mapletree/core/docker-compose.yml

services:
  periphery:
    image: ghcr.io/moghtech/komodo-periphery:latest
    container_name: komodo-periphery
    cpus: 2.0
    mem_limit: "2048m"
    mem_reservation: "512m"
    ports:
      - "8120:8120"
    user: root
    labels:
      - "komodo.skip=true"
    restart: unless-stopped
    #env_file: ./.env
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /root/.docker/config.json:/root/.docker/config.json:ro
      - /proc:/proc
      - /docker/periphery/etc:/etc/komodo
    environment:
      - PERIPHERY_ID=${HOSTNAME}

  dns:
    image: technitium/dns-server:latest
    container_name: dns-${NODE_ID}  # Becomes dns-1 or dns-2
    restart: unless-stopped
    ports:
      - "53:53/udp"
      - "53:53/tcp"
      - "5381:5380/tcp" 
    environment:
      - TZ=America/Edmonton
      - DNS_SERVER_DOMAIN=dns${NODE_ID}.mapletree.email # dns1... or dns2...
      - DNS_SERVER_ADMIN_PASSWORD=${DNS_ADMIN_PASSWORD}
    volumes:
      # Updated path to match your new 'infrastructure' folder structure
      - /docker/core/dns/config:/etc/dns
    networks:
      - dns_external
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=dns_external"
      # Dynamic Router Name (dns1 vs dns2)
      - "traefik.http.routers.dns${NODE_ID}.rule=Host(`dns${NODE_ID}.mapletree.email`)"
      - "traefik.http.routers.dns${NODE_ID}.entrypoints=web,websecure"
      - "traefik.http.routers.dns${NODE_ID}.tls.certresolver=myresolver"
      - "traefik.http.services.dns${NODE_ID}.loadbalancer.server.port=5380"

  traefik:
    image: traefik:latest
    container_name: traefik
    cpus: 1.0
    mem_limit: "1024m"
    mem_reservation: "128m"
    restart: always
    ports:
      - "80:80"     # HTTP
      - "443:443"   # HTTPS
      - "888:8080" # Traefik Dashboard (optional, password-protect in production!)
    command:
      - "--api.dashboard=true"
      - "--api.insecure=true"  # Remove or secure in prod
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--providers.docker.network=web,request"
      - "--providers.file.directory=/etc/traefik/dynamic"
      - "--providers.file.watch=true"
      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=desec"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=90"
      - "--certificatesresolvers.myresolver.acme.email=admin@mapletree.email"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    environment:
    # Pass the variables through
      - DESEC_TOKEN=${DESEC_TOKEN}
      - DESEC_DOMAIN=${DESEC_DOMAIN}
      # (Any other Traefik env vars you need)
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/docker/core/traefik/letsencrypt:/letsencrypt"
      - "/docker/core/traefik/dynamic:/etc/traefik/dynamic"
    networks:
      - guac_external
      - komodo_external
      - ansible_external
      - dns_external
      - homepage_external
  keepalived:
    image: osixia/keepalived:latest
    container_name: keepalived
    restart: unless-stopped
    # Must run on host network to manage the interface IP
    network_mode: host
    cap_add:
      - NET_ADMIN
      - NET_BROADCAST
      - NET_RAW
    environment:
      - KEEPALIVED_INTERFACE=eth0 # Check if your LXC interface is eth0
      - KEEPALIVED_ROUTER_ID=51
      - KEEPALIVED_VIRTUAL_IPS=172.16.201.2/24 # THE FLOATING IP
      - KEEPALIVED_PRIORITY=${KEEPALIVED_PRIORITY} # 150 for Master, 100 for Backup
      - KEEPALIVED_PASSWORD=${DNS_ADMIN_PASSWORD}
  # DDNS UPDATER (IP Updates)
  ddns:
    image: qmcgaw/ddns-updater
    container_name: ddns
    restart: unless-stopped
    ports:
      - "8000:8000/tcp"
    environment:
      - TZ=America/Edmonton
      - PERIOD=5m
     # --- NEW IP DISCOVERY SETTINGS ---
      - PUBLICIP_FETCHERS=http       # Use web services to find your IP
      - PUBLICIP_HTTP_PROVIDERS=all  # Use any available service (ipify, etc.)
      # ---------------------------------
      
      # The Variable Injection
      # Format: provider, host, username, password
      # For deSEC: username IS the domain name.
      - CONFIG=desec,${DESEC_DOMAIN},@,${DESEC_TOKEN}
      
    volumes:
      - /docker/core/ddns:/updater/data

networks:
  guac_external:
    external: true
  komodo_external:
    external: true
  ansible_external:
    external: true
  dns_external:
    external: true
  homepage_external:
    external: true