From 6033bebef3f3a16796e7f3204642164e085d2323 Mon Sep 17 00:00:00 2001
From: BhasherBEL
Date: Sun, 16 Apr 2023 18:16:59 +0200
Subject: [PATCH] Split docker compose
---
 bxl-rpi/apps/docker-compose.baikal.yaml | 23 +
 bxl-rpi/apps/docker-compose.matrix.yaml | 39 ++
 bxl-rpi/apps/docker-compose.mediaserver.yaml | 188 ++++++
 bxl-rpi/apps/docker-compose.pihole.yaml | 38 ++
 bxl-rpi/apps/docker-compose.syncthing.yaml | 31 +
 bxl-rpi/apps/docker-compose.wireguard.yaml | 23 +
 bxl-rpi/deploy.sh | 5 +
 bxl-rpi/docker-compose.yaml | 556 ------------------
 bxl-rpi/system/docker-compose.auth.yaml | 99 ++++
 bxl-rpi/system/docker-compose.backup.yaml | 25 +
 bxl-rpi/system/docker-compose.monitoring.yaml | 101 ++++
 bxl-rpi/system/docker-compose.portainer.yaml | 23 +
 bxl-rpi/system/docker-compose.storage.yaml | 23 +
 bxl-rpi/system/docker-compose.traefik.yaml | 48 ++
 14 files changed, 666 insertions(+), 556 deletions(-)
 create mode 100644 bxl-rpi/apps/docker-compose.baikal.yaml
 create mode 100644 bxl-rpi/apps/docker-compose.matrix.yaml
 create mode 100644 bxl-rpi/apps/docker-compose.mediaserver.yaml
 create mode 100644 bxl-rpi/apps/docker-compose.pihole.yaml
 create mode 100644 bxl-rpi/apps/docker-compose.syncthing.yaml
 create mode 100644 bxl-rpi/apps/docker-compose.wireguard.yaml
 create mode 100755 bxl-rpi/deploy.sh
 delete mode 100644 bxl-rpi/docker-compose.yaml
 create mode 100644 bxl-rpi/system/docker-compose.auth.yaml
 create mode 100644 bxl-rpi/system/docker-compose.backup.yaml
 create mode 100644 bxl-rpi/system/docker-compose.monitoring.yaml
 create mode 100644 bxl-rpi/system/docker-compose.portainer.yaml
 create mode 100644 bxl-rpi/system/docker-compose.storage.yaml
 create mode 100644 bxl-rpi/system/docker-compose.traefik.yaml
diff --git a/bxl-rpi/apps/docker-compose.baikal.yaml b/bxl-rpi/apps/docker-compose.baikal.yaml
new file mode 100644
index 0000000..395cd84
--- /dev/null
+++ b/bxl-rpi/apps/docker-compose.baikal.yaml
@@ -0,0 +1,23 @@
+services:
+ baikal:
+ container_name: baikal
+ image: ckulka/baikal:nginx
+ restart: on-failure
+ environment:
+ - TZ=Europe/Paris
+ volumes:
+ - $DATA/baikal/config:/var/www/baikal/config
+ - $DATA/baikal/data:/var/www/baikal/Specific
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.baikal.rule=Host(`baikal.bxl.bhasher.com`)"
+ - "traefik.http.services.baikal.loadbalancer.server.port=80"
+ - "traefik.http.routers.baikal.tls=true"
+ - "traefik.http.routers.baikal.tls.certresolver=http"
+ - "traefik.http.routers.baikal.entrypoints=internalsecure,externalsecure"
+ networks:
+ - external
+
+networks:
+ external:
+ external: true
diff --git a/bxl-rpi/apps/docker-compose.matrix.yaml b/bxl-rpi/apps/docker-compose.matrix.yaml
new file mode 100644
index 0000000..31ac056
--- /dev/null
+++ b/bxl-rpi/apps/docker-compose.matrix.yaml
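Review bot: `image: ckulka/baikal:nginx` is a floating tag, and every other new file in this commit uses `:latest` or no tag at all (matrix, mediaserver, pihole, syncthing, wireguard, auth), so each `deploy.sh` run may pull a different image than the previous one and git gives no way back to a known-good set. Pin at least the services routed on `externalsecure` to a version tag, ideally with a digest, along the lines of `image: ckulka/baikal:<version>@sha256:<digest>` (placeholders). `restart: on-failure` also differs from the `unless-stopped` used by the sibling files; if that is deliberate, a comment saying why would help.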
@@ -0,0 +1,39 @@
+services:
+ matrix-synapse:
+ container_name: matrix-synapse
+ image: matrixdotorg/synapse:latest
+ restart: unless-stopped
+ environment:
+ - SYNAPSE_SERVER_NAME=matrix.bhasher.com
+ - SYNAPSE_REPORT_STATS=no
+ volumes:
+ - $DATA/matrix/synapse:/data:rw
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.matrix-synapse.rule=Host(`matrix.bhasher.com`)"
+ - "traefik.http.routers.matrix-synapse.tls=true"
+ - "traefik.http.routers.matrix-synapse.tls.certresolver=http"
+ - "traefik.http.routers.matrix-synapse.entrypoints=internalsecure,externalsecure"
+ - "traefik.http.services.matrix-synapse.loadbalancer.server.port=8008"
+ networks:
+ - external
+
+ matrix-riot:
+ container_name: matrix-element
+ image: ghcr.io/bubuntux/element-web
+ restart: unless-stopped
+ volumes:
+ - $CONFIG/riot/config.json:/etc/element-web/config.json:ro
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.matrix-riot.rule=Host(`element.bhasher.com`)"
+ - "traefik.http.routers.matrix-riot.tls=true"
+ - "traefik.http.routers.matrix-riot.tls.certresolver=http"
+ - "traefik.http.routers.matrix-riot.entrypoints=internalsecure,externalsecure"
+ - "traefik.http.services.matrix-riot.loadbalancer.server.port=80"
+ networks:
+ - external
+
+networks:
+ external:
+ external: true
diff --git a/bxl-rpi/apps/docker-compose.mediaserver.yaml b/bxl-rpi/apps/docker-compose.mediaserver.yaml
new file mode 100644
index 0000000..ffb5895
--- /dev/null
+++ b/bxl-rpi/apps/docker-compose.mediaserver.yaml
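Review bot: `$CONFIG/riot/config.json` introduces a new variable where the deleted file used `./config/riot/config.json`, and the auth file's `$CONFIG/idp/authelia.configuration.yaml` does the same. If `CONFIG` is absent from the `.env` that `deploy.sh` passes, Compose expands it to an empty string, the mount source becomes `/riot/config.json`, and Docker creates that path as an empty directory instead of failing, so Element starts with no config and nothing says why. Writing the source as `${CONFIG:?CONFIG must be set in .env}/riot/config.json` makes the deploy abort loudly instead. `image: ghcr.io/bubuntux/element-web` also carries no tag at all.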
@@ -0,0 +1,188 @@
+services:
+ jellyfin:
+ container_name: jellyfin
+ image: linuxserver/jellyfin:latest
+ volumes:
+ - $DATA/mediaserver/jellyfin:/config
+ - /mnt/movies/series:/data/tvshows
+ - /mnt/movies/movies:/data/movies
+ - /mnt/movies/musics:/data/musics
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Paris
+ restart: unless-stopped
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.jellyfin.rule=Host(`jellyfin.bhasher.com`)"
+ - "traefik.http.routers.jellyfin.entrypoints=internalsecure,externalsecure"
+ - "traefik.http.services.jellyfin.loadbalancer.server.port=8096"
+ - "traefik.http.routers.jellyfin.tls=true"
+ - "traefik.http.routers.jellyfin.tls.certresolver=http"
+ networks:
+ - external
+
+ radarr:
+ container_name: radarr
+ image: lscr.io/linuxserver/radarr:latest
+ environment:
+ - TZ=Europe/Paris
+ - PUID=1000
+ - PGID=1000
+ volumes:
+ - $DATA/mediaserver/radarr:/config
+ - /mnt/movies/movies:/movies
+ - /mnt/movies/tmp:/downloads
+ restart: unless-stopped
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.radarr.rule=Host(`radarr.bhasher.com`)"
+ - "traefik.http.services.radarr.loadbalancer.server.port=7878"
+ - "traefik.http.routers.radarr.tls=true"
+ - "traefik.http.routers.radarr.tls.certresolver=http"
+ - "traefik.http.routers.radarr.entrypoints=internalsecure"
+ - "traefik.http.routers.radarr.middlewares=authelia@docker"
+ networks:
+ - mediaserver
+ - external
+
+ sonarr:
+ container_name: sonarr
+ image: lscr.io/linuxserver/sonarr:latest
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Paris
+ volumes:
+ - $DATA/mediaserver/sonarr:/config
+ - /mnt/movies/series:/tv
+ - /mnt/movies/tmp:/downloads
+ restart: unless-stopped
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.sonarr.rule=Host(`sonarr.bhasher.com`)"
+ - "traefik.http.services.sonarr.loadbalancer.server.port=8989"
+ - "traefik.http.routers.sonarr.tls=true"
+ - "traefik.http.routers.sonarr.tls.certresolver=http"
+ - "traefik.http.routers.sonarr.entrypoints=internalsecure"
+ - "traefik.http.routers.sonarr.middlewares=authelia@docker"
+ networks:
+ - mediaserver
+ - external
+
+ lidarr:
+ container_name: lidarr
+ image: lscr.io/linuxserver/lidarr:latest
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Paris
+ volumes:
+ - $DATA/mediaserver/lidarr:/config
+ - /mnt/movies/musics:/music
+ - /mnt/movies/tmp:/downloads
+ restart: unless-stopped
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.lidarr.rule=Host(`lidarr.bhasher.com`)"
+ - "traefik.http.services.lidarr.loadbalancer.server.port=8686"
+ - "traefik.http.routers.lidarr.tls=true"
+ - "traefik.http.routers.lidarr.tls.certresolver=http"
+ - "traefik.http.routers.lidarr.entrypoints=internalsecure"
+ - "traefik.http.routers.lidarr.middlewares=authelia@docker"
+ networks:
+ - mediaserver
+ - external
+
+ transmission:
+ container_name: transmission
+ image: lscr.io/linuxserver/transmission:latest
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Paris
+ volumes:
+ - $DATA/mediaserver/transmission:/config
+ - /mnt/movies/tmp:/downloads
+ - /mnt/movies/torrents:/watch
+ ports:
+ - 51413:51413/tcp
+ - 51413:51413/udp
+ restart: unless-stopped
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.transmission.rule=Host(`transmission.bhasher.com`)"
+ - "traefik.http.services.transmission.loadbalancer.server.port=9091"
+ - "traefik.http.routers.transmission.tls=true"
+ - "traefik.http.routers.transmission.tls.certresolver=http"
+ - "traefik.http.routers.transmission.entrypoints=internalsecure"
+ - "traefik.http.routers.transmission.middlewares=authelia@docker"
+ networks:
+ - mediaserver
+ - external
+
+ jackett:
+ container_name: jackett
+ image: lscr.io/linuxserver/jackett:latest
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Paris
+ - AUTO_UPDATE=true
+ volumes:
+ - $DATA/mediaserver/jackett:/config
+ - /mnt/movies/torrents:/downloads
+ restart: unless-stopped
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.jackett.rule=Host(`jackett.bhasher.com`)"
+ - "traefik.http.services.jackett.loadbalancer.server.port=9117"
+ - "traefik.http.routers.jackett.tls=true"
+ - "traefik.http.routers.jackett.tls.certresolver=http"
+ - "traefik.http.routers.jackett.entrypoints=internalsecure"
+ - "traefik.http.routers.jackett.middlewares=authelia@docker"
+ networks:
+ - mediaserver
+ - external
+
+ flaresolverr:
+ container_name: flaresolverr
+ image: ghcr.io/flaresolverr/flaresolverr:latest
+ environment:
+ - LOG_LEVEL=info
+ - LOG_HTML=false
+ - CAPTCHA_SOLVER=none
+ - TZ=Europe/Paris
+ restart: unless-stopped
+ networks:
+ - mediaserver
+
+ bazarr:
+ container_name: bazarr
+ image: lscr.io/linuxserver/bazarr
+ environment:
+ - TZ=Europe/Paris
+ - PUID=1000
+ - PGID=1000
+ volumes:
+ - $DATA/mediaserver/bazarr:/config
+ - /mnt/movies/movies:/movies
+ - /mnt/movies/series:/tv
+ restart: unless-stopped
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.bazarr.rule=Host(`bazarr.bhasher.com`)"
+ - "traefik.http.services.bazarr.loadbalancer.server.port=6767"
+ - "traefik.http.routers.bazarr.tls=true"
+ - "traefik.http.routers.bazarr.tls.certresolver=http"
+ - "traefik.http.routers.bazarr.entrypoints=internalsecure"
+ - "traefik.http.routers.bazarr.middlewares=authelia@docker"
+ networks:
+ - mediaserver
+ - external
+
+networks:
+ mediaserver:
+ external:
+ external: true
+
diff --git a/bxl-rpi/apps/docker-compose.pihole.yaml b/bxl-rpi/apps/docker-compose.pihole.yaml
new file mode 100644
index 0000000..9b8596a
--- /dev/null
+++ b/bxl-rpi/apps/docker-compose.pihole.yaml
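Review bot: the private `mediaserver:` network declared at the bottom of this file has no `name:`, while the auth file gives its equivalent network an explicit `name: auth`; in the single multi-file project that `deploy.sh` builds the former gets a project-prefixed name, so the two files behave differently the moment anything outside that project needs to join one of them. Either add `name: mediaserver` here or drop `name: auth` there so the convention is the same across the split. The file also ends with an added empty line (the lone `+` after `external: true`), which yamllint's `empty-lines` rule will flag.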
@@ -0,0 +1,38 @@
+services:
+ pihole:
+ container_name: pihole
+ image: cbcrowe/pihole-unbound:latest
+ ports:
+ - 53:53/tcp
+ - 53:53/udp
+ environment:
+ - TZ=Europe/Paris
+ - WEBPASSWORD=
+ - WEBTHEME=default-dark
+ - REV_SERVER=false
+ - PIHOLE_DNS_=127.0.0.1#5335
+ - DNSSEC=true
+ - DNSMASQ_LISTENING=all
+ - FTLCONF_LOCAL_IPV4=192.168.1.220
+ - FTLCONF_RATE_LIMIT=0/0
+ - FTL_CMD=debug
+ - DNSMASQ_USER=root
+ volumes:
+ - $DATA/pihole/config:/etc/pihole
+ - $DATA/pihole/dnsmasq.d:/etc/dnsmasq.d
+ restart: unless-stopped
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.pihole.rule=Host(`pihole.bhasher.com`)"
+ - "traefik.http.routers.pihole.entrypoints=internalsecure"
+ - "traefik.http.services.pihole.loadbalancer.server.port=80"
+ - "traefik.http.routers.pihole.tls=true"
+ - "traefik.http.routers.pihole.tls.certresolver=http"
+ - "traefik.http.routers.pihole.middlewares=pihole-strip,authelia@docker"
+ - "traefik.http.middlewares.pihole-strip.addprefix.prefix=/admin"
+ networks:
+ - external
+
+networks:
+ external:
+ external: true
diff --git a/bxl-rpi/apps/docker-compose.syncthing.yaml b/bxl-rpi/apps/docker-compose.syncthing.yaml
new file mode 100644
index 0000000..9e9d4ce
--- /dev/null
+++ b/bxl-rpi/apps/docker-compose.syncthing.yaml
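Review bot: `WEBPASSWORD=` sets the admin UI password to the empty string; in the upstream Pi-hole image an unset variable produces a generated random password but an explicitly empty one disables the password, and I would expect `cbcrowe/pihole-unbound` to inherit that behaviour. The UI is then protected only by the `authelia@docker` middleware on Traefik, yet port 80 of this container is reachable without Traefik from any container on the shared `external` network that every routed service in this commit joins. Sourcing it from the env file, `- WEBPASSWORD=${PIHOLE_WEBPASSWORD:?set in .env}`, gives the UI its own credential and makes a missing value fail the deploy. `DNSMASQ_USER=root` and `FTL_CMD=debug` are carried over from the deleted file and read like troubleshooting leftovers; a comment on why they stay would help the next reader.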
@@ -0,0 +1,31 @@
+services:
+ syncthing:
+ container_name: syncthing
+ image: syncthing/syncthing:latest
+ hostname: snode0
+ environment:
+ - PUID=33
+ - PGID=33
+ volumes:
+ - $DATA/syncthing:/var/syncthing:rw
+ - /mnt/syncDocuments:/mnt/SyncDocuments:rw
+ - /mnt/brieuc-pictures:/mnt/pictures:rw
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.syncthing.rule=Host(`syncthing.bhasher.com`)"
+ - "traefik.http.routers.syncthing.entrypoints=internalsecure"
+ - "traefik.http.services.syncthing.loadbalancer.server.port=8384"
+ - "traefik.http.routers.syncthing.tls=true"
+ - "traefik.http.routers.syncthing.tls.certresolver=http"
+ - "traefik.http.routers.syncthing.middlewares=authelia@docker"
+ ports:
+ - 22000:22000/tcp # TCP file transfers
+ - 22000:22000/udp # QUIC file transfers
+ - 21027:21027/udp # Receive local discovery broadcasts
+ restart: unless-stopped
+ networks:
+ - external
+
+networks:
+ external:
+ external: true
diff --git a/bxl-rpi/apps/docker-compose.wireguard.yaml b/bxl-rpi/apps/docker-compose.wireguard.yaml
new file mode 100644
index 0000000..c951214
--- /dev/null
+++ b/bxl-rpi/apps/docker-compose.wireguard.yaml
@@ -0,0 +1,23 @@
+services:
+ wireguard:
+ container_name: wireguard
+ image: lscr.io/linuxserver/wireguard:latest
+ restart: always
+ volumes:
+ - $DATA/wireguard:/config
+ - /lib/modules:/lib/modules
+ ports:
+ - 51821:51820/udp
+ environment:
+ - TZ=Europe/Paris
+ - SERVERURL=vpn.bhasher.com
+ - SERVERPORT=51821
+ - PEERS=5
+ - PEERDNS=auto
+ - INTERNAL_SUBNET=10.13.14.0
+ - ALLOWEDIPS=0.0.0.0/0
+ cap_add:
+ - NET_ADMIN
+ - SYS_MODULE
+ sysctls:
+ - net.ipv4.conf.all.src_valid_mark=1
diff --git a/bxl-rpi/deploy.sh b/bxl-rpi/deploy.sh
new file mode 100755
index 0000000..9010373
--- /dev/null
+++ b/bxl-rpi/deploy.sh
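Review bot: in the wireguard file, `SYS_MODULE` together with the `/lib/modules` bind mount lets the container load kernel modules on the host, which is close to host-root for a service that is also published on `51821/udp`; as far as I recall linuxserver documents both as needed only when the host kernel lacks the wireguard module, which recent Raspberry Pi kernels ship, so this deployment is worth testing with the capability and the mount removed. That block is also the only new service without a `networks:` key, so it lands on the project's default network while every sibling file uses named ones; if that is intended a comment such as `# no networks: stays on the project default network on purpose` would record it. `ALLOWEDIPS=0.0.0.0/0` makes every peer full-tunnel, which the surrounding setup appears to intend.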
@@ -0,0 +1,5 @@
+cd ~/homelab/bxl-rpi
+cmd=$(find . -type f \( -name "docker-compose.*.yaml" \) | awk '{printf "-f %s \0", $0}' | xargs -0 -I{} echo "docker compose {} --env-file .env up -d")
+echo $cmd
+eval $cmd
+# -name "docker-compose.yaml" -o
diff --git a/bxl-rpi/docker-compose.yaml b/bxl-rpi/docker-compose.yaml
deleted file mode 100644
index 6e478ae..0000000
--- a/bxl-rpi/docker-compose.yaml
+++ /dev/null
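Review bot: as I read GNU xargs, `-I{}` runs one `echo` per null-terminated input item, so `cmd` ends up holding one `docker compose -f <file> --env-file .env up -d` line per compose file rather than a single command carrying every `-f`, and the unquoted `eval $cmd` then word-splits those lines into one command line whose extra words `up` will treat as service names. Beyond that, the file has no shebang despite its 100755 mode, the `cd` is unchecked so a missing directory would run `find` and `docker compose` wherever the caller happens to be, and `find` returns files in filesystem order while Compose takes the project directory from the first `-f` file, so the effective project can change between runs. Building the argument list in an array from a sorted, null-delimited `find` addresses all four; the trailing commented-out `-name "docker-compose.yaml" -o` is a leftover from the deleted single file and can go.
```shell
#!/usr/bin/env bash
set -euo pipefail
cd ~/homelab/bxl-rpi

# Collect every split compose file as "-f <path>" in a stable order,
# because Compose derives the project directory from the first -f file.
args=()
while IFS= read -r -d '' f; do
  args+=(-f "$f")
done < <(find . -type f -name 'docker-compose.*.yaml' -print0 | sort -z)

printf '%s\n' "docker compose ${args[*]} --env-file .env up -d"
docker compose "${args[@]}" --env-file .env up -d
```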
@@ -1,556 +0,0 @@ -services: - traefik: - container_name: traefik - image: traefik:v2.9 - command: - - "--api.insecure=true" - - "--providers.docker=true" - - "--providers.docker.exposedbydefault=false" - - "--providers.docker.network=external" - - "--entrypoints.internal.address=:80" - - "--entrypoints.internalsecure.address=:443" - - "--entrypoints.internal.http.redirections.entryPoint.to=internalsecure" - - "--entrypoints.internal.http.redirections.entryPoint.scheme=https" - - "--entrypoints.internal.http.redirections.entryPoint.permanent=true" - - "--certificatesresolvers.http.acme.httpchallenge=true" - - "--certificatesresolvers.http.acme.httpchallenge.entrypoint=external" - - "--certificatesresolvers.http.acme.email=acme@bhasher.com" - - "--certificatesresolvers.http.acme.storage=acme.json" - - "--entrypoints.external.address=:81" - - "--entrypoints.externalsecure.address=:444" - - "--entrypoints.external.http.redirections.entryPoint.to=externalsecure" - - "--entrypoints.external.http.redirections.entryPoint.scheme=https" - - "--entrypoints.external.http.redirections.entryPoint.permanent=true" - #- "--log.level=DEBUG" - - "--metrics.prometheus=true" - environment: - - TZ=Europe/Paris - ports: - - "80:80" - - "443:443" - - "81:81" - - "444:444" - #- "8080:8080" - volumes: - - /var/run/docker.sock:/var/run/docker.sock:ro - - type: bind - source: $DATA/traefik/acme.json - target: /acme.json - - type: bind - source: $DATA/traefik/rules.toml - target: /rules.toml - restart: always - - portainer: - container_name: portainer - image: portainer/portainer-ce:latest - #command: -H tcp://tasks.agent:9001 --tlsskipverify - ports: - - "9443:9443" - volumes: - - $DATA/portainer:/data:rw - - /var/run/docker.sock:/var/run/docker.sock - labels: - - "traefik.enable=true" - - "traefik.http.routers.portainer.rule=Host(`portainer.bxl.bhasher.com`)" - - "traefik.http.routers.portainer.entrypoints=externalsecure,internalsecure" - - 
"traefik.http.services.portainer.loadbalancer.server.port=9000" - - "traefik.http.routers.portainer.tls=true" - - "traefik.http.routers.portainer.tls.certresolver=http" - restart: always - - matrix-synapse: - container_name: matrix-synapse - image: matrixdotorg/synapse:latest - restart: unless-stopped - environment: - - SYNAPSE_SERVER_NAME=matrix.bhasher.com - - SYNAPSE_REPORT_STATS=no - volumes: - - $DATA/matrix/synapse:/data:rw - labels: - - "traefik.enable=true" - - "traefik.http.routers.matrix-synapse.rule=Host(`matrix.bhasher.com`)" - - "traefik.http.routers.matrix-synapse.tls=true" - - "traefik.http.routers.matrix-synapse.tls.certresolver=http" - - "traefik.http.routers.matrix-synapse.entrypoints=internalsecure,externalsecure" - - "traefik.http.services.matrix-synapse.loadbalancer.server.port=8008" - - wireguard: - container_name: wireguard - image: lscr.io/linuxserver/wireguard:latest - restart: always - volumes: - - $DATA/wireguard:/config - - /lib/modules:/lib/modules - ports: - - 51821:51820/udp - environment: - - TZ=Europe/Paris - - SERVERURL=vpn.bhasher.com - - SERVERPORT=51821 - - PEERS=5 - - PEERDNS=auto - - INTERNAL_SUBNET=10.13.14.0 - - ALLOWEDIPS=0.0.0.0/0 - cap_add: - - NET_ADMIN - - SYS_MODULE - sysctls: - - net.ipv4.conf.all.src_valid_mark=1 - - matrix-riot: - container_name: matrix-element - image: ghcr.io/bubuntux/element-web - restart: unless-stopped - volumes: - - ./config/riot/config.json:/etc/element-web/config.json:ro - labels: - - "traefik.enable=true" - - "traefik.http.routers.matrix-riot.rule=Host(`element.bhasher.com`)" - - "traefik.http.routers.matrix-riot.tls=true" - - "traefik.http.routers.matrix-riot.tls.certresolver=http" - - "traefik.http.routers.matrix-riot.entrypoints=internalsecure,externalsecure" - - "traefik.http.services.matrix-riot.loadbalancer.server.port=80" - - prom_monitoring: - container_name: prom_monitoring - image: prom/prometheus:latest - restart: unless-stopped - labels: - - "traefik.enable=true" - - 
"traefik.http.routers.prom.rule=Host(`prometheus.bhasher.com`)" - - "traefik.http.routers.prom.entrypoints=internalsecure" - - "traefik.http.services.prom.loadbalancer.server.port=9090" - - "traefik.http.routers.prom.tls=true" - - "traefik.http.routers.prom.tls.certresolver=http" - extra_hosts: - - "host.docker.internal:host-gateway" - volumes: - - ./config/monitoring/prometheus.yaml:/etc/prometheus/prometheus.yml:ro - - $DATA/monitoring/prometheus:/prometheus - - grafana: - container_name: grafana - image: grafana/grafana - restart: unless-stopped - labels: - - "traefik.enable=true" - - "traefik.http.routers.grafana.rule=Host(`grafana.bhasher.com`)" - - "traefik.http.routers.grafana.entrypoints=internalsecure" - - "traefik.http.services.grafana.loadbalancer.server.port=3000" - - "traefik.http.routers.grafana.tls=true" - - "traefik.http.routers.grafana.tls.certresolver=http" - environment: - - GF_SERVER_ROOT_URL=https://grafana.bhasher.com - - GF_SMTP_ENABLED=true - - GF_SMTP_HOST=bdubois.io:465 - - GF_SMTP_USER=${SMTP_USER} - - GF_SMTP_PASSWORD=${SMTP_PASSWORD} - - GF_SMTP_FROM_ADDRESS=grafana@bhasher.com - - GF_AUTH_LOGIN_DISABLE_LOGIN_FORM=true - - GF_AUTH_DISABLE_SIGNOUT_MENU=true - - GF_AUTH_OAUTH_AUTO_LOGIN=true - - GF_AUTH_GENERIC_OAUTH_ENABLED=true - - GF_AUTH_GENERIC_OAUTH_ICON=signin - - GF_AUTH_GENERIC_OAUTH_NAME=Authelia - - GF_AUTH_GENERIC_OAUTH_CLIENT_ID=grafana - - GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=${GRAFANA_OAUTH} - - GF_AUTH_GENERIC_OAUTH_SCOPES=openid profile email groups - - GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES=false - - GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://idp.bhasher.com/api/oidc/authorization - - GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://idp.bhasher.com/api/oidc/token - - GF_AUTH_GENERIC_OAUTH_API_URL=https://idp.bhasher.com/api/oidc/userinfo - - GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH=preferred_username - - GF_AUTH_GENERIC_OAUTH_GROUPS_ATTRIBUTE_PATH=groups - - GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH=name - - 
GF_AUTH_GENERIC_OAUTH_USE_PKCE=false - - GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(roles[*], 'admin') && 'Admin' || 'Viewer' - - GF_AUTH_GENERIC_OAUTH_GROUPS_PATH=groups - - GF_AUTH_GENERIC_OAUTH_ALLOWED_GROUPS=admin - volumes: - - $DATA/monitoring/grafana:/var/lib/grafana - - cadvisor: - container_name: cadvisor - image: gcr.io/cadvisor/cadvisor:v0.47.1 - volumes: - - /:/rootfs:ro - - /var/run:/var/run:rw - - /sys:/sys:ro - - /var/lib/docker/:/var/lib/docker:ro - restart: always - - node-exporter: - container_name: node-exporter - image: quay.io/prometheus/node-exporter:latest - volumes: - - /proc:/host/proc:ro - - /sys:/host/sys:ro - - /:/rootfs:ro - - /:/host:ro,rslave - command: - - '--path.rootfs=/host' - - '--path.procfs=/host/proc' - - '--path.sysfs=/host/sys' - - --collector.filesystem.ignored-mount-points - - "^/(sys|proc|dev|host|etc|rootfs/var/lib/docker/containers|rootfs/var/lib/docker/overlay2|rootfs/run/docker/netns|rootfs/var/lib/docker/aufs)($$|/)" - restart: always - - jellyfin: - container_name: jellyfin - image: linuxserver/jellyfin:latest - volumes: - - $DATA/mediaserver/jellyfin:/config - - /mnt/movies/series:/data/tvshows - - /mnt/movies/movies:/data/movies - - /mnt/movies/musics:/data/musics - environment: - - PUID=1000 - - PGID=1000 - - TZ=Europe/Paris - restart: unless-stopped - labels: - - "traefik.enable=true" - - "traefik.http.routers.jellyfin.rule=Host(`jellyfin.bhasher.com`)" - - "traefik.http.routers.jellyfin.entrypoints=internalsecure,externalsecure" - - "traefik.http.services.jellyfin.loadbalancer.server.port=8096" - - "traefik.http.routers.jellyfin.tls=true" - - "traefik.http.routers.jellyfin.tls.certresolver=http" - - radarr: - container_name: radarr - image: lscr.io/linuxserver/radarr:latest - environment: - - TZ=Europe/Paris - - PUID=1000 - - PGID=1000 - volumes: - - $DATA/mediaserver/radarr:/config - - /mnt/movies/movies:/movies - - /mnt/movies/tmp:/downloads - restart: unless-stopped - labels: - - 
"traefik.enable=true" - - "traefik.http.routers.radarr.rule=Host(`radarr.bhasher.com`)" - - "traefik.http.services.radarr.loadbalancer.server.port=7878" - - "traefik.http.routers.radarr.tls=true" - - "traefik.http.routers.radarr.tls.certresolver=http" - - "traefik.http.routers.radarr.entrypoints=internalsecure" - - "traefik.http.routers.radarr.middlewares=authelia@docker" - - sonarr: - container_name: sonarr - image: lscr.io/linuxserver/sonarr:latest - environment: - - PUID=1000 - - PGID=1000 - - TZ=Europe/Paris - volumes: - - $DATA/mediaserver/sonarr:/config - - /mnt/movies/series:/tv - - /mnt/movies/tmp:/downloads - restart: unless-stopped - labels: - - "traefik.enable=true" - - "traefik.http.routers.sonarr.rule=Host(`sonarr.bhasher.com`)" - - "traefik.http.services.sonarr.loadbalancer.server.port=8989" - - "traefik.http.routers.sonarr.tls=true" - - "traefik.http.routers.sonarr.tls.certresolver=http" - - "traefik.http.routers.sonarr.entrypoints=internalsecure" - - "traefik.http.routers.sonarr.middlewares=authelia@docker" - - lidarr: - container_name: lidarr - image: lscr.io/linuxserver/lidarr:latest - environment: - - PUID=1000 - - PGID=1000 - - TZ=Europe/Paris - volumes: - - $DATA/mediaserver/lidarr:/config - - /mnt/movies/musics:/music - - /mnt/movies/tmp:/downloads - restart: unless-stopped - labels: - - "traefik.enable=true" - - "traefik.http.routers.lidarr.rule=Host(`lidarr.bhasher.com`)" - - "traefik.http.services.lidarr.loadbalancer.server.port=8686" - - "traefik.http.routers.lidarr.tls=true" - - "traefik.http.routers.lidarr.tls.certresolver=http" - - "traefik.http.routers.lidarr.entrypoints=internalsecure" - - "traefik.http.routers.lidarr.middlewares=authelia@docker" - - transmission: - container_name: transmission - image: lscr.io/linuxserver/transmission:latest - environment: - - PUID=1000 - - PGID=1000 - - TZ=Europe/Paris - volumes: - - $DATA/mediaserver/transmission:/config - - /mnt/movies/tmp:/downloads - - /mnt/movies/torrents:/watch - ports: - - 
51413:51413/tcp - - 51413:51413/udp - restart: unless-stopped - labels: - - "traefik.enable=true" - - "traefik.http.routers.transmission.rule=Host(`transmission.bhasher.com`)" - - "traefik.http.services.transmission.loadbalancer.server.port=9091" - - "traefik.http.routers.transmission.tls=true" - - "traefik.http.routers.transmission.tls.certresolver=http" - - "traefik.http.routers.transmission.entrypoints=internalsecure" - - "traefik.http.routers.transmission.middlewares=authelia@docker" - - jackett: - container_name: jackett - image: lscr.io/linuxserver/jackett:latest - environment: - - PUID=1000 - - PGID=1000 - - TZ=Europe/Paris - - AUTO_UPDATE=true - volumes: - - $DATA/mediaserver/jackett:/config - - /mnt/movies/torrents:/downloads - restart: unless-stopped - labels: - - "traefik.enable=true" - - "traefik.http.routers.jackett.rule=Host(`jackett.bhasher.com`)" - - "traefik.http.services.jackett.loadbalancer.server.port=9117" - - "traefik.http.routers.jackett.tls=true" - - "traefik.http.routers.jackett.tls.certresolver=http" - - "traefik.http.routers.jackett.entrypoints=internalsecure" - - "traefik.http.routers.jackett.middlewares=authelia@docker" - - flaresolverr: - container_name: flaresolverr - image: ghcr.io/flaresolverr/flaresolverr:latest - environment: - - LOG_LEVEL=info - - LOG_HTML=false - - CAPTCHA_SOLVER=none - - TZ=Europe/Paris - restart: unless-stopped - - bazarr: - container_name: bazarr - image: lscr.io/linuxserver/bazarr - environment: - - TZ=Europe/Paris - - PUID=1000 - - PGID=1000 - volumes: - - $DATA/mediaserver/bazarr:/config - - /mnt/movies/movies:/movies - - /mnt/movies/series:/tv - restart: unless-stopped - labels: - - "traefik.enable=true" - - "traefik.http.routers.bazarr.rule=Host(`bazarr.bhasher.com`)" - - "traefik.http.services.bazarr.loadbalancer.server.port=6767" - - "traefik.http.routers.bazarr.tls=true" - - "traefik.http.routers.bazarr.tls.certresolver=http" - - "traefik.http.routers.bazarr.entrypoints=internalsecure" - - 
"traefik.http.routers.bazarr.middlewares=authelia@docker" - - baikal: - container_name: baikal - image: ckulka/baikal:nginx - restart: on-failure - environment: - - TZ=Europe/Paris - volumes: - - $DATA/baikal/config:/var/www/baikal/config - - $DATA/baikal/data:/var/www/baikal/Specific - labels: - - "traefik.enable=true" - - "traefik.http.routers.baikal.rule=Host(`baikal.bxl.bhasher.com`)" - - "traefik.http.services.baikal.loadbalancer.server.port=80" - - "traefik.http.routers.baikal.tls=true" - - "traefik.http.routers.baikal.tls.certresolver=http" - - "traefik.http.routers.baikal.entrypoints=internalsecure,externalsecure" - - borg: - container_name: borg - image: pschiffe/borg - volumes: - - /mnt/borg:/borg/repo - - $DATA/borg/config:/root - - $DATA:/borg/data/docker-data:ro - - /etc/localtime:/etc/localtime:ro - environment: - - BORG_REPO=/borg/repo - - BORG_PASSPHRASE=${BORG_PASSPHRASE} - - BACKUP_DIRS=/borg/data - - COMPRESSION=lz4 - - PRUNE=1 - restart: 'no' - - cron: - container_name: cron-scheduling - image: alpine:latest - volumes: - - ./config/cron:/etc/cron.d:ro - - /etc/localtime:/etc/localtime:ro - command: crond -f - restart: unless-stopped - - pihole: - container_name: pihole - image: cbcrowe/pihole-unbound:latest - ports: - - 53:53/tcp - - 53:53/udp - environment: - - TZ=Europe/Paris - - WEBPASSWORD= - - WEBTHEME=default-dark - - REV_SERVER=false - - PIHOLE_DNS_=127.0.0.1#5335 - - DNSSEC=true - - DNSMASQ_LISTENING=all - - FTLCONF_LOCAL_IPV4=192.168.1.220 - - FTLCONF_RATE_LIMIT=0/0 - - FTL_CMD=debug - - DNSMASQ_USER=root - volumes: - - $DATA/pihole/config:/etc/pihole - - $DATA/pihole/dnsmasq.d:/etc/dnsmasq.d - restart: unless-stopped - labels: - - "traefik.enable=true" - - "traefik.http.routers.pihole.rule=Host(`pihole.bhasher.com`)" - - "traefik.http.routers.pihole.entrypoints=internalsecure" - - "traefik.http.services.pihole.loadbalancer.server.port=80" - - "traefik.http.routers.pihole.tls=true" - - "traefik.http.routers.pihole.tls.certresolver=http" 
- - "traefik.http.routers.pihole.middlewares=pihole-strip,authelia@docker" - #- "traefik.http.middlewares.pihole-strip.stripprefix.prefixes=/admin" - - "traefik.http.middlewares.pihole-strip.addprefix.prefix=/admin" - - postgres: - container_name: postgres - image: postgres:latest - restart: unless-stopped - environment: - - POSTGRES_USER=postgres - - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} - volumes: - - $DATA/postgres:/var/lib/postgresql/data - - redis: - container_name: redis - image: redis:latest - restart: unless-stopped - - openldap: - container_name: openldap - image: osixia/openldap:latest - restart: unless-stopped - environment: - - LDAP_ADMIN_USERNAME=admin - - LDAP_ADMIN_PASSWORD=${LDAP_ADMIN_PASSWORD} - - LDAP_READONLY_USER=true - - LDAP_READONLY_USER_USERNAME=readonly - - LDAP_READONLY_USER_PASSWORD=${LDAP_READONLY_PASSWORD} - - LDAP_DOMAIN=bhasher.com - - LDAP_ORGANISATION=Bhasher - - LDAP_RFC2307BIS_SCHEMA=true - - LDAP_TLS=false - volumes: - - $DATA/openldap/ldap:/var/lib/ldap - - $DATA/openldap/slapd.d:/etc/ldap/slapd.d - - ldapusermanager: - container_name: ldapusermanager - image: wheelybird/ldap-user-manager:latest - restart: unless-stopped - environment: - - LDAP_URI=ldap://openldap - - LDAP_BASE_DN=dc=bhasher,dc=com - - LDAP_ADMIN_BIND_DN=cn=admin,dc=bhasher,dc=com - - LDAP_ADMINS_GROUP=admin - - SERVER_HOSTNAME=lum.bhasher.com - - NO_HTTPS=true - - ORGANISATION_NAME=Bhasher - - LDAP_REQUIRE_STARTTLS=false - - FORCE_RFC2307BIS=true - - SHOW_POSIX_ATTRIBUTES=false - - LDAP_ADMIN_BIND_PWD=${LDAP_ADMIN_PASSWORD} - - LDAP_USER_OU=users - - LDAP_GROUP_OU=groups - - LDAP_ACCOUNT_ATTRIBUTE=uid - - LDAP_GROUP_ATTRIBUTE=cn - - USERNAME_FORMAT={first_name}.{last_name} - - ENFORCE_SAFE_SYSTEM_NAMES=false - - PASSWORD_HASH=SHA512CRYPT - - ACCEPT_WEAK_PASSWORDS=false - - LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES=jpegPhoto^:Profile picture,sshpubkey^+:SSH public key - - REMOTE_HTTP_HEADERS_LOGIN=true - labels: - - "traefik.enable=true" - - 
"traefik.http.routers.lum.rule=Host(`lum.bhasher.com`)" - - "traefik.http.routers.lum.entrypoints=internalsecure" - - "traefik.http.services.lum.loadbalancer.server.port=80" - - "traefik.http.routers.lum.tls=true" - - "traefik.http.routers.lum.tls.certresolver=http" - - "traefik.http.routers.lum.middlewares=authelia@docker" - - authelia: - container_name: authelia - image: authelia/authelia:latest - restart: unless-stopped - environment: - - TZ=Europe/Paris - - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD=${LDAP_READONLY_PASSWORD} - - AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET} - - AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET} - - AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_ENCRYPTION_KEY} - - AUTHELIA_STORAGE_POSTGRES_PASSWORD=${POSTGRES_PASSWORD} - - AUTHELIA_NOTIFIER_SMTP_PASSWORD=${SMTP_PASSWORD} - - AUTHELIA_NOTIFIER_SMTP_USERNAME=${SMTP_USER} - - AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE=/secrets/oidc_certificate.pem - - AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET=${AUTHELIA_OIDC_HMAC} - labels: - - "traefik.enable=true" - - "traefik.http.routers.authelia.rule=Host(`idp.bhasher.com`)" - - "traefik.http.routers.authelia.entrypoints=internalsecure,externalsecure" - - "traefik.http.services.authelia.loadbalancer.server.port=9091" - - "traefik.http.routers.authelia.tls=true" - - "traefik.http.routers.authelia.tls.certresolver=http" - - 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https%3A%2F%2Fidp.bhasher.com%2F' - - 'traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true' - - 'traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' - volumes: - - ./config/idp/authelia.configuration.yaml:/config/configuration.yml:ro - - $DATA/authelia:/secrets:ro - - syncthing: - container_name: syncthing - image: syncthing/syncthing:latest - hostname: snode0 - environment: - - PUID=33 - - PGID=33 - volumes: - - 
$DATA/syncthing:/var/syncthing:rw - - /mnt/syncDocuments:/mnt/SyncDocuments:rw - - /mnt/brieuc-pictures:/mnt/pictures:rw - labels: - - "traefik.enable=true" - - "traefik.http.routers.syncthing.rule=Host(`syncthing.bhasher.com`)" - - "traefik.http.routers.syncthing.entrypoints=internalsecure" - - "traefik.http.services.syncthing.loadbalancer.server.port=8384" - - "traefik.http.routers.syncthing.tls=true" - - "traefik.http.routers.syncthing.tls.certresolver=http" - - "traefik.http.routers.syncthing.middlewares=authelia@docker" - ports: - - 22000:22000/tcp # TCP file transfers - - 22000:22000/udp # QUIC file transfers - - 21027:21027/udp # Receive local discovery broadcasts - restart: unless-stopped - diff --git a/bxl-rpi/system/docker-compose.auth.yaml b/bxl-rpi/system/docker-compose.auth.yaml new file mode 100644 index 0000000..9a14b93 --- /dev/null +++ b/bxl-rpi/system/docker-compose.auth.yaml 
@@ -0,0 +1,99 @@
+services:
+ openldap:
+ container_name: openldap
+ image: osixia/openldap:latest
+ restart: unless-stopped
+ environment:
+ - LDAP_ADMIN_USERNAME=admin
+ - LDAP_ADMIN_PASSWORD=${LDAP_ADMIN_PASSWORD}
+ - LDAP_READONLY_USER=true
+ - LDAP_READONLY_USER_USERNAME=readonly
+ - LDAP_READONLY_USER_PASSWORD=${LDAP_READONLY_PASSWORD}
+ - LDAP_DOMAIN=bhasher.com
+ - LDAP_ORGANISATION=Bhasher
+ - LDAP_RFC2307BIS_SCHEMA=true
+ - LDAP_TLS=false
+ volumes:
+ - $DATA/openldap/ldap:/var/lib/ldap
+ - $DATA/openldap/slapd.d:/etc/ldap/slapd.d
+ networks:
+ - auth
+
+ ldapusermanager:
+ container_name: ldapusermanager
+ image: wheelybird/ldap-user-manager:latest
+ restart: unless-stopped
+ environment:
+ - LDAP_URI=ldap://openldap
+ - LDAP_BASE_DN=dc=bhasher,dc=com
+ - LDAP_ADMIN_BIND_DN=cn=admin,dc=bhasher,dc=com
+ - LDAP_ADMINS_GROUP=admin
+ - SERVER_HOSTNAME=lum.bhasher.com
+ - NO_HTTPS=true
+ - ORGANISATION_NAME=Bhasher
+ - LDAP_REQUIRE_STARTTLS=false
+ - FORCE_RFC2307BIS=true
+ - SHOW_POSIX_ATTRIBUTES=false
+ - LDAP_ADMIN_BIND_PWD=${LDAP_ADMIN_PASSWORD}
+ - LDAP_USER_OU=users
+ - LDAP_GROUP_OU=groups
+ - LDAP_ACCOUNT_ATTRIBUTE=uid
+ - LDAP_GROUP_ATTRIBUTE=cn
+ - USERNAME_FORMAT={first_name}.{last_name}
+ - ENFORCE_SAFE_SYSTEM_NAMES=false
+ - PASSWORD_HASH=SHA512CRYPT
+ - ACCEPT_WEAK_PASSWORDS=false
+ - LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES=jpegPhoto^:Profile picture,sshpubkey^+:SSH public key
+ - REMOTE_HTTP_HEADERS_LOGIN=true
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.lum.rule=Host(`lum.bhasher.com`)"
+ - "traefik.http.routers.lum.entrypoints=internalsecure"
+ - "traefik.http.services.lum.loadbalancer.server.port=80"
+ - "traefik.http.routers.lum.tls=true"
+ - "traefik.http.routers.lum.tls.certresolver=http"
+ - "traefik.http.routers.lum.middlewares=authelia@docker"
+ networks:
+ - auth
+ - external
+
+ authelia:
+ container_name: authelia
+ image: authelia/authelia:latest
+ restart: unless-stopped
+ environment:
+ - TZ=Europe/Paris
+ - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD=${LDAP_READONLY_PASSWORD}
+ - AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET}
+ - AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
+ - AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_ENCRYPTION_KEY}
+ - AUTHELIA_STORAGE_POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
+ - AUTHELIA_NOTIFIER_SMTP_PASSWORD=${SMTP_PASSWORD}
+ - AUTHELIA_NOTIFIER_SMTP_USERNAME=${SMTP_USER}
+ - AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE=/secrets/oidc_certificate.pem
+ - AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET=${AUTHELIA_OIDC_HMAC}
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.authelia.rule=Host(`idp.bhasher.com`)"
+ - "traefik.http.routers.authelia.entrypoints=internalsecure,externalsecure"
+ - "traefik.http.services.authelia.loadbalancer.server.port=9091"
+ - "traefik.http.routers.authelia.tls=true"
+ - "traefik.http.routers.authelia.tls.certresolver=http"
+ - 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https%3A%2F%2Fidp.bhasher.com%2F'
+ - 'traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true'
+ - 'traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
+ volumes:
+ - $CONFIG/idp/authelia.configuration.yaml:/config/configuration.yml:ro
+ - $DATA/authelia:/secrets:ro
+ networks:
+ - auth
+ - storage
+ - external
+
+networks:
+ auth:
+ name: auth
+ external:
+ external: true
+ storage:
+ external: true
diff --git a/bxl-rpi/system/docker-compose.backup.yaml b/bxl-rpi/system/docker-compose.backup.yaml
new file mode 100644
index 0000000..f642723
--- /dev/null
+++ b/bxl-rpi/system/docker-compose.backup.yaml
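Review bot: `REMOTE_HTTP_HEADERS_LOGIN=true` makes ldapusermanager take the user identity from a request header, and the service is also attached to the `external` network, so any container on that network that reaches `ldapusermanager:80` directly bypasses the `lum` router and its `authelia@docker` middleware and could presumably supply its own header; the forward-auth protection only covers traffic that arrives through Traefik. Keep the service reachable only from Traefik (or check the image's documentation for a way to restrict header login to a trusted proxy) and record that assumption in a comment above `REMOTE_HTTP_HEADERS_LOGIN`. Separately, `LDAP_TLS=false` together with `LDAP_REQUIRE_STARTTLS=false` means the admin bind (`LDAP_ADMIN_BIND_PWD`) and Authelia's read-only bind cross the `auth` network in clear text, which is only acceptable while that network stays a private bridge. The Authelia secrets passed as plain environment variables (`AUTHELIA_JWT_SECRET`, `AUTHELIA_SESSION_SECRET`, `AUTHELIA_STORAGE_ENCRYPTION_KEY`, ...) are readable via `docker inspect`; Authelia accepts the same keys with a `_FILE` suffix, and the read-only `/secrets` mount already exists for that purpose.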
@@ -0,0 +1,25 @@
+services:
+ borg:
+ container_name: borg
+ image: pschiffe/borg
+ volumes:
+ - /mnt/borg:/borg/repo
+ - $DATA/borg/config:/root
+ - $DATA:/borg/data/docker-data:ro
+ - /etc/localtime:/etc/localtime:ro
+ environment:
+ - BORG_REPO=/borg/repo
+ - BORG_PASSPHRASE=${BORG_PASSPHRASE}
+ - BACKUP_DIRS=/borg/data
+ - COMPRESSION=lz4
+ - PRUNE=1
+ restart: "no"
+
+ cron:
+ container_name: cron-scheduling
+ image: alpine:latest
+ volumes:
+ - ./config/cron:/etc/cron.d:ro
+ - /etc/localtime:/etc/localtime:ro
+ command: crond -f
+ restart: unless-stopped
diff --git a/bxl-rpi/system/docker-compose.monitoring.yaml b/bxl-rpi/system/docker-compose.monitoring.yaml
new file mode 100644
index 0000000..cd05fc1
--- /dev/null
+++ b/bxl-rpi/system/docker-compose.monitoring.yaml
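Review bot: The cron service mounts `./config/cron`, whereas the other files in this commit reference configuration through `$CONFIG` (for example `$CONFIG/idp/...` in docker-compose.auth.yaml); a relative path resolves against the compose file's directory, which after the split is `bxl-rpi/system/`, so this mount likely points at a directory that no longer exists unless deploy.sh changes into the old location — `- $CONFIG/cron:/etc/cron.d:ro` would make it consistent. It is also not visible from this hunk how the cron container triggers the borg run, since it shares neither the Docker socket nor a volume with the borg service; a comment on `cron:` explaining the mechanism would help the next reader. `BORG_PASSPHRASE` is passed as a plain environment variable and is therefore readable with `docker inspect` on the host; borg also honours `BORG_PASSCOMMAND`, which can read the passphrase from a file mounted read-only instead.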
@@ -0,0 +1,101 @@
+services:
+ prom_monitoring:
+ container_name: prom_monitoring
+ image: prom/prometheus:latest
+ restart: unless-stopped
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.prom.rule=Host(`prometheus.bhasher.com`)"
+ - "traefik.http.routers.prom.entrypoints=internalsecure"
+ - "traefik.http.services.prom.loadbalancer.server.port=9090"
+ - "traefik.http.routers.prom.tls=true"
+ - "traefik.http.routers.prom.tls.certresolver=http"
+ - "traefik.http.routers.prom.middlewares=authelia@docker"
+ extra_hosts:
+ - "host.docker.internal:host-gateway"
+ volumes:
+ - $CONFIG/monitoring/prometheus.yaml:/etc/prometheus/prometheus.yml:ro
+ - $DATA/monitoring/prometheus:/prometheus
+ networks:
+ - monitoring
+ - external
+
+ grafana:
+ container_name: grafana
+ image: grafana/grafana
+ restart: unless-stopped
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.grafana.rule=Host(`grafana.bhasher.com`)"
+ - "traefik.http.routers.grafana.entrypoints=internalsecure"
+ - "traefik.http.services.grafana.loadbalancer.server.port=3000"
+ - "traefik.http.routers.grafana.tls=true"
+ - "traefik.http.routers.grafana.tls.certresolver=http"
+ environment:
+ - GF_SERVER_ROOT_URL=https://grafana.bhasher.com
+ - GF_SMTP_ENABLED=true
+ - GF_SMTP_HOST=bdubois.io:465
+ - GF_SMTP_USER=${SMTP_USER}
+ - GF_SMTP_PASSWORD=${SMTP_PASSWORD}
+ - GF_SMTP_FROM_ADDRESS=grafana@bhasher.com
+ - GF_AUTH_LOGIN_DISABLE_LOGIN_FORM=true
+ - GF_AUTH_DISABLE_SIGNOUT_MENU=true
+ - GF_AUTH_OAUTH_AUTO_LOGIN=true
+ - GF_AUTH_GENERIC_OAUTH_ENABLED=true
+ - GF_AUTH_GENERIC_OAUTH_ICON=signin
+ - GF_AUTH_GENERIC_OAUTH_NAME=Authelia
+ - GF_AUTH_GENERIC_OAUTH_CLIENT_ID=grafana
+ - GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=${GRAFANA_OAUTH}
+ - GF_AUTH_GENERIC_OAUTH_SCOPES=openid profile email groups
+ - GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES=false
+ - GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://idp.bhasher.com/api/oidc/authorization
+ - GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://idp.bhasher.com/api/oidc/token
+ - GF_AUTH_GENERIC_OAUTH_API_URL=https://idp.bhasher.com/api/oidc/userinfo
+ - GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH=preferred_username
+ - GF_AUTH_GENERIC_OAUTH_GROUPS_ATTRIBUTE_PATH=groups
+ - GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH=name
+ - GF_AUTH_GENERIC_OAUTH_USE_PKCE=false
+ - GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(roles[*], 'admin') && 'Admin' || 'Viewer'
+ - GF_AUTH_GENERIC_OAUTH_GROUPS_PATH=groups
+ - GF_AUTH_GENERIC_OAUTH_ALLOWED_GROUPS=admin
+ volumes:
+ - $DATA/monitoring/grafana:/var/lib/grafana
+ networks:
+ - external
+ - monitoring
+
+ cadvisor:
+ container_name: cadvisor
+ image: gcr.io/cadvisor/cadvisor:v0.47.1
+ volumes:
+ - /:/rootfs:ro
+ - /var/run:/var/run:rw
+ - /sys:/sys:ro
+ - /var/lib/docker/:/var/lib/docker:ro
+ restart: always
+ networks:
+ - monitoring
+
+ node-exporter:
+ container_name: node-exporter
+ image: quay.io/prometheus/node-exporter:latest
+ volumes:
+ - /proc:/host/proc:ro
+ - /sys:/host/sys:ro
+ - /:/rootfs:ro
+ - /:/host:ro,rslave
+ command:
+ - '--path.rootfs=/host'
+ - '--path.procfs=/host/proc'
+ - '--path.sysfs=/host/sys'
+ - --collector.filesystem.ignored-mount-points
+ - "^/(sys|proc|dev|host|etc|rootfs/var/lib/docker/containers|rootfs/var/lib/docker/overlay2|rootfs/run/docker/netns|rootfs/var/lib/docker/aufs)($$|/)"
+ restart: always
+ networks:
+ - monitoring
+
+
+networks:
+ monitoring:
+ external:
+ external: true
diff --git a/bxl-rpi/system/docker-compose.portainer.yaml b/bxl-rpi/system/docker-compose.portainer.yaml
new file mode 100644
index 0000000..7c7a695
--- /dev/null
+++ b/bxl-rpi/system/docker-compose.portainer.yaml
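Review bot: `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH` evaluates `roles[*]`, but the neighbouring settings (`GF_AUTH_GENERIC_OAUTH_GROUPS_ATTRIBUTE_PATH=groups`, `GF_AUTH_GENERIC_OAUTH_ALLOWED_GROUPS=admin`) assume membership arrives in the `groups` claim; if the IdP only emits `groups`, the JMESPath over `roles` is always empty and every user, admins included, is mapped to Viewer. `- GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(groups[*], 'admin') && 'Admin' || 'Viewer'` would agree with the rest of the block. `GF_AUTH_GENERIC_OAUTH_USE_PKCE=false` switches PKCE off for the authorization-code flow; unless the Authelia client is known to reject it, `true` is the safer setting and worth a comment if it must stay off. In the cadvisor service, `/var/run:/var/run:rw` hands the container a writable Docker socket although cAdvisor only needs to read it; `- /var/run:/var/run:ro` limits the blast radius if that container is ever compromised.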
@@ -0,0 +1,23 @@
+services:
+ portainer:
+ container_name: portainer
+ image: portainer/portainer-ce:latest
+ ports:
+ - "9443:9443"
+ volumes:
+ - $DATA/portainer:/data:rw
+ - /var/run/docker.sock:/var/run/docker.sock
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.portainer.rule=Host(`portainer.bxl.bhasher.com`)"
+ - "traefik.http.routers.portainer.entrypoints=externalsecure,internalsecure"
+ - "traefik.http.services.portainer.loadbalancer.server.port=9000"
+ - "traefik.http.routers.portainer.tls=true"
+ - "traefik.http.routers.portainer.tls.certresolver=http"
+ restart: unless-stopped
+ networks:
+ - external
+
+networks:
+ external:
+ external: true
diff --git a/bxl-rpi/system/docker-compose.storage.yaml b/bxl-rpi/system/docker-compose.storage.yaml
new file mode 100644
index 0000000..e6b3157
--- /dev/null
+++ b/bxl-rpi/system/docker-compose.storage.yaml
@@ -0,0 +1,23 @@
+services:
+ postgres:
+ container_name: postgres
+ image: postgres:latest
+ restart: unless-stopped
+ environment:
+ - POSTGRES_USER=postgres
+ - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
+ volumes:
+ - $DATA/postgres:/var/lib/postgresql/data
+ networks:
+ - storage
+
+ redis:
+ container_name: redis
+ image: redis:latest
+ restart: unless-stopped
+ networks:
+ - storage
+
+networks:
+ storage:
+ name: storage
diff --git a/bxl-rpi/system/docker-compose.traefik.yaml b/bxl-rpi/system/docker-compose.traefik.yaml
new file mode 100644
index 0000000..08ca0fd
--- /dev/null
+++ b/bxl-rpi/system/docker-compose.traefik.yaml
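Review bot: `ports: - "9443:9443"` publishes Portainer directly on the host in addition to the Traefik route, so the `portainer.bxl.bhasher.com` router (TLS, certresolver, entrypoints) is bypassed for anyone who can reach the host on 9443, and because the Docker socket is mounted read-write this container is equivalent to root on the host. If direct access is only needed from the machine itself, `- "127.0.0.1:9443:9443"` keeps Traefik as the only remote path; otherwise the `ports:` stanza can go. Note also that, unlike the `lum` and `prom` routers added in this commit, the portainer router carries no `authelia@docker` middleware while being exposed on `externalsecure`; Portainer has its own login, but that should be a deliberate choice recorded in a comment on the labels.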
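Review bot: `image: postgres:latest` will eventually pull a new major release, and a PostgreSQL server refuses to start on a data directory initialised by an older major (`$DATA/postgres` here) until a manual `pg_upgrade` is run, so the tag should be pinned to a major such as `postgres:<MAJOR>` (placeholder — use the version the existing data directory was created with). The redis service runs without any authentication, and since `storage` is joined by other stacks (`storage: external: true` in docker-compose.auth.yaml) every container on that network gets full read/write access to the session store; `command: redis-server --requirepass ${REDIS_PASSWORD}` (new variable, constructed name) plus the matching Authelia session setting would close that, and the same `:latest` pinning concern applies to `redis:latest`.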
@@ -0,0 +1,48 @@
+services:
+ traefik:
+ container_name: traefik
+ image: traefik:v2.9
+ command:
+ - "--api.insecure=true"
+ - "--providers.docker=true"
+ - "--providers.docker.exposedbydefault=false"
+ - "--providers.docker.network=external"
+ - "--entrypoints.internal.address=:80"
+ - "--entrypoints.internalsecure.address=:443"
+ - "--entrypoints.internal.http.redirections.entryPoint.to=internalsecure"
+ - "--entrypoints.internal.http.redirections.entryPoint.scheme=https"
+ - "--entrypoints.internal.http.redirections.entryPoint.permanent=true"
+ - "--certificatesresolvers.http.acme.httpchallenge=true"
+ - "--certificatesresolvers.http.acme.httpchallenge.entrypoint=external"
+ - "--certificatesresolvers.http.acme.email=acme@bhasher.com"
+ - "--certificatesresolvers.http.acme.storage=acme.json"
+ - "--entrypoints.external.address=:81"
+ - "--entrypoints.externalsecure.address=:444"
+ - "--entrypoints.external.http.redirections.entryPoint.to=externalsecure"
+ - "--entrypoints.external.http.redirections.entryPoint.scheme=https"
+ - "--entrypoints.external.http.redirections.entryPoint.permanent=true"
+ #- "--log.level=DEBUG"
+ - "--metrics.prometheus=true"
+ environment:
+ - TZ=Europe/Paris
+ ports:
+ - "80:80"
+ - "443:443"
+ - "81:81"
+ - "444:444"
+ #- "8080:8080"
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ - type: bind
+ source: $DATA/traefik/acme.json
+ target: /acme.json
+ - type: bind
+ source: $DATA/traefik/rules.toml
+ target: /rules.toml
+ restart: always
+ networks:
+ - external
+
+networks:
+ external:
+ name: external
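Review bot: `--api.insecure=true` enables the Traefik API and dashboard without authentication on port 8080; the host publish is commented out (`#- "8080:8080"`), but every container on the `external` network can still query `traefik:8080` and read the full routing configuration, including the hostnames and middleware layout of every service behind it. Dropping that flag and serving the dashboard through a router with `--api.dashboard=true` and the `authelia@docker` middleware defined in docker-compose.auth.yaml keeps it usable without the open endpoint. The `acme.json` bind mount holds the private keys of every issued certificate; Traefik expects that file to be mode 600 and complains otherwise, so deploy.sh (not visible here) should create it with that mode before the first start, and a comment on the `source: $DATA/traefik/acme.json` line would make the requirement explicit.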