Skip to content

Instantly share code, notes, and snippets.

@wtw24
Forked from jerkovicl/docker-compose.yml
Created February 26, 2020 09:29
Show Gist options
  • Save wtw24/8f790c11fce4b8eedbe94306745b4c45 to your computer and use it in GitHub Desktop.
Save wtw24/8f790c11fce4b8eedbe94306745b4c45 to your computer and use it in GitHub Desktop.
#Reference: https://www.smarthomebeginner.com/traefik-reverse-proxy-tutorial-for-docker
# Setup bitwarden database
# docker exec -it mariadb mysql -uroot -p$MYSQL_ROOT_PASSWORD
# CREATE DATABASE bitwarden CHARACTER SET = utf8mb4 COLLATE = utf8mb4_unicode_ci;
# GRANT ALL PRIVILEGES ON bitwarden.* TO 'bitwarden'@'bitwarden.traefik_proxy' IDENTIFIED BY '<password>';
# FLUSH PRIVILEGES;
# exit
#Requirement: nano .env -> Set environmental variables: ${$USERDIR}, ${PUID}, ${PGID}, ${TZ}, ${DOMAINNAME}, ${CLOUDFLARE_EMAIL}, ${CLOUDFLARE_API_KEY}, ${HTTP_USERNAME}, ${HTTP_PASSWORD}, ${PLEX_CLAIM} etc. as explained in the reference.
version: "3.7"
services:
######### FRONTENDS ##########
# Traefik Reverse Proxy
traefik:
hostname: traefik
image: traefik:v1.7.17
container_name: traefik
restart: always
domainname: ${DOMAINNAME}
networks:
- default
- traefik_proxy
ports:
- "80:80"
- "443:443"
# - "XXXX:8080"
environment:
- CF_API_EMAIL=${CLOUDFLARE_EMAIL}
- CF_API_KEY=${CLOUDFLARE_API_KEY}
labels:
- "traefik.enable=true"
- "traefik.backend=traefik"
- "traefik.frontend.rule=Host:traefik.${DOMAINNAME}"
# - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefixStrip: /traefik"
- "traefik.port=8080"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=traefik.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
#- "traefik.frontend.auth.basic.users=${HTTP_USERNAME}:${HTTP_PASSWORD}"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ${USERDIR}/docker/traefik:/etc/traefik
- ${USERDIR}/docker/shared:/shared
# The auth gate for SSO
traefik-forward-auth:
# thomseddeon's image doesnt support OIDC_ISSUER yet
# image: thomseddon/traefik-forward-auth
image: funkypenguin/traefik-forward-auth
container_name: traefik-forward-auth
networks:
- traefik_proxy
environment:
CLIENT_ID: ${AUTH_CLIENT_ID}
CLIENT_SECRET: ${AUTH_CLIENT_SECRET}
# This is based on using the Master realm. Create a new client, this will go into your CLIENT_ID, CLIENT_SECRET details.
OIDC_ISSUER: https://keycloak.${DOMAINNAME}/auth/realms/master
SECRET: ${HTTP_PASSWORD}
AUTH_HOST: auth.${DOMAINNAME}
COOKIE_DOMAINS: ${DOMAINNAME}
#WHITELIST: ${EMAIL}
COOKIE_SECURE: "true"
LIFETIME: "2592000"
restart: always
labels:
- "traefik.enable=true"
- "traefik.port=4181"
- "traefik.frontend.rule=Host:auth.${DOMAINNAME}"
- "traefik.backend=traefik-forward-auth"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
depends_on:
- keycloak
- traefik
# Keycloak - identity and access management solution
keycloak:
image: jboss/keycloak
container_name: keycloak
domainname: ${DOMAINNAME}
restart: always
# ports:
# - "8080:8080"
networks:
- traefik_proxy
- keycloak
volumes:
# - ${USERDIR}/docker/keycloak/config.json:/config.json
- /etc/localtime:/etc/localtime:ro
environment:
- PUID=${PUID}
- PGID=${PGID}
- KEYCLOAK_USER=${KEYCLOAK_USER}
- KEYCLOAK_PASSWORD=${KEYCLOAK_PASSWORD}
# - KEYCLOAK_IMPORT=/config.json
- DB_VENDOR=mariadb
- DB_DATABASE=keycloak
- DB_ADDR=mariadb
- DB_USER=keycloak
- DB_PASSWORD=${MYSQL_ROOT_PASSWORD}
# This is required to run keycloak behind traefik
- PROXY_ADDRESS_FORWARDING=true
- KEYCLOAK_HOSTNAME=keycloak.${DOMAINNAME}
# Tell MYSQL what user/password to create
- MYSQL_USER=keycloak
- MYSQL_PASSWORD=${MYSQL_ROOT_PASSWORD}
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik_proxy"
- "traefik.backend=keycloak"
- "traefik.frontend.rule=Host:keycloak.${DOMAINNAME}"
# - "traefik.protocol: http"
- "traefik.port=8080"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=keycloak.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
depends_on:
- mariadb
#Portainer - WebUI for Containers
portainer:
image: portainer/portainer
container_name: portainer
restart: always
command: -H unix:///var/run/docker.sock
# ports:
# - "XXXX:9000"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ${USERDIR}/docker/portainer/data:/data
- ${USERDIR}/docker/shared:/shared
environment:
- TZ=${TZ}
networks:
- traefik_proxy
labels:
- "traefik.enable=true"
- "traefik.backend=portainer"
- "traefik.frontend.rule=Host:portainer.${DOMAINNAME}"
# - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefixStrip: /portainer"
- "traefik.port=9000"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=portainer.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
# Organizer - Unified HTPC/Home Server Web Interface
organizr:
container_name: organizr
restart: always
image: lsiocommunity/organizr
volumes:
- ${USERDIR}/docker/organizr:/config
- ${USERDIR}/docker/shared:/shared
# ports:
# - "XXXX:80"
environment:
- PUID=${PUID}
- PGID=${PGID}
- TZ=${TZ}
networks:
- traefik_proxy
labels:
- "traefik.enable=true"
- "traefik.backend=organizr"
- "traefik.frontend.rule=Host:organizr.${DOMAINNAME}"
# - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefixStrip: /organizr"
- "traefik.port=80"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=organizr.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
# phpMyAdmin - WebUI for MariaDB
phpmyadmin:
hostname: phpmyadmin
container_name: phpmyadmin
image: phpmyadmin/phpmyadmin
restart: always
depends_on:
- mariadb
# ports:
# - XXXX:80
environment:
- PMA_HOST=mariadb
- PMA_USER=root
- PMA_PASSWORD=${MYSQL_ROOT_PASSWORD}
- PMA_ABSOLUTE_URI=https://pma.${DOMAINNAME}
volumes:
- ${USERDIR}/docker/phpmyadmin/config.user.inc.php:/etc/phpmyadmin/config.user.inc.php
- ${USERDIR}/docker/phpmyadmin/php.ini:/usr/local/etc/php/conf.d/php.ini
- ${USERDIR}/docker/phpmyadmin/custom/phpmyadmin/theme:/www/themes/theme/
networks:
- traefik_proxy
- default
labels:
- "traefik.enable=true"
- "traefik.backend=pma"
- "traefik.frontend.rule=Host:pma.${DOMAINNAME}"
- "traefik.port=80"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=pma.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
######### DOCKER RELATED ##########
# Watchtower - Automatic Update of Containers/Apps
watchtower:
container_name: watchtower
hostname: watchtower
restart: always
image: containrrr/watchtower #v2tec/watchtower
volumes:
- /var/run/docker.sock:/var/run/docker.sock
environment:
- WATCHTOWER_NOTIFICATIONS=slack
- WATCHTOWER_NOTIFICATION_SLACK_HOOK_URL=${SLACK_WEBHOOK_URL}
- WATCHTOWER_NOTIFICATION_SLACK_IDENTIFIER=watchtower
- WATCHTOWER_NOTIFICATION_SLACK_CHANNEL=#docker
command: --schedule "0 0 4 * * *" --cleanup --debug
# Docker Garbage Collector
dockergc:
container_name: docker-gc
image: clockworksoul/docker-gc-cron:latest
#network_mode: "host"
restart: always
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ${USERDIR}/docker/shared/docker-gc-exclude:/etc/docker-gc-exclude
environment:
- CRON=0 9,21 * * *
- FORCE_IMAGE_REMOVAL=1
- FORCE_CONTAINER_REMOVAL=1
- MINIMUM_IMAGES_TO_SAVE=1
- GRACE_PERIOD_SECONDS=3600
- DRY_RUN=0
- CLEAN_UP_VOLUMES=1
- TZ=${TZ}
# Dozzle - realtime log viewer for docker containers
dozzle:
container_name: dozzle
image: amir20/dozzle:latest
restart: always
environment:
- DOZZLE_TAILSIZE=100
- DOZZLE_LEVEL=info
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /etc/localtime:/etc/localtime:ro
#ports:
# - 9999:8080
networks:
- traefik_proxy
labels:
- "traefik.enable=true"
- "traefik.backend=dozzle"
- "traefik.frontend.rule=Host:dozzle.${DOMAINNAME}"
- "traefik.port=8080"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=dozzle.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
# Cloudflare DDNS
cloudddns:
container_name: cloudddns
restart: always
image: joshava/cloudflare-ddns
volumes:
- ${USERDIR}/docker/shared/config.yml:/app/config.yaml
environment:
- PUID=${PUID}
- PGID=${PGID}
- TZ=${TZ}
# Traefik Certificate Extractor
#https://hub.docker.com/r/ldez/traefik-certs-dumper
certsdump:
container_name: certsdump
image: ldez/traefik-certs-dumper
command: file --source /acme.json --dest /dump/live --domain-subdir --crt-name=fullchain --key-name=privkey --crt-ext=.pem --key-ext=.pem
volumes:
- ${USERDIR}/docker/traefik/acme/acme.json:/acme.json:ro
- ${USERDIR}/docker/shared/letsencrypt/etc:/dump
restart: "no"
######### DOWNLOADERS ##########
# qBittorrent without VPN – Bittorrent Downloader
qbittorrent:
image: "linuxserver/qbittorrent"
container_name: "qbittorrent"
volumes:
- ${USERDIR}/docker/qbittorrent:/config
- ${USERDIR}/Downloads/completed:/downloads
- ${USERDIR}/docker/shared:/shared
ports:
- "8080:8080"
- "6881:6881"
- "6881:6881/udp"
restart: always
environment:
- PUID=${PUID}
- PGID=${PGID}
- TZ=${TZ}
- UMASK_SET=002
- WEBUI_PORT=8080
networks:
- traefik_proxy
labels:
- "traefik.enable=true"
- "traefik.backend=qbittorrent"
# - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefixStrip: /qbittorrent"
- "traefik.frontend.rule=Host:qbit.${DOMAINNAME}"
- "traefik.port=8080"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=qbit.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
# SABnzbd – Usenet (NZB) Downloader
sabnzbd:
image: "linuxserver/sabnzbd"
container_name: "sabnzbd"
volumes:
- ${USERDIR}/docker/sabnzbd:/config
- ${USERDIR}/Downloads/completed:/downloads
- ${USERDIR}/Downloads/incomplete:/incomplete-downloads
- ${USERDIR}/docker/shared:/shared
# ports:
# - "XXXX:8080"
restart: always
environment:
- PUID=${PUID}
- PGID=${PGID}
- TZ=${TZ}
networks:
- traefik_proxy
labels:
- "traefik.enable=true"
- "traefik.backend=sabnzbd"
- "traefik.frontend.rule=Host:sabnzbd.${DOMAINNAME}"
# - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefix: /sabnzbd"
- "traefik.port=8080"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=sabnzbd.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
######### PERSONAL VIDEO RECORDERS ##########
# Radarr – Movie Download and Management
radarr:
image: "linuxserver/radarr"
container_name: "radarr"
volumes:
- ${USERDIR}/docker/radarr:/config
- ${USERDIR}/Downloads/completed:/downloads
- ${USERDIR}/media/movies:/movies
- /etc/localtime:/etc/localtime:ro
- ${USERDIR}/docker/shared:/shared
# ports:
# - "XXXX:7878"
restart: always
environment:
- PUID=${PUID}
- PGID=${PGID}
- TZ=${TZ}
networks:
- traefik_proxy
labels:
- "traefik.enable=true"
- "traefik.backend=radarr"
# - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefix: /radarr"
- "traefik.frontend.rule=Host:radarr.${DOMAINNAME}"
- "traefik.port=7878"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=radarr.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true" # set to false to show as tabs in organizr
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
# Sonarr – TV Show Download and Management
sonarr:
image: "linuxserver/sonarr"
container_name: "sonarr"
volumes:
- ${USERDIR}/docker/sonarr:/config
- ${USERDIR}/Downloads/completed:/downloads
- ${USERDIR}/media/tvshows:/tv
- /etc/localtime:/etc/localtime:ro
- ${USERDIR}/docker/shared:/shared
# ports:
# - "XXXX:8989"
restart: always
environment:
- PUID=${PUID}
- PGID=${PGID}
- TZ=${TZ}
networks:
- traefik_proxy
labels:
- "traefik.enable=true"
- "traefik.backend=sonarr"
# - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefix: /sonarr"
- "traefik.frontend.rule=Host:sonarr.${DOMAINNAME}"
- "traefik.port=8989"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=sonarr.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
# LIDARR - Music Download and Management
lidarr:
image: "linuxserver/lidarr"
hostname: lidarr
container_name: "lidarr"
volumes:
- ${USERDIR}/docker/lidarr:/config
- ${USERDIR}/Downloads/completed:/downloads
- ${USERDIR}/media/music:/music
- /etc/localtime:/etc/localtime:ro
- ${USERDIR}/docker/shared:/shared
# ports:
# - "XXXX:8686"
restart: always
environment:
- PUID=${PUID}
- PGID=${PGID}
- TZ=${TZ}
networks:
- traefik_proxy
labels:
- "traefik.enable=true"
- "traefik.backend=lidarr"
# - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefix: /lidarr"
- "traefik.frontend.rule=Host:lidarr.${DOMAINNAME}"
- "traefik.port=8686"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=lidarr.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
# Bazarr - Subtitles download and managment
bazarr:
image: linuxserver/bazarr
container_name: bazarr
restart: always
environment:
- PUID=${PUID}
- PGID=${PGID}
- TZ=${TZ}
- UMASK_SET=022 #optional
volumes:
- ${USERDIR}/docker/bazarr:/config
- ${USERDIR}/media/movies:/movies
- /etc/localtime:/etc/localtime:ro
- ${USERDIR}/media/tvshows:/tv
# ports:
# - 6767:6767
networks:
- traefik_proxy
labels:
- "traefik.enable=true"
- "traefik.backend=bazarr"
# - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefix: /bazarr"
- "traefik.frontend.rule=Host:bazarr.${DOMAINNAME}"
- "traefik.port=6767"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=bazarr.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
# Lazylibrarian – Ebooks and Management
lazylibrarian:
image: "linuxserver/lazylibrarian"
container_name: "lazylibrarian"
volumes:
- ${USERDIR}/docker/lazylibrarian:/config
- ${USERDIR}/Downloads/completed:/downloads
- ${USERDIR}/media/books:/books
- /etc/localtime:/etc/localtime:ro
- ${USERDIR}/docker/shared:/shared
# ports:
# - "XXXX:5299"
restart: always
environment:
- PUID=${PUID}
- PGID=${PGID}
- TZ=${TZ}
- DOCKER_MODS=linuxserver/calibre-web:calibre # set the path to converter tool to /usr/bin/calibredb
networks:
- traefik_proxy
labels:
- "traefik.enable=true"
- "traefik.backend=lazylibrarian"
# - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefix: /lazylibrarian"
- "traefik.frontend.rule=Host:lazylibrarian.${DOMAINNAME}"
- "traefik.port=5299"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=lazylibrarian.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
######### MEDIA SERVER APPS ##########
# Plex Media Server
plexms:
container_name: plexms
restart: always
image: plexinc/pms-docker
volumes:
- ${USERDIR}/docker/plexms:/config
- ${USERDIR}/Downloads/plex_tmp:/transcode
- ${USERDIR}/media:/media
- ${USERDIR}/docker/shared:/shared
ports:
- "32400:32400/tcp"
- "3005:3005/tcp"
- "8324:8324/tcp"
- "32469:32469/tcp"
- "1900:1900/udp"
- "32410:32410/udp"
- "32412:32412/udp"
- "32413:32413/udp"
- "32414:32414/udp"
environment:
- TZ=${TZ}
- HOSTNAME="Docker Plex"
- PLEX_CLAIM=${PLEX_CLAIM}
- PLEX_UID=${PUID}
- PLEX_GID=${PGID}
- ADVERTISE_IP="http://SERVER-IP:32400/" # IP Address of your server, run ifconfig
networks:
- traefik_proxy
labels:
- "traefik.enable=true"
- "traefik.backend=plexms"
- "traefik.frontend.rule=Host:plex.${DOMAINNAME}"
- "traefik.port=32400"
- "traefik.protocol=http"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=plex.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
# Jellyfin - Media Server
jellyfin:
image: linuxserver/jellyfin
container_name: jellyfin
restart: always
environment:
- PUID=${PUID}
- PGID=${PGID}
- TZ=${TZ}
- UMASK_SET=022 #optional
volumes:
- ${USERDIR}/docker/jellyfin:/config
- ${USERDIR}/media/movies:/data/movies
- ${USERDIR}/media/tvshows:/data/tvshows
- /etc/localtime:/etc/localtime:ro
# - /path for transcoding:/transcode #optional
# - /opt/vc/lib:/opt/vc/lib #optional for raspberry pi
# ports:
# - 8096:8096
# - 8920:8920 #optional
devices:
- /dev/dri:/dev/dri #optional, if you want to use your Intel GPU for hardware accelerated video encoding
# - /dev/vchiq:/dev/vchiq #optional for raspberry pi
networks:
- traefik_proxy
labels:
- "traefik.enable=true"
- "traefik.backend=jellyfin"
# - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefix: /jellyfin"
- "traefik.frontend.rule=Host:jellyfin.${DOMAINNAME}"
- "traefik.port=8096"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=jellyfin.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
# Funkwhale - music streaming server
funkwhale:
image: thetarkus/funkwhale
container_name: funkwhale
restart: unless-stopped
networks:
- traefik_proxy
environment:
- TZ=${TZ}
- PUID=${PUID}
- PGID=${PGID}
- FUNKWHALE_HOSTNAME=funkwhale.${DOMAINNAME}
- LIBRARY_ID=${LIBRARY_ID}
volumes:
- ${USERDIR}/docker/funkwhale:/data
- ${USERDIR}/media/music:/music
labels:
- "traefik.enable=true"
- "traefik.backend=funkwhale"
- "traefik.frontend.rule=Host:funkwhale.${DOMAINNAME}"
- "traefik.port=80"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=funkwhale.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
# MusicBrainz Picard – Music Management
picard:
container_name: picard
image: mikenye/picard
restart: always
networks:
- traefik_proxy
# ports:
# - "5800:5800"
volumes:
- $USERDIR/media/music:/storage:rw
- $USERDIR/docker/picard:/config:rw
environment:
- USER_ID=${PUID}
- GROUP_ID=${PGID}
- TZ=${TZ}
- UMASK=002
- DISPLAY_WIDTH=1280
- DISPLAY_HEIGHT=768
labels:
- "traefik.enable=true"
- "traefik.backend=picard"
- "traefik.frontend.rule=Host:picard.${DOMAINNAME}"
- "traefik.port=5800"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=picard.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
# Ubooquity - home server for comics and ebooks library
ubooquity:
image: linuxserver/ubooquity
container_name: ubooquity
restart: always
environment:
- PUID=${PUID}
- PGID=${PGID}
- TZ=${TZ}
- MAXMEM=1024
volumes:
- ${USERDIR}/docker/ubooquity:/config
- ${USERDIR}/media/books:/books
- ${USERDIR}/media/comics:/comics
- ${USERDIR}/media/files:/files
ports:
- 2202:2202
- 2203:2203
networks:
- traefik_proxy
labels:
- "traefik.enable=true"
- "traefik.backend=ubooquity"
- "traefik.frontend.rule=Host:ubooquity.${DOMAINNAME}"
- "traefik.port=2202"
- "traefik.admin.frontend.rule=Host:ubooquity.${DOMAINNAME}; PathPrefix:/admin,/admin-res,/admin-api"
- "traefik.admin.port=2203"
- "traefik.protocol=http"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=ubooquity.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
# Calibre-web – Ebooks and Management
calibre-web:
image: "linuxserver/calibre-web"
container_name: "calibre-web"
volumes:
- ${USERDIR}/docker/calibre_web:/config
- ${USERDIR}/media/books:/books
- /etc/localtime:/etc/localtime:ro
# ports:
# - "XXXX:8083"
restart: always
environment:
- PUID=${PUID}
- PGID=${PGID}
- TZ=${TZ}
# - DOCKER_MODS=linuxserver/calibre-web:calibre # include for ebook conversion
networks:
- traefik_proxy
labels:
- "traefik.enable=true"
- "traefik.backend=calibre-web"
# - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefix: /calibre-web"
- "traefik.frontend.rule=Host:calibre-web.${DOMAINNAME}"
- "traefik.port=8083"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=calibre-web.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
calibre:
image: "linuxserver/calibre"
container_name: "calibre"
volumes:
- ${USERDIR}/Downloads/completed:/import
- ${USERDIR}/media/books:/books
- ${USERDIR}/docker/calibre:/config
- /etc/localtime:/etc/localtime:ro
# ports:
# - "XXXX:8080"
# - "XXXX:8081"
restart: always
environment:
- PUID=${PUID}
- PGID=${PGID}
- TZ=${TZ}
networks:
- traefik_proxy
labels:
- "traefik.enable=true"
- "traefik.backend=calibre"
# - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefix: /calibre"
- "traefik.frontend.rule=Host:calibre.${DOMAINNAME}"
- "traefik.port=8081"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=calibre.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
######### SEARCHERS ##########
# Jackett – Torrent Proxy
jackett:
image: "linuxserver/jackett"
container_name: "jackett"
volumes:
- ${USERDIR}/docker/jackett:/config
- ${USERDIR}/Downloads/completed:/downloads
- /etc/localtime:/etc/localtime:ro
- ${USERDIR}/docker/shared:/shared
# ports:
# - "XXXX:9117"
restart: always
environment:
- PUID=${PUID}
- PGID=${PGID}
- TZ=${TZ}
networks:
- traefik_proxy
labels:
- "traefik.enable=true"
- "traefik.backend=jackett"
- "traefik.frontend.rule=Host:jackett.${DOMAINNAME}"
# - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefix: /jackett"
- "traefik.port=9117"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=jackett.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
######### UTILITIES ##########
# MariaDB – Database Server for your Apps
mariadb:
image: "linuxserver/mariadb"
container_name: "mariadb"
hostname: mariadb
volumes:
- ${USERDIR}/docker/mariadb:/config
- ${USERDIR}/docker/mysql/scripts:/docker-entrypoint-initdb.d:ro
- ${USERDIR}/docker/mysql:/var/lib/mysql/data:rw
ports:
- target: 3306
published: 3306
protocol: tcp
mode: host
networks:
- traefik_proxy
- keycloak
restart: always
environment:
- MYSQL_DATABASE=keycloak
#- MYSQL_USER=keycloak
- MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
- PUID=${PUID}
- PGID=${PGID}
- TZ=${TZ}
# mysql db backup
db-backup:
container_name: db-backup
image: tiredofit/db-backup
depends_on:
- mariadb
volumes:
- ${USERDIR}/docker/mariadb/backups:/backup
- /etc/localtime:/etc/localtime:ro
environment:
#- DB_SERVER=mariadb
- DB_TYPE=mariadb
- DB_HOST=mariadb
- DB_USER=root
- DB_PASS=${MYSQL_ROOT_PASSWORD}
- DB_DUMP_FREQ=1440
- DB_DUMP_BEGIN=+20
#- DB_DUMP_TARGET=${USERDIR}/docker/mariadb/backups
- DB_CLEANUP_TIME=8640
- COMPRESSION=XZ
- SPLIT_DB=TRUE
networks:
- traefik_proxy
restart: always
# Redis - Key-value Store
redis:
container_name: redis
image: redis
restart: always
entrypoint: redis-server --appendonly yes
networks:
- traefik_proxy
# ports:
# - "6379:6379"
sysctls:
net.core.somaxconn: '65535'
volumes:
- ${USERDIR}/docker/redis/data:/data
- /etc/localtime:/etc/localtime:ro
#- ${USERDIR}/docker/redis/redis.conf:/usr/local/etc/redis/redis.conf
labels:
- "traefik.enable=true"
- "traefik.port=6379"
- "traefik.backend=redis"
- "traefik.docker.network=traefik_proxy"
# Redis Commander - Redis Management Tool
rediscommander:
container_name: rediscommander
image: rediscommander/redis-commander
restart: always
depends_on:
- redis
networks:
- traefik_proxy
# ports:
# - "8081:8081"
environment:
- REDIS_HOST=redis
labels:
- "traefik.enable=true"
- "traefik.backend=rediscommander"
- "traefik.frontend.rule=Host:rediscmd.${DOMAINNAME}"
- "traefik.port=8081"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=rediscmd.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
# CyberChef - the Cyber Swiss Army Knife web app for encryption, encoding, compression and data analysis
cyberchef:
container_name: cyberchef
image: mpepping/cyberchef
restart: always
networks:
- traefik_proxy
# ports:
# - "8000:8000"
labels:
- "traefik.enable=true"
- "traefik.backend=cyberchef"
- "traefik.frontend.rule=Host:cyberchef.${DOMAINNAME}"
- "traefik.port=8000"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=cyberchef.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
# NextCloud – Your Own Cloud Storage
nextcloud:
container_name: nextcloud
restart: always
image: linuxserver/nextcloud
volumes:
- ${USERDIR}/docker/nextcloud:/config
- ${USERDIR}/shared_data:/data
- ${USERDIR}/docker/shared:/shared
# ports:
# - "XXXX:443"
environment:
- PUID=${PUID}
- PGID=${PGID}
networks:
- traefik_proxy
labels:
- "traefik.enable=true"
- "traefik.backend=nextcloud"
- "traefik.frontend.rule=Host:nextcloud.${DOMAINNAME}"
- "traefik.port=443"
- "traefik.protocol=https"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=nextcloud.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
#- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
#- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
#- "traefik.frontend.auth.forward.trustForwardHeader=true"
# Bitwarden - Password Vault
bitwarden:
container_name: bitwarden
image: bitwardenrs/server-mysql
restart: always
networks:
- traefik_proxy
# ports:
# - "8888:80"
volumes:
- $USERDIR/docker/bitwarden:/data
- /var/log/docker:/var/log/docker
- /etc/localtime:/etc/localtime:ro
environment:
- SIGNUPS_ALLOWED=false # Change to false after first login
- INVITATIONS_ALLOWED=false
- WEBSOCKET_ENABLED=false #true
- LOG_FILE=/var/log/docker/bitwarden.log
- SMTP_HOST=smtp.gmail.com
- SMTP_FROM=${SMTP_EMAIL}
- SMTP_PORT=587
- SMTP_SSL=true
- SMTP_USERNAME=${SMTP_EMAIL}
- SMTP_PASSWORD=${SMTP_PASSWORD}
- DOMAIN=https://bitwarden.$DOMAINNAME
- ADMIN_TOKEN=supersecret
- DATABASE_URL=mysql://bitwarden:${MYSQL_ROOT_PASSWORD}@mariadb/bitwarden
labels:
- "traefik.enable=true"
- "traefik.backend=bitwarden"
- "traefik.frontend.rule=Host:bitwarden.${DOMAINNAME}"
#- "traefik.web.frontend.rule=Host:bitwarden.${DOMAINNAME}"
- "traefik.port=80"
# - "traefik.web.port=80"
- "traefik.hub.frontend.rule=Host:bitwarden.${DOMAINNAME};Path:/notifications/hub"
- "traefik.hub.port=3012"
- "traefik.hub.protocol=ws"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=bitwarden.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
#- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
#- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
#- "traefik.frontend.auth.forward.trustForwardHeader=true"
# Guacamole – Clientless remote desktop gateway
guacd:
container_name: guacd
hostname: guacd
image: guacamole/guacd
networks:
- traefik_proxy
restart: always
volumes:
- ${USERDIR}/docker/guacamole/drive:/drive:rw
- ${USERDIR}/docker/guacamole/record:/record:rw
guacamole:
container_name: guacamole
depends_on:
- guacd
- mariadb
environment:
- GUACD_HOSTNAME=guacd
#- GUACD_PORT=4822
- MYSQL_HOSTNAME=mariadb
- MYSQL_PORT=3306
- MYSQL_DATABASE=guacamole
- MYSQL_USER=guac
- MYSQL_PASSWORD=${MYSQL_ROOT_PASSWORD}
- GUACAMOLE_HOME=/etc/guacamole
image: guacamole/guacamole
volumes:
- ${USERDIR}/docker/guacamole:/etc/guacamole:rw
- /var/log/guacamole:/usr/local/tomcat/logs
networks:
- traefik_proxy
- default
ports:
- 8082:8080/tcp
restart: always
labels:
- "traefik.enable=true"
- "traefik.backend=guacamole" #guacamole_docker
- "traefik.frontend.rule=Host:guac.${DOMAINNAME}"
#- "traefik.frontend.rule=Host:guac.${DOMAINNAME}; AddPrefix: /guacamole"
- "traefik.port=8080"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=guac.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
# Netdata - real-time performance monitoring
netdata:
container_name: netdata
image: netdata/netdata
hostname: netdata
restart: always
cap_add:
- SYS_PTRACE
security_opt:
- apparmor:unconfined
environment:
- PUID=${PUID}
- PGID=${PGID}
- TZ=${TZ}
- NETDATA_PORT=19999
volumes:
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
networks:
- traefik_proxy
labels:
- "traefik.enable=true"
- "traefik.backend=netdata"
- "traefik.frontend.rule=Host:netdata.${DOMAINNAME}"
- "traefik.port=19999"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=netdata.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
# Glances - web-based top cmd
glances:
container_name: glances
hostname: glances
restart: always
image: vimagick/glances
#network_mode: host
pid: host
networks:
- traefik_proxy
volumes:
- ${USERDIR}/docker/glances:/etc/glances
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- GLANCES_OPT=-w
labels:
- "traefik.enable=true"
- "traefik.backend=glances"
- "traefik.frontend.rule=Host:glances.${DOMAINNAME}"
#- "traefik.frontend.rule=Host:glances.docker.localhost"
- "traefik.port=61208"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=glances.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
# Heimdall - application dashboard
heimdall:
image: linuxserver/heimdall
container_name: heimdall
restart: always
environment:
- PUID=${PUID}
- PGID=${PGID}
- TZ=${TZ}
volumes:
- ${USERDIR}/docker/heimdall:/config
labels:
- "traefik.enable=true"
- "traefik.backend=heim"
- "traefik.frontend.rule=Host:${DOMAINNAME}, www.${DOMAINNAME}, heimdall.${DOMAINNAME}"
- "traefik.port=80"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=heimdall.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
networks:
- traefik_proxy
# Cloud Commander - web file manager
cloudcmd:
image: coderaiser/cloudcmd
container_name: cloudcmd
restart: always
volumes:
- ${USERDIR}/docker/cloudcmd:/root
- ${USERDIR}/docker:/mnt/fs
environment:
- PUID=${PUID}
- PGID=${PGID}
- TZ=${TZ}
networks:
- traefik_proxy
labels:
- "traefik.enable=true"
- "traefik.backend=cloudcmd"
- "traefik.frontend.rule=Host:cloudcmd.${DOMAINNAME}"
- "traefik.port=8000"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=cloudcmd.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
# Duplicati - Backups cloud management
duplicati:
image: linuxserver/duplicati
container_name: duplicati
volumes:
- ${USERDIR}/docker/duplicati:/config
- ${USERDIR}/backups:/backups
- ${USERDIR}/docker:/source
- /etc/localtime:/etc/localtime:ro
- ${USERDIR}/docker/shared:/shared
# ports:
# - "XXXX:8200"
restart: always
environment:
- PUID=${PUID}
- PGID=${PGID}
- TZ=${TZ}
- CLI_ARGS= #optional
networks:
- traefik_proxy
labels:
- "traefik.enable=true"
- "traefik.backend=duplicati"
- "traefik.frontend.rule=Host:duplicati.${DOMAINNAME}"
- "traefik.port=8200"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=duplicati.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
# code-server - vscode in a browser
code-server:
image: linuxserver/code-server
container_name: code-server
restart: always
environment:
- PUID=${PUID}
- PGID=${PGID}
- TZ=${TZ}
- PASSWORD=${KEYCLOAK_PASSWORD} #optional
- SUDO_PASSWORD=${KEYCLOAK_PASSWORD} #optional
volumes:
- ${USERDIR}/docker/vscode/config:/config # For github integration, drop your ssh key in to /config/.ssh.
#ports:
# - 8443:8443
networks:
- traefik_proxy
labels:
- "traefik.enable=true"
- "traefik.backend=code-server"
- "traefik.frontend.rule=Host:code.${DOMAINNAME}"
- "traefik.port=8443"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.headers.SSLForceHost=true"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=code.${DOMAINNAME}"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
- "traefik.frontend.headers.customFrameOptionsValue=allow-from https://${DOMAINNAME}"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
# fail2ban
fail2ban:
container_name: fail2ban
image: crazymax/fail2ban:latest
restart: always
network_mode: "host"
cap_add:
- NET_ADMIN
- NET_RAW
volumes:
- /var/log:/var/log
- ${USERDIR}/docker/fail2ban:/data
- ${USERDIR}/docker/fail2ban/fail2ban.d:/etc/fail2ban/fail2ban.d
environment:
- TZ=${TZ}
- F2B_LOG_TARGET=STDOUT
- F2B_LOG_LEVEL=INFO
- F2B_DB_PURGE_AGE=1d
#- F2B_MAX_RETRY=3
#- [email protected]
#- [email protected]
#- F2B_ACTION=%(action_mw)s # %(action_mw)s or %(action_mwl)s to send mail
- F2B_IPTABLES_CHAIN=DOCKER-USER
- SSMTP_HOST=smtp.gmail.com
- SSMTP_PORT=587
#- SSMTP_HOSTNAME=example.com
- SSMTP_USER=${SMTP_EMAIL}
- SSMTP_PASSWORD=${SMTP_PASSWORD} # Create an "app password" if you use 2FA
- SSMTP_TLS=TLS
######### DNS ##########
# create network:
# docker network create --subnet 172.28.0.0/16 skynet
# healthcheck dig @${PIHOLEIP} google.com
# resolv.conf file:
# nameserver 127.0.0.1
# nameserver 172.28.0.3
# pihole dns settings - enable listen on all interfaces
## I've added the following blocklist in addition to the standard ones under Settings>Blocklists (copy the link, paste and update)
# https://dbl.oisd.nl/
## More info here: https://www.reddit.com/r/pihole/comments/bppug1/introducing_the/
## I've added the following whitelist entries (copy domains and paste all at once)
# https://github.com/anudeepND/whitelist/blob/master/domains/whitelist.txt
# https://github.com/anudeepND/whitelist/blob/master/domains/referral-sites.txt
## additional lists here: https://firebog.net/
# Pihole - A black hole for Internet advertisements
pihole:
container_name: pihole
image: pihole/pihole:latest
#domainname: ${DOMAINNAME}
hostname: pihole
restart: always
cap_add:
- NET_ADMIN
- NET_RAW
- NET_BIND_SERVICE
environment:
- TZ=${TZ}
- ServerIP=192.168.5.91
- DNS1=172.28.0.3
- DNS2=no
- VIRTUAL_HOST=pihole.${DOMAINNAME}
- VIRTUAL_PORT=80
- PROXY_LOCATION=pihole
- WEBPASSWORD=${KEYCLOAK_PASSWORD}
volumes:
- ${USERDIR}/docker/pihole:/etc/pihole
- ${USERDIR}/docker/pihole/resolv.conf/resolv.conf:/etc/resolv.conf:ro
- ${USERDIR}/docker/pihole/pihole.log:/var/log/pihole.log
- ${USERDIR}/docker/pihole/dnsmasq.d:/etc/dnsmasq.d
## More info on these scripts here: https://github.com/mmotti
- ${USERDIR}/docker/pihole/scripts/fetchFilterLists.sh:/usr/local/bin/fetchFilterLists.sh
- ${USERDIR}/docker/pihole/scripts/gravityOptimise.sh:/usr/local/bin/gravityOptimise.sh
- ${USERDIR}/docker/pihole/scripts/generateGravityWildcards.sh:/usr/local/bin/generateGravityWildcards.sh
- ${USERDIR}/docker/pihole/scripts/cron.d/fetchFilterLists:/etc/cron.d/fetchFilterLists
- ${USERDIR}/docker/pihole/scripts/cron.d/gravityOptimise:/etc/cron.d/gravityOptimise
- ${USERDIR}/docker/pihole/scripts/cron.d/generateGravityWildcards:/etc/cron.d/generateGravityWildcards
dns:
- 127.0.0.1
# Sets a backup server of your choosing in case DNSMasq has problems starting
- 1.1.1.1
depends_on:
- stubby
networks:
skynet:
ipv4_address: 172.28.0.2
ports:
# - 53:53/tcp
# - 53:53/udp
# - 67:67/udp
- 8053:80
# - 8183:443
labels:
- "traefik.enable=true"
- "traefik.frontend.rule=Host:pihole.${DOMAINNAME}"
- "traefik.port=80"
- "traefik.protocol=http"
- "traefik.docker.network=skynet"
#resolution_type: GETDNS_RESOLUTION_STUB
#dns_transport_list:
# NOTE: force forward request over TLS connection.
#- GETDNS_TRANSPORT_TLS
#tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
#tls_query_padding_blocksize: 128
#edns_client_subnet_private : 0
#round_robin_upstreams: 1
#idle_timeout: 10000
#listen_addresses:
#- 0.0.0.0
#- 0::1
#- 192.168.5.1 # router ip address
#dnssec: GETDNS_EXTENSION_TRUE
#appdata_dir: "/var/cache/stubby"
#upstream_recursive_servers:
# NOTE: adjust your needs accordingly.
# https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Public+Resolvers
# https://raw.githubusercontent.com/getdnsapi/stubby/develop/stubby.yml.example
#- address_data: 1.1.1.1
# tls_auth_name: "cloudflare-dns.com" #"dns.google"
# Stubby - DNS Privacy stub resolver (using DNS-over-TLS)
stubby:
image: yegle/stubby-dns:latest
container_name: stubby
hostname: stubby
dns: 127.0.0.1
restart: always
volumes:
- ${USERDIR}/docker/stubby:/usr/local/etc/stubby
networks:
skynet:
ipv4_address: 172.28.0.3
# Corefile
#tls://.:853 https://.:443 {
# tls fullchain.pem privkey.pem
# forward . 172.28.0.2:53
# forward . dns://172.28.0.2:53 # check this
# log
# any
#}
# CoreDNS - DNS server, used here to terminate DoT
coredns:
image: coredns/coredns
container_name: coredns
hostname: coredns
command: -conf /root/Corefile
restart: always
environment:
- GODEBUG=tls13=1
volumes:
- ${USERDIR}/docker/coredns:/root:ro
- ${USERDIR}/docker/coredns:/plugin.cfg:ro
- ${USERDIR}/docker/shared/letsencrypt/etc/live/${DOMAINNAME}/fullchain.pem:/fullchain.pem:ro
- ${USERDIR}/docker/shared/letsencrypt/etc/live/${DOMAINNAME}/privkey.pem:/privkey.pem:ro
ports:
- target: 853
published: 853
protocol: tcp
mode: host
labels:
- "traefik.enable=false"
# OpenVPN server
# https://github.com/kylemanna/docker-openvpn/blob/master/docs/docker-compose.md
# https://github.com/mr-bolle/docker-openvpn-pihole/blob/master/docker-compose.yml
openvpn:
image: kylemanna/openvpn
container_name: openvpn
restart: always
cap_add:
- NET_ADMIN
environment:
# - VIRTUAL_PORT=${VIRTUAL_PORT_OPENVPN}
# - VIRTUAL_HOST=${VIRTUAL_HOST_OPENVPN}
# - LETSENCRYPT_HOST=${LETSENCRYPT_HOST_VPN}
# - LETSENCRYPT_EMAIL=${LETSENCRYPT_EMAIL}
# - OPENVPN_PROVIDER=${OPENVPN_PROVIDER}
# - OPENVPN_USERNAME=${OPENVPN_USERNAME}
# - OPENVPN_PASSWORD=${OPENVPN_PASSWORD}
# - LOCAL_NETWORK=192.168.0.0/24
# - DEBUG=1
OPENVPN_OPTS: --inactive 3600 --ping 10 --ping-exit 60 -–log-driver json-file --log-opt max-size=10m
ports:
- "1194:1194/udp"
volumes:
- /etc/localtime:/etc/localtime:ro
- /etc/timezone:/etc/timezone:ro
- ${USERDIR}/docker/openvpn:/etc/openvpn
networks:
skynet:
ipv4_address: 172.28.0.5
logging:
driver: "json-file"
options:
max-size: "10m"
max-file: "3"
networks:
traefik_proxy:
external:
name: traefik_proxy
keycloak:
external:
name: keycloak
skynet:
external:
name: skynet
ipam:
config:
- subnet: 172.28.0.0/16
default:
driver: bridge
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment