166 lines
5.5 KiB
YAML
166 lines
5.5 KiB
YAML
version: '3.5'
|
|
|
|
networks:
|
|
default:
|
|
driver: bridge
|
|
ipam:
|
|
config:
|
|
- subnet: 172.27.0.0/24
|
|
socket_proxy:
|
|
name: socket_proxy
|
|
|
|
services:
|
|
# Only accept needed incoming docker API calls
|
|
socket-proxy:
|
|
container_name: socket-proxy
|
|
environment:
|
|
- LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
|
|
## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
|
|
# 0 to revoke access.
|
|
# 1 to grant access.
|
|
## Granted by Default
|
|
- EVENTS=1
|
|
- PING=1
|
|
- VERSION=1
|
|
## Revoked by Default
|
|
# Security critical
|
|
- AUTH=0
|
|
- SECRETS=0
|
|
- POST=1 # Watchtower
|
|
- DELETE=1 # Watchtower
|
|
# GET Optons
|
|
- BUILD=0
|
|
- COMMIT=0
|
|
- CONFIGS=0
|
|
- CONTAINERS=1 # Traefik, portainer, etc.
|
|
- DISTRIBUTION=0
|
|
- EXEC=0
|
|
- IMAGES=1 # Portainer, Watchtower
|
|
- INFO=1 # Portainer
|
|
- NETWORKS=1 # Portainer, Watchtower
|
|
- NODES=0
|
|
- PLUGINS=0
|
|
- SERVICES=1 # Portainer
|
|
- SESSION=0
|
|
- SWARM=0
|
|
- SYSTEM=0
|
|
- TASKS=1 # Portaienr
|
|
- VOLUMES=1 # Portainer
|
|
# POST Options
|
|
- CONTAINERS_CREATE=1 # WatchTower
|
|
- CONTAINERS_START=1 # WatchTower
|
|
- CONTAINERS_UPDATE=1 # WatchTower
|
|
# DELETE Options
|
|
- CONTAINERS_DELETE=1 # WatchTower
|
|
- IMAGES_DELETE=1 # WatchTower
|
|
image: fluencelabs/docker-socket-proxy
|
|
labels:
|
|
- "com.centurylinklabs.watchtower.enable=true"
|
|
networks:
|
|
- socket_proxy
|
|
ports:
|
|
- "127.0.0.1:2375:2375"
|
|
# Always restart if server restart etc.
|
|
restart: unless-stopped
|
|
volumes:
|
|
- "/var/run/docker.sock:/var/run/docker.sock"
|
|
|
|
# watchtower keeps docker iamges automatically up to date
|
|
watchtower:
|
|
container_name: watchtower
|
|
depends_on:
|
|
- socket-proxy
|
|
environment:
|
|
WATCHTOWER_CLEANUP: "true"
|
|
WATCHTOWER_REMOVE_VOLUMES: "true"
|
|
WATCHTOWER_INCLUDE_STOPPED: "true"
|
|
WATCHTOWER_NO_STARTUP_MESSAGE: "false"
|
|
WATCHTOWER_SCHEDULE: "0 30 12 * * *" # Everyday at 12:30
|
|
DOCKER_HOST: tcp://socket-proxy:2375
|
|
image: containrrr/watchtower
|
|
labels:
|
|
- "com.centurylinklabs.watchtower.enable=true"
|
|
networks:
|
|
- default
|
|
- socket_proxy
|
|
restart: unless-stopped
|
|
|
|
traefik:
|
|
depends_on:
|
|
- watchtower
|
|
# Always restart also at boot unless manually stopped
|
|
restart: unless-stopped
|
|
# The official v2 Traefik docker image
|
|
image: traefik:v2.3
|
|
networks:
|
|
default:
|
|
ipv4_address: 172.27.0.100
|
|
socket_proxy: null
|
|
env_file: live.env
|
|
container_name: "traefik"
|
|
# Enables the web UI and tells Traefik to listen to docker
|
|
command:
|
|
# logging
|
|
- "--log.filePath=/logs/traefik.log"
|
|
- "--log.level=DEBUG"
|
|
# API and Dashboard
|
|
#- "--api.insecure=true"
|
|
- "--api=true"
|
|
- "--api.dashboard=true"
|
|
# Docker as provider
|
|
- "--providers.docker=true"
|
|
- "--providers.docker.exposedbydefault=false"
|
|
# Entrypoints (not HTTPS)
|
|
- "--entrypoints.web.address=:80"
|
|
# HTTPS (websecure entrypoint)
|
|
- "--entrypoints.websecure.address=:443"
|
|
# TS3 entrypoints
|
|
- "--entrypoints.ts-udp.address=:9987/udp"
|
|
- "--entrypoints.ts-tcp.address=:30033"
|
|
# OSP rtmp entrypoints
|
|
#- "--entrypoints.rtmp.address=:1935"
|
|
# Use this CA server for testing
|
|
# - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
|
|
- "--certificatesresolvers.myresolver.acme.email=${EMAIL}"
|
|
- "--certificatesresolvers.myresolver.acme.httpchallenge=true"
|
|
- "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
|
|
- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
|
|
# Docker socket proxy cli commands
|
|
- "--providers.docker.endpoint=tcp://socket-proxy:2375"
|
|
labels:
|
|
# enable watchtower for traefik
|
|
- "com.centurylinklabs.watchtower.enable=true"
|
|
# Dashboard stuff
|
|
- "traefik.enable=true"
|
|
- "traefik.http.routers.traefik-https.rule=Host(`traefik.${DOMAIN}`)"
|
|
- "traefik.http.routers.traefik-https.entrypoints=websecure"
|
|
- "traefik.http.routers.traefik-https.middlewares=auth"
|
|
- "traefik.http.routers.traefik-https.service=api@internal"
|
|
- "traefik.http.routers.traefik-https.tls=true"
|
|
- "traefik.http.routers.traefik-https.tls.certresolver=myresolver"
|
|
- "traefik.http.middlewares.auth.basicauth.users=${TRAEFIK_USER}:${TRAEFIK_PASSWORD_HASH}"
|
|
# http to https redirect
|
|
- "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
|
|
- "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true"
|
|
- "traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)"
|
|
- "traefik.http.routers.http_catchall.entrypoints=web"
|
|
- "traefik.http.routers.http_catchall.middlewares=https-redirect"
|
|
ports:
|
|
# The HTTP port
|
|
- "80:80"
|
|
# The HTTPS port
|
|
- "443:443"
|
|
# The Web UI (enabled by --api.insecure=true)
|
|
#- "8080:8080"
|
|
# TS3 ports
|
|
- "9987:9987/udp"
|
|
#- "10011:10011"
|
|
- "30033:30033"
|
|
# OSP rtmp ports
|
|
#- "1935:1935"
|
|
volumes:
|
|
# For certificate
|
|
- "./volumes/letsencrypt/acme.json:/letsencrypt/acme.json"
|
|
# For logging
|
|
- "./volumes/logs/traefik.log:/logs/traefik.log"
|