## Please email [email protected] with any questions about this file, or setting up any services therein
## The actual files are not a monolith like this one; this page is generated as a convenient reference

## The following variables should be set in a file named .env in the same directory as docker-compose.yml (alter as needed):
# - CLOUDFLARE_API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# - TIMEZONE=America/Chicago
# - UID=1000
# - GID=1000

## The firewall is configured as follows:

# Allow traffic from traefik to other containers
# $ sudo iptables -A DOCKER-USER -s 10.160.3.254/32 -d 10.160.0.0/22 -i br_traefik -o br_traefik -j ACCEPT

# Allow other containers to reply to traefik
# $ sudo iptables -A DOCKER-USER -s 10.160.0.0/22 -d 10.160.3.254/32 -i br_traefik -o br_traefik -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Block all other traffic between containers not sharing an internal network
# $ sudo iptables -A DOCKER-USER -i br_traefik -o br_traefik -j REJECT

version: "3.9"

services:

  ### https://github.com/traefik/traefik
  ## Files for basicauth middleware should be generated with the following:
  # $ htpasswd -c "${filename}" "${username}"
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    environment:
      - "CF_DNS_API_TOKEN=${CLOUDFLARE_API_TOKEN:?not set}"
      - "TZ=${TIMEZONE:?not set}"
    command:
      - "--accesslog=true"
      - "--accesslog.bufferingsize=100"
      - "--accesslog.fields.names.StartUTC=drop"
      - "--accesslog.filepath=/var/log/access.log"
      - "--api"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.letsencrypt.acme.storage=/certs/acme.json"
      - "--entrypoints.http.address=:80"
      - "--entrypoints.http.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.http.http.redirections.entryPoint.to=https"
      - "--entrypoints.https.address=:443"
      - "--entrypoints.https.http3"
      - "--entrypoints.metrics.address=:8082"
      - "--experimental.http3=true"
      - "--log.filePath=/var/log/traefik.log"
      - "--log.level=ERROR"
      - "--metrics.prometheus=true"
      - "--metrics.prometheus.addentrypointslabels=true"
      - "--metrics.prometheus.addserviceslabels=true"
      - "--metrics.prometheus.entrypoint=metrics"
      - "--providers.docker=true"
      - "--providers.docker.exposedByDefault=false"
      - "--providers.docker.network=traefik"
      - "--providers.file.directory=/conf"
      - "--providers.file.watch=true"
      - "--serverstransport.insecureskipverify=true"
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.compress.compress=true"
      - "traefik.http.middlewares.adminauth.basicauth.usersfile=/conf/auth/admin"
      - "traefik.http.middlewares.familyauth.basicauth.usersfile=/conf/auth/family"
      - "traefik.http.middlewares.friendsauth.basicauth.usersfile=/conf/auth/friends"
      - "traefik.http.middlewares.ratelimit.ratelimit.average=3"
      - "traefik.http.middlewares.ratelimit.ratelimit.burst=1"
      - "traefik.http.middlewares.ratelimit.ratelimit.period=1"
      - "traefik.http.middlewares.ratelimit.ratelimit.sourcecriterion.requestheadername=Cf-Connecting-Ip"
      - "traefik.http.middlewares.secure.headers.browserxssfilter=true"
      - "traefik.http.middlewares.secure.headers.contenttypenosniff=true"
      - "traefik.http.middlewares.secure.headers.customframeoptionsvalue=SAMEORIGIN"
      - "traefik.http.middlewares.secure.headers.customresponseheaders.Expect-CT=enforce,max-age=86400"
      - "traefik.http.middlewares.secure.headers.customresponseheaders.Permissions-Policy=geolocation=(), midi=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(), payment=()"
      - "traefik.http.middlewares.secure.headers.customresponseheaders.Server=GNU-Netcat/0.7.1"
      - "traefik.http.middlewares.secure.headers.customresponseheaders.X-Clacks-Overhead=GNU Terry Pratchett"
      - "traefik.http.middlewares.secure.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.secure.headers.forcestsheader=true"
      - "traefik.http.middlewares.secure.headers.framedeny=true"
      - "traefik.http.middlewares.secure.headers.referrerpolicy=strict-origin"
      - "traefik.http.middlewares.secure.headers.sslredirect=true"
      - "traefik.http.middlewares.secure.headers.stsincludesubdomains=true"
      - "traefik.http.middlewares.secure.headers.stspreload=true"
      - "traefik.http.middlewares.secure.headers.stsseconds=63072000"
      - "traefik.http.routers.traefik.rule=Host(`dashboard.crimson.seedno.de`)"
      - "traefik.http.routers.traefik.entrypoints=https"
      - "[email protected]"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik.middlewares=adminauth"
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    networks:
      traefik:
        ipv4_address: 10.160.3.254
      prometheus:
    volumes:
      - type: bind
        source: /docker/traefik/certs
        target: /certs
      - type: bind
        source: /docker/traefik/config
        target: /conf
        read_only: true
      - type: bind
        source: /docker/traefik/logs
        target: /var/log
      - type: bind
        source: /var/run/docker.sock
        target: /var/run/docker.sock
        read_only: true

  ### https://github.com/ArchiveBox/ArchiveBox
  ## To add superuser:
  # $ docker exec -it archivebox /bin/sh -c 'su archivebox && cd /data && archivebox manage createsuperuser'
  ## To install additional dependencies:
  # $ docker exec -it archivebox /bin/sh -c 'su archivebox && cd /data && archivebox setup'
  archivebox:
    image: archivebox/archivebox:master
    container_name: archivebox
    restart: unless-stopped
    command: server --quick-init 0.0.0.0:8000
    depends_on:
      - archivebox-sonic
    environment:
      - "CHECK_SSL_VALIDITY=True"
      - "CHROME_HEADLESS=True"
      - "CHROME_SANDBOX=False"
      - "FOOTER_INFO=Contact [email protected] with questions or concerns."
      - "IN_DOCKER=True"
      - "ONLY_NEW=False"
      - "OUTPUT_PERMISSIONS=775"
      - "PGID=${GID:?not set}"
      - "PUID=${UID:?not set}"
      - "PUBLIC_ADD_VIEW=False"
      - "PUBLIC_INDEX=False"
      - "PUBLIC_SNAPSHOTS=False"
      - "RESOLUTION=1920,1080"
      - "SAVE_ARCHIVE_DOT_ORG=False"
      - "SAVE_DOM=True"
      - "SAVE_FAVICON=True"
      - "SAVE_GIT=True"
      - "SAVE_HEADERS=True"
      - "SAVE_MEDIA=True"
      - "SAVE_MERCURY=True"
      - "SAVE_PDF=True"
      - "SAVE_READABILITY=True"
      - "SAVE_SCREENSHOT=True"
      - "SAVE_SINGLEFILE=True"
      - "SAVE_TITLE=True"
      - "SAVE_WARC=True"
      - "SAVE_WGET=True"
      - "SAVE_WGET_REQUISITES=True"
      - "SEARCH_BACKEND_ENGINE=sonic"
      - "SEARCH_BACKEND_HOST_NAME=sonic"
      - "SEARCH_BACKEND_PASSWORD=${ARCHIVEBOX_SEARCH_BACKEND_PASSWORD:?not set}"
      - "SHOW_PROGRESS=False"
      - "SNAPSHOTS_PER_PAGE=40"
      - "TIME_ZONE=UTC"
      - "USE_COLOR=False"
    labels:
      - "flame.type=application"
      - "flame.name=ArchiveBox"
      - "flame.url=https://wayback.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.routers.archivebox.rule=Host(`wayback.seedno.de`)"
      - "traefik.http.routers.archivebox.entrypoints=https"
      - "traefik.http.routers.archivebox.service=archivebox"
      - "traefik.http.routers.archivebox.tls=true"
      - "traefik.http.routers.archivebox.tls.certresolver=letsencrypt"
      - "traefik.http.routers.archivebox.middlewares=compress,secure,[email protected]"
      - "traefik.http.services.archivebox.loadbalancer.server.port=8000"
    networks:
      - traefik
      - archivebox
    volumes:
      - type: bind
        source: /docker/archivebox/data
        target: /data

  archivebox-sonic:
    image: valeriansaliou/sonic:v1.3.0
    container_name: archivebox-sonic
    restart: unless-stopped
    environment:
      - "SEARCH_BACKEND_PASSWORD=${ARCHIVEBOX_SEARCH_BACKEND_PASSWORD:?not set}"
    networks:
      - archivebox
    volumes:
      - type: bind
        source: /docker/archivebox/config/sonic.cfg
        target: /etc/sonic.cfg
        read_only: true
      - type: bind
        source: /docker/archivebox/sonic
        target: /var/lib/sonic/store

  ### https://wiki.archiveteam.org/index.php/ArchiveTeam_Warrior
  archiveteam:
    image: atdr.meo.ws/archiveteam/warrior-dockerfile
    container_name: archiveteam
    restart: unless-stopped
    environment:
      - "CONCURRENT_ITEMS=6"
      - "DOWNLOADER=Seednode"
      - "HTTP_USERNAME=${ARCHIVETEAM_USERNAME:?not set}"
      - "HTTP_PASSWORD=${ARCHIVETEAM_PASSWORD:?not set}"
      - "SELECTED_PROJECT=auto"
    labels:
      - "flame.type=application"
      - "flame.name=ArchiveTeam"
      - "flame.url=https://warrior.crimson.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.routers.archiveteam.rule=Host(`warrior.crimson.seedno.de`)"
      - "traefik.http.routers.archiveteam.entrypoints=https"
      - "traefik.http.routers.archiveteam.service=archiveteam"
      - "traefik.http.routers.archiveteam.tls=true"
      - "traefik.http.routers.archiveteam.tls.certresolver=letsencrypt"
      - "traefik.http.routers.archiveteam.middlewares=compress,secure,[email protected]"
      - "traefik.http.services.archiveteam.loadbalancer.server.port=8001"
    networks:
      - traefik

  ### https://github.com/BookStackApp/BookStack
  bookstack:
    image: ghcr.io/linuxserver/bookstack:latest
    container_name: bookstack
    restart: unless-stopped
    depends_on:
      - bookstack-db
    environment:
      - "PUID=${UID:?not set}"
      - "PGID=${GID:?not set}"
      - "APP_URL=https://bookstack.seedno.de"
      - "DB_HOST=bookstack-db"
      - "DB_USER=${BOOKSTACK_DATABASE_USER:?not set}"
      - "DB_PASS=${BOOKSTACK_DATABASE_PASS:?not set}"
      - "DB_DATABASE=${BOOKSTACK_DATABASE_NAME:?not set}"
    labels:
      - "flame.type=application"
      - "flame.name=Bookstack"
      - "flame.url=https://bookstack.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.bookstack.headers.contentSecurityPolicy=default-src 'self'; style-src 'self' 'unsafe-inline'"
      - "traefik.http.routers.bookstack.rule=Host(`bookstack.seedno.de`)"
      - "traefik.http.routers.bookstack.entrypoints=https"
      - "traefik.http.routers.bookstack.service=bookstack"
      - "traefik.http.routers.bookstack.tls=true"
      - "traefik.http.routers.bookstack.tls.certresolver=letsencrypt"
      - "traefik.http.routers.bookstack.middlewares=compress,secure,bookstack,[email protected]"
      - "traefik.http.services.bookstack.loadbalancer.server.port=80"
    networks:
      - traefik
      - bookstack
    volumes:
      - type: bind
        source: /docker/bookstack/config
        target: /config

  bookstack-db:
    image: ghcr.io/linuxserver/mariadb
    container_name: bookstack-db
    restart: unless-stopped
    environment:
      - "MYSQL_ROOT_PASSWORD=${BOOKSTACK_DATABASE_ROOT_PASS:?not set}"
      - "PUID=${UID:?not set}"
      - "PGID=${GID:?not set}"
      - "TZ=${TIMEZONE:?not set}"
      - "MYSQL_DATABASE=${BOOKSTACK_DATABASE_NAME:?not set}"
      - "MYSQL_USER=${BOOKSTACK_DATABASE_USER:?not set}"
      - "MYSQL_PASSWORD=${BOOKSTACK_DATABASE_PASS:?not set}"
    networks:
      - bookstack
    volumes:
      - type: bind
        source: /docker/bookstack/database
        target: /config

  ### https://github.com/cockroachdb/cockroach
  cockroach-db:
    image: cockroachdb/cockroach:v21.2.10
    container_name: cockroach-db
    hostname: cockroach.crimson.seedno.de
    restart: unless-stopped
    command:
      - "start"
      - "--cache=.25"
      - "--max-sql-memory=.25"
      - "--join=cockroach.casa.seedno.de,cockroach.crimson.seedno.de,cockroach.storage.seedno.de"
      - "--advertise-addr=cockroach.crimson.seedno.de"
      - "--cluster-name=logging"
      - "--certs-dir=/certs"
    labels:
      - "flame.type=application"
      - "flame.name=CockroachDB"
      - "flame.url=https://cockroach.crimson.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.routers.cockroachdb.rule=Host(`cockroach.crimson.seedno.de`)"
      - "traefik.http.routers.cockroachdb.entrypoints=https"
      - "traefik.http.routers.cockroachdb.service=cockroachdb"
      - "traefik.http.routers.cockroachdb.tls=true"
      - "traefik.http.routers.cockroachdb.tls.certresolver=letsencrypt"
      - "traefik.http.routers.cockroachdb.middlewares=compress,secure,[email protected]"
      - "traefik.http.services.cockroachdb.loadbalancer.server.port=8080"
      - "traefik.http.services.cockroachdb.loadbalancer.server.scheme=https"
    ports:
      - "26257:26257"
    networks:
      - traefik
    volumes:
      - type: bind
        source: /docker/cockroachdb/certs
        target: /certs
        read_only: true
      - type: bind
        source: /docker/cockroachdb/data
        target: /cockroach/cockroach-data

  ### https://git.seedno.de/seednode/commands
  commands:
    image: docker.seedno.de/seednode/commands:latest
    container_name: commands
    restart: unless-stopped
    labels:
      - "flame.type=application"
      - "flame.name=Commands"
      - "flame.url=https://commands.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.commands.headers.contentSecurityPolicy=default-src 'self'; style-src 'self' 'unsafe-inline'"
      - "traefik.http.routers.commands.rule=Host(`commands.seedno.de`)"
      - "traefik.http.routers.commands.entrypoints=https"
      - "traefik.http.routers.commands.service=commands"
      - "traefik.http.routers.commands.tls=true"
      - "traefik.http.routers.commands.tls.certresolver=letsencrypt"
      - "traefik.http.routers.commands.middlewares=adminauth,compress,secure,commands,[email protected]"
      - "traefik.http.services.commands.loadbalancer.server.port=8080"
    networks:
      - traefik
    volumes:
      - type: bind
        source: /docker/commands/config
        target: /home/nonroot/.config/commands

  ### https://github.com/gchq/CyberChef
  cyberchef:
    image: mpepping/cyberchef:latest
    container_name: cyberchef
    restart: unless-stopped
    labels:
      - "flame.type=application"
      - "flame.name=CyberChef"
      - "flame.url=https://tools.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.cyberchef.headers.contentSecurityPolicy=default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'self' data:; frame-src 'self' data:; worker-src 'self' blob: data:"
      - "traefik.http.routers.cyberchef.rule=Host(`tools.seedno.de`)"
      - "traefik.http.routers.cyberchef.entrypoints=https"
      - "traefik.http.routers.cyberchef.service=cyberchef"
      - "traefik.http.routers.cyberchef.tls=true"
      - "traefik.http.routers.cyberchef.tls.certresolver=letsencrypt"
      - "traefik.http.routers.cyberchef.middlewares=compress,secure,cyberchef"
      - "traefik.http.services.cyberchef.loadbalancer.server.port=8000"
    networks:
      - traefik

  ### https://github.com/jgraph/drawio
  drawio:
    image: jgraph/drawio:latest
    container_name: drawio
    restart: unless-stopped
    environment:
      - "KEYSTORE_PASS=${DRAWIO_KEYSTORE_PASS:?not set}"
      - "KEY_PASS=${DRAWIO_KEY_PASS:?not set}"
    labels:
      - "flame.type=application"
      - "flame.name=Draw.io"
      - "flame.url=https://draw.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.drawio.headers.contentSecurityPolicy=default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self' https://www.draw.io/notifications"
      - "traefik.http.routers.drawio.rule=Host(`draw.seedno.de`)"
      - "traefik.http.routers.drawio.entrypoints=https"
      - "traefik.http.routers.drawio.service=drawio"
      - "traefik.http.routers.drawio.tls=true"
      - "traefik.http.routers.drawio.tls.certresolver=letsencrypt"
      - "traefik.http.routers.drawio.middlewares=compress,secure,drawio"
      - "traefik.http.services.drawio.loadbalancer.server.port=8080"
    networks:
      - traefik

  ### https://github.com/elastic/elasticsearch
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.1.3
    container_name: elasticsearch
    restart: unless-stopped
    environment:
      - "discovery.type=single-node"
      - "ES_JAVA_OPTS=-Xms1G -Xmx4G"
      - "xpack.security.enabled=false"
    networks:
      - elasticsearch
    volumes:
      - type: bind
        source: /docker/elasticsearch/data
        target: /usr/share/elasticsearch/data

  ### https://github.com/skeeto/endlessh
  endlessh:
    image: ghcr.io/linuxserver/endlessh
    container_name: endlessh
    restart: unless-stopped
    environment:
      - "PUID=${UID:?not set}"
      - "PGID=${GID:?not set}"
      - "TZ=${TIMEZONE:?not set}"
      - "MSDELAY=10000"
      - "MAXLINES=32"
      - "MAXCLIENTS=4096"
      - "LOGFILE=true"
      - "BINDFAMILY=4"
    ports:
      - "22:2222"
    networks:
      - endlessh
    volumes:
      - type: bind
        source: /docker/endlessh/config
        target: /config

  ### https://github.com/pawelmalak/flame
  flame:
    image: pawelmalak/flame:latest
    container_name: flame
    restart: unless-stopped
    environment:
      - "PASSWORD=${FLAME_PASSWORD:?not set}"
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.flame.headers.contentSecurityPolicy=default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self' https://raw.githubusercontent.com/"
      - "traefik.http.routers.flame.rule=Host(`flame.seedno.de`)"
      - "traefik.http.routers.flame.entrypoints=https"
      - "traefik.http.routers.flame.service=flame"
      - "traefik.http.routers.flame.tls=true"
      - "traefik.http.routers.flame.tls.certresolver=letsencrypt"
      - "traefik.http.routers.flame.middlewares=compress,secure,flame,[email protected]"
      - "traefik.http.services.flame.loadbalancer.server.port=5005"
    networks:
      - traefik
    volumes:
      - type: bind
        source: /docker/flame/data
        target: /app/data
      - type: bind
        source: /var/run/docker.sock
        target: /var/run/docker.sock
        read_only: true

  ### https://github.com/go-gitea/gitea
  gitea:
    image: gitea/gitea:latest
    container_name: gitea
    restart: unless-stopped
    depends_on:
      - gitea-db
    environment:
      - "TMPDIR=/data/backups"
      - "USER_UID=${UID:?not set}"
      - "USER_GID=${GID:?not set}"
    labels:
      - "flame.type=application"
      - "flame.name=Gitea"
      - "flame.url=https://git.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.gitea.headers.contentSecurityPolicy=default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self' https: data:; manifest-src 'self' data:"
      - "traefik.http.routers.gitea.rule=Host(`git.seedno.de`)"
      - "traefik.http.routers.gitea.entrypoints=https"
      - "traefik.http.routers.gitea.service=gitea"
      - "traefik.http.routers.gitea.tls=true"
      - "traefik.http.routers.gitea.tls.certresolver=letsencrypt"
      - "traefik.http.routers.gitea.middlewares=compress,secure,gitea"
      - "traefik.http.services.gitea.loadbalancer.server.port=3000"
    ports:
      - "9023:22"
    networks:
      - traefik
      - gitea
    volumes:
      - type: bind
        source: /docker/gitea/data
        target: /data
      - type: bind
        source: /etc/localtime
        target: /etc/localtime
        read_only: true
      - type: bind
        source: /docker/gitea/conf/sshd_config
        target: /etc/ssh/sshd_config
        read_only: true

  gitea-db:
    image: postgres:13-alpine
    container_name: gitea-db
    restart: unless-stopped
    environment:
      - "POSTGRES_DB=${GITEA_DATABASE_NAME:?not set}"
      - "POSTGRES_USER=${GITEA_DATABASE_USER:?not set}"
      - "POSTGRES_PASSWORD=${GITEA_DATABASE_PASS:?not set}"
    networks:
      - gitea
    volumes:
      - type: bind
        source: /docker/gitea/database
        target: /var/lib/postgresql/data

  ### https://github.com/grafana/grafana
  ## Set data source to "http://prometheus:9090"
  grafana-renderer:
    image: grafana/grafana-image-renderer:latest
    container_name: grafana-renderer
    restart: unless-stopped
    depends_on:
      - grafana
    environment:
      - "BROWSER_TZ=${TIMEZONE}"
      - "HTTP_HOST=0.0.0.0"
      - "HTTP_PORT=8081"
    networks:
      - grafana

  grafana:
    image: grafana/grafana:latest
    container_name: grafana
    restart: unless-stopped
    depends_on:
      - prometheus
    environment:
      - "GF_ALERTING_ENABLED=false"
      - "GF_AUTH_ANONYMOUS_ENABLED=false"
      - "GF_DEFAULT_INSTANCE_NAME=grafana.crimson.seedno.de"
      - "GF_INSTALL_PLUGINS=grafana-piechart-panel,grafana-clock-panel"
      - "GF_LOG_FILTERS=rendering:debug"
      - "GF_METRICS_ENABLED=true"
      - "GF_PATHS_TEMP_DATA_LIFETIME=0"
      - "GF_RENDERING_SERVER_URL=http://grafana-renderer:8081/render"
      - "GF_RENDERING_CALLBACK_URL=http://grafana:3000/"
      - "GF_SECURITY_COOKIE_SECURE=true"
      - "GF_SECURITY_DISABLE_GRAVATAR=true"
      - "GF_SECURITY_ALLOW_EMBEDDING=false"
      - "GF_SERVER_DOMAIN=grafana.crimson.seedno.de"
      - "GF_SERVER_ENFORCE_DOMAIN=true"
      - "GF_SERVER_HTTP_PORT=3000"
      - "GF_SERVER_HTTP_PROTOCOL=https"
      - "GF_SERVER_ROOT_URL=https://grafana.crimson.seedno.de/"
      - "GF_SERVER_SERVE_FROM_SUB_PATH=false"
      - "GF_SNAPSHOTS_EXTERNAL_ENABLED=false"
      - "GF_USERS_ALLOW_SIGN_UP=false"
      - "GF_USERS_VIEWERS_CAN_EDIT=false"
    labels:
      - "flame.type=application"
      - "flame.name=Grafana"
      - "flame.url=https://grafana.crimson.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.grafana.headers.contentSecurityPolicy=default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:"
      - "traefik.http.routers.grafana.rule=Host(`grafana.crimson.seedno.de`)"
      - "traefik.http.routers.grafana.entrypoints=https"
      - "traefik.http.routers.grafana.service=grafana"
      - "traefik.http.routers.grafana.tls=true"
      - "traefik.http.routers.grafana.tls.certresolver=letsencrypt"
      - "traefik.http.routers.grafana.middlewares=grafana,compress,secure,[email protected]"
      - "traefik.http.services.grafana.loadbalancer.server.port=3000"
    networks:
      - traefik
      - prometheus
      - grafana
    volumes:
      - type: bind
        source: /docker/grafana/data
        target: /var/lib/grafana

  ### https://github.com/apache/guacamole-server
  ## To generate the database schema:
  # $ docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgres > /tmp/initdb.sql
  # $ docker cp /tmp/initdb.sql guac-db:/tmp/initdb.sql
  # $ docker exec -it guac-db /bin/sh -c "cat /tmp/initdb.sql | psql --dbname=${GUACAMOLE_DATABASE_NAME} --user=${GUACAMOLE_DATABASE_USER} -f -"
  ## When configuring a connection, set the following for guacd parameters:
  # - Hostname: guacd-internal
  # - Port: 4822
  # - Encryption: None (unencrypted)
  ## RDP sessions should have a security mode of "NLA (Network Level Authentication)"
  guacamole:
    image: guacamole/guacamole:latest
    container_name: guacamole
    restart: unless-stopped
    environment:
      - "GUACD_HOSTNAME=guacd-internal"
      - "POSTGRES_HOSTNAME=guacamole-db"
      - "POSTGRES_DATABASE=${GUACAMOLE_DATABASE_NAME:?not set}"
      - "POSTGRES_USER=${GUACAMOLE_DATABASE_USER:?not set}"
      - "POSTGRES_PASSWORD=${GUACAMOLE_DATABASE_PASS:?not set}"
    labels:
      - "flame.type=application"
      - "flame.name=Guacamole"
      - "flame.url=https://guacamole.seedno.de/guacamole/"
      - "traefik.enable=true"
      - "traefik.http.middlewares.guacamole.headers.contentSecurityPolicy=default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'; img-src 'self' data:"
      - "traefik.http.routers.guacamole.rule=Host(`guacamole.seedno.de`) && PathPrefix(`/guacamole/`)"
      - "traefik.http.routers.guacamole.entrypoints=https"
      - "traefik.http.routers.guacamole.service=guacamole"
      - "traefik.http.routers.guacamole.tls=true"
      - "traefik.http.routers.guacamole.tls.certresolver=letsencrypt"
      - "traefik.http.routers.guacamole.middlewares=compress,secure,guacamole,[email protected]"
      - "traefik.http.services.guacamole.loadbalancer.server.port=8080"
    networks:
      - traefik
      - guacamole

  guacamole-db:
    image: postgres:13-alpine
    container_name: guacamole-db
    restart: unless-stopped
    environment:
      - "POSTGRES_DB=${GUACAMOLE_DATABASE_NAME:?not set}"
      - "POSTGRES_USER=${GUACAMOLE_DATABASE_USER:?not set}"
      - "POSTGRES_PASSWORD=${GUACAMOLE_DATABASE_PASS:?not set}"
    networks:
      - guacamole
    volumes:
      - type: bind
        source: /docker/guacamole/database
        target: /var/lib/postgresql/data

  guacd:
    image: linuxserver/guacd:latest
    container_name: guacd
    restart: unless-stopped
    networks:
      traefik:
      guacamole:
        aliases:
          - guacd-internal

  ### https://github.com/toptal/haste-server
  hastebin:
    image: angristan/hastebin:latest
    container_name: hastebin
    restart: unless-stopped
    environment:
      - "UID=${UID:?not set}"
      - "GID=${GID:?not set}"
    labels:
      - "flame.type=application"
      - "flame.name=Hastebin"
      - "flame.url=https://haste.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.hastebin.headers.contentSecurityPolicy=default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' ajax.googleapis.com"
      - "traefik.http.routers.hastebin.rule=Host(`haste.seedno.de`)"
      - "traefik.http.routers.hastebin.entrypoints=https"
      - "traefik.http.routers.hastebin.service=hastebin"
      - "traefik.http.routers.hastebin.tls=true"
      - "traefik.http.routers.hastebin.tls.certresolver=letsencrypt"
      - "traefik.http.routers.hastebin.middlewares=compress,secure,hastebin"
      - "traefik.http.services.hastebin.loadbalancer.server.port=7777"
    networks:
      - traefik
    volumes:
      - type: bind
        source: /docker/hastebin/data
        target: /app/data

  ### https://github.com/zelon88/HRConvert2
  hrconvert2:
    image: dwaaan/hrconvert2-docker:latest
    container_name: hrconvert2
    restart: unless-stopped
    labels:
      - "flame.type=application"
      - "flame.name=HRConvert2"
      - "flame.url=https://convert.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.hrconvert2.headers.contentSecurityPolicy=default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; img-src 'self' data:"
      - "traefik.http.routers.hrconvert2.rule=Host(`convert.seedno.de`)"
      - "traefik.http.routers.hrconvert2.entrypoints=https"
      - "traefik.http.routers.hrconvert2.service=hrconvert2"
      - "traefik.http.routers.hrconvert2.tls=true"
      - "traefik.http.routers.hrconvert2.tls.certresolver=letsencrypt"
      - "traefik.http.routers.hrconvert2.middlewares=adminauth,compress,secure,hrconvert2,[email protected]"
      - "traefik.http.services.hrconvert2.loadbalancer.server.port=80"
    networks:
      - traefik
    volumes:
      - type: bind
        source: /docker/hrconvert2/data/config.php
        target: /var/www/html/HRProprietary/HRConvert2/config.php
        read_only: true
      - type: bind
        source: /docker/hrconvert2/logs
        target: /var/www/html/HRProprietary/HRConvert2/Logs

  ### https://github.com/imgproxy/imgproxy
  imgproxy:
    image: darthsim/imgproxy:latest
    container_name: imgproxy
    restart: unless-stopped
    environment:
      - "IMGPROXY_KEY=${IMGPROXY_KEY:?not set}"
      - "IMGPROXY_SALT=${IMGPROXY_SALT:?not set}"
    labels:
      - "flame.type=application"
      - "flame.name=Imgproxy"
      - "flame.url=https://imgproxy.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.imgproxy.headers.contentSecurityPolicy=default-src 'self'"
      - "traefik.http.routers.imgproxy.rule=Host(`imgproxy.seedno.de`)"
      - "traefik.http.routers.imgproxy.entrypoints=https"
      - "traefik.http.routers.imgproxy.service=imgproxy"
      - "traefik.http.routers.imgproxy.tls=true"
      - "traefik.http.routers.imgproxy.tls.certresolver=letsencrypt"
      - "traefik.http.routers.imgproxy.middlewares=compress,secure,imgproxy"
      - "traefik.http.services.imgproxy.loadbalancer.server.port=8080"
    networks:
      - traefik

  ### https://github.com/jellyfin/jellyfin
  jellyfin:
    image: ghcr.io/linuxserver/jellyfin
    container_name: jellyfin
    restart: unless-stopped
    environment:
      - "PUID=${UID:?not set}"
      - "PGID=${GID:?not set}"
      - "TZ=${TIMEZONE:?not set}"
      - "JELLYFIN_PublishedServerUrl=watch.seedno.de"
    labels:
      - "flame.type=application"
      - "flame.name=Jellyfin"
      - "flame.url=https://jellyfin.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.routers.jellyfin.rule=Host(`watch.seedno.de`)"
      - "traefik.http.routers.jellyfin.entrypoints=https"
      - "traefik.http.routers.jellyfin.service=jellyfin"
      - "traefik.http.routers.jellyfin.tls=true"
      - "traefik.http.routers.jellyfin.tls.certresolver=letsencrypt"
      - "traefik.http.routers.jellyfin.middlewares=compress,secure,[email protected]"
      - "traefik.http.services.jellyfin.loadbalancer.server.port=8096"
    devices:
      - /dev/dri/renderD128:/dev/dri/renderD128
      - /dev/dri/card0:/dev/dri/card0
    networks:
      - traefik
    volumes:
      - type: bind
        source: /docker/jellyfin/config
        target: /config
      - type: bind
        source: /storage
        target: /data
        read_only: true

  ## https://github.com/danmanners/memegen
  memegen:
    image: docker.seedno.de/seednode/memegen:latest
    container_name: memegen
    restart: unless-stopped
    labels:
      - "flame.type=application"
      - "flame.name=MemeGen"
      - "flame.url=https://memegen.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.memegen.headers.contentSecurityPolicy=default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; img-src 'self' data: https://validator.swagger.io"
      - "traefik.http.routers.memegen.rule=Host(`memegen.seedno.de`)"
      - "traefik.http.routers.memegen.entrypoints=https"
      - "traefik.http.routers.memegen.service=memegen"
      - "traefik.http.routers.memegen.tls=true"
      - "traefik.http.routers.memegen.tls.certresolver=letsencrypt"
      - "traefik.http.routers.memegen.middlewares=compress,secure,memegen"
      - "traefik.http.services.memegen.loadbalancer.server.port=5000"
    networks:
      - traefik

  ### https://github.com/itzg/docker-minecraft-server
  ## To automatically install mods, create a file called mods.txt
  ## and bind mount it, setting MODS_FILE accordingly, with one
  ## URL per line. For example, to install WorldEdit and WorldGuard:
  ## https://dev.bukkit.org/projects/worldedit/files/latest
  ## https://dev.bukkit.org/projects/worldguard/files/latest
  minecraft1:
    image: itzg/minecraft-server:latest
    container_name: minecraft1
    restart: unless-stopped
    environment:
      - "AUTOPAUSE_PERIOD=10"
      - "AUTOPAUSE_TIMEOUT_EST=300"
      - "AUTOPAUSE_TIMEOUT_INIT=300"
      - "AUTOPAUSE_TIMEOUT_KN=60"
      - "ENABLE_AUTOPAUSE=true"
      - "ENABLE_COMMAND_BLOCK=false"
      - "ENABLE_ROLLING_LOGS=true"
      - "EULA=TRUE"
      - "FORCE_GAMEMODE=true"
      - "ICON=https://cdn.seedno.de/img/seednode.jpg"
      - "JVM_DD_OPTS=disable.watchdog:true"
      - "MAX_PLAYERS=16"
      - "MAX_TICK_TIME=-1"
      - "MEMORY=4G"
      - "MODE=survival"
      - "MODS_FILE=/mods.txt"
      - "MOTD=§cWelcome to Hell!§r"
      - "ONLINE_MODE=true"
      - "OVERRIDE_SERVER_PROPERTIES=true"
      - "PLAYER_IDLE_TIMEOUT=0"
      - "PREVENT_PROXY_CONNECTIONS=true"
      - "REMOVE_OLD_MODS=true"
      - "SERVER_PORT=25565"
      - "SNOOPER_ENABLED=false"
      - "TYPE=SPIGOT"
      - "USE_AIKAR_FLAGS=true"
      - "VERSION=LATEST"
      - "VIEW_DISTANCE=12"
      - "UID=${UID:?not set}"
      - "GID=${GID:?not set}"
      - "TZ=${TIMEZONE:?not set}"
    ports:
      - "25565:25565"
    networks:
      - traefik
    volumes:
      - type: bind
        source: /docker/minecraft/server1
        target: /data
      - type: bind
        source: /docker/minecraft/config/mods.txt
        target: /mods.txt
        read_only: true

  ### https://github.com/minio/minio
  ## Set up minio-client alias
  # $ mc alias set minio https://minio.seedno.de  
  ## Generate JWT bearer token
  # $ mc admin prometheus generate minio
  minio:
    image: minio/minio:latest
    container_name: minio
    restart: unless-stopped
    command:
      - "server"
      - "/data"
      - "--console-address"
      - ":9001"
    environment:
      - "MINIO_BROWSER_REDIRECT_URL=https://s3.seedno.de"
      - "MINIO_PROMETHEUS_AUTH_TYPE=jwt"
      - "MINIO_PROMETHEUS_JOB_ID=minio-job"
      - "MINIO_PROMETHEUS_URL=http://prometheus:9090"
      - "MINIO_ROOT_USER=${MINIO_ROOT_USER:?not set}"
      - "MINIO_ROOT_PASSWORD=${MINIO_ROOT_PASS:?not set}"
    labels:
      - "flame.type=application"
      - "flame.name=Minio"
      - "flame.url=https://console.minio.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.routers.minio-server.rule=Host(`minio.crimson.seedno.de`)"
      - "traefik.http.routers.minio-server.entrypoints=https"
      - "traefik.http.routers.minio-server.service=minio-server"
      - "traefik.http.routers.minio-server.tls=true"
      - "traefik.http.routers.minio-server.tls.certresolver=letsencrypt"
      - "traefik.http.routers.minio-server.middlewares=compress,secure,[email protected]"
      - "traefik.http.services.minio-server.loadbalancer.server.port=9000"
      - "traefik.http.routers.minio-console.rule=Host(`s3.seedno.de`)"
      - "traefik.http.routers.minio-console.entrypoints=https"
      - "traefik.http.routers.minio-console.service=minio-console"
      - "traefik.http.routers.minio-console.tls=true"
      - "traefik.http.routers.minio-console.tls.certresolver=letsencrypt"
      - "traefik.http.routers.minio-console.middlewares=compress,secure,[email protected]"
      - "traefik.http.services.minio-console.loadbalancer.server.port=9001"
    networks:
      - traefik
      - prometheus
    volumes:
      - type: bind
        source: /docker/minio/data
        target: /data

  ### https://git.seedno.de/seednode/docker-site-naughty
  naughty:
    image: docker.seedno.de/seednode/naughty:latest
    container_name: naughty
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.naughty.rule=PathPrefix(`/{path:.*(\\.env|\\.git|\\.aws|xmlrpc|wp-admin|wp-login).*}`)"
      - "traefik.http.routers.naughty.priority=255"
      - "traefik.http.routers.naughty.entrypoints=https"
      - "traefik.http.routers.naughty.service=naughty"
      - "traefik.http.routers.naughty.tls=true"
      - "traefik.http.routers.naughty.tls.certresolver=letsencrypt"
      - "traefik.http.routers.naughty.middlewares=compress,secure"
      - "traefik.http.services.naughty.loadbalancer.server.port=8080"
    networks:
      - traefik

  ### https://github.com/m1k1o/neko
  neko:
    image: m1k1o/neko:firefox
    container_name: neko
    restart: unless-stopped
    shm_size: 4gb
    environment:
      - "NEKO_AUDIO_BITRATE=192"
      - "NEKO_CONTROL_PROTECTION=true"
      - "NEKO_EPR=52000-52100"
      - "NEKO_ICELITE=1"
      - "NEKO_IMPLICIT_CONTROL=true"
      - "NEKO_LOCKS=controls"
      - "NEKO_MAX_FPS=60"
      - "NEKO_OPUS=true"
      - "NEKO_PASSWORD=${NEKO_PASS:?not set}"
      - "NEKO_PASSWORD_ADMIN=${NEKO_ADMIN_PASS:?not set}"
      - "[email protected]"
      - "NEKO_VIDEO_BITRATE=3500"
      - "NEKO_VP8=true"
    labels:
      - "flame.type=application"
      - "flame.name=Neko"
      - "flame.url=https://neko.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.neko.headers.contentSecurityPolicy=default-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; connect-src 'self' wss:"
      - "traefik.http.routers.neko.rule=Host(`neko.seedno.de`)"
      - "traefik.http.routers.neko.entrypoints=https"
      - "traefik.http.routers.neko.service=neko"
      - "traefik.http.routers.neko.tls=true"
      - "traefik.http.routers.neko.tls.certresolver=letsencrypt"
      - "traefik.http.routers.neko.middlewares=compress,secure,neko"
      - "traefik.http.services.neko.loadbalancer.server.port=8080"
    ports:
      - "52000-52100:52000-52100/udp"
    networks:
      - traefik

  ### https://github.com/netdata/netdata
  netdata:
    image: netdata/netdata:latest
    container_name: netdata
    hostname: netdata.crimson.seedno.de
    restart: unless-stopped
    cap_add:
      - "SYS_PTRACE"
    security_opt:
      - "apparmor:unconfined"
    labels:
      - "flame.type=application"
      - "flame.name=Netdata"
      - "flame.url=https://netdata.crimson.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.netdata.headers.contentSecurityPolicy=default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com; img-src 'self' data:; connect-src 'self' https://registry.my-netdata.io https://www.googleapis.com; frame-src 'self' https://app.netdata.cloud"
      - "traefik.http.routers.netdata.rule=Host(`netdata.crimson.seedno.de`)"
      - "traefik.http.routers.netdata.entrypoints=https"
      - "traefik.http.routers.netdata.service=netdata"
      - "traefik.http.routers.netdata.tls=true"
      - "traefik.http.routers.netdata.tls.certresolver=letsencrypt"
      - "traefik.http.routers.netdata.middlewares=compress,secure,netdata,[email protected]"
      - "traefik.http.services.netdata.loadbalancer.server.port=19999"
    networks:
      - traefik
    volumes:
      - type: bind
        source: /proc
        target: /host/proc
        read_only: true
      - type: bind
        source: /sys
        target: /host/sys
        read_only: true

  ### https://git.seedno.de/seednode/docker-nginx
  ## All my sites are configured via the file provider
  ## An example is available here:
  ## https://cdn.seedno.de/txt/access.seedno.de.yaml
  nginx:
    image: docker.seedno.de/seednode/nginx:latest
    container_name: nginx
    restart: unless-stopped
    depends_on:
      - nginx-php-fpm
    networks:
      - traefik
      - php
    volumes:
      - type: bind
        source: /docker/nginx/config
        target: /etc/nginx
        read_only: true
      - type: bind
        source: /docker/nginx/logs
        target: /var/log/nginx
      - type: bind
        source: /storage
        target: /storage
        read_only: true
      - type: bind
        source: /var/www/html
        target: /var/www/html
        read_only: true

  nginx-php-fpm:
    image: php:8-fpm-alpine
    container_name: nginx-php-fpm
    restart: unless-stopped
    networks:
      - php
    volumes:
      - type: bind
        source: /storage
        target: /storage
        read_only: true
      - type: bind
        source: /var/www/html
        target: /var/www/html
        read_only: true

  ### https://github.com/Luzifer/ots
  ots:
    image: docker.seedno.de/seednode/ots:latest
    container_name: ots
    restart: unless-stopped
    labels:
      - "flame.type=application"
      - "flame.name=OTS"
      - "flame.url=https://ots.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.ots.headers.contentSecurityPolicy=default-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; script-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com"
      - "traefik.http.routers.ots.rule=Host(`secrets.seedno.de`)"
      - "traefik.http.routers.ots.entrypoints=https"
      - "traefik.http.routers.ots.service=ots"
      - "traefik.http.routers.ots.tls=true"
      - "traefik.http.routers.ots.tls.certresolver=letsencrypt"
      - "traefik.http.routers.ots.middlewares=compress,secure,ots"
      - "traefik.http.services.ots.loadbalancer.server.port=3000"
    networks:
      - traefik

  ### https://git.seedno.de/seednode/docker-oui
  oui:
    image: docker.seedno.de/seednode/oui-web:latest
    container_name: oui
    restart: unless-stopped
    labels:
      - "flame.type=application"
      - "flame.name=OUI Web Lookup"
      - "flame.url=https://oui.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.oui.headers.contentSecurityPolicy=default-src 'self'"
      - "traefik.http.routers.oui.rule=Host(`oui.seedno.de`)"
      - "traefik.http.routers.oui.entrypoints=https"
      - "traefik.http.routers.oui.service=oui"
      - "traefik.http.routers.oui.tls=true"
      - "traefik.http.routers.oui.tls.certresolver=letsencrypt"
      - "traefik.http.routers.oui.middlewares=compress,secure,ratelimit,oui"
      - "traefik.http.services.oui.loadbalancer.server.port=8080"
    networks:
      - traefik

  ### https://github.com/owncast/owncast
  owncast:
    image: gabekangas/owncast:latest
    container_name: owncast
    restart: unless-stopped
    labels:
      - "flame.type=application"
      - "flame.name=Owncast"
      - "flame.url=https://stream.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.owncast.headers.contentSecurityPolicy=default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' blob:; img-src 'self' data:; font-src 'self' data:; media-src 'self' blob:"
      - "traefik.http.routers.owncast.rule=Host(`stream.seedno.de`)"
      - "traefik.http.routers.owncast.entrypoints=https"
      - "traefik.http.routers.owncast.service=owncast"
      - "traefik.http.routers.owncast.tls=true"
      - "traefik.http.routers.owncast.tls.certresolver=letsencrypt"
      - "traefik.http.routers.owncast.middlewares=compress,secure,owncast"
      - "traefik.http.services.owncast.loadbalancer.server.port=8080"
    ports:
      - "1935:1935"
    networks:
      - traefik
    volumes:
      - type: bind
        source: /docker/owncast/data
        target: /app/data

  ### https://github.com/jonaswinkler/paperless-ng
  paperless-ng:
    image: ghcr.io/linuxserver/paperless-ng:latest
    container_name: paperless-ng
    restart: unless-stopped
    depends_on:
      - paperless-ng-redis
    environment:
      - "PUID=${UID:?not set}"
      - "PGID=${GID:?not set}"
      - "TZ=${TIMEZONE:?not set}"
      - "REDIS_URL=paperless-ng-redis:6379"
    labels:
      - "flame.type=application"
      - "flame.name=Paperless-ng"
      - "flame.url=https://paperless.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.paperless-ng.headers.contentSecurityPolicy=default-src 'self'; img-src 'self' data:"
      - "traefik.http.routers.paperless-ng.rule=Host(`paperless.seedno.de`)"
      - "traefik.http.routers.paperless-ng.entrypoints=https"
      - "traefik.http.routers.paperless-ng.service=paperless-ng"
      - "traefik.http.routers.paperless-ng.tls=true"
      - "traefik.http.routers.paperless-ng.tls.certresolver=letsencrypt"
      - "traefik.http.routers.paperless-ng.middlewares=compress,secure,paperless-ng,[email protected]"
      - "traefik.http.services.paperless-ng.loadbalancer.server.port=8000"
    networks:
      - traefik
      - paperless-ng
    volumes:
      - type: bind
        source: /docker/paperless-ng/config
        target: /config
      - type: bind
        source: /docker/paperless-ng/data
        target: /data

  paperless-ng-redis:
    image: redis
    container_name: paperless-ng-redis
    restart: unless-stopped
    networks:
      - paperless-ng

  ### https://github.com/mkaczanowski/pastebin
  pastebin:
    image: mkaczanowski/pastebin
    container_name: pastebin
    restart: unless-stopped
    command:
      - "--address=0.0.0.0"
      - "--port=8000"
      - "--db=/data/pastebin.db"
      - "--uri=https://paste.seedno.de"
      - "--slug-len=12"
    labels:
      - "flame.type=application"
      - "flame.name=Pastebin"
      - "flame.url=https://paste.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.pastebin.headers.contentSecurityPolicy=default-src 'self'; style-src 'self' https://cdnjs.cloudflare.com; script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; font-src 'self' https://cdnjs.cloudflare.com; img-src 'self' data:"
      - "traefik.http.routers.pastebin.rule=Host(`paste.seedno.de`)"
      - "traefik.http.routers.pastebin.entrypoints=https"
      - "traefik.http.routers.pastebin.service=pastebin"
      - "traefik.http.routers.pastebin.tls=true"
      - "traefik.http.routers.pastebin.tls.certresolver=letsencrypt"
      - "traefik.http.routers.pastebin.middlewares=compress,secure,pastebin"
      - "traefik.http.services.pastebin.loadbalancer.server.port=8000"
    networks:
      - traefik
    volumes:
      - type: bind
        source: /docker/pastebin/data
        target: /data

  ### https://github.com/akhilrex/podgrab
  podgrab:
    image: akhilrex/podgrab:latest
    container_name: podgrab
    restart: unless-stopped
    environment:
      - "CHECK_FREQUENCY=60"
    labels:
      - "flame.type=application"
      - "flame.name=Podgrab"
      - "flame.url=https://podcasts.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.podgrab.headers.contentSecurityPolicy=default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"
      - "traefik.http.routers.podgrab.rule=Host(`podcasts.seedno.de`)"
      - "traefik.http.routers.podgrab.entrypoints=https"
      - "traefik.http.routers.podgrab.service=podgrab"
      - "traefik.http.routers.podgrab.tls=true"
      - "traefik.http.routers.podgrab.tls.certresolver=letsencrypt"
      - "traefik.http.routers.podgrab.middlewares=compress,secure,podgrab,[email protected]"
      - "traefik.http.services.podgrab.loadbalancer.server.port=8080"
    networks:
      - traefik
    volumes:
      - type: bind
        source: /docker/podgrab/config
        target: /config
      - type: bind
        source: /docker/podgrab/data
        target: /assets

  ### https://github.com/agersant/polaris
  polaris:
    image: ogarcia/polaris:latest
    container_name: polaris
    restart: unless-stopped
    labels:
      - "flame.type=application"
      - "flame.name=Polaris"
      - "flame.url=https://music.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.polaris.headers.contentSecurityPolicy=default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; img-src 'self' data: https://*.swagger.io"
      - "traefik.http.routers.polaris.rule=Host(`music.seedno.de`)"
      - "traefik.http.routers.polaris.entrypoints=https"
      - "traefik.http.routers.polaris.service=polaris"
      - "traefik.http.routers.polaris.tls=true"
      - "traefik.http.routers.polaris.tls.certresolver=letsencrypt"
      - "traefik.http.routers.polaris.middlewares=compress,secure,polaris,[email protected]"
      - "traefik.http.services.polaris.loadbalancer.server.port=5050"
    networks:
      - traefik
    volumes:
      - type: bind
        source: /docker/polaris/data
        target: /var/lib/polaris
      - type: bind
        source: /storage/audio
        target: /music
        read_only: true

  ## https://github.com/prometheus/prometheus
  prometheus:
    image: prom/prometheus:latest
    container_name: prometheus
    restart: unless-stopped
    command:
      - "--config.file=/etc/prometheus/prometheus.yml"
      - "--storage.tsdb.path=/prometheus"
      - "--storage.tsdb.retention.time=30d"
      - "--web.console.libraries=/usr/share/prometheus/console_libraries"
      - "--web.console.templates=/usr/share/prometheus/consoles"
    networks:
      - prometheus
    volumes:
      - type: bind
        source: /docker/prometheus/config/prometheus.yml
        target: /etc/prometheus/prometheus.yml
        read_only: true
      - type: bind
        source: /docker/prometheus/data
        target: /prometheus

  ### https://github.com/kgretzky/pwndrop
  pwndrop:
    image: ghcr.io/linuxserver/pwndrop:latest
    container_name: pwndrop
    restart: unless-stopped
    environment:
      - "PUID=${UID:?not set}"
      - "PGID=${GID:?not set}"
      - "TZ=${TIMEZONE:?not set}"
      - "SECRET_PATH=${PWNDROP_SECRET_PATH:?not set}"
    labels:
      - "flame.type=application"
      - "flame.name=Pwndrop"
      - "flame.url=https://files.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.pwndrop.headers.contentSecurityPolicy=default-src 'self'; style-src 'self' https://fonts.googleapis.com; script-src 'self' 'unsafe-inline' 'unsafe-eval'; font-src 'self' data: https://fonts.gstatic.com/"
      - "traefik.http.routers.pwndrop-admin.rule=Host(`files.seedno.de`) && PathPrefix(`${PWNDROP_SECRET_PATH}`)"
      - "traefik.http.routers.pwndrop-admin.entrypoints=https"
      - "traefik.http.routers.pwndrop-admin.service=pwndrop"
      - "traefik.http.routers.pwndrop-admin.tls=true"
      - "traefik.http.routers.pwndrop-admin.tls.certresolver=letsencrypt"
      - "traefik.http.routers.pwndrop-admin.middlewares=compress,secure,pwndrop"
      - "traefik.http.routers.pwndrop.rule=Host(`files.seedno.de`)"
      - "traefik.http.routers.pwndrop.entrypoints=https"
      - "traefik.http.routers.pwndrop.service=pwndrop"
      - "traefik.http.routers.pwndrop.tls=true"
      - "traefik.http.routers.pwndrop.tls.certresolver=letsencrypt"
      - "traefik.http.routers.pwndrop.middlewares=compress,secure,pwndrop"
      - "traefik.http.services.pwndrop.loadbalancer.server.port=8080"
    networks:
      - traefik
    volumes:
      - type: bind
        source: /docker/pwndrop/config
        target: /config

  ### https://github.com/qbittorrent/qBittorrent
  qbittorrent:
    image: ghcr.io/linuxserver/qbittorrent:latest
    container_name: qbittorrent
    restart: unless-stopped
    environment:
      - "PUID=${UID:?not set}"
      - "PGID=${GID:?not set}"
      - "TZ=${TIMEZONE:?not set}"
      - "UMASK_SET=022"
      - "WEBUI_PORT=8080"
    labels:
      - "flame.type=application"
      - "flame.name=QBittorrent"
      - "flame.url=https://torrent.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.qbittorrent.headers.contentSecurityPolicy=default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'"
      - "traefik.http.routers.qbittorrent.rule=Host(`torrent.seedno.de`)"
      - "traefik.http.routers.qbittorrent.entrypoints=https"
      - "traefik.http.routers.qbittorrent.service=qbittorrent"
      - "traefik.http.routers.qbittorrent.tls=true"
      - "traefik.http.routers.qbittorrent.tls.certresolver=letsencrypt"
      - "traefik.http.routers.qbittorrent.middlewares=compress,secure,qbittorrent,[email protected]ile"
      - "traefik.http.services.qbittorrent.loadbalancer.server.port=8080"
    ports:
      - "6881:6881"
      - "6881:6881/udp"
    networks:
      - traefik
    volumes:
      - type: bind
        source: /docker/qbittorrent/config
        target: /config
      - type: bind
        source: /storage/media/torrents
        target: /downloads

  ### https://hub.docker.com/_/registry
  registry:
    image: registry:2
    container_name: registry
    restart: unless-stopped
    environment:
      - "REGISTRY_HTTP_ADDR=0.0.0.0:5000"
      - "REGISTRY_HTTP_SECRET=${REGISTRY_SECRET:-not set}"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.registry.rule=Host(`docker.seedno.de`)"
      - "traefik.http.routers.registry.entrypoints=https"
      - "traefik.http.routers.registry.service=registry"
      - "traefik.http.routers.registry.tls=true"
      - "traefik.http.routers.registry.tls.certresolver=letsencrypt"
      - "traefik.http.routers.registry.middlewares=compress,secure,[email protected]"
      - "traefik.http.services.registry.loadbalancer.server.port=5000"
    networks:
      - traefik
    volumes:
      - type: bind
        source: /docker/registry/data
        target: /var/lib/registry

  ### https://github.com/ekzhang/rustpad
  rustpad:
    image: ekzhang/rustpad:latest
    container_name: rustpad
    restart: unless-stopped
    environment:
      - "EXPIRY_DAYS=1"
      - "SQLITE_URI=file:/app/db.sqlite"
    labels:
      - "flame.type=application"
      - "flame.name=Rustpad"
      - "flame.url=https://rustpad.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.rustpad.headers.contentSecurityPolicy=default-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net; font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net; worker-src 'self' blob:"
      - "traefik.http.routers.rustpad.rule=Host(`rustpad.seedno.de`)"
      - "traefik.http.routers.rustpad.entrypoints=https"
      - "traefik.http.routers.rustpad.service=rustpad"
      - "traefik.http.routers.rustpad.tls=true"
      - "traefik.http.routers.rustpad.tls.certresolver=letsencrypt"
      - "traefik.http.routers.rustpad.middlewares=compress,secure,rustpad"
      - "traefik.http.services.rustpad.loadbalancer.server.port=3030"
    networks:
      - traefik
    volumes:
      - type: bind
        source: /docker/rustpad/data
        target: /app

  ### https://hub.docker.com/r/sflow/prometheus
  sflow-collector:
    image: sflow/prometheus:latest
    container_name: sflow-collector
    restart: unless-stopped
    environment:
      - "RTMEM=2G"
    command:
      - "-Dsnmp.ifname=yes"
      - "-Dgeo.country=resources/config/GeoLite2-Country.mmdb"
    labels:
      - "flame.type=application"
      - "flame.name=sFlow Collector"
      - "flame.url=https://flows.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.sflow.headers.contentSecurityPolicy=default-src 'self'"
      - "traefik.http.routers.sflow.rule=Host(`flows.seedno.de`)"
      - "traefik.http.routers.sflow.entrypoints=https"
      - "traefik.http.routers.sflow.service=sflow"
      - "traefik.http.routers.sflow.tls=true"
      - "traefik.http.routers.sflow.tls.certresolver=letsencrypt"
      - "traefik.http.routers.sflow.middlewares=adminauth,compress,secure,sflow,[email protected]"
      - "traefik.http.services.sflow.loadbalancer.server.port=8008"
    ports:
      - "10.25.0.1:6343:6343/udp"
    networks:
      - traefik
      - prometheus

  ### https://github.com/sflow/host-sflow
  sflow-exporter:
    image: sflow/host-sflow:latest
    container_name: sflow-exporter
    restart: unless-stopped
    environment:
      - "COLLECTOR=flows.seedno.de"
      - "DROPMON=enable"
      - "NET=wan"
      - "POLLING=20"
      - "PORT=6343"
      - "SAMPLING=1000"
    network_mode: host

  ### https://github.com/oetiker/SmokePing
  smokeping:
    image: ghcr.io/linuxserver/smokeping:latest
    container_name: smokeping
    restart: unless-stopped
    environment:
      - "PUID=${UID:?not set}"
      - "PGID=${GID:?not set}"
      - "TZ=${TIMEZONE:?not set}"
    labels:
      - "flame.type=application"
      - "flame.name=Smokeping"
      - "flame.url=https://ping.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.smokeping.headers.contentSecurityPolicy=default-src 'self'; img-src 'self' data:"
      - "traefik.http.routers.smokeping.rule=Host(`ping.seedno.de`)"
      - "traefik.http.routers.smokeping.entrypoints=https"
      - "traefik.http.routers.smokeping.service=smokeping"
      - "traefik.http.routers.smokeping.tls=true"
      - "traefik.http.routers.smokeping.tls.certresolver=letsencrypt"
      - "traefik.http.routers.smokeping.middlewares=compress,secure,smokeping,[email protected]"
      - "traefik.http.services.smokeping.loadbalancer.server.port=80"
    networks:
      - traefik
    volumes:
      - type: bind
        source: /docker/smokeping/config
        target: /config
        read_only: true
      - type: bind
        source: /docker/smokeping/data
        target: /data

  ### https://github.com/RobinLinus/snapdrop
  ## Note: "proxy_set_header X-Forwarded-for $remote_addr;" must be commented out in /config/nginx/site-confs/default, due to how traefik handles the header value
  snapdrop:
    image: ghcr.io/linuxserver/snapdrop
    container_name: snapdrop
    restart: unless-stopped
    environment:
      - "PUID=${UID:?not set}"
      - "PGID=${GID:?not set}"
      - "TZ=${TIMEZONE:?not set}"
    labels:
      - "flame.type=application"
      - "flame.name=Snapdrop"
      - "flame.url=https://drop.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.snapdrop.headers.contentSecurityPolicy=default-src 'self'; style-src 'self' 'sha256-biLFinpqYMtWHmXfkA1BPeCY0/fNt46SAZ+BBk5YUog='; style-src-attr 'self' 'unsafe-inline'"
      - "traefik.http.routers.snapdrop.rule=Host(`drop.seedno.de`)"
      - "traefik.http.routers.snapdrop.entrypoints=https"
      - "traefik.http.routers.snapdrop.service=snapdrop"
      - "traefik.http.routers.snapdrop.tls=true"
      - "traefik.http.routers.snapdrop.tls.certresolver=letsencrypt"
      - "traefik.http.routers.snapdrop.middlewares=compress,secure,snapdrop"
      - "traefik.http.services.snapdrop.loadbalancer.server.port=80"
    networks:
      - traefik
    volumes:
      - type: bind
        source: /docker/snapdrop/config
        target: /config

  ### https://github.com/syncthing/syncthing
  syncthing:
    image: ghcr.io/linuxserver/syncthing:amd64-latest
    container_name: syncthing
    restart: unless-stopped
    environment:
      - "PUID=${UID:?not set}"
      - "PGID=${GID:?not set}"
      - "TZ=${TIMEZONE:?not set}"
      - "UMASK_SET=022"
    labels:
      - "flame.type=application"
      - "flame.name=Syncthing"
      - "flame.url=https://sync.crimson.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.routers.syncthing.rule=Host(`sync.crimson.seedno.de`)"
      - "traefik.http.routers.syncthing.entrypoints=https"
      - "traefik.http.routers.syncthing.service=syncthing"
      - "traefik.http.routers.syncthing.tls=true"
      - "traefik.http.routers.syncthing.tls.certresolver=letsencrypt"
      - "traefik.http.routers.syncthing.middlewares=adminauth,compress,secure,[email protected]"
      - "traefik.http.services.syncthing.loadbalancer.server.port=8384"
    ports:
      - "22000:22000"
    networks:
      - traefik
    volumes:
      - type: bind
        source: /docker/syncthing/config
        target: /config
      - type: bind
        source: /home/sinc/Dropbox
        target: /home/sinc/Dropbox
      - type: bind
        source: /storage
        target: /storage
      - type: bind
        source: /var/www/html
        target: /var/www/html

  ### https://github.com/RblSb/SyncTube
  synctube:
    image: docker.seedno.de/seednode/synctube:latest
    container_name: synctube
    restart: unless-stopped
    labels:
      - "flame.type=application"
      - "flame.name=Synctube"
      - "flame.url=https://synctube.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.synctube.headers.contentSecurityPolicy=default-src 'self'; style-src 'self' 'unsafe-inline' https://rsms.me; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://www.youtube.com; font-src 'self' https://rsms.me; connect-src 'self' https://cdn.jsdelivr.net https://www.googleapis.com; media-src 'self' https://www.googleapis.com; frame-src 'self' https://www.youtube.com"
      - "traefik.http.routers.synctube.rule=Host(`synctube.seedno.de`)"
      - "traefik.http.routers.synctube.entrypoints=https"
      - "traefik.http.routers.synctube.service=synctube"
      - "traefik.http.routers.synctube.tls=true"
      - "traefik.http.routers.synctube.tls.certresolver=letsencrypt"
      - "traefik.http.routers.synctube.middlewares=compress,secure,synctube"
      - "traefik.http.services.synctube.loadbalancer.server.port=4200"
    networks:
      - traefik
    volumes:
      - type: bind
        source: /docker/synctube/config
        target: /usr/src/app/user

  ### https://github.com/TES3MP/server-container
  ## To make a player admin, edit /server/data/data/player/.json,
  ## and change "staffRank" to 2 and "consoleAllowed" to "true" under "settings"
  tes3mp:
    image: tes3mp/server:0.8.1
    container_name: tes3mp
    restart: unless-stopped
    environment:
      - "TES3MP_SERVER_HOSTNAME=Seedno.de"
      - "TES3MP_SERVER_MAXIMUM_PLAYERS=16"
      - "TES3MP_SERVER_PASSWORD=${TES3MP_SERVER_PASSWORD:?not set}"
      - "TES3MP_SERVER_PORT=25561"
    ports:
      - "25561:25561/udp"
    volumes:
      - type: bind
        source: /docker/tes3mp/data
        target: /server/data

  ### https://github.com/dutchcoders/transfer.sh
  transfer:
    image: dutchcoders/transfer.sh
    container_name: transfer
    restart: unless-stopped
    environment:
      - "BASEDIR=/files/"
      - "CLAMAV_HOST=none"
      - "HTTP_AUTH_USER=${TRANSFER_HTTP_AUTH_USER:?not set}"
      - "HTTP_AUTH_PASS=${TRANSFER_HTTP_AUTH_PASS:?not set}"
      - "LOG=/logs/transfer.sh.log"
      - "PURGE_DAYS=3"
      - "PURGE_INTERVALS=4"
    command:
      - "--provider=local"
    labels:
      - "flame.type=application"
      - "flame.name=Transfer.sh"
      - "flame.url=https://transfer.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.transfer.headers.contentSecurityPolicy=default-src 'self'; img-src 'self' data:"
      - "traefik.http.routers.transfer.rule=Host(`transfer.seedno.de`)"
      - "traefik.http.routers.transfer.entrypoints=https"
      - "traefik.http.routers.transfer.service=transfer"
      - "traefik.http.routers.transfer.tls=true"
      - "traefik.http.routers.transfer.tls.certresolver=letsencrypt"
      - "traefik.http.routers.transfer.middlewares=compress,secure,transfer"
      - "traefik.http.services.transfer.loadbalancer.server.port=8080"
    networks:
      - traefik
    volumes:
      - type: bind
        source: /docker/transfer/data
        target: /files
      - type: bind
        source: /docker/transfer/logs
        target: /logs

  ### https://github.com/linuxserver/docker-unifi-controller
  unifi:
    image: jacobalberty/unifi:latest
    container_name: unifi
    restart: unless-stopped
    environment:
    - "BIND_PRIV=false"
    - "RUNAS_UID0=false"
    - "UNIFI_UID=${UID:?not set}"
    - "UNIFI_GID=${GID:?not set}"
    - "TZ=${TIMEZONE:?not set}"
    labels:
      - "flame.type=application"
      - "flame.name=Unifi Controller"
      - "flame.url=https://unifi.seedno.de"
    networks:
      - traefik
    ports:
      - "3478:3478/udp"
      - "8080:8080"
    volumes:
      - type: bind
        source: /docker/unifi/data
        target: /unifi

  ### https://github.com/dani-garcia/vaultwarden
  vaultwarden:
    image: vaultwarden/server:alpine
    container_name: vaultwarden
    restart: unless-stopped
    depends_on:
      - vaultwarden-db
    environment:
      - "DATABASE_URL=postgresql://${VAULTWARDEN_DATABASE_USER:?not set}:${VAULTWARDEN_DATABASE_PASS:?not set}@vaultwarden-db:5432/${VAULTWARDEN_DATABASE_NAME:?not set}"
      - "DOMAIN=https://vault.seedno.de"
      - "WEBSOCKET_ENABLED=false"
      - "SIGNUPS_ALLOWED=false"
      - "INVITATIONS_ALLOWED=false"
      - "SHOW_PASSWORD_HINT=false"
      - "TRASH_AUTO_DELETE_DAYS=30"
      - "LOG_FILE=/data/vaultwarden.log"
      - "ROCKET_PORT=80"
    labels:
      - "flame.type=application"
      - "flame.name=Vaultwarden"
      - "flame.url=https://vault.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.vaultwarden.headers.contentSecurityPolicy=default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'; img-src 'self' data:"
      - "traefik.http.routers.vaultwarden.rule=Host(`vault.seedno.de`)"
      - "traefik.http.routers.vaultwarden.entrypoints=https"
      - "traefik.http.routers.vaultwarden.service=vaultwarden"
      - "traefik.http.routers.vaultwarden.tls=true"
      - "traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt"
      - "traefik.http.routers.vaultwarden.middlewares=compress,secure,vaultwarden"
      - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
    networks:
      - traefik
      - vaultwarden
    volumes:
      - type: bind
        source: /docker/vaultwarden/data
        target: /data

  vaultwarden-db:
    image: postgres:13-alpine
    container_name: vaultwarden-db
    restart: unless-stopped
    environment:
      - "POSTGRES_DB=${VAULTWARDEN_DATABASE_NAME:?not set}"
      - "POSTGRES_USER=${VAULTWARDEN_DATABASE_USER:?not set}"
      - "POSTGRES_PASSWORD=${VAULTWARDEN_DATABASE_PASS:?not set}"
    networks:
      - vaultwarden
    volumes:
      - type: bind
        source: /docker/vaultwarden/database
        target: /var/lib/postgresql/data

  ### https://github.com/lovasoa/whitebophir
  whitebophir:
    image: lovasoa/wbo:latest
    container_name: whitebophir
    restart: unless-stopped
    labels:
      - "flame.type=application"
      - "flame.name=Whitebophir"
      - "flame.url=https://whiteboard.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.whitebophir.headers.contentSecurityPolicy=default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; img-src 'self' data:"
      - "traefik.http.routers.whitebophir.rule=Host(`whiteboard.seedno.de`)"
      - "traefik.http.routers.whitebophir.entrypoints=https"
      - "traefik.http.routers.whitebophir.service=whitebophir"
      - "traefik.http.routers.whitebophir.tls=true"
      - "traefik.http.routers.whitebophir.tls.certresolver=letsencrypt"
      - "traefik.http.routers.whitebophir.middlewares=compress,secure,whitebophir"
      - "traefik.http.services.whitebophir.loadbalancer.server.port=80"
    networks:
      - traefik
    volumes:
      - type: bind
        source: /docker/whitebophir/data
        target: /opt/app/server-data

  ### https://hub.docker.com/r/containous/whoami
  whoami:
    image: containous/whoami:latest
    container_name: whoami
    restart: unless-stopped
    labels:
      - "flame.type=application"
      - "flame.name=WhoAmI"
      - "flame.url=https://whoami.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.middlewares.whoami.headers.contentSecurityPolicy=default-src 'self'"
      - "traefik.http.routers.whoami.rule=Host(`whoami.seedno.de`)"
      - "traefik.http.routers.whoami.entrypoints=https"
      - "traefik.http.routers.whoami.service=whoami"
      - "traefik.http.routers.whoami.tls=true"
      - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
      - "traefik.http.routers.whoami.middlewares=compress,secure,ratelimit,whoami"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
    networks:
      - traefik

  ### https://www.xbrowsersync.org/
  xbrowsersync:
    image: xbrowsersync/api:latest
    container_name: xbrowsersync
    restart: unless-stopped
    depends_on:
      - xbrowsersync-db
    environment:
      - "XBROWSERSYNC_DB_PWD=${XBROWSERSYNC_DATABASE_PASS:?not set}"
      - "XBROWSERSYNC_DB_USER=${XBROWSERSYNC_DATABASE_USER:?not set}"
    healthcheck:
      test: [ "CMD", "node", "/usr/src/api/healthcheck.js" ]
      interval: "1m"
      timeout: "10s"
      retries: 5
      start_period: "30s"
    labels:
      - "flame.type=application"
      - "flame.name=xBrowserSync"
      - "flame.url=https://browser-sync.seedno.de"
      - "traefik.enable=true"
      - "traefik.http.routers.xbrowsersync.rule=Host(`browser-sync.seedno.de`)"
      - "traefik.http.routers.xbrowsersync.entrypoints=https"
      - "traefik.http.routers.xbrowsersync.service=xbrowsersync"
      - "traefik.http.routers.xbrowsersync.tls=true"
      - "traefik.http.routers.xbrowsersync.tls.certresolver=letsencrypt"
      - "traefik.http.routers.xbrowsersync.middlewares=compress,secure"
      - "traefik.http.services.xbrowsersync.loadbalancer.server.port=8080"
    networks:
      - traefik
      - xbrowsersync
    volumes:
      - type: bind
        source: /docker/xbrowsersync/config/settings.json
        target: /usr/src/api/config/settings.json
      - type: bind
        source: /docker/xbrowsersync/config/healthcheck.js
        target: /usr/src/api/healthcheck.js

  xbrowsersync-db:
    image: mongo:latest
    container_name: xbrowsersync-db
    restart: unless-stopped
    environment:
      - "MONGO_INITDB_DATABASE=${XBROWSERSYNC_DATABASE_NAME:?not set}"
      - "MONGO_INITDB_ROOT_PASSWORD=${XBROWSERSYNC_DATABASE_PASS:?not set}"
      - "MONGO_INITDB_ROOT_USERNAME=${XBROWSERSYNC_DATABASE_USER:?not set}"
      - "XBS_DB_NAME=${XBROWSERSYNC_DATABASE_NAME:?not set}"
      - "XBS_DB_PASSWORD=${XBROWSERSYNC_DATABASE_PASS:?not set}"
      - "XBS_DB_USERNAME=${XBROWSERSYNC_DATABASE_USER:?not set}"
    networks:
      - xbrowsersync
    volumes:
      - type: bind
        source: /docker/xbrowsersync/database
        target: /data/db
      - type: bind
        source: /docker/xbrowsersync/backups
        target: /data/backups
      - type: bind
        source: /docker/xbrowsersync/config/mongoconfig.js
        target: /docker-entrypoint-initdb.d/mongoconfig.js

networks:
  traefik:
    name: traefik
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: br_traefik
    ipam:
      driver: default
      config:
        - subnet: 10.160.0.0/22
  archivebox:
    name: archivebox
    internal: true
  bookstack:
    name: bookstack
    internal: true
  elasticsearch:
    name: elasticsearch
    internal: true
  endlessh:
    name: endlessh
  gitea:
    name: gitea
    internal: true
  grafana:
    name: grafana
    internal: true
  guacamole:
    name: guacamole
    internal: true
  paperless-ng:
    name: paperless-ng
    internal: true
  php:
    name: php
    internal: true
  prometheus:
    name: prometheus
    internal: true
  vaultwarden:
    name: vaultwarden
    internal: true
  xbrowsersync:
    name: xbrowsersync
    internal: true