0.0:10091:10091" - "0.0.0.0:10092:10092" volumes: - /home:/home - /srv/docker/container/ftp/monitoring-results:/monitoring-results - /srv/docker/container/ftp/mara-init:/root/mara-init - /srv/docker/container/ftp/mara-bin:/root/mara-bin depends_on: - pihole - openldap labels: - "com.centurylinklabs.watchtower.enable=true" - "traefik.enable=false"