From 602efb113d2912140598227f59427bdb02d8a7d3 Mon Sep 17 00:00:00 2001 From: Peter Wood Date: Sat, 25 Jan 2025 23:13:13 +0000 Subject: [PATCH 01/28] replaced protonvpn with airvpn --- media/docker-compose.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/media/docker-compose.yml b/media/docker-compose.yml index d9dda3b..0efcaeb 100644 --- a/media/docker-compose.yml +++ b/media/docker-compose.yml @@ -16,13 +16,13 @@ services: - gluetun_data:/gluetun environment: # See https://github.com/qdm12/gluetun/wiki - - VPN_SERVICE_PROVIDER=protonvpn - - OPENVPN_USER=${OPENVPN_USER} - - OPENVPN_PASSWORD=${OPENVPN_PASSWORD} + - VPN_SERVICE_PROVIDER=airvpn + - VPN_TYPE=wireguard + - WIREGUARD_PRIVATE_KEY=${WIREGUARD_PRIVATE_KEY} + - WIREGUARD_PRESHARED_KEY=${WIREGUARD_PRESHARED_KEY} + - WIREGUARD_ADDRESSES=${WIREGUARD_ADDRESSES} - TZ=America/New_York # Timezone for accurate log times - SERVER_COUNTRIES=United States - # - SERVER_CITIES=Stockholm - # - SERVER_HOSTNAMES: Comma separated list of server hostnames restart: always sabnzbd: image: lscr.io/linuxserver/sabnzbd:latest From 14c0be924419d981a765617608663efd95ea5224 Mon Sep 17 00:00:00 2001 From: Peter Wood Date: Wed, 12 Feb 2025 13:18:32 +0000 Subject: [PATCH 02/28] removed cloudflare network --- homepage/docker-compose.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/homepage/docker-compose.yml b/homepage/docker-compose.yml index e152370..bc892d9 100644 --- a/homepage/docker-compose.yml +++ b/homepage/docker-compose.yml @@ -12,6 +12,3 @@ services: - ./config:/app/config - /var/run/docker.sock:/var/run/docker.sock:ro restart: unless-stopped -networks: - cloudflare_default: - external: true From 324e7b252820d6dca1a9dcbe8f0d37476e0507e0 Mon Sep 17 00:00:00 2001 
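Review bot: The WireGuard private key and pre-shared key are handed to the container as plain environment variables (`WIREGUARD_PRIVATE_KEY=${WIREGUARD_PRIVATE_KEY}` and the line after it), which leaves them readable through `docker inspect` and to every process inside the container, whereas the `.env` file they come from is gitignored later in this series. gluetun can read the same values from files through the `_SECRETFILE` variants of these variables, so a compose `secrets:` entry plus `WIREGUARD_PRIVATE_KEY_SECRETFILE=/run/secrets/<secret-name>` would keep the key material out of the inspect output; confirm the exact variable names against the wiki linked in the comment above the list. The gluetun service definition starts before this hunk.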
From: Peter Wood Date: Wed, 12 Feb 2025 13:19:44 +0000 Subject: [PATCH 03/28] enable security features and update environment variables in docker-compose.yml --- pdf/docker-compose.yml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/pdf/docker-compose.yml b/pdf/docker-compose.yml index 9878c6e..d11546a 100644 --- a/pdf/docker-compose.yml +++ b/pdf/docker-compose.yml @@ -13,12 +13,14 @@ services: - ./stirling/latest/config:/configs:rw - ./stirling/latest/logs:/logs:rw environment: - DOCKER_ENABLE_SECURITY: "false" - SECURITY_ENABLELOGIN: "false" - LANGS: en_US - SYSTEM_DEFAULTLOCALE: en-US - UI_APPNAME: Stirling-PDF - UI_HOMEDESCRIPTION: Demo site for Stirling-PDF Latest - UI_APPNAMENAVBAR: Stirling-PDF Latest + SECURITY_ENABLELOGIN: true + DOCKER_ENABLE_SECURITY: true + # SECURITY_INITIALLOGIN_USERNAME: ${SECURITY_INITIALLOGIN_USERNAME} + # SECURITY_INITIALLOGIN_PASSWORD: ${SECURITY_INITIALLOGIN_PASSWORD} + LANGS: "en-US" + SYSTEM_DEFAULTLOCALE: "en-US" + UI_APPNAME: "Stirling PDF" + UI_HOMEDESCRIPTION: "" + UI_APPNAMENAVBAR: "" SYSTEM_MAXFILESIZE: "100" restart: unless-stopped \ No newline at end of file From 681b1eb0b07720a3f3cdf3c07b6fc11e99ccbe44 Mon Sep 17 00:00:00 2001 From: Peter Wood Date: Wed, 12 Feb 2025 13:30:45 +0000 Subject: [PATCH 04/28] update search provider to Google, enhance .gitignore for stirling, and add custom settings for security configuration --- .gitignore | 8 +- homepage/config/services.yaml | 8 +- homepage/config/widgets.yaml | 2 +- .../latest/config/custom_settings.yml | 134 +++++++++++++++++ pdf/stirling/latest/config/settings.yml | 135 ++++++++++++++++++ 5 files changed, 283 insertions(+), 4 deletions(-) create mode 100755 pdf/stirling/latest/config/custom_settings.yml create mode 100755 pdf/stirling/latest/config/settings.yml diff --git a/.gitignore b/.gitignore index 702c9da..b3b4d84 100644 --- a/.gitignore +++ b/.gitignore 
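Review bot: `SECURITY_ENABLELOGIN: true` and `DOCKER_ENABLE_SECURITY: true` are unquoted, so the YAML parser turns them into booleans; map-style `environment:` values are expected to be strings and the removed lines kept them quoted for exactly that reason, so write `SECURITY_ENABLELOGIN: "true"` and `DOCKER_ENABLE_SECURITY: "true"` (or switch to the `KEY=value` list form). Enabling login while `SECURITY_INITIALLOGIN_USERNAME` and `SECURITY_INITIALLOGIN_PASSWORD` stay commented out means the first admin account comes from whatever the settings file provides, which in the next commit of this series is the stock `admin` / `changeme!1` pair; either set both variables from `.env` or document that the default password must be changed on first login. The service definition starts before this hunk.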
@@ -1,3 +1,4 @@ + cloudflare/tailscale/ nginxproxymanager/*/ media/audiobookshelf/ @@ -8,7 +9,12 @@ pinchflat/ homepage/config/logs/ speedtest/config/ caddy/ts-caddy/ -pdf/stirling + +# stirling +pdf/stirling/latest/data +pdf/stirling/latest/logs +pdf/stirling/latest/config/db/backup +pdf/stirling/latest/config/*.db # ignore environment files .env diff --git a/homepage/config/services.yaml b/homepage/config/services.yaml index af314dd..2b25c00 100644 --- a/homepage/config/services.yaml +++ b/homepage/config/services.yaml @@ -56,21 +56,25 @@ - racknerd: icon: docker.png href: http://ts-racknerd:5001 - description: racknerd docker containers. + description: racknerd docker containers. - Stocks: - Stocks: - icon: stock.png + icon: stocks.png widget: type: stocks provider: finnhub color: true cache: 1 watchlist: + - ACHR - AAPL - AMZN - DIS - GOOG + - JEPQ - META - MSFT - NVDA + - RDW + diff --git a/homepage/config/widgets.yaml b/homepage/config/widgets.yaml index 23c8d61..a2612b8 100644 --- a/homepage/config/widgets.yaml +++ b/homepage/config/widgets.yaml @@ -8,5 +8,5 @@ disk: / - search: - provider: duckduckgo + provider: google target: _blank diff --git a/pdf/stirling/latest/config/custom_settings.yml b/pdf/stirling/latest/config/custom_settings.yml new file mode 100755 index 0000000..c22714e --- /dev/null +++ b/pdf/stirling/latest/config/custom_settings.yml 
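Review bot: The second hunk replaces the blanket `pdf/stirling` entry with data, logs, db-backup and `*.db` patterns, so `pdf/stirling/latest/config/*.yml` becomes tracked, and this same commit then adds `custom_settings.yml` and `settings.yml` containing `initialLogin.password`, a datasource password and the instance-specific `AutomaticallyGenerated` key and UUID. The `settings.yml` header says entries are rewritten on startup and the `AutomaticallyGenerated` block is marked "Do Not Edit Directly", so that file looks like runtime state rather than source; add `pdf/stirling/latest/config/settings.yml` to this hunk and keep only a credential-free `custom_settings.yml` under version control. The first hunk's added blank line before `cloudflare/tailscale/` is harmless but appears unintentional.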
@@ -0,0 +1,134 @@ +############################################################################################################# +# Welcome to settings file from # +# ____ _____ ___ ____ _ ___ _ _ ____ ____ ____ _____ # +# / ___|_ _|_ _| _ \| | |_ _| \ | |/ ___| | _ \| _ \| ___| # +# \___ \ | | | || |_) | | | || \| | | _ _____| |_) | | | | |_ # +# ___) || | | || _ <| |___ | || |\ | |_| |_____| __/| |_| | _| # +# |____/ |_| |___|_| \_\_____|___|_| \_|\____| |_| |____/|_| # +# # +# Do not comment out any entry, it will be removed on next startup # +# If you want to override with environment parameter follow parameter naming SECURITY_INITIALLOGIN_USERNAME # +############################################################################################################# + + +security: + enableLogin: 'true' # set to 'true' to enable login + csrfDisabled: 'false' # set to 'true' to disable CSRF protection (not recommended for production) + loginAttemptCount: 5 # lock user account after 5 tries; when using e.g. 
Fail2Ban you can deactivate the function with -1 + loginResetTimeMinutes: 120 # lock account for 2 hours after x attempts + loginMethod: normal # Accepts values like 'all' and 'normal'(only Login with Username/Password), 'oauth2'(only Login with OAuth2) or 'saml2'(only Login with SAML2) + initialLogin: + username: admin # initial username for the first login + password: changeme!1 # initial password for the first login + oauth2: + enabled: false # set to 'true' to enable login (Note: enableLogin must also be 'true' for this to work) + client: + keycloak: + issuer: '' # URL of the Keycloak realm's OpenID Connect Discovery endpoint + clientId: '' # client ID for Keycloak OAuth2 + clientSecret: '' # client secret for Keycloak OAuth2 + scopes: openid, profile, email # scopes for Keycloak OAuth2 + useAsUsername: preferred_username # field to use as the username for Keycloak OAuth2 + google: + clientId: '' # client ID for Google OAuth2 + clientSecret: '' # client secret for Google OAuth2 + scopes: https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/userinfo.profile # scopes for Google OAuth2 + useAsUsername: email # field to use as the username for Google OAuth2 + github: + clientId: '' # client ID for GitHub OAuth2 + clientSecret: '' # client secret for GitHub OAuth2 + scopes: read:user # scope for GitHub OAuth2 + useAsUsername: login # field to use as the username for GitHub OAuth2 + issuer: '' # set to any provider that supports OpenID Connect Discovery (/.well-known/openid-configuration) endpoint + clientId: '' # client ID from your provider + clientSecret: '' # client secret from your provider + autoCreateUser: true # set to 'true' to allow auto-creation of non-existing users + blockRegistration: false # set to 'true' to deny login with SSO without prior registration by an admin + useAsUsername: email # default is 'email'; custom fields can be used as the username + scopes: openid, profile, email # specify the scopes for which the 
application will request permissions + provider: google # set this to your OAuth provider's name, e.g., 'google' or 'keycloak' + saml2: + enabled: false # Only enabled for paid enterprise clients (enterpriseEdition.enabled must be true) + autoCreateUser: true # set to 'true' to allow auto-creation of non-existing users + blockRegistration: false # set to 'true' to deny login with SSO without prior registration by an admin + registrationId: stirling + idpMetadataUri: https://dev-XXXXXXXX.okta.com/app/externalKey/sso/saml/metadata + idpSingleLogoutUrl: https://dev-XXXXXXXX.okta.com/app/dev-XXXXXXXX_stirlingpdf_1/externalKey/slo/saml + idpSingleLoginUrl: https://dev-XXXXXXXX.okta.com/app/dev-XXXXXXXX_stirlingpdf_1/externalKey/sso/saml + idpIssuer: http://www.okta.com/externalKey + idpCert: classpath:okta.crt + privateKey: classpath:saml-private-key.key + spCert: classpath:saml-public-cert.crt + +enterpriseEdition: + enabled: false # set to 'true' to enable enterprise edition + key: 00000000-0000-0000-0000-000000000000 + SSOAutoLogin: false # Enable to auto login to first provided SSO + CustomMetadata: + autoUpdateMetadata: false # set to 'true' to automatically update metadata with below values + author: username # supports text such as 'John Doe' or types such as username to autopopulate with user's username + creator: Stirling-PDF # supports text such as 'Company-PDF' + producer: Stirling-PDF # supports text such as 'Company-PDF' + +legal: + termsAndConditions: https://www.stirlingpdf.com/terms-and-conditions # URL to the terms and conditions of your application (e.g. https://example.com/terms). Empty string to disable or filename to load from local file in static folder + privacyPolicy: https://www.stirlingpdf.com/privacy-policy # URL to the privacy policy of your application (e.g. https://example.com/privacy). 
Empty string to disable or filename to load from local file in static folder + accessibilityStatement: '' # URL to the accessibility statement of your application (e.g. https://example.com/accessibility). Empty string to disable or filename to load from local file in static folder + cookiePolicy: '' # URL to the cookie policy of your application (e.g. https://example.com/cookie). Empty string to disable or filename to load from local file in static folder + impressum: '' # URL to the impressum of your application (e.g. https://example.com/impressum). Empty string to disable or filename to load from local file in static folder + +system: + defaultLocale: en-US # set the default language (e.g. 'de-DE', 'fr-FR', etc) + googlevisibility: false # 'true' to allow Google visibility (via robots.txt), 'false' to disallow + enableAlphaFunctionality: false # set to enable functionality which might need more testing before it fully goes live (this feature might make no changes) + showUpdate: false # see when a new update is available + showUpdateOnlyAdmin: false # only admins can see when a new update is available, depending on showUpdate it must be set to 'true' + customHTMLFiles: false # enable to have files placed in /customFiles/templates override the existing template HTML files + tessdataDir: /usr/share/tessdata # path to the directory containing the Tessdata files. This setting is relevant for Windows systems. For Windows users, this path should be adjusted to point to the appropriate directory where the Tessdata files are stored. + enableAnalytics: 'true' # set to 'true' to enable analytics, set to 'false' to disable analytics; for enterprise users, this is set to true + datasource: + enableCustomDatabase: false # Enterprise users ONLY, set this property to 'true' if you would like to use your own custom database configuration + customDatabaseUrl: '' # eg jdbc:postgresql://localhost:5432/postgres, set the url for your own custom database connection. 
If provided, the type, hostName, port and name are not necessary and will not be used + username: postgres # set the database username + password: postgres # set the database password + type: postgresql # the type of the database to set (e.g. 'h2', 'postgresql') + hostName: localhost # the host name to use for the database url. Set to 'localhost' when running the app locally. Set to match the name of the container name of your database container when running the app on a server (Docker configuration) + port: 5432 # set the port number of the database. Ensure this matches the port the database is listening to + name: postgres # set the name of your database. Should match the name of the database you create + +ui: + appName: '' # application's visible name + homeDescription: '' # short description or tagline shown on the homepage + appNameNavbar: '' # name displayed on the navigation bar + +endpoints: + toRemove: [] # list endpoints to disable (e.g. ['img-to-pdf', 'remove-pages']) + groupsToRemove: [] # list groups to disable (e.g. ['LibreOffice']) + +metrics: + enabled: 'false' # 'true' to enable Info APIs (`/api/*`) endpoints, 'false' to disable + +# Automatically Generated Settings (Do Not Edit Directly) +AutomaticallyGenerated: + key: 241af3aa-bb38-4e14-a593-939b64d1d7a3 + UUID: 78ddd78f-688c-4b07-a351-edb8580f1fbd + appVersion: 0.39.0 + +processExecutor: + sessionLimit: # Process executor instances limits + libreOfficeSessionLimit: 1 + pdfToHtmlSessionLimit: 1 + qpdfSessionLimit: 4 + tesseractSessionLimit: 1 + pythonOpenCvSessionLimit: 8 + weasyPrintSessionLimit: 16 + installAppSessionLimit: 1 + calibreSessionLimit: 1 + timeoutMinutes: # Process executor timeout in minutes + libreOfficetimeoutMinutes: 30 + pdfToHtmltimeoutMinutes: 20 + pythonOpenCvtimeoutMinutes: 30 + weasyPrinttimeoutMinutes: 30 + installApptimeoutMinutes: 60 + calibretimeoutMinutes: 30 + tesseractTimeoutMinutes: 30 
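Review bot: `initialLogin.password: changeme!1` and `initialLogin.username: admin` are committed alongside `AutomaticallyGenerated.key` and `AutomaticallyGenerated.UUID`, which are values the application generates per instance; with `enableLogin: 'true'` this file is what bootstraps the admin account, so the tracked copy should carry a placeholder and the real value should come from the `SECURITY_INITIALLOGIN_PASSWORD` override the header comment describes. Boolean-like settings are quoted inconsistently within the file (`enableLogin: 'true'`, `csrfDisabled: 'false'`, `metrics.enabled: 'false'` as strings versus `oauth2.enabled: false`, `googlevisibility: false` as booleans); if the loader accepts both, picking one form would avoid a future parser surprise, otherwise the string form should be documented as required. The `settings.yml` hunk that follows is a near-verbatim copy of this file apart from `appVersion` and the extra `disableSanitize` entry, so one of the two appears to be a stale snapshot; a short comment at the top of this file stating which of the two is the hand-maintained one would help the next maintainer.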
diff --git a/pdf/stirling/latest/config/settings.yml b/pdf/stirling/latest/config/settings.yml new file mode 100755 index 0000000..25df2ec --- /dev/null +++ b/pdf/stirling/latest/config/settings.yml 
@@ -0,0 +1,135 @@ +############################################################################################################# +# Welcome to settings file from # +# ____ _____ ___ ____ _ ___ _ _ ____ ____ ____ _____ # +# / ___|_ _|_ _| _ \| | |_ _| \ | |/ ___| | _ \| _ \| ___| # +# \___ \ | | | || |_) | | | || \| | | _ _____| |_) | | | | |_ # +# ___) || | | || _ <| |___ | || |\ | |_| |_____| __/| |_| | _| # +# |____/ |_| |___|_| \_\_____|___|_| \_|\____| |_| |____/|_| # +# # +# Do not comment out any entry, it will be removed on next startup # +# If you want to override with environment parameter follow parameter naming SECURITY_INITIALLOGIN_USERNAME # +############################################################################################################# + + +security: + enableLogin: 'true' # set to 'true' to enable login + csrfDisabled: 'false' # set to 'true' to disable CSRF protection (not recommended for production) + loginAttemptCount: 5 # lock user account after 5 tries; when using e.g. 
Fail2Ban you can deactivate the function with -1 + loginResetTimeMinutes: 120 # lock account for 2 hours after x attempts + loginMethod: normal # Accepts values like 'all' and 'normal'(only Login with Username/Password), 'oauth2'(only Login with OAuth2) or 'saml2'(only Login with SAML2) + initialLogin: + username: admin # initial username for the first login + password: changeme!1 # initial password for the first login + oauth2: + enabled: false # set to 'true' to enable login (Note: enableLogin must also be 'true' for this to work) + client: + keycloak: + issuer: '' # URL of the Keycloak realm's OpenID Connect Discovery endpoint + clientId: '' # client ID for Keycloak OAuth2 + clientSecret: '' # client secret for Keycloak OAuth2 + scopes: openid, profile, email # scopes for Keycloak OAuth2 + useAsUsername: preferred_username # field to use as the username for Keycloak OAuth2 + google: + clientId: '' # client ID for Google OAuth2 + clientSecret: '' # client secret for Google OAuth2 + scopes: https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/userinfo.profile # scopes for Google OAuth2 + useAsUsername: email # field to use as the username for Google OAuth2 + github: + clientId: '' # client ID for GitHub OAuth2 + clientSecret: '' # client secret for GitHub OAuth2 + scopes: read:user # scope for GitHub OAuth2 + useAsUsername: login # field to use as the username for GitHub OAuth2 + issuer: '' # set to any provider that supports OpenID Connect Discovery (/.well-known/openid-configuration) endpoint + clientId: '' # client ID from your provider + clientSecret: '' # client secret from your provider + autoCreateUser: true # set to 'true' to allow auto-creation of non-existing users + blockRegistration: false # set to 'true' to deny login with SSO without prior registration by an admin + useAsUsername: email # default is 'email'; custom fields can be used as the username + scopes: openid, profile, email # specify the scopes for which the 
application will request permissions + provider: google # set this to your OAuth provider's name, e.g., 'google' or 'keycloak' + saml2: + enabled: false # Only enabled for paid enterprise clients (enterpriseEdition.enabled must be true) + autoCreateUser: true # set to 'true' to allow auto-creation of non-existing users + blockRegistration: false # set to 'true' to deny login with SSO without prior registration by an admin + registrationId: stirling + idpMetadataUri: https://dev-XXXXXXXX.okta.com/app/externalKey/sso/saml/metadata + idpSingleLogoutUrl: https://dev-XXXXXXXX.okta.com/app/dev-XXXXXXXX_stirlingpdf_1/externalKey/slo/saml + idpSingleLoginUrl: https://dev-XXXXXXXX.okta.com/app/dev-XXXXXXXX_stirlingpdf_1/externalKey/sso/saml + idpIssuer: http://www.okta.com/externalKey + idpCert: classpath:okta.crt + privateKey: classpath:saml-private-key.key + spCert: classpath:saml-public-cert.crt + +enterpriseEdition: + enabled: false # set to 'true' to enable enterprise edition + key: 00000000-0000-0000-0000-000000000000 + SSOAutoLogin: false # Enable to auto login to first provided SSO + CustomMetadata: + autoUpdateMetadata: false # set to 'true' to automatically update metadata with below values + author: username # supports text such as 'John Doe' or types such as username to autopopulate with user's username + creator: Stirling-PDF # supports text such as 'Company-PDF' + producer: Stirling-PDF # supports text such as 'Company-PDF' + +legal: + termsAndConditions: https://www.stirlingpdf.com/terms-and-conditions # URL to the terms and conditions of your application (e.g. https://example.com/terms). Empty string to disable or filename to load from local file in static folder + privacyPolicy: https://www.stirlingpdf.com/privacy-policy # URL to the privacy policy of your application (e.g. https://example.com/privacy). 
Empty string to disable or filename to load from local file in static folder + accessibilityStatement: '' # URL to the accessibility statement of your application (e.g. https://example.com/accessibility). Empty string to disable or filename to load from local file in static folder + cookiePolicy: '' # URL to the cookie policy of your application (e.g. https://example.com/cookie). Empty string to disable or filename to load from local file in static folder + impressum: '' # URL to the impressum of your application (e.g. https://example.com/impressum). Empty string to disable or filename to load from local file in static folder + +system: + defaultLocale: en-US # set the default language (e.g. 'de-DE', 'fr-FR', etc) + googlevisibility: false # 'true' to allow Google visibility (via robots.txt), 'false' to disallow + enableAlphaFunctionality: false # set to enable functionality which might need more testing before it fully goes live (this feature might make no changes) + showUpdate: false # see when a new update is available + showUpdateOnlyAdmin: false # only admins can see when a new update is available, depending on showUpdate it must be set to 'true' + customHTMLFiles: false # enable to have files placed in /customFiles/templates override the existing template HTML files + tessdataDir: /usr/share/tessdata # path to the directory containing the Tessdata files. This setting is relevant for Windows systems. For Windows users, this path should be adjusted to point to the appropriate directory where the Tessdata files are stored. 
+ enableAnalytics: 'true' # set to 'true' to enable analytics, set to 'false' to disable analytics; for enterprise users, this is set to true + disableSanitize: false # set to true to disable Sanitize HTML; (can lead to injections in HTML) + datasource: + enableCustomDatabase: false # Enterprise users ONLY, set this property to 'true' if you would like to use your own custom database configuration + customDatabaseUrl: '' # eg jdbc:postgresql://localhost:5432/postgres, set the url for your own custom database connection. If provided, the type, hostName, port and name are not necessary and will not be used + username: postgres # set the database username + password: postgres # set the database password + type: postgresql # the type of the database to set (e.g. 'h2', 'postgresql') + hostName: localhost # the host name to use for the database url. Set to 'localhost' when running the app locally. Set to match the name of the container name of your database container when running the app on a server (Docker configuration) + port: 5432 # set the port number of the database. Ensure this matches the port the database is listening to + name: postgres # set the name of your database. Should match the name of the database you create + +ui: + appName: '' # application's visible name + homeDescription: '' # short description or tagline shown on the homepage + appNameNavbar: '' # name displayed on the navigation bar + +endpoints: + toRemove: [] # list endpoints to disable (e.g. ['img-to-pdf', 'remove-pages']) + groupsToRemove: [] # list groups to disable (e.g. 
['LibreOffice']) + +metrics: + enabled: 'false' # 'true' to enable Info APIs (`/api/*`) endpoints, 'false' to disable + +# Automatically Generated Settings (Do Not Edit Directly) +AutomaticallyGenerated: + key: 241af3aa-bb38-4e14-a593-939b64d1d7a3 + UUID: 78ddd78f-688c-4b07-a351-edb8580f1fbd + appVersion: 0.40.1 + +processExecutor: + sessionLimit: # Process executor instances limits + libreOfficeSessionLimit: 1 + pdfToHtmlSessionLimit: 1 + qpdfSessionLimit: 4 + tesseractSessionLimit: 1 + pythonOpenCvSessionLimit: 8 + weasyPrintSessionLimit: 16 + installAppSessionLimit: 1 + calibreSessionLimit: 1 + timeoutMinutes: # Process executor timeout in minutes + libreOfficetimeoutMinutes: 30 + pdfToHtmltimeoutMinutes: 20 + pythonOpenCvtimeoutMinutes: 30 + weasyPrinttimeoutMinutes: 30 + installApptimeoutMinutes: 60 + calibretimeoutMinutes: 30 + tesseractTimeoutMinutes: 30 From 8b4b5aa78ae96e1642f8c9bf6670120b7b3aa0ff Mon Sep 17 00:00:00 2001 From: Peter Wood Date: Wed, 12 Feb 2025 14:01:40 +0000 Subject: [PATCH 05/28] update .gitignore for stirling and add diun service configuration in compose.yaml --- .gitignore | 8 ++++---- diun/compose.yaml | 19 +++++++++++++++++++ 2 files changed, 23 insertions(+), 4 deletions(-) create mode 100644 diun/compose.yaml diff --git a/.gitignore b/.gitignore index b3b4d84..5c25d0d 100644 --- a/.gitignore +++ b/.gitignore @@ -4,16 +4,16 @@ nginxproxymanager/*/ media/audiobookshelf/ ntfy/*/ vaultwarden/*/ -standard-notes/ pinchflat/ homepage/config/logs/ speedtest/config/ caddy/ts-caddy/ +diun/data/ # stirling -pdf/stirling/latest/data -pdf/stirling/latest/logs -pdf/stirling/latest/config/db/backup +pdf/stirling/latest/data/ +pdf/stirling/latest/logs/ +pdf/stirling/latest/config/db/backup/ pdf/stirling/latest/config/*.db # ignore environment files diff --git a/diun/compose.yaml b/diun/compose.yaml new file mode 100644 index 0000000..352317a --- /dev/null +++ b/diun/compose.yaml 
@@ -0,0 +1,19 @@ + +services: + diun: + image: crazymax/diun:latest + command: serve + volumes: + - ./data:/data + - /var/run/docker.sock:/var/run/docker.sock + environment: + - TZ=America/New_York + - DIUN_WATCH_WORKERS=20 + - DIUN_WATCH_SCHEDULE=0 */6 * * * + - DIUN_WATCH_JITTER=30s + - DIUN_PROVIDERS_DOCKER=true + - DIUN_NOTIF_TELEGRAM_TOKEN=${TELEGRAM_TOKEN} + - DIUN_NOTIF_TELEGRAM_CHATIDS=${TELEGRAM_CHAT_ID} + labels: + - diun.enable=true + restart: always From 44ff38a765e88140c4511568a8b6295f93a5953a Mon Sep 17 00:00:00 2001 From: Peter Wood Date: Thu, 13 Feb 2025 18:10:36 +0000 Subject: [PATCH 06/28] update .gitignore and add diun service labels in multiple docker-compose files --- .gitignore | 3 +-- adguard/docker-compose.yml | 2 ++ caddy/docker-compose.yml | 2 ++ cloudflare/docker-compose.yml | 4 ++++ database/docker-compose.yml | 4 ++++ diun/compose.yaml | 9 ++++++--- dozzle/docker-compose.yml | 5 ++--- golinks/docker-compose.yml | 2 ++ hoarder/docker-compose.yml | 6 ++++++ homepage/docker-compose.yml | 2 ++ mealie/docker-compose.yml | 9 ++++----- media/docker-compose.yml | 24 ++++++++++++------------ memos/docker-compose.yml | 6 ++---- metube/docker-compose.yml | 3 ++- nginxproxymanager/docker-compose.yml | 9 ++++----- ntfy/docker-compose.yml | 2 ++ pdf/docker-compose.yml | 4 +++- pinchflat/docker-compose.yml | 6 +++--- speedtest/docker-compose.yml | 3 ++- uptime-kuma/docker-compose.yml | 5 +++-- vaultwarden/docker-compose.yml | 3 ++- 21 files changed, 70 insertions(+), 43 deletions(-) diff --git a/.gitignore b/.gitignore index 5c25d0d..41e55ba 100644 --- a/.gitignore +++ b/.gitignore @@ -1,10 +1,9 @@ cloudflare/tailscale/ -nginxproxymanager/*/ media/audiobookshelf/ ntfy/*/ vaultwarden/*/ -pinchflat/ +pinchflat/config/ homepage/config/logs/ speedtest/config/ caddy/ts-caddy/ diff --git a/adguard/docker-compose.yml b/adguard/docker-compose.yml index 5f66ba0..6a8b54c 100644 --- a/adguard/docker-compose.yml +++ b/adguard/docker-compose.yml 
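Review bot: `/var/run/docker.sock:/var/run/docker.sock` is mounted read-write, while `homepage/docker-compose.yml` in the same repository mounts it `:ro`; for consistency the line should be `- /var/run/docker.sock:/var/run/docker.sock:ro`. Note that the `ro` flag only affects filesystem writes, not API calls over the socket, so a container holding this socket still has full control of the daemon; if that is a concern, a socket proxy that exposes only the container-listing and events endpoints diun needs is the actual mitigation. The leading blank line before `services:` should go, and the values `${TELEGRAM_TOKEN}` / `${TELEGRAM_CHAT_ID}` presumably come from the gitignored `.env` file, which is fine.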
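Review bot: Deleting `nginxproxymanager/*/` from `.gitignore` makes `nginxproxymanager/data/`, `nginxproxymanager/letsencrypt/` and `nginxproxymanager/mysql/` trackable, and `nginxproxymanager/docker-compose.yml` later in this series mounts exactly those directories (`./data:/data`, `./letsencrypt:/etc/letsencrypt`, `./mysql:/var/lib/mysql`), so Let's Encrypt private keys and the proxy database could land in a commit. Unless the intent is to track something specific under that tree, restore the line or replace it with the three explicit entries `nginxproxymanager/data/`, `nginxproxymanager/letsencrypt/`, `nginxproxymanager/mysql/`. Narrowing `pinchflat/` to `pinchflat/config/` is fine since the compose file there only mounts `./config`.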
@@ -11,6 +11,8 @@ services: - config:/opt/adguardhome/conf # app configuration - work:/opt/adguardhome/work # app working directory restart: always + labels: + - diun.enable=true volumes: config: driver: local diff --git a/caddy/docker-compose.yml b/caddy/docker-compose.yml index fd94519..b533477 100644 --- a/caddy/docker-compose.yml +++ b/caddy/docker-compose.yml @@ -13,6 +13,8 @@ services: - net_admin - sys_module restart: unless-stopped + labels: + - diun.enable=true caddy: image: caddy/caddy:latest network_mode: service:ts-caddy \ No newline at end of file diff --git a/cloudflare/docker-compose.yml b/cloudflare/docker-compose.yml index 1cebafc..2a178a7 100644 --- a/cloudflare/docker-compose.yml +++ b/cloudflare/docker-compose.yml @@ -6,6 +6,8 @@ services: command: tunnel --no-autoupdate run --token ${CLOUDFLARE_TUNNEL_TOKEN} depends_on: - tailscale + labels: + - diun.enable=true tailscale: container_name: tailscale image: tailscale/tailscale:stable @@ -22,4 +24,6 @@ services: command: tailscaled privileged: true restart: unless-stopped + labels: + - diun.enable=true networks: {} diff --git a/database/docker-compose.yml b/database/docker-compose.yml index 9e3753e..55a8497 100644 --- a/database/docker-compose.yml +++ b/database/docker-compose.yml @@ -13,6 +13,8 @@ services: networks: - postgres restart: unless-stopped + labels: + - diun.enable=true pgadmin: container_name: pgadmin_container @@ -28,6 +30,8 @@ services: networks: - postgres restart: unless-stopped + labels: + - diun.enable=true networks: postgres: diff --git a/diun/compose.yaml b/diun/compose.yaml index 352317a..6202394 100644 --- a/diun/compose.yaml +++ b/diun/compose.yaml 
@@ -1,19 +1,22 @@ - services: diun: image: crazymax/diun:latest command: serve + hostname: diun volumes: - ./data:/data - /var/run/docker.sock:/var/run/docker.sock environment: - TZ=America/New_York - DIUN_WATCH_WORKERS=20 - - DIUN_WATCH_SCHEDULE=0 */6 * * * + - DIUN_WATCH_SCHEDULE=0 */2 * * * - DIUN_WATCH_JITTER=30s + - DIUN_DEFAULTS_NOTIFYON=new,update - DIUN_PROVIDERS_DOCKER=true - DIUN_NOTIF_TELEGRAM_TOKEN=${TELEGRAM_TOKEN} - DIUN_NOTIF_TELEGRAM_CHATIDS=${TELEGRAM_CHAT_ID} + - LOG_LEVEL=debug + - LOG_JSON=false labels: - diun.enable=true - restart: always + restart: unless-stopped diff --git a/dozzle/docker-compose.yml b/dozzle/docker-compose.yml index 01de5a0..8fddeeb 100644 --- a/dozzle/docker-compose.yml +++ b/dozzle/docker-compose.yml @@ -9,6 +9,5 @@ services: # DOZZLE_REMOTE_HOST: tcp://ts-vperanda:2375|vperanda,tcp://ts-svr-office:2375 DOZZLE_HOSTNAME: ${HOSTNAME} restart: unless-stopped -networks: - cloudflare_default: - external: true + labels: + - diun.enable=true diff --git a/golinks/docker-compose.yml b/golinks/docker-compose.yml index 6d086d0..e209e2b 100644 --- a/golinks/docker-compose.yml +++ b/golinks/docker-compose.yml @@ -5,6 +5,8 @@ services: image: ghcr.io/tailscale/golink:main volumes: - golinks_data:/home/nonroot + labels: + - diun.enable=true volumes: golinks_data: diff --git a/hoarder/docker-compose.yml b/hoarder/docker-compose.yml index b32f918..c2883bc 100644 --- a/hoarder/docker-compose.yml +++ b/hoarder/docker-compose.yml @@ -14,9 +14,13 @@ services: NEXTAUTH_URL: ${NEXTAUTH_URL} MEILI_MASTER_KEY: ${MEILI_MASTER_KEY} DATA_DIR: /data + labels: + - diun.enable=true chrome: image: gcr.io/zenika-hub/alpine-chrome:123 restart: unless-stopped + labels: + - diun.enable=true command: - --no-sandbox - --disable-gpu @@ -31,6 +35,8 @@ services: MEILI_NO_ANALYTICS: true volumes: - meilisearch:/meili_data + labels: + - diun.enable=true volumes: meilisearch: 
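Review bot: `LOG_LEVEL=debug` looks like a troubleshooting setting left in place: with `DIUN_WATCH_WORKERS=20` and a scan every two hours the container will emit a large volume of per-image output, and debug logs from notifier setup are where configuration values tend to be echoed. Once the Telegram notifier is confirmed working, drop the line or set `- LOG_LEVEL=info`, and consider a comment above the schedule line explaining why the interval was tightened from `*/6` to `*/2`. The `restart: unless-stopped` change is consistent with the other services in this commit.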
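Review bot: In the `chrome` service the new `labels:` block is inserted between `restart: unless-stopped` and `command:`, splitting the service's definition differently from every other service touched in this commit, where `labels` is the last key; move the two lines after the `command:` list so the layout stays uniform. While here, `MEILI_NO_ANALYTICS: true` in the meilisearch `environment:` map is an unquoted boolean in a place that expects strings, the same issue as in `pdf/docker-compose.yml` earlier in the series; `MEILI_NO_ANALYTICS: "true"` avoids the type conversion. The hoarder services' definitions start before these hunks.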
diff --git a/homepage/docker-compose.yml b/homepage/docker-compose.yml index bc892d9..3ce447d 100644 --- a/homepage/docker-compose.yml +++ b/homepage/docker-compose.yml @@ -12,3 +12,5 @@ services: - ./config:/app/config - /var/run/docker.sock:/var/run/docker.sock:ro restart: unless-stopped + labels: + - diun.enable=true \ No newline at end of file diff --git a/mealie/docker-compose.yml b/mealie/docker-compose.yml index 6ddb578..c969417 100644 --- a/mealie/docker-compose.yml +++ b/mealie/docker-compose.yml @@ -29,6 +29,8 @@ services: depends_on: postgres: condition: service_healthy + labels: + - diun.enable=true postgres: container_name: postgres image: postgres:15 @@ -45,11 +47,8 @@ services: interval: 30s timeout: 20s retries: 3 + labels: + - diun.enable=true volumes: mealie-data: null mealie-pgdata: null -networks: - cloudflare_default: - external: true -x-dockge: - urls: [] diff --git a/media/docker-compose.yml b/media/docker-compose.yml index 0efcaeb..176a95b 100644 --- a/media/docker-compose.yml +++ b/media/docker-compose.yml @@ -24,6 +24,8 @@ services: - TZ=America/New_York # Timezone for accurate log times - SERVER_COUNTRIES=United States restart: always + labels: + - diun.enable=true sabnzbd: image: lscr.io/linuxserver/sabnzbd:latest container_name: sabnzbd @@ -39,6 +41,8 @@ services: # network_mode: "service:gluetun" forces sabnzbd to connect to the internet through the VPN defined in the gluetun container above network_mode: service:gluetun restart: always + labels: + - diun.enable=true sonarr: image: lscr.io/linuxserver/sonarr:latest container_name: sonarr @@ -55,9 +59,9 @@ services: - /data/usenet/downloads:/downloads ports: - 8989:8989 - networks: - - cloudflare_default restart: always + labels: + - diun.enable=true radarr: image: lscr.io/linuxserver/radarr:latest container_name: radarr 
@@ -74,8 +78,6 @@ services: - /data/usenet/downloads:/downloads ports: - 7878:7878 - networks: - - cloudflare_default restart: always prowlarr: image: lscr.io/linuxserver/prowlarr:latest @@ -88,9 +90,9 @@ services: - /docker/config/prowlarr:/config ports: - 9696:9696 - networks: - - cloudflare_default restart: always + labels: + - diun.enable=true tautulli: image: lscr.io/linuxserver/tautulli:latest container_name: tautulli @@ -102,9 +104,9 @@ services: - tautulli:/config ports: - 8181:8181 - networks: - - cloudflare_default restart: always + labels: + - diun.enable=true audiobookshelf: image: ghcr.io/advplyr/audiobookshelf:latest container_name: audiobookshelf @@ -118,12 +120,10 @@ services: - ./audiobookshelf/metadata:/metadata environment: - TZ=America/New_York - + labels: + - diun.enable=true volumes: gluetun_data: null sabnzbd_data: null tautulli: null -networks: - cloudflare_default: - external: true diff --git a/memos/docker-compose.yml b/memos/docker-compose.yml index 70f1b85..40bd34a 100644 --- a/memos/docker-compose.yml +++ b/memos/docker-compose.yml @@ -9,7 +9,5 @@ services: networks: - cloudflare_default restart: unless-stopped - -networks: - cloudflare_default: - external: true \ No newline at end of file + labels: + - diun.enable=true \ No newline at end of file diff --git a/metube/docker-compose.yml b/metube/docker-compose.yml index c3a05f5..9ce9cea 100644 --- a/metube/docker-compose.yml +++ b/metube/docker-compose.yml @@ -13,4 +13,5 @@ services: - 7081:8081 volumes: - /mnt/share/media/metube:/downloads -networks: {} + labels: + - diun.enable=true diff --git a/nginxproxymanager/docker-compose.yml b/nginxproxymanager/docker-compose.yml index 10f697a..40c7c00 100644 --- a/nginxproxymanager/docker-compose.yml +++ b/nginxproxymanager/docker-compose.yml 
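Review bot: The `radarr` service loses its `cloudflare_default` network like its siblings but, unlike `sonarr`, `prowlarr` and `tautulli` in the adjacent hunks, receives no `diun.enable=true` label; if diun is left at its default of watching only labelled containers, radarr's image will silently be excluded from update notifications. Add `labels:` / `- diun.enable=true` after `restart: always` as done for the other services, or note in the compose file that the omission is intentional. The radarr service definition starts before this hunk.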
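Review bot: In `memos/docker-compose.yml` the top-level `networks: cloudflare_default: external: true` definition is deleted, but the service-level `networks: - cloudflare_default` two lines above the edit is kept as context, so the service now references a network that the file no longer declares and `docker compose up` should reject the file as referring to an undefined network. Either remove the two service-level lines as the media, dozzle and nginxproxymanager hunks of this commit do, or keep the top-level definition. The memos service definition starts before this hunk.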
@@ -25,13 +25,13 @@ services: DB_MYSQL_USER: npm DB_MYSQL_PASSWORD: npm DB_MYSQL_NAME: npm - networks: - - cloudflare_default volumes: - ./data:/data - ./letsencrypt:/etc/letsencrypt depends_on: - db + labels: + - diun.enable=true db: image: jc21/mariadb-aria:latest restart: unless-stopped @@ -42,6 +42,5 @@ services: MYSQL_PASSWORD: npm volumes: - ./mysql:/var/lib/mysql -networks: - cloudflare_default: - external: true + labels: + - diun.enable=true diff --git a/ntfy/docker-compose.yml b/ntfy/docker-compose.yml index 1544d67..6612588 100644 --- a/ntfy/docker-compose.yml +++ b/ntfy/docker-compose.yml @@ -15,3 +15,5 @@ services: - 4080:80 - 4443:443 restart: unless-stopped + labels: + - diun.enable=true diff --git a/pdf/docker-compose.yml b/pdf/docker-compose.yml index d11546a..2d806a5 100644 --- a/pdf/docker-compose.yml +++ b/pdf/docker-compose.yml @@ -23,4 +23,6 @@ services: UI_HOMEDESCRIPTION: "" UI_APPNAMENAVBAR: "" SYSTEM_MAXFILESIZE: "100" - restart: unless-stopped \ No newline at end of file + restart: unless-stopped + labels: + - diun.enable=true \ No newline at end of file diff --git a/pinchflat/docker-compose.yml b/pinchflat/docker-compose.yml index 8057001..8f2ab66 100644 --- a/pinchflat/docker-compose.yml +++ b/pinchflat/docker-compose.yml @@ -8,6 +8,6 @@ services: - ./config:/config - /mnt/share/media/youtube:/downloads image: ghcr.io/kieraneglin/pinchflat:latest -networks: - cloudflare_default: - external: true + restart: unless-stopped + labels: + - diun.enable=true diff --git a/speedtest/docker-compose.yml b/speedtest/docker-compose.yml index c03b9a1..f12a1f9 100644 --- a/speedtest/docker-compose.yml +++ b/speedtest/docker-compose.yml @@ -18,4 +18,5 @@ services: volumes: - ./config:/config restart: unless-stopped -networks: {} + labels: + - diun.enable=true diff --git a/uptime-kuma/docker-compose.yml b/uptime-kuma/docker-compose.yml index 08ae47f..4325f11 100644 --- a/uptime-kuma/docker-compose.yml +++ b/uptime-kuma/docker-compose.yml 
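Review bot: In the second hunk `labels:` takes the place of the removed top-level `networks:` block, and with the flattened indentation it is not visible whether it landed under the `db` service or at the top level, where `labels:` is not a valid Compose key; confirm the nesting. Since this commit touches the `db` stanza anyway, `MYSQL_PASSWORD: npm` there and `DB_MYSQL_PASSWORD: npm` on the app service are literal credentials in a committed file, while the other stacks in this series take secrets from `.env`; `MYSQL_PASSWORD: ${NPM_DB_PASSWORD}` (variable name is a placeholder) would bring this file in line.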
@@ -7,8 +7,9 @@ services: ports: - 6001:3001 restart: unless-stopped - + labels: + - diun.enable=true volumes: - uptime-kuma: + uptime-kuma: name: uptime-kuma external: true diff --git a/vaultwarden/docker-compose.yml b/vaultwarden/docker-compose.yml index 389df35..8c93f5f 100644 --- a/vaultwarden/docker-compose.yml +++ b/vaultwarden/docker-compose.yml @@ -14,7 +14,8 @@ services: - ROCKET_PORT=80 - ROCKET_PROFILE=release restart: always - + labels: + - diun.enable=true volumes: vaultwarden_data: name: vaultwarden_data From d0276fbf09afdaa96ff6e28bdc35e433a0363180 Mon Sep 17 00:00:00 2001 From: Peter Wood Date: Fri, 21 Feb 2025 19:04:28 -0500 Subject: [PATCH 07/28] added immich finally --- immich/docker-compose.yml | 88 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 immich/docker-compose.yml diff --git a/immich/docker-compose.yml b/immich/docker-compose.yml new file mode 100644 index 0000000..711ce63 --- /dev/null +++ b/immich/docker-compose.yml 
@@ -0,0 +1,88 @@
+#
+# WARNING: Make sure to use the docker-compose.yml of the current release:
+#
+# https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml
+#
+# The compose file on main may not be compatible with the latest release.
+#
+
+name: immich
+
+services:
+ immich-server:
+ container_name: immich_server
+ image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
+ # extends:
+ # file: hwaccel.transcoding.yml
+ # service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
+ volumes:
+ # Do not edit the next line. If you want to change the media storage location on your system, edit the value of UPLOAD_LOCATION in the .env file
+ - ${UPLOAD_LOCATION}:/usr/src/app/upload
+ - /etc/localtime:/etc/localtime:ro
+ env_file:
+ - .env
+ ports:
+ - 2283:2283
+ depends_on:
+ - redis
+ - database
+ restart: always
+ healthcheck:
+ disable: false
+
+ immich-machine-learning:
+ container_name: immich_machine_learning
+ # For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag.
+ # Example tag: ${IMMICH_VERSION:-release}-cuda
+ image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
+ # extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/ml-hardware-acceleration
+ # file: hwaccel.ml.yml
+ # service: cpu # set to one of [armnn, cuda, openvino, openvino-wsl] for accelerated inference - use the `-wsl` version for WSL2 where applicable
+ volumes:
+ - model-cache:/cache
+ env_file:
+ - .env
+ restart: always
+ healthcheck:
+ disable: false
+
+ redis:
+ container_name: immich_redis
+ image: docker.io/redis:6.2-alpine@sha256:905c4ee67b8e0aa955331960d2aa745781e6bd89afc44a8584bfd13bc890f0ae
+ healthcheck:
+ test: redis-cli ping || exit 1
+ restart: always
+
+ database:
+ container_name: immich_postgres
+ image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
+ environment:
+ POSTGRES_PASSWORD: ${DB_PASSWORD}
+ POSTGRES_USER: ${DB_USERNAME}
+ POSTGRES_DB: ${DB_DATABASE_NAME}
+ POSTGRES_INITDB_ARGS: '--data-checksums'
+ volumes:
+ # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
+ - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
+ healthcheck:
+ test: >-
+ pg_isready --dbname="$${POSTGRES_DB}" --username="$${POSTGRES_USER}" || exit 1;
+ Chksum="$$(psql --dbname="$${POSTGRES_DB}" --username="$${POSTGRES_USER}" --tuples-only --no-align
+ --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM pg_stat_database')";
+ echo "checksum failure count is $$Chksum";
+ [ "$$Chksum" = '0' ] || exit 1
+ interval: 5m
+ start_interval: 30s
+ start_period: 5m
+ command: >-
+ postgres
+ -c shared_preload_libraries=vectors.so
+ -c 'search_path="$$user", public, vectors'
+ -c logging_collector=on
+ -c max_wal_size=2GB
+ -c shared_buffers=512MB
+ -c wal_compression=on
+ restart: always
+
+volumes:
+ model-cache:
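Review bot: `ports: - 2283:2283` on immich-server publishes the web UI on every host interface with nothing in front of it, whereas `redis` and `database` correctly publish nothing; if the service is meant to be reached only through a reverse proxy, bind it to that address, e.g. `- <proxy-reachable-ip>:2283:2283` (placeholder). The database credentials come from `.env` both by interpolation and through `env_file`, so that file must stay out of git — the repo's `.gitignore` lists `.env`, which covers it. `healthcheck: disable: false` on both immich services is a no-op carried over from upstream and could be dropped for readability.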
From dbe9ff89695e5cd56d25cb399c1c5f2abc8ebb74 Mon Sep 17 00:00:00 2001 From: Peter Wood Date: Fri, 21 Feb 2025 19:04:40 -0500 Subject: [PATCH 08/28] cleanup --- adguard/docker-compose.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/adguard/docker-compose.yml b/adguard/docker-compose.yml index 5f66ba0..4d69b76 100644 --- a/adguard/docker-compose.yml +++ b/adguard/docker-compose.yml @@ -16,4 +16,3 @@ volumes: driver: local work: driver: local -networks: {} From 2b0b730a36d855fc8b09d5ca723c47c867ca0a84 Mon Sep 17 00:00:00 2001 From: Peter Wood Date: Fri, 21 Feb 2025 19:07:56 -0500 Subject: [PATCH 09/28] better ignorance of caddy --- .gitignore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 5c25d0d..8e78380 100644 --- a/.gitignore +++ b/.gitignore @@ -7,7 +7,7 @@ vaultwarden/*/ pinchflat/ homepage/config/logs/ speedtest/config/ -caddy/ts-caddy/ +caddy/caddy* diun/data/ # stirling From 6eb27e52e9c883fc6d46024c64700995c08f8f46 Mon Sep 17 00:00:00 2001 From: Peter Wood Date: Sat, 22 Feb 2025 21:28:09 -0500 Subject: [PATCH 10/28] add Caddy configuration and update docker-compose for improved service management --- caddy/Caddyfile | 9 +++++++++ caddy/docker-compose.yml | 28 +++++++++++++--------------- 2 files changed, 22 insertions(+), 15 deletions(-) create mode 100644 caddy/Caddyfile diff --git a/caddy/Caddyfile b/caddy/Caddyfile new file mode 100644 index 0000000..6161786 --- /dev/null +++ b/caddy/Caddyfile @@ -0,0 +1,9 @@ +{ + debug + email peter@peterwood.devdev +} + +jellyfin.peterwood.rocks { + encode gzip + reverse_proxy https://localhost:8920 +} diff --git a/caddy/docker-compose.yml b/caddy/docker-compose.yml index fd94519..943406e 100644 --- a/caddy/docker-compose.yml +++ b/caddy/docker-compose.yml 
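Review bot: `reverse_proxy https://localhost:8920` resolves to the Caddy container's own loopback, not the host where Jellyfin runs, so this site answers 502 as written; the upstream needs a host-reachable address, and the compose hunk that follows adds no such mapping. The global `debug` option turns on verbose request and TLS logging for every vhost and should not be a committed default; remove it or comment it out. `email peter@peterwood.devdev` also looks mistyped, and that is the address ACME expiry notices go to.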
@@ -1,18 +1,16 @@ services: - ts-caddy: - image: tailscale/tailscale:latest - container_name: ts-caddy - hostname: ts-caddy - environment: - - TS_AUTHKEY:${TAILSCALE_AUTHKEY} - - TS_SOCKET:/var/run/tailscale/tailscaled.sock - volumes: - - ${PWD}/ts-caddy/state:/var/lib/tailscale - - /dev/net/tun:/dev/net/tun - cap_add: - - net_admin - - sys_module - restart: unless-stopped caddy: image: caddy/caddy:latest - network_mode: service:ts-caddy \ No newline at end of file + restart: always + ports: + - 80:80 + - 443:443 + - 443:443/udp + volumes: + - ./Caddyfile:/etc/caddy/Caddyfile + - caddy_data:/data + - caddy_config:/config + +volumes: + caddy_data: + caddy_config: From 74eae0169e2c7f8bc6dc14c9c9e9d31f9c19a8a2 Mon Sep 17 00:00:00 2001 From: Peter Wood Date: Sat, 22 Feb 2025 21:28:47 -0500 Subject: [PATCH 11/28] add filebrowser service configuration to docker-compose --- filebrowser/compose.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 filebrowser/compose.yaml diff --git a/filebrowser/compose.yaml b/filebrowser/compose.yaml new file mode 100644 index 0000000..e2e647f --- /dev/null +++ b/filebrowser/compose.yaml @@ -0,0 +1,14 @@ +services: + filebrowser: + image: filebrowser/filebrowser:latest + container_name: filebrowser + restart: unless-stopped + volumes: + - /mnt/share/media/tv:/srv + - ./database.db:/database.db + environment: + - PUID=1000 + - PGID=1000 + ports: + - 8212:80 +networks: {} From 36983ee53eb4cc87e0665cfc4da80bd577452df0 Mon Sep 17 00:00:00 2001 From: Peter Wood Date: Sat, 22 Feb 2025 21:30:24 -0500 Subject: [PATCH 12/28] add filebrowser database files to .gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 8e78380..456e5ce 100644 --- a/.gitignore +++ b/.gitignore @@ -9,6 +9,7 @@ homepage/config/logs/ speedtest/config/ caddy/caddy* diun/data/ +filebrowser/*.db # stirling pdf/stirling/latest/data/ From 2c370db732b0cd03f81f400759cf423ce27add5f Mon Sep 17 00:00:00 2001 
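Review bot: Removing the `ts-caddy` sidecar and `network_mode: service:ts-caddy` moves Caddy from tailnet-only reachability to `ports: 80/443` on every host interface, so anything the Caddyfile proxies becomes reachable from wherever the host is; that is a deliberate exposure change and deserves a one-line comment above `ports:` saying so, or a host-address binding such as `- <lan-ip>:443:443` (placeholder) if it is not intended. The config mount can be read-only, `- ./Caddyfile:/etc/caddy/Caddyfile:ro`, since Caddy only reads it. The volume entries `caddy_data:` and `caddy_config:` are bare keys; the rest of this repo writes `null` explicitly.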
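Review bot: `- ./database.db:/database.db` bind-mounts a file that does not exist on a fresh checkout (and a later commit in this series gitignores `filebrowser/*.db`); Docker creates a missing bind-mount source as a directory, so the first start fails to open its database — create the file beforehand or mount a directory and point the database path into it. `/mnt/share/media/tv:/srv` is mounted read-write although the service is a browser; add `:ro` unless uploads and deletes are intended. The image has historically created a default admin login on first run, so the admin password should be changed before `8212` is reachable beyond the LAN.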
From: Peter Wood Date: Sat, 22 Feb 2025 21:32:03 -0500 Subject: [PATCH 13/28] corrected email in Caddyfil --- caddy/Caddyfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/caddy/Caddyfile b/caddy/Caddyfile index 6161786..47ed626 100644 --- a/caddy/Caddyfile +++ b/caddy/Caddyfile @@ -1,6 +1,6 @@ { debug - email peter@peterwood.devdev + email peter@peterwood.dev } jellyfin.peterwood.rocks { From 6611cd2deeb2963e4665f215fe4de14f999eae5a Mon Sep 17 00:00:00 2001 From: Peter Wood Date: Wed, 5 Mar 2025 14:30:46 +0000 Subject: [PATCH 14/28] add restart policy to media service in docker-compose.yml --- media/docker-compose.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/media/docker-compose.yml b/media/docker-compose.yml index 176a95b..6c993bd 100644 --- a/media/docker-compose.yml +++ b/media/docker-compose.yml @@ -120,10 +120,11 @@ services: - ./audiobookshelf/metadata:/metadata environment: - TZ=America/New_York + restart: always labels: - diun.enable=true volumes: gluetun_data: null sabnzbd_data: null tautulli: null - + From fde90b6722a88326d1b8c9e27fe925b52b7d684d Mon Sep 17 00:00:00 2001 From: Peter Wood Date: Wed, 5 Mar 2025 09:44:55 -0500 Subject: [PATCH 15/28] update Caddyfile reverse proxy and add extra_hosts to docker-compose for improved connectivity --- caddy/Caddyfile | 2 +- caddy/docker-compose.yml | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/caddy/Caddyfile b/caddy/Caddyfile index 47ed626..44b0068 100644 --- a/caddy/Caddyfile +++ b/caddy/Caddyfile @@ -5,5 +5,5 @@ jellyfin.peterwood.rocks { encode gzip - reverse_proxy https://localhost:8920 + reverse_proxy host.docker.internal:8096 } diff --git a/caddy/docker-compose.yml b/caddy/docker-compose.yml index 943406e..feec6b6 100644 --- a/caddy/docker-compose.yml +++ b/caddy/docker-compose.yml 
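Review bot: `reverse_proxy host.docker.internal:8096` replaces the HTTPS upstream with plain HTTP across the Docker bridge, which is acceptable on a single host, but it requires Jellyfin to listen on the bridge gateway address, where every other container on that bridge can reach it directly and bypass Caddy's TLS; if that port is not otherwise restricted, say so in a comment above the line. Jellyfin will only log the real client address if Caddy is registered as a trusted proxy on its side, because `reverse_proxy` forwards it in `X-Forwarded-For` rather than as the peer address. The companion `extra_hosts` hunk in caddy/docker-compose.yml supplies the `host.docker.internal` name this line depends on.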
@@ -10,6 +10,8 @@ services: - ./Caddyfile:/etc/caddy/Caddyfile - caddy_data:/data - caddy_config:/config + extra_hosts: + - host.docker.internal:host-gateway volumes: caddy_data: From 271b308b637c1e44a56c200f066ebde5789c3b2e Mon Sep 17 00:00:00 2001 From: Peter Wood Date: Wed, 5 Mar 2025 09:45:51 -0500 Subject: [PATCH 16/28] update dozzle service configuration in docker-compose for enhanced authentication and actions support --- dozzle/docker-compose.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/dozzle/docker-compose.yml b/dozzle/docker-compose.yml index 01de5a0..889b891 100644 --- a/dozzle/docker-compose.yml +++ b/dozzle/docker-compose.yml @@ -6,9 +6,12 @@ services: ports: - 9999:8080 environment: - # DOZZLE_REMOTE_HOST: tcp://ts-vperanda:2375|vperanda,tcp://ts-svr-office:2375 + # DOZZLE_REMOTE_HOST: tcp://ts-rackerd:2375|racknerd,tcp://ts-svr-office:2375|svr-office DOZZLE_HOSTNAME: ${HOSTNAME} + DOZZLE_ENABLE_ACTIONS: true + DOZZLE_AUTH_PROVIDER: forward-proxy + DOZZLE_AUTH_HEADER_USER: ${DOZZLE_AUTH_HEADER_USER} + DOZZLE_AUTH_HEADER_EMAIL: ${DOZZLE_AUTH_HEADER_EMAIL} + DOZZLE_AUTH_HEADER_NAME: ${DOZZLE_AUTH_HEADER_NAME} restart: unless-stopped -networks: - cloudflare_default: - external: true +networks: {} From b2e8f084e71aaf05e0eca124ed6fbd179743fd31 Mon Sep 17 00:00:00 2001 From: Peter Wood Date: Wed, 5 Mar 2025 10:19:41 -0500 Subject: [PATCH 17/28] refactor docker-compose.yml for improved readability and formatting --- immich/docker-compose.yml | 33 ++++++++++++--------------------- 1 file changed, 12 insertions(+), 21 deletions(-) diff --git a/immich/docker-compose.yml b/immich/docker-compose.yml index 711ce63..518f99a 100644 --- a/immich/docker-compose.yml +++ b/immich/docker-compose.yml @@ -7,7 +7,6 @@ # name: immich - services: immich-server: container_name: immich_server 
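Review bot: `DOZZLE_AUTH_PROVIDER: forward-proxy` makes Dozzle trust the `DOZZLE_AUTH_HEADER_*` headers on every request, but `ports: - 9999:8080` (context above) still publishes the UI on all host interfaces, so any client that reaches port 9999 without passing through the authenticating proxy can supply those headers itself and is treated as logged in — and with `DOZZLE_ENABLE_ACTIONS: true` that includes starting, stopping and restarting containers. Drop `ports:` and attach Dozzle to the proxy's network, or bind it to a host address only the proxy can reach, so the headers can only originate from the proxy. The trailing `networks: {}` added in place of the external network is an empty placeholder and can simply be omitted.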
@@ -29,7 +28,6 @@ services: restart: always healthcheck: disable: false - immich-machine-learning: container_name: immich_machine_learning # For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag. @@ -45,14 +43,12 @@ services: restart: always healthcheck: disable: false - redis: container_name: immich_redis image: docker.io/redis:6.2-alpine@sha256:905c4ee67b8e0aa955331960d2aa745781e6bd89afc44a8584bfd13bc890f0ae healthcheck: test: redis-cli ping || exit 1 restart: always - database: container_name: immich_postgres image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0 
@@ -60,29 +56,24 @@ services: POSTGRES_PASSWORD: ${DB_PASSWORD} POSTGRES_USER: ${DB_USERNAME} POSTGRES_DB: ${DB_DATABASE_NAME} - POSTGRES_INITDB_ARGS: '--data-checksums' + POSTGRES_INITDB_ARGS: --data-checksums volumes: # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file - ${DB_DATA_LOCATION}:/var/lib/postgresql/data healthcheck: - test: >- - pg_isready --dbname="$${POSTGRES_DB}" --username="$${POSTGRES_USER}" || exit 1; - Chksum="$$(psql --dbname="$${POSTGRES_DB}" --username="$${POSTGRES_USER}" --tuples-only --no-align - --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM pg_stat_database')"; - echo "checksum failure count is $$Chksum"; - [ "$$Chksum" = '0' ] || exit 1 + test: pg_isready --dbname="$${POSTGRES_DB}" --username="$${POSTGRES_USER}" || + exit 1; Chksum="$$(psql --dbname="$${POSTGRES_DB}" + --username="$${POSTGRES_USER}" --tuples-only --no-align + --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM + pg_stat_database')"; echo "checksum failure count is $$Chksum"; [ + "$$Chksum" = '0' ] || exit 1 interval: 5m start_interval: 30s start_period: 5m - command: >- - postgres - -c shared_preload_libraries=vectors.so - -c 'search_path="$$user", public, vectors' - -c logging_collector=on - -c max_wal_size=2GB - -c shared_buffers=512MB - -c wal_compression=on + command: postgres -c shared_preload_libraries=vectors.so -c + 'search_path="$$user", public, vectors' -c logging_collector=on -c + max_wal_size=2GB -c shared_buffers=512MB -c wal_compression=on restart: always - volumes: - model-cache: + model-cache: null +networks: {} From deb83806369cea44afb52302fbf4260f9a1a2c48 Mon Sep 17 00:00:00 2001 From: Peter Wood Date: Wed, 5 Mar 2025 10:19:49 -0500 Subject: [PATCH 18/28] update .gitignore to include additional directories for exclusion --- .gitignore | 5 +++++ 1 file changed, 5 insertions(+) 
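Review bot: `healthcheck.test` and `command` were rewritten from `>-` folded block scalars into plain multi-line scalars; they fold to the same string today, but a plain scalar becomes a YAML error as soon as a continuation line contains `: ` or ` #` (a future `-c option=value` with a colon, or a comment), and the new wrapping splits the shell text mid-token (`-c` and `[` left dangling at line ends), which is much harder to review. Keep the `>-` form with one shell clause per line, as the upstream file had it. `POSTGRES_INITDB_ARGS: --data-checksums` parses fine unquoted, but the quotes made the intent (a literal flag, not YAML syntax) obvious at no cost.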
diff --git a/.gitignore b/.gitignore index 7d51608..c54a96c 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,6 @@ +core + cloudflare/tailscale/ media/audiobookshelf/ ntfy/*/ @@ -9,6 +11,9 @@ speedtest/config/ caddy/caddy* diun/data/ filebrowser/*.db +nginxproxymanager/data +nginxproxymanager/letsencrypt +nginxproxymanager/mysql # stirling pdf/stirling/latest/data/ From dd3adbcb91772e1618faa4a2d452622b5c880b87 Mon Sep 17 00:00:00 2001 From: Peter Wood Date: Sat, 29 Mar 2025 18:57:02 +0000 Subject: [PATCH 19/28] corrected remote hosts --- dozzle/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dozzle/docker-compose.yml b/dozzle/docker-compose.yml index 8fddeeb..8d3d760 100644 --- a/dozzle/docker-compose.yml +++ b/dozzle/docker-compose.yml @@ -6,7 +6,7 @@ services: ports: - 9999:8080 environment: - # DOZZLE_REMOTE_HOST: tcp://ts-vperanda:2375|vperanda,tcp://ts-svr-office:2375 + # DOZZLE_REMOTE_HOST: tcp://ts-racknerd:2375|vperanda,tcp://ts-europa:2375 DOZZLE_HOSTNAME: ${HOSTNAME} restart: unless-stopped labels: From cc27fc070b116549b5e1f77a4652b2fa5f3950df Mon Sep 17 00:00:00 2001 From: Peter Wood Date: Sat, 29 Mar 2025 18:57:30 +0000 Subject: [PATCH 20/28] added jellyseer --- media/docker-compose.yml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/media/docker-compose.yml b/media/docker-compose.yml index 6c993bd..9516f71 100644 --- a/media/docker-compose.yml +++ b/media/docker-compose.yml @@ -93,6 +93,19 @@ services: restart: always labels: - diun.enable=true + jellyseerr: + image: fallenbagel/jellyseerr:latest + container_name: jellyseerr + environment: + - LOG_LEVEL=debug + - TZ=America/New_York + ports: + - 5055:5055 + volumes: + - /docker/config/jellyseerr/:/app/config + restart: unless-stopped + labels: + - diun.enable=true tautulli: image: lscr.io/linuxserver/tautulli:latest container_name: tautulli 
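Review bot: `- LOG_LEVEL=debug` is committed on a permanently running service; debug output is verbose and may include request details, so use `- LOG_LEVEL=info` and raise it only while troubleshooting. `ports: - 5055:5055` publishes the UI on every host interface; if it is only meant to be reached through a reverse proxy, bind it to that address, e.g. `- <proxy-reachable-ip>:5055:5055` (placeholder).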
@@ -127,4 +140,4 @@ volumes: gluetun_data: null sabnzbd_data: null tautulli: null - +networks: {} From 1fe01ec141a86e962d3908c6cfcd5d34dba1d9b8 Mon Sep 17 00:00:00 2001 From: Peter Wood Date: Sat, 29 Mar 2025 18:58:41 +0000 Subject: [PATCH 21/28] corrected timezones env variable --- speedtest/docker-compose.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/speedtest/docker-compose.yml b/speedtest/docker-compose.yml index f12a1f9..98d9ad1 100644 --- a/speedtest/docker-compose.yml +++ b/speedtest/docker-compose.yml @@ -14,9 +14,10 @@ services: - SPEEDTEST_SERVERS=${SPEEDTEST_SERVERS} - SPEEDTEST_PING_URL=${SPEEDTEST_PING_URL} - PRUNE_RESULTS_OLDER_THAN=${PRUNE_RESULTS_OLDER_THAN} - - TZ=${APP_TIMEZONE} + - DISPLAY_TIMEZONE=${APP_TIMEZONE} volumes: - ./config:/config restart: unless-stopped labels: - diun.enable=true +networks: {} From 995de6199721c865718582faa845dcf63fc3d0b9 Mon Sep 17 00:00:00 2001 From: Peter Wood Date: Sat, 29 Mar 2025 19:02:55 +0000 Subject: [PATCH 22/28] add default watch setting for Docker provider in diun compose file --- diun/compose.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/diun/compose.yaml b/diun/compose.yaml index 6202394..f99ad1d 100644 --- a/diun/compose.yaml +++ b/diun/compose.yaml @@ -13,10 +13,11 @@ services: - DIUN_WATCH_JITTER=30s - DIUN_DEFAULTS_NOTIFYON=new,update - DIUN_PROVIDERS_DOCKER=true + - DIUN_PROVIDERS_DOCKER_WATCHBYDEFAULT=true - DIUN_NOTIF_TELEGRAM_TOKEN=${TELEGRAM_TOKEN} - DIUN_NOTIF_TELEGRAM_CHATIDS=${TELEGRAM_CHAT_ID} - - LOG_LEVEL=debug - - LOG_JSON=false + #- DIUN_NOTIF_TELEGRAM_TEMPLATEBODY=${TELEGRAM_TEMPLATE} labels: - diun.enable=true restart: unless-stopped +networks: {} From 964a0e1f5943803f1fe907901cb6a58c59b4f892 Mon Sep 17 00:00:00 2001 
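Review bot: Replacing `TZ` with `DISPLAY_TIMEZONE` swaps two different settings: `TZ` sets the container's system timezone (log timestamps, scheduled runs), while `DISPLAY_TIMEZONE` presumably only controls how the app renders times, so the container clock likely reverts to UTC. If both were wanted, keep `- TZ=${APP_TIMEZONE}` and add `- DISPLAY_TIMEZONE=${APP_TIMEZONE}` beside it.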
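Review bot: `DIUN_PROVIDERS_DOCKER_WATCHBYDEFAULT=true` turns the Docker provider into opt-out mode: every container on the host is watched, so the `diun.enable=true` labels added across the other stacks in this series become no-ops and `diun.enable=false` is now the only way to exclude a container. That may be intended, but it should be stated next to the line, e.g. `# watch every container; exclude one with the label diun.enable=false`. The commented entry `#- DIUN_NOTIF_TELEGRAM_TEMPLATEBODY=…` should be written `# - …` like the other commented list items in these compose files.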
From: Peter Wood Date: Sat, 29 Mar 2025 19:04:35 +0000 Subject: [PATCH 23/28] remove unused networks section from docker-compose.yml --- memos/docker-compose.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/memos/docker-compose.yml b/memos/docker-compose.yml index 40bd34a..fee700a 100644 --- a/memos/docker-compose.yml +++ b/memos/docker-compose.yml @@ -6,8 +6,7 @@ services: - ./.memos/:/var/opt/memos ports: - 5230:5230 - networks: - - cloudflare_default restart: unless-stopped labels: - - diun.enable=true \ No newline at end of file + - diun.enable=true +networks: {} From 894ee838108864fb5e72aff9667be09400d4ba98 Mon Sep 17 00:00:00 2001 From: Peter Wood Date: Mon, 21 Apr 2025 11:49:39 -0400 Subject: [PATCH 24/28] updated image name --- hoarder/docker-compose.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/hoarder/docker-compose.yml b/hoarder/docker-compose.yml index c2883bc..e6379cc 100644 --- a/hoarder/docker-compose.yml +++ b/hoarder/docker-compose.yml @@ -1,6 +1,7 @@ +name: hoarder services: hoarder: - image: ghcr.io/hoarder-app/hoarder:${HOARDER_VERSION:-release} + image: ghcr.io/karakeep-app/karakeep:${HOARDER_VERSION:-release} restart: unless-stopped volumes: - data:/data @@ -37,7 +38,7 @@ services: - meilisearch:/meili_data labels: - diun.enable=true - volumes: - meilisearch: - data: + meilisearch: null + data: null +networks: {} From 5f9bfe5b8cfef858a4b80616623991fc1df3551b Mon Sep 17 00:00:00 2001 From: Peter Wood Date: Fri, 25 Apr 2025 12:48:30 -0400 Subject: [PATCH 25/28] added example env file --- caddy/.env.example | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 caddy/.env.example diff --git a/caddy/.env.example b/caddy/.env.example new file mode 100644 index 0000000..d5468d2 --- /dev/null +++ b/caddy/.env.example @@ -0,0 +1,4 @@ + +# create the API token in https://dash.cloudflare.com/profile/api-tokens +# provide access to ptrwd.com for DNS zone +CLOUDFLARE_TOKEN= 
From 85979c37016db81fa683a2ed9696babc67a9a230 Mon Sep 17 00:00:00 2001 From: Peter Wood Date: Tue, 29 Apr 2025 14:34:25 -0400 Subject: [PATCH 26/28] Add Cloudflare DNS support to Caddy configuration - Updated .env.example to include CF_ZONE_READ and CF_DNS_EDIT variables. - Enhanced Caddyfile to utilize Cloudflare DNS for TLS. - Created Dockerfile for building Caddy with Cloudflare DNS support. - Modified docker-compose.yml to use the new caddy-cloudflare image and set environment variables. --- caddy/.env.example | 8 +- caddy/Caddyfile | 154 ++++++++++++++++++++++++++++++++++++++- caddy/Dockerfile | 9 +++ caddy/docker-compose.yml | 5 +- 4 files changed, 169 insertions(+), 7 deletions(-) create mode 100644 caddy/Dockerfile diff --git a/caddy/.env.example b/caddy/.env.example index d5468d2..3f48675 100644 --- a/caddy/.env.example +++ b/caddy/.env.example @@ -1,4 +1,8 @@ # create the API token in https://dash.cloudflare.com/profile/api-tokens -# provide access to ptrwd.com for DNS zone -CLOUDFLARE_TOKEN= +# create auth tokens - +# `Zone.Zone:Read` for all zones, and +# `Zone.DNS:Edit` permissions for ptrwd.com +# https://github.com/caddy-dns/cloudflare +CF_ZONE_READ= +CF_DNS_EDIT= \ No newline at end of file diff --git a/caddy/Caddyfile b/caddy/Caddyfile index 44b0068..41cc073 100644 --- a/caddy/Caddyfile +++ b/caddy/Caddyfile 
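Review bot: The new comment tells the reader to grant `Zone.Zone:Read` for all zones; the Cloudflare DNS module only needs to look up the zones it issues certificates for, so the read token can be scoped to ptrwd.com just like the edit token — verify against the module README linked in the file. Documenting the narrower scope here matters because this file is the template everyone copies, and a token readable across all zones discloses the account's whole zone list if it is ever leaked. The file also ends without a trailing newline.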
@@ -1,9 +1,155 @@
{
- debug
- email peter@peterwood.dev
+ # debug
+ email peter@peterwood.dev
+}
+
+ptrwd.com {
+ tls {
+ dns cloudflare {
+ zone_token {env.CF_ZONE_READ}
+ api_token {env.CF_DNS_EDIT}
+ }
+ }
+ # this is the the wiki
+ reverse_proxy ts-racknerd.whale-woodpecker.ts.net:8300
+}
+
+wiki.ptrwd.com {
+ tls {
+ dns cloudflare {
+ zone_token {env.CF_ZONE_READ}
+ api_token {env.CF_DNS_EDIT}
+ }
+ }
+ # Route ACME challenges explicitly to be handled internally by Caddy
+ route /.well-known/acme-challenge/* {
+ # No directive needed here; Caddy's internal handler takes precedence.
+ # This prevents the challenge requests from being proxied.
+ }
+
+ # Proxy all other requests to the wiki
+ route {
+ reverse_proxy ts-racknerd.whale-woodpecker.ts.net:8300
+ }
}
jellyfin.peterwood.rocks {
- encode gzip
- reverse_proxy host.docker.internal:8096
+ tls {
+ dns cloudflare {
+ zone_token {env.CF_ZONE_READ}
+ api_token {env.CF_DNS_EDIT}
+ }
+ }
+ reverse_proxy host.docker.internal:8096
+}
+
+# Serve a simple text message for home.ptrwd.com
+home.ptrwd.com {
+ tls {
+ dns cloudflare {
+ zone_token {env.CF_ZONE_READ}
+ api_token {env.CF_DNS_EDIT}
+ }
+ }
+ # Debugging: Log all requests
+ log {
+ output stdout
+ format console
+ }
+ # Allow connections only from private ranges and home IP using Cf-Connecting-Ip header
+ @allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
+ handle @allowAccess {
+ respond "Welcome home!" 200 {
+ close # Close the connection after responding
+ }
+ }
+ handle {
+ respond "Access denied" 403
+ }
+}
+
+# Reverse proxy for sonarr.home.ptrwd.com
+sonarr.home.ptrwd.com {
+ tls {
+ dns cloudflare {
+ zone_token {env.CF_ZONE_READ}
+ api_token {env.CF_DNS_EDIT}
+ }
+ }
+ # Allow connections only from private ranges and home IP
+ @allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
+ handle @allowAccess {
+ reverse_proxy ts-io.whale-woodpecker.ts.net:8989
+ }
+ handle {
+ respond 403
+ }
+}
+
+radarr.home.ptrwd.com {
+ tls {
+ dns cloudflare {
+ zone_token {env.CF_ZONE_READ}
+ api_token {env.CF_DNS_EDIT}
+ }
+ }
+ # Allow connections only from private ranges and home IP
+ @allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
+ handle @allowAccess {
+ reverse_proxy ts-io.whale-woodpecker.ts.net:7878
+ }
+ handle {
+ respond 403
+ }
+}
+
+io.docker.home.ptrwd.com {
+ tls {
+ dns cloudflare {
+ zone_token {env.CF_ZONE_READ}
+ api_token {env.CF_DNS_EDIT}
+ }
+ }
+ # Allow connections only from private ranges and home IP
+ @allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
+ handle @allowAccess {
+ reverse_proxy ts-io.whale-woodpecker.ts.net:5001
+ }
+ handle {
+ respond 403
+ }
+}
+
+europa.docker.home.ptrwd.com {
+ tls {
+ dns cloudflare {
+ zone_token {env.CF_ZONE_READ}
+ api_token {env.CF_DNS_EDIT}
+ }
+ }
+ # Allow connections only from private ranges and home IP
+ @allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
+ handle @allowAccess {
+ reverse_proxy ts-europa.whale-woodpecker.ts.net:5001
+ }
+ handle {
+ respond 403
+ }
+}
+
+racknerd.docker.home.ptrwd.com {
+ tls {
+ dns cloudflare {
+ zone_token {env.CF_ZONE_READ}
+ api_token {env.CF_DNS_EDIT}
+ }
+ }
+ # Allow connections only from private ranges and home IP
+ @allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
+ handle @allowAccess {
+ reverse_proxy ts-racknerd.whale-woodpecker.ts.net:5001
+ }
+ handle {
+ respond 403
+ }
}
diff --git a/caddy/Dockerfile b/caddy/Dockerfile
new file mode 100644
index 0000000..130c1e3
--- /dev/null
+++ b/caddy/Dockerfile
@@ -0,0 +1,9 @@
+
+FROM caddy:2.10-builder AS builder
+
+RUN xcaddy build \
+ --with github.com/caddy-dns/cloudflare
+
+FROM caddy:2.10
+
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy
diff --git a/caddy/docker-compose.yml b/caddy/docker-compose.yml
index 6106a0c..20d8188 100644
--- a/caddy/docker-compose.yml
+++ b/caddy/docker-compose.yml
@@ -1,7 +1,7 @@
services:
caddy:
- image: caddy/caddy:latest
+ image: caddy-cloudflare
restart: always
ports:
- 80:80
@@ -11,6 +11,9 @@ services:
- ./Caddyfile:/etc/caddy/Caddyfile
- caddy_data:/data
- caddy_config:/config
+ environment:
+ CF_ZONE_READ: ${CF_ZONE_READ}
+ CF_DNS_EDIT: ${CF_DNS_EDIT}
+ extra_hosts:
+ - host.docker.internal:host-gateway
labels:
From 6ee74cfe15f7bf3eb66479663ca3671fa38c0fdd Mon Sep 17 00:00:00 2001 From: Peter Wood Date: Tue, 29 Apr 2025 14:34:42 -0400 Subject: [PATCH 27/28] Remove mealie service from docker-compose.yml and add memos_prod.db to .gitignore --- .gitignore | 1 + mealie/docker-compose.yml | 54 --------------------------------------- 2 files changed, 1 insertion(+), 54 deletions(-) delete mode 100644 mealie/docker-compose.yml
diff --git a/.gitignore b/.gitignore
index c54a96c..655843d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,3 +23,4 @@ pdf/stirling/latest/config/*.db
# ignore environment files
.env
+memos/.memos/memos_prod.db
diff --git a/mealie/docker-compose.yml b/mealie/docker-compose.yml
deleted file mode 100644
index c969417..0000000
--- a/mealie/docker-compose.yml
+++ /dev/null
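Review bot: The `@allowAccess client_ip …` allowlist on home.ptrwd.com and the six `*.home.ptrwd.com` sites only behaves as its comment describes if `client_ip` resolves to the end client: with no global `servers { trusted_proxies … }` block in this file, Caddy's `client_ip` is the TCP peer address, so the `Cf-Connecting-Ip` header the comment mentions is never consulted, and if these names are proxied through Cloudflare every request arrives from a Cloudflare address and gets the 403 — from home as well. The reverse failure also needs checking: connections that pass through Docker's userland proxy (loopback or IPv6 clients, depending on daemon settings) reach Caddy from the bridge gateway address, which lies inside `172.16.0.0/12`, so the allowlist would admit them; the `log` block on home.ptrwd.com is the right tool to confirm which address is actually matched before relying on this. Separately, the identical `tls { dns cloudflare … }` block and the allow/403 pair are copied into eight sites, so any future change to the ranges or the home IP has to be repeated in each; Caddy snippets reduce this to one definition apiece, as sketched below for sonarr.
```caddyfile
(cloudflare_tls) {
	tls {
		dns cloudflare {
			zone_token {env.CF_ZONE_READ}
			api_token {env.CF_DNS_EDIT}
		}
	}
}

(home_only) {
	@allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
	handle @allowAccess {
		reverse_proxy {args[0]}
	}
	handle {
		respond 403
	}
}

sonarr.home.ptrwd.com {
	import cloudflare_tls
	import home_only ts-io.whale-woodpecker.ts.net:8989
}

# … unchanged: the remaining sites follow the same two-import pattern …
```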
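Review bot: `--with github.com/caddy-dns/cloudflare` carries no version, so every image rebuild pulls whatever the module's latest commit is and the resulting binary cannot be reproduced; pin it, `--with github.com/caddy-dns/cloudflare@<pinned-version>` (placeholder), and bump deliberately. `FROM caddy:2.10-builder` / `FROM caddy:2.10` pin the minor only, which is a reasonable trade-off for a self-hosted stack but worth a comment next to the line. The empty line before the first `FROM` can go.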
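Review bot: `image: caddy-cloudflare` names a locally built image but the service has no `build:`, so a fresh `docker compose up` tries to pull `caddy-cloudflare` from the registry and fails unless someone built and tagged it by hand; add `build: .` beside `image:` so the new Dockerfile is actually used. The Cloudflare tokens are passed through `environment:`, which is readable with `docker inspect` by anything holding Docker socket access — acceptable here, but note that other services in this repo mount `/var/run/docker.sock`.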
@@ -1,54 +0,0 @@
-services:
- mealie:
- image: ghcr.io/mealie-recipes/mealie:latest
- container_name: mealie
- restart: always
- ports:
- - 9925:9000
- deploy:
- resources:
- limits:
- memory: 1000M
- volumes:
- - mealie-data:/app/data/
- environment:
- ALLOW_SIGNUP: false
- PUID: 1000
- PGID: 1000
- TZ: America/New_York
- MAX_WORKERS: 1
- WEB_CONCURRENCY: 1
- BASE_URL: ${BASE_URL}
- # Database Settings
- DB_ENGINE: ${DATABASE_TYPE}
- POSTGRES_USER: ${POSTGRES_USER}
- POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
- POSTGRES_SERVER: ${POSTGRES_SERVER}
- POSTGRES_PORT: ${POSTGRES_PORT}
- POSTGRES_DB: ${POSTGRES_DB}
- depends_on:
- postgres:
- condition: service_healthy
- labels:
- - diun.enable=true
- postgres:
- container_name: postgres
- image: postgres:15
- restart: always
- volumes:
- - mealie-pgdata:/var/lib/postgresql/data
- environment:
- POSTGRES_PASSWORD: ${POSTGRES_USER}
- POSTGRES_USER: ${POSTGRES_PASSWORD}
- healthcheck:
- test:
- - CMD
- - pg_isready
- interval: 30s
- timeout: 20s
- retries: 3
- labels:
- - diun.enable=true
-volumes:
- mealie-data: null
- mealie-pgdata: null
From c8f57a1cd78fa495258524e681901febae148324 Mon Sep 17 00:00:00 2001 From: Peter Wood Date: Tue, 29 Apr 2025 14:35:01 -0400 Subject: [PATCH 28/28] Add Docker Compose configuration for docmost service with PostgreSQL and Redis --- docmost/compose.yaml | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 docmost/compose.yaml
diff --git a/docmost/compose.yaml b/docmost/compose.yaml
new file mode 100644
index 0000000..3ba9421
--- /dev/null
+++ b/docmost/compose.yaml
@@ -0,0 +1,35 @@
+services:
+ docmost:
+ image: docmost/docmost:latest
+ depends_on:
+ - db
+ - redis
+ environment:
+ APP_URL: http://localhost:3000
+ APP_SECRET: ${APP_SECRET}
+ DATABASE_URL: ${POSTGRES_URL}
+ REDIS_URL: redis://redis:6379
+ ports:
+ - 9380:3000
+ restart: unless-stopped
+ volumes:
+ - docmost:/app/data/storage
+ db:
+ image: postgres:16-alpine
+ environment:
+ POSTGRES_DB: docmost
+ POSTGRES_USER: docmost
+ POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+ restart: unless-stopped
+ volumes:
+ - db_data:/var/lib/postgresql/data
+ redis:
+ image: redis:7.2-alpine
+ restart: unless-stopped
+ volumes:
+ - redis_data:/data
+volumes:
+ docmost: null
+ db_data: null
+ redis_data: null
+networks: {}
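Review bot: `depends_on: - db - redis` only orders container start; Postgres is not yet accepting connections when docmost launches, so the first boot can fail or restart-loop, and unlike the mealie stack this series removes, `db` has no healthcheck to wait on — add one and switch to the long form with `condition: service_healthy`, as below. `APP_URL: http://localhost:3000` matches neither the published `9380:3000` mapping nor any proxied hostname, and the app builds links and cookies from it, so set it to the real external URL. The same Postgres password has to appear both in `POSTGRES_PASSWORD` and inside `${POSTGRES_URL}`; a comment in the stack's `.env.example` should say the two must agree.
```yaml
  docmost:
    # … unchanged: image, environment, ports, restart, volumes …
    depends_on:
      db:
        condition: service_healthy
      redis:
        condition: service_started
  db:
    image: postgres:16-alpine
    # … unchanged: environment, restart, volumes …
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U docmost -d docmost"]
      interval: 10s
      timeout: 5s
      retries: 5
```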