HomeServer/docker-compose.admin.yaml at main · Pyxxil/HomeServer · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
x-common-admin: &admin
  traefik:
    container_name: dash
    image: traefik
    <<: *common
    networks:
      - frontend
    command:
      - --accesslog=true
      - --accesslog.addinternals
      - --accesslog.bufferingsize=100
      - --accesslog.filepath=/var/log/traefik/access-log.json
      - --accesslog.format=json
      - --accesslog.fields.defaultmode=keep
      - --accesslog.fields.headers.defaultmode=keep
      - --accesslog.fields.headers.names.User-Agent=keep
      - --accesslog.fields.headers.names.Referer=keep
      - --api=true
      - --api.dashboard=true
      - --certificatesresolvers.letsencrypt.acme.caserver=https://acme-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=0
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53,9.9.9.9:53
      - --certificatesresolvers.letsencrypt.acme.email=${ADMIN_EMAIL}
      - --certificatesresolvers.letsencrypt.acme.storage=/config/acme.json
      - --entryPoints.ldaps.address=:636/tcp
      - --entryPoints.mqtts.address=:8883
      - --entryPoints.websecure.address=:443
      - --entryPoints.websecure.http.middlewares=compress@file,security@file,ratelimit@file,inflight@file,autodetect@file
      - --entryPoints.websecure.http.tls.certResolver=letsencrypt
      - --entryPoints.websecure.http.tls.domains[0].main=${DOMAIN}
      - --entryPoints.websecure.http.tls.domains[0].sans=*.${DOMAIN}
      - --entryPoints.websecure.http3
      - --entryPoints.websecure.http3.advertisedport=443
      - --entryPoints.websecure.forwardedHeaders.trustedIPs=${TRUSTED_IPS}
      - --entryPoints.websecure.proxyProtocol.trustedIPs=${TRUSTED_IPS}
      - --entryPoints.websecure.forwardedHeaders.insecure=false
      - --entryPoints.websecure.proxyProtocol.insecure=false
      - --entryPoints.websecure.transport.respondingTimeouts.readTimeout=0s
      - --log.compress=true
      - --log.format=json
      - --log.level=info
      - --ping=true
      - --metrics.prometheus=true
      - --metrics.prometheus.addServicesLabels=true
      - --metrics.prometheus.addrouterslabels=true
      - --metrics.prometheus.addEntryPointsLabels=true
      - --metrics.addinternals
      - --providers.docker.defaultRule=Host(`{{ .ContainerName }}.${DOMAIN}`)
      - --providers.docker=true
      - --providers.docker.watch=true
      - --providers.docker.exposedbydefault=true
      - --providers.docker.network=frontend
      - --providers.file.directory=/config
    environment:
      <<: *env-vars
      CLOUDFLARE_DNS_API_TOKEN: ${CLOUDFLARE_DNS_API_TOKEN}
      DOMAIN: ${DOMAIN}
      RESTRICTED: ${RESTRICTED}
    ports:
      - ${IP}:443:443/udp
      - ${VPN_IP}:443:443/udp
      - ${IP}:443:443/tcp
      - ${VPN_IP}:443:443/tcp
      - ${IP}:636:636/tcp
      - ${VPN_IP}:636:636/tcp
      - ${IP}:8883:8883
      - ${VPN_IP}:8883:8883
      - ${IPV6}:443:443/udp
      - ${IPV6}:443:443/tcp
      - ${IPV6}:636:636/tcp
      - ${IPV6}:8883:8883
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - config-traefik:/config
      - /var/log/traefik:/var/log/traefik
    healthcheck:
      test: ["CMD", "traefik", "healthcheck", "--ping"]
      <<: *healthcheck
    depends_on:
      - auth
    labels:
      traefik.http.routers.dashboard.rule: Host(`dash.${DOMAIN}`) && $RESTRICTED
      traefik.http.routers.dashboard.service: api@internal
      traefik.http.routers.dashboard.tls: true
      traefik.http.routers.dashboard.tls.certResolver: letsencrypt
      traefik.http.routers.dashboard.entryPoints: websecure
      traefik.http.routers.dashboard.middlewares: auth@file

  whoami:
    image: traefik/whoami
    container_name: whoami
    <<: *common
    labels:
      traefik.http.routers.whoami.entryPoints: websecure
      traefik.http.routers.whoami.tls: true
      traefik.http.routers.whoami.tls.certResolver: letsencrypt

  auth:
    image: authelia/authelia
    container_name: auth
    <<: *common
    depends_on:
      - ldap
    volumes:
      - config-authelia:/config
    labels:
      traefik.http.services.auth.loadbalancer.server.port: 9091
      traefik.http.routers.auth.entryPoints: websecure
      traefik.http.routers.auth.tls: true
      traefik.http.routers.auth.tls.certResolver: letsencrypt

  ldap:
    image: osixia/openldap
    container_name: ldap
    <<: *common
    hostname: ldap.${DOMAIN}
    restart: always
    volumes:
      - config-ldap-db:/var/lib/ldap
      - config-ldap:/etc/ldap/slapd.d
    healthcheck:
      test: ["CMD-SHELL", "ldapsearch -Y EXTERNAL -H ldapi:/// | grep -i 'numresponses' || exit 1"]
      <<: *healthcheck
    environment:
      <<: *env-vars
      LDAP_ORGANISATION: ${ORGANISATION}
      LDAP_DOMAIN: ${DOMAIN}
      LDAP_BASE_DN: dc=${DC_DOMAIN},dc=${TLD}
      LDAP_RFC2307BIS_SCHEMA: true
      LDAP_ADMIN_PASSWORD: ${LDAP_PASSWORD}
      LDAP_READONLY_USER: false
      LDAP_TLS: true
      LDAP_TLS_VERIFY_CLIENT: 'never'
    labels:
      traefik.tcp.routers.ldap.rule: HostSNI(`${DOMAIN}`)
      traefik.tcp.services.ldap.loadbalancer.server.port: 389
      traefik.tcp.routers.ldap.entryPoints: ldaps
      traefik.tcp.routers.ldap.tls: true
      traefik.tcp.routers.ldap.tls.certResolver: letsencrypt

  ldap-user-manager:
    image: wheelybird/ldap-user-manager
    container_name: account
    hostname: account.${DOMAIN}
    <<: *common
    depends_on:
      - ldap
    healthcheck:
      test: ["CMD-SHELL", "curl --fail localhost:80"]
      <<: *healthcheck
    environment:
      <<: *env-vars
      SERVER_HOSTNAME: account.${DOMAIN}
      ORGANISATION_NAME: ${ORGANISATION}
      LDAP_URI: "ldaps://${DOMAIN}"
      LDAP_BASE_DN: dc=${DC_DOMAIN},dc=${TLD}
      LDAP_ADMINS_GROUP: "admins"
      LDAP_ADMIN_BIND_DN: "cn=admin,dc=${DC_DOMAIN},dc=${TLD}"
      LDAP_ADMIN_BIND_PWD: ${LDAP_PASSWORD}
      LDAP_USES_NIS_SCHEMA: false
      LDAP_REQUIRE_STARTTLS: false
      LDAP_IGNORE_CERT_ERRORS: false
      LDAP_DEBUG: true
      NO_HTTPS: true
      SMTP_LOG_LEVEL: 3
      SMTP_HOSTNAME: ${SMTP_HOST}
      SMTP_HOST_PORT: 25
      SMTP_USE_TLS: true
      SMTP_USERNAME: ${SMTP_USER}
      SMTP_PASSWORD: ${SMTP_PASS}
      EMAIL_FROM_ADDRESS: account@${DOMAIN}
      EMAIL_DOMAIN: ${DOMAIN}
    labels:
      traefik.http.services.ldap-user-manager.loadbalancer.server.port: 80
      traefik.http.routers.ldap-user-manager.entryPoints: websecure
      traefik.http.routers.ldap-user-manager.tls: true
      traefik.http.routers.ldap-user-manager.tls.certResolver: letsencrypt

  ntfy:
    image: binwiederhier/ntfy
    container_name: ntfy
    <<: *common
    command:
      - serve
    volumes:
      - config-ntfy-cache:/var/cache/ntfy
      - config-ntfy:/etc/ntfy
    healthcheck:
      test: ["CMD-SHELL", "wget -q --tries=1 http://localhost:80/v1/health -O - | grep -Eo '\"healthy\"\\s*:\\s*true' || exit 1"]
      <<: *healthcheck
    labels:
      traefik.http.routers.ntfy.rule: Host(`ntfy.${DOMAIN}`) && $RESTRICTED
      traefik.http.routers.ntfy.entryPoints: websecure
      traefik.http.services.ntfy.loadbalancer.server.port: 80
      traefik.http.routers.ntfy.tls: true
      traefik.http.routers.ntfy.tls.certresolver: letsencrypt

  vpn:
    image: qmcgaw/gluetun
    container_name: vpn
    <<: *common
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
    environment:
      <<: *env-vars
      VPN_TYPE: wireguard
      VPN_SERVICE_PROVIDER: mullvad
      WIREGUARD_PRIVATE_KEY: ${MULLVAD_PRIVATE_KEY}
      WIREGUARD_ADDRESSES: ${MULLVAD_ADDRESSES}
      WIREGUARD_ENDPOINT_PORT: ${MULLVAD_ENDPOINT_PORT}
      SERVER_COUNTRIES: Switzerland,Sweden,Netherlands,Denmark,Finland,Germany
      OWNED_ONLY: yes
      FIREWALL_OUTBOUND_SUBNETS: 172.20.0.0/14,fd00::/112
      DOT_PROVIDERS: cloudflare,quad9
      DOT_IPV6: on
    labels:
      # Torrents
      traefik.http.routers.qbittorrent.rule: Host(`downloads.${DOMAIN}`) && $RESTRICTED
      traefik.http.routers.qbittorrent.entryPoints: websecure
      traefik.http.services.qbittorrent.loadbalancer.server.port: 8980
      traefik.http.services.qbittorrent.loadbalancer.passhostheader: false
      traefik.http.routers.qbittorrent.tls: true
      traefik.http.routers.qbittorrent.tls.certResolver: letsencrypt
      traefik.http.middlewares.qbittorrent-headers.headers.customrequestheaders.X-Frame-Options: SAMEORIGIN
      traefik.http.middlewares.qbittorrent-headers.headers.customrequestheaders.Referer: ""
      traefik.http.middlewares.qbittorrent-headers.headers.customrequestheaders.Origin: ""
      traefik.http.routers.qbittorrent.middlewares: qbittorrent-headers,auth@file,security@file
      traefik.http.routers.qbittorrent.service: qbittorrent
      # RSS
      traefik.http.routers.freshrss.rule: Host(`rss.${DOMAIN}`) && $RESTRICTED
      traefik.http.routers.freshrss.entryPoints: websecure
      traefik.http.routers.freshrss.tls: true
      traefik.http.routers.freshrss.tls.certResolver: letsencrypt
      traefik.http.routers.freshrss.middlewares: auth@file,security@file
      traefik.http.services.freshrss.loadbalancer.server.port: 80
      traefik.http.routers.freshrss.service: freshrss