Add Pi-hole with AdGuard DOH/DOT integration, reorganize swarm stacks, add DNS/n8n docs

services/swarm/stacks/tools/gitea-stack.env

@@ -0,0 +1,2 @@
+# Please provide the following secret in Portainer before deploying the stack.
+GITEA_DB_PASSWORD=Windstar713!

services/swarm/stacks/tools/gitea-stack.yml

@@ -0,0 +1,107 @@
+version: '3.8'
+
+networks:
+  traefik-public:
+    external: true
+  gitea-internal:
+    driver: overlay
+    attachable: true
+
+volumes:
+  gitea_data:
+  gitea_db_data:
+
+secrets:
+  gitea_db_password:
+    external: true
+
+services:
+  gitea:
+    image: gitea/gitea:latest
+    volumes:
+      - gitea_data:/data
+    networks:
+      - traefik-public
+      - gitea-internal
+    ports:
+      - "2222:22"
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+      - GITEA__database__DB_TYPE=postgres
+      - GITEA__database__HOST=gitea-db:5432
+      - GITEA__database__NAME=gitea
+      - GITEA__database__USER=gitea
+      - GITEA__database__PASSWD_FILE=/run/secrets/gitea_db_password
+      - GITEA__server__DOMAIN=git.sterl.xyz
+      - GITEA__server__ROOT_URL=https://git.sterl.xyz
+      - GITEA__server__SSH_DOMAIN=git.sterl.xyz
+      - GITEA__server__SSH_PORT=2222
+      - GITEA__service__DISABLE_REGISTRATION=false
+    secrets:
+      - gitea_db_password
+    depends_on:
+      - gitea-db
+    healthcheck:
+      test: ["CMD-SHELL", "wget -q --spider http://localhost:3000 || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+    deploy:
+      placement:
+        constraints:
+          - node.role == manager
+      resources:
+        limits:
+          memory: 1G
+          cpus: '1.0'
+        reservations:
+          memory: 256M
+          cpus: '0.2'
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 3
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.routers.gitea.rule=Host(`git.sterl.xyz`)"
+        - "traefik.http.routers.gitea.entrypoints=websecure"
+        - "traefik.http.routers.gitea.tls.certresolver=cfresolver"
+        - "traefik.http.services.gitea.loadbalancer.server.port=3000"
+        - "traefik.swarm.network=traefik-public"
+        - "tsdproxy.enable=true"
+        - "tsdproxy.name=gitea"
+        - "tsdproxy.container_port=3000"
+
+  gitea-db:
+    image: postgres:15-alpine
+    volumes:
+      - gitea_db_data:/var/lib/postgresql/data
+    networks:
+      - gitea-internal
+    environment:
+      - POSTGRES_USER=gitea
+      - POSTGRES_PASSWORD_FILE=/run/secrets/gitea_db_password
+      - POSTGRES_DB=gitea
+    secrets:
+      - gitea_db_password
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U gitea"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+    deploy:
+      placement:
+        constraints:
+          - node.role == manager
+      resources:
+        limits:
+          memory: 512M
+          cpus: '0.5'
+        reservations:
+          memory: 128M
+          cpus: '0.1'
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 3

services/swarm/stacks/tools/portainer-stack.yml

@@ -0,0 +1,143 @@
+version: '3.8'
+
+networks:
+  traefik-public:
+    external: true
+  portainer-agent:
+    driver: overlay
+    attachable: true
+
+volumes:
+  portainer_data:
+
+services:
+  portainer:
+    image: portainer/portainer-ce:latest
+    command:
+      - "-H"
+      - "tcp://tasks.agent:9001"
+      - "--tlsskipverify"
+    ports:
+      - "9000:9000"
+      - "9443:9443"
+    volumes:
+      - portainer_data:/data
+    networks:
+      - traefik-public
+      - portainer-agent
+    healthcheck:
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:9000/api/status"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+    deploy:
+      mode: replicated
+      replicas: 1
+      placement:
+        constraints:
+          - node.role == manager
+      resources:
+        limits:
+          memory: 512M
+          cpus: '0.5'
+        reservations:
+          memory: 256M
+          cpus: '0.25'
+      restart_policy:
+        condition: on-failure
+        delay: 10s
+        max_attempts: 3
+      update_config:
+        parallelism: 1
+        delay: 10s
+        failure_action: rollback
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.routers.portainer.rule=Host(`portainer.sterl.xyz`)"
+        - "traefik.http.routers.portainer.entrypoints=websecure"
+        - "traefik.http.routers.portainer.tls.certresolver=cfresolver"
+        - "traefik.http.routers.portainer.service=portainer"
+        - "traefik.http.routers.portainer.tls=true"
+        - "traefik.http.services.portainer.loadbalancer.server.port=9000"
+        - "traefik.http.services.portainer.loadbalancer.sticky.cookie=true"
+        - "traefik.swarm.network=traefik-public"
+        - "traefik.docker.network=traefik-public"
+        - "tsdproxy.enable=true"
+        - "tsdproxy.name=portainer"
+        - "tsdproxy.container_port=9000"
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+  # Linux agent
+  agent:
+    image: portainer/agent:latest
+    environment:
+      AGENT_CLUSTER_ADDR: tasks.agent
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/lib/docker/volumes:/var/lib/docker/volumes
+    networks:
+      - portainer-agent
+    deploy:
+      mode: global
+      placement:
+        constraints:
+          - node.platform.os == linux
+      resources:
+        limits:
+          memory: 128M
+          cpus: '0.25'
+        reservations:
+          memory: 64M
+          cpus: '0.1'
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 3
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "5m"
+        max-file: "2"
+
+  # Windows agent (optional - only deploys if Windows node exists)
+  agent-windows:
+    image: portainer/agent:latest
+    environment:
+      AGENT_CLUSTER_ADDR: tasks.agent
+    volumes:
+      - type: npipe
+        source: \\\\.\\pipe\\docker_engine
+        target: \\\\.\\pipe\\docker_engine
+      - type: bind
+        source: C:\\ProgramData\\docker\\volumes
+        target: C:\\ProgramData\\docker\\volumes
+    networks:
+      portainer-agent:
+        aliases:
+          - agent
+    deploy:
+      mode: global
+      placement:
+        constraints:
+          - node.platform.os == windows
+      resources:
+        limits:
+          memory: 128M
+          cpus: '0.25'
+        reservations:
+          memory: 64M
+          cpus: '0.1'
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 3
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "5m"
+        max-file: "2"

services/swarm/stacks/tools/tools-stack.yml

@@ -0,0 +1,52 @@
+version: '3.8'
+
+networks:
+  traefik-public:
+    external: true
+
+services:
+  dozzle:
+    image: amir20/dozzle:latest
+    user: "0:0"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - traefik-public
+    environment:
+      - DOZZLE_MODE=swarm
+      - DOZZLE_LEVEL=debug
+      - DOZZLE_NO_ANALYTICS=true
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "5m"
+        max-file: "2"
+    deploy:
+      mode: global
+      resources:
+        limits:
+          memory: 256M
+          cpus: '0.25'
+        reservations:
+          memory: 64M
+          cpus: '0.05'
+      restart_policy:
+        condition: any
+        delay: 5s
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.routers.dozzle.rule=Host(`dozzle.sterl.xyz`)"
+        - "traefik.http.routers.dozzle.entrypoints=websecure"
+        - "traefik.http.routers.dozzle.tls.certresolver=cfresolver"
+        - "traefik.http.services.dozzle.loadbalancer.server.port=8080"
+        - "traefik.swarm.network=traefik-public"
+        - "tsdproxy.enable=true"
+        - "tsdproxy.name=logs"
+        - "tsdproxy.container_port=8080"
+    healthcheck:
+      test: ["CMD-SHELL", "if [ -S /var/run/docker.sock ]; then exit 0; else exit 1; fi"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 10s
+