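---
# Single-host stack: Traefik terminates TLS on :443 and routes by path to
# Nextcloud, Forgejo and a Prometheus/Grafana/Loki monitoring bundle.
# `x-` extension fields (x-logging below) require compose file format 3.4+
# and file-backed secrets require 3.1+; "3.3" would be rejected by compose v1
# for the extension field. Compose v2 ignores `version` altogether.
version: "3.4"

# Every secret is a plain file under ./secrets and is mounted at
# /run/secrets/<name> only in the services that list it. Do not commit the
# files themselves.
secrets:
  nextcloud_db_password:
    file: ./secrets/nextcloud_db_password
  nextcloud_db_root_password:
    file: ./secrets/nextcloud_db_root_password
  nextcloud_admin_password:
    file: ./secrets/nextcloud_admin_password
  forgejo_db_root_password:
    file: ./secrets/forgejo_db_root_password
  # NOTE(review): new secret (path constructed to follow the pattern above).
  # It replaces the plaintext MYSQL_PASSWORD / FORGEJO__database__PASSWD that
  # were previously inlined in forgejo-db and forgejo-app. Its content must be
  # the password the `forgejo` DB user already has: MariaDB only applies
  # MYSQL_PASSWORD when it initialises an empty data directory.
  forgejo_db_password:
    file: ./secrets/forgejo_db_password

# logger driver - change this driver to ship all container logs to a different location
# The loki log driver is a daemon-side plugin, so "localhost" here is the Docker
# host; that is why loki-app publishes 3100 on 127.0.0.1 only.
x-logging: &logging
  logging:
    driver: loki
    options:
      loki-url: "http://localhost:3100/loki/api/v1/push"

services:
  traefik:
    image: "traefik:v2.10"
    container_name: "traefik"
    restart: unless-stopped
    <<: *logging
    command:
      - "--log.level=INFO"
      - "--accesslog=true"
      - "--accesslog.filePath=/logs/access.log"
      # Dashboard/API are reachable only through the authenticated router
      # defined in the labels below, never on an insecure :8080 entrypoint.
      - "--api.insecure=false"
      - "--api.dashboard=true"
      - "--providers.docker=true"
      # Containers must opt in with traefik.enable=true.
      - "--providers.docker.exposedbydefault=false"
      - "--providers.file.directory=/conf"
      - "--entrypoints.websecure.address=:443"
      - "--metrics.prometheus=true"
      #- "--entrypoints.forge.address=:3000"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=badctoxymoron@gmx.de"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "443:443"
      #- "3000:3000"
      #- "8080:8080"
    volumes:
      - ./letsencrypt:/letsencrypt
      - ./traefik/logs:/logs
      - ./traefik/conf:/conf
      # ":ro" only affects the socket file node; a client can still issue any
      # Docker API call through it. Keep traefik the only service that mounts it.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "traefik.enable=true"
      # Make the traefik dashboard available under https://oxmox.root.sx/traefik/dashboard/
      # For some reason it's slow when used this way. It's fast when exposed via port 8080 and api.insecure=true.
      - "traefik.http.routers.traefik_api.rule=Host(`oxmox.root.sx`) && (PathPrefix(`/api`) || PathPrefix(`/traefik`))"
      - "traefik.http.routers.traefik_api.entrypoints=websecure"
      - "traefik.http.routers.traefik_api.tls.certresolver=myresolver"
      - "traefik.http.routers.traefik_api.service=api@internal"
      - "traefik.http.routers.traefik_api.middlewares=traefik_api_auth,traefik_api_strip"
      # htpasswd (apr1) entry; "$" is doubled because compose interpolates "$".
      # The same middleware guards prometheus, grafana and loki further down.
      # NOTE(review): the hash lives in version control; consider moving it to
      # the file provider directory (./traefik/conf) or a secret.
      - "traefik.http.middlewares.traefik_api_auth.basicauth.users=florian:$$apr1$$x/GrMMGU$$Dn7yVliaRFEwlW17SNh6s."
      - "traefik.http.middlewares.traefik_api_strip.stripprefix.prefixes=/traefik"

  # Demo service: echoes the request (headers, client IP) at /whoami without
  # authentication. Useful while debugging routing; remove it once done.
  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`oxmox.root.sx`) && Path(`/whoami`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=myresolver"

  nextcloud-db:
    image: mariadb:latest
    container_name: "nextcloud-db"
    restart: unless-stopped
    <<: *logging
    command:
      - --transaction-isolation=READ-COMMITTED
      - --log-bin=binlog
      - --binlog-format=ROW
      # Memory usage tuning.
      - --max-connections=100
      - --thread-cache-size=2
      - --query-cache-size=1048576
      - --sort-buffer-size=1048576
      - --bulk-insert-buffer-size=0
      - --tmp-table-size=4194304
      - --max-heap-table-size=4194304
      - --key-buffer-size=4194304
      - --read-buffer-size=131072
      - --read-rnd-buffer-size=262144
      - --innodb-buffer-pool-size=10485760
      - --innodb-log-buffer-size=4194304
    volumes:
      - ./nextcloud-db:/var/lib/mysql
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      # NOTE(review): PUID/PGID are a linuxserver.io convention; confirm the
      # official mariadb image honours them, otherwise they are no-ops.
      - PUID=1000
      - PGID=1000
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_PASSWORD_FILE=/run/secrets/nextcloud_db_password
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/nextcloud_db_root_password
    secrets:
      - nextcloud_db_password
      - nextcloud_db_root_password
    labels:
      # Not needed with exposedbydefault=false, kept as explicit intent.
      - "traefik.enable=false"

  nextcloud-app:
    image: nextcloud:stable
    container_name: "nextcloud-app"
    restart: unless-stopped
    <<: *logging
    # Service-name DNS on the default network replaces the legacy `links`;
    # depends_on keeps the start-up ordering.
    depends_on:
      - nextcloud-db
    volumes:
      - ./nextcloud-app/nextcloud:/var/www/html
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_HOST=nextcloud-db
      - MYSQL_PASSWORD_FILE=/run/secrets/nextcloud_db_password
      # The app only ever connects as the `nextcloud` user, so the DB root
      # password is no longer passed in or mounted here.
      # reverse proxy setup
      - APACHE_DISABLE_REWRITE_IP=1
      # Must cover the network traefik talks to nextcloud on;
      # presumably the compose default network - TODO confirm with
      # `docker network inspect`.
      - TRUSTED_PROXIES=192.168.128.0/24
      # Was "*", which accepts any Host header (password-reset links, redirects
      # and share URLs would follow an attacker-supplied host). The stack only
      # routes this hostname anyway. The image applies the value at initial
      # install; an existing instance keeps trusted_domains in config.php.
      - NEXTCLOUD_TRUSTED_DOMAINS=oxmox.root.sx
      # PHP tuning
      - PHP_MEMORY_LIMIT=256M # default=512M
      - PHP_UPLOAD_LIMIT=512M # default=512M
      # Sadly this did not work for me.
      #- NEXTCLOUD_ADMIN_USER=admin
      #- NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/nextcloud_admin_password
    secrets:
      - nextcloud_db_password
      # Only needed if the commented-out admin bootstrap above is re-enabled.
      - nextcloud_admin_password
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud_app.rule=Host(`oxmox.root.sx`) && PathPrefix(`/nextcloud`)"
      - "traefik.http.routers.nextcloud_app.entrypoints=websecure"
      - "traefik.http.routers.nextcloud_app.tls.certresolver=myresolver"
      - "traefik.http.routers.nextcloud_app.middlewares=nextcloud_app_strip"
      - "traefik.http.middlewares.nextcloud_app_strip.stripprefix.prefixes=/nextcloud"
      # CalDAV/CardDAV discovery: rewrite /.well-known/{cal,card}dav to the DAV endpoint.
      - "traefik.http.routers.nextcloud_dav.rule=Host(`oxmox.root.sx`) && PathPrefix(`/.well-known/`)"
      - "traefik.http.routers.nextcloud_dav.entrypoints=websecure"
      - "traefik.http.routers.nextcloud_dav.tls.certresolver=myresolver"
      - "traefik.http.routers.nextcloud_dav.middlewares=nextcloud_app_dav"
      - "traefik.http.middlewares.nextcloud_app_dav.replacepathregex.regex=^/.well-known/ca(l|rd)dav"
      - "traefik.http.middlewares.nextcloud_app_dav.replacepathregex.replacement=/remote.php/dav/"

  forgejo-db:
    image: mariadb:latest
    container_name: "forgejo-db"
    restart: unless-stopped
    <<: *logging
    command:
      - --transaction-isolation=READ-COMMITTED
      - --log-bin=binlog
      - --binlog-format=ROW
      # Memory usage tuning.
      - --max-connections=100
      - --thread-cache-size=2
      - --query-cache-size=1048576
      - --sort-buffer-size=1048576
      - --bulk-insert-buffer-size=0
      - --tmp-table-size=4194304
      - --max-heap-table-size=4194304
      - --key-buffer-size=4194304
      - --read-buffer-size=131072
      - --read-rnd-buffer-size=262144
      - --innodb-buffer-pool-size=10485760
      - --innodb-log-buffer-size=4194304
    volumes:
      - ./forgejo/db:/var/lib/mysql
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      # NOTE(review): see nextcloud-db - PUID/PGID may be no-ops for this image.
      - PUID=1000
      - PGID=1000
      - MYSQL_DATABASE=forgejo
      - MYSQL_USER=forgejo
      # Same file-based mechanism as nextcloud-db instead of a plaintext value.
      - MYSQL_PASSWORD_FILE=/run/secrets/forgejo_db_password
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/forgejo_db_root_password
    secrets:
      - forgejo_db_password
      - forgejo_db_root_password
    labels:
      - "traefik.enable=false"

  forgejo-app:
    image: codeberg.org/forgejo/forgejo:1.20.3-0
    container_name: "forgejo-app"
    restart: unless-stopped
    <<: *logging
    depends_on:
      - forgejo-db
    volumes:
      - ./forgejo/data:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      - USER_UID=1000
      - USER_GID=1000
      - FORGEJO__database__DB_TYPE=mysql
      - FORGEJO__database__HOST=forgejo-db:3306
      - FORGEJO__database__NAME=forgejo
      - FORGEJO__database__USER=forgejo
      # The __FILE suffix makes environment-to-ini read the value from a file,
      # so the password stays out of `docker inspect` and of this file.
      - FORGEJO__database__PASSWD__FILE=/run/secrets/forgejo_db_password
    secrets:
      - forgejo_db_password
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.forgejo_app.rule=Host(`oxmox.root.sx`) && PathPrefix(`/forge`)"
      - "traefik.http.routers.forgejo_app.entrypoints=websecure"
      - "traefik.http.routers.forgejo_app.tls.certresolver=myresolver"
      - "traefik.http.routers.forgejo_app.middlewares=forgejo_app_strip"
      - "traefik.http.middlewares.forgejo_app_strip.stripprefix.prefixes=/forge"
      - "traefik.http.services.forgejo-app.loadbalancer.server.port=3000"

  prometheus:
    image: prom/prometheus
    container_name: "prometheus"
    restart: unless-stopped
    <<: *logging
    command:
      # Served under /prometheus/ without a strip-prefix middleware, so
      # external-url and route-prefix carry the prefix themselves.
      - '--web.external-url=/prometheus/'
      - '--web.route-prefix=/prometheus/'
      - '--storage.tsdb.path=/prometheus/tsdb'
    volumes:
      - ./prometheus:/prometheus
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      # NOTE(review): see nextcloud-db - PUID/PGID may be no-ops for this image.
      - PUID=1000
      - PGID=1000
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.prometheus_app.rule=Host(`oxmox.root.sx`) && PathPrefix(`/prometheus`)"
      - "traefik.http.routers.prometheus_app.entrypoints=websecure"
      - "traefik.http.routers.prometheus_app.tls.certresolver=myresolver"
      # Prometheus has no auth of its own; reuse the dashboard basic auth.
      - "traefik.http.routers.prometheus_app.middlewares=traefik_api_auth"
      - "traefik.http.services.prometheus_app.loadbalancer.server.port=9090"

  grafana:
    image: grafana/grafana
    container_name: "grafana"
    restart: unless-stopped
    <<: *logging
    depends_on:
      - prometheus
    volumes:
      - ./grafana/data:/var/lib/grafana
      # Sub-path settings (root_url / serve_from_sub_path) are presumably in
      # ./grafana/etc since /grafana is stripped below - TODO confirm.
      - ./grafana/etc:/etc/grafana
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      - PUID=1000
      - PGID=1000
      #- GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION=true
      - GF_INSTALL_PLUGINS=grafana-piechart-panel
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.grafana_app.rule=Host(`oxmox.root.sx`) && PathPrefix(`/grafana`)"
      - "traefik.http.routers.grafana_app.entrypoints=websecure"
      - "traefik.http.routers.grafana_app.tls.certresolver=myresolver"
      - "traefik.http.routers.grafana_app.middlewares=traefik_api_auth,grafana_app_strip"
      - "traefik.http.middlewares.grafana_app_strip.stripprefix.prefixes=/grafana"
      - "traefik.http.services.grafana_app.loadbalancer.server.port=3000"

  node-exporter:
    #image: quay.io/prometheus/node-exporter:latest
    image: prom/node-exporter:latest
    container_name: node-exporter
    restart: unless-stopped
    <<: *logging
    #network_mode: host
    # Host PID namespace plus the whole host filesystem (read-only) are what
    # node-exporter needs for host metrics; this container can therefore read
    # any file on the host, so keep it off the public router (it is not
    # exposed through traefik, only to the compose network on 9100).
    pid: host
    volumes:
      #- /proc:/host/proc:ro
      #- /sys:/host/sys:ro
      - /:/rootfs:ro,rslave
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    command:
      #- '--path.procfs=/host/proc'
      - '--path.rootfs=/rootfs'
      #- '--path.sysfs=/host/sys'
      #- '--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)'
    expose:
      - 9100

  loki-app:
    image: grafana/loki:2.8.4
    container_name: "loki-app"
    restart: unless-stopped
    # NOTE(review): loki ships its own stdout to itself via this driver; if
    # loki is down the driver buffers/retries and may stall this container's
    # logging - consider a different driver for this one service.
    <<: *logging
    volumes:
      - ./loki/etc:/etc/loki
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      - PUID=1000
      - PGID=1000
    command: -config.file=/etc/loki/loki-config.yml
    ports:
      # Loopback only: reachable by the daemon-side log driver, not from the LAN.
      - "127.0.0.1:3100:3100"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.loki_app.rule=Host(`oxmox.root.sx`) && PathPrefix(`/loki`)"
      - "traefik.http.routers.loki_app.entrypoints=websecure"
      - "traefik.http.routers.loki_app.tls.certresolver=myresolver"
      # Loki has no built-in auth; the basic-auth middleware is the only gate.
      - "traefik.http.routers.loki_app.middlewares=traefik_api_auth,loki_app_strip"
      - "traefik.http.middlewares.loki_app_strip.stripprefix.prefixes=/loki"
      - "traefik.http.services.loki_app.loadbalancer.server.port=3100"

  loki-promtail:
    image: grafana/promtail:2.8.4
    container_name: "loki-promtail"
    restart: unless-stopped
    <<: *logging
    volumes:
      - ./loki/etc:/etc/promtail
      # NOTE(review): promtail only reads host logs; this could be ":ro" unless
      # promtail-config.yml keeps its positions file under /var/log - confirm.
      - /var/log:/var/log
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      - PUID=1000
      - PGID=1000
    command: -config.file=/etc/promtail/promtail-config.yml
    labels:
      - "traefik.enable=false"

  #wireguard:
  #  image: lscr.io/linuxserver/wireguard:latest
  #  container_name: wireguard
  #  labels:
  #    - "traefik.enable=true"
  #  cap_add:
  #    - NET_ADMIN
  #    #- SYS_MODULE
  #  environment:
  #    - PUID=1000
  #    - PGID=1000
  #    #- SERVERURL=wireguard.oxmox.root.sx #optional
  #    - SERVERPORT=51820 #optional
  #    - PEERS=1 #optional
  #    - PEERDNS=auto #optional
  #    - INTERNAL_SUBNET=10.42.23.0 #optional
  #    - ALLOWEDIPS=10.42.23.0/24 #optional
  #    - PERSISTENTKEEPALIVE_PEERS= #optional
  #    - LOG_CONFS=true #optional
  #  volumes:
  #    - ./wireguard:/config
  #    #- /lib/modules:/lib/modules #optional
  #  ports:
  #    - 51820:51820/udp
  #  sysctls:
  #    - net.ipv4.conf.all.src_valid_mark=1
  #  restart: unless-stopped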