Initial commit: Infraestructura OgnirNAS estabilizada

This commit is contained in:
2026-01-05 14:28:03 +01:00
commit 368f16c6a5
10 changed files with 297 additions and 0 deletions

22
adguard/docker-compose.yml Executable file

@@ -0,0 +1,22 @@
version: '3.8'
services:
adguard:
image: adguard/adguardhome
container_name: adguard
restart: unless-stopped
networks:
- services-internal-net
volumes:
- /volume1/docker/data/adguard/config:/opt/adguardhome/conf
- /volume1/docker/data/adguard/data:/opt/adguardhome/work
labels:
- "traefik.enable=true"
- "traefik.http.routers.adguard.rule=Host(`adguard.ognir-server.synology.me`)"
- "traefik.http.routers.adguard.entrypoints=websecure"
- "traefik.http.routers.adguard.tls.certresolver=letsencrypt"
- "traefik.http.services.adguard.loadbalancer.server.port=80"
networks:
services-internal-net:
external: true
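Review bot: The adguard router carries no middleware, so the `seguridad-general@file` headers applied to gitea and the dashboard (HSTS, nosniff, frameDeny) are not sent for the AdGuard admin UI; add `- "traefik.http.routers.adguard.middlewares=seguridad-general@file"` next to the entrypoints label. `image: adguard/adguardhome` has no tag, so every pull floats to whatever latest is — pin a version tag or digest (only traefik:v3.0 is pinned in this commit). The service also joins only services-internal-net and publishes no port 53, so unless another file or the macvlan network routes DNS to it, LAN clients cannot actually use it as a resolver — worth confirming.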

42
gitea/docker-compose.yml Executable file

@@ -0,0 +1,42 @@
# ==============================================================================
# GITEA - CONFIGURACIÓN DE PRODUCCIÓN PARA SYNOLOGY DSM
# ==============================================================================
# Este servicio corre bajo el UID 1032 y GID 100 gestionado internamente por s6.
# Se conecta a Traefik v3 a través de la red interna de servicios.
# ==============================================================================
version: "3.9"
services:
server:
image: gitea/gitea:latest
container_name: gitea
restart: always
networks:
- services-internal-net # Red compartida con el Proxy
volumes:
- /volume1/docker/data/gitea:/data # Persistencia de datos, SSH y DB
environment:
# IDs de usuario confirmados para evitar conflictos de permisos en el NAS
- USER_UID=1032
- USER_GID=100
- TZ=Europe/Madrid
# URL externa para evitar el redireccionamiento a localhost:3000
- GITEA__server__ROOT_URL=https://gitea.ognir-server.synology.me/
- GITEA__database__DB_TYPE=sqlite3
labels:
- "traefik.enable=true"
# Enrutamiento mediante Host
- "traefik.http.routers.gitea.rule=Host(`gitea.ognir-server.synology.me`)"
- "traefik.http.routers.gitea.entrypoints=websecure"
- "traefik.http.routers.gitea.tls=true"
- "traefik.http.routers.gitea.tls.certresolver=letsencrypt"
# Forzamos a Traefik a usar la red interna para evitar errores de gateway
- "traefik.docker.network=services-internal-net"
- "traefik.http.services.gitea.loadbalancer.server.port=3000"
# Uso del middleware de seguridad definido en el proveedor de archivos (@file)
- "traefik.http.routers.gitea.middlewares=seguridad-general@file"
networks:
services-internal-net:
external: true
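Review bot: Nothing in the environment disables open registration, and Gitea allows self-signup by default unless app.ini in /data already says otherwise, so a public `gitea.ognir-server.synology.me` may let anyone create an account; add `- GITEA__service__DISABLE_REGISTRATION=true` (and `- GITEA__service__REQUIRE_SIGNIN_VIEW=true` if repositories must not be browsable anonymously) alongside the other GITEA__ variables. `gitea/gitea:latest` is unpinned; pin a version tag so upgrades are deliberate. The header comment says the process drops to UID 1032 via s6, which implies the entrypoint still starts as root — acceptable for this image, but the rootless variant with a `user:` line would match how portainer and vaultwarden are run in this commit.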

11
init-net/docker-compose.yml Executable file

@@ -0,0 +1,11 @@
version: "3.8"
services:
init-net:
image: alpine:latest
container_name: init-macvlan-shim
network_mode: host # CRÍTICO: Para ver las interfaces del NAS
privileged: true # CRÍTICO: Para poder crear interfaces
restart: "no" # Solo queremos que corra al arrancar el motor Docker
volumes:
- /volume1/docker/.bin/macvlan-shim.sh:/script.sh:ro
entrypoint: ["/bin/sh", "-c", "apk add --no-cache iproute2 > /dev/null 2>&1 && /bin/sh /script.sh"]
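Review bot: `privileged: true` grants every capability and all host devices to a container that runs `apk add` from the network on each start and then executes a host-mounted script; creating macvlan interfaces from the host namespace should need only CAP_NET_ADMIN, so replace `privileged: true` with `cap_add:` / `- NET_ADMIN` (confirm the script does nothing else that needs more). Pin `alpine:latest` to a digest, or build a small image with iproute2 preinstalled, so a privileged boot-time step does not depend on an unverified download from a package mirror. The script /volume1/docker/.bin/macvlan-shim.sh is not part of this commit, so what it actually does cannot be reviewed here.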


@@ -0,0 +1,30 @@
version: '3.8'
services:
portainer:
image: portainer/portainer-ce:latest
container_name: portainer
restart: always
user: "1032:100"
group_add:
- "65538"
networks:
- services-internal-net
# Importante: mantenemos los puertos por si falla el proxy, pero Traefik irá por el 9000 interno
ports:
- "8000:8000"
- "9443:9443"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /volume1/docker/configs/portainer:/config
- /volume1/docker/data/portainer:/data
labels:
- "traefik.enable=true"
- "traefik.http.routers.portainer.rule=Host(`portainer.ognir-server.synology.me`)"
- "traefik.http.routers.portainer.entrypoints=websecure"
- "traefik.http.routers.portainer.tls=true"
- "traefik.http.routers.portainer.tls.certresolver=myresolver" # Cambia 'myresolver' por el nombre que tengas en tu Traefik
- "traefik.http.services.portainer.loadbalancer.server.port=9000"
networks:
services-internal-net:
external: true
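Review bot: `certresolver=myresolver` references a resolver that traefik.yml does not define (only `letsencrypt` exists), so Traefik will not obtain a certificate for this router and will serve its default self-signed certificate instead; change the label to `- "traefik.http.routers.portainer.tls.certresolver=letsencrypt"` and drop the placeholder comment. The Docker socket is mounted read-write directly into Portainer while the traefik stack goes through tecnativa/docker-socket-proxy — Portainer does need write access to manage containers, but this container is therefore root-equivalent on the host regardless of `user: "1032:100"`. Publishing `8000:8000` and `9443:9443` on the NAS bypasses Traefik and its middlewares; 8000 is the Edge-agent tunnel port and can be dropped unless Edge agents are in use, and 9443 could be bound to a loopback or LAN-only address. The group id 65538 in `group_add` is presumably the socket's group on DSM — verify it, since a wrong value makes the mount unusable rather than insecure.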

70
traefik/docker-compose.yml Executable file

@@ -0,0 +1,70 @@
# ==============================================================================
# DOCKER COMPOSE - INFRAESTRUCTURA TRAEFIK (ESTÁNDAR OGNIR)
# ==============================================================================
version: "3.9"
services:
traefik-socket-proxy:
image: tecnativa/docker-socket-proxy:latest
container_name: traefik-socket-proxy
restart: always
networks:
- services-internal-net
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- NETWORKS=1
- SERVICES=1
- VERSION=1
- EVENTS=1
# Recuperado del original para estabilidad del socket
- CONNECT_TIMEOUT=30
- SERVER_TIMEOUT=30
- CLIENT_TIMEOUT=30
traefik:
image: traefik:v3.0
container_name: traefik
restart: always
user: "1032:100"
depends_on:
traefik-socket-proxy:
condition: service_started
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik-dash.rule=Host(`traefik.ognir-server.synology.me`)"
- "traefik.http.routers.traefik-dash.entrypoints=websecure"
- "traefik.http.routers.traefik-dash.tls=true"
- "traefik.http.routers.traefik-dash.tls.certresolver=letsencrypt"
- "traefik.http.routers.traefik-dash.service=api@internal"
# Middleware de seguridad (debe existir en /dynamic/middlewares.yml)
- "traefik.http.routers.traefik-dash.middlewares=seguridad-general@file"
networks:
proxy-macvlan-net:
ipv4_address: 192.168.178.25
services-internal-net:
# Recuperado íntegramente del original
healthcheck:
test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:8080/ping"]
interval: 30s
timeout: 10s
retries: 3
start_period: 20s
volumes:
- /volume1/docker/configs/traefik:/etc/traefik:ro
- /volume1/docker/data/traefik:/letsencrypt
- /volume1/docker/data/traefik/logs:/var/log/traefik
command:
# Única instrucción necesaria: cargar el archivo documentado
- "--configFile=/etc/traefik/traefik.yml"
networks:
proxy-macvlan-net:
external: true
services-internal-net:
external: true
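Review bot: traefik-socket-proxy sits on services-internal-net, the same network every proxied application (gitea, vaultwarden, adguard, portainer) is attached to, so a compromised app container can query `http://traefik-socket-proxy:2375` and, with CONTAINERS=1, read the inspect output of every container including its environment variables; give the proxy its own network (e.g. `socket-proxy-net`) that only it and traefik join, and keep services-internal-net for application traffic. The label-defined `traefik-dash` router serves `api@internal` with only `seguridad-general@file`, while traefik/dynamic/dashboard.yml defines a second router for the same host that adds `auth-dashboard@file`; whichever one wins by rule length, an unauthenticated definition should not exist — either remove the dashboard labels here or change the line to `- "traefik.http.routers.traefik-dash.middlewares=auth-dashboard@file,seguridad-general@file"`. The healthcheck relies on http://127.0.0.1:8080/ping, which exists only because traefik.yml sets `api.insecure: true`; if that is tightened, the check needs an explicitly defined `traefik` entrypoint.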

11
traefik/dynamic/dashboard.yml Executable file

@@ -0,0 +1,11 @@
http:
routers:
api:
rule: "Host(`traefik.ognir-server.synology.me`) || Host(`ognir-server.synology.me`)"
service: api@internal
middlewares:
- auth-dashboard@file
entryPoints:
- websecure
tls:
certResolver: letsencrypt
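Review bot: The `api` router depends on `auth-dashboard@file`, but no middleware of that name is defined in this commit (traefik/dynamic/middlewares.yml only defines `seguridad-general`); Traefik refuses to build a router whose middleware does not exist, so this router is dropped and the host falls through to the label-defined `traefik-dash` router in traefik/docker-compose.yml, which has no authentication — the net effect is an unauthenticated dashboard, unless the middleware already exists in a dynamic file outside this repository. Define it under `http.middlewares` in middlewares.yml, e.g. `auth-dashboard:` / `basicAuth:` / `usersFile: "/etc/traefik/dynamic/users.htpasswd"`, and keep the htpasswd file out of version control. The rule also matches the bare `ognir-server.synology.me` host, so the root of the DDNS name serves the Traefik dashboard; unless that is intended, restrict the rule to the traefik subdomain.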


@@ -0,0 +1,15 @@
http:
routers:
router-fritz:
rule: "Host(`fritz.ognir-server.synology.me`)"
entryPoints:
- "websecure"
service: "fritz-service"
tls:
certResolver: "letsencrypt"
services:
fritz-service:
loadBalancer:
servers:
- url: "http://192.168.178.1"
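Review bot: router-fritz publishes the FRITZ!Box administration interface at 192.168.178.1 on a public Let's Encrypt hostname with no middleware at all — no security headers and nothing in front of the router's own login — so the home router's admin UI becomes directly reachable from the internet. Add at least `middlewares:` / `- "seguridad-general@file"` under the router, and put an `ipAllowList` middleware (LAN/VPN ranges) or basic auth in front of it, or do not expose it through Traefik at all. The backend URL is plain `http://192.168.178.1`; if the box offers HTTPS on the LAN, pointing the service at it (with a `serversTransport` that trusts its certificate) avoids relaying router credentials in clear on the internal network.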

17
traefik/dynamic/middlewares.yml Executable file

@@ -0,0 +1,17 @@
# ==============================================================================
# MIDDLEWARES DE SEGURIDAD (CONFIGURACIÓN DINÁMICA)
# ==============================================================================
http:
middlewares:
seguridad-general:
headers:
# Cabeceras de seguridad recomendadas (HSTS, XSS, etc.)
forceSTSHeader: true
stsSeconds: 31536000
stsIncludeSubdomains: true
stsPreload: true
contentTypeNosniff: true
browserXssFilter: true
frameDeny: true # Evita que tu sitio sea cargado en un iframe (protección clickjacking)
referrerPolicy: "same-origin"
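Review bot: `browserXssFilter: true` emits `X-XSS-Protection: 1; mode=block`, a header that current browsers ignore and that current header guidance recommends disabling because the legacy filter itself could be abused; drop the line and rely on a Content-Security-Policy instead. In this commit the middleware is only attached to the gitea and dashboard routers — adguard, vaultwarden, portainer and fritz get none of these headers — so either attach it there or state in the header comment that every router must reference it explicitly. `stsPreload: true` only matters if the domain is submitted to the HSTS preload list, which is likely not possible for a `*.synology.me` DDNS name since the registrable domain is not yours; the flag is harmless but misleading, so remove it or comment why it is set.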

53
traefik/traefik.yml Executable file

@@ -0,0 +1,53 @@
# ==============================================================================
# CONFIGURACIÓN ESTÁTICA - MIGRACIÓN DESDE COMMANDS
# ==============================================================================
global:
checkNewVersion: false
sendAnonymousUsage: false
api:
dashboard: true
insecure: true # Mantiene puerto 8080 para debug y healthcheck
# Recuperado del original: Necesario para el Healthcheck del Docker-compose
ping: true
log:
level: ERROR
filePath: "/var/log/traefik/traefik.log"
accessLog:
filePath: "/var/log/traefik/access.log"
# --- Entrypoints: Puertos de red y Redirección Global ---
entryPoints:
web:
address: ":80"
http:
redirections:
entryPoint:
to: websecure
scheme: https
websecure:
address: ":443"
# --- Proveedores: Docker (vía Proxy) y Archivos Locales ---
providers:
docker:
endpoint: "tcp://traefik-socket-proxy:2375"
exposedByDefault: false
network: services-internal-net
file:
# Ruta donde se encuentran tus middlewares y servicios externos
directory: "/etc/traefik/dynamic"
watch: true
# --- Certificados ACME (Let's Encrypt) ---
certificatesResolvers:
letsencrypt:
acme:
email: "tortosaantonio@gmail.com"
# Ruta exacta validada en tu original
storage: "/letsencrypt/data/acme.json"
tlsChallenge: {}
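Review bot: `api.insecure: true` serves the dashboard and the full configuration API without authentication on port 8080 of the traefik container, which has its own LAN address (192.168.178.25 on proxy-macvlan-net) and is reachable from every container on services-internal-net — anyone on the LAN or in a compromised app container can read all routers, hostnames and middleware settings. The comment keeps it only for the compose healthcheck; instead set `insecure: false`, keep `ping: true`, and declare the entrypoint ping uses by default on loopback with `entryPoints.traefik.address: "127.0.0.1:8080"` — the existing `wget http://127.0.0.1:8080/ping` check keeps working while the API is no longer exposed, and the dashboard is then only reachable through the authenticated websecure router. The ACME email is not a secret, but the acme.json written under /letsencrypt/data holds the account and certificate private keys and must stay outside the repository with mode 600.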

26
vaultwarden/docker-compose.yml Executable file

@@ -0,0 +1,26 @@
version: '3.8'
services:
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
restart: always
user: "1032:100"
networks:
- services-internal-net
volumes:
- /volume1/docker/data/vaultwarden:/data
environment:
- SIGNUPS_ALLOWED=false
- INVITATIONS_ALLOWED=false
- DOMAIN=https://vaultwarden.ognir-server.synology.me
labels:
- "traefik.enable=true"
- "traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.ognir-server.synology.me`)"
- "traefik.http.routers.vaultwarden.entrypoints=websecure"
- "traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt"
- "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
networks:
services-internal-net:
external: true
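Review bot: The vaultwarden router has no middleware, so none of the `seguridad-general@file` headers (HSTS in particular) are sent for the password-manager host, which is the service here that most deserves them; add `- "traefik.http.routers.vaultwarden.middlewares=seguridad-general@file"` to the labels. `vaultwarden/server:latest` is unpinned — pin a version tag so an automatic pull cannot change the vault server version unannounced. `SIGNUPS_ALLOWED=false` and `INVITATIONS_ALLOWED=false` are right; consider also `SHOW_PASSWORD_HINT=false` and a `LOG_FILE` so failed logins can feed fail2ban, since nothing in this stack rate-limits the login endpoint. Running as `user: "1032:100"` while the service listens on port 80 inside the container relies on Docker's unprivileged-port default; if that ever breaks, set `ROCKET_PORT` to a high port and change the loadbalancer port label to match.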