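---
# Shared log-rotation settings; every service below aliases this anchor.
x-logging: &logging
  options:
    max-size: 10m
    max-file: 5

services:
  dockerproxy:
    # https://github.com/wollomatic/socket-proxy for Traefik and other read-only needs.
    # Whoever can reach this socket gets exactly the Docker API surface allowed
    # below, so the GET allowlist is kept to what Traefik's docker provider calls:
    # version, container list/inspect and the events stream. The wider
    # `containers/.*` would also permit GET containers/{id}/archive (read files
    # out of any container) and containers/{id}/export. If Traefik logs 403s from
    # the proxy, widen this for the specific endpoint rather than re-opening it.
    container_name: dockerproxy
    image: wollomatic/socket-proxy:1
    command:
      - "-loglevel=debug"  # verbose request logging; lower to info once the allowlist is confirmed
      - '-allowGET=(/v1\..{1,2})?/(version|containers/json.*|containers/[^/]+/json.*|events.*)'
      - "-allowHEAD=/_ping"
      - "-shutdowngracetime=5"
      - "-watchdoginterval=600"
      - "-stoponwatchdog"
      - "-proxysocketendpoint=/socket/docker.sock"
      - "-proxysocketendpointfilemode=0600"
    restart: unless-stopped
    read_only: true
    mem_limit: 64M
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges
    user: 65534:964  # replace 964 with the output of "grep docker /etc/group | awk -F: '{print $3}'"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - dockerproxy:/socket/
    logging: *logging

  dockerproxy_priv:
    # https://github.com/wollomatic/socket-proxy for Watchtower and other read-write needs.
    # POST on containers/* and images/* is effectively root on the host (a client
    # can create and start arbitrary containers), which is why this is a separate
    # proxy from the read-only one above and only Watchtower mounts its socket.
    container_name: dockerproxy_priv
    image: wollomatic/socket-proxy:1
    command:
      - "-loglevel=debug"  # set to debug for far more logging
      - '-allowGET=/v1\..{2}/(containers/.*|images/.*)'
      - '-allowPOST=/v1\..{2}/(containers/.*|images/.*|networks/.*)'
      - '-allowDELETE=/v1\..{2}/(containers/.*|images/.*)'
      - "-allowHEAD=/_ping"
      - "-shutdowngracetime=5"
      - "-watchdoginterval=600"
      - "-stoponwatchdog"
      - "-proxysocketendpoint=/socket/docker.sock"
      - "-proxysocketendpointfilemode=0600"
    restart: unless-stopped
    read_only: true
    mem_limit: 64M
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges
    user: 65534:964  # replace 964 with the output of "grep docker /etc/group | awk -F: '{print $3}'"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - dockerproxy_priv:/socket/
    logging: *logging

  watchtower:
    # https://github.com/Foxite/nicholas-fedor-watchtower
    # Note: original Watchtower is unmaintained (https://github.com/containrrr/watchtower/issues/2067); this is a fork.
    # Watchtower talks to Docker only through the proxied socket below, so it does
    # not need `privileged: true` (that flag would hand it the host regardless of
    # what the proxy allows). Re-add it only for a documented, specific need.
    # Caveat: Watchtower pulls whatever the tag points to, and most images in this
    # file are unpinned (`latest` or no tag), so an upstream tag compromise is
    # deployed automatically within one poll interval. Pin digests where possible.
    container_name: watchtower
    restart: unless-stopped
    image: nickfedor/watchtower
    environment:
      WATCHTOWER_CLEANUP: "true"
      WATCHTOWER_POLL_INTERVAL: "7200"
      DOCKER_HOST: "unix:///socket/docker.sock"
    volumes:
      - dockerproxy_priv:/socket/:ro
    depends_on:
      - dockerproxy_priv
    logging: *logging

  frpc:
    # https://github.com/fatedier/frp
    image: fatedier/frpc:v0.65.0
    container_name: frpc
    restart: always
    volumes:
      - ./frpc.toml:/frpc.toml:ro  # frpc only reads its config
    network_mode: host
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
    command: "-c /frpc.toml"
    logging: *logging

  authelia:
    # https://github.com/authelia/authelia
    image: authelia/authelia
    container_name: authelia
    user: "1000:1000"
    depends_on:
      - authelia-db
    volumes:
      - ./authelia_config:/config
    networks:
      - traefik
      - authelia_internal  # reaches Redis on the private network only
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authelia.rule=Host(`auth.imranr.cloud`)"
      - "traefik.http.routers.authelia.entryPoints=websecure"
      - "traefik.http.routers.authelia.tls.certresolver=le"
      - "traefik.http.routers.authelia.tls=true"
      - "traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https%3A%2F%2Fauth.imranr.cloud%2F"
      - "traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true"
      - "traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
      - "traefik.http.middlewares.authelia-basic.forwardAuth.address=http://authelia:9091/api/verify?auth=basic"
      - "traefik.http.middlewares.authelia-basic.forwardAuth.trustForwardHeader=true"
      - "traefik.http.middlewares.authelia-basic.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
    expose:
      - 9091
    restart: unless-stopped
    logging: *logging

  authelia-db:
    # Session store for Authelia. Redis here runs without authentication, so it
    # lives only on the private authelia_internal network rather than the shared
    # traefik network, where any other container could read or alter sessions.
    image: redis:alpine
    container_name: authelia-db
    user: "1000:1000"
    volumes:
      - authelia_db:/data
    networks:
      - authelia_internal
    expose:
      - 6379
    restart: unless-stopped
    logging: *logging

  crowdsec:
    # https://github.com/crowdsecurity/crowdsec
    image: crowdsecurity/crowdsec:latest
    container_name: crowdsec
    environment:
      GID: "${GID-1000}"
      COLLECTIONS: "crowdsecurity/linux crowdsecurity/traefik"
    depends_on:
      - traefik
    volumes:
      - ./crowdsec_config/acquis.yaml:/etc/crowdsec/acquis.yaml:ro
      - ./crowdsec_config/profiles.yaml:/etc/crowdsec/profiles.yaml:ro
      - crowdsec_db:/var/lib/crowdsec/data/
      - traefik_access_logs:/var/log/traefik/:ro
    networks:
      - traefik
    restart: unless-stopped
    logging: *logging

  crowdsec-bouncer:
    image: docker.io/fbonalair/traefik-crowdsec-bouncer:latest
    container_name: crowdsec-bouncer
    environment:
      # Generated with `cscli bouncers add crowdsecBouncer`. Supply it via .env or
      # the environment; it must not be committed in this file. Compose fails
      # fast if the variable is unset.
      CROWDSEC_BOUNCER_API_KEY: "${CROWDSEC_BOUNCER_API_KEY:?set CROWDSEC_BOUNCER_API_KEY in .env}"
      CROWDSEC_AGENT_HOST: crowdsec:8080
    networks:
      - traefik
    depends_on:
      - crowdsec
    restart: unless-stopped
    logging: *logging

  crowdsec-dashboard:
    # The bootstrapped Metabase DB ships with a default admin login; change that
    # password after the first sign-in and keep credentials out of this file.
    image: metabase/metabase
    container_name: crowdsec-dashboard
    depends_on:
      - crowdsec
    restart: unless-stopped
    environment:
      MB_DB_FILE: /data/metabase.db
      MGID: "${GID-1000}"
    networks:
      - traefik
    volumes:
      - ./crowdsec_dash_db:/data  # Bootstrap dashboard DB from https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/metabase_sqlite.zip
      # Metabase only reads the CrowdSec database; mount it :ro if Metabase can
      # open the SQLite file without write access (TODO verify before changing).
      - crowdsec_db:/metabase-data/
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.crowdsec-dashboard.rule=Host(`crowdsec.imranr.cloud`)"
      - "traefik.http.routers.crowdsec-dashboard.entrypoints=websecure"
      - "traefik.http.routers.crowdsec-dashboard.tls.certresolver=le"
      - "traefik.http.routers.crowdsec-dashboard.tls=true"
      - "traefik.http.routers.crowdsec-dashboard.middlewares=authelia@docker,geoblock@file"
      - "traefik.http.services.crowdsec-dashboard.loadbalancer.server.port=3000"
    logging: *logging

  traefik:
    # https://github.com/traefik/traefik
    image: traefik:latest
    container_name: traefik
    depends_on:
      - authelia
      - dockerproxy
    command:
      - "--api=true"
      - "--api.dashboard=true"
      - "--api.insecure=false"
      - "--global.sendAnonymousUsage=false"
      - "--global.checkNewVersion=true"
      - "--log.level=DEBUG"  # debug logs can include request details; drop to INFO when not troubleshooting
      - "--providers.docker=true"
      - "--providers.docker.exposedByDefault=false"
      - "--providers.docker.endpoint=unix:///socket/docker.sock"
      - "--entryPoints.web=true"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
      - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
      - "--entryPoints.websecure=true"
      - "--entryPoints.websecure.address=:443"
      - "--certificatesresolvers.le.acme.email=contact@imranr.dev"
      # Absolute path so ACME state always lands in the traefik_acme volume,
      # independent of the container's working directory.
      - "--certificatesresolvers.le.acme.storage=/acme/acme.json"
      - "--certificatesresolvers.le.acme.tlschallenge=true"
      # Only the docker bridge gateway (where frpc on the host forwards from) may
      # send PROXY protocol headers; nothing else gets to spoof client IPs.
      - "--entryPoints.websecure.proxyProtocol.trustedIPs=172.19.0.1/32"
      - "--accesslog=true"
      - "--accesslog.filePath=/var/log/traefik/access.log"
      - "--providers.file.filename=/etc/traefik/dynamic-configuration.yaml"
      - "--entryPoints.websecure.http.middlewares=crowdsec-bouncer@file"
      - "--experimental.plugins.geoblock.modulename=github.com/PascalMinder/geoblock"
      - "--experimental.plugins.geoblock.version=v0.3.3"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - traefik_acme:/acme
      - traefik_access_logs:/var/log/traefik/
      - ./traefik_dynamic_config.yaml:/etc/traefik/dynamic-configuration.yaml:ro
      - dockerproxy:/socket/:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`traefik.imranr.cloud`)"
      - "traefik.http.routers.api.entryPoints=websecure"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.tls=true"
      - "traefik.http.routers.api.tls.certresolver=le"
      - "traefik.http.routers.api.middlewares=authelia@docker,geoblock@file"
    restart: unless-stopped
    networks:
      - traefik
    logging: *logging

  filebrowser:
    # https://github.com/filebrowser/filebrowser
    container_name: filebrowser
    image: filebrowser/filebrowser
    restart: unless-stopped
    user: "1000:1000"
    volumes:
      - ./filebrowser_storage:/srv  # Create first
      - filebrowser_db:/database
    depends_on:
      - traefik
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.filebrowser.rule=Host(`files.imranr.cloud`)"
      - "traefik.http.routers.filebrowser.entrypoints=websecure"
      - "traefik.http.routers.filebrowser.tls=true"
      - "traefik.http.services.filebrowser.loadbalancer.server.port=80"
      - "traefik.http.routers.filebrowser.tls.certresolver=le"
      - "traefik.http.routers.filebrowser.middlewares=authelia@docker"
    logging: *logging

  ollama:
    # Ollama's API (port 11434) has no authentication and is reachable from every
    # container on the traefik network, not just ollama-webui; a dedicated
    # network like authelia_internal would narrow that.
    image: ollama/ollama
    container_name: ollama
    volumes:
      - ollama:/root/.ollama
    networks:
      - traefik
    tty: true
    restart: unless-stopped
    logging: *logging

  ollama-webui:
    image: ghcr.io/open-webui/open-webui:main
    container_name: ollama-webui
    environment:
      - OLLAMA_BASE_URL=http://ollama:11434
      - WEBUI_URL=https://gpt.imranr.cloud
      - ENABLE_OAUTH_SIGNUP=true
      # Merging by email trusts the IdP's email claim; acceptable here because the
      # IdP is the self-hosted Authelia above, not a public provider.
      - OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true
      - OAUTH_CLIENT_ID=open-webui
      # Corresponds to 'client_secret' in Authelia's configuration.yml. Supplied
      # from .env / the environment; Compose fails fast if it is unset.
      - OAUTH_CLIENT_SECRET=${OPEN_WEBUI_OAUTH_CLIENT_SECRET:?set OPEN_WEBUI_OAUTH_CLIENT_SECRET in .env}
      - OPENID_PROVIDER_URL=https://auth.imranr.cloud/.well-known/openid-configuration
      - OAUTH_PROVIDER_NAME=Authelia
      - OAUTH_SCOPES=openid email profile groups
      - ENABLE_OAUTH_ROLE_MANAGEMENT=true
      - OAUTH_ALLOWED_ROLES=admins,dev,family
      - OAUTH_ADMIN_ROLES=admins
      - OAUTH_ROLES_CLAIM=groups
    volumes:
      - ollama_webui:/app/backend/data
    networks:
      - traefik
    depends_on:
      - ollama
      - traefik
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ollama-webui.rule=Host(`gpt.imranr.cloud`)"
      - "traefik.http.routers.ollama-webui.entrypoints=websecure"
      - "traefik.http.routers.ollama-webui.tls.certresolver=le"
      - "traefik.http.routers.ollama-webui.tls=true"
      - "traefik.http.routers.ollama-webui.middlewares=authelia@docker,geoblock@file"
      - "traefik.http.services.ollama-webui.loadbalancer.server.port=8080"
    logging: *logging

volumes:
  filebrowser_db:
  traefik_acme:
  authelia_db:
  crowdsec_db:
  traefik_access_logs:
  ollama:
  ollama_webui:
  # tmpfs-backed homes for the proxied Docker sockets: tiny, non-executable,
  # owned by the proxy's uid so only it can create the socket file.
  dockerproxy:
    driver: local
    driver_opts:
      type: tmpfs
      device: tmpfs
      o: size=1k,uid=65534,gid=0,mode=0700,noexec
  dockerproxy_priv:
    driver: local
    driver_opts:
      type: tmpfs
      device: tmpfs
      o: size=1k,uid=65534,gid=0,mode=0700,noexec

networks:
  traefik:
    ipam:
      config:
        - subnet: 172.19.0.0/16
  # Private, non-routed network for Authelia <-> Redis; Redis needs no egress.
  authelia_internal:
    internal: true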