base.yml

#The Docker Compose file defines how different services provided by containerized docker servers relate to one-another,
#how each should be configured, and in what order they should be started.  For more information about this file's
#function and syntax, refer to https://docs.docker.com/compose/compose-file/

#**********************************************************************************************************************
#NOTE:Do not use tabs to indent in this file.  The use of spaces instead of tabs is INTENTIONAL and SYNTACTICALLY
#REQUIRED to differentiate between sections.  It is not just for looks!
#**********************************************************************************************************************

#This file requires you have already downloaded
#Docker https://www.docker.com/community-edition
#and
#Docker Compose https://docs.docker.com/compose/install/
#Note: Docker compose is already bundled with Docker for Windows and Docker for Mac.  For Linux systems, please do
#not use the docker/docker-compose packages provided by your distro.  They are often extremely out-of-date and will not
#be compatible with most applications or this file.  Follow the installation instructions provided on the above sites.
#Also note: Docker for Windows depends on Microsoft Hyper-V, which is only available in Windows Professional and
#Enterprise versions and not available in Home versions.  If you wish to setup a Docker server, but only have Windows
#Home editions, I recommend you either repurpose an old, 64-bit capable PC and install Linux on it, or buy a
#Raspberry Pi and setup Docker on it.  This file assumes you are on an x86_64 architecture.  It would need to be
#rewritten to build the services from scratch (using the container's Dockerfile i.e. a recipe of how to build the
#container image) on the Raspberry Pi's ARMv7 processor architecture where/*IF* a pre-built ARM build is not available
#for a particular service.  You could also run Docker on a Linux Virtual Machine in Oracle VirtualBox, however, this
#negates the advantage of using lightweight, OS-level virtualization that doesn't require reserving memory for the VM
#and emulating hardware and also adds complexity for getting ports forwarded from your router, to your machine, to
#your virtual machine, to your service.  You could try running Docker for Linux on Windows using the Windows
#Subsystem for Linux https://docs.microsoft.com/en-us/windows/wsl/install-win10 regardless of your Windows version,
#but I have no idea if that will work.

#The version section is mandatory.  It tells docker-compose which syntax version to use
version: '3.7'

#The services section is where you define which services your application will use.  Some applications are packaged
#as a single container that contains everything necessary to run your application, others are more modular requiring
#a separate database server from the application or web server, for example.  You can find available containers on
#https://store.docker.com.  Most (but not all) are 100% free.  Some are 'official' meaning they are published by the
#organization or team who wrote the code for the application, others are unofficial, community builds maintained by
#other users/developers.  Quality of unofficial containers cannot always be guaranteed

services:
#Free Dynamic DNS services provided by duckDNS.  https://www.duckdns.org/
#You must register with DuckDNS and set up a subdomain before filling out this section.
#This service provides you with a domain name which always points to your home server, even if your home
#ip address changes.  Your domain will be a subdomain of duckdns.org.  See https://www.duckdns.org/faqs.jsp for more
#info, inluding how to use duckDNS with a custom domain name (purchased separately)
  dynamic-dns: #Our name for the service we are defining, used to reference it by name w/in compose file(s)
    image: linuxserver/duckdns:latest #which container from the docker store to use
    container_name: duckdns #optional, but recommended, otherwise defaults to a generated name
    environment: #configuration options defined by environment variables go here
      - TZ=${TZ}
      - SUBDOMAINS=${DUCKDNS_SUBDOMAIN:?Please copy template.env to .env and provide provide a value for DUCKDNS_SUBDOMAIN}
      - TOKEN=${DUCKDNS_TOKEN:?Please copy template.env to .env and provide provide a value for DUCKDNS_TOKEN}
    #Container metadata can be put in labels.  This is sometimes used to communicate information to other containers
    #or services e.g. to docker compose about what other services depend on this service, or to traefik reverse
    #proxy about how or if to proxy requests to this service
    labels:
      - "traefik.enable=false" #tells traefik reverse proxy to ignore this container, do not proxy requests to it
      - "com.ouroboros.enable=true"
    restart: always #if this container stops for any reason, docker will restart it automatically
    volumes:
      - duckdns-config:/config

#A reverse proxy takes all requests it receives and, based on predfined rules, forwards the request to the appropriate
#destination.  Since we may be hosting many servers with different names, but all competing for HTTP ports 80 and 8080
#and HTTPS port 443, we put a reverse proxy in front of them to handle the requests on their behalf.  NGinX is a
#popular reverse proxy, but we will use Traefik https://traefik.io/ because it is easier to use, native to Docker,
#can be configured automatically, and will respond to changes in the environment as services are added or
#removed instead of hanging.  Traefik supports LetsEncrypt https://letsencrypt.org out-of-the-box and can
#automatically obtain and manage free, secure certificats for securing HTTPS connections
  reverse-proxy:
    image: traefik:v1.7-alpine
    restart: unless-stopped #Docker will automatically restart this container unless you intentionally stopped it
    container_name: traefik
    ports:
    #The ports section defines which ports on the host machine (left) are connected to which ports on the service's
    #container (right)
      - 80:80
      - 443:443
    expose:
      - "8080" #admin web UI port
    labels:
      - "com.ouroboros.enable=true" #enables watchtower for auto updates
      - "traefik.enable=true" #set to false to disable admin dashboard
      - "traefik.frontend.rule=Host:${TRAEFIK_DASHBOARD_DOMAIN:?Please set the value of TRAEFIK_DASHBOARD_DOMAIN in .env or comment this line out}"
      - "traefik.port=8080"
      - "traefik.frontend.auth.digest.usersFile=/etc/traefik/dashboard-users-passwd"
    volumes:
    #allows traefik to monitor for changes and to read labels (Mac/Linux ONLY).
      - /var/run/docker.sock:/var/run/docker.sock  ###Comment this line out in Windows, make sure to update traefik.toml
      - ./configs/traefik/traefik.toml:/etc/traefik/traefik.toml #traefik config file
      - traefik-cert:/etc/traefik/acme/ #volume for storing LetsEncrypt cets
      #comment out the next line if you disable the dashboard
      - ${TRAEFIK_DASHBOARD_USERS_PASSWORD_FILE:?Run htdigest -c /path/to/new/password/file traefik yourusername to create a username/password for the traefik dashboard and set TRAEFIK_USERS_PASSWORD_FILE in .env to the path of the file}:/etc/traefik/dashboard-users-passwd
    #The following section allows you to deifne services which must be started before this service can start
    depends_on:
      - dynamic-dns
    environment:
      DUCKDNS_TOKEN: ${DUCKDNS_TOKEN}
    networks:
    #containers will default to the default bridge network if none is specified
      - docker-gui-network
#Optional: this service will watch specified containers (defaults to all containers) and automatically recreate them
#with an updated image if it detects that the upstream image has been updated.  Pros: you don't have to do it manually
#Cons: You don't control the updates anymore, even if they happen quickly and seamlessly, but if an update breaks
#something, you'll have to manually recreate the container with the specific version you wanted by replacing the tag
#(to the right of : in the image line) with the tag corresponding to the version you want.  My recommendation is to
#use it for everything, but if you want to change that, change all com.ouroboros.enable labels to
#"false"
  auto-updater:
    image: pyouroboros/ouroboros:latest
    container_name: ouroboros
    restart: unless-stopped
    environment:
    #For a full list of options for ouroboros, see https://github.com/pyouroboros/ouroboros/wiki/Usage
      - CLEANUP=true #delete old images after update
      - DOCKER_SOCKETS="unix://var/run/docker.sock" #comment this line out on windows
      #- DOCKER_SOCKETS="npipe:////./pipe/docker_engine tcp://localhost:2375" #uncomment this line on windows
      # Define how often to check for updates, defaults to a minimum of 300 (30 seconds)
      - INTERVAL=300
      - LOG_LEVEL=info
      #make ouroboros self-updating
      - SELF_UPDATE=true
      #get auto-update config from labels and only labels.  If a container is not labeled to auto update, don't autoupdate
      - LABEL_ENABLE=true
      - LABELS_ONLY=true
      - TZ=${TZ}
      #optional alternative way to check interval (overriding INTERVAL)
      #Specify how often to check for updates using a cron string (see https://devhints.io/cron)
      #this string means every 30 minutes of every hour of every day of every month at every day of the week
      - CRON="*/30 * * * *"
    labels:
      - "traefik.enable=false"
      - "com.ouroboros.enable=true" #Yes, it can watch and update itself
    #Docker images are a base file system with deltas (changes) representing the steps to go from a base to the
    #finished product overlayed on top of it.  As such, changes you make to data in an image is really happening
    #in yet another delta layer on top of the rest.  This layer is considered temporary and really only something
    #you use if you're building your own image from an existing one as a base.  Any data you need to persist
    #should be stored in a Docker volume.  Docker volums can either be named storage locations that can be defined
    #here in the compose file, or bind mounts to directories on the host machine both of which you can use
    #to store data that persists between runs of a container and can be shared between multipe containers.
    #see https://docs.docker.com/compose/compose-file/#volumes for more information
    volumes:
      #allows ouroboros to monitor for changes and to read labels
      - /var/run/docker.sock:/var/run/docker.sock ###Comment this line out in Windows

  docker-gui:
    image: portainer/portainer-ce:alpine
    #ports:
      #by mapping this port to the host, we are also making this service available even if
      #traefik is not running at http://localhost:9000 on your host pc or
      #http://yourhostPCsnetworkname:9000 from other PCs on your network
      #note that it is an insecure http connection.  Comment out the ports section if
      #you do not trust the other devices on your network to not spy on you
    #  - "9000:9000"
    expose:
      - "9000"
    container_name: portainer-docker-gui
    labels:
      #tells Traefik to proxy requests to this container
      - traefik.enable=true
      #the rule traefik will use to match a request to this service
      #in this case, the hostname of the requested source matches what you put here
      - traefik.frontend.rule=Host:${PORTAINER_DOMAIN:?Please copy template.env to .env and provide provide a value for PORTAINER_DOMAIN}
      #the target port of the service that traefik should forward
      - traefik.port=9000
      - com.ouroboros.enable=true
    networks:
      - docker-gui-network
    volumes:
      - portainer-data:/data #map named volume to directory in container
      #allows portainer to control docker (Linux/Mac only)
      - /var/run/docker.sock:/var/run/docker.sock ###Comment this line out in Windows
    #this section allows us to modify arguments passed to the default command executed inside this container (AKA the entrypoint)
    #when it starts
###    command: -d /data -H npipe:////./pipe/docker_engine #uncomment this line in windows
###    command: -d /data -H tcp://localhost:2375 #alternative to the last line, pick only 1!
    restart: unless-stopped
    #a healthcheck adds a command that is run inside a container to check that it is working properly, for example, checking
    #that the server can be reached without errors, as shown below.  Healthchecks also will cause any containers that depend on
    #this container to wait for indicate that it is in status "healthy" before begining to start themselves, which is useful to
    #guarantee a database server is up and responding to connections before starting the application server.
    #healthcheck:
    #  test: ["CMD-SHELL", "curl -f http://portainer-docker-gui:9000 || exit 1"]
    #  interval: 1m30s
    #  timeout: 10s
    #  retries: 5
    #  start_period: 5s

#this mail relay will work with any smtp server, however, as written, it is ready for use with mailgun
#you could reconfigure this to work with google smtp per the instructions linked from README.md
#this mail relay will ALWAYS be available to containers whose network it's on at host mail-relay, port 25
#(sometimes written as mail-relay:25 when there isn't a separate field for port), no TLS, no STARTTLS, no
#login credentials of any kind.  This relay only accepts emails from your containers and forwards them to
#the SMTP server it's configured for.
  mail-relay:
    image: mwader/postfix-relay:latest
    container_name: mail-relay
    restart: unless-stopped
    environment:
      #if you use mailgun, you cannot use your duckdns domain, it will not validate it
      - POSTFIX_myhostname=${REGISTERED_DOMAIN:?Please copy template.env to .env and provide provide a value for REGISTERED_DOMAIN}
      #reluctantly adding 192.168.0.0/16 to allowed networks.  This address range is typically used on routers and, if the mail relay
      #port were mapped to the host, this would be a HUGE security risk (anyone could send email through the relay, including others
      #on the same router).  The "expose" section, as I understand it only makes the port available to other docker services
      #and does not map it to the host, which is the only reason why I think its ok to allow the 192.168.0.0/16 range, otherwise
      #you can't use the mail relay after you've exhausted the private addresses 172.16.0.0-> 172.31.0.0 with many services on your
      #stack
      - "POSTFIX_mynetworks=127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.0.0.0/8 192.168.0.0/16"
      - POSTFIX_mydestination=${REGISTERED_DOMAIN:?Please copy template.env to .env and provide provide a value for REGISTERED_DOMAIN},localhost
      - POSTFIX_smtp_tls_security_level=may
      - POSTFIX_smtpd_tls_security_level=none
      - POSTFIX_smtp_sasl_auth_enable=yes
      - "POSTFIX_smtp_sasl_password_maps=hash:/etc/postfix/sasl/sasl_passwd"
      - POSTFIX_smtp_sasl_security_options=noanonymous
      - POSTFIX_relayhost=${UPSTREAM_SMTP_HOST:?Please copy template.env to .env and provide provide a value for UPSTREAM_SMTP_HOST}
      - relayhost_username=${UPSTREAM_SMTP_USERNAME:?Please copy template.env to .env and provide provide a value for UPSTREAM_SMTP_USERNAME}
      - relayhost_passwd=${UPSTREAM_SMTP_PASSWORD:?Please copy template.env to .env and provide provide a value for UPSTREAM_SMTP_PASSWORD}
      - POSTFIX_smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt #might need to change if not on Debian-based linux, uesd to validate secure connection to SMTP
      - POSTFIX_smtp_tls_note_starttls_offer=yes
      - POSTFIX_smtp_use_tls=yes
    expose:
      - "25"
    labels:
      - "com.ouroboros.enable=true"
      - "traefik.enable=false"
    volumes:
      - mail-relay-lib-postfix:/var/lib/postfix
      - mail-relay-mail:/var/mail
      - mail-relay-spool-postfix:/var/spool/postfix
      - mail-relay-opendkim-keys:/etc/opendkim/keys
      - mail-relay-sasl:/etc/postfix/sasl
      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro #use host's CAs to validate remote SMTP certs, may need to change if not on debian-based linux
    #override the default command with one that stores smtp credentials, since the image doesn't do this natively
    command: '/bin/bash -c "echo $$POSTFIX_relayhost $$relayhost_username:$$relayhost_passwd > /etc/postfix/sasl/sasl_passwd && /usr/sbin/postmap /etc/postfix/sasl/sasl_passwd && /root/run"'



#This section allows you to define networks.  We will only be using basic configuration here.  For Advanced
#Configuration options, refer to the docker-compose file documentation linked in the header.  Networks
#are just a way to group services that work together so that they can "talk" to each other directly and
#reference one another by their internal hostname, which can either be explicitly named with a hostname:
#section under the service, or allowed to default to the name: which defaults to the service's name if not
#specified.
networks:
  docker-gui-network:
    name: docker-gui-network #docker compose will generate a name if not specified

#This section is for defining name volumes, which are where a container can store data for persisting
#between instances/runs of the container
volumes:
  portainer-data: #persistent storage for portainer's configuration settings
  traefik-cert: #storage for the acme.json file that will hold your LetsEncrypt certs
  duckdns-config:
  mail-relay-lib-postfix: #persistant storage for the mail-relay
  mail-relay-mail:
  mail-relay-spool-postfix:
  mail-relay-opendkim-keys:
  mail-relay-sasl: