I'm trying to launch 1 docker compose file that lists out every container, along with Routers, Middlewares, etc. Along with that, I'm trying to issue 1 certificate that would cover all subdomains (which I thought was the purpose of a Wildcard cert). Unfortunately, from the Traefik logs, it looks like each subdomain is attempting to get its own certificate, although it frequently fails. I'm new to all of this, so the below docker-compose has been adapted from the Smart Home Beginner tutorial, using the modification for Traefik 2.0 listed on GitHub.
docker-compose.yml
```yaml
version: "3.7"

########################### NETWORKS
networks:
  t2_proxy:
    external:
      name: t2_proxy
  default:
    driver: bridge

########################### SERVICES
services:

  ############################# FRONTENDS

  # Traefik - Reverse Proxy
  # docker network create --gateway 192.168.90.1 --subnet 192.168.20.0/24 t2_proxy
  # Subnet range 192.168.0.0/16 covers 192.168.0.0 to 192.168.255.255
  # touch ${APPDATA}/traefik/acme/acme.json
  # chmod 600 ${APPDATA}/traefik/acme/acme.json
  # touch ${APPDATA}/traefik/traefik.log
  traefik:
    container_name: traefik
    image: traefik:latest
    restart: always
    command: # CLI arguments # https://docs.traefik.io/v2.0/reference/static-configuration/cli/
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=true
      ## Entrypoints Settings - https://docs.traefik.io/routing/entrypoints/#configuration ##
      - --entryPoints.http.address=:80
      # https://www.reddit.com/r/docker/comments/c1wrep/traefik_reverse_proxy_question_docker_overlay/
      - --entrypoints.http.forwardedHeaders.trustedIPs=127.0.0.1/31,192.168.20.1/24
      - --entrypoints.http.proxyProtocol=true
      - --entrypoints.http.proxyProtocol.trustedIPs=127.0.0.1/31,192.168.20.1/24
      - --entryPoints.https.address=:443
      - --entryPoints.traefik.address=:8080
      ## API Settings - https://docs.traefik.io/operations/api/, endpoints - https://docs.traefik.io/operations/api/#endpoints ##
      - --api=true
      - --api.insecure=true # <== Enabling insecure api, NOT RECOMMENDED FOR PRODUCTION
      - --serversTransport.insecureSkipVerify=true
      - --log=true
      - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --accessLog=true
      - --accessLog.filePath=/var/log/docker/traefik.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=400-499
      ## Provider Settings - https://docs.traefik.io/providers/docker/#provider-configuration ##
      - --providers.docker=true
      - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=t2_proxy
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
      # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file.
      - --providers.file.watch=true # Only works on top level files in the rules folder
      ## Certificate Settings (Let's Encrypt) - https://docs.traefik.io/https/acme/#configuration-examples ##
      # Enable a dns challenge named "le"
      - --certificatesResolvers.le.acme.dnsChallenge=true
      - --certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # uncomment when testing
      - --certificatesResolvers.le.acme.email=$EMAIL
      - --certificatesResolvers.le.acme.storage=/acme.json
      - --certificatesResolvers.le.acme.dnsChallenge.provider=duckdns
      - --certificatesResolvers.le.acme.dnsChallenge.delayBeforeCheck=30
    networks:
      t2_proxy:
        ipv4_address: 192.168.20.123
    ports:
      # https://www.reddit.com/r/docker/comments/c1wrep/traefik_reverse_proxy_question_docker_overlay/
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
    volumes:
      - ${APPDATA}/traefik/rules:/rules # file provider directory
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${APPDATA}/traefik/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
      - ${APPDATA}/traefik/traefik.log:/var/log/docker/traefik.log # for fail2ban - make sure to touch file before starting container
      - ${APPDATA}/shared:/shared
      # - ${APPDATA}/traefik:/etc/traefik
    environment:
      - DUCKDNS_TOKEN=$DUCKDNS_TOKEN
    labels:
      - "traefik.enable=true"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
      - "traefik.http.routers.traefik-rtr.tls=true"
      - "traefik.http.routers.traefik-rtr.tls.certresolver=le"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
      ## Middlewares
      - "traefik.http.routers.traefik-rtr.middlewares=traefik-headers,rate-limit@file,oauth@file" #basic-auth@file
      - "traefik.http.middlewares.traefik-headers.headers.accesscontrolallowmethods=GET, OPTIONS, PUT"
      - "traefik.http.middlewares.traefik-headers.headers.accesscontrolalloworigin=https://$DOMAINNAME"
      - "traefik.http.middlewares.traefik-headers.headers.accesscontrolmaxage=100"
      - "traefik.http.middlewares.traefik-headers.headers.addvaryheader=true"
      - "traefik.http.middlewares.traefik-headers.headers.allowedhosts=traefik.$DOMAINNAME"
      - "traefik.http.middlewares.traefik-headers.headers.hostsproxyheaders=X-Forwarded-Host"
      - "traefik.http.middlewares.traefik-headers.headers.sslredirect=true"
      - "traefik.http.middlewares.traefik-headers.headers.sslhost=traefik.$DOMAINNAME"
      - "traefik.http.middlewares.traefik-headers.headers.sslforcehost=true"
      - "traefik.http.middlewares.traefik-headers.headers.sslproxyheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.traefik-headers.headers.stsseconds=63072000"
      - "traefik.http.middlewares.traefik-headers.headers.stsincludesubdomains=true"
      - "traefik.http.middlewares.traefik-headers.headers.stspreload=true"
      - "traefik.http.middlewares.traefik-headers.headers.forcestsheader=true"
      - "traefik.http.middlewares.traefik-headers.headers.framedeny=true"
      - "traefik.http.middlewares.traefik-headers.headers.customFrameOptionsValue='allow-from https:$DOMAINNAME'"
      # - "traefik.http.middlewares.traefik-headers.headers.customframeoptionsvalue=SAMEORIGIN" # This option overrides FrameDeny
      - "traefik.http.middlewares.traefik-headers.headers.contenttypenosniff=true"
      - "traefik.http.middlewares.traefik-headers.headers.browserxssfilter=true"
      # - "traefik.http.middlewares.traefik-headers.headers.contentsecuritypolicy=frame-ancestors 'none'; object-src 'none'; base-uri 'none';"
      - "traefik.http.middlewares.traefik-headers.headers.referrerpolicy=same-origin"
      - "traefik.http.middlewares.traefik-headers.headers.featurepolicy=camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
      - "traefik.http.middlewares.traefik-headers.headers.customresponseheaders.X-Robots-Tag=none,noarchive,nosnippet,notranslate,noimageindex,"
      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"

  # Duck DNS
  # https://hub.docker.com/r/linuxserver/duckdns/
  duckdns:
    container_name: duckdns
    image: linuxserver/duckdns:latest
    environment:
      - TZ=${TZ}
      - PUID=${PUID} #optional
      - PGID=${PGID} #optional
      - SUBDOMAINS=${SUBDOMAIN}
      - TOKEN=${DUCKDNS_TOKEN}
      - LOG_FILE=false #optional
    # Volumes store your data between container upgrades
    volumes:
      - ${APPDATA}/duckdns/config:/config
    restart: always
    labels:
      ## HTTP Routers
      - "traefik.http.routers.duckdns-rtr.entrypoints=https"
      - "traefik.http.routers.duckdns-rtr.rule=Host(`duckdns.$DOMAINNAME`)"
      - "traefik.http.routers.duckdns-rtr.tls=true"
      - "traefik.http.routers.duckdns-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.duckdns-rtr.middlewares=secure-chain@file"
      ## HTTP Services
      - "traefik.http.routers.duckdns-rtr.service=duckdns-svc"
      - "traefik.http.services.duckdns-svc.loadbalancer.server.port=80"

  # Portainer - WebUI for Containers
  portainer:
    container_name: portainer
    image: portainer/portainer:latest
    restart: always
    command: -H unix:///var/run/docker.sock
    networks:
      - t2_proxy
    ports:
      - "$PORTAINER_PORT:9000"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${APPDATA}/portainer/data:/data # Change to local directory if you want to save/transfer config locally
    environment:
      - TZ=${TZ}
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.portainer-rtr.entrypoints=https"
      - "traefik.http.routers.portainer-rtr.rule=Host(`portainer.$DOMAINNAME`)"
      - "traefik.http.routers.portainer-rtr.tls=true"
      - "traefik.http.routers.portainer-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.portainer-rtr.middlewares=secure-chain@file"
      ## HTTP Services
      - "traefik.http.routers.portainer-rtr.service=portainer-svc"
      - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000"

  # Organizr - Unified Frontend
  organizr:
    container_name: organizr
    image: organizrtools/organizr-v2:latest
    restart: unless-stopped
    networks:
      - t2_proxy
    ports:
      - "$ORGANIZR_PORT:80"
    volumes:
      - ${APPDATA}/organizr:/config
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.organizr-rtr.entrypoints=https"
      - "traefik.http.routers.organizr-rtr.rule=Host(`$DOMAINNAME`,`www.$DOMAINNAME`)"
      - "traefik.http.routers.organizr-rtr.tls=true"
      - "traefik.http.routers.organizr-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.organizr-rtr.middlewares=noauth-chain@file"
      # - "traefik.http.middlewares.organizr-headers.headers.customResponseHeaders.sslHost=$DOMAINNAME"
      # - "traefik.http.middlewares.organizr-headers.headers.customResponseHeaders='X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex'"
      # - "traefik.http.middlewares.organizr-headers.headers.browserxssfilter=true"
      # - "traefik.http.middlewares.organizr-headers.headers.contentsecuritypolicy=frame-ancestors 'none'; object-src 'none'; script-src 'none'; base-uri 'none';"
      # - "traefik.http.middlewares.organizr-headers.headers.referrerpolicy=same-origin"
      ## HTTP Services
      - "traefik.http.routers.organizr-rtr.service=organizr-svc"
      - "traefik.http.services.organizr-svc.loadbalancer.server.port=80"

  ## Heimdall - Homepage
  heimdall:
    container_name: heimdall
    image: linuxserver/heimdall:latest
    restart: always
    networks:
      - t2_proxy
    ports:
      - "$HEIMDALL_PORT:80"
    volumes:
      - ${APPDATA}/heimdall:/config
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.heimdall-rtr.entrypoints=https"
      - "traefik.http.routers.heimdall-rtr.rule=Host(`heimdall.$DOMAINNAME`)"
      - "traefik.http.routers.heimdall-rtr.tls=true"
      - "traefik.http.routers.heimdall-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.heimdall-rtr.middlewares=secure-chain@file"
      ## HTTP Services
      - "traefik.http.routers.heimdall-rtr.service=heimdall-svc"
      - "traefik.http.services.heimdall-svc.loadbalancer.server.port=80"

  ## Autoindex - Simple Directory Index
  autoindex:
    container_name: autoindex
    image: dceoy/nginx-autoindex:latest
    restart: always
    networks:
      - t2_proxy
    ports:
      - "${AUTOINDEX_PORT}:80"
    volumes:
      - /media:/var/lib/nginx/html:ro # Location you want to index
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.autoindex-rtr.entrypoints=https"
      - "traefik.http.routers.autoindex-rtr.rule=Host(`index.$DOMAINNAME`)"
      - "traefik.http.routers.autoindex-rtr.tls=true"
      - "traefik.http.routers.autoindex-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.autoindex-rtr.middlewares=secure-chain@file"
      ## HTTP Services
      - "traefik.http.routers.autoindex-rtr.service=autoindex-svc"
      - "traefik.http.services.autoindex-svc.loadbalancer.server.port=80"

  ############################# SMART HOME

  # Mosquitto - MQTT Broker
  # Create mosquitto.conf, passwd, mosquitto.log files and set permissions to 775 user:docker
  # dexec mosquitto /bin/sh -> mosquitto_passwd -b /mosquitto/config/passwd username passwd
  mosquitto:
    image: eclipse-mosquitto
    container_name: mosquitto
    hostname: mosquitto
    restart: unless-stopped
    ports:
      - "${MOSQUITTO_HTTP_PORT}:1883" #http
      - "${MOSQUITTO_WEBSOCKETS_PORT}:9001" #websockets
      - "${MOSQUITTO_HTTPS_PORT}:8883" #https
    volumes:
      - ${APPDATA}/mosquitto/config/mosquitto.conf:/mosquitto/config/mosquitto.conf
      - ${APPDATA}/mosquitto/config/passwd:/mosquitto/config/passwd
      - ${APPDATA}/shared:/shared
    environment:
      PUID: ${PUID}
      PGID: ${PGID}
      TZ: ${TZ}

  # ZoneMinder - Video Surveillance
  # Create the database and initial tables using the init script. Database zm, username zmuser, and password zmpass - cannot customize zm, zmuser, or zmpass.
  zoneminder:
    image: quantumobject/docker-zoneminder
    # image: adc3c7a0ca0a
    container_name: zoneminder
    hostname: zoneminder
    restart: unless-stopped
    networks:
      - t2_proxy
    ports:
      - "$ZONEMINDER_HTTP_PORT:80"
      - "$ZONEMINDER_HTTPS_PORT:443"
      - "$ZONEMINDER_EVENT_NOTIF_PORT:9000" # Event Notification Port
    privileged: true
    shm_size: 4096m
    volumes:
      - /var/empty
      - ${APPDATA}/shared:/shared
      - ${APPDATA}/zoneminder/backups:/var/backups
      - ${APPDATA}/zoneminder/zoneminder:/var/cache/zoneminder
      - ${APPDATA}/zoneminder/config:/config
      - type: tmpfs
        target: /dev/shm
    environment:
      SHMEM: "50%"
      PUID: ${PUID}
      PGID: ${PGID}
      TZ: ${TZ}
      PHP_TZ: ${TZ}
      ZM_DB_HOST: ${DB_HOST}
      ZM_DB_PORT: ${DB_PORT}
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
      MYSQL_ROOT: ${USER}
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.zoneminder-rtr.entrypoints=https"
      - "traefik.http.routers.zoneminder-rtr.rule=Host(`zone.$DOMAINNAME`)"
      - "traefik.http.routers.zoneminder-rtr.tls=true"
      - "traefik.http.routers.zoneminder-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.zoneminder-rtr.middlewares=secure-chain@file"
      ## HTTP Services
      - "traefik.http.routers.zoneminder-rtr.service=zoneminder-svc"
      - "traefik.http.services.zoneminder-svc.loadbalancer.server.port=80"

  ############################# DATABASE

  # MariaDB - MySQL Database
  mariadb:
    container_name: mariadb
    image: linuxserver/mariadb:latest
    restart: always
    networks:
      - default
      # - t2_proxy:
      #     ipv4_address: 192.168.12.123
    ports:
      - "3306:3306"
    volumes:
      - ${APPDATA}/mariadb/data:/config
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - MYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASSWORD

  # InfluxDB - Database for sensor data
  # Create influxdb.conf
  influxdb:
    image: influxdb
    container_name: influxdb
    hostname: influxdb
    restart: always
    ports:
      - "${INFLUXDB_PORT}:8086"
    volumes:
      # - ${APPDATA}/influxdb/influxdb.conf:/etc/influxdb/influxdb.conf:ro
      - ${APPDATA}/influxdb/db:/var/lib/influxdb
    command: -config /etc/influxdb/influxdb.conf

  # Postgres - Database
  postgres:
    image: postgres
    container_name: postgres
    hostname: postgres
    restart: always
    volumes:
      - ${APPDATA}/postgres:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${STATPING_DB_PASS}
      POSTGRES_USER: ${STATPING_DB_USER}
      POSTGRES_DB: ${STATPING_DB}

  # phpMyAdmin - Database management
  # Create a new user with admin privileges. Cannot login as root.
  phpmyadmin:
    image: phpmyadmin/phpmyadmin
    container_name: phpmyadmin
    hostname: phpmyadmin
    restart: unless-stopped
    networks:
      - t2_proxy
      - default
    ports:
      - "$PHPMYADMIN_PORT:80"
    depends_on:
      - mariadb
    links:
      - mariadb:db
    volumes:
      - ${APPDATA}/phpmyadmin:/etc/phpmyadmin
    environment:
      PMA_HOST: ${DB_HOST}
      PMA_PORT: ${DB_PORT}
      # PMA_ARBITRARY: 1
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.phpmyadmin-rtr.entrypoints=https"
      - "traefik.http.routers.phpmyadmin-rtr.rule=Host(`pma.$DOMAINNAME`)"
      - "traefik.http.routers.phpmyadmin-rtr.tls=true"
      - "traefik.http.routers.phpmyadmin-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.phpmyadmin-rtr.middlewares=secure-chain@file"
      ## HTTP Services
      - "traefik.http.routers.phpmyadmin-rtr.service=phpmyadmin-svc"
      - "traefik.http.services.phpmyadmin-svc.loadbalancer.server.port=80"

  # Grafana - Graphical data visualization for InfluxDB data
  grafana:
    image: grafana/grafana
    container_name: grafana
    hostname: grafana
    restart: unless-stopped
    networks:
      - t2_proxy
      - default
    ports:
      - "${GRAFANA_PORT}:3000"
    depends_on:
      - "influxdb"
    user: "0"
    volumes:
      - ${APPDATA}/grafana:/var/lib/grafana
    environment:
      GF_INSTALL_PLUGINS: "grafana-clock-panel,grafana-simple-json-datasource,grafana-worldmap-panel,grafana-piechart-panel"
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.grafana-rtr.entrypoints=https"
      - "traefik.http.routers.grafana-rtr.rule=Host(`grafana.$DOMAINNAME`)"
      - "traefik.http.routers.grafana-rtr.tls=true"
      - "traefik.http.routers.grafana-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.grafana-rtr.middlewares=secure-chain@file"
      ## HTTP Services
      - "traefik.http.routers.grafana-rtr.service=grafana-svc"
      - "traefik.http.services.grafana-svc.loadbalancer.server.port=3000"

  # Bazarr - Subtitle Management
  bazarr:
    image: linuxserver/bazarr
    container_name: bazarr
    hostname: bazarr
    restart: unless-stopped
    networks:
      - t2_proxy
    ports:
      - "${BAZARR_PORT}:6767"
    volumes:
      - ${APPDATA}/bazarr:/config
      # - /media:/nas
    environment:
      PUID: ${PUID}
      PGID: ${PGID}
      TZ: ${TZ}
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.bazarr-rtr.entrypoints=https"
      - "traefik.http.routers.bazarr-rtr.rule=Host(`bazarr.$DOMAINNAME`)"
      - "traefik.http.routers.bazarr-rtr.tls=true"
      - "traefik.http.routers.bazarr-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.bazarr-rtr.middlewares=secure-chain@file"
      ## HTTP Services
      - "traefik.http.routers.bazarr-rtr.service=bazarr-svc"
      - "traefik.http.services.bazarr-svc.loadbalancer.server.port=6767"

  # Picard - Music Library Tagging and Management
  picard:
    image: mikenye/picard
    container_name: picard
    hostname: picard
    restart: unless-stopped
    networks:
      - t2_proxy
    ports:
      - "${PICARD_PORT}:5800"
    volumes:
      - ${APPDATA}/Downloads/wip_media:/wip_media:rw
      - ${APPDATA}/picard:/config:rw
      # - /media/ds918/media/music:/music:rw
      - /dev/shm:/dev/shm
    environment:
      USER_ID: ${PUID}
      GROUP_ID: ${PGID}
      TZ: ${TZ}
      UMASK: "002" # quoted so YAML keeps the leading zero
      DISPLAY_WIDTH: 1600
      DISPLAY_HEIGHT: 960
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.picard-rtr.entrypoints=https"
      - "traefik.http.routers.picard-rtr.rule=Host(`picard.$DOMAINNAME`)"
      - "traefik.http.routers.picard-rtr.tls=true"
      - "traefik.http.routers.picard-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.picard-rtr.middlewares=secure-chain@file"
      ## HTTP Services
      - "traefik.http.routers.picard-rtr.service=picard-svc"
      - "traefik.http.services.picard-svc.loadbalancer.server.port=5800"

  # MKVToolNix - Video Editing (Remuxing - changing media container while keeping original source quality)
  mkvtoolnix:
    image: jlesage/mkvtoolnix
    container_name: mkvtoolnix
    hostname: mkvtoolnix
    restart: unless-stopped
    networks:
      - t2_proxy
    ports:
      - "${MKVTOOLNIX_PORT}:5800"
    volumes:
      - ${APPDATA}/Downloads:/downloads:rw
      - ${APPDATA}/mkvtoolnix/config:/config:rw
    environment:
      USER_ID: ${PUID}
      GROUP_ID: ${PGID}
      UMASK: "002" # quoted so YAML keeps the leading zero
      TZ: ${TZ}
      KEEP_APP_RUNNING: 1
      CLEAN_TMP_DIR: 1
      DISPLAY_WIDTH: 1600
      DISPLAY_HEIGHT: 960
      VNC_PASSWORD: ${MKVTOOLNIX_VNC_PASSWD}
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.mkvtoolnix-rtr.entrypoints=https"
      - "traefik.http.routers.mkvtoolnix-rtr.rule=Host(`mkvtoolnix.$DOMAINNAME`)"
      - "traefik.http.routers.mkvtoolnix-rtr.tls=true"
      - "traefik.http.routers.mkvtoolnix-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.mkvtoolnix-rtr.middlewares=secure-chain@file"
      ## HTTP Services
      - "traefik.http.routers.mkvtoolnix-rtr.service=mkvtoolnix-svc"
      - "traefik.http.services.mkvtoolnix-svc.loadbalancer.server.port=5800"

  # MakeMKV - Video Editing (Ripping from Disks)
  makemkv:
    image: jlesage/makemkv
    container_name: makemkv
    hostname: makemkv
    restart: unless-stopped
    networks:
      - t2_proxy
    ports:
      - "${MAKEMKV_PORT}:5800"
    volumes:
      - ${APPDATA}/Downloads:/Downloads:rw
      - ${APPDATA}/makemkv/config:/config:rw
      - ${APPDATA}/Downloads/wip_media:/output:rw
      - /dev/shm:/dev/shm
    environment:
      USER_ID: ${PUID}
      GROUP_ID: ${PGID}
      UMASK: "002" # quoted so YAML keeps the leading zero
      TZ: ${TZ}
      KEEP_APP_RUNNING: 1
      CLEAN_TMP_DIR: 1
      DISPLAY_WIDTH: 1600
      DISPLAY_HEIGHT: 960
      VNC_PASSWORD: ${MAKEMKV_VNC_PASSWD}
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.makemkv-rtr.entrypoints=https"
      - "traefik.http.routers.makemkv-rtr.rule=Host(`makemkv.$DOMAINNAME`)"
      - "traefik.http.routers.makemkv-rtr.tls=true"
      - "traefik.http.routers.makemkv-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.makemkv-rtr.middlewares=secure-chain@file"
      ## HTTP Services
      - "traefik.http.routers.makemkv-rtr.service=makemkv-svc"
      - "traefik.http.services.makemkv-svc.loadbalancer.server.port=5800"

  ############################# FILE MANAGEMENT

  # Nextcloud
  nextcloud:
    image: linuxserver/nextcloud
    hostname: nextcloud
    container_name: nextcloud
    restart: unless-stopped
    # network_mode: host
    networks:
      - t2_proxy
    ports:
      - "${NEXTCLOUD_PORT}:443"
    volumes:
      - ${SHAREDFOLDERS}/user/nextcloud-data:/data:rw
      - ${APPDATA}/nextcloud:/config:rw
      - ${APPDATA}/shared:/shared:rw
    environment:
      USER_ID: ${PUID}
      GROUP_ID: ${PGID}
      TZ: ${TZ}
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.nextcloud-rtr.entrypoints=https"
      - "traefik.http.routers.nextcloud-rtr.rule=Host(`nextcloud.$DOMAINNAME`)"
      - "traefik.http.routers.nextcloud-rtr.tls=true"
      - "traefik.http.routers.nextcloud-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.nextcloud-rtr.middlewares=secure-chain@file"
      ## HTTP Services
      - "traefik.http.routers.nextcloud-rtr.service=nextcloud-svc"
      - "traefik.http.services.nextcloud-svc.loadbalancer.server.port=4433"

  ############################# UTILITIES

  # Firefox - Web Browser
  firefox:
    image: jlesage/firefox
    container_name: firefox
    hostname: firefox
    restart: unless-stopped
    networks:
      - t2_proxy
    ports:
      - "${FIREFOX_PORT}:5800"
    volumes:
      - ${APPDATA}/firefox:/config
      - ${APPDATA}/Downloads/completed:/config/downloads
      - /dev/shm:/dev/shm
      - ${APPDATA}/shared:/shared
    environment:
      USER_ID: ${PUID}
      GROUP_ID: ${PGID}
      TZ: ${TZ}
      UMASK: "002" # quoted so YAML keeps the leading zero
      KEEP_APP_RUNNING: 1
      CLEAN_TMP_DIR: 1
      DISPLAY_WIDTH: 1600
      DISPLAY_HEIGHT: 960
      VNC_PASSWD: ${FIREFOX_VNC_PASSWD}
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.firefox-rtr.entrypoints=https"
      - "traefik.http.routers.firefox-rtr.rule=Host(`firefox.$DOMAINNAME`)"
      - "traefik.http.routers.firefox-rtr.tls=true"
      - "traefik.http.routers.firefox-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.firefox-rtr.middlewares=secure-chain@file"
      ## HTTP Services
      - "traefik.http.routers.firefox-rtr.service=firefox-svc"
      - "traefik.http.services.firefox-svc.loadbalancer.server.port=5800"

  # Glances - System Information
  glances:
    image: nicolargo/glances
    hostname: glances
    container_name: glances
    restart: unless-stopped
    privileged: true
    # network_mode: host
    networks:
      - t2_proxy
    ports:
      - "${GLANCES_PORT}:61208"
    pid: host
    volumes:
      - ${APPDATA}/glances/glances.conf:/glances/conf/glances.conf # Use this if you want to add a glances.conf file
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      # GLANCES_OPT: "-C /glances/conf/glances.conf --quiet --export influxdb"
      GLANCES_OPT: "-w"
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.glances-rtr.entrypoints=https"
      - "traefik.http.routers.glances-rtr.rule=Host(`glances.$DOMAINNAME`)"
      - "traefik.http.routers.glances-rtr.tls=true"
      - "traefik.http.routers.glances-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.glances-rtr.middlewares=secure-chain@file"
      ## HTTP Services
      - "traefik.http.routers.glances-rtr.service=glances-svc"
      - "traefik.http.services.glances-svc.loadbalancer.server.port=61208"

  # APCUPSD - APC UPS Management
  # https://github.com/gersilex/apcupsd-docker
  # create the apcupsd.conf file
  apcupsd:
    image: gersilex/apcupsd
    container_name: apcupsd
    hostname: apcupsd
    restart: unless-stopped
    networks:
      - t2_proxy
    ports:
      - "${APCUPSD_PORT}:3551"
    privileged: true
    tty: true
    volumes:
      - /tmp/apcupsd-docker:/tmp/apcupsd-docker
      - ${APPDATA}/apcupsd/apcupsd.conf:/etc/apcupsd/apcupsd.conf
      - ${APPDATA}/apcupsd/doshutdown:/etc/apcupsd/doshutdown
      - ${APPDATA}/apcupsd/apcupsd.events:/var/log/apcupsd.events

  # StatPing - Status Page & Monitoring Server
  statping:
    image: hunterlong/statping
    container_name: statping
    hostname: statping
    restart: unless-stopped
    networks:
      - t2_proxy
    ports:
      - "${STATPING_PORT}:8080"
    volumes:
      - ${APPDATA}/statping:/app
    environment:
      VIRTUAL_HOST: localhost
      VIRTUAL_PORT: 8080
      DB_CONN: postgres
      DB_HOST: postgres
      DB_USER: ${STATPING_DB_USER}
      DB_PASS: ${STATPING_DB_PASS}
      DB_DATABASE: ${STATPING_DB}
      IS_DOCKER: "true"
      DISABLE_LOGS: "false"
      NAME: StatPing
      DESCRIPTION: Monitor web services
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.statping-rtr.entrypoints=https"
      - "traefik.http.routers.statping-rtr.rule=Host(`statping.$DOMAINNAME`)"
      - "traefik.http.routers.statping-rtr.tls=true"
      - "traefik.http.routers.statping-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.statping-rtr.middlewares=noauth-chain@file"
      ## HTTP Services
      - "traefik.http.routers.statping-rtr.service=statping-svc"
      - "traefik.http.services.statping-svc.loadbalancer.server.port=8080"

  ############################# MAINTENANCE

  # Ouroboros - Automatic Docker Container Updates
  ouroboros:
    image: pyouroboros/ouroboros
    container_name: ouroboros
    hostname: ouroboros
    restart: unless-stopped
    networks:
      - default
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      TZ: ${TZ}
      INTERVAL: 86400
      LOG_LEVEL: debug
      SELF_UPDATE: "true"
      CLEANUP: "true"
      IGNORE: traefik influxdb hassio_dns homeassistant hassio_supervisor addon_core_check_config addon_62c7908d_autobackup plexms
      NOTIFIERS: 'tgram://${TGRAM_BOT_TOKEN}/${TGRAM_CHAT_ID}/'
```
This setup (trimmed for this post) has given me the following:
`traefik | 2020-02-06T17:14:47.032745466Z time="2020-02-06T17:14:47Z" level=error msg="Unable to obtain ACME certificate for domains \"mydomain.duckdns.org,*.mydomain.duckdns.org\" : unable to generate a certificate for the domains [mydomain.duckdns.org *.mydomain.duckdns.org]: acme: Error -> One or more domains had a problem:\n[*.mydomain.duckdns.org] time limit exceeded: last error: NS ns3.duckdns.org. did not return the expected TXT record [fqdn: _acme-challenge.mydomain.duckdns.org., value: --value redacted--\n[mydomain.duckdns.org] time limit exceeded: last error: NS ns1.duckdns.org. did not return the expected TXT record [fqdn: _acme-challenge.mydomain.duckdns.org., value: --value redacted-- \n" providerName=le.acme
I've tried modifying `--certificatesResolvers.le.acme.dnsChallenge.delayBeforeCheck=30`, but no matter how many times, I still end up with issues. Sometimes no TXT is found, other times it's not the right TXT. I've looked through docs on Traefik, Let's Encrypt, lego, DuckDNS, as well as many forums with no dice.
Help!
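An added example (not code from the post, from Traefik or from the Smart Home Beginner tutorial) that makes the "each subdomain is attempting to get its own certificate" observation concrete. Traefik v2 documents that a router with `tls.certresolver` and no `tls.domains` requests a certificate for the `Host()` names in its rule, and that `tls.domains[n].main` / `sans` replace that list. In the compose file above only `traefik-rtr` carries `tls.domains` (main + wildcard); every other router has `tls.certresolver=le` and a single `Host()`, so each one asks for a certificate of its own. The script parses labels of that shape, lists the certificates each router asks for, and reports which of those names a single main-plus-wildcard certificate would cover. The domain `mydomain.duckdns.org` is the redacted value from the log line and the labels are copied from three of the post's services; nothing here talks to Traefik or to an ACME server.

```python
"""Enumerate the ACME requests implied by Traefik v2 Docker labels (added example)."""
import re
from collections import defaultdict

DOMAINNAME = "mydomain.duckdns.org"  # stand-in for the post's $DOMAINNAME (redacted in the log)

# Labels copied from the post's traefik, portainer and organizr services, $DOMAINNAME expanded.
SAMPLE_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.http-catchall.entrypoints=http",
    "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)",
    "traefik.http.routers.traefik-rtr.entrypoints=https",
    f"traefik.http.routers.traefik-rtr.rule=Host(`traefik.{DOMAINNAME}`)",
    "traefik.http.routers.traefik-rtr.tls=true",
    "traefik.http.routers.traefik-rtr.tls.certresolver=le",
    f"traefik.http.routers.traefik-rtr.tls.domains[0].main={DOMAINNAME}",
    f"traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.{DOMAINNAME}",
    f"traefik.http.routers.portainer-rtr.rule=Host(`portainer.{DOMAINNAME}`)",
    "traefik.http.routers.portainer-rtr.tls.certresolver=le",
    f"traefik.http.routers.organizr-rtr.rule=Host(`{DOMAINNAME}`,`www.{DOMAINNAME}`)",
    "traefik.http.routers.organizr-rtr.tls.certresolver=le",
]

HOST_RE = re.compile(r"\bHost\(([^)]*)\)")   # Host(...) only, not HostRegexp(...)
BACKTICK_RE = re.compile(r"`([^`]*)`")


def parse_router_labels(labels):
    """Group ``traefik.http.routers.<name>.<key>=<value>`` labels by router name."""
    routers = defaultdict(dict)
    for label in labels:
        key, sep, value = label.strip().strip('"').partition("=")
        parts = key.split(".")
        if not sep or parts[:3] != ["traefik", "http", "routers"] or len(parts) < 5:
            continue
        routers[parts[3]][".".join(parts[4:])] = value
    return dict(routers)


def hosts_from_rule(rule):
    """Host names listed inside the Host() matchers of a router rule."""
    return [h for m in HOST_RE.finditer(rule) for h in BACKTICK_RE.findall(m.group(1))]


def certificate_requests(labels):
    """Map router name -> list of domain lists (one inner list per certificate requested)."""
    requests = {}
    for name, conf in parse_router_labels(labels).items():
        if "tls.certresolver" not in conf:
            continue  # no resolver on this router: no ACME request
        explicit, i = [], 0
        while f"tls.domains[{i}].main" in conf:   # tls.domains[i] overrides the rule's hosts
            domains = [conf[f"tls.domains[{i}].main"]]
            sans = conf.get(f"tls.domains[{i}].sans", "")
            domains += [s.strip() for s in sans.split(",") if s.strip()]
            explicit.append(domains)
            i += 1
        requests[name] = explicit or [hosts_from_rule(conf.get("rule", ""))]
    return requests


def covered(host, cert_domains):
    """True if a certificate issued for cert_domains matches host.
    A wildcard label matches exactly one DNS label (RFC 6125 6.4.3), so
    '*.example.org' covers 'www.example.org' but not 'example.org' or 'a.b.example.org'."""
    for d in cert_domains:
        if d == host:
            return True
        if d.startswith("*.") and host.count(".") == d.count(".") and host.endswith(d[1:]):
            return True
    return False


def not_covered_by(labels, wildcard_cert):
    """Routers that request at least one name wildcard_cert would not satisfy."""
    return sorted(
        name for name, certs in certificate_requests(labels).items()
        if not all(covered(h, wildcard_cert) for cert in certs for h in cert)
    )


if __name__ == "__main__":
    for router, certs in certificate_requests(SAMPLE_LABELS).items():
        for cert in certs:
            print(f"{router}: certificate for {', '.join(cert)}")
    print("not covered by main+wildcard:",
          not_covered_by(SAMPLE_LABELS, [DOMAINNAME, f"*.{DOMAINNAME}"]))
```

Run against the three sample services it prints one certificate per router: the main-plus-wildcard pair for `traefik-rtr`, `portainer.mydomain.duckdns.org` on its own, and the apex plus `www` for `organizr-rtr`; the last line is empty because a certificate for `mydomain.duckdns.org, *.mydomain.duckdns.org` would satisfy every name the routers ask for, while a wildcard-only certificate would leave the two routers that need the apex name uncovered.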
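A second added example (not code from the post, Traefik or lego), this time for the log line itself: `NS ns3.duckdns.org. did not return the expected TXT record` is lego's own pre-check, which asks the zone's authoritative servers for `_acme-challenge.<name>` before the ACME server is told to validate. One thing worth knowing when reading that message: dns-01 for `mydomain.duckdns.org` and for `*.mydomain.duckdns.org` both validate at the same `_acme-challenge.mydomain.duckdns.org` name, so a main-plus-wildcard order needs two TXT values on that one name at the same time. The script below repeats the pre-check per nameserver with only the standard library and labels each answer `present`, `stale` (TXT data is there but not the expected token) or `missing`, which maps onto the "sometimes no TXT, sometimes the wrong TXT" symptom. The nameserver names come from the log; the challenge name and the token are constructed, and `build_txt_response` exists only so the parser can be exercised offline.

```python
"""Per-nameserver check of the _acme-challenge TXT record (added example, stdlib only)."""
import socket
import struct

TXT = 16
CHALLENGE = "_acme-challenge.mydomain.duckdns.org"   # constructed from the redacted log line
NAMESERVERS = ["ns1.duckdns.org", "ns3.duckdns.org"]  # the authorities named in the log


def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def build_txt_query(name, txid=0x1234):
    """DNS query: header with RD set, one TXT/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", TXT, 1)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_txt_answers(msg):
    """Return (rcode, [txt strings]) from a DNS response message."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                             # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    txts = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TXT:                            # RDATA is a sequence of <len><chars>
            p, parts = 0, []
            while p < len(rdata):
                parts.append(rdata[p + 1:p + 1 + rdata[p]].decode("utf-8", "replace"))
                p += 1 + rdata[p]
            txts.append("".join(parts))
    return flags & 0x000F, txts


def evaluate(expected, txts):
    """'present' if the token is served, 'stale' if other TXT data is, else 'missing'."""
    if expected in txts:
        return "present"
    return "stale" if txts else "missing"


def build_txt_response(name, values, txid=0x1234):
    """Constructed reply for offline testing: one TXT RR per value, owner name
    written as a compression pointer to the question name at offset 12."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(values), 0, 0)
    msg += _encode_name(name) + struct.pack("!HH", TXT, 1)
    for v in values:
        rdata = bytes([len(v)]) + v.encode("ascii")
        msg += b"\xC0\x0C" + struct.pack("!HHIH", TXT, 1, 60, len(rdata)) + rdata
    return msg


def query_txt(name, server, timeout=5.0):
    """Ask one nameserver directly over UDP; returns (rcode, txts)."""
    query = build_txt_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (socket.gethostbyname(server), 53))
        reply, _ = s.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_txt_answers(reply)


def check_challenge(name, expected, servers):
    """Verdict per authoritative server, the same idea as lego's pre-check."""
    report = {}
    for server in servers:
        try:
            rcode, txts = query_txt(name, server)
            report[server] = (evaluate(expected, txts), txts)
        except (OSError, ValueError) as exc:
            report[server] = ("error", [str(exc)])
    return report


if __name__ == "__main__":
    import sys
    token = sys.argv[1] if len(sys.argv) > 1 else "EXPECTED-TOKEN-PLACEHOLDER"
    for server, (verdict, txts) in check_challenge(CHALLENGE, token, NAMESERVERS).items():
        print(f"{server}: {verdict} {txts}")
```

Run it with the token Traefik logs at DEBUG level while the challenge is pending (after `delayBeforeCheck` would have elapsed) and compare the servers: a `stale` on one authority and `present` on another points at propagation lag between the DuckDNS servers, while a single value where two are expected shows the record holding only one of the two tokens the main-plus-wildcard order needs.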