docker-compose.yml

version: "3.8"

services:
  traefik:
    image: "traefik:v2.10"

    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
        # We only look for containers in this dsuite project to avoid conflicts with
        # another traefik instance on the same host.
      - "--providers.docker.constraints=Label(`com.docker.compose.project`, `dsuite`)"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.email=th.letsencrypt.org@tuxago.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
        # use this while testing to avoid getting rate limited by the prod lets encrypt server
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"

    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt:/letsencrypt"
    networks:
      - front
    restart: always

  code:
    image: gitea/gitea:1.17
    expose:
      - "3000"
    ports:
      - "22:22"
    volumes:
      - "code-data:/data"
    networks:
      - front
      - ldap
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=dsuite_front"
      - "traefik.http.routers.code.entrypoints=websecure"
      - "traefik.http.routers.code.tls.certresolver=myresolver"
      - "traefik.http.routers.code.rule=Host(`code.${DSUITE_FULL_DOMAIN}`)"
        # Since gitea exposes the port 22 on the host, we need to specify the web port ourselves
        # otherwise traefik doesn't select the right one
      - "traefik.http.services.code.loadbalancer.server.port=3000"

  registry:
    image: registry:2
    environment:
      REGISTRY_STORAGE_DELETE_ENABLED: "true"
    volumes:
      - "registry-data:/var/lib/registry"
    networks:
      - front
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=dsuite_front"
      - "traefik.http.routers.registry.entrypoints=websecure"
      - "traefik.http.routers.registry.tls.certresolver=myresolver"
      - "traefik.http.routers.registry.rule=Host(`registry.${DSUITE_FULL_DOMAIN}`)"

  drone:
    image: drone/drone:2
    environment:
      DRONE_SERVER_HOST:         ${DRONE_SERVER_HOST}
      DRONE_SERVER_PROTO:        ${DRONE_SERVER_PROTO}
      DRONE_RPC_SECRET:          ${DRONE_RPC_SECRET}

      DRONE_GITEA_SERVER:        ${DRONE_GITEA_SERVER}
      DRONE_GITEA_CLIENT_ID:     ${DRONE_GITEA_CLIENT_ID}
      DRONE_GITEA_CLIENT_SECRET: ${DRONE_GITEA_CLIENT_SECRET}

    volumes:
      - "drone-data:/var/lib/drone"
    networks:
      - front
      - drone
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=dsuite_front"
      - "traefik.http.routers.drone.entrypoints=websecure"
      - "traefik.http.routers.drone.tls.certresolver=myresolver"
      - "traefik.http.routers.drone.rule=Host(`ci.${DSUITE_FULL_DOMAIN}`)"
      - "traefik.http.services.drone.loadbalancer.server.port=80"

  drone-runner:
    image: drone/drone-runner-docker:1
    environment:
      DRONE_RPC_HOST:   ${DRONE_SERVER_HOST}
      DRONE_RPC_PROTO:  ${DRONE_SERVER_PROTO}
      DRONE_RPC_SECRET: ${DRONE_RPC_SECRET}

      DRONE_RUNNER_CAPACITY: ${DRONE_RUNNER_CAPACITY}
      DRONE_RUNNER_NAME:     ${DRONE_RUNNER_NAME}

    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    networks:
      - drone
    restart: always

  ldap:
    image: osixia/openldap:1.4.0
    environment:
      LDAP_ORGANIZATION:    ${LDAP_ORGANIZATION}
      LDAP_DOMAIN:          ${LDAP_DOMAIN}
      LDAP_ADMIN_PASSWORD:  ${LDAP_ADMIN_PASSWORD}
      LDAP_CONFIG_PASSWORD: ${LDAP_CONFIG_PASSWORD}
    volumes:
      - "ldap-config:/etc/ldap/slapd.d"
      - "ldap-data:/var/lib/ldap"
    networks:
      - ldap
    restart: always

  ldapadmin:
    image: osixia/phpldapadmin:0.8.0
    environment:
      PHPLDAPADMIN_LDAP_HOSTS:   ${PHPLDAPADMIN_LDAP_HOSTS}
      PHPLDAPADMIN_SERVER_ADMIN: ${PHPLDAPADMIN_SERVER_ADMIN}
    depends_on:
      - ldap
    networks:
      - front
      - ldap
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=dsuite_front"
      - "traefik.http.routers.ldapadmin.entrypoints=websecure"
      - "traefik.http.routers.ldapadmin.tls.certresolver=myresolver"
      - "traefik.http.routers.ldapadmin.rule=Host(`ldapadmin.${DSUITE_FULL_DOMAIN}`)"

  ldapweb:
    image: dolanor/ldapweb:latest
    environment:
      LDAPWEB_HOST:                ${LDAP_SERVER_HOST}
      LDAPWEB_PORT:                ${LDAP_SERVER_PORT}
      LDAPWEB_BASEDN:              ${LDAP_SEARCH_BASE}
      LDAPWEB_USERFILTER_TEMPLATE: ${LDAPWEB_USERFILTER_TEMPLATE}
      LDAPWEB_DN_TEMPLATE:         ${LDAPWEB_DN_TEMPLATE}
    networks:
      - front
      - ldap
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=dsuite_front"
      - "traefik.http.routers.ldapweb.entrypoints=websecure"
      - "traefik.http.routers.ldapweb.tls.certresolver=myresolver"
      - "traefik.http.routers.ldapweb.rule=Host(`id.${DSUITE_FULL_DOMAIN}`)"

  nextcloud:
    image: nextcloud:26-apache
    environment:
      NEXTCLOUD_ADMIN_USER:     ${NEXTCLOUD_ADMIN_USER}
      NEXTCLOUD_ADMIN_PASSWORD: ${NEXTCLOUD_ADMIN_PASSWORD}

      MYSQL_HOST:          nextcloud-db
      MYSQL_DATABASE:      ${MYSQL_DATABASE}
      MYSQL_USER:          ${MYSQL_USER}
      MYSQL_PASSWORD:      ${MYSQL_PASSWORD}
    depends_on:
      - nextcloud-db
    volumes:
      - "nextcloud-data:/var/www/html"
    networks:
      - front
      - nextcloud
      - ldap
    restart: always
    labels:
      - "traefik.docker.network=dsuite_front"
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.tls.certresolver=myresolver"
      - "traefik.http.routers.nextcloud.rule=Host(`cloud.${DSUITE_FULL_DOMAIN}`)"

  nextcloud-db:
    image: mariadb
    environment:
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
      MYSQL_DATABASE:      ${MYSQL_DATABASE}
      MYSQL_USER:          ${MYSQL_USER}
      MYSQL_PASSWORD:      ${MYSQL_PASSWORD}
    volumes:
      - "nextcloud-db-data:/var/lib/mysql"
    networks:
      - nextcloud
    restart: always



  mail:
    image: tvial/docker-mailserver:stable
    hostname: mail
    domainname: mydomain.com
    container_name: mail
    ports:
      - "25:25"
      - "587:587"
      - "465:465"
      - "143:143"
      - "993:993"
    volumes:
      - "mail-data:/var/mail"
      - "mail-state:/var/mail-state"
      - "./mail/config/:/tmp/docker-mailserver/"
      - "${HOME}/.caddy/acme/acme-v02.api.letsencrypt.com/sites/mail.mydomain.com/mail.mydomain.com.crt:/etc/letsencrypt/live/mail.mydomain.com/fullchain.pem"
      - "${HOME}/.caddy/acme/acme-v02.api.letsencrypt.com/sites/mail.mydomain.com/mail.mydomain.com.crt:/etc/letsencrypt/live/mail.mydomain.com/cert.pem"
      - "${HOME}/.caddy/acme/acme-v02.api.letsencrypt.com/sites/mail.mydomain.com/mail.mydomain.com.key:/etc/letsencrypt/live/mail.mydomain.com/privkey.pem"
    environment:
      ENABLE_SPAMASSASSIN:        ${ENABLE_SPAMASSASSIN}
      ENABLE_CLAMAV:              ${ENABLE_CLAMAV}
      ENABLE_FAIL2BAN:            ${ENABLE_FAIL2BAN}
      ENABLE_POSTGREY:            ${ENABLE_POSTGREY}
      ENABLE_SASLAUTHD:           ${ENABLE_SASLAUTHD}
      ENABLE_LDAP:                ${ENABLE_LDAP}
      SSL_TYPE:                   ${SSL_TYPE}
      ONE_DIR:                    ${ONE_DIR}
      DMS_DEBUG:                  ${DMS_DEBUG}
      LDAP_SERVER_HOST:           ${LDAP_SERVER_HOST}
      LDAP_SEARCH_BASE:           ${LDAP_SEARCH_BASE}
      LDAP_BIND_DN:               ${LDAP_BIND_DN}
      LDAP_BIND_PW:               ${LDAP_BIND_PW}
      LDAP_QUERY_FILTER_USER:     ${LDAP_QUERY_FILTER_USER}
      LDAP_QUERY_FILTER_GROUP:    ${LDAP_QUERY_FILTER_GROUP}
      LDAP_QUERY_FILTER_ALIAS:    ${LDAP_QUERY_FILTER_ALIAS}
      LDAP_QUERY_FILTER_DOMAIN:   ${LDAP_QUERY_FILTER_DOMAIN}
      DOVECOT_PASS_FILTER:        ${DOVECOT_PASS_FILTER}
      DOVECOT_USER_FILTER:        ${DOVECOT_USER_FILTER}
      DOVECOT_USER_ATTRS:         ${DOVECOT_USER_ATTRS}
      SASLAUTHD_MECHANISMS:       ${SASLAUTHD_MECHANISMS}
      SASLAUTHD_LDAP_SERVER:      ${SASLAUTHD_LDAP_SERVER}
      SASLAUTHD_LDAP_SEARCH_BASE: ${SASLAUTHD_LDAP_SEARCH_BASE}
      SASLAUTHD_LDAP_BIND_DN:     ${SASLAUTHD_LDAP_BIND_DN}
      SASLAUTHD_LDAP_PASSWORD:    ${SASLAUTHD_LDAP_PASSWORD}
      SASLAUTHD_LDAP_FILTER:      ${SASLAUTHD_LDAP_FILTER}
      POSTMASTER_ADDRESS:         ${POSTMASTER_ADDRESS}
    cap_add:
      - NET_ADMIN
      - SYS_PTRACE
    networks:
      - front
      - ldap
    restart: always

  cadvisor:
    image: gcr.io/cadvisor/cadvisor:v0.47.2
    volumes:
      - "/:/rootfs:ro"
      - "/var/run:/var/run:ro"
      - "/sys:/sys:ro"
      - "/var/lib/docker:/var/lib/docker:ro"
      - "/dev/disk:/dev/disk:ro"
    devices:
      - "/dev/kmsg"
    expose:
      - "8080"
    networks:
      - monitoring
    restart: always

  node_exporter:
    image: quay.io/prometheus/node-exporter:v1.6.0
    command:
      - "--path.rootfs=/host"
    network_mode: host
    pid: host
    restart: unless-stopped
    volumes:
      - "/:/host:ro,rslave"


  prometheus:
    image: prom/prometheus:v2.45.0
    command:
      - "--config.file=/etc/prometheus/prometheus.yml"
      - "--storage.tsdb.path=/prometheus"
    volumes:
      - "./prometheus.yml:/etc/prometheus/prometheus.yml:ro"
      - "prometheus-data:/prometheus"
    expose:
      - "9090"
    depends_on:
      - cadvisor
      - node_exporter
    networks:
      - monitoring
    restart: always

  grafana:
    image: grafana/grafana:10.0.1
    volumes:
      - "grafana-data:/var/lib/grafana"
    expose:
      - "3000"
    networks:
      - front
      - monitoring
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=dsuite_front"
      - "traefik.http.routers.grafana.entrypoints=websecure"
      - "traefik.http.routers.grafana.tls.certresolver=myresolver"
      - "traefik.http.routers.grafana.rule=Host(`grafana.${DSUITE_FULL_DOMAIN}`)"

  bivac:
    image: dolanor/bivac:2.5.1-restic-0.14
    command: manager
    expose:
      - "8182"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "bivac-data:/backup"
    environment:
      BIVAC_AGENT_IMAGE: camptocamp/bivac:2.3

      RESTIC_PASSWORD:         ${RESTIC_PASSWORD}
      BIVAC_SERVER_PSK:        ${BIVAC_SERVER_PSK}
      BIVAC_VOLUMES_BLACKLIST: ${BIVAC_VOLUMES_BLACKLIST}

      # if backing up on a dedicated volume, don't forget to set it up
      # in the volumes section and make the URL just a direct fs URL (eg. `/backup`)
      # if backing up to S3, set AWS env var correctly
      BIVAC_TARGET_URL:      ${BIVAC_TARGET_URL}
      AWS_ACCESS_KEY_ID:     ${AWS_ACCESS_KEY_ID}
      AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}

networks:
  front:
    driver: bridge
  ldap:
  nextcloud:
  drone:
  monitoring:

volumes:
  caddy-data:
  code-data:
  registry-data:
  drone-data:
  mail-data:
  mail-state:
  nextcloud-data:
  nextcloud-db-data:
  ldap-data:
  ldap-config:
  perkeep-store:
  perkeep-config:
  prometheus-data:
  grafana-data:
  bivac-data: