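# Reference: https://www.smarthomebeginner.com/traefik-reverse-proxy-tutorial-for-docker
# Requirement: nano .env -> set the environment variables ${USERDIR}, ${PUID}, ${PGID}, ${TZ},
# ${DOMAINNAME}, ${CLOUDFLARE_EMAIL}, ${CLOUDFLARE_API_KEY}, ${HTTP_USERNAME}, ${HTTP_PASSWORD},
# ${PLEX_CLAIM} etc. as explained in the reference.
#
# Review notes (layout restored from a whitespace-collapsed paste; service definitions are
# unchanged except where a comment says so):
#   * Every web UI here is meant to be reached only through Traefik, whose frontends are gated
#     by traefik-forward-auth (SSO). Publishing a host port on such a service bypasses that
#     gate, so the qbittorrent (8080) and ubooquity (2202/2203) host ports are now commented
#     out like the other services' ports. Re-enable them deliberately if LAN access is needed.
#   * /var/run/docker.sock gives a container full control of the Docker daemon, i.e. root on
#     the host. It is mounted into traefik (ro), portainer, watchtower, dockergc and dozzle;
#     dozzle only reads, so its mount is now read-only (this does not restrict API calls, it
#     only prevents the socket file from being replaced). Keep this list as short as possible.
#   * ${USERDIR}/docker/shared is mounted into most containers; anything written there
#     (dumped TLS private keys by certsdump, the cloudddns config) is readable by all of them.
#   * Secrets arrive via environment variables; keep them in .env only, never in this file.
version: "3.7"

services:

  ######### FRONTENDS ##########

  # Traefik Reverse Proxy
  # NOTE(review): Traefik 1.x is end-of-life and no longer receives security fixes; plan a
  # migration to 2.x (the label syntax changes). The image tag is pinned, which is good.
  traefik:
    hostname: traefik
    image: traefik:v1.7.21
    container_name: traefik
    restart: always
    domainname: ${DOMAINNAME}
    networks:
      - default
      - traefik_proxy
    ports:
      - "80:80"
      - "443:443"
      # The dashboard (8080) stays unpublished; it is reachable only via the SSO-gated frontend below.
      # - "XXXX:8080"
    environment:
      # Cloudflare credentials for ACME DNS-01. The global API key grants full account access;
      # check whether this Traefik build supports a scoped DNS API token instead.
      - CF_API_EMAIL=${CLOUDFLARE_EMAIL}
      - CF_API_KEY=${CLOUDFLARE_API_KEY}
    labels:
      - "traefik.enable=true"
      - "traefik.backend=traefik"
      - "traefik.frontend.rule=Host:traefik.${DOMAINNAME}"
      # - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefixStrip: /traefik"
      - "traefik.port=8080"
      - "traefik.docker.network=traefik_proxy"
      # Forward auth: every request to this frontend is first sent to traefik-forward-auth.
      # trustForwardHeader lets the auth request use X-Forwarded-*; that is only safe because
      # Traefik itself is the edge listener on 80/443. Revisit if another proxy is put in front.
      - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
      - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
      - "traefik.frontend.auth.forward.trustForwardHeader=true"
      - "traefik.frontend.passHostHeader=true"
      - "traefik.frontend.headers.SSLForceHost=true"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=traefik.${DOMAINNAME}"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"
      # - "traefik.frontend.auth.basic.users=${HTTP_USERNAME}:${HTTP_PASSWORD}"
      - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      # NOTE(review): in Traefik v1 customFrameOptionsValue replaces the frameDeny header, and
      # X-Frame-Options ALLOW-FROM is not honoured by current browsers (they then apply no frame
      # restriction). A Content-Security-Policy frame-ancestors directive is the supported
      # replacement. Same applies to every service below.
      - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${USERDIR}/docker/traefik:/etc/traefik
      - ${USERDIR}/docker/shared:/shared
      - /var/log/docker/traefik.log:/var/log/docker/traefik.log  # for fail2ban - make sure to touch file before starting container

  # The auth gate for SSO
  traefik-forward-auth:
    # thomseddon's image doesn't support OIDC_ISSUER yet
    # image: thomseddon/traefik-forward-auth
    image: funkypenguin/traefik-forward-auth
    container_name: traefik-forward-auth
    networks:
      - traefik_proxy
    environment:
      CLIENT_ID: ${AUTH_CLIENT_ID}
      CLIENT_SECRET: ${AUTH_CLIENT_SECRET}
      # This is based on using the Master realm. Create a new client, this will go into your CLIENT_ID, CLIENT_SECRET details.
      # NOTE(review): Keycloak reserves the master realm for administration; application clients
      # belong in a dedicated realm. With WHITELIST commented out, every account in the realm
      # passes this gate.
      OIDC_ISSUER: https://keycloak.${DOMAINNAME}/auth/realms/master
      # SECRET signs the SSO session cookie. Reusing the HTTP basic-auth password couples cookie
      # forgery resistance to that password; prefer a dedicated random value in its own .env variable.
      SECRET: ${HTTP_PASSWORD}
      AUTH_HOST: auth.${DOMAINNAME}
      COOKIE_DOMAINS: ${DOMAINNAME}
      # WHITELIST: ${EMAIL}
      COOKIE_SECURE: "true"
      # Session lifetime in seconds (30 days); shorten if devices are shared.
      LIFETIME: "2592000"
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.port=4181"
      - "traefik.frontend.rule=Host:auth.${DOMAINNAME}"
      - "traefik.backend=traefik-forward-auth"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
      - "traefik.frontend.auth.forward.trustForwardHeader=true"
      - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
    depends_on:
      - keycloak
      - traefik

  # Keycloak - identity and access management solution
  # NOTE(review): untagged image resolves to :latest, so every pull may change the IdP version
  # unannounced (watchtower below auto-updates). Pin a tag and upgrade deliberately.
  keycloak:
    image: jboss/keycloak
    container_name: keycloak
    domainname: ${DOMAINNAME}
    restart: always
    # ports:
    #   - "8080:8080"
    networks:
      - traefik_proxy
      - keycloak
    volumes:
      # - ${USERDIR}/docker/keycloak/config.json:/config.json
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      - /var/log/docker/keycloak:/opt/jboss/keycloak/standalone/log
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      # Initial admin account; rotate the password in the console after first login.
      - KEYCLOAK_USER=${KEYCLOAK_USER}
      - KEYCLOAK_PASSWORD=${KEYCLOAK_PASSWORD}
      # - KEYCLOAK_IMPORT=/config.json
      - DB_VENDOR=mariadb
      - DB_DATABASE=keycloak
      - DB_ADDR=mariadb
      - DB_USER=keycloak
      # NOTE(review): the application DB user shares the MariaDB root password; give the keycloak
      # user its own credential (and the MariaDB service, outside this chunk, the same value).
      - DB_PASSWORD=${MYSQL_ROOT_PASSWORD}
      # - JBOSS_LOG_DIR=/opt/wildfly/logs
      # This is required to run keycloak behind traefik. It makes Keycloak trust X-Forwarded-*,
      # which is acceptable only while 8080 stays unpublished and reachable just via traefik_proxy.
      - PROXY_ADDRESS_FORWARDING=true
      - KEYCLOAK_HOSTNAME=keycloak.${DOMAINNAME}
      # Tell MYSQL what user/password to create
      # NOTE(review): these variables are read by the mariadb image's init, not by Keycloak;
      # on this service they appear to have no effect - presumably meant for the mariadb service.
      - MYSQL_USER=keycloak
      - MYSQL_PASSWORD=${MYSQL_ROOT_PASSWORD}
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.backend=keycloak"
      - "traefik.frontend.rule=Host:keycloak.${DOMAINNAME}"
      # - "traefik.protocol: http"
      - "traefik.port=8080"
      - "traefik.frontend.passHostHeader=true"
      - "traefik.frontend.headers.SSLForceHost=true"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=keycloak.${DOMAINNAME}"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"
      - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
    # depends_on:
    #   - mariadb

  # Portainer - WebUI for Containers
  # NOTE(review): needs a writable docker.sock to do its job, which makes the Portainer login
  # (behind SSO here) equivalent to root on the host. Untagged image -> :latest; pin it.
  portainer:
    image: portainer/portainer
    container_name: portainer
    restart: always
    command: -H unix:///var/run/docker.sock
    # ports:
    #   - "XXXX:9000"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${USERDIR}/docker/portainer/data:/data
      - ${USERDIR}/docker/shared:/shared
    environment:
      - TZ=${TZ}
    networks:
      - traefik_proxy
    labels:
      - "traefik.enable=true"
      - "traefik.backend=portainer"
      - "traefik.frontend.rule=Host:portainer.${DOMAINNAME}"
      # - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefixStrip: /portainer"
      - "traefik.port=9000"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.passHostHeader=true"
      - "traefik.frontend.headers.SSLForceHost=true"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=portainer.${DOMAINNAME}"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"
      - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
      - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
      - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
      - "traefik.frontend.auth.forward.trustForwardHeader=true"

  # Organizr - Unified HTPC/Home Server Web Interface
  organizr:
    container_name: organizr
    restart: always
    image: lsiocommunity/organizr
    volumes:
      - ${USERDIR}/docker/organizr:/config
      - ${USERDIR}/docker/shared:/shared
    # ports:
    #   - "XXXX:80"
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
    networks:
      - traefik_proxy
    labels:
      - "traefik.enable=true"
      - "traefik.backend=organizr"
      - "traefik.frontend.rule=Host:organizr.${DOMAINNAME}"
      # - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefixStrip: /organizr"
      - "traefik.port=80"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.passHostHeader=true"
      - "traefik.frontend.headers.SSLForceHost=true"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=organizr.${DOMAINNAME}"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"
      - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
      - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
      - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
      - "traefik.frontend.auth.forward.trustForwardHeader=true"

  # phpMyAdmin - WebUI for MariaDB
  phpmyadmin:
    hostname: phpmyadmin
    container_name: phpmyadmin
    image: phpmyadmin/phpmyadmin
    restart: always
    depends_on:
      - mariadb
    # ports:
    #   - "XXXX:80"
    environment:
      - PMA_HOST=mariadb
      # NOTE(review): PMA_USER/PMA_PASSWORD auto-login everyone who passes SSO as the DB root
      # user. Dropping both makes phpMyAdmin prompt for DB credentials (second factor of sorts).
      - PMA_USER=root
      - PMA_PASSWORD=${MYSQL_ROOT_PASSWORD}
      - PMA_ABSOLUTE_URI=https://pma.${DOMAINNAME}
    volumes:
      - ${USERDIR}/docker/phpmyadmin/config.user.inc.php:/etc/phpmyadmin/config.user.inc.php
      - ${USERDIR}/docker/phpmyadmin/php.ini:/usr/local/etc/php/conf.d/php.ini
      - ${USERDIR}/docker/phpmyadmin/custom/phpmyadmin/theme:/www/themes/theme/
    networks:
      - traefik_proxy
      - default
    labels:
      - "traefik.enable=true"
      - "traefik.backend=pma"
      - "traefik.frontend.rule=Host:pma.${DOMAINNAME}"
      - "traefik.port=80"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.passHostHeader=true"
      - "traefik.frontend.headers.SSLForceHost=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=pma.${DOMAINNAME}"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"
      - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
      - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
      - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
      - "traefik.frontend.auth.forward.trustForwardHeader=true"

  ######### DOCKER RELATED ##########

  # Watchtower - Automatic Update of Containers/Apps
  # NOTE(review): pulls and restarts whatever :latest resolves to, for every container, with a
  # writable docker.sock. That is an unreviewed supply-chain path into the whole stack; consider
  # pinning image tags and using watchtower only for notifications, or scoping it by label.
  watchtower:
    container_name: watchtower
    hostname: watchtower
    restart: always
    image: containrrr/watchtower  # v2tec/watchtower
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - WATCHTOWER_NOTIFICATIONS=slack
      # The webhook URL is a bearer credential for the Slack channel; keep it in .env only.
      - WATCHTOWER_NOTIFICATION_SLACK_HOOK_URL=${SLACK_WEBHOOK_URL}
      - WATCHTOWER_NOTIFICATION_SLACK_IDENTIFIER=watchtower
      - "WATCHTOWER_NOTIFICATION_SLACK_CHANNEL=#docker"
    command: --schedule "0 0 4 * * *" --cleanup --debug

  # Docker Garbage Collector
  dockergc:
    container_name: docker-gc
    image: clockworksoul/docker-gc-cron:latest
    # network_mode: "host"
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${USERDIR}/docker/shared/docker-gc-exclude:/etc/docker-gc-exclude
    environment:
      - "CRON=0 9,21 * * *"
      - FORCE_IMAGE_REMOVAL=1
      - FORCE_CONTAINER_REMOVAL=1
      - MINIMUM_IMAGES_TO_SAVE=1
      - GRACE_PERIOD_SECONDS=3600
      - DRY_RUN=0
      # Removes dangling volumes too; make sure nothing keeps state in anonymous volumes.
      - CLEAN_UP_VOLUMES=1
      - TZ=${TZ}

  # Dozzle - realtime log viewer for docker containers
  # Exposes every container's stdout/stderr (which may include tokens) to anyone behind SSO.
  dozzle:
    container_name: dozzle
    image: amir20/dozzle:latest
    restart: always
    environment:
      - DOZZLE_TAILSIZE=100
      - DOZZLE_LEVEL=info
    volumes:
      # Read-only: dozzle only reads; see the review notes at the top about socket access.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/localtime:/etc/localtime:ro
    # ports:
    #   - "9999:8080"
    networks:
      - traefik_proxy
    labels:
      - "traefik.enable=true"
      - "traefik.backend=dozzle"
      - "traefik.frontend.rule=Host:dozzle.${DOMAINNAME}"
      - "traefik.port=8080"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.passHostHeader=true"
      - "traefik.frontend.headers.SSLForceHost=true"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=dozzle.${DOMAINNAME}"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"
      - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
      - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
      - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
      - "traefik.frontend.auth.forward.trustForwardHeader=true"

  # Cloudflare DDNS
  cloudddns:
    container_name: cloudddns
    restart: always
    image: joshava/cloudflare-ddns
    volumes:
      # NOTE(review): this config presumably holds a Cloudflare API credential, and it lives in
      # the shared directory that is mounted into most containers. Move it to a dedicated
      # directory (e.g. ${USERDIR}/docker/cloudddns) that only this service mounts.
      - ${USERDIR}/docker/shared/config.yml:/app/config.yaml
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}

  # Traefik Certificate Extractor
  # https://hub.docker.com/r/ldez/traefik-certs-dumper
  # NOTE(review): the dump contains private keys (privkey.pem) and is written under
  # ${USERDIR}/docker/shared, which is mounted into most other containers. Dump into a directory
  # that only the consumers of these certificates mount, and keep it mode 0700.
  certsdump:
    container_name: certsdump
    image: ldez/traefik-certs-dumper
    command: file --source /acme.json --dest /dump/live --domain-subdir --crt-name=fullchain --key-name=privkey --crt-ext=.pem --key-ext=.pem
    volumes:
      - ${USERDIR}/docker/traefik/acme/acme.json:/acme.json:ro
      - ${USERDIR}/docker/shared/letsencrypt/etc:/dump
    restart: "no"

  ######### DOWNLOADERS ##########

  # qBittorrent without VPN - Bittorrent Downloader
  qbittorrent:
    image: "linuxserver/qbittorrent"
    container_name: "qbittorrent"
    volumes:
      - ${USERDIR}/docker/qbittorrent:/config
      - ${USERDIR}/Downloads/completed:/downloads
      - ${USERDIR}/docker/shared:/shared
    ports:
      # Host port 8080 was published here, exposing the web UI (protected only by qBittorrent's
      # own login) without the SSO gate. Traefik reaches the UI on the traefik_proxy network.
      # - "8080:8080"
      - "6881:6881"
      - "6881:6881/udp"
    restart: always
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - UMASK_SET=002
      - WEBUI_PORT=8080
    networks:
      - traefik_proxy
    labels:
      - "traefik.enable=true"
      - "traefik.backend=qbittorrent"
      # - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefixStrip: /qbittorrent"
      - "traefik.frontend.rule=Host:qbit.${DOMAINNAME}"
      - "traefik.port=8080"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.passHostHeader=true"
      - "traefik.frontend.headers.SSLForceHost=true"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=qbit.${DOMAINNAME}"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"
      - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
      - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
      - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
      - "traefik.frontend.auth.forward.trustForwardHeader=true"

  # SABnzbd - Usenet (NZB) Downloader
  sabnzbd:
    image: "linuxserver/sabnzbd"
    container_name: "sabnzbd"
    volumes:
      - ${USERDIR}/docker/sabnzbd:/config
      - ${USERDIR}/Downloads/completed:/downloads
      - ${USERDIR}/Downloads/incomplete:/incomplete-downloads
      - ${USERDIR}/docker/shared:/shared
    # ports:
    #   - "XXXX:8080"
    restart: always
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
    networks:
      - traefik_proxy
    labels:
      - "traefik.enable=true"
      - "traefik.backend=sabnzbd"
      - "traefik.frontend.rule=Host:sabnzbd.${DOMAINNAME}"
      # - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefix: /sabnzbd"
      - "traefik.port=8080"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.passHostHeader=true"
      - "traefik.frontend.headers.SSLForceHost=true"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=sabnzbd.${DOMAINNAME}"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"
      - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
      - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
      - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
      - "traefik.frontend.auth.forward.trustForwardHeader=true"

  ######### PERSONAL VIDEO RECORDERS ##########

  # Radarr - Movie Download and Management
  radarr:
    image: "linuxserver/radarr"
    container_name: "radarr"
    volumes:
      - ${USERDIR}/docker/radarr:/config
      - ${USERDIR}/Downloads/completed:/downloads
      - ${USERDIR}/media/movies:/movies
      - /etc/localtime:/etc/localtime:ro
      - ${USERDIR}/docker/shared:/shared
    # ports:
    #   - "XXXX:7878"
    restart: always
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
    networks:
      - traefik_proxy
    labels:
      - "traefik.enable=true"
      - "traefik.backend=radarr"
      # - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefix: /radarr"
      - "traefik.frontend.rule=Host:radarr.${DOMAINNAME}"
      - "traefik.port=7878"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.passHostHeader=true"
      - "traefik.frontend.headers.SSLForceHost=true"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=radarr.${DOMAINNAME}"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"  # set to false to show as tabs in organizr
      - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
      - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
      - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
      - "traefik.frontend.auth.forward.trustForwardHeader=true"

  # Sonarr - TV Show Download and Management
  sonarr:
    image: "linuxserver/sonarr"
    container_name: "sonarr"
    volumes:
      - ${USERDIR}/docker/sonarr:/config
      - ${USERDIR}/Downloads/completed:/downloads
      - ${USERDIR}/media/tvshows:/tv
      - /etc/localtime:/etc/localtime:ro
      - ${USERDIR}/docker/shared:/shared
    # ports:
    #   - "XXXX:8989"
    restart: always
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
    networks:
      - traefik_proxy
    labels:
      - "traefik.enable=true"
      - "traefik.backend=sonarr"
      # - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefix: /sonarr"
      - "traefik.frontend.rule=Host:sonarr.${DOMAINNAME}"
      - "traefik.port=8989"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.passHostHeader=true"
      - "traefik.frontend.headers.SSLForceHost=true"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=sonarr.${DOMAINNAME}"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"
      - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
      - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
      - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
      - "traefik.frontend.auth.forward.trustForwardHeader=true"

  # LIDARR - Music Download and Management
  lidarr:
    image: "linuxserver/lidarr"
    hostname: lidarr
    container_name: "lidarr"
    volumes:
      - ${USERDIR}/docker/lidarr:/config
      - ${USERDIR}/Downloads/completed:/downloads
      - ${USERDIR}/media/music:/music
      - /etc/localtime:/etc/localtime:ro
      - ${USERDIR}/docker/shared:/shared
    # ports:
    #   - "XXXX:8686"
    restart: always
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
    networks:
      - traefik_proxy
    labels:
      - "traefik.enable=true"
      - "traefik.backend=lidarr"
      # - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefix: /lidarr"
      - "traefik.frontend.rule=Host:lidarr.${DOMAINNAME}"
      - "traefik.port=8686"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.passHostHeader=true"
      - "traefik.frontend.headers.SSLForceHost=true"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=lidarr.${DOMAINNAME}"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"
      - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
      - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
      - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
      - "traefik.frontend.auth.forward.trustForwardHeader=true"

  # Bazarr - Subtitles download and management
  bazarr:
    image: linuxserver/bazarr
    container_name: bazarr
    restart: always
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - UMASK_SET=022  # optional
    volumes:
      - ${USERDIR}/docker/bazarr:/config
      - ${USERDIR}/media/movies:/movies
      - /etc/localtime:/etc/localtime:ro
      - ${USERDIR}/media/tvshows:/tv
    # ports:
    #   - "6767:6767"
    networks:
      - traefik_proxy
    labels:
      - "traefik.enable=true"
      - "traefik.backend=bazarr"
      # - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefix: /bazarr"
      - "traefik.frontend.rule=Host:bazarr.${DOMAINNAME}"
      - "traefik.port=6767"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.passHostHeader=true"
      - "traefik.frontend.headers.SSLForceHost=true"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=bazarr.${DOMAINNAME}"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"
      - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
      - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
      - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
      - "traefik.frontend.auth.forward.trustForwardHeader=true"

  # Lazylibrarian - Ebooks and Management
  lazylibrarian:
    image: "linuxserver/lazylibrarian"
    container_name: "lazylibrarian"
    volumes:
      - ${USERDIR}/docker/lazylibrarian:/config
      - ${USERDIR}/Downloads/completed:/downloads
      - ${USERDIR}/media/books:/books
      - /etc/localtime:/etc/localtime:ro
      - ${USERDIR}/docker/shared:/shared
    # ports:
    #   - "XXXX:5299"
    restart: always
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      # Docker mod pulled at container start; another unpinned supply-chain input.
      - DOCKER_MODS=linuxserver/calibre-web:calibre  # set the path to converter tool to /usr/bin/calibredb
    networks:
      - traefik_proxy
    labels:
      - "traefik.enable=true"
      - "traefik.backend=lazylibrarian"
      # - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefix: /lazylibrarian"
      - "traefik.frontend.rule=Host:lazylibrarian.${DOMAINNAME}"
      - "traefik.port=5299"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.passHostHeader=true"
      - "traefik.frontend.headers.SSLForceHost=true"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=lazylibrarian.${DOMAINNAME}"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"
      - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
      - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
      - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
      - "traefik.frontend.auth.forward.trustForwardHeader=true"

  ######### MEDIA SERVER APPS ##########

  # Plex Media Server
  plexms:
    container_name: plexms
    restart: always
    image: plexinc/pms-docker
    # devices:
    #   - /dev/dri:/dev/dri  # have a Plex Pass and an Intel processor with QuickSync for hardware transcoding
    security_opt:
      - no-new-privileges:true
    volumes:
      - ${USERDIR}/docker/plexms:/config
      - ${USERDIR}/Downloads/plex_tmp:/transcode
      # - /dev/shm:/transcode  # Offload transcoding to RAM if you have enough RAM
      - ${USERDIR}/media:/media
      - ${USERDIR}/docker/shared:/shared
    # Published directly: Plex clients and discovery do not go through Traefik.
    ports:
      - "32400:32400/tcp"
      - "3005:3005/tcp"  # controlling Plex Home Theater via Plex Companion
      - "8324:8324/tcp"  # controlling Plex for Roku via Plex Companion
      - "32469:32469/tcp"
      - "1900:1900/udp"  # access to the Plex DLNA Server
      - "32410:32410/udp"  # GDM network discovery
      - "32412:32412/udp"  # GDM network discovery
      - "32413:32413/udp"  # GDM network discovery
      - "32414:32414/udp"  # GDM network discovery
    environment:
      - TZ=${TZ}
      # NOTE(review): in list-form environment entries the quotes are likely passed literally
      # as part of the value - confirm with `docker inspect` and drop them if so.
      - HOSTNAME="Docker Plex"
      # One-time claim token; it expires quickly and can be removed from .env after first start.
      - PLEX_CLAIM=${PLEX_CLAIM}
      - PLEX_UID=${PUID}
      - PLEX_GID=${PGID}
      - ADVERTISE_IP="http://SERVER-IP:32400/"  # IP Address of your server, run ifconfig
    networks:
      - traefik_proxy
    labels:
      - "traefik.enable=true"
      - "traefik.backend=plexms"
      - "traefik.frontend.rule=Host:plex.${DOMAINNAME}"
      - "traefik.port=32400"
      - "traefik.protocol=http"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.passHostHeader=true"
      - "traefik.frontend.headers.SSLForceHost=true"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=plex.${DOMAINNAME}"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"
      - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
      # Forward auth on this frontend only affects browser access via plex.${DOMAINNAME};
      # non-browser Plex clients presumably use the published 32400 port directly.
      - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
      - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
      - "traefik.frontend.auth.forward.trustForwardHeader=true"

  # Jellyfin - Media Server
  jellyfin:
    image: linuxserver/jellyfin
    container_name: jellyfin
    restart: always
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - UMASK_SET=022  # optional
    volumes:
      - ${USERDIR}/docker/jellyfin:/config
      - ${USERDIR}/media/movies:/data/movies
      - ${USERDIR}/media/tvshows:/data/tvshows
      - /etc/localtime:/etc/localtime:ro
      # - /path for transcoding:/transcode  # optional
      # - /opt/vc/lib:/opt/vc/lib  # optional for raspberry pi
    # ports:
    #   - "8096:8096"
    #   - "8920:8920"  # optional
    # Container start fails on hosts without /dev/dri; comment out if there is no Intel GPU.
    devices:
      - /dev/dri:/dev/dri  # optional, if you want to use your Intel GPU for hardware accelerated video encoding
      # - /dev/vchiq:/dev/vchiq  # optional for raspberry pi
    networks:
      - traefik_proxy
    labels:
      - "traefik.enable=true"
      - "traefik.backend=jellyfin"
      # - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefix: /jellyfin"
      - "traefik.frontend.rule=Host:jellyfin.${DOMAINNAME}"
      - "traefik.port=8096"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.passHostHeader=true"
      - "traefik.frontend.headers.SSLForceHost=true"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=jellyfin.${DOMAINNAME}"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"
      - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
      # Forward auth is deliberately off here (presumably so Jellyfin apps can reach the API);
      # this frontend is therefore exposed to the internet with only Jellyfin's own login.
      # - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
      # - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
      # - "traefik.frontend.auth.forward.trustForwardHeader=true"

  # Funkwhale - music streaming server
  funkwhale:
    image: funkwhale/all-in-one:latest
    container_name: funkwhale
    restart: unless-stopped
    networks:
      - traefik_proxy
    environment:
      - TZ=${TZ}
      - PUID=${PUID}
      - PGID=${PGID}
      - FUNKWHALE_HOSTNAME=funkwhale.${DOMAINNAME}
      - LIBRARY_ID=${LIBRARY_ID}
    volumes:
      - ${USERDIR}/docker/funkwhale:/data
      - ${USERDIR}/media/music:/music
    labels:
      - "traefik.enable=true"
      - "traefik.backend=funkwhale"
      - "traefik.frontend.rule=Host:funkwhale.${DOMAINNAME}"
      - "traefik.port=80"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.passHostHeader=true"
      - "traefik.frontend.headers.SSLForceHost=true"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=funkwhale.${DOMAINNAME}"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"
      - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
      - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
      - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
      - "traefik.frontend.auth.forward.trustForwardHeader=true"

  # MusicBrainz Picard - Music Management
  picard:
    container_name: picard
    image: mikenye/picard
    restart: always
    networks:
      - traefik_proxy
    # ports:
    #   - "5800:5800"
    volumes:
      - ${USERDIR}/media/music:/storage:rw
      - ${USERDIR}/docker/picard:/config:rw
    environment:
      - USER_ID=${PUID}
      - GROUP_ID=${PGID}
      - TZ=${TZ}
      - UMASK=002
      - DISPLAY_WIDTH=1280
      - DISPLAY_HEIGHT=768
    labels:
      - "traefik.enable=true"
      - "traefik.backend=picard"
      - "traefik.frontend.rule=Host:picard.${DOMAINNAME}"
      - "traefik.port=5800"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.passHostHeader=true"
      - "traefik.frontend.headers.SSLForceHost=true"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=picard.${DOMAINNAME}"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"
      - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
      - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
      - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
      - "traefik.frontend.auth.forward.trustForwardHeader=true"

  # Ubooquity - home server for comics and ebooks library
  ubooquity:
    image: linuxserver/ubooquity
    container_name: ubooquity
    restart: always
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - MAXMEM=1024
    volumes:
      - ${USERDIR}/docker/ubooquity:/config
      - ${USERDIR}/media/books:/books
      - ${USERDIR}/media/comics:/comics
      - ${USERDIR}/media/files:/files
    # Host ports 2202 (library) and 2203 (admin UI) were published here, exposing both without
    # the SSO gate. Traefik serves them via the two frontends below on the traefik_proxy network.
    # ports:
    #   - "2202:2202"
    #   - "2203:2203"
    networks:
      - traefik_proxy
    labels:
      - "traefik.enable=true"
      - "traefik.backend=ubooquity"
      - "traefik.frontend.rule=Host:ubooquity.${DOMAINNAME}"
      - "traefik.port=2202"
      # Second (segment) frontend for the admin UI on the same host name.
      - "traefik.admin.frontend.rule=Host:ubooquity.${DOMAINNAME}; PathPrefix:/admin,/admin-res,/admin-api"
      - "traefik.admin.port=2203"
      - "traefik.protocol=http"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.passHostHeader=true"
      - "traefik.frontend.headers.SSLForceHost=true"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=ubooquity.${DOMAINNAME}"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"
      - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
      - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
      - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
      - "traefik.frontend.auth.forward.trustForwardHeader=true"

  # Calibre-web - Ebooks and Management
  calibre-web:
    image: "linuxserver/calibre-web"
    container_name: "calibre-web"
    volumes:
      - ${USERDIR}/docker/calibre_web:/config
      - ${USERDIR}/media/books:/books
      - /etc/localtime:/etc/localtime:ro
    # ports:
    #   - "XXXX:8083"
    restart: always
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      # - DOCKER_MODS=linuxserver/calibre-web:calibre  # include for ebook conversion
    networks:
      - traefik_proxy
    labels:
      - "traefik.enable=true"
      - "traefik.backend=calibre-web"
      # - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefix: /calibre-web"
      - "traefik.frontend.rule=Host:calibre-web.${DOMAINNAME}"
      - "traefik.port=8083"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.passHostHeader=true"
      - "traefik.frontend.headers.SSLForceHost=true"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=calibre-web.${DOMAINNAME}"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"
      - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
      - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
      - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
      - "traefik.frontend.auth.forward.trustForwardHeader=true"

  # Calibre - desktop app served over the web (port 8081 is the content server)
  calibre:
    image: "linuxserver/calibre"
    container_name: "calibre"
    volumes:
      - ${USERDIR}/Downloads/completed:/import
      - ${USERDIR}/media/books:/books
      - ${USERDIR}/docker/calibre:/config
      - /etc/localtime:/etc/localtime:ro
    # ports:
    #   - "XXXX:8080"
    #   - "XXXX:8081"
    restart: always
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
    networks:
      - traefik_proxy
    labels:
      - "traefik.enable=true"
      - "traefik.backend=calibre"
      # - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefix: /calibre"
      - "traefik.frontend.rule=Host:calibre.${DOMAINNAME}"
      - "traefik.port=8081"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.passHostHeader=true"
      - "traefik.frontend.headers.SSLForceHost=true"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=calibre.${DOMAINNAME}"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"
      - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
      - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
      - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
      - "traefik.frontend.auth.forward.trustForwardHeader=true"

  ######### SEARCHERS ##########

  # Jackett - Torrent Proxy
  jackett:
    image: "linuxserver/jackett"
    container_name: "jackett"
    volumes:
      - ${USERDIR}/docker/jackett:/config
      - ${USERDIR}/Downloads/completed:/downloads
      - /etc/localtime:/etc/localtime:ro
      - ${USERDIR}/docker/shared:/shared
    # ports:
    #   - "XXXX:9117"
    restart: always
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
    networks:
      - traefik_proxy
    labels:
      - "traefik.enable=true"
      - "traefik.backend=jackett"
      - "traefik.frontend.rule=Host:jackett.${DOMAINNAME}"
      # - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefix: /jackett"
      - "traefik.port=9117"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.passHostHeader=true"
      - "traefik.frontend.headers.SSLForceHost=true"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      # NOTE(review): the remaining jackett labels continue past this point in the original file.
      - 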
"traefik.frontend.headers.browserXSSFilter=true" - "traefik.frontend.headers.contentTypeNosniff=true" - "traefik.frontend.headers.forceSTSHeader=true" - "traefik.frontend.headers.SSLHost=jackett.${DOMAINNAME}" - "traefik.frontend.headers.STSIncludeSubdomains=true" - "traefik.frontend.headers.STSPreload=true" - "traefik.frontend.headers.frameDeny=true" - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex" - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}" - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181" - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User" - "traefik.frontend.auth.forward.trustForwardHeader=true" ######### UTILITIES ########## # MariaDB – Database Server for your Apps mariadb: image: "linuxserver/mariadb" container_name: "mariadb" hostname: mariadb volumes: - ${USERDIR}/docker/mariadb:/config - ${USERDIR}/docker/mysql/scripts:/docker-entrypoint-initdb.d:ro - ${USERDIR}/docker/mysql:/var/lib/mysql/data:rw ports: - target: 3306 published: 3306 protocol: tcp mode: host networks: - traefik_proxy - keycloak restart: always environment: - MYSQL_DATABASE=keycloak #- MYSQL_USER=keycloak - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD} - PUID=${PUID} - PGID=${PGID} - TZ=${TZ} # Copy-pasted from https://github.com/docker-library/mariadb/issues/94 healthcheck: test: ["CMD", "mysqladmin", "ping", "--silent"] # mysql db backup db-backup: container_name: db-backup image: tiredofit/db-backup depends_on: - mariadb volumes: - ${USERDIR}/docker/mariadb/backups:/backup - /etc/localtime:/etc/localtime:ro environment: #- DB_SERVER=mariadb - DB_TYPE=mariadb - DB_HOST=mariadb - DB_USER=root - DB_PASS=${MYSQL_ROOT_PASSWORD} - DB_DUMP_FREQ=1440 - DB_DUMP_BEGIN=+20 #- DB_DUMP_TARGET=${USERDIR}/docker/mariadb/backups - DB_CLEANUP_TIME=8640 - COMPRESSION=XZ - SPLIT_DB=TRUE networks: - traefik_proxy restart: always # Redis - Key-value 
Store redis: container_name: redis image: redis restart: always entrypoint: redis-server --appendonly yes networks: - traefik_proxy # ports: # - "6379:6379" sysctls: net.core.somaxconn: '65535' volumes: - ${USERDIR}/docker/redis/data:/data - /etc/localtime:/etc/localtime:ro #- ${USERDIR}/docker/redis/redis.conf:/usr/local/etc/redis/redis.conf labels: - "traefik.enable=true" - "traefik.port=6379" - "traefik.backend=redis" - "traefik.docker.network=traefik_proxy" # Redis Commander - Redis Management Tool rediscommander: container_name: rediscommander image: rediscommander/redis-commander restart: always depends_on: - redis networks: - traefik_proxy # ports: # - "8081:8081" environment: - REDIS_HOST=redis labels: - "traefik.enable=true" - "traefik.backend=rediscommander" - "traefik.frontend.rule=Host:rediscmd.${DOMAINNAME}" - "traefik.port=8081" - "traefik.docker.network=traefik_proxy" - "traefik.frontend.passHostHeader=true" - "traefik.frontend.headers.SSLForceHost=true" - "traefik.frontend.headers.SSLRedirect=true" - "traefik.frontend.headers.STSSeconds=315360000" - "traefik.frontend.headers.browserXSSFilter=true" - "traefik.frontend.headers.contentTypeNosniff=true" - "traefik.frontend.headers.forceSTSHeader=true" - "traefik.frontend.headers.SSLHost=rediscmd.${DOMAINNAME}" - "traefik.frontend.headers.STSIncludeSubdomains=true" - "traefik.frontend.headers.STSPreload=true" - "traefik.frontend.headers.frameDeny=true" - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex" - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}" - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181" - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User" - "traefik.frontend.auth.forward.trustForwardHeader=true" # CyberChef - the Cyber Swiss Army Knife web app for encryption, encoding, compression and data analysis cyberchef: container_name: cyberchef 
image: mpepping/cyberchef restart: always networks: - traefik_proxy # ports: # - "8000:8000" labels: - "traefik.enable=true" - "traefik.backend=cyberchef" - "traefik.frontend.rule=Host:cyberchef.${DOMAINNAME}" - "traefik.port=8000" - "traefik.docker.network=traefik_proxy" - "traefik.frontend.passHostHeader=true" - "traefik.frontend.headers.SSLForceHost=true" - "traefik.frontend.headers.SSLRedirect=true" - "traefik.frontend.headers.STSSeconds=315360000" - "traefik.frontend.headers.browserXSSFilter=true" - "traefik.frontend.headers.contentTypeNosniff=true" - "traefik.frontend.headers.forceSTSHeader=true" - "traefik.frontend.headers.SSLHost=cyberchef.${DOMAINNAME}" - "traefik.frontend.headers.STSIncludeSubdomains=true" - "traefik.frontend.headers.STSPreload=true" - "traefik.frontend.headers.frameDeny=true" - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex" - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}" - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181" - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User" - "traefik.frontend.auth.forward.trustForwardHeader=true" # NextCloud – Your Own Cloud Storage nextcloud: container_name: nextcloud restart: always image: linuxserver/nextcloud volumes: - ${USERDIR}/docker/nextcloud:/config - ${USERDIR}/shared_data:/data - ${USERDIR}/docker/shared:/shared # ports: # - "XXXX:443" environment: - PUID=${PUID} - PGID=${PGID} networks: - traefik_proxy labels: - "traefik.enable=true" - "traefik.backend=nextcloud" - "traefik.frontend.rule=Host:nextcloud.${DOMAINNAME}" - "traefik.port=443" - "traefik.protocol=https" - "traefik.docker.network=traefik_proxy" - "traefik.frontend.passHostHeader=true" - "traefik.frontend.headers.SSLForceHost=true" - "traefik.frontend.headers.SSLRedirect=true" - "traefik.frontend.headers.STSSeconds=315360000" - "traefik.frontend.headers.browserXSSFilter=true" - 
"traefik.frontend.headers.contentTypeNosniff=true" - "traefik.frontend.headers.forceSTSHeader=true" - "traefik.frontend.headers.SSLHost=nextcloud.${DOMAINNAME}" - "traefik.frontend.headers.STSIncludeSubdomains=true" - "traefik.frontend.headers.STSPreload=true" - "traefik.frontend.headers.frameDeny=true" - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex" - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}" #- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181" #- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User" #- "traefik.frontend.auth.forward.trustForwardHeader=true" # Bitwarden - Password Vault bitwarden: container_name: bitwarden image: bitwardenrs/server-mysql restart: always networks: - traefik_proxy # ports: # - "8888:80" volumes: - $USERDIR/docker/bitwarden:/data - /var/log/docker:/var/log/docker - /etc/localtime:/etc/localtime:ro environment: - SIGNUPS_ALLOWED=false # Change to false after first login - INVITATIONS_ALLOWED=false - WEBSOCKET_ENABLED=false #true - LOG_FILE=/var/log/docker/bitwarden.log - SMTP_HOST=smtp.gmail.com - SMTP_FROM=${SMTP_EMAIL} - SMTP_PORT=587 - SMTP_SSL=true - SMTP_USERNAME=${SMTP_EMAIL} - SMTP_PASSWORD=${SMTP_PASSWORD} - DOMAIN=https://bitwarden.$DOMAINNAME - ADMIN_TOKEN=supersecret - DATABASE_URL=mysql://bitwarden:${MYSQL_ROOT_PASSWORD}@mariadb/bitwarden labels: - "traefik.enable=true" - "traefik.backend=bitwarden" - "traefik.frontend.rule=Host:bitwarden.${DOMAINNAME}" #- "traefik.web.frontend.rule=Host:bitwarden.${DOMAINNAME}" - "traefik.port=80" # - "traefik.web.port=80" - "traefik.hub.frontend.rule=Host:bitwarden.${DOMAINNAME};Path:/notifications/hub" - "traefik.hub.port=3012" - "traefik.hub.protocol=ws" - "traefik.docker.network=traefik_proxy" - "traefik.frontend.passHostHeader=true" - "traefik.frontend.headers.SSLForceHost=true" - "traefik.frontend.headers.SSLRedirect=true" - 
"traefik.frontend.headers.STSSeconds=315360000" - "traefik.frontend.headers.browserXSSFilter=true" - "traefik.frontend.headers.contentTypeNosniff=true" - "traefik.frontend.headers.forceSTSHeader=true" - "traefik.frontend.headers.SSLHost=bitwarden.${DOMAINNAME}" - "traefik.frontend.headers.STSIncludeSubdomains=true" - "traefik.frontend.headers.STSPreload=true" - "traefik.frontend.headers.frameDeny=true" - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex" - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}" #- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181" #- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User" #- "traefik.frontend.auth.forward.trustForwardHeader=true" # Guacamole – Clientless remote desktop gateway guacd: container_name: guacd hostname: guacd image: guacamole/guacd networks: - traefik_proxy restart: always volumes: - ${USERDIR}/docker/guacamole/drive:/drive:rw - ${USERDIR}/docker/guacamole/record:/record:rw guacamole: container_name: guacamole depends_on: - guacd - mariadb environment: - GUACD_HOSTNAME=guacd #- GUACD_PORT=4822 - MYSQL_HOSTNAME=mariadb - MYSQL_PORT=3306 - MYSQL_DATABASE=guacamole - MYSQL_USER=guac - MYSQL_PASSWORD=${MYSQL_ROOT_PASSWORD} - GUACAMOLE_HOME=/etc/guacamole - TZ=${TZ} image: guacamole/guacamole volumes: - ${USERDIR}/docker/guacamole:/etc/guacamole:rw - /var/log/docker/guacamole:/usr/local/tomcat/logs networks: - traefik_proxy - default ports: - 8082:8080/tcp restart: always labels: - "traefik.enable=true" - "traefik.backend=guacamole" #guacamole_docker - "traefik.frontend.rule=Host:guac.${DOMAINNAME}" #- "traefik.frontend.rule=Host:guac.${DOMAINNAME}; AddPrefix: /guacamole" - "traefik.port=8080" - "traefik.docker.network=traefik_proxy" - "traefik.frontend.passHostHeader=true" - "traefik.frontend.headers.SSLForceHost=true" - "traefik.frontend.headers.SSLRedirect=true" - 
"traefik.frontend.headers.STSSeconds=315360000" - "traefik.frontend.headers.browserXSSFilter=true" - "traefik.frontend.headers.contentTypeNosniff=true" - "traefik.frontend.headers.forceSTSHeader=true" - "traefik.frontend.headers.SSLHost=guac.${DOMAINNAME}" - "traefik.frontend.headers.STSIncludeSubdomains=true" - "traefik.frontend.headers.STSPreload=true" - "traefik.frontend.headers.frameDeny=true" - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex" - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}" - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181" - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User" - "traefik.frontend.auth.forward.trustForwardHeader=true" # Netdata - real-time performance monitoring netdata: container_name: netdata image: netdata/netdata hostname: netdata restart: always cap_add: - SYS_PTRACE security_opt: - apparmor:unconfined environment: - PUID=${PUID} - PGID=${PGID} - TZ=${TZ} - NETDATA_PORT=19999 volumes: - /proc:/host/proc:ro - /sys:/host/sys:ro - /var/run/docker.sock:/var/run/docker.sock:ro networks: - traefik_proxy labels: - "traefik.enable=true" - "traefik.backend=netdata" - "traefik.frontend.rule=Host:netdata.${DOMAINNAME}" - "traefik.port=19999" - "traefik.docker.network=traefik_proxy" - "traefik.frontend.passHostHeader=true" - "traefik.frontend.headers.SSLForceHost=true" - "traefik.frontend.headers.SSLRedirect=true" - "traefik.frontend.headers.STSSeconds=315360000" - "traefik.frontend.headers.browserXSSFilter=true" - "traefik.frontend.headers.contentTypeNosniff=true" - "traefik.frontend.headers.forceSTSHeader=true" - "traefik.frontend.headers.SSLHost=netdata.${DOMAINNAME}" - "traefik.frontend.headers.STSIncludeSubdomains=true" - "traefik.frontend.headers.STSPreload=true" - "traefik.frontend.headers.frameDeny=true" - 
"traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex" - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}" - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181" - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User" - "traefik.frontend.auth.forward.trustForwardHeader=true" # Glances - web-based top cmd glances: container_name: glances hostname: glances restart: always image: vimagick/glances #network_mode: host pid: host networks: - traefik_proxy volumes: - ${USERDIR}/docker/glances:/etc/glances - /var/run/docker.sock:/var/run/docker.sock:ro environment: - GLANCES_OPT=-w labels: - "traefik.enable=true" - "traefik.backend=glances" - "traefik.frontend.rule=Host:glances.${DOMAINNAME}" #- "traefik.frontend.rule=Host:glances.docker.localhost" - "traefik.port=61208" - "traefik.docker.network=traefik_proxy" - "traefik.frontend.passHostHeader=true" - "traefik.frontend.headers.SSLForceHost=true" - "traefik.frontend.headers.SSLRedirect=true" - "traefik.frontend.headers.STSSeconds=315360000" - "traefik.frontend.headers.browserXSSFilter=true" - "traefik.frontend.headers.contentTypeNosniff=true" - "traefik.frontend.headers.forceSTSHeader=true" - "traefik.frontend.headers.SSLHost=glances.${DOMAINNAME}" - "traefik.frontend.headers.STSIncludeSubdomains=true" - "traefik.frontend.headers.STSPreload=true" - "traefik.frontend.headers.frameDeny=true" - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex" - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}" - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181" - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User" - "traefik.frontend.auth.forward.trustForwardHeader=true" # Heimdall - application dashboard heimdall: image: linuxserver/heimdall container_name: 
heimdall restart: always environment: - PUID=${PUID} - PGID=${PGID} - TZ=${TZ} volumes: - ${USERDIR}/docker/heimdall:/config labels: - "traefik.enable=true" - "traefik.backend=heim" - "traefik.frontend.rule=Host:${DOMAINNAME}, www.${DOMAINNAME}, heimdall.${DOMAINNAME}" - "traefik.port=80" - "traefik.docker.network=traefik_proxy" - "traefik.frontend.passHostHeader=true" - "traefik.frontend.headers.SSLForceHost=true" - "traefik.frontend.headers.SSLRedirect=true" - "traefik.frontend.headers.STSSeconds=315360000" - "traefik.frontend.headers.browserXSSFilter=true" - "traefik.frontend.headers.contentTypeNosniff=true" - "traefik.frontend.headers.forceSTSHeader=true" - "traefik.frontend.headers.SSLHost=heimdall.${DOMAINNAME}" - "traefik.frontend.headers.STSIncludeSubdomains=true" - "traefik.frontend.headers.STSPreload=true" - "traefik.frontend.headers.frameDeny=true" - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex" - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}" - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181" - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User" - "traefik.frontend.auth.forward.trustForwardHeader=true" networks: - traefik_proxy # Cloud Commander - web file manager cloudcmd: image: coderaiser/cloudcmd container_name: cloudcmd restart: always volumes: - ${USERDIR}/docker/cloudcmd:/root - ${USERDIR}/docker:/mnt/fs environment: - PUID=${PUID} - PGID=${PGID} - TZ=${TZ} networks: - traefik_proxy labels: - "traefik.enable=true" - "traefik.backend=cloudcmd" - "traefik.frontend.rule=Host:cloudcmd.${DOMAINNAME}" - "traefik.port=8000" - "traefik.docker.network=traefik_proxy" - "traefik.frontend.passHostHeader=true" - "traefik.frontend.headers.SSLForceHost=true" - "traefik.frontend.headers.SSLRedirect=true" - "traefik.frontend.headers.STSSeconds=315360000" - "traefik.frontend.headers.browserXSSFilter=true" - 
"traefik.frontend.headers.contentTypeNosniff=true" - "traefik.frontend.headers.forceSTSHeader=true" - "traefik.frontend.headers.SSLHost=cloudcmd.${DOMAINNAME}" - "traefik.frontend.headers.STSIncludeSubdomains=true" - "traefik.frontend.headers.STSPreload=true" - "traefik.frontend.headers.frameDeny=true" - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex" - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}" - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181" - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User" - "traefik.frontend.auth.forward.trustForwardHeader=true" # Duplicati - Backups cloud management duplicati: image: linuxserver/duplicati container_name: duplicati volumes: - ${USERDIR}/docker/duplicati:/config - ${USERDIR}/backups:/backups - ${USERDIR}/docker:/source - /etc/localtime:/etc/localtime:ro - ${USERDIR}/docker/shared:/shared # ports: # - "XXXX:8200" restart: always environment: - PUID=${PUID} - PGID=${PGID} - TZ=${TZ} - CLI_ARGS= #optional networks: - traefik_proxy labels: - "traefik.enable=true" - "traefik.backend=duplicati" - "traefik.frontend.rule=Host:duplicati.${DOMAINNAME}" - "traefik.port=8200" - "traefik.docker.network=traefik_proxy" - "traefik.frontend.passHostHeader=true" - "traefik.frontend.headers.SSLForceHost=true" - "traefik.frontend.headers.SSLRedirect=true" - "traefik.frontend.headers.STSSeconds=315360000" - "traefik.frontend.headers.browserXSSFilter=true" - "traefik.frontend.headers.contentTypeNosniff=true" - "traefik.frontend.headers.forceSTSHeader=true" - "traefik.frontend.headers.SSLHost=duplicati.${DOMAINNAME}" - "traefik.frontend.headers.STSIncludeSubdomains=true" - "traefik.frontend.headers.STSPreload=true" - "traefik.frontend.headers.frameDeny=true" - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex" - 
"traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}" - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181" - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User" - "traefik.frontend.auth.forward.trustForwardHeader=true" # code-server - vscode in a browser code-server: image: linuxserver/code-server container_name: code-server restart: always environment: - PUID=${PUID} - PGID=${PGID} - TZ=${TZ} - PASSWORD=${KEYCLOAK_PASSWORD} #optional - SUDO_PASSWORD=${KEYCLOAK_PASSWORD} #optional volumes: - ${USERDIR}/docker/vscode/config:/config # For github integration, drop your ssh key in to /config/.ssh. #ports: # - 8443:8443 networks: - traefik_proxy labels: - "traefik.enable=true" - "traefik.backend=code-server" - "traefik.frontend.rule=Host:code.${DOMAINNAME}" - "traefik.port=8443" - "traefik.docker.network=traefik_proxy" - "traefik.frontend.passHostHeader=true" - "traefik.frontend.headers.SSLForceHost=true" - "traefik.frontend.headers.SSLRedirect=true" - "traefik.frontend.headers.STSSeconds=315360000" - "traefik.frontend.headers.browserXSSFilter=true" - "traefik.frontend.headers.contentTypeNosniff=true" - "traefik.frontend.headers.forceSTSHeader=true" - "traefik.frontend.headers.SSLHost=code.${DOMAINNAME}" - "traefik.frontend.headers.STSIncludeSubdomains=true" - "traefik.frontend.headers.STSPreload=true" - "traefik.frontend.headers.frameDeny=true" - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex" - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}" - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181" - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User" - "traefik.frontend.auth.forward.trustForwardHeader=true" # fail2ban fail2ban: container_name: fail2ban image: crazymax/fail2ban:latest restart: always network_mode: "host" cap_add: - NET_ADMIN - NET_RAW 
volumes: - /var/log/docker:/var/log/docker - ${USERDIR}/docker/fail2ban:/data - ${USERDIR}/docker/fail2ban/fail2ban.d:/etc/fail2ban/fail2ban.d environment: - TZ=${TZ} - F2B_LOG_TARGET=/var/log/docker/fail2ban.log - F2B_LOG_LEVEL=INFO - F2B_DB_PURGE_AGE=1d #- F2B_ACTION=%(action_mw)s # %(action_mw)s or %(action_mwl)s to send mail - F2B_IPTABLES_CHAIN=DOCKER-USER - SSMTP_HOST=smtp.gmail.com - SSMTP_PORT=587 #- SSMTP_HOSTNAME=example.com - SSMTP_USER=${SMTP_EMAIL} - SSMTP_PASSWORD=${SMTP_PASSWORD} # Create an "app password" if you use 2FA - SSMTP_TLS=TLS # Paperless - Documents Storage # https://paperless.readthedocs.io/en/latest/utilities.html#the-exporter # extra env vars: https://github.com/the-paperless-project/paperless/blob/master/paperless.conf.example # to create admin account run this command: docker-compose run --rm paperless createsuperuser paperless: image: thepaperlessproject/paperless container_name: paperless restart: always networks: - traefik_proxy #ports: # - "8325:8000" healthcheck: test: ["CMD", "curl", "-f", "http://localhost:8000"] interval: 30s timeout: 10s retries: 5 volumes: - ${USERDIR}/docker/paperless/data:/usr/src/paperless/data - ${USERDIR}/docker/paperless/media:/usr/src/paperless/media - ${USERDIR}/shared_data/djlujo/files/scans/consume:/consume - ${USERDIR}/shared_data/djlujo/files/scans/export:/export environment: - PAPERLESS_OCR_LANGUAGES=eng hrv - PAPERLESS_PASSPHRASE=${PAPERLESS_PASSWORD} # document encryption - USERMAP_UID=${PUID} - USERMAP_GID=${PGID} #- PAPERLESS_USE_SSL command: ["gunicorn", "-b", "0.0.0.0:8000"] labels: - "traefik.enable=true" - "traefik.backend=paperless" # - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefix: /paperless" - "traefik.frontend.rule=Host:paperless.${DOMAINNAME}" - "traefik.port=8000" - "traefik.docker.network=traefik_proxy" - "traefik.frontend.passHostHeader=true" - "traefik.frontend.headers.SSLForceHost=true" - "traefik.frontend.headers.SSLRedirect=true" - 
"traefik.frontend.headers.STSSeconds=315360000" - "traefik.frontend.headers.browserXSSFilter=true" - "traefik.frontend.headers.contentTypeNosniff=true" - "traefik.frontend.headers.forceSTSHeader=true" - "traefik.frontend.headers.SSLHost=paperless.${DOMAINNAME}" - "traefik.frontend.headers.STSIncludeSubdomains=true" - "traefik.frontend.headers.STSPreload=true" - "traefik.frontend.headers.frameDeny=true" - "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex" - "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}" - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181" - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User" - "traefik.frontend.auth.forward.trustForwardHeader=true" paperless_consumer: image: thepaperlessproject/paperless container_name: paperless_consumer restart: always networks: - traefik_proxy depends_on: - paperless volumes: - ${USERDIR}/docker/paperless/data:/usr/src/paperless/data - ${USERDIR}/docker/paperless/media:/usr/src/paperless/media - ${USERDIR}/shared_data/djlujo/files/scans/consume:/consume - ${USERDIR}/shared_data/djlujo/files/scans/export:/export environment: - PAPERLESS_OCR_LANGUAGES=eng hrv - PAPERLESS_PASSPHRASE=${PAPERLESS_PASSWORD} # document encryption - USERMAP_UID=${PUID} - USERMAP_GID=${PGID} command: ["document_consumer"] ######### DNS ########## # create network: # docker network create --subnet 172.28.0.0/16 skynet # healthcheck dig @${PIHOLEIP} google.com # resolv.conf file: # nameserver 127.0.0.1 # nameserver 172.28.0.3 # pihole dns settings - enable listen on all interfaces ## I've added the following blocklist in addition to the standard ones under Settings>Blocklists (copy the link, paste and update) # https://dbl.oisd.nl/ ## More info here: https://www.reddit.com/r/pihole/comments/bppug1/introducing_the/ ## I've added the following whitelist entries (copy domains and paste all at 
once) # https://github.com/anudeepND/whitelist/blob/master/domains/whitelist.txt # https://github.com/anudeepND/whitelist/blob/master/domains/referral-sites.txt ## additional lists here: https://firebog.net/ # Pihole - A black hole for Internet advertisements pihole: container_name: pihole image: pihole/pihole:latest #domainname: ${DOMAINNAME} hostname: pihole restart: always cap_add: - NET_ADMIN - NET_RAW - NET_BIND_SERVICE environment: - TZ=${TZ} - ServerIP=192.168.5.91 - DNS1=172.28.0.3 - DNS2=no - VIRTUAL_HOST=pihole.${DOMAINNAME} - VIRTUAL_PORT=80 - PROXY_LOCATION=pihole - WEBPASSWORD=${KEYCLOAK_PASSWORD} volumes: - ${USERDIR}/docker/pihole:/etc/pihole - ${USERDIR}/docker/pihole/resolv.conf/resolv.conf:/etc/resolv.conf:ro - ${USERDIR}/docker/pihole/pihole.log:/var/log/pihole.log - ${USERDIR}/docker/pihole/dnsmasq.d:/etc/dnsmasq.d ## More info on these scripts here: https://github.com/mmotti - ${USERDIR}/docker/pihole/scripts/fetchFilterLists.sh:/usr/local/bin/fetchFilterLists.sh - ${USERDIR}/docker/pihole/scripts/gravityOptimise.sh:/usr/local/bin/gravityOptimise.sh - ${USERDIR}/docker/pihole/scripts/generateGravityWildcards.sh:/usr/local/bin/generateGravityWildcards.sh - ${USERDIR}/docker/pihole/scripts/cron.d/fetchFilterLists:/etc/cron.d/fetchFilterLists - ${USERDIR}/docker/pihole/scripts/cron.d/gravityOptimise:/etc/cron.d/gravityOptimise - ${USERDIR}/docker/pihole/scripts/cron.d/generateGravityWildcards:/etc/cron.d/generateGravityWildcards dns: - 127.0.0.1 # Sets a backup server of your choosing in case DNSMasq has problems starting - 1.1.1.1 depends_on: - stubby networks: skynet: ipv4_address: 172.28.0.2 ports: # - 53:53/tcp # - 53:53/udp # - 67:67/udp - 8053:80 # - 8183:443 labels: - "traefik.enable=true" - "traefik.frontend.rule=Host:pihole.${DOMAINNAME}" - "traefik.port=80" - "traefik.protocol=http" - "traefik.docker.network=skynet" #resolution_type: GETDNS_RESOLUTION_STUB #dns_transport_list: # NOTE: force forward request over TLS connection. 
#- GETDNS_TRANSPORT_TLS #tls_authentication: GETDNS_AUTHENTICATION_REQUIRED #tls_query_padding_blocksize: 128 #edns_client_subnet_private : 0 #round_robin_upstreams: 1 #idle_timeout: 10000 #listen_addresses: #- 0.0.0.0 #- 0::1 #- 192.168.5.1 # router ip address #dnssec: GETDNS_EXTENSION_TRUE #appdata_dir: "/var/cache/stubby" #upstream_recursive_servers: # NOTE: adjust your needs accordingly. # https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Public+Resolvers # https://raw.githubusercontent.com/getdnsapi/stubby/develop/stubby.yml.example #- address_data: 1.1.1.1 # tls_auth_name: "cloudflare-dns.com" #"dns.google" # Stubby - DNS Privacy stub resolver (using DNS-over-TLS) stubby: image: yegle/stubby-dns:latest container_name: stubby hostname: stubby dns: 127.0.0.1 restart: always volumes: - ${USERDIR}/docker/stubby:/usr/local/etc/stubby networks: skynet: ipv4_address: 172.28.0.3 # Corefile #tls://.:853 https://.:443 { # tls fullchain.pem privkey.pem # forward . 172.28.0.2:53 # forward . dns://172.28.0.2:53 # check this # log # any #} # CoreDNS - DNS server, used here to terminate DoT coredns: image: coredns/coredns container_name: coredns hostname: coredns command: -conf /root/Corefile restart: always environment: - GODEBUG=tls13=1 volumes: - ${USERDIR}/docker/coredns:/root:ro - ${USERDIR}/docker/coredns:/plugin.cfg:ro - ${USERDIR}/docker/shared/letsencrypt/etc/live/${DOMAINNAME}/fullchain.pem:/fullchain.pem:ro - ${USERDIR}/docker/shared/letsencrypt/etc/live/${DOMAINNAME}/privkey.pem:/privkey.pem:ro ports: - target: 853 published: 853 protocol: tcp mode: host labels: - "traefik.enable=false" # OpenVPN server # https://github.com/kylemanna/docker-openvpn/blob/master/docs/docker-compose.md # https://github.com/mr-bolle/docker-openvpn-pihole/blob/master/docker-compose.yml openvpn: image: kylemanna/openvpn container_name: openvpn restart: always cap_add: - NET_ADMIN environment: # - VIRTUAL_PORT=${VIRTUAL_PORT_OPENVPN} # - VIRTUAL_HOST=${VIRTUAL_HOST_OPENVPN} # - 
LETSENCRYPT_HOST=${LETSENCRYPT_HOST_VPN} # - LETSENCRYPT_EMAIL=${LETSENCRYPT_EMAIL} # - OPENVPN_PROVIDER=${OPENVPN_PROVIDER} # - OPENVPN_USERNAME=${OPENVPN_USERNAME} # - OPENVPN_PASSWORD=${OPENVPN_PASSWORD} # - LOCAL_NETWORK=192.168.0.0/24 # - DEBUG=1 OPENVPN_OPTS: --inactive 3600 --ping 10 --ping-exit 60 -–log-driver json-file --log-opt max-size=10m ports: - "1194:1194/udp" volumes: - /etc/localtime:/etc/localtime:ro - /etc/timezone:/etc/timezone:ro - ${USERDIR}/docker/openvpn:/etc/openvpn networks: skynet: ipv4_address: 172.28.0.5 logging: driver: "json-file" options: max-size: "10m" max-file: "3" networks: traefik_proxy: external: name: traefik_proxy keycloak: external: name: keycloak skynet: external: name: skynet ipam: config: - subnet: 172.28.0.0/16 default: driver: bridge