cloud-swarm/base/docker-compose.yml

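version: '3.8'
services:
  # --- openvpn ----------------------------------------------------------------
  # VPN entry point into the swarm. Pinned to a manager only because its
  # config/PKI volume is an NFS mount defined under `volumes:` below.
  openvpn:
    # NET_ADMIN is presumably what the image needs to create the tun device and
    # its NAT rules; nothing in this file shows that, so verify before dropping.
    cap_add:
      - NET_ADMIN
    # TODO(security): unpinned tag. Pin to a tag or @sha256 digest so an
    # upstream push cannot silently change what the swarm runs.
    image: kylemanna/openvpn
    networks:
      - public
    deploy:
      mode: replicated
      replicas: 1
      update_config:
        parallelism: 1
        delay: 5s
        order: start-first
        failure_action: rollback
      rollback_config:
        order: start-first
      placement:
        constraints:
          - node.role == manager
    # Both UDP and TCP 1194 are published on every node (ingress mode). Remove
    # the TCP mapping if clients only use UDP, to shrink the listening surface.
    ports:
      - "1194:1194/udp"
      - "1194:1194"
    volumes:
      - openvpn:/etc/openvpn

  # --- docker-socket-proxy ----------------------------------------------------
  # Filtered Docker API for Traefik. Only the list endpoints the swarm provider
  # needs are switched on; everything not listed (POST included) stays at the
  # image's default, which is deny - confirm against the image version in use.
  # Port 2375 is deliberately NOT published on the host: the proxy is reachable
  # only over the internal `local` overlay.
  docker-socket-proxy:
    # TODO(security): unpinned tag - pin to a tag or @sha256 digest.
    image: tecnativa/docker-socket-proxy
    environment:
      - SERVICES=1
      - NETWORKS=1
      - TASKS=1
    # NET_ADMIN was removed from this service: it only listens on a TCP port
    # and needs no network-configuration capability. It holds the manager's
    # Docker socket, so its own privileges should be the bare minimum.
    networks:
      - local
    volumes:
      # `:ro` only makes the bind mount read-only; the daemon still accepts
      # every API call the proxy forwards. The endpoint allow-list above, not
      # the mount flag, is what bounds the blast radius.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    deploy:
      placement:
        constraints:
          - node.role == manager

  # --- traefik ----------------------------------------------------------------
  # Public edge proxy. It reaches the Docker API only through
  # docker-socket-proxy (no socket mount here) and discovers services on the
  # external `traefik` overlay. 80/443 are published as 8080/8443 while the
  # http->https redirect targets port 443, so something upstream is expected to
  # map 443 -> 8443 (which also explains the PROXY-protocol settings below).
  traefik:
    image: traefik:v3.3
    environment:
      - TZ=Europe/Berlin
    ports:
      - "8443:443"
      - "8080:80"
    networks:
      - traefik
      - local
    deploy:
      labels:
        # Opt this service in (exposedByDefault=false below) and tag it for the
        # constraint filter, so other stacks can run their own Traefik.
        - traefik.enable=true
        - traefik.constraint-label=traefik
        # `local`: source-IP allow-list. With depth=0 it is evaluated on the
        # peer address (X-Forwarded-For is ignored), i.e. the PROXY-protocol
        # address when the peer is in trustedIPs below, otherwise the raw
        # connection address. 172.30.0.0/16 contains this stack's own overlays,
        # so any task attached to the `traefik` network passes it. If mesh-
        # routed traffic can arrive WITHOUT a PROXY header, the source Traefik
        # sees is the ingress-network address - make sure that subnet is not in
        # this list, or every such client counts as "local".
        - traefik.http.middlewares.local.ipallowlist.sourcerange=10.0.0.0/12, 192.168.255.0/24, 172.35.0.0/24, 172.30.0.0/16
        - traefik.http.middlewares.local.ipallowlist.ipstrategy.depth=0
        # `admin-auth`: htpasswd users file from the swarm secret mounted below.
        - traefik.http.middlewares.admin-auth.basicauth.usersfile=/run/secrets/traefik-admin-user
        # Dashboard/API router: TLS + basic auth + allow-list. `--api` below is
        # used without `insecure`, so api@internal is reachable only this way.
        - traefik.http.routers.traefik-https.rule=Host(`traefik.szabolcsi.dev`)
        - traefik.http.routers.traefik-https.entrypoints=https
        - traefik.http.routers.traefik-https.tls=true
        - traefik.http.routers.traefik-https.tls.certresolver=letsencrypt
        - traefik.http.routers.traefik-https.service=api@internal
        - traefik.http.routers.traefik-https.middlewares=admin-auth,local
        # The swarm provider needs a server port to register the service at
        # all; both routers here target @internal services, so nothing is
        # actually proxied to 8080.
        - traefik.http.services.traefik.loadbalancer.server.port=8080
        # Prometheus scrape endpoint on the public entrypoint, guarded by the
        # allow-list only (no auth) - see the caveat on `local` above.
        - traefik.http.routers.traefik-metrics.rule=(Host(`traefik.szabolcsi.dev`) && PathPrefix(`/metrics`))
        - traefik.http.routers.traefik-metrics.entrypoints=https
        - traefik.http.routers.traefik-metrics.middlewares=local
        - traefik.http.routers.traefik-metrics.service=prometheus@internal
      update_config:
        order: "start-first"
        parallelism: 1
      rollback_config:
        parallelism: 1
        order: "start-first"
    volumes:
      # All three are NFS-backed (see `volumes:`). certificates/ and acme.json
      # hold private keys, so the export must be limited to the swarm nodes.
      - traefik-certificates:/certificates
      - traefik-config:/etc/traefik/dynamic_conf
      - traefik-letsencrypt:/letsencrypt
    secrets:
      - traefik-admin-user
    command:
      # Swarm provider via the filtered socket proxy. Nothing is exposed unless
      # it carries traefik.enable=true and the constraint label.
      - --providers.swarm.endpoint=tcp://docker-socket-proxy:2375
      - --providers.swarm.exposedByDefault=false
      - --providers.swarm.network=traefik
      - --providers.swarm.constraints=Label(`traefik.constraint-label`, `traefik`)
      # "http" entrypoint on :80 - redirect-only.
      - --entrypoints.http.address=:80
      - --entrypoints.http.http.encodequerysemicolons=true
      - --entrypoints.http.http.redirections.entryPoint.to=https
      - --entrypoints.http.http.redirections.entryPoint.scheme=https
      # "https" entrypoint on :443. 600s read/idle/write timeouts are generous
      # (a slow client can hold a connection for 10 minutes); tighten if the
      # upstream LB does not already bound that. PROXY-protocol headers are,
      # per Traefik's docs, honoured only from trustedIPs and ignored from any
      # other peer. Note this range (10.0.0.0/24) is narrower than the
      # 10.0.0.0/12 admitted by the allow-list label - confirm which is meant.
      - --entrypoints.https.address=:443
      - --entrypoints.https.transport.respondingTimeouts.readTimeout=600s
      - --entrypoints.https.transport.respondingTimeouts.idleTimeout=600s
      - --entrypoints.https.transport.respondingTimeouts.writeTimeout=600s
      - --entryPoints.https.proxyProtocol.trustedIPs=10.0.0.0/24,172.35.0.0/24,192.168.255.0/24,172.30.0.0/16
      - --entrypoints.https.http.encodequerysemicolons=true
      # Dynamic config from the NFS-backed directory. Whoever can write that
      # export can add routers/middlewares, so treat it like this file.
      - --providers.file.directory=/etc/traefik/dynamic_conf
      - --providers.file.watch=true
      # Access log to stdout, StartUTC field dropped.
      - --accesslog
      - --accesslog.fields.names.StartUTC=drop
      # ACME via TLS-ALPN-01 on :443. Account key and issued certs land in
      # acme.json on NFS; Traefik requires that file to be mode 0600, so check
      # the export's root_squash settings do not get in the way.
      - --certificatesresolvers.letsencrypt.acme.tlschallenge=true
      - --certificatesresolvers.letsencrypt.acme.email=letsencrypt@szabolcsi.eu
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      # Prometheus: a dedicated :8082 entrypoint that is not in `ports:`, so it
      # is only reachable inside the overlays. With manualrouting=true the
      # default router on it is disabled and scraping goes through the
      # traefik-metrics router on :443 instead.
      - --entryPoints.metrics.address=:8082
      - --metrics.prometheus=true
      - --metrics.prometheus.addServicesLabels=true
      - --metrics.prometheus.entryPoint=metrics
      - --metrics.prometheus.manualrouting=true
      # Traefik's own log; WARN keeps config and certificate errors visible.
      - --log
      - --log.level=WARN
      # API/dashboard in secure mode (no --api.insecure): only reachable via
      # the authenticated api@internal router defined in the labels above.
      - --api

  # --- dns (disabled) ---------------------------------------------------------
  # Kept for reference; the matching NFS volumes are commented out below too.
  # dns:
  #   image: ubuntu/bind9:9.18-22.04_beta
  #   environment:
  #     - TZ=Europe/Berlin
  #   networks:
  #     - dns
  #   deploy:
  #     mode: replicated
  #     replicas: 1
  #     restart_policy:
  #       condition: any
  #   ports:
  #     - "53:53"
  #     - "53:53/udp"
  #   volumes:
  #     - dns-config:/etc/bind
  #     - dns-cache:/var/cache/bind
  #     - dns-records:/var/lib/bind

  # --- swarm-cronjob ----------------------------------------------------------
  # Scheduler for services labelled swarm.cronjob.* (prune-nodes below). It
  # drives the Swarm API through the manager's socket with no filtering, so a
  # compromise of this container is equivalent to cluster root. It is pinned to
  # an exact version and has no published ports or Traefik labels - keep it so.
  swarm-cronjob:
    image: crazymax/swarm-cronjob:1.14.0
    volumes:
      # It updates services, so it needs the write side of the API; `:ro` on
      # the mount would not restrict API calls anyway.
      - "/var/run/docker.sock:/var/run/docker.sock"
    environment:
      - "TZ=Europe/Berlin"
      - "LOG_LEVEL=info"
      - "LOG_JSON=false"
    deploy:
      mode: replicated
      replicas: 1
      # stop-first so two schedulers never overlap during an update.
      update_config:
        order: "stop-first"
        parallelism: 1
      rollback_config:
        parallelism: 1
        order: "stop-first"
      resources:
        limits:
          cpus: '0.25'
      placement:
        constraints:
          - node.role == manager

  # --- prune-nodes ------------------------------------------------------------
  # Hourly `docker system prune -af` on every node, triggered by swarm-cronjob
  # (the labels must sit under deploy.labels to be seen). `-a` deletes every
  # image not used by a container on that node, including cached images of
  # services currently scheduled elsewhere, so a reschedule means a re-pull.
  # No --volumes flag, so the named volumes are untouched. Each task gets the
  # node's socket unfiltered; the CLI image is tag-pinned, a digest would be
  # stronger.
  prune-nodes:
    image: docker:27.3.1-alpine3.20
    command: [ "docker", "system", "prune", "-af" ]
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    deploy:
      resources:
        limits:
          cpus: '0.25'
      mode: global
      labels:
        - swarm.cronjob.enable=true
        # swarm-cronjob's cron syntax has a leading seconds field: this fires
        # at second 0, minute 0 of every hour.
        - "swarm.cronjob.schedule=0 0 * * * *"
        - swarm.cronjob.skip-running=true
      # A cron task must exit and stay exited; the scheduler restarts it.
      restart_policy:
        condition: none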
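networks:
  # Overlay for openvpn. `internal: false` so its tasks get a default gateway
  # and can reach (and be reached from) outside the swarm.
  public:
    name: base-public
    driver: overlay
    internal: false
    ipam:
      config:
        - subnet: 172.30.4.0/24
  # Traefik <-> docker-socket-proxy only. `internal: true` means no gateway:
  # nothing on this overlay can talk out of the swarm, which keeps the proxied
  # Docker API confined. Both subnets here fall inside 172.30.0.0/16, which
  # the Traefik `local` IP allow-list also admits.
  local:
    name: base-network
    driver: overlay
    internal: true
    ipam:
      config:
        - subnet: 172.30.5.0/24
  # Shared with the other stacks Traefik fronts; created outside this file.
  traefik:
    name: traefik
    external: true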
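volumes:
  # Every named volume below is an NFSv4 mount from 10.0.0.3. Two things to
  # settle on that server rather than in this file:
  #   - no `sec=` option is set, so the OpenVPN PKI, Traefik certificates and
  #     acme.json (all private-key material) cross the LAN in cleartext unless
  #     the link is otherwise protected; restrict the export to the swarm
  #     nodes' addresses at minimum.
  #   - `soft` turns a server timeout into an I/O error rather than a hang,
  #     which for acme.json/PKI writes can leave a truncated file; `hard` with
  #     a `timeo` is the safer choice for key material if hangs are acceptable.
  # dns-config:
  #   name: dns-config
  #   driver: local
  #   driver_opts:
  #     type: nfs
  #     device: ":/nfs_share/base/dns/config"
  #     o: "addr=10.0.0.3,rw,soft,nfsvers=4"
  # dns-cache:
  #   name: dns-cache
  #   driver: local
  #   driver_opts:
  #     type: nfs
  #     device: ":/nfs_share/base/dns/cache"
  #     o: "addr=10.0.0.3,rw,soft,nfsvers=4"
  # dns-records:
  #   name: dns-records
  #   driver: local
  #   driver_opts:
  #     type: nfs
  #     device: ":/nfs_share/base/dns/records"
  #     o: "addr=10.0.0.3,rw,soft,nfsvers=4"
  # OpenVPN config and PKI (CA key included if the PKI was built in place).
  openvpn:
    name: open-vpn
    driver: local
    driver_opts:
      type: nfs
      device: ":/nfs_share/base/open-vpn"
      o: "addr=10.0.0.3,rw,soft,nfsvers=4"
  # Manually managed certificates for Traefik.
  traefik-certificates:
    name: traefik-certificates
    driver: local
    driver_opts:
      type: nfs
      device: ":/nfs_share/base/traefik/certificates"
      o: "addr=10.0.0.3,rw,soft,nfsvers=4"
  # Traefik dynamic configuration (file provider, watched). Write access to
  # this export equals the ability to add routers and middlewares.
  traefik-config:
    name: traefik-config
    driver: local
    driver_opts:
      type: nfs
      device: ":/nfs_share/base/traefik/config"
      o: "addr=10.0.0.3,rw,soft,nfsvers=4"
  # acme.json: ACME account key plus issued certificates and their keys.
  traefik-letsencrypt:
    name: traefik-letsencrypt
    driver: local
    driver_opts:
      type: nfs
      device: ":/nfs_share/base/traefik/letsencrypt"
      o: "addr=10.0.0.3,rw,soft,nfsvers=4"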
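secrets:
  # htpasswd-format users file for the dashboard's basic-auth middleware.
  # Created out of band (`docker secret create`) and referenced by a name taken
  # from the environment, so no credential material lives in this file.
  traefik-admin-user:
    name: ${TRAEFIK_USER_SECRET_NAME}
    external: true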