modified: gitea/docker-compose.yml

modified: nextcloud/docker-compose.yml modified: passbolt/docker-compose.yml modified: searxng/docker-compose.yml modified: traefik/docker-compose.yml
2025-08-13 19:55:00 +10:00
parent a134423c9f
commit e320ebd247
5 changed files with 111 additions and 106 deletions
@@ -1,8 +1,6 @@
-#version: '3.8'
 services:
  gitea:
-    image: gitea/gitea:latest
-#    container_name: gitea
+    image: gitea/gitea:latest # change to 1-rootless once find out how to move data. 
    restart: always
    environment:
      - USER_UID=1000
@@ -12,23 +10,23 @@ services:
    volumes:
      - ./data:/data
    networks:
-#      - proxy
-      - traefik_default
+      - traefik_reverse_proxy

    labels:
      - "traefik.enable=true"
-      - "traefik.docker.network=proxy"
      - "traefik.http.routers.gitea.rule=Host(`gitea.lan.ddnsgeek.com`)"
      - "traefik.http.routers.gitea.entrypoints=websecure"
      - "traefik.http.routers.gitea.tls=true"
      - "traefik.http.routers.gitea.tls.certresolver=myresolver"
      - "traefik.http.services.gitea.loadbalancer.server.port=3000"
      - "io.portainer.accesscontrol.public"
-
-
-#volumes:
-#  gitea_data:
+    healthcheck:
+      test: ["CMD-SHELL", "wget -qO- http://127.0.0.1:3000/api/v1/version >/dev/null"]
+      interval: 15s
+      timeout: 5s
+      retries: 8
+      start_period: 45s

 networks:
-  traefik_default:
+  traefik_reverse_proxy:
    external: true
@@ -1,20 +1,10 @@
-#version: "3"
 services:
  webapp:
-    image: nextcloud
+    image: nextcloud:production
    deploy:
-#      resources:
-#        limits:
-#          cpus: '0.3'
-#          memory: 200m
      restart_policy:
        condition: on-failure
        max_attempts: 5
-#    read_only: true
-#    tmpfs:
-#      - /tmp
-#      - /var
-#      - /run
    restart: always
    hostname: nextcloud.lan.ddnsgeek.com
    volumes:
@@ -23,9 +13,6 @@ services:
    depends_on:
      - database
      - redis
-#    ports:
-#      - 8083:80
-#      - 4433:443
    environment:
      - MYSQL_PASSWORD=R1m@dmin
      - MYSQL_DATABASE=nextcloud
@@ -45,9 +32,11 @@ services:
      - SMTP_PASSWORD=uscdbrjunqmkgglf

      - REDIS_HOST=redis
-#      - REDIS_HOST_PASSWORD=R1m@dmin
+      - REDIS_HOST_PORT=6379
+      - REDIS_HOST_PASSWORD=${NEXTCLOUD_REDIS_PASSWORD}
    networks:
-      - traefik_default
+      - traefik_reverse_proxy
+      - internal
    labels:
      - "traefik.http.routers.nextcloud.rule=Host(`nextcloud.lan.ddnsgeek.com`)"
      - "traefik.enable=true"
@@ -62,7 +51,7 @@ services:
      - "traefik.http.middlewares.nextcloud-webfinger.redirectregex.permanent=true"
      - "traefik.http.middlewares.nextcloud-webfinger.redirectregex.regex=https://(.*)/.well-known/webfinger"
      - "traefik.http.middlewares.nextcloud-webfinger.redirectregex.replacement=https://$${1}/nextcloud/index.php/.well-known/webfinger"
-
+      - "traefik.docker.network=traefik_reverse_proxy"
 #      - "traefik.http.middlewares.nextcloudHeader.headers.stsSeconds=15552000"
 #      - "traefik.http.middlewares.nextcloudHeader.headers.stsIncludeSubdomains=true"
 #      - "traefik.http.middlewares.nextcloudHeader.headers.stsPreload=true"
@@ -73,23 +62,33 @@ services:
 #      - "traefik.http.middlewares.nextcloud_redirectregex.redirectregex.regex='https://(.*)/.well-known/(?:card|cal)dav'"
 #      - "traefik.http.middlewares.nextcloud_redirectregex.redirectregex.replacement='https://$${1}/remote.php/dav'"

+#    healthcheck:
+#      test: >
+#        CMD-SHELL
+#        php -r '$f=fsockopen("127.0.0.1",80,$e,$s,2); if(!$f) exit(1);
+#        fwrite($f,"GET /status.php HTTP/1.0\r\nHost: localhost\r\n\r\n");
+#        $o=""; while(!feof($f)){$o.=fgets($f,128);} fclose($f);
+#        if(strpos($o,"\"installed\":true")===false) exit(1);'
+#      test: "curl -fsS http://127.0.0.1/status.php | grep -q '\"installed\":true'"
+#      test: >
+#        CMD-SHELL
+#        'c=$(curl -fsS -o /dev/null -w "%{http_code}" http://127.0.0.1/status.php) \
+#         && [ "$c" -ge 200 ] && [ "$c" -lt 400 ] \
+#         && curl -fsS http://127.0.0.1/status.php | grep -q "\"installed\":true"'
+#      interval: 15s
+#      timeout: 5s
+#      retries: 10
+#      start_period: 120s
+
+
+
+
  database:
-    image: mariadb:11.4
-#    image: mariadb
-#    read_only: true
-#    tmpfs:
-#      - /tmp
-#      - /var
-#      - /run
-#      - /docker-entrypoint-initdb.d
+    image: mariadb:12
    restart: always
    hostname: nextcloud_db
    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
    deploy:
-#      resources:
-#        limits:
-#          cpus: '0.3'
-#          memory: 300m
      restart_policy:
        condition: on-failure
        max_attempts: 5
@@ -104,41 +103,44 @@ services:
      - NEXTCLOUD_ADMIN_USER=admin
      - NEXTCLOUD_ADMIN_PASSWORD=R1m@dmin
    networks:
-      - traefik_default
-    healthcheck:
-      test: "/usr/bin/mysql --user=nextcloud --password=R1m@dmin --execute \"SHOW DATABASES;\""
+      - internal
+#    healthcheck:
+#      test: "/usr/bin/mysql --user=nextcloud --password=R1m@dmin --execute \"SHOW DATABASES;\""
    labels:
      - "io.portainer.accesscontrol.public"
+    healthcheck:
+      test: ["CMD-SHELL", "mariadb-admin ping -h 127.0.0.1 -u\"$$MARIADB_USER\" -p\"$$MARIADB_PASSWORD\" --silent"]
+      interval: 10s
+      timeout: 5s
+      retries: 12
+      start_period: 60s
+
+
  redis:
    image: "redis"
-#    read_only: true
-#    tmpfs:
-#      - /tmp
-#      - /var
-#      - /run
    deploy:
-#      resources:
-#        limits:
-#          cpus: '0.3'
-#          memory: 150m
      restart_policy:
        condition: on-failure
        max_attempts: 5
-    command: redis-server --save 60 1 --loglevel warning
-    environment:
-      - REDIS_OVERCOMMIT_MEMORY=1
-      - REDIS_ARGS="--requirepass R1m@dmin --user redis on >password ~* allcommands --user default off nopass nocommands"
+    command: ["redis-server", "--requirepass", "${NEXTCLOUD_REDIS_PASSWORD}", "--appendonly", "yes", "--save", "60", "1000"]
    hostname: redis
-#    user: "linode"
    volumes:
      - ./data/redis:/data:rw
-#      - ./config.yaml:/opt/doods/config.yaml
    restart: unless-stopped
    networks:
-      - traefik_default
+      - internal
    labels:
      - "io.portainer.accesscontrol.public"
+ #   healthcheck:
+ #     test: ["CMD-SHELL", "redis-cli -a $$NEXTCLOUD_REDIS_PASSWORD PING | grep -q PONG"]
+ #     interval: 10s
+ #     timeout: 5s
+#      retries: 6
+#      start_period: 10s
+

 networks:
-  traefik_default:
+  traefik_reverse_proxy:
    external: true
+  internal:
+    driver: bridge
@@ -1,7 +1,6 @@
-#version: "3.9"
 services:
  db:
-    image: mariadb:10.11
+    image: mariadb:12
    restart: unless-stopped
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
@@ -11,12 +10,18 @@ services:
    volumes:
      - ./data/database:/var/lib/mysql
    networks:
-      - traefik_default
+      - internal
+    healthcheck:
+      test: ["CMD-SHELL", "mariadb-admin ping -h 127.0.0.1 -u\"$$MARIADB_USER\" -p\"$$MARIADB_PASSWORD\" --silent"]
+      interval: 10s
+      timeout: 5s
+      retries: 12
+      start_period: 60s
+

  webapp:
    image: passbolt/passbolt:latest-ce
    #Alternatively you can use rootless:
-    #image: passbolt/passbolt:latest-ce-non-root
    restart: unless-stopped
    depends_on:
      - db
@@ -39,7 +44,8 @@ services:
        "/docker-entrypoint.sh",
      ]
    networks:
-      - traefik_default
+      - traefik_reverse_proxy
+      - internal
    labels:
      - "traefik.http.routers.passbolt.rule=Host(`passbolt.lan.ddnsgeek.com`)"
      - "traefik.enable=true"
@@ -47,18 +53,21 @@ services:
      - "traefik.http.routers.passbolt.tls.certresolver=myresolver"
      - "io.portainer.accesscontrol.public"
      - "traefik.http.routers.passbolt.middlewares=error-pages-middleware"
+      - "traefik.docker.network=traefik_reverse_proxy"
+
+#    healthcheck:
+#      test: >
+#        CMD-SHELL
+#        su -s /bin/sh -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck" www-data
+#        | grep -q "No error found"
+#      interval: 30s
+#      timeout: 10s
+#      retries: 6
+#      start_period: 120s

-#    ports:
-#      - 8082:80
-#      - 4432:443
-    #Alternatively for non-root images:
-    # - 80:8080
-    # - 443:4433

-#volumes:
-#  database_volume:
-#  gpg_volume:
-#  jwt_volume:
 networks:
-  traefik_default:
+  traefik_reverse_proxy:
    external: true
+  internal:
+    driver: bridge
@@ -1,4 +1,3 @@
-#version: "3"
 services:
  webapp:
    image: searxng/searxng
@@ -10,12 +9,8 @@ services:
      - /run
    hostname: searxng.lan.ddnsgeek.com
    networks:
-      - traefik_default
+      - traefik_reverse_proxy
    deploy:
-#      resources:
-#        limits:
-#          cpus: '0.05'
-#          memory: 100m
      restart_policy:
        condition: on-failure
        max_attempts: 5
@@ -26,12 +21,18 @@ services:
       - "traefik.http.routers.searxng.tls.certresolver=myresolver"
       - "io.portainer.accesscontrol.public"
       - "traefik.http.routers.searxng.middlewares=error-pages-middleware"
-#       - "traefik.http.services.searxng.loadbalancer.server.port=8888"
-#    ports:
-#      - 8081:8080
-#    healthcheck:
-#      test: "curl --fail http://localhost || exit 1"
+    healthcheck:
+#      test: >
+#        CMD-SHELL
+#        python3 -c "import urllib.request,sys;
+#        u=urllib.request.urlopen('http://127.0.0.1:8080/', timeout=2);
+#        sys.exit(0 if u.status==200 else 1)"
+      test: ["CMD-SHELL", "python3 -c \"import urllib.request,sys; r=urllib.request.urlopen('http://127.0.0.1:8080/', timeout=3); sys.exit(0 if 200<=r.status<400 else 1)\""]
+      interval: 20s
+      timeout: 5s
+      retries: 8
+      start_period: 30s

 networks:
-  traefik_default:
+  traefik_reverse_proxy:
    external: true
@@ -1,15 +1,10 @@
-#version: '3'
-
 services:
  reverse-proxy:
    restart: always
    # The official v2 Traefik docker image
-    image: traefik:latest
+    image: traefik:3
    read_only: true
    hostname: traefik.lan.ddnsgeek.com
-#    build:
-#      context: .
-#      dockerfile: traefik.Dockerfile
    depends_on:
      - error-pages
    # Enables the web UI and tells Traefik to listen to docker
@@ -29,27 +24,24 @@ services:
      - "--api=true"
      - "--api.dashboard=true"
      - "--providers.file.filename=/plugins.yaml"
+#      - "--ping=true"
+#      - "--ping.entrypoint=web"
    ports:
      # The HTTP port
      - "192.168.2.249:80:80"
      - "192.168.2.249:443:443"
-      # The Web UI (enabled by --api.insecure=true)
-#      - "8080:8080"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/letsencrypt:/letsencrypt:rw
      - ./data/plugins.yaml:/plugins.yaml:ro
    deploy:
-#      resources:
-#        limits:
-#          cpus: '0.05'
-#          memory: 200m
      restart_policy:
        condition: on-failure
        max_attempts: 5
    healthcheck:
-      test: traefik healthcheck --ping 
+      test: traefik healthcheck --ping
+
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.lan.ddnsgeek.com`)"
@@ -60,9 +52,11 @@ services:
      - "traefik.http.routers.traefik.tls.certresolver=myresolver"
      - "traefik.http.routers.traefik.tls=true"
      - "io.portainer.accesscontrol.public"
+    networks:
+      - reverse_proxy

  error-pages:
-    image: tarampampam/error-pages:latest # Using the latest tag is highly discouraged. Please, use tags in X.Y.Z format
+    image: tarampampam/error-pages:3 # Using the latest tag is highly discouraged. Please, use tags in X.Y.Z format
    read_only: true
    environment:
      TEMPLATE_NAME: app-down # set the error pages template
@@ -83,11 +77,12 @@ services:
      - "traefik.http.services.error-pages-service.loadbalancer.server.port=8080"
      - "io.portainer.accesscontrol.public"
    deploy:
-#      resources:
-#        limits:
-#          cpus: '0.05'
-#          memory: 100m
      restart_policy:
        condition: on-failure
        max_attempts: 5
+    networks:
+      - reverse_proxy

+networks:
+  reverse_proxy:
+    driver: bridge