Setup host mounts properly

authelia/configuration.yml

@@ -52,7 +52,7 @@ access_control:
   rules:
     - domain: 'servarr.loadingm.xyz'
       subject:
-        - 'group:admins'
+        - 'group:admin'
       policy: one_factor
     # - domain: '*.loadingm.xyz'
     #   policy: one_factor

docker-compose.yaml

@@ -2,6 +2,7 @@ include:
   - ./karakeep-compose.yaml
   - ./jellyfin-compose.yaml
   - ./immich-compose.yaml
+  - ./matrix-compose.yaml
 secrets:
   JWT_SECRET:
     file: '/data/authelia/secrets/JWT_SECRET'
@@ -54,9 +55,12 @@ networks:
   bitwarden:
     external: false
     enable_ipv6: true
-  # host:
-  #   external: true
-  #   enable_ipv6: true
+  immich:
+    external: false
+    enable_ipv6: true
+  matrix:
+    external: false
+    enable_ipv6: true
 services:
   web:
     build:
@@ -79,6 +83,8 @@ services:
       - gpodder
       - memos
       - bitwarden
+      - matrix
+      - immich
     depends_on:
       - jellyfin
       - ollama-webui
@@ -88,6 +94,7 @@ services:
       - gitea
       - gpodder
       - memos
+      - matrix-server
     logging: &logging
       options:
         max-size: "50m"
@@ -122,28 +129,37 @@ services:
     restart: unless-stopped
     ports:
       - "25565:25565"
+      - "24454:24454/udp"
     environment:
       EULA: "TRUE"
       TYPE: "FABRIC"
-      MEMORY: "2048M"
+      MEMORY: "4G"
       MOTD: "Loading server..."
-      LEVEL: "world"
-      USE_MEOWICE_FLAGS: "true"
-      DIFFICULTY: "3"
+      # VERSION: "1.21.11"
+      VERSION: "26.1.1"
+      # LEVEL: "world"
+      LEVEL: "house"
+      SEED: "881949285698121329"
+      # USE_MEOWICE_FLAGS: "true"
+      DIFFICULTY: "normal"
+      MODE: "survival"
       OPS: |-
         187eca31-2e33-4199-97e0-2286bf35f7f8
       ENABLE_WHITELIST: "true"
       WHITELIST: |-
-        187eca31-2e33-4199-97e0-2286bf35f7f8
+        187eca31-2e33-4199-97e0-2286bf35f7f8,
+        5d341a01-506c-4473-a530-1ae9188c03c7,
+        34586a37-772e-4da4-86a1-6704f286d4c6,
+        1ff2724b-168f-4b17-8cf2-850894b34ead
       PAUSE_WHEN_EMPTY_SECONDS: "20"
       ENABLE_ROLLING_LOGS: "true"
       REMOVE_OLD_MODS: "TRUE"
     logging: *logging
     volumes:
       - "/data/minecraft/data:/data"
-      - "/data/mincraft/mods:/mods"
-      - "/data/mincraft/plugins:/plugins"
-      - "/data/mincraft/config:/config"
+      - "/data/minecraft/mods:/mods"
+      - "/data/minecraft/plugins:/plugins"
+      - "/data/minecraft/config:/config"
   gitea:
     image: docker.gitea.com/gitea:1.24
     environment:
@@ -218,13 +234,46 @@ services:
     logging: *logging
     environment:
       - ALLOWED_SENDER_DOMAINS=loadingm.xyz
-      - POSTFIX_myhostname=mail
+      # - POSTFIX_myhostname=mail
+      - POSTFIX_myhostname=loadingm.xyz
+      - POSTFIX_mydestination=loadingm.xyz,loading-hpdl380g10.loadingm.xyz
+      - MASQUERADED_DOMAINS=loadingm.xyz,loading-hpdl380g10.loadingm.xyz
+      - SMTPD_SASL_USERS="a:123,b:123"
     volumes:
       - /data/mail:/etc/opendkim/keys
     networks:
       - mail
     ports:
       - 127.0.0.1:25:25
+  # mail:
+  #   image: ghcr.io/docker-mailserver/docker-mailserver:latest
+  #   container_name: mailserver
+  #   # Provide the FQDN of your mail server here (Your DNS MX record should point to this value)
+  #   hostname: mail.loadingm.xyz
+  #   env_file: mailserver.env
+  #   # More information about the mail-server ports:
+  #   # https://docker-mailserver.github.io/docker-mailserver/latest/config/security/understanding-the-ports/
+  #   ports:
+  #     - "25:25"    # SMTP  (explicit TLS => STARTTLS, Authentication is DISABLED => use port 465/587 instead)
+  #     - "143:143"  # IMAP4 (explicit TLS => STARTTLS)
+  #     - "465:465"  # ESMTP (implicit TLS)
+  #     - "587:587"  # ESMTP (explicit TLS => STARTTLS)
+  #     - "993:993"  # IMAP4 (implicit TLS)
+  #   volumes:
+  #     - /data/dms/mail-data/:/var/mail/
+  #     - /data/dms/mail-state/:/var/mail-state/
+  #     - /data/dms/mail-logs/:/var/log/mail/
+  #     - /data/dms/config/:/tmp/docker-mailserver/
+  #     - /etc/localtime:/etc/localtime:ro
+  #   restart: always
+  #   stop_grace_period: 1m
+  #   # Uncomment if using `ENABLE_FAIL2BAN=1`:
+  #   # cap_add:
+  #   #   - NET_ADMIN
+  #   healthcheck:
+  #     test: "ss --listening --ipv4 --tcp | grep --silent ':smtp' || exit 1"
+  #     timeout: 3s
+  #     retries: 0
   bitwarden:
     # env_file:
     #   - bitwarden.env

gitea-runner.yaml

@@ -45,6 +45,7 @@ runner:
     - "ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04"
     - "ubuntu-20.04:docker://docker.gitea.com/runner-images:ubuntu-20.04"
     - "rustup-all:docker://gitea.loadingm.xyz/the10thwiz/rustup:latest"
+    - "rustup-wasm:docker://gitea.loadingm.xyz/the10thwiz/rustup:wasm-stable"
     - "rustup-all-musl:docker://gitea.loadingm.xyz/the10thwiz/rustup:musl-latest"
     - "rustup-stable:docker://gitea.loadingm.xyz/the10thwiz/rustup:stable"
     - "rustup-beta:docker://gitea.loadingm.xyz/the10thwiz/rustup:beta"
@@ -76,7 +77,7 @@ container:
   # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
   privileged: false
   # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
-  options:
+  options: '-v /data/site:/data/site'
   # The parent directory of a job's working directory.
   # NOTE: There is no need to add the first '/' of the path as act_runner will add it automatically. 
   # If the path starts with '/', the '/' will be trimmed.
@@ -92,12 +93,12 @@ container:
   # If you want to allow any volume, please use the following configuration:
   # valid_volumes:
   #   - '**'
-  valid_volumes: []
+  valid_volumes: ['**']
   # overrides the docker client host with the specified one.
   # If it's empty, act_runner will find an available docker host automatically.
   # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
   # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
-  docker_host: ""
+  docker_host: "-"
   # Pull docker image(s) even if already present
   force_pull: false
   # Rebuild docker image(s) even if already present

immich-compose.yaml

@@ -5,20 +5,19 @@ services:
     #   file: hwaccel.transcoding.yml
     #   service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
     volumes:
-      # Do not edit the next line. If you want to change the media storage location on your system, edit the value of UPLOAD_LOCATION in the .env file
       - /data/immich/uploads:/data
       - /etc/localtime:/etc/localtime:ro
     environment:
       DB_USERNAME: postgres
       DB_PASSWORD: nVmwTyOKlcEa6VUc
       DB_DATABASE_NAME: immich
-    # env_file:
-    #   - .env
-    ports:
-      - '2283:2283'
+      DB_HOSTNAME: immich-db
+      REDIS_HOSTNAME: immich-redis
+    networks:
+      - immich
     depends_on:
-      - redis
-      - database
+      - immich-redis
+      - immich-db
     restart: always
     healthcheck:
       disable: false
@@ -36,19 +35,21 @@ services:
       DB_USERNAME: postgres
       DB_PASSWORD: nVmwTyOKlcEa6VUc
       DB_DATABASE_NAME: immich
-    # env_file:
-    #   - .env
+    networks:
+      - immich
     restart: always
     healthcheck:
       disable: false
 
-  redis:
+  immich-redis:
     image: docker.io/valkey/valkey:9@sha256:fb8d272e529ea567b9bf1302245796f21a2672b8368ca3fcb938ac334e613c8f
     healthcheck:
       test: redis-cli ping || exit 1
+    networks:
+      - immich
     restart: always
 
-  database:
+  immich-db:
     image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23
     environment:
       POSTGRES_USER: postgres
@@ -58,7 +59,8 @@ services:
       # Uncomment the DB_STORAGE_TYPE: 'HDD' var if your database isn't stored on SSDs
       # DB_STORAGE_TYPE: 'HDD'
     volumes:
-      # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
       - /data/immich/postgres:/var/lib/postgresql/data
+    networks:
+      - immich
     shm_size: 128mb
     restart: always

jellyfin-compose.yaml

@@ -24,6 +24,8 @@ services:
       - VPN_PORT_FORWARDING=on
       - VPN_PORT_FORWARDING_PROVIDER=protonvpn
       - VPN_PORT_FORWARDING_STATUS_FILE=/tmp/gluetun/forwarded_port
+      - VPN_PORT_FORWARDING_UP_COMMAND=/bin/sh -c 'wget -O- --retry-connrefused --post-data "json={\"listen_port\":{{PORT}},\"current_network_interface\":\"{{VPN_INTERFACE}}\",\"random_port\":false,\"upnp\":false}" http://127.0.0.1:8080/api/v2/app/setPreferences 2>&1'
+      - VPN_PORT_FORWARDING_DOWN_COMMAND=/bin/sh -c 'wget -O- --retry-connrefused --post-data "json={\"listen_port\":0,\"current_network_interface\":\"lo"}" http://127.0.0.1:8080/api/v2/app/setPreferences 2>&1'
       - TZ=${TZ}
       - UPDATER_PERIOD=24h
     restart: always
@@ -61,6 +63,8 @@ services:
       - TZ=${TZ}
       #- LANG=fr_FR
       #- LANG=en_US
+    # volumes:
+    #   - /tmp/flaresolver:/tmp
     ports:
       - 8191:8191
     networks:
@@ -104,8 +108,8 @@ services:
       - /data/jellyfin/configs/sonarr:/config
       - /data/jellyfin/sonarr/tv:/tv
       - /data/jellyfin/qbittorrent/downloads:/downloads
-    ports:
-      - 8989:8989
+    # ports:
+    #   - 8989:8989
     networks:
       - jellyfin-int
     restart: unless-stopped
@@ -120,8 +124,8 @@ services:
       - /data/jellyfin/configs/radarr:/config
       - /data/jellyfin/radarr/movies:/movies
       - /data/jellyfin/qbittorrent/downloads:/downloads
-    ports:
-      - 7878:7878
+    # ports:
+    #   - 7878:7878
     networks:
       - jellyfin-int
     restart: unless-stopped
@@ -131,19 +135,24 @@ services:
       - PUID=0
       - PGID=0
       - TZ=${TZ}
+      - JELLYFIN_DATA_DIR=/config/data
+      - JELLYFIN_CONFIG_DIR=/config
+      - JELLYFIN_LOG_DIR=/config/log
+      - JELLYFIN_CACHE_DIR=/config/cache
       # - NVIDIA_VISIBLE_DEVICES=all
     ports:
-      - 8096:8096
-      - 8920:8920
+      # - 8096:8096
+      # - 8920:8920
       - 7359:7359/udp
-      - 1900:1900/udp
     networks:
       - jellyfin
       - jellyfin-int
     volumes:
       - /data/library:/data/library:ro
       - /data/jellyfin:/data/jellyfin
-      - /data/jellyfin/configs/jellyfin:/config
+      - /backup:/data/jellyfin/backups
+      # - /data/jellyfin/configs/jellyfin:/config
+      - /srv/jellyfin:/config
       - /data/jellyfin/jellyfin/cache:/cache
       - /data/jellyfin/sonarr/tv:/data/tvshows
       - /data/jellyfin/radarr/movies:/data/movies
@@ -166,8 +175,8 @@ services:
     environment:
       - LOG_LEVEL=debug
       - TZ=${TZ}
-    ports:
-      - 5055:5055
+    # ports:
+    #   - 5055:5055
     volumes:
       - /data/jellyfin/configs/jellyseerr:/app/config
     restart: unless-stopped

matrix-compose.yaml

@@ -0,0 +1,27 @@
+services:
+  matrix-server:
+    image: forgejo.ellis.link/continuwuation/continuwuity
+    restart: unless-stopped
+    environment:
+      CONTINUWUITY_SERVER_NAME: "matrix.loadingm.xyz"
+      CONTINUWUITY_WELL_KNOWN__SERVER: "matrix.loadingm.xyz:443"
+      CONTINUWUITY_ALLOW_REGISTRATION: true
+      CONTINUWUITY_REGISTRATION_TOKEN: "qFz7aekKxgXdd6SpQ09llv52+S4="
+      CONTINUWUITY_ALLOW_FEDERATION: 'true'
+      CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
+      CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org", "mozilla.org"]'
+      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+      CONTINUWUITY_PORT: 6167
+      CONTINUWUITY_ADDRESS: 0.0.0.0
+    volumes:
+      - /data/matrix/db:/var/lib/continuwuity
+    networks:
+      - matrix
+    # ports:
+    #   - 8448:6167
+  # turn:
+  #   image: docker.io/coturn/coturn
+  #   restart: unless-stopped
+  #   network_mode: "host"
+  #   volumes:
+  #     - ./coturn.conf:/etc/coturn/turnserver.conf:ro

nginx/sites-enabled/immich

@@ -24,10 +24,22 @@ server {
     # Enforces https content and restricts JS/CSS to origin
     # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
         add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
+    location /api/socket.io {
+        proxy_pass http://immich-server:2283;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Protocol $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+    }
 
     location / {
         # Proxy main karakeep traffic
-        proxy_pass http://immich:2283;
+        proxy_pass http://immich-server:2283;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

nginx/sites-enabled/matrix

@@ -0,0 +1,53 @@
+server {
+    # Nginx versions 1.25+
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+
+    server_name matrix.loadingm.xyz;
+    acme_certificate      letsencrypt;
+    ssl_certificate       $acme_certificate; 
+    ssl_certificate_key   $acme_certificate_key; 
+    ssl_certificate_cache max=2;
+
+    ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
+    client_max_body_size 200G;
+
+    # Security / XSS Mitigation Headers
+    add_header X-Content-Type-Options "nosniff";
+
+    # Permissions policy. May cause issues with some clients
+    add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
+
+    # Content Security Policy
+    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+    # Enforces https content and restricts JS/CSS to origin
+    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
+        add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
+    # location /api/socket.io {
+    #     proxy_pass http://matrix-server:6167;
+    #     proxy_http_version 1.1;
+    #     proxy_set_header Upgrade $http_upgrade;
+    #     proxy_set_header Connection "upgrade";
+    #     proxy_set_header Host $host;
+    #     proxy_set_header X-Real-IP $remote_addr;
+    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    #     proxy_set_header X-Forwarded-Proto $scheme;
+    #     proxy_set_header X-Forwarded-Protocol $scheme;
+    #     proxy_set_header X-Forwarded-Host $http_host;
+    # }
+
+    location / {
+        # Proxy main karakeep traffic
+        proxy_pass http://matrix-server:6167;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Protocol $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+
+        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
+        proxy_buffering off;
+    }
+}