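# Options for building certificates
# NOTE(review): omgwtfssl writes its CA key alongside the leaf key/cert into
# /certs (= /opt/ssl on the host), and /opt/ssl is mounted wholesale into the
# nginx container below. Keep the CA key out of that directory (or mount only
# the leaf key/cert into nginx) so a web-tier compromise cannot mint trusted certs.
x-certs: &certs
  image: paulczar/omgwtfssl
  restart: "no"
  volumes:
    - /opt/ssl:/certs

# Shared logging settings. Two 5 MB files per container is very little
# retention for incident investigation; raise these or ship logs off-host
# if you need to reconstruct what happened more than a few hours back.
x-logging: &logging
  logging:
    driver: "local"
    options:
      max-size: "5m"
      max-file: "2"

version: "3.4"

# Supply-chain caveat: most images below use floating tags (`latest`, `alpine`,
# `release`, or no tag at all). A routine `pull` can silently move to a new
# major version. Pin to a version tag and, ideally, an image digest.
#
# Credential caveat: nextcloud, gitea, tt-rss, mariadb and postgres all share
# ${DB_USER}/${DB_PASSWORD}, and mariadb reuses it as MYSQL_ROOT_PASSWORD.
# Compromise of any single web app therefore yields root on the database.
# Use one DB user per application and a separate root password.
services:
  foundry:
    <<: *logging
    image: felddy/foundryvtt:release
    volumes:
      - /mnt/tower/foundry:/data
      - /opt/scarif/foundry/patches:/data/patches
    restart: always
    environment:
      - "FOUNDRY_PASSWORD=${FOUNDRY_PASSWORD}"
      - "FOUNDRY_USERNAME=${FOUNDRY_USER}"
      - FOUNDRY_ADMIN_KEY=${FOUNDRY_ADMIN_KEY}
      - FOUNDRY_HOSTNAME=https://rec.${DOMAIN}
      - FOUNDRY_PROXY_PORT=443
      - FOUNDRY_PORT=443
      # TLS is terminated by nginx; tell Foundry so it emits https:// URLs.
      - FOUNDRY_PROXY_SSL=true
      - FOUNDRY_ROUTE_PREFIX=foundry
      - CONTAINER_CACHE=/data/container_cache
      - CONTAINER_PATCHES=/data/patches
      - FOUNDRY_UID=1000
      - FOUNDRY_GID=1000
    networks:
      - nginx

  nextcloud:
    <<: *logging
    build: ./nextcloud
    image: nextcloud
    restart: unless-stopped
    user: 1000:1000
    volumes:
      - nextcloud:/var/www/html
      - /mnt/tower/stardust:/var/www/html/data
      # NOTE(review): this is the same host path foundry mounts as its /data,
      # mounted read-write here. If Nextcloud only needs to read it, add `:ro`
      # so a Nextcloud compromise cannot tamper with Foundry's data.
      - /mnt/tower/foundry:/var/www/foundry
    environment:
      - REDIS_HOST=redis
      - MYSQL_HOST=db
      - MYSQL_PASSWORD=${DB_PASSWORD}
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=${DB_USER}
      - NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD}
      - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER}
      - MAIL_FROM_ADDRESS=${MAIL_FROM}
      - SMTP_HOST=${MAIL_HOST}
      - SMTP_PORT=${MAIL_PORT}
      - SMTP_USER=${MAIL_USER}
      - SMTP_PASSWORD=${MAIL_PASSWORD}
      - "NEXTCLOUD_TRUSTED_DOMAINS=tower.${DOMAIN} 127.0.0.1"
      # nginx terminates TLS on 443 and Nextcloud only ever sees plain HTTP;
      # without this, generated redirects/links can fall back to http://.
      # Also set TRUSTED_PROXIES to the nginx network range if you rely on
      # client IPs (brute-force protection, logs).
      - OVERWRITEPROTOCOL=https
      - USER_UID=1000
      - USER_GID=1000
      - APACHE_RUN_USER=1000
      - APACHE_RUN_GROUP=1000
    depends_on:
      - db
      - redis
    networks:
      - db
      - redis
      - nginx
    extra_hosts:
      - "tower.${DOMAIN}:${LOCAL_IP}"
      - "office.${DOMAIN}:${LOCAL_IP}"

  collabora:
    <<: *logging
    image: collabora/code
    restart: unless-stopped
    # MKNOD is the one extra capability the collabora/code image asks for
    # (it creates device nodes inside its jails); grant nothing beyond it.
    cap_add:
      - MKNOD
    environment:
      - "DONT_GEN_SSL_CERT=True"
      # `domain` restricts which WOPI hosts may drive this instance;
      # keep it tight to the Nextcloud hostname.
      - domain=tower.${DOMAIN}
      - cert_domain=office.${DOMAIN}
      - server_name=office.${DOMAIN}
      # Admin-console credentials; the console is reachable through nginx,
      # so these deserve the same strength as any other admin password.
      - username=${COLLABORA_USER}
      - password=${COLLABORA_PASSWORD}
      # TLS is terminated at nginx; Collabora must still know it is behind HTTPS.
      - "extra_params=-o:ssl.enable=false --o:ssl.termination=true"
      - "dictionaries=de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru ro"
    networks:
      - nginx
    extra_hosts:
      - "tower.${DOMAIN}:${LOCAL_IP}"
      - "office.${DOMAIN}:${LOCAL_IP}"

  homebox:
    <<: *logging
    image: ghcr.io/hay-kot/homebox:latest
    restart: unless-stopped
    environment:
      - HBOX_LOG_LEVEL=info
      - HBOX_LOG_FORMAT=text
      - HBOX_WEB_MAX_UPLOAD_SIZE=10
      # Self-registration stays off; accounts are created by the admin only.
      - HBOX_OPTIONS_ALLOW_REGISTRATION=false
      - HBOX_MAILER_HOST=${MAIL_HOST}
      - HBOX_MAILER_PORT=${MAIL_PORT}
      - HBOX_MAILER_USERNAME=${MAIL_USER}
      - HBOX_MAILER_PASSWORD=${MAIL_PASSWORD}
    volumes:
      - homebox:/data/
    networks:
      - nginx

  gitea:
    <<: *logging
    image: gitea/gitea:1
    environment:
      - "APP_NAME=Labs: Where the good stuff happens"
      - RUN_MODE=prod
      - DOMAIN=labs.${DOMAIN}
      - ROOT_URL=https://labs.${DOMAIN}
      - DB_TYPE=mysql
      - DB_HOST=db
      - DB_NAME=gitea
      - DB_USER=${DB_USER}
      - DB_PASSWD=${DB_PASSWORD}
      - USER_UID=1200
      - USER_GID=1200
      - DISABLE_REGISTRATION=true
      # NOTE(review): until first-run setup completes, the web installer is
      # reachable by whoever hits it first. Consider `INSTALL_LOCK=true` and
      # creating the admin via `gitea admin user create` instead.
    restart: always
    volumes:
      - gitea:/data
      - /mnt/tower/labs:/data/git
      # SSH passthrough: host `git` user's authorized_keys are managed by gitea.
      - /home/git/.ssh/:/data/git/.ssh/
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      # Loopback only; host sshd forwards to it. Do not widen this binding.
      - "127.0.0.1:2222:22"
    networks:
      - db
      - nginx
    depends_on:
      - db

  tt-rss:
    <<: *logging
    image: cthulhoo/ttrss-fpm-pgsql-static:latest
    restart: unless-stopped
    environment:
      - TTRSS_SELF_URL_PATH=https://intel.${DOMAIN}
      - TTRSS_DB_USER=${DB_USER}
      - TTRSS_DB_NAME=scarif
      - TTRSS_DB_PASS=${DB_PASSWORD}
      - TTRSS_DB_HOST=psqldb
      #- AUTO_CREATE_USER=${TTRSS_USER}
      #- AUTO_CREATE_USER_PASS=${TTRSS_USER_PASS}
      #- ADMIN_USER_ACCESS_LEVEL=-2
    volumes:
      - tt-rss:/var/www/html
      - ./tt-rss/config.d:/opt/tt-rss/config.d:ro
    depends_on:
      - psqldb
    networks:
      - db
      - nginx

  tt-rss-updater:
    <<: *logging
    image: cthulhoo/ttrss-fpm-pgsql-static:latest
    restart: unless-stopped
    environment:
      - TTRSS_SELF_URL_PATH=https://intel.${DOMAIN}
      - TTRSS_DB_USER=${DB_USER}
      - TTRSS_DB_NAME=scarif
      - TTRSS_DB_PASS=${DB_PASSWORD}
      - TTRSS_DB_HOST=psqldb
    volumes:
      - tt-rss:/var/www/html
      - ./tt-rss/config.d:/opt/tt-rss/config.d:ro
    depends_on:
      - tt-rss
      - psqldb
    command: /opt/tt-rss/updater.sh
    # Fetches feeds only; it never needs the nginx network.
    networks:
      - db

  pihole:
    <<: *logging
    image: pihole/pihole:latest
    ports:
      # NOTE(review): DNS is bound on every host interface. If this host has a
      # public address this is an open resolver (DNS amplification). Bind it to
      # the LAN address instead, e.g. "${LOCAL_IP}:53:53/tcp" / "...:53/udp".
      - "53:53/tcp"
      - "53:53/udp"
    environment:
      TZ: "Europe/London"
      WEBPASSWORD: ${PIHOLE_PASSWORD}
      VIRTUAL_HOST: net.${DOMAIN}
    volumes:
      - "/docker/pihole/etc-pihole:/etc/pihole"
      - "/docker/pihole/etc-dnsmasq.d:/etc/dnsmasq.d"
    restart: unless-stopped
    networks:
      - nginx

  jitsi:
    <<: *logging
    image: jitsi/web:stable
    restart: unless-stopped
    volumes:
      - ${CONFIG}/web:/config:Z
      - ${CONFIG}/web/crontabs:/var/spool/cron/crontabs:Z
      - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
    # All values are passed through from the host environment (.env).
    # NOTE(review): with ENABLE_AUTH unset, anyone who can reach the site
    # can create rooms; confirm ENABLE_AUTH / ENABLE_GUESTS in .env match
    # the intended exposure of this instance.
    environment:
      - AMPLITUDE_ID
      - ANALYTICS_SCRIPT_URLS
      - ANALYTICS_WHITELISTED_EVENTS
      - AUDIO_QUALITY_OPUS_BITRATE
      - AUTO_CAPTION_ON_RECORD
      - BRANDING_DATA_URL
      - CALLSTATS_CUSTOM_SCRIPT_URL
      - CALLSTATS_ID
      - CALLSTATS_SECRET
      - CHROME_EXTENSION_BANNER_JSON
      - CONFCODE_URL
      - CONFIG_EXTERNAL_CONNECT
      - DEFAULT_LANGUAGE
      - DEPLOYMENTINFO_ENVIRONMENT
      - DEPLOYMENTINFO_ENVIRONMENT_TYPE
      - DEPLOYMENTINFO_REGION
      - DEPLOYMENTINFO_SHARD
      - DEPLOYMENTINFO_USERREGION
      - DESKTOP_SHARING_FRAMERATE_MIN
      - DESKTOP_SHARING_FRAMERATE_MAX
      - DIALIN_NUMBERS_URL
      - DIALOUT_AUTH_URL
      - DIALOUT_CODES_URL
      - DISABLE_AUDIO_LEVELS
      - DISABLE_DEEP_LINKING
      - DISABLE_GRANT_MODERATOR
      - DISABLE_HTTPS
      - DISABLE_KICKOUT
      - DISABLE_LOCAL_RECORDING
      - DISABLE_POLLS
      - DISABLE_PRIVATE_CHAT
      - DISABLE_PROFILE
      - DISABLE_REACTIONS
      - DISABLE_REMOTE_VIDEO_MENU
      - DISABLE_START_FOR_ALL
      - DROPBOX_APPKEY
      - DROPBOX_REDIRECT_URI
      - DYNAMIC_BRANDING_URL
      - ENABLE_AUDIO_PROCESSING
      - ENABLE_AUTH
      - ENABLE_BREAKOUT_ROOMS
      - ENABLE_CALENDAR
      - ENABLE_COLIBRI_WEBSOCKET
      - ENABLE_E2EPING
      - ENABLE_FILE_RECORDING_SHARING
      - ENABLE_GUESTS
      - ENABLE_HSTS
      - ENABLE_HTTP_REDIRECT
      - ENABLE_IPV6
      - ENABLE_LETS_ENCRYPT
      - ENABLE_LIPSYNC
      - ENABLE_NO_AUDIO_DETECTION
      - ENABLE_NOISY_MIC_DETECTION
      - ENABLE_OCTO
      - ENABLE_OPUS_RED
      - ENABLE_PREJOIN_PAGE
      - ENABLE_P2P
      - ENABLE_WELCOME_PAGE
      - ENABLE_CLOSE_PAGE
      - ENABLE_LIVESTREAMING
      - ENABLE_LOCAL_RECORDING_NOTIFY_ALL_PARTICIPANT
      - ENABLE_LOCAL_RECORDING_SELF_START
      - ENABLE_RECORDING
      - ENABLE_REMB
      - ENABLE_REQUIRE_DISPLAY_NAME
      - ENABLE_SERVICE_RECORDING
      - ENABLE_SIMULCAST
      - ENABLE_STATS_ID
      - ENABLE_STEREO
      - ENABLE_SUBDOMAINS
      - ENABLE_TALK_WHILE_MUTED
      - ENABLE_TCC
      - ENABLE_TRANSCRIPTIONS
      - ENABLE_XMPP_WEBSOCKET
      - ENABLE_JAAS_COMPONENTS
      - ETHERPAD_PUBLIC_URL
      - ETHERPAD_URL_BASE
      - E2EPING_NUM_REQUESTS
      - E2EPING_MAX_CONFERENCE_SIZE
      - E2EPING_MAX_MESSAGE_PER_SECOND
      - GOOGLE_ANALYTICS_ID
      - GOOGLE_API_APP_CLIENT_ID
      - HIDE_PREMEETING_BUTTONS
      - HIDE_PREJOIN_DISPLAY_NAME
      - HIDE_PREJOIN_EXTRA_BUTTONS
      - INVITE_SERVICE_URL
      - LETSENCRYPT_DOMAIN
      - LETSENCRYPT_EMAIL
      - LETSENCRYPT_USE_STAGING
      - MATOMO_ENDPOINT
      - MATOMO_SITE_ID
      - MICROSOFT_API_APP_CLIENT_ID
      - NGINX_RESOLVER
      - NGINX_WORKER_PROCESSES
      - NGINX_WORKER_CONNECTIONS
      - PEOPLE_SEARCH_URL
      - PREFERRED_LANGUAGE
      - PUBLIC_URL
      - P2P_PREFERRED_CODEC
      - RESOLUTION
      - RESOLUTION_MIN
      - RESOLUTION_WIDTH
      - RESOLUTION_WIDTH_MIN
      - START_AUDIO_MUTED
      - START_AUDIO_ONLY
      - START_BITRATE
      - START_SILENT
      - START_WITH_AUDIO_MUTED
      - START_VIDEO_MUTED
      - START_WITH_VIDEO_MUTED
      - TESTING_CAP_SCREENSHARE_BITRATE
      - TESTING_OCTO_PROBABILITY
      - TOKEN_AUTH_URL
      - TOOLBAR_BUTTONS
      - TRANSLATION_LANGUAGES
      - TRANSLATION_LANGUAGES_HEAD
      - TZ
      - USE_APP_LANGUAGE
      - VIDEOQUALITY_BITRATE_H264_LOW
      - VIDEOQUALITY_BITRATE_H264_STANDARD
      - VIDEOQUALITY_BITRATE_H264_HIGH
      - VIDEOQUALITY_BITRATE_VP8_LOW
      - VIDEOQUALITY_BITRATE_VP8_STANDARD
      - VIDEOQUALITY_BITRATE_VP8_HIGH
      - VIDEOQUALITY_BITRATE_VP9_LOW
      - VIDEOQUALITY_BITRATE_VP9_STANDARD
      - VIDEOQUALITY_BITRATE_VP9_HIGH
      - VIDEOQUALITY_ENFORCE_PREFERRED_CODEC
      - VIDEOQUALITY_PREFERRED_CODEC
      - XMPP_AUTH_DOMAIN
      - XMPP_BOSH_URL_BASE
      - XMPP_DOMAIN
      - XMPP_GUEST_DOMAIN
      - XMPP_MUC_DOMAIN
      - XMPP_RECORDER_DOMAIN
      - XMPP_PORT
      - WHITEBOARD_ENABLED
      - WHITEBOARD_COLLAB_SERVER_PUBLIC_URL
    networks:
      nginx:
      meet.jitsi:

  # XMPP server
  prosody:
    <<: *logging
    image: jitsi/prosody:stable
    restart: unless-stopped
    # `expose` only publishes to the compose networks, not to the host.
    expose:
      - '${XMPP_PORT:-52222}'
      - '5347'
      - '5280'
    volumes:
      - ${CONFIG}/prosody/config:/config:Z
      - ${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z
    # Component passwords, JWT secret and LDAP bind password all arrive via
    # .env; keep that file mode 0600 and out of version control.
    environment:
      - AUTH_TYPE
      - DISABLE_POLLS
      - ENABLE_AUTH
      - ENABLE_AV_MODERATION
      - ENABLE_BREAKOUT_ROOMS
      - ENABLE_END_CONFERENCE
      - ENABLE_GUESTS
      - ENABLE_IPV6
      - ENABLE_LOBBY
      - ENABLE_RECORDING
      - ENABLE_XMPP_WEBSOCKET
      - ENABLE_JAAS_COMPONENTS
      - GC_TYPE
      - GC_INC_TH
      - GC_INC_SPEED
      - GC_INC_STEP_SIZE
      - GC_GEN_MIN_TH
      - GC_GEN_MAX_TH
      - GLOBAL_CONFIG
      - GLOBAL_MODULES
      - JIBRI_RECORDER_USER
      - JIBRI_RECORDER_PASSWORD
      - JIBRI_XMPP_USER
      - JIBRI_XMPP_PASSWORD
      - JICOFO_AUTH_PASSWORD
      - JICOFO_COMPONENT_SECRET
      - JIGASI_XMPP_USER
      - JIGASI_XMPP_PASSWORD
      - JVB_AUTH_USER
      - JVB_AUTH_PASSWORD
      - JWT_APP_ID
      - JWT_APP_SECRET
      - JWT_ACCEPTED_ISSUERS
      - JWT_ACCEPTED_AUDIENCES
      - JWT_ASAP_KEYSERVER
      - JWT_ALLOW_EMPTY
      - JWT_AUTH_TYPE
      - JWT_ENABLE_DOMAIN_VERIFICATION
      - JWT_TOKEN_AUTH_MODULE
      - MATRIX_UVS_URL
      - MATRIX_UVS_ISSUER
      - MATRIX_UVS_AUTH_TOKEN
      - MATRIX_UVS_SYNC_POWER_LEVELS
      - LOG_LEVEL
      - LDAP_AUTH_METHOD
      - LDAP_BASE
      - LDAP_BINDDN
      - LDAP_BINDPW
      - LDAP_FILTER
      - LDAP_VERSION
      - LDAP_TLS_CIPHERS
      - LDAP_TLS_CHECK_PEER
      - LDAP_TLS_CACERT_FILE
      - LDAP_TLS_CACERT_DIR
      - LDAP_START_TLS
      - LDAP_URL
      - LDAP_USE_TLS
      - MAX_PARTICIPANTS
      - PROSODY_RESERVATION_ENABLED
      - PROSODY_RESERVATION_REST_BASE_URL
      - PUBLIC_URL
      - TURN_CREDENTIALS
      - TURN_HOST
      - TURNS_HOST
      - TURN_PORT
      - TURNS_PORT
      - TURN_TRANSPORT
      - TZ
      - XMPP_DOMAIN
      - XMPP_AUTH_DOMAIN
      - XMPP_GUEST_DOMAIN
      - XMPP_MUC_DOMAIN
      - XMPP_INTERNAL_MUC_DOMAIN
      - XMPP_MODULES
      - XMPP_MUC_MODULES
      - XMPP_MUC_CONFIGURATION
      - XMPP_INTERNAL_MUC_MODULES
      - XMPP_RECORDER_DOMAIN
      - XMPP_PORT
    networks:
      meet.jitsi:
        aliases:
          - ${XMPP_SERVER:-xmpp.meet.jitsi}

  # Focus component
  jicofo:
    <<: *logging
    image: jitsi/jicofo:stable
    restart: unless-stopped
    volumes:
      - ${CONFIG}/jicofo:/config:Z
    environment:
      - AUTH_TYPE
      - BRIDGE_AVG_PARTICIPANT_STRESS
      - BRIDGE_STRESS_THRESHOLD
      - ENABLE_AUTH
      - ENABLE_AUTO_OWNER
      - ENABLE_CODEC_VP8
      - ENABLE_CODEC_VP9
      - ENABLE_CODEC_H264
      - ENABLE_OCTO
      - ENABLE_RECORDING
      - ENABLE_SCTP
      - ENABLE_AUTO_LOGIN
      - JICOFO_AUTH_PASSWORD
      - JICOFO_ENABLE_BRIDGE_HEALTH_CHECKS
      - JICOFO_CONF_INITIAL_PARTICIPANT_WAIT_TIMEOUT
      - JICOFO_CONF_SINGLE_PARTICIPANT_TIMEOUT
      - JICOFO_ENABLE_HEALTH_CHECKS
      - JIBRI_BREWERY_MUC
      - JIBRI_REQUEST_RETRIES
      - JIBRI_PENDING_TIMEOUT
      - JIGASI_BREWERY_MUC
      - JIGASI_SIP_URI
      - JVB_BREWERY_MUC
      - MAX_BRIDGE_PARTICIPANTS
      - OCTO_BRIDGE_SELECTION_STRATEGY
      # Quotes here are literal (this is a plain YAML scalar); kept as upstream
      # docker-jitsi-meet ships it.
      - SENTRY_DSN="${JICOFO_SENTRY_DSN:-0}"
      - SENTRY_ENVIRONMENT
      - SENTRY_RELEASE
      - TZ
      - XMPP_DOMAIN
      - XMPP_AUTH_DOMAIN
      - XMPP_INTERNAL_MUC_DOMAIN
      - XMPP_MUC_DOMAIN
      - XMPP_RECORDER_DOMAIN
      - XMPP_SERVER
      - XMPP_PORT
    depends_on:
      - prosody
    networks:
      meet.jitsi:

  # Video bridge
  jvb:
    <<: *logging
    image: jitsi/jvb:stable
    restart: unless-stopped
    ports:
      # Media port must be publicly reachable for WebRTC.
      - '${JVB_PORT:-10000}:${JVB_PORT:-10000}/udp'
      # COLIBRI/REST control port stays on loopback; never expose it, the
      # shutdown/REST endpoints below have no authentication of their own.
      - '127.0.0.1:${JVB_COLIBRI_PORT:-8080}:8080'
    volumes:
      - ${CONFIG}/jvb:/config:Z
    environment:
      - DOCKER_HOST_ADDRESS
      - ENABLE_COLIBRI_WEBSOCKET
      - ENABLE_OCTO
      - JVB_ADVERTISE_IPS
      - JVB_ADVERTISE_PRIVATE_CANDIDATES
      - JVB_AUTH_USER
      - JVB_AUTH_PASSWORD
      - JVB_BREWERY_MUC
      - JVB_DISABLE_STUN
      - JVB_PORT
      - JVB_MUC_NICKNAME
      - JVB_STUN_SERVERS
      - JVB_OCTO_BIND_ADDRESS
      - JVB_OCTO_REGION
      - JVB_OCTO_RELAY_ID
      - JVB_WS_DOMAIN
      - JVB_WS_SERVER_ID
      - PUBLIC_URL
      - SENTRY_DSN="${JVB_SENTRY_DSN:-0}"
      - SENTRY_ENVIRONMENT
      - SENTRY_RELEASE
      - COLIBRI_REST_ENABLED
      - SHUTDOWN_REST_ENABLED
      - TZ
      - XMPP_AUTH_DOMAIN
      - XMPP_INTERNAL_MUC_DOMAIN
      - XMPP_SERVER
      - XMPP_PORT
    depends_on:
      - prosody
    networks:
      meet.jitsi:
        aliases:
          - jvb.meet.jitsi

  db:
    <<: *logging
    # Untagged: floats to the newest MariaDB major on every pull. Pin it.
    image: mariadb
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --skip-innodb-read-only-compressed
    environment:
      # NOTE(review): root and the application user share one password.
      # Give root its own secret (e.g. a separate DB_ROOT_PASSWORD variable).
      - MYSQL_ROOT_PASSWORD=${DB_PASSWORD}
      - MYSQL_USER=${DB_USER}
      - MYSQL_PASSWORD=${DB_PASSWORD}
    volumes:
      - db:/var/lib/mysql
      # Init scripts only run on first start; they never need write access.
      - ./db/init:/docker-entrypoint-initdb.d:ro
    restart: always
    networks:
      - db

  redis:
    <<: *logging
    image: redis:alpine
    restart: always
    # Unauthenticated, but only reachable on the `redis` network (nextcloud).
    networks:
      - redis

  nginx:
    <<: *logging
    image: nginx:alpine
    restart: always
    volumes:
      - /opt/ssl:/etc/nginx/certs:ro
      - ./nginx/nginx.conf.template:/etc/nginx/conf.d/nginx.conf.template:ro
      - ./nginx/generate_conf.sh:/docker-entrypoint.d/generate_conf.sh:ro
      # NOTE(review): the whole Nextcloud and tt-rss document roots are mounted
      # here. Nextcloud's tree includes its config/ and data/ directories
      # (config.php holds DB credentials and the instance secret). Confirm
      # nginx.conf.template denies /config, /data, /.ht*, /3rdparty, /lib,
      # /templates and the tt-rss config.d path, or mount only the public
      # asset directories.
      - nextcloud:/var/www/html/nextcloud:ro
      - ./christmas:/var/www/html/christmas:ro
      - tt-rss:/var/www/html/tt-rss:ro
    environment:
      - DOMAIN=${DOMAIN}
    depends_on:
      - nextcloud
      - gitea
      - collabora
      - pihole
      - foundry
      - tt-rss
      - homebox
    ports:
      - "443:443"
    networks:
      - nginx

  certs:
    <<: *certs
    environment:
      - SSL_SUBJECT=${DOMAIN}
      - CA_SUBJECT=chris@${DOMAIN}
      - SSL_KEY=/certs/${DOMAIN}.key
      - SSL_CSR=/certs/${DOMAIN}.csr
      - SSL_CERT=/certs/${DOMAIN}.crt

  psqldb:
    <<: *logging
    # PostgreSQL 12 reached end of life in November 2024; plan the upgrade.
    image: postgres:12-alpine
    restart: unless-stopped
    environment:
      - POSTGRES_USER=${DB_USER}
      - POSTGRES_PASSWORD=${DB_PASSWORD}
      - POSTGRES_DB=scarif
    volumes:
      - psqldb:/var/lib/postgresql/data
    networks:
      - db

volumes:
  db:
  psqldb:
  tt-rss:
  gitea:
  nextcloud:
  foundry:
  homebox:

networks:
  db:
  nginx:
  redis:
  meet.jitsi: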