Sanitized mirror from private repository - 2026-04-20 01:32:01 UTC

hosts/synology/atlantis/watchtower.yml

@@ -0,0 +1,148 @@
+# =============================================================================
+# WATCHTOWER - AUTOMATED DOCKER CONTAINER UPDATES
+# =============================================================================
+#
+# SERVICE OVERVIEW:
+# - Automatically updates Docker containers to latest versions
+# - Monitors Docker Hub for image updates every 2 hours
+# - Gracefully restarts containers with new images
+# - Cleans up old images to save disk space
+# - Provides metrics for Prometheus monitoring
+#
+# DISASTER RECOVERY PRIORITY: MEDIUM
+# - Helpful for maintaining updated containers
+# - Not critical for immediate disaster recovery
+# - Can be disabled during recovery operations
+#
+# RECOVERY TIME OBJECTIVE (RTO): 1 hour
+# RECOVERY POINT OBJECTIVE (RPO): N/A (stateless service)
+#
+# DEPENDENCIES:
+# - Docker socket access (read-only)
+# - Network connectivity to Docker Hub
+# - Prometheus network for metrics
+# - Sufficient disk space for image downloads
+#
+# SECURITY CONSIDERATIONS:
+# - Read-only Docker socket access
+# - No new privileges security option
+# - Read-only container filesystem
+# - Automatic cleanup of old images
+#
+# =============================================================================
+
+services:
+  watchtower:
+    # CONTAINER IMAGE:
+    # - containrrr/watchtower:latest: Official Watchtower image
+    # - Community-maintained Docker container updater
+    # - Regular updates with new features and security patches
+    image: containrrr/watchtower:latest
+
+    # CONTAINER IDENTIFICATION:
+    # - WATCHTOWER: Clear identification for logs and monitoring
+    # - watchtower: Internal hostname for service communication
+    container_name: WATCHTOWER
+    hostname: watchtower
+
+    # PORT CONFIGURATION:
+    # - 8082:8080: HTTP API for metrics (8082 to avoid conflicts)
+    # - Allows Prometheus to scrape metrics endpoint
+    ports:
+      - "8082:8080"
+
+    # NETWORK CONFIGURATION:
+    # - prometheus-net: Connected to monitoring network
+    # - Allows Prometheus to scrape metrics
+    # - Isolated from other services for security
+    networks:
+      - prometheus-net
+
+    # RESOURCE ALLOCATION:
+    # - mem_limit: 128MB maximum (lightweight service)
+    # - mem_reservation: 50MB guaranteed memory
+    # - cpu_shares: 256 (low priority, background task)
+    mem_limit: 128m
+    mem_reservation: 50m
+    cpu_shares: 256
+
+    # SECURITY CONFIGURATION:
+    # - no-new-privileges: Prevents privilege escalation
+    # - read_only: Container filesystem is read-only
+    # - Minimal attack surface for automated service
+    security_opt:
+      - no-new-privileges=true
+    read_only: true
+
+    # DOCKER SOCKET ACCESS:
+    # - /var/run/docker.sock: Read-only access to Docker daemon
+    # - Required for monitoring and updating containers
+    # - SECURITY: Read-only prevents malicious container creation
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+
+    environment:
+      # TIMEZONE CONFIGURATION:
+      # - TZ: Timezone for scheduling and logging
+      # - Must match system timezone for accurate scheduling
+      TZ: America/Los_Angeles
+
+      # IMAGE CLEANUP CONFIGURATION:
+      # - WATCHTOWER_CLEANUP: true - Remove old images after updating
+      # - Prevents disk space issues from accumulated old images
+      # - CRITICAL: Saves significant disk space over time
+      WATCHTOWER_CLEANUP: true # Remove old images after updating
+
+      # VOLUME HANDLING:
+      # - WATCHTOWER_REMOVE_VOLUMES: false - Preserve data volumes
+      # - CRITICAL: Prevents data loss during container updates
+      # - Volumes contain persistent application data
+      WATCHTOWER_REMOVE_VOLUMES: false # Remove attached volumes after updating
+
+      # DOCKER API CONFIGURATION:
+      # - DOCKER_API_VERSION: 1.43 - Docker API version compatibility
+      # - Must match or be compatible with Docker daemon version
+      DOCKER_API_VERSION: 1.43 # Synology DSM max supported API version
+
+      # UPDATE BEHAVIOR:
+      # - WATCHTOWER_INCLUDE_RESTARTING: true - Update restarting containers
+      # - WATCHTOWER_INCLUDE_STOPPED: false - Skip stopped containers
+      # - Ensures only active services are automatically updated
+      WATCHTOWER_INCLUDE_RESTARTING: true # Restart containers after update
+      WATCHTOWER_INCLUDE_STOPPED: false # Update stopped containers
+
+      # SCHEDULING CONFIGURATION:
+      # - WATCHTOWER_SCHEDULE: "0 0 */2 * * *" - Every 2 hours
+      # - Cron format: second minute hour day month weekday
+      # - Frequent enough for security updates, not too disruptive
+      WATCHTOWER_SCHEDULE: "0 0 */2 * * *" # Update & Scan containers every 2 hours
+
+      # LABEL-BASED FILTERING:
+      # - WATCHTOWER_LABEL_ENABLE: false - Update all containers
+      # - Alternative: true (only update containers with watchtower labels)
+      WATCHTOWER_LABEL_ENABLE: false
+
+      # RESTART BEHAVIOR:
+      # - WATCHTOWER_ROLLING_RESTART: true - Restart containers one by one
+      # - Minimizes service disruption during updates
+      # - WATCHTOWER_TIMEOUT: 30s - Wait time for graceful shutdown
+      WATCHTOWER_ROLLING_RESTART: false # Disabled due to dependent containers
+      WATCHTOWER_TIMEOUT: 30s
+
+      # MONITORING INTEGRATION:
+      # - WATCHTOWER_HTTP_API_METRICS: true - Enable Prometheus metrics
+      # - WATCHTOWER_HTTP_API_TOKEN: "REDACTED_HTTP_TOKEN" token for metrics endpoint
+      # - Allows monitoring of update frequency and success rates
+      # - HTTP_API_UPDATE disabled to allow scheduled runs
+      WATCHTOWER_HTTP_API_METRICS: true # Metrics for Prometheus
+      WATCHTOWER_HTTP_API_TOKEN: "REDACTED_HTTP_TOKEN" # Token for Prometheus
+
+    # RESTART POLICY:
+    # - on-failure:5: Restart up to 5 times on failure
+    # - Ensures automatic updates continue even after failures
+    # - Prevents infinite restart loops
+    restart: on-failure:5
+
+networks:
+  prometheus-net:
+    external: true