docker-compose.yml

version: "3.7"
# Prepare: Step 1
# mkdir -p ~/docker/{traefik2/acme,traefik2/rules,shared/certs}
# touch ~/docker/{docker-gc/docker-gc-exclude,traefik2/traefik.log,traefik2/acme/acme.json}
# 
# Prepare: Step 2
# docker network create --gateway 192.168.90.1 --subnet 192.168.90.0/24 t2_proxy
# 
# docker network create --gateway 192.168.80.1 --subnet --internal 192.168.100.0/24 t2_local
#
# Prepare: Step 3
# create .env file with all parameters in same directory in which .yml file is stored

networks:
  t2_proxy:
    external:
      name: t2_proxy
  t2_local:
    name: t2_local

########################### SERVICES
services:
############################# FRONTENDS

# Traefik 2 - Reverse Proxy
# Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600. 
# touch ${USERDIR}/docker/traefik2/acme/acme.json
# chmod 600 ${USERDIR}/docker/traefik2/acme/acme.json
# touch ${USERDIR}/docker/traefik2/traefik.log
  traefik:
    container_name: traefik
    image: traefik:chevrotin # the chevrotin tag refers to v2.2.x
    restart: unless-stopped
    command: # CLI arguments
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=false
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
#      - --entryPoints.bitbucket.address=:7999
        # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
      - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22,127.0.0.0/8,192.168.0.0/16,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32
      - --api=true
#      - --api.insecure=true
      - --serversTransport.insecureSkipVerify=true
      - --log=true
      - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --accessLog=true
      - --accessLog.filePath=/traefik.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=400-499
      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.${DOMAINNAME}`)
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=t2_proxy
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
#      - --providers.file.filename=/path/to/file # Load dynamic configuration from a file.
      - --providers.file.watch=true # Only works on top level files in the rules folder
#      - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
      - --certificatesResolvers.dns-cloudflare.acme.email=${CLOUDFLARE_EMAIL}
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53,8.8.8.8:53,8.8.4.4:53
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
    networks:
      t2_proxy:
        ipv4_address: 192.168.90.100 # You can specify a static IP
      # t2_socket:
    security_opt:
      - no-new-privileges:true
    ports:
      # https://www.reddit.com/r/docker/comments/c1wrep/traefik_reverse_proxy_question_docker_overlay/
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
#      - target: 7999
#        published: 7999
#        protocol: tcp
#        mode: host
    volumes:
      - ${USERDIR}/docker/traefik2/rules:/rules # file provider directory
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${USERDIR}/docker/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
      - ${USERDIR}/docker/traefik2/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container
      - ${USERDIR}/docker/shared:/shared
    environment:
      - CF_API_EMAIL=${CLOUDFLARE_EMAIL}
      - CF_API_KEY=${CLOUDFLARE_API_KEY}
    labels:
      - "traefik.enable=true"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.${DOMAINNAME}`)"
      - "traefik.http.routers.traefik-rtr.tls=true"
      - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" 
      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=${DOMAINNAME}"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.${DOMAINNAME}"
#      - "traefik.http.routers.traefik-rtr.tls.domains[1].main=$DOMAIN" # Pulls main cert for second domain
#      - "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$DOMAIN" # Pulls wildcard cert for second domain
      - "traefik.http.routers.traefik-rtr.tls.domains[2].main=${INLETS_DOMAIN}"
      - "traefik.http.routers.traefik-rtr.tls.domains[2].sans=*.${INLETS_DOMAIN}"
      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      ## Middlewares
#      - "traefik.http.routers.traefik-rtr.middlewares=chain-basic-auth@file"
      - "traefik.http.routers.traefik-rtr.middlewares=no-oauth@file"

############################# INLETS

  inlets:
    image: kumekay/inlets:latest 
#    image: inlets/inlets:2.7.9 # (OFFICIAL LATEST)
    restart: always
    container_name: inlets
    hostname: ${SUBDOMAINPREFIX:-exit}.${DOMAINNAME}
    networks:
      - t2_proxy
    expose:
      - "9009"
    entrypoint: ["inlets"]
    command:
      - "server"
      - "--port=9009"
      - "--token=${INLETS_TOKEN}"
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.inlets-rtr.entrypoints=https,http"
#      - "traefik.http.routers.inlets-rtr.rule=Host(`${INLETS_DOMAIN}`)"
      - "traefik.http.routers.inlets-rtr.rule=HostRegexp(`${INLETS_DOMAIN}`, `{subdomain:[a-z1-9-]+}.${INLETS_DOMAIN}`)"
      - "traefik.http.routers.inlets-rtr.tls=true"
      - "traefik.tcp.routers.inlets-rtr.tls.passthrough=true"
#      - "traefik.http.routers.inlets-rtr.tls.certresolver=dns-cloudflare"
      ## Middlewares
      - "traefik.http.routers.inlets-rtr.middlewares=chain-no-auth@file"
      ## HTTP Services
      - "traefik.http.routers.inlets-rtr.service=inlets-svc"
      - "traefik.http.services.inlets-svc.loadbalancer.server.port=9009"
      - "traefik.tcp.routers.inlets-rtr.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.inlets-rtr.service=inlets-svc"
      - "traefik.tcp.services.inlets-svc.loadbalancer.server.port=9009"


############################# Utilities

# Dozzle - Real-time Docker Log Viewer
  dozzle:
    image: amir20/dozzle:latest
    container_name: dozzle
    restart: unless-stopped
    networks:
      t2_proxy:
        ipv4_address: 192.168.90.140 # You can specify a static IP
    security_opt:
      - no-new-privileges:true
#    ports:
#      - "$DOZZLE_PORT:8080"
    environment:
      DOZZLE_LEVEL: info
      DOZZLE_TAILSIZE: 300
      DOZZLE_FILTER: "status=running"
#      DOZZLE_FILTER: "label=log_me" # limits logs displayed to containers with this label
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.dozzle-rtr.entrypoints=https"
      - "traefik.http.routers.dozzle-rtr.rule=Host(`dozzle.${DOMAINNAME}`)"
      - "traefik.http.routers.dozzle-rtr.tls=true"
#      - "traefik.http.routers.dozzle-rtr.tls.certresolver=dns-cloudflare"
      ## Middlewares
      - "traefik.http.routers.dozzle-rtr.middlewares=chain-basic@file"
      ## HTTP Services
      - "traefik.http.routers.dozzle-rtr.service=dozzle-svc"
      - "traefik.http.services.dozzle-svc.loadbalancer.server.port=8080"

# Glances - System Information
  glances:
    image: nicolargo/glances:latest
    container_name: glances
    restart: unless-stopped
    privileged: true
#    network_mode: host
    networks:
      t2_proxy:
        ipv4_address: 192.168.90.141 # You can specify a static IP
    security_opt:
      - no-new-privileges:true
#    ports:
#      - "$GLANCES_PORT:61208"
    pid: host
    volumes:
#      - $USERDIR/docker/glances/glances.conf:/glances/conf/glances.conf # Use this if you want to add a glances.conf file
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
#      GLANCES_OPT: "-C /glances/conf/glances.conf --quiet --export influxdb"
      GLANCES_OPT: "-w"
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.glances-rtr.entrypoints=https"
      - "traefik.http.routers.glances-rtr.rule=Host(`glances.${DOMAINNAME}`)"
      - "traefik.http.routers.glances-rtr.tls=true"
 #     - "traefik.http.routers.glances-rtr.tls.certresolver=dns-cloudflare"
      ## Middlewares
      - "traefik.http.routers.glances-rtr.middlewares=chain-basic-auth@file"
      ## HTTP Services
      - "traefik.http.routers.glances-rtr.service=glances-svc"
      - "traefik.http.services.glances-svc.loadbalancer.server.port=61208"

############################# MONITORING

# Netdata - realtime Docker host monitoring
  netdata:
    container_name: netdata
    image: netdata/netdata
    restart: unless-stopped
    hostname: netdata
#    ports:
#      - 19999:19999
    environment:
      PGID: 998 #docker group
      NETDATA_PORT: 19999
      VIRTUALIZATION: kvm
      TELEGRAM_BOT_TOKEN: $TGRAM_BOT_TOKEN
      TELEGRAM_CHAT_ID: $TGRAM_CHAT_ID
    cap_add:
      - SYS_PTRACE
    security_opt:
      - apparmor:unconfined
      - no-new-privileges:true
    networks:
      t2_proxy:
        ipv4_address: 192.168.90.150 # You can specify a static IP
    volumes:
      - ${USERDIR}/docker/netdata:/etc/netdata:ro
      # For monitoring:
      - /etc/passwd:/host/etc/passwd:ro
      - /etc/group:/host/etc/group:ro
      - /etc/os-release:/etc/os-release:ro
      - /proc:/host/proc:ro
      - /sys:/host/sys:ro
      - /var/log/smartd:/var/log/smartd:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.netdata-rtr.entrypoints=https"
      - "traefik.http.routers.netdata-rtr.rule=Host(`netdata.${DOMAINNAME}`)"
      - "traefik.http.routers.netdata-rtr.tls=true"
 #     - "traefik.http.routers.netdata-rtr.tls.certresolver=dns-cloudflare"
      ## Middlewares
      - "traefik.http.routers.netdata-rtr.middlewares=chain-basic-auth@file"
      ## HTTP Services
      - "traefik.http.routers.netdata-rtr.service=netdata-svc"
      - "traefik.http.services.netdata-svc.loadbalancer.server.port=19999"


############################# MAINTENANCE
# Traefik Certs Dumper - Extract LetsEncrypt Certificates - Traefik2 Compatible
  certdumper:
    container_name: certdumper
    image: humenius/traefik-certs-dumper:latest
#    command: --restart-containers container1,container2,container3
    volumes:
    - $USERDIR/docker/traefik2/acme:/traefik:ro
    - $USERDIR/docker/shared/certs:/output:rw
#    - /var/run/docker.sock:/var/run/docker.sock:ro # only needed if restarting containers
    environment:
      DOMAIN: ${DOMAINNAME}