docker-compose/docker-compose.yml
Damien De Paoli 7e52aa8d50 converted over from manual certbot to traefik automatically handling certs
updated doco around when we use loadbalancer port
emby now has group 110 (radeon) as well, so it can do hardware acceleration from new AMD 5600G cpu
  and added /dev/dri to access the hardware
change roundcubemail to webmail
converted mail container to use traefik's acme.json
moved esphome to its own esphome.ddp.net (aka removed internet access as I could not get a password in front of it via traefik as yet)
convert telegraf to use mara-init / entrypoint standar
added ldap to grafana so password is now taken from secrets/ldap*
converted bookdb_web, paweb, tix away from SSL passthrough to normal traefik ssl offload (also making it easier to traefik to manage certs as I had issues with some with HostSNI / passthrough
converted padb* to use entrypoint standard, rather than using a separate DockerFile to have the postgres image and then my own customising
converted kuma to have a new data dir and to adopt new mara-init/mara-bin/entrypoint.sh standard
moved mythtv root pwd out into secrets / env file
update mythtv to new mara-init, mara-bin, entrypoint.sh standard, removed use of network_mode: host, and go direct to mythdb via local dns / container name, instead of ip or mara
finalised move from wikijs to bookstack (renaming wikitst to wiki)
added depweb basic web service, solely to allow traefik to handle depaoli.id.au SSL domain (for mail which does not route traffic there itself)
2024-02-17 18:48:39 +11:00


# NOTE: wherever a service has an env_file under /srv/docker/config/secrets/*, the ENV
# variable holding that container's password has been moved out of this file and into
# that secrets file (one place for passwords shared between containers, such as the LDAP
# bind password, and so that this compose file can be shared without leaking credentials).
# NOTE(review): Compose v2 ignores `version` (it only emits an "attribute is obsolete"
# warning); it is presumably kept here for an older docker-compose v1 install — confirm.
version: '3.7'
services:
traefik:
  container_name: traefik
  # Untagged image == :latest; with watchtower enabled below this will jump major
  # versions unattended (traefik major releases have changed label syntax before).
  image: "traefik"
  restart: always
  # Host networking: traefik binds :80/:443 on the host directly, and reaches the
  # other host-network containers (emby, hass, mass) through localhost using their
  # loadbalancer.server.port labels.
  network_mode: host
  command:
    # - "--log.level=DEBUG"
    # The dashboard is served by the api@internal service (router below). Note that
    # api@internal also exposes the /api/ endpoints, i.e. the full router/service
    # configuration including backend addresses.
    - "--api.dashboard=true"
    # Docker provider: only containers that opt in with traefik.enable=true are routed.
    - "--providers.docker=true"
    - "--providers.docker.exposedbydefault=false"
    # File provider for anything not expressible as container labels (e.g. the
    # tls12@file TLS options used by vaultwarden).
    - "--providers.file=true"
    - "--providers.file.directory=/configuration/"
    - "--providers.file.watch=true"
    - "--entrypoints.web.address=:80"
    - "--entrypoints.secureweb.address=:443"
    # Access log only records 4xx/5xx responses slower than 50ms, so it is a
    # problem log rather than a full audit trail.
    - "--accessLog"
    - "--accessLog.filePath=/var/log/access.log"
    - "--accesslog.fields.names.StartUTC=drop"
    - "--accesslog.filters.statuscodes=400-599"
    - "--accesslog.filters.minduration=50ms"
    # cert resolver (PROD)
    # TLS-ALPN-01 challenge: needs :443 reachable from the internet for every
    # Host() that uses certresolver=myresolver.
    - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
    - "--certificatesresolvers.myresolver.acme.email=postmaster@depaoli.id.au"
    - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
    - "traefik.enable=true"
    # NOTE(review): the dashboard router has no middleware in front of it and sits on
    # the plain-http entrypoint; anyone who can reach :80 and send
    # "Host: traefik.ddp.net" gets the dashboard and /api/. It is on the internal
    # ddp.net name only, but a basicauth or ipallowlist middleware (defined via the
    # file provider) would be the usual guard.
    - "traefik.http.routers.dashboard.rule=Host(`traefik.ddp.net`)"
    - "traefik.http.routers.dashboard.entrypoints=web"
    # too many other ports (80, 443) so we have to be explicit & with network_mode: host traefik routes to localhost:8080
    - "traefik.http.services.dashboard.loadbalancer.server.port=8080"
    - "traefik.http.routers.dashboard.service=api@internal"
  depends_on:
    - pihole
  volumes:
    # :ro only makes the socket node read-only; the Docker API behind it is still
    # fully usable (including container creation), so a compromised traefik is
    # root-equivalent on the host. A docker-socket-proxy limited to GET would narrow this.
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - /srv/docker/container/traefik/:/configuration
    - /srv/docker/container/traefik/var/log/:/var/log/
    # acme.json holds the private keys of every certificate traefik issues; the
    # mail container also mounts this file (read-only).
    - /srv/docker/container/letsencrypt/etc:/letsencrypt
    - /etc/localtime:/etc/localtime:ro
sonarr:
  image: linuxserver/sonarr
  container_name: sonarr
  restart: always
  depends_on:
    - pihole
  # Internet-facing (son.depaoli.id.au) on the TLS entrypoint with no traefik auth
  # middleware, so access control rests on Sonarr's own login being enabled.
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
    - "traefik.enable=true"
    - "traefik.http.routers.sonarr.rule=Host(`son.depaoli.id.au`)"
    - "traefik.http.routers.sonarr.entrypoints=secureweb"
    - "traefik.http.routers.sonarr.tls=true"
    - "traefik.http.routers.sonarr.tls.certresolver=myresolver"
  # linuxserver images drop to PUID/PGID after start-up.
  environment:
    TZ: Australia/Melbourne
    PUID: "500"
    PGID: "500"
  volumes:
    - /srv/docker/container/sonarr/config:/config
    - /export/docker/storage/downloads:/downloads
    - /export/docker/storage/series:/tv
    - /etc/localtime:/etc/localtime:ro
lidarr:
  image: linuxserver/lidarr
  container_name: lidarr
  restart: always
  depends_on:
    - pihole
  # Internal only (lidarr.ddp.net over plain http on the `web` entrypoint).
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
    - "traefik.enable=true"
    - "traefik.http.routers.lidarr.rule=Host(`lidarr.ddp.net`)"
    - "traefik.http.routers.lidarr.entrypoints=web"
  environment:
    TZ: Australia/Melbourne
    PUID: "500"
    PGID: "500"
  volumes:
    - /srv/docker/container/lidarr/config:/config
    - /export/docker/storage/downloads:/downloads
    - /export/docker/storage/music:/music
    - /etc/localtime:/etc/localtime:ro
radarr:
  image: linuxserver/radarr
  container_name: radarr
  restart: always
  depends_on:
    - pihole
  # Internet-facing (rad.depaoli.id.au); same caveat as sonarr — no traefik-side
  # auth, so Radarr's own authentication must be on.
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
    - "traefik.enable=true"
    - "traefik.http.routers.radarr.rule=Host(`rad.depaoli.id.au`)"
    - "traefik.http.routers.radarr.entrypoints=secureweb"
    - "traefik.http.routers.radarr.tls=true"
    - "traefik.http.routers.radarr.tls.certresolver=myresolver"
  environment:
    TZ: Australia/Melbourne
    PUID: "500"
    PGID: "500"
  volumes:
    - /srv/docker/container/radarr/config:/config
    - /export/docker/storage/downloads:/downloads
    - /export/docker/storage/movies:/movies
    - /etc/localtime:/etc/localtime:ro
readarr:
  # :nightly plus watchtower auto-updates means untested builds land on a schedule;
  # only the internal readarr.ddp.net name is routed, which limits the blast radius.
  image: linuxserver/readarr:nightly
  container_name: readarr
  restart: always
  depends_on:
    - pihole
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
    - "traefik.enable=true"
    - "traefik.http.routers.readarr.rule=Host(`readarr.ddp.net`)"
    - "traefik.http.routers.readarr.entrypoints=web"
  environment:
    TZ: Australia/Melbourne
    PUID: "500"
    PGID: "500"
  volumes:
    - /srv/docker/container/readarr/config:/config
    - /export/docker/storage/downloads:/downloads
    - /export/docker/storage/books:/books
    - /etc/localtime:/etc/localtime:ro
calibre:
  image: linuxserver/calibre
  container_name: calibre
  restart: always
  depends_on:
    - pihole
  environment:
    TZ: Australia/Melbourne
    PUID: "500"
    PGID: "500"
  # Both GUIs are reachable two ways: via traefik on the ddp.net names below AND
  # directly on host ports 18080/18081 on every interface. The desktop GUI on 8080
  # has no login unless one is configured in the image, so the direct ports are
  # the wider exposure of the two.
  ports:
    - "18080:8080"
    - "18081:8081"
  # Two routers, one per GUI; service.port is explicit because the container
  # listens on both 8080 (desktop GUI) and 8081 (content server).
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
    - "traefik.enable=true"
    - "traefik.http.routers.calibre.rule=Host(`calibre.ddp.net`)"
    - "traefik.http.routers.calibre.entrypoints=web"
    - "traefik.http.routers.calibre.service=calibre"
    - "traefik.http.services.calibre.loadbalancer.server.port=8080"
    - "traefik.http.routers.calibreweb.rule=Host(`calibreweb.ddp.net`)"
    - "traefik.http.routers.calibreweb.entrypoints=web"
    - "traefik.http.routers.calibreweb.service=calibreweb"
    - "traefik.http.services.calibreweb.loadbalancer.server.port=8081"
  volumes:
    - /srv/docker/container/calibre/config:/config
    - /etc/localtime:/etc/localtime:ro
# plex: (disabled; kept for reference)
# NOTE(review): commented-out stanzas are still committed — the PLEX_CLAIM value below
# is a credential (short-lived, but it has been in history since it was added).
# container_name: plex
# image: plexinc/pms-docker
# restart: always
# environment:
# - TZ=Australia/Melbourne
# - PLEX_CLAIM=claim-Mgs3KDD_zM-rheXvz6FJ
# - PLEX_UID=500
# - PLEX_GID=500
# hostname: plex_dp
# labels:
# - "com.centurylinklabs.watchtower.enable=true"
# depends_on:
# - pihole
# volumes:
# - /srv/docker/container/plex/config:/config
# - /srv/docker/container/plex/transcode:/transcode
# - /srv/docker/container/plex/storage:/data
# - /etc/localtime:/etc/localtime:ro
# ports:
# - "32400:32400"
# Runs with network_mode: host so it sits on the 192.168.0/24 subnet and direct
# play to the TV works (from memory). Consequence: every port emby opens is on the
# host directly, not just 8096 via traefik.
emby:
  # image: emby/embyserver
  image: emby/embyserver:beta
  container_name: emby
  restart: always
  network_mode: host
  depends_on:
    - pihole
  environment:
    UID: "500"
    GID: "500"
    # 44 = video (/dev/dri/card*), 110 = render group for AMD (5600G) transcoding
    GIDLIST: "44,110"
    TZ: Australia/Melbourne
  # Only the render nodes are passed through; no privileged needed for VA-API.
  devices:
    - /dev/dri:/dev/dri
  volumes:
    - /srv/docker/container/emby/config:/config
    - /srv/docker/container/emby/transcode:/transcode
    - /export/docker/storage:/data
    - /export/myth/tv:/myth-recordings
    - /etc/localtime:/etc/localtime:ro
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
    - "traefik.enable=true"
    - "traefik.http.routers.emby.rule=Host(`emby.depaoli.id.au`)"
    - "traefik.http.routers.emby.entrypoints=secureweb"
    - "traefik.http.routers.emby.tls=true"
    - "traefik.http.routers.emby.tls.certresolver=myresolver"
    # with network_mode: host traefik (also host-network) targets http://localhost:8096
    - "traefik.http.services.emby.loadbalancer.server.port=8096"
# fail2ban: the ignore/whitelist probably needs revisiting — the earlier quick fix
# also listed internal docker IPs, which would stop bans for anything coming through
# a proxy container. (Needs checking against the current DMS fail2ban config.)
mail:
  image: docker.io/mailserver/docker-mailserver:latest
  hostname: depaoli.id.au
  domainname: depaoli.id.au
  container_name: mail
  restart: always
  # SMTP/submission/IMAPS published on every host interface (required for a mail
  # server); rspamd's web UI is only reachable via the traefik route below.
  ports:
    - "25:25"
    - "465:465"
    - "587:587"
    - "993:993"
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
    - "traefik.enable=true"
    # rspamd controller UI, internal name only, plain http. It has its own password;
    # there is no traefik-side auth in front of it.
    - "traefik.http.routers.mail.rule=Host(`rspamd.ddp.net`)"
    - "traefik.http.services.mail.loadbalancer.server.port=11334"
    - "traefik.http.routers.mail.entrypoints=web"
  depends_on:
    - pihole
    - openldap
  volumes:
    - /srv/docker/container/mail/data:/var/mail
    - /srv/docker/container/mail/state:/var/mail-state
    - /srv/docker/container/mail/log:/var/log/mail
    - /srv/docker/container/mail/config/:/tmp/docker-mailserver/
    - /etc/localtime:/etc/localtime:ro
    # used (via .../mail/config/user-patches.sh) to insert a cron job running from .../mara-bin, and writing to .../monitoring-results)
    - /srv/docker/container/mail/mara-bin:/root/bin
    - /srv/docker/container/mail/monitoring-results:/monitoring-results
    # NOTE: depweb container gets traefik to manage depaoli.id.au cert (and store it into acme.json)
    # NOTE(review): acme.json contains the private keys of EVERY certificate traefik
    # manages (bw., wiki., pa., ...), not just depaoli.id.au; DMS only needs the one.
    # Read-only here, but a compromise of this internet-facing container exposes them all.
    - /srv/docker/container/letsencrypt/etc/acme.json:/etc/letsencrypt/acme.json:ro
  environment:
    - ENABLE_CLAMAV=1
    - ENABLE_FAIL2BAN=1
    - ENABLE_POSTGREY=0
    - ENABLE_UPDATE_CHECK=1
    - ENABLE_POP3=0
    # this allows users to manage their own sieves, not something we use at present
    - ENABLE_MANAGESIEVE=0
    # don't know if this can go to 1 or not, seems more for postscreen than rspamd, so not sure if it has always been off?
    - ENABLE_DNSBL=0
    # as per doco, enabling rspamd and disabling unneeded services (up to spamassassin)
    - ENABLE_RSPAMD=1
    - ENABLE_OPENDKIM=0
    - ENABLE_OPENDMARC=0
    - ENABLE_POLICYD_SPF=0
    - ENABLE_AMAVIS=0
    - ENABLE_SPAMASSASSIN=0
    - MOVE_SPAM_TO_JUNK=1
    # only greylist spammy emails
    - RSPAMD_GREYLISTING=1
    # if ppl move mail to junk -> inbox (spam) or reverse (ham), learn from it
    - RSPAMD_LEARN=1
    # some hostname heuristics for dodgy mailservers using wrong syntax - adds header only at the moment, test and drop when we trust
    - RSPAMD_HFILTER=1
    # spoof prot stops anyone sending with an email address that doesn't match what they connected with
    - SPOOF_PROTECTION=1
    - ONE_DIR=1
    - DMS_DEBUG=0
    - LOG_LEVEL=warn
    # Accounts come from LDAP. The bind password (LDAP_BIND_PW / SASLAUTHD_LDAP_PASSWORD)
    # is expected to be in the secrets env_file below.
    - ACCOUNT_PROVISIONER=LDAP
    # Container name over the compose network, plain ldap:// (no StartTLS); keep in sync
    # with SASLAUTHD_LDAP_SERVER below. (The old "using IP" note is stale: this is a name.)
    - LDAP_SERVER_HOST=ldap://openldap:1389
    - LDAP_SEARCH_BASE=dc=depaoli,dc=id,dc=au
    # NOTE(review): binds as the directory admin for read-only lookups. A dedicated
    # read-only bind account would mean a compromised mail container cannot rewrite
    # the directory (users, mail routing, vaultwarden/grafana logins).
    - LDAP_BIND_DN=cn=admin,dc=depaoli,dc=id,dc=au
    - LDAP_QUERY_FILTER_USER=(&(mail=%s)(mailEnabled=TRUE))
    - LDAP_QUERY_FILTER_GROUP=(&(mailGroupMember=%s)(mailEnabled=TRUE))
    - LDAP_QUERY_FILTER_ALIAS=(mailAlias=%s)
    - LDAP_QUERY_FILTER_DOMAIN=(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))
    - DOVECOT_PASS_FILTER=(&(objectClass=PostfixBookMailAccount)(uid=%n))
    - DOVECOT_USER_FILTER=(&(objectClass=PostfixBookMailAccount)(uid=%n))
    # SMTP AUTH (submission) also goes to LDAP, again as the admin DN — same caveat.
    - ENABLE_SASLAUTHD=1
    - SASLAUTHD_MECHANISMS=ldap
    - SASLAUTHD_LDAP_SERVER=ldap://openldap:1389
    - SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=depaoli,dc=id,dc=au
    - SASLAUTHD_LDAP_SEARCH_BASE=ou=users,dc=depaoli,dc=id,dc=au
    - SASLAUTHD_LDAP_FILTER=(&(uid=%U)(objectClass=person))
    - POSTMASTER_ADDRESS=postmaster@depaoli.id.au
    - POSTFIX_MESSAGE_SIZE_LIMIT=100000000
    # Certificate/key are read from the traefik acme.json mounted above.
    - SSL_TYPE=letsencrypt
  env_file:
    - /srv/docker/config/secrets/ldap-mail-common
  # NET_ADMIN is what lets fail2ban manage iptables inside the container.
  cap_add:
    - NET_ADMIN
openldap:
  image: bitnami/openldap
  # Runs as an unprivileged uid; the bind-mounted dirs below must be owned by 2000.
  user: "2000"
  container_name: openldap
  restart: always
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
  environment:
    # NOTE(review): debug logging from the bitnami entrypoint; may echo configuration
    # (not the admin password itself, as far as the entrypoint goes — verify) into
    # `docker logs`. Turn off once the setup is stable.
    BITNAMI_DEBUG: "true"
    LDAP_ROOT: "dc=depaoli,dc=id,dc=au"
    # LDAP_ADMIN_PASSWORD comes from the shared secrets env_file below.
    LDAP_ADMIN_USERNAME: "admin"
    LDAP_SKIP_DEFAULT_TREE: "yes"
    LDAP_CUSTOM_SCHEMA_FILE: "/schema/postfix-book.ldif"
    LDAP_CUSTOM_LDIF_DIR: "/ldifs"
    LDAP_LOGLEVEL: "256"
    # below not validated
    # NOTE(review): only 389 is published, so even with TLS on, the only encrypted path
    # from outside the compose network is StartTLS on 389; the in-network clients
    # (mail, grafana) currently use plain ldap:// to the container name.
    LDAP_ENABLE_TLS: "yes"
    LDAP_TLS_CERT_FILE: "/opt/bitnami/openldap/certs/cert.pem"
    LDAP_TLS_KEY_FILE: "/opt/bitnami/openldap/certs/privkey.pem"
    LDAP_TLS_CA_FILE: "/opt/bitnami/openldap/certs/fullchain.pem"
    LDAP_TLS_DH_PARAMS_FILE: "/opt/bitnami/openldap/certs/dhparam.pem"
    # these options were from osixia's container, doesn't seem to be an equiv in bitnami, not critical for now as no SASL anyway
    # LDAP_TLS_CIPHER_SUITE: "SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC"
    # LDAP_TLS_PROTOCOL_MIN: "3.1"
    # LDAP_TLS_VERIFY_CLIENT: "try"
  env_file:
    - /srv/docker/config/secrets/ldap-mail-common
  tty: true
  stdin_open: true
  depends_on:
    - pihole
  volumes:
    - /srv/docker/container/ldap/:/bitnami/openldap/
    - /srv/docker/container/ldap/certs:/opt/bitnami/openldap/certs/
    - /srv/docker/container/ldap/bootstrap-schema:/schema
    - /srv/docker/container/ldap/bootstrap-ldifs:/ldifs
    - /etc/localtime:/etc/localtime:ro
  # NOTE(review): plaintext LDAP (incl. simple binds with the admin password) published
  # on every host interface. The compose-network consumers reach it by container name,
  # so this is only needed for clients outside docker; bind it to the LAN address
  # (as pihole does with 192.168.0.2:53) or drop it if nothing external uses it.
  ports:
    - "389:1389"
# webmail (roundcube), internet-facing on webmail.depaoli.id.au
webmail:
  image: roundcube/roundcubemail
  container_name: webmail
  restart: always
  depends_on:
    - pihole
    - mail
    - openldap
  # Talks to the mail container by its public name over IMAPS/SMTPS, so the
  # letsencrypt cert on the mail side gets verified rather than a plain link.
  environment:
    ROUNDCUBEMAIL_DB_TYPE: sqlite
    ROUNDCUBEMAIL_SKIN: elastic
    ROUNDCUBEMAIL_DEFAULT_HOST: ssl://depaoli.id.au
    ROUNDCUBEMAIL_DEFAULT_PORT: "993"
    ROUNDCUBEMAIL_SMTP_SERVER: ssl://depaoli.id.au
    ROUNDCUBEMAIL_SMTP_PORT: "465"
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
    - "traefik.enable=true"
    - "traefik.http.routers.webmail.rule=Host(`webmail.depaoli.id.au`)"
    - "traefik.http.routers.webmail.entrypoints=secureweb"
    - "traefik.http.routers.webmail.tls=true"
    - "traefik.http.routers.webmail.tls.certresolver=myresolver"
  # The sqlite db and config dir hold session data and the des_key; keep them
  # out of the shared www tree.
  volumes:
    - /srv/docker/container/roundcubemail/www:/var/www/html
    - /srv/docker/container/roundcubemail/db/sqlite:/var/roundcube/db
    - /srv/docker/container/roundcubemail/tmp/roundcube-temp:/tmp/roundcube-temp
    - /srv/docker/container/roundcubemail/var/roundcube/config:/var/roundcube/config
    - /etc/localtime:/etc/localtime:ro
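portainer:
  container_name: portainer
  image: portainer/portainer-ce
  restart: always
  depends_on:
    - pihole
  volumes:
    # Portainer needs read-write Docker API access, which makes this container
    # root-equivalent on the host; it is only routed on the internal ddp.net name.
    - /var/run/docker.sock:/var/run/docker.sock
    - /srv/docker/container/portainer/data:/data
    - /etc/localtime:/etc/localtime:ro
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
    - "traefik.enable=true"
    - "traefik.http.routers.portainer.rule=Host(`portainer.ddp.net`)"
    # Pin the router to the plain-http entrypoint like every other *.ddp.net service.
    # Without this, traefik attaches the router to ALL entrypoints, including :443,
    # where it would answer plaintext (no tls=true) on the secure port.
    - "traefik.http.routers.portainer.entrypoints=web"
    # need to be explicit, as it also runs API ports, SSL ports, etc
    - "traefik.http.services.portainer.loadbalancer.server.port=9000"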
# this is running network_mode: host so it is on the same subnet as the IoT
# devices and can see/discover them
hass:
  image: ghcr.io/home-assistant/home-assistant:stable
  container_name: hass
  # NOTE(review): privileged + seccomp:unconfined + a read-write docker.sock + host
  # networking on an internet-facing service is the maximum possible blast radius:
  # a hass compromise is a host compromise. privileged is usually only needed for
  # USB/Bluetooth passthrough, which a `devices:` entry can do more narrowly — confirm
  # which integration actually requires it.
  privileged: true
  network_mode: host
  restart: always
  security_opt:
    - seccomp:unconfined
  depends_on:
    - pihole
    - openldap
  volumes:
    - /srv/docker/container/hass:/config
    # this line adds known hosts file to /root's .ssh so the 'command line authenticaion' works on login on every new container
    - /srv/docker/container/hass/ssh/known_hosts:/root/.ssh/known_hosts
    # Read-write Docker API access from inside hass (see note above).
    - /var/run/docker.sock:/var/run/docker.sock
    - /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket
    - /etc/localtime:/etc/localtime:ro
    - /run/dbus:/run/dbus:ro
  labels:
    # Deliberately not auto-updated; HA releases are applied by hand.
    - "com.centurylinklabs.watchtower.enable=false"
    # Labels work here despite network_mode: host because traefik is also host-network
    # and targets localhost:8123. (The older note said this was handled via the file
    # provider — if a file-provider definition for hass still exists in
    # /srv/docker/container/traefik/, one of the two is redundant; check for duplicates.)
    - "traefik.enable=true"
    - "traefik.http.routers.hass.rule=Host(`hass.depaoli.id.au`)"
    # to note with network_mode: host, this works via localhost --> traefik routes this to http://localhost:8123"
    - "traefik.http.services.hass.loadbalancer.server.port=8123"
    - "traefik.http.routers.hass.tls=true"
    - "traefik.http.routers.hass.entrypoints=secureweb"
    - "traefik.http.routers.hass.tls.certresolver=myresolver"
# Music Assistant runs with network_mode: host so it can discover players on the LAN.
mass:
  image: ghcr.io/music-assistant/server
  container_name: mass
  restart: always
  network_mode: host
  depends_on:
    - pihole
  volumes:
    - /srv/docker/container/mass/data:/data
    - /export/docker/storage/music:/music
    - /etc/localtime:/etc/localtime:ro
  # Served as a sub-path of the hass hostname (https://hass.depaoli.id.au/mass/);
  # the /mass prefix is stripped before the request reaches the container.
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
    - "traefik.enable=true"
    - "traefik.http.routers.mass.rule=Host(`hass.depaoli.id.au`) && PathPrefix(`/mass/`)"
    - "traefik.http.routers.mass.entrypoints=secureweb"
    - "traefik.http.routers.mass.tls=true"
    - "traefik.http.routers.mass.tls.certresolver=myresolver"
    - "traefik.http.middlewares.stripprefix-mass.stripprefix.prefixes=/mass"
    - "traefik.http.routers.mass.middlewares=stripprefix-mass@docker"
    # with network_mode: host traefik targets http://127.0.0.1:8095
    - "traefik.http.services.mass.loadbalancer.server.port=8095"
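mosquitto:
  container_name: mosquitto
  image: eclipse-mosquitto
  restart: always
  volumes:
    # The whole tree is bind-mounted at /mosquitto, which already covers the
    # data/ and log/ subdirectories (the previous separate mounts of
    # .../mosquitto/data and .../mosquitto/log pointed at the same host paths).
    - /srv/docker/container/mosquitto:/mosquitto
    - /etc/localtime:/etc/localtime:ro
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
  # Plain MQTT published on every host interface. Whether anonymous connections
  # are allowed is decided by mosquitto.conf in the mounted tree (not visible
  # here); with `allow_anonymous true` every LAN client can read/publish all topics.
  ports:
    - "1883:1883"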
esphome:
  image: esphome/esphome
  container_name: esphome
  restart: always
  # privileged + /dev passthrough so the dashboard can flash boards over USB.
  privileged: true
  environment:
    ESPHOME_DASHBOARD_USE_PING: "true"
  volumes:
    - /srv/docker/container/esphome/config:/config
    - /dev:/dev
    - /etc/localtime:/etc/localtime:ro
  # Internal name only: no password could be put in front of it via traefik yet, and
  # the config dir holds Wi-Fi/API/OTA secrets for every device. (The ESPHome image
  # documents dashboard credentials via environment variables — worth checking,
  # as that would allow exposing it again.)
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
    - "traefik.enable=true"
    - "traefik.http.routers.esphome.rule=Host(`esphome.ddp.net`)"
    - "traefik.http.routers.esphome.entrypoints=web"
sabnzbd:
  image: linuxserver/sabnzbd
  container_name: sabnzbd
  restart: always
  depends_on:
    - pihole
  environment:
    TZ: Australia/Melbourne
    PUID: "500"
    PGID: "500"
  volumes:
    - /srv/docker/container/sabnzbd/:/config
    - /export/docker/storage/downloads:/downloads
    - /export/docker/storage/incomplete-downloads:/incomplete-downloads
    - /etc/localtime:/etc/localtime:ro
  # Internal only (sab.ddp.net, plain http).
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
    - "traefik.enable=true"
    - "traefik.http.routers.sabnzbd.rule=Host(`sab.ddp.net`)"
    - "traefik.http.routers.sabnzbd.entrypoints=web"
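influxdb:
  image: influxdb:latest
  container_name: influxdb
  restart: always
  # 8086 is published on every host interface in addition to the traefik route.
  # telegraf reaches it by container name, so the direct port is only for clients
  # outside the compose network.
  ports:
    - "8086:8086"
  environment:
    # DOCKER_INFLUXDB_INIT_* only takes effect on the very first start of an empty
    # data dir; changing values here later does not rotate anything.
    - DOCKER_INFLUXDB_INIT_MODE=setup
    - DOCKER_INFLUXDB_INIT_ORG=mara
    - DOCKER_INFLUXDB_INIT_USERNAME=telegraf
    - DOCKER_INFLUXDB_INIT_BUCKET=telegraf
    - DOCKER_INFLUXDB_INIT_RETENTION=2w
    # DOCKER_INFLUXDB_INIT_ADMIN_TOKEN (and DOCKER_INFLUXDB_INIT_PASSWORD) belong in the
    # secrets env_file below, per the note at the top of this file. The admin token that
    # was previously hard-coded on this line is in git history and should be treated as
    # leaked: generate a new operator token in InfluxDB, revoke the old one, and update
    # the telegraf output / grafana datasource that use it.
  env_file:
    - /srv/docker/config/secrets/influxdb
  volumes:
    - /srv/docker/container/influxdb/data:/var/lib/influxdb2
    - /srv/docker/container/influxdb/config:/etc/influxdb2
    - /etc/localtime:/etc/localtime:ro
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
    - "traefik.enable=true"
    - "traefik.http.routers.influxdb.rule=Host(`influx.ddp.net`)"
    - "traefik.http.routers.influxdb.entrypoints=web"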
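telegraf:
  image: telegraf:latest
  container_name: telegraf
  restart: always
  depends_on:
    - influxdb
  # needs to be 0 / root to run smartmontools / nvme
  user: 0:139
  entrypoint: /root/mara-init/entrypoint-wrapper.sh
  # privileged already grants the container every host device node, so no
  # `devices:` list is needed. The previous entry `/dev:ro` was not a valid
  # host:container[:perms] mapping anyway (device permission flags are r/w/m).
  privileged: true
  volumes:
    - /srv/docker/container/telegraf:/etc/telegraf
    - /srv/docker/container/telegraf/sudoers/smart:/etc/sudoers.d/smart
    - /srv/docker/container/telegraf/mara-init/entrypoint-wrapper.sh:/root/mara-init/entrypoint-wrapper.sh
    # for telegraf to get external script output
    - /srv/docker/container/telegraf/monitoring-results:/usr/local/external-results/mara
    - /srv/docker/container/mythtv/monitoring-results:/usr/local/external-results/myth
    - /srv/docker/container/mail/monitoring-results:/usr/local/external-results/mail
    - /srv/docker/container/kuma/monitoring-results:/usr/local/external-results/kuma
    # for telegraf to see host details. Together with privileged + root this is a
    # full read of the host filesystem (including /srv/docker/config/secrets) and the
    # Docker API; telegraf.conf, not this file, is what limits what gets collected.
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - /:/host:ro
    - /run/udev:/run/udev:ro
    - /etc/localtime:/etc/localtime:ro
  environment:
    - HOST_MOUNT_PREFIX=/host
    - HOST_PROC=/host/proc
    - HOST_SYS=/host/sys
  labels:
    - "com.centurylinklabs.watchtower.enable=true"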
grafana:
  image: grafana/grafana
  container_name: grafana
  restart: always
  depends_on:
    - influxdb
  volumes:
    - /srv/docker/container/grafana/grafana.ini:/etc/grafana/grafana.ini
    # LDAP auth config; the bind password is supplied through the shared secrets
    # env_file below rather than written into ldap.toml.
    - /srv/docker/container/grafana/ldap.toml:/etc/grafana/ldap.toml
    - /srv/docker/container/grafana/data:/var/lib/grafana
    - /srv/docker/container/grafana/dashboards:/var/lib/grafana/dashboards
    - /srv/docker/container/grafana/grafana/provisioning:/etc/grafana/provisioning
    - /etc/localtime:/etc/localtime:ro
  env_file:
    - /srv/docker/container/grafana/config.monitoring
    - /srv/docker/config/secrets/ldap-mail-common
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
    - "traefik.enable=true"
    # Public https route.
    - "traefik.http.routers.grafana_ssl.rule=Host(`graf.depaoli.id.au`)"
    - "traefik.http.routers.grafana_ssl.tls=true"
    - "traefik.http.routers.grafana_ssl.entrypoints=secureweb"
    - "traefik.http.routers.grafana_ssl.tls.certresolver=myresolver"
    # NOTE(review): this router has no Host() clause, so /grafana/ is matched on ANY
    # hostname arriving on :80 (every *.ddp.net name, the bare IP, ...). Presumably
    # meant for the mara.ddp.net landing page; adding Host(`mara.ddp.net`) && ... would
    # make that explicit and stop it shadowing /grafana/ paths on the other http routers.
    - "traefik.http.routers.grafana.rule=PathPrefix(`/grafana/`)"
    - "traefik.http.routers.grafana.entrypoints=web"
pihole:
  image: pihole/pihole
  container_name: pihole
  restart: always
  ports:
    # DNS is bound to the LAN address only.
    - "192.168.0.2:53:53/tcp"
    - "192.168.0.2:53:53/udp"
    # The admin UI is ALSO published directly on host port 9999 on every interface,
    # in addition to the traefik route below; the traefik route alone would do.
    - "9999:80"
  environment:
    - TZ=Australia/Melbourne
    # Upstream resolvers are plain DNS (OpenDNS); the web password comes from the
    # secrets env_file.
    - PIHOLE_DNS_=208.67.222.222;208.67.220.220
  env_file:
    - /srv/docker/config/secrets/pihole
  volumes:
    - /srv/docker/container/pihole/etc/:/etc/pihole/
    - /srv/docker/container/pihole/dnsmasq.d/:/etc/dnsmasq.d/
    - /etc/localtime:/etc/localtime:ro
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
    - "traefik.enable=true"
    - "traefik.http.routers.pihole.rule=Host(`pihole.ddp.net`)"
    - "traefik.http.routers.pihole.entrypoints=web"
    # pihole's UI lives under /admin and redirects back to / after login; stripping
    # and re-adding the prefix keeps both the bare host and /admin URLs working.
    - "traefik.http.middlewares.pihole-strip.stripprefix.prefixes=/admin"
    - "traefik.http.middlewares.pihole-add.addprefix.prefix=/admin"
    - "traefik.http.routers.pihole.middlewares=pihole-strip,pihole-add"
    # explicit port: the container also exposes 53, so traefik must be told to use 80
    - "traefik.http.services.pihole.loadbalancer.server.port=80"
bookdb_dev:
  image: postgres
  container_name: bookdb_dev
  restart: always
  depends_on:
    - pihole
  # POSTGRES_PASSWORD is in the bookdb-common secrets file (shared with bookdb).
  environment:
    - POSTGRES_USER=ddp
    - POSTGRES_DB=library
  env_file:
    - /srv/docker/config/secrets/bookdb-common
  # Dev database published on every host interface; bookdb_webdev reaches it by
  # container name, so "127.0.0.1:55432:5432" would suffice if only host-side
  # tooling on this box needs it.
  ports:
    - "55432:5432"
  volumes:
    - /srv/docker/container/bookdb_dev/data:/var/lib/postgresql/data
    - /srv/docker/container/bookdb_dev/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
    - /etc/localtime:/etc/localtime:ro
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
bookdb:
  # Pinned major version (unlike bookdb_dev) so watchtower cannot jump to a
  # postgres release with an incompatible data directory.
  image: postgres:16
  container_name: bookdb
  restart: always
  depends_on:
    - pihole
  environment:
    - POSTGRES_USER=ddp
    - POSTGRES_DB=library
  env_file:
    - /srv/docker/config/secrets/bookdb-common
  # Not published; only reachable from bookdb_web over the compose network.
  volumes:
    - /srv/docker/container/bookdb/data:/var/lib/postgresql/data
    - /srv/docker/container/bookdb/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
    - /etc/localtime:/etc/localtime:ro
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
bookdb_webdev:
  container_name: bookdb_webdev
  restart: always
  # Built from the working copy; the same tree is bind-mounted for live reloads.
  build:
    context: '/home/ddp/src/pybook'
  environment:
    - FLASK_ENV=container
  depends_on:
    - pihole
    - bookdb_dev
  # Dev server published on host port 5001 (all interfaces), no traefik route.
  ports:
    - "5001:5000"
  volumes:
    - /home/ddp/src/pybook/:/pybook_mapped_volume
    - /etc/localtime:/etc/localtime:ro
  labels:
    - "com.centurylinklabs.watchtower.enable=false"
bookdb_web:
  container_name: bookdb_web
  restart: always
  build:
    context: '/home/ddp/src/pybook'
  environment:
    - FLASK_ENV=production
  depends_on:
    - pihole
    - bookdb
  volumes:
    - /etc/localtime:/etc/localtime:ro
  # Internet-facing; TLS is now terminated by traefik (was SSL passthrough).
  labels:
    - "com.centurylinklabs.watchtower.enable=false"
    - "traefik.enable=true"
    - "traefik.http.routers.bookdb_web.rule=Host(`book.depaoli.id.au`)"
    - "traefik.http.routers.bookdb_web.entrypoints=secureweb"
    - "traefik.http.routers.bookdb_web.tls=true"
    - "traefik.http.routers.bookdb_web.tls.certresolver=myresolver"
padb_dev:
  image: postgres
  container_name: padb_dev
  restart: always
  # Wrapper entrypoint installs cron plus a job that dumps users, so the content
  # can be rebuilt from the sql dumps.
  entrypoint: /root/mara-init/entrypoint-wrapper.sh
  depends_on:
    - pihole
  environment:
    - POSTGRES_USER=pa
    - POSTGRES_DB=pa
  env_file:
    - /srv/docker/config/secrets/padb-common
  # Dev database on every host interface (see bookdb_dev for the loopback option).
  ports:
    - "65432:5432"
  volumes:
    - /srv/docker/container/padb_dev/data:/var/lib/postgresql/data
    - /srv/docker/container/padb_dev/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
    - /srv/docker/container/padb_dev/mara-init:/root/mara-init
    - /srv/docker/container/padb_dev/mara-bin:/root/mara-bin
    - /etc/localtime:/etc/localtime:ro
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
padb:
  image: postgres:16
  container_name: padb
  restart: always
  # Wrapper entrypoint installs cron plus a job that dumps users, so the content
  # can be rebuilt from the sql dumps.
  entrypoint: /root/mara-init/entrypoint-wrapper.sh
  depends_on:
    - pihole
  environment:
    - POSTGRES_USER=pa
    - POSTGRES_DB=pa
  env_file:
    - /srv/docker/config/secrets/padb-common
  # Not published; only paweb reaches it over the compose network.
  volumes:
    - /srv/docker/container/padb/data:/var/lib/postgresql/data
    - /srv/docker/container/padb/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
    - /srv/docker/container/padb/mara-init:/root/mara-init
    - /srv/docker/container/padb/mara-bin:/root/mara-bin
    - /etc/localtime:/etc/localtime:ro
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
paweb:
  container_name: paweb
  restart: always
  build:
    context: '/home/ddp/src/photoassistant'
    # the app runs as this uid/gid so it can read the storage tree below
    args:
      PJM_UID: 500
      PJM_GID: 500
  environment:
    - ENV=production
  depends_on:
    - padb
  # The whole media tree is mounted read-write into an internet-facing app;
  # :ro would be the safer default if it only reads photos — confirm.
  volumes:
    - /export/docker/storage:/export/docker/storage
    - /etc/localtime:/etc/localtime:ro
  labels:
    - "com.centurylinklabs.watchtower.enable=false"
    - "traefik.enable=true"
    - "traefik.http.routers.paweb.rule=Host(`pa.depaoli.id.au`)"
    - "traefik.http.routers.paweb.entrypoints=secureweb"
    - "traefik.http.routers.paweb.tls=true"
    - "traefik.http.routers.paweb.tls.certresolver=myresolver"
tix:
  container_name: tix
  restart: always
  build:
    context: '/home/ddp/src/snow-ticket-analysis'
  environment:
    - ENV=production
  # The sqlite file is mounted straight from the source checkout (read-write).
  volumes:
    - /home/ddp/src/snow-ticket-analysis/stats.db:/stats.db
    - /etc/localtime:/etc/localtime:ro
  labels:
    - "com.centurylinklabs.watchtower.enable=false"
    - "traefik.enable=true"
    - "traefik.http.routers.tix.rule=Host(`tix.depaoli.id.au`)"
    - "traefik.http.routers.tix.entrypoints=secureweb"
    - "traefik.http.routers.tix.tls=true"
    - "traefik.http.routers.tix.tls.certresolver=myresolver"
vaultwarden:
  image: vaultwarden/server
  container_name: vaultwarden
  restart: always
  depends_on:
    - pihole
    - openldap
  # No SIGNUPS_ALLOWED / ADMIN_TOKEN here; if they are not set in the admin panel's
  # config.json under /data either, vaultwarden's defaults apply (open signups).
  # Worth confirming for an internet-facing instance.
  environment:
    - ORG_EVENTS_ENABLED=true
  volumes:
    - /srv/docker/container/vaultwarden:/data
    - /etc/localtime:/etc/localtime:ro
  # tls12@file is a TLS options block from the traefik file provider (minimum
  # version / ciphers for this router only).
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
    - "traefik.enable=true"
    - "traefik.http.routers.vaultwarden.rule=Host(`bw.depaoli.id.au`)"
    - "traefik.http.routers.vaultwarden.entrypoints=secureweb"
    - "traefik.http.routers.vaultwarden.tls=true"
    - "traefik.http.routers.vaultwarden.tls.options=tls12@file"
    - "traefik.http.routers.vaultwarden.tls.certresolver=myresolver"
# auto-update docker images: every container labelled watchtower.enable=true is
# pulled and restarted at 03:00 daily. Unpinned images (traefik, influxdb:latest,
# mysql:latest, readarr:nightly, ...) therefore receive major-version jumps
# unattended; watchtower itself also tracks a :latest-dev tag.
watchtower:
  image: containrrr/watchtower:latest-dev
  container_name: watchtower
  restart: always
  command: --schedule "0 0 3 * * *" --debug --stop-timeout 60s --label-enable --cleanup
  depends_on:
    - pihole
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
  # Read-write Docker API access (needed to recreate containers).
  volumes:
    - "/var/run/docker.sock:/var/run/docker.sock"
    - "/etc/localtime:/etc/localtime:ro"
# used for hass (eufy) to get notifications from camera
eufy_security_ws:
  image: bropat/eufy-security-ws
  container_name: eufy_security_ws
  restart: always
  depends_on:
    - pihole
  # PASSWORD (the Eufy cloud account) comes from the secrets env_file.
  environment:
    - "USERNAME=eufy_hass@depaoli.id.au"
    - "COUNTRY=AU"
    - "DEBUG=-v"
    - "TRUSTED_DEVICE_NAME=Pixel Pro 7"
  env_file:
    - /srv/docker/config/secrets/eufy_security_ws
  # The websocket API carries a logged-in Eufy session and is published on every
  # host interface. Its only consumer here is hass, which runs host-network and
  # could use "127.0.0.1:3000:3000" instead — provided the hass integration is
  # pointed at localhost rather than the LAN address.
  ports:
    - "3000:3000"
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
  volumes:
    - "/srv/docker/container/eufy_security_ws/data:/data"
    - "/etc/localtime:/etc/localtime:ro"
    - "/etc/timezone:/etc/timezone:ro"
# used for hass (eufy) to stream from camera
rtsp_simple_server:
  # NOTE: the aler9/rtsp-simple-server image name is the project's old name (it was
  # renamed to mediamtx); watchtower will keep pulling this tag, which presumably no
  # longer receives updates — confirm and repoint if so.
  image: aler9/rtsp-simple-server
  container_name: rtsp_simple_server
  restart: always
  depends_on:
    - pihole
  environment:
    - "RTSP_PROTOCOLS=tcp"
  # RTMP (1935) and RTSP (8554) published on every host interface; without a
  # config file mounted, the server's defaults (no read/publish credentials) apply.
  ports:
    - "1935:1935"
    - "8554:8554"
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
  volumes:
    - "/etc/localtime:/etc/localtime:ro"
# ark-server: (disabled; kept for reference)
# NOTE(review): SERVER_PASSWORD / ADMIN_PASSWORD below are plaintext in a committed
# file even though the stanza is commented out; move them to a secrets env_file
# (as the other services do) before re-enabling.
# restart: always
# image: hermsi/ark-server
# container_name: ark-server
# volumes:
# - /srv/docker/container/ark-server:/app
# - /srv/docker/container/ark-server-backups:/home/steam/ARK-Backups
# environment:
# - "SESSION_NAME=The Island - ARK"
# - "SERVER_MAP=TheIsland"
# - "SERVER_PASSWORD=bagrid"
# - "ADMIN_PASSWORD=arkadminpassword"
# - "MAX_PLAYERS=5"
# - "UPDATE_ON_START=false"
# - "BACKUP_ON_STOP=true"
# - "PRE_UPDATE_BACKUP=true"
# - "WARN_ON_STOP=true"
# - "GAME_MOD_IDS=1404697612,1428596566,772235118,895711211"
# ports:
# # Port for connections from ARK game client
# - "7777:7777/udp"
# # Raw UDP socket port (always Game client port +1)
# - "7778:7778/udp"
# # RCON management port
# - "27020:27020/tcp"
# # Steam's server-list port
# - "27015:27015/udp"
kuma:
  image: louislam/uptime-kuma
  container_name: kuma
  restart: always
  # Wrapper entrypoint (mara-init standard) adds the cron job that writes the
  # monitored-container list for telegraf.
  entrypoint: /root/mara-init/entrypoint-wrapper.sh
  volumes:
    - /srv/docker/container/kuma/data:/app/data
    - /srv/docker/container/kuma/mara-bin:/root/mara-bin/
    - /srv/docker/container/kuma/mara-init:/root/mara-init/
    # read-only socket for the docker-container monitor type (still full API access, see traefik)
    - /var/run/docker.sock:/var/run/docker.sock:ro
    # used to transfer which containers we monitor through to telegraf
    - /srv/docker/container/kuma/monitoring-results:/monitoring-results
    - /etc/localtime:/etc/localtime:ro
  # Direct host port kept as a fallback in case mon.depaoli.id.au is unreachable;
  # it bypasses traefik and is plain http on every interface.
  ports:
    - "3001:3001"
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
    - "traefik.enable=true"
    - "traefik.http.routers.kuma.rule=Host(`mon.depaoli.id.au`)"
    - "traefik.http.routers.kuma.entrypoints=secureweb"
    - "traefik.http.routers.kuma.tls=true"
    - "traefik.http.routers.kuma.tls.certresolver=myresolver"
sshwifty:
  image: niruix/sshwifty:latest
  container_name: sshwifty
  restart: always
  user: "nobody:nobody"
  stdin_open: true
  tty: true
  # Internet-facing browser SSH client: whoever reaches it can open SSH sessions
  # from this host's network position. The sshwifty config (shared key, allowed
  # hosts) lives in the mounted /etc tree, which replaces the container's own /etc.
  volumes:
    - "/srv/docker/container/sshwifty/:/etc/"
    - "/etc/localtime:/etc/localtime:ro"
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
    - "traefik.enable=true"
    - "traefik.http.routers.sshwifty.rule=Host(`ssh.depaoli.id.au`)"
    - "traefik.http.routers.sshwifty.entrypoints=secureweb"
    - "traefik.http.routers.sshwifty.tls=true"
    - "traefik.http.routers.sshwifty.tls.certresolver=myresolver"
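mythdb:
  container_name: mythdb
  # :latest + watchtower: MySQL major upgrades will be applied unattended.
  image: mysql:latest
  restart: always
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
  environment:
    MYSQL_DATABASE: 'mythconverg'
    MYSQL_USER: 'mythtv'
    # MYSQL_PASSWORD (the mythtv application user) and MYSQL_ROOT_PASSWORD both come
    # from the secrets env_file below, per the note at the top of this file. The
    # literal 'mythtv' password that used to be on this line is in git history and
    # was reachable on 3306 from the whole LAN — add MYSQL_PASSWORD to
    # /srv/docker/config/secrets/mythtv with a fresh value (and update the myth
    # container's DB credentials to match) before deploying this change.
    MYSQL_UID: "133"
    MYSQL_GID: "140"
  env_file:
    - /srv/docker/config/secrets/mythtv
  # myth now reaches this container by name over the compose network (see DBSERVER),
  # so the host-wide 3306 publish is only for other MythTV frontends on the LAN; bind
  # it to the LAN address (as pihole does) or drop it if there are none.
  ports:
    - "3306:3306"
  volumes:
    - /srv/docker/container/mythtv/db/sql:/docker-entrypoint-initdb.d
    - /srv/docker/container/mythtv/db/data:/var/lib/mysql
    - /srv/docker/container/mythtv/db/log:/var/log/mysql
    - /srv/docker/container/mythtv/db/mythtv.cnf:/etc/mysql/conf.d/mythtv.cnf
    - /etc/localtime:/etc/localtime:ro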
# Wrapper entrypoint 'adds' to the stock image (cron, shepherd, mara-bin scripts)
# so it works as mara needs.
myth:
  container_name: myth
  image: instantlinux/mythtv-backend:latest
  hostname: ${HOSTNAME_MYTHTV:-mythtv}
  restart: always
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
  # needed to renice / ionice just the mythbackend process inside this container
  # (it also runs cron, shepherd and various binaries out of /usr/local/bin)
  # NOTE(review): sys_nice covers renice/ionice; sys_admin is far broader (mounts,
  # namespaces, many escape primitives) — confirm what in the wrapper actually
  # needs it, it is close to privileged in practice.
  cap_add:
    - sys_nice
    - sys_admin
  environment:
    APACHE_LOG_DIR: /var/log/apache2
    DBNAME: mythconverg
    # Container name over the compose network. network_mode: host has been removed
    # from this service, so the old "needs to be an IP" note no longer applies.
    # The DB password is expected in the shared secrets/mythtv env_file.
    DBSERVER: mythdb
    LANG: en_US.UTF-8
    LANGUAGE: en_US.UTF-8
    LOCALHOSTNAME: mara
    TZ: Australia/Melbourne
  # Backend protocol/API ports published on every host interface, for frontends on
  # the LAN; 6544 is the unauthenticated services API.
  ports:
    - "6543:6543"
    - "6544:6544"
    - "6549:6549"
    - "6760:6760"
  entrypoint: /root/mara-init/entrypoint-wrapper.sh
  volumes:
    - /srv/docker/container/mythtv/apache2:/var/log/apache2
    - /srv/docker/container/mythtv/data:/var/mythdata
    - /srv/docker/container/mythtv/home:/home/mythtv
    # persistent host keys / sshd config for the in-container sshd
    - /srv/docker/container/mythtv/ssh-config:/etc/ssh
    - /srv/docker/container/mythtv/var/log:/var/log/mythtv
    - /srv/docker/container/mythtv/mara-init:/root/mara-init
    - /srv/docker/container/mythtv/mara-bin:/root/mara-bin
    # db dumps are produced from here and picked up by mythdb's initdb on rebuild
    - /srv/docker/container/mythtv/db/sql:/db-container/sql
    - /srv/docker/container/mythtv/db/backups:/db-container/backups
    - /srv/docker/container/mythtv/monitoring-results:/monitoring-results
    - /etc/localtime:/etc/localtime:ro
    - /export/myth:/export/myth
    - /export/docker/storage/other-videos:/export/myth/videos
  # Tuner passthrough only; no privileged needed.
  devices:
    - /dev/dvb:/dev/dvb
  env_file:
    - /srv/docker/config/secrets/mythtv
  depends_on:
    - mythdb
wiki:
  image: lscr.io/linuxserver/bookstack
  container_name: wiki
  restart: unless-stopped
  depends_on:
    - wikidb
  # DB_USER/DB_PASS (and APP_KEY) come from the shared wiki secrets env_file,
  # which wikidb also reads so the two stay in sync.
  environment:
    - PUID=1000
    - PGID=1000
    - APP_URL=https://wiki.depaoli.id.au
    - DB_HOST=wikidb
    - DB_PORT=3306
  env_file:
    - /srv/docker/config/secrets/wiki
  volumes:
    - /srv/docker/container/wiki:/config
    - /etc/localtime:/etc/localtime:ro
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
    - "traefik.enable=true"
    - "traefik.http.routers.wiki.rule=Host(`wiki.depaoli.id.au`)"
    - "traefik.http.routers.wiki.entrypoints=secureweb"
    - "traefik.http.routers.wiki.tls=true"
    - "traefik.http.routers.wiki.tls.certresolver=myresolver"
wikidb:
  image: lscr.io/linuxserver/mariadb
  container_name: wikidb
  restart: unless-stopped
  # Not published; only the wiki container reaches it over the compose network.
  environment:
    - PUID=1000
    - PGID=1000
    - TZ=Australia/Melbourne
  env_file:
    - /srv/docker/config/secrets/wiki
  volumes:
    - /srv/docker/container/wikidb/config:/config
    - /srv/docker/container/wikidb/data:/var/lib/mysql
    - /etc/localtime:/etc/localtime:ro
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
web:
  image: php:apache
  container_name: web
  restart: unless-stopped
  entrypoint: "/root/mara-init/entrypoint-wrapper.sh"
  volumes:
    - /srv/docker/container/web/data:/var/www/html
    - /srv/docker/container/web/mara-init:/root/mara-init
    - /etc/localtime:/etc/localtime:ro
  # Internal landing page on mara.ddp.net; only /, /images and /mythweb are routed,
  # so anything else in the document root is not reachable through traefik.
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
    - "traefik.enable=true"
    - "traefik.http.routers.web.rule=Host(`mara.ddp.net`) && ( Path(`/`) || PathPrefix(`/images` ) || PathPrefix(`/mythweb`) )"
    - "traefik.http.routers.web.entrypoints=web"
# This container exists solely so that traefik has a router for the bare
# depaoli.id.au host and therefore obtains/renews its certificate (which the mail
# container then reads from acme.json). The document root is meant to be empty;
# anything dropped into .../depweb/data is served publicly as PHP.
depweb:
  image: php:apache
  container_name: depweb
  restart: unless-stopped
  volumes:
    - /srv/docker/container/depweb/data:/var/www/html
    - /etc/localtime:/etc/localtime:ro
  labels:
    - "com.centurylinklabs.watchtower.enable=true"
    - "traefik.enable=true"
    - "traefik.http.routers.depweb.rule=Host(`depaoli.id.au`)"
    - "traefik.http.routers.depweb.entrypoints=secureweb"
    - "traefik.http.routers.depweb.tls=true"
    - "traefik.http.routers.depweb.tls.certresolver=myresolver"