network isolation

Yax 2021-12-12 12:02:11 +01:00
parent f8c8767a83
commit 2ea59dfae3
19 changed files with 121 additions and 42 deletions

39
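--- a/0/docker-compose.networks.yml
+++ b/0/docker-compose.networks.yml
@@ -0,0 +1,39 @@
+version: '3'
+networks:
+dmz:
+name: dmz
+baikal-frontend:
+name: baikal-frontend
+blog-frontend:
+name: blog-frontend
+blog-backend:
+name: blog-backend
+deluge-frontend:
+name: deluge-frontend
+dokuwiki-frontend:
+name: dokuwiki-frontend
+glances-frontend:
+name: glances-frontend
+netdata-frontend:
+name: netdata-frontend
+netdata-backend:
+name: netdata-backend
+photo-frontend:
+name: photo-frontend
+photo-backend:
+name: photo-backend
+portainer-frontend:
+name: portainer-frontend
+posteio-frontend:
+name: portainer-frontend
+seafile-frontend:
+name: seafile-frontend
+selfoss-frontend:
+name: selfoss-frontend
+shaarli-frontend:
+name: shaarli-frontend
+wallabag-frontend:
+name: wallabag-frontend
+wwww-frontend:
+name: wwww-frontend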
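Review bot: The `posteio-frontend` entry is declared with `name: portainer-frontend`, which looks like a copy-paste slip: posteio and portainer would then share one Docker network, which defeats the isolation this commit is after, and the `traefik.docker.network=posteio-frontend` label added in the posteio section names a network that would not exist under that name. The line should read `name: posteio-frontend`. Separately, `wwww-frontend` is spelled with four w's here, in both proxy network lists and in the www service; it is consistent, so it works, but it is easy to mistype later. The backend networks (`blog-backend`, `netdata-backend`, `photo-backend`) could also be declared with `internal: true` so database and helper containers have no route out, assuming none of them needs outbound access.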


@ -1,5 +0,0 @@
version: '3'
networks:
srv:


@ -5,7 +5,7 @@ services:
container_name: baikal
image: ckulka/baikal:nginx
networks:
- srv
- baikal-frontend
expose:
- 80
restart: unless-stopped
@ -17,6 +17,7 @@ services:
- traefik.http.routers.baikal.rule=Host(`${HOST_BAIKAL}.${DOMAIN}`)
- traefik.http.routers.baikal.entrypoints=https
- traefik.http.routers.baikal.tls=true
- traefik.docker.network=baikal-frontend
volumes:
baikal_config:


@ -7,7 +7,7 @@ services:
volumes:
- ${ROOT_INSTALL}/data/stacosys:/config
networks:
- srv
- blog-backend
restart: unless-stopped
expose:
- 8100
@ -17,7 +17,8 @@ services:
depends_on:
- stacosys
networks:
- srv
- blog-backend
- blog-frontend
restart: unless-stopped
expose:
- 80
@ -25,4 +26,5 @@ services:
- traefik.enable=true
- traefik.http.routers.blog.rule=Host(`${HOST_BLOG}.${DOMAIN}`)
- traefik.http.routers.blog.entrypoints=https
- traefik.http.routers.blog.tls=true
- traefik.http.routers.blog.tls=true
- traefik.docker.network=blog-frontend


@ -6,7 +6,7 @@ services:
image: linuxserver/deluge
restart: unless-stopped
networks:
- srv
- deluge-frontend
environment:
DELUGE_LOGLEVEL: info
TZ: ${TZ}
@ -29,14 +29,15 @@ services:
- traefik.http.middlewares.sameOriginHeader.headers.customrequestheaders.X-Frame-Options=SAMEORIGIN
- traefik.http.middlewares.delugePStrip.stripprefix.prefixes=${PATH_DELUGE}
- traefik.http.middlewares.delugeRedir.redirectregex.regex=^(.*)${PATH_DELUGE}$$
- traefik.http.middlewares.delugeRedir.redirectregex.replacement=$${1}${PATH_DELUGE}/
- traefik.http.middlewares.delugeRedir.redirectregex.replacement=$${1}${PATH_DELUGE}/
- traefik.docker.network=deluge-frontend
torrent:
container_name: torrent
image: kianby/nginx-streaming
restart: unless-stopped
networks:
- srv
- dmz
volumes:
- deluge_downloads:/downloads:ro
expose:


@ -13,11 +13,11 @@ services:
volumes:
- ${ROOT_INSTALL}/data/dokuwiki:/config
networks:
- srv
- dokuwiki-frontend
labels:
- traefik.enable=true
- traefik.http.routers.dokuwiki.rule=Host(`${HOST_DOKUWIKI}.${DOMAIN}`)
- traefik.http.routers.dokuwiki.entrypoints=https
- traefik.http.routers.dokuwiki.tls=true
- traefik.http.routers.dokuwiki.tls=true
- traefik.docker.network=dokuwiki-frontend


@ -10,7 +10,7 @@ services:
- GLANCES_OPT=-w
pid: host
networks:
- srv
- glances-frontend
expose:
- 61208
labels:
@ -21,5 +21,6 @@ services:
- traefik.http.routers.glances.middlewares=glancesRedir,glancesPStrip
- traefik.http.middlewares.glancesPStrip.stripprefix.prefixes=${PATH_GLANCES}
- traefik.http.middlewares.glancesRedir.redirectregex.regex=^(.*)${PATH_GLANCES}$$
- traefik.http.middlewares.glancesRedir.redirectregex.replacement=$${1}${PATH_GLANCES}/
- traefik.http.middlewares.glancesRedir.redirectregex.replacement=$${1}${PATH_GLANCES}/
- traefik.docker.network=glances-frontend


@ -23,14 +23,16 @@ services:
- /sys:/host/sys:ro
- /etc/os-release:/host/etc/os-release:ro
networks:
- srv
- netdata-frontend
- netdata-backend
labels:
- traefik.enable=true
- traefik.http.routers.netdata.rule=Host(`${HOST_NETDATA}.${DOMAIN}`)
- traefik.http.routers.netdata.entrypoints=https
- traefik.http.routers.netdata.tls=true
- traefik.http.routers.netdata.middlewares=auth
- traefik.http.middlewares.auth.basicauth.users=${BASIC_AUTH}
- traefik.http.middlewares.auth.basicauth.users=${BASIC_AUTH}
- traefik.docker.network=netdata-frontend
healthcheck:
disable: true
docker-proxy:
@ -41,7 +43,7 @@ services:
environment:
- CONTAINERS=1
networks:
- srv
- netdata-backend
volumes:
netdataconfig:


@ -13,7 +13,7 @@ services:
volumes:
- photoview_db_data:/var/lib/mysql
networks:
- srv
- photo-backend
photoview:
container_name: photoview
@ -24,7 +24,8 @@ services:
depends_on:
- photoview-db
networks:
- srv
- photo-backend
- photo-frontend
environment:
- PHOTOVIEW_DATABASE_DRIVER=mysql
- PHOTOVIEW_MYSQL_URL=photoview:photosecret@tcp(photoview-db)/photoview
@ -60,9 +61,10 @@ services:
- SYS_ADMIN
labels:
- traefik.enable=true
- traefik.http.routers.pigallery_config.rule=Host(`${HOST_PHOTOVIEW}.${DOMAIN}`)
- traefik.http.routers.pigallery_config.entrypoints=https
- traefik.http.routers.pigallery_config.tls=true
- traefik.http.routers.photo.rule=Host(`${HOST_PHOTOVIEW}.${DOMAIN}`)
- traefik.http.routers.photo.entrypoints=https
- traefik.http.routers.photo.tls=true
- traefik.docker.network=photo-frontend
volumes:
photoview_db_data:
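Review bot: The router is renamed to `photo` here and also to `photo` in the next file section (the one using `HOST_PIGALLERY`), so two containers define the same Traefik router with different `Host` rules. If both stacks are ever up at once, Traefik sees conflicting definitions of one router and the route will not be served reliably; per-service names such as `traefik.http.routers.photoview.rule=...` and `traefik.http.routers.pigallery.rule=...` avoid that. The context line `PHOTOVIEW_MYSQL_URL=photoview:photosecret@tcp(photoview-db)/photoview` also keeps the database password in the compose file; it would fit the `${...}` variable pattern already used for other secrets in these files. The service definitions start outside the hunks shown.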


@ -27,9 +27,10 @@ services:
disable: true
labels:
- traefik.enable=true
- traefik.http.routers.pigallery_config.rule=Host(`${HOST_PIGALLERY}.${DOMAIN}`)
- traefik.http.routers.pigallery_config.entrypoints=https
- traefik.http.routers.pigallery_config.tls=true
- traefik.http.routers.photo.rule=Host(`${HOST_PIGALLERY}.${DOMAIN}`)
- traefik.http.routers.photo.entrypoints=https
- traefik.http.routers.photo.tls=true
- traefik.docker.network=photo-frontend
volumes:
pigallerydb_data:
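Review bot: `traefik.docker.network=photo-frontend` is added, but this section has no hunk that changes the service's `networks:` list, unlike the other services touched by the commit. If the service still lists `srv`, that network's declaration is deleted by this commit, and if the container is not attached to `photo-frontend` Traefik has no address for it on the network the label names. A `- photo-frontend` entry under the service's `networks:` is probably needed; the service definition lies outside the hunk, so this should be confirmed against the full file.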


@ -9,7 +9,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock
- portainer_data:/data
networks:
- srv
- portainer-frontend
restart: unless-stopped
expose:
- 9000
@ -23,6 +23,7 @@ services:
- traefik.http.middlewares.portainerPStrip.stripprefix.prefixes=${PATH_PORTAINER}
- traefik.http.middlewares.portainerRedir.redirectregex.regex=^(.*)${PATH_PORTAINER}$$
- traefik.http.middlewares.portainerRedir.redirectregex.replacement=$${1}${PATH_PORTAINER}/
- traefik.docker.network=portainer-frontend
volumes:
portainer_data:


@ -21,7 +21,8 @@ services:
- traefik.http.routers.posteio.rule=Host(`${HOST_MAIL}.${DOMAIN}`)
- traefik.http.routers.posteio.entrypoints=https
- traefik.http.routers.posteio.tls=true
- traefik.docker.network=posteio-frontend
networks:
- srv
- posteio-frontend
healthcheck:
disable: true


@ -8,7 +8,7 @@ services:
MYSQL_ROOT_PASSWORD: ${SEAFILE_DB_ROOT_PASSWORD}
image: mariadb:10.1
networks:
- srv
- seafile-backend
volumes:
- seafile_db:/var/lib/mysql:rw
restart: unless-stopped
@ -17,7 +17,7 @@ services:
entrypoint: memcached -m 256
image: memcached:1.5.6
networks:
- srv
- seafile-backend
restart: unless-stopped
seafile:
container_name: seafile
@ -34,7 +34,8 @@ services:
TIME_ZONE: ${TZ}
image: seafileltd/seafile-mc:latest
networks:
- srv
- seafile-backend
- seafile-frontend
restart: unless-stopped
expose:
- 80
@ -53,7 +54,8 @@ services:
- traefik.enable=true
- traefik.http.routers.seafile.rule=Host(`${HOST_SEAFILE}.${DOMAIN}`)
- traefik.http.routers.seafile.entrypoints=https
- traefik.http.routers.seafile.tls=true
- traefik.http.routers.seafile.tls=true
- traefik.docker.network=seafile-frontend
volumes:
seafile_db:
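Review bot: `seafile-backend` is used by all three services in this file, but the networks file added by this commit declares only `seafile-frontend`. Unless the network is declared somewhere not shown on this page, Compose will reject the project for referencing an undefined network. Adding `seafile-backend:` with `name: seafile-backend` next to the other backend networks fixes it.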


@ -7,7 +7,7 @@ services:
volumes:
- selfoss_data:/selfoss/data
networks:
- srv
- selfoss-frontend
restart: unless-stopped
expose:
- 8888
@ -20,7 +20,7 @@ services:
- traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000
- traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=134217728
- traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000
- traefik.docker.network=selfoss-frontend
volumes:
selfoss_data:


@ -8,7 +8,7 @@ services:
- shaarli-cache:/var/www/shaarli/cache
- ${ROOT_INSTALL}/data/shaarli:/var/www/shaarli/data
networks:
- srv
- shaarli-frontend
restart: unless-stopped
expose:
- 80
@ -16,7 +16,8 @@ services:
- traefik.enable=true
- traefik.http.routers.shaarli.rule=Host(`${HOST_SHAARLI}.${DOMAIN}`)
- traefik.http.routers.shaarli.entrypoints=https
- traefik.http.routers.shaarli.tls=true
- traefik.http.routers.shaarli.tls=true
- traefik.docker.network=shaarli-frontend
volumes:
shaarli-cache:


@ -13,7 +13,21 @@ services:
labels:
- traefik.enable=true
networks:
- srv
- dmz
- baikal-frontend
- blog-frontend
- deluge-frontend
- dokuwiki-frontend
- glances-frontend
- netdata-frontend
- photo-frontend
- portainer-frontend
- posteio-frontend
- seafile-frontend
- selfoss-frontend
- shaarli-frontend
- wallabag-frontend
- wwww-frontend
restart: unless-stopped
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
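Review bot: This service and the one in the next file section (the one publishing 80 and 443) are now attached to every frontend network while still mounting `/var/run/docker.sock`. The `:ro` flag only makes the socket file read-only; it does not restrict the Docker API calls made through it, so a compromise of the proxy still reaches the Docker daemon and, through it, every container regardless of the network split. The netdata stack already runs a `docker-proxy` container with `CONTAINERS=1`; pointing the reverse proxy at a similar restricted API proxy would keep the isolation meaningful. The two network lists are identical and have to be kept in step with the networks file by hand.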


@ -43,7 +43,21 @@ services:
- 80:80
- 443:443
networks:
- srv
- dmz
- baikal-frontend
- blog-frontend
- deluge-frontend
- dokuwiki-frontend
- glances-frontend
- netdata-frontend
- photo-frontend
- portainer-frontend
- posteio-frontend
- seafile-frontend
- selfoss-frontend
- shaarli-frontend
- wallabag-frontend
- wwww-frontend
restart: unless-stopped
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro


@ -5,7 +5,7 @@ services:
container_name: wallabag
image: wallabag/wallabag
networks:
- srv
- wallabag-frontend
expose:
- 80
volumes:
@ -19,6 +19,7 @@ services:
- traefik.http.routers.wallabag.rule=Host(`${HOST_WALLABAG}.${DOMAIN}`)
- traefik.http.routers.wallabag.entrypoints=https
- traefik.http.routers.wallabag.tls=true
- traefik.docker.network=wallabag-frontend
volumes:
wallabag_data:


@ -6,7 +6,7 @@ services:
image: kianby/www-madyanne
restart: unless-stopped
networks:
- srv
- wwww-frontend
expose:
- 80
labels:
@ -14,4 +14,5 @@ services:
- traefik.http.routers.www.rule=Host(`${HOST_WWW}.${DOMAIN}`)
- traefik.http.routers.www.entrypoints=https
- traefik.http.routers.www.tls=true
- traefik.docker.network=wwww-frontend