diff --git a/.gitignore b/.gitignore
index d0759d6..bf220b8 100755
--- a/.gitignore
+++ b/.gitignore
@@ -12,7 +12,7 @@
!docker-compose-t2-obsolete.yml
!docker-compose-t2-synology.yml
!docker-compose-t2-web.yml
-!docker-compose-t2-nuc.yml
+!docker-compose.yml
!.github
.github/*
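Review bot: dropping the `!docker-compose-t2-nuc.yml` negation means any NUC compose file still in the working tree will now be silently ignored by git, while CHANGELOG.md in this same patch still plans additions "to NUC"; confirm the file was removed or renamed, or keep the negation.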
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 19abda7..c8964a4 100755
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,7 +6,7 @@
## Planned (notes for future):
-- Add projectsend, embystat, nextcloud, nut-upsd, HealthChecks, FileRun, fail2ban, ofelia, scrutiny to NUC, Wireguard, traktarr, listrr, Subliminal, netdata
+- Add projectsend, embystat, nextcloud, nut-upsd, HealthChecks, FileRun, fail2ban, ofelia, scrutiny to NUC, Wireguard, traktarr, listrr, Subliminal, netdata, Exportarr, Unpackarr
- Check Cloudbox/cloudbox - plex autoscan, cloudplow, plexdupefinder, plextraktsync
- implement secrets and remove variables from .env
- add prometheus, glances to influxdb, speedtest to influxdb
diff --git a/README.md b/README.md
index 3ab21e7..64abc0c 100755
--- a/README.md
+++ b/README.md
@@ -2,13 +2,16 @@
This is the updated docker-compose repo of all the media, home, and web server apps described in the following guides on our website:
+- [Docker Media Server Ubuntu: Compose for 23 Awesome Apps](https://www.smarthomebeginner.com/docker-media-server-2022/)
- [Docker Media Server with Traefik 2 Reverse Proxy](https://www.smarthomebeginner.com/traefik-2-docker-tutorial/)
- [WordPress on Docker with Nginx, Traefik, LE SSL, Security, and Speed](https://www.smarthomebeginner.com/wordpress-on-docker-traefik/)
- [Synology Docker Media Server with Traefik, Docker Compose, and Cloudflare](https://www.smarthomebeginner.com/synology-docker-media-server/)
IMPORTANT
-If you are going to start from scratch using this repo, be prepared to be patient and start slow. There are so many details to pay attention to. I strongly suggest getting Traefik and Traefik dashboard up and running before adding any other app. Here is the order I would recommend:
+If you are going to start from scratch using this repo, be prepared to be patient and start slow. There are so many details to pay attention to. First start with the basic Docker Media Server guide linked above (with Nginx Proxy Manager instead of Traefik).
+
+When you are ready to upgrade to Traefik or prefer Traefik over Nginx Proxy Manager, I strongly suggest getting Traefik and Traefik dashboard up and running before adding any other app. Here is the order I would recommend:
- Traefik with HTTP Authentication. This requires:
@@ -33,6 +36,8 @@ Go step-by-step. If you bite too big of a piece, I guarantee you will choke.
Supporting Articles:
+- [How to Install Docker and Docker Compose on Ubuntu 22.04 LTS](https://www.smarthomebeginner.com/install-docker-on-ubuntu-22-04/)
+- [How to Install Docker and Docker Compose on Ubuntu 20.04 LTS](https://www.smarthomebeginner.com/install-docker-on-ubuntu-20-04/)
- [Cloudflare Settings for Traefik Docker: DDNS, CNAMEs, & Tweaks](https://www.smarthomebeginner.com/cloudflare-settings-for-traefik-docker/)
- [Google OAuth 2 MFA Protection for Docker](https://www.smarthomebeginner.com/google-oauth-with-traefik-docker/)
- [Authelia MFA Protection for Docker](https://www.smarthomebeginner.com/docker-authelia-tutorial/)
@@ -49,21 +54,20 @@ The following posts have been combined and updated for Traefik v2 (linked above)
## Docker, Docker Compose, and Traefik Versions (updated January 23, 2022)
- Docker: 20.10.12
-- Docker Compose: 2.1.1
+- Docker Compose: v2.5.0
- Traefik: 2.6
-Known Issue: Cloudflare Companion does not seem to work with Docker Compose v2.2 and above. I could not figure out why. If someone figures it out please share. So at this point v2.1.1 is the highest version I can go for Docker Compose.
-
Update (September 13, 2021): I moved from TOML to YAML for Traefik 2 dynamic configurations. I have included example configuration files for both. However, since I do not use TOML anymore, there may be minor syntax errors or typos.
### Description of Compose Files in this Repo
-- docker-compose-t2.yml - this stack has the most apps/services
-- docker-compose-t2-web.yml - web server specific stack for WordPress and non-WordPress sites with Nginx
+- docker-compose.yml - this is the basic media server stack with Nginx Proxy Manager instead of Traefik
+- docker-compose-t2.yml - this is my main stack with most apps/services, including Traefik
+- docker-compose-t2-web.yml - web server specific stack for WordPress and non-WordPress sites with Nginx and Traefik
- docker-compose-t2-synology.yml - apps/services that I run on Synology NAS using Docker Compose for Homelab use
- docker-compose-t2-obsolete.yml - apps/services that I once tried/used but don't use anymore (future compatibility not guaranteed)
-Almost any app/service from the Traefik v2 docker-compose files listed above can be copy-pasted to any other compose file in this repo.
+Almost any app/service from the docker-compose files listed above can be copy-pasted to any other compose file in this repo.
### Compose Files Archive (NOT ACTIVELY MAINTAINED)
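Review bot: the Known Issue paragraph about Cloudflare Companion failing with Docker Compose v2.2 and above is deleted in the same hunk that bumps the version to v2.5.0, without saying whether the problem was resolved; either state that Cloudflare Companion now works with v2.5.0 or keep the caveat next to the version table.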
@@ -74,9 +78,9 @@ Almost any app/service from the Traefik v2 docker-compose files listed above can
## MY SETUP
-- MAIN - Ubuntu 20.04 Virtual Machine on Intel Xeon 5420 Proxmox Host
-- WEB - Ubuntu 20.04 LXC Container on Intel Xeon 5420 Proxmox Host
-- SYNOLOGY - Synology DS918+ NAS
+- MAIN - Ubuntu 22.04 Proxmox LXC Container on Intel Xeon E3-1240 V2.
+- WEB - Ubuntu 22.04 Proxmox VM on Intel Xeon E3-1240 V2.
+- SYNOLOGY - Synology DS918+ NAS.
I use Syncthing to keep certain key files synched between various systems.
@@ -87,6 +91,7 @@ The apps I use are scattered around in several different docker-compose files. S
### FRONTENDS
- Traefik - Reverse Proxy
+- Nginx Proxy Manager - Reverse Proxy
- Docker Socket Proxy - Secure Proxy for Docker API
- Traefik Custom Error Pages
- OAuth - Google OAuth 2 Forward Authentication
@@ -126,7 +131,7 @@ The apps I use are scattered around in several different docker-compose files. S
### INDEXERS
-- NZBHydra2 - NZB meta search
+- NZBHydra2 - NZB meta search
- Jackett - Torrent proxy
- Prowlarr - Torrent proxy
@@ -199,32 +204,11 @@ The apps I use are scattered around in several different docker-compose files. S
- Cloudflare DDNS - Dynamic IP Updater
- Cloudflare Companion - Automatic CNAME creation for services
-# Usage
-
---------- ANYTHING THAT HAS "example" IN THE NAME WILL HAVE TO BE RENAMED APPROPRIATELY ---------
-
-## Installation
+# Installation and Usage
-First, install Docker and Docker Compose, as described in our Docker Media Server guide.
+Follow the guides linked at the beginning of this readme.
-1. Clone the repo.
-2. Configure Traefik Docker-Compose snippet and CLI arguments.
-
-- Edit domain name.
-- DNS Challenge (for LetsEncrypt verification) is enabled by default for cloudflare. Use the [Traefik Reverse Proxy guide](https://www.smarthomebeginner.com/traefik-reverse-proxy-tutorial-for-docker/) for help with this.
-- For other providers other than cloudflare, [check here](https://docs.traefik.io/v2.0/https/acme/#providers).
-
-3. (Optional) Enable or use HTTP Basic Authentication by renaming the `secrets_example` folder to `secrets` adding username and hashed password to the `htpasswd` file.
-4. Configure environmental variables (`.env` file)
-
-- Rename the included `.env.example` to `.env`.
-- Edit variables in `.env` file.
-- All variables (ie. `${XXX}`) in docker-compose.yml come from `.env` file stored in the same place as docker-compose.yml.
-- Ensure good permissions for the `.env` file (recommended: 640).
-
-5. Edit `docker-compose-t2.yml` to include only the services you want or add additional services to it. Be sure to read the comments for each app and create any required files. You can copy snippets between any of the various docker-compose files in the repo.
-6. Start and stop your docker stack as described in our [Docker Media Server guide](https://www.smarthomebeginner.com/docker-home-media-server-2018-basic/).
-7. (Optional) Put non-docker apps behind Traefik proxy by creating traefik rules based on the examples provided.
+--------- ANYTHING THAT HAS "example" IN THE NAME WILL HAVE TO BE RENAMED APPROPRIATELY ---------
## Starting and Stopping
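Review bot: the removed numbered steps carried the readme's only hardening guidance (renaming `secrets_example` to `secrets` with a hashed password in `htpasswd`, renaming `.env.example` to `.env`, and setting `.env` permissions to 640), and the replacement line defers entirely to external guides. Keep at least the `.env` and `secrets` permission advice in the readme so a reader who clones the repo does not leave credentials world-readable.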
@@ -238,8 +222,14 @@ I use bash_aliases to simplify starting and stopping containers/stack. Included
- dclogs2 - See real-time logs for the corresponding stack or service
- dcpull2 - Pull new images for the corresponding stack or service
-## Did this Repo help you?
+## Join our Community
+- Do you need support or just want to chat with like-minded people. Join our discord.
+- The authors will try our best to help but support is not guaranteed. But you will find others who might have went through what you are going through and may be willing to pay it forward and help.
+
-Please consider buying us a coffee (or two) as a token of appreciation.
+# Did this Repo help you?
+- Become a patron and show us your strongest support.
+
-
+- Please consider buying us a coffee (or two) as a token of appreciation.
+
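Review bot: wording in the added "Join our Community" bullets: "Do you need support or just want to chat with like-minded people." needs a question mark, and "might have went through" should read "might have gone through". The two new headings are also at different levels (`##` for the community section, `#` for "Did this Repo help you?") whereas the heading being replaced was `##`.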
diff --git a/appdata/php/php7/conf.d/extensions.ini.example b/appdata/php/php7/conf.d/extensions.ini.example
old mode 100644
new mode 100755
diff --git a/appdata/php/php7/conf.d/opcache.ini.example b/appdata/php/php7/conf.d/opcache.ini.example
old mode 100644
new mode 100755
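Review bot: the two php `*.ini.example` files are switched from mode 100644 to 100755, but config fragments are never executed; keep them non-executable (0644) so the bit does not carry over into `php7/conf.d/` when the examples are copied into place.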
diff --git a/docker-compose-t2-obsolete.yml b/docker-compose-t2-obsolete.yml
index 333bf7c..c072ac8 100755
--- a/docker-compose-t2-obsolete.yml
+++ b/docker-compose-t2-obsolete.yml
@@ -1821,4 +1821,76 @@ services:
- "traefik.http.routers.statping-rtr.middlewares=chain-oauth@file"
## HTTP Services
- "traefik.http.routers.statping-rtr.service=statping-svc"
- - "traefik.http.services.statping-svc.loadbalancer.server.port=8080"
\ No newline at end of file
+ - "traefik.http.services.statping-svc.loadbalancer.server.port=8080"
+
+ # Authelia (Lite) - Self-Hosted Single Sign-On and Two-Factor Authentication
+ authelia:
+ container_name: authelia
+ # Check this before upgrading: https://github.com/authelia/authelia/blob/master/BREAKING.md
+ image: authelia/authelia:latest
+ restart: always
+ networks:
+ - t2_proxy
+ - default
+ # ports:
+ # - "9091:9091"
+ volumes:
+ - $DOCKERDIR/appdata/authelia:/config
+ environment:
+ - TZ=$TZ
+ - AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret
+ - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret
+ - AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/run/secrets/authelia_storage_mysql_password
+ - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/authelia_notifier_smtp_password
+ - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/authelia_duo_api_secret_key
+ #- AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/authelia_storage_encryption_key
+ secrets:
+ - authelia_jwt_secret
+ - authelia_session_secret
+ - authelia_storage_mysql_password
+ - authelia_notifier_smtp_password
+ - authelia_duo_api_secret_key
+ #- authelia_storage_encryption_key
+ labels:
+ - "traefik.enable=true"
+ ## HTTP Routers
+ - "traefik.http.routers.authelia-rtr.entrypoints=https"
+ - "traefik.http.routers.authelia-rtr.rule=Host(`authelia.$DOMAINNAME0`)"
+ - "traefik.http.routers.authelia-rtr.tls=true"
+ ## Middlewares
+ - "traefik.http.routers.authelia-rtr.middlewares=chain-authelia@file"
+ ## HTTP Services
+ - "traefik.http.routers.authelia-rtr.service=authelia-svc"
+ - "traefik.http.services.authelia-svc.loadbalancer.server.port=9091"
+
+ # DupeGuru - Duplicate File/Folder Remover
+ dupeguru:
+ <<: *common-keys-apps # See EXTENSION FIELDS at the top
+ image: jlesage/dupeguru:latest
+ container_name: dupeguru
+ # ports:
+ # - "$dupeguru_PORT:5800"
+ volumes:
+ - $USERDIR:/data/home:ro
+ - $DOCKERDIR/appdata/dupeguru/config:/config:rw
+ - /media/data:/data/data:rw
+ environment:
+ USER_ID: $PUID
+ GROUP_ID: $PGID
+ UMASK: 002
+ TZ: $TZ
+ KEEP_APP_RUNNING: 1
+ CLEAN_TMP_DIR: 1
+ DISPLAY_WIDTH: 1600
+ DISPLAY_HEIGHT: 960
+ VNC_PASSWORD: $DUPEGURU_VNC_PASSWD
+ labels:
+ - "traefik.enable=true"
+ ## HTTP Routers
+ - "traefik.http.routers.dupeguru-rtr.entrypoints=https"
+ - "traefik.http.routers.dupeguru-rtr.rule=Host(`dupe.$DOMAINNAME0`)"
+ ## Middlewares
+ - "traefik.http.routers.dupeguru-rtr.middlewares=chain-oauth@file"
+ ## HTTP Services
+ - "traefik.http.routers.dupeguru-rtr.service=dupeguru-svc"
+ - "traefik.http.services.dupeguru-svc.loadbalancer.server.port=5800"
\ No newline at end of file
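Review bot: the new `authelia` service uses `image: authelia/authelia:latest` while its own comment warns to check BREAKING.md before upgrading; with `restart: always` that combination pulls breaking releases unannounced, so pin a specific tag. `AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE` and its secret are left commented out, which is worth a comment on why. The hunk also restores the trailing newline after the statping line only to end the file without one again after `dupeguru`.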
diff --git a/docker-compose-t2-synology.yml b/docker-compose-t2-synology.yml
index 1feaf1d..0863e06 100755
--- a/docker-compose-t2-synology.yml
+++ b/docker-compose-t2-synology.yml
@@ -12,6 +12,9 @@ version: "3.9"
# 2x256GB NVMe SSD Read-Write Cache
# Google Drive mounted using Rclone Docker Container for media
+# Docker: 20.10.3
+# Docker Compose: 1.29.2
+
########################### NETWORKS
# There is no need to create any networks outside this docker-compose file.
# You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please.
@@ -37,24 +40,18 @@ networks:
secrets:
htpasswd:
file: $DOCKERDIR/secrets/htpasswd
- cloudflare_email:
- file: $DOCKERDIR/secrets/cloudflare_email
- cloudflare_api_key:
- file: $DOCKERDIR/secrets/cloudflare_api_key
- cloudflare_api_token:
- file: $DOCKERDIR/secrets/cloudflare_api_token
- oauth_secret:
- file: $DOCKERDIR/secrets/oauth_secret
- google_client_secret:
- file: $DOCKERDIR/secrets/google_client_secret
- google_client_id:
- file: $DOCKERDIR/secrets/google_client_id
- my_email:
- file: $DOCKERDIR/secrets/my_email
- plex_claim:
- file: $DOCKERDIR/secrets/plex_claim
+ cf_email:
+ file: $DOCKERDIR/secrets/cf_email
+ cf_api_key:
+ file: $DOCKERDIR/secrets/cf_api_key
+ cf_token:
+ file: $DOCKERDIR/secrets/cf_token
+ traefik_forward_auth:
+ file: $DOCKERDIR/secrets/traefik_forward_auth
mysql_root_password:
file: $DOCKERDIR/secrets/mysql_root_password
+ plex_claim:
+ file: $DOCKERDIR/secrets/plex_claim
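Review bot: `cf_token` is declared here (alongside the `cf_email`/`cf_api_key` renames) but nothing in this diff consumes it; the traefik service below still mounts `cf_email` and `cf_api_key`, i.e. the account-wide Global API Key. A scoped DNS-edit token is the least-privilege credential for the ACME DNS challenge (lego reads `CF_DNS_API_TOKEN`, with the `_FILE` suffix for secrets), so either wire `cf_token` into the traefik environment or drop the unused secret.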
########################### EXTENSION FIELDS
# Helps eliminate repetition of sections
@@ -80,6 +77,13 @@ x-common-keys-core: &common-keys-core
# profiles:
# - core
+# Keys common to some of the services in basic-services.txt
+x-common-keys-core: &common-keys-monitoring
+ <<: *network-and-security
+ restart: always
+ # profiles:
+ # - monitoring
+
# Keys common to some of the dependent services/apps
x-common-keys-apps: &common-keys-apps
<<: *network-and-security
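Review bot: the added extension field reuses the top-level key `x-common-keys-core` (with a new anchor `&common-keys-monitoring`), duplicating the `x-common-keys-core` key shown at the top of this hunk; duplicate mapping keys are invalid YAML, and depending on the parser compose will reject the file or silently keep only one definition. Rename it to `x-common-keys-monitoring`. The comment's reference to `basic-services.txt` also points at a file that is not part of this change.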
@@ -102,11 +106,11 @@ services:
# touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
# touch $DOCKERDIR/traefik2/acme/acme.json
# chmod 600 $DOCKERDIR/traefik2/acme/acme.json
- # touch $DOCKERDIR/traefik2/traefik.log
+ # touch $DOCKERDIR/logs/synology//traefik.log
traefik:
<<: *common-keys-core # See EXTENSION FIELDS at the top
container_name: traefik
- image: traefik:2.5
+ image: traefik:2.6
command: # CLI arguments
- --global.checkNewVersion=true
- --global.sendAnonymousUsage=true
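Review bot: the updated `touch` hint has a doubled slash (`$DOCKERDIR/logs/synology//traefik.log`); the volume mapping later in this file uses the single-slash path `$DOCKERDIR/logs/synology/traefik.log`, so make the comment match. The bump to `traefik:2.6` is consistent with the version table in README.md.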
@@ -120,11 +124,10 @@ services:
# - --api.insecure=true
- --api.dashboard=true
#- --ping=true
- #- --pilot.token=$TRAEFIK_PILOT_TOKEN
# - --serversTransport.insecureSkipVerify=true
- --log=true
- - --log.level=WARN # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
- - --accessLog=false
+ - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
+ - --accessLog=true
- --accessLog.filePath=/traefik.log
- --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
- --accessLog.filters.statusCodes=400-499
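Review bot: `--log.level=DEBUG` is committed as the default here. DEBUG is very chatty and writes request and routing details to the same `/traefik.log` this file feeds to fail2ban; revert to `WARN` (or `INFO`) once the Synology migration is debugged. Turning `--accessLog=true` on is correct, since the `statusCodes=400-499` filter is what fail2ban consumes.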
@@ -134,28 +137,35 @@ services:
# Automatically set Host rule for services
# - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME0`)
- --providers.docker.exposedByDefault=false
- # - --entrypoints.https.http.middlewares=chain-oauth-external@file
+ # - --entrypoints.https.http.middlewares=chain-oauth@file
- --entrypoints.https.http.tls.options=tls-opts@file
# Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
- --entrypoints.https.http.tls.certresolver=dns-cloudflare
- --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME0
- --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME0
- # - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME01 # Pulls main cert for second domain
- # - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME01 # Pulls wildcard cert for second domain
+ - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME1 # Pulls main cert for second domain
+ - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME1 # Pulls wildcard cert for second domain
+ #- --entrypoints.https.http.tls.domains[2].main=$DOMAINNAME2
+ #- --entrypoints.https.http.tls.domains[2].sans=*.$DOMAINNAME2
+ #- --entrypoints.https.http.tls.domains[3].main=$DOMAINNAME3
+ #- --entrypoints.https.http.tls.domains[3].sans=*.$DOMAINNAME3
- --providers.docker.network=t2_proxy
- --providers.docker.swarmMode=false
- --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory
# - --providers.file.filename=/path/to/file # Load dynamic configuration from a file
- --providers.file.watch=true # Only works on top level files in the rules folder
- # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
+ #- --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
- --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
- --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
+ # - --metrics.prometheus=true
+ # - --metrics.prometheus.buckets=0.1,0.3,1.2,5.0
networks:
- - t2_proxy
- - socket_proxy
+ t2_proxy:
+ ipv4_address: 192.168.90.254 # You can specify a static IP
+ socket_proxy:
#healthcheck:
# test: ["CMD", "traefik", "healthcheck", "--ping"]
# interval: 5s
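Review bot: uncommenting `domains[1].main=$DOMAINNAME1` / `sans=*.$DOMAINNAME1` makes the second domain mandatory: if `DOMAINNAME1` is unset in `.env`, compose substitutes an empty string and Traefik is handed an empty main domain with SAN `*.`, which breaks the ACME order. Document the variable in `.env.example` or keep the lines commented as a template like `domains[2]`/`domains[3]`. The static `ipv4_address: 192.168.90.254` also depends on the `192.168.90.0/24` subnet from the NETWORKS comment, so anyone who customizes the subnet must change it too.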
@@ -169,7 +179,7 @@ services:
published: 443
protocol: tcp
mode: host
- # - target: 8080
+ # - target: 8080 # insecure api wont work
# published: 8080
# protocol: tcp
# mode: host
@@ -177,14 +187,14 @@ services:
- $DOCKERDIR/appdata/traefik2/rules/synology:/rules # file provider directory
# - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy instead for improved security
- $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
- - $DOCKERDIR/appdata/traefik2/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container
+ - $DOCKERDIR/logs/synology/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container
environment:
- - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
- - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
+ - CF_API_EMAIL_FILE=/run/secrets/cf_email
+ - CF_API_KEY_FILE=/run/secrets/cf_api_key
- HTPASSWD_FILE=/run/secrets/htpasswd # HTPASSWD_FILE can be whatever as it is not used/called anywhere.
secrets:
- - cloudflare_email
- - cloudflare_api_key
+ - cf_email
+ - cf_api_key
- htpasswd
labels:
#- "autoheal=true"
@@ -196,7 +206,7 @@ services:
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
# HTTP Routers
- "traefik.http.routers.traefik-rtr.entrypoints=https"
- - "traefik.http.routers.traefik-rtr.rule=Host(`traefikh.$DOMAINNAME0`)"
+ - "traefik.http.routers.traefik-rtr.rule=Host(`traefikh.$DOMAINNAME0` )"
## Services - API
- "traefik.http.routers.traefik-rtr.service=api@internal"
## Healthcheck/ping
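Review bot: the only change to the `traefik-rtr.rule` label is a space inserted before the closing parenthesis (``Host(`traefikh.$DOMAINNAME0` )``); Traefik tolerates it, but it is diff noise and inconsistent with every other `Host()` rule in the file. Revert.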
@@ -204,16 +214,22 @@ services:
#- "traefik.http.routers.ping.tls=true"
#- "traefik.http.routers.ping.service=ping@internal"
## Middlewares
- - "traefik.http.routers.traefik-rtr.middlewares=chain-oauth-external@file"
+ #- "traefik.http.routers.traefik-rtr.middlewares=chain-oauth@file"
+ - "traefik.http.routers.traefik-rtr.middlewares=chain-oauth@file"
# Docker Socket Proxy - Security Enchanced Proxy for Docker Socket
socket-proxy:
<<: *common-keys-core # See EXTENSION FIELDS at the top
container_name: socket-proxy
- image: fluencelabs/docker-socket-proxy
+ image: tecnativa/docker-socket-proxy
networks:
- - socket_proxy
- privileged: true
+ socket_proxy:
+ ipv4_address: 192.168.91.254 # You can specify a static IP
+ # privileged: true # true for VM. False for unprivileged LXC container.
+ #ports:
+ # - "127.0.0.1:2375:2375" # Port 2375 should only ever get exposed to the internal network. When possible use this line.
+ # I use the next line instead, as I want portainer to manage multiple docker endpoints within my home network.
+ # - "2375:2375"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
environment:
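Review bot: the commented line `#- "traefik.http.routers.traefik-rtr.middlewares=chain-oauth@file"` is identical to the active line directly below it and should be dropped. On `socket-proxy`, switching to `tecnativa/docker-socket-proxy` and commenting out `privileged: true` is the right direction (the proxy only needs the bind-mounted socket); keep the `ports:` block commented, as the hunk's own comment says 2375 must never leave the internal network.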
@@ -230,35 +246,62 @@ services:
- AUTH=0
- SECRETS=0
- POST=1 # Watchtower
- - DELETE=1 # Watchtower
- # GET Optons
+ # Not always needed
- BUILD=0
- COMMIT=0
- CONFIGS=0
- CONTAINERS=1 # Traefik, portainer, etc.
- DISTRIBUTION=0
- EXEC=0
- - IMAGES=1 # Portainer, Watchtower
+ - IMAGES=1 # Portainer
- INFO=1 # Portainer
- - NETWORKS=1 # Portainer, Watchtower
+ - NETWORKS=1 # Portainer
- NODES=0
- PLUGINS=0
- SERVICES=1 # Portainer
- SESSION=0
- SWARM=0
- SYSTEM=0
- - TASKS=1 # Portaienr
+ - TASKS=1 # Portainer
- VOLUMES=1 # Portainer
- # POST Options
- - CONTAINERS_CREATE=1 # WatchTower
- - CONTAINERS_START=1 # WatchTower
- - CONTAINERS_UPDATE=1 # WatchTower
- # DELETE Options
- - CONTAINERS_DELETE=1 # WatchTower
- - IMAGES_DELETE=1 # WatchTower
# Google OAuth - Single Sign On using OAuth 2.0
- # Removed redundant Google OAuth forwarder. Forwarding all authentication requests to oauth:4181 on docker-compose-t2.yml (cloud server). See middlewares-oauth-external in middlewares.yml.example and chain-oauth-external in middlewares-chains.yml.example.
+ # https://www.smarthomebeginner.com/google-oauth-with-traefik-docker/
+ # Also possible to forward all authentication requests to external service. See middlewares-oauth-external and chain-oauth-external.
+ oauth:
+ <<: *common-keys-core # See EXTENSION FIELDS at the top
+ container_name: oauth
+ image: thomseddon/traefik-forward-auth:latest
+ # image: thomseddon/traefik-forward-auth:2.1-arm # Use this image with Raspberry Pi
+ # Allow apps to bypass OAuth. Radarr example below will bypass OAuth if API key is present in the request (eg. from NZB360 mobile app).
+ # While this is one way, the recommended way is to bypass authentication using Traefik labels shown in some of the apps later.
+ # command: --rule.radarr.action=allow --rule.radarr.rule="Headers(`X-Api-Key`, `$RADARR_API_KEY`)"
+ # command: --rule.sabnzbd.action=allow --rule.sabnzbd.rule="HeadersRegexp(`X-Forwarded-Uri`, `$SABNZBD_API_KEY`)"
+ environment:
+ - CONFIG=/config
+ - COOKIE_DOMAIN=$DOMAINNAME0
+ - INSECURE_COOKIE=false
+ - AUTH_HOST=oauthh.$DOMAINNAME0
+ - URL_PATH=/_oauth
+ - LOG_LEVEL=warn
+ - LOG_FORMAT=text
+ - LIFETIME=86400 # 1 day
+ - DEFAULT_ACTION=auth
+ - DEFAULT_PROVIDER=google
+ secrets:
+ - source: traefik_forward_auth
+ target: /config
+ labels:
+ - "traefik.enable=true"
+ ## HTTP Routers
+ - "traefik.http.routers.oauth-rtr.tls=true"
+ - "traefik.http.routers.oauth-rtr.entrypoints=https"
+ - "traefik.http.routers.oauth-rtr.rule=Host(`oauthh.$DOMAINNAME0`)"
+ ## Middlewares
+ - "traefik.http.routers.oauth-rtr.middlewares=chain-oauth@file"
+ ## HTTP Services
+ - "traefik.http.routers.oauth-rtr.service=oauth-svc"
+ - "traefik.http.services.oauth-svc.loadbalancer.server.port=4181"
# Portainer - WebUI for Containers
portainer:
@@ -270,8 +313,8 @@ services:
networks:
- t2_proxy
- socket_proxy
- #ports:
- # - "$PORTAINER_PORT:9000"
+ ports:
+ - "$PORTAINER_PORT:9000"
volumes:
# - /var/run/docker.sock:/var/run/docker.sock:ro # # Use Docker Socket Proxy instead for improved security
- $DOCKERDIR/appdata/portainer/data:/data # Change to local directory if you want to save/transfer config locally
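Review bot: uncommenting `ports: - "$PORTAINER_PORT:9000"` publishes Portainer directly on every host interface, bypassing the `chain-oauth@file` middleware that protects its Traefik route. If direct host access is needed (for example for the multi-endpoint use mentioned in the socket-proxy comment), bind it to a specific address such as `127.0.0.1:$PORTAINER_PORT:9000` or the LAN IP.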
@@ -283,7 +326,7 @@ services:
- "traefik.http.routers.portainer-rtr.entrypoints=https"
- "traefik.http.routers.portainer-rtr.rule=Host(`portainerh.$DOMAINNAME0`)"
## Middlewares
- - "traefik.http.routers.portainer-rtr.middlewares=chain-oauth-external@file"
+ - "traefik.http.routers.portainer-rtr.middlewares=chain-oauth@file"
## HTTP Services
- "traefik.http.routers.portainer-rtr.service=portainer-svc"
- "traefik.http.services.portainer-svc.loadbalancer.server.port=9000"
@@ -303,7 +346,7 @@ services:
- "traefik.http.routers.autoindex-rtr.entrypoints=https"
- "traefik.http.routers.autoindex-rtr.rule=Host(`indexh.$DOMAINNAME0`)"
## Middlewares
- - "traefik.http.routers.autoindex-rtr.middlewares=chain-oauth-external@file"
+ - "traefik.http.routers.autoindex-rtr.middlewares=chain-oauth@file"
## HTTP Services
- "traefik.http.routers.autoindex-rtr.service=autoindex-svc"
- "traefik.http.services.autoindex-svc.loadbalancer.server.port=80"
@@ -326,9 +369,7 @@ services:
- $DOCKERDIR/appdata/mosquitto/config/passwd:/mosquitto/config/passwd
- $DOCKERDIR/shared:/shared
environment:
- PUID: $PUID
- PGID: $PGID
- TZ: $TZ
+ <<: *default-tz-puid-pgid
############################# DATABASE
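Review bot: `<<: *default-tz-puid-pgid` replaces the inline `PUID`/`PGID`/`TZ` keys here and in several later hunks, but the anchor `&default-tz-puid-pgid` is not defined anywhere in this diff's EXTENSION FIELDS hunk; if it is not already in the file, compose fails with an unknown anchor. Also check that every `environment:` it is merged into uses mapping syntax (the rclone blocks were list syntax before this change and are converted in full, which is correct).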
@@ -337,47 +378,27 @@ services:
mariadb:
<<: *common-keys-core # See EXTENSION FIELDS at the top
container_name: mariadb
- image: linuxserver/mariadb:latest
+ image: lscr.io/linuxserver/mariadb
ports:
- "$MARIADB_PORT:3306"
volumes:
- $DOCKERDIR/appdata/mariadb/data:/config
- - /etc/TZ:/etc/timezone:ro
- - /etc/localtime:/etc/localtime:ro
environment:
- - PUID=$PUID
- - PGID=$PGID
- - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password # Not taking this pw during initialization
+ <<: *default-tz-puid-pgid
+ FILE__MYSQL_ROOT_PASSWORD: /run/secrets/mysql_root_password # Note FILE__ (double underscore) - Issue #127
secrets:
- mysql_root_password
- # InfluxDB - Database for sensor data
- # Create influxdb.conf
- influxdb:
- <<: *common-keys-core # See EXTENSION FIELDS at the top
- image: influxdb:latest
- container_name: influxdb
- ports:
- - "$INFLUXDB_PORT:8086"
- volumes:
- # - $DOCKERDIR/appdata/influxdb/influxdb.conf:/etc/influxdb/influxdb.conf:ro
- - $DOCKERDIR/appdata/influxdb/db:/var/lib/influxdb
- # command: -config /etc/influxdb/influxdb.conf
-
# phpMyAdmin - Database management
# Create a new user with admin privileges. Cannot login as MySQL root for some reason.
phpmyadmin:
<<: *common-keys-apps # See EXTENSION FIELDS at the top
image: phpmyadmin/phpmyadmin:latest
container_name: phpmyadmin
- # ports:
- # - "$PHPMYADMIN_PORT:80"
- # volumes:
- # - $DOCKERDIR/appdata/phpmyadmin:/etc/phpmyadmin
environment:
- - PMA_HOST=mariadb
- #- PMA_PORT=$DB_PORT
- #- PMA_ARBITRARY=1
+ - PMA_HOST=$MARIADB_HOST
+ - PMA_PORT=$MARIADB_PORT
+ - PMA_ARBITRARY=1
- MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password
secrets:
- mysql_root_password
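Review bot: `PMA_ARBITRARY=1` lets a user at the phpMyAdmin login form pick any reachable database host, which is broader than the previous fixed `PMA_HOST=mariadb`; since `PMA_HOST=$MARIADB_HOST` and `PMA_PORT` are now set explicitly, leave `PMA_ARBITRARY` at `0` unless a second server is really needed. `lscr.io/linuxserver/mariadb` is also used without a tag (implicitly `latest`); pin a version so `restart: always` cannot pull a major upgrade. The `FILE__MYSQL_ROOT_PASSWORD` comment pointing at Issue #127 is useful; keep it.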
@@ -387,11 +408,45 @@ services:
- "traefik.http.routers.phpmyadmin-rtr.entrypoints=https"
- "traefik.http.routers.phpmyadmin-rtr.rule=Host(`pmah.$DOMAINNAME0`)"
## Middlewares
- - "traefik.http.routers.phpmyadmin-rtr.middlewares=chain-oauth-external@file"
+ - "traefik.http.routers.phpmyadmin-rtr.middlewares=chain-oauth@file"
## HTTP Services
- "traefik.http.routers.phpmyadmin-rtr.service=phpmyadmin-svc"
- "traefik.http.services.phpmyadmin-svc.loadbalancer.server.port=80"
+ # Redis - Key-value Store
+ redis:
+ <<: *common-keys-core # See EXTENSION FIELDS at the top
+ container_name: redis
+ image: redis:latest
+ entrypoint: redis-server --appendonly yes --requirepass $REDIS_PASSWORD --maxmemory 512mb --maxmemory-policy allkeys-lru
+ ports:
+ - "$REDIS_PORT:6379"
+ volumes:
+ - $DOCKERDIR/appdata/redis/data:/data
+ - /etc/TZ:/etc/timezone:ro
+ - /etc/localtime:/etc/localtime:ro
+
+ # Redis Commander - Redis Management Tool
+ rediscommander:
+ <<: *common-keys-apps # See EXTENSION FIELDS at the top
+ container_name: rediscommander
+ image: rediscommander/redis-commander:latest
+ # ports:
+ # - "$REDISCOMMANDER_PORT:8081"
+ environment:
+ - REDIS_HOST=$REDIS_HOST
+ - REDIS_PASSWORD=$REDIS_PASSWORD
+ labels:
+ - "traefik.enable=true"
+ ## HTTP Routers
+ - "traefik.http.routers.rediscommander-rtr.entrypoints=https"
+ - "traefik.http.routers.rediscommander-rtr.rule=Host(`rediscomh.$DOMAINNAME1`)"
+ ## Middlewares
+ - "traefik.http.routers.rediscommander-rtr.middlewares=chain-oauth@file"
+ ## HTTP Services
+ - "traefik.http.routers.rediscommander-rtr.service=rediscommander-svc"
+ - "traefik.http.services.rediscommander-svc.loadbalancer.server.port=8081"
+
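Review bot: `--requirepass $REDIS_PASSWORD` in the `redis` entrypoint places the password in the container's command line, where `docker inspect`, `docker ps --no-trunc` and the Portainer UI show it, and `$REDIS_PORT:6379` publishes the server on the host. Prefer a Redis config file or a compose secret (which CHANGELOG.md already plans) and bind the port to a local address. The `rediscommander` router uses `$DOMAINNAME1` while every other router in this file uses `$DOMAINNAME0`; confirm that is intended.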
############################# DOWNLOADERS
# qBittorrent - Torrent downloader
@@ -401,18 +456,15 @@ services:
image: lscr.io/linuxserver/qbittorrent
container_name: qbittorrent
# ports:
- #- "$QBITTORRENT_PORT:8168"
+ #- "$QBITTORRENT_PORT:8080"
#- 6881:6881
#- 6881:6881/udp
volumes:
- $DOCKERDIR/appdata/qbittorrent:/config
- $DOWNLOADSDIR:/downloads
environment:
- PUID: $PUID
- PGID: $PGID
- TZ: $TZ
+ <<: *default-tz-puid-pgid
UMASK: 002
- WEBUI_PORT: 8168
labels:
- "traefik.enable=true"
## HTTP Routers
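Review bot: removing `WEBUI_PORT: 8168` means the linuxserver qBittorrent image falls back to its default WebUI port 8080 (matching the updated `$QBITTORRENT_PORT:8080` comment), but the `traefik.http.services.qbittorrent-svc.loadbalancer.server.port=8168` label in the next hunk is unchanged, so Traefik will proxy to a port nothing listens on. Update the label to 8080 or restore `WEBUI_PORT`.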
@@ -420,7 +472,7 @@ services:
- "traefik.http.routers.qbittorrent-rtr.rule=Host(`qbith.$DOMAINNAME0`)"
- "traefik.http.routers.qbittorrent-rtr.tls=true"
## Middlewares
- - "traefik.http.routers.qbittorrent-rtr.middlewares=chain-oauth-external@file"
+ - "traefik.http.routers.qbittorrent-rtr.middlewares=chain-oauth@file"
## HTTP Services
- "traefik.http.routers.qbittorrent-rtr.service=qbittorrent-svc"
- "traefik.http.services.qbittorrent-svc.loadbalancer.server.port=8168"
@@ -489,9 +541,7 @@ services:
- $DATADIR/Photos/zVideos:/data/media:ro
- $DS918/media/zvideos:/data/output
environment:
- PUID: $PUID
- PGID: $PGID
- TZ: $TZ
+ <<: *default-tz-puid-pgid
serverIP: tdarr # or hostname
serverPort: 8266
webUIPort: 8265
@@ -502,7 +552,7 @@ services:
- "traefik.http.routers.tdarr-rtr.entrypoints=https"
- "traefik.http.routers.tdarr-rtr.rule=Host(`tdarr.$DOMAINNAME0`)"
## Middlewares
- - "traefik.http.routers.tdarr-rtr.middlewares=chain-oauth-external@file"
+ - "traefik.http.routers.tdarr-rtr.middlewares=chain-oauth@file"
## HTTP Services
- "traefik.http.routers.tdarr-rtr.service=tdarr-svc"
- "traefik.http.services.tdarr-svc.loadbalancer.server.port=8265"
@@ -515,9 +565,7 @@ services:
devices:
- /dev/dri:/dev/dri # for hardware transcoding
environment:
- PUID: $PUID
- PGID: $PGID
- TZ: $TZ
+ <<: *default-tz-puid-pgid
UMASK_SET: 002
nodeID: Node1
nodeIP: tdarr-node1 # or hostname
@@ -584,16 +632,14 @@ services:
- /etc/group:/etc/group:ro
- /etc/fuse.conf:/etc/fuse.conf:ro
environment:
- - TZ=$TZ
- - PUID=$PUID
- - PGID=$PGID
+ <<: *default-tz-puid-pgid
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.rclone-drive-rtr.entrypoints=https"
- "traefik.http.routers.rclone-drive-rtr.rule=Host(`rcloneh.$DOMAINNAME0`)"
## Middlewares
- - "traefik.http.routers.rclone-drive-rtr.middlewares=chain-oauth-external@file"
+ - "traefik.http.routers.rclone-drive-rtr.middlewares=chain-oauth@file"
## HTTP Services
- "traefik.http.routers.rclone-drive-rtr.service=rclone-drive-svc"
- "traefik.http.services.rclone-drive-svc.loadbalancer.server.port=5572"
@@ -642,9 +688,7 @@ services:
- /etc/group:/etc/group:ro
- /etc/fuse.conf:/etc/fuse.conf:ro
environment:
- - TZ=$TZ
- - PUID=$PUID
- - PGID=$PGID
+ <<: *default-tz-puid-pgid
############################# UTILITIES
@@ -679,42 +723,11 @@ services:
- "traefik.http.routers.firefox-rtr.entrypoints=https"
- "traefik.http.routers.firefox-rtr.rule=Host(`firefoxh.$DOMAINNAME0`)"
## Middlewares
- - "traefik.http.routers.firefox-rtr.middlewares=chain-oauth-external@file"
+ - "traefik.http.routers.firefox-rtr.middlewares=chain-oauth@file"
## HTTP Services
- "traefik.http.routers.firefox-rtr.service=firefox-svc"
- "traefik.http.services.firefox-svc.loadbalancer.server.port=5800"
- # Glances - System Information
- glances:
- <<: *common-keys-apps # See EXTENSION FIELDS at the top
- image: nicolargo/glances:latest
- container_name: glances
- privileged: true
- # network_mode: host
- networks:
- - t2_proxy
- - socket_proxy
- ports:
- - "$GLANCES_PORT:61208"
- pid: host
- volumes:
- - $DOCKERDIR/appdata/glances/glances.conf:/glances/conf/glances.conf # Use this if you want to add a glances.conf file
- # - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy instead for improved security
- environment:
- # GLANCES_OPT: "-C /glances/conf/glances.conf --quiet --export influxdb"
- GLANCES_OPT: "-w"
- DOCKER_HOST: tcp://socket-proxy:2375
- labels:
- - "traefik.enable=true"
- ## HTTP Routers
- - "traefik.http.routers.glances-rtr.entrypoints=https"
- - "traefik.http.routers.glances-rtr.rule=Host(`glancesh.$DOMAINNAME0`)"
- ## Middlewares
- - "traefik.http.routers.glances-rtr.middlewares=chain-oauth-external@file"
- ## HTTP Services
- - "traefik.http.routers.glances-rtr.service=glances-svc"
- - "traefik.http.services.glances-svc.loadbalancer.server.port=61208"
-
# qDirStat - Directory Statistics
qdirstat:
<<: *common-keys-apps # See EXTENSION FIELDS at the top
@@ -741,7 +754,7 @@ services:
- "traefik.http.routers.qdirstat-rtr.entrypoints=https"
- "traefik.http.routers.qdirstat-rtr.rule=Host(`qdirh.$DOMAINNAME0`)"
## Middlewares
- - "traefik.http.routers.qdirstat-rtr.middlewares=chain-oauth-external@file"
+ - "traefik.http.routers.qdirstat-rtr.middlewares=chain-oauth@file"
## HTTP Services
- "traefik.http.routers.qdirstat-rtr.service=qdirstat-svc"
- "traefik.http.services.qdirstat-svc.loadbalancer.server.port=5800"
@@ -760,42 +773,50 @@ services:
- /volume1:/data
- $DOCKERDIR/appdata/syncthing:/config
environment:
- PUID: $PUID
- PGID: $PGID
- TZ: $TZ
+ <<: *default-tz-puid-pgid
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.syncthing-rtr.entrypoints=https"
- "traefik.http.routers.syncthing-rtr.rule=Host(`stnas.$DOMAINNAME0`)"
## Middlewares
- - "traefik.http.routers.syncthing-rtr.middlewares=chain-oauth-external@file"
+ - "traefik.http.routers.syncthing-rtr.middlewares=chain-oauth@file"
## HTTP Services
- "traefik.http.routers.syncthing-rtr.service=syncthing-svc"
- "traefik.http.services.syncthing-svc.loadbalancer.server.port=8384"
- ############################# MAINTENANCE
-
- # WatchTower - Automatic Docker Container Updates
- watchtower:
- image: containrrr/watchtower
- container_name: watchtower
- restart: unless-stopped
- networks:
- - default
- - socket_proxy
+ # VSCode - VSCode Editing
+ vscode:
+ <<: *common-keys-core # See EXTENSION FIELDS at the top
+ image: lscr.io/linuxserver/code-server:latest
+ container_name: vscode
+ ports:
+ - "$VSCODE_PORT:8443"
+ volumes:
+ - $DOCKERDIR:/data/docker
+ - $DOCKERDIR/appdata/vscode:/config
+ - $DS918:/data/ds918
environment:
- TZ: $TZ
- WATCHTOWER_CLEANUP: "true"
- WATCHTOWER_REMOVE_VOLUMES: "true"
- WATCHTOWER_INCLUDE_STOPPED: "true"
- WATCHTOWER_NO_STARTUP_MESSAGE: "false"
- WATCHTOWER_SCHEDULE: "0 30 12 * * *" # Everyday at 12:30
- WATCHTOWER_NOTIFICATIONS: shoutrrr
- WATCHTOWER_NOTIFICATION_URL: "telegram://$TGRAM_BOT_TOKEN@telegram?channels=$TGRAM_CHAT_ID"
- WATCHTOWER_NOTIFICATIONS_LEVEL: info
- DOCKER_HOST: tcp://socket-proxy:2375
- DOCKER_API_VERSION: "1.40"
+ <<: *default-tz-puid-pgid
+ # DOCKER_HOST: tcp://socket-proxy:2375
+ # PASSWORD: $VSCODE_PASSWORD
+ # HASHED_PASSWORD: #optional
+ # SUDO_PASSWORD: password #optional
+ # SUDO_PASSWORD_HASH: #optional
+ # PROXY_DOMAIN: code-server.my.domain #optional
+ DEFAULT_WORKSPACE: /config/data/User/Workspaces/AZ.code-workspace #optional
+ labels:
+ - "traefik.enable=true"
+ ## HTTP Routers
+ - "traefik.http.routers.vscode-rtr.entrypoints=https"
+ - "traefik.http.routers.vscode-rtr.rule=Host(`codeh.$DOMAINNAME0`)"
+ ## Middlewares
+ - "traefik.http.routers.vscode-rtr.middlewares=chain-oauth@file"
+ ## HTTP Services
+ - "traefik.http.routers.vscode-rtr.service=vscode-svc"
+ - "traefik.http.services.vscode-svc.loadbalancer.server.port=8443"
+
+ ############################# MAINTENANCE
# Docker-GC - Automatic Docker Garbage Collection
# Create docker-gc-exclude file
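Review bot: the new `vscode` service publishes `$VSCODE_PORT:8443` on the host while both `PASSWORD` and `HASHED_PASSWORD` are commented out, so the `chain-oauth@file` middleware on `vscode-rtr` only guards the Traefik path and anyone on the LAN reaches an unauthenticated code-server with read-write access to `$DOCKERDIR` and `$DS918`. Either drop the `ports:` block (the docker-compose-t2.yml hunk in this same patch removes it) or set `HASHED_PASSWORD` before publishing the port. Minor: watchtower's `WATCHTOWER_*`, `TGRAM_BOT_TOKEN` and `TGRAM_CHAT_ID` variables are now unused and can be cleaned out of .env.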
@@ -836,8 +857,9 @@ services:
# - cloudflare_api_token
# Cloudflare-Companion - Automatic CNAME DNS Creation
+ # Docker Compose v2.1.1 maximum - see README
cf-companion:
- <<: *common-keys-apps # See EXTENSION FIELDS at the top
+ <<: *common-keys-core # See EXTENSION FIELDS at the top
container_name: cf-companion
image: tiredofit/traefik-cloudflare-companion:latest
networks:
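Review bot: the comment `# Docker Compose v2.1.1 maximum - see README` is added to cf-companion here, while the docker-compose-t2.yml hunk at `@@ -1265,7 +1268,6 @@` removes the identical comment from the same service. One of the two is stale; if the Compose version limit still applies it belongs in both files, otherwise drop it here as well.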
@@ -845,15 +867,14 @@ services:
environment:
- TIMEZONE=$TZ
- TRAEFIK_VERSION=2
- #- CF_EMAIL=$CLOUDFLARE_EMAIL
- - CF_TOKEN=$CLOUDFLARE_API_TOKEN
+ - CF_TOKEN__FILE=/run/secrets/cf_token
- TARGET_DOMAIN=home.$DOMAINNAME0 # Edit this. Either a subdomain or just $DOMAINNAME0 pointing to the IP will work. See: https://github.com/htpcBeginner/docker-traefik/issues/244.
- DOMAIN1=$DOMAINNAME0
- DOMAIN1_ZONE_ID=$CLOUDFLARE_ZONEID # Copy from Cloudflare Overview page
- DOMAIN1_PROXIED=TRUE
- DOCKER_HOST=tcp://socket-proxy:2375
- secrets: # not working
- - cloudflare_api_token
+ secrets:
+ - cf_token
labels:
# Add hosts specified in rules here to force cf-companion to create the CNAMEs
# Since cf-companion creates CNAMEs based on host rules, this a workaround for non-docker/external apps
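Review bot: switching from `CF_TOKEN=$CLOUDFLARE_API_TOKEN` to `CF_TOKEN__FILE=/run/secrets/cf_token` keeps the token out of the container environment and `docker inspect` output, but this hunk only attaches `cf_token` to the service; the top-level `secrets:` declaration for `cf_token` in this file is not part of the patch, and Compose refuses to start the service if it is missing. Please confirm it is declared (as the docker-compose-t2-web.yml hunk does) and then remove `CLOUDFLARE_API_TOKEN` from .env so the plaintext copy does not linger.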
diff --git a/docker-compose-t2-web.yml b/docker-compose-t2-web.yml
index c311297..c97d361 100755
--- a/docker-compose-t2-web.yml
+++ b/docker-compose-t2-web.yml
@@ -7,9 +7,12 @@ version: "3.9"
########################### SYSTEM DESCRIPTION
# DOCKER-COMPOSE FOR WORDPRESS / WEB SERVER
-# PROXMOX HOST: Dual Intel Xeon 5420, 16 GB RAM, 240 GB SSD, and 2 TB HDD
-# LXC CONTAINER: 4 CORES, 4 GB RAM, Ubuntu 20.04, and Docker
-# 32 GB SSD for /
+# PROXMOX HOST: Dual Intel Xeon E3-1240 V2, 16 GB RAM, 480 GB SSD, and 4 TB HDD
+# Virtual Machine: 4 CORES, 4 GB RAM, Ubuntu 22.04, and Docker
+# 64 GB SSD for /
+
+# Docker: 20.10.14
+# Docker Compose: 2.5.0
########################### NETWORKS
# There is no need to create any networks outside this docker-compose file.
@@ -36,10 +39,12 @@ networks:
secrets:
htpasswd:
file: $DOCKERDIR/secrets/htpasswd
- cloudflare_email:
- file: $SECRETSDIR/cloudflare_email
- cloudflare_api_key:
- file: $SECRETSDIR/cloudflare_api_key
+ cf_email:
+ file: $DOCKERDIR/secrets/cf_email
+ cf_api_key:
+ file: $DOCKERDIR/secrets/cf_api_key
+ cf_token:
+ file: $DOCKERDIR/secrets/cf_token
traefik_forward_auth:
file: $DOCKERDIR/secrets/traefik_forward_auth
mysql_root_password:
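Review bot: the secret files move from `$SECRETSDIR/...` to `$DOCKERDIR/secrets/...`, and the `vscode` service later in this file mounts `$DOCKERDIR` read-write at `/data/docker`, so every secret (Cloudflare email, API key and token, the forward-auth secret, the MySQL root password) becomes readable and editable from the code-server UI. Keep the secrets directory outside `$DOCKERDIR`, or exclude it from the vscode mount, and keep the files mode `600` owned by root.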
@@ -79,6 +84,13 @@ x-common-keys-core: &common-keys-core
# profiles:
# - core
+# Keys common to some of the services in basic-services.txt
+x-common-keys-core: &common-keys-monitoring
+ <<: *network-and-security
+ restart: always
+ # profiles:
+ # - monitoring
+
# Keys common to some of the dependent services/apps
x-common-keys-apps: &common-keys-apps
<<: *network-and-security
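Review bot: the new block `x-common-keys-core: &common-keys-monitoring` reuses the mapping key `x-common-keys-core`, which is already defined directly above with the `&common-keys-core` anchor. Duplicate keys are invalid YAML and strict parsers reject the file; rename the key to `x-common-keys-monitoring` (the anchor name is already correct) and fix the copy-pasted `basic-services.txt` comment.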
@@ -101,11 +113,11 @@ services:
# Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
# touch $DOCKERDIR/traefik2/acme/acme.json
# chmod 600 $DOCKERDIR/traefik2/acme/acme.json
- # touch $DOCKERDIR/traefik2/traefik.log
+ # touch $DOCKERDIR/logs/web/traefik.log # customize this
traefik:
<<: *common-keys-core # See EXTENSION FIELDS at the top
container_name: traefik
- image: traefik:2.5
+ image: traefik:2.6
command: # CLI arguments
- --global.checkNewVersion=true
- --global.sendAnonymousUsage=true
@@ -119,11 +131,10 @@ services:
# - --api.insecure=true
- --api.dashboard=true
#- --ping=true
- #- --pilot.token=$TRAEFIK_PILOT_TOKEN
# - --serversTransport.insecureSkipVerify=true
- --log=true
- --log.level=WARN # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
- - --accessLog=false
+ - --accessLog=true
- --accessLog.filePath=/traefik.log
- --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
- --accessLog.filters.statusCodes=400-499
@@ -152,6 +163,8 @@ services:
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
+ # - --metrics.prometheus=true
+ # - --metrics.prometheus.buckets=0.1,0.3,1.2,5.0
networks:
t2_proxy:
ipv4_address: 192.168.90.254 # You can specify a static IP
@@ -169,7 +182,7 @@ services:
published: 443
protocol: tcp
mode: host
- # - target: 8080
+ # - target: 8080 # insecure api wont work
# published: 8080
# protocol: tcp
# mode: host
@@ -177,14 +190,14 @@ services:
- $DOCKERDIR/appdata/traefik2/rules/web:/rules # file provider directory
# - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy instead for improved security
- $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
- - $DOCKERDIR/appdata/traefik2/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container
+ - $DOCKERDIR/logs/web/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container
environment:
- - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
- - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
+ - CF_API_EMAIL_FILE=/run/secrets/cf_email
+ - CF_API_KEY_FILE=/run/secrets/cf_api_key
- HTPASSWD_FILE=/run/secrets/htpasswd # HTPASSWD_FILE can be whatever as it is not used/called anywhere.
secrets:
- - cloudflare_email
- - cloudflare_api_key
+ - cf_email
+ - cf_api_key
- htpasswd
labels:
#- "autoheal=true"
@@ -214,7 +227,7 @@ services:
networks:
socket_proxy:
ipv4_address: 192.168.91.254 # You can specify a static IP
- #privileged: true
+ # privileged: true # true for VM. False for unprivileged LXC container.
#ports:
# - "127.0.0.1:2375:2375" # Port 2375 should only ever get exposed to the internal network. When possible use this line.
# I use the next line instead, as I want portainer to manage multiple docker endpoints within my home network.
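Review bot: the new comment on `# privileged: true` says it should be true for a VM, but the socket proxy only needs the docker.sock bind mount; running it privileged hands that container every host capability and device, which undoes the isolation the proxy exists to provide. Unless a specific error was hit on the VM, keep it commented out on both VM and LXC and say so in the comment instead.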
@@ -251,7 +264,7 @@ services:
- SESSION=0
- SWARM=0
- SYSTEM=0
- - TASKS=1 # Portaienr
+ - TASKS=1 # Portainer
- VOLUMES=1 # Portainer
# Google OAuth - Single Sign On using OAuth 2.0
@@ -291,46 +304,6 @@ services:
- "traefik.http.routers.oauth-rtr.service=oauth-svc"
- "traefik.http.services.oauth-svc.loadbalancer.server.port=4181"
- # Authelia (Lite) - Self-Hosted Single Sign-On and Two-Factor Authentication
- authelia:
- container_name: authelia
- # Check this before upgrading: https://github.com/authelia/authelia/blob/master/BREAKING.md
- image: authelia/authelia:latest
- restart: always
- networks:
- - t2_proxy
- - default
- # ports:
- # - "9091:9091"
- volumes:
- - $DOCKERDIR/appdata/authelia:/config
- environment:
- - TZ=$TZ
- - AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret
- - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret
- - AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/run/secrets/authelia_storage_mysql_password
- - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/authelia_notifier_smtp_password
- - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/authelia_duo_api_secret_key
- #- AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/authelia_storage_encryption_key
- secrets:
- - authelia_jwt_secret
- - authelia_session_secret
- - authelia_storage_mysql_password
- - authelia_notifier_smtp_password
- - authelia_duo_api_secret_key
- #- authelia_storage_encryption_key
- labels:
- - "traefik.enable=true"
- ## HTTP Routers
- - "traefik.http.routers.authelia-rtr.entrypoints=https"
- - "traefik.http.routers.authelia-rtr.rule=Host(`authelia.$DOMAINNAME0`)"
- - "traefik.http.routers.authelia-rtr.tls=true"
- ## Middlewares
- - "traefik.http.routers.authelia-rtr.middlewares=chain-authelia@file"
- ## HTTP Services
- - "traefik.http.routers.authelia-rtr.service=authelia-svc"
- - "traefik.http.services.authelia-svc.loadbalancer.server.port=9091"
-
# Portainer - WebUI for Containers
portainer:
<<: *common-keys-core # See EXTENSION FIELDS at the top
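Review bot: removing the `authelia` service leaves the top-level `secrets:` entries it referenced (`authelia_jwt_secret`, `authelia_session_secret`, `authelia_storage_mysql_password`, `authelia_notifier_smtp_password`, `authelia_duo_api_secret_key`) and the `chain-authelia@file` middleware in the rules directory untouched by this patch. Either remove those in the same change or add a comment that the service is intentionally parked, so nobody keeps those secret files around for nothing.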
@@ -391,27 +364,11 @@ services:
volumes:
- $DOCKERDIR/appdata/mariadb/data:/config
environment:
- - PUID=$PUID
- - PGID=$PGID
- - TZ=$TZ
- - FILE__MYSQL_ROOT_PASSWORD=/run/secrets/mysql_root_password # Note FILE__ (double underscore) - Issue #127
+ <<: *default-tz-puid-pgid
+ FILE__MYSQL_ROOT_PASSWORD: /run/secrets/mysql_root_password # Note FILE__ (double underscore) - Issue #127
secrets:
- mysql_root_password
- # InfluxDB - Database for sensor data
- # Create influxdb.conf
- influxdb:
- <<: *common-keys-core # See EXTENSION FIELDS at the top
- image: influxdb:latest
- container_name: influxdb
- ports:
- - "$INFLUXDB_PORT:8086"
- - "$INFLUXDB_PORT_PROXMOX:8087/udp"
- volumes:
- - $DOCKERDIR/appdata/influxdb/etc/influxdb.conf:/etc/influxdb/influxdb.conf:ro
- - $DOCKERDIR/appdata/influxdb/db:/var/lib/influxdb
- # command: -config /etc/influxdb/influxdb.conf
-
# Redis - Key-value Store
redis:
<<: *common-keys-core # See EXTENSION FIELDS at the top
@@ -425,27 +382,6 @@ services:
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
- # Redis Commander - Redis Management Tool
- rediscommander:
- <<: *common-keys-apps # See EXTENSION FIELDS at the top
- container_name: rediscommander
- image: rediscommander/redis-commander:latest
- # ports:
- # - "$REDISCOMMANDER_PORT:8081"
- environment:
- - REDIS_HOST=$REDIS_HOST
- - REDIS_PASSWORD=$REDIS_PASSWORD
- labels:
- - "traefik.enable=true"
- ## HTTP Routers
- - "traefik.http.routers.rediscommander-rtr.entrypoints=https"
- - "traefik.http.routers.rediscommander-rtr.rule=Host(`rediscom.$DOMAINNAME1`)"
- ## Middlewares
- - "traefik.http.routers.rediscommander-rtr.middlewares=chain-oauth@file"
- ## HTTP Services
- - "traefik.http.routers.rediscommander-rtr.service=rediscommander-svc"
- - "traefik.http.services.rediscommander-svc.loadbalancer.server.port=8081"
-
# phpMyAdmin - Database management
# Create a new user with admin privileges. Cannot login as MySQL root for some reason.
phpmyadmin:
@@ -479,6 +415,7 @@ services:
image: nginx:1.20 # 1.18 # Updated 8/9/2021
depends_on:
- php7
+ - redis
volumes:
- /etc/localtime:/etc/localtime:ro
- /etc/timezone:/etc/timezone:ro
@@ -553,18 +490,22 @@ services:
# VSCode - VSCode Editing
vscode:
<<: *common-keys-core # See EXTENSION FIELDS at the top
- image: codercom/code-server:latest
+ image: lscr.io/linuxserver/code-server:latest
container_name: vscode
volumes:
- - $USERDIR/server:/home/coder/server
- - $DOCKERDIR:/home/coder/docker
- - $DOCKERDIR/appdata/vscode:/home/coder
+ - $DOCKERDIR:/data/docker
+ - $USERDIR/server:/data/server
+ - $DATADIR:/data/data
+ - $DOCKERDIR/appdata/vscode:/config
environment:
- PASSWORD: $VSCODE_PASSWORD
- # Run as root first, create the directories, then change permissions to user:docker and 775. Disable run as root below.
- user: $PUID:$PGID
- #user: "0"
- DOCKER_HOST: tcp://socket-proxy:2375
+ <<: *default-tz-puid-pgid
+ # DOCKER_HOST: tcp://socket-proxy:2375
+ # PASSWORD: $VSCODE_PASSWORD
+ # HASHED_PASSWORD: #optional
+ # SUDO_PASSWORD: password #optional
+ # SUDO_PASSWORD_HASH: #optional
+ # PROXY_DOMAIN: code-server.my.domain #optional
+ DEFAULT_WORKSPACE: /config/data/User/Workspaces/AZ.code-workspace #optional
labels:
- "traefik.enable=true"
## HTTP Routers
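Review bot: with `PASSWORD` and `HASHED_PASSWORD` both commented out, the linuxserver code-server image starts with no authentication of its own, so `chain-oauth@file` on `vscode-rtr` is the only gate on a container that has read-write access to `$DOCKERDIR` (which now holds `$DOCKERDIR/secrets`, per the secrets hunk above), `$USERDIR/server` and `$DATADIR`. Set `HASHED_PASSWORD` as a second layer, and make sure no host `ports:` entry is ever added to this service while it relies on the proxy for authentication.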
@@ -574,7 +515,7 @@ services:
- "traefik.http.routers.vscode-rtr.middlewares=chain-oauth@file"
## HTTP Services
- "traefik.http.routers.vscode-rtr.service=vscode-svc"
- - "traefik.http.services.vscode-svc.loadbalancer.server.port=8080"
+ - "traefik.http.services.vscode-svc.loadbalancer.server.port=8443"
############################# MAINTENANCE
diff --git a/docker-compose-t2.yml b/docker-compose-t2.yml
index 6202c0d..72d6e4d 100755
--- a/docker-compose-t2.yml
+++ b/docker-compose-t2.yml
@@ -6,11 +6,14 @@ version: "3.9"
########################### SYSTEM DESCRIPTION
# DOCKER-COMPOSE FOR HOME/MEDIA SERVER
-# PROXMOX HOST: Dual Intel Xeon 5420, 16 GB RAM, 240 GB SSD, and 2 TB HDD
-# VM: 6 CORES, 12 GB RAM, Ubuntu 20.04, and Docker
-# 32 GB for /, 64 GB for /var/lib/docker and transcoding, and 1.5 TB for non-critical data and rclone cache.
+# PROXMOX HOST: Dual Intel Xeon E3-1240 V2, 16 GB RAM, 480 GB SSD, and 4 TB HDD
+# LXC: 2 CORES, 8 GB RAM, Ubuntu 20.04, and Docker
+# 64 GB for / and 2 TB for non-critical data and rclone cache.
# Google Drive mounted using Rclone Docker for media and Proxmox backups
+# Docker: 20.10.14
+# Docker Compose: 2.5.0
+
########################### NETWORKS
# There is no need to create any networks outside this docker-compose file.
# You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please.
@@ -44,6 +47,8 @@ secrets:
file: $DOCKERDIR/secrets/cf_token
traefik_forward_auth:
file: $DOCKERDIR/secrets/traefik_forward_auth
+ mysql_root_password:
+ file: $DOCKERDIR/secrets/mysql_root_password
authelia_jwt_secret:
file: $DOCKERDIR/secrets/authelia_jwt_secret
authelia_session_secret:
@@ -62,8 +67,6 @@ secrets:
file: $DOCKERDIR/secrets/guac_mysql_user
guac_mysql_password:
file: $DOCKERDIR/secrets/guac_mysql_password
- mysql_root_password:
- file: $DOCKERDIR/secrets/mysql_root_password
########################### EXTENSION FIELDS
# Helps eliminate repetition of sections
@@ -87,7 +90,14 @@ x-common-keys-core: &common-keys-core
<<: *network-and-security
restart: always
# profiles:
- # - basic
+ # - core
+
+# Keys common to some of the services in basic-services.txt
+x-common-keys-core: &common-keys-monitoring
+ <<: *network-and-security
+ restart: always
+ # profiles:
+ # - monitoring
# Keys common to some of the dependent services/apps
x-common-keys-apps: &common-keys-apps
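Review bot: same problem as the docker-compose-t2-web.yml hunk: `x-common-keys-core: &common-keys-monitoring` duplicates the `x-common-keys-core` key defined a few lines above. Rename it to `x-common-keys-monitoring` and correct the `basic-services.txt` comment.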
@@ -132,7 +142,7 @@ services:
# - --serversTransport.insecureSkipVerify=true
- --log=true
- --log.level=WARN # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
- - --accessLog=false
+ - --accessLog=true
- --accessLog.filePath=/traefik.log
- --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
- --accessLog.filters.statusCodes=400-499
@@ -161,6 +171,8 @@ services:
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
+ # - --metrics.prometheus=true
+ # - --metrics.prometheus.buckets=0.1,0.3,1.2,5.0
networks:
t2_proxy:
ipv4_address: 192.168.90.254 # You can specify a static IP
@@ -178,7 +190,7 @@ services:
published: 443
protocol: tcp
mode: host
- # - target: 8080
+ # - target: 8080 # insecure api wont work
# published: 8080
# protocol: tcp
# mode: host
@@ -367,7 +379,7 @@ services:
- "traefik.http.routers.heimdall-rtr.middlewares=chain-oauth@file"
## HTTP Services
- "traefik.http.routers.heimdall-rtr.service=heimdall-svc"
- - "traefik.http.services.heimdall-svc.loadbalancer.server.port=80"
+ - "traefik.http.services.heimdall-svc.loadbalancer.server.port=3000"
############################# DOWNLOADERS
@@ -474,14 +486,13 @@ services:
container_name: qbittorrent
#network_mode: container:transmission-vpn
# ports:
- # - "$QBITTORRENT_PORT:8168"
+ # - "$QBITTORRENT_PORT:8080"
volumes:
- $DOCKERDIR/appdata/qbittorrent:/config
- $DATADIR/downloads:/downloads
environment:
<<: *default-tz-puid-pgid
UMASK_SET: 002
- WEBUI_PORT: 8168
labels:
- "traefik.enable=true"
## HTTP Routers
@@ -528,6 +539,32 @@ services:
- "traefik.http.routers.nzbget-rtr-bypass.service=nzbget-svc"
- "traefik.http.services.nzbget-svc.loadbalancer.server.port=6789"
+ youtubedl-material:
+ <<: *common-keys-apps # See EXTENSION FIELDS at the top
+ image: tzahi12345/youtubedl-material:latest
+ container_name: youtubedl-material
+ # ports:
+ # - "$YOUTUBEDLMATERIAL_PORT:17442"
+ volumes:
+ - $DOCKERDIR/appdata/youtubedl-material/config:/app/appdata
+ - $DATADIR/downloads/youtubedl-material/audio:/app/audio
+ - $DATADIR/downloads/youtubedl-material/video:/app/video
+ - $DATADIR/downloads/youtubedl-material/subscriptions:/app/subscriptions
+ - $DOCKERDIR/appdata/youtubedl-material/users:/app/users
+ environment:
+ UID: $PUID
+ GID: $PGID
+ labels:
+ - "traefik.enable=true"
+ ## HTTP Routers
+ - "traefik.http.routers.youtubedl-material-rtr.entrypoints=https"
+ - "traefik.http.routers.youtubedl-material-rtr.rule=Host(`ytdl.$DOMAINNAME0`)"
+ ## Middlewares
+ - "traefik.http.routers.youtubedl-material-rtr.middlewares=chain-oauth@file"
+ ## HTTP Services
+ - "traefik.http.routers.youtubedl-material-rtr.service=youtubedl-material-svc"
+ - "traefik.http.services.youtubedl-material-svc.loadbalancer.server.port=17442"
+
############################# INDEXERS
# Prowlarr - Torrent proxy
@@ -592,7 +629,7 @@ services:
# Optional. See why MediaCover is mounted as volume https://github.com/htpcBeginner/docker-traefik/discussions/147
- $DATADIR/temp/appdata/lidarr/MediaCover:/config/MediaCover
- $DATADIR/downloads:/data/downloads
- - $DATADIR/media/music:/data/media/music
+ - $DATADIR/local/music:/data/media/music
- "/etc/localtime:/etc/localtime:ro"
environment:
<<: *default-tz-puid-pgid
@@ -697,7 +734,7 @@ services:
image: hotio/readarr:nightly
container_name: readarr
# ports:
- # - "$READARR_PORT:8989"
+ # - "$READARR_PORT:8787"
volumes:
- $DOCKERDIR/appdata/readarr:/config
- $DATADIR/downloads:/data/downloads
@@ -731,10 +768,8 @@ services:
- $DOCKERDIR/appdata/airsonic/config:/config
- $DATADIR/local/music:/data/music
environment:
- - PUID=$PUID
- - PGID=$PGID
- - TZ=$TZ
- - JAVA_OPTS=-Dserver.forward-headers-strategy=NATIVE # FRAMEWORK or NATIVE
+ <<: *default-tz-puid-pgid
+ JAVA_OPTS: '-Dserver.forward-headers-strategy=native' # optional - if you use a reverse-proxy
labels:
- "traefik.enable=true"
## HTTP Routers
@@ -945,7 +980,7 @@ services:
- default
# ports:
# - "$GRAFANA_PORT:3000"
- user: "0"
+ user: $PUID
volumes:
- $DOCKERDIR/appdata/grafana:/var/lib/grafana
environment:
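Review bot: `user: $PUID` is a real improvement over `user: "0"`, but it sets only the uid; since that uid has no passwd entry in the grafana image, the group falls back to gid 0 and files written under `$DOCKERDIR/appdata/grafana` end up root-group owned. Use `$PUID:$PGID` as the rest of the repo does, and chown the existing data directory to match before restarting or Grafana will fail to open its database.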
@@ -1105,38 +1140,6 @@ services:
- "traefik.http.routers.qdirstat-rtr.service=qdirstat-svc"
- "traefik.http.services.qdirstat-svc.loadbalancer.server.port=5800"
- # DupeGuru - Duplicate File/Folder Remover
- dupeguru:
- <<: *common-keys-apps # See EXTENSION FIELDS at the top
- image: jlesage/dupeguru:latest
- container_name: dupeguru
- # ports:
- # - "$dupeguru_PORT:5800"
- volumes:
- - $USERDIR:/data/home:ro
- - $DOCKERDIR/appdata/dupeguru/config:/config:rw
- - /media/data:/data/data:rw
- environment:
- USER_ID: $PUID
- GROUP_ID: $PGID
- UMASK: 002
- TZ: $TZ
- KEEP_APP_RUNNING: 1
- CLEAN_TMP_DIR: 1
- DISPLAY_WIDTH: 1600
- DISPLAY_HEIGHT: 960
- VNC_PASSWORD: $DUPEGURU_VNC_PASSWD
- labels:
- - "traefik.enable=true"
- ## HTTP Routers
- - "traefik.http.routers.dupeguru-rtr.entrypoints=https"
- - "traefik.http.routers.dupeguru-rtr.rule=Host(`dupe.$DOMAINNAME0`)"
- ## Middlewares
- - "traefik.http.routers.dupeguru-rtr.middlewares=chain-oauth@file"
- ## HTTP Services
- - "traefik.http.routers.dupeguru-rtr.service=dupeguru-svc"
- - "traefik.http.services.dupeguru-svc.loadbalancer.server.port=5800"
-
# Dozzle - Real-time Docker Log Viewer
dozzle:
<<: *common-keys-apps # See EXTENSION FIELDS at the top
@@ -1169,21 +1172,22 @@ services:
# VSCode - VSCode Editing
vscode:
<<: *common-keys-core # See EXTENSION FIELDS at the top
- image: codercom/code-server:latest
+ image: lscr.io/linuxserver/code-server:latest
container_name: vscode
- ports:
- - "$VSCODE_PORT:8080"
volumes:
- - $USERDIR/server:/home/coder/server
- - $DOCKERDIR:/home/coder/docker
- - $DOCKERDIR/appdata/vscode:/home/coder
- - $DATADIR:/home/coder/data
+ - $DOCKERDIR:/data/docker
+ - $USERDIR/server:/data/server
+ - $DATADIR:/data/data
+ - $DOCKERDIR/appdata/vscode:/config
environment:
- PASSWORD: $VSCODE_PASSWORD
- # Run as root first, create the directories, then change permissions to user:docker and 775. Disable run as root below.
- user: $PUID:$PGID
- # user: "0"
- DOCKER_HOST: tcp://socket-proxy:2375
+ <<: *default-tz-puid-pgid
+ # DOCKER_HOST: tcp://socket-proxy:2375
+ # PASSWORD: $VSCODE_PASSWORD
+ # HASHED_PASSWORD: #optional
+ # SUDO_PASSWORD: password #optional
+ # SUDO_PASSWORD_HASH: #optional
+ # PROXY_DOMAIN: code-server.my.domain #optional
+ DEFAULT_WORKSPACE: /config/data/User/Workspaces/AZ.code-workspace #optional
labels:
- "traefik.enable=true"
## HTTP Routers
@@ -1193,7 +1197,7 @@ services:
- "traefik.http.routers.vscode-rtr.middlewares=chain-oauth@file"
## HTTP Services
- "traefik.http.routers.vscode-rtr.service=vscode-svc"
- - "traefik.http.services.vscode-svc.loadbalancer.server.port=8080"
+ - "traefik.http.services.vscode-svc.loadbalancer.server.port=8443"
# File Browser - Explorer
filebrowser:
@@ -1203,8 +1207,7 @@ services:
#ports:
# - "$FILEBROWSER_PORT:80"
volumes:
- - $DOCKERDIR/appdata/filebrowser/settings.json:/config/settings.json
- - $DOCKERDIR/appdata/filebrowser/filebrowser.db:/config/filebrowser.db
+ - $DOCKERDIR/appdata/filebrowser:/config
- /media:/data/media
- $USERDIR:/data/home
environment:
@@ -1265,7 +1268,6 @@ services:
DOCKER_HOST: tcp://socket-proxy:2375
# Cloudflare-Companion - Automatic CNAME DNS Creation
- # Docker Compose v2.1.1 maximum - see README
cf-companion:
<<: *common-keys-core # See EXTENSION FIELDS at the top
container_name: cf-companion
@@ -1281,9 +1283,9 @@ services:
- DOMAIN1_ZONE_ID=$CLOUDFLARE_ZONEID # Copy from Cloudflare Overview page
- DOMAIN1_PROXIED=TRUE
- DOCKER_HOST=tcp://socket-proxy:2375
- secrets: # not working
+ secrets:
- cf_token
labels:
# Add hosts specified in rules here to force cf-companion to create the CNAMEs
# Since cf-companion creates CNAMEs based on host rules, this a workaround for non-docker/external apps
- - "traefik.http.routers.cf-companion-rtr.rule=Host(Host(`webmin.$DOMAINNAME0`) || Host(`shell.$DOMAINNAME0`)"
+ - "traefik.http.routers.cf-companion-rtr.rule=Host(Host(`webmin.$DOMAINNAME0`) || Host(`shell.$DOMAINNAME0`) || Host(`stcdoc.$DOMAINNAME0`) || Host(`ag.$DOMAINNAME0`)"
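Review bot: the rule on `cf-companion-rtr` is syntactically broken both before and after this change: `Host(Host(`webmin...`) || ...` nests `Host(` inside `Host(` and leaves one parenthesis unclosed. It only works today because cf-companion extracts hostnames with a pattern match; Traefik itself would reject the router if this container were ever `traefik.enable=true`. Write it as `Host(`webmin.$DOMAINNAME0`) || Host(`shell.$DOMAINNAME0`) || Host(`stcdoc.$DOMAINNAME0`) || Host(`ag.$DOMAINNAME0`)` while the line is being touched.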
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..fb4f40c
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,498 @@
+version: "3.9"
+
+########################### NETWORKS
+# You may customize the network subnet (192.168.89.0/24) below as you please.
+# Docker Compose version 3.5 or higher required to define networks this way.
+
+networks:
+ default:
+ driver: bridge
+ npm_proxy:
+ name: npm_proxy
+ driver: bridge
+ ipam:
+ config:
+ - subnet: 192.168.89.0/24
+ # If you decide to use Socket Proxy, you need socket_proxy network as we. See https://www.smarthomebeginner.com/traefik-docker-security-best-practices/#9_Use_a_Docker_Socket_Proxy
+
+########################### EXTENSION FIELDS
+# Helps eliminate repetition of sections
+# More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228
+
+# Common environment values
+x-environment: &default-tz-puid-pgid
+ TZ: $TZ
+ PUID: $PUID
+ PGID: $PGID
+
+# Network and Security
+x-network-and-security: &network-and-security
+ networks:
+ - npm_proxy
+ security_opt:
+ - no-new-privileges:true
+
+# Keys common to some of the core services that we always to automatically restart on failure
+x-common-keys-core: &common-keys-core
+ <<: *network-and-security
+ restart: always
+
+# Keys common to some of the dependent services/apps
+x-common-keys-apps: &common-keys-apps
+ <<: *network-and-security
+ restart: unless-stopped
+
+# Keys common to some of the services in media-services.txt
+x-common-keys-media: &common-keys-media
+ <<: *network-and-security
+ restart: "no"
+
+########################### SERVICES
+services:
+
+ ############################# FRONTENDS
+
+ # Nginx Proxy Manager - Reverse Proxy with LetsEncrypt
+ npm:
+ <<: *common-keys-core # See EXTENSION FIELDS at the top
+ container_name: nginx-proxy-manager
+ image: 'jc21/nginx-proxy-manager:latest'
+ # For Static IP
+ networks:
+ # For Static IP
+ npm_proxy:
+ ipv4_address: 192.168.89.254 # You can specify a static IP
+ # For Dynamic IP
+ # networks:
+ # - npm_proxy
+ ports:
+ - '80:80' # Public HTTP Port. Port Forwarding on Router is ON.
+ - '443:443' # Public HTTPS Port. Port Forwarding on Router is ON.
+ - '81:81' # Admin Web Port. Port Forwarding on Router is OFF. Internal Home Network Access only - 192.168.89.254:81.
+ volumes:
+ - $DOCKERDIR/appdata/npm/config:/config
+ - $DOCKERDIR/appdata/npm/letsencrypt:/etc/letsencrypt
+ - $DOCKERDIR/appdata/npm/data:/data
+ environment:
+ DB_SQLITE_FILE: "/config/database.sqlite"
+ DISABLE_IPV6: 'true'
+
+ # Portainer - WebUI for Containers
+ portainer:
+ <<: *common-keys-core # See EXTENSION FIELDS at the top
+ container_name: portainer
+ image: portainer/portainer-ce:latest
+ command: -H unix:///var/run/docker.sock # Use Docker Socket Proxy and comment this line out, for improved security.
+ # command: -H tcp://socket-proxy:2375 # Use this instead, if you have Socket Proxy enabled.
+ networks:
+ - npm_proxy
+ ports: # Commented out because we are going to use Nginx Proxy Manager to access portainer WebUI.
+ - "9000:9000"
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy and comment this line out, for improved security.
+ - $DOCKERDIR/appdata/portainer/data:/data # Change to local directory if you want to save/transfer config locally.
+ environment:
+ - TZ=$TZ
+
+ # Heimdall - Application Dashboard
+ heimdall:
+ <<: *common-keys-core # See EXTENSION FIELDS at the top
+ image: lscr.io/linuxserver/heimdall
+ container_name: heimdall
+ ports:
+ - "3000:3000"
+ volumes:
+ - $DOCKERDIR/appdata/heimdall:/config
+ environment:
+ <<: *default-tz-puid-pgid
+
+ ############################# DOWNLOADERS
+
+ # nzbget - Binary newsgrabber (NZB downloader)
+ nzbget:
+ <<: *common-keys-apps # See EXTENSION FIELDS at the top
+ image: lscr.io/linuxserver/nzbget
+ container_name: nzbget
+ networks:
+ npm_proxy:
+ ipv4_address: 192.168.89.216
+ ports:
+ - "6789:6789"
+ volumes:
+ - $DOCKERDIR/appdata/nzbget:/config
+ - $DATADIR/downloads:/data/downloads
+ environment:
+ <<: *default-tz-puid-pgid
+
+ # TransmissionBT - Torrent Downloader
+ # For Proxmox LXC Containers - https://pve.proxmox.com/wiki/OpenVPN_in_LXC
+ transmission-vpn:
+ image: haugene/transmission-openvpn:latest
+ container_name: transmission-vpn
+ restart: unless-stopped
+ networks:
+ npm_proxy:
+ ipv4_address: 192.168.89.169
+ ports:
+ - "9091:9091"
+ cap_add:
+ - NET_ADMIN
+ devices:
+ - /dev/net/tun
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - $DOCKERDIR/appdata/transmission-vpn/data:/data
+ - $DOCKERDIR/appdata/transmission-vpn/config:/config
+ - $DATADIR/downloads:/data/downloads
+ environment:
+ <<: *default-tz-puid-pgid
+ OPENVPN_PROVIDER: FASTESTVPN
+ OPENVPN_USERNAME: $FASTEST_USERNAME
+ OPENVPN_PASSWORD: $FASTEST_PASSWORD
+ LOCAL_NETWORK: "$LOCAL_NETWORK"
+ UMASK_SET: 2
+ TRANSMISSION_RPC_AUTHENTICATION_REQUIRED: "true"
+ TRANSMISSION_RPC_HOST_WHITELIST: "127.0.0.1,$SERVER_IP"
+ TRANSMISSION_RPC_PASSWORD: $TRANSMISSION_RPC_PASSWORD
+ TRANSMISSION_RPC_USERNAME: $TRANSMISSION_RPC_USERNAME
+ TRANSMISSION_UMASK: 002
+ TRANSMISSION_RATIO_LIMIT: 1.00
+ TRANSMISSION_RATIO_LIMIT_ENABLED: "true"
+ TRANSMISSION_ALT_SPEED_DOWN: 40000
+ TRANSMISSION_ALT_SPEED_ENABLED: "false"
+ TRANSMISSION_ALT_SPEED_UP: 250
+ TRANSMISSION_SPEED_LIMIT_DOWN: 80000
+ TRANSMISSION_SPEED_LIMIT_DOWN_ENABLED: "true"
+ TRANSMISSION_SPEED_LIMIT_UP: 500
+ TRANSMISSION_SPEED_LIMIT_UP_ENABLED: "true"
+ TRANSMISSION_INCOMPLETE_DIR: /data/downloads/torrents/incomplete
+ TRANSMISSION_INCOMPLETE_DIR_ENABLED: "true"
+ TRANSMISSION_WATCH_DIR: /data/downloads/torrents
+ TRANSMISSION_WATCH_DIR_ENABLED: "true"
+ TRANSMISSION_DOWNLOAD_DIR: /data/downloads/torrents
+ LOG_TO_STDOUT: "true"
+
+ # qBittorrent - Torrent downloader without VPN
+ qbittorrent:
+ <<: *common-keys-apps # See EXTENSION FIELDS at the top
+ image: lscr.io/linuxserver/qbittorrent:latest
+ container_name: qbittorrent
+ #network_mode: container:transmission-vpn # Passing network through Transmission Container if VPN is needed.
+ ports:
+ - "8080:8080"
+ volumes:
+ - $DOCKERDIR/appdata/qbittorrent:/config
+ - $DATADIR/downloads:/downloads
+ environment:
+ <<: *default-tz-puid-pgid
+ UMASK_SET: 002
+
+ ############################# PVRS
+
+ # Prowlarr - Indexer Proxy
+ prowlarr:
+ <<: *common-keys-apps # See EXTENSION FIELDS at the top
+ image: ghcr.io/linuxserver/prowlarr:develop
+ container_name: prowlarr
+ networks:
+ npm_proxy:
+ ipv4_address: 192.168.89.162
+ ports:
+ - "9696:9696"
+ volumes:
+ - $DOCKERDIR/appdata/prowlarr:/config
+ - "/etc/localtime:/etc/localtime:ro"
+ environment:
+ <<: *default-tz-puid-pgid
+
+ # Lidarr - Music Management
+ lidarr:
+ <<: *common-keys-media # See EXTENSION FIELDS at the top
+ image: lscr.io/linuxserver/lidarr:latest
+ container_name: lidarr
+ networks:
+ npm_proxy:
+ ipv4_address: 192.168.89.163
+ ports:
+ - "8686:8686"
+ volumes:
+ - $DOCKERDIR/appdata/lidarr:/config
+ - $DATADIR/downloads:/data/downloads
+ - $DATADIR/local/music:/data/media/music
+ - "/etc/localtime:/etc/localtime:ro"
+ environment:
+ <<: *default-tz-puid-pgid
+
+ # Radarr - Movie management
+ radarr:
+ <<: *common-keys-media # See EXTENSION FIELDS at the top
+ image: lscr.io/linuxserver/radarr:nightly # latest was causing "Error parsing column 45"
+ container_name: radarr
+ networks:
+ npm_proxy:
+ ipv4_address: 192.168.89.164
+ ports:
+ - "7878:7878"
+ volumes:
+ - $DOCKERDIR/appdata/radarr:/config
+ - $DATADIR/downloads:/data/downloads
+ - $DATADIR/media:/data/media
+ - "/etc/localtime:/etc/localtime:ro"
+ environment:
+ <<: *default-tz-puid-pgid
+
+ # Sonarr - TV Shows management
+ sonarr:
+ <<: *common-keys-media # See EXTENSION FIELDS at the top
+ image: lscr.io/linuxserver/sonarr
+ container_name: sonarr
+ networks:
+ npm_proxy:
+ ipv4_address: 192.168.89.167
+ ports:
+ - "8989:8989"
+ volumes:
+ - $DOCKERDIR/appdata/sonarr:/config
+ - $DATADIR/downloads:/data/downloads
+ - $DATADIR/media:/data/media
+ - "/etc/localtime:/etc/localtime:ro"
+ environment:
+ <<: *default-tz-puid-pgid
+
+ # Readarr - Books management
+ readarr:
+ <<: *common-keys-media # See EXTENSION FIELDS at the top
+ image: hotio/readarr:nightly
+ container_name: readarr
+ ports:
+ - "8987:8987"
+ volumes:
+ - $DOCKERDIR/appdata/readarr:/config
+ - $DATADIR/downloads:/data/downloads
+ - $DATADIR/media/books:/data/media/books
+ - "/etc/localtime:/etc/localtime:ro"
+ environment:
+ <<: *default-tz-puid-pgid
+ UMASK: 002
+ #ARGS: ""
+
+ ############################# MEDIA
+
+ # Airsonic Advanced - Music Server
+ airsonic:
+ <<: *common-keys-media # See EXTENSION FIELDS at the top
+ image: lscr.io/linuxserver/airsonic-advanced
+ container_name: airsonic-advanced
+ ports:
+ - "4040:4040"
+ - "4041:4041" #UPnp
+ volumes:
+ - $DOCKERDIR/appdata/airsonic/podcasts:/data/podcasts
+ - $DOCKERDIR/appdata/airsonic/playlists:/data/playlists
+ - $DOCKERDIR/appdata/airsonic/config:/config
+ - $DATADIR/local/music:/data/music
+ environment:
+ <<: *default-tz-puid-pgid
+ JAVA_OPTS: '-Dserver.forward-headers-strategy=native' # Optional - if you use a reverse-proxy
+
+ # Jellyfin - Media Server
+ jellyfin:
+ <<: *common-keys-media # See EXTENSION FIELDS at the top
+ image: jellyfin/jellyfin:latest
+ container_name: jellyfin
+ #devices:
+ # - /dev/dri:/dev/dri # for harware transcoding
+ ports:
+ - "8096:8096"
+ - "8920:8920" # Emby also uses same port if running both
+ environment:
+ <<: *default-tz-puid-pgid
+ UMASK_SET: 022
+ volumes:
+ - $DOCKERDIR/appdata/jellyfin:/config
+ - $DATADIR/downloads:/data/downloads
+ - $DATADIR/media:/data/media
+ - /dev/shm:/data/transcode # Offload transcoding to RAM if you have enough RAM
+
+ # Plex - Media Server
+ plexms:
+ <<: *common-keys-media # See EXTENSION FIELDS at the top
+ image: plexinc/pms-docker:public
+ container_name: plexms
+ ports:
+ - "32400:32400/tcp"
+ - "3005:3005/tcp"
+ - "8324:8324/tcp"
+ - "32469:32469/tcp"
+ # - "1900:1900/udp" # Conflicts with xTeVe and Synology default ports
+ - "32410:32410/udp"
+ - "32412:32412/udp"
+ - "32413:32413/udp"
+ - "32414:32414/udp"
+ # - "33400:33400" # If you use Plex Web Tools
+ #devices:
+ # - /dev/dri:/dev/dri # for harware transcoding
+ volumes:
+ - $DOCKERDIR/appdata/plexms:/config
+ - $DATADIR/media:/media
+ - /dev/shm:/transcode
+ environment:
+ TZ: $TZ
+ HOSTNAME: "dockerPlex"
+ PLEX_CLAIM_FILE: $PLEX_CLAIM
+ PLEX_UID: $PUID
+ PLEX_GID: $PGID
+ ADVERTISE_IP: http://$SERVER_IP:32400/
+
+ # Tautulli - Plex Stats and Monitoring
+ tautulli:
+ <<: *common-keys-media # See EXTENSION FIELDS at the top
+ image: linuxserver/tautulli:latest
+ container_name: tautulli
+ ports:
+ - "8181:8181"
+ volumes:
+ - $DOCKERDIR/appdata/tautulli/config:/config
+ - $DOCKERDIR/appdata/plexms/Library/Application Support/Plex Media Server/Logs:/logs:ro # For tautulli Plex log viewer
+ environment:
+ <<: *default-tz-puid-pgid
+
+ # Ombi - Media Requests
+ ombi:
+ <<: *common-keys-media # See EXTENSION FIELDS at the top
+ image: linuxserver/ombi:latest
+ container_name: ombi
+ ports:
+ - "3579:3579"
+ volumes:
+ - $DOCKERDIR/appdata/ombi:/config
+ environment:
+ <<: *default-tz-puid-pgid
+
+ ############################# MEDIA FILE MANAGEMENT
+
+ # Bazarr - Subtitle Management
+ bazarr:
+ <<: *common-keys-media # See EXTENSION FIELDS at the top
+ image: lscr.io/linuxserver/bazarr
+ container_name: bazarr
+ ports:
+ - "6767:6767"
+ volumes:
+ - $DOCKERDIR/appdata/bazarr:/config
+ - $DATADIR/media:/data/media
+ environment:
+ <<: *default-tz-puid-pgid
+
+ # Picard - Music Library Tagging and Management
+ picard:
+ <<: *common-keys-apps # See EXTENSION FIELDS at the top
+ image: mikenye/picard:latest
+ container_name: picard
+ ports:
+ - "5800:5800"
+ volumes:
+ - $DATADIR:/data:rw
+ - $DOCKERDIR/appdata/picard:/config:rw
+ - /dev/shm:/dev/shm
+ environment:
+ USER_ID: $PUID
+ GROUP_ID: $PGID
+ TZ: $TZ
+ UMASK: 002
+ DISPLAY_WIDTH: 1600
+ DISPLAY_HEIGHT: 960
+
+ # Handbrake - Video Conversion (Transcoding and compression)
+ handbrake:
+ <<: *common-keys-apps # See EXTENSION FIELDS at the top
+ image: jlesage/handbrake:latest
+ container_name: handbrake
+ ports:
+ - "5801:5800"
+ volumes:
+ - $DATADIR/downloads:/data/downloads
+ - $DOCKERDIR/appdata/handbrake/config:/config
+ - $DOCKERDIR/appdata/handbrake/watch:/watch
+ environment:
+ USER_ID: $PUID
+ GROUP_ID: $PGID
+ UMASK: 002
+ TZ: $TZ
+ KEEP_APP_RUNNING: 1
+ CLEAN_TMP_DIR: 1
+ DISPLAY_WIDTH: 1600
+ DISPLAY_HEIGHT: 960
+ AUTOMATED_CONVERSION_KEEP_SOURCE: 1
+ VNC_PASSWORD: $HANDBRAKE_VNC_PASSWD
+
+ ############################# UTILITIES
+
+ # Dozzle - Real-time Docker Log Viewer
+ dozzle:
+ <<: *common-keys-apps # See EXTENSION FIELDS at the top
+ image: amir20/dozzle:latest
+ container_name: dozzle
+ networks:
+ - npm_proxy
+ ports:
+ - "8081:8080" # qBittorrent is using port 8080
+ environment:
+ DOZZLE_LEVEL: info
+ DOZZLE_TAILSIZE: 300
+ DOZZLE_FILTER: "status=running"
+ # DOZZLE_FILTER: "label=log_me" # limits logs displayed to containers with this label.
+ # DOCKER_HOST: tcp://socket-proxy:2375 # Use this instead if you have Socket Proxy enabled.
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy and comment this line for improved security.
+
+ # File Browser - Explorer
+ filebrowser:
+ <<: *common-keys-core # See EXTENSION FIELDS at the top
+ image: filebrowser/filebrowser:s6
+ container_name: filebrowser
+ ports:
+ - "82:80" # 80 and 81 are used by Nginx Proxy Manager
+ volumes:
+ - $DOCKERDIR/appdata/filebrowser:/config
+ - $USERDIR:/srv
+ environment:
+ <<: *default-tz-puid-pgid
+
+ ############################# MAINTENANCE
+
+ # Docker-GC - Automatic Docker Garbage Collection
+ # Create docker-gc-exclude file
+ dockergc:
+ <<: *common-keys-apps # See EXTENSION FIELDS at the top
+ image: clockworksoul/docker-gc-cron:latest
+ container_name: docker-gc
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy and comment this line for improved security.
+ - $DOCKERDIR/appdata/docker-gc/docker-gc-exclude:/etc/docker-gc-exclude # Create empty file
+ environment:
+ CRON: 0 0 0 * * ? # Everyday at midnight. Previously 0 0 * * *
+ FORCE_IMAGE_REMOVAL: 1
+ FORCE_CONTAINER_REMOVAL: 0
+ GRACE_PERIOD_SECONDS: 604800
+ DRY_RUN: 0
+ CLEAN_UP_VOLUMES: 1
+ TZ: $TZ
+ # DOCKER_HOST: tcp://socket-proxy:2375 # Use this if you have Socket Proxy enabled.
+
+ # WatchTower - Automatic Docker Container Updates
+ watchtower:
+ <<: *common-keys-core # See EXTENSION FIELDS at the top
+ image: containrrr/watchtower
+ container_name: watchtower
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ environment:
+ TZ: $TZ
+ WATCHTOWER_CLEANUP: "true"
+ WATCHTOWER_REMOVE_VOLUMES: "true"
+ WATCHTOWER_INCLUDE_STOPPED: "true"
+ WATCHTOWER_NO_STARTUP_MESSAGE: "false"
+ WATCHTOWER_SCHEDULE: "0 30 12 * * *" # Everyday at 12:30
+ # DOCKER_HOST: tcp://socket-proxy:2375 # Use this if you have Socket Proxy enabled.
+ DOCKER_API_VERSION: "1.40"
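Review bot: three services in this hunk bind-mount the Docker socket read-write, `- /var/run/docker.sock:/var/run/docker.sock` under dozzle, dockergc and watchtower, which hands each of those containers root-equivalent control of the host, while the adjacent `# DOCKER_HOST: tcp://socket-proxy:2375` lines show the socket proxy is the intended path; switch the three to the proxy (limited to the API endpoints each tool actually needs) in this change rather than leaving the hardening as a comment, and note that a `:ro` mount of the socket is not a substitute, since it only protects the socket inode and still allows full API calls. Two smaller points in the same hunk: `qbittorrent` publishes `- "8080:8080"`, but the commented `#network_mode: container:transmission-vpn` alternative cannot coexist with a `ports:` section, so the comment should say the mapping has to move to `transmission-vpn` when the VPN path is enabled; and `watchtower` runs untagged (`image: containrrr/watchtower`) with `WATCHTOWER_REMOVE_VOLUMES: "true"` against a stack whose images are mostly `:latest`, `:nightly` or `:develop`, so a daily unattended pull of whatever those tags resolve to, dropping attached anonymous volumes on update, deserves a pinned watchtower tag and an explicit comment about the rollback and data-loss risk.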
diff --git a/scripts/homeserver/upload-media.sh.example b/scripts/homeserver/upload-media.sh.example
index 3257f03..0c94278 100644
--- a/scripts/homeserver/upload-media.sh.example
+++ b/scripts/homeserver/upload-media.sh.example
@@ -34,7 +34,7 @@ then
ps -ef | grep "$pscheck"
exit
else
- echo -e "\n### `date`: No currently running processes found. Starting rclone job.\n" >> $DOCKERFOLDER/logs/homeserver/upload-media.log
+ echo -e "\n\n### `date +'%Y-%m-%d %H:%M'`: No currently running processes found. Starting rclone job.\n" >> $DOCKERFOLDER/logs/homeserver/upload-media.log
fi
# Exclude File Check
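Review bot: the redirect target `$DOCKERFOLDER/logs/homeserver/upload-media.log` in the new `echo` line is unquoted and nothing in the visible script guards against `DOCKERFOLDER` being unset, in which case the append lands in `/logs/homeserver/upload-media.log` (or fails) instead of the docker tree; quote it (`>> "$DOCKERFOLDER/logs/homeserver/upload-media.log"`) and prefer `$(date +'%Y-%m-%d %H:%M')` over backticks inside a double-quoted string, which reads more clearly and nests safely. The surrounding `ps -ef | grep "$pscheck"` guard also matches the grep process itself; a lock file held with `flock` (or `pgrep -f`, which excludes itself) is a more reliable way to keep two rclone jobs from overlapping.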
diff --git a/scripts/synology/increase_inotify_limits_syncthing.sh.example b/scripts/synology/increase_inotify_limits_syncthing.sh.example
index 9132e10..1b95c49 100755
--- a/scripts/synology/increase_inotify_limits_syncthing.sh.example
+++ b/scripts/synology/increase_inotify_limits_syncthing.sh.example
@@ -6,4 +6,4 @@
# echo "fs.inotify.max_user_watches=204800" | tee -a /etc/sysctl.conf
-echo 204800 | tee /proc/sys/fs/inotify/max_user_watches
\ No newline at end of file
+echo 524288 | tee /proc/sys/fs/inotify/max_user_watches
\ No newline at end of file
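Review bot: `echo 524288 | tee /proc/sys/fs/inotify/max_user_watches` only changes the running kernel and the limit reverts to the default at the next reboot, while the persistent `fs.inotify.max_user_watches` sysctl.conf line just above it stays commented out; either uncomment that line (and apply it with `sysctl -p`) or run this script as a boot-time scheduled task so Syncthing keeps the raised limit across restarts. Both versions also end without a trailing newline (`\ No newline at end of file`); add one while touching the file.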
diff --git a/secrets_example/cloudflare_email b/secrets_example/cf_email
similarity index 100%
rename from secrets_example/cloudflare_email
rename to secrets_example/cf_email
diff --git a/shared/config/bash_aliases b/shared/config/bash_aliases
index 586c9f4..c466321 100755
--- a/shared/config/bash_aliases
+++ b/shared/config/bash_aliases
@@ -35,7 +35,7 @@ case $HOSTNAME in
cDoc|zDoc)
alias dcrun2='sudo docker-compose -f /home/$BA_USERNAME/docker/docker-compose-t2.yml'
;;
- cSHB|zSHB)
+ cSHB|zSHB|cshb)
alias dcrun2='sudo docker-compose -f /home/$BA_USERNAME/docker/docker-compose-t2-web.yml'
;;
zSyn)
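Review bot: adding `cshb` as a third literal alternative in `cSHB|zSHB|cshb)` papers over a case-sensitivity problem that the other branches (`cDoc|zDoc)`, `zSyn)`) still have; matching on a lowercased hostname (`case ${HOSTNAME,,} in` with all-lowercase patterns) or `shopt -s nocasematch` before the `case` handles every host uniformly instead of growing the pattern list one machine at a time.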
@@ -57,6 +57,11 @@ alias stopbasic='dcstop2 $(cat /home/$BA_USERNAME/docker/scripts/homeserver/basi
alias stopmedia='dcstop2 $(cat /home/$BA_USERNAME/docker/scripts/homeserver/media-services.txt)'
alias startmedia='dcup2 $(cat /home/$BA_USERNAME/docker/scripts/homeserver/media-services.txt)'
+# MONITORING STACK
+alias dcmlogs2='dcrun2 logs -tf --tail="50" $(cat /home/$BA_USERNAME/docker/scripts/monitoring-services.txt)'
+alias dcmrec2='dcrun2 up -d --force-recreate $(cat /home/$BA_USERNAME/docker/scripts/monitoring-services.txt)'
+alias dcmstop2='dcrun2 stop $(cat /home/$BA_USERNAME/docker/scripts/monitoring-services.txt)'
+
# DOCKER TRAEFIK 1 SWARM
alias dslogs='sudo docker service logs -tf --tail="50"'
alias dsps='sudo docker stack ps zstack'
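Review bot: the three new aliases splice `$(cat /home/$BA_USERNAME/docker/scripts/monitoring-services.txt)` into the argument list, so if that file is missing or empty `dcmstop2` becomes a bare `dcrun2 stop` and `dcmrec2` a bare `dcrun2 up -d --force-recreate`, which stop or recreate every service in the compose file rather than only the monitoring stack; the path also drops the `homeserver/` component used by `media-services.txt` two lines above, so a typo here is plausible. Make these shell functions that read the list first and bail out when it is empty, e.g. `svcs=$(cat "$f") && [ -n "$svcs" ] || return 1`, before calling `dcrun2`.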
@@ -136,7 +141,7 @@ alias usage10='du -hsx * | sort -rh | head -10' # Gives you what is using the mo
# BASH
alias baupdate='. ~/.bashrc'
alias baedit='nano /home/$BA_USERNAME/.bash_aliases'
-alias bacopy='sudo cp /home/$BA_USERNAME/.bash_aliases* /root/'
+#alias bacopy='sudo cp /home/$BA_USERNAME/.bash_aliases* /root/'
alias badomain='echo $BA_DOMAINNAME' # for troubleshooting
# GIT AND SITE MANAGEMENT
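Review bot: `bacopy` copied `/home/$BA_USERNAME/.bash_aliases*` into `/root/`, which meant root's shell would source a file the unprivileged user can edit, a clean privilege-escalation path once that account or any process running as it is compromised; disabling it is the right call, but delete the line rather than leaving it commented (the `sudo docker-compose` aliases above run from the user's shell and do not need root to have a copy), and remove any `/root/.bash_aliases` already deployed on the hosts.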