infra/docker-compose.yml


version: "3.9"
# varios contenedores tienen el dns especificado porque usamos gVisor, otros
# tienen network_mode bridge y links por la misma razón
# https://github.com/google/gvisor/blob/241fd5344fa8de9bbb20eb43d85bd481c050e718/g3doc/user_guide/tutorials/docker-compose.md
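services:
  # NOTE(review): every service below sits on the default `bridge` network.
  # There, `links:` only adds name resolution for the linked container; it is
  # not an allow-list and gives no isolation, so e.g. hnrd-postgres:5432 is
  # reachable by IP from any other container on this host. Per-stack
  # user-defined networks would give real segmentation.
  #
  # Supply chain: vaultwarden, kerberos-agent, photoprism, syncthing and the
  # untagged gitea.nulo.in/nulo/* images float on `latest`. Pin them to a
  # version or an `@sha256:` digest so a `docker compose pull` cannot silently
  # change what runs.
  dlbot:
    image: gitea.nulo.in/nulo/dlbot4
    restart: always
    network_mode: bridge
    dns: 8.8.8.8
    environment:
      TELEGRAM_TOKEN: "${DLBOT_TELEGRAM_TOKEN}"

  ddnser:
    image: gitea.nulo.in/nulo/ddnser
    restart: always
    network_mode: bridge
    dns: 8.8.8.8
    volumes:
      # Mounted read-only; presumably this file holds the DNS provider
      # credentials, so keep it out of the repository.
      - ./ddnser.json:/config/ddnser.json:ro
    entrypoint: ddnser /config/ddnser.json

  # https://docs.gitea.io/en-us/install-with-docker/
  forgejo:
    image: gitea.nulo.in/nulo/forgejo:v1.21.3-0
    restart: always
    # Performance under gVisor is VERY bad, so this one runs unsandboxed on
    # runc. Anything Forgejo executes on behalf of a push (git, LFS, hooks)
    # therefore only has the container boundary between it and the host kernel.
    runtime: runc
    network_mode: bridge
    dns: 8.8.8.8
    ports:
      # SSH listens on 993 inside the container (see SSH_PORT below) and is
      # published on host ports 993 and 420.
      - "993:993/tcp"
      - "420:993/tcp"
    environment:
      USER_UID: "1000"
      USER_GID: "1000"
      # !!!!!!!!! if anything here is changed, /data/gitea/conf/app.ini has
      # to be deleted, otherwise the previously generated value stays in use.
      SSH_PORT: "993"
      APP_NAME: "cat /dev/null"
      DOMAIN: "gitea.nulo.in"
      SSH_DOMAIN: "gitea.nulo.in"
      ROOT_URL: "https://gitea.nulo.in/"
      FORGEJO__server__SSH_EXPOSE_ANONYMOUS: "true"
      FORGEJO__server__OFFLINE_MODE: "true"
      LFS_START_SERVER: "true"
      # INSTALL_LOCK prevents the web installer from being reachable again;
      # DISABLE_REGISTRATION closes self sign-up (Woodpecker relies on this,
      # see WOODPECKER_OPEN).
      INSTALL_LOCK: "true"
      FORGEJO__security__PASSWORD_HASH_ALGO: "argon2"
      DISABLE_REGISTRATION: "true"
      FORGEJO__service__REGISTER_EMAIL_CONFIRM: "true"
      FORGEJO__service__ENABLE_NOTIFY_MAIL: "true"
      FORGEJO__service__DEFAULT_KEEP_EMAIL_PRIVATE: "true"
      # TODO: migrate secrets to env variables.. or not? https://docs.gitea.com/installation/install-with-docker-rootless?_highlight=env#managing-deployments-with-environment-variables
      FORGEJO__secret__SECRET_KEY: "${FORGEJO__secret__SECRET_KEY}"
      FORGEJO__repository__DEFAULT_BRANCH: "antifascista"
      FORGEJO__repository__ENABLE_PUSH_CREATE_USER: "true"
      FORGEJO__repository__ENABLE_PUSH_CREATE_ORG: "true"
      # 7 days, in seconds
      FORGEJO__session__SESSION_LIFE_TIME: "604800"
      FORGEJO__time__DEFAULT_UI_LOCATION: "America/Argentina/Buenos_Aires"
      FORGEJO__indexer__REPO_INDEXER_ENABLED: "true"
      FORGEJO__indexer__REPO_INDEXER_EXCLUDE: "**.mp4,**.jpg"
      FORGEJO__mailer__ENABLED: "${FORGEJO__mailer__ENABLED}"
      FORGEJO__mailer__FROM: "${FORGEJO__mailer__FROM}"
      FORGEJO__mailer__PROTOCOL: "${FORGEJO__mailer__PROTOCOL}"
      FORGEJO__mailer__SMTP_ADDR: "${FORGEJO__mailer__SMTP_ADDR}"
      FORGEJO__mailer__SMTP_PORT: "465"
      FORGEJO__mailer__USER: "${FORGEJO__mailer__USER}"
      FORGEJO__mailer__PASSWD: "${FORGEJO__mailer__PASSWD}"
      # `0x2E` is the escaped `.`: these keys map to the [email.incoming]
      # section of app.ini.
      FORGEJO__email_0x2E_incoming__ENABLED: "${FORGEJO__email_incoming__ENABLED}"
      FORGEJO__email_0x2E_incoming__REPLY_TO_ADDRESS: "${FORGEJO__email_incoming__REPLY_TO_ADDRESS}"
      FORGEJO__email_0x2E_incoming__HOST: "${FORGEJO__email_incoming__HOST}"
      FORGEJO__email_0x2E_incoming__PORT: "${FORGEJO__email_incoming__PORT}"
      FORGEJO__email_0x2E_incoming__USE_TLS: "${FORGEJO__email_incoming__USE_TLS}"
      FORGEJO__email_0x2E_incoming__USERNAME: "${FORGEJO__email_incoming__USERNAME}"
      FORGEJO__email_0x2E_incoming__PASSWORD: "${FORGEJO__email_incoming__PASSWORD}"
    volumes:
      - forgejo-data:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro

  woodpecker-server:
    image: docker.io/woodpeckerci/woodpecker-server:v2.3.0
    restart: always
    network_mode: bridge
    ports:
      # gRPC endpoint for agents, published on every host interface and
      # guarded only by WOODPECKER_AGENT_SECRET. If all agents are local,
      # bind it to one address instead (e.g. "127.0.0.1:9000:9000").
      - "9000:9000/tcp"
    environment:
      # WOODPECKER_OPEN lets any Forgejo account log in to CI; that is only
      # acceptable because Forgejo has DISABLE_REGISTRATION=true above.
      WOODPECKER_OPEN: "true"
      WOODPECKER_ADMIN: Nulo,fauno,mati
      WOODPECKER_HOST: https://ci.nulo.in
      WOODPECKER_GITEA: "true"
      WOODPECKER_GITEA_URL: https://gitea.nulo.in
      WOODPECKER_GITEA_CLIENT: "${WOODPECKER_GITEA_CLIENT}"
      WOODPECKER_GITEA_SECRET: "${WOODPECKER_GITEA_SECRET}"
      WOODPECKER_SESSION_EXPIRES: 168h
      WOODPECKER_AGENT_SECRET: "${WOODPECKER_AGENT_SECRET}"
      # Was `trace`. That level writes request/response detail into the
      # container logs and is likely to capture OAuth and session material;
      # raise it only for the duration of a debugging session.
      WOODPECKER_LOG_LEVEL: info
    volumes:
      - woodpecker-data:/var/lib/woodpecker

  vaultwarden:
    image: docker.io/vaultwarden/server:latest
    restart: always
    network_mode: bridge
    dns: 8.8.8.8
    environment:
      WEBSOCKET_ENABLED: "true"
      DOMAIN: "https://vaultwarden.nulo.in"
      # Vaultwarden also accepts an Argon2 PHC hash here (`vaultwarden hash`),
      # which keeps the plaintext admin token out of the environment/.env.
      ADMIN_TOKEN: "${VAULTWARDEN_ADMIN_TOKEN}"
      # NOTE(review): vaultwarden allows public sign-ups unless told otherwise.
      # If this instance is meant to be invite-only, enable the line below
      # (users can still be invited from the /admin panel):
      # SIGNUPS_ALLOWED: "false"
    volumes:
      - vaultwarden-data:/data

  nftmachin:
    image: gitea.nulo.in/nulo/nftmashin
    restart: always
    network_mode: bridge
    dns: 8.8.8.8
    volumes:
      - /var/lib/nftmachin:/usr/share/nftmachin/nfts

  checkin-bot:
    image: gitea.nulo.in/nulo/zulip-checkin-cyborg
    restart: always
    network_mode: bridge
    dns: 8.8.8.8
    environment:
      ZULIP_URL: https://sutty.zulipchat.com
      ZULIP_BOT_EMAIL: checkin-bot@sutty.zulipchat.com
      ZULIP_BOT_KEY: "${ZULIP_BOT_KEY}"
      ZULIP_STREAM: "Check-in"
      # Message text is user-facing and intentionally left in Spanish.
      ZULIP_MESSAGE: |
        ¡Hola Suttis! :sun_face: @**all**
        Unas preguntas para empezar la semana:
        1. ¿Que hicieron esta semana pasada?
        2. ¿Como se sienten? ¿Están como para hacer cosas esta semana?
        3. ¿Que ven que tienen que hacer esta semana?

  localfirstrelay:
    image: gitea.nulo.in/nulo/localfirst-relay
    restart: always
    network_mode: bridge

  nextcloud:
    image: gitea.nulo.in/nulo/nextcloud
    restart: always
    network_mode: bridge
    dns: 8.8.8.8
    environment:
      NEXTCLOUD_TRUSTED_DOMAINS: nube2.nulo.ar
      APACHE_DISABLE_REWRITE_IP: "1"
      # NOTE(review): Nextcloud's trusted_proxies is documented as a list of
      # IP addresses/CIDR ranges. Confirm a bare container name is honoured
      # here; if it is not, X-Forwarded-For from caddy is ignored and every
      # client (brute-force protection, logs) is seen as caddy's address.
      TRUSTED_PROXIES: caddy
      OVERWRITEPROTOCOL: https
    volumes:
      - nextcloud:/var/www/html

  radicale-personal:
    image: gitea.nulo.in/nulo/infra/radicale:latest-amd64
    restart: always
    network_mode: bridge
    volumes:
      - radicale-personal-collections:/collections
      # Read-only: the service has no reason to rewrite its own credentials.
      - ./radicale.htpasswd:/htpasswd:ro

  hedgedoc:
    # Make sure to use the latest release from https://hedgedoc.org/latest-release
    image: quay.io/hedgedoc/hedgedoc:1.9.7
    restart: always
    network_mode: bridge
    dns: 8.8.8.8
    environment:
      CMD_DB_URL: sqlite:/database/db.sqlite3
      CMD_DOMAIN: hedgedoc.nulo.ar
      CMD_PROTOCOL_USESSL: "true"
      # No anonymous accounts and no e-mail self-registration; anonymous
      # edits are still allowed on notes whose permission permits them.
      CMD_ALLOW_ANONYMOUS: "false"
      CMD_ALLOW_ANONYMOUS_EDITS: "true"
      CMD_ALLOW_FREEURL: "true"
      CMD_REQUIRE_FREEURL_AUTHENTICATION: "true"
      CMD_ALLOW_EMAIL_REGISTER: "false"
      CMD_DEFAULT_PERMISSION: limited
      CMD_SESSION_SECRET: "${HEDGEDOC_SESSION_SECRET}"
    volumes:
      - hedgedoc-uploads:/hedgedoc/public/uploads
      - hedgedoc-database:/database

  caddy:
    # image: docker.io/caddy:2
    build:
      context: .
      dockerfile: containers/caddy.Dockerfile
    restart: always
    network_mode: bridge
    environment:
      SYNCTHING_PASSWORD_HASH: "${SYNCTHING_PASSWORD_HASH}"
    # Only name resolution for the upstreams (default bridge network);
    # every upstream must still do its own authentication.
    links:
      - hedgedoc
      - nextcloud
      - localfirstrelay
      - nftmachin
      - vaultwarden
      - radicale-personal
      - forgejo
      - woodpecker-server
      - hnrd-backend
      - notificaciones-mati-lol
      - kerberos-agent
      - photoprism
      - syncthing
    dns: 8.8.8.8
    ports:
      - "80:80"
      - "443:443"
      # HTTP/3
      - "443:443/udp"
    volumes:
      # Read-only: a compromised caddy must not be able to re-route vhosts.
      - $PWD/Caddyfile:/etc/caddy/Caddyfile:ro
      # TLS certificates / ACME account keys live in caddy_data.
      - caddy_data:/data
      - caddy_config:/config
      - sitio-beta_enprogreso_nulo_ar:/www/beta.enprogreso.nulo.ar:ro
      - sitio-nulo_ar:/www/nulo.ar:ro
      - sitio-nulex:/www/nulex:ro
      - sitio-beta_schreiben_nulo_ar:/www/beta.schreiben.nulo.ar:ro
      - sitio-mati_lol:/www/mati.lol:ro
      - sitio-subir_mati_lol:/www/subir.mati.lol:ro
      - sitio-tareas_nulo_in:/www/tareas.nulo.in:ro
      - sitio-app_tareas_nulo_in:/www/app.tareas.nulo.in:ro
      - /var/archivos:/www/archivos.nulo.ar:ro

  restic:
    image: gitea.nulo.in/nulo/infra/restic:latest-amd64
    network_mode: bridge
    dns: 8.8.8.8
    # restic keys its parent-snapshot lookup on the hostname, so it has to be
    # stable across runs:
    # https://forum.restic.net/t/restic-never-finds-a-parent-snapshot-when-the-snapshot-exists/4312/2
    hostname: "${RESTIC_HOSTNAME}"
    # I/O under gVisor is slow
    runtime: runc
    environment:
      RESTIC_PASSWORD: "${RESTIC_PASSWORD}"
      AWS_ACCESS_KEY_ID: "${AWS_ACCESS_KEY_ID}"
      AWS_SECRET_ACCESS_KEY: "${AWS_SECRET_ACCESS_KEY}"
    volumes:
      # All sources are read-only, but they are live data directories:
      # database files (hedgedoc's sqlite, for one) can be caught mid-write.
      # Dump them, or stop the service, for a restorable backup.
      # NOTE(review): of the volumes grouped as "important data" at the end
      # of this file, hnrd-postgres, hnrd-image-uploads,
      # notificaciones-mati-lol-data, kerberos-recordings, photoprism-storage
      # and syncthing-state are NOT backed up here. For postgres use pg_dump
      # rather than copying the data directory.
      - hedgedoc-uploads:/data/hedgedoc-uploads:ro
      - hedgedoc-database:/data/hedgedoc-database:ro
      - nextcloud:/data/nextcloud:ro
      - vaultwarden-data:/data/vaultwarden-data:ro
      - forgejo-data:/data/forgejo-data:ro
      - woodpecker-data:/data/woodpecker-data:ro
      - radicale-personal-collections:/data/radicale-personal-collections:ro
      - restic-cache:/.cache

  # The static-recv-* services accept SSH as root (dropbear, /etc/dropbear
  # host keys persisted in a volume) on public ports so static sites can be
  # pushed. They deliberately stay under gVisor (no `runtime: runc`); that
  # sandbox is what stands between an authorized key and the host, so keep
  # each authorized_keys file minimal and per-site.
  static-recv-enprogreso:
    image: gitea.nulo.in/nulo/infra/static-recv:latest-amd64
    network_mode: bridge
    ports:
      - "2222:2222"
    volumes:
      - static-recv-keys:/etc/dropbear
      - ./static-recv/enprogreso_authorized_keys:/root/.ssh/authorized_keys:ro
      - sitio-beta_enprogreso_nulo_ar:/data/beta_enprogreso_nulo_ar

  static-recv-nulo_ar:
    image: gitea.nulo.in/nulo/infra/static-recv:latest-amd64
    network_mode: bridge
    ports:
      - "2223:2222"
    volumes:
      - static-recv-nulo_ar-keys:/etc/dropbear
      - ./static-recv/nulo_ar_authorized_keys:/root/.ssh/authorized_keys:ro
      - sitio-nulo_ar:/data/nulo_ar
      - sitio-beta_schreiben_nulo_ar:/data/beta_schreiben_nulo_ar
      - sitio-tareas_nulo_in:/data/tareas_nulo_in
      - sitio-app_tareas_nulo_in:/data/app_tareas_nulo_in
      - sitio-nulex:/data/nulex

  static-recv-mati_lol:
    image: gitea.nulo.in/nulo/infra/static-recv:latest-amd64
    network_mode: bridge
    ports:
      - "2224:2222"
    volumes:
      - static-recv-mati_lol-keys:/etc/dropbear
      - ./static-recv/mati_lol_authorized_keys:/root/.ssh/authorized_keys:ro
      - sitio-mati_lol:/data/mati_lol
      - sitio-subir_mati_lol:/data/subir_mati_lol

  hnrd-backend:
    image: gitea.nulo.in/nulo/hnrd-backend:latest
    network_mode: bridge
    environment:
      # Connects as the `postgres` superuser. A dedicated role with rights
      # on a single database would bound what a compromised backend can do.
      DATABASE_URL: "postgres://postgres:${HNRD_POSTGRES_PASSWORD}@hnrd-postgres/postgres"
    links:
      - hnrd-postgres
    volumes:
      - hnrd-image-uploads:/image_uploads

  hnrd-postgres:
    image: docker.io/postgres:13
    network_mode: bridge
    # No `ports:` — correct, but see the note at the top of `services`:
    # on the default bridge other containers can still reach 5432 by IP.
    environment:
      POSTGRES_PASSWORD: "${HNRD_POSTGRES_PASSWORD}"
    volumes:
      - hnrd-postgres:/var/lib/postgresql/data/

  notificaciones-mati-lol:
    image: gitea.nulo.in/mati/mati.lol/notificaciones-backend:latest-amd64
    network_mode: bridge
    dns: 8.8.8.8
    environment:
      PUSH_SECRET: "${MATI_LOL_PUSH_SECRET}"
      DATA_PATH: /data
    volumes:
      - notificaciones-mati-lol-data:/data

  kerberos-agent:
    image: docker.io/kerberos/agent:latest
    network_mode: bridge
    dns: 8.8.8.8
    environment:
      # full list of environment variables: https://github.com/kerberos-io/agent#override-with-environment-variables
      AGENT_NAME: agent1
      AGENT_PASSWORD: "${KERBEROS_SECRET}"
      # KERBEROS_RTSP_ENDPOINT presumably embeds the camera credentials in the
      # URL; keep it in .env and never inline it here.
      AGENT_CAPTURE_IPCAMERA_RTSP: "${KERBEROS_RTSP_ENDPOINT}/videoMain"
      AGENT_CAPTURE_IPCAMERA_SUB_RTSP: "${KERBEROS_RTSP_ENDPOINT}/videoSub"
      AGENT_CAPTURE_CONTINUOUS: "true"
      AGENT_TIMEZONE: America/Argentina/Buenos_Aires
      # AGENT_CAPTURE_MAXLENGTH: "600"
      AGENT_AUTO_CLEAN_MAX_SIZE: "3000"
      AGENT_OFFLINE: "true"
    volumes:
      # - ./agent1/config:/home/agent/data/config
      - kerberos-recordings:/home/agent/data/recordings

  photoprism:
    image: docker.io/photoprism/photoprism:latest
    # restart: unless-stopped
    stop_grace_period: 10s
    # Unsandboxed (runc) and, with PHOTOPRISM_UID/GID and `user:` left
    # commented below, running as root over a bind-mounted /var/photos.
    # Switching to an unprivileged uid is the single biggest hardening
    # available for this service.
    runtime: runc
    network_mode: bridge
    dns: 8.8.8.8
    # security_opt:
    #   - seccomp:unconfined
    #   - apparmor:unconfined
    # Not published on the host on purpose; reached through caddy only.
    # ports:
    #   - "2342:2342"
    environment:
      PHOTOPRISM_ADMIN_USER: "admin"
      PHOTOPRISM_ADMIN_PASSWORD: "${PHOTOPRISM_ADMIN_PASSWORD}"
      PHOTOPRISM_AUTH_MODE: "password"
      PHOTOPRISM_SITE_URL: "https://photoprism.nulo.in/"  # server URL in the format "http(s)://domain.name(:port)/(path)"
      # TLS is terminated by caddy.
      PHOTOPRISM_DISABLE_TLS: "true"
      PHOTOPRISM_ORIGINALS_LIMIT: "5000"  # file size limit for originals in MB (increase for high-res video)
      PHOTOPRISM_HTTP_COMPRESSION: "gzip"
      PHOTOPRISM_LOG_LEVEL: "info"  # log level: trace, debug, info, warning, error, fatal, or panic
      PHOTOPRISM_READONLY: "false"  # do not modify originals directory (reduced functionality)
      PHOTOPRISM_EXPERIMENTAL: "false"  # enables experimental features
      PHOTOPRISM_DISABLE_CHOWN: "false"  # disables updating storage permissions via chmod and chown on startup
      PHOTOPRISM_DISABLE_WEBDAV: "false"  # disables built-in WebDAV server
      PHOTOPRISM_DISABLE_SETTINGS: "false"  # disables settings UI and API
      PHOTOPRISM_DISABLE_TENSORFLOW: "false"
      PHOTOPRISM_DISABLE_FACES: "false"  # (requires TensorFlow)
      PHOTOPRISM_DISABLE_CLASSIFICATION: "false"  # (requires TensorFlow)
      PHOTOPRISM_DISABLE_VECTORS: "false"  # disables vector graphics support
      PHOTOPRISM_DISABLE_RAW: "false"
      PHOTOPRISM_RAW_PRESETS: "false"  # enables applying user presets when converting RAW images (reduces performance)
      PHOTOPRISM_JPEG_QUALITY: "85"  # a higher value increases the quality and file size of JPEG images and thumbnails (25-100)
      PHOTOPRISM_DETECT_NSFW: "false"  # automatically flags photos as private that MAY be offensive (requires TensorFlow)
      PHOTOPRISM_UPLOAD_NSFW: "true"  # allows uploads that MAY be offensive (no effect without TensorFlow)
      PHOTOPRISM_DATABASE_DRIVER: "sqlite"
      PHOTOPRISM_SITE_CAPTION: "AI-Powered Photos App"
      PHOTOPRISM_SITE_DESCRIPTION: ""  # meta site description
      PHOTOPRISM_SITE_AUTHOR: ""  # meta site author
      ## Video Transcoding (https://docs.photoprism.app/getting-started/advanced/transcoding/):
      # PHOTOPRISM_FFMPEG_ENCODER: "software"  # H.264/AVC encoder (software, intel, nvidia, apple, raspberry, or vaapi)
      # PHOTOPRISM_FFMPEG_SIZE: "1920"  # video size limit in pixels (720-7680) (default: 3840)
      # PHOTOPRISM_FFMPEG_BITRATE: "32"  # video bitrate limit in Mbit/s (default: 50)
      ## Run/install on first startup (options: update https gpu tensorflow davfs clitools clean):
      # PHOTOPRISM_INIT: "https gpu tensorflow"
      ## Run as a non-root user after initialization (supported: 0, 33, 50-99, 500-600, and 900-1200):
      # PHOTOPRISM_UID: 1000
      # PHOTOPRISM_GID: 1000
      # PHOTOPRISM_UMASK: 0000
    ## Start as non-root user before initialization (supported: 0, 33, 50-99, 500-600, and 900-1200):
    # user: "1000:1000"
    ## Share hardware devices with FFmpeg and TensorFlow (optional):
    # devices:
    #   - "/dev/dri:/dev/dri"  # Intel QSV
    #   - "/dev/nvidia0:/dev/nvidia0"  # Nvidia CUDA
    #   - "/dev/nvidiactl:/dev/nvidiactl"
    #   - "/dev/nvidia-modeset:/dev/nvidia-modeset"
    #   - "/dev/nvidia-nvswitchctl:/dev/nvidia-nvswitchctl"
    #   - "/dev/nvidia-uvm:/dev/nvidia-uvm"
    #   - "/dev/nvidia-uvm-tools:/dev/nvidia-uvm-tools"
    #   - "/dev/video11:/dev/video11"  # Video4Linux Video Encode Device (h264_v4l2m2m)
    working_dir: "/photoprism"  # do not change or remove
    volumes:
      - "/var/photos:/photoprism/originals"  # Original media files (DO NOT REMOVE)
      # - "/example/family:/photoprism/originals/family"  # *Additional* media folders can be mounted like this
      # - "~/Import:/photoprism/import"  # *Optional* base folder from which files can be imported to originals
      - "photoprism-storage:/photoprism/storage"  # *Writable* storage folder for cache, database, and sidecar files (DO NOT REMOVE)

  syncthing:
    image: docker.io/syncthing/syncthing:latest
    hostname: dorsiblanco
    # Unsandboxed (runc) AND running as root (PUID/PGID 0) over bind-mounted
    # photo directories. If the files under /var/photos can be chowned, run
    # as an unprivileged uid instead.
    runtime: runc
    network_mode: bridge
    dns: 8.8.8.8
    environment:
      PUID: "0"
      PGID: "0"
    volumes:
      - syncthing-state:/var/syncthing
      - "/var/photos/2021-2023 - FotosPixel7/:/var/syncthing/FotosPixel7"
      - "/var/photos/2023- - FotosPixel8/:/var/syncthing/FotosPixel8"
      - "/var/photos/2023- - FotosPixel8-2/:/var/syncthing/FotosPixel8-2"
      - "/var/pictures:/var/syncthing/pictures"
    ports:
      - "22000:22000/tcp"  # TCP file transfers
      - "22000:22000/udp"  # QUIC file transfers
      - "21027:21027/udp"  # Receive local discovery broadcasts
    restart: unless-stopped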
volumes:
  # Rebuildable / transient state. Explicit `{}` rather than a bare key so
  # the empty value is unambiguous to linters and parsers.
  caddy_data: {}
  caddy_config: {}
  restic-cache: {}
  # dropbear host keys for the static-recv-* services: regenerable, but
  # regenerating them changes the host key every pushing client has pinned.
  static-recv-keys: {}
  static-recv-nulo_ar-keys: {}
  static-recv-mati_lol-keys: {}
  # Rendered static sites, re-pushed through static-recv-*.
  sitio-beta_enprogreso_nulo_ar: {}
  sitio-nulo_ar: {}
  sitio-nulex: {}
  sitio-mati_lol: {}
  sitio-subir_mati_lol: {}
  sitio-beta_schreiben_nulo_ar: {}
  sitio-tareas_nulo_in: {}
  sitio-app_tareas_nulo_in: {}
  # Important data (compare against the mounts of the `restic` service to see
  # which of these actually get backed up).
  nextcloud: {}
  hedgedoc-database: {}
  hedgedoc-uploads: {}
  forgejo-data: {}
  woodpecker-data: {}
  vaultwarden-data: {}
  radicale-personal-collections: {}
  hnrd-postgres: {}
  hnrd-image-uploads: {}
  notificaciones-mati-lol-data: {}
  kerberos-recordings: {}
  photoprism-storage: {}
  syncthing-state: {}