Container Management Tools¶

Production-grade container monitoring, auto-healing and dashboard solutions.

🛠️ Service Configuration¶

Logging (default-logging)
Labels (default-labels)
Resource limits (resource-limits)

Core Services¶

WatchtowerAutohealDashyRoundcubeGuacamole

watchtower:
  image: containrrr/watchtower
  container_name: watchtower
  hostname: watchtower
  restart: always
  <<: *resource-limits
  logging:
    <<: *default-logging
    options:
      <<: *default-logging-options
      loki-external-labels: job=watchtower
  environment:
    UID: ${UID_NAS_ADMIN:-1026} # (1)
    GID: ${GID_NAS_ADMIN:-100} # (2)
    WATCHTOWER_CLEANUP: true # (3)
    WATCHTOWER_LABEL_ENABLE: true # (4)
    WATCHTOWER_DEBUG: true # (5)
    WATCHTOWER_ROLLING_RESTART: true # (6)
    WATCHTOWER_INCLUDE_STOPPED: true # (7)
    NO_COLOR: 1 # (8)
    WATCHTOWER_NO_SETUP_MESSAGE: true # (9)
    WATCHTOWER_TIMEOUT: 30s # (10)
    WATCHTOWER_NO_RESTART: false # (11)
    WATCHTOWER_POLL_INTERVAL: 30 # (12)
    WATCHTOWER_HTTP_API_UPDATE: true # (13)
    WATCHTOWER_HTTP_API_METRICS: true # (14)
    WATCHTOWER_HTTP_API_PERIODIC_POLLS: true # (15)
    DOCKER_TLS_VERIFY: true # (16)
    WATCHTOWER_LOG_LEVEL: info # (17)
    DOCKER_API_VERSION: 1.41 # (18)
    WATCHTOWER_REMOVE_VOLUMES: false # (19)
    WATCHTOWER_TRACE: true # (20)
    WATCHTOWER_HTTP_API_TOKEN: ${WATCHTOWER_HTTP_API_TOKEN:? Token is missing} # (21)
    WATCHTOWER_NOTIFICATIONS: gotify # (22)
    WATCHTOWER_NOTIFICATIONS_LEVEL: info # (23)
    WATCHTOWER_NOTIFICATION_GOTIFY_URL: https://gotify.${SYNOLOGY_BASIC_URL} # (24)
    WATCHTOWER_NOTIFICATION_GOTIFY_TOKEN: ${WATCHTOWER_NOTIFICATION_GOTIFY_TOKEN:?Token is Required} # (25)
  ports:
    - "8080:8080"
  volumes:
    - type: bind
      source: /var/run/docker.sock
      target: /var/run/docker.sock
      read_only: true
    - type: bind
      source: /etc/localtime
      target: /etc/localtime
      read_only: true
    - type: bind
      source: /root/.docker/config.json
      target: /root/.docker/config.json
      read_only: true
  networks:
    dockerization:
  labels:
    <<: *default-labels
    monitoring: watchtower

→ User ID for permissions (default: 1026)
→ Group ID for permissions (default: 100)
→ Automatically clean up old images
→ Enable container monitoring by label
→ Enable debug mode
→ Enable rolling restarts
→ Monitor stopped containers
→ Disable colored output
→ Disable setup message
→ Container stop timeout (30s)
→ Disable container restarts (false)
→ Check interval in seconds (30)
→ Enable HTTP API updates
→ Enable metrics endpoint
→ Enable periodic polls via API
→ Enable TLS verification
→ Log level (info)
→ Docker API version (1.41)
→ Remove volumes with containers (false)
→ Enable trace logging
→ Required API token
→ Notification service (gotify)
→ Notification level (info)
→ Gotify server URL
→ Gotify access token

autoheal:
  image: willfarrell/autoheal
  container_name: autoheal
  hostname: autoheal
  restart: always
  <<: *resource-limits
  logging:
    <<: *default-logging
    options:
      <<: *default-logging-options
      loki-external-labels: job=autoheal
  environment:
    UID: ${UID_NAS_ADMIN:-1026} # (1)
    GID: ${GID_NAS_ADMIN:-100} # (2)
    AUTOHEAL_INTERVAL: 60s # (3)
    AUTOHEAL_CONTAINER_LABEL: recreat.container # (4)
    DOCKER_HOST: unix:///var/run/docker.sock # (5)
    WEBHOOK_URL: https://gotify.${SYNOLOGY_BASIC_URL}/message?token=${WATCHTOWER_NOTIFICATION_GOTIFY_TOKEN} # (6)
    AUTOHEAL_ONLY_MONITOR_RUNNING: false # (7)
  volumes:
    - type: bind
      source: /var/run/docker.sock
      target: /var/run/docker.sock
      read_only: true
    - type: bind
      source: /etc/localtime
      target: /etc/localtime
      read_only: true
  networks:
    dockerization:
  labels:
    <<: *default-labels
    monitoring: autoheal

→ User ID for permissions (default: 1026)
→ Group ID for permissions (default: 100)
→ Health check interval (60s)
→ Label to identify containers to monitor
→ Docker socket path
→ Gotify webhook URL for notifications
→ Monitor only running containers (false)

dashy:
  container_name: dashy
  hostname: dashy
  image: lissy93/dashy:latest
  restart: always
  cap_drop:
    - ALL
  cap_add:
    - CHOWN
    - SETGID
    - SETUID
    - DAC_OVERRIDE
    - NET_BIND_SERVICE
  <<: *resource-limits
  logging:
    <<: *default-logging
    options:
      <<: *default-logging-options
      loki-external-labels: job=dashy
  environment:
    UID: ${UID_NAS_ADMIN:-1026} # (1)
    GID: ${GID_NAS_ADMIN:-100} # (2)
  ports:
    - "${DASHY_PORT:-90}:8080"
  volumes:
    - type: bind
      source: ${MOUNT_PATH_DOCKER_ROOT}/development/config/dashy.yml
      target: /app/user-data/conf.yml
    - type: bind
      source: /etc/localtime
      target: /etc/localtime
      read_only: true
  networks:
    - dockerization
  labels:
    <<: *default-labels
    monitoring: dashy

→ User ID for permissions (default: 1026)
→ Group ID for permissions (default: 100)

roundcube:
  image: roundcube/roundcubemail:latest
  container_name: roundcube
  hostname: roundcube
  restart: always
  ports:
    - "${ROUNDCUBE_PORT:-9002}:8080"
  volumes:
    - type: bind
      source: ${MOUNT_PATH_DOCKER_ROOT}/www:/var/www/html
      target: /var/roundcube/db
    - type: bind
      source: ${MOUNT_PATH_DOCKER_ROOT}/config
      target: /var/roundcube/config
    - type: bind
      source: ${MOUNT_PATH_DOCKER_ROOT}/db
      target: /var/www/html
    - type: bind
      source: /etc/localtime
      target: /etc/localtime
      read_only: true
  networks:
    dockerization:
  labels:
    <<: *default-labels
    monitoring: roundcube

guacamole:
  image: ${image_guacamole:-jwetzell/guacamole}
  container_name: guacamole
  hostname: guacamole
  restart: always
  <<: *resource-limits
  logging:
    <<: *default-logging
    options:
      <<: *default-logging-options
      loki-external-labels: job=guacamole
  ports:
    - "${GUACMOLE_PORT:-8348}:8080"
  environment:
    UID: ${UID_NAS_ADMIN:-1026} # (1)
    GID: ${GID_NAS_ADMIN:-100} # (2)
    GUACD_LOG_LEVEL: info # (3)
    GUACD_PORT: 80 # (4)
  volumes:
    - type: bind
      source: ${MOUNT_PATH_DOCKER_ROOT}/guacamole
      target: /config
    - type: bind
      source: ${MOUNT_PATH_DOCKER_ROOT}/logs/guacamole
      target: /var/log/
    - type: bind
      source: /etc/localtime
      target: /etc/localtime
      read_only: true
  networks:
    dockerization:
  labels:
    <<: *default-labels
    monitoring: guacamole

→ User ID for permissions (default: 1026)
→ Group ID for permissions (default: 100)
→ Log level (info)
→ Guacamole daemon port (80)

🔐 Required Environment Variables¶

Variable	Description	Required
`UID_NAS_ADMIN`	User ID for volume permissions	⚠️ Recommended
`GID_NAS_ADMIN`	Group ID for volume permissions	⚠️ Recommended
`WATCHTOWER_HTTP_API_TOKEN`	Watchtower API token	✅
`WATCHTOWER_NOTIFICATION_GOTIFY_TOKEN`	Gotify notification token	✅
`MOUNT_PATH_DOCKER_ROOT`	Base storage path	✅
`SYNOLOGY_BASIC_URL`	Base domain for services	✅
`DASHY_PORT`	Dashy web interface port	⚠️ Recommended
`ROUNDCUBE_PORT`	Roundcube web interface port	⚠️ Recommended
`GUACMOLE_PORT`	Guacamole web interface port	⚠️ Recommended
`image_guacamole`	Guacamole image override	⚠️ Optional

Security Notice

Be stored in .env files
Have restricted permissions (chmod 600)
Never be committed to version control
Be rotated periodically

🚀 Deployment¶

Create .env file with required variables

Initialize volumes

mkdir -p ${MOUNT_PATH_DOCKER_ROOT}/{guacamole,logs/guacamole,development/config,www,config,db}
chown -R ${UID_NAS_ADMIN:-1026}:${GID_NAS_ADMIN:-100} ${MOUNT_PATH_DOCKER_ROOT}

Start services
```
docker-compose up -d
```

🔄 Maintenance¶

Updates

docker-compose pull && docker-compose up -d

Logs
```
docker-compose logs -f
```