POUSH

host_vars/scaleway_fr.yml

@@ -324,7 +324,9 @@ dockerapp_compose:
     # Down all containers and up all (docker-compose down/up -d), wait for news cert/key on acme.json
     # At this moment, cert/key are staging, you need to comment acme.caserver line and remove acme.json file then restart traefik 
     traefik:
-      #<<: *common-keys-core # See EXTENSION FIELDS at the top -> TODO
+      restart: always
+      security_opt:
+        - no-new-privileges:true
       container_name: traefik
       image: traefik:latest
       command: # CLI arguments
@@ -364,7 +366,9 @@ dockerapp_compose:
         socket_proxy:
           ipv4_address: 192.168.91.3
       environment:
-        #<<: *default-tz-puid-pgid -> TODO
+        TZ: Europe/Paris
+        PUID: 1000
+        PGID: 1000
       ports:
         - target: 80
           published: 80
@@ -416,3 +420,739 @@ dockerapp_compose:
         ## TLS 
         - "traefik.http.routers.traefik-rtr.tls.certresolver=letsencrypt-resolver"
         - "traefik.http.routers.prometheus.tls.certresolver=letsencrypt-resolver"
+    # Docker Socket Proxy - Security Enchanced Proxy for Docker Socket
+    socket-proxy:
+      restart: always
+      security_opt:
+        - no-new-privileges:true # See EXTENSION FIELDS at the top
+      container_name: socket-proxy
+      image: tecnativa/docker-socket-proxy:latest
+      networks:
+        socket_proxy:
+          ipv4_address: 192.168.91.254 # You can specify a static IP
+      volumes:
+        - "/var/run/docker.sock:/var/run/docker.sock"
+      environment:
+        - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
+        ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
+        # 0 to revoke access.
+        # 1 to grant access.
+        ## Granted by Default
+        - EVENTS=1
+        - PING=1
+        - VERSION=1
+        ## Revoked by Default
+        # Security critical
+        - AUTH=0
+        - SECRETS=0
+        - POST=0 # Watchtower
+        # Not always needed
+        - BUILD=0
+        - COMMIT=0
+        - CONFIGS=0
+        - CONTAINERS=1 # Traefik, portainer, etc.
+        - DISTRIBUTION=0
+        - EXEC=0
+        - IMAGES=1 # Portainer
+        - INFO=1 # Portainer
+        - NETWORKS=1 # Portainer
+        - NODES=0
+        - PLUGINS=0
+        - SERVICES=1 # Portainer
+        - SESSION=0
+        - SWARM=0
+        - SYSTEM=0
+        - TASKS=1 # Portainer
+        - VOLUMES=1 # Portainer
+
+    # Dozzle - Real-time Docker Log Viewer
+    dozzle:
+      restart: always
+      security_opt:
+        - no-new-privileges:true # See EXTENSION FIELDS at the top
+      image: amir20/dozzle:latest
+      container_name: dozzle
+      networks:
+        t2_proxy:
+          ipv4_address: 192.168.90.169
+        # Should connect to the docker engine socket to collect logs
+        socket_proxy:
+          ipv4_address: 192.168.91.2
+      environment:
+        TZ: Europe/Paris
+        PUID: 1000
+        PGID: 1000
+        DOZZLE_LEVEL: info
+        #DOZZLE_TAILSIZE: 300
+        DOZZLE_FILTER: "status=running"
+        DOCKER_HOST: tcp://socket-proxy:2375
+        #DOZZLE_ADDR: ":8181"
+      volumes:
+        - /etc/timezone:/etc/timezone:ro
+        - /etc/localtime:/etc/localtime:ro
+      labels:
+        - "traefik.enable=true"
+        ## HTTP Routers
+        - "traefik.http.routers.dozzle-rtr-http.entrypoints=http"
+        - "traefik.http.routers.dozzle-rtr-http.rule=Host(`dozzle.jingoh.fr`)"
+        - "traefik.http.routers.dozzle-rtr-http.middlewares=redirect-to-https"
+        ## HTTPS Routers
+        - "traefik.http.routers.dozzle-rtr.entrypoints=https"
+        - "traefik.http.routers.dozzle-rtr.rule=Host(`dozzle.jingoh.fr`)"
+        ##  Services
+        - "traefik.http.routers.dozzle-rtr.service=dozzle-svc"
+        - "traefik.http.services.dozzle-svc.loadbalancer.server.port=8080"
+        ## Middlewares
+        - "traefik.http.routers.dozzle-rtr.middlewares=dozzle-basic"
+        - "traefik.http.middlewares.dozzle-basic.basicauth.users=jingohdoz:$$2y$$05$$e5x192gFu6uBevLcZNNU9eEWnekh3p.F8cffX19EBTLMwBQoqHcwW"
+        ## TLS 
+        - "traefik.http.routers.dozzle-rtr.tls.certresolver=letsencrypt-resolver"
+
+  # conf file in appdata/gitea/gitea/gitea/conf/app.ini
+  # [metrics]
+  # [log]
+    gitea:
+      restart: always
+      security_opt:
+        - no-new-privileges:true # See EXTENSION FIELDS at the top
+      image: gitea/gitea:latest
+      container_name: gitea
+      networks:
+        t2_proxy:
+          ipv4_address: 192.168.90.170
+      environment:
+        TZ: Europe/Paris
+        PUID: 1000
+        PGID: 1000
+        GITEA__database__DB_TYPE: postgres
+        GITEA__database__HOST: gitea-db:5432
+        GITEA__server__DOMAIN: gitea.jingoh.fr
+        GITEA__server__ROOT_URL: https://gitea.jingoh.fr
+        GITEA__server__HTTP_PORT: 3000
+        GITEA__server__START_SSH_SERVER: "true"
+        GITEA__server__SSH_PORT: 443
+        GITEA__server__SSH_LISTEN_PORT: 2222
+        GITEA__server__SSH_DOMAIN: gitea.jingoh.fr
+        GITEA__repository__USE_COMPAT_SSH_URI: "false"
+        GITEA__database__NAME: gitea
+        GITEA__database__USER: root
+        GITEA__database__PASSWD: uu~Y8aic
+      volumes:
+        - ./logs/homeserver/gitea.log:/data/gitea/log/gitea.log
+        - ./appdata/gitea/gitea:/data
+        - /etc/timezone:/etc/timezone:ro
+        - /etc/localtime:/etc/localtime:ro
+      labels:
+        - "traefik.enable=true"
+        ## HTTP Routers
+        - "traefik.http.routers.gitea-rtr-http.entrypoints=http"
+        - "traefik.http.routers.gitea-rtr-http.rule=Host(`gitea.jingoh.fr`)"
+        - "traefik.http.routers.gitea-rtr-http.middlewares=redirect-to-https"
+        ## HTTPS Routers
+        - "traefik.http.routers.gitea-rtr.entrypoints=https"
+        - "traefik.http.routers.gitea-rtr.rule=Host(`gitea.jingoh.fr`)"
+        ## Middlewares
+        # git push doesn't work with basicauth
+        #- "traefik.http.routers.gitea-rtr.middlewares=gitea-basic"
+        #- "traefik.http.middlewares.gitea-basic.basicauth.users=jingohgit:$$2y$$05$$iBHOV.3zFZFTp4kRqD7.I.hQ/Rx3qeHoUjq/3KztwzyU8t1BIK/ne"  
+        ## Services
+        - "traefik.http.routers.gitea-rtr.service=gitea-svc"
+        - "traefik.http.services.gitea-svc.loadbalancer.server.port=3000"
+        ## SSH
+        - "traefik.tcp.routers.gitea-ssh.rule=HostSNI(`*`)"
+        - "traefik.tcp.routers.gitea-ssh.entrypoints=https"
+        - "traefik.tcp.routers.gitea-ssh.service=gitea-ssh-svc"
+        - "traefik.tcp.services.gitea-ssh-svc.loadbalancer.server.port=2222"   
+        ## TLS 
+        - "traefik.http.routers.gitea-rtr.tls.certresolver=letsencrypt-resolver"
+
+    gitea-db:
+      restart: always
+      security_opt:
+        - no-new-privileges:true # See EXTENSION FIELDS at the top
+      image: postgres:14
+      container_name: gitea-db
+      networks:
+        t2_proxy:
+          ipv4_address: 192.168.90.171
+      environment:
+        TZ: Europe/Paris
+        PUID: 1000
+        PGID: 1000
+        POSTGRES_USER: root
+        POSTGRES_PASSWORD: uu~Y8aic
+        POSTGRES_DB: gitea
+      volumes:
+        - ./appdata/gitea/gitea-db:/var/lib/postgresql/data
+        - /etc/timezone:/etc/timezone:ro
+        - /etc/localtime:/etc/localtime:ro
+      labels:
+        - traefik.enable=false
+
+  #https://github.com/ngoduykhanh/wireguard-ui/blob/master/docker-compose.yaml -> wireguard-ui
+    wireguard:
+      restart: always
+      security_opt:
+        - no-new-privileges:true # See EXTENSION FIELDS at the top
+      image: lscr.io/linuxserver/wireguard:latest
+      container_name: wireguard
+      cap_add:
+        - NET_ADMIN
+        - SYS_MODULE
+      environment:
+        TZ: Europe/Paris
+        PUID: 1000
+        PGID: 1000
+        SERVERURL: 163.172.84.28 #optional
+        SERVERPORT: 443 #optional
+        PEERS: 2 #optional
+        PEERDNS: auto #optional
+        INTERNAL_SUBNET: 10.13.13.0 #optional
+        ALLOWEDIPS: 0.0.0.0/0 #optional
+        LOG_CONFS: "true" #optional
+      networks:
+        t2_proxy:
+          ipv4_address: 192.168.90.173
+      volumes:
+        - ./appdata/wireguard/config:/config
+        - ./appdata/wireguard/lib/modules:/lib/modules
+        - /etc/timezone:/etc/timezone:ro
+        - /etc/localtime:/etc/localtime:ro
+      sysctls:
+        - net.ipv4.conf.all.src_valid_mark=1
+      labels:
+        - "traefik.enable=true"
+        ## UDP Routers
+        - "traefik.udp.routers.wireguard-rtr.entrypoints=wireguard"
+        - "traefik.udp.services.wireguard.loadbalancer.server.port=51820"
+      depends_on:
+        - traefik
+
+    # # Grafana - Graphical data visualization
+    ## Reset password command-line -> grafana-cli $username reset-admin-password $password
+    ## Enable log file with rotate (/etc/grafana/grafana.ini)
+    grafana:
+      restart: always
+      security_opt:
+        - no-new-privileges:true # See EXTENSION FIELDS at the top
+      image: grafana/grafana:latest
+      container_name: grafana
+      networks:
+        t2_proxy:
+          ipv4_address: 192.168.90.175
+      # ports:
+      #   - "$GRAFANA_PORT:3000"
+      user: root
+      volumes:
+        - ./appdata/grafana/lib:/var/lib/grafana
+        - ./logs/homeserver/grafana.log:/var/log/grafana/grafana.log
+      environment:
+        TZ: Europe/Paris
+        PUID: 1000
+        PGID: 1000
+        GF_INSTALL_PLUGINS: "grafana-clock-panel,grafana-simple-json-datasource,grafana-worldmap-panel,grafana-piechart-panel"
+      labels:
+        - "traefik.enable=true"
+        ## HTTP Routers
+        - "traefik.http.routers.grafana-rtr-http.entrypoints=http"
+        - "traefik.http.routers.grafana-rtr-http.rule=Host(`grafana.jingoh.fr`)"
+        - "traefik.http.routers.grafana-rtr-http.middlewares=redirect-to-https"
+        ## HTTPS Routers
+        - "traefik.http.routers.grafana-rtr.entrypoints=https"
+        - "traefik.http.routers.grafana-rtr.rule=Host(`grafana.jingoh.fr`)"
+        ##  Services
+        - "traefik.http.routers.grafana-rtr.service=grafana-svc"
+        - "traefik.http.services.grafana-svc.loadbalancer.server.port=3000"
+        ## TLS 
+        - "traefik.http.routers.grafana-rtr.tls.certresolver=letsencrypt-resolver"
+        ## Middlewares
+        - "traefik.http.routers.grafana-rtr.middlewares=grafana-basic"
+        - "traefik.http.middlewares.grafana-basic.basicauth.users=jingohgraf:$$2y$$05$$DMxSbnKhLv0zW2qYzMpkj.idi88EsFsIdgKoYPzFpxo9ErDHLYCAi"  
+        # NEEDED IF CONFLICTS BETWEEN BASICAUTH AND APP LOGIN PAGE
+        - "traefik.http.middlewares.grafana-basic.basicauth.removeheader=true"      
+
+    prometheus:
+      restart: always
+      security_opt:
+        - no-new-privileges:true # See EXTENSION FIELDS at the top
+      image: prom/prometheus:latest
+      container_name: prometheus
+      user: root
+      networks:
+        t2_proxy:
+          ipv4_address: 192.168.90.176
+      volumes:
+        - ./appdata/prometheus/prometheus:/etc/prometheus/
+        - ./appdata/prometheus/prometheus_data:/prometheus
+      command:
+        - '--config.file=/etc/prometheus/prometheus.yml'
+        - '--storage.tsdb.path=/prometheus'
+        - '--web.console.libraries=/usr/share/prometheus/console_libraries'
+        - '--web.console.templates=/usr/share/prometheus/consoles'
+      labels:
+        - "traefik.enable=true"
+        ## HTTP Routers
+        - "traefik.http.routers.prometheus-rtr-http.entrypoints=http"
+        - "traefik.http.routers.prometheus-rtr-http.rule=Host(`prometheus.jingoh.fr`)"
+        - "traefik.http.routers.prometheus-rtr-http.middlewares=redirect-to-https"
+        # HTTPS
+        - "traefik.http.routers.prometheus-rtr.entrypoints=https"
+        - "traefik.http.routers.prometheus-rtr.rule=Host(`prometheus.jingoh.fr`)"
+        - "traefik.http.routers.prometheus-rtr.service=prometheus-svc"
+        - "traefik.http.services.prometheus-svc.loadbalancer.server.port=9090"
+        - "traefik.docker.network=t2_proxy"
+        ## Middlewares
+        - "traefik.http.routers.prometheus-rtr.middlewares=prometheus-basic"
+        - "traefik.http.middlewares.prometheus-basic.basicauth.users=jingohprom:$$2y$$05$$7cf/zuj8lI4Gt9K3xfWEKu.hKwzi1lxsjImgvSc9tHZ0QqHOxagH."    
+        ## TLS 
+        - "traefik.http.routers.prometheus-rtr.tls.certresolver=letsencrypt-resolver"
+
+  # https://pieterhollander.nl/post/bitwarden/
+  # https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
+  # https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples 
+    vaultwarden:
+      restart: always
+      security_opt:
+        - no-new-privileges:true # See EXTENSION FIELDS at the top
+      image: vaultwarden/server:latest
+      container_name: vault
+      environment:
+        TZ: Europe/Paris
+        PUID: 1000
+        PGID: 1000
+        WEBSOCKET_ENABLED: 1
+        ROCKET_PORT: 80
+        DOMAIN: https://vault.jingoh.fr
+        ADMIN_TOKEN: BwI1E5Sqb6clUpsAfXdlkMnQuzwTh7pFPpqK6V8RII/CuBqgbNhj325ynL40dfjs
+        LOG_FILE: /var/log/vaultwarden.log
+        SIGNUPS_ALLOWED: "false"
+      networks:
+        t2_proxy:
+          ipv4_address: 192.168.90.177
+      volumes:
+        - ./appdata/vaultwarden:/data
+        - ./logs/homeserver/vaultwarden.log:/var/log/vaultwarden.log
+      labels:
+        - traefik.enable=true
+        ## HTTP Routers
+        - "traefik.http.routers.bitwarden-rtr-http.entrypoints=http"
+        - "traefik.http.routers.bitwarden-rtr-http.rule=Host(`bitwarden.jingoh.fr`)"
+        - "traefik.http.routers.bitwarden-rtr-http.middlewares=redirect-to-https"
+        ## HTTPS Routers
+        - traefik.docker.network=t2_proxy
+        - traefik.http.routers.bitwarden-rtr.entrypoints=https
+        - traefik.http.routers.bitwarden-rtr.rule=Host(`vault.jingoh.fr`)
+        - traefik.http.routers.bitwarden-rtr.tls=true
+        - traefik.http.routers.bitwarden-rtr.service=bitwarden-svc
+        - traefik.http.services.bitwarden-svc.loadbalancer.server.port=80
+        - traefik.http.routers.bitwarden-websocket-rtr.entrypoints=https
+        - traefik.http.routers.bitwarden-websocket-rtr.rule=Host(`vault.jingoh.fr`) && Path(`/notifications/hub`)
+        - traefik.http.routers.bitwarden-websocket-rtr.service=bitwarden-websocket-svc
+        - traefik.http.services.bitwarden-websocket-svc.loadbalancer.server.port=3012
+        ## TLS 
+        - "traefik.http.routers.bitwarden-rtr.tls.certresolver=letsencrypt-resolver"
+        - "traefik.http.routers.bitwarden-websocket-rtr.tls.certresolver=letsencrypt-resolver"
+
+    homepage:
+      restart: always
+      security_opt:
+        - no-new-privileges:true # See EXTENSION FIELDS at the top
+      image: ghcr.io/gethomepage/homepage:latest
+      container_name: homepage
+      networks:
+        t2_proxy:
+          ipv4_address: 192.168.90.178
+      volumes:
+        - ./appdata/homepage/homepage:/app/config 
+        - ./appdata/homepage/icons:/app/public/icons
+        - "/var/run/docker.sock:/var/run/docker.sock"
+      labels:
+        - traefik.enable=true
+        ## HTTP Routers
+        - "traefik.http.routers.homepage-rtr-http.entrypoints=http"
+        - "traefik.http.routers.homepage-rtr-http.rule=Host(`homepage.jingoh.fr`)"
+        - "traefik.http.routers.homepage-rtr-http.middlewares=redirect-to-https"
+        ## HTTPS Routers
+        - traefik.docker.network=t2_proxy
+        - traefik.http.routers.homepage-rtr.entrypoints=https
+        - traefik.http.routers.homepage-rtr.rule=Host(`homepage.jingoh.fr`)
+        - traefik.http.routers.homepage-rtr.tls=true
+        - traefik.http.routers.homepage-rtr.service=homepage-svc
+        - traefik.http.services.homepage-svc.loadbalancer.server.port=3000
+        ## TLS 
+        - "traefik.http.routers.homepage-rtr.tls.certresolver=letsencrypt-resolver"
+
+    registry:
+      restart: always
+      security_opt:
+        - no-new-privileges:true # See EXTENSION FIELDS at the top
+      image: registry:2
+      container_name: registry
+      networks:
+        t2_proxy:
+          ipv4_address: 192.168.90.179
+      environment:
+        REGISTRY_STORAGE_DELETE_ENABLED: 'true'
+      volumes:
+        - ./appdata/registry/data:/var/lib/registry
+
+    registry-ui:
+      restart: always
+      security_opt:
+        - no-new-privileges:true # See EXTENSION FIELDS at the top
+      image: joxit/docker-registry-ui:latest
+      expose:
+        - 80
+      environment:
+        - DELETE_IMAGES=true
+        - NGINX_PROXY_PASS_URL=http://registry:5000
+        - SINGLE_REGISTRY=true
+        - REGISTRY_TITLE= 🧱 Jingoh Container Registry 🧱
+      container_name: registry-ui
+      networks:
+        t2_proxy:
+          ipv4_address: 192.168.90.180
+      depends_on: 
+        - registry
+      labels:
+        - traefik.enable=true
+        ## HTTP Routers
+        - traefik.http.routers.registry-rtr-http.entrypoints=http
+        - traefik.http.routers.registry-rtr-http.rule=Host(`registry.jingoh.fr`)
+        - traefik.http.routers.registry-rtr-http.middlewares=redirect-to-https
+        ## HTTPS Routers
+        - traefik.docker.network=t2_proxy
+        - traefik.http.routers.registry-rtr.entrypoints=https
+        - traefik.http.routers.registry-rtr.rule=Host(`registry.jingoh.fr`)
+        - traefik.http.routers.registry-rtr.tls=true
+        - traefik.http.routers.registry-rtr.service=registry-svc
+        - traefik.http.services.registry-svc.loadbalancer.server.port=80
+        ## TLS 
+        - traefik.http.routers.registry-rtr.tls.certresolver=letsencrypt-resolver
+        ## Middlewares
+        - "traefik.http.routers.registry-rtr.middlewares=registry-basic"
+        - "traefik.http.middlewares.registry-basic.basicauth.users=jingohdocker:$$2y$$05$$dEBjltxSmPyUuQG3ewQXSu8ez97J8562/XhoDw6AoLbmc3ZQTKg4C"    
+
+    alert:
+      restart: always
+      security_opt:
+        - no-new-privileges:true # See EXTENSION FIELDS at the top
+      image: binwiederhier/ntfy:latest
+      container_name: alert
+      networks:
+        t2_proxy:
+          ipv4_address: 192.168.90.181
+      volumes:
+        - ./appdata/alertmanager/config/alertmanager.yml:/etc/ntfy/server.yml
+        - ./appdata/alertmanager/cache/:/var/cache/ntfy/
+      command: serve
+      expose:
+        - 80
+      labels:
+        - traefik.enable=true
+        ## HTTP Routers
+        - traefik.http.routers.alertmanager-rtr-http.entrypoints=http
+        - traefik.http.routers.alertmanager-rtr-http.rule=Host(`alert.jingoh.fr`)
+        - traefik.http.routers.alertmanager-rtr-http.middlewares=redirect-to-https
+        ## HTTPS Routers
+        - traefik.docker.network=t2_proxy
+        - traefik.http.routers.alertmanager-rtr.entrypoints=https
+        - traefik.http.routers.alertmanager-rtr.rule=Host(`alert.jingoh.fr`)
+        - traefik.http.routers.alertmanager-rtr.tls=true
+        - traefik.http.routers.alertmanager-rtr.service=alertmanager-svc
+        - traefik.http.services.alertmanager-svc.loadbalancer.server.port=80
+        ## TLS 
+        - traefik.http.routers.alertmanager-rtr.tls.certresolver=letsencrypt-resolver
+        ## Middlewares
+        - "traefik.http.routers.alertmanager-rtr.middlewares=alertmanager-basic"
+        - "traefik.http.middlewares.alertmanager-basic.basicauth.users=jingohalert:$$2y$$05$$dEBjltxSmPyUuQG3ewQXSu8ez97J8562/XhoDw6AoLbmc3ZQTKg4C"    
+
+    exporter:
+      image: prom/node-exporter:latest
+      container_name: exporter
+      restart: always
+      security_opt:
+        - no-new-privileges:true # See EXTENSION FIELDS at the top
+      user: root
+      volumes:
+        - /:/host:ro
+      command:
+        - '--path.procfs=/host/proc'
+        - '--path.rootfs=/rootfs'
+        - '--path.sysfs=/host/sys'
+        - '--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)'
+      networks:
+        t2_proxy:
+          ipv4_address: 192.168.90.183
+      labels:
+        - traefik.enable=true
+        ## HTTP Routers
+        - traefik.http.routers.exporter-rtr-http.entrypoints=http
+        - traefik.http.routers.exporter-rtr-http.rule=Host(`exporter.jingoh.fr`)
+        - traefik.http.routers.exporter-rtr-http.middlewares=redirect-to-https
+        ## HTTPS Routers
+        - traefik.docker.network=t2_proxy
+        - traefik.http.routers.exporter-rtr.entrypoints=https
+        - traefik.http.routers.exporter-rtr.rule=Host(`exporter.jingoh.fr`)
+        - traefik.http.routers.exporter-rtr.tls=true
+        - traefik.http.routers.exporter-rtr.service=exporter-svc
+        - traefik.http.services.exporter-svc.loadbalancer.server.port=9100
+        ## TLS 
+        - traefik.http.routers.exporter-rtr.tls.certresolver=letsencrypt-resolver
+        ## Middlewares
+        - "traefik.http.routers.exporter-rtr.middlewares=exporter-basic"
+        - "traefik.http.middlewares.exporter-basic.basicauth.users=jingohblack:$$2y$$05$$Y8dT7mF46c0aSOyDb7Jq9.TisInl3dzuWSSwkXM08r1Q331HQ/b.C"  
+
+    ara-ui:
+      image: recordsansible/ara-api:latest
+      restart: always
+      security_opt:
+        - no-new-privileges:true # See EXTENSION FIELDS at the top
+      environment:
+        - ARA_ALLOWED_HOSTS=["ara.jingoh.fr", "localhost"]
+        - ARA_DATABASE_ENGINE=django.db.backends.postgresql
+        - ARA_DATABASE_HOST=ara-db
+        - ARA_DATABASE_NAME=ara
+        - ARA_DATABASE_PASSWORD=ara
+        - ARA_DATABASE_USER=ara
+        - ARA_DATABASE_PORT=5432
+      container_name: ara-ui
+      networks:
+        t2_proxy:
+          ipv4_address: 192.168.90.184
+      labels:
+        - traefik.enable=true
+        ## HTTP Routers
+        - traefik.http.routers.ansible-rtr-http.entrypoints=http
+        - traefik.http.routers.ansible-rtr-http.rule=Host(`ara.jingoh.fr`)
+        - traefik.http.routers.ansible-rtr-http.middlewares=redirect-to-https
+        ## HTTPS Routers
+        - traefik.docker.network=t2_proxy
+        - traefik.http.routers.ansible-rtr.entrypoints=https
+        - traefik.http.routers.ansible-rtr.rule=Host(`ara.jingoh.fr`)
+        - traefik.http.routers.ansible-rtr.tls=true
+        - traefik.http.routers.ansible-rtr.service=ansible-svc
+        - traefik.http.services.ansible-svc.loadbalancer.server.port=8000
+        ## TLS 
+        - traefik.http.routers.ansible-rtr.tls.certresolver=letsencrypt-resolver
+        ## Middlewares
+        - "traefik.http.routers.ansible-rtr.middlewares=ansible-basic"
+        - "traefik.http.middlewares.ansible-basic.basicauth.users=jingohblack:$$2y$$05$$Y8dT7mF46c0aSOyDb7Jq9.TisInl3dzuWSSwkXM08r1Q331HQ/b.C"  
+        - "traefik.http.middlewares.ansible-basic.basicauth.removeheader=true"   
+
+    ara-db:
+      restart: always
+      security_opt:
+        - no-new-privileges:true # See EXTENSION FIELDS at the top
+      image: postgres:14
+      container_name: ara-db
+      networks:
+        t2_proxy:
+          ipv4_address: 192.168.90.185
+      environment:
+        TZ: Europe/Paris
+        PUID: 1000
+        PGID: 1000
+        POSTGRES_USER: ara
+        POSTGRES_PASSWORD: ara
+        POSTGRES_DB: ara
+      volumes:
+        - ./appdata/ara:/var/lib/postgresql/data
+        - /etc/timezone:/etc/timezone:ro
+        - /etc/localtime:/etc/localtime:ro
+      labels:
+        - traefik.enable=false
+
+
+
+    semaphore-db:
+      restart: always
+      security_opt:
+        - no-new-privileges:true # See EXTENSION FIELDS at the top
+      container_name: semaphore-db
+      image: postgres:14
+      hostname: postgres
+      networks:
+        t2_proxy:
+          ipv4_address: 192.168.90.186
+      volumes: 
+      - ./appdata/semaphore/semaphore-db:/var/lib/postgresql/data
+      environment:
+      POSTGRES_USER: semaphore
+      POSTGRES_PASSWORD: uu~Y8aic
+      POSTGRES_DB: semaphore
+      labels:
+        - traefik.enable=false
+
+    semaphore:
+      restart: always
+      security_opt:
+        - no-new-privileges:true # See EXTENSION FIELDS at the top
+      expose:
+        - 3000
+      container_name: semaphore
+      image: semaphoreui/semaphore:latest
+      user: "${UID}:${GID}"
+      networks:
+        t2_proxy:
+          ipv4_address: 192.168.90.187
+      environment:
+        - SEMAPHORE_DB_USER=semaphore
+        - SEMAPHORE_DB_PASS=uu~Y8aic
+        - SEMAPHORE_DB_HOST=semaphore-db
+        - SEMAPHORE_DB_PORT=5432
+        - SEMAPHORE_DB_DIALECT=postgres
+        - SEMAPHORE_DB=semaphore
+        - SEMAPHORE_PLAYBOOK_PATH=/tmp/semaphore/
+        - SEMAPHORE_ADMIN_PASSWORD=uu~Y8aic
+        - SEMAPHORE_ADMIN_NAME=admin
+        - SEMAPHORE_ADMIN_EMAIL=admin@localhost
+        - SEMAPHORE_ADMIN=admin
+        - SEMAPHORE_ACCESS_KEY_ENCRYPTION=ShbKLtVWr5yB/G1WO3DOEU5Il0JBlcN//4mpErpSwpQ=  # add to your access key encryption !
+        - ANSIBLE_HOST_KEY_CHECKING=false  # (optional) change to true if you want to enable host key checking
+      volumes:
+        - ./appdata/semaphore/inventory/:/inventory:ro
+        - ./appdata/semaphore/authorized-keys/:/authorized-keys:ro
+        - ./appdata/semaphore/config/:/etc/semaphore:rw
+      depends_on:
+        - semaphore-db
+      labels:
+        - traefik.enable=true
+        ## HTTP Routers
+        - traefik.http.routers.semaphore-rtr-http.entrypoints=http
+        - traefik.http.routers.semaphore-rtr-http.rule=Host(`semaphore.jingoh.fr`)
+        - traefik.http.routers.semaphore-rtr-http.middlewares=redirect-to-https
+        ## HTTPS Routers
+        - traefik.docker.network=t2_proxy
+        - traefik.http.routers.semaphore-rtr.entrypoints=https
+        - traefik.http.routers.semaphore-rtr.rule=Host(`semaphore.jingoh.fr`)
+        - traefik.http.routers.semaphore-rtr.tls=true
+        - traefik.http.routers.semaphore-rtr.service=semaphore-svc
+        - traefik.http.services.semaphore-svc.loadbalancer.server.port=3000
+        # ## WEBSOCKET 
+        # - traefik.http.routers.semaphore-websocket-rtr.entrypoints=https
+        # - traefik.http.routers.semaphore-websocket-rtr.rule=Host(`semaphore.jingoh.fr`) && Path(`/api/ws`)
+        # - traefik.http.routers.semaphore-websocket-rtr.service=semaphore-websocket-svc
+        # - traefik.http.services.semaphore-websocket-svc.loadbalancer.server.port=3000
+        ## TLS 
+        - traefik.http.routers.semaphore-rtr.tls.certresolver=letsencrypt-resolver
+        # ## Middlewares
+        # - "traefik.http.routers.semaphore-rtr.middlewares=semaphore-basic"
+        # - "traefik.http.middlewares.semaphore-basic.basicauth.users=jingohblack:$$2y$$05$$Y8dT7mF46c0aSOyDb7Jq9.TisInl3dzuWSSwkXM08r1Q331HQ/b.C"  
+        # - "traefik.http.middlewares.semaphore-basic.basicauth.removeheader=true"   
+
+    # qBittorrent - Torrent downloader
+    # Needs trailing / if using PathPrefixStrip 
+    # qbittorrent:
+      # <<: *common-keys-apps # See EXTENSION FIELDS at the top
+      # image: lscr.io/linuxserver/qbittorrent:latest
+      # container_name: qbittorrent
+      # networks:
+      #   t2_proxy:
+      #     ipv4_address: 192.168.90.174
+      # volumes:
+      #   - ./appdata/qbittorrent:/config
+      #   - ./downloads:/downloads
+      # environment:
+      # #   TZ: Europe/Paris
+      #   PUID: 1000
+      #   PGID: 1000
+      # #   UMASK_SET: 002
+      # labels:
+      #   - "traefik.enable=true"
+      #   ## HTTP Routers
+      #   - "traefik.http.routers.qbittorrent-rtr.entrypoints=https"
+      #   - "traefik.http.routers.qbittorrent-rtr.rule=Host(`qbit.jingoh.fr`)"
+      #   ## Middlewares
+      #   - "traefik.http.routers.qbittorrent-rtr.middlewares=test-auth"
+      #   ##  Services
+      #   - "traefik.http.routers.qbittorrent-rtr.service=qbittorrent-svc"
+      #   - "traefik.http.services.qbittorrent-svc.loadbalancer.server.port=8168"
+      #   # Anti ddos
+      #   - "traefik.http.middlewares.qbittorrent-rtr-ratelimit.ratelimit.average=10"
+      #   - "traefik.http.middlewares.qbittorrent-rtr-ratelimit.ratelimit.burst=10"
+      #   - "traefik.http.middlewares.qbittorrent-rtr-ratelimit.ratelimit.period=1"
+      #   - "traefik.http.routers.qbittorrent-rtr-ratelimit.middlewares=qbittorrent-rtr-ratelimit@docker"
+
+  # docker run -p 9925:80 -v ./mealie:/app/data/ hkotel/mealie:latest
+
+    mealie:
+      container_name: mealie
+      image: hkotel/mealie:latest
+      user: "${UID}:${GID}"
+      environment:
+        - DEFAULT_EMAIL=stephane.gratiasquiquandon@gmail.com
+        - DEFAULT_GROUP=manger
+        - BASE_URL=mealie.jingoh.fr
+      networks:
+        t2_proxy:
+          ipv4_address: 192.168.90.188
+      volumes:
+        - ./appdata/mealie/:/app/data/
+      restart: always
+      security_opt:
+        - no-new-privileges:true # See EXTENSION FIELDS at the top
+      labels:
+        - traefik.enable=true
+        ## HTTPS Routers
+        - traefik.docker.network=t2_proxy
+        - traefik.http.routers.mealie-rtr.entrypoints=https
+        - traefik.http.routers.mealie-rtr.rule=Host(`mealie.jingoh.fr`)
+        - traefik.http.routers.mealie-rtr.tls=true
+        - traefik.http.routers.mealie-rtr.service=mealie-svc
+        - traefik.http.services.mealie-svc.loadbalancer.server.port=80
+        ## TLS 
+        - traefik.http.routers.mealie-rtr.tls.certresolver=letsencrypt-resolver
+
+    # homarr:
+    #   container_name: homarr
+    #   image: ghcr.io/ajnart/homarr:latest
+    #   restart: unless-stopped
+    #   networks:
+    #     t2_proxy:
+    #       ipv4_address: 192.168.90.189
+    #   volumes:
+    #     - ./appdata/homarr/configs:/app/data/configs
+    #     - ./appdata/homarr/icons:/app/public/icons
+    #   labels:
+    #     - traefik.enable=true
+    #     ## HTTPS Routers
+    #     - traefik.docker.network=t2_proxy
+    #     - traefik.http.routers.homarr-rtr.entrypoints=https
+    #     - traefik.http.routers.homarr-rtr.rule=Host(`homarr.jingoh.fr`)
+    #     - traefik.http.routers.homarr-rtr.tls=true
+    #     - traefik.http.routers.homarr-rtr.service=homarr-svc
+    #     - traefik.http.services.homarr-svc.loadbalancer.server.port=7575
+    #     ## TLS 
+    #     - traefik.http.routers.homarr-rtr.tls.certresolver=letsencrypt-resolver
+    #     ## Middleware IP whitelist
+    #     - traefik.http.middlewares.dashboard-ipwhitelist.ipwhitelist.sourcerange=192.168.91.1/32
+    #     - traefik.http.routers.homarr-rtr.middlewares=dashboard-ipwhitelist
+
+    portainer:
+      container_name: portainer
+      image: portainer/portainer-ce:latest
+      restart: always
+      security_opt:
+        - no-new-privileges:true
+      networks:
+        t2_proxy:
+          ipv4_address: 192.168.90.190
+      volumes:
+        - /etc/localtime:/etc/localtime:ro
+        - /var/run/docker.sock:/var/run/docker.sock:ro
+        - ./appdata/portainer/:/data/
+      labels:
+        - traefik.enable=true
+        ## HTTPS Routers
+        - traefik.docker.network=t2_proxy
+        - traefik.http.routers.portainer-rtr.entrypoints=https
+        - traefik.http.routers.portainer-rtr.rule=Host(`docker.jingoh.fr`)
+        - traefik.http.routers.portainer-rtr.tls=true
+        - traefik.http.routers.portainer-rtr.service=portainer-svc
+        - traefik.http.services.portainer-svc.loadbalancer.server.port=9000
+        ## TLS 
+        - traefik.http.routers.homarr-rtr.tls.certresolver=letsencrypt-resolver
+        ## Middleware IP whitelist
+        # - traefik.http.middlewares.dashboard-ipwhitelist.ipwhitelist.sourcerange=192.168.91.1/32
+        # - traefik.http.routers.homarr-rtr.middlewares=dashboard-ipwhitelist