--- ####### # APT # ####### apt_packages: - name: openssh-server - name: proxychains apt_repositories_sources: - deb http://mirrors.online.net/ubuntu focal main restricted - deb http://mirrors.online.net/ubuntu focal-updates main restricted - deb http://mirrors.online.net/ubuntu focal universe - deb http://mirrors.online.net/ubuntu focal-updates universe - deb http://mirrors.online.net/ubuntu focal multiverse - deb http://mirrors.online.net/ubuntu focal-updates multiverse - deb http://mirrors.online.net/ubuntu focal-backports main restricted universe multiverse - deb http://security.ubuntu.com/ubuntu focal-security main restricted - deb http://security.ubuntu.com/ubuntu focal-security universe - deb http://security.ubuntu.com/ubuntu focal-security multiverse ############ # ALERTING # ############ alerts_cron: - name: storage weekday: 0 minute: 0 hour: 15 user: root job: "/usr/local/scripts/alerts.sh storage >/dev/null 2>&1" cron_file: alerts - name: load weekday: "*" minute: "*/5" hour: "*" user: root job: "/usr/local/scripts/alerts.sh load >/dev/null 2>&1" cron_file: alerts - name: cpu weekday: "*" minute: "*/5" hour: "*" user: root job: "/usr/local/scripts/alerts.sh cpu >/dev/null 2>&1" cron_file: alerts - name: ping weekday: "*" minute: "*" hour: 12 user: root job: "/usr/local/scripts/alerts.sh ping >/dev/null 2>&1" cron_file: alerts - name: ssl weekday: "*" minute: 0 hour: 15 user: root job: "/usr/local/scripts/alerts.sh ssl >/dev/null 2>&1" cron_file: alerts - name: storage weekday: 0 minute: 0 hour: 15 user: root job: "/usr/local/scripts/alerts.sh storage >/dev/null 2>&1" cron_file: alerts - name: backup_git weekday: "*" minute: 0 hour: 18 user: root job: "/usr/local/scripts/alerts.sh backup_git >/dev/null 2>&1" cron_file: alerts - name: backup_vault weekday: "*" minute: 0 hour: 20 user: root job: "/usr/local/scripts/alerts.sh backup_vault >/dev/null 2>&1" cron_file: alerts alerts_storage: scaleway alerts_load: scaleway alerts_ping: ovh alerts_health: scaleway alerts_backup_gitea: scaleway alerts_backup_vault: scaleway alerts_cpu: scaleway alerts_ssl: scaleway ############## # LOG ROTATE # ############## logrotate_scripts: - name: backup paths: - /opt/dockerapps/backup/*.zip - /opt/dockerapps/appdata/vaultwarden/backup/*.tar.xz.gpg options: - daily - rotate 4 - compress - missingok - notifempty - create 0644 root root - name: dockerapps-git path: /opt/dockerapps/logs/homeserver/git*.log options: - rotate 12 - monthly - compress - missingok - delaycompress scripts: postrotate: docker-compose restart gitea - name: dockerapps-grafa path: /opt/dockerapps/logs/homeserver/grafa*.log options: - rotate 12 - monthly - compress - missingok - delaycompress scripts: postrotate: docker-compose restart grafana - name: dockerapps-traef path: /opt/dockerapps/logs/homeserver/traef*.log options: - rotate 12 - monthly - compress - missingok - delaycompress scripts: postrotate: docker-compose restart traefik - name: dockerapps-vault path: /opt/dockerapps/logs/homeserver/vault*.log options: - rotate 12 - monthly - compress - missingok - delaycompress scripts: postrotate: docker-compose restart vault # name: restart gitea # script: docker-compose restart gitea # - postrotate: docker-compose restart vaultwarden # - postrotate: docker-compose restart grafana - name: dockerapps-backup paths: - /opt/dockerapps/backup/gitea-dump-*.zip - /opt/dockerapps/appdata/vaultwarden/backup/*.gpg - /opt/dockerapps/appdata/vaultwarden/backup/*gpg.1.gz options: - rotate 6 - monthly - compress - missingok - delaycompress ########## # CHISEL # ########## # SHOULD BE IN [server] GROUP chisel_server: true chisel_basic_auth: "{{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}" chisel_service_name: chisel-server chisel_config_name: chisel-server chisel_proxychains_conf: # chisel enable socks5, reverse and basic auth - path: "/etc/chisel/{{ chisel_config_name }}.conf" regexp: "^SOCK5=--socks5" state: present line: "SOCK5=--socks5" - path: "/etc/chisel/{{ chisel_config_name }}.conf" regexp: "^PID=--reverse" state: present line: "PID=--reverse" - path: "/etc/chisel/{{ chisel_config_name }}.conf" regexp: "^AUTH=--auth {{ chisel_basic_auth }}" state: present line: "AUTH=--auth {{ chisel_basic_auth }}" - path: "/etc/chisel/{{ chisel_config_name }}.conf" regexp: "^HOST=--host {{ chisel_server_host }}" state: present line: "HOST=--host {{ chisel_server_host }}" # proxychains replace socks4 to socks5 - path: "/etc/proxychains.conf" regexp: "^socks4 127.0.0.1 9050" state: "absent" - path: "/etc/proxychains.conf" regexp: "^socks5 {{ chisel_server_host }} 1080" state: present line: "socks5 {{ chisel_server_host }} 1080" ################## # DOCKER-COMPOSE # ################## dockerapp_tree_volumes: - alertmanager - ara - blackbox - gitea - grafana - homarr - homepage - mealie - portainer - prometheus - registry - semaphore - traefik2 - vaultwarden - wireguard dockerapp_tree_base_dir: - "/opt/" dockerapp_service: dockerapps docker_install_compose: false pip_executable: pip3 pip_install_packages: - docker-compose dockerapp_compose: version: "3.9" ######### IMPORTANT ############# # This is my main docker-compose file with most of the apps. I run docker on other systems with smaller stacks (web and synology). # You can copy-paste services from one docker-compose file in this repo to another to add other apps. # 90+ Open source docker stacks #https://github.com/ethibox/awesome-stacks #FROM #https://github.com/htpcBeginner/docker-traefik/blob/master/docker-compose-t2.yml ########################### SYSTEM DESCRIPTION # DOCKER-COMPOSE FOR HOME/MEDIA SERVER # PROXMOX HOST: Dual Intel Xeon 5420, 16 GB RAM, 240 GB SSD, and 2 TB HDD # VM: 6 CORES, 12 GB RAM, Ubuntu 20.04, and Docker # 32 GB for /, 64 GB for /var/lib/docker and transcoding, and 1.5 TB for non-critical data and rclone cache. # Google Drive mounted using Rclone Docker for media and Proxmox backups ########################### NETWORKS # There is no need to create any networks outside this docker-compose file. # You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please. # Docker Compose version 3.5 or higher required to define networks this way. networks: t2_proxy: name: t2_proxy driver: bridge ipam: config: - subnet: 192.168.90.0/24 default: driver: bridge socket_proxy: name: socket_proxy driver: bridge ipam: config: - subnet: 192.168.91.0/24 ########################### EXTENSION FIELDS # Helps eliminate repetition of sections # More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228 # # Common environment values # x-environment: &default-tz-puid-pgid # TZ: Europe/Paris # PUID: 1000 # PGID: 1000 # # Proxy Network and Security # x-network-and-security: &network-and-security # networks: # - t2_proxy # security_opt: # - no-new-privileges:true # # Keys common to some of the services in basic-services.txt # x-common-keys-core: &common-keys-core # <<: *network-and-security # restart: always # # profiles: # # - basic # # Keys common to some of the dependent services/apps # x-common-keys-apps: &common-keys-apps # <<: *network-and-security # restart: unless-stopped # # profiles: # # - apps # # Keys common to some of the services in media-services.txt # x-common-keys-media: &common-keys-media # <<: *network-and-security # restart: "no" # # profiles: # # - media ########################### SERVICES services: ############################# FRONTENDS # Traefik 2 - Reverse Proxy # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600. # touch $DOCKERDIR/traefik2/acme/acme.json # chmod 600 $DOCKERDIR/traefik2/acme/acme.json # touch $DOCKERDIR/logs/homeserver/traefik.log # customize this #### LETSENCRYPT CHALLENGE ###### # https://doc.traefik.io/traefik/user-guides/docker-compose/acme-http/ # Add new https services/fqdn # uncomment acme.caserver line and remove appdata/traefik2/acme/letsencrypt/acme.json file # Down all containers and up all (docker-compose down/up -d), wait for news cert/key on acme.json # At this moment, cert/key are staging, you need to comment acme.caserver line and remove acme.json file then restart traefik traefik: #<<: *common-keys-core # See EXTENSION FIELDS at the top -> TODO container_name: traefik image: traefik:latest command: # CLI arguments - --global.checkNewVersion=true - --global.sendAnonymousUsage=true - --entryPoints.http.address=:80/tcp - --entryPoints.https.address=:443/tcp - --entryPoints.wireguard.address=:443/udp - --api=true - --api.dashboard=true - --log=true - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC - --accessLog=true - --accessLog.filePath=/traefik.log - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines - --providers.docker=true - --providers.docker.endpoint=tcp://socket-proxy:2375 - --providers.docker.exposedByDefault=false - --providers.docker.network=t2_proxy - --providers.docker.swarmMode=false - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory - --providers.file.watch=true # Only works on top level files in the rules folder - --metrics.prometheus=true - --metrics.prometheus.buckets=0.1,0.3,1.2,5.0 - --metrics.prometheus.addEntryPointsLabels=true - --metrics.prometheus.addrouterslabels=true - --metrics.prometheus.addServicesLabels=true - --metrics.prometheus.manualrouting=true - --certificatesresolvers.letsencrypt-resolver.acme.tlschallenge=true # - --certificatesresolvers.letsencrypt-resolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory - --certificatesresolvers.letsencrypt-resolver.acme.email=stephane.gratiasquiquandon@gmail.com - --certificatesresolvers.letsencrypt-resolver.acme.storage=/letsencrypt/acme.json networks: t2_proxy: ipv4_address: 192.168.90.254 # You can specify a static IP # Should connect to the docker socket socket_proxy: ipv4_address: 192.168.91.3 environment: #<<: *default-tz-puid-pgid -> TODO ports: - target: 80 published: 80 protocol: tcp mode: host - target: 443 published: 443 protocol: tcp mode: host - target: 443 published: 443 protocol: udp mode: host volumes: - ./appdata/traefik2/rules/homeserver:/rules # file provider directory - ./appdata/traefik2/acme/letsencrypt:/letsencrypt #- ./appdata/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600 - ./logs/homeserver/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container - /etc/timezone:/etc/timezone:ro - /etc/localtime:/etc/localtime:ro labels: - "traefik.enable=true" # HTTP-to-HTTPS Redirect - "traefik.http.routers.http-catchall.entrypoints=http" - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)" - "traefik.http.routers.http-catchall.middlewares=redirect-to-https" - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https" - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true" # HTTP Routers - "traefik.http.routers.traefik-rtr.entrypoints=https" - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.jingoh.fr`)" ## Services - API - "traefik.http.routers.traefik-rtr.service=api@internal" - "traefik.http.routers.traefik-rtr.tls=true" ## MONITORING - traefik.http.routers.prometheus.entrypoints=https - traefik.http.routers.prometheus.rule=Host(`traefik.jingoh.fr`) && PathPrefix(`/metrics`) - traefik.http.routers.prometheus.service=prometheus@internal - traefik.http.routers.prometheus.middlewares=traefik-basic ## Middlewares # echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g ## Middlewares - "traefik.http.routers.traefik-rtr.middlewares=traefik-basic" - "traefik.http.middlewares.traefik-basic.basicauth.users=jingohtraf:$$2y$$05$$JO8mJnOV2PARzEcVj.Grp.H.JbkWYneAIjgMt7c0.5NTyBNDkRIiW" #- "traefik.http.middlewares.traefik-rtr-ratelimit.ratelimit.average=10" # - "traefik.http.middlewares.traefik-rtr-ratelimit.ratelimit.burst=10" # - "traefik.http.middlewares.traefik-rtr-ratelimit.ratelimit.period=1" # - "traefik.http.routers.traefik-rtr-ratelimit.middlewares=traefik-rtr-ratelimit@docker" ## TLS - "traefik.http.routers.traefik-rtr.tls.certresolver=letsencrypt-resolver" - "traefik.http.routers.prometheus.tls.certresolver=letsencrypt-resolver"