BBR + FQ & swap script
wget -O box.sh https://raw.githubusercontent.com/BlueSkyXN/SKY-BOX/main/box.sh && chmod +x box.sh && clear && ./box.sh
Install Docker and Docker Compose
curl -fsSL https://get.docker.com -o install-docker.sh \
&& sh -e install-docker.sh \
&& rm -f install-docker.sh
The commands in the collapsed box below are no longer needed (the install script already enables the service and Compose v2 ships as a Docker plugin):
systemctl enable docker
sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
Create the Docker network
docker network create dockernetwork
Creating a dedicated Docker network and attaching containers to it lets NPM reverse-proxy them over the internal network, so the containers themselves never need to be published to the public internet. This improves security.
Update: on a VPS running many containers, consider creating several bridge networks to isolate them from each other.
For example:
docker network create safernet
The NPM configuration should then be:
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
    networks:
      - dockernetwork
      - safernet
networks:
  dockernetwork:
    external: true
  safernet:
    external: true
That is, declare the networks explicitly, both on the service and in the top-level networks section, instead of attaching everything to default.
In addition, once the NPM admin UI on port 81 has itself been reverse-proxied through NPM, it is best to bind it to loopback only:
      - '127.0.0.1:81:81' # Admin Web Port
This combines well with a Cloudflare WAF rule that blocks requests not on your whitelist, for example blocking
For a container that should be isolated, such as vaultwarden, use something like:
services:
  vaultwarden:
    image: vaultwarden/server:latest
    restart: unless-stopped
    container_name: pass
    environment:
      DOMAIN: 'https://vaultwarden.example.com/'
      SIGNUPS_ALLOWED: 'false' # set to 'true' to allow signups; after registering your own account change it back to 'false'
      WEBSOCKET_ENABLED: 'true'
    volumes:
      - ./data:/data
    networks:
      - safernet
networks:
  safernet:
    external: true
For a multi-container project, use something like:
name: lobe-chat-database
services:
  postgresql:
    image: pgvector/pgvector:pg16
    container_name: lobe-postgres
    volumes:
      - './sqldata:/var/lib/postgresql/data'
    environment:
      - 'POSTGRES_DB=lobe'
      - 'POSTGRES_PASSWORD=password' # change this
    healthcheck:
      test: ['CMD-SHELL', 'pg_isready -U postgres']
      interval: 5s
      timeout: 5s
      retries: 5
    restart: always
    networks:
      - internal
  lobe:
    image: lobehub/lobe-chat-database
    container_name: lobe-chat-db
    depends_on:
      - postgresql
    env_file:
      - .env
    restart: always
    environment:
      - 'SEARXNG_URL=http://searxng:8080'
    networks:
      - internal
  searxng:
    image: searxng/searxng
    container_name: lobe-searxng
    volumes:
      - './searxng-settings.yml:/etc/searxng/settings.yml'
    environment:
      - 'SEARXNG_SETTINGS_FILE=/etc/searxng/settings.yml'
    restart: always
    env_file:
      - .env
    networks:
      - internal
      - dockernetwork
volumes:
  sqldata:
    driver: local
networks:
  internal:
  dockernetwork:
    external: true
With this layout, other containers on dockernetwork can no longer reach lobe-postgres directly, as they could with the configuration below. The internal network is created automatically and, combined with name: lobe-chat-database, is named something like lobe-chat-database_internal. If name is not set, the current directory name is used instead, so multiple projects do not collide.
networks:
  default:
    external: true
    name: dockernetwork
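The two sections above (separate bridges for NPM, and a project-scoped internal network for the lobe stack) are easy to get subtly wrong, because a service with no networks: key silently lands on the project default, and a project default aliased to dockernetwork exposes it to everything the proxy can reach. The following audit script is an added example, not code from the original post or from any of the projects it configures. It takes compose definitions as constructed Python dicts equivalent to the YAML above (loading a real file would use yaml.safe_load; PyYAML is deliberately not assumed) and reports which published ports face all interfaces versus loopback, which containers share each actual Docker network name (including the lobe-chat-database_internal naming), and which services bridge the proxy-facing network into a private one. PROXY_NETWORKS is an assumption about which networks NPM is attached to.

```python
"""Audit docker compose definitions for port exposure and network isolation.

Added example, not code from the original post. Compose content is given as
constructed Python dicts equivalent to the post's YAML; loading a real file
would use yaml.safe_load (PyYAML is deliberately not assumed here).
"""
from collections import defaultdict

# Assumption: networks the reverse proxy (NPM) is attached to. Every container on
# one of these can be reached by the proxy, so they form the "semi-trusted" side.
PROXY_NETWORKS = {"dockernetwork"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def published_ports(service):
    """Yield (host_ip, host_port, container_port) for each `ports:` entry.

    Short syntax: "80:80", "127.0.0.1:81:81", "80:80/udp", or just "8080"
    (container port only; docker picks a random host port). Long syntax is a
    dict with target/published/host_ip. No host_ip means bind on all interfaces.
    """
    for entry in service.get("ports", []):
        if isinstance(entry, dict):
            yield (entry.get("host_ip", "0.0.0.0"),
                   str(entry.get("published", "")), str(entry["target"]))
            continue
        parts = str(entry).split("/")[0].split(":")
        if len(parts) == 3:
            yield (parts[0], parts[1], parts[2])
        elif len(parts) == 2:
            yield ("0.0.0.0", parts[0], parts[1])
        else:
            yield ("0.0.0.0", "", parts[0])


def resolve_network(key, compose, project):
    """Map a network key to the docker network name compose would actually use."""
    defn = (compose.get("networks") or {}).get(key) or {}
    if "name" in defn:
        return defn["name"]           # networks: default: name: dockernetwork
    if defn.get("external"):
        return key                    # external networks keep their key as the name
    return f"{project}_{key}"         # project-scoped, e.g. lobe-chat-database_internal


def service_network_keys(service):
    """Network keys a service joins; no `networks:` at all means `default`."""
    nets = service.get("networks")
    if nets is None:
        return {"default"}
    return set(nets)                  # works for both list and mapping forms


def audit(compose, project="app"):
    """Return findings: which ports face the network, and who shares which bridge."""
    project = compose.get("name", project)
    findings = {"public_ports": [], "loopback_ports": [],
                "members": defaultdict(set), "bridging": []}
    for name, svc in compose.get("services", {}).items():
        for host_ip, hport, cport in published_ports(svc):
            bucket = "loopback_ports" if host_ip in LOOPBACK else "public_ports"
            findings[bucket].append((name, host_ip, hport, cport))
        nets = {resolve_network(k, compose, project) for k in service_network_keys(svc)}
        for net in nets:
            findings["members"][net].add(name)
        # A service on both a proxy-facing network and a private one is the only
        # path from the proxy side into that private network: review it explicitly.
        if nets & PROXY_NETWORKS and nets - PROXY_NETWORKS:
            findings["bridging"].append((name, sorted(nets)))
    findings["members"] = {k: sorted(v) for k, v in findings["members"].items()}
    return findings


# Constructed compose definitions mirroring the post's files (hardened NPM variant).
NPM = {
    "services": {"app": {
        "image": "jc21/nginx-proxy-manager:latest",
        "ports": ["80:80", "443:443", "127.0.0.1:81:81"],
        "networks": ["dockernetwork", "safernet"]}},
    "networks": {"dockernetwork": {"external": True}, "safernet": {"external": True}},
}

# Constructed weak variant: no explicit networks, project default aliased to
# dockernetwork, and the web port published on every interface.
VAULTWARDEN_WEAK = {
    "services": {"vaultwarden": {"image": "vaultwarden/server:latest", "ports": ["8080:80"]}},
    "networks": {"default": {"external": True, "name": "dockernetwork"}},
}

LOBE = {
    "name": "lobe-chat-database",
    "services": {
        "postgresql": {"image": "pgvector/pgvector:pg16", "networks": ["internal"]},
        "lobe": {"image": "lobehub/lobe-chat-database", "networks": ["internal"]},
        "searxng": {"image": "searxng/searxng", "networks": ["internal", "dockernetwork"]},
    },
    "networks": {"internal": {}, "dockernetwork": {"external": True}},
}

if __name__ == "__main__":
    for label, compose in (("npm", NPM), ("vaultwarden-weak", VAULTWARDEN_WEAK), ("lobe", LOBE)):
        f = audit(compose)
        print(f"== {label}")
        print("  public ports :", f["public_ports"])
        print("  loopback only:", f["loopback_ports"])
        print("  members      :", f["members"])
        print("  bridging     :", f["bridging"])
```

Running it shows that the weak vaultwarden layout publishes 8080 on 0.0.0.0 and sits on dockernetwork, whereas the lobe stack publishes nothing, keeps lobe-postgres reachable only from lobe-chat-database_internal, and flags searxng as the single service bridging dockernetwork into that internal network. NPM itself is expected to appear as a bridging service, since proxying across networks is its job.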
Install NPM
mkdir docker docker/npm
cd docker/npm
vim docker-compose.yml
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      # These ports are in format <host-port>:<container-port>
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port
      # Add any other Stream port you want to expose
      # - '21:21' # FTP
    # Uncomment the next line if you uncomment anything in the section
    # environment:
      # Uncomment this if you want to change the location of
      # the SQLite DB file within the container
      # DB_SQLITE_FILE: "/data/database.sqlite"
      # Uncomment this if IPv6 is not enabled on your host
      # DISABLE_IPV6: 'true'
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
networks:
  default:
    external: true
    name: dockernetwork
docker compose up -d
Default admin account; log in at ip:81 and change it immediately:
Email: admin@example.com
Password: changeme
Install watchtower
mkdir docker/watchtower
cd docker/watchtower
vim docker-compose.yml
services:
  watchtower:
    image: containrrr/watchtower
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
docker compose up -d
If you need to exclude certain containers, set the label com.centurylinklabs.watchtower.enable to false. To be clear, this label is set on the container you want ignored, not on watchtower itself.
In a Dockerfile:
LABEL com.centurylinklabs.watchtower.enable="false"
With docker run:
docker run -d --label=com.centurylinklabs.watchtower.enable=false someimage
In a compose file:
services:
  someimage:
    container_name: someimage
    labels:
      - "com.centurylinklabs.watchtower.enable=false"