version: "3.9" ######### IMPORTANT ############# # This is my main docker-compose file with most of the apps. I run docker on other systems with smaller stacks (web and synology). # You can copy-paste services from one docker-compose file in this repo to another to add other apps. ########################### SYSTEM DESCRIPTION # DOCKER-COMPOSE FOR HOME/MEDIA SERVER # PROXMOX HOST: Dual Intel Xeon 5420, 16 GB RAM, 240 GB SSD, and 2 TB HDD # VM: 6 CORES, 12 GB RAM, Ubuntu 20.04, and Docker # 32 GB for /, 64 GB for /var/lib/docker and transcoding, and 1.5 TB for non-critical data and rclone cache. # Google Drive mounted using Rclone Docker for media and Proxmox backups ########################### NETWORKS # There is no need to create any networks outside this docker-compose file. # You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please. # Docker Compose version 3.5 or higher required to define networks this way. networks: t2_proxy: name: t2_proxy driver: bridge ipam: config: - subnet: 192.168.90.0/24 default: driver: bridge socket_proxy: name: socket_proxy driver: bridge ipam: config: - subnet: 192.168.91.0/24 ########################### SECRETS secrets: htpasswd: file: $DOCKERDIR/secrets/htpasswd cloudflare_email: file: $DOCKERDIR/secrets/cloudflare_email cloudflare_api_key: file: $DOCKERDIR/secrets/cloudflare_api_key cloudflare_api_token: file: $DOCKERDIR/secrets/cloudflare_api_token authelia_jwt_secret: file: $DOCKERDIR/secrets/authelia_jwt_secret authelia_session_secret: file: $DOCKERDIR/secrets/authelia_session_secret authelia_storage_mysql_password: file: $DOCKERDIR/secrets/authelia_storage_mysql_password authelia_notifier_smtp_password: file: $DOCKERDIR/secrets/authelia_notifier_smtp_password authelia_duo_api_secret_key: file: $DOCKERDIR/secrets/authelia_duo_api_secret_key authelia_storage_encryption_key: file: $DOCKERDIR/secrets/authelia_storage_encryption_key oauth_secret: file: $DOCKERDIR/secrets/oauth_secret google_client_secret: file: $DOCKERDIR/secrets/google_client_secret google_client_id: file: $DOCKERDIR/secrets/google_client_id my_email: file: $DOCKERDIR/secrets/my_email guac_db_name: file: $DOCKERDIR/secrets/guac_db_name guac_mysql_user: file: $DOCKERDIR/secrets/guac_mysql_user guac_mysql_password: file: $DOCKERDIR/secrets/guac_mysql_password mysql_root_password: file: $DOCKERDIR/secrets/mysql_root_password ########################### EXTENSION FIELDS # Helps eliminate repetition of sections # More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228 # Common environment values x-environment: &default-tz-puid-pgid TZ: $TZ PUID: $PUID PGID: $PGID # Proxy Network and Security x-network-and-security: &network-and-security networks: - t2_proxy security_opt: - no-new-privileges:true # Keys common to some of the services in basic-services.txt x-common-keys-basic: &common-keys-basic <<: *network-and-security restart: always # profiles: # - basic # Keys common to some of the dependent services/apps x-common-keys-apps: &common-keys-apps <<: *network-and-security restart: unless-stopped # profiles: # - apps # Keys common to some of the services in media-services.txt x-common-keys-media: &common-keys-media <<: *network-and-security restart: "no" # profiles: # - media ########################### SERVICES services: ############################# FRONTENDS # Traefik 2 - Reverse Proxy # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600. # touch $DOCKERDIR/traefik2/acme/acme.json # chmod 600 $DOCKERDIR/traefik2/acme/acme.json # touch $DOCKERDIR/traefik2/traefik.log traefik: <<: *common-keys-basic # See EXTENSION FIELDS at the top container_name: traefik image: traefik:2.5 command: # CLI arguments - --global.checkNewVersion=true - --global.sendAnonymousUsage=true - --entryPoints.http.address=:80 - --entryPoints.https.address=:443 # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/ - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22 - --entryPoints.traefik.address=:8080 # - --entryPoints.ping.address=:8081 - --api=true # - --api.insecure=true - --api.dashboard=true #- --ping=true #- --pilot.token=$TRAEFIK_PILOT_TOKEN # - --serversTransport.insecureSkipVerify=true - --log=true - --log.level=WARN # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC - --accessLog=false - --accessLog.filePath=/traefik.log - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines - --accessLog.filters.statusCodes=400-499 - --providers.docker=true # - --providers.docker.endpoint=unix:///var/run/docker.sock # Use Docker Socket Proxy instead for improved security - --providers.docker.endpoint=tcp://socket-proxy:2375 # Automatically set Host rule for services # - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME0`) - --providers.docker.exposedByDefault=false # - --entrypoints.https.http.middlewares=chain-oauth@file - --entrypoints.https.http.tls.options=tls-opts@file # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services - --entrypoints.https.http.tls.certresolver=dns-cloudflare - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME0 - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME0 # - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME1 # Pulls main cert for second domain # - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME1 # Pulls wildcard cert for second domain - --providers.docker.network=t2_proxy - --providers.docker.swarmMode=false - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file - --providers.file.watch=true # Only works on top level files in the rules folder # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53 - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate networks: t2_proxy: ipv4_address: 192.168.90.254 # You can specify a static IP socket_proxy: #healthcheck: # test: ["CMD", "traefik", "healthcheck", "--ping"] # interval: 5s # retries: 3 ports: - target: 80 published: 80 protocol: tcp mode: host - target: 443 published: 443 protocol: tcp mode: host # - target: 8080 # published: 8080 # protocol: tcp # mode: host volumes: - $DOCKERDIR/appdata/traefik2/rules:/rules # file provider directory # - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy instead for improved security - $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600 - $DOCKERDIR/appdata/traefik2/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container environment: - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key - HTPASSWD_FILE=/run/secrets/htpasswd # HTPASSWD_FILE can be whatever as it is not used/called anywhere. secrets: - cloudflare_email - cloudflare_api_key - htpasswd labels: #- "autoheal=true" - "traefik.enable=true" # HTTP-to-HTTPS Redirect - "traefik.http.routers.http-catchall.entrypoints=http" - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)" - "traefik.http.routers.http-catchall.middlewares=redirect-to-https" - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https" # HTTP Routers - "traefik.http.routers.traefik-rtr.entrypoints=https" - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME0`)" ## Services - API - "traefik.http.routers.traefik-rtr.service=api@internal" ## Healthcheck/ping #- "traefik.http.routers.ping.rule=Host(`traefik.$DOMAINNAME0`) && Path(`/ping`)" #- "traefik.http.routers.ping.tls=true" #- "traefik.http.routers.ping.service=ping@internal" ## Middlewares - "traefik.http.routers.traefik-rtr.middlewares=chain-oauth@file" # Docker Socket Proxy - Security Enchanced Proxy for Docker Socket socket-proxy: <<: *common-keys-basic # See EXTENSION FIELDS at the top container_name: socket-proxy image: tecnativa/docker-socket-proxy networks: socket_proxy: ipv4_address: 192.168.91.254 # You can specify a static IP privileged: true #ports: # - "127.0.0.1:2375:2375" # Port 2375 should only ever get exposed to the internal network. When possible use this line. # I use the next line instead, as I want portainer to manage multiple docker endpoints within my home network. # - "2375:2375" volumes: - "/var/run/docker.sock:/var/run/docker.sock" environment: - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.). # 0 to revoke access. # 1 to grant access. ## Granted by Default - EVENTS=1 - PING=1 - VERSION=1 ## Revoked by Default # Security critical - AUTH=0 - SECRETS=0 - POST=1 # Watchtower # Not always needed - BUILD=0 - COMMIT=0 - CONFIGS=0 - CONTAINERS=1 # Traefik, portainer, etc. - DISTRIBUTION=0 - EXEC=0 - IMAGES=1 # Portainer - INFO=1 # Portainer - NETWORKS=1 # Portainer - NODES=0 - PLUGINS=0 - SERVICES=1 # Portainer - SESSION=0 - SWARM=0 - SYSTEM=0 - TASKS=1 # Portainer - VOLUMES=1 # Portainer # Google OAuth - Single Sign On using OAuth 2.0 # https://www.smarthomebeginner.com/google-oauth-with-traefik-docker/ oauth: <<: *common-keys-basic # See EXTENSION FIELDS at the top container_name: oauth image: thomseddon/traefik-forward-auth:latest # image: thomseddon/traefik-forward-auth:2.1-arm # Use this image with Raspberry Pi # Allow apps to bypass OAuth. Radarr example below will bypass OAuth if API key is present in the request (eg. from NZB360 mobile app). # While this is one way, the recommended way is to bypass authentication using Traefik labels shown in some of the apps later. # command: --rule.radarr.action=allow --rule.radarr.rule="Headers(`X-Api-Key`, `$RADARR_API_KEY`)" # command: --rule.sabnzbd.action=allow --rule.sabnzbd.rule="HeadersRegexp(`X-Forwarded-Uri`, `$SABNZBD_API_KEY`)" environment: - PROVIDERS_GOOGLE_CLIENT_ID=$GOOGLE_CLIENT_ID - PROVIDERS_GOOGLE_CLIENT_SECRET=$GOOGLE_CLIENT_SECRET - SECRET=$OAUTH_SECRET - COOKIE_DOMAIN=$DOMAINNAME0 - INSECURE_COOKIE=false - AUTH_HOST=oauth.$DOMAINNAME0 - URL_PATH=/_oauth - WHITELIST=$MY_EMAIL - LOG_LEVEL=warn - LOG_FORMAT=text - LIFETIME=86400 # 1 day - DEFAULT_ACTION=auth - DEFAULT_PROVIDER=google secrets: - source: traefik-forward-auth target: /config labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.oauth-rtr.tls=true" - "traefik.http.routers.oauth-rtr.entrypoints=https" - "traefik.http.routers.oauth-rtr.rule=Host(`oauth.$DOMAINNAME0`)" ## Middlewares - "traefik.http.routers.oauth-rtr.middlewares=chain-oauth@file" ## HTTP Services - "traefik.http.routers.oauth-rtr.service=oauth-svc" - "traefik.http.services.oauth-svc.loadbalancer.server.port=4181" # Authelia (Lite) - Self-Hosted Single Sign-On and Two-Factor Authentication authelia: container_name: authelia # Check this before upgrading: https://github.com/authelia/authelia/blob/master/BREAKING.md image: authelia/authelia:latest restart: always # profiles: # - core networks: - t2_proxy - default # ports: # - "9091:9091" volumes: - $DOCKERDIR/appdata/authelia:/config environment: - TZ=$TZ - AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret - AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/run/secrets/authelia_storage_mysql_password - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/authelia_notifier_smtp_password - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/authelia_duo_api_secret_key - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/authelia_storage_encryption_key secrets: - authelia_jwt_secret - authelia_session_secret - authelia_storage_mysql_password - authelia_notifier_smtp_password - authelia_duo_api_secret_key - authelia_storage_encryption_key labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.authelia-rtr.entrypoints=https" - "traefik.http.routers.authelia-rtr.rule=Host(`authelia.$DOMAINNAME0`)" - "traefik.http.routers.authelia-rtr.tls=true" ## Middlewares - "traefik.http.routers.authelia-rtr.middlewares=chain-authelia@file" ## HTTP Services - "traefik.http.routers.authelia-rtr.service=authelia-svc" - "traefik.http.services.authelia-svc.loadbalancer.server.port=9091" # Portainer - WebUI for Containers portainer: <<: *common-keys-basic # See EXTENSION FIELDS at the top container_name: portainer image: portainer/portainer-ce:latest # command: -H unix:///var/run/docker.sock # # Use Docker Socket Proxy instead for improved security command: -H tcp://socket-proxy:2375 networks: - t2_proxy - socket_proxy volumes: # - /var/run/docker.sock:/var/run/docker.sock:ro # # Use Docker Socket Proxy instead for improved security - $DOCKERDIR/appdata/portainer/data:/data # Change to local directory if you want to save/transfer config locally environment: - TZ=$TZ labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.portainer-rtr.entrypoints=https" - "traefik.http.routers.portainer-rtr.rule=Host(`portainer.$DOMAINNAME0`)" ## Middlewares - "traefik.http.routers.portainer-rtr.middlewares=chain-oauth@file" ## HTTP Services - "traefik.http.routers.portainer-rtr.service=portainer-svc" - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000" # Autoindex - Simple Directory Index autoindex: <<: *common-keys-apps # See EXTENSION FIELDS at the top container_name: autoindex image: dceoy/nginx-autoindex:latest # ports: # - "$AUTOINDEX_PORT:80" volumes: #- $USERDIR:/var/lib/nginx/html:ro # Location you want to index - /media/data:/var/lib/nginx/html:ro # Location you want to index labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.autoindex-rtr.entrypoints=https" - "traefik.http.routers.autoindex-rtr.rule=Host(`index.$DOMAINNAME0`)" ## Middlewares - "traefik.http.routers.autoindex-rtr.middlewares=chain-oauth@file" ## HTTP Services - "traefik.http.routers.autoindex-rtr.service=autoindex-svc" - "traefik.http.services.autoindex-svc.loadbalancer.server.port=80" ############################# DOWNLOADERS # jDownloader - Download management jdownloader: <<: *common-keys-apps # See EXTENSION FIELDS at the top image: jlesage/jdownloader-2:latest container_name: jdownloader # ports: # - "$JDOWNLOADER_PORT:5800" volumes: - $DATADIR/downloads:/data/downloads - $DOCKERDIR/appdata/jdownloader:/config environment: USER_ID: $PUID GROUP_ID: $PGID TZ: $TZ UMASK: 002 KEEP_APP_RUNNING: 1 CLEAN_TMP_DIR: 1 DISPLAY_WIDTH: 1600 DISPLAY_HEIGHT: 960 VNC_PASSWORD: $JDOWN_VNC_PASSWD labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.jdownloader-rtr.entrypoints=https" - "traefik.http.routers.jdownloader-rtr.rule=Host(`jdown.$DOMAINNAME0`)" ## Middlewares - "traefik.http.routers.jdownloader-rtr.middlewares=chain-oauth@file" ## HTTP Services - "traefik.http.routers.jdownloader-rtr.service=jdownloader-svc" - "traefik.http.services.jdownloader-svc.loadbalancer.server.port=5800" # TransmissionBT - Torrent Downloader # ONLY ACCESSIBLE THROUGH https://domain.com/transmission/web/ if using PathPrefix transmission-vpn: image: haugene/transmission-openvpn:latest container_name: transmission-vpn restart: unless-stopped networks: t2_proxy: ipv4_address: 192.168.90.169 # ports: # - "$TRANSMISSION_PORT:9091" cap_add: - NET_ADMIN #devices: # - /dev/net/tun #dns: # - 1.1.1.1 # - 1.0.0.1 volumes: - /etc/localtime:/etc/localtime:ro - $DOCKERDIR/appdata/transmission-vpn/data:/data - $DOCKERDIR/appdata/transmission-vpn/config:/config - $DATADIR/downloads:/data/downloads environment: <<: *default-tz-puid-pgid OPENVPN_PROVIDER: FASTESTVPN OPENVPN_USERNAME: $FASTEST_USERNAME OPENVPN_PASSWORD: $FASTEST_PASSWORD #OPENVPN_CONFIG: "Switzerland-UDP" #OPENVPN_OPTS: --inactive 3600 --ping 10 --ping-exit 60 LOCAL_NETWORK: "$LOCAL_NETWORK" UMASK_SET: 2 TRANSMISSION_RPC_AUTHENTICATION_REQUIRED: "true" TRANSMISSION_RPC_HOST_WHITELIST: "127.0.0.1,$SERVER_IP" TRANSMISSION_RPC_PASSWORD: $TRANSMISSION_RPC_PASSWORD TRANSMISSION_RPC_USERNAME: $TRANSMISSION_RPC_USERNAME TRANSMISSION_UMASK: 002 TRANSMISSION_RATIO_LIMIT: 0.01 TRANSMISSION_RATIO_LIMIT_ENABLED: "true" TRANSMISSION_ALT_SPEED_DOWN: 40000 TRANSMISSION_ALT_SPEED_ENABLED: "false" TRANSMISSION_ALT_SPEED_UP: 250 TRANSMISSION_SPEED_LIMIT_DOWN: 80000 TRANSMISSION_SPEED_LIMIT_DOWN_ENABLED: "true" TRANSMISSION_SPEED_LIMIT_UP: 500 TRANSMISSION_SPEED_LIMIT_UP_ENABLED: "true" TRANSMISSION_INCOMPLETE_DIR: /data/downloads/torrents/incomplete TRANSMISSION_INCOMPLETE_DIR_ENABLED: "true" TRANSMISSION_WATCH_DIR: /data/downloads/torrents TRANSMISSION_WATCH_DIR_ENABLED: "true" TRANSMISSION_DOWNLOAD_DIR: /data/downloads/torrents LOG_TO_STDOUT: "true" labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.transmission-vpn-rtr.entrypoints=https" - "traefik.http.routers.transmission-vpn-rtr.rule=Host(`trans.$DOMAINNAME0`)" ## Middlewares - "traefik.http.routers.transmission-vpn-rtr.middlewares=middlewares-rate-limit@file" ## HTTP Services - "traefik.http.routers.transmission-vpn-rtr.service=transmission-vpn-svc" - "traefik.http.services.transmission-vpn-svc.loadbalancer.server.port=9091" # qBittorrent - Torrent downloader # Needs trailing / if using PathPrefixStrip qbittorrent: <<: *common-keys-apps # See EXTENSION FIELDS at the top image: lscr.io/linuxserver/qbittorrent:latest container_name: qbittorrent #network_mode: container:transmission-vpn # ports: # - "$QBITTORRENT_PORT:8168" volumes: - $DOCKERDIR/appdata/qbittorrent:/config - $DATADIR/downloads:/downloads environment: <<: *default-tz-puid-pgid UMASK_SET: 002 WEBUI_PORT: 8168 labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.qbittorrent-rtr.entrypoints=https" - "traefik.http.routers.qbittorrent-rtr.rule=Host(`qbit.$DOMAINNAME0`)" ## Middlewares - "traefik.http.routers.qbittorrent-rtr.middlewares=chain-oauth@file" ## HTTP Services - "traefik.http.routers.qbittorrent-rtr.service=qbittorrent-svc" - "traefik.http.services.qbittorrent-svc.loadbalancer.server.port=8168" # nzbget - Binary newsgrabber (NZB downloader) nzbget: <<: *common-keys-apps # See EXTENSION FIELDS at the top image: lscr.io/linuxserver/nzbget container_name: nzbget networks: t2_proxy: ipv4_address: 192.168.90.216 ports: - "$NZBGET_PORT:6789" volumes: - $DOCKERDIR/appdata/nzbget:/config - $DATADIR/downloads:/data/downloads environment: <<: *default-tz-puid-pgid labels: - "traefik.enable=true" ## HTTP Routers Auth Bypass - "traefik.http.routers.nzbget-rtr-bypass.entrypoints=https" # BYPASS IS NOT WORKING YET. NEED TO FIGURE THIS OUT. - "traefik.http.routers.nzbget-rtr-bypass.rule=Host(`nzbget.$DOMAINNAME0`)" #- "traefik.http.routers.nzbget-rtr-bypass.rule=Host(`nzbget.$DOMAINNAME0`) && Query(`apikey`, `$NZBGET_API_KEY`)" - "traefik.http.routers.nzbget-rtr-bypass.priority=100" ## HTTP Routers Auth - "traefik.http.routers.nzbget-rtr.entrypoints=https" - "traefik.http.routers.nzbget-rtr.rule=Host(`nzbget.$DOMAINNAME0`)" - "traefik.http.routers.nzbget-rtr.priority=99" ## Middlewares - "traefik.http.routers.nzbget-rtr-bypass.middlewares=chain-no-auth@file" - "traefik.http.routers.nzbget-rtr.middlewares=chain-no-auth@file" ## HTTP Services - "traefik.http.routers.nzbget-rtr.service=nzbget-svc" - "traefik.http.routers.nzbget-rtr-bypass.service=nzbget-svc" - "traefik.http.services.nzbget-svc.loadbalancer.server.port=6789" ############################# INDEXERS # Jackett - Torrent proxy # Set url_base in Jackett settings if using PathPrefix jackett: <<: *common-keys-apps # See EXTENSION FIELDS at the top image: lscr.io/linuxserver/jackett:latest container_name: jackett # network_mode: container:transmission-vpn networks: t2_proxy: ipv4_address: 192.168.90.161 # ports: # - "$JACKETT_PORT:9117" volumes: - $DOCKERDIR/appdata/jackett:/config - $DATADIR/downloads:/data/downloads - "/etc/localtime:/etc/localtime:ro" environment: <<: *default-tz-puid-pgid labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.jackett-rtr.entrypoints=https" - "traefik.http.routers.jackett-rtr.rule=Host(`jackett.$DOMAINNAME0`)" ## Middlewares - "traefik.http.routers.jackett-rtr.middlewares=chain-oauth@file" ## HTTP Services - "traefik.http.routers.jackett-rtr.service=jackett-svc" - "traefik.http.services.jackett-svc.loadbalancer.server.port=9117" # Prowlarr - Torrent proxy prowlarr: <<: *common-keys-apps # See EXTENSION FIELDS at the top image: ghcr.io/linuxserver/prowlarr:develop container_name: prowlarr networks: t2_proxy: ipv4_address: 192.168.90.162 # ports: # - "$PROWLARR_PORT:9696" volumes: - $DOCKERDIR/appdata/prowlarr:/config - "/etc/localtime:/etc/localtime:ro" environment: <<: *default-tz-puid-pgid labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.prowlarr-rtr.entrypoints=https" - "traefik.http.routers.prowlarr-rtr.rule=Host(`prowlarr.$DOMAINNAME0`)" ## Middlewares - "traefik.http.routers.prowlarr-rtr.middlewares=chain-oauth@file" ## HTTP Services - "traefik.http.routers.prowlarr-rtr.service=prowlarr-svc" - "traefik.http.services.prowlarr-svc.loadbalancer.server.port=9696" # NZBHydra2 - NZB meta search hydra: <<: *common-keys-apps # See EXTENSION FIELDS at the top image: linuxserver/nzbhydra2:latest container_name: hydra ports: - "$NZBHYDRA_PORT:5076" volumes: - $DOCKERDIR/appdata/hydra2:/config - $DATADIR/downloads:/data/downloads environment: <<: *default-tz-puid-pgid labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.hydra-rtr.entrypoints=https" - "traefik.http.routers.hydra-rtr.rule=Host(`hydra.$DOMAINNAME0`)" ## Middlewares - "traefik.http.routers.hydra-rtr.middlewares=chain-oauth@file" ## HTTP Services - "traefik.http.routers.hydra-rtr.service=hydra-svc" - "traefik.http.services.hydra-svc.loadbalancer.server.port=5076" ############################# PVRS # Lidarr - Music Management # Set url_base in lidarr settings if using PathPrefix lidarr: <<: *common-keys-media # See EXTENSION FIELDS at the top image: lscr.io/linuxserver/lidarr:latest container_name: lidarr networks: t2_proxy: ipv4_address: 192.168.90.163 ports: - "$LIDARR_PORT:8686" volumes: - $DOCKERDIR/appdata/lidarr:/config # Optional. See why MediaCover is mounted as volume https://github.com/htpcBeginner/docker-traefik/discussions/147 - $DATADIR/temp/docker/appdata/lidarr/MediaCover:/config/MediaCover - $DATADIR/downloads:/data/downloads - $DATADIR/media/music:/data/media/music - "/etc/localtime:/etc/localtime:ro" environment: <<: *default-tz-puid-pgid labels: - "traefik.enable=true" ## HTTP Routers Auth Bypass - "traefik.http.routers.lidarr-rtr-bypass.entrypoints=https" - "traefik.http.routers.lidarr-rtr-bypass.rule=Host(`lidarr.$DOMAINNAME0`) && (Headers(`X-Api-Key`, `$LIDARR_API_KEY`) || Query(`apikey`, `$LIDARR_API_KEY`))" - "traefik.http.routers.lidarr-rtr-bypass.priority=100" ## HTTP Routers Auth - "traefik.http.routers.lidarr-rtr.entrypoints=https" - "traefik.http.routers.lidarr-rtr.rule=Host(`lidarr.$DOMAINNAME0`)" - "traefik.http.routers.lidarr-rtr.priority=99" ## Middlewares - "traefik.http.routers.lidarr-rtr-bypass.middlewares=chain-no-auth@file" - "traefik.http.routers.lidarr-rtr.middlewares=chain-oauth@file" ## HTTP Services - "traefik.http.routers.lidarr-rtr.service=lidarr-svc" - "traefik.http.routers.lidarr-rtr-bypass.service=lidarr-svc" - "traefik.http.services.lidarr-svc.loadbalancer.server.port=8686" # Radarr - Movie management # Set url_base in radarr settings if using PathPrefix radarr: <<: *common-keys-media # See EXTENSION FIELDS at the top image: lscr.io/linuxserver/radarr:nightly # latest was causing "Error parsing column 45" container_name: radarr networks: t2_proxy: ipv4_address: 192.168.90.164 ports: - "$RADARR_PORT:7878" volumes: - $DOCKERDIR/appdata/radarr:/config # Optional. See why MediaCover is mounted as volume https://github.com/htpcBeginner/docker-traefik/discussions/147 - $DATADIR/temp/docker/appdata/radarr/MediaCover:/config/MediaCover - $DATADIR/downloads:/data/downloads - $DATADIR/media:/data/media - "/etc/localtime:/etc/localtime:ro" environment: <<: *default-tz-puid-pgid labels: - "traefik.enable=true" ## HTTP Routers Auth Bypass - "traefik.http.routers.radarr-rtr-bypass.entrypoints=https" - "traefik.http.routers.radarr-rtr-bypass.rule=Host(`radarr.$DOMAINNAME0`) && (Headers(`X-Api-Key`, `$RADARR_API_KEY`) || Query(`apikey`, `$RADARR_API_KEY`))" - "traefik.http.routers.radarr-rtr-bypass.priority=100" ## HTTP Routers Auth - "traefik.http.routers.radarr-rtr.entrypoints=https" - "traefik.http.routers.radarr-rtr.rule=Host(`radarr.$DOMAINNAME0`)" - "traefik.http.routers.radarr-rtr.priority=99" ## Middlewares - "traefik.http.routers.radarr-rtr-bypass.middlewares=chain-no-auth@file" - "traefik.http.routers.radarr-rtr.middlewares=chain-oauth@file" ## HTTP Services - "traefik.http.routers.radarr-rtr.service=radarr-svc" - "traefik.http.routers.radarr-rtr-bypass.service=radarr-svc" - "traefik.http.services.radarr-svc.loadbalancer.server.port=7878" # Sonarr - TV Shows management # Set url_base in sonarr settings if using PathPrefix sonarr: <<: *common-keys-media # See EXTENSION FIELDS at the top image: lscr.io/linuxserver/sonarr container_name: sonarr networks: t2_proxy: ipv4_address: 192.168.90.167 ports: - "$SONARR_PORT:8989" volumes: - $DOCKERDIR/appdata/sonarr:/config # Optional. See why MediaCover is mounted as volume https://github.com/htpcBeginner/docker-traefik/discussions/147 - $DATADIR/temp/docker/appdata/sonarr/MediaCover:/config/MediaCover - $DATADIR/downloads:/data/downloads - $DATADIR/media:/data/media - "/etc/localtime:/etc/localtime:ro" environment: <<: *default-tz-puid-pgid labels: - "traefik.enable=true" ## HTTP Routers Auth Bypass - "traefik.http.routers.sonarr-rtr-bypass.entrypoints=https" - "traefik.http.routers.sonarr-rtr-bypass.rule=Host(`sonarr.$DOMAINNAME0`) && (Headers(`X-Api-Key`, `$SONARR_API_KEY`) || Query(`apikey`, `$SONARR_API_KEY`))" - "traefik.http.routers.sonarr-rtr-bypass.priority=100" ## HTTP Routers Auth - "traefik.http.routers.sonarr-rtr.entrypoints=https" - "traefik.http.routers.sonarr-rtr.rule=Host(`sonarr.$DOMAINNAME0`)" - "traefik.http.routers.sonarr-rtr.priority=99" ## Middlewares - "traefik.http.routers.sonarr-rtr-bypass.middlewares=chain-no-auth@file" - "traefik.http.routers.sonarr-rtr.middlewares=chain-oauth@file" ## HTTP Services - "traefik.http.routers.sonarr-rtr.service=sonarr-svc" - "traefik.http.routers.sonarr-rtr-bypass.service=sonarr-svc" - "traefik.http.services.sonarr-svc.loadbalancer.server.port=8989" # Readarr - Books management # Set url_base in readarr settings if using PathPrefix readarr: <<: *common-keys-media # See EXTENSION FIELDS at the top image: hotio/readarr:nightly container_name: readarr # ports: # - "$READARR_PORT:8989" volumes: - $DOCKERDIR/appdata/readarr:/config - $DATADIR/downloads:/data/downloads - $DATADIR/media/books:/data/media/books - "/etc/localtime:/etc/localtime:ro" environment: <<: *default-tz-puid-pgid UMASK: 002 #ARGS: "" labels: - "traefik.enable=true" ## HTTP Routers Auth - "traefik.http.routers.readarr-rtr.entrypoints=https" - "traefik.http.routers.readarr-rtr.rule=Host(`readarr.$DOMAINNAME0`)" ## Middlewares - "traefik.http.routers.readarr-rtr.middlewares=chain-oauth@file" ## HTTP Services - "traefik.http.routers.readarr-rtr.service=readarr-svc" - "traefik.http.services.readarr-svc.loadbalancer.server.port=8787" ############################# MEDIA # Navidrome - Music Server navidrome: <<: *common-keys-media # See EXTENSION FIELDS at the top container_name: navidrome image: deluan/navidrome:latest # ports: # - "$FUNKWHALE_PORT:4533" user: $PUID:$PGID volumes: - $DOCKERDIR/appdata/navidrome:/data - $DATADIR/media/music/English:/music/English:ro - $DATADIR/media/music/Kids:/music/Kids:ro environment: - TZ=$TZ - ND_SCANSCHEDULE=1h - ND_LOGLEVEL=info #- ND_BASEURL="" - ND_SESSIONTIMEOUT=24h labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.navidrome-rtr.entrypoints=https" - "traefik.http.routers.navidrome-rtr.rule=Host(`proxnd.$DOMAINNAME0`)" ## Middlewares - "traefik.http.routers.navidrome-rtr.middlewares=chain-no-auth@file" ## HTTP Services - "traefik.http.routers.navidrome-rtr.service=navidrome-svc" - "traefik.http.services.navidrome-svc.loadbalancer.server.port=4533" # FunkWhale - Music Server funkwhale: <<: *common-keys-media # See EXTENSION FIELDS at the top container_name: funkwhale image: thetarkus/funkwhale # ports: # - "$FUNKWHALE_PORT:80" volumes: - $DOCKERDIR/appdata/funkwhale:/data - $DATADIR/media/music:/music:ro environment: - PUID=$PUID - PGID=$PGID - FUNKWHALE_HOSTNAME=proxfw.$DOMAINNAME0 - NESTED_PROXY=1 labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.funkwhale-rtr.entrypoints=https" - "traefik.http.routers.funkwhale-rtr.rule=Host(`proxfw.$DOMAINNAME0`)" ## Middlewares - "traefik.http.routers.funkwhale-rtr.middlewares=chain-no-auth@file" ## HTTP Services - "traefik.http.routers.funkwhale-rtr.service=funkwhale-svc" - "traefik.http.services.funkwhale-svc.loadbalancer.server.port=80" # Jellyfin - Media Server jellyfin: <<: *common-keys-media # See EXTENSION FIELDS at the top image: jellyfin/jellyfin:latest container_name: jellyfin devices: - /dev/dri:/dev/dri # for harware transcoding ports: - "$JELLYFIN_PORT:8096" - "8920:8920" # Emby also uses same port if running both environment: <<: *default-tz-puid-pgid UMASK_SET: 022 volumes: - $DOCKERDIR/appdata/jellyfin:/config - $DATADIR/temp/docker/appdata/jellyfin/metadata:/config/metadata - $DATADIR/downloads:/data/downloads - $DATADIR/media:/data/media - /dev/shm:/data/transcode # Offload transcoding to RAM if you have enough RAM labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.jellyfin-rtr.entrypoints=https" - "traefik.http.routers.jellyfin-rtr.rule=Host(`proxjf.$DOMAINNAME0`)" ## Middlewares - "traefik.http.routers.jellyfin-rtr.middlewares=chain-no-auth@file" ## HTTP Services - "traefik.http.routers.jellyfin-rtr.service=jellyfin-svc" - "traefik.http.services.jellyfin-svc.loadbalancer.server.port=8096" # Photoshow - Simple Photo Viewer photoshow: <<: *common-keys-media # See EXTENSION FIELDS at the top image: lscr.io/linuxserver/photoshow container_name: photoshow volumes: - $DATADIR/media/misc:/Pictures - $DOCKERDIR/appdata/photoshow:/config - $DATADIR/temp/docker/appdata/photoshow:/Thumbs environment: <<: *default-tz-puid-pgid labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.photoshow-rtr.entrypoints=https" - "traefik.http.routers.photoshow-rtr.rule=Host(`photoshow.$DOMAINNAME0`)" ## Middlewares - "traefik.http.routers.photoshow-rtr.middlewares=chain-oauth@file" ## HTTP Services - "traefik.http.routers.photoshow-rtr.service=photoshow-svc" - "traefik.http.services.photoshow-svc.loadbalancer.server.port=80" ############################# MEDIA FILE MANAGEMENT # Bazarr - Subtitle Management bazarr: <<: *common-keys-media # See EXTENSION FIELDS at the top image: lscr.io/linuxserver/bazarr container_name: bazarr ports: - "$BAZARR_PORT:6767" volumes: - $DOCKERDIR/appdata/bazarr:/config - $DATADIR/media:/data/media environment: <<: *default-tz-puid-pgid labels: - "traefik.enable=true" ## HTTP Routers Auth Bypass - "traefik.http.routers.bazarr-rtr-bypass.entrypoints=https" - "traefik.http.routers.bazarr-rtr-bypass.rule=Host(`bazarr.$DOMAINNAME0`) && (Headers(`X-Api-Key`, `$BAZARR_API_KEY`) || Query(`apikey`, `$BAZARR_API_KEY`))" - "traefik.http.routers.bazarr-rtr-bypass.priority=100" ## HTTP Routers Auth - "traefik.http.routers.bazarr-rtr.entrypoints=https" - "traefik.http.routers.bazarr-rtr.rule=Host(`bazarr.$DOMAINNAME0`)" - "traefik.http.routers.bazarr-rtr.priority=99" ## Middlewares - "traefik.http.routers.bazarr-rtr-bypass.middlewares=chain-no-auth@file" - "traefik.http.routers.bazarr-rtr.middlewares=chain-oauth@file" ## HTTP Services - "traefik.http.routers.bazarr-rtr.service=bazarr-svc" - "traefik.http.routers.bazarr-rtr-bypass.service=bazarr-svc" - "traefik.http.services.bazarr-svc.loadbalancer.server.port=6767" # Picard - Music Library Tagging and Management picard: <<: *common-keys-media # See EXTENSION FIELDS at the top image: mikenye/picard:latest container_name: picard # ports: # - "$PICARD_PORT:5800" volumes: - $DATADIR/downloads:/data/downloads:rw - $DOCKERDIR/appdata/picard:/config:rw # - $DATADIR/media/music:/data/media/music:rw - /dev/shm:/dev/shm environment: USER_ID: $PUID GROUP_ID: $PGID TZ: $TZ UMASK: 002 DISPLAY_WIDTH: 1600 DISPLAY_HEIGHT: 960 labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.picard-rtr.entrypoints=https" - "traefik.http.routers.picard-rtr.rule=Host(`picard.$DOMAINNAME0`)" ## Middlewares - "traefik.http.routers.picard-rtr.middlewares=chain-oauth@file" ## HTTP Services - "traefik.http.routers.picard-rtr.service=picard-svc" - "traefik.http.services.picard-svc.loadbalancer.server.port=5800" # Handbrake - Video Conversion (Transcoding and compression) handbrake: <<: *common-keys-apps # See EXTENSION FIELDS at the top image: jlesage/handbrake:latest container_name: handbrake # ports: # - "$HANDBRAKE_PORT:5800" volumes: - $DATADIR/downloads:/data/downloads - $DOCKERDIR/appdata/handbrake/config:/config - $DOCKERDIR/appdata/handbrake/watch:/watch environment: USER_ID: $PUID GROUP_ID: $PGID UMASK: 002 TZ: $TZ KEEP_APP_RUNNING: 1 CLEAN_TMP_DIR: 1 DISPLAY_WIDTH: 1600 DISPLAY_HEIGHT: 960 AUTOMATED_CONVERSION_KEEP_SOURCE: 1 VNC_PASSWORD: $HANDBRAKE_VNC_PASSWD labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.handbrake-rtr.entrypoints=https" - "traefik.http.routers.handbrake-rtr.rule=Host(`handbrake.$DOMAINNAME0`)" ## Middlewares - "traefik.http.routers.handbrake-rtr.middlewares=chain-oauth@file" ## HTTP Services - "traefik.http.routers.handbrake-rtr.service=handbrake-svc" - "traefik.http.services.handbrake-svc.loadbalancer.server.port=5800" # MKVToolNix - Video Editing (Remuxing - changing media container while keeping original source quality) mkvtoolnix: <<: *common-keys-apps # See EXTENSION FIELDS at the top image: jlesage/mkvtoolnix:latest container_name: mkvtoolnix # ports: # - "$MKVTOOLNIX_PORT:5800" volumes: - $DATADIR/downloads:/data/downloads - $DOCKERDIR/appdata/mkvtoolnix/config:/config:rw environment: USER_ID: $PUID GROUP_ID: $PGID UMASK: 002 TZ: $TZ KEEP_APP_RUNNING: 1 CLEAN_TMP_DIR: 1 DISPLAY_WIDTH: 1600 DISPLAY_HEIGHT: 960 VNC_PASSWORD: $MKVTOOLNIX_VNC_PASSWD labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.mkvtoolnix-rtr.entrypoints=https" - "traefik.http.routers.mkvtoolnix-rtr.rule=Host(`mkvtoolnix.$DOMAINNAME0`)" ## Middlewares - "traefik.http.routers.mkvtoolnix-rtr.middlewares=chain-oauth@file" ## HTTP Services - "traefik.http.routers.mkvtoolnix-rtr.service=mkvtoolnix-svc" - "traefik.http.services.mkvtoolnix-svc.loadbalancer.server.port=5800" # MakeMKV - Video Editing (Ripping from Disks) makemkv: <<: *common-keys-apps # See EXTENSION FIELDS at the top image: jlesage/makemkv:latest container_name: makemkv # ports: # - "$MAKEMKV_PORT:5800" volumes: - $DATADIR/downloads:/data/downloads - $DOCKERDIR/appdata/makemkv/config:/config - /dev/shm:/dev/shm environment: USER_ID: $PUID GROUP_ID: $PGID UMASK: 002 TZ: $TZ KEEP_APP_RUNNING: 1 CLEAN_TMP_DIR: 1 DISPLAY_WIDTH: 1600 DISPLAY_HEIGHT: 960 VNC_PASSWORD: $MAKEMKV_VNC_PASSWD labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.makemkv-rtr.entrypoints=https" - "traefik.http.routers.makemkv-rtr.rule=Host(`makemkv.$DOMAINNAME0`)" ## Middlewares - "traefik.http.routers.makemkv-rtr.middlewares=chain-oauth@file" ## HTTP Services - "traefik.http.routers.makemkv-rtr.service=makemkv-svc" - "traefik.http.services.makemkv-svc.loadbalancer.server.port=5800" ############################# UTILITIES # Grafana - Graphical data visualization for InfluxDB data grafana: <<: *common-keys-apps # See EXTENSION FIELDS at the top image: grafana/grafana:latest container_name: grafana networks: - t2_proxy - default # ports: # - "$GRAFANA_PORT:3000" user: "0" volumes: - $DOCKERDIR/appdata/grafana:/var/lib/grafana environment: GF_INSTALL_PLUGINS: "grafana-clock-panel,grafana-simple-json-datasource,grafana-worldmap-panel,grafana-piechart-panel" labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.grafana-rtr.entrypoints=https" - "traefik.http.routers.grafana-rtr.rule=Host(`grafana.$DOMAINNAME0`)" ## Middlewares - "traefik.http.routers.grafana-rtr.middlewares=chain-oauth@file" ## HTTP Services - "traefik.http.routers.grafana-rtr.service=grafana-svc" - "traefik.http.services.grafana-svc.loadbalancer.server.port=3000" # Guacamole - Remote desktop, SSH, on Telnet on any HTML5 Browser # Create all databases and tables first guacamole: <<: *common-keys-apps # See EXTENSION FIELDS at the top image: guacamole/guacamole:latest container_name: guacamole networks: - t2_proxy - default # ports: # - "$GUACAMOLE_PORT:8080" environment: GUACD_HOSTNAME: guacd MYSQL_HOSTNAME: $MARIADB_HOST MYSQL_PORT: $MARIADB_PORT MYSQL_DATABASE_FILE: /run/secrets/guac_db_name MYSQL_USER_FILE: /run/secrets/guac_mysql_user MYSQL_PASSWORD_FILE: /run/secrets/guac_mysql_password secrets: - guac_db_name - guac_mysql_user - guac_mysql_password labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.guacamole-rtr.entrypoints=https" - "traefik.http.routers.guacamole-rtr.rule=Host(`guac.$DOMAINNAME0`)" ## Middlewares - "traefik.http.routers.guacamole-rtr.middlewares=chain-oauth@file,add-guacamole" - "traefik.http.middlewares.add-guacamole.addPrefix.prefix=/guacamole" ## HTTP Services - "traefik.http.routers.guacamole-rtr.service=guacamole-svc" - "traefik.http.services.guacamole-svc.loadbalancer.server.port=8080" # Guacamole Daemon - Needed for Guacamole guacd: <<: *common-keys-apps # See EXTENSION FIELDS at the top image: guacamole/guacd container_name: guacd restart: unless-stopped # Firefox - Web Broswer # VNC password not working - check firefox: <<: *common-keys-apps # See EXTENSION FIELDS at the top image: jlesage/firefox:latest container_name: firefox security_opt: - no-new-privileges:true - seccomp:unconfined # October 15, 2020 https://github.com/jlesage/docker-firefox/blob/master/README.md#allowing-the-membarrier-system-call # ports: # - "$FIREFOX_PORT:5800" volumes: - $DOCKERDIR/appdata/firefox:/config - $DATADIR/downloads:/data/downloads - /dev/shm:/dev/shm environment: USER_ID: $PUID GROUP_ID: $PGID TZ: $TZ UMASK: 002 KEEP_APP_RUNNING: 1 CLEAN_TMP_DIR: 1 DISPLAY_WIDTH: 1920 DISPLAY_HEIGHT: 1080 VNC_PASSWD: $FIREFOX_VNC_PASSWD labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.firefox-rtr.entrypoints=https" - "traefik.http.routers.firefox-rtr.rule=Host(`firefox.$DOMAINNAME0`)" ## Middlewares - "traefik.http.routers.firefox-rtr.middlewares=chain-oauth@file" ## HTTP Services - "traefik.http.routers.firefox-rtr.service=firefox-svc" - "traefik.http.services.firefox-svc.loadbalancer.server.port=5800" # Glances - System Information glances: <<: *common-keys-apps # See EXTENSION FIELDS at the top image: nicolargo/glances:latest container_name: glances privileged: true # network_mode: host networks: - t2_proxy - socket_proxy - default # ports: # - "$GLANCES_PORT:61208" pid: host volumes: - $DOCKERDIR/appdata/glances/glances.conf:/glances/conf/glances.conf # Use this if you want to add a glances.conf file - $USERDIR:/data/home:ro - /media/data:/data/data:ro # - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy instead for improved security environment: # GLANCES_OPT: "-C /glances/conf/glances.conf --quiet --export influxdb" # GLANCES_OPT: "--export influxdb" GLANCES_OPT: "-w" DOCKER_HOST: tcp://socket-proxy:2375 labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.glances-rtr.entrypoints=https" - "traefik.http.routers.glances-rtr.rule=Host(`glances.$DOMAINNAME0`)" ## Middlewares - "traefik.http.routers.glances-rtr.middlewares=chain-oauth@file" ## HTTP Services - "traefik.http.routers.glances-rtr.service=glances-svc" - "traefik.http.services.glances-svc.loadbalancer.server.port=61208" # qDirStat - Directory Statistics qdirstat: <<: *common-keys-apps # See EXTENSION FIELDS at the top image: jlesage/qdirstat:latest container_name: qdirstat # ports: # - "$QDIRSTAT_PORT:5800" volumes: - $USERDIR:/data/home:ro - $DOCKERDIR/appdata/qdirstat/config:/config:rw - /media/data:/data/data:ro environment: USER_ID: $PUID GROUP_ID: $PGID UMASK: 002 TZ: $TZ KEEP_APP_RUNNING: 1 CLEAN_TMP_DIR: 1 DISPLAY_WIDTH: 1600 DISPLAY_HEIGHT: 960 VNC_PASSWORD: $QDIRSTAT_VNC_PASSWD labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.qdirstat-rtr.entrypoints=https" - "traefik.http.routers.qdirstat-rtr.rule=Host(`qdirstat.$DOMAINNAME0`)" ## Middlewares - "traefik.http.routers.qdirstat-rtr.middlewares=chain-oauth@file" ## HTTP Services - "traefik.http.routers.qdirstat-rtr.service=qdirstat-svc" - "traefik.http.services.qdirstat-svc.loadbalancer.server.port=5800" # Dozzle - Real-time Docker Log Viewer dozzle: <<: *common-keys-apps # See EXTENSION FIELDS at the top image: amir20/dozzle:latest container_name: dozzle networks: - t2_proxy - socket_proxy # ports: # - "$DOZZLE_PORT:8080" environment: DOZZLE_LEVEL: info DOZZLE_TAILSIZE: 300 DOZZLE_FILTER: "status=running" # DOZZLE_FILTER: "label=log_me" # limits logs displayed to containers with this label DOCKER_HOST: tcp://socket-proxy:2375 # volumes: # - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy instead for improved security labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.dozzle-rtr.entrypoints=https" - "traefik.http.routers.dozzle-rtr.rule=Host(`dozzle.$DOMAINNAME0`)" ## Middlewares - "traefik.http.routers.dozzle-rtr.middlewares=chain-oauth@file" ## HTTP Services - "traefik.http.routers.dozzle-rtr.service=dozzle-svc" - "traefik.http.services.dozzle-svc.loadbalancer.server.port=8080" # VSCode - VSCode Editing vscode: <<: *common-keys-basic # See EXTENSION FIELDS at the top image: codercom/code-server:latest container_name: vscode ports: - "$VSCODE_PORT:8080" volumes: - $USERDIR/server:/home/coder/server - $DOCKERDIR:/home/coder/docker - $DOCKERDIR/appdata/vscode:/home/coder - $DATADIR:/home/coder/data environment: PASSWORD: $VSCODE_PASSWORD # Run as root first, create the directories, then change permissions to user:docker and 775. Disable run as root below. user: $PUID:$PGID # user: "0" DOCKER_HOST: tcp://socket-proxy:2375 labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.vscode-rtr.entrypoints=https" - "traefik.http.routers.vscode-rtr.rule=Host(`code.$DOMAINNAME0`)" ## Middlewares - "traefik.http.routers.vscode-rtr.middlewares=chain-oauth@file" ## HTTP Services - "traefik.http.routers.vscode-rtr.service=vscode-svc" - "traefik.http.services.vscode-svc.loadbalancer.server.port=8080" # SyncThing - Keep folders in Sync syncthing: <<: *common-keys-basic # See EXTENSION FIELDS at the top image: lscr.io/linuxserver/syncthing container_name: syncthing ports: #- 8384:8384 - 22000:22000/tcp - 22000:22000/udp - 21027:21027/udp volumes: - /media:/data/mounts - $USERDIR:/data/home - $DOCKERDIR/appdata/syncthing:/config environment: <<: *default-tz-puid-pgid labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.syncthing-rtr.entrypoints=https" - "traefik.http.routers.syncthing-rtr.rule=Host(`stcdoc.$DOMAINNAME0`)" ## Middlewares - "traefik.http.routers.syncthing-rtr.middlewares=chain-oauth@file" ## HTTP Services - "traefik.http.routers.syncthing-rtr.service=syncthing-svc" - "traefik.http.services.syncthing-svc.loadbalancer.server.port=8384" ############################# MAINTENANCE # Docker-GC - Automatic Docker Garbage Collection # Create docker-gc-exclude file dockergc: <<: *common-keys-apps # See EXTENSION FIELDS at the top image: clockworksoul/docker-gc-cron:latest container_name: docker-gc networks: - socket_proxy volumes: # - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy instead for improved security - $DOCKERDIR/appdata/docker-gc/docker-gc-exclude:/etc/docker-gc-exclude environment: CRON: 0 0 0 * * ? # Everyday at midnight. Previously 0 0 * * * FORCE_IMAGE_REMOVAL: 1 FORCE_CONTAINER_REMOVAL: 0 GRACE_PERIOD_SECONDS: 604800 DRY_RUN: 0 CLEAN_UP_VOLUMES: 1 TZ: $TZ DOCKER_HOST: tcp://socket-proxy:2375 # Cloudflare-Companion - Automatic CNAME DNS Creation cf-companion: <<: *common-keys-apps # See EXTENSION FIELDS at the top container_name: cf-companion image: tiredofit/traefik-cloudflare-companion:latest networks: - socket_proxy environment: - TIMEZONE=$TZ - TRAEFIK_VERSION=2 #- CF_EMAIL=$CLOUDFLARE_EMAIL - CF_TOKEN=$CLOUDFLARE_API_TOKEN - TARGET_DOMAIN=cdoc.$DOMAINNAME0 - DOMAIN1=$DOMAINNAME0 - DOMAIN1_ZONE_ID=$CLOUDFLARE_ZONEID # Copy from Cloudflare Overview page - DOMAIN1_PROXIED=TRUE - DOCKER_HOST=tcp://socket-proxy:2375 secrets: # not working - cloudflare_api_token labels: # Add hosts specified in rules here to force cf-companion to create the CNAMEs # Since cf-companion creates CNAMEs based on host rules, this a workaround for non-docker/external apps - "traefik.http.routers.cf-companion-rtr.rule=Host(Host(`webmin.$DOMAINNAME0`) || Host(`shell.$DOMAINNAME0`)"