Compare commits
14 Commits
756049f74e
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
| e3d3ade4f7 | |||
| b41ad62aa1 | |||
| 0566bf8a2d | |||
| 46344bf719 | |||
e417287103
|
|||
|
194173c32e
|
|||
|
57d6021be3
|
|||
| d6f05752a6 | |||
|
dd34d0ab22
|
|||
| 698f16c819 | |||
|
80f278a74c
|
|||
|
816cca7f4f
|
|||
| 60a0239682 | |||
|
70c14f241e
|
@@ -6,7 +6,7 @@ authentication_backend:
|
||||
password_change:
|
||||
disable: false
|
||||
file:
|
||||
path: '/config/users.yml'
|
||||
path: '/data/users.yml'
|
||||
watch: false
|
||||
search:
|
||||
email: false
|
||||
@@ -37,18 +37,72 @@ session:
|
||||
remember_me: '1d'
|
||||
notifier:
|
||||
disable_startup_check: false
|
||||
filesystem:
|
||||
filename: '/config/notification.txt'
|
||||
# filesystem:
|
||||
# filename: '/data/notification.txt'
|
||||
smtp:
|
||||
address: 'smtp://mail:25'
|
||||
sender: 'Authelia <auth@loadingm.xyz>'
|
||||
disable_require_tls: true # Determine if this is needed
|
||||
disable_starttls: true
|
||||
storage:
|
||||
local:
|
||||
path: '/config/db.sqlite3'
|
||||
path: '/data/db.sqlite3'
|
||||
access_control:
|
||||
default_policy: deny
|
||||
rules:
|
||||
- domain: '*.loadingm.xyz'
|
||||
- domain: 'servarr.loadingm.xyz'
|
||||
subject:
|
||||
- 'group:admins'
|
||||
policy: one_factor
|
||||
# - domain: '*.loadingm.xyz'
|
||||
# policy: one_factor
|
||||
server:
|
||||
endpoints:
|
||||
authz:
|
||||
auth-request:
|
||||
implementation: 'AuthRequest'
|
||||
identity_providers:
|
||||
oidc:
|
||||
# enable_client_debug_messages: false
|
||||
# minimum_parameter_entropy: 8
|
||||
# enforce_pkce: 'public_clients_only'
|
||||
# enable_pkce_plain_challenge: false
|
||||
# enable_jwt_access_token_stateless_introspection: false
|
||||
# discovery_signed_response_alg: 'none'
|
||||
# discovery_signed_response_key_id: ''
|
||||
# require_pushed_authorization_requests: false
|
||||
# authorization_policies:
|
||||
# policy_name:
|
||||
# default_policy: 'two_factor'
|
||||
# rules:
|
||||
# - policy: 'deny'
|
||||
# subject: 'group:services'
|
||||
# networks:
|
||||
# - '192.168.1.0/24'
|
||||
# - '192.168.2.51'
|
||||
lifespans:
|
||||
access_token: '1h'
|
||||
authorize_code: '1m'
|
||||
id_token: '1h'
|
||||
refresh_token: '90m'
|
||||
# claims_policies:
|
||||
# policy_name:
|
||||
# id_token: []
|
||||
# access_token: []
|
||||
# id_token_audience_mode: 'specification'
|
||||
# custom_claims:
|
||||
# claim_name:
|
||||
# name: 'claim_name'
|
||||
# attribute: 'attribute_name'
|
||||
# scopes:
|
||||
# scope_name:
|
||||
# claims: []
|
||||
# cors:
|
||||
# endpoints:
|
||||
# - 'authorization'
|
||||
# - 'token'
|
||||
# - 'revocation'
|
||||
# - 'introspection'
|
||||
# allowed_origins:
|
||||
# - 'https://example.com'
|
||||
# allowed_origins_from_client_redirect_uris: false
|
||||
|
||||
31
authelia/secret-template.yml
Normal file
31
authelia/secret-template.yml
Normal file
@@ -0,0 +1,31 @@
|
||||
# rand() {
|
||||
# docker run --rm authelia/authelia:latest authelia crypto rand --length $1 --charset rfc3986
|
||||
# }
|
||||
# hash() {
|
||||
# docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length $1 --random.charset rfc3986
|
||||
# }
|
||||
identity_providers:
|
||||
oidc:
|
||||
## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
|
||||
## See: https://www.authelia.com/c/oidc
|
||||
clients:
|
||||
- client_name: 'Gitea'
|
||||
client_id: '$(rand 72)'
|
||||
client_secret: '$(hash 72)'
|
||||
public: false
|
||||
authorization_policy: 'two_factor'
|
||||
require_pkce: false
|
||||
pkce_challenge_method: ''
|
||||
redirect_uris:
|
||||
- 'https://gitea.loadingm.xyz/user/oauth2/authelia/callback'
|
||||
scopes:
|
||||
- 'openid'
|
||||
- 'email'
|
||||
- 'profile'
|
||||
response_types:
|
||||
- 'code'
|
||||
grant_types:
|
||||
- 'authorization_code'
|
||||
access_token_signed_response_alg: 'none'
|
||||
userinfo_signed_response_alg: 'none'
|
||||
token_endpoint_auth_method: 'client_secret_basic'
|
||||
@@ -1,5 +1,5 @@
|
||||
|
||||
docker compose run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ \
|
||||
docker compose run --rm certbot certonly -v --webroot --webroot-path /var/www/certbot/ \
|
||||
-d loadingm.xyz \
|
||||
-d gitea.loadingm.xyz \
|
||||
-d auth.loadingm.xyz \
|
||||
@@ -8,4 +8,5 @@ docker compose run --rm certbot certonly --webroot --webroot-path /var/www/certb
|
||||
-d servarr.loadingm.xyz \
|
||||
-d karakeep.loadingm.xyz \
|
||||
-d ollama.loadingm.xyz \
|
||||
-d memos.loadingm.xyz \
|
||||
-d gpodder.loadingm.xyz
|
||||
|
||||
@@ -3,13 +3,13 @@ include:
|
||||
- ./jellyfin-compose.yaml
|
||||
secrets:
|
||||
JWT_SECRET:
|
||||
file: './authelia/secrets/JWT_SECRET'
|
||||
file: '/data/authelia/secrets/JWT_SECRET'
|
||||
SESSION_SECRET:
|
||||
file: './authelia/secrets/SESSION_SECRET'
|
||||
file: '/data/authelia/secrets/SESSION_SECRET'
|
||||
STORAGE_PASSWORD:
|
||||
file: './authelia/secrets/STORAGE_PASSWORD'
|
||||
file: '/data/authelia/secrets/STORAGE_PASSWORD'
|
||||
STORAGE_ENCRYPTION_KEY:
|
||||
file: './authelia/secrets/STORAGE_ENCRYPTION_KEY'
|
||||
file: '/data/authelia/secrets/STORAGE_ENCRYPTION_KEY'
|
||||
volumes:
|
||||
meilisearch:
|
||||
karakeep:
|
||||
@@ -32,6 +32,10 @@ networks:
|
||||
external: false
|
||||
gpodder:
|
||||
external: false
|
||||
memos:
|
||||
external: false
|
||||
mail:
|
||||
external: false
|
||||
services:
|
||||
web:
|
||||
image: "nginx"
|
||||
@@ -53,6 +57,7 @@ services:
|
||||
- auth
|
||||
- gitea
|
||||
- gpodder
|
||||
- memos
|
||||
depends_on:
|
||||
- jellyfin
|
||||
- ollama-webui
|
||||
@@ -61,6 +66,7 @@ services:
|
||||
- qbittorrent
|
||||
- gitea
|
||||
- gpodder
|
||||
- memos
|
||||
logging: &logging
|
||||
options:
|
||||
max-size: "50m"
|
||||
@@ -75,18 +81,23 @@ services:
|
||||
- /data/certbot/www/:/var/www/certbot/:rw
|
||||
- /data/certbot/conf/:/etc/letsencrypt/:rw
|
||||
authelia:
|
||||
container_name: 'authelia'
|
||||
image: 'docker.io/authelia/authelia:latest'
|
||||
command:
|
||||
- 'authelia'
|
||||
- '--config=/config/configuration.yml'
|
||||
- '--config=/data/configuration.yml'
|
||||
restart: 'unless-stopped'
|
||||
secrets: ['JWT_SECRET', 'SESSION_SECRET', 'STORAGE_PASSWORD', 'STORAGE_ENCRYPTION_KEY']
|
||||
networks:
|
||||
- auth
|
||||
- mail
|
||||
environment:
|
||||
AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE: '/run/secrets/JWT_SECRET'
|
||||
AUTHELIA_SESSION_SECRET_FILE: '/run/secrets/SESSION_SECRET'
|
||||
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/run/secrets/STORAGE_ENCRYPTION_KEY'
|
||||
volumes:
|
||||
- './authelia/:/config'
|
||||
- './authelia/:/config:ro'
|
||||
- '/data/authelia/:/data'
|
||||
logging: *logging
|
||||
minecraft:
|
||||
image: itzg/minecraft-server:latest
|
||||
@@ -120,18 +131,24 @@ services:
|
||||
gitea:
|
||||
image: docker.gitea.com/gitea:1.24
|
||||
environment:
|
||||
- USER_UID=1000
|
||||
- USER_GID=1000
|
||||
- USER_UID=106
|
||||
- USER_GID=110
|
||||
- ENABLE_NOTIFY_MAIL=true
|
||||
# -
|
||||
restart: unless-stopped
|
||||
networks:
|
||||
- gitea
|
||||
- mail
|
||||
volumes:
|
||||
- /data/gitea/data:/data
|
||||
- /home/git/.ssh/:/data/git/.ssh
|
||||
- /etc/timezone:/etc/timezone:ro
|
||||
- /etc/localtime:/etc/localtime:ro
|
||||
ports:
|
||||
- "222:22"
|
||||
logging: *logging
|
||||
depends_on:
|
||||
- authelia
|
||||
gitea-runner:
|
||||
image: docker.gitea.com/act_runner:latest
|
||||
restart: unless-stopped
|
||||
@@ -150,6 +167,7 @@ services:
|
||||
- gitea
|
||||
gpodder:
|
||||
image: gitea.loadingm.xyz/the10thwiz/gpodder-rs:latest
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
- ROCKET_SECRET_KEY=${GPODDER_SECRET_KEY}
|
||||
networks:
|
||||
@@ -157,6 +175,40 @@ services:
|
||||
volumes:
|
||||
- /data/gpodder:/data
|
||||
logging: *logging
|
||||
tftp:
|
||||
image: kaczmar2/tftp-server
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
- ENABLE_WEB_SERVER=false
|
||||
network_mode: host
|
||||
volumes:
|
||||
- /data/tftp:/srv/tftp:ro
|
||||
- /etc/localtime:/etc/localtime:ro
|
||||
logging: *logging
|
||||
memos:
|
||||
image: neosmemo/memos:stable
|
||||
networks:
|
||||
- memos
|
||||
volumes:
|
||||
- /data/memos:/var/opt/memos
|
||||
environment:
|
||||
- MEMOS_MODE=prod
|
||||
- MEMOS_PORT=5230
|
||||
restart: unless-stopped
|
||||
logging: *logging
|
||||
mail:
|
||||
image: boky/postfix
|
||||
restart: unless-stopped
|
||||
logging: *logging
|
||||
environment:
|
||||
- ALLOWED_SENDER_DOMAINS=loadingm.xyz
|
||||
- POSTFIX_myhostname=mail
|
||||
volumes:
|
||||
- /data/mail:/etc/opendkim/keys
|
||||
networks:
|
||||
- mail
|
||||
ports:
|
||||
- 127.0.0.1:25:25
|
||||
# calibre:
|
||||
# image: "linuxserver/calibre-web"
|
||||
# 5d-diplomacy-frontend:
|
||||
|
||||
@@ -45,6 +45,7 @@ runner:
|
||||
- "ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04"
|
||||
- "ubuntu-20.04:docker://docker.gitea.com/runner-images:ubuntu-20.04"
|
||||
- "rustup-all:docker://gitea.loadingm.xyz/the10thwiz/rustup:latest"
|
||||
- "rustup-all-musl:docker://gitea.loadingm.xyz/the10thwiz/rustup:musl-latest"
|
||||
- "rustup-stable:docker://gitea.loadingm.xyz/the10thwiz/rustup:stable"
|
||||
- "rustup-beta:docker://gitea.loadingm.xyz/the10thwiz/rustup:beta"
|
||||
- "rustup-nightly:docker://gitea.loadingm.xyz/the10thwiz/rustup:nightly"
|
||||
|
||||
@@ -1,6 +1,5 @@
|
||||
services:
|
||||
gluetun:
|
||||
container_name: GlueTun-VPN
|
||||
image: qmcgaw/gluetun
|
||||
cap_add:
|
||||
- NET_ADMIN
|
||||
@@ -10,6 +9,8 @@ services:
|
||||
- 51820:51820/udp
|
||||
- 46931:46931
|
||||
- 46931:46931/udp
|
||||
networks:
|
||||
- jellyfin-int
|
||||
environment:
|
||||
- VPN_SERVICE_PROVIDER=custom
|
||||
- VPN_TYPE=wireguard
|
||||
@@ -30,7 +31,6 @@ services:
|
||||
- /data/jellyfin/gluetun:/tmp/gluetun
|
||||
qbittorrent:
|
||||
image: lscr.io/linuxserver/qbittorrent:latest
|
||||
container_name: qbittorrent
|
||||
network_mode: service:gluetun
|
||||
environment:
|
||||
- WEBUI_PORT=8080
|
||||
@@ -53,7 +53,6 @@ services:
|
||||
restart: unless-stopped
|
||||
flaresolverr:
|
||||
image: ghcr.io/flaresolverr/flaresolverr:latest
|
||||
container_name: flaresolverr
|
||||
environment:
|
||||
- LOG_LEVEL=${LOG_LEVEL:-info}
|
||||
- LOG_HTML=${LOG_HTML:-false}
|
||||
@@ -68,7 +67,6 @@ services:
|
||||
restart: unless-stopped
|
||||
prowlarr:
|
||||
image: lscr.io/linuxserver/prowlarr:latest
|
||||
container_name: prowlarr
|
||||
environment:
|
||||
- PUID=0
|
||||
- PGID=0
|
||||
@@ -82,7 +80,6 @@ services:
|
||||
restart: unless-stopped
|
||||
jackett:
|
||||
image: lscr.io/linuxserver/jackett:latest
|
||||
container_name: jackett
|
||||
environment:
|
||||
- PUID=0
|
||||
- PGID=0
|
||||
@@ -96,7 +93,6 @@ services:
|
||||
restart: unless-stopped
|
||||
sonarr:
|
||||
image: lscr.io/linuxserver/sonarr:latest
|
||||
container_name: sonarr
|
||||
environment:
|
||||
- PUID=0
|
||||
- PGID=0
|
||||
@@ -113,7 +109,6 @@ services:
|
||||
restart: unless-stopped
|
||||
radarr:
|
||||
image: lscr.io/linuxserver/radarr:latest
|
||||
container_name: radarr
|
||||
environment:
|
||||
- PUID=0
|
||||
- PGID=0
|
||||
@@ -130,7 +125,6 @@ services:
|
||||
restart: unless-stopped
|
||||
jellyfin:
|
||||
image: lscr.io/linuxserver/jellyfin:latest
|
||||
container_name: jellyfin
|
||||
environment:
|
||||
- PUID=0
|
||||
- PGID=0
|
||||
@@ -153,17 +147,20 @@ services:
|
||||
- /data/jellyfin/radarr/movies:/data/movies
|
||||
- /data/jellyfin/qbittorrent/downloads:/data/media_downloads
|
||||
restart: unless-stopped
|
||||
runtime: nvidia
|
||||
deploy:
|
||||
resources:
|
||||
reservations:
|
||||
group_add:
|
||||
- '993'
|
||||
devices:
|
||||
- driver: nvidia
|
||||
count: all
|
||||
capabilities: [gpu]
|
||||
- /dev/dri/renderD128:/dev/dri/renderD128
|
||||
# runtime: nvidia
|
||||
# deploy:
|
||||
# resources:
|
||||
# reservations:
|
||||
# devices:
|
||||
# - driver: intel
|
||||
# count: all
|
||||
# capabilities: [gpu]
|
||||
jellyseerr:
|
||||
image: fallenbagel/jellyseerr:latest
|
||||
container_name: jellyseerr
|
||||
environment:
|
||||
- LOG_LEVEL=debug
|
||||
- TZ=${TZ}
|
||||
|
||||
@@ -56,7 +56,6 @@ services:
|
||||
volumes:
|
||||
- .:/code
|
||||
- /data/library/ollama/ollama:/root/.ollama
|
||||
container_name: ollama
|
||||
pull_policy: always
|
||||
tty: true
|
||||
restart: always
|
||||
@@ -69,7 +68,6 @@ services:
|
||||
|
||||
ollama-webui:
|
||||
image: ghcr.io/open-webui/open-webui:main
|
||||
container_name: ollama-webui
|
||||
volumes:
|
||||
- /data/library/ollama/ollama-webui:/app/backend/data
|
||||
depends_on:
|
||||
|
||||
@@ -40,7 +40,17 @@ server {
|
||||
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
|
||||
# Enforces https content and restricts JS/CSS to origin
|
||||
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
|
||||
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
|
||||
set $CSP "default-src https: data: blob:";
|
||||
set $CSP "$CSP; img-src 'self' https://* data:";
|
||||
set $CSP "$CSP; style-src 'self' 'unsafe-inline' data:";
|
||||
set $CSP "$CSP; style-src-elem 'self' 'unsafe-inline' data:";
|
||||
set $CSP "$CSP; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtubse.com blob: data:";
|
||||
set $CSP "$CSP; worker-src 'self' blob: data:";
|
||||
set $CSP "$CSP; connect-src 'self' data:";
|
||||
set $CSP "$CSP; object-src 'none' data:";
|
||||
set $CSP "$CSP; frame-ancestors 'self' data:";
|
||||
set $CSP "$CSP; font-src 'self' data:";
|
||||
add_header Content-Security-Policy $CSP;
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
@@ -55,6 +65,7 @@ server {
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Protocol $scheme;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
proxy_hide_header Content-Security-Policy;
|
||||
|
||||
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
|
||||
proxy_buffering off;
|
||||
|
||||
62
nginx/sites-enabled/memos
Normal file
62
nginx/sites-enabled/memos
Normal file
@@ -0,0 +1,62 @@
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name memos.loadingm.xyz;
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
}
|
||||
|
||||
# Uncomment to redirect HTTP to HTTPS
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
# Nginx versions 1.25+
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
|
||||
server_name memos.loadingm.xyz;
|
||||
|
||||
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
|
||||
client_max_body_size 200G;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
|
||||
# include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
|
||||
|
||||
# Security / XSS Mitigation Headers
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
|
||||
# Permissions policy. May cause issues with some clients
|
||||
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
|
||||
|
||||
# Content Security Policy
|
||||
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
|
||||
# Enforces https content and restricts JS/CSS to origin
|
||||
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
|
||||
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
}
|
||||
|
||||
location / {
|
||||
# Proxy main karakeep traffic
|
||||
proxy_pass http://memos:5230;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Protocol $scheme;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
|
||||
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
|
||||
proxy_buffering off;
|
||||
}
|
||||
}
|
||||
@@ -13,7 +13,8 @@ server {
|
||||
location /qbt/ {
|
||||
# include /etc/nginx/snippets/proxy.conf;
|
||||
include /etc/nginx/snippets/authelia-authrequest.conf;
|
||||
proxy_pass http://qbittorrent:8080/;
|
||||
# proxy_pass http://qbittorrent:8080/;
|
||||
proxy_pass http://gluetun:8080/;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $proxy_host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
Reference in New Issue
Block a user