network/docker.md

# Docker Server

## Access

- **Hostname**: DOCKER
- **FQDN**: DOCKER.dohertylan.com
- **IP**: 10.100.0.35 (LAN_100) / 10.50.0.35 (DATA_50) / 10.200.0.35 (IOT_200)
- **OS**: Debian 13 (Trixie) 13.3, kernel 6.12.69+deb13-amd64
- **SSH**: `ssh dohertj2@10.100.0.35` (passwordless) — this is the local machine for Claude Code
- **Docker**: 29.2.1
- **Docker Compose**: v5.0.2

## Hardware (VM on ESXi)

- **CPU**: 22 vCPUs (Intel Xeon E5-2697 v4 @ 2.30GHz)
- **RAM**: 32 GB
- **Disk**: /dev/sda1 999 GB ext4 (930 GB free)

## Network

| Interface | MAC | IP | MTU | Port Group |
|-----------|-----|-----|-----|------------|
| ens192 | 00:0c:29:cf:bb:bb | 10.100.0.35/24 | 1500 | LAN_100 |
| ens256 | 00:0c:29:cf:bb:c5 | 10.50.0.35/24 | 9000 | DATA_50 |
| ens161 | 00:0c:29:cf:bb:cf | 10.200.0.35/24 | 1500 | IOT_200 |

- **Default gateway**: 10.100.0.1 (via ens192)
- **DNS**: 10.100.0.1
- **Domain**: dohertylan.com

### Docker Networks

| Network | Driver |
|---------|--------|
| traefik | bridge |
| semaphore_default | bridge |

## NFS Mounts (via TrueNAS DATA_50)

All mounts use NFS 4.2 with `nconnect=8,_netdev,nofail,x-systemd.automount`.

| Mount Point | NFS Export |
|-------------|-----------|
| /mnt/share | 10.50.0.25:/mnt/mypool/share |
| /mnt/other | 10.50.0.25:/mnt/mypool/Other |

## Reverse Proxy (Traefik)

Traefik handles HTTPS ingress on ports 80/443. All services below are accessed via `*.dohertylan.com` through Traefik, with Authelia providing SSO/2FA.

Cloudflare Companion auto-updates DNS records.

## Docker Containers

All 21 containers running. Most are on the `traefik` network.

### Infrastructure

| Container | Image | URL | Port | Purpose |
|-----------|-------|-----|------|---------|
| traefik | traefik:latest | traefik.dohertylan.com | 80, 443 | Reverse proxy |
| authelia | authelia/authelia:latest | auth.dohertylan.com | 9091 | SSO / 2FA |
| cloudflare-companion | tiredofit/traefik-cloudflare-companion:latest | — | — | Auto DNS updates |
| portainer | portainer/portainer-ce:latest | portainer.dohertylan.com | 9000, 9443 | Docker management UI |
| homepage | ghcr.io/gethomepage/homepage:latest | home.dohertylan.com | 3000 | Dashboard |
| uptime-kuma | louislam/uptime-kuma:latest | uptime.dohertylan.com | 3001 | Uptime monitoring |

### Media Management (Arr Stack)

| Container | Image | URL | Port | Purpose |
|-----------|-------|-----|------|---------|
| sonarr | lscr.io/linuxserver/sonarr:latest | sonarr.dohertylan.com | 8989 | TV show management |
| radarr | lscr.io/linuxserver/radarr:latest | radarr.dohertylan.com | 7878 | Movie management |
| whisparr | ghcr.io/hotio/whisparr:v3 | whisp.dohertylan.com | 6969 | Adult content management |
| prowlarr | lscr.io/linuxserver/prowlarr:latest | prowlarr.dohertylan.com | 9696 | Indexer manager |
| seerr | ghcr.io/seerr-team/seerr:latest | requests.dohertylan.com | 5055 | Media request UI |
| profilarr | santiagosayshey/profilarr:latest | profilarr.dohertylan.com | 6868 | Quality profile sync |
| tautulli | ghcr.io/tautulli/tautulli:latest | tautulli.dohertylan.com | 8181 | Plex analytics |

### Downloads

| Container | Image | URL | Port | Purpose |
|-----------|-------|-----|------|---------|
| nzbget | nzbgetcom/nzbget:latest | nzb.dohertylan.com | 6789 | Usenet downloader |
| gluetun | qmcgaw/gluetun:latest | — | 6881 | VPN container |
| qbittorrent | linuxserver/qbittorrent:latest | — (via gluetun) | — | Torrent client (VPN) |

### Utilities

| Container | Image | URL | Port | Purpose |
|-----------|-------|-----|------|---------|
| microbin | danielszabo99/microbin:latest | bin.dohertylan.com | 8080 | Pastebin |
| ittools | corentinth/it-tools:latest | ittools.dohertylan.com | 80 | IT utilities |
| stash | stashapp/stash:latest | stash.dohertylan.com | 9999 | Media organizer |
| ilo-fan | ilo_fan-ilo-fan | fan.dohertylan.com | 8000 | iLO fan control |

### Automation

| Container | Image | URL | Port | Purpose |
|-----------|-------|-----|------|---------|
| semaphore | semaphoreui/semaphore:latest | http://10.100.0.35:3000 | 3000 | Ansible UI |

### lmxopcua (carry `project=lmxopcua` label)

Stacks under `/opt/otopcua-*/` migrated from the Wonderware dev VM (DESKTOP-6JL3KKO) on 2026-04-28. Discoverable via `docker ps --filter label=project=lmxopcua`. Brought up on demand by the developer from WW via `lmxopcua-fix.ps1` (in `~/bin/` on WW), which SSHes here and runs compose.

| Container/Stack | Image | Port | Purpose |
|---|---|---|---|
| otopcua-mssql (always-on) | mcr.microsoft.com/mssql/server:2022-latest | 14330→1433 | Central config DB for OtOpcUa v2 |
| otopcua-pymodbus-* | otopcua-pymodbus:3.13.0 (local build) | 5020 | Modbus driver test fixture (5 profiles) |
| otopcua-ab-server-* | otopcua-ab-server:libplctag-release (local build) | 44818 | AB CIP driver test fixture (4 profiles) |
| otopcua-python-snap7-* | otopcua-python-snap7:1.0 (local build) | 1102 | S7 driver test fixture |
| otopcua-opc-plc | mcr.microsoft.com/iotedge/opc-plc:2.14.10 | 50000 | OPC UA reference simulator |

## Semaphore / Ansible

- **Semaphore UI**: http://10.100.0.35:3000
- **Data**: `/opt/semaphore/data/database.sqlite`
- **Compose file**: `/opt/semaphore/docker-compose.yml`

### Ansible Playbook

- **Location**: `/home/dohertj2/playbook/`
- **Main playbook**: `/home/dohertj2/playbook/site.yml`
- **Roles**: `/home/dohertj2/playbook/roles/`
- **Import tasks**: `/home/dohertj2/playbook/import/` (radarr, sonarr, nzbget, prowlarr, docker-compose-arr)
- **iLO fan playbook**: `/home/dohertj2/playbook/ilo_fan/`

## Docker Compose Locations

All compose files are under `/opt/<service>/docker-compose.yml`:

```
/opt/traefik/         /opt/portainer/       /opt/homepage/
/opt/sonarr/          /opt/radarr/          /opt/whisparr/
/opt/prowlarr/        /opt/seerr/           /opt/profilarr/
/opt/tautulli/        /opt/nzbget/          /opt/vpn_downloads/
/opt/uptime_kuma/     /opt/stash/           /opt/utilities/
/opt/semaphore/       /opt/ilo_fan/
/opt/otopcua-mssql/   /opt/otopcua-modbus/  /opt/otopcua-abcip/
/opt/otopcua-s7/      /opt/otopcua-opcuaclient/
```