homelab setup
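---
# Homelab reverse-proxy stack: Traefik 1.x terminates TLS (Let's Encrypt via
# the Cloudflare DNS challenge) and routes to services attached to the
# traefik_proxy network. ${ROOT_DOMAIN}, ${APPDATA_DIR}, ${STORAGE_DIR}, the
# Cloudflare/OAuth secrets and the Plex claim code are read from the .env file
# next to this compose file; keep that file out of version control.
version: "3.7"

networks:
  traefik_proxy:
    name: traefik_proxy
    driver: bridge

services:
  traefik:
    # The command flags below are Traefik 1.x syntax. An unpinned "traefik"
    # image resolves to the newest major, whose configuration format is not
    # compatible with these flags, so the tag is pinned to the 1.7 line.
    image: traefik:1.7
    container_name: traefik
    restart: unless-stopped
    networks:
      - traefik_proxy
    environment:
      - TZ=${TZ}
      # Credentials for the ACME DNS challenge (TXT records in the zone).
      # CLOUDFLARE_API_KEY is the account-wide global key, so a leak of .env
      # exposes the whole Cloudflare account, not only DNS for ${ROOT_DOMAIN}.
      - CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}
      - CLOUDFLARE_API_KEY=${CLOUDFLARE_API_KEY}
    volumes:
      # ":ro" only makes the socket node read-only; the Docker API reached
      # through it still allows full control of every container on the host.
      # A socket proxy that forwards only the read-only endpoints Traefik
      # needs limits the blast radius if this container is compromised.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # acme.json (certificate private keys) is written here; keep the host
      # directory readable by the Traefik user only.
      - ${APPDATA_DIR}/traefik:/etc/traefik:rw
    ports:
      - "80:80"
      - "443:443"
    command:
      - "--logLevel=INFO"
      # Enables the API/dashboard on the internal port 8080. That port is not
      # published; it is reachable only through the frontend defined by the
      # labels below, which sits behind forward auth.
      - "--api"
      - "--defaultentrypoints=http,https"
      # http redirects to https. X-Forwarded-* headers are honoured only when
      # sent from 10.0.0.2 (presumably the upstream router/proxy -- confirm),
      # so other clients cannot spoof the forwarded client address.
      - "--entrypoints=Name:http Address::80 Compress:true ForwardedHeaders.TrustedIPs:10.0.0.2 Redirect.EntryPoint:https"
      # TLS 1.2 minimum with strict SNI. The two *_CBC_SHA256 suites at the
      # end are the weakest of the set; they can be dropped once no client in
      # use needs them.
      - "--entrypoints=Name:https Address::443 TLS Compress:true ForwardedHeaders.TrustedIPs:10.0.0.2 TLS.SniStrict:true TLS.MinVersion:VersionTLS12 CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"
      # Let's Encrypt via DNS-01, which is what allows the wildcard below.
      - "--acme"
      - "--acme.storage=/etc/traefik/acme.json"
      - "--acme.entryPoint=https"
      - "--acme.dnsChallenge=true"
      - "--acme.dnsChallenge.provider=cloudflare"
      - "--acme.dnsChallenge.delayBeforeCheck=60"
      - "--acme.dnsChallenge.resolvers=1.1.1.1,1.0.0.1"
      - "--acme.onHostRule=true"
      - "--acme.email=${CLOUDFLARE_EMAIL}"
      - "--acme.acmeLogging=true"
      # - "--acme.domains=${ROOT_DOMAIN},*.${ROOT_DOMAIN},"
      - "--acme.domains=*.${ROOT_DOMAIN},"
      - "--acme.KeyType=RSA4096"
      # Docker provider: containers are routed only when they opt in with
      # traefik.enable=true, so an unlabelled container is never exposed.
      - "--docker"
      - "--docker.domain=${ROOT_DOMAIN}"
      - "--docker.watch"
      - "--docker.exposedbydefault=false"
      - "--retry"
    labels:
      # Compose validates label values as strings or numbers; a bare true/false
      # is parsed as a YAML boolean and can be rejected by the schema check,
      # so every value here is quoted.
      traefik.enable: "true"
      traefik.docker.network: "traefik_proxy"
      traefik.backend: "traefik"
      traefik.port: "8080"
      traefik.frontend.rule: "Host:traefik.${ROOT_DOMAIN}"
      traefik.frontend.headers.SSLRedirect: "true"
      # 10-year HSTS with preload and includeSubdomains commits every
      # subdomain of ${ROOT_DOMAIN} to HTTPS; this is hard to roll back.
      traefik.frontend.headers.STSSeconds: "315360000"
      traefik.frontend.headers.browserXSSFilter: "true"
      traefik.frontend.headers.contentTypeNosniff: "true"
      traefik.frontend.headers.forceSTSHeader: "true"
      traefik.frontend.headers.SSLHost: "traefik.${ROOT_DOMAIN}"
      traefik.frontend.headers.SSLForceHost: "true"
      traefik.frontend.headers.STSIncludeSubdomains: "true"
      traefik.frontend.headers.STSPreload: "true"
      traefik.frontend.headers.customResponseHeaders: "X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      traefik.frontend.headers.frameDeny: "true"
      # traefik.frontend.auth.basic.users: ${HTPASSWD}
      # Forward auth: each request to the dashboard is first sent to the oauth
      # service and only passes through on a 2xx response.
      traefik.frontend.auth.forward.address: "http://oauth:4181"
      traefik.frontend.auth.forward.authResponseHeaders: "X-Forwarded-User"
      traefik.frontend.auth.forward.trustForwardHeader: "true"

  # https://github.com/thomseddon/traefik-forward-auth
  oauth:
    # https://hub.docker.com/r/thomseddon/traefik-forward-auth
    # The CLIENT_ID/CLIENT_SECRET variables below are this image's 1.x
    # interface; pin the tag to a 1.x release so a newer major cannot silently
    # change the expected variable names.
    image: thomseddon/traefik-forward-auth
    container_name: oauth
    restart: unless-stopped
    networks:
      - traefik_proxy
    environment:
      - CLIENT_ID=${OAUTH_CLIENT_ID}
      - CLIENT_SECRET=${OAUTH_CLIENT_SECRET}
      # Signs the session cookie; must be long and random.
      - SECRET=${OAUTH_SECRET}
      # false = cookie carries the Secure flag, so it is only sent over https.
      - INSECURE_COOKIE=false
      # The session cookie is scoped to the root domain, so one login covers
      # every protected subdomain.
      - COOKIE_DOMAIN=${ROOT_DOMAIN}
      - AUTH_HOST=oauth.${ROOT_DOMAIN}
      # Accounts allowed through; presumably any authenticated account is
      # accepted when this is empty -- confirm against the image's README.
      - WHITELIST=${OAUTH_WHITELIST}
      - LOG_LEVEL=warn
      - LOG_FORMAT=text
    labels:
      traefik.enable: "true"
      traefik.backend: "oauth"
      traefik.frontend.rule: "Host:oauth.${ROOT_DOMAIN}"
      traefik.port: "4181"
      traefik.docker.network: "traefik_proxy"
      traefik.frontend.headers.SSLRedirect: "true"
      traefik.frontend.headers.STSSeconds: "315360000"
      traefik.frontend.headers.browserXSSFilter: "true"
      traefik.frontend.headers.contentTypeNosniff: "true"
      traefik.frontend.headers.forceSTSHeader: "true"
      traefik.frontend.headers.SSLHost: "oauth.${ROOT_DOMAIN}"
      traefik.frontend.headers.SSLForceHost: "true"
      traefik.frontend.headers.STSIncludeSubdomains: "true"
      traefik.frontend.headers.STSPreload: "true"
      traefik.frontend.headers.customResponseHeaders: "X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      traefik.frontend.headers.frameDeny: "true"
      # add this to any containers you want to protect (if possible, sometimes mobile apps dont work)
      traefik.frontend.auth.forward.address: "http://oauth:4181"
      traefik.frontend.auth.forward.authResponseHeaders: "X-Forwarded-User"
      traefik.frontend.auth.forward.trustForwardHeader: "true"

  # https://github.com/plexinc/pms-docker
  plex:
    # https://hub.docker.com/r/plexinc/pms-docker
    image: plexinc/pms-docker
    container_name: plex
    hostname: ${PLEX_HOSTNAME}
    restart: unless-stopped
    networks:
      - traefik_proxy
    environment:
      - PLEX_UID=${PUID}
      - PLEX_GID=${PGID}
      - TZ=${TZ}
      # One-time claim token from plex.tv; it is short-lived but still a
      # credential, so keep it in .env rather than here.
      - PLEX_CLAIM=${PLEX_CLAIM_CODE}
      - ADVERTISE_IP=https://plex.${ROOT_DOMAIN}:443
    volumes:
      - ${APPDATA_DIR}/plex:/config
      - ${STORAGE_DIR}/music:/data/Music
      - ${STORAGE_DIR}/movies:/data/Movies
      - ${STORAGE_DIR}/tv:/data/TV
      # - ${STORAGE_DIR}/tmp/transcode:/transcode
      # Shares the whole host /tmp with the container read-write; the
      # commented-out dedicated directory above keeps the share narrower.
      - /tmp:/transcode
    ports:
      # Plex ports - source: https://support.plex.tv/articles/201543147-what-network-ports-do-i-need-to-allow-through-my-firewall/
      # These publish Plex directly on the host, outside Traefik and the
      # forward-auth gate; only Plex's own authentication applies to them.
      - "32400:32400" # Plex Media Server
      - "3005:3005" # Plex Companion
      - "8324:8324" # Roku via Plex Companion
      # Host and container port must match; the original "32469:32649" was a
      # transposition and mapped DLNA to a port Plex does not listen on.
      - "32469:32469" # Plex DLNA Server
      - "1900:1900/udp" # Plex DLNA Server
      - "32410:32410/udp" # network discovery
      - "32412:32412/udp" # network discovery
      - "32413:32413/udp" # network discovery
      - "32414:32414/udp" # network discovery
    labels:
      traefik.enable: "true"
      traefik.docker.network: "traefik_proxy"
      traefik.backend: "plex"
      # traefik.protocol: https # fixes remote access, but lose dashboard access probably because unsigned?
      traefik.port: "32400"
      traefik.frontend.rule: "Host:plex.${ROOT_DOMAIN}"
      traefik.frontend.headers.SSLRedirect: "true"
      traefik.frontend.headers.STSSeconds: "315360000"
      traefik.frontend.headers.browserXSSFilter: "true"
      traefik.frontend.headers.contentTypeNosniff: "true"
      traefik.frontend.headers.forceSTSHeader: "true"
      traefik.frontend.headers.SSLHost: "plex.${ROOT_DOMAIN}"
      traefik.frontend.headers.SSLForceHost: "true"
      traefik.frontend.headers.STSIncludeSubdomains: "true"
      traefik.frontend.headers.STSPreload: "true"
      traefik.frontend.headers.frameDeny: "true"
      # No forward-auth labels here on purpose: Plex has its own login, and
      # the OAuth redirect breaks mobile/TV clients (see the note on oauth).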