diff --git a/config/docker/2022/HedgeDoc.yml b/config/docker/2022/HedgeDoc.yml
new file mode 100644
index 0000000..8c37a45
--- /dev/null
+++ b/config/docker/2022/HedgeDoc.yml
@@ -0,0 +1,47 @@
+version: "3"
+services:
+ mariadb:
+ image: lscr.io/linuxserver/mariadb:latest
+ container_name: hedgedoc_mariadb
+ restart: always
+ volumes:
+ - /gurulandia/data/docker/hedgedoc/db:/config
+ environment:
+ - MYSQL_ROOT_PASSWORD=SuperPassword
+ - MYSQL_DATABASE=hedgedoc
+ - MYSQL_USER=hedgedoc
+ - MYSQL_PASSWORD=hedgedoc
+ - PGID=1000
+ - PUID=1000
+ - TZ=Europe/Helsinki
+ adminer:
+ image: adminer:latest
+ container_name: adminer
+ environment:
+ ADMINER_DEFAULT_SERVER: mariadb
+ restart: always
+ ports:
+ - 7777:8080
+ hedgedoc:
+ image: lscr.io/linuxserver/hedgedoc:latest
+ container_name: hedgedoc
+ restart: always
+ depends_on:
+ - mariadb
+ volumes:
+ - /gurulandia/data/docker/hedgedoc/config:/config
+ environment:
+ - DB_HOST=mariadb
+ - DB_USER=hedgedoc
+ - DB_PASS=hedgedoc
+ - DB_NAME=hedgedoc
+ - DB_PORT=3306
+ - PGID=1000
+ - PUID=1000
+ - TZ=Europe/Helsinki
+ - CMD_DOMAIN=gl-v-l-srv-04.local.gurulandia.eu
+ - CMD_URL_ADDPORT=true #optional
+ - CMD_PROTOCOL_USESSL=false #optional
+ - CMD_PORT=3000 #optional
+ ports:
+ - 53000:3000
\ No newline at end of file
diff --git a/config/docker/2022/base-stack.yml b/config/docker/2022/base-stack.yml
new file mode 100644
index 0000000..26388f6
--- /dev/null
+++ b/config/docker/2022/base-stack.yml
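Review bot: HedgeDoc.yml commits the database credentials in plain text (`MYSQL_ROOT_PASSWORD=SuperPassword`, and `hedgedoc` as both the user name and the value of `MYSQL_PASSWORD`/`DB_PASS`), and the `adminer` service publishes a database admin UI on `7777:8080` on every host interface with `mariadb` preselected. Anyone who can reach port 7777 gets a login form for a database protected by a guessable password. Take the values from an untracked env file, e.g. `- MYSQL_PASSWORD=${HEDGEDOC_DB_PASSWORD}` with the same variable in `DB_PASS`, and either drop `adminer` from this stack or bind it to loopback with `- "127.0.0.1:7777:8080"`. All three images are pinned to `:latest`, so a redeploy can pull an unreviewed version; a version tag or digest would make the deployment reproducible.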
@@ -0,0 +1,311 @@
+version: "3.7"
+########################### NETWORKS
+# There is no need to create any networks outside this docker-compose file.
+# You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please.
+# Docker Compose version 3.5 or higher required to define networks this way.
+networks:
+ proxy:
+ name: proxy
+ driver: bridge
+ ipam:
+ config:
+ - subnet: $PROXY_SUBNET
+ gateway: $PROXY_GATEWAY
+ #default:
+ # driver: bridge
+ socket_proxy:
+ name: socket_proxy
+ driver: bridge
+ ipam:
+ config:
+ - subnet: $SOCKET_PROXY_SUBNET
+ gateway: $SOCKET_PROXY_GATEWAY
+########################### VOLUMES
+volumes:
+ traefik-logs: {}
+ traefik-acme: {}
+ portainer-data: {}
+
+########################### SECRETS
+secrets:
+ htpasswd:
+ file: $SECRETSDIR/htpasswd
+ cloudflare_email:
+ file: $SECRETSDIR/cloudflare_email
+ cloudflare_api_key:
+ file: $SECRETSDIR/cloudflare_api_key
+ cloudflare_api_token:
+ file: $SECRETSDIR/cloudflare_api_token
+ authelia_jwt_secret:
+ file: $SECRETSDIR/authelia_jwt_secret
+ authelia_session_secret:
+ file: $SECRETSDIR/authelia_session_secret
+ authelia_ldap_password:
+ file: $SECRETSDIR/authelia_ldap_password
+ authelia_storage_encryption_key:
+ file: $SECRETSDIR/authelia_storage_encryption_key
+ authelia_storage_mysql_password:
+ file: $DOCKERDIR/secrets/authelia_storage_mysql_password
+# authelia_notifier_smtp_password:
+# file: $DOCKERDIR/secrets/authelia_notifier_smtp_password
+# authelia_duo_api_secret_key:
+# file: $DOCKERDIR/secrets/authelia_duo_api_secret_key
+########################### SERVICES
+services:
+ # Traefik 2 - Reverse Proxy
+ # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
+ # touch $DOCKERDIR/traefik2/acme/acme.json
+ # chmod 600 $DOCKERDIR/traefik2/acme/acme.json
+ # touch $DOCKERDIR/traefik2/traefik.log
+ traefik:
+ container_name: traefik
+ image: traefik:latest
+ restart: always
+ command: # CLI arguments
+ - --global.checkNewVersion=true
+ - --global.sendAnonymousUsage=false
+ - --entryPoints.http.address=:80
+ - --entryPoints.https.address=:443
+ - --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IP_RANGES
+ - --entryPoints.traefik.address=:8080
+ - --entryPoints.metrics.address=:8082
+ - --entryPoints.gelf.address=:12201
+ - --entryPoints.syslog.address=:15514
+ - --entryPoints.beats.address=:5050
+ - --metrics.prometheus.entryPoint=metrics
+ #- --entryPoints.ping.address=:8081
+ - --api=true
+ #- --api.insecure=true
+ - --api.dashboard=true
+ #- --ping=true
+ #- --ping.entryPoint=ping
+ #- --pilot.token=$TRAEFIK_PILOT_TOKEN
+ - --serversTransport.insecureSkipVerify=true
+ - --log=true
+ - --log.filePath=/var/log/traefik/debug.log
+ - --log.format=json
+ - --log.level=WARN # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
+ - --accessLog=true
+ - --accessLog.filePath=/var/log/traefik/access.log
+ - --accessLog.format=json
+ #- --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
+ #- --accessLog.filters.statusCodes=400-499
+ - --providers.docker=true
+ - --providers.docker.endpoint=$DOCKER_ENDPOINT # Use Docker Socket Proxy instead for improved security
+ # Automatically set Host rule for services
+ # - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME0`)
+ - --providers.docker.exposedByDefault=false
+ # - --entrypoints.https.http.middlewares=chain-oauth@file
+ - --entrypoints.https.http.tls.options=tls-opts@file
+ # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
+ - --entrypoints.https.http.tls.certresolver=$CERTRESOLVER
+ - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME0
+ - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME0
+ - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME1 # Pulls main cert for second domain
+ - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME1 # Pulls wildcard cert for second domain
+ - --providers.docker.network=proxy
+ - --providers.docker.swarmMode=false
+ - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory
+ # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file
+ - --providers.file.watch=true # Only works on top level files in the rules folder
+ #- --certificatesResolvers.$CERTRESOLVER.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
+ - --certificatesResolvers.$CERTRESOLVER.acme.email=$CLOUDFLARE_EMAIL
+ - --certificatesResolvers.$CERTRESOLVER.acme.storage=/etc/traefik/acme/acme.json
+ - --certificatesresolvers.$CERTRESOLVER.acme.dnschallenge=true
+ - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.provider=$DNS_PROVIDER
+ - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.resolvers=$RESOLVER0 #,$RESOLVER1
+ - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
+ networks:
+ proxy:
+ ipv4_address: $TRAEFIK_PROXY_IP # You can specify a static IP
+ socket_proxy:
+ ipv4_address: $TRAEFIK_SOCKET_PROXY_IP
+ security_opt:
+ - no-new-privileges:true
+ #healthcheck:
+ # test: wget --quiet --tries=1 --spider http://ping.127.0.0.1.nip.io/ping || exit 1
+ # interval: 10s
+ # timeout: 1s
+ # retries: 3
+ # start_period: 10s
+ #test: ["CMD", "traefik", "healthcheck", "--ping"]
+ #interval: 5s
+ #retries: 3
+ ports:
+ - "80:80"
+ - "443:443"
+ - "8080:8080"
+ #- "8081:8081"
+ - "8082:8082"
+ - "12201:12201"
+ - "5050:5050"
+ - "15514:15514"
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - $DOCKERDIR/appdata/traefik2/rules:/rules # file provider directory
+ - traefik-logs:/var/log/traefik
+ - traefik-acme:/etc/traefik/acme
+ #- $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
+ #- $DOCKERDIR/appdata/traefik2/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container
+ - $DOCKERDIR/shared:/shared
+ environment:
+ - TZ=$TZ
+ - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
+ - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
+ - CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_api_token
+ - HTPASSWD_FILE=/run/secrets/htpasswd # HTPASSWD_FILE can be whatever as it is not used/called anywhere.
+ secrets:
+ - cloudflare_email
+ - cloudflare_api_key
+ - cloudflare_api_token
+ - htpasswd
+ labels:
+ #- "autoheal=true"
+ - "traefik.enable=true"
+ # HTTP-to-HTTPS Redirect
+ - "traefik.http.routers.http-catchall.entrypoints=http"
+ - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
+ - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
+ - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+ # HTTP Routers
+ - "traefik.http.routers.traefik-rtr.entrypoints=https"
+ - "traefik.http.routers.traefik-rtr.rule=Host(`$TRAEFIK_HOSTNAME$DOMAINNAME1`)"
+ ## Services - API
+ - "traefik.http.routers.traefik-rtr.service=api@internal"
+ ## Healthcheck/ping
+ #- "traefik.http.routers.ping.rule=Host(`ping.127.0.0.1.nip.io) && Path(`/ping`)"
+ #- "traefik.http.routers.ping.service=ping@internal"
+ #- "traefik.http.routers.ping.tls=false"
+ #- "traefik.http.routers.ping.entrypoints=ping"
+ ## Middlewares
+ - "traefik.http.routers.traefik-rtr.middlewares=chain-no-auth@file"
+ #- "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file"
+ # Docker Socket Proxy - Security Enchanced Proxy for Docker Socket
+ socket-proxy:
+ container_name: socket-proxy
+ image: ghcr.io/tecnativa/docker-socket-proxy:edge
+ restart: always
+ networks:
+ socket_proxy:
+ ipv4_address: $SOCKET_PROXY_IP # You can specify a static IP
+ privileged: true
+ #ports:
+ # - "127.0.0.1:2375:2375" # Port 2375 should only ever get exposed to the internal network. When possible use this line.
+ # I use the next line instead, as I want portainer to manage multiple docker endpoints within my home network.
+ # - "2375:2375"
+ volumes:
+ - "/var/run/docker.sock:/var/run/docker.sock"
+ environment:
+ - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
+ ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
+ # 0 to revoke access.
+ # 1 to grant access.
+ ## Granted by Default
+ - EVENTS=1
+ - PING=1
+ - VERSION=1
+ ## Revoked by Default
+ # Security critical
+ - AUTH=0
+ - SECRETS=0
+ - POST=1 # Ouroboros
+ # Not always needed
+ - BUILD=0
+ - COMMIT=0
+ - CONFIGS=0
+ - CONTAINERS=1 # Traefik, portainer, etc.
+ - DISTRIBUTION=0
+ - EXEC=1
+ - IMAGES=1 # Portainer
+ - INFO=1 # Portainer
+ - NETWORKS=1 # Portainer
+ - NODES=0
+ - PLUGINS=0
+ - SERVICES=1 # Portainer
+ - SESSION=0
+ - SWARM=0
+ - SYSTEM=0
+ - TASKS=1 # Portaienr
+ - VOLUMES=1 # Portainer
+
+ # Portainer - WebUI for Containers
+ portainer:
+ container_name: portainer
+ image: portainer/portainer-ce:latest
+ restart: unless-stopped
+ command: -H $DOCKER_ENDPOINT # Use Docker Socket Proxy instead for improved security
+ networks:
+ proxy:
+ ipv4_address: $PORTAINER_PROXY_IP
+ socket_proxy:
+ ipv4_address: $PORTAINER_SOCKET_PROXY_IP
+ security_opt:
+ - no-new-privileges:true
+ ports:
+ - "9020:9000"
+ volumes:
+ - portainer-data:/data
+# - $DOCKERDIR/appdata/portainer:/data # Change to local directory if you want to save/transfer config locally
+ environment:
+ - TZ=$TZ
+ labels:
+ - "traefik.enable=true"
+ ## HTTP Routers
+ - "traefik.http.routers.portainer-rtr.entrypoints=https"
+ - "traefik.http.routers.portainer-rtr.rule=Host(`$PORTAINER_HOSTNAME$DOMAINNAME1`)"
+ ## Middlewares
+ - "traefik.http.routers.portainer-rtr.middlewares=chain-authelia@file"
+ #- "traefik.http.routers.portainer-rtr.middlewares=chain-no-auth@file"
+ ## HTTP Services
+ - "traefik.http.routers.portainer-rtr.service=portainer-svc"
+ - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000"
+ # Authelia (Lite) - Self-Hosted Single Sign-On and Two-Factor Authentication
+ authelia:
+ container_name: authelia
+ # Check this before upgrading: https://github.com/authelia/authelia/blob/master/BREAKING.md
+ image: authelia/authelia:latest
+ restart: always
+ networks:
+ proxy:
+ ipv4_address: $AUTHELIA_IP # You can specify a static IP
+ #default:
+ # ports:
+ # - "9091:9091"
+ volumes:
+ - $DOCKERDIR/appdata/authelia:/config
+ environment:
+ - TZ=$TZ
+ - AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret
+ - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret
+ - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/authelia_storage_encryption_key
+ - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/run/secrets/authelia_ldap_password
+ - AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/run/secrets/authelia_storage_mysql_password
+# - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/authelia_notifier_smtp_password
+# - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/authelia_duo_api_secret_key
+# - AUTHELIA_TLS_KEY_FILE
+# - AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE
+# - AUTHELIA_SESSION_REDIS_PASSWORD_FILE
+# - AUTHELIA_REDIS_HIGH_AVAILABILITY_SENTINEL_PASSWORD_FILE
+# - AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
+# - AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
+
+ secrets:
+ - authelia_jwt_secret
+ - authelia_session_secret
+ - authelia_storage_encryption_key
+ - authelia_ldap_password
+ - authelia_storage_mysql_password
+# - authelia_notifier_smtp_password
+# - authelia_duo_api_secret_key
+ labels:
+ - "traefik.enable=true"
+ ## HTTP Routers
+ - "traefik.http.routers.authelia-rtr.entrypoints=https"
+ - "traefik.http.routers.authelia-rtr.rule=Host(`$AUTHELIA_HOSTNAME$DOMAINNAME1`)"
+ - "traefik.http.routers.authelia-rtr.tls=true"
+ ## Middlewares
+ - "traefik.http.routers.authelia-rtr.middlewares=chain-no-auth@file"
+ #chain-authelia@file"
+ ## HTTP Services
+ - "traefik.http.routers.authelia-rtr.service=authelia-svc"
+ - "traefik.http.services.authelia-svc.loadbalancer.server.port=9091"
diff --git a/config/docker/2022/zabbix.yml b/config/docker/2022/zabbix.yml
new file mode 100644
index 0000000..9dbe5c3
--- /dev/null
+++ b/config/docker/2022/zabbix.yml
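Review bot: In base-stack.yml the `socket-proxy` service sets `POST=1` and `EXEC=1` and runs `privileged: true`, and both `traefik` and `portainer` are attached to the `socket_proxy` network, so the internet-facing reverse proxy can reach a Docker API surface that allows creating containers and exec'ing into them, which is the host-level access the socket proxy is meant to withhold. Traefik's Docker provider only reads container metadata, so consider a second, read-only proxy instance for it (`POST=0`, `EXEC=0`) and mounting the socket as `"/var/run/docker.sock:/var/run/docker.sock:ro"`. Separately, `traefik-rtr` routes `api@internal` through `chain-no-auth@file` while the `chain-authelia@file` line is commented out, so the dashboard appears to be reachable without authentication unless the file-provider chain (not part of this diff) adds it. `--serversTransport.insecureSkipVerify=true` turns off backend certificate verification for every service and deserves at least a comment saying which backend needs it.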
@@ -0,0 +1,546 @@
+# mkdir -P zabbix/{alertscripts,externalscripts,dbscripts,export,modules,enc,ssh_keys,mibs}
+version: '3.5'
+services:
+# zabbix-server
+ zabbix-server:
+ image: zabbix/zabbix-server-mysql:alpine-6.2-latest
+ ports:
+ - "10051:10051"
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - /etc/timezone:/etc/timezone:ro
+ - /gurulandia/data/docker/zabbix/alertscripts:/usr/lib/zabbix/alertscripts:ro
+ - /gurulandia/data/docker/zabbix/externalscripts:/usr/lib/zabbix/externalscripts:ro
+ - /gurulandia/data/docker/zabbix/dbscripts:/var/lib/zabbix/dbscripts:ro
+ - /gurulandia/data/docker/zabbix/export:/var/lib/zabbix/export:rw
+ - /gurulandia/data/docker/zabbix/modules:/var/lib/zabbix/modules:ro
+ - /gurulandia/data/docker/zabbix/enc:/var/lib/zabbix/enc:ro
+ - /gurulandia/data/docker/zabbix/ssh_keys:/var/lib/zabbix/ssh_keys:ro
+ - /gurulandia/data/docker/zabbix/mibs:/var/lib/zabbix/mibs:ro
+ - snmptraps:/var/lib/zabbix/snmptraps:rw
+ ulimits:
+ nproc: 65535
+ nofile:
+ soft: 20000
+ hard: 40000
+ deploy:
+ resources:
+ limits:
+ cpus: '0.70'
+ memory: 1G
+ reservations:
+ memory: 512M
+ environment:
+ DB_SERVER_HOST: mysql-server
+ DB_SERVER_PORT: 3306
+ MYSQL_USER: zabbix
+ MYSQL_PASSWORD: zabbix
+ MYSQL_ROOT_PASSWORD: root_pwd
+ MYSQL_DATABASE: zabbix
+ ZBX_JAVAGATEWAY_ENABLE: "true"
+ ZBX_STARTJAVAPOLLERS: 5
+ ZBX_ENABLE_SNMP_TRAPS: "true"
+# env_file:
+# - ./env_vars/.env_db_mysql
+# - ./env_vars/.env_srv
+# secrets:
+# - MYSQL_USER
+# - MYSQL_PASSWORD
+# - MYSQL_ROOT_USER
+# - MYSQL_ROOT_PASSWORD
+# - client-key.pem
+# - client-cert.pem
+# - root-ca.pem
+ depends_on:
+ - mysql-server
+ networks:
+ zbx_net_backend:
+ aliases:
+ - zabbix-server
+ - zabbix-server-mysql
+ - zabbix-server-alpine-mysql
+ - zabbix-server-mysql-alpine
+ zbx_net_frontend:
+# devices:
+# - "/dev/ttyUSB0:/dev/ttyUSB0"
+ stop_grace_period: 30s
+ sysctls:
+ - net.ipv4.ip_local_port_range=1024 65000
+ - net.ipv4.conf.all.accept_redirects=0
+ - net.ipv4.conf.all.secure_redirects=0
+ - net.ipv4.conf.all.send_redirects=0
+ labels:
+ com.zabbix.description: "Zabbix server with MySQL database support"
+ com.zabbix.company: "Zabbix LLC"
+ com.zabbix.component: "zabbix-server"
+ com.zabbix.dbtype: "mysql"
+ com.zabbix.os: "alpine"
+# zabbix-proxy-sqlite3
+ zabbix-proxy-sqlite3:
+ image: zabbix/zabbix-proxy-sqlite3:alpine-6.2-latest
+ profiles:
+ - all
+ ports:
+ - "10061:10051"
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - /etc/timezone:/etc/timezone:ro
+ - /gurulandia/data/docker/zabbix/externalscripts:/usr/lib/zabbix/externalscripts:ro
+ - /gurulandia/data/docker/zabbix/modules:/var/lib/zabbix/modules:ro
+ - /gurulandia/data/docker/zabbix/enc:/var/lib/zabbix/enc:ro
+ - /gurulandia/data/docker/zabbix/ssh_keys:/var/lib/zabbix/ssh_keys:ro
+ - /gurulandia/data/docker/zabbix/mibs:/var/lib/zabbix/mibs:ro
+ - snmptraps:/var/lib/zabbix/snmptraps:rw
+ ulimits:
+ nproc: 65535
+ nofile:
+ soft: 20000
+ hard: 40000
+ deploy:
+ resources:
+ limits:
+ cpus: '0.70'
+ memory: 512M
+ reservations:
+ memory: 256M
+ #env_file:
+ # - ./env_vars/.env_prx
+ # - ./env_vars/.env_prx_sqlite3
+ depends_on:
+ - zabbix-java-gateway
+ - zabbix-snmptraps
+ networks:
+ zbx_net_backend:
+ aliases:
+ - zabbix-proxy-sqlite3
+ - zabbix-proxy-alpine-sqlite3
+ - zabbix-proxy-sqlite3-alpine
+ zbx_net_frontend:
+ stop_grace_period: 30s
+ labels:
+ com.zabbix.description: "Zabbix proxy with SQLite3 database support"
+ com.zabbix.company: "Zabbix LLC"
+ com.zabbix.component: "zabbix-proxy"
+ com.zabbix.dbtype: "sqlite3"
+ com.zabbix.os: "alpine"
+#zabbix-proxy-mysql:
+
+ zabbix-proxy-mysql:
+ image: zabbix/zabbix-proxy-mysql:alpine-6.2-latest
+ #profiles:
+ # - all
+ ports:
+ - "10071:10051"
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - /etc/timezone:/etc/timezone:ro
+ - /gurulandia/data/docker/zabbix/externalscripts:/usr/lib/zabbix/externalscripts:ro
+ - /gurulandia/data/docker/zabbix/modules:/var/lib/zabbix/modules:ro
+ - /gurulandia/data/docker/zabbix/enc:/var/lib/zabbix/enc:ro
+ - /gurulandia/data/docker/zabbix/ssh_keys:/var/lib/zabbix/ssh_keys:ro
+ - /gurulandia/data/docker/zabbix/mibs:/var/lib/zabbix/mibs:ro
+ - snmptraps:/var/lib/zabbix/snmptraps:rw
+ ulimits:
+ nproc: 65535
+ nofile:
+ soft: 20000
+ hard: 40000
+ deploy:
+ resources:
+ limits:
+ cpus: '0.70'
+ memory: 512M
+ reservations:
+ memory: 256M
+ environment:
+ MYSQL_USER: zabbix
+ MYSQL_PASSWORD: zabbix
+ MYSQL_ROOT_PASSWORD: root_pwd
+ MYSQL_DATABASE: zabbix_proxy
+ #env_file:
+ # - ./env_vars/.env_db_mysql_proxy
+ # - ./env_vars/.env_prx
+ # - ./env_vars/.env_prx_mysql
+ depends_on:
+ - mysql-server
+ - zabbix-java-gateway
+ - zabbix-snmptraps
+# secrets:
+# - MYSQL_USER
+# - MYSQL_PASSWORD
+# - MYSQL_ROOT_USER
+# - MYSQL_ROOT_PASSWORD
+# - client-key.pem
+# - client-cert.pem
+# - root-ca.pem
+ networks:
+ zbx_net_backend:
+ aliases:
+ - zabbix-proxy-mysql
+ - zabbix-proxy-alpine-mysql
+ - zabbix-proxy-mysql-alpine
+ zbx_net_frontend:
+ stop_grace_period: 30s
+ labels:
+ com.zabbix.description: "Zabbix proxy with MySQL database support"
+ com.zabbix.company: "Zabbix LLC"
+ com.zabbix.component: "zabbix-proxy"
+ com.zabbix.dbtype: "mysql"
+ com.zabbix.os: "alpine"
+# zabbix-web-apache-mysql:
+ zabbix-web-apache-mysql:
+ image: zabbix/zabbix-web-apache-mysql:alpine-6.2-latest
+ profiles:
+ - all
+ ports:
+ - "8081:8080"
+ - "8443:8443"
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - /etc/timezone:/etc/timezone:ro
+ - /gurulandia/data/docker/zabbix/etc/ssl/apache2:/etc/ssl/apache2:ro
+ - /gurulandia/data/docker/zabbix/usr/share/zabbix/modules/:/usr/share/zabbix/modules/:ro
+ deploy:
+ resources:
+ limits:
+ cpus: '0.70'
+ memory: 512M
+ reservations:
+ memory: 256M
+ environment:
+ DB_SERVER_HOST: mysql-server
+ DB_SERVER_PORT: 3306
+ MYSQL_USER: zabbix
+ MYSQL_PASSWORD: zabbix
+ MYSQL_ROOT_PASSWORD: root_pwd
+ MYSQL_DATABASE: zabbix
+ ZBX_SERVER_HOST: zabbix-server
+ ZBX_SERVER_NAME: Composed installation
+ #env_file:
+ # - ./env_vars/.env_db_mysql
+ # - ./env_vars/.env_web
+# secrets:
+# - MYSQL_USER
+# - MYSQL_PASSWORD
+# - client-key.pem
+# - client-cert.pem
+# - root-ca.pem
+ depends_on:
+ - mysql-server
+ - zabbix-server
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost:8080/"]
+ interval: 10s
+ timeout: 5s
+ retries: 3
+ start_period: 30s
+ networks:
+ zbx_net_backend:
+ aliases:
+ - zabbix-web-apache-mysql
+ - zabbix-web-apache-alpine-mysql
+ - zabbix-web-apache-mysql-alpine
+ zbx_net_frontend:
+ stop_grace_period: 10s
+ sysctls:
+ - net.core.somaxconn=65535
+ labels:
+ com.zabbix.description: "Zabbix frontend on Apache web-server with MySQL database support"
+ com.zabbix.company: "Zabbix LLC"
+ com.zabbix.component: "zabbix-frontend"
+ com.zabbix.webserver: "apache2"
+ com.zabbix.dbtype: "mysql"
+ com.zabbix.os: "alpine"
+#zabbix-web-nginx-mysql:
+ zabbix-web-nginx-mysql:
+ image: zabbix/zabbix-web-nginx-mysql:alpine-6.2-latest
+ ports:
+ - "8300:8080"
+ - "8443:8443"
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - /etc/timezone:/etc/timezone:ro
+ - /gurulandia/data/docker/zabbix/etc/ssl/nginx:/etc/ssl/nginx:ro
+ - /gurulandia/data/docker/zabbix/usr/share/zabbix/modules/:/usr/share/zabbix/modules/:ro
+ deploy:
+ resources:
+ limits:
+ cpus: '0.70'
+ memory: 512M
+ reservations:
+ memory: 256M
+ environment:
+ DB_SERVER_HOST: mysql-server
+ DB_SERVER_PORT: 3306
+ MYSQL_USER: zabbix
+ MYSQL_PASSWORD: zabbix
+ MYSQL_ROOT_PASSWORD: root_pwd
+ MYSQL_DATABASE: zabbix
+ ZBX_SERVER_HOST: zabbix-server
+ ZBX_SERVER_NAME: Composed installation
+# env_file:
+# - ./env_vars/.env_db_mysql
+# secrets:
+# - MYSQL_USER
+# - MYSQL_PASSWORD
+# - client-key.pem
+# - client-cert.pem
+# - root-ca.pem
+ depends_on:
+ - mysql-server
+ - zabbix-server
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost:8080/ping"]
+ interval: 10s
+ timeout: 5s
+ retries: 3
+ start_period: 30s
+ networks:
+ zbx_net_backend:
+ aliases:
+ - zabbix-web-nginx-mysql
+ - zabbix-web-nginx-alpine-mysql
+ - zabbix-web-nginx-mysql-alpine
+ zbx_net_frontend:
+ stop_grace_period: 10s
+ sysctls:
+ - net.core.somaxconn=65535
+ labels:
+ com.zabbix.description: "Zabbix frontend on Nginx web-server with MySQL database support"
+ com.zabbix.company: "Zabbix LLC"
+ com.zabbix.component: "zabbix-frontend"
+ com.zabbix.webserver: "nginx"
+ com.zabbix.dbtype: "mysql"
+ com.zabbix.os: "alpine"
+
+ zabbix-agent:
+ image: zabbix/zabbix-agent:alpine-6.2-latest
+ #profiles:
+ #- full
+ #- all
+ ports:
+ - "10050:10050"
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - /etc/timezone:/etc/timezone:ro
+ - /gurulandia/data/docker/zabbix/zabbix_agentd.d:/etc/zabbix/zabbix_agentd.d:ro
+ - /gurulandia/data/docker/zabbix/modules:/var/lib/zabbix/modules:ro
+ - /gurulandia/data/docker/zabbix/enc:/var/lib/zabbix/enc:ro
+ - /gurulandia/data/docker/zabbix/ssh_keys:/var/lib/zabbix/ssh_keys:ro
+ environment:
+ ZBX_SERVER_HOST: zabbix-server
+ deploy:
+ resources:
+ limits:
+ cpus: '0.2'
+ memory: 128M
+ reservations:
+ memory: 64M
+ mode: global
+ #env_file:
+ # - ./env_vars/.env_agent
+ privileged: true
+ pid: "host"
+ networks:
+ zbx_net_backend:
+ aliases:
+ - zabbix-agent
+ - zabbix-agent-passive
+ - zabbix-agent-alpine
+ stop_grace_period: 5s
+ labels:
+ com.zabbix.description: "Zabbix agent"
+ com.zabbix.company: "Zabbix LLC"
+ com.zabbix.component: "zabbix-agentd"
+ com.zabbix.os: "alpine"
+
+ zabbix-java-gateway:
+ image: zabbix/zabbix-java-gateway:alpine-6.2-latest
+ #profiles:
+ #- full
+ #- all
+ ports:
+ - "10052:10052"
+ deploy:
+ resources:
+ limits:
+ cpus: '0.5'
+ memory: 512M
+ reservations:
+# cpus: '0.25'
+ memory: 256M
+ #env_file:
+ # - ./env_vars/.env_java
+ networks:
+ zbx_net_backend:
+ aliases:
+ - zabbix-java-gateway
+ - zabbix-java-gateway-alpine
+ stop_grace_period: 5s
+ labels:
+ com.zabbix.description: "Zabbix Java Gateway"
+ com.zabbix.company: "Zabbix LLC"
+ com.zabbix.component: "java-gateway"
+ com.zabbix.os: "alpine"
+
+ zabbix-snmptraps:
+ image: zabbix/zabbix-snmptraps:alpine-6.2-latest
+ #profiles:
+ # - full
+ # - all
+ ports:
+ - "162:1162/udp"
+ volumes:
+ - snmptraps:/var/lib/zabbix/snmptraps:rw
+ deploy:
+ resources:
+ limits:
+ cpus: '0.5'
+ memory: 256M
+ reservations:
+# cpus: '0.25'
+ memory: 128M
+ networks:
+ zbx_net_frontend:
+ aliases:
+ - zabbix-snmptraps
+ zbx_net_backend:
+ stop_grace_period: 5s
+ labels:
+ com.zabbix.description: "Zabbix snmptraps"
+ com.zabbix.company: "Zabbix LLC"
+ com.zabbix.component: "snmptraps"
+ com.zabbix.os: "alpine"
+
+ zabbix-web-service:
+ image: zabbix/zabbix-web-service:alpine-6.2-latest
+ #profiles:
+ # - full
+ # - all
+ ports:
+ - "10053:10053"
+ volumes:
+ - /gurulandia/data/docker/zabbix/enc:/var/lib/zabbix/enc:ro
+ security_opt:
+ - seccomp:/gurulandia/data/docker/zabbix/chrome_dp.json
+ deploy:
+ resources:
+ limits:
+ cpus: '0.5'
+ memory: 512M
+ reservations:
+# cpus: '0.25'
+ memory: 256M
+ environment:
+ ZBX_ALLOWEDIP: zabbix-server
+# env_file:
+# - ./env_vars/.env_web_service
+ networks:
+ zbx_net_backend:
+ aliases:
+ - zabbix-web-service
+ - zabbix-web-service-alpine
+ stop_grace_period: 5s
+ labels:
+ com.zabbix.description: "Zabbix web service"
+ com.zabbix.company: "Zabbix LLC"
+ com.zabbix.component: "web-service"
+ com.zabbix.os: "alpine"
+
+ mysql-server:
+ image: mysql:8.0-oracle
+ command:
+ - mysqld
+ - --character-set-server=utf8mb4
+ - --collation-server=utf8mb4_bin
+ - --skip-character-set-client-handshake
+ - --default-authentication-plugin=mysql_native_password
+# - --require-secure-transport
+# - --ssl-ca=/run/secrets/root-ca.pem
+# - --ssl-cert=/run/secrets/server-cert.pem
+# - --ssl-key=/run/secrets/server-key.pem
+ volumes:
+ - /gurulandia/data/docker/zabbix/db:/var/lib/mysql:rw
+ environment:
+ DB_SERVER_HOST: mysql-server
+ DB_SERVER_PORT: 3306
+ MYSQL_USER: zabbix
+ MYSQL_PASSWORD: zabbix
+ MYSQL_ROOT_PASSWORD: root_pwd
+ MYSQL_DATABASE: zabbix
+# env_file:
+# - ./env_vars/.env_db_mysql
+# secrets:
+# - MYSQL_USER
+# - MYSQL_PASSWORD
+# - MYSQL_ROOT_PASSWORD
+# - server-key.pem
+# - server-cert.pem
+# - root-ca.pem
+ stop_grace_period: 1m
+ networks:
+ zbx_net_backend:
+ aliases:
+ - mysql-server
+ - zabbix-database
+ - mysql-database
+
+ db_data_mysql:
+ image: busybox
+ volumes:
+ - /gurulandia/data/docker/zabbix/db:/var/lib/mysql:rw
+
+# elasticsearch:
+# image: elasticsearch
+# profiles:
+# - full
+# - all
+# environment:
+# - transport.host=0.0.0.0
+# - discovery.zen.minimum_master_nodes=1
+# networks:
+# zbx_net_backend:
+# aliases:
+# - elasticsearch
+
+networks:
+ zbx_net_frontend:
+ driver: bridge
+ driver_opts:
+ com.docker.network.enable_ipv6: "false"
+ ipam:
+ driver: default
+ config:
+ - subnet: 172.16.238.0/24
+ zbx_net_backend:
+ driver: bridge
+ driver_opts:
+ com.docker.network.enable_ipv6: "false"
+ internal: true
+ ipam:
+ driver: default
+ config:
+ - subnet: 172.16.239.0/24
+
+volumes:
+ snmptraps:
+
+#secrets:
+# MYSQL_USER:
+# file: ./env_vars/.MYSQL_USER
+# MYSQL_PASSWORD:
+# file: ./env_vars/.MYSQL_PASSWORD
+# MYSQL_ROOT_USER:
+# file: ./env_vars/.MYSQL_ROOT_USER
+# MYSQL_ROOT_PASSWORD:
+# file: ./env_vars/.MYSQL_ROOT_PASSWORD
+# client-key.pem:
+# file: ./env_vars/.ZBX_DB_KEY_FILE
+# client-cert.pem:
+# file: ./env_vars/.ZBX_DB_CERT_FILE
+# root-ca.pem:
+# file: ./env_vars/.ZBX_DB_CA_FILE
+# server-cert.pem:
+# file: ./env_vars/.DB_CERT_FILE
+# server-key.pem:
+# file: ./env_vars/.DB_KEY_FILE
\ No newline at end of file
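Review bot: zabbix.yml commits `MYSQL_PASSWORD: zabbix` and `MYSQL_ROOT_PASSWORD: root_pwd` in plain text in five services (`zabbix-server`, `zabbix-proxy-mysql`, both `zabbix-web-*` frontends and `mysql-server`), while the `secrets:` and `env_file:` blocks that would keep them out of the repository are commented out. Uncommenting the top-level `secrets:` section and switching to the file variants, e.g. `MYSQL_PASSWORD_FILE: /run/secrets/MYSQL_PASSWORD`, removes the literals. The commented secret lists for the frontends name only `MYSQL_USER` and `MYSQL_PASSWORD`, so `MYSQL_ROOT_PASSWORD` can be dropped from those two services altogether. `zabbix-agent` runs with `privileged: true` and `pid: "host"` while publishing `10050:10050` on all interfaces; if only the bundled server polls it, the `ports:` entry can go. Both web frontends map `"8443:8443"`, so enabling the `all` profile will fail on the port clash.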