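version: "3.9"

######### IMPORTANT #############
# docker-compose-t2.yml is my main docker compose that runs on a dedicated cloud server with Proxmox.
# You will find only a few apps (only those that I run on Synology NAS for my homelab use) in this docker-compose file.
# You can copy-paste services from one docker-compose file in this repo to another to add other apps.

########################### SYSTEM DESCRIPTION
# DOCKER-COMPOSE FOR SYNOLOGY DS918+
# 8 GB RAM, DSM 7.X
# 1x4TB + 3x8TB
# 2x256GB NVMe SSD Read-Write Cache
# Google Drive mounted using Rclone Docker Container for media

########################### NETWORKS
# There is no need to create any networks outside this docker-compose file.
# You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please.
# Docker Compose version 3.5 or higher required to define networks this way.
#
# t2_proxy      - services that Traefik routes to.
# socket_proxy  - only the Docker Socket Proxy and its clients; never publish a port from it.
networks:
  t2_proxy:
    name: t2_proxy
    driver: bridge
    ipam:
      config:
        - subnet: 192.168.90.0/24
  default:
    driver: bridge
  socket_proxy:
    name: socket_proxy
    driver: bridge
    ipam:
      config:
        - subnet: 192.168.91.0/24

########################### SECRETS
# Files under $DOCKERDIR/secrets are mounted into containers at /run/secrets/<name>.
# Unused in this file (kept for copy-paste parity with the other compose files):
# oauth_secret, google_client_secret, google_client_id, my_email.
secrets:
  htpasswd:
    file: $DOCKERDIR/secrets/htpasswd
  cloudflare_email:
    file: $DOCKERDIR/secrets/cloudflare_email
  cloudflare_api_key:
    file: $DOCKERDIR/secrets/cloudflare_api_key
  cloudflare_api_token:
    file: $DOCKERDIR/secrets/cloudflare_api_token
  oauth_secret:
    file: $DOCKERDIR/secrets/oauth_secret
  google_client_secret:
    file: $DOCKERDIR/secrets/google_client_secret
  google_client_id:
    file: $DOCKERDIR/secrets/google_client_id
  my_email:
    file: $DOCKERDIR/secrets/my_email
  plex_claim:
    file: $DOCKERDIR/secrets/plex_claim
  mysql_root_password:
    file: $DOCKERDIR/secrets/mysql_root_password

########################### EXTENSION FIELDS
# Helps eliminate repetition of sections
# More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228
#
# NOTE: "<<:" is a shallow merge. A key written explicitly in a service (networks,
# security_opt, restart, ...) REPLACES the merged one; it does not extend it.

# Common environment values (anchor is not referenced in this file)
x-environment: &default-tz-puid-pgid
  TZ: $TZ
  PUID: $PUID
  PGID: $PGID

# Proxy Network and Security
x-network-and-security: &network-and-security
  networks:
    - t2_proxy
  security_opt:
    - no-new-privileges:true

# Keys common to some of the services in basic-services.txt
x-common-keys-basic: &common-keys-basic
  <<: *network-and-security
  restart: always
  # profiles:
  # - basic

# Keys common to some of the dependent services/apps
x-common-keys-apps: &common-keys-apps
  <<: *network-and-security
  restart: unless-stopped
  # profiles:
  # - apps

# Keys common to some of the services in media-services.txt
x-common-keys-media: &common-keys-media
  <<: *network-and-security
  restart: "no"
  # profiles:
  # - media

########################### SERVICES
services:
  ############################# FRONTENDS
  # Traefik 2 - Reverse Proxy
  # touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
  # touch $DOCKERDIR/traefik2/acme/acme.json
  # chmod 600 $DOCKERDIR/traefik2/acme/acme.json
  # touch $DOCKERDIR/traefik2/traefik.log
  # (the files must exist at the host paths used in "volumes" below, i.e. under $DOCKERDIR/appdata/traefik2)
  traefik:
    <<: *common-keys-basic # See EXTENSION FIELDS at the top
    container_name: traefik
    image: traefik:2.5
    command: # CLI arguments
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=true
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
      # This list only decides whose forwarded headers are trusted; it does not restrict who may
      # connect to 80/443 (those ports are published in host mode below). Keep it in sync with Cloudflare.
      - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22
      - --entryPoints.traefik.address=:8080
      # - --entryPoints.ping.address=:8081
      - --api=true
      # - --api.insecure=true
      - --api.dashboard=true
      #- --ping=true
      #- --pilot.token=$TRAEFIK_PILOT_TOKEN
      # - --serversTransport.insecureSkipVerify=true
      - --log=true
      - --log.level=WARN # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      # Access log is OFF here, so /traefik.log (mounted below "for fail2ban") stays empty.
      # Set --accessLog=true if fail2ban or any log-based detection is expected to work.
      - --accessLog=false
      - --accessLog.filePath=/traefik.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=400-499
      - --providers.docker=true
      # - --providers.docker.endpoint=unix:///var/run/docker.sock # Use Docker Socket Proxy instead for improved security
      - --providers.docker.endpoint=tcp://socket-proxy:2375
      # Automatically set Host rule for services
      # - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME0`)
      - --providers.docker.exposedByDefault=false
      # - --entrypoints.https.http.middlewares=chain-oauth-external@file
      - --entrypoints.https.http.tls.options=tls-opts@file
      # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
      - --entrypoints.https.http.tls.certresolver=dns-cloudflare
      - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME0
      - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME0
      # - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME01 # Pulls main cert for second domain
      # - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME01 # Pulls wildcard cert for second domain
      - --providers.docker.network=t2_proxy
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory
      # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file
      - --providers.file.watch=true # Only works on top level files in the rules folder
      # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
      - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
    networks: # replaces the merged "networks" (see EXTENSION FIELDS)
      - t2_proxy
      - socket_proxy
    #healthcheck:
    #  test: ["CMD", "traefik", "healthcheck", "--ping"]
    #  interval: 5s
    #  retries: 3
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      # - target: 8080
      #   published: 8080
      #   protocol: tcp
      #   mode: host
    volumes:
      - $DOCKERDIR/appdata/traefik2/rules:/rules # file provider directory
      # - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy instead for improved security
      - $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
      - $DOCKERDIR/appdata/traefik2/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container
    environment:
      - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
      - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
      - HTPASSWD_FILE=/run/secrets/htpasswd # HTPASSWD_FILE can be whatever as it is not used/called anywhere.
    secrets:
      - cloudflare_email
      - cloudflare_api_key
      - htpasswd
    labels:
      #- "autoheal=true"
      - "traefik.enable=true"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefikh.$DOMAINNAME0`)"
      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      ## Healthcheck/ping
      #- "traefik.http.routers.ping.rule=Host(`traefik.$DOMAINNAME0`) && Path(`/ping`)"
      #- "traefik.http.routers.ping.tls=true"
      #- "traefik.http.routers.ping.service=ping@internal"
      ## Middlewares
      - "traefik.http.routers.traefik-rtr.middlewares=chain-oauth-external@file"

  # Docker Socket Proxy - Security Enhanced Proxy for Docker Socket
  # This container holds the real docker.sock (root-equivalent on the host). Everything granted
  # below is available to every container on socket_proxy: traefik, portainer, glances,
  # watchtower, docker-gc and cf-companion. Review this list whenever a client is removed.
  socket-proxy:
    <<: *common-keys-basic # See EXTENSION FIELDS at the top
    container_name: socket-proxy
    image: fluencelabs/docker-socket-proxy
    networks: # replaces the merged "networks"; socket_proxy only, no t2_proxy
      - socket_proxy
    privileged: true
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    environment:
      - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
      ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
      # 0 to revoke access.
      # 1 to grant access.
      ## Granted by Default
      - EVENTS=1
      - PING=1
      - VERSION=1
      ## Revoked by Default
      # Security critical
      - AUTH=0
      - SECRETS=0
      # POST/DELETE plus CONTAINERS_* below are enabled for Watchtower. With them the proxy is a
      # container-management endpoint, not a read-only one; set them back to 0 if Watchtower goes.
      - POST=1 # Watchtower
      - DELETE=1 # Watchtower
      # GET Options
      - BUILD=0
      - COMMIT=0
      - CONFIGS=0
      - CONTAINERS=1 # Traefik, portainer, etc.
      - DISTRIBUTION=0
      - EXEC=0
      - IMAGES=1 # Portainer, Watchtower
      - INFO=1 # Portainer
      - NETWORKS=1 # Portainer, Watchtower
      - NODES=0
      - PLUGINS=0
      - SERVICES=1 # Portainer
      - SESSION=0
      - SWARM=0
      - SYSTEM=0
      - TASKS=1 # Portainer
      - VOLUMES=1 # Portainer
      # POST Options
      - CONTAINERS_CREATE=1 # WatchTower
      - CONTAINERS_START=1 # WatchTower
      - CONTAINERS_UPDATE=1 # WatchTower
      # DELETE Options
      - CONTAINERS_DELETE=1 # WatchTower
      - IMAGES_DELETE=1 # WatchTower

  # Google OAuth - Single Sign On using OAuth 2.0
  # Removed redundant Google OAuth forwarder. Forwarding all authentication requests to oauth:4181 on docker-compose-t2.yml (cloud server). See middlewares-oauth-external in middlewares.yml.example and chain-oauth-external in middlewares-chains.yml.example.

  # Portainer - WebUI for Containers
  portainer:
    <<: *common-keys-basic # See EXTENSION FIELDS at the top
    container_name: portainer
    image: portainer/portainer-ce:latest
    # command: -H unix:///var/run/docker.sock # # Use Docker Socket Proxy instead for improved security
    command: -H tcp://socket-proxy:2375
    networks:
      - t2_proxy
      - socket_proxy
    #ports:
    #  - "$PORTAINER_PORT:9000"
    volumes:
      # - /var/run/docker.sock:/var/run/docker.sock:ro # # Use Docker Socket Proxy instead for improved security
      - $DOCKERDIR/appdata/portainer/data:/data # Change to local directory if you want to save/transfer config locally
    environment:
      - TZ=$TZ
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.portainer-rtr.entrypoints=https"
      - "traefik.http.routers.portainer-rtr.rule=Host(`portainerh.$DOMAINNAME0`)"
      ## Middlewares
      - "traefik.http.routers.portainer-rtr.middlewares=chain-oauth-external@file"
      ## HTTP Services
      - "traefik.http.routers.portainer-rtr.service=portainer-svc"
      - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000"

  # Autoindex - Simple Directory Index
  # Serves the whole /volume1 tree (read-only) to anyone who passes chain-oauth-external.
  autoindex:
    <<: *common-keys-apps # See EXTENSION FIELDS at the top
    container_name: autoindex
    image: dceoy/nginx-autoindex:latest
    # ports:
    #  - "$AUTOINDEX_PORT:80"
    volumes:
      - /volume1:/var/lib/nginx/html:ro # Location you want to index
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.autoindex-rtr.entrypoints=https"
      - "traefik.http.routers.autoindex-rtr.rule=Host(`indexh.$DOMAINNAME0`)"
      ## Middlewares
      - "traefik.http.routers.autoindex-rtr.middlewares=chain-oauth-external@file"
      ## HTTP Services
      - "traefik.http.routers.autoindex-rtr.service=autoindex-svc"
      - "traefik.http.services.autoindex-svc.loadbalancer.server.port=80"

  ############################# SMART HOME
  # Mosquitto - MQTT Broker
  # Create mosquitto.conf, passwd, mosquitto.log files and set permissions to 775 user:docker
  # dexec mosquitto /bin/sh -> mosquitto_passwd -b /mosquitto/config/passwd username passwd
  # Both ports below are published directly on the host (no Traefik/OAuth in front), so broker
  # access control is the passwd file plus whatever mosquitto.conf allows; do not allow anonymous clients.
  mosquitto:
    <<: *common-keys-apps # See EXTENSION FIELDS at the top
    image: eclipse-mosquitto:latest
    container_name: mosquitto
    ports:
      - "$MOSQUITTO_HTTP_PORT:1883" # mqtt (plain)
      - "9001:9001" # websockets
      # - "$MOSQUITTO_HTTPS_PORT:8883" # mqtt over tls
    volumes:
      - $DOCKERDIR/appdata/mosquitto/config/mosquitto.conf:/mosquitto/config/mosquitto.conf
      - $DOCKERDIR/appdata/mosquitto/config/passwd:/mosquitto/config/passwd
      - $DOCKERDIR/shared:/shared
    environment:
      PUID: $PUID
      PGID: $PGID
      TZ: $TZ

  ############################# DATABASE
  # MariaDB - MySQL Database
  # After starting container for first time dexec and mysqladmin -u root password
  # Port 3306 is published on the host: reachable from the LAN, protected only by MariaDB's own auth.
  mariadb:
    <<: *common-keys-basic # See EXTENSION FIELDS at the top
    container_name: mariadb
    image: linuxserver/mariadb:latest
    ports:
      - "$MARIADB_PORT:3306"
    volumes:
      - $DOCKERDIR/appdata/mariadb/data:/config
      - /etc/TZ:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      - PUID=$PUID
      - PGID=$PGID
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password # Not taking this pw during initialization
    secrets:
      - mysql_root_password

  # InfluxDB - Database for sensor data
  # Create influxdb.conf
  influxdb:
    <<: *common-keys-basic # See EXTENSION FIELDS at the top
    image: influxdb:latest
    container_name: influxdb
    ports:
      - "$INFLUXDB_PORT:8086"
    volumes:
      # - $DOCKERDIR/appdata/influxdb/influxdb.conf:/etc/influxdb/influxdb.conf:ro
      - $DOCKERDIR/appdata/influxdb/db:/var/lib/influxdb
    # command: -config /etc/influxdb/influxdb.conf

  # phpMyAdmin - Database management
  # Create a new user with admin privileges. Cannot login as MySQL root for some reason.
  phpmyadmin:
    <<: *common-keys-apps # See EXTENSION FIELDS at the top
    image: phpmyadmin/phpmyadmin:latest
    container_name: phpmyadmin
    # ports:
    #  - "$PHPMYADMIN_PORT:80"
    # volumes:
    #  - $DOCKERDIR/appdata/phpmyadmin:/etc/phpmyadmin
    environment:
      - PMA_HOST=mariadb
      #- PMA_PORT=$DB_PORT
      #- PMA_ARBITRARY=1
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password
    secrets:
      - mysql_root_password
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.phpmyadmin-rtr.entrypoints=https"
      - "traefik.http.routers.phpmyadmin-rtr.rule=Host(`pmah.$DOMAINNAME0`)"
      ## Middlewares
      - "traefik.http.routers.phpmyadmin-rtr.middlewares=chain-oauth-external@file"
      ## HTTP Services
      - "traefik.http.routers.phpmyadmin-rtr.service=phpmyadmin-svc"
      - "traefik.http.services.phpmyadmin-svc.loadbalancer.server.port=80"

  ############################# DOWNLOADERS
  # qBittorrent - Torrent downloader
  # Needs trailing / if using PathPrefixStrip
  qbittorrent:
    <<: *common-keys-apps # See EXTENSION FIELDS at the top
    image: lscr.io/linuxserver/qbittorrent
    container_name: qbittorrent
    # ports:
    #- "$QBITTORRENT_PORT:8168"
    #- 6881:6881
    #- 6881:6881/udp
    volumes:
      - $DOCKERDIR/appdata/qbittorrent:/config
      - $DOWNLOADSDIR:/downloads
    environment:
      PUID: $PUID
      PGID: $PGID
      TZ: $TZ
      UMASK: "002" # quoted: an unquoted 002 is read as the integer 2 (YAML 1.1 octal)
      WEBUI_PORT: 8168
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.qbittorrent-rtr.entrypoints=https"
      - "traefik.http.routers.qbittorrent-rtr.rule=Host(`qbith.$DOMAINNAME0`)"
      - "traefik.http.routers.qbittorrent-rtr.tls=true" # redundant: TLS is already enabled on the https entrypoint
      ## Middlewares
      - "traefik.http.routers.qbittorrent-rtr.middlewares=chain-oauth-external@file"
      ## HTTP Services
      - "traefik.http.routers.qbittorrent-rtr.service=qbittorrent-svc"
      - "traefik.http.services.qbittorrent-svc.loadbalancer.server.port=8168"

  ############################# MEDIA
  # Plex - Media Server
  plexms:
    <<: *common-keys-media # See EXTENSION FIELDS at the top
    image: plexinc/pms-docker:public
    container_name: plexms
    ports:
      - "$PLEX_PORT:32400/tcp"
      - "3005:3005/tcp"
      - "8324:8324/tcp"
      - "32469:32469/tcp"
      # - "1900:1900/udp" # conflicts with xTeVe and Synology default ports
      - "32410:32410/udp"
      - "32412:32412/udp"
      - "32413:32413/udp"
      - "32414:32414/udp"
      - "$PLEX_WEB_TOOLS_PORT:33400"
    devices:
      - /dev/dri:/dev/dri # for hardware transcoding
    volumes:
      - $DOCKERDIR/appdata/plexms:/config
      - $DOWNLOADSDIR:/downloads
      - $DS918/media:/media
      - /dev/shm:/transcode
    environment:
      TZ: $TZ
      HOSTNAME: "sPlex"
      PLEX_CLAIM_FILE: /run/secrets/plex_claim
      PLEX_UID: $PUID
      PLEX_GID: $PGID
      ADVERTISE_IP: http://$SERVER_IP1:32400/
    secrets:
      - plex_claim
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.plexms-rtr.entrypoints=https"
      - "traefik.http.routers.plexms-rtr.rule=Host(`synplex.$DOMAINNAME0`)"
      ## Middlewares
      - "traefik.http.routers.plexms-rtr.middlewares=chain-no-auth@file" # no OAuth in front; Plex does its own login
      ## HTTP Services
      - "traefik.http.routers.plexms-rtr.service=plexms-svc"
      - "traefik.http.services.plexms-svc.loadbalancer.server.port=32400"

  ############################# MEDIA FILE MANAGEMENT
  # Tdarr Server - Library Optimizer
  tdarr:
    <<: *common-keys-media # See EXTENSION FIELDS at the top
    image: haveagitgat/tdarr:latest
    container_name: tdarr
    #ports:
    #  - "$TDARR_SERVER_PORT:8266"
    #  - "$TDARR_WEB_PORT:8265"
    #  - 8267:8267 # node port. It should be mapped on this container because the node container use the network from the main container
    volumes:
      - $DOCKERDIR/appdata/tdarr/server:/app/server
      - $DOCKERDIR/appdata/tdarr/configs:/app/configs
      - $DOCKERDIR/appdata/tdarr/logs:/app/logs
      - $DOWNLOADSDIR/transcode/tdarr:/data/temp
      - $DATADIR/Photos/zVideos:/data/media:ro
      - $DS918/media/zvideos:/data/output
    environment:
      PUID: $PUID
      PGID: $PGID
      TZ: $TZ
      serverIP: tdarr # or hostname
      serverPort: 8266
      webUIPort: 8265
      UMASK_SET: "002" # quoted: an unquoted 002 is read as the integer 2 (YAML 1.1 octal)
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.tdarr-rtr.entrypoints=https"
      - "traefik.http.routers.tdarr-rtr.rule=Host(`tdarr.$DOMAINNAME0`)"
      ## Middlewares
      - "traefik.http.routers.tdarr-rtr.middlewares=chain-oauth-external@file"
      ## HTTP Services
      - "traefik.http.routers.tdarr-rtr.service=tdarr-svc"
      - "traefik.http.services.tdarr-svc.loadbalancer.server.port=8265"

  # Tdarr Node - Transcoder Node
  tdarr-node1:
    <<: *common-keys-media # See EXTENSION FIELDS at the top
    image: haveagitgat/tdarr_node:latest
    container_name: tdarr-node1
    devices:
      - /dev/dri:/dev/dri # for hardware transcoding
    environment:
      PUID: $PUID
      PGID: $PGID
      TZ: $TZ
      UMASK_SET: "002" # quoted: an unquoted 002 is read as the integer 2 (YAML 1.1 octal)
      nodeID: Node1
      nodeIP: tdarr-node1 # or hostname
      nodePort: 8267
      serverIP: tdarr # or hostname
      serverPort: 8266
    volumes:
      - $DOCKERDIR/appdata/tdarr/configs:/app/configs
      - $DOCKERDIR/appdata/tdarr/logs:/app/logs
      - $DOWNLOADSDIR/transcode/tdarr:/data/temp
      - $DATADIR/Photos/zVideos:/data/media:ro
      - $DS918/media/zvideos:/data/output

  ############################# FILES
  # Rclone - Google Drive Mount
  # https://github.com/openbridge/ob_bulkstash/issues/19
  # https://github.com/romancin/rclonebrowser-docker
  # https://hub.docker.com/r/d2dyno/rclone-gui
  # NOTE: the explicit security_opt below REPLACES the merged one, so no-new-privileges is not
  # applied here (the container also gets CAP_SYS_ADMIN for FUSE). The --rc-user/--rc-pass values
  # end up in the container's command line, which is visible in "docker inspect" and process listings.
  rclone-drive:
    <<: *common-keys-basic # See EXTENSION FIELDS at the top
    container_name: rclone-drive
    image: rclone/rclone:latest
    cap_add:
      - SYS_ADMIN
    security_opt:
      - apparmor:unconfined
    command: "mount drive: /data/drive \
      --use-mmap \
      --allow-other \
      --no-modtime \
      --allow-non-empty \
      --dir-cache-time=1000h \
      --poll-interval=15s \
      --buffer-size=256M \
      --umask=002 \
      --uid=1026 \
      --gid=100 \
      --drive-chunk-size=256M \
      --user-agent=DS918 \
      --cache-dir=/data/cache/drive \
      --vfs-cache-mode=full \
      --vfs-cache-max-age=336h \
      --vfs-cache-max-size=512G \
      --vfs-read-chunk-size=32M \
      --vfs-read-chunk-size-limit=2G \
      --log-file /config/rclone/logs/drive.log \
      --rc \
      --rc-web-gui \
      --rc-addr :5572 \
      --rc-user=$RCLONE_WEBUI_USER \
      --rc-pass=$RCLONE_WEBUI_PASS \
      --log-level=INFO"
      #--bwlimit 150M \
      #--bwlimit-file 40M \
    devices:
      - /dev/fuse
    volumes:
      - $DOCKERDIR/appdata/rclone:/config/rclone
      - $DS918/rclone/drive:/data/drive:shared
      - $DS918/rclone/cache/drive:/data/cache/drive
      - /etc/passwd:/etc/passwd:ro
      - /etc/group:/etc/group:ro
      - /etc/fuse.conf:/etc/fuse.conf:ro
    environment:
      - TZ=$TZ
      - PUID=$PUID
      - PGID=$PGID
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.rclone-drive-rtr.entrypoints=https"
      - "traefik.http.routers.rclone-drive-rtr.rule=Host(`rcloneh.$DOMAINNAME0`)"
      ## Middlewares
      - "traefik.http.routers.rclone-drive-rtr.middlewares=chain-oauth-external@file"
      ## HTTP Services
      - "traefik.http.routers.rclone-drive-rtr.service=rclone-drive-svc"
      - "traefik.http.services.rclone-drive-svc.loadbalancer.server.port=5572"

  # Rclone - Google Drive Mount (crypt remote, no remote-control UI)
  # Same security_opt caveat as rclone-drive: no-new-privileges is not applied here.
  rclone-crypt:
    <<: *common-keys-basic # See EXTENSION FIELDS at the top
    container_name: rclone-crypt
    image: rclone/rclone:latest
    cap_add:
      - SYS_ADMIN
    security_opt:
      - apparmor:unconfined
    command: "mount crypt: /data/crypt \
      --use-mmap \
      --allow-other \
      --no-modtime \
      --allow-non-empty \
      --dir-cache-time=1000h \
      --poll-interval=15s \
      --buffer-size=256M \
      --uid=1026 \
      --gid=100 \
      --umask=002 \
      --drive-chunk-size=256M \
      --user-agent=DS918 \
      --cache-dir=/data/cache/crypt \
      --vfs-cache-mode=full \
      --vfs-cache-max-age=336h \
      --vfs-cache-max-size=512G \
      --vfs-read-chunk-size=32M \
      --vfs-read-chunk-size-limit=2G \
      --log-file /config/rclone/logs/crypt.log \
      --log-level=NOTICE"
      #--bwlimit 3M \ # 3M approximately equals 253 GB limit per day
      # previously buffer 256 buffer 256 chunk size 128 read and limit off
    devices:
      - /dev/fuse
    volumes:
      - $DOCKERDIR/appdata/rclone:/config/rclone
      - $DS918/rclone/crypt:/data/crypt:shared
      - $DS918/rclone/cache/crypt:/data/cache/crypt
      - /etc/passwd:/etc/passwd:ro
      - /etc/group:/etc/group:ro
      - /etc/fuse.conf:/etc/fuse.conf:ro
    environment:
      - TZ=$TZ
      - PUID=$PUID
      - PGID=$PGID

  ############################# UTILITIES
  # Firefox - Web Browser
  # VNC password not working - check
  firefox:
    <<: *common-keys-apps # See EXTENSION FIELDS at the top
    image: jlesage/firefox:latest
    container_name: firefox
    security_opt: # replaces the merged security_opt, so no-new-privileges is re-listed here on purpose
      - no-new-privileges:true
      - seccomp:unconfined # October 15, 2020 https://github.com/jlesage/docker-firefox/blob/master/README.md#allowing-the-membarrier-system-call
    # ports:
    #  - "$FIREFOX_PORT:5800"
    volumes:
      - $DOCKERDIR/appdata/firefox:/config
      - $DOWNLOADSDIR:/config/Downloads
      - /dev/shm:/dev/shm
    environment:
      USER_ID: $PUID
      GROUP_ID: $PGID
      TZ: $TZ
      UMASK: "002" # quoted: an unquoted 002 is read as the integer 2 (YAML 1.1 octal)
      KEEP_APP_RUNNING: 1
      CLEAN_TMP_DIR: 1
      DISPLAY_WIDTH: 1600
      DISPLAY_HEIGHT: 960
      # VNC_PASSWD: $FIREFOX_VNC_PASSWD # Since OAuth is enabled
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.firefox-rtr.entrypoints=https"
      - "traefik.http.routers.firefox-rtr.rule=Host(`firefoxh.$DOMAINNAME0`)"
      ## Middlewares
      - "traefik.http.routers.firefox-rtr.middlewares=chain-oauth-external@file"
      ## HTTP Services
      - "traefik.http.routers.firefox-rtr.service=firefox-svc"
      - "traefik.http.services.firefox-svc.loadbalancer.server.port=5800"

  # Glances - System Information
  # privileged + pid: host give this container full host visibility. Its web UI is also
  # published directly on $GLANCES_PORT, which bypasses the OAuth chain on the Traefik route.
  glances:
    <<: *common-keys-apps # See EXTENSION FIELDS at the top
    image: nicolargo/glances:latest
    container_name: glances
    privileged: true
    # network_mode: host
    networks:
      - t2_proxy
      - socket_proxy
    ports:
      - "$GLANCES_PORT:61208"
    pid: host
    volumes:
      - $DOCKERDIR/appdata/glances/glances.conf:/glances/conf/glances.conf # Use this if you want to add a glances.conf file
      # - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy instead for improved security
    environment:
      # GLANCES_OPT: "-C /glances/conf/glances.conf --quiet --export influxdb"
      GLANCES_OPT: "-w"
      DOCKER_HOST: tcp://socket-proxy:2375
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.glances-rtr.entrypoints=https"
      - "traefik.http.routers.glances-rtr.rule=Host(`glancesh.$DOMAINNAME0`)"
      ## Middlewares
      - "traefik.http.routers.glances-rtr.middlewares=chain-oauth-external@file"
      ## HTTP Services
      - "traefik.http.routers.glances-rtr.service=glances-svc"
      - "traefik.http.services.glances-svc.loadbalancer.server.port=61208"

  # qDirStat - Directory Statistics
  qdirstat:
    <<: *common-keys-apps # See EXTENSION FIELDS at the top
    image: jlesage/qdirstat:latest
    container_name: qdirstat
    # ports:
    #  - "$QDIRSTAT_PORT:5800"
    volumes:
      - /volume1:/storage:ro
      - $DOCKERDIR/appdata/qdirstat/config:/config:rw
    environment:
      USER_ID: $PUID
      GROUP_ID: $PGID
      UMASK: "002" # quoted: an unquoted 002 is read as the integer 2 (YAML 1.1 octal)
      TZ: $TZ
      KEEP_APP_RUNNING: 1
      CLEAN_TMP_DIR: 1
      DISPLAY_WIDTH: 1600
      DISPLAY_HEIGHT: 960
      VNC_PASSWORD: $QDIRSTAT_VNC_PASSWD
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.qdirstat-rtr.entrypoints=https"
      - "traefik.http.routers.qdirstat-rtr.rule=Host(`qdirh.$DOMAINNAME0`)"
      ## Middlewares
      - "traefik.http.routers.qdirstat-rtr.middlewares=chain-oauth-external@file"
      ## HTTP Services
      - "traefik.http.routers.qdirstat-rtr.service=qdirstat-svc"
      - "traefik.http.services.qdirstat-svc.loadbalancer.server.port=5800"

  # SyncThing - Keep folders in Sync
  # The GUI port 8384 is published directly on the host as well as routed through Traefik;
  # the direct mapping bypasses chain-oauth-external. Remove it (keep 22000/21027, which are
  # the sync and discovery ports) if the GUI should only be reachable behind OAuth.
  syncthing:
    <<: *common-keys-basic # See EXTENSION FIELDS at the top
    image: lscr.io/linuxserver/syncthing
    container_name: syncthing
    ports:
      - "8384:8384"
      - "22000:22000/tcp"
      - "22000:22000/udp"
      - "21027:21027/udp"
    volumes:
      - /volume1:/data
      - $DOCKERDIR/appdata/syncthing:/config
    environment:
      PUID: $PUID
      PGID: $PGID
      TZ: $TZ
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.syncthing-rtr.entrypoints=https"
      - "traefik.http.routers.syncthing-rtr.rule=Host(`stnas.$DOMAINNAME0`)"
      ## Middlewares
      - "traefik.http.routers.syncthing-rtr.middlewares=chain-oauth-external@file"
      ## HTTP Services
      - "traefik.http.routers.syncthing-rtr.service=syncthing-svc"
      - "traefik.http.services.syncthing-svc.loadbalancer.server.port=8384"

  ############################# MAINTENANCE
  # WatchTower - Automatic Docker Container Updates
  # Does not use the extension fields (needs socket_proxy, not t2_proxy); security_opt is
  # listed explicitly so it matches every other service in this file.
  watchtower:
    image: containrrr/watchtower
    container_name: watchtower
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - default
      - socket_proxy
    environment:
      TZ: $TZ
      WATCHTOWER_CLEANUP: "true"
      WATCHTOWER_REMOVE_VOLUMES: "true"
      WATCHTOWER_INCLUDE_STOPPED: "true"
      WATCHTOWER_NO_STARTUP_MESSAGE: "false"
      WATCHTOWER_SCHEDULE: "0 30 12 * * *" # Everyday at 12:30
      WATCHTOWER_NOTIFICATIONS: shoutrrr
      WATCHTOWER_NOTIFICATION_URL: "telegram://$TGRAM_BOT_TOKEN@telegram?channels=$TGRAM_CHAT_ID"
      WATCHTOWER_NOTIFICATIONS_LEVEL: info
      DOCKER_HOST: tcp://socket-proxy:2375
      DOCKER_API_VERSION: "1.40"

  # Docker-GC - Automatic Docker Garbage Collection
  # Create docker-gc-exclude file
  dockergc:
    <<: *common-keys-apps # See EXTENSION FIELDS at the top
    image: clockworksoul/docker-gc-cron:latest
    container_name: docker-gc
    restart: unless-stopped
    networks: # replaces the merged "networks"; socket_proxy only
      - socket_proxy
    volumes:
      # - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy instead for improved security
      - $DOCKERDIR/appdata/docker-gc/docker-gc-exclude:/etc/docker-gc-exclude
    environment:
      CRON: "0 0 0 * * ?" # Everyday at midnight. Previously 0 0 * * *
      FORCE_IMAGE_REMOVAL: 1
      FORCE_CONTAINER_REMOVAL: 0
      GRACE_PERIOD_SECONDS: 604800
      DRY_RUN: 0
      CLEAN_UP_VOLUMES: 1
      TZ: $TZ
      DOCKER_HOST: tcp://socket-proxy:2375

  # Cloudflare DDNS - Dynamic DNS Updater
  # The API token is passed as a plain environment variable (the secret mount is noted as not
  # working), so it is visible in "docker inspect"; scope $CLOUDFLARE_API_TOKEN to DNS edit on this zone only.
  cf-ddns:
    <<: *common-keys-basic # See EXTENSION FIELDS at the top
    container_name: cf-ddns
    image: oznu/cloudflare-ddns:latest
    environment:
      API_KEY: $CLOUDFLARE_API_TOKEN
      ZONE: $DOMAINNAME0
      SUBDOMAIN: home
      PROXIED: "true"
      RRTYPE: A
      DELETE_ON_STOP: "false"
      DNS_SERVER: 1.1.1.1
    #secrets: # not working
    #  - cloudflare_api_token

  # Cloudflare-Companion - Automatic CNAME DNS Creation
  cf-companion:
    <<: *common-keys-apps # See EXTENSION FIELDS at the top
    container_name: cf-companion
    image: tiredofit/traefik-cloudflare-companion:latest
    networks: # replaces the merged "networks"; socket_proxy only
      - socket_proxy
    environment:
      - TIMEZONE=$TZ
      - TRAEFIK_VERSION=2
      #- CF_EMAIL=$CLOUDFLARE_EMAIL
      - CF_TOKEN=$CLOUDFLARE_API_TOKEN
      - TARGET_DOMAIN=home.$DOMAINNAME0
      - DOMAIN1=$DOMAINNAME0
      - DOMAIN1_ZONE_ID=$CLOUDFLARE_ZONEID # Copy from Cloudflare Overview page
      - DOMAIN1_PROXIED=TRUE
      - DOCKER_HOST=tcp://socket-proxy:2375
    secrets: # not working
      - cloudflare_api_token
    labels:
      # Add hosts specified in rules here to force cf-companion to create the CNAMEs
      # Since cf-companion creates CNAMEs based on host rules, this a workaround for non-docker/external apps
      # (no traefik.enable label on purpose: Traefik never creates this router, cf-companion only reads the rule)
      # Fixed: the pidoc Host() call was missing its closing parenthesis.
      - "traefik.http.routers.cf-companion-rtr.rule=Host(`webminh.$DOMAINNAME0`) || Host(`shellh.$DOMAINNAME0`) || Host(`syno.$DOMAINNAME0`) || Host(`ibox.$DOMAINNAME0`) || Host(`synplex.$DOMAINNAME0`) || Host(`pirpi.$DOMAINNAME0`) || Host(`pidoc.$DOMAINNAME0`) || Host(`stpc.$DOMAINNAME0`)"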