the10thwiz/Homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add matrix a few minor changes

Browse Source
This commit is contained in:
Matthew Pomes
2026-02-11 21:19:18 -06:00
parent 4b572faf1d
commit 710722b77e
7 changed files with 164 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
authelia/configuration.yml
View File

@@ -52,7 +52,7 @@ access_control:
rules:
- domain: 'servarr.loadingm.xyz'
subject:
- 'group:admins'
- 'group:admin'
policy: one_factor
# - domain: '*.loadingm.xyz'
# policy: one_factor

48
docker-compose.yaml
View File

@@ -2,6 +2,7 @@ include:
- ./karakeep-compose.yaml
- ./jellyfin-compose.yaml
- ./immich-compose.yaml
- ./matrix-compose.yaml
secrets:
JWT_SECRET:
file: '/data/authelia/secrets/JWT_SECRET'
@@ -54,9 +55,12 @@ networks:
bitwarden:
external: false
enable_ipv6: true
# host:
# external: true
# enable_ipv6: true
immich:
external: false
enable_ipv6: true
matrix:
external: false
enable_ipv6: true
services:
web:
build:
@@ -79,6 +83,8 @@ services:
- gpodder
- memos
- bitwarden
- matrix
- immich
depends_on:
- jellyfin
- ollama-webui
@@ -88,6 +94,7 @@ services:
- gitea
- gpodder
- memos
- matrix-server
logging: &logging
options:
max-size: "50m"
@@ -218,13 +225,46 @@ services:
logging: *logging
environment:
- ALLOWED_SENDER_DOMAINS=loadingm.xyz
- POSTFIX_myhostname=mail
# - POSTFIX_myhostname=mail
- POSTFIX_myhostname=loadingm.xyz
- POSTFIX_mydestination=loadingm.xyz,loading-hpdl380g10.loadingm.xyz
- MASQUERADED_DOMAINS=loadingm.xyz,loading-hpdl380g10.loadingm.xyz
- SMTPD_SASL_USERS="a:123,b:123"
volumes:
- /data/mail:/etc/opendkim/keys
networks:
- mail
ports:
- 127.0.0.1:25:25
# mail:
# image: ghcr.io/docker-mailserver/docker-mailserver:latest
# container_name: mailserver
# # Provide the FQDN of your mail server here (Your DNS MX record should point to this value)
# hostname: mail.loadingm.xyz
# env_file: mailserver.env
# # More information about the mail-server ports:
# # https://docker-mailserver.github.io/docker-mailserver/latest/config/security/understanding-the-ports/
# ports:
# - "25:25" # SMTP (explicit TLS => STARTTLS, Authentication is DISABLED => use port 465/587 instead)
# - "143:143" # IMAP4 (explicit TLS => STARTTLS)
# - "465:465" # ESMTP (implicit TLS)
# - "587:587" # ESMTP (explicit TLS => STARTTLS)
# - "993:993" # IMAP4 (implicit TLS)
# volumes:
# - /data/dms/mail-data/:/var/mail/
# - /data/dms/mail-state/:/var/mail-state/
# - /data/dms/mail-logs/:/var/log/mail/
# - /data/dms/config/:/tmp/docker-mailserver/
# - /etc/localtime:/etc/localtime:ro
# restart: always
# stop_grace_period: 1m
# # Uncomment if using `ENABLE_FAIL2BAN=1`:
# # cap_add:
# # - NET_ADMIN
# healthcheck:
# test: "ss --listening --ipv4 --tcp | grep --silent ':smtp' || exit 1"
# timeout: 3s
# retries: 0
bitwarden:
# env_file:
# - bitwarden.env

26
immich-compose.yaml
View File

@@ -5,20 +5,19 @@ services:
# file: hwaccel.transcoding.yml
# service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
volumes:
# Do not edit the next line. If you want to change the media storage location on your system, edit the value of UPLOAD_LOCATION in the .env file
- /data/immich/uploads:/data
- /etc/localtime:/etc/localtime:ro
environment:
DB_USERNAME: postgres
DB_PASSWORD: nVmwTyOKlcEa6VUc
DB_DATABASE_NAME: immich
# env_file:
# - .env
ports:
- '2283:2283'
DB_HOSTNAME: immich-db
REDIS_HOSTNAME: immich-redis
networks:
- immich
depends_on:
- redis
- database
- immich-redis
- immich-db
restart: always
healthcheck:
disable: false
@@ -36,19 +35,21 @@ services:
DB_USERNAME: postgres
DB_PASSWORD: nVmwTyOKlcEa6VUc
DB_DATABASE_NAME: immich
# env_file:
# - .env
networks:
- immich
restart: always
healthcheck:
disable: false
redis:
immich-redis:
image: docker.io/valkey/valkey:9@sha256:fb8d272e529ea567b9bf1302245796f21a2672b8368ca3fcb938ac334e613c8f
healthcheck:
test: redis-cli ping || exit 1
networks:
- immich
restart: always
database:
immich-db:
image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23
environment:
POSTGRES_USER: postgres
@@ -58,7 +59,8 @@ services:
# Uncomment the DB_STORAGE_TYPE: 'HDD' var if your database isn't stored on SSDs
# DB_STORAGE_TYPE: 'HDD'
volumes:
# Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
- /data/immich/postgres:/var/lib/postgresql/data
networks:
- immich
shm_size: 128mb
restart: always

21
jellyfin-compose.yaml
View File

@@ -24,6 +24,8 @@ services:
- VPN_PORT_FORWARDING=on
- VPN_PORT_FORWARDING_PROVIDER=protonvpn
- VPN_PORT_FORWARDING_STATUS_FILE=/tmp/gluetun/forwarded_port
- VPN_PORT_FORWARDING_UP_COMMAND=/bin/sh -c 'wget -O- --retry-connrefused --post-data "json={\"listen_port\":{{PORT}},\"current_network_interface\":\"{{VPN_INTERFACE}}\",\"random_port\":false,\"upnp\":false}" http://127.0.0.1:8080/api/v2/app/setPreferences 2>&1'
- VPN_PORT_FORWARDING_DOWN_COMMAND=/bin/sh -c 'wget -O- --retry-connrefused --post-data "json={\"listen_port\":0,\"current_network_interface\":\"lo"}" http://127.0.0.1:8080/api/v2/app/setPreferences 2>&1'
- TZ=${TZ}
- UPDATER_PERIOD=24h
restart: always
@@ -61,6 +63,8 @@ services:
- TZ=${TZ}
#- LANG=fr_FR
#- LANG=en_US
# volumes:
# - /tmp/flaresolver:/tmp
ports:
- 8191:8191
networks:
@@ -104,8 +108,8 @@ services:
- /data/jellyfin/configs/sonarr:/config
- /data/jellyfin/sonarr/tv:/tv
- /data/jellyfin/qbittorrent/downloads:/downloads
ports:
- 8989:8989
# ports:
# - 8989:8989
networks:
- jellyfin-int
restart: unless-stopped
@@ -120,8 +124,8 @@ services:
- /data/jellyfin/configs/radarr:/config
- /data/jellyfin/radarr/movies:/movies
- /data/jellyfin/qbittorrent/downloads:/downloads
ports:
- 7878:7878
# ports:
# - 7878:7878
networks:
- jellyfin-int
restart: unless-stopped
@@ -133,10 +137,9 @@ services:
- TZ=${TZ}
# - NVIDIA_VISIBLE_DEVICES=all
ports:
- 8096:8096
- 8920:8920
# - 8096:8096
# - 8920:8920
- 7359:7359/udp
- 1900:1900/udp
networks:
- jellyfin
- jellyfin-int
@@ -166,8 +169,8 @@ services:
environment:
- LOG_LEVEL=debug
- TZ=${TZ}
ports:
- 5055:5055
# ports:
# - 5055:5055
volumes:
- /data/jellyfin/configs/jellyseerr:/app/config
restart: unless-stopped

27
matrix-compose.yaml Normal file
View File

@@ -0,0 +1,27 @@
services:
matrix-server:
image: forgejo.ellis.link/continuwuation/continuwuity
restart: unless-stopped
environment:
CONTINUWUITY_SERVER_NAME: "matrix.loadingm.xyz"
CONTINUWUITY_WELL_KNOWN__SERVER: "matrix.loadingm.xyz:443"
CONTINUWUITY_ALLOW_REGISTRATION: true
CONTINUWUITY_REGISTRATION_TOKEN: "qFz7aekKxgXdd6SpQ09llv52+S4="
CONTINUWUITY_ALLOW_FEDERATION: 'true'
CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org", "mozilla.org"]'
CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
CONTINUWUITY_PORT: 6167
CONTINUWUITY_ADDRESS: 0.0.0.0
volumes:
- /data/matrix/db:/var/lib/continuwuity
networks:
- matrix
# ports:
# - 8448:6167
turn:
image: docker.io/coturn/coturn
restart: unless-stopped
network_mode: "host"
volumes:
- ./coturn.conf:/etc/coturn/turnserver.conf:ro

14
nginx/sites-enabled/immich
View File

@@ -24,10 +24,22 @@ server {
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /api/socket.io {
proxy_pass http://immich-server:2283;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
location / {
# Proxy main karakeep traffic
proxy_pass http://immich:2283;
proxy_pass http://immich-server:2283;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

53
nginx/sites-enabled/matrix Normal file
View File

@@ -0,0 +1,53 @@
server {
# Nginx versions 1.25+
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name matrix.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 200G;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
# Permissions policy. May cause issues with some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
# location /api/socket.io {
# proxy_pass http://matrix-server:6167;
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade";
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-Protocol $scheme;
# proxy_set_header X-Forwarded-Host $http_host;
# }
location / {
# Proxy main karakeep traffic
proxy_pass http://matrix-server:6167;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
}