Core Infrastructure Services
Essential networking stack including DNS resolution, reverse proxy, and cloud tunneling.
Service Configuration
This setup uses the shared Docker Compose anchors for:
- Logging (`default-logging` and `default-logging-options`)
- Labels (`default-labels`)
- Resource limits (`resource-limits`)
Core Services
```yaml
cloudflared:
  container_name: cloudflared
  hostname: cloudflared
  image: cloudflare/cloudflared:latest
  command: tunnel --no-autoupdate run --token ${CLOUDFLARE_TOKEN:?CLOUDFLARE_TOKEN required}
  restart: always
  <<: *resource-limits
  logging:
    <<: *default-logging
    options:
      <<: *default-logging-options
      loki-external-labels: job=cloudflared
  environment:
    UID: ${UID_NAS_ADMIN:-1026} # (1)
    GID: ${GID_NAS_ADMIN:-100} # (2)
    TUNNEL_METRICS: ${TUNNEL_METRICS:-0.0.0.0:8080} # (3)
  volumes:
    - type: bind
      source: /etc/localtime
      target: /etc/localtime
      read_only: true
  networks:
    dockerization:
  labels:
    <<: *default-labels
    monitoring: cloudflared
```

1. User ID for volume permissions (default: 1026)
2. Group ID for volume permissions (default: 100)
3. Metrics endpoint (default: 0.0.0.0:8080)
```yaml
pihole:
  container_name: pihole
  hostname: pihole
  image: pihole/pihole
  restart: always
  cap_add:
    - NET_ADMIN
  security_opt:
    - no-new-privileges=false
  deploy:
    resources:
      limits:
        memory: 512MB
  ulimits:
    nofile:
      soft: 65536
      hard: 65536
  healthcheck:
    test: ["CMD", "dig", "@127.0.0.1", "-p53", "pi.hole"]
    interval: 1m
    timeout: 10s
    retries: 3
    start_period: 30s
  logging:
    <<: *default-logging
    options:
      <<: *default-logging-options
      loki-external-labels: job=pihole
  environment:
    UID: ${UID_NAS_ADMIN:-1026} # (1)
    GID: ${GID_NAS_ADMIN:-100} # (2)
    FTLCONF_LOCAL_IPV4: ${FTLCONF_LOCAL_IPV4:-0.0.0.0} # (3)
    FTLCONF_LOCAL_IPV6: ${FTLCONF_LOCAL_IPV6:-::} # (4)
    PIHOLE_UID: ${PIHOLE_UID:-1000} # (5)
    PIHOLE_GID: ${PIHOLE_GID:-1000} # (6)
    DNSMASQ_USER: ${DNSMASQ_USER:-pihole} # (7)
    FTLCONF_dns_listeningMode: ${FTLCONF_dns_listeningMode:-all} # (8)
    FTLCONF_webserver_port: ${FTLCONF_webserver_port:-80} # (9)
    FTLCONF_webserver_api_password: ${PI_HOLE_PASSWORD:?Password is Missing} # (10)
    WEBTHEME: ${WEBTHEME:-dark} # (11)
    FTLCONF_dns_upstreams: ${FTLCONF_dns_upstreams:-1.1.1.1;1.0.0.1;8.8.8.8;8.8.4.4} # (12)
    FTLCONF_QUERY_LOGGING: ${FTLCONF_QUERY_LOGGING:-true} # (13)
    FTLCONF_MAXDBDAYS: ${FTLCONF_MAXDBDAYS:-30} # (14)
    FTLCONF_PRIVACYLEVEL: ${FTLCONF_PRIVACYLEVEL:-0} # (15)
    VIRTUAL_HOST: pihole.${SYNOLOGY_BASIC_URL} # (16)
  ports:
    - "53:53/tcp"
    - "53:53/udp"
    - "81:80/tcp"
  volumes:
    - type: bind
      source: ${MOUNT_PATH_DOCKER_ROOT:?path required}/config/dnsmasq.d
      target: /etc/dnsmasq.d
    - type: bind
      source: ${MOUNT_PATH_DOCKER_ROOT}/pihole
      target: /etc/pihole
    - type: bind
      source: ${MOUNT_PATH_DOCKER_ROOT}/logs/pihole
      target: /var/log/pihole
    - type: bind
      source: /etc/localtime
      target: /etc/localtime
      read_only: true
  networks:
    dockerization:
  labels:
    <<: *default-labels
    monitoring: pihole
```

1. User ID for permissions (default: 1026)
2. Group ID for permissions (default: 100)
3. IPv4 listening address (default: 0.0.0.0)
4. IPv6 listening address (default: ::)
5. Pi-hole user ID (default: 1000)
6. Pi-hole group ID (default: 1000)
7. DNSMasq user (default: pihole)
8. DNS listening mode (default: all)
9. Web interface port (default: 80)
10. Required admin password
11. Web UI theme (default: dark)
12. Upstream DNS servers
13. Query logging (default: true)
14. Log retention (default: 30 days)
15. Privacy level (default: 0)
16. Virtual host URL
```yaml
npm-proxy:
  container_name: npm-proxy
  hostname: npm-proxy
  image: jc21/nginx-proxy-manager:latest
  restart: always
  healthcheck:
    test:
      - CMD
      - curl
      - -f
      - http://localhost:81/ping
    interval: 30s
    timeout: 10s
    retries: 3
    start_period: 20s
  <<: *resource-limits
  logging:
    <<: *default-logging
    options:
      <<: *default-logging-options
      loki-external-labels: job=npm-proxy
  ports:
    - ${NGNIX_PROXY_MANAGER_PORT:-84}:81
  environment:
    UID: ${UID_NAS_ADMIN:-1026} # (1)
    GID: ${GID_NAS_ADMIN:-100} # (2)
    INITIAL_ADMIN_EMAIL: ${EMAIL} # (3)
    INITIAL_ADMIN_PASSWORD: ${INITIAL_ADMIN_PASSWORD:?Password is missing} # (4)
  volumes:
    - type: bind
      source: ${MOUNT_PATH_DOCKER_ROOT}/ngx/data
      target: /data
    - type: bind
      source: ${MOUNT_PATH_DOCKER_ROOT}/development/config/ngx.json
      target: /app/config/production.json
    - type: bind
      source: ${MOUNT_PATH_DOCKER_ROOT}/ngx/letsencrypt
      target: /etc/letsencrypt
    - type: bind
      source: /var/run/docker.sock
      target: /var/run/docker.sock
      read_only: true
    - type: bind
      source: /etc/localtime
      target: /etc/localtime
      read_only: true
  networks:
    dockerization:
  labels:
    <<: *default-labels
    monitoring: npm-proxy
```

1. User ID for permissions (default: 1026)
2. Group ID for permissions (default: 100)
3. Admin email address
4. Required admin password
Required Environment Variables
Refer to the Environment Variables documentation for:

Variable | Description | Required
---|---|---
CLOUDFLARE_TOKEN | Cloudflare Tunnel token | Yes
PI_HOLE_PASSWORD | Pi-hole admin password | Yes
INITIAL_ADMIN_PASSWORD | NPM admin password | Yes
MOUNT_PATH_DOCKER_ROOT | Storage path | Yes
SYNOLOGY_BASIC_URL | Base domain for services | Yes
UID_NAS_ADMIN | User ID for volume permissions | Recommended
GID_NAS_ADMIN | Group ID for volume permissions | Recommended
Security Notice
Secrets such as the tokens and passwords above should:
- Be stored in `.env` files
- Have restricted permissions (`chmod 600`)
- Never be committed to version control
- Be rotated periodically
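As an added example that is not part of the original page, the following POSIX shell script checks a `.env` file against the variable table and the Security Notice above before the stack is started; the function names and the assumed plain `NAME=value` file format are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: a pre-flight check for the
# .env file this stack reads. It enforces the Security Notice (mode 600, not
# committed) and the variable table (required vs. recommended variables).
# Assumption: the .env consists of simple NAME=value lines, optionally quoted.

REQUIRED_VARS="CLOUDFLARE_TOKEN PI_HOLE_PASSWORD INITIAL_ADMIN_PASSWORD MOUNT_PATH_DOCKER_ROOT SYNOLOGY_BASIC_URL"
RECOMMENDED_VARS="UID_NAS_ADMIN GID_NAS_ADMIN"

# env_value FILE NAME: print the value of NAME in FILE (last assignment wins,
# surrounding double quotes stripped); prints nothing when NAME is absent.
env_value() {
  grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 \
    | sed -E "s/^[[:space:]]*$2=//; s/^\"(.*)\"\$/\1/"
}

# check_env_file FILE: return 0 when every check passes, 1 otherwise.
# Findings go to stderr so callers can rely on the exit code alone.
check_env_file() {
  file=$1
  rc=0
  [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }

  # Security Notice: owner read/write only (chmod 600). GNU stat first, BSD stat as fallback.
  mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
  [ "$mode" = "600" ] || { echo "$file has mode $mode, expected 600" >&2; rc=1; }

  # Security Notice: never committed. Inside a git checkout the file must be ignored.
  dir=$(dirname "$file")
  if git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    git -C "$dir" check-ignore -q "$file" || { echo "$file is not git-ignored" >&2; rc=1; }
  fi

  # Required variables: compose aborts on the ${VAR:?...} ones, but would silently
  # interpolate an empty SYNOLOGY_BASIC_URL into VIRTUAL_HOST.
  for v in $REQUIRED_VARS; do
    [ -n "$(env_value "$file" "$v")" ] || { echo "required variable unset: $v" >&2; rc=1; }
  done
  # Recommended variables: compose falls back to the ${VAR:-default} in the service definitions.
  for v in $RECOMMENDED_VARS; do
    [ -n "$(env_value "$file" "$v")" ] || echo "recommended variable unset: $v (default applies)" >&2
  done
  return $rc
}

# Usage: sh check-env.sh /path/to/.env
if [ $# -gt 0 ]; then
  check_env_file "$1"
fi
```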
Deployment
- Create a `.env` file with the required variables
- Initialize volumes
- Start services
Maintenance
- Backups
  - Regularly back up the volume directories
- Updates
- Logs