version: '3.5' networks: default: driver: bridge ipam: config: - subnet: 172.27.0.0/24 socket_proxy: name: socket_proxy services: # Only accept needed incoming docker API calls socket-proxy: container_name: socket-proxy environment: - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.). # 0 to revoke access. # 1 to grant access. ## Granted by Default - EVENTS=1 - PING=1 - VERSION=1 ## Revoked by Default # Security critical - AUTH=0 - SECRETS=0 - POST=1 # Watchtower - DELETE=1 # Watchtower # GET Optons - BUILD=0 - COMMIT=0 - CONFIGS=0 - CONTAINERS=1 # Traefik, portainer, etc. - DISTRIBUTION=0 - EXEC=0 - IMAGES=1 # Portainer, Watchtower - INFO=1 # Portainer - NETWORKS=1 # Portainer, Watchtower - NODES=0 - PLUGINS=0 - SERVICES=1 # Portainer - SESSION=0 - SWARM=0 - SYSTEM=0 - TASKS=1 # Portaienr - VOLUMES=1 # Portainer # POST Options - CONTAINERS_CREATE=1 # WatchTower - CONTAINERS_START=1 # WatchTower - CONTAINERS_UPDATE=1 # WatchTower # DELETE Options - CONTAINERS_DELETE=1 # WatchTower - IMAGES_DELETE=1 # WatchTower image: tecnativa/docker-socket-proxy:latest labels: - "com.centurylinklabs.watchtower.enable=true" networks: - socket_proxy ports: - "127.0.0.1:2375:2375" # Always restart if server restart etc. restart: unless-stopped volumes: - "/var/run/docker.sock:/var/run/docker.sock" # watchtower keeps docker iamges automatically up to date watchtower: container_name: watchtower depends_on: - socket-proxy environment: WATCHTOWER_CLEANUP: "true" WATCHTOWER_REMOVE_VOLUMES: "true" WATCHTOWER_INCLUDE_STOPPED: "true" WATCHTOWER_NO_STARTUP_MESSAGE: "false" WATCHTOWER_SCHEDULE: "0 30 12 * * *" # Everyday at 12:30 DOCKER_HOST: tcp://socket-proxy:2375 image: containrrr/watchtower:latest labels: - "com.centurylinklabs.watchtower.enable=true" networks: - default - socket_proxy restart: unless-stopped traefik: depends_on: - watchtower # Always restart also at boot unless manually stopped restart: unless-stopped # The official v2 Traefik docker image image: traefik:3.0 networks: default: ipv4_address: 172.27.0.100 socket_proxy: null env_file: live.env container_name: "traefik" # Enables the web UI and tells Traefik to listen to docker command: # logging - "--log.filePath=/logs/traefik.log" - "--log.level=DEBUG" # API and Dashboard #- "--api.insecure=true" - "--api=true" - "--api.dashboard=true" # Docker as provider - "--providers.docker=true" - "--providers.docker.exposedbydefault=false" # Entrypoints (not HTTPS) - "--entrypoints.web.address=:80" # HTTPS (websecure entrypoint) - "--entrypoints.websecure.address=:443" # TS3 entrypoints - "--entrypoints.ts-udp.address=:9987/udp" - "--entrypoints.ts-tcp.address=:30033" # OSP rtmp entrypoints #- "--entrypoints.rtmp.address=:1935" # Use this CA server for testing # - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory" - "--certificatesresolvers.myresolver.acme.email=${EMAIL}" - "--certificatesresolvers.myresolver.acme.httpchallenge=true" - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web" - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json" # Docker socket proxy cli commands - "--providers.docker.endpoint=tcp://socket-proxy:2375" labels: # enable watchtower for traefik - "com.centurylinklabs.watchtower.enable=true" # Dashboard stuff - "traefik.enable=true" - "traefik.http.routers.traefik-https.rule=Host(`traefik.${DOMAIN}`)" - "traefik.http.routers.traefik-https.entrypoints=websecure" - "traefik.http.routers.traefik-https.middlewares=auth" - "traefik.http.routers.traefik-https.service=api@internal" - "traefik.http.routers.traefik-https.tls=true" - "traefik.http.routers.traefik-https.tls.certresolver=myresolver" - "traefik.http.middlewares.auth.basicauth.users=${TRAEFIK_USER}:${TRAEFIK_PASSWORD_HASH}" # http to https redirect - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https" - "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true" - "traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)" - "traefik.http.routers.http_catchall.entrypoints=web" - "traefik.http.routers.http_catchall.middlewares=https-redirect" ports: # The HTTP port - "80:80" # The HTTPS port - "443:443" # The Web UI (enabled by --api.insecure=true) #- "8080:8080" # TS3 ports - "9987:9987/udp" #- "10011:10011" - "30033:30033" # OSP rtmp ports #- "1935:1935" volumes: # For certificate - "./volumes/letsencrypt/acme.json:/letsencrypt/acme.json" # For logging - "./volumes/logs/traefik.log:/logs/traefik.log"