forked from anandslab/docker-traefik
-
Notifications
You must be signed in to change notification settings - Fork 0
/
docker-compose-t2-web.yml
executable file
·618 lines (585 loc) · 24.9 KB
/
docker-compose-t2-web.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
version: "3.9"
######### IMPORTANT #############
# docker-compose-t2.yml is my main docker compose that runs on the same Proxmox host.
# You will find only a few apps in this web stack that hosts a few wordpress and non-wordpress sites.
# You can copy-paste services from one docker-compose file in this repo to another to add other apps.
########################### SYSTEM DESCRIPTION
# DOCKER-COMPOSE FOR WORDPRESS / WEB SERVER
# Digital Ocean: 1 vCPU, 2 GB RAM, and 50 GB NVME
# Use this Referral Link and get $100 Credit: https://m.do.co/c/5ae8e2c8f34b
# Docker: 20.10.17
# Docker Compose: 2.6.0 (v2 https://docs.docker.com/compose/#compose-v2-and-the-new-docker-compose-command)
########################### NETWORKS
# There is no need to create any networks outside this docker-compose file.
# You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please.
# Docker Compose version 3.5 or higher required to define networks this way.
networks:
t2_proxy:
name: t2_proxy
driver: bridge
ipam:
config:
- subnet: 192.168.90.0/24
default:
driver: bridge
socket_proxy:
name: socket_proxy
driver: bridge
ipam:
config:
- subnet: 192.168.91.0/24
########################### SECRETS
secrets:
htpasswd:
file: $DOCKERDIR/secrets/htpasswd
cf_email:
file: $DOCKERDIR/secrets/cf_email
cf_api_key:
file: $DOCKERDIR/secrets/cf_api_key
cf_token:
file: $DOCKERDIR/secrets/cf_token
traefik_forward_auth:
file: $DOCKERDIR/secrets/traefik_forward_auth
mysql_root_password:
file: $SECRETSDIR/mysql_root_password
authelia_jwt_secret:
file: $SECRETSDIR/authelia_jwt_secret
authelia_session_secret:
file: $SECRETSDIR/authelia_session_secret
authelia_storage_mysql_password:
file: $SECRETSDIR/authelia_storage_mysql_password
authelia_notifier_smtp_password:
file: $SECRETSDIR/authelia_notifier_smtp_password
authelia_duo_api_secret_key:
file: $SECRETSDIR/authelia_duo_api_secret_key
########################### EXTENSION FIELDS
# Helps eliminate repetition of sections
# More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228
# Common environment values
x-environment: &default-tz-puid-pgid
TZ: $TZ
PUID: $PUID
PGID: $PGID
# Keys common to some of the services in basic-services.txt
x-common-keys-core: &common-keys-core
networks:
- t2_proxy
security_opt:
- no-new-privileges:true
restart: always
# profiles:
# - core
# Keys common to some of the services in basic-services.txt
x-common-keys-core: &common-keys-monitoring
networks:
- t2_proxy
security_opt:
- no-new-privileges:true
restart: always
# profiles:
# - monitoring
# Keys common to some of the dependent services/apps
x-common-keys-apps: &common-keys-apps
networks:
- t2_proxy
security_opt:
- no-new-privileges:true
restart: unless-stopped
# profiles:
# - apps
########################### SERVICES
services:
############################# FRONTENDS
# Traefik 2 - Reverse Proxy
# Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
# touch $DOCKERDIR/appdata/traefik2/acme/acme.json
# chmod 600 $DOCKERDIR/appdata/traefik2/acme/acme.json
# touch $DOCKERDIR/logs/web/traefik/traefik.log
# touch $DOCKERDIR/logs/web/traefik/access.log
traefik:
<<: *common-keys-core # See EXTENSION FIELDS at the top
container_name: traefik
image: traefik:2.8
command: # CLI arguments
- --global.checkNewVersion=true
- --global.sendAnonymousUsage=true
- --entryPoints.http.address=:80
- --entryPoints.https.address=:443
# Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
- --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
- --entryPoints.traefik.address=:8080
# - --entryPoints.ping.address=:8081
- --api=true
# - --api.insecure=true
- --api.dashboard=true
#- --ping=true
# - --serversTransport.insecureSkipVerify=true
- --log=true
- --log.filePath=/logs/traefik.log
- --log.level=INFO # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
- --accessLog=true
- --accessLog.filePath=/logs/access.log
- --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
- --accessLog.filters.statusCodes=204-299,400-499,500-599
- --providers.docker=true
# - --providers.docker.endpoint=unix:///var/run/docker.sock # Use Docker Socket Proxy instead for improved security
- --providers.docker.endpoint=tcp://socket-proxy:2375
# Automatically set Host rule for services
# - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME_SHB`)
- --providers.docker.exposedByDefault=false
# - --entrypoints.https.http.middlewares=chain-oauth@file
- --entrypoints.https.http.tls.options=tls-opts@file
# Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
- --entrypoints.https.http.tls.certresolver=dns-cloudflare
- --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME_SHB
- --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME_SHB
# - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME_KHUB # Pulls main cert for second domain
# - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME_KHUB # Pulls wildcard cert for second domain
- --providers.docker.network=t2_proxy
- --providers.docker.swarmMode=false
- --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory
# - --providers.file.filename=/path/to/file # Load dynamic configuration from a file
- --providers.file.watch=true # Only works on top level files in the rules folder
# - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
- --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
- --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
# - --metrics.prometheus=true
# - --metrics.prometheus.buckets=0.1,0.3,1.2,5.0
networks:
t2_proxy:
ipv4_address: 192.168.90.254 # You can specify a static IP
socket_proxy:
#healthcheck:
# test: ["CMD", "traefik", "healthcheck", "--ping"]
# interval: 5s
# retries: 3
ports:
- target: 80
published: 80
protocol: tcp
mode: host
- target: 443
published: 443
protocol: tcp
mode: host
# - target: 8080 # insecure api wont work
# published: 8080
# protocol: tcp
# mode: host
volumes:
- $DOCKERDIR/appdata/traefik2/rules/web:/rules # file provider directory
# - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy instead for improved security
- $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
- $DOCKERDIR/logs/web/traefik:/logs # for fail2ban or crowdsec
environment:
- TZ=$TZ
- CF_API_EMAIL_FILE=/run/secrets/cf_email
- CF_API_KEY_FILE=/run/secrets/cf_api_key
- HTPASSWD_FILE=/run/secrets/htpasswd # HTPASSWD_FILE can be whatever as it is not used/called anywhere.
- DOMAINNAME_SHB # Passing the domain name to traefik container to be able to use the variable in rules.
secrets:
- cf_email
- cf_api_key
- htpasswd
labels:
#- "autoheal=true"
- "traefik.enable=true"
# HTTP-to-HTTPS Redirect
- "traefik.http.routers.http-catchall.entrypoints=http"
- "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
# HTTP Routers
- "traefik.http.routers.traefik-rtr.entrypoints=https"
- "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME_SHB`)"
## Services - API
- "traefik.http.routers.traefik-rtr.service=api@internal"
## Healthcheck/ping
#- "traefik.http.routers.ping.rule=Host(`traefik.$DOMAINNAME_SHB`) && Path(`/ping`)"
#- "traefik.http.routers.ping.tls=true"
#- "traefik.http.routers.ping.service=ping@internal"
## Middlewares
- "traefik.http.routers.traefik-rtr.middlewares=chain-oauth@file"
# Docker Socket Proxy - Security Enchanced Proxy for Docker Socket
socket-proxy:
<<: *common-keys-core # See EXTENSION FIELDS at the top
container_name: socket-proxy
image: tecnativa/docker-socket-proxy
networks:
socket_proxy:
ipv4_address: 192.168.91.254 # You can specify a static IP
# privileged: true # true for VM. False for unprivileged LXC container.
#ports:
# - "127.0.0.1:2375:2375" # Port 2375 should only ever get exposed to the internal network. When possible use this line.
# I use the next line instead, as I want portainer to manage multiple docker endpoints within my home network.
# - "2375:2375"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
environment:
- LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
# 0 to revoke access.
# 1 to grant access.
## Granted by Default
- EVENTS=1
- PING=1
- VERSION=1
## Revoked by Default
# Security critical
- AUTH=0
- SECRETS=0
- POST=1 # Watchtower
# Not always needed
- BUILD=0
- COMMIT=0
- CONFIGS=0
- CONTAINERS=1 # Traefik, portainer, etc.
- DISTRIBUTION=0
- EXEC=0
- IMAGES=1 # Portainer
- INFO=1 # Portainer
- NETWORKS=1 # Portainer
- NODES=0
- PLUGINS=0
- SERVICES=1 # Portainer
- SESSION=0
- SWARM=0
- SYSTEM=0
- TASKS=1 # Portainer
- VOLUMES=1 # Portainer
# Google OAuth - Single Sign On using OAuth 2.0
# https://www.smarthomebeginner.com/google-oauth-with-traefik-docker/
oauth:
<<: *common-keys-core # See EXTENSION FIELDS at the top
container_name: oauth
image: thomseddon/traefik-forward-auth:latest
# image: thomseddon/traefik-forward-auth:2.1-arm # Use this image with Raspberry Pi
# Allow apps to bypass OAuth. Radarr example below will bypass OAuth if API key is present in the request (eg. from NZB360 mobile app).
# While this is one way, the recommended way is to bypass authentication using Traefik labels shown in some of the apps later.
# command: --rule.radarr.action=allow --rule.radarr.rule="Headers(`X-Api-Key`, `$RADARR_API_KEY`)"
# command: --rule.sabnzbd.action=allow --rule.sabnzbd.rule="HeadersRegexp(`X-Forwarded-Uri`, `$SABNZBD_API_KEY`)"
environment:
- CONFIG=/config
- COOKIE_DOMAIN=$DOMAINNAME_SHB
- INSECURE_COOKIE=false
- AUTH_HOST=oauth.$DOMAINNAME_SHB
- URL_PATH=/_oauth
- LOG_LEVEL=warn
- LOG_FORMAT=text
- LIFETIME=86400 # 1 day
- DEFAULT_ACTION=auth
- DEFAULT_PROVIDER=google
secrets:
- source: traefik_forward_auth
target: /config
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.oauth-rtr.tls=true"
- "traefik.http.routers.oauth-rtr.entrypoints=https"
- "traefik.http.routers.oauth-rtr.rule=Host(`oauth.$DOMAINNAME_SHB`)"
## Middlewares
- "traefik.http.routers.oauth-rtr.middlewares=chain-oauth@file"
## HTTP Services
- "traefik.http.routers.oauth-rtr.service=oauth-svc"
- "traefik.http.services.oauth-svc.loadbalancer.server.port=4181"
# Portainer - WebUI for Containers
portainer:
<<: *common-keys-core # See EXTENSION FIELDS at the top
container_name: portainer
image: portainer/portainer-ce:latest
# command: -H unix:///var/run/docker.sock # # Use Docker Socket Proxy instead for improved security
command: -H tcp://socket-proxy:2375
networks:
- t2_proxy
- socket_proxy
volumes:
# - /var/run/docker.sock:/var/run/docker.sock:ro # # Use Docker Socket Proxy instead for improved security
- $DOCKERDIR/appdata/portainer/data:/data # Change to local directory if you want to save/transfer config locally
environment:
- TZ=$TZ
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.portainer-rtr.entrypoints=https"
- "traefik.http.routers.portainer-rtr.rule=Host(`portainer.$DOMAINNAME_SHB`)"
## Middlewares
- "traefik.http.routers.portainer-rtr.middlewares=chain-oauth@file"
## HTTP Services
- "traefik.http.routers.portainer-rtr.service=portainer-svc"
- "traefik.http.services.portainer-svc.loadbalancer.server.port=9000"
# Autoindex - Simple Directory Index
autoindex:
<<: *common-keys-apps # See EXTENSION FIELDS at the top
container_name: autoindex
image: dceoy/nginx-autoindex:latest
# ports:
# - "$AUTOINDEX_PORT:80"
volumes:
- $USERDIR:/var/lib/nginx/html:ro # Location you want to index
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.autoindex-rtr.entrypoints=https"
- "traefik.http.routers.autoindex-rtr.rule=Host(`index.$DOMAINNAME_SHB`)"
## Middlewares
- "traefik.http.routers.autoindex-rtr.middlewares=chain-oauth@file"
## HTTP Services
- "traefik.http.routers.autoindex-rtr.service=autoindex-svc"
- "traefik.http.services.autoindex-svc.loadbalancer.server.port=80"
# CrowdSec - Open-source & collaborative security IPS
crowdsec:
<<: *common-keys-core # See EXTENSION FIELDS at the top
image: crowdsecurity/crowdsec
container_name: crowdsec
ports:
- "$CROWDSEC_API_PORT:8080"
- "$ZEROTIER_IP_WEBSERVER:$CROWDSEC_PROMETHEUS_EXPORT:6060" # If you don't use ZeroTier remove use just $CROWDSEC_PROMETHEUS_EXPORT:6060
environment:
COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/whitelist-good-actors crowdsecurity/iptables crowdsecurity/linux crowdsecurity/nginx crowdsecurity/sshd"
GID: "${GID-1000}"
CUSTOM_HOSTNAME: dSHB
volumes:
- $DOCKERDIR/logs/web:/logs/web:ro
- /var/log:/var/log:ro
- $DOCKERDIR/appdata/crowdsec/data:/var/lib/crowdsec/data
- $DOCKERDIR/appdata/crowdsec/config:/etc/crowdsec
# CrowdSec Bouncer - Traefik
traefik-bouncer:
<<: *common-keys-core # See EXTENSION FIELDS at the top
image: fbonalair/traefik-crowdsec-bouncer
container_name: traefik-bouncer
#ports:
# - "$TRAEFIK_BOUNCER_PORT:8080"
environment:
GIN_MODE: release # default is debug (more logs)
CROWDSEC_BOUNCER_API_KEY: $CROWDSEC_BOUNCER_TRAEFIK_API_KEY # sudo docker exec crowdsec cscli bouncers add traefik-bouncer
CROWDSEC_AGENT_HOST: crowdsec:8080 # CrowdSec host and port
CROWDSEC_BOUNCER_LOG_LEVEL: 1 # 1 INFO 2 WARN https://pkg.go.dev/github.com/rs/zerolog#readme-leveled-logging
# CrowdSec Bouncer - Cloudflare
# sudo docker exec crowdsec cscli bouncer add cloudflare-bouncer
# Set max ip number right the first time (max 10000). Recreating container deletes all ips and readds them causing cloudflare 429 rate limiting.
cloudflare-bouncer:
<<: *common-keys-core # See EXTENSION FIELDS at the top
image: crowdsecurity/cloudflare-bouncer
container_name: cloudflare-bouncer
#ports:
# - "$CLOUDFLARE_BOUNCER_PORT:2112"
volumes:
- $DOCKERDIR/appdata/cloudflare-bouncer/cfg.yaml:/etc/crowdsec/bouncers/crowdsec-cloudflare-bouncer.yaml
- $DOCKERDIR/appdata/cloudflare-bouncer/cf-bouncer:/cf-bouncer
############################# DATABASE
# MariaDB - MySQL Database
# After starting container for first time dexec and mysqladmin -u root password <password>
mariadb:
<<: *common-keys-core # See EXTENSION FIELDS at the top
container_name: mariadb
image: lscr.io/linuxserver/mariadb
#ports:
# - "$MARIADB_PORT:3306"
volumes:
- $DOCKERDIR/appdata/mariadb/data:/config
environment:
<<: *default-tz-puid-pgid
FILE__MYSQL_ROOT_PASSWORD: /run/secrets/mysql_root_password # Note FILE__ (double underscore) - Issue #127
secrets:
- mysql_root_password
# Redis - Key-value Store
redis:
<<: *common-keys-core # See EXTENSION FIELDS at the top
container_name: redis
image: redis:latest
entrypoint: redis-server --appendonly yes --requirepass $REDIS_PASSWORD --maxmemory 512mb --maxmemory-policy allkeys-lru
#ports:
# - "$REDIS_PORT:6379"
volumes:
- $DOCKERDIR/appdata/redis/data:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
# phpMyAdmin - Database management
# Create a new user with admin privileges. Cannot login as MySQL root for some reason.
phpmyadmin:
<<: *common-keys-apps # See EXTENSION FIELDS at the top
image: phpmyadmin/phpmyadmin:latest
container_name: phpmyadmin
environment:
- PMA_HOST=$MARIADB_HOST
- PMA_PORT=$MARIADB_PORT
#- PMA_ARBITRARY=1
- MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password
secrets:
- mysql_root_password
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.phpmyadmin-rtr.entrypoints=https"
- "traefik.http.routers.phpmyadmin-rtr.rule=Host(`pma.$DOMAINNAME_SHB`)"
## Middlewares
- "traefik.http.routers.phpmyadmin-rtr.middlewares=chain-oauth@file"
## HTTP Services
- "traefik.http.routers.phpmyadmin-rtr.service=phpmyadmin-svc"
- "traefik.http.services.phpmyadmin-svc.loadbalancer.server.port=80"
########################### WEB
# Nginx - Web Server
nginx:
<<: *common-keys-core # See EXTENSION FIELDS at the top
container_name: nginx
image: nginx:1.20 # 1.18 # Updated 8/9/2021
depends_on:
- php7
- redis
volumes:
- /etc/localtime:/etc/localtime:ro
- /etc/timezone:/etc/timezone:ro
- $DOCKERDIR/logs/web/nginx:/var/log/nginx
- $DOCKERDIR/appdata/nginx:/etc/nginx
- $DOCKERDIR/appdata/sites/shb/html:/var/www/html/shb
#- $DOCKERDIR/appdata/sites/shb/beta:/var/www/html/beta
- $DOCKERDIR/appdata/sites/khub/html:/var/www/html/khub
- $DOCKERDIR/appdata/sites/dash/html:/var/www/html/dash
secrets:
- htpasswd
labels:
- "traefik.enable=true"
## HTTP Routers SHB (WordPress) Auth
- "traefik.http.routers.nginx-shb-auth-rtr.entrypoints=https"
- "traefik.http.routers.nginx-shb-auth-rtr.rule=Host(`www.$DOMAINNAME_SHB`) && Path(`/wp-login.php`)"
- "traefik.http.routers.nginx-shb-auth-rtr.priority=100"
## HTTP Routers SHB (WordPress) Bypass
- "traefik.http.routers.nginx-shb-rtr.entrypoints=https"
- "traefik.http.routers.nginx-shb-rtr.rule=Host(`$DOMAINNAME_SHB`) || Host(`www.$DOMAINNAME_SHB`)"
- "traefik.http.routers.nginx-shb-rtr.priority=99"
## HTTP Routers SHB Beta (WordPress)
#- "traefik.http.routers.nginx-shb-beta-rtr.entrypoints=https"
#- "traefik.http.routers.nginx-shb-beta-rtr.rule=Host(`beta.$DOMAINNAME_SHB`)"
## HTTP Routers DASH (non-WordPress)
- "traefik.http.routers.nginx-dash-rtr.entrypoints=https"
- "traefik.http.routers.nginx-dash-rtr.rule=Host(`dash.$DOMAINNAME_SHB`)"
## HTTP Routers KHUB (non-WordPress)
- "traefik.http.routers.nginx-khub-rtr.entrypoints=https"
- "traefik.http.routers.nginx-khub-rtr.rule=Host(`$DOMAINNAME_KHUB`) || Host(`www.$DOMAINNAME_KHUB`)"
# Redirect shb non-www to www middleware
- "traefik.http.middlewares.shb-redirect.redirectregex.regex=^https?://$DOMAINNAME_SHB/(.*)"
- "traefik.http.middlewares.shb-redirect.redirectregex.replacement=https://www.$DOMAINNAME_SHB/$${1}"
- "traefik.http.middlewares.shb-redirect.redirectregex.permanent=true"
# Redirect khub non-www to www middleware
- "traefik.http.middlewares.khub-redirect.redirectregex.regex=^https?://$DOMAINNAME_KHUB/(.*)"
- "traefik.http.middlewares.khub-redirect.redirectregex.replacement=https://www.$DOMAINNAME_KHUB/$${1}"
- "traefik.http.middlewares.khub-redirect.redirectregex.permanent=true"
## Middlewares
- "traefik.http.routers.nginx-khub-rtr.middlewares=khub-redirect,chain-no-auth@file"
- "traefik.http.routers.nginx-shb-rtr.middlewares=shb-redirect,chain-no-auth-wp@file"
#- "traefik.http.routers.nginx-shb-auth-rtr.middlewares=shb-redirect,chain-oauth-wp@file"
- "traefik.http.routers.nginx-shb-auth-rtr.middlewares=shb-redirect,chain-no-auth-wp@file"
- "traefik.http.routers.nginx-dash-rtr.middlewares=chain-oauth@file"
#- "traefik.http.routers.nginx-shb-beta-rtr.middlewares=chain-oauth@file"
## HTTP Services
- "traefik.http.routers.nginx-shb-rtr.service=nginx-svc"
- "traefik.http.routers.nginx-shb-auth-rtr.service=nginx-svc"
- "traefik.http.routers.nginx-khub-rtr.service=nginx-svc"
- "traefik.http.routers.nginx-dash-rtr.service=nginx-svc"
#- "traefik.http.routers.nginx-shb-beta-rtr.service=nginx-svc"
- "traefik.http.services.nginx-svc.loadbalancer.server.port=80"
# PHP - Hypertext Preprocessor
php7:
<<: *common-keys-core # See EXTENSION FIELDS at the top
container_name: php7
image: php:7.4-fpm-custom
build:
context: $DOCKERDIR/custom/
dockerfile: Dockerfile-php7
user: $PUID:$PGID # allows upgrading WP and plugins
volumes:
- $DOCKERDIR/appdata/sites/shb/html:/var/www/html/shb
#- $DOCKERDIR/appdata/sites/shb/beta:/var/www/html/beta
- $DOCKERDIR/appdata/php/php7:/usr/local/etc/php
- $DOCKERDIR/appdata/sites/khub/html:/var/www/html/khub
- $DOCKERDIR/appdata/sites/dash/html:/var/www/html/dash
########################### UTILITIES
# VSCode - VSCode Editing
vscode:
<<: *common-keys-core # See EXTENSION FIELDS at the top
image: lscr.io/linuxserver/code-server:latest
container_name: vscode
volumes:
- $DOCKERDIR:/data/docker
- $USERDIR/server:/data/server
- $DATADIR:/data/data
- $DOCKERDIR/appdata/vscode:/config
environment:
<<: *default-tz-puid-pgid
# DOCKER_HOST: tcp://socket-proxy:2375
# PASSWORD: $VSCODE_PASSWORD
# HASHED_PASSWORD: #optional
# SUDO_PASSWORD: password #optional
# SUDO_PASSWORD_HASH: #optional
# PROXY_DOMAIN: code-server.my.domain #optional
DEFAULT_WORKSPACE: /config/data/User/Workspaces/AZ.code-workspace #optional
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.vscode-rtr.entrypoints=https"
- "traefik.http.routers.vscode-rtr.rule=Host(`code.$DOMAINNAME_SHB`)"
## Middlewares
- "traefik.http.routers.vscode-rtr.middlewares=chain-oauth@file"
## HTTP Services
- "traefik.http.routers.vscode-rtr.service=vscode-svc"
- "traefik.http.services.vscode-svc.loadbalancer.server.port=8443"
wg-easy:
image: weejewel/wg-easy
container_name: wg-easy
restart: unless-stopped
networks:
- default
- t2_proxy
cap_add:
- NET_ADMIN
- SYS_MODULE
sysctls:
- net.ipv4.ip_forward=1
- net.ipv4.conf.all.src_valid_mark=1
ports:
- "51820:51820/udp"
- "51821:51821/tcp"
volumes:
- $DOCKERDIR/appdata/wireguard:/etc/wireguard
environment:
# ⚠️ Required:
# Change this to your host's public address
- WG_HOST=$SERVER_IP
- PASSWORD=$WGEASY_PASSWORD
# Optional:
# - PASSWORD=foobar123
# - WG_PORT=51820
# - WG_DEFAULT_ADDRESS=10.8.0.x
# - WG_DEFAULT_DNS=1.1.1.1
# - WG_MTU=1420
# - WG_ALLOWED_IPS=192.168.15.0/24, 10.0.1.0/24
# - WG_PRE_UP=echo "Pre Up" > /etc/wireguard/pre-up.txt
# - WG_POST_UP=echo "Post Up" > /etc/wireguard/post-up.txt
# - WG_PRE_DOWN=echo "Pre Down" > /etc/wireguard/pre-down.txt
# - WG_POST_DOWN=echo "Post Down" > /etc/wireguard/post-down.txt
############################# MAINTENANCE
# Docker-GC - Automatic Docker Garbage Collection
# Create docker-gc-exclude file
dockergc:
<<: *common-keys-apps # See EXTENSION FIELDS at the top
image: clockworksoul/docker-gc-cron:latest
container_name: docker-gc
networks:
- socket_proxy
volumes:
# - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy instead for improved security
- $DOCKERDIR/appdata/docker-gc/docker-gc-exclude:/etc/docker-gc-exclude
environment:
CRON: 12 0 0 * * ? # Everyday at midnight.
FORCE_IMAGE_REMOVAL: 1
FORCE_CONTAINER_REMOVAL: 0
GRACE_PERIOD_SECONDS: 604800
DRY_RUN: 0
CLEAN_UP_VOLUMES: 1
TZ: $TZ
DOCKER_HOST: tcp://socket-proxy:2375