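---
# Self-hosted stack behind Traefik: frpc (config in ./frpc.toml, not shown here)
# runs on the host network; Traefik terminates TLS on :443 with a Let's Encrypt
# resolver, Authelia provides forwardAuth SSO, and CrowdSec + its Traefik bouncer
# filter the websecure entrypoint from the access log.
#
# Secrets are no longer literal in this file: compose interpolates them from the
# environment / .env and fails loudly (${VAR:?msg}) when one is missing.
services:
  watchtower:
    # https://github.com/Foxite/nicholas-fedor-watchtower
    # Note: Original Watchtower unmaintained (https://github.com/containrrr/watchtower/issues/2067), this is a fork.
    # Every service without a pinned tag (and without the watchtower.enable=false
    # label, as frpc has) is auto-pulled and recreated each poll interval.
    container_name: watchtower
    restart: unless-stopped
    image: nickfedor/watchtower
    environment:
      WATCHTOWER_CLEANUP: "true"
      WATCHTOWER_POLL_INTERVAL: "7200"
    volumes:
      # The socket alone is all watchtower needs; `privileged: true` was
      # dropped because it granted host capabilities the image does not use.
      - /var/run/docker.sock:/var/run/docker.sock

  frpc:
    # https://github.com/fatedier/frp
    image: fatedier/frpc:v0.65.0
    container_name: frpc
    restart: always
    network_mode: host
    volumes:
      # Config is only read by frpc, so mount it read-only.
      - ./frpc.toml:/frpc.toml:ro
    labels:
      # Pinned version; keep watchtower from replacing it.
      - "com.centurylinklabs.watchtower.enable=false"
    command: "-c /frpc.toml"

  authelia:
    # https://github.com/authelia/authelia
    image: authelia/authelia
    container_name: authelia
    user: "1000:1000"
    depends_on:
      - authelia-db
    volumes:
      # Holds configuration.yml (and therefore Authelia's own secrets); keep it
      # out of version control.
      - ./authelia_config:/config
    networks:
      - traefik
    expose:
      - 9091
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authelia.rule=Host(`auth.imranr.cloud`)"
      - "traefik.http.routers.authelia.entryPoints=websecure"
      - "traefik.http.routers.authelia.tls.certresolver=le"
      - "traefik.http.routers.authelia.tls=true"
      # `authelia@docker`: browser flow, unauthenticated requests are redirected
      # to the portal (rd=...). `authelia-basic@docker`: HTTP basic auth variant.
      - "traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https%3A%2F%2Fauth.imranr.cloud%2F"
      - "traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true"
      - "traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
      - "traefik.http.middlewares.authelia-basic.forwardAuth.address=http://authelia:9091/api/verify?auth=basic"
      - "traefik.http.middlewares.authelia-basic.forwardAuth.trustForwardHeader=true"
      - "traefik.http.middlewares.authelia-basic.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"

  authelia-db:
    # Session/storage backend for Authelia; only reachable on the internal network.
    image: redis:alpine
    container_name: authelia-db
    user: "1000:1000"
    volumes:
      - authelia_db:/data
    networks:
      - traefik
    expose:
      - 6379
    restart: unless-stopped

  crowdsec:
    # https://github.com/crowdsecurity/crowdsec
    # Parses the Traefik access log (shared via traefik_access_logs) with the
    # linux + traefik collections.
    image: crowdsecurity/crowdsec:latest
    container_name: crowdsec
    environment:
      GID: "${GID-1000}"
      COLLECTIONS: "crowdsecurity/linux crowdsecurity/traefik"
    depends_on:
      - traefik
    volumes:
      - ./crowdsec_config/acquis.yaml:/etc/crowdsec/acquis.yaml:ro
      - ./crowdsec_config/profiles.yaml:/etc/crowdsec/profiles.yaml:ro
      - crowdsec_db:/var/lib/crowdsec/data/
      - traefik_access_logs:/var/log/traefik/:ro
    networks:
      - traefik
    restart: unless-stopped

  crowdsec-bouncer:
    image: docker.io/fbonalair/traefik-crowdsec-bouncer:latest
    container_name: crowdsec-bouncer
    environment:
      # Issued with `cscli bouncers add crowdsecBouncer`. The key previously
      # committed here should be considered exposed and re-issued; the new one
      # lives in .env, never in this file.
      CROWDSEC_BOUNCER_API_KEY: "${CROWDSEC_BOUNCER_API_KEY:?set CROWDSEC_BOUNCER_API_KEY in .env}"
      CROWDSEC_AGENT_HOST: crowdsec:8080
    networks:
      - traefik
    depends_on:
      - crowdsec
    restart: unless-stopped

  crowdsec-dashboard:
    # Metabase over the CrowdSec SQLite database. The bootstrap DB ships with a
    # well-known default admin login: change it on first sign-in rather than
    # recording it in this file.
    image: metabase/metabase
    container_name: crowdsec-dashboard
    depends_on:
      - crowdsec
    restart: unless-stopped
    environment:
      MB_DB_FILE: /data/metabase.db
      MGID: "${GID-1000}"
    networks:
      - traefik
    volumes:
      # Bootstrap dashboard DB from https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/metabase_sqlite.zip
      - ./crowdsec_dash_db:/data
      - crowdsec_db:/metabase-data/
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.crowdsec-dashboard.rule=Host(`crowdsec.imranr.cloud`)"
      - "traefik.http.routers.crowdsec-dashboard.entrypoints=websecure"
      - "traefik.http.routers.crowdsec-dashboard.tls.certresolver=le"
      - "traefik.http.routers.crowdsec-dashboard.tls=true"
      - "traefik.http.routers.crowdsec-dashboard.middlewares=authelia@docker,geoblock@file"
      - "traefik.http.services.crowdsec-dashboard.loadbalancer.server.port=3000"

  traefik:
    # https://github.com/traefik/traefik
    image: traefik:latest
    container_name: traefik
    depends_on:
      - authelia
    command:
      - "--api=true"
      - "--api.dashboard=true"
      # Dashboard is only exposed through the `api` router below (SSO + geoblock).
      - "--api.insecure=false"
      - "--global.sendAnonymousUsage=false"
      - "--global.checkNewVersion=true"
      # DEBUG is verbose; INFO is sufficient once the setup is stable.
      - "--log.level=DEBUG"
      - "--providers.docker=true"
      # Containers must opt in with traefik.enable=true.
      - "--providers.docker.exposedByDefault=false"
      - "--entryPoints.web=true"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
      - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
      - "--entryPoints.websecure=true"
      - "--entryPoints.websecure.address=:443"
      - "--certificatesresolvers.le.acme.email=contact@imranr.dev"
      # Absolute path into the traefik_acme volume so issued certificates survive
      # container recreation regardless of the image's working directory.
      - "--certificatesresolvers.le.acme.storage=/acme/acme.json"
      - "--certificatesresolvers.le.acme.tlschallenge=true"
      # PROXY protocol headers are only honoured from the docker network gateway
      # (where frpc on the host network hands connections over).
      - "--entryPoints.websecure.proxyProtocol.trustedIPs=172.19.0.1/32"
      - "--accesslog=true"
      - "--accesslog.filePath=/var/log/traefik/access.log"
      - "--providers.file.filename=/etc/traefik/dynamic-configuration.yaml"
      # Bouncer and geoblock middlewares are defined in the dynamic config file.
      - "--entryPoints.websecure.http.middlewares=crowdsec-bouncer@file"
      - "--experimental.plugins.geoblock.modulename=github.com/PascalMinder/geoblock"
      - "--experimental.plugins.geoblock.version=v0.3.3"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - traefik_acme:/acme
      - traefik_access_logs:/var/log/traefik/
      - ./traefik_dynamic_config.yaml:/etc/traefik/dynamic-configuration.yaml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`traefik.imranr.cloud`)"
      - "traefik.http.routers.api.entryPoints=websecure"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.tls=true"
      - "traefik.http.routers.api.tls.certresolver=le"
      - "traefik.http.routers.api.middlewares=authelia@docker,geoblock@file"
    restart: unless-stopped
    networks:
      - traefik

  filebrowser:
    # https://github.com/filebrowser/filebrowser
    container_name: filebrowser
    image: filebrowser/filebrowser
    restart: unless-stopped
    user: "1000:1000"
    volumes:
      - ./filebrowser_storage:/srv  # Create first
      - filebrowser_db:/database
    depends_on:
      - traefik
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.filebrowser.rule=Host(`files.imranr.cloud`)"
      - "traefik.http.routers.filebrowser.entrypoints=websecure"
      - "traefik.http.routers.filebrowser.tls=true"
      - "traefik.http.services.filebrowser.loadbalancer.server.port=80"
      - "traefik.http.routers.filebrowser.tls.certresolver=le"
      # Only SSO here: the other routers also add geoblock@file. Presumably
      # intentional (file sharing across regions); confirm.
      - "traefik.http.routers.filebrowser.middlewares=authelia@docker"

  ollama:
    # Model server; not routed by Traefik, reached only by ollama-webui.
    image: ollama/ollama
    container_name: ollama
    volumes:
      - ollama:/root/.ollama
    networks:
      - traefik
    tty: true
    restart: unless-stopped

  ollama-webui:
    image: ghcr.io/open-webui/open-webui:main
    container_name: ollama-webui
    environment:
      - OLLAMA_BASE_URL=http://ollama:11434
      - WEBUI_URL=https://gpt.imranr.cloud
      # OIDC against Authelia; roles come from the `groups` claim.
      - ENABLE_OAUTH_SIGNUP=true
      - OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true
      - OAUTH_CLIENT_ID=open-webui
      # Corresponds to 'client_secret' in Authelia's configuration.yml. The
      # value previously committed here should be rotated on the Authelia side
      # and supplied via .env.
      - "OAUTH_CLIENT_SECRET=${OPENWEBUI_OAUTH_CLIENT_SECRET:?set OPENWEBUI_OAUTH_CLIENT_SECRET in .env}"
      - OPENID_PROVIDER_URL=https://auth.imranr.cloud/.well-known/openid-configuration
      - OAUTH_PROVIDER_NAME=Authelia
      - OAUTH_SCOPES=openid email profile groups
      - ENABLE_OAUTH_ROLE_MANAGEMENT=true
      - OAUTH_ALLOWED_ROLES=admins,dev,family
      - OAUTH_ADMIN_ROLES=admins
      - OAUTH_ROLES_CLAIM=groups
    volumes:
      - ollama_webui:/app/backend/data
    networks:
      - traefik
    depends_on:
      - ollama
      - traefik
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ollama-webui.rule=Host(`gpt.imranr.cloud`)"
      - "traefik.http.routers.ollama-webui.entrypoints=websecure"
      - "traefik.http.routers.ollama-webui.tls.certresolver=le"
      - "traefik.http.routers.ollama-webui.tls=true"
      - "traefik.http.routers.ollama-webui.middlewares=authelia@docker,geoblock@file"
      - "traefik.http.services.ollama-webui.loadbalancer.server.port=8080"

volumes:
  filebrowser_db:
  traefik_acme:
  authelia_db:
  crowdsec_db:
  traefik_access_logs:
  ollama:
  ollama_webui:

networks:
  traefik:
    ipam:
      config:
        # Gateway of this subnet (172.19.0.1) is the trusted PROXY protocol source above.
        - subnet: 172.19.0.0/16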