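# Core Infrastructure Services
# These services form the foundation of the homelab and should always be running
# Place in /opt/stacks/core/docker-compose.yml

# RESTART POLICY GUIDE:
# - unless-stopped: Core infrastructure services that should always run
# - no: Services with Sablier lazy loading (start on-demand)
# - See individual service comments for specific reasoning

# Service Access URLs:
# - Traefik Dashboard: https://traefik.${DOMAIN}
# - Authelia: https://auth.${DOMAIN}

# NOTE(review): duckdns, authelia and sablier track `:latest` and Traefik floats
# on `v3`. Pin each image to a specific version tag or digest so a new upstream
# push cannot change what this stack runs on the next pull.
# NOTE(review): DUCKDNS_TOKEN and the other ${...} values are read from the
# environment / .env file; keep that file out of version control and readable
# only by the account that runs the stack.

x-dockge:
  urls:
    - https://auth.${DOMAIN}

services:
  duckdns:
    # Dynamic DNS service - must always run to maintain domain resolution
    image: lscr.io/linuxserver/duckdns:latest
    container_name: duckdns
    restart: unless-stopped
    environment:
      - PUID=${PUID:-1000}
      - PGID=${PGID:-1000}
      - TZ=${TZ}
      - SUBDOMAINS=${DUCKDNS_SUBDOMAINS}
      - TOKEN=${DUCKDNS_TOKEN}
    volumes:
      - ./duckdns/config:/config
    networks:
      - traefik-network

  traefik:
    # Reverse proxy and SSL termination - core routing service, must always run
    image: traefik:v3
    container_name: traefik
    restart: unless-stopped
    command: ["--configFile=/config/traefik.yml"]
    environment:
      # Presumably consumed by the ACME DNS challenge configured in
      # /config/traefik.yml (not visible here) - confirm.
      - DUCKDNS_TOKEN=${DUCKDNS_TOKEN}
    ports:
      # Port mappings are quoted so no YAML parser can retype them.
      - "80:80"
      - "443:443"
      # NOTE(review): the router labels below serve container port 8080 at
      # traefik.${DOMAIN} behind TLS and Authelia, but this mapping also
      # publishes 8080 on every host interface, where neither applies. If
      # traefik.yml runs the API/dashboard on 8080 (confirm), drop this
      # mapping or bind it to 127.0.0.1.
      - "8080:8080"
    volumes:
      - ./traefik/config:/config
      - ./traefik/letsencrypt:/letsencrypt
      - ./traefik/dynamic:/dynamic
      # NOTE(review): `:ro` only makes the socket file's mount read-only; the
      # Docker API behind it still accepts every call, so this container holds
      # host-level control. A filtering socket proxy that exposes only the
      # read endpoints Traefik needs narrows that.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik-network
    labels:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
      - "homelab.category=core"
      - "homelab.description=Reverse proxy and SSL termination"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED;
      # configure external yml files in /traefik/dynamic folder instead.
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      # The dashboard route is gated by the forward-auth middleware that the
      # authelia service defines through its own labels.
      - "traefik.http.routers.traefik.middlewares=authelia@docker"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"

  authelia:
    # Single sign-on authentication service - must always run for user authentication
    image: authelia/authelia:latest
    container_name: authelia
    restart: unless-stopped
    environment:
      - TZ=${TZ}
    ports:
      # NOTE(review): Traefik reaches Authelia over traefik-network, so this
      # host mapping is only needed by something outside this Docker host
      # (e.g. a remote Traefik). It exposes the portal over plain HTTP on
      # 9091; remove it or firewall it to the hosts that need it.
      - "9091:9091"
    volumes:
      - ./authelia/config:/config
      # Holds Authelia secret material; keep the host directory readable only
      # by the account the container runs as.
      - ./authelia/secrets:/secrets
    networks:
      - traefik-network
    depends_on:
      - traefik
    labels:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
      - "homelab.category=core"
      - "homelab.description=Single sign-on authentication"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED;
      # configure external yml files in /traefik/dynamic folder instead.
      - "traefik.enable=true"
      - "traefik.http.routers.authelia.rule=Host(`auth.${DOMAIN}`)"
      - "traefik.http.routers.authelia.entrypoints=websecure"
      - "traefik.http.routers.authelia.tls.certresolver=letsencrypt"
      - "traefik.http.routers.authelia.service=authelia"
      - "traefik.http.services.authelia.loadbalancer.server.port=9091"
      # Authelia forward auth middleware configuration
      # NOTE(review): /api/verify is Authelia's legacy verification endpoint;
      # newer releases document /api/authz/forward-auth. With the image on
      # `:latest`, confirm this path against the version actually running.
      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.${DOMAIN}/"
      # NOTE(review): only the headers listed here are copied from Authelia's
      # response onto the proxied request. Authelia sets Remote-User,
      # Remote-Groups, Remote-Name and Remote-Email; `X-Secret` looks carried
      # over from an example. As written no identity header reaches the
      # backends, and a client-supplied Remote-* header is not overwritten -
      # confirm no backend trusts those headers.
      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=X-Secret"
      # NOTE(review): `true` passes client-supplied X-Forwarded-* headers to
      # Authelia unchanged. That is only sound behind another trusted proxy;
      # with Traefik published directly on 80/443, set this to false or limit
      # forwardedHeaders.trustedIPs on the entrypoints.
      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"

  # Sablier - Lazy loading service for Docker containers
  # Controls startup/shutdown of lazy-loaded services, must always run
  sablier-service:
    image: sablierapp/sablier:latest
    container_name: sablier-service
    restart: unless-stopped
    networks:
      - traefik-network
    environment:
      - SABLIER_PROVIDER=docker
      - SABLIER_DOCKER_API_VERSION=1.53
      - SABLIER_DOCKER_NETWORK=traefik-network
      # NOTE(review): debug logging is verbose; lower it once the setup works.
      - SABLIER_LOG_LEVEL=debug
      # NOTE(review): 2375 is the Docker API over plain TCP with no TLS and no
      # authentication, so any host that can reach 192.168.4.11:2375 has
      # root-equivalent control of that Docker host. Prefer a TLS endpoint
      # with client certificates, or a socket proxy limited to the container
      # list/start/stop calls, and firewall the port to this host only.
      - DOCKER_HOST=tcp://192.168.4.11:2375
    ports:
      # NOTE(review): this publishes the Sablier API, which starts and stops
      # containers, on every host interface. A Traefik on traefik-network does
      # not need the mapping; if a remote Traefik does, restrict the port to
      # that host.
      - "10000:10000"
    labels:
      # Service metadata
      - "homelab.category=core"
      - "homelab.description=Lazy loading service for Docker containers"

networks:
  traefik-network:
    # Created outside this stack; it must exist before `docker compose up`.
    external: true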