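# Compose project "core": Traefik ingress with Authelia forward-auth and
# CrowdSec, a monitoring stack (Prometheus/Grafana/InfluxDB/exporters) and a
# set of self-hosted apps (Gitea, Nextcloud, Passbolt, Gramps, SearXNG).
# The layout follows `docker compose config` output: absolute host paths,
# long-form volumes/ports, explicit `depends_on` conditions and `profiles`
# so that subsets (core, monitoring, apps, ...) can be started on their own.
#
# Credential handling: every secret is file-backed (top-level `secrets:`)
# and mounted under /run/secrets, consumed through *_FILE environment
# variables or `$$(cat ...)` in commands. Plain-text secrets in
# `environment:` are a defect; the only one this file used to carry
# (the Gitea runner registration token) has been moved to a secret file.
---
name: core
services:
  # Single sign-on / forward-auth provider for the admin routers below.
  authelia:
    profiles:
      - core
      - all
      - authelia
      - traefik
    build:
      context: /home/nixos/docker/core/authelia
      dockerfile: Dockerfile
    container_name: authelia
    image: authelia/authelia
    labels:
      io.portainer.accesscontrol.public: ""
      traefik.enable: "true"
      # Forward-auth middleware referenced by the influxdb, node-red,
      # prometheus and traefik routers. /api/verify is Authelia's legacy
      # endpoint; newer releases document /api/authz/forward-auth — confirm
      # against the version built from the Dockerfile above.
      traefik.http.middlewares.authelia.forwardauth.address: http://authelia:9091/api/verify?rd=https://auth.lan.ddnsgeek.com/
      traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: Remote-User,Remote-Groups
      traefik.http.middlewares.authelia.forwardauth.maxResponseBodySize: "2097152"
      # Passes the incoming X-Forwarded-* headers to Authelia. Whether client
      # supplied values are stripped first depends on the entrypoint's
      # forwardedHeaders settings in traefik.yml (not visible here).
      traefik.http.middlewares.authelia.forwardauth.trustForwardHeader: "true"
      traefik.http.routers.authelia.entrypoints: websecure
      traefik.http.routers.authelia.rule: Host(`auth.lan.ddnsgeek.com`)
      traefik.http.routers.authelia.tls: "true"
      traefik.http.routers.authelia.tls.certresolver: myresolver
    networks:
      traefik: null
    restart: always
    volumes:
      - type: bind
        source: /home/nixos/docker/core/authelia
        target: /config
        bind:
          create_host_path: true

  # CrowdSec agent parsing the Traefik access logs (mounted read-only).
  crowdsec:
    profiles:
      - core
      - all
      - crowdsec
      - traefik
    build:
      context: /home/nixos/docker/core/crowdsec
      dockerfile: Dockerfile
    container_name: crowdsec
    environment:
      COLLECTIONS: crowdsecurity/traefik
    healthcheck:
      test:
        - CMD-SHELL
        - cscli metrics || exit 1
      timeout: 10s
      interval: 30s
      retries: 3
      start_period: 15s
    networks:
      traefik: null
    restart: always
    volumes:
      - type: bind
        source: /home/nixos/docker/core/crowdsec/logs
        target: /logs
        read_only: true
        bind:
          create_host_path: true
      - type: bind
        source: /home/nixos/docker/core/crowdsec/data
        target: /var/lib/crowdsec/data
        bind:
          create_host_path: true
      - type: bind
        source: /home/nixos/docker/core/crowdsec/config
        target: /etc/crowdsec
        bind:
          create_host_path: true

  # Single broker for every service that needs the Docker API; the socket is
  # mounted read-only and only here. The grant below is wide: POST + EXEC +
  # CONTAINERS lets a client start, stop and exec into any container, which
  # is equivalent to root on the host, and SECRETS/SWARM/NODES/SERVICES/TASKS
  # are Swarm-only and unused by a compose stack. Portainer is the only
  # consumer that plausibly needs most of this; a second, read-only proxy
  # (POST=0, EXEC=0) for the exporters, uptime-kuma, node-red and telegraf
  # would shrink the blast radius. Left unchanged here because each
  # consumer's exact needs are not visible in this file.
  docker-socket-proxy:
    profiles:
      - monitoring
      - all
      - docker-socket-proxy
      - core
      - traefik
      - prometheus
    cap_drop:
      - ALL
    container_name: docker-socket-proxy
    environment:
      ALLOW_RESTARTS: "1"
      ALLOW_START: "1"
      ALLOW_STOP: "1"
      AUTH: "1"
      BUILD: "0"
      COMMIT: "0"
      CONFIGS: "0"
      CONTAINERS: "1"
      DELETE: "1"
      DISABLE_IPV6: "0"
      DISTRIBUTION: "1"
      EVENTS: "1"
      EXEC: "1"
      IMAGES: "1"
      INFO: "1"
      LOG_LEVEL: info
      NETWORKS: "1"
      NODES: "1"
      PING: "1"
      PLUGINS: "0"
      POST: "1"
      SECRETS: "1"
      SERVICES: "1"
      SESSION: "0"
      SWARM: "1"
      SYSTEM: "1"
      TASKS: "1"
      VERSION: "1"
      VOLUMES: "1"
    hostname: docker-socket-proxy
    image: tecnativa/docker-socket-proxy:latest
    networks:
      monitor: null
      traefik: null
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    volumes:
      - type: bind
        source: /var/run/docker.sock
        target: /var/run/docker.sock
        read_only: true
        bind:
          create_host_path: true

  # Custom exporter (built locally) reporting image-update status on :9105.
  docker-update-exporter:
    profiles:
      - monitoring
      - all
      - docker-exporter
      - prometheus
    build:
      context: /home/nixos/docker/monitoring/docker-exporter
      dockerfile: Dockerfile
    cap_drop:
      - ALL
    container_name: docker-update-exporter
    depends_on:
      docker-socket-proxy:
        condition: service_started
        required: true
    environment:
      DOCKER_HOST: tcp://docker-socket-proxy:2375
      LOG_LEVEL: INFO
    healthcheck:
      test:
        - CMD
        - python
        - -c
        - import urllib.request; urllib.request.urlopen('http://localhost:9105/metrics')
      timeout: 5s
      interval: 30s
      retries: 3
      start_period: 10s
    networks:
      monitor: null
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    volumes:
      # Host registry credentials (read-only) — presumably for authenticated
      # manifest lookups; verify the exporter actually needs them.
      - type: bind
        source: /root/.docker/config.json
        target: /root/.docker/config.json
        read_only: true
        bind:
          create_host_path: true
      - type: bind
        source: /home/nixos/docker/monitoring/docker-exporter/data
        target: /data
        bind:
          create_host_path: true
      # The whole compose tree, which includes /home/nixos/docker/secrets/
      # (see top-level `secrets:`), so this container can read every secret
      # file. Mounting only the directories it parses, or moving the secrets
      # directory out of the tree, would remove that exposure.
      - type: bind
        source: /home/nixos/docker
        target: /compose
        read_only: true
        bind:
          create_host_path: true

  # Custom error pages served through a Traefik errors middleware.
  error-pages:
    profiles:
      - core
      - all
      - error-pages
      - traefik
    container_name: error-pages
    environment:
      TEMPLATE_NAME: app-down
    hostname: error-pages
    image: tarampampam/error-pages:3
    labels:
      io.portainer.accesscontrol.public: ""
      traefik.enable: "true"
      traefik.http.middlewares.error-pages-middleware.errors.query: /{status}.html
      traefik.http.middlewares.error-pages-middleware.errors.service: error-pages-service
      traefik.http.middlewares.error-pages-middleware.errors.status: 400-599
      # Catch-all router on the plain-HTTP entrypoint only. The
      # `{host:.+}` form is Traefik v2 rule syntax; with image traefik:3 it
      # needs either a v2 defaultRuleSyntax in traefik.yml or the v3 form
      # HostRegexp(`^.+$`) — confirm which applies. The middleware is not
      # attached to any other router in this file; it may be referenced from
      # traefik.yml/dynamic.yml instead.
      traefik.http.routers.error-pages-router.entrypoints: web
      traefik.http.routers.error-pages-router.middlewares: error-pages-middleware
      traefik.http.routers.error-pages-router.rule: HostRegexp(`{host:.+}`)
      traefik.http.services.error-pages-service.loadbalancer.server.port: "8080"
    networks:
      traefik: null
    read_only: true
    restart: always

  # Gitea with Actions enabled; the runner below registers against it.
  gitea:
    profiles:
      - apps
      - all
      - gitea
    container_name: gitea
    environment:
      GITEA__actions__ENABLED: "true"
      GITEA__database__DB_TYPE: sqlite3
      GITEA__server__ROOT_URL: https://gitea.lan.ddnsgeek.com/
      USER_GID: "1000"
      USER_UID: "1000"
    healthcheck:
      test:
        - CMD-SHELL
        - curl -fsS http://localhost:3000/api/healthz >/dev/null
      timeout: 5s
      interval: 30s
      retries: 6
      start_period: 2m0s
    image: gitea/gitea:latest
    labels:
      io.portainer.accesscontrol.public: ""
      traefik.docker.network: core_traefik
      traefik.enable: "true"
      traefik.http.routers.gitea.entrypoints: websecure
      traefik.http.routers.gitea.rule: Host(`gitea.lan.ddnsgeek.com`)
      traefik.http.routers.gitea.tls: "true"
      traefik.http.routers.gitea.tls.certresolver: myresolver
      traefik.http.services.gitea.loadbalancer.server.port: "3000"
    networks:
      traefik: null
    restart: always
    volumes:
      - type: bind
        source: /home/nixos/docker/apps/gitea/data
        target: /data
        bind:
          create_host_path: true

  # Gitea Actions runner. Jobs it executes run repository-controlled code and
  # the runner reaches the Docker API through docker-socket-proxy (which
  # grants POST/EXEC), so any workflow it accepts is effectively host-level;
  # restrict which repositories may use it and keep it off networks it does
  # not need.
  gitea-runner:
    profiles:
      - apps
      - all
      - gitea
      - ci
    container_name: gitea-runner
    depends_on:
      docker-socket-proxy:
        condition: service_started
        required: true
      gitea:
        condition: service_started
        required: true
    environment:
      DOCKER_HOST: tcp://docker-socket-proxy:2375
      GITEA_INSTANCE_URL: https://gitea.lan.ddnsgeek.com/
      GITEA_RUNNER_LABELS: ubuntu-latest:docker://node:20-bookworm,ubuntu-22.04:docker://node:20-bookworm,linux:docker://node:20-bookworm,docker:docker://docker:cli
      GITEA_RUNNER_NAME: docker-runner-01
      # The registration token was previously inlined here as a plain value.
      # act_runner's entrypoint reads GITEA_RUNNER_REGISTRATION_TOKEN_FILE, so
      # it is now supplied like every other credential in this stack. A token
      # that was committed in clear text should be treated as exposed:
      # regenerate it in Gitea before using this file.
      GITEA_RUNNER_REGISTRATION_TOKEN_FILE: /run/secrets/gitea_runner_registration_token
    image: gitea/act_runner:latest
    networks:
      traefik: null
    restart: always
    secrets:
      - source: gitea_runner_registration_token
        target: /run/secrets/gitea_runner_registration_token
    volumes:
      - type: bind
        source: /home/nixos/docker/apps/gitea/runner-data
        target: /data
        bind:
          create_host_path: true

  # Push-notification server; registration disabled, exposed behind mTLS.
  gotify:
    profiles:
      - monitoring
      - all
      - gotify
    container_name: gotify
    environment:
      GOTIFY_DEFAULTUSER_NAME: dummy-user
      GOTIFY_DEFAULTUSER_PASS: dummy-user
      GOTIFY_REGISTRATION: "false"
      TZ: Australia/Brisbane
    image: gotify/server:latest
    labels:
      io.portainer.accesscontrol.public: ""
      traefik.docker.network: core_traefik
      traefik.enable: "true"
      traefik.http.routers.gotify.entrypoints: websecure
      traefik.http.routers.gotify.rule: Host(`gotify.lan.ddnsgeek.com`)
      traefik.http.routers.gotify.tls.certresolver: myresolver
      traefik.http.routers.gotify.tls.options: mtls-private-admin@file
      traefik.http.services.gotify.loadbalancer.server.port: "80"
    networks:
      traefik: null
    restart: always
    volumes:
      - type: bind
        source: /home/nixos/docker/monitoring/gotify/data
        target: /app/data
        bind:
          create_host_path: true

  grafana:
    profiles:
      - monitoring
      - all
      - grafana
    container_name: grafana
    environment:
      GF_SERVER_ROOT_URL: https://grafana.lan.ddnsgeek.com/
    healthcheck:
      test:
        - CMD
        - wget
        - --spider
        - -q
        - http://localhost:3000/api/health
      timeout: 10s
      interval: 30s
      retries: 3
      start_period: 30s
    image: grafana/grafana:latest
    labels:
      io.portainer.accesscontrol.public: ""
      traefik.docker.network: core_traefik
      traefik.enable: "true"
      traefik.http.routers.grafana.entrypoints: websecure
      traefik.http.routers.grafana.rule: Host(`grafana.lan.ddnsgeek.com`)
      traefik.http.routers.grafana.tls.certresolver: myresolver
      traefik.http.routers.grafana.tls.options: mtls-private-admin@file
      traefik.http.services.grafana.loadbalancer.server.port: "3000"
    networks:
      monitor: null
      traefik: null
    restart: unless-stopped
    volumes:
      - type: bind
        source: /home/nixos/docker/monitoring/grafana/data
        target: /var/lib/grafana
        bind:
          create_host_path: true

  # Valkey (Redis-compatible) broker/cache for Gramps Web; only on the
  # private gramps network, no authentication configured.
  gramps-redis:
    profiles:
      - apps
      - all
      - gramps
    container_name: gramps-redis
    healthcheck:
      test:
        - CMD-SHELL
        - valkey-cli -h 127.0.0.1 -p 6379 ping | grep -q PONG
      timeout: 5s
      interval: 10s
      retries: 6
      start_period: 10s
    image: valkey/valkey:8-alpine
    networks:
      gramps: null
    restart: always

  # Gramps Web API/UI. The environment block is duplicated verbatim in
  # grampsweb_celery; keep the two in sync (an anchor would do, but compose
  # config output does not preserve them).
  grampsweb:
    profiles:
      - apps
      - all
      - gramps
    container_name: gramps-web
    depends_on:
      gramps-redis:
        condition: service_started
        required: true
      grampsweb_celery:
        condition: service_started
        required: true
    environment:
      GRAMPSWEB_BASE_URL: https://familytree.lan.ddnsgeek.com
      GRAMPSWEB_CELERY_CONFIG__broker_url: redis://gramps-redis:6379/0
      GRAMPSWEB_CELERY_CONFIG__result_backend: redis://gramps-redis:6379/0
      GRAMPSWEB_DEFAULT_FROM_EMAIL: beatz174@gmail.com
      GRAMPSWEB_EMAIL_HOST: smtp.gmail.com
      GRAMPSWEB_EMAIL_HOST_PASSWORD: dummy@example.com
      GRAMPSWEB_EMAIL_HOST_USER: dummy@example.com
      GRAMPSWEB_EMAIL_PORT: "587"
      GRAMPSWEB_EMAIL_USE_SSL: "false"
      GRAMPSWEB_EMAIL_USE_STARTTLS: "true"
      GRAMPSWEB_RATELIMIT_STORAGE_URI: redis://gramps-redis:6379/1
      GRAMPSWEB_REGISTRATION_DISABLED: "true"
      GRAMPSWEB_SECRET_KEY: dummy-grampsweb_secret_key
      GRAMPSWEB_TREE: main
      TZ: Australia/Brisbane
    healthcheck:
      test:
        - CMD-SHELL
        - wget -qO- http://127.0.0.1:5000/ >/dev/null
      timeout: 5s
      interval: 30s
      retries: 6
      start_period: 1m0s
    image: ghcr.io/gramps-project/grampsweb:latest
    labels:
      io.portainer.accesscontrol.public: ""
      traefik.docker.network: core_traefik
      traefik.enable: "true"
      traefik.http.routers.gramps.entrypoints: websecure
      traefik.http.routers.gramps.rule: Host(`familytree.lan.ddnsgeek.com`)
      traefik.http.routers.gramps.tls.certresolver: myresolver
      traefik.http.services.gramps.loadbalancer.server.port: "5000"
    networks:
      gramps: null
      traefik: null
    restart: always
    volumes:
      - type: bind
        source: /home/nixos/docker/apps/gramps/data/users
        target: /app/users
        bind:
          create_host_path: true
      - type: bind
        source: /home/nixos/docker/apps/gramps/data/index
        target: /app/indexdir
        bind:
          create_host_path: true
      - type: bind
        source: /home/nixos/docker/apps/gramps/data/thumbnail_cache
        target: /app/thumbnail_cache
        bind:
          create_host_path: true
      - type: bind
        source: /home/nixos/docker/apps/gramps/data/cache
        target: /app/cache
        bind:
          create_host_path: true
      - type: bind
        source: /home/nixos/docker/apps/gramps/data/secret
        target: /app/secret
        bind:
          create_host_path: true
      - type: bind
        source: /home/nixos/docker/apps/gramps/data/db
        target: /root/.gramps/grampsdb
        bind:
          create_host_path: true
      - type: bind
        source: /home/nixos/docker/apps/gramps/data/media
        target: /app/media
        bind:
          create_host_path: true
      - type: bind
        source: /home/nixos/docker/apps/gramps/data/tmp
        target: /tmp
        bind:
          create_host_path: true

  # Celery worker for Gramps Web; same image, environment and data mounts
  # as grampsweb, but not attached to the traefik network.
  grampsweb_celery:
    profiles:
      - apps
      - all
      - gramps
    command:
      - celery
      - -A
      - gramps_webapi.celery
      - worker
      - --loglevel=INFO
      - --concurrency=2
    container_name: gramps-web-celery
    depends_on:
      gramps-redis:
        condition: service_started
        required: true
    environment:
      GRAMPSWEB_BASE_URL: https://familytree.lan.ddnsgeek.com
      GRAMPSWEB_CELERY_CONFIG__broker_url: redis://gramps-redis:6379/0
      GRAMPSWEB_CELERY_CONFIG__result_backend: redis://gramps-redis:6379/0
      GRAMPSWEB_DEFAULT_FROM_EMAIL: beatz174@gmail.com
      GRAMPSWEB_EMAIL_HOST: smtp.gmail.com
      GRAMPSWEB_EMAIL_HOST_PASSWORD: dummy@example.com
      GRAMPSWEB_EMAIL_HOST_USER: dummy@example.com
      GRAMPSWEB_EMAIL_PORT: "587"
      GRAMPSWEB_EMAIL_USE_SSL: "false"
      GRAMPSWEB_EMAIL_USE_STARTTLS: "true"
      GRAMPSWEB_RATELIMIT_STORAGE_URI: redis://gramps-redis:6379/1
      GRAMPSWEB_REGISTRATION_DISABLED: "true"
      GRAMPSWEB_SECRET_KEY: dummy-grampsweb_secret_key
      GRAMPSWEB_TREE: main
      TZ: Australia/Brisbane
    healthcheck:
      test:
        - CMD-SHELL
        - pgrep -f "celery.*gramps_webapi.celery.*worker" >/dev/null
      timeout: 5s
      interval: 30s
      retries: 6
      start_period: 1m0s
    image: ghcr.io/gramps-project/grampsweb:latest
    networks:
      gramps: null
    restart: always
    volumes:
      - type: bind
        source: /home/nixos/docker/apps/gramps/data/users
        target: /app/users
        bind:
          create_host_path: true
      - type: bind
        source: /home/nixos/docker/apps/gramps/data/index
        target: /app/indexdir
        bind:
          create_host_path: true
      - type: bind
        source: /home/nixos/docker/apps/gramps/data/thumbnail_cache
        target: /app/thumbnail_cache
        bind:
          create_host_path: true
      - type: bind
        source: /home/nixos/docker/apps/gramps/data/cache
        target: /app/cache
        bind:
          create_host_path: true
      - type: bind
        source: /home/nixos/docker/apps/gramps/data/secret
        target: /app/secret
        bind:
          create_host_path: true
      - type: bind
        source: /home/nixos/docker/apps/gramps/data/db
        target: /root/.gramps/grampsdb
        bind:
          create_host_path: true
      - type: bind
        source: /home/nixos/docker/apps/gramps/data/media
        target: /app/media
        bind:
          create_host_path: true
      - type: bind
        source: /home/nixos/docker/apps/gramps/data/tmp
        target: /tmp
        bind:
          create_host_path: true

  # InfluxDB 2.x; initial admin password comes from a secret file, the UI
  # is behind Authelia forward-auth and mTLS.
  influxdb:
    profiles:
      - monitoring
      - all
      - influxdb
      - prometheus
    container_name: influxdb
    environment:
      DOCKER_INFLUXDB_INIT_BUCKET: telemetry
      DOCKER_INFLUXDB_INIT_MODE: setup
      DOCKER_INFLUXDB_INIT_ORG: pbs
      DOCKER_INFLUXDB_INIT_PASSWORD_FILE: /run/secrets/influxdb_init_password
      DOCKER_INFLUXDB_INIT_USERNAME: dummy-user
    healthcheck:
      test:
        - CMD-SHELL
        - curl -f http://localhost:8086/health || exit 1
      timeout: 5s
      interval: 30s
      retries: 3
      start_period: 10s
    image: influxdb:2.7
    labels:
      io.portainer.accesscontrol.public: ""
      traefik.docker.network: core_traefik
      traefik.enable: "true"
      traefik.http.routers.influxdb.entrypoints: websecure
      traefik.http.routers.influxdb.middlewares: authelia
      traefik.http.routers.influxdb.rule: Host(`influxdb.lan.ddnsgeek.com`)
      traefik.http.routers.influxdb.tls.certresolver: myresolver
      traefik.http.routers.influxdb.tls.options: mtls-private-admin@file
      traefik.http.services.influxdb.loadbalancer.server.port: "8086"
    networks:
      monitor: null
      traefik: null
    restart: unless-stopped
    secrets:
      - source: influxdb_init_password
        target: /run/secrets/influxdb_init_password
    volumes:
      - type: bind
        source: /home/nixos/docker/monitoring/influxdb
        target: /var/lib/influxdb2
        bind:
          create_host_path: true

  # Uptime Kuma; uses the Docker API proxy for container monitors.
  monitor-kuma:
    profiles:
      - monitoring
      - all
      - uptime-kuma
    container_name: monitor-kuma
    depends_on:
      docker-socket-proxy:
        condition: service_started
        required: true
    environment:
      DOCKER_HOST: tcp://docker-socket-proxy:2375
    image: louislam/uptime-kuma:2.1.1
    labels:
      io.portainer.accesscontrol.public: ""
      traefik.docker.network: core_traefik
      traefik.enable: "true"
      traefik.http.routers.monitor.entrypoints: websecure
      traefik.http.routers.monitor.rule: Host(`monitor-kuma.lan.ddnsgeek.com`)
      traefik.http.routers.monitor.tls: "true"
      traefik.http.routers.monitor.tls.certresolver: myresolver
      traefik.http.routers.monitor.tls.options: mtls-private-admin@file
      traefik.http.services.monitor.loadbalancer.server.port: "3001"
    networks:
      monitor: null
      traefik: null
    restart: always
    volumes:
      - type: bind
        source: /home/nixos/docker/monitoring/uptime-kuma/data
        target: /app/data
        bind:
          create_host_path: true

  # Locally built HTTP bridge that presents a client certificate to node-red
  # on behalf of Grafana (CORS origin below). Several values are rendered
  # empty ("") — they look like unset interpolation variables at render time
  # rather than intended blanks; see the notes on each.
  mtls-bridge:
    profiles:
      - monitoring
      - all
      - mtls-bridge
    build:
      context: /home/nixos/docker/monitoring/mtls-bridge
      dockerfile: Dockerfile
    container_name: mtls-bridge
    environment:
      # Empty path: if the bridge treats this as "no allow-list", every path
      # on TARGET_URL is reachable through it — confirm the default.
      ALLOWED_PATHS_FILE: ""
      CLIENT_CERT: /certs/clients/office-pc/office-pc.crt
      CLIENT_KEY: /certs/clients/office-pc/office-pc.key
      # DEBUG logging on a component that handles credentials — drop to INFO
      # once stable to keep headers/tokens out of the logs.
      LOG_LEVEL: DEBUG
      TARGET_URL: http://node-red:1880
      TIMEOUT: "5"
      UPSTREAM_CA_CERT: ""
    hostname: mtls-bridge.lan.ddnsgeek.com
    healthcheck:
      test:
        - CMD
        - python
        - -c
        - import urllib.request; urllib.request.urlopen('http://localhost:8080/_mtls_bridge/health', timeout=3).read()
      timeout: 5s
      interval: 30s
      retries: 3
      start_period: 10s
    labels:
      io.portainer.accesscontrol.public: ""
      traefik.docker.network: core_traefik
      traefik.enable: "true"
      # Empty user list on the only authentication in front of the bridge:
      # Traefik will either reject every request or refuse to build the
      # middleware (and the router with it). Supply the htpasswd entries at
      # render time; the main router is unusable until this is set.
      traefik.http.middlewares.mtls-bridge-auth.basicauth.users: ""
      traefik.http.middlewares.mtls-bridge-cors.headers.accesscontrolallowcredentials: "true"
      traefik.http.middlewares.mtls-bridge-cors.headers.accesscontrolallowheaders: authorization,content-type,x-grafana-action,x-grafana-device-id
      traefik.http.middlewares.mtls-bridge-cors.headers.accesscontrolallowmethods: GET,POST,PUT,PATCH,DELETE,OPTIONS
      traefik.http.middlewares.mtls-bridge-cors.headers.accesscontrolalloworiginlist: https://grafana.lan.ddnsgeek.com
      traefik.http.middlewares.mtls-bridge-cors.headers.addvaryheader: "true"
      # Separate, higher-priority router so CORS preflights bypass basic auth
      # (browsers send OPTIONS without credentials).
      traefik.http.routers.mtls-bridge-preflight.entrypoints: websecure
      traefik.http.routers.mtls-bridge-preflight.middlewares: mtls-bridge-cors
      traefik.http.routers.mtls-bridge-preflight.priority: "100"
      traefik.http.routers.mtls-bridge-preflight.rule: Host(`mtls-bridge.lan.ddnsgeek.com`) && Method(`OPTIONS`)
      traefik.http.routers.mtls-bridge-preflight.service: mtls-bridge
      traefik.http.routers.mtls-bridge-preflight.tls.certresolver: myresolver
      traefik.http.routers.mtls-bridge.entrypoints: websecure
      traefik.http.routers.mtls-bridge.middlewares: mtls-bridge-auth,mtls-bridge-cors
      traefik.http.routers.mtls-bridge.rule: Host(`mtls-bridge.lan.ddnsgeek.com`)
      traefik.http.routers.mtls-bridge.tls.certresolver: myresolver
      traefik.http.services.mtls-bridge.loadbalancer.server.port: "8080"
    networks:
      monitor: null
      traefik: null
    restart: unless-stopped
    volumes:
      # Mounts Traefik's entire certificate directory while the bridge only
      # references /certs/clients/office-pc/*. Narrowing the bind to that
      # subdirectory would keep the other client and server keys out of
      # this container; not changed here in case the empty UPSTREAM_CA_CERT
      # is meant to point elsewhere under /certs.
      - type: bind
        source: /home/nixos/docker/core/traefik/certs
        target: /certs
        read_only: true
        bind:
          create_host_path: true

  # MariaDB for Nextcloud; credentials via secret files.
  nextcloud-db:
    profiles:
      - apps
      - all
      - nextcloud
    command:
      - --transaction-isolation=READ-COMMITTED
      - --log-bin=binlog
      - --binlog-format=ROW
    container_name: nextcloud-db
    environment:
      MARIADB_AUTO_UPGRADE: "1"
      MYSQL_DATABASE: nextcloud
      MYSQL_PASSWORD_FILE: /run/secrets/nextcloud_db_password
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/nextcloud_db_root_password
      MYSQL_USER: dummyuser
      # The Nextcloud admin credential is not something the database image
      # consumes; it looks misplaced (the webapp service does not reference
      # it either). Moving it to nextcloud-webapp, or dropping it and the
      # matching secret mount below, would take a secret out of a container
      # that has no use for it.
      NEXTCLOUD_ADMIN_PASSWORD_FILE: /run/secrets/nextcloud_admin_password
      NEXTCLOUD_ADMIN_USER: dummy-user
    hostname: nextcloud_db
    healthcheck:
      # The password is expanded onto the mariadb-admin command line, where
      # it is visible in the container's process list for the duration of
      # the check (same pattern in passbolt-db and nextcloud-redis).
      test:
        - CMD-SHELL
        - mariadb-admin ping -u $$MYSQL_USER --password=$$(cat /run/secrets/nextcloud_db_password) --silent
      timeout: 5s
      interval: 10s
      retries: 12
      start_period: 1m0s
    image: mariadb:11.4
    labels:
      io.portainer.accesscontrol.public: ""
    networks:
      nextcloud: null
    restart: always
    secrets:
      - source: nextcloud_db_root_password
        target: /run/secrets/nextcloud_db_root_password
      - source: nextcloud_db_password
        target: /run/secrets/nextcloud_db_password
      - source: nextcloud_admin_password
        target: /run/secrets/nextcloud_admin_password
    volumes:
      - type: bind
        source: /home/nixos/docker/apps/nextcloud/database
        target: /var/lib/mysql
        bind:
          create_host_path: true

  # Password-protected Redis for Nextcloud (file-based cache locking).
  nextcloud-redis:
    profiles:
      - apps
      - all
      - nextcloud
    command:
      - sh
      - -c
      - redis-server --requirepass "$$(cat /run/secrets/nextcloud_redis_password)" --appendonly yes --save 60 1000
    container_name: nextcloud-redis
    hostname: redis
    healthcheck:
      test:
        - CMD-SHELL
        - redis-cli -a "$$(cat /run/secrets/nextcloud_redis_password)" PING | grep -q PONG
      timeout: 5s
      interval: 10s
      retries: 6
      start_period: 10s
    image: redis
    labels:
      io.portainer.accesscontrol.public: ""
    networks:
      nextcloud: null
    restart: always
    secrets:
      - source: nextcloud_redis_password
        target: /run/secrets/nextcloud_redis_password
    volumes:
      - type: bind
        source: /home/nixos/docker/apps/nextcloud/data/redis
        target: /data
        bind:
          create_host_path: true

  nextcloud-webapp:
    profiles:
      - apps
      - all
      - nextcloud
    build:
      context: /home/nixos/docker/apps/nextcloud
      dockerfile: Dockerfile
    container_name: nextcloud-webapp
    depends_on:
      nextcloud-db:
        condition: service_started
        required: true
      nextcloud-redis:
        condition: service_started
        required: true
    environment:
      MAIL_DOMAIN: example.lan.ddnsgeek.com
      MAIL_FROM_ADDRESS: dummy
      MYSQL_DATABASE: nextcloud
      MYSQL_HOST: nextcloud_db:3306
      MYSQL_PASSWORD_FILE: /run/secrets/nextcloud_db_password
      MYSQL_USER: dummyuser
      NEXTCLOUD_TRUSTED_DOMAINS: nextcloud.lan.ddnsgeek.com
      OVERWRITECLIURL: https://nextcloud.lan.ddnsgeek.com
      OVERWRITEPROTOCOL: https
      REDIS_HOST: redis
      REDIS_HOST_PASSWORD_FILE: /run/secrets/nextcloud_redis_password
      REDIS_HOST_PORT: "6379"
      SMTP_AUTHTYPE: login
      SMTP_HOST: smtp.gmail.com
      SMTP_NAME: dummy-name
      SMTP_PASSWORD_FILE: /run/secrets/nextcloud_smtp_password
      SMTP_PORT: "587"
      SMTP_SECURE: tls
    hostname: nextcloud.lan.ddnsgeek.com
    healthcheck:
      # Raw-socket GET of /status.php; passes only once "installed":true is
      # returned, so a fresh (not yet installed) instance reports unhealthy
      # until setup completes.
      test:
        - CMD-SHELL
        - 'php -r ''$$f=@fsockopen("127.0.0.1",80,$$e,$$s,2); if(!$$f) exit(1); fwrite($$f,"GET /status.php HTTP/1.0\r\nHost: localhost\r\nConnection: close\r\n\r\n"); $$o=""; while(!feof($$f)){$$o.=fgets($$f,1024);} fclose($$f); if(strpos($$o,"\"installed\":true")===false) exit(1);'''
      timeout: 5s
      interval: 30s
      retries: 6
      start_period: 3m0s
    labels:
      io.portainer.accesscontrol.public: ""
      traefik.docker.network: core_traefik
      traefik.enable: "true"
      traefik.http.middlewares.nextcloud-dav.replacepathregex.regex: ^/.well-known/ca(l|rd)dav
      traefik.http.middlewares.nextcloud-dav.replacepathregex.replacement: /remote.php/dav/
      # Defined but not attached to the nextcloud router below; either add it
      # to the middlewares list or remove it.
      traefik.http.middlewares.nextcloud-nodeinfo.replacepathregex.regex: ^/.well-known/nodeinfo
      traefik.http.middlewares.nextcloud-nodeinfo.replacepathregex.replacement: /nextcloud/index.php/.well-known/nodeinfo/
      traefik.http.middlewares.nextcloud-webfinger.redirectregex.permanent: "true"
      traefik.http.middlewares.nextcloud-webfinger.redirectregex.regex: https://(.*)/.well-known/webfinger
      traefik.http.middlewares.nextcloud-webfinger.redirectregex.replacement: https://$${1}/nextcloud/index.php/.well-known/webfinger
      traefik.http.routers.nextcloud.entrypoints: websecure
      # Was "nextcloud-dav, nextcloud-webfinger" (space after the comma);
      # written without the space so the router does not depend on the label
      # parser trimming whitespace around middleware names.
      traefik.http.routers.nextcloud.middlewares: nextcloud-dav,nextcloud-webfinger
      traefik.http.routers.nextcloud.rule: Host(`nextcloud.lan.ddnsgeek.com`)
      traefik.http.routers.nextcloud.tls.certresolver: myresolver
    networks:
      nextcloud: null
      traefik: null
    restart: always
    secrets:
      - source: nextcloud_db_password
        target: /run/secrets/nextcloud_db_password
      - source: nextcloud_smtp_password
        target: /run/secrets/nextcloud_smtp_password
      - source: nextcloud_redis_password
        target: /run/secrets/nextcloud_redis_password
    volumes:
      - type: bind
        source: /home/nixos/docker/apps/nextcloud/data
        target: /var/www/html/data
        bind:
          create_host_path: true
      - type: bind
        source: /home/nixos/docker/apps/nextcloud/config
        target: /var/www/html/config
        bind:
          create_host_path: true
      # Rendered from the short-form `/tmp:exec`; confirm that the exec
      # option survives in this long form (tmpfs options normally live under
      # a `tmpfs:` sub-key) — TODO verify with `docker inspect`.
      - type: tmpfs
        target: /tmp:exec

  # Host metrics exporter; needs the host PID namespace and read-only views
  # of /proc, /sys and /.
  node-exporter:
    profiles:
      - monitoring
      - all
      - node-exporter
      - prometheus
    command:
      - --path.procfs=/host/proc
      - --path.sysfs=/host/sys
      - --path.rootfs=/rootfs
    container_name: node-exporter
    healthcheck:
      test:
        - CMD
        - wget
        - --spider
        - -q
        - http://localhost:9100/metrics
      timeout: 10s
      interval: 30s
      retries: 3
    image: prom/node-exporter:latest
    networks:
      monitor: null
    pid: host
    restart: unless-stopped
    volumes:
      - type: bind
        source: /proc
        target: /host/proc
        read_only: true
        bind:
          create_host_path: true
      - type: bind
        source: /sys
        target: /host/sys
        read_only: true
        bind:
          create_host_path: true
      - type: bind
        source: /
        target: /rootfs
        read_only: true
        bind:
          create_host_path: true

  # Node-RED automation, behind Authelia + mTLS, with Docker API access
  # through the proxy.
  node-red:
    profiles:
      - monitoring
      - all
      - node-red
    build:
      context: /home/nixos/docker/monitoring/node-red
      dockerfile: Dockerfile
    cap_drop:
      - ALL
    container_name: node-red
    depends_on:
      docker-socket-proxy:
        condition: service_started
        required: true
    environment:
      DOCKER_HOST: tcp://docker-socket-proxy:2375
      PROJECT_ROOT: /compose
      TZ: Australia/Brisbane
    labels:
      io.portainer.accesscontrol.public: ""
      traefik.docker.network: core_traefik
      traefik.enable: "true"
      traefik.http.routers.node-red.entrypoints: websecure
      traefik.http.routers.node-red.middlewares: authelia
      traefik.http.routers.node-red.rule: Host(`node-red.lan.ddnsgeek.com`)
      traefik.http.routers.node-red.tls.certresolver: myresolver
      traefik.http.routers.node-red.tls.options: mtls-private-admin@file
      traefik.http.services.node-red.loadbalancer.server.port: "1880"
    networks:
      monitor: null
      traefik: null
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    volumes:
      - type: bind
        source: /home/nixos/docker/monitoring/node-red/data
        target: /data
        bind:
          create_host_path: true
      # Same concern as docker-update-exporter: this tree contains the
      # secrets directory, so flows running in node-red can read every
      # secret file. Mount only what the flows need.
      - type: bind
        source: /home/nixos/docker
        target: /compose/docker
        read_only: true
        bind:
          create_host_path: true
      - type: bind
        source: /home/nixos/raspi
        target: /compose/raspi
        read_only: true
        bind:
          create_host_path: true

  passbolt-db:
    profiles:
      - apps
      - all
      - passbolt
    container_name: passbolt-db
    environment:
      MYSQL_DATABASE: dummy-passbolt_db_name
      MYSQL_PASSWORD_FILE: /run/secrets/passbolt_db_password
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
      MYSQL_USER: dummyuser
    healthcheck:
      test:
        - CMD-SHELL
        - mariadb-admin ping -h 127.0.0.1 -u"$$MYSQL_USER" -p"$$(cat /run/secrets/passbolt_db_password)" --silent
      timeout: 5s
      interval: 10s
      retries: 12
      start_period: 1m0s
    image: mariadb:12
    labels:
      io.portainer.accesscontrol.public: ""
    networks:
      passbolt: null
    restart: always
    secrets:
      - source: passbolt_db_password
        target: /run/secrets/passbolt_db_password
    volumes:
      - type: bind
        source: /home/nixos/docker/apps/passbolt/data/database
        target: /var/lib/mysql
        bind:
          create_host_path: true

  # Passbolt CE; waits for the database port before running the entrypoint.
  passbolt-webapp:
    profiles:
      - apps
      - all
      - passbolt
    command:
      - /usr/bin/wait-for.sh
      - -t
      - "0"
      - passbolt-db:3306
      - --
      - /docker-entrypoint.sh
    container_name: passbolt-webapp
    depends_on:
      passbolt-db:
        condition: service_started
        required: true
    environment:
      APP_FULL_BASE_URL: https://passbolt.lan.ddnsgeek.com
      DATASOURCES_DEFAULT_DATABASE: dummy-passbolt_db_name
      DATASOURCES_DEFAULT_HOST: passbolt-db
      DATASOURCES_DEFAULT_PASSWORD_FILE: /run/secrets/passbolt_db_password
      DATASOURCES_DEFAULT_USERNAME: dummyuser
      PASSBOLT_GPG_SERVER_KEY_FINGERPRINT: dummy-passbolt_gpg_server_key_fingerprint
    healthcheck:
      test:
        - CMD-SHELL
        - curl -fsS http://localhost/healthcheck/status | grep -qx OK
      timeout: 10s
      interval: 30s
      retries: 6
      start_period: 2m0s
    image: passbolt/passbolt:latest-ce
    labels:
      io.portainer.accesscontrol.public: ""
      traefik.docker.network: core_traefik
      traefik.enable: "true"
      traefik.http.routers.passbolt.entrypoints: websecure
      traefik.http.routers.passbolt.rule: Host(`passbolt.lan.ddnsgeek.com`)
      traefik.http.routers.passbolt.tls.certresolver: myresolver
    networks:
      passbolt: null
      traefik: null
    restart: always
    secrets:
      - source: passbolt_db_password
        target: /run/secrets/passbolt_db_password
    volumes:
      # Server GPG and JWT signing keys — the most sensitive material in this
      # stack; keep host permissions on these directories tight.
      - type: bind
        source: /home/nixos/docker/apps/passbolt/data/gpg
        target: /etc/passbolt/gpg
        bind:
          create_host_path: true
      - type: bind
        source: /home/nixos/docker/apps/passbolt/data/jwt
        target: /etc/passbolt/jwt
        bind:
          create_host_path: true

  # Pi-hole exporter. Prometheus scrapes it over the monitor network, yet
  # port 9617 is also published on every host interface; if nothing outside
  # this stack scrapes it, drop `ports:` (or bind to 127.0.0.1).
  pihole-exporter:
    profiles:
      - monitoring
      - all
      - pihole-exporter
      - prometheus
    container_name: pihole-exporter
    environment:
      PIHOLE_HOSTNAME: pihole.sweet.home
      PIHOLE_PASSWORD: dummy-pihole_password
      PORT: "9617"
    image: ekofr/pihole-exporter:latest
    networks:
      monitor: null
    ports:
      - mode: ingress
        target: 9617
        published: "9617"
        protocol: tcp
    restart: unless-stopped

  # Portainer CE, managing the host through the socket proxy (-H flag).
  portainer:
    profiles:
      - monitoring
      - all
      - portainer
    command:
      - -H
      - tcp://docker-socket-proxy:2375
    container_name: portainer
    depends_on:
      docker-socket-proxy:
        condition: service_started
        required: true
    environment:
      DOCKER_HOST: tcp://docker-socket-proxy:2375
      GODEBUG: netdns=cgo
      TZ: Australia/Brisbane
    image: portainer/portainer-ce:latest
    labels:
      io.portainer.accesscontrol.public: ""
      traefik.enable: "true"
      traefik.http.routers.portainer.entrypoints: websecure
      traefik.http.routers.portainer.rule: Host(`portainer.lan.ddnsgeek.com`)
      traefik.http.routers.portainer.tls: "true"
      traefik.http.routers.portainer.tls.certresolver: myresolver
      traefik.http.routers.portainer.tls.options: mtls-private-admin@file
      traefik.http.services.portainer.loadbalancer.server.port: "9000"
    networks:
      traefik: null
    restart: unless-stopped
    volumes:
      - type: bind
        source: /home/nixos/docker/monitoring/portainer/data
        target: /data
        bind:
          create_host_path: true

  prometheus:
    profiles:
      - monitoring
      - all
      - prometheus
    command:
      - --config.file=/etc/prometheus/prometheus.yml
      - --storage.tsdb.path=/prometheus
      - --storage.tsdb.retention.time=15d
    container_name: prometheus
    depends_on:
      docker-update-exporter:
        condition: service_started
        required: true
      influxdb:
        condition: service_started
        required: true
      node-exporter:
        condition: service_started
        required: true
      pihole-exporter:
        condition: service_started
        required: true
      telegraf:
        condition: service_started
        required: true
    healthcheck:
      test:
        - CMD
        - wget
        - --spider
        - -q
        - http://localhost:9090/-/healthy
      timeout: 10s
      interval: 30s
      retries: 3
      start_period: 30s
    image: prom/prometheus:latest
    labels:
      io.portainer.accesscontrol.public: ""
      traefik.docker.network: core_traefik
      traefik.enable: "true"
      traefik.http.routers.prometheus.entrypoints: websecure
      traefik.http.routers.prometheus.middlewares: authelia
      traefik.http.routers.prometheus.rule: Host(`prometheus.lan.ddnsgeek.com`)
      traefik.http.routers.prometheus.tls.certresolver: myresolver
      traefik.http.routers.prometheus.tls.options: mtls-private-admin@file
      traefik.http.services.prometheus.loadbalancer.server.port: "9090"
    networks:
      monitor: null
      traefik: null
    restart: unless-stopped
    # The Uptime Kuma scrape password was the one credential mounted as a
    # raw bind of a secrets/*.txt file; it now goes through `secrets:` like
    # the others (same host file, same in-container path).
    secrets:
      - source: prometheus_kuma_basic_auth_password
        target: /run/secrets/prometheus_kuma_basic_auth_password
    volumes:
      - type: bind
        source: /home/nixos/docker/monitoring/prometheus/prometheus.yml
        target: /etc/prometheus/prometheus.yml
        read_only: true
        bind:
          create_host_path: true
      - type: bind
        source: /home/nixos/docker/monitoring/prometheus/data
        target: /prometheus
        bind:
          create_host_path: true
      - type: bind
        source: /home/nixos/docker/monitoring/prometheus/rules
        target: /etc/prometheus/rules
        read_only: true
        bind:
          create_host_path: true

  # SearXNG with a read-only root filesystem and tmpfs for writable paths.
  searxng-webapp:
    profiles:
      - apps
      - all
      - searxng
    container_name: searxng-webapp
    hostname: searxng.lan.ddnsgeek.com
    healthcheck:
      test:
        - CMD-SHELL
        - python3 -c "import urllib.request,sys; r=urllib.request.urlopen('http://127.0.0.1:8080/', timeout=3); sys.exit(0 if 200<=r.status<400 else 1)"
      timeout: 5s
      interval: 20s
      retries: 8
      start_period: 30s
    image: searxng/searxng
    labels:
      io.portainer.accesscontrol.public: ""
      traefik.enable: "true"
      traefik.http.routers.searxng.entrypoints: websecure
      traefik.http.routers.searxng.rule: Host(`searxng.lan.ddnsgeek.com`)
      traefik.http.routers.searxng.tls.certresolver: myresolver
      traefik.http.services.searxng.loadbalancer.server.port: "8080"
    networks:
      traefik: null
    read_only: true
    restart: always
    tmpfs:
      - /tmp
      - /var
      - /run

  # Telegraf; Docker input presumably configured in telegraf.conf (no
  # DOCKER_HOST here, but it depends on the proxy).
  telegraf:
    profiles:
      - monitoring
      - all
      - telegraf
      - prometheus
    container_name: telegraf
    depends_on:
      docker-socket-proxy:
        condition: service_started
        required: true
    healthcheck:
      test:
        - CMD-SHELL
        - curl -f http://localhost:9273/metrics || exit 1
      timeout: 5s
      interval: 30s
      retries: 3
      start_period: 10s
    image: telegraf:latest
    networks:
      monitor: null
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    volumes:
      - type: bind
        source: /home/nixos/docker/monitoring/telegraf/telegraf.conf
        target: /etc/telegraf/telegraf.conf
        read_only: true
        bind:
          create_host_path: true
      - type: bind
        source: /home/nixos/docker/monitoring/node-red/data
        target: /var/log/node-red
        read_only: true
        bind:
          create_host_path: true

  # Sole ingress: the only service publishing host ports (80/443). Its
  # dashboard (api@internal) sits behind Authelia and the mTLS TLS options.
  traefik:
    profiles:
      - core
      - all
      - traefik
    build:
      context: /home/nixos/docker/core
      dockerfile: Dockerfile
    container_name: traefik
    depends_on:
      authelia:
        condition: service_started
        required: true
      crowdsec:
        condition: service_started
        required: true
      docker-socket-proxy:
        condition: service_started
        required: true
      error-pages:
        condition: service_started
        required: true
    hostname: traefik.lan.ddnsgeek.com
    healthcheck:
      test:
        - CMD-SHELL
        - traefik healthcheck --ping
    image: traefik:3
    labels:
      io.portainer.accesscontrol.public: ""
      traefik.docker.network: core_traefik
      traefik.enable: "true"
      traefik.http.routers.traefik.entrypoints: websecure
      traefik.http.routers.traefik.middlewares: authelia
      traefik.http.routers.traefik.observability.tracing: "true"
      traefik.http.routers.traefik.rule: Host(`traefik.lan.ddnsgeek.com`)
      traefik.http.routers.traefik.service: api@internal
      traefik.http.routers.traefik.tls.certresolver: myresolver
      traefik.http.routers.traefik.tls.options: mtls-private-admin@file
    networks:
      traefik: null
    ports:
      - mode: ingress
        target: 80
        published: "80"
        protocol: tcp
      - mode: ingress
        target: 443
        published: "443"
        protocol: tcp
    read_only: true
    restart: always
    volumes:
      - type: bind
        source: /home/nixos/docker/core/traefik/data/letsencrypt
        target: /letsencrypt
        bind:
          create_host_path: true
      - type: bind
        source: /home/nixos/docker/core/traefik/data/logs
        target: /logs
        bind:
          create_host_path: true
      - type: bind
        source: /home/nixos/docker/core/traefik/certs
        target: /etc/traefik/certs
        read_only: true
        bind:
          create_host_path: true
      - type: bind
        source: /home/nixos/docker/core/traefik/dynamic.yml
        target: /etc/traefik/dynamic.yml
        read_only: true
        bind:
          create_host_path: true
      - type: bind
        source: /home/nixos/docker/core/traefik/traefik.yml
        target: /etc/traefik/traefik.yml
        read_only: true
        bind:
          create_host_path: true
      - type: bind
        source: /home/nixos/docker/core/traefik/data/plugins
        target: /plugins-storage
        bind:
          create_host_path: true

# Per-app private networks keep databases/caches off the shared traefik
# network; only services with Traefik labels join `traefik`.
networks:
  gramps:
    name: core_gramps
  monitor:
    name: core_monitor
  nextcloud:
    name: core_nextcloud
  passbolt:
    name: core_passbolt
  traefik:
    name: core_traefik
    driver: bridge
    ipam:
      config:
        - subnet: 172.21.0.0/16

# File-backed secrets, mounted read-only under /run/secrets in the services
# that list them. These .txt files live inside the compose tree, which is
# also bind-mounted (read-only) into docker-update-exporter and node-red.
secrets:
  gitea_runner_registration_token:
    name: core_gitea_runner_registration_token
    # Constructed path following the convention of the entries below;
    # create the file (containing the freshly generated token) or adjust the
    # path before bringing the gitea-runner service up.
    file: /home/nixos/docker/secrets/gitea_runner_registration_token.txt
  influxdb_init_password:
    name: core_influxdb_init_password
    file: /home/nixos/docker/secrets/influxdb_init_password.txt
  nextcloud_admin_password:
    name: core_nextcloud_admin_password
    file: /home/nixos/docker/secrets/nextcloud_admin_password.txt
  nextcloud_db_password:
    name: core_nextcloud_db_password
    file: /home/nixos/docker/secrets/nextcloud_db_password.txt
  nextcloud_db_root_password:
    name: core_nextcloud_db_root_password
    file: /home/nixos/docker/secrets/nextcloud_db_root_password.txt
  nextcloud_redis_password:
    name: core_nextcloud_redis_password
    file: /home/nixos/docker/secrets/nextcloud_redis_password.txt
  nextcloud_smtp_password:
    name: core_nextcloud_smtp_password
    file: /home/nixos/docker/secrets/nextcloud_smtp_password.txt
  passbolt_db_password:
    name: core_passbolt_db_password
    file: /home/nixos/docker/secrets/passbolt_db_password.txt
  prometheus_kuma_basic_auth_password:
    name: core_prometheus_kuma_basic_auth_password
    file: /home/nixos/docker/secrets/prometheus_kuma_basic_auth_password.txt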