feat(./docker-compose.yml): add docker socket proxy

docker-compose.yml

@@ -3,17 +3,116 @@ volumes:
     name: ssl
   wireguard-data:
     name: wireguard
-  portainer_data:
+  portainer-data:
     name: portainer
 
 networks:
   # Specific network for reverse proxy communication
-  rproxy-network:
+  socket-ro-bridge:
-    name: rproxy
+    name: socket_ro_bridge
-    # We suppose the proxy is already running
+    internal: true
+  socket-rw-bridge:
+    name: socket_rw_bridge
+    internal: true
+  web-network:
+    name: web_network
+    internal: false
+    external: false
+  backup-network:
+    name: backup_network
     external: false
 
 services:
+  socket-ro:
+    container_name: socket-ro
+    image: lscr.io/linuxserver/socket-proxy:latest
+    # Only grant read-only access to container metadata
+    environment:
+      - ALLOW_START=0
+      - ALLOW_STOP=0
+      - ALLOW_RESTARTS=0
+      - AUTH=0
+      - BUILD=0
+      - COMMIT=0
+      - CONFIGS=0
+      - CONTAINERS=1
+      - DISABLE_IPV6=0
+      - DISTRIBUTION=0
+      - EVENTS=1
+      - EXEC=0
+      - IMAGES=1
+      - INFO=1
+      - LOG_LEVEL=info
+      - NETWORKS=1
+      - NODES=0
+      - PING=1
+      - PLUGINS=0
+      - POST=0
+      - SECRETS=0
+      - SERVICES=0
+      - SESSION=0
+      - SWARM=0
+      - SYSTEM=1
+      - TASKS=0
+      - TZ=Etc/UTC
+      - VERSION=1
+      - VOLUMES=1
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - socket-ro-bridge
+
+  socket-rw:
+    container_name: socket-rw
+    image: lscr.io/linuxserver/socket-proxy:latest
+    # Only grant read-only access to container metadata
+    environment:
+      - ALLOW_START=0
+      - ALLOW_STOP=0
+      - ALLOW_RESTARTS=0
+      - AUTH=0
+      - BUILD=0
+      - COMMIT=0
+      - CONFIGS=0
+      - CONTAINERS=1
+      - DISABLE_IPV6=0
+      - DISTRIBUTION=0
+      - EVENTS=1
+      - EXEC=1
+      - IMAGES=1
+      - INFO=1
+      - LOG_LEVEL=info
+      - NETWORKS=1
+      - NODES=0
+      - PING=1
+      - PLUGINS=0
+      - POST=1
+      - SECRETS=0
+      - SERVICES=0
+      - SESSION=0
+      - SWARM=0
+      - SYSTEM=1
+      - TASKS=0
+      - TZ=Etc/UTC
+      - VERSION=1
+      - VOLUMES=1
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - socket-rw-bridge
+
+  # socket-rw:
+  #   image: tecnativa/docker-socket-proxy:latest
+  #   container_name: socket-rw
+  #   environment:
+  #     - CONTAINERS=1
+  #     - VOLUMES=1
+  #     - POST=1
+  #   volumes:
+  #     - /var/run/docker.sock:/var/run/docker.sock
+  #   networks:
+  #     - backup-network
+
   # --------------------------------
   #     Auto backup through S3
   # --------------------------------
@@ -28,16 +127,17 @@ services:
       AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}
       BACKUP_CRON_EXPRESSION: "0 0 * * *"
       BACKUP_RETENTION_DAYS: 3
-    volumes:
       # Mounting docker socket to stop/pause containers
       # to prevent volume corruption.
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+    volumes:
       # Include container volumes in the backup process.
       - wireguard-data:/backup/wireguard:ro
       - ./synapse:/backup/synapse:ro
       - ssl-data:/backup/ssl:ro
       # Local directory for backup archives.
       - ./backup:/archive
+    networks:
+      - backup-network
 
   # --------------------------------
   #          Reverse Proxy
@@ -49,20 +149,24 @@ services:
     ports:
       - "80:80"
       - "443:443"
-    volumes:
+    environment:
       # Grant access to Docker socket enables automated
       # proxy configuration based on container events.
-      - /var/run/docker.sock:/tmp/docker.sock:ro
+      - DOCKER_HOST=tcp://socket-ro:2375
+    volumes:
       # Grant access to certification volume allow to
       # nginx to read and send SSL keys for security.
       - ssl-data:/etc/nginx/certs
       - ./nginx/default_html:/usr/share/nginx/html
-      - ./nginx/default.conf:/etc/nginx/conf.d/default.conf
+      # - ./nginx/default.conf:/etc/nginx/conf.d/default.conf
       - ./nginx/vhost.d:/etc/nginx/vhost.d
     labels:
       - "docker-volume-backup.stop-during-backup=true"
+    depends_on:
+      - socket-ro
     networks:
-      - rproxy-network
+      - socket-ro-bridge
+      - web-network
 
   # --------------------------------
   #   ACME Companion for SSL certs
@@ -74,10 +178,10 @@ services:
     environment:
       - DEFAULT_EMAIL=${EMAIL}
       - NGINX_PROXY_CONTAINER=nginx-proxy
-    volumes:
       # Grant access to Docker socket enables automated
       # SSL certificate issuance.
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - DOCKER_HOST=tcp://socket-rw:2375
+    volumes:
       # Store SSL certifications into ssl-data volume.
       - ssl-data:/etc/nginx/certs
       # Required for ACME HTTP-01 challenges and domain validation.
@@ -89,41 +193,47 @@ services:
       - ./nginx/acme_config:/etc/acme.sh
     labels:
       - "docker-volume-backup.stop-during-backup=true"
-    networks:
-      - rproxy-network
     depends_on:
       - nginx-proxy
+    networks:
+      - socket-rw-bridge
+      - web-network
 
-  # web:
+  web:
-  #   container_name: web
+    container_name: web
-  #   build: ./guezoloic/website # using guezoloic website repo
+    build: ./guezoloic/website # using guezoloic website repo
-  #   restart: unless-stopped
+    restart: unless-stopped
-  #   environment:
+    environment:
-  #     - VIRTUAL_HOST=${HOSTNAME}, www.${HOSTNAME}
+      - VIRTUAL_HOST=${HOSTNAME}, www.${HOSTNAME}
-  #     - LETSENCRYPT_HOST=${HOSTNAME}, www.${HOSTNAME}
+      - LETSENCRYPT_HOST=${HOSTNAME}, www.${HOSTNAME}
-  #     - LETSENCRYPT_EMAIL=${EMAIL}
+      - LETSENCRYPT_EMAIL=${EMAIL}
-  #   volumes:
+    volumes:
-  #     - ./data:/usr/share/nginx/html/data
+      - ./data:/usr/share/nginx/html/data
-  #   networks:
+    depends_on:
-  #     - rproxy-network
+      - nginx-proxy
-  #   depends_on:
+    networks:
-  #     - nginx-proxy
+      - web-network
 
   portainer:
     container_name: portainer
     image: portainer/portainer-ce:lts
     restart: unless-stopped
     environment:
-      - VIRTUAL_HOST=monitor.${HOSTNAME}
+      - VIRTUAL_HOST=mtr.${HOSTNAME}
-      - LETSENCRYPT_HOST=monitor.${HOSTNAME}
+      - LETSENCRYPT_HOST=mtr.${HOSTNAME}
       - LETSENCRYPT_EMAIL=${EMAIL}
-      - VIRTUAL_PORT=9443
+      - VIRTUAL_PORT=9000
+      - DOCKER_HOST=socket-ro:2375
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
+      - portainer-data:/data
-      - portainer_data:/data
     ports:
-      - 9443:9443
+      - 9000:9000
       # - 8000:8000
+    depends_on:
+      - nginx-proxy
+    networks:
+      - web-network
+      - socket-ro-bridge
 
   wg-easy:
     image: ghcr.io/wg-easy/wg-easy:15
@@ -144,11 +254,8 @@ services:
       - LETSENCRYPT_HOST=vpn.${HOSTNAME}
       - LETSENCRYPT_EMAIL=${EMAIL}
       - VIRTUAL_PORT=51821
-    networks:
-      - proxy-network
-      - vpn-network
     volumes:
-      - wireguard-volume:/etc/wireguard
+      - wireguard-data:/etc/wireguard
       - /lib/modules:/lib/modules:ro
     ports:
       - "51820:51820/udp"
@@ -156,6 +263,8 @@ services:
       - "docker-volume-backup.stop-during-backup=true"
     depends_on:
       - nginx-proxy
+    networks:
+      - web-network
 
   synapse:
     # private chat server (useful for notifications)
@@ -172,7 +281,7 @@ services:
       - VIRTUAL_PORT=8008
     expose:
       - "8008"
-    networks:
-      - rproxy-network
     depends_on:
       - nginx-proxy
+    networks:
+      - web-network