Merge pull request #1 from kianby/feature-network-isolation

Feature network isolation
This commit is contained in:
Yax 2021-12-12 18:35:46 +01:00 committed by GitHub
commit 13f3ddbfd1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
22 changed files with 184 additions and 74 deletions

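--- a/docker-compose.networks.yml
+++ b/docker-compose.networks.yml
@@ -0,0 +1,41 @@
+version: '3'
+networks:
+dmz:
+name: dmz
+baikal-frontend:
+name: baikal-frontend
+blog-frontend:
+name: blog-frontend
+blog-backend:
+name: blog-backend
+deluge-frontend:
+name: deluge-frontend
+dokuwiki-frontend:
+name: dokuwiki-frontend
+glances-frontend:
+name: glances-frontend
+netdata-frontend:
+name: netdata-frontend
+netdata-backend:
+name: netdata-backend
+photo-frontend:
+name: photo-frontend
+photo-backend:
+name: photo-backend
+portainer-frontend:
+name: portainer-frontend
+posteio-frontend:
+name: portainer-frontend
+seafile-frontend:
+name: seafile-frontend
+seafile-backend:
+name: seafile-backend
+selfoss-frontend:
+name: selfoss-frontend
+shaarli-frontend:
+name: shaarli-frontend
+wallabag-frontend:
+name: wallabag-frontend
+wwww-frontend:
+name: wwww-frontend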
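Review bot: The `posteio-frontend` network declares `name: portainer-frontend` (the line right after `posteio-frontend:`), so posteio and portainer would end up on one shared Docker network and the per-service isolation this PR introduces does not hold between those two services; the posteio file's new `traefik.docker.network=posteio-frontend` label would then name a Docker network that does not exist, which presumably breaks routing to posteio. The fix is `name: posteio-frontend`. Two smaller points: the `name:` key under `networks` was added in Compose file format 3.5, so `version: '3'` may be rejected by docker-compose v1 (the `docker compose` plugin ignores `version`); and `wwww-frontend` carries four w's consistently with the www service file and both traefik files, so either it is intentional and deserves a comment, or it needs renaming in all four places at once.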


@ -1,5 +0,0 @@
version: '3'
networks:
srv:


@ -5,7 +5,7 @@ services:
container_name: baikal
image: ckulka/baikal:nginx
networks:
- srv
- baikal-frontend
expose:
- 80
restart: unless-stopped
@ -17,6 +17,7 @@ services:
- traefik.http.routers.baikal.rule=Host(`${HOST_BAIKAL}.${DOMAIN}`)
- traefik.http.routers.baikal.entrypoints=https
- traefik.http.routers.baikal.tls=true
- traefik.docker.network=baikal-frontend
volumes:
baikal_config:


@ -7,7 +7,7 @@ services:
volumes:
- ${ROOT_INSTALL}/data/stacosys:/config
networks:
- srv
- blog-backend
restart: unless-stopped
expose:
- 8100
@ -17,7 +17,8 @@ services:
depends_on:
- stacosys
networks:
- srv
- blog-backend
- blog-frontend
restart: unless-stopped
expose:
- 80
@ -25,4 +26,5 @@ services:
- traefik.enable=true
- traefik.http.routers.blog.rule=Host(`${HOST_BLOG}.${DOMAIN}`)
- traefik.http.routers.blog.entrypoints=https
- traefik.http.routers.blog.tls=true
- traefik.http.routers.blog.tls=true
- traefik.docker.network=blog-frontend

configure vendored

@ -5,26 +5,11 @@
# override docker-compose
# non executable YAML files are skipped (aka disabled services)
export DOCKER_COMPOSE_BIN='/usr/bin/docker compose'
export DOCKER_COMPOSE_BIN='/usr/local/bin/docker-compose'
docker-compose ()
{
$DOCKER_COMPOSE_BIN $(find -name 'docker-compose*.yml' -type f -perm -u+x -printf '%p\t%d\n' 2>/dev/null | sort -n -k2 | cut -f 1 | awk '{print "-f "$0}') $@
}
#alias up='docker-compose --env-file /srv/selfhosting/.env up -d'
#alias down='docker-compose --env-file /srv/selfhosting/.env down'
# ===========================================================================
# Configure
# disable unused services
chmod -x baikal/docker-compose.baikal.yml
chmod -x posteio/docker-compose.posteio.yml
chmod -x netdata/docker-compose.netdata.yml
chmod -x photo/docker-compose.pigallery.yml
# A/ local testing
chmod -x traefik/docker-compose.traefik.yml
# B/ live server
chmod -x traefik/docker-compose.traefik-local.yml
alias up='docker-compose --env-file /srv/selfhosting/.env up -d'
alias down='docker-compose --env-file /srv/selfhosting/.env down'


@ -6,7 +6,7 @@ services:
image: linuxserver/deluge
restart: unless-stopped
networks:
- srv
- deluge-frontend
environment:
DELUGE_LOGLEVEL: info
TZ: ${TZ}
@ -29,14 +29,15 @@ services:
- traefik.http.middlewares.sameOriginHeader.headers.customrequestheaders.X-Frame-Options=SAMEORIGIN
- traefik.http.middlewares.delugePStrip.stripprefix.prefixes=${PATH_DELUGE}
- traefik.http.middlewares.delugeRedir.redirectregex.regex=^(.*)${PATH_DELUGE}$$
- traefik.http.middlewares.delugeRedir.redirectregex.replacement=$${1}${PATH_DELUGE}/
- traefik.http.middlewares.delugeRedir.redirectregex.replacement=$${1}${PATH_DELUGE}/
- traefik.docker.network=deluge-frontend
torrent:
container_name: torrent
image: kianby/nginx-streaming
restart: unless-stopped
networks:
- srv
- dmz
volumes:
- deluge_downloads:/downloads:ro
expose:


@ -13,11 +13,11 @@ services:
volumes:
- ${ROOT_INSTALL}/data/dokuwiki:/config
networks:
- srv
- dokuwiki-frontend
labels:
- traefik.enable=true
- traefik.http.routers.dokuwiki.rule=Host(`${HOST_DOKUWIKI}.${DOMAIN}`)
- traefik.http.routers.dokuwiki.entrypoints=https
- traefik.http.routers.dokuwiki.tls=true
- traefik.http.routers.dokuwiki.tls=true
- traefik.docker.network=dokuwiki-frontend


@ -10,7 +10,7 @@ services:
- GLANCES_OPT=-w
pid: host
networks:
- srv
- glances-frontend
expose:
- 61208
labels:
@ -21,5 +21,6 @@ services:
- traefik.http.routers.glances.middlewares=glancesRedir,glancesPStrip
- traefik.http.middlewares.glancesPStrip.stripprefix.prefixes=${PATH_GLANCES}
- traefik.http.middlewares.glancesRedir.redirectregex.regex=^(.*)${PATH_GLANCES}$$
- traefik.http.middlewares.glancesRedir.redirectregex.replacement=$${1}${PATH_GLANCES}/
- traefik.http.middlewares.glancesRedir.redirectregex.replacement=$${1}${PATH_GLANCES}/
- traefik.docker.network=glances-frontend


@ -23,14 +23,16 @@ services:
- /sys:/host/sys:ro
- /etc/os-release:/host/etc/os-release:ro
networks:
- srv
- netdata-frontend
- netdata-backend
labels:
- traefik.enable=true
- traefik.http.routers.netdata.rule=Host(`${HOST_NETDATA}.${DOMAIN}`)
- traefik.http.routers.netdata.entrypoints=https
- traefik.http.routers.netdata.tls=true
- traefik.http.routers.netdata.middlewares=auth
- traefik.http.middlewares.auth.basicauth.users=${BASIC_AUTH}
- traefik.http.middlewares.auth.basicauth.users=${BASIC_AUTH}
- traefik.docker.network=netdata-frontend
healthcheck:
disable: true
docker-proxy:
@ -41,7 +43,7 @@ services:
environment:
- CONTAINERS=1
networks:
- srv
- netdata-backend
volumes:
netdataconfig:


@ -13,7 +13,7 @@ services:
volumes:
- photoview_db_data:/var/lib/mysql
networks:
- srv
- photo-backend
photoview:
container_name: photoview
@ -24,7 +24,8 @@ services:
depends_on:
- photoview-db
networks:
- srv
- photo-backend
- photo-frontend
environment:
- PHOTOVIEW_DATABASE_DRIVER=mysql
- PHOTOVIEW_MYSQL_URL=photoview:photosecret@tcp(photoview-db)/photoview
@ -60,9 +61,10 @@ services:
- SYS_ADMIN
labels:
- traefik.enable=true
- traefik.http.routers.pigallery_config.rule=Host(`${HOST_PHOTOVIEW}.${DOMAIN}`)
- traefik.http.routers.pigallery_config.entrypoints=https
- traefik.http.routers.pigallery_config.tls=true
- traefik.http.routers.photo.rule=Host(`${HOST_PHOTOVIEW}.${DOMAIN}`)
- traefik.http.routers.photo.entrypoints=https
- traefik.http.routers.photo.tls=true
- traefik.docker.network=photo-frontend
volumes:
photoview_db_data:
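Review bot: The Traefik router is renamed to `photo` here and in the pigallery file (the next section), so the two photo stacks still cannot be enabled together without a router-name collision; since the configure scripts make `photo/docker-compose.pigallery.yml` non-executable by default this is presumably intended, and a comment beside the label, `# router name shared with docker-compose.pigallery.yml; enable only one of the two`, would make that explicit. Unrelated to the network change but visible in the context lines, `PHOTOVIEW_MYSQL_URL` embeds the database password in the committed file, whereas the seafile stack reads its DB password from the environment (`${SEAFILE_DB_ROOT_PASSWORD}`); moving it to the `.env` file in the same way would keep the credential out of version control. The `photoview` service definition continues past this hunk.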


@ -27,9 +27,10 @@ services:
disable: true
labels:
- traefik.enable=true
- traefik.http.routers.pigallery_config.rule=Host(`${HOST_PIGALLERY}.${DOMAIN}`)
- traefik.http.routers.pigallery_config.entrypoints=https
- traefik.http.routers.pigallery_config.tls=true
- traefik.http.routers.photo.rule=Host(`${HOST_PIGALLERY}.${DOMAIN}`)
- traefik.http.routers.photo.entrypoints=https
- traefik.http.routers.photo.tls=true
- traefik.docker.network=photo-frontend
volumes:
pigallerydb_data:


@ -9,7 +9,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock
- portainer_data:/data
networks:
- srv
- portainer-frontend
restart: unless-stopped
expose:
- 9000
@ -23,6 +23,7 @@ services:
- traefik.http.middlewares.portainerPStrip.stripprefix.prefixes=${PATH_PORTAINER}
- traefik.http.middlewares.portainerRedir.redirectregex.regex=^(.*)${PATH_PORTAINER}$$
- traefik.http.middlewares.portainerRedir.redirectregex.replacement=$${1}${PATH_PORTAINER}/
- traefik.docker.network=portainer-frontend
volumes:
portainer_data:


@ -21,7 +21,8 @@ services:
- traefik.http.routers.posteio.rule=Host(`${HOST_MAIL}.${DOMAIN}`)
- traefik.http.routers.posteio.entrypoints=https
- traefik.http.routers.posteio.tls=true
- traefik.docker.network=posteio-frontend
networks:
- srv
- posteio-frontend
healthcheck:
disable: true


@ -8,7 +8,7 @@ services:
MYSQL_ROOT_PASSWORD: ${SEAFILE_DB_ROOT_PASSWORD}
image: mariadb:10.1
networks:
- srv
- seafile-backend
volumes:
- seafile_db:/var/lib/mysql:rw
restart: unless-stopped
@ -17,7 +17,7 @@ services:
entrypoint: memcached -m 256
image: memcached:1.5.6
networks:
- srv
- seafile-backend
restart: unless-stopped
seafile:
container_name: seafile
@ -34,7 +34,8 @@ services:
TIME_ZONE: ${TZ}
image: seafileltd/seafile-mc:latest
networks:
- srv
- seafile-backend
- seafile-frontend
restart: unless-stopped
expose:
- 80
@ -53,7 +54,8 @@ services:
- traefik.enable=true
- traefik.http.routers.seafile.rule=Host(`${HOST_SEAFILE}.${DOMAIN}`)
- traefik.http.routers.seafile.entrypoints=https
- traefik.http.routers.seafile.tls=true
- traefik.http.routers.seafile.tls=true
- traefik.docker.network=seafile-frontend
volumes:
seafile_db:


@ -7,7 +7,7 @@ services:
volumes:
- selfoss_data:/selfoss/data
networks:
- srv
- selfoss-frontend
restart: unless-stopped
expose:
- 8888
@ -20,7 +20,7 @@ services:
- traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000
- traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=134217728
- traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000
- traefik.docker.network=selfoss-frontend
volumes:
selfoss_data:


@ -9,11 +9,33 @@ docker-compose ()
# ===========================================================================
# Configure
# disable unused services
chmod -x baikal/docker-compose.baikal.yml
chmod -x posteio/docker-compose.posteio.yml
chmod -x netdata/docker-compose.netdata.yml
chmod -x photo/docker-compose.pigallery.yml
if [[ $# -eq 0 ]] ; then
echo 'Nothing to do'
exit 0
fi
case "$1" in
"on")
# disable unused services
chmod -x baikal/docker-compose.baikal.yml
chmod -x posteio/docker-compose.posteio.yml
chmod -x netdata/docker-compose.netdata.yml
chmod -x photo/docker-compose.pigallery.yml
# local testing
chmod -x traefik/docker-compose.traefik.yml
exit 0;;
"off")
# restore state
chmod +x baikal/docker-compose.baikal.yml
chmod +x posteio/docker-compose.posteio.yml
chmod +x netdata/docker-compose.netdata.yml
chmod +x photo/docker-compose.pigallery.yml
chmod +x traefik/docker-compose.traefik.yml
exit 0;;
*)
echo "Unknown command: on/off are valid values"
exit 1;;
esac
# local testing
chmod -x traefik/docker-compose.traefik.yml
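Review bot: The `off` branch is commented `# restore state` but it unconditionally runs `chmod +x` on every listed file, so it also re-enables services that were deliberately disabled before `on` was run; either record the previous modes before changing them or reword the comment to `# re-enable every service toggled by "on"`. The same structure appears in the second script below (the hunk that starts with `#!/bin/bash`), where the only difference is the traefik file being toggled. The chmod paths are relative, so both scripts only work when invoked from the repository root, and a failed chmod is silently ignored because nothing checks its status. This file's head is outside the hunk and, per the hunk header, defines a `docker-compose` shell function, which suggests it may be sourced; if so, the `exit` calls inside the `case` would terminate the caller's shell and `return` is the safer choice. The file list is duplicated between the two branches; a single array removes that duplication.
```shell
# files toggled by this script; a non-executable compose file is a disabled service
toggled=(
  baikal/docker-compose.baikal.yml
  posteio/docker-compose.posteio.yml
  netdata/docker-compose.netdata.yml
  photo/docker-compose.pigallery.yml
  traefik/docker-compose.traefik.yml
)
case "$1" in
  "on")  chmod -x "${toggled[@]}" ;;
  "off") chmod +x "${toggled[@]}" ;;
  *)
    echo "Unknown command: on/off are valid values" >&2
    exit 1 ;;
esac
```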


@ -1,10 +1,32 @@
#!/bin/bash
# disable unused services
chmod -x baikal/docker-compose.baikal.yml
chmod -x posteio/docker-compose.posteio.yml
chmod -x netdata/docker-compose.netdata.yml
chmod -x photo/docker-compose.pigallery.yml
if [[ $# -eq 0 ]] ; then
echo 'Nothing to do'
exit 0
fi
case "$1" in
"on")
# disable unused services
chmod -x baikal/docker-compose.baikal.yml
chmod -x posteio/docker-compose.posteio.yml
chmod -x netdata/docker-compose.netdata.yml
chmod -x photo/docker-compose.pigallery.yml
# live server
chmod -x traefik/docker-compose.traefik-local.yml
exit 0;;
"off")
# restore state
chmod +x baikal/docker-compose.baikal.yml
chmod +x posteio/docker-compose.posteio.yml
chmod +x netdata/docker-compose.netdata.yml
chmod +x photo/docker-compose.pigallery.yml
chmod +x traefik/docker-compose.traefik-local.yml
exit 0;;
*)
echo "Unknown command: on/off are valid values"
exit 1;;
esac
# live server
chmod -x traefik/docker-compose.traefik-local.yml


@ -8,7 +8,7 @@ services:
- shaarli-cache:/var/www/shaarli/cache
- ${ROOT_INSTALL}/data/shaarli:/var/www/shaarli/data
networks:
- srv
- shaarli-frontend
restart: unless-stopped
expose:
- 80
@ -16,7 +16,8 @@ services:
- traefik.enable=true
- traefik.http.routers.shaarli.rule=Host(`${HOST_SHAARLI}.${DOMAIN}`)
- traefik.http.routers.shaarli.entrypoints=https
- traefik.http.routers.shaarli.tls=true
- traefik.http.routers.shaarli.tls=true
- traefik.docker.network=shaarli-frontend
volumes:
shaarli-cache:


@ -13,7 +13,21 @@ services:
labels:
- traefik.enable=true
networks:
- srv
- dmz
- baikal-frontend
- blog-frontend
- deluge-frontend
- dokuwiki-frontend
- glances-frontend
- netdata-frontend
- photo-frontend
- portainer-frontend
- posteio-frontend
- seafile-frontend
- selfoss-frontend
- shaarli-frontend
- wallabag-frontend
- wwww-frontend
restart: unless-stopped
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
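Review bot: Traefik's network list is now the single place where the new isolation is enforced, and it is duplicated verbatim between this file and the live traefik file (the next section) while also having to match the keys declared in docker-compose.networks.yml; nothing in either file documents that coupling. A comment above the list such as `# one entry per *-frontend network declared in docker-compose.networks.yml; keep both traefik compose files in sync` would tell the next person adding a service what to update. It is also worth stating there that a service attached only to a `*-backend` network is unreachable from traefik by construction, since traefik joins none of them. The `traefik` service definition starts before this hunk.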


@ -43,7 +43,21 @@ services:
- 80:80
- 443:443
networks:
- srv
- dmz
- baikal-frontend
- blog-frontend
- deluge-frontend
- dokuwiki-frontend
- glances-frontend
- netdata-frontend
- photo-frontend
- portainer-frontend
- posteio-frontend
- seafile-frontend
- selfoss-frontend
- shaarli-frontend
- wallabag-frontend
- wwww-frontend
restart: unless-stopped
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro


@ -5,7 +5,7 @@ services:
container_name: wallabag
image: wallabag/wallabag
networks:
- srv
- wallabag-frontend
expose:
- 80
volumes:
@ -19,6 +19,7 @@ services:
- traefik.http.routers.wallabag.rule=Host(`${HOST_WALLABAG}.${DOMAIN}`)
- traefik.http.routers.wallabag.entrypoints=https
- traefik.http.routers.wallabag.tls=true
- traefik.docker.network=wallabag-frontend
volumes:
wallabag_data:


@ -6,7 +6,7 @@ services:
image: kianby/www-madyanne
restart: unless-stopped
networks:
- srv
- wwww-frontend
expose:
- 80
labels:
@ -14,4 +14,5 @@ services:
- traefik.http.routers.www.rule=Host(`${HOST_WWW}.${DOMAIN}`)
- traefik.http.routers.www.entrypoints=https
- traefik.http.routers.www.tls=true
- traefik.docker.network=wwww-frontend