From e320ebd247104828e27f3769fb9d200612905584 Mon Sep 17 00:00:00 2001
From: git
Date: Wed, 13 Aug 2025 19:55:00 +1000
Subject: [PATCH] modified: gitea/docker-compose.yml modified: nextcloud/docker-compose.yml modified: passbolt/docker-compose.yml modified: searxng/docker-compose.yml modified: traefik/docker-compose.yml
---
gitea/docker-compose.yml | 20 ++++---
nextcloud/docker-compose.yml | 100 ++++++++++++++++++-----------------
passbolt/docker-compose.yml | 41 ++++++++------
searxng/docker-compose.yml | 25 ++++----
traefik/docker-compose.yml | 31 +++++------
5 files changed, 111 insertions(+), 106 deletions(-)
diff --git a/gitea/docker-compose.yml b/gitea/docker-compose.yml
index e6c347b..fcb116e 100644
--- a/gitea/docker-compose.yml
+++ b/gitea/docker-compose.yml
@@ -1,8 +1,6 @@
-#version: '3.8'
services:
gitea:
- image: gitea/gitea:latest
-# container_name: gitea
+ image: gitea/gitea:latest # change to 1-rootless once find out how to move data.
restart: always
environment:
- USER_UID=1000
@@ -12,23 +10,23 @@ services:
volumes:
- ./data:/data
networks:
-# - proxy
- - traefik_default
+ - traefik_reverse_proxy
labels:
- "traefik.enable=true"
- - "traefik.docker.network=proxy"
- "traefik.http.routers.gitea.rule=Host(`gitea.lan.ddnsgeek.com`)"
- "traefik.http.routers.gitea.entrypoints=websecure"
- "traefik.http.routers.gitea.tls=true"
- "traefik.http.routers.gitea.tls.certresolver=myresolver"
- "traefik.http.services.gitea.loadbalancer.server.port=3000"
- "io.portainer.accesscontrol.public"
-
-#volumes:
-# gitea_data:
+ healthcheck:
+ test: ["CMD-SHELL", "wget -qO- http://127.0.0.1:3000/api/v1/version >/dev/null"]
+ interval: 15s
+ timeout: 5s
+ retries: 8
+ start_period: 45s
networks:
- traefik_default:
+ traefik_reverse_proxy:
external: true
diff --git a/nextcloud/docker-compose.yml b/nextcloud/docker-compose.yml
index dc26f5b..c6961c9 100644
--- a/nextcloud/docker-compose.yml
+++ b/nextcloud/docker-compose.yml
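Review bot: `image: gitea/gitea:latest` on the rewritten image line stays on a floating tag while this same commit pins traefik, error-pages and mariadb to a major version, so Gitea alone can still jump a major release on the next pull. Pinning at least the major, `image: gitea/gitea:1 # change to 1-rootless once find out how to move data.`, keeps upgrades explicit and matches the other stacks. The trailing remark would also read better as a TODO above the line, e.g. `# TODO: switch to the rootless image once the data move is worked out`.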
@@ -1,20 +1,10 @@
-#version: "3"
services:
webapp:
- image: nextcloud
+ image: nextcloud:production
deploy:
-# resources:
-# limits:
-# cpus: '0.3'
-# memory: 200m
restart_policy:
condition: on-failure
max_attempts: 5
-# read_only: true
-# tmpfs:
-# - /tmp
-# - /var
-# - /run
restart: always
hostname: nextcloud.lan.ddnsgeek.com
volumes:
@@ -23,9 +13,6 @@ services:
depends_on:
- database
- redis
-# ports:
-# - 8083:80
-# - 4433:443
environment:
- MYSQL_PASSWORD=R1m@dmin
- MYSQL_DATABASE=nextcloud
@@ -45,9 +32,11 @@ services:
- SMTP_PASSWORD=uscdbrjunqmkgglf
- REDIS_HOST=redis
-# - REDIS_HOST_PASSWORD=R1m@dmin
+ - REDIS_HOST_PORT=6379
+ - REDIS_HOST_PASSWORD=${NEXTCLOUD_REDIS_PASSWORD}
networks:
- - traefik_default
+ - traefik_reverse_proxy
+ - internal
labels:
- "traefik.http.routers.nextcloud.rule=Host(`nextcloud.lan.ddnsgeek.com`)"
- "traefik.enable=true"
@@ -62,7 +51,7 @@ services:
- "traefik.http.middlewares.nextcloud-webfinger.redirectregex.permanent=true"
- "traefik.http.middlewares.nextcloud-webfinger.redirectregex.regex=https://(.*)/.well-known/webfinger"
- "traefik.http.middlewares.nextcloud-webfinger.redirectregex.replacement=https://$${1}/nextcloud/index.php/.well-known/webfinger"
-
+ - "traefik.docker.network=traefik_reverse_proxy"
# - "traefik.http.middlewares.nextcloudHeader.headers.stsSeconds=15552000"
# - "traefik.http.middlewares.nextcloudHeader.headers.stsIncludeSubdomains=true"
# - "traefik.http.middlewares.nextcloudHeader.headers.stsPreload=true"
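Review bot: Only the Redis password moves to `${NEXTCLOUD_REDIS_PASSWORD}` in this hunk; `SMTP_PASSWORD=uscdbrjunqmkgglf` two lines above it, and `MYSQL_PASSWORD=R1m@dmin` and `NEXTCLOUD_ADMIN_PASSWORD=R1m@dmin` in this file's other hunks, remain plaintext literals in the committed compose file. They should go through the same substitution, e.g. `- SMTP_PASSWORD=${NEXTCLOUD_SMTP_PASSWORD}` and `- MYSQL_PASSWORD=${NEXTCLOUD_DB_PASSWORD}`, with the values kept in an untracked `.env`. Since the removed line shows `R1m@dmin` was also the previous Redis password and the same value still appears elsewhere in this file, rotating these credentials once they are moved out is the safe follow-up.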
@@ -73,23 +62,33 @@ services:
# - "traefik.http.middlewares.nextcloud_redirectregex.redirectregex.regex='https://(.*)/.well-known/(?:card|cal)dav'"
# - "traefik.http.middlewares.nextcloud_redirectregex.redirectregex.replacement='https://$${1}/remote.php/dav'"
+# healthcheck:
+# test: >
+# CMD-SHELL
+# php -r '$f=fsockopen("127.0.0.1",80,$e,$s,2); if(!$f) exit(1);
+# fwrite($f,"GET /status.php HTTP/1.0\r\nHost: localhost\r\n\r\n");
+# $o=""; while(!feof($f)){$o.=fgets($f,128);} fclose($f);
+# if(strpos($o,"\"installed\":true")===false) exit(1);'
+# test: "curl -fsS http://127.0.0.1/status.php | grep -q '\"installed\":true'"
+# test: >
+# CMD-SHELL
+# 'c=$(curl -fsS -o /dev/null -w "%{http_code}" http://127.0.0.1/status.php) \
+# && [ "$c" -ge 200 ] && [ "$c" -lt 400 ] \
+# && curl -fsS http://127.0.0.1/status.php | grep -q "\"installed\":true"'
+# interval: 15s
+# timeout: 5s
+# retries: 10
+# start_period: 120s
+
+
+
database:
- image: mariadb:11.4
-# image: mariadb
-# read_only: true
-# tmpfs:
-# - /tmp
-# - /var
-# - /run
-# - /docker-entrypoint-initdb.d
+ image: mariadb:12
restart: always
hostname: nextcloud_db
command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
deploy:
-# resources:
-# limits:
-# cpus: '0.3'
-# memory: 300m
restart_policy:
condition: on-failure
max_attempts: 5
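Review bot: `image: mariadb:12` replaces `mariadb:11.4` for a stateful service whose data lives on a host volume, so the first start after this change performs an in-place major upgrade of existing data; the passbolt `db` hunk makes the same jump from 10.11. Unless Nextcloud and Passbolt are confirmed to support MariaDB 12, staying on a supported minor line such as `image: mariadb:11.4` is the lower-risk choice, and whichever version is kept, a backup of the data directory before the first start plus `MARIADB_AUTO_UPGRADE=1` in the service environment (so the image runs the system-table upgrade) are worth adding. Separately, the commented-out healthcheck block added above `database:` — like the commented blocks in the redis, passbolt webapp and searxng hunks — is dead configuration that the history already preserves, so the commit would be clearer without it.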
@@ -104,41 +103,44 @@ services:
- NEXTCLOUD_ADMIN_USER=admin
- NEXTCLOUD_ADMIN_PASSWORD=R1m@dmin
networks:
- - traefik_default
- healthcheck:
- test: "/usr/bin/mysql --user=nextcloud --password=R1m@dmin --execute \"SHOW DATABASES;\""
+ - internal
+# healthcheck:
+# test: "/usr/bin/mysql --user=nextcloud --password=R1m@dmin --execute \"SHOW DATABASES;\""
labels:
- "io.portainer.accesscontrol.public"
+ healthcheck:
+ test: ["CMD-SHELL", "mariadb-admin ping -h 127.0.0.1 -u\"$$MARIADB_USER\" -p\"$$MARIADB_PASSWORD\" --silent"]
+ interval: 10s
+ timeout: 5s
+ retries: 12
+ start_period: 60s
+
+
redis:
image: "redis"
-# read_only: true
-# tmpfs:
-# - /tmp
-# - /var
-# - /run
deploy:
-# resources:
-# limits:
-# cpus: '0.3'
-# memory: 150m
restart_policy:
condition: on-failure
max_attempts: 5
- command: redis-server --save 60 1 --loglevel warning
- environment:
- - REDIS_OVERCOMMIT_MEMORY=1
- - REDIS_ARGS="--requirepass R1m@dmin --user redis on >password ~* allcommands --user default off nopass nocommands"
+ command: ["redis-server", "--requirepass", "${NEXTCLOUD_REDIS_PASSWORD}", "--appendonly", "yes", "--save", "60", "1000"]
hostname: redis
-# user: "linode"
volumes:
- ./data/redis:/data:rw
-# - ./config.yaml:/opt/doods/config.yaml
restart: unless-stopped
networks:
- - traefik_default
+ - internal
labels:
- "io.portainer.accesscontrol.public"
+ # healthcheck:
+ # test: ["CMD-SHELL", "redis-cli -a $$NEXTCLOUD_REDIS_PASSWORD PING | grep -q PONG"]
+ # interval: 10s
+ # timeout: 5s
+# retries: 6
+# start_period: 10s
+
networks:
- traefik_default:
+ traefik_reverse_proxy:
external: true
+ internal:
+ driver: bridge
diff --git a/passbolt/docker-compose.yml b/passbolt/docker-compose.yml
index e1ec411..af0a5c6 100644
--- a/passbolt/docker-compose.yml
+++ b/passbolt/docker-compose.yml
@@ -1,7 +1,6 @@
-#version: "3.9"
services:
db:
- image: mariadb:10.11
+ image: mariadb:12
restart: unless-stopped
environment:
MYSQL_RANDOM_ROOT_PASSWORD: "true"
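Review bot: `"--requirepass", "${NEXTCLOUD_REDIS_PASSWORD}"` in the new redis `command:` is interpolated by Compose at parse time, and an unset variable becomes an empty string with only a warning, which yields `--requirepass ""` — Redis treats an empty password as authentication disabled, so a missing `.env` entry silently removes the protection this commit adds. The required-variable form fails the deploy instead: `"--requirepass", "${NEXTCLOUD_REDIS_PASSWORD:?NEXTCLOUD_REDIS_PASSWORD is not set}"`, and the same form fits the webapp's `REDIS_HOST_PASSWORD` line in the earlier hunk. The value also lands in the container's argv and in inspect output; if that matters, a mounted `redis.conf` carrying `requirepass` keeps it out of the process list.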
@@ -11,12 +10,18 @@ services:
volumes:
- ./data/database:/var/lib/mysql
networks:
- - traefik_default
+ - internal
+ healthcheck:
+ test: ["CMD-SHELL", "mariadb-admin ping -h 127.0.0.1 -u\"$$MARIADB_USER\" -p\"$$MARIADB_PASSWORD\" --silent"]
+ interval: 10s
+ timeout: 5s
+ retries: 12
+ start_period: 60s
+
webapp:
image: passbolt/passbolt:latest-ce
#Alternatively you can use rootless:
- #image: passbolt/passbolt:latest-ce-non-root
restart: unless-stopped
depends_on:
- db
@@ -39,7 +44,8 @@ services:
"/docker-entrypoint.sh",
]
networks:
- - traefik_default
+ - traefik_reverse_proxy
+ - internal
labels:
- "traefik.http.routers.passbolt.rule=Host(`passbolt.lan.ddnsgeek.com`)"
- "traefik.enable=true"
@@ -47,18 +53,21 @@ services:
- "traefik.http.routers.passbolt.tls.certresolver=myresolver"
- "io.portainer.accesscontrol.public"
- "traefik.http.routers.passbolt.middlewares=error-pages-middleware"
+ - "traefik.docker.network=traefik_reverse_proxy"
+
+# healthcheck:
+# test: >
+# CMD-SHELL
+# su -s /bin/sh -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck" www-data
+# | grep -q "No error found"
+# interval: 30s
+# timeout: 10s
+# retries: 6
+# start_period: 120s
-# ports:
-# - 8082:80
-# - 4432:443
- #Alternatively for non-root images:
- # - 80:8080
- # - 443:4433
-#volumes:
-# database_volume:
-# gpg_volume:
-# jwt_volume:
networks:
- traefik_default:
+ traefik_reverse_proxy:
external: true
+ internal:
+ driver: bridge
diff --git a/searxng/docker-compose.yml b/searxng/docker-compose.yml
index 5b08795..479b60f 100644
--- a/searxng/docker-compose.yml
+++ b/searxng/docker-compose.yml
@@ -1,4 +1,3 @@
-#version: "3"
services:
webapp:
image: searxng/searxng
@@ -10,12 +9,8 @@ services:
- /run
hostname: searxng.lan.ddnsgeek.com
networks:
- - traefik_default
+ - traefik_reverse_proxy
deploy:
-# resources:
-# limits:
-# cpus: '0.05'
-# memory: 100m
restart_policy:
condition: on-failure
max_attempts: 5
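Review bot: The new healthcheck passes `-u\"$$MARIADB_USER\" -p\"$$MARIADB_PASSWORD\"`, but the only credential visible in this service's environment uses the `MYSQL_` prefix (`MYSQL_RANDOM_ROOT_PASSWORD` in the previous hunk); the image's entrypoint maps those aliases internally while the healthcheck shell sees only what Compose sets, so unless `MARIADB_USER`/`MARIADB_PASSWORD` are also defined these expand to empty strings. `mariadb-admin ping` is documented to return success whenever the server answers, even on a failed login, so the check then proves liveness rather than that the application user can connect, and it also puts the password on a command line visible in the process list. The same healthcheck is added to the nextcloud `database` service. The official image ships a script that needs no credentials on the command line: `test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]`.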
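Review bot: The new top-level `internal:` network is declared with only `driver: bridge`, so the `db` container, which is attached to nothing else, still gets outbound Internet access through it. Marking it `internal:` / `  driver: bridge` / `  internal: true` confines the database to container-to-container traffic; the webapp keeps its egress through `traefik_reverse_proxy`, assuming nothing in `db` needs to reach out. The nextcloud stack's `internal:` network in the previous file has the same shape and would take the same change.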
@@ -26,12 +21,18 @@ services:
- "traefik.http.routers.searxng.tls.certresolver=myresolver"
- "io.portainer.accesscontrol.public"
- "traefik.http.routers.searxng.middlewares=error-pages-middleware"
-# - "traefik.http.services.searxng.loadbalancer.server.port=8888"
-# ports:
-# - 8081:8080
-# healthcheck:
-# test: "curl --fail http://localhost || exit 1"
+ healthcheck:
+# test: >
+# CMD-SHELL
+# python3 -c "import urllib.request,sys;
+# u=urllib.request.urlopen('http://127.0.0.1:8080/', timeout=2);
+# sys.exit(0 if u.status==200 else 1)"
+ test: ["CMD-SHELL", "python3 -c \"import urllib.request,sys; r=urllib.request.urlopen('http://127.0.0.1:8080/', timeout=3); sys.exit(0 if 200<=r.status<400 else 1)\""]
+ interval: 20s
+ timeout: 5s
+ retries: 8
+ start_period: 30s
networks:
- traefik_default:
+ traefik_reverse_proxy:
external: true
diff --git a/traefik/docker-compose.yml b/traefik/docker-compose.yml
index cd40424..593b289 100644
--- a/traefik/docker-compose.yml
+++ b/traefik/docker-compose.yml
@@ -1,15 +1,10 @@
-#version: '3'
-
services:
reverse-proxy:
restart: always
# The official v2 Traefik docker image
- image: traefik:latest
+ image: traefik:3
read_only: true
hostname: traefik.lan.ddnsgeek.com
-# build:
-# context: .
-# dockerfile: traefik.Dockerfile
depends_on:
- error-pages
# Enables the web UI and tells Traefik to listen to docker
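Review bot: The comment `# The official v2 Traefik docker image` kept directly above the new `image: traefik:3` line now states the wrong major version; `# The official Traefik v3 docker image` keeps it accurate. v2 to v3 is a breaking upgrade of static and dynamic configuration, so the file-provider content in `plugins.yaml` and the label-based routers in the other stacks (only partly visible here) should be checked against the v3 migration notes before this image is pulled.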
@@ -29,27 +24,24 @@ services:
- "--api=true"
- "--api.dashboard=true"
- "--providers.file.filename=/plugins.yaml"
+# - "--ping=true"
+# - "--ping.entrypoint=web"
ports:
# The HTTP port
- "192.168.2.249:80:80"
- "192.168.2.249:443:443"
- # The Web UI (enabled by --api.insecure=true)
-# - "8080:8080"
volumes:
# So that Traefik can listen to the Docker events
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./data/letsencrypt:/letsencrypt:rw
- ./data/plugins.yaml:/plugins.yaml:ro
deploy:
-# resources:
-# limits:
-# cpus: '0.05'
-# memory: 200m
restart_policy:
condition: on-failure
max_attempts: 5
healthcheck:
- test: traefik healthcheck --ping
+ test: traefik healthcheck --ping
+
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.rule=Host(`traefik.lan.ddnsgeek.com`)"
@@ -60,9 +52,11 @@ services:
- "traefik.http.routers.traefik.tls.certresolver=myresolver"
- "traefik.http.routers.traefik.tls=true"
- "io.portainer.accesscontrol.public"
+ networks:
+ - reverse_proxy
error-pages:
- image: tarampampam/error-pages:latest # Using the latest tag is highly discouraged. Please, use tags in X.Y.Z format
+ image: tarampampam/error-pages:3 # Using the latest tag is highly discouraged. Please, use tags in X.Y.Z format
read_only: true
environment:
TEMPLATE_NAME: app-down # set the error pages template
@@ -83,11 +77,12 @@ services:
- "traefik.http.services.error-pages-service.loadbalancer.server.port=8080"
- "io.portainer.accesscontrol.public"
deploy:
-# resources:
-# limits:
-# cpus: '0.05'
-# memory: 100m
restart_policy:
condition: on-failure
max_attempts: 5
+ networks:
+ - reverse_proxy
+networks:
+ reverse_proxy:
+ driver: bridge
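Review bot: The healthcheck `test: traefik healthcheck --ping` kept in this hunk only works when the ping endpoint is enabled, and `- "--ping=true"` is added commented out, so `traefik healthcheck` exits non-zero and the container will be reported unhealthy. Uncommenting `- "--ping=true"` is the fix; `--ping.entrypoint=web` should stay out, because by default `/ping` is served on the internal `traefik` entrypoint, which this file does not publish, whereas `web` would expose it on the public port 80. The `command:` list this hunk edits begins above the hunk.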
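Review bot: The new top-level `reverse_proxy:` network with only `driver: bridge` relies on Compose prefixing the project name to produce `traefik_reverse_proxy`, which the gitea, nextcloud, passbolt and searxng stacks declare as an external network; that only holds while this stack's project name is exactly `traefik`, and nothing in the file pins it. Naming it explicitly, `reverse_proxy:` / `  name: traefik_reverse_proxy` / `  driver: bridge`, removes the dependence on the directory name, and the error-pages service's new `networks:` entry keeps working unchanged.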