docker-compose.host.yml
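services:
  # MongoDB: https://hub.docker.com/_/mongo/
  # No ports are published; the service is attached to graylog-net only.
  mongo:
    image: mongo:6.0
    container_name: mongodb
    restart: unless-stopped
    volumes:
      - mongo-data:/data/db
    networks:
      - graylog-net

  # OpenSearch single-node cluster that Graylog and OpenSearch Dashboards query.
  opensearch:
    image: opensearchproject/opensearch:2.15.0
    container_name: opensearch-node1
    restart: unless-stopped
    env_file:
      - .env.opensearch
    environment:
      # Security plugin off: the REST API has no authentication and no TLS,
      # so access control rests entirely on network reachability.
      - plugins.security.disabled=true
      - discovery.type=single-node
      - cluster.name=opensearch-cluster
      - node.name=opensearch-node1
      # Along with the memlock settings below, disables swapping.
      - bootstrap.memory_lock=true
      # Minimum and maximum Java heap size; recommend setting both to 50% of
      # system RAM.
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
    volumes:
      - opensearch-data:/usr/share/opensearch/data
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        # Maximum number of open files for the OpenSearch user; set to at
        # least 65536 on modern systems.
        soft: 65536
        hard: 65536
    ports:
      # Bound to loopback. Graylog and Dashboards reach opensearch-node1 over
      # the Docker networks, so nothing in this file needs the host port. With
      # the security plugin disabled, publishing on every host interface would
      # leave the index readable and writable by anyone who can reach the host.
      # Widen the bind address only after enabling the security plugin.
      - "127.0.0.1:9200:9200"
      # Required for Performance Analyzer.
      - "127.0.0.1:9600:9600"
    networks:
      - opensearch-net
      - graylog-net

  opensearch-dashboards:
    # Initial username and password:
    # admin
    # admin
    # TODO How to change initial password?
    # NOTE(review): those defaults belong to the security plugin, which this
    # file disables on the OpenSearch node. Confirm whether the Traefik route
    # below is reachable without any login, and put authentication in front of
    # it if so.
    image: opensearchproject/opensearch-dashboards:2.15.0
    container_name: opensearch-dashboards
    restart: unless-stopped
    ports:
      # NOTE(review): this publishes plain HTTP on every host interface and
      # bypasses the TLS router defined in the labels. Traefik reaches the
      # container over traefik-net, so confirm the host port is needed at all.
      - "5601:5601"
    expose:
      - "5601"
    environment:
      OPENSEARCH_HOSTS: '["http://opensearch-node1:9200"]'
      # Disables the security dashboards plugin in OpenSearch Dashboards
      # (quoted: Compose rejects bare booleans in an environment mapping).
      # DISABLE_SECURITY_DASHBOARDS_PLUGIN: "true"
    networks:
      - opensearch-net
      - traefik-net
    labels:
      - "traefik.enable=true"
      # In case of multiple nets this forces Traefik to select the correct one.
      - "traefik.docker.network=traefik-net"
      # ROUTER http and http to https redirect MIDDLEWARE
      - "traefik.http.middlewares.os-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.os-router.middlewares=os-redirect"
      # Backticks, matching the other Host() rules in this file. The
      # single-quoted form used previously is not a valid rule literal, so
      # the HTTP to HTTPS redirect router would not have loaded.
      - "traefik.http.routers.os-router.rule=Host(`os.placeholderdomain.com`)"
      - "traefik.http.routers.os-router.entrypoints=web"
      # ROUTER https
      - "traefik.http.routers.os-router-secure.rule=Host(`os.placeholderdomain.com`)"
      - "traefik.http.routers.os-router-secure.entrypoints=websecure"
      - "traefik.http.routers.os-router-secure.tls.certresolver=mytlschallenge"
      - "traefik.http.services.os-service.loadbalancer.server.port=5601"

  # Graylog: https://hub.docker.com/r/graylog/graylog/
  graylog:
    image: graylog/graylog:5.2
    container_name: graylog
    restart: unless-stopped
    # NOTE(review): the container runs as root, presumably so it can read the
    # bind-mounted plugin and cert directories. Confirm, and prefer fixing
    # ownership on the host so that Graylog can run unprivileged.
    user: root
    volumes:
      - graylog-data:/usr/share/graylog/data
      - ./plugins:/usr/share/graylog/plugin/
      # TLS certs
      # Important: use *_full.crt in Graylog Input (also includes CA cert)
      - ./certs:/usr/share/graylog/certs:ro
    env_file:
      - .env.graylog
    environment:
      # Replace with your time zone.
      - GRAYLOG_ROOT_TIMEZONE=Europe/Berlin
      - GRAYLOG_ELASTICSEARCH_HOSTS=http://opensearch-node1:9200
      - GRAYLOG_HTTP_EXTERNAL_URI=https://logs.placeholderdomain.com/
    # Wait until OpenSearch accepts connections before starting Graylog.
    entrypoint: /usr/bin/tini -- wait-for-it opensearch-node1:9200 -- /docker-entrypoint.sh
    networks:
      - traefik-net
      - graylog-net
    depends_on:
      - mongo
      - opensearch
    ports:
      # Log inputs are published on every host interface. Anyone who can reach
      # a port can submit messages unless the corresponding Graylog input is
      # configured with TLS (see ./certs above) or a firewall restricts it.
      # Syslog TCP
      - "1514:1514"
      # Syslog UDP
      - "1514:1514/udp"
      # GELF TCP
      - "12201:12201"
      # GELF UDP
      - "12201:12201/udp"
      # Beats TCP
      - "5044:5044"
      # Beats UDP
      - "5044:5044/udp"
    labels:
      - "traefik.enable=true"
      # In case of multiple nets this forces Traefik to select the correct one.
      - "traefik.docker.network=traefik-net"
      # ROUTER http and http to https redirect MIDDLEWARE
      - "traefik.http.middlewares.graylog-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.graylog-router.middlewares=graylog-redirect"
      - "traefik.http.routers.graylog-router.rule=Host(`logs.placeholderdomain.com`)"
      - "traefik.http.routers.graylog-router.entrypoints=web"
      # ROUTER https
      - "traefik.http.routers.graylog-router-secure.rule=Host(`logs.placeholderdomain.com`)"
      - "traefik.http.routers.graylog-router-secure.entrypoints=websecure"
      - "traefik.http.routers.graylog-router-secure.tls.certresolver=mytlschallenge"
      - "traefik.http.services.graylog-service.loadbalancer.server.port=9000"

  # Get certificates from Traefik reverse proxy.
  # This enables Graylog to secure Syslog, FileBeat, etc endpoints.
  # For that select certificate in Input config in Graylog.
  cert-extract:
    # NOTE(review): floating tag on an image that reads Traefik's ACME store,
    # which holds the certificate private keys. Pin to a reviewed version or
    # image digest so that an upstream push cannot change what runs here.
    image: soerenmetje/acme-certs-extract:latest
    restart: unless-stopped
    volumes:
      # CHANGE PATH TO acme.json dir
      - /var/www/traefik/letsencrypt:/acme:ro
      # Extracted certificates are written here; Graylog mounts the same
      # directory read-only.
      - ./certs:/certs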
networks:
  # Not created by this file: it must already exist. The services that carry
  # Traefik labels attach to it.
  traefik-net:
    external: true
  # Joined by mongo, opensearch and graylog.
  graylog-net:
    driver: bridge
  # Joined by opensearch and opensearch-dashboards.
  opensearch-net:
    driver: bridge
    driver_opts:
      # Inter-container connectivity on this bridge is explicitly enabled.
      com.docker.network.bridge.enable_icc: "true"
# Named volumes for persisting data across container re-creation,
# see https://docs.docker.com/engine/admin/volumes/volumes/
volumes:
  # MongoDB data directory (/data/db).
  mongo-data:
    driver: local
  # Graylog data directory (/usr/share/graylog/data).
  graylog-data:
    driver: local
  # OpenSearch data directory (/usr/share/opensearch/data).
  opensearch-data:
    driver: local