open-productive-stack/core/docker-compose.yml


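services:
  # VPN — WireGuard server. Clients must connect before SSH is reachable.
  # network_mode: host is required so wg0 is created on the host network stack,
  # making 10.13.13.1 reachable by sshd and other host services.
  # NOTE(review): the image floats on the `latest` tag while the container runs
  # with host networking and NET_ADMIN/SYS_MODULE; pinning a version (or digest)
  # would make this privileged image reproducible — confirm that is acceptable.
  wireguard:
    image: linuxserver/wireguard:latest
    container_name: wireguard
    network_mode: host
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=${TZ:-Europe/Berlin}
      - SERVERURL=${WG_SERVERURL}
      - SERVERPORT=51820
      - PEERS=${WG_PEERS}
      - PEERDNS=auto
      - INTERNAL_SUBNET=10.13.13.0
      - ALLOWEDIPS=10.13.13.0/24
      - LOG_CONFS=false
    volumes:
      - ./volumes/wireguard/config:/config
      - /lib/modules:/lib/modules:ro
    # Quoted: parsers following YAML 1.1 read an unquoted `no` as the boolean
    # false, not the string Compose expects.
    # NOTE(review): with no restart policy the tunnel does not come back after a
    # host reboot, and SSH is only reachable through it (see header comment) —
    # confirm this is intended; `unless-stopped` would keep the tunnel up.
    restart: "no"

  # Database stack
  # Adminer's router is not behind the admin-auth middleware used by the traefik
  # router below; access control relies on the database login. The
  # https-redirect middleware is redundant on a websecure-only router because the
  # web entrypoint already redirects to HTTPS globally (see traefik command).
  adminer:
    image: adminer:5
    container_name: adminer
    depends_on:
      - mariadb
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      - "traefik.http.routers.adminer.rule=Host(`adminer.${DOMAIN}`)"
      - "traefik.http.routers.adminer.entrypoints=websecure"
      - "traefik.http.routers.adminer.middlewares=https-redirect"
      - "traefik.http.routers.adminer.tls=true"
      - "traefik.http.routers.adminer.tls.certresolver=le"
      - "traefik.http.services.adminer.loadbalancer.server.port=8080"
    networks:
      - database
      - traefik
    restart: unless-stopped

  # Credentials come from the environment/.env file, so none are committed here.
  # The official image also accepts *_FILE variants (e.g. MARIADB_ROOT_PASSWORD_FILE)
  # for Docker secrets if the env-var approach is ever replaced.
  mariadb:
    image: mariadb:12
    container_name: mariadb
    environment:
      MARIADB_ROOT_PASSWORD: ${MARIADB_ROOT_PASSWORD}
      MARIADB_USER: ${MARIADB_USER}
      MARIADB_PASSWORD: ${MARIADB_PASSWORD}
    labels:
      # Redundant with --providers.docker.exposedbydefault=false, kept as an
      # explicit statement that the database is never routed.
      - "traefik.enable=false"
    volumes:
      - ./volumes/mariadb/data:/var/lib/mysql
    networks:
      - database
    restart: unless-stopped

  # Only reachable on the internal `database` network; not exposed via Traefik.
  postgres:
    image: postgres:17
    container_name: postgres
    environment:
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
    volumes:
      - ./volumes/postgres/data:/var/lib/postgresql/data
    networks:
      - database
    restart: unless-stopped

  # Traefik — reverse proxy / TLS termination for everything on the `traefik`
  # network. The dashboard (api@internal) is protected by the admin-auth
  # basicauth middleware; --api.insecure is deliberately not set.
  traefik:
    image: traefik:3
    container_name: traefik
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      # Middlewares
      # TRAEFIK_HASHED_PASSWORD must already be an htpasswd-style hash; it is
      # substituted by Compose interpolation, not re-interpolated by Traefik.
      - "traefik.http.middlewares.admin-auth.basicauth.users=${TRAEFIK_USERNAME}:${TRAEFIK_HASHED_PASSWORD}"
      - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true"
      - "traefik.http.middlewares.https-redirect.redirectscheme.port=443"
      # HSTS headers for Nextcloud (180 days, includeSubDomains, preload)
      - "traefik.http.middlewares.nextcloud-headers.headers.stsSeconds=15552000"
      - "traefik.http.middlewares.nextcloud-headers.headers.stsIncludeSubdomains=true"
      - "traefik.http.middlewares.nextcloud-headers.headers.stsPreload=true"
      - "traefik.http.middlewares.nextcloud-headers.headers.forceSTSHeader=true"
      # Timeout middlewares
      - "traefik.http.middlewares.timeout.headers.customrequestheaders.X-Forwarded-Timeout=120"
      - "traefik.http.middlewares.timeout.headers.customresponseheaders.X-Response-Timeout=120"
      # Routers
      - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)"
      - "traefik.http.routers.traefik.entrypoints=web,websecure"
      - "traefik.http.routers.traefik.middlewares=admin-auth,https-redirect"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=le"
      - "traefik.http.routers.traefik.service=api@internal"
      # Services
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
    command:
      # Enable Docker provider
      - --providers.docker
      # Disable exposing services without Traefik labels
      - --providers.docker.exposedbydefault=false
      # Listen on port 2424 for Forgejo SSH requests
      - --entrypoints.forgejo-ssh.address=:2424
      # Listen on port 80 for HTTP requests
      - --entrypoints.web.address=:80
      # Listen on port 443 for HTTPS requests
      - --entrypoints.websecure.address=:443
      # Redirect HTTP requests to HTTPS
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --entrypoints.web.http.redirections.entryPoint.permanent=true
      # Use the specified email address for Let's Encrypt certificate requests
      - --certificatesresolvers.le.acme.email=${TRAEFIK_EMAIL}
      # Use the HTTP challenge for Let's Encrypt certificate requests
      - --certificatesresolvers.le.acme.httpchallenge.entrypoint=web
      # Use the specified storage location for Let's Encrypt certificates
      - --certificatesresolvers.le.acme.storage=/certificates/acme.json
      # Use the TLS-ALPN-01 challenge for Let's Encrypt certificate requests
      # NOTE(review): both HTTP-01 and TLS-ALPN-01 are configured on the same
      # resolver — confirm which one Traefik actually uses here is the intended one.
      - --certificatesresolvers.le.acme.tlschallenge=true
      # Enable access log output
      - --accesslog
      # Enable general log output
      - --log.level=INFO
      # Enable the Traefik API
      - --api
      # Set global timeouts
      - --serverstransport.forwardingtimeouts.dialtimeout=120s
      - --serverstransport.forwardingtimeouts.responseheadertimeout=120s
      - --serverstransport.forwardingtimeouts.idleconntimeout=120s
    volumes:
      # `:ro` only makes the socket file read-only; it does not restrict the
      # Docker API calls Traefik can make over it, so this still grants broad
      # control of the host's Docker daemon to the Traefik container.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - server-certificates:/certificates
    # Quoted so the host:container pairs are always read as strings.
    ports:
      - "2424:2424"
      - "80:80"
      - "443:443"
    networks:
      - traefik
    restart: unless-stopped

  # Static MTA-STS policy host (serves ./mta-sts read-only over HTTPS).
  mta-sts:
    image: nginx:1.27-alpine
    container_name: mta-sts
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      - "traefik.http.routers.mta-sts.rule=Host(`mta-sts.${DOMAIN}`)"
      - "traefik.http.routers.mta-sts.entrypoints=websecure"
      - "traefik.http.routers.mta-sts.tls=true"
      - "traefik.http.routers.mta-sts.tls.certresolver=le"
      - "traefik.http.services.mta-sts.loadbalancer.server.port=80"
    volumes:
      - ./mta-sts:/usr/share/nginx/html:ro
    networks:
      - traefik
    restart: unless-stopped

volumes:
  # Holds acme.json; keep it out of any bind mount that is world-readable.
  server-certificates:
    name: server-certificates

networks:
  # Internal network shared by the databases and Adminer only.
  database:
    name: database
  # Network every Traefik-routed service must join.
  traefik:
    name: traefik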