diff --git a/config/docker/2022/yml-files/docker-compose.template.yml b/config/docker/2022/yml-files/docker-compose.template.yml new file mode 100644 index 0000000..d7795d8 --- /dev/null +++ b/config/docker/2022/yml-files/docker-compose.template.yml @@ -0,0 +1,66 @@ +version: "3.7" +########################### NETWORKS +# There is no need to create any networks outside this docker-compose file. +# You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please. +# Docker Compose version 3.5 or higher required to define networks this way. +networks: + gl_proxy: + name: gl_proxy + driver: bridge + ipam: + config: + - subnet: $GL_PROXY_SUBNET + - gateway: $GL_PROXY_GATEWAY + default: + driver: bridge + gl_socket_proxy: + name: gl_socket_proxy + driver: bridge + ipam: + config: + - subnet: $GL_SOCKET_PROXY_SUBNET + - gateway: $GL_SOCKET_PROXY_GATEWAY + +########################### SECRETS +#secrets: +# htpasswd: +# file: $SECRETSDIR/htpasswd +# authelia_jwt_secret: +# file: $SECRETSDIR/authelia_jwt_secret +# authelia_session_secret: +# file: $SECRETSDIR/authelia_session_secret +# authelia_storage_mysql_password: +# file: $DOCKERDIR/secrets/authelia_storage_mysql_password +# authelia_notifier_smtp_password: +# file: $DOCKERDIR/secrets/authelia_notifier_smtp_password +# authelia_duo_api_secret_key: +# file: $DOCKERDIR/secrets/authelia_duo_api_secret_key +########################### SERVICES +services: + $APP: + container_name: $CONTAINER_NAME + image: $IMAGE + restart: unless-stopped + networks: + gl_proxy: + ipv4_address: $APP_IP + security_opt: + - no-new-privileges:true + # ports: + # - "$HEIMDALL_PORT:80" + volumes: + - $DOCKERDIR/appdata/$APP:/config + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.$APP-rtr.entrypoints=https" + - "traefik.http.routers.$APP-rtr.rule=HostHeader(`$NAME.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.$APP-rtr.middlewares=chain-authelia@file" + ## HTTP Services + - "traefik.http.routers.$APP-rtr.service=$APP-svc" + - "traefik.http.services.$APP-svc.loadbalancer.server.port=$PORT" \ No newline at end of file diff --git a/config/docker/2022/yml-files/docker-compose.yml b/config/docker/2022/yml-files/docker-compose.yml new file mode 100644 index 0000000..7af8b05 --- /dev/null +++ b/config/docker/2022/yml-files/docker-compose.yml @@ -0,0 +1,364 @@ +version: "3.7" +########################### NETWORKS +# There is no need to create any networks outside this docker-compose file. +# You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please. +# Docker Compose version 3.5 or higher required to define networks this way. +networks: + gl_proxy: + name: gl_proxy + driver: bridge + ipam: + config: + - subnet: $GL_PROXY_SUBNET + - gateway: $GL_PROXY_GATEWAY + default: + driver: bridge + gl_socket_proxy: + name: gl_socket_proxy + driver: bridge + ipam: + config: + - subnet: $GL_SOCKET_PROXY_SUBNET + - gateway: $GL_SOCKET_PROXY_GATEWAY + +########################### SECRETS +secrets: + htpasswd: + file: $SECRETSDIR/htpasswd + cloudflare_email: + file: $SECRETSDIR/cloudflare_email + cloudflare_api_key: + file: $SECRETSDIR/cloudflare_api_key + cloudflare_api_token: + file: $SECRETSDIR/secrets/cloudflare_api_token + authelia_jwt_secret: + file: $SECRETSDIR/authelia_jwt_secret + authelia_session_secret: + file: $SECRETSDIR/authelia_session_secret +# authelia_storage_mysql_password: +# file: $DOCKERDIR/secrets/authelia_storage_mysql_password +# authelia_notifier_smtp_password: +# file: $DOCKERDIR/secrets/authelia_notifier_smtp_password +# authelia_duo_api_secret_key: +# file: $DOCKERDIR/secrets/authelia_duo_api_secret_key +# vscode_passwd: +# file: $SECRETSDIR/vscode_passwd +########################### SERVICES +services: + ############################# FRONTENDS + + # Traefik 2 - Reverse Proxy + # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600. + # touch $DOCKERDIR/traefik2/acme/acme.json + # chmod 600 $DOCKERDIR/traefik2/acme/acme.json + # touch $DOCKERDIR/traefik2/traefik.log + traefik: + container_name: gl-traefik + image: traefik:latest + #image: traefik:livarot # picodon v2.3.x # chevrotin v2.2.x + restart: always + command: # CLI arguments + - --global.checkNewVersion=true + - --global.sendAnonymousUsage=true + - --entryPoints.http.address=:80 + - --entryPoints.https.address=:443 + #- --entrypoints.https.forwardedHeaders.trustedIPs=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 + - --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IP_RANGES + - --entryPoints.traefik.address=:8080 + # - --entryPoints.ping.address=:8081 + - --api=true + # - --api.insecure=true + - --api.dashboard=true + #- --ping=true + #- --pilot.token=$TRAEFIK_PILOT_TOKEN + # - --serversTransport.insecureSkipVerify=true + #- --log=true + #- --log.level=WARN # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC + #- --accessLog=true + #- --accessLog.filePath=/traefik.log + #- --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines + #- --accessLog.filters.statusCodes=400-499 + - --providers.docker=true + - --providers.docker.endpoint=$DOCKER_ENDPOINT # Use Docker Socket Proxy instead for improved security + # Automatically set Host rule for services + # - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME0`) + - --providers.docker.exposedByDefault=false + # - --entrypoints.https.http.middlewares=chain-oauth@file + - --entrypoints.https.http.tls.options=tls-opts@file + # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services + - --entrypoints.https.http.tls.certresolver=$CERTRESOLVER + - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME0 + - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME0 + # - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME1 # Pulls main cert for second domain + # - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME1 # Pulls wildcard cert for second domain + - --providers.docker.network=gl_proxy + - --providers.docker.swarmMode=false + - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory + # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file + - --providers.file.watch=true # Only works on top level files in the rules folder + # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing + - --certificatesResolvers.$CERTRESOLVER.acme.email=$CLOUDFLARE_EMAIL + - --certificatesResolvers.$CERTRESOLVER.acme.storage=/acme.json + - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.provider=$DNS_PROVIDER + - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.resolvers=$RESOLVER0 #,$RESOLVER1 + - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate + - --serversTransport.insecureSkipVerify=true + networks: + gl_proxy: + ipv4_address: $TRAEFIK_IP0 # You can specify a static IP + gl_socket_proxy: + ipv4_address: $TRAEFIK_IP1 + security_opt: + - no-new-privileges:true + #healthcheck: + # test: ["CMD", "traefik", "healthcheck", "--ping"] + # interval: 5s + # retries: 3 + ports: + - target: 80 + published: 80 + protocol: tcp + mode: host + - target: 443 + published: 443 + protocol: tcp + mode: host + # - target: 8080 + # published: 8080 + # protocol: tcp + # mode: host + volumes: + - $DOCKERDIR/appdata/traefik2/rules:/rules # file provider directory + - $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600 + #- $DOCKERDIR/appdata/traefik2/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container + - $DOCKERDIR/shared:/shared + environment: + - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email + - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key + - HTPASSWD_FILE=/run/secrets/htpasswd # HTPASSWD_FILE can be whatever as it is not used/called anywhere. + #- DUCKDNS_TOKEN=$DUCKDNS_TOKEN + secrets: + - cloudflare_email + - cloudflare_api_key + - htpasswd + labels: + #- "autoheal=true" + - "traefik.enable=true" + # HTTP-to-HTTPS Redirect + - "traefik.http.routers.http-catchall.entrypoints=http" + - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)" + - "traefik.http.routers.http-catchall.middlewares=redirect-to-https" + - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https" + # HTTP Routers + - "traefik.http.routers.traefik-rtr.entrypoints=https" + - "traefik.http.routers.traefik-rtr.rule=HostHeader(`traefik.$DOMAINNAME0`)" + ## Services - API + - "traefik.http.routers.traefik-rtr.service=api@internal" + ## Healthcheck/ping + #- "traefik.http.routers.ping.rule=Host(`traefik.$DOMAINNAME0`) && Path(`/ping`)" + #- "traefik.http.routers.ping.tls=true" + #- "traefik.http.routers.ping.service=ping@internal" + ## Middlewares + - "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file" + + # Docker Socket Proxy - Security Enchanced Proxy for Docker Socket + socket-proxy: + container_name: gl-socket-proxy + image: tecnativa/docker-socket-proxy + restart: always + networks: + gl_socket_proxy: + ipv4_address: $SOCKET_PROXY_IP # You can specify a static IP + privileged: true + #ports: + # - "127.0.0.1:2375:2375" # Port 2375 should only ever get exposed to the internal network. When possible use this line. + # I use the next line instead, as I want portainer to manage multiple docker endpoints within my home network. + # - "2375:2375" + volumes: + - "/var/run/docker.sock:/var/run/docker.sock" + environment: + - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg + ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.). + # 0 to revoke access. + # 1 to grant access. + ## Granted by Default + - EVENTS=1 + - PING=1 + - VERSION=1 + ## Revoked by Default + # Security critical + - AUTH=0 + - SECRETS=0 + - POST=1 # Ouroboros + # Not always needed + - BUILD=0 + - COMMIT=0 + - CONFIGS=0 + - CONTAINERS=1 # Traefik, portainer, etc. + - DISTRIBUTION=0 + - EXEC=1 + - IMAGES=1 # Portainer + - INFO=1 # Portainer + - NETWORKS=1 # Portainer + - NODES=0 + - PLUGINS=0 + - SERVICES=1 # Portainer + - SESSION=0 + - SWARM=0 + - SYSTEM=0 + - TASKS=1 # Portaienr + - VOLUMES=1 # Portainer + # Authelia (Lite) - Self-Hosted Single Sign-On and Two-Factor Authentication + authelia: + container_name: gl-authelia + # Check this before upgrading: https://github.com/authelia/authelia/blob/master/BREAKING.md + image: authelia/authelia:latest + restart: always + networks: + gl_proxy: + ipv4_address: $AUTHELIA_IP # You can specify a static IP + default: + # ports: + # - "9091:9091" + volumes: + - $DOCKERDIR/appdata/authelia:/config + environment: + - TZ=$TZ + - AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret + - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret +# - AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/run/secrets/authelia_storage_mysql_password +# - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/authelia_notifier_smtp_password +# - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/authelia_duo_api_secret_key + secrets: + - authelia_jwt_secret + - authelia_session_secret +# - authelia_storage_mysql_password +# - authelia_notifier_smtp_password +# - authelia_duo_api_secret_key + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.authelia-rtr.entrypoints=https" + - "traefik.http.routers.authelia-rtr.rule=HostHeader(`auth.$DOMAINNAME0`)" + - "traefik.http.routers.authelia-rtr.tls=true" + ## Middlewares + - "traefik.http.routers.authelia-rtr.middlewares=chain-authelia@file" + ## HTTP Services + - "traefik.http.routers.authelia-rtr.service=authelia-svc" + - "traefik.http.services.authelia-svc.loadbalancer.server.port=9091" + # Portainer - WebUI for Containers + portainer: + container_name: gl-portainer + image: portainer/portainer-ce:latest + restart: unless-stopped + command: -H $DOCKER_ENDPOINT # Use Docker Socket Proxy instead for improved security + networks: + gl_proxy: + ipv4_address: $PORTAINER_IP0 + gl_socket_proxy: + ipv4_address: $PORTAINER_IP1 + security_opt: + - no-new-privileges:true + volumes: + - $DOCKERDIR/appdata/portainer/data:/data # Change to local directory if you want to save/transfer config locally + environment: + - TZ=$TZ + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.portainer-rtr.entrypoints=https" + - "traefik.http.routers.portainer-rtr.rule=HostHeader(`portainer.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.portainer-rtr.middlewares=chain-authelia@file" + ## HTTP Services + - "traefik.http.routers.portainer-rtr.service=portainer-svc" + - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000" + # Heimdall - Unified Frontend Alternative + heimdall: + container_name: gl-heimdall + image: linuxserver/heimdall:latest + restart: unless-stopped + networks: + gl_proxy: + ipv4_address: $HEIMDALL_IP + security_opt: + - no-new-privileges:true + # ports: + # - "$HEIMDALL_PORT:80" + volumes: + - $DOCKERDIR/appdata/heimdall:/config + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.heimdall-rtr.entrypoints=https" + - "traefik.http.routers.heimdall-rtr.rule=HostHeader(`home.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.heimdall-rtr.middlewares=chain-authelia@file" + ## HTTP Services + - "traefik.http.routers.heimdall-rtr.service=heimdall-svc" + - "traefik.http.services.heimdall-svc.loadbalancer.server.port=80" + + # VSCode - VSCode Editing + # sudo chown -R 1000:1000 /home/coder/project + vscode: + image: codercom/code-server:latest + container_name: gl-vscode + restart: always + networks: + gl_proxy: + ipv4_address: $VSCODE_IP + # ports: + # - "$VSCODE_PORT:8080" + volumes: + - $USERDIR/server:/home/coder/server + - $DOCKERDIR:/home/coder/docker + - $DOCKERDIR/appdata/vscode:/home/coder + #- /media/hdd1:/home/coder/hdd1 + environment: + # - PASSWORD_FILE=/run/secrets/vscode_passwd + PASSWORD: $VSCODE_PASSWORD + # Run as root first, create the directories, then change permissions to user:docker and 775. Disable run as root below. + #user: $PUID:$PGID + user: "0" + DOCKER_HOST: $DOCKER_ENDPOINT + #secrets: + # - vscode_passwd + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.vscode-rtr.entrypoints=https" + - "traefik.http.routers.vscode-rtr.rule=Host(`code.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.vscode-rtr.middlewares=chain-authelia@file" + ## HTTP Services + - "traefik.http.routers.vscode-rtr.service=vscode-svc" + - "traefik.http.services.vscode-svc.loadbalancer.server.port=8080" + + ############################# MAINTENANCE + + # Docker-GC - Automatic Docker Garbage Collection + # Create docker-gc-exclude file + #dockergc: + # image: clockworksoul/docker-gc-cron:latest + # container_name: docker-gc + # restart: unless-stopped + # networks: + # - gl_socket_proxy + # depends_on: + # - socket-proxy + # volumes: + # - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy instead for improved security + # - $DOCKERDIR/appdata/docker-gc/docker-gc-exclude:/etc/docker-gc-exclude + # environment: + # CRON: 0 0 0 * * ? # Everyday at midnight. Previously 0 0 * * * + # FORCE_IMAGE_REMOVAL: 1 + # FORCE_CONTAINER_REMOVAL: 0 + # GRACE_PERIOD_SECONDS: 604800 + # DRY_RUN: 0 + # CLEAN_UP_VOLUMES: 1 + # TZ: $TZ + # DOCKER_HOST: $DOCKER_ENDPOINT \ No newline at end of file diff --git a/config/docker/2022/yml-files/docker-compose_2022.yml b/config/docker/2022/yml-files/docker-compose_2022.yml new file mode 100644 index 0000000..bcab4fe --- /dev/null +++ b/config/docker/2022/yml-files/docker-compose_2022.yml @@ -0,0 +1,272 @@ +version: "3.7" +########################### NETWORKS +# There is no need to create any networks outside this docker-compose file. +# You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please. +# Docker Compose version 3.5 or higher required to define networks this way. +networks: + proxy: + name: proxy + driver: bridge + ipam: + config: + - subnet: $PROXY_SUBNET + gateway: $PROXY_GATEWAY + default: + driver: bridge + socket_proxy: + name: socket_proxy + driver: bridge + ipam: + config: + - subnet: $SOCKET_PROXY_SUBNET + gateway: $SOCKET_PROXY_GATEWAY + +########################### SECRETS +secrets: + htpasswd: + file: $SECRETSDIR/htpasswd + cloudflare_email: + file: $SECRETSDIR/cloudflare_email + cloudflare_api_key: + file: $SECRETSDIR/cloudflare_api_key + cloudflare_api_token: + file: $SECRETSDIR/secrets/cloudflare_api_token + authelia_jwt_secret: + file: $SECRETSDIR/authelia_jwt_secret + authelia_session_secret: + file: $SECRETSDIR/authelia_session_secret +# authelia_storage_mysql_password: +# file: $DOCKERDIR/secrets/authelia_storage_mysql_password +# authelia_notifier_smtp_password: +# file: $DOCKERDIR/secrets/authelia_notifier_smtp_password +# authelia_duo_api_secret_key: +# file: $DOCKERDIR/secrets/authelia_duo_api_secret_key +########################### SERVICES +services: + # Traefik 2 - Reverse Proxy + # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600. + # touch $DOCKERDIR/traefik2/acme/acme.json + # chmod 600 $DOCKERDIR/traefik2/acme/acme.json + # touch $DOCKERDIR/traefik2/traefik.log + traefik: + container_name: traefik + image: traefik:latest + #image: traefik:livarot # picodon v2.3.x # chevrotin v2.2.x + restart: always + command: # CLI arguments + - --global.checkNewVersion=true + - --global.sendAnonymousUsage=true + - --entryPoints.http.address=:80 + - --entryPoints.https.address=:443 + #- --entrypoints.https.forwardedHeaders.trustedIPs=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 + - --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IP_RANGES + - --entryPoints.traefik.address=:8080 + # - --entryPoints.ping.address=:8081 + - --api=true + # - --api.insecure=true + - --api.dashboard=true + #- --ping=true + #- --pilot.token=$TRAEFIK_PILOT_TOKEN + - --serversTransport.insecureSkipVerify=true + #- --log=true + #- --log.level=WARN # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC + #- --accessLog=true + #- --accessLog.filePath=/traefik.log + #- --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines + #- --accessLog.filters.statusCodes=400-499 + - --providers.docker=true + - --providers.docker.endpoint=$DOCKER_ENDPOINT # Use Docker Socket Proxy instead for improved security + # Automatically set Host rule for services + # - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME0`) + - --providers.docker.exposedByDefault=false + # - --entrypoints.https.http.middlewares=chain-oauth@file + - --entrypoints.https.http.tls.options=tls-opts@file + # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services + - --entrypoints.https.http.tls.certresolver=$CERTRESOLVER + - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME0 + - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME0 + - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME1 # Pulls main cert for second domain + - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME1 # Pulls wildcard cert for second domain + - --providers.docker.network=gl_proxy + - --providers.docker.swarmMode=false + - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory + # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file + - --providers.file.watch=true # Only works on top level files in the rules folder + # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing + - --certificatesResolvers.$CERTRESOLVER.acme.email=$CLOUDFLARE_EMAIL + - --certificatesResolvers.$CERTRESOLVER.acme.storage=/acme.json + - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.provider=$DNS_PROVIDER + - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.resolvers=$RESOLVER0 #,$RESOLVER1 + - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate + networks: + proxy: + ipv4_address: $TRAEFIK_IP0 # You can specify a static IP + socket_proxy: + ipv4_address: $TRAEFIK_IP1 + security_opt: + - no-new-privileges:true + #healthcheck: + # test: ["CMD", "traefik", "healthcheck", "--ping"] + # interval: 5s + # retries: 3 + ports: + - target: 80 + published: 80 + protocol: tcp + mode: host + - target: 443 + published: 443 + protocol: tcp + mode: host + # - target: 8080 + # published: 8080 + # protocol: tcp + # mode: host + volumes: + - $DOCKERDIR/appdata/traefik2/rules:/rules # file provider directory + - $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600 + #- $DOCKERDIR/appdata/traefik2/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container + - $DOCKERDIR/shared:/shared + environment: + - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email + - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key + - HTPASSWD_FILE=/run/secrets/htpasswd # HTPASSWD_FILE can be whatever as it is not used/called anywhere. + secrets: + - cloudflare_email + - cloudflare_api_key + - htpasswd + labels: + #- "autoheal=true" + - "traefik.enable=true" + # HTTP-to-HTTPS Redirect + - "traefik.http.routers.http-catchall.entrypoints=http" + - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)" + - "traefik.http.routers.http-catchall.middlewares=redirect-to-https" + - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https" + # HTTP Routers + - "traefik.http.routers.traefik-rtr.entrypoints=https" + - "traefik.http.routers.traefik-rtr.rule=Host(`proxy.local.$DOMAINNAME0`)" + ## Services - API + - "traefik.http.routers.traefik-rtr.service=api@internal" + ## Healthcheck/ping + #- "traefik.http.routers.ping.rule=Host(`traefik.$DOMAINNAME0`) && Path(`/ping`)" + #- "traefik.http.routers.ping.tls=true" + #- "traefik.http.routers.ping.service=ping@internal" + ## Middlewares + #- "traefik.http.routers.traefik-rtr.middlewares=chain-no-auth@file" + - "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file" + # Docker Socket Proxy - Security Enchanced Proxy for Docker Socket + socket-proxy: + container_name: socket-proxy + image: tecnativa/docker-socket-proxy + restart: always + networks: + gl_socket_proxy: + ipv4_address: $SOCKET_PROXY_IP # You can specify a static IP + privileged: true + #ports: + # - "127.0.0.1:2375:2375" # Port 2375 should only ever get exposed to the internal network. When possible use this line. + # I use the next line instead, as I want portainer to manage multiple docker endpoints within my home network. + # - "2375:2375" + volumes: + - "/var/run/docker.sock:/var/run/docker.sock" + environment: + - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg + ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.). + # 0 to revoke access. + # 1 to grant access. + ## Granted by Default + - EVENTS=1 + - PING=1 + - VERSION=1 + ## Revoked by Default + # Security critical + - AUTH=0 + - SECRETS=0 + - POST=1 # Ouroboros + # Not always needed + - BUILD=0 + - COMMIT=0 + - CONFIGS=0 + - CONTAINERS=1 # Traefik, portainer, etc. + - DISTRIBUTION=0 + - EXEC=1 + - IMAGES=1 # Portainer + - INFO=1 # Portainer + - NETWORKS=1 # Portainer + - NODES=0 + - PLUGINS=0 + - SERVICES=1 # Portainer + - SESSION=0 + - SWARM=0 + - SYSTEM=0 + - TASKS=1 # Portaienr + - VOLUMES=1 # Portainer + + # Portainer - WebUI for Containers + portainer: + container_name: portainer + image: portainer/portainer-ce:latest + restart: unless-stopped + command: -H $DOCKER_ENDPOINT # Use Docker Socket Proxy instead for improved security + networks: + proxy: + ipv4_address: $PORTAINER_IP0 + socket_proxy: + ipv4_address: $PORTAINER_IP1 + security_opt: + - no-new-privileges:true + volumes: + - $DOCKERDIR/appdata/portainer:/data # Change to local directory if you want to save/transfer config locally + environment: + - TZ=$TZ + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.portainer-rtr.entrypoints=https" + - "traefik.http.routers.portainer-rtr.rule=Host(`portainer.local.$DOMAINNAME0`)" + ## Middlewares + - "traefik.http.routers.portainer-rtr.middlewares=chain-authelia@file" + #- "traefik.http.routers.portainer-rtr.middlewares=chain-no-auth@file" + ## HTTP Services + - "traefik.http.routers.portainer-rtr.service=portainer-svc" + - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000" + # Authelia (Lite) - Self-Hosted Single Sign-On and Two-Factor Authentication + authelia: + container_name: authelia + # Check this before upgrading: https://github.com/authelia/authelia/blob/master/BREAKING.md + image: authelia/authelia:latest + restart: always + networks: + proxy: + ipv4_address: $AUTHELIA_IP # You can specify a static IP + #default: + # ports: + # - "9091:9091" + volumes: + - $DOCKERDIR/appdata/authelia:/config + environment: + - TZ=$TZ + - AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret + - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret +# - AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/run/secrets/authelia_storage_mysql_password +# - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/authelia_notifier_smtp_password +# - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/authelia_duo_api_secret_key + secrets: + - authelia_jwt_secret + - authelia_session_secret +# - authelia_storage_mysql_password +# - authelia_notifier_smtp_password +# - authelia_duo_api_secret_key + labels: + - "traefik.enable=true" + ## HTTP Routers + - "traefik.http.routers.authelia-rtr.entrypoints=https" + - "traefik.http.routers.authelia-rtr.rule=Host(`auth.local.$DOMAINNAME0`)" + - "traefik.http.routers.authelia-rtr.tls=true" + ## Middlewares + - "traefik.http.routers.authelia-rtr.middlewares=chain-no-auth@file" + #chain-authelia@file" + ## HTTP Services + - "traefik.http.routers.authelia-rtr.service=authelia-svc" + - "traefik.http.services.authelia-svc.loadbalancer.server.port=9091" \ No newline at end of file