Changes: - docker-compose/core/docker-compose.yml: Added pihole service with full Traefik configuration - docker-compose/infrastructure/docker-compose.yml: Removed pihole service - docker-compose/dockge/docker-compose.yml.template: Deleted (no longer needed) Pihole is now part of core infrastructure alongside Traefik, Authelia, and DuckDNS. This ensures DNS services are always available on the core server.
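# Infrastructure Services
#
# SABLIER SESSION DURATION: Set to 5m for testing. Increase to 30m for production in config-templates/traefik/dynamic/sablier.yml
#
# RESTART POLICY GUIDE:
# - unless-stopped: Core infrastructure services that should always run
# - 'no': Services with Sablier lazy loading (start on-demand). Always quoted: a bare `no`
#   is the boolean false to YAML 1.1 loaders, and Compose expects a string here
# - See individual service comments for specific reasoning

services:
  dockerproxy:
    # Docker socket proxy for security - provides a filtered Docker API to other containers, must always run
    # REQUIREMENTS FOR SABLIER INTEGRATION:
    # 1. Docker daemon must be configured to listen on TCP port 2375 (not just unix socket)
    # 2. Firewall must allow access to port 2375 from Sablier service
    # 3. Docker daemon config should include: 'hosts': ['tcp://0.0.0.0:2375', 'unix:///var/run/docker.sock']
    # 4. For security, consider restricting access to specific IP ranges or using TLS
    # 5. dockerproxy runs for additional security but doesn't expose port 2375 (handled by Docker daemon)
    #
    # NOTE(review): a plaintext listener on tcp://0.0.0.0:2375 is root-equivalent host access for
    # anything that can reach it, and this proxy does not sit in front of it (see point 5). The
    # firewall/TLS restriction in point 4 is the only control on that path - treat it as required,
    # or consider pointing Sablier at this proxy so the allow-list below applies to it too.
    image: tecnativa/docker-socket-proxy:latest
    container_name: dockerproxy
    # NOTE(review): privileged together with a read-write socket mount gives this container full
    # control of the host. Confirm the image actually needs privileged mode and drop it if not.
    privileged: true
    restart: unless-stopped
    # Note: Port 2375 is handled directly by Docker daemon for Sablier access
    # dockerproxy provides additional security features but doesn't expose the port
    # No networks: entry, so this service only joins the project default network - confirm its
    # consumers can reach it there (every other service in this file is on homelab-network).
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    # Each flag opens one section of the Docker API through the proxy. EXEC, IMAGES, VOLUMES, NODES
    # and SWARM are broader than a start/stop consumer needs - trim this list to what callers use.
    environment:
      - CONTAINERS=1
      - SERVICES=1
      - TASKS=1
      - NETWORKS=1
      - NODES=1
      - EXEC=1
      - IMAGES=1
      - VOLUMES=1
      - SWARM=1
    # Quoted like the other services' labels in this file (key=value strings)
    labels:
      - 'homelab.category=infrastructure'
      - 'homelab.description=Docker socket proxy for security'
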
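# Watchtower - Automatic container updates
  # Talks to the Docker socket directly (read-write), not through dockerproxy, so it has the full
  # API; anything that compromises this container controls the host. Keep it off published ports.
  watchtower:
    image: containrrr/watchtower:latest
    container_name: watchtower
    restart: unless-stopped
    networks:
      - homelab-network
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - DOCKER_API_VERSION=1.52
      - WATCHTOWER_CLEANUP=true
      - WATCHTOWER_INCLUDE_RESTARTING=true
      # Quoted: the value contains spaces and '*', and a trailing ' #' would otherwise end the scalar
      - 'WATCHTOWER_SCHEDULE=0 0 4 * * *' # 4 AM daily
      - WATCHTOWER_NOTIFICATIONS=shoutrrr
      # Notification URL comes from the environment/.env file; it may embed credentials, so it is
      # deliberately not written here
      - WATCHTOWER_NOTIFICATION_URL=${WATCHTOWER_NOTIFICATION_URL}
    labels:
      - 'homelab.category=infrastructure'
      - 'homelab.description=Automatic Docker container updates'
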
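# Dozzle - Real-time Docker log viewer
  # Uses Sablier lazy loading - starts on-demand, stops after 5min inactivity
  # (the duration actually applied is whatever sablier.yml sets for the 'dozzle' group)
  dozzle:
    image: amir20/dozzle:latest
    deploy:
      resources:
        limits:
          cpus: '0.50'
          memory: 256M
          pids: 512
        reservations:
          cpus: '0.25'
          memory: 128M
    container_name: dozzle
    # Quoted: a bare `no` parses as boolean false under YAML 1.1 and Compose rejects it
    restart: 'no'
    networks:
      - homelab-network
      - traefik-network
    # Host port 8085 is reachable directly, bypassing the Traefik router and its authelia@docker
    # middleware below, and no Dozzle authentication is configured in this file. Drop this
    # mapping (or bind it to 127.0.0.1) if unauthenticated LAN access is not intended.
    ports:
      - '8085:8080'
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - DOZZLE_LEVEL=info
      - DOZZLE_TAILSIZE=300
      - DOZZLE_FILTER=status=running
    healthcheck:
      test: ['CMD', '/dozzle', 'healthcheck']
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s
    labels:
      - 'com.centurylinklabs.watchtower.enable=true'
      - 'homelab.category=infrastructure'
      - 'homelab.description=Real-time Docker log viewer'
      - 'traefik.enable=true'
      - 'traefik.docker.network=traefik-network'
      - 'traefik.http.routers.dozzle.rule=Host(`dozzle.${DOMAIN}`)'
      - 'traefik.http.routers.dozzle.entrypoints=websecure'
      - 'traefik.http.routers.dozzle.tls.certresolver=letsencrypt'
      # Authelia guards the Traefik path only - see the ports: note above
      - 'traefik.http.routers.dozzle.middlewares=authelia@docker'
      - 'traefik.http.services.dozzle.loadbalancer.server.port=8080'
      - 'sablier.enable=true'
      - 'sablier.group=dozzle'
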
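# Glances - System monitoring
  # Uses Sablier lazy loading - starts on-demand, stops after 30min inactivity
  glances:
    image: nicolargo/glances:latest-full
    deploy:
      resources:
        limits:
          cpus: '0.50'
          memory: 256M
          pids: 512
        reservations:
          cpus: '0.25'
          memory: 128M
    container_name: glances
    # Quoted: a bare `no` parses as boolean false under YAML 1.1 and Compose rejects it
    restart: 'no'
    networks:
      - homelab-network
      - traefik-network
    # Host port 61208 is reachable directly, bypassing the Traefik router and its authelia@docker
    # middleware below. With pid: host this exposes every host process name and the Docker state
    # to the LAN without auth - drop the mapping (or bind to 127.0.0.1) if that is not intended.
    ports:
      - '61208:61208'
    # Host PID namespace so Glances can see host processes, not just its own
    pid: host
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./glances/config:/glances/conf
    environment:
      - GLANCES_OPT=-w
    healthcheck:
      test: ['CMD', 'curl', '-f', 'http://localhost:61208/']
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s
    labels:
      - 'com.centurylinklabs.watchtower.enable=true'
      - 'homelab.category=infrastructure'
      - 'homelab.description=System and Docker monitoring'
      - 'traefik.enable=true'
      - 'traefik.docker.network=traefik-network'
      - 'traefik.http.routers.glances.rule=Host(`glances.${DOMAIN}`)'
      - 'traefik.http.routers.glances.entrypoints=websecure'
      - 'traefik.http.routers.glances.tls.certresolver=letsencrypt'
      - 'traefik.http.routers.glances.middlewares=authelia@docker'
      - 'traefik.http.services.glances.loadbalancer.server.port=61208'
      - 'sablier.enable=true'
      - 'sablier.group=glances'
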
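# Code Server - VS Code in browser
  # Uses Sablier lazy loading - starts on-demand, stops after 30min inactivity
  code-server:
    image: lscr.io/linuxserver/code-server:latest
    deploy:
      resources:
        limits:
          cpus: '1.5'
          memory: 1G
          pids: 2048
        reservations:
          cpus: '0.75'
          memory: 512M
    container_name: code-server
    # Quoted: a bare `no` parses as boolean false under YAML 1.1 and Compose rejects it
    restart: 'no'
    networks:
      - homelab-network
      - traefik-network
    # Host port 8079 is reachable directly, bypassing Traefik and the authelia@docker middleware
    # below; only the PASSWORD below protects that path. Drop the mapping (or bind to 127.0.0.1)
    # if direct LAN access is not intended.
    ports:
      - '8079:8443'
    volumes:
      - ./code-server/config:/config
      # Read-write access to every stack definition: whoever reaches this editor can change what
      # runs on the host, and any secrets kept beside the stacks are readable from here too
      - /opt/stacks:/opt/stacks # Access to all stacks
      - /mnt:/mnt:ro # Read-only access to data
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
      # Both passwords are supplied from the environment/.env file, never written here
      - PASSWORD=${CODE_SERVER_PASSWORD}
      - SUDO_PASSWORD=${CODE_SERVER_SUDO_PASSWORD}
    healthcheck:
      test: ['CMD', 'curl', '-f', 'http://localhost:8443/']
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 60s
    labels:
      - 'com.centurylinklabs.watchtower.enable=true'
      - 'homelab.category=infrastructure'
      - 'homelab.description=VS Code in browser'
      - 'traefik.enable=true'
      - 'traefik.docker.network=traefik-network'
      - 'traefik.http.routers.code-server.rule=Host(`code.${DOMAIN}`)'
      - 'traefik.http.routers.code-server.entrypoints=websecure'
      - 'traefik.http.routers.code-server.tls.certresolver=letsencrypt'
      - 'traefik.http.routers.code-server.middlewares=authelia@docker'
      - 'traefik.http.services.code-server.loadbalancer.server.port=8443'
      - 'sablier.enable=true'
      - 'sablier.group=code-server'
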
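x-dockge:
  # Quick links shown by Dockge for this stack. Values are quoted so an empty ${DOMAIN}
  # expansion or a stray YAML indicator cannot change how a line parses.
  urls:
    # Pi-hole is defined in the core stack, not in this file; link kept for convenience.
    # The former https://192.168.4.4:53 entry was removed: 53 is the DNS listener, not a web UI.
    - 'https://pihole.${DOMAIN}'
    - 'https://dozzle.${DOMAIN}'
    - 'https://192.168.4.4:8085'
    - 'https://glances.${DOMAIN}'
    - 'https://192.168.4.4:61208'
    - 'https://code.${DOMAIN}'
    - 'https://192.168.4.4:8079'
    # Docker daemon TCP API (see dockerproxy notes: the proxy itself publishes no port)
    - 'http://192.168.4.4:2375'
    # Netdata - not defined in this file
    - 'http://192.168.4.4:19999'
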
networks:
  # Both networks are created outside this stack (external: true); Compose only attaches to them
  # and fails if they do not already exist.
  homelab-network:
    external: true
  # Shared with Traefik so the routers declared in the service labels above can reach their targets
  traefik-network:
    external: true