diff --git a/.gitignore b/.gitignore index 702c9da..655843d 100644 --- a/.gitignore +++ b/.gitignore @@ -1,14 +1,26 @@ + +core + cloudflare/tailscale/ -nginxproxymanager/*/ media/audiobookshelf/ ntfy/*/ vaultwarden/*/ -standard-notes/ -pinchflat/ +pinchflat/config/ homepage/config/logs/ speedtest/config/ -caddy/ts-caddy/ -pdf/stirling +caddy/caddy* +diun/data/ +filebrowser/*.db +nginxproxymanager/data +nginxproxymanager/letsencrypt +nginxproxymanager/mysql + +# stirling +pdf/stirling/latest/data/ +pdf/stirling/latest/logs/ +pdf/stirling/latest/config/db/backup/ +pdf/stirling/latest/config/*.db # ignore environment files .env +memos/.memos/memos_prod.db diff --git a/adguard/docker-compose.yml b/adguard/docker-compose.yml index 5f66ba0..dda44ea 100644 --- a/adguard/docker-compose.yml +++ b/adguard/docker-compose.yml @@ -11,9 +11,10 @@ services: - config:/opt/adguardhome/conf # app configuration - work:/opt/adguardhome/work # app working directory restart: always + labels: + - diun.enable=true volumes: config: driver: local work: driver: local -networks: {} diff --git a/caddy/.env.example b/caddy/.env.example new file mode 100644 index 0000000..3f48675 --- /dev/null +++ b/caddy/.env.example @@ -0,0 +1,8 @@ + +# create the API token in https://dash.cloudflare.com/profile/api-tokens +# create auth tokens - +# `Zone.Zone:Read` for all zones, and +# `Zone.DNS:Edit` permissions for ptrwd.com +# https://github.com/caddy-dns/cloudflare +CF_ZONE_READ= +CF_DNS_EDIT= \ No newline at end of file diff --git a/caddy/Caddyfile b/caddy/Caddyfile new file mode 100644 index 0000000..41cc073 --- /dev/null +++ b/caddy/Caddyfile 
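Review bot: The new `# stirling` rules ignore only `db/backup/` and `*.db` under `pdf/stirling/latest/config/`, so `settings.yml` — the file Stirling-PDF rewrites itself, which in this same commit carries the `initialLogin` credentials and an `AutomaticallyGenerated` key/UUID — stays tracked. Add `pdf/stirling/latest/config/settings.yml` beside the existing entries (and `custom_settings.yml` if it is meant to hold host-local overrides) and untrack the copies this commit adds. The `filebrowser/*.db` and `memos/.memos/memos_prod.db` lines apply the same "keep app state out of git" rule to other services, so this looks like an oversight rather than intent.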
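Review bot: The comment scopes `Zone.DNS:Edit` to ptrwd.com only, but the Caddyfile added in this commit also obtains a certificate for `jellyfin.peterwood.rocks` through the same `CF_DNS_EDIT` token, and that DNS-01 challenge cannot succeed unless the token has DNS edit on the peterwood.rocks zone as well. Update the guidance to `# \`Zone.DNS:Edit\` permissions for ptrwd.com and peterwood.rocks` so whoever recreates the token grants exactly the zones the config needs and no more. The separate read-only `Zone.Zone:Read` token for `zone_token` matches the caddy-dns/cloudflare usage linked below it.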
@@ -0,0 +1,155 @@ +{ + # debug + email peter@peterwood.dev +} + +ptrwd.com { + tls { + dns cloudflare { + zone_token {env.CF_ZONE_READ} + api_token {env.CF_DNS_EDIT} + } + } + # this is the the wiki + reverse_proxy ts-racknerd.whale-woodpecker.ts.net:8300 +} + +wiki.ptrwd.com { + tls { + dns cloudflare { + zone_token {env.CF_ZONE_READ} + api_token {env.CF_DNS_EDIT} + } + } + # Route ACME challenges explicitly to be handled internally by Caddy + route /.well-known/acme-challenge/* { + # No directive needed here; Caddy's internal handler takes precedence. + # This prevents the challenge requests from being proxied. + } + + # Proxy all other requests to the wiki + route { + reverse_proxy ts-racknerd.whale-woodpecker.ts.net:8300 + } +} + +jellyfin.peterwood.rocks { + tls { + dns cloudflare { + zone_token {env.CF_ZONE_READ} + api_token {env.CF_DNS_EDIT} + } + } + reverse_proxy host.docker.internal:8096 +} + +# Serve a simple text message for home.ptrwd.com +home.ptrwd.com { + tls { + dns cloudflare { + zone_token {env.CF_ZONE_READ} + api_token {env.CF_DNS_EDIT} + } + } + # Debugging: Log all requests + log { + output stdout + format console + } + # Allow connections only from private ranges and home IP using Cf-Connecting-Ip header + @allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32 + handle @allowAccess { + respond "Welcome home!" 
200 { + close # Close the connection after responding + } + } + handle { + respond "Access denied" 403 + } +} + +# Reverse proxy for sonarr.home.ptrwd.com +sonarr.home.ptrwd.com { + tls { + dns cloudflare { + zone_token {env.CF_ZONE_READ} + api_token {env.CF_DNS_EDIT} + } + } + # Allow connections only from private ranges and home IP + @allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32 + handle @allowAccess { + reverse_proxy ts-io.whale-woodpecker.ts.net:8989 + } + handle { + respond 403 + } +} + +radarr.home.ptrwd.com { + tls { + dns cloudflare { + zone_token {env.CF_ZONE_READ} + api_token {env.CF_DNS_EDIT} + } + } + # Allow connections only from private ranges and home IP + @allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32 + handle @allowAccess { + reverse_proxy ts-io.whale-woodpecker.ts.net:7878 + } + handle { + respond 403 + } +} + +io.docker.home.ptrwd.com { + tls { + dns cloudflare { + zone_token {env.CF_ZONE_READ} + api_token {env.CF_DNS_EDIT} + } + } + # Allow connections only from private ranges and home IP + @allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32 + handle @allowAccess { + reverse_proxy ts-io.whale-woodpecker.ts.net:5001 + } + handle { + respond 403 + } +} + +europa.docker.home.ptrwd.com { + tls { + dns cloudflare { + zone_token {env.CF_ZONE_READ} + api_token {env.CF_DNS_EDIT} + } + } + # Allow connections only from private ranges and home IP + @allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32 + handle @allowAccess { + reverse_proxy ts-europa.whale-woodpecker.ts.net:5001 + } + handle { + respond 403 + } +} + +racknerd.docker.home.ptrwd.com { + tls { + dns cloudflare { + zone_token {env.CF_ZONE_READ} + api_token {env.CF_DNS_EDIT} + } + } + # Allow connections only from private ranges and home IP + @allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32 + handle @allowAccess { + reverse_proxy 
ts-racknerd.whale-woodpecker.ts.net:5001 + } + handle { + respond 403 + } +} diff --git a/caddy/Dockerfile b/caddy/Dockerfile new file mode 100644 index 0000000..130c1e3 --- /dev/null +++ b/caddy/Dockerfile @@ -0,0 +1,9 @@ + +FROM caddy:2.10-builder AS builder + +RUN xcaddy build \ + --with github.com/caddy-dns/cloudflare + +FROM caddy:2.10 + +COPY --from=builder /usr/bin/caddy /usr/bin/caddy diff --git a/caddy/docker-compose.yml b/caddy/docker-compose.yml index fd94519..20d8188 100644 --- a/caddy/docker-compose.yml +++ b/caddy/docker-compose.yml @@ -1,18 +1,23 @@ services: - ts-caddy: - image: tailscale/tailscale:latest - container_name: ts-caddy - hostname: ts-caddy - environment: - - TS_AUTHKEY:${TAILSCALE_AUTHKEY} - - TS_SOCKET:/var/run/tailscale/tailscaled.sock - volumes: - - ${PWD}/ts-caddy/state:/var/lib/tailscale - - /dev/net/tun:/dev/net/tun - cap_add: - - net_admin - - sys_module - restart: unless-stopped + caddy: - image: caddy/caddy:latest - network_mode: service:ts-caddy \ No newline at end of file + image: caddy-cloudflare + restart: always + ports: + - 80:80 + - 443:443 + - 443:443/udp + volumes: + - ./Caddyfile:/etc/caddy/Caddyfile + - caddy_data:/data + - caddy_config:/config + environment: + CF_ZONE_READ: ${CF_ZONE_READ} + CF_DNS_EDIT: ${CF_DNS_EDIT} + extra_hosts: + - host.docker.internal:host-gateway + labels: + - diun.enable=true +volumes: + caddy_data: + caddy_config: diff --git a/cloudflare/docker-compose.yml b/cloudflare/docker-compose.yml index 1cebafc..2a178a7 100644 --- a/cloudflare/docker-compose.yml +++ b/cloudflare/docker-compose.yml @@ -6,6 +6,8 @@ services: command: tunnel --no-autoupdate run --token ${CLOUDFLARE_TUNNEL_TOKEN} depends_on: - tailscale + labels: + - diun.enable=true tailscale: container_name: tailscale image: tailscale/tailscale:stable @@ -22,4 +24,6 @@ services: command: tailscaled privileged: true restart: unless-stopped + labels: + - diun.enable=true networks: {} 
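Review bot: The `@allowAccess client_ip …` matchers in `home.ptrwd.com` and the five `*.home.ptrwd.com` sites match the TCP peer address, not `Cf-Connecting-Ip` as the comment on home.ptrwd.com claims — Caddy only derives the client IP from a forwarded header when `trusted_proxies` (and, for that header name, `client_ip_headers Cf-Connecting-Ip`) are configured under the global `servers` options, and nothing in this file sets them. As written the allowlist is correct for connections that hit the published 80/443 ports directly, but any request arriving via Cloudflare carries an edge address and is refused; either drop the header mention from the comment or add the `servers` block with Cloudflare's published ranges as static trusted proxies (trusting the header without that list would let any client spoof an allowlisted address). The six identical `tls { dns cloudflare { … } }` stanzas and the repeated `162.203.102.154/32` allowlist would also be easier to keep consistent as snippets, sketched below. The empty `route /.well-known/acme-challenge/*` block in wiki.ptrwd.com is dead configuration once DNS-01 is in use and can be removed.
```caddyfile
(cloudflare) {
	tls {
		dns cloudflare {
			zone_token {env.CF_ZONE_READ}
			api_token {env.CF_DNS_EDIT}
		}
	}
}

(home_only) {
	@allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
}

sonarr.home.ptrwd.com {
	import cloudflare
	import home_only
	handle @allowAccess {
		reverse_proxy ts-io.whale-woodpecker.ts.net:8989
	}
	handle {
		respond 403
	}
}
# … unchanged: the other site blocks import the same two snippets …
```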
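Review bot: `--with github.com/caddy-dns/cloudflare` in the builder stage resolves to whatever the module's newest version is at build time, so rebuilding this Dockerfile later can silently swap in a different DNS plugin; pin it, `--with github.com/caddy-dns/cloudflare@<PLUGIN_VERSION>` (placeholder — use the version actually tested). `FROM caddy:2.10-builder` and `FROM caddy:2.10` are minor-version tags, which is acceptable for a homelab, though a `@sha256:` digest on the runtime stage would make the shipped image fully reproducible. The blank line before the first `FROM` is harmless but unconventional.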
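Review bot: `image: caddy-cloudflare` names the image the new `caddy/Dockerfile` produces, but the service has no `build:` key, so `docker compose up` on a host where nobody ran `docker build` by hand fails trying to pull `caddy-cloudflare` from Docker Hub. Add `build: .` under the service (keeping `image:` so the result is tagged); note that diun presumably cannot look a locally built tag up in any registry, so the `diun.enable=true` label here is likely to produce lookup errors rather than notifications. The Caddyfile mount can be read-only, `./Caddyfile:/etc/caddy/Caddyfile:ro`, since Caddy only reads it; `/data` and `/config` stay writable for certificates and autosave.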
diff --git a/database/docker-compose.yml b/database/docker-compose.yml index 9e3753e..55a8497 100644 --- a/database/docker-compose.yml +++ b/database/docker-compose.yml @@ -13,6 +13,8 @@ services: networks: - postgres restart: unless-stopped + labels: + - diun.enable=true pgadmin: container_name: pgadmin_container @@ -28,6 +30,8 @@ services: networks: - postgres restart: unless-stopped + labels: + - diun.enable=true networks: postgres: diff --git a/diun/compose.yaml b/diun/compose.yaml new file mode 100644 index 0000000..f99ad1d --- /dev/null +++ b/diun/compose.yaml @@ -0,0 +1,23 @@ +services: + diun: + image: crazymax/diun:latest + command: serve + hostname: diun + volumes: + - ./data:/data + - /var/run/docker.sock:/var/run/docker.sock + environment: + - TZ=America/New_York + - DIUN_WATCH_WORKERS=20 + - DIUN_WATCH_SCHEDULE=0 */2 * * * + - DIUN_WATCH_JITTER=30s + - DIUN_DEFAULTS_NOTIFYON=new,update + - DIUN_PROVIDERS_DOCKER=true + - DIUN_PROVIDERS_DOCKER_WATCHBYDEFAULT=true + - DIUN_NOTIF_TELEGRAM_TOKEN=${TELEGRAM_TOKEN} + - DIUN_NOTIF_TELEGRAM_CHATIDS=${TELEGRAM_CHAT_ID} + #- DIUN_NOTIF_TELEGRAM_TEMPLATEBODY=${TELEGRAM_TEMPLATE} + labels: + - diun.enable=true + restart: unless-stopped +networks: {} diff --git a/docmost/compose.yaml b/docmost/compose.yaml new file mode 100644 index 0000000..3ba9421 --- /dev/null +++ b/docmost/compose.yaml 
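Review bot: With `DIUN_PROVIDERS_DOCKER_WATCHBYDEFAULT=true` every running container is watched without opting in, so the `diun.enable=true` labels this commit adds across adguard, cloudflare, database, dozzle, golinks, hoarder, homepage, media, memos, metube, nginxproxymanager, ntfy, pdf and caddy are redundant; pick one mechanism (drop the labels, or set watchbydefault to false and keep them) so intent is clear. The read-write `/var/run/docker.sock` bind gives diun the full Docker API, which is root-equivalent on the host, while it only needs to list/inspect containers and read events; a Docker socket proxy limited to those endpoints would contain the damage if the diun container or its unpinned `:latest` image were compromised. `DIUN_NOTIF_TELEGRAM_TOKEN` comes from `${TELEGRAM_TOKEN}` in the ignored `.env`, which is fine.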
@@ -0,0 +1,35 @@ +services: + docmost: + image: docmost/docmost:latest + depends_on: + - db + - redis + environment: + APP_URL: http://localhost:3000 + APP_SECRET: ${APP_SECRET} + DATABASE_URL: ${POSTGRES_URL} + REDIS_URL: redis://redis:6379 + ports: + - 9380:3000 + restart: unless-stopped + volumes: + - docmost:/app/data/storage + db: + image: postgres:16-alpine + environment: + POSTGRES_DB: docmost + POSTGRES_USER: docmost + POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} + restart: unless-stopped + volumes: + - db_data:/var/lib/postgresql/data + redis: + image: redis:7.2-alpine + restart: unless-stopped + volumes: + - redis_data:/data +volumes: + docmost: null + db_data: null + redis_data: null +networks: {} diff --git a/dozzle/docker-compose.yml b/dozzle/docker-compose.yml index 01de5a0..536c41b 100644 --- a/dozzle/docker-compose.yml +++ b/dozzle/docker-compose.yml @@ -6,9 +6,13 @@ services: ports: - 9999:8080 environment: - # DOZZLE_REMOTE_HOST: tcp://ts-vperanda:2375|vperanda,tcp://ts-svr-office:2375 + # DOZZLE_REMOTE_HOST: tcp://ts-rackerd:2375|racknerd,tcp://ts-svr-office:2375|svr-office DOZZLE_HOSTNAME: ${HOSTNAME} + DOZZLE_ENABLE_ACTIONS: true + DOZZLE_AUTH_PROVIDER: forward-proxy + DOZZLE_AUTH_HEADER_USER: ${DOZZLE_AUTH_HEADER_USER} + DOZZLE_AUTH_HEADER_EMAIL: ${DOZZLE_AUTH_HEADER_EMAIL} + DOZZLE_AUTH_HEADER_NAME: ${DOZZLE_AUTH_HEADER_NAME} restart: unless-stopped -networks: - cloudflare_default: - external: true + labels: + - diun.enable=true diff --git a/filebrowser/compose.yaml b/filebrowser/compose.yaml new file mode 100644 index 0000000..e2e647f --- /dev/null +++ b/filebrowser/compose.yaml @@ -0,0 +1,14 @@ +services: + filebrowser: + image: filebrowser/filebrowser:latest + container_name: filebrowser + restart: unless-stopped + volumes: + - /mnt/share/media/tv:/srv + - ./database.db:/database.db + environment: + - PUID=1000 + - PGID=1000 + ports: + - 8212:80 +networks: {} 
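Review bot: `APP_URL: http://localhost:3000` does not match how the service is reached — container port 3000 is published as `9380:3000` — so any absolute links or redirects docmost derives from `APP_URL` would point at a port that is not published (that use of `APP_URL` is inferred from its name; confirm against the docmost docs). Feed it from the environment like `APP_SECRET`, e.g. `APP_URL: ${APP_URL}`. `DATABASE_URL: ${POSTGRES_URL}` must embed the same password that `db` receives via `${POSTGRES_PASSWORD}`; deriving it in compose, `DATABASE_URL: postgresql://docmost:${POSTGRES_PASSWORD}@db:5432/docmost`, keeps the two from drifting, and `docmost/docmost:latest` deserves a version tag like its `postgres:16-alpine` and `redis:7.2-alpine` siblings.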
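Review bot: `DOZZLE_AUTH_PROVIDER: forward-proxy` makes dozzle trust the user/email/name headers named by the three `DOZZLE_AUTH_HEADER_*` variables, which is only safe when every request has passed through the proxy that sets them — but the context line `- 9999:8080` still publishes the port on all host interfaces, so anyone who can reach port 9999 directly can supply those headers and, with the new `DOZZLE_ENABLE_ACTIONS: true`, start, stop and restart containers. Bind the port to loopback, `- 127.0.0.1:9999:8080`, or drop `ports:` and attach the service to the proxy's network instead. The bare `true` is a YAML boolean rather than a string; quoting it, `DOZZLE_ENABLE_ACTIONS: "true"`, avoids relying on compose's type coercion.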
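Review bot: `./database.db:/database.db` bind-mounts a single file, and the `.gitignore` hunk adds `filebrowser/*.db`, so on a fresh clone the file is absent and Docker creates `./database.db` as an empty directory, after which filebrowser cannot open its database. Either create the file before the first `up` (`touch database.db`) or mount a directory and point filebrowser's database setting inside it. `PUID`/`PGID` are a linuxserver.io convention; nothing here shows that `filebrowser/filebrowser` honours them, so verify the process really runs as uid 1000 before relying on it for write access to `/mnt/share/media/tv`, and `:latest` is unpinned.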
diff --git a/golinks/docker-compose.yml b/golinks/docker-compose.yml index 6d086d0..e209e2b 100644 --- a/golinks/docker-compose.yml +++ b/golinks/docker-compose.yml @@ -5,6 +5,8 @@ services: image: ghcr.io/tailscale/golink:main volumes: - golinks_data:/home/nonroot + labels: + - diun.enable=true volumes: golinks_data: diff --git a/hoarder/docker-compose.yml b/hoarder/docker-compose.yml index b32f918..e6379cc 100644 --- a/hoarder/docker-compose.yml +++ b/hoarder/docker-compose.yml @@ -1,6 +1,7 @@ +name: hoarder services: hoarder: - image: ghcr.io/hoarder-app/hoarder:${HOARDER_VERSION:-release} + image: ghcr.io/karakeep-app/karakeep:${HOARDER_VERSION:-release} restart: unless-stopped volumes: - data:/data @@ -14,9 +15,13 @@ services: NEXTAUTH_URL: ${NEXTAUTH_URL} MEILI_MASTER_KEY: ${MEILI_MASTER_KEY} DATA_DIR: /data + labels: + - diun.enable=true chrome: image: gcr.io/zenika-hub/alpine-chrome:123 restart: unless-stopped + labels: + - diun.enable=true command: - --no-sandbox - --disable-gpu @@ -31,7 +36,9 @@ services: MEILI_NO_ANALYTICS: true volumes: - meilisearch:/meili_data - + labels: + - diun.enable=true volumes: - meilisearch: - data: + meilisearch: null + data: null +networks: {} diff --git a/homepage/config/services.yaml b/homepage/config/services.yaml index af314dd..2b25c00 100644 --- a/homepage/config/services.yaml +++ b/homepage/config/services.yaml @@ -56,21 +56,25 @@ - racknerd: icon: docker.png href: http://ts-racknerd:5001 - description: racknerd docker containers. + description: racknerd docker containers. - Stocks: - Stocks: - icon: stock.png + icon: stocks.png widget: type: stocks provider: finnhub color: true cache: 1 watchlist: + - ACHR - AAPL - AMZN - DIS - GOOG + - JEPQ - META - MSFT - NVDA + - RDW + diff --git a/homepage/config/widgets.yaml b/homepage/config/widgets.yaml index 23c8d61..a2612b8 100644 --- a/homepage/config/widgets.yaml +++ b/homepage/config/widgets.yaml 
@@ -8,5 +8,5 @@ disk: / - search: - provider: duckduckgo + provider: google target: _blank diff --git a/homepage/docker-compose.yml b/homepage/docker-compose.yml index e152370..3ce447d 100644 --- a/homepage/docker-compose.yml +++ b/homepage/docker-compose.yml @@ -12,6 +12,5 @@ services: - ./config:/app/config - /var/run/docker.sock:/var/run/docker.sock:ro restart: unless-stopped -networks: - cloudflare_default: - external: true + labels: + - diun.enable=true \ No newline at end of file diff --git a/immich/docker-compose.yml b/immich/docker-compose.yml new file mode 100644 index 0000000..518f99a --- /dev/null +++ b/immich/docker-compose.yml 
@@ -0,0 +1,79 @@ +# +# WARNING: Make sure to use the docker-compose.yml of the current release: +# +# https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml +# +# The compose file on main may not be compatible with the latest release. +# + +name: immich +services: + immich-server: + container_name: immich_server + image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release} + # extends: + # file: hwaccel.transcoding.yml + # service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding + volumes: + # Do not edit the next line. If you want to change the media storage location on your system, edit the value of UPLOAD_LOCATION in the .env file + - ${UPLOAD_LOCATION}:/usr/src/app/upload + - /etc/localtime:/etc/localtime:ro + env_file: + - .env + ports: + - 2283:2283 + depends_on: + - redis + - database + restart: always + healthcheck: + disable: false + immich-machine-learning: + container_name: immich_machine_learning + # For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag. 
+ # Example tag: ${IMMICH_VERSION:-release}-cuda + image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release} + # extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/ml-hardware-acceleration + # file: hwaccel.ml.yml + # service: cpu # set to one of [armnn, cuda, openvino, openvino-wsl] for accelerated inference - use the `-wsl` version for WSL2 where applicable + volumes: + - model-cache:/cache + env_file: + - .env + restart: always + healthcheck: + disable: false + redis: + container_name: immich_redis + image: docker.io/redis:6.2-alpine@sha256:905c4ee67b8e0aa955331960d2aa745781e6bd89afc44a8584bfd13bc890f0ae + healthcheck: + test: redis-cli ping || exit 1 + restart: always + database: + container_name: immich_postgres + image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0 + environment: + POSTGRES_PASSWORD: ${DB_PASSWORD} + POSTGRES_USER: ${DB_USERNAME} + POSTGRES_DB: ${DB_DATABASE_NAME} + POSTGRES_INITDB_ARGS: --data-checksums + volumes: + # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file + - ${DB_DATA_LOCATION}:/var/lib/postgresql/data + healthcheck: + test: pg_isready --dbname="$${POSTGRES_DB}" --username="$${POSTGRES_USER}" || + exit 1; Chksum="$$(psql --dbname="$${POSTGRES_DB}" + --username="$${POSTGRES_USER}" --tuples-only --no-align + --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM + pg_stat_database')"; echo "checksum failure count is $$Chksum"; [ + "$$Chksum" = '0' ] || exit 1 + interval: 5m + start_interval: 30s + start_period: 5m + command: postgres -c shared_preload_libraries=vectors.so -c + 'search_path="$$user", public, vectors' -c logging_collector=on -c + max_wal_size=2GB -c shared_buffers=512MB -c wal_compression=on + restart: always +volumes: + model-cache: null +networks: {} 
diff --git a/mealie/docker-compose.yml b/mealie/docker-compose.yml deleted file mode 100644 index 6ddb578..0000000 --- a/mealie/docker-compose.yml +++ /dev/null @@ -1,55 +0,0 @@ -services: - mealie: - image: ghcr.io/mealie-recipes/mealie:latest - container_name: mealie - restart: always - ports: - - 9925:9000 - deploy: - resources: - limits: - memory: 1000M - volumes: - - mealie-data:/app/data/ - environment: - ALLOW_SIGNUP: false - PUID: 1000 - PGID: 1000 - TZ: America/New_York - MAX_WORKERS: 1 - WEB_CONCURRENCY: 1 - BASE_URL: ${BASE_URL} - # Database Settings - DB_ENGINE: ${DATABASE_TYPE} - POSTGRES_USER: ${POSTGRES_USER} - POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} - POSTGRES_SERVER: ${POSTGRES_SERVER} - POSTGRES_PORT: ${POSTGRES_PORT} - POSTGRES_DB: ${POSTGRES_DB} - depends_on: - postgres: - condition: service_healthy - postgres: - container_name: postgres - image: postgres:15 - restart: always - volumes: - - mealie-pgdata:/var/lib/postgresql/data - environment: - POSTGRES_PASSWORD: ${POSTGRES_USER} - POSTGRES_USER: ${POSTGRES_PASSWORD} - healthcheck: - test: - - CMD - - pg_isready - interval: 30s - timeout: 20s - retries: 3 -volumes: - mealie-data: null - mealie-pgdata: null -networks: - cloudflare_default: - external: true -x-dockge: - urls: [] diff --git a/media/docker-compose.yml b/media/docker-compose.yml index d9dda3b..9516f71 100644 --- a/media/docker-compose.yml +++ b/media/docker-compose.yml 
@@ -16,14 +16,16 @@ services: - gluetun_data:/gluetun environment: # See https://github.com/qdm12/gluetun/wiki - - VPN_SERVICE_PROVIDER=protonvpn - - OPENVPN_USER=${OPENVPN_USER} - - OPENVPN_PASSWORD=${OPENVPN_PASSWORD} + - VPN_SERVICE_PROVIDER=airvpn + - VPN_TYPE=wireguard + - WIREGUARD_PRIVATE_KEY=${WIREGUARD_PRIVATE_KEY} + - WIREGUARD_PRESHARED_KEY=${WIREGUARD_PRESHARED_KEY} + - WIREGUARD_ADDRESSES=${WIREGUARD_ADDRESSES} - TZ=America/New_York # Timezone for accurate log times - SERVER_COUNTRIES=United States - # - SERVER_CITIES=Stockholm - # - SERVER_HOSTNAMES: Comma separated list of server hostnames restart: always + labels: + - diun.enable=true sabnzbd: image: lscr.io/linuxserver/sabnzbd:latest container_name: sabnzbd @@ -39,6 +41,8 @@ services: # network_mode: "service:gluetun" forces sabnzbd to connect to the internet through the VPN defined in the gluetun container above network_mode: service:gluetun restart: always + labels: + - diun.enable=true sonarr: image: lscr.io/linuxserver/sonarr:latest container_name: sonarr @@ -55,9 +59,9 @@ services: - /data/usenet/downloads:/downloads ports: - 8989:8989 - networks: - - cloudflare_default restart: always + labels: + - diun.enable=true radarr: image: lscr.io/linuxserver/radarr:latest container_name: radarr @@ -74,8 +78,6 @@ services: - /data/usenet/downloads:/downloads ports: - 7878:7878 - networks: - - cloudflare_default restart: always prowlarr: image: lscr.io/linuxserver/prowlarr:latest @@ -88,9 +90,22 @@ services: - /docker/config/prowlarr:/config ports: - 9696:9696 - networks: - - cloudflare_default restart: always + labels: + - diun.enable=true + jellyseerr: + image: fallenbagel/jellyseerr:latest + container_name: jellyseerr + environment: + - LOG_LEVEL=debug + - TZ=America/New_York + ports: + - 5055:5055 + volumes: + - /docker/config/jellyseerr/:/app/config + restart: unless-stopped + labels: + - diun.enable=true tautulli: image: lscr.io/linuxserver/tautulli:latest container_name: tautulli 
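Review bot: `WIREGUARD_PRIVATE_KEY=${WIREGUARD_PRIVATE_KEY}` and `WIREGUARD_PRESHARED_KEY` are injected as plain environment variables, which leaves them readable through `docker inspect` on the host and to every process in the gluetun container; gluetun can read such values from files instead (its secret-file settings — confirm the exact names in the gluetun wiki linked in the comment above), which keeps them out of container metadata. This is a hardening suggestion rather than a defect: the values themselves come from the ignored `.env`, and `SERVER_COUNTRIES=United States` still applies to the new provider.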
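Review bot: The new `jellyseerr` service sets `LOG_LEVEL=debug`, a development setting that makes logs far more verbose and may include request details; use `LOG_LEVEL=info` for a long-running instance. It also publishes `5055:5055` on every host interface, so make sure it is meant to be reachable beyond the reverse proxy. `radarr` in the previous hunk lost its `cloudflare_default` network like its siblings but is the only service in this file that did not receive the `diun.enable=true` label — harmless with watchbydefault on, but inconsistent.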
@@ -102,9 +117,9 @@ services: - tautulli:/config ports: - 8181:8181 - networks: - - cloudflare_default restart: always + labels: + - diun.enable=true audiobookshelf: image: ghcr.io/advplyr/audiobookshelf:latest container_name: audiobookshelf @@ -118,12 +133,11 @@ services: - ./audiobookshelf/metadata:/metadata environment: - TZ=America/New_York - + restart: always + labels: + - diun.enable=true volumes: gluetun_data: null sabnzbd_data: null tautulli: null - -networks: - cloudflare_default: - external: true +networks: {} diff --git a/memos/docker-compose.yml b/memos/docker-compose.yml index 70f1b85..fee700a 100644 --- a/memos/docker-compose.yml +++ b/memos/docker-compose.yml @@ -6,10 +6,7 @@ services: - ./.memos/:/var/opt/memos ports: - 5230:5230 - networks: - - cloudflare_default restart: unless-stopped - -networks: - cloudflare_default: - external: true \ No newline at end of file + labels: + - diun.enable=true +networks: {} diff --git a/metube/docker-compose.yml b/metube/docker-compose.yml index c3a05f5..9ce9cea 100644 --- a/metube/docker-compose.yml +++ b/metube/docker-compose.yml @@ -13,4 +13,5 @@ services: - 7081:8081 volumes: - /mnt/share/media/metube:/downloads -networks: {} + labels: + - diun.enable=true diff --git a/nginxproxymanager/docker-compose.yml b/nginxproxymanager/docker-compose.yml index 10f697a..40c7c00 100644 --- a/nginxproxymanager/docker-compose.yml +++ b/nginxproxymanager/docker-compose.yml @@ -25,13 +25,13 @@ services: DB_MYSQL_USER: npm DB_MYSQL_PASSWORD: npm DB_MYSQL_NAME: npm - networks: - - cloudflare_default volumes: - ./data:/data - ./letsencrypt:/etc/letsencrypt depends_on: - db + labels: + - diun.enable=true db: image: jc21/mariadb-aria:latest restart: unless-stopped @@ -42,6 +42,5 @@ services: MYSQL_PASSWORD: npm volumes: - ./mysql:/var/lib/mysql -networks: - cloudflare_default: - external: true + labels: + - diun.enable=true diff --git a/ntfy/docker-compose.yml b/ntfy/docker-compose.yml index 1544d67..6612588 100644 
--- a/ntfy/docker-compose.yml +++ b/ntfy/docker-compose.yml @@ -15,3 +15,5 @@ services: - 4080:80 - 4443:443 restart: unless-stopped + labels: + - diun.enable=true diff --git a/pdf/docker-compose.yml b/pdf/docker-compose.yml index 9878c6e..2d806a5 100644 --- a/pdf/docker-compose.yml +++ b/pdf/docker-compose.yml @@ -13,12 +13,16 @@ services: - ./stirling/latest/config:/configs:rw - ./stirling/latest/logs:/logs:rw environment: - DOCKER_ENABLE_SECURITY: "false" - SECURITY_ENABLELOGIN: "false" - LANGS: en_US - SYSTEM_DEFAULTLOCALE: en-US - UI_APPNAME: Stirling-PDF - UI_HOMEDESCRIPTION: Demo site for Stirling-PDF Latest - UI_APPNAMENAVBAR: Stirling-PDF Latest + SECURITY_ENABLELOGIN: true + DOCKER_ENABLE_SECURITY: true + # SECURITY_INITIALLOGIN_USERNAME: ${SECURITY_INITIALLOGIN_USERNAME} + # SECURITY_INITIALLOGIN_PASSWORD: ${SECURITY_INITIALLOGIN_PASSWORD} + LANGS: "en-US" + SYSTEM_DEFAULTLOCALE: "en-US" + UI_APPNAME: "Stirling PDF" + UI_HOMEDESCRIPTION: "" + UI_APPNAMENAVBAR: "" SYSTEM_MAXFILESIZE: "100" - restart: unless-stopped \ No newline at end of file + restart: unless-stopped + labels: + - diun.enable=true \ No newline at end of file diff --git a/pdf/stirling/latest/config/custom_settings.yml b/pdf/stirling/latest/config/custom_settings.yml new file mode 100755 index 0000000..c22714e --- /dev/null +++ b/pdf/stirling/latest/config/custom_settings.yml 
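Review bot: Turning on `SECURITY_ENABLELOGIN: true` / `DOCKER_ENABLE_SECURITY: true` while leaving `SECURITY_INITIALLOGIN_USERNAME`/`_PASSWORD` commented out means the first admin account comes from the committed `pdf/stirling/latest/config/settings.yml`, whose `initialLogin` block is still the upstream placeholder `admin` / `changeme!1`. Uncomment the two lines and supply the values from `.env`, or change the password on first login and confirm the settings file no longer records it. The switch from quoted `"false"` to bare `true` changes the YAML type from string to boolean; keep them quoted, `SECURITY_ENABLELOGIN: "true"`, for consistency with `SYSTEM_MAXFILESIZE: "100"` below.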
@@ -0,0 +1,134 @@ +############################################################################################################# +# Welcome to settings file from # +# ____ _____ ___ ____ _ ___ _ _ ____ ____ ____ _____ # +# / ___|_ _|_ _| _ \| | |_ _| \ | |/ ___| | _ \| _ \| ___| # +# \___ \ | | | || |_) | | | || \| | | _ _____| |_) | | | | |_ # +# ___) || | | || _ <| |___ | || |\ | |_| |_____| __/| |_| | _| # +# |____/ |_| |___|_| \_\_____|___|_| \_|\____| |_| |____/|_| # +# # +# Do not comment out any entry, it will be removed on next startup # +# If you want to override with environment parameter follow parameter naming SECURITY_INITIALLOGIN_USERNAME # +############################################################################################################# + + +security: + enableLogin: 'true' # set to 'true' to enable login + csrfDisabled: 'false' # set to 'true' to disable CSRF protection (not recommended for production) + loginAttemptCount: 5 # lock user account after 5 tries; when using e.g. 
Fail2Ban you can deactivate the function with -1 + loginResetTimeMinutes: 120 # lock account for 2 hours after x attempts + loginMethod: normal # Accepts values like 'all' and 'normal'(only Login with Username/Password), 'oauth2'(only Login with OAuth2) or 'saml2'(only Login with SAML2) + initialLogin: + username: admin # initial username for the first login + password: changeme!1 # initial password for the first login + oauth2: + enabled: false # set to 'true' to enable login (Note: enableLogin must also be 'true' for this to work) + client: + keycloak: + issuer: '' # URL of the Keycloak realm's OpenID Connect Discovery endpoint + clientId: '' # client ID for Keycloak OAuth2 + clientSecret: '' # client secret for Keycloak OAuth2 + scopes: openid, profile, email # scopes for Keycloak OAuth2 + useAsUsername: preferred_username # field to use as the username for Keycloak OAuth2 + google: + clientId: '' # client ID for Google OAuth2 + clientSecret: '' # client secret for Google OAuth2 + scopes: https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/userinfo.profile # scopes for Google OAuth2 + useAsUsername: email # field to use as the username for Google OAuth2 + github: + clientId: '' # client ID for GitHub OAuth2 + clientSecret: '' # client secret for GitHub OAuth2 + scopes: read:user # scope for GitHub OAuth2 + useAsUsername: login # field to use as the username for GitHub OAuth2 + issuer: '' # set to any provider that supports OpenID Connect Discovery (/.well-known/openid-configuration) endpoint + clientId: '' # client ID from your provider + clientSecret: '' # client secret from your provider + autoCreateUser: true # set to 'true' to allow auto-creation of non-existing users + blockRegistration: false # set to 'true' to deny login with SSO without prior registration by an admin + useAsUsername: email # default is 'email'; custom fields can be used as the username + scopes: openid, profile, email # specify the scopes for which the 
application will request permissions + provider: google # set this to your OAuth provider's name, e.g., 'google' or 'keycloak' + saml2: + enabled: false # Only enabled for paid enterprise clients (enterpriseEdition.enabled must be true) + autoCreateUser: true # set to 'true' to allow auto-creation of non-existing users + blockRegistration: false # set to 'true' to deny login with SSO without prior registration by an admin + registrationId: stirling + idpMetadataUri: https://dev-XXXXXXXX.okta.com/app/externalKey/sso/saml/metadata + idpSingleLogoutUrl: https://dev-XXXXXXXX.okta.com/app/dev-XXXXXXXX_stirlingpdf_1/externalKey/slo/saml + idpSingleLoginUrl: https://dev-XXXXXXXX.okta.com/app/dev-XXXXXXXX_stirlingpdf_1/externalKey/sso/saml + idpIssuer: http://www.okta.com/externalKey + idpCert: classpath:okta.crt + privateKey: classpath:saml-private-key.key + spCert: classpath:saml-public-cert.crt + +enterpriseEdition: + enabled: false # set to 'true' to enable enterprise edition + key: 00000000-0000-0000-0000-000000000000 + SSOAutoLogin: false # Enable to auto login to first provided SSO + CustomMetadata: + autoUpdateMetadata: false # set to 'true' to automatically update metadata with below values + author: username # supports text such as 'John Doe' or types such as username to autopopulate with user's username + creator: Stirling-PDF # supports text such as 'Company-PDF' + producer: Stirling-PDF # supports text such as 'Company-PDF' + +legal: + termsAndConditions: https://www.stirlingpdf.com/terms-and-conditions # URL to the terms and conditions of your application (e.g. https://example.com/terms). Empty string to disable or filename to load from local file in static folder + privacyPolicy: https://www.stirlingpdf.com/privacy-policy # URL to the privacy policy of your application (e.g. https://example.com/privacy). 
Empty string to disable or filename to load from local file in static folder + accessibilityStatement: '' # URL to the accessibility statement of your application (e.g. https://example.com/accessibility). Empty string to disable or filename to load from local file in static folder + cookiePolicy: '' # URL to the cookie policy of your application (e.g. https://example.com/cookie). Empty string to disable or filename to load from local file in static folder + impressum: '' # URL to the impressum of your application (e.g. https://example.com/impressum). Empty string to disable or filename to load from local file in static folder + +system: + defaultLocale: en-US # set the default language (e.g. 'de-DE', 'fr-FR', etc) + googlevisibility: false # 'true' to allow Google visibility (via robots.txt), 'false' to disallow + enableAlphaFunctionality: false # set to enable functionality which might need more testing before it fully goes live (this feature might make no changes) + showUpdate: false # see when a new update is available + showUpdateOnlyAdmin: false # only admins can see when a new update is available, depending on showUpdate it must be set to 'true' + customHTMLFiles: false # enable to have files placed in /customFiles/templates override the existing template HTML files + tessdataDir: /usr/share/tessdata # path to the directory containing the Tessdata files. This setting is relevant for Windows systems. For Windows users, this path should be adjusted to point to the appropriate directory where the Tessdata files are stored. + enableAnalytics: 'true' # set to 'true' to enable analytics, set to 'false' to disable analytics; for enterprise users, this is set to true + datasource: + enableCustomDatabase: false # Enterprise users ONLY, set this property to 'true' if you would like to use your own custom database configuration + customDatabaseUrl: '' # eg jdbc:postgresql://localhost:5432/postgres, set the url for your own custom database connection. 
If provided, the type, hostName, port and name are not necessary and will not be used + username: postgres # set the database username + password: postgres # set the database password + type: postgresql # the type of the database to set (e.g. 'h2', 'postgresql') + hostName: localhost # the host name to use for the database url. Set to 'localhost' when running the app locally. Set to match the name of the container name of your database container when running the app on a server (Docker configuration) + port: 5432 # set the port number of the database. Ensure this matches the port the database is listening to + name: postgres # set the name of your database. Should match the name of the database you create + +ui: + appName: '' # application's visible name + homeDescription: '' # short description or tagline shown on the homepage + appNameNavbar: '' # name displayed on the navigation bar + +endpoints: + toRemove: [] # list endpoints to disable (e.g. ['img-to-pdf', 'remove-pages']) + groupsToRemove: [] # list groups to disable (e.g. ['LibreOffice']) + +metrics: + enabled: 'false' # 'true' to enable Info APIs (`/api/*`) endpoints, 'false' to disable + +# Automatically Generated Settings (Do Not Edit Directly) +AutomaticallyGenerated: + key: 241af3aa-bb38-4e14-a593-939b64d1d7a3 + UUID: 78ddd78f-688c-4b07-a351-edb8580f1fbd + appVersion: 0.39.0 + +processExecutor: + sessionLimit: # Process executor instances limits + libreOfficeSessionLimit: 1 + pdfToHtmlSessionLimit: 1 + qpdfSessionLimit: 4 + tesseractSessionLimit: 1 + pythonOpenCvSessionLimit: 8 + weasyPrintSessionLimit: 16 + installAppSessionLimit: 1 + calibreSessionLimit: 1 + timeoutMinutes: # Process executor timeout in minutes + libreOfficetimeoutMinutes: 30 + pdfToHtmltimeoutMinutes: 20 + pythonOpenCvtimeoutMinutes: 30 + weasyPrinttimeoutMinutes: 30 + installApptimeoutMinutes: 60 + calibretimeoutMinutes: 30 + tesseractTimeoutMinutes: 30 
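Review bot: `initialLogin` in the `security` block keeps the upstream defaults `username: admin` / `password: changeme!1` while `enableLogin: 'true'` is set, so the committed file documents the first credential anyone would try; override them through the `SECURITY_INITIALLOGIN_*` environment parameters the header comment describes, or at least confirm the password was rotated in the running instance. The `AutomaticallyGenerated` block (`key`, `UUID`, `appVersion`) is per-instance state the application writes itself and `enableAnalytics: 'true'` reports usage upstream; neither belongs in a tracked template, and an identical `settings.yml` is added alongside, so one of the two files is likely redundant. The banner's warning that commented-out entries are removed on startup explains why the unused `saml2` and `enterpriseEdition` sections must stay present with `enabled: false`.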
diff --git a/pdf/stirling/latest/config/settings.yml b/pdf/stirling/latest/config/settings.yml new file mode 100755 index 0000000..25df2ec --- /dev/null +++ b/pdf/stirling/latest/config/settings.yml 
@@ -0,0 +1,135 @@
+#############################################################################################################
+# Welcome to settings file from #
+# ____ _____ ___ ____ _ ___ _ _ ____ ____ ____ _____ #
+# / ___|_ _|_ _| _ \| | |_ _| \ | |/ ___| | _ \| _ \| ___| #
+# \___ \ | | | || |_) | | | || \| | | _ _____| |_) | | | | |_ #
+# ___) || | | || _ <| |___ | || |\ | |_| |_____| __/| |_| | _| #
+# |____/ |_| |___|_| \_\_____|___|_| \_|\____| |_| |____/|_| #
+# #
+# Do not comment out any entry, it will be removed on next startup #
+# If you want to override with environment parameter follow parameter naming SECURITY_INITIALLOGIN_USERNAME #
+#############################################################################################################
+
+
+security:
+ enableLogin: 'true' # set to 'true' to enable login
+ csrfDisabled: 'false' # set to 'true' to disable CSRF protection (not recommended for production)
+ loginAttemptCount: 5 # lock user account after 5 tries; when using e.g. Fail2Ban you can deactivate the function with -1
+ loginResetTimeMinutes: 120 # lock account for 2 hours after x attempts
+ loginMethod: normal # Accepts values like 'all' and 'normal'(only Login with Username/Password), 'oauth2'(only Login with OAuth2) or 'saml2'(only Login with SAML2)
+ initialLogin:
+ username: admin # initial username for the first login
+ password: changeme!1 # initial password for the first login
+ oauth2:
+ enabled: false # set to 'true' to enable login (Note: enableLogin must also be 'true' for this to work)
+ client:
+ keycloak:
+ issuer: '' # URL of the Keycloak realm's OpenID Connect Discovery endpoint
+ clientId: '' # client ID for Keycloak OAuth2
+ clientSecret: '' # client secret for Keycloak OAuth2
+ scopes: openid, profile, email # scopes for Keycloak OAuth2
+ useAsUsername: preferred_username # field to use as the username for Keycloak OAuth2
+ google:
+ clientId: '' # client ID for Google OAuth2
+ clientSecret: '' # client secret for Google OAuth2
+ scopes: https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/userinfo.profile # scopes for Google OAuth2
+ useAsUsername: email # field to use as the username for Google OAuth2
+ github:
+ clientId: '' # client ID for GitHub OAuth2
+ clientSecret: '' # client secret for GitHub OAuth2
+ scopes: read:user # scope for GitHub OAuth2
+ useAsUsername: login # field to use as the username for GitHub OAuth2
+ issuer: '' # set to any provider that supports OpenID Connect Discovery (/.well-known/openid-configuration) endpoint
+ clientId: '' # client ID from your provider
+ clientSecret: '' # client secret from your provider
+ autoCreateUser: true # set to 'true' to allow auto-creation of non-existing users
+ blockRegistration: false # set to 'true' to deny login with SSO without prior registration by an admin
+ useAsUsername: email # default is 'email'; custom fields can be used as the username
+ scopes: openid, profile, email # specify the scopes for which the application will request permissions
+ provider: google # set this to your OAuth provider's name, e.g., 'google' or 'keycloak'
+ saml2:
+ enabled: false # Only enabled for paid enterprise clients (enterpriseEdition.enabled must be true)
+ autoCreateUser: true # set to 'true' to allow auto-creation of non-existing users
+ blockRegistration: false # set to 'true' to deny login with SSO without prior registration by an admin
+ registrationId: stirling
+ idpMetadataUri: https://dev-XXXXXXXX.okta.com/app/externalKey/sso/saml/metadata
+ idpSingleLogoutUrl: https://dev-XXXXXXXX.okta.com/app/dev-XXXXXXXX_stirlingpdf_1/externalKey/slo/saml
+ idpSingleLoginUrl: https://dev-XXXXXXXX.okta.com/app/dev-XXXXXXXX_stirlingpdf_1/externalKey/sso/saml
+ idpIssuer: http://www.okta.com/externalKey
+ idpCert: classpath:okta.crt
+ privateKey: classpath:saml-private-key.key
+ spCert: classpath:saml-public-cert.crt
+
+enterpriseEdition:
+ enabled: false # set to 'true' to enable enterprise edition
+ key: 00000000-0000-0000-0000-000000000000
+ SSOAutoLogin: false # Enable to auto login to first provided SSO
+ CustomMetadata:
+ autoUpdateMetadata: false # set to 'true' to automatically update metadata with below values
+ author: username # supports text such as 'John Doe' or types such as username to autopopulate with user's username
+ creator: Stirling-PDF # supports text such as 'Company-PDF'
+ producer: Stirling-PDF # supports text such as 'Company-PDF'
+
+legal:
+ termsAndConditions: https://www.stirlingpdf.com/terms-and-conditions # URL to the terms and conditions of your application (e.g. https://example.com/terms). Empty string to disable or filename to load from local file in static folder
+ privacyPolicy: https://www.stirlingpdf.com/privacy-policy # URL to the privacy policy of your application (e.g. https://example.com/privacy). Empty string to disable or filename to load from local file in static folder
+ accessibilityStatement: '' # URL to the accessibility statement of your application (e.g. https://example.com/accessibility). Empty string to disable or filename to load from local file in static folder
+ cookiePolicy: '' # URL to the cookie policy of your application (e.g. https://example.com/cookie). Empty string to disable or filename to load from local file in static folder
+ impressum: '' # URL to the impressum of your application (e.g. https://example.com/impressum). Empty string to disable or filename to load from local file in static folder
+
+system:
+ defaultLocale: en-US # set the default language (e.g. 'de-DE', 'fr-FR', etc)
+ googlevisibility: false # 'true' to allow Google visibility (via robots.txt), 'false' to disallow
+ enableAlphaFunctionality: false # set to enable functionality which might need more testing before it fully goes live (this feature might make no changes)
+ showUpdate: false # see when a new update is available
+ showUpdateOnlyAdmin: false # only admins can see when a new update is available, depending on showUpdate it must be set to 'true'
+ customHTMLFiles: false # enable to have files placed in /customFiles/templates override the existing template HTML files
+ tessdataDir: /usr/share/tessdata # path to the directory containing the Tessdata files. This setting is relevant for Windows systems. For Windows users, this path should be adjusted to point to the appropriate directory where the Tessdata files are stored.
+ enableAnalytics: 'true' # set to 'true' to enable analytics, set to 'false' to disable analytics; for enterprise users, this is set to true
+ disableSanitize: false # set to true to disable Sanitize HTML; (can lead to injections in HTML)
+ datasource:
+ enableCustomDatabase: false # Enterprise users ONLY, set this property to 'true' if you would like to use your own custom database configuration
+ customDatabaseUrl: '' # eg jdbc:postgresql://localhost:5432/postgres, set the url for your own custom database connection. If provided, the type, hostName, port and name are not necessary and will not be used
+ username: postgres # set the database username
+ password: postgres # set the database password
+ type: postgresql # the type of the database to set (e.g. 'h2', 'postgresql')
+ hostName: localhost # the host name to use for the database url. Set to 'localhost' when running the app locally. Set to match the name of the container name of your database container when running the app on a server (Docker configuration)
+ port: 5432 # set the port number of the database. Ensure this matches the port the database is listening to
+ name: postgres # set the name of your database. Should match the name of the database you create
+
+ui:
+ appName: '' # application's visible name
+ homeDescription: '' # short description or tagline shown on the homepage
+ appNameNavbar: '' # name displayed on the navigation bar
+
+endpoints:
+ toRemove: [] # list endpoints to disable (e.g. ['img-to-pdf', 'remove-pages'])
+ groupsToRemove: [] # list groups to disable (e.g. ['LibreOffice'])
+
+metrics:
+ enabled: 'false' # 'true' to enable Info APIs (`/api/*`) endpoints, 'false' to disable
+
+# Automatically Generated Settings (Do Not Edit Directly)
+AutomaticallyGenerated:
+ key: 241af3aa-bb38-4e14-a593-939b64d1d7a3
+ UUID: 78ddd78f-688c-4b07-a351-edb8580f1fbd
+ appVersion: 0.40.1
+
+processExecutor:
+ sessionLimit: # Process executor instances limits
+ libreOfficeSessionLimit: 1
+ pdfToHtmlSessionLimit: 1
+ qpdfSessionLimit: 4
+ tesseractSessionLimit: 1
+ pythonOpenCvSessionLimit: 8
+ weasyPrintSessionLimit: 16
+ installAppSessionLimit: 1
+ calibreSessionLimit: 1
+ timeoutMinutes: # Process executor timeout in minutes
+ libreOfficetimeoutMinutes: 30
+ pdfToHtmltimeoutMinutes: 20
+ pythonOpenCvtimeoutMinutes: 30
+ weasyPrinttimeoutMinutes: 30
+ installApptimeoutMinutes: 60
+ calibretimeoutMinutes: 30
+ tesseractTimeoutMinutes: 30
diff --git a/pinchflat/docker-compose.yml b/pinchflat/docker-compose.yml
index 8057001..8f2ab66 100644
--- a/pinchflat/docker-compose.yml
+++ b/pinchflat/docker-compose.yml
@@ -8,6 +8,6 @@ services:
 - ./config:/config
 - /mnt/share/media/youtube:/downloads
 image: ghcr.io/kieraneglin/pinchflat:latest
-networks:
- cloudflare_default:
- external: true
+ restart: unless-stopped
+ labels:
+ - diun.enable=true
diff --git a/speedtest/docker-compose.yml b/speedtest/docker-compose.yml
index c03b9a1..98d9ad1 100644
--- a/speedtest/docker-compose.yml
+++ b/speedtest/docker-compose.yml
@@ -14,8 +14,10 @@ services:
 - SPEEDTEST_SERVERS=${SPEEDTEST_SERVERS}
 - SPEEDTEST_PING_URL=${SPEEDTEST_PING_URL}
 - PRUNE_RESULTS_OLDER_THAN=${PRUNE_RESULTS_OLDER_THAN}
- - TZ=${APP_TIMEZONE}
+ - DISPLAY_TIMEZONE=${APP_TIMEZONE}
 volumes:
 - ./config:/config
 restart: unless-stopped
+ labels:
+ - diun.enable=true
 networks: {}
diff --git a/uptime-kuma/docker-compose.yml b/uptime-kuma/docker-compose.yml
index 08ae47f..4325f11 100644
--- a/uptime-kuma/docker-compose.yml
+++ b/uptime-kuma/docker-compose.yml
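Review bot: The new `pdf/stirling/latest/config/settings.yml` commits `password: changeme!1` under `initialLogin` and `password: postgres` under `datasource` in plaintext, and with `enableLogin: 'true'` the initial admin credential is live from first boot if it was never changed in the UI; unless the file is excluded from the repository somewhere not shown here, these values are now part of git history. The file's own banner says any entry can be overridden by environment variable, so the credential belongs in the already-ignored `.env` as `SECURITY_INITIALLOGIN_PASSWORD=<value>` with the committed line reduced to a non-working placeholder, or the whole file added to `.gitignore` with only a `settings.yml.example` tracked. The `AutomaticallyGenerated.key` and `UUID` values look instance-specific and are marked "Do Not Edit Directly"; if either is used as a real secret, only rotating it undoes the publication, since removing the line later does not scrub history. Separately, `new file mode 100755` sets the executable bit on a YAML config that does not need it — `chmod 644` before committing.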
@@ -7,8 +7,9 @@ services:
 ports:
 - 6001:3001
 restart: unless-stopped
-
+ labels:
+ - diun.enable=true
 volumes:
- uptime-kuma:
+ uptime-kuma:
 name: uptime-kuma
 external: true
diff --git a/vaultwarden/docker-compose.yml b/vaultwarden/docker-compose.yml
index 389df35..8c93f5f 100644
--- a/vaultwarden/docker-compose.yml
+++ b/vaultwarden/docker-compose.yml
@@ -14,7 +14,8 @@ services:
 - ROCKET_PORT=80
 - ROCKET_PROFILE=release
 restart: always
-
+ labels:
+ - diun.enable=true
 volumes:
 vaultwarden_data:
 name: vaultwarden_data