homelab setup
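---
# Homelab stack: Traefik v1 reverse proxy with Cloudflare DNS-01 ACME
# certificates, traefik-forward-auth (OAuth) gating the Traefik dashboard,
# and a Plex media server. Every ${VAR} is expected from a .env file next to
# this compose file; that file carries API keys, OAuth secrets and the Plex
# claim token, so it must not be committed.
version: "3.7"

networks:
  traefik_proxy:
    name: traefik_proxy
    driver: bridge

services:
  traefik:
    # NOTE(review): untagged, so `latest` is pulled on every fresh host. The
    # flags under `command:` are Traefik v1 CLI syntax; pin a v1.x image tag
    # so an image upgrade to v2 cannot silently break the proxy.
    image: traefik
    container_name: traefik
    restart: unless-stopped
    networks:
      - traefik_proxy
    environment:
      - TZ=${TZ}
      # Cloudflare credentials for the DNS-01 challenge. This key can edit any
      # DNS record in the account; prefer a DNS-scoped API token where the
      # Traefik/lego version in use supports it.
      - CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}
      - CLOUDFLARE_API_KEY=${CLOUDFLARE_API_KEY}
    volumes:
      # The :ro flag applies to the socket file only; Traefik still has full
      # Docker API access through it, which is root-equivalent on the host.
      # A docker-socket proxy that permits only the read-only endpoints
      # Traefik needs would narrow this.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Holds acme.json (certificate private keys); keep it mode 0600 on the
      # host. Traefik refuses to start if it is more permissive.
      - ${APPDATA_DIR}/traefik:/etc/traefik:rw
    ports:
      - "80:80"
      - "443:443"
    command:
      - "--logLevel=INFO"
      # API/dashboard listens on 8080 inside the container. It is not
      # published; it is only reachable through the forward-auth protected
      # frontend declared in the labels below.
      - "--api"
      - "--defaultentrypoints=http,https"
      # Only 10.0.0.2 (presumably the upstream router/LB) may supply
      # X-Forwarded-* headers; for any other peer they are overwritten.
      - "--entrypoints=Name:http Address::80 Compress:true ForwardedHeaders.TrustedIPs:10.0.0.2 Redirect.EntryPoint:https"
      # NOTE(review): the *_CBC_SHA256 suites are widely regarded as weak (Go's
      # TLS stack lists them as insecure); drop them unless a legacy client
      # needs them. Also confirm that the spaces after the commas in the
      # cipher list are accepted — the v1 entrypoint definition is split on
      # whitespace, so a space may cut the list short.
      - "--entrypoints=Name:https Address::443 TLS Compress:true ForwardedHeaders.TrustedIPs:10.0.0.2 TLS.SniStrict:true TLS.MinVersion:VersionTLS12 CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"
      - "--acme"
      - "--acme.storage=/etc/traefik/acme.json"
      - "--acme.entryPoint=https"
      # DNS-01 so the wildcard below can be issued without exposing an HTTP
      # challenge path; public resolvers avoid split-horizon DNS confusion.
      - "--acme.dnsChallenge=true"
      - "--acme.dnsChallenge.provider=cloudflare"
      - "--acme.dnsChallenge.delayBeforeCheck=60"
      - "--acme.dnsChallenge.resolvers=1.1.1.1,1.0.0.1"
      - "--acme.onHostRule=true"
      - "--acme.email=${CLOUDFLARE_EMAIL}"
      - "--acme.acmeLogging=true"
      # - "--acme.domains=${ROOT_DOMAIN},*.${ROOT_DOMAIN},"
      - "--acme.domains=*.${ROOT_DOMAIN},"
      - "--acme.KeyType=RSA4096"
      - "--docker"
      - "--docker.domain=${ROOT_DOMAIN}"
      - "--docker.watch"
      # Containers are only routed when they opt in with traefik.enable=true,
      # so a new container is not exposed by accident.
      - "--docker.exposedbydefault=false"
      - "--retry"
    labels:
      # Compose label values must be strings. Unquoted true/8080 parse as
      # bool/int and are rejected or coerced depending on the compose
      # version, so every value that is not already a string is quoted.
      traefik.enable: "true"
      traefik.docker.network: traefik_proxy
      traefik.backend: traefik
      traefik.port: "8080"
      traefik.frontend.rule: Host:traefik.${ROOT_DOMAIN}
      traefik.frontend.headers.SSLRedirect: "true"
      # STS with includeSubdomains + preload commits every host under
      # ${ROOT_DOMAIN}, including ones not served here, to HTTPS-only for
      # ten years; only keep preload if that is intended.
      traefik.frontend.headers.STSSeconds: "315360000"
      traefik.frontend.headers.browserXSSFilter: "true"
      traefik.frontend.headers.contentTypeNosniff: "true"
      traefik.frontend.headers.forceSTSHeader: "true"
      traefik.frontend.headers.SSLHost: traefik.${ROOT_DOMAIN}
      traefik.frontend.headers.SSLForceHost: "true"
      traefik.frontend.headers.STSIncludeSubdomains: "true"
      traefik.frontend.headers.STSPreload: "true"
      traefik.frontend.headers.customResponseHeaders: "X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      traefik.frontend.headers.frameDeny: "true"
      # Basic-auth alternative, kept disabled in favour of forward auth.
      # traefik.frontend.auth.basic.users: ${HTPASSWD}
      # Dashboard is gated by the oauth service. The hop to it is plain HTTP
      # but never leaves the traefik_proxy bridge network.
      traefik.frontend.auth.forward.address: http://oauth:4181
      traefik.frontend.auth.forward.authResponseHeaders: X-Forwarded-User
      # Acceptable only because the entrypoints above restrict X-Forwarded-*
      # to TrustedIPs; otherwise a client could spoof the forwarded headers.
      traefik.frontend.auth.forward.trustForwardHeader: "true"

  # https://github.com/thomseddon/traefik-forward-auth
  oauth:
    # https://hub.docker.com/r/thomseddon/traefik-forward-auth
    image: thomseddon/traefik-forward-auth
    container_name: oauth
    restart: unless-stopped
    networks:
      - traefik_proxy
    environment:
      - CLIENT_ID=${OAUTH_CLIENT_ID}
      - CLIENT_SECRET=${OAUTH_CLIENT_SECRET}
      # Signs the session cookie; must be long and random, and rotating it
      # invalidates every existing session.
      - SECRET=${OAUTH_SECRET}
      # Keeps the Secure flag on the cookie; fine because every frontend
      # redirects to HTTPS.
      - INSECURE_COOKIE=false
      - COOKIE_DOMAIN=${ROOT_DOMAIN}
      - AUTH_HOST=oauth.${ROOT_DOMAIN}
      # Restricts which identities pass. Keep it set: an empty value is
      # presumably treated as allow-any-account — verify against the project
      # docs before relying on it.
      - WHITELIST=${OAUTH_WHITELIST}
      - LOG_LEVEL=warn
      - LOG_FORMAT=text
    labels:
      traefik.enable: "true"
      traefik.backend: oauth
      traefik.frontend.rule: Host:oauth.${ROOT_DOMAIN}
      traefik.port: "4181"
      traefik.docker.network: traefik_proxy
      traefik.frontend.headers.SSLRedirect: "true"
      traefik.frontend.headers.STSSeconds: "315360000"
      traefik.frontend.headers.browserXSSFilter: "true"
      traefik.frontend.headers.contentTypeNosniff: "true"
      traefik.frontend.headers.forceSTSHeader: "true"
      traefik.frontend.headers.SSLHost: oauth.${ROOT_DOMAIN}
      traefik.frontend.headers.SSLForceHost: "true"
      traefik.frontend.headers.STSIncludeSubdomains: "true"
      traefik.frontend.headers.STSPreload: "true"
      traefik.frontend.headers.customResponseHeaders: "X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      traefik.frontend.headers.frameDeny: "true"
      # add this to any containers you want to protect (if possible, sometimes mobile apps dont work)
      # The auth host itself is routed through Traefik with the same forward
      # auth labels so that the OAuth callback lands on this service.
      traefik.frontend.auth.forward.address: http://oauth:4181
      traefik.frontend.auth.forward.authResponseHeaders: X-Forwarded-User
      traefik.frontend.auth.forward.trustForwardHeader: "true"

  # https://github.com/plexinc/pms-docker
  plex:
    # https://hub.docker.com/r/plexinc/pms-docker
    image: plexinc/pms-docker
    container_name: plex
    hostname: ${PLEX_HOSTNAME}
    restart: unless-stopped
    networks:
      - traefik_proxy
    environment:
      - PLEX_UID=${PUID}
      - PLEX_GID=${PGID}
      - TZ=${TZ}
      # Claim token binds the server to a Plex account on first start; it is
      # short-lived but should still be treated as a secret.
      - PLEX_CLAIM=${PLEX_CLAIM_CODE}
      - ADVERTISE_IP=https://plex.${ROOT_DOMAIN}:443
    volumes:
      - ${APPDATA_DIR}/plex:/config
      - ${STORAGE_DIR}/music:/data/Music
      - ${STORAGE_DIR}/movies:/data/Movies
      - ${STORAGE_DIR}/tv:/data/TV
      # - ${STORAGE_DIR}/tmp/transcode:/transcode
      # Host /tmp is shared with the container as transcode scratch space.
      - /tmp:/transcode
    ports:
      # Plex ports - source: https://support.plex.tv/articles/201543147-what-network-ports-do-i-need-to-allow-through-my-firewall/
      # Published ports bypass Traefik and the forward-auth gate entirely:
      # 32400 is protected only by Plex's own account login, the rest are
      # LAN discovery/DLNA and should be firewalled from the internet.
      - "32400:32400" # Plex Media Server
      - "3005:3005" # Plex Companion
      - "8324:8324" # Roku via Plex Companion
      # Was "32469:32649" — the container side was a typo, DLNA listens on 32469.
      - "32469:32469" # Plex DLNA Server
      - "1900:1900/udp" # Plex DLNA Server
      - "32410:32410/udp" # network discovery
      - "32412:32412/udp" # network discovery
      - "32413:32413/udp" # network discovery
      - "32414:32414/udp" # network discovery
    labels:
      traefik.enable: "true"
      traefik.docker.network: traefik_proxy
      traefik.backend: plex
      # traefik.protocol: https # fixes remote access, but lose dashboard access probably because unsigned?
      traefik.port: "32400"
      traefik.frontend.rule: Host:plex.${ROOT_DOMAIN}
      traefik.frontend.headers.SSLRedirect: "true"
      traefik.frontend.headers.STSSeconds: "315360000"
      traefik.frontend.headers.browserXSSFilter: "true"
      traefik.frontend.headers.contentTypeNosniff: "true"
      traefik.frontend.headers.forceSTSHeader: "true"
      traefik.frontend.headers.SSLHost: plex.${ROOT_DOMAIN}
      traefik.frontend.headers.SSLForceHost: "true"
      traefik.frontend.headers.STSIncludeSubdomains: "true"
      traefik.frontend.headers.STSPreload: "true"
      # No forward-auth labels on purpose: Plex clients cannot complete the
      # browser OAuth flow (see the note on the oauth service), so this
      # frontend relies on Plex's own authentication.
      traefik.frontend.headers.frameDeny: "true"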