diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 1876084..a7fd06a 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -29,7 +29,7 @@ jobs: - name: "Check compose" run: make check - name: "Update server image" - run: make image-update + run: make pull - name: "Build server" run: make build # - name: "Start server" diff --git a/DockerCompose.mk b/DockerCompose.mk index ed86b90..db11435 100644 --- a/DockerCompose.mk +++ b/DockerCompose.mk @@ -29,8 +29,9 @@ COMPOSE_DIR ?= --project-directory ./$(PROJECT_DIRECTORY) UID ?= 1000 GID ?= 1000 +TZ ?= Europe/Paris -ENV_ARG_VAR ?= PUID=$(UID) PGID=$(GID) +ENV_ARG_VAR ?= PUID=$(UID) PGID=$(GID) TZ=$(TZ) DOCKER_COMPOSE_COMMAND ?= $(ENV_ARG_VAR) $(DOCKER_EXEC) compose $(COMPOSE_DIR) $(COMPOSE_FILES) $(PROFILE_CMD) @@ -66,11 +67,11 @@ git-update: git pull --recurse-submodules --all --progress .PHONY: update -update: image-update git-update +update: git-update .PHONY: clean clean: - docker system prune -f + $(ENV_ARG_VAR) $(DOCKER_EXEC) system prune -f .PHONY: purge purge: diff --git a/README.md b/README.md index c06dfb4..02cfd5d 100644 --- a/README.md +++ b/README.md 
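Review bot: `update: git-update` drops `image-update` from the prerequisites, so `make update` now refreshes the checkout but leaves the stack on whatever image tags were last pulled; if the `pull` target the workflow now calls (`run: make pull`) is defined in a part of DockerCompose.mk outside this diff, `update: pull git-update` would keep image patch updates on the routine path. The `clean` recipe's `system prune -f` is host-wide rather than project-scoped — it removes every stopped container, dangling image and unused network on the host, including those of other compose projects — which deserves a comment on the target (`## Host-wide docker prune, not limited to this project`) or a scoped alternative such as `$(DOCKER_COMPOSE_COMMAND) down --remove-orphans`. I can't confirm `pull` exists since it is not visible here.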
@@ -1,36 +1,30 @@ # Infrastructure -_Open source, decentralized and self-hosted infrastructure for many local services._ - -## About - -It uses caddy and docker-compose to run my services (And many other things). -It's a **work in progress**, and I'm still learning a lot about it. -If you have any **questions** or **suggestions**, feel free to open an issue or a pull request. +_Open source, decentralized and self-hosted infrastructure for many local services and authentication with Authelia._ ## Features - [x] caddy 2 HTTP/S reverse proxy +- [x] Authelia (SSO / authentication middleware) +- [x] Open-WebUI + Ollama (Local chatGPT) +- [x] qbittorrent and transmission (Torrent client/server) - [x] Docker / docker-compose - [x] Homepage (Dashboard) +- [x] SearXNG (Self-hosted search engine) - [x] Jellyfin (Eg Netflix, Disney+) - [x] Forgejo (Git server, fork of Gitea) - [x] Uptime Kuma (Monitoring) - [x] Argus (Application update monitoring) -- [x] qbittorrent and transmission (Torrent client/server) - [x] SyncThing (File synchronization) - [x] Dufs (File server) - [x] PsiTransfer, ProjectSend, Picoshare (File sharing) - [x] it-tools, omni-tools and cyberchef (Tools for IT) -- [x] Open-WebUI + Ollama (Local chatGPT) -- [x] Privatebin (Pastebin) +- [x] Privatebin - [x] Memos (Note-taking) - [x] Stirling PDF (PDF tools) - [x] Wordpress (Via FASTCGI/caddy) -- [X] Satisfactory -- [x] 7 days to die -- [x] Minecraft -- [x] Team Fortress 2 +- [x] Dependency-Track (SBOM / vulnerability tracking) +- [X] Game (Satisfactory, Minecraft, 7 Days to Die, Team Fortress 2 etc...) ## Architecture 
@@ -50,7 +44,7 @@ The homepage is a dashboard with many widgets and services. - [Docker Compose](https://docs.docker.com/compose/install/) - [Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) - [Web domain](https://www.ovh.com/world/domains/) (I use OVH) -- [Open port 80, 443, 22, 2222 and 5555 on your router](http://192.168.1.1/) +- [Open port 80, 443, 22 and 2222 on your router](http://192.168.1.1/) - For games server, you need to open these ports (7777, 8888, 25565, 26900, 26901, 26903) List of ports used by the services in this infrastructure: @@ -87,7 +81,29 @@ Go to the folder cd infrastructure ``` -Change services you want to enable in the [Makefile](Makefile) file, by default all services are enabled (games servers included). +### Start the infrastructure + +Start the website with: + +```sh +make up +``` + +Stop the website with: + +```sh +make stop +``` + +Remove containers with: + +```sh +make down +``` + +Services are enabled via **preset configuration files** in the [`presets/`](presets/) directory. + +The active presets are declared in the [`Makefile`](Makefile) via the `CONFIGS` variable, for example, `CONFIGS := chatgpt` loads `presets/chatgpt.conf` which activates the `main_infrastructure`, `caddy`, `openssh`, and `openwebui` profiles. ### Configure the domain @@ -97,7 +113,7 @@ For all **bensuperpc.org**, you need to replace it with your domain, example: ** find . \( -type d -name .git -prune \) -o -type f -print0 | xargs -0 sed -i 's/bensuperpc.org/mydomain.com/g' ``` -Check if all bensuperpc.* are replaced by your domain in [Caddyfile](caddy/services/wordpress/Caddyfile) +Check if all bensuperpc.* are replaced by your domain in [Caddyfile](infrastructure/services/caddy/config/Caddyfile) And then, caddy will generate the certificate for you and renew it automatically :D 
@@ -105,26 +121,29 @@ And then, caddy will generate the certificate for you and renew it automatically | ------------------------------------------------------------------ | ---- | ------------------------------------------------------------ | | [bensuperpc.org](https://bensuperpc.org) | Main | Redirect to [www.bensuperpc.org](https://www.bensuperpc.org) | | [www.bensuperpc.org](https://www.bensuperpc.org) | Main | Homepage | -| [open-webui.bensuperpc.org](https://open-webui.bensuperpc.org) | Sub | For local chatGPT | -| [wordpress.bensuperpc.org](https://wordpress.bensuperpc.org) | Sub | Wordpress website | +| [openwebui.bensuperpc.org](https://openwebui.bensuperpc.org) | Sub | For local chatGPT with ollama and openweb-ui | +| [authelia.bensuperpc.org](https://authelia.bensuperpc.org) | Sub | Authelia for authentication | | [uptimekuma.bensuperpc.org](https://uptimekuma.bensuperpc.org) | Sub | Uptime Kuma for monitoring | | [qbittorrent.bensuperpc.org](https://qbittorrent.bensuperpc.org) | Sub | Torrent client/server | +| [dozzle.bensuperpc.org](https://dozzle.bensuperpc.org) | Sub | Dozzle for docker logs | | [transmission.bensuperpc.org](https://transmission.bensuperpc.org) | Sub | Torrent client/server | | [forgejo.bensuperpc.org](https://forgejo.bensuperpc.org/) | Sub | Fork of Gitea for git | | [git.bensuperpc.org](https://git.bensuperpc.org) | Sub | Fork of Gitea for git | -| [link.bensuperpc.org](https://link.bensuperpc.org) | Sub | For link shortener | | [jellyfin.bensuperpc.org](https://jellyfin.bensuperpc.org) | Sub | Jellyfin for media server | | [syncthing.bensuperpc.org](https://syncthing.bensuperpc.org) | Sub | SyncThing for file synchronization | | [psitransfer.bensuperpc.org](https://psitransfer.bensuperpc.org) | Sub | PsiTransfer for file sharing | | [it-tools.bensuperpc.org](https://it-tools.bensuperpc.org) | Sub | Tools for IT | | [omni-tools.bensuperpc.org](https://omni-tools.bensuperpc.org) | Sub | Tools for IT | -| 
[privatebin.bensuperpc.org](https://privatebin.bensuperpc.org) | Sub | Pastebin | +| [privatebin.bensuperpc.org](https://privatebin.bensuperpc.org) | Sub | Privatebin | | [projectsend.bensuperpc.org](https://projectsend.bensuperpc.org) | Sub | ProjectSend for file sharing | | [picoshare.bensuperpc.org](https://picoshare.bensuperpc.org) | Sub | Picoshare for file sharing | | [dufs.bensuperpc.org](https://dufs.bensuperpc.org) | Sub | Dufs for file sharing | | [memos.bensuperpc.org](https://memos.bensuperpc.org) | Sub | Memos note-taking app | | [stirlingpdf.bensuperpc.org](https://stirlingpdf.bensuperpc.org) | Sub | Stirling PDF tools | -| [argus.bensuperpc.org](https://argus.bensuperpc.org) | Sub | Argus for monitoring application updates | +| [argus.bensuperpc.org](https://argus.bensuperpc.org) | Sub | Argus for monitoring application updates | +| [searxng.bensuperpc.org](https://searxng.bensuperpc.org) | Sub | SearXNG self-hosted search engine | +| [dependency-track.bensuperpc.org](https://dependency-track.bensuperpc.org) | Sub | SBOM / vulnerability analysis | +| [wordpress.bensuperpc.org](https://wordpress.bensuperpc.org) | Sub | Wordpress website | ### Configure the infrastructure 
@@ -146,27 +165,52 @@ For [caddy_backup.env](infrastructure/services/caddy/env/caddy_backup.env) file, RESTIC_PASSWORD=7L1Ncbquax0B2TCOmrjaQl9n5mnY88bQ ``` -#### Wordpress - -For the [wordpress.env](infrastructure/services/wordpress/env/wordpress.env) file, you need to change the password and user for the database. +On [caddy.env](infrastructure/services/caddy/env/caddy.env) file, you need to update some variables, like the main domain, mail domain and scheme (http or https). ```sh -WORDPRESS_DB_USER=bensuperpc -WORDPRESS_DB_PASSWORD=lEOEf8cndnDjp84O4Uv5D9zJLJDFatLw +MAIN_DOMAIN=bensuperpc.org +MAIL_DOMAIN=bensuperpc@gmail.com +# Scheme +SCHEME=https +# ignore_loaded_certs off +AUTO_HTTPS_OPTIONS=ignore_loaded_certs ``` -For [wordpress_db.env](infrastructure/services/wordpress/env/wordpress_db.env) file, you need to change the password(s) and user for the database. +#### Authelia + +For [authelia.env](infrastructure/services/authelia/env/authelia.env) file, you need to change the password(s) and secret key: ```sh -MARIADB_ROOT_PASSWORD=7L1Ncbquax0B2TCOmrjaQl9n5mnY88bQ -MARIADB_USER=bensuperpc -MARIADB_PASSWORD=lEOEf8cndnDjp84O4Uv5D9zJLJDFatLw +AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET=ht87MVnXkXhBpDkMUHqKDqdg8UGBJt+Fx5jNIqXnN2k= +AUTHELIA_SESSION_SECRET=nsvbXKGRXVZUCUkOapntlq/Zh+d75WacTK5Jgyh8zYk= +AUTHELIA_STORAGE_ENCRYPTION_KEY=aWeIT74xIhGVd9nUOr4YTToTl5rpBEbzc/fv4jemuos= +AUTHELIA_STORAGE_POSTGRES_HOST=authelia-postgres +AUTHELIA_STORAGE_POSTGRES_PORT=5432 +AUTHELIA_STORAGE_POSTGRES_DATABASE=authelia_db +AUTHELIA_STORAGE_POSTGRES_USERNAME=authelia +AUTHELIA_STORAGE_POSTGRES_PASSWORD=sAdkxFW6k3GiMOrlBpl6OV76eb9cQz/uk95jmA2UpI8= ``` -For [wordpress_backup.env](infrastructure/services/wordpress/env/wordpress_backup.env) file, you need to change the password(s) for the restic backup. +Same for [authelia_postgres.env](infrastructure/services/authelia/env/authelia_postgres.env) file, you need to change the password(s) and user for the database. 
```sh -RESTIC_PASSWORD=7L1Ncbquax0B2TCOmrjaQl9n5mnY88bQ +POSTGRES_USER=authelia +POSTGRES_PASSWORD=sAdkxFW6k3GiMOrlBpl6OV76eb9cQz/uk95jmA2UpI8= +POSTGRES_DB=authelia_db +``` + +You also need to update [users_database.yml](infrastructure/services/authelia/config/users_database.yml) + +```sh +docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'MyPassword' +``` + +#### Dozzle + +To generate a new user for dozzle, you can use the following command [users.yml](infrastructure/services/dozzle/config/users.yml): + +```sh +docker run -it --rm amir20/dozzle generate bensuperpc --password mypassword --email bensuperpc@gmail.com --name "bensuperpc" ``` #### PsiTransfer 
@@ -233,37 +277,32 @@ USER_PASSWORD=rdUwf36C11PLmpU9Lvq7tP5pfFBKAuCh #### Open-WebUI -For [open-webui.env](infrastructure/services/open-webui/env/open-webui.env) file, entirely optional. +For [open-webui.env](infrastructure/services/open-webui/env/open-webui.env) file, you must change the secret key for the webui and configure its PostgreSQL backend. -To download the model, you can use: +```sh +WEBUI_SECRET_KEY=7d83b15a417d090ba5c6b899270a05dd215c60848354c0c7574226d6ff02f39e +``` + +Also update [openwebui-postgres.env](infrastructure/services/open-webui/env/openwebui-postgres.env) with your own credentials. + +To download the model, through open-webui GUI or you can use the following command: ```sh docker exec -it ollama ollama run deepseek-r1:8b ``` -### Start the infrastructure +#### Dependency-Track -Start the website with: +For [dependency-track.env](infrastructure/services/dependency-track/env/dependency-track.env) file, you need to set the database credentials and the API server URL. ```sh -make start-detached +POSTGRES_USER=dtrack +POSTGRES_PASSWORD= +POSTGRES_DB=dtrack_db +ALPINE_DATA_DIRECTORY=/data ``` -Stop the website with: - -```sh -make stop -``` - -Remove countainers with: - -```sh -make down -``` - -You can disable some services by removing the service name in PROFILES variable in the [Makefile](Makefile) file. - -To enable the gitea CI: [how-to-build-docker-containers-using-gitea-runners](https://medium.com/@lokanx/how-to-build-docker-containers-using-gitea-runners-600729555e07) +The frontend is available at `https://dependency-track.bensuperpc.org` and the API server at `/api/*`. Default credentials are `admin` / `admin`, **change them on first login**. ### Homepage @@ -335,7 +374,7 @@ This infrastructure uses docker volumes to store data, all configuration/data fo ### SSH access -The default port for ssh/rsync is is 2222. +The default port for SSH/rsync is 2222. You can access to the server with: 
@@ -347,6 +386,72 @@ ssh -p 2222 admin@bensuperpc.org To activate the alternative webui theme (VueTorrent), you need to go in the qbittorrent settings, then in the `webui` section, check the `Use alternative webui` and add `/vuetorrent` to text field. +#### Local testing + +If you want to test the infrastructure locally, you can add these lines in your `/etc/hosts` file: + +```sh +127.0.0.1 openwebui.bensuperpc.org +127.0.0.1 authelia.bensuperpc.org +127.0.0.1 memos.bensuperpc.org +127.0.0.1 stirlingpdf.bensuperpc.org +127.0.0.1 public.bensuperpc.org +127.0.0.1 private.bensuperpc.org +127.0.0.1 jellyfin.bensuperpc.org +127.0.0.1 syncthing.bensuperpc.org +127.0.0.1 psitransfer.bensuperpc.org +127.0.0.1 projectsend.bensuperpc.org +127.0.0.1 picoshare.bensuperpc.org +127.0.0.1 dufs.bensuperpc.org +127.0.0.1 it-tools.bensuperpc.org +127.0.0.1 omni-tools.bensuperpc.org +127.0.0.1 privatebin.bensuperpc.org +127.0.0.1 forgejo.bensuperpc.org +127.0.0.1 git.bensuperpc.org +127.0.0.1 qbittorrent.bensuperpc.org +127.0.0.1 transmission.bensuperpc.org +127.0.0.1 uptimekuma.bensuperpc.org +127.0.0.1 wordpress.bensuperpc.org +127.0.0.1 searxng.bensuperpc.org +127.0.0.1 dependency-track.bensuperpc.org +127.0.0.1 homepage.bensuperpc.org +``` + +Then update the [caddy.env](infrastructure/services/caddy/env/caddy.env) file with your local domain to disable the letsencrypt certificate generation and auto redirect to https: + +```sh +MAIN_DOMAIN=bensuperpc.org +# Scheme +SCHEME=https +# ignore_loaded_certs off +AUTO_HTTPS_OPTIONS=ignore_loaded_certs +``` + +And remove all the `import authelia_middleware` in the caddyfiles, authelia need https to work. + +#### Wordpress + +For the [wordpress.env](infrastructure/services/wordpress/env/wordpress.env) file, you need to change the password and user for the database. 
+ +```sh +WORDPRESS_DB_USER=bensuperpc +WORDPRESS_DB_PASSWORD=lEOEf8cndnDjp84O4Uv5D9zJLJDFatLw +``` + +For [wordpress_db.env](infrastructure/services/wordpress/env/wordpress_db.env) file, you need to change the password(s) and user for the database. + +```sh +MARIADB_ROOT_PASSWORD=7L1Ncbquax0B2TCOmrjaQl9n5mnY88bQ +MARIADB_USER=bensuperpc +MARIADB_PASSWORD=lEOEf8cndnDjp84O4Uv5D9zJLJDFatLw +``` + +For [wordpress_backup.env](infrastructure/services/wordpress/env/wordpress_backup.env) file, you need to change the password(s) for the restic backup. + +```sh +RESTIC_PASSWORD=7L1Ncbquax0B2TCOmrjaQl9n5mnY88bQ +``` + ## Sources - [Wordpress](https://wordpress.org/) @@ -362,6 +467,7 @@ To activate the alternative webui theme (VueTorrent), you need to go in the qbit - [Letsencrypt](https://letsencrypt.org/) - [Caddy](https://caddyserver.com/) - [Adminer](https://www.adminer.org/) +- [self-hosted-ai-stack](https://triedandtestedbuilds.com/self-hosted-ai-stack-part-1) - [Uptime Kuma](https://uptime-kuma.com/) - [qbittorrent](https://www.qbittorrent.org/) - [Transmission](https://transmissionbt.com/) @@ -385,7 +491,9 @@ To activate the alternative webui theme (VueTorrent), you need to go in the qbit - [Forgejo-runner](https://huijzer.xyz/posts/55) - [Forgejo](https://nickcunningh.am/blog/how-to-setup-and-configure-forgejo-with-support-for-forgejo-actions-and-more) - [Argus](https://github.com/release-argus/Argus) -- [Forgejo-runner](https://huijzer.xyz/posts/55) +- [SearXNG](https://github.com/searxng/searxng) +- [Dependency-Track](https://dependencytrack.org/) +- [Authelia](https://www.authelia.com/) ## License diff --git a/infrastructure/docker-compose.yml b/infrastructure/docker-compose.yml index a4e99b4..bdf15ee 100644 --- a/infrastructure/docker-compose.yml +++ b/infrastructure/docker-compose.yml 
@@ -49,6 +49,10 @@ include: - services/dependency-track/docker-compose.dependency-track.yml # Searxng - services/searxng/docker-compose.searxng.yml +# Authelia + - services/authelia/docker-compose.authelia.yml +# Dozzle + - services/dozzle/docker-compose.dozzle.yml # Minecraft - services/minecraft-server/docker-compose.yml # 7daystodie diff --git a/infrastructure/services/7daystodie-server/7daystodie/docker-compose.7daystodie.yml b/infrastructure/services/7daystodie-server/7daystodie/docker-compose.7daystodie.yml index b91d874..970d45a 100644 --- a/infrastructure/services/7daystodie-server/7daystodie/docker-compose.7daystodie.yml +++ b/infrastructure/services/7daystodie-server/7daystodie/docker-compose.7daystodie.yml @@ -5,7 +5,7 @@ services: container_name: 7daystodie_server profiles: - 7daystodie_server - restart: on-failure:5 + restart: on-failure:7 ports: - "26900:26900" - "26901:26901" @@ -25,6 +25,7 @@ services: environment: - PUID=${PUID:-1000} - PGID=${PGID:-1000} + - TZ=${TZ:-Europe/Paris} # security_opt: # - no-new-privileges:true # cap_drop: diff --git a/infrastructure/services/7daystodie-server/backup/docker-compose.backup.yml b/infrastructure/services/7daystodie-server/backup/docker-compose.backup.yml index 1756558..161dbbc 100644 --- a/infrastructure/services/7daystodie-server/backup/docker-compose.backup.yml +++ b/infrastructure/services/7daystodie-server/backup/docker-compose.backup.yml @@ -6,7 +6,7 @@ services: - 7daystodie_backup depends_on: - 7daystodie_server - restart: on-failure:5 + restart: on-failure:7 env_file: - ./env/7daystodie_backup.env volumes: diff --git a/infrastructure/services/argus/docker-compose.argus.yml b/infrastructure/services/argus/docker-compose.argus.yml index 50922bd..07e84af 100644 --- a/infrastructure/services/argus/docker-compose.argus.yml +++ b/infrastructure/services/argus/docker-compose.argus.yml 
@@ -6,13 +6,14 @@ services: profiles: - argus environment: - ARGUS_UID: ${PUID:-1000} - ARGUS_GID: ${PGID:-1000} - restart: on-failure:5 + - ARGUS_UID=${PUID:-1000} + - ARGUS_GID=${PGID:-1000} + - TZ=${TZ:-Europe/Paris} + restart: on-failure:7 depends_on: - caddy networks: - - argus-network + - caddy-infra volumes: - argus_data:/app/data/ - ./config/config.yml:/app/config.yml @@ -28,6 +29,6 @@ volumes: name: argus_data networks: - argus-network: + caddy-infra: driver: bridge - name: argus-network + name: caddy-infra diff --git a/infrastructure/services/authelia/config/configuration.yml b/infrastructure/services/authelia/config/configuration.yml new file mode 100644 index 0000000..cb8d8b0 --- /dev/null +++ b/infrastructure/services/authelia/config/configuration.yml 
@@ -0,0 +1,64 @@
+theme: auto
+
+server:
+ address: "tcp://0.0.0.0:9091"
+
+log:
+ level: info
+
+authentication_backend:
+ file:
+ path: /config/users_database.yml
+
+access_control:
+ default_policy: deny
+ rules:
+ - domain:
+ - "authelia.bensuperpc.org"
+ - "www.bensuperpc.org"
+ - "public.bensuperpc.org"
+ - "it-tools.bensuperpc.org"
+ - "omni-tools.bensuperpc.org"
+ - "cyberchef.bensuperpc.org"
+ - "wordpress.bensuperpc.org"
+ - "homepage.bensuperpc.org"
+ policy: bypass
+ - domain:
+ - "jellyfin.bensuperpc.org"
+ - "openwebui.bensuperpc.org"
+ - "searxng.bensuperpc.org"
+ subject:
+ - 'group:admins'
+ - 'group:users'
+ policy: one_factor
+ - domain:
+ - "*.bensuperpc.org"
+ subject:
+ - 'group:admins'
+ policy: one_factor
+ # - domain: "dependency-track.bensuperpc.org"
+ # resources:
+ # - "^/api/.*"
+ # policy: bypass
+# - domain: "*.bensuperpc.org"
+# policy: two_factor
+
+session:
+ expiration: 72h
+ inactivity: 60m
+ remember_me: 1M
+ cookies:
+ - domain: "bensuperpc.org"
+ authelia_url: "https://authelia.bensuperpc.org"
+
+regulation:
+ max_retries: 5
+ find_time: 3m
+ ban_time: 15m
+
+storage:
+ postgres: {}
+
+notifier:
+ filesystem:
+ filename: /config/notification.txt
\ No newline at end of file
diff --git a/infrastructure/services/authelia/config/users_database.yml b/infrastructure/services/authelia/config/users_database.yml
new file mode 100644
index 0000000..07eab2b
--- /dev/null
+++ b/infrastructure/services/authelia/config/users_database.yml
@@ -0,0 +1,8 @@
+users:
+ bensuperpc:
+ displayname: "Bensuperpc"
+ password: "$argon2id$v=19$m=65536,t=3,p=4$1T+CwoeP6hcoddG8l1iilg$omcB+SICmNQzmZIXhE54S5+J68AU32f60a5ctYoEObU"
+ email: "bensuperpc@gmail.com"
+ groups:
+ - admins
+ - users
\ No newline at end of file
diff --git a/infrastructure/services/authelia/docker-compose.authelia.yml b/infrastructure/services/authelia/docker-compose.authelia.yml
new file mode 100644
index 0000000..d603ecd
--- /dev/null
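Review bot: The first rule lists `wordpress.bensuperpc.org` (with `www` and `homepage`) under `policy: bypass`, and rules are first-match, so the `import authelia_middleware` added to those Caddy sites is answered with an unconditional 200 and WordPress's `/wp-login.php` and `/wp-admin` stay reachable with only WordPress's own login; if the admin area is not meant to be public, a resource-scoped `one_factor` rule placed before the bypass rule covers it (sketch below). The commented-out `dependency-track` `/api/` bypass and the `two_factor` block are dead configuration that will drift; either enable them deliberately or delete them — as written the catch-all admin rule also gates `/api/*` on dependency-track, so non-browser clients using Dependency-Track's own API key are redirected to the portal instead. `remember_me: 1M` together with the cookie scoped to `bensuperpc.org` means one long-lived session cookie is presented to every subdomain, including the bypassed public ones; worth a one-line comment recording that as an accepted trade-off.
```yaml
  rules:
    # Admin surface of the public WordPress site: require SSO before the bypass rule below
    - domain: "wordpress.bensuperpc.org"
      resources:
        - '^/wp-admin.*'
        - '^/wp-login\.php.*'
      subject:
        - 'group:admins'
      policy: one_factor
    # … unchanged: existing bypass / one_factor rules …
```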
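Review bot: `users_database.yml` commits a live-looking user record (an argon2id hash plus an e-mail address), and the env files later in this diff (`authelia.env`, `authelia_postgres.env`) commit the session secret, reset-password JWT secret, storage encryption key and PostgreSQL password; the README repeats the same values. Anyone who deploys from the repository without rotating them runs with a published session secret, and the committed hash is an offline-guessable artifact if it was derived from a password that is actually in use. The usual shape is to commit `authelia.env.example` / `users_database.example.yml` with placeholders such as `AUTHELIA_SESSION_SECRET=<generated-secret>`, git-ignore the real files the compose `env_file:` entries point at, and rotate the values that have already been pushed.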
+++ b/infrastructure/services/authelia/docker-compose.authelia.yml
@@ -0,0 +1,56 @@
+services:
+ authelia:
+ container_name: authelia
+ image: authelia/authelia:latest
+ profiles:
+ - authelia
+ - caddy
+ depends_on:
+ authelia-postgres:
+ condition: service_healthy
+ # environment:
+ # - TZ=America/New_York
+# - PUID=${PUID:-1000}
+# - PGID=${PGID:-1000}
+ env_file:
+ - ./env/authelia.env
+ environment:
+ - TZ=${TZ:-Europe/Paris}
+ volumes:
+ - ./config:/config
+ networks:
+ - caddy-infra
+ - authelia-internal
+ restart: on-failure:7
+
+ authelia-postgres:
+ image: postgres:17-alpine
+ container_name: authelia-postgres
+ restart: on-failure:7
+ volumes:
+ - authelia_db_data:/var/lib/postgresql/data
+ env_file:
+ - ./env/authelia_postgres.env
+ profiles:
+ - authelia
+ - caddy
+ environment:
+ - TZ=${TZ:-Europe/Paris}
+ healthcheck:
+ test: [ "CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB}" ]
+ interval: 5s
+ timeout: 3s
+ retries: 5
+ networks:
+ - authelia-internal
+
+networks:
+ caddy-infra:
+ driver: bridge
+ name: caddy-infra
+ authelia-internal:
+ driver: bridge
+ name: authelia-internal
+
+volumes:
+ authelia_db_data: {}
\ No newline at end of file
diff --git a/infrastructure/services/authelia/env/authelia.env b/infrastructure/services/authelia/env/authelia.env
new file mode 100644
index 0000000..b0a78f9
--- /dev/null
+++ b/infrastructure/services/authelia/env/authelia.env
@@ -0,0 +1,8 @@
+AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET=ht87MVnXkXhBpDkMUHqKDqdg8UGBJt+Fx5jNIqXnN2k=
+AUTHELIA_SESSION_SECRET=nsvbXKGRXVZUCUkOapntlq/Zh+d75WacTK5Jgyh8zYk=
+AUTHELIA_STORAGE_ENCRYPTION_KEY=aWeIT74xIhGVd9nUOr4YTToTl5rpBEbzc/fv4jemuos=
+AUTHELIA_STORAGE_POSTGRES_HOST=authelia-postgres
+AUTHELIA_STORAGE_POSTGRES_PORT=5432
+AUTHELIA_STORAGE_POSTGRES_DATABASE=authelia_db
+AUTHELIA_STORAGE_POSTGRES_USERNAME=authelia
+AUTHELIA_STORAGE_POSTGRES_PASSWORD=sAdkxFW6k3GiMOrlBpl6OV76eb9cQz/uk95jmA2UpI8=
\ No newline at end of file
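Review bot: `image: authelia/authelia:latest` puts the component that gates every other site on a floating tag, so each image pull can silently move the SSO gateway to a new major release; pin it to a release tag, ideally with a digest — `image: authelia/authelia:<pinned-version>@sha256:<digest>` — and let the update monitor already in the stack (Argus) drive bumps, as is done for `postgres:17-alpine`. The dead block `# environment:` / `# - TZ=America/New_York` / `# - PUID…` sits directly above the real `environment:` key and reads as if TZ were still disabled; remove it. `authelia` itself has no `healthcheck` although `authelia-postgres` does, and with `restart: on-failure:7` seven crashes leave every protected site failing closed until someone intervenes — a reasonable safety default, but worth a comment next to the restart policy so it is not "fixed" to `always` without thought.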
diff --git a/infrastructure/services/authelia/env/authelia_postgres.env b/infrastructure/services/authelia/env/authelia_postgres.env new file mode 100644 index 0000000..b857242 --- /dev/null +++ b/infrastructure/services/authelia/env/authelia_postgres.env @@ -0,0 +1,3 @@ +POSTGRES_USER=authelia +POSTGRES_PASSWORD=sAdkxFW6k3GiMOrlBpl6OV76eb9cQz/uk95jmA2UpI8= +POSTGRES_DB=authelia_db diff --git a/infrastructure/services/caddy/config/Caddyfile b/infrastructure/services/caddy/config/Caddyfile index a89d2b4..3918c12 100644 --- a/infrastructure/services/caddy/config/Caddyfile +++ b/infrastructure/services/caddy/config/Caddyfile @@ -10,13 +10,13 @@ } format json } + + auto_https {$AUTO_HTTPS_OPTIONS} } -# import website/* - - # Common settings import website/header.caddy +import website/authelia_middleware.caddy # All website configurations import website/main.caddy @@ -25,7 +25,7 @@ import website/forgejo.caddy import website/homepage.caddy import website/jellyfin.caddy import website/memos.caddy -import website/open-webui.caddy +import website/openwebui.caddy import website/privatebin.caddy import website/psitransfer.caddy import website/stirlingpdf.caddy @@ -42,3 +42,5 @@ import website/uptimekuma.caddy import website/argus.caddy import website/dependency-track.caddy import website/searxng.caddy +import website/authelia.caddy +import website/dozzle.caddy \ No newline at end of file diff --git a/infrastructure/services/caddy/config/website/argus.caddy b/infrastructure/services/caddy/config/website/argus.caddy index 0265c86..9a18cf3 100644 --- a/infrastructure/services/caddy/config/website/argus.caddy +++ b/infrastructure/services/caddy/config/website/argus.caddy @@ -1,3 +1,4 @@ -argus.{$MAIN_DOMAIN} { +{$SCHEME}://argus.{$MAIN_DOMAIN} { + import authelia_middleware reverse_proxy {$ARGUS_ADDRESS} } 
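Review bot: `auto_https {$AUTO_HTTPS_OPTIONS}` in the global options has no fallback, so a deployment that never sets the variable (it is new in this change and only appears in the README's caddy.env examples) hands Caddy an empty option at startup; the placeholder default syntax avoids that: `auto_https {$AUTO_HTTPS_OPTIONS:ignore_loaded_certs}`. The same applies to the `{$SCHEME}://` prefix now on every site address (argus.caddy on this line and the other `website/*.caddy` hunks): an unset `SCHEME` most likely yields an address of `://argus.…`, and `http` means the Authelia session cookie travels in clear, so `{$SCHEME:https}://` keeps the secure default. caddy.env itself is not in this diff, so if both variables are guaranteed there, a one-line comment naming that file beside the option is enough.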
diff --git a/infrastructure/services/caddy/config/website/authelia.caddy b/infrastructure/services/caddy/config/website/authelia.caddy
new file mode 100644
index 0000000..a861b57
--- /dev/null
+++ b/infrastructure/services/caddy/config/website/authelia.caddy
@@ -0,0 +1,3 @@
+{$SCHEME}://authelia.{$MAIN_DOMAIN} {
+ reverse_proxy {$AUTHELIA_ADDRESS}
+}
diff --git a/infrastructure/services/caddy/config/website/authelia_middleware.caddy b/infrastructure/services/caddy/config/website/authelia_middleware.caddy
new file mode 100644
index 0000000..e1e36d9
--- /dev/null
+++ b/infrastructure/services/caddy/config/website/authelia_middleware.caddy
@@ -0,0 +1,6 @@
+(authelia_middleware) {
+ forward_auth authelia:9091 {
+ uri /api/authz/forward-auth
+ copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+ }
+}
\ No newline at end of file
diff --git a/infrastructure/services/caddy/config/website/cyberchef.caddy b/infrastructure/services/caddy/config/website/cyberchef.caddy
index b4249e2..072f672 100644
--- a/infrastructure/services/caddy/config/website/cyberchef.caddy
+++ b/infrastructure/services/caddy/config/website/cyberchef.caddy
@@ -1,4 +1,5 @@
-cyberchef.{$MAIN_DOMAIN} {
+{$SCHEME}://cyberchef.{$MAIN_DOMAIN} {
+ import authelia_middleware
 # Load balance between 2 instances
 reverse_proxy {
 to cyberchef0:8000 cyberchef1:8000
diff --git a/infrastructure/services/caddy/config/website/dependency-track.caddy b/infrastructure/services/caddy/config/website/dependency-track.caddy
index 323b174..3299fd7 100644
--- a/infrastructure/services/caddy/config/website/dependency-track.caddy
+++ b/infrastructure/services/caddy/config/website/dependency-track.caddy
@@ -1,4 +1,5 @@
-dependency-track.{$MAIN_DOMAIN} {
+{$SCHEME}://dependency-track.{$MAIN_DOMAIN} {
+ import authelia_middleware
 reverse_proxy /api/* {$DEPENDENCY_TRACK_APISERVER_ADDRESS}
 reverse_proxy {$DEPENDENCY_TRACK_FRONTEND_ADDRESS}
 }
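Review bot: `copy_headers Remote-User Remote-Groups Remote-Name Remote-Email` makes every upstream trust identity headers that are only meaningful if they can come exclusively from Caddy; with the backends sharing the `caddy-infra` bridge, any container on that network can reach an upstream port directly and present its own `Remote-User`, so backends that consume these headers must be configured to accept them only from the proxy, or be moved onto a per-service internal network the way `authelia-internal` is. It is also worth confirming that on a `policy: bypass` route, where Authelia returns no identity headers, a client-supplied `Remote-User` is not forwarded unchanged — a request carrying that header to one of the public sites and a dump of what the upstream receives settles it. A comment in the snippet, `# Upstreams must trust Remote-* headers only when they arrive from this proxy`, records the assumption for the next service that is added.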
diff --git a/infrastructure/services/caddy/config/website/dozzle.caddy b/infrastructure/services/caddy/config/website/dozzle.caddy new file mode 100644 index 0000000..d607293 --- /dev/null +++ b/infrastructure/services/caddy/config/website/dozzle.caddy @@ -0,0 +1,4 @@ +{$SCHEME}://dozzle.{$MAIN_DOMAIN} { + import authelia_middleware + reverse_proxy {$DOZZLE_ADDRESS} +} diff --git a/infrastructure/services/caddy/config/website/dufs.caddy b/infrastructure/services/caddy/config/website/dufs.caddy index e7f469e..a1a4fe5 100644 --- a/infrastructure/services/caddy/config/website/dufs.caddy +++ b/infrastructure/services/caddy/config/website/dufs.caddy @@ -1,3 +1,4 @@ -dufs.{$MAIN_DOMAIN} { +{$SCHEME}://dufs.{$MAIN_DOMAIN} { + import authelia_middleware reverse_proxy dufs:5000 } diff --git a/infrastructure/services/caddy/config/website/forgejo.caddy b/infrastructure/services/caddy/config/website/forgejo.caddy index cadefd0..c8378f2 100644 --- a/infrastructure/services/caddy/config/website/forgejo.caddy +++ b/infrastructure/services/caddy/config/website/forgejo.caddy @@ -1,7 +1,9 @@ -git.{$MAIN_DOMAIN} { +{$SCHEME}://git.{$MAIN_DOMAIN} { + import authelia_middleware reverse_proxy {$FORGEJO_ADDRESS} } -forgejo.{$MAIN_DOMAIN} { +{$SCHEME}://forgejo.{$MAIN_DOMAIN} { + import authelia_middleware redir https://git.{$MAIN_DOMAIN}{uri} permanent } diff --git a/infrastructure/services/caddy/config/website/homepage.caddy b/infrastructure/services/caddy/config/website/homepage.caddy index abe8412..0b934a3 100644 --- a/infrastructure/services/caddy/config/website/homepage.caddy +++ b/infrastructure/services/caddy/config/website/homepage.caddy @@ -1,3 +1,4 @@ -homepage.{$MAIN_DOMAIN} { - reverse_proxy {$HOMEPAGE_ADDRESS} +{$SCHEME}://homepage.{$MAIN_DOMAIN} { + import authelia_middleware + redir https://www.{$MAIN_DOMAIN}{uri} permanent } 
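Review bot: `{$SCHEME}://git.{$MAIN_DOMAIN}` now wraps Forgejo in `forward_auth`, which works for the browser UI but not for `git clone`/`git push` over HTTPS or for Actions runners, since those clients authenticate with Forgejo tokens and cannot follow the Authelia portal redirect; unless HTTPS git is meant to be retired in favour of SSH on 2222, either an Authelia rule that bypasses the smart-HTTP paths (`info/refs`, `git-upload-pack`, `git-receive-pack`) or a Caddy matcher that skips the import for them is needed. The `forgejo.{$MAIN_DOMAIN}` block below is a pure `redir`, and in Caddy's default directive order `redir` is, as far as I recall, handled before `forward_auth`, so the `import authelia_middleware` there has no effect; the same holds for the redirect-only sites in homepage.caddy (this line), psitransfer.caddy and qbittorrent.caddy. Dropping the import from redirect-only blocks, or adding `# redirect only, no auth needed` where it stays, keeps the intent readable.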
diff --git a/infrastructure/services/caddy/config/website/it-tools.caddy b/infrastructure/services/caddy/config/website/it-tools.caddy index 47ca4ab..5bb0dac 100644 --- a/infrastructure/services/caddy/config/website/it-tools.caddy +++ b/infrastructure/services/caddy/config/website/it-tools.caddy @@ -1,4 +1,5 @@ -it-tools.{$MAIN_DOMAIN} { +{$SCHEME}://it-tools.{$MAIN_DOMAIN} { + import authelia_middleware # Load balance between 2 instances reverse_proxy { to it-tools0:8080 it-tools1:8080 diff --git a/infrastructure/services/caddy/config/website/jellyfin.caddy b/infrastructure/services/caddy/config/website/jellyfin.caddy index 41dcee0..f93ece7 100644 --- a/infrastructure/services/caddy/config/website/jellyfin.caddy +++ b/infrastructure/services/caddy/config/website/jellyfin.caddy @@ -1,4 +1,5 @@ -jellyfin.{$MAIN_DOMAIN} { +{$SCHEME}://jellyfin.{$MAIN_DOMAIN} { + import authelia_middleware reverse_proxy {$JELLYFIN_ADDRESS} header { import header_common diff --git a/infrastructure/services/caddy/config/website/main.caddy b/infrastructure/services/caddy/config/website/main.caddy index de05cf5..b32819f 100644 --- a/infrastructure/services/caddy/config/website/main.caddy +++ b/infrastructure/services/caddy/config/website/main.caddy @@ -1,4 +1,5 @@ -www.{$MAIN_DOMAIN} { +{$SCHEME}://www.{$MAIN_DOMAIN} { + import authelia_middleware header { Cache-Control "public, max-age=10" import header_common @@ -12,11 +13,11 @@ www.{$MAIN_DOMAIN} { reverse_proxy homepage:3000 } -{$MAIN_DOMAIN} { - redir https://www.{host}{uri} permanent +{$SCHEME}://{$MAIN_DOMAIN} { + redir https://www.{$MAIN_DOMAIN}{uri} permanent } -public.{$MAIN_DOMAIN} { +{$SCHEME}://public.{$MAIN_DOMAIN} { root * /public_data file_server browse diff --git a/infrastructure/services/caddy/config/website/memos.caddy b/infrastructure/services/caddy/config/website/memos.caddy index 275cd81..d603884 100644 --- a/infrastructure/services/caddy/config/website/memos.caddy 
+++ b/infrastructure/services/caddy/config/website/memos.caddy @@ -1,3 +1,4 @@ -memos.{$MAIN_DOMAIN} { +{$SCHEME}://memos.{$MAIN_DOMAIN} { + import authelia_middleware reverse_proxy {$MEMOS_ADDRESS} } diff --git a/infrastructure/services/caddy/config/website/omni-tools.caddy b/infrastructure/services/caddy/config/website/omni-tools.caddy index 8fff24b..14bb981 100644 --- a/infrastructure/services/caddy/config/website/omni-tools.caddy +++ b/infrastructure/services/caddy/config/website/omni-tools.caddy @@ -1,4 +1,5 @@ -omni-tools.{$MAIN_DOMAIN} { +{$SCHEME}://omni-tools.{$MAIN_DOMAIN} { + import authelia_middleware # Load balance between 2 instances reverse_proxy { to omni-tools0:80 omni-tools1:80 diff --git a/infrastructure/services/caddy/config/website/open-webui.caddy b/infrastructure/services/caddy/config/website/open-webui.caddy deleted file mode 100644 index de1096c..0000000 --- a/infrastructure/services/caddy/config/website/open-webui.caddy +++ /dev/null @@ -1,3 +0,0 @@ -open-webui.{$MAIN_DOMAIN} { - reverse_proxy {$OPEN_WEBUI_ADDRESS} -} diff --git a/infrastructure/services/caddy/config/website/openwebui.caddy b/infrastructure/services/caddy/config/website/openwebui.caddy new file mode 100644 index 0000000..4a35602 --- /dev/null +++ b/infrastructure/services/caddy/config/website/openwebui.caddy @@ -0,0 +1,4 @@ +{$SCHEME}://openwebui.{$MAIN_DOMAIN} { + import authelia_middleware + reverse_proxy {$OPEN_WEBUI_ADDRESS} +} diff --git a/infrastructure/services/caddy/config/website/picoshare.caddy b/infrastructure/services/caddy/config/website/picoshare.caddy index 3920850..6d36b17 100644 --- a/infrastructure/services/caddy/config/website/picoshare.caddy +++ b/infrastructure/services/caddy/config/website/picoshare.caddy @@ -1,3 +1,4 @@ -picoshare.{$MAIN_DOMAIN} { +{$SCHEME}://picoshare.{$MAIN_DOMAIN} { + import authelia_middleware reverse_proxy {$PICOSHARE_ADDRESS} } 
diff --git a/infrastructure/services/caddy/config/website/privatebin.caddy b/infrastructure/services/caddy/config/website/privatebin.caddy index f2d0d42..a03889a 100644 --- a/infrastructure/services/caddy/config/website/privatebin.caddy +++ b/infrastructure/services/caddy/config/website/privatebin.caddy @@ -1,7 +1,4 @@ -privatebin.{$MAIN_DOMAIN} { +{$SCHEME}://privatebin.{$MAIN_DOMAIN} { + import authelia_middleware reverse_proxy {$PRIVATEBIN_ADDRESS} } - -pastebin.{$MAIN_DOMAIN} { - redir https://privatebin.{$MAIN_DOMAIN} permanent -} diff --git a/infrastructure/services/caddy/config/website/projectsend.caddy b/infrastructure/services/caddy/config/website/projectsend.caddy index 11bcb04..354aacc 100644 --- a/infrastructure/services/caddy/config/website/projectsend.caddy +++ b/infrastructure/services/caddy/config/website/projectsend.caddy @@ -1,3 +1,4 @@ -projectsend.{$MAIN_DOMAIN} { +{$SCHEME}://projectsend.{$MAIN_DOMAIN} { + import authelia_middleware reverse_proxy {$PROJECTSEND_ADDRESS} } diff --git a/infrastructure/services/caddy/config/website/psitransfer.caddy b/infrastructure/services/caddy/config/website/psitransfer.caddy index adf9514..04e61b6 100644 --- a/infrastructure/services/caddy/config/website/psitransfer.caddy +++ b/infrastructure/services/caddy/config/website/psitransfer.caddy @@ -1,7 +1,9 @@ -transfer.{$MAIN_DOMAIN} { +{$SCHEME}://transfer.{$MAIN_DOMAIN} { + import authelia_middleware reverse_proxy {$PSITRANSFER_ADDRESS} } -psitransfer.{$MAIN_DOMAIN} { +{$SCHEME}://psitransfer.{$MAIN_DOMAIN} { + import authelia_middleware redir https://transfer.{$MAIN_DOMAIN}{uri} permanent } diff --git a/infrastructure/services/caddy/config/website/qbittorrent.caddy b/infrastructure/services/caddy/config/website/qbittorrent.caddy index 85d4dd4..7869213 100644 --- a/infrastructure/services/caddy/config/website/qbittorrent.caddy +++ b/infrastructure/services/caddy/config/website/qbittorrent.caddy 
@@ -1,11 +1,15 @@ -torrent.{$MAIN_DOMAIN} { - reverse_proxy {$QBITTORRENT_ADDRESS} +{$SCHEME}://torrent.{$MAIN_DOMAIN} { + import authelia_middleware + reverse_proxy {$QBITTORRENT_ADDRESS} { + header_up Referer "{$SCHEME}://torrent.{$MAIN_DOMAIN}" + } header { Cache-Control "no-store" import header_common } } -qbittorrent.{$MAIN_DOMAIN} { +{$SCHEME}://qbittorrent.{$MAIN_DOMAIN} { + import authelia_middleware redir https://torrent.{$MAIN_DOMAIN} permanent } diff --git a/infrastructure/services/caddy/config/website/searxng.caddy b/infrastructure/services/caddy/config/website/searxng.caddy index 1a76a0e..804e805 100644 --- a/infrastructure/services/caddy/config/website/searxng.caddy +++ b/infrastructure/services/caddy/config/website/searxng.caddy @@ -1,3 +1,4 @@ -searxng.{$MAIN_DOMAIN} { +{$SCHEME}://searxng.{$MAIN_DOMAIN} { + import authelia_middleware reverse_proxy {$SEARXNG_ADDRESS} } diff --git a/infrastructure/services/caddy/config/website/stirlingpdf.caddy b/infrastructure/services/caddy/config/website/stirlingpdf.caddy index 73203e4..129bbd8 100644 --- a/infrastructure/services/caddy/config/website/stirlingpdf.caddy +++ b/infrastructure/services/caddy/config/website/stirlingpdf.caddy @@ -1,3 +1,4 @@ -stirlingpdf.{$MAIN_DOMAIN} { +{$SCHEME}://stirlingpdf.{$MAIN_DOMAIN} { + import authelia_middleware reverse_proxy {$STIRLINGPDF_ADDRESS} } diff --git a/infrastructure/services/caddy/config/website/syncthing.caddy b/infrastructure/services/caddy/config/website/syncthing.caddy index 45c9673..dbdc233 100644 --- a/infrastructure/services/caddy/config/website/syncthing.caddy +++ b/infrastructure/services/caddy/config/website/syncthing.caddy @@ -1,4 +1,5 @@ -syncthing.{$MAIN_DOMAIN} { +{$SCHEME}://syncthing.{$MAIN_DOMAIN} { + import authelia_middleware reverse_proxy {$SYNCTHING_ADDRESS} { header_up Host {upstream_hostport} } 
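Review bot: The new `header_up Referer "{$SCHEME}://torrent.{$MAIN_DOMAIN}"` replaces whatever Referer the browser sent with a fixed same-origin value on every proxied request, so qBittorrent's CSRF check (which compares Origin/Referer against Host) can no longer tell a genuinely cross-site request from a same-origin one via Referer. If the line exists because qBittorrent was rejecting proxied requests, the narrower fix is to pass the client headers through untouched and add the public hostname to the Web UI's server-domain whitelist, so the upstream check keeps its meaning; if the override is kept on purpose, say why in a comment, e.g. `# Referer pinned because <reason>; qBittorrent CSRF check now relies on Origin only`. The alias still hard-codes `redir https://torrent.{$MAIN_DOMAIN} permanent` while the site addresses use `{$SCHEME}` and the psitransfer alias preserves `{uri}`; `redir {$SCHEME}://torrent.{$MAIN_DOMAIN}{uri} permanent` keeps the three consistent.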
diff --git a/infrastructure/services/caddy/config/website/transmission.caddy b/infrastructure/services/caddy/config/website/transmission.caddy index 75e384c..a4c17d5 100644 --- a/infrastructure/services/caddy/config/website/transmission.caddy +++ b/infrastructure/services/caddy/config/website/transmission.caddy @@ -1,3 +1,4 @@ -transmission.{$MAIN_DOMAIN} { +{$SCHEME}://transmission.{$MAIN_DOMAIN} { + import authelia_middleware reverse_proxy {$TRANSMISSION_ADDRESS} } diff --git a/infrastructure/services/caddy/config/website/uptimekuma.caddy b/infrastructure/services/caddy/config/website/uptimekuma.caddy index 7518e93..3d8500a 100644 --- a/infrastructure/services/caddy/config/website/uptimekuma.caddy +++ b/infrastructure/services/caddy/config/website/uptimekuma.caddy @@ -1,4 +1,5 @@ -uptimekuma.{$MAIN_DOMAIN} { +{$SCHEME}://uptimekuma.{$MAIN_DOMAIN} { + import authelia_middleware reverse_proxy {$UPTIMEKUMA_ADDRESS} header { Cache-Control "no-store" diff --git a/infrastructure/services/caddy/config/website/wordpress.caddy b/infrastructure/services/caddy/config/website/wordpress.caddy index 6289a89..70c05fc 100644 --- a/infrastructure/services/caddy/config/website/wordpress.caddy +++ b/infrastructure/services/caddy/config/website/wordpress.caddy @@ -1,4 +1,5 @@ -wordpress.{$MAIN_DOMAIN} { +{$SCHEME}://wordpress.{$MAIN_DOMAIN} { + import authelia_middleware root * /var/www/html php_fastcgi {$WORDPRESS_ADDRESS} @@ -16,9 +17,6 @@ wordpress.{$MAIN_DOMAIN} { respond /uploads/*.php 404 header { - # disable FLoC tracking - Permissions-Policy interest-cohort=() - # enable HSTS Strict-Transport-Security max-age=31536000; @@ -29,6 +27,6 @@ wordpress.{$MAIN_DOMAIN} { # X-Frame-Options DENY # Disable powerful features we don't need - Permissions-Policy "geolocation=(), camera=(), microphone=() interest-cohort=()" + Permissions-Policy "geolocation=(), camera=(), microphone=()" } } 
diff --git a/infrastructure/services/caddy/docker-compose.caddy.yml b/infrastructure/services/caddy/docker-compose.caddy.yml index b2f4999..4cfbed7 100644 --- a/infrastructure/services/caddy/docker-compose.caddy.yml +++ b/infrastructure/services/caddy/docker-compose.caddy.yml @@ -9,7 +9,7 @@ services: depends_on: main_infrastructure: condition: service_completed_successfully - restart: on-failure:5 + restart: on-failure:7 ports: - 80:80/tcp - 80:80/udp @@ -23,35 +23,17 @@ services: - public_data:/public_data:ro networks: - - qbittorrent-network - - syncthing-network - - jellyfin-network - - forgejo-network - - argus-network - - it-tools-network - - homepage-network - - dufs-network - - cyberchef-network - - open-webui-network - - uptimekuma-network - - stirlingpdf-network - - psitransfer-network - - transmission-network - - projectsend-network - - omni-tools-network - - privatebin-network - - picoshare-network - - memos-network - - dependency-track-network - - searxng-network - - wordpress-network -# - satisfactory-network -# - teamfortress2-network -# - minecraft-network -# - 7daystodie-network -# - openssh-network + - caddy-infra + - caddy-media + - caddy-tools + - caddy-files + - caddy-dev + - caddy-ai + - caddy-web env_file: - ./env/caddy.env + environment: + - TZ=${TZ:-Europe/Paris} security_opt: - no-new-privileges:true healthcheck: @@ -67,9 +49,11 @@ services: - caddy depends_on: - caddy - restart: on-failure:5 + restart: on-failure:7 env_file: - ./env/caddy_backup.env + environment: + - TZ=${TZ:-Europe/Paris} volumes: - caddy_backup:/mnt/restic - caddy_data:/data:ro 
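Review bot: Collapsing the per-service networks into seven shared bridges gives every container on a bridge direct reachability to its neighbours, bypassing Caddy and therefore Authelia: after this commit cyberchef, it-tools and memos all sit on `caddy-tools`, so a compromised tool container can talk to `memos:5230` without ever passing the forward-auth middleware, and the same holds for every other `caddy-*` bridge. The previous layout had only Caddy bridging each service network, which is exactly the property the Authelia rollout in this commit relies on. If the simplification is kept, record the accepted trade-off next to the network list, e.g. `# NOTE: containers on the same caddy-* bridge can reach each other directly; Authelia is only enforced on the Caddy path`, and keep services with their own unauthenticated API (memos, the Dependency-Track API server, the torrent clients) on dedicated networks.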
@@ -90,3 +74,26 @@ volumes: name: wordpress public_data: name: public_data + +networks: + caddy-infra: + driver: bridge + name: caddy-infra + caddy-media: + driver: bridge + name: caddy-media + caddy-tools: + driver: bridge + name: caddy-tools + caddy-files: + driver: bridge + name: caddy-files + caddy-dev: + driver: bridge + name: caddy-dev + caddy-ai: + driver: bridge + name: caddy-ai + caddy-web: + driver: bridge + name: caddy-web diff --git a/infrastructure/services/caddy/env/caddy.env b/infrastructure/services/caddy/env/caddy.env index ece1a14..c435683 100644 --- a/infrastructure/services/caddy/env/caddy.env +++ b/infrastructure/services/caddy/env/caddy.env @@ -8,7 +8,7 @@ FORGEJO_ADDRESS=forgejo:3000 UPTIMEKUMA_ADDRESS=uptime-kuma:3001 MEMOS_ADDRESS=memos:5230 HOMEPAGE_ADDRESS=homepage:3000 -OPEN_WEBUI_ADDRESS=open-webui:8080 +OPEN_WEBUI_ADDRESS=openwebui:8080 PICOSHARE_ADDRESS=picoshare:4001 PRIVATEBIN_ADDRESS=privatebin:8080 PROJECTSEND_ADDRESS=projectsend:80 @@ -20,3 +20,9 @@ WORDPRESS_ADDRESS=wordpress:9000 DEPENDENCY_TRACK_FRONTEND_ADDRESS=dependency-track-frontend:8080 DEPENDENCY_TRACK_APISERVER_ADDRESS=dependency-track-apiserver:8080 SEARXNG_ADDRESS=searxng:8080 +AUTHELIA_ADDRESS=authelia:9091 +DOZZLE_ADDRESS=dozzle:8080 +# Scheme +SCHEME=https +# ignore_loaded_certs off +AUTO_HTTPS_OPTIONS=ignore_loaded_certs diff --git a/infrastructure/services/cyberchef/docker-compose.cyberchef.yml b/infrastructure/services/cyberchef/docker-compose.cyberchef.yml index 981dc45..9e19abd 100644 --- a/infrastructure/services/cyberchef/docker-compose.cyberchef.yml +++ b/infrastructure/services/cyberchef/docker-compose.cyberchef.yml @@ -5,11 +5,11 @@ services: container_name: cyberchef0 profiles: - cyberchef - restart: on-failure:5 + restart: on-failure:7 depends_on: - caddy networks: - - cyberchef-network + - caddy-tools read_only: false security_opt: - no-new-privileges:true 
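Review bot: The comment `# ignore_loaded_certs off` sits directly above a line that turns the option on, and `# Scheme` adds nothing, so the two most consequential new settings in caddy.env are the least explained. In Caddy's `auto_https` directive, `ignore_loaded_certs` keeps ACME management active even for names already covered by a manually loaded certificate, and an `http` value for SCHEME would disable automatic HTTPS for every site address that now starts with `{$SCHEME}://`. Suggested replacements: `# SCHEME must stay https outside local testing: http:// site addresses disable automatic TLS and let the Authelia session cookie travel in clear` and `# Appended to the global auto_https directive; ignore_loaded_certs keeps ACME managing names that a loaded certificate also covers`.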
@@ -30,11 +30,11 @@ services: container_name: cyberchef1 profiles: - cyberchef - restart: on-failure:5 + restart: on-failure:7 depends_on: - caddy networks: - - cyberchef-network + - caddy-tools read_only: false security_opt: - no-new-privileges:true @@ -51,6 +51,6 @@ services: memory: 20M networks: - cyberchef-network: + caddy-tools: driver: bridge - name: cyberchef-network + name: caddy-tools diff --git a/infrastructure/services/dependency-track/docker-compose.dependency-track.yml b/infrastructure/services/dependency-track/docker-compose.dependency-track.yml index f90820e..2488333 100644 --- a/infrastructure/services/dependency-track/docker-compose.dependency-track.yml +++ b/infrastructure/services/dependency-track/docker-compose.dependency-track.yml @@ -9,9 +9,10 @@ services: condition: service_healthy env_file: - ./env/dependency-track.env - restart: on-failure:5 + restart: on-failure:7 networks: - - dependency-track-network + - caddy-web + - dependency-track-internal deploy: resources: limits: @@ -26,9 +27,10 @@ services: container_name: dependency-track-frontend profiles: - dependency-track - restart: on-failure:5 + restart: on-failure:7 networks: - - dependency-track-network + - caddy-web + - dependency-track-internal depends_on: dependency-track-apiserver: condition: service_healthy @@ -45,15 +47,15 @@ services: profiles: - dependency-track env_file: - - ./env/dependency-track.env - restart: on-failure:5 + - ./env/postgres.env + restart: on-failure:7 networks: - - dependency-track-network + - dependency-track-internal healthcheck: test: [ "CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB}" ] interval: 5s timeout: 3s - retries: 3 + retries: 5 volumes: - "dtrack-postgres-data:/var/lib/postgresql/data" 
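Review bot: `dependency-track-frontend` is attached to `dependency-track-internal` although the configuration notes deleted from dependency-track.env in this same commit state that the frontend only serves static files and never talks to the API server itself; the only other member of that network is the Postgres container, so the attachment only widens the database's reachability. Keep the frontend on `caddy-web` alone and reserve `dependency-track-internal` for the API server and Postgres. A comment on the network block such as `# dependency-track-internal: apiserver <-> postgres only` would make the intent durable; the Postgres env-file split and `retries: 5` look fine.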
@@ -64,6 +66,9 @@ volumes: name: dtrack-postgres-data networks: - dependency-track-network: + caddy-web: driver: bridge - name: dependency-track-network + name: caddy-web + dependency-track-internal: + driver: bridge + name: dependency-track-internal diff --git a/infrastructure/services/dependency-track/env/dependency-track.env b/infrastructure/services/dependency-track/env/dependency-track.env index 3cce4df..9593033 100644 --- a/infrastructure/services/dependency-track/env/dependency-track.env +++ b/infrastructure/services/dependency-track/env/dependency-track.env 
@@ -1,114 +1,7 @@ -# apiserver - - # The Dependency-Track container can be configured using any of the - # available configuration properties defined in: - # https://docs.dependencytrack.org/getting-started/configuration/ - # All properties are upper case with periods replaced by underscores. - # - # Database Properties - # ALPINE_DATABASE_MODE: "external" - # ALPINE_DATABASE_URL: "jdbc:postgresql://postgres10:5432/dtrack" - # ALPINE_DATABASE_DRIVER: "org.postgresql.Driver" - # ALPINE_DATABASE_USERNAME: "dtrack" - # ALPINE_DATABASE_PASSWORD: "changeme" - # ALPINE_DATABASE_POOL_ENABLED: "true" - # ALPINE_DATABASE_POOL_MAX_SIZE: "20" - # ALPINE_DATABASE_POOL_MIN_IDLE: "10" - # ALPINE_DATABASE_POOL_IDLE_TIMEOUT: "300000" - # ALPINE_DATABASE_POOL_MAX_LIFETIME: "600000" - # - # Optional LDAP Properties - # ALPINE_LDAP_ENABLED: "true" - # ALPINE_LDAP_SERVER_URL: "ldap://ldap.example.com:389" - # ALPINE_LDAP_BASEDN: "dc=example,dc=com" - # ALPINE_LDAP_SECURITY_AUTH: "simple" - # ALPINE_LDAP_BIND_USERNAME: "" - # ALPINE_LDAP_BIND_PASSWORD: "" - # ALPINE_LDAP_AUTH_USERNAME_FORMAT: "%s@example.com" - # ALPINE_LDAP_ATTRIBUTE_NAME: "userPrincipalName" - # ALPINE_LDAP_ATTRIBUTE_MAIL: "mail" - # ALPINE_LDAP_GROUPS_FILTER: "(&(objectClass=group)(objectCategory=Group))" - # ALPINE_LDAP_USER_GROUPS_FILTER: "(member:1.2.840.113556.1.4.1941:={USER_DN})" - # ALPINE_LDAP_GROUPS_SEARCH_FILTER: "(&(objectClass=group)(objectCategory=Group)(cn=*{SEARCH_TERM}*))" - # ALPINE_LDAP_USERS_SEARCH_FILTER: "(&(objectClass=user)(objectCategory=Person)(cn=*{SEARCH_TERM}*))" - # ALPINE_LDAP_USER_PROVISIONING: "false" - # ALPINE_LDAP_TEAM_SYNCHRONIZATION: "false" - # - # Optional OpenID Connect (OIDC) Properties - # ALPINE_OIDC_ENABLED: "true" - # ALPINE_OIDC_ISSUER: "https://auth.example.com/auth/realms/example" - # ALPINE_OIDC_CLIENT_ID: "" - # ALPINE_OIDC_USERNAME_CLAIM: "preferred_username" - # ALPINE_OIDC_TEAMS_CLAIM: "groups" - # ALPINE_OIDC_USER_PROVISIONING: "true" - # 
ALPINE_OIDC_TEAM_SYNCHRONIZATION: "true" - # - # Optional HTTP Proxy Settings - # ALPINE_HTTP_PROXY_ADDRESS: "proxy.example.com" - # ALPINE_HTTP_PROXY_PORT: "8888" - # ALPINE_HTTP_PROXY_USERNAME: "" - # ALPINE_HTTP_PROXY_PASSWORD: "" - # ALPINE_NO_PROXY: "" - # - # Optional HTTP Outbound Connection Timeout Settings. All values are in seconds. - # ALPINE_HTTP_TIMEOUT_CONNECTION: "30" - # ALPINE_HTTP_TIMEOUT_SOCKET: "30" - # ALPINE_HTTP_TIMEOUT_POOL: "60" - # - # Optional Cross-Origin Resource Sharing (CORS) Headers - # ALPINE_CORS_ENABLED: "true" - # ALPINE_CORS_ALLOW_ORIGIN: "*" - # ALPINE_CORS_ALLOW_METHODS: "GET, POST, PUT, DELETE, OPTIONS" - # ALPINE_CORS_ALLOW_HEADERS: "Origin, Content-Type, Authorization, X-Requested-With, Content-Length, Accept, Origin, X-Api-Key, X-Total-Count, *" - # ALPINE_CORS_EXPOSE_HEADERS: "Origin, Content-Type, Authorization, X-Requested-With, Content-Length, Accept, Origin, X-Api-Key, X-Total-Count" - # ALPINE_CORS_ALLOW_CREDENTIALS: "true" - # ALPINE_CORS_MAX_AGE: "3600" - # - # Optional logging configuration - # LOGGING_LEVEL: "INFO" - # LOGGING_CONFIG_PATH: "logback.xml" - # - # Optional metrics properties - # ALPINE_METRICS_ENABLED: "true" - # ALPINE_METRICS_AUTH_USERNAME: "" - # ALPINE_METRICS_AUTH_PASSWORD: "" - # - # Optional environmental variables to enable default notification publisher templates override and set the base directory to search for templates - # DEFAULT_TEMPLATES_OVERRIDE_ENABLED: "false" - # DEFAULT_TEMPLATES_OVERRIDE_BASE_DIRECTORY: "/data" - # - # Optional configuration for the Snyk analyzer - # SNYK_THREAD_BATCH_SIZE: "10" - # - # Optional environmental variables to provide more JVM arguments to the API Server JVM, i.e. 
"-XX:ActiveProcessorCount=8" - # EXTRA_JAVA_OPTIONS: "" ALPINE_DATABASE_MODE="external" ALPINE_DATABASE_URL="jdbc:postgresql://dependency-track-postgres:5432/dtrack" ALPINE_DATABASE_DRIVER="org.postgresql.Driver" ALPINE_DATABASE_USERNAME="dtrack" ALPINE_DATABASE_PASSWORD="dtrack" - - -# frontend - - - # The base URL of the API server. - # NOTE: - # * This URL must be reachable by the browsers of your users. - # * The frontend container itself does NOT communicate with the API server directly, it just serves static files. - # * When deploying to dedicated servers, please use the external IP or domain of the API server. - # OIDC_ISSUER: "" - # OIDC_CLIENT_ID: "" - # OIDC_SCOPE: "" - # OIDC_FLOW: "" - # OIDC_LOGIN_BUTTON_TEXT: "" - # volumes: - # - "/host/path/to/config.json:/app/static/config.json" - API_BASE_URL="https://dependency-track.bensuperpc.org" - -# postgres -POSTGRES_DB="dtrack" -POSTGRES_USER="dtrack" -POSTGRES_PASSWORD="dtrack" diff --git a/infrastructure/services/dependency-track/env/postgres.env b/infrastructure/services/dependency-track/env/postgres.env new file mode 100644 index 0000000..b45a53e --- /dev/null +++ b/infrastructure/services/dependency-track/env/postgres.env @@ -0,0 +1,3 @@ +POSTGRES_DB="dtrack" +POSTGRES_USER="dtrack" +POSTGRES_PASSWORD="dtrack" diff --git a/infrastructure/services/dozzle/config/users.yml b/infrastructure/services/dozzle/config/users.yml new file mode 100644 index 0000000..42164c6 --- /dev/null +++ b/infrastructure/services/dozzle/config/users.yml @@ -0,0 +1,7 @@ +users: + bensuperpc: + email: bensuperpc@gmail.com + name: bensuperpc + password: $2a$11$w56N4NICh5xD5Bbq6Z2Z2ef9/QUaa/YKleMiawn/Bru9hYsQOJyrm + filter: "" + roles: "" \ No newline at end of file diff --git a/infrastructure/services/dozzle/docker-compose.dozzle.yml b/infrastructure/services/dozzle/docker-compose.dozzle.yml new file mode 100644 index 0000000..4deb538 --- /dev/null +++ b/infrastructure/services/dozzle/docker-compose.dozzle.yml 
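Review bot: `API_BASE_URL="https://dependency-track.bensuperpc.org"` is removed together with the frontend section, but nothing in this diff re-supplies it; the deleted comments describe it as the URL browsers must reach the API server on, so if the frontend container still reads this env file it now starts without it, and if it moved to a frontend-specific file that file is not in the diff. The retained `ALPINE_DATABASE_PASSWORD="dtrack"` is a committed default (username equals password) and should be replaced before deployment. At minimum annotate it: `# CHANGEME before deploying; must match POSTGRES_PASSWORD in postgres.env`.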
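Review bot: The new file commits `POSTGRES_PASSWORD="dtrack"` into a public repository; moving Postgres onto `dependency-track-internal` limits who can reach it, but every container on that bridge (now including the frontend) can log in with this value. Generate a real secret, keep the file untracked (`.gitignore` it and commit a `postgres.env.example`), or reference a Docker secret instead. Add a header so the coupling is visible: `# Value is duplicated in ALPINE_DATABASE_PASSWORD (dependency-track.env) — keep in sync`.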
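Review bot: `config/users.yml` commits a bcrypt hash (`$2a$11$…`) and a personal e-mail address for the only Dozzle user, and the same file is what the `dozzle_users` secret mounts. Cost factor 11 is adequate against online guessing, but anyone with the repository can crack the hash offline at leisure, and rotating it requires a new commit. Keep the real file untracked and commit a template with a placeholder hash, and add the missing trailing newline. Empty `filter` and `roles` leave this account with whatever scope Dozzle grants an unrestricted user; state that intent in a comment so it is not mistaken for an omission.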
@@ -0,0 +1,56 @@ +services: + dozzle: + image: amir20/dozzle:latest + container_name: dozzle + profiles: + - dozzle + restart: on-failure:7 + depends_on: + - caddy + - dozzle-dockerproxy + env_file: + - ./env/dozzle.env + environment: + - TZ=${TZ:-Europe/Paris} + volumes: + - dozzle_data:/data + secrets: + - source: dozzle_users + target: /data/users.yml + networks: + - caddy-infra + - dozzle-internal + + dozzle-dockerproxy: + image: tecnativa/docker-socket-proxy:latest + container_name: dozzle-dockerproxy + profiles: + - dozzle + restart: on-failure:7 + environment: + - CONTAINERS=1 + - POST=0 + - PING=1 + - VERSION=1 + - EVENTS=1 + - INFO=1 + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + networks: + - dozzle-internal + +networks: + caddy-infra: + driver: bridge + name: caddy-infra + dozzle-internal: + driver: bridge + name: dozzle-internal + +volumes: + dozzle_data: + name: dozzle_data + +secrets: + dozzle_users: + file: ./config/users.yml \ No newline at end of file diff --git a/infrastructure/services/dozzle/env/dozzle.env b/infrastructure/services/dozzle/env/dozzle.env new file mode 100644 index 0000000..9eccff9 --- /dev/null +++ b/infrastructure/services/dozzle/env/dozzle.env @@ -0,0 +1,2 @@ +DOZZLE_AUTH_PROVIDER=simple +DOZZLE_REMOTE_HOST=tcp://dozzle-dockerproxy:2375 diff --git a/infrastructure/services/dufs/docker-compose.dufs.yml b/infrastructure/services/dufs/docker-compose.dufs.yml index 513961e..0258c2f 100644 --- a/infrastructure/services/dufs/docker-compose.dufs.yml +++ b/infrastructure/services/dufs/docker-compose.dufs.yml @@ -6,7 +6,7 @@ services: profiles: - dufs # user: ${PUID:-1000}:${PGID:-1000} - restart: on-failure:5 + restart: on-failure:7 depends_on: - caddy env_file: @@ -14,7 +14,7 @@ services: volumes: - public_data:/data networks: - - dufs-network + - caddy-files security_opt: - no-new-privileges:true 
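Review bot: `CONTAINERS=1` on the socket proxy permits `GET /containers/{id}/json`, which returns each container's `Config.Env`; since this stack passes database passwords and similar in through `env_file`, a compromised Dozzle can read every container secret on the host through the proxy even with `POST=0`. That is inherent to how Dozzle discovers containers, so it should be stated next to the proxy, e.g. `# CONTAINERS=1 also exposes container inspect incl. env vars — treat dozzle as holding all container secrets`. Neither new service carries the `security_opt: no-new-privileges:true` the rest of the stack applies, and both images are `:latest`; pin at least the socket proxy, which is the trust boundary here. The `:ro` on the socket bind mount does not restrict API calls — only the proxy's allow-list does — so it should not be read as a second guard.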
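Review bot: `DOZZLE_AUTH_PROVIDER=simple` introduces a second password store for a service that, judging by `DOZZLE_ADDRESS` being added to caddy.env, is meant to sit behind the same Caddy/Authelia front as everything else. Dozzle's documentation describes a `forward-proxy` provider that trusts `Remote-User`/`Remote-Email` headers from an authenticating proxy; using it would remove the committed users.yml entirely, provided the Dozzle vhost (not in this diff) applies `authelia_middleware` and Dozzle is reachable only through Caddy. If simple auth is kept deliberately, record that: `# simple auth kept on purpose as a second layer in case the Caddy/Authelia path is bypassed`.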
@@ -25,6 +25,6 @@ volumes: name: private_data networks: - dufs-network: + caddy-files: driver: bridge - name: dufs-network \ No newline at end of file + name: caddy-files \ No newline at end of file diff --git a/infrastructure/services/forgejo/docker-compose.forgejo.yml b/infrastructure/services/forgejo/docker-compose.forgejo.yml index e4ba373..1ca93e8 100644 --- a/infrastructure/services/forgejo/docker-compose.forgejo.yml +++ b/infrastructure/services/forgejo/docker-compose.forgejo.yml @@ -5,7 +5,7 @@ services: container_name: forgejo profiles: - forgejo - restart: on-failure:5 + restart: on-failure:7 depends_on: - database_forgejo - caddy @@ -18,7 +18,8 @@ services: - /etc/timezone:/etc/timezone:ro - /etc/localtime:/etc/localtime:ro networks: - - forgejo-network + - caddy-dev + - forgejo-internal # user: ${PUID:-1000}:${PGID:-1000} security_opt: - no-new-privileges:true @@ -31,14 +32,14 @@ services: - forgejo depends_on: - caddy - restart: on-failure:5 + restart: on-failure:7 volumes: - forgejo_db:/var/lib/mysql:rw env_file: - ./env/forgejo_db.env command: '--default-authentication-plugin=mysql_native_password' networks: - - forgejo-network + - forgejo-internal security_opt: - no-new-privileges:true @@ -48,7 +49,7 @@ services: container_name: 'docker_dind' hostname: docker networks: - - forgejo-network + - forgejo-internal profiles: - forgejo-runner privileged: true @@ -61,7 +62,7 @@ services: forgejo_runner: image: data.forgejo.org/forgejo/runner:12 networks: - - forgejo-network + - forgejo-internal profiles: - forgejo-runner depends_on: @@ -91,6 +92,9 @@ volumes: name: forgejo_runner networks: - forgejo-network: + caddy-dev: driver: bridge - name: forgejo-network + name: caddy-dev + forgejo-internal: + driver: bridge + name: forgejo-internal diff --git a/infrastructure/services/homepage/config/docker.yaml b/infrastructure/services/homepage/config/docker.yaml index d5d3ec0..073a435 100644 --- a/infrastructure/services/homepage/config/docker.yaml 
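Review bot: The split leaves `docker_dind` (`privileged: true`) and `forgejo_runner` on `forgejo-internal` together with `database_forgejo`, so a job that escapes the runner or dind can reach MySQL on the same bridge. Since the commit already pays the cost of separate networks, a dedicated `forgejo-runner` bridge holding only forgejo, the runner and dind would confine the privileged container while keeping the database on a network that only forgejo shares. Only the network lines are new here; the runner and dind service definitions continue outside the hunk.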
+++ b/infrastructure/services/homepage/config/docker.yaml @@ -2,9 +2,6 @@ # For configuration options and examples, please see: # https://gethomepage.dev/configs/docker -#jellyfin: -# host: jellyfin -# port: 8096 - -#my-docker: -# socket: /var/run/docker.sock +my-docker: + host: homepage-dockerproxy + port: 2375 diff --git a/infrastructure/services/homepage/config/services.yaml b/infrastructure/services/homepage/config/services.yaml index e8ab53f..9c63248 100644 --- a/infrastructure/services/homepage/config/services.yaml +++ b/infrastructure/services/homepage/config/services.yaml 
@@ -2,112 +2,135 @@ # For configuration options and examples, please see: # https://gethomepage.dev/configs/services/ -- Personal: - - wordpress: - icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/wordpress.png - href: https://wordpress.bensuperpc.org/ - description: Wordpress - ping: wordpress.bensuperpc.org - # container: wordpress - - jellyfin: - icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/jellyfin.png - href: https://jellyfin.bensuperpc.org/ - description: Jellyfin - ping: jellyfin.bensuperpc.org - # container: jellyfin - - projectsend: - icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/projectsend.png - href: https://projectsend.bensuperpc.org/ - description: ProjectSend - ping: projectsend.bensuperpc.org - # container: projectsend -- Sharing: - - psitransfer: - icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/psitransfer.png - href: https://psitransfer.bensuperpc.org/ - description: PsiTransfer - ping: psitransfer.bensuperpc.org - # container: psitransfer - - picoshare: -# icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/picoshare.png - href: https://picoshare.bensuperpc.org/ - description: PicoShare - ping: picoshare.bensuperpc.org - # container: picoshare - - privatebin: - icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/privatebin.png - href: https://privatebin.bensuperpc.org/ - description: PrivateBin - ping: privatebin.bensuperpc.org - # container: privatebin - - qbittorrent: - icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/qbittorrent.png - href: https://qbittorrent.bensuperpc.org/ - description: qBittorrent - ping: qbittorrent.bensuperpc.org - # container: qbittorrent - - syncthing: - icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/syncthing.png - href: https://syncthing.bensuperpc.org/ - description: Syncthing - ping: syncthing.bensuperpc.org - # container: syncthing - - 
transmission: - icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/transmission.png - href: https://transmission.bensuperpc.org/ - description: Transmission - ping: transmission.bensuperpc.org - # container: transmission - - dufs: -# icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/dufs.png - href: https://dufs.bensuperpc.org/ - description: Dufs - ping: dufs.bensuperpc.org - # container: dufs -# - caddy: -# icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/caddy.png -# href: https://public.bensuperpc.org/ -# description: File browser -# ping: public.bensuperpc.org -# # container: caddy - -- Utils: +- Public: - it-tools: icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/it-tools.png href: https://it-tools.bensuperpc.org/ description: IT Tools - ping: it-tools.bensuperpc.org - # container: it-tools0 + # ping: it-tools.bensuperpc.org + container: it-tools0 + server: my-docker - omni-tools: icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/it-tools.png href: https://omni-tools.bensuperpc.org/ description: Omni Tools - ping: omni-tools.bensuperpc.org - # container: omni-tools0 + # ping: omni-tools.bensuperpc.org + container: omni-tools0 + server: my-docker - cyberchef: icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/cyberchef.png href: https://cyberchef.bensuperpc.org/ description: CyberChef - ping: cyberchef.bensuperpc.org - # container: cyberchef0 + # ping: cyberchef.bensuperpc.org + container: cyberchef0 + server: my-docker + - caddy: + icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/caddy.png + href: https://public.bensuperpc.org/ + description: File browser + # ping: public.bensuperpc.org + container: caddy + server: my-docker + - psitransfer: + icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/psitransfer.png + href: https://psitransfer.bensuperpc.org/ + description: PsiTransfer + # ping: 
psitransfer.bensuperpc.org + container: psitransfer + server: my-docker - stirlingpdf: #icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/stirlingpdf.png href: https://stirlingpdf.bensuperpc.org/ description: StirlingPDF - ping: stirlingpdf.bensuperpc.org - # container: stirlingpdf + # ping: stirlingpdf.bensuperpc.org + container: stirlingpdf + server: my-docker + - privatebin: + icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/privatebin.png + href: https://privatebin.bensuperpc.org/ + description: PrivateBin + # ping: privatebin.bensuperpc.org + container: privatebin + server: my-docker - forgejo: icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/forgejo.png href: https://forgejo.bensuperpc.org/ description: Forgejo - ping: forgejo.bensuperpc.org - # container: forgejo + # ping: forgejo.bensuperpc.org + container: forgejo + server: my-docker + - wordpress: + icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/wordpress.png + href: https://wordpress.bensuperpc.org/ + description: Wordpress + # ping: wordpress.bensuperpc.org + container: wordpress + server: my-docker + - dufs: +# icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/dufs.png + href: https://dufs.bensuperpc.org/ + description: Dufs + # ping: dufs.bensuperpc.org + container: dufs + server: my-docker + +- Personal: + - jellyfin: + icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/jellyfin.png + href: https://jellyfin.bensuperpc.org/ + description: Jellyfin + # ping: jellyfin.bensuperpc.org + container: jellyfin + server: my-docker + - projectsend: + icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/projectsend.png + href: https://projectsend.bensuperpc.org/ + description: ProjectSend + # ping: projectsend.bensuperpc.org + container: projectsend + server: my-docker + - searxng: + icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/searxng.png + 
href: https://searxng.bensuperpc.org/ + description: SearXNG + # ping: searxng.bensuperpc.org + container: searxng + server: my-docker - open-webui: icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/open-webui.png - href: https://open-webui.bensuperpc.org/ + href: https://openwebui.bensuperpc.org/ description: ChatGPT local - ping: open-webui.bensuperpc.org - # container: open-webui + # ping: openwebui.bensuperpc.org + container: openwebui + server: my-docker + - picoshare: +# icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/picoshare.png + href: https://picoshare.bensuperpc.org/ + description: PicoShare + # ping: picoshare.bensuperpc.org + container: picoshare + server: my-docker + - qbittorrent: + icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/qbittorrent.png + href: https://qbittorrent.bensuperpc.org/ + description: qBittorrent + # ping: qbittorrent.bensuperpc.org + container: qbittorrent + server: my-docker + - syncthing: + icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/syncthing.png + href: https://syncthing.bensuperpc.org/ + description: Syncthing + # ping: syncthing.bensuperpc.org + container: syncthing + server: my-docker + - transmission: + icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/transmission.png + href: https://transmission.bensuperpc.org/ + description: Transmission + # ping: transmission.bensuperpc.org + container: transmission + server: my-docker - Games: - minecraft: 
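Review bot: The new `Public` group lists privatebin, psitransfer, forgejo, wordpress and dufs, yet the Caddy changes in this commit add `import authelia_middleware` to the privatebin, transfer and wordpress vhosts. Whether those sites are actually public depends on Authelia's access-control rules, which are not in the diff; if they are `bypass` rules the grouping is right, otherwise the dashboard labels mislead. A comment at the top of the group naming the rule it mirrors, e.g. `# Public = sites with an Authelia bypass rule; Personal = login required`, would tie the two configurations together.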
@@ -116,18 +139,21 @@ description: Minecraft server # ping: minecraft.bensuperpc.org # container: minecraft-server + #server: my-docker - 7dtd: # icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/7dtd.png # href: https://7dtd.bensuperpc.org/ description: 7 Days to Die server # ping: 7dtd.bensuperpc.org # container: 7daystodie_server + #server: my-docker - satisfactory: # icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/7dtd.png # href: https://7dtd.bensuperpc.org/ description: Satisfactory server # ping: 7dtd.bensuperpc.org # container: satisfactory_server + #server: my-docker - Admin: - uptime-kuma: @@ -135,5 +161,19 @@ href: https://uptimekuma.bensuperpc.org/ description: Uptime Kuma ping: uptimekuma.bensuperpc.org - # container: uptime-kuma - + container: uptime-kuma + server: my-docker + - authelia: + icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/authelia.png + href: https://authelia.bensuperpc.org/ + description: Authelia + # ping: authelia.bensuperpc.org + container: authelia + server: my-docker + - dozzle: + icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/dozzle.png + href: https://dozzle.bensuperpc.org/ + description: Dozzle + # ping: dozzle.bensuperpc.org + container: dozzle + server: my-docker \ No newline at end of file diff --git a/infrastructure/services/homepage/config/settings.yaml b/infrastructure/services/homepage/config/settings.yaml index a9b0ddd..fe2fe74 100644 --- a/infrastructure/services/homepage/config/settings.yaml +++ b/infrastructure/services/homepage/config/settings.yaml @@ -24,19 +24,15 @@ color: slate language: en layout: - Personal: + Public: style: row columns: 6 - Sharing: + Personal: style: row columns: 6 Admin: style: row columns: 6 - Utils: - style: row - columns: 6 - initiallyCollapsed: false Games: style: row columns: 6 
diff --git a/infrastructure/services/homepage/config/widgets.yaml b/infrastructure/services/homepage/config/widgets.yaml index 83975bc..e28b41d 100644 --- a/infrastructure/services/homepage/config/widgets.yaml +++ b/infrastructure/services/homepage/config/widgets.yaml @@ -1,7 +1,6 @@ --- # For configuration options and examples, please see: # https://gethomepage.dev/widgets/services/ -# https://gethomepage.dev/widgets/services/qbittorrent/ #- logo: # icon: /image/daisy.jpg diff --git a/infrastructure/services/homepage/docker-compose.homepage.yml b/infrastructure/services/homepage/docker-compose.homepage.yml index 82677f9..c858bc3 100644 --- a/infrastructure/services/homepage/docker-compose.homepage.yml +++ b/infrastructure/services/homepage/docker-compose.homepage.yml @@ -5,34 +5,49 @@ services: container_name: homepage profiles: - homepage - restart: on-failure:5 + restart: on-failure:7 # environment: # - PUID=${PUID:-1000} # - PGID=${PGID:-1000} depends_on: - caddy + - homepage-dockerproxy env_file: - ./env/homepage.env + environment: + - TZ=${TZ:-Europe/Paris} volumes: - homepage_log:/app/logs - ./config:/app/config - ./image:/app/public/image:ro - # - /var/run/docker.sock:/var/run/docker.sock:ro -# develop: -# watch: -# - action: sync+restart -# path: ./homepage/image -# target: /app/public/image networks: - - homepage-network + - caddy-infra + - homepage-internal security_opt: - no-new-privileges:true + homepage-dockerproxy: + image: tecnativa/docker-socket-proxy:latest + container_name: homepage-dockerproxy + profiles: + - homepage + restart: on-failure:7 + environment: + - CONTAINERS=1 + - POST=0 + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + networks: + - homepage-internal + volumes: homepage_log: name: homepage_log networks: - homepage-network: + caddy-infra: driver: bridge - name: homepage-network + name: caddy-infra + homepage-internal: + driver: bridge + name: homepage-internal 
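Review bot: `homepage-dockerproxy` with `CONTAINERS=1` exposes `GET /containers/{id}/json` and therefore every container's environment variables, which is far broader than the status widgets in services.yaml need; the proxy has no finer-grained switch, so acknowledge it in a comment and keep the proxy on `homepage-internal` only, as done. The proxy service lacks `security_opt: no-new-privileges:true` and is pulled as `:latest`, unlike homepage itself. `./config:/app/config` is mounted read-write while `./image` is `:ro`; if Homepage does not need to write its config at runtime, `:ro` keeps a compromised dashboard from persisting changes.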
diff --git a/infrastructure/services/homepage/env/homepage.env b/infrastructure/services/homepage/env/homepage.env index 2758c7b..f64306e 100644 --- a/infrastructure/services/homepage/env/homepage.env +++ b/infrastructure/services/homepage/env/homepage.env @@ -1,3 +1 @@ -PSITRANSFER_ADMIN_PASS=n9jLVNT9QUotTJTT91JqH4GyBTg9pvEn -#PSITRANSFER_PORT=3000 -HOMEPAGE_ALLOWED_HOSTS=www.bensuperpc.org +HOMEPAGE_ALLOWED_HOSTS=www.bensuperpc.org,homepage.bensuperpc.org diff --git a/infrastructure/services/it-tools/docker-compose.it-tools.yml b/infrastructure/services/it-tools/docker-compose.it-tools.yml index 5132f07..645c530 100644 --- a/infrastructure/services/it-tools/docker-compose.it-tools.yml +++ b/infrastructure/services/it-tools/docker-compose.it-tools.yml @@ -5,16 +5,18 @@ services: container_name: it-tools0 profiles: - it-tools - restart: on-failure:5 + restart: on-failure:7 depends_on: - caddy networks: - - it-tools-network + - caddy-tools read_only: false security_opt: - no-new-privileges:true cap_drop: - SYS_ADMIN + environment: + - TZ=${TZ:-Europe/Paris} deploy: resources: @@ -30,16 +32,18 @@ services: container_name: it-tools1 profiles: - it-tools - restart: on-failure:5 + restart: on-failure:7 depends_on: - caddy networks: - - it-tools-network + - caddy-tools read_only: false security_opt: - no-new-privileges:true cap_drop: - SYS_ADMIN + environment: + - TZ=${TZ:-Europe/Paris} deploy: resources: @@ -51,6 +55,6 @@ services: memory: 20M networks: - it-tools-network: + caddy-tools: driver: bridge - name: it-tools-network + name: caddy-tools diff --git a/infrastructure/services/jellyfin/docker-compose.jellyfin.yml b/infrastructure/services/jellyfin/docker-compose.jellyfin.yml index 9494662..dc91ef3 100644 --- a/infrastructure/services/jellyfin/docker-compose.jellyfin.yml +++ b/infrastructure/services/jellyfin/docker-compose.jellyfin.yml 
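Review bot: Deleting `PSITRANSFER_ADMIN_PASS=n9jLVNT9QUotTJTT91JqH4GyBTg9pvEn` from the file does not revoke it — the value remains in the git history of a public repository, so the PsiTransfer admin password must be rotated, and the leak recorded or the history rewritten. Its presence in homepage.env suggests it fed a Homepage widget; if that widget is gone, fine, otherwise the replacement belongs in an untracked file. The `HOMEPAGE_ALLOWED_HOSTS` extension is correct and harmless.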
@@ -5,10 +5,11 @@ services: container_name: jellyfin profiles: - jellyfin - restart: on-failure:5 + restart: on-failure:7 environment: - PUID=${PUID:-1000} - PGID=${PGID:-1000} + - TZ=${TZ:-Europe/Paris} depends_on: - caddy env_file: @@ -22,7 +23,7 @@ services: devices: - /dev/dri:/dev/dri networks: - - jellyfin-network + - caddy-media security_opt: - no-new-privileges:true @@ -37,6 +38,6 @@ volumes: name: private_data networks: - jellyfin-network: + caddy-media: driver: bridge - name: jellyfin-network + name: caddy-media diff --git a/infrastructure/services/jellyfin/env/jellyfin.env b/infrastructure/services/jellyfin/env/jellyfin.env index 238bd92..34f5b0e 100644 --- a/infrastructure/services/jellyfin/env/jellyfin.env +++ b/infrastructure/services/jellyfin/env/jellyfin.env @@ -1,2 +1 @@ -TZ=Etc/UTC -DOCKER_MODS=linuxserver/mods:jellyfin-opencl-intel \ No newline at end of file +DOCKER_MODS=linuxserver/mods:jellyfin-opencl-intel diff --git a/infrastructure/services/main/docker-compose.main.yml b/infrastructure/services/main/docker-compose.main.yml index 8fe108e..8a5d962 100644 --- a/infrastructure/services/main/docker-compose.main.yml +++ b/infrastructure/services/main/docker-compose.main.yml @@ -23,12 +23,42 @@ services: profiles: - main_infrastructure image: nickfedor/watchtower:latest + environment: + - TZ=${TZ:-Europe/Paris} volumes: - /var/run/docker.sock:/var/run/docker.sock - restart: unless-stopped + restart: on-failure:7 + networks: + - watchtower-network volumes: public_data: name: public_data private_data: name: private_data + +networks: + watchtower-network: + driver: bridge + name: watchtower-network + caddy-infra: + driver: bridge + name: caddy-infra + caddy-media: + driver: bridge + name: caddy-media + caddy-tools: + driver: bridge + name: caddy-tools + caddy-files: + driver: bridge + name: caddy-files + caddy-dev: + driver: bridge + name: caddy-dev + caddy-ai: + driver: bridge + name: caddy-ai + caddy-web: + driver: bridge + name: caddy-web 
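Review bot: `watchtower` keeps the raw `/var/run/docker.sock` bind mount, read-write and with no `security_opt:` / `- no-new-privileges:true`, while the same commit puts `homepage` behind `tecnativa/docker-socket-proxy`; an updater does need Engine write access, so a proxy for it would have to allow the specific write endpoints rather than `POST=0`, but it would still bound what a compromised `nickfedor/watchtower:latest` can do, and the image tag should be pinned either way. Switching it from `unless-stopped` to `on-failure:7` also changes recovery behaviour — as I read Docker's restart semantics, an `on-failure` container gives up after seven consecutive failures and is not brought back after a daemon restart unless its last exit was non-zero — which is worth confirming for the one service meant to keep the others current. Separately, the new `caddy-infra`/`caddy-media`/`caddy-tools`/`caddy-files`/`caddy-dev`/`caddy-ai`/`caddy-web` bridges replace one network per service, so every service on a group bridge can now reach every other directly (e.g. qbittorrent, transmission, jellyfin and syncthing on `caddy-media`); if that lateral reach is not intended, keep per-service networks with caddy attached to each, or record the grouping as deliberate in a comment on this block.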
diff --git a/infrastructure/services/memos/docker-compose.memos.yml b/infrastructure/services/memos/docker-compose.memos.yml index dc716e3..60d9bd1 100644 --- a/infrastructure/services/memos/docker-compose.memos.yml +++ b/infrastructure/services/memos/docker-compose.memos.yml @@ -5,7 +5,7 @@ services: container_name: memos profiles: - memos - restart: on-failure:5 + restart: on-failure:7 depends_on: - caddy env_file: @@ -13,7 +13,7 @@ services: volumes: - memos_config:/var/opt/memos networks: - - memos-network + - caddy-tools security_opt: - no-new-privileges:true @@ -22,6 +22,6 @@ volumes: name: memos_config networks: - memos-network: + caddy-tools: driver: bridge - name: memos-network + name: caddy-tools diff --git a/infrastructure/services/minecraft-server/backup/docker-compose.backup.yml b/infrastructure/services/minecraft-server/backup/docker-compose.backup.yml index 76438a6..39af09c 100644 --- a/infrastructure/services/minecraft-server/backup/docker-compose.backup.yml +++ b/infrastructure/services/minecraft-server/backup/docker-compose.backup.yml @@ -7,14 +7,13 @@ services: depends_on: - mc-server - minecraft_proxy - restart: on-failure:3 + restart: on-failure:7 env_file: - ./env/backup.env volumes: - minecraft_server_backup:/mnt/restic - minecraft_server_data:/data/minecraft_server_data:ro - minecraft_proxy_data:/data/minecraft_proxy_data:ro - - minecraft_rcon_data:/data/minecraft_rcon_data:ro security_opt: - no-new-privileges:true network_mode: none @@ -30,5 +29,3 @@ volumes: name: minecraft_server_data minecraft_proxy_data: name: minecraft_proxy_data - minecraft_rcon_data: - name: minecraft_rcon_data diff --git a/infrastructure/services/minecraft-server/minecraft-server/docker-compose.minecraft.yml b/infrastructure/services/minecraft-server/minecraft-server/docker-compose.minecraft.yml index 8464db5..33ec1bf 100644 --- a/infrastructure/services/minecraft-server/minecraft-server/docker-compose.minecraft.yml 
+++ b/infrastructure/services/minecraft-server/minecraft-server/docker-compose.minecraft.yml @@ -5,7 +5,7 @@ services: profiles: - minecraft_proxy - minecraft_server - restart: on-failure:3 + restart: on-failure:7 env_file: - ./env/proxy.env environment: @@ -32,7 +32,7 @@ services: - minecraft_server depends_on: - minecraft_proxy - restart: on-failure:3 + restart: on-failure:7 ports: # Server Minecraft port (Disable if you use proxy) # - "25565:25565" @@ -65,40 +65,11 @@ services: reservations: cpus: '0.01' memory: 20M - - rcon-web: - image: itzg/rcon:latest - container_name: minecraft_rcon_web - profiles: - - mc-web - restart: on-failure:3 - depends_on: - - minecraft_server - - minecraft_proxy - environment: - RWA_USERNAME: admin - RWA_PASSWORD: admin - RWA_ADMIN: "TRUE" - # is referring to the hostname of 'minecraft_server' compose service below - RWA_RCON_HOST: minecraft_server - RWA_RCON_PASSWORD: 6hxU3Oxmh2Q8e6S9fjkdWJikRCON_PASSWORD - ports: - # web UI port - - "4326:4326" - # websocket access from UI - - "4327:4327" - volumes: - - minecraft_rcon_data:/opt/rcon-web-admin/db - networks: - - minecraft-network - volumes: minecraft_server_data: name: minecraft_server_data minecraft_proxy_data: name: minecraft_proxy_data - minecraft_rcon_data: - name: minecraft_rcon_data networks: minecraft-network: diff --git a/infrastructure/services/omni-tools/docker-compose.omni-tools.yml b/infrastructure/services/omni-tools/docker-compose.omni-tools.yml index c964ac5..55903d6 100644 --- a/infrastructure/services/omni-tools/docker-compose.omni-tools.yml +++ b/infrastructure/services/omni-tools/docker-compose.omni-tools.yml @@ -5,16 +5,18 @@ services: container_name: omni-tools0 profiles: - omni-tools - restart: on-failure:5 + restart: on-failure:7 depends_on: - caddy networks: - - omni-tools-network + - caddy-tools read_only: false security_opt: - no-new-privileges:true cap_drop: - SYS_ADMIN + environment: + - TZ=${TZ:-Europe/Paris} deploy: resources: 
@@ -30,16 +32,18 @@ services: container_name: omni-tools1 profiles: - omni-tools - restart: on-failure:5 + restart: on-failure:7 depends_on: - caddy networks: - - omni-tools-network + - caddy-tools read_only: false security_opt: - no-new-privileges:true cap_drop: - SYS_ADMIN + environment: + - TZ=${TZ:-Europe/Paris} deploy: resources: @@ -51,6 +55,6 @@ services: memory: 20M networks: - omni-tools-network: + caddy-tools: driver: bridge - name: omni-tools-network + name: caddy-tools diff --git a/infrastructure/services/open-webui/docker-compose.open-webui.yml b/infrastructure/services/open-webui/docker-compose.open-webui.yml index 2a1233f..f885338 100644 --- a/infrastructure/services/open-webui/docker-compose.open-webui.yml +++ b/infrastructure/services/open-webui/docker-compose.open-webui.yml @@ -1,14 +1,15 @@ +name: openwebui + services: ollama: image: ollama/ollama:${OLLAMA_DOCKER_TAG-latest} - #platform: linux/amd64 container_name: ollama profiles: - - open-webui + - openwebui - ollama depends_on: - caddy - restart: on-failure:5 + restart: on-failure:7 tty: true volumes: - ollama:/root/.ollama 
@@ -16,42 +17,89 @@ services: # - ${OLLAMA_PORT-11434}:11434 env_file: - ./env/ollama.env + environment: + - TZ=${TZ:-Europe/Paris} security_opt: - no-new-privileges:true networks: - - open-webui-network - devices: - - /dev/dri - - /dev/kfd + - openwebui-internal + # devices: + # - /dev/dri + # - /dev/kfd - open-webui: - image: ghcr.io/open-webui/open-webui:${WEBUI_DOCKER_TAG-main} - container_name: open-webui + openwebui-postgres: + image: postgres:17-alpine + container_name: openwebui-postgres profiles: - - open-webui + - openwebui + env_file: + - ./env/openwebui-postgres.env + environment: + - TZ=${TZ:-Europe/Paris} volumes: - - open-webui:/app/backend/data + - openwebui-postgres:/var/lib/postgresql/data + restart: on-failure:7 + networks: + - openwebui-internal + healthcheck: + test: [ "CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB}" ] + interval: 5s + timeout: 3s + retries: 5 + + # pgadmin: + # image: dpage/pgadmin4:latest + # container_name: pgadmin + # profiles: + # - openwebui + # env_file: + # - ./env/openwebui-pgadmin.env + # volumes: + # - openwebui-pgadmin:/var/lib/pgadmin + # restart: on-failure:7 + # depends_on: + # openwebui-postgres: + # condition: service_healthy + # networks: + # - openwebui-network + + + openwebui: + image: ghcr.io/open-webui/open-webui:${WEBUI_DOCKER_TAG-main} + container_name: openwebui + profiles: + - openwebui + volumes: + - openwebui:/app/backend/data depends_on: - ollama - caddy + - openwebui-postgres env_file: - - ./env/open-webui.env - #environment: + - ./env/openwebui.env + environment: + - TZ=${TZ:-Europe/Paris} # - UID=${PUID:-1000} # - GID=${PGID:-1000} # ports: # - ${OPEN_WEBUI_PORT-3000}:8080 - restart: on-failure:5 + restart: on-failure:7 networks: - - open-webui-network + - caddy-ai + - openwebui-internal security_opt: - no-new-privileges:true volumes: ollama: {} - open-webui: {} + openwebui: {} + openwebui-postgres: {} + openwebui-pgadmin: {} networks: - open-webui-network: + caddy-ai: driver: 
bridge - name: open-webui-network + name: caddy-ai + openwebui-internal: + driver: bridge + name: openwebui-internal diff --git a/infrastructure/services/open-webui/env/openwebui-pgadmin.env b/infrastructure/services/open-webui/env/openwebui-pgadmin.env new file mode 100644 index 0000000..bca5178 --- /dev/null +++ b/infrastructure/services/open-webui/env/openwebui-pgadmin.env @@ -0,0 +1,4 @@ +PGADMIN_DEFAULT_EMAIL=admin@local.ai +PGADMIN_DEFAULT_PASSWORD=admin123 +PGADMIN_CONFIG_SERVER_MODE=False +PGADMIN_CONFIG_MASTER_PASSWORD_REQUIRED=False \ No newline at end of file diff --git a/infrastructure/services/open-webui/env/openwebui-postgres.env b/infrastructure/services/open-webui/env/openwebui-postgres.env new file mode 100644 index 0000000..3c96482 --- /dev/null +++ b/infrastructure/services/open-webui/env/openwebui-postgres.env @@ -0,0 +1,3 @@ +POSTGRES_DB=openwebui +POSTGRES_USER=postgres +POSTGRES_PASSWORD=securepassword123 diff --git a/infrastructure/services/open-webui/env/open-webui.env b/infrastructure/services/open-webui/env/openwebui.env similarity index 79% rename from infrastructure/services/open-webui/env/open-webui.env rename to infrastructure/services/open-webui/env/openwebui.env index 5b3e02e..218da23 100644 --- a/infrastructure/services/open-webui/env/open-webui.env +++ b/infrastructure/services/open-webui/env/openwebui.env @@ -10,6 +10,9 @@ ANONYMIZED_TELEMETRY=false #OPENAI_API_BASE_URL= #OPENAI_API_KEY= +# Database configuration +DATABASE_URL=postgresql://postgres:securepassword123@openwebui-postgres:5432/openwebui + # Only with stable-diffusion-webui #ENABLE_IMAGE_GENERATION=true #AUTOMATIC1111_BASE_URL=http://stable-diffusion-webui:7860 diff --git a/infrastructure/services/openssh/docker-compose.openssh.yml b/infrastructure/services/openssh/docker-compose.openssh.yml index 0e6d222..5a58e9e 100644 --- a/infrastructure/services/openssh/docker-compose.openssh.yml +++ b/infrastructure/services/openssh/docker-compose.openssh.yml 
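Review bot: `openwebui` lists `openwebui-postgres` under `depends_on:` in short form, so the `healthcheck:` added to the database is never consulted and the app can start before `pg_isready` succeeds, leaning on `on-failure:7` to paper over it; use the long form `openwebui-postgres:` / `condition: service_healthy`, exactly as the commented-out `pgadmin` block already does. `openwebui-postgres` is also missing the `security_opt:` / `- no-new-privileges:true` that every other service in this commit carries. The `openwebui-pgadmin: {}` volume is declared for a service that is commented out, so it is created for nothing. This hunk begins in the previous line of the diff.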
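Review bot: The new tracked env files commit plaintext credentials — `PGADMIN_DEFAULT_PASSWORD` with `PGADMIN_CONFIG_MASTER_PASSWORD_REQUIRED=False` here, `POSTGRES_PASSWORD` in `openwebui-postgres.env`, and that same password embedded a second time in `DATABASE_URL` in `openwebui.env`, so the two can drift apart silently. Keep the real values out of the repo (gitignored `*.env` plus committed `*.env.example`, or Compose `secrets:`), and if the password is supplied from the project `.env`, build the URL from it once, e.g. `DATABASE_URL=postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@openwebui-postgres:5432/${POSTGRES_DB}` — verify that env_file interpolation applies in your Compose version. The application also connects as the `postgres` superuser; a dedicated role owning only the `openwebui` database limits what an Open WebUI compromise can do to the cluster.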
@@ -5,12 +5,13 @@ services: container_name: openssh profiles: - openssh - restart: on-failure:5 + restart: on-failure:7 env_file: - ./env/openssh.env environment: - PUID=${PUID:-1000} - PGID=${PGID:-1000} + - TZ=${TZ:-Europe/Paris} volumes: - openssh_config:/config:rw - ./config/authorized_keys:/authorized_ssh_keys:ro @@ -29,7 +30,6 @@ services: - minecraft_server_backup:/minecraft_server_backup:rw - minecraft_server_data:/minecraft_server_data:rw - minecraft_proxy_data:/minecraft_proxy_data:rw - - minecraft_rcon_data:/minecraft_rcon_data:rw - forgejo_data:/forgejo_data:rw - forgejo_db:/forgejo_db:rw - teamfortress2_backup:/teamfortress2_backup:rw @@ -78,8 +78,6 @@ volumes: name: minecraft_server_data minecraft_proxy_data: name: minecraft_proxy_data - minecraft_rcon_data: - name: minecraft_rcon_data # teamfortress2 teamfortress2_backup: name: teamfortress2_backup diff --git a/infrastructure/services/openssh/env/openssh.env b/infrastructure/services/openssh/env/openssh.env index ecc109b..1a32161 100644 --- a/infrastructure/services/openssh/env/openssh.env +++ b/infrastructure/services/openssh/env/openssh.env @@ -1,4 +1,3 @@ -TZ=Etc/UTC SUDO_ACCESS=true PASSWORD_ACCESS=false DOCKER_MODS=linuxserver/mods:openssh-server-rsync diff --git a/infrastructure/services/picoshare/docker-compose.picoshare.yml b/infrastructure/services/picoshare/docker-compose.picoshare.yml index fe56d15..12ef943 100644 --- a/infrastructure/services/picoshare/docker-compose.picoshare.yml +++ b/infrastructure/services/picoshare/docker-compose.picoshare.yml @@ -5,15 +5,17 @@ services: container_name: picoshare profiles: - picoshare - restart: on-failure:5 + restart: on-failure:7 depends_on: - caddy env_file: - ./env/picoshare.env + environment: + - TZ=${TZ:-Europe/Paris} volumes: - picoshare_data:/data networks: - - picoshare-network + - caddy-files security_opt: - no-new-privileges:true read_only: false 
@@ -35,6 +37,6 @@ volumes: name: picoshare_data networks: - picoshare-network: + caddy-files: driver: bridge - name: picoshare-network + name: caddy-files diff --git a/infrastructure/services/privatebin/config/conf.php b/infrastructure/services/privatebin/config/conf.php index ef30926..8cd89e7 100644 --- a/infrastructure/services/privatebin/config/conf.php +++ b/infrastructure/services/privatebin/config/conf.php @@ -274,6 +274,17 @@ dir = PATH "data" ;version = "latest" ;bucket = "my-bucket" +;[shlink] +; - Shlink requires you to make a post call with a generated API key. +; use this section to setup the API key and URL. In order to use this section, +; "urlshortener" needs to point to the base URL of your PrivateBin +; instance with "?shortenviashlink&link=" appended. For example: +; urlshortener = "${basepath}?shortenviashlink&link=" +; This URL will in turn call Shlink on the server side, using the URL from +; "apiurl" and the API Key from the "apikey" parameters below. +; apiurl = "https://shlink.example.com/rest/v3/short-urls" +; apikey = "your_api_key" + ;[yourls] ; When using YOURLS as a "urlshortener" config item: ; - By default, "urlshortener" will point to the YOURLS API URL, with or without diff --git a/infrastructure/services/privatebin/docker-compose.privatebin.yml b/infrastructure/services/privatebin/docker-compose.privatebin.yml index 6aad775..2e3d0d2 100644 --- a/infrastructure/services/privatebin/docker-compose.privatebin.yml +++ b/infrastructure/services/privatebin/docker-compose.privatebin.yml @@ -5,14 +5,16 @@ services: container_name: privatebin profiles: - privatebin - restart: on-failure:5 + restart: on-failure:7 depends_on: - caddy volumes: - privatebin_data:/srv/data - ./config/conf.php:/srv/cfg/conf.php:ro + environment: + - TZ=${TZ:-Europe/Paris} networks: - - privatebin-network + - caddy-tools security_opt: - no-new-privileges:true read_only: true 
@@ -30,6 +32,6 @@ volumes: name: privatebin_data networks: - privatebin-network: + caddy-tools: driver: bridge - name: privatebin-network + name: caddy-tools diff --git a/infrastructure/services/projectsend/docker-compose.projectsend.yml b/infrastructure/services/projectsend/docker-compose.projectsend.yml index 6e41585..8a81d43 100644 --- a/infrastructure/services/projectsend/docker-compose.projectsend.yml +++ b/infrastructure/services/projectsend/docker-compose.projectsend.yml @@ -5,7 +5,7 @@ services: container_name: projectsend profiles: - projectsend - restart: on-failure:5 + restart: on-failure:7 depends_on: - caddy env_file: @@ -14,7 +14,8 @@ services: - projectsend_config:/config - projectsend_share:/data networks: - - projectsend-network + - caddy-files + - projectsend-internal security_opt: - no-new-privileges:true cap_drop: @@ -29,14 +30,16 @@ services: - projectsend depends_on: - caddy - restart: on-failure:5 + restart: on-failure:7 volumes: - projectsend_db:/var/lib/mysql:rw env_file: - ./env/projectsend_db.env + environment: + - TZ=${TZ:-Europe/Paris} command: '--default-authentication-plugin=mysql_native_password' networks: - - projectsend-network + - projectsend-internal security_opt: - no-new-privileges:true @@ -50,6 +53,9 @@ volumes: networks: - projectsend-network: + caddy-files: driver: bridge - name: projectsend-network + name: caddy-files + projectsend-internal: + driver: bridge + name: projectsend-internal diff --git a/infrastructure/services/psitransfer/docker-compose.psitransfer.yml b/infrastructure/services/psitransfer/docker-compose.psitransfer.yml index c22fdc9..889abe3 100644 --- a/infrastructure/services/psitransfer/docker-compose.psitransfer.yml +++ b/infrastructure/services/psitransfer/docker-compose.psitransfer.yml 
@@ -5,16 +5,18 @@ services: container_name: psitransfer profiles: - psitransfer - restart: on-failure:5 + restart: on-failure:7 # user: ${PUID:-1000}:${PGID:-1000} depends_on: - caddy env_file: - ./env/psitransfer.env + environment: + - TZ=${TZ:-Europe/Paris} volumes: - psitransfer_data:/data networks: - - psitransfer-network + - caddy-files security_opt: - no-new-privileges:true read_only: true @@ -32,6 +34,6 @@ volumes: name: psitransfer_data networks: - psitransfer-network: + caddy-files: driver: bridge - name: psitransfer-network \ No newline at end of file + name: caddy-files \ No newline at end of file diff --git a/infrastructure/services/qbittorrent/docker-compose.qbittorrent.yml b/infrastructure/services/qbittorrent/docker-compose.qbittorrent.yml index bb1ff4e..51b48e9 100644 --- a/infrastructure/services/qbittorrent/docker-compose.qbittorrent.yml +++ b/infrastructure/services/qbittorrent/docker-compose.qbittorrent.yml @@ -5,7 +5,7 @@ services: container_name: qbittorrent profiles: - qbittorrent - restart: on-failure:5 + restart: on-failure:7 depends_on: - caddy env_file: @@ -13,6 +13,7 @@ services: environment: - PUID=${PUID:-1000} - PGID=${PGID:-1000} + - TZ=${TZ:-Europe/Paris} ports: - 6881:6881 - 6881:6881/udp @@ -21,7 +22,7 @@ services: - public_data:/downloads - private_data:/private_downloads networks: - - qbittorrent-network + - caddy-media security_opt: - no-new-privileges:true @@ -34,6 +35,6 @@ volumes: name: private_data networks: - qbittorrent-network: + caddy-media: driver: bridge - name: qbittorrent-network \ No newline at end of file + name: caddy-media \ No newline at end of file diff --git a/infrastructure/services/qbittorrent/env/qbittorrent.env b/infrastructure/services/qbittorrent/env/qbittorrent.env index bcf5277..a9d1fe8 100644 --- a/infrastructure/services/qbittorrent/env/qbittorrent.env +++ b/infrastructure/services/qbittorrent/env/qbittorrent.env 
@@ -1,4 +1,3 @@ -TZ=Etc/UTC WEBUI_PORT=8080 TORRENTING_PORT=6881 # Use alternative WebUI: /vuetorrent diff --git a/infrastructure/services/satisfactory-server/backup/docker-compose.backup.yml b/infrastructure/services/satisfactory-server/backup/docker-compose.backup.yml index b9ab3cd..1b38aa7 100644 --- a/infrastructure/services/satisfactory-server/backup/docker-compose.backup.yml +++ b/infrastructure/services/satisfactory-server/backup/docker-compose.backup.yml @@ -6,7 +6,7 @@ services: - satisfactory_backup depends_on: - satisfactory_server - restart: on-failure:5 + restart: on-failure:7 env_file: - ./env/satisfactory_backup.env volumes: diff --git a/infrastructure/services/satisfactory-server/satisfactory/docker-compose.satisfactory.yml b/infrastructure/services/satisfactory-server/satisfactory/docker-compose.satisfactory.yml index 2ed3833..a73ecdc 100644 --- a/infrastructure/services/satisfactory-server/satisfactory/docker-compose.satisfactory.yml +++ b/infrastructure/services/satisfactory-server/satisfactory/docker-compose.satisfactory.yml @@ -5,7 +5,7 @@ services: container_name: satisfactory_server profiles: - satisfactory_server - restart: on-failure:5 + restart: on-failure:7 ports: - 7777:7777/udp - 7777:7777/tcp @@ -19,6 +19,7 @@ services: environment: - PUID=${PUID:-1000} - PGID=${PGID:-1000} + - TZ=${TZ:-Europe/Paris} security_opt: - no-new-privileges:true healthcheck: diff --git a/infrastructure/services/searxng/docker-compose.searxng.yml b/infrastructure/services/searxng/docker-compose.searxng.yml index d95b12c..b862527 100644 --- a/infrastructure/services/searxng/docker-compose.searxng.yml +++ b/infrastructure/services/searxng/docker-compose.searxng.yml 
@@ -1,17 +1,20 @@ +name: searxng + services: searxng: container_name: searxng image: docker.io/searxng/searxng:${SEARXNG_VERSION:-latest} - restart: always + restart: on-failure:7 depends_on: - caddy profiles: - searxng - # ports: - # - ${SEARXNG_PORT-8080}:8080 env_file: ./config/searxng.env + environment: + - TZ=${TZ:-Europe/Paris} networks: - - searxng-network + - caddy-tools + - searxng-internal volumes: - searxng-config:/etc/searxng/ - searxng-data:/var/cache/searxng/ @@ -25,16 +28,21 @@ services: - searxng image: docker.io/valkey/valkey:9-alpine command: valkey-server --save 30 1 --loglevel warning - restart: always + restart: on-failure:7 + environment: + - TZ=${TZ:-Europe/Paris} networks: - - searxng-network + - searxng-internal volumes: - valkey-data:/data/ networks: - searxng-network: + caddy-tools: driver: bridge - name: searxng-network + name: caddy-tools + searxng-internal: + driver: bridge + name: searxng-internal volumes: searxng-data: {} diff --git a/infrastructure/services/stirlingpdf/docker-compose.stirlingpdf.yml b/infrastructure/services/stirlingpdf/docker-compose.stirlingpdf.yml index 4b4f1f1..030adb6 100644 --- a/infrastructure/services/stirlingpdf/docker-compose.stirlingpdf.yml +++ b/infrastructure/services/stirlingpdf/docker-compose.stirlingpdf.yml @@ -5,16 +5,18 @@ services: container_name: stirlingpdf profiles: - stirlingpdf - restart: on-failure:5 + restart: on-failure:7 depends_on: - caddy env_file: - ./env/stirlingpdf.env + environment: + - TZ=${TZ:-Europe/Paris} volumes: - stirlingpdf_config:/configs - stirlingpdf_tessdata:/usr/share/tessdata networks: - - stirlingpdf-network + - caddy-tools security_opt: - no-new-privileges:true read_only: false @@ -26,6 +28,6 @@ volumes: name: stirlingpdf_tessdata networks: - stirlingpdf-network: + caddy-tools: driver: bridge - name: stirlingpdf-network \ No newline at end of file + name: caddy-tools \ No newline at end of file 
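Review bot: `restart: always` → `restart: on-failure:7` on both `searxng` and `valkey` changes more than a retry count: as I read Docker's restart semantics, `on-failure` stops retrying after seven consecutive failed starts and does not restore the container after a host reboot or daemon restart unless its last exit was non-zero, so a service Caddy fronts may stay down until someone runs `make` again — confirm that is intended. The new top-level `name: searxng` (and `name: openwebui` in the open-webui file) is presumably overridden when these files are merged into one project through `COMPOSE_FILES`; a quick `docker compose config` run should confirm a single project name still results.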
diff --git a/infrastructure/services/syncthing/docker-compose.syncthing.yml b/infrastructure/services/syncthing/docker-compose.syncthing.yml index 3b5ef51..f6d4a4d 100644 --- a/infrastructure/services/syncthing/docker-compose.syncthing.yml +++ b/infrastructure/services/syncthing/docker-compose.syncthing.yml @@ -7,18 +7,19 @@ services: - syncthing depends_on: - caddy - restart: on-failure:5 + restart: on-failure:7 env_file: - ./env/syncthing.env environment: - PUID=${PUID:-1000} - PGID=${PGID:-1000} + - TZ=${TZ:-Europe/Paris} volumes: - syncthing_config:/config - public_data:/data1 - private_data:/data2 networks: - - syncthing-network + - caddy-media security_opt: - no-new-privileges:true @@ -31,6 +32,6 @@ volumes: name: private_data networks: - syncthing-network: + caddy-media: driver: bridge - name: syncthing-network + name: caddy-media diff --git a/infrastructure/services/syncthing/env/syncthing.env b/infrastructure/services/syncthing/env/syncthing.env index 24e3832..e69de29 100644 --- a/infrastructure/services/syncthing/env/syncthing.env +++ b/infrastructure/services/syncthing/env/syncthing.env @@ -1 +0,0 @@ -TZ=Etc/UTC diff --git a/infrastructure/services/teamfortress2-server/backup/docker-compose.backup.yml b/infrastructure/services/teamfortress2-server/backup/docker-compose.backup.yml index d87eaa3..7ce47b5 100644 --- a/infrastructure/services/teamfortress2-server/backup/docker-compose.backup.yml +++ b/infrastructure/services/teamfortress2-server/backup/docker-compose.backup.yml @@ -6,7 +6,7 @@ services: - teamfortress2_backup depends_on: - teamfortress2_server - restart: on-failure:5 + restart: on-failure:7 env_file: - ./env/teamfortress2_backup.env volumes: diff --git a/infrastructure/services/teamfortress2-server/teamfortress2/docker-compose.teamfortress2.yml b/infrastructure/services/teamfortress2-server/teamfortress2/docker-compose.teamfortress2.yml index f02fc67..5c31a99 100644 
--- a/infrastructure/services/teamfortress2-server/teamfortress2/docker-compose.teamfortress2.yml +++ b/infrastructure/services/teamfortress2-server/teamfortress2/docker-compose.teamfortress2.yml @@ -5,7 +5,7 @@ services: container_name: teamfortress2_server profiles: - teamfortress2_server - restart: on-failure:5 + restart: on-failure:7 ports: - "27015:27015/tcp" - "27015:27015/udp" @@ -15,9 +15,11 @@ services: - teamfortress2-network env_file: - ./env/teamfortress2.env -# environment: + environment: + - TZ=${TZ:-Europe/Paris} # - PUID=${PUID:-1000} # - PGID=${PGID:-1000} + security_opt: - no-new-privileges:true cap_drop: diff --git a/infrastructure/services/transmission/docker-compose.transmission.yml b/infrastructure/services/transmission/docker-compose.transmission.yml index efc12f7..3fed8ec 100644 --- a/infrastructure/services/transmission/docker-compose.transmission.yml +++ b/infrastructure/services/transmission/docker-compose.transmission.yml @@ -5,7 +5,7 @@ services: container_name: transmission profiles: - transmission - restart: on-failure:5 + restart: on-failure:7 depends_on: - caddy env_file: @@ -18,7 +18,7 @@ services: - public_data:/downloads - transmission_watch:/watch networks: - - transmission-network + - caddy-media security_opt: - no-new-privileges:true @@ -33,6 +33,6 @@ volumes: name: private_data networks: - transmission-network: + caddy-media: driver: bridge - name: transmission-network \ No newline at end of file + name: caddy-media \ No newline at end of file diff --git a/infrastructure/services/uptime-kuma/docker-compose.uptime-kuma.yml b/infrastructure/services/uptime-kuma/docker-compose.uptime-kuma.yml index 4071c2a..797c00a 100644 --- a/infrastructure/services/uptime-kuma/docker-compose.uptime-kuma.yml +++ b/infrastructure/services/uptime-kuma/docker-compose.uptime-kuma.yml 
@@ -7,12 +7,13 @@ services: - uptime-kuma volumes: - uptimekuma_data:/app/data - # - /var/run/docker.sock:/var/run/docker.sock:ro - restart: on-failure:5 + environment: + - TZ=${TZ:-Europe/Paris} + restart: on-failure:7 depends_on: - caddy networks: - - uptimekuma-network + - caddy-infra security_opt: - no-new-privileges:true cap_drop: @@ -23,6 +24,6 @@ volumes: name: uptimekuma_data networks: - uptimekuma-network: + caddy-infra: driver: bridge - name: uptimekuma-network + name: caddy-infra diff --git a/infrastructure/services/wordpress/docker-compose.wordpress.yml b/infrastructure/services/wordpress/docker-compose.wordpress.yml index 92bb4b3..fad3d00 100644 --- a/infrastructure/services/wordpress/docker-compose.wordpress.yml +++ b/infrastructure/services/wordpress/docker-compose.wordpress.yml @@ -5,17 +5,20 @@ services: container_name: wordpress profiles: - wordpress - restart: on-failure:5 + restart: on-failure:7 depends_on: - wordpress_db - caddy env_file: - ./env/wordpress.env + environment: + - TZ=${TZ:-Europe/Paris} volumes: - ./config/wordpress/php.ini:/usr/local/etc/php/conf.d/custom.ini:ro - wordpress:/var/www/html:rw networks: - - wordpress-network + - caddy-web + - wordpress-internal security_opt: - no-new-privileges:true @@ -28,14 +31,16 @@ services: - wordpress depends_on: - caddy - restart: on-failure:5 + restart: on-failure:7 volumes: - wordpress_db:/var/lib/mysql:rw env_file: - ./env/wordpress_db.env + environment: + - TZ=${TZ:-Europe/Paris} command: '--default-authentication-plugin=mysql_native_password' networks: - - wordpress-network + - wordpress-internal security_opt: - no-new-privileges:true @@ -46,9 +51,11 @@ services: - wordpress depends_on: - wordpress - restart: on-failure:5 + restart: on-failure:7 env_file: - ./env/wordpress_backup.env + environment: + - TZ=${TZ:-Europe/Paris} volumes: - wordpress_backup:/mnt/restic - wordpress_db:/data/wordpress_db:ro 
@@ -68,6 +75,9 @@ volumes: name: wordpress_backup networks: - wordpress-network: + caddy-web: driver: bridge - name: wordpress-network + name: caddy-web + wordpress-internal: + driver: bridge + name: wordpress-internal diff --git a/presets/chatgpt.conf b/presets/chatgpt.conf new file mode 100644 index 0000000..4235bb9 --- /dev/null +++ b/presets/chatgpt.conf @@ -0,0 +1,3 @@ +DOCKER_PROFILES += main_infrastructure caddy +DOCKER_PROFILES += openssh +DOCKER_PROFILES += openwebui ollama diff --git a/presets/torrent.conf b/presets/torrent.conf index 6be10bf..bd45a21 100644 --- a/presets/torrent.conf +++ b/presets/torrent.conf @@ -1,4 +1,4 @@ DOCKER_PROFILES += main_infrastructure caddy DOCKER_PROFILES += qbittorrent openssh -DOCKER_PROFILES += uptime-kuma +DOCKER_PROFILES += uptime-kuma dozzle # transmission diff --git a/presets/utils.conf b/presets/utils.conf index 1f788bb..ecf7c4f 100644 --- a/presets/utils.conf +++ b/presets/utils.conf @@ -1,3 +1,2 @@ DOCKER_PROFILES += main_infrastructure caddy homepage DOCKER_PROFILES += it-tools omni-tools cyberchef -DOCKER_PROFILES += qbittorrent openssh diff --git a/ressources/Arch.drawio b/ressources/Arch.drawio index e3fa7a7..4a76c25 100644 --- a/ressources/Arch.drawio +++ b/ressources/Arch.drawio @@ -1,71 +1,71 @@ - + - + - + - - + + - + - - + + - + - - + + - + - - + + - + - + - - + + - + - - + + - - + + - + - + @@ -74,101 +74,111 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + + + - - + + + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + + + + + + + diff --git a/ressources/arch_infra.png b/ressources/arch_infra.png index 0ae6f78..6749d11 100644 Binary files a/ressources/arch_infra.png and b/ressources/arch_infra.png differ diff --git a/tools/docker_volumes_export.sh b/tools/docker_volumes_export.sh index 7b0ade0..6435696 100755 --- a/tools/docker_volumes_export.sh +++ b/tools/docker_volumes_export.sh 
@@ -13,7 +13,6 @@ volumes=(
 forgejo_data
 wordpress_db
 minecraft_proxy_data
- minecraft_rcon_data
 minecraft_server_data
 minecraft_server_backup
 stirlingpdf_tessdata