* Several updates 2023_09_24. See full commit log.

* Changed docker-compose-t2-media-db.yml to docker-compose-media-db.yml as this stack was not using Traefik.
* Updated docker and docker compose versions in all stacks.
* Docker extension fields were partially removed in my previous commit. Not its been removed from all my other stacks - due to readability issues.
* Implemented Docker profiles to start and stop cntainers as a group - e.g. those that depend on mounts will be started using a bash script after the mounts become available.
* No use for media-services.txt anymore after implementation of docker profiles.
* Modified start-media-after-boot.sh to reflect the use of docker profiles.
* Added addition PHP extensions to Docekrfile-php7 for my web stack.
* Updated bash_aliases to use docker profiles.
* Added prometheus and influxdb2 metrics for Traefik.
* Exposes socket proxy port 2375 to local network - manage containers from home assistant
* Some changes due to Plex now using media stored on Synology instead of Google Drive (Rclone)
* Added node-exporter and glances to web stack for Grafana monitoring
* Removed crowdsec-blocklists container. Could not find a use.
* Testing mergerfs container on Synology
* Updated traefik to 2.10

.gitignore

@@ -13,7 +13,7 @@
 !docker-compose-t2-synology.yml
 !docker-compose-t2-web.yml
 !docker-compose-npm.yml
-!docker-compose-t2-media-db.yml
+!docker-compose-media-db.yml
 
 !.github
 .github/*

appdata/traefik2/rules/cloudserver/app-hassos-no-auth.yml.example

@@ -0,0 +1,16 @@
+http:
+  routers:
+    hassos-rtr:
+      rule: "Host(`hassos.{{env "DOMAINNAME_CLOUD_SERVER"}}`)" 
+      entryPoints:
+        - https
+      middlewares:
+        - chain-no-auth
+      service: hassos-svc
+      tls:
+        certResolver: dns-cloudflare
+  services:
+    hassos-svc:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.5.90:8123"  # or whatever your external host's IP:port is 

appdata/traefik2/rules/cloudserver/middlewares-chains.yml

@@ -3,7 +3,7 @@ http:
     chain-no-auth:
       chain:
         middlewares:
-          - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec
+          #- middlewares-traefik-bouncer # leave this out if you are not using CrowdSec
           - middlewares-rate-limit
           - middlewares-https-redirectscheme
           - middlewares-secure-headers
@@ -30,7 +30,16 @@ http:
     chain-oauth:
       chain:
         middlewares:
-          - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec        
+          #- middlewares-traefik-bouncer # leave this out if you are not using CrowdSec        
+          - middlewares-rate-limit
+          - middlewares-https-redirectscheme
+          - middlewares-secure-headers
+          - middlewares-oauth
+          - middlewares-compress
+
+    chain-oauth-no-crowdsec:
+      chain:
+        middlewares:
           - middlewares-rate-limit
           - middlewares-https-redirectscheme
           - middlewares-secure-headers

archives/autoindex.yml

@@ -0,0 +1,19 @@
+  # Autoindex - Simple Directory Index
+  autoindex:
+    <<: *common-keys-apps # See EXTENSION FIELDS at the top
+    container_name: autoindex
+    image: dceoy/nginx-autoindex:latest
+    # ports:
+    #   - "$AUTOINDEX_PORT:80"
+    volumes:
+      - /volume1:/var/lib/nginx/html:ro # Location you want to index
+    labels:
+      - "traefik.enable=true"
+      ## HTTP Routers
+      - "traefik.http.routers.autoindex-rtr.entrypoints=https"
+      - "traefik.http.routers.autoindex-rtr.rule=Host(`indexh.$DOMAINNAME0`)"
+      ## Middlewares
+      - "traefik.http.routers.autoindex-rtr.middlewares=chain-oauth@file"
+      ## HTTP Services
+      - "traefik.http.routers.autoindex-rtr.service=autoindex-svc"
+      - "traefik.http.services.autoindex-svc.loadbalancer.server.port=80"

archives/crowdsec-blocklist.yml

@@ -0,0 +1,23 @@
+  # CrowdSec Blocklist Mirror - For PiHole/AdGuard Use
+  # sudo docker exec crowdsec cscli bouncer add cloudflare-bouncer
+  crowdsec-blocklist:
+    image: crowdsecurity/blocklist-mirror
+    container_name: crowdsec-blocklist
+    security_opt:
+      - no-new-privileges:true
+    restart: unless-stopped
+    profiles: ["apps", "all"]
+    networks:
+      - t2_proxy
+    volumes:
+      - $DOCKERDIR/appdata/crowdsec-blocklist/cfg.yaml:/etc/crowdsec/bouncers/crowdsec-blocklist-mirror.yaml
+    labels:
+      - "traefik.enable=true"
+      ## HTTP Routers
+      - "traefik.http.routers.crowdsec-blocklist-rtr.entrypoints=https"
+      - "traefik.http.routers.crowdsec-blocklist-rtr.rule=Host(`blocklist.$DOMAINNAME_SHB`)" # https://domain.com/security/blocklist
+      ## Middlewares
+      - "traefik.http.routers.crowdsec-blocklist-rtr.middlewares=chain-oauth@file"
+      ## HTTP Services
+      - "traefik.http.routers.crowdsec-blocklist-rtr.service=crowdsec-blocklist-svc"
+      - "traefik.http.services.crowdsec-blocklist-svc.loadbalancer.server.port=41412"

archives/firefox.yml

@@ -0,0 +1,35 @@
+  # Firefox - Web Broswer
+  # VNC password not working - check
+  firefox:
+    <<: *common-keys-apps # See EXTENSION FIELDS at the top
+    image: jlesage/firefox:latest
+    container_name: firefox
+    security_opt:
+      - no-new-privileges:true
+      - seccomp:unconfined # October 15, 2020 https://github.com/jlesage/docker-firefox/blob/master/README.md#allowing-the-membarrier-system-call
+    # ports:
+    #   - "$FIREFOX_PORT:5800"
+    volumes:
+      - $DOCKERDIR/appdata/firefox:/config
+      - $DOWNLOADSDIR:/config/Downloads
+      - /dev/shm:/dev/shm
+    environment:
+      USER_ID: $PUID
+      GROUP_ID: $PGID
+      TZ: $TZ
+      UMASK: 002
+      KEEP_APP_RUNNING: 1
+      CLEAN_TMP_DIR: 1
+      DISPLAY_WIDTH: 1600
+      DISPLAY_HEIGHT: 960
+      # VNC_PASSWD: $FIREFOX_VNC_PASSWD # Since OAuth is enabled
+    labels:
+      - "traefik.enable=true"
+      ## HTTP Routers
+      - "traefik.http.routers.firefox-rtr.entrypoints=https"
+      - "traefik.http.routers.firefox-rtr.rule=Host(`firefoxh.$DOMAINNAME0`)"
+      ## Middlewares
+      - "traefik.http.routers.firefox-rtr.middlewares=chain-oauth@file"
+      ## HTTP Services
+      - "traefik.http.routers.firefox-rtr.service=firefox-svc"
+      - "traefik.http.services.firefox-svc.loadbalancer.server.port=5800"

archives/mosquitto.yml

@@ -0,0 +1,19 @@
+  # Mosquitto - MQTT Broker
+  # Create mosquitto.conf, passwd, mosquitto.log files  and set permissions to 775 user:docker
+  # dexec mosquitto /bin/sh -> mosquitto_passwd -b /mosquitto/config/passwd username passwd
+  mosquitto:
+    <<: *common-keys-apps # See EXTENSION FIELDS at the top
+    image: eclipse-mosquitto:latest
+    container_name: mosquitto
+    ports:
+      - "$MOSQUITTO_HTTP_PORT:1883" #http
+      - "9001:9001" #websockets
+      # - "$MOSQUITTO_HTTPS_PORT:8883" #https
+    volumes:
+      - $DOCKERDIR/appdata/mosquitto/config/mosquitto.conf:/mosquitto/config/mosquitto.conf
+      - $DOCKERDIR/appdata/mosquitto/config/passwd:/mosquitto/config/passwd
+      - $DOCKERDIR/shared:/shared
+    environment:
+      PUID: $PUID
+      PGID: $PGID
+      TZ: $TZ

custom/Dockerfile-php7

@@ -8,7 +8,7 @@ ADD https://github.com/mlocati/docker-php-extension-installer/releases/latest/do
 
 
 RUN chmod uga+x /usr/local/bin/install-php-extensions && sync && \
-    install-php-extensions gd mysqli pdo_mysql opcache imagick exif zip mcrypt pspell redis sockets ssh2 bcmath intl
+    install-php-extensions gd mysqli pdo_mysql opcache imagick exif zip mcrypt pspell redis sockets ssh2 bcmath intl calendar
 
 # ADDED AUGUST 18, 2022 BECAUSE ERRORS IN PHP7 DOCKER LOGS TO INCREASE MAX_CHILDREN
 # https://serverfault.com/questions/884256/how-and-where-to-configure-pm-max-children-for-php-fpm-with-docker

docker-compose-t2-media-db.yml → docker-compose-media-db.yml

@@ -54,12 +54,13 @@ services:
       - default
     security_opt:
       - no-new-privileges:true
-    restart: unless-stopped
+    restart: "no"
+    profiles: ["media", "all"]
     volumes:
       - $DOCKERDIR/appdata/airsonic/podcasts:/data/podcasts
       - $DOCKERDIR/appdata/airsonic/playlists:/data/playlists
       - $DOCKERDIR/appdata/airsonic/config:/config
-      - $EXTDIR/ssd/home-server/local/music:/data/music
+      - $DATADIR/media/music:/data/music
     ports:
       - "4040:4040"
     environment:
@@ -76,7 +77,8 @@ services:
       - default
     security_opt:
       - no-new-privileges:true
-    restart: unless-stopped
+    restart: "no"
+    profiles: ["media", "all"]
     user: $PUID:$PGID
     devices:
       - /dev/dri:/dev/dri # for harware transcoding
@@ -100,7 +102,8 @@ services:
       - default
     security_opt:
       - no-new-privileges:true
-    restart: unless-stopped
+    restart: "no"
+    profiles: ["media", "all"]
     devices:
       - /dev/dri:/dev/dri # for harware transcoding
     ports:
@@ -117,7 +120,7 @@ services:
     volumes:
       - $DOCKERDIR/appdata/plex:/config
       - $DATADIR/media:/data/media
-      # - $DATADIR/nas_media:/data/nas_media
+      # - $DATADIR/media:/data/media
       - $EXTDIR/ssd/home-server/downloads:/data/downloads
       - /dev/shm:/data/transcode # Offload transcoding to RAM if you have enough RAM
     environment:
@@ -143,6 +146,7 @@ services:
     security_opt:
       - no-new-privileges:true
     restart: unless-stopped
+    profiles: ["dbs", "all"]
     ports:
       - "3306:3306"
     volumes:
@@ -164,6 +168,7 @@ services:
     security_opt:
       - no-new-privileges:true
     restart: unless-stopped
+    profiles: ["dbs", "all"]
     ports:
       - "9090:9090"
     volumes:
@@ -187,12 +192,15 @@ services:
     security_opt:
       - no-new-privileges:true
     restart: unless-stopped
+    profiles: ["dbs", "all"]
     ports:
       - "8086:8086"
     volumes:
       - $DOCKERDIR/appdata/influxdb2/config:/etc/influxdb2
       - $DOCKERDIR/appdata/influxdb2/db:/var/lib/influxdb2
 
+  ############################# DATABASE
+
   # Node Exporter - Metrics to Prometheus
   node-exporter:
     container_name: node-exporter