From 89aaad7b8a3cf3aeeb404415a7c98c4f70a3bab3 Mon Sep 17 00:00:00 2001
From: SmartHomeBeginner
Date: Fri, 21 Aug 2020 07:25:51 -0400
Subject: [PATCH] Downgraded synology watchtower docker api to 1.39 (max supported). Added some comments.
---
 CHANGELOG.md | 3 +-
 docker-compose-t2-obsolete.yml | 101 +++++++++++++++++++++++----------
 docker-compose-t2-synology.yml | 28 ++++-----
 docker-compose-t2-web.yml | 38 +------------
 docker-compose-t2.yml | 54 +++++++++---------
 5 files changed, 113 insertions(+), 111 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3b5fcdb..143f942 100755
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,8 +9,9 @@
 - implement secrets and remove variables from .env
 ## August 20, 2020
+
 - Replaced Ouroboros with Watchtower
-- Changed Docker-Socket-Proxy from tecnativa to fluencelabs image - More granualirity on permissions
+- Changed Docker-Socket-Proxy from tecnativa to fluencelabs image - More granularity on permissions
 ## August 17, 2020
diff --git a/docker-compose-t2-obsolete.yml b/docker-compose-t2-obsolete.yml
index ec8a332..ed02d62 100755
--- a/docker-compose-t2-obsolete.yml
+++ b/docker-compose-t2-obsolete.yml
@@ -254,37 +254,6 @@ services:
     - PGID=$PGID
     - TZ=$TZ
-  # Watchtower - Automatic Docker Container Updates
-  # creating config.json https://github.com/containrrr/watchtower/issues/99
-  watchtower:
-    image: containrrr/watchtower
-    container_name: watchtower
-    restart: unless-stopped
-    networks:
-      - socket_proxy
-      - t2_proxy
-    # depends_on:
-    #   - socket-proxy
-    volumes:
-      # - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy instead for improved security
-      - $DOCKERDIR/watchtower/config.json:/config.json # Only needed for private registries
-    environment:
-      - TZ=$TZ
-      # - WATCHTOWER_CLEANUP=true # Cleanup old images
-      - DOCKER_HOST=tcp://socket-proxy:2375
-      # - WATCHTOWER_INCLUDE_STOPPED=false
-      - WATCHTOWER_NOTIFICATIONS_LEVEL=info # panic, fatal, error, warn, info (default), debug or trace
-      # - WATCHTOWER_POLL_INTERVAL=60 # 1 week in seconds 604800
-      # - WATCHTOWER_SCHEDULE=0 0 1 * * SUN # Every Sunday at 1 am
-      - WATCHTOWER_RUN_ONCE=true
-      - WATCHTOWER_MONITOR_ONLY=true
-      # - WATCHTOWER_LABEL_ENABLE=true
-      - WATCHTOWER_DEBUG=true
-      # - WATCHTOWER_NOTIFICATIONS=shoutrrr
-      # - WATCHTOWER_NOTIFICATION_URL="telegram://$TGRAM_BOT_TOKEN@$TGRAM_CHAT_ID"
-    labels:
-      - "com.centurylinklabs.watchtower.enable=true" # Add this to services to enable updates
-
   # SmokePing - Network latency Monitoring
   smokeping:
     image: linuxserver/smokeping:latest
@@ -381,3 +350,73 @@ services:
         ## HTTP Services
       - "traefik.http.routers.unifi-rtr.service=unifi-svc"
       - "traefik.http.services.unifi-svc.loadbalancer.server.port=8443"
+
+  # Ouroboros - Automatic Docker Container Updates
+  ouroboros:
+    image: pyouroboros/ouroboros:latest
+    container_name: ouroboros
+    restart: unless-stopped
+    networks:
+      - default
+      - socket_proxy
+    # depends_on:
+    #   - socket-proxy
+    volumes:
+      # - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy instead for improved security
+      - $DOCKERDIR/ouroboros/config.json:/root/.docker/config.json:ro
+    environment:
+      TZ: $TZ
+      INTERVAL: 86400
+      LOG_LEVEL: info
+      SELF_UPDATE: "true"
+      CLEANUP: "true"
+      IGNORE: traefik influxdb hassio_dns homeassistant hassio_supervisor addon_core_check_config addon_62c7908d_autobackup plexms
+      NOTIFIERS: "tgram://$TGRAM_BOT_TOKEN/$TGRAM_CHAT_ID/"
+      DOCKER_SOCKETS: tcp://socket-proxy:2375 # POST to be enabled on Socket Proxy
+
+  # Docker Socket Proxy - Security Enchanced Proxy for Docker Socket
+  socket-proxy:
+    container_name: socket-proxy
+    image: tecnativa/docker-socket-proxy
+    restart: always
+    networks:
+      # t2_proxy:
+      socket_proxy:
+        ipv4_address: 192.168.91.254 # You can specify a static IP
+    privileged: true
+    ports:
+      - "2375:2375"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock"
+    environment:
+      - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
+      ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
+      # 0 to revoke access.
+      # 1 to grant access.
+      ## Granted by Default
+      - EVENTS=1
+      - PING=1
+      - VERSION=1
+      ## Revoked by Default
+      # Security critical
+      - AUTH=0
+      - SECRETS=0
+      - POST=1 # Ouroboros
+      # Not always needed
+      - BUILD=0
+      - COMMIT=0
+      - CONFIGS=0
+      - CONTAINERS=1 # Traefik, portainer, etc.
+      - DISTRIBUTION=0
+      - EXEC=0
+      - IMAGES=1 # Portainer
+      - INFO=1 # Portainer
+      - NETWORKS=1 # Portainer
+      - NODES=0
+      - PLUGINS=0
+      - SERVICES=1 # Portainer
+      - SESSION=0
+      - SWARM=0
+      - SYSTEM=0
+      - TASKS=1 # Portaienr
+      - VOLUMES=1 # Portainer
diff --git a/docker-compose-t2-synology.yml b/docker-compose-t2-synology.yml
index a7c5266..fa0b4cc 100755
--- a/docker-compose-t2-synology.yml
+++ b/docker-compose-t2-synology.yml
@@ -30,6 +30,7 @@ services:
   # Docker Socket Proxy - Security Enchanced Proxy for Docker Socket
   socket-proxy:
     container_name: socket-proxy
+    hostname: synology-soc
     image: fluencelabs/docker-socket-proxy
     restart: always
     networks:
@@ -53,7 +54,7 @@ services:
       - SECRETS=0
       - POST=1 # Watchtower
       - DELETE=1 # Watchtower
-      # GET Optons
+      # GET Optons
       - BUILD=0
       - COMMIT=0
       - CONFIGS=0
@@ -72,13 +73,12 @@ services:
       - TASKS=1 # Portaienr
       - VOLUMES=1 # Portainer
       # POST Options
-      - CONTAINERS_CREATE=1 # WatchTower
-      - CONTAINERS_START=1 # WatchTower
-      - CONTAINERS_UPDATE=1 # WatchTower
+      - CONTAINERS_CREATE=1 # WatchTower
+      - CONTAINERS_START=1 # WatchTower
+      - CONTAINERS_UPDATE=1 # WatchTower
       # DELETE Options
-      - CONTAINERS_DELETE=1 # WatchTower
-      - IMAGES_DELETE=1 # WatchTower
-
+      - CONTAINERS_DELETE=1 # WatchTower
+      - IMAGES_DELETE=1 # WatchTower
   # Portainer - WebUI for Containers
   portainer:
@@ -231,8 +231,8 @@ services:
   ############################# MAINTENANCE
-  # WatchTower - Automatic Docker Container Updates
-  watchtower:
+  # WatchTower - Automatic Docker Container Updates
+  watchtower:
     image: containrrr/watchtower
     container_name: watchtower
     restart: unless-stopped
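Review bot: The socket-proxy stanza added in the `@@ -381,3 +350,73 @@` hunk of docker-compose-t2-obsolete.yml publishes the proxied Docker API on the host with `ports:` / `- "2375:2375"` while granting `POST=1`, `CONTAINERS=1` and `IMAGES=1`; ouroboros already reaches it over the `socket_proxy` network via `DOCKER_SOCKETS: tcp://socket-proxy:2375`, so the host port only serves to hand anyone who can reach port 2375 on the Docker host unauthenticated container create/start rights, which is equivalent to control of the host. Dropping the two `ports:` lines (or commenting them out as `# ports:` / `#   - "2375:2375"`) keeps the proxy reachable only from the compose network. `privileged: true` also looks unnecessary for a container whose only host access is the socket bind mount — confirm against the tecnativa image's documentation before removing it. If the file is a deliberate archive of the old layout, a comment such as `# Kept for reference only; do not deploy` above the stanza would stop it being copied back into a live file.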
@@ -242,17 +242,17 @@ services:
     depends_on:
       - socket-proxy
     environment:
-      TZ: ${TZ}
+      TZ: $TZ
       WATCHTOWER_CLEANUP: "true"
       WATCHTOWER_REMOVE_VOLUMES: "true"
       WATCHTOWER_INCLUDE_STOPPED: "true"
-      WATCHTOWER_NO_STARTUP_MESSAGE: "true"
-      WATCHTOWER_SCHEDULE: "0 30 12 * * *" # Everyday at 12:30
+      WATCHTOWER_NO_STARTUP_MESSAGE: "false"
+      WATCHTOWER_SCHEDULE: "0 30 1 * * *" # Everyday at 1:30
       WATCHTOWER_NOTIFICATIONS: shoutrrr
-      WATCHTOWER_NOTIFICATION_URL: "telegram://${TGRAM_BOT_TOKEN}@telegram?channels=${TGRAM_CHAT_ID}"
+      WATCHTOWER_NOTIFICATION_URL: "telegram://$TGRAM_BOT_TOKEN@telegram?channels=$TGRAM_CHAT_ID"
       WATCHTOWER_NOTIFICATIONS_LEVEL: info
       DOCKER_HOST: tcp://socket-proxy:2375
-      DOCKER_API_VERSION: "1.40"
+      DOCKER_API_VERSION: "1.39"
   # Docker-GC - Automatic Docker Garbage Collection
   # Create docker-gc-exclude file
diff --git a/docker-compose-t2-web.yml b/docker-compose-t2-web.yml
index 72597a8..107760d 100644
--- a/docker-compose-t2-web.yml
+++ b/docker-compose-t2-web.yml
@@ -390,7 +390,7 @@ services:
       - "traefik.enable=true"
       ## HTTP Routers SHB
       - "traefik.http.routers.nginx-shb-rtr.entrypoints=https"
-      - "traefik.http.routers.nginx-shb-rtr.rule=HostHeader(`shb20.$DOMAINNAME`)"
+      - "traefik.http.routers.nginx-shb-rtr.rule=HostHeader(`www.$DOMAINNAME`)"
       ## HTTP Routers SHB
       - "traefik.http.routers.nginx-dash-rtr.entrypoints=https"
       - "traefik.http.routers.nginx-dash-rtr.rule=HostHeader(`dash.$DOMAINNAME`)"
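Review bot: The rewritten `WATCHTOWER_NOTIFICATION_URL` line in the synology watchtower hunk still places `$TGRAM_BOT_TOKEN` in the container environment, where `docker inspect` returns it in clear, and the socket proxy in this same file grants `CONTAINERS=1` to Portainer (per the inline comments in the `@@ -72,13 +73,12 @@` hunk), so anyone who can read container details through the proxy can read the bot token. The identical line in the docker-compose-t2.yml hunk at `@@ -1806,14 +1804,14 @@` and `ST_TELEGRAM_BOT_TOKEN: $TGRAM_BOT_TOKEN` in the `@@ -1788,9 +1786,9 @@` hunk have the same exposure. The CHANGELOG hunk appears to list "implement secrets and remove variables from .env" as pending work; until that lands, a comment such as `# NOTE: bot token is readable via docker inspect / CONTAINERS=1 on socket-proxy` beside the URL records the trade-off. Separately, `# Everyday at 1:30` now matches the new cron here while docker-compose-t2.yml keeps `12:30` — confirm the two files are meant to diverge.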
@@ -429,44 +429,8 @@ services:
       - $DOCKERDIR/sites/khub/html:/var/www/html/khub
       - $DOCKERDIR/sites/dash/html:/var/www/html/dash
-  # Memcached - Object Cache
-  memcached:
-    container_name: memcached
-    image: memcached:alpine
-    restart: unless-stopped
-    networks:
-      - t2_proxy
-
   ########################### MONITORING
-  # cAdvisor - Container Advisor
-  cadvisor:
-    image: gcr.io/google-containers/cadvisor:latest
-    container_name: cadvisor
-    restart: unless-stopped
-    networks:
-      - t2_proxy
-    #ports:
-    #  - 8080:8080
-    volumes:
-      - /:/rootfs:ro
-      - /var/run:/var/run:rw
-      - /sys:/sys:ro
-      - /var/lib/docker/:/var/lib/docker:ro
-    #depends_on:
-    #  - redis
-    # privileged: true # Only needed for CentOS, Fedora, Red Hat, etc.
-    labels:
-      - "traefik.enable=true"
-      ## HTTP Routers
-      - "traefik.http.routers.cadvisor-rtr.entrypoints=https"
-      - "traefik.http.routers.cadvisor-rtr.rule=HostHeader(`cad.$DOMAINNAME`)"
-      ## Middlewares
-      - "traefik.http.routers.cadvisor-rtr.middlewares=chain-authelia@file"
-      ## HTTP Services
-      - "traefik.http.routers.cadvisor-rtr.service=cadvisor-svc"
-      - "traefik.http.services.cadvisor-svc.loadbalancer.server.port=8080"
-
   # Glances - System Information
   glances:
     image: nicolargo/glances:latest
diff --git a/docker-compose-t2.yml b/docker-compose-t2.yml
index 6c8b645..6fdb206 100755
--- a/docker-compose-t2.yml
+++ b/docker-compose-t2.yml
@@ -161,8 +161,6 @@ services:
       - "traefik.http.routers.traefik-rtr.service=api@internal"
       ## Middlewares
       - "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file"
-      ## Exclude From Watchtower
-      - "com.centurylinklabs.watchtower.enable=false"
   # Traefik - Custom Error Pages
   traefik-error-pages:
@@ -215,7 +213,7 @@ services:
       - SECRETS=0
       - POST=1 # Watchtower
       - DELETE=1 # Watchtower
-      # GET Optons
+      # GET Optons
       - BUILD=0
       - COMMIT=0
       - CONFIGS=0
@@ -234,12 +232,12 @@ services:
       - TASKS=1 # Portaienr
       - VOLUMES=1 # Portainer
       # POST Options
-      - CONTAINERS_CREATE=1 # WatchTower
-      - CONTAINERS_START=1 # WatchTower
-      - CONTAINERS_UPDATE=1 # WatchTower
+      - CONTAINERS_CREATE=1 # WatchTower
+      - CONTAINERS_START=1 # WatchTower
+      - CONTAINERS_UPDATE=1 # WatchTower
       # DELETE Options
-      - CONTAINERS_DELETE=1 # WatchTower
-      - IMAGES_DELETE=1 # WatchTower
+      - CONTAINERS_DELETE=1 # WatchTower
+      - IMAGES_DELETE=1 # WatchTower
   # Google OAuth - Single Sign On using OAuth 2.0
   # https://hub.docker.com/r/thomseddon/traefik-forward-auth
@@ -428,12 +426,12 @@ services:
       - /dev/ttyACM0:/dev/ttyACM0
     privileged: true
     volumes:
-      - ${USERDIR}/docker/homeassistant:/config
+      - $USERDIR/docker/homeassistant:/config
       - /etc/localtime:/etc/localtime:ro
     environment:
-      - PUID=${PUID}
-      - PGID=${PGID}
-      - TZ=${TZ}
+      - PUID=$PUID
+      - PGID=$PGID
+      - TZ=$TZ
     labels:
       ## Exclude From Watchtower
       - "com.centurylinklabs.watchtower.enable=false"
@@ -457,14 +455,14 @@ services:
       mode: host
     privileged: true
     volumes:
-      - ${USERDIR}/docker/hassio/homeassistant:/config
+      - $USERDIR/docker/hassio/homeassistant:/config
       - /etc/localtime:/etc/localtime:ro
-      - ${USERDIR}/docker/shared:/shared
-      - ${USERDIR}/docker/open-zwave:/open-zwave
+      - $USERDIR/docker/shared:/shared
+      - $USERDIR/docker/open-zwave:/open-zwave
     environment:
-      - PUID=${PUID}
-      - PGID=${PGID}
-      - TZ=${TZ}
+      - PUID=$PUID
+      - PGID=$PGID
+      - TZ=$TZ
     labels:
       ## Exclude From Watchtower
       - "com.centurylinklabs.watchtower.enable=false"
@@ -1114,8 +1112,6 @@ services:
       ## HTTP Services
       - "traefik.http.routers.plexms-rtr.service=plexms-svc"
       - "traefik.http.services.plexms-svc.loadbalancer.server.port=32400"
-      ## Exclude From Watchtower
-      - "com.centurylinklabs.watchtower.enable=false"
   # Emby - Media Server
   embyms:
@@ -1781,6 +1777,8 @@ services:
       - "traefik.http.routers.vscode-rtr.service=vscode-svc"
       - "traefik.http.services.vscode-svc.loadbalancer.server.port=8080"
+  # SMTP to Telegram - Send SMTP Notifications as Telegram Message
+  # Use case: https://github.com/htpcBeginner/docker-traefik/issues/78
   smtp_to_telegram:
     image: kostyaesmukov/smtp_to_telegram
     container_name: smtp_to_telegram
@@ -1788,9 +1786,9 @@ services:
     networks:
       - default
     environment:
-      TZ: ${TZ}
-      ST_TELEGRAM_CHAT_IDS: ${TGRAM_CHAT_ID}
-      ST_TELEGRAM_BOT_TOKEN: ${TGRAM_BOT_TOKEN}
+      TZ: $TZ
+      ST_TELEGRAM_CHAT_IDS: $TGRAM_CHAT_ID
+      ST_TELEGRAM_BOT_TOKEN: $TGRAM_BOT_TOKEN
       ST_TELEGRAM_MESSAGE_TEMPLATE: "{subject}\\n{body}"
   ############################# MAINTENANCE
@@ -1806,14 +1804,14 @@ services:
     depends_on:
       - socket-proxy
     environment:
-      TZ: ${TZ}
+      TZ: $TZ
       WATCHTOWER_CLEANUP: "true"
       WATCHTOWER_REMOVE_VOLUMES: "true"
       WATCHTOWER_INCLUDE_STOPPED: "true"
-      WATCHTOWER_NO_STARTUP_MESSAGE: "true"
+      WATCHTOWER_NO_STARTUP_MESSAGE: "false"
       WATCHTOWER_SCHEDULE: "0 30 12 * * *" # Everyday at 12:30
       WATCHTOWER_NOTIFICATIONS: shoutrrr
-      WATCHTOWER_NOTIFICATION_URL: "telegram://${TGRAM_BOT_TOKEN}@telegram?channels=${TGRAM_CHAT_ID}"
+      WATCHTOWER_NOTIFICATION_URL: "telegram://$TGRAM_BOT_TOKEN@telegram?channels=$TGRAM_CHAT_ID"
       WATCHTOWER_NOTIFICATIONS_LEVEL: info
       DOCKER_HOST: tcp://socket-proxy:2375
       DOCKER_API_VERSION: "1.40"
@@ -1876,8 +1874,8 @@ services:
       - TIMEZONE=$TZ
       - TRAEFIK_VERSION=2
       - CF_EMAIL=$CLOUDFLARE_EMAIL # Same as traefik
-      - CF_TOKEN=$CLOUDFLARE_API_TOKEN # Scoped api token not working. Error 10000.
-      # - CF_TOKEN=$CLOUDFLARE_API_KEY # Same as traefik
+      # - CF_TOKEN=$CLOUDFLARE_API_TOKEN # Scoped api token not working. Error 10000.
+      - CF_TOKEN=$CLOUDFLARE_API_KEY # Same as traefik
       - TARGET_DOMAIN=$DOMAINNAME
       - DOMAIN1=$DOMAINNAME
       - DOMAIN1_ZONE_ID=$CLOUDFLARE_ZONEID # Copy from Cloudflare Overview page
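Review bot: The watchtower environment in the `@@ -1806,14 +1804,14 @@` hunk keeps `WATCHTOWER_CLEANUP`, `WATCHTOWER_REMOVE_VOLUMES` and `WATCHTOWER_INCLUDE_STOPPED` at `"true"`, and the same commit deletes `com.centurylinklabs.watchtower.enable=false` from the traefik service (`@@ -161,8 +161,6 @@`) and from plexms (`@@ -1114,8 +1112,6 @@`), so the edge proxy that terminates TLS and fronts the authelia chain is now replaced unattended at the scheduled time whenever its image tag moves. Nothing in the hunk or the commit message records that this widening is intended, and a bad upstream tag would take every routed service down at once. If auto-updating Traefik is the goal, a comment next to `WATCHTOWER_CLEANUP` such as `# NOTE: traefik and plexms are now in scope (exclusion labels removed 2020-08-21)` makes the blast radius explicit; otherwise restoring the two `## Exclude From Watchtower` lines on traefik is the safer default. The traefik image line sits outside these hunks, so whether it is pinned to a minor version or floats on `latest` cannot be confirmed here.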
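Review bot: Switching the live `CF_TOKEN` line in the `@@ -1876,8 +1874,8 @@` hunk from `$CLOUDFLARE_API_TOKEN` to `$CLOUDFLARE_API_KEY` gives the DDNS container the account-wide Global API Key (paired with `CF_EMAIL`), so a compromise of that container, or a read of its environment through the socket proxy's `CONTAINERS=1` grant, yields control of every zone on the account instead of DNS edits on one zone. The kept comment `Scoped api token not working. Error 10000.` is consistent with an authentication or permission problem on the token rather than a need for the global key; a token scoped to this zone with DNS edit and zone read permissions is what a DNS updater typically needs, but confirm the exact set against the image's documentation. Until that is resolved, a marker on the new line such as `- CF_TOKEN=$CLOUDFLARE_API_KEY # TODO: global key = full account access; replace with zone-scoped token` keeps the temporary widening visible.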