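version: "3.9"

########################### NETWORKS
# You may customize the network subnet (192.168.90.0/24) below as you please.
# Docker Compose version 3.5 or higher required to define networks this way.
networks:
  t2_proxy:
    name: t2_proxy
    driver: bridge
    ipam:
      config:
        - subnet: 192.168.90.0/24
  default:
    driver: bridge
  # socket_proxy:
  #   name: socket_proxy
  #   driver: bridge
  #   ipam:
  #     config:
  #       - subnet: 192.168.91.0/24

########################### EXTENSION FIELDS
# Helps eliminate repetition of sections
# More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228

# Common environment values (anchor is defined here for reuse; not referenced by the services below)
x-environment: &default-tz-puid-pgid
  TZ: $TZ
  PUID: $PUID
  PGID: $PGID

# Keys common to some of the core services that we always want to automatically restart on failure
x-common-keys-core: &common-keys-core
  networks:
    - t2_proxy
  security_opt:
    - no-new-privileges:true # blocks setuid/capability escalation inside the container
  restart: always

# Keys common to some of the dependent services/apps
x-common-keys-apps: &common-keys-apps
  networks:
    - t2_proxy
  security_opt:
    - no-new-privileges:true
  restart: unless-stopped

# Keys common to some of the services in media-services.txt
x-common-keys-media: &common-keys-media
  networks:
    - t2_proxy
  security_opt:
    - no-new-privileges:true
  restart: "no" # quoted on purpose: a bare no would be parsed as boolean false

########################### SERVICES
services:
  # Traefik 2 - Reverse Proxy
  traefik:
    <<: *common-keys-core # See EXTENSION FIELDS at the top
    container_name: traefik
    image: traefik:2.7 # pinned minor version; bump deliberately and review release notes
    command: # CLI arguments
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=true # sends anonymous telemetry to Traefik; set to false to opt out
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
      # Forwarded headers from any other source are not trusted, so keep LOCAL_IPS as narrow as possible.
      - --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
      - --entryPoints.traefik.address=:8080
      - --api=true
      # Keep --api.insecure commented: the dashboard is served only through traefik-rtr (labels below),
      # which carries the basic-auth middleware. Port 8080 is intentionally not published either.
      # - --api.insecure=true
      - --api.dashboard=true
      # - --serversTransport.insecureSkipVerify=true # disables upstream cert checks; leave off unless a backend needs it
      - --log=true
      - --log.filePath=/logs/traefik.log
      - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC. DEBUG is verbose; lower to INFO/WARN once stable.
      - --accessLog=true
      - --accessLog.filePath=/logs/access.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=204-299,400-499,500-599
      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock # Use Docker Socket Proxy instead for improved security
      # - --providers.docker.endpoint=tcp://socket-proxy:2375 # Use this instead of the previous line if you have socket proxy.
      - --providers.docker.exposedByDefault=false # containers must opt in with traefik.enable=true
      - --entrypoints.https.http.tls.options=tls-opts@file
      # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
      - --entrypoints.https.http.tls.certresolver=dns-cloudflare
      - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME_CLOUD_SERVER
      - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME_CLOUD_SERVER
      # - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME2 # Pulls main cert for second domain
      # - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME2 # Pulls wildcard cert for second domain
      - --providers.docker.network=t2_proxy
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory
      # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file
      - --providers.file.watch=true # Only works on top level files in the rules folder
      # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
      - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
    networks:
      t2_proxy:
        # ipv4_address: 192.168.90.254 # You can specify a static IP
      # socket_proxy:
    # networks:
    #   - t2_proxy
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      # - "8080:8080"
      # - target: 8080 # insecure api wont work
      #   published: 8080
      #   protocol: tcp
      #   mode: host
    volumes:
      - $DOCKERDIR/appdata/traefik2/rules/cloudserver:/rules # file provider directory
      # If you use Docker Socket Proxy, comment this line out. Note that :ro only makes the mount
      # read-only; it does not restrict what can be done over the Docker API through the socket.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must create this empty file and change permissions to 600
      - $DOCKERDIR/logs/cloudserver/traefik:/logs # for fail2ban or crowdsec
      - $DOCKERDIR/shared:/shared
    environment:
      - TZ=$TZ
      - CF_API_EMAIL=$CLOUDFLARE_EMAIL
      # NOTE(review): CF_API_KEY is the Cloudflare Global API Key, which grants full account access.
      # A scoped API token limited to Zone:DNS:Edit on the needed zone (CF_DNS_API_TOKEN in the
      # Traefik/lego cloudflare provider) is preferable - confirm against the provider docs for this version.
      - CF_API_KEY=$CLOUDFLARE_API_KEY
      - DOMAINNAME_CLOUD_SERVER # Passing the domain name to the traefik container to be able to use the variable in rules.
    labels:
      - "traefik.enable=true"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME_CLOUD_SERVER`)"
      - "traefik.http.routers.traefik-rtr.tls=true" # Some people had 404s without this
      # - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME_CLOUD_SERVER"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME_CLOUD_SERVER"
      # - "traefik.http.routers.traefik-rtr.tls.domains[1].main=$DOMAINNAME2" # Pulls main cert for second domain
      # - "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$DOMAINNAME2" # Pulls wildcard cert for second domain
      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      ## Middlewares
      # The dashboard/API is gated by middlewares-basic-auth@file in this chain; do not remove it.
      - "traefik.http.routers.traefik-rtr.middlewares=middlewares-rate-limit@file,middlewares-https-redirectscheme@file,middlewares-secure-headers@file,middlewares-basic-auth@file,middlewares-compress@file"

  # Dozzle - Real-time Docker Log Viewer
  dozzle:
    <<: *common-keys-apps # See EXTENSION FIELDS at the top (t2_proxy, no-new-privileges, restart unless-stopped)
    image: amir20/dozzle:latest # NOTE(review): pin to a version or digest so upgrades are deliberate and reviewable
    container_name: dozzle
    # networks: # override the anchor's networks here if you add Socket Proxy
    #   - t2_proxy
    #   - socket_proxy
    # Not published on the host: a host port would expose the log viewer without the
    # chain-basic-auth@file middleware applied on the Traefik router below. If you need
    # access without Traefik, bind to loopback only, e.g. "127.0.0.1:8082:8080".
    # ports:
    #   - "8082:8080"
    # environment:
    #   DOZZLE_LEVEL: debug
    #   DOZZLE_TAILSIZE: 300
    #   DOZZLE_FILTER: "status=running"
    #   DOZZLE_FILTER: "label=log_me" # limits logs displayed to containers with this label
    #   DOCKER_HOST: tcp://socket-proxy:2375
    volumes:
      # Use Docker Socket Proxy instead for improved security. :ro matches the other services;
      # it only makes the mount read-only and does not limit the Docker API itself.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.dozzle-rtr.entrypoints=https"
      - "traefik.http.routers.dozzle-rtr.rule=Host(`dozzle.$DOMAINNAME_CLOUD_SERVER`)"
      ## Middlewares
      - "traefik.http.routers.dozzle-rtr.middlewares=chain-basic-auth@file"
      ## HTTP Services
      - "traefik.http.routers.dozzle-rtr.service=dozzle-svc"
      - "traefik.http.services.dozzle-svc.loadbalancer.server.port=8080"

  # Portainer - WebUI for Containers
  portainer:
    <<: *common-keys-core # See EXTENSION FIELDS at the top
    container_name: portainer
    image: portainer/portainer-ee:latest # NOTE(review): pin to a version or digest so upgrades are deliberate and reviewable
    # command: -H unix:///var/run/docker.sock # Use Docker Socket Proxy and comment this line out, for improved security.
    # command: -H tcp://socket-proxy:2375 # Use this instead, if you have Socket Proxy enabled.
    networks:
      - t2_proxy
    # Kept commented out because we are going to use Traefik to access the Portainer WebUI
    # (portainer-rtr with chain-basic-auth@file). Publishing 9000 on the host would bypass that middleware.
    # ports:
    #   - "$PORTAINER_PORT:9000"
    #   - "9000:9000"
    volumes:
      # Use Docker Socket Proxy and comment this line out, for improved security.
      # :ro only makes the mount read-only; it does not restrict the Docker API through the socket.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - $DOCKERDIR/appdata/portainer/data:/data # Change to local directory if you want to save/transfer config locally.
    environment:
      - TZ=$TZ
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.portainer-rtr.entrypoints=https"
      - "traefik.http.routers.portainer-rtr.rule=Host(`portainer.$DOMAINNAME_CLOUD_SERVER`)"
      # - "traefik.http.routers.portainer-rtr.tls=true"
      ## Middlewares
      - "traefik.http.routers.portainer-rtr.middlewares=chain-basic-auth@file"
      ## HTTP Services
      - "traefik.http.routers.portainer-rtr.service=portainer-svc"
      - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000"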