server/docker-compose.yml

version: '3'

# Environment variables are replaced with definitions in .env, when run with:
#
#  env $(cat .env | grep ^[A-Z] | xargs) docker stack deploy --compose-file docker-compose.yml server

networks:
  default:
    driver: overlay

services:
  traefik:
    image: traefik:v2.2
    ports:
      - 80:80
      - 443:443
    deploy:
      replicas: 2  # https://youtu.be/btHpHjabRcc
      placement:
        constraints:
          - node.role == manager
      labels:
        - traefik.enable=true

        # Enable the dashboard UI
        - traefik.http.routers.api.rule=Host(`board.${DOMAIN}`)
        - traefik.http.routers.api.service=api@internal
        - traefik.http.routers.api.middlewares=auth
        - traefik.http.routers.api.tls=true
        - "traefik.http.middlewares.auth.basicauth.users=${TRAEFIK_API_USERS}"
        # Dummy service for Swarm port detection. The port can be any valid integer value.
        - traefik.http.services.dummy-svc.loadbalancer.server.port=9999

        - traefik.http.routers.traefik.tls=true

        # Use LS to get/renew certs for the TLD & subdomains
        - traefik.http.routers.traefik.tls.certresolver=le
        - traefik.http.routers.traefik.tls.domains[0].main=${DOMAIN}
        - traefik.http.routers.traefik.tls.domains[1].sans=*.${DOMAIN}

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${CONTAINERS_DIR}/traefik:/certificates
    command:
      # Require a "traefik.enable=true" label
      - --providers.docker.exposedbydefault=false

      - --providers.docker.swarmmode=true

      # HTTP redirects to HTTPS
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.permanent=false
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https

      - --entrypoints.websecure.address=:443

      # Auto cert renewal via cloudflare
      - --certificatesresolvers.le.acme.email=${LETSENCRYPT_EMAIL}
      - --certificatesresolvers.le.acme.storage=/certificates/acme.json
      - --certificatesresolvers.le.acme.dnschallenge.provider=cloudflare

      - --accesslog=true
      - --log=true

      # Enable the traefik dashboard
      - --api=true

      - --providers.file.filename=/certificates/static.toml
    environment:
      - CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}
      - CLOUDFLARE_API_KEY=${CLOUDFLARE_API_KEY}

  jekyll:
    image: jibby0/docker-jekyll-webhook
    deploy:
      replicas: 2
      labels:
        - traefik.enable=true
        - traefik.http.routers.jekyll.tls=true
        - traefik.http.routers.jekyll.rule=Host(`${DOMAIN}`)
        - traefik.http.services.jekyll.loadbalancer.server.port=80
    environment:
      - TZ=America/New_York
      - WEBHOOK_SECRET=${WEBHOOK_SECRET}
      - REPO=https://github.com/jibby0/blog.git
    restart: always
    volumes:
      - ${CONTAINERS_DIR}/jekyll/vendor_cache:/vendor

  postgres:
    image: postgres:10.5
    volumes:
      - ${CONTAINERS_DIR}/postgres/data:/var/lib/postgresql/data
      - ${CONTAINERS_DIR}/postgres/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
    environment:
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
    restart: always

  nextcloud:
    image: nextcloud:20.0.4
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.routers.nextcloud.tls=true
        - traefik.http.routers.nextcloud.rule=Host(`nextcloud.${DOMAIN}`)
        - traefik.http.services.nextcloud.loadbalancer.server.port=80
    expose:
      - "80"
    links:
      - postgres
    volumes:
      - ${CONTAINERS_DIR}/nextcloud:/var/www/html
    restart: always

  gogs:
    image: gogs/gogs:0.12.0
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.routers.gogs.tls=true
        - traefik.http.routers.gogs.rule=Host(`gogs.${DOMAIN}`)
        - traefik.http.services.gogs.loadbalancer.server.port=3000
    expose:
      - "3000"
    volumes:
      - ${CONTAINERS_DIR}/gogs:/data
    # NOTE: My gogs instance isn't happy with postgres. For now, it's a small server
    # and sqlite is fine, but I should fix this eventually.
    #links:
    #  - postgres
    restart: always

  matrix:
    image: matrixdotorg/synapse:v1.25.0
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.routers.matrix.tls=true
        - traefik.http.routers.matrix.rule=Host(`matrix.${DOMAIN}`)
        - traefik.http.services.matrix.loadbalancer.server.port=8008
    expose:
      - "8008"
    links:
      - postgres
    # NOTE: These don't directly configure anything anymore.
    #  They can be used with `migrate_config` to build
    #  homeserver.yaml
    # environment:
    #   - SYNAPSE_SERVER_NAME=matrix.jibby.org
    #   - SYNAPSE_REPORT_STATS=no
    #   - SYNAPSE_NO_TLS=true
    #   - SYNAPSE_ENABLE_REGISTRATION=no
    #   - SYNAPSE_LOG_LEVEL=INFO
    #   - SYNAPSE_REGISTRATION_SHARED_SECRET=${POSTGRES_PASSWORD}
    #   - POSTGRES_DB=synapse
    #   - POSTGRES_HOST=postgres
    #   - POSTGRES_USER=synapse
    #   - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
    volumes:
      - ${CONTAINERS_DIR}/matrix:/data
    restart: always

  selfoss:
    image: hardware/selfoss
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.routers.selfoss.tls=true
        - traefik.http.routers.selfoss.rule=Host(`selfoss.${DOMAIN}`)
        - traefik.http.services.selfoss.loadbalancer.server.port=8888
    expose:
      - "8888"
    links:
      - postgres
    volumes:
      - ${CONTAINERS_DIR}/selfoss:/selfoss/data
    environment:
      - CRON_PERIOD=5m
    restart: always

  jellyfin:
    # 10.6.4 can't use Chromecasts properly: https://github.com/jellyfin/jellyfin/issues/3852
    #  The "jellyfixer" service below fixes that for now. Assumes jellyfin's
    #  baseURL is set to the default of `/jellyfin`
    image: jellyfin/jellyfin:10.6.4
    deploy:
      placement:
        constraints:
          - node.labels.media-encoding == true
      labels:
        - traefik.enable=true
        - traefik.http.routers.jellyfin.tls=true
        - traefik.http.routers.jellyfin.rule=Host(`jellyfin.${DOMAIN}`)
        - traefik.http.services.jellyfin.loadbalancer.server.port=8096
    expose:
      - "8096"
    volumes:
      - ${CONTAINERS_DIR}/jellyfin:/config
      - ${MEDIA_DIR}:/media
      #- /dev/shm/jellyfin-transcodes:/transcodes
      #- /dev/shm/jellyfin-cache:/cache
    restart: always

  jellyfixer:
    image: quay.io/xsteadfastx/jellyfixer:latest
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.routers.jellyfixer-secured.tls=true
        - traefik.http.routers.jellyfixer-secured.rule=Host(`jellyfin.${DOMAIN}`) && Path(`/jellyfin/System/Info/Public`)
        - traefik.http.services.jellyfixer-secured.loadbalancer.server.port=8088
    command: http://jellyfin:8096/jellyfin
    environment:
      - JELLYFIXER_INTERNAL_URL=http://jellyfin:8096/jellyfin
      - JELLYFIXER_EXTERNAL_URL=https://jellyfin.${DOMAIN}/jellyfin

  # An example of a static HTTP file hosting site
  #camera:
  #  image: nginx
  #  deploy:
  #    labels:
  #      - traefik.enable=true
  #      - traefik.http.routers.camera.tls=true
  #      - traefik.http.routers.camera.rule=Host(`camera.${DOMAIN}`)
  #      - traefik.http.services.camera.loadbalancer.server.port=80
  #  volumes:
  #    - ${MEDIA_DIR}/Camera:/home/app:ro
  #    - ./conf.d/static.conf:/etc/nginx/sites-enabled/default
  #    - ./conf.d/static.conf:/etc/nginx/conf.d/default.conf
  #  restart: always