diff --git a/swarm/traefik.yml b/swarm/core.yml
similarity index 77%
rename from swarm/traefik.yml
rename to swarm/core.yml
index 7419d61..9c9a507 100644
--- a/swarm/traefik.yml
+++ b/swarm/core.yml
@@ -11,10 +11,10 @@ services:
 published: 443
 mode: host
 # - "7687:7687"
- # - "8083:8083"
- # - "8084:8084"
- # - "8883:8883"
- # - "5432:5432"
+ - "8083:8083"
+ - "8084:8084"
+ - "8883:8883"
+ - "5432:5432"
 deploy:
 placement:
 constraints:
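Review bot: Un-commenting `- "5432:5432"` publishes Postgres on every node's public interface through Traefik, and the router behind it (``traefik.tcp.routers.postgres.rule=HostSNI(`*`)`` in the services.yml hunk at `@@ -52,29 +48,17 @@`) has no `tls=true`, so the database accepts plaintext connections from any source and is protected only by its password. Unless an external client really needs it, keep that line commented and let api_server reach Postgres over the overlay network; if it is needed, add `- traefik.tcp.routers.postgres.tls=true` on the router and an IP-allowlist TCP middleware in front of it. The same applies to `"8083:8083"`, which the emqx.yml hunk routes with ``HostSNI(`*`)`` and no TLS. The new entries also use the short ingress-mode form while the `443` entry above them is `mode: host`; if host mode was meant for all of them, use the long form consistently.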
@@ -33,7 +33,22 @@ services:
 # admin-auth middleware with HTTP Basic auth
 # Using the environment variables USERNAME and HASHED_PASSWORD
 - traefik.http.middlewares.admin-auth.basicauth.users=${USERNAME?Variable not set}:${HASHED_PASSWORD?Variable not set}
- - traefik.http.middlewares.csrf.headers.hostsProxyHeaders=["X-CSRFToken"]
+ - traefik.http.middlewares.csrf.headers.hostsProxyHeaders=["X-CSRF-Token"]
+ - traefik.http.middlewares.no-www.redirectregex.regex=^https://www.(.*)$$
+ - traefik.http.middlewares.no-www.redirectregex.replacement=https://$$1
+ - traefik.http.middlewares.no-www.redirectregex.permanent=true
+ - traefik.http.middlewares.sslheader.headers.sslProxyHeaders.X-Forwarded-Proto="https,wss"
+ - traefik.http.middlewares.sslheader.headers.sslRedirect=true
+ - traefik.http.middlewares.redirect-resume.redirectregex.regex=^https://resume.${DOMAIN?Variable not set}/(.*)
+ - traefik.http.middlewares.redirect-resume.redirectregex.replacement=https://info.${DOMAIN?Variable not set}/resume/$$1
+ - traefik.http.middlewares.redirect-resume.redirectregex.permanent=true
+ - traefik.http.middlewares.redirect-blog.redirectregex.regex=^https://blog.${DOMAIN?Variable not set}/(.*)
+ - traefik.http.middlewares.redirect-blog.redirectregex.replacement=https://furyhawk.github.io/124c41/$$1
+ - traefik.http.middlewares.redirect-blog.redirectregex.permanent=true
+ - traefik.http.middlewares.rate-limit.ratelimit.average=384
+ - traefik.http.middlewares.rate-limit.ratelimit.burst=128
+ - traefik.http.middlewares.rate-limit.ratelimit.period=10s
+ - treafik.http.middlewares.neo4j_strip.stripprefix.prefixes=/neo4j
 # traefik-https the actual router using HTTPS
 - traefik.http.routers.traefik-public-https.rule=Host(`dashboard.${DOMAIN?Variable not set}`)
 - traefik.http.routers.traefik-public-https.entrypoints=https
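Review bot: The last added label is misspelled, `treafik.http.middlewares.neo4j_strip.stripprefix.prefixes=/neo4j`; Traefik only reads labels under the `traefik.` prefix, so the `neo4j_strip` middleware is never defined and any router that references it is rejected — it should read `traefik.http.middlewares.neo4j_strip.stripprefix.prefixes=/neo4j`. The `sslheader` label is a YAML plain scalar, so the literal quotes of `"https,wss"` become part of the label value and the `sslProxyHeaders` comparison against an `X-Forwarded-Proto: https` header can never match; `sslProxyHeaders.X-Forwarded-Proto=https` is the documented form, and `headers.sslRedirect` has been deprecated in favour of entrypoint-level redirection, so both lines are probably dead weight once TLS terminates at the `https` entrypoint. Also document what `csrf` actually is, since `hostsProxyHeaders` only lists headers used for host detection and gives no CSRF protection: `# csrf: host-detection header list only — not a CSRF guard`.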
@@ -58,7 +73,9 @@ services:
 - --providers.docker.constraints=Label(`traefik.constraint-label`, `traefik-public`)
 # Do not expose all Docker services, only the ones explicitly exposed
 - --providers.docker.exposedbydefault=false
+ - --providers.docker.endpoint=unix:///var/run/docker.sock
 # Enable Docker Swarm mode
+ - --providers.swarm.exposedbydefault=false
 - --providers.swarm.endpoint=unix:///var/run/docker.sock
 # Create an entrypoint "http" listening on port 80
 - --entrypoints.http.address=:80
diff --git a/swarm/emqx.yml b/swarm/emqx.yml
index d88fadb..aef1498 100644
--- a/swarm/emqx.yml
+++ b/swarm/emqx.yml
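Review bot: With `--providers.docker.endpoint` added next to `--providers.swarm.endpoint`, Traefik now reads both plain-container labels and swarm service labels from the same socket, so any container on a manager that sets `traefik.enable=true` plus the constraint label gets routed even though it belongs to no stack; the `exposedbydefault=false` lines narrow this but do not close it. If every workload is a swarm service (the services.yml hunks move all labels under `deploy.labels`), drop the docker provider line; if it is needed, mirror the docker constraint with ``- --providers.swarm.constraints=Label(`traefik.constraint-label`, `traefik-public`)`` so both providers apply the same gate. Either way the new lines deserve the same kind of comment as their neighbours, e.g. `# Also watch plain (non-swarm) containers on this socket`.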
@@ -17,15 +17,34 @@ services: volumes: - emqx-data1:/opt/emqx/data deploy: - mode: replicated - replicas: 1 labels: - - "traefik.enable=true" - - "traefik.http.routers.emqx1.entrypoints=web-secure" - - "traefik.http.routers.emqx1.rule=Host(`mqtt.${DOMAINNAME}`)" - - "traefik.http.routers.emqx1.tls.certresolver=letsencrypt" - - "traefik.http.routers.emqx1.service=emqx-dashboard" - - "traefik.http.services.emqx-dashboard.loadbalancer.server.port=18083" + - traefik.enable=true + - traefik.docker.network=traefik-public + - traefik.constraint-label=traefik-public + - traefik.tcp.routers.emqx1-tcp-ws.entrypoints=web-socket + - traefik.tcp.routers.emqx1-tcp-ws.rule=HostSNI(`*`) + - traefik.tcp.routers.emqx1-tcp-ws.service=emqx1-tcp-ws + - traefik.tcp.services.emqx1-tcp-ws.loadbalancer.server.port=8083 + - traefik.tcp.routers.emqx1-tcp-wss.entrypoints=web-socket-secure + - traefik.tcp.routers.emqx1-tcp-wss.rule=HostSNIRegexp(`^.+\\.${DOMAIN}$`) + - traefik.tcp.routers.emqx1-tcp-wss.tls.certresolver=le + - traefik.tcp.routers.emqx1-tcp-wss.service=emqx1-tcp-wss + - traefik.tcp.services.emqx1-tcp-wss.loadbalancer.server.port=8084 + - traefik.http.routers.emqx1.entrypoints=https + - traefik.http.routers.emqx1.rule=Host(`mqtt.${DOMAIN}`) + - traefik.http.routers.emqx1.tls.certresolver=le + - traefik.http.routers.emqx1.service=emqx-dashboard + - traefik.http.services.emqx-dashboard.loadbalancer.server.port=18083 + - traefik.http.routers.emqx1-web.entrypoints=web-socket + - traefik.http.routers.emqx1-web.rule=Host(`broker.${DOMAIN}`) || Host(`mqtt.${DOMAIN}`) || Host(`mqttx.${DOMAIN}`) + - traefik.http.routers.emqx1-web.tls.certresolver=le + - traefik.http.routers.emqx1-web.service=emqx1-web + - traefik.http.services.emqx1-web.loadbalancer.server.port=8083 + - traefik.http.routers.emqx1-wss.entrypoints=web-socket-secure + - traefik.http.routers.emqx1-wss.rule=Host(`broker.${DOMAIN}`) || Host(`mqtt.${DOMAIN}`) || Host(`mqttx.${DOMAIN}`) + - 
traefik.http.routers.emqx1-wss.tls.certresolver=le + - traefik.http.routers.emqx1-wss.service=emqx1-wss + - traefik.http.services.emqx1-wss.loadbalancer.server.port=8084 mqttx-web: image: emqx/mqttx-web:latest @@ -34,12 +53,14 @@ services: - traefik-public deploy: labels: - - "traefik.enable=true" - - "traefik.http.routers.mqttx-web.entrypoints=web-secure" - - "traefik.http.routers.mqttx-web.rule=Host(`mqttx.${DOMAINNAME}`)" - - "traefik.http.routers.mqttx-web.tls.certresolver=letsencrypt" - - "traefik.http.routers.mqttx-web.service=mqttx-web-service" - - "traefik.http.services.mqttx-web-service.loadbalancer.server.port=80" + - traefik.enable=true + - traefik.docker.network=traefik-public + - traefik.constraint-label=traefik-public + - traefik.http.routers.mqttx-web.entrypoints=https + - traefik.http.routers.mqttx-web.rule=Host(`mqttx.${DOMAIN}`) + - traefik.http.routers.mqttx-web.tls.certresolver=le + - traefik.http.routers.mqttx-web.service=mqttx-web-service + - traefik.http.services.mqttx-web-service.loadbalancer.server.port=80 networks: traefik-public: diff --git a/swarm/services-all.yml b/swarm/services-all.yml new file mode 100644 index 0000000..0346254 --- /dev/null +++ b/swarm/services-all.yml 
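Review bot: The TCP router `emqx1-tcp-ws` on entrypoint `web-socket` uses ``HostSNI(`*`)``, and Traefik evaluates TCP routers before HTTP routers on a shared entrypoint, so the HTTP router `emqx1-web` (same entrypoint, `Host(...)` rule) never receives traffic and its host restriction is not enforced: every plaintext connection to 8083 is forwarded to the broker. The same shadowing applies to `emqx1-tcp-wss` / `emqx1-wss` on `web-socket-secure`. Pick one layer per entrypoint — keep the HTTP routers (Host matching, middlewares applicable) and delete the two `traefik.tcp.*` router/service groups, or keep the TCP routers and delete the unreachable HTTP ones. The `HostSNIRegexp(...)` TCP router also sets `tls.certresolver=le` without `tls.domains`, so it is unclear which name the resolver would request a certificate for — worth confirming in the Traefik log. The enclosing emqx1 service starts before this hunk.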
@@ -0,0 +1,253 @@
+volumes:
+ minio_data: {}
+ neo4j_data: {}
+ neo4j_logs: {}
+ postgres_data: {}
+
+services:
+ api_server:
+ image: furyhawk/listen:latest
+ restart: always
+ depends_on:
+ - postgres
+ environment:
+ DATABASE__HOSTNAME: ${DATABASE__HOSTNAME}
+ DATABASE__USERNAME: ${POSTGRES_USER}
+ DATABASE__PASSWORD: ${POSTGRES_PASSWORD}
+ DATABASE__PORT: ${DATABASE__PORT}
+ DATABASE__DB: ${DATABASE__DB}
+ SECURITY__JWT_SECRET_KEY: ${SECURITY__JWT_SECRET_KEY}
+ SECURITY__BACKEND_CORS_ORIGINS: ${SECURITY__BACKEND_CORS_ORIGINS}
+ SECURITY__ALLOWED_HOSTS: ${SECURITY__ALLOWED_HOSTS}
+ DOMAINNAME: ${DOMAINNAME}
+ ports:
+ - "8000:8000"
+ networks:
+ - net
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.api_server.entrypoints=web-secure"
+ - "traefik.http.routers.api_server.rule=Host(`api.${DOMAINNAME}`)"
+ - "traefik.http.routers.api_server.middlewares=csrf@file, rate-limit@file"
+ - "traefik.http.routers.api_server.tls.certresolver=letsencrypt"
+ - "traefik.http.routers.api_server.service=api_server_service"
+ - "traefik.http.services.api_server_service.loadbalancer.server.port=8000"
+
+ postgres:
+ image: postgres
+ environment:
+ POSTGRES_DB: ${POSTGRES_DB}
+ POSTGRES_USER: ${POSTGRES_USER}
+ POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+ PGDATA: "/var/lib/postgresql/data"
+ LANG: en_US.utf8
+ TZ: Asia/Singapore
+ # DOMAINNAME: ${DOMAINNAME}
+ command: ["postgres", "-c", "log_connections=on"]
+ volumes:
+ - postgres_data:/var/lib/postgresql/data
+ # - ./config/postgresql.conf:/etc/postgresql.conf
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+ interval: 30s
+ timeout: 10s
+ retries: 10
+ # ports:
+ # - "5432:5432"
+ expose:
+ - 5432
+ networks:
+ - net
+ labels:
+ - "traefik.enable=true"
+ - "traefik.tcp.routers.postgres.entrypoints=postgres-socket"
+ - "traefik.tcp.routers.postgres.rule=HostSNI(`*`)"
+ - "traefik.tcp.routers.postgres.service=postgres_service"
+ - 
"traefik.tcp.services.postgres_service.loadbalancer.server.port=5432" + # - "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10" + # - "traefik.tcp.routers.postgres.rule=HostSNIRegexp(`^.+\\.furyhawk\\.lol$`)" + # - "traefik.tcp.routers.postgres.tls=true" + # - "traefik.tcp.routers.postgres.tls.certresolver=letsencrypt" + # - "traefik.tcp.routers.postgres.middlewares=test-inflightconn" + # - "traefik.http.routers.postgres.entrypoints=web-secure" + # - "traefik.http.routers.postgres.rule=Host(`db.${DOMAINNAME}`)" + # - "traefik.http.routers.postgres.middlewares=rate-limit@file, csrf@file" + # - "traefik.http.routers.postgres.tls.certresolver=letsencrypt" + # - "traefik.http.routers.postgres.service=postgres_service" + # - "traefik.http.services.postgres_service.loadbalancer.server.port=5432" + + osrm-backend: + environment: + # OSRM manager setup + - OSRM_ALGORITHM=mld + - OSRM_THREADS=2 + - OSRM_PORT=${OSRM_PORT:-5000} + - OSRM_PROFILE=/opt/car.lua + - OSRM_MAP_NAME=${OSRM_MAP_NAME} + - OSRM_GEOFABRIK_PATH=${OSRM_GEOFABRIK_PATH} + # Notify OSRM Manager to restart without stopping container + - OSRM_NOTIFY_FILEPATH=/data/osrm_notify.txt + - DOMAINNAME=${DOMAINNAME} + image: furyhawk/osrm-backend:${OSRM_VERSION:-latest} + restart: unless-stopped + expose: + - ${OSRM_PORT:-5000} + networks: + - net + labels: + - "traefik.enable=true" + - "traefik.http.routers.osrm-backend.entrypoints=web-secure" + - "traefik.http.routers.osrm-backend.rule=Host(`osrm.${DOMAINNAME}`)" + - "traefik.http.routers.osrm-backend.middlewares=csrf@file" + - "traefik.http.routers.osrm-backend.tls.certresolver=letsencrypt" + - "traefik.http.routers.osrm-backend.service=osrm_backend_service" + - "traefik.http.services.osrm_backend_service.loadbalancer.server.port=${OSRM_PORT:-5000}" + + minio-common: + image: minio/minio:latest + environment: + MINIO_ROOT_USER: "${MINIO_ROOT_USER:-minioadmin}" + MINIO_ROOT_PASSWORD: "${MINIO_ROOT_PASSWORD:-minioadmin}" + MINIO_OPTS: 
"--console-address :9001" + MINIO_SERVER_URL: https://minio.${DOMAINNAME} + DOMAINNAME: ${DOMAINNAME} + # user: "1000:1000" + restart: unless-stopped + command: server /data --address :9000 --console-address :9001 + healthcheck: + test: ["CMD", "mc", "ready", "local"] + interval: 60s + timeout: 5s + retries: 5 + volumes: + - minio_data:/data + expose: + - 9000 + - 9001 + networks: + - net + labels: + - "traefik.enable=true" + - "traefik.http.routers.minio-router.entrypoints=web-secure" + - "traefik.http.routers.minio-router.rule=Host(`drive.${DOMAINNAME}`) || Host(`storage.${DOMAINNAME}`)" + - "traefik.http.routers.minio-router.middlewares=csrf@file" + - "traefik.http.routers.minio-router.tls.certresolver=letsencrypt" + - "traefik.http.routers.minio-router.service=minio_common_service" + - "traefik.http.services.minio_common_service.loadbalancer.server.port=9001" + - "traefik.http.routers.minio-api-router.entrypoints=web-secure" + - "traefik.http.routers.minio-api-router.rule=Host(`minio.${DOMAINNAME}`) || Host(`s3.${DOMAINNAME}`)" + - "traefik.http.routers.minio-api-router.middlewares=csrf@file" + - "traefik.http.routers.minio-api-router.tls.certresolver=letsencrypt" + - "traefik.http.routers.minio-api-router.service=minio_api_service" + - "traefik.http.services.minio_api_service.loadbalancer.server.port=9000" + + neo4j_server: + # Docker image to be used + image: ${NEO4J_DOCKER_IMAGE:-neo4j:latest} + restart: unless-stopped + # Environment variables + environment: + NEO4J_AUTH: neo4j/${NEO4J_PASSWORD:-12345678} + NEO4J_dbms.default_listen_address: "0.0.0.0" + NEO4J_dbms.default_advertised_address: "neo4j.${DOMAINNAME}" + NEO4J_dbms.connector.bolt.advertised_address: ":443" + NEO4J_PLUGINS: '["apoc"]' + NEO4J_dbms_security_procedures_unrestricted: "apoc.*" + NEO4J_dbms_security_procedures_allowlist: "apoc.*" + NEO4J_server_memory_pagecache_size: 512M + NEO4J_server_memory_heap_max__size: 2G + DOMAINNAME: ${DOMAINNAME} + user: "1000:1000" + depends_on: + - traefik 
+ volumes:
+ - neo4j_data:/data
+ - neo4j_logs:/logs
+ # Expose ports
+ expose:
+ - 7474
+ - 7687
+ networks:
+ - net
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.neo4j-router.entrypoints=web-secure"
+ - "traefik.http.routers.neo4j-router.rule=Host(`neo4j.${DOMAINNAME}`) && PathPrefix(`/neo4j`)||PathPrefix(`/browser`)"
+ - "traefik.http.routers.neo4j-router.middlewares=csrf@file, neo4j_strip@file"
+ - "traefik.http.routers.neo4j-router.tls.certresolver=letsencrypt"
+ - "traefik.http.routers.neo4j-router.service=neo4j_browser"
+ - "traefik.http.services.neo4j_browser.loadbalancer.server.port=7474"
+ - "traefik.http.routers.neo4j-bolt-router.entrypoints=web-secure"
+ - "traefik.http.routers.neo4j-bolt-router.rule=Host(`neo4j.${DOMAINNAME}`)"
+ - "traefik.http.routers.neo4j-bolt-router.middlewares=csrf@file"
+ - "traefik.http.routers.neo4j-bolt-router.tls.certresolver=letsencrypt"
+ - "traefik.http.routers.neo4j-bolt-router.service=neo4j_bolt"
+ - "traefik.http.services.neo4j_bolt.loadbalancer.server.port=7687"
+ - "traefik.tcp.routers.neo4j-bolt-router.entrypoints=bolt-socket"
+ - "traefik.tcp.routers.neo4j-bolt-router.rule=HostSNIRegexp(`^.+\\.furyhawk\\.lol$`)"
+ - "traefik.tcp.routers.neo4j-bolt-router.tls=true"
+ - "traefik.tcp.routers.neo4j-bolt-router.tls.certresolver=letsencrypt"
+ - "traefik.tcp.routers.neo4j-bolt-router.service=neo4j_bolt"
+ - "traefik.tcp.services.neo4j_bolt.loadbalancer.server.port=7687"
+
+ syncthing:
+ image: syncthing/syncthing
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - DOMAINNAME=${DOMAINNAME}
+ restart: unless-stopped
+ volumes:
+ - ~/st-sync:/var/syncthing
+ ports:
+ - "8384:8384" # Web UI
+ - "22000:22000/tcp" # TCP file transfers
+ - "22000:22000/udp" # QUIC file transfers
+ - "21027:21027/udp" # Receive local discovery broadcasts
+ networks:
+ - net
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.syncthing.entrypoints=web-secure"
+ - 
"traefik.http.routers.syncthing.rule=Host(`sync.${DOMAINNAME}`)" + - "traefik.http.routers.syncthing.middlewares=csrf@file" + - "traefik.http.routers.syncthing.tls.certresolver=letsencrypt" + - "traefik.http.routers.syncthing.service=syncthing_service" + - "traefik.http.services.syncthing_service.loadbalancer.server.port=8384" + + dozzle: + image: amir20/dozzle:latest + restart: always + environment: + - DOMAINNAME=${DOMAINNAME} + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + expose: + - 8080 + networks: + - net + labels: + - "traefik.enable=true" + - "traefik.http.routers.dozzle.entrypoints=web-secure" + - "traefik.http.routers.dozzle.rule=Host(`log.${DOMAINNAME}`)" + - "traefik.http.routers.dozzle.middlewares=auth@file, csrf@file" + - "traefik.http.routers.dozzle.tls.certresolver=letsencrypt" + - "traefik.http.routers.dozzle.service=dozzle_service" + - "traefik.http.services.dozzle_service.loadbalancer.server.port=8080" + + # WhoAmI - For Testing and Troubleshooting + whoami: + image: traefik/whoami + security_opt: + - no-new-privileges:true + restart: unless-stopped + networks: + - net + labels: + - "traefik.enable=true" + - "traefik.http.routers.whoami-rtr.entrypoints=web-secure" + - "traefik.http.routers.whoami-rtr.rule=Host(`whoami.$DOMAINNAME`)" + - "traefik.http.routers.whoami-rtr.middlewares=csrf@file" + - "traefik.http.routers.whoami-rtr.tls.certresolver=letsencrypt" + - "traefik.http.routers.whoami-rtr.service=whoami-svc" + - "traefik.http.services.whoami-svc.loadbalancer.server.port=80" diff --git a/swarm/services.yml b/swarm/services.yml index 0346254..c203ec5 100644 --- a/swarm/services.yml +++ b/swarm/services.yml @@ -1,9 +1,3 @@ -volumes: - minio_data: {} - neo4j_data: {} - neo4j_logs: {} - postgres_data: {} - services: api_server: image: furyhawk/listen:latest 
@@ -19,19 +13,22 @@ services: SECURITY__JWT_SECRET_KEY: ${SECURITY__JWT_SECRET_KEY} SECURITY__BACKEND_CORS_ORIGINS: ${SECURITY__BACKEND_CORS_ORIGINS} SECURITY__ALLOWED_HOSTS: ${SECURITY__ALLOWED_HOSTS} - DOMAINNAME: ${DOMAINNAME} + DOMAIN: ${DOMAIN} ports: - "8000:8000" networks: - - net - labels: - - "traefik.enable=true" - - "traefik.http.routers.api_server.entrypoints=web-secure" - - "traefik.http.routers.api_server.rule=Host(`api.${DOMAINNAME}`)" - - "traefik.http.routers.api_server.middlewares=csrf@file, rate-limit@file" - - "traefik.http.routers.api_server.tls.certresolver=letsencrypt" - - "traefik.http.routers.api_server.service=api_server_service" - - "traefik.http.services.api_server_service.loadbalancer.server.port=8000" + - traefik-public + deploy: + labels: + - traefik.enable=true + - traefik.docker.network=traefik-public + - traefik.constraint-label=traefik-public + - traefik.http.routers.api_server.entrypoints=https + - traefik.http.routers.api_server.rule=Host(`api.${DOMAIN}`) + - traefik.http.routers.api_server.middlewares=rate-limit + - traefik.http.routers.api_server.tls.certresolver=le + - traefik.http.routers.api_server.service=api_server_service + - traefik.http.services.api_server_service.loadbalancer.server.port=8000 postgres: image: postgres @@ -42,7 +39,6 @@ services: PGDATA: "/var/lib/postgresql/data" LANG: en_US.utf8 TZ: Asia/Singapore - # DOMAINNAME: ${DOMAINNAME} command: ["postgres", "-c", "log_connections=on"] volumes: - postgres_data:/var/lib/postgresql/data 
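Review bot: The api_server router now gets `middlewares=rate-limit`, but the context line `- "8000:8000"` under `ports:` still publishes the API directly on every node, so clients hitting port 8000 bypass Traefik, TLS and the rate limit entirely; remove the `ports:` entry — Traefik already reaches the service over `traefik-public` via `loadbalancer.server.port=8000`. The `rate-limit` name resolves only within the same provider; it is defined in core.yml's labels in this same commit, so that part looks consistent. The `csrf` reference was dropped here, while the `redirect-*`, `no-www` and `sslheader` middlewares added in core.yml are attached to no router anywhere in this diff — confirm they are used somewhere. The context line `SECURITY__JWT_SECRET_KEY: ${SECURITY__JWT_SECRET_KEY}` silently becomes empty when unset; `${SECURITY__JWT_SECRET_KEY?Variable not set}` would match core.yml's style.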
@@ -52,29 +48,17 @@ services: interval: 30s timeout: 10s retries: 10 - # ports: - # - "5432:5432" - expose: - - 5432 networks: - - net - labels: - - "traefik.enable=true" - - "traefik.tcp.routers.postgres.entrypoints=postgres-socket" - - "traefik.tcp.routers.postgres.rule=HostSNI(`*`)" - - "traefik.tcp.routers.postgres.service=postgres_service" - - "traefik.tcp.services.postgres_service.loadbalancer.server.port=5432" - # - "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10" - # - "traefik.tcp.routers.postgres.rule=HostSNIRegexp(`^.+\\.furyhawk\\.lol$`)" - # - "traefik.tcp.routers.postgres.tls=true" - # - "traefik.tcp.routers.postgres.tls.certresolver=letsencrypt" - # - "traefik.tcp.routers.postgres.middlewares=test-inflightconn" - # - "traefik.http.routers.postgres.entrypoints=web-secure" - # - "traefik.http.routers.postgres.rule=Host(`db.${DOMAINNAME}`)" - # - "traefik.http.routers.postgres.middlewares=rate-limit@file, csrf@file" - # - "traefik.http.routers.postgres.tls.certresolver=letsencrypt" - # - "traefik.http.routers.postgres.service=postgres_service" - # - "traefik.http.services.postgres_service.loadbalancer.server.port=5432" + - traefik-public + deploy: + labels: + - traefik.enable=true + - traefik.docker.network=traefik-public + - traefik.constraint-label=traefik-public + - traefik.tcp.routers.postgres.entrypoints=postgres-socket + - traefik.tcp.routers.postgres.rule=HostSNI(`*`) + - traefik.tcp.routers.postgres.service=postgres_service + - traefik.tcp.services.postgres_service.loadbalancer.server.port=5432 osrm-backend: environment: 
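Review bot: Moving postgres from `net` to `traefik-public` puts the database on the same overlay as every routed service, including dozzle with the Docker socket mounted and the whoami test container, so any compromised service on that network can open 5432 directly; keep a separate internal network for api_server↔postgres and attach postgres to `traefik-public` only if the TCP router is really required. If it is, the router should also carry `- traefik.tcp.routers.postgres.tls=true` (the commented variant this hunk deletes already had it), since ``HostSNI(`*`)`` on `postgres-socket` otherwise forwards plaintext logins from anywhere. Dropping `expose:` is harmless on an overlay network. The enclosing postgres service starts before this hunk.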
@@ -87,153 +71,46 @@ services: - OSRM_GEOFABRIK_PATH=${OSRM_GEOFABRIK_PATH} # Notify OSRM Manager to restart without stopping container - OSRM_NOTIFY_FILEPATH=/data/osrm_notify.txt - - DOMAINNAME=${DOMAINNAME} + - DOMAIN=${DOMAIN} image: furyhawk/osrm-backend:${OSRM_VERSION:-latest} restart: unless-stopped - expose: - - ${OSRM_PORT:-5000} networks: - - net - labels: - - "traefik.enable=true" - - "traefik.http.routers.osrm-backend.entrypoints=web-secure" - - "traefik.http.routers.osrm-backend.rule=Host(`osrm.${DOMAINNAME}`)" - - "traefik.http.routers.osrm-backend.middlewares=csrf@file" - - "traefik.http.routers.osrm-backend.tls.certresolver=letsencrypt" - - "traefik.http.routers.osrm-backend.service=osrm_backend_service" - - "traefik.http.services.osrm_backend_service.loadbalancer.server.port=${OSRM_PORT:-5000}" - - minio-common: - image: minio/minio:latest - environment: - MINIO_ROOT_USER: "${MINIO_ROOT_USER:-minioadmin}" - MINIO_ROOT_PASSWORD: "${MINIO_ROOT_PASSWORD:-minioadmin}" - MINIO_OPTS: "--console-address :9001" - MINIO_SERVER_URL: https://minio.${DOMAINNAME} - DOMAINNAME: ${DOMAINNAME} - # user: "1000:1000" - restart: unless-stopped - command: server /data --address :9000 --console-address :9001 - healthcheck: - test: ["CMD", "mc", "ready", "local"] - interval: 60s - timeout: 5s - retries: 5 - volumes: - - minio_data:/data - expose: - - 9000 - - 9001 - networks: - - net - labels: - - "traefik.enable=true" - - "traefik.http.routers.minio-router.entrypoints=web-secure" - - "traefik.http.routers.minio-router.rule=Host(`drive.${DOMAINNAME}`) || Host(`storage.${DOMAINNAME}`)" - - "traefik.http.routers.minio-router.middlewares=csrf@file" - - "traefik.http.routers.minio-router.tls.certresolver=letsencrypt" - - "traefik.http.routers.minio-router.service=minio_common_service" - - "traefik.http.services.minio_common_service.loadbalancer.server.port=9001" - - "traefik.http.routers.minio-api-router.entrypoints=web-secure" - - 
"traefik.http.routers.minio-api-router.rule=Host(`minio.${DOMAINNAME}`) || Host(`s3.${DOMAINNAME}`)" - - "traefik.http.routers.minio-api-router.middlewares=csrf@file" - - "traefik.http.routers.minio-api-router.tls.certresolver=letsencrypt" - - "traefik.http.routers.minio-api-router.service=minio_api_service" - - "traefik.http.services.minio_api_service.loadbalancer.server.port=9000" - - neo4j_server: - # Docker image to be used - image: ${NEO4J_DOCKER_IMAGE:-neo4j:latest} - restart: unless-stopped - # Environment variables - environment: - NEO4J_AUTH: neo4j/${NEO4J_PASSWORD:-12345678} - NEO4J_dbms.default_listen_address: "0.0.0.0" - NEO4J_dbms.default_advertised_address: "neo4j.${DOMAINNAME}" - NEO4J_dbms.connector.bolt.advertised_address: ":443" - NEO4J_PLUGINS: '["apoc"]' - NEO4J_dbms_security_procedures_unrestricted: "apoc.*" - NEO4J_dbms_security_procedures_allowlist: "apoc.*" - NEO4J_server_memory_pagecache_size: 512M - NEO4J_server_memory_heap_max__size: 2G - DOMAINNAME: ${DOMAINNAME} - user: "1000:1000" - depends_on: - - traefik - volumes: - - neo4j_data:/data - - neo4j_logs:/logs - # Expose ports - expose: - - 7474 - - 7687 - networks: - - net - labels: - - "traefik.enable=true" - - "traefik.http.routers.neo4j-router.entrypoints=web-secure" - - "traefik.http.routers.neo4j-router.rule=Host(`neo4j.${DOMAINNAME}`) && PathPrefix(`/neo4j`)||PathPrefix(`/browser`)" - - "traefik.http.routers.neo4j-router.middlewares=csrf@file, neo4j_strip@file" - - "traefik.http.routers.neo4j-router.tls.certresolver=letsencrypt" - - "traefik.http.routers.neo4j-router.service=neo4j_browser" - - "traefik.http.services.neo4j_browser.loadbalancer.server.port=7474" - - "traefik.http.routers.neo4j-bolt-router.entrypoints=web-secure" - - "traefik.http.routers.neo4j-bolt-router.rule=Host(`neo4j.${DOMAINNAME}`)" - - "traefik.http.routers.neo4j-bolt-router.middlewares=csrf@file" - - "traefik.http.routers.neo4j-bolt-router.tls.certresolver=letsencrypt" - - 
"traefik.http.routers.neo4j-bolt-router.service=neo4j_bolt" - - "traefik.http.services.neo4j_bolt.loadbalancer.server.port=7687" - - "traefik.tcp.routers.neo4j-bolt-router.entrypoints=bolt-socket" - - "traefik.tcp.routers.neo4j-bolt-router.rule=HostSNIRegexp(`^.+\\.furyhawk\\.lol$`)" - - "traefik.tcp.routers.neo4j-bolt-router.tls=true" - - "traefik.tcp.routers.neo4j-bolt-router.tls.certresolver=letsencrypt" - - "traefik.tcp.routers.neo4j-bolt-router.service=neo4j_bolt" - - "traefik.tcp.services.neo4j_bolt.loadbalancer.server.port=7687" - - syncthing: - image: syncthing/syncthing - environment: - - PUID=1000 - - PGID=1000 - - DOMAINNAME=${DOMAINNAME} - restart: unless-stopped - volumes: - - ~/st-sync:/var/syncthing - ports: - - "8384:8384" # Web UI - - "22000:22000/tcp" # TCP file transfers - - "22000:22000/udp" # QUIC file transfers - - "21027:21027/udp" # Receive local discovery broadcasts - networks: - - net - labels: - - "traefik.enable=true" - - "traefik.http.routers.syncthing.entrypoints=web-secure" - - "traefik.http.routers.syncthing.rule=Host(`sync.${DOMAINNAME}`)" - - "traefik.http.routers.syncthing.middlewares=csrf@file" - - "traefik.http.routers.syncthing.tls.certresolver=letsencrypt" - - "traefik.http.routers.syncthing.service=syncthing_service" - - "traefik.http.services.syncthing_service.loadbalancer.server.port=8384" + - traefik-public + deploy: + labels: + - traefik.enable=true + - traefik.docker.network=traefik-public + - traefik.constraint-label=traefik-public + - traefik.http.routers.osrm-backend.entrypoints=https + - traefik.http.routers.osrm-backend.rule=Host(`osrm.${DOMAIN}`) + - traefik.http.routers.osrm-backend.middlewares=ratelimit + - traefik.http.routers.osrm-backend.tls.certresolver=le + - traefik.http.routers.osrm-backend.service=osrm_backend_service + - traefik.http.services.osrm_backend_service.loadbalancer.server.port=${OSRM_PORT:-5000} dozzle: image: amir20/dozzle:latest restart: always environment: - - DOMAINNAME=${DOMAINNAME} + - 
DOMAIN=${DOMAIN} volumes: - /var/run/docker.sock:/var/run/docker.sock:ro - expose: - - 8080 networks: - - net - labels: - - "traefik.enable=true" - - "traefik.http.routers.dozzle.entrypoints=web-secure" - - "traefik.http.routers.dozzle.rule=Host(`log.${DOMAINNAME}`)" - - "traefik.http.routers.dozzle.middlewares=auth@file, csrf@file" - - "traefik.http.routers.dozzle.tls.certresolver=letsencrypt" - - "traefik.http.routers.dozzle.service=dozzle_service" - - "traefik.http.services.dozzle_service.loadbalancer.server.port=8080" + - traefik-public + deploy: + placement: + constraints: + - node.role == manager + labels: + - traefik.enable=true + - traefik.docker.network=traefik-public + - traefik.constraint-label=traefik-public + - traefik.http.routers.dozzle.entrypoints=https + - traefik.http.routers.dozzle.rule=Host(`log.${DOMAIN}`) + - traefik.http.routers.dozzle.middlewares=auth@file + - traefik.http.routers.dozzle.tls.certresolver=le + - traefik.http.routers.dozzle.service=dozzle_service + - traefik.http.services.dozzle_service.loadbalancer.server.port=8080 # WhoAmI - For Testing and Troubleshooting whoami: 
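Review bot: `traefik.http.routers.osrm-backend.middlewares=ratelimit` does not match the middleware name core.yml defines (`rate-limit`, the spelling the api_server hunk uses); Traefik refuses to build a router whose middleware is unknown, so the osrm router will simply be missing. Change it to `traefik.http.routers.osrm-backend.middlewares=rate-limit`. The dozzle router keeps `auth@file`, which needs a file provider that defines `auth`; nothing in this commit enables one (core.yml's command only shows the docker and swarm providers), so unless it exists outside the diff the dozzle router is dropped the same way — `middlewares=admin-auth`, the basic-auth middleware core.yml defines in-provider, is the matching choice. Since dozzle mounts the Docker socket and is pinned to a manager, keep some authentication in front of it rather than removing the reference. This hunk also deletes minio, neo4j and syncthing from the stack; confirm they are intentionally dropped and not just relocated.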
@@ -242,12 +119,20 @@ services:
 - no-new-privileges:true
 restart: unless-stopped
 networks:
- - net
- labels:
- - "traefik.enable=true"
- - "traefik.http.routers.whoami-rtr.entrypoints=web-secure"
- - "traefik.http.routers.whoami-rtr.rule=Host(`whoami.$DOMAINNAME`)"
- - "traefik.http.routers.whoami-rtr.middlewares=csrf@file"
- - "traefik.http.routers.whoami-rtr.tls.certresolver=letsencrypt"
- - "traefik.http.routers.whoami-rtr.service=whoami-svc"
- - "traefik.http.services.whoami-svc.loadbalancer.server.port=80"
+ - traefik-public
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.docker.network=traefik-public
+ - traefik.constraint-label=traefik-public
+ - traefik.http.routers.whoami-rtr.entrypoints=https
+ - traefik.http.routers.whoami-rtr.rule=Host(`whoami.$DOMAIN`)
+ - traefik.http.routers.whoami-rtr.tls.certresolver=le
+ - traefik.http.routers.whoami-rtr.service=whoami-svc
+ - traefik.http.services.whoami-svc.loadbalancer.server.port=80
+
+volumes:
+ postgres_data: {}
+networks:
+ traefik-public:
+ external: true
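Review bot: The whoami router has no middleware at all now that `csrf@file` is gone, so a diagnostic service that (as `traefik/whoami` does) echoes request headers, the container hostname and its overlay addresses sits on a public hostname with no gate. Put it behind the basic-auth middleware core.yml defines, `- traefik.http.routers.whoami-rtr.middlewares=admin-auth`, or leave it out of the stack when not troubleshooting. Minor style: separate the new top-level `volumes:` and `networks:` keys with a blank line, as the rest of the file does between stanzas.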