EZ-Homelab/docker-compose/core/docker-compose.yml

# Core Infrastructure Services
# These services form the foundation of the homelab and should always be running
# Place in /opt/stacks/core/docker-compose.yml

# RESTART POLICY GUIDE:
# - unless-stopped: Core infrastructure services that should always run
# - no: Services with Sablier lazy loading (start on-demand)
# - See individual service comments for specific reasoning

# Service Access URLs:
# - Traefik Dashboard: https://traefik.${DOMAIN}
# - Authelia: https://auth.${DOMAIN}

x-dockge:
  urls:
    - https://auth.${DOMAIN}

services:
  
  duckdns:
    # Dynamic DNS service - must always run to maintain domain resolution
    image: lscr.io/linuxserver/duckdns:latest
    container_name: duckdns
    restart: unless-stopped
    environment:
      - PUID=${PUID:-1000}
      - PGID=${PGID:-1000}
      - TZ=${TZ}
      - SUBDOMAINS=${DUCKDNS_SUBDOMAINS}
      - TOKEN=${DUCKDNS_TOKEN}
    volumes:
      - ./duckdns/config:/config
    networks:
      - traefik-network
  
  traefik:
    # Reverse proxy and SSL termination - core routing service, must always run
    image: traefik:v3
    container_name: traefik
    restart: unless-stopped
    command: ["--configFile=/config/traefik.yml"]
    environment:
      - DUCKDNS_TOKEN=${DUCKDNS_TOKEN}
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    volumes:
      - ./traefik/config:/config
      - ./traefik/letsencrypt:/letsencrypt
      - ./traefik/dynamic:/dynamic
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik-network
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik.middlewares=authelia@docker"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
      - "homelab.category=dashboards"
      - "homelab.description=Personal dashboard and service overview"
      - "x-dockge.url=https://traefik.${DOMAIN}"

  authelia:
    # Single sign-on authentication service - must always run for user authentication
    image: authelia/authelia:latest
    container_name: authelia
    restart: unless-stopped
    environment:
      - TZ=${TZ}
    volumes:
      - ./authelia/config:/config
      - ./authelia/secrets:/secrets
    networks:
      - traefik-network
    depends_on:
      - traefik
    labels:
      - traefik.enable=true
      - traefik.http.routers.authelia.rule=Host(`auth.${DOMAIN}`)
      - traefik.http.routers.authelia.entrypoints=websecure
      - traefik.http.routers.authelia.tls.certresolver=letsencrypt
      - traefik.http.routers.authelia.service=authelia
      - traefik.http.services.authelia.loadbalancer.server.port=9091
      - traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.${DOMAIN}/
      - traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=X-Secret
      - traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
      - x-dockge.url=https://auth.${DOMAIN}

  # Sablier - Lazy loading service for Docker containers
  # Controls startup/shutdown of lazy-loaded services, must always run
  sablier-service:
    image: sablierapp/sablier:latest
    container_name: sablier-service
    restart: unless-stopped
    networks:
      - traefik-network
    environment:
      - SABLIER_PROVIDER=docker
      - SABLIER_DOCKER_API_VERSION=1.53
      - SABLIER_DOCKER_NETWORK=traefik-network
      - SABLIER_LOG_LEVEL=debug
      - DOCKER_HOST=tcp://192.168.4.11:2375
    ports:
      - 10000:10000
    labels:
      - homelab.category=infrastructure
      - homelab.description=Lazy loading service for Docker containers

networks:
  traefik-network:
    external: true