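version: "3.7"

# proxy_net and socket_proxy are external: create them before `docker-compose up`.
# The static ipv4_address values below assume fixed subnets on those networks.
networks:
  proxy_net:
    external:
      name: proxy_net
  default:
    driver: bridge
  socket_proxy:
    external:
      name: socket_proxy

# File-based secrets; each is mounted into the consuming container as
# /run/secrets/<name>. Keep $SECRETSDIR outside of version control.
secrets:
  cloudflare_email:
    file: $SECRETSDIR/cloudflare_email
  cloudflare_api_key:
    file: $SECRETSDIR/cloudflare_api_key
  cloudflare_api_token:
    file: $SECRETSDIR/cloudflare_api_token
  cloudflare_zoneid:
    file: $SECRETSDIR/cloudflare_zoneid
  authelia_jwt_secret:
    file: $SECRETSDIR/authelia_jwt_secret
  authelia_session_secret:
    file: $SECRETSDIR/authelia_session_secret
  authelia_notifier_smtp_password:
    file: $SECRETSDIR/authelia_notifier_smtp_password
  authelia_duo_api_secret_key:
    file: $SECRETSDIR/authelia_duo_api_secret_key

services:
  # Traefik - Reverse Proxy
  traefik:
    container_name: traefik
    image: traefik:chevrotin
    restart: unless-stopped
    command: # CLI arguments
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=true
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
      # Forwarded headers from any other source are discarded, so a client that
      # reaches :443 directly cannot spoof its origin address towards backends.
      - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22
      - --entryPoints.traefik.address=:8080
      # api.insecure is deliberately NOT set: the dashboard/API is only served
      # through the traefik-rtr router below (behind chain-authelia), not on :8080.
      - --api=true
      - --log=true
      - --log.level=WARN # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --accessLog=true
      # Must be the container-side path of the traefik.log volume below; the
      # previous value (/traefik.log) wrote inside the container and was lost on recreate.
      - --accessLog.filePath=/var/log/docker/traefik.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=400-499 # only client errors are logged; 2xx/3xx/5xx are not
      - --providers.docker=true
      # The Docker API is reached through the socket-proxy service, never the raw socket.
      - --providers.docker.endpoint=tcp://socket-proxy:2375
      - --providers.docker.exposedByDefault=false
      # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services.
      - --entrypoints.https.http.tls.certresolver=dns-cloudflare
      - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME
      - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME
      - --providers.docker.network=proxy_net
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
      - --providers.file.watch=true # Only works on top level files in the rules folder
      # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
    networks:
      proxy_net:
        ipv4_address: 10.10.10.2
      socket_proxy:
    depends_on:
      - socket-proxy
    security_opt:
      - no-new-privileges:true
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    volumes:
      - $DOCKERDIR/traefik/rules:/rules
      - $DOCKERDIR/traefik/acme/acme.json:/acme.json # change permissions to 600 (holds the private keys)
      - $DOCKERDIR/traefik/traefik.log:/var/log/docker/traefik.log
    environment:
      # The global API key grants full account access. A scoped token
      # (CF_DNS_API_TOKEN_FILE with Zone:DNS:Edit) limits the blast radius if it leaks.
      - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
      - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
    secrets:
      - cloudflare_email
      - cloudflare_api_key
    labels:
      - "traefik.enable=true"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      ## Middlewares
      - "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file"

  # Docker Socket Proxy - Security Enhanced Proxy for Docker Socket
  socket-proxy:
    container_name: socket-proxy
    image: fluencelabs/docker-socket-proxy
    restart: always
    networks:
      socket_proxy:
        ipv4_address: 10.10.11.3 # different subnet to the other containers; define all networks first to use static IPs
    # NOTE(review): the container already holds the socket mount, so the ACL
    # below is the real boundary; confirm the image still needs privileged.
    privileged: true
    # Consumers (traefik, cf-companion) reach the proxy over the socket_proxy
    # network. The host publish is only for local tooling and is bound to
    # loopback so the unauthenticated Docker API is not reachable from the LAN.
    ports:
      - "127.0.0.1:2375:2375"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    environment:
      - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
      ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
      # 0 to revoke access.
      # 1 to grant access.
      ## Granted by Default
      - EVENTS=1
      - PING=1
      - VERSION=1
      ## Revoked by Default
      # Security critical
      - AUTH=0
      - SECRETS=0
      # POST/DELETE open the write side of the API (create/start/remove
      # containers); only Watchtower needs them - set both to 0 if it is not deployed.
      - POST=1 # Watchtower
      - DELETE=1 # Watchtower
      # GET Options
      - BUILD=0
      - COMMIT=0
      - CONFIGS=0
      - CONTAINERS=1 # Traefik, portainer, etc.
      - DISTRIBUTION=0
      - EXEC=0
      - IMAGES=1 # Portainer, Watchtower
      - INFO=1 # Portainer
      - NETWORKS=1 # Portainer, Watchtower
      - NODES=0
      - PLUGINS=0
      - SERVICES=1 # Portainer
      - SESSION=0
      - SWARM=0
      - SYSTEM=0
      - TASKS=1 # Portainer
      - VOLUMES=1 # Portainer
      # POST Options
      - CONTAINERS_CREATE=1 # WatchTower
      - CONTAINERS_START=1 # WatchTower
      - CONTAINERS_UPDATE=1 # WatchTower
      # DELETE Options
      - CONTAINERS_DELETE=1 # WatchTower
      - IMAGES_DELETE=1 # WatchTower

  # Traefik Certs Dumper - Extract LetsEncrypt Certificates - Traefik2 Compatible
  certdumper:
    container_name: traefik_certdumper
    image: humenius/traefik-certs-dumper:latest
    # No network needed: it only reads acme.json and writes the certs directory.
    network_mode: none
    security_opt:
      - no-new-privileges:true
    # command: --restart-containers container1,container2,container3
    volumes:
      - $DOCKERDIR/traefik/acme:/traefik:ro
      - $DOCKERDIR/traefik/certs:/output:rw # contains private keys; restrict host permissions
      # - /var/run/docker.sock:/var/run/docker.sock:ro # only needed if restarting containers
    environment:
      - DOMAIN=$DOMAINNAME

  # Cloudflare DDNS - Dynamic DNS Updater
  cf-ddns:
    container_name: cf-ddns
    image: gzecchi/cloudflare-ddns:latest
    restart: always
    security_opt:
      - no-new-privileges:true
    environment:
      - API_KEY_FILE=/run/secrets/cloudflare_api_token
      - ZONE=$DOMAINNAME
      #- SUBDOMAIN=subdomain
      - PROXIED=true
      - DNS_SERVER=1.1.1.1
    secrets:
      - cloudflare_api_token

  # Cloudflare-Companion - Automatic CNAME DNS Creation
  cf-companion:
    container_name: cf-companion
    image: tiredofit/traefik-cloudflare-companion:latest
    restart: always
    networks:
      socket_proxy:
    depends_on:
      - socket-proxy
    security_opt:
      - no-new-privileges:true
    environment:
      - TIMEZONE=$TZ
      - TRAEFIK_VERSION=2
      # NOTE(review): these are passed as file paths but the author reports the
      # secrets are "not working" - confirm the image reads *_FILE style values.
      - CF_EMAIL=/run/secrets/cloudflare_email
      - CF_TOKEN=/run/secrets/cloudflare_api_key
      - TARGET_DOMAIN=$DOMAINNAME
      - DOMAIN1=$DOMAINNAME
      - DOMAIN1_ZONE_ID=/run/secrets/cloudflare_zoneid # Copy from Cloudflare Overview page
      - DOMAIN1_PROXIED=TRUE
      - DOCKER_HOST=tcp://socket-proxy:2375
    secrets: # not working
      - cloudflare_email
      - cloudflare_api_key
      - cloudflare_zoneid
    labels:
      # Add hosts specified in rules here to force cf-companion to create the CNAMEs
      # Since cf-companion creates CNAMEs based on host rules, this a workaround for non-docker/external apps
      # No traefik.enable label on this service, so Traefik itself ignores this router.
      # Each host must be wrapped in its own matcher; the bare second host and
      # the stray closing parenthesis of the original rule were malformed.
      - "traefik.http.routers.cf-companion-rtr.rule=HostHeader(`appname1.$DOMAINNAME`) || HostHeader(`appname2.$DOMAINNAME`)" # USE THIS TO ADD IN THE NON-DOCKER APPS IF YOU MADE THE RULE FILES

  # Authelia (Lite) - Self-Hosted Single Sign-On and Two-Factor Authentication
  authelia:
    container_name: authelia
    image: authelia/authelia:4.21.0
    restart: always
    networks:
      proxy_net:
        ipv4_address: 10.10.10.4
    security_opt:
      - no-new-privileges:true
    # Host publish exposes the portal over plain HTTP, bypassing Traefik/TLS;
    # only keep it if LAN access without the proxy is really needed.
    ports:
      - "$AUTHELIA_PORT:9091"
    volumes:
      - $DOCKERDIR/authelia/authelia:/var/lib/authelia
      - $DOCKERDIR/authelia/config:/config
      #- $DOCKERDIR/authelia/configuration.yml:/config/configuration.yml
      #- $DOCKERDIR/authelia/users_database.yml:/config/users_database.yml
    environment:
      - TZ=$TZ
      - AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret
      - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret
      #- AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/run/secrets/authelia_storage_mysql_password
      - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/authelia_notifier_smtp_password
      - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/authelia_duo_api_secret_key
    secrets:
      - authelia_jwt_secret
      - authelia_session_secret
      #- authelia_storage_mysql_password
      - authelia_notifier_smtp_password
      - authelia_duo_api_secret_key
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.authelia-rtr.entrypoints=https"
      - "traefik.http.routers.authelia-rtr.rule=Host(`authelia.$DOMAINNAME`)"
      ## Middlewares
      - "traefik.http.routers.authelia-rtr.middlewares=chain-authelia@file"
      ## HTTP Services
      - "traefik.http.routers.authelia-rtr.service=authelia-svc"
      - "traefik.http.services.authelia-svc.loadbalancer.server.port=9091"

  # Meta search for NZB Indexers
  nzbhydra2:
    image: binhex/arch-nzbhydra2:latest
    container_name: nzbhydra2
    restart: unless-stopped
    volumes:
      - $DOCKERDIR/nzbhydra2:/config
    ports:
      - "$NZBHYDRA_PORT:5076"
    environment:
      - PUID=$PUID
      - PGID=$PGID
      - TZ=$TZ
    networks:
      proxy_net:
        ipv4_address: 10.10.10.14
    security_opt:
      - no-new-privileges:true
    labels:
      - "traefik.enable=true"
      ## HTTP Routers Auth Bypass
      # Scoped to the hydra host so a valid key cannot claim requests for other
      # hostnames. The API key lives in a label (visible to anyone who can
      # inspect the container) and, via Query, in the access log for 4xx requests.
      - "traefik.http.routers.hydra-rtr-bypass.entrypoints=https"
      - "traefik.http.routers.hydra-rtr-bypass.rule=Host(`hydra.$DOMAINNAME`) && (Headers(`apikey`, `$HYDRA_API_KEY`) || Query(`apikey`, `$HYDRA_API_KEY`))"
      - "traefik.http.routers.hydra-rtr-bypass.priority=100"
      ## HTTP Routers
      - "traefik.http.routers.hydra-rtr.entrypoints=https"
      - "traefik.http.routers.hydra-rtr.rule=Host(`hydra.$DOMAINNAME`)"
      - "traefik.http.routers.hydra-rtr.priority=99"
      ## Middlewares
      - "traefik.http.routers.hydra-rtr-bypass.middlewares=chain-no-auth@file"
      - "traefik.http.routers.hydra-rtr.middlewares=chain-authelia@file"
      ## HTTP Services
      - "traefik.http.routers.hydra-rtr.service=hydra-svc"
      - "traefik.http.routers.hydra-rtr-bypass.service=hydra-svc"
      - "traefik.http.services.hydra-svc.loadbalancer.server.port=5076"

  # Radarr - Movie management
  radarr:
    image: "linuxserver/radarr:preview"
    container_name: "radarr"
    hostname: radarr
    restart: unless-stopped
    volumes:
      - $DOCKERLOCALDIR/radarr:/config
      - $SABDIR/Complete/Radarr:/radarr-completed
      - $MEDIADIR:/media
      - "/etc/localtime:/etc/localtime:ro"
    ports:
      - "$RADARR_PORT:7878"
    environment:
      - PUID=$PUID
      - PGID=$PGID
      - TZ=$TZ
    networks:
      proxy_net:
        ipv4_address: 10.10.10.10
    security_opt:
      - no-new-privileges:true
    labels:
      - "traefik.enable=true"
      ## HTTP Routers Auth Bypass
      # Same pattern as nzbhydra2: host-scoped so the key only unlocks radarr.
      - "traefik.http.routers.radarr-rtr-bypass.entrypoints=https"
      - "traefik.http.routers.radarr-rtr-bypass.rule=Host(`radarr.$DOMAINNAME`) && (Headers(`X-Api-Key`, `$RADARR_API_KEY`) || Query(`apikey`, `$RADARR_API_KEY`))"
      - "traefik.http.routers.radarr-rtr-bypass.priority=100"
      ## HTTP Routers Auth
      - "traefik.http.routers.radarr-rtr.entrypoints=https"
      - "traefik.http.routers.radarr-rtr.rule=Host(`radarr.$DOMAINNAME`)"
      - "traefik.http.routers.radarr-rtr.priority=99"
      ## Middlewares
      - "traefik.http.routers.radarr-rtr-bypass.middlewares=chain-no-auth@file"
      - "traefik.http.routers.radarr-rtr.middlewares=chain-authelia@file"
      ## HTTP Services
      - "traefik.http.routers.radarr-rtr.service=radarr-svc"
      - "traefik.http.routers.radarr-rtr-bypass.service=radarr-svc"
      - "traefik.http.services.radarr-svc.loadbalancer.server.port=7878"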