adguard compose

adguard/docker-compose.yml

@@ -0,0 +1,42 @@
+services:
+  adguardhome:
+    image: ${ADGUARD_IMAGE}
+    restart: unless-stopped
+
+    volumes:
+      - ${ADGUARD_WORK_PATH}:/opt/adguardhome/work:Z
+      - ${ADGUARD_CONF_PATH}:/opt/adguardhome/conf:Z
+      - ${ADGUARD_CERT_CRT_PATH}:/certs/adguard.crt:ro,Z
+      - ${ADGUARD_CERT_KEY_PATH}:/certs/adguard.key:ro,Z
+
+    # Solo DNS/DoT expuestos en el host
+    ports:
+      # - "53:53/tcp"
+      # - "53:53/udp"
+      - "${ADGUARD_DOT_PORT}:853/tcp"   # DoT para Android (DNS privado)
+      # - "81:80/tcp"
+
+    networks:
+      proxy:
+        ipv4_address: ${ADGUARD_IPV4}
+
+    labels:
+      traefik.enable: "true"
+      traefik.docker.network: "${TRAEFIK_DOCKER_NETWORK}"
+
+      # Router HTTPS para el panel web
+      traefik.http.routers.adguard.rule: "Host(`${ADGUARD_DOMAIN}`)"
+      traefik.http.routers.adguard.entrypoints: "${TRAEFIK_ENTRYPOINT_SECURE}"
+      traefik.http.routers.adguard.tls.certresolver: "${TRAEFIK_CERTRESOLVER}"
+
+      # Panel interno de AdGuard (HTTP en el contenedor)
+      # OJO: si es la primera vez y el panel escucha en 3000, cambia a 3000
+      traefik.http.services.adguard.loadbalancer.server.port: "80"
+
+      # Proteger el panel con Authentik (middleware definido en authentik-server)
+      traefik.http.routers.adguard.middlewares: "${TRAEFIK_AUTH_MIDDLEWARE}"
+
+networks:
+  proxy:
+    external: true
+

adguard/stack.env

@@ -0,0 +1,16 @@
+##### AdGuard #####
+ADGUARD_IMAGE=
+ADGUARD_WORK_PATH=
+ADGUARD_CONF_PATH=
+ADGUARD_CERT_CRT_PATH=
+ADGUARD_CERT_KEY_PATH=
+ADGUARD_DOT_PORT=
+ADGUARD_IPV4=
+
+##### Traefik / red #####
+TRAEFIK_DOCKER_NETWORK=
+ADGUARD_DOMAIN=
+TRAEFIK_ENTRYPOINT_SECURE=
+TRAEFIK_CERTRESOLVER=
+TRAEFIK_AUTH_MIDDLEWARE=
+