version: "3.9" # informative only under the Compose Specification used by Compose v2 (v2.15.1 per the header below); kept for older clients

######### IMPORTANT #############
# This is my main docker-compose file with most of the apps. I run docker on other systems with smaller stacks (web and synology).
# You can copy-paste services from one docker-compose file in this repo to another to add other apps.

########################### SYSTEM DESCRIPTION
# DOCKER-COMPOSE FOR HOME/MEDIA SERVER
# PROXMOX HOST: Dual Intel Xeon E3-1240 V2, 16 GB RAM, 480 GB SSD, and 4 TB HDD
# LXC: 2 CORES, 8 GB RAM, Ubuntu 20.04, and Docker
# 64 GB for / and 2 TB for non-critical data and rclone cache.
# Google Drive mounted using Rclone Docker for media and Proxmox backups

# Docker: 20.10.23
# Docker Compose: v2.15.1 (docker-compose-plugin for Docker)

########################### NETWORKS
# There is no need to create any networks outside this docker-compose file.
# You may customize the network subnets (192.168.90.0/24 and 192.168.91.0/24) below as you please.
# Docker Compose version 3.5 or higher is required to define networks this way.

networks:
  # Implicit per-project bridge; only services that do not set networks: land here.
  default:
    driver: bridge
  # Proxy network: every x-common-keys-* extension field joins it, and Traefik is told to reach
  # routed containers through it (--providers.docker.network=t2_proxy in the traefik service).
  t2_proxy:
    name: t2_proxy
    driver: bridge
    ipam:
      config:
        # Traefik's static address 192.168.90.254 (see its networks: entry) must stay inside this range.
        - subnet: 192.168.90.0/24

########################### SECRETS
secrets:
  # File-based secrets: Compose mounts each one inside the consuming container at /run/secrets/<name>.
  # Only htpasswd, cloudflare_email and cloudflare_api_key are referenced by the traefik service in this
  # file; the rest are presumably for services kept in other stacks - confirm before pruning.
  # NOTE(review): two roots are used ($SECRETSDIR and $DOCKERDIR/secrets) - verify they resolve to the
  # same directory before copying this file to another host.
  htpasswd:
    file: $SECRETSDIR/htpasswd
  cloudflare_email:
    file: $SECRETSDIR/cloudflare_email
  cloudflare_api_key:
    file: $SECRETSDIR/cloudflare_api_key
  cloudflare_token:
    file: $DOCKERDIR/secrets/cloudflare_token
  traefik_forward_auth:
    file: $DOCKERDIR/secrets/traefik_forward_auth
  mysql_root_password:
    file: $DOCKERDIR/secrets/mysql_root_password
  authelia_jwt_secret:
    file: $DOCKERDIR/secrets/authelia_jwt_secret
  authelia_session_secret:
    file: $DOCKERDIR/secrets/authelia_session_secret
  authelia_storage_mysql_password:
    file: $DOCKERDIR/secrets/authelia_storage_mysql_password
  authelia_notifier_smtp_password:
    file: $DOCKERDIR/secrets/authelia_notifier_smtp_password
  authelia_duo_api_secret_key:
    file: $DOCKERDIR/secrets/authelia_duo_api_secret_key
  authelia_storage_encryption_key:
    file: $DOCKERDIR/secrets/authelia_storage_encryption_key
  guac_db_name:
    file: $DOCKERDIR/secrets/guac_db_name
  guac_mysql_user:
    file: $DOCKERDIR/secrets/guac_mysql_user
  guac_mysql_password:
    file: $DOCKERDIR/secrets/guac_mysql_password
  plex_claim:
    file: $SECRETSDIR/plex_claim

########################### EXTENSION FIELDS
# Helps eliminate repetition of sections
# More info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228

# Common environment values
x-environment: &default-tz-puid-pgid
 # Attach with "environment: *default-tz-puid-pgid" (mapping form). The traefik service in this file
 # does not use it - its environment: is written in list form with TZ=$TZ.
 TZ: $TZ
 PUID: $PUID
 PGID: $PGID

# Keys common to some of the services in basic-services.txt
x-common-keys-core: &common-keys-core
 # Merged into a service with "<<: *common-keys-core"; keys the service sets itself win over these
 # (the traefik service replaces networks: with its static-IP form).
 networks:
   - t2_proxy
 security_opt:
   - no-new-privileges:true # sets the kernel no_new_privs flag: setuid/setgid binaries and file capabilities cannot raise privileges
 restart: always
 # profiles:
 # - core

# Keys common to some of the services in basic-services.txt
x-common-keys-monitoring: &common-keys-monitoring
 # Same content as &common-keys-core (restart: always); kept separate so the commented profile can differ.
 networks:
   - t2_proxy
 security_opt:
   - no-new-privileges:true # processes cannot gain privileges after exec (kernel no_new_privs)
 restart: always
 # profiles:
 # - monitoring

# Keys common to some of the dependent services/apps
x-common-keys-apps: &common-keys-apps
 # Differs from &common-keys-core only in the restart policy: unless-stopped honours a manual "docker stop".
 networks:
   - t2_proxy
 security_opt:
   - no-new-privileges:true # processes cannot gain privileges after exec (kernel no_new_privs)
 restart: unless-stopped
 # profiles:
 # - apps

# Keys common to some of the services in media-services.txt
x-common-keys-media: &common-keys-media
 networks:
   - t2_proxy
 security_opt:
   - no-new-privileges:true # processes cannot gain privileges after exec (kernel no_new_privs)
 restart: "no" # quoted on purpose: an unquoted no is read as boolean false by YAML 1.1 parsers
 # profiles:
 # - media

########################### SERVICES
  118. services:
  119.  ############################# FRONTENDS
  120.  
  121.  # Traefik 2 - Reverse Proxy
  122.  # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
  123.  # touch $DOCKERDIR/appdata/traefik2/acme/acme.json
  124.  # chmod 600 $DOCKERDIR/appdata/traefik2/acme/acme.json
  125.  # touch $DOCKERDIR/logs/cloudserver/traefik.log
  126.  # touch $DOCKERDIR/logs/cloudserver/access.log
  127.  
  128.  traefik:
  129.    <<: *common-keys-core # See EXTENSION FIELDS at the top
  130.    container_name: traefik
  131.    image: traefik:2.9.8
  132.    command: # CLI arguments
  133.      - --global.checkNewVersion=true
  134.      - --global.sendAnonymousUsage=true
  135.      - --entryPoints.http.address=:80
  136.      - --entryPoints.https.address=:443
  137.      # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
  138.      - --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
  139.      - --entryPoints.traefik.address=:8080
  140.      # - --entryPoints.ping.address=:8081
  141.      - --api=true
  142.      # - --api.insecure=true
  143.      - --api.dashboard=true
  144.      #- --ping=true
  145.      # - --serversTransport.insecureSkipVerify=true
  146.      - --log=true
  147.      - --log.filePath=/logs/traefik.log
  148.      - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
  149.      - --accessLog=true
  150.      - --accessLog.filePath=/logs/access.log
  151.      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
  152.      - --accessLog.filters.statusCodes=204-299,400-499,500-599
  153.      - --providers.docker=true
  154.      - --providers.docker.endpoint=unix:///var/run/docker.sock # Use Docker Socket Proxy instead for improved security
  155.      #- --providers.docker.endpoint=tcp://socket-proxy:2375
  156.      # Automatically set Host rule for services
  157.      # - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME_CLOUD_SERVER`)
  158.      - --providers.docker.exposedByDefault=false
  159.      # - --entrypoints.https.http.middlewares=chain-oauth@file
  160.      - --entrypoints.https.http.tls.options=tls-opts@file
  161.      # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
  162.      - --entrypoints.https.http.tls.certresolver=dns-cloudflare
  163.      - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME_CLOUD_SERVER
  164.      - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME_CLOUD_SERVER
  165.      # - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME2 # Pulls main cert for second domain
  166.      # - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME2 # Pulls wildcard cert for second domain
  167.      - --providers.docker.network=t2_proxy
  168.      - --providers.docker.swarmMode=false
  169.      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory
  170.      # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file
  171.      - --providers.file.watch=true # Only works on top level files in the rules folder
  172.      - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
  173.      - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
  174.      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
  175.      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
  176.      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
  177.      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
  178.      # - --metrics.prometheus=true
  179.      # - --metrics.prometheus.buckets=0.1,0.3,1.2,5.0
  180.    networks:
  181.      t2_proxy:
  182.        ipv4_address: 192.168.90.254 # You can specify a static IP
  183.    ports:
  184.      - target: 80
  185.        published: 80
  186.        protocol: tcp
  187.        mode: host
  188.      - target: 443
  189.        published: 443
  190.        protocol: tcp
  191.        mode: host
  192.      # - target: 8080 # insecure api wont work
  193.      #   published: 8080
  194.      #   protocol: tcp
  195.      #   mode: host
  196.    volumes:
  197.      - $DOCKERDIR/appdata/traefik2/rules/cloudserver:/rules # file provider directory
  198.      - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy instead for improved security
  199.      - $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must create this emtpy file and change permissions to 600
  200.      - $DOCKERDIR/logs/cloudserver/traefik:/logs # for fail2ban or crowdsec
  201.    environment:
  202.      - TZ=$TZ
  203.      - CF_API_EMAIL_FILE=$/run/secrets/cloudflare_email
  204.      - CF_API_KEY_FILE=$/run/secrets/cloudflare_api_key
  205.      - HTPASSWD_FILE=$/run/sercrets/htpasswd # HTPASSWD_FILE can be whatever as it is not used/called anywhere.
  206.      - DOMAINNAME_CLOUD_SERVER # Passing the domain name to traefik container to be able to use the variable in rules.
  207.    secrets:
  208.      - cloudflare_email
  209.      - cloudflare_api_key
  210.      - htpasswd
  211.    labels:
  212.      #- "autoheal=true"
  213.      - "traefik.enable=true"
  214.      # HTTP-to-HTTPS Redirect
  215.      - "traefik.http.routers.http-catchall.entrypoints=http"
  216.      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
  217.      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
  218.      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
  219.      # HTTP Routers
  220.      - "traefik.http.routers.traefik-rtr.entrypoints=https"
  221.      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME_CLOUD_SERVER`)"
  222.      - "traefik.http.routers.traefik-rtr.tls=true" # Some people had 404s without this
  223.      - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
  224.      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME_CLOUD_SERVER"
  225.      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME_CLOUD_SERVER"
  226.      # - "traefik.http.routers.traefik-rtr.tls.domains[1].main=$DOMAINNAME2" # Pulls main cert for second domain
  227.      # - "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$DOMAINNAME2" # Pulls wildcard cert for second domain
  228.      ## Services - API
  229.      - "traefik.http.routers.traefik-rtr.service=api@internal"
  230.      ## Healthcheck/ping
  231.      #- "traefik.http.routers.ping.rule=Host(`traefik.$DOMAINNAME_CLOUD_SERVER`) && Path(`/ping`)"
  232.      #- "traefik.http.routers.ping.tls=true"
  233.      #- "traefik.http.routers.ping.service=ping@internal"
  234.      ## Middlewares
  235.      #- "traefik.http.routers.traefik-rtr.middlewares=chain-no-auth@file" # For No Authentication
  236.      - "traefik.http.routers.traefik-rtr.middlewares=chain-basic-auth@file" # For Basic HTTP Authentication
  237.      #- "traefik.http.routers.traefik-rtr.middlewares=chain-oauth@file" # For Google OAuth
  238.      #- "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file" # For Authelia Authentication
  239.  