'All' stack

This stack, or a variation of it, is deployed to all of my docker hosts. This contains useful tools such as

The idea here is to have a standard list of containers deployed to all devices. For example, this stack will automatically enroll any new devices into Beszel for performance monitoring. Watchtower is used to update the Portainer agents

The below compose file is deployed to my VMs

https://github.com/trentnbauer/Homelab/blob/main/docker-compose/all/all-vm.yml

version: '3'
services:
  autoheal:
    deploy:
      replicas: 1
    environment:
      AUTOHEAL_CONTAINER_LABEL: autoheal
      AUTOHEAL_INTERVAL: 60
      AUTOHEAL_START_PERIOD: 240
      AUTOHEAL_DEFAULT_STOP_TIMEOUT: 60
      AUTOHEAL_ONLY_MONITOR_RUNNING: true
      WEBHOOK_URL: ${PUSHOVER_WEBHOOK:-""}
    image: willfarrell/autoheal@sha256:e50aef1dd3cf7ba053bda7bb6910af7804e34600c4677b8d07d29367270ab771
    network_mode: none
    restart: always
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock
    security_opt:
      - apparmor:unconfined
  
  prunemate-proxy:
    image: ghcr.io/tecnativa/docker-socket-proxy:v0.4.2
    restart: unless-stopped
    security_opt:
      - apparmor:unconfined
    ports:
      - 2375:2375
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - ALLOW_START=1
      - ALLOW_STOP=1
      - ALLOW_RESTART=1
      - IMAGES=1
      - CONTAINERS=1
      - VOLUMES=1
      - NETWORKS=1
      - POST=1
      - DOCKER_API_VERSION=1.44
    healthcheck:
      test: wget --spider http://localhost:2375/version || exit 1
      interval: "29s"
      timeout: "5s"
      retries: 3
      start_period: "21s"
    labels:
      - autoheal=true
      
  watchtower:
    image: ghcr.io/nicholas-fedor/watchtower:1.17.2
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - TZ=${TZ:-Australia/Melbourne}
      - WATCHTOWER_ROLLING_RESTART=true
      - WATCHTOWER_CLEANUP=true
      - WATCHTOWER_INCLUDE_STOPPED=true
      - WATCHTOWER_POLL_INTERVAL=86400
      - WATCHTOWER_LABEL_ENABLE=true

  beszel-agent:
    image: ghcr.io/henrygd/beszel/beszel-agent:0.18.7-alpine@sha256:e18f7bbed391d75f36c2f335a4f7e04d4f354feeac63d9a717af3576af6b9f1b
    restart: unless-stopped
    network_mode: host
    cap_add:
      - SYS_RAWIO # required for S.M.A.R.T. data
      - SYS_ADMIN # required for NVMe S.M.A.R.T. data
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /dev:/dev:ro
      - /run/udev:/run/udev:ro
    device_cgroup_rules:
      - 'b 8:* rwm'       # /dev/sd* (SCSI/SATA disks)
      - 'b 259:* rwm'     # /dev/nvme*n* (NVMe namespaces)
      - 'c 10:237 rwm'    # /dev/nvme* (NVMe character device, misc major 10, minor 237)
      - 'c 21:* rwm'      # /dev/sg* (SCSI generic, used by smartctl on some setups)
    environment:
      - LISTEN=${BESZELPORT:-45876}
      - KEY=$BESZELKEY
      - GPU="true"
    healthcheck:
      test: ['CMD', '/agent', 'health']
      start_period: 30s
      interval: 120s
      retries: 3
      timeout: 60s
    labels:
      - autoheal=true

  dockflare:
    image: alplat/dockflare:v2.0.4
    restart: unless-stopped
    security_opt:
      - apparmor:unconfined
    healthcheck:
      test: wget --no-verbose --tries=1 --spider http://localhost:5000 -O /dev/null || exit 1
      interval: 30s
      retries: 3
      start_period: 30s
      timeout: 20s 
    ports:
      - ${DOCKFLAREPORT:-5000}:5000
    environment:
      - TUNNEL_NAME=${HOSTNAME:-MissingHostname}
      - LABEL_PREFIX=dfgeneric
      - CLOUDFLARED_NETWORK_NAME=host
      - CLOUDFLARED_IMAGE=cloudflare/cloudflared:2025.11.1
      - TZ=${TZ:-Australia/Melbourne}
      - CF_API_TOKEN=${CF_APITOKEN}
      - CF_ACCOUNT_ID=${CF_ACCOUNTID}
      - AGENT_STATUS_UPDATE_INTERVAL_SECONDS=5
      - SYNC_ALL_CLOUDFLARE_POLICIES=true
      - TZ=${TZ:-Australia/Melbourne}
      - GRACE_PERIOD_SECONDS=28800
      - CLEANUP_INTERVAL_SECONDS=900
      - SCAN_ALL_NETWORKS=true
      - MAX_CONCURRENT_DNS_OPS=${DOCKFLARE_DNSOPS:-2}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - dockflare:/app/data
    labels:
      - autoheal=true
      - dfgeneric.enable=true
      - dfgeneric.0.hostname=${HOSTNAME:-MissingHostname}-dockflare.${URLTLD}
      - dfgeneric.0.service=http://${HOSTNAME_FQDN:-localhost}:${DOCKLAREPORT:-5000}
      - dfgeneric.0.access.policy=default_tld
      - dfgeneric.0.zonename=${URLTLD}
      #- dfgeneric.path=${URLPATH:-}

  blackbox-agent:
    image: ghcr.io/maxjb-xyz/blackbox-agent:0.5.0
    restart: unless-stopped
    volumes:
      - blackbox-agent:/data
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc:/watch/etc:ro
      - /run/log/journal:/run/log/journal:ro
      - /var/log/journal:/var/log/journal:ro
      - /etc/machine-id:/etc/machine-id:ro
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"
    environment:
      - TZ=${TZ:-Australia/Melbourne}
      - SERVER_URL=${BLACKBOX_SERVER_URL}
      - AGENT_TOKEN=${NODE_NAME}
      - NODE_NAME=${NODE_NAME}
      - WATCH_PATHS=${WATCH_PATHS:-/watch/etc}
      - WATCH_SYSTEMD=${WATCH_SYSTEMD:-true}

volumes:
  dockflare:
  portacker:
  blackbox-agent:

And you can find the other variants of the 'all' stack here:

HomelabPublic/docker-compose/all at main · trentnbauer/HomelabPublicGitHub

PreviousGitOps NextPlex Suite

Last updated 5 months ago

version: '3'
services:
  autoheal:
    deploy:
      replicas: 1
    environment:
      AUTOHEAL_CONTAINER_LABEL: autoheal
      AUTOHEAL_INTERVAL: 60
      AUTOHEAL_START_PERIOD: 240
      AUTOHEAL_DEFAULT_STOP_TIMEOUT: 60
      AUTOHEAL_ONLY_MONITOR_RUNNING: true
      WEBHOOK_URL: ${PUSHOVER_WEBHOOK:-""}
    image: willfarrell/autoheal@sha256:e50aef1dd3cf7ba053bda7bb6910af7804e34600c4677b8d07d29367270ab771
    network_mode: none
    restart: always
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock
    security_opt:
      - apparmor:unconfined
  
  prunemate-proxy:
    image: ghcr.io/tecnativa/docker-socket-proxy:v0.4.2
    restart: unless-stopped
    security_opt:
      - apparmor:unconfined
    ports:
      - 2375:2375
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - ALLOW_START=1
      - ALLOW_STOP=1
      - ALLOW_RESTART=1
      - IMAGES=1
      - CONTAINERS=1
      - VOLUMES=1
      - NETWORKS=1
      - POST=1
      - DOCKER_API_VERSION=1.44
    healthcheck:
      test: wget --spider http://localhost:2375/version || exit 1
      interval: "29s"
      timeout: "5s"
      retries: 3
      start_period: "21s"
    labels:
      - autoheal=true
      
  watchtower:
    image: ghcr.io/nicholas-fedor/watchtower:1.17.2
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - TZ=${TZ:-Australia/Melbourne}
      - WATCHTOWER_ROLLING_RESTART=true
      - WATCHTOWER_CLEANUP=true
      - WATCHTOWER_INCLUDE_STOPPED=true
      - WATCHTOWER_POLL_INTERVAL=86400
      - WATCHTOWER_LABEL_ENABLE=true

  beszel-agent:
    image: ghcr.io/henrygd/beszel/beszel-agent:0.18.7-alpine@sha256:e18f7bbed391d75f36c2f335a4f7e04d4f354feeac63d9a717af3576af6b9f1b
    restart: unless-stopped
    network_mode: host
    cap_add:
      - SYS_RAWIO # required for S.M.A.R.T. data
      - SYS_ADMIN # required for NVMe S.M.A.R.T. data
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /dev:/dev:ro
      - /run/udev:/run/udev:ro
    device_cgroup_rules:
      - 'b 8:* rwm'       # /dev/sd* (SCSI/SATA disks)
      - 'b 259:* rwm'     # /dev/nvme*n* (NVMe namespaces)
      - 'c 10:237 rwm'    # /dev/nvme* (NVMe character device, misc major 10, minor 237)
      - 'c 21:* rwm'      # /dev/sg* (SCSI generic, used by smartctl on some setups)
    environment:
      - LISTEN=${BESZELPORT:-45876}
      - KEY=$BESZELKEY
      - GPU="true"
    healthcheck:
      test: ['CMD', '/agent', 'health']
      start_period: 30s
      interval: 120s
      retries: 3
      timeout: 60s
    labels:
      - autoheal=true

  dockflare:
    image: alplat/dockflare:v2.0.4
    restart: unless-stopped
    security_opt:
      - apparmor:unconfined
    healthcheck:
      test: wget --no-verbose --tries=1 --spider http://localhost:5000 -O /dev/null || exit 1
      interval: 30s
      retries: 3
      start_period: 30s
      timeout: 20s 
    ports:
      - ${DOCKFLAREPORT:-5000}:5000
    environment:
      - TUNNEL_NAME=${HOSTNAME:-MissingHostname}
      - LABEL_PREFIX=dfgeneric
      - CLOUDFLARED_NETWORK_NAME=host
      - CLOUDFLARED_IMAGE=cloudflare/cloudflared:2025.11.1
      - TZ=${TZ:-Australia/Melbourne}
      - CF_API_TOKEN=${CF_APITOKEN}
      - CF_ACCOUNT_ID=${CF_ACCOUNTID}
      - AGENT_STATUS_UPDATE_INTERVAL_SECONDS=5
      - SYNC_ALL_CLOUDFLARE_POLICIES=true
      - TZ=${TZ:-Australia/Melbourne}
      - GRACE_PERIOD_SECONDS=28800
      - CLEANUP_INTERVAL_SECONDS=900
      - SCAN_ALL_NETWORKS=true
      - MAX_CONCURRENT_DNS_OPS=${DOCKFLARE_DNSOPS:-2}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - dockflare:/app/data
    labels:
      - autoheal=true
      - dfgeneric.enable=true
      - dfgeneric.0.hostname=${HOSTNAME:-MissingHostname}-dockflare.${URLTLD}
      - dfgeneric.0.service=http://${HOSTNAME_FQDN:-localhost}:${DOCKLAREPORT:-5000}
      - dfgeneric.0.access.policy=default_tld
      - dfgeneric.0.zonename=${URLTLD}
      #- dfgeneric.path=${URLPATH:-}

  blackbox-agent:
    image: ghcr.io/maxjb-xyz/blackbox-agent:0.5.0
    restart: unless-stopped
    volumes:
      - blackbox-agent:/data
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc:/watch/etc:ro
      - /run/log/journal:/run/log/journal:ro
      - /var/log/journal:/var/log/journal:ro
      - /etc/machine-id:/etc/machine-id:ro
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"
    environment:
      - TZ=${TZ:-Australia/Melbourne}
      - SERVER_URL=${BLACKBOX_SERVER_URL}
      - AGENT_TOKEN=${NODE_NAME}
      - NODE_NAME=${NODE_NAME}
      - WATCH_PATHS=${WATCH_PATHS:-/watch/etc}
      - WATCH_SYSTEMD=${WATCH_SYSTEMD:-true}

volumes:
  dockflare:
  portacker:
  blackbox-agent: