Downgraded synology watchtower docker api to 1.39 (max supported). Ad…

…ded some comments.

CHANGELOG.md

@@ -9,8 +9,9 @@
 - implement secrets and remove variables from .env
 
 ## August 20, 2020
+
 - Replaced Ouroboros with Watchtower
-- Changed Docker-Socket-Proxy from tecnativa to fluencelabs image - More granualirity on permissions
+- Changed Docker-Socket-Proxy from tecnativa to fluencelabs image - More granularity on permissions
 
 ## August 17, 2020
 

docker-compose-t2-obsolete.yml

@@ -254,37 +254,6 @@ services:
       - PGID=$PGID
       - TZ=$TZ
 
-  # Watchtower - Automatic Docker Container Updates
-  # creating config.json https://github.com/containrrr/watchtower/issues/99
-  watchtower:
-    image: containrrr/watchtower
-    container_name: watchtower
-    restart: unless-stopped
-    networks:
-      - socket_proxy
-      - t2_proxy
-    # depends_on:
-    #  - socket-proxy
-    volumes:
-      # - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy instead for improved security
-      - $DOCKERDIR/watchtower/config.json:/config.json # Only needed for private registries
-    environment:
-      - TZ=$TZ
-      # - WATCHTOWER_CLEANUP=true # Cleanup old images
-      - DOCKER_HOST=tcp://socket-proxy:2375
-      # - WATCHTOWER_INCLUDE_STOPPED=false
-      - WATCHTOWER_NOTIFICATIONS_LEVEL=info # panic, fatal, error, warn, info (default), debug or trace
-      # - WATCHTOWER_POLL_INTERVAL=60 # 1 week in seconds 604800
-      # - WATCHTOWER_SCHEDULE=0 0 1 * * SUN # Every Sunday at 1 am
-      - WATCHTOWER_RUN_ONCE=true
-      - WATCHTOWER_MONITOR_ONLY=true
-      # - WATCHTOWER_LABEL_ENABLE=true
-      - WATCHTOWER_DEBUG=true
-      # - WATCHTOWER_NOTIFICATIONS=shoutrrr
-      # - WATCHTOWER_NOTIFICATION_URL="telegram://$TGRAM_BOT_TOKEN@$TGRAM_CHAT_ID"
-    labels:
-      - "com.centurylinklabs.watchtower.enable=true" # Add this to services to enable updates
-
   # SmokePing - Network latency Monitoring
   smokeping:
     image: linuxserver/smokeping:latest
@@ -381,3 +350,73 @@ services:
       ## HTTP Services
       - "traefik.http.routers.unifi-rtr.service=unifi-svc"
       - "traefik.http.services.unifi-svc.loadbalancer.server.port=8443"
+
+  # Ouroboros - Automatic Docker Container Updates
+  ouroboros:
+    image: pyouroboros/ouroboros:latest
+    container_name: ouroboros
+    restart: unless-stopped
+    networks:
+      - default
+      - socket_proxy
+    # depends_on:
+    #  - socket-proxy
+    volumes:
+      # - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy instead for improved security
+      - $DOCKERDIR/ouroboros/config.json:/root/.docker/config.json:ro
+    environment:
+      TZ: $TZ
+      INTERVAL: 86400
+      LOG_LEVEL: info
+      SELF_UPDATE: "true"
+      CLEANUP: "true"
+      IGNORE: traefik influxdb hassio_dns homeassistant hassio_supervisor addon_core_check_config addon_62c7908d_autobackup plexms
+      NOTIFIERS: "tgram://$TGRAM_BOT_TOKEN/$TGRAM_CHAT_ID/"
+      DOCKER_SOCKETS: tcp://socket-proxy:2375 # POST to be enabled on Socket Proxy
+
+  # Docker Socket Proxy - Security Enchanced Proxy for Docker Socket
+  socket-proxy:
+    container_name: socket-proxy
+    image: tecnativa/docker-socket-proxy
+    restart: always
+    networks:
+      # t2_proxy:
+      socket_proxy:
+        ipv4_address: 192.168.91.254 # You can specify a static IP
+    privileged: true
+    ports:
+      - "2375:2375"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock"
+    environment:
+      - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
+      ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
+      # 0 to revoke access.
+      # 1 to grant access.
+      ## Granted by Default
+      - EVENTS=1
+      - PING=1
+      - VERSION=1
+      ## Revoked by Default
+      # Security critical
+      - AUTH=0
+      - SECRETS=0
+      - POST=1 # Ouroboros
+      # Not always needed
+      - BUILD=0
+      - COMMIT=0
+      - CONFIGS=0
+      - CONTAINERS=1 # Traefik, portainer, etc.
+      - DISTRIBUTION=0
+      - EXEC=0
+      - IMAGES=1 # Portainer
+      - INFO=1 # Portainer
+      - NETWORKS=1 # Portainer
+      - NODES=0
+      - PLUGINS=0
+      - SERVICES=1 # Portainer
+      - SESSION=0
+      - SWARM=0
+      - SYSTEM=0
+      - TASKS=1 # Portaienr
+      - VOLUMES=1 # Portainer

docker-compose-t2-synology.yml

@@ -30,6 +30,7 @@ services:
   # Docker Socket Proxy - Security Enchanced Proxy for Docker Socket
   socket-proxy:
     container_name: socket-proxy
+    hostname: synology-soc
     image: fluencelabs/docker-socket-proxy
     restart: always
     networks:
@@ -53,7 +54,7 @@ services:
       - SECRETS=0
       - POST=1 # Watchtower
       - DELETE=1 # Watchtower
-       # GET Optons
+        # GET Optons
       - BUILD=0
       - COMMIT=0
       - CONFIGS=0
@@ -72,13 +73,12 @@ services:
       - TASKS=1 # Portaienr
       - VOLUMES=1 # Portainer
       # POST Options
-      - CONTAINERS_CREATE=1   # WatchTower
-      - CONTAINERS_START=1    # WatchTower
-      - CONTAINERS_UPDATE=1   # WatchTower
+      - CONTAINERS_CREATE=1 # WatchTower
+      - CONTAINERS_START=1 # WatchTower
+      - CONTAINERS_UPDATE=1 # WatchTower
       # DELETE Options
-      - CONTAINERS_DELETE=1   # WatchTower
-      - IMAGES_DELETE=1       # WatchTower
-
+      - CONTAINERS_DELETE=1 # WatchTower
+      - IMAGES_DELETE=1 # WatchTower
 
   # Portainer - WebUI for Containers
   portainer:
@@ -231,8 +231,8 @@ services:
 
   ############################# MAINTENANCE
 
-   # WatchTower - Automatic Docker Container Updates
-   watchtower:
+  # WatchTower - Automatic Docker Container Updates
+  watchtower:
     image: containrrr/watchtower
     container_name: watchtower
     restart: unless-stopped
@@ -242,17 +242,17 @@ services:
     depends_on:
       - socket-proxy
     environment:
-      TZ: ${TZ}
+      TZ: $TZ
       WATCHTOWER_CLEANUP: "true"
       WATCHTOWER_REMOVE_VOLUMES: "true"
       WATCHTOWER_INCLUDE_STOPPED: "true"
-      WATCHTOWER_NO_STARTUP_MESSAGE: "true"
-      WATCHTOWER_SCHEDULE: "0 30 12 * * *" # Everyday at 12:30
+      WATCHTOWER_NO_STARTUP_MESSAGE: "false"
+      WATCHTOWER_SCHEDULE: "0 30 1 * * *" # Everyday at 1:30
       WATCHTOWER_NOTIFICATIONS: shoutrrr
-      WATCHTOWER_NOTIFICATION_URL: "telegram://${TGRAM_BOT_TOKEN}@telegram?channels=${TGRAM_CHAT_ID}"
+      WATCHTOWER_NOTIFICATION_URL: "telegram://$TGRAM_BOT_TOKEN@telegram?channels=$TGRAM_CHAT_ID"
       WATCHTOWER_NOTIFICATIONS_LEVEL: info
       DOCKER_HOST: tcp://socket-proxy:2375
-      DOCKER_API_VERSION: "1.40"
+      DOCKER_API_VERSION: "1.39"
 
   # Docker-GC - Automatic Docker Garbage Collection
   # Create docker-gc-exclude file

docker-compose-t2-web.yml

@@ -390,7 +390,7 @@ services:
       - "traefik.enable=true"
       ## HTTP Routers SHB
       - "traefik.http.routers.nginx-shb-rtr.entrypoints=https"
-      - "traefik.http.routers.nginx-shb-rtr.rule=HostHeader(`shb20.$DOMAINNAME`)"
+      - "traefik.http.routers.nginx-shb-rtr.rule=HostHeader(`www.$DOMAINNAME`)"
       ## HTTP Routers SHB
       - "traefik.http.routers.nginx-dash-rtr.entrypoints=https"
       - "traefik.http.routers.nginx-dash-rtr.rule=HostHeader(`dash.$DOMAINNAME`)"
@@ -429,44 +429,8 @@ services:
       - $DOCKERDIR/sites/khub/html:/var/www/html/khub
       - $DOCKERDIR/sites/dash/html:/var/www/html/dash
 
-  # Memcached - Object Cache
-  memcached:
-    container_name: memcached
-    image: memcached:alpine
-    restart: unless-stopped
-    networks:
-      - t2_proxy
-
   ########################### MONITORING
 
-  # cAdvisor - Container Advisor
-  cadvisor:
-    image: gcr.io/google-containers/cadvisor:latest
-    container_name: cadvisor
-    restart: unless-stopped
-    networks:
-      - t2_proxy
-    #ports:
-    #  - 8080:8080
-    volumes:
-      - /:/rootfs:ro
-      - /var/run:/var/run:rw
-      - /sys:/sys:ro
-      - /var/lib/docker/:/var/lib/docker:ro
-    #depends_on:
-    #  - redis
-    # privileged: true # Only needed for CentOS, Fedora, Red Hat, etc.
-    labels:
-      - "traefik.enable=true"
-      ## HTTP Routers
-      - "traefik.http.routers.cadvisor-rtr.entrypoints=https"
-      - "traefik.http.routers.cadvisor-rtr.rule=HostHeader(`cad.$DOMAINNAME`)"
-      ## Middlewares
-      - "traefik.http.routers.cadvisor-rtr.middlewares=chain-authelia@file"
-      ## HTTP Services
-      - "traefik.http.routers.cadvisor-rtr.service=cadvisor-svc"
-      - "traefik.http.services.cadvisor-svc.loadbalancer.server.port=8080"
-
   # Glances - System Information
   glances:
     image: nicolargo/glances:latest

docker-compose-t2.yml

@@ -161,8 +161,6 @@ services:
       - "traefik.http.routers.traefik-rtr.service=api@internal"
       ## Middlewares
       - "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file"
-      ## Exclude From Watchtower
-      - "com.centurylinklabs.watchtower.enable=false"
 
   # Traefik - Custom Error Pages
   traefik-error-pages:
@@ -215,7 +213,7 @@ services:
       - SECRETS=0
       - POST=1 # Watchtower
       - DELETE=1 # Watchtower
-       # GET Optons
+        # GET Optons
       - BUILD=0
       - COMMIT=0
       - CONFIGS=0
@@ -234,12 +232,12 @@ services:
       - TASKS=1 # Portaienr
       - VOLUMES=1 # Portainer
       # POST Options
-      - CONTAINERS_CREATE=1   # WatchTower
-      - CONTAINERS_START=1    # WatchTower
-      - CONTAINERS_UPDATE=1   # WatchTower
+      - CONTAINERS_CREATE=1 # WatchTower
+      - CONTAINERS_START=1 # WatchTower
+      - CONTAINERS_UPDATE=1 # WatchTower
       # DELETE Options
-      - CONTAINERS_DELETE=1   # WatchTower
-      - IMAGES_DELETE=1       # WatchTower
+      - CONTAINERS_DELETE=1 # WatchTower
+      - IMAGES_DELETE=1 # WatchTower
 
   # Google OAuth - Single Sign On using OAuth 2.0
   # https://hub.docker.com/r/thomseddon/traefik-forward-auth
@@ -428,12 +426,12 @@ services:
       - /dev/ttyACM0:/dev/ttyACM0
     privileged: true
     volumes:
-      - ${USERDIR}/docker/homeassistant:/config
+      - $USERDIR/docker/homeassistant:/config
       - /etc/localtime:/etc/localtime:ro
     environment:
-      - PUID=${PUID}
-      - PGID=${PGID}
-      - TZ=${TZ}
+      - PUID=$PUID
+      - PGID=$PGID
+      - TZ=$TZ
     labels:
       ## Exclude From Watchtower
       - "com.centurylinklabs.watchtower.enable=false"
@@ -457,14 +455,14 @@ services:
         mode: host
     privileged: true
     volumes:
-      - ${USERDIR}/docker/hassio/homeassistant:/config
+      - $USERDIR/docker/hassio/homeassistant:/config
       - /etc/localtime:/etc/localtime:ro
-      - ${USERDIR}/docker/shared:/shared
-      - ${USERDIR}/docker/open-zwave:/open-zwave
+      - $USERDIR/docker/shared:/shared
+      - $USERDIR/docker/open-zwave:/open-zwave
     environment:
-      - PUID=${PUID}
-      - PGID=${PGID}
-      - TZ=${TZ}
+      - PUID=$PUID
+      - PGID=$PGID
+      - TZ=$TZ
     labels:
       ## Exclude From Watchtower
       - "com.centurylinklabs.watchtower.enable=false"
@@ -1114,8 +1112,6 @@ services:
       ## HTTP Services
       - "traefik.http.routers.plexms-rtr.service=plexms-svc"
       - "traefik.http.services.plexms-svc.loadbalancer.server.port=32400"
-      ## Exclude From Watchtower
-      - "com.centurylinklabs.watchtower.enable=false"
 
   # Emby - Media Server
   embyms:
@@ -1781,16 +1777,18 @@ services:
       - "traefik.http.routers.vscode-rtr.service=vscode-svc"
       - "traefik.http.services.vscode-svc.loadbalancer.server.port=8080"
 
+  # SMTP to Telegram - Send SMTP Notifications as Telegram Message
+  # Use case: https://github.com/htpcBeginner/docker-traefik/issues/78
   smtp_to_telegram:
     image: kostyaesmukov/smtp_to_telegram
     container_name: smtp_to_telegram
     restart: always
     networks:
       - default
     environment:
-      TZ: ${TZ}
-      ST_TELEGRAM_CHAT_IDS: ${TGRAM_CHAT_ID}
-      ST_TELEGRAM_BOT_TOKEN: ${TGRAM_BOT_TOKEN}
+      TZ: $TZ
+      ST_TELEGRAM_CHAT_IDS: $TGRAM_CHAT_ID
+      ST_TELEGRAM_BOT_TOKEN: $TGRAM_BOT_TOKEN
       ST_TELEGRAM_MESSAGE_TEMPLATE: "{subject}\\n{body}"
 
   ############################# MAINTENANCE
@@ -1806,14 +1804,14 @@ services:
     depends_on:
       - socket-proxy
     environment:
-      TZ: ${TZ}
+      TZ: $TZ
       WATCHTOWER_CLEANUP: "true"
       WATCHTOWER_REMOVE_VOLUMES: "true"
       WATCHTOWER_INCLUDE_STOPPED: "true"
-      WATCHTOWER_NO_STARTUP_MESSAGE: "true"
+      WATCHTOWER_NO_STARTUP_MESSAGE: "false"
       WATCHTOWER_SCHEDULE: "0 30 12 * * *" # Everyday at 12:30
       WATCHTOWER_NOTIFICATIONS: shoutrrr
-      WATCHTOWER_NOTIFICATION_URL: "telegram://${TGRAM_BOT_TOKEN}@telegram?channels=${TGRAM_CHAT_ID}"
+      WATCHTOWER_NOTIFICATION_URL: "telegram://$TGRAM_BOT_TOKEN@telegram?channels=$TGRAM_CHAT_ID"
       WATCHTOWER_NOTIFICATIONS_LEVEL: info
       DOCKER_HOST: tcp://socket-proxy:2375
       DOCKER_API_VERSION: "1.40"
@@ -1876,8 +1874,8 @@ services:
       - TIMEZONE=$TZ
       - TRAEFIK_VERSION=2
       - CF_EMAIL=$CLOUDFLARE_EMAIL # Same as traefik
-      - CF_TOKEN=$CLOUDFLARE_API_TOKEN # Scoped api token not working. Error 10000.
-      # - CF_TOKEN=$CLOUDFLARE_API_KEY # Same as traefik
+      # - CF_TOKEN=$CLOUDFLARE_API_TOKEN # Scoped api token not working. Error 10000.
+      - CF_TOKEN=$CLOUDFLARE_API_KEY # Same as traefik
       - TARGET_DOMAIN=$DOMAINNAME
       - DOMAIN1=$DOMAINNAME
       - DOMAIN1_ZONE_ID=$CLOUDFLARE_ZONEID # Copy from Cloudflare Overview page