docker-compose.yml
# ===========================================
# LogviewR - Docker Compose (Fail2ban + Firewall)
# ===========================================
#
# Full setup: log viewer + Fail2ban management + IPTables/IPSet/NFTables tabs.
#
# Prerequisites:
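# 1. Create .env: echo "JWT_SECRET=$(openssl rand -base64 32)" > .env
#    (.env holds the JWT signing secret; keep it owner-readable only, e.g. chmod 600 .env)
# 2. Run setup: curl -fsSL https://raw.githubusercontent.com/Erreur32/LogviewR/main/scripts/setup-fail2ban-access.sh | sudo bash
#    (creates fail2ban group, sets permissions, writes FAIL2BAN_GID to .env)
#    Note: this pipes a remote script straight into a root shell. To review it
#    first, download it to a file, read it, then run that file with sudo bash.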
# 3. Start: docker compose up -d
#
# ── Reverse proxy (required — network_mode: host exposes the port directly) ──
# Nginx Proxy Manager : Forward Hostname = 127.0.0.1 / Port = 7500
# Nginx manual : proxy_pass http://127.0.0.1:7500;
# Caddy : reverse_proxy 127.0.0.1:7500
# Traefik : url = "http://127.0.0.1:7500"
# To change port: set PORT=8080 in .env and update reverse proxy
#
# ===========================================
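services:
  # Single service: the LogviewR web UI with Fail2ban and firewall management.
  logviewr:
    # NOTE(review): ":latest" is a mutable tag, so each pull may run different
    # code with the privileges granted below. Consider pinning a release tag or
    # a digest, e.g. ghcr.io/erreur32/logviewr@sha256:<DIGEST_PLACEHOLDER>.
    image: ghcr.io/erreur32/logviewr:latest
    container_name: logviewr
    restart: unless-stopped
    # host network required for IPTables/IPSet/NFTables tabs
    # ⚠️ incompatible with ports: — use PORT env var instead
    # With host networking there is no Docker port mapping in front of the
    # service: it listens on the host's own network stack on PORT.
    # NOTE(review): the bind address is not visible in this file; restrict PORT
    # with a host firewall rule so only the reverse proxy can reach it.
    network_mode: host
    cap_add:
      - NET_ADMIN  # required for netfilter (iptables/ipset/nft)
    environment:
      # Fail closed: abort `docker compose up` when JWT_SECRET is unset or
      # empty instead of silently substituting an empty string.
      JWT_SECRET: "${JWT_SECRET:?JWT_SECRET must be set in .env}"
      PORT: "${PORT:-7500}"  # direct listen port on host
      HOST_IP: "${HOST_IP:-}"
      HOST_ROOT_PATH: "${HOST_ROOT_PATH:-/host}"
      CONFIG_FILE_PATH: "${CONFIG_FILE_PATH:-/app/config/logviewr.conf}"
      # Timezone — must match the host TZ so Apache/Nginx log timestamps
      # (written in host local time, without TZ info) are parsed correctly.
      # Override via TZ=... in your .env if your host is not in Europe/Paris.
      TZ: "${TZ:-Europe/Paris}"
      # PUBLIC_URL: https://dashboard.example.com
    group_add:
      - "${ADM_GID:-4}"  # adm group (GID 4) — read /var/log files
      # fail2ban group — set by setup script in .env. Required: an unset value
      # stops compose with a clear message instead of passing an empty group.
      - "${FAIL2BAN_GID:?FAIL2BAN_GID must be set in .env by the setup script}"
    volumes:
      - ./data:/app/data  # persistent data (SQLite DB + config)
      # Fail2ban socket — required for ban/unban commands
      # Mounted read-write: whoever controls this container can send commands
      # to the host's fail2ban daemon, so treat access to the UI as privileged.
      - /var/run/fail2ban/fail2ban.sock:/var/run/fail2ban/fail2ban.sock
      # Host filesystem
      # Read-only, but it is the whole host root: every file the container's
      # user and supplementary groups may read is visible under /host.
      # NOTE(review): narrow this to the directories the app needs if the
      # application supports it — confirm against HOST_ROOT_PATH usage.
      - /:/host:ro
      - /proc:/host/proc:ro
      - /sys:/host/sys:ro
      # Optional: enable Fail2ban SQLite VACUUM (rw override for /host/var/lib/fail2ban)
      # - type: bind
      #   source: /var/lib/fail2ban
      #   target: /host/var/lib/fail2ban
      #   bind:
      #     propagation: shared
      # Optional: enable Fail2ban config editing from the UI (jail.local / fail2ban.local)
      # Write access to /etc/fail2ban lets the UI change what the host's
      # fail2ban daemon is configured to do; enable only when access to the UI
      # is tightly restricted.
      # - type: bind
      #   source: /etc/fail2ban
      #   target: /host/etc/fail2ban
      #   bind:
      #     propagation: shared
    healthcheck:
      # Probes the local health endpoint on the same PORT the service listens on.
      test:
        - "CMD"
        - "wget"
        - "--no-verbose"
        - "--tries=1"
        - "--spider"
        - "http://127.0.0.1:${PORT:-7500}/api/health"
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s
    # ⚠️ no security_opt: no-new-privileges — incompatible with sudo (breaks firewall tabs)
    # Consequence: processes in the container can still gain privileges through
    # setuid binaries such as sudo, on top of NET_ADMIN and host networking.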