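# Shared log-rotation settings, attached to every service below through
# `logging: *logging`, so no container can fill the disk with its stdout.
# No `driver:` is set, so the daemon's default log driver is used.
x-logging: &logging
  options:
    # Option values are strings as far as the log driver is concerned; an
    # unquoted 5 parses as an integer and older compose releases reject
    # non-string logging options, so both values are kept as strings.
    max-size: 10m
    max-file: "5"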
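services:

  # Read-only Docker API proxy for Traefik. Traefik never sees the real
  # /var/run/docker.sock; it gets a filtered socket on the `dockerproxy`
  # tmpfs volume where only the GET/HEAD paths allow-listed below are
  # proxied, so a compromised Traefik can list containers but not create,
  # start or exec into them.
  dockerproxy: # https://github.com/wollomatic/socket-proxy for Traefik and other read-only needs
    container_name: dockerproxy
    image: wollomatic/socket-proxy:1
    command:
      - "-loglevel=debug"
      # Regex allow-list on the API path (optional /v1.xx prefix): version,
      # container listing/inspect and the events stream, nothing else.
      - '-allowGET=(/v1\..{1,2})?/(version|containers/.*|events.*)'
      - "-allowHEAD=/_ping"
      - "-shutdowngracetime=5"
      # Exit when the periodic watchdog check fails; the restart policy
      # brings the proxy back with a fresh socket.
      - "-watchdoginterval=600"
      - "-stoponwatchdog"
      - "-proxysocketendpoint=/socket/docker.sock"
      - "-proxysocketendpointfilemode=0600"
    restart: unless-stopped
    read_only: true
    mem_limit: 64M
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges
    # uid 65534 plus the host's docker GID, which is what lets it open the
    # real socket. Quoted so that a short GID (e.g. 65534:12) cannot be read
    # as a YAML 1.1 sexagesimal integer, and to match the quoted `user:`
    # values of the other services.
    user: "65534:964" # replace 964 with the output of "grep docker /etc/group | awk -F: '{print $3}'"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - dockerproxy:/socket/
    logging: *logging

  # Read-write Docker API proxy for Watchtower. The POST/DELETE allow-list
  # lets a client create, start and remove containers and images, which is
  # host-root-equivalent: treat the `dockerproxy_priv` socket as a root
  # credential and mount it into nothing but Watchtower.
  dockerproxy_priv: # https://github.com/wollomatic/socket-proxy for Watchtower and other read-write needs
    container_name: dockerproxy_priv
    image: wollomatic/socket-proxy:1
    command:
      - "-loglevel=debug" # set to debug for far more logging
      - '-allowGET=/v1\..{2}/(containers/.*|images/.*)'
      - '-allowPOST=/v1\..{2}/(containers/.*|images/.*|networks/.*)'
      - '-allowDELETE=/v1\..{2}/(containers/.*|images/.*)'
      - "-allowHEAD=/_ping"
      - "-shutdowngracetime=5"
      - "-watchdoginterval=600"
      - "-stoponwatchdog"
      - "-proxysocketendpoint=/socket/docker.sock"
      - "-proxysocketendpointfilemode=0600"
    restart: unless-stopped
    read_only: true
    mem_limit: 64M
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges
    # Same hardening and the same quoting rationale as `dockerproxy` above.
    user: "65534:964" # replace 964 with the output of "grep docker /etc/group | awk -F: '{print $3}'"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - dockerproxy_priv:/socket/
    logging: *logging

  # Automatic image updates through the read-write proxy socket.
  # Note: Original Watchtower unmaintained (https://github.com/containrrr/watchtower/issues/2067), this is a fork
  # NOTE(review): several images in this file are unpinned (authelia,
  # traefik:latest, crowdsec:latest, metabase, filebrowser, ollama), so
  # Watchtower will roll them forward unreviewed on every poll; pinning
  # tags and letting Watchtower only notify would make upgrades deliberate,
  # as is already done for frpc below.
  watchtower: # https://github.com/Foxite/nicholas-fedor-watchtower
    container_name: watchtower
    # NOTE(review): `privileged` looks unnecessary — Watchtower only needs
    # the Docker API, which it reaches via DOCKER_HOST below. Privileged
    # mode grants all capabilities and host device access, which undoes the
    # isolation the socket proxy provides; confirm and drop it.
    privileged: true
    restart: unless-stopped
    image: nickfedor/watchtower
    environment:
      WATCHTOWER_CLEANUP: "true"
      # Quoted like the other values: environment entries are strings.
      WATCHTOWER_POLL_INTERVAL: "7200"
      DOCKER_HOST: "unix:///socket/docker.sock"
    volumes:
      - dockerproxy_priv:/socket/:ro
    depends_on:
      - dockerproxy_priv
    logging: *logging

  # Outbound tunnel client (frp) that publishes the Traefik entrypoints via
  # a remote frps; what it tunnels is defined in frpc.toml, not here. Host
  # networking lets it reach the ports Traefik publishes on the host. The
  # tag is pinned and Watchtower is opted out, so tunnel upgrades are manual.
  frpc: # https://github.com/fatedier/frp
    image: fatedier/frpc:v0.65.0
    container_name: frpc
    restart: always
    volumes:
      # Could be mounted :ro — frpc only reads it.
      - ./frpc.toml:/frpc.toml
    network_mode: host
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
    command: "-c /frpc.toml"
    logging: *logging

  # SSO / forward-auth provider. Every protected router references the
  # `authelia@docker` middleware defined in this service's labels.
  authelia: # https://github.com/authelia/authelia
    image: authelia/authelia
    container_name: authelia
    user: "1000:1000"
    depends_on:
      - authelia-db
    volumes:
      # Presumably holds the Authelia secrets and user database; keep it out
      # of version control and readable only by uid 1000.
      - ./authelia_config:/config
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authelia.rule=Host(`auth.imranr.cloud`)"
      - "traefik.http.routers.authelia.entryPoints=websecure"
      - "traefik.http.routers.authelia.tls.certresolver=le"
      - "traefik.http.routers.authelia.tls=true"
      # NOTE(review): /api/verify is Authelia's legacy forward-auth endpoint;
      # newer releases document /api/authz/forward-auth for Traefik. Check
      # against the deployed version, since the image tag is unpinned.
      - "traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https%3A%2F%2Fauth.imranr.cloud%2F"
      - "traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true"
      - "traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
      # Basic-auth variant. No router in this file references it; presumably
      # used from traefik_dynamic_config.yaml.
      - "traefik.http.middlewares.authelia-basic.forwardAuth.address=http://authelia:9091/api/verify?auth=basic"
      - "traefik.http.middlewares.authelia-basic.forwardAuth.trustForwardHeader=true"
      - "traefik.http.middlewares.authelia-basic.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
    expose:
      - 9091
    restart: unless-stopped
    logging: *logging

  # Session store for Authelia. No authentication is configured on it, so
  # it relies entirely on network isolation: every container on the
  # `traefik` network can reach port 6379.
  authelia-db:
    image: redis:alpine
    container_name: authelia-db
    user: "1000:1000"
    volumes:
      - authelia_db:/data
    networks:
      - traefik
    expose:
      - 6379
    restart: unless-stopped
    logging: *logging

  # Intrusion detection: parses the Traefik access log (shared read-only
  # via traefik_access_logs) and serves decisions to the bouncer plugin.
  crowdsec: # https://github.com/crowdsecurity/crowdsec
    image: crowdsecurity/crowdsec:latest
    container_name: crowdsec
    environment:
      GID: "${GID-1000}"
      COLLECTIONS: "crowdsecurity/linux crowdsecurity/traefik crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules"
      # LAPI key for the Traefik bouncer; it must equal the `crowdseclapikey`
      # label on the traefik service. Set BOUNCER_KEY_TRAEFIK in .env and
      # delete the inline default: a key that has been committed to git has
      # to be treated as leaked and rotated.
      BOUNCER_KEY_TRAEFIK: "${BOUNCER_KEY_TRAEFIK:-yRoByFyKf8q/mRg/gedtxE4XqJn+QdTBcSRsGLVx9b8}"
    volumes:
      - ./crowdsec_config/acquis.yaml:/etc/crowdsec/acquis.yaml:ro
      - ./crowdsec_config/profiles.yaml:/etc/crowdsec/profiles.yaml:ro
      - crowdsec_db:/var/lib/crowdsec/data/
      - traefik_access_logs:/var/log/traefik/:ro
    networks:
      - traefik
    restart: unless-stopped
    logging: *logging

  # Metabase front-end over the CrowdSec database, behind SSO and geoblock.
  crowdsec-dashboard:
    image: metabase/metabase # presumably the bootstrap DB's default login: crowdsec@crowdsec.net / !!Cr0wdS3c_M3t4b4s3?? — change it after first sign-in
    container_name: crowdsec-dashboard
    depends_on:
      - crowdsec
      - traefik
    restart: unless-stopped
    environment:
      MB_DB_FILE: /data/metabase.db
      MGID: "${GID-1000}"
    networks:
      - traefik
    volumes:
      - ./crowdsec_dash_db:/data # Bootstrap dashboard DB from https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/metabase_sqlite.zip
      # NOTE(review): the dashboard only reads the CrowdSec data; mounting
      # this :ro would stop a compromised Metabase from altering decisions.
      - crowdsec_db:/metabase-data/
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.crowdsec-dashboard.rule=Host(`crowdsec.imranr.cloud`)"
      - "traefik.http.routers.crowdsec-dashboard.entrypoints=websecure"
      - "traefik.http.routers.crowdsec-dashboard.tls.certresolver=le"
      - "traefik.http.routers.crowdsec-dashboard.tls=true"
      - "traefik.http.routers.crowdsec-dashboard.middlewares=authelia@docker,geoblock@file"
      - "traefik.http.services.crowdsec-dashboard.loadbalancer.server.port=3000"
    logging: *logging

  # Edge proxy. The configuration is default-deny: containers are routed
  # only when they set traefik.enable=true, the dashboard is never exposed
  # insecurely, and every websecure router passes the CrowdSec bouncer.
  traefik: # https://github.com/traefik/traefik
    image: traefik:latest
    container_name: traefik
    depends_on:
      - authelia
      - dockerproxy
      - crowdsec
    command:
      - "--api=true"
      - "--api.dashboard=true"
      - "--api.insecure=false"
      - "--global.sendAnonymousUsage=false"
      - "--global.checkNewVersion=true"
      # DEBUG is very chatty for a production edge; INFO is enough once the
      # routing has settled.
      - "--log.level=DEBUG"
      - "--providers.docker=true"
      - "--providers.docker.exposedByDefault=false"
      # Discovery goes through the read-only socket proxy, never the daemon.
      - "--providers.docker.endpoint=unix:///socket/docker.sock"
      - "--entryPoints.web=true"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
      - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
      - "--entryPoints.websecure=true"
      - "--entryPoints.websecure.address=:443"
      - "--certificatesresolvers.le.acme.email=contact@imranr.dev"
      # Absolute path into the `traefik_acme` volume; the relative
      # ./acme/acme.json it replaces only resolved here because the process
      # runs with / as its working directory.
      - "--certificatesresolvers.le.acme.storage=/acme/acme.json"
      - "--certificatesresolvers.le.acme.tlschallenge=true"
      # PROXY protocol headers are trusted only from the docker gateway of
      # the `traefik` network (172.19.0.1, i.e. the host), which is where
      # the host-networked frpc tunnel connects from.
      - "--entryPoints.websecure.proxyProtocol.trustedIPs=172.19.0.1/32"
      - "--accesslog=true"
      # Shared read-only with crowdsec through the traefik_access_logs volume.
      - "--accesslog.filePath=/var/log/traefik/access.log"
      - "--providers.file.filename=/etc/traefik/dynamic-configuration.yaml"
      # Bouncer bound to the whole entrypoint, so no router can omit it.
      - "--entryPoints.websecure.http.middlewares=crowdsec@docker"
      # Plugins are downloaded at start-up; both are pinned to exact versions.
      - "--experimental.plugins.geoblock.modulename=github.com/PascalMinder/geoblock"
      - "--experimental.plugins.geoblock.version=v0.3.3"
      - "--experimental.plugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
      - "--experimental.plugins.bouncer.version=v1.4.6"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - traefik_acme:/acme
      - traefik_access_logs:/var/log/traefik/
      - ./traefik_dynamic_config.yaml:/etc/traefik/dynamic-configuration.yaml:ro
      - dockerproxy:/socket/:ro
    labels:
      - "traefik.enable=true"
      # Dashboard: TLS plus SSO and geoblock, never --api.insecure.
      - "traefik.http.routers.api.rule=Host(`traefik.imranr.cloud`)"
      - "traefik.http.routers.api.entryPoints=websecure"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.tls=true"
      - "traefik.http.routers.api.tls.certresolver=le"
      - "traefik.http.routers.api.middlewares=authelia@docker,geoblock@file"
      # CrowdSec bouncer middleware. The LAPI key must equal
      # BOUNCER_KEY_TRAEFIK on the crowdsec service; keep it in .env and
      # drop the inline default (a committed key should be rotated).
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.enabled=true"
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdseclapikey=${BOUNCER_KEY_TRAEFIK:-yRoByFyKf8q/mRg/gedtxE4XqJn+QdTBcSRsGLVx9b8}"
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecappsecenabled=true"
      # Same trust boundary as proxyProtocol.trustedIPs above, so the bouncer
      # acts on the real client address rather than the tunnel's.
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.forwardedheaderstrustedips=172.19.0.1"
    restart: unless-stopped
    networks:
      - traefik
    logging: *logging

  # Web file manager over ./filebrowser_storage, behind SSO.
  # NOTE(review): this is the only SSO-protected router without
  # geoblock@file; add it to the middlewares label unless that is intended.
  filebrowser: # https://github.com/filebrowser/filebrowser
    container_name: filebrowser
    image: filebrowser/filebrowser
    restart: unless-stopped
    user: "1000:1000"
    volumes:
      - ./filebrowser_storage:/srv # Create first
      - filebrowser_db:/database
    depends_on:
      - traefik
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.filebrowser.rule=Host(`files.imranr.cloud`)"
      - "traefik.http.routers.filebrowser.entrypoints=websecure"
      - "traefik.http.routers.filebrowser.tls=true"
      - "traefik.http.services.filebrowser.loadbalancer.server.port=80"
      - "traefik.http.routers.filebrowser.tls.certresolver=le"
      - "traefik.http.routers.filebrowser.middlewares=authelia@docker"
    logging: *logging

  # LLM backend. Nothing is published and no traefik labels are set, so it
  # is reachable only from other containers on the `traefik` network
  # (ollama-webui). No `user:` is set, so it runs as the image default.
  ollama:
    image: ollama/ollama
    container_name: ollama
    volumes:
      - ollama:/root/.ollama
    networks:
      - traefik
    tty: true
    restart: unless-stopped
    logging: *logging

  # Chat UI in front of ollama. Sign-in is OIDC against Authelia; sign-up is
  # open but limited to the groups in OAUTH_ALLOWED_ROLES, and the admins
  # group maps to the admin role.
  ollama-webui:
    image: ghcr.io/open-webui/open-webui:main
    container_name: ollama-webui
    environment:
      - OLLAMA_BASE_URL=http://ollama:11434
      - WEBUI_URL=https://gpt.imranr.cloud
      - ENABLE_OAUTH_SIGNUP=true
      # Merging by e-mail is acceptable here because Authelia is the only
      # identity provider and its e-mail addresses are operator-managed.
      - OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true
      - OAUTH_CLIENT_ID=open-webui
      # Set OAUTH_CLIENT_SECRET in .env and delete the inline default; the
      # committed value should be rotated in the Authelia config as well.
      - OAUTH_CLIENT_SECRET=${OAUTH_CLIENT_SECRET:-T9GGizmCpZCFp6mez~.kiB.1wxu~~VTi9m42IuqSC2q-xYlpsdlDPAd50~IMZGVQuInmgSkL} # Corresponds to 'client_secret' in configuration.yml
      - OPENID_PROVIDER_URL=https://auth.imranr.cloud/.well-known/openid-configuration
      - OAUTH_PROVIDER_NAME=Authelia
      - OAUTH_SCOPES=openid email profile groups
      - ENABLE_OAUTH_ROLE_MANAGEMENT=true
      - OAUTH_ALLOWED_ROLES=admins,dev,family
      - OAUTH_ADMIN_ROLES=admins
      - OAUTH_ROLES_CLAIM=groups
    volumes:
      - ollama_webui:/app/backend/data
    networks:
      - traefik
    depends_on:
      - ollama
      - traefik
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ollama-webui.rule=Host(`gpt.imranr.cloud`)"
      - "traefik.http.routers.ollama-webui.entrypoints=websecure"
      - "traefik.http.routers.ollama-webui.tls.certresolver=le"
      - "traefik.http.routers.ollama-webui.tls=true"
      - "traefik.http.routers.ollama-webui.middlewares=authelia@docker,geoblock@file"
      - "traefik.http.services.ollama-webui.loadbalancer.server.port=8080"
    logging: *logging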
# Named volumes, listed in the order their owning services appear above.
# The two `dockerproxy*` entries are tiny tmpfs mounts that only ever hold
# the proxied unix socket: owned by the proxy's uid (65534), mode 0700 so
# only that uid (and root) can enter the directory, and noexec. Everything
# else is a plain local volume with default settings.
volumes:
  dockerproxy:
    driver: local
    driver_opts:
      type: tmpfs
      device: tmpfs
      o: 'size=1k,uid=65534,gid=0,mode=0700,noexec'
  dockerproxy_priv:
    driver: local
    driver_opts:
      type: tmpfs
      device: tmpfs
      o: 'size=1k,uid=65534,gid=0,mode=0700,noexec'
  authelia_db:
  crowdsec_db:
  traefik_acme:
  traefik_access_logs:
  filebrowser_db:
  ollama:
  ollama_webui:
# Single internal bridge shared by everything behind Traefik. The fixed
# subnet matters: Docker hands the first usable address (172.19.0.1) to the
# gateway unless told otherwise, and Traefik's proxyProtocol.trustedIPs and
# the bouncer's forwardedheaderstrustedips are pinned to that address.
networks:
  traefik:
    ipam:
      config:
        - subnet: '172.19.0.0/16'