the10thwiz/Homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: the10thwiz:2bf9ef29acbcb932e2fef07197b8855815cf1d7a
Branches Tags
the10thwiz:main
..
compare: the10thwiz:main
Branches Tags
the10thwiz:main

22 Commits
2bf9ef29ac ... main

Author SHA1 Message Date
Matthew Pomes
e3d3ade4f7 Update build-certs to use verbose logging 2025-11-23 18:39:57 -06:00
Matthew Pomes
b41ad62aa1 Add mail and update gitea to use authelia sso 2025-11-23 18:38:26 -06:00
Matthew Pomes
0566bf8a2d Change policy to only apply to servarr 2025-11-23 18:37:27 -06:00
Matthew Pomes
46344bf719 Split authelia config so secrets aren't in repo 2025-11-23 13:25:07 -06:00
Matthew Pomes
e417287103 Add template auth secrets 2025-11-23 00:18:19 -06:00
Matthew Pomes
194173c32e Add second authelia config file 2025-11-23 00:10:14 -06:00
Matthew Pomes
57d6021be3 Add memos service 2025-11-22 23:41:43 -06:00
Matthew Pomes
d6f05752a6 Fix startup issues 2025-11-22 23:37:51 -06:00
Matthew Pomes
dd34d0ab22 Add tftp server 2025-10-11 09:07:31 -05:00
Matthew Pomes
698f16c819 Fix karakeep CSP to allow full-page archives to work properly 2025-10-08 00:52:11 -05:00
Matthew Pomes
80f278a74c Use nginx variable to build CSP 2025-10-08 00:45:42 -05:00
Matthew Pomes
816cca7f4f Add allows for data: urls in the CSP 2025-10-08 00:36:32 -05:00
Matthew Pomes
60a0239682 Fix container naming 2025-10-04 16:54:36 -05:00
Matthew Pomes
70c14f241e Add musl rustup runner 2025-10-04 16:20:10 -05:00
Matthew Pomes
756049f74e Add qbt dependency on vpn 2025-09-30 11:31:29 -05:00
Matthew Pomes
d4e6c7b732 Remove port publishing from qbt as well 2025-09-30 11:27:47 -05:00
Matthew Pomes
8076a49199 Remove networks config from qbt 2025-09-30 11:23:33 -05:00
Matthew Pomes
ba9d3d292c Add VPN config 2025-09-30 11:22:40 -05:00
Matthew Pomes
3ac2b710ba Fix gpodder port 2025-09-27 01:37:24 -05:00
Matthew Pomes
4d4289670e Add necessary env key 2025-09-27 01:31:49 -05:00
Matthew Pomes
865c02a3a4 Add gpodder-rs setup 2025-09-27 01:15:39 -05:00
Matthew Pomes
64ea7cb6e6 Add systemd and host act_runner to readme
Some checks are pending
Deploy homelab / Deploy (push) Waiting to run
Details
2025-09-24 23:18:20 -05:00
12 changed files with 344 additions and 56 deletions
Expand all files Collapse all files

25
README.md
View File

@@ -18,3 +18,28 @@ zfs create -o mountpoint=/data hdd/data
zfs set compression=on hdd/data
```
## act_runner
```bash
pushd /tmp
wget https://gitea.com/gitea/act_runner/releases/download/v0.2.13/act_runner-0.2.13-linux-amd64.xz
xz -d act_runner-0.2.13-linux-amd64.xz
mv act_runner-0.2.13-linux-amd64 /usr/bin/act_runner
chmod +x /usr/bin/act_runner
mkdir /home/matthew/act_runner
```
## Systemd
```bash
# Add services
ln -s $PWD/*.service /etc/systemd/system/
systemctl enable homelab
systemctl start homelab
cd ~/act_runner
/usr/bin/act_runner register --config /home/matthew/homelab/host-runner.yaml
systemctl enable act_runner
systemctl start act_runner
```

64
authelia/configuration.yml
View File

@@ -6,7 +6,7 @@ authentication_backend:
password_change:
disable: false
file:
path: '/config/users.yml'
path: '/data/users.yml'
watch: false
search:
email: false
@@ -37,18 +37,72 @@ session:
remember_me: '1d'
notifier:
disable_startup_check: false
filesystem:
filename: '/config/notification.txt'
# filesystem:
# filename: '/data/notification.txt'
smtp:
address: 'smtp://mail:25'
sender: 'Authelia <auth@loadingm.xyz>'
disable_require_tls: true # Determine if this is needed
disable_starttls: true
storage:
local:
path: '/config/db.sqlite3'
path: '/data/db.sqlite3'
access_control:
default_policy: deny
rules:
- domain: '*.loadingm.xyz'
- domain: 'servarr.loadingm.xyz'
subject:
- 'group:admins'
policy: one_factor
# - domain: '*.loadingm.xyz'
# policy: one_factor
server:
endpoints:
authz:
auth-request:
implementation: 'AuthRequest'
identity_providers:
oidc:
# enable_client_debug_messages: false
# minimum_parameter_entropy: 8
# enforce_pkce: 'public_clients_only'
# enable_pkce_plain_challenge: false
# enable_jwt_access_token_stateless_introspection: false
# discovery_signed_response_alg: 'none'
# discovery_signed_response_key_id: ''
# require_pushed_authorization_requests: false
# authorization_policies:
# policy_name:
# default_policy: 'two_factor'
# rules:
# - policy: 'deny'
# subject: 'group:services'
# networks:
# - '192.168.1.0/24'
# - '192.168.2.51'
lifespans:
access_token: '1h'
authorize_code: '1m'
id_token: '1h'
refresh_token: '90m'
# claims_policies:
# policy_name:
# id_token: []
# access_token: []
# id_token_audience_mode: 'specification'
# custom_claims:
# claim_name:
# name: 'claim_name'
# attribute: 'attribute_name'
# scopes:
# scope_name:
# claims: []
# cors:
# endpoints:
# - 'authorization'
# - 'token'
# - 'revocation'
# - 'introspection'
# allowed_origins:
# - 'https://example.com'
# allowed_origins_from_client_redirect_uris: false

31
authelia/secret-template.yml Normal file
View File

@@ -0,0 +1,31 @@
# rand() {
# docker run --rm authelia/authelia:latest authelia crypto rand --length $1 --charset rfc3986
# }
# hash() {
# docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length $1 --random.charset rfc3986
# }
identity_providers:
oidc:
## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
## See: https://www.authelia.com/c/oidc
clients:
- client_name: 'Gitea'
client_id: '$(rand 72)'
client_secret: '$(hash 72)'
public: false
authorization_policy: 'two_factor'
require_pkce: false
pkce_challenge_method: ''
redirect_uris:
- 'https://gitea.loadingm.xyz/user/oauth2/authelia/callback'
scopes:
- 'openid'
- 'email'
- 'profile'
response_types:
- 'code'
grant_types:
- 'authorization_code'
access_token_signed_response_alg: 'none'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_basic'

3
build-certs.sh
View File

@@ -1,5 +1,5 @@
docker compose run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ \
docker compose run --rm certbot certonly -v --webroot --webroot-path /var/www/certbot/ \
-d loadingm.xyz \
-d gitea.loadingm.xyz \
-d auth.loadingm.xyz \
@@ -8,4 +8,5 @@ docker compose run --rm certbot certonly --webroot --webroot-path /var/www/certb
-d servarr.loadingm.xyz \
-d karakeep.loadingm.xyz \
-d ollama.loadingm.xyz \
-d memos.loadingm.xyz \
-d gpodder.loadingm.xyz

81
docker-compose.yaml
View File

@@ -3,13 +3,13 @@ include:
- ./jellyfin-compose.yaml
secrets:
JWT_SECRET:
file: './authelia/secrets/JWT_SECRET'
file: '/data/authelia/secrets/JWT_SECRET'
SESSION_SECRET:
file: './authelia/secrets/SESSION_SECRET'
file: '/data/authelia/secrets/SESSION_SECRET'
STORAGE_PASSWORD:
file: './authelia/secrets/STORAGE_PASSWORD'
file: '/data/authelia/secrets/STORAGE_PASSWORD'
STORAGE_ENCRYPTION_KEY:
file: './authelia/secrets/STORAGE_ENCRYPTION_KEY'
file: '/data/authelia/secrets/STORAGE_ENCRYPTION_KEY'
volumes:
meilisearch:
karakeep:
@@ -30,6 +30,12 @@ networks:
external: false
gitea:
external: false
gpodder:
external: false
memos:
external: false
mail:
external: false
services:
web:
image: "nginx"
@@ -50,6 +56,8 @@ services:
- jellyfin-int
- auth
- gitea
- gpodder
- memos
depends_on:
- jellyfin
- ollama-webui
@@ -57,6 +65,8 @@ services:
- authelia
- qbittorrent
- gitea
- gpodder
- memos
logging: &logging
options:
max-size: "50m"
@@ -71,18 +81,23 @@ services:
- /data/certbot/www/:/var/www/certbot/:rw
- /data/certbot/conf/:/etc/letsencrypt/:rw
authelia:
container_name: 'authelia'
image: 'docker.io/authelia/authelia:latest'
command:
- 'authelia'
- '--config=/config/configuration.yml'
- '--config=/data/configuration.yml'
restart: 'unless-stopped'
secrets: ['JWT_SECRET', 'SESSION_SECRET', 'STORAGE_PASSWORD', 'STORAGE_ENCRYPTION_KEY']
networks:
- auth
- mail
environment:
AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE: '/run/secrets/JWT_SECRET'
AUTHELIA_SESSION_SECRET_FILE: '/run/secrets/SESSION_SECRET'
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/run/secrets/STORAGE_ENCRYPTION_KEY'
volumes:
- './authelia/:/config'
- './authelia/:/config:ro'
- '/data/authelia/:/data'
logging: *logging
minecraft:
image: itzg/minecraft-server:latest
@@ -116,18 +131,24 @@ services:
gitea:
image: docker.gitea.com/gitea:1.24
environment:
- USER_UID=1000
- USER_GID=1000
- USER_UID=106
- USER_GID=110
- ENABLE_NOTIFY_MAIL=true
# -
restart: unless-stopped
networks:
- gitea
- mail
volumes:
- /data/gitea/data:/data
- /home/git/.ssh/:/data/git/.ssh
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
ports:
- "222:22"
logging: *logging
depends_on:
- authelia
gitea-runner:
image: docker.gitea.com/act_runner:latest
restart: unless-stopped
@@ -144,6 +165,50 @@ services:
logging: *logging
depends_on:
- gitea
gpodder:
image: gitea.loadingm.xyz/the10thwiz/gpodder-rs:latest
restart: unless-stopped
environment:
- ROCKET_SECRET_KEY=${GPODDER_SECRET_KEY}
networks:
- gpodder
volumes:
- /data/gpodder:/data
logging: *logging
tftp:
image: kaczmar2/tftp-server
restart: unless-stopped
environment:
- ENABLE_WEB_SERVER=false
network_mode: host
volumes:
- /data/tftp:/srv/tftp:ro
- /etc/localtime:/etc/localtime:ro
logging: *logging
memos:
image: neosmemo/memos:stable
networks:
- memos
volumes:
- /data/memos:/var/opt/memos
environment:
- MEMOS_MODE=prod
- MEMOS_PORT=5230
restart: unless-stopped
logging: *logging
mail:
image: boky/postfix
restart: unless-stopped
logging: *logging
environment:
- ALLOWED_SENDER_DOMAINS=loadingm.xyz
- POSTFIX_myhostname=mail
volumes:
- /data/mail:/etc/opendkim/keys
networks:
- mail
ports:
- 127.0.0.1:25:25
# calibre:
# image: "linuxserver/calibre-web"
# 5d-diplomacy-frontend:

1
gitea-runner.yaml
View File

@@ -45,6 +45,7 @@ runner:
- "ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04"
- "ubuntu-20.04:docker://docker.gitea.com/runner-images:ubuntu-20.04"
- "rustup-all:docker://gitea.loadingm.xyz/the10thwiz/rustup:latest"
- "rustup-all-musl:docker://gitea.loadingm.xyz/the10thwiz/rustup:musl-latest"
- "rustup-stable:docker://gitea.loadingm.xyz/the10thwiz/rustup:stable"
- "rustup-beta:docker://gitea.loadingm.xyz/the10thwiz/rustup:beta"
- "rustup-nightly:docker://gitea.loadingm.xyz/the10thwiz/rustup:nightly"

71
jellyfin-compose.yaml
View File

@@ -1,7 +1,37 @@
services:
gluetun:
image: qmcgaw/gluetun
cap_add:
- NET_ADMIN
ports:
- 8080:8080
- 51820:51820
- 51820:51820/udp
- 46931:46931
- 46931:46931/udp
networks:
- jellyfin-int
environment:
- VPN_SERVICE_PROVIDER=custom
- VPN_TYPE=wireguard
- VPN_ENDPOINT_IP=${ENDPOINT_IP}
- VPN_ENDPOINT_PORT=${ENDPOINT_PORT}
- WIREGUARD_ADDRESSES=${WIREGUARD_ADDR}
- VPN_DNS_ADDRESS=${DNS_ADDRESS}
- WIREGUARD_PUBLIC_KEY=${PUBLIC_KEY}
- WIREGUARD_PRIVATE_KEY=${PRIVATE_KEY}
- VPN_PORT_FORWARDING=on
- VPN_PORT_FORWARDING_PROVIDER=protonvpn
- VPN_PORT_FORWARDING_STATUS_FILE=/tmp/gluetun/forwarded_port
- TZ=${TZ}
- UPDATER_PERIOD=24h
restart: always
volumes:
- /data/jellyfin:/data/jellyfin
- /data/jellyfin/gluetun:/tmp/gluetun
qbittorrent:
image: lscr.io/linuxserver/qbittorrent:latest
container_name: qbittorrent
network_mode: service:gluetun
environment:
- WEBUI_PORT=8080
- PUID=0
@@ -12,16 +42,17 @@ services:
- /data/jellyfin:/data/jellyfin
- /data/jellyfin/configs/qbittorrent:/config
# - /data/jellyfin/qbittorrent/downloads:/data/jellyfin/qbittorrent/downloads
ports:
- 8080:8080
- 6881:6881
- 6881:6881/udp
networks:
- jellyfin-int
# ports:
# - 8080:8080
# - 6881:6881
# - 6881:6881/udp
# networks:
# - jellyfin-int
depends_on:
- gluetun
restart: unless-stopped
flaresolverr:
image: ghcr.io/flaresolverr/flaresolverr:latest
container_name: flaresolverr
environment:
- LOG_LEVEL=${LOG_LEVEL:-info}
- LOG_HTML=${LOG_HTML:-false}
@@ -36,7 +67,6 @@ services:
restart: unless-stopped
prowlarr:
image: lscr.io/linuxserver/prowlarr:latest
container_name: prowlarr
environment:
- PUID=0
- PGID=0
@@ -50,7 +80,6 @@ services:
restart: unless-stopped
jackett:
image: lscr.io/linuxserver/jackett:latest
container_name: jackett
environment:
- PUID=0
- PGID=0
@@ -64,7 +93,6 @@ services:
restart: unless-stopped
sonarr:
image: lscr.io/linuxserver/sonarr:latest
container_name: sonarr
environment:
- PUID=0
- PGID=0
@@ -81,7 +109,6 @@ services:
restart: unless-stopped
radarr:
image: lscr.io/linuxserver/radarr:latest
container_name: radarr
environment:
- PUID=0
- PGID=0
@@ -98,7 +125,6 @@ services:
restart: unless-stopped
jellyfin:
image: lscr.io/linuxserver/jellyfin:latest
container_name: jellyfin
environment:
- PUID=0
- PGID=0
@@ -121,17 +147,20 @@ services:
- /data/jellyfin/radarr/movies:/data/movies
- /data/jellyfin/qbittorrent/downloads:/data/media_downloads
restart: unless-stopped
runtime: nvidia
deploy:
resources:
reservations:
group_add:
- '993'
devices:
- driver: nvidia
count: all
capabilities: [gpu]
- /dev/dri/renderD128:/dev/dri/renderD128
# runtime: nvidia
# deploy:
# resources:
# reservations:
# devices:
# - driver: intel
# count: all
# capabilities: [gpu]
jellyseerr:
image: fallenbagel/jellyseerr:latest
container_name: jellyseerr
environment:
- LOG_LEVEL=debug
- TZ=${TZ}

2
karakeep-compose.yaml
View File

@@ -56,7 +56,6 @@ services:
volumes:
- .:/code
- /data/library/ollama/ollama:/root/.ollama
container_name: ollama
pull_policy: always
tty: true
restart: always
@@ -69,7 +68,6 @@ services:
ollama-webui:
image: ghcr.io/open-webui/open-webui:main
container_name: ollama-webui
volumes:
- /data/library/ollama/ollama-webui:/app/backend/data
depends_on:

38
nginx/sites-enabled/gpodder
View File

@@ -48,23 +48,33 @@ server {
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
root /data/site;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
location /hosted {
index index.html;
autoindex on;
# Permissions policy. May cause issues with some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# Proxy main karakeep traffic
proxy_pass http://gpodder:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
}

13
nginx/sites-enabled/karakeep
View File

@@ -40,7 +40,17 @@ server {
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
set $CSP "default-src https: data: blob:";
set $CSP "$CSP; img-src 'self' https://* data:";
set $CSP "$CSP; style-src 'self' 'unsafe-inline' data:";
set $CSP "$CSP; style-src-elem 'self' 'unsafe-inline' data:";
set $CSP "$CSP; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtubse.com blob: data:";
set $CSP "$CSP; worker-src 'self' blob: data:";
set $CSP "$CSP; connect-src 'self' data:";
set $CSP "$CSP; object-src 'none' data:";
set $CSP "$CSP; frame-ancestors 'self' data:";
set $CSP "$CSP; font-src 'self' data:";
add_header Content-Security-Policy $CSP;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
@@ -55,6 +65,7 @@ server {
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_hide_header Content-Security-Policy;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;

62
nginx/sites-enabled/memos Normal file
View File

@@ -0,0 +1,62 @@
server {
listen 80;
listen [::]:80;
server_name memos.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server {
# Nginx versions 1.25+
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name memos.loadingm.xyz;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 200G;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
# Permissions policy. May cause issues with some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
# Proxy main karakeep traffic
proxy_pass http://memos:5230;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
}

3
nginx/sites-enabled/servarr
View File

@@ -13,7 +13,8 @@ server {
location /qbt/ {
# include /etc/nginx/snippets/proxy.conf;
include /etc/nginx/snippets/authelia-authrequest.conf;
proxy_pass http://qbittorrent:8080/;
# proxy_pass http://qbittorrent:8080/;
proxy_pass http://gluetun:8080/;
proxy_http_version 1.1;
proxy_set_header Host $proxy_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;