docker-compose/docker-compose.yml
Damien De Paoli f2da5f4e86 updated emby to 4.9.1.0
updated mythweb to only work on myth.ddp.net
updated vaultwarden to allow redirect to work behind traefik, and also disabled
ability for anyone new to register an account
2025-05-27 18:16:54 +10:00


# Note: where a service lists an env_file under /srv/docker/config/secrets/*,
# the environment variable(s) holding that container's passwords have been moved
# into that file (one place for shared passwords such as LDAP, and so this compose file can be shared safely)
services:
traefik:
  # Reverse proxy and TLS terminator for the services below. Runs on the host
  # network so it can bind :80/:443 directly and reach host-networked
  # containers via localhost.
  container_name: traefik
  image: traefik:latest
  restart: always
  network_mode: host
  command:
    # - '--log.level=DEBUG'
    - '--api.dashboard=true'
    - '--providers.docker=true'
    - '--providers.docker.exposedbydefault=false'
    - '--providers.file=true'
    - '--providers.file.directory=/configuration/'
    - '--providers.file.watch=true'
    - '--entrypoints.web.address=:80'
    - '--entrypoints.secureweb.address=:443'
    # access log, filtered to 4xx/5xx responses and requests taking >= 50ms
    - '--accessLog'
    - '--accessLog.filePath=/var/log/access.log'
    - '--accesslog.fields.names.StartUTC=drop'
    - '--accesslog.filters.statuscodes=400-599'
    - '--accesslog.filters.minduration=50ms'
    # ACME certificate resolver (production CA)
    - '--certificatesresolvers.myresolver.acme.tlschallenge=true'
    - '--certificatesresolvers.myresolver.acme.email=postmaster@depaoli.id.au'
    - '--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json'
  volumes:
    # read-only socket: the docker provider only needs to watch events/labels
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - /srv/docker/container/traefik/:/configuration
    - /srv/docker/container/traefik/var/log/:/var/log/
    # acme.json in here holds the private keys of every issued certificate
    - /srv/docker/container/letsencrypt/etc:/letsencrypt
    - /etc/localtime:/etc/localtime:ro
  depends_on:
    - adguard
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'traefik.enable=true'
    # NOTE(review): the dashboard router sits on the plain-HTTP `web`
    # entrypoint with no auth middleware attached; it relies on
    # traefik.ddp.net only being resolvable/reachable on the LAN — confirm.
    - 'traefik.http.routers.dashboard.rule=Host(`traefik.ddp.net`)'
    - 'traefik.http.routers.dashboard.entrypoints=web'
    - 'traefik.http.routers.dashboard.service=api@internal'
    # the port must be explicit (the container also listens on 80/443); with
    # network_mode: host traefik reaches the dashboard at localhost:8080
    - 'traefik.http.services.dashboard.loadbalancer.server.port=8080'
    - 'last.commit.url=https://api.github.com/repos/traefik/traefik/commits'
sonarr:
  # Sonarr (TV series PVR), published over TLS as son.depaoli.id.au.
  # NOTE(review): no auth middleware in front of it; relies on Sonarr's own
  # login being enabled — confirm.
  container_name: sonarr
  image: linuxserver/sonarr:latest
  restart: always
  environment:
    TZ: 'Australia/Melbourne'
    # same uid/gid as the other media containers (emby, radarr, sabnzbd)
    PUID: '500'
    PGID: '500'
  volumes:
    - /srv/docker/container/sonarr/config:/config
    - /export/docker/storage/downloads:/downloads
    - /export/docker/storage/series:/tv
    - /etc/localtime:/etc/localtime:ro
  depends_on:
    - adguard
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'traefik.enable=true'
    - 'traefik.http.routers.sonarr.rule=Host(`son.depaoli.id.au`)'
    - 'traefik.http.routers.sonarr.entrypoints=secureweb'
    - 'traefik.http.routers.sonarr.tls=true'
    - 'traefik.http.routers.sonarr.tls.certresolver=myresolver'
    - 'last.commit.url=https://api.github.com/repos/linuxserver/docker-sonarr/commits'
radarr:
  # Radarr (movie PVR), published over TLS as rad.depaoli.id.au.
  # NOTE(review): no auth middleware in front of it; relies on Radarr's own
  # login being enabled — confirm.
  container_name: radarr
  image: linuxserver/radarr:latest
  restart: always
  environment:
    TZ: 'Australia/Melbourne'
    # same uid/gid as the other media containers
    PUID: '500'
    PGID: '500'
  volumes:
    - /srv/docker/container/radarr/config:/config
    - /export/docker/storage/downloads:/downloads
    - /export/docker/storage/movies:/movies
    - /etc/localtime:/etc/localtime:ro
  depends_on:
    - adguard
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'traefik.enable=true'
    - 'traefik.http.routers.radarr.rule=Host(`rad.depaoli.id.au`)'
    - 'traefik.http.routers.radarr.entrypoints=secureweb'
    - 'traefik.http.routers.radarr.tls=true'
    - 'traefik.http.routers.radarr.tls.certresolver=myresolver'
    - 'last.commit.url=https://api.github.com/repos/linuxserver/docker-radarr/commits'
readarr:
  # Readarr (book PVR); internal-only, plain HTTP on readarr.ddp.net.
  # Tracks the nightly tag, so watchtower pulls unreleased builds.
  container_name: readarr
  image: linuxserver/readarr:nightly
  restart: always
  environment:
    TZ: 'Australia/Melbourne'
    PUID: '500'
    PGID: '500'
  volumes:
    - /srv/docker/container/readarr/config:/config
    - /export/docker/storage/downloads:/downloads
    - /export/docker/storage/books:/books
    - /etc/localtime:/etc/localtime:ro
  depends_on:
    - adguard
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'traefik.enable=true'
    - 'traefik.http.routers.readarr.rule=Host(`readarr.ddp.net`)'
    - 'traefik.http.routers.readarr.entrypoints=web'
    - 'last.commit.url=https://api.github.com/repos/Readarr/Readarr/commits'
calibre:
  # Calibre desktop (port 8080) and its content server (port 8081), each
  # behind its own internal-only HTTP router.
  container_name: calibre
  image: linuxserver/calibre:latest
  restart: always
  environment:
    TZ: 'Australia/Melbourne'
    PUID: '500'
    PGID: '500'
  volumes:
    - /srv/docker/container/calibre/config:/config
    - /etc/localtime:/etc/localtime:ro
  depends_on:
    - adguard
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'traefik.enable=true'
    # router 1: the calibre GUI on 8080
    - 'traefik.http.routers.calibre.rule=Host(`calibre.ddp.net`)'
    - 'traefik.http.routers.calibre.entrypoints=web'
    - 'traefik.http.routers.calibre.service=calibre'
    - 'traefik.http.services.calibre.loadbalancer.server.port=8080'
    # router 2: the web/content server on 8081
    - 'traefik.http.routers.calibreweb.rule=Host(`calibreweb.ddp.net`)'
    - 'traefik.http.routers.calibreweb.entrypoints=web'
    - 'traefik.http.routers.calibreweb.service=calibreweb'
    - 'traefik.http.services.calibreweb.loadbalancer.server.port=8081'
    - 'last.commit.url=https://api.github.com/repos/linuxserver/docker-calibre/commits'
# Host networking puts emby on the 192.168.0/24 subnet so that direct play
# on the TV works (from memory).
emby:
  # Emby media server, pinned to a specific release (the :latest line is
  # kept for when the pin is lifted). Published over TLS as emby.depaoli.id.au.
  container_name: emby
  # image: emby/embyserver:latest
  image: emby/embyserver:4.9.1.0
  restart: always
  network_mode: host
  environment:
    UID: '500'
    GID: '500'
    # 44 = video group for /dev/dri card access; 110 = group used for AMD transcoding
    GIDLIST: '44,110'
    TZ: 'Australia/Melbourne'
  devices:
    - /dev/dri:/dev/dri
  volumes:
    - /srv/docker/container/emby/config:/config
    - /srv/docker/container/emby/transcode:/transcode
    - /export/docker/storage:/data
    - /export/myth/tv:/myth-recordings
    - /etc/localtime:/etc/localtime:ro
  depends_on:
    - adguard
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'traefik.enable=true'
    - 'traefik.http.routers.emby.rule=Host(`emby.depaoli.id.au`)'
    # with network_mode: host traefik reaches this service at http://localhost:8096
    - 'traefik.http.services.emby.loadbalancer.server.port=8096'
    - 'traefik.http.routers.emby.entrypoints=secureweb'
    - 'traefik.http.routers.emby.tls=true'
    - 'traefik.http.routers.emby.tls.certresolver=myresolver'
    - 'last.commit.url=https://api.github.com/repos/MediaBrowser/Emby.Releases/commits'
# fail2ban might need a better whitelist (the quick fudge also had internal docker IPs in it?)
mail:
  # docker-mailserver for depaoli.id.au: accounts/auth from openldap, spam
  # handling by rspamd. Pinned to a specific release rather than :latest.
  image: docker.io/mailserver/docker-mailserver:15.0.2
  container_name: mail
  hostname: depaoli.id.au
  domainname: depaoli.id.au
  restart: always
  # NET_ADMIN lets fail2ban manage the container's firewall rules
  cap_add:
    - NET_ADMIN
  ports:
    - '0.0.0.0:25:25'
    - '0.0.0.0:465:465'
    - '0.0.0.0:587:587'
    - '0.0.0.0:993:993'
  environment:
    ENABLE_CLAMAV: '1'
    ENABLE_FAIL2BAN: '1'
    ENABLE_POSTGREY: '0'
    ENABLE_UPDATE_CHECK: '1'
    ENABLE_POP3: '0'
    # lets users manage their own sieve scripts; not used at present
    ENABLE_MANAGESIEVE: '0'
    # unclear whether this can be 1 — it seems aimed at postscreen rather than rspamd, so it may always have been off
    ENABLE_DNSBL: '0'
    # per the docs: rspamd on, and everything it replaces (through spamassassin) off
    ENABLE_RSPAMD: '1'
    ENABLE_OPENDKIM: '0'
    ENABLE_OPENDMARC: '0'
    ENABLE_POLICYD_SPF: '0'
    ENABLE_AMAVIS: '0'
    ENABLE_SPAMASSASSIN: '0'
    MOVE_SPAM_TO_JUNK: '1'
    # greylist only mail that already looks spammy
    RSPAMD_GREYLISTING: '1'
    # learn spam/ham from mail that users move into or out of Junk
    RSPAMD_LEARN: '1'
    # hostname heuristics for mis-configured senders; header-only for now, switch to reject once trusted
    RSPAMD_HFILTER: '1'
    # reject senders whose From address does not match the account they authenticated as
    SPOOF_PROTECTION: '1'
    ONE_DIR: '1'
    DMS_DEBUG: '0'
    LOG_LEVEL: 'warn'
    # account lookups go to the openldap service by container name (not by IP)
    ACCOUNT_PROVISIONER: 'LDAP'
    LDAP_SERVER_HOST: 'ldap://openldap:1389'
    LDAP_SEARCH_BASE: 'dc=depaoli,dc=id,dc=au'
    # NOTE(review): binds as the directory admin; a dedicated read-only bind
    # DN would be least privilege — confirm nothing here needs write access
    LDAP_BIND_DN: 'cn=admin,dc=depaoli,dc=id,dc=au'
    LDAP_QUERY_FILTER_USER: '(&(mail=%s)(mailEnabled=TRUE))'
    LDAP_QUERY_FILTER_GROUP: '(&(mailGroupMember=%s)(mailEnabled=TRUE))'
    LDAP_QUERY_FILTER_ALIAS: '(mailAlias=%s)'
    LDAP_QUERY_FILTER_DOMAIN: '(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))'
    DOVECOT_PASS_FILTER: '(&(objectClass=PostfixBookMailAccount)(uid=%n))'
    DOVECOT_USER_FILTER: '(&(objectClass=PostfixBookMailAccount)(uid=%n))'
    ENABLE_SASLAUTHD: '1'
    SASLAUTHD_MECHANISMS: 'ldap'
    SASLAUTHD_LDAP_SERVER: 'ldap://openldap:1389'
    SASLAUTHD_LDAP_BIND_DN: 'cn=admin,dc=depaoli,dc=id,dc=au'
    SASLAUTHD_LDAP_SEARCH_BASE: 'ou=users,dc=depaoli,dc=id,dc=au'
    SASLAUTHD_LDAP_FILTER: '(&(uid=%U)(objectClass=person))'
    POSTMASTER_ADDRESS: 'postmaster@depaoli.id.au'
    POSTFIX_MESSAGE_SIZE_LIMIT: '100000000'
    SSL_TYPE: 'letsencrypt'
  # the LDAP bind password lives in the shared secrets file, not here
  env_file:
    - /srv/docker/config/secrets/ldap-mail-common
  volumes:
    - /srv/docker/container/mail/data:/var/mail
    - /srv/docker/container/mail/state:/var/mail-state
    - /srv/docker/container/mail/log:/var/log/mail
    - /srv/docker/container/mail/config/:/tmp/docker-mailserver/
    - /etc/localtime:/etc/localtime:ro
    # user-patches.sh (under .../mail/config) installs a cron job that runs from mara-bin and writes to monitoring-results
    - /srv/docker/container/mail/mara-bin:/root/bin
    - /srv/docker/container/mail/monitoring-results:/monitoring-results
    # NOTE: traefik obtains the depaoli.id.au cert (for the depweb container) and stores it in acme.json;
    # that file holds the private keys of every certificate traefik manages, so it is mounted read-only
    - /srv/docker/container/letsencrypt/etc/acme.json:/etc/letsencrypt/acme.json:ro
  depends_on:
    - adguard
    - openldap
  labels:
    # watchtower keeps restarting mail even without an update, and the mailserver emails about updates anyway
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'traefik.enable=true'
    # rspamd web UI, internal-only over plain HTTP
    - 'traefik.http.routers.mail.rule=Host(`rspamd.ddp.net`)'
    - 'traefik.http.routers.mail.entrypoints=web'
    - 'traefik.http.services.mail.loadbalancer.server.port=11334'
    - 'last.commit.url=https://api.github.com/repos/docker-mailserver/docker-mailserver/commits'
openldap:
  # Bitnami OpenLDAP: the account directory used by mail, webmail, grafana,
  # hass and vaultwarden. Admin password comes from the shared secrets file.
  image: bitnami/openldap:latest
  container_name: openldap
  restart: always
  user: '2000'
  tty: true
  stdin_open: true
  environment:
    # NOTE(review): debug output left on; consider turning off outside troubleshooting
    BITNAMI_DEBUG: 'true'
    LDAP_ROOT: 'dc=depaoli,dc=id,dc=au'
    LDAP_ADMIN_USERNAME: 'admin'
    LDAP_SKIP_DEFAULT_TREE: 'yes'
    LDAP_CUSTOM_SCHEMA_DIR: '/schemas'
    LDAP_CUSTOM_LDIF_DIR: '/ldifs'
    LDAP_LOGLEVEL: '256'
  env_file:
    - /srv/docker/config/secrets/ldap-mail-common
  # NOTE(review): plain (non-TLS) LDAP on 1389 is published on every host
  # interface as 389 — presumably intended for LAN clients; confirm it is not
  # reachable from outside
  ports:
    - '0.0.0.0:389:1389'
  volumes:
    - /srv/docker/container/ldap/:/bitnami/openldap/
    - /srv/docker/container/ldap/bootstrap-schema:/schemas
    - /srv/docker/container/ldap/bootstrap-ldifs:/ldifs
    - /etc/localtime:/etc/localtime:ro
  depends_on:
    - adguard
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'last.commit.url=https://api.github.com/repos/bitnami/containers/commits?path=bitnami/openldap'
# webmail
webmail:
  # Roundcube, talking to the mail service over IMAPS/SMTPS via its public
  # name. SQLite backend, published over TLS as webmail.depaoli.id.au.
  image: roundcube/roundcubemail:latest
  container_name: webmail
  restart: always
  environment:
    ROUNDCUBEMAIL_DB_TYPE: 'sqlite'
    ROUNDCUBEMAIL_SKIN: 'elastic'
    ROUNDCUBEMAIL_DEFAULT_HOST: 'ssl://depaoli.id.au'
    ROUNDCUBEMAIL_DEFAULT_PORT: '993'
    ROUNDCUBEMAIL_SMTP_SERVER: 'ssl://depaoli.id.au'
    ROUNDCUBEMAIL_SMTP_PORT: '465'
  volumes:
    - /srv/docker/container/roundcubemail/www:/var/www/html
    - /srv/docker/container/roundcubemail/db/sqlite:/var/roundcube/db
    - /srv/docker/container/roundcubemail/tmp/roundcube-temp:/tmp/roundcube-temp
    - /srv/docker/container/roundcubemail/var/roundcube/config:/var/roundcube/config
    - /etc/localtime:/etc/localtime:ro
  depends_on:
    - adguard
    - mail
    - openldap
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'traefik.enable=true'
    - 'traefik.http.routers.webmail.rule=Host(`webmail.depaoli.id.au`)'
    - 'traefik.http.routers.webmail.entrypoints=secureweb'
    - 'traefik.http.routers.webmail.tls=true'
    - 'traefik.http.routers.webmail.tls.certresolver=myresolver'
    - 'last.commit.url=https://api.github.com/repos/roundcube/roundcubemail/commits'
portainer:
  # Portainer CE docker UI, internal-only over plain HTTP.
  # NOTE(review): the read-write docker socket makes this container
  # host-root-equivalent; its login is the only thing guarding that.
  container_name: portainer
  image: portainer/portainer-ce:latest
  restart: always
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock
    - /srv/docker/container/portainer/data:/data
    - /etc/localtime:/etc/localtime:ro
  depends_on:
    - adguard
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'traefik.enable=true'
    - 'traefik.http.routers.portainer.rule=Host(`portainer.ddp.net`)'
    # explicit port: the image also exposes API and TLS ports
    - 'traefik.http.services.portainer.loadbalancer.server.port=9000'
    - 'last.commit.url=https://api.github.com/repos/portainer/portainer/commits'
# Host networking keeps hass on the same subnet as the IoT devices so it can
# see/discover them.
hass:
  # Home Assistant. NOTE(review): privileged + seccomp unconfined + a
  # read-write docker socket make this container host-root-equivalent; every
  # integration/add-on it runs inherits that.
  image: ghcr.io/home-assistant/home-assistant:latest
  container_name: hass
  restart: always
  network_mode: host
  privileged: true
  security_opt:
    - seccomp:unconfined
  volumes:
    - /srv/docker/container/hass:/config
    # pre-seeded known_hosts for /root/.ssh so the 'command line' authentication works on login in every fresh container
    - /srv/docker/container/hass/ssh/known_hosts:/root/.ssh/known_hosts
    - /var/run/docker.sock:/var/run/docker.sock
    - /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket
    - /run/dbus:/run/dbus:ro
    - /etc/localtime:/etc/localtime:ro
  depends_on:
    - adguard
    - openldap
  labels:
    # updates are deliberately manual for hass
    - 'com.centurylinklabs.watchtower.enable=false'
    # labels are kept here, but the original note says routing is handled via
    # the file provider because of network_mode: host
    - 'traefik.enable=true'
    - 'traefik.http.routers.hass.rule=Host(`hass.depaoli.id.au`)'
    # with network_mode: host traefik reaches this service at http://localhost:8123
    - 'traefik.http.services.hass.loadbalancer.server.port=8123'
    - 'traefik.http.routers.hass.entrypoints=secureweb'
    - 'traefik.http.routers.hass.tls=true'
    - 'traefik.http.routers.hass.tls.certresolver=myresolver'
    - 'last.commit.url=https://api.github.com/repos/home-assistant/core/commits'
# Host networking lets Music Assistant find the players automatically.
mass:
  # Music Assistant server, served under hass.depaoli.id.au/mass/ (prefix
  # stripped before proxying). SYS_ADMIN + unconfined AppArmor is a broad
  # grant — NOTE(review): confirm which feature actually needs it.
  image: ghcr.io/music-assistant/server:latest
  container_name: mass
  restart: always
  network_mode: host
  cap_add:
    - SYS_ADMIN
    - DAC_READ_SEARCH
  security_opt:
    - apparmor:unconfined
  volumes:
    - /srv/docker/container/mass/data:/data
    - /export/docker/storage/music:/music
    - /etc/localtime:/etc/localtime:ro
  depends_on:
    - adguard
    - emby
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'traefik.enable=true'
    - 'traefik.http.routers.mass.rule=Host(`hass.depaoli.id.au`) && PathPrefix(`/mass/`)'
    - 'traefik.http.routers.mass.entrypoints=secureweb'
    - 'traefik.http.routers.mass.tls=true'
    - 'traefik.http.routers.mass.tls.certresolver=myresolver'
    - 'traefik.http.middlewares.stripprefix-mass.stripprefix.prefixes=/mass'
    - 'traefik.http.routers.mass.middlewares=stripprefix-mass@docker'
    # with network_mode: host traefik reaches this service at http://127.0.0.1:8095
    - 'traefik.http.services.mass.loadbalancer.server.port=8095'
mosquitto:
  # MQTT broker. NOTE(review): 1883 (no TLS) is published on every host
  # interface; whether clients must authenticate is decided by the mounted
  # mosquitto config, which is not visible here — confirm.
  container_name: mosquitto
  image: eclipse-mosquitto:latest
  restart: always
  ports:
    - '0.0.0.0:1883:1883'
  volumes:
    # the data/log mounts below sit inside the first mount's tree
    - /srv/docker/container/mosquitto:/mosquitto
    - /srv/docker/container/mosquitto/data:/mosquitto/data
    - /srv/docker/container/mosquitto/log:/mosquitto/log
    - /etc/localtime:/etc/localtime:ro
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'last.commit.url=https://api.github.com/repos/eclipse/mosquitto/commits'
esphome:
  # ESPHome dashboard, internal-only over plain HTTP. Privileged with the
  # whole of /dev mapped in so it can flash devices over USB serial.
  # NOTE(review): image has no tag (implicitly :latest) and, unlike its
  # siblings, no depends_on adguard — confirm both are intended.
  container_name: esphome
  image: esphome/esphome
  restart: always
  privileged: true
  environment:
    ESPHOME_DASHBOARD_USE_PING: 'true'
  volumes:
    - /srv/docker/container/esphome/config:/config
    - /dev:/dev
    - /etc/localtime:/etc/localtime:ro
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'traefik.enable=true'
    - 'traefik.http.routers.esphome.rule=Host(`esphome.ddp.net`)'
    - 'traefik.http.routers.esphome.entrypoints=web'
    - 'last.commit.url=https://api.github.com/repos/esphome/esphome/commits'
sabnzbd:
  # SABnzbd downloader, internal-only over plain HTTP on sab.ddp.net.
  image: linuxserver/sabnzbd:latest
  container_name: sabnzbd
  restart: always
  environment:
    PUID: '500'
    PGID: '500'
    TZ: 'Australia/Melbourne'
  volumes:
    - /srv/docker/container/sabnzbd/:/config
    - /export/docker/storage/downloads:/downloads
    - /export/docker/storage/incomplete-downloads:/incomplete-downloads
    - /etc/localtime:/etc/localtime:ro
  depends_on:
    - adguard
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'traefik.enable=true'
    - 'traefik.http.routers.sabnzbd.rule=Host(`sab.ddp.net`)'
    - 'traefik.http.routers.sabnzbd.entrypoints=web'
    - 'last.commit.url=https://api.github.com/repos/linuxserver/docker-sabnzbd/commits'
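influxdb:
  # InfluxDB 2 time-series store for the telegraf metrics; internal-only
  # over plain HTTP on influx.ddp.net.
  image: influxdb:latest
  container_name: influxdb
  restart: always
  environment:
    # first-boot bootstrap only: the image skips setup once the data volume
    # under /var/lib/influxdb2 has been initialised
    DOCKER_INFLUXDB_INIT_MODE: 'setup'
    DOCKER_INFLUXDB_INIT_ORG: 'mara'
    DOCKER_INFLUXDB_INIT_USERNAME: 'telegraf'
    DOCKER_INFLUXDB_INIT_BUCKET: 'telegraf'
    DOCKER_INFLUXDB_INIT_RETENTION: '2w'
    # DOCKER_INFLUXDB_INIT_ADMIN_TOKEN is supplied by the env_file below
    # (presumably alongside DOCKER_INFLUXDB_INIT_PASSWORD, which is not set
    # here). The token used to be a literal in this file and so has been
    # committed; treat that value as compromised and rotate it in InfluxDB.
  env_file:
    - /srv/docker/config/secrets/influxdb
  volumes:
    - /srv/docker/container/influxdb/data:/var/lib/influxdb2
    - /srv/docker/container/influxdb/config:/etc/influxdb2
    - /etc/localtime:/etc/localtime:ro
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'traefik.enable=true'
    - 'traefik.http.routers.influxdb.rule=Host(`influx.ddp.net`)'
    - 'traefik.http.routers.influxdb.entrypoints=web'
    - 'last.commit.url=https://api.github.com/repos/influxdata/influxdb/commits'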
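telegraf:
  # Metrics collector feeding influxdb. Runs privileged, as root, with the
  # host root fs at /host and the docker socket mounted: effectively
  # host-root. Keep /srv/docker/container/telegraf (config + the entrypoint
  # wrapper it executes) owned by root and not writable by anything else.
  image: telegraf:latest
  container_name: telegraf
  restart: always
  # must be root (uid 0) to run smartmontools / nvme
  user: 'root'
  # per the original note: the wrapper adds the docker group to the telegraf
  # user (for docker.sock) and installs smartmontools etc.
  entrypoint: /root/mara-init/entrypoint-wrapper.sh
  # privileged already maps every host device into the container, so a
  # devices: list is redundant; the previous `/dev:ro` entry was also not a
  # well-formed host:container[:perms] device spec, so it has been dropped.
  privileged: true
  environment:
    HOST_MOUNT_PREFIX: '/host'
    HOST_PROC: '/host/proc'
    HOST_SYS: '/host/sys'
  volumes:
    - /srv/docker/container/telegraf:/etc/telegraf
    - /srv/docker/container/telegraf/sudoers/smart:/etc/sudoers.d/smart
    - /srv/docker/container/telegraf/mara-init/entrypoint-wrapper.sh:/root/mara-init/entrypoint-wrapper.sh
    # external script output that telegraf picks up, one directory per producer
    - /srv/docker/container/telegraf/monitoring-results:/usr/local/external-results/mara
    - /srv/docker/container/mythtv/monitoring-results:/usr/local/external-results/myth
    - /srv/docker/container/mail/monitoring-results:/usr/local/external-results/mail
    - /srv/docker/container/mon/monitoring-results:/usr/local/external-results/kuma
    - /srv/docker/container/samba/monitoring-results:/usr/local/external-results/samba
    # host visibility (read-only)
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - /:/host:ro
    - /run/udev:/run/udev:ro
    - /etc/localtime:/etc/localtime:ro
  depends_on:
    - influxdb
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'last.commit.url=https://api.github.com/repos/influxdata/telegraf/commits'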
grafana:
  # Grafana with LDAP login (ldap.toml); the LDAP bind password comes from
  # the shared secrets file. Two routers: public TLS and internal HTTP.
  image: grafana/grafana:latest
  container_name: grafana
  restart: always
  env_file:
    - /srv/docker/container/grafana/config.monitoring
    - /srv/docker/config/secrets/ldap-mail-common
  volumes:
    - /srv/docker/container/grafana/grafana.ini:/etc/grafana/grafana.ini
    - /srv/docker/container/grafana/ldap.toml:/etc/grafana/ldap.toml
    - /srv/docker/container/grafana/data:/var/lib/grafana
    - /srv/docker/container/grafana/dashboards:/var/lib/grafana/dashboards
    - /srv/docker/container/grafana/grafana/provisioning:/etc/grafana/provisioning
    - /etc/localtime:/etc/localtime:ro
  depends_on:
    - influxdb
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'traefik.enable=true'
    # public, TLS
    - 'traefik.http.routers.grafana_ssl.rule=Host(`graf.depaoli.id.au`)'
    - 'traefik.http.routers.grafana_ssl.entrypoints=secureweb'
    - 'traefik.http.routers.grafana_ssl.tls=true'
    - 'traefik.http.routers.grafana_ssl.tls.certresolver=myresolver'
    # internal, plain HTTP
    - 'traefik.http.routers.grafana.rule=Host(`grafana.ddp.net`)'
    - 'traefik.http.routers.grafana.entrypoints=web'
    - 'last.commit.url=https://api.github.com/repos/grafana/grafana/commits'
adguard:
  # AdGuard Home: LAN DNS on 192.168.0.2:53 only (not all interfaces). Most
  # other services depend_on it so name resolution is up before they start.
  container_name: adguard
  image: adguard/adguardhome
  restart: always
  environment:
    TZ: 'Australia/Melbourne'
  ports:
    - '192.168.0.2:53:53/tcp'
    - '192.168.0.2:53:53/udp'
  volumes:
    - /srv/docker/container/adguard/conf:/opt/adguardhome/conf
    - /srv/docker/container/adguard/work:/opt/adguardhome/work
    - /etc/localtime:/etc/localtime:ro
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'traefik.enable=true'
    - 'traefik.http.routers.adguard.rule=Host(`adguard.ddp.net`)'
    - 'traefik.http.routers.adguard.entrypoints=web'
    - 'traefik.http.services.adguard.loadbalancer.server.port=80'
    - 'last.commit.url=https://api.github.com/repos/AdguardTeam/AdGuardHome/commits'
bookdb_dev:
  # Dev Postgres for pybook (bookdev). Password comes from the bookdb-common
  # secrets file, which is shared with the production bookdb.
  container_name: bookdb_dev
  image: postgres:latest
  restart: always
  environment:
    POSTGRES_USER: 'ddp'
    POSTGRES_DB: 'library'
  env_file:
    - /srv/docker/config/secrets/bookdb-common
  volumes:
    - /srv/docker/container/bookdb_dev/data:/var/lib/postgresql/data
    - /srv/docker/container/bookdb_dev/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
    - /etc/localtime:/etc/localtime:ro
  depends_on:
    - adguard
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'last.commit.url=https://api.github.com/repos/postgres/postgres/commits'
bookdb:
  # Production Postgres for pybook (book), pinned to major version 17 so
  # watchtower cannot pull a data-format-incompatible major upgrade.
  container_name: bookdb
  image: postgres:17
  restart: always
  environment:
    POSTGRES_USER: 'ddp'
    POSTGRES_DB: 'library'
  env_file:
    - /srv/docker/config/secrets/bookdb-common
  volumes:
    - /srv/docker/container/bookdb/data:/var/lib/postgresql/data
    - /srv/docker/container/bookdb/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
    - /etc/localtime:/etc/localtime:ro
  depends_on:
    - adguard
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'last.commit.url=https://api.github.com/repos/postgres/postgres/commits'
bookdev:
  # pybook dev build from the local source tree (mounted live so edits show
  # up without a rebuild). Internal-only over plain HTTP.
  container_name: bookdev
  restart: always
  build:
    context: '/home/ddp/src/pybook'
    args:
      ENV: 'container'
      BOOK_UID: '1000'
      BOOK_GID: '1000'
  environment:
    FLASK_ENV: 'container'
  volumes:
    - /home/ddp/src/pybook/:/pybook_mapped_volume
    - /export/docker/storage/books/:/books
    - /etc/localtime:/etc/localtime:ro
  depends_on:
    - bookdb_dev
    - adguard
  labels:
    # locally built image: nothing for watchtower to pull
    - 'com.centurylinklabs.watchtower.enable=false'
    - 'traefik.enable=true'
    - 'traefik.http.routers.bookdev.rule=Host(`bookdev.ddp.net`)'
    - 'traefik.http.routers.bookdev.entrypoints=web'
book:
  # pybook production build, published over TLS as book.depaoli.id.au.
  container_name: book
  restart: always
  build:
    context: '/home/ddp/src/pybook'
    args:
      ENV: 'production'
      BOOK_UID: '1000'
      BOOK_GID: '1000'
  environment:
    FLASK_ENV: 'production'
  volumes:
    - /export/docker/storage/books:/books
    - /etc/localtime:/etc/localtime:ro
  depends_on:
    - bookdb
    - adguard
  labels:
    # locally built image: nothing for watchtower to pull
    - 'com.centurylinklabs.watchtower.enable=false'
    - 'traefik.enable=true'
    - 'traefik.http.routers.book.rule=Host(`book.depaoli.id.au`)'
    - 'traefik.http.routers.book.entrypoints=secureweb'
    - 'traefik.http.routers.book.tls=true'
    - 'traefik.http.routers.book.tls.certresolver=myresolver'
padb_dev:
  # Dev Postgres for photoassistant (padev). The healthcheck gates padev's
  # startup (condition: service_healthy).
  container_name: padb_dev
  image: postgres:latest
  restart: always
  # wrapper entrypoint installs cron plus a job that dumps users, so the
  # content can be rebuilt from the SQL dumps
  entrypoint: /root/mara-init/entrypoint-wrapper.sh
  environment:
    POSTGRES_USER: 'pa'
    POSTGRES_DB: 'pa'
  env_file:
    - /srv/docker/config/secrets/padb-common
  volumes:
    - /srv/docker/container/padb_dev/data:/var/lib/postgresql/data
    - /srv/docker/container/padb_dev/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
    - /srv/docker/container/padb_dev/mara-init:/root/mara-init
    - /srv/docker/container/padb_dev/mara-bin:/root/mara-bin
    - /etc/localtime:/etc/localtime:ro
  healthcheck:
    test:
      - CMD
      - pg_isready
      - -U
      - pa
    interval: 30s
    timeout: 10s
    retries: 5
  depends_on:
    - adguard
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'last.commit.url=https://api.github.com/repos/postgres/postgres/commits'
padb:
  # Production Postgres for photoassistant (pa), pinned to major 17. The
  # healthcheck gates pa's startup (condition: service_healthy).
  container_name: padb
  image: postgres:17
  restart: always
  # wrapper entrypoint installs cron plus a job that dumps users, so the
  # content can be rebuilt from the SQL dumps
  entrypoint: /root/mara-init/entrypoint-wrapper.sh
  environment:
    POSTGRES_USER: 'pa'
    POSTGRES_DB: 'pa'
  env_file:
    - /srv/docker/config/secrets/padb-common
  volumes:
    - /srv/docker/container/padb/data:/var/lib/postgresql/data
    - /srv/docker/container/padb/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
    - /srv/docker/container/padb/mara-init:/root/mara-init
    - /srv/docker/container/padb/mara-bin:/root/mara-bin
    - /etc/localtime:/etc/localtime:ro
  healthcheck:
    test:
      - CMD
      - pg_isready
      - -U
      - pa
    interval: 30s
    timeout: 10s
    retries: 5
  depends_on:
    - adguard
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'last.commit.url=https://api.github.com/repos/postgres/postgres/commits'
padev:
  # photoassistant dev build from the local source tree, internal-only over
  # plain HTTP; waits for padb_dev to report healthy.
  container_name: padev
  restart: always
  build:
    context: '/home/ddp/src/photoassistant'
    args:
      # uid of ddp (dev / container)
      PA_ID: '1000'
  environment:
    ENV: 'container'
  volumes:
    - /home/ddp/src/photoassistant:/home/ddp/src/photoassistant
    - /etc/localtime:/etc/localtime:ro
  depends_on:
    padb_dev:
      condition: service_healthy
  labels:
    # locally built image: nothing for watchtower to pull
    - 'com.centurylinklabs.watchtower.enable=false'
    - 'traefik.enable=true'
    - 'traefik.http.routers.padev.rule=Host(`padev.ddp.net`)'
    - 'traefik.http.routers.padev.entrypoints=web'
pa:
  # photoassistant production build, published over TLS as
  # pa.depaoli.id.au; waits for padb to report healthy.
  container_name: pa
  restart: always
  build:
    context: '/home/ddp/src/photoassistant'
    args:
      # uid of mythtv (prod)
      PA_ID: '500'
  environment:
    ENV: 'production'
  volumes:
    - /export/docker/storage:/export/docker/storage
    - /etc/localtime:/etc/localtime:ro
  depends_on:
    padb:
      condition: service_healthy
  labels:
    # locally built image: nothing for watchtower to pull
    - 'com.centurylinklabs.watchtower.enable=false'
    - 'traefik.enable=true'
    - 'traefik.http.routers.pa.rule=Host(`pa.depaoli.id.au`)'
    - 'traefik.http.routers.pa.entrypoints=secureweb'
    - 'traefik.http.routers.pa.tls=true'
    - 'traefik.http.routers.pa.tls.certresolver=myresolver'
finplan:
  # finplan local build, internal-only over plain HTTP. Runs as a fixed
  # non-root uid/gid.
  container_name: finplan
  restart: always
  build:
    context: '/home/ddp/src/finplan'
    args:
      USERID: '1000'
      GROUPID: '1000'
  # forced to 1000:1000 so dev and prod can share files for now — may be
  # worth fixing properly one day
  user: '1000:1000'
  environment:
    ENV: 'production'
  volumes:
    - /srv/docker/container/finplan:/data
    - /etc/localtime:/etc/localtime:ro
  labels:
    # locally built image: nothing for watchtower to pull
    - 'com.centurylinklabs.watchtower.enable=false'
    - 'traefik.enable=true'
    - 'traefik.http.routers.finplan.rule=Host(`finplan.ddp.net`)'
    - 'traefik.http.routers.finplan.entrypoints=web'
vaultwarden:
  # Vaultwarden (Bitwarden-compatible) password manager, published over TLS
  # as bw.depaoli.id.au with the stricter `tls12` TLS options from the file
  # provider. Admin/secrets come from the vaultwarden secrets file.
  container_name: vaultwarden
  image: vaultwarden/server:latest
  restart: always
  environment:
    ORG_EVENTS_ENABLED: 'true'
    # must match the public URL so redirects behind traefik resolve correctly
    DOMAIN: 'https://bw.depaoli.id.au'
    # no self-service registration: new accounts only via invitation/admin
    SIGNUPS_ALLOWED: 'false'
  env_file:
    - /srv/docker/config/secrets/vaultwarden
  volumes:
    - /srv/docker/container/vaultwarden:/data
    - /etc/localtime:/etc/localtime:ro
  depends_on:
    - adguard
    - openldap
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'traefik.enable=true'
    - 'traefik.http.routers.vaultwarden.rule=Host(`bw.depaoli.id.au`)'
    - 'traefik.http.routers.vaultwarden.entrypoints=secureweb'
    - 'traefik.http.routers.vaultwarden.tls=true'
    # options named `tls12` defined under the file provider directory (/configuration)
    - 'traefik.http.routers.vaultwarden.tls.options=tls12@file'
    - 'traefik.http.routers.vaultwarden.tls.certresolver=myresolver'
    - 'last.commit.url=https://api.github.com/repos/dani-garcia/vaultwarden/commits'
# auto-update docker images
watchtower:
  # Watchtower: nightly (03:00) pull/restart of every container labelled
  # com.centurylinklabs.watchtower.enable=true, old images cleaned up.
  # NOTE(review): needs the read-write docker socket, so it is host-root-
  # equivalent, and it runs an unpinned :latest-dev build of itself.
  container_name: watchtower
  image: containrrr/watchtower:latest-dev
  restart: always
  command: --schedule "0 0 3 * * *" --debug --stop-timeout 60s --label-enable --cleanup
  volumes:
    - '/var/run/docker.sock:/var/run/docker.sock'
    - '/etc/localtime:/etc/localtime:ro'
  depends_on:
    - adguard
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'last.commit.url=https://api.github.com/repos/containrrr/watchtower/commits'
# used by hass (eufy integration) to receive camera notifications
eufy_security_ws:
  # eufy-security-ws bridge; the eufy account password comes from the
  # secrets file. NOTE(review): its websocket on 3000 is published on every
  # host interface — confirm it is only reachable from the LAN.
  image: bropat/eufy-security-ws:latest
  container_name: eufy_security_ws
  restart: always
  environment:
    USERNAME: 'eufy_hass@depaoli.id.au'
    COUNTRY: 'AU'
    DEBUG: '-v'
    TRUSTED_DEVICE_NAME: 'Pixel Pro 7'
  env_file:
    - /srv/docker/config/secrets/eufy_security_ws
  ports:
    - '0.0.0.0:3000:3000'
  volumes:
    - '/srv/docker/container/eufy_security_ws/data:/data'
    - '/etc/localtime:/etc/localtime:ro'
    - '/etc/timezone:/etc/timezone:ro'
  depends_on:
    - adguard
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'last.commit.url=https://api.github.com/repos/bropat/eufy-security-ws/commits'
# used by hass (eufy integration) to stream from the cameras
rtsp_simple_server:
  # RTSP/RTMP relay. NOTE(review): the upstream project was renamed to
  # mediamtx (the last.commit.url already points there) while the image
  # still pulls the old name — check it is still receiving updates.
  image: aler9/rtsp-simple-server:latest
  container_name: rtsp_simple_server
  restart: always
  environment:
    RTSP_PROTOCOLS: 'tcp'
  ports:
    - '0.0.0.0:1935:1935'
    - '0.0.0.0:8554:8554'
  volumes:
    - '/etc/localtime:/etc/localtime:ro'
  depends_on:
    - adguard
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'last.commit.url=https://api.github.com/repos/bluenviron/mediamtx/commits'
# NOT YET - API calls don't match the DB, need to wait
mon:
  # Uptime Kuma (beta tag), published over TLS as mon.depaoli.id.au and also
  # directly on 3001. Reads the docker socket read-only to monitor containers.
  image: louislam/uptime-kuma:beta
  container_name: mon
  restart: always
  entrypoint: /root/mara-init/entrypoint-wrapper.sh
  ports:
    - '0.0.0.0:3001:3001'
  volumes:
    - /srv/docker/container/mon/data:/app/data
    - /srv/docker/container/mon/mara-bin:/root/mara-bin/
    - /srv/docker/container/mon/mara-init:/root/mara-init/
    - /var/run/docker.sock:/var/run/docker.sock:ro
    # hands the list of monitored containers across to telegraf
    - /srv/docker/container/mon/monitoring-results:/monitoring-results
    - /etc/localtime:/etc/localtime:ro
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'traefik.enable=true'
    - 'traefik.http.routers.mon.rule=Host(`mon.depaoli.id.au`)'
    - 'traefik.http.routers.mon.entrypoints=secureweb'
    - 'traefik.http.routers.mon.tls=true'
    - 'traefik.http.routers.mon.tls.certresolver=myresolver'
    - 'last.commit.url=https://api.github.com/repos/louislam/uptime-kuma/commits'
sshwifty:
  # Browser-based SSH client, published over TLS as ssh.depaoli.id.au; runs
  # unprivileged as nobody. NOTE(review): the host directory is mounted over
  # the whole of /etc/ in the container, not just its config file — confirm
  # that is intended.
  image: niruix/sshwifty:latest
  container_name: sshwifty
  restart: always
  user: 'nobody:nobody'
  tty: true
  stdin_open: true
  volumes:
    - '/srv/docker/container/sshwifty/:/etc/'
    - '/etc/localtime:/etc/localtime:ro'
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'traefik.enable=true'
    - 'traefik.http.routers.sshwifty.rule=Host(`ssh.depaoli.id.au`)'
    - 'traefik.http.routers.sshwifty.entrypoints=secureweb'
    - 'traefik.http.routers.sshwifty.tls=true'
    - 'traefik.http.routers.sshwifty.tls.certresolver=myresolver'
    - 'last.commit.url=https://api.github.com/repos/niruix/sshwifty/commits'
mythdb:
  # MariaDB backing MythTV (mythconverg); shares the secrets/mythtv env_file
  # with the myth and mythweb services.
  container_name: mythdb
  image: mariadb:latest
  restart: always
  environment:
    MYSQL_DATABASE: 'mythconverg'
    MYSQL_USER: 'mythtv'
    # NOTE(review): a well-known default password committed in clear, while
    # 3306 is published on every host interface below. Per the header note it
    # belongs in the secrets/mythtv env_file; check whether that file already
    # sets it (values here override env_file) before removing this line.
    MYSQL_PASSWORD: 'mythtv'
    MYSQL_UID: '133'
    MYSQL_GID: '140'
  env_file:
    - /srv/docker/config/secrets/mythtv
  ports:
    - '0.0.0.0:3306:3306'
  volumes:
    - /srv/docker/container/mythtv/db/sql:/docker-entrypoint-initdb.d
    - /srv/docker/container/mythtv/db/data:/var/lib/mysql
    - /srv/docker/container/mythtv/db/log:/var/log/mysql
    - /srv/docker/container/mythtv/db/mythtv.cnf:/etc/mysql/mariadb.conf.d/mythtv.cnf
    - /etc/localtime:/etc/localtime:ro
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
    - 'last.commit.url=https://api.github.com/repos/MariaDB/mariadb-docker/commits'
mythweb:
  # MythWeb (Apache) built on top of a plain ubuntu image by the wrapper
  # entrypoint. Reached directly on host port 16543 — no traefik labels.
  container_name: mythweb
  image: ubuntu:latest
  hostname: mythweb
  restart: always
  entrypoint: /root/mara-init/entrypoint-wrapper.sh
  environment:
    APACHE_LOG_DIR: '/var/log/apache2'
    DBNAME: 'mythconverg'
    DBSERVER: 'mythdb'
    LANG: 'en_US.UTF-8'
    LANGUAGE: 'en_US.UTF-8'
    TZ: 'Australia/Melbourne'
  env_file:
    - /srv/docker/config/secrets/mythtv
  ports:
    - '0.0.0.0:16543:80'
  volumes:
    - /srv/docker/container/mythtv/apache2:/var/log/apache2
    - /srv/docker/container/mythtv/data:/var/mythdata
    - /srv/docker/container/mythtv/home:/home/mythtv
    - /srv/docker/container/mythtv/ssh-config:/etc/ssh
    - /srv/docker/container/mythtv/var/log:/var/log/mythtv
    - /srv/docker/container/mythtv/mythweb/mara-init:/root/mara-init
    - /srv/docker/container/mythtv/mythweb/mara-bin:/root/mara-bin
    - /srv/docker/container/mythtv/monitoring-results:/monitoring-results
    # localtime mount deliberately left off here (TZ env is used instead)
    # - /etc/localtime:/etc/localtime:ro
    - /export/myth:/export/myth
  depends_on:
    - mythdb
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
# Hacked entrypoint that 'adds' what mara needs on top of the base image.
myth:
  # MythTV backend on a plain ubuntu image, set up by the wrapper entrypoint.
  # Hostname is overridable via HOSTNAME_MYTHTV (default mythtv).
  container_name: myth
  image: ubuntu:latest
  hostname: ${HOSTNAME_MYTHTV:-mythtv}
  restart: always
  # sys_nice: renice/ionice just the mythbackend process inside the container
  # (it also runs cron, shepherd and various binaries out of /usr/local/bin).
  # NOTE(review): sys_admin is a very broad capability — confirm what needs it.
  cap_add:
    - sys_nice
    - sys_admin
  entrypoint: /root/mara-init/entrypoint-wrapper.sh
  environment:
    APACHE_LOG_DIR: '/var/log/apache2'
    DBNAME: 'mythconverg'
    DBSERVER: 'mythdb'
    LANG: 'en_US.UTF-8'
    LANGUAGE: 'en_US.UTF-8'
    TZ: 'Australia/Melbourne'
  env_file:
    - /srv/docker/config/secrets/mythtv
  ports:
    - '0.0.0.0:6543:6543'
    - '0.0.0.0:6544:6544'
    - '0.0.0.0:6549:6549'
    - '0.0.0.0:6760:6760'
  devices:
    - /dev/dvb:/dev/dvb
  volumes:
    - /srv/docker/container/mythtv/apache2:/var/log/apache2
    - /srv/docker/container/mythtv/data:/var/mythdata
    - /srv/docker/container/mythtv/home:/home/mythtv
    - /srv/docker/container/mythtv/ssh-config:/etc/ssh
    - /srv/docker/container/mythtv/var/log:/var/log/mythtv
    - /srv/docker/container/mythtv/mara-init:/root/mara-init
    - /srv/docker/container/mythtv/mara-bin:/root/mara-bin
    - /srv/docker/container/mythtv/db/sql:/db-container/sql
    - /srv/docker/container/mythtv/db/backups:/db-container/backups
    - /srv/docker/container/mythtv/monitoring-results:/monitoring-results
    # localtime mount deliberately left off here (TZ env is used instead)
    # - /etc/localtime:/etc/localtime:ro
    - /export/myth:/export/myth
    - /export/docker/storage/other-videos:/export/myth/videos
  depends_on:
    - mythdb
  labels:
    - 'com.centurylinklabs.watchtower.enable=true'
wiki:
image: lscr.io/linuxserver/bookstack:latest
container_name: wiki
environment:
- PUID=1000
- PGID=1000
- APP_URL=https://wiki.depaoli.id.au
- DB_HOST=wikidb
- DB_PORT=3306
env_file:
- /srv/docker/config/secrets/wiki
volumes:
- /srv/docker/container/wiki:/config
- /etc/localtime:/etc/localtime:ro
restart: unless-stopped
depends_on:
- wikidb
labels:
- "com.centurylinklabs.watchtower.enable=true"
- "traefik.enable=true"
- "traefik.http.routers.wiki.rule=Host(`wiki.depaoli.id.au`)"
- "traefik.http.routers.wiki.tls=true"
- "traefik.http.routers.wiki.entrypoints=secureweb"
- "traefik.http.routers.wiki.tls.certresolver=myresolver"
- "last.commit.url=https://api.github.com/repos/linuxserver/docker-bookstack/commits"
wikidb:
image: lscr.io/linuxserver/mariadb:latest
container_name: wikidb
environment:
- PUID=1000
- PGID=1000
- TZ=Australia/Melbourne
env_file:
- /srv/docker/config/secrets/wiki
volumes:
- /srv/docker/container/wikidb/config:/config
- /srv/docker/container/wikidb/data:/var/lib/mysql
- /etc/localtime:/etc/localtime:ro
restart: unless-stopped
labels:
- "com.centurylinklabs.watchtower.enable=true"
- "last.commit.url=https://api.github.com/repos/linuxserver/docker-mariadb/commits"
# shitster:
# image: node:19-bullseye
# container_name: shitster
# working_dir: /app
# volumes:
# - /srv/docker/container/shitster:/app
# labels:
# - "com.centurylinklabs.watchtower.enable=false"
web:
image: php:apache
container_name: web
volumes:
- /srv/docker/container/web/data:/var/www/html
- /srv/docker/container/web/mara-init:/root/mara-init
- /etc/localtime:/etc/localtime:ro
restart: unless-stopped
entrypoint: "/root/mara-init/entrypoint-wrapper.sh"
labels:
- "com.centurylinklabs.watchtower.enable=true"
- "traefik.enable=true"
- "traefik.http.routers.web.rule=Host(`myth.ddp.net`)"
- "traefik.http.routers.web.entrypoints=web"
- "last.commit.url=https://api.github.com/repos/docker-library/php/commits"
# this container exists solely to have traefik manage the depaoli.id.au SSL
# cert - the web server has no web content to serve
depweb:
image: php:apache
container_name: depweb
volumes:
- /srv/docker/container/depweb/data:/var/www/html
- /etc/localtime:/etc/localtime:ro
restart: unless-stopped
labels:
- "com.centurylinklabs.watchtower.enable=true"
- "traefik.enable=true"
- "traefik.http.routers.depweb.rule=Host(`depaoli.id.au`)"
- "traefik.http.routers.depweb.tls=true"
- "traefik.http.routers.depweb.entrypoints=secureweb"
- "traefik.http.routers.depweb.tls.certresolver=myresolver"
- "last.commit.url=https://api.github.com/repos/docker-library/php/commits"
samba:
image: ubuntu:latest
container_name: samba
entrypoint: /root/mara-init/entrypoint.sh
restart: always
# forcing hostname so the samba sid is reliable
hostname: sambacontainer
ports:
- "0.0.0.0:139:139"
- "0.0.0.0:445:445"
volumes:
- /export:/export
- /srv/docker/container/samba/monitoring-results:/monitoring-results
- /srv/docker/container/samba/mara-init:/root/mara-init
- /srv/docker/container/samba/mara-bin:/root/mara-bin
depends_on:
- adguard
- openldap
labels:
- "com.centurylinklabs.watchtower.enable=true"
- "traefik.enable=false"
ftp:
image: ubuntu:latest
container_name: ftp
entrypoint: /root/mara-init/entrypoint.sh
restart: always
ports:
# active ports
- "0.0.0.0:20:20"
- "0.0.0.0:21:21"
# passive ports
- "0.0.0.0:10090:10090"
- "0.0.0.0:10091:10091"
- "0.0.0.0:10092:10092"
volumes:
- /home:/home
- /srv/docker/container/ftp/monitoring-results:/monitoring-results
- /srv/docker/container/ftp/mara-init:/root/mara-init
- /srv/docker/container/ftp/mara-bin:/root/mara-bin
depends_on:
- adguard
- openldap
labels:
- "com.centurylinklabs.watchtower.enable=true"
- "traefik.enable=false"
ftps:
build: /srv/docker/container/ftps
container_name: ftps
restart: always
#restart: unless-stopped
#network_mode: host
ports:
# active ports
- "40021:21"
# passive ports
- "30000-30010:30000-30010"
volumes:
- /home:/home
- /srv/docker/container/ftps/certs:/etc/vsftpd/certs
- /srv/docker/container/ftps/ftp_data:/var/ftp
- /srv/docker/container/ftps/nslcd.conf.template:/etc/nslcd.conf.template
- /srv/docker/container/ftps/vsftpd.conf:/etc/vsftpd.conf
- /srv/docker/container/ftps/pam.d/vsftpd:/etc/pam.d/vsftpd
env_file:
- /srv/docker/container/ftps/.env
depends_on:
- adguard
labels:
- "com.centurylinklabs.watchtower.enable=false"
cdpdev:
image: node:latest
container_name: cdpdev
volumes:
- /home/cam/code/quizzington-city:/app
entrypoint: /app/init.sh
environment:
- CLIENT_URL=https://cdp.dev.depaoli.id.au
- SERVER_PORT=3001
labels:
- "traefik.enable=true"
- "traefik.http.routers.cdpdev.rule=Host(`cdp.dev.depaoli.id.au`)"
- "traefik.http.routers.cdpdev.tls=true"
- "traefik.http.routers.cdpdev.entrypoints=secureweb"
- "traefik.http.routers.cdpdev.tls.certresolver=myresolver"
- "traefik.http.services.cdpdev.loadbalancer.server.port=5173"
  # Homarr dashboard, reachable on the internal homarr/mara names over plain HTTP.
  homarr:
    container_name: homarr
    image: ghcr.io/homarr-labs/homarr:latest
    restart: unless-stopped
    volumes:
      # NOTE(review): mounting the daemon socket gives this container full
      # control of the host docker daemon (equivalent to root on the host).
      # Adding :ro only affects the filesystem node, not the API; if only
      # read access is wanted, a socket proxy that filters API calls is the
      # usual mitigation.
      - /var/run/docker.sock:/var/run/docker.sock # Optional, only if you want docker integration
      - /srv/docker/container/homarr/appdata:/appdata
    env_file:
      - /srv/docker/config/secrets/homarr
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      # two internal hostnames share one router; served on the `web` entrypoint
      # with no tls labels
      - "traefik.http.routers.homarr.rule=Host(`homarr.ddp.net`) || Host(`mara.ddp.net`)"
      - "traefik.http.routers.homarr.entrypoints=web"
      - "traefik.http.services.homarr.loadbalancer.server.port=7575"
      - "last.commit.url=https://api.github.com/repos/homarr-labs/homarr/commits"