general update oon docker config

2024-07-19 12:38:32 +02:00
parent 2da547bcc2
commit fd083af6d3
34 changed files with 125 additions and 46 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -40,8 +40,10 @@ include:
    env_file: ${MEDIA_PATH}/.env
  - path:
      - ${SERVICE_PATH}/freshrss/freshrss.yml
      - ${SERVICE_PATH}/gitea/gitea.yml
      - ${SERVICE_PATH}/home-assistant/home-assistant.yml
      - ${SERVICE_PATH}/home-assistant/ha-addon/ha-ewelink-addon.yml
      - ${SERVICE_PATH}/it-tools/it-tools.yml
      - ${SERVICE_PATH}/jupyter-notebook/jupyter-notebook.yml
      - ${SERVICE_PATH}/mealie/mealie.yml
@@ -53,17 +55,19 @@ include:
    env_file: ${SERVICE_PATH}/.env
 networks:
-  private:
+  ip4net:
    driver: bridge
-    name: private
+    name: ip4net
    ipam:
      config:
        - subnet: 10.5.0.0/16
          gateway: 10.5.0.1
  public:
    driver: bridge
    name: public
    ipam:
      config:
        - subnet: 10.6.0.0/16
-          gateway: 10.6.0.1
+  ip6net:
    driver: bridge
    name: ip6net
    enable_ipv6: true
    ipam:
      driver: default
      # config: 
      #   # - subnet: "2a04:ee41:86:9397::/64"
      #   - subnet: "2001:db8:2:/64"
      #   - gateway: "2001:db8:2::1"
--- a/project/db/adminer/adminer.yml
+++ b/project/db/adminer/adminer.yml
@@ -7,6 +7,8 @@ services:
    container_name: adminer
    ports:
      - 8085:8080
    networks: 
      - ip4net
    labels:
      # Watchtower
      - "com.centurylinklabs.watchtower.enable=true"
--- a/project/db/lldap/lldap.yml
+++ b/project/db/lldap/lldap.yml
@@ -18,6 +18,9 @@ services:
      # - "6360:6360"
      # For the web front-end
      - "17170:17170"
    networks: 
      - ip6net
      - ip4net
    volumes:
      - "${DB_PATH}/lldap/data:/data"
    environment:
@@ -43,4 +46,4 @@ services:
      - "traefik.http.services.lldap-service.loadbalancer.server.port=17170"
      - "traefik.http.services.lldap-service.loadbalancer.server.scheme=http"
      # middlewares
-      - "traefik.http.routers.lldap.middlewares=crowdsec-bouncer@file"
+      # - "traefik.http.routers.lldap.middlewares=crowdsec-bouncer@file"
--- a/project/db/mariadb/mariadb.yml
+++ b/project/db/mariadb/mariadb.yml
@@ -6,6 +6,8 @@ services:
    image: mariadb:latest
    container_name: mariadb
    command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
    networks: 
      - ip4net
    environment:
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
    volumes:
--- a/project/db/pgadmin/pgadmin.yml
+++ b/project/db/pgadmin/pgadmin.yml
@@ -10,6 +10,8 @@ services:
    image: dpage/pgadmin4:latest
    ports:
      - 8082:80
    networks: 
      - ip4net
    secrets: [pgadmin_default_password]
    volumes:
      - ${DB_PATH}/pgadmin/data:/var/lib/pgadmin
--- a/project/db/postgres/postgres.yml
+++ b/project/db/postgres/postgres.yml
@@ -10,6 +10,9 @@ services:
    image: postgres:latest
    ports:
      - 5432:5432
    networks: 
      - ip4net
      - ip6net
    secrets: [postgres_default_password]
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_default_password
@@ -32,6 +35,9 @@ services:
    image: tensorchord/pgvecto-rs:pg16-v0.2.1-alpha.2
    ports:
      - 5433:5432
    networks: 
      - ip4net
      - ip6net
    secrets: [postgres_default_password]
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_default_password
--- a/project/db/redis/redis.yml
+++ b/project/db/redis/redis.yml
@@ -5,6 +5,9 @@ services:
      service: default
    container_name: redis
    image: redis:latest
    networks: 
      - ip4net
      - ip6net
    volumes:
      - ${DB_PATH}/redis/data:/data
    labels:
--- a/project/infrastructure/authelia/authelia.yml
+++ b/project/infrastructure/authelia/authelia.yml
@@ -16,6 +16,8 @@ services:
    image: authelia/authelia:latest
    ports:
      - 9959:9959 # metrics prometheus
    networks: 
      - ip6net
    expose:
      - 9091
    secrets: [JWT_SECRET, SESSION_SECRET, STORAGE_PASSWORD, STORAGE_ENCRYPTION_KEY]
@@ -40,4 +42,4 @@ services:
      - 'traefik.http.routers.authelia.service=authelia-svc'
      - 'traefik.http.services.authelia-svc.loadbalancer.server.port=9091'
      # Middleware
-      - "traefik.http.routers.authelia.middlewares=crowdsec-bouncer@file"
+      #- "traefik.http.routers.authelia.middlewares=crowdsec-bouncer@file"
--- a/project/infrastructure/crowdsec/crowdsec.yml
+++ b/project/infrastructure/crowdsec/crowdsec.yml
@@ -6,34 +6,21 @@ services:
    container_name: crowdsec
    image: crowdsecurity/crowdsec:latest
    environment:
-      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve"
+      COLLECTIONS: crowdsecurity/traefik crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules crowdsecurity/http-cve
      CROWDSEC_BOUNCER_API_KEY: ${CROWDSEC_API_KEY}
      CUSTOM_HOSTNAME: crowdsec
    expose:
      - 8080
    ports:
      - 6060:6060
    networks: 
      - ip4net
      - ip6net
    volumes:
      - ${INFRA_PATH}/crowdsec/data:/var/lib/crowdsec/data
      - ${INFRA_PATH}/crowdsec/config:/etc/crowdsec
      - /var/log/auth.log:/var/log/auth.log:ro
      - /var/log/crowdsec:/var/log/crowdsec:ro
    labels:
      # Watchtower
      - "com.centurylinklabs.watchtower.enable=true"
  crowdsec-traefik-bouncer:
    extends:
      file: ${TEMPLATES_PATH}
      service: default
    image: fbonalair/traefik-crowdsec-bouncer:latest
    container_name: bouncer-traefik
    environment:
      CROWDSEC_BOUNCER_API_KEY: ${CROWDSEC_API_KEY}
      CROWDSEC_AGENT_HOST: crowdsec:8080
      GIN_MODE: release
    expose:
      - 8080
    depends_on:
      - crowdsec
    labels:
      # Watchtower
      - "com.centurylinklabs.watchtower.enable=true"
--- a/project/infrastructure/homepage/homepage.yml
+++ b/project/infrastructure/homepage/homepage.yml
@@ -7,6 +7,8 @@ services:
    container_name: homepage
    ports:
      - 3030:3000
    networks: 
      - ip4net
    environment:
      HOMEPAGE_VAR_LOCAL_DOMAIN: ${LOCAL_DOMAIN}
      HOMEPAGE_VAR_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN}
--- a/project/infrastructure/speedtest/speedtest.yml
+++ b/project/infrastructure/speedtest/speedtest.yml
@@ -18,6 +18,8 @@ services:
      #WEBPORT: 80
    ports:
      - "4001:80" # webport mapping (host:container)
    networks: 
      - ip4net
    labels:
      # Watchtower
      - "com.centurylinklabs.watchtower.enable=true"
--- a/project/infrastructure/syncthing/syncthing.yml
+++ b/project/infrastructure/syncthing/syncthing.yml
@@ -12,6 +12,9 @@ services:
      - 22000:22000/tcp # TCP file transfers
      - 22000:22000/udp # QUIC file transfers
      - 21027:21027/udp # Receive local discovery broadcasts
    networks: 
      - ip4net
      - ip6net
    labels:
      # Watchtower
      - "com.centurylinklabs.watchtower.enable=true"
--- a/project/infrastructure/traefik/traefik.yml
+++ b/project/infrastructure/traefik/traefik.yml
@@ -9,16 +9,22 @@ services:
      - "80:80"
      - "443:443"
      - "8079:8080"
    networks:
      - ip6net
      - ip4net
    environment:
      TRAEFIK_LOCAL_DOMAIN: ${LOCAL_DOMAIN}
      TRAEFIK_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN}
      TRAEFIK_AUTH_PUBLIC_DOMAIN: auth.${PUBLIC_DOMAIN}
      TRAEFIK_CROWDSEC_API_KEY: ${CROWDSEC_API_KEY}
    volumes:
      - "/var/log/crowdsec/:/var/log/crowdsec/"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "${INFRA_PATH}/traefik/letsencrypt:/letsencrypt"
      - "${INFRA_PATH}/traefik/config:/etc/traefik"
      - "${INFRA_PATH}/traefik/certs:/etc/certs"
      - "${INFRA_PATH}/traefik/html/ban.html:/ban.html"
      - "${INFRA_PATH}/traefik/html/captcha.html:/captcha.html"
    labels:
      # Watchtower
      - "com.centurylinklabs.watchtower.enable=true"
@@ -35,6 +41,8 @@ services:
      service: default
    image: traefik/whoami:latest
    container_name: "traefik-whoami"
    networks: 
      - ip4net
    labels:
      # Watchtower
      - "com.centurylinklabs.watchtower.enable=true"
--- a/project/infrastructure/uptime-kuma/uptime-kuma.yml
+++ b/project/infrastructure/uptime-kuma/uptime-kuma.yml
@@ -1,14 +1,24 @@
 services:
  uptime-kuma:
-    extends:
+    # not using the template because ncsd is not configured to support changing PUID/PGID
-      file: ${TEMPLATES_PATH}
+    # https://github.com/louislam/uptime-kuma/issues/4743
-      service: default
+    # extends:
    #   file: ${TEMPLATES_PATH}
    #   service: default
    image: louislam/uptime-kuma:latest
    container_name: uptime-kuma
    restart: unless-stopped
    security_opt:
      - no-new-privileges=true
    environment:
      TZ: ${TZ}
    volumes:
      - ${INFRA_PATH}/uptime-kuma/config:/app/data
    ports:
      - 5001:3001
    networks:
      - ip4net
      - ip6net
    labels:
      # Watchtower
      - "com.centurylinklabs.watchtower.enable=true"
--- a/project/infrastructure/watchtower/watchtower.yml
+++ b/project/infrastructure/watchtower/watchtower.yml
@@ -16,6 +16,8 @@ services:
      - WATCHTOWER_HTTP_API_PERIODIC_POLLS=true
    ports:
      - 7999:8080
    networks:
      - ip4net
    volumes:
      # - ${INFRA_PATH}/watchtower/config:/config.json
      - /var/run/docker.sock:/var/run/docker.sock
--- a/project/media/audiobookshelf/audiobookshelf.yml
+++ b/project/media/audiobookshelf/audiobookshelf.yml
@@ -7,6 +7,8 @@ services:
    container_name: audiobookshelf
    ports:
      - 13378:80
    networks:
      - ip6net
    volumes:
      # - ${AUDIOBOOKSHELF_EXTERNAL_PATH}/audiobooks:/audiobooks
      # - ${AUDIOBOOKSHELF_EXTERNAL_PATH}/podcasts:/podcasts
@@ -23,4 +25,4 @@ services:
      - "traefik.http.routers.audiobookshelf.tls.certresolver=myresolver"
      - 'traefik.http.routers.audiobookshelf.tls=true'
      # Middlewares
-      - "traefik.http.routers.audiobookshelf.middlewares=crowdsec-bouncer@file"
+      # - "traefik.http.routers.audiobookshelf.middlewares=crowdsec-bouncer@file"
--- a/project/media/immich/immich.yml
+++ b/project/media/immich/immich.yml
@@ -5,7 +5,6 @@ services:
      service: default
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:release
    command: [ "start.sh", "immich" ]
    environment:
      DB_PASSWORD: ${IMMICH_DB_PASSWORD}
      DB_HOSTNAME: postgres-with-pg-vector
@@ -18,6 +17,8 @@ services:
      - /etc/localtime:/etc/localtime:ro
    ports:
      - 2283:3001
    networks:
      - ip6net
    labels:
      # Watchtower
      - "com.centurylinklabs.watchtower.enable=true"
@@ -28,7 +29,7 @@ services:
      - "traefik.http.routers.immich-server.tls.certresolver=myresolver"
      - 'traefik.http.routers.immich-server.tls=true'
      # Middlewares
-      - "traefik.http.routers.immich-server.middlewares=crowdsec-bouncer@file"
+      # - "traefik.http.routers.immich-server.middlewares=crowdsec-bouncer@file"
  immich-microservices:
    extends:
@@ -43,6 +44,8 @@ services:
      DB_USERNAME: immich
      DB_DATABASE_NAME: immich
      REDIS_HOSTNAME: redis
    networks:
      - ip6net
    volumes:
      - ${IMMICH_EXTERNAL_PATH}:/usr/src/app/external
      - ${MEDIA_PATH}/immich/data/library:/usr/src/app/upload
--- a/project/media/prowlarr/prowlarr.yml
+++ b/project/media/prowlarr/prowlarr.yml
@@ -6,7 +6,9 @@ services:
    image: lscr.io/linuxserver/prowlarr:develop
    container_name: prowlarr
    ports:
-    - 2004:9696
+      - 2004:9696
    networks:
      - ip4net
    volumes:
      - ${MEDIA_PATH}/prowlarr/config:/config
    labels:
--- a/project/media/qbittorrent/qbittorrent.yml
+++ b/project/media/qbittorrent/qbittorrent.yml
@@ -9,6 +9,8 @@ services:
      - 2002:2002
      - 6881:6881
      - 6881:6881/udp
    networks:
      - ip4net
    environment:
      - WEBUI_PORT=2002
      - TORRENTING_PORT=6881
--- a/project/media/readarr/readarr.yml
+++ b/project/media/readarr/readarr.yml
@@ -6,7 +6,9 @@ services:
    image: lscr.io/linuxserver/readarr:develop
    container_name: readarr
    ports:
-    - 2003:8787
+      - 2003:8787
    networks:
      - ip4net
    volumes:
      - ${MEDIA_PATH}/readarr/config:/config
      - ${MEDIA_PATH}/data:/data
--- a/project/monitoring/dozzle/dozzle.yml
+++ b/project/monitoring/dozzle/dozzle.yml
@@ -7,6 +7,8 @@ services:
    image: amir20/dozzle:latest
    ports:
      - 8083:8080
    networks: 
      - ip4net
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
--- a/project/monitoring/grafana/grafana.yml
+++ b/project/monitoring/grafana/grafana.yml
@@ -7,6 +7,8 @@ services:
    image: grafana/grafana-oss:latest
    ports:
      - 8090:3000
    networks:
      - ip4net
    volumes:
      - ${MONITORING_PATH}/grafana/data:/var/lib/grafana
    labels:
--- a/project/monitoring/prometheus/prometheus.yml
+++ b/project/monitoring/prometheus/prometheus.yml
@@ -7,6 +7,8 @@ services:
    image: prom/prometheus:latest
    ports:
      - 9090:9090
    networks:
      - ip4net
    volumes:
      - ${MONITORING_PATH}/prometheus/config:/etc/prometheus
    labels:
--- a/project/service/freshrss/freshrss.yml
+++ b/project/service/freshrss/freshrss.yml
@@ -7,6 +7,8 @@ services:
    container_name: freshrss
    ports:
      - 4014:80
    networks:
      - ip4net
    volumes:
      - ${SERVICE_PATH}/freshrss/data:/var/www/FreshRSS/data
      - ${SERVICE_PATH}/freshrss/extensions:/var/www/FreshRSS/extensions
--- a/project/service/gitea/gitea.yml
+++ b/project/service/gitea/gitea.yml
@@ -32,6 +32,8 @@ services:
      - /etc/localtime:/etc/localtime:ro
    ports:
      - 2001:22
    networks:
      - ip6net
    expose:
      - 4002
    labels:
@@ -45,6 +47,5 @@ services:
      - "traefik.http.routers.gitea.tls=true"
      - "traefik.http.routers.gitea.service=gitea-service"
      - "traefik.http.services.gitea-service.loadbalancer.server.port=4002"
      # Middlewares
-      - "traefik.http.routers.gitea.middlewares=crowdsec-bouncer@file"
+      # - "traefik.http.routers.gitea.middlewares=crowdsec-bouncer@file"
--- a/project/service/home-assistant/home-assistant.yml
+++ b/project/service/home-assistant/home-assistant.yml
@@ -5,8 +5,10 @@ services:
      service: default
    image: ghcr.io/home-assistant/home-assistant:stable
    container_name: home-assistant
    networks:
      - ip4net
    ports:
-      - 4012:8123
+      - 4012:8123  
    volumes:
      - ${SERVICE_PATH}/home-assistant/config:/config
      - /etc/localtime:/etc/localtime:ro
--- a/project/service/it-tools/it-tools.yml
+++ b/project/service/it-tools/it-tools.yml
@@ -7,6 +7,8 @@ services:
    container_name: it-tools
    ports:
      - '4007:80'
    networks:
      - ip4net
    labels:
      # Watchtower
      - "com.centurylinklabs.watchtower.enable=true"
--- a/project/service/jupyter-notebook/jupyter-notebook.yml
+++ b/project/service/jupyter-notebook/jupyter-notebook.yml
@@ -9,6 +9,8 @@ services:
      - ${SERVICE_PATH}/jupyter-notebook/data:/home/jovyan/work
    ports:
      - 4013:8888 # Web UI
    networks:
      - ip4net
    labels:
      # Watchtower
      - "com.centurylinklabs.watchtower.enable=true"
--- a/project/service/mealie/mealie.yml
+++ b/project/service/mealie/mealie.yml
@@ -7,6 +7,8 @@ services:
    container_name: mealie
    ports:
      - "4006:9000"
    networks:
      - ip6net
    volumes:
      - ${SERVICE_PATH}/mealie/data:/app/data/
    environment:
@@ -41,4 +43,4 @@ services:
      - "traefik.http.routers.mealie.tls.certresolver=myresolver"
      - "traefik.http.routers.mealie.tls=true"
      # Middlewares
-      - "traefik.http.routers.mealie.middlewares=crowdsec-bouncer@file"
+      # - "traefik.http.routers.mealie.middlewares=crowdsec-bouncer@file"
--- a/project/service/paperless-ngx/paperless-ngx.yml
+++ b/project/service/paperless-ngx/paperless-ngx.yml
@@ -7,6 +7,8 @@ services:
    container_name: paperless-ngx
    ports:
      - "4009:8000"
    networks:
      - ip4net
    volumes:
      - ${EXTERNAL_STORAGE}/paperless-ngx/data:/usr/src/paperless/data
      - ${EXTERNAL_STORAGE}/paperless-ngx/media:/usr/src/paperless/media
--- a/project/service/shlink/shlink.yml
+++ b/project/service/shlink/shlink.yml
@@ -7,6 +7,8 @@ services:
    container_name: shlink-backend
    ports:
      - '4004:8080'
    networks:
      - ip6net
    volumes:
      - ${SERVICE_PATH}/shlink/data:/usr/share/tesseract-ocr/4.00/tessdata #Required for extra OCR languages
      - ${SERVICE_PATH}/shlink/config:/configs
@@ -41,6 +43,8 @@ services:
    container_name: shlink-frontend
    ports:
      - '4005:8080'
    networks: 
      - ip6net
    environment:
      SHLINK_SERVER_URL: https://shlink.${PUBLIC_DOMAIN}
      SHLINK_SERVER_API_KEY: ${SHLINK_SERVER_API_KEY}
--- a/project/service/sponsorblock/sponsorblock.yml
+++ b/project/service/sponsorblock/sponsorblock.yml
@@ -5,5 +5,7 @@ services:
      service: default
    image: ghcr.io/dmunozv04/isponsorblocktv
    container_name: sponsorblock
    networks:
      - ip4net
    volumes:
    - ${SERVICE_PATH}/sponsorblock/data:/app/data
--- a/project/service/stirling-pdf/stirling-pdf.yml
+++ b/project/service/stirling-pdf/stirling-pdf.yml
@@ -7,10 +7,12 @@ services:
    container_name: stirling-pdf
    ports:
      - '4003:8080'
    networks:
      - ip6net
    volumes:
      - ${SERVICE_PATH}/stirling-pdf/data:/usr/share/tesseract-ocr/4.00/tessdata #Required for extra OCR languages
      - ${SERVICE_PATH}/stirling-pdf/config:/configs
-#      - /location/of/customFiles:/customFiles/
+    #  - /location/of/customFiles:/customFiles/
    labels:
      # Watchtower
      - "com.centurylinklabs.watchtower.enable=true"
@@ -21,4 +23,5 @@ services:
      - "traefik.http.routers.stirling-pdf.tls.certresolver=myresolver"
      - "traefik.http.routers.stirling-pdf.tls=true"
      # Middlewares
-      - "traefik.http.routers.stirling-pdf.middlewares=crowdsec-bouncer@file,authelia@file"
+      # - "traefik.http.routers.stirling-pdf.middlewares=crowdsec-bouncer@file, authelia@file"
      - "traefik.http.routers.stirling-pdf.middlewares=authelia@file"
--- a/project/service/vikunja/vikunja.yml
+++ b/project/service/vikunja/vikunja.yml
@@ -17,6 +17,8 @@ services:
      VIKUNJA_DATABASE_DATABASE: vikunja
      VIKUNJA_SERVICE_JWTSECRET: /run/secrets/vikunja_jwt_secret
      VIKUNJA_SERVICE_PUBLICURL: https://vikunja.${PUBLIC_DOMAIN}
    networks:
      - ip6net
    volumes: 
      - ${SERVICE_PATH}/vikunja/data:/app/vikunja/files
      - ${SERVICE_PATH}/vikunja/config:/etc/vikunja
@@ -30,4 +32,4 @@ services:
      - "traefik.http.routers.vikunja.tls.certresolver=myresolver"
      - 'traefik.http.routers.vikunja.tls=true'
      # Middlewares
-      - "traefik.http.routers.vikunja.middlewares=crowdsec-bouncer@file"
+      # - "traefik.http.routers.vikunja.middlewares=crowdsec-bouncer@file"