16f7eaa703
The previous commit removed labels from templates, breaking Option 2 (Core Server) deployments. This commit restores the proper architecture: Templates (docker-compose files): - Restore all Traefik labels to dockge/docker-compose.yml - Restore all Traefik labels to infrastructure services (dozzle, glances, code-server) - Restore traefik-network references - Templates now work correctly for Option 2 (Core Server) Scripts (ez-homelab.sh): - Rewrite configure_remote_server_routing() to strip labels for Option 3 - Re-add configure_remote_server_routing() call to deploy_remote_server() - Add as Step 5 (after copying stacks, before deploying them) - Update remaining step numbers (6-9) Architecture flow: Option 2 (Core Server): - Uses templates as-is with Traefik labels - Local Traefik discovers services via Docker labels - Services accessible at https://service.domain Option 3 (Additional Server): - Copies templates with labels (Step 4) - Strips out labels and traefik-network (Step 5) - Deploys labelless services with exposed ports (Steps 6-8) - Core Traefik routes via manual HTTP configs to IP:PORT - Services accessible at https://service.hostname.domain
271 lines
8.9 KiB
YAML
271 lines
8.9 KiB
YAML
# Infrastructure Services
|
|
# SABLIER SESSION DURATION: Set to 5m for testing. Increase to 30m for production in config-templates/traefik/dynamic/sablier.yml
|
|
# RESTART POLICY GUIDE:
|
|
# - unless-stopped: Core infrastructure services that should always run
|
|
# - no: Services with Sablier lazy loading (start on-demand)
|
|
# - See individual service comments for specific reasoning
|
|
|
|
services:
|
|
dockerproxy:
|
|
# Docker socket proxy for security - provides safe Docker API access, must always run
|
|
# REQUIREMENTS FOR SABLIER INTEGRATION:
|
|
# 1. Docker daemon must be configured to listen on TCP port 2375 (not just unix socket)
|
|
# 2. Firewall must allow access to port 2375 from Sablier service
|
|
# 3. Docker daemon config should include: 'hosts': ['tcp://0.0.0.0:2375', 'unix:///var/run/docker.sock']
|
|
# 4. For security, consider restricting access to specific IP ranges or using TLS
|
|
# 5. dockerproxy runs for additional security but doesn't expose port 2375 (handled by Docker daemon)
|
|
image: tecnativa/docker-socket-proxy:latest
|
|
container_name: dockerproxy
|
|
privileged: true
|
|
restart: unless-stopped
|
|
# Note: Port 2375 is handled directly by Docker daemon for Sablier access
|
|
# dockerproxy provides additional security features but doesn't expose the port
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock
|
|
environment:
|
|
- CONTAINERS=1
|
|
- SERVICES=1
|
|
- TASKS=1
|
|
- NETWORKS=1
|
|
- NODES=1
|
|
- EXEC=1
|
|
- IMAGES=1
|
|
- VOLUMES=1
|
|
- SWARM=1
|
|
labels:
|
|
- homelab.category=infrastructure
|
|
- homelab.description=Docker socket proxy for security
|
|
|
|
# Pi-hole - Network-wide ad blocker and DNS server
|
|
# DNS service must always run for network-wide ad blocking
|
|
pihole:
|
|
image: pihole/pihole:2024.01.0
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
cpus: '0.25'
|
|
memory: 128M
|
|
pids: 256
|
|
reservations:
|
|
cpus: '0.10'
|
|
memory: 64M
|
|
container_name: pihole
|
|
restart: unless-stopped
|
|
networks:
|
|
- homelab-network
|
|
- traefik-network
|
|
ports:
|
|
- '53:53/tcp' # DNS TCP
|
|
- '53:53/udp' # DNS UDP
|
|
volumes:
|
|
- ./pihole/etc-pihole:/etc/pihole
|
|
- ./pihole/etc-dnsmasq.d:/etc/dnsmasq.d
|
|
environment:
|
|
- TZ=America/New_York
|
|
- WEBPASSWORD=${PIHOLE_PASSWORD}
|
|
- FTLCONF_LOCAL_IPV4=192.168.4.4
|
|
dns:
|
|
- 127.0.0.1
|
|
- 1.1.1.1
|
|
cap_add:
|
|
- NET_ADMIN
|
|
labels:
|
|
# TRAEFIK CONFIGURATION
|
|
# ==========================================
|
|
# Service metadata
|
|
- 'homelab.category=infrastructure'
|
|
- 'homelab.description=Network-wide ad blocking and DNS'
|
|
# Traefik reverse proxy (comment/uncomment to disable/enable)
|
|
# IMPORTANT: On REMOTE SERVERS (where Traefik runs elsewhere):
|
|
# - COMMENT OUT all traefik.* labels below (don't delete them)
|
|
# - Routes are configured via external YAML files on the core server
|
|
# - This prevents conflicts between Docker labels and file provider
|
|
- 'traefik.enable=true'
|
|
- 'traefik.docker.network=traefik-network'
|
|
- 'traefik.http.routers.pihole.rule=Host(`pihole.${DOMAIN}`)'
|
|
- 'traefik.http.routers.pihole.entrypoints=websecure'
|
|
- 'traefik.http.routers.pihole.tls.certresolver=letsencrypt'
|
|
- 'traefik.http.routers.pihole.middlewares=authelia@docker'
|
|
- 'traefik.http.services.pihole.loadbalancer.server.port=80'
|
|
|
|
# Watchtower - Automatic container updates
|
|
watchtower:
|
|
image: containrrr/watchtower:latest
|
|
container_name: watchtower
|
|
restart: unless-stopped
|
|
networks:
|
|
- homelab-network
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock
|
|
environment:
|
|
- DOCKER_API_VERSION=1.52
|
|
- WATCHTOWER_CLEANUP=true
|
|
- WATCHTOWER_INCLUDE_RESTARTING=true
|
|
- WATCHTOWER_SCHEDULE=0 0 4 * * * # 4 AM daily
|
|
- WATCHTOWER_NOTIFICATIONS=shoutrrr
|
|
- WATCHTOWER_NOTIFICATION_URL=${WATCHTOWER_NOTIFICATION_URL}
|
|
labels:
|
|
- 'homelab.category=infrastructure'
|
|
- 'homelab.description=Automatic Docker container updates'
|
|
|
|
# Dozzle - Real-time Docker log viewer
|
|
# Uses Sablier lazy loading - starts on-demand, stops after 5min inactivity
|
|
dozzle:
|
|
image: amir20/dozzle:latest
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
cpus: '0.50'
|
|
memory: 256M
|
|
pids: 512
|
|
reservations:
|
|
cpus: '0.25'
|
|
memory: 128M
|
|
container_name: dozzle
|
|
restart: no
|
|
networks:
|
|
- homelab-network
|
|
- traefik-network
|
|
ports:
|
|
- '8085:8080'
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
|
environment:
|
|
- DOZZLE_LEVEL=info
|
|
- DOZZLE_TAILSIZE=300
|
|
- DOZZLE_FILTER=status=running
|
|
healthcheck:
|
|
test: ['CMD', '/dozzle', 'healthcheck']
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
start_period: 30s
|
|
labels:
|
|
- 'com.centurylinklabs.watchtower.enable=true'
|
|
- 'homelab.category=infrastructure'
|
|
- 'homelab.description=Real-time Docker log viewer'
|
|
- 'traefik.enable=true'
|
|
- 'traefik.docker.network=traefik-network'
|
|
- 'traefik.http.routers.dozzle.rule=Host(`dozzle.${DOMAIN}`)'
|
|
- 'traefik.http.routers.dozzle.entrypoints=websecure'
|
|
- 'traefik.http.routers.dozzle.tls.certresolver=letsencrypt'
|
|
- 'traefik.http.routers.dozzle.middlewares=authelia@docker'
|
|
- 'traefik.http.services.dozzle.loadbalancer.server.port=8080'
|
|
- 'sablier.enable=true'
|
|
- 'sablier.group=dozzle'
|
|
|
|
# Glances - System monitoring
|
|
# Uses Sablier lazy loading - starts on-demand, stops after 30min inactivity
|
|
glances:
|
|
image: nicolargo/glances:latest-full
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
cpus: '0.50'
|
|
memory: 256M
|
|
pids: 512
|
|
reservations:
|
|
cpus: '0.25'
|
|
memory: 128M
|
|
container_name: glances
|
|
restart: no
|
|
networks:
|
|
- homelab-network
|
|
- traefik-network
|
|
ports:
|
|
- '61208:61208'
|
|
pid: host
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
|
- ./glances/config:/glances/conf
|
|
environment:
|
|
- GLANCES_OPT=-w
|
|
healthcheck:
|
|
test: ['CMD', 'curl', '-f', 'http://localhost:61208/']
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
start_period: 30s
|
|
labels:
|
|
- 'com.centurylinklabs.watchtower.enable=true'
|
|
- 'homelab.category=infrastructure'
|
|
- 'homelab.description=System and Docker monitoring'
|
|
- 'traefik.enable=true'
|
|
- 'traefik.docker.network=traefik-network'
|
|
- 'traefik.http.routers.glances.rule=Host(`glances.${DOMAIN}`)'
|
|
- 'traefik.http.routers.glances.entrypoints=websecure'
|
|
- 'traefik.http.routers.glances.tls.certresolver=letsencrypt'
|
|
- 'traefik.http.routers.glances.middlewares=authelia@docker'
|
|
- 'traefik.http.services.glances.loadbalancer.server.port=61208'
|
|
- 'sablier.enable=true'
|
|
- 'sablier.group=glances'
|
|
|
|
# Code Server - VS Code in browser
|
|
# Uses Sablier lazy loading - starts on-demand, stops after 30min inactivity
|
|
code-server:
|
|
image: lscr.io/linuxserver/code-server:latest
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
cpus: '1.5'
|
|
memory: 1G
|
|
pids: 2048
|
|
reservations:
|
|
cpus: '0.75'
|
|
memory: 512M
|
|
container_name: code-server
|
|
restart: no
|
|
networks:
|
|
- homelab-network
|
|
- traefik-network
|
|
ports:
|
|
- '8079:8443'
|
|
volumes:
|
|
- ./code-server/config:/config
|
|
- /opt/stacks:/opt/stacks # Access to all stacks
|
|
- /mnt:/mnt:ro # Read-only access to data
|
|
environment:
|
|
- PUID=1000
|
|
- PGID=1000
|
|
- TZ=America/New_York
|
|
- PASSWORD=${CODE_SERVER_PASSWORD}
|
|
- SUDO_PASSWORD=${CODE_SERVER_SUDO_PASSWORD}
|
|
healthcheck:
|
|
test: ['CMD', 'curl', '-f', 'http://localhost:8443/']
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
start_period: 60s
|
|
labels:
|
|
- 'com.centurylinklabs.watchtower.enable=true'
|
|
- 'homelab.category=infrastructure'
|
|
- 'homelab.description=VS Code in browser'
|
|
- 'traefik.enable=true'
|
|
- 'traefik.docker.network=traefik-network'
|
|
- 'traefik.http.routers.code-server.rule=Host(`code.${DOMAIN}`)'
|
|
- 'traefik.http.routers.code-server.entrypoints=websecure'
|
|
- 'traefik.http.routers.code-server.tls.certresolver=letsencrypt'
|
|
- 'traefik.http.routers.code-server.middlewares=authelia@docker'
|
|
- 'traefik.http.services.code-server.loadbalancer.server.port=8443'
|
|
- 'sablier.enable=true'
|
|
- 'sablier.group=code-server'
|
|
|
|
x-dockge:
|
|
urls:
|
|
- https://pihole.${DOMAIN}
|
|
- https://192.168.4.4:53
|
|
- https://dozzle.${DOMAIN}
|
|
- https://192.168.4.4:8085
|
|
- https://glances.${DOMAIN}
|
|
- https://192.168.4.4:61208
|
|
- https://code.${DOMAIN}
|
|
- https://192.168.4.4:8079
|
|
- http://192.168.4.4:2375 # Docker Proxy
|
|
- http://192.168.4.4:19999 # Netdata
|
|
|
|
networks:
|
|
homelab-network:
|
|
external: true
|
|
traefik-network:
|
|
external: true
|