Created
October 31, 2022 19:30
-
-
Save benaneesh/6321b590f54c3a8e2fe536f67511a4da to your computer and use it in GitHub Desktop.
Media Server Docker Compose
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
version: "3.9" | |
######### IMPORTANT ############# | |
# docker-compose-t2.yml is my main docker compose that runs on the same Proxmox host. | |
# You will find only a few apps in this web stack that hosts a few wordpress and non-wordpress sites. | |
# You can copy-paste services from one docker-compose file in this repo to another to add other apps. | |
########################### SYSTEM DESCRIPTION | |
# DOCKER-COMPOSE FOR WORDPRESS / WEB SERVER | |
# Digital Ocean: 1 vCPU, 2 GB RAM, and 50 GB NVME | |
# Use this Referral Link and get $100 Credit: https://m.do.co/c/5ae8e2c8f34b | |
# Docker: 20.10.17 | |
# Docker Compose: 2.6.0 (v2 https://docs.docker.com/compose/#compose-v2-and-the-new-docker-compose-command) | |
########################### NETWORKS | |
# There is no need to create any networks outside this docker-compose file. | |
# You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please. | |
# Docker Compose version 3.5 or higher required to define networks this way. | |
networks: | |
t2_proxy: | |
name: t2_proxy | |
driver: bridge | |
ipam: | |
config: | |
- subnet: 192.168.90.0/24 | |
default: | |
driver: bridge | |
socket_proxy: | |
name: socket_proxy | |
driver: bridge | |
ipam: | |
config: | |
- subnet: 192.168.91.0/24 | |
########################### SECRETS | |
secrets: | |
htpasswd: | |
file: $DOCKERDIR/secrets/htpasswd | |
cf_email: | |
file: $DOCKERDIR/secrets/cf_email | |
cf_api_key: | |
file: $DOCKERDIR/secrets/cf_api_key | |
cf_token: | |
file: $DOCKERDIR/secrets/cf_token | |
traefik_forward_auth: | |
file: $DOCKERDIR/secrets/traefik_forward_auth | |
mysql_root_password: | |
file: $SECRETSDIR/mysql_root_password | |
authelia_jwt_secret: | |
file: $SECRETSDIR/authelia_jwt_secret | |
authelia_session_secret: | |
file: $SECRETSDIR/authelia_session_secret | |
authelia_storage_mysql_password: | |
file: $SECRETSDIR/authelia_storage_mysql_password | |
authelia_notifier_smtp_password: | |
file: $SECRETSDIR/authelia_notifier_smtp_password | |
authelia_duo_api_secret_key: | |
file: $SECRETSDIR/authelia_duo_api_secret_key | |
########################### EXTENSION FIELDS | |
# Helps eliminate repetition of sections | |
# More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228 | |
# Common environment values | |
x-environment: &default-tz-puid-pgid | |
TZ: $TZ | |
PUID: $PUID | |
PGID: $PGID | |
# Keys common to some of the services in basic-services.txt | |
x-common-keys-core: &common-keys-core | |
networks: | |
- t2_proxy | |
security_opt: | |
- no-new-privileges:true | |
restart: always | |
# profiles: | |
# - core | |
# Keys common to some of the services in basic-services.txt | |
x-common-keys-core: &common-keys-monitoring | |
networks: | |
- t2_proxy | |
security_opt: | |
- no-new-privileges:true | |
restart: always | |
# profiles: | |
# - monitoring | |
# Keys common to some of the dependent services/apps | |
x-common-keys-apps: &common-keys-apps | |
networks: | |
- t2_proxy | |
security_opt: | |
- no-new-privileges:true | |
restart: unless-stopped | |
# profiles: | |
# - apps | |
########################### SERVICES | |
services: | |
############################# FRONTENDS | |
# Traefik 2 - Reverse Proxy | |
# Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600. | |
# touch $DOCKERDIR/appdata/traefik2/acme/acme.json | |
# chmod 600 $DOCKERDIR/appdata/traefik2/acme/acme.json | |
# touch $DOCKERDIR/logs/web/traefik/traefik.log | |
# touch $DOCKERDIR/logs/web/traefik/access.log | |
traefik: | |
<<: *common-keys-core # See EXTENSION FIELDS at the top | |
container_name: traefik | |
image: traefik:2.8 | |
command: # CLI arguments | |
- --global.checkNewVersion=true | |
- --global.sendAnonymousUsage=true | |
- --entryPoints.http.address=:80 | |
- --entryPoints.https.address=:443 | |
# Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/ | |
- --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS | |
- --entryPoints.traefik.address=:8080 | |
# - --entryPoints.ping.address=:8081 | |
- --api=true | |
# - --api.insecure=true | |
- --api.dashboard=true | |
#- --ping=true | |
# - --serversTransport.insecureSkipVerify=true | |
- --log=true | |
- --log.filePath=/logs/traefik.log | |
- --log.level=INFO # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC | |
- --accessLog=true | |
- --accessLog.filePath=/logs/access.log | |
- --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines | |
- --accessLog.filters.statusCodes=204-299,400-499,500-599 | |
- --providers.docker=true | |
# - --providers.docker.endpoint=unix:///var/run/docker.sock # Use Docker Socket Proxy instead for improved security | |
- --providers.docker.endpoint=tcp://socket-proxy:2375 | |
# Automatically set Host rule for services | |
# - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME_SHB`) | |
- --providers.docker.exposedByDefault=false | |
# - --entrypoints.https.http.middlewares=chain-oauth@file | |
- --entrypoints.https.http.tls.options=tls-opts@file | |
# Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services | |
- --entrypoints.https.http.tls.certresolver=dns-cloudflare | |
- --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME_SHB | |
- --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME_SHB | |
# - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME_KHUB # Pulls main cert for second domain | |
# - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME_KHUB # Pulls wildcard cert for second domain | |
- --providers.docker.network=t2_proxy | |
- --providers.docker.swarmMode=false | |
- --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory | |
# - --providers.file.filename=/path/to/file # Load dynamic configuration from a file | |
- --providers.file.watch=true # Only works on top level files in the rules folder | |
# - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing | |
- --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL | |
- --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json | |
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare | |
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53 | |
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate | |
# - --metrics.prometheus=true | |
# - --metrics.prometheus.buckets=0.1,0.3,1.2,5.0 | |
networks: | |
t2_proxy: | |
ipv4_address: 192.168.90.254 # You can specify a static IP | |
socket_proxy: | |
#healthcheck: | |
# test: ["CMD", "traefik", "healthcheck", "--ping"] | |
# interval: 5s | |
# retries: 3 | |
ports: | |
- target: 80 | |
published: 80 | |
protocol: tcp | |
mode: host | |
- target: 443 | |
published: 443 | |
protocol: tcp | |
mode: host | |
# - target: 8080 # insecure api wont work | |
# published: 8080 | |
# protocol: tcp | |
# mode: host | |
volumes: | |
- $DOCKERDIR/appdata/traefik2/rules/web:/rules # file provider directory | |
# - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy instead for improved security | |
- $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600 | |
- $DOCKERDIR/logs/web/traefik:/logs # for fail2ban or crowdsec | |
environment: | |
- TZ=$TZ | |
- CF_API_EMAIL_FILE=/run/secrets/cf_email | |
- CF_API_KEY_FILE=/run/secrets/cf_api_key | |
- HTPASSWD_FILE=/run/secrets/htpasswd # HTPASSWD_FILE can be whatever as it is not used/called anywhere. | |
- DOMAINNAME_SHB # Passing the domain name to traefik container to be able to use the variable in rules. | |
secrets: | |
- cf_email | |
- cf_api_key | |
- htpasswd | |
labels: | |
#- "autoheal=true" | |
- "traefik.enable=true" | |
# HTTP-to-HTTPS Redirect | |
- "traefik.http.routers.http-catchall.entrypoints=http" | |
- "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)" | |
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https" | |
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https" | |
# HTTP Routers | |
- "traefik.http.routers.traefik-rtr.entrypoints=https" | |
- "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME_SHB`)" | |
## Services - API | |
- "traefik.http.routers.traefik-rtr.service=api@internal" | |
## Healthcheck/ping | |
#- "traefik.http.routers.ping.rule=Host(`traefik.$DOMAINNAME_SHB`) && Path(`/ping`)" | |
#- "traefik.http.routers.ping.tls=true" | |
#- "traefik.http.routers.ping.service=ping@internal" | |
## Middlewares | |
- "traefik.http.routers.traefik-rtr.middlewares=chain-oauth@file" | |
# Docker Socket Proxy - Security Enchanced Proxy for Docker Socket | |
socket-proxy: | |
<<: *common-keys-core # See EXTENSION FIELDS at the top | |
container_name: socket-proxy | |
image: tecnativa/docker-socket-proxy | |
networks: | |
socket_proxy: | |
ipv4_address: 192.168.91.254 # You can specify a static IP | |
# privileged: true # true for VM. False for unprivileged LXC container. | |
#ports: | |
# - "127.0.0.1:2375:2375" # Port 2375 should only ever get exposed to the internal network. When possible use this line. | |
# I use the next line instead, as I want portainer to manage multiple docker endpoints within my home network. | |
# - "2375:2375" | |
volumes: | |
- "/var/run/docker.sock:/var/run/docker.sock" | |
environment: | |
- LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg | |
## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.). | |
# 0 to revoke access. | |
# 1 to grant access. | |
## Granted by Default | |
- EVENTS=1 | |
- PING=1 | |
- VERSION=1 | |
## Revoked by Default | |
# Security critical | |
- AUTH=0 | |
- SECRETS=0 | |
- POST=1 # Watchtower | |
# Not always needed | |
- BUILD=0 | |
- COMMIT=0 | |
- CONFIGS=0 | |
- CONTAINERS=1 # Traefik, portainer, etc. | |
- DISTRIBUTION=0 | |
- EXEC=0 | |
- IMAGES=1 # Portainer | |
- INFO=1 # Portainer | |
- NETWORKS=1 # Portainer | |
- NODES=0 | |
- PLUGINS=0 | |
- SERVICES=1 # Portainer | |
- SESSION=0 | |
- SWARM=0 | |
- SYSTEM=0 | |
- TASKS=1 # Portainer | |
- VOLUMES=1 # Portainer | |
# Google OAuth - Single Sign On using OAuth 2.0 | |
# https://www.smarthomebeginner.com/google-oauth-with-traefik-docker/ | |
oauth: | |
<<: *common-keys-core # See EXTENSION FIELDS at the top | |
container_name: oauth | |
image: thomseddon/traefik-forward-auth:latest | |
# image: thomseddon/traefik-forward-auth:2.1-arm # Use this image with Raspberry Pi | |
# Allow apps to bypass OAuth. Radarr example below will bypass OAuth if API key is present in the request (eg. from NZB360 mobile app). | |
# While this is one way, the recommended way is to bypass authentication using Traefik labels shown in some of the apps later. | |
# command: --rule.radarr.action=allow --rule.radarr.rule="Headers(`X-Api-Key`, `$RADARR_API_KEY`)" | |
# command: --rule.sabnzbd.action=allow --rule.sabnzbd.rule="HeadersRegexp(`X-Forwarded-Uri`, `$SABNZBD_API_KEY`)" | |
environment: | |
- CONFIG=/config | |
- COOKIE_DOMAIN=$DOMAINNAME_SHB | |
- INSECURE_COOKIE=false | |
- AUTH_HOST=oauth.$DOMAINNAME_SHB | |
- URL_PATH=/_oauth | |
- LOG_LEVEL=warn | |
- LOG_FORMAT=text | |
- LIFETIME=86400 # 1 day | |
- DEFAULT_ACTION=auth | |
- DEFAULT_PROVIDER=google | |
secrets: | |
- source: traefik_forward_auth | |
target: /config | |
labels: | |
- "traefik.enable=true" | |
## HTTP Routers | |
- "traefik.http.routers.oauth-rtr.tls=true" | |
- "traefik.http.routers.oauth-rtr.entrypoints=https" | |
- "traefik.http.routers.oauth-rtr.rule=Host(`oauth.$DOMAINNAME_SHB`)" | |
## Middlewares | |
- "traefik.http.routers.oauth-rtr.middlewares=chain-oauth@file" | |
## HTTP Services | |
- "traefik.http.routers.oauth-rtr.service=oauth-svc" | |
- "traefik.http.services.oauth-svc.loadbalancer.server.port=4181" | |
# Portainer - WebUI for Containers | |
portainer: | |
<<: *common-keys-core # See EXTENSION FIELDS at the top | |
container_name: portainer | |
image: portainer/portainer-ce:latest | |
# command: -H unix:///var/run/docker.sock # # Use Docker Socket Proxy instead for improved security | |
command: -H tcp://socket-proxy:2375 | |
networks: | |
- t2_proxy | |
- socket_proxy | |
volumes: | |
# - /var/run/docker.sock:/var/run/docker.sock:ro # # Use Docker Socket Proxy instead for improved security | |
- $DOCKERDIR/appdata/portainer/data:/data # Change to local directory if you want to save/transfer config locally | |
environment: | |
- TZ=$TZ | |
labels: | |
- "traefik.enable=true" | |
## HTTP Routers | |
- "traefik.http.routers.portainer-rtr.entrypoints=https" | |
- "traefik.http.routers.portainer-rtr.rule=Host(`portainer.$DOMAINNAME_SHB`)" | |
## Middlewares | |
- "traefik.http.routers.portainer-rtr.middlewares=chain-oauth@file" | |
## HTTP Services | |
- "traefik.http.routers.portainer-rtr.service=portainer-svc" | |
- "traefik.http.services.portainer-svc.loadbalancer.server.port=9000" | |
# Autoindex - Simple Directory Index | |
autoindex: | |
<<: *common-keys-apps # See EXTENSION FIELDS at the top | |
container_name: autoindex | |
image: dceoy/nginx-autoindex:latest | |
# ports: | |
# - "$AUTOINDEX_PORT:80" | |
volumes: | |
- $USERDIR:/var/lib/nginx/html:ro # Location you want to index | |
labels: | |
- "traefik.enable=true" | |
## HTTP Routers | |
- "traefik.http.routers.autoindex-rtr.entrypoints=https" | |
- "traefik.http.routers.autoindex-rtr.rule=Host(`index.$DOMAINNAME_SHB`)" | |
## Middlewares | |
- "traefik.http.routers.autoindex-rtr.middlewares=chain-oauth@file" | |
## HTTP Services | |
- "traefik.http.routers.autoindex-rtr.service=autoindex-svc" | |
- "traefik.http.services.autoindex-svc.loadbalancer.server.port=80" | |
# CrowdSec - Open-source & collaborative security IPS | |
crowdsec: | |
<<: *common-keys-core # See EXTENSION FIELDS at the top | |
image: crowdsecurity/crowdsec | |
container_name: crowdsec | |
ports: | |
- "$CROWDSEC_API_PORT:8080" | |
- "$ZEROTIER_IP_WEBSERVER:$CROWDSEC_PROMETHEUS_EXPORT:6060" # If you don't use ZeroTier remove use just $CROWDSEC_PROMETHEUS_EXPORT:6060 | |
environment: | |
COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/whitelist-good-actors crowdsecurity/iptables crowdsecurity/linux crowdsecurity/nginx crowdsecurity/sshd" | |
GID: "${GID-1000}" | |
CUSTOM_HOSTNAME: dSHB | |
volumes: | |
- $DOCKERDIR/logs/web:/logs/web:ro | |
- /var/log:/var/log:ro | |
- $DOCKERDIR/appdata/crowdsec/data:/var/lib/crowdsec/data | |
- $DOCKERDIR/appdata/crowdsec/config:/etc/crowdsec | |
# CrowdSec Bouncer - Traefik | |
traefik-bouncer: | |
<<: *common-keys-core # See EXTENSION FIELDS at the top | |
image: fbonalair/traefik-crowdsec-bouncer | |
container_name: traefik-bouncer | |
#ports: | |
# - "$TRAEFIK_BOUNCER_PORT:8080" | |
environment: | |
GIN_MODE: release # default is debug (more logs) | |
CROWDSEC_BOUNCER_API_KEY: $CROWDSEC_BOUNCER_TRAEFIK_API_KEY # sudo docker exec crowdsec cscli bouncers add traefik-bouncer | |
CROWDSEC_AGENT_HOST: crowdsec:8080 # CrowdSec host and port | |
CROWDSEC_BOUNCER_LOG_LEVEL: 1 # 1 INFO 2 WARN https://pkg.go.dev/github.com/rs/zerolog#readme-leveled-logging | |
# CrowdSec Bouncer - Cloudflare | |
# sudo docker exec crowdsec cscli bouncer add cloudflare-bouncer | |
# Set max ip number right the first time (max 10000). Recreating container deletes all ips and readds them causing cloudflare 429 rate limiting. | |
cloudflare-bouncer: | |
<<: *common-keys-core # See EXTENSION FIELDS at the top | |
image: crowdsecurity/cloudflare-bouncer | |
container_name: cloudflare-bouncer | |
#ports: | |
# - "$CLOUDFLARE_BOUNCER_PORT:2112" | |
volumes: | |
- $DOCKERDIR/appdata/cloudflare-bouncer/cfg.yaml:/etc/crowdsec/bouncers/crowdsec-cloudflare-bouncer.yaml | |
- $DOCKERDIR/appdata/cloudflare-bouncer/cf-bouncer:/cf-bouncer | |
############################# DATABASE | |
# MariaDB - MySQL Database | |
# After starting container for first time dexec and mysqladmin -u root password <password> | |
mariadb: | |
<<: *common-keys-core # See EXTENSION FIELDS at the top | |
container_name: mariadb | |
image: lscr.io/linuxserver/mariadb | |
#ports: | |
# - "$MARIADB_PORT:3306" | |
volumes: | |
- $DOCKERDIR/appdata/mariadb/data:/config | |
environment: | |
<<: *default-tz-puid-pgid | |
FILE__MYSQL_ROOT_PASSWORD: /run/secrets/mysql_root_password # Note FILE__ (double underscore) - Issue #127 | |
secrets: | |
- mysql_root_password | |
# Redis - Key-value Store | |
redis: | |
<<: *common-keys-core # See EXTENSION FIELDS at the top | |
container_name: redis | |
image: redis:latest | |
entrypoint: redis-server --appendonly yes --requirepass $REDIS_PASSWORD --maxmemory 512mb --maxmemory-policy allkeys-lru | |
#ports: | |
# - "$REDIS_PORT:6379" | |
volumes: | |
- $DOCKERDIR/appdata/redis/data:/data | |
- /etc/timezone:/etc/timezone:ro | |
- /etc/localtime:/etc/localtime:ro | |
# phpMyAdmin - Database management | |
# Create a new user with admin privileges. Cannot login as MySQL root for some reason. | |
phpmyadmin: | |
<<: *common-keys-apps # See EXTENSION FIELDS at the top | |
image: phpmyadmin/phpmyadmin:latest | |
container_name: phpmyadmin | |
environment: | |
- PMA_HOST=$MARIADB_HOST | |
- PMA_PORT=$MARIADB_PORT | |
#- PMA_ARBITRARY=1 | |
- MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password | |
secrets: | |
- mysql_root_password | |
labels: | |
- "traefik.enable=true" | |
## HTTP Routers | |
- "traefik.http.routers.phpmyadmin-rtr.entrypoints=https" | |
- "traefik.http.routers.phpmyadmin-rtr.rule=Host(`pma.$DOMAINNAME_SHB`)" | |
## Middlewares | |
- "traefik.http.routers.phpmyadmin-rtr.middlewares=chain-oauth@file" | |
## HTTP Services | |
- "traefik.http.routers.phpmyadmin-rtr.service=phpmyadmin-svc" | |
- "traefik.http.services.phpmyadmin-svc.loadbalancer.server.port=80" | |
########################### WEB | |
# Nginx - Web Server | |
nginx: | |
<<: *common-keys-core # See EXTENSION FIELDS at the top | |
container_name: nginx | |
image: nginx:1.20 # 1.18 # Updated 8/9/2021 | |
depends_on: | |
- php7 | |
- redis | |
volumes: | |
- /etc/localtime:/etc/localtime:ro | |
- /etc/timezone:/etc/timezone:ro | |
- $DOCKERDIR/logs/web/nginx:/var/log/nginx | |
- $DOCKERDIR/appdata/nginx:/etc/nginx | |
- $DOCKERDIR/appdata/sites/shb/html:/var/www/html/shb | |
#- $DOCKERDIR/appdata/sites/shb/beta:/var/www/html/beta | |
- $DOCKERDIR/appdata/sites/khub/html:/var/www/html/khub | |
- $DOCKERDIR/appdata/sites/dash/html:/var/www/html/dash | |
secrets: | |
- htpasswd | |
labels: | |
- "traefik.enable=true" | |
## HTTP Routers SHB (WordPress) Auth | |
- "traefik.http.routers.nginx-shb-auth-rtr.entrypoints=https" | |
- "traefik.http.routers.nginx-shb-auth-rtr.rule=Host(`www.$DOMAINNAME_SHB`) && Path(`/wp-login.php`)" | |
- "traefik.http.routers.nginx-shb-auth-rtr.priority=100" | |
## HTTP Routers SHB (WordPress) Bypass | |
- "traefik.http.routers.nginx-shb-rtr.entrypoints=https" | |
- "traefik.http.routers.nginx-shb-rtr.rule=Host(`$DOMAINNAME_SHB`) || Host(`www.$DOMAINNAME_SHB`)" | |
- "traefik.http.routers.nginx-shb-rtr.priority=99" | |
## HTTP Routers SHB Beta (WordPress) | |
#- "traefik.http.routers.nginx-shb-beta-rtr.entrypoints=https" | |
#- "traefik.http.routers.nginx-shb-beta-rtr.rule=Host(`beta.$DOMAINNAME_SHB`)" | |
## HTTP Routers DASH (non-WordPress) | |
- "traefik.http.routers.nginx-dash-rtr.entrypoints=https" | |
- "traefik.http.routers.nginx-dash-rtr.rule=Host(`dash.$DOMAINNAME_SHB`)" | |
## HTTP Routers KHUB (non-WordPress) | |
- "traefik.http.routers.nginx-khub-rtr.entrypoints=https" | |
- "traefik.http.routers.nginx-khub-rtr.rule=Host(`$DOMAINNAME_KHUB`) || Host(`www.$DOMAINNAME_KHUB`)" | |
# Redirect shb non-www to www middleware | |
- "traefik.http.middlewares.shb-redirect.redirectregex.regex=^https?://$DOMAINNAME_SHB/(.*)" | |
- "traefik.http.middlewares.shb-redirect.redirectregex.replacement=https://www.$DOMAINNAME_SHB/$${1}" | |
- "traefik.http.middlewares.shb-redirect.redirectregex.permanent=true" | |
# Redirect khub non-www to www middleware | |
- "traefik.http.middlewares.khub-redirect.redirectregex.regex=^https?://$DOMAINNAME_KHUB/(.*)" | |
- "traefik.http.middlewares.khub-redirect.redirectregex.replacement=https://www.$DOMAINNAME_KHUB/$${1}" | |
- "traefik.http.middlewares.khub-redirect.redirectregex.permanent=true" | |
## Middlewares | |
- "traefik.http.routers.nginx-khub-rtr.middlewares=khub-redirect,chain-no-auth@file" | |
- "traefik.http.routers.nginx-shb-rtr.middlewares=shb-redirect,chain-no-auth-wp@file" | |
#- "traefik.http.routers.nginx-shb-auth-rtr.middlewares=shb-redirect,chain-oauth-wp@file" | |
- "traefik.http.routers.nginx-shb-auth-rtr.middlewares=shb-redirect,chain-no-auth-wp@file" | |
- "traefik.http.routers.nginx-dash-rtr.middlewares=chain-oauth@file" | |
#- "traefik.http.routers.nginx-shb-beta-rtr.middlewares=chain-oauth@file" | |
## HTTP Services | |
- "traefik.http.routers.nginx-shb-rtr.service=nginx-svc" | |
- "traefik.http.routers.nginx-shb-auth-rtr.service=nginx-svc" | |
- "traefik.http.routers.nginx-khub-rtr.service=nginx-svc" | |
- "traefik.http.routers.nginx-dash-rtr.service=nginx-svc" | |
#- "traefik.http.routers.nginx-shb-beta-rtr.service=nginx-svc" | |
- "traefik.http.services.nginx-svc.loadbalancer.server.port=80" | |
# PHP - Hypertext Preprocessor | |
php7: | |
<<: *common-keys-core # See EXTENSION FIELDS at the top | |
container_name: php7 | |
image: php:7.4-fpm-custom | |
build: | |
context: $DOCKERDIR/custom/ | |
dockerfile: Dockerfile-php7 | |
user: $PUID:$PGID # allows upgrading WP and plugins | |
volumes: | |
- $DOCKERDIR/appdata/sites/shb/html:/var/www/html/shb | |
#- $DOCKERDIR/appdata/sites/shb/beta:/var/www/html/beta | |
- $DOCKERDIR/appdata/php/php7:/usr/local/etc/php | |
- $DOCKERDIR/appdata/sites/khub/html:/var/www/html/khub | |
- $DOCKERDIR/appdata/sites/dash/html:/var/www/html/dash | |
########################### UTILITIES | |
# VSCode - VSCode Editing | |
vscode: | |
<<: *common-keys-core # See EXTENSION FIELDS at the top | |
image: lscr.io/linuxserver/code-server:latest | |
container_name: vscode | |
volumes: | |
- $DOCKERDIR:/data/docker | |
- $USERDIR/server:/data/server | |
- $DATADIR:/data/data | |
- $DOCKERDIR/appdata/vscode:/config | |
environment: | |
<<: *default-tz-puid-pgid | |
# DOCKER_HOST: tcp://socket-proxy:2375 | |
# PASSWORD: $VSCODE_PASSWORD | |
# HASHED_PASSWORD: #optional | |
# SUDO_PASSWORD: password #optional | |
# SUDO_PASSWORD_HASH: #optional | |
# PROXY_DOMAIN: code-server.my.domain #optional | |
DEFAULT_WORKSPACE: /config/data/User/Workspaces/AZ.code-workspace #optional | |
labels: | |
- "traefik.enable=true" | |
## HTTP Routers | |
- "traefik.http.routers.vscode-rtr.entrypoints=https" | |
- "traefik.http.routers.vscode-rtr.rule=Host(`code.$DOMAINNAME_SHB`)" | |
## Middlewares | |
- "traefik.http.routers.vscode-rtr.middlewares=chain-oauth@file" | |
## HTTP Services | |
- "traefik.http.routers.vscode-rtr.service=vscode-svc" | |
- "traefik.http.services.vscode-svc.loadbalancer.server.port=8443" | |
wg-easy: | |
image: weejewel/wg-easy | |
container_name: wg-easy | |
restart: unless-stopped | |
networks: | |
- default | |
- t2_proxy | |
cap_add: | |
- NET_ADMIN | |
- SYS_MODULE | |
sysctls: | |
- net.ipv4.ip_forward=1 | |
- net.ipv4.conf.all.src_valid_mark=1 | |
ports: | |
- "51820:51820/udp" | |
- "51821:51821/tcp" | |
volumes: | |
- $DOCKERDIR/appdata/wireguard:/etc/wireguard | |
environment: | |
# ⚠️ Required: | |
# Change this to your host's public address | |
- WG_HOST=$SERVER_IP | |
- PASSWORD=$WGEASY_PASSWORD | |
# Optional: | |
# - PASSWORD=foobar123 | |
# - WG_PORT=51820 | |
# - WG_DEFAULT_ADDRESS=10.8.0.x | |
# - WG_DEFAULT_DNS=1.1.1.1 | |
# - WG_MTU=1420 | |
# - WG_ALLOWED_IPS=192.168.15.0/24, 10.0.1.0/24 | |
# - WG_PRE_UP=echo "Pre Up" > /etc/wireguard/pre-up.txt | |
# - WG_POST_UP=echo "Post Up" > /etc/wireguard/post-up.txt | |
# - WG_PRE_DOWN=echo "Pre Down" > /etc/wireguard/pre-down.txt | |
# - WG_POST_DOWN=echo "Post Down" > /etc/wireguard/post-down.txt | |
############################# MAINTENANCE | |
# Docker-GC - Automatic Docker Garbage Collection | |
# Create docker-gc-exclude file | |
dockergc: | |
<<: *common-keys-apps # See EXTENSION FIELDS at the top | |
image: clockworksoul/docker-gc-cron:latest | |
container_name: docker-gc | |
networks: | |
- socket_proxy | |
volumes: | |
# - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy instead for improved security | |
- $DOCKERDIR/appdata/docker-gc/docker-gc-exclude:/etc/docker-gc-exclude | |
environment: | |
CRON: 12 0 0 * * ? # Everyday at midnight. | |
FORCE_IMAGE_REMOVAL: 1 | |
FORCE_CONTAINER_REMOVAL: 0 | |
GRACE_PERIOD_SECONDS: 604800 | |
DRY_RUN: 0 | |
CLEAN_UP_VOLUMES: 1 | |
TZ: $TZ | |
DOCKER_HOST: tcp://socket-proxy:2375 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment