Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- version: "3.9"
- ######### IMPORTANT #############
- # This is my main docker-compose file with most of the apps. I run docker on other systems with smaller stacks (web and synology).
- # You can copy-paste services from one docker-compose file in this repo to another to add other apps.
- ########################### SYSTEM DESCRIPTION
- # DOCKER-COMPOSE FOR HOME/MEDIA SERVER
- # PROXMOX HOST: Dual Intel Xeon E3-1240 V2, 16 GB RAM, 480 GB SSD, and 4 TB HDD
- # LXC: 2 CORES, 8 GB RAM, Ubuntu 20.04, and Docker
- # 64 GB for / and 2 TB for non-critical data and rclone cache.
- # Google Drive mounted using Rclone Docker for media and Proxmox backups
- # Docker: 20.10.23
- # Docker Compose: v2.15.1 (docker-compose-plugin for Docker)
- ########################### NETWORKS
- # There is no need to create any networks outside this docker-compose file.
- # You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please.
- # Docker Compose version 3.5 or higher required to define networks this way.
- networks:
- default:
- driver: bridge
- t2_proxy:
- name: t2_proxy
- driver: bridge
- ipam:
- config:
- - subnet: 192.168.90.0/24
- ########################### SECRETS
- secrets:
- htpasswd:
- file: $SECRETSDIR/htpasswd
- cloudflare_email:
- file: $SECRETSDIR/cloudflare_email
- cloudflare_api_key:
- file: $SECRETSDIR/cloudflare_api_key
- cloudflare_token:
- file: $DOCKERDIR/secrets/cloudflare_token
- traefik_forward_auth:
- file: $DOCKERDIR/secrets/traefik_forward_auth
- mysql_root_password:
- file: $DOCKERDIR/secrets/mysql_root_password
- authelia_jwt_secret:
- file: $DOCKERDIR/secrets/authelia_jwt_secret
- authelia_session_secret:
- file: $DOCKERDIR/secrets/authelia_session_secret
- authelia_storage_mysql_password:
- file: $DOCKERDIR/secrets/authelia_storage_mysql_password
- authelia_notifier_smtp_password:
- file: $DOCKERDIR/secrets/authelia_notifier_smtp_password
- authelia_duo_api_secret_key:
- file: $DOCKERDIR/secrets/authelia_duo_api_secret_key
- authelia_storage_encryption_key:
- file: $DOCKERDIR/secrets/authelia_storage_encryption_key
- guac_db_name:
- file: $DOCKERDIR/secrets/guac_db_name
- guac_mysql_user:
- file: $DOCKERDIR/secrets/guac_mysql_user
- guac_mysql_password:
- file: $DOCKERDIR/secrets/guac_mysql_password
- plex_claim:
- file: $SECRETSDIR/plex_claim
- ########################### EXTENSION FIELDS
- # Helps eliminate repetition of sections
- # More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228
- # Common environment values
- x-environment: &default-tz-puid-pgid
- TZ: $TZ
- PUID: $PUID
- PGID: $PGID
- # Keys common to some of the services in basic-services.txt
- x-common-keys-core: &common-keys-core
- networks:
- - t2_proxy
- security_opt:
- - no-new-privileges:true
- restart: always
- # profiles:
- # - core
- # Keys common to some of the services in basic-services.txt
- x-common-keys-monitoring: &common-keys-monitoring
- networks:
- - t2_proxy
- security_opt:
- - no-new-privileges:true
- restart: always
- # profiles:
- # - monitoring
- # Keys common to some of the dependent services/apps
- x-common-keys-apps: &common-keys-apps
- networks:
- - t2_proxy
- security_opt:
- - no-new-privileges:true
- restart: unless-stopped
- # profiles:
- # - apps
- # Keys common to some of the services in media-services.txt
- x-common-keys-media: &common-keys-media
- networks:
- - t2_proxy
- security_opt:
- - no-new-privileges:true
- restart: "no"
- # profiles:
- # - media
- ########################### SERVICES
- services:
- ############################# FRONTENDS
- # Traefik 2 - Reverse Proxy
- # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
- # touch $DOCKERDIR/appdata/traefik2/acme/acme.json
- # chmod 600 $DOCKERDIR/appdata/traefik2/acme/acme.json
- # touch $DOCKERDIR/logs/cloudserver/traefik.log
- # touch $DOCKERDIR/logs/cloudserver/access.log
- traefik:
- <<: *common-keys-core # See EXTENSION FIELDS at the top
- container_name: traefik
- image: traefik:2.9.8
- command: # CLI arguments
- - --global.checkNewVersion=true
- - --global.sendAnonymousUsage=true
- - --entryPoints.http.address=:80
- - --entryPoints.https.address=:443
- # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
- - --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
- - --entryPoints.traefik.address=:8080
- # - --entryPoints.ping.address=:8081
- - --api=true
- # - --api.insecure=true
- - --api.dashboard=true
- #- --ping=true
- # - --serversTransport.insecureSkipVerify=true
- - --log=true
- - --log.filePath=/logs/traefik.log
- - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
- - --accessLog=true
- - --accessLog.filePath=/logs/access.log
- - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
- - --accessLog.filters.statusCodes=204-299,400-499,500-599
- - --providers.docker=true
- - --providers.docker.endpoint=unix:///var/run/docker.sock # Use Docker Socket Proxy instead for improved security
- #- --providers.docker.endpoint=tcp://socket-proxy:2375
- # Automatically set Host rule for services
- # - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME_CLOUD_SERVER`)
- - --providers.docker.exposedByDefault=false
- # - --entrypoints.https.http.middlewares=chain-oauth@file
- - --entrypoints.https.http.tls.options=tls-opts@file
- # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
- - --entrypoints.https.http.tls.certresolver=dns-cloudflare
- - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME_CLOUD_SERVER
- - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME_CLOUD_SERVER
- # - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME2 # Pulls main cert for second domain
- # - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME2 # Pulls wildcard cert for second domain
- - --providers.docker.network=t2_proxy
- - --providers.docker.swarmMode=false
- - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory
- # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file
- - --providers.file.watch=true # Only works on top level files in the rules folder
- - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
- - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
- - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
- - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
- - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
- - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
- # - --metrics.prometheus=true
- # - --metrics.prometheus.buckets=0.1,0.3,1.2,5.0
- networks:
- t2_proxy:
- ipv4_address: 192.168.90.254 # You can specify a static IP
- ports:
- - target: 80
- published: 80
- protocol: tcp
- mode: host
- - target: 443
- published: 443
- protocol: tcp
- mode: host
- # - target: 8080 # insecure api wont work
- # published: 8080
- # protocol: tcp
- # mode: host
- volumes:
- - $DOCKERDIR/appdata/traefik2/rules/cloudserver:/rules # file provider directory
- - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy instead for improved security
- - $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must create this emtpy file and change permissions to 600
- - $DOCKERDIR/logs/cloudserver/traefik:/logs # for fail2ban or crowdsec
- environment:
- - TZ=$TZ
- - CF_API_EMAIL_FILE=$/run/secrets/cloudflare_email
- - CF_API_KEY_FILE=$/run/secrets/cloudflare_api_key
- - HTPASSWD_FILE=$/run/sercrets/htpasswd # HTPASSWD_FILE can be whatever as it is not used/called anywhere.
- - DOMAINNAME_CLOUD_SERVER # Passing the domain name to traefik container to be able to use the variable in rules.
- secrets:
- - cloudflare_email
- - cloudflare_api_key
- - htpasswd
- labels:
- #- "autoheal=true"
- - "traefik.enable=true"
- # HTTP-to-HTTPS Redirect
- - "traefik.http.routers.http-catchall.entrypoints=http"
- - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
- - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
- - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
- # HTTP Routers
- - "traefik.http.routers.traefik-rtr.entrypoints=https"
- - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME_CLOUD_SERVER`)"
- - "traefik.http.routers.traefik-rtr.tls=true" # Some people had 404s without this
- - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
- - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME_CLOUD_SERVER"
- - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME_CLOUD_SERVER"
- # - "traefik.http.routers.traefik-rtr.tls.domains[1].main=$DOMAINNAME2" # Pulls main cert for second domain
- # - "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$DOMAINNAME2" # Pulls wildcard cert for second domain
- ## Services - API
- - "traefik.http.routers.traefik-rtr.service=api@internal"
- ## Healthcheck/ping
- #- "traefik.http.routers.ping.rule=Host(`traefik.$DOMAINNAME_CLOUD_SERVER`) && Path(`/ping`)"
- #- "traefik.http.routers.ping.tls=true"
- #- "traefik.http.routers.ping.service=ping@internal"
- ## Middlewares
- #- "traefik.http.routers.traefik-rtr.middlewares=chain-no-auth@file" # For No Authentication
- - "traefik.http.routers.traefik-rtr.middlewares=chain-basic-auth@file" # For Basic HTTP Authentication
- #- "traefik.http.routers.traefik-rtr.middlewares=chain-oauth@file" # For Google OAuth
- #- "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file" # For Authelia Authentication
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement