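---
# Ansible vars for the home server: role settings (netbird, node_exporter, users,
# apt, alerting cron, logrotate, chisel) plus the docker-compose definition the
# dockerapp role renders from `dockerapp_compose`.
#
# Secrets are referenced through `vault_*` variables (placeholder names chosen
# here — define them in an ansible-vault encrypted file). The literal values that
# previously sat in this file were committed in plaintext and must be rotated.

#* NETBIRD
# A setup key enrols new peers into the netbird network; keep it out of VCS.
netbird_setup_key: "{{ vault_netbird_setup_key }}"
netbird_register: true

#* TLS
node_exporter_tls_server_config:
  cert_file: /etc/node_exporter/tls.cert
  key_file: /etc/node_exporter/tls.key

#* NODE_EXPORTER
# node_exporter_basic_auth_users:
#   randomuser: examplepassword
# Bind the host node_exporter to the private address only.
node_exporter_web_listen_address: "{{ host_private_address }}:9100"

########
# USER #
########
management_user_list:
  - name: stephane
    shell: '/bin/bash'
    authorized_keys:
      - key: "ssh-rsa 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 stephane"
        # `exclusive` removes every other key from authorized_keys; spelled as a
        # real boolean (was `yes`, which YAML 1.1 and 1.2 read differently).
        exclusive: true
    sudo:
      hosts: ALL
      as: ALL
      commands: ALL
      nopasswd: ALL

#######
# APT #
#######
apt_repositories_sources:
  - deb http://mirrors.online.net/ubuntu focal main restricted
  - deb http://mirrors.online.net/ubuntu focal-updates main restricted
  - deb http://mirrors.online.net/ubuntu focal universe
  - deb http://mirrors.online.net/ubuntu focal-updates universe
  - deb http://mirrors.online.net/ubuntu focal multiverse
  - deb http://mirrors.online.net/ubuntu focal-updates multiverse
  - deb http://mirrors.online.net/ubuntu focal-backports main restricted universe multiverse
  - deb http://security.ubuntu.com/ubuntu focal-security main restricted
  - deb http://security.ubuntu.com/ubuntu focal-security universe
  - deb http://security.ubuntu.com/ubuntu focal-security multiverse
apt_packages:
  - name: openssh-server
  - name: proxychains

############
# ALERTING #
############
# One cron entry per check; every job runs the same script with the check name.
alerts_cron:
  - name: storage
    weekday: 0
    minute: 0
    hour: 15
    user: root
    job: "/usr/local/scripts/alerts.sh storage >/dev/null 2>&1"
    cron_file: alerts
  - name: load
    weekday: "*"
    minute: "*/5"
    hour: "*"
    user: root
    job: "/usr/local/scripts/alerts.sh load >/dev/null 2>&1"
    cron_file: alerts
  - name: cpu
    weekday: "*"
    minute: "*/5"
    hour: "*"
    user: root
    job: "/usr/local/scripts/alerts.sh cpu >/dev/null 2>&1"
    cron_file: alerts
  - name: ping
    weekday: "*"
    minute: "*"  # every minute between 12:00 and 12:59 — confirm this is intended
    hour: 12
    user: root
    job: "/usr/local/scripts/alerts.sh ping >/dev/null 2>&1"
    cron_file: alerts
  - name: ssl
    weekday: "*"
    minute: 0
    hour: 15
    user: root
    job: "/usr/local/scripts/alerts.sh ssl >/dev/null 2>&1"
    cron_file: alerts
  # A second, byte-identical `storage` entry used to follow here; dropped as a duplicate.
  - name: backup_git
    weekday: "*"
    minute: 0
    hour: 18
    user: root
    job: "/usr/local/scripts/alerts.sh backup_git >/dev/null 2>&1"
    cron_file: alerts
  - name: backup_vault
    weekday: "*"
    minute: 0
    hour: 20
    user: root
    job: "/usr/local/scripts/alerts.sh backup_vault >/dev/null 2>&1"
    cron_file: alerts

# Notification target per check (consumed by alerts.sh; not visible here).
alerts_storage: scaleway
alerts_load: scaleway
alerts_ping: ovh
alerts_health: scaleway
alerts_backup_gitea: scaleway  # the cron job above is named `backup_git` — confirm alerts.sh maps it to this key
alerts_backup_vault: scaleway
alerts_cpu: scaleway
alerts_ssl: scaleway

##############
# LOG ROTATE #
##############
logrotate_scripts:
  - name: backup
    paths:
      - /opt/dockerapps/backup/*.zip
      - /opt/dockerapps/vaultwarden/backup/*.tar.xz.gpg
    options:
      - daily
      - rotate 4
      - compress
      - missingok
      - notifempty
      - create 0644 root root
  - name: dockerapps-git
    path: /opt/dockerapps/logs/homeserver/git*.log
    options:
      - rotate 12
      - monthly
      - compress
      - missingok
      - delaycompress
    scripts:
      postrotate: docker-compose restart gitea
  - name: dockerapps-grafa
    path: /opt/dockerapps/logs/homeserver/grafa*.log
    options:
      - rotate 12
      - monthly
      - compress
      - missingok
      - delaycompress
    scripts:
      postrotate: docker-compose restart grafana
  - name: dockerapps-traef
    path: /opt/dockerapps/logs/homeserver/traef*.log
    options:
      - rotate 12
      - monthly
      - compress
      - missingok
      - delaycompress
    scripts:
      postrotate: docker-compose restart traefik
  - name: dockerapps-vault
    path: /opt/dockerapps/logs/homeserver/vault*.log
    options:
      - rotate 12
      - monthly
      - compress
      - missingok
      - delaycompress
    scripts:
      postrotate: docker-compose restart vault
      # name: restart gitea
      # script: docker-compose restart gitea
      # - postrotate: docker-compose restart vaultwarden
      # - postrotate: docker-compose restart grafana
  - name: dockerapps-backup
    paths:
      - /opt/dockerapps/backup/gitea-dump-*.zip.1.gz
      - /opt/dockerapps/vaultwarden/backup/*gpg.1.gz
    options:
      - rotate 6
      - monthly
      - compress
      - missingok
      - delaycompress

##########
# CHISEL #
##########
# SHOULD BE IN [server] GROUP
chisel_server: true
chisel_basic_auth: "{{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}"
chisel_service_name: chisel-server
chisel_config_name: chisel-server
# lineinfile-style edits applied to the chisel unit config and to proxychains.
chisel_proxychains_conf:
  # chisel enable socks5, reverse and basic auth
  - path: "/etc/chisel/{{ chisel_config_name }}.conf"
    regexp: "^SOCK5=--socks5"
    state: present
    line: "SOCK5=--socks5"
  - path: "/etc/chisel/{{ chisel_config_name }}.conf"
    regexp: "^PID=--reverse"
    state: present
    line: "PID=--reverse"
  - path: "/etc/chisel/{{ chisel_config_name }}.conf"
    regexp: "^AUTH=--auth {{ chisel_basic_auth }}"
    state: present
    line: "AUTH=--auth {{ chisel_basic_auth }}"
  - path: "/etc/chisel/{{ chisel_config_name }}.conf"
    regexp: "^HOST=--host {{ chisel_server_host }}"
    state: present
    line: "HOST=--host {{ chisel_server_host }}"
  # proxychains replace socks4 to socks5
  - path: "/etc/proxychains.conf"
    regexp: "^socks4 127.0.0.1 9050"
    state: absent
  - path: "/etc/proxychains.conf"
    regexp: "^socks5 {{ chisel_server_host }} 1080"
    state: present
    line: "socks5 {{ chisel_server_host }} 1080"

##################
# DOCKER-COMPOSE #
##################
# Host directories created under `dockerapp_tree_base_dir` before compose runs.
# NOTE(review): some bind mounts in the compose file below (e.g. gitea/gitea-db,
# semaphore/semaphore-db, semaphore/inventory) are not listed here; docker creates
# missing host directories itself, owned by root — confirm that is acceptable.
dockerapp_tree_volumes:
  # ALERT
  - alertmanager
  - alertmanager/cache
  - alertmanager/config
  # ARA
  - ara
  # BLACKBOX
  - blackbox
  - blackbox/config
  # GIT
  - gitea
  - gitea/gitea
  - gitea/db
  - gitea/runner
  # GRAF
  - grafana
  - grafana/etc
  - grafana/lib
  # HOMARR
  - homarr
  - homarr/configs
  - homarr/icons
  # HOME
  - homepage
  - homepage/homepage
  - homepage/icons
  # MEALIE
  - mealie
  # PORT
  - portainer
  # PROM
  - prometheus
  - prometheus/prometheus
  - prometheus/prometheus_data
  # REGISTRY
  - registry
  - registry/data
  # SEMA
  - semaphore
  # TRAF
  - traefik2
  - traefik2/acme
  - traefik2/rules
  # VAULT
  - vaultwarden
  # WIRE
  - wireguard
  - wireguard/config
  - wireguard/lib
  - wireguard/lib/modules
dockerapp_tree_base_dir:
  - "/opt/"
dockerapp_service: dockerapps
docker_install_compose: false
pip_executable: pip3
pip_install_packages:
  - docker-compose

dockerapp_compose:
  version: "3.9"
  ######### IMPORTANT #############
  # This is my main docker-compose file with most of the apps. I run docker on other systems with smaller stacks (web and synology).
  # You can copy-paste services from one docker-compose file in this repo to another to add other apps.
  # 90+ Open source docker stacks
  # https://github.com/ethibox/awesome-stacks
  # FROM
  # https://github.com/htpcBeginner/docker-traefik/blob/master/docker-compose-t2.yml

  ########################### SYSTEM DESCRIPTION
  # DOCKER-COMPOSE FOR HOME/MEDIA SERVER
  # PROXMOX HOST: Dual Intel Xeon 5420, 16 GB RAM, 240 GB SSD, and 2 TB HDD
  # VM: 6 CORES, 12 GB RAM, Ubuntu 20.04, and Docker
  # 32 GB for /, 64 GB for /var/lib/docker and transcoding, and 1.5 TB for non-critical data and rclone cache.
  # Google Drive mounted using Rclone Docker for media and Proxmox backups

  ########################### NETWORKS
  # There is no need to create any networks outside this docker-compose file.
  # You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please.
  # Docker Compose version 3.5 or higher required to define networks this way.
  networks:
    t2_proxy:
      name: t2_proxy
      driver: bridge
      ipam:
        config:
          - subnet: 192.168.90.0/24
    default:
      driver: bridge
    # Only traefik, dozzle and socket-proxy sit on this network, so the docker
    # socket is never reachable from the proxied apps.
    socket_proxy:
      name: socket_proxy
      driver: bridge
      ipam:
        config:
          - subnet: 192.168.91.0/24

  ########################### EXTENSION FIELDS
  # Helps eliminate repetition of sections
  # More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228

  # Common environment values
  # x-environment: &default-tz-puid-pgid
  #   TZ: Europe/Paris
  #   PUID: 1000
  #   PGID: 1000

  # Proxy Network and Security
  # x-network-and-security: &network-and-security
  #   networks:
  #     - t2_proxy
  #   security_opt:
  #     - no-new-privileges:true

  # Keys common to some of the services in basic-services.txt
  # x-common-keys-core: &common-keys-core
  #   <<: *network-and-security
  #   restart: always
  #   # profiles:
  #   # - basic

  # Keys common to some of the dependent services/apps
  # x-common-keys-apps: &common-keys-apps
  #   <<: *network-and-security
  #   restart: unless-stopped
  #   # profiles:
  #   # - apps

  # Keys common to some of the services in media-services.txt
  # x-common-keys-media: &common-keys-media
  #   <<: *network-and-security
  #   restart: "no"
  #   # profiles:
  #   # - media

  ########################### SERVICES
  services:
    ############################# FRONTENDS

    # Traefik 2 - Reverse Proxy
    # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
    # touch $DOCKERDIR/traefik2/acme/acme.json
    # chmod 600 $DOCKERDIR/traefik2/acme/acme.json
    # touch $DOCKERDIR/logs/homeserver/traefik.log # customize this
    #### LETSENCRYPT CHALLENGE ######
    # https://doc.traefik.io/traefik/user-guides/docker-compose/acme-http/
    # Add new https services/fqdn
    # uncomment acme.caserver line and remove /traefik2/acme/letsencrypt/acme.json file
    # Down all containers and up all (docker-compose down/up -d), wait for new cert/key in acme.json
    # At this moment, cert/key are staging, you need to comment acme.caserver line and remove acme.json file then restart traefik
    traefik:
      restart: always
      security_opt:
        - no-new-privileges:true
      container_name: traefik
      # NOTE(review): `latest` is unpinned; the CLI flags below (e.g.
      # providers.docker.swarmMode, the HostRegexp named-group rule) are v2
      # syntax, so a major-version move of the tag can break this config.
      image: traefik:latest
      command: # CLI arguments
        - --global.checkNewVersion=true
        - --global.sendAnonymousUsage=true
        - --entryPoints.http.address=:80/tcp
        - --entryPoints.https.address=:443/tcp
        - --entryPoints.wireguard.address=:443/udp
        - --api=true
        - --api.dashboard=true
        - --log=true
        - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
        - --accessLog=true
        - --accessLog.filePath=/traefik.log
        - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
        - --providers.docker=true
        - --providers.docker.endpoint=tcp://socket-proxy:2375
        - --providers.docker.exposedByDefault=false
        - --providers.docker.network=t2_proxy
        - --providers.docker.swarmMode=false
        - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory
        - --providers.file.watch=true # Only works on top level files in the rules folder
        - --metrics.prometheus=true
        - --metrics.prometheus.buckets=0.1,0.3,1.2,5.0
        - --metrics.prometheus.addEntryPointsLabels=true
        - --metrics.prometheus.addrouterslabels=true
        - --metrics.prometheus.addServicesLabels=true
        - --metrics.prometheus.manualrouting=true
        - --certificatesresolvers.letsencrypt-resolver.acme.tlschallenge=true
        # - --certificatesresolvers.letsencrypt-resolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
        - --certificatesresolvers.letsencrypt-resolver.acme.email=stephane.gratiasquiquandon@gmail.com
        - --certificatesresolvers.letsencrypt-resolver.acme.storage=/letsencrypt/acme.json
      networks:
        t2_proxy:
          ipv4_address: 192.168.90.254 # You can specify a static IP
        # Should connect to the docker socket
        socket_proxy:
          ipv4_address: 192.168.91.3
      environment:
        TZ: Europe/Paris
        PUID: 1000
        PGID: 1000
      ports:
        - target: 80
          published: 80
          protocol: tcp
          mode: host
        - target: 443
          published: 443
          protocol: tcp
          mode: host
        - target: 443
          published: 443
          protocol: udp
          mode: host
      volumes:
        - ./traefik2/rules/homeserver:/rules # file provider directory
        - ./traefik2/acme/letsencrypt:/letsencrypt
        #- ./traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
        - ./logs/homeserver/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container
        - /etc/timezone:/etc/timezone:ro
        - /etc/localtime:/etc/localtime:ro
      labels:
        - "traefik.enable=true"
        # HTTP-to-HTTPS Redirect
        - "traefik.http.routers.http-catchall.entrypoints=http"
        - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
        - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
        - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
        - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true"
        # HTTP Routers
        - "traefik.http.routers.traefik-rtr.entrypoints=https"
        - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.jingoh.fr`)"
        ## Services - API
        - "traefik.http.routers.traefik-rtr.service=api@internal"
        - "traefik.http.routers.traefik-rtr.tls=true"
        ## MONITORING
        - "traefik.http.routers.prometheus.entrypoints=https"
        - "traefik.http.routers.prometheus.rule=Host(`traefik.jingoh.fr`) && PathPrefix(`/metrics`)"
        - "traefik.http.routers.prometheus.service=prometheus@internal"
        - "traefik.http.routers.prometheus.middlewares=traefik-basic"
        ## Middlewares
        # echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g
        - "traefik.http.routers.traefik-rtr.middlewares=traefik-basic"
        - "traefik.http.middlewares.traefik-basic.basicauth.users=jingohtraf:$$2y$$05$$JO8mJnOV2PARzEcVj.Grp.H.JbkWYneAIjgMt7c0.5NTyBNDkRIiW"
        #- "traefik.http.middlewares.traefik-rtr-ratelimit.ratelimit.average=10"
        # - "traefik.http.middlewares.traefik-rtr-ratelimit.ratelimit.burst=10"
        # - "traefik.http.middlewares.traefik-rtr-ratelimit.ratelimit.period=1"
        # - "traefik.http.routers.traefik-rtr-ratelimit.middlewares=traefik-rtr-ratelimit@docker"
        ## TLS
        - "traefik.http.routers.traefik-rtr.tls.certresolver=letsencrypt-resolver"
        - "traefik.http.routers.prometheus.tls.certresolver=letsencrypt-resolver"

    # Docker Socket Proxy - Security Enhanced Proxy for Docker Socket
    socket-proxy:
      restart: always
      security_opt:
        - no-new-privileges:true # See EXTENSION FIELDS at the top
      container_name: socket-proxy
      image: tecnativa/docker-socket-proxy:latest
      networks:
        socket_proxy:
          ipv4_address: 192.168.91.254 # You can specify a static IP
      volumes:
        - "/var/run/docker.sock:/var/run/docker.sock"
      environment:
        - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
        ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
        # 0 to revoke access.
        # 1 to grant access.
        ## Granted by Default
        - EVENTS=1
        - PING=1
        - VERSION=1
        ## Revoked by Default
        # Security critical
        - AUTH=0
        - SECRETS=0
        - POST=0 # Watchtower
        # Not always needed
        - BUILD=0
        - COMMIT=0
        - CONFIGS=0
        - CONTAINERS=1 # Traefik, portainer, etc.
        - DISTRIBUTION=0
        - EXEC=0
        - IMAGES=1 # Portainer
        - INFO=1 # Portainer
        - NETWORKS=1 # Portainer
        - NODES=0
        - PLUGINS=0
        - SERVICES=1 # Portainer
        - SESSION=0
        - SWARM=0
        - SYSTEM=0
        - TASKS=1 # Portainer
        - VOLUMES=1 # Portainer

    # Dozzle - Real-time Docker Log Viewer
    dozzle:
      restart: always
      security_opt:
        - no-new-privileges:true # See EXTENSION FIELDS at the top
      image: amir20/dozzle:latest
      container_name: dozzle
      networks:
        t2_proxy:
          ipv4_address: 192.168.90.169
        # Should connect to the docker engine socket to collect logs
        socket_proxy:
          ipv4_address: 192.168.91.2
      environment:
        TZ: Europe/Paris
        PUID: 1000
        PGID: 1000
        DOZZLE_LEVEL: info
        #DOZZLE_TAILSIZE: 300
        DOZZLE_FILTER: "status=running"
        DOCKER_HOST: tcp://socket-proxy:2375
        #DOZZLE_ADDR: ":8181"
      volumes:
        - /etc/timezone:/etc/timezone:ro
        - /etc/localtime:/etc/localtime:ro
      labels:
        - "traefik.enable=true"
        ## HTTP Routers
        - "traefik.http.routers.dozzle-rtr-http.entrypoints=http"
        - "traefik.http.routers.dozzle-rtr-http.rule=Host(`dozzle.jingoh.fr`)"
        - "traefik.http.routers.dozzle-rtr-http.middlewares=redirect-to-https"
        ## HTTPS Routers
        - "traefik.http.routers.dozzle-rtr.entrypoints=https"
        - "traefik.http.routers.dozzle-rtr.rule=Host(`dozzle.jingoh.fr`)"
        ## Services
        - "traefik.http.routers.dozzle-rtr.service=dozzle-svc"
        - "traefik.http.services.dozzle-svc.loadbalancer.server.port=8080"
        ## Middlewares
        - "traefik.http.routers.dozzle-rtr.middlewares=dozzle-basic"
        - "traefik.http.middlewares.dozzle-basic.basicauth.users=jingohdoz:$$2y$$05$$e5x192gFu6uBevLcZNNU9eEWnekh3p.F8cffX19EBTLMwBQoqHcwW"
        ## TLS
        - "traefik.http.routers.dozzle-rtr.tls.certresolver=letsencrypt-resolver"

    # conf file in /gitea/gitea/gitea/conf/app.ini
    # [metrics]
    # [log]
    gitea:
      restart: always
      security_opt:
        - no-new-privileges:true # See EXTENSION FIELDS at the top
      image: gitea/gitea:latest
      container_name: gitea
      networks:
        t2_proxy:
          ipv4_address: 192.168.90.170
      environment:
        TZ: Europe/Paris
        PUID: 1000
        PGID: 1000
        GITEA__database__DB_TYPE: postgres
        GITEA__database__HOST: gitea-db:5432
        GITEA__server__DOMAIN: gitea.jingoh.fr
        GITEA__server__ROOT_URL: https://gitea.jingoh.fr
        GITEA__server__HTTP_PORT: 3000
        GITEA__server__START_SSH_SERVER: "true"
        # SSH is advertised on 443 and reached through traefik's `https`
        # entrypoint (TCP router below); the built-in server listens on 2222.
        GITEA__server__SSH_PORT: 443
        GITEA__server__SSH_LISTEN_PORT: 2222
        GITEA__server__SSH_DOMAIN: gitea.jingoh.fr
        GITEA__repository__USE_COMPAT_SSH_URI: "false"
        GITEA__database__NAME: gitea
        GITEA__database__USER: root
        # Must match POSTGRES_PASSWORD on gitea-db (same vault variable).
        GITEA__database__PASSWD: "{{ vault_gitea_db_password }}"
      volumes:
        - ./logs/homeserver/gitea.log:/data/gitea/log/gitea.log
        - ./gitea/gitea:/data
        - /etc/timezone:/etc/timezone:ro
        - /etc/localtime:/etc/localtime:ro
      labels:
        - "traefik.enable=true"
        ## HTTP Routers
        - "traefik.http.routers.gitea-rtr-http.entrypoints=http"
        - "traefik.http.routers.gitea-rtr-http.rule=Host(`gitea.jingoh.fr`)"
        - "traefik.http.routers.gitea-rtr-http.middlewares=redirect-to-https"
        ## HTTPS Routers
        - "traefik.http.routers.gitea-rtr.entrypoints=https"
        - "traefik.http.routers.gitea-rtr.rule=Host(`gitea.jingoh.fr`)"
        ## Middlewares
        # git push doesn't work with basicauth
        #- "traefik.http.routers.gitea-rtr.middlewares=gitea-basic"
        #- "traefik.http.middlewares.gitea-basic.basicauth.users=jingohgit:$$2y$$05$$iBHOV.3zFZFTp4kRqD7.I.hQ/Rx3qeHoUjq/3KztwzyU8t1BIK/ne"
        ## Services
        - "traefik.http.routers.gitea-rtr.service=gitea-svc"
        - "traefik.http.services.gitea-svc.loadbalancer.server.port=3000"
        ## SSH
        - "traefik.tcp.routers.gitea-ssh.rule=HostSNI(`*`)"
        - "traefik.tcp.routers.gitea-ssh.entrypoints=https"
        - "traefik.tcp.routers.gitea-ssh.service=gitea-ssh-svc"
        - "traefik.tcp.services.gitea-ssh-svc.loadbalancer.server.port=2222"
        ## TLS
        - "traefik.http.routers.gitea-rtr.tls.certresolver=letsencrypt-resolver"

    gitea-db:
      restart: always
      security_opt:
        - no-new-privileges:true # See EXTENSION FIELDS at the top
      image: postgres:14
      container_name: gitea-db
      networks:
        t2_proxy:
          ipv4_address: 192.168.90.171
      environment:
        TZ: Europe/Paris
        PUID: 1000
        PGID: 1000
        POSTGRES_USER: root
        POSTGRES_PASSWORD: "{{ vault_gitea_db_password }}"
        POSTGRES_DB: gitea
      volumes:
        - ./gitea/gitea-db:/var/lib/postgresql/data
        - /etc/timezone:/etc/timezone:ro
        - /etc/localtime:/etc/localtime:ro
      labels:
        - traefik.enable=false

    # https://github.com/ngoduykhanh/wireguard-ui/blob/master/docker-compose.yaml -> wireguard-ui
    wireguard:
      restart: always
      security_opt:
        - no-new-privileges:true # See EXTENSION FIELDS at the top
      image: lscr.io/linuxserver/wireguard:latest
      container_name: wireguard
      cap_add:
        - NET_ADMIN
        - SYS_MODULE
      environment:
        TZ: Europe/Paris
        PUID: 1000
        PGID: 1000
        SERVERURL: 163.172.84.28  # optional
        SERVERPORT: 443  # optional
        PEERS: 2  # optional
        PEERDNS: auto  # optional
        INTERNAL_SUBNET: 10.13.13.0  # optional
        ALLOWEDIPS: 0.0.0.0/0  # optional
        LOG_CONFS: "true"  # optional; peer configs (private keys) are written to the container log
      networks:
        t2_proxy:
          ipv4_address: 192.168.90.173
      volumes:
        - ./wireguard/config:/config
        - ./wireguard/lib/modules:/lib/modules
        - /etc/timezone:/etc/timezone:ro
        - /etc/localtime:/etc/localtime:ro
      sysctls:
        - net.ipv4.conf.all.src_valid_mark=1
      labels:
        - "traefik.enable=true"
        ## UDP Routers
        - "traefik.udp.routers.wireguard-rtr.entrypoints=wireguard"
        - "traefik.udp.services.wireguard.loadbalancer.server.port=51820"
      depends_on:
        - traefik

    # Grafana - Graphical data visualization
    ## Reset password command-line -> grafana-cli $username reset-admin-password $password
    ## Enable log file with rotate (/etc/grafana/grafana.ini)
    grafana:
      restart: always
      security_opt:
        - no-new-privileges:true # See EXTENSION FIELDS at the top
      image: grafana/grafana:latest
      container_name: grafana
      networks:
        t2_proxy:
          ipv4_address: 192.168.90.175
      # ports:
      #   - "$GRAFANA_PORT:3000"
      user: root
      volumes:
        - ./grafana/lib:/var/lib/grafana
        - ./logs/homeserver/grafana.log:/var/log/grafana/grafana.log
      environment:
        TZ: Europe/Paris
        PUID: 1000
        PGID: 1000
        GF_INSTALL_PLUGINS: "grafana-clock-panel,grafana-simple-json-datasource,grafana-worldmap-panel,grafana-piechart-panel"
      labels:
        - "traefik.enable=true"
        ## HTTP Routers
        - "traefik.http.routers.grafana-rtr-http.entrypoints=http"
        - "traefik.http.routers.grafana-rtr-http.rule=Host(`grafana.jingoh.fr`)"
        - "traefik.http.routers.grafana-rtr-http.middlewares=redirect-to-https"
        ## HTTPS Routers
        - "traefik.http.routers.grafana-rtr.entrypoints=https"
        - "traefik.http.routers.grafana-rtr.rule=Host(`grafana.jingoh.fr`)"
        ## Services
        - "traefik.http.routers.grafana-rtr.service=grafana-svc"
        - "traefik.http.services.grafana-svc.loadbalancer.server.port=3000"
        ## TLS
        - "traefik.http.routers.grafana-rtr.tls.certresolver=letsencrypt-resolver"
        ## Middlewares
        - "traefik.http.routers.grafana-rtr.middlewares=grafana-basic"
        - "traefik.http.middlewares.grafana-basic.basicauth.users=jingohgraf:$$2y$$05$$DMxSbnKhLv0zW2qYzMpkj.idi88EsFsIdgKoYPzFpxo9ErDHLYCAi"
        # NEEDED IF CONFLICTS BETWEEN BASICAUTH AND APP LOGIN PAGE
        - "traefik.http.middlewares.grafana-basic.basicauth.removeheader=true"

    prometheus:
      restart: always
      security_opt:
        - no-new-privileges:true # See EXTENSION FIELDS at the top
      image: prom/prometheus:latest
      container_name: prometheus
      user: root
      networks:
        t2_proxy:
          ipv4_address: 192.168.90.176
      volumes:
        - ./prometheus/prometheus:/etc/prometheus/
        - ./prometheus/prometheus_data:/prometheus
      command:
        - '--config.file=/etc/prometheus/prometheus.yml'
        - '--storage.tsdb.path=/prometheus'
        - '--web.console.libraries=/usr/share/prometheus/console_libraries'
        - '--web.console.templates=/usr/share/prometheus/consoles'
      labels:
        - "traefik.enable=true"
        ## HTTP Routers
        - "traefik.http.routers.prometheus-rtr-http.entrypoints=http"
        - "traefik.http.routers.prometheus-rtr-http.rule=Host(`prometheus.jingoh.fr`)"
        - "traefik.http.routers.prometheus-rtr-http.middlewares=redirect-to-https"
        # HTTPS
        - "traefik.http.routers.prometheus-rtr.entrypoints=https"
        - "traefik.http.routers.prometheus-rtr.rule=Host(`prometheus.jingoh.fr`)"
        - "traefik.http.routers.prometheus-rtr.service=prometheus-svc"
        - "traefik.http.services.prometheus-svc.loadbalancer.server.port=9090"
        - "traefik.docker.network=t2_proxy"
        ## Middlewares
        - "traefik.http.routers.prometheus-rtr.middlewares=prometheus-basic"
        - "traefik.http.middlewares.prometheus-basic.basicauth.users=jingohprom:$$2y$$05$$7cf/zuj8lI4Gt9K3xfWEKu.hKwzi1lxsjImgvSc9tHZ0QqHOxagH."
        ## TLS
        - "traefik.http.routers.prometheus-rtr.tls.certresolver=letsencrypt-resolver"

    # https://pieterhollander.nl/post/bitwarden/
    # https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
    # https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
    vaultwarden:
      restart: always
      security_opt:
        - no-new-privileges:true # See EXTENSION FIELDS at the top
      image: vaultwarden/server:latest
      container_name: vault
      environment:
        TZ: Europe/Paris
        PUID: 1000
        PGID: 1000
        WEBSOCKET_ENABLED: 1
        ROCKET_PORT: 80
        DOMAIN: https://vault.jingoh.fr
        # Grants the /admin panel. Vaultwarden also accepts an argon2 PHC hash
        # here instead of the clear token — prefer that for the vaulted value.
        ADMIN_TOKEN: "{{ vault_vaultwarden_admin_token }}"
        LOG_FILE: /var/log/vaultwarden.log
        SIGNUPS_ALLOWED: "false"
      networks:
        t2_proxy:
          ipv4_address: 192.168.90.177
      volumes:
        - ./vaultwarden:/data
        - ./logs/homeserver/vaultwarden.log:/var/log/vaultwarden.log
      labels:
        - traefik.enable=true
        ## HTTP Routers
        - "traefik.http.routers.bitwarden-rtr-http.entrypoints=http"
        # Host aligned with the https router and DOMAIN (was `bitwarden.jingoh.fr`).
        - "traefik.http.routers.bitwarden-rtr-http.rule=Host(`vault.jingoh.fr`)"
        - "traefik.http.routers.bitwarden-rtr-http.middlewares=redirect-to-https"
        ## HTTPS Routers
        - traefik.docker.network=t2_proxy
        - traefik.http.routers.bitwarden-rtr.entrypoints=https
        - "traefik.http.routers.bitwarden-rtr.rule=Host(`vault.jingoh.fr`)"
        - traefik.http.routers.bitwarden-rtr.tls=true
        - traefik.http.routers.bitwarden-rtr.service=bitwarden-svc
        - traefik.http.services.bitwarden-svc.loadbalancer.server.port=80
        - traefik.http.routers.bitwarden-websocket-rtr.entrypoints=https
        - "traefik.http.routers.bitwarden-websocket-rtr.rule=Host(`vault.jingoh.fr`) && Path(`/notifications/hub`)"
        - traefik.http.routers.bitwarden-websocket-rtr.service=bitwarden-websocket-svc
        - traefik.http.services.bitwarden-websocket-svc.loadbalancer.server.port=3012
        ## TLS
        - "traefik.http.routers.bitwarden-rtr.tls.certresolver=letsencrypt-resolver"
        - "traefik.http.routers.bitwarden-websocket-rtr.tls.certresolver=letsencrypt-resolver"

    homepage:
      restart: always
      security_opt:
        - no-new-privileges:true # See EXTENSION FIELDS at the top
      image: ghcr.io/gethomepage/homepage:latest
      container_name: homepage
      networks:
        t2_proxy:
          ipv4_address: 192.168.90.178
      volumes:
        - ./homepage/homepage:/app/config
        - ./homepage/icons:/app/public/icons
        # NOTE(review): this is the raw docker socket, unlike traefik and dozzle
        # which go through socket-proxy; an exploited homepage would have full
        # daemon access. Pointing it at tcp://socket-proxy:2375 (homepage's
        # docker.yaml supports a host/port target) would close that gap.
        - "/var/run/docker.sock:/var/run/docker.sock"
      labels:
        - traefik.enable=true
        ## HTTP Routers
        - "traefik.http.routers.homepage-rtr-http.entrypoints=http"
        - "traefik.http.routers.homepage-rtr-http.rule=Host(`homepage.jingoh.fr`)"
        - "traefik.http.routers.homepage-rtr-http.middlewares=redirect-to-https"
        ## HTTPS Routers
        - traefik.docker.network=t2_proxy
        - traefik.http.routers.homepage-rtr.entrypoints=https
        - "traefik.http.routers.homepage-rtr.rule=Host(`homepage.jingoh.fr`)"
        - traefik.http.routers.homepage-rtr.tls=true
        - traefik.http.routers.homepage-rtr.service=homepage-svc
        - traefik.http.services.homepage-svc.loadbalancer.server.port=3000
        ## TLS
        - "traefik.http.routers.homepage-rtr.tls.certresolver=letsencrypt-resolver"

    registry:
      restart: always
      security_opt:
        - no-new-privileges:true # See EXTENSION FIELDS at the top
      image: registry:2
      container_name: registry
      networks:
        t2_proxy:
          ipv4_address: 192.168.90.179
      environment:
        REGISTRY_STORAGE_DELETE_ENABLED: 'true'
      volumes:
        - ./registry/data:/var/lib/registry

    registry-ui:
      restart: always
      security_opt:
        - no-new-privileges:true # See EXTENSION FIELDS at the top
      image: joxit/docker-registry-ui:latest
      expose:
        - 80
      environment:
        - DELETE_IMAGES=true
        - NGINX_PROXY_PASS_URL=http://registry:5000
        - SINGLE_REGISTRY=true
        - REGISTRY_TITLE= 🧱 Jingoh Container Registry 🧱
      container_name: registry-ui
      networks:
        t2_proxy:
          ipv4_address: 192.168.90.180
      depends_on:
        - registry
      labels:
        - traefik.enable=true
        ## HTTP Routers
        - traefik.http.routers.registry-rtr-http.entrypoints=http
        - "traefik.http.routers.registry-rtr-http.rule=Host(`registry.jingoh.fr`)"
        - traefik.http.routers.registry-rtr-http.middlewares=redirect-to-https
        ## HTTPS Routers
        - traefik.docker.network=t2_proxy
        - traefik.http.routers.registry-rtr.entrypoints=https
        - "traefik.http.routers.registry-rtr.rule=Host(`registry.jingoh.fr`)"
        - traefik.http.routers.registry-rtr.tls=true
        - traefik.http.routers.registry-rtr.service=registry-svc
        - traefik.http.services.registry-svc.loadbalancer.server.port=80
        ## TLS
        - traefik.http.routers.registry-rtr.tls.certresolver=letsencrypt-resolver
        ## Middlewares
        - "traefik.http.routers.registry-rtr.middlewares=registry-basic"
        - "traefik.http.middlewares.registry-basic.basicauth.users=jingohdocker:$$2y$$05$$dEBjltxSmPyUuQG3ewQXSu8ez97J8562/XhoDw6AoLbmc3ZQTKg4C"

    # ntfy push server (the `alertmanager` directory name is historical).
    alert:
      restart: always
      security_opt:
        - no-new-privileges:true # See EXTENSION FIELDS at the top
      image: binwiederhier/ntfy:latest
      container_name: alert
      networks:
        t2_proxy:
          ipv4_address: 192.168.90.181
      volumes:
        - ./alertmanager/config/alertmanager.yml:/etc/ntfy/server.yml
        - ./alertmanager/cache/:/var/cache/ntfy/
      command: serve
      expose:
        - 80
      labels:
        - traefik.enable=true
        ## HTTP Routers
        - traefik.http.routers.alertmanager-rtr-http.entrypoints=http
        - "traefik.http.routers.alertmanager-rtr-http.rule=Host(`alert.jingoh.fr`)"
        - traefik.http.routers.alertmanager-rtr-http.middlewares=redirect-to-https
        ## HTTPS Routers
        - traefik.docker.network=t2_proxy
        - traefik.http.routers.alertmanager-rtr.entrypoints=https
        - "traefik.http.routers.alertmanager-rtr.rule=Host(`alert.jingoh.fr`)"
        - traefik.http.routers.alertmanager-rtr.tls=true
        - traefik.http.routers.alertmanager-rtr.service=alertmanager-svc
        - traefik.http.services.alertmanager-svc.loadbalancer.server.port=80
        ## TLS
        - traefik.http.routers.alertmanager-rtr.tls.certresolver=letsencrypt-resolver
        ## Middlewares
        - "traefik.http.routers.alertmanager-rtr.middlewares=alertmanager-basic"
        # Same bcrypt hash as registry-basic above, i.e. the same password guards both.
        - "traefik.http.middlewares.alertmanager-basic.basicauth.users=jingohalert:$$2y$$05$$dEBjltxSmPyUuQG3ewQXSu8ez97J8562/XhoDw6AoLbmc3ZQTKg4C"

    exporter:
      image: prom/node-exporter:latest
      container_name: exporter
      restart: always
      security_opt:
        - no-new-privileges:true # See EXTENSION FIELDS at the top
      user: root
      volumes:
        - /:/host:ro
      command:
        - '--path.procfs=/host/proc'
        # The host root is mounted at /host (see volumes); the previous value
        # `/rootfs` pointed at a path that does not exist in this container, so
        # filesystem metrics described the container instead of the host.
        - '--path.rootfs=/host'
        - '--path.sysfs=/host/sys'
        - '--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)'
      networks:
        t2_proxy:
          ipv4_address: 192.168.90.183
      labels:
        - traefik.enable=true
        ## HTTP Routers
        - traefik.http.routers.exporter-rtr-http.entrypoints=http
        - "traefik.http.routers.exporter-rtr-http.rule=Host(`exporter.jingoh.fr`)"
        - traefik.http.routers.exporter-rtr-http.middlewares=redirect-to-https
        ## HTTPS Routers
        - traefik.docker.network=t2_proxy
        - traefik.http.routers.exporter-rtr.entrypoints=https
        - "traefik.http.routers.exporter-rtr.rule=Host(`exporter.jingoh.fr`)"
        - traefik.http.routers.exporter-rtr.tls=true
        - traefik.http.routers.exporter-rtr.service=exporter-svc
        - traefik.http.services.exporter-svc.loadbalancer.server.port=9100
        ## TLS
        - traefik.http.routers.exporter-rtr.tls.certresolver=letsencrypt-resolver
        ## Middlewares
        - "traefik.http.routers.exporter-rtr.middlewares=exporter-basic"
        - "traefik.http.middlewares.exporter-basic.basicauth.users=jingohblack:$$2y$$05$$Y8dT7mF46c0aSOyDb7Jq9.TisInl3dzuWSSwkXM08r1Q331HQ/b.C"

    ara-ui:
      image: recordsansible/ara-api:latest
      restart: always
      security_opt:
        - no-new-privileges:true # See EXTENSION FIELDS at the top
      environment:
        - 'ARA_ALLOWED_HOSTS=["ara.jingoh.fr", "localhost"]'
        - ARA_DATABASE_ENGINE=django.db.backends.postgresql
        - ARA_DATABASE_HOST=ara-db
        - ARA_DATABASE_NAME=ara
        # Must match POSTGRES_PASSWORD on ara-db (same vault variable).
        - "ARA_DATABASE_PASSWORD={{ vault_ara_db_password }}"
        - ARA_DATABASE_USER=ara
        - ARA_DATABASE_PORT=5432
      container_name: ara-ui
      networks:
        t2_proxy:
          ipv4_address: 192.168.90.184
      labels:
        - traefik.enable=true
        ## HTTP Routers
        - traefik.http.routers.ansible-rtr-http.entrypoints=http
        - "traefik.http.routers.ansible-rtr-http.rule=Host(`ara.jingoh.fr`)"
        - traefik.http.routers.ansible-rtr-http.middlewares=redirect-to-https
        ## HTTPS Routers
        - traefik.docker.network=t2_proxy
        - traefik.http.routers.ansible-rtr.entrypoints=https
        - "traefik.http.routers.ansible-rtr.rule=Host(`ara.jingoh.fr`)"
        - traefik.http.routers.ansible-rtr.tls=true
        - traefik.http.routers.ansible-rtr.service=ansible-svc
        - traefik.http.services.ansible-svc.loadbalancer.server.port=8000
        ## TLS
        - traefik.http.routers.ansible-rtr.tls.certresolver=letsencrypt-resolver
        ## Middlewares
        - "traefik.http.routers.ansible-rtr.middlewares=ansible-basic"
        # Same bcrypt hash as exporter-basic above.
        - "traefik.http.middlewares.ansible-basic.basicauth.users=jingohblack:$$2y$$05$$Y8dT7mF46c0aSOyDb7Jq9.TisInl3dzuWSSwkXM08r1Q331HQ/b.C"
        - "traefik.http.middlewares.ansible-basic.basicauth.removeheader=true"

    ara-db:
      restart: always
      security_opt:
        - no-new-privileges:true # See EXTENSION FIELDS at the top
      image: postgres:14
      container_name: ara-db
      networks:
        t2_proxy:
          ipv4_address: 192.168.90.185
      environment:
        TZ: Europe/Paris
        PUID: 1000
        PGID: 1000
        POSTGRES_USER: ara
        POSTGRES_PASSWORD: "{{ vault_ara_db_password }}"
        POSTGRES_DB: ara
      volumes:
        - ./ara:/var/lib/postgresql/data
        - /etc/timezone:/etc/timezone:ro
        - /etc/localtime:/etc/localtime:ro
      labels:
        - traefik.enable=false

    semaphore-db:
      restart: always
      security_opt:
        - no-new-privileges:true # See EXTENSION FIELDS at the top
      container_name: semaphore-db
      image: postgres:14
      hostname: postgres
      networks:
        t2_proxy:
          ipv4_address: 192.168.90.186
      volumes:
        - ./semaphore/semaphore-db:/var/lib/postgresql/data
      environment:
        POSTGRES_USER: semaphore
        POSTGRES_PASSWORD: "{{ vault_semaphore_db_password }}"
        POSTGRES_DB: semaphore
      labels:
        - traefik.enable=false

    semaphore:
      restart: always
      security_opt:
        - no-new-privileges:true # See EXTENSION FIELDS at the top
      expose:
        - 3000
      container_name: semaphore
      image: semaphoreui/semaphore:latest
      # NOTE(review): ${UID}/${GID} are resolved from the environment of whoever
      # runs docker-compose; bash does not export UID by default, so this can
      # render as ":" — confirm on the host.
      user: "${UID}:${GID}"
      networks:
        t2_proxy:
          ipv4_address: 192.168.90.187
      environment:
        - SEMAPHORE_DB_USER=semaphore
        # Must match POSTGRES_PASSWORD on semaphore-db (same vault variable).
        - "SEMAPHORE_DB_PASS={{ vault_semaphore_db_password }}"
        - SEMAPHORE_DB_HOST=semaphore-db
        - SEMAPHORE_DB_PORT=5432
        - SEMAPHORE_DB_DIALECT=postgres
        - SEMAPHORE_DB=semaphore
        - SEMAPHORE_PLAYBOOK_PATH=/tmp/semaphore/
        - "SEMAPHORE_ADMIN_PASSWORD={{ vault_semaphore_admin_password }}"
        - SEMAPHORE_ADMIN_NAME=admin
        - SEMAPHORE_ADMIN_EMAIL=admin@localhost
        - SEMAPHORE_ADMIN=admin
        # Encrypts the stored access keys; losing or rotating it invalidates them.
        - "SEMAPHORE_ACCESS_KEY_ENCRYPTION={{ vault_semaphore_access_key_encryption }}"
        - ANSIBLE_HOST_KEY_CHECKING=false # (optional) change to true if you want to enable host key checking
      volumes:
        - ./semaphore/inventory/:/inventory:ro
        - ./semaphore/authorized-keys/:/authorized-keys:ro
        - ./semaphore/config/:/etc/semaphore:rw
      depends_on:
        - semaphore-db
      labels:
        - traefik.enable=true
        ## HTTP Routers
        - traefik.http.routers.semaphore-rtr-http.entrypoints=http
        - "traefik.http.routers.semaphore-rtr-http.rule=Host(`semaphore.jingoh.fr`)"
        - traefik.http.routers.semaphore-rtr-http.middlewares=redirect-to-https
        ## HTTPS Routers
        - traefik.docker.network=t2_proxy
        - traefik.http.routers.semaphore-rtr.entrypoints=https
        - "traefik.http.routers.semaphore-rtr.rule=Host(`semaphore.jingoh.fr`)"
        - traefik.http.routers.semaphore-rtr.tls=true
        - traefik.http.routers.semaphore-rtr.service=semaphore-svc
        - traefik.http.services.semaphore-svc.loadbalancer.server.port=3000
        # ## WEBSOCKET
        # - traefik.http.routers.semaphore-websocket-rtr.entrypoints=https
        # - traefik.http.routers.semaphore-websocket-rtr.rule=Host(`semaphore.jingoh.fr`) && Path(`/api/ws`)
        # - traefik.http.routers.semaphore-websocket-rtr.service=semaphore-websocket-svc
        # - traefik.http.services.semaphore-websocket-svc.loadbalancer.server.port=3000
        ## TLS
        - traefik.http.routers.semaphore-rtr.tls.certresolver=letsencrypt-resolver
        # ## Middlewares
        # - "traefik.http.routers.semaphore-rtr.middlewares=semaphore-basic"
        # - "traefik.http.middlewares.semaphore-basic.basicauth.users=jingohblack:$$2y$$05$$Y8dT7mF46c0aSOyDb7Jq9.TisInl3dzuWSSwkXM08r1Q331HQ/b.C"
        # - "traefik.http.middlewares.semaphore-basic.basicauth.removeheader=true"

    # qBittorrent - Torrent downloader
    # Needs trailing / if using PathPrefixStrip
    # qbittorrent:
    #   <<: *common-keys-apps # See EXTENSION FIELDS at the top
    #   image: lscr.io/linuxserver/qbittorrent:latest
    #   container_name: qbittorrent
    #   networks:
    #     t2_proxy:
    #       ipv4_address: 192.168.90.174
    #   volumes:
    #     -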
./qbittorrent:/config # # - ./downloads:/downloads # # environment: # # # TZ: Europe/Paris # # PUID: 1000 # # PGID: 1000 # # # UMASK_SET: 002 # # labels: # # - "traefik.enable=true" # # ## HTTP Routers # # - "traefik.http.routers.qbittorrent-rtr.entrypoints=https" # # - "traefik.http.routers.qbittorrent-rtr.rule=Host(`qbit.jingoh.fr`)" # # ## Middlewares # # - "traefik.http.routers.qbittorrent-rtr.middlewares=test-auth" # # ## Services # # - "traefik.http.routers.qbittorrent-rtr.service=qbittorrent-svc" # # - "traefik.http.services.qbittorrent-svc.loadbalancer.server.port=8168" # # # Anti ddos # # - "traefik.http.middlewares.qbittorrent-rtr-ratelimit.ratelimit.average=10" # # - "traefik.http.middlewares.qbittorrent-rtr-ratelimit.ratelimit.burst=10" # # - "traefik.http.middlewares.qbittorrent-rtr-ratelimit.ratelimit.period=1" # # - "traefik.http.routers.qbittorrent-rtr-ratelimit.middlewares=qbittorrent-rtr-ratelimit@docker" # # docker run -p 9925:80 -v ./mealie:/app/data/ hkotel/mealie:latest # mealie: # container_name: mealie # image: hkotel/mealie:latest # user: "${UID}:${GID}" # environment: # - DEFAULT_EMAIL=stephane.gratiasquiquandon@gmail.com # - DEFAULT_GROUP=manger # - BASE_URL=mealie.jingoh.fr # networks: # t2_proxy: # ipv4_address: 192.168.90.188 # volumes: # - ./mealie/:/app/data/ # restart: always # security_opt: # - no-new-privileges:true # See EXTENSION FIELDS at the top # labels: # - traefik.enable=true # ## HTTPS Routers # - traefik.docker.network=t2_proxy # - traefik.http.routers.mealie-rtr.entrypoints=https # - traefik.http.routers.mealie-rtr.rule=Host(`mealie.jingoh.fr`) # - traefik.http.routers.mealie-rtr.tls=true # - traefik.http.routers.mealie-rtr.service=mealie-svc # - traefik.http.services.mealie-svc.loadbalancer.server.port=80 # ## TLS # - traefik.http.routers.mealie-rtr.tls.certresolver=letsencrypt-resolver # # homarr: # # container_name: homarr # # image: ghcr.io/ajnart/homarr:latest # # restart: unless-stopped # # networks: # # t2_proxy: 
# # ipv4_address: 192.168.90.189 # # volumes: # # - ./homarr/configs:/app/data/configs # # - ./homarr/icons:/app/public/icons # # labels: # # - traefik.enable=true # # ## HTTPS Routers # # - traefik.docker.network=t2_proxy # # - traefik.http.routers.homarr-rtr.entrypoints=https # # - traefik.http.routers.homarr-rtr.rule=Host(`homarr.jingoh.fr`) # # - traefik.http.routers.homarr-rtr.tls=true # # - traefik.http.routers.homarr-rtr.service=homarr-svc # # - traefik.http.services.homarr-svc.loadbalancer.server.port=7575 # # ## TLS # # - traefik.http.routers.homarr-rtr.tls.certresolver=letsencrypt-resolver # # ## Middleware IP whitelist # # - traefik.http.middlewares.dashboard-ipwhitelist.ipwhitelist.sourcerange=192.168.91.1/32 # # - traefik.http.routers.homarr-rtr.middlewares=dashboard-ipwhitelist # portainer: # container_name: portainer # image: portainer/portainer-ce:latest # restart: always # security_opt: # - no-new-privileges:true # networks: # t2_proxy: # ipv4_address: 192.168.90.190 # volumes: # - /etc/localtime:/etc/localtime:ro # - /var/run/docker.sock:/var/run/docker.sock:ro # - ./portainer/:/data/ # labels: # - traefik.enable=true # ## HTTPS Routers # - traefik.docker.network=t2_proxy # - traefik.http.routers.portainer-rtr.entrypoints=https # - traefik.http.routers.portainer-rtr.rule=Host(`docker.jingoh.fr`) # - traefik.http.routers.portainer-rtr.tls=true # - traefik.http.routers.portainer-rtr.service=portainer-svc # - traefik.http.services.portainer-svc.loadbalancer.server.port=9000 # ## TLS # - traefik.http.routers.homarr-rtr.tls.certresolver=letsencrypt-resolver # ## Middleware IP whitelist # # - traefik.http.middlewares.dashboard-ipwhitelist.ipwhitelist.sourcerange=192.168.91.1/32 # # - traefik.http.routers.homarr-rtr.middlewares=dashboard-ipwhitelist