sequentialread-caddy-config/docker-compose.yml

version: "3.3"
services:

  caddy:
    restart: always
    image: caddy:2.3.0
    networks:
      - blog
      - internet-access
      - sequentialread
      - gitea
    ports:
      - "80:80"
      - "443:443"
    command: ["/bin/sh", "-c", "rm -f /caddysocket/caddy.sock && caddy run -config /config/config.json"]
    volumes:
      - type: bind
        source: ./caddy/static
        target: /srv/static
        read_only: true
      - type: bind
        source: ./caddy/config
        target: /config
        read_only: true
      - type: bind
        source: ./caddy/data
        target: /data
      - type: bind
        source: ./caddy/log
        target: /var/log
      - type: volume
        source: caddy-socket-volume
        target: /caddysocket

  caddy-config:
    image: sequentialread/caddy-config:0.0.17-11b555a-2ff4
    restart: always
    #mem_limit: 50m
    networks:
      - sequentialread
    volumes:
      - type: bind
        source: ./security-gateway/
        target: /dockersocket/
      - type: volume
        source: caddy-socket-volume
        target: /caddysocket
    environment:
      - DOCKER_SOCKET=/dockersocket/docker.sock
      - CADDY_ACME_DOMAINS_CSV=*.sequentialread.com
      - CADDY_ACME_ISSUER_URL=https://acme-v02.api.letsencrypt.org/directory
      - CADDY_ACME_CLIENT_EMAIL_ADDRESS=forest.n.johnson@gmail.com

  docker-api-security-gateway:
    image: sequentialread/docker-api-security-gateway:0.0.16
    restart: always
    #mem_limit: 50m
    userns_mode: "host"
    volumes:
      - type: bind
        source: /var/run/docker.sock
        target: /var/run/docker.sock
        read_only: true
      - type: bind
        source: ./security-gateway/
        target: /var/run/docker-api-security-gateway/
    environment:
      DOCKER_API_PROXY_DEBUG: "false"
      DOCKER_API_PROXY_ALLOW_0_METHODREGEX: ^GET$$
      DOCKER_API_PROXY_ALLOW_0_URIREGEX: ^/info(\?)?$$
      DOCKER_API_PROXY_ALLOW_1_METHODREGEX: ^GET$$
      DOCKER_API_PROXY_ALLOW_1_URIREGEX: ^/containers/json(\?)?((filters=%7B%22status%22%3A%5B%22running%22%5D%7D&)?limit=0)?$$
      DOCKER_API_PROXY_ALLOW_2_METHODREGEX: ^GET$$
      DOCKER_API_PROXY_ALLOW_2_URIREGEX: ^/containers/[a-f0-9]+/stats(\?)?(stream=0)?$$
      DOCKER_API_PROXY_ALLOW_3_METHODREGEX: ^GET$$
      DOCKER_API_PROXY_ALLOW_3_URIREGEX: ^/containers/[a-f0-9]+/json(\?)?$$
      DOCKER_API_PROXY_RESULTFILTERS_0_METHODREGEX: .*
      DOCKER_API_PROXY_RESULTFILTERS_0_URIREGEX: ^/containers/[a-f0-9]+/json(\?)?$$
      DOCKER_API_PROXY_RESULTFILTERS_0_BLACKLIST_0_PATH: .Config.Env
      DOCKER_API_PROXY_HTTP_LISTENUNIXSOCKET: /var/run/docker-api-security-gateway/docker.sock
      DOCKER_API_PROXY_HTTP_LISTENUNIXSOCKETUID: 165536
      DOCKER_API_PROXY_HTTP_LISTENUNIXSOCKETGID: 165536
      DOCKER_HOST: unix:///var/run/docker.sock
      DOCKER_API_VERSION: '1.40'

  gandi-dns-updater:
    image: sequentialread/gandi-dns-updater:0.0.1
    restart: always
    networks:
      - internet-access
    environment:
      - GDU_GANDIAPIKEY=${GREENHOUSE_GANDI_API_KEY}
      - GDU_RESETAFTERCONSECUTIVEFAILURES=3
      - GDU_DOMAINS_0_DOMAIN=sequentialread.com
      - GDU_DOMAINS_0_RECORDS_0_NAME=@
      - GDU_DOMAINS_0_RECORDS_0_TYPE=A
      - GDU_DOMAINS_0_RECORDS_1_NAME=*
      - GDU_DOMAINS_0_RECORDS_1_TYPE=A
      - GDU_DOMAINS_1_DOMAIN=server.garden
      - GDU_DOMAINS_1_RECORDS_0_NAME=@
      - GDU_DOMAINS_1_RECORDS_0_TYPE=A
      - GDU_DOMAINS_1_RECORDS_1_NAME=www
      - GDU_DOMAINS_1_RECORDS_1_TYPE=A
      - GDU_DOMAINS_1_RECORDS_2_NAME=greenhouse
      - GDU_DOMAINS_1_RECORDS_2_TYPE=A
      - GDU_DOMAINS_1_RECORDS_3_NAME=www.greenhouse
      - GDU_DOMAINS_1_RECORDS_3_TYPE=A
      - GDU_DOMAINS_1_RECORDS_4_NAME=telemetry.greenhouse-alpha
      - GDU_DOMAINS_1_RECORDS_4_TYPE=A
  
  greenhouse:
    image: sequentialread/greenhouse:0.0.0-eee7d07-4608
    restart: always
    ports: 
      - 18080:8080
    volumes:
      - type: bind
        source: ./greenhouse/greenhouse-daemon
        target: /greenhouse/greenhouse-daemon
      - type: bind
        source: ./picopublish/data
        target: /greenhouse/releases
      - type: bind
        source: ./greenhouse/config
        target: /greenhouse/config
    networks:
      - internet-access
      - gitea
      - sequentialread
    environment:
      - GREENHOUSE_LOKI_URL=http://loki:3100
      - GREENHOUSE_HOMEPAGE_MARKDOWN_URL=http://gitea:3000/forest/greenhouse/raw/branch/main/readme/ALPHA.md
      - GREENHOUSE_ENABLE_REGISTRATION=true
      - GREENHOUSE_DIGITALOCEAN_API_KEY=${GREENHOUSE_DIGITALOCEAN_API_KEY}
      - GREENHOUSE_DATABASE_CONNECTION_STRING=${GREENHOUSE_DATABASE_CONNECTION_STRING}
      - GREENHOUSE_DATABASE_SCHEMA=public
      - GREENHOUSE_GANDI_API_KEY=${GREENHOUSE_GANDI_API_KEY}
      - GREENHOUSE_SSH_PRIVATE_KEY_FILE=/greenhouse/config/greenhouse_ed25519
      - GREENHOUSE_BACKBLAZE_BUCKET_NAME=greenhouse-cloud-provider
      - GREENHOUSE_BACKBLAZE_KEY_ID=0003ea77f5997840000000012
      - GREENHOUSE_BACKBLAZE_SECRET_KEY=${GREENHOUSE_BACKBLAZE_SECRET_KEY}
      - GREENHOUSE_SMTP_HOST=smtp.nullhex.com
      - GREENHOUSE_SMTP_PORT=465
      - GREENHOUSE_SMTP_USERNAME=noreply@server.garden
      - GREENHOUSE_SMTP_PASSWORD=${GREENHOUSE_SMTP_PASSWORD}
      - GREENHOUSE_SMTP_ENCRYPTION=SMTPS

  greenhouse-telemetry:
    image: sequentialread/greenhouse-telemetry:0.1.13
    restart: always
    networks:
      - sequentialread
    volumes:
      - type: bind
        source: ./greenhouse-telemetry/data
        target: /greenhouse-telemetry/data
    labels:
      sequentialread-8080-public-port: 443
      sequentialread-8080-public-protocol: https
      sequentialread-8080-public-hostnames: "greenhouse-telemetry.sequentialread.com,telemetry.greenhouse-alpha.server.garden"
      sequentialread-8080-container-protocol: http


  loki:
    image: grafana/loki:main-c4562f1
    restart: always
    networks:
      - internet-access
      - sequentialread
    volumes:
      - type: bind
        source: ./loki/data
        target: /tmp/loki
      - type: bind
        source: ./loki/config.yml
        target: /etc/loki/local-config.yaml

  servergardenwebsite:
    image: nginx
    restart: always
    networks:
      - blog
    volumes:
      - ./greenhouse-servergarden-site/usr-share-nginx-html:/usr/share/nginx/html:ro
      - ./greenhouse-servergarden-site/etc-nginx/nginx.conf:/etc/nginx/nginx.conf
      - ./greenhouse-servergarden-site/etc-nginx/conf.d:/etc/nginx/conf.d
    labels:
      sequentialread-80-public-port: 443
      sequentialread-80-public-protocol: https
      sequentialread-80-public-hostnames: "server.garden,www.server.garden,greenhouse.server.garden,www.greenhouse.server.garden"
      sequentialread-80-container-protocol: http

  pinafore:
    image: sequentialread/pinafore:v2.0.4-0616a2ba-2ecc
    restart: always
    networks:
      - internet-access
    labels:
      sequentialread-4002-public-port: 443
      sequentialread-4002-public-protocol: https
      sequentialread-4002-public-hostnames: "social.sequentialread.com"
      sequentialread-4002-container-protocol: http

  
  gotosocial:
    image: sequentialread/gotosocial:45ae71
    restart: always
    networks:
      - internet-access
    volumes:
      - type: bind
        source: ./gotosocial/storage
        target: /gotosocial/storage
    environment:
      GTS_LOG_LEVEL: 'trace'
      GTS_PORT: '8080'
      GTS_PROTOCOL: 'https'
      GTS_TRUSTED_PROXIES: '0.0.0.0/0'
      GTS_HOST: 'gotosocial.sequentialread.com'
      GTS_ACCOUNT_DOMAIN: 'gotosocial.sequentialread.com'
      GTS_DB_TYPE: 'sqlite'
      GTS_DB_ADDRESS: '/gotosocial/storage/database/sqlite.db'
      GTS_STORAGE_SERVE_PROTOCOL: 'https'
      GTS_STORAGE_SERVE_HOST: 'gotosocial.sequentialread.com'
      GTS_STORAGE_SERVE_BASE_PATH: '/media'
      GTS_ACCOUNTS_OPEN_REGISTRATION: 'true'
      GTS_ACCOUNTS_APPROVAL_REQUIRED: 'false'
      GTS_ACCOUNTS_REASON_REQUIRED: 'false'
      GTS_LETSENCRYPT_ENABLED: 'false'
      GTS_SMTP_HOST: 'smtp.nullhex.com'
      GTS_SMTP_PORT: '587'
      GTS_SMTP_USERNAME: 'forest@sequentialread.com'
      GTS_SMTP_PASSWORD: '${NULLHEX_PASSWORD}'
      GTS_SMTP_FROM: 'forest@sequentialread.com'
    labels:
      sequentialread-8080-public-port: 443
      sequentialread-8080-public-protocol: https
      sequentialread-8080-public-hostnames: "gotosocial.sequentialread.com"
      sequentialread-8080-container-protocol: http




  owncast:
    image: sequentialread/owncast:0.0.7-beta9
    restart: always
    command: ["/app/owncast"]
    networks:
      - blog
    extra_hosts:
      - "forest-laptop:${BLOG_NETWORK_EXTERNAL_SERVICE_IPV4}"
      - "directory.owncast.online:${BLOG_NETWORK_EXTERNAL_SERVICE_IPV4}"
    volumes:
      - type: bind
        source: ./owncast/data
        target: /app/data
    labels:
      sequentialread-8080-public-port: 443
      sequentialread-8080-public-protocol: https
      sequentialread-8080-public-hostnames: "stream.sequentialread.com,stream.beta.sequentialread.com"
      sequentialread-8080-container-protocol: http
  
  goatcounter:
    image: sequentialread/goatcounter:2.1.1-0
    restart: always
    entrypoint: ["/bin/sh"]
    command: ["-c", "/app/goatcounter db migrate -createdb all && /app/goatcounter serve -tls none -listen '*:8080'"]
    networks:
      sequentialread:
        ipv4_address: ${SEQUENTIALREAD_NETWORK_GOATCOUNTER_IPV4}
    extra_hosts:
      - "smtp.nullhex.com:${SEQUENTIALREAD_NETWORK_EXTERNAL_SERVICE_IPV4}"
    environment:
      - TMPDIR=/tmp/goatcounter-exports
    volumes:
      - type: bind
        source: ./goatcounter/db
        target: /app/db
      - type: bind
        source: ./goatcounter/exports
        target: /tmp/goatcounter-exports
    labels:
      sequentialread-8080-public-port: 443
      sequentialread-8080-public-protocol: https
      sequentialread-8080-public-hostnames: "goatcounter.sequentialread.com,goatcounter.beta.sequentialread.com"
      sequentialread-8080-container-protocol: http

  goatcounter-log-publisher:
    image: sequentialread/goatcounter:2.1.1-2
    restart: always
    entrypoint: ["/bin/sh"]
    command: ["-c", "tail -F /caddylog/caddy-goatcounter.log | ./goatcounter-caddy-log-adapter  | ./goatcounter import -site http://goatcounter.sequentialread.com:8080 -format combined-vhost -- -"]
    extra_hosts:
      - "goatcounter.beta.sequentialread.com:${SEQUENTIALREAD_NETWORK_GOATCOUNTER_IPV4}"
      - "goatcounter.sequentialread.com:${SEQUENTIALREAD_NETWORK_GOATCOUNTER_IPV4}"
    volumes:
      - type: bind
        source: ./goatcounter/db
        target: /app/db
      - type: bind
        source: ./caddy/log
        target: /caddylog
    networks:
      - sequentialread
    environment:
      - GOATCOUNTER_API_KEY=${GOATCOUNTER_API_KEY}
      - LOGADAPTER_INCLUDESUCCESSORFAILUREINKEY=false
      - LOGADAPTER_DEBUG=false
      - LOGADAPTER_ALWAYSINCLUDEURISCSV=,
      - LOGADAPTER_BLACKLISTIPSCSV=192.168.0.1,192.168.0.46,97.116.20.61,185.12.148.78
      - LOGADAPTER_DOMAINS_0_MATCHHOSTNAMEREGEX=^(www\.)?((grafana|git|stream|pwm|captcha|comments|gotosocial)\.)?(beta\.)?sequentialread.com
      - LOGADAPTER_DOMAINS_0_CONTENTTYPEWHITELISTREGEX=[^/]+/html
      - LOGADAPTER_DOMAINS_1_MATCHHOSTNAMEREGEX=^(www\.)?(greenhouse(-alpha)?\.)?server.garden
      - LOGADAPTER_DOMAINS_1_CONTENTTYPEWHITELISTREGEX=[^/]+/html
      - LOGADAPTER_DOMAINS_2_MATCHHOSTNAMEREGEX=(goatcounter|influxdb)
      - LOGADAPTER_DOMAINS_2_CONTENTTYPEWHITELISTREGEX=DROP_ALL

  influxdb:
    image: ghcr.io/terjesannum/influxdb-arm32:1.8.10-1
    restart: always
    networks:
      - sequentialread
    volumes:
      - type: bind
        source: ./influxdb/data/
        target: /var/lib/influxdb
    environment:
      - INFLUXDB_REPORTING_DISABLED=true
      - INFLUXDB_HTTP_AUTH_ENABLED=true
      - INFLUXDB_HTTP_PPROF_AUTH_ENABLED=true
      - INFLUXDB_HTTP_DEBUG_PPROF_ENABLED=true
    labels:
      sequentialread-8086-public-port: 443
      sequentialread-8086-public-protocol: https
      sequentialread-8086-public-hostnames: "influxdb.sequentialread.com,influxdb.beta.sequentialread.com"
      sequentialread-8086-container-protocol: http

  # the admin, telegraf, and grafana users on this influxdb were set up manually
  # the passwords/tokens in .env
  # also, had to manually create the dbrp afterwards, for v1 compatibility:
  # curl -H "Authorization: Token $INFLUXDB2_ADMIN_TOKEN" -X POST https://influxdb2.sequentialread.com/api/v2/dbrps -d '{
  #     "bucketID": "582ef43b7a3c3b39",
  #     "database": "sequentialread",
  #     "default": true,
  #     "org": "sequentialread",
  #     "retention_policy": "autogen"
  # }'
  # influxdb2:
  #   image: sequentialread/influxdb:2.1.1-armv7
  #   restart: always
  #   networks:
  #     - sequentialread
  #   volumes:
  #     - type: bind
  #       source: ./influxdb2/
  #       target: /root/.influxdbv2
  #   environment:
  #     - INFLUXD_REPORTING_DISABLED=true
  #     - INFLUXD_PPROF_DISABLED=true
  #   labels:
  #     sequentialread-8086-public-port: 443
  #     sequentialread-8086-public-protocol: https
  #     sequentialread-8086-public-hostnames: "influxdb2.sequentialread.com"
  #     sequentialread-8086-container-protocol: http

  telegraf: 
    image: telegraf:1.17.3
    restart: always
    # in order to get telegraf to report the host's network io correctly,
    # it has to run on the host network... and the only way to do that
    # would be to disable the user namespace remap. so we manually set it to the 
    # remapped UID and GID
    userns_mode: "host"
    network_mode: "host"
    user: 165536:165536
    # now that we are on the hosts network, in order to talk to influx we have to go in through the 
    # front door: Caddy, which is listening on 80 and 443 on localhost.
    extra_hosts:
      - "influxdb.beta.sequentialread.com:127.0.0.1"
      - "influxdb.sequentialread.com:127.0.0.1"
    entrypoint: /bin/sh
    # this runs telegraf and then ends the container process when telegraf logs "Cannot connect to the Docker daemon"
    # Just a simple way to forcing it to restart when the docker daemon socket file gets pulled out from under it
    command: 
      - "-c"
      - |
          echo '' > t.log
          sh -c '/entrypoint.sh --config /telegrafconfig/telegraf.conf 2>&1 | tee t.log' &
          tpid=$$?
          tail -f t.log | grep -q 'Cannot connect to the Docker daemon'
          kill $$tpid
    volumes:
      - type: bind
        source: ./security-gateway/
        target: /dockersocket/
      - type: bind
        source: /
        target: /hostfs
        read_only: true
      - type: bind
        source: ./telegraf
        target: /telegrafconfig
        read_only: true
    depends_on:
      - docker-api-security-gateway
    environment:
      - HOST_MOUNT_PREFIX=/hostfs
      - HOST_PROC=/hostfs/proc
      - TELEGRAF_DOCKER_SOCKET=/dockersocket/docker.sock
      - TELEGRAF_INFLUX_PASSWORD=${TELEGRAF_INFLUX_PASSWORD}
      - TELEGRAF_INFLUX_URL=https://influxdb.sequentialread.com
      - TELEGRAF_INFLUX2_TOKEN=${TELEGRAF_INFLUX2_TOKEN}
      - TELEGRAF_INFLUX2_URL=https://influxdb2.sequentialread.com

  grafana:
    image: grafana/grafana:7.4.3
    restart: always
    # The Grafana docker container is missing the /etc/nsswitch.conf file which
    # many things rely on in order to know how to properly look up domain names.
    # See: https://github.com/gliderlabs/docker-alpine/issues/367
    # without this file, grafana will only use the dns server to resolve names,
    # it won't look at the /etc/hosts file at all. 
    # Since grafana normally runs as a separate user, we have to override the container to run as root 1st
    # so it can write the nsswitch.conf file, then run the grafana start script as the grafana user.
    user: '0'
    entrypoint: /bin/sh
    command: ["-c", "echo 'hosts: files dns' > /etc/nsswitch.conf && su -s '/bin/sh' -c '/run.sh' grafana"]
    extra_hosts:
      - "smtp.nullhex.com:${SEQUENTIALREAD_NETWORK_EXTERNAL_SERVICE_IPV4}"
    networks:
      - sequentialread
    volumes:
      - type: bind
        source: ./grafana/data/
        target: /var/lib/grafana
    environment:
      GF_SERVER_ROOT_URL: 'https://grafana.sequentialread.com'
      GF_SERVER_ENABLE_GZIP: 'true'
      GF_SECURITY_ADMIN_USER: admin
      GF_SECURITY_ADMIN_PASSWORD: ${GRAFANA_ADMIN_PASSWORD}
      GF_SECURITY_DISABLE_GRAVATAR: 'true'
      GF_SECURITY_COOKIE_SECURE: 'true'
      GF_SECURITY_SECRET_KEY: ${GRAFANA_SECRET_KEY}
      GF_AUTH_ANONYMOUS_ENABLED: 'true'
      GF_AUTH_ANONYMOUS_ORG_NAME: sequentialread
      GF_AUTH_ANONYMOUS_ORG_ROLE: Viewer
      GF_SMTP_ENABLED: 'true'
      GF_SMTP_HOST: 'smtp.nullhex.com:465'
      GF_SMTP_PASSWORD: ${NULLHEX_PASSWORD}
      GF_SMTP_USER: forest@sequentialread.com
      GF_SMTP_FROM_ADDRESS: forest@sequentialread.com
      GF_SMTP_STARTTLS_POLICY: MandatoryStartTLS
    labels:
      sequentialread-3000-public-port: 443
      sequentialread-3000-public-protocol: https
      sequentialread-3000-public-hostnames: "grafana.sequentialread.com,grafana.beta.sequentialread.com"
      sequentialread-3000-container-protocol: http

  sequentialread-external-service:
    image: sequentialread/external-service:0.0.14
    restart: always
    networks:
      sequentialread:
        ipv4_address: ${SEQUENTIALREAD_NETWORK_EXTERNAL_SERVICE_IPV4}
      internet-access:
    environment:
      DEBUG_LOG: 'true'
      SERVICE_0_LISTEN: ':465'
      SERVICE_0_DIAL: 'smtp.nullhex.com:465'
      SERVICE_1_LISTEN: ':8226'
      SERVICE_1_DIAL: '192.168.0.140:8226'
    labels:
      sequentialread-8226-public-port: 443
      sequentialread-8226-public-protocol: https
      sequentialread-8226-public-hostnames: "mixtape.sequentialread.com"
      sequentialread-8226-container-protocol: http

  pwm:
    image: sequentialread/sequentialread-password-manager:2.0.10
    restart: always
    networks:
      - sequentialread
    environment:
      - SEQUENTIALREAD_PWM_BACKBLAZE_BUCKET_NAME=sequentialread-password-manager
      - SEQUENTIALREAD_PWM_BACKBLAZE_BUCKET_REGION=us-west-000
      - SEQUENTIALREAD_PWM_BACKBLAZE_ACCESS_KEY_ID=0003ea77f5997840000000015
      - SEQUENTIALREAD_PWM_BACKBLAZE_SECRET_ACCESS_KEY=${PWM_BACKBLAZE_SECRET_ACCESS_KEY}
    volumes:
      - type: bind
        source: ./pwm/data/
        target: /app/data/
    labels:
      sequentialread-8073-public-port: 443
      sequentialread-8073-public-protocol: https
      sequentialread-8073-public-hostnames: "pwm.sequentialread.com,pwm.beta.sequentialread.com"
      sequentialread-8073-container-protocol: http

  picopublish:
    image: sequentialread/picopublish:0.2.44-corstest
    restart: always
    networks:
      - blog
    environment:
      - PICOPUBLISH_PASSWORD=${PICOPUBLISH_PASSWORD}
      - PICOPUBLISH_CAPTCHA_API_TOKEN=${PICOPUBLISH_CAPTCHA_API_TOKEN}
      - PICOPUBLISH_CAPTCHA_API_URL=http://captcha:2370
      - PICOPUBLISH_CAPTCHA_PUBLIC_URL=https://captcha.sequentialread.com
    volumes:
      - type: bind
        source: ./picopublish/data
        target: /app/data
    labels:
      sequentialread-8080-public-port: 443
      sequentialread-8080-public-protocol: https
      sequentialread-8080-public-hostnames: "picopublish.sequentialread.com,picopublish.beta.sequentialread.com"
      sequentialread-8080-container-protocol: http

  webclip:
    image: sequentialread/webclip:0.0.2
    restart: always
    networks:
      - sequentialread
    labels:
      sequentialread-8080-public-port: 443
      sequentialread-8080-public-protocol: https
      sequentialread-8080-public-hostnames: "webclip.sequentialread.com,webclip.beta.sequentialread.com"
      sequentialread-8080-container-protocol: http


  gitea:
    image: sequentialread/gitea-armv7:1.16.7-3
    restart: always
    mem_limit: 1400m
    ports:
      - "10022:10022"
    extra_hosts:
      - "smtp.nullhex.com:${GITEA_NETWORK_EXTERNAL_SERVICE_IPV4}"
    networks:
      - gitea
      - internet-access
    volumes:
      - type: bind
        source: ./gitea/data
        target: /data
    environment:
      - GITEA_CUSTOM=/data/gitea
      - NOTE_THAT=these environment variables only apply the first time the gitea container is started
      - FOR_THE_REST_OF=the current config see the gitea/data/gitea/conf/app.ini file in this repository
    depends_on:
      - postgres
    labels:
      sequentialread-3000-public-port: 443
      sequentialread-3000-public-protocol: https
      sequentialread-3000-public-hostnames: "www.git.sequentialread.com,git.sequentialread.com,git.beta.sequentialread.com"
      sequentialread-3000-container-protocol: http

  gitea-external-service:
    image: sequentialread/external-service:0.0.14
    restart: always
    networks:
      gitea:
        ipv4_address: ${GITEA_NETWORK_EXTERNAL_SERVICE_IPV4}
      internet-access:
    environment:
      DEBUG_LOG: 'true'
      SERVICE_0_LISTEN: ':465'
      SERVICE_0_DIAL: 'smtp.nullhex.com:465'

  gitea-registration-proxy:
    image: sequentialread/gitea-registration-proxy:0.0.1
    restart: always
    networks:
      - gitea
      - blog
    environment:
      - DEBUG=gitea-registration-proxy
      - REGPROXY_GITEA=http://gitea:3000
      - REGPROXY_HOST=0.0.0.0
      - REGPROXY_INVITECODE=${REGPROXY_INVITECODE}
    depends_on:
      - gitea
      - captcha
    labels:
      sequentialread-8080-public-port: 443
      sequentialread-8080-public-protocol: https
      sequentialread-8080-public-hostnames: "www.git.sequentialread.com,git.sequentialread.com,git.beta.sequentialread.com"
      sequentialread-8080-public-paths: "/user/sign_up"
      sequentialread-8080-container-protocol: http

  postgres:
    image: postgres:13.3-alpine
    restart: always
    networks:
      - gitea
    volumes:
      - type: bind
        source: ./postgres/data
        target: /var/lib/postgresql/data
      - type: bind
        source: ./postgres/init/
        target: /docker-entrypoint-initdb.d
    environment:
      - POSTGRES_PASSWORD=${POSTGRES_ROOT_PASSWORD}

  radicale:
    image: tomsquest/docker-radicale
    networks:
      - sequentialread
    init: true
    read_only: true
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - SETUID
      - SETGID
      - CHOWN
      - KILL
    healthcheck:
      test: curl -f http://127.0.0.1:5232 || exit 1
      interval: 30s
      retries: 3
    restart: unless-stopped
    volumes:
      - ./radicale/data:/data
      - ./radicale/config:/config:ro
      - ./radicale/etc-radicale:/etc/radicale
    labels:
      sequentialread-5232-public-port: 443
      sequentialread-5232-public-protocol: https
      sequentialread-5232-public-hostnames: "radicale.sequentialread.com"
      sequentialread-5232-container-protocol: http


  ghost:
    image: ghost:3.41-alpine
    restart: always
    extra_hosts:
      - "smtp.nullhex.com:${BLOG_NETWORK_EXTERNAL_SERVICE_IPV4}"
    networks:
      - blog
    volumes:
      - type: bind
        source: ./ghost
        target: /var/lib/ghost/content
    environment:
      - NODE_ENV=production
      - url=https://sequentialread.com
      - database__client=sqlite3 
      - database__connection__filename=content/data/ghost-prod.db 
      - database__useNullAsDefault=true
      - database__debug=false
      - mail__from=forest@sequentialread.com
      - mail__transport=SMTP
      - mail__options__host=smtp.nullhex.com
      - mail__options__port=465
      - mail__options__auth__user=forest@sequentialread.com
      - mail__options__auth__pass=${NULLHEX_PASSWORD}
    labels:
      sequentialread-2368-public-port: 443
      sequentialread-2368-public-protocol: https
      sequentialread-2368-public-hostnames: "sequentialread.com,www.sequentialread.com,beta.sequentialread.com,www.beta.sequentialread.com"
      sequentialread-2368-container-protocol: http

  webmentiond:
    image: sequentialread/webmentiond:d9db3a5
    restart: always
    networks:
      - internet-access
    volumes:
      - type: bind
        source: ./webmentiond/data
        target: /data
    command:
      - "--addr"
      - "0.0.0.0:8080"
      - "--auth-admin-emails"
      - "forest.n.johnson@gmail.com"
      - "--allowed-target-domains"
      - "sequentialread.com"
      - "--public-url"
      - "https://webmentiond.sequentialread.com"
      - "--send-notifications"
      - "true"
    environment:
      MAIL_HOST: 'smtp.nullhex.com'
      MAIL_PORT: '465'
      MAIL_USER: 'forest@sequentialread.com'
      MAIL_FROM: 'forest@sequentialread.com'
      MAIL_PASSWORD: '${NULLHEX_PASSWORD}'
      MAIL_NO_TLS: 'false'
      AUTH_JWT_SECRET: '${WEBMENTIOND_JWT_SECRET}'
    labels:
      sequentialread-8080-public-port: 443
      sequentialread-8080-public-protocol: https
      sequentialread-8080-public-hostnames: "webmentiond.sequentialread.com"
      sequentialread-8080-container-protocol: http


  comments:
    image: sequentialread/comments:0.1.50
    restart: always
    extra_hosts:
      - "smtp.nullhex.com:${BLOG_NETWORK_EXTERNAL_SERVICE_IPV4}"
      - "www.gravatar.com:${BLOG_NETWORK_EXTERNAL_SERVICE2_IPV4}"
    networks:
      - blog
    volumes:
      - type: bind
        source: ./comments
        target: /app/data
    environment:
      - COMMENTS_LISTEN_PORT=8080
      - COMMENTS_BASE_URL=https://comments.sequentialread.com
      - COMMENTS_HASH_SALT=klnv5ii043nbkjz__g34nnk_34wgn26lqlwqb7841mf
      - COMMENTS_CORS_ORIGINS=https://sequentialread.com,https://www.sequentialread.com,https://greenhouse-alpha.server.garden,https://greenhouse.server.garden
      - COMMENTS_CAPTCHA_API_TOKEN=${CAPTCHA_API_TOKEN}
      - COMMENTS_CAPTCHA_API_URL=http://captcha:2370
      - COMMENTS_CAPTCHA_PUBLIC_URL=https://captcha.sequentialread.com
      - COMMENTS_CAPTCHA_DIFFICULTY_LEVEL=8
      - COMMENTS_EMAIL_HOST=smtp.nullhex.com
      - COMMENTS_EMAIL_PORT=465
      - COMMENTS_EMAIL_USER=forest@sequentialread.com
      - COMMENTS_EMAIL_PASSWORD=${NULLHEX_PASSWORD}
      - COMMENTS_NOTIFICATION_TARGET=forest@sequentialread.com
      - COMMENTS_ADMIN_PASSWORD=${COMMENTS_ADMIN_PASSWORD}
    labels:
      sequentialread-8080-public-port: 443
      sequentialread-8080-public-protocol: https
      sequentialread-8080-public-hostnames: "comments.sequentialread.com,comments.beta.sequentialread.com"
      sequentialread-8080-container-protocol: http


  blog-external-service:
    image: sequentialread/external-service:0.0.14
    restart: always
    networks:
      blog:
        ipv4_address: ${BLOG_NETWORK_EXTERNAL_SERVICE_IPV4}
      internet-access:
    environment:
      DEBUG_LOG: 'true'
      SERVICE_0_LISTEN: ':465'
      SERVICE_0_DIAL: 'smtp.nullhex.com:465'
      SERVICE_1_LISTEN: ':443'
      SERVICE_1_DIAL: 'directory.owncast.online:443'
      SERVICE_2_LISTEN: ':445'
      SERVICE_2_DIAL: '192.168.0.46:445'
      SERVICE_3_LISTEN: ':139'
      SERVICE_3_DIAL: '192.168.0.46:139'

  blog-external-service2:
    image: sequentialread/external-service:0.0.14
    restart: always
    networks:
      blog:
        ipv4_address: ${BLOG_NETWORK_EXTERNAL_SERVICE2_IPV4}
      internet-access:
    environment:
      DEBUG_LOG: 'true'
      SERVICE_1_LISTEN: ':443'
      SERVICE_1_DIAL: 'www.gravatar.com:443'


  captcha:
    image: sequentialread/pow-captcha:0.0.13
    restart: always
    networks:
      - blog
    volumes:
      - type: bind
        source: ./captcha/tokens
        target: /app/PoW_Captcha_API_Tokens
    environment:
      - POW_CAPTCHA_ADMIN_API_TOKEN=${CAPTCHA_ADMIN_API_TOKEN}
    labels:
      sequentialread-2370-public-port: 443
      sequentialread-2370-public-protocol: https
      sequentialread-2370-public-hostnames: "captcha.sequentialread.com,captcha.beta.sequentialread.com"
      sequentialread-2370-container-protocol: http



networks:
  internet-access:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: "${INTERNET_ACCESS_NETWORK_CIDR}"
  gitea:
    driver: bridge
    internal: true
    ipam:
      driver: default
      config:
        - subnet: "${GITEA_NETWORK_CIDR}"
  sequentialread:
    driver: bridge
    internal: true
    ipam:
      driver: default
      config:
        - subnet: "${SEQUENTIALREAD_NETWORK_CIDR}"
  blog:
    driver: bridge
    internal: true
    ipam:
      driver: default
      config:
        - subnet: "${BLOG_NETWORK_CIDR}"

volumes:
  caddy-socket-volume: