feat(./docker-compose.yml): add docker socket proxy

2026-01-25 03:34:22 +00:00 · 2026-01-23 20:57:30 +01:00
parent 832dac63b8
commit 287abfffd7
1 changed files with 150 additions and 41 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,17 +3,116 @@ volumes:
    name: ssl
  wireguard-data:
    name: wireguard
-  portainer_data:
+  portainer-data:
    name: portainer

 networks:
  # Specific network for reverse proxy communication
-  rproxy-network:
-    name: rproxy
-    # We suppose the proxy is already running
+  socket-ro-bridge:
+    name: socket_ro_bridge
+    internal: true
+  socket-rw-bridge:
+    name: socket_rw_bridge
+    internal: true
+  web-network:
+    name: web_network
+    internal: false
+    external: false
+  backup-network:
+    name: backup_network
    external: false

 services:
+  socket-ro:
+    container_name: socket-ro
+    image: lscr.io/linuxserver/socket-proxy:latest
+    # Only grant read-only access to container metadata
+    environment:
+      - ALLOW_START=0
+      - ALLOW_STOP=0
+      - ALLOW_RESTARTS=0
+      - AUTH=0
+      - BUILD=0
+      - COMMIT=0
+      - CONFIGS=0
+      - CONTAINERS=1
+      - DISABLE_IPV6=0
+      - DISTRIBUTION=0
+      - EVENTS=1
+      - EXEC=0
+      - IMAGES=1
+      - INFO=1
+      - LOG_LEVEL=info
+      - NETWORKS=1
+      - NODES=0
+      - PING=1
+      - PLUGINS=0
+      - POST=0
+      - SECRETS=0
+      - SERVICES=0
+      - SESSION=0
+      - SWARM=0
+      - SYSTEM=1
+      - TASKS=0
+      - TZ=Etc/UTC
+      - VERSION=1
+      - VOLUMES=1
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - socket-ro-bridge
+
+  socket-rw:
+    container_name: socket-rw
+    image: lscr.io/linuxserver/socket-proxy:latest
+    # Only grant read-only access to container metadata
+    environment:
+      - ALLOW_START=0
+      - ALLOW_STOP=0
+      - ALLOW_RESTARTS=0
+      - AUTH=0
+      - BUILD=0
+      - COMMIT=0
+      - CONFIGS=0
+      - CONTAINERS=1
+      - DISABLE_IPV6=0
+      - DISTRIBUTION=0
+      - EVENTS=1
+      - EXEC=1
+      - IMAGES=1
+      - INFO=1
+      - LOG_LEVEL=info
+      - NETWORKS=1
+      - NODES=0
+      - PING=1
+      - PLUGINS=0
+      - POST=1
+      - SECRETS=0
+      - SERVICES=0
+      - SESSION=0
+      - SWARM=0
+      - SYSTEM=1
+      - TASKS=0
+      - TZ=Etc/UTC
+      - VERSION=1
+      - VOLUMES=1
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - socket-rw-bridge
+
+  # socket-rw:
+  #   image: tecnativa/docker-socket-proxy:latest
+  #   container_name: socket-rw
+  #   environment:
+  #     - CONTAINERS=1
+  #     - VOLUMES=1
+  #     - POST=1
+  #   volumes:
+  #     - /var/run/docker.sock:/var/run/docker.sock
+  #   networks:
+  #     - backup-network
+
  # --------------------------------
  #     Auto backup through S3
  # --------------------------------
@@ -28,16 +127,17 @@ services:
      AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}
      BACKUP_CRON_EXPRESSION: "0 0 * * *"
      BACKUP_RETENTION_DAYS: 3
-    volumes:
      # Mounting docker socket to stop/pause containers
      # to prevent volume corruption.
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+    volumes:
      # Include container volumes in the backup process.
      - wireguard-data:/backup/wireguard:ro
      - ./synapse:/backup/synapse:ro
      - ssl-data:/backup/ssl:ro
      # Local directory for backup archives.
      - ./backup:/archive
+    networks:
+      - backup-network

  # --------------------------------
  #          Reverse Proxy
@@ -49,20 +149,24 @@ services:
    ports:
      - "80:80"
      - "443:443"
-    volumes:
+    environment:
      # Grant access to Docker socket enables automated
      # proxy configuration based on container events.
-      - /var/run/docker.sock:/tmp/docker.sock:ro
+      - DOCKER_HOST=tcp://socket-ro:2375
+    volumes:
      # Grant access to certification volume allow to
      # nginx to read and send SSL keys for security.
      - ssl-data:/etc/nginx/certs
      - ./nginx/default_html:/usr/share/nginx/html
-      - ./nginx/default.conf:/etc/nginx/conf.d/default.conf
+      # - ./nginx/default.conf:/etc/nginx/conf.d/default.conf
      - ./nginx/vhost.d:/etc/nginx/vhost.d
    labels:
      - "docker-volume-backup.stop-during-backup=true"
+    depends_on:
+      - socket-ro
    networks:
-      - rproxy-network
+      - socket-ro-bridge
+      - web-network

  # --------------------------------
  #   ACME Companion for SSL certs
@@ -74,56 +178,62 @@ services:
    environment:
      - DEFAULT_EMAIL=${EMAIL}
      - NGINX_PROXY_CONTAINER=nginx-proxy
-    volumes:
      # Grant access to Docker socket enables automated
      # SSL certificate issuance.
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - DOCKER_HOST=tcp://socket-rw:2375
+    volumes:
      # Store SSL certifications into ssl-data volume.
      - ssl-data:/etc/nginx/certs
      # Required for ACME HTTP-01 challenges and domain validation.
      - ./nginx/vhost.d:/etc/nginx/vhost.d
      # Shared web root for serving ACME challenge files.
      - ./nginx/default_html:/usr/share/nginx/html
-      # Prevent from recreate a Let's encrypt account 
+      # Prevent from recreate a Let's encrypt account
      # each restart.
      - ./nginx/acme_config:/etc/acme.sh
    labels:
      - "docker-volume-backup.stop-during-backup=true"
-    networks:
-      - rproxy-network
    depends_on:
      - nginx-proxy
+    networks:
+      - socket-rw-bridge
+      - web-network

-  # web:
-  #   container_name: web
-  #   build: ./guezoloic/website # using guezoloic website repo
-  #   restart: unless-stopped
-  #   environment:
-  #     - VIRTUAL_HOST=${HOSTNAME}, www.${HOSTNAME}
-  #     - LETSENCRYPT_HOST=${HOSTNAME}, www.${HOSTNAME}
-  #     - LETSENCRYPT_EMAIL=${EMAIL}
-  #   volumes:
-  #     - ./data:/usr/share/nginx/html/data
-  #   networks:
-  #     - rproxy-network
-  #   depends_on:
-  #     - nginx-proxy
+  web:
+    container_name: web
+    build: ./guezoloic/website # using guezoloic website repo
+    restart: unless-stopped
+    environment:
+      - VIRTUAL_HOST=${HOSTNAME}, www.${HOSTNAME}
+      - LETSENCRYPT_HOST=${HOSTNAME}, www.${HOSTNAME}
+      - LETSENCRYPT_EMAIL=${EMAIL}
+    volumes:
+      - ./data:/usr/share/nginx/html/data
+    depends_on:
+      - nginx-proxy
+    networks:
+      - web-network

  portainer:
    container_name: portainer
    image: portainer/portainer-ce:lts
    restart: unless-stopped
    environment:
-      - VIRTUAL_HOST=monitor.${HOSTNAME}
-      - LETSENCRYPT_HOST=monitor.${HOSTNAME}
+      - VIRTUAL_HOST=mtr.${HOSTNAME}
+      - LETSENCRYPT_HOST=mtr.${HOSTNAME}
      - LETSENCRYPT_EMAIL=${EMAIL}
-      - VIRTUAL_PORT=9443
+      - VIRTUAL_PORT=9000
+      - DOCKER_HOST=socket-ro:2375
    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-      - portainer_data:/data
+      - portainer-data:/data
    ports:
-      - 9443:9443
+      - 9000:9000
      # - 8000:8000
+    depends_on:
+      - nginx-proxy
+    networks:
+      - web-network
+      - socket-ro-bridge

  wg-easy:
    image: ghcr.io/wg-easy/wg-easy:15
@@ -144,11 +254,8 @@ services:
      - LETSENCRYPT_HOST=vpn.${HOSTNAME}
      - LETSENCRYPT_EMAIL=${EMAIL}
      - VIRTUAL_PORT=51821
-    networks:
-      - proxy-network
-      - vpn-network
    volumes:
-      - wireguard-volume:/etc/wireguard
+      - wireguard-data:/etc/wireguard
      - /lib/modules:/lib/modules:ro
    ports:
      - "51820:51820/udp"
@@ -156,6 +263,8 @@ services:
      - "docker-volume-backup.stop-during-backup=true"
    depends_on:
      - nginx-proxy
+    networks:
+      - web-network

  synapse:
    # private chat server (useful for notifications)
@@ -172,7 +281,7 @@ services:
      - VIRTUAL_PORT=8008
    expose:
      - "8008"
-    networks:
-      - rproxy-network
    depends_on:
      - nginx-proxy
+    networks:
+      - web-network