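# Docker Compose stack: Traefik (reverse-proxy) + Authelia in front of a set of
# self-hosted services (databases, Home Assistant and friends, Grafana, VW tools).
# Secrets are read from $SECRETSDIR files; per-site values come from .env.
# Reviewer notes are marked "NOTE(review):" and are observations to verify, not
# assertions about runtime behaviour beyond what this file shows.
version: "3.9"

secrets:
  authelia_jwt_secret:
    file: $SECRETSDIR/authelia_jwt_secret
  authelia_session_secret:
    file: $SECRETSDIR/authelia_session_secret
  authelia_storage_postgres_password:
    file: $SECRETSDIR/authelia_storage_postgres_password
  authelia_storage_encryption_key_file:
    file: $SECRETSDIR/authelia_storage_encryption_key_file
  authelia_notifier_smtp_password:
    file: $SECRETSDIR/authelia_notifier_smtp_password
  authelia_duo_api_secret_key:
    file: $SECRETSDIR/authelia_duo_api_secret_key
  vwfriend_password:
    file: $SECRETSDIR/vwfriend_password
  vwconnect_password:
    file: $SECRETSDIR/vwconnect_password

########################### EXTENSION FIELDS ##########################
# Helps eliminate repetition of sections
# More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228
#######################################################################
# NOTE(review): neither anchor below is aliased anywhere in this file, so the
# per-service environment/networks/security_opt blocks are still spelled out
# by hand (and "no-new-privileges" is therefore not applied to any service).
x-environment: &default-tz-puid-pgid
  - TZ=$TZ
  - PUID=${UID}
  - PGID=${GID}

x-common-keys-monitoring: &common-keys-monitoring
  networks:
    - backend
  security_opt:
    - no-new-privileges:true
  restart: always

services:
  reverse-proxy:
    # The official v2.0 Traefik docker image
    image: traefik:v2.10
    container_name: "traefik"
    logging:
      driver: "json-file"
      options:
        max-size: "5m"
        max-file: "3"
    restart: unless-stopped
    networks:
      - backend
      - frontend
    ports:
      # The HTTP port
      - "80:80"
      - "443:443"
      # Influx
      - "8086:8086"
      # Mqtt
      - "9001:9001"
      - "8883:8883"
    volumes:
      # So that Traefik can listen to the Docker events
      # NOTE(review): the Docker socket grants the proxy root-equivalent control
      # of the host; a ":ro" flag does not limit the API, only a socket proxy
      # or a restricted provider endpoint does.
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.yml:/etc/traefik/traefik.yml
      - ./traefik:/rules
      - ./static_config.yml:/etc/traefik/static_config.yml
      # - "./log.json:/etc/traefik/log.json"
      # - ./acme.json:/acme.json
      - ./letsencrypt/acme.json:/letsencrypt/acme.json
      - ${DIR}/traefik/log:/log
    environment:
      # Cloudflare DNS-challenge credentials are read from .env instead of being
      # committed here. The global API key that used to be inline in this file
      # was in version control and should be treated as compromised: rotate it,
      # and prefer a scoped token (CF_DNS_API_TOKEN) over the global key.
      - CF_API_EMAIL=${CF_API_EMAIL}
      - CF_API_KEY=${CF_API_KEY}
      - CLOUDFLARE_IPS
      - LOCAL_IPS
    labels:
      - diun.enable=true
      - "traefik.http.routers.zighome-secure.middlewares=chain-authelia@file"
    dns:
      - 8.8.8.8

  authelia:
    image: authelia/authelia:4
    container_name: authelia
    volumes:
      - ./authelia:/config
      - ./notify.txt:/tmp/authelia/notification.txt
    networks:
      - backend
    ports:
      # The HTTP port
      # NOTE(review): publishing 9091 on the host makes the portal reachable
      # over plain HTTP next to the TLS route below; Traefik reaches it on the
      # backend network without this mapping.
      - "9091:9091"
    environment:
      - TZ=$TZ
      - PUID=$PUID
      - PGID=$PGID
      - AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret
      - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret
      - AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE=/run/secrets/authelia_storage_postgres_password
      # - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/authelia_notifier_smtp_password
      - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/authelia_duo_api_secret_key
      - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/authelia_storage_encryption_key_file
    labels:
      - diun.enable=true
      - "traefik.enable=true"
      - "traefik.http.routers.authelia.entrypoints=web-secure"
      - "traefik.http.routers.authelia.rule=Host(`authelia.${DOMAIN}`)"
      - "traefik.http.services.authelia-service.loadbalancer.server.port=9091"
      - "traefik.http.routers.authelia.tls.certresolver=milvert_dns"
      - "traefik.http.routers.authelia.tls=true"
      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth?authelia_url=https://authelia.${DOMAIN}" # yamllint disable-line rule:line-length
      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email" # yamllint disable-line rule:line-length
    secrets:
      - authelia_jwt_secret
      - authelia_session_secret
      - authelia_storage_postgres_password
      - authelia_notifier_smtp_password
      - authelia_duo_api_secret_key
      - authelia_storage_encryption_key_file

  adguard:
    container_name: adguard
    image: adguard/adguardhome:v0.107.40
    restart: unless-stopped
    # NOTE(review): adguard is only attached to docker_vlan, not to backend,
    # so the Traefik router below can only reach it via its macvlan address —
    # verify that the proxy actually has a route to 10.0.0.204.
    networks:
      docker_vlan:
        ipv4_address: 10.0.0.204
    ports:
      - "53/udp"
      - "67/udp"
      - "68/tcp"
      - "68/udp"
      - "80/tcp"
      - "443/tcp"
      - "853/tcp"
      - "3000/tcp"
    volumes:
      - ./adguard/conf:/opt/adguardhome/conf
      - ./adguard/work:/opt/adguardhome/work
    labels:
      - diun.enable=true
      - "traefik.enable=true"
      - "traefik.http.services.adguard.loadbalancer.server.port=3000"
      - "traefik.http.routers.adguard.entrypoints=web-secure"
      # NOTE(review): this Host rule is identical to the vwgrafana router's
      # rule further down, so two routers compete for the same hostname and
      # which one serves vwgrafana.${DOMAIN} is undefined. Presumably this was
      # meant to be adguard.${DOMAIN} — confirm before changing.
      - "traefik.http.routers.adguard.rule=Host(`vwgrafana.${DOMAIN}`)"
      - "traefik.http.routers.adguard.middlewares=chain-authelia@file"
      - "traefik.http.routers.adguard.tls.certresolver=milvert_dns"
      - "traefik.http.routers.adguard.tls=true"

  ######################### DATABASE ############################
  #
  # DATABASE
  #
  ###############################################################
  db:
    # NOTE(review): an old 10.5 point release; check it still receives fixes.
    image: mariadb:10.5.6
    container_name: mariaDB
    logging:
      driver: "json-file"
      options:
        max-size: "5m"
        max-file: "3"
    restart: always
    networks:
      - backend
    volumes:
      - ${DIR}/database:/var/lib/mysql:rw
    ports:
      # NOTE(review): binds 3307 on every host interface; adminer reaches the
      # database over the backend network, so this mapping exists only for
      # host-side clients — scope it (e.g. 127.0.0.1:3307:3306) if that is all
      # it is for.
      - "3307:3306"
    labels:
      - diun.enable=true
      - "traefik.enable=false"
    environment:
      - PUID=${UID}
      - PGID=${GID}
      - TZ=${TZ}
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
      - MYSQL_USER=${MYSQL_USERNAME}
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}

  web_db:
    # NOTE(review): unpinned tag; every pull may change the image.
    image: adminer
    container_name: adminer
    logging:
      driver: "json-file"
      options:
        max-size: "5m"
        max-file: "3"
    restart: always
    networks:
      - backend
    labels:
      - diun.enable=true
      - "traefik.enable=true"
      # NOTE(review): the allow-list only helps if Traefik sees the real client
      # address (ipStrategy / trusted forwarded headers); there is no Authelia
      # chain on this router, so the allow-list plus Adminer's own login is the
      # whole gate in front of the database UI.
      - "traefik.http.middlewares.webdb-mid.ipwhitelist.sourcerange=127.0.0.1/32, 10.0.0.1/24"
      - "traefik.http.routers.webdb-secure.middlewares=webdb-mid"
      - "traefik.http.routers.webdb-secure.entrypoints=web-secure"
      - "traefik.http.routers.webdb-secure.rule=Host(`webdb.${DOMAIN}`)"
      - "traefik.http.routers.webdb-secure.tls.certresolver=milvert_dns"
      - "traefik.http.routers.webdb-secure.tls=true"
      - "traefik.http.services.webdb-service.loadbalancer.server.port=8080"
    depends_on:
      - db
    environment:
      # NOTE(review): MYSQL_* and PMA_ARBITRARY look like phpMyAdmin variables;
      # the adminer image does not document them, so the root password may be
      # handed to this web container for nothing — verify and drop if unused.
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
      - MYSQL_USER=${MYSQL_USERNAME}
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
      - PMA_ARBITRARY=1

  postgres:
    image: postgres:15
    container_name: postgres
    logging:
      driver: "json-file"
      options:
        max-size: "5m"
        max-file: "3"
    restart: always
    networks:
      - backend
    volumes:
      - ${DIR}/database_pg/data:/var/lib/postgresql/data
    labels:
      - diun.enable=true
      - "traefik.enable=false"
    environment:
      - PUID=${UID}
      - PGID=${GID}
      - TZ=${TZ}
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}

  pgadmin:
    container_name: pgadmin_container
    # NOTE(review): unpinned tag.
    image: dpage/pgadmin4
    logging:
      driver: "json-file"
      options:
        max-size: "5m"
        max-file: "3"
    environment:
      PUID: "${UID}"
      PGID: "${GID}"
      TZ: "${TZ}"
      PGADMIN_DEFAULT_EMAIL: "${PGADMIN_DEFAULT_EMAIL}"
      PGADMIN_DEFAULT_PASSWORD: "${PGADMIN_DEFAULT_PASSWORD}"
    volumes:
      # NOTE(review): confirm /root/.pgadmin is where this image version keeps
      # its data; otherwise nothing is persisted across recreation.
      - ${DIR}/database_pg/pgadmin:/root/.pgadmin
    networks:
      - backend
    restart: unless-stopped
    depends_on:
      - postgres
    labels:
      - diun.enable=true
      - "traefik.enable=true"
      # NOTE(review): with the allow-list below commented out and no Authelia
      # chain, the webpg router is protected only by pgAdmin's own login.
      # - "traefik.http.middlewares.webpg-mid.ipwhitelist.sourcerange=127.0.0.1/32, 10.0.0.1/24"
      # - "traefik.http.routers.webpg-secure.middlewares=webpg-mid"
      - "traefik.http.routers.webpg-secure.entrypoints=web-secure"
      - "traefik.http.routers.webpg-secure.rule=Host(`webpg.${DOMAIN}`)"
      - "traefik.http.routers.webpg-secure.tls.certresolver=milvert_dns"
      - "traefik.http.routers.webpg-secure.tls=true"
      # - "traefik.http.services.webpg-service.loadbalancer.server.port=8080"

  redis:
    image: redis:7.0-alpine
    container_name: redis
    logging:
      driver: "json-file"
      options:
        max-size: "5m"
        max-file: "3"
    restart: always
    networks:
      - backend
    volumes:
      # NOTE(review): the official image's data directory is /data; verify
      # that /var/lib/redis is what this instance persists to.
      - ${DIR}/redis:/var/lib/redis
    # NOTE(review): with the entrypoint below disabled redis runs without
    # requirepass — every container on the backend network has full access.
    # entrypoint: redis-server --appendonly yes --requirepass $REDIS_PASSWORD --maxmemory 512mb --maxmemory-policy allkeys-lru
    labels:
      - diun.enable=true

  ######################### HOME ############################
  #
  # HOME
  #
  ###############################################################
  ha:
    container_name: ha
    image: homeassistant/home-assistant:2023.11
    restart: always
    # NOTE(review): privileged disables nearly all container isolation; if it
    # is only for a USB/serial device, a "devices:" entry (as zwave-js does)
    # is the narrower grant.
    privileged: true
    networks:
      backend:
      docker_vlan:
        ipv4_address: 10.0.0.203
    depends_on:
      - postgres
    ports:
      - "8123:8123"
    volumes:
      - ./ha/config:/config
      - /etc/localtime:/etc/localtime:ro
    environment:
      # NOTE(review): ${UUID}/${PGID} here vs ${UID}/${GID} in the database
      # services — presumably both pairs are defined in .env; confirm UUID is
      # not a typo for UID.
      - PUID=${UUID}
      - PGID=${PGID}
      - TZ=${TZ}
    labels:
      - diun.enable=true
      - "traefik.enable=true"
      - "traefik.http.routers.ha.entrypoints=web-secure"
      - "traefik.http.routers.ha.rule=Host(`ha.${DOMAIN}`)"
      - "traefik.http.routers.ha.middlewares=chain-no-auth@file"
      - "traefik.http.routers.ha.tls.certresolver=milvert_dns"
      - "traefik.http.routers.ha.tls=true"
      - "traefik.http.services.ha.loadbalancer.server.port=8123"

  hassconf:
    container_name: hassconf
    image: causticlab/hass-configurator-docker:0.5.2
    restart: unless-stopped
    networks:
      - backend
    ports:
      - "3218:3218"
    volumes:
      - ./ha/hass_config:/config
      - ./ha/config:/hass-config
    depends_on:
      - ha
    labels:
      - diun.enable=true
    environment:
      - PUID=${UUID}
      - PGID=${PGID}
      - TZ=${TZ}

  appdaemon:
    container_name: appdaemon
    image: acockburn/appdaemon:4.4.2
    restart: unless-stopped
    depends_on:
      - ha
    labels:
      - diun.enable=true
    volumes:
      - ./ha/appdaemon_config:/conf
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "5050:5050"
    networks:
      - backend
    environment:
      - PUID=${UUID}
      - PGID=${PGID}
      - TZ=${TZ}
      # The following values are overridden in docker-compose.override.yml
      - HA_URL=http://ha:8123
      - DASH_URL=http://appdaemon:5050
      # The long-lived Home Assistant access token that used to be inline here
      # was committed to version control; revoke it in Home Assistant and
      # supply a fresh one via .env (APPDAEMON_TOKEN is the variable name
      # chosen here) or via the override file mentioned above.
      - TOKEN=${APPDAEMON_TOKEN}

  zwave-js:
    container_name: zwave-js
    image: zwavejs/zwave-js-ui:9
    restart: always
    tty: true
    stop_signal: SIGINT
    environment:
      - SESSION_SECRET=${ZWAVE_SECRET}
      - ZWAVEJS_EXTERNAL_CONFIG=/usr/src/app/store/.config-db
      - PUID=${UUID}
      - PGID=${PGID}
      - TZ=${TZ}
    networks:
      - backend
    devices:
      - '/dev/serial/by-id/usb-0658_0200-if00:/dev/zwave'
    volumes:
      - ./ha/zwave-config:/usr/src/app/store
    ports:
      - '8091:8091'  # port for web interface
      - '3002:3000'  # port for Z-Wave JS websocket server
    labels:
      - diun.enable=true

  evcc:
    command:
      - evcc
    container_name: evcc
    image: evcc/evcc:0.123.7
    ports:
      - "7070:7070/tcp"
    dns:
      - 8.8.8.8
    volumes:
      - "./evcc/evcc.yaml:/etc/evcc.yaml:ro"
      - ./evcc/evcc:/root/.evcc
    restart: unless-stopped
    networks:
      - backend
    labels:
      - diun.enable=true
      - "traefik.enable=true"
      - "traefik.http.routers.evcc.entrypoints=web-secure"
      - "traefik.http.routers.evcc.rule=Host(`box.${DOMAIN}`)"
      - "traefik.http.services.evcc.loadbalancer.server.port=7070"
      # NOTE(review): chain-no-auth publishes this UI without the Authelia
      # gate; evcc has no login of its own in this file's configuration.
      - "traefik.http.routers.evcc.middlewares=chain-no-auth@file"
      - "traefik.http.routers.evcc.tls.certresolver=milvert_dns"
      - "traefik.http.routers.evcc.tls=true"

  grafana:
    image: grafana/grafana:10.0.0
    container_name: grafana
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "5"
    restart: always
    networks:
      - backend
    volumes:
      - ./grafana/grafana.ini:/etc/grafana/grafana.ini
      # Data persistency
      # sudo mkdir -p /srv/docker/grafana/data; chown 472:472 /srv/docker/grafana/data
      - "${DIR}/grafana:/var/lib/grafana"
    labels:
      - diun.enable=true
      - "traefik.enable=true"
      - "traefik.http.routers.grafana-secure.entrypoints=web-secure"
      - "traefik.http.routers.grafana-secure.rule=Host(`data.${DOMAIN}`)"
      - "traefik.http.routers.grafana-secure.middlewares=chain-no-auth@file"
      - "traefik.http.routers.grafana-secure.tls.certresolver=milvert_dns"
      - "traefik.http.routers.grafana-secure.tls=true"

  ######################### WEB ############################
  #
  # WEB
  #
  ###############################################################
  librespeed:
    image: ghcr.io/linuxserver/librespeed:5.2.5
    container_name: librespeed
    environment:
      - PUID=${UUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - PASSWORD=${LIBRESPEED_PW}
      - CUSTOM_RESULTS=false
      - DB_TYPE=sqlite
    volumes:
      - ./librespeed/config:/config
    restart: unless-stopped
    networks:
      - backend
    labels:
      - diun.enable=true
      - "traefik.enable=true"
      - "traefik.http.routers.librespeed.entrypoints=web-secure"
      - "traefik.http.routers.librespeed.rule=Host(`librespeed.${DOMAIN}`)"
      - "traefik.http.routers.librespeed.middlewares=chain-authelia@file"
      - "traefik.http.routers.librespeed.tls.certresolver=milvert_dns"
      - "traefik.http.routers.librespeed.tls=true"

  vwsfriend:
    image: tillsteinbach/vwsfriend:0.24.2
    container_name: vwfriend
    ports:
      - "${VWSFRIEND_PORT-4000}:${VWSFRIEND_PORT-4000}"
    networks:
      - backend
    volumes:
      - ./vwsfriend_data:/config
    environment:
      - VWSFRIEND_USERNAME=${VWSFRIEND_USERNAME-admin}
      # NOTE(review): the password is passed in the environment even though the
      # vwfriend_password / vwconnect_password secrets are attached below and
      # nothing here references /run/secrets for them — one of the two paths
      # is probably unused.
      - VWSFRIEND_PASSWORD=${VWSFRIEND_PASSWORD}
      - VWSFRIEND_PORT=${VWSFRIEND_PORT-4000}
      - WECONNECT_USER
      - WECONNECT_PASSWORD
      - WECONNECT_SPIN
      - WECONNECT_INTERVAL
      # NOTE(review): the database password is embedded in this URL and thus
      # visible in `docker inspect` and process listings.
      - DATABASE_URL=postgresql://${VW_DB_USER}:${VW_DB_PASSWORD}@${VW_DB_HOSTNAME}:5432/${VW_DB_NAME}
      - ADDITIONAL_PARAMETERS=--with-database --with-abrp ${ADDITIONAL_PARAMETERS}
    depends_on:
      - postgres
    restart: unless-stopped
    dns:
      - 8.8.8.8
    healthcheck:
      test: '(wget -qO- http://localhost:${VWSFRIEND_PORT-4000}/healthcheck | grep "ok" -q) || exit 1'
      interval: 60s
      timeout: 10s
      retries: 3
    secrets:
      - vwfriend_password
      - vwconnect_password
    labels:
      - diun.enable=true
      - "traefik.enable=true"
      - "traefik.http.services.vwsfriend-service.loadbalancer.server.port=4000"
      - "traefik.http.routers.vwsfriend.entrypoints=web-secure"
      - "traefik.http.routers.vwsfriend.rule=Host(`vw.${DOMAIN}`)"
      - "traefik.http.routers.vwsfriend.middlewares=chain-no-auth@file"
      - "traefik.http.routers.vwsfriend.tls.certresolver=milvert_dns"
      - "traefik.http.routers.vwsfriend.tls=true"

  vwgrafana:
    image: tillsteinbach/vwsfriend-grafana:0.24.2
    container_name: vwgrafana
    ports:
      # NOTE(review): defaults differ (host 3001, container 3000) but both sides
      # follow GF_SERVER_HTTP_PORT once it is set — presumably intentional.
      - "${GF_SERVER_HTTP_PORT-3001}:${GF_SERVER_HTTP_PORT-3000}"
    networks:
      backend:
    volumes:
      - ./vwfriend_grafana/data:/var/lib/grafana
      - ./vwfriend_grafana/dashboard:/home/grafana/dummy
    environment:
      - PUID=${UUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - GF_SECURITY_ADMIN_USER=${VWSFRIEND_USERNAME-admin}
      # NOTE(review): "secret" fallbacks below become the live admin and DB
      # passwords whenever the variable is missing from .env; this router is on
      # chain-no-auth, so consider failing instead (${VAR:?msg} syntax).
      - GF_SECURITY_ADMIN_PASSWORD=${VWSFRIEND_PASSWORD-secret}
      - GF_SERVER_HTTP_PORT=${GF_SERVER_HTTP_PORT-3000}
      - DB_USER=${VW_DB_USER-admin}
      - DB_PASSWORD=${VW_DB_PASSWORD-secret}
      # NOTE(review): lower-case "vw_DB_HOSTNAME" does not match the
      # VW_DB_HOSTNAME used by vwsfriend — likely a typo, so the default
      # "postgres" is what actually applies.
      - DB_HOSTNAME=${vw_DB_HOSTNAME-postgres}
      - DB_PORT=${DB_PORT-5432}
      - DB_NAME=${VW_DB_NAME-vwsfriend}
      - VWSFRIEND_USERNAME=${VWSFRIEND_USERNAME-admin}
      - VWSFRIEND_PASSWORD=${VWSFRIEND_PASSWORD-secret}
      # NOTE(review): the default hostname "vwsfriendbackend" matches neither
      # the service name (vwsfriend) nor its container_name (vwfriend).
      - VWSFRIEND_HOSTNAME=${VWSFRIEND_HOSTNAME-vwsfriendbackend}
      - VWSFRIEND_PORT=${VWSFRIEND_PORT-4000}
    restart: unless-stopped
    healthcheck:
      test:
        - "CMD-SHELL"
        - "(wget -qO- http://localhost:${GF_SERVER_HTTP_PORT-3000}/api/health | grep '\"database\": \"ok\"' -q) || exit 1"
      interval: 60s
      timeout: 10s
      retries: 3
    labels:
      - diun.enable=true
      - "traefik.enable=true"
      - "traefik.http.services.vwgrafana.loadbalancer.server.port=3000"
      - "traefik.http.routers.vwgrafana.entrypoints=web-secure"
      # NOTE(review): same Host rule as the adguard router above.
      - "traefik.http.routers.vwgrafana.rule=Host(`vwgrafana.${DOMAIN}`)"
      - "traefik.http.routers.vwgrafana.middlewares=chain-no-auth@file"
      - "traefik.http.routers.vwgrafana.tls.certresolver=milvert_dns"
      - "traefik.http.routers.vwgrafana.tls=true"

networks:
  frontend:
    external: true
  backend:
    external: false
  # MACVLAN guide: https://blog.oddbit.com/post/2018-03-12-using-docker-macvlan-networks/
  # ip link add vlan-shim link eno1 type macvlan mode bridge
  # ip addr add 10.0.0.223/32 dev vlan-shim
  # ip link set vlan-shim up
  # ip route add 10.0.0.192/27 dev vlan-shim
  docker_vlan:
    # NOTE(review): for an external network Compose does not create it, so the
    # driver/driver_opts/ipam keys below describe intent only — the network
    # must be created out-of-band with matching settings. Also note that
    # 10.0.0.200/27 is not on a /27 boundary; the route above uses 10.0.0.192/27.
    external: true
    driver: macvlan
    driver_opts:
      parent: eno1
    ipam:
      config:
        - subnet: 10.0.0.200/27

volumes:
  # NOTE(review): declared but not referenced by any service (vwgrafana uses a
  # bind mount) — Compose creates an empty named volume.
  vwfriend_grafana: {}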