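---
# Host-level compose stack: reverse proxy (traefik), log-driven banning
# (fail2ban), backups (kopia, kopia-gcp) and S3-compatible storage (minio).
# Application stacks are pulled in via `include`; they attach to Traefik
# through container labels, which is why exposedbydefault is disabled below.
include:
  - apps.yml
  - developer.yml
  - llm.yml
  - monitoring.yml
  - vms.yml

services:
  traefik:
    image: "traefik:v3.4"
    container_name: "traefik"
    restart: unless-stopped
    command:
      # HTTPS TSL stuff
      - "--providers.docker=true"
      # Only containers carrying traefik.enable=true get a router.
      - "--providers.docker.exposedbydefault=false"
      - "--entryPoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=adrien.bouvais.pro@gmail.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"  # Relative path on SSD
      # Enable Traefik API and Dashboard (securely): api.insecure is deliberately
      # not set, so the dashboard is only reachable through the `dashboard`
      # router below, which carries the `auth` basicauth middleware.
      - "--api.dashboard=true"
      - "--metrics.prometheus=true"
      - "--metrics.prometheus.buckets=0.1,0.3,1.2,5.0"
      # Raw TCP entrypoint; the router that uses it is defined in an included file, not here.
      - "--entryPoints.ssh.address=:2101"
      # Logs - Traefik writes its logs to /logs within the container, which maps
      # to ./hdd0/logs on the host (see volumes below; fail2ban mounts the same
      # directory read-only).
      - "--accesslog=true"
      - "--accesslog.format=json"
      - "--accesslog.filepath=/logs/access.log"
      # Unbuffered so entries hit the file immediately — presumably for the
      # fail2ban tailer; confirm before raising this.
      - "--accesslog.bufferingSize=0"
    ports:
      # Published in host mode so the real client address (not the docker
      # bridge gateway) is what the access log records and fail2ban bans.
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 2101
        published: 2101
        protocol: tcp
        mode: host
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # Credential file is only read by the basicauth middleware; mount read-only.
      - "./config/users.cred:/users.cred:ro"
      - "./hdd0/logs:/logs"
    labels:
      - "traefik.enable=true"
      # Dashboard Router
      - "traefik.http.routers.dashboard.rule=Host(`traefik.bouvais.lu`)"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=auth@docker"
      - "traefik.http.routers.dashboard.tls.certresolver=myresolver"
      # Traefik Middleware
      - "traefik.http.middlewares.auth.basicauth.usersfile=/users.cred"
      # NOTE(review): `ratelimit` is declared here but no router in this file
      # references it; it is either attached from an included file or unused.
      - "traefik.http.middlewares.ratelimit.ratelimit.average=20"
      - "traefik.http.middlewares.ratelimit.ratelimit.burst=40"
      # bouvais.lu redirection
      - "traefik.http.routers.bouvais-redirect.rule=Host(`bouvais.lu`)"
      - "traefik.http.routers.bouvais-redirect.entrypoints=websecure"
      - "traefik.http.routers.bouvais-redirect.middlewares=redirect-to-gitea@docker"
      - "traefik.http.routers.bouvais-redirect.tls.certresolver=myresolver"
      # Group 2 of the regex is the request path; `$$` is compose's escape for a literal `$`.
      - "traefik.http.middlewares.redirect-to-gitea.redirectregex.regex=^https?://(www\\.)?bouvais\\.lu(.*)"
      - "traefik.http.middlewares.redirect-to-gitea.redirectregex.replacement=https://git.bouvais.lu$${2}"
      - "traefik.http.middlewares.redirect-to-gitea.redirectregex.permanent=true"

  fail2ban:
    image: crazymax/fail2ban:1.1.0
    container_name: fail2ban
    restart: unless-stopped
    # Host network plus NET_ADMIN/NET_RAW so the container can insert iptables
    # rules into the host firewall.
    cap_add:
      - NET_ADMIN
      - NET_RAW
    network_mode: host
    volumes:
      - "./hdd0/fail2ban/data:/data"
      - "./hdd0/fail2ban/log:/var/log"
      # Traefik's access log, read-only; the jail definitions are not in this file.
      - "./hdd0/logs:/logs:ro"
      - "/etc/localtime:/etc/localtime:ro"
      - "/etc/timezone:/etc/timezone:ro"
    environment:
      # Bans go into DOCKER-USER so they also apply to traffic forwarded to containers.
      - F2B_IPTABLES_CHAIN=DOCKER-USER

  kopia:
    # NOTE(review): `latest` is unpinned; pin a version (or digest) so a pull
    # cannot silently change the backup tool.
    image: kopia/kopia:latest
    container_name: kopia
    restart: unless-stopped
    command:
      - server
      - start
      # --insecure = plain HTTP on the container port. TLS is terminated by
      # Traefik and the port is not published on the host.
      - --insecure
      - --address=0.0.0.0:51515
      - --server-username=adrien
      # NOTE(review): a password passed as a CLI argument is visible in
      # `docker inspect` and the container's process list; consider the
      # environment/secret form supported by the image.
      - --server-password=${MASTER_PASSWORD}
    environment:
      # NOTE(review): MASTER_PASSWORD is reused for the repository password,
      # the server password and the MinIO root password below — one leak
      # compromises all three. Separate secrets are preferable.
      KOPIA_PASSWORD: ${MASTER_PASSWORD}
      USER: "adrien"
    volumes:
      - ./config/kopia:/app/config
      - ./cache/kopia:/app/cache
      - ./hdd0/logs/:/app/logs
      - ./hdd0:/hdd0
      - ./hdd0_backups/kopia/dir:/repository
      # `shared` bind propagation — presumably needed for mounts created inside
      # the container to be visible on the host; confirm before tightening.
      - ./hdd0_backups/kopia/shared:/tmp:shared
    labels:
      - "traefik.enable=true"
      # No Traefik auth middleware here; access relies on kopia's own
      # server-username/server-password login.
      - "traefik.http.routers.kopia.rule=Host(`kopia.bouvais.lu`)"
      - "traefik.http.routers.kopia.entrypoints=websecure"
      - "traefik.http.routers.kopia.tls.certresolver=myresolver"
      - "traefik.http.services.kopia.loadbalancer.server.port=51515"

  kopia-gcp:
    # NOTE(review): unpinned `latest` tag, same remark as for `kopia`.
    image: kopia/kopia:latest
    container_name: kopia-gcp
    restart: unless-stopped
    command:
      - server
      - start
      - --insecure
      - --address=0.0.0.0:51516
      - --server-username=adrien
      # NOTE(review): password on the command line, same remark as for `kopia`.
      - --server-password=${MASTER_PASSWORD}
    environment:
      KOPIA_PASSWORD: ${MASTER_PASSWORD}
      USER: "adrien"
    volumes:
      - ./config/kopia-gcp:/app/config
      - ./cache/kopia-gcp:/app/cache
      - ./hdd0/logs/gcp:/app/logs
      - ./hdd0:/hdd0
      # GCP service-account key is only read; mount read-only so a compromised
      # container cannot alter it.
      - ./kopia-gcp-key.json:/cred.json:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.kopia_gcp.rule=Host(`kopia-gcp.bouvais.lu`)"
      - "traefik.http.routers.kopia_gcp.entrypoints=websecure"
      - "traefik.http.routers.kopia_gcp.tls.certresolver=myresolver"
      - "traefik.http.services.kopia_gcp.loadbalancer.server.port=51516"

  minio:
    # NOTE(review): unpinned `latest` tag, same remark as for `kopia`.
    image: minio/minio:latest
    container_name: minio
    restart: unless-stopped
    environment:
      MINIO_ROOT_USER: adrien
      # Shares MASTER_PASSWORD with the kopia services (see note on `kopia`).
      MINIO_ROOT_PASSWORD: ${MASTER_PASSWORD}
    # The quotes around :9001 are part of the value and are passed to minio verbatim.
    command: server /data --console-address ":9001"
    volumes:
      - ./hdd0/minio_data:/data
    labels:
      - "traefik.enable=true"
      # Router and service for the MinIO API
      - "traefik.http.routers.minio-api.rule=Host(`minio-api.bouvais.lu`)"
      - "traefik.http.routers.minio-api.entrypoints=websecure"
      - "traefik.http.routers.minio-api.tls.certresolver=myresolver"
      - "traefik.http.services.minio-api-service.loadbalancer.server.port=9000"
      - "traefik.http.routers.minio-api.service=minio-api-service"
      # Router and service for the MinIO Console (WebUI)
      - "traefik.http.routers.minio-console.rule=Host(`minio-console.bouvais.lu`)"
      - "traefik.http.routers.minio-console.entrypoints=websecure"
      - "traefik.http.routers.minio-console.tls.certresolver=myresolver"
      - "traefik.http.services.minio-console-service.loadbalancer.server.port=9001"
      - "traefik.http.routers.minio-console.service=minio-console-service"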