docker-apps/plex/stacks/compose.yml

# See .static-ips.yml for static ip addresses

name: plex

networks:
  traefik-net:
    external: true

secrets:
  plex_claim:
    file: ${SECRETSDIR}/plex_claim

services:
  plex:
    image: lscr.io/linuxserver/plex:latest
    restart: unless-stopped
    env_file: .plex.env
    hostname: plex
    secrets:
      - plex_claim
    # this deploy section requires the installation of the nvidia-container-toolkit; comment out if the toolkit is not installed
    deploy:
      resources:
        reservations:
          devices:
            - driver: nvidia
              #count: 1
              device_ids:
                - "GPU-b9bf37c1-f8c9-201c-3456-0aa35381be42"
              capabilities: [gpu]
    volumes:
      - "${DATADIR}/config:/config"
      - "${DATADIR}/transcodes:/transcode"
      - "${CERTSDIR}:/certs"
      - "${MEDIADIR}:/data"
    networks:
      - traefik-net
#   Set plex network custom server access URLs setting to: https://plex.sthome.org,http://plex.sthome.org,http://plex.sthome.org:32400,http://10.0.0.61:32400
#   Enable hairpin / NAT Loopback at NAT setting for plex on router
#   Use ipaddr:32400 for WebUI access (insecure) / perform ipconfig /flushdns and restart browser 
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik-net
      #
      # tcp service
      # -----------
      - "traefik.tcp.services.${APPLICATION_NAME}-tcp-svc.loadbalancer.server.port=${SERVICE_PORT}"
      #
      # http service
      # ------------
      - "traefik.http.services.${APPLICATION_NAME}-http-svc.loadbalancer.server.port=${SERVICE_PORT}"
      #
      # tcp routers
      # -----------
      # limit router to plex ":32400" entrypoint
      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr.entrypoints=plex"
      # set match criteria for router, since this is not tls, header might not contain hostsni field; we're forced to use wildcard
      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr.rule=HostSNI(`*`)"
      # assign svc target to router
      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr.service=${APPLICATION_NAME}-tcp-svc" 
      #
      # limit router to plex ":32400" entrypoint
      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.entrypoints=plex"
      # set match criteria for router
      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.rule=HostSNI(`${APPLICATION_NAME}.${DOMAINNAME}`)"
      # set router to be dedicated to secure requests only for the hosts specified in match criteria
      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.tls=true"
      # forward requests "as is" keeping all data encrypted.
      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.tls.passthrough=true"
      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.tls.options=tls-options@file"
      # generate certificates using following certresolver
      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.tls.certresolver=solver-dns"
      # assign svc target to router
      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.service=${APPLICATION_NAME}-tcp-svc" 
      #
      # http routers
      # ------------
      # limit router to web ":80" and plex ":32400" entrypoints
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=plex, web"
      # set match criteria for router
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
      # attach secure headers middlewares
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-redirect@file"
      # assign svc target to router
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-http-svc"
      #
      # limit router to websecure ":443" entrypoint
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
      # set match criteria for router
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
      # attach middlewares
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders@file"
      # set router to be dedicated to secure requests only for the hosts specified in match criteria
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
      # generate certificates using following certresolver
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
      # assign svc target to router
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-http-svc"