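# Compose stack: nginx reverse proxy + ACME companion, a static website,
# Portainer, wg-easy (WireGuard) and Synapse, plus scheduled volume backups
# to S3-compatible storage.
#
# No application container gets the raw Docker socket. Two socket-proxy
# instances front /var/run/docker.sock on isolated `internal` networks:
# socket-ro exposes a read-only view, socket-rw exposes the small write
# surface acme-companion needs. The environment flags on each proxy are the
# real access control.
#
# ${HOSTNAME}, ${EMAIL}, ${AWS}, ${ENDPOINT} and ${AWS_*} are read from the
# shell environment or the .env file next to this compose file. Keep .env
# out of version control: it holds the S3 credentials.
# NOTE(review): HOSTNAME is commonly set (and on some systems exported) by
# the login shell, and Compose lets a shell variable override .env. Verify
# that `${HOSTNAME}` expands to the public domain and not the machine name,
# or rename the variable (e.g. DOMAIN).
#
# NOTE(review): several images are unpinned (`:latest` or no tag). Pin a tag
# or digest for anything that touches the Docker socket or terminates TLS,
# so an upstream push cannot silently change what runs here.

volumes:
  ssl-data:
    name: ssl
  wireguard-data:
    name: wireguard
  portainer-data:
    name: portainer

networks:
  # Per-proxy networks for Docker API access. `internal: true` disables
  # external routing, so only the attached containers can reach a proxy.
  socket-ro-bridge:
    name: socket_ro_bridge
    internal: true
  socket-rw-bridge:
    name: socket_rw_bridge
    internal: true
  # Shared by the reverse proxy and every proxied application.
  web-network:
    name: web_network
    internal: false
    external: false
  # Backup container only. Must stay routable because it uploads to S3.
  backup-network:
    name: backup_network
    external: false

services:
  # --------------------------------
  # Docker socket proxies
  # --------------------------------
  # Read-only Docker API for nginx-proxy and Portainer: GET on containers,
  # images, networks, volumes, events, info and version; no POST, no exec.
  socket-ro:
    container_name: socket-ro
    image: lscr.io/linuxserver/socket-proxy:latest
    environment:
      - ALLOW_START=0
      - ALLOW_STOP=0
      - ALLOW_RESTARTS=0
      - AUTH=0
      - BUILD=0
      - COMMIT=0
      - CONFIGS=0
      - CONTAINERS=1
      - DISABLE_IPV6=0
      - DISTRIBUTION=0
      - EVENTS=1
      - EXEC=0
      - IMAGES=1
      - INFO=1
      - LOG_LEVEL=info
      - NETWORKS=1
      - NODES=0
      - PING=1
      - PLUGINS=0
      - POST=0
      - SECRETS=0
      - SERVICES=0
      - SESSION=0
      - SWARM=0
      - SYSTEM=1
      - TASKS=0
      - TZ=Etc/UTC
      - VERSION=1
      - VOLUMES=1
    volumes:
      # `:ro` only makes the socket inode read-only inside the container; it
      # does not restrict API calls sent over the socket. Access control is
      # the flag set above.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket-ro-bridge

  # Write-capable proxy used only by acme-companion, which needs POST and
  # EXEC to make nginx-proxy reload after issuing a certificate.
  # This is NOT read-only: CONTAINERS=1 with POST=1 allows container
  # creation (ALLOW_START=0 blocks starting one), and EXEC=1 allows running
  # commands inside any container on the host, including the proxy
  # containers that mount the real socket. Treat a compromise of
  # acme-companion as close to host root, and keep this proxy on its own
  # internal network with no other members.
  socket-rw:
    container_name: socket-rw
    image: lscr.io/linuxserver/socket-proxy:latest
    environment:
      - ALLOW_START=0
      - ALLOW_STOP=0
      - ALLOW_RESTARTS=0
      - AUTH=0
      - BUILD=0
      - COMMIT=0
      - CONFIGS=0
      - CONTAINERS=1
      - DISABLE_IPV6=0
      - DISTRIBUTION=0
      - EVENTS=1
      # Needed for the nginx reload; this is the dangerous one (see above).
      - EXEC=1
      - IMAGES=1
      - INFO=1
      - LOG_LEVEL=info
      - NETWORKS=1
      - NODES=0
      - PING=1
      - PLUGINS=0
      - POST=1
      - SECRETS=0
      - SERVICES=0
      - SESSION=0
      - SWARM=0
      - SYSTEM=1
      - TASKS=0
      - TZ=Etc/UTC
      - VERSION=1
      - VOLUMES=1
    volumes:
      # `:ro` does not limit API calls over the socket (see socket-ro).
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket-rw-bridge

  # Previous proxy used by the backup service (tecnativa image, raw socket
  # mount, backup-network). Kept for reference; see the backup notes below.
  # socket-rw:
  #   image: tecnativa/docker-socket-proxy:latest
  #   container_name: socket-rw
  #   environment:
  #     - CONTAINERS=1
  #     - VOLUMES=1
  #     - POST=1
  #   volumes:
  #     - /var/run/docker.sock:/var/run/docker.sock
  #   networks:
  #     - backup-network

  # --------------------------------
  # Auto backup through S3
  # --------------------------------
  # NOTE(review): the `docker-volume-backup.stop-during-backup=true` labels
  # on nginx-proxy, acme-companion and wg-easy only take effect if this
  # container can reach the Docker API (a socket mount or DOCKER_HOST).
  # Neither is configured here, so containers keep running during the
  # backup and the wireguard and synapse copies may be inconsistent. If you
  # wire it up, go through a dedicated socket proxy that allows only what
  # stop/start needs, never the raw socket.
  # NOTE(review): the archives contain WireGuard private keys, TLS private
  # keys and Synapse's homeserver.yaml, and are uploaded unencrypted unless
  # the image's encryption option is set (GPG_PASSPHRASE in its docs;
  # confirm against the version in use).
  backup:
    container_name: backup
    image: offen/docker-volume-backup
    restart: unless-stopped
    environment:
      AWS_S3_BUCKET_NAME: "${AWS}"
      AWS_ENDPOINT: "${ENDPOINT}"
      AWS_ACCESS_KEY_ID: "${AWS_ACCESS_KEY_ID}"
      AWS_SECRET_ACCESS_KEY: "${AWS_SECRET_ACCESS_KEY}"
      # Daily at midnight (container time).
      BACKUP_CRON_EXPRESSION: "0 0 * * *"
      BACKUP_RETENTION_DAYS: "3"
    volumes:
      # Sources are mounted read-only; the job must never modify them.
      - wireguard-data:/backup/wireguard:ro
      - ./synapse:/backup/synapse:ro
      - ssl-data:/backup/ssl:ro
      # Local copy of the archives.
      - ./backup:/archive
    networks:
      - backup-network

  # --------------------------------
  # Reverse Proxy
  # --------------------------------
  nginx-proxy:
    image: nginxproxy/nginx-proxy:alpine
    container_name: nginx-proxy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    environment:
      # Container discovery through the read-only proxy, never the raw socket.
      - DOCKER_HOST=tcp://socket-ro:2375
    volumes:
      # Read-only: only acme-companion writes certificates and keys.
      - ssl-data:/etc/nginx/certs:ro
      # Shared web root, also used for ACME HTTP-01 challenge files.
      - ./nginx/default_html:/usr/share/nginx/html
      # - ./nginx/default.conf:/etc/nginx/conf.d/default.conf
      - ./nginx/vhost.d:/etc/nginx/vhost.d
    labels:
      - "docker-volume-backup.stop-during-backup=true"
    depends_on:
      - socket-ro
    networks:
      - socket-ro-bridge
      - web-network

  # --------------------------------
  # ACME Companion for SSL certs
  # --------------------------------
  acme-companion:
    image: nginxproxy/acme-companion
    container_name: acme-companion
    restart: unless-stopped
    environment:
      - DEFAULT_EMAIL=${EMAIL}
      - NGINX_PROXY_CONTAINER=nginx-proxy
      # Write-capable proxy: issuing a certificate ends with an exec into
      # nginx-proxy to reload it. See the socket-rw notes for what this grants.
      - DOCKER_HOST=tcp://socket-rw:2375
    volumes:
      # Writes certificates and private keys into the shared volume.
      - ssl-data:/etc/nginx/certs
      # Per-vhost config, used for HTTP-01 challenge locations.
      - ./nginx/vhost.d:/etc/nginx/vhost.d
      # Shared web root for challenge files.
      - ./nginx/default_html:/usr/share/nginx/html
      # Persist the ACME account so a restart does not register a new one.
      - ./nginx/acme_config:/etc/acme.sh
    labels:
      - "docker-volume-backup.stop-during-backup=true"
    depends_on:
      - nginx-proxy
      - socket-rw
    networks:
      - socket-rw-bridge
      - web-network

  # --------------------------------
  # Applications behind the proxy
  # --------------------------------
  web:
    container_name: web
    build: ./guezoloic/website  # using guezoloic website repo
    restart: unless-stopped
    environment:
      - VIRTUAL_HOST=${HOSTNAME}, www.${HOSTNAME}
      - LETSENCRYPT_HOST=${HOSTNAME}, www.${HOSTNAME}
      - LETSENCRYPT_EMAIL=${EMAIL}
    volumes:
      - ./data:/usr/share/nginx/html/data
    depends_on:
      - nginx-proxy
    networks:
      - web-network

  portainer:
    container_name: portainer
    image: portainer/portainer-ce:lts
    restart: unless-stopped
    environment:
      - VIRTUAL_HOST=mtr.${HOSTNAME}
      - LETSENCRYPT_HOST=mtr.${HOSTNAME}
      - LETSENCRYPT_EMAIL=${EMAIL}
      - VIRTUAL_PORT=9000
      # Read-only API through socket-ro (monitoring view, no actions).
      # Scheme added so this matches the other DOCKER_HOST values.
      # NOTE(review): Portainer's documented way to select a Docker endpoint
      # is the `-H tcp://socket-ro:2375` command-line flag; confirm this
      # environment variable is honoured by the image before relying on it.
      - DOCKER_HOST=tcp://socket-ro:2375
    volumes:
      - portainer-data:/data
    # The UI is reached only through nginx-proxy over TLS (VIRTUAL_PORT).
    # Publishing 9000 on the host as well exposed the admin login, and the
    # first-run admin setup, over plain HTTP on every interface. For local
    # access bind to loopback instead:
    # ports:
    #   - "127.0.0.1:9000:9000"
    #   - "8000:8000"  # edge agent tunnel, not used
    depends_on:
      - nginx-proxy
    networks:
      - web-network
      - socket-ro-bridge

  wg-easy:
    image: ghcr.io/wg-easy/wg-easy:15
    container_name: wg-easy
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      # SYS_MODULE together with the /lib/modules mount lets this container
      # load kernel modules, which amounts to host root. Per the wg-easy
      # docs it is only needed when the wireguard module is not already
      # loaded; if the host loads it at boot, drop the cap and the mount.
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.all.forwarding=1
      - net.ipv6.conf.default.forwarding=1
    environment:
      - TZ=Europe/Paris
      # Admin UI is served only through nginx-proxy, not published directly.
      - VIRTUAL_HOST=vpn.${HOSTNAME}
      - LETSENCRYPT_HOST=vpn.${HOSTNAME}
      - LETSENCRYPT_EMAIL=${EMAIL}
      - VIRTUAL_PORT=51821
    volumes:
      # Holds the WireGuard private keys; included in the backup set.
      - wireguard-data:/etc/wireguard
      - /lib/modules:/lib/modules:ro
    ports:
      - "51820:51820/udp"
    labels:
      - "docker-volume-backup.stop-during-backup=true"
    depends_on:
      - nginx-proxy
    networks:
      - web-network

  # Private chat server (useful for notifications).
  synapse:
    # NOTE(review): `latest` on a federation-facing service; pin a version.
    image: matrixdotorg/synapse:latest
    container_name: synapse
    restart: unless-stopped
    volumes:
      # homeserver.yaml lives here and holds secrets; it is in the backup set.
      - ./synapse:/data
    environment:
      - SYNAPSE_CONFIG_PATH=/data/homeserver.yaml
      - VIRTUAL_HOST=msg.${HOSTNAME}
      - LETSENCRYPT_HOST=msg.${HOSTNAME}
      - LETSENCRYPT_EMAIL=${EMAIL}
      - VIRTUAL_PORT=8008
    expose:
      - "8008"
    depends_on:
      - nginx-proxy
    networks:
      - web-network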