Docker-Compose.yml

a guest
Sep 20th, 2020
369
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 12.86 KB | None | 0 0
  1. version: "3.7"
  2.  
  3. networks:
  4. proxy_net:
  5. external:
  6. name: proxy_net
  7. default:
  8. driver: bridge
  9. socket_proxy:
  10. external:
  11. name: socket_proxy
  12.  
  13. secrets:
  14. cloudflare_email:
  15. file: $SECRETSDIR/cloudflare_email
  16. cloudflare_api_key:
  17. file: $SECRETSDIR/cloudflare_api_key
  18. cloudflare_api_token:
  19. file: $SECRETSDIR/cloudflare_api_token
  20. cloudflare_zoneid:
  21. file: $SECRETSDIR/cloudflare_zoneid
  22. authelia_jwt_secret:
  23. file: $SECRETSDIR/authelia_jwt_secret
  24. authelia_session_secret:
  25. file: $SECRETSDIR/authelia_session_secret
  26. authelia_notifier_smtp_password:
  27. file: $SECRETSDIR/authelia_notifier_smtp_password
  28. authelia_duo_api_secret_key:
  29. file: $SECRETSDIR/authelia_duo_api_secret_key
  30.  
  31. services:
  32. # Traefik - Reverse Proxy
  33. traefik:
  34. container_name: traefik
  35. image: traefik:chevrotin
  36. restart: unless-stopped
  37. command: # CLI arguments
  38. - --global.checkNewVersion=true
  39. - --global.sendAnonymousUsage=true
  40. - --entryPoints.http.address=:80
  41. - --entryPoints.https.address=:443
  42. # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
  43. - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22
  44. - --entryPoints.traefik.address=:8080
  45. - --api=true
  46. - --log=true
  47. - --log.level=WARN # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
  48. - --accessLog=true
  49. - --accessLog.filePath=/traefik.log
  50. - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
  51. - --accessLog.filters.statusCodes=400-499
  52. - --providers.docker=true
  53. - --providers.docker.endpoint=tcp://socket-proxy:2375
  54. - --providers.docker.exposedByDefault=false
  55. # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services.
  56. - --entrypoints.https.http.tls.certresolver=dns-cloudflare
  57. - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME
  58. - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME
  59. - --providers.docker.network=proxy_net
  60. - --providers.docker.swarmMode=false
  61. - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
  62. - --providers.file.watch=true # Only works on top level files in the rules folder
  63. # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
  64. - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
  65. - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
  66. - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
  67. - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
  68. - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
  69. networks:
  70. proxy_net:
  71. ipv4_address: 10.10.10.2
  72. socket_proxy:
  73. depends_on:
  74. - socket-proxy
  75. security_opt:
  76. - no-new-privileges:true
  77. ports:
  78. - target: 80
  79. published: 80
  80. protocol: tcp
  81. mode: host
  82. - target: 443
  83. published: 443
  84. protocol: tcp
  85. mode: host
  86. volumes:
  87. - $DOCKERDIR/traefik/rules:/rules
  88. - $DOCKERDIR/traefik/acme/acme.json:/acme.json # change permissions to 600
  89. - $DOCKERDIR/traefik/traefik.log:/var/log/docker/traefik.log
  90. environment:
  91. - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
  92. - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
  93. secrets:
  94. - cloudflare_email
  95. - cloudflare_api_key
  96. labels:
  97. - "traefik.enable=true"
  98. # HTTP-to-HTTPS Redirect
  99. - "traefik.http.routers.http-catchall.entrypoints=http"
  100. - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
  101. - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
  102. - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
  103. # HTTP Routers
  104. - "traefik.http.routers.traefik-rtr.entrypoints=https"
  105. - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
  106. ## Services - API
  107. - "traefik.http.routers.traefik-rtr.service=api@internal"
  108. ## Middlewares
  109. - "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file"
  110.  
  111. # Docker Socket Proxy - Security Enchanced Proxy for Docker Socket
  112. socket-proxy:
  113. container_name: socket-proxy
  114. image: fluencelabs/docker-socket-proxy
  115. restart: always
  116. networks:
  117. socket_proxy:
  118. ipv4_address: 10.10.11.3 #different subnet to the other containers make sure you define all your networks first to use static ips
  119. privileged: true
  120. ports:
  121. - "2375:2375"
  122. volumes:
  123. - "/var/run/docker.sock:/var/run/docker.sock"
  124. environment:
  125. - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
  126. ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
  127. # 0 to revoke access.
  128. # 1 to grant access.
  129. ## Granted by Default
  130. - EVENTS=1
  131. - PING=1
  132. - VERSION=1
  133. ## Revoked by Default
  134. # Security critical
  135. - AUTH=0
  136. - SECRETS=0
  137. - POST=1 # Watchtower
  138. - DELETE=1 # Watchtower
  139. # GET Optons
  140. - BUILD=0
  141. - COMMIT=0
  142. - CONFIGS=0
  143. - CONTAINERS=1 # Traefik, portainer, etc.
  144. - DISTRIBUTION=0
  145. - EXEC=0
  146. - IMAGES=1 # Portainer, Watchtower
  147. - INFO=1 # Portainer
  148. - NETWORKS=1 # Portainer, Watchtower
  149. - NODES=0
  150. - PLUGINS=0
  151. - SERVICES=1 # Portainer
  152. - SESSION=0
  153. - SWARM=0
  154. - SYSTEM=0
  155. - TASKS=1 # Portaienr
  156. - VOLUMES=1 # Portainer
  157. # POST Options
  158. - CONTAINERS_CREATE=1 # WatchTower
  159. - CONTAINERS_START=1 # WatchTower
  160. - CONTAINERS_UPDATE=1 # WatchTower
  161. # DELETE Options
  162. - CONTAINERS_DELETE=1 # WatchTower
  163. - IMAGES_DELETE=1 # WatchTower
  164.  
  165. # Traefik Certs Dumper - Extract LetsEncrypt Certificates - Traefik2 Compatible
  166. certdumper:
  167. container_name: traefik_certdumper
  168. image: humenius/traefik-certs-dumper:latest
  169. network_mode: none
  170. security_opt:
  171. - no-new-privileges:true
  172. # command: --restart-containers container1,container2,container3
  173. volumes:
  174. - $DOCKERDIR/traefik/acme:/traefik:ro
  175. - $DOCKERDIR/traefik/certs:/output:rw
  176. # - /var/run/docker.sock:/var/run/docker.sock:ro # only needed if restarting containers
  177. environment:
  178. DOMAIN: $DOMAINNAME
  179.  
  180. # Cloudflare DDNS - Dynamic DNS Updater
  181. cf-ddns:
  182. container_name: cf-ddns
  183. image: gzecchi/cloudflare-ddns:latest
  184. restart: always
  185. environment:
  186. - API_KEY_FILE=/run/secrets/cloudflare_api_token
  187. - ZONE=$DOMAINNAME
  188. #- SUBDOMAIN=subdomain
  189. - PROXIED=true
  190. - DNS_SERVER=1.1.1.1
  191. secrets:
  192. - cloudflare_api_token
  193.  
  194. # Cloudflare-Companion - Automatic CNAME DNS Creation
  195. cf-companion:
  196. container_name: cf-companion
  197. image: tiredofit/traefik-cloudflare-companion:latest
  198. restart: always
  199. networks:
  200. socket_proxy:
  201. depends_on:
  202. - socket-proxy
  203. environment:
  204. - TIMEZONE=$TZ
  205. - TRAEFIK_VERSION=2
  206. - CF_EMAIL=/run/secrets/cloudflare_email
  207. - CF_TOKEN=/run/secrets/cloudflare_api_key
  208. - TARGET_DOMAIN=$DOMAINNAME
  209. - DOMAIN1=$DOMAINNAME
  210. - DOMAIN1_ZONE_ID=/run/secrets/cloudflare_zoneid # Copy from Cloudflare Overview page
  211. - DOMAIN1_PROXIED=TRUE
  212. - DOCKER_HOST=tcp://socket-proxy:2375
  213. secrets: # not working
  214. - cloudflare_email
  215. - cloudflare_api_key
  216. - cloudflare_zoneid
  217. labels:
  218. # Add hosts specified in rules here to force cf-companion to create the CNAMEs
  219. # Since cf-companion creates CNAMEs based on host rules, this a workaround for non-docker/external apps
  220. - "traefik.http.routers.cf-companion-rtr.rule=HostHeader(`appname1.$DOMAINNAME`) || `appname2.$DOMAINNAME`)" # USE THIS TO ADD IN THE NONE DOCKER APPS IF YOU MADE THE RULE FILES
  221.  
  222. # Authelia (Lite) - Self-Hosted Single Sign-On and Two-Factor Authentication
  223. authelia:
  224. container_name: authelia
  225. image: authelia/authelia:4.21.0
  226. restart: always
  227. networks:
  228. proxy_net:
  229. ipv4_address: 10.10.10.4
  230. ports:
  231. - "$AUTHELIA_PORT:9091"
  232. volumes:
  233. - $DOCKERDIR/authelia/authelia:/var/lib/authelia
  234. - $DOCKERDIR/authelia/config:/config
  235. #- $DOCKERDIR/authelia/configuration.yml:/config/configuration.yml
  236. #- $DOCKERDIR/authelia/users_database.yml:/config/users_database.yml
  237. environment:
  238. - TZ=$TZ
  239. - AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret
  240. - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret
  241. #- AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/run/secrets/authelia_storage_mysql_password
  242. - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/authelia_notifier_smtp_password
  243. - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/authelia_duo_api_secret_key
  244. secrets:
  245. - authelia_jwt_secret
  246. - authelia_session_secret
  247. #- authelia_storage_mysql_password
  248. - authelia_notifier_smtp_password
  249. - authelia_duo_api_secret_key
  250. labels:
  251. - "traefik.enable=true"
  252. ## HTTP Routers
  253. - "traefik.http.routers.authelia-rtr.entrypoints=https"
  254. - "traefik.http.routers.authelia-rtr.rule=Host(`authelia.$DOMAINNAME`)"
  255. ## Middlewares
  256. - "traefik.http.routers.authelia-rtr.middlewares=chain-authelia@file"
  257. ## HTTP Services
  258. - "traefik.http.routers.authelia-rtr.service=authelia-svc"
  259. - "traefik.http.services.authelia-svc.loadbalancer.server.port=9091"
  260.  
  261. # Meta search for NZB Indexers
  262. nzbhydra2:
  263. image: binhex/arch-nzbhydra2:latest
  264. container_name: nzbhydra2
  265. restart: unless-stopped
  266. volumes:
  267. - $DOCKERDIR/nzbhydra2:/config
  268. ports:
  269. - "$NZBHYDRA_PORT:5076"
  270. environment:
  271. - PUID=$PUID
  272. - PGID=$PGID
  273. - TZ=$TZ
  274. networks:
  275. proxy_net:
  276. ipv4_address: 10.10.10.14
  277. security_opt:
  278. - no-new-privileges:true
  279. labels:
  280. - "traefik.enable=true"
  281. ## HTTP Routers Auth Bypass
  282. - "traefik.http.routers.hydra-rtr-bypass.entrypoints=https"
  283. - "traefik.http.routers.hydra-rtr-bypass.rule=Headers(`apikey`, `$HYDRA_API_KEY`) || Query(`apikey`, `$HYDRA_API_KEY`)"
  284. - "traefik.http.routers.hydra-rtr-bypass.priority=100"
  285. ## HTTP Routers
  286. - "traefik.http.routers.hydra-rtr.entrypoints=https"
  287. - "traefik.http.routers.hydra-rtr.rule=Host(`hydra.$DOMAINNAME`)"
  288. - "traefik.http.routers.hydra-rtr.priority=99"
  289. ## Middlewares
  290. - "traefik.http.routers.hydra-rtr-bypass.middlewares=chain-no-auth@file"
  291. - "traefik.http.routers.hydra-rtr.middlewares=chain-authelia@file"
  292. ## HTTP Services
  293. - "traefik.http.routers.hydra-rtr.service=hydra-svc"
  294. - "traefik.http.routers.hydra-rtr-bypass.service=hydra-svc"
  295. - "traefik.http.services.hydra-svc.loadbalancer.server.port=5076"
  296.  
  297. # Radarr - Movie management
  298. radarr:
  299. image: "linuxserver/radarr:preview"
  300. container_name: "radarr"
  301. hostname: radarr
  302. restart: unless-stopped
  303. volumes:
  304. - $DOCKERLOCALDIR/radarr:/config
  305. - $SABDIR/Complete/Radarr:/radarr-completed
  306. - $MEDIADIR:/media
  307. - "/etc/localtime:/etc/localtime:ro"
  308. ports:
  309. - "$RADARR_PORT:7878"
  310. environment:
  311. - PUID=$PUID
  312. - PGID=$PGID
  313. - TZ=$TZ
  314. networks:
  315. proxy_net:
  316. ipv4_address: 10.10.10.10
  317. security_opt:
  318. - no-new-privileges:true
  319. labels:
  320. - "traefik.enable=true"
  321. ## HTTP Routers Auth Bypass
  322. - "traefik.http.routers.radarr-rtr-bypass.entrypoints=https"
  323. - "traefik.http.routers.radarr-rtr-bypass.rule=Headers(`X-Api-Key`, `$RADARR_API_KEY`) || Query(`apikey`, `$RADARR_API_KEY`)"
  324. - "traefik.http.routers.radarr-rtr-bypass.priority=100"
  325. ## HTTP Routers Auth
  326. - "traefik.http.routers.radarr-rtr.entrypoints=https"
  327. - "traefik.http.routers.radarr-rtr.rule=Host(`radarr.$DOMAINNAME`)"
  328. - "traefik.http.routers.radarr-rtr.priority=99"
  329. ## Middlewares
  330. - "traefik.http.routers.radarr-rtr-bypass.middlewares=chain-no-auth@file"
  331. - "traefik.http.routers.radarr-rtr.middlewares=chain-authelia@file"
  332. ## HTTP Services
  333. - "traefik.http.routers.radarr-rtr.service=radarr-svc"
  334. - "traefik.http.routers.radarr-rtr-bypass.service=radarr-svc"
  335. - "traefik.http.services.radarr-svc.loadbalancer.server.port=7878"