node is host

2022-11-29 16:22:35 +00:00 · 2022-11-29 16:22:35 +00:00 · b938dd0ffd
parent 2b20a33133
commit b938dd0ffd
105 changed files with 687 additions and 704 deletions
--- a/.env.dist
+++ b/.env.dist
@ -1,3 +1,2 @@
-APP_LOAD=myos
-APP_NAME=myos
 DOMAIN=localhost
+STACK=
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,9 @@
 # CHANGELOG

+## v1.0-alpha - 2022-11-29
+
+* node is host
+
 ## v0.9.9 - 2022-11-22

 * node name is `hostname`
@ -15,7 +19,6 @@ Beta release, welcome ipfs
 * add arm64 support
 * add ipfs stack
 * add x2go with ssh ecryptfs homedir
-* add zen stack
 * update docker-compose to v2.5.0

 ## v0.1-alpha - 2021-07-14
@ -29,12 +32,10 @@ Public release, code is doc
 Initial import

 * import previous `infra` project
-* remove any reference to previous project
 * rename project to myos - make your own stack

 ## 2020

-* integration with drone.io
 * makefile can be included in any project
 * multi user/environment

--- a/README.md
+++ b/README.md
@ -46,13 +46,13 @@ help                                    This help
 $ make bootstrap DOMAIN=domain.tld STACK=default
 ```

-* Start myos stack `node`
+* Start myos stack `host`

 ```shell
-$ make node
+$ make host
 ```

-`make node` starts the stack `node` with docker host services :
+`make host` starts the stack `host` with docker host services :
 - consul (service discovery)
 - fabio (load balancer)
 - registrator (docker/consul bridge)
@ -127,33 +127,33 @@ acme.${DOMAIN}.                 IN NS ${DOMAIN}.
 This will point domain ${DOMAIN} to the IP address ${DOCKER_HOST_INET4} of this server, and point all subdomains *.{DOMAIN} to the ip address pointed by ${DOMAIN}.

 At this point, you should be able to generate a valid certificate for *.${DOMAIN} using certbot [dns standalone](https://github.com/siilike/certbot-dns-standalone) plugin.
-This task is done automatically when creating the node stack if SETUP_LETSENCRYPT variable is not empty.
+This task is done automatically when creating the host stack if SETUP_LETSENCRYPT variable is not empty.

-If you already launched myos node stack before, the ${DOMAIN} certificates has been automatically generated by openssl and you should remove them before trying to generate them with letsencrypt.
+If you already launched myos host stack before, the ${DOMAIN} certificates has been automatically generated by openssl and you should remove them before trying to generate them with letsencrypt.

 ```
-$ make node-down
-$ docker volume rm node_myos
+$ make host-down
+$ docker volume rm $(hostname)
 ```

 You can then test the letsencrypt certificate generation using DEBUG mode that force to use the letsencrypt staging server.

 ```
-$ make node SETUP_LETSENCRYPT=true DEBUG=true
+$ make host SETUP_LETSENCRYPT=true DEBUG=true
 ```

 If letsencrypt certificate generation fails, you can retry the generation of a staging certificate.

 ```
-$ make node-certbot-staging
+$ make host-certbot-staging
 ```

 Once the certificate generation is working, you can ask for a valid certificate.

 ```
-$ make node-down
-$ docker volume rm node_myos
-$ make node SETUP_LETSENCRYPT=true
+$ make host-down
+$ docker volume rm $(hostname)
+$ make host SETUP_LETSENCRYPT=true
 ```

 ### Debug
@ -165,7 +165,7 @@ $ make config
 ```

 `make config` show docker compose yaml config for stack `STACK`
-`make node-config` show docker compose yaml config for stack `node`
+`make host-config` show docker compose yaml config for stack `host`
 `make user-config` show docker compose yaml config for stack `User`
 `make stack-elastic-config` show docker compose yaml config for stack `elastic`

--- a/docker/prometheus/prometheus/Dockerfile
+++ b/docker/prometheus/prometheus/Dockerfile
@ -8,8 +8,8 @@ CMD []

 FROM dist as master
 ARG DOCKER_BUILD_DIR
-ARG MONITORING_PRIMARY_TARGETS_BLACKBOX
-ARG MONITORING_SECONDARY_TARGETS_BLACKBOX
+ARG BLACKBOX_PRIMARY_TARGETS
+ARG BLACKBOX_SECONDARY_TARGETS

 COPY ${DOCKER_BUILD_DIR}/prometheus.tmpl /etc/prometheus/prometheus.tmpl
 COPY ${DOCKER_BUILD_DIR}/alert-rules.yml /etc/prometheus/alert-rules.yml
@ -17,5 +17,5 @@ COPY ${DOCKER_BUILD_DIR}/alert-rules.yml /etc/prometheus/alert-rules.yml
 # Creating the config file.
 # The last -e instruction cleans the file from quotes in the lists
 RUN sed \
-    -e 's|MONITORING_PRIMARY_TARGETS_BLACKBOX|'"        - ${MONITORING_PRIMARY_TARGETS_BLACKBOX// /\\n        - }"'|; s|MONITORING_SECONDARY_TARGETS_BLACKBOX|'"        - ${MONITORING_SECONDARY_TARGETS_BLACKBOX// /\\n        - }"'|' \
+    -e 's|BLACKBOX_PRIMARY_TARGETS|'"        - ${BLACKBOX_PRIMARY_TARGETS// /\\n        - }"'|; s|BLACKBOX_SECONDARY_TARGETS|'"        - ${BLACKBOX_SECONDARY_TARGETS// /\\n        - }"'|' \
    /etc/prometheus/prometheus.tmpl > /etc/prometheus/prometheus.yml
--- a/docker/prometheus/prometheus/prometheus.tmpl
+++ b/docker/prometheus/prometheus/prometheus.tmpl
@ -59,7 +59,7 @@ scrape_configs:

    static_configs:
      - targets:
-MONITORING_PRIMARY_TARGETS_BLACKBOX
+BLACKBOX_PRIMARY_TARGETS

    relabel_configs:
      - source_labels: [__address__]
@ -89,7 +89,7 @@ MONITORING_PRIMARY_TARGETS_BLACKBOX

    static_configs:
      - targets:
-MONITORING_SECONDARY_TARGETS_BLACKBOX
+BLACKBOX_SECONDARY_TARGETS

    relabel_configs:
      - source_labels: [__address__]
--- a/make/apps/common.mk
+++ b/make/apps/common.mk
@ -101,10 +101,10 @@ exec@%: SERVICE ?= $(DOCKER_SERVICE)
 exec@%:
 	$(call make,ssh-exec,$(MYOS),APP ARGS SERVICE)

-# target force-%: Fire targets %, stack-user-% and stack-node-%
+# target force-%: Fire targets %, stack-user-% and stack-host-%
 # on local host
 .PHONY: force-%
-force-%: % stack-user-% stack-node-%;
+force-%: % stack-user-% stack-host-%;

 # target install app-install: Install application
 # on local host
@ -177,7 +177,7 @@ run@%:
 .PHONY: scale
 scale: docker-compose-scale ## Scale SERVICE application to NUM dockers

-# target shutdown: remove application, node and user dockers
+# target shutdown: remove application, host and user dockers
 # on local host
 .PHONY: shutdown
 shutdown: force-down ## Shutdown all dockers
@ -197,14 +197,14 @@ stack:
 # target stack-%: Call docker-compose-% target on STACK
 ## it splits % on dashes and extracts stack from the beginning and command from
 ## the last part of %
-## ex: stack-node-up will fire the docker-compose-up target in the node stack
+## ex: stack-host-up will fire the docker-compose-up target in the host stack
 .PHONY: stack-%
 stack-%:
 	$(eval stack   := $(subst -$(lastword $(subst -, ,$*)),,$*))
 	$(eval command := $(lastword $(subst -, ,$*)))
 	$(if $(findstring -,$*), \
 		$(if $(filter $(command),$(filter-out %-%,$(patsubst docker-compose-%,%,$(filter docker-compose-%,$(MAKE_TARGETS))))), \
-		$(call make,$(command) STACK="$(stack)",,ARGS COMPOSE_IGNORE_ORPHANS DOCKER_COMPOSE_PROJECT_NAME SERVICE User node)))
+		$(call make,$(command) STACK="$(stack)",,ARGS COMPOSE_IGNORE_ORPHANS DOCKER_COMPOSE_PROJECT_NAME SERVICE User host)))

 # target start app-start: Start application dockers
 # on local host
--- a/make/apps/def.docker.mk
+++ b/make/apps/def.docker.mk
@ -20,7 +20,7 @@ CONTEXT_DEBUG                   += DOCKER_BUILD_TARGET DOCKER_COMPOSE_PROJECT_NA
 DOCKER_AUTHOR                   ?= $(DOCKER_AUTHOR_NAME) <$(DOCKER_AUTHOR_EMAIL)>
 DOCKER_AUTHOR_EMAIL             ?= $(subst +git,+docker,$(GIT_AUTHOR_EMAIL))
 DOCKER_AUTHOR_NAME              ?= $(GIT_AUTHOR_NAME)
-DOCKER_BUILD_ARGS               ?= $(if $(filter true,$(DOCKER_BUILD_NO_CACHE)),--pull --no-cache) $(foreach var,$(DOCKER_BUILD_VARS),$(if $($(var)),--build-arg $(var)='$($(var))')) --build-arg GID='$(if $(filter node,$(firstword $(subst /, ,$(STACK)))),$(NODE_GID),$(GID))' --build-arg UID='$(if $(filter node,$(firstword $(subst /, ,$(STACK)))),$(NODE_UID),$(UID))'
+DOCKER_BUILD_ARGS               ?= $(if $(filter true,$(DOCKER_BUILD_NO_CACHE)),--pull --no-cache) $(foreach var,$(DOCKER_BUILD_VARS),$(if $($(var)),--build-arg $(var)='$($(var))')) --build-arg GID='$(if $(filter host,$(firstword $(subst /, ,$(STACK)))),$(HOST_GID),$(GID))' --build-arg UID='$(if $(filter host,$(firstword $(subst /, ,$(STACK)))),$(HOST_UID),$(UID))'
 DOCKER_BUILD_CACHE              ?= true
 DOCKER_BUILD_LABEL              ?= $(foreach var,$(filter $(BUILD_LABEL_VARS),$(MAKE_FILE_VARS)),$(if $($(var)),--label $(var)='$($(var))'))
 DOCKER_BUILD_NO_CACHE           ?= false
@ -30,7 +30,7 @@ DOCKER_BUILD_TARGETS            ?= $(ENV_DEPLOY)
 DOCKER_BUILD_VARS               ?= APP BRANCH COMPOSE_VERSION DOCKER_GID DOCKER_MACHINE DOCKER_REPOSITORY DOCKER_SYSTEM GIT_AUTHOR_EMAIL GIT_AUTHOR_NAME SSH_REMOTE_HOSTS USER VERSION
 DOCKER_COMPOSE                  ?= $(if $(DOCKER_RUN),docker/compose:$(COMPOSE_VERSION),$(or $(shell docker compose >/dev/null 2>&1 && printf 'docker compose\n'),docker-compose)) $(COMPOSE_ARGS)
 DOCKER_COMPOSE_DOWN_OPTIONS     ?=
-DOCKER_COMPOSE_PROJECT_NAME     ?= $(if $(filter node,$(firstword $(subst /, ,$(STACK)))),$(NODE_COMPOSE_PROJECT_NAME),$(if $(filter User,$(firstword $(subst /, ,$(STACK)))),$(USER_COMPOSE_PROJECT_NAME)))
+DOCKER_COMPOSE_PROJECT_NAME     ?= $(if $(filter host,$(firstword $(subst /, ,$(STACK)))),$(HOST_COMPOSE_PROJECT_NAME),$(if $(filter User,$(firstword $(subst /, ,$(STACK)))),$(USER_COMPOSE_PROJECT_NAME)))
 DOCKER_COMPOSE_RUN_OPTIONS      ?= --rm
 DOCKER_COMPOSE_SERVICE_NAME     ?= $(subst _,-,$(DOCKER_COMPOSE_PROJECT_NAME))
 DOCKER_COMPOSE_UP_OPTIONS       ?= -d
--- a/make/apps/def.mk
+++ b/make/apps/def.mk
@ -15,6 +15,7 @@ APP_REQUIRED                    ?= $(APP_REPOSITORY)
 APP_SCHEME                      ?= https
 APP_UPSTREAM_REPOSITORY         ?= $(or $(shell git config --get remote.upstream.url 2>/dev/null),$(GIT_UPSTREAM_REPOSITORY))
 APP_URI                         ?= $(APP_HOST)/$(APP_PATH)
+APP_URIS                        ?= $(APP_URI)
 APP_URL                         ?= $(APP_SCHEME)://$(APP_URI)
 CMDARGS                         += exec exec:% exec@% run run:% run@%
 CONTEXT                         += APP APPS BRANCH DOMAIN VERSION RELEASE
--- a/make/apps/docker.mk
+++ b/make/apps/docker.mk
@ -9,10 +9,9 @@ docker-build: docker-images-myos
 # target docker-build-%: Call docker-build for each Dockerfile in docker/% folder
 .PHONY: docker-build-%
 docker-build-%:
-	if grep -q DOCKER_REPOSITORY docker/$*/Dockerfile 2>/dev/null; then $(eval DOCKER_BUILD_ARGS:=$(subst $(DOCKER_REPOSITORY),$(USER_DOCKER_REPOSITORY),$(DOCKER_BUILD_ARGS))) true; fi
 	$(if $(wildcard docker/$*/Dockerfile),$(call docker-build,docker/$*))
 	$(if $(findstring :,$*),$(eval DOCKER_FILE := $(wildcard docker/$(subst :,/,$*)/Dockerfile)),$(eval DOCKER_FILE := $(wildcard docker/$*/*/Dockerfile)))
-	$(foreach dockerfile,$(DOCKER_FILE),$(call docker-build,$(dir $(dockerfile)),$(DOCKER_REPOSITORY)/$(word 2,$(subst /, ,$(dir $(dockerfile)))):$(lastword $(subst /, ,$(dir $(dockerfile)))),"") && true)
+	$(foreach dockerfile,$(DOCKER_FILE),$(call docker-build,$(dir $(dockerfile)),$(DOCKER_REPOSITORY)/$(word 2,$(subst /, ,$(dir $(dockerfile)))):$(lastword $(subst /, ,$(dir $(dockerfile)))),""))

 # target docker-commit: Call docker-commit for each SERVICES
 .PHONY: docker-commit
--- a/make/apps/myos/def.ufw.mk
+++ b/make/apps/myos/def.ufw.mk
@ -7,7 +7,7 @@ ifeq ($(SETUP_UFW),true)
 define ufw
 	$(call INFO,ufw,$(1)$(comma))
 	$(call app-bootstrap,ufw-docker)
-	$(eval COMPOSE_PROJECT_NAME := $(NODE_COMPOSE_PROJECT_NAME))
+	$(eval COMPOSE_PROJECT_NAME := $(HOST_COMPOSE_PROJECT_NAME))
 	$(call app-exec,,$(if $(DOCKER_RUN),,$(SUDO)) ufw $(1))
 endef

@ -15,7 +15,7 @@ endef
 define ufw-docker
 	$(call INFO,ufw-docker,$(1)$(comma))
 	$(call app-bootstrap,ufw-docker)
-	$(eval COMPOSE_PROJECT_NAME := $(NODE_COMPOSE_PROJECT_NAME))
+	$(eval COMPOSE_PROJECT_NAME := $(HOST_COMPOSE_PROJECT_NAME))
 	$(call app-exec,,$(if $(DOCKER_RUN),,$(SUDO)) ufw-docker $(1))
 endef

--- a/make/apps/myos/setup.mk
+++ b/make/apps/myos/setup.mk
@ -43,7 +43,7 @@ setup-ufw:
 ifeq ($(SETUP_UFW),true)
 	$(call app-install,$(SETUP_UFW_REPOSITORY))
 	$(call app-bootstrap,$(lastword $(subst /, ,$(SETUP_UFW_REPOSITORY))))
-	$(eval COMPOSE_PROJECT_NAME := $(NODE_COMPOSE_PROJECT_NAME))
+	$(eval COMPOSE_PROJECT_NAME := $(HOST_COMPOSE_PROJECT_NAME))
 	$(call app-build)
 	$(eval DOCKER_RUN_OPTIONS := --rm --cap-add NET_ADMIN -v /etc/ufw:/etc/ufw --network host)
 	$(call app-up)
--- a/make/apps/myos/ufw.mk
+++ b/make/apps/myos/ufw.mk
@ -26,7 +26,7 @@ ufw-update: debug-UFW_UPDATE
 	  ) \
 	)

-## ex: ufw-node-update will update ufw rules for stack node
+## ex: ufw-host-update will update ufw rules for stack host
 .PHONY: stack-%
 ufw-%:
 	$(eval stack   := $(subst -$(lastword $(subst -, ,$*)),,$*))
--- a/make/def.docker.mk
+++ b/make/def.docker.mk
@ -16,13 +16,13 @@ DOCKER_RUN_OPTIONS              += --rm --network $(DOCKER_NETWORK)
 DOCKER_RUN_VOLUME               += -v /var/run/docker.sock:/var/run/docker.sock
 DOCKER_RUN_WORKDIR              ?= -w $(PWD)
 DOCKER_SYSTEM                   ?= $(shell docker run --rm alpine uname -s 2>/dev/null)
-ENV_VARS                        += DOCKER_MACHINE DOCKER_NETWORK DOCKER_NETWORK_PRIVATE DOCKER_NETWORK_PUBLIC DOCKER_SYSTEM NODE_COMPOSE_PROJECT_NAME NODE_COMPOSE_SERVICE_NAME NODE_DOCKER_REPOSITORY NODE_DOCKER_VOLUME NODE_GID NODE_UID USER_COMPOSE_PROJECT_NAME USER_COMPOSE_SERVICE_NAME USER_DOCKER_IMAGE USER_DOCKER_NAME USER_DOCKER_REPOSITORY USER_DOCKER_VOLUME
-NODE_COMPOSE_PROJECT_NAME       ?= $(HOSTNAME)
-NODE_COMPOSE_SERVICE_NAME       ?= $(subst _,-,$(NODE_COMPOSE_PROJECT_NAME))
-NODE_DOCKER_REPOSITORY          ?= $(subst -,/,$(subst _,/,$(NODE_COMPOSE_PROJECT_NAME)))
-NODE_DOCKER_VOLUME              ?= $(NODE_COMPOSE_PROJECT_NAME)
-NODE_GID                        ?= 100
-NODE_UID                        ?= 123
+ENV_VARS                        += DOCKER_MACHINE DOCKER_NETWORK DOCKER_NETWORK_PRIVATE DOCKER_NETWORK_PUBLIC DOCKER_SYSTEM HOST_COMPOSE_PROJECT_NAME HOST_COMPOSE_SERVICE_NAME HOST_DOCKER_REPOSITORY HOST_DOCKER_VOLUME HOST_GID HOST_UID USER_COMPOSE_PROJECT_NAME USER_COMPOSE_SERVICE_NAME USER_DOCKER_IMAGE USER_DOCKER_NAME USER_DOCKER_REPOSITORY USER_DOCKER_VOLUME
+HOST_COMPOSE_PROJECT_NAME       ?= $(HOSTNAME)
+HOST_COMPOSE_SERVICE_NAME       ?= $(subst _,-,$(HOST_COMPOSE_PROJECT_NAME))
+HOST_DOCKER_REPOSITORY          ?= $(subst -,/,$(subst _,/,$(HOST_COMPOSE_PROJECT_NAME)))
+HOST_DOCKER_VOLUME              ?= $(HOST_COMPOSE_PROJECT_NAME)
+HOST_GID                        ?= 100
+HOST_UID                        ?= 123
 RESU_DOCKER_REPOSITORY          ?= $(subst -,/,$(subst _,/,$(USER_COMPOSE_PROJECT_NAME)))
 USER_COMPOSE_PROJECT_NAME       ?= $(strip $(RESU))
 USER_COMPOSE_SERVICE_NAME       ?= $(subst _,-,$(subst .,-,$(USER_COMPOSE_PROJECT_NAME)))
--- a/make/def.mk
+++ b/make/def.mk
@ -68,6 +68,7 @@ GIT_UPSTREAM_USER               ?= $(lastword $(subst /, ,$(call pop,$(MYOS_REPO
 GIT_USER                        ?= $(USER)
 GIT_VERSION                     ?= $(shell git describe --tags $(BRANCH) 2>/dev/null || git rev-parse $(BRANCH) 2>/dev/null)
 GROUP                           ?= $(shell id -ng 2>/dev/null)
+HOST                            ?= $(HOSTNAME).$(DOMAIN)
 HOSTNAME                        ?= $(call LOWERCASE,$(shell hostname 2>/dev/null |sed 's/\..*//'))
 IGNORE_DRYRUN                   ?= false
 IGNORE_VERBOSE                  ?= false
--- a/stack/User/User.mk
+++ b/stack/User/User.mk
--- a/stack/User/ipfs.mk
+++ b/stack/User/ipfs.mk
@ -1,4 +1,4 @@
 ENV_VARS                                  += USER_IPFS_API_HTTPHEADERS_ACA_ORIGIN USER_IPFS_SERVICE_5001_TAGS USER_IPFS_SERVICE_8080_TAGS
 USER_IPFS_API_HTTPHEADERS_ACA_ORIGIN      ?= ["https://ipfs.$(user_domain).$(DOMAIN)"]
-USER_IPFS_SERVICE_5001_TAGS               ?= urlprefix-ipfs.$(user_domain).$(DOMAIN)/api/
+USER_IPFS_SERVICE_5001_TAGS               ?= $(if $(filter localhost,$(DOMAIN)),urlprefix-ipfs.$(user_domain).$(DOMAIN)/api/)
 USER_IPFS_SERVICE_8080_TAGS               ?= urlprefix-ipfs.$(user_domain).$(DOMAIN)/
--- a/stack/cloud/.env.dist
+++ b/stack/cloud/.env.dist
@ -1,5 +0,0 @@
-NEXTCLOUD_MYSQL_DATABASE=${USER}-nextcloud-${ENV}
-NEXTCLOUD_MYSQL_HOST=mysql
-NEXTCLOUD_MYSQL_PASSWORD=nextcloud
-NEXTCLOUD_MYSQL_USER=${USER}-nextcloud-${ENV}
-NEXTCLOUD_SERVICE_80_TAGS=urlprefix-nextcloud.${APP_DOMAIN}/
--- a/stack/cloud/nextcloud.mk
+++ b/stack/cloud/nextcloud.mk
@ -0,0 +1,5 @@
+ENV_VARS                                  += NEXTCLOUD_MYSQL_DATABASE NEXTCLOUD_MYSQL_USER NEXTCLOUD_SERVICE_80_TAGS
+NEXTCLOUD_SERVICE_80_TAGS                 ?= $(patsubst %,urlprefix-%,$(NEXTCLOUD_SERVICE_80_URIS))
+NEXTCLOUD_SERVICE_80_URIS                 ?= $(patsubst %,nextcloud.%,$(APP_URIS))
+NEXTCLOUD_MYSQL_DATABASE                  ?= $(COMPOSE_SERVICE_NAME)-nextcloud
+NEXTCLOUD_MYSQL_USER                      ?= $(NEXTCLOUD_MYSQL_DATABASE)
--- a/stack/cloud/nextcloud.yml
+++ b/stack/cloud/nextcloud.yml
@ -4,14 +4,14 @@ services:
  nextcloud:
    image: nextcloud:production-apache
    environment:
-    - MYSQL_DATABASE=${NEXTCLOUD_MYSQL_DATABASE}
-    - MYSQL_HOST=${NEXTCLOUD_MYSQL_HOST}
-    - MYSQL_PASSWORD=${NEXTCLOUD_MYSQL_PASSWORD}
-    - MYSQL_USER=${NEXTCLOUD_MYSQL_USER}
+    - MYSQL_DATABASE=${NEXTCLOUD_MYSQL_DATABASE:-nextcloud}
+    - MYSQL_HOST=${NEXTCLOUD_MYSQL_HOST:-mysql}
+    - MYSQL_PASSWORD=${NEXTCLOUD_MYSQL_PASSWORD:-nextcloud}
+    - MYSQL_USER=${NEXTCLOUD_MYSQL_USER:-nextcloud}
    labels:
    - SERVICE_80_CHECK_TCP=true
    - SERVICE_80_NAME=${COMPOSE_SERVICE_NAME}-nextcloud-80
-    - SERVICE_80_TAGS=${NEXTCLOUD_SERVICE_80_TAGS}
+    - SERVICE_80_TAGS=${NEXTCLOUD_SERVICE_80_TAGS:-}
    networks:
    - private
    - public
--- a/stack/drone.mk
+++ b/stack/drone.mk
@ -1 +0,0 @@
-drone                           ?= drone/drone drone/drone-runner-docker drone/gc
--- a/stack/drone/.env.dist
+++ b/stack/drone/.env.dist
@ -1,9 +0,0 @@
-DRONE_GITHUB_CLIENT_ID=github_client_id
-DRONE_GITHUB_CLIENT_SECRET=github_client_secret
-DRONE_RPC_SECRET=drone_rpc_secret
-DRONE_RUNNER_CAPACITY=1
-DRONE_SERVER_HOST=drone.${APP_DOMAIN}
-DRONE_SERVER_PROTO=http
-DRONE_SERVER_SERVICE_80_TAGS=urlprefix-${DRONE_SERVER_HOST}/
-DRONE_USER_CREATE=username:gitaccount,admin:true
-DRONE_USER_FILTER=gitaccount
--- a/stack/drone/drone-runner-docker.yml
+++ b/stack/drone/drone-runner-docker.yml
@ -6,10 +6,10 @@ services:
    - drone
    environment:
    - DRONE_RPC_SECRET=${DRONE_RPC_SECRET}
-    - DRONE_RPC_HOST=drone
-    - DRONE_RPC_PROTO=http
-    - DRONE_RUNNER_CAPACITY=${DRONE_RUNNER_CAPACITY}
-    - DRONE_RUNNER_NAME=${HOSTNAME}
+    - DRONE_RPC_HOST=${DRONE_RPC_HOST:-drone}
+    - DRONE_RPC_PROTO=${DRONE_RPC_PROTO:-http}
+    - DRONE_RUNNER_CAPACITY=${DRONE_RUNNER_CAPACITY:-1}
+    - DRONE_RUNNER_NAME=${DRONE_RUNNER_NAME:-drone-runner}
    labels:
    - SERVICE_3000_IGNORE=true
    networks:
--- a/stack/drone/drone.mk
+++ b/stack/drone/drone.mk
@ -0,0 +1,8 @@
+drone                                     ?= drone/drone drone/drone-runner-docker drone/gc
+DRONE_RUNNER_NAME                         ?= drone-runner.${APP_HOST}
+DRONE_SERVER_HOST                         ?= drone.${APP_HOST}
+DRONE_SERVICE_80_TAGS                     ?= $(patsubst %,urlprefix-%,$(DRONE_SERVICE_80_URIS))
+DRONE_SERVICE_80_URIS                     ?= $(patsubst %,drone.%,$(APP_URIS))
+DRONE_USER_CREATE                         ?= $(USER):$(GIT_USER),admin:true
+DRONE_USER_FILTER                         ?= $(GIT_USER)
+ENV_VARS                                  += DRONE_RUNNER_NAME DRONE_SERVER_HOST DRONE_USER_CREATE DRONE_USER_FILTER DRONE_SERVICE_80_TAGS
--- a/stack/drone/drone.yml
+++ b/stack/drone/drone.yml
@ -3,23 +3,23 @@ version: '3.6'
 services:
  drone:
    environment:
-    - DRONE_GIT_ALWAYS_AUTH=false
-    - DRONE_GITHUB_SERVER=https://github.com
+    - DRONE_GIT_ALWAYS_AUTH=${DRONE_GIT_ALWAYS_AUTH:-false}
+    - DRONE_GITHUB_SERVER=${DRONE_GITHUB_SERVER:-https://github.com}
    - DRONE_GITHUB_CLIENT_ID=${DRONE_GITHUB_CLIENT_ID}
    - DRONE_GITHUB_CLIENT_SECRET=${DRONE_GITHUB_CLIENT_SECRET}
-    - DRONE_LOGS_COLOR=true
-    - DRONE_LOGS_PRETTY=true
-    - DRONE_PROMETHEUS_ANONYMOUS_ACCESS=true
+    - DRONE_LOGS_COLOR=${DRONE_LOGS_COLOR:-true}
+    - DRONE_LOGS_PRETTY=${DRONE_LOGS_PRETTY:-true}
+    - DRONE_PROMETHEUS_ANONYMOUS_ACCESS=${DRONE_PROMETHEUS_ANONYMOUS_ACCESS:-true}
    - DRONE_RPC_SECRET=${DRONE_RPC_SECRET}
-    - DRONE_SERVER_HOST=${DRONE_SERVER_HOST}
-    - DRONE_SERVER_PROTO=${DRONE_SERVER_PROTO}
-    - DRONE_TLS_AUTOCERT=true
+    - DRONE_SERVER_HOST=${DRONE_SERVER_HOST:-drone}
+    - DRONE_SERVER_PROTO=${DRONE_SERVER_PROTO:-http}
+    - DRONE_TLS_AUTOCERT=${DRONE_TLS_AUTOCERT:-true}
    - DRONE_USER_CREATE=${DRONE_USER_CREATE}
    - DRONE_USER_FILTER=${DRONE_USER_FILTER}
    labels:
    - SERVICE_80_CHECK_TCP=true
    - SERVICE_80_NAME=${COMPOSE_SERVICE_NAME}-drone-80
-    - SERVICE_80_TAGS=${DRONE_SERVER_SERVICE_80_TAGS}
+    - SERVICE_80_TAGS=${DRONE_SERVICE_80_TAGS:-}
    - SERVICE_443_IGNORE=true
    networks:
     - private
--- a/stack/drone/gc.yml
+++ b/stack/drone/gc.yml
@ -4,8 +4,8 @@ services:
  drone-gc:
    image: drone/gc:latest
    environment:
-    - GC_CACHE=20gb
-    - GC_INTERVAL=5m
+    - GC_CACHE=${DRONE_GC_CACHE:-20gb}
+    - GC_INTERVAL=${DRONE_GC_INTERVAL:-5m}
    networks:
    - private
    restart: always
--- a/stack/elastic.mk
+++ b/stack/elastic.mk
@ -1,11 +0,0 @@
-ELASTICSEARCH_HOST              ?= elasticsearch
-ELASTICSEARCH_PORT              ?= 9200
-ELASTICSEARCH_PROTOCOL          ?= http
-ENV_VARS                        += ELASTICSEARCH_HOST ELASTICSEARCH_PASSWORD ELASTICSEARCH_PORT ELASTICSEARCH_PROTOCOL ELASTICSEARCH_USERNAME 
-
-elastic                         ?= elastic/curator elastic/elasticsearch elastic/kibana
-
-# target elasticsearch-delete-%: delete elasticsearch index %
-.PHONY: elasticsearch-delete-%
-elasticsearch-delete-%:
-	docker ps |awk '$$NF ~ /$(USER)-myos-$(ENV)-elasticsearch/' |sed 's/^.*:\([0-9]*\)->9200\/tcp.*$$/\1/' |while read port; do echo -e "DELETE /$* HTTP/1.0\n\n" |nc localhost $$port; done
--- a/stack/elastic/.env.dist
+++ b/stack/elastic/.env.dist
@ -1,11 +0,0 @@
-APM_SERVER_SERVICE_8200_TAGS=urlprefix-apm.${APP_DOMAIN}/
-CURATOR_LOGFORMAT=default
-CURATOR_LOGLEVEL=INFO
-CURATOR_MASTER_ONLY=False
-CURATOR_TIMEOUT=30
-CURATOR_USE_SSL=False
-ELASTICSEARCH_HOST=elasticsearch
-ELASTICSEARCH_PORT=9200
-ELASTICSEARCH_PROTOCOL=http
-ELASTICSEARCH_SERVICE_9200_TAGS=urlprefix-elasticsearch.${APP_DOMAIN}/
-KIBANA_SERVICE_5601_TAGS=urlprefix-kibana.${APP_DOMAIN}/
--- a/stack/elastic/apm-server-oss.yml
+++ b/stack/elastic/apm-server-oss.yml
@ -8,11 +8,11 @@ services:
      context: ../..
      dockerfile: docker/elastic/apm-server-oss/Dockerfile
    image: ${DOCKER_REPOSITORY}/apm-server-oss:${DOCKER_IMAGE_TAG}
-    command: -c apm-server.yml --strict.perms=false -e -E output.elasticsearch.hosts=["${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}"] -E output.elasticsearch.protocol=${ELASTICSEARCH_PROTOCOL} -E output.elasticsearch.username=${ELASTICSEARCH_USERNAME} -E output.elasticsearch.password=${ELASTICSEARCH_PASSWORD} -E apm-server.register.ingest.pipeline.enabled=false
+    command: -c apm-server.yml --strict.perms=false -e -E output.elasticsearch.hosts=["${ELASTICSEARCH_HOST:-elasticsearch}:${ELASTICSEARCH_PORT:-9200}"] -E output.elasticsearch.protocol=${ELASTICSEARCH_PROTOCOL:-http} -E output.elasticsearch.username=${ELASTICSEARCH_USERNAME} -E output.elasticsearch.password=${ELASTICSEARCH_PASSWORD} -E apm-server.register.ingest.pipeline.enabled=false
    labels:
    - SERVICE_8200_CHECK_HTTP=/
    - SERVICE_8200_NAME=${COMPOSE_SERVICE_NAME}-apm-server-oss-8200
-    - SERVICE_8200_TAGS=${APM_SERVER_SERVICE_8200_TAGS}
+    - SERVICE_8200_TAGS=${APM_SERVER_OSS_SERVICE_8200_TAGS}
    networks:
    - private
    - public
--- a/stack/elastic/apm-server.yml
+++ b/stack/elastic/apm-server.yml
@ -3,7 +3,7 @@ version: '3.6'
 services:
  apm-server:
    image: docker.elastic.co/apm/apm-server:7.4.2
-    command: -c apm-server.yml --strict.perms=false -e -E output.elasticsearch.hosts=["${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}"] -E output.elasticsearch.protocol=${ELASTICSEARCH_PROTOCOL} -E output.elasticsearch.username=${ELASTICSEARCH_USERNAME} -E output.elasticsearch.password=${ELASTICSEARCH_PASSWORD}
+    command: -c apm-server.yml --strict.perms=false -e -E output.elasticsearch.hosts=["${ELASTICSEARCH_HOST:-elasticsearch}:${ELASTICSEARCH_PORT:-9200}"] -E output.elasticsearch.protocol=${ELASTICSEARCH_PROTOCOL:-http} -E output.elasticsearch.username=${ELASTICSEARCH_USERNAME} -E output.elasticsearch.password=${ELASTICSEARCH_PASSWORD}
    labels:
    - SERVICE_8200_CHECK_HTTP=/
    - SERVICE_8200_NAME=${COMPOSE_SERVICE_NAME}-apm-server-8200
@ -12,7 +12,6 @@ services:
      private:
        aliases:
        - apm.${DOCKER_NETWORK_PRIVATE}
-        - apm.elastic.${DOCKER_NETWORK_PRIVATE}
      public:
    ports:
    - 8200
--- a/stack/elastic/curator.yml
+++ b/stack/elastic/curator.yml
@ -8,14 +8,14 @@ services:
      context: ../..
      dockerfile: docker/elastic/curator/Dockerfile
    environment:
-    - DEPLOY=${DEPLOY}
-    - HOSTS=${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_HOST}
-    - LOGFORMAT=${CURATOR_LOGFORMAT}
-    - LOGLEVEL=${CURATOR_LOGLEVEL}
-    - MASTER_ONLY=${CURATOR_MASTER_ONLY}
-    - PORT=${ELASTICSEARCH_PORT}
-    - TIMEOUT=${CURATOR_TIMEOUT}
-    - USE_SSL=${CURATOR_USE_SSL}
+    - DEPLOY=${DEPLOY:-}
+    - HOSTS=${ELASTICSEARCH_PROTOCOL:-http}://${ELASTICSEARCH_HOST:-9200}
+    - LOGFORMAT=${CURATOR_LOGFORMAT:-default}
+    - LOGLEVEL=${CURATOR_LOGLEVEL:-INFO}
+    - MASTER_ONLY=${CURATOR_MASTER_ONLY:-False}
+    - PORT=${ELASTICSEARCH_PORT:-9200}
+    - TIMEOUT=${CURATOR_TIMEOUT:-30}
+    - USE_SSL=${CURATOR_USE_SSL:-False}
    networks:
    - private
    restart: always
--- a/stack/elastic/elastic.mk
+++ b/stack/elastic/elastic.mk
@ -0,0 +1,14 @@
+APM_SERVER_SERVICE_8200_TAGS              ?= $(patsubst %,urlprefix-%,$(APM_SERVER_SERVICE_8200_URIS))
+APM_SERVER_SERVICE_8200_URIS              ?= $(patsubst %,apm-server.%,$(APP_URIS))
+ELASTICSEARCH_SERVICE_9200_TAGS           ?= $(patsubst %,urlprefix-%,$(ELASTICSEARCH_SERVICE_9200_URIS))
+ELASTICSEARCH_SERVICE_9200_URIS           ?= $(patsubst %,elasticsearch.%,$(APP_URIS))
+ENV_VARS                                  += APM_SERVER_SERVICE_8200_TAGS ELASTICSEARCH_SERVICE_9200_TAGS KIBANA_SERVICE_5601_TAGS
+KIBANA_SERVICE_5601_TAGS                  ?= $(patsubst %,urlprefix-%,$(KIBANA_SERVICE_5601_URIS))
+KIBANA_SERVICE_5601_URIS                  ?= $(patsubst %,kibana.%,$(APP_URIS))
+
+elastic                                   ?= elastic/curator elastic/elasticsearch elastic/kibana
+
+# target elasticsearch-delete-%: delete elasticsearch index %
+.PHONY: elasticsearch-delete-%
+elasticsearch-delete-%:
+	docker ps |awk '$$NF ~ /$(COMPOSE_PROJECT_NAME)-elasticsearch/' |sed 's/^.*:\([0-9]*\)->9200\/tcp.*$$/\1/' |while read port; do echo -e "DELETE /$* HTTP/1.0\n\n" |nc localhost $$port; done
--- a/stack/elastic/elasticsearch.yml
+++ b/stack/elastic/elasticsearch.yml
@ -8,7 +8,7 @@ services:
    - xpack.monitoring.enabled=false
    - xpack.graph.enabled=false
    - xpack.watcher.enabled=false
-    - cluster.name=elasticsearch-${ENV}
+    - cluster.name=${COMPOSE_SERVICE_NAME}
    - network.host=0.0.0.0
    - http.cors.enabled=true
    - http.cors.allow-credentials=true
--- a/stack/elastic/kibana-oss.7.4.yml
+++ b/stack/elastic/kibana-oss.7.4.yml
@ -4,6 +4,6 @@ services:
  kibana-oss:
    image: docker.elastic.co/kibana/kibana-oss:7.4.2
    environment:
-    - ELASTICSEARCH_HOSTS="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}"
-    - KIBANA_INDEX=.kibana-oss.${ENV}
-    - SERVER_NAME=kibana.${APP_DOMAIN}
+    - ELASTICSEARCH_HOSTS="${ELASTICSEARCH_PROTOCOL:-http}://${ELASTICSEARCH_HOST:-elasticsearch}:${ELASTICSEARCH_PORT:-9200}"
+    - KIBANA_INDEX=.kibana-oss.${COMPOSE_SERVICE_NAME}
+    - SERVER_NAME=kibana-oss.${APP_HOST}
--- a/stack/elastic/kibana-oss.latest.yml
+++ b/stack/elastic/kibana-oss.latest.yml
@ -4,6 +4,6 @@ services:
  kibana-oss:
    image: docker.elastic.co/kibana/kibana-oss:7.7.1
    environment:
-    - ELASTICSEARCH_HOSTS="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}"
-    - KIBANA_INDEX=.kibana-oss.${ENV}
-    - SERVER_NAME=kibana.${APP_DOMAIN}
+    - ELASTICSEARCH_HOSTS="${ELASTICSEARCH_PROTOCOL:-http}://${ELASTICSEARCH_HOST:-elasticsearch}:${ELASTICSEARCH_PORT:-9200}"
+    - KIBANA_INDEX=.kibana-oss.${COMPOSE_SERVICE_NAME}
+    - SERVER_NAME=kibana-oss.${APP_HOST}
--- a/stack/elastic/kibana-oss.yml
+++ b/stack/elastic/kibana-oss.yml
@ -5,7 +5,7 @@ services:
    labels:
    - SERVICE_5601_CHECK_HTTP=/app/kibana
    - SERVICE_5601_NAME=${COMPOSE_SERVICE_NAME}-kibana-oss-5601
-    - SERVICE_5601_TAGS=${KIBANA_SERVICE_5601_TAGS}
+    - SERVICE_5601_TAGS=${KIBANA_OSS_SERVICE_5601_TAGS}
    networks:
    - private
    - public
--- a/stack/elastic/kibana.5.3.yml
+++ b/stack/elastic/kibana.5.3.yml
@ -4,4 +4,4 @@ services:
  kibana:
    image: docker.elastic.co/kibana/kibana:5.3.3
    environment:
-    - ELASTICSEARCH_URL="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}"
+    - ELASTICSEARCH_URL="${ELASTICSEARCH_PROTOCOL:-http}://${ELASTICSEARCH_HOST:-elasticsearch}:${ELASTICSEARCH_PORT:-9200}"
--- a/stack/elastic/kibana.7.4.yml
+++ b/stack/elastic/kibana.7.4.yml
@ -4,6 +4,6 @@ services:
  kibana:
    image: docker.elastic.co/kibana/kibana:7.4.2
    environment:
-    - ELASTICSEARCH_HOSTS="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}"
-    - KIBANA_INDEX=.kibana.${ENV}
-    - SERVER_NAME=kibana.${APP_DOMAIN}
+    - ELASTICSEARCH_HOSTS="${ELASTICSEARCH_PROTOCOL:-http}://${ELASTICSEARCH_HOST:-elasticsearch}:${ELASTICSEARCH_PORT:-9200}"
+    - KIBANA_INDEX=.kibana.${COMPOSE_SERVICE_NAME}
+    - SERVER_NAME=kibana.${APP_HOST}
--- a/stack/elastic/kibana.latest.yml
+++ b/stack/elastic/kibana.latest.yml
@ -4,6 +4,6 @@ services:
  kibana:
    image: docker.elastic.co/kibana/kibana:7.7.1
    environment:
-    - ELASTICSEARCH_HOSTS="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}"
-    - KIBANA_INDEX=.kibana.${ENV}
-    - SERVER_NAME=kibana.${APP_DOMAIN}
+    - ELASTICSEARCH_HOSTS="${ELASTICSEARCH_PROTOCOL:-http}://${ELASTICSEARCH_HOST:-elasticsearch}:${ELASTICSEARCH_PORT:-9200}"
+    - KIBANA_INDEX=.kibana.${COMPOSE_SERVICE_NAME}
+    - SERVER_NAME=kibana.${APP_HOST}
--- a/stack/elastic/oss.mk
+++ b/stack/elastic/oss.mk
@ -0,0 +1,7 @@
+APM_SERVER_OSS_SERVICE_8200_TAGS          ?= $(patsubst %,urlprefix-%,$(APM_SERVER_OSS_SERVICE_8200_URIS))
+APM_SERVER_OSS_SERVICE_8200_URIS          ?= $(patsubst %,apm-server-oss.%,$(APP_URIS))
+ENV_VARS                                  += APM_SERVER_OSS_SERVICE_8200_TAGS KIBANA_OSS_SERVICE_5601_TAGS
+KIBANA_OSS_SERVICE_5601_TAGS              ?= $(patsubst %,urlprefix-%,$(KIBANA_OSS_SERVICE_5601_URIS))
+KIBANA_OSS_SERVICE_5601_URIS              ?= $(patsubst %,kibana-oss.%,$(APP_URIS))
+
+elastic-oss                               ?= elastic/apm-server-oss elastic/curator elastic/elasticsearch elastic/kibana-oss
--- a/stack/grafana/.env.dist
+++ b/stack/grafana/.env.dist
@ -1,6 +0,0 @@
-GRAFANA_AWS_ACCESS_KEY=${AWS_ACCESS_KEY_ID}
-GRAFANA_AWS_SECRET_KEY=${AWS_SECRET_ACCESS_KEY}
-GRAFANA_MYSQL_DB=grafana
-GRAFANA_MYSQL_PASSWORD=grafana
-GRAFANA_MYSQL_USER=grafana
-GRAFANA_SERVICE_3000_TAGS=urlprefix-grafana.${APP_DOMAIN}/
--- a/stack/grafana/grafana.mk
+++ b/stack/grafana/grafana.mk
@ -0,0 +1,4 @@
+ENV_VARS                                  += GRAFANA_SERVICE_3000_TAGS
+GRAFANA_SERVICE_3000_TAGS                 ?= $(patsubst %,urlprefix-%,$(GRAFANA_SERVICE_3000_URIS))
+GRAFANA_SERVICE_3000_URIS                 ?= $(patsubst %,kibana.%,$(APP_URIS))
+
--- a/stack/grafana/grafana.yml
+++ b/stack/grafana/grafana.yml
@ -4,12 +4,12 @@ services:
  grafana:
    build:
      args:
-      - AWS_ACCESS_KEY=${GRAFANA_AWS_ACCESS_KEY}
-      - AWS_SECRET_KEY=${GRAFANA_AWS_SECRET_KEY}
+      - AWS_ACCESS_KEY=${GRAFANA_AWS_ACCESS_KEY:-${AWS_ACCESS_KEY_ID}}
+      - AWS_SECRET_KEY=${GRAFANA_AWS_SECRET_KEY:-${AWS_SECRET_ACCESS_KEY}}
      - DOCKER_BUILD_DIR=docker/grafana
-      - MYSQL_GRAFANA_DB=${GRAFANA_MYSQL_DB}
-      - MYSQL_GRAFANA_PASSWORD=${GRAFANA_MYSQL_PASSWORD}
-      - MYSQL_GRAFANA_USER=${GRAFANA_MYSQL_USER}
+      - MYSQL_GRAFANA_DB=${GRAFANA_MYSQL_GRAFANA_DB:-grafana}
+      - MYSQL_GRAFANA_PASSWORD=${GRAFANA_MYSQL_GRAFANA_PASSWORD:-grafana}
+      - MYSQL_GRAFANA_USER=${GRAFANA_MYSQL_GRAFANA_USER:-grafana}
      context:  ../..
      dockerfile: docker/grafana/Dockerfile
    environment:
--- a/stack/host/autoheal.yml
+++ b/stack/host/autoheal.yml
@ -2,7 +2,7 @@ version: '3.6'

 services:
  autoheal:
-    container_name: ${NODE_COMPOSE_PROJECT_NAME}-autoheal
+    container_name: ${HOST_COMPOSE_PROJECT_NAME}-autoheal
    image: willfarrell/autoheal:latest
    environment:
    - AUTOHEAL_CONTAINER_LABEL=all
--- a/stack/host/backup/restic.yml
+++ b/stack/host/backup/restic.yml
@ -6,12 +6,12 @@ services:
    hostname: ${HOSTNAME}
    environment:
      BACKUP_CRON: "30 3 * * *"
-      RESTIC_REPOSITORY: ${NODE_RESTIC_REPOSITORY}
-      RESTIC_PASSWORD: ${NODE_RESTIC_PASSWORD}
-      RESTIC_BACKUP_SOURCES: ${NODE_RESTIC_BACKUP_SOURCES:-/var/lib/docker/volumes}
-      RESTIC_BACKUP_TAGS: ${NODE_RESTIC_BACKUP_TAGS:-docker-volumes}
-      RESTIC_FORGET_ARGS: ${NODE_RESTIC_FORGET_ARGS:---prune --keep-last 14 --keep-daily 1}
-      TZ: ${NODE_TZ:-${TZ}}
+      RESTIC_REPOSITORY: ${HOST_RESTIC_REPOSITORY}
+      RESTIC_PASSWORD: ${HOST_RESTIC_PASSWORD}
+      RESTIC_BACKUP_SOURCES: ${HOST_RESTIC_BACKUP_SOURCES:-/var/lib/docker/volumes}
+      RESTIC_BACKUP_TAGS: ${HOST_RESTIC_BACKUP_TAGS:-docker-volumes}
+      RESTIC_FORGET_ARGS: ${HOST_RESTIC_FORGET_ARGS:---prune --keep-last 14 --keep-daily 1}
+      TZ: ${HOST_TZ:-${TZ}}
    volumes:
      - restic:/root/.config
      - /var/lib/docker/volumes:/var/lib/docker/volumes:ro
--- a/stack/host/certbot.mk
+++ b/stack/host/certbot.mk
@ -0,0 +1 @@
+HOST_CERTBOT_UFW_UPDATE                   ?= 53/udp
--- a/stack/host/certbot.yml
+++ b/stack/host/certbot.yml
@ -8,17 +8,17 @@ services:
      context: ../..
      dockerfile: docker/certbot/Dockerfile
    command: start
-    container_name: ${NODE_COMPOSE_PROJECT_NAME}-certbot
-    image: ${NODE_DOCKER_REPOSITORY}/certbot:${DOCKER_IMAGE_TAG}
+    container_name: ${HOST_COMPOSE_PROJECT_NAME}-certbot
+    image: ${HOST_DOCKER_REPOSITORY}/certbot:${DOCKER_IMAGE_TAG}
    network_mode: host
    restart: always
    volumes:
-    - node:/etc/letsencrypt
+    - host:/etc/letsencrypt

 volumes:
-  node:
+  host:
    external: true
-    name: ${NODE_DOCKER_VOLUME}
+    name: ${HOST_DOCKER_VOLUME}

 networks:
  public:
--- a/stack/host/consul.mk
+++ b/stack/host/consul.mk
@ -0,0 +1,5 @@
+ENV_VARS                                  += HOST_CONSUL_ACL_TOKENS_MASTER HOST_CONSUL_HTTP_TOKEN HOST_CONSUL_SERVICE_8500_TAGS
+HOST_CONSUL_ACL_TOKENS_MASTER             ?= 01234567-89ab-cdef-0123-456789abcdef
+HOST_CONSUL_HTTP_TOKEN                    ?= $(HOST_CONSUL_ACL_TOKENS_MASTER)
+HOST_CONSUL_SERVICE_8500_TAGS             ?= urlprefix-consul.${DOMAIN}/
+HOST_CONSUL_UFW_UPDATE                    ?= 8500
--- a/stack/host/consul.yml
+++ b/stack/host/consul.yml
@ -8,20 +8,20 @@ services:
      - DOCKER_BUILD_DIR=docker/consul
      context: ../..
      dockerfile: docker/consul/Dockerfile
-    container_name: ${NODE_COMPOSE_PROJECT_NAME}-consul
-    image: ${NODE_DOCKER_REPOSITORY}/consul:${DOCKER_IMAGE_TAG}
+    container_name: ${HOST_COMPOSE_PROJECT_NAME}-consul
+    image: ${HOST_DOCKER_REPOSITORY}/consul:${DOCKER_IMAGE_TAG}
    environment:
      CONSUL_BIND_INTERFACE: '${DOCKER_HOST_IFACE}'
      CONSUL_CLIENT_INTERFACE: '${DOCKER_HOST_IFACE}'
-      CONSUL_HTTP_TOKEN: '${NODE_CONSUL_HTTP_TOKEN}'
+      CONSUL_HTTP_TOKEN: '${HOST_CONSUL_HTTP_TOKEN}'
      CONSUL_LOCAL_CONFIG: '{ "log_level": "warn"
                            , "enable_script_checks": true
                            , "acl": { "enabled": true
                                     , "default_policy": "deny"
                                     , "down_policy": "extend-cache"
                                     , "enable_token_persistence": true
-                                     , "tokens": { "initial_management": "${NODE_CONSUL_ACL_TOKENS_MASTER}"
-                                                 , "agent": "${NODE_CONSUL_HTTP_TOKEN}"
+                                     , "tokens": { "initial_management": "${HOST_CONSUL_ACL_TOKENS_MASTER}"
+                                                 , "agent": "${HOST_CONSUL_HTTP_TOKEN}"
                                                 }
                                     }
                            }'
@ -31,8 +31,8 @@ services:
    - SERVICE_8301_IGNORE=true
    - SERVICE_8302_IGNORE=true
    - SERVICE_8500_CHECK_HTTP=/v1/health/service/consul
-    - SERVICE_8500_NAME=${NODE_COMPOSE_SERVICE_NAME}-consul-8500
-    - SERVICE_8500_TAGS=${NODE_CONSUL_SERVICE_8500_TAGS}
+    - SERVICE_8500_NAME=${HOST_COMPOSE_SERVICE_NAME}-consul-8500
+    - SERVICE_8500_TAGS=${HOST_CONSUL_SERVICE_8500_TAGS}
    - SERVICE_8600_IGNORE=true
    - SERVICE_ADDRESS=${DOCKER_HOST_INET4}
    network_mode: host
--- a/stack/host/exporter.mk
+++ b/stack/host/exporter.mk
@ -0,0 +1,3 @@
+ENV_VARS                                  += HOST_EXPORTER_CADVISOR_SERVICE_8080_TAGS HOST_EXPORTER_HOST_SERVICE_9100_TAGS
+HOST_EXPORTER_CADVISOR_SERVICE_8080_TAGS  ?= urlprefix-cadvisor-exporter.${DOMAIN}/
+HOST_EXPORTER_HOST_SERVICE_9100_TAGS      ?= urlprefix-node-exporter.${DOMAIN}/
--- a/stack/host/exporter/cadvisor.yml
+++ b/stack/host/exporter/cadvisor.yml
@ -2,13 +2,13 @@ version: '3.6'

 services:
  exporter-cadvisor:
-    container_name: ${NODE_COMPOSE_PROJECT_NAME}-exporter-cadvisor
+    container_name: ${HOST_COMPOSE_PROJECT_NAME}-exporter-cadvisor
    hostname: ${HOSTNAME}
    image: google/cadvisor:latest
    labels:
    - SERVICE_8080_CHECK_TCP=true
-    - SERVICE_8080_NAME=${NODE_COMPOSE_SERVICE_NAME}-exporter-cadvisor-8080
-    - SERVICE_8080_TAGS=${NODE_EXPORTER_CADVISOR_SERVICE_8080_TAGS}
+    - SERVICE_8080_NAME=${HOST_COMPOSE_SERVICE_NAME}-exporter-cadvisor-8080
+    - SERVICE_8080_TAGS=${HOST_EXPORTER_CADVISOR_SERVICE_8080_TAGS}
    - SERVICE_9200_IGNORE=true
    networks:
    - public
--- a/stack/host/exporter/node.yml
+++ b/stack/host/exporter/node.yml
@ -7,13 +7,13 @@ services:
    - "^/(sys|proc|dev|host|etc|rootfs/var/lib/docker/containers|rootfs/var/lib/docker/overlay2|rootfs/run/docker/netns|rootfs/var/lib/docker/aufs)($$|/)"
    - '--path.procfs=/host/proc'
    - '--path.sysfs=/host/sys'
-    container_name: ${NODE_COMPOSE_PROJECT_NAME}-exporter-node
+    container_name: ${HOST_COMPOSE_PROJECT_NAME}-exporter-node
    hostname: ${HOSTNAME}
    image: prom/node-exporter:latest
    labels:
    - SERVICE_9100_CHECK_TCP=true
-    - SERVICE_9100_NAME=${NODE_COMPOSE_SERVICE_NAME}-exporter-node-9100
-    - SERVICE_9100_TAGS=${NODE_EXPORTER_NODE_SERVICE_9100_TAGS}
+    - SERVICE_9100_NAME=${HOST_COMPOSE_SERVICE_NAME}-exporter-node-9100
+    - SERVICE_9100_TAGS=${HOST_EXPORTER_HOST_SERVICE_9100_TAGS}
    networks:
    - public
    ports:
--- a/stack/host/fabio.mk
+++ b/stack/host/fabio.mk
@ -0,0 +1,3 @@
+ENV_VARS                                  += HOST_FABIO_SERVICE_9998_TAGS
+HOST_FABIO_SERVICE_9998_TAGS              ?= urlprefix-fabio.${DOMAIN}/
+HOST_FABIO_UFW_UPDATE                     ?= 80/tcp 443/tcp
--- a/stack/host/fabio.yml
+++ b/stack/host/fabio.yml
@ -10,9 +10,9 @@ services:
      - FABIO_VERSION=1.6.2
      context: ../..
      dockerfile: docker/fabio/Dockerfile
-    container_name: ${NODE_COMPOSE_PROJECT_NAME}-fabio
-    image: ${NODE_DOCKER_REPOSITORY}/fabio:${DOCKER_IMAGE_TAG}
-    command: -registry.backend "consul" -registry.consul.addr "consul:8500" -registry.consul.token "${NODE_CONSUL_HTTP_TOKEN}" -proxy.addr ":80,:443;cs=local" -proxy.cs "cs=local;type=file;cert=/etc/letsencrypt/live/${DOMAIN}/fullchain.pem;key=/etc/letsencrypt/live/${DOMAIN}/privkey.pem"
+    container_name: ${HOST_COMPOSE_PROJECT_NAME}-fabio
+    image: ${HOST_DOCKER_REPOSITORY}/fabio:${DOCKER_IMAGE_TAG}
+    command: -registry.backend "consul" -registry.consul.addr "consul:8500" -registry.consul.token "${HOST_CONSUL_HTTP_TOKEN}" -proxy.addr ":80,:443;cs=local" -proxy.cs "cs=local;type=file;cert=/etc/letsencrypt/live/${DOMAIN}/fullchain.pem;key=/etc/letsencrypt/live/${DOMAIN}/privkey.pem"
    depends_on:
    - consul
    extra_hosts:
@ -20,12 +20,12 @@ services:
    hostname: ${HOSTNAME}
    labels:
    - SERVICE_80_CHECK_TCP=true
-    - SERVICE_80_NAME=${NODE_COMPOSE_SERVICE_NAME}-fabio-80
+    - SERVICE_80_NAME=${HOST_COMPOSE_SERVICE_NAME}-fabio-80
    - SERVICE_443_CHECK_TCP=true
-    - SERVICE_443_NAME=${NODE_COMPOSE_SERVICE_NAME}-fabio-443
+    - SERVICE_443_NAME=${HOST_COMPOSE_SERVICE_NAME}-fabio-443
    - SERVICE_9998_CHECK_HTTP=/routes
-    - SERVICE_9998_NAME=${NODE_COMPOSE_SERVICE_NAME}-fabio-9998
-    - SERVICE_9998_TAGS=${NODE_FABIO_SERVICE_9998_TAGS}
+    - SERVICE_9998_NAME=${HOST_COMPOSE_SERVICE_NAME}-fabio-9998
+    - SERVICE_9998_TAGS=${HOST_FABIO_SERVICE_9998_TAGS}
    - SERVICE_9999_IGNORE=true
    ports:
    - 80:80/tcp
@ -35,12 +35,12 @@ services:
    - public
    restart: always
    volumes:
-    - node:/etc/letsencrypt:ro
+    - host:/etc/letsencrypt:ro

 volumes:
-  node:
+  host:
    external: true
-    name: ${NODE_DOCKER_VOLUME}
+    name: ${HOST_DOCKER_VOLUME}

 networks:
  public:
--- a/stack/host/host.mk
+++ b/stack/host/host.mk
@ -0,0 +1,95 @@
+CMDARGS                         += host-exec stack-host-exec host-exec:% host-exec@% host-run host-run:% host-run@%
+host                            ?= $(patsubst stack/%,%,$(patsubst %.yml,%,$(wildcard stack/host/*.yml)))
+ENV_VARS                        += DOCKER_HOST_IFACE DOCKER_HOST_INET4 DOCKER_INTERNAL_DOCKER_HOST
+SETUP_LETSENCRYPT               ?=
+
+# target bootstrap-stack-host: Fire host-certbot host-ssl-certs
+.PHONY: bootstrap-stack-host
+bootstrap-stack-host: $(if $(SETUP_LETSENCRYPT),host-certbot$(if $(DEBUG),-staging)) host-ssl-certs
+
+# target host: Fire stack-host-up
+.PHONY: host
+host: stack-host-up
+
+# target host-%; Fire target stack-host-%
+.PHONY: host-%
+host-%: stack-host-%;
+
+# target host-ssl-certs: Create invalid ${DOMAIN} certificate files with openssl
+.PHONY: host-ssl-certs
+host-ssl-certs:
+	docker run --rm --mount source=$(HOST_DOCKER_VOLUME),target=/certs alpine \
+	 [ -f /certs/live/$(DOMAIN)/fullchain.pem -a -f /certs/live/$(DOMAIN)/privkey.pem ] \
+	|| $(RUN) docker run --rm \
+	 -e DOMAIN=$(DOMAIN) \
+	 --mount source=$(HOST_DOCKER_VOLUME),target=/certs \
+	 alpine sh -c "\
+	  apk --no-cache add openssl \
+	  && mkdir -p /certs/live/${DOMAIN} \
+	  && { [ -f /certs/live/${DOMAIN}/privkey.pem ] || openssl genrsa -out /certs/live/${DOMAIN}/privkey.pem 2048; } \
+	  && openssl req -key /certs/live/${DOMAIN}/privkey.pem -out /certs/live/${DOMAIN}/cert.pem \
+	   -addext extendedKeyUsage=serverAuth \
+	   -addext subjectAltName=DNS:${DOMAIN},DNS:*.${DOMAIN} \
+	   -subj \"/C=/ST=/L=/O=/CN=${DOMAIN}\" \
+	   -x509 -days 365 \
+	  && rm -f /certs/live/${DOMAIN}/fullchain.pem \
+	  && ln -s cert.pem /certs/live/${DOMAIN}/fullchain.pem \
+	 "
+
+# target host-certbot: Create ${DOMAIN} certificate files with letsencrypt
+.PHONY: host-certbot
+host-certbot: host-docker-build-certbot
+	docker run --rm --mount source=$(HOST_DOCKER_VOLUME),target=/certs alpine \
+	 [ -f /certs/live/$(DOMAIN)/cert.pem -a -f /certs/live/$(DOMAIN)/privkey.pem ] \
+	|| $(RUN) docker run --rm \
+	 --mount source=$(HOST_DOCKER_VOLUME),target=/etc/letsencrypt/ \
+	 --mount source=$(HOST_DOCKER_VOLUME),target=/var/log/letsencrypt/ \
+	 -e DOMAIN=$(DOMAIN) \
+	 --network host \
+	 $(HOST_DOCKER_REPOSITORY)/certbot \
+	  --non-interactive --agree-tos --email hostmaster@$(DOMAIN) certonly \
+	  --preferred-challenges dns --authenticator dns-standalone \
+	  --dns-standalone-address=0.0.0.0 \
+	  --dns-standalone-port=53 \
+	  -d ${DOMAIN} \
+	  -d *.${DOMAIN}
+
+# target host-certbot-certificates: List letsencrypt certificates
+.PHONY: host-certbot-certificates
+host-certbot-certificates: host-docker-build-certbot
+	docker run --rm --mount source=$(HOST_DOCKER_VOLUME),target=/etc/letsencrypt/ $(HOST_DOCKER_REPOSITORY)/certbot certificates
+
+# target host-certbot-renew: Renew letsencrypt certificates
+.PHONY: host-certbot-renew
+host-certbot-renew: host-docker-build-certbot
+	docker run --rm --mount source=$(HOST_DOCKER_VOLUME),target=/etc/letsencrypt/ --network host $(HOST_DOCKER_REPOSITORY)/certbot renew
+
+# target host-certbot-staging: Create staging ${DOMAIN} certificate files with letsencrypt
+.PHONY: host-certbot-staging
+host-certbot-staging: host-docker-build-certbot
+	docker run --rm --mount source=$(HOST_DOCKER_VOLUME),target=/certs alpine \
+	 [ -f /certs/live/$(DOMAIN)/cert.pem -a -f /certs/live/$(DOMAIN)/privkey.pem ] \
+	|| $(RUN) docker run --rm \
+	 --mount source=$(HOST_DOCKER_VOLUME),target=/etc/letsencrypt/ \
+	 --mount source=$(HOST_DOCKER_VOLUME),target=/var/log/letsencrypt/ \
+	 -e DOMAIN=$(DOMAIN) \
+	 --network host \
+	 $(HOST_DOCKER_REPOSITORY)/certbot \
+	  --non-interactive --agree-tos --email hostmaster@$(DOMAIN) certonly \
+	  --preferred-challenges dns --authenticator dns-standalone \
+	  --dns-standalone-address=0.0.0.0 \
+	  --dns-standalone-port=53 \
+	  --staging \
+	  -d ${DOMAIN} \
+	  -d *.${DOMAIN}
+
+# target host-docker-build-%: Build % docker
+.PHONY: host-docker-build-%
+host-docker-build-%:
+	$(call docker-build,docker/$*,host/$*:$(DOCKER_IMAGE_TAG))
+
+# target host-docker-rebuild-%: Rebuild % docker
+.PHONY: host-docker-rebuild-%
+host-docker-rebuild-%:
+	$(call make,host-docker-build-$* DOCKER_BUILD_CACHE=false)
+
--- a/stack/host/ipfs.mk
+++ b/stack/host/ipfs.mk
@ -0,0 +1,4 @@
+ENV_VARS                                  += HOST_IPFS_API_HTTPHEADERS_ACA_ORIGIN HOST_IPFS_SERVICE_5001_TAGS HOST_IPFS_SERVICE_8080_TAGS
+HOST_IPFS_API_HTTPHEADERS_ACA_ORIGIN      ?= ["https://ipfs.$(DOMAIN)"]
+HOST_IPFS_SERVICE_5001_TAGS               ?= urlprefix-ipfs.$(DOMAIN)/api
+HOST_IPFS_SERVICE_8080_TAGS               ?= urlprefix-ipfs.$(DOMAIN)/,urlprefix-*.ipfs.$(DOMAIN),urlprefix-ipns.$(DOMAIN)/,urlprefix-*.ipns.$(DOMAIN)/
--- a/stack/host/ipfs.yml
+++ b/stack/host/ipfs.yml
@ -0,0 +1,96 @@
+version: '3.6'
+
+services:
+  ipfs:
+    build:
+      args:
+      - DOCKER_BUILD_DIR=docker/ipfs
+      - GID=${HOST_GID}
+      - IPFS_VERSION=${IPFS_VERSION}
+      - UID=${HOST_UID}
+      context: ../..
+      dockerfile: docker/ipfs/Dockerfile
+    command: daemon --agent-version-suffix=${HOST_COMPOSE_PROJECT_NAME} ${HOST_IPFS_DAEMON_ARGS:---migrate}
+    container_name: ${HOST_COMPOSE_PROJECT_NAME}-ipfs
+    cpus: 0.5
+    environment:
+    - IPFS_ADDRESSES_API=${HOST_IPFS_ADDRESSES_API:-}
+    - IPFS_ADDRESSES_API_DOMAIN=${HOST_IPFS_ADDRESSES_API_DOMAIN:-${DOCKER_NETWORK_PUBLIC}}
+    - IPFS_ADDRESSES_API_INET4=${HOST_IPFS_ADDRESSES_API_INET4:-}
+    - IPFS_ADDRESSES_API_PORT=${HOST_IPFS_ADDRESSES_API_PORT:-}
+    - IPFS_ADDRESSES_GATEWAY=${HOST_IPFS_ADDRESSES_GATEWAY:-}
+    - IPFS_ADDRESSES_GATEWAY_DOMAIN=${HOST_IPFS_ADDRESSES_GATEWAY_DOMAIN:-}
+    - IPFS_ADDRESSES_GATEWAY_INET4=${HOST_IPFS_ADDRESSES_GATEWAY_INET4:-0.0.0.0}
+    - IPFS_ADDRESSES_GATEWAY_PORT=${HOST_IPFS_ADDRESSES_GATEWAY_PORT:-}
+    - IPFS_ADDRESSES_NOANNOUNCE=${HOST_IPFS_ADDRESSES_NOANNOUNCE:-}
+    - IPFS_API_HTTPHEADERS=${HOST_IPFS_API_HTTPHEADERS:-}
+    - IPFS_API_HTTPHEADERS_ACA_CREDENTIALS=${HOST_IPFS_API_HTTPHEADERS_ACA_CREDENTIALS:-["true"]}
+    - IPFS_API_HTTPHEADERS_ACA_HEADERS=${HOST_IPFS_API_HTTPHEADERS_ACA_HEADERS:-["X-Requested-With", "Range", "User-Agent"]}
+    - IPFS_API_HTTPHEADERS_ACA_METHODS=${HOST_IPFS_API_HTTPHEADERS_ACA_METHODS:-["OPTIONS", "POST"]}
+    - IPFS_API_HTTPHEADERS_ACA_ORIGIN=${HOST_IPFS_API_HTTPHEADERS_ACA_ORIGIN:-}
+    - IPFS_BOOTSTRAP=${HOST_IPFS_BOOTSTRAP:-}
+    - IPFS_DATASTORE_GCPERIOD=${HOST_IPFS_DATASTORE_GCPERIOD:-}
+    - IPFS_DISK_USAGE_PERCENT=${HOST_IPFS_DISK_USAGE_PERCENT:-}
+    - IPFS_EXPERIMENTAL_ACCELERATEDDHTCLIENT=${HOST_IPFS_EXPERIMENTAL_ACCELERATEDDHTCLIENT:-}
+    - IPFS_EXPERIMENTAL_FILESTOREENABLED=${HOST_IPFS_EXPERIMENTAL_FILESTOREENABLED:-}
+    - IPFS_EXPERIMENTAL_GRAPHSYNCENABLED=${HOST_IPFS_EXPERIMENTAL_GRAPHSYNCENABLED:-}
+    - IPFS_EXPERIMENTAL_LIBP2PSTREAMMOUNTING=${HOST_IPFS_EXPERIMENTAL_LIBP2PSTREAMMOUNTING:-}
+    - IPFS_EXPERIMENTAL_P2PHTTPPROXY=${HOST_IPFS_EXPERIMENTAL_P2PHTTPPROXY:-}
+    - IPFS_EXPERIMENTAL_STRATEGICPROVIDING=${HOST_IPFS_EXPERIMENTAL_STRATEGICPROVIDING:-}
+    - IPFS_EXPERIMENTAL_URLSTOREENABLED=${HOST_IPFS_EXPERIMENTAL_URLSTOREENABLED:-}
+    - IPFS_IDENTITY_PEERID=${HOST_IPFS_IDENTITY_PEERID:-}
+    - IPFS_IDENTITY_PRIVKEY=${HOST_IPFS_IDENTITY_PRIVKEY:-}
+    - IPFS_IPNS_REPUBLISHPERIOD=${HOST_IPFS_IPNS_REPUBLISHPERIOD:-}
+    - IPFS_IPNS_RECORDLIFETIME=${HOST_IPFS_IPNS_RECORDLIFETIME:-}
+    - IPFS_IPNS_USEPUBSUB=${HOST_IPFS_IPNS_USEPUBSUB:-true}
+    - IPFS_LOGGING=${HOST_IPFS_LOGGING:-error}
+    - IPFS_NETWORK=${HOST_IPFS_NETWORK:-public}
+    - IPFS_PROFILE=${HOST_IPFS_PROFILE:-${IPFS_PROFILE}}
+    - IPFS_PUBSUB_ENABLE=${HOST_IPFS_PUBSUB_ENABLE:-true}
+    - IPFS_PUBSUB_ROUTER=${HOST_IPFS_PUBSUB_ROUTER:-gossipsub}
+    - IPFS_ROUTING_TYPE=${HOST_IPFS_ROUTING_TYPE:-dht}
+    - IPFS_REPROVIDER_INTERVAL=${HOST_IPFS_REPROVIDER_INTERVAL:-}
+    - IPFS_REPROVIDER_STRATEGY=${HOST_IPFS_REPROVIDER_STRATEGY:-}
+    - IPFS_SWARM_CONNMGR_HIGHWATER=${HOST_IPFS_SWARM_CONNMGR_HIGHWATER:-}
+    - IPFS_SWARM_CONNMGR_LOWWATER=${HOST_IPFS_SWARM_CONNMGR_LOWWATER:-}
+    - IPFS_SWARM_CONNMGR_TYPE=${HOST_IPFS_SWARM_CONNMGR_TYPE:-}
+    - IPFS_SWARM_DISABLENATPORTMAP=${HOST_IPFS_SWARM_DISABLENATPORTMAP:-}
+    - IPFS_SWARM_ENABLEHOLEPUNCHING=${HOST_IPFS_SWARM_ENABLEHOLEPUNCHING:-}
+    - IPFS_SWARM_KEY=${HOST_IPFS_SWARM_KEY:-}
+    - IPFS_SWARM_RELAYCLIENT_ENABLED=${HOST_IPFS_SWARM_RELAYCLIENT_ENABLED:-}
+    - IPFS_SWARM_RELAYSERVICE_ENABLED=${HOST_IPFS_SWARM_RELAYSERVICE_ENABLED:-}
+    - IPFS_SWARM_TRANSPORTS_NETWORK_RELAY=${HOST_IPFS_SWARM_TRANSPORTS_NETWORK_RELAY:-}
+    image: ${HOST_DOCKER_REPOSITORY}/ipfs:${DOCKER_IMAGE_TAG}
+    labels:
+    - SERVICE_4001_CHECK_TCP=true
+    - SERVICE_4001_NAME=${HOST_COMPOSE_SERVICE_NAME}-ipfs-4001
+    - SERVICE_5001_CHECK_HTTP=${HOST_IPFS_SERVICE_5001_CHECK_HTTP:-/api/v0/diag/sys}
+    - SERVICE_5001_CHECK_HTTP_METHOD=${HOST_IPFS_SERVICE_5001_CHECK_HTTP_METHOD:-POST}
+    - SERVICE_5001_NAME=${HOST_COMPOSE_SERVICE_NAME}-ipfs-5001
+    - SERVICE_5001_TAGS=${HOST_IPFS_SERVICE_5001_TAGS:-}
+    - SERVICE_8080_CHECK_HTTP=${HOST_IPFS_SERVICE_8080_CHECK_HTTP:-/ipfs/QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG/readme}
+    - SERVICE_8080_NAME=${HOST_COMPOSE_SERVICE_NAME}-ipfs-8080
+    - SERVICE_8080_TAGS=${HOST_IPFS_SERVICE_8080_TAGS:-}
+    - SERVICE_8081_IGNORE=true
+    networks:
+    - public
+    ports:
+    - 4001:4001/tcp
+    - 4001:4001/udp
+    - 5001:5001/tcp
+    - 8080:8080/tcp
+    restart: always
+    ulimits:
+      nofile:
+        soft: 65536
+        hard: 65536
+    volumes:
+    - ipfs:/data/ipfs:delegated
+
+volumes:
+  ipfs:
+
+networks:
+  public:
+    external: true
+    name: ${DOCKER_NETWORK_PUBLIC}
--- a/stack/host/mail.mk
+++ b/stack/host/mail.mk
@ -0,0 +1,6 @@
+# ENV_VARS                                  += HOST_MAILSERVER_ENABLE_MANAGESIEVE HOST_MAILSERVER_SPOOF_PROTECTION HOST_MAILSERVER_SSL_TYPE HOST_MAILSERVER_ENABLE_UPDATE_CHECK
+HOST_MAILSERVER_ENABLE_MANAGESIEVE        ?= 1
+HOST_MAILSERVER_SPOOF_PROTECTION          ?= 1
+HOST_MAILSERVER_SSL_TYPE                  ?= letsencrypt
+HOST_MAILSERVER_ENABLE_UPDATE_CHECK       ?= 0
+HOST_MAILSERVER_UFW_DOCKER                ?= 25/tcp 465/tcp 587/tcp 993/tcp
--- a/stack/host/mail/mailserver.yml
+++ b/stack/host/mail/mailserver.yml
@ -0,0 +1,166 @@
+version: '2'
+services:
+  mailserver:
+    image: mailserver/docker-mailserver:11.2
+    cap_add:
+    - NET_ADMIN
+    container_name: ${HOST_COMPOSE_PROJECT_NAME}-mailserver
+    cpus: 0.5
+    domainname: ${DOMAIN}
+    environment:
+    - OVERRIDE_HOSTNAME=${HOST_MAILSERVER_OVERRIDE_HOSTNAME:-}
+    - DMS_DEBUG=${HOST_MAILSERVER_DMS_DEBUG:-0}
+    - LOG_LEVEL=${HOST_MAILSERVER_LOG_LEVEL:-info}
+    - SUPERVISOR_LOGLEVEL=${HOST_MAILSERVER_SUPERVISOR_LOGLEVEL:-}
+    - ONE_DIR=${HOST_MAILSERVER_ONE_DIR:-1}
+    - ACCOUNT_PROVISIONER=${HOST_MAILSERVER_ACCOUNT_PROVISIONER:-}
+    - POSTMASTER_ADDRESS=${HOST_MAILSERVER_POSTMASTER_ADDRESS:-}
+    - ENABLE_UPDATE_CHECK=${HOST_MAILSERVER_ENABLE_UPDATE_CHECK:-0}
+    - UPDATE_CHECK_INTERVAL=${HOST_MAILSERVER_UPDATE_CHECK_INTERVAL:-1d}
+    - PERMIT_DOCKER=${HOST_MAILSERVER_PERMIT_DOCKER:-none}
+    - TZ=${HOST_MAILSERVER_TZ:-${TZ}}
+    - NETWORK_INTERFACE=${HOST_MAILSERVER_NETWORK_INTERFACE:-}
+    - TLS_LEVEL=${HOST_MAILSERVER_TLS_LEVEL:-}
+    - SPOOF_PROTECTION=${HOST_MAILSERVER_SPOOF_PROTECTION:-1}
+    - ENABLE_SRS=${HOST_MAILSERVER_ENABLE_SRS:-0}
+    - ENABLE_POP3=${HOST_MAILSERVER_ENABLE_POP3:-}
+    - ENABLE_CLAMAV=${HOST_MAILSERVER_ENABLE_CLAMAV:-0}
+    - ENABLE_AMAVIS=${HOST_MAILSERVER_ENABLE_AMAVIS:-1}
+    - AMAVIS_LOGLEVEL=${HOST_MAILSERVER_AMAVIS_LOGLEVEL:-0}
+    - ENABLE_DNSBL=${HOST_MAILSERVER_ENABLE_DNSBL:-0}
+    - ENABLE_FAIL2BAN=${HOST_MAILSERVER_ENABLE_FAIL2BAN:-0}
+    - FAIL2BAN_BLOCKTYPE=${HOST_MAILSERVER_FAIL2BAN_BLOCKTYPE:-drop}
+    - ENABLE_MANAGESIEVE=${HOST_MAILSERVER_ENABLE_MANAGESIEVE:-1}
+    - POSTSCREEN_ACTION=${HOST_MAILSERVER_POSTSCREEN_ACTION:-enforce}
+    - SMTP_ONLY=${HOST_MAILSERVER_SMTP_ONLY:-}
+    - SSL_TYPE=${HOST_MAILSERVER_SSL_TYPE:-letsencrypt}
+    - SSL_CERT_PATH=${HOST_MAILSERVER_SSL_CERT_PATH:-}
+    - SSL_KEY_PATH=${HOST_MAILSERVER_SSL_KEY_PATH:-}
+    - SSL_ALT_CERT_PATH=${HOST_MAILSERVER_SSL_ALT_CERT_PATH:-}
+    - SSL_ALT_KEY_PATH=${HOST_MAILSERVER_SSL_ALT_KEY_PATH:-}
+    - VIRUSMAILS_DELETE_DELAY=${HOST_MAILSERVER_VIRUSMAILS_DELETE_DELAY:-}
+    - ENABLE_POSTFIX_VIRTUAL_TRANSPORT=${HOST_MAILSERVER_ENABLE_POSTFIX_VIRTUAL_TRANSPORT:-}
+    - POSTFIX_DAGENT=${HOST_MAILSERVER_POSTFIX_DAGENT:-}
+    - POSTFIX_MAILBOX_SIZE_LIMIT=${HOST_MAILSERVER_POSTFIX_MAILBOX_SIZE_LIMIT:-}
+    - ENABLE_QUOTAS=${HOST_MAILSERVER_ENABLE_QUOTAS:-1}
+    - POSTFIX_MESSAGE_SIZE_LIMIT=${HOST_MAILSERVER_POSTFIX_MESSAGE_SIZE_LIMIT:-}
+    - CLAMAV_MESSAGE_SIZE_LIMIT=${HOST_MAILSERVER_CLAMAV_MESSAGE_SIZE_LIMIT:-}
+    - PFLOGSUMM_TRIGGER=${HOST_MAILSERVER_PFLOGSUMM_TRIGGER:-}
+    - PFLOGSUMM_RECIPIENT=${HOST_MAILSERVER_PFLOGSUMM_RECIPIENT:-}
+    - PFLOGSUMM_SENDER=${HOST_MAILSERVER_PFLOGSUMM_SENDER:-}
+    - LOGWATCH_INTERVAL=${HOST_MAILSERVER_LOGWATCH_INTERVAL:-}
+    - LOGWATCH_RECIPIENT=${HOST_MAILSERVER_LOGWATCH_RECIPIENT:-}
+    - LOGWATCH_SENDER=${HOST_MAILSERVER_LOGWATCH_SENDER:-}
+    - REPORT_RECIPIENT=${HOST_MAILSERVER_REPORT_RECIPIENT:-}
+    - REPORT_SENDER=${HOST_MAILSERVER_REPORT_SENDER:-}
+    - LOGROTATE_INTERVAL=${HOST_MAILSERVER_LOGROTATE_INTERVAL:-weekly}
+    - POSTFIX_INET_PROTOCOLS=${HOST_MAILSERVER_POSTFIX_INET_PROTOCOLS:-all}
+    - DOVECOT_INET_PROTOCOLS=${HOST_MAILSERVER_DOVECOT_INET_PROTOCOLS:-all}
+    - ENABLE_SPAMASSASSIN=${HOST_MAILSERVER_ENABLE_SPAMASSASSIN:-0}
+    - SPAMASSASSIN_SPAM_TO_INBOX=${HOST_MAILSERVER_SPAMASSASSIN_SPAM_TO_INBOX:-1}
+    - ENABLE_SPAMASSASSIN_KAM=${HOST_MAILSERVER_ENABLE_SPAMASSASSIN_KAM:-0}
+    - MOVE_SPAM_TO_JUNK=${HOST_MAILSERVER_MOVE_SPAM_TO_JUNK:-1}
+    - SA_TAG=${HOST_MAILSERVER_SA_TAG:-2.0}
+    - SA_TAG2=${HOST_MAILSERVER_SA_TAG2:-6.31}
+    - SA_KILL=${HOST_MAILSERVER_SA_KILL:-6.31}
+    - SA_SPAM_SUBJECT=${HOST_MAILSERVER_SA_SPAM_SUBJECT:-***SPAM*****}
+    - ENABLE_FETCHMAIL=${HOST_MAILSERVER_ENABLE_FETCHMAIL:-0}
+    - FETCHMAIL_POLL=${HOST_MAILSERVER_FETCHMAIL_POLL:-300}
+    - ENABLE_LDAP=${HOST_MAILSERVER_ENABLE_LDAP:-}
+    - LDAP_START_TLS=${HOST_MAILSERVER_LDAP_START_TLS:-}
+    - LDAP_SERVER_HOST=${HOST_MAILSERVER_LDAP_SERVER_HOST:-}
+    - LDAP_SEARCH_BASE=${HOST_MAILSERVER_LDAP_SEARCH_BASE:-}
+    - LDAP_BIND_DN=${HOST_MAILSERVER_LDAP_BIND_DN:-}
+    - LDAP_BIND_PW=${HOST_MAILSERVER_LDAP_BIND_PW:-}
+    - LDAP_QUERY_FILTER_USER=${HOST_MAILSERVER_LDAP_QUERY_FILTER_USER:-}
+    - LDAP_QUERY_FILTER_GROUP=${HOST_MAILSERVER_LDAP_QUERY_FILTER_GROUP:-}
+    - LDAP_QUERY_FILTER_ALIAS=${HOST_MAILSERVER_LDAP_QUERY_FILTER_ALIAS:-}
+    - LDAP_QUERY_FILTER_DOMAIN=${HOST_MAILSERVER_LDAP_QUERY_FILTER_DOMAIN:-}
+    - DOVECOT_TLS=${HOST_MAILSERVER_DOVECOT_TLS:-}
+    - DOVECOT_USER_FILTER=${HOST_MAILSERVER_DOVECOT_USER_FILTER:-}
+    - DOVECOT_PASS_FILTER=${HOST_MAILSERVER_DOVECOT_PASS_FILTER:-}
+    - DOVECOT_MAILBOX_FORMAT=${HOST_MAILSERVER_DOVECOT_MAILBOX_FORMAT:-maildir}
+    - DOVECOT_AUTH_BIND=${HOST_MAILSERVER_DOVECOT_AUTH_BIND:-}
+    - ENABLE_POSTGREY=${HOST_MAILSERVER_ENABLE_POSTGREY:-0}
+    - POSTGREY_DELAY=${HOST_MAILSERVER_POSTGREY_DELAY:-300}
+    - POSTGREY_MAX_AGE=${HOST_MAILSERVER_POSTGREY_MAX_AGE:-35}
+    - POSTGREY_TEXT=${HOST_MAILSERVER_POSTGREY_TEXT:-"Delayed by Postgrey"}
+    - POSTGREY_AUTO_WHITELIST_CLIENTS=${HOST_MAILSERVER_POSTGREY_AUTO_WHITELIST_CLIENTS:-5}
+    - ENABLE_SASLAUTHD=${HOST_MAILSERVER_ENABLE_SASLAUTHD:-0}
+    - SASLAUTHD_MECHANISMS=${HOST_MAILSERVER_SASLAUTHD_MECHANISMS:-}
+    - SASLAUTHD_MECH_OPTIONS=${HOST_MAILSERVER_SASLAUTHD_MECH_OPTIONS:-}
+    - SASLAUTHD_LDAP_SERVER=${HOST_MAILSERVER_SASLAUTHD_LDAP_SERVER:-}
+    - SASLAUTHD_LDAP_BIND_DN=${HOST_MAILSERVER_SASLAUTHD_LDAP_BIND_DN:-}
+    - SASLAUTHD_LDAP_PASSWORD=${HOST_MAILSERVER_SASLAUTHD_LDAP_PASSWORD:-}
+    - SASLAUTHD_LDAP_SEARCH_BASE=${HOST_MAILSERVER_SASLAUTHD_LDAP_SEARCH_BASE:-}
+    - SASLAUTHD_LDAP_FILTER=${HOST_MAILSERVER_SASLAUTHD_LDAP_FILTER:-}
+    - SASLAUTHD_LDAP_START_TLS=${HOST_MAILSERVER_SASLAUTHD_LDAP_START_TLS:-}
+    - SASLAUTHD_LDAP_TLS_CHECK_PEER=${HOST_MAILSERVER_SASLAUTHD_LDAP_TLS_CHECK_PEER:-}
+    - SASLAUTHD_LDAP_TLS_CACERT_FILE=${HOST_MAILSERVER_SASLAUTHD_LDAP_TLS_CACERT_FILE:-}
+    - SASLAUTHD_LDAP_TLS_CACERT_DIR=${HOST_MAILSERVER_SASLAUTHD_LDAP_TLS_CACERT_DIR:-}
+    - SASLAUTHD_LDAP_PASSWORD_ATTR=${HOST_MAILSERVER_SASLAUTHD_LDAP_PASSWORD_ATTR:-}
+    - SASL_PASSWD=${HOST_MAILSERVER_SASL_PASSWD:-}
+    - SASLAUTHD_LDAP_AUTH_METHOD=${HOST_MAILSERVER_SASLAUTHD_LDAP_AUTH_METHOD:-}
+    - SASLAUTHD_LDAP_MECH=${HOST_MAILSERVER_SASLAUTHD_LDAP_MECH:-}
+    - SRS_SENDER_CLASSES=${HOST_MAILSERVER_SRS_SENDER_CLASSES:-envelope_sender}
+    - SRS_EXCLUDE_DOMAINS=${HOST_MAILSERVER_SRS_EXCLUDE_DOMAINS:-}
+    - SRS_SECRET=${HOST_MAILSERVER_SRS_SECRET:-}
+    - DEFAULT_RELAY_HOST=${HOST_MAILSERVER_DEFAULT_RELAY_HOST:-}
+    - RELAY_HOST=${HOST_MAILSERVER_RELAY_HOST:-}
+    - RELAY_PORT=${HOST_MAILSERVER_RELAY_PORT:-25}
+    - RELAY_USER=${HOST_MAILSERVER_RELAY_USER:-}
+    - RELAY_PASSWORD=${HOST_MAILSERVER_RELAY_PASSWORD:-}
+    healthcheck:
+      test: "ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1"
+      timeout: 3s
+      retries: 0
+    hostname: ${HOSTNAME}
+    labels:
+    - SERVICE_25_CHECK_TCP=true
+    - SERVICE_25_NAME=${HOST_COMPOSE_SERVICE_NAME}-mailserver-25
+    - SERVICE_110_IGNORE=true
+    - SERVICE_143_CHECK_TCP=true
+    - SERVICE_143_NAME=${HOST_COMPOSE_SERVICE_NAME}-mailserver-143
+    - SERVICE_465_CHECK_TCP=true
+    - SERVICE_465_NAME=${HOST_COMPOSE_SERVICE_NAME}-mailserver-465
+    - SERVICE_587_CHECK_TCP=true
+    - SERVICE_587_NAME=${HOST_COMPOSE_SERVICE_NAME}-mailserver-587
+    - SERVICE_993_CHECK_TCP=true
+    - SERVICE_993_NAME=${HOST_COMPOSE_SERVICE_NAME}-mailserver-993
+    - SERVICE_995_IGNORE=true
+    - SERVICE_4190_CHECK_TCP=true
+    - SERVICE_4190_NAME=${HOST_COMPOSE_SERVICE_NAME}-mailserver-4190
+    networks:
+    - private
+    - public
+    ports:
+    - "25:25"
+    - "143:143"
+    - "465:465"
+    - "587:587"
+    - "993:993"
+    volumes:
+    - /etc/localtime:/etc/localtime:ro
+    - mailserver-config:/tmp/docker-mailserver/
+    - mailserver-data:/var/mail
+    - mailserver-logs:/var/log/mail
+    - mailserver-state:/var/mail-state
+    - host:/etc/letsencrypt:ro
+    restart: always
+    stop_grace_period: 1m
+volumes:
+  mailserver-config:
+  mailserver-data:
+  mailserver-logs:
+  mailserver-state:
+  host:
+    external: true
+    name: ${HOST_DOCKER_VOLUME}
+
+networks:
+  private:
+    external: true
+    name: ${DOCKER_NETWORK_PRIVATE}
+  public:
+    external: true
+    name: ${DOCKER_NETWORK_PUBLIC}
--- a/stack/host/pdns/recursor.yml
+++ b/stack/host/pdns/recursor.yml
@ -8,8 +8,8 @@ services:
      context: ../..
      dockerfile: docker/pdns-server/Dockerfile
    command: /usr/local/sbin/pdns_recursor --allow-from='127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16'
-    container_name: ${NODE_COMPOSE_PROJECT_NAME}-pdns-recursor
+    container_name: ${HOST_COMPOSE_PROJECT_NAME}-pdns-recursor
    hostname: ${HOSTNAME}
-    image: ${NODE_DOCKER_REPOSITORY}/pdns-recursor:${DOCKER_IMAGE_TAG}
+    image: ${HOST_DOCKER_REPOSITORY}/pdns-recursor:${DOCKER_IMAGE_TAG}
    network_mode: host
    restart: always
--- a/stack/host/portainer.mk
+++ b/stack/host/portainer.mk
@ -0,0 +1,2 @@
+ENV_VARS                                  += HOST_PORTAINER_SERVICE_9000_TAGS
+HOST_PORTAINER_SERVICE_9000_TAGS          ?= urlprefix-portainer.${DOMAIN}/
--- a/stack/host/portainer.yml
+++ b/stack/host/portainer.yml
@ -2,13 +2,13 @@ version: '3.6'

 services:
  portainer:
-    container_name: ${NODE_COMPOSE_PROJECT_NAME}-portainer
+    container_name: ${HOST_COMPOSE_PROJECT_NAME}-portainer
    image: portainer/portainer:latest
    labels:
    - SERVICE_8000_IGNORE=true
    - SERVICE_9000_CHECK_HTTP=/
-    - SERVICE_9000_NAME=${NODE_COMPOSE_SERVICE_NAME}-portainer-9000
-    - SERVICE_9000_TAGS=${NODE_PORTAINER_SERVICE_9000_TAGS}
+    - SERVICE_9000_NAME=${HOST_COMPOSE_SERVICE_NAME}-portainer-9000
+    - SERVICE_9000_TAGS=${HOST_PORTAINER_SERVICE_9000_TAGS}
    networks:
    - public
    ports:
--- a/stack/host/registrator.yml
+++ b/stack/host/registrator.yml
@ -9,13 +9,13 @@ services:
      - GIT_AUTHOR_EMAIL=${GIT_AUTHOR_EMAIL}
      context: ../..
      dockerfile: docker/registrator/Dockerfile
-    container_name: ${NODE_COMPOSE_PROJECT_NAME}-registrator
-    image: ${NODE_DOCKER_REPOSITORY}/registrator:${DOCKER_IMAGE_TAG}
+    container_name: ${HOST_COMPOSE_PROJECT_NAME}-registrator
+    image: ${HOST_DOCKER_REPOSITORY}/registrator:${DOCKER_IMAGE_TAG}
    command: -internal -cleanup -deregister always -resync=30 -useIpFromNetwork "${DOCKER_NETWORK_PUBLIC}" -useIpFromLabel SERVICE_ADDRESS consul://consul:8500
    depends_on:
    - consul
    environment:
-    - CONSUL_HTTP_TOKEN=${NODE_CONSUL_HTTP_TOKEN}
+    - CONSUL_HTTP_TOKEN=${HOST_CONSUL_HTTP_TOKEN}
    - GL_DISABLE_VERSION_CHECK=true
    extra_hosts:
    - consul:${DOCKER_INTERNAL_DOCKER_HOST}
--- a/stack/host/vdi/vdi.yml
+++ b/stack/host/vdi/vdi.yml
@ -5,7 +5,7 @@ services:
    build:
      args:
      - DOCKER_BUILD_DIR=docker/x2go/xfce-debian
-      - SSH_PORT=${NODE_SSH_PORT:-${SSH_PORT}}
+      - SSH_PORT=${HOST_SSH_PORT:-${SSH_PORT}}
      context: ../..
      dockerfile: docker/x2go/xfce-debian/Dockerfile
    cap_add:
@ -13,23 +13,23 @@ services:
    - NET_ADMIN # iptables
    - NET_RAW # iptables
    - SYS_ADMIN # ecryptfs
-    container_name: ${NODE_COMPOSE_PROJECT_NAME}-vdi
+    container_name: ${HOST_COMPOSE_PROJECT_NAME}-vdi
    cpus: 0.5
    environment:
    - DEBUG=${VDI_DEBUG:-}
-    - ECRYPTERS=${NODE_VDI_ECRYPTERS:-${USER}}
-    - LANG=${NODE_VDI_LANG:-C.UTF-8}
-    - SSH_PORT=${NODE_SSH_PORT:-${SSH_PORT}}
+    - ECRYPTERS=${HOST_VDI_ECRYPTERS:-${USER}}
+    - LANG=${HOST_VDI_LANG:-C.UTF-8}
+    - SSH_PORT=${HOST_SSH_PORT:-${SSH_PORT}}
    - SSH_AUTHORIZED_KEYS=${SSH_AUTHORIZED_KEYS:-}
-    - SSH_PUBLIC_HOSTS=${NODE_SSH_PUBLIC_HOSTS:-${SSH_PUBLIC_HOSTS}}
-    - SUDOERS=${NODE_VDI_SUDOERS:-${USER}}
-    - TZ=${NODE_VDI_TZ:-}
-    - USERS=${NODE_VDI_USERS:-${USER}}
-    image: ${NODE_DOCKER_REPOSITORY}/vdi:${DOCKER_IMAGE_TAG}
+    - SSH_PUBLIC_HOSTS=${HOST_SSH_PUBLIC_HOSTS:-${SSH_PUBLIC_HOSTS}}
+    - SUDOERS=${HOST_VDI_SUDOERS:-${USER}}
+    - TZ=${HOST_VDI_TZ:-}
+    - USERS=${HOST_VDI_USERS:-${USER}}
+    image: ${HOST_DOCKER_REPOSITORY}/vdi:${DOCKER_IMAGE_TAG}
    networks:
    - public
    ports:
-    - ${NODE_VDI_PORT:-22}:${SSH_PORT:-22}
+    - ${HOST_VDI_PORT:-22}:${SSH_PORT:-22}
    restart: unless-stopped
    security_opt:
    - apparmor=unconfined # ecryptfs
--- a/stack/host/vsftpd/s3.yml
+++ b/stack/host/vsftpd/s3.yml
@ -0,0 +1,38 @@
+version: '3.6'
+
+services:
+  vsftpd-s3:
+    build:
+      args:
+      - DOCKER_BUILD_DIR=docker/vsftpd-s3
+      context: ../..
+      dockerfile: docker/vsftpd-s3/Dockerfile
+    cap_add:
+    - sys_admin
+    container_name: ${HOST_COMPOSE_PROJECT_NAME}-vsftpd-s3
+    devices:
+    - /dev/fuse
+    environment:
+    - AWS_ACCESS_KEY_ID=${HOST_VSFTPD_S3_AWS_ACCESS_KEY_ID:-${AWS_ACCESS_KEY_ID}}
+    - AWS_SECRET_ACCESS_KEY=${HOST_VSFTPD_S3_AWS_SECRET_ACCESS_KEY:-${AWS_SECRET_ACCESS_KEY}}
+    - DIR_REMOTE=${HOST_VSFTPD_S3_DIR_REMOTE}
+    - FTP_HOST=${HOST_VSFTPD_S3_FTP_HOST}
+    - FTP_PASS=${HOST_VSFTPD_S3_FTP_PASS}
+    - FTP_SYNC=${HOST_VSFTPD_S3_FTP_SYNC}
+    - FTP_USER=${HOST_VSFTPD_S3_FTP_USER}
+    - FTPD_USER=${HOST_VSFTPD_S3_FTPD_USER}
+    - FTPD_USERS=${HOST_VSFTPD_S3_FTPD_USERS}
+    - PASV_MAX_PORT=${HOST_VSFTPD_S3_PASV_MAX_PORT}
+    - PASV_MIN_PORT=${HOST_VSFTPD_S3_PASV_MIN_PORT}
+    hostname: ${HOSTNAME}
+    image: ${HOST_DOCKER_REPOSITORY}/vsftpd-s3:${DOCKER_IMAGE_TAG}
+    labels:
+    - SERVICE_21_CHECK_TCP=true
+    - SERVICE_21_NAME=${HOST_COMPOSE_SERVICE_NAME}-vsftpd-s3-21
+    - SERVICE_22_CHECK_TCP=true
+    - SERVICE_22_NAME=${HOST_COMPOSE_SERVICE_NAME}-vsftpd-s3-22
+    - SERVICE_65000_IGNORE=true
+    security_opt:
+    - apparmor:unconfined
+    network_mode: host
+    restart: always
--- a/stack/ipfs/ipfs.mk
+++ b/stack/ipfs/ipfs.mk
--- a/stack/monitoring.mk
+++ b/stack/monitoring.mk
@ -1 +1 @@
-monitoring                      ?= grafana prometheus/alertmanager prometheus/blackbox-exporter prometheus/es-exporter prometheus/prometheus
+monitoring                      ?= grafana prometheus/alertmanager prometheus/blackbox prometheus/es-exporter prometheus/prometheus
--- a/stack/mysql/.env.dist
+++ b/stack/mysql/.env.dist
@ -1 +0,0 @@
-MYSQL_ROOT_PASSWORD=root
--- a/stack/mysql/mysql.yml
+++ b/stack/mysql/mysql.yml
@ -3,7 +3,7 @@ version: '3.6'
 services:
  mysql:
    environment:
-    - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
+    - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD:-root}
    labels:
    - SERVICE_3306_NAME=${COMPOSE_SERVICE_NAME}-mysql-3306
    - SERVICE_CHECK_SCRIPT=docker-healthcheck $$SERVICE_IP
--- a/stack/newrelic/newrelic.mk
+++ b/stack/newrelic/newrelic.mk
--- a/stack/nginx/.env.dist
+++ b/stack/nginx/.env.dist
@ -1 +0,0 @@
-STATIC_SERVICE_80_TAGS=urlprefix-static.${APP_DOMAIN}/
--- a/stack/nginx/static.mk
+++ b/stack/nginx/static.mk
@ -0,0 +1,4 @@
+ENV_VARS                                  += STATIC_SERVICE_80_TAGS
+STATIC_SERVICE_80_TAGS                    ?= $(patsubst %,urlprefix-%,$(STATIC_SERVICE_80_URIS))
+STATIC_SERVICE_80_URIS                    ?= $(patsubst %,static.%,$(APP_URIS))
+
--- a/stack/node.mk
+++ b/stack/node.mk
@ -1,95 +0,0 @@
-CMDARGS                         += node-exec stack-node-exec node-exec:% node-exec@% node-run node-run:% node-run@%
-node                            ?= $(patsubst stack/%,%,$(patsubst %.yml,%,$(wildcard stack/node/*.yml)))
-ENV_VARS                        += DOCKER_HOST_IFACE DOCKER_HOST_INET4 DOCKER_INTERNAL_DOCKER_HOST
-SETUP_LETSENCRYPT               ?=
-
-# target bootstrap-stack-node: Fire node-certbot node-ssl-certs
-.PHONY: bootstrap-stack-node
-bootstrap-stack-node: $(if $(SETUP_LETSENCRYPT),node-certbot$(if $(DEBUG),-staging)) node-ssl-certs
-
-# target node: Fire stack-node-up
-.PHONY: node
-node: stack-node-up
-
-# target node-%; Fire target stack-node-%
-.PHONY: node-%
-node-%: stack-node-%;
-
-# target node-ssl-certs: Create invalid ${DOMAIN} certificate files with openssl
-.PHONY: node-ssl-certs
-node-ssl-certs:
-	docker run --rm --mount source=$(NODE_DOCKER_VOLUME),target=/certs alpine \
-	 [ -f /certs/live/$(DOMAIN)/fullchain.pem -a -f /certs/live/$(DOMAIN)/privkey.pem ] \
-	|| $(RUN) docker run --rm \
-	 -e DOMAIN=$(DOMAIN) \
-	 --mount source=$(NODE_DOCKER_VOLUME),target=/certs \
-	 alpine sh -c "\
-	  apk --no-cache add openssl \
-	  && mkdir -p /certs/live/${DOMAIN} \
-	  && { [ -f /certs/live/${DOMAIN}/privkey.pem ] || openssl genrsa -out /certs/live/${DOMAIN}/privkey.pem 2048; } \
-	  && openssl req -key /certs/live/${DOMAIN}/privkey.pem -out /certs/live/${DOMAIN}/cert.pem \
-	   -addext extendedKeyUsage=serverAuth \
-	   -addext subjectAltName=DNS:${DOMAIN},DNS:*.${DOMAIN} \
-	   -subj \"/C=/ST=/L=/O=/CN=${DOMAIN}\" \
-	   -x509 -days 365 \
-	  && rm -f /certs/live/${DOMAIN}/fullchain.pem \
-	  && ln -s cert.pem /certs/live/${DOMAIN}/fullchain.pem \
-	 "
-
-# target node-certbot: Create ${DOMAIN} certificate files with letsencrypt
-.PHONY: node-certbot
-node-certbot: node-docker-build-certbot
-	docker run --rm --mount source=$(NODE_DOCKER_VOLUME),target=/certs alpine \
-	 [ -f /certs/live/$(DOMAIN)/cert.pem -a -f /certs/live/$(DOMAIN)/privkey.pem ] \
-	|| $(RUN) docker run --rm \
-	 --mount source=$(NODE_DOCKER_VOLUME),target=/etc/letsencrypt/ \
-	 --mount source=$(NODE_DOCKER_VOLUME),target=/var/log/letsencrypt/ \
-	 -e DOMAIN=$(DOMAIN) \
-	 --network host \
-	 node/certbot \
-	  --non-interactive --agree-tos --email hostmaster@${DOMAIN} certonly \
-	  --preferred-challenges dns --authenticator dns-standalone \
-	  --dns-standalone-address=0.0.0.0 \
-	  --dns-standalone-port=53 \
-	  -d ${DOMAIN} \
-	  -d *.${DOMAIN}
-
-# target node-certbot-certificates: List letsencrypt certificates
-.PHONY: node-certbot-certificates
-node-certbot-certificates: node-docker-build-certbot
-	docker run --rm --mount source=$(NODE_DOCKER_VOLUME),target=/etc/letsencrypt/ node/certbot certificates
-
-# target node-certbot-renew: Renew letsencrypt certificates
-.PHONY: node-certbot-renew
-node-certbot-renew: node-docker-build-certbot
-	docker run --rm --mount source=$(NODE_DOCKER_VOLUME),target=/etc/letsencrypt/ --network host node/certbot renew
-
-# target node-certbot-staging: Create staging ${DOMAIN} certificate files with letsencrypt
-.PHONY: node-certbot-staging
-node-certbot-staging: node-docker-build-certbot
-	docker run --rm --mount source=$(NODE_DOCKER_VOLUME),target=/certs alpine \
-	 [ -f /certs/live/$(DOMAIN)/cert.pem -a -f /certs/live/$(DOMAIN)/privkey.pem ] \
-	|| $(RUN) docker run --rm \
-	 --mount source=$(NODE_DOCKER_VOLUME),target=/etc/letsencrypt/ \
-	 --mount source=$(NODE_DOCKER_VOLUME),target=/var/log/letsencrypt/ \
-	 -e DOMAIN=$(DOMAIN) \
-	 --network host \
-	 node/certbot \
-	  --non-interactive --agree-tos --email hostmaster@${DOMAIN} certonly \
-	  --preferred-challenges dns --authenticator dns-standalone \
-	  --dns-standalone-address=0.0.0.0 \
-	  --dns-standalone-port=53 \
-	  --staging \
-	  -d ${DOMAIN} \
-	  -d *.${DOMAIN}
-
-# target node-docker-build-%: Build % docker
-.PHONY: node-docker-build-%
-node-docker-build-%:
-	$(call docker-build,docker/$*,node/$*:$(DOCKER_IMAGE_TAG))
-
-# target node-docker-rebuild-%: Rebuild % docker
-.PHONY: node-docker-rebuild-%
-node-docker-rebuild-%:
-	$(call make,node-docker-build-$* DOCKER_BUILD_CACHE=false)
-
--- a/stack/node/certbot.mk
+++ b/stack/node/certbot.mk
@ -1 +0,0 @@
-NODE_CERTBOT_UFW_UPDATE                   ?= 53/udp
--- a/stack/node/consul.mk
+++ b/stack/node/consul.mk
@ -1,5 +0,0 @@
-ENV_VARS                                  += NODE_CONSUL_ACL_TOKENS_MASTER NODE_CONSUL_HTTP_TOKEN NODE_CONSUL_SERVICE_8500_TAGS
-NODE_CONSUL_ACL_TOKENS_MASTER             ?= 01234567-89ab-cdef-0123-456789abcdef
-NODE_CONSUL_HTTP_TOKEN                    ?= $(NODE_CONSUL_ACL_TOKENS_MASTER)
-NODE_CONSUL_SERVICE_8500_TAGS             ?= urlprefix-consul.${DOMAIN}/
-NODE_CONSUL_UFW_UPDATE                    ?= 8500
--- a/stack/node/exporter.mk
+++ b/stack/node/exporter.mk
@ -1,3 +0,0 @@
-ENV_VARS                                  += NODE_EXPORTER_CADVISOR_SERVICE_8080_TAGS NODE_EXPORTER_NODE_SERVICE_9100_TAGS
-NODE_EXPORTER_CADVISOR_SERVICE_8080_TAGS  ?= urlprefix-cadvisor-exporter.${DOMAIN}/
-NODE_EXPORTER_NODE_SERVICE_9100_TAGS      ?= urlprefix-node-exporter.${DOMAIN}/
--- a/stack/node/fabio.mk
+++ b/stack/node/fabio.mk
@ -1,3 +0,0 @@
-ENV_VARS                                  += NODE_FABIO_SERVICE_9998_TAGS
-NODE_FABIO_SERVICE_9998_TAGS              ?= urlprefix-fabio.${DOMAIN}/
-NODE_FABIO_UFW_UPDATE                     ?= 80/tcp 443/tcp
--- a/stack/node/ipfs.mk
+++ b/stack/node/ipfs.mk
@ -1,4 +0,0 @@
-ENV_VARS                                  += NODE_IPFS_API_HTTPHEADERS_ACA_ORIGIN NODE_IPFS_SERVICE_5001_TAGS NODE_IPFS_SERVICE_8080_TAGS
-NODE_IPFS_API_HTTPHEADERS_ACA_ORIGIN      ?= ["https://ipfs.$(DOMAIN)"]
-NODE_IPFS_SERVICE_5001_TAGS               ?= urlprefix-ipfs.$(DOMAIN)/api
-NODE_IPFS_SERVICE_8080_TAGS               ?= urlprefix-ipfs.$(DOMAIN)/,urlprefix-*.ipfs.$(DOMAIN),urlprefix-ipns.$(DOMAIN)/,urlprefix-*.ipns.$(DOMAIN)/
--- a/stack/node/ipfs.yml
+++ b/stack/node/ipfs.yml
@ -1,96 +0,0 @@
-version: '3.6'
-
-services:
-  ipfs:
-    build:
-      args:
-      - DOCKER_BUILD_DIR=docker/ipfs
-      - GID=${NODE_GID}
-      - IPFS_VERSION=${IPFS_VERSION}
-      - UID=${NODE_UID}
-      context: ../..
-      dockerfile: docker/ipfs/Dockerfile
-    command: daemon --agent-version-suffix=${NODE_COMPOSE_PROJECT_NAME} ${NODE_IPFS_DAEMON_ARGS:---migrate}
-    container_name: ${NODE_COMPOSE_PROJECT_NAME}-ipfs
-    cpus: 0.5
-    environment:
-    - IPFS_ADDRESSES_API=${NODE_IPFS_ADDRESSES_API:-}
-    - IPFS_ADDRESSES_API_DOMAIN=${NODE_IPFS_ADDRESSES_API_DOMAIN:-${DOCKER_NETWORK_PUBLIC}}
-    - IPFS_ADDRESSES_API_INET4=${NODE_IPFS_ADDRESSES_API_INET4:-}
-    - IPFS_ADDRESSES_API_PORT=${NODE_IPFS_ADDRESSES_API_PORT:-}
-    - IPFS_ADDRESSES_GATEWAY=${NODE_IPFS_ADDRESSES_GATEWAY:-}
-    - IPFS_ADDRESSES_GATEWAY_DOMAIN=${NODE_IPFS_ADDRESSES_GATEWAY_DOMAIN:-}
-    - IPFS_ADDRESSES_GATEWAY_INET4=${NODE_IPFS_ADDRESSES_GATEWAY_INET4:-0.0.0.0}
-    - IPFS_ADDRESSES_GATEWAY_PORT=${NODE_IPFS_ADDRESSES_GATEWAY_PORT:-}
-    - IPFS_ADDRESSES_NOANNOUNCE=${NODE_IPFS_ADDRESSES_NOANNOUNCE:-}
-    - IPFS_API_HTTPHEADERS=${NODE_IPFS_API_HTTPHEADERS:-}
-    - IPFS_API_HTTPHEADERS_ACA_CREDENTIALS=${NODE_IPFS_API_HTTPHEADERS_ACA_CREDENTIALS:-["true"]}
-    - IPFS_API_HTTPHEADERS_ACA_HEADERS=${NODE_IPFS_API_HTTPHEADERS_ACA_HEADERS:-["X-Requested-With", "Range", "User-Agent"]}
-    - IPFS_API_HTTPHEADERS_ACA_METHODS=${NODE_IPFS_API_HTTPHEADERS_ACA_METHODS:-["OPTIONS", "POST"]}
-    - IPFS_API_HTTPHEADERS_ACA_ORIGIN=${NODE_IPFS_API_HTTPHEADERS_ACA_ORIGIN:-}
-    - IPFS_BOOTSTRAP=${NODE_IPFS_BOOTSTRAP:-}
-    - IPFS_DATASTORE_GCPERIOD=${NODE_IPFS_DATASTORE_GCPERIOD:-}
-    - IPFS_DISK_USAGE_PERCENT=${NODE_IPFS_DISK_USAGE_PERCENT:-}
-    - IPFS_EXPERIMENTAL_ACCELERATEDDHTCLIENT=${NODE_IPFS_EXPERIMENTAL_ACCELERATEDDHTCLIENT:-}
-    - IPFS_EXPERIMENTAL_FILESTOREENABLED=${NODE_IPFS_EXPERIMENTAL_FILESTOREENABLED:-}
-    - IPFS_EXPERIMENTAL_GRAPHSYNCENABLED=${NODE_IPFS_EXPERIMENTAL_GRAPHSYNCENABLED:-}
-    - IPFS_EXPERIMENTAL_LIBP2PSTREAMMOUNTING=${NODE_IPFS_EXPERIMENTAL_LIBP2PSTREAMMOUNTING:-}
-    - IPFS_EXPERIMENTAL_P2PHTTPPROXY=${NODE_IPFS_EXPERIMENTAL_P2PHTTPPROXY:-}
-    - IPFS_EXPERIMENTAL_STRATEGICPROVIDING=${NODE_IPFS_EXPERIMENTAL_STRATEGICPROVIDING:-}
-    - IPFS_EXPERIMENTAL_URLSTOREENABLED=${NODE_IPFS_EXPERIMENTAL_URLSTOREENABLED:-}
-    - IPFS_IDENTITY_PEERID=${NODE_IPFS_IDENTITY_PEERID:-}
-    - IPFS_IDENTITY_PRIVKEY=${NODE_IPFS_IDENTITY_PRIVKEY:-}
-    - IPFS_IPNS_REPUBLISHPERIOD=${NODE_IPFS_IPNS_REPUBLISHPERIOD:-}
-    - IPFS_IPNS_RECORDLIFETIME=${NODE_IPFS_IPNS_RECORDLIFETIME:-}
-    - IPFS_IPNS_USEPUBSUB=${NODE_IPFS_IPNS_USEPUBSUB:-true}
-    - IPFS_LOGGING=${NODE_IPFS_LOGGING:-error}
-    - IPFS_NETWORK=${NODE_IPFS_NETWORK:-public}
-    - IPFS_PROFILE=${NODE_IPFS_PROFILE:-${IPFS_PROFILE}}
-    - IPFS_PUBSUB_ENABLE=${NODE_IPFS_PUBSUB_ENABLE:-true}
-    - IPFS_PUBSUB_ROUTER=${NODE_IPFS_PUBSUB_ROUTER:-gossipsub}
-    - IPFS_ROUTING_TYPE=${NODE_IPFS_ROUTING_TYPE:-dht}
-    - IPFS_REPROVIDER_INTERVAL=${NODE_IPFS_REPROVIDER_INTERVAL:-}
-    - IPFS_REPROVIDER_STRATEGY=${NODE_IPFS_REPROVIDER_STRATEGY:-}
-    - IPFS_SWARM_CONNMGR_HIGHWATER=${NODE_IPFS_SWARM_CONNMGR_HIGHWATER:-}
-    - IPFS_SWARM_CONNMGR_LOWWATER=${NODE_IPFS_SWARM_CONNMGR_LOWWATER:-}
-    - IPFS_SWARM_CONNMGR_TYPE=${NODE_IPFS_SWARM_CONNMGR_TYPE:-}
-    - IPFS_SWARM_DISABLENATPORTMAP=${NODE_IPFS_SWARM_DISABLENATPORTMAP:-}
-    - IPFS_SWARM_ENABLEHOLEPUNCHING=${NODE_IPFS_SWARM_ENABLEHOLEPUNCHING:-}
-    - IPFS_SWARM_KEY=${NODE_IPFS_SWARM_KEY:-}
-    - IPFS_SWARM_RELAYCLIENT_ENABLED=${NODE_IPFS_SWARM_RELAYCLIENT_ENABLED:-}
-    - IPFS_SWARM_RELAYSERVICE_ENABLED=${NODE_IPFS_SWARM_RELAYSERVICE_ENABLED:-}
-    - IPFS_SWARM_TRANSPORTS_NETWORK_RELAY=${NODE_IPFS_SWARM_TRANSPORTS_NETWORK_RELAY:-}
-    image: ${NODE_DOCKER_REPOSITORY}/ipfs:${DOCKER_IMAGE_TAG}
-    labels:
-    - SERVICE_4001_CHECK_TCP=true
-    - SERVICE_4001_NAME=${NODE_COMPOSE_SERVICE_NAME}-ipfs-4001
-    - SERVICE_5001_CHECK_HTTP=${NODE_IPFS_SERVICE_5001_CHECK_HTTP:-/api/v0/diag/sys}
-    - SERVICE_5001_CHECK_HTTP_METHOD=${NODE_IPFS_SERVICE_5001_CHECK_HTTP_METHOD:-POST}
-    - SERVICE_5001_NAME=${NODE_COMPOSE_SERVICE_NAME}-ipfs-5001
-    - SERVICE_5001_TAGS=${NODE_IPFS_SERVICE_5001_TAGS:-}
-    - SERVICE_8080_CHECK_HTTP=${NODE_IPFS_SERVICE_8080_CHECK_HTTP:-/ipfs/QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG/readme}
-    - SERVICE_8080_NAME=${NODE_COMPOSE_SERVICE_NAME}-ipfs-8080
-    - SERVICE_8080_TAGS=${NODE_IPFS_SERVICE_8080_TAGS:-}
-    - SERVICE_8081_IGNORE=true
-    networks:
-    - public
-    ports:
-    - 4001:4001/tcp
-    - 4001:4001/udp
-    - 5001:5001/tcp
-    - 8080:8080/tcp
-    restart: always
-    ulimits:
-      nofile:
-        soft: 65536
-        hard: 65536
-    volumes:
-    - ipfs:/data/ipfs:delegated
-
-volumes:
-  ipfs:
-
-networks:
-  public:
-    external: true
-    name: ${DOCKER_NETWORK_PUBLIC}
--- a/stack/node/mail.mk
+++ b/stack/node/mail.mk
@ -1,6 +0,0 @@
-# ENV_VARS                                  += NODE_MAILSERVER_ENABLE_MANAGESIEVE NODE_MAILSERVER_SPOOF_PROTECTION NODE_MAILSERVER_SSL_TYPE NODE_MAILSERVER_ENABLE_UPDATE_CHECK
-NODE_MAILSERVER_ENABLE_MANAGESIEVE        ?= 1
-NODE_MAILSERVER_SPOOF_PROTECTION          ?= 1
-NODE_MAILSERVER_SSL_TYPE                  ?= letsencrypt
-NODE_MAILSERVER_ENABLE_UPDATE_CHECK       ?= 0
-NODE_MAILSERVER_UFW_DOCKER                ?= 25/tcp 465/tcp 587/tcp 993/tcp
--- a/stack/node/mail/mailserver.yml
+++ b/stack/node/mail/mailserver.yml
@ -1,166 +0,0 @@
-version: '2'
-services:
-  mailserver:
-    image: mailserver/docker-mailserver:11.2
-    cap_add:
-    - NET_ADMIN
-    container_name: ${NODE_COMPOSE_PROJECT_NAME}-mailserver
-    cpus: 0.5
-    domainname: ${DOMAIN}
-    environment:
-    - OVERRIDE_HOSTNAME=${NODE_MAILSERVER_OVERRIDE_HOSTNAME:-}
-    - DMS_DEBUG=${NODE_MAILSERVER_DMS_DEBUG:-0}
-    - LOG_LEVEL=${NODE_MAILSERVER_LOG_LEVEL:-info}
-    - SUPERVISOR_LOGLEVEL=${NODE_MAILSERVER_SUPERVISOR_LOGLEVEL:-}
-    - ONE_DIR=${NODE_MAILSERVER_ONE_DIR:-1}
-    - ACCOUNT_PROVISIONER=${NODE_MAILSERVER_ACCOUNT_PROVISIONER:-}
-    - POSTMASTER_ADDRESS=${NODE_MAILSERVER_POSTMASTER_ADDRESS:-}
-    - ENABLE_UPDATE_CHECK=${NODE_MAILSERVER_ENABLE_UPDATE_CHECK:-0}
-    - UPDATE_CHECK_INTERVAL=${NODE_MAILSERVER_UPDATE_CHECK_INTERVAL:-1d}
-    - PERMIT_DOCKER=${NODE_MAILSERVER_PERMIT_DOCKER:-none}
-    - TZ=${NODE_MAILSERVER_TZ:-${TZ}}
-    - NETWORK_INTERFACE=${NODE_MAILSERVER_NETWORK_INTERFACE:-}
-    - TLS_LEVEL=${NODE_MAILSERVER_TLS_LEVEL:-}
-    - SPOOF_PROTECTION=${NODE_MAILSERVER_SPOOF_PROTECTION:-1}
-    - ENABLE_SRS=${NODE_MAILSERVER_ENABLE_SRS:-0}
-    - ENABLE_POP3=${NODE_MAILSERVER_ENABLE_POP3:-}
-    - ENABLE_CLAMAV=${NODE_MAILSERVER_ENABLE_CLAMAV:-0}
-    - ENABLE_AMAVIS=${NODE_MAILSERVER_ENABLE_AMAVIS:-1}
-    - AMAVIS_LOGLEVEL=${NODE_MAILSERVER_AMAVIS_LOGLEVEL:-0}
-    - ENABLE_DNSBL=${NODE_MAILSERVER_ENABLE_DNSBL:-0}
-    - ENABLE_FAIL2BAN=${NODE_MAILSERVER_ENABLE_FAIL2BAN:-0}
-    - FAIL2BAN_BLOCKTYPE=${NODE_MAILSERVER_FAIL2BAN_BLOCKTYPE:-drop}
-    - ENABLE_MANAGESIEVE=${NODE_MAILSERVER_ENABLE_MANAGESIEVE:-1}
-    - POSTSCREEN_ACTION=${NODE_MAILSERVER_POSTSCREEN_ACTION:-enforce}
-    - SMTP_ONLY=${NODE_MAILSERVER_SMTP_ONLY:-}
-    - SSL_TYPE=${NODE_MAILSERVER_SSL_TYPE:-letsencrypt}
-    - SSL_CERT_PATH=${NODE_MAILSERVER_SSL_CERT_PATH:-}
-    - SSL_KEY_PATH=${NODE_MAILSERVER_SSL_KEY_PATH:-}
-    - SSL_ALT_CERT_PATH=${NODE_MAILSERVER_SSL_ALT_CERT_PATH:-}
-    - SSL_ALT_KEY_PATH=${NODE_MAILSERVER_SSL_ALT_KEY_PATH:-}
-    - VIRUSMAILS_DELETE_DELAY=${NODE_MAILSERVER_VIRUSMAILS_DELETE_DELAY:-}
-    - ENABLE_POSTFIX_VIRTUAL_TRANSPORT=${NODE_MAILSERVER_ENABLE_POSTFIX_VIRTUAL_TRANSPORT:-}
-    - POSTFIX_DAGENT=${NODE_MAILSERVER_POSTFIX_DAGENT:-}
-    - POSTFIX_MAILBOX_SIZE_LIMIT=${NODE_MAILSERVER_POSTFIX_MAILBOX_SIZE_LIMIT:-}
-    - ENABLE_QUOTAS=${NODE_MAILSERVER_ENABLE_QUOTAS:-1}
-    - POSTFIX_MESSAGE_SIZE_LIMIT=${NODE_MAILSERVER_POSTFIX_MESSAGE_SIZE_LIMIT:-}
-    - CLAMAV_MESSAGE_SIZE_LIMIT=${NODE_MAILSERVER_CLAMAV_MESSAGE_SIZE_LIMIT:-}
-    - PFLOGSUMM_TRIGGER=${NODE_MAILSERVER_PFLOGSUMM_TRIGGER:-}
-    - PFLOGSUMM_RECIPIENT=${NODE_MAILSERVER_PFLOGSUMM_RECIPIENT:-}
-    - PFLOGSUMM_SENDER=${NODE_MAILSERVER_PFLOGSUMM_SENDER:-}
-    - LOGWATCH_INTERVAL=${NODE_MAILSERVER_LOGWATCH_INTERVAL:-}
-    - LOGWATCH_RECIPIENT=${NODE_MAILSERVER_LOGWATCH_RECIPIENT:-}
-    - LOGWATCH_SENDER=${NODE_MAILSERVER_LOGWATCH_SENDER:-}
-    - REPORT_RECIPIENT=${NODE_MAILSERVER_REPORT_RECIPIENT:-}
-    - REPORT_SENDER=${NODE_MAILSERVER_REPORT_SENDER:-}
-    - LOGROTATE_INTERVAL=${NODE_MAILSERVER_LOGROTATE_INTERVAL:-weekly}
-    - POSTFIX_INET_PROTOCOLS=${NODE_MAILSERVER_POSTFIX_INET_PROTOCOLS:-all}
-    - DOVECOT_INET_PROTOCOLS=${NODE_MAILSERVER_DOVECOT_INET_PROTOCOLS:-all}
-    - ENABLE_SPAMASSASSIN=${NODE_MAILSERVER_ENABLE_SPAMASSASSIN:-0}
-    - SPAMASSASSIN_SPAM_TO_INBOX=${NODE_MAILSERVER_SPAMASSASSIN_SPAM_TO_INBOX:-1}
-    - ENABLE_SPAMASSASSIN_KAM=${NODE_MAILSERVER_ENABLE_SPAMASSASSIN_KAM:-0}
-    - MOVE_SPAM_TO_JUNK=${NODE_MAILSERVER_MOVE_SPAM_TO_JUNK:-1}
-    - SA_TAG=${NODE_MAILSERVER_SA_TAG:-2.0}
-    - SA_TAG2=${NODE_MAILSERVER_SA_TAG2:-6.31}
-    - SA_KILL=${NODE_MAILSERVER_SA_KILL:-6.31}
-    - SA_SPAM_SUBJECT=${NODE_MAILSERVER_SA_SPAM_SUBJECT:-***SPAM*****}
-    - ENABLE_FETCHMAIL=${NODE_MAILSERVER_ENABLE_FETCHMAIL:-0}
-    - FETCHMAIL_POLL=${NODE_MAILSERVER_FETCHMAIL_POLL:-300}
-    - ENABLE_LDAP=${NODE_MAILSERVER_ENABLE_LDAP:-}
-    - LDAP_START_TLS=${NODE_MAILSERVER_LDAP_START_TLS:-}
-    - LDAP_SERVER_HOST=${NODE_MAILSERVER_LDAP_SERVER_HOST:-}
-    - LDAP_SEARCH_BASE=${NODE_MAILSERVER_LDAP_SEARCH_BASE:-}
-    - LDAP_BIND_DN=${NODE_MAILSERVER_LDAP_BIND_DN:-}
-    - LDAP_BIND_PW=${NODE_MAILSERVER_LDAP_BIND_PW:-}
-    - LDAP_QUERY_FILTER_USER=${NODE_MAILSERVER_LDAP_QUERY_FILTER_USER:-}
-    - LDAP_QUERY_FILTER_GROUP=${NODE_MAILSERVER_LDAP_QUERY_FILTER_GROUP:-}
-    - LDAP_QUERY_FILTER_ALIAS=${NODE_MAILSERVER_LDAP_QUERY_FILTER_ALIAS:-}
-    - LDAP_QUERY_FILTER_DOMAIN=${NODE_MAILSERVER_LDAP_QUERY_FILTER_DOMAIN:-}
-    - DOVECOT_TLS=${NODE_MAILSERVER_DOVECOT_TLS:-}
-    - DOVECOT_USER_FILTER=${NODE_MAILSERVER_DOVECOT_USER_FILTER:-}
-    - DOVECOT_PASS_FILTER=${NODE_MAILSERVER_DOVECOT_PASS_FILTER:-}
-    - DOVECOT_MAILBOX_FORMAT=${NODE_MAILSERVER_DOVECOT_MAILBOX_FORMAT:-maildir}
-    - DOVECOT_AUTH_BIND=${NODE_MAILSERVER_DOVECOT_AUTH_BIND:-}
-    - ENABLE_POSTGREY=${NODE_MAILSERVER_ENABLE_POSTGREY:-0}
-    - POSTGREY_DELAY=${NODE_MAILSERVER_POSTGREY_DELAY:-300}
-    - POSTGREY_MAX_AGE=${NODE_MAILSERVER_POSTGREY_MAX_AGE:-35}
-    - POSTGREY_TEXT=${NODE_MAILSERVER_POSTGREY_TEXT:-"Delayed by Postgrey"}
-    - POSTGREY_AUTO_WHITELIST_CLIENTS=${NODE_MAILSERVER_POSTGREY_AUTO_WHITELIST_CLIENTS:-5}
-    - ENABLE_SASLAUTHD=${NODE_MAILSERVER_ENABLE_SASLAUTHD:-0}
-    - SASLAUTHD_MECHANISMS=${NODE_MAILSERVER_SASLAUTHD_MECHANISMS:-}
-    - SASLAUTHD_MECH_OPTIONS=${NODE_MAILSERVER_SASLAUTHD_MECH_OPTIONS:-}
-    - SASLAUTHD_LDAP_SERVER=${NODE_MAILSERVER_SASLAUTHD_LDAP_SERVER:-}
-    - SASLAUTHD_LDAP_BIND_DN=${NODE_MAILSERVER_SASLAUTHD_LDAP_BIND_DN:-}
-    - SASLAUTHD_LDAP_PASSWORD=${NODE_MAILSERVER_SASLAUTHD_LDAP_PASSWORD:-}
-    - SASLAUTHD_LDAP_SEARCH_BASE=${NODE_MAILSERVER_SASLAUTHD_LDAP_SEARCH_BASE:-}
-    - SASLAUTHD_LDAP_FILTER=${NODE_MAILSERVER_SASLAUTHD_LDAP_FILTER:-}
-    - SASLAUTHD_LDAP_START_TLS=${NODE_MAILSERVER_SASLAUTHD_LDAP_START_TLS:-}
-    - SASLAUTHD_LDAP_TLS_CHECK_PEER=${NODE_MAILSERVER_SASLAUTHD_LDAP_TLS_CHECK_PEER:-}
-    - SASLAUTHD_LDAP_TLS_CACERT_FILE=${NODE_MAILSERVER_SASLAUTHD_LDAP_TLS_CACERT_FILE:-}
-    - SASLAUTHD_LDAP_TLS_CACERT_DIR=${NODE_MAILSERVER_SASLAUTHD_LDAP_TLS_CACERT_DIR:-}
-    - SASLAUTHD_LDAP_PASSWORD_ATTR=${NODE_MAILSERVER_SASLAUTHD_LDAP_PASSWORD_ATTR:-}
-    - SASL_PASSWD=${NODE_MAILSERVER_SASL_PASSWD:-}
-    - SASLAUTHD_LDAP_AUTH_METHOD=${NODE_MAILSERVER_SASLAUTHD_LDAP_AUTH_METHOD:-}
-    - SASLAUTHD_LDAP_MECH=${NODE_MAILSERVER_SASLAUTHD_LDAP_MECH:-}
-    - SRS_SENDER_CLASSES=${NODE_MAILSERVER_SRS_SENDER_CLASSES:-envelope_sender}
-    - SRS_EXCLUDE_DOMAINS=${NODE_MAILSERVER_SRS_EXCLUDE_DOMAINS:-}
-    - SRS_SECRET=${NODE_MAILSERVER_SRS_SECRET:-}
-    - DEFAULT_RELAY_HOST=${NODE_MAILSERVER_DEFAULT_RELAY_HOST:-}
-    - RELAY_HOST=${NODE_MAILSERVER_RELAY_HOST:-}
-    - RELAY_PORT=${NODE_MAILSERVER_RELAY_PORT:-25}
-    - RELAY_USER=${NODE_MAILSERVER_RELAY_USER:-}
-    - RELAY_PASSWORD=${NODE_MAILSERVER_RELAY_PASSWORD:-}
-    healthcheck:
-      test: "ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1"
-      timeout: 3s
-      retries: 0
-    hostname: ${HOSTNAME}
-    labels:
-    - SERVICE_25_CHECK_TCP=true
-    - SERVICE_25_NAME=${NODE_COMPOSE_SERVICE_NAME}-mailserver-25
-    - SERVICE_110_IGNORE=true
-    - SERVICE_143_CHECK_TCP=true
-    - SERVICE_143_NAME=${NODE_COMPOSE_SERVICE_NAME}-mailserver-143
-    - SERVICE_465_CHECK_TCP=true
-    - SERVICE_465_NAME=${NODE_COMPOSE_SERVICE_NAME}-mailserver-465
-    - SERVICE_587_CHECK_TCP=true
-    - SERVICE_587_NAME=${NODE_COMPOSE_SERVICE_NAME}-mailserver-587
-    - SERVICE_993_CHECK_TCP=true
-    - SERVICE_993_NAME=${NODE_COMPOSE_SERVICE_NAME}-mailserver-993
-    - SERVICE_995_IGNORE=true
-    - SERVICE_4190_CHECK_TCP=true
-    - SERVICE_4190_NAME=${NODE_COMPOSE_SERVICE_NAME}-mailserver-4190
-    networks:
-    - private
-    - public
-    ports:
-    - "25:25"
-    - "143:143"
-    - "465:465"
-    - "587:587"
-    - "993:993"
-    volumes:
-    - /etc/localtime:/etc/localtime:ro
-    - mailserver-config:/tmp/docker-mailserver/
-    - mailserver-data:/var/mail
-    - mailserver-logs:/var/log/mail
-    - mailserver-state:/var/mail-state
-    - node:/etc/letsencrypt:ro
-    restart: always
-    stop_grace_period: 1m
-volumes:
-  mailserver-config:
-  mailserver-data:
-  mailserver-logs:
-  mailserver-state:
-  node:
-    external: true
-    name: ${NODE_DOCKER_VOLUME}
-
-networks:
-  private:
-    external: true
-    name: ${DOCKER_NETWORK_PRIVATE}
-  public:
-    external: true
-    name: ${DOCKER_NETWORK_PUBLIC}
--- a/stack/node/portainer.mk
+++ b/stack/node/portainer.mk
@ -1,2 +0,0 @@
-ENV_VARS                                  += NODE_PORTAINER_SERVICE_9000_TAGS
-NODE_PORTAINER_SERVICE_9000_TAGS          ?= urlprefix-portainer.${DOMAIN}/
--- a/stack/node/vsftpd/s3.yml
+++ b/stack/node/vsftpd/s3.yml
@ -1,38 +0,0 @@
-version: '3.6'
-
-services:
-  vsftpd-s3:
-    build:
-      args:
-      - DOCKER_BUILD_DIR=docker/vsftpd-s3
-      context: ../..
-      dockerfile: docker/vsftpd-s3/Dockerfile
-    cap_add:
-    - sys_admin
-    container_name: ${NODE_COMPOSE_PROJECT_NAME}-vsftpd-s3
-    devices:
-    - /dev/fuse
-    environment:
-    - AWS_ACCESS_KEY_ID=${NODE_VSFTPD_S3_AWS_ACCESS_KEY_ID:-${AWS_ACCESS_KEY_ID}}
-    - AWS_SECRET_ACCESS_KEY=${NODE_VSFTPD_S3_AWS_SECRET_ACCESS_KEY:-${AWS_SECRET_ACCESS_KEY}}
-    - DIR_REMOTE=${NODE_VSFTPD_S3_DIR_REMOTE}
-    - FTP_HOST=${NODE_VSFTPD_S3_FTP_HOST}
-    - FTP_PASS=${NODE_VSFTPD_S3_FTP_PASS}
-    - FTP_SYNC=${NODE_VSFTPD_S3_FTP_SYNC}
-    - FTP_USER=${NODE_VSFTPD_S3_FTP_USER}
-    - FTPD_USER=${NODE_VSFTPD_S3_FTPD_USER}
-    - FTPD_USERS=${NODE_VSFTPD_S3_FTPD_USERS}
-    - PASV_MAX_PORT=${NODE_VSFTPD_S3_PASV_MAX_PORT}
-    - PASV_MIN_PORT=${NODE_VSFTPD_S3_PASV_MIN_PORT}
-    hostname: ${HOSTNAME}
-    image: ${NODE_DOCKER_REPOSITORY}/vsftpd-s3:${DOCKER_IMAGE_TAG}
-    labels:
-    - SERVICE_21_CHECK_TCP=true
-    - SERVICE_21_NAME=${NODE_COMPOSE_SERVICE_NAME}-vsftpd-s3-21
-    - SERVICE_22_CHECK_TCP=true
-    - SERVICE_22_NAME=${NODE_COMPOSE_SERVICE_NAME}-vsftpd-s3-22
-    - SERVICE_65000_IGNORE=true
-    security_opt:
-    - apparmor:unconfined
-    network_mode: host
-    restart: always
--- a/stack/portainer/.env.dist
+++ b/stack/portainer/.env.dist
@ -1 +0,0 @@
-PORTAINER_SERVICE_9000_TAGS=urlprefix-portainer.${APP_DOMAIN}/
--- a/stack/portainer/portainer.mk
+++ b/stack/portainer/portainer.mk
@ -0,0 +1,3 @@
+ENV_VARS                                  += PORTAINER_SERVICE_9000_TAGS
+PORTAINER_SERVICE_9000_TAGS               ?= $(patsubst %,urlprefix-%,$(PORTAINER_SERVICE_9000_URIS))
+PORTAINER_SERVICE_9000_URIS               ?= $(patsubst %,portainer.%,$(APP_URIS))
--- a/stack/postgres/.env.dist
+++ b/stack/postgres/.env.dist
@ -1,3 +0,0 @@
-POSTGRES_DB=postgres
-POSTGRES_PASSWORD=postgres
-POSTGRES_USER=postgres
--- a/stack/postgres/postgres.yml
+++ b/stack/postgres/postgres.yml
@ -3,9 +3,9 @@ version: '3.6'
 services:
  postgres:
    environment:
-    - POSTGRES_DB=${POSTGRES_DB}
-    - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
-    - POSTGRES_USER=${POSTGRES_USER}
+    - POSTGRES_DB=${POSTGRES_DB:-postgres}
+    - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-postgres}
+    - POSTGRES_USER=${POSTGRES_USER:-postgres}
    labels:
    - SERVICE_5432_CHECK_TCP=true
    - SERVICE_5432_NAME=${COMPOSE_SERVICE_NAME}-postgres-5432
--- a/stack/prometheus/.env.dist
+++ b/stack/prometheus/.env.dist
@ -1,8 +0,0 @@
-ALERTMANAGER_SERVICE_9093_TAGS=urlprefix-alertmanager.${APP_DOMAIN}/
-ALERTMANAGER_SLACK_WEBHOOK_ID=https://hooks.slack.com/services/123456789/123456789/ABCDEFGHIJKLMNOPQRSTUVWX
-BLACKBOX_SERVICE_9115_TAGS=urlprefix-blackbox.${APP_DOMAIN}/
-ES_EXPORTER_ELASTICSEARCH_URL=elasticsearch:9200
-ES_EXPORTER_SERVICE_9206_TAGS=urlprefix-es-exporter.${APP_DOMAIN}/
-PROMETHEUS_MONITORING_PRIMARY_TARGETS_BLACKBOX=https://www.google.com
-PROMETHEUS_MONITORING_SECONDARY_TARGETS_BLACKBOX=
-PROMETHEUS_SERVICE_9090_TAGS=urlprefix-prometheus.${APP_DOMAIN}/
--- a/stack/prometheus/alertmanager.mk
+++ b/stack/prometheus/alertmanager.mk
@ -0,0 +1,4 @@
+ENV_VARS                                  += ALERTMANAGER_SLACK_WEBHOOK_ID ALERTMANAGER_SERVICE_9093_TAGS
+ALERTMANAGER_SERVICE_9093_TAGS            ?= $(patsubst %,urlprefix-%,$(ALERTMANAGER_SERVICE_9093_URIS))
+ALERTMANAGER_SERVICE_9093_URIS            ?= $(patsubst %,alertmanager.%,$(APP_URIS))
+
--- a/stack/prometheus/alertmanager.yml
+++ b/stack/prometheus/alertmanager.yml
@ -5,14 +5,14 @@ services:
    build:
      args:
      - DOCKER_BUILD_DIR=docker/prometheus/alertmanager
-      - SLACK_WEBHOOK_ID=${ALERTMANAGER_SLACK_WEBHOOK_ID}
+      - SLACK_WEBHOOK_ID=${ALERTMANAGER_SLACK_WEBHOOK_ID:-https://hooks.slack.com/services/123456789/123456789/ABCDEFGHIJKLMNOPQRSTUVWX}
      context: ../..
      dockerfile: docker/prometheus/alertmanager/Dockerfile
    image: ${DOCKER_REPOSITORY}/alertmanager:${DOCKER_IMAGE_TAG}
    labels:
    - SERVICE_9093_CHECK_TCP=true
    - SERVICE_9093_NAME=${COMPOSE_SERVICE_NAME}-alertmanager-9093
-    - SERVICE_9093_TAGS=${ALERTMANAGER_SERVICE_9093_TAGS}
+    - SERVICE_9093_TAGS=${ALERTMANAGER_SERVICE_9093_TAGS:-}
    networks:
    - private
    - public
--- a/stack/prometheus/blackbox.mk
+++ b/stack/prometheus/blackbox.mk
@ -0,0 +1,6 @@
+ENV_VARS                                  += BLACKBOX_SERVICE_9115_TAGS
+BLACKBOX_PRIMARY_TARGETS                  ?= $(PROMETHEUS_BLACKBOX_PRIMARY_TARGETS)
+BLACKBOX_SECONDARY_TARGETS                ?= $(PROMETHEUS_BLACKBOX_SECONDARY_TARGETS)
+BLACKBOX_SERVICE_9115_TAGS                ?= $(patsubst %,urlprefix-%,$(BLACKBOX_SERVICE_9115_URIS))
+BLACKBOX_SERVICE_9115_URIS                ?= $(patsubst %,blackbox.%,$(APP_URIS))
+
--- a/stack/prometheus/blackbox-exporter.yml
+++ b/stack/prometheus/blackbox-exporter.yml
--- a/stack/prometheus/es-exporter.mk
+++ b/stack/prometheus/es-exporter.mk
@ -0,0 +1,3 @@
+ENV_VARS                                  += ES_EXPORTER_SERVICE_9206_TAGS
+ES_EXPORTER_SERVICE_9206_TAGS             ?= $(patsubst %,urlprefix-%,$(ES_EXPORTER_SERVICE_9206_URIS))
+ES_EXPORTER_SERVICE_9206_URIS             ?= $(patsubst %,es-exporter.%,$(APP_URIS))
--- a/stack/prometheus/es-exporter.yml
+++ b/stack/prometheus/es-exporter.yml
@ -7,12 +7,12 @@ services:
      - DOCKER_BUILD_DIR=docker/prometheus/es-exporter
      context: ../..
      dockerfile: docker/prometheus/es-exporter/Dockerfile
-    command: -e ${ES_EXPORTER_ELASTICSEARCH_URL}
+    command: -e ${ES_EXPORTER_ELASTICSEARCH_URL:-elasticsearch:9200}
    image: ${DOCKER_REPOSITORY}/es-exporter:${DOCKER_IMAGE_TAG}
    labels:
    - SERVICE_9206_CHECK_TCP=true
    - SERVICE_9206_NAME=${COMPOSE_SERVICE_NAME}-es-exporter-9206
-    - SERVICE_9206_TAGS=${ES_EXPORTER_SERVICE_9206_TAGS}
+    - SERVICE_9206_TAGS=${ES_EXPORTER_SERVICE_9206_TAGS:-}
    networks:
    - private
    - public
--- a/stack/prometheus/prometheus.mk
+++ b/stack/prometheus/prometheus.mk
@ -0,0 +1,5 @@
+ENV_VARS                                  += PROMETHEUS_BLACKBOX_PRIMARY_TARGETS PROMETHEUS_BLACKBOX_SECONDARY_TARGETS PROMETHEUS_SERVICE_9090_TAGS
+PROMETHEUS_BLACKBOX_PRIMARY_TARGETS       ?= https://$(DOMAIN)
+PROMETHEUS_BLACKBOX_SECONDARY_TARGETS     ?= $(patsubst %,https://%,$(APP_URIS))
+PROMETHEUS_SERVICE_9090_TAGS              ?= $(patsubst %,urlprefix-%,$(PROMETHEUS_SERVICE_9090_URIS))
+PROMETHEUS_SERVICE_9090_URIS              ?= $(patsubst %,alertmanager.%,$(APP_URIS))
--- a/stack/prometheus/prometheus.yml
+++ b/stack/prometheus/prometheus.yml
@ -5,8 +5,8 @@ services:
    build:
      args:
      - DOCKER_BUILD_DIR=docker/prometheus/prometheus
-      - MONITORING_PRIMARY_TARGETS_BLACKBOX=${PROMETHEUS_MONITORING_PRIMARY_TARGETS_BLACKBOX}
-      - MONITORING_SECONDARY_TARGETS_BLACKBOX=${PROMETHEUS_MONITORING_SECONDARY_TARGETS_BLACKBOX}
+      - BLACKBOX_PRIMARY_TARGETS=${PROMETHEUS_BLACKBOX_PRIMARY_TARGETS}
+      - BLACKBOX_SECONDARY_TARGETS=${PROMETHEUS_BLACKBOX_SECONDARY_TARGETS}
      context: ../..
      dockerfile: docker/prometheus/prometheus/Dockerfile
    image: ${DOCKER_REPOSITORY}/prometheus:${DOCKER_IMAGE_TAG}
--- a/stack/rabbitmq/.env.dist
+++ b/stack/rabbitmq/.env.dist
@ -1 +0,0 @@
-RABBITMQ_SERVICE_15672_TAGS=urlprefix-rabbitmq.${APP_DOMAIN}/
--- a/stack/rabbitmq/rabbitmq.mk
+++ b/stack/rabbitmq/rabbitmq.mk
@ -0,0 +1,3 @@
+ENV_VARS                                  += RABBITMQ_SERVICE_15672_TAGS
+RABBITMQ_SERVICE_15672_TAGS               ?= $(patsubst %,urlprefix-%,$(RABBITMQ_SERVICE_15672_URIS))
+RABBITMQ_SERVICE_15672_URIS               ?= $(patsubst %,rabbitmq.%,$(APP_URIS))
--- a/stack/redmine/.env.dist
+++ b/stack/redmine/.env.dist
@ -1,33 +0,0 @@
-REDMINE_DB_HOST=mysql
-REDMINE_DB_NAME=redmine
-REDMINE_DB_PASS=redmine
-REDMINE_DB_USER=redmine
-REDMINE_IMAP_ENABLED=false
-REDMINE_IMAP_HOST=imap.gmail.com
-REDMINE_IMAP_INTERVAL=30
-REDMINE_IMAP_USER=imap_user
-REDMINE_IMAP_PASS=imap_pass
-REDMINE_INCOMING_EMAIL_ALLOW_OVERRIDE=project,tracker,category,priority,status
-REDMINE_INCOMING_EMAIL_PROJECT=incoming_email_project
-REDMINE_FETCH_COMMITS=hourly
-REDMINE_SECRET_TOKEN=redmine_secret_token
-REDMINE_SERVICE_80_TAGS=urlprefix-redmine.${APP_DOMAIN}/
-REDMINE_SMTP_DOMAIN=redmine_smtp_domain
-REDMINE_SMTP_USER=redmine_smtp_user
-REDMINE_SMTP_PASS=redmine_smtp_pass
-REDMINE3_DB_HOST=mysql
-REDMINE3_DB_NAME=redmine3
-REDMINE3_DB_PASS=redmine
-REDMINE3_DB_USER=redmine
-REDMINE3_IMAP_ENABLED=false
-REDMINE3_IMAP_HOST=imap.gmail.com
-REDMINE3_IMAP_INTERVAL=30
-REDMINE3_IMAP_USER=imap_user
-REDMINE3_IMAP_PASS=imap_pass
-REDMINE3_INCOMING_EMAIL_ALLOW_OVERRIDE=project,tracker,category,priority,status
-REDMINE3_INCOMING_EMAIL_PROJECT=incoming_email_project
-REDMINE3_REDMINE_SECRET_TOKEN=redmine_secret_token
-REDMINE3_SERVICE_80_TAGS=urlprefix-redmine3.${APP_DOMAIN}/
-REDMINE3_SMTP_DOMAIN=redmine_smtp_domain
-REDMINE3_SMTP_USER=redmine_smtp_user
-REDMINE3_SMTP_PASS=redmine_smtp_pass
--- a/stack/redmine/redmine.mk
+++ b/stack/redmine/redmine.mk
@ -0,0 +1,5 @@
+ENV_VARS                                  += REDMINE_DB_NAME REDMINE_DB_USER REDMINE_SERVICE_80_TAGS
+REDMINE_SERVICE_80_TAGS                   ?= $(patsubst %,urlprefix-%,$(REDMINE_SERVICE_80_URIS))
+REDMINE_SERVICE_80_URIS                   ?= $(patsubst %,redmine.%,$(APP_URIS))
+REDMINE_DB_NAME                           ?= $(COMPOSE_SERVICE_NAME)-redmine
+REDMINE_DB_USER                           ?= $(REDMINE_DB_NAME)
--- a/stack/redmine/redmine.yml
+++ b/stack/redmine/redmine.yml
@ -3,24 +3,24 @@ version: '3.6'
 services:
  redmine:
    environment:
-    - DB_ADAPTER=mysql2
-    - DB_HOST=${REDMINE_DB_HOST}
-    - DB_NAME=${REDMINE_DB_NAME}
-    - DB_USER=${REDMINE_DB_USER}
-    - DB_PASS=${REDMINE_DB_PASS}
-    - IMAP_ENABLED=${REDMINE_IMAP_ENABLED}
-    - IMAP_HOST=${REDMINE_IMAP_HOST}
-    - IMAP_INTERVAL=${REDMINE_IMAP_INTERVAL}
+    - DB_ADAPTER=${REDMINE_DB_ADAPTER:-mysql2}
+    - DB_HOST=${REDMINE_DB_HOST:-mysql}
+    - DB_NAME=${REDMINE_DB_NAME:-redmine}
+    - DB_USER=${REDMINE_DB_USER:-redmine}
+    - DB_PASS=${REDMINE_DB_PASS:-redmine}
+    - IMAP_ENABLED=${REDMINE_IMAP_ENABLED:-false}
+    - IMAP_HOST=${REDMINE_IMAP_HOST:-imap.gmail.com}
+    - IMAP_INTERVAL=${REDMINE_IMAP_INTERVAL:-30}
    - IMAP_USER=${REDMINE_IMAP_USER}
    - IMAP_PASS=${REDMINE_IMAP_PASS}
+    - INCOMING_EMAIL_ALLOW_OVERRIDE=${REDMINE_INCOMING_EMAIL_ALLOW_OVERRIDE:-project,tracker,category,priority,status}
    - INCOMING_EMAIL_PROJECT=${REDMINE_INCOMING_EMAIL_PROJECT}
-    - INCOMING_EMAIL_ALLOW_OVERRIDE=${REDMINE_INCOMING_EMAIL_ALLOW_OVERRIDE}
-    - REDMINE_FETCH_COMMITS=${REDMINE_FETCH_COMMITS}
+    - REDMINE_FETCH_COMMITS=${REDMINE_FETCH_COMMITS:-hourly}
    - REDMINE_SECRET_TOKEN=${REDMINE_SECRET_TOKEN}
    - SMTP_DOMAIN=${REDMINE_SMTP_DOMAIN}
    - SMTP_USER=${REDMINE_SMTP_USER}
    - SMTP_PASS=${REDMINE_SMTP_PASS}
-    - TZ=Europe/Paris
+    - TZ=${REDMINE_TZ:-Europe/Paris}
    labels:
    - SERVICE_80_CHECK_TCP=true
    - SERVICE_80_NAME=${COMPOSE_SERVICE_NAME}-redmine-80
--- a/Show More
+++ b/Show More
				`@ -1 +0,0 @@`
				`drone ?= drone/drone drone/drone-runner-docker drone/gc`
				`@ -1 +0,0 @@`
				`STATIC_SERVICE_80_TAGS=urlprefix-static.${APP_DOMAIN}/`
				`@ -1 +0,0 @@`
				`PORTAINER_SERVICE_9000_TAGS=urlprefix-portainer.${APP_DOMAIN}/`
				`@ -1 +0,0 @@`
				`RABBITMQ_SERVICE_15672_TAGS=urlprefix-rabbitmq.${APP_DOMAIN}/`