diff --git a/config/docker/2023/New-Docker-Deployment/home/user/.env b/config/docker/2023/New-Docker-Deployment/home/user/.env
new file mode 100644
index 0000000..046cbbf
--- /dev/null
+++ b/config/docker/2023/New-Docker-Deployment/home/user/.env
@@ -0,0 +1,115 @@
+#### Comment out or delete any unused entries
+
+#### EXAMPLE
+# DO NOT USE QUOTES TO ENCLOSE THE VALUES
+EXAMPLE_VARIABLE=true
+EXAMPLE_PORT=1234
+EXAMPLE_PASSWORD=kdos9lsk@1l1!
+EXAMPLE_EMAIL=myemail@domain.com
+EXAMPLE_IP=123.123.123.123
+
+#### BELOW ARE SOME OF THE VARIABLES USED IN docker-compose.yml
+
+##### PORTS
+
+APCUPSD_PORT=
+BAZARR_PORT=
+EMBY_PORT=
+GUACAMOLE_PORT=
+HA_DOCKERMON_PORT=
+HEIMDALL_PORT=
+INFLUXDB_PORT=
+IPVANISH_PROXY_PORT=
+IPVANISH_REMOTE_SERVER=
+JACKETT_PORT=
+JDOWNLOADER_PORT=
+LIDARR_PORT=
+MOSQUITTO_HTTP_PORT=
+MOSQUITTO_HTTPS_PORT=
+NZBHYDRA_PORT=
+ORGANIZER_PORT=
+PHPMYADMIN_PORT=
+PLEX_PORT=
+PLEX_WEB_TOOLS_PORT=
+QBITTORRENT_PORT=
+RADARR_PORT= #If you change radarr port then update plex meta agent
+SABNZBD_PORT=
+SONARR_PORT= #If you change sonarr port then update plex meta agent
+TAUTULLI_PORT=
+TRANSMISSION_PORT=
+ZONEMINDER_HTTP_PORT=
+ZONEMINDER_HTTPS_PORT=
+
+##### SYSTEM
+
+PUID=
+PGID=
+TZ=America/New_York
+USERDIR=/home/username
+DOCKERDIR=/home/username/docker
+SECRETSDIR=/home/username/docker/secrets
+SERVER_IP=
+PIHOLE_IP=
+LOCAL_NETWORK=
+
+##### DOMAIN
+
+DOMAINNAME=
+CLOUDFLARE_EMAIL=
+CLOUDFLARE_API_KEY=
+CLOUDFLARE_API_TOKEN=
+CLOUDFLARE_ZONEID=
+DUCKDNS_TOKEN=
+
+##### DATABASE
+
+DB_HOST=
+DB_PORT=
+MYSQL_ROOT_PASSWORD=
+
+##### SECURITY AND PRIVACY
+
+IPVANISH_USERNAME=
+IPVANISH_PASSWORD=
+HTTP_USERNAME=
+HTTP_PASSWORD=
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+OAUTH_SECRET=
+LIDARR_API_KEY=
+RADARR_API_KEY=
+SONARR_API_KEY=
+SABNZBD_API_KEY=
+
+##### NOTIFICATIONS
+
+TGRAM_BOT_TOKEN=
+TGRAM_CHAT_ID=
+MY_EMAIL=
+
+##### APPS
+
+JDOWN_VNC_PASSWD=
+HANDBRAKE_VNC_PASSWD=
+FIREFOX_VNC_PASSWD=
+FILEBOT_VNC_PASSWD=
+QDIRSTAT_VNC_PASSWD=
+MKVTOOLNIX_VNC_PASSWD=
+MAKEMKV_VNC_PASSWD=
+GUAC_MYSQL_USER=
+GUAC_MYSQL_PASSWORD=
+TRANSMISSION_RPC_PASSWORD=
+TRANSMISSION_RPC_USERNAME=
+PIHOLE_WEBPASSWORD=
+
+##### PLEX
+
+PLEX_CLAIM=
+SYN_PLEX=ACCESS-TOKEN@PLEX_SERVER_IP
+NUC_PLEX=ACCESS-TOKEN@PLEX_SERVER_IP
+# Plex libraries section id. Remember to change the numbers below to reflect your library. Add more as needed.
+# ALWAYS DO A DRY RUN TO VERIFY BEFORE SYNCING
+SYN_PLEX_HOLLYWOOD=1
+NUC_PLEX_HOLLYWOOD=2
+SYN_PLEX_TVSHOWS=2
+NUC_PLEX_TVSHOWS=16
diff --git a/config/docker/2023/New-Docker-Deployment/home/user/base.env b/config/docker/2023/New-Docker-Deployment/home/user/base.env
new file mode 100644
index 0000000..e7982f3
--- /dev/null
+++ b/config/docker/2023/New-Docker-Deployment/home/user/base.env
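Review bot: The template keeps credentials (`CLOUDFLARE_API_KEY=`, `CLOUDFLARE_API_TOKEN=`, `GOOGLE_CLIENT_SECRET=`, `OAUTH_SECRET=`, the `*_VNC_PASSWD=` and `*_API_KEY=` entries) in the same `.env` as ports and paths, while the compose files in this commit already read the Cloudflare, OAuth and Google values from file secrets under `$SECRETSDIR` / `$DOCKERDIR/secrets`. Consider dropping the secret entries here, or adding a header comment such as `# Credentials below are superseded by the file secrets in $SECRETSDIR; leave them empty`, so the same credential is not maintained in two places. The inline comments on `RADARR_PORT= #If you change radarr port ...` and `SONARR_PORT=` rely on the dotenv parser stripping ` #...`; Compose v2 does this for unquoted values, but older docker-compose v1 parsers kept the remainder of the line as the value, so putting those comments on their own line is the safer form. `DOMAINNAME=` here versus `DOMAINNAME0`/`DOMAINNAME1` used by `base.env` and both compose files also looks like a leftover and should be reconciled.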
@@ -0,0 +1,77 @@
+##### HOSTNAMES
+#TRAEFIK_HOSTNAME=proxy.
+#PORTAINER_HOSTNAME=portainer.
+#AUTHELIA_HOSTNAME=auth.
+
+TRAEFIK_HOSTNAME=testproxy.
+PORTAINER_HOSTNAME=testportainer.
+AUTHELIA_HOSTNAME=testauth.
+
+##### NETWORKS
+
+PROXY_SUBNET=192.168.91.0/24
+PROXY_GATEWAY=192.168.91.1
+
+TRAEFIK_PROXY_IP=192.168.91.254
+PORTAINER_PROXY_IP=192.168.91.253
+AUTHELIA_IP=192.168.91.252
+
+SOCKET_PROXY_SUBNET=192.168.92.0/24
+SOCKET_PROXY_GATEWAY=192.168.92.1
+
+SOCKET_PROXY_IP=192.168.92.254
+TRAEFIK_SOCKET_PROXY_IP=192.168.92.252
+PORTAINER_SOCKET_PROXY_IP=192.168.92.253
+
+##### DOMAIN
+
+DOMAINNAME0=gurulandia.eu
+DOMAINNAME1=local.gurulandia.eu
+
+##### CLOUDFLARE
+
+CLOUDFLARE_EMAIL=gurulandia@outlook.com
+CLOUDFLARE_IP_RANGES=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,172.64.0.0/13,131.0.72.0/22,104.16.0.0/13,104.24.0.0/14
+
+##### Certificate
+
+CERTRESOLVER=dns-cloudflare
+DNS_PROVIDER=cloudflare
+RESOLVER0=1.1.1.1:53
+RESOLVER1=1.0.0.1:53
+
+
+##### DATABASE
+
+DB_HOST=192.168.99.60
+DB_PORT=3306
+MYSQL_ROOT_PASSWORD=
+
+
+##### IP ADDRESSES
+
+# HEIMDALL_IP=192.168.91.2
+# VSCODE_IP=192.168.91.3
+# YOURLS_IP=192.168.91.4
+# LIBRESPEED_IP=192.168.91.5
+# ADMINER_IP=192.168.91.6
+# DOZZLE_IP0=192.168.91.7
+# GLANCES_IP0=192.168.91.8
+# CLOUDDNS_IP=192.168.91.9
+# CERTDUMPER_IP=192.168.91.10
+
+# DOZZLE_IP1=192.168.92.7
+# GLANCES_IP1=192.168.92.8
+
+#SERVER_IP=
+#PIHOLE_IP=
+#LOCAL_NETWORK=
+
+##### PORTS
+
+# LIBRESPEED_PORT=30001
+
+# VSCODE_PASSWORD=glvscode
+
+# GUAC_MYSQL_USER=guacamole
+# GUAC_MYSQL_PASSWORD=guacamole
\ No newline at end of file
diff --git a/config/docker/2023/New-Docker-Deployment/home/user/base.yml b/config/docker/2023/New-Docker-Deployment/home/user/base.yml
new file mode 100644
index 0000000..9e57ce1
--- /dev/null
+++ b/config/docker/2023/New-Docker-Deployment/home/user/base.yml
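Review bot: `MYSQL_ROOT_PASSWORD=` is left empty in a file that is otherwise committed with live values (`CLOUDFLARE_EMAIL`, `DOMAINNAME0`/`DOMAINNAME1`), and the commented-out `# VSCODE_PASSWORD=glvscode` and `# GUAC_MYSQL_PASSWORD=guacamole` keep default credentials in version control. The sibling `docker-compose-t2.yml` in this commit already declares a `mysql_root_password` file secret under `$DOCKERDIR/secrets`, so the env entry can be dropped in favour of that and the commented credentials removed rather than kept as hints. Nothing visible in the commit loads this file: Compose only picks up `.env` from the project directory automatically, and the `#env_file: ./base.env` line in `base.yml` is commented out (and `env_file` is a per-service key, not a top-level one), so a header comment such as `# Load with: docker compose --env-file base.env -f base.yml up -d` would document how `$PROXY_SUBNET`, `$DOMAINNAME0` etc. are expected to resolve. The file also ends without a trailing newline (`\ No newline at end of file`), which makes the next append show up as a modified last line.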
@@ -0,0 +1,330 @@ +version: "3.9" +#env_file: ./base.env +########################### NETWORKS +# There is no need to create any networks outside this docker-compose file. +# You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please. +# Docker Compose version 3.5 or higher required to define networks this way. +networks: + proxy: + name: proxy + driver: bridge + ipam: + config: + - subnet: $PROXY_SUBNET + gateway: $PROXY_GATEWAY + #default: + # driver: bridge + socket_proxy: + name: socket_proxy + driver: bridge + ipam: + config: + - subnet: $SOCKET_PROXY_SUBNET + gateway: $SOCKET_PROXY_GATEWAY +########################### VOLUMES +volumes: + traefik-logs: {} + traefik-acme: {} + portainer-data: {} + +########################### SECRETS +secrets: + htpasswd: + file: $SECRETSDIR/htpasswd + cloudflare_email: + file: $SECRETSDIR/cloudflare_email + cloudflare_api_key: + file: $SECRETSDIR/cloudflare_api_key + cloudflare_api_token: + file: $SECRETSDIR/cloudflare_api_token + authelia_jwt_secret: + file: $SECRETSDIR/authelia_jwt_secret + authelia_session_secret: + file: $SECRETSDIR/authelia_session_secret + authelia_ldap_password: + file: $SECRETSDIR/authelia_ldap_password + authelia_storage_encryption_key: + file: $SECRETSDIR/authelia_storage_encryption_key + authelia_storage_mysql_password: + file: $DOCKERDIR/secrets/authelia_storage_mysql_password +# authelia_notifier_smtp_password: +# file: $DOCKERDIR/secrets/authelia_notifier_smtp_password +# authelia_duo_api_secret_key: +# file: $DOCKERDIR/secrets/authelia_duo_api_secret_key + +########################### EXTENSION FIELDS +# Helps eliminate repetition of sections +# More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228 + +# Common environment values +x-environment: &default-tz-puid-pgid + TZ: $TZ + PUID: $PUID + PGID: $PGID + +# Proxy Network and Security +x-network-and-security: &network-and-security + networks: + - t2_proxy + security_opt: + - 
no-new-privileges:true + +# Keys common to some of the services in basic-services.txt +x-common-keys-basic: &common-keys-basic + <<: *network-and-security + restart: always + # profiles: + # - basic + +# Keys common to some of the dependent services/apps +x-common-keys-apps: &common-keys-apps + <<: *network-and-security + restart: unless-stopped + # profiles: + # - apps + +# Keys common to some of the services in media-services.txt +x-common-keys-media: &common-keys-media + <<: *network-and-security + restart: "no" + # profiles: + # - media + +########################### SERVICES +services: + # Traefik 2 - Reverse Proxy + # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600. + # touch $DOCKERDIR/traefik2/acme/acme.json + # chmod 600 $DOCKERDIR/traefik2/acme/acme.json + # touch $DOCKERDIR/traefik2/traefik.log + traefik: + container_name: traefik + image: traefik:latest + restart: always + command: # CLI arguments + - --global.checkNewVersion=true + - --global.sendAnonymousUsage=false + - --entryPoints.http.address=:80 + - --entryPoints.https.address=:443 + - --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IP_RANGES + - --entryPoints.traefik.address=:8080 + - --entryPoints.metrics.address=:8082 + - --entryPoints.gelf.address=:12201 + - --entryPoints.syslog.address=:15514 + - --entryPoints.beats.address=:5050 + - --metrics.prometheus.entryPoint=metrics + - --api=true + #- --api.insecure=true + - --api.dashboard=true + - --serversTransport.insecureSkipVerify=true + - --log=true + - --log.filePath=/var/log/traefik/debug.log + - --log.format=json + - --log.level=WARN # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC + - --accessLog=true + - --accessLog.filePath=/var/log/traefik/access.log + - --accessLog.format=json + #- --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines + #- --accessLog.filters.statusCodes=400-499 + - --providers.docker=true + - --providers.docker.endpoint=$DOCKER_ENDPOINT # Use 
Docker Socket Proxy instead for improved security + # Automatically set Host rule for services + # - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME0`) + - --providers.docker.exposedByDefault=false + # - --entrypoints.https.http.middlewares=chain-oauth@file + - --entrypoints.https.http.tls.options=tls-opts@file + # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services + - --entrypoints.https.http.tls.certresolver=$CERTRESOLVER + - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME0 + - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME0 + - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME1 # Pulls main cert for second domain + - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME1 # Pulls wildcard cert for second domain + - --providers.docker.network=proxy + - --providers.docker.swarmMode=false + - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory + # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file + - --providers.file.watch=true # Only works on top level files in the rules folder + #- --certificatesResolvers.$CERTRESOLVER.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing + - --certificatesResolvers.$CERTRESOLVER.acme.email=$CLOUDFLARE_EMAIL + - --certificatesResolvers.$CERTRESOLVER.acme.storage=/etc/traefik/acme/acme.json + - --certificatesresolvers.$CERTRESOLVER.acme.dnschallenge=true + - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.provider=$DNS_PROVIDER + - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.resolvers=$RESOLVER0 #,$RESOLVER1 + - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate + networks: + proxy: + ipv4_address: $TRAEFIK_PROXY_IP # You can 
specify a static IP + socket_proxy: + ipv4_address: $TRAEFIK_SOCKET_PROXY_IP + security_opt: + - no-new-privileges:true + ports: + - "80:80" + - "443:443" +# - "8080:8080" +# - "8082:8082" +# - "12201:12201" +# - "5050:5050" +# - "15514:15514" + volumes: + - /etc/localtime:/etc/localtime:ro + - $DOCKERDIR/appdata/traefik2/rules:/rules # file provider directory + - traefik-logs:/var/log/traefik + - traefik-acme:/etc/traefik/acme + #- $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600 + #- $DOCKERDIR/appdata/traefik2/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container + - $DOCKERDIR/shared:/shared + environment: + - TZ=$TZ + - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email + - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key + - CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_api_token + - HTPASSWD_FILE=/run/secrets/htpasswd # HTPASSWD_FILE can be whatever as it is not used/called anywhere. 
+ secrets: + - cloudflare_email + - cloudflare_api_key + - cloudflare_api_token + - htpasswd + labels: + #- "autoheal=true" + - "traefik.enable=true" + # HTTP-to-HTTPS Redirect + - "traefik.http.routers.http-catchall.entrypoints=http" + - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)" + - "traefik.http.routers.http-catchall.middlewares=redirect-to-https" + - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https" + # HTTP Routers + - "traefik.http.routers.traefik-rtr.entrypoints=https" + - "traefik.http.routers.traefik-rtr.rule=Host(`$TRAEFIK_HOSTNAME$DOMAINNAME1`)" + ## Services - API + - "traefik.http.routers.traefik-rtr.service=api@internal" + ## Middlewares + - "traefik.http.routers.traefik-rtr.middlewares=chain-no-auth@file" + #- "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file" + # Docker Socket Proxy - Security Enchanced Proxy for Docker Socket + socket-proxy: + container_name: socket-proxy + image: tecnativa/docker-socket-proxy + restart: always + networks: + socket_proxy: + ipv4_address: $SOCKET_PROXY_IP # You can specify a static IP + privileged: true + #ports: + # - "127.0.0.1:2375:2375" # Port 2375 should only ever get exposed to the internal network. When possible use this line. + # I use the next line instead, as I want portainer to manage multiple docker endpoints within my home network. + # - "2375:2375" + volumes: + - "/var/run/docker.sock:/var/run/docker.sock" + environment: + - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg + ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.). + # 0 to revoke access. + # 1 to grant access. + ## Granted by Default + - EVENTS=1 + - PING=1 + - VERSION=1 + ## Revoked by Default + # Security critical + - AUTH=0 + - SECRETS=0 + - POST=1 # Ouroboros + # Not always needed + - BUILD=0 + - COMMIT=0 + - CONFIGS=0 + - CONTAINERS=1 # Traefik, portainer, etc. 
+ - DISTRIBUTION=0 + - EXEC=1 + - IMAGES=1 # Portainer + - INFO=1 # Portainer + - NETWORKS=1 # Portainer + - NODES=0 + - PLUGINS=0 + - SERVICES=1 # Portainer + - SESSION=0 + - SWARM=0 + - SYSTEM=0 + - TASKS=1 # Portaienr + - VOLUMES=1 # Portainer + + # Portainer - WebUI for Containers + portainer: + container_name: portainer + image: portainer/portainer-ce:latest + restart: unless-stopped + command: -H $DOCKER_ENDPOINT # Use Docker Socket Proxy instead for improved security + networks: + proxy: + ipv4_address: $PORTAINER_PROXY_IP + socket_proxy: + ipv4_address: $PORTAINER_SOCKET_PROXY_IP + security_opt: + - no-new-privileges:true + volumes: + - portainer-data:/data +# - $DOCKERDIR/appdata/portainer:/data # Change to local directory if you want to save/transfer config locally + environment: + - TZ=$TZ + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.portainer-rtr.entrypoints=https" + - "traefik.http.routers.portainer-rtr.rule=Host(`$PORTAINER_HOSTNAME$DOMAINNAME1`)" + ## Middlewares + - "traefik.http.routers.portainer-rtr.middlewares=chain-authelia@file" + #- "traefik.http.routers.portainer-rtr.middlewares=chain-no-auth@file" + ## HTTP Services + - "traefik.http.routers.portainer-rtr.service=portainer-svc" + - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000" + # Authelia (Lite) - Self-Hosted Single Sign-On and Two-Factor Authentication + authelia: + container_name: authelia + # Check this before upgrading: https://github.com/authelia/authelia/blob/master/BREAKING.md + image: authelia/authelia:latest + restart: always + networks: + proxy: + ipv4_address: $AUTHELIA_IP # You can specify a static IP + #default: + # ports: + # - "9091:9091" + volumes: + - $DOCKERDIR/appdata/authelia:/config + environment: + - TZ=$TZ + - AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret + - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret + - 
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/authelia_storage_encryption_key + - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/run/secrets/authelia_ldap_password + - AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/run/secrets/authelia_storage_mysql_password +# - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/authelia_notifier_smtp_password +# - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/authelia_duo_api_secret_key +# - AUTHELIA_TLS_KEY_FILE +# - AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE +# - AUTHELIA_SESSION_REDIS_PASSWORD_FILE +# - AUTHELIA_REDIS_HIGH_AVAILABILITY_SENTINEL_PASSWORD_FILE +# - AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE +# - AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE + + secrets: + - authelia_jwt_secret + - authelia_session_secret + - authelia_storage_encryption_key + - authelia_ldap_password + - authelia_storage_mysql_password +# - authelia_notifier_smtp_password +# - authelia_duo_api_secret_key + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.authelia-rtr.entrypoints=https" + - "traefik.http.routers.authelia-rtr.rule=Host(`$AUTHELIA_HOSTNAME$DOMAINNAME1`)" + - "traefik.http.routers.authelia-rtr.tls=true" + ## Middlewares + - "traefik.http.routers.authelia-rtr.middlewares=chain-no-auth@file" + #chain-authelia@file" + ## HTTP Services + - "traefik.http.routers.authelia-rtr.service=authelia-svc" + - "traefik.http.services.authelia-svc.loadbalancer.server.port=9091" \ No newline at end of file diff --git a/config/docker/2023/New-Docker-Deployment/home/user/docker-compose-t2.yml b/config/docker/2023/New-Docker-Deployment/home/user/docker-compose-t2.yml new file mode 100644 index 0000000..1cad22b --- /dev/null +++ b/config/docker/2023/New-Docker-Deployment/home/user/docker-compose-t2.yml 
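Review bot: `$DOCKER_ENDPOINT` is referenced by Traefik's `- --providers.docker.endpoint=$DOCKER_ENDPOINT` and by Portainer's `command: -H $DOCKER_ENDPOINT`, but neither `.env` nor `base.env` in this commit defines it, so unless it is exported in the shell Compose will substitute an empty string (with a warning) and both flags are left without a value. Define it next to the other proxy settings, e.g. `DOCKER_ENDPOINT=tcp://socket-proxy:2375`, which is the value the sibling `docker-compose-t2.yml` hard-codes. The socket-proxy service here grants `EXEC=1` together with `POST=1`, whereas the t2 file sets `EXEC=0`; with both enabled any client that reaches the proxy can start exec sessions in containers, so `EXEC=0` is worth restoring unless a specific consumer needs it. The Traefik dashboard router is attached to `chain-no-auth@file` with the Authelia chain commented out, and `- --serversTransport.insecureSkipVerify=true` disables certificate verification towards backends; each deserves a short comment stating why it is intended, and `security_opt: no-new-privileges:true` is applied to traefik and portainer but not to socket-proxy or authelia. The `x-common-keys-*` anchors also point at a `t2_proxy` network that this file does not define and no service in it uses them, so they look like dead copy from the t2 file.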
@@ -0,0 +1,1353 @@ +version: "3.9" + +######### IMPORTANT ############# +# This is my main docker-compose file with most of the apps. I run docker on other systems with smaller stacks (web and synology). +# You can copy-paste services from one docker-compose file in this repo to another to add other apps. + +########################### SYSTEM DESCRIPTION +# DOCKER-COMPOSE FOR HOME/MEDIA SERVER +# PROXMOX HOST: Dual Intel Xeon 5420, 16 GB RAM, 240 GB SSD, and 2 TB HDD +# VM: 6 CORES, 12 GB RAM, Ubuntu 20.04, and Docker +# 32 GB for /, 64 GB for /var/lib/docker and transcoding, and 1.5 TB for non-critical data and rclone cache. +# Google Drive mounted using Rclone Docker for media and Proxmox backups + +########################### NETWORKS +# There is no need to create any networks outside this docker-compose file. +# You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please. +# Docker Compose version 3.5 or higher required to define networks this way. + +networks: + t2_proxy: + name: t2_proxy + driver: bridge + ipam: + config: + - subnet: 192.168.90.0/24 + default: + driver: bridge + socket_proxy: + name: socket_proxy + driver: bridge + ipam: + config: + - subnet: 192.168.91.0/24 + +########################### SECRETS +secrets: + htpasswd: + file: $DOCKERDIR/secrets/htpasswd + cloudflare_email: + file: $DOCKERDIR/secrets/cloudflare_email + cloudflare_api_key: + file: $DOCKERDIR/secrets/cloudflare_api_key + cloudflare_api_token: + file: $DOCKERDIR/secrets/cloudflare_api_token + authelia_jwt_secret: + file: $DOCKERDIR/secrets/authelia_jwt_secret + authelia_session_secret: + file: $DOCKERDIR/secrets/authelia_session_secret + authelia_storage_mysql_password: + file: $DOCKERDIR/secrets/authelia_storage_mysql_password + authelia_notifier_smtp_password: + file: $DOCKERDIR/secrets/authelia_notifier_smtp_password + authelia_duo_api_secret_key: + file: $DOCKERDIR/secrets/authelia_duo_api_secret_key + authelia_storage_encryption_key: + file: 
$DOCKERDIR/secrets/authelia_storage_encryption_key + oauth_secret: + file: $DOCKERDIR/secrets/oauth_secret + google_client_secret: + file: $DOCKERDIR/secrets/google_client_secret + google_client_id: + file: $DOCKERDIR/secrets/google_client_id + my_email: + file: $DOCKERDIR/secrets/my_email + guac_db_name: + file: $DOCKERDIR/secrets/guac_db_name + guac_mysql_user: + file: $DOCKERDIR/secrets/guac_mysql_user + guac_mysql_password: + file: $DOCKERDIR/secrets/guac_mysql_password + mysql_root_password: + file: $DOCKERDIR/secrets/mysql_root_password + +########################### EXTENSION FIELDS +# Helps eliminate repetition of sections +# More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228 + +# Common environment values +x-environment: &default-tz-puid-pgid + TZ: $TZ + PUID: $PUID + PGID: $PGID + +# Proxy Network and Security +x-network-and-security: &network-and-security + networks: + - t2_proxy + security_opt: + - no-new-privileges:true + +# Keys common to some of the services in basic-services.txt +x-common-keys-basic: &common-keys-basic + <<: *network-and-security + restart: always + # profiles: + # - basic + +# Keys common to some of the dependent services/apps +x-common-keys-apps: &common-keys-apps + <<: *network-and-security + restart: unless-stopped + # profiles: + # - apps + +# Keys common to some of the services in media-services.txt +x-common-keys-media: &common-keys-media + <<: *network-and-security + restart: "no" + # profiles: + # - media + +########################### SERVICES +services: + ############################# FRONTENDS + + # Traefik 2 - Reverse Proxy + # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600. 
+ # touch $DOCKERDIR/traefik2/acme/acme.json + # chmod 600 $DOCKERDIR/traefik2/acme/acme.json + # touch $DOCKERDIR/traefik2/traefik.log + traefik: + <<: *common-keys-basic # See EXTENSION FIELDS at the top + container_name: traefik + image: traefik:2.5 + command: # CLI arguments + - --global.checkNewVersion=true + - --global.sendAnonymousUsage=true + - --entryPoints.http.address=:80 + - --entryPoints.https.address=:443 + # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/ + - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22 + - --entryPoints.traefik.address=:8080 + # - --entryPoints.ping.address=:8081 + - --api=true + # - --api.insecure=true + - --api.dashboard=true + #- --ping=true + #- --pilot.token=$TRAEFIK_PILOT_TOKEN + # - --serversTransport.insecureSkipVerify=true + - --log=true + - --log.level=WARN # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC + - --accessLog=false + - --accessLog.filePath=/traefik.log + - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines + - --accessLog.filters.statusCodes=400-499 + - --providers.docker=true + # - --providers.docker.endpoint=unix:///var/run/docker.sock # Use Docker Socket Proxy instead for improved security + - --providers.docker.endpoint=tcp://socket-proxy:2375 + # Automatically set Host rule for services + # - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME0`) + - --providers.docker.exposedByDefault=false + # - --entrypoints.https.http.middlewares=chain-oauth@file + - --entrypoints.https.http.tls.options=tls-opts@file + # Add dns-cloudflare as default certresolver for all services. 
Also enables TLS and no need to specify on individual services + - --entrypoints.https.http.tls.certresolver=dns-cloudflare + - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME0 + - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME0 + # - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME1 # Pulls main cert for second domain + # - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME1 # Pulls wildcard cert for second domain + - --providers.docker.network=t2_proxy + - --providers.docker.swarmMode=false + - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory + # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file + - --providers.file.watch=true # Only works on top level files in the rules folder + # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing + - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL + - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json + - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare + - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53 + - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate + networks: + t2_proxy: + ipv4_address: 192.168.90.254 # You can specify a static IP + socket_proxy: + #healthcheck: + # test: ["CMD", "traefik", "healthcheck", "--ping"] + # interval: 5s + # retries: 3 + ports: + - target: 80 + published: 80 + protocol: tcp + mode: host + - target: 443 + published: 443 + protocol: tcp + mode: host + # - target: 8080 + # published: 8080 + # protocol: tcp + # mode: host + volumes: + - $DOCKERDIR/appdata/traefik2/rules:/rules # file provider directory + # - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy 
instead for improved security + - $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600 + - $DOCKERDIR/appdata/traefik2/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container + environment: + - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email + - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key + - HTPASSWD_FILE=/run/secrets/htpasswd # HTPASSWD_FILE can be whatever as it is not used/called anywhere. + secrets: + - cloudflare_email + - cloudflare_api_key + - htpasswd + labels: + #- "autoheal=true" + - "traefik.enable=true" + # HTTP-to-HTTPS Redirect + - "traefik.http.routers.http-catchall.entrypoints=http" + - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)" + - "traefik.http.routers.http-catchall.middlewares=redirect-to-https" + - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https" + # HTTP Routers + - "traefik.http.routers.traefik-rtr.entrypoints=https" + - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME0`)" + ## Services - API + - "traefik.http.routers.traefik-rtr.service=api@internal" + ## Healthcheck/ping + #- "traefik.http.routers.ping.rule=Host(`traefik.$DOMAINNAME0`) && Path(`/ping`)" + #- "traefik.http.routers.ping.tls=true" + #- "traefik.http.routers.ping.service=ping@internal" + ## Middlewares + - "traefik.http.routers.traefik-rtr.middlewares=chain-oauth@file" + + # Docker Socket Proxy - Security Enchanced Proxy for Docker Socket + socket-proxy: + <<: *common-keys-basic # See EXTENSION FIELDS at the top + container_name: socket-proxy + image: tecnativa/docker-socket-proxy + networks: + socket_proxy: + ipv4_address: 192.168.91.254 # You can specify a static IP + privileged: true + #ports: + # - "127.0.0.1:2375:2375" # Port 2375 should only ever get exposed to the internal network. When possible use this line. 
+ # I use the next line instead, as I want portainer to manage multiple docker endpoints within my home network. + # - "2375:2375" + volumes: + - "/var/run/docker.sock:/var/run/docker.sock" + environment: + - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg + ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.). + # 0 to revoke access. + # 1 to grant access. + ## Granted by Default + - EVENTS=1 + - PING=1 + - VERSION=1 + ## Revoked by Default + # Security critical + - AUTH=0 + - SECRETS=0 + - POST=1 # Watchtower + # Not always needed + - BUILD=0 + - COMMIT=0 + - CONFIGS=0 + - CONTAINERS=1 # Traefik, portainer, etc. + - DISTRIBUTION=0 + - EXEC=0 + - IMAGES=1 # Portainer + - INFO=1 # Portainer + - NETWORKS=1 # Portainer + - NODES=0 + - PLUGINS=0 + - SERVICES=1 # Portainer + - SESSION=0 + - SWARM=0 + - SYSTEM=0 + - TASKS=1 # Portainer + - VOLUMES=1 # Portainer + + # Google OAuth - Single Sign On using OAuth 2.0 + # https://www.smarthomebeginner.com/google-oauth-with-traefik-docker/ + oauth: + <<: *common-keys-basic # See EXTENSION FIELDS at the top + container_name: oauth + image: thomseddon/traefik-forward-auth:latest + # image: thomseddon/traefik-forward-auth:2.1-arm # Use this image with Raspberry Pi + # Allow apps to bypass OAuth. Radarr example below will bypass OAuth if API key is present in the request (eg. from NZB360 mobile app). + # While this is one way, the recommended way is to bypass authentication using Traefik labels shown in some of the apps later. 
+ # command: --rule.radarr.action=allow --rule.radarr.rule="Headers(`X-Api-Key`, `$RADARR_API_KEY`)" + # command: --rule.sabnzbd.action=allow --rule.sabnzbd.rule="HeadersRegexp(`X-Forwarded-Uri`, `$SABNZBD_API_KEY`)" + environment: + - PROVIDERS_GOOGLE_CLIENT_ID=$GOOGLE_CLIENT_ID + - PROVIDERS_GOOGLE_CLIENT_SECRET=$GOOGLE_CLIENT_SECRET + - SECRET=$OAUTH_SECRET + - COOKIE_DOMAIN=$DOMAINNAME0 + - INSECURE_COOKIE=false + - AUTH_HOST=oauth.$DOMAINNAME0 + - URL_PATH=/_oauth + - WHITELIST=$MY_EMAIL + - LOG_LEVEL=warn + - LOG_FORMAT=text + - LIFETIME=86400 # 1 day + - DEFAULT_ACTION=auth + - DEFAULT_PROVIDER=google + secrets: + - source: traefik-forward-auth + target: /config + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.oauth-rtr.tls=true" + - "traefik.http.routers.oauth-rtr.entrypoints=https" + - "traefik.http.routers.oauth-rtr.rule=Host(`oauth.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.oauth-rtr.middlewares=chain-oauth@file" + ## HTTP Services + - "traefik.http.routers.oauth-rtr.service=oauth-svc" + - "traefik.http.services.oauth-svc.loadbalancer.server.port=4181" + + # Authelia (Lite) - Self-Hosted Single Sign-On and Two-Factor Authentication + authelia: + container_name: authelia + # Check this before upgrading: https://github.com/authelia/authelia/blob/master/BREAKING.md + image: authelia/authelia:latest + restart: always + # profiles: + # - core + networks: + - t2_proxy + - default + # ports: + # - "9091:9091" + volumes: + - $DOCKERDIR/appdata/authelia:/config + environment: + - TZ=$TZ + - AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret + - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret + - AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/run/secrets/authelia_storage_mysql_password + - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/authelia_notifier_smtp_password + - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/authelia_duo_api_secret_key + - 
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/authelia_storage_encryption_key + secrets: + - authelia_jwt_secret + - authelia_session_secret + - authelia_storage_mysql_password + - authelia_notifier_smtp_password + - authelia_duo_api_secret_key + - authelia_storage_encryption_key + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.authelia-rtr.entrypoints=https" + - "traefik.http.routers.authelia-rtr.rule=Host(`authelia.$DOMAINNAME0`)" + - "traefik.http.routers.authelia-rtr.tls=true" + ## Middlewares + - "traefik.http.routers.authelia-rtr.middlewares=chain-authelia@file" + ## HTTP Services + - "traefik.http.routers.authelia-rtr.service=authelia-svc" + - "traefik.http.services.authelia-svc.loadbalancer.server.port=9091" + + # Portainer - WebUI for Containers + portainer: + <<: *common-keys-basic # See EXTENSION FIELDS at the top + container_name: portainer + image: portainer/portainer-ce:latest + # command: -H unix:///var/run/docker.sock # # Use Docker Socket Proxy instead for improved security + command: -H tcp://socket-proxy:2375 + networks: + - t2_proxy + - socket_proxy + volumes: + # - /var/run/docker.sock:/var/run/docker.sock:ro # # Use Docker Socket Proxy instead for improved security + - $DOCKERDIR/appdata/portainer/data:/data # Change to local directory if you want to save/transfer config locally + environment: + - TZ=$TZ + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.portainer-rtr.entrypoints=https" + - "traefik.http.routers.portainer-rtr.rule=Host(`portainer.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.portainer-rtr.middlewares=chain-oauth@file" + ## HTTP Services + - "traefik.http.routers.portainer-rtr.service=portainer-svc" + - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000" + + # Autoindex - Simple Directory Index + autoindex: + <<: *common-keys-apps # See EXTENSION FIELDS at the top + container_name: autoindex + image: dceoy/nginx-autoindex:latest + # 
ports: + # - "$AUTOINDEX_PORT:80" + volumes: + #- $USERDIR:/var/lib/nginx/html:ro # Location you want to index + - /media/data:/var/lib/nginx/html:ro # Location you want to index + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.autoindex-rtr.entrypoints=https" + - "traefik.http.routers.autoindex-rtr.rule=Host(`index.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.autoindex-rtr.middlewares=chain-oauth@file" + ## HTTP Services + - "traefik.http.routers.autoindex-rtr.service=autoindex-svc" + - "traefik.http.services.autoindex-svc.loadbalancer.server.port=80" + + ############################# DOWNLOADERS + + # jDownloader - Download management + jdownloader: + <<: *common-keys-apps # See EXTENSION FIELDS at the top + image: jlesage/jdownloader-2:latest + container_name: jdownloader + # ports: + # - "$JDOWNLOADER_PORT:5800" + volumes: + - $DATADIR/downloads:/data/downloads + - $DOCKERDIR/appdata/jdownloader:/config + environment: + USER_ID: $PUID + GROUP_ID: $PGID + TZ: $TZ + UMASK: 002 + KEEP_APP_RUNNING: 1 + CLEAN_TMP_DIR: 1 + DISPLAY_WIDTH: 1600 + DISPLAY_HEIGHT: 960 + VNC_PASSWORD: $JDOWN_VNC_PASSWD + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.jdownloader-rtr.entrypoints=https" + - "traefik.http.routers.jdownloader-rtr.rule=Host(`jdown.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.jdownloader-rtr.middlewares=chain-oauth@file" + ## HTTP Services + - "traefik.http.routers.jdownloader-rtr.service=jdownloader-svc" + - "traefik.http.services.jdownloader-svc.loadbalancer.server.port=5800" + + # TransmissionBT - Torrent Downloader + # ONLY ACCESSIBLE THROUGH https://domain.com/transmission/web/ if using PathPrefix + transmission-vpn: + image: haugene/transmission-openvpn:latest + container_name: transmission-vpn + restart: unless-stopped + networks: + t2_proxy: + ipv4_address: 192.168.90.169 + # ports: + # - "$TRANSMISSION_PORT:9091" + cap_add: + - NET_ADMIN + #devices: + # - 
/dev/net/tun + #dns: + # - 1.1.1.1 + # - 1.0.0.1 + volumes: + - /etc/localtime:/etc/localtime:ro + - $DOCKERDIR/appdata/transmission-vpn/data:/data + - $DOCKERDIR/appdata/transmission-vpn/config:/config + - $DATADIR/downloads:/data/downloads + environment: + <<: *default-tz-puid-pgid + OPENVPN_PROVIDER: FASTESTVPN + OPENVPN_USERNAME: $FASTEST_USERNAME + OPENVPN_PASSWORD: $FASTEST_PASSWORD + #OPENVPN_CONFIG: "Switzerland-UDP" + #OPENVPN_OPTS: --inactive 3600 --ping 10 --ping-exit 60 + LOCAL_NETWORK: "$LOCAL_NETWORK" + UMASK_SET: 2 + TRANSMISSION_RPC_AUTHENTICATION_REQUIRED: "true" + TRANSMISSION_RPC_HOST_WHITELIST: "127.0.0.1,$SERVER_IP" + TRANSMISSION_RPC_PASSWORD: $TRANSMISSION_RPC_PASSWORD + TRANSMISSION_RPC_USERNAME: $TRANSMISSION_RPC_USERNAME + TRANSMISSION_UMASK: 002 + TRANSMISSION_RATIO_LIMIT: 0.01 + TRANSMISSION_RATIO_LIMIT_ENABLED: "true" + TRANSMISSION_ALT_SPEED_DOWN: 40000 + TRANSMISSION_ALT_SPEED_ENABLED: "false" + TRANSMISSION_ALT_SPEED_UP: 250 + TRANSMISSION_SPEED_LIMIT_DOWN: 80000 + TRANSMISSION_SPEED_LIMIT_DOWN_ENABLED: "true" + TRANSMISSION_SPEED_LIMIT_UP: 500 + TRANSMISSION_SPEED_LIMIT_UP_ENABLED: "true" + TRANSMISSION_INCOMPLETE_DIR: /data/downloads/torrents/incomplete + TRANSMISSION_INCOMPLETE_DIR_ENABLED: "true" + TRANSMISSION_WATCH_DIR: /data/downloads/torrents + TRANSMISSION_WATCH_DIR_ENABLED: "true" + TRANSMISSION_DOWNLOAD_DIR: /data/downloads/torrents + LOG_TO_STDOUT: "true" + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.transmission-vpn-rtr.entrypoints=https" + - "traefik.http.routers.transmission-vpn-rtr.rule=Host(`trans.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.transmission-vpn-rtr.middlewares=middlewares-rate-limit@file" + ## HTTP Services + - "traefik.http.routers.transmission-vpn-rtr.service=transmission-vpn-svc" + - "traefik.http.services.transmission-vpn-svc.loadbalancer.server.port=9091" + + # qBittorrent - Torrent downloader + # Needs trailing / if using PathPrefixStrip + 
qbittorrent: + <<: *common-keys-apps # See EXTENSION FIELDS at the top + image: lscr.io/linuxserver/qbittorrent:latest + container_name: qbittorrent + #network_mode: container:transmission-vpn + # ports: + # - "$QBITTORRENT_PORT:8168" + volumes: + - $DOCKERDIR/appdata/qbittorrent:/config + - $DATADIR/downloads:/downloads + environment: + <<: *default-tz-puid-pgid + UMASK_SET: 002 + WEBUI_PORT: 8168 + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.qbittorrent-rtr.entrypoints=https" + - "traefik.http.routers.qbittorrent-rtr.rule=Host(`qbit.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.qbittorrent-rtr.middlewares=chain-oauth@file" + ## HTTP Services + - "traefik.http.routers.qbittorrent-rtr.service=qbittorrent-svc" + - "traefik.http.services.qbittorrent-svc.loadbalancer.server.port=8168" + + # nzbget - Binary newsgrabber (NZB downloader) + nzbget: + <<: *common-keys-apps # See EXTENSION FIELDS at the top + image: lscr.io/linuxserver/nzbget + container_name: nzbget + networks: + t2_proxy: + ipv4_address: 192.168.90.216 + ports: + - "$NZBGET_PORT:6789" + volumes: + - $DOCKERDIR/appdata/nzbget:/config + - $DATADIR/downloads:/data/downloads + environment: + <<: *default-tz-puid-pgid + labels: + - "traefik.enable=true" + ## HTTP Routers Auth Bypass + - "traefik.http.routers.nzbget-rtr-bypass.entrypoints=https" + # BYPASS IS NOT WORKING YET. NEED TO FIGURE THIS OUT. 
+ - "traefik.http.routers.nzbget-rtr-bypass.rule=Host(`nzbget.$DOMAINNAME0`)" + #- "traefik.http.routers.nzbget-rtr-bypass.rule=Host(`nzbget.$DOMAINNAME0`) && Query(`apikey`, `$NZBGET_API_KEY`)" + - "traefik.http.routers.nzbget-rtr-bypass.priority=100" + ## HTTP Routers Auth + - "traefik.http.routers.nzbget-rtr.entrypoints=https" + - "traefik.http.routers.nzbget-rtr.rule=Host(`nzbget.$DOMAINNAME0`)" + - "traefik.http.routers.nzbget-rtr.priority=99" + ## Middlewares + - "traefik.http.routers.nzbget-rtr-bypass.middlewares=chain-no-auth@file" + - "traefik.http.routers.nzbget-rtr.middlewares=chain-no-auth@file" + ## HTTP Services + - "traefik.http.routers.nzbget-rtr.service=nzbget-svc" + - "traefik.http.routers.nzbget-rtr-bypass.service=nzbget-svc" + - "traefik.http.services.nzbget-svc.loadbalancer.server.port=6789" + + ############################# INDEXERS + + # Jackett - Torrent proxy + # Set url_base in Jackett settings if using PathPrefix + jackett: + <<: *common-keys-apps # See EXTENSION FIELDS at the top + image: lscr.io/linuxserver/jackett:latest + container_name: jackett + # network_mode: container:transmission-vpn + networks: + t2_proxy: + ipv4_address: 192.168.90.161 + # ports: + # - "$JACKETT_PORT:9117" + volumes: + - $DOCKERDIR/appdata/jackett:/config + - $DATADIR/downloads:/data/downloads + - "/etc/localtime:/etc/localtime:ro" + environment: + <<: *default-tz-puid-pgid + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.jackett-rtr.entrypoints=https" + - "traefik.http.routers.jackett-rtr.rule=Host(`jackett.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.jackett-rtr.middlewares=chain-oauth@file" + ## HTTP Services + - "traefik.http.routers.jackett-rtr.service=jackett-svc" + - "traefik.http.services.jackett-svc.loadbalancer.server.port=9117" + + # Prowlarr - Torrent proxy + prowlarr: + <<: *common-keys-apps # See EXTENSION FIELDS at the top + image: ghcr.io/linuxserver/prowlarr:develop + container_name: prowlarr + 
networks: + t2_proxy: + ipv4_address: 192.168.90.162 + # ports: + # - "$PROWLARR_PORT:9696" + volumes: + - $DOCKERDIR/appdata/prowlarr:/config + - "/etc/localtime:/etc/localtime:ro" + environment: + <<: *default-tz-puid-pgid + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.prowlarr-rtr.entrypoints=https" + - "traefik.http.routers.prowlarr-rtr.rule=Host(`prowlarr.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.prowlarr-rtr.middlewares=chain-oauth@file" + ## HTTP Services + - "traefik.http.routers.prowlarr-rtr.service=prowlarr-svc" + - "traefik.http.services.prowlarr-svc.loadbalancer.server.port=9696" + + # NZBHydra2 - NZB meta search + hydra: + <<: *common-keys-apps # See EXTENSION FIELDS at the top + image: linuxserver/nzbhydra2:latest + container_name: hydra + ports: + - "$NZBHYDRA_PORT:5076" + volumes: + - $DOCKERDIR/appdata/hydra2:/config + - $DATADIR/downloads:/data/downloads + environment: + <<: *default-tz-puid-pgid + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.hydra-rtr.entrypoints=https" + - "traefik.http.routers.hydra-rtr.rule=Host(`hydra.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.hydra-rtr.middlewares=chain-oauth@file" + ## HTTP Services + - "traefik.http.routers.hydra-rtr.service=hydra-svc" + - "traefik.http.services.hydra-svc.loadbalancer.server.port=5076" + + ############################# PVRS + + # Lidarr - Music Management + # Set url_base in lidarr settings if using PathPrefix + lidarr: + <<: *common-keys-media # See EXTENSION FIELDS at the top + image: lscr.io/linuxserver/lidarr:latest + container_name: lidarr + networks: + t2_proxy: + ipv4_address: 192.168.90.163 + ports: + - "$LIDARR_PORT:8686" + volumes: + - $DOCKERDIR/appdata/lidarr:/config + # Optional. 
See why MediaCover is mounted as volume https://github.com/htpcBeginner/docker-traefik/discussions/147 + - $DATADIR/temp/docker/appdata/lidarr/MediaCover:/config/MediaCover + - $DATADIR/downloads:/data/downloads + - $DATADIR/media/music:/data/media/music + - "/etc/localtime:/etc/localtime:ro" + environment: + <<: *default-tz-puid-pgid + labels: + - "traefik.enable=true" + ## HTTP Routers Auth Bypass + - "traefik.http.routers.lidarr-rtr-bypass.entrypoints=https" + - "traefik.http.routers.lidarr-rtr-bypass.rule=Host(`lidarr.$DOMAINNAME0`) && (Headers(`X-Api-Key`, `$LIDARR_API_KEY`) || Query(`apikey`, `$LIDARR_API_KEY`))" + - "traefik.http.routers.lidarr-rtr-bypass.priority=100" + ## HTTP Routers Auth + - "traefik.http.routers.lidarr-rtr.entrypoints=https" + - "traefik.http.routers.lidarr-rtr.rule=Host(`lidarr.$DOMAINNAME0`)" + - "traefik.http.routers.lidarr-rtr.priority=99" + ## Middlewares + - "traefik.http.routers.lidarr-rtr-bypass.middlewares=chain-no-auth@file" + - "traefik.http.routers.lidarr-rtr.middlewares=chain-oauth@file" + ## HTTP Services + - "traefik.http.routers.lidarr-rtr.service=lidarr-svc" + - "traefik.http.routers.lidarr-rtr-bypass.service=lidarr-svc" + - "traefik.http.services.lidarr-svc.loadbalancer.server.port=8686" + + # Radarr - Movie management + # Set url_base in radarr settings if using PathPrefix + radarr: + <<: *common-keys-media # See EXTENSION FIELDS at the top + image: lscr.io/linuxserver/radarr:nightly # latest was causing "Error parsing column 45" + container_name: radarr + networks: + t2_proxy: + ipv4_address: 192.168.90.164 + ports: + - "$RADARR_PORT:7878" + volumes: + - $DOCKERDIR/appdata/radarr:/config + # Optional. 
See why MediaCover is mounted as volume https://github.com/htpcBeginner/docker-traefik/discussions/147 + - $DATADIR/temp/docker/appdata/radarr/MediaCover:/config/MediaCover + - $DATADIR/downloads:/data/downloads + - $DATADIR/media:/data/media + - "/etc/localtime:/etc/localtime:ro" + environment: + <<: *default-tz-puid-pgid + labels: + - "traefik.enable=true" + ## HTTP Routers Auth Bypass + - "traefik.http.routers.radarr-rtr-bypass.entrypoints=https" + - "traefik.http.routers.radarr-rtr-bypass.rule=Host(`radarr.$DOMAINNAME0`) && (Headers(`X-Api-Key`, `$RADARR_API_KEY`) || Query(`apikey`, `$RADARR_API_KEY`))" + - "traefik.http.routers.radarr-rtr-bypass.priority=100" + ## HTTP Routers Auth + - "traefik.http.routers.radarr-rtr.entrypoints=https" + - "traefik.http.routers.radarr-rtr.rule=Host(`radarr.$DOMAINNAME0`)" + - "traefik.http.routers.radarr-rtr.priority=99" + ## Middlewares + - "traefik.http.routers.radarr-rtr-bypass.middlewares=chain-no-auth@file" + - "traefik.http.routers.radarr-rtr.middlewares=chain-oauth@file" + ## HTTP Services + - "traefik.http.routers.radarr-rtr.service=radarr-svc" + - "traefik.http.routers.radarr-rtr-bypass.service=radarr-svc" + - "traefik.http.services.radarr-svc.loadbalancer.server.port=7878" + + # Sonarr - TV Shows management + # Set url_base in sonarr settings if using PathPrefix + sonarr: + <<: *common-keys-media # See EXTENSION FIELDS at the top + image: lscr.io/linuxserver/sonarr + container_name: sonarr + networks: + t2_proxy: + ipv4_address: 192.168.90.167 + ports: + - "$SONARR_PORT:8989" + volumes: + - $DOCKERDIR/appdata/sonarr:/config + # Optional. 
See why MediaCover is mounted as volume https://github.com/htpcBeginner/docker-traefik/discussions/147 + - $DATADIR/temp/docker/appdata/sonarr/MediaCover:/config/MediaCover + - $DATADIR/downloads:/data/downloads + - $DATADIR/media:/data/media + - "/etc/localtime:/etc/localtime:ro" + environment: + <<: *default-tz-puid-pgid + labels: + - "traefik.enable=true" + ## HTTP Routers Auth Bypass + - "traefik.http.routers.sonarr-rtr-bypass.entrypoints=https" + - "traefik.http.routers.sonarr-rtr-bypass.rule=Host(`sonarr.$DOMAINNAME0`) && (Headers(`X-Api-Key`, `$SONARR_API_KEY`) || Query(`apikey`, `$SONARR_API_KEY`))" + - "traefik.http.routers.sonarr-rtr-bypass.priority=100" + ## HTTP Routers Auth + - "traefik.http.routers.sonarr-rtr.entrypoints=https" + - "traefik.http.routers.sonarr-rtr.rule=Host(`sonarr.$DOMAINNAME0`)" + - "traefik.http.routers.sonarr-rtr.priority=99" + ## Middlewares + - "traefik.http.routers.sonarr-rtr-bypass.middlewares=chain-no-auth@file" + - "traefik.http.routers.sonarr-rtr.middlewares=chain-oauth@file" + ## HTTP Services + - "traefik.http.routers.sonarr-rtr.service=sonarr-svc" + - "traefik.http.routers.sonarr-rtr-bypass.service=sonarr-svc" + - "traefik.http.services.sonarr-svc.loadbalancer.server.port=8989" + + # Readarr - Books management + # Set url_base in readarr settings if using PathPrefix + readarr: + <<: *common-keys-media # See EXTENSION FIELDS at the top + image: hotio/readarr:nightly + container_name: readarr + # ports: + # - "$READARR_PORT:8989" + volumes: + - $DOCKERDIR/appdata/readarr:/config + - $DATADIR/downloads:/data/downloads + - $DATADIR/media/books:/data/media/books + - "/etc/localtime:/etc/localtime:ro" + environment: + <<: *default-tz-puid-pgid + UMASK: 002 + #ARGS: "" + labels: + - "traefik.enable=true" + ## HTTP Routers Auth + - "traefik.http.routers.readarr-rtr.entrypoints=https" + - "traefik.http.routers.readarr-rtr.rule=Host(`readarr.$DOMAINNAME0`)" + ## Middlewares + - 
"traefik.http.routers.readarr-rtr.middlewares=chain-oauth@file" + ## HTTP Services + - "traefik.http.routers.readarr-rtr.service=readarr-svc" + - "traefik.http.services.readarr-svc.loadbalancer.server.port=8787" + + ############################# MEDIA + + # Navidrome - Music Server + navidrome: + <<: *common-keys-media # See EXTENSION FIELDS at the top + container_name: navidrome + image: deluan/navidrome:latest + # ports: + # - "$FUNKWHALE_PORT:4533" + user: $PUID:$PGID + volumes: + - $DOCKERDIR/appdata/navidrome:/data + - $DATADIR/media/music/English:/music/English:ro + - $DATADIR/media/music/Kids:/music/Kids:ro + environment: + - TZ=$TZ + - ND_SCANSCHEDULE=1h + - ND_LOGLEVEL=info + #- ND_BASEURL="" + - ND_SESSIONTIMEOUT=24h + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.navidrome-rtr.entrypoints=https" + - "traefik.http.routers.navidrome-rtr.rule=Host(`proxnd.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.navidrome-rtr.middlewares=chain-no-auth@file" + ## HTTP Services + - "traefik.http.routers.navidrome-rtr.service=navidrome-svc" + - "traefik.http.services.navidrome-svc.loadbalancer.server.port=4533" + + # FunkWhale - Music Server + funkwhale: + <<: *common-keys-media # See EXTENSION FIELDS at the top + container_name: funkwhale + image: thetarkus/funkwhale + # ports: + # - "$FUNKWHALE_PORT:80" + volumes: + - $DOCKERDIR/appdata/funkwhale:/data + - $DATADIR/media/music:/music:ro + environment: + - PUID=$PUID + - PGID=$PGID + - FUNKWHALE_HOSTNAME=proxfw.$DOMAINNAME0 + - NESTED_PROXY=1 + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.funkwhale-rtr.entrypoints=https" + - "traefik.http.routers.funkwhale-rtr.rule=Host(`proxfw.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.funkwhale-rtr.middlewares=chain-no-auth@file" + ## HTTP Services + - "traefik.http.routers.funkwhale-rtr.service=funkwhale-svc" + - "traefik.http.services.funkwhale-svc.loadbalancer.server.port=80" + + # Jellyfin 
- Media Server + jellyfin: + <<: *common-keys-media # See EXTENSION FIELDS at the top + image: jellyfin/jellyfin:latest + container_name: jellyfin + devices: + - /dev/dri:/dev/dri # for harware transcoding + ports: + - "$JELLYFIN_PORT:8096" + - "8920:8920" # Emby also uses same port if running both + environment: + <<: *default-tz-puid-pgid + UMASK_SET: 022 + volumes: + - $DOCKERDIR/appdata/jellyfin:/config + - $DATADIR/temp/docker/appdata/jellyfin/metadata:/config/metadata + - $DATADIR/downloads:/data/downloads + - $DATADIR/media:/data/media + - /dev/shm:/data/transcode # Offload transcoding to RAM if you have enough RAM + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.jellyfin-rtr.entrypoints=https" + - "traefik.http.routers.jellyfin-rtr.rule=Host(`proxjf.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.jellyfin-rtr.middlewares=chain-no-auth@file" + ## HTTP Services + - "traefik.http.routers.jellyfin-rtr.service=jellyfin-svc" + - "traefik.http.services.jellyfin-svc.loadbalancer.server.port=8096" + + # Photoshow - Simple Photo Viewer + photoshow: + <<: *common-keys-media # See EXTENSION FIELDS at the top + image: lscr.io/linuxserver/photoshow + container_name: photoshow + volumes: + - $DATADIR/media/misc:/Pictures + - $DOCKERDIR/appdata/photoshow:/config + - $DATADIR/temp/docker/appdata/photoshow:/Thumbs + environment: + <<: *default-tz-puid-pgid + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.photoshow-rtr.entrypoints=https" + - "traefik.http.routers.photoshow-rtr.rule=Host(`photoshow.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.photoshow-rtr.middlewares=chain-oauth@file" + ## HTTP Services + - "traefik.http.routers.photoshow-rtr.service=photoshow-svc" + - "traefik.http.services.photoshow-svc.loadbalancer.server.port=80" + + ############################# MEDIA FILE MANAGEMENT + + # Bazarr - Subtitle Management + bazarr: + <<: *common-keys-media # See EXTENSION FIELDS at the top 
+ image: lscr.io/linuxserver/bazarr + container_name: bazarr + ports: + - "$BAZARR_PORT:6767" + volumes: + - $DOCKERDIR/appdata/bazarr:/config + - $DATADIR/media:/data/media + environment: + <<: *default-tz-puid-pgid + labels: + - "traefik.enable=true" + ## HTTP Routers Auth Bypass + - "traefik.http.routers.bazarr-rtr-bypass.entrypoints=https" + - "traefik.http.routers.bazarr-rtr-bypass.rule=Host(`bazarr.$DOMAINNAME0`) && (Headers(`X-Api-Key`, `$BAZARR_API_KEY`) || Query(`apikey`, `$BAZARR_API_KEY`))" + - "traefik.http.routers.bazarr-rtr-bypass.priority=100" + ## HTTP Routers Auth + - "traefik.http.routers.bazarr-rtr.entrypoints=https" + - "traefik.http.routers.bazarr-rtr.rule=Host(`bazarr.$DOMAINNAME0`)" + - "traefik.http.routers.bazarr-rtr.priority=99" + ## Middlewares + - "traefik.http.routers.bazarr-rtr-bypass.middlewares=chain-no-auth@file" + - "traefik.http.routers.bazarr-rtr.middlewares=chain-oauth@file" + ## HTTP Services + - "traefik.http.routers.bazarr-rtr.service=bazarr-svc" + - "traefik.http.routers.bazarr-rtr-bypass.service=bazarr-svc" + - "traefik.http.services.bazarr-svc.loadbalancer.server.port=6767" + + # Picard - Music Library Tagging and Management + picard: + <<: *common-keys-media # See EXTENSION FIELDS at the top + image: mikenye/picard:latest + container_name: picard + # ports: + # - "$PICARD_PORT:5800" + volumes: + - $DATADIR/downloads:/data/downloads:rw + - $DOCKERDIR/appdata/picard:/config:rw + # - $DATADIR/media/music:/data/media/music:rw + - /dev/shm:/dev/shm + environment: + USER_ID: $PUID + GROUP_ID: $PGID + TZ: $TZ + UMASK: 002 + DISPLAY_WIDTH: 1600 + DISPLAY_HEIGHT: 960 + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.picard-rtr.entrypoints=https" + - "traefik.http.routers.picard-rtr.rule=Host(`picard.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.picard-rtr.middlewares=chain-oauth@file" + ## HTTP Services + - "traefik.http.routers.picard-rtr.service=picard-svc" + - 
"traefik.http.services.picard-svc.loadbalancer.server.port=5800" + + # Handbrake - Video Conversion (Transcoding and compression) + handbrake: + <<: *common-keys-apps # See EXTENSION FIELDS at the top + image: jlesage/handbrake:latest + container_name: handbrake + # ports: + # - "$HANDBRAKE_PORT:5800" + volumes: + - $DATADIR/downloads:/data/downloads + - $DOCKERDIR/appdata/handbrake/config:/config + - $DOCKERDIR/appdata/handbrake/watch:/watch + environment: + USER_ID: $PUID + GROUP_ID: $PGID + UMASK: 002 + TZ: $TZ + KEEP_APP_RUNNING: 1 + CLEAN_TMP_DIR: 1 + DISPLAY_WIDTH: 1600 + DISPLAY_HEIGHT: 960 + AUTOMATED_CONVERSION_KEEP_SOURCE: 1 + VNC_PASSWORD: $HANDBRAKE_VNC_PASSWD + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.handbrake-rtr.entrypoints=https" + - "traefik.http.routers.handbrake-rtr.rule=Host(`handbrake.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.handbrake-rtr.middlewares=chain-oauth@file" + ## HTTP Services + - "traefik.http.routers.handbrake-rtr.service=handbrake-svc" + - "traefik.http.services.handbrake-svc.loadbalancer.server.port=5800" + + # MKVToolNix - Video Editing (Remuxing - changing media container while keeping original source quality) + mkvtoolnix: + <<: *common-keys-apps # See EXTENSION FIELDS at the top + image: jlesage/mkvtoolnix:latest + container_name: mkvtoolnix + # ports: + # - "$MKVTOOLNIX_PORT:5800" + volumes: + - $DATADIR/downloads:/data/downloads + - $DOCKERDIR/appdata/mkvtoolnix/config:/config:rw + environment: + USER_ID: $PUID + GROUP_ID: $PGID + UMASK: 002 + TZ: $TZ + KEEP_APP_RUNNING: 1 + CLEAN_TMP_DIR: 1 + DISPLAY_WIDTH: 1600 + DISPLAY_HEIGHT: 960 + VNC_PASSWORD: $MKVTOOLNIX_VNC_PASSWD + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.mkvtoolnix-rtr.entrypoints=https" + - "traefik.http.routers.mkvtoolnix-rtr.rule=Host(`mkvtoolnix.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.mkvtoolnix-rtr.middlewares=chain-oauth@file" + ## HTTP Services + 
- "traefik.http.routers.mkvtoolnix-rtr.service=mkvtoolnix-svc" + - "traefik.http.services.mkvtoolnix-svc.loadbalancer.server.port=5800" + + # MakeMKV - Video Editing (Ripping from Disks) + makemkv: + <<: *common-keys-apps # See EXTENSION FIELDS at the top + image: jlesage/makemkv:latest + container_name: makemkv + # ports: + # - "$MAKEMKV_PORT:5800" + volumes: + - $DATADIR/downloads:/data/downloads + - $DOCKERDIR/appdata/makemkv/config:/config + - /dev/shm:/dev/shm + environment: + USER_ID: $PUID + GROUP_ID: $PGID + UMASK: 002 + TZ: $TZ + KEEP_APP_RUNNING: 1 + CLEAN_TMP_DIR: 1 + DISPLAY_WIDTH: 1600 + DISPLAY_HEIGHT: 960 + VNC_PASSWORD: $MAKEMKV_VNC_PASSWD + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.makemkv-rtr.entrypoints=https" + - "traefik.http.routers.makemkv-rtr.rule=Host(`makemkv.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.makemkv-rtr.middlewares=chain-oauth@file" + ## HTTP Services + - "traefik.http.routers.makemkv-rtr.service=makemkv-svc" + - "traefik.http.services.makemkv-svc.loadbalancer.server.port=5800" + + ############################# UTILITIES + + # Grafana - Graphical data visualization for InfluxDB data + grafana: + <<: *common-keys-apps # See EXTENSION FIELDS at the top + image: grafana/grafana:latest + container_name: grafana + networks: + - t2_proxy + - default + # ports: + # - "$GRAFANA_PORT:3000" + user: "0" + volumes: + - $DOCKERDIR/appdata/grafana:/var/lib/grafana + environment: + GF_INSTALL_PLUGINS: "grafana-clock-panel,grafana-simple-json-datasource,grafana-worldmap-panel,grafana-piechart-panel" + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.grafana-rtr.entrypoints=https" + - "traefik.http.routers.grafana-rtr.rule=Host(`grafana.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.grafana-rtr.middlewares=chain-oauth@file" + ## HTTP Services + - "traefik.http.routers.grafana-rtr.service=grafana-svc" + - 
"traefik.http.services.grafana-svc.loadbalancer.server.port=3000" + + # Guacamole - Remote desktop, SSH, on Telnet on any HTML5 Browser + # Create all databases and tables first + guacamole: + <<: *common-keys-apps # See EXTENSION FIELDS at the top + image: guacamole/guacamole:latest + container_name: guacamole + networks: + - t2_proxy + - default + # ports: + # - "$GUACAMOLE_PORT:8080" + environment: + GUACD_HOSTNAME: guacd + MYSQL_HOSTNAME: $MARIADB_HOST + MYSQL_PORT: $MARIADB_PORT + MYSQL_DATABASE_FILE: /run/secrets/guac_db_name + MYSQL_USER_FILE: /run/secrets/guac_mysql_user + MYSQL_PASSWORD_FILE: /run/secrets/guac_mysql_password + secrets: + - guac_db_name + - guac_mysql_user + - guac_mysql_password + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.guacamole-rtr.entrypoints=https" + - "traefik.http.routers.guacamole-rtr.rule=Host(`guac.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.guacamole-rtr.middlewares=chain-oauth@file,add-guacamole" + - "traefik.http.middlewares.add-guacamole.addPrefix.prefix=/guacamole" + ## HTTP Services + - "traefik.http.routers.guacamole-rtr.service=guacamole-svc" + - "traefik.http.services.guacamole-svc.loadbalancer.server.port=8080" + + # Guacamole Daemon - Needed for Guacamole + guacd: + <<: *common-keys-apps # See EXTENSION FIELDS at the top + image: guacamole/guacd + container_name: guacd + restart: unless-stopped + + # Firefox - Web Broswer + # VNC password not working - check + firefox: + <<: *common-keys-apps # See EXTENSION FIELDS at the top + image: jlesage/firefox:latest + container_name: firefox + security_opt: + - no-new-privileges:true + - seccomp:unconfined # October 15, 2020 https://github.com/jlesage/docker-firefox/blob/master/README.md#allowing-the-membarrier-system-call + # ports: + # - "$FIREFOX_PORT:5800" + volumes: + - $DOCKERDIR/appdata/firefox:/config + - $DATADIR/downloads:/data/downloads + - /dev/shm:/dev/shm + environment: + USER_ID: $PUID + GROUP_ID: $PGID + TZ: 
$TZ + UMASK: 002 + KEEP_APP_RUNNING: 1 + CLEAN_TMP_DIR: 1 + DISPLAY_WIDTH: 1920 + DISPLAY_HEIGHT: 1080 + VNC_PASSWD: $FIREFOX_VNC_PASSWD + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.firefox-rtr.entrypoints=https" + - "traefik.http.routers.firefox-rtr.rule=Host(`firefox.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.firefox-rtr.middlewares=chain-oauth@file" + ## HTTP Services + - "traefik.http.routers.firefox-rtr.service=firefox-svc" + - "traefik.http.services.firefox-svc.loadbalancer.server.port=5800" + + # Glances - System Information + glances: + <<: *common-keys-apps # See EXTENSION FIELDS at the top + image: nicolargo/glances:latest + container_name: glances + privileged: true + # network_mode: host + networks: + - t2_proxy + - socket_proxy + - default + # ports: + # - "$GLANCES_PORT:61208" + pid: host + volumes: + - $DOCKERDIR/appdata/glances/glances.conf:/glances/conf/glances.conf # Use this if you want to add a glances.conf file + - $USERDIR:/data/home:ro + - /media/data:/data/data:ro + # - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy instead for improved security + environment: + # GLANCES_OPT: "-C /glances/conf/glances.conf --quiet --export influxdb" + # GLANCES_OPT: "--export influxdb" + GLANCES_OPT: "-w" + DOCKER_HOST: tcp://socket-proxy:2375 + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.glances-rtr.entrypoints=https" + - "traefik.http.routers.glances-rtr.rule=Host(`glances.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.glances-rtr.middlewares=chain-oauth@file" + ## HTTP Services + - "traefik.http.routers.glances-rtr.service=glances-svc" + - "traefik.http.services.glances-svc.loadbalancer.server.port=61208" + + # qDirStat - Directory Statistics + qdirstat: + <<: *common-keys-apps # See EXTENSION FIELDS at the top + image: jlesage/qdirstat:latest + container_name: qdirstat + # ports: + # - "$QDIRSTAT_PORT:5800" + volumes: + - 
$USERDIR:/data/home:ro + - $DOCKERDIR/appdata/qdirstat/config:/config:rw + - /media/data:/data/data:ro + environment: + USER_ID: $PUID + GROUP_ID: $PGID + UMASK: 002 + TZ: $TZ + KEEP_APP_RUNNING: 1 + CLEAN_TMP_DIR: 1 + DISPLAY_WIDTH: 1600 + DISPLAY_HEIGHT: 960 + VNC_PASSWORD: $QDIRSTAT_VNC_PASSWD + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.qdirstat-rtr.entrypoints=https" + - "traefik.http.routers.qdirstat-rtr.rule=Host(`qdirstat.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.qdirstat-rtr.middlewares=chain-oauth@file" + ## HTTP Services + - "traefik.http.routers.qdirstat-rtr.service=qdirstat-svc" + - "traefik.http.services.qdirstat-svc.loadbalancer.server.port=5800" + + # Dozzle - Real-time Docker Log Viewer + dozzle: + <<: *common-keys-apps # See EXTENSION FIELDS at the top + image: amir20/dozzle:latest + container_name: dozzle + networks: + - t2_proxy + - socket_proxy + # ports: + # - "$DOZZLE_PORT:8080" + environment: + DOZZLE_LEVEL: info + DOZZLE_TAILSIZE: 300 + DOZZLE_FILTER: "status=running" + # DOZZLE_FILTER: "label=log_me" # limits logs displayed to containers with this label + DOCKER_HOST: tcp://socket-proxy:2375 + # volumes: + # - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy instead for improved security + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.dozzle-rtr.entrypoints=https" + - "traefik.http.routers.dozzle-rtr.rule=Host(`dozzle.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.dozzle-rtr.middlewares=chain-oauth@file" + ## HTTP Services + - "traefik.http.routers.dozzle-rtr.service=dozzle-svc" + - "traefik.http.services.dozzle-svc.loadbalancer.server.port=8080" + + # VSCode - VSCode Editing + vscode: + <<: *common-keys-basic # See EXTENSION FIELDS at the top + image: codercom/code-server:latest + container_name: vscode + ports: + - "$VSCODE_PORT:8080" + volumes: + - $USERDIR/server:/home/coder/server + - $DOCKERDIR:/home/coder/docker + - 
$DOCKERDIR/appdata/vscode:/home/coder + - $DATADIR:/home/coder/data + environment: + PASSWORD: $VSCODE_PASSWORD + # Run as root first, create the directories, then change permissions to user:docker and 775. Disable run as root below. + user: $PUID:$PGID + # user: "0" + DOCKER_HOST: tcp://socket-proxy:2375 + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.vscode-rtr.entrypoints=https" + - "traefik.http.routers.vscode-rtr.rule=Host(`code.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.vscode-rtr.middlewares=chain-oauth@file" + ## HTTP Services + - "traefik.http.routers.vscode-rtr.service=vscode-svc" + - "traefik.http.services.vscode-svc.loadbalancer.server.port=8080" + + # SyncThing - Keep folders in Sync + syncthing: + <<: *common-keys-basic # See EXTENSION FIELDS at the top + image: lscr.io/linuxserver/syncthing + container_name: syncthing + ports: + #- 8384:8384 + - 22000:22000/tcp + - 22000:22000/udp + - 21027:21027/udp + volumes: + - /media:/data/mounts + - $USERDIR:/data/home + - $DOCKERDIR/appdata/syncthing:/config + environment: + <<: *default-tz-puid-pgid + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.syncthing-rtr.entrypoints=https" + - "traefik.http.routers.syncthing-rtr.rule=Host(`stcdoc.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.syncthing-rtr.middlewares=chain-oauth@file" + ## HTTP Services + - "traefik.http.routers.syncthing-rtr.service=syncthing-svc" + - "traefik.http.services.syncthing-svc.loadbalancer.server.port=8384" + + ############################# MAINTENANCE + + # Docker-GC - Automatic Docker Garbage Collection + # Create docker-gc-exclude file + dockergc: + <<: *common-keys-apps # See EXTENSION FIELDS at the top + image: clockworksoul/docker-gc-cron:latest + container_name: docker-gc + networks: + - socket_proxy + volumes: + # - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy instead for improved security + - 
$DOCKERDIR/appdata/docker-gc/docker-gc-exclude:/etc/docker-gc-exclude + environment: + CRON: 0 0 0 * * ? # Everyday at midnight. Previously 0 0 * * * + FORCE_IMAGE_REMOVAL: 1 + FORCE_CONTAINER_REMOVAL: 0 + GRACE_PERIOD_SECONDS: 604800 + DRY_RUN: 0 + CLEAN_UP_VOLUMES: 1 + TZ: $TZ + DOCKER_HOST: tcp://socket-proxy:2375 + + # Cloudflare-Companion - Automatic CNAME DNS Creation + cf-companion: + <<: *common-keys-apps # See EXTENSION FIELDS at the top + container_name: cf-companion + image: tiredofit/traefik-cloudflare-companion:latest + networks: + - socket_proxy + environment: + - TIMEZONE=$TZ + - TRAEFIK_VERSION=2 + #- CF_EMAIL=$CLOUDFLARE_EMAIL + - CF_TOKEN=$CLOUDFLARE_API_TOKEN + - TARGET_DOMAIN=cdoc.$DOMAINNAME0 + - DOMAIN1=$DOMAINNAME0 + - DOMAIN1_ZONE_ID=$CLOUDFLARE_ZONEID # Copy from Cloudflare Overview page + - DOMAIN1_PROXIED=TRUE + - DOCKER_HOST=tcp://socket-proxy:2375 + secrets: # not working + - cloudflare_api_token + labels: + # Add hosts specified in rules here to force cf-companion to create the CNAMEs + # Since cf-companion creates CNAMEs based on host rules, this a workaround for non-docker/external apps + - "traefik.http.routers.cf-companion-rtr.rule=Host(Host(`webmin.$DOMAINNAME0`) || Host(`shell.$DOMAINNAME0`)"