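# Single-host stack: Traefik as the edge proxy in front of Portainer, a mail
# server with its autodiscover helper, a whoami test container and Invoice
# Ninja (nginx + app + MariaDB).
#
# Secrets are injected through Compose variable substitution:
# "${VAR:?msg}" aborts `up` when VAR is unset or empty. Define the variables
# in the shell environment or in an untracked `.env` file next to this file.
# Credentials that were previously written literally in this file should be
# treated as disclosed and rotated.
version: '3.2'

services:

  traefik:
    image: traefik:v2.9
    container_name: traefik
    command:
      - "--providers.docker=true"
      # NOTE(review): api.insecure serves the API and dashboard without
      # authentication on Traefik's internal `traefik` entrypoint (port 8080
      # by default). That port is not published below, but every container
      # attached to the `external` network can reach it. Prefer disabling it
      # and exposing `api@internal` through an authenticated router.
      - "--api.insecure=true"
      # NOTE(review): api.debug adds debug/profiling endpoints to the API;
      # turn it off outside troubleshooting sessions.
      - "--api.debug=true"
      # Containers are only routed when they carry `traefik.enable=true`.
      - "--providers.docker.exposedbydefault=false"
      # NOTE(review): Compose normally prefixes network names with the project
      # name, so the real Docker network may be `<project>_external` rather
      # than `external` - confirm this value matches `docker network ls`.
      - "--providers.docker.network=external"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Plain HTTP is permanently redirected to HTTPS.
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.web.http.redirections.entryPoint.permanent=true"
      # ACME resolver named `http`, using the HTTP-01 challenge on port 80.
      - "--certificatesresolvers.http.acme.httpchallenge=true"
      - "--certificatesresolvers.http.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.http.acme.email=acme@bhasher.com"
      - "--certificatesresolvers.http.acme.storage=acme.json"
      # NOTE(review): DEBUG logging is verbose and can record request details;
      # lower it for normal operation.
      - "--log.level=DEBUG"
    environment:
      - TZ=Europe/Paris
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # `:ro` only protects the socket file itself; it does not restrict the
      # Docker API calls made over the socket, so this is still root-equivalent
      # access to the host. Consider a filtering socket proxy.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Certificate store; must stay writable for Traefik. It contains the
      # private keys of every issued certificate.
      - type: bind
        source: /etc/letsencrypt/acme.json
        target: /acme.json
    networks:
      - external

  portainer:
    container_name: portainer
    # NOTE(review): `latest` is a moving tag; pin a version (or digest) so
    # image updates are deliberate and reviewable.
    image: portainer/portainer-ce:latest
    restart: on-failure
    labels:
      # NOTE(review): this publishes a Docker management UI on the public
      # HTTPS entrypoint; consider limiting access (source-IP allow-list
      # middleware, VPN or an extra authentication layer).
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.rule=Host(`portainer.vps.bhasher.com`)"
      - "traefik.http.routers.portainer.entrypoints=websecure"
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
      - "traefik.http.routers.portainer.tls=true"
      - "traefik.http.routers.portainer.tls.certresolver=http"
    volumes:
      # Same caveat as for Traefik: `:ro` does not limit Docker API access.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/debian/containers/portainer:/data
    networks:
      - external

  mailserver:
    # NOTE(review): `latest` is a moving tag; pin a version.
    image: docker.io/mailserver/docker-mailserver:latest
    container_name: mailserver
    hostname: mail
    domainname: bdubois.io
    ports:
      # Quoted so no YAML parser can reinterpret a HOST:CONTAINER pair.
      - "25:25"
      - "143:143"
      - "465:465"
      - "587:587"
      - "993:993"
    labels:
      # NOTE(review): 4190 is the ManageSieve port (ENABLE_MANAGESIEVE=1
      # below). ManageSieve is not HTTP, so an HTTP router in front of it is
      # unlikely to work - confirm whether a TCP router or a published port
      # was intended.
      - "traefik.enable=true"
      - "traefik.http.routers.sieve.rule=Host(`sieve.bdubois.io`)"
      - "traefik.http.routers.sieve.entrypoints=websecure"
      - "traefik.http.services.sieve.loadbalancer.server.port=4190"
      - "traefik.http.routers.sieve.tls=true"
      - "traefik.http.routers.sieve.tls.certresolver=http"
    volumes:
      - /home/debian/containers/mailserver/mail-data/:/var/mail/:rw
      - /home/debian/containers/mailserver/docker-data/mail-state/:/var/mail-state/:rw
      - /home/debian/containers/mailserver/mail-logs/:/var/log/mail/:rw
      - /home/debian/containers/mailserver/config/:/tmp/docker-mailserver/:rw
      - /home/debian/containers/stepca/issued/bdubois.io:/certs:ro
      - /etc/localtime:/etc/localtime:ro
      # Traefik's certificate store holds the private keys of every issued
      # certificate. The mail server is expected to only read it (see
      # SSL_TYPE=letsencrypt below), so the bind is read-only.
      - type: bind
        source: /etc/letsencrypt/acme.json
        target: /etc/letsencrypt/acme.json
        read_only: true
    cap_add:
      # NOTE(review): NET_ADMIN is presumably for Fail2Ban's firewall rules
      # (ENABLE_FAIL2BAN=1 below); confirm SYS_PTRACE is still required and
      # drop it otherwise.
      - NET_ADMIN
      - SYS_PTRACE
    restart: on-failure
    environment:
      # SSL
      - SSL_TYPE=letsencrypt
      - SSL_DOMAIN=bdubois.io
      - LETSENCRYPT_DOMAIN=bdubois.io
      - TLS_LEVEL=modern

      # DEBUGGING
      - LOG_LEVEL=info
      - SUPERVISOR_LOGLEVEL=info
      - AMAVIS_LOGLEVEL=0
      - PFLOGSUMM_TRIGGER=logrotate
      - LOGROTATE_INTERVAL=weekly
      - PFLOGSUMM_RECIPIENT=pflog@bdubois.io
      - PFLOGSUMM_SENDER=report@bdubois.io
      - LOGWATCH_INTERVAL=weekly
      - LOGWATCH_RECIPIENT=watchlog@bdubois.io
      - LOGWATCH_SENDER=report@bdubois.io

      # UPDATE
      - ENABLE_UPDATE_CHECK=1
      - UPDATE_CHECK_INTERVAL=7d

      # NETWORKING
      - NETWORK_INTERFACE=eth0
      - PERMIT_DOCKER=none
      - POSTFIX_INET_PROTOCOLS=ipv4
      - DOVECOT_INET_PROTOCOLS=ipv4

      # PERSISTENCE
      - ONE_DIR=1

      # FILTERING
      # NOTE(review): Amavis, SpamAssassin, ClamAV and DNSBL are all switched
      # off, so inbound mail gets no content or reputation filtering here;
      # the SA_* / *SPAM* settings below have no effect while SpamAssassin is
      # disabled.
      - ENABLE_AMAVIS=0
      - ENABLE_SPAMASSASSIN=0
      - ENABLE_CLAMAV=0
      - ENABLE_MANAGESIEVE=1
      #- ENABLE_AMAVIS=1 # Link between MTA & ClamAV/SpamAssassin
      - ENABLE_DNSBL=0  # DNS-based source rejection
      #- ENABLE_CLAMAV=1 # Antivirus
      - VIRUSMAILS_DELETE_DELAY=7
      - POSTSCREEN_ACTION=enforce
      #- ENABLE_SPAMASSASSIN=1 # Antispam
      - SPAMASSASSIN_SPAM_TO_INBOX=1
      #- ENABLE_SPAMASSASSIN_KAM=1 # Extended rules set
      - MOVE_SPAM_TO_JUNK=1
      - SA_TAG=2.0  # Spam info header level
      - SA_TAG2=6.31  # Spam level
      - SA_KILL=6.31
      - SA_SPAM_SUBJECT=***SPAM*****

      # SECURITY
      - ENABLE_FAIL2BAN=1
      - FAIL2BAN_BLOCKTYPE=drop
      # NOTE(review): with 0, an authenticated user may send mail with any
      # sender address; the trailing "1" suggests enabling it was intended.
      - SPOOF_PROTECTION=0  # 1

      # CONNECTIVITY
      - ENABLE_POP3=
      - SMTP_ONLY=
      - ENABLE_SRS=0
      - ENABLE_POSTFIX_VIRTUAL_TRANSPORT=
      - ENABLE_LDAP=
      - ENABLE_POSTGREY=0
      - ENABLE_SASLAUTHD=0

      # LIMITATIONS
      #POSTFIX_MAILBOX_SIZE_LIMIT=
      - ENABLE_QUOTAS=1
      - POSTFIX_MESSAGE_SIZE_LIMIT=104857600  # 100 MB
      #CLAMAV_MESSAGE_SIZE_LIMIT=

      # CONFIGURATION
      - POSTMASTER_ADDRESS=
      - DOVECOT_MAILBOX_FORMAT=maildir  # One mail per file
    networks:
      - external

  autodiscover:
    # NOTE(review): `latest` is a moving tag; pin a version.
    image: jsmitsnl/docker-email-autodiscover:latest
    hostname: autodiscover
    domainname: bdubois.io
    container_name: autodiscover
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.autodiscover.rule=Host(`autodiscover.bdubois.io`, `autodiscover.bhasher.com`)"
      - "traefik.http.services.autodiscover.loadbalancer.server.port=80"
      - "traefik.http.routers.autodiscover.tls=true"
      - "traefik.http.routers.autodiscover.tls.certresolver=http"
      - "traefik.http.routers.autodiscover.entrypoints=websecure"
    environment:
      - COMPANY_NAME=BDUBOIS
      #- SUPPORT_URL=https://support.domain.com
      - DOMAIN=bdubois.io
      - IMAP_HOST=imap.bdubois.io
      - IMAP_SOCKET=SSL
      - SMTP_HOST=smtp.bdubois.io
      - SMTP_SOCKET=SSL
    networks:
      - external

  whoami:
    container_name: whoami
    image: docker.io/traefik/whoami:latest
    labels:
      # NOTE(review): Traefik runs with exposedbydefault=false and this
      # container has no `traefik.enable=true` label, so these router labels
      # are presumably ignored - confirm. The `*.bdubois.io` SAN also cannot
      # be issued by the `http` resolver as configured, because Let's Encrypt
      # issues wildcard names only through the DNS-01 challenge.
      - "traefik.http.routers.whoami.tls.domains[0].main=bdubois.io"
      - "traefik.http.routers.whoami.tls.domains[0].sans=*.bdubois.io"
      #- "traefik.http.routers.whoami.rule=Host(`*.bdubois.io`)"
      - "traefik.http.routers.whoami.tls=true"
      - "traefik.http.routers.whoami.tls.certresolver=http"
    networks:
      - external

  invoicenginx:
    container_name: invoice_nginx
    # NOTE(review): `latest` is a moving tag; pin a version.
    image: nginx:latest
    restart: on-failure
    volumes:
      - /home/debian/containers/invoiceninja/in-vhost.conf:/etc/nginx/conf.d/in-vhost.conf:ro
      - /home/debian/containers/invoiceninja/app/public:/var/www/app/public:ro
    environment:
      # NOTE(review): in list form the quotes are part of the value, so the
      # container sees the three characters '*' - confirm that is intended.
      - TRUSTED_PROXIES='*'
    depends_on:
      - invoiceninja
    networks:
      # Bridges the private `invoice` network and the proxy-facing one.
      - invoice
      - external
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.invoice.rule=Host(`invoice.vps.bhasher.com`)"
      - "traefik.http.services.invoice.loadbalancer.server.port=80"
      - "traefik.http.routers.invoice.tls=true"
      - "traefik.http.routers.invoice.tls.certresolver=http"
      - "traefik.http.routers.invoice.entrypoints=websecure"

  invoiceninja:
    image: invoiceninja/invoiceninja:5
    container_name: invoice_ninja
    environment:
      - APP_URL=https://invoice.vps.bhasher.com
      # Application encryption key: supplied from the environment, never
      # committed. Changing it may invalidate data encrypted with the old key.
      - "APP_KEY=${INVOICENINJA_APP_KEY:?INVOICENINJA_APP_KEY must be set}"
      - REQUIRE_HTTPS=true
      - PHANTOMJS_PDF_GENERATION=false
      - PDF_GENERATOR=snappdf
      - QUEUE_CONNECTION=database
      - DB_HOST=invoicedb
      - DB_DATABASE=ninja
      - DB_USERNAME=ninja
      # Must equal MYSQL_PASSWORD of the invoicedb service.
      - "DB_PASSWORD=${INVOICENINJA_DB_PASSWORD:?INVOICENINJA_DB_PASSWORD must be set}"
      - IN_USER_EMAIL=invoice@bhasher.com
      # Password of the initial application account (IN_USER_EMAIL above).
      - "IN_PASSWORD=${INVOICENINJA_ADMIN_PASSWORD:?INVOICENINJA_ADMIN_PASSWORD must be set}"
      # NOTE(review): in list form the quotes are part of the value, so the
      # application sees '*' including the quotes. A bare * would trust
      # forwarded headers from any peer; prefer naming the proxy's address
      # range - confirm what the application accepts.
      - TRUSTED_PROXIES='*'
    restart: on-failure
    volumes:
      - /home/debian/containers/invoiceninja/app/public:/var/www/app/public:rw
      - /home/debian/containers/invoiceninja/app/storage:/var/www/app/storage:rw
    depends_on:
      - invoicedb
    networks:
      # Private network only; reached from outside through invoicenginx.
      - invoice

  invoicedb:
    container_name: invoice_db
    # NOTE(review): `latest` is a moving tag; a major-version jump of the
    # database image can require a manual upgrade step. Pin a version.
    image: mariadb:latest
    restart: on-failure
    environment:
      # The image applies these only when the data directory is first
      # initialised; rotating a password later also requires changing it
      # inside the database.
      - "MYSQL_ROOT_PASSWORD=${INVOICENINJA_DB_ROOT_PASSWORD:?INVOICENINJA_DB_ROOT_PASSWORD must be set}"
      - MYSQL_USER=ninja
      - "MYSQL_PASSWORD=${INVOICENINJA_DB_PASSWORD:?INVOICENINJA_DB_PASSWORD must be set}"
      - MYSQL_DATABASE=ninja
    volumes:
      - /home/debian/containers/invoiceninja/mariadb/data:/var/lib/mysql:rw
    networks:
      # No published ports and no proxy-facing network: database stays private.
      - invoice
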
# Networks referenced by the services; both use Compose's default settings.
networks:
  # Proxy-facing network shared by Traefik and every routed container.
  # "external" is only the network's name here, not the Compose
  # `external: true` attribute - Compose still creates and owns it.
  external:
  # Back-end network for the Invoice Ninja containers (nginx, app, database).
  invoice: