├── .env.example ├── CHANGELOG.md ├── LICENSE ├── README.md ├── appdata └── traefik2 │ └── rules │ ├── app-pihole.yml │ ├── app-readsb.yml │ ├── middlewares-chains.yml │ ├── middlewares.yml │ └── tls-opts.yml ├── dhcp-helper └── Dockerfile └── docker-compose.yml /.env.example: -------------------------------------------------------------------------------- 1 | #### Comment out or delete any unused entries 2 | 3 | #### BELOW ARE SOME OF THE VARIABLES USED IN docker-compose.yml 4 | 5 | ##### PORTS 6 | 7 | PORTAINER_PORT=9000 8 | PHPMYADMIN_PORT=9001 9 | #INFLUXDB_PORT= 10 | JACKETT_PORT=9002 11 | #NZBHYDRA_PORT= 12 | #LIDARR_PORT= 13 | #If you change radarr and sonarr port then update plex meta agent 14 | RADARR_PORT=9003 15 | SONARR_PORT=9004 16 | #JDOWNLOADER_PORT= 17 | #SABNZBD_PORT= 18 | #QBITTORRENT_PORT=9005 19 | #TRANSMISSION_PORT= 20 | PLEX_PORT=32400 21 | #PLEX_WEB_TOOLS_PORT= 22 | #EMBY_PORT= 23 | #BAZARR_PORT= 24 | TAUTULLI_PORT=9006 25 | PIWIGO_PORT=9007 26 | #APCUPSD_PORT= 27 | #GUACAMOLE_PORT= 28 | #IPVANISH_REMOTE_SERVER= 29 | #IPVANISH_PROXY_PORT= 30 | #JDOWNLOADER_PORT= 31 | 32 | ##### SYSTEM 33 | 34 | PUID=1000 35 | PGID=999 36 | TZ=America/Phoenix 37 | USERDIR=/home/ 38 | SERVER_IP= 39 | #PIHOLE_IP= 40 | PIHOLE_TRAEFIK_IP= 41 | #LOCAL_NETWORK= 42 | 43 | ##### DOMAIN 44 | 45 | DOMAINNAME= #external name 46 | CLOUDFLARE_EMAIL= 47 | CLOUDFLARE_API_KEY= 48 | #DUCKDNS_TOKEN= 49 | 50 | ##### DATABASE 51 | 52 | DB_HOST=mariadb 53 | DB_PORT=3306 54 | MYSQL_ROOT_PASSWORD= 55 | 56 | ##### SECURITY AND PRIVACY 57 | 58 | #IPVANISH_USERNAME= 59 | #IPVANISH_PASSWORD= 60 | #HTTP_USERNAME= 61 | #HTTP_PASSWORD= 62 | GOOGLE_CLIENT_ID= 63 | GOOGLE_CLIENT_SECRET= 64 | OAUTH_SECRET= 65 | 66 | ##### NOTIFICATIONS 67 | 68 | #TGRAM_BOT_TOKEN= 69 | #TGRAM_CHAT_ID= 70 | MY_EMAIL= 71 | 72 | ##### APPS 73 | 74 | #JDOWN_VNC_PASSWD= 75 | #HANDBRAKE_VNC_PASSWD= 76 | #FIREFOX_VNC_PASSWD= 77 | #FILEBOT_VNC_PASSWD= 78 | #QDIRSTAT_VNC_PASSWD= 79 | #MKVTOOLNIX_VNC_PASSWD= 80 | 
#MAKEMKV_VNC_PASSWD= 81 | #GUAC_MYSQL_USER= 82 | #GUAC_MYSQL_PASSWORD= 83 | #TRANSMISSION_RPC_PASSWORD= 84 | #TRANSMISSION_RPC_USERNAME= 85 | #PIHOLE_WEBPASSWORD= 86 | 87 | ##### PLEX 88 | 89 | PLEX_CLAIM= 90 | #SYN_PLEX=ACCESS-TOKEN@PLEX_SERVER_IP 91 | #NUC_PLEX=ACCESS-TOKEN@PLEX_SERVER_IP 92 | # Plex libraries section id. Remember to change the numbers below to reflect your library. Add more as needed. 93 | # ALWAYS DO A DRY RUN TO VERIFY BEFORE SYNCING 94 | #SYN_PLEX_HOLLYWOOD=1 95 | #NUC_PLEX_HOLLYWOOD=2 96 | #SYN_PLEX_TVSHOWS=2 97 | #NUC_PLEX_TVSHOWS=16 98 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | ## Planned: 3 | * Find a photo organizer that supports HEIC. 4 | 5 | ## October 5, 2020 6 | * Updated readme with missing steps. 7 | ## September 10, 2020 8 | * Switched to authelia, removed google auth 9 | * Added Secrets 10 | * Added Guacamole 11 | * Added Cloudflare Companion 12 | * Added Cloudflare DDNS 13 | ## April 23, 2020 14 | * Added a section for qbittorrent with vpn built into the same container 15 | * Added configuration for Jackett to use VPN 16 | ## April 22, 2020 17 | * Cleaned up Pihole traefik2 labels 18 | * Enabled CloudFlared for PiHole 19 | * Added Dark Theme for PiHole 20 | ## April 17, 2020 21 | * Issues with Pihole not able to whitelist domains. Removed security_opt: no-new-privileges:true 22 | ## April 14, 2020 23 | * Updated README.md with a better walkthrough guide. 24 | * Fixed directory from /$USERDIR/docker to /$USERDIR/docker-HTPC 25 | * Glances - moved glances.conf to glances/glances.conf 26 | * Pihole - add instruction to `touch pihole/pihhole.log` before running the pihole container, as otherwise pihole does not start properly 27 | * CloudFlared - changed dns to default 1.1.1.1 and 1.0.0.1 instead of 1.1.1.2 and 1.0.0.2 as they don't work.
28 | ## April 9, 2020 29 | * Fixed missing traefik2\rules folder and files 30 | * Fixed Google Auth for traefik dashboard 31 | * Added info to add darkmode for Pihole Dashboard in readme 32 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | This is free and unencumbered software released into the public domain. 2 | 3 | Anyone is free to copy, modify, publish, use, compile, sell, or 4 | distribute this software, either in source code form or as a compiled 5 | binary, for any purpose, commercial or non-commercial, and by any 6 | means. 7 | 8 | In jurisdictions that recognize copyright laws, the author or authors 9 | of this software dedicate any and all copyright interest in the 10 | software to the public domain. We make this dedication for the benefit 11 | of the public at large and to the detriment of our heirs and 12 | successors. We intend this dedication to be an overt act of 13 | relinquishment in perpetuity of all present and future rights to this 14 | software under copyright law. 15 | 16 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 17 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 18 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 19 | IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR 20 | OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, 21 | ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR 22 | OTHER DEALINGS IN THE SOFTWARE.
23 | 24 | For more information, please refer to 25 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # **Docker HTPC** 2 | 3 | ## This is built on Ubuntu 4 | The following containers are in the docker-compose-t2.yml file 5 | 6 | #### FRONTENDS 7 | 8 | * Traefik V2 - used for reverse proxy 9 | * Authelia - private forward auth with DUO push 10 | * Portainer - Web GUI to manage docker stacks/containers/images/networks 11 | * Heimdall - for having all mgmt urls in one place 12 | 13 | #### DATABASE 14 | 15 | * MariaDB - DB for some of the containers 16 | * phpMyAdmin - Manage MariaDB 17 | 18 | #### DOWNLOADERS 19 | 20 | * qBittorrent - torrent downloader 21 | 22 | #### INDEXERS 23 | * Jackett - Torrent Proxy 24 | 25 | #### PVRS 26 | * Radarr - Movie Management 27 | * Sonarr - TV Shows Management 28 | 29 | #### MEDIA SERVER 30 | * Plex - Media Server 31 | * Tautulli - Plex stats and monitoring 32 | * Piwigo - Photo album 33 | 34 | #### SYSTEM 35 | 36 | * Firefox - web browser 37 | * Glances - system monitor 38 | * PiHole - ad blocker 39 | * dhcphelper - used with pihole to allow for dhcp 40 | 41 | #### MAINTENANCE 42 | 43 | * Ouroboros - Automatic Docker Container Updates 44 | * Docker-GC - Automatic Docker Garbage Collection 45 | 46 | ## Usage 47 | 48 | ### Installation 49 | Install Ubuntu, Docker and Docker Compose 50 | 51 | ### Docker Install 52 | * `sudo apt-get install apt-transport-https ca-certificates curl software-properties-common` 53 | * `curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -` 54 | * `sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"` 55 | * `sudo apt update` 56 | * `sudo apt install docker-ce` 57 | * `sudo docker run hello-world` To test docker 58 | * `sudo useradd -m username` optional to create a different user 59 | * `sudo 
passwd username` to set password 60 | * `sudo usermod -aG docker ${USER}` to assign to docker group 61 | 62 | ### Clone the repo. 63 | 1. Create .env file for environment variables, make sure to change USER to your username 64 | * `mv $USERDIR/docker-HTPC/.env.example $USERDIR/docker-HTPC/.env` 65 | * edit the variables to your liking, comment out ones you don't need and vice versa 66 | 2. Create files for Traefik 67 | * mkdir $USERDIR/docker-HTPC/traefik2/ 68 | * mkdir $USERDIR/docker-HTPC/traefik2/acme 69 | * touch $USERDIR/docker-HTPC/traefik2/acme/acme.json 70 | * chmod 600 $USERDIR/docker-HTPC/traefik2/acme/acme.json 71 | * touch $USERDIR/docker-HTPC/traefik2/traefik.log 72 | * For providers other than Cloudflare, [check here](https://docs.traefik.io/v2.0/https/acme/#providers). 73 | 74 | 3. You will have to put your sensitive information in files. Create folder/files for Docker Secrets 75 | * mkdir $USERDIR/docker-HTPC/secrets 76 | * chmod 600 $USERDIR/docker-HTPC/secrets (note: on a directory, 600 removes the execute bit needed to enter it; 700 is the usual mode for the folder itself, with 600 on the credential files inside it) 77 | * sudo su 78 | * cd $USERDIR/docker-HTPC/secrets 79 | * create one file per credential or API key that you want to use (the file names must match the `secrets:` entries in docker-compose.yml). I have created the following files and entered the corresponding info: 80 | * authelia_duo_api_secret_key 81 | * authelia_jwt_secret 82 | * authelia_notifier_smtp_password 83 | * authelia_session_secret 84 | * authelia_storage_mysql_password 85 | * cloudflare_api_key 86 | * cloudflare_email 87 | * cloudflare_zoneid 88 | * google_client_id 89 | * google_client_secret 90 | * guac_db_name 91 | * guac_mysql_password 92 | * guac_mysql_user 93 | * my_email 94 | * mysql_root_password 95 | * oauth_secret 96 | * plex_claim 97 | * RADARR_API_KEY 98 | 99 | 4. (Optional) Enable or use HTTP Basic Authentication by renaming `shared\.htpasswd.example` to `shared\.htpasswd` in the folder and adding username and hashed password to it. 100 | 5. Configure environment variables (`.env` file) 101 | * Rename the included `.env.example` to `.env`. 
102 | * Edit variables in `.env` file. 103 | * All variables (ie. `${XXX}`) in docker-compose.yml come from `.env` file stored in the same place as docker-compose.yml. 104 | * Ensure good permissions for the `.env` file (recommended: 640). 105 | 6. Edit `docker-compose-t2.yml` to include only the services you want or add additional services to it. 106 | 7. If using pihole ensure you create the files indicated below for dhcphelper, also if you have host DNS issues read below to troubleshoot/fix 107 | 8. Start your docker stack "docker-compose -f docker-compose-t2.yml up -d" 108 | 109 | ### Configuration Files: 110 | #### Environment 111 | 112 | Configure .env with the variables. see .env.example 113 | Use .env file now for variables instead of /etc/environment 114 | 115 | #### DHCP-Helper for use with PiHole 116 | 117 | 1. Create folder dhcp-helper under ~/docker 118 | 2. Create file Dockerfile in ~/docker-HTPC/dhcp-helper 119 | 3. Add: 120 | 121 | `FROM alpine:latest` 122 | `RUN apk --no-cache add dhcp-helper` 123 | `EXPOSE 67 67/udp` 124 | `ENTRYPOINT ["dhcp-helper", "-n"]` 125 | 126 | 127 | ## HOW TO FIX HOST DNS ISSUES 128 | 129 | #### disable systemd-resolved service. 
130 | sudo systemctl disable systemd-resolved.service 131 | 132 | #### Stop the service 133 | sudo systemctl stop systemd-resolved.service 134 | 135 | ##### Then, remove the link to /run/systemd/resolve/stub-resolv.conf in /etc/resolv.conf 136 | sudo rm /etc/resolv.conf 137 | 138 | #### Add a manually created resolv.conf in /etc/ 139 | sudo vim /etc/resolv.conf 140 | 141 | #### Add your prefered DNS server there 142 | nameserver 143 | -------------------------------------------------------------------------------- /appdata/traefik2/rules/app-pihole.yml: -------------------------------------------------------------------------------- 1 | http: 2 | routers: 3 | pihole-rtr: 4 | rule: "Host(`pihole.adamradloff.com`)" 5 | entryPoints: 6 | - https 7 | middlewares: 8 | - chain-authelia 9 | - pihole-add-admin 10 | service: pihole-svc 11 | tls: 12 | certResolver: dns-cloudflare 13 | middlewares: 14 | pihole-add-admin: 15 | addPrefix: 16 | prefix: "/admin" 17 | services: 18 | pihole-svc: 19 | loadBalancer: 20 | servers: 21 | - url: "http://172.16.0.2:80" # or whatever your external host's IP:port is 22 | -------------------------------------------------------------------------------- /appdata/traefik2/rules/app-readsb.yml: -------------------------------------------------------------------------------- 1 | http: 2 | routers: 3 | readsb-rtr: 4 | rule: "Host(`readsb.adamradloff.com`)" 5 | entryPoints: 6 | - https 7 | middlewares: 8 | - chain-authelia 9 | service: readsb-svc 10 | tls: 11 | certResolver: dns-cloudflare 12 | services: 13 | readsb-svc: 14 | loadBalancer: 15 | servers: 16 | - url: "http://10.100.255.218:8080" # or whatever your external host's IP:port is 17 | -------------------------------------------------------------------------------- /appdata/traefik2/rules/middlewares-chains.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-no-auth: 4 | chain: 5 | middlewares: 6 | - 
middlewares-rate-limit 7 | - middlewares-https-redirectscheme 8 | - middlewares-secure-headers 9 | - middlewares-compress 10 | chain-basic-auth: 11 | chain: 12 | middlewares: 13 | - middlewares-rate-limit 14 | - middlewares-https-redirectscheme 15 | - middlewares-secure-headers 16 | - middlewares-basic-auth 17 | - middlewares-compress 18 | 19 | chain-oauth: 20 | chain: 21 | middlewares: 22 | - middlewares-rate-limit 23 | - middlewares-https-redirectscheme 24 | - middlewares-secure-headers 25 | - middlewares-oauth 26 | - middlewares-compress 27 | 28 | chain-oauth-external: 29 | chain: 30 | middlewares: 31 | - middlewares-rate-limit 32 | - middlewares-https-redirectscheme 33 | - middlewares-secure-headers 34 | - middlewares-oauth-external 35 | - middlewares-compress 36 | 37 | chain-authelia: 38 | chain: 39 | middlewares: 40 | - middlewares-rate-limit 41 | - middlewares-https-redirectscheme 42 | - middlewares-secure-headers 43 | - middlewares-authelia 44 | - middlewares-compress 45 | chain-vrs-no-auth: 46 | chain: 47 | middlewares: 48 | - middlewares-rate-limit 49 | - middlewares-https-redirectscheme 50 | - middlewares-vrs-headers 51 | - middlewares-compress 52 | -------------------------------------------------------------------------------- /appdata/traefik2/rules/middlewares.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-basic-auth: 4 | basicAuth: 5 | # users: 6 | # - "user:$apsdfs.$EntPC0w3FtswWvC/6fTVJ7IUVtX1" 7 | usersFile: "/shared/.htpasswd" #be sure to mount the volume through docker-compose.yml 8 | realm: "Traefik 2 Basic Auth" 9 | 10 | middlewares-rate-limit: 11 | rateLimit: 12 | average: 500 13 | burst: 1000 14 | 15 | middlewares-https-redirectscheme: 16 | redirectscheme: 17 | scheme: https 18 | permanent: true 19 | 20 | middlewares-secure-headers: 21 | headers: 22 | accessControlAllowMethods: 23 | - GET 24 | - OPTIONS 25 | - PUT 26 | accessControlMaxAge: 100 27 | 
hostsProxyHeaders: 28 | - "X-Forwarded-Host" 29 | #sslRedirect: true 30 | stsSeconds: 63072000 31 | stsIncludeSubdomains: true 32 | stsPreload: true 33 | forceSTSHeader: true 34 | # frameDeny: true #overwritten by customFrameOptionsValue 35 | customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME"}}" #CSP (frame-ancestors) would take care of this, but the contentSecurityPolicy line below is commented out and current browsers ignore ALLOW-FROM, so this adds little clickjacking protection on its own; may still be needed for organizr. 36 | contentTypeNosniff: true 37 | browserXssFilter: true 38 | # sslForceHost: true # add sslHost to all of the services 39 | # sslHost: "example.com" 40 | referrerPolicy: "same-origin" 41 | # Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk. 42 | # the below line also breaks some apps due to 'none' - sonarr, radarr, etc. 43 | # contentSecurityPolicy: "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';" 44 | # Line below, featurePolicy, was deprecated in v2.5.x in favor of permissionsPolicy 45 | # featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';" 46 | permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=()" 47 | customResponseHeaders: 48 | X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex," 49 | server: "" 50 | 51 | middlewares-oauth: 52 | forwardAuth: 53 | address: "http://oauth:4181" # Make sure you have the OAuth service in docker-compose.yml 54 | trustForwardHeader: true # safe only because the https entrypoint limits forwardedHeaders.trustedIPs in docker-compose.yml; without that, clients could supply their own X-Forwarded-* headers to the auth backend 55 | authResponseHeaders: 56 | - "X-Forwarded-User" 57 | 58 | middlewares-authelia: 59 | forwardAuth: 60 | address: "http://authelia:9091/api/verify?rd=https://authelia.{{env "DOMAINNAME"}}" 61 | trustForwardHeader: true # same caveat as middlewares-oauth above: relies on forwardedHeaders.trustedIPs being set on the https entrypoint 62 | authResponseHeaders: 63 | - "Remote-User" 64 | - "Remote-Groups" 65 | 66 | middlewares-compress: 67 | compress: 68 | excludedContentTypes: 69 | - text/javascript 70 | 71 | # https://stackoverflow.com/questions/49717670/how-to-config-upload-body-size-restriction-in-traefik 72 | middlewares-buffering: 73 | buffering: 74 | maxResponseBodyBytes: 2000000 
75 | maxRequestBodyBytes: 10485760 76 | memRequestBodyBytes: 2097152 77 | memResponseBodyBytes: 2097152 78 | retryExpression: "IsNetworkError() && Attempts() <= 2" 79 | 80 | middlewares-vrs-headers: 81 | headers: 82 | accessControlAllowMethods: 83 | - GET 84 | - OPTIONS 85 | - PUT 86 | accessControlMaxAge: 100 87 | hostsProxyHeaders: 88 | - "X-Forwarded-Host" 89 | #sslRedirect: true 90 | stsSeconds: 63072000 91 | stsIncludeSubdomains: true 92 | stsPreload: true 93 | forceSTSHeader: true 94 | # frameDeny: true #overwritten by customFrameOptionsValue 95 | customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME"}}" #CSP takes care of this but may be needed for organizr. 96 | #contentTypeNosniff: true 97 | browserXssFilter: true 98 | # sslForceHost: true # add sslHost to all of the services 99 | # sslHost: "example.com" 100 | referrerPolicy: "same-origin" 101 | # Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk. 102 | # the below line also breaks some apps due to 'none' - sonarr, radarr, etc. 
103 | # contentSecurityPolicy: "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';" 104 | # Line below, featurePolicy, was deprecated in v2.5.x in favor permissionPolicy 105 | # featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';" 106 | permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=()" 107 | customResponseHeaders: 108 | X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex," 109 | server: "" 110 | -------------------------------------------------------------------------------- /appdata/traefik2/rules/tls-opts.yml: -------------------------------------------------------------------------------- 1 | tls: 2 | options: 3 | tls-opts: 4 | minVersion: VersionTLS12 5 | cipherSuites: 6 | - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 7 | - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 8 | - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 9 | - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 10 | - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 11 | - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 12 | - TLS_AES_128_GCM_SHA256 13 | - TLS_AES_256_GCM_SHA384 14 | - TLS_CHACHA20_POLY1305_SHA256 15 | - TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507 16 | curvePreferences: 17 | - CurveP521 18 | - CurveP384 19 | sniStrict: true 20 | -------------------------------------------------------------------------------- /dhcp-helper/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM alpine:latest 2 | RUN apk --no-cache add dhcp-helper 3 | EXPOSE 67 67/udp 4 | ENTRYPOINT ["dhcp-helper", "-n"] 5 | 6 | -------------------------------------------------------------------------------- /docker-compose.yml: -------------------------------------------------------------------------------- 1 | ######### IMPORTANT ############# 2 | # This is my main docker-compose file with most of the apps. I run docker on other systems with smaller stacks (web and synology). 
3 | # You can copy-paste services from one docker-compose file in this repo to another to add other apps. 4 | 5 | ########################### NETWORKS 6 | # There is no need to create any networks outside this docker-compose file. 7 | # You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please. 8 | # Docker Compose version 3.5 or higher required to define networks this way. 9 | 10 | networks: 11 | t2_proxy: 12 | name: t2_proxy 13 | driver: bridge 14 | ipam: 15 | config: 16 | - subnet: 192.168.90.0/24 17 | default: 18 | driver: bridge 19 | zsocket_proxy: 20 | name: zsocket_proxy 21 | driver: bridge 22 | ipam: 23 | config: 24 | - subnet: 192.168.91.0/24 25 | 26 | ########################### SECRETS 27 | secrets: 28 | htpasswd: 29 | file: $DOCKERDIR/secrets/htpasswd 30 | cf_email: 31 | file: $DOCKERDIR/secrets/cf_email 32 | cf_api_key: 33 | file: $DOCKERDIR/secrets/cf_api_key 34 | cf_token: 35 | file: $DOCKERDIR/secrets/cf_token 36 | traefik_forward_auth: 37 | file: $DOCKERDIR/secrets/traefik_forward_auth 38 | authelia_jwt_secret: 39 | file: $DOCKERDIR/secrets/authelia_jwt_secret 40 | authelia_session_secret: 41 | file: $DOCKERDIR/secrets/authelia_session_secret 42 | authelia_storage_mysql_password: 43 | file: $DOCKERDIR/secrets/authelia_storage_mysql_password 44 | authelia_notifier_smtp_password: 45 | file: $DOCKERDIR/secrets/authelia_notifier_smtp_password 46 | authelia_duo_api_secret_key: 47 | file: $DOCKERDIR/secrets/authelia_duo_api_secret_key 48 | authelia_storage_encryption_key: 49 | file: $DOCKERDIR/secrets/authelia_storage_encryption_key 50 | guac_db_name: 51 | file: $DOCKERDIR/secrets/guac_db_name 52 | guac_mysql_user: 53 | file: $DOCKERDIR/secrets/guac_mysql_user 54 | guac_mysql_password: 55 | file: $DOCKERDIR/secrets/guac_mysql_password 56 | mysql_root_password: 57 | file: $DOCKERDIR/secrets/mysql_root_password 58 | my_email: 59 | file: $DOCKERDIR/secrets/my_email 60 | plex_claim: 61 | file: $DOCKERDIR/secrets/plex_claim 62 | 
63 | ########################### EXTENSION FIELDS 64 | # Helps eliminate repetition of sections 65 | # More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228 66 | 67 | # Common environment values 68 | x-environment: &default-tz-puid-pgid 69 | TZ: $TZ 70 | PUID: $PUID 71 | PGID: $PGID 72 | 73 | # Keys common to some of the services in basic-services.txt 74 | x-common-keys-core: &common-keys-core 75 | networks: 76 | - t2_proxy 77 | security_opt: 78 | - no-new-privileges:true 79 | restart: always 80 | profiles: 81 | - core 82 | 83 | x-common-keys-monitoring: &common-keys-monitoring 84 | networks: 85 | - t2_proxy 86 | security_opt: 87 | - no-new-privileges:true 88 | restart: always 89 | profiles: 90 | - monitoring 91 | 92 | # Keys common to some of the dependent services/apps 93 | x-common-keys-apps: &common-keys-apps 94 | networks: 95 | - t2_proxy 96 | security_opt: 97 | - no-new-privileges:true 98 | restart: unless-stopped 99 | profiles: 100 | - apps 101 | # Keys common to some of the services in media-services.txt 102 | x-common-keys-media: &common-keys-media 103 | networks: 104 | - t2_proxy 105 | security_opt: 106 | - no-new-privileges:true 107 | restart: "no" 108 | profiles: 109 | - media 110 | # Keys common to some of the services in ADS-B-services.txt 111 | x-common-keys-adsb: &common-keys-adsb 112 | networks: 113 | - t2_proxy 114 | security_opt: 115 | - no-new-privileges:true 116 | restart: "no" 117 | profiles: 118 | - adsb 119 | ########################### SERVICES 120 | services: 121 | ############################# FRONTENDS 122 | 123 | # Traefik 2 - Reverse Proxy 124 | # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600. 
125 | # touch $DOCKERDIR/traefik2/acme/acme.json 126 | # chmod 600 $DOCKERDIR/traefik2/acme/acme.json 127 | # touch $DOCKERDIR/logs/traefik.log 128 | # touch $DOCKERDIR/logs/access.log 129 | 130 | traefik: 131 | <<: *common-keys-core # See EXTENSION FIELDS at the top 132 | container_name: traefik 133 | image: traefik:latest 134 | command: # CLI arguments 135 | - --global.checkNewVersion=true 136 | - --global.sendAnonymousUsage=true 137 | - --entryPoints.http.address=:80 138 | - --entryPoints.https.address=:443 139 | # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/ 140 | - --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS 141 | - --entryPoints.traefik.address=:8080 142 | - --api=true 143 | - --api.dashboard=true 144 | - --log=true 145 | - --log.level=INFO # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC 146 | - --accessLog=true 147 | - --accessLog.filePath=/logs/access.log 148 | - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines 149 | - --accessLog.filters.statusCodes=204-299,400-499,500-599 150 | - --providers.docker=true 151 | # - --providers.docker.endpoint=unix:///var/run/docker.sock # Use Docker Socket Proxy instead for improved security 152 | - --providers.docker.endpoint=tcp://socket-proxy:2375 153 | # Automatically set Host rule for services 154 | # - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`) 155 | - --providers.docker.exposedByDefault=false 156 | #- --providers.docker.disableStrictMIMETICheck=true 157 | - --entrypoints.https.http.tls.options=tls-opts@file 158 | # Add dns-cloudflare as default certresolver for all services. 
Also enables TLS, so there is no need to specify it on individual services 159 | - --entrypoints.https.http.tls.certresolver=dns-cloudflare 160 | - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME 161 | - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME 162 | - --providers.docker.network=t2_proxy 163 | - --providers.docker.swarmMode=false 164 | - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory 165 | # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file 166 | - --providers.file.watch=true # Only works on top level files in the rules folder 167 | # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing 168 | - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL 169 | - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json 170 | - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare 171 | - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53 172 | - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay the DNS check and reduce Let's Encrypt rate-limit hits 173 | - --serversTransport.insecureSkipVerify=true # disables TLS certificate verification for every HTTPS backend Traefik proxies to (global setting); only justified for self-signed services on the internal network 174 | networks: 175 | t2_proxy: 176 | ipv4_address: 192.168.90.254 # You can specify a static IP 177 | zsocket_proxy: 178 | ports: 179 | - target: 80 180 | published: 80 181 | protocol: tcp 182 | mode: host 183 | - target: 443 184 | published: 443 185 | protocol: tcp 186 | mode: host 187 | volumes: 188 | - $DOCKERDIR/appdata/traefik2/rules:/rules # file provider directory 189 | # - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy instead for improved security 190 | - $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600 191 | - $DOCKERDIR/logs/cloudserver/traefik:/logs 
# for fail2ban - make sure to touch file before starting container 192 | - $DOCKERDIR/shared:/shared 193 | environment: 194 | - TZ=$TZ 195 | - CF_API_EMAIL_FILE=/run/secrets/cf_email 196 | - CF_API_KEY_FILE=/run/secrets/cf_api_key 197 | - HTPASSWD_FILE=/run/secrets/htpasswd # HTPASSWD_FILE can be whatever as it is not used/called anywhere. 198 | - DOMAINNAME 199 | secrets: 200 | - cf_email 201 | - cf_api_key 202 | - htpasswd 203 | labels: 204 | - "traefik.enable=true" 205 | # HTTP-to-HTTPS Redirect 206 | - "traefik.http.routers.http-catchall.entrypoints=http" 207 | - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)" 208 | - "traefik.http.routers.http-catchall.middlewares=redirect-to-https" 209 | - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https" 210 | # HTTP Routers 211 | #- "traefik.http.routers.traefik-rtr.tls=true" 212 | - "traefik.http.routers.traefik-rtr.entrypoints=https" 213 | - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)" 214 | - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME" 215 | - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME" 216 | ## Services - API 217 | - "traefik.http.routers.traefik-rtr.service=api@internal" 218 | ## Middlewares 219 | - "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file" 220 | 221 | # Docker Socket Proxy - Security Enchanced Proxy for Docker Socket 222 | socket-proxy: 223 | <<: *common-keys-core 224 | container_name: socket-proxy 225 | image: tecnativa/docker-socket-proxy 226 | networks: 227 | zsocket_proxy: 228 | ipv4_address: 192.168.91.254 # You can specify a static IP 229 | #privileged: true 230 | volumes: 231 | - "/var/run/docker.sock:/var/run/docker.sock" 232 | environment: 233 | - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg 234 | ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.). 235 | # 0 to revoke access. 236 | # 1 to grant access. 
## Granted by Default 238 | - EVENTS=1 239 | - PING=1 240 | - VERSION=1 241 | ## Revoked by Default 242 | # Security critical 243 | - AUTH=0 244 | - SECRETS=0 245 | - POST=1 # write access to the API (create/start/stop containers) - presumably for Portainer, which is pointed at this proxy; the watchtower service below mounts the socket directly and does not go through this proxy 246 | # Not always needed 247 | - BUILD=0 248 | - COMMIT=0 249 | - CONFIGS=0 250 | - CONTAINERS=1 # Traefik, portainer, etc. 251 | - DISTRIBUTION=0 252 | - EXEC=0 253 | - IMAGES=1 # Portainer 254 | - INFO=1 # Portainer 255 | - NETWORKS=1 # Portainer 256 | - NODES=0 257 | - PLUGINS=0 258 | - SERVICES=1 # Portainer 259 | - SESSION=0 260 | - SWARM=0 261 | - SYSTEM=0 262 | - TASKS=1 # Portainer 263 | - VOLUMES=1 # Portainer 264 | 265 | #### Watchtower 266 | watchtower: 267 | container_name: watchtower 268 | image: containrrr/watchtower 269 | restart: always 270 | volumes: 271 | - /var/run/docker.sock:/var/run/docker.sock # unproxied socket access is root-equivalent on the host; Traefik and Portainer in this file go through socket-proxy instead 272 | environment: 273 | - TZ=$TZ 274 | - WATCHTOWER_CLEANUP=true 275 | - WATCHTOWER_INCLUDE_RESTARTING=true 276 | - WATCHTOWER_POLL_INTERVAL=36000 277 | #- WATCHTOWER_SCHEDULE=0 0 9 * * * 278 | #- WATCHTOWER_DEBUG=true 279 | 280 | #### AUTHENTICATION 281 | # Authelia (Lite) - Self-Hosted Single Sign-On and Two-Factor Authentication 282 | authelia: 283 | container_name: authelia 284 | # Check this before upgrading: https://github.com/authelia/authelia/blob/master/BREAKING.md 285 | image: authelia/authelia 286 | restart: always 287 | networks: 288 | - t2_proxy 289 | - default 290 | # ports: 291 | # - "9091:9091" 292 | volumes: 293 | - $DOCKERDIR/appdata/authelia:/config 294 | environment: 295 | - TZ=$TZ 296 | - AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret 297 | - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret 298 | - AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/run/secrets/authelia_storage_mysql_password 299 | #- AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/authelia_notifier_smtp_password 300 | - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/authelia_duo_api_secret_key 301 | #- 
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/authelia_storage_encryption_key 302 | #- read_buffer_size=10485760 303 | secrets: 304 | - authelia_jwt_secret 305 | - authelia_session_secret 306 | - authelia_storage_mysql_password 307 | # - authelia_notifier_smtp_password 308 | - authelia_duo_api_secret_key 309 | #- authelia_storage_encryption_key 310 | labels: 311 | - "traefik.enable=true" 312 | ## HTTP Routers 313 | - "traefik.http.routers.authelia-rtr.entrypoints=https" 314 | - "traefik.http.routers.authelia-rtr.rule=Host(`authelia.$DOMAINNAME`)" 315 | - "traefik.http.routers.authelia-rtr.tls=true" 316 | ## Middlewares 317 | - "traefik.http.routers.authelia-rtr.middlewares=chain-no-auth@file" 318 | ## HTTP Services 319 | - "traefik.http.routers.authelia-rtr.service=authelia-svc" 320 | - "traefik.http.services.authelia-svc.loadbalancer.server.port=9091" 321 | 322 | # Portainer - WebUI for Containers 323 | portainer: 324 | <<: *common-keys-core 325 | container_name: portainer 326 | image: portainer/portainer-ce:latest 327 | # command: -H unix:///var/run/docker.sock # # Use Docker Socket Proxy instead for improved security 328 | command: -H tcp://socket-proxy:2375 329 | networks: 330 | - t2_proxy 331 | - zsocket_proxy 332 | volumes: 333 | - $DOCKERDIR/appdata/portainer/data:/data # Change to local directory if you want to save/transfer config locally 334 | environment: 335 | - TZ=$TZ 336 | labels: 337 | - "traefik.enable=true" 338 | ## HTTP Routers 339 | - "traefik.http.routers.portainer-rtr.entrypoints=https" 340 | - "traefik.http.routers.portainer-rtr.rule=Host(`portainer.$DOMAINNAME`)" 341 | ## Middlewares 342 | - "traefik.http.routers.portainer-rtr.middlewares=chain-authelia@file" 343 | ## HTTP Services 344 | - "traefik.http.routers.portainer-rtr.service=portainer-svc" 345 | - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000" 346 | 347 | ############################# DATABASE 348 | 349 | # MariaDB - MySQL Database 350 | # After starting 
container for first time dexec and mysqladmin -u root password 351 | mariadb: 352 | <<: *common-keys-core 353 | container_name: mariadb 354 | image: lscr.io/linuxserver/mariadb 355 | ports: 356 | - "$MARIADB_PORT:3306" 357 | volumes: 358 | - $DOCKERDIR/appdata/mariadb:/config 359 | environment: 360 | <<: *default-tz-puid-pgid 361 | FILE__MYSQL_ROOT_PASSWORD: /run/secrets/mysql_root_password 362 | secrets: 363 | - mysql_root_password 364 | 365 | # phpMyAdmin - Database management 366 | # Create a new user with admin privileges. Cannot login as MySQL root for some reason. 367 | phpmyadmin: 368 | <<: *common-keys-apps # See EXTENSION FIELDS at the top 369 | image: phpmyadmin/phpmyadmin:latest 370 | container_name: phpmyadmin 371 | environment: 372 | - PMA_HOST=$DB_HOST 373 | - PMA_PORT=$DB_PORT 374 | #- PMA_ARBITRARY=1 375 | - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password 376 | secrets: 377 | - mysql_root_password 378 | labels: 379 | - "traefik.enable=true" 380 | ## HTTP Routers 381 | - "traefik.http.routers.phpmyadmin-rtr.entrypoints=https" 382 | - "traefik.http.routers.phpmyadmin-rtr.rule=Host(`pma.$DOMAINNAME`)" 383 | ## Middlewares 384 | - "traefik.http.routers.phpmyadmin-rtr.middlewares=chain-authelia@file" 385 | ## HTTP Services 386 | - "traefik.http.routers.phpmyadmin-rtr.service=phpmyadmin-svc" 387 | - "traefik.http.services.phpmyadmin-svc.loadbalancer.server.port=80" 388 | 389 | ############################# DOWNLOADERS 390 | 391 | # qBittorrent - Torrent downloader 392 | qbittorrent: 393 | <<: *common-keys-apps 394 | image: lscr.io/linuxserver/qbittorrent:latest 395 | container_name: qbittorrent 396 | ports: 397 | - "6881:6881" 398 | - "6881:6881/udp" 399 | volumes: 400 | - $DOCKERDIR/appdata/qbittorrent:/config 401 | - $DATADIR/Downloads:/downloads 402 | environment: 403 | <<: *default-tz-puid-pgid 404 | UMASK_SET: 002 405 | WEBUI_PORT: 8168 406 | labels: 407 | - "traefik.enable=true" 408 | ## HTTP Routers 409 | - 
"traefik.http.routers.qbittorrent-rtr.entrypoints=https" 410 | - "traefik.http.routers.qbittorrent-rtr.rule=Host(`qbit.$DOMAINNAME`)" 411 | ## Middlewares 412 | - "traefik.http.routers.qbittorrent-rtr.middlewares=chain-authelia@file" 413 | ## HTTP Services 414 | - "traefik.http.routers.qbittorrent-rtr.service=qbittorrent-svc" 415 | - "traefik.http.services.qbittorrent-svc.loadbalancer.server.port=8168" 416 | 417 | ############################# INDEXERS 418 | 419 | # Jackett - Torrent proxy 420 | # Set url_base in Jackett settings if using PathPrefix 421 | jackett: 422 | <<: *common-keys-apps 423 | image: lscr.io/linuxserver/jackett:latest 424 | container_name: jackett 425 | # network_mode: container:transmission-vpn 426 | networks: 427 | t2_proxy: 428 | ipv4_address: 192.168.90.200 429 | volumes: 430 | - $DOCKERDIR/appdata/jackett:/config 431 | - $DATADIR/Downloads/completed:/downloads 432 | - "/etc/localtime:/etc/localtime:ro" 433 | environment: 434 | <<: *default-tz-puid-pgid 435 | labels: 436 | - "traefik.enable=true" 437 | ## HTTP Routers 438 | - "traefik.http.routers.jackett-rtr.entrypoints=https" 439 | - "traefik.http.routers.jackett-rtr.rule=Host(`jackett.$DOMAINNAME`)" 440 | ## Middlewares 441 | - "traefik.http.routers.jackett-rtr.middlewares=chain-authelia@file" 442 | ## HTTP Services 443 | - "traefik.http.routers.jackett-rtr.service=jackett-svc" 444 | - "traefik.http.services.jackett-svc.loadbalancer.server.port=9117" 445 | 446 | 447 | ############################# PVRS 448 | 449 | # Radarr - Movie management 450 | # Set url_base in radarr settings if using PathPrefix 451 | radarr: 452 | <<: *common-keys-media 453 | image: lscr.io/linuxserver/radarr:latest 454 | container_name: radarr 455 | networks: 456 | t2_proxy: 457 | ipv4_address: 192.168.90.201 458 | ports: 459 | - "$RADARR_PORT:7878" 460 | volumes: 461 | - $DOCKERDIR/appdata/radarr:/config 462 | - $DATADIR/Downloads:/downloads 463 | - $DATADIR/Movies:/movies 464 | - 
"/etc/localtime:/etc/localtime:ro" 465 | environment: 466 | <<: *default-tz-puid-pgid 467 | labels: 468 | - "traefik.enable=true" 469 | ## HTTP Routers Auth Bypass 470 | - "traefik.http.routers.radarr-rtr-bypass.entrypoints=https" 471 | - "traefik.http.routers.radarr-rtr-bypass.rule=Host(`movies.$DOMAINNAME`) && (Headers(`X-Api-Key`, `$RADARR_API_KEY`) || Query(`apikey`, `$RADARR_API_KEY`))" 472 | - "traefik.http.routers.radarr-rtr-bypass.priority=100" 473 | ## HTTP Routers Auth 474 | - "traefik.http.routers.radarr-rtr.entrypoints=https" 475 | - "traefik.http.routers.radarr-rtr.rule=Host(`movies.$DOMAINNAME`)" 476 | - "traefik.http.routers.radarr-rtr.priority=99" 477 | ## Middlewares 478 | - "traefik.http.routers.radarr-rtr-bypass.middlewares=chain-no-auth@file" 479 | - "traefik.http.routers.radarr-rtr.middlewares=chain-authelia@file" 480 | ## HTTP Services 481 | - "traefik.http.routers.radarr-rtr.service=radarr-svc" 482 | - "traefik.http.routers.radarr-rtr-bypass.service=radarr-svc" 483 | - "traefik.http.services.radarr-svc.loadbalancer.server.port=7878" 484 | 485 | # Sonarr - TV Shows management 486 | # Set url_base in sonarr settings if using PathPrefix 487 | sonarr: 488 | <<: *common-keys-media 489 | image: lscr.io/linuxserver/sonarr:latest 490 | container_name: sonarr 491 | networks: 492 | t2_proxy: 493 | ipv4_address: 192.168.90.202 494 | ports: 495 | - "$SONARR_PORT:8989" 496 | volumes: 497 | - $DOCKERDIR/appdata/sonarr:/config 498 | - $DATADIR/Downloads:/downloads 499 | - $DATADIR/Shows:/tv 500 | - "/etc/localtime:/etc/localtime:ro" 501 | environment: 502 | <<: *default-tz-puid-pgid 503 | labels: 504 | - "traefik.enable=true" 505 | ## HTTP Routers Auth Bypass 506 | - "traefik.http.routers.sonarr-rtr-bypass.entrypoints=https" 507 | - "traefik.http.routers.sonarr-rtr-bypass.rule=Host(`tv.$DOMAINNAME`) && (Headers(`X-Api-Key`, `$SONARR_API_KEY`) || Query(`apikey`, `$SONARR_API_KEY`))" 508 | - "traefik.http.routers.sonarr-rtr-bypass.priority=100" 509 | ## HTTP 
Routers Auth 510 | - "traefik.http.routers.sonarr-rtr.entrypoints=https" 511 | - "traefik.http.routers.sonarr-rtr.rule=Host(`tv.$DOMAINNAME`)" 512 | - "traefik.http.routers.sonarr-rtr.priority=99" 513 | ## Middlewares 514 | - "traefik.http.routers.sonarr-rtr-bypass.middlewares=chain-no-auth@file" 515 | - "traefik.http.routers.sonarr-rtr.middlewares=chain-authelia@file" 516 | ## HTTP Services 517 | - "traefik.http.routers.sonarr-rtr.service=sonarr-svc" 518 | - "traefik.http.routers.sonarr-rtr-bypass.service=sonarr-svc" 519 | - "traefik.http.services.sonarr-svc.loadbalancer.server.port=8989" 520 | 521 | ############################# MEDIA 522 | 523 | # Plex - Media Server 524 | plexms: 525 | <<: *common-keys-media 526 | image: plexinc/pms-docker:plexpass 527 | container_name: plexms 528 | ports: 529 | - "$PLEX_PORT:32400/tcp" 530 | - "3005:3005/tcp" 531 | - "8324:8324/tcp" 532 | - "32469:32469/tcp" 533 | - "1900:1900/udp" 534 | - "32410:32410/udp" 535 | - "32412:32412/udp" 536 | - "32413:32413/udp" 537 | - "32414:32414/udp" 538 | - "$PLEX_WEB_TOOLS_PORT:33400" 539 | devices: 540 | - /dev/dri:/dev/dri # for hardware transcoding 541 | volumes: 542 | - $DOCKERDIR/appdata/plexms:/config 543 | - $DATADIR:/media 544 | - /dev/shm:/transcode 545 | environment: 546 | TZ: $TZ 547 | HOSTNAME: "Silky Plex" 548 | PLEX_CLAIM_FILE: /run/secrets/plex_claim 549 | PLEX_UID: $PUID 550 | PLEX_GID: $PGID 551 | ADVERTISE_IP: http://$SERVER_IP:$PLEX_PORT/,https://plex.$DOMAINNAME 552 | secrets: 553 | - plex_claim 554 | labels: 555 | - "traefik.enable=true" 556 | ## HTTP Routers 557 | - "traefik.http.routers.plexms-rtr.entrypoints=https" 558 | - "traefik.http.routers.plexms-rtr.rule=Host(`plex.$DOMAINNAME`)" 559 | ## Middlewares 560 | - "traefik.http.routers.plexms-rtr.middlewares=chain-no-auth@file" 561 | ## HTTP Services 562 | - "traefik.http.routers.plexms-rtr.service=plexms-svc" 563 | - "traefik.http.services.plexms-svc.loadbalancer.server.port=32400" 564 | 565 | # Tautulli - Previously 
PlexPy. Plex statistics and monitoring 566 | # Set HTTP Root in Tautulli settings if using PathPrefix 567 | tautulli: 568 | <<: *common-keys-media 569 | image: lscr.io/linuxserver/tautulli:latest 570 | container_name: tautulli 571 | volumes: 572 | - $DOCKERDIR/appdata/tautulli/config:/config 573 | - $DOCKERDIR/appdata/plexms/Library/Application Support/Plex Media Server/Logs:/logs:ro 574 | environment: 575 | <<: *default-tz-puid-pgid 576 | labels: 577 | - "traefik.enable=true" 578 | ## HTTP Routers Auth Bypass 579 | - "traefik.http.routers.tautulli-rtr-bypass.entrypoints=https" 580 | - "traefik.http.routers.tautulli-rtr-bypass.rule=Host(`tautulli.$DOMAINNAME`) && (Headers(`X-Api-Key`, `$TAUTULLI_DEVICE_KEY`) || Query(`apikey`, `$TAUTULLI_DEVICE_KEY`))" 581 | - "traefik.http.routers.tautulli-rtr-bypass.priority=100" 582 | ## HTTP Routers 583 | - "traefik.http.routers.tautulli-rtr.entrypoints=https" 584 | - "traefik.http.routers.tautulli-rtr.rule=Host(`tautulli.$DOMAINNAME`)" 585 | - "traefik.http.routers.tautulli-rtr.priority=99" 586 | ## Middlewares 587 | - "traefik.http.routers.tautulli-rtr-bypass.middlewares=chain-no-auth@file" 588 | - "traefik.http.routers.tautulli-rtr.middlewares=chain-authelia@file" 589 | ## HTTP Services 590 | - "traefik.http.routers.tautulli-rtr.service=tautulli-svc" 591 | - "traefik.http.routers.tautulli-rtr-bypass.service=tautulli-svc" 592 | - "traefik.http.services.tautulli-svc.loadbalancer.server.port=8181" 593 | 594 | ############################# MEDIA FILE MANAGEMENT 595 | #Photo album 596 | piwigo: 597 | image: lscr.io/linuxserver/piwigo:latest 598 | container_name: piwigo 599 | restart: always 600 | environment: 601 | - PUID=$PUID 602 | - PGID=$PGID 603 | - TZ=$TZ 604 | volumes: 605 | - $DOCKERDIR/appdata/piwigo/config:/config 606 | - /mnt/Media/Photos:/gallery/upload 607 | networks: 608 | - t2_proxy 609 | security_opt: 610 | - no-new-privileges:true 611 | labels: 612 | - "traefik.enable=true" 613 | ## HTTP Routers 614 | - 
"traefik.http.routers.piwigo-rtr.entrypoints=https" 615 | - "traefik.http.routers.piwigo-rtr.rule=Host(`photos.$DOMAINNAME`)" 616 | - "traefik.http.routers.piwigo-rtr.tls=true" 617 | ## Middlewares 618 | - "traefik.http.routers.piwigo-rtr.middlewares=chain-no-auth@file" 619 | ## HTTP Services 620 | - "traefik.http.routers.piwigo-rtr.service=piwigo-svc" 621 | - "traefik.http.services.piwigo-svc.loadbalancer.server.port=80" 622 | 623 | ############################# UTILITIES 624 | pihole_exporter: 625 | #build: 626 | # context: ./ 627 | #args: 628 | # ARCH: CHANGE_ME 629 | #dockerfile: Dockerfile 630 | image: ekofr/pihole-exporter:latest 631 | container_name: pihole_exporter 632 | <<: *common-keys-apps 633 | #expose: 634 | # - 9617 635 | environment: 636 | PIHOLE_HOSTNAME: 172.16.0.2 637 | PIHOLE_PORT: 80 638 | #PIHOLE_PASSWORD: CHANGE_ME 639 | INTERVAL: 30s 640 | PORT: 9617 641 | 642 | # Glances - System Information 643 | glances: 644 | <<: *common-keys-apps 645 | image: nicolargo/glances:latest 646 | container_name: glances 647 | # network_mode: host 648 | networks: 649 | - t2_proxy 650 | - zsocket_proxy 651 | - default 652 | pid: host 653 | volumes: 654 | - $DOCKERDIR/appdata/glances/glances.conf:/glances/conf/glances.conf # Use this if you want to add a glances.conf file 655 | - $USERDIR:/data/home:ro 656 | - $DATADIR:/RAID:ro 657 | environment: 658 | GLANCES_OPT: "-w" 659 | DOCKER_HOST: tcp://socket-proxy:2375 660 | labels: 661 | - "traefik.enable=true" 662 | ## HTTP Routers 663 | - "traefik.http.routers.glances-rtr.entrypoints=https" 664 | - "traefik.http.routers.glances-rtr.rule=Host(`glances.$DOMAINNAME`)" 665 | ## Middlewares 666 | - "traefik.http.routers.glances-rtr.middlewares=chain-authelia@file" 667 | ## HTTP Services 668 | - "traefik.http.routers.glances-rtr.service=glances-svc" 669 | - "traefik.http.services.glances-svc.loadbalancer.server.port=61208" 670 | 671 | # Dozzle - Real-time Docker Log Viewer 672 | dozzle: 673 | <<: *common-keys-apps 674 | 
image: amir20/dozzle:latest 675 | container_name: dozzle 676 | networks: 677 | - t2_proxy 678 | - zsocket_proxy 679 | environment: 680 | DOZZLE_LEVEL: info 681 | DOZZLE_TAILSIZE: 300 682 | DOZZLE_FILTER: "status=running" 683 | # DOZZLE_FILTER: "label=log_me" # limits logs displayed to containers with this label 684 | DOCKER_HOST: tcp://socket-proxy:2375 685 | # volumes: 686 | # - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy instead for improved security 687 | labels: 688 | - "traefik.enable=true" 689 | ## HTTP Routers 690 | - "traefik.http.routers.dozzle-rtr.entrypoints=https" 691 | - "traefik.http.routers.dozzle-rtr.rule=Host(`dozzle.$DOMAINNAME`)" 692 | ## Middlewares 693 | - "traefik.http.routers.dozzle-rtr.middlewares=chain-authelia@file" 694 | ## HTTP Services 695 | - "traefik.http.routers.dozzle-rtr.service=dozzle-svc" 696 | - "traefik.http.services.dozzle-svc.loadbalancer.server.port=8080" 697 | 698 | ############################# MAINTENANCE 699 | 700 | # Docker-GC - Automatic Docker Garbage Collection 701 | # Create docker-gc-exclude file 702 | dockergc: 703 | <<: *common-keys-apps 704 | image: clockworksoul/docker-gc-cron:latest 705 | container_name: docker-gc 706 | networks: 707 | - zsocket_proxy 708 | volumes: 709 | # - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy instead for improved security 710 | - $DOCKERDIR/appdata/docker-gc/docker-gc-exclude:/etc/docker-gc-exclude 711 | environment: 712 | CRON: 0 0 0 * * ? # Everyday at midnight. 
Previously 0 0 * * * 713 | FORCE_IMAGE_REMOVAL: 1 714 | FORCE_CONTAINER_REMOVAL: 0 715 | GRACE_PERIOD_SECONDS: 604800 716 | DRY_RUN: 0 717 | CLEAN_UP_VOLUMES: 1 718 | TZ: $TZ 719 | DOCKER_HOST: tcp://socket-proxy:2375 720 | 721 | # Cloudflare DDNS - Dynamic DNS Updater 722 | cf-ddns: 723 | <<: *common-keys-core 724 | container_name: cf-ddns 725 | image: oznu/cloudflare-ddns:latest 726 | environment: 727 | API_KEY: $CLOUDFLARE_API_TOKEN 728 | ZONE: $DOMAINNAME 729 | PROXIED: "true" 730 | RRTYPE: A 731 | DELETE_ON_STOP: "false" 732 | DNS_SERVER: 1.1.1.1 733 | 734 | ### UniFi Controller - Managing UniFi Network 735 | traefik-ssl-certificate-exporter: 736 | image: rafi0101/traefik-ssl-certificate-exporter:latest 737 | environment: 738 | CRON_TIME: "* * * * *" 739 | CERT_OWNER_ID: "0" 740 | CERT_GROUP_ID: "1000" 741 | volumes: 742 | - $DOCKERDIR/appdata/traefik2/acme/acme.json:/app/traefik/acme.json 743 | - $DOCKERDIR/appdata/unifi/cert:/app/certs 744 | restart: unless-stopped 745 | unifi: 746 | container_name: unifi 747 | image: jacobalberty/unifi:latest 748 | restart: unless-stopped 749 | networks: 750 | t2_proxy: 751 | ipv4_address: 192.168.90.100 752 | security_opt: 753 | - no-new-privileges:true 754 | ports: 755 | - "8080:8080" 756 | - "8443:8443" 757 | - "3478:3478/udp" 758 | - "10001:10001/udp" 759 | - "6789:6789" 760 | volumes: 761 | #- $DOCKERDIR/appdata/unifi:/unifi 762 | - $DOCKERDIR/appdata/unifi/data/lib:/var/lib/unifi 763 | - $DOCKERDIR/appdata/unifi/log:/var/log/unifi 764 | - $DOCKERDIR/appdata/unifi/cert/adamradloff.com:/unifi/cert 765 | #- $DOCKERDIR/appdata/unifi/init:/unifi/init.d 766 | - $DOCKERDIR/appdata/unifi/run:/var/run/unifi 767 | - $DOCKERDIR/appdata/unifi/backup:/unifi/data/backup 768 | #- $DOCKERDIR/shared/certs/key.pem:/unifi/cert/privkey.pem 769 | #- $DOCKERDIR/shared/certs/cert.pem:/unifi/cert/cert.pem 770 | environment: 771 | UNIFI_UID: $PUID 772 | UNIFI_GID: $PGID 773 | TZ: America/Phoenix 774 | labels: 775 | - "traefik.enable=true" 776 
| ## HTTP Routers 777 | - "traefik.http.routers.unifi-rtr.entrypoints=https" 778 | - "traefik.http.routers.unifi-rtr.rule=Host(`uni.$DOMAINNAME`)" 779 | ## Middlewares 780 | - "traefik.http.routers.unifi-rtr.middlewares=chain-authelia@file" 781 | ## HTTP Services 782 | - "traefik.http.routers.unifi-rtr.service=unifi-svc" 783 | - "traefik.http.services.unifi-svc.loadbalancer.server.port=8443" 784 | - "traefik.http.services.unifi-svc.loadbalancer.server.scheme=https" 785 | 786 | flaresolverr: 787 | # DockerHub mirror flaresolverr/flaresolverr:latest 788 | <<: *common-keys-apps 789 | image: ghcr.io/flaresolverr/flaresolverr:latest 790 | container_name: flaresolverr 791 | environment: 792 | LOG_LEVEL: info 793 | LOG_HTML: false 794 | CAPTCHA_SOLVER: none 795 | TZ: $TZ 796 | networks: 797 | t2_proxy: 798 | ipv4_address: 192.168.90.199 799 | #ports: 800 | # - "${PORT:-8191}:8191" 801 | 802 | # Grafana - Graphical data visualization for InfluxDB data 803 | grafana: 804 | <<: *common-keys-monitoring # See EXTENSION FIELDS at the top 805 | image: grafana/grafana:latest 806 | container_name: grafana 807 | ports: 808 | - "$GRAFANA_PORT:3000" 809 | user: ${PUID}:${PGID} 810 | volumes: 811 | - $DOCKERDIR/appdata/grafana:/var/lib/grafana 812 | - $DOCKERDIR/appdata/grafana/provisioning/:/etc/grafana/provisioning/ 813 | - $DOCKERDIR/appdata/grafana/dashboards/:/var/lib/grafana/dashboards/ 814 | - $DOCKERDIR/appdata/grafana/grafana.ini:/etc/grafana/grafana.ini 815 | - $DOCKERDIR/appdata/vrs/root:/var/lib/vrsdb/:ro 816 | environment: 817 | GF_INSTALL_PLUGINS: "grafana-clock-panel,grafana-simple-json-datasource,grafana-worldmap-panel,grafana-piechart-panel" 818 | GF_PANELS_DISABLE_SANITIZE_HTML: true 819 | labels: 820 | - "traefik.enable=true" 821 | ## HTTP Routers 822 | - "traefik.http.routers.grafana-rtr.entrypoints=https" 823 | - "traefik.http.routers.grafana-rtr.rule=Host(`grafana.$DOMAINNAME`)" 824 | ## Middlewares 825 | - 
"traefik.http.routers.grafana-rtr.middlewares=chain-no-auth@file" 826 | ## HTTP Services 827 | - "traefik.http.routers.grafana-rtr.service=grafana-svc" 828 | - "traefik.http.services.grafana-svc.loadbalancer.server.port=3000" 829 | 830 | sql-server-db: 831 | container_name: sql 832 | image: mcr.microsoft.com/mssql/server:2019-latest 833 | networks: 834 | - t2_proxy 835 | ports: 836 | - "1433:1433" 837 | user: root 838 | volumes: 839 | - ${DOCKERDIR}/appdata/mssql/data:/var/opt/mssql/data 840 | - ${DATADIR}/mssql:/var/opt/mssql/data/bak 841 | environment: 842 | PUID: ${PUID} 843 | PGID: ${PGID} 844 | SA_PASSWORD: "!!54testpassword45!!" 845 | ACCEPT_EULA: "Y" 846 | TZ: Etc/UTC 847 | MSSQL_AGENT_ENABLED: true 848 | 849 | prometheus: 850 | <<: *common-keys-monitoring # See EXTENSION FIELDS at the top 851 | image: prom/prometheus:latest 852 | container_name: prometheus 853 | ports: 854 | - "9090:9090" 855 | volumes: 856 | - $DOCKERDIR/appdata/prometheus/config:/etc/prometheus 857 | - $DOCKERDIR/appdata/prometheus/data:/prometheus 858 | user: $PUID:$PGID 859 | command: 860 | - '--config.file=/etc/prometheus/prometheus.yml' 861 | - '--storage.tsdb.path=/prometheus' 862 | - '--web.console.libraries=/usr/share/prometheus/console_libraries' 863 | - '--web.console.templates=/usr/share/prometheus/consoles' 864 | - '--web.enable-lifecycle' 865 | - '--web.enable-admin-api' 866 | - '--web.listen-address=:9090' 867 | labels: 868 | - "traefik.enable=true" 869 | ## HTTP Routers 870 | - "traefik.http.routers.prometheus-rtr.entrypoints=https" 871 | - "traefik.http.routers.prometheus-rtr.rule=Host(`prom.$DOMAINNAME`)" 872 | ## Middlewares 873 | - "traefik.http.routers.prometheus-rtr.middlewares=chain-no-auth@file" 874 | ## HTTP Services 875 | - "traefik.http.routers.prometheus-rtr.service=prometheus-svc" 876 | - "traefik.http.services.prometheus-svc.loadbalancer.server.port=9090" 877 | 878 | influxdb: 879 | image: influxdb:latest 880 | container_name: influxdb 881 | <<: 
*common-keys-monitoring 882 | environment: 883 | - DOCKER_INFLUXDB_INIT_MODE=setup 884 | - DOCKER_INFLUXDB_INIT_BUCKET=ultrafeeder 885 | - DOCKER_INFLUXDB_INIT_ORG=ultrafeeder 886 | #- DOCKER_INFLUXDB_INIT_RETENTION=1y 887 | - DOCKER_INFLUXDB_INIT_USERNAME=${INFLUXDB_USER} 888 | - DOCKER_INFLUXDB_INIT_PASSWORD=${INFLUXDB_PASSWORD} 889 | - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN=${INFLUXDB_ADMIN_TOKEN} 890 | ports: 891 | - '8086:8086' 892 | volumes: 893 | - $DOCKERDIR/appdata/influx/influxdb_data:/var/lib/influxdb 894 | - $DOCKERDIR/appdata/influx/influxdb_config:/etc/influxdb 895 | labels: 896 | - "traefik.enable=true" 897 | ## HTTP Routers 898 | - "traefik.http.routers.influx-rtr.entrypoints=https" 899 | - "traefik.http.routers.influx-rtr.rule=Host(`influx.$DOMAINNAME`)" 900 | ## Middlewares 901 | - "traefik.http.routers.influx-rtr.middlewares=chain-no-auth@file" 902 | ## HTTP Services 903 | - "traefik.http.routers.influx-rtr.service=influx-svc" 904 | - "traefik.http.services.influx-svc.loadbalancer.server.port=8086" 905 | 906 | node-exporter: 907 | container_name: node_exporter 908 | image: quay.io/prometheus/node-exporter:latest 909 | <<: *common-keys-monitoring 910 | command: [ 911 | "--path.rootfs=/host", 912 | "--web.listen-address=:9100", 913 | ] 914 | #ports: 915 | #- 9100:9100 916 | volumes: 917 | - "/:/host:ro,rslave" 918 | 919 | piaware-exporter: 920 | container_name: piaware_exporter 921 | image: piaware_exporter:2.0 922 | <<: *common-keys-monitoring 923 | #ports: 924 | #- 9101:9101 925 | command: [ 926 | "--piaware_host", 927 | "piaware" 928 | ] 929 | 930 | ######## ADSB ####### 931 | 932 | fr24: 933 | image: ghcr.io/sdr-enthusiasts/docker-flightradar24:latest 934 | tty: true 935 | container_name: fr24 936 | <<: *common-keys-adsb 937 | environment: 938 | - BEASTHOST=beast.${DOMAINLOCAL} 939 | - TZ=${TZ} 940 | - FR24KEY=${FR24_SHARING_KEY} 941 | - FR24KEY_UAT=${FR24_UAT_KEY} 942 | - UATHOST=beast.${DOMAINLOCAL} 943 | - UATPORT=30978 944 | - MLAT=yes 945 | 
healthcheck: 946 | disable: true 947 | tmpfs: 948 | - /var/log 949 | labels: 950 | #- "autoheal=true" 951 | - "traefik.enable=true" 952 | ## HTTP Routers 953 | - "traefik.http.routers.fr-rtr.entrypoints=https" 954 | - "traefik.http.routers.fr-rtr.rule=Host(`fr.$DOMAINNAME`)" 955 | ## Middlewares 956 | - "traefik.http.routers.fr-rtr.middlewares=chain-authelia@file" 957 | ## HTTP Services 958 | - "traefik.http.routers.fr-rtr.service=fr-svc" 959 | - "traefik.http.services.fr-svc.loadbalancer.server.port=8754" 960 | 961 | piaware: 962 | image: ghcr.io/sdr-enthusiasts/docker-piaware:latest 963 | tty: true 964 | container_name: piaware 965 | <<: *common-keys-adsb 966 | ports: 967 | - 44441:30105 968 | environment: 969 | - PUID=$PUID 970 | - PGID=$PGID 971 | - BEASTHOST=beast.${DOMAINLOCAL} 972 | - RECEIVER_TYPE=relay 973 | - VERBOSE_LOGGING=true 974 | - LAT=${FEEDER_LAT} 975 | - LONG=${FEEDER_LONG} 976 | - TZ=${TZ} 977 | - FEEDER_ID=${PIAWARE_FEEDER_ID} 978 | - UAT_RECEIVER_TYPE=relay 979 | - UAT_RECEIVER_HOST=beast.${DOMAINLOCAL} 980 | - UAT_RECEIVER_PORT=30978 981 | - MLAT_RESULTS_BEASTHOST=mlat.adamradloff.local 982 | healthcheck: 983 | disable: true 984 | volumes: 985 | - $DOCKERDIR/appdata/piaware/piaware.conf:/etc/piaware.conf 986 | tmpfs: 987 | - /run:exec,size=64M 988 | - /var/log 989 | labels: 990 | #- "autoheal=true" 991 | - "traefik.enable=true" 992 | ## HTTP Routers 993 | - "traefik.http.routers.sa-rtr.entrypoints=https" 994 | - "traefik.http.routers.sa-rtr.rule=Host(`sa.$DOMAINNAME`)" 995 | ## Middlewares 996 | - "traefik.http.routers.sa-rtr.middlewares=chain-authelia@file" 997 | ## HTTP Services 998 | - "traefik.http.routers.sa-rtr.service=sa-svc" 999 | - "traefik.http.services.sa-svc.loadbalancer.server.port=8080" 1000 | 1001 | adsbhub: 1002 | image: ghcr.io/sdr-enthusiasts/docker-adsbhub:latest 1003 | tty: true 1004 | container_name: adsbhub 1005 | <<: *common-keys-adsb 1006 | environment: 1007 | - TZ=${TZ} 1008 | - SBSHOST=beast.${DOMAINLOCAL} 1009 | - 
CLIENTKEY=${ADSBHUB_STATION_KEY} 1010 | 1011 | rbfeeder: 1012 | image: ghcr.io/sdr-enthusiasts/docker-radarbox:latest 1013 | tty: true 1014 | container_name: rbfeeder 1015 | <<: *common-keys-adsb 1016 | ports: 1017 | - 44442:30105 1018 | environment: 1019 | - BEASTHOST=beast.${DOMAINLOCAL} 1020 | - LAT=${FEEDER_LAT} 1021 | - LONG=${FEEDER_LONG} 1022 | - ALT=${FEEDER_ALT_M} 1023 | - TZ=${TZ} 1024 | - SHARING_KEY=${RADARBOX_SHARING_KEY} 1025 | - UAT_RECEIVER_HOST=beast.${DOMAINLOCAL} 1026 | volumes: 1027 | - "$DOCKERDIR/appdata/rbfeeder/fake_cpuinfo:/proc/cpuinfo" 1028 | tmpfs: 1029 | - /run:exec,size=64M 1030 | - /var/log 1031 | 1032 | radarvirtuel: 1033 | image: ghcr.io/sdr-enthusiasts/docker-radarvirtuel:latest 1034 | tty: true 1035 | container_name: radarvirtuel 1036 | <<: *common-keys-adsb 1037 | ports: 1038 | - 44443:30105 1039 | environment: 1040 | - FEEDER_KEY=${RV_FEEDER_KEY} 1041 | - SOURCE_HOST=beast.${DOMAINLOCAL}:30002 1042 | - RV_SERVER=mg22.adsbnetwork.com:50050 1043 | - VERBOSE=OFF 1044 | - MLAT_SERVER=mlat.adsbnetwork.com:50000 1045 | - MLAT_HOST=beast.${DOMAINLOCAL}:30005 1046 | - LAT=${FEEDER_LAT} 1047 | - LON=${FEEDER_LONG} 1048 | - ALT=${FEEDER_ALT_M} 1049 | tmpfs: 1050 | - /tmp:rw,nosuid,nodev,noexec,relatime,size=128M 1051 | volumes: 1052 | - "/etc/localtime:/etc/localtime:ro" 1053 | - "/etc/timezone:/etc/timezone:ro" 1054 | 1055 | opensky: 1056 | image: ghcr.io/sdr-enthusiasts/docker-opensky-network:latest 1057 | tty: true 1058 | container_name: opensky 1059 | <<: *common-keys-adsb 1060 | environment: 1061 | - TZ=${TZ} 1062 | - BEASTHOST=beast.${DOMAINLOCAL} 1063 | - LAT=${FEEDER_LAT} 1064 | - LONG=${FEEDER_LONG} 1065 | - ALT=${FEEDER_ALT_M} 1066 | - OPENSKY_USERNAME=${OPENSKY_USERNAME} 1067 | - OPENSKY_SERIAL=${OPENSKY_SERIAL} 1068 | tmpfs: 1069 | - /run:exec,size=64M 1070 | - /var/log 1071 | 1072 | pfclient: 1073 | image: ghcr.io/sdr-enthusiasts/docker-planefinder:latest 1074 | tty: true 1075 | container_name: pfclient 1076 | <<: 
*common-keys-adsb 1077 | environment: 1078 | - TZ=${TZ} 1079 | - BEASTHOST=beast.${DOMAINLOCAL} 1080 | - LAT=${FEEDER_LAT} 1081 | - LONG=${FEEDER_LONG} 1082 | - SHARECODE=${PLANEFINDER_SHARECODE} 1083 | tmpfs: 1084 | - /run:exec,size=64M 1085 | - /var/log/pfclienot 1086 | labels: 1087 | #- "autoheal=true" 1088 | - "traefik.enable=true" 1089 | ## HTTP Routers 1090 | - "traefik.http.routers.pf-rtr.entrypoints=https" 1091 | - "traefik.http.routers.pf-rtr.rule=Host(`pf.$DOMAINNAME`)" 1092 | ## Middlewares 1093 | - "traefik.http.routers.pf-rtr.middlewares=chain-authelia@file" 1094 | ## HTTP Services 1095 | - "traefik.http.routers.pf-rtr.service=pf-svc" 1096 | - "traefik.http.services.pf-svc.loadbalancer.server.port=30053" 1097 | 1098 | planewatch: 1099 | image: ghcr.io/plane-watch/docker-plane-watch:latest 1100 | tty: true 1101 | container_name: planewatch 1102 | <<: *common-keys-adsb 1103 | environment: 1104 | - BEASTHOST=beast.${DOMAINLOCAL} 1105 | - LAT=${FEEDER_LAT} 1106 | - LONG=${FEEDER_LONG} 1107 | - ALT=${FEEDER_ALT_M}m 1108 | - TZ=${TZ} 1109 | - API_KEY=${PW_API_KEY} 1110 | tmpfs: 1111 | - /run:exec,size=64M 1112 | - /var/log 1113 | vrs: 1114 | image: ghcr.io/sdr-enthusiasts/vrs:dev 1115 | tty: true 1116 | container_name: vrs 1117 | <<: *common-keys-adsb 1118 | environment: 1119 | - VRS_ADMIN_USERNAME=${VRS_USER} 1120 | - VRS_ADMIN_PASSWORD=${VRS_PASSWORD} 1121 | - VRS_CULTURE=en-US 1122 | - VRS_DB_UPDATE_POLICY_FULLAUTO=yes 1123 | - VRS_ENHANCED_LAYERS_COUNTRY=USAAZ 1124 | - VRS_ENHANCED_MARKERS=normal 1125 | - VRS_ENHANCED_LAYERS_OPENWX_APIKEY=ed74f5f1692d5c51333fb52647ed1a72 1126 | - VRS_ENHANCED_LAYERS_OPENAIP_APIKEY=8c48c5bab93ab7426e33c63e0f2da961 1127 | tmpfs: 1128 | - /tmp:rw,nosuid,nodev,noexec,relatime,size=128M 1129 | ports: 1130 | - 8181:8080 1131 | volumes: 1132 | - "$DOCKERDIR/appdata/vrs:/root/.local/share/VirtualRadar" 1133 | #- "$DOCKERDIR/appdata/vrs/config:/config" 1134 | # - "/etc/localtime:/etc/localtime:ro" 1135 | # - 
"/etc/timezone:/etc/timezone:ro" 1136 | labels: 1137 | - "traefik.enable=true" 1138 | ## HTTP Routers 1139 | #- "traefik.http.routers.vrs-rtr.tls=true" 1140 | - "traefik.http.routers.vrs-rtr.entrypoints=https" 1141 | - "traefik.http.routers.vrs-rtr.rule=Host(`vrs.$DOMAINNAME`)" 1142 | ## Middlewares 1143 | - "traefik.http.routers.vrs-rtr.middlewares=chain-vrs-no-auth@file" 1144 | ## HTTP Services 1145 | - "traefik.http.routers.vrs-rtr.service=vrs-svc" 1146 | - "traefik.http.services.vrs-svc.loadbalancer.server.port=8080" 1147 | 1148 | planefence: 1149 | image: ghcr.io/sdr-enthusiasts/docker-planefence:dev 1150 | tty: true 1151 | container_name: planefence 1152 | # host and your internal network: 1153 | <<: *common-keys-adsb 1154 | # we are phasing out the .env file in favor of a similar file named 1155 | # ~/.planefence/planefence.config. A template of that file will be 1156 | # generated automatically when you start the container for the first 1157 | # time. Planefence will not work unless you have either a .env file or 1158 | # a planefence.config file. Any values defined in planefence.config 1159 | # will take priority over those in .env. Uncomment the line below if you 1160 | # really want to continue to use your pre-existing .env file. 1161 | # Also, update TZ=America/New_York to your own timezone. 
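# planefence (continued from the service definition above)
    # LOGLEVEL can be "INFO" (default - all logs) or "ERROR" (only errors)
    environment:
      - TZ=$TZ
      - LOGLEVEL=INFO
    volumes:
      # adopt this one to point at your home directory if it is not /home/pi
      - $DOCKERDIR/appdata/planefence/persist:/usr/share/planefence/persist
      # the following exposes the html directory to the host, in case you
      # want to use an external http daemon (lighttpd, nginx, etc)
      - $DOCKERDIR/appdata/planefence/html:/usr/share/planefence/html
    tmpfs:
      # /run is mounted exec, /tmp noexec; both are size-capped tmpfs mounts.
      - /run:rw,nosuid,nodev,exec,relatime,size=512M
      - /tmp:rw,nosuid,nodev,noexec,relatime,size=128M
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.planefence-rtr.entrypoints=https"
      - "traefik.http.routers.planefence-rtr.rule=Host(`planefence.$DOMAINNAME`)"
      ## Middlewares
      - "traefik.http.routers.planefence-rtr.middlewares=chain-no-auth@file"
      ## HTTP Services
      - "traefik.http.routers.planefence-rtr.service=planefence-svc"
      - "traefik.http.services.planefence-svc.loadbalancer.server.port=80"

  # Browser screenshot service (per the image name) pointed at the map served at
  # BASE_URL; published behind Authelia as pss.$DOMAINNAME.
  screenshot:
    image: tedder42/browser-screenshot-service:latest
    tty: true
    container_name: screenshot
    <<: *common-keys-adsb
    shm_size: 1gb
    environment:
      # Map rendering options appended to the page URL; the two commented-out
      # variants are earlier settings kept for reference.
      - MAP_ARGS=zoom=11.5&hideSidebar&hideButtons&mapDim=0.2&monochromeMarkers=ff0000&outlineColor=505050&iconScale=1.5&enableLabels&extendedLabels=2&trackLabels
      # - MAP_ARGS=zoom=11&hideSidebar&hideButtons&mapDim=2.0&monochromeMarkers=ff0000&outlineColor=505050&iconScale=1.5
      #- MAP_ARGS=zoom=11&hideSidebar&hideButtons&mapDim=0.4&monochromeMarkers=00066&monochromeTracks=010101&outlineColor=505050&iconScale=1.5
      - LOAD_SLEEP_TIME=25
      # Site-specific hostname of the map to capture; change this for your own host.
      - BASE_URL=http://beast.adamradloff.local:8080
      - MAXTIME=60
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.pss-rtr.entrypoints=https"
      - "traefik.http.routers.pss-rtr.rule=Host(`pss.$DOMAINNAME`)"
      ## Middlewares
      - "traefik.http.routers.pss-rtr.middlewares=chain-authelia@file"
      ## HTTP Services
      - "traefik.http.routers.pss-rtr.service=pss-svc"
      - "traefik.http.services.pss-svc.loadbalancer.server.port=80"

  ####### testing web landing page #########

  # nginx-based landing page / reverse proxy in front of the ADS-B apps.
  # Host ports stay unpublished; the container is reached only through Traefik
  # on t2_proxy (www.$DOMAINNAME, no auth — see the labels at the end).
  webproxy:
    image: ghcr.io/sdr-enthusiasts/docker-reversewebproxy:latest
    tty: true
    container_name: webproxy
    restart: always
    networks:
      - t2_proxy
    #ports:
    #  - 80:80
    #  - 443:443
    environment:
      # ----------------------------------------------------------------------------------------
      # if AUTOGENERATE is set to ON, it will automatically create a config based on the REVPROXY and REDIRECT parameters below
      # if it is set to OFF, you should map the volume as shown in the "volumes" section below, and you can edit the "locations.conf" file in that directory.
      #
      # If you want to have the system auto-generate a locations.conf file that you will subsequently edit, you can set
      # AUTOGENERATE=ON, then start the container once, stop the container again, and edit the system generated
      # locations.conf file. Then, before restarting, please make sure to set AUTOGENERATE=OFF below.
      - AUTOGENERATE=ON
      # ----------------------------------------------------------------------------------------
      # VERBOSELOG indicates whether the web server logs are written to the Docker container logs
      # (accessible with `docker logs webproxy`) or discarded. Values are ON (default) or OFF
      - VERBOSELOG=ON
      # ----------------------------------------------------------------------------------------
      # REVPROXY has the following format:
      #     urltarget|destination
      # For example, for REVPROXY=readsb|http://10.0.0.191:8080,
      # a user browsing to http://mydomain/readsb will be proxied to http://10.0.0.191:8080
      # The user's browser will *never* see the internal IP address.
      # Note - both the urltarget and the destination must be URLs or directories, and cannot be
      # a file name
      # Optionally, you can add Basic Authentication username(s)/password(s) as well. If the AUTH parameter is set to ON,
      # any REVPROXY entries that have one or more username/password combinations will only be proxied after the web browser
      # furnishes the correct credentials. If AUTH is not set to ON, these credentials will be ignored.
      # Usernames and passwords should not contain any field separators or special characters like ,'"|; or whitespace characters
      # For example: REVPROXY=readsb|http://10.0.0.191:8080|username1;password1|username2;password2,
      #
      # The destinations below are the public Traefik hostnames of each app rather than
      # container addresses, so proxied requests presumably pass through that app's own
      # Traefik router and middleware chain — confirm before relying on it for access control.
      - REVPROXY=
        readsb|https://readsb.$DOMAINNAME,
        piaware|https://pi.$DOMAINNAME,
        tar1090|https://1090.$DOMAINNAME,
        planefence|https://planefence.$DOMAINNAME,
        planefinder|https://pf.$DOMAINNAME
      # ----------------------------------------------------------------------------------------
      # REDIRECT has the following format:
      #     urltarget|redirection
      # For example, for REDIRECT=/planefinder/setup.html|http://10.0.0.191:8086/setup.html,
      # a user browsing to http://mydomain/planefinder/setup.html will be redirected to http://10.0.0.191:8086/setup.html
      # The user's browser will show the redirection address and try to reach it. If the destination is not reachable (for example
      # because it is on an isolated subnet), the browser won't be able to render the page.
      # This can be useful if you want to protect certain pages from view outside your internal network, while exposing
      # others. See for example the planefinder setup in REVPROXY and REDIRECT.
      # Note - both the urltarget and the redirection MAY BE a URL or a file name.
      - REDIRECT=
        /planefinder/setup.html|http://10.0.0.191:8086/setup.html,
        /planefinder/logs.html|http://10.0.0.191:8086/logs.html
      #
      # ----------------------------------------------------------------------------------------
      # The following settings will enable SSL to be part of the reverse proxy.
      #
      # SSL: enable SSL. Accepted values: [ENABLED|DISABLED]. Default: DISABLED
      # SSL_EMAIL is used to request an SSL certificate from Let's Encrypt. The container
      # will automatically renew them before they expire as long as you keep the container running.
      #
      # Change SSL_TOS=REJECT to SSL_TOS=ACCEPT to indicate you accept the terms of service for the SSL certificate
      # set forth at https://letsencrypt.org/repository/#let-s-encrypt-subscriber-agreement
      #
      # If SSL_REDIRECT=ENABLED then all incoming non-SSL requests will automatically be redirected to a https:// request
      #
      # Put 1 or more domain names in SSL_DOMAIN. Note that *ALL OF THESE DOMAINS* must be reachable from the internet
      # and render a website that is served from the container upon the start of the container,
      # otherwise the request to get a certificate for them will fail!
      #
      # Also note that more than 5 (failed) requests will cause you to be locked out from getting new certificates for
      # 1 week. Neither we nor Let's Encrypt can "unlock" you. More info: https://letsencrypt.org/docs/rate-limits/
      #
      # SSL stays DISABLED here because TLS is terminated by Traefik (entrypoint "https" in the labels below).
      - SSL=DISABLED
      #- SSL_EMAIL=your@email.com
      #- SSL_DOMAIN=
      #   my.domain.com,
      #   my.second.domain.com,
      #   my.third.domain.com
      #- SSL_TOS=ACCEPT
      #- SSL_REDIRECT=ENABLED
      #
      # These settings will enable GeoIP inclusion or exclusion of requests based on country.
      # Country names are two-letter abbreviations corresponding to the country suffix used in domain names.
      # GEOIP_DEFAULT is "allow" (allow all except for country list)
      #                  "block" (block all except for country list)
      #                  anything else / omitted: presumably no GeoIP blocking — confirm in the image's README
      # GEOIP_RESPONSECODE indicates which HTTP response is sent when a request is blocked by GeoIP.
      # Default code if omitted is 403 (Forbidden). Other codes that may be useful:
      # 402 (payment required, hehe), 404 (doesnt exist), 418 (I am a teapot - used to tell requestors to go away), 410 (Gone), 500 (Internal Server Error),
      # 503 (service unavailable), etc - see https://developer.mozilla.org/en-US/docs/Web/HTTP/Status
      - GEOIP_RESPONSECODE=418
      - GEOIP_DEFAULT=allow
      - GEOIP_COUNTRIES=cn,ru
      #
      # AUTH -- a basic mechanism to use basic authentication
      #
      # Although it's possible to put the usernames and passwords here, we strongly advise putting them in a variable in a `.env` file
      # AUTH=ON -- Basic Authentication is enabled
      # AUTH=OFF or not defined or empty -- Basic Authentication is disabled
      #
      # Add credential usernames for the local web server like this: (note -- this parameter structure is not yet future proof and may change when we add per-website authentication)
      #     LOCAL_CREDS=USERNAME1;PASSWORD1,USERNAME2;PASSWORD2,...   (placeholder values; confirm the separators in the image's README)
      # Local Credentials work only for the local website. If you want to define a credential for a specific
      # REVPROXY destination, you can do so with the REVPROXY parameter (see above).
      # You cannot use Basic Authentication for a REDIRECT entry; this should be implemented by the target website instead.
      #
      #
      - AUTH=OFF
      #- LOCAL_CREDS=
      #
      # BLOCKBOT blocks bots whose User Agent contains all or part of these comma-separated strings.
      # The list as shipped contains a few exact duplicates (Go!Zilla, Go-Ahead-Got-It, GrabNet, HMView);
      # they are harmless for substring matching and are left untouched.
      - BLOCKBOT=
        bot,LieBaoFast,UCBrowser,MQQBrowser,Mb2345Browser,https://gdnplus.com,facebookexternalhit,google,bing,yandex,msnbot,wp-login.php,zgrab,zgrab2,
        AltaVista,Googlebot,Slurp,BlackWidow,Bot,ChinaClaw,Custo,DISCo,Download,Demon,eCatch,EirGrabber,EmailSiphon,EmailWolf,SuperHTTP,Surfbot,WebWhacker,
        Express,WebPictures,ExtractorPro,EyeNetIE,FlashGet,GetRight,GetWeb!,Go!Zilla,Go-Ahead-Got-It,GrabNet,Grafula,HMView,Go!Zilla,Go-Ahead-Got-It,
        rafula,HMView,HTTrack,Stripper,Sucker,Indy,InterGET,Ninja,JetCar,Spider,larbin,LeechFTP,Downloader,tool,Navroad,NearSite,NetAnts,tAkeOut,WWWOFFLE,
        GrabNet,NetSpider,Vampire,NetZIP,Octopus,Offline,PageGrabber,Foto,pavuk,pcBrowser,RealDownload,ReGet,SiteSnagger,SmartDownload,SuperBot,WebSpider,
        Teleport,VoidEYE,Collector,WebAuto,WebCopier,WebFetch,WebGo,WebLeacher,WebReaper,WebSauger,eXtractor,Quester,WebStripper,WebZIP,Widow,Zeus,
        Twengabot,htmlparser,libwww,Python,perl,urllib,scan,email,PycURL,Pyth,PyQ,WebCollector,WebCopy,webcraw,PetalBot,ubermetrics,Firefox/45,
        Vert.x-WebClient,jsonlite,rv:45.0,Nexgate Ruby Client,scoop.it,NetSystemsResearch,Barkrowler,Python-Requests,Expanse,Go-http-client,scpitspi-rs
      #
      # BLOCKBOT_RESPONSECODE indicates which HTTP response is sent when a bot is blocked.
      # Default code if omitted is 403 (Forbidden). Other codes that may be useful:
      # 402 (payment required, hehe), 404 (doesnt exist), 418 (I am a teapot - used to tell requestors to go away), 410 (Gone), 500 (Internal Server Error),
      # 503 (service unavailable), etc - see https://developer.mozilla.org/en-US/docs/Web/HTTP/Status
      - BLOCKBOT_RESPONSECODE=403
      #
      # IPV6 indicates if IPV6 is enabled or disabled on the host and/or docker system.
      # If you disable IPV6 on your system, you may see a container error if you don't set this parameter to "OFF" or "DISABLED" (case insensitive).
      # If the parameter is omitted, the system will assume that IPV6 is enabled.
      - IPV6=ENABLED
      #
      # IPTABLES_BLOCK switches `iptables` based blocking of IP addresses on or off. Default when omitted = off.
      # See README.md for more explanation. Note -- in order for this to work, you MUST add the NET_ADMIN capacity to the container as shown below.
      - IPTABLES_BLOCK=ENABLED
      # IPJAILTIME: how long a blocked address stays jailed — presumably seconds (21600 = 6 h); confirm in README.md.
      - IPJAILTIME=21600
    # NET_ADMIN is required by IPTABLES_BLOCK above; drop it if that feature is disabled.
    cap_add:
      - NET_ADMIN
    tmpfs:
      - /tmp:rw,nosuid,nodev,noexec,relatime,size=128M
      #- /var/log/nginx:rw,nosuid,nodev,noexec,relatime,size=128M
    volumes:
      - $DOCKERDIR/appdata/webproxy:/run/nginx
      - $DOCKERDIR/appdata/webproxy/log:/var/log/nginx
      - "/etc/localtime:/etc/localtime:ro"
      - "/etc/timezone:/etc/timezone:ro"
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.www-rtr.entrypoints=https"
      # The original rule listed `www.$DOMAINNAME` twice; once is enough. If the bare
      # `$DOMAINNAME` should also land here, add it as a second Host() argument.
      - "traefik.http.routers.www-rtr.rule=Host(`www.$DOMAINNAME`)"
      ## Middlewares
      - "traefik.http.routers.www-rtr.middlewares=chain-no-auth@file"
      ## HTTP Services
      - "traefik.http.routers.www-rtr.service=www-svc"
      - "traefik.http.services.www-svc.loadbalancer.server.port=80"

  # 13ft: a web form that fetches a client-supplied URL server-side (per the image's
  # stated purpose — confirm against its README). Reachable from the internet without
  # authentication it would act as an open fetch proxy from this host, so it is routed
  # through Authelia; the original routed it through chain-no-auth@file.
  13ft:
    image: wasimaster/13ft:0.2.3
    container_name: 13ft
    #ports:
    #- "5000:5000"
    <<: *common-keys-apps
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.13ft-rtr.entrypoints=https"
      # The original rule listed `13ft.$DOMAINNAME` twice; once is enough.
      - "traefik.http.routers.13ft-rtr.rule=Host(`13ft.$DOMAINNAME`)"
      ## Middlewares
      - "traefik.http.routers.13ft-rtr.middlewares=chain-authelia@file"
      ## HTTP Services
      - "traefik.http.routers.13ft-rtr.service=13ft-svc"
      - "traefik.http.services.13ft-svc.loadbalancer.server.port=5000"
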