docker-apps/gluetun-arr/stacks/compose.yml

# gluetun for arr apps
# to use gluetun from apps in other projects, use network_mode: "container:gluetun-arr"
# access apps in this project with 127.0.0.1:PORT, e.g. to access qbittorrent use localhost:10095
# NB: Start gluetun-arr first, before starting depending apps in other projects
#     Stop & inactivate depending apps in other projects first, before stopping this gluetun-arr

# we will use 10.255.239.0/24 block of the traefik subnet for containers that have to connect to arr apps
# See .static-ips.yml for static ip addresses

name: gluetun-arr

networks:
  traefik-net:
    external: true

secrets:
  wireguard_private_key:
    file: ${SECRETSDIR}/wireguard_private_key

services:
#  qbittorrent:
#    image: lscr.io/linuxserver/qbittorrent:latest
#    env_file: .${QBIT_APP}.env
#    network_mode: "service:gluetun"
#    volumes:
#      - "${DATAROOT}/${QBIT_APP}/config:/config"
#      - "${DOWNLOADSDIR}:${CT_DOWNLOADS}"
#      - "${RECYCLINGDIR}/${QBIT_APP}:${CT_RECYCLINGBIN}:rw"
#    restart: unless-stopped
#    depends_on:
#      gluetun:
#        condition: service_healthy
#
#  flaresolverr:
#    # DockerHub mirror flaresolverr/flaresolverr:latest
#    image: ghcr.io/flaresolverr/flaresolverr:latest
##    container_name: flaresolverr
#    env_file: .${FLARESOLVERR_APP}.env
#    network_mode: "service:gluetun"
#    restart: unless-stopped

  prowlarr:
    image: lscr.io/linuxserver/prowlarr:latest
    env_file: .${PROWLARR_APP}.env
    network_mode: "service:gluetun"
    volumes:
      - "${DATAROOT}/${PROWLARR_APP}/config:/config"
      - "${DOWNLOADSDIR}:${CT_DOWNLOADS}"
      - "${MEDIADIR}:${CT_MEDIA}"
      - "${RECYCLINGDIR}/${PROWLARR_APP}:${CT_RECYCLINGBIN}:rw"
    restart: unless-stopped
#    depends_on:
#      qbittorrent:
#        condition: service_started

  radarr:
    image: lscr.io/linuxserver/radarr:latest
    env_file: .${RADARR_APP}.env
    network_mode: "service:gluetun"
    volumes:
      - "${DATAROOT}/${RADARR_APP}/config:/config"
      - "${DOWNLOADSDIR}:${CT_DOWNLOADS}"
      - "${MEDIADIR}:${CT_MEDIA}"
      - "${RECYCLINGDIR}/${RADARR_APP}:${CT_RECYCLINGBIN}:rw"
    restart: unless-stopped
    depends_on:
      prowlarr:
        condition: service_started

  lidarr:
    image: lscr.io/linuxserver/lidarr:latest
    env_file: .${LIDARR_APP}.env
    network_mode: "service:gluetun"
    volumes:
      - "${DATAROOT}/${LIDARR_APP}/config:/config"
      - "${DOWNLOADSDIR}:${CT_DOWNLOADS}"
      - "${MEDIADIR}:${CT_MEDIA}"
      - "${RECYCLINGDIR}/${LIDARR_APP}:${CT_RECYCLINGBIN}:rw"
    restart: unless-stopped
    depends_on:
      prowlarr:
        condition: service_started

  sonarr:
    image: lscr.io/linuxserver/sonarr:latest
    env_file: .${SONARR_APP}.env
    network_mode: "service:gluetun"
    volumes:
      - "${DATAROOT}/${SONARR_APP}/config:/config"
      - "${DOWNLOADSDIR}:${CT_DOWNLOADS}"
      - "${MEDIADIR}:${CT_MEDIA}"
      - "${RECYCLINGDIR}/${SONARR_APP}:${CT_RECYCLINGBIN}:rw"
    restart: unless-stopped
    depends_on:
      prowlarr:
        condition: service_started

  readarr:
    image: lscr.io/linuxserver/readarr:develop
    env_file: .${READARR_APP}.env
    network_mode: "service:gluetun"
    volumes:
      - "${DATAROOT}/${READARR_APP}/config:/config"
      - "${DOWNLOADSDIR}:${CT_DOWNLOADS}"
      - "${MEDIADIR}:${CT_MEDIA}"
      - "${RECYCLINGDIR}/${READARR_APP}:${CT_RECYCLINGBIN}:rw"
    restart: unless-stopped
    depends_on:
      prowlarr:
        condition: service_started

  gluetun:
    image: qmcgaw/gluetun:latest
    hostname: gluetun-arr # overseerr "Settings->Services->radarr/sonarr->Edit->Hostname or IP Address" should be set to this value
    env_file: .gluetun.env
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    volumes:
      - "${DATADIR}/appdata:/gluetun"
    secrets:
      - wireguard_private_key
    networks:
      traefik-net:
        ipv4_address: 10.255.239.1  # to access services in this project from other containers; hostnames and aliases will not work
    restart: always
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik-net
      ##################################################################################
      ################################# QBIT_APP ##################################
      #
      # http services
      # -------------
      - "traefik.http.services.${QBIT_APP}-gt-svc.loadbalancer.server.port=${QBIT_PORT}"
      #
      # http routers
      # ------------
#      # limit router to web ":80" entrypoint (Note: web entrypoint http requests are globally redirected to websecure router in traefik.yml)
#      - "traefik.http.routers.${QBIT_APP}-rtr.entrypoints=web"
#      # set match criteria for router
#      - "traefik.http.routers.${QBIT_APP}-rtr.rule=Host(`${QBIT_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
#      # attach middlewares to router
#      - "traefik.http.routers.${QBIT_APP}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
#       # assign svc target to router
#      - "traefik.http.routers.${QBIT_APP}-rtr.service=${QBIT_APP}-gt-svc"
#      #
#      # limit router to websecure ":443" entrypoint
#      - "traefik.http.routers.${QBIT_APP}-secure-rtr.entrypoints=websecure"
#      # set match criteria for router
#      - "traefik.http.routers.${QBIT_APP}-secure-rtr.rule=Host(`${QBIT_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
#      # set router to be dedicated to secure requests only for the host specified in match criteria 
#      - "traefik.http.routers.${QBIT_APP}-secure-rtr.tls=true"
#      # apply tls options
#      - "traefik.http.routers.${QBIT_APP}-secure-rtr.tls.options=tls-options@file"
#      # generate certificates using following certresolver
#      - "traefik.http.routers.${QBIT_APP}-secure-rtr.tls.certresolver=solver-dns"
#      # attach middlewares to routers
#      #- "traefik.http.routers.${QBIT_APP}-secure-rtr.middlewares=${QBIT_APP}-auth"
#      - "traefik.http.routers.${QBIT_APP}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
#      # assign svc target to router
#      - "traefik.http.routers.${QBIT_APP}-secure-rtr.service=${QBIT_APP}-gt-svc"
      
      ##################################################################################
      ################################# PROWLARR_APP ##################################
      #- "traefik.http.middlewares.${PROWLARR_APP}-auth.basicauth.users=${ADMIN_CREDENTIALS}, ${USER_CREDENTIALS}"
      #- "traefik.http.middlewares.${PROWLARR_APP}-auth.basicauth.usersfile=/mnt/users/${PROWLARR_APP}.txt"
      - "traefik.http.services.${PROWLARR_APP}-gt-svc.loadbalancer.server.port=${PROWLARR_PORT}"
      - "traefik.http.routers.${PROWLARR_APP}-rtr.entrypoints=web"
      - "traefik.http.routers.${PROWLARR_APP}-rtr.rule=Host(`${PROWLARR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
      - "traefik.http.routers.${PROWLARR_APP}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
      - "traefik.http.routers.${PROWLARR_APP}-rtr.service=${PROWLARR_APP}-gt-svc"
      - "traefik.http.routers.${PROWLARR_APP}-secure-rtr.entrypoints=websecure"
      - "traefik.http.routers.${PROWLARR_APP}-secure-rtr.rule=Host(`${PROWLARR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
      - "traefik.http.routers.${PROWLARR_APP}-secure-rtr.tls=true"
      - "traefik.http.routers.${PROWLARR_APP}-secure-rtr.tls.options=tls-options@file"
      - "traefik.http.routers.${PROWLARR_APP}-secure-rtr.tls.certresolver=solver-dns"
      #- "traefik.http.routers.${PROWLARR_APP}-secure-rtr.middlewares=${PROWLARR_APP}-auth"
      - "traefik.http.routers.${PROWLARR_APP}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
      - "traefik.http.routers.${PROWLARR_APP}-secure-rtr.service=${PROWLARR_APP}-gt-svc"
      
      ##################################################################################
      ################################# RADARR_APP ##################################
      #- "traefik.http.middlewares.${RADARR_APP}-auth.basicauth.users=${ADMIN_CREDENTIALS}, ${USER_CREDENTIALS}"
      #- "traefik.http.middlewares.${RADARR_APP}-auth.basicauth.usersfile=/mnt/users/${RADARR_APP}.txt"
      - "traefik.http.services.${RADARR_APP}-gt-svc.loadbalancer.server.port=${RADARR_PORT}"
      - "traefik.http.routers.${RADARR_APP}-rtr.entrypoints=web"
      - "traefik.http.routers.${RADARR_APP}-rtr.rule=Host(`${RADARR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
      - "traefik.http.routers.${RADARR_APP}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
      - "traefik.http.routers.${RADARR_APP}-rtr.service=${RADARR_APP}-gt-svc"
      - "traefik.http.routers.${RADARR_APP}-secure-rtr.entrypoints=websecure"
      - "traefik.http.routers.${RADARR_APP}-secure-rtr.rule=Host(`${RADARR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
      - "traefik.http.routers.${RADARR_APP}-secure-rtr.tls=true"
      - "traefik.http.routers.${RADARR_APP}-secure-rtr.tls.options=tls-options@file"
      - "traefik.http.routers.${RADARR_APP}-secure-rtr.tls.certresolver=solver-dns"
      #- "traefik.http.routers.${RADARR_APP}-secure-rtr.middlewares=${RADARR_APP}-auth"
      - "traefik.http.routers.${RADARR_APP}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
      - "traefik.http.routers.${RADARR_APP}-secure-rtr.service=${RADARR_APP}-gt-svc"
      
      ##################################################################################
      ################################# LIDARR_APP ##################################
      #- "traefik.http.middlewares.${LIDARR_APP}-auth.basicauth.users=${ADMIN_CREDENTIALS}, ${USER_CREDENTIALS}"
      #- "traefik.http.middlewares.${LIDARR_APP}-auth.basicauth.usersfile=/mnt/users/${LIDARR_APP}.txt"
      - "traefik.http.services.${LIDARR_APP}-gt-svc.loadbalancer.server.port=${LIDARR_PORT}"
      - "traefik.http.routers.${LIDARR_APP}-rtr.entrypoints=web"
      - "traefik.http.routers.${LIDARR_APP}-rtr.rule=Host(`${LIDARR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
      - "traefik.http.routers.${LIDARR_APP}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
      - "traefik.http.routers.${LIDARR_APP}-rtr.service=${LIDARR_APP}-gt-svc"
      - "traefik.http.routers.${LIDARR_APP}-secure-rtr.entrypoints=websecure"
      - "traefik.http.routers.${LIDARR_APP}-secure-rtr.rule=Host(`${LIDARR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
      - "traefik.http.routers.${LIDARR_APP}-secure-rtr.tls=true"
      - "traefik.http.routers.${LIDARR_APP}-secure-rtr.tls.options=tls-options@file"
      - "traefik.http.routers.${LIDARR_APP}-secure-rtr.tls.certresolver=solver-dns"
      #- "traefik.http.routers.${LIDARR_APP}-secure-rtr.middlewares=${LIDARR_APP}-auth"
      - "traefik.http.routers.${LIDARR_APP}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
      - "traefik.http.routers.${LIDARR_APP}-secure-rtr.service=${LIDARR_APP}-gt-svc"
      
      ##################################################################################
      ################################# SONARR_APP ##################################
      #- "traefik.http.middlewares.${SONARR_APP}-auth.basicauth.users=${ADMIN_CREDENTIALS}, ${USER_CREDENTIALS}"
      #- "traefik.http.middlewares.${SONARR_APP}-auth.basicauth.usersfile=/mnt/users/${SONARR_APP}.txt"
      - "traefik.http.services.${SONARR_APP}-gt-svc.loadbalancer.server.port=${SONARR_PORT}"
      - "traefik.http.routers.${SONARR_APP}-rtr.entrypoints=web"
      - "traefik.http.routers.${SONARR_APP}-rtr.rule=Host(`${SONARR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
      - "traefik.http.routers.${SONARR_APP}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
      - "traefik.http.routers.${SONARR_APP}-rtr.service=${SONARR_APP}-gt-svc"
      - "traefik.http.routers.${SONARR_APP}-secure-rtr.entrypoints=websecure"
      - "traefik.http.routers.${SONARR_APP}-secure-rtr.rule=Host(`${SONARR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
      - "traefik.http.routers.${SONARR_APP}-secure-rtr.tls=true"
      - "traefik.http.routers.${SONARR_APP}-secure-rtr.tls.options=tls-options@file"
      - "traefik.http.routers.${SONARR_APP}-secure-rtr.tls.certresolver=solver-dns"
      #- "traefik.http.routers.${SONARR_APP}-secure-rtr.middlewares=${SONARR_APP}-auth"
      - "traefik.http.routers.${SONARR_APP}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
      - "traefik.http.routers.${SONARR_APP}-secure-rtr.service=${SONARR_APP}-gt-svc"
      
      ##################################################################################
      ################################# READARR_APP ##################################
      #- "traefik.http.middlewares.${READARR_APP}-auth.basicauth.users=${ADMIN_CREDENTIALS}, ${USER_CREDENTIALS}"
      #- "traefik.http.middlewares.${READARR_APP}-auth.basicauth.usersfile=/mnt/users/${READARR_APP}.txt"
      - "traefik.http.services.${READARR_APP}-gt-svc.loadbalancer.server.port=${READARR_PORT}"
      - "traefik.http.routers.${READARR_APP}-rtr.entrypoints=web"
      - "traefik.http.routers.${READARR_APP}-rtr.rule=Host(`${READARR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
      - "traefik.http.routers.${READARR_APP}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
      - "traefik.http.routers.${READARR_APP}-rtr.service=${READARR_APP}-gt-svc"
      - "traefik.http.routers.${READARR_APP}-secure-rtr.entrypoints=websecure"
      - "traefik.http.routers.${READARR_APP}-secure-rtr.rule=Host(`${READARR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
      - "traefik.http.routers.${READARR_APP}-secure-rtr.tls=true"
      - "traefik.http.routers.${READARR_APP}-secure-rtr.tls.options=tls-options@file"
      - "traefik.http.routers.${READARR_APP}-secure-rtr.tls.certresolver=solver-dns"
      #- "traefik.http.routers.${READARR_APP}-secure-rtr.middlewares=${READARR_APP}-auth"
      - "traefik.http.routers.${READARR_APP}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
      - "traefik.http.routers.${READARR_APP}-secure-rtr.service=${READARR_APP}-gt-svc"
      
      ##################################################################################
      ################################# FLARESOLVERR_APP ##################################
#      - "traefik.http.services.${FLARESOLVERR_APP}-gt-svc.loadbalancer.server.port=${FLARESOLVERR_PORT}"
#      - "traefik.http.routers.${FLARESOLVERR_APP}-rtr.entrypoints=web"
#      - "traefik.http.routers.${FLARESOLVERR_APP}-rtr.rule=Host(`${FLARESOLVERR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
#      - "traefik.http.routers.${FLARESOLVERR_APP}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
#      - "traefik.http.routers.${FLARESOLVERR_APP}-rtr.service=${FLARESOLVERR_APP}-gt-svc"
#      - "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.entrypoints=websecure"
#      - "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.rule=Host(`${FLARESOLVERR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
#      - "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.tls=true"
#      - "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.tls.options=tls-options@file"
#      - "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.tls.certresolver=solver-dns"
#      #- "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.middlewares=${FLARESOLVERR_APP}-auth"
#      - "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
#      - "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.service=${FLARESOLVERR_APP}-gt-svc"
#      
      ##################################################################################