version: "3.7" ########################### NETWORKS # There is no need to create any networks outside this docker-compose file. # You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please. # Docker Compose version 3.5 or higher required to define networks this way. networks: gl_proxy: name: gl_proxy driver: bridge ipam: config: - subnet: $GL_PROXY_SUBNET gateway: $GL_PROXY_GATEWAY default: driver: bridge gl_socket_proxy: name: gl_socket_proxy driver: bridge ipam: config: - subnet: $GL_SOCKET_PROXY_SUBNET gateway: $GL_SOCKET_PROXY_GATEWAY ########################### SECRETS secrets: htpasswd: file: $SECRETSDIR/htpasswd cloudflare_email: file: $SECRETSDIR/cloudflare_email cloudflare_api_key: file: $SECRETSDIR/cloudflare_api_key cloudflare_api_token: file: $SECRETSDIR/secrets/cloudflare_api_token authelia_jwt_secret: file: $SECRETSDIR/authelia_jwt_secret authelia_session_secret: file: $SECRETSDIR/authelia_session_secret authelia_storage_mysql_password: file: $SECRETSDIR/authelia_storage_mysql_password authelia_storage_encryption_key: file: $SECRETSDIR/authelia_storage_encryption_key authelia_ldap_password: file: $SECRETSDIR/authelia_ldap_password # authelia_notifier_smtp_password: # file: $DOCKERDIR/secrets/authelia_notifier_smtp_password # authelia_duo_api_secret_key: # file: $DOCKERDIR/secrets/authelia_duo_api_secret_key ########################### SERVICES services: # Traefik 2 - Reverse Proxy # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600. # touch $DOCKERDIR/traefik2/acme/acme.json # chmod 600 $DOCKERDIR/traefik2/acme/acme.json # touch $DOCKERDIR/traefik2/traefik.log traefik: container_name: gl-traefik image: traefik:latest #image: traefik:livarot # picodon v2.3.x # chevrotin v2.2.x restart: always command: # CLI arguments - --global.checkNewVersion=true - --global.sendAnonymousUsage=true - --entryPoints.http.address=:80 - --entryPoints.https.address=:443 #- --entrypoints.https.forwardedHeaders.trustedIPs=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 - --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IP_RANGES - --entryPoints.traefik.address=:8080 # - --entryPoints.ping.address=:8081 - --api=true # - --api.insecure=true - --api.dashboard=true #- --ping=true #- --pilot.token=$TRAEFIK_PILOT_TOKEN - --serversTransport.insecureSkipVerify=true #- --log=true #- --log.level=WARN # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC #- --accessLog=true #- --accessLog.filePath=/traefik.log #- --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines #- --accessLog.filters.statusCodes=400-499 - --providers.docker=true - --providers.docker.endpoint=$DOCKER_ENDPOINT # Use Docker Socket Proxy instead for improved security # Automatically set Host rule for services # - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME0`) - --providers.docker.exposedByDefault=false # - --entrypoints.https.http.middlewares=chain-oauth@file - --entrypoints.https.http.tls.options=tls-opts@file # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services - --entrypoints.https.http.tls.certresolver=$CERTRESOLVER - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME0 - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME0 - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME1 # Pulls main cert for second domain - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME1 # Pulls wildcard cert for second domain - --providers.docker.network=gl_proxy - --providers.docker.swarmMode=false - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file - --providers.file.watch=true # Only works on top level files in the rules folder # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing - --certificatesResolvers.$CERTRESOLVER.acme.email=$CLOUDFLARE_EMAIL - --certificatesResolvers.$CERTRESOLVER.acme.storage=/acme.json - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.provider=$DNS_PROVIDER - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.resolvers=$RESOLVER0 #,$RESOLVER1 - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate networks: gl_proxy: ipv4_address: $TRAEFIK_IP0 # You can specify a static IP gl_socket_proxy: ipv4_address: $TRAEFIK_IP1 security_opt: - no-new-privileges:true #healthcheck: # test: ["CMD", "traefik", "healthcheck", "--ping"] # interval: 5s # retries: 3 ports: - target: 80 published: 80 protocol: tcp mode: host - target: 443 published: 443 protocol: tcp mode: host # - target: 8080 # published: 8080 # protocol: tcp # mode: host volumes: - $DOCKERDIR/appdata/traefik2/rules:/rules # file provider directory - $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600 #- $DOCKERDIR/appdata/traefik2/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container - $DOCKERDIR/shared:/shared environment: - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key - HTPASSWD_FILE=/run/secrets/htpasswd # HTPASSWD_FILE can be whatever as it is not used/called anywhere. secrets: - cloudflare_email - cloudflare_api_key - htpasswd labels: #- "autoheal=true" - "traefik.enable=true" # HTTP-to-HTTPS Redirect - "traefik.http.routers.http-catchall.entrypoints=http" - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)" - "traefik.http.routers.http-catchall.middlewares=redirect-to-https" - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https" # HTTP Routers - "traefik.http.routers.traefik-rtr.entrypoints=https" - "traefik.http.routers.traefik-rtr.rule=Host(`proxy.local.$DOMAINNAME0`)" ## Services - API - "traefik.http.routers.traefik-rtr.service=api@internal" ## Healthcheck/ping #- "traefik.http.routers.ping.rule=Host(`traefik.$DOMAINNAME0`) && Path(`/ping`)" #- "traefik.http.routers.ping.tls=true" #- "traefik.http.routers.ping.service=ping@internal" ## Middlewares #- "traefik.http.routers.traefik-rtr.middlewares=chain-no-auth@file" - "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file" # Docker Socket Proxy - Security Enchanced Proxy for Docker Socket socket-proxy: container_name: gl-socket-proxy image: tecnativa/docker-socket-proxy restart: always networks: gl_socket_proxy: ipv4_address: $SOCKET_PROXY_IP # You can specify a static IP privileged: true #ports: # - "127.0.0.1:2375:2375" # Port 2375 should only ever get exposed to the internal network. When possible use this line. # I use the next line instead, as I want portainer to manage multiple docker endpoints within my home network. # - "2375:2375" volumes: - "/var/run/docker.sock:/var/run/docker.sock" environment: - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.). # 0 to revoke access. # 1 to grant access. ## Granted by Default - EVENTS=1 - PING=1 - VERSION=1 ## Revoked by Default # Security critical - AUTH=0 - SECRETS=0 - POST=1 # Ouroboros # Not always needed - BUILD=0 - COMMIT=0 - CONFIGS=0 - CONTAINERS=1 # Traefik, portainer, etc. - DISTRIBUTION=0 - EXEC=1 - IMAGES=1 # Portainer - INFO=1 # Portainer - NETWORKS=1 # Portainer - NODES=0 - PLUGINS=0 - SERVICES=1 # Portainer - SESSION=0 - SWARM=0 - SYSTEM=0 - TASKS=1 # Portaienr - VOLUMES=1 # Portainer # Portainer - WebUI for Containers portainer: container_name: gl-portainer image: portainer/portainer-ce:latest restart: unless-stopped command: -H $DOCKER_ENDPOINT # Use Docker Socket Proxy instead for improved security networks: gl_proxy: ipv4_address: $PORTAINER_IP0 gl_socket_proxy: ipv4_address: $PORTAINER_IP1 security_opt: - no-new-privileges:true # ports: # - "9000:9000" volumes: - $DOCKERDIR/appdata/portainer:/data # Change to local directory if you want to save/transfer config locally environment: - TZ=$TZ labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.portainer-rtr.entrypoints=https" - "traefik.http.routers.portainer-rtr.rule=Host(`portainer.local.$DOMAINNAME0`)" ## Middlewares #- "traefik.http.routers.portainer-rtr.middlewares=chain-authelia@file" - "traefik.http.routers.portainer-rtr.middlewares=chain-no-auth@file" ## HTTP Services - "traefik.http.routers.portainer-rtr.service=portainer-svc" - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000" # Authelia (Lite) - Self-Hosted Single Sign-On and Two-Factor Authentication authelia: container_name: gl-authelia # Check this before upgrading: https://github.com/authelia/authelia/blob/master/BREAKING.md image: authelia/authelia:latest restart: always networks: gl_proxy: ipv4_address: $AUTHELIA_IP # You can specify a static IP default: # ports: # - "9091:9091" volumes: - $DOCKERDIR/appdata/authelia:/config environment: - TZ=$TZ - AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret - AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/run/secrets/authelia_storage_mysql_password - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/authelia_storage_encryption_key - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/run/secrets/authelia_ldap_password # - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/authelia_notifier_smtp_password # - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/authelia_duo_api_secret_key secrets: - authelia_jwt_secret - authelia_session_secret - authelia_storage_mysql_password - authelia_storage_encryption_key # - authelia_notifier_smtp_password # - authelia_duo_api_secret_key labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.authelia-rtr.entrypoints=https" - "traefik.http.routers.authelia-rtr.rule=Host(`auth.local.$DOMAINNAME0`)" - "traefik.http.routers.authelia-rtr.tls=true" ## Middlewares - "traefik.http.routers.authelia-rtr.middlewares=chain-no-auth@file" #chain-authelia@file" ## HTTP Services - "traefik.http.routers.authelia-rtr.service=authelia-svc" - "traefik.http.services.authelia-svc.loadbalancer.server.port=9091"