Production-ready Docker Compose stacks, published as OCI artifacts.
BeeCompose provides curated Docker Compose configurations for 30+ self-hosted services. Each service is published as an OCI artifact to GitHub Container Registry, enabling one-command deployment without cloning repositories.
Note: This README appears on all package pages because GitHub Container Registry doesn't support per-package READMEs. For detailed documentation, see the service-specific README linked in the table below.
Click on a service name to view its detailed README with configuration options, environment variables, and deployment instructions.
| Service | Description | OCI Artifact |
|---|---|---|
| bitwarden | Self-hosted password manager (Vaultwarden) | ghcr.io/beevelop/bitwarden |
| cabot | Monitoring and alerting platform | ghcr.io/beevelop/cabot |
| cloudflared | Cloudflare Tunnel for zero-trust access | ghcr.io/beevelop/cloudflared |
| confluence | Atlassian team collaboration and wiki | ghcr.io/beevelop/confluence |
| crowd | Atlassian SSO and identity management | ghcr.io/beevelop/crowd |
| dependency-track | OWASP component analysis platform | ghcr.io/beevelop/dependency-track |
| directus | Headless CMS and REST/GraphQL API | ghcr.io/beevelop/directus |
| duckling | NLP text parser for structured data | ghcr.io/beevelop/duckling |
| gitlab | Complete DevOps platform with CI/CD | ghcr.io/beevelop/gitlab |
| graylog | Centralized log management | ghcr.io/beevelop/graylog |
| huginn | Self-hosted IFTTT/Zapier alternative | ghcr.io/beevelop/huginn |
| jira | Atlassian issue tracking and projects | ghcr.io/beevelop/jira |
| keycloak | Identity and access management | ghcr.io/beevelop/keycloak |
| metabase | Business intelligence and analytics | ghcr.io/beevelop/metabase |
| minio | S3-compatible object storage | ghcr.io/beevelop/minio |
| monica | Personal relationship management | ghcr.io/beevelop/monica |
| mysql | MySQL database server | ghcr.io/beevelop/mysql |
| nexus | Sonatype artifact repository manager | ghcr.io/beevelop/nexus |
| openvpn | VPN server (UDP and TCP) | ghcr.io/beevelop/openvpn |
| phpmyadmin | MySQL web administration | ghcr.io/beevelop/phpmyadmin |
| redash | Data visualization and dashboards | ghcr.io/beevelop/redash |
| registry | Private Docker registry | ghcr.io/beevelop/registry |
| rundeck | Job scheduler and runbook automation | ghcr.io/beevelop/rundeck |
| sentry | Error tracking and performance monitoring | ghcr.io/beevelop/sentry |
| shields | Self-hosted badge generation | ghcr.io/beevelop/shields |
| sonarqube | Code quality inspection | ghcr.io/beevelop/sonarqube |
| statping | Status page and uptime monitoring | ghcr.io/beevelop/statping |
| traefik | Reverse proxy with automatic HTTPS | ghcr.io/beevelop/traefik |
| traefik-tunnel | Traefik for Cloudflare Tunnel (no exposed ports) | ghcr.io/beevelop/traefik-tunnel |
| tus | Resumable file upload server | ghcr.io/beevelop/tus |
| weblate | Continuous localization platform | ghcr.io/beevelop/weblate |
| zabbix | Enterprise monitoring solution | ghcr.io/beevelop/zabbix |
Deploy any service directly from GitHub Container Registry without cloning the repository:
```bash
# 1. Create your environment file (check service README for required variables)
cat > .env << 'EOF'
COMPOSE_PROJECT_NAME=gitlab
SERVICE_DOMAIN=gitlab.example.com
DB_PASS=your-secure-password
# ... see service README for all options
EOF

# 2. Deploy from OCI artifact
docker compose -f oci://ghcr.io/beevelop/gitlab:latest --env-file .env up -d

# 3. Check status
docker compose -f oci://ghcr.io/beevelop/gitlab:latest --env-file .env ps
```

For customization or development:
```bash
git clone https://github.com/beevelop/beecompose.git
cd beecompose/services/gitlab

# Configure environment
cp .env.example .env.production
# Edit .env.production with your settings

# Deploy
docker compose --env-file .env.production up -d
```

| Requirement | Minimum Version | Notes |
|---|---|---|
| Docker | 25.0+ | Required for OCI artifact support |
| Docker Compose | v2.24+ | Bundled with Docker Desktop |
Optional: Cloudflare account for DNS-01 Let's Encrypt challenge (used by Traefik).
Note: OCI artifact deployment (`docker compose -f oci://...`) requires Docker 25.0 or later. For older Docker versions, use the "Clone and Customize" method.
| Task | Command |
|---|---|
| Start service | docker compose --env-file .env up -d |
| Stop service | docker compose --env-file .env down |
| View logs | docker compose --env-file .env logs -f |
| Check status | docker compose --env-file .env ps |
| Update images | docker compose --env-file .env pull && docker compose --env-file .env up -d |
When deploying from GHCR, include the OCI URL in each command:
```bash
# Define convenience alias
alias dc="docker compose -f oci://ghcr.io/beevelop/gitlab:latest --env-file .env"

# Now use it for all operations
dc up -d
dc logs -f
dc ps
dc down
```

All services are pre-configured for:
- Traefik v3 reverse proxy with automatic Let's Encrypt SSL (DNS-01 via Cloudflare)
- Named volumes for data persistence (no bind mounts for OCI compatibility)
- Health checks for container monitoring
- JSON logging with size limits (500k max, 50 files)
- Restart policy `unless-stopped` for reliability
Deploy Traefik first, then other services automatically connect via the traefik_default network:
```bash
# Deploy Traefik
docker compose -f oci://ghcr.io/beevelop/traefik:latest --env-file .env.traefik up -d

# Then deploy other services
docker compose -f oci://ghcr.io/beevelop/gitlab:latest --env-file .env.gitlab up -d
```

BeeCompose supports two networking modes for Traefik. Choose based on your security requirements and infrastructure setup.
Standard deployment with ports directly exposed to the internet. Traefik handles TLS termination using Let's Encrypt certificates via Cloudflare DNS-01 challenge.
```
Internet -> Traefik:443 (TLS) -> Services
                 |
     Let's Encrypt certificates
```
| Aspect | Details |
|---|---|
| Ports exposed | 80, 443, 8080 |
| TLS provider | Let's Encrypt (ACME DNS-01) |
| Requires | Cloudflare API credentials |
| Best for | Direct server access, traditional hosting |
```bash
# Deploy Traefik (exposed mode)
docker compose -f oci://ghcr.io/beevelop/traefik:latest --env-file .env.traefik up -d

# Deploy services
docker compose -f oci://ghcr.io/beevelop/gitlab:latest --env-file .env.gitlab up -d
```

See traefik README for configuration details.
Security-hardened deployment with zero public port exposure. All traffic flows through Cloudflare Tunnel, with TLS terminated at Cloudflare's edge network.
```
Internet -> Cloudflare Edge (TLS) -> cloudflared -> traefik:80 -> Services
                                                |
                                 (Docker internal network only)
```
| Aspect | Details |
|---|---|
| Ports exposed | None |
| TLS provider | Cloudflare Edge |
| Requires | Cloudflare Tunnel token |
| Best for | Zero-trust security, hiding origin IP, NAT/firewall environments |
```bash
# 1. Deploy Traefik (tunnel mode - no exposed ports)
docker compose -f oci://ghcr.io/beevelop/traefik-tunnel:latest --env-file .env.traefik up -d

# 2. Deploy cloudflared (configure tunnel token in .env)
docker compose -f oci://ghcr.io/beevelop/cloudflared:latest --env-file .env.cloudflared up -d

# 3. Deploy services as normal
docker compose -f oci://ghcr.io/beevelop/gitlab:latest --env-file .env.gitlab up -d
```

See traefik-tunnel README and cloudflared README for setup instructions.
| Feature | Exposed Mode | Tunnel Mode |
|---|---|---|
| Host ports | 80, 443, 8080 | None |
| TLS certificates | Let's Encrypt (auto-managed) | Cloudflare Edge (no management) |
| Origin IP visible | Yes | No (hidden behind Cloudflare) |
| Cloudflare API required | Yes | No |
| Tunnel token required | No | Yes |
| Service labels | Identical | Identical |
Important: Service labels work unchanged in both modes. Do not include tls=true or tls.certresolver in service labels - TLS is configured at the Traefik entrypoint level.
```
beecompose/
├── services/
│   └── <service>/
│       ├── docker-compose.yml    # Compose configuration
│       ├── README.md             # Service documentation (START HERE)
│       ├── .env                  # Version tags (committed)
│       ├── .env.example          # Example configuration (committed)
│       └── .env.<environ>        # Your secrets (gitignored)
├── docs/
│   ├── BACKUP.md                 # Backup and restore procedures
│   ├── DEPLOYMENT.md             # Deployment guide
│   └── ...
└── .github/
    └── workflows/
        └── publish-oci.yml       # OCI artifact publishing
```
| Document | Description |
|---|---|
| Deployment Guide | Complete deployment walkthrough |
| Backup Guide | Backup and restore procedures |
| Migration Guide | Migrate from legacy bee scripts |
| Testing Guide | Testing procedures and validation |
| CI/CD Pipeline | Pipeline architecture and usage |
The repository includes GitHub Actions pipelines that:
- Lint - Validates all docker-compose.yml files with DCLint
- Validate OCI - Ensures all services are OCI-compatible (no bind mounts)
- CVE Scan - Scans images for vulnerabilities using Trivy
- Test - Validates each service starts correctly
- Publish - Publishes OCI artifacts to GHCR on main branch
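
An added example (not part of the BeeCompose repository or its CI) that checks a resolved compose configuration against the conventions stated on this page: no bind mounts, no router TLS labels, a healthcheck, the `unless-stopped` restart policy and size-limited JSON logging. It assumes input in the shape of `docker compose config --format json`; the `audit` function and the sample services are hypothetical.

```python
import json

# Constructed sample in the shape of `docker compose config --format json`
# output; service names, paths and label values are made up for this example.
SAMPLE = json.loads(r"""
{"services": {
  "app": {
    "restart": "unless-stopped",
    "healthcheck": {"test": ["CMD", "curl", "-f", "http://localhost/"]},
    "logging": {"driver": "json-file",
                "options": {"max-size": "500k", "max-file": "50"}},
    "labels": {"traefik.enable": "true",
               "traefik.http.routers.app.rule": "Host(`app.example.com`)"},
    "volumes": [{"type": "volume", "source": "app_data", "target": "/data"}]},
  "legacy": {
    "restart": "always",
    "labels": {"traefik.http.routers.legacy.tls": "true",
               "traefik.http.routers.legacy.tls.certresolver": "letsencrypt"},
    "volumes": [{"type": "bind", "source": "/srv/legacy", "target": "/data"}]}
}}
""")


def audit(config):
    """Return (service, finding) pairs for a resolved compose config dict."""
    findings = []
    for name, svc in sorted(config.get("services", {}).items()):
        for vol in svc.get("volumes") or []:
            if vol.get("type") == "bind":
                findings.append((name, "bind mount: " + str(vol.get("source"))))
        for key, value in (svc.get("labels") or {}).items():
            parts = key.split(".")
            # Matches traefik.http.routers.<router>.tls[.certresolver]
            if parts[:3] == ["traefik", "http", "routers"] and parts[4:5] == ["tls"]:
                if parts[5:] == ["certresolver"] or (
                        len(parts) == 5 and str(value).lower() == "true"):
                    findings.append((name, "TLS label: " + key))
        health = svc.get("healthcheck") or {}
        if not health.get("test") or health.get("disable"):
            findings.append((name, "no healthcheck"))
        if svc.get("restart") != "unless-stopped":
            findings.append((name, "restart policy is not unless-stopped"))
        log = svc.get("logging") or {}
        if log.get("driver") != "json-file" or "max-size" not in (log.get("options") or {}):
            findings.append((name, "logging is not json-file with max-size"))
    return findings


if __name__ == "__main__":
    for service, finding in audit(SAMPLE):
        print(f"{service}: {finding}")
```
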
Pull requests are welcome! Please:
- Follow existing docker-compose patterns
- Include `.env.example` with placeholder values
- Use named volumes (no bind mounts for OCI compatibility)
- Include native Docker healthcheck directives
- Add a comprehensive README.md for your service
- Run DCLint before submitting
- Placeholder Values: Examples use `example.com`, `bee` (username), and `Swordfish` (password)
- OCI artifacts are compose files, not container images - they define how to deploy services
- Service READMEs contain all configuration details - always check them before deploying