From c8ffce26113d538d58e20f0b1a6dfb93e6abdc37 Mon Sep 17 00:00:00 2001 From: EZ-Homelab Date: Fri, 23 Jan 2026 17:31:23 -0500 Subject: [PATCH] feat: standardize Traefik/Sablier labels across all stacks - Add consistent # TRAEFIK CONFIGURATION headers to all services - Standardize label structure with service metadata, router config, and Sablier settings - Update dockerproxy and sablier-service with Docker API requirements documentation - Fix YAML validation issues in productivity stack - Ensure all stacks have uniform labeling for easy management Resolves Docker API connectivity issues for Sablier lazy loading --- docker-compose/core/docker-compose.yml | 8 +++++- docker-compose/dockge/docker-compose.yml | 9 +++++-- .../infrastructure/docker-compose.yml | 13 +++++++-- docker-compose/media/docker-compose.yml | 23 +++++++--------- .../productivity/docker-compose.yml | 27 ++++++++++--------- docker-compose/vpn/docker-compose.yml | 11 +++++++- 6 files changed, 59 insertions(+), 32 deletions(-) diff --git a/docker-compose/core/docker-compose.yml b/docker-compose/core/docker-compose.yml index 655a70c..03e27a4 100644 --- a/docker-compose/core/docker-compose.yml +++ b/docker-compose/core/docker-compose.yml @@ -106,6 +106,12 @@ services: # Sablier - Lazy loading service for Docker containers # Controls startup/shutdown of lazy-loaded services, must always run + # REQUIREMENTS FOR DOCKER API ACCESS: + # 1. Docker daemon must be configured to listen on TCP port 2375 + # 2. DOCKER_HOST environment variable must point to accessible Docker API endpoint + # 3. Firewall must allow TCP connections to Docker API port (default 2375) + # 4. For production, consider using TLS for Docker API communication + # 5. Ensure dockerproxy service is running and accessible sablier-service: image: sablierapp/sablier:latest container_name: sablier-service 
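Review bot: The requirements comment added above sablier-service tells operators to open the Docker daemon on TCP 2375, which is by convention the plaintext, unauthenticated API port, and item 4 makes TLS optional ("consider"). Anyone who can reach that port can control the host. Item 5 then requires dockerproxy, which only helps if Sablier talks to the proxy rather than the daemon, so items 1 and 5 contradict each other. The next hunk's context shows `DOCKER_HOST=tcp://192.168.4.11:2375`, and it is not visible here whether that address is the proxy or the daemon. The dockerproxy comment in docker-compose/infrastructure has the same problem and goes further by recommending `"hosts": ["tcp://0.0.0.0:2375", ...]`; I would reword both to `# DOCKER_HOST must point at the dockerproxy endpoint; never expose the Docker daemon itself on TCP without TLS client authentication and a firewall allow-list`.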
@@ -114,7 +120,7 @@ services: - traefik-network environment: - SABLIER_PROVIDER=docker - - SABLIER_DOCKER_API_VERSION=1.53 + - SABLIER_DOCKER_API_VERSION=1.51 - SABLIER_DOCKER_NETWORK=traefik-network - SABLIER_LOG_LEVEL=debug - DOCKER_HOST=tcp://192.168.4.11:2375 diff --git a/docker-compose/dockge/docker-compose.yml b/docker-compose/dockge/docker-compose.yml index b45bc21..52cea6f 100644 --- a/docker-compose/dockge/docker-compose.yml +++ b/docker-compose/dockge/docker-compose.yml @@ -41,15 +41,20 @@ services: - DOCKGE_STACKS_DIR=/opt/stacks - DOCKGE_ENABLE_CONSOLE=true labels: + # TRAEFIK CONFIGURATION + # ========================================== + # Service metadata - "homelab.category=infrastructure" - "homelab.description=Docker Compose stack manager (PRIMARY)" + # Traefik reverse proxy (comment/uncomment to disable/enable) + # If Traefik is on a remote server: these labels are NOT USED; + # configure external yml files in /traefik/dynamic folder instead. - "traefik.enable=true" - "traefik.http.routers.dockge.rule=Host(`dockge.${DOMAIN}`)" - "traefik.http.routers.dockge.entrypoints=websecure" - - "traefik.http.routers.dockge.tls=true" + - "traefik.http.routers.dockge.tls.certresolver=letsencrypt" - "traefik.http.routers.dockge.middlewares=authelia@docker" - "traefik.http.services.dockge.loadbalancer.server.port=5001" - - "x-dockge.url=https://dockge.${DOMAIN}" networks: homelab-network: diff --git a/docker-compose/infrastructure/docker-compose.yml b/docker-compose/infrastructure/docker-compose.yml index 005beb0..01667dd 100644 --- a/docker-compose/infrastructure/docker-compose.yml +++ b/docker-compose/infrastructure/docker-compose.yml 
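Review bot: The dockge hunk swaps `tls=true` for `tls.certresolver=letsencrypt`, but the routers touched by this patch still do not agree on TLS labels, which undercuts the "uniform labeling" goal. pihole, calibre and jupyter carry only the certresolver, jellyfin keeps both `tls=true` and the certresolver, and qbittorrent in the vpn stack has `tls=true` with no certresolver. Which certificate that last router serves depends on Traefik defaults that are not visible here. If the standard is the certresolver form, the qbittorrent router should get `- "traefik.http.routers.qbittorrent.tls.certresolver=letsencrypt"`. The `# TRAEFIK CONFIGURATION` header placement should also be made uniform: it sits inside `labels:` here but above `labels:` in the media and vpn hunks.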
@@ -21,6 +21,11 @@ services: dockerproxy: # Docker socket proxy for security - provides safe Docker API access, must always run + # REQUIREMENTS FOR SABLIER INTEGRATION: + # 1. Docker daemon must be configured to listen on TCP port 2375 (not just unix socket) + # 2. Firewall must allow access to port 2375 from Sablier service + # 3. Docker daemon config should include: "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"] + # 4. For security, consider restricting access to specific IP ranges or using TLS image: tecnativa/docker-socket-proxy:latest container_name: dockerproxy privileged: true @@ -78,16 +83,20 @@ services: cap_add: - NET_ADMIN labels: + # TRAEFIK CONFIGURATION + # ========================================== + # Service metadata - "homelab.category=infrastructure" - "homelab.description=Network-wide ad blocking and DNS" + # Traefik reverse proxy (comment/uncomment to disable/enable) + # If Traefik is on a remote server: these labels are NOT USED; + # configure external yml files in /traefik/dynamic folder instead. - "traefik.enable=true" - "traefik.http.routers.pihole.rule=Host(`pihole.${DOMAIN}`)" - "traefik.http.routers.pihole.entrypoints=websecure" - - "traefik.http.routers.pihole.tls=true" - "traefik.http.routers.pihole.tls.certresolver=letsencrypt" - "traefik.http.routers.pihole.middlewares=authelia@docker" - "traefik.http.services.pihole.loadbalancer.server.port=80" - - "x-dockge.url=https://pihole.${DOMAIN}" # Watchtower - Automatic container updates # Monitors and updates Docker containers to latest versions diff --git a/docker-compose/media/docker-compose.yml b/docker-compose/media/docker-compose.yml index b2f4f98..4c021c0 100644 --- a/docker-compose/media/docker-compose.yml +++ b/docker-compose/media/docker-compose.yml 
@@ -55,23 +55,21 @@ services: # Uncomment for hardware transcoding # devices: # - /dev/dri:/dev/dri + # TRAEFIK CONFIGURATION labels: - # TRAEFIK & SABLIER CONFIGURATION - # ========================================== # Service metadata + - "com.centurylinklabs.watchtower.enable=true" - "homelab.category=media" - "homelab.description=Open-source media streaming server" - # Traefik reverse proxy (comment/uncomment to disable/enable) - # If Traefik is on a remote server: these labels are NOT USED; - # configure external yml files in /traefik/dynamic folder instead. - "traefik.enable=true" + # Router configuration - "traefik.http.routers.jellyfin.rule=Host(`jellyfin.${DOMAIN}`)" - "traefik.http.routers.jellyfin.entrypoints=websecure" - "traefik.http.routers.jellyfin.tls=true" - "traefik.http.routers.jellyfin.tls.certresolver=letsencrypt" - # - "traefik.http.routers.jellyfin.middlewares=authelia@docker" # Disabled for app access + # Service configuration - "traefik.http.services.jellyfin.loadbalancer.server.port=8096" - # Sablier lazy loading (enabled by default - comment out to disable) + # Sablier configuration - "sablier.enable=true" - "sablier.group=${SERVER_HOSTNAME:-debian}-jellyfin" - "sablier.start-on-demand=true" 
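Review bot: The jellyfin hunk deletes the commented-out `middlewares=authelia@docker` line and its "Disabled for app access" remark, which was the only record that this router is deliberately published without the Authelia middleware. After the change the router simply has no middlewares label, so a later reader cannot tell an intentional exception from an omission, while every other router in this patch is behind `authelia@docker`. I would keep an explicit marker under the router configuration, for example `# No authelia middleware on purpose (client app access); Jellyfin's own login is the only gate - keep it patched`. This hunk and the calibre hunk also drop the "If Traefik is on a remote server" guidance that the dockge, pihole and jupyter hunks add, so the comment blocks diverge rather than converge.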
@@ -106,22 +104,21 @@ services: - PGID=${PGID:-1000} - TZ=${TZ:-America/New_York} - DOCKER_MODS=linuxserver/mods:universal-calibre + # TRAEFIK CONFIGURATION labels: - # TRAEFIK & SABLIER CONFIGURATION - # ========================================== # Service metadata + - "com.centurylinklabs.watchtower.enable=true" - "homelab.category=media" - "homelab.description=Ebook reader and library management" - # Traefik reverse proxy (comment/uncomment to disable/enable) - # If Traefik is on a remote server: these labels are NOT USED; - # configure external yml files in /traefik/dynamic folder instead. - "traefik.enable=true" + # Router configuration - "traefik.http.routers.calibre.rule=Host(`calibre.${DOMAIN}`)" - "traefik.http.routers.calibre.entrypoints=websecure" - "traefik.http.routers.calibre.tls.certresolver=letsencrypt" - "traefik.http.routers.calibre.middlewares=authelia@docker" + # Service configuration - "traefik.http.services.calibre.loadbalancer.server.port=8083" - # Sablier lazy loading (disabled by default - uncomment to enable) + # Sablier configuration (disabled by default) # - "sablier.enable=true" # - "sablier.group=${SERVER_HOSTNAME:-debian}-calibre-web" # - "sablier.start-on-demand=true" diff --git a/docker-compose/productivity/docker-compose.yml b/docker-compose/productivity/docker-compose.yml index f38e99a..1a99ca1 100644 --- a/docker-compose/productivity/docker-compose.yml +++ b/docker-compose/productivity/docker-compose.yml @@ -77,7 +77,6 @@ services: - "sablier.start-on-demand=true" nextcloud-db: - restart: unless-stopped image: mariadb:10.11 container_name: nextcloud-db restart: no @@ -176,7 +175,6 @@ services: - "sablier.start-on-demand=true" wordpress-db: - restart: unless-stopped image: mariadb:10.11 container_name: wordpress-db restart: no @@ -249,7 +247,6 @@ services: - "sablier.start-on-demand=true" gitea-db: - restart: unless-stopped image: postgres:14-alpine container_name: gitea-db restart: no 
@@ -351,7 +348,6 @@ services: - "sablier.start-on-demand=true" bookstack-db: - restart: unless-stopped image: mariadb:10.11 container_name: bookstack-db restart: no @@ -411,7 +407,6 @@ services: - "sablier.start-on-demand=true" mediawiki-db: - restart: unless-stopped image: mariadb:10.11 container_name: mediawiki-db restart: no @@ -456,14 +451,20 @@ services: # - NVIDIA_VISIBLE_DEVICES=all # - NVIDIA_DRIVER_CAPABILITIES=compute,utility labels: - - homelab.category=productivity - - homelab.description=Jupyter Lab for data science and ML - - traefik.enable=true - - traefik.http.routers.jupyter.rule=Host(`jupyter.${DOMAIN}`) - - traefik.http.routers.jupyter.entrypoints=websecure - - traefik.http.routers.jupyter.tls.certresolver=letsencrypt - - traefik.http.routers.jupyter.middlewares=authelia@docker - - traefik.http.services.jupyter.loadbalancer.server.port=8888 + # TRAEFIK CONFIGURATION + # ========================================== + # Service metadata + - "homelab.category=productivity" + - "homelab.description=Jupyter Lab for data science and ML" + # Traefik reverse proxy (comment/uncomment to disable/enable) + # If Traefik is on a remote server: these labels are NOT USED; + # configure external yml files in /traefik/dynamic folder instead. + - "traefik.enable=true" + - "traefik.http.routers.jupyter.rule=Host(`jupyter.${DOMAIN}`)" + - "traefik.http.routers.jupyter.entrypoints=websecure" + - "traefik.http.routers.jupyter.tls.certresolver=letsencrypt" + - "traefik.http.routers.jupyter.middlewares=authelia@docker" + - "traefik.http.services.jupyter.loadbalancer.server.port=8888" volumes: nextcloud-db-data: diff --git a/docker-compose/vpn/docker-compose.yml b/docker-compose/vpn/docker-compose.yml index cb078d1..78a9d10 100644 --- a/docker-compose/vpn/docker-compose.yml +++ b/docker-compose/vpn/docker-compose.yml 
@@ -41,15 +41,24 @@ services: - OPENVPN_PASSWORD=${SURFSHARK_PASSWORD} - SERVER_COUNTRIES=${VPN_SERVER_COUNTRIES:-Netherlands} - TZ=${TZ} + # TRAEFIK CONFIGURATION labels: + # Service metadata + - "com.centurylinklabs.watchtower.enable=true" - "homelab.category=downloaders" - "homelab.description=VPN client for secure downloads" - "traefik.enable=true" + # Router configuration - "traefik.http.routers.qbittorrent.rule=Host(`qbit.${DOMAIN}`)" - "traefik.http.routers.qbittorrent.entrypoints=websecure" - "traefik.http.routers.qbittorrent.tls=true" - "traefik.http.routers.qbittorrent.middlewares=authelia@docker" - - "traefik.http.services.qbittorrent.loadbalancer.server.port=8080" + # Service configuration + - "traefik.http.services.qbittorrent.loadbalancer.server.port=8081" + # Sablier configuration + - "sablier.enable=true" + - "sablier.group=qbittorrent" + - "sablier.sessionDuration=1h" # qBittorrent - Torrent client # Routes through Gluetun VPN
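Review bot: The new `sablier.enable=true` labels are attached to what appears to be the VPN container: the description reads "VPN client for secure downloads" and the trailing context says qBittorrent routes through it, though the service name is outside the hunk. Sablier stops a container when its session expires, and torrent traffic does not pass through Traefik, so the tunnel could presumably be stopped an hour after the last web UI request while downloads are still running. I would drop the three `sablier.*` lines here, or confirm the intended behaviour and align them with the other stacks, which use `sablier.group=${SERVER_HOSTNAME:-debian}-<name>` and `sablier.start-on-demand=true`; `sablier.sessionDuration` appears nowhere else in this patch, so check that Sablier reads it as a container label. The load balancer port also changes from 8080 to 8081, a functional change the commit message does not mention, so verify that the web UI actually listens on 8081. The added Watchtower label means an automatic update will restart the tunnel as well.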