API tools faq
paste
Advertisement
moltra

Docker Compose

moltra
Jun 2nd, 2023 (edited)
1,799
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
YAML 9.64 KB | None | 0 0
raw download clone embed print report
  1. version: "3.9"
  2. ########################### NETWORKS
  3. # You may customize the network subnet (192.168.90.0/24) below as you please.
  4. # Docker Compose version 3.5 or higher required to define networks this way.
  5.  
  6. networks:
  8.   t2_proxy:
  9.     name: t2_proxy
  10.     driver: bridge
  11.     ipam:
  12.       config:
  13.         - subnet: 192.168.90.0/24
  14.   default:
  15.     driver: bridge
  16.   # socket_proxy:
  17.   #   name: socket_proxy
  18.   #   driver: bridge
  19.   #   ipam:
  20.   #     config:
  21.   #       - subnet: 192.168.91.0/24
  22.  
  23. ########################### EXTENSION FIELDS
  24. # Helps eliminate repetition of sections
  25. # More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228
  26.  
  27. # Common environment values
  28. x-environment: &default-tz-puid-pgid
  29.   TZ: $TZ
  30.   PUID: $PUID
  31.   PGID: $PGID
  32.  
  33. # Keys common to some of the core services that we always to automatically restart on failure
  34. x-common-keys-core: &common-keys-core
  35.   networks:
  36.    - t2_proxy
  37.   security_opt:
  38.    - no-new-privileges:true
  39.   restart: always
  40.  
  41. # Keys common to some of the dependent services/apps
  42. x-common-keys-apps: &common-keys-apps
  43.   networks:
  44.    - t2_proxy
  45.   security_opt:
  46.    - no-new-privileges:true
  47.   restart: unless-stopped
  48.  
  49. # Keys common to some of the services in media-services.txt
  50. x-common-keys-media: &common-keys-media
  51.   networks:
  52.    - t2_proxy
  53.   security_opt:
  54.    - no-new-privileges:true
  55.   restart: "no"
  56.  
  57. ########################### SERVICES
  58. services:
  59. # Traefik 2 - Reverse Proxy
  60.   traefik:
  61.     <<: *common-keys-core # See EXTENSION FIELDS at the top
  62.     container_name: traefik
  63.     image: traefik:2.7
  64.     command: # CLI arguments
  65.       - --global.checkNewVersion=true
  66.       - --global.sendAnonymousUsage=true
  67.       - --entryPoints.http.address=:80
  68.       - --entryPoints.https.address=:443
  69.       # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
  70.       - --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
  71.       - --entryPoints.traefik.address=:8080
  72.       - --api=true
  73.       # - --api.insecure=true
  74.       - --api.dashboard=true
  75.       # - --serversTransport.insecureSkipVerify=true
  76.       - --log=true
  77.       - --log.filePath=/logs/traefik.log
  78.       - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
  79.       - --accessLog=true
  80.       - --accessLog.filePath=/logs/access.log
  81.       - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
  82.       - --accessLog.filters.statusCodes=204-299,400-499,500-599
  83.       - --providers.docker=true
  84.       - --providers.docker.endpoint=unix:///var/run/docker.sock # Use Docker Socket Proxy instead for improved security
  85.       # - --providers.docker.endpoint=tcp://socket-proxy:2375 # Use this instead of the previous line if you have socket proxy.
  86.       - --providers.docker.exposedByDefault=false
  87.       - --entrypoints.https.http.tls.options=tls-opts@file
  88.       # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
  89.       - --entrypoints.https.http.tls.certresolver=dns-cloudflare
  90.       - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME_CLOUD_SERVER
  91.       - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME_CLOUD_SERVER
  92.       # - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME2 # Pulls main cert for second domain
  93.       # - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME2 # Pulls wildcard cert for second domain
  94.       - --providers.docker.network=t2_proxy
  95.       - --providers.docker.swarmMode=false
  96.       - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory
  97.       # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file
  98.       - --providers.file.watch=true # Only works on top level files in the rules folder
  99.       #- --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
  100.       - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
  101.       - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
  102.       - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
  103.       - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
  104.       - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
  105.     networks:
  106.       t2_proxy:
  107.      # ipv4_address: 192.168.90.254 # You can specify a static IP
  108.       # socket_proxy:
  109.     # networks:
  110.     #  - t2_proxy
  111.     ports:
  112.       - target: 80
  113.         published: 80
  114.         protocol: tcp
  115.         mode: host
  116.       - target: 443
  117.         published: 443
  118.         protocol: tcp
  119.         mode: host
  120.       #  - "8080:8080"
  121.       #- target: 8080 # insecure api wont work
  122.       #   published: 8080
  123.       #   protocol: tcp
  124.       #   mode: host
  125.     volumes:
  126.      - $DOCKERDIR/appdata/traefik2/rules/cloudserver:/rules # file provider directory
  127.       - /var/run/docker.sock:/var/run/docker.sock:ro # If you use Docker Socket Proxy, comment this line out
  128.       - $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must create this empty file and change permissions to 600
  129.       - $DOCKERDIR/logs/cloudserver/traefik:/logs # for fail2ban or crowdsec
  130.       - $DOCKERDIR/shared:/shared
  131.     environment:
  132.      - TZ=$TZ
  133.       - CF_API_EMAIL=$CLOUDFLARE_EMAIL
  134.       - CF_API_KEY=$CLOUDFLARE_API_KEY
  135.       - DOMAINNAME_CLOUD_SERVER # Passing the domain name to the traefik container to be able to use the variable in rules.
  136.     labels:
  137.      - "traefik.enable=true"
  138.       # HTTP-to-HTTPS Redirect
  139.       - "traefik.http.routers.http-catchall.entrypoints=http"
  140.       - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
  141.       - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
  142.       - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
  143.       # HTTP Routers
  144.       - "traefik.http.routers.traefik-rtr.entrypoints=https"
  145.       - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME_CLOUD_SERVER`)"
  146.       - "traefik.http.routers.traefik-rtr.tls=true" # Some people had 404s without this
  147.       # - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
  148.       - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME_CLOUD_SERVER"
  149.       - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME_CLOUD_SERVER"
  150.       # - "traefik.http.routers.traefik-rtr.tls.domains[1].main=$DOMAINNAME2" # Pulls main cert for second domain
  151.       # - "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$DOMAINNAME2" # Pulls wildcard cert for second domain
  152.       ## Services - API
  153.       - "traefik.http.routers.traefik-rtr.service=api@internal"
  154.       ## Middlewares
  155.       - "traefik.http.routers.traefik-rtr.middlewares=middlewares-rate-limit@file,middlewares-https-redirectscheme@file,middlewares-secure-headers@file,middlewares-basic-auth@file,middlewares-compress@file"
  156.      
  157.  
  158.  
  159.   # Dozzle - Real-time Docker Log Viewer
  160.   dozzle:
  161.     image: amir20/dozzle:latest
  162.     container_name: dozzle
  163.     security_opt:
  164.      - no-new-privileges:true
  165.     restart: unless-stopped
  166.     networks:
  167.      - t2_proxy
  168.       # - socket_proxy
  169.     ports:
  170.      - "8082:8080"
  171.     #environment:
  172.       # DOZZLE_LEVEL: debug
  173.       # DOZZLE_TAILSIZE: 300
  174.       # DOZZLE_FILTER: "status=running"
  175.       # DOZZLE_FILTER: "label=log_me" # limits logs displayed to containers with this label
  176.       # DOCKER_HOST: tcp://socket-proxy:2375
  177.     volumes:
  178.      - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy instead for improved security
  179.     labels:
  180.      - "traefik.enable=true"
  181.       ## HTTP Routers
  182.       - "traefik.http.routers.dozzle-rtr.entrypoints=https"
  183.       - "traefik.http.routers.dozzle-rtr.rule=Host(`dozzle.$DOMAINNAME_CLOUD_SERVER`)"
  184.       ## Middlewares
  185.       - "traefik.http.routers.dozzle-rtr.middlewares=chain-basic-auth@file"
  186.       ## HTTP Services
  187.       - "traefik.http.routers.dozzle-rtr.service=dozzle-svc"
  188.       - "traefik.http.services.dozzle-svc.loadbalancer.server.port=8080"
  189.  
  190. # Portainer - WebUI for Containers
  191.   portainer:
  192.     <<: *common-keys-core # See EXTENSION FIELDS at the top
  193.     container_name: portainer
  194.     image: portainer/portainer-ee:latest
  195.     # command: -H unix:///var/run/docker.sock # Use Docker Socket Proxy and comment this line out, for improved security.
  196.     # command: -H tcp://socket-proxy:2375 # Use this instead, if you have Socket Proxy enabled.
  197.     networks:
  198.      - t2_proxy
  199.     ports: # Commented out because we are going to use Traefik to access portainer WebUI.
  200.     #  - "$PORTAINER_PORT:9000"
  201.       - 9000:9000
  202.     volumes:
  203.      - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy and comment this line out, for improved security.
  204.       - $DOCKERDIR/appdata/portainer/data:/data # Change to local directory if you want to save/transfer config locally.
  205.     environment:
  206.      - TZ=$TZ
  207.     labels:
  208.      - "traefik.enable=true"
  209.       ## HTTP Routers
  210.       - "traefik.http.routers.portainer-rtr.entrypoints=https"
  211.       - "traefik.http.routers.portainer-rtr.rule=Host(`portainer.$DOMAINNAME_CLOUD_SERVER`)"
  212.       # - "traefik.http.routers.portainer-rtr.tls=true"
  213.       ## Middlewares
  214.       - "traefik.http.routers.portainer-rtr.middlewares=chain-basic-auth@file"
  215.       ## HTTP Services
  216.       - "traefik.http.routers.portainer-rtr.service=portainer-svc"
  217.       - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000"
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!