diff --git a/system/modules/server/common/docker-compose.yaml b/system/modules/server/common/docker-compose.yaml
index ffefbb46..d0465b6f 100644
--- a/system/modules/server/common/docker-compose.yaml
+++ b/system/modules/server/common/docker-compose.yaml
@@ -31,6 +31,12 @@ services:
 WATCHTOWER_SCHEDULE: "0 42 4 * * *"
 volumes:
 - "/var/run/docker.sock:/var/run/docker.sock"
+ deploy:
+ resources:
+ limits:
+ memory: 100M
+ reservations:
+ memory: 20M
 traefik-cloudflare-companion:
 image: tiredofit/traefik-cloudflare-companion:${TRAEFIK_CLOUDFLARE_VERSION:-latest}
 container_name: traefik-cloudflare-companion
@@ -52,6 +58,12 @@ services:
 - "/var/run/docker.sock:/var/run/docker.sock"
 secrets:
 - CF_TOKEN
+ deploy:
+ resources:
+ limits:
+ memory: 100M
+ reservations:
+ memory: 50M
 traefik:
 image: traefik
 container_name: traefik
@@ -73,6 +85,12 @@ services:
 - "traefik.http.routers.api.service=api@internal"
 - "traefik.http.routers.api.middlewares=authelia@docker"
 - "traefik.http.routers.api.rule=Host(`traefik.${DOMAIN}`)"
+ deploy:
+ resources:
+ limits:
+ memory: 256M
+ reservations:
+ memory: 128M
 authelia:
 image: authelia/authelia:4.38.10
 container_name: authelia
@@ -110,3 +128,9 @@ services:
 - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
 - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
 - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:8080/api/authz/forward-auth"
+ deploy:
+ resources:
+ limits:
+ memory: 200M
+ reservations:
+ memory: 100M
diff --git a/system/modules/server/files/docker/projects/backup.docker-compose.yaml b/system/modules/server/files/docker/projects/backup.docker-compose.yaml
index bc89f952..ca29e35a 100644
--- a/system/modules/server/files/docker/projects/backup.docker-compose.yaml
+++ b/system/modules/server/files/docker/projects/backup.docker-compose.yaml
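Review bot: The `deploy.resources.limits.memory` stanza added to watchtower here, and the identical stanza added to every other service in this commit, is only enforced by a Compose implementation that honours `deploy` outside Swarm (Compose v2 does; legacy docker-compose v1 ignores it unless run with `--compatibility`), so after `up` confirm that `docker inspect` reports a non-zero `HostConfig.Memory` for each container rather than assuming the cap is live. A memory limit with no swap limit also lets a container use swap up to the same amount again, so on a host with swap the effective ceiling is roughly twice the value written; if these are meant as hard bounds, the service-level `memswap_limit` key (not under `deploy`) is what closes that gap. Only two of the values in the commit carry a rationale; for the others a one-line comment such as `memory: 100M  # peak observed via docker stats plus headroom` would let a later reader tell a measured limit from a guess.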
@@ -46,6 +46,12 @@ services:
 - switcheroo-db:/volumes/switcheroo-db:ro
 secrets:
 - SSH_KEY
+ deploy:
+ resources:
+ limits:
+ memory: 2G
+ reservations:
+ memory: 300M
 # Backup gdrive documents to home server
 gdrive-backup-from:
@@ -64,6 +70,12 @@ services:
 sleep 1h; done '
+ deploy:
+ resources:
+ limits:
+ memory: 200M
+ reservations:
+ memory: 20M
 # Backup home server documents to gdrive
 gdrive-backup-to:
 image: nikarh/fileserver-rclone
@@ -91,3 +103,9 @@ services:
 rclone -vv sync "/backup" gdrive-rw:/BACKUP/ --exclude ".stignore" --exclude ".stfolder/"; done '
+ deploy:
+ resources:
+ limits:
+ memory: 200M
+ reservations:
+ memory: 20M
diff --git a/system/modules/server/files/docker/projects/ddns.docker-compose.yaml b/system/modules/server/files/docker/projects/ddns.docker-compose.yaml
index 1214852e..58f7f85b 100644
--- a/system/modules/server/files/docker/projects/ddns.docker-compose.yaml
+++ b/system/modules/server/files/docker/projects/ddns.docker-compose.yaml
@@ -20,6 +20,12 @@ services:
 PROXIED: false
 secrets:
 - CF_TOKEN
+ deploy:
+ resources:
+ limits:
+ memory: 15M
+ reservations:
+ memory: 10M
 ddns-u8-lv:
 image: oznu/cloudflare-ddns:latest
 container_name: ddns-u8-lv
@@ -31,3 +37,9 @@ services:
 PROXIED: true
 secrets:
 - CF_TOKEN
+ deploy:
+ resources:
+ limits:
+ memory: 15M
+ reservations:
+ memory: 10M
diff --git a/system/modules/server/files/docker/projects/files.docker-compose.yaml b/system/modules/server/files/docker/projects/files.docker-compose.yaml
index c86644dd..0457e99d 100644
--- a/system/modules/server/files/docker/projects/files.docker-compose.yaml
+++ b/system/modules/server/files/docker/projects/files.docker-compose.yaml
@@ -48,6 +48,12 @@ services:
 - "traefik.http.routers.netdata.rule=Host(`netdata.${DOMAIN}`)"
 - "traefik.http.routers.netdata.entrypoints=https"
 - "traefik.http.routers.netdata.middlewares=authelia@docker"
+ deploy:
+ resources:
+ limits:
+ memory: 2G
+ reservations:
+ memory: 512M
 # This is required at least for esphome
 mdns-repeater:
 image: angelnu/mdns_repeater
@@ -57,6 +63,12 @@ services:
 environment:
 - hostNIC=eth0
 - dockerNIC=${DOCKER_NIC}
+ deploy:
+ resources:
+ limits:
+ memory: 10M
+ reservations:
+ memory: 10M
 # Homer is served from GH pages on the outside world,
 # but we also serve it from here for internal access.
 homer:
@@ -70,6 +82,12 @@ services:
 - "traefik.enable=true"
 - "traefik.http.routers.homer.rule=Host(`home.arhipov.net`) || Host(`u8.lv`)"
 - "traefik.http.routers.homer.entrypoints=https"
+ deploy:
+ resources:
+ limits:
+ memory: 10M
+ reservations:
+ memory: 10M
 samba:
 image: nikarh/fileserver-samba
 container_name: samba
@@ -82,6 +100,12 @@ services:
 volumes:
 - /var/lib/docker-services/volumes/samba/create-shares.sh:/scripts/create-shares.sh:ro
 - /var/data/home:/home
+ deploy:
+ resources:
+ limits:
+ memory: 200M
+ reservations:
+ memory: 20M
 sftpd:
 # On 2023.03.15 alpine version started freezing on connection.
 # Migrated to ubuntu.
@@ -101,6 +125,12 @@ services:
 - /var/lib/docker-services/volumes/sftpd/pam-sshd:/etc/pam.d/sshd:ro
 # Data
 - /var/data/home:/home
+ deploy:
+ resources:
+ limits:
+ memory: 100M
+ reservations:
+ memory: 50M
 filebrowser:
 image: filebrowser/filebrowser
 container_name: filebrowser
@@ -120,6 +150,13 @@ services:
 - "-d=/mnt/data/filebrowser.db"
 - "-c=/mnt/data/filebrowser.json"
 - "-p=8080"
+ deploy:
+ resources:
+ limits:
+ # For making archives in-place
+ memory: 5G
+ reservations:
+ memory: 20M
 syncthing:
 image: lscr.io/linuxserver/syncthing
 container_name: syncthing
@@ -139,6 +176,12 @@ services:
 - "traefik.http.routers.syncthing.rule=Host(`syncthing.${DOMAIN}`)"
 - "traefik.http.routers.syncthing.entrypoints=https"
 - "traefik.http.routers.syncthing.middlewares=authelia@docker"
+ deploy:
+ resources:
+ limits:
+ memory: 1G
+ reservations:
+ memory: 300M
 esphome:
 image: esphome/esphome
 container_name: esphome
@@ -151,3 +194,9 @@ services:
 - "traefik.http.routers.esphome.rule=Host(`esphome.${DOMAIN}`)"
 - "traefik.http.routers.esphome.entrypoints=https"
 - "traefik.http.routers.esphome.middlewares=authelia@docker"
+ deploy:
+ resources:
+ limits:
+ memory: 2G
+ reservations:
+ memory: 50M
diff --git a/system/modules/server/files/docker/projects/gitea.docker-compose.yaml b/system/modules/server/files/docker/projects/gitea.docker-compose.yaml
index 27bdda4e..bb6c15b0 100644
--- a/system/modules/server/files/docker/projects/gitea.docker-compose.yaml
+++ b/system/modules/server/files/docker/projects/gitea.docker-compose.yaml
@@ -22,6 +22,12 @@ services:
 - gitea-data:/data
 - /etc/timezone:/etc/timezone:ro
 - /etc/localtime:/etc/localtime:ro
+ deploy:
+ resources:
+ limits:
+ memory: 500M
+ reservations:
+ memory: 250M
 labels:
 - "traefik.enable=true"
 - "traefik.http.services.gitea.loadbalancer.server.port=3000"
diff --git a/system/modules/server/files/docker/projects/immich.docker-compose.yaml b/system/modules/server/files/docker/projects/immich.docker-compose.yaml
index 2ca831f7..8828155a 100644
--- a/system/modules/server/files/docker/projects/immich.docker-compose.yaml
+++ b/system/modules/server/files/docker/projects/immich.docker-compose.yaml
@@ -20,6 +20,12 @@ services:
 <<: *service-defaults
 command: >
 --requirepass ${IMMICH_REDIS_PASSWORD}
+ deploy:
+ resources:
+ limits:
+ memory: 200M
+ reservations:
+ memory: 20M
 immich-postgres:
 image: tensorchord/pgvecto-rs:pg14-v0.2.0
 container_name: immich-postgres
@@ -31,6 +37,12 @@ services:
 volumes:
 - immich-db-data:/var/lib/postgresql/data
 restart: always
+ deploy:
+ resources:
+ limits:
+ memory: 1G
+ reservations:
+ memory: 100M
 immich:
 image: ghcr.io/imagegenius/immich:latest
 container_name: immich
@@ -68,3 +80,9 @@ services:
 - "traefik.http.middlewares.immich-redirect1.redirectregex.replacement=https://immich.${DOMAIN}/$$1"
 - "traefik.http.middlewares.immich-redirect2.redirectregex.regex=^https://photos.${DOMAIN}/(.*)"
 - "traefik.http.middlewares.immich-redirect2.redirectregex.replacement=https://immich.${DOMAIN}/$$1"
+ deploy:
+ resources:
+ limits:
+ memory: 2G
+ reservations:
+ memory: 512M
diff --git a/system/modules/server/files/docker/projects/logging.docker-compose.yaml b/system/modules/server/files/docker/projects/logging.docker-compose.yaml
index bf407037..d99ba7af 100644
--- a/system/modules/server/files/docker/projects/logging.docker-compose.yaml
+++ b/system/modules/server/files/docker/projects/logging.docker-compose.yaml
@@ -26,6 +26,12 @@ services:
 - "/var/run/docker.sock:/var/run/docker.sock"
 - /var/lib/docker-services/volumes/vector:/etc/vector
 - vector-logs:/out
+ deploy:
+ resources:
+ limits:
+ memory: 300M
+ reservations:
+ memory: 150M
 loki:
 image: grafana/loki:latest
 container_name: loki
@@ -33,6 +39,12 @@ services:
 volumes:
 - /var/lib/docker-services/volumes/loki:/etc/loki:ro
 - loki-data:/loki
+ deploy:
+ resources:
+ limits:
+ memory: 600M
+ reservations:
+ memory: 300M
 grafana:
 image: grafana/grafana:latest
 container_name: grafana
@@ -71,6 +83,12 @@ services:
 editable: false
 EOF
 /run.sh
+ deploy:
+ resources:
+ limits:
+ memory: 500M
+ reservations:
+ memory: 100M
 labels:
 - "traefik.enable=true"
 - "traefik.http.services.grafana.loadbalancer.server.port=3000"
@@ -89,6 +107,12 @@ services:
 LOGROTATE_SIZE: "10M"
 volumes:
 - vector-logs:/logs
+ deploy:
+ resources:
+ limits:
+ memory: 40M
+ reservations:
+ memory: 10M
 init-fail2ban-volume:
 image: alpine
 command: >
@@ -114,6 +138,12 @@ services:
 - /var/lib/docker-services/volumes/fail2ban/fail2ban.local:/config/fail2ban/fail2ban.local:ro
 - vector-logs:/remotelogs:ro
 - fail2ban-db:/db
+ deploy:
+ resources:
+ limits:
+ memory: 100M
+ reservations:
+ memory: 50M
 depends_on:
 init-fail2ban-volume:
 condition: service_completed_successfully
diff --git a/system/modules/server/files/docker/projects/mail.docker-compose.yaml b/system/modules/server/files/docker/projects/mail.docker-compose.yaml
index e8d313da..5cbb8979 100644
--- a/system/modules/server/files/docker/projects/mail.docker-compose.yaml
+++ b/system/modules/server/files/docker/projects/mail.docker-compose.yaml
@@ -25,6 +25,12 @@ services:
 - mail-data:/home
 secrets:
 - IMAP_AUTH
+ deploy:
+ resources:
+ limits:
+ memory: 50M
+ reservations:
+ memory: 10M
 dovecot:
 image: dovecot/dovecot
 container_name: dovecot
@@ -42,6 +48,12 @@ services:
 /usr/sbin/dovecot -F; rm -rf /var/lib/apt/lists; '
+ deploy:
+ resources:
+ limits:
+ memory: 50M
+ reservations:
+ memory: 10M
 roundcube:
 image: roundcube/roundcubemail
 container_name: roundcube
@@ -57,6 +69,12 @@ services:
 - "traefik.http.routers.roundcube.rule=Host(`mail.${DOMAIN}`) || Host(`mail.u8.lv`)"
 - "traefik.http.routers.roundcube.entrypoints=https"
 - "traefik.http.routers.roundcube.middlewares=authelia@docker"
+ deploy:
+ resources:
+ limits:
+ memory: 300M
+ reservations:
+ memory: 100M
diff --git a/system/modules/server/files/docker/projects/media.docker-compose.yaml b/system/modules/server/files/docker/projects/media.docker-compose.yaml
index 92f69eb9..e096cf06 100644
--- a/system/modules/server/files/docker/projects/media.docker-compose.yaml
+++ b/system/modules/server/files/docker/projects/media.docker-compose.yaml
@@ -54,6 +54,12 @@ services:
 - "traefik.http.services.jellyfin.loadbalancer.server.port=8096"
 - "traefik.http.routers.jellyfin.rule=Host(`media.${DOMAIN}`) || Host(`j.u8.lv`)"
 - "traefik.http.routers.jellyfin.entrypoints=https"
+ deploy:
+ resources:
+ limits:
+ memory: 20G # Should be enough for transcoding
+ reservations:
+ memory: 1G
 feishin:
 image: 'ghcr.io/jeffvli/feishin:latest'
 <<: *service-defaults
@@ -73,6 +79,12 @@ services:
 - "traefik.http.routers.feishin.rule=Host(`music.${DOMAIN}`) || Host(`u.u8.lv`)"
 - "traefik.http.routers.feishin.entrypoints=https"
 restart: unless-stopped
+ deploy:
+ resources:
+ limits:
+ memory: 100M
+ reservations:
+ memory: 20M
 # Book UI
 kavita:
 image: jvmilazz0/kavita
@@ -91,6 +103,12 @@ services:
 # Has it's own auth, does not support any alternative auth or auto-login.
 # TODO: Pass constant authorization header? Does it expire?
 # - 'traefik.http.routers.kavita.middlewares=authelia@docker'
+ deploy:
+ resources:
+ limits:
+ memory: 500M
+ reservations:
+ memory: 256M
 tunnel:
 image: qmcgaw/gluetun:v3
 container_name: tunnel
@@ -120,6 +138,12 @@ services:
 - SHADOWSOCKS=on
 devices:
 - /dev/net/tun:/dev/net/tun
+ deploy:
+ resources:
+ limits:
+ memory: 1G
+ reservations:
+ memory: 300M
 # networks:
 # default:
 # bitmagnet-postgres:
@@ -130,6 +154,12 @@ services:
 network_mode: "service:tunnel"
 depends_on:
 - tunnel
+ deploy:
+ resources:
+ limits:
+ memory: 20M
+ reservations:
+ memory: 10M
 qbittorrent:
 image: lscr.io/linuxserver/qbittorrent:libtorrentv1
 container_name: qbittorrent
@@ -149,6 +179,12 @@ services:
 network_mode: "service:tunnel"
 depends_on:
 - tunnel
+ deploy:
+ resources:
+ limits:
+ memory: 5G
+ reservations:
+ memory: 1G
 # bitmagnet:
 # image: ghcr.io/bitmagnet-io/bitmagnet:latest
 # container_name: bitmagnet
@@ -214,6 +250,12 @@ services:
 - "traefik.http.routers.torrents-raw.rule=Host(`torrents-raw.${DOMAIN}`) && !Path(`/sw.js`) && !Path(`/registerSW.js`)"
 - "traefik.http.routers.torrents-raw.entrypoints=https"
 - "traefik.http.routers.torrents-raw.middlewares=authelia@docker"
+ deploy:
+ resources:
+ limits:
+ memory: 1G
+ reservations:
+ memory: 128M
 # Indexer manager
 prowlarr:
 image: lscr.io/linuxserver/prowlarr:develop
@@ -228,6 +270,12 @@ services:
 - "traefik.http.routers.prowlarr.rule=Host(`prowlarr.${DOMAIN}`)"
 - "traefik.http.routers.prowlarr.entrypoints=https"
 - "traefik.http.routers.prowlarr.middlewares=authelia@docker"
+ deploy:
+ resources:
+ limits:
+ memory: 400M
+ reservations:
+ memory: 200M
 # Cloudflare solver for prowlarr
 flaresolverr:
 image: ghcr.io/flaresolverr/flaresolverr:latest
@@ -238,6 +286,12 @@ services:
 LOG_LEVEL: info
 LOG_HTML: "false"
 CAPTCHA_SOLVER: none
+ deploy:
+ resources:
+ limits:
+ memory: 1G
+ reservations:
+ memory: 300M
 # Movie manager
 radarr:
 image: lscr.io/linuxserver/radarr:latest
@@ -253,6 +307,12 @@ services:
 - "traefik.http.routers.radarr.rule=Host(`radarr.${DOMAIN}`)"
 - "traefik.http.routers.radarr.entrypoints=https"
 - "traefik.http.routers.radarr.middlewares=authelia@docker"
+ deploy:
+ resources:
+ limits:
+ memory: 500M
+ reservations:
+ memory: 160M
 # Show manager
 sonarr:
 image: lscr.io/linuxserver/sonarr:latest
@@ -268,6 +328,12 @@ services:
 - "traefik.http.routers.sonarr.rule=Host(`sonarr.${DOMAIN}`)"
 - "traefik.http.routers.sonarr.entrypoints=https"
 - "traefik.http.routers.sonarr.middlewares=authelia@docker"
+ deploy:
+ resources:
+ limits:
+ memory: 500M
+ reservations:
+ memory: 250M
 # Subtitle manager
 bazarr:
 image: lscr.io/linuxserver/bazarr:latest
@@ -283,6 +349,12 @@ services:
 - "traefik.http.routers.bazarr.rule=Host(`bazarr.${DOMAIN}`)"
 - "traefik.http.routers.bazarr.entrypoints=https"
 - "traefik.http.routers.bazarr.middlewares=authelia@docker"
+ deploy:
+ resources:
+ limits:
+ memory: 512M
+ reservations:
+ memory: 256M
 # Book manager
 readarr:
 image: hotio/readarr:testing
@@ -298,6 +370,12 @@ services:
 - "traefik.http.routers.readarr.rule=Host(`readarr.${DOMAIN}`)"
 - "traefik.http.routers.readarr.entrypoints=https"
 - "traefik.http.routers.readarr.middlewares=authelia@docker"
+ deploy:
+ resources:
+ limits:
+ memory: 512M
+ reservations:
+ memory: 150M
 # Movie/show request manager
 jellyseerr:
 image: fallenbagel/jellyseerr:develop
@@ -312,10 +390,12 @@ services:
 - "traefik.http.services.jellyseerr.loadbalancer.server.port=5055"
 - "traefik.http.routers.jellyseerr.rule=Host(`jellyseerr.${DOMAIN}`)"
 - "traefik.http.routers.jellyseerr.entrypoints=https"
- # We leverage authelia, autologin here until https://github.com/Fallenbagel/jellyseerr/pull/184 is merged
- # - 'traefik.http.routers.jellyseerr.middlewares=authelia@docker,jellyheaders'
- # - 'traefik.http.middlewares.jellyheaders.headers.customrequestheaders.X-API-Key=MTY4OTIzMjU4NzYxOGY2ZjU5MDRkLWExZTctNDNiMy1iZTgwLWVhZTk5YTIxNjlmNw=='
- # - 'traefik.http.middlewares.jellyheaders.headers.customrequestheaders.X-API-User=2'
+ deploy:
+ resources:
+ limits:
+ memory: 512M
+ reservations:
+ memory: 256M
 networks:
 bitmagnet-postgres:
diff --git a/system/modules/server/files/docker/projects/mirrors.docker-compose.yaml b/system/modules/server/files/docker/projects/mirrors.docker-compose.yaml
index 309f059f..eff92779 100644
--- a/system/modules/server/files/docker/projects/mirrors.docker-compose.yaml
+++ b/system/modules/server/files/docker/projects/mirrors.docker-compose.yaml
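Review bot: The four `-` lines dropped from the jellyseerr service in the `@@ -312,10 +390,12 @@` hunk carried a commented-out `X-API-Key` value; deleting them from the working tree does not remove the value from git history, so that key should be treated as exposed and rotated on the jellyseerr side rather than relying on the deletion. Those lines were also the only explanation of why `traefik.http.routers.jellyseerr` has no `authelia@docker` middleware while every sibling router in this file does, and the commit replaces them with the `deploy` stanza without keeping the rationale. Retaining a one-line comment next to the router labels, e.g. `# Intentionally not behind authelia@docker; autologin pending https://github.com/Fallenbagel/jellyseerr/pull/184`, keeps the unauthenticated exposure visibly deliberate for the next reader. The jellyseerr service block starts before this hunk.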
@@ -21,6 +21,12 @@ services:
 - "traefik.http.routers.libreddit.rule=Host(`r.u8.lv`)"
 - "traefik.http.routers.libreddit.entrypoints=https"
 - "traefik.http.routers.libreddit.middlewares=authelia@docker"
+ deploy:
+ resources:
+ limits:
+ memory: 100M
+ reservations:
+ memory: 50M
 nitter:
 image: ghcr.io/sekai-soft/nitter-self-contained
 container_name: nitter
@@ -52,6 +58,12 @@ services:
 - no-new-privileges:true
 cap_drop:
 - ALL
+ deploy:
+ resources:
+ limits:
+ memory: 100M
+ reservations:
+ memory: 20M
 nitter-redis:
 image: redis:6-alpine
 container_name: nitter-redis
@@ -69,3 +81,9 @@ services:
 - no-new-privileges:true
 cap_drop:
 - ALL
+ deploy:
+ resources:
+ limits:
+ memory: 50M
+ reservations:
+ memory: 20M
diff --git a/system/modules/server/files/docker/projects/special.docker-compose.yaml b/system/modules/server/files/docker/projects/special.docker-compose.yaml
index 8109a8c4..c109ff31 100644
--- a/system/modules/server/files/docker/projects/special.docker-compose.yaml
+++ b/system/modules/server/files/docker/projects/special.docker-compose.yaml
@@ -27,6 +27,12 @@ services:
 - "traefik.http.routers.miniserve.entrypoints=https"
 - "traefik.http.routers.miniserve.middlewares=miniserve-auth"
 - "traefik.http.middlewares.miniserve-auth.basicauth.users=${MINISERVE_AUTH}"
+ deploy:
+ resources:
+ limits:
+ memory: 512M
+ reservations:
+ memory: 32M
 switcheroo:
 image: nikarh/xcabczxabcz
 container_name: switcheroo
@@ -34,3 +40,9 @@ services:
 volumes:
 - switcheroo-db:/db
 - /var/lib/docker-services/volumes/switcheroo/secrets/.env:/app/.env:ro
+ deploy:
+ resources:
+ limits:
+ memory: 100M
+ reservations:
+ memory: 50M