docker-compose-t2-web.yml

version: "3.9"

######### IMPORTANT #############
# docker-compose-t2.yml is my main docker compose that runs on the same Proxmox host.
# You will find only a few apps in this web stack that hosts a few wordpress and non-wordpress sites.
# You can copy-paste services from one docker-compose file in this repo to another to add other apps.

########################### SYSTEM DESCRIPTION
# DOCKER-COMPOSE FOR WORDPRESS / WEB SERVER
# Digital Ocean: 1 vCPU, 2 GB RAM, and 50 GB NVME
# Use this Referral Link and get $100 Credit: https://m.do.co/c/5ae8e2c8f34b

# Docker: 20.10.17
# Docker Compose: 2.6.0 (v2 https://docs.docker.com/compose/#compose-v2-and-the-new-docker-compose-command)

########################### NETWORKS
# There is no need to create any networks outside this docker-compose file.
# You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please.
# Docker Compose version 3.5 or higher required to define networks this way.

networks:
  t2_proxy:
    name: t2_proxy
    driver: bridge
    ipam:
      config:
        - subnet: 192.168.90.0/24
  default:
    driver: bridge
  socket_proxy:
    name: socket_proxy
    driver: bridge
    ipam:
      config:
        - subnet: 192.168.91.0/24

########################### SECRETS
secrets:
  htpasswd:
    file: $DOCKERDIR/secrets/htpasswd
  cf_email:
    file: $DOCKERDIR/secrets/cf_email
  cf_api_key:
    file: $DOCKERDIR/secrets/cf_api_key
  cf_token:
    file: $DOCKERDIR/secrets/cf_token
  traefik_forward_auth:
    file: $DOCKERDIR/secrets/traefik_forward_auth
  mysql_root_password:
    file: $SECRETSDIR/mysql_root_password
  authelia_jwt_secret:
    file: $SECRETSDIR/authelia_jwt_secret
  authelia_session_secret:
    file: $SECRETSDIR/authelia_session_secret
  authelia_storage_mysql_password:
    file: $SECRETSDIR/authelia_storage_mysql_password
  authelia_notifier_smtp_password:
    file: $SECRETSDIR/authelia_notifier_smtp_password
  authelia_duo_api_secret_key:
    file: $SECRETSDIR/authelia_duo_api_secret_key

########################### EXTENSION FIELDS
# Helps eliminate repetition of sections
# More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228

# Common environment values
x-environment: &default-tz-puid-pgid
  TZ: $TZ
  PUID: $PUID
  PGID: $PGID

# Keys common to some of the services in basic-services.txt
x-common-keys-core: &common-keys-core
  networks:
    - t2_proxy
  security_opt:
    - no-new-privileges:true
  restart: always
  # profiles:
  # - core

# Keys common to some of the services in basic-services.txt
x-common-keys-core: &common-keys-monitoring
  networks:
    - t2_proxy
  security_opt:
    - no-new-privileges:true
  restart: always
  # profiles:
  # - monitoring

# Keys common to some of the dependent services/apps
x-common-keys-apps: &common-keys-apps
  networks:
    - t2_proxy
  security_opt:
    - no-new-privileges:true
  restart: unless-stopped
  # profiles:
  # - apps

########################### SERVICES
services:
  ############################# FRONTENDS

  # Traefik 2 - Reverse Proxy
  # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
  # touch $DOCKERDIR/appdata/traefik2/acme/acme.json
  # chmod 600 $DOCKERDIR/appdata/traefik2/acme/acme.json
  # touch $DOCKERDIR/logs/web/traefik/traefik.log
  # touch $DOCKERDIR/logs/web/traefik/access.log

  traefik:
    <<: *common-keys-core # See EXTENSION FIELDS at the top
    container_name: traefik
    image: traefik:2.8
    command: # CLI arguments
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=true
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
      - --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
      - --entryPoints.traefik.address=:8080
      # - --entryPoints.ping.address=:8081
      - --api=true
      # - --api.insecure=true
      - --api.dashboard=true
      #- --ping=true
      # - --serversTransport.insecureSkipVerify=true
      - --log=true
      - --log.filePath=/logs/traefik.log
      - --log.level=INFO # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --accessLog=true
      - --accessLog.filePath=/logs/access.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=204-299,400-499,500-599
      - --providers.docker=true
      # - --providers.docker.endpoint=unix:///var/run/docker.sock # Use Docker Socket Proxy instead for improved security
      - --providers.docker.endpoint=tcp://socket-proxy:2375
      # Automatically set Host rule for services
      # - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME_SHB`)
      - --providers.docker.exposedByDefault=false
      # - --entrypoints.https.http.middlewares=chain-oauth@file
      - --entrypoints.https.http.tls.options=tls-opts@file
      # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
      - --entrypoints.https.http.tls.certresolver=dns-cloudflare
      - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME_SHB
      - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME_SHB
      # - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME_KHUB # Pulls main cert for second domain
      # - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME_KHUB # Pulls wildcard cert for second domain
      - --providers.docker.network=t2_proxy
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory
      # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file
      - --providers.file.watch=true # Only works on top level files in the rules folder
      # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
      - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
      # - --metrics.prometheus=true
      # - --metrics.prometheus.buckets=0.1,0.3,1.2,5.0
    networks:
      t2_proxy:
        ipv4_address: 192.168.90.254 # You can specify a static IP
      socket_proxy:
    #healthcheck:
    #  test: ["CMD", "traefik", "healthcheck", "--ping"]
    #  interval: 5s
    #  retries: 3
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      # - target: 8080 # insecure api wont work
      #   published: 8080
      #   protocol: tcp
      #   mode: host
    volumes:
      - $DOCKERDIR/appdata/traefik2/rules/web:/rules # file provider directory
      # - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy instead for improved security
      - $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
      - $DOCKERDIR/logs/web/traefik:/logs # for fail2ban or crowdsec
    environment:
      - TZ=$TZ
      - CF_API_EMAIL_FILE=/run/secrets/cf_email
      - CF_API_KEY_FILE=/run/secrets/cf_api_key
      - HTPASSWD_FILE=/run/secrets/htpasswd # HTPASSWD_FILE can be whatever as it is not used/called anywhere.
      - DOMAINNAME_SHB # Passing the domain name to traefik container to be able to use the variable in rules. 
    secrets:
      - cf_email
      - cf_api_key
      - htpasswd
    labels:
      #- "autoheal=true"
      - "traefik.enable=true"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME_SHB`)"
      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      ## Healthcheck/ping
      #- "traefik.http.routers.ping.rule=Host(`traefik.$DOMAINNAME_SHB`) && Path(`/ping`)"
      #- "traefik.http.routers.ping.tls=true"
      #- "traefik.http.routers.ping.service=ping@internal"
      ## Middlewares
      - "traefik.http.routers.traefik-rtr.middlewares=chain-oauth@file"

  # Docker Socket Proxy - Security Enchanced Proxy for Docker Socket
  socket-proxy:
    <<: *common-keys-core # See EXTENSION FIELDS at the top
    container_name: socket-proxy
    image: tecnativa/docker-socket-proxy
    networks:
      socket_proxy:
        ipv4_address: 192.168.91.254 # You can specify a static IP
    # privileged: true # true for VM. False for unprivileged LXC container.
    #ports:
    # - "127.0.0.1:2375:2375" # Port 2375 should only ever get exposed to the internal network. When possible use this line.
    # I use the next line instead, as I want portainer to manage multiple docker endpoints within my home network.
    # - "2375:2375"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    environment:
      - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
      ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
      # 0 to revoke access.
      # 1 to grant access.
      ## Granted by Default
      - EVENTS=1
      - PING=1
      - VERSION=1
      ## Revoked by Default
      # Security critical
      - AUTH=0
      - SECRETS=0
      - POST=1 # Watchtower
      # Not always needed
      - BUILD=0
      - COMMIT=0
      - CONFIGS=0
      - CONTAINERS=1 # Traefik, portainer, etc.
      - DISTRIBUTION=0
      - EXEC=0
      - IMAGES=1 # Portainer
      - INFO=1 # Portainer
      - NETWORKS=1 # Portainer
      - NODES=0
      - PLUGINS=0
      - SERVICES=1 # Portainer
      - SESSION=0
      - SWARM=0
      - SYSTEM=0
      - TASKS=1 # Portainer
      - VOLUMES=1 # Portainer

  # Google OAuth - Single Sign On using OAuth 2.0
  # https://www.smarthomebeginner.com/google-oauth-with-traefik-docker/
  oauth:
    <<: *common-keys-core # See EXTENSION FIELDS at the top
    container_name: oauth
    image: thomseddon/traefik-forward-auth:latest
    # image: thomseddon/traefik-forward-auth:2.1-arm # Use this image with Raspberry Pi
    # Allow apps to bypass OAuth. Radarr example below will bypass OAuth if API key is present in the request (eg. from NZB360 mobile app).
    # While this is one way, the recommended way is to bypass authentication using Traefik labels shown in some of the apps later.
    # command: --rule.radarr.action=allow --rule.radarr.rule="Headers(`X-Api-Key`, `$RADARR_API_KEY`)"
    # command: --rule.sabnzbd.action=allow --rule.sabnzbd.rule="HeadersRegexp(`X-Forwarded-Uri`, `$SABNZBD_API_KEY`)"
    environment:
      - CONFIG=/config
      - COOKIE_DOMAIN=$DOMAINNAME_SHB
      - INSECURE_COOKIE=false
      - AUTH_HOST=oauth.$DOMAINNAME_SHB
      - URL_PATH=/_oauth
      - LOG_LEVEL=warn
      - LOG_FORMAT=text
      - LIFETIME=86400 # 1 day
      - DEFAULT_ACTION=auth
      - DEFAULT_PROVIDER=google
    secrets:
      - source: traefik_forward_auth
        target: /config
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.oauth-rtr.tls=true"
      - "traefik.http.routers.oauth-rtr.entrypoints=https"
      - "traefik.http.routers.oauth-rtr.rule=Host(`oauth.$DOMAINNAME_SHB`)"
      ## Middlewares
      - "traefik.http.routers.oauth-rtr.middlewares=chain-oauth@file"
      ## HTTP Services
      - "traefik.http.routers.oauth-rtr.service=oauth-svc"
      - "traefik.http.services.oauth-svc.loadbalancer.server.port=4181"

  # Portainer - WebUI for Containers
  portainer:
    <<: *common-keys-core # See EXTENSION FIELDS at the top
    container_name: portainer
    image: portainer/portainer-ce:latest
    # command: -H unix:///var/run/docker.sock # # Use Docker Socket Proxy instead for improved security
    command: -H tcp://socket-proxy:2375
    networks:
      - t2_proxy
      - socket_proxy
    volumes:
      # - /var/run/docker.sock:/var/run/docker.sock:ro # # Use Docker Socket Proxy instead for improved security
      - $DOCKERDIR/appdata/portainer/data:/data # Change to local directory if you want to save/transfer config locally
    environment:
      - TZ=$TZ
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.portainer-rtr.entrypoints=https"
      - "traefik.http.routers.portainer-rtr.rule=Host(`portainer.$DOMAINNAME_SHB`)"
      ## Middlewares
      - "traefik.http.routers.portainer-rtr.middlewares=chain-oauth@file"
      ## HTTP Services
      - "traefik.http.routers.portainer-rtr.service=portainer-svc"
      - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000"

  # Autoindex - Simple Directory Index
  autoindex:
    <<: *common-keys-apps # See EXTENSION FIELDS at the top
    container_name: autoindex
    image: dceoy/nginx-autoindex:latest
    # ports:
    #   - "$AUTOINDEX_PORT:80"
    volumes:
      - $USERDIR:/var/lib/nginx/html:ro # Location you want to index
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.autoindex-rtr.entrypoints=https"
      - "traefik.http.routers.autoindex-rtr.rule=Host(`index.$DOMAINNAME_SHB`)"
      ## Middlewares
      - "traefik.http.routers.autoindex-rtr.middlewares=chain-oauth@file"
      ## HTTP Services
      - "traefik.http.routers.autoindex-rtr.service=autoindex-svc"
      - "traefik.http.services.autoindex-svc.loadbalancer.server.port=80"

  # CrowdSec - Open-source & collaborative security IPS
  crowdsec:
    <<: *common-keys-core # See EXTENSION FIELDS at the top
    image: crowdsecurity/crowdsec
    container_name: crowdsec
    ports:
      - "$CROWDSEC_API_PORT:8080"
      - "$ZEROTIER_IP_WEBSERVER:$CROWDSEC_PROMETHEUS_EXPORT:6060" # If you don't use ZeroTier remove use just $CROWDSEC_PROMETHEUS_EXPORT:6060
    environment:
      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/whitelist-good-actors crowdsecurity/iptables crowdsecurity/linux crowdsecurity/nginx crowdsecurity/sshd"
      GID: "${GID-1000}"
      CUSTOM_HOSTNAME: dSHB
    volumes:
      - $DOCKERDIR/logs/web:/logs/web:ro
      - /var/log:/var/log:ro
      - $DOCKERDIR/appdata/crowdsec/data:/var/lib/crowdsec/data
      - $DOCKERDIR/appdata/crowdsec/config:/etc/crowdsec

  # CrowdSec Bouncer - Traefik
  traefik-bouncer:
    <<: *common-keys-core # See EXTENSION FIELDS at the top
    image: fbonalair/traefik-crowdsec-bouncer
    container_name: traefik-bouncer
    #ports:
    #  - "$TRAEFIK_BOUNCER_PORT:8080"
    environment:
      GIN_MODE: release # default is debug (more logs)
      CROWDSEC_BOUNCER_API_KEY: $CROWDSEC_BOUNCER_TRAEFIK_API_KEY # sudo docker exec crowdsec cscli bouncers add traefik-bouncer
      CROWDSEC_AGENT_HOST: crowdsec:8080 # CrowdSec host and port
      CROWDSEC_BOUNCER_LOG_LEVEL: 1 # 1 INFO 2 WARN https://pkg.go.dev/github.com/rs/zerolog#readme-leveled-logging

  # CrowdSec Bouncer - Cloudflare
  # sudo docker exec crowdsec cscli bouncer add cloudflare-bouncer
  # Set max ip number right the first time (max 10000). Recreating container deletes all ips and readds them causing cloudflare 429 rate limiting.
  cloudflare-bouncer:
    <<: *common-keys-core # See EXTENSION FIELDS at the top
    image: crowdsecurity/cloudflare-bouncer
    container_name: cloudflare-bouncer
    #ports:
    #  - "$CLOUDFLARE_BOUNCER_PORT:2112"
    volumes:
      - $DOCKERDIR/appdata/cloudflare-bouncer/cfg.yaml:/etc/crowdsec/bouncers/crowdsec-cloudflare-bouncer.yaml
      - $DOCKERDIR/appdata/cloudflare-bouncer/cf-bouncer:/cf-bouncer

  ############################# DATABASE

  # MariaDB - MySQL Database
  # After starting container for first time dexec and mysqladmin -u root password <password>
  mariadb:
    <<: *common-keys-core # See EXTENSION FIELDS at the top
    container_name: mariadb
    image: lscr.io/linuxserver/mariadb
    #ports:
    #  - "$MARIADB_PORT:3306"
    volumes:
      - $DOCKERDIR/appdata/mariadb/data:/config
    environment:
      <<: *default-tz-puid-pgid
      FILE__MYSQL_ROOT_PASSWORD: /run/secrets/mysql_root_password # Note FILE__ (double underscore) - Issue #127
    secrets:
      - mysql_root_password

  # Redis - Key-value Store
  redis:
    <<: *common-keys-core # See EXTENSION FIELDS at the top
    container_name: redis
    image: redis:latest
    entrypoint: redis-server --appendonly yes --requirepass $REDIS_PASSWORD --maxmemory 512mb --maxmemory-policy allkeys-lru
    #ports:
    #  - "$REDIS_PORT:6379"
    volumes:
      - $DOCKERDIR/appdata/redis/data:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro

  # phpMyAdmin - Database management
  # Create a new user with admin privileges. Cannot login as MySQL root for some reason.
  phpmyadmin:
    <<: *common-keys-apps # See EXTENSION FIELDS at the top
    image: phpmyadmin/phpmyadmin:latest
    container_name: phpmyadmin
    environment:
      - PMA_HOST=$MARIADB_HOST
      - PMA_PORT=$MARIADB_PORT
      #- PMA_ARBITRARY=1
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password
    secrets:
      - mysql_root_password
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.phpmyadmin-rtr.entrypoints=https"
      - "traefik.http.routers.phpmyadmin-rtr.rule=Host(`pma.$DOMAINNAME_SHB`)"
      ## Middlewares
      - "traefik.http.routers.phpmyadmin-rtr.middlewares=chain-oauth@file"
      ## HTTP Services
      - "traefik.http.routers.phpmyadmin-rtr.service=phpmyadmin-svc"
      - "traefik.http.services.phpmyadmin-svc.loadbalancer.server.port=80"

  ########################### WEB

  # Nginx - Web Server
  nginx:
    <<: *common-keys-core # See EXTENSION FIELDS at the top
    container_name: nginx
    image: nginx:1.20 # 1.18 # Updated 8/9/2021
    depends_on:
      - php7
      - redis
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      - $DOCKERDIR/logs/web/nginx:/var/log/nginx
      - $DOCKERDIR/appdata/nginx:/etc/nginx
      - $DOCKERDIR/appdata/sites/shb/html:/var/www/html/shb
      #- $DOCKERDIR/appdata/sites/shb/beta:/var/www/html/beta
      - $DOCKERDIR/appdata/sites/khub/html:/var/www/html/khub
      - $DOCKERDIR/appdata/sites/dash/html:/var/www/html/dash
    secrets:
      - htpasswd
    labels:
      - "traefik.enable=true"
      ## HTTP Routers SHB (WordPress) Auth
      - "traefik.http.routers.nginx-shb-auth-rtr.entrypoints=https"
      - "traefik.http.routers.nginx-shb-auth-rtr.rule=Host(`www.$DOMAINNAME_SHB`) && Path(`/wp-login.php`)"
      - "traefik.http.routers.nginx-shb-auth-rtr.priority=100"
      ## HTTP Routers SHB (WordPress) Bypass
      - "traefik.http.routers.nginx-shb-rtr.entrypoints=https"
      - "traefik.http.routers.nginx-shb-rtr.rule=Host(`$DOMAINNAME_SHB`) || Host(`www.$DOMAINNAME_SHB`)"
      - "traefik.http.routers.nginx-shb-rtr.priority=99"
      ## HTTP Routers SHB Beta (WordPress)
      #- "traefik.http.routers.nginx-shb-beta-rtr.entrypoints=https"
      #- "traefik.http.routers.nginx-shb-beta-rtr.rule=Host(`beta.$DOMAINNAME_SHB`)"
      ## HTTP Routers DASH (non-WordPress)
      - "traefik.http.routers.nginx-dash-rtr.entrypoints=https"
      - "traefik.http.routers.nginx-dash-rtr.rule=Host(`dash.$DOMAINNAME_SHB`)"
      ## HTTP Routers KHUB (non-WordPress)
      - "traefik.http.routers.nginx-khub-rtr.entrypoints=https"
      - "traefik.http.routers.nginx-khub-rtr.rule=Host(`$DOMAINNAME_KHUB`) || Host(`www.$DOMAINNAME_KHUB`)"
      # Redirect shb non-www to www middleware
      - "traefik.http.middlewares.shb-redirect.redirectregex.regex=^https?://$DOMAINNAME_SHB/(.*)"
      - "traefik.http.middlewares.shb-redirect.redirectregex.replacement=https://www.$DOMAINNAME_SHB/$${1}"
      - "traefik.http.middlewares.shb-redirect.redirectregex.permanent=true"
      # Redirect khub non-www to www middleware
      - "traefik.http.middlewares.khub-redirect.redirectregex.regex=^https?://$DOMAINNAME_KHUB/(.*)"
      - "traefik.http.middlewares.khub-redirect.redirectregex.replacement=https://www.$DOMAINNAME_KHUB/$${1}"
      - "traefik.http.middlewares.khub-redirect.redirectregex.permanent=true"
      ## Middlewares
      - "traefik.http.routers.nginx-khub-rtr.middlewares=khub-redirect,chain-no-auth@file"
      - "traefik.http.routers.nginx-shb-rtr.middlewares=shb-redirect,chain-no-auth-wp@file"
      #- "traefik.http.routers.nginx-shb-auth-rtr.middlewares=shb-redirect,chain-oauth-wp@file"
      - "traefik.http.routers.nginx-shb-auth-rtr.middlewares=shb-redirect,chain-no-auth-wp@file"
      - "traefik.http.routers.nginx-dash-rtr.middlewares=chain-oauth@file"
      #- "traefik.http.routers.nginx-shb-beta-rtr.middlewares=chain-oauth@file"
      ## HTTP Services
      - "traefik.http.routers.nginx-shb-rtr.service=nginx-svc"
      - "traefik.http.routers.nginx-shb-auth-rtr.service=nginx-svc"
      - "traefik.http.routers.nginx-khub-rtr.service=nginx-svc"
      - "traefik.http.routers.nginx-dash-rtr.service=nginx-svc"
      #- "traefik.http.routers.nginx-shb-beta-rtr.service=nginx-svc"
      - "traefik.http.services.nginx-svc.loadbalancer.server.port=80"

  # PHP - Hypertext Preprocessor
  php7:
    <<: *common-keys-core # See EXTENSION FIELDS at the top
    container_name: php7
    image: php:7.4-fpm-custom
    build:
      context: $DOCKERDIR/custom/
      dockerfile: Dockerfile-php7
    user: $PUID:$PGID # allows upgrading WP and plugins
    volumes:
      - $DOCKERDIR/appdata/sites/shb/html:/var/www/html/shb
      #- $DOCKERDIR/appdata/sites/shb/beta:/var/www/html/beta
      - $DOCKERDIR/appdata/php/php7:/usr/local/etc/php
      - $DOCKERDIR/appdata/sites/khub/html:/var/www/html/khub
      - $DOCKERDIR/appdata/sites/dash/html:/var/www/html/dash

  ########################### UTILITIES

  # VSCode - VSCode Editing
  vscode:
    <<: *common-keys-core # See EXTENSION FIELDS at the top
    image: lscr.io/linuxserver/code-server:latest
    container_name: vscode
    volumes:
      - $DOCKERDIR:/data/docker
      - $USERDIR/server:/data/server
      - $DATADIR:/data/data
      - $DOCKERDIR/appdata/vscode:/config
    environment:
      <<: *default-tz-puid-pgid
      # DOCKER_HOST: tcp://socket-proxy:2375
      # PASSWORD: $VSCODE_PASSWORD
      # HASHED_PASSWORD: #optional
      # SUDO_PASSWORD: password #optional
      # SUDO_PASSWORD_HASH: #optional
      # PROXY_DOMAIN: code-server.my.domain #optional
      DEFAULT_WORKSPACE: /config/data/User/Workspaces/AZ.code-workspace #optional
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.vscode-rtr.entrypoints=https"
      - "traefik.http.routers.vscode-rtr.rule=Host(`code.$DOMAINNAME_SHB`)"
      ## Middlewares
      - "traefik.http.routers.vscode-rtr.middlewares=chain-oauth@file"
      ## HTTP Services
      - "traefik.http.routers.vscode-rtr.service=vscode-svc"
      - "traefik.http.services.vscode-svc.loadbalancer.server.port=8443"

  wg-easy:
    image: weejewel/wg-easy
    container_name: wg-easy
    restart: unless-stopped
    networks:
      - default
      - t2_proxy
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    ports:
      - "51820:51820/udp"
      - "51821:51821/tcp"
    volumes:
      - $DOCKERDIR/appdata/wireguard:/etc/wireguard
    environment:
      # ⚠️ Required:
      # Change this to your host's public address
      - WG_HOST=$SERVER_IP
      - PASSWORD=$WGEASY_PASSWORD
      # Optional:
      # - PASSWORD=foobar123
      # - WG_PORT=51820
      # - WG_DEFAULT_ADDRESS=10.8.0.x
      # - WG_DEFAULT_DNS=1.1.1.1
      # - WG_MTU=1420
      # - WG_ALLOWED_IPS=192.168.15.0/24, 10.0.1.0/24
      # - WG_PRE_UP=echo "Pre Up" > /etc/wireguard/pre-up.txt
      # - WG_POST_UP=echo "Post Up" > /etc/wireguard/post-up.txt
      # - WG_PRE_DOWN=echo "Pre Down" > /etc/wireguard/pre-down.txt
      # - WG_POST_DOWN=echo "Post Down" > /etc/wireguard/post-down.txt

  ############################# MAINTENANCE

  # Docker-GC - Automatic Docker Garbage Collection
  # Create docker-gc-exclude file
  dockergc:
    <<: *common-keys-apps # See EXTENSION FIELDS at the top
    image: clockworksoul/docker-gc-cron:latest
    container_name: docker-gc
    networks:
      - socket_proxy
    volumes:
      # - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy instead for improved security
      - $DOCKERDIR/appdata/docker-gc/docker-gc-exclude:/etc/docker-gc-exclude
    environment:
      CRON: 12 0 0 * * ? # Everyday at midnight.
      FORCE_IMAGE_REMOVAL: 1
      FORCE_CONTAINER_REMOVAL: 0
      GRACE_PERIOD_SECONDS: 604800
      DRY_RUN: 0
      CLEAN_UP_VOLUMES: 1
      TZ: $TZ
      DOCKER_HOST: tcp://socket-proxy:2375