Merge pull request #1 from kianby/feature-network-isolation
Feature network isolation
This commit is contained in:
Yax
GitHub
commit
13f3ddbfd1
22 changed files with 184 additions and 74 deletions
41
0/docker-compose.networks.yml
Executable file
41
0/docker-compose.networks.yml
Executable file
|
|
@ -0,0 +1,41 @@
|
|||
version: '3'
|
||||
|
||||
networks:
|
||||
dmz:
|
||||
name: dmz
|
||||
baikal-frontend:
|
||||
name: baikal-frontend
|
||||
blog-frontend:
|
||||
name: blog-frontend
|
||||
blog-backend:
|
||||
name: blog-backend
|
||||
deluge-frontend:
|
||||
name: deluge-frontend
|
||||
dokuwiki-frontend:
|
||||
name: dokuwiki-frontend
|
||||
glances-frontend:
|
||||
name: glances-frontend
|
||||
netdata-frontend:
|
||||
name: netdata-frontend
|
||||
netdata-backend:
|
||||
name: netdata-backend
|
||||
photo-frontend:
|
||||
name: photo-frontend
|
||||
photo-backend:
|
||||
name: photo-backend
|
||||
portainer-frontend:
|
||||
name: portainer-frontend
|
||||
posteio-frontend:
|
||||
name: portainer-frontend
|
||||
seafile-frontend:
|
||||
name: seafile-frontend
|
||||
seafile-backend:
|
||||
name: seafile-backend
|
||||
selfoss-frontend:
|
||||
name: selfoss-frontend
|
||||
shaarli-frontend:
|
||||
name: shaarli-frontend
|
||||
wallabag-frontend:
|
||||
name: wallabag-frontend
|
||||
wwww-frontend:
|
||||
name: wwww-frontend
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
version: '3'
|
||||
|
||||
networks:
|
||||
srv:
|
||||
|
||||
|
|
@ -5,7 +5,7 @@ services:
|
|||
container_name: baikal
|
||||
image: ckulka/baikal:nginx
|
||||
networks:
|
||||
- srv
|
||||
- baikal-frontend
|
||||
expose:
|
||||
- 80
|
||||
restart: unless-stopped
|
||||
|
|
@ -17,6 +17,7 @@ services:
|
|||
- traefik.http.routers.baikal.rule=Host(`${HOST_BAIKAL}.${DOMAIN}`)
|
||||
- traefik.http.routers.baikal.entrypoints=https
|
||||
- traefik.http.routers.baikal.tls=true
|
||||
- traefik.docker.network=baikal-frontend
|
||||
|
||||
volumes:
|
||||
baikal_config:
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ services:
|
|||
volumes:
|
||||
- ${ROOT_INSTALL}/data/stacosys:/config
|
||||
networks:
|
||||
- srv
|
||||
- blog-backend
|
||||
restart: unless-stopped
|
||||
expose:
|
||||
- 8100
|
||||
|
|
@ -17,7 +17,8 @@ services:
|
|||
depends_on:
|
||||
- stacosys
|
||||
networks:
|
||||
- srv
|
||||
- blog-backend
|
||||
- blog-frontend
|
||||
restart: unless-stopped
|
||||
expose:
|
||||
- 80
|
||||
|
|
@ -25,4 +26,5 @@ services:
|
|||
- traefik.enable=true
|
||||
- traefik.http.routers.blog.rule=Host(`${HOST_BLOG}.${DOMAIN}`)
|
||||
- traefik.http.routers.blog.entrypoints=https
|
||||
- traefik.http.routers.blog.tls=true
|
||||
- traefik.http.routers.blog.tls=true
|
||||
- traefik.docker.network=blog-frontend
|
||||
|
|
|
|||
21
configure
vendored
21
configure
vendored
|
|
@ -5,26 +5,11 @@
|
|||
|
||||
# override docker-compose
|
||||
# non executable YAML files are skipped (aka disabled services)
|
||||
export DOCKER_COMPOSE_BIN='/usr/bin/docker compose'
|
||||
export DOCKER_COMPOSE_BIN='/usr/local/bin/docker-compose'
|
||||
docker-compose ()
|
||||
{
|
||||
$DOCKER_COMPOSE_BIN $(find -name 'docker-compose*.yml' -type f -perm -u+x -printf '%p\t%d\n' 2>/dev/null | sort -n -k2 | cut -f 1 | awk '{print "-f "$0}') $@
|
||||
}
|
||||
|
||||
#alias up='docker-compose --env-file /srv/selfhosting/.env up -d'
|
||||
#alias down='docker-compose --env-file /srv/selfhosting/.env down'
|
||||
|
||||
# ===========================================================================
|
||||
# Configure
|
||||
|
||||
# disable unused services
|
||||
chmod -x baikal/docker-compose.baikal.yml
|
||||
chmod -x posteio/docker-compose.posteio.yml
|
||||
chmod -x netdata/docker-compose.netdata.yml
|
||||
chmod -x photo/docker-compose.pigallery.yml
|
||||
|
||||
# A/ local testing
|
||||
chmod -x traefik/docker-compose.traefik.yml
|
||||
|
||||
# B/ live server
|
||||
chmod -x traefik/docker-compose.traefik-local.yml
|
||||
alias up='docker-compose --env-file /srv/selfhosting/.env up -d'
|
||||
alias down='docker-compose --env-file /srv/selfhosting/.env down'
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ services:
|
|||
image: linuxserver/deluge
|
||||
restart: unless-stopped
|
||||
networks:
|
||||
- srv
|
||||
- deluge-frontend
|
||||
environment:
|
||||
DELUGE_LOGLEVEL: info
|
||||
TZ: ${TZ}
|
||||
|
|
@ -29,14 +29,15 @@ services:
|
|||
- traefik.http.middlewares.sameOriginHeader.headers.customrequestheaders.X-Frame-Options=SAMEORIGIN
|
||||
- traefik.http.middlewares.delugePStrip.stripprefix.prefixes=${PATH_DELUGE}
|
||||
- traefik.http.middlewares.delugeRedir.redirectregex.regex=^(.*)${PATH_DELUGE}$$
|
||||
- traefik.http.middlewares.delugeRedir.redirectregex.replacement=$${1}${PATH_DELUGE}/
|
||||
- traefik.http.middlewares.delugeRedir.redirectregex.replacement=$${1}${PATH_DELUGE}/
|
||||
- traefik.docker.network=deluge-frontend
|
||||
|
||||
torrent:
|
||||
container_name: torrent
|
||||
image: kianby/nginx-streaming
|
||||
restart: unless-stopped
|
||||
networks:
|
||||
- srv
|
||||
- dmz
|
||||
volumes:
|
||||
- deluge_downloads:/downloads:ro
|
||||
expose:
|
||||
|
|
|
|||
|
|
@ -13,11 +13,11 @@ services:
|
|||
volumes:
|
||||
- ${ROOT_INSTALL}/data/dokuwiki:/config
|
||||
networks:
|
||||
- srv
|
||||
- dokuwiki-frontend
|
||||
labels:
|
||||
- traefik.enable=true
|
||||
- traefik.http.routers.dokuwiki.rule=Host(`${HOST_DOKUWIKI}.${DOMAIN}`)
|
||||
- traefik.http.routers.dokuwiki.entrypoints=https
|
||||
- traefik.http.routers.dokuwiki.tls=true
|
||||
|
||||
- traefik.http.routers.dokuwiki.tls=true
|
||||
- traefik.docker.network=dokuwiki-frontend
|
||||
|
||||
|
|
|
|||
|
|
@ -10,7 +10,7 @@ services:
|
|||
- GLANCES_OPT=-w
|
||||
pid: host
|
||||
networks:
|
||||
- srv
|
||||
- glances-frontend
|
||||
expose:
|
||||
- 61208
|
||||
labels:
|
||||
|
|
@ -21,5 +21,6 @@ services:
|
|||
- traefik.http.routers.glances.middlewares=glancesRedir,glancesPStrip
|
||||
- traefik.http.middlewares.glancesPStrip.stripprefix.prefixes=${PATH_GLANCES}
|
||||
- traefik.http.middlewares.glancesRedir.redirectregex.regex=^(.*)${PATH_GLANCES}$$
|
||||
- traefik.http.middlewares.glancesRedir.redirectregex.replacement=$${1}${PATH_GLANCES}/
|
||||
- traefik.http.middlewares.glancesRedir.redirectregex.replacement=$${1}${PATH_GLANCES}/
|
||||
- traefik.docker.network=glances-frontend
|
||||
|
||||
|
|
|
|||
|
|
@ -23,14 +23,16 @@ services:
|
|||
- /sys:/host/sys:ro
|
||||
- /etc/os-release:/host/etc/os-release:ro
|
||||
networks:
|
||||
- srv
|
||||
- netdata-frontend
|
||||
- netdata-backend
|
||||
labels:
|
||||
- traefik.enable=true
|
||||
- traefik.http.routers.netdata.rule=Host(`${HOST_NETDATA}.${DOMAIN}`)
|
||||
- traefik.http.routers.netdata.entrypoints=https
|
||||
- traefik.http.routers.netdata.tls=true
|
||||
- traefik.http.routers.netdata.middlewares=auth
|
||||
- traefik.http.middlewares.auth.basicauth.users=${BASIC_AUTH}
|
||||
- traefik.http.middlewares.auth.basicauth.users=${BASIC_AUTH}
|
||||
- traefik.docker.network=netdata-frontend
|
||||
healthcheck:
|
||||
disable: true
|
||||
docker-proxy:
|
||||
|
|
@ -41,7 +43,7 @@ services:
|
|||
environment:
|
||||
- CONTAINERS=1
|
||||
networks:
|
||||
- srv
|
||||
- netdata-backend
|
||||
|
||||
volumes:
|
||||
netdataconfig:
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ services:
|
|||
volumes:
|
||||
- photoview_db_data:/var/lib/mysql
|
||||
networks:
|
||||
- srv
|
||||
- photo-backend
|
||||
|
||||
photoview:
|
||||
container_name: photoview
|
||||
|
|
@ -24,7 +24,8 @@ services:
|
|||
depends_on:
|
||||
- photoview-db
|
||||
networks:
|
||||
- srv
|
||||
- photo-backend
|
||||
- photo-frontend
|
||||
environment:
|
||||
- PHOTOVIEW_DATABASE_DRIVER=mysql
|
||||
- PHOTOVIEW_MYSQL_URL=photoview:photosecret@tcp(photoview-db)/photoview
|
||||
|
|
@ -60,9 +61,10 @@ services:
|
|||
- SYS_ADMIN
|
||||
labels:
|
||||
- traefik.enable=true
|
||||
- traefik.http.routers.pigallery_config.rule=Host(`${HOST_PHOTOVIEW}.${DOMAIN}`)
|
||||
- traefik.http.routers.pigallery_config.entrypoints=https
|
||||
- traefik.http.routers.pigallery_config.tls=true
|
||||
- traefik.http.routers.photo.rule=Host(`${HOST_PHOTOVIEW}.${DOMAIN}`)
|
||||
- traefik.http.routers.photo.entrypoints=https
|
||||
- traefik.http.routers.photo.tls=true
|
||||
- traefik.docker.network=photo-frontend
|
||||
|
||||
volumes:
|
||||
photoview_db_data:
|
||||
|
|
|
|||
|
|
@ -27,9 +27,10 @@ services:
|
|||
disable: true
|
||||
labels:
|
||||
- traefik.enable=true
|
||||
- traefik.http.routers.pigallery_config.rule=Host(`${HOST_PIGALLERY}.${DOMAIN}`)
|
||||
- traefik.http.routers.pigallery_config.entrypoints=https
|
||||
- traefik.http.routers.pigallery_config.tls=true
|
||||
- traefik.http.routers.photo.rule=Host(`${HOST_PIGALLERY}.${DOMAIN}`)
|
||||
- traefik.http.routers.photo.entrypoints=https
|
||||
- traefik.http.routers.photo.tls=true
|
||||
- traefik.docker.network=photo-frontend
|
||||
|
||||
volumes:
|
||||
pigallerydb_data:
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ services:
|
|||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
- portainer_data:/data
|
||||
networks:
|
||||
- srv
|
||||
- portainer-frontend
|
||||
restart: unless-stopped
|
||||
expose:
|
||||
- 9000
|
||||
|
|
@ -23,6 +23,7 @@ services:
|
|||
- traefik.http.middlewares.portainerPStrip.stripprefix.prefixes=${PATH_PORTAINER}
|
||||
- traefik.http.middlewares.portainerRedir.redirectregex.regex=^(.*)${PATH_PORTAINER}$$
|
||||
- traefik.http.middlewares.portainerRedir.redirectregex.replacement=$${1}${PATH_PORTAINER}/
|
||||
- traefik.docker.network=portainer-frontend
|
||||
|
||||
volumes:
|
||||
portainer_data:
|
||||
|
|
|
|||
|
|
@ -21,7 +21,8 @@ services:
|
|||
- traefik.http.routers.posteio.rule=Host(`${HOST_MAIL}.${DOMAIN}`)
|
||||
- traefik.http.routers.posteio.entrypoints=https
|
||||
- traefik.http.routers.posteio.tls=true
|
||||
- traefik.docker.network=posteio-frontend
|
||||
networks:
|
||||
- srv
|
||||
- posteio-frontend
|
||||
healthcheck:
|
||||
disable: true
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ services:
|
|||
MYSQL_ROOT_PASSWORD: ${SEAFILE_DB_ROOT_PASSWORD}
|
||||
image: mariadb:10.1
|
||||
networks:
|
||||
- srv
|
||||
- seafile-backend
|
||||
volumes:
|
||||
- seafile_db:/var/lib/mysql:rw
|
||||
restart: unless-stopped
|
||||
|
|
@ -17,7 +17,7 @@ services:
|
|||
entrypoint: memcached -m 256
|
||||
image: memcached:1.5.6
|
||||
networks:
|
||||
- srv
|
||||
- seafile-backend
|
||||
restart: unless-stopped
|
||||
seafile:
|
||||
container_name: seafile
|
||||
|
|
@ -34,7 +34,8 @@ services:
|
|||
TIME_ZONE: ${TZ}
|
||||
image: seafileltd/seafile-mc:latest
|
||||
networks:
|
||||
- srv
|
||||
- seafile-backend
|
||||
- seafile-frontend
|
||||
restart: unless-stopped
|
||||
expose:
|
||||
- 80
|
||||
|
|
@ -53,7 +54,8 @@ services:
|
|||
- traefik.enable=true
|
||||
- traefik.http.routers.seafile.rule=Host(`${HOST_SEAFILE}.${DOMAIN}`)
|
||||
- traefik.http.routers.seafile.entrypoints=https
|
||||
- traefik.http.routers.seafile.tls=true
|
||||
- traefik.http.routers.seafile.tls=true
|
||||
- traefik.docker.network=seafile-frontend
|
||||
|
||||
volumes:
|
||||
seafile_db:
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ services:
|
|||
volumes:
|
||||
- selfoss_data:/selfoss/data
|
||||
networks:
|
||||
- srv
|
||||
- selfoss-frontend
|
||||
restart: unless-stopped
|
||||
expose:
|
||||
- 8888
|
||||
|
|
@ -20,7 +20,7 @@ services:
|
|||
- traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000
|
||||
- traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=134217728
|
||||
- traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000
|
||||
|
||||
- traefik.docker.network=selfoss-frontend
|
||||
|
||||
volumes:
|
||||
selfoss_data:
|
||||
|
|
|
|||
|
|
@ -9,11 +9,33 @@ docker-compose ()
|
|||
# ===========================================================================
|
||||
# Configure
|
||||
|
||||
# disable unused services
|
||||
chmod -x baikal/docker-compose.baikal.yml
|
||||
chmod -x posteio/docker-compose.posteio.yml
|
||||
chmod -x netdata/docker-compose.netdata.yml
|
||||
chmod -x photo/docker-compose.pigallery.yml
|
||||
if [[ $# -eq 0 ]] ; then
|
||||
echo 'Nothing to do'
|
||||
exit 0
|
||||
fi
|
||||
|
||||
case "$1" in
|
||||
"on")
|
||||
# disable unused services
|
||||
chmod -x baikal/docker-compose.baikal.yml
|
||||
chmod -x posteio/docker-compose.posteio.yml
|
||||
chmod -x netdata/docker-compose.netdata.yml
|
||||
chmod -x photo/docker-compose.pigallery.yml
|
||||
# local testing
|
||||
chmod -x traefik/docker-compose.traefik.yml
|
||||
exit 0;;
|
||||
"off")
|
||||
# restore state
|
||||
chmod +x baikal/docker-compose.baikal.yml
|
||||
chmod +x posteio/docker-compose.posteio.yml
|
||||
chmod +x netdata/docker-compose.netdata.yml
|
||||
chmod +x photo/docker-compose.pigallery.yml
|
||||
chmod +x traefik/docker-compose.traefik.yml
|
||||
exit 0;;
|
||||
*)
|
||||
echo "Unknown command: on/off are valid values"
|
||||
exit 1;;
|
||||
esac
|
||||
|
||||
|
||||
|
||||
# local testing
|
||||
chmod -x traefik/docker-compose.traefik.yml
|
||||
|
|
|
|||
|
|
@ -1,10 +1,32 @@
|
|||
#!/bin/bash
|
||||
|
||||
# disable unused services
|
||||
chmod -x baikal/docker-compose.baikal.yml
|
||||
chmod -x posteio/docker-compose.posteio.yml
|
||||
chmod -x netdata/docker-compose.netdata.yml
|
||||
chmod -x photo/docker-compose.pigallery.yml
|
||||
if [[ $# -eq 0 ]] ; then
|
||||
echo 'Nothing to do'
|
||||
exit 0
|
||||
fi
|
||||
|
||||
case "$1" in
|
||||
"on")
|
||||
# disable unused services
|
||||
chmod -x baikal/docker-compose.baikal.yml
|
||||
chmod -x posteio/docker-compose.posteio.yml
|
||||
chmod -x netdata/docker-compose.netdata.yml
|
||||
chmod -x photo/docker-compose.pigallery.yml
|
||||
# live server
|
||||
chmod -x traefik/docker-compose.traefik-local.yml
|
||||
exit 0;;
|
||||
"off")
|
||||
# restore state
|
||||
chmod +x baikal/docker-compose.baikal.yml
|
||||
chmod +x posteio/docker-compose.posteio.yml
|
||||
chmod +x netdata/docker-compose.netdata.yml
|
||||
chmod +x photo/docker-compose.pigallery.yml
|
||||
chmod +x traefik/docker-compose.traefik-local.yml
|
||||
exit 0;;
|
||||
*)
|
||||
echo "Unknown command: on/off are valid values"
|
||||
exit 1;;
|
||||
esac
|
||||
|
||||
|
||||
|
||||
# live server
|
||||
chmod -x traefik/docker-compose.traefik-local.yml
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ services:
|
|||
- shaarli-cache:/var/www/shaarli/cache
|
||||
- ${ROOT_INSTALL}/data/shaarli:/var/www/shaarli/data
|
||||
networks:
|
||||
- srv
|
||||
- shaarli-frontend
|
||||
restart: unless-stopped
|
||||
expose:
|
||||
- 80
|
||||
|
|
@ -16,7 +16,8 @@ services:
|
|||
- traefik.enable=true
|
||||
- traefik.http.routers.shaarli.rule=Host(`${HOST_SHAARLI}.${DOMAIN}`)
|
||||
- traefik.http.routers.shaarli.entrypoints=https
|
||||
- traefik.http.routers.shaarli.tls=true
|
||||
- traefik.http.routers.shaarli.tls=true
|
||||
- traefik.docker.network=shaarli-frontend
|
||||
|
||||
volumes:
|
||||
shaarli-cache:
|
||||
|
|
|
|||
|
|
@ -13,7 +13,21 @@ services:
|
|||
labels:
|
||||
- traefik.enable=true
|
||||
networks:
|
||||
- srv
|
||||
- dmz
|
||||
- baikal-frontend
|
||||
- blog-frontend
|
||||
- deluge-frontend
|
||||
- dokuwiki-frontend
|
||||
- glances-frontend
|
||||
- netdata-frontend
|
||||
- photo-frontend
|
||||
- portainer-frontend
|
||||
- posteio-frontend
|
||||
- seafile-frontend
|
||||
- selfoss-frontend
|
||||
- shaarli-frontend
|
||||
- wallabag-frontend
|
||||
- wwww-frontend
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
|
|
|
|||
|
|
@ -43,7 +43,21 @@ services:
|
|||
- 80:80
|
||||
- 443:443
|
||||
networks:
|
||||
- srv
|
||||
- dmz
|
||||
- baikal-frontend
|
||||
- blog-frontend
|
||||
- deluge-frontend
|
||||
- dokuwiki-frontend
|
||||
- glances-frontend
|
||||
- netdata-frontend
|
||||
- photo-frontend
|
||||
- portainer-frontend
|
||||
- posteio-frontend
|
||||
- seafile-frontend
|
||||
- selfoss-frontend
|
||||
- shaarli-frontend
|
||||
- wallabag-frontend
|
||||
- wwww-frontend
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@ services:
|
|||
container_name: wallabag
|
||||
image: wallabag/wallabag
|
||||
networks:
|
||||
- srv
|
||||
- wallabag-frontend
|
||||
expose:
|
||||
- 80
|
||||
volumes:
|
||||
|
|
@ -19,6 +19,7 @@ services:
|
|||
- traefik.http.routers.wallabag.rule=Host(`${HOST_WALLABAG}.${DOMAIN}`)
|
||||
- traefik.http.routers.wallabag.entrypoints=https
|
||||
- traefik.http.routers.wallabag.tls=true
|
||||
- traefik.docker.network=wallabag-frontend
|
||||
|
||||
volumes:
|
||||
wallabag_data:
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ services:
|
|||
image: kianby/www-madyanne
|
||||
restart: unless-stopped
|
||||
networks:
|
||||
- srv
|
||||
- wwww-frontend
|
||||
expose:
|
||||
- 80
|
||||
labels:
|
||||
|
|
@ -14,4 +14,5 @@ services:
|
|||
- traefik.http.routers.www.rule=Host(`${HOST_WWW}.${DOMAIN}`)
|
||||
- traefik.http.routers.www.entrypoints=https
|
||||
- traefik.http.routers.www.tls=true
|
||||
- traefik.docker.network=wwww-frontend
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue