services: traefik: container_name: traefik image: traefik:v2.9 command: - "--api.insecure=true" - "--providers.docker=true" - "--providers.docker.exposedbydefault=false" - "--providers.docker.network=external" - "--entrypoints.internal.address=:80" - "--entrypoints.internalsecure.address=:443" - "--entrypoints.internal.http.redirections.entryPoint.to=internalsecure" - "--entrypoints.internal.http.redirections.entryPoint.scheme=https" - "--entrypoints.internal.http.redirections.entryPoint.permanent=true" - "--certificatesresolvers.http.acme.httpchallenge=true" - "--certificatesresolvers.http.acme.httpchallenge.entrypoint=external" - "--certificatesresolvers.http.acme.email=acme@bhasher.com" - "--certificatesresolvers.http.acme.storage=acme.json" - "--entrypoints.external.address=:81" - "--entrypoints.externalsecure.address=:444" - "--entrypoints.external.http.redirections.entryPoint.to=externalsecure" - "--entrypoints.external.http.redirections.entryPoint.scheme=https" - "--entrypoints.external.http.redirections.entryPoint.permanent=true" #- "--log.level=DEBUG" - "--metrics.prometheus=true" environment: - TZ=Europe/Paris ports: - "80:80" - "443:443" - "81:81" - "444:444" #- "8080:8080" volumes: - /var/run/docker.sock:/var/run/docker.sock:ro - type: bind source: $DATA/traefik/acme.json target: /acme.json - type: bind source: $DATA/traefik/rules.toml target: /rules.toml restart: always portainer: container_name: portainer image: portainer/portainer-ce:latest #command: -H tcp://tasks.agent:9001 --tlsskipverify ports: - "9443:9443" volumes: - $DATA/portainer:/data:rw - /var/run/docker.sock:/var/run/docker.sock labels: - "traefik.enable=true" - "traefik.http.routers.portainer.rule=Host(`portainer.bxl.bhasher.com`)" - "traefik.http.routers.portainer.entrypoints=externalsecure,internalsecure" - "traefik.http.services.portainer.loadbalancer.server.port=9000" - "traefik.http.routers.portainer.tls=true" - "traefik.http.routers.portainer.tls.certresolver=http" restart: always matrix-synapse: container_name: matrix-synapse image: matrixdotorg/synapse:latest restart: unless-stopped environment: - SYNAPSE_SERVER_NAME=matrix.bhasher.com - SYNAPSE_REPORT_STATS=no volumes: - $DATA/matrix/synapse:/data:rw labels: - "traefik.enable=true" - "traefik.http.routers.matrix-synapse.rule=Host(`matrix.bhasher.com`)" - "traefik.http.routers.matrix-synapse.tls=true" - "traefik.http.routers.matrix-synapse.tls.certresolver=http" - "traefik.http.routers.matrix-synapse.entrypoints=internalsecure,externalsecure" - "traefik.http.services.matrix-synapse.loadbalancer.server.port=8008" wireguard: container_name: wireguard image: lscr.io/linuxserver/wireguard:latest restart: always volumes: - $DATA/wireguard:/config - /lib/modules:/lib/modules ports: - 51821:51820/udp environment: - TZ=Europe/Paris - SERVERURL=vpn.bhasher.com - SERVERPORT=51821 - PEERS=5 - PEERDNS=auto - INTERNAL_SUBNET=10.13.14.0 - ALLOWEDIPS=0.0.0.0/0 cap_add: - NET_ADMIN - SYS_MODULE sysctls: - net.ipv4.conf.all.src_valid_mark=1 matrix-riot: container_name: matrix-element image: ghcr.io/bubuntux/element-web restart: unless-stopped volumes: - ./config/riot/config.json:/etc/element-web/config.json:ro labels: - "traefik.enable=true" - "traefik.http.routers.matrix-riot.rule=Host(`element.bhasher.com`)" - "traefik.http.routers.matrix-riot.tls=true" - "traefik.http.routers.matrix-riot.tls.certresolver=http" - "traefik.http.routers.matrix-riot.entrypoints=internalsecure,externalsecure" - "traefik.http.services.matrix-riot.loadbalancer.server.port=80" prom_monitoring: container_name: prom_monitoring image: prom/prometheus:latest restart: unless-stopped labels: - "traefik.enable=true" - "traefik.http.routers.prom.rule=Host(`prometheus.bhasher.com`)" - "traefik.http.routers.prom.entrypoints=internalsecure" - "traefik.http.services.prom.loadbalancer.server.port=9090" - "traefik.http.routers.prom.tls=true" - "traefik.http.routers.prom.tls.certresolver=http" extra_hosts: - "host.docker.internal:host-gateway" volumes: - ./config/monitoring/prometheus.yaml:/etc/prometheus/prometheus.yml:ro - $DATA/monitoring/prometheus:/prometheus grafana: container_name: grafana image: grafana/grafana restart: unless-stopped labels: - "traefik.enable=true" - "traefik.http.routers.grafana.rule=Host(`grafana.bhasher.com`)" - "traefik.http.routers.grafana.entrypoints=internalsecure" - "traefik.http.services.grafana.loadbalancer.server.port=3000" - "traefik.http.routers.grafana.tls=true" - "traefik.http.routers.grafana.tls.certresolver=http" environment: - GF_SERVER_ROOT_URL=https://grafana.bhasher.com - GF_SMTP_ENABLED=true - GF_SMTP_HOST=bdubois.io:465 - GF_SMTP_USER=${SMTP_USER} - GF_SMTP_PASSWORD=${SMTP_PASSWORD} - GF_SMTP_FROM_ADDRESS=grafana@bhasher.com - GF_AUTH_LOGIN_DISABLE_LOGIN_FORM=true - GF_AUTH_DISABLE_SIGNOUT_MENU=true - GF_AUTH_OAUTH_AUTO_LOGIN=true - GF_AUTH_GENERIC_OAUTH_ENABLED=true - GF_AUTH_GENERIC_OAUTH_ICON=signin - GF_AUTH_GENERIC_OAUTH_NAME=Authelia - GF_AUTH_GENERIC_OAUTH_CLIENT_ID=grafana - GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=${GRAFANA_OAUTH} - GF_AUTH_GENERIC_OAUTH_SCOPES=openid profile email groups - GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES=false - GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://idp.bhasher.com/api/oidc/authorization - GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://idp.bhasher.com/api/oidc/token - GF_AUTH_GENERIC_OAUTH_API_URL=https://idp.bhasher.com/api/oidc/userinfo - GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH=preferred_username - GF_AUTH_GENERIC_OAUTH_GROUPS_ATTRIBUTE_PATH=groups - GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH=name - GF_AUTH_GENERIC_OAUTH_USE_PKCE=false - GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(roles[*], 'admin') && 'Admin' || 'Viewer' - GF_AUTH_GENERIC_OAUTH_GROUPS_PATH=groups - GF_AUTH_GENERIC_OAUTH_ALLOWED_GROUPS=admin volumes: - $DATA/monitoring/grafana:/var/lib/grafana cadvisor: container_name: cadvisor image: gcr.io/cadvisor/cadvisor:v0.47.1 volumes: - /:/rootfs:ro - /var/run:/var/run:rw - /sys:/sys:ro - /var/lib/docker/:/var/lib/docker:ro restart: always node-exporter: container_name: node-exporter image: quay.io/prometheus/node-exporter:latest volumes: - /proc:/host/proc:ro - /sys:/host/sys:ro - /:/rootfs:ro - /:/host:ro,rslave command: - '--path.rootfs=/host' - '--path.procfs=/host/proc' - '--path.sysfs=/host/sys' - --collector.filesystem.ignored-mount-points - "^/(sys|proc|dev|host|etc|rootfs/var/lib/docker/containers|rootfs/var/lib/docker/overlay2|rootfs/run/docker/netns|rootfs/var/lib/docker/aufs)($$|/)" restart: always jellyfin: container_name: jellyfin image: linuxserver/jellyfin:latest volumes: - $DATA/mediaserver/jellyfin:/config - /mnt/movies/series:/data/tvshows - /mnt/movies/movies:/data/movies - /mnt/movies/musics:/data/musics environment: - PUID=1000 - PGID=1000 - TZ=Europe/Paris restart: unless-stopped labels: - "traefik.enable=true" - "traefik.http.routers.jellyfin.rule=Host(`jellyfin.bhasher.com`)" - "traefik.http.routers.jellyfin.entrypoints=internalsecure,externalsecure" - "traefik.http.services.jellyfin.loadbalancer.server.port=8096" - "traefik.http.routers.jellyfin.tls=true" - "traefik.http.routers.jellyfin.tls.certresolver=http" radarr: container_name: radarr image: lscr.io/linuxserver/radarr:latest environment: - TZ=Europe/Paris - PUID=1000 - PGID=1000 volumes: - $DATA/mediaserver/radarr:/config - /mnt/movies/movies:/movies - /mnt/movies/tmp:/downloads restart: unless-stopped labels: - "traefik.enable=true" - "traefik.http.routers.radarr.rule=Host(`radarr.bhasher.com`)" - "traefik.http.services.radarr.loadbalancer.server.port=7878" - "traefik.http.routers.radarr.tls=true" - "traefik.http.routers.radarr.tls.certresolver=http" - "traefik.http.routers.radarr.entrypoints=internalsecure" - "traefik.http.routers.radarr.middlewares=authelia@docker" sonarr: container_name: sonarr image: lscr.io/linuxserver/sonarr:latest environment: - PUID=1000 - PGID=1000 - TZ=Europe/Paris volumes: - $DATA/mediaserver/sonarr:/config - /mnt/movies/series:/tv - /mnt/movies/tmp:/downloads restart: unless-stopped labels: - "traefik.enable=true" - "traefik.http.routers.sonarr.rule=Host(`sonarr.bhasher.com`)" - "traefik.http.services.sonarr.loadbalancer.server.port=8989" - "traefik.http.routers.sonarr.tls=true" - "traefik.http.routers.sonarr.tls.certresolver=http" - "traefik.http.routers.sonarr.entrypoints=internalsecure" - "traefik.http.routers.sonarr.middlewares=authelia@docker" lidarr: container_name: lidarr image: lscr.io/linuxserver/lidarr:latest environment: - PUID=1000 - PGID=1000 - TZ=Europe/Paris volumes: - $DATA/mediaserver/lidarr:/config - /mnt/movies/musics:/music - /mnt/movies/tmp:/downloads restart: unless-stopped labels: - "traefik.enable=true" - "traefik.http.routers.lidarr.rule=Host(`lidarr.bhasher.com`)" - "traefik.http.services.lidarr.loadbalancer.server.port=8686" - "traefik.http.routers.lidarr.tls=true" - "traefik.http.routers.lidarr.tls.certresolver=http" - "traefik.http.routers.lidarr.entrypoints=internalsecure" - "traefik.http.routers.lidarr.middlewares=authelia@docker" transmission: container_name: transmission image: lscr.io/linuxserver/transmission:latest environment: - PUID=1000 - PGID=1000 - TZ=Europe/Paris volumes: - $DATA/mediaserver/transmission:/config - /mnt/movies/tmp:/downloads - /mnt/movies/torrents:/watch ports: - 51413:51413/tcp - 51413:51413/udp restart: unless-stopped labels: - "traefik.enable=true" - "traefik.http.routers.transmission.rule=Host(`transmission.bhasher.com`)" - "traefik.http.services.transmission.loadbalancer.server.port=9091" - "traefik.http.routers.transmission.tls=true" - "traefik.http.routers.transmission.tls.certresolver=http" - "traefik.http.routers.transmission.entrypoints=internalsecure" - "traefik.http.routers.transmission.middlewares=authelia@docker" jackett: container_name: jackett image: lscr.io/linuxserver/jackett:latest environment: - PUID=1000 - PGID=1000 - TZ=Europe/Paris - AUTO_UPDATE=true volumes: - $DATA/mediaserver/jackett:/config - /mnt/movies/torrents:/downloads restart: unless-stopped labels: - "traefik.enable=true" - "traefik.http.routers.jackett.rule=Host(`jackett.bhasher.com`)" - "traefik.http.services.jackett.loadbalancer.server.port=9117" - "traefik.http.routers.jackett.tls=true" - "traefik.http.routers.jackett.tls.certresolver=http" - "traefik.http.routers.jackett.entrypoints=internalsecure" - "traefik.http.routers.jackett.middlewares=authelia@docker" flaresolverr: container_name: flaresolverr image: ghcr.io/flaresolverr/flaresolverr:latest environment: - LOG_LEVEL=info - LOG_HTML=false - CAPTCHA_SOLVER=none - TZ=Europe/Paris restart: unless-stopped bazarr: container_name: bazarr image: lscr.io/linuxserver/bazarr environment: - TZ=Europe/Paris - PUID=1000 - PGID=1000 volumes: - $DATA/mediaserver/bazarr:/config - /mnt/movies/movies:/movies - /mnt/movies/series:/tv restart: unless-stopped labels: - "traefik.enable=true" - "traefik.http.routers.bazarr.rule=Host(`bazarr.bhasher.com`)" - "traefik.http.services.bazarr.loadbalancer.server.port=6767" - "traefik.http.routers.bazarr.tls=true" - "traefik.http.routers.bazarr.tls.certresolver=http" - "traefik.http.routers.bazarr.entrypoints=internalsecure" - "traefik.http.routers.bazarr.middlewares=authelia@docker" baikal: container_name: baikal image: ckulka/baikal:nginx restart: on-failure environment: - TZ=Europe/Paris volumes: - $DATA/baikal/config:/var/www/baikal/config - $DATA/baikal/data:/var/www/baikal/Specific labels: - "traefik.enable=true" - "traefik.http.routers.baikal.rule=Host(`baikal.bxl.bhasher.com`)" - "traefik.http.services.baikal.loadbalancer.server.port=80" - "traefik.http.routers.baikal.tls=true" - "traefik.http.routers.baikal.tls.certresolver=http" - "traefik.http.routers.baikal.entrypoints=internalsecure,externalsecure" borg: container_name: borg image: pschiffe/borg volumes: - /mnt/borg:/borg/repo - $DATA/borg/config:/root - $DATA:/borg/data/docker-data:ro - /etc/localtime:/etc/localtime:ro environment: - BORG_REPO=/borg/repo - BORG_PASSPHRASE=${BORG_PASSPHRASE} - BACKUP_DIRS=/borg/data - COMPRESSION=lz4 - PRUNE=1 restart: 'no' cron: container_name: cron-scheduling image: alpine:latest volumes: - ./config/cron:/etc/cron.d:ro - /etc/localtime:/etc/localtime:ro command: crond -f restart: unless-stopped pihole: container_name: pihole image: cbcrowe/pihole-unbound:latest ports: - 53:53/tcp - 53:53/udp environment: - TZ=Europe/Paris - WEBPASSWORD= - WEBTHEME=default-dark - REV_SERVER=false - PIHOLE_DNS_=127.0.0.1#5335 - DNSSEC=true - DNSMASQ_LISTENING=all - FTLCONF_LOCAL_IPV4=192.168.1.220 - FTLCONF_RATE_LIMIT=0/0 - FTL_CMD=debug - DNSMASQ_USER=root volumes: - $DATA/pihole/config:/etc/pihole - $DATA/pihole/dnsmasq.d:/etc/dnsmasq.d restart: unless-stopped labels: - "traefik.enable=true" - "traefik.http.routers.pihole.rule=Host(`pihole.bhasher.com`)" - "traefik.http.routers.pihole.entrypoints=internalsecure" - "traefik.http.services.pihole.loadbalancer.server.port=80" - "traefik.http.routers.pihole.tls=true" - "traefik.http.routers.pihole.tls.certresolver=http" - "traefik.http.routers.pihole.middlewares=pihole-strip,authelia@docker" #- "traefik.http.middlewares.pihole-strip.stripprefix.prefixes=/admin" - "traefik.http.middlewares.pihole-strip.addprefix.prefix=/admin" postgres: container_name: postgres image: postgres:latest restart: unless-stopped environment: - POSTGRES_USER=postgres - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} volumes: - $DATA/postgres:/var/lib/postgresql/data redis: container_name: redis image: redis:latest restart: unless-stopped openldap: container_name: openldap image: osixia/openldap:latest restart: unless-stopped environment: - LDAP_ADMIN_USERNAME=admin - LDAP_ADMIN_PASSWORD=${LDAP_ADMIN_PASSWORD} - LDAP_READONLY_USER=true - LDAP_READONLY_USER_USERNAME=readonly - LDAP_READONLY_USER_PASSWORD=${LDAP_READONLY_PASSWORD} - LDAP_DOMAIN=bhasher.com - LDAP_ORGANISATION=Bhasher - LDAP_RFC2307BIS_SCHEMA=true - LDAP_TLS=false volumes: - $DATA/openldap/ldap:/var/lib/ldap - $DATA/openldap/slapd.d:/etc/ldap/slapd.d ldapusermanager: container_name: ldapusermanager image: wheelybird/ldap-user-manager:latest restart: unless-stopped environment: - LDAP_URI=ldap://openldap - LDAP_BASE_DN=dc=bhasher,dc=com - LDAP_ADMIN_BIND_DN=cn=admin,dc=bhasher,dc=com - LDAP_ADMINS_GROUP=admin - SERVER_HOSTNAME=lum.bhasher.com - NO_HTTPS=true - ORGANISATION_NAME=Bhasher - LDAP_REQUIRE_STARTTLS=false - FORCE_RFC2307BIS=true - SHOW_POSIX_ATTRIBUTES=false - LDAP_ADMIN_BIND_PWD=${LDAP_ADMIN_PASSWORD} - LDAP_USER_OU=users - LDAP_GROUP_OU=groups - LDAP_ACCOUNT_ATTRIBUTE=uid - LDAP_GROUP_ATTRIBUTE=cn - USERNAME_FORMAT={first_name}.{last_name} - ENFORCE_SAFE_SYSTEM_NAMES=false - PASSWORD_HASH=SHA512CRYPT - ACCEPT_WEAK_PASSWORDS=false - LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES=jpegPhoto^:Profile picture,sshpubkey^+:SSH public key - REMOTE_HTTP_HEADERS_LOGIN=true labels: - "traefik.enable=true" - "traefik.http.routers.lum.rule=Host(`lum.bhasher.com`)" - "traefik.http.routers.lum.entrypoints=internalsecure" - "traefik.http.services.lum.loadbalancer.server.port=80" - "traefik.http.routers.lum.tls=true" - "traefik.http.routers.lum.tls.certresolver=http" - "traefik.http.routers.lum.middlewares=authelia@docker" authelia: container_name: authelia image: authelia/authelia:latest restart: unless-stopped environment: - TZ=Europe/Paris - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD=${LDAP_READONLY_PASSWORD} - AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET} - AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET} - AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_ENCRYPTION_KEY} - AUTHELIA_STORAGE_POSTGRES_PASSWORD=${POSTGRES_PASSWORD} - AUTHELIA_NOTIFIER_SMTP_PASSWORD=${SMTP_PASSWORD} - AUTHELIA_NOTIFIER_SMTP_USERNAME=${SMTP_USER} - AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE=/secrets/oidc_certificate.pem - AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET=${AUTHELIA_OIDC_HMAC} labels: - "traefik.enable=true" - "traefik.http.routers.authelia.rule=Host(`idp.bhasher.com`)" - "traefik.http.routers.authelia.entrypoints=internalsecure,externalsecure" - "traefik.http.services.authelia.loadbalancer.server.port=9091" - "traefik.http.routers.authelia.tls=true" - "traefik.http.routers.authelia.tls.certresolver=http" - 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https%3A%2F%2Fidp.bhasher.com%2F' - 'traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true' - 'traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' volumes: - ./config/idp/authelia.configuration.yaml:/config/configuration.yml:ro - $DATA/authelia:/secrets:ro