diff --git a/authelia/configuration.yml b/authelia/configuration.yml
index 6e37d82..b0f072e 100644
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -52,7 +52,7 @@ access_control:
 rules:
 - domain: 'servarr.loadingm.xyz'
 subject:
- - 'group:admins'
+ - 'group:admin'
 policy: one_factor
 # - domain: '*.loadingm.xyz'
 # policy: one_factor
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 4a55846..6121918 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -2,6 +2,7 @@ include:
 - ./karakeep-compose.yaml
 - ./jellyfin-compose.yaml
 - ./immich-compose.yaml
+ - ./matrix-compose.yaml
 secrets:
 JWT_SECRET:
 file: '/data/authelia/secrets/JWT_SECRET'
@@ -54,9 +55,12 @@ networks:
 bitwarden:
 external: false
 enable_ipv6: true
- # host:
- # external: true
- # enable_ipv6: true
+ immich:
+ external: false
+ enable_ipv6: true
+ matrix:
+ external: false
+ enable_ipv6: true
 services:
 web:
 build:
@@ -79,6 +83,8 @@ services:
 - gpodder
 - memos
 - bitwarden
+ - matrix
+ - immich
 depends_on:
 - jellyfin
 - ollama-webui
@@ -88,6 +94,7 @@ services:
 - gitea
 - gpodder
 - memos
+ - matrix-server
 logging: &logging
 options:
 max-size: "50m"
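Review bot: The `servarr.loadingm.xyz` rule's only subject is now `group:admin`, and Authelia compares the group name literally, so if the user backend still calls the group `admins` the rule matches nobody and requests presumably fall through to whatever `default_policy` is configured (not visible in this hunk) rather than to `one_factor`. Worth confirming the name against the backend before this lands, since a mismatch here is a silent lockout rather than an error. A comment above the subject list such as `# must match the group name exactly as the users backend reports it` would save the next reader the lookup.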
@@ -218,13 +225,46 @@ services:
 logging: *logging
 environment:
 - ALLOWED_SENDER_DOMAINS=loadingm.xyz
- - POSTFIX_myhostname=mail
+ # - POSTFIX_myhostname=mail
+ - POSTFIX_myhostname=loadingm.xyz
+ - POSTFIX_mydestination=loadingm.xyz,loading-hpdl380g10.loadingm.xyz
+ - MASQUERADED_DOMAINS=loadingm.xyz,loading-hpdl380g10.loadingm.xyz
+ - SMTPD_SASL_USERS="a:123,b:123"
 volumes:
 - /data/mail:/etc/opendkim/keys
 networks:
 - mail
 ports:
 - 127.0.0.1:25:25
+ # mail:
+ # image: ghcr.io/docker-mailserver/docker-mailserver:latest
+ # container_name: mailserver
+ # # Provide the FQDN of your mail server here (Your DNS MX record should point to this value)
+ # hostname: mail.loadingm.xyz
+ # env_file: mailserver.env
+ # # More information about the mail-server ports:
+ # # https://docker-mailserver.github.io/docker-mailserver/latest/config/security/understanding-the-ports/
+ # ports:
+ # - "25:25" # SMTP (explicit TLS => STARTTLS, Authentication is DISABLED => use port 465/587 instead)
+ # - "143:143" # IMAP4 (explicit TLS => STARTTLS)
+ # - "465:465" # ESMTP (implicit TLS)
+ # - "587:587" # ESMTP (explicit TLS => STARTTLS)
+ # - "993:993" # IMAP4 (implicit TLS)
+ # volumes:
+ # - /data/dms/mail-data/:/var/mail/
+ # - /data/dms/mail-state/:/var/mail-state/
+ # - /data/dms/mail-logs/:/var/log/mail/
+ # - /data/dms/config/:/tmp/docker-mailserver/
+ # - /etc/localtime:/etc/localtime:ro
+ # restart: always
+ # stop_grace_period: 1m
+ # # Uncomment if using `ENABLE_FAIL2BAN=1`:
+ # # cap_add:
+ # # - NET_ADMIN
+ # healthcheck:
+ # test: "ss --listening --ipv4 --tcp | grep --silent ':smtp' || exit 1"
+ # timeout: 3s
+ # retries: 0
 bitwarden:
 # env_file:
 # - bitwarden.env
diff --git a/immich-compose.yaml b/immich-compose.yaml
index 75c748b..70a3c0f 100644
--- a/immich-compose.yaml
+++ b/immich-compose.yaml
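Review bot: `- SMTPD_SASL_USERS="a:123,b:123"` commits SMTP AUTH credentials to the repository as a literal, and in the list form of `environment:` the surrounding double quotes are part of the YAML plain scalar, so the container most likely receives the value with the quotes included — which the image may not parse as a user list at all. docker-compose.yaml already uses file-backed `secrets:` for `JWT_SECRET`; the credentials belong in an `env_file` or secret kept outside VCS, with real passwords rather than `123`, and the values committed here should be treated as burned. The 29-line commented-out docker-mailserver stanza that follows `ports:` is dead configuration that will drift from the live image's docs; git history or a separate example file is a better home for it.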
@@ -5,20 +5,19 @@ services:
 # file: hwaccel.transcoding.yml
 # service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
 volumes:
- # Do not edit the next line. If you want to change the media storage location on your system, edit the value of UPLOAD_LOCATION in the .env file
 - /data/immich/uploads:/data
 - /etc/localtime:/etc/localtime:ro
 environment:
 DB_USERNAME: postgres
 DB_PASSWORD: nVmwTyOKlcEa6VUc
 DB_DATABASE_NAME: immich
- # env_file:
- # - .env
- ports:
- - '2283:2283'
+ DB_HOSTNAME: immich-db
+ REDIS_HOSTNAME: immich-redis
+ networks:
+ - immich
 depends_on:
- - redis
- - database
+ - immich-redis
+ - immich-db
 restart: always
 healthcheck:
 disable: false
@@ -36,19 +35,21 @@ services:
 DB_USERNAME: postgres
 DB_PASSWORD: nVmwTyOKlcEa6VUc
 DB_DATABASE_NAME: immich
- # env_file:
- # - .env
+ networks:
+ - immich
 restart: always
 healthcheck:
 disable: false
- redis:
+ immich-redis:
 image: docker.io/valkey/valkey:9@sha256:fb8d272e529ea567b9bf1302245796f21a2672b8368ca3fcb938ac334e613c8f
 healthcheck:
 test: redis-cli ping || exit 1
+ networks:
+ - immich
 restart: always
- database:
+ immich-db:
 image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23
 environment:
 POSTGRES_USER: postgres
@@ -58,7 +59,8 @@ services:
 # Uncomment the DB_STORAGE_TYPE: 'HDD' var if your database isn't stored on SSDs
 # DB_STORAGE_TYPE: 'HDD'
 volumes:
- # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
 - /data/immich/postgres:/var/lib/postgresql/data
+ networks:
+ - immich
 shm_size: 128mb
 restart: always
diff --git a/jellyfin-compose.yaml b/jellyfin-compose.yaml
index 3f19e48..13ccbda 100644
--- a/jellyfin-compose.yaml
+++ b/jellyfin-compose.yaml
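Review bot: The rewritten `environment:` blocks in the first two hunks keep `DB_PASSWORD: nVmwTyOKlcEa6VUc` as a plaintext literal in both immich services (and presumably the same value sits in `POSTGRES_PASSWORD` on `immich-db`, which is past the hunk), so the database password is committed to VCS in triplicate. Since the commit already touches these blocks to add `DB_HOSTNAME`/`REDIS_HOSTNAME`, this is the moment to move it to a file-backed secret like the `secrets:` block docker-compose.yaml already uses; immich documents a `DB_PASSWORD_FILE` variant for exactly that. Dropping the host `ports:` mapping and putting everything on the `immich` network is the right direction, but note that `web` (nginx) joins that network too, so it can reach `immich-db` and `immich-redis` directly — acceptable on a single-host stack, worth a one-line comment so it is a decision rather than an accident.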
@@ -24,6 +24,8 @@ services:
 - VPN_PORT_FORWARDING=on
 - VPN_PORT_FORWARDING_PROVIDER=protonvpn
 - VPN_PORT_FORWARDING_STATUS_FILE=/tmp/gluetun/forwarded_port
+ - VPN_PORT_FORWARDING_UP_COMMAND=/bin/sh -c 'wget -O- --retry-connrefused --post-data "json={\"listen_port\":{{PORT}},\"current_network_interface\":\"{{VPN_INTERFACE}}\",\"random_port\":false,\"upnp\":false}" http://127.0.0.1:8080/api/v2/app/setPreferences 2>&1'
+ - VPN_PORT_FORWARDING_DOWN_COMMAND=/bin/sh -c 'wget -O- --retry-connrefused --post-data "json={\"listen_port\":0,\"current_network_interface\":\"lo"}" http://127.0.0.1:8080/api/v2/app/setPreferences 2>&1'
 - TZ=${TZ}
 - UPDATER_PERIOD=24h
 restart: always
@@ -61,6 +63,8 @@ services:
 - TZ=${TZ}
 #- LANG=fr_FR
 #- LANG=en_US
+ # volumes:
+ # - /tmp/flaresolver:/tmp
 ports:
 - 8191:8191
 networks:
@@ -104,8 +108,8 @@ services:
 - /data/jellyfin/configs/sonarr:/config
 - /data/jellyfin/sonarr/tv:/tv
 - /data/jellyfin/qbittorrent/downloads:/downloads
- ports:
- - 8989:8989
+ # ports:
+ # - 8989:8989
 networks:
 - jellyfin-int
 restart: unless-stopped
@@ -120,8 +124,8 @@ services:
 - /data/jellyfin/configs/radarr:/config
 - /data/jellyfin/radarr/movies:/movies
 - /data/jellyfin/qbittorrent/downloads:/downloads
- ports:
- - 7878:7878
+ # ports:
+ # - 7878:7878
 networks:
 - jellyfin-int
 restart: unless-stopped
@@ -133,10 +137,9 @@ services:
 - TZ=${TZ}
 # - NVIDIA_VISIBLE_DEVICES=all
 ports:
- - 8096:8096
- - 8920:8920
+ # - 8096:8096
+ # - 8920:8920
 - 7359:7359/udp
- - 1900:1900/udp
 networks:
 - jellyfin
 - jellyfin-int
@@ -166,8 +169,8 @@ services:
 environment:
 - LOG_LEVEL=debug
 - TZ=${TZ}
- ports:
- - 5055:5055
+ # ports:
+ # - 5055:5055
 volumes:
 - /data/jellyfin/configs/jellyseerr:/app/config
 restart: unless-stopped
diff --git a/matrix-compose.yaml b/matrix-compose.yaml
new file mode 100644
index 0000000..57554a5
--- /dev/null
+++ b/matrix-compose.yaml
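Review bot: The JSON in `VPN_PORT_FORWARDING_DOWN_COMMAND` is mis-escaped: `\"current_network_interface\":\"lo"}"` has no backslash before the quote that should close `lo`, so inside the `sh -c` string that `"` terminates the `--post-data` argument early and the remainder carries an unbalanced double quote — the down hook fails (or at best posts a truncated body) instead of resetting the listen port. It should read `\"current_network_interface\":\"lo\"}"`, matching the escaping the up command uses for `{{VPN_INTERFACE}}`. Both hooks also call the qBittorrent WebUI at `127.0.0.1:8080` without credentials, which presumably relies on the WebUI's localhost authentication bypass being enabled; a comment stating that dependency next to these two lines would keep someone from widening that bypass later without noticing.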
@@ -0,0 +1,27 @@
+services:
+ matrix-server:
+ image: forgejo.ellis.link/continuwuation/continuwuity
+ restart: unless-stopped
+ environment:
+ CONTINUWUITY_SERVER_NAME: "matrix.loadingm.xyz"
+ CONTINUWUITY_WELL_KNOWN__SERVER: "matrix.loadingm.xyz:443"
+ CONTINUWUITY_ALLOW_REGISTRATION: true
+ CONTINUWUITY_REGISTRATION_TOKEN: "qFz7aekKxgXdd6SpQ09llv52+S4="
+ CONTINUWUITY_ALLOW_FEDERATION: 'true'
+ CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
+ CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org", "mozilla.org"]'
+ CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+ CONTINUWUITY_PORT: 6167
+ CONTINUWUITY_ADDRESS: 0.0.0.0
+ volumes:
+ - /data/matrix/db:/var/lib/continuwuity
+ networks:
+ - matrix
+ # ports:
+ # - 8448:6167
+ turn:
+ image: docker.io/coturn/coturn
+ restart: unless-stopped
+ network_mode: "host"
+ volumes:
+ - ./coturn.conf:/etc/coturn/turnserver.conf:ro
diff --git a/nginx/sites-enabled/immich b/nginx/sites-enabled/immich
index e652f7a..077b9a5 100644
--- a/nginx/sites-enabled/immich
+++ b/nginx/sites-enabled/immich
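Review bot: `CONTINUWUITY_REGISTRATION_TOKEN` is committed as a literal next to `CONTINUWUITY_ALLOW_REGISTRATION: true`, so the only thing gating account creation on a federating homeserver is a secret that now lives in git history; rotate it and load it from a mounted file outside VCS instead (conduwuit exposes `registration_token_file`, which should map to `CONTINUWUITY_REGISTRATION_TOKEN_FILE` here — confirm against the image's config reference). Booleans are spelled three ways in the same block (`true`, `'true'`); pick the quoted-string form for all of them since the consumer reads environment strings anyway. The `turn` service uses `network_mode: "host"`, which puts coturn's listeners directly on the host and outside the `matrix` network; the mounted `coturn.conf` is not in the diff, so verify it restricts relaying to private address ranges (coturn's `denied-peer-ip` / `no-multicast-peers`) so the relay cannot be pointed at the docker-internal networks, and add a comment at `network_mode` noting why host mode was chosen.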
@@ -24,10 +24,22 @@ server {
 # Enforces https content and restricts JS/CSS to origin
 # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
 add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
+ location /api/socket.io {
+ proxy_pass http://immich-server:2283;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+ }
 location / {
 # Proxy main karakeep traffic
- proxy_pass http://immich:2283;
+ proxy_pass http://immich-server:2283;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
diff --git a/nginx/sites-enabled/matrix b/nginx/sites-enabled/matrix
new file mode 100644
index 0000000..dffb288
--- /dev/null
+++ b/nginx/sites-enabled/matrix
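Review bot: The new `location /api/socket.io` duplicates the whole `proxy_set_header` block of `location /` and differs only in the `Upgrade`/`Connection` pair, so the two will drift the next time a forwarded header changes. The idiomatic form is a single `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in the http context and `proxy_set_header Connection $connection_upgrade;` plus `proxy_http_version 1.1;` in `location /`, which serves both websocket and plain requests from one block. The `# Proxy main karakeep traffic` comment just below the new block is a copy-paste leftover and should name immich.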
@@ -0,0 +1,53 @@
+server {
+ # Nginx versions 1.25+
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
+
+ server_name matrix.loadingm.xyz;
+ acme_certificate letsencrypt;
+ ssl_certificate $acme_certificate;
+ ssl_certificate_key $acme_certificate_key;
+ ssl_certificate_cache max=2;
+
+ ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
+ client_max_body_size 200G;
+
+ # Security / XSS Mitigation Headers
+ add_header X-Content-Type-Options "nosniff";
+
+ # Permissions policy. May cause issues with some clients
+ add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
+
+ # Content Security Policy
+ # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+ # Enforces https content and restricts JS/CSS to origin
+ # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
+ add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
+ # location /api/socket.io {
+ # proxy_pass http://matrix-server:6167;
+ # proxy_http_version 1.1;
+ # proxy_set_header Upgrade $http_upgrade;
+ # proxy_set_header Connection "upgrade";
+ # proxy_set_header Host $host;
+ # proxy_set_header X-Real-IP $remote_addr;
+ # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # proxy_set_header X-Forwarded-Proto $scheme;
+ # proxy_set_header X-Forwarded-Protocol $scheme;
+ # proxy_set_header X-Forwarded-Host $http_host;
+ # }
+
+ location / {
+ # Proxy main karakeep traffic
+ proxy_pass http://matrix-server:6167;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+
+ # Disable buffering when the nginx proxy gets very resource heavy upon streaming
+ proxy_buffering off;
+ }
+}
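Review bot: The header block is copied verbatim from the immich vhost — the `# Proxy main karakeep traffic` comment and the commented-out `/api/socket.io` location give it away — but what sits behind this `server` is a Matrix homeserver API that serves JSON, so a Content-Security-Policy allowing `'unsafe-inline' 'unsafe-eval'`, gstatic and youtube neither protects nor fits anything here; trim to `X-Content-Type-Options` and whatever the homeserver's own responses need, and drop the dead socket.io block. `client_max_body_size 200G;` is effectively unlimited, whereas continuwuity enforces its own `max_request_size` on uploads (value not visible in this diff), so the nginx limit should be set just above that figure so oversize requests are rejected at the edge rather than buffered to disk. A short comment at `client_max_body_size` tying it to the server-side limit would document the intent.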