|
|
|
version: "3.3"
|
|
|
|
services:
|
|
|
|
|
|
|
|
caddy:
|
|
|
|
restart: always
|
|
|
|
image: caddy:2.3.0
|
|
|
|
networks:
|
|
|
|
- blog
|
|
|
|
- internet-access
|
|
|
|
- sequentialread
|
|
|
|
- gitea
|
|
|
|
ports:
|
|
|
|
- "80:80"
|
|
|
|
- "443:443"
|
|
|
|
command: ["/bin/sh", "-c", "rm -f /caddysocket/caddy.sock && caddy run -config /config/config.json"]
|
|
|
|
volumes:
|
|
|
|
- type: bind
|
|
|
|
source: ./caddy/static
|
|
|
|
target: /srv/static
|
|
|
|
read_only: true
|
|
|
|
- type: bind
|
|
|
|
source: ./caddy/config
|
|
|
|
target: /config
|
|
|
|
read_only: true
|
|
|
|
- type: bind
|
|
|
|
source: ./caddy/data
|
|
|
|
target: /data
|
|
|
|
- type: bind
|
|
|
|
source: ./caddy/log
|
|
|
|
target: /var/log
|
|
|
|
- type: volume
|
|
|
|
source: caddy-socket-volume
|
|
|
|
target: /caddysocket
|
|
|
|
|
|
|
|
caddy-config:
|
|
|
|
image: sequentialread/caddy-config:0.0.17-11b555a-2ff4
|
|
|
|
restart: always
|
|
|
|
#mem_limit: 50m
|
|
|
|
networks:
|
|
|
|
- sequentialread
|
|
|
|
volumes:
|
|
|
|
- type: bind
|
|
|
|
source: ./security-gateway/
|
|
|
|
target: /dockersocket/
|
|
|
|
- type: volume
|
|
|
|
source: caddy-socket-volume
|
|
|
|
target: /caddysocket
|
|
|
|
environment:
|
|
|
|
- DOCKER_SOCKET=/dockersocket/docker.sock
|
|
|
|
- CADDY_ACME_DOMAINS_CSV=*.sequentialread.com
|
|
|
|
- CADDY_ACME_ISSUER_URL=https://acme-v02.api.letsencrypt.org/directory
|
|
|
|
- CADDY_ACME_CLIENT_EMAIL_ADDRESS=forest.n.johnson@gmail.com
|
|
|
|
|
|
|
|
docker-api-security-gateway:
|
|
|
|
image: sequentialread/docker-api-security-gateway:0.0.16
|
|
|
|
restart: always
|
|
|
|
#mem_limit: 50m
|
|
|
|
userns_mode: "host"
|
|
|
|
volumes:
|
|
|
|
- type: bind
|
|
|
|
source: /var/run/docker.sock
|
|
|
|
target: /var/run/docker.sock
|
|
|
|
read_only: true
|
|
|
|
- type: bind
|
|
|
|
source: ./security-gateway/
|
|
|
|
target: /var/run/docker-api-security-gateway/
|
|
|
|
environment:
|
|
|
|
DOCKER_API_PROXY_DEBUG: "false"
|
|
|
|
DOCKER_API_PROXY_ALLOW_0_METHODREGEX: ^GET$$
|
|
|
|
DOCKER_API_PROXY_ALLOW_0_URIREGEX: ^/info(\?)?$$
|
|
|
|
DOCKER_API_PROXY_ALLOW_1_METHODREGEX: ^GET$$
|
|
|
|
DOCKER_API_PROXY_ALLOW_1_URIREGEX: ^/containers/json(\?)?((filters=%7B%22status%22%3A%5B%22running%22%5D%7D&)?limit=0)?$$
|
|
|
|
DOCKER_API_PROXY_ALLOW_2_METHODREGEX: ^GET$$
|
|
|
|
DOCKER_API_PROXY_ALLOW_2_URIREGEX: ^/containers/[a-f0-9]+/stats(\?)?(stream=0)?$$
|
|
|
|
DOCKER_API_PROXY_ALLOW_3_METHODREGEX: ^GET$$
|
|
|
|
DOCKER_API_PROXY_ALLOW_3_URIREGEX: ^/containers/[a-f0-9]+/json(\?)?$$
|
|
|
|
DOCKER_API_PROXY_RESULTFILTERS_0_METHODREGEX: .*
|
|
|
|
DOCKER_API_PROXY_RESULTFILTERS_0_URIREGEX: ^/containers/[a-f0-9]+/json(\?)?$$
|
|
|
|
DOCKER_API_PROXY_RESULTFILTERS_0_BLACKLIST_0_PATH: .Config.Env
|
|
|
|
DOCKER_API_PROXY_HTTP_LISTENUNIXSOCKET: /var/run/docker-api-security-gateway/docker.sock
|
|
|
|
DOCKER_API_PROXY_HTTP_LISTENUNIXSOCKETUID: 165536
|
|
|
|
DOCKER_API_PROXY_HTTP_LISTENUNIXSOCKETGID: 165536
|
|
|
|
DOCKER_HOST: unix:///var/run/docker.sock
|
|
|
|
DOCKER_API_VERSION: '1.40'
|
|
|
|
|
|
|
|
gandi-dns-updater:
|
|
|
|
image: sequentialread/gandi-dns-updater:0.0.1
|
|
|
|
restart: always
|
|
|
|
networks:
|
|
|
|
- internet-access
|
|
|
|
environment:
|
|
|
|
- GDU_GANDIAPIKEY=${GREENHOUSE_GANDI_API_KEY}
|
|
|
|
- GDU_RESETAFTERCONSECUTIVEFAILURES=3
|
|
|
|
- GDU_DOMAINS_0_DOMAIN=sequentialread.com
|
|
|
|
- GDU_DOMAINS_0_RECORDS_0_NAME=@
|
|
|
|
- GDU_DOMAINS_0_RECORDS_0_TYPE=A
|
|
|
|
- GDU_DOMAINS_0_RECORDS_1_NAME=*
|
|
|
|
- GDU_DOMAINS_0_RECORDS_1_TYPE=A
|
|
|
|
- GDU_DOMAINS_1_DOMAIN=server.garden
|
|
|
|
- GDU_DOMAINS_1_RECORDS_0_NAME=@
|
|
|
|
- GDU_DOMAINS_1_RECORDS_0_TYPE=A
|
|
|
|
- GDU_DOMAINS_1_RECORDS_1_NAME=www
|
|
|
|
- GDU_DOMAINS_1_RECORDS_1_TYPE=A
|
|
|
|
- GDU_DOMAINS_1_RECORDS_2_NAME=greenhouse
|
|
|
|
- GDU_DOMAINS_1_RECORDS_2_TYPE=A
|
|
|
|
- GDU_DOMAINS_1_RECORDS_3_NAME=www.greenhouse
|
|
|
|
- GDU_DOMAINS_1_RECORDS_3_TYPE=A
|
|
|
|
- GDU_DOMAINS_1_RECORDS_4_NAME=telemetry.greenhouse-alpha
|
|
|
|
- GDU_DOMAINS_1_RECORDS_4_TYPE=A
|
|
|
|
|
|
|
|
greenhouse:
|
|
|
|
image: sequentialread/greenhouse:0.0.0-eee7d07-4608
|
|
|
|
restart: always
|
|
|
|
ports:
|
|
|
|
- 18080:8080
|
|
|
|
volumes:
|
|
|
|
- type: bind
|
|
|
|
source: ./greenhouse/greenhouse-daemon
|
|
|
|
target: /greenhouse/greenhouse-daemon
|
|
|
|
- type: bind
|
|
|
|
source: ./picopublish/data
|
|
|
|
target: /greenhouse/releases
|
|
|
|
- type: bind
|
|
|
|
source: ./greenhouse/config
|
|
|
|
target: /greenhouse/config
|
|
|
|
networks:
|
|
|
|
- internet-access
|
|
|
|
- gitea
|
|
|
|
- sequentialread
|
|
|
|
environment:
|
|
|
|
- GREENHOUSE_LOKI_URL=http://loki:3100
|
|
|
|
- GREENHOUSE_HOMEPAGE_MARKDOWN_URL=http://gitea:3000/forest/greenhouse/raw/branch/main/readme/ALPHA.md
|
|
|
|
- GREENHOUSE_ENABLE_REGISTRATION=true
|
|
|
|
- GREENHOUSE_DIGITALOCEAN_API_KEY=${GREENHOUSE_DIGITALOCEAN_API_KEY}
|
|
|
|
- GREENHOUSE_DATABASE_CONNECTION_STRING=${GREENHOUSE_DATABASE_CONNECTION_STRING}
|
|
|
|
- GREENHOUSE_DATABASE_SCHEMA=public
|
|
|
|
- GREENHOUSE_GANDI_API_KEY=${GREENHOUSE_GANDI_API_KEY}
|
|
|
|
- GREENHOUSE_SSH_PRIVATE_KEY_FILE=/greenhouse/config/greenhouse_ed25519
|
|
|
|
- GREENHOUSE_BACKBLAZE_BUCKET_NAME=greenhouse-cloud-provider
|
|
|
|
- GREENHOUSE_BACKBLAZE_KEY_ID=0003ea77f5997840000000012
|
|
|
|
- GREENHOUSE_BACKBLAZE_SECRET_KEY=${GREENHOUSE_BACKBLAZE_SECRET_KEY}
|
|
|
|
- GREENHOUSE_SMTP_HOST=smtp.nullhex.com
|
|
|
|
- GREENHOUSE_SMTP_PORT=465
|
|
|
|
- GREENHOUSE_SMTP_USERNAME=noreply@server.garden
|
|
|
|
- GREENHOUSE_SMTP_PASSWORD=${GREENHOUSE_SMTP_PASSWORD}
|
|
|
|
- GREENHOUSE_SMTP_ENCRYPTION=SMTPS
|
|
|
|
|
|
|
|
greenhouse-telemetry:
|
|
|
|
image: sequentialread/greenhouse-telemetry:0.1.13
|
|
|
|
restart: always
|
|
|
|
networks:
|
|
|
|
- sequentialread
|
|
|
|
volumes:
|
|
|
|
- type: bind
|
|
|
|
source: ./greenhouse-telemetry/data
|
|
|
|
target: /greenhouse-telemetry/data
|
|
|
|
labels:
|
|
|
|
sequentialread-8080-public-port: 443
|
|
|
|
sequentialread-8080-public-protocol: https
|
|
|
|
sequentialread-8080-public-hostnames: "greenhouse-telemetry.sequentialread.com,telemetry.greenhouse-alpha.server.garden"
|
|
|
|
sequentialread-8080-container-protocol: http
|
|
|
|
|
|
|
|
|
|
|
|
loki:
|
|
|
|
image: grafana/loki:main-c4562f1
|
|
|
|
restart: always
|
|
|
|
networks:
|
|
|
|
- internet-access
|
|
|
|
- sequentialread
|
|
|
|
volumes:
|
|
|
|
- type: bind
|
|
|
|
source: ./loki/data
|
|
|
|
target: /tmp/loki
|
|
|
|
- type: bind
|
|
|
|
source: ./loki/config.yml
|
|
|
|
target: /etc/loki/local-config.yaml
|
|
|
|
|
|
|
|
servergardenwebsite:
|
|
|
|
image: nginx
|
|
|
|
restart: always
|
|
|
|
networks:
|
|
|
|
- blog
|
|
|
|
volumes:
|
|
|
|
- ./greenhouse-servergarden-site/usr-share-nginx-html:/usr/share/nginx/html:ro
|
|
|
|
- ./greenhouse-servergarden-site/etc-nginx/nginx.conf:/etc/nginx/nginx.conf
|
|
|
|
- ./greenhouse-servergarden-site/etc-nginx/conf.d:/etc/nginx/conf.d
|
|
|
|
labels:
|
|
|
|
sequentialread-80-public-port: 443
|
|
|
|
sequentialread-80-public-protocol: https
|
|
|
|
sequentialread-80-public-hostnames: "server.garden,www.server.garden,greenhouse.server.garden,www.greenhouse.server.garden"
|
|
|
|
sequentialread-80-container-protocol: http
|
|
|
|
|
|
|
|
pinafore:
|
|
|
|
image: sequentialread/pinafore:v2.0.4-0616a2ba-2ecc
|
|
|
|
restart: always
|
|
|
|
networks:
|
|
|
|
- internet-access
|
|
|
|
labels:
|
|
|
|
sequentialread-4002-public-port: 443
|
|
|
|
sequentialread-4002-public-protocol: https
|
|
|
|
sequentialread-4002-public-hostnames: "social.sequentialread.com"
|
|
|
|
sequentialread-4002-container-protocol: http
|
|
|
|
|
|
|
|
|
|
|
|
gotosocial:
|
|
|
|
image: sequentialread/gotosocial:45ae71
|
|
|
|
restart: always
|
|
|
|
networks:
|
|
|
|
- internet-access
|
|
|
|
volumes:
|
|
|
|
- type: bind
|
|
|
|
source: ./gotosocial/storage
|
|
|
|
target: /gotosocial/storage
|
|
|
|
environment:
|
|
|
|
GTS_LOG_LEVEL: 'trace'
|
|
|
|
GTS_PORT: '8080'
|
|
|
|
GTS_PROTOCOL: 'https'
|
|
|
|
GTS_TRUSTED_PROXIES: '0.0.0.0/0'
|
|
|
|
GTS_HOST: 'gotosocial.sequentialread.com'
|
|
|
|
GTS_ACCOUNT_DOMAIN: 'gotosocial.sequentialread.com'
|
|
|
|
GTS_DB_TYPE: 'sqlite'
|
|
|
|
GTS_DB_ADDRESS: '/gotosocial/storage/database/sqlite.db'
|
|
|
|
GTS_STORAGE_SERVE_PROTOCOL: 'https'
|
|
|
|
GTS_STORAGE_SERVE_HOST: 'gotosocial.sequentialread.com'
|
|
|
|
GTS_STORAGE_SERVE_BASE_PATH: '/media'
|
|
|
|
GTS_ACCOUNTS_OPEN_REGISTRATION: 'true'
|
|
|
|
GTS_ACCOUNTS_APPROVAL_REQUIRED: 'false'
|
|
|
|
GTS_ACCOUNTS_REASON_REQUIRED: 'false'
|
|
|
|
GTS_LETSENCRYPT_ENABLED: 'false'
|
|
|
|
GTS_SMTP_HOST: 'smtp.nullhex.com'
|
|
|
|
GTS_SMTP_PORT: '587'
|
|
|
|
GTS_SMTP_USERNAME: 'forest@sequentialread.com'
|
|
|
|
GTS_SMTP_PASSWORD: '${NULLHEX_PASSWORD}'
|
|
|
|
GTS_SMTP_FROM: 'forest@sequentialread.com'
|
|
|
|
labels:
|
|
|
|
sequentialread-8080-public-port: 443
|
|
|
|
sequentialread-8080-public-protocol: https
|
|
|
|
sequentialread-8080-public-hostnames: "gotosocial.sequentialread.com"
|
|
|
|
sequentialread-8080-container-protocol: http
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
owncast:
|
|
|
|
image: sequentialread/owncast:0.0.7-beta9
|
|
|
|
restart: always
|
|
|
|
command: ["/app/owncast"]
|
|
|
|
networks:
|
|
|
|
- blog
|
|
|
|
extra_hosts:
|
|
|
|
- "forest-laptop:${BLOG_NETWORK_EXTERNAL_SERVICE_IPV4}"
|
|
|
|
- "directory.owncast.online:${BLOG_NETWORK_EXTERNAL_SERVICE_IPV4}"
|
|
|
|
volumes:
|
|
|
|
- type: bind
|
|
|
|
source: ./owncast/data
|
|
|
|
target: /app/data
|
|
|
|
labels:
|
|
|
|
sequentialread-8080-public-port: 443
|
|
|
|
sequentialread-8080-public-protocol: https
|
|
|
|
sequentialread-8080-public-hostnames: "stream.sequentialread.com,stream.beta.sequentialread.com"
|
|
|
|
sequentialread-8080-container-protocol: http
|
|
|
|
|
|
|
|
goatcounter:
|
|
|
|
image: sequentialread/goatcounter:2.1.1-0
|
|
|
|
restart: always
|
|
|
|
entrypoint: ["/bin/sh"]
|
|
|
|
command: ["-c", "/app/goatcounter db migrate -createdb all && /app/goatcounter serve -tls none -listen '*:8080'"]
|
|
|
|
networks:
|
|
|
|
sequentialread:
|
|
|
|
ipv4_address: ${SEQUENTIALREAD_NETWORK_GOATCOUNTER_IPV4}
|
|
|
|
extra_hosts:
|
|
|
|
- "smtp.nullhex.com:${SEQUENTIALREAD_NETWORK_EXTERNAL_SERVICE_IPV4}"
|
|
|
|
environment:
|
|
|
|
- TMPDIR=/tmp/goatcounter-exports
|
|
|
|
volumes:
|
|
|
|
- type: bind
|
|
|
|
source: ./goatcounter/db
|
|
|
|
target: /app/db
|
|
|
|
- type: bind
|
|
|
|
source: ./goatcounter/exports
|
|
|
|
target: /tmp/goatcounter-exports
|
|
|
|
labels:
|
|
|
|
sequentialread-8080-public-port: 443
|
|
|
|
sequentialread-8080-public-protocol: https
|
|
|
|
sequentialread-8080-public-hostnames: "goatcounter.sequentialread.com,goatcounter.beta.sequentialread.com"
|
|
|
|
sequentialread-8080-container-protocol: http
|
|
|
|
|
|
|
|
goatcounter-log-publisher:
|
|
|
|
image: sequentialread/goatcounter:2.1.1-2
|
|
|
|
restart: always
|
|
|
|
entrypoint: ["/bin/sh"]
|
|
|
|
command: ["-c", "tail -F /caddylog/caddy-goatcounter.log | ./goatcounter-caddy-log-adapter | ./goatcounter import -site http://goatcounter.sequentialread.com:8080 -format combined-vhost -- -"]
|
|
|
|
extra_hosts:
|
|
|
|
- "goatcounter.beta.sequentialread.com:${SEQUENTIALREAD_NETWORK_GOATCOUNTER_IPV4}"
|
|
|
|
- "goatcounter.sequentialread.com:${SEQUENTIALREAD_NETWORK_GOATCOUNTER_IPV4}"
|
|
|
|
volumes:
|
|
|
|
- type: bind
|
|
|
|
source: ./goatcounter/db
|
|
|
|
target: /app/db
|
|
|
|
- type: bind
|
|
|
|
source: ./caddy/log
|
|
|
|
target: /caddylog
|
|
|
|
networks:
|
|
|
|
- sequentialread
|
|
|
|
environment:
|
|
|
|
- GOATCOUNTER_API_KEY=${GOATCOUNTER_API_KEY}
|
|
|
|
- LOGADAPTER_INCLUDESUCCESSORFAILUREINKEY=false
|
|
|
|
- LOGADAPTER_DEBUG=false
|
|
|
|
- LOGADAPTER_ALWAYSINCLUDEURISCSV=,
|
|
|
|
- LOGADAPTER_BLACKLISTIPSCSV=192.168.0.1,192.168.0.46,97.116.20.61,185.12.148.78
|
|
|
|
- LOGADAPTER_DOMAINS_0_MATCHHOSTNAMEREGEX=^(www\.)?((grafana|git|stream|pwm|captcha|comments|gotosocial)\.)?(beta\.)?sequentialread.com
|
|
|
|
- LOGADAPTER_DOMAINS_0_CONTENTTYPEWHITELISTREGEX=[^/]+/html
|
|
|
|
- LOGADAPTER_DOMAINS_1_MATCHHOSTNAMEREGEX=^(www\.)?(greenhouse(-alpha)?\.)?server.garden
|
|
|
|
- LOGADAPTER_DOMAINS_1_CONTENTTYPEWHITELISTREGEX=[^/]+/html
|
|
|
|
- LOGADAPTER_DOMAINS_2_MATCHHOSTNAMEREGEX=(goatcounter|influxdb)
|
|
|
|
- LOGADAPTER_DOMAINS_2_CONTENTTYPEWHITELISTREGEX=DROP_ALL
|
|
|
|
|
|
|
|
influxdb:
|
|
|
|
image: ghcr.io/terjesannum/influxdb-arm32:1.8.10-1
|
|
|
|
restart: always
|
|
|
|
networks:
|
|
|
|
- sequentialread
|
|
|
|
volumes:
|
|
|
|
- type: bind
|
|
|
|
source: ./influxdb/data/
|
|
|
|
target: /var/lib/influxdb
|
|
|
|
environment:
|
|
|
|
- INFLUXDB_REPORTING_DISABLED=true
|
|
|
|
- INFLUXDB_HTTP_AUTH_ENABLED=true
|
|
|
|
- INFLUXDB_HTTP_PPROF_AUTH_ENABLED=true
|
|
|
|
- INFLUXDB_HTTP_DEBUG_PPROF_ENABLED=true
|
|
|
|
labels:
|
|
|
|
sequentialread-8086-public-port: 443
|
|
|
|
sequentialread-8086-public-protocol: https
|
|
|
|
sequentialread-8086-public-hostnames: "influxdb.sequentialread.com,influxdb.beta.sequentialread.com"
|
|
|
|
sequentialread-8086-container-protocol: http
|
|
|
|
|
|
|
|
# the admin, telegraf, and grafana users on this influxdb were set up manually
|
|
|
|
# the passwords/tokens in .env
|
|
|
|
# also, had to manually create the dbrp afterwards, for v1 compatibility:
|
|
|
|
# curl -H "Authorization: Token $INFLUXDB2_ADMIN_TOKEN" -X POST https://influxdb2.sequentialread.com/api/v2/dbrps -d '{
|
|
|
|
# "bucketID": "582ef43b7a3c3b39",
|
|
|
|
# "database": "sequentialread",
|
|
|
|
# "default": true,
|
|
|
|
# "org": "sequentialread",
|
|
|
|
# "retention_policy": "autogen"
|
|
|
|
# }'
|
|
|
|
# influxdb2:
|
|
|
|
# image: sequentialread/influxdb:2.1.1-armv7
|
|
|
|
# restart: always
|
|
|
|
# networks:
|
|
|
|
# - sequentialread
|
|
|
|
# volumes:
|
|
|
|
# - type: bind
|
|
|
|
# source: ./influxdb2/
|
|
|
|
# target: /root/.influxdbv2
|
|
|
|
# environment:
|
|
|
|
# - INFLUXD_REPORTING_DISABLED=true
|
|
|
|
# - INFLUXD_PPROF_DISABLED=true
|
|
|
|
# labels:
|
|
|
|
# sequentialread-8086-public-port: 443
|
|
|
|
# sequentialread-8086-public-protocol: https
|
|
|
|
# sequentialread-8086-public-hostnames: "influxdb2.sequentialread.com"
|
|
|
|
# sequentialread-8086-container-protocol: http
|
|
|
|
|
|
|
|
telegraf:
|
|
|
|
image: telegraf:1.17.3
|
|
|
|
restart: always
|
|
|
|
# in order to get telegraf to report the host's network io correctly,
|
|
|
|
# it has to run on the host network... and the only way to do that
|
|
|
|
# would be to disable the user namespace remap. so we manually set it to the
|
|
|
|
# remapped UID and GID
|
|
|
|
userns_mode: "host"
|
|
|
|
network_mode: "host"
|
|
|
|
user: 165536:165536
|
|
|
|
# now that we are on the hosts network, in order to talk to influx we have to go in through the
|
|
|
|
# front door: Caddy, which is listening on 80 and 443 on localhost.
|
|
|
|
extra_hosts:
|
|
|
|
- "influxdb.beta.sequentialread.com:127.0.0.1"
|
|
|
|
- "influxdb.sequentialread.com:127.0.0.1"
|
|
|
|
entrypoint: /bin/sh
|
|
|
|
# this runs telegraf and then ends the container process when telegraf logs "Cannot connect to the Docker daemon"
|
|
|
|
# Just a simple way to forcing it to restart when the docker daemon socket file gets pulled out from under it
|
|
|
|
command:
|
|
|
|
- "-c"
|
|
|
|
- |
|
|
|
|
echo '' > t.log
|
|
|
|
sh -c '/entrypoint.sh --config /telegrafconfig/telegraf.conf 2>&1 | tee t.log' &
|
|
|
|
tpid=$$?
|
|
|
|
tail -f t.log | grep -q 'Cannot connect to the Docker daemon'
|
|
|
|
kill $$tpid
|
|
|
|
volumes:
|
|
|
|
- type: bind
|
|
|
|
source: ./security-gateway/
|
|
|
|
target: /dockersocket/
|
|
|
|
- type: bind
|
|
|
|
source: /
|
|
|
|
target: /hostfs
|
|
|
|
read_only: true
|
|
|
|
- type: bind
|
|
|
|
source: ./telegraf
|
|
|
|
target: /telegrafconfig
|
|
|
|
read_only: true
|
|
|
|
depends_on:
|
|
|
|
- docker-api-security-gateway
|
|
|
|
environment:
|
|
|
|
- HOST_MOUNT_PREFIX=/hostfs
|
|
|
|
- HOST_PROC=/hostfs/proc
|
|
|
|
- TELEGRAF_DOCKER_SOCKET=/dockersocket/docker.sock
|
|
|
|
- TELEGRAF_INFLUX_PASSWORD=${TELEGRAF_INFLUX_PASSWORD}
|
|
|
|
- TELEGRAF_INFLUX_URL=https://influxdb.sequentialread.com
|
|
|
|
- TELEGRAF_INFLUX2_TOKEN=${TELEGRAF_INFLUX2_TOKEN}
|
|
|
|
- TELEGRAF_INFLUX2_URL=https://influxdb2.sequentialread.com
|
|
|
|
|
|
|
|
grafana:
|
|
|
|
image: grafana/grafana:7.4.3
|
|
|
|
restart: always
|
|
|
|
# The Grafana docker container is missing the /etc/nsswitch.conf file which
|
|
|
|
# many things rely on in order to know how to properly look up domain names.
|
|
|
|
# See: https://github.com/gliderlabs/docker-alpine/issues/367
|
|
|
|
# without this file, grafana will only use the dns server to resolve names,
|
|
|
|
# it won't look at the /etc/hosts file at all.
|
|
|
|
# Since grafana normally runs as a separate user, we have to override the container to run as root 1st
|
|
|
|
# so it can write the nsswitch.conf file, then run the grafana start script as the grafana user.
|
|
|
|
user: '0'
|
|
|
|
entrypoint: /bin/sh
|
|
|
|
command: ["-c", "echo 'hosts: files dns' > /etc/nsswitch.conf && su -s '/bin/sh' -c '/run.sh' grafana"]
|
|
|
|
extra_hosts:
|
|
|
|
- "smtp.nullhex.com:${SEQUENTIALREAD_NETWORK_EXTERNAL_SERVICE_IPV4}"
|
|
|
|
networks:
|
|
|
|
- sequentialread
|
|
|
|
volumes:
|
|
|
|
- type: bind
|
|
|
|
source: ./grafana/data/
|
|
|
|
target: /var/lib/grafana
|
|
|
|
environment:
|
|
|
|
GF_SERVER_ROOT_URL: 'https://grafana.sequentialread.com'
|
|
|
|
GF_SERVER_ENABLE_GZIP: 'true'
|
|
|
|
GF_SECURITY_ADMIN_USER: admin
|
|
|
|
GF_SECURITY_ADMIN_PASSWORD: ${GRAFANA_ADMIN_PASSWORD}
|
|
|
|
GF_SECURITY_DISABLE_GRAVATAR: 'true'
|
|
|
|
GF_SECURITY_COOKIE_SECURE: 'true'
|
|
|
|
GF_SECURITY_SECRET_KEY: ${GRAFANA_SECRET_KEY}
|
|
|
|
GF_AUTH_ANONYMOUS_ENABLED: 'true'
|
|
|
|
GF_AUTH_ANONYMOUS_ORG_NAME: sequentialread
|
|
|
|
GF_AUTH_ANONYMOUS_ORG_ROLE: Viewer
|
|
|
|
GF_SMTP_ENABLED: 'true'
|
|
|
|
GF_SMTP_HOST: 'smtp.nullhex.com:465'
|
|
|
|
GF_SMTP_PASSWORD: ${NULLHEX_PASSWORD}
|
|
|
|
GF_SMTP_USER: forest@sequentialread.com
|
|
|
|
GF_SMTP_FROM_ADDRESS: forest@sequentialread.com
|
|
|
|
GF_SMTP_STARTTLS_POLICY: MandatoryStartTLS
|
|
|
|
labels:
|
|
|
|
sequentialread-3000-public-port: 443
|
|
|
|
sequentialread-3000-public-protocol: https
|
|
|
|
sequentialread-3000-public-hostnames: "grafana.sequentialread.com,grafana.beta.sequentialread.com"
|
|
|
|
sequentialread-3000-container-protocol: http
|
|
|
|
|
|
|
|
sequentialread-external-service:
|
|
|
|
image: sequentialread/external-service:0.0.14
|
|
|
|
restart: always
|
|
|
|
networks:
|
|
|
|
sequentialread:
|
|
|
|
ipv4_address: ${SEQUENTIALREAD_NETWORK_EXTERNAL_SERVICE_IPV4}
|
|
|
|
internet-access:
|
|
|
|
environment:
|
|
|
|
DEBUG_LOG: 'true'
|
|
|
|
SERVICE_0_LISTEN: ':465'
|
|
|
|
SERVICE_0_DIAL: 'smtp.nullhex.com:465'
|
|
|
|
SERVICE_1_LISTEN: ':8226'
|
|
|
|
SERVICE_1_DIAL: '192.168.0.140:8226'
|
|
|
|
labels:
|
|
|
|
sequentialread-8226-public-port: 443
|
|
|
|
sequentialread-8226-public-protocol: https
|
|
|
|
sequentialread-8226-public-hostnames: "mixtape.sequentialread.com"
|
|
|
|
sequentialread-8226-container-protocol: http
|
|
|
|
|
|
|
|
pwm:
|
|
|
|
image: sequentialread/sequentialread-password-manager:2.0.10
|
|
|
|
restart: always
|
|
|
|
networks:
|
|
|
|
- sequentialread
|
|
|
|
environment:
|
|
|
|
- SEQUENTIALREAD_PWM_BACKBLAZE_BUCKET_NAME=sequentialread-password-manager
|
|
|
|
- SEQUENTIALREAD_PWM_BACKBLAZE_BUCKET_REGION=us-west-000
|
|
|
|
- SEQUENTIALREAD_PWM_BACKBLAZE_ACCESS_KEY_ID=0003ea77f5997840000000015
|
|
|
|
- SEQUENTIALREAD_PWM_BACKBLAZE_SECRET_ACCESS_KEY=${PWM_BACKBLAZE_SECRET_ACCESS_KEY}
|
|
|
|
volumes:
|
|
|
|
- type: bind
|
|
|
|
source: ./pwm/data/
|
|
|
|
target: /app/data/
|
|
|
|
labels:
|
|
|
|
sequentialread-8073-public-port: 443
|
|
|
|
sequentialread-8073-public-protocol: https
|
|
|
|
sequentialread-8073-public-hostnames: "pwm.sequentialread.com,pwm.beta.sequentialread.com"
|
|
|
|
sequentialread-8073-container-protocol: http
|
|
|
|
|
|
|
|
picopublish:
|
|
|
|
image: sequentialread/picopublish:0.2.44-corstest
|
|
|
|
restart: always
|
|
|
|
networks:
|
|
|
|
- blog
|
|
|
|
environment:
|
|
|
|
- PICOPUBLISH_PASSWORD=${PICOPUBLISH_PASSWORD}
|
|
|
|
- PICOPUBLISH_CAPTCHA_API_TOKEN=${PICOPUBLISH_CAPTCHA_API_TOKEN}
|
|
|
|
- PICOPUBLISH_CAPTCHA_API_URL=http://captcha:2370
|
|
|
|
- PICOPUBLISH_CAPTCHA_PUBLIC_URL=https://captcha.sequentialread.com
|
|
|
|
volumes:
|
|
|
|
- type: bind
|
|
|
|
source: ./picopublish/data
|
|
|
|
target: /app/data
|
|
|
|
labels:
|
|
|
|
sequentialread-8080-public-port: 443
|
|
|
|
sequentialread-8080-public-protocol: https
|
|
|
|
sequentialread-8080-public-hostnames: "picopublish.sequentialread.com,picopublish.beta.sequentialread.com"
|
|
|
|
sequentialread-8080-container-protocol: http
|
|
|
|
|
|
|
|
webclip:
|
|
|
|
image: sequentialread/webclip:0.0.2
|
|
|
|
restart: always
|
|
|
|
networks:
|
|
|
|
- sequentialread
|
|
|
|
labels:
|
|
|
|
sequentialread-8080-public-port: 443
|
|
|
|
sequentialread-8080-public-protocol: https
|
|
|
|
sequentialread-8080-public-hostnames: "webclip.sequentialread.com,webclip.beta.sequentialread.com"
|
|
|
|
sequentialread-8080-container-protocol: http
|
|
|
|
|
|
|
|
|
|
|
|
gitea:
|
|
|
|
image: sequentialread/gitea-armv7:1.16.7-3
|
|
|
|
restart: always
|
|
|
|
mem_limit: 1400m
|
|
|
|
ports:
|
|
|
|
- "10022:10022"
|
|
|
|
extra_hosts:
|
|
|
|
- "smtp.nullhex.com:${GITEA_NETWORK_EXTERNAL_SERVICE_IPV4}"
|
|
|
|
networks:
|
|
|
|
- gitea
|
|
|
|
- internet-access
|
|
|
|
volumes:
|
|
|
|
- type: bind
|
|
|
|
source: ./gitea/data
|
|
|
|
target: /data
|
|
|
|
environment:
|
|
|
|
- GITEA_CUSTOM=/data/gitea
|
|
|
|
- NOTE_THAT=these environment variables only apply the first time the gitea container is started
|
|
|
|
- FOR_THE_REST_OF=the current config see the gitea/data/gitea/conf/app.ini file in this repository
|
|
|
|
depends_on:
|
|
|
|
- postgres
|
|
|
|
labels:
|
|
|
|
sequentialread-3000-public-port: 443
|
|
|
|
sequentialread-3000-public-protocol: https
|
|
|
|
sequentialread-3000-public-hostnames: "www.git.sequentialread.com,git.sequentialread.com,git.beta.sequentialread.com"
|
|
|
|
sequentialread-3000-container-protocol: http
|
|
|
|
|
|
|
|
gitea-external-service:
|
|
|
|
image: sequentialread/external-service:0.0.14
|
|
|
|
restart: always
|
|
|
|
networks:
|
|
|
|
gitea:
|
|
|
|
ipv4_address: ${GITEA_NETWORK_EXTERNAL_SERVICE_IPV4}
|
|
|
|
internet-access:
|
|
|
|
environment:
|
|
|
|
DEBUG_LOG: 'true'
|
|
|
|
SERVICE_0_LISTEN: ':465'
|
|
|
|
SERVICE_0_DIAL: 'smtp.nullhex.com:465'
|
|
|
|
|
|
|
|
gitea-registration-proxy:
|
|
|
|
image: sequentialread/gitea-registration-proxy:0.0.1
|
|
|
|
restart: always
|
|
|
|
networks:
|
|
|
|
- gitea
|
|
|
|
- blog
|
|
|
|
environment:
|
|
|
|
- DEBUG=gitea-registration-proxy
|
|
|
|
- REGPROXY_GITEA=http://gitea:3000
|
|
|
|
- REGPROXY_HOST=0.0.0.0
|
|
|
|
- REGPROXY_INVITECODE=${REGPROXY_INVITECODE}
|
|
|
|
depends_on:
|
|
|
|
- gitea
|
|
|
|
- captcha
|
|
|
|
labels:
|
|
|
|
sequentialread-8080-public-port: 443
|
|
|
|
sequentialread-8080-public-protocol: https
|
|
|
|
sequentialread-8080-public-hostnames: "www.git.sequentialread.com,git.sequentialread.com,git.beta.sequentialread.com"
|
|
|
|
sequentialread-8080-public-paths: "/user/sign_up"
|
|
|
|
sequentialread-8080-container-protocol: http
|
|
|
|
|
|
|
|
postgres:
|
|
|
|
image: postgres:13.3-alpine
|
|
|
|
restart: always
|
|
|
|
networks:
|
|
|
|
- gitea
|
|
|
|
volumes:
|
|
|
|
- type: bind
|
|
|
|
source: ./postgres/data
|
|
|
|
target: /var/lib/postgresql/data
|
|
|
|
- type: bind
|
|
|
|
source: ./postgres/init/
|
|
|
|
target: /docker-entrypoint-initdb.d
|
|
|
|
environment:
|
|
|
|
- POSTGRES_PASSWORD=${POSTGRES_ROOT_PASSWORD}
|
|
|
|
|
|
|
|
radicale:
|
|
|
|
image: tomsquest/docker-radicale
|
|
|
|
networks:
|
|
|
|
- sequentialread
|
|
|
|
init: true
|
|
|
|
read_only: true
|
|
|
|
security_opt:
|
|
|
|
- no-new-privileges:true
|
|
|
|
cap_drop:
|
|
|
|
- ALL
|
|
|
|
cap_add:
|
|
|
|
- SETUID
|
|
|
|
- SETGID
|
|
|
|
- CHOWN
|
|
|
|
- KILL
|
|
|
|
healthcheck:
|
|
|
|
test: curl -f http://127.0.0.1:5232 || exit 1
|
|
|
|
interval: 30s
|
|
|
|
retries: 3
|
|
|
|
restart: unless-stopped
|
|
|
|
volumes:
|
|
|
|
- ./radicale/data:/data
|
|
|
|
- ./radicale/config:/config:ro
|
|
|
|
- ./radicale/etc-radicale:/etc/radicale
|
|
|
|
labels:
|
|
|
|
sequentialread-5232-public-port: 443
|
|
|
|
sequentialread-5232-public-protocol: https
|
|
|
|
sequentialread-5232-public-hostnames: "radicale.sequentialread.com"
|
|
|
|
sequentialread-5232-container-protocol: http
|
|
|
|
|
|
|
|
|
|
|
|
ghost:
|
|
|
|
image: ghost:3.41-alpine
|
|
|
|
restart: always
|
|
|
|
extra_hosts:
|
|
|
|
- "smtp.nullhex.com:${BLOG_NETWORK_EXTERNAL_SERVICE_IPV4}"
|
|
|
|
networks:
|
|
|
|
- blog
|
|
|
|
volumes:
|
|
|
|
- type: bind
|
|
|
|
source: ./ghost
|
|
|
|
target: /var/lib/ghost/content
|
|
|
|
environment:
|
|
|
|
- NODE_ENV=production
|
|
|
|
- url=https://sequentialread.com
|
|
|
|
- database__client=sqlite3
|
|
|
|
- database__connection__filename=content/data/ghost-prod.db
|
|
|
|
- database__useNullAsDefault=true
|
|
|
|
- database__debug=false
|
|
|
|
- mail__from=forest@sequentialread.com
|
|
|
|
- mail__transport=SMTP
|
|
|
|
- mail__options__host=smtp.nullhex.com
|
|
|
|
- mail__options__port=465
|
|
|
|
- mail__options__auth__user=forest@sequentialread.com
|
|
|
|
- mail__options__auth__pass=${NULLHEX_PASSWORD}
|
|
|
|
labels:
|
|
|
|
sequentialread-2368-public-port: 443
|
|
|
|
sequentialread-2368-public-protocol: https
|
|
|
|
sequentialread-2368-public-hostnames: "sequentialread.com,www.sequentialread.com,beta.sequentialread.com,www.beta.sequentialread.com"
|
|
|
|
sequentialread-2368-container-protocol: http
|
|
|
|
|
|
|
|
webmentiond:
|
|
|
|
image: sequentialread/webmentiond:d9db3a5
|
|
|
|
restart: always
|
|
|
|
networks:
|
|
|
|
- internet-access
|
|
|
|
volumes:
|
|
|
|
- type: bind
|
|
|
|
source: ./webmentiond/data
|
|
|
|
target: /data
|
|
|
|
command:
|
|
|
|
- "--addr"
|
|
|
|
- "0.0.0.0:8080"
|
|
|
|
- "--auth-admin-emails"
|
|
|
|
- "forest.n.johnson@gmail.com"
|
|
|
|
- "--allowed-target-domains"
|
|
|
|
- "sequentialread.com"
|
|
|
|
- "--public-url"
|
|
|
|
- "https://webmentiond.sequentialread.com"
|
|
|
|
- "--send-notifications"
|
|
|
|
- "true"
|
|
|
|
environment:
|
|
|
|
MAIL_HOST: 'smtp.nullhex.com'
|
|
|
|
MAIL_PORT: '465'
|
|
|
|
MAIL_USER: 'forest@sequentialread.com'
|
|
|
|
MAIL_FROM: 'forest@sequentialread.com'
|
|
|
|
MAIL_PASSWORD: '${NULLHEX_PASSWORD}'
|
|
|
|
MAIL_NO_TLS: 'false'
|
|
|
|
AUTH_JWT_SECRET: '${WEBMENTIOND_JWT_SECRET}'
|
|
|
|
labels:
|
|
|
|
sequentialread-8080-public-port: 443
|
|
|
|
sequentialread-8080-public-protocol: https
|
|
|
|
sequentialread-8080-public-hostnames: "webmentiond.sequentialread.com"
|
|
|
|
sequentialread-8080-container-protocol: http
|
|
|
|
|
|
|
|
|
|
|
|
comments:
|
|
|
|
image: sequentialread/comments:0.1.50
|
|
|
|
restart: always
|
|
|
|
extra_hosts:
|
|
|
|
- "smtp.nullhex.com:${BLOG_NETWORK_EXTERNAL_SERVICE_IPV4}"
|
|
|
|
- "www.gravatar.com:${BLOG_NETWORK_EXTERNAL_SERVICE2_IPV4}"
|
|
|
|
networks:
|
|
|
|
- blog
|
|
|
|
volumes:
|
|
|
|
- type: bind
|
|
|
|
source: ./comments
|
|
|
|
target: /app/data
|
|
|
|
environment:
|
|
|
|
- COMMENTS_LISTEN_PORT=8080
|
|
|
|
- COMMENTS_BASE_URL=https://comments.sequentialread.com
|
|
|
|
- COMMENTS_HASH_SALT=klnv5ii043nbkjz__g34nnk_34wgn26lqlwqb7841mf
|
|
|
|
- COMMENTS_CORS_ORIGINS=https://sequentialread.com,https://www.sequentialread.com,https://greenhouse-alpha.server.garden,https://greenhouse.server.garden
|
|
|
|
- COMMENTS_CAPTCHA_API_TOKEN=${CAPTCHA_API_TOKEN}
|
|
|
|
- COMMENTS_CAPTCHA_API_URL=http://captcha:2370
|
|
|
|
- COMMENTS_CAPTCHA_PUBLIC_URL=https://captcha.sequentialread.com
|
|
|
|
- COMMENTS_CAPTCHA_DIFFICULTY_LEVEL=8
|
|
|
|
- COMMENTS_EMAIL_HOST=smtp.nullhex.com
|
|
|
|
- COMMENTS_EMAIL_PORT=465
|
|
|
|
- COMMENTS_EMAIL_USER=forest@sequentialread.com
|
|
|
|
- COMMENTS_EMAIL_PASSWORD=${NULLHEX_PASSWORD}
|
|
|
|
- COMMENTS_NOTIFICATION_TARGET=forest@sequentialread.com
|
|
|
|
- COMMENTS_ADMIN_PASSWORD=${COMMENTS_ADMIN_PASSWORD}
|
|
|
|
labels:
|
|
|
|
sequentialread-8080-public-port: 443
|
|
|
|
sequentialread-8080-public-protocol: https
|
|
|
|
sequentialread-8080-public-hostnames: "comments.sequentialread.com,comments.beta.sequentialread.com"
|
|
|
|
sequentialread-8080-container-protocol: http
|
|
|
|
|
|
|
|
|
|
|
|
blog-external-service:
|
|
|
|
image: sequentialread/external-service:0.0.14
|
|
|
|
restart: always
|
|
|
|
networks:
|
|
|
|
blog:
|
|
|
|
ipv4_address: ${BLOG_NETWORK_EXTERNAL_SERVICE_IPV4}
|
|
|
|
internet-access:
|
|
|
|
environment:
|
|
|
|
DEBUG_LOG: 'true'
|
|
|
|
SERVICE_0_LISTEN: ':465'
|
|
|
|
SERVICE_0_DIAL: 'smtp.nullhex.com:465'
|
|
|
|
SERVICE_1_LISTEN: ':443'
|
|
|
|
SERVICE_1_DIAL: 'directory.owncast.online:443'
|
|
|
|
SERVICE_2_LISTEN: ':445'
|
|
|
|
SERVICE_2_DIAL: '192.168.0.46:445'
|
|
|
|
SERVICE_3_LISTEN: ':139'
|
|
|
|
SERVICE_3_DIAL: '192.168.0.46:139'
|
|
|
|
|
|
|
|
blog-external-service2:
|
|
|
|
image: sequentialread/external-service:0.0.14
|
|
|
|
restart: always
|
|
|
|
networks:
|
|
|
|
blog:
|
|
|
|
ipv4_address: ${BLOG_NETWORK_EXTERNAL_SERVICE2_IPV4}
|
|
|
|
internet-access:
|
|
|
|
environment:
|
|
|
|
DEBUG_LOG: 'true'
|
|
|
|
SERVICE_1_LISTEN: ':443'
|
|
|
|
SERVICE_1_DIAL: 'www.gravatar.com:443'
|
|
|
|
|
|
|
|
|
|
|
|
captcha:
|
|
|
|
image: sequentialread/pow-captcha:0.0.13
|
|
|
|
restart: always
|
|
|
|
networks:
|
|
|
|
- blog
|
|
|
|
volumes:
|
|
|
|
- type: bind
|
|
|
|
source: ./captcha/tokens
|
|
|
|
target: /app/PoW_Captcha_API_Tokens
|
|
|
|
environment:
|
|
|
|
- POW_CAPTCHA_ADMIN_API_TOKEN=${CAPTCHA_ADMIN_API_TOKEN}
|
|
|
|
labels:
|
|
|
|
sequentialread-2370-public-port: 443
|
|
|
|
sequentialread-2370-public-protocol: https
|
|
|
|
sequentialread-2370-public-hostnames: "captcha.sequentialread.com,captcha.beta.sequentialread.com"
|
|
|
|
sequentialread-2370-container-protocol: http
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
networks:
|
|
|
|
internet-access:
|
|
|
|
driver: bridge
|
|
|
|
ipam:
|
|
|
|
driver: default
|
|
|
|
config:
|
|
|
|
- subnet: "${INTERNET_ACCESS_NETWORK_CIDR}"
|
|
|
|
gitea:
|
|
|
|
driver: bridge
|
|
|
|
internal: true
|
|
|
|
ipam:
|
|
|
|
driver: default
|
|
|
|
config:
|
|
|
|
- subnet: "${GITEA_NETWORK_CIDR}"
|
|
|
|
sequentialread:
|
|
|
|
driver: bridge
|
|
|
|
internal: true
|
|
|
|
ipam:
|
|
|
|
driver: default
|
|
|
|
config:
|
|
|
|
- subnet: "${SEQUENTIALREAD_NETWORK_CIDR}"
|
|
|
|
blog:
|
|
|
|
driver: bridge
|
|
|
|
internal: true
|
|
|
|
ipam:
|
|
|
|
driver: default
|
|
|
|
config:
|
|
|
|
- subnet: "${BLOG_NETWORK_CIDR}"
|
|
|
|
|
|
|
|
volumes:
|
|
|
|
caddy-socket-volume:
|