# https://hub.docker.com/r/atmoz/sftp/ # #sftp: # image: atmoz/sftp # volumes: # - /upload:/home/foo/upload # ports: # - "2222:22" # command: foo:pass:1001 # #https://docs.sftpgo.com/latest/docker/#container-shell-access-and-viewing-sftpgo-logs name: sftpgo secrets: sftpgo_postgresql_database: file: "${SECRETSDIR}/sftpgo_postgresql_database" sftpgo_postgresql_username: file: "${SECRETSDIR}/sftpgo_postgresql_username" sftpgo_postgresql_password: file: "${SECRETSDIR}/sftpgo_postgresql_password" networks: traefik-net: external: true postgres-net: external: true services: sftpgo: image: drakkan/sftpgo:latest env_file: .sftpgo.env hostname: sftpgo user: ${PUID}:${MEDIA_GID} networks: - postgres-net - traefik-net volumes: - ${DATADIR}/config:/etc/sftpgo - ${CERTSDIR}:/srv/sftpgo/certificates - ${CREDENTIALSDIR}:/srv/sftpgo/credentials - ${USERDATADIR}:/srv/sftpgo/data - ${USERTEMPDIR}:/srv/sftpgo/temp - ${USERSHAREDDIR}:/srv/sftpgo/shared - ${BACKUPDIR}:/srv/sftpgo/backups - ${HOMEDIR}:/var/lib/sftpgo - ${DATADIR}/webroot:/var/www restart: unless-stopped depends_on: postgresql: condition: service_healthy labels: - traefik.enable=true - traefik.docker.network=traefik-net # tcp service # ----------- # - "traefik.tcp.services.${APPLICATION_NAME}-tcp-svc.loadbalancer.server.port=${TCP_PORT1}, ${TCP_PORT2}, ${TCP_PORT3}, ${TCP_PORT4}, ${TCP_PORT5}, ${TCP_PORT6}, ${TCP_PORT7}, ${TCP_PORT7}" # - "traefik.tcp.services.${APPLICATION_NAME}-tcp-svc.loadbalancer.server.port=${TCP_PORT1}" - "traefik.tcp.services.${APPLICATION_NAME}-tcp-svc-1.loadbalancer.server.port=${TCP_PORT1}" - "traefik.tcp.services.${APPLICATION_NAME}-tcp-svc-2.loadbalancer.server.port=${TCP_PORT2}" - "traefik.tcp.services.${APPLICATION_NAME}-tcp-svc-3.loadbalancer.server.port=${TCP_PORT3}" - "traefik.tcp.services.${APPLICATION_NAME}-tcp-svc-4.loadbalancer.server.port=${TCP_PORT4}" - "traefik.tcp.services.${APPLICATION_NAME}-tcp-svc-5.loadbalancer.server.port=${TCP_PORT5}" - "traefik.tcp.services.${APPLICATION_NAME}-tcp-svc-6.loadbalancer.server.port=${TCP_PORT6}" - "traefik.tcp.services.${APPLICATION_NAME}-tcp-svc-7.loadbalancer.server.port=${TCP_PORT7}" - "traefik.tcp.services.${APPLICATION_NAME}-tcp-svc-8.loadbalancer.server.port=${TCP_PORT8}" # tcp routers # ----------- # limit router to sftp ":2022 - 2029" entrypoints - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-1.entrypoints=sftp1" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-2.entrypoints=sftp2" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-3.entrypoints=sftp3" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-4.entrypoints=sftp4" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-5.entrypoints=sftp5" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-6.entrypoints=sftp6" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-7.entrypoints=sftp7" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-8.entrypoints=sftp8" # set match criteria for router, since this is not tls, header might not contain hostsni field; we're forced to use wildcard - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-1.rule=HostSNI(`*`)" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-2.rule=HostSNI(`*`)" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-3.rule=HostSNI(`*`)" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-4.rule=HostSNI(`*`)" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-5.rule=HostSNI(`*`)" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-6.rule=HostSNI(`*`)" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-7.rule=HostSNI(`*`)" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-8.rule=HostSNI(`*`)" # assign svc target to router - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-1.service=${APPLICATION_NAME}-tcp-svc-1" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-2.service=${APPLICATION_NAME}-tcp-svc-2" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-3.service=${APPLICATION_NAME}-tcp-svc-3" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-4.service=${APPLICATION_NAME}-tcp-svc-4" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-5.service=${APPLICATION_NAME}-tcp-svc-5" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-6.service=${APPLICATION_NAME}-tcp-svc-6" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-7.service=${APPLICATION_NAME}-tcp-svc-7" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-8.service=${APPLICATION_NAME}-tcp-svc-8" # # limit router to sftp ":2022 - 2029" entrypoints - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-1.entrypoints=sftp1" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-2.entrypoints=sftp2" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-3.entrypoints=sftp3" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-4.entrypoints=sftp4" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-5.entrypoints=sftp5" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-6.entrypoints=sftp6" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-7.entrypoints=sftp7" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-8.entrypoints=sftp8" # set match criteria for router # - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.rule=HostSNI(`${SUBDOMAIN1}.${DOMAINNAME}`)" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-1.rule=HostSNI(`${SUBDOMAIN1}.${DOMAINNAME}`)" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-2.rule=HostSNI(`${SUBDOMAIN1}.${DOMAINNAME}`)" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-3.rule=HostSNI(`${SUBDOMAIN1}.${DOMAINNAME}`)" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-4.rule=HostSNI(`${SUBDOMAIN1}.${DOMAINNAME}`)" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-5.rule=HostSNI(`${SUBDOMAIN1}.${DOMAINNAME}`)" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-6.rule=HostSNI(`${SUBDOMAIN1}.${DOMAINNAME}`)" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-7.rule=HostSNI(`${SUBDOMAIN1}.${DOMAINNAME}`)" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-8.rule=HostSNI(`${SUBDOMAIN1}.${DOMAINNAME}`)" # set router to be dedicated to secure requests only for the hosts specified in match criteria #- "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.tls=true" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-1.tls=true" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-2.tls=true" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-3.tls=true" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-4.tls=true" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-5.tls=true" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-6.tls=true" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-7.tls=true" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-8.tls=true" # forward requests "as is" keeping all data encrypted. # - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.tls.passthrough=true" # - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.tls.options=tls-opts@file" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-1.tls.passthrough=true" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-2.tls.passthrough=true" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-3.tls.passthrough=true" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-4.tls.passthrough=true" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-5.tls.passthrough=true" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-6.tls.passthrough=true" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-7.tls.passthrough=true" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-8.tls.passthrough=true" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-1.tls.options=tls-opts@file" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-2.tls.options=tls-opts@file" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-3.tls.options=tls-opts@file" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-4.tls.options=tls-opts@file" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-5.tls.options=tls-opts@file" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-6.tls.options=tls-opts@file" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-7.tls.options=tls-opts@file" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-8.tls.options=tls-opts@file" # generate certificates using following certresolver # - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.tls.certresolver=solver-dns" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-1.tls.certresolver=solver-dns" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-2.tls.certresolver=solver-dns" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-3.tls.certresolver=solver-dns" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-4.tls.certresolver=solver-dns" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-5.tls.certresolver=solver-dns" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-6.tls.certresolver=solver-dns" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-7.tls.certresolver=solver-dns" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-8.tls.certresolver=solver-dns" # assign svc target to router # - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.service=${APPLICATION_NAME}-tcp-svc" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-1.service=${APPLICATION_NAME}-tcp-svc-1" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-2.service=${APPLICATION_NAME}-tcp-svc-2" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-3.service=${APPLICATION_NAME}-tcp-svc-3" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-4.service=${APPLICATION_NAME}-tcp-svc-4" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-5.service=${APPLICATION_NAME}-tcp-svc-5" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-6.service=${APPLICATION_NAME}-tcp-svc-6" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-7.service=${APPLICATION_NAME}-tcp-svc-7" - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-8.service=${APPLICATION_NAME}-tcp-svc-8" - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${SERVICE_PORT}" - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web" - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${SUBDOMAIN1}.${DOMAINNAME}`)&& PathPrefix(`/`)" - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=middlewares-secure-headers@file" - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc" - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure" - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${SUBDOMAIN1}.${DOMAINNAME}`)&& PathPrefix(`/`)" - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true" - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=sthomeresolver" #- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=${APPLICATION_NAME}-auth" - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=middlewares-secure-headers@file" - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc" postgresql: image: postgres:16-alpine hostname: ${POSTGRES_DB_HOST} env_file: .postgresql.env shm_size: 128mb # https://hub.docker.com/_/postgres restart: unless-stopped healthcheck: test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"] start_period: 20s interval: 30s retries: 5 timeout: 5s networks: postgres-net: secrets: - ${APPLICATION_NAME}_postgresql_database - ${APPLICATION_NAME}_postgresql_username - ${APPLICATION_NAME}_postgresql_password volumes: - "${DATADIR}/pgdata:/var/lib/postgresql/data" - "${DATADIR}/pgbackups:/mnt/backups"