From 287abfffd715720dd0a6a3a5c1d2cdc0304e2585 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20GUEZO?= Date: Fri, 23 Jan 2026 20:57:30 +0100 Subject: [PATCH] feat(./docker-compose.yml): add docker socket proxy --- docker-compose.yml | 191 +++++++++++++++++++++++++++++++++++---------- 1 file changed, 150 insertions(+), 41 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 863c150..9a1b4a1 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -3,17 +3,116 @@ volumes: name: ssl wireguard-data: name: wireguard - portainer_data: + portainer-data: name: portainer networks: # Specific network for reverse proxy communication - rproxy-network: - name: rproxy - # We suppose the proxy is already running + socket-ro-bridge: + name: socket_ro_bridge + internal: true + socket-rw-bridge: + name: socket_rw_bridge + internal: true + web-network: + name: web_network + internal: false + external: false + backup-network: + name: backup_network external: false services: + socket-ro: + container_name: socket-ro + image: lscr.io/linuxserver/socket-proxy:latest + # Only grant read-only access to container metadata + environment: + - ALLOW_START=0 + - ALLOW_STOP=0 + - ALLOW_RESTARTS=0 + - AUTH=0 + - BUILD=0 + - COMMIT=0 + - CONFIGS=0 + - CONTAINERS=1 + - DISABLE_IPV6=0 + - DISTRIBUTION=0 + - EVENTS=1 + - EXEC=0 + - IMAGES=1 + - INFO=1 + - LOG_LEVEL=info + - NETWORKS=1 + - NODES=0 + - PING=1 + - PLUGINS=0 + - POST=0 + - SECRETS=0 + - SERVICES=0 + - SESSION=0 + - SWARM=0 + - SYSTEM=1 + - TASKS=0 + - TZ=Etc/UTC + - VERSION=1 + - VOLUMES=1 + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + networks: + - socket-ro-bridge + + socket-rw: + container_name: socket-rw + image: lscr.io/linuxserver/socket-proxy:latest + # Only grant read-only access to container metadata + environment: + - ALLOW_START=0 + - ALLOW_STOP=0 + - ALLOW_RESTARTS=0 + - AUTH=0 + - BUILD=0 + - COMMIT=0 + - CONFIGS=0 + - CONTAINERS=1 + - DISABLE_IPV6=0 + - DISTRIBUTION=0 + - EVENTS=1 + - EXEC=1 + - IMAGES=1 + - INFO=1 + - LOG_LEVEL=info + - NETWORKS=1 + - NODES=0 + - PING=1 + - PLUGINS=0 + - POST=1 + - SECRETS=0 + - SERVICES=0 + - SESSION=0 + - SWARM=0 + - SYSTEM=1 + - TASKS=0 + - TZ=Etc/UTC + - VERSION=1 + - VOLUMES=1 + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + networks: + - socket-rw-bridge + + # socket-rw: + # image: tecnativa/docker-socket-proxy:latest + # container_name: socket-rw + # environment: + # - CONTAINERS=1 + # - 
VOLUMES=1 + # - POST=1 + # volumes: + # - /var/run/docker.sock:/var/run/docker.sock + # networks: + # - backup-network + # -------------------------------- # Auto backup through S3 # -------------------------------- @@ -28,16 +127,17 @@ services: AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY} BACKUP_CRON_EXPRESSION: "0 0 * * *" BACKUP_RETENTION_DAYS: 3 - volumes: # Mounting docker socket to stop/pause containers # to prevent volume corruption. - - /var/run/docker.sock:/var/run/docker.sock:ro + volumes: # Include container volumes in the backup process. - wireguard-data:/backup/wireguard:ro - ./synapse:/backup/synapse:ro - ssl-data:/backup/ssl:ro # Local directory for backup archives. - ./backup:/archive + networks: + - backup-network # -------------------------------- # Reverse Proxy @@ -49,20 +149,24 @@ services: ports: - "80:80" - "443:443" - volumes: + environment: # Grant access to Docker socket enables automated # proxy configuration based on container events. - - /var/run/docker.sock:/tmp/docker.sock:ro + - DOCKER_HOST=tcp://socket-ro:2375 + volumes: # Grant access to certification volume allow to # nginx to read and send SSL keys for security. - ssl-data:/etc/nginx/certs - ./nginx/default_html:/usr/share/nginx/html - - ./nginx/default.conf:/etc/nginx/conf.d/default.conf + # - ./nginx/default.conf:/etc/nginx/conf.d/default.conf - ./nginx/vhost.d:/etc/nginx/vhost.d labels: - "docker-volume-backup.stop-during-backup=true" + depends_on: + - socket-ro networks: - - rproxy-network + - socket-ro-bridge + - web-network # -------------------------------- # ACME Companion for SSL certs 
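Review bot: The comment above socket-rw's environment, `# Only grant read-only access to container metadata`, is copied from socket-ro and is false for a proxy that sets `EXEC=1` and `POST=1`; with `CONTAINERS=1` next to `POST=1` the proxy presumably also admits container-creation requests (confirm against the image's rule set), which is effectively host-level access for anything that can reach socket_rw_bridge. Replace it with something like `# Read access plus exec/POST so acme-companion can reload nginx; anything on socket_rw_bridge can create and exec into containers, so keep this network to acme-companion only`. Neither socket-ro nor socket-rw carries a `restart:` policy although nginx-proxy and portainer point at socket-ro, acme-companion at socket-rw, and the other services in this file use `restart: unless-stopped`; add `restart: unless-stopped` to both proxies. The commented-out tecnativa `socket-rw` block after them is dead configuration and should be deleted rather than left as a tombstone.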
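Review bot: The backup service now has neither a socket mount nor a `DOCKER_HOST`, and nothing attaches a socket proxy to backup_network (the only service that would have joined it is the commented-out tecnativa block), so the `docker-volume-backup.stop-during-backup=true` labels on nginx-proxy and acme-companion appear to have no effect after this change, while the kept comment `# Mounting docker socket to stop/pause containers` still describes the removed mount. If stop-during-backup is still wanted, give the backup service its own minimal proxy on backup-network and point it at it with `- DOCKER_HOST=tcp://socket-backup:2375` under its `environment:` (assuming the backup image honours `DOCKER_HOST` like the other services here; the image line is outside the hunk); otherwise drop the stale comment and the labels. Do not mark backup-network `internal: true` for this, since the S3 upload needs egress. The service name `socket-backup` below is constructed.

```yaml
  socket-backup:
    container_name: socket-backup
    image: lscr.io/linuxserver/socket-proxy:latest
    restart: unless-stopped
    # Only what stop-during-backup needs: list, stop and start containers
    environment:
      - ALLOW_START=1
      - ALLOW_STOP=1
      - CONTAINERS=1
      - POST=1
      - TZ=Etc/UTC
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - backup-network
  # … unchanged: backup service, plus `- DOCKER_HOST=tcp://socket-backup:2375` in its environment …
```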
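Review bot: The kept comment above the new `- DOCKER_HOST=tcp://socket-ro:2375` line still reads `# Grant access to Docker socket enables automated`, but nginx-proxy no longer touches the socket; reword it to `# Reach the Docker API through the read-only socket proxy; nginx-proxy only needs container and event reads`. The bind mount disabled in place as `# - ./nginx/default.conf:/etc/nginx/conf.d/default.conf` should be removed rather than commented out, or, if the custom default.conf is intentionally dropped, the comment should say why. The nginx-proxy service definition starts before this hunk.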
@@ -74,56 +178,62 @@ services: environment: - DEFAULT_EMAIL=${EMAIL} - NGINX_PROXY_CONTAINER=nginx-proxy - volumes: # Grant access to Docker socket enables automated # SSL certificate issuance. - - /var/run/docker.sock:/var/run/docker.sock:ro + - DOCKER_HOST=tcp://socket-rw:2375 + volumes: # Store SSL certifications into ssl-data volume. - ssl-data:/etc/nginx/certs # Required for ACME HTTP-01 challenges and domain validation. - ./nginx/vhost.d:/etc/nginx/vhost.d # Shared web root for serving ACME challenge files. - ./nginx/default_html:/usr/share/nginx/html - # Prevent from recreate a Let's encrypt account + # Prevent from recreate a Let's encrypt account # each restart. - ./nginx/acme_config:/etc/acme.sh labels: - "docker-volume-backup.stop-during-backup=true" - networks: - - rproxy-network depends_on: - nginx-proxy + networks: + - socket-rw-bridge + - web-network - # web: - # container_name: web - # build: ./guezoloic/website # using guezoloic website repo - # restart: unless-stopped - # environment: - # - VIRTUAL_HOST=${HOSTNAME}, www.${HOSTNAME} - # - LETSENCRYPT_HOST=${HOSTNAME}, www.${HOSTNAME} - # - LETSENCRYPT_EMAIL=${EMAIL} - # volumes: - # - ./data:/usr/share/nginx/html/data - # networks: - # - rproxy-network - # depends_on: - # - nginx-proxy + web: + container_name: web + build: ./guezoloic/website # using guezoloic website repo + restart: unless-stopped + environment: + - VIRTUAL_HOST=${HOSTNAME}, www.${HOSTNAME} + - LETSENCRYPT_HOST=${HOSTNAME}, www.${HOSTNAME} + - LETSENCRYPT_EMAIL=${EMAIL} + volumes: + - ./data:/usr/share/nginx/html/data + depends_on: + - nginx-proxy + networks: + - web-network portainer: container_name: portainer image: portainer/portainer-ce:lts restart: unless-stopped environment: - - VIRTUAL_HOST=monitor.${HOSTNAME} - - LETSENCRYPT_HOST=monitor.${HOSTNAME} + - VIRTUAL_HOST=mtr.${HOSTNAME} + - LETSENCRYPT_HOST=mtr.${HOSTNAME} - LETSENCRYPT_EMAIL=${EMAIL} - - VIRTUAL_PORT=9443 + - VIRTUAL_PORT=9000 + - DOCKER_HOST=socket-ro:2375 
volumes: - - /var/run/docker.sock:/var/run/docker.sock - - portainer_data:/data + - portainer-data:/data ports: - - 9443:9443 + - 9000:9000 # - 8000:8000 + depends_on: + - nginx-proxy + networks: + - web-network + - socket-ro-bridge wg-easy: image: ghcr.io/wg-easy/wg-easy:15 @@ -144,11 +254,8 @@ services: - LETSENCRYPT_HOST=vpn.${HOSTNAME} - LETSENCRYPT_EMAIL=${EMAIL} - VIRTUAL_PORT=51821 - networks: - - proxy-network - - vpn-network volumes: - - wireguard-volume:/etc/wireguard + - wireguard-data:/etc/wireguard - /lib/modules:/lib/modules:ro ports: - "51820:51820/udp" @@ -156,6 +263,8 @@ services: - "docker-volume-backup.stop-during-backup=true" depends_on: - nginx-proxy + networks: + - web-network synapse: # private chat server (useful for notifications) @@ -172,7 +281,7 @@ services: - VIRTUAL_PORT=8008 expose: - "8008" - networks: - - rproxy-network depends_on: - nginx-proxy + networks: + - web-network
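Review bot: Portainer's `ports: - 9000:9000` publishes the admin UI over plain HTTP directly on the host, bypassing the TLS termination that the `VIRTUAL_HOST=mtr.${HOSTNAME}` / `LETSENCRYPT_HOST` lines set up and replacing the previous HTTPS 9443 binding; use `expose: - "9000"` as synapse does, and quote the mapping (`"9000:9000"`) if a host binding must stay, for consistency with `"80:80"`. The new `- DOCKER_HOST=socket-ro:2375` lacks the `tcp://` scheme used by nginx-proxy and acme-companion, and whether Portainer reads `DOCKER_HOST` for its local environment at all should be confirmed, since the socket mount was removed and otherwise Portainer starts with no environment to manage. The acme-companion comment `# Grant access to Docker socket enables automated` kept above its new `DOCKER_HOST` line is likewise stale and should name the socket-rw proxy instead. The acme-companion definition starts before this hunk.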