527 lines
16 KiB
YAML
527 lines
16 KiB
YAML
version: "3.9"
|
|
|
|
secrets:
|
|
authelia_jwt_secret:
|
|
file: $SECRETSDIR/authelia_jwt_secret
|
|
authelia_session_secret:
|
|
file: $SECRETSDIR/authelia_session_secret
|
|
authelia_storage_postgres_password:
|
|
file: $SECRETSDIR/authelia_storage_postgres_password
|
|
authelia_storage_encryption_key_file:
|
|
file: $SECRETSDIR/authelia_storage_encryption_key_file
|
|
authelia_notifier_smtp_password:
|
|
file: $SECRETSDIR/authelia_notifier_smtp_password
|
|
authelia_duo_api_secret_key:
|
|
file: $SECRETSDIR/authelia_duo_api_secret_key
|
|
vwfriend_password:
|
|
file: $SECRETSDIR/vwfriend_password
|
|
vwconnect_password:
|
|
file: $SECRETSDIR/vwconnect_password
|
|
|
|
|
|
########################### EXTENSION FIELDS ##########################
|
|
# Helps eliminate repetition of sections
|
|
# More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228
|
|
#######################################################################
|
|
x-environment: &default-tz-puid-pgid
|
|
- TZ=$TZ
|
|
- PUID=${UID}
|
|
- PGID=${GID}
|
|
|
|
x-common-keys-monitoring: &common-keys-monitoring
|
|
networks:
|
|
- backend
|
|
security_opt:
|
|
- no-new-privileges:true
|
|
restart: always
|
|
|
|
services:
|
|
|
|
|
|
reverse-proxy:
|
|
# The official v2.0 Traefik docker image
|
|
image: traefik:v2.9
|
|
container_name: "traefik"
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-size: "5m"
|
|
max-file: "3"
|
|
restart: unless-stopped
|
|
networks:
|
|
- backend
|
|
- frontend
|
|
ports:
|
|
# The HTTP port
|
|
- "80:80"
|
|
- "443:443"
|
|
# Influx
|
|
- "8086:8086"
|
|
# Mqtt
|
|
- "9001:9001"
|
|
- "8883:8883"
|
|
volumes:
|
|
# So that Traefik can listen to the Docker events
|
|
- /var/run/docker.sock:/var/run/docker.sock
|
|
- ./traefik.yml:/etc/traefik/traefik.yml
|
|
- ./traefik:/rules
|
|
- ./static_config.yml:/etc/traefik/static_config.yml
|
|
# - "./log.json:/etc/traefik/log.json"
|
|
#- ./acme.json:/acme.json
|
|
- ./letsencrypt/acme.json:/letsencrypt/acme.json
|
|
- ${DIR}/traefik/log:/log
|
|
environment:
|
|
- CF_API_EMAIL=simon@milvert.com
|
|
- CF_API_KEY=48d9ae3752afb6e73d99d23c432ba8e38b24c
|
|
- CLOUDFLARE_IPS
|
|
- LOCAL_IPS
|
|
labels:
|
|
- diun.enable=true
|
|
- "traefik.http.routers.zighome-secure.middlewares=chain-authelia@file"
|
|
dns:
|
|
- 8.8.8.8
|
|
|
|
authelia:
|
|
image: authelia/authelia:4
|
|
container_name: authelia
|
|
volumes:
|
|
- ./authelia:/config
|
|
- ./notify.txt:/tmp/authelia/notification.txt
|
|
networks:
|
|
- backend
|
|
ports:
|
|
# The HTTP port
|
|
- "9091:9091"
|
|
environment:
|
|
- TZ=$TZ
|
|
- PUID=$PUID
|
|
- PGID=$PGID
|
|
- AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret
|
|
- AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret
|
|
- AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE=/run/secrets/authelia_storage_postgres_password
|
|
#- AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/authelia_notifier_smtp_password
|
|
- AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/authelia_duo_api_secret_key
|
|
- AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/authelia_storage_encryption_key_file
|
|
labels:
|
|
- diun.enable=true
|
|
- "traefik.enable=true"
|
|
- "traefik.http.routers.authelia.entrypoints=web-secure"
|
|
- "traefik.http.routers.authelia.rule=Host(`authelia.${DOMAIN}`)"
|
|
- "traefik.http.services.authelia-service.loadbalancer.server.port=9091"
|
|
- "traefik.http.routers.authelia.tls.certresolver=milvert_dns"
|
|
- "traefik.http.routers.authelia.tls=true"
|
|
- "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth?authelia_url=https://authelia.${DOMAIN}" # yamllint disable-line rule:line-length
|
|
- "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
|
|
- "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email" # yamllint disable-line rule:line-length
|
|
secrets:
|
|
- authelia_jwt_secret
|
|
- authelia_session_secret
|
|
- authelia_storage_postgres_password
|
|
- authelia_notifier_smtp_password
|
|
- authelia_duo_api_secret_key
|
|
- authelia_storage_encryption_key_file
|
|
|
|
|
|
######################### DATABASE ############################
|
|
#
|
|
# DATABASE
|
|
#
|
|
###############################################################
|
|
|
|
db:
|
|
image: mariadb:10.5.6
|
|
container_name: mariaDB
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-size: "5m"
|
|
max-file: "3"
|
|
restart: always
|
|
networks:
|
|
- backend
|
|
volumes:
|
|
- ${DIR}/database:/var/lib/mysql:rw
|
|
ports:
|
|
- "3307:3306"
|
|
labels:
|
|
- diun.enable=true
|
|
- "traefik.enable=false"
|
|
environment:
|
|
- PUID=${UID}
|
|
- PGID=${GID}
|
|
- TZ=${TZ}
|
|
- MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
|
|
- MYSQL_USER=${MYSQL_USERNAME}
|
|
- MYSQL_PASSWORD=${MYSQL_PASSWORD}
|
|
|
|
web_db:
|
|
image: adminer
|
|
container_name: adminer
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-size: "5m"
|
|
max-file: "3"
|
|
restart: always
|
|
networks:
|
|
- backend
|
|
labels:
|
|
- diun.enable=true
|
|
- "traefik.enable=true"
|
|
- "traefik.http.middlewares.webdb-mid.ipwhitelist.sourcerange=127.0.0.1/32, 10.0.0.1/24"
|
|
- "traefik.http.routers.webdb-secure.middlewares=webdb-mid"
|
|
- "traefik.http.routers.webdb-secure.entrypoints=web-secure"
|
|
- "traefik.http.routers.webdb-secure.rule=Host(`webdb.${DOMAIN}`)"
|
|
- "traefik.http.routers.webdb-secure.tls.certresolver=milvert_dns"
|
|
- "traefik.http.routers.webdb-secure.tls=true"
|
|
- "traefik.http.services.webdb-service.loadbalancer.server.port=8080"
|
|
depends_on:
|
|
- db
|
|
environment:
|
|
- MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
|
|
- MYSQL_USER=${MYSQL_USERNAME}
|
|
- MYSQL_PASSWORD=${MYSQL_PASSWORD}
|
|
- PMA_ARBITRARY=1
|
|
|
|
postgres:
|
|
image: postgres:15
|
|
container_name: postgres
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-size: "5m"
|
|
max-file: "3"
|
|
restart: always
|
|
networks:
|
|
- backend
|
|
volumes:
|
|
- ${DIR}/database_pg/data:/var/lib/postgresql/data
|
|
labels:
|
|
- diun.enable=true
|
|
- "traefik.enable=false"
|
|
environment:
|
|
- PUID=${UID}
|
|
- PGID=${GID}
|
|
- TZ=${TZ}
|
|
- POSTGRES_USER=${POSTGRES_USER}
|
|
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
|
|
|
|
|
|
pgadmin:
|
|
container_name: pgadmin_container
|
|
image: dpage/pgadmin4
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-size: "5m"
|
|
max-file: "3"
|
|
environment:
|
|
PUID: ${UID}
|
|
PGID: ${GID}
|
|
TZ: ${TZ}
|
|
PGADMIN_DEFAULT_EMAIL: ${PGADMIN_DEFAULT_EMAIL}
|
|
PGADMIN_DEFAULT_PASSWORD: ${PGADMIN_DEFAULT_PASSWORD}
|
|
volumes:
|
|
- ${DIR}/database_pg/pgadmin:/root/.pgadmin
|
|
networks:
|
|
- backend
|
|
restart: unless-stopped
|
|
depends_on:
|
|
- postgres
|
|
labels:
|
|
- diun.enable=true
|
|
- "traefik.enable=true"
|
|
#- "traefik.http.middlewares.webpg-mid.ipwhitelist.sourcerange=127.0.0.1/32, 10.0.0.1/24"
|
|
# # # - "traefik.http.routers.webpg-secure.middlewares=webpg-mid"
|
|
- "traefik.http.routers.webpg-secure.entrypoints=web-secure"
|
|
- "traefik.http.routers.webpg-secure.rule=Host(`webpg.${DOMAIN}`)"
|
|
- "traefik.http.routers.webpg-secure.tls.certresolver=milvert_dns"
|
|
- "traefik.http.routers.webpg-secure.tls=true"
|
|
#- "traefik.http.services.webpg-service.loadbalancer.server.port=8080"
|
|
|
|
redis:
|
|
image: redis:7.0-alpine
|
|
container_name: redis
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-size: "5m"
|
|
max-file: "3"
|
|
restart: always
|
|
networks:
|
|
- backend
|
|
volumes:
|
|
- ${DIR}/redis:/var/lib/redis
|
|
#entrypoint: redis-server --appendonly yes --requirepass $REDIS_PASSWORD --maxmemory 512mb --maxmemory-policy allkeys-lru
|
|
labels:
|
|
- diun.enable=true
|
|
|
|
######################### HOME ############################
|
|
#
|
|
# HOME
|
|
#
|
|
###############################################################
|
|
|
|
ha:
|
|
container_name: ha
|
|
image: homeassistant/home-assistant:2023.8
|
|
restart: always
|
|
privileged: true
|
|
networks:
|
|
backend:
|
|
docker_vlan:
|
|
ipv4_address: 10.0.0.203
|
|
depends_on:
|
|
- postgres
|
|
ports:
|
|
- 8123:8123
|
|
volumes:
|
|
- ./ha/config:/config
|
|
- /etc/localtime:/etc/localtime:ro
|
|
environment:
|
|
- PUID=${UUID}
|
|
- PGID=${PGID}
|
|
- TZ=${TZ}
|
|
labels:
|
|
- diun.enable=true
|
|
- "traefik.enable=true"
|
|
- "traefik.http.routers.ha.entrypoints=web-secure"
|
|
- "traefik.http.routers.ha.rule=Host(`ha.${DOMAIN}`)"
|
|
- "traefik.http.routers.ha.middlewares=chain-no-auth@file"
|
|
- "traefik.http.routers.ha.tls.certresolver=milvert_dns"
|
|
- "traefik.http.routers.ha.tls=true"
|
|
- "traefik.http.services.ha.loadbalancer.server.port=8123"
|
|
|
|
hassconf:
|
|
container_name: hassconf
|
|
image: causticlab/hass-configurator-docker:0.5.2
|
|
restart: unless-stopped
|
|
networks:
|
|
- backend
|
|
ports:
|
|
- 3218:3218
|
|
volumes:
|
|
- ./ha/hass_config:/config
|
|
- ./ha/config:/hass-config
|
|
depends_on:
|
|
- ha
|
|
labels:
|
|
- diun.enable=true
|
|
environment:
|
|
- PUID=${UUID}
|
|
- PGID=${PGID}
|
|
- TZ=${TZ}
|
|
|
|
appdaemon:
|
|
container_name: appdaemon
|
|
image: acockburn/appdaemon:4.4.2
|
|
restart: unless-stopped
|
|
depends_on:
|
|
- ha
|
|
labels:
|
|
- diun.enable=true
|
|
volumes:
|
|
- ./ha/appdaemon_config:/conf
|
|
- /etc/localtime:/etc/localtime:ro
|
|
ports:
|
|
- 5050:5050
|
|
networks:
|
|
- backend
|
|
environment:
|
|
- PUID=${UUID}
|
|
- PGID=${PGID}
|
|
- TZ=${TZ}
|
|
# The following values ar overridden in docker-compose.override.yml
|
|
- HA_URL=http://ha:8123
|
|
- DASH_URL=http://appdaemon:5050
|
|
- TOKEN=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJmZmM0YTI1ZjVlYWM0NGY5OTA3OGFmOWJiMTJmYmUzZCIsImlhdCI6MTY5MzczMDQwNSwiZXhwIjoyMDA5MDkwNDA1fQ.YVH8WhH6FMvTkecJ-taCACP6kVG9is2hHmTR3tk3cns
|
|
|
|
evcc:
|
|
command:
|
|
- evcc
|
|
container_name: evcc
|
|
image: evcc/evcc:0.120.0
|
|
ports:
|
|
- 7070:7070/tcp
|
|
dns:
|
|
- 8.8.8.8
|
|
volumes:
|
|
- "./evcc/evcc.yaml:/etc/evcc.yaml:ro"
|
|
- ./evcc/evcc:/root/.evcc
|
|
restart: unless-stopped
|
|
networks:
|
|
- backend
|
|
labels:
|
|
- diun.enable=true
|
|
- "traefik.enable=true"
|
|
- "traefik.http.routers.evcc.entrypoints=web-secure"
|
|
- "traefik.http.routers.evcc.rule=Host(`box.${DOMAIN}`)"
|
|
- "traefik.http.services.evcc.loadbalancer.server.port=7070"
|
|
- "traefik.http.routers.evcc.middlewares=chain-no-auth@file"
|
|
- "traefik.http.routers.evcc.tls.certresolver=milvert_dns"
|
|
- "traefik.http.routers.evcc.tls=true"
|
|
|
|
grafana:
|
|
image: grafana/grafana:10.0.0
|
|
container_name: grafana
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-size: "10m"
|
|
max-file: "5"
|
|
restart: always
|
|
networks:
|
|
- backend
|
|
volumes:
|
|
- ./grafana/grafana.ini:/etc/grafana/grafana.ini
|
|
# Data persistency
|
|
# sudo mkdir -p /srv/docker/grafana/data; chown 472:472 /srv/docker/grafana/data
|
|
- "${DIR}/grafana:/var/lib/grafana"
|
|
labels:
|
|
- diun.enable=true
|
|
- "traefik.enable=true"
|
|
- "traefik.http.routers.grafana-secure.entrypoints=web-secure"
|
|
- "traefik.http.routers.grafana-secure.rule=Host(`data.${DOMAIN}`)"
|
|
- "traefik.http.routers.grafana-secure.middlewares=chain-no-auth@file"
|
|
- "traefik.http.routers.grafana-secure.tls.certresolver=milvert_dns"
|
|
- "traefik.http.routers.grafana-secure.tls=true"
|
|
|
|
######################### WEB ############################
|
|
#
|
|
# WEB
|
|
#
|
|
###############################################################
|
|
|
|
librespeed:
|
|
image: ghcr.io/linuxserver/librespeed:5.2.5
|
|
container_name: librespeed
|
|
environment:
|
|
- PUID=${UUID}
|
|
- PGID=${PGID}
|
|
- TZ=${TZ}
|
|
- PASSWORD=${LIBRESPEED_PW}
|
|
- CUSTOM_RESULTS=false
|
|
- DB_TYPE=sqlite
|
|
volumes:
|
|
- ./librespeed/config:/config
|
|
restart: unless-stopped
|
|
networks:
|
|
- backend
|
|
labels:
|
|
- diun.enable=true
|
|
- "traefik.enable=true"
|
|
- "traefik.http.routers.librespeed.entrypoints=web-secure"
|
|
- "traefik.http.routers.librespeed.rule=Host(`librespeed.${DOMAIN}`)"
|
|
- "traefik.http.routers.librespeed.middlewares=chain-authelia@file"
|
|
- "traefik.http.routers.librespeed.tls.certresolver=milvert_dns"
|
|
- "traefik.http.routers.librespeed.tls=true"
|
|
|
|
|
|
vwsfriend:
|
|
image: tillsteinbach/vwsfriend:0.23.11
|
|
container_name: vwfriend
|
|
ports:
|
|
- ${VWSFRIEND_PORT-4000}:${VWSFRIEND_PORT-4000}
|
|
networks:
|
|
- backend
|
|
volumes:
|
|
- ./vwsfriend_data:/config
|
|
environment:
|
|
- VWSFRIEND_USERNAME=${VWSFRIEND_USERNAME-admin}
|
|
- VWSFRIEND_PASSWORD=${VWSFRIEND_PASSWORD}
|
|
- VWSFRIEND_PORT=${VWSFRIEND_PORT-4000}
|
|
- WECONNECT_USER
|
|
- WECONNECT_PASSWORD
|
|
- WECONNECT_SPIN
|
|
- WECONNECT_INTERVAL
|
|
- DATABASE_URL=postgresql://${VW_DB_USER}:${VW_DB_PASSWORD}@${VW_DB_HOSTNAME}:5432/${VW_DB_NAME}
|
|
- ADDITIONAL_PARAMETERS=--with-database --with-abrp ${ADDITIONAL_PARAMETERS}
|
|
depends_on:
|
|
- postgres
|
|
restart: unless-stopped
|
|
dns:
|
|
- 8.8.8.8
|
|
healthcheck:
|
|
test: (wget -qO- http://localhost:${VWSFRIEND_PORT-4000}/healthcheck | grep "ok" -q) || exit 1
|
|
interval: 60s
|
|
timeout: 10s
|
|
retries: 3
|
|
secrets:
|
|
- vwfriend_password
|
|
- vwconnect_password
|
|
labels:
|
|
- diun.enable=true
|
|
- "traefik.enable=true"
|
|
- "traefik.http.services.vwsfriend-service.loadbalancer.server.port=4000"
|
|
- "traefik.http.routers.vwsfriend.entrypoints=web-secure"
|
|
- "traefik.http.routers.vwsfriend.rule=Host(`vw.${DOMAIN}`)"
|
|
- "traefik.http.routers.vwsfriend.middlewares=chain-no-auth@file"
|
|
- "traefik.http.routers.vwsfriend.tls.certresolver=milvert_dns"
|
|
- "traefik.http.routers.vwsfriend.tls=true"
|
|
|
|
vwgrafana:
|
|
image: tillsteinbach/vwsfriend-grafana:0.23.11
|
|
container_name: vwgrafana
|
|
ports:
|
|
- ${GF_SERVER_HTTP_PORT-3001}:${GF_SERVER_HTTP_PORT-3000}
|
|
networks:
|
|
backend:
|
|
volumes:
|
|
- ./vwfriend_grafana/data:/var/lib/grafana
|
|
- ./vwfriend_grafana/dashboard:/home/grafana/dummy
|
|
environment:
|
|
- PUID=${UUID}
|
|
- PGID=${PGID}
|
|
- TZ=${TZ}
|
|
- GF_SECURITY_ADMIN_USER=${VWSFRIEND_USERNAME-admin}
|
|
- GF_SECURITY_ADMIN_PASSWORD=${VWSFRIEND_PASSWORD-secret}
|
|
- GF_SERVER_HTTP_PORT=${GF_SERVER_HTTP_PORT-3000}
|
|
- DB_USER=${VW_DB_USER-admin}
|
|
- DB_PASSWORD=${VW_DB_PASSWORD-secret}
|
|
- DB_HOSTNAME=${vw_DB_HOSTNAME-postgres}
|
|
- DB_PORT=${DB_PORT-5432}
|
|
- DB_NAME=${VW_DB_NAME-vwsfriend}
|
|
- VWSFRIEND_USERNAME=${VWSFRIEND_USERNAME-admin}
|
|
- VWSFRIEND_PASSWORD=${VWSFRIEND_PASSWORD-secret}
|
|
- VWSFRIEND_HOSTNAME=${VWSFRIEND_HOSTNAME-vwsfriendbackend}
|
|
- VWSFRIEND_PORT=${VWSFRIEND_PORT-4000}
|
|
restart: unless-stopped
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "(wget -qO- http://localhost:${GF_SERVER_HTTP_PORT-3000}/api/health | grep '\"database\": \"ok\"' -q) || exit 1"]
|
|
interval: 60s
|
|
timeout: 10s
|
|
retries: 3
|
|
labels:
|
|
- diun.enable=true
|
|
- "traefik.enable=true"
|
|
- "traefik.http.services.vwgrafana.loadbalancer.server.port=3000"
|
|
- "traefik.http.routers.vwgrafana.entrypoints=web-secure"
|
|
- "traefik.http.routers.vwgrafana.rule=Host(`vwgrafana.${DOMAIN}`)"
|
|
- "traefik.http.routers.vwgrafana.middlewares=chain-no-auth@file"
|
|
- "traefik.http.routers.vwgrafana.tls.certresolver=milvert_dns"
|
|
- "traefik.http.routers.vwgrafana.tls=true"
|
|
|
|
|
|
networks:
|
|
frontend:
|
|
external: true
|
|
backend:
|
|
external: false
|
|
|
|
# MACVLAN guide: https://blog.oddbit.com/post/2018-03-12-using-docker-macvlan-networks/
|
|
# ip link add vlan-shim link eno1 type macvlan mode bridge
|
|
# ip addr add 10.0.0.223/32 dev vlan-shim
|
|
# ip link set vlan-shim up
|
|
# ip route add 10.0.0.192/27 dev vlan-shim
|
|
docker_vlan:
|
|
external: true
|
|
driver: macvlan
|
|
driver_opts:
|
|
parent: eno1
|
|
ipam:
|
|
config:
|
|
- subnet: 10.0.0.200/27
|
|
|
|
volumes:
|
|
vwfriend_grafana:
|