diff --git a/.vpnenv b/.vpnenv
new file mode 100644
index 0000000..bd81d06
--- /dev/null
+++ b/.vpnenv
@@ -0,0 +1,25 @@
+TZ=America/Menominee
+
+# # Probably US-IL#152
+# VPN_ENDPOINT_IP=87.249.134.138
+# VPN_ENDPOINT_PORT=51820
+# WIREGUARD_ADDRESSES=10.2.0.2/32
+# VPN_DNS_ADDRESS=10.2.0.1
+# WIREGUARD_PUBLIC_KEY=WNLAmQkeAvdg9QRFMXq7EuwpEWWkltWwiS/DGIcjHjs=
+# WIREGUARD_PRIVATE_KEY=MEvccGuRDyqlbpMdqUlCdGwlAD/LD4iTvx+6LG/0/0k=
+
+# US-IL#156
+VPN_ENDPOINT_IP=87.249.134.139
+VPN_ENDPOINT_PORT=51820
+WIREGUARD_ADDRESSES=10.2.0.2/32
+VPN_DNS_ADDRESS=10.2.0.1
+WIREGUARD_PUBLIC_KEY=xuqP9uEGryELhamLSK9IDRNhljo3lA1zL9/gS7yj2WQ=
+WIREGUARD_PRIVATE_KEY=wHp5gAjV9qznCbk702bq/Az/qXrnb8PKMiNhWQ5mw2I=
+
+# # US-IL#156
+# VPN_ENDPOINT_IP=87.249.134.139
+# VPN_ENDPOINT_PORT=51820
+# WIREGUARD_ADDRESSES=10.2.0.2/32
+# VPN_DNS_ADDRESS=10.2.0.1
+# WIREGUARD_PUBLIC_KEY=xuqP9uEGryELhamLSK9IDRNhljo3lA1zL9/gS7yj2WQ=
+# WIREGUARD_PRIVATE_KEY=wHp5gAjV9qznCbk702bq/Az/qXrnb8PKMiNhWQ5mw2I=
diff --git a/authelia/secret-template.yml b/authelia/secret-template.yml
index ab9d4ec..979c4df 100644
--- a/authelia/secret-template.yml
+++ b/authelia/secret-template.yml
@@ -1,17 +1,23 @@
-# rand() {
+# au rand() {
 # docker run --rm authelia/authelia:latest authelia crypto rand --length $1 --charset rfc3986
 # }
-# hash() {
+# au hash() {
 # docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length $1 --random.charset rfc3986
 # }
 identity_providers:
 oidc:
+ hmac_secret: '$(au rand 72)'
+ jwks:
+ - key: $(openssl genrsa -out - 2048)
+ claims_policies:
+ karakeep:
+ id_token: ['email']
 ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
 ## See: https://www.authelia.com/c/oidc
 clients:
 - client_name: 'Gitea'
- client_id: '$(rand 72)'
- client_secret: '$(hash 72)'
+ client_id: '$(au rand 72)'
+ client_secret: '$(au hash 72)'
 public: false
 authorization_policy: 'two_factor'
 require_pkce: false
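Review bot: The new `.vpnenv` commits a WireGuard private key that is in active use (`WIREGUARD_PRIVATE_KEY=wHp5…`), plus the previous peer's key in the commented block above it, and jellyfin-compose.yaml in this same commit reads the file via `env_file: .vpnenv`, so the key material is now part of git history. The rest of this commit moves secrets out of the tree into `/data/secrets/…`; do the same here (`env_file: /data/secrets/vpn`), add `.vpnenv` to `.gitignore`, and if this repository is pushed anywhere shared treat both keys as exposed and regenerate the peer config at the VPN provider — deleting the file in a later commit does not scrub history. Only the key lines need to move; `TZ` and the endpoint/address values are fine in a tracked file.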
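Review bot: `key: $(openssl genrsa -out - 2048)` will not survive substitution as written: `genrsa` emits a multi-line PEM block, and in Authelia's `jwks` entries the key has to be a literal block scalar (`key: |` with the PEM indented beneath it), otherwise the rendered YAML is invalid; `genrsa` already writes to stdout when `-out` is omitted, so `openssl genrsa 2048` is enough. The helper comment `# au rand() {` is not valid shell because a function name cannot contain a space — if `au` is meant to be a wrapper around the container, define `au() { docker run --rm authelia/authelia:latest authelia "$@"; }` and call `au crypto rand --length 72 --charset rfc3986`, or keep the original `rand`/`hash` names the placeholders used before. This RSA key is the OIDC token-signing key, so it belongs only in the rendered secret file, never in the template; a one-line comment above `jwks:` saying so would help whoever fills this in next.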
@@ -29,3 +35,105 @@ identity_providers:
 access_token_signed_response_alg: 'none'
 userinfo_signed_response_alg: 'none'
 token_endpoint_auth_method: 'client_secret_basic'
+ - client_name: 'Memos'
+ client_id: '$(au rand 72)'
+ client_secret: '$(au hash 72)'
+ public: false
+ authorization_policy: 'two_factor'
+ require_pkce: false
+ pkce_challenge_method: ''
+ redirect_uris:
+ - 'https://memos.loadingm.xyz/auth/callback'
+ scopes:
+ - 'openid'
+ - 'email'
+ - 'profile'
+ response_types:
+ - 'code'
+ grant_types:
+ - 'authorization_code'
+ access_token_signed_response_alg: 'none'
+ userinfo_signed_response_alg: 'none'
+ token_endpoint_auth_method: 'client_secret_basic'
+ - client_name: 'Open WebUI'
+ client_id: '$(au rand 72)'
+ client_secret: '$(au hash 72)'
+ public: false
+ authorization_policy: 'two_factor'
+ require_pkce: false
+ pkce_challenge_method: ''
+ redirect_uris:
+ - 'https://ollama.loadingm.xyz/oauth/oidc/callback'
+ scopes:
+ - 'openid'
+ - 'email'
+ - 'groups'
+ - 'profile'
+ response_types:
+ - 'code'
+ grant_types:
+ - 'authorization_code'
+ access_token_signed_response_alg: 'none'
+ userinfo_signed_response_alg: 'none'
+ token_endpoint_auth_method: 'client_secret_basic'
+ - client_name: 'Karakeep'
+ client_id: '$(au rand 72)'
+ client_secret: '$(au hash 72)'
+ public: false
+ authorization_policy: 'two_factor'
+ require_pkce: false
+ pkce_challenge_method: ''
+ redirect_uris:
+ - 'https://karakeep.loadingm.xyz/api/auth/callback/custom'
+ scopes:
+ - 'openid'
+ - 'email'
+ - 'profile'
+ claims_policy: 'karakeep'
+ response_types:
+ - 'code'
+ grant_types:
+ - 'authorization_code'
+ access_token_signed_response_alg: 'none'
+ userinfo_signed_response_alg: 'none'
+ token_endpoint_auth_method: 'client_secret_basic'
+ # - client_name: 'Jellyseerr'
+ # client_id: '$(au rand 72)'
+ # client_secret: '$(au hash 72)'
+ # public: false
+ # authorization_policy: 'two_factor'
+ # require_pkce: false
+ # pkce_challenge_method: ''
+ # redirect_uris:
+ # - 'https://memos.loadingm.xyz/auth/callback'
+ # scopes:
+ # - 'openid'
+ # - 'email'
+ # - 'profile'
+ # response_types:
+ # - 'code'
+ # grant_types:
+ # - 'authorization_code'
+ # access_token_signed_response_alg: 'none'
+ # userinfo_signed_response_alg: 'none'
+ # token_endpoint_auth_method: 'client_secret_basic'
+ # - client_name: 'Jellyfin'
+ # client_id: '$(au rand 72)'
+ # client_secret: '$(au hash 72)'
+ # public: false
+ # authorization_policy: 'two_factor'
+ # require_pkce: false
+ # pkce_challenge_method: ''
+ # redirect_uris:
+ # - 'https://memos.loadingm.xyz/auth/callback'
+ # scopes:
+ # - 'openid'
+ # - 'email'
+ # - 'profile'
+ # response_types:
+ # - 'code'
+ # grant_types:
+ # - 'authorization_code'
+ # access_token_signed_response_alg: 'none'
+ # userinfo_signed_response_alg: 'none'
+ # token_endpoint_auth_method: 'client_secret_basic'
diff --git a/jellyfin-compose.yaml b/jellyfin-compose.yaml
index 7e2c6a1..aab5559 100644
--- a/jellyfin-compose.yaml
+++ b/jellyfin-compose.yaml
@@ -11,15 +11,16 @@ services:
 - 46931:46931/udp
 networks:
 - jellyfin-int
+ env_file: .vpnenv
 environment:
 - VPN_SERVICE_PROVIDER=custom
 - VPN_TYPE=wireguard
- - VPN_ENDPOINT_IP=${ENDPOINT_IP}
- - VPN_ENDPOINT_PORT=${ENDPOINT_PORT}
- - WIREGUARD_ADDRESSES=${WIREGUARD_ADDR}
- - VPN_DNS_ADDRESS=${DNS_ADDRESS}
- - WIREGUARD_PUBLIC_KEY=${PUBLIC_KEY}
- - WIREGUARD_PRIVATE_KEY=${PRIVATE_KEY}
+ # - VPN_ENDPOINT_IP=${ENDPOINT_IP}
+ # - VPN_ENDPOINT_PORT=${ENDPOINT_PORT}
+ # - WIREGUARD_ADDRESSES=${WIREGUARD_ADDR}
+ # - VPN_DNS_ADDRESS=${DNS_ADDRESS}
+ # - WIREGUARD_PUBLIC_KEY=${PUBLIC_KEY}
+ # - WIREGUARD_PRIVATE_KEY=${PRIVATE_KEY}
 - VPN_PORT_FORWARDING=on
 - VPN_PORT_FORWARDING_PROVIDER=protonvpn
 - VPN_PORT_FORWARDING_STATUS_FILE=/tmp/gluetun/forwarded_port
@@ -84,6 +85,7 @@ services:
 - PUID=0
 - PGID=0
 - TZ=${TZ}
+ # - RUN_OPTS=-l -t
 volumes:
 - /data/jellyfin/configs/jackett:/config
 ports:
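Review bot: The Open WebUI client is declared with `require_pkce: false` and `pkce_challenge_method: ''`, while karakeep-compose.yaml configures that same client with `OAUTH_CODE_CHALLENGE_METHOD=S256`; PKCE only protects the code exchange if the provider enforces it, so set `require_pkce: true` and `pkce_challenge_method: 'S256'` on this client (and on Memos and Karakeep too if those relying parties support it, which I cannot confirm from here). The commented Jellyseerr and Jellyfin entries carry a copy-pasted `redirect_uris` of `https://memos.loadingm.xyz/auth/callback`; fix the URIs now or drop the blocks, because a wrong redirect URI is exactly the kind of thing that gets uncommented unchanged. `access_token_signed_response_alg: 'none'` and `userinfo_signed_response_alg: 'none'` are, as far as I recall, Authelia's defaults (opaque access tokens, plain JSON userinfo) and are fine for these confidential clients, though a short comment saying they are deliberate would stop the next reader from reading `none` as "unsigned JWT".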
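Review bot: `env_file: .vpnenv` replaces the `${PRIVATE_KEY}`-style interpolation (presumably resolved from an untracked `.env`) with a file that this same commit adds to the repository with the WireGuard private key in it, so the secret has moved from outside git into git. Follow the convention the other services in this commit adopt — `env_file: /data/secrets/vpn` — or gitignore `.vpnenv`, and delete the six commented-out `VPN_*`/`WIREGUARD_*` lines rather than keeping them: the variable names now come from the env file, and the comments only invite someone to re-add them under the old `${…}` names. If the gluetun image needs the exact variable names documented, a single comment such as `# VPN endpoint/keys come from the env_file above` says more than six dead lines.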
@@ -129,7 +131,7 @@ services: - PUID=0 - PGID=0 - TZ=${TZ} - - NVIDIA_VISIBLE_DEVICES=all + # - NVIDIA_VISIBLE_DEVICES=all ports: - 8096:8096 - 8920:8920 @@ -149,8 +151,8 @@ services: restart: unless-stopped group_add: - '993' - devices: - - /dev/dri/renderD128:/dev/dri/renderD128 + # devices: + # - /dev/dri/renderD128:/dev/dri/renderD128 # runtime: nvidia # deploy: # resources: diff --git a/karakeep-compose.yaml b/karakeep-compose.yaml index 3ca98ac..36910d1 100644 --- a/karakeep-compose.yaml +++ b/karakeep-compose.yaml @@ -10,7 +10,8 @@ services: # ports: # - 3000:3000 env_file: - - .env + # - .env + - /data/secrets/karakeep environment: MEILI_ADDR: http://meilisearch:7700 BROWSER_WEB_URL: http://karakeep-chrome:9222 @@ -20,7 +21,7 @@ services: INFERENCE_OUTPUT_SCHEMA: json INFERENCE_CONTEXT_LENGTH: 1024 INFERENCE_JOB_TIMEOUT_SEC: 120 - + LOG_LEVEL: debug # You almost never want to change the value of the DATA_DIR variable. # If you want to mount a custom directory, change the volume mapping above instead. DATA_DIR: /data # DON'T CHANGE THIS @@ -65,7 +66,6 @@ services: - OLLAMA_DEBUG=1 networks: - ollama-int - ollama-webui: image: ghcr.io/open-webui/open-webui:main volumes: 
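Review bot: With the `/dev/dri/renderD128` device mapping commented out, the `group_add: - '993'` immediately above it has nothing left to grant access to (it presumably exists for the host render/video group) and now only adds a supplementary GID to a container that, from the `-129` hunk, appears to run as PUID/PGID 0; remove it together with the device lines, or comment it in the same block so the two are re-enabled together. Deleting rather than commenting is preferable here — git history keeps the old values, and this stanza already carries a parallel commented `runtime: nvidia` / `deploy:` block, so the file is accumulating dead alternatives. If `group_add` is needed for something else, a one-line comment like `# 993 = host 'render' group, required for /dev/dri` (with the real group name) would save the next reader a `getent group 993`.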
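Review bot: `LOG_LEVEL: debug` is being committed into the persistent service definition rather than toggled for a troubleshooting session; at debug level application logs commonly include request and response detail, and this service now sits behind an OIDC login and reads `/data/secrets/karakeep`, so check what Karakeep emits at that level before leaving it on, and ship `LOG_LEVEL: info` with a comment such as `# raise to debug only while troubleshooting; debug output may include auth details`. I cannot confirm from here what Karakeep logs at debug — the point is that the setting should be deliberate and documented, not a leftover from debugging the OIDC wiring.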
@@ -73,12 +73,24 @@ services:
 depends_on:
 - ollama
 environment: # https://docs.openwebui.com/getting-started/env-configuration#default_models
- - OLLAMA_BASE_URLS=http://host.docker.internal:7869 #comma separated ollama hosts
+ - OLLAMA_BASE_URLS=http://ollama:7869 #comma separated ollama hosts
+ - ENABLE_OPENAI_API=False
+ - WEBUI_URL=https://ollama.loadingm.xyz
 - ENV=dev
- - WEBUI_AUTH=True
- - WEBUI_NAME=valiantlynx AI
- - WEBUI_URL=http://localhost:8080
- - WEBUI_SECRET_KEY=t0p-s3cr3t
+ - ENABLE_OAUTH_SIGNUP=true
+ - OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true
+ - OPENID_PROVIDER_URL=https://auth.loadingm.xyz/.well-known/openid-configuration
+ - OAUTH_PROVIDER_NAME=Authelia
+ - OAUTH_SCOPES=openid email profile groups
+ - ENABLE_OAUTH_ROLE_MANAGEMENT=true
+ - OAUTH_ALLOWED_ROLES=openwebui,openwebui-admin
+ - OAUTH_ADMIN_ROLES=openwebui-admin
+ - OAUTH_ROLES_CLAIM=groups
+ - OAUTH_CODE_CHALLENGE_METHOD=S256
+ env_file: /data/secrets/ollama-webui
+ # - WEBUI_AUTH=True
+ # - WEBUI_NAME=valiantlynx AI
+ # - WEBUI_SECRET_KEY=t0p-s3cr3t
 extra_hosts:
 - host.docker.internal:host-gateway
 restart: unless-stopped
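Review bot: `WEBUI_SECRET_KEY=t0p-s3cr3t` survives as a commented line, and since that value was previously committed in the clear the key in `/data/secrets/ollama-webui` must be a freshly generated value rather than the same string — `WEBUI_SECRET_KEY` signs Open WebUI's session tokens, so anyone with repository history could mint sessions if it is reused; drop the three `# - WEBUI_*` lines entirely. `ENV=dev` is kept while the instance moves to a public hostname (`WEBUI_URL=https://ollama.loadingm.xyz`); Open WebUI documents `dev` as its development mode, which as I recall exposes the API docs endpoint, so set `ENV=prod` here. `OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true` means an Authelia identity whose email matches an existing local Open WebUI account silently becomes that account — acceptable when Authelia is the only IdP and its user emails are admin-controlled, but worth stating in a comment such as `# safe only because Authelia is the sole IdP and emails are admin-managed`. `extra_hosts: host.docker.internal` looks unused now that `OLLAMA_BASE_URLS` points at the `ollama` service and can go.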