Update build-certs to use verbose logging

authelia/configuration.yml

@@ -6,7 +6,7 @@ authentication_backend:
   password_change:
     disable: false
   file:
-    path: '/config/users.yml'
+    path: '/data/users.yml'
     watch: false
     search:
       email: false
@@ -37,18 +37,72 @@ session:
       remember_me: '1d'
 notifier:
   disable_startup_check: false
-  filesystem:
+  # filesystem:
-    filename: '/config/notification.txt'
+  #   filename: '/data/notification.txt'
+  smtp:
+    address: 'smtp://mail:25'
+    sender: 'Authelia <auth@loadingm.xyz>'
+    disable_require_tls: true # Determine if this is needed
+    disable_starttls: true
 storage:
   local:
-    path: '/config/db.sqlite3'
+    path: '/data/db.sqlite3'
 access_control:
   default_policy: deny
   rules:
-    - domain: '*.loadingm.xyz'
+    - domain: 'servarr.loadingm.xyz'
+      subject:
+        - 'group:admins'
       policy: one_factor
+    # - domain: '*.loadingm.xyz'
+    #   policy: one_factor
 server:
   endpoints:
     authz:
       auth-request:
         implementation: 'AuthRequest'
+identity_providers:
+  oidc:
+    # enable_client_debug_messages: false
+    # minimum_parameter_entropy: 8
+    # enforce_pkce: 'public_clients_only'
+    # enable_pkce_plain_challenge: false
+    # enable_jwt_access_token_stateless_introspection: false
+    # discovery_signed_response_alg: 'none'
+    # discovery_signed_response_key_id: ''
+    # require_pushed_authorization_requests: false
+    # authorization_policies:
+    #   policy_name:
+    #     default_policy: 'two_factor'
+    #     rules:
+    #       - policy: 'deny'
+    #         subject: 'group:services'
+    #         networks:
+    #           - '192.168.1.0/24'
+    #           - '192.168.2.51'
+    lifespans:
+      access_token: '1h'
+      authorize_code: '1m'
+      id_token: '1h'
+      refresh_token: '90m'
+    # claims_policies:
+    #   policy_name:
+    #     id_token: []
+    #     access_token: []
+    #     id_token_audience_mode: 'specification'
+    #     custom_claims:
+    #       claim_name:
+    #         name: 'claim_name'
+    #         attribute: 'attribute_name'
+    # scopes:
+    #   scope_name:
+    #     claims: []
+    # cors:
+    #   endpoints:
+    #     - 'authorization'
+    #     - 'token'
+    #     - 'revocation'
+    #     - 'introspection'
+    #   allowed_origins:
+    #     - 'https://example.com'
+    #   allowed_origins_from_client_redirect_uris: false

authelia/secret-template.yml

@@ -0,0 +1,31 @@
+# rand() {
+#   docker run --rm authelia/authelia:latest authelia crypto rand --length $1 --charset rfc3986
+# }
+# hash() {
+#   docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length $1 --random.charset rfc3986
+# }
+identity_providers:
+  oidc:
+    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
+    ## See: https://www.authelia.com/c/oidc
+    clients:
+      - client_name: 'Gitea'
+        client_id: '$(rand 72)'
+        client_secret: '$(hash 72)'
+        public: false
+        authorization_policy: 'two_factor'
+        require_pkce: false
+        pkce_challenge_method: ''
+        redirect_uris:
+          - 'https://gitea.loadingm.xyz/user/oauth2/authelia/callback'
+        scopes:
+          - 'openid'
+          - 'email'
+          - 'profile'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_basic'

build-certs.sh

@@ -1,5 +1,5 @@
 
-docker compose run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ \
+docker compose run --rm certbot certonly -v --webroot --webroot-path /var/www/certbot/ \
   -d loadingm.xyz \
   -d gitea.loadingm.xyz \
   -d auth.loadingm.xyz \
@@ -8,4 +8,5 @@ docker compose run --rm certbot certonly --webroot --webroot-path /var/www/certb
   -d servarr.loadingm.xyz \
   -d karakeep.loadingm.xyz \
   -d ollama.loadingm.xyz \
+  -d memos.loadingm.xyz \
   -d gpodder.loadingm.xyz

docker-compose.yaml

@@ -3,13 +3,13 @@ include:
   - ./jellyfin-compose.yaml
 secrets:
   JWT_SECRET:
-    file: './authelia/secrets/JWT_SECRET'
+    file: '/data/authelia/secrets/JWT_SECRET'
   SESSION_SECRET:
-    file: './authelia/secrets/SESSION_SECRET'
+    file: '/data/authelia/secrets/SESSION_SECRET'
   STORAGE_PASSWORD:
-    file: './authelia/secrets/STORAGE_PASSWORD'
+    file: '/data/authelia/secrets/STORAGE_PASSWORD'
   STORAGE_ENCRYPTION_KEY:
-    file: './authelia/secrets/STORAGE_ENCRYPTION_KEY'
+    file: '/data/authelia/secrets/STORAGE_ENCRYPTION_KEY'
 volumes:
   meilisearch:
   karakeep:
@@ -32,6 +32,10 @@ networks:
     external: false
   gpodder:
     external: false
+  memos:
+    external: false
+  mail:
+    external: false
 services:
   web:
     image: "nginx"
@@ -53,6 +57,7 @@ services:
       - auth
       - gitea
       - gpodder
+      - memos
     depends_on:
       - jellyfin
       - ollama-webui
@@ -61,6 +66,7 @@ services:
       - qbittorrent
       - gitea
       - gpodder
+      - memos
     logging: &logging
       options:
         max-size: "50m"
@@ -75,18 +81,23 @@ services:
       - /data/certbot/www/:/var/www/certbot/:rw
       - /data/certbot/conf/:/etc/letsencrypt/:rw
   authelia:
-    container_name: 'authelia'
     image: 'docker.io/authelia/authelia:latest'
+    command:
+      - 'authelia'
+      - '--config=/config/configuration.yml'
+      - '--config=/data/configuration.yml'
     restart: 'unless-stopped'
     secrets: ['JWT_SECRET', 'SESSION_SECRET', 'STORAGE_PASSWORD', 'STORAGE_ENCRYPTION_KEY']
     networks:
       - auth
+      - mail
     environment:
       AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE: '/run/secrets/JWT_SECRET'
       AUTHELIA_SESSION_SECRET_FILE: '/run/secrets/SESSION_SECRET'
       AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/run/secrets/STORAGE_ENCRYPTION_KEY'
     volumes:
-      - './authelia/:/config'
+      - './authelia/:/config:ro'
+      - '/data/authelia/:/data'
     logging: *logging
   minecraft:
     image: itzg/minecraft-server:latest
@@ -120,18 +131,24 @@ services:
   gitea:
     image: docker.gitea.com/gitea:1.24
     environment:
-      - USER_UID=1000
+      - USER_UID=106
-      - USER_GID=1000
+      - USER_GID=110
+      - ENABLE_NOTIFY_MAIL=true
+      # - 
     restart: unless-stopped
     networks:
       - gitea
+      - mail
     volumes:
       - /data/gitea/data:/data
+      - /home/git/.ssh/:/data/git/.ssh
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
     ports:
       - "222:22"
     logging: *logging
+    depends_on:
+      - authelia
   gitea-runner:
     image: docker.gitea.com/act_runner:latest
     restart: unless-stopped
@@ -150,6 +167,7 @@ services:
       - gitea
   gpodder:
     image: gitea.loadingm.xyz/the10thwiz/gpodder-rs:latest
+    restart: unless-stopped
     environment:
       - ROCKET_SECRET_KEY=${GPODDER_SECRET_KEY}
     networks:
@@ -157,6 +175,40 @@ services:
     volumes:
       - /data/gpodder:/data
     logging: *logging
+  tftp:
+    image: kaczmar2/tftp-server
+    restart: unless-stopped
+    environment:
+      - ENABLE_WEB_SERVER=false
+    network_mode: host
+    volumes:
+      - /data/tftp:/srv/tftp:ro
+      - /etc/localtime:/etc/localtime:ro
+    logging: *logging
+  memos:
+    image: neosmemo/memos:stable
+    networks:
+      - memos
+    volumes:
+      - /data/memos:/var/opt/memos
+    environment:
+      - MEMOS_MODE=prod
+      - MEMOS_PORT=5230
+    restart: unless-stopped
+    logging: *logging
+  mail:
+    image: boky/postfix
+    restart: unless-stopped
+    logging: *logging
+    environment:
+      - ALLOWED_SENDER_DOMAINS=loadingm.xyz
+      - POSTFIX_myhostname=mail
+    volumes:
+      - /data/mail:/etc/opendkim/keys
+    networks:
+      - mail
+    ports:
+      - 127.0.0.1:25:25
   # calibre:
   #   image: "linuxserver/calibre-web"
   # 5d-diplomacy-frontend:

gitea-runner.yaml

@@ -45,6 +45,7 @@ runner:
     - "ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04"
     - "ubuntu-20.04:docker://docker.gitea.com/runner-images:ubuntu-20.04"
     - "rustup-all:docker://gitea.loadingm.xyz/the10thwiz/rustup:latest"
+    - "rustup-all-musl:docker://gitea.loadingm.xyz/the10thwiz/rustup:musl-latest"
     - "rustup-stable:docker://gitea.loadingm.xyz/the10thwiz/rustup:stable"
     - "rustup-beta:docker://gitea.loadingm.xyz/the10thwiz/rustup:beta"
     - "rustup-nightly:docker://gitea.loadingm.xyz/the10thwiz/rustup:nightly"

jellyfin-compose.yaml

@@ -1,6 +1,5 @@
 services:
   gluetun:
-    container_name: GlueTun-VPN
     image: qmcgaw/gluetun
     cap_add:
       - NET_ADMIN
@@ -10,12 +9,14 @@ services:
       - 51820:51820/udp
       - 46931:46931
       - 46931:46931/udp
+    networks:
+      - jellyfin-int
     environment:
       - VPN_SERVICE_PROVIDER=custom
       - VPN_TYPE=wireguard
       - VPN_ENDPOINT_IP=${ENDPOINT_IP}
-      - WIREGUARD_ADDRESSES=${WIREGUARD_ADDR}
       - VPN_ENDPOINT_PORT=${ENDPOINT_PORT}
+      - WIREGUARD_ADDRESSES=${WIREGUARD_ADDR}
       - VPN_DNS_ADDRESS=${DNS_ADDRESS}
       - WIREGUARD_PUBLIC_KEY=${PUBLIC_KEY}
       - WIREGUARD_PRIVATE_KEY=${PRIVATE_KEY}
@@ -30,7 +31,6 @@ services:
       - /data/jellyfin/gluetun:/tmp/gluetun
   qbittorrent:
     image: lscr.io/linuxserver/qbittorrent:latest
-    container_name: qbittorrent
     network_mode: service:gluetun
     environment:
       - WEBUI_PORT=8080
@@ -42,16 +42,17 @@ services:
       - /data/jellyfin:/data/jellyfin
       - /data/jellyfin/configs/qbittorrent:/config
       # - /data/jellyfin/qbittorrent/downloads:/data/jellyfin/qbittorrent/downloads
-    ports:
+    # ports:
-      - 8080:8080
+    #   - 8080:8080
-      - 6881:6881
+    #   - 6881:6881
-      - 6881:6881/udp
+    #   - 6881:6881/udp
     # networks:
     #   - jellyfin-int
+    depends_on:
+      - gluetun
     restart: unless-stopped
   flaresolverr:
     image: ghcr.io/flaresolverr/flaresolverr:latest
-    container_name: flaresolverr
     environment:
       - LOG_LEVEL=${LOG_LEVEL:-info}
       - LOG_HTML=${LOG_HTML:-false}
@@ -66,7 +67,6 @@ services:
     restart: unless-stopped
   prowlarr:
     image: lscr.io/linuxserver/prowlarr:latest
-    container_name: prowlarr
     environment:
       - PUID=0
       - PGID=0
@@ -80,7 +80,6 @@ services:
     restart: unless-stopped
   jackett:
     image: lscr.io/linuxserver/jackett:latest
-    container_name: jackett
     environment:
       - PUID=0
       - PGID=0
@@ -94,7 +93,6 @@ services:
     restart: unless-stopped
   sonarr:
     image: lscr.io/linuxserver/sonarr:latest
-    container_name: sonarr
     environment:
       - PUID=0
       - PGID=0
@@ -111,7 +109,6 @@ services:
     restart: unless-stopped
   radarr:
     image: lscr.io/linuxserver/radarr:latest
-    container_name: radarr
     environment:
       - PUID=0
       - PGID=0
@@ -128,7 +125,6 @@ services:
     restart: unless-stopped
   jellyfin:
     image: lscr.io/linuxserver/jellyfin:latest
-    container_name: jellyfin
     environment:
       - PUID=0
       - PGID=0
@@ -151,17 +147,20 @@ services:
       - /data/jellyfin/radarr/movies:/data/movies
       - /data/jellyfin/qbittorrent/downloads:/data/media_downloads
     restart: unless-stopped
-    runtime: nvidia
+    group_add:
-    deploy:
+      - '993'
-      resources:
-        reservations:
     devices:
-            - driver: nvidia
+      - /dev/dri/renderD128:/dev/dri/renderD128
-              count: all
+    # runtime: nvidia
-              capabilities: [gpu]
+    # deploy:
+    #   resources:
+    #     reservations:
+    #       devices:
+    #         - driver: intel
+    #           count: all
+    #           capabilities: [gpu]
   jellyseerr:
     image: fallenbagel/jellyseerr:latest
-    container_name: jellyseerr
     environment:
       - LOG_LEVEL=debug
       - TZ=${TZ}

karakeep-compose.yaml

@@ -56,7 +56,6 @@ services:
     volumes:
       - .:/code
       - /data/library/ollama/ollama:/root/.ollama
-    container_name: ollama
     pull_policy: always
     tty: true
     restart: always
@@ -69,7 +68,6 @@ services:
 
   ollama-webui:
     image: ghcr.io/open-webui/open-webui:main
-    container_name: ollama-webui
     volumes:
       - /data/library/ollama/ollama-webui:/app/backend/data
     depends_on:

nginx/sites-enabled/karakeep

@@ -40,7 +40,17 @@ server {
     # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
     # Enforces https content and restricts JS/CSS to origin
     # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
-    add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
+    set $CSP "default-src https: data: blob:";
+    set $CSP "$CSP; img-src 'self' https://* data:";
+    set $CSP "$CSP; style-src 'self' 'unsafe-inline' data:";
+    set $CSP "$CSP; style-src-elem 'self' 'unsafe-inline' data:";
+    set $CSP "$CSP; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtubse.com blob: data:";
+    set $CSP "$CSP; worker-src 'self' blob: data:";
+    set $CSP "$CSP; connect-src 'self' data:";
+    set $CSP "$CSP; object-src 'none' data:";
+    set $CSP "$CSP; frame-ancestors 'self' data:";
+    set $CSP "$CSP; font-src 'self' data:";
+    add_header Content-Security-Policy $CSP;
 
     location /.well-known/acme-challenge/ {
         root /var/www/certbot;
@@ -55,6 +65,7 @@ server {
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header X-Forwarded-Protocol $scheme;
         proxy_set_header X-Forwarded-Host $http_host;
+        proxy_hide_header Content-Security-Policy;
 
         # Disable buffering when the nginx proxy gets very resource heavy upon streaming
         proxy_buffering off;

nginx/sites-enabled/memos

@@ -0,0 +1,62 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name memos.loadingm.xyz;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    # Uncomment to redirect HTTP to HTTPS
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    # Nginx versions 1.25+
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+
+    server_name memos.loadingm.xyz;
+
+    ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
+    client_max_body_size 200G;
+
+    ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
+    # include /etc/letsencrypt/options-ssl-nginx.conf;
+    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
+
+    # Security / XSS Mitigation Headers
+    add_header X-Content-Type-Options "nosniff";
+
+    # Permissions policy. May cause issues with some clients
+    add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
+
+    # Content Security Policy
+    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+    # Enforces https content and restricts JS/CSS to origin
+    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
+        add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        # Proxy main karakeep traffic
+        proxy_pass http://memos:5230;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Protocol $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+
+        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
+        proxy_buffering off;
+    }
+}

nginx/sites-enabled/servarr

@@ -13,7 +13,8 @@ server {
     location /qbt/ {
         # include /etc/nginx/snippets/proxy.conf;
         include /etc/nginx/snippets/authelia-authrequest.conf;
-        proxy_pass http://qbittorrent:8080/;
+        # proxy_pass http://qbittorrent:8080/;
+        proxy_pass http://gluetun:8080/;
         proxy_http_version 1.1;
         proxy_set_header   Host               $proxy_host;
         proxy_set_header   X-Forwarded-For    $proxy_add_x_forwarded_for;