ci: prevent multiline gitleaks false positives

.gitea/workflows/gitleaks.yml

@@ -0,0 +1,23 @@
+name: Gitleaks
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  gitleaks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install Gitleaks
+        run: |
+          wget -q https://github.com/gitleaks/gitleaks/releases/download/v8.24.2/gitleaks_8.24.2_linux_x64.tar.gz
+          tar -xzf gitleaks_8.24.2_linux_x64.tar.gz
+          chmod +x gitleaks
+
+      - name: Run Gitleaks
+        run: ./gitleaks dir . --config .gitleaks.toml --verbose

.gitlab-ci.yml

@@ -1,15 +0,0 @@
----
-gitleaks_scan:
-  image:
-    name: zricethezav/gitleaks:latest
-    entrypoint: [""]
-  stage: test
-  tags: [gitleaks, scan]
-  script:
-    - gitleaks detect --source=. --config=gitleaks.toml --report-format=json --report-path=gitleaks-report.json
-  allow_failure: false
-  only: [main, testing, merge_requests]
-  artifacts:
-    when: always
-    paths: [gitleaks-report.json]
-    expire_in: 1 week

.gitleaks.toml

@@ -0,0 +1,36 @@
+title = "Gitleaks Docker Compose CI/CD Config"
+
+[allowlist]
+description = "Ignore sample/example files and placeholders"
+paths = ['''.*\.env\.sample$''', '''.*\.env\.example$''', '''.*example.*''']
+
+regexes = [
+   '''\$\{[A-Za-z0-9_]+\}''',
+   '''(?i)(my-password|my-super-secret-auth-token|super_secret_password|very_sensitive_secret)''',
+]
+
+[[rules]]
+id = "docker-env-password"
+description = "Hardcoded password in docker-compose environment"
+regex = '''(?im)^\s*-?\s*[A-Z0-9_]*(PASSWORD|PASS|PWD)\s*[:=]\s*['"]?([A-Za-z0-9][A-Za-z0-9!@#%^&+=.,_~/-]{7,})['"]?\s*(?:#.*)?$'''
+secretGroup = 2
+tags = ["docker", "compose", "password", "env"]
+
+[[rules]]
+id = "docker-env-secret"
+description = "Hardcoded secret, token, or API key in docker-compose environment"
+regex = '''(?im)^\s*-?\s*[A-Z0-9_]*(SECRET|TOKEN|API[_-]?KEY)\s*[:=]\s*['"]?([A-Za-z0-9][A-Za-z0-9_\-]{19,})['"]?\s*(?:#.*)?$'''
+secretGroup = 2
+tags = ["docker", "compose", "secret", "env"]
+
+[[rules]]
+id = "aws-credentials"
+description = "AWS Access Key or Secret"
+regex = '''AKIA[0-9A-Z]{16}|(?i)aws[_-]secret[_-]access[_-]key\s*[:=]\s*[A-Za-z0-9/+=]{40}'''
+tags = ["aws", "compose", "credentials"]
+
+[[rules]]
+id = "private-key"
+description = "Private key detected"
+regex = '''-----BEGIN( RSA| EC| DSA| OPENSSH)? PRIVATE KEY-----'''
+tags = ["key", "pem", "compose"]

README.md

@@ -14,14 +14,13 @@
 
 ## Description
 
-This is my collection of docker compose files that I'm either currently using or
-have used on my homelab at some point.
+This is my collection of docker compose files that I'm either currently using or have used on my homelab at some point.
 
 ## Usage
 
 ```sh
 git clone -n --depth=1 --filter=tree:0 \
-  https://git.danesi.dev/cdanesi/docker.git
+    https://git.danesi.dev/cdanesi/docker.git
 cd docker
 git sparse-checkout set --no-cone /<directory name>
 git checkout
@@ -32,8 +31,7 @@ git sparse-checkout add /<directory name>
 
 ## Support
 
-I offer no support for these files. This is what works for me. These are for
-reference purposes only.
+I offer no support for these files. This is what works for me. These are for reference purposes only.
 
 ## Contributing
 
@@ -43,5 +41,4 @@ reference purposes only.
 
 ## Project status
 
-This is an ongoing project. I probably don't update existing compose files, but
-I'll add new stuff as it gets added to my homelab.
+This is an ongoing project. I probably don't update existing compose files, but I'll add new stuff as it gets added to my homelab.

dashy/docker-compose.yml

@@ -14,7 +14,10 @@ services:
       - TZ=America/New_York
     restart: unless-stopped
     healthcheck:
-      test: ["CMD", "node", "/app/services/healthcheck"]
+      test:
+        - "CMD"
+        - "node"
+        - "/app/services/healthcheck"
       interval: 1m30s
       timeout: 10s
       retries: 3

gitea-runner/docker-compose.yml

@@ -0,0 +1,13 @@
+services:
+  runner:
+    image: docker.io/gitea/act_runner:0.6.1
+    container_name: gitea-runner
+    restart: unless-stopped
+    environment:
+      CONFIG_FILE: /data/config.yaml
+      GITEA_INSTANCE_URL: https://git.danesi.dev
+      GITEA_RUNNER_REGISTRATION_TOKEN: ${GITEA_RUNNER_REGISTRATION_TOKEN}
+      GITEA_RUNNER_NAME: charon-runner-1
+    volumes:
+      - /srv/gitea-runner/data:/data
+      - /var/run/docker.sock:/var/run/docker.sock

gitea/docker-compose.yml

@@ -0,0 +1,47 @@
+services:
+  server:
+    image: docker.gitea.com/gitea:1.26.2
+    container_name: gitea
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+      - GITEA__database__DB_TYPE=postgres
+      - GITEA__database__HOST=db:5432
+      - GITEA__database__NAME=gitea
+      - GITEA__database__USER=gitea
+      - GITEA__database__PASSWD=${GITEA_DB_PASSWORD}
+      - GITEA__server__ROOT_URL=https://git.danesi.dev/
+      - GITEA__server__DOMAIN=git.danesi.dev
+      - GITEA__server__SSH_DOMAIN=git.danesi.dev
+      - GITEA__server__SSH_PORT=222
+    restart: unless-stopped
+    networks:
+      - gitea
+      - proxy
+    volumes:
+      - /srv/gitea/data:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    expose:
+      - "3000"
+    ports:
+      - "222:22"
+    depends_on:
+      - db
+
+  db:
+    image: docker.io/library/postgres:14
+    restart: unless-stopped
+    environment:
+      - POSTGRES_USER=gitea
+      - POSTGRES_PASSWORD=${GITEA_DB_PASSWORD}
+      - POSTGRES_DB=gitea
+    networks:
+      - gitea
+    volumes:
+      - /srv/gitea/postgres:/var/lib/postgresql/data
+
+networks:
+  gitea:
+  proxy:
+    external: true

gitleaks.toml

@@ -1,25 +0,0 @@
-title = "Gitleaks Docker Compose CI/CD Config"
-
-[[rules]]
-id = "docker-env-password"
-description = "Possible password in docker-compose environment"
-regex = "(?i)([A-Z0-9_]*(PASSWORD|PASS|PWD))[=:]\\s*['\"]?[A-Za-z0-9!@#$%^&*()_+={}\\[\\]:;,.<>?~-]{6,}['\"]?"
-tags = ["docker", "compose", "password", "env"]
-
-[[rules]]
-id = "docker-env-secret"
-description = "Generic secret or token in docker-compose environment"
-regex = "(?i)(SECRET|TOKEN|API[_-]?KEY)[=:]\\s*['\"]?[A-Za-z0-9_\\-]{16,}['\"]?"
-tags = ["docker", "compose", "secret", "env"]
-
-[[rules]]
-id = "aws-credentials"
-description = "AWS Access Key or Secret"
-regex = "(AKIA[0-9A-Z]{16}|(?i)aws[_-]secret[_-]access[_-]key\\s*[:=]\\s*[A-Za-z0-9/+=]{40})"
-tags = ["aws", "compose", "credentials"]
-
-[[rules]]
-id = "private-key"
-description = "Private key detected"
-regex = "-----BEGIN( RSA| EC| DSA)? PRIVATE KEY-----"
-tags = ["key", "pem", "compose"]

internet-speed-logger/docker-compose.yml

@@ -34,11 +34,11 @@ services:
     expose:
       - 27017
     environment:
-      - MONGODB_ROOT_PASSWORD=speedtest
+      - MONGODB_ROOT_PASSWORD=${MONGODB_ROOT_PASSWORD}
       - MONGODB_USERNAME=speedtest
-      - MONGODB_PASSWORD=speedtest
+      - MONGODB_PASSWORD=${MONGODB_PASSWORD}
       - MONGODB_DATABASE=speedtest
       - PGID
       - PUID
     volumes:
-      - ./mongo-persistence:/bitnami
+      - ./mongo-persistence:/bitnami

invoiceninja/docker-compose.yml

@@ -4,23 +4,18 @@ services:
     image: nginx
     container_name: in_nginx
     restart: always
+    command: /bin/sh -c "rm -f /etc/nginx/conf.d/default.conf && nginx -g 'daemon off;'"
     env_file: .env
     volumes:
-      # Vhost configuration
-      #- ./config/caddy/Caddyfile:/etc/caddy/Caddyfiledocker-com
-      - ./config/nginx/in-vhost.conf:/etc/nginx/conf.d/in-vhost.conf:ro
-      - ./data/public:/var/www/app/public:ro
+      - /srv/invoiceninja/config/nginx/in-vhost.conf:/etc/nginx/conf.d/in-vhost.conf:ro
+      - /srv/invoiceninja/docker/app/public:/var/www/app/public:ro
     depends_on:
       - app
-    # Run webserver nginx on port 80
-    # Feel free to modify depending what port is already occupied
-    ports:
-      - "80:80"
-      #- "443:443"
+    expose:
+      - "80"
     networks:
       - invoiceninja
-    extra_hosts:
-      - "in5.localhost:127.0.0.1" #host and ip
+      - proxy
 
   app:
     image: invoiceninja/invoiceninja:5
@@ -28,38 +23,27 @@ services:
     env_file: .env
     restart: always
     volumes:
-      - ./config/hosts:/etc/hosts:ro
-      - ./data/public:/var/www/app/public:rw,delegated
-      - ./data/storage:/var/www/app/storage:rw,delegated
-      - ./config/php/php.ini:/usr/local/etc/php/php.ini
-      - ./config/php/php-cli.ini:/usr/local/etc/php/php-cli.ini
-
+      - /srv/invoiceninja/config/hosts:/etc/hosts:ro
+      - /srv/invoiceninja/docker/app/public:/var/www/app/public:rw,delegated
+      - /srv/invoiceninja/docker/app/storage:/var/www/app/storage:rw,delegated
+      - /srv/invoiceninja/config/php/php.ini:/usr/local/etc/php/php.ini
+      - /srv/invoiceninja/config/php/php-cli.ini:/usr/local/etc/php/php-cli.ini
     depends_on:
       - db
     networks:
       - invoiceninja
-    extra_hosts:
-      - "in5.localhost:127.0.0.1" #host and ip
 
   db:
-    image: mariadb:10.4
+    image: mysql:8.4.0-oraclelinux8
     container_name: in_mysql
-    ports:
-      - "3305:3306"
     restart: always
     env_file: .env
     volumes:
-      - ./mysql/data:/var/lib/mysql:rw,delegated
-
-      # remove comments for next 4 lines if you want auto sql backups
-      #- ./mysql/bak:/backups:rw
-      #- ./config/mysql/backup-script:/etc/cron.daily/daily:ro
-      #- ./config/mysql/backup-script:/etc/cron.weekly/weekly:ro
-      #- ./config/mysql/backup-script:/etc/cron.monthly/monthly:ro
+      - /srv/invoiceninja/docker/mysql/data:/var/lib/mysql:rw,delegated
     networks:
       - invoiceninja
-    extra_hosts:
-      - "in5.localhost:127.0.0.1" #host and ip
 
 networks:
-  invoiceninja:
+  invoiceninja:
+  proxy:
+    external: true

linkstack/docker-compose.yml

@@ -1,10 +1,12 @@
 ---
 services:
   linkstack:
-    hostname: "linkstack"
     image: "linkstackorg/linkstack:latest"
+    container_name: linkstack
+    network_mode: bridge
     environment:
       TZ: "America/New_York"
+
       SERVER_ADMIN: ${SERVER_ADMIN} # admin email
       HTTP_SERVER_NAME: ${HTTP_SERVER_NAME} # fqdn, no protocol
       HTTPS_SERVER_NAME: ${HTTPS_SERVER_NAME} # fqdn, no protocol
@@ -12,9 +14,10 @@ services:
       PHP_MEMORY_LIMIT: "256M"
       UPLOAD_MAX_FILESIZE: "8M"
     volumes:
-      - "linkstack_data:/htdocs"
+      - linkstack_data:/htdocs
     ports:
-      - "8190:443"
+      - "127.0.0.1:8000:80"
+      # - '127.0.0.1:8190:443'
     restart: unless-stopped
 
 volumes:

linkwarden/docker-compose.yml

@@ -5,17 +5,35 @@ services:
     env_file: .env
     restart: always
     volumes:
-      - ./pgdata:/var/lib/postgresql/data
+      - /srv/linkwarden/pgdata:/var/lib/postgresql/data
+    networks:
+      - linkwarden_net
 
   linkwarden:
+    restart: "no"
+    mem_limit: 1024m
+    cpus: 0.75
+    # pids_limit: 150
+    container_name: linkwarden
     env_file: .env
     environment:
       - DATABASE_URL=postgresql://postgres:${POSTGRES_PASSWORD}@postgres:5432/postgres
-    restart: always
+    # restart: always
     image: ghcr.io/linkwarden/linkwarden:latest
     ports:
-      - 3000:3000
+      - 127.0.0.1:3000:3000
     volumes:
-      - ./data:/data/data
+      - /srv/linkwarden/data:/data/data
     depends_on:
-      - postgres
+      - postgres
+    networks:
+      - linkwarden_net
+
+networks:
+  linkwarden_net:
+    driver: bridge
+    driver_opts:
+      com.docker.network.driver.mtu: 1450
+    ipam:
+      config:
+        - subnet: 172.31.50.0/24

listmonk/docker-compose.yml

@@ -0,0 +1,70 @@
+# All LISTMONK_* env variables also support the LISTMONK_*_FILE pattern for loading secrets from files with Docker secrets and Podman
+# eg: LISTMONK_ADMIN_USER -> LISTMONK_ADMIN_USER_FILE=/path/to/file_with_value
+
+x-db-credentials: &db-credentials                             # Use the default POSTGRES_ credentials if they're available or simply default to "listmonk"
+  POSTGRES_USER: &db-user listmonk                            # for database user, password, and database name
+  POSTGRES_PASSWORD: &db-password listmonk
+  POSTGRES_DB: &db-name listmonk
+
+services:
+  # listmonk app
+  app:
+    image: listmonk/listmonk:latest
+    container_name: listmonk_app
+    restart: unless-stopped
+    ports:
+      - "9000:9000"                                           # To change the externally exposed port, change to: $custom_port:9000
+    networks:
+      - listmonk
+    hostname: listmonk.example.com                            # Recommend using FQDN for hostname
+    depends_on:
+      - db
+    command: [sh, -c, "./listmonk --install --idempotent --yes --config '' && ./listmonk --upgrade --yes --config '' && ./listmonk --config ''"]
+                                                              # --config (file) param is set to empty so that listmonk only uses the env vars (below) for config.
+                                                              # --install --idempotent ensures that DB installation happens only once on an empty DB, on the first ever start.
+                                                              # --upgrade automatically runs any DB migrations when a new image is pulled.
+
+    environment:                                              # The same params as in config.toml are passed as env vars here.
+      LISTMONK_app__address: 0.0.0.0:9000
+      LISTMONK_db__user: *db-user
+      LISTMONK_db__password: *db-password
+      LISTMONK_db__database: *db-name
+      LISTMONK_db__host: listmonk_db
+      LISTMONK_db__port: 5432
+      LISTMONK_db__ssl_mode: disable
+      LISTMONK_db__max_open: 25
+      LISTMONK_db__max_idle: 25
+      LISTMONK_db__max_lifetime: 300s
+      TZ: Etc/UTC
+      LISTMONK_ADMIN_USER: ${LISTMONK_ADMIN_USER:-}           # If these (optional) are set during the first `docker compose up`, then the Super Admin user is automatically created.
+      LISTMONK_ADMIN_PASSWORD: ${LISTMONK_ADMIN_PASSWORD:-}   # Otherwise, the user can be setup on the web app after the first visit to http://localhost:9000
+    volumes:
+      - ./uploads:/listmonk/uploads:rw                        # Mount an uploads directory on the host to /listmonk/uploads inside the container.
+                                                              # To use this, change directory path in Admin -> Settings -> Media to /listmonk/uploads
+
+  # Postgres database
+  db:
+    image: postgres:17-alpine
+    container_name: listmonk_db
+    restart: unless-stopped
+    ports:
+      - "127.0.0.1:5432:5432"                                 # Only bind on the local interface. To connect to Postgres externally, change this to 0.0.0.0
+    networks:
+      - listmonk
+    environment:
+      <<: *db-credentials
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U listmonk"]
+      interval: 10s
+      timeout: 5s
+      retries: 6
+    volumes:
+      - type: volume
+        source: listmonk-data
+        target: /var/lib/postgresql/data
+
+networks:
+  listmonk:
+
+volumes:
+  listmonk-data:

nginx-pm/docker-compose.yml

@@ -1,26 +1,36 @@
----
 services:
   app:
     image: "jc21/nginx-proxy-manager:latest"
+    container_name: nginx-proxy-manager
     restart: unless-stopped
+
     ports:
-      # These ports are in format <host-port>:<container-port>
       - "80:80" # Public HTTP Port
       - "443:443" # Public HTTPS Port
-      - "81:81" # Admin Web Port
-      - "22:22" # SSH
+      - "127.0.0.1:81:81" # Admin Web Port
       # Add any other Stream port you want to expose
       # - '21:21' # FTP
 
-    # Uncomment the next line if you uncomment anything in the section
-    # environment:
-    # Uncomment this if you want to change the location of
-    # the SQLite DB file within the container
-    # DB_SQLITE_FILE: "/data/database.sqlite"
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
 
-    # Uncomment this if IPv6 is not enabled on your host
-    # DISABLE_IPV6: 'true'
+    networks:
+      - proxy
+      - default
+
+    environment:
+      TZ: "America/New_York"
+      DISABLE_IPV6: "true"
+
+    healthcheck:
+      test: ["CMD", "/usr/bin/check-health"]
+      interval: 10s
+      timeout: 3s
 
     volumes:
-      - ./data:/data
-      - ./letsencrypt:/etc/letsencrypt
+      - /srv/npm/data:/data
+      - /srv/npm/letsencrypt:/etc/letsencrypt
+
+networks:
+  proxy:
+    external: true

paperless-ngx/docker-compose.yml

@@ -1,62 +1,35 @@
-# Docker Compose file for running paperless from the docker container registry.
-# This file contains everything paperless needs to run.
-# Paperless supports amd64, arm and arm64 hardware.
-# All compose files of paperless configure paperless in the following way:
-#
-# - Paperless is (re)started on system boot, if it was running before shutdown.
-# - Docker volumes for storing data are managed by Docker.
-# - Folders for importing and exporting files are created in the same directory
-#   as this file and mounted to the correct folders inside the container.
-# - Paperless listens on port 8000.
-#
-# SQLite is used as the database. The SQLite file is stored in the data volume.
-#
-# In addition to that, this Docker Compose file adds the following optional
-# configurations:
-#
-# - Apache Tika and Gotenberg servers are started with paperless and paperless
-#   is configured to use these services. These provide support for consuming
-#   Office documents (Word, Excel, Power Point and their LibreOffice counter-
-#   parts.
-#
-# To install and update paperless with this file, do the following:
-#
-# - Copy this file as 'docker-compose.yml' and the files 'docker-compose.env'
-#   and '.env' into a folder.
-# - Run 'docker compose pull'.
-# - Run 'docker compose up -d'.
-#
-# For more extensive installation and update instructions, refer to the
-# documentation.
----
 services:
   broker:
     image: docker.io/library/redis:8
     restart: unless-stopped
     volumes:
       - redisdata:/data
+
   webserver:
     image: ghcr.io/paperless-ngx/paperless-ngx:latest
+    container_name: paperless-webserver
     restart: unless-stopped
     depends_on:
       - broker
       - gotenberg
       - tika
-    ports:
-      - "8000:8000"
     volumes:
       - /srv/paperless/data:/usr/src/paperless/data
       - /srv/paperless/media:/usr/src/paperless/media
-      - ./export:/usr/src/paperless/export
-      - ./consume:/usr/src/paperless/consume
-      - /etc/timezone:/etc/timezone
-      - /etc/localtime:/etc/localtime
+      - /srv/paperless/export:/usr/src/paperless/export
+      - /srv/paperless/consume:/usr/src/paperless/consume
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
     env_file: docker-compose.env
     environment:
       PAPERLESS_REDIS: redis://broker:6379
       PAPERLESS_TIKA_ENABLED: 1
       PAPERLESS_TIKA_GOTENBERG_ENDPOINT: http://gotenberg:3000
       PAPERLESS_TIKA_ENDPOINT: http://tika:9998
+    networks:
+      - default
+      - proxy
+
   gotenberg:
     image: docker.io/gotenberg/gotenberg:8.20
     restart: unless-stopped
@@ -66,10 +39,14 @@ services:
       - "gotenberg"
       - "--chromium-disable-javascript=true"
       - "--chromium-allow-list=file:///tmp/.*"
+
   tika:
     image: docker.io/apache/tika:latest
     restart: unless-stopped
+
 volumes:
-  data:
-  media:
-  redisdata:
+  redisdata:
+
+networks:
+  proxy:
+    external: true

semaphore/docker-compose.yml

@@ -21,6 +21,8 @@ services:
       SEMAPHORE_ADMIN: "${semaphore_admin}"
       SEMAPHORE_ACCESS_KEY_ENCRYPTION: "${encryption_key}"
       ANSIBLE_HOST_KEY_CHECKING: "false"
+      ANSIBLE_FORKS: 5
+      ANSIBLE_TIMEOUT: 20
     restart: unless-stopped
     volumes:
-      - ./config:/etc/semaphore:rw
+      - /srv/semaphore/config:/etc/semaphore:rw

uptime-kuma/docker-compose.yml

@@ -1,14 +1,17 @@
 ---
 services:
   uptime-kuma:
-    image: louislam/uptime-kuma:1
+    image: louislam/uptime-kuma:2
     container_name: uptime-kuma
+    network_mode: bridge
     volumes:
-      - ./data:/app/data
+      - /srv/uptime-kuma/data:/app/data
     ports:
-      - 3001:3001
+      - 127.0.0.1:3001:3001
     environment:
-      - UID
-      - GID
+      - UID=1000
+      - GID=1000
       - TZ=America/New_York
+      #- SSL_KEY=/data/privkey.pem
+      #- SSL_CERT=/etc/letsencrypt/live/status.charlesdanesi.com/fullchain.pem
     restart: unless-stopped

vaultwarden/docker-compose.yml

@@ -4,23 +4,24 @@ services:
     image: vaultwarden/server:latest
     container_name: vaultwarden
     restart: unless-stopped
+    network_mode: bridge
     environment:
       TZ: America/Detroit
       SIGNUPS_ALLOWED: "false"
       WEBSOCKET_ENABLED: "true"
-      ADMIN_TOKEN: "${ADMIN_TOKEN}"
+      # ADMIN_TOKEN: "${ADMIN_TOKEN}"
       DOMAIN: "${DOMAIN}"
       SHOW_PASSWORD_HINT: "false"
       USE_SYSLOG: "false"
       LOG_FILE: /var/log/vaultwarden/vaultwarden.log
-      LOG_LEVEL: "debug"
+      LOG_LEVEL: "warn"
       EXTENDED_LOGGING: "true"
     volumes:
-      - ./data/:/data
+      - /srv/vaultwarden/data/:/data
       - /var/log/vaultwarden:/var/log/vaultwarden
     ports:
-      - 8090:80
-      - 3012:3012
+      - 127.0.0.1:8090:80
+      - 127.0.0.1:3012:3012
     logging:
       driver: json-file
       options:

veloren/docker-compose.yml

@@ -10,7 +10,7 @@ services:
       - "14005:14005"
     restart: always
     volumes:
-      - "./userdata:/opt/userdata"
+      - "/srv/veloren/userdata:/opt/userdata"
     environment:
       - RUST_LOG=debug,common::net=info
 

zammad/docker-compose.yml

@@ -0,0 +1,227 @@
+---
+x-shared:
+  zammad-service: &zammad-service
+    environment: &zammad-environment
+      MEMCACHE_SERVERS: ${MEMCACHE_SERVERS:-zammad-memcached:11211}
+      POSTGRESQL_DB: ${POSTGRES_DB:-zammad_production}
+      POSTGRESQL_HOST: ${POSTGRES_HOST:-zammad-postgresql}
+      POSTGRESQL_USER: ${POSTGRES_USER:-zammad}
+      POSTGRESQL_PASS: ${POSTGRES_PASS:-zammad}
+      POSTGRESQL_PORT: ${POSTGRES_PORT:-5432}
+      POSTGRESQL_OPTIONS: ${POSTGRESQL_OPTIONS:-?pool=50}
+      POSTGRESQL_DB_CREATE:
+
+      REDIS_URL: ${REDIS_URL:-redis://zammad-redis:6379}
+      REDIS_SENTINELS:
+      REDIS_SENTINEL_NAME:
+      REDIS_USERNAME:
+      REDIS_PASSWORD:
+      REDIS_SENTINEL_USERNAME:
+      REDIS_SENTINEL_PASSWORD:
+
+      S3_URL:
+      BACKUP_DIR: "${BACKUP_DIR:-/var/tmp/zammad}"
+      BACKUP_TIME: "${BACKUP_TIME:-03:00}"
+      BACKUP_ON_START: "${BACKUP_ON_START:-true}"
+      HOLD_DAYS: "${HOLD_DAYS:-10}"
+      TZ: "${TZ:-Europe/Berlin}"
+
+      AUTOWIZARD_JSON:
+      AUTOWIZARD_RELATIVE_PATH:
+      ELASTICSEARCH_ENABLED:
+      ELASTICSEARCH_SCHEMA:
+      ELASTICSEARCH_HOST:
+      ELASTICSEARCH_PORT:
+      ELASTICSEARCH_USER:
+      ELASTICSEARCH_PASS:
+      ELASTICSEARCH_NAMESPACE:
+      ELASTICSEARCH_REINDEX:
+      NGINX_PORT:
+      NGINX_CLIENT_MAX_BODY_SIZE:
+      NGINX_SERVER_NAME:
+      NGINX_SERVER_SCHEME:
+      RAILS_TRUSTED_PROXIES:
+      ZAMMAD_HTTP_TYPE:
+      ZAMMAD_FQDN:
+      ZAMMAD_WEB_CONCURRENCY:
+      ZAMMAD_MANAGE_SESSIONS_JOBS_WORKERS:
+      ZAMMAD_PROCESS_SESSIONS_JOBS_WORKERS:
+      ZAMMAD_PROCESS_SCHEDULED_JOBS_WORKERS:
+      ZAMMAD_PROCESS_DELAYED_JOBS_WORKERS:
+      ZAMMAD_PROCESS_DELAYED_JOBS_WORKER_THREADS:
+      ZAMMAD_PROCESS_DELAYED_AI_JOBS_WORKERS:
+      ZAMMAD_PROCESS_DELAYED_AI_JOBS_WORKER_THREADS:
+      ZAMMAD_PROCESS_DELAYED_COMMUNICATION_INBOUND_JOBS_WORKERS:
+      ZAMMAD_PROCESS_DELAYED_COMMUNICATION_INBOUND_JOBS_WORKER_THREADS:
+      ZAMMAD_OTRS_IMPORT_READ_TIMEOUT:
+      ZAMMAD_OTRS_IMPORT_TOTAL_TIMEOUT:
+      ZAMMAD_HTTP_OPEN_TIMEOUT:
+      ZAMMAD_HTTP_READ_TIMEOUT:
+      ZAMMAD_HTTP_TOTAL_TIMEOUT:
+      ZAMMAD_HTTP_AI_READ_TIMEOUT:
+      ZAMMAD_HTTP_AI_TOTAL_TIMEOUT:
+      ZAMMAD_HTTP_ELASTICSEARCH_READ_TIMEOUT:
+      ZAMMAD_HTTP_ELASTICSEARCH_TOTAL_TIMEOUT:
+      ZAMMAD_HTTP_ELASTICSEARCH_REINDEX_READ_TIMEOUT:
+      ZAMMAD_HTTP_ELASTICSEARCH_REINDEX_TOTAL_TIMEOUT:
+      ZAMMAD_HTTP_IMPORT_ATTACHMENT_READ_TIMEOUT:
+      ZAMMAD_HTTP_IMPORT_ATTACHMENT_TOTAL_TIMEOUT:
+      ZAMMAD_HTTP_WEBHOOK_READ_TIMEOUT:
+      ZAMMAD_HTTP_WEBHOOK_TOTAL_TIMEOUT:
+
+      ZAMMAD_PROCESS_SESSIONS_JOBS_DISABLE:
+      ZAMMAD_MANAGE_SESSIONS_JOBS_DISABLE:
+      ZAMMAD_PROCESS_SCHEDULED_JOBS_DISABLE:
+      ZAMMAD_PROCESS_DELAYED_JOBS_DISABLE:
+      ZAMMAD_PROCESS_DELAYED_AI_JOBS_DISABLE:
+      ZAMMAD_PROCESS_DELAYED_COMMUNICATION_INBOUND_JOBS_DISABLE:
+
+      ZAMMAD_GRAPHQL_INTROSPECTION:
+      ZAMMAD_AI_API_URL:
+      ZAMMAD_AI_TOKEN:
+      ZAMMAD_UI_BULK_BACKGROUND_UPDATE_THRESHOLD:
+      ZAMMAD_SETTING_TTL:
+      ZAMMAD_SAFE_MODE:
+      ZAMMAD_WEBSOCKET_SESSION_STORE_FORCE_FS_BACKEND:
+      ZAMMAD_RAILSSERVER_PORT:
+
+      ZAMMAD_SESSION_JOBS_CONCURRENT:
+      VIRTUAL_HOST:
+      VIRTUAL_PORT:
+      LETSENCRYPT_HOST:
+      LETSENCRYPT_EMAIL:
+
+    # image: ${IMAGE_REPO:-ghcr.io/zammad/zammad}:${VERSION:-7.0.1-0053}
+    image: ghcr.io/zammad/zammad:6.5.0-101
+    restart: ${RESTART:-always}
+    env_file: .env
+    volumes:
+      - zammad-backup:/var/tmp/zammad:ro
+      - zammad-storage:/opt/zammad/storage
+    depends_on:
+      zammad-memcached:
+        condition: service_healthy
+      zammad-postgresql:
+        condition: service_healthy
+      zammad-redis:
+        condition: service_healthy
+
+services:
+  zammad-backup:
+    <<: *zammad-service
+    command: ["zammad-backup"]
+    volumes:
+      - zammad-backup:/var/tmp/zammad
+      - zammad-storage:/opt/zammad/storage
+    user: 0:0
+
+  zammad-elasticsearch:
+    image: elasticsearch:${ELASTICSEARCH_VERSION:-9.4.2}
+    restart: ${RESTART:-always}
+    volumes:
+      - elasticsearch-data:/usr/share/elasticsearch/data
+    environment:
+      discovery.type: single-node
+      xpack.security.enabled: "false"
+      ES_JAVA_OPTS: ${ELASTICSEARCH_JAVA_OPTS:--Xms1g -Xmx1g}
+
+  zammad-init:
+    <<: *zammad-service
+    command: ["zammad-init"]
+    depends_on:
+      zammad-postgresql:
+        condition: service_healthy
+    restart: on-failure
+    user: 0:0
+
+  zammad-memcached:
+    command: memcached -m 256M
+    image: memcached:${MEMCACHE_VERSION:-1.6.42-alpine}
+    restart: ${RESTART:-always}
+    healthcheck:
+      test: ["CMD", "nc", "-z", "127.0.0.1", "11211"]
+      interval: 10s
+      timeout: 5s
+      start_period: 10s
+      retries: 5
+
+  zammad-nginx:
+    <<: *zammad-service
+    command: ["zammad-nginx"]
+    expose:
+      - "${NGINX_PORT:-8080}"
+    networks:
+      - default
+      - proxy
+    depends_on:
+      zammad-railsserver:
+        condition: service_healthy
+
+  zammad-postgresql:
+    environment:
+      POSTGRES_DB: ${POSTGRES_DB:-zammad_production}
+      POSTGRES_USER: ${POSTGRES_USER:-zammad}
+      POSTGRES_PASSWORD: ${POSTGRES_PASS:-zammad}
+    image: postgres:${POSTGRES_VERSION:-17.10-alpine}
+    restart: ${RESTART:-always}
+    volumes:
+      - postgresql-data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB}"]
+      interval: 10s
+      timeout: 5s
+      start_period: 60s
+      retries: 5
+
+  zammad-railsserver:
+    <<: *zammad-service
+    command: ["zammad-railsserver"]
+    healthcheck:
+      test:
+        [
+          "CMD",
+          "curl",
+          "-sf",
+          "http://127.0.0.1:${ZAMMAD_RAILSSERVER_PORT:-3000}",
+        ]
+      interval: 30s
+      timeout: 5s
+      start_period: 120s
+      retries: 3
+
+  zammad-redis:
+    image: redis:${REDIS_VERSION:-8.8.0-alpine}
+    restart: ${RESTART:-always}
+    volumes:
+      - redis-data:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 10s
+      timeout: 5s
+      start_period: 10s
+      retries: 5
+
+  zammad-scheduler:
+    <<: *zammad-service
+    command: ["zammad-scheduler"]
+
+  zammad-websocket:
+    <<: *zammad-service
+    command: ["zammad-websocket"]
+
+volumes:
+  elasticsearch-data:
+    driver: local
+  postgresql-data:
+    driver: local
+  redis-data:
+    driver: local
+  zammad-backup:
+    driver: local
+  zammad-storage:
+    driver: local
+
+networks:
+  proxy:
+    external: true
+