the10thwiz/Homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: the10thwiz:main
Branches Tags
the10thwiz:main
..
compare: the10thwiz:62b2c11d586c5be7a8f6b62b5377c6eabc93c183
Branches Tags
the10thwiz:main

1 Commits
main ... 62b2c11d58

Author SHA1 Message Date
Matthew Pomes
62b2c11d58 Pull latest changes from main before redeploying
Some checks failed
Deploy homelab / Deploy (push) Has been cancelled
Details
2025-09-02 23:33:39 -05:00
33 changed files with 305 additions and 1049 deletions
Expand all files Collapse all files

28
.gitea/workflows/certificates.yaml
View File

@@ -1,28 +0,0 @@
name: "Build certificates"
on:
workflow_dispatch:
inputs:
# Note: this doesn't work on current gitea for some reason?
build_certs:
description: "Build certificates from scratch"
type: "boolean"
required: true
default: false
schedule: "@weekly"
env:
TZ: "America/Chicago"
jobs:
deploy:
name: "Setup/Renew certificates"
runs-on: "homelab"
steps:
- name: "Build certificates"
if: inputs.build_certs
run: |
cd /home/matthew/homelab
bash ./build-certs.sh
- name: "Renew certificates"
run: |
cd /home/matthew/homelab
docker compose run --rm certbot renew
docker restart homelab-web-1

6
.gitea/workflows/deploy.yaml
View File

@@ -10,12 +10,8 @@ jobs:
name: Deploy
runs-on: homelab
steps:
- name: "Pull latest code"
run: |
- run: |
cd /home/matthew/homelab
git checkout main
git pull
- name: "Deploy containers"
run: |
cd /home/matthew/homelab
docker compose up -d --remove-orphans

1
.gitignore vendored
View File

@@ -1,5 +1,4 @@
.env
*.env
authelia/secrets/
authelia/notification.txt
authelia/db.sqlite3

25
.vpnenv
View File

@@ -1,25 +0,0 @@
TZ=America/Menominee
# # Probably US-IL#152
# VPN_ENDPOINT_IP=87.249.134.138
# VPN_ENDPOINT_PORT=51820
# WIREGUARD_ADDRESSES=10.2.0.2/32
# VPN_DNS_ADDRESS=10.2.0.1
# WIREGUARD_PUBLIC_KEY=WNLAmQkeAvdg9QRFMXq7EuwpEWWkltWwiS/DGIcjHjs=
# WIREGUARD_PRIVATE_KEY=MEvccGuRDyqlbpMdqUlCdGwlAD/LD4iTvx+6LG/0/0k=
# US-IL#156
VPN_ENDPOINT_IP=87.249.134.139
VPN_ENDPOINT_PORT=51820
WIREGUARD_ADDRESSES=10.2.0.2/32
VPN_DNS_ADDRESS=10.2.0.1
WIREGUARD_PUBLIC_KEY=xuqP9uEGryELhamLSK9IDRNhljo3lA1zL9/gS7yj2WQ=
WIREGUARD_PRIVATE_KEY=wHp5gAjV9qznCbk702bq/Az/qXrnb8PKMiNhWQ5mw2I=
# # US-IL#156
# VPN_ENDPOINT_IP=87.249.134.139
# VPN_ENDPOINT_PORT=51820
# WIREGUARD_ADDRESSES=10.2.0.2/32
# VPN_DNS_ADDRESS=10.2.0.1
# WIREGUARD_PUBLIC_KEY=xuqP9uEGryELhamLSK9IDRNhljo3lA1zL9/gS7yj2WQ=
# WIREGUARD_PRIVATE_KEY=wHp5gAjV9qznCbk702bq/Az/qXrnb8PKMiNhWQ5mw2I=

45
README.md
View File

@@ -1,45 +0,0 @@
# My personal homelab setup
Currently running on a Debian host
## Raw data
Raw data is stored in `/data`, a ZFS data set
```bash
# Install ZFS
apt update
apt install linux-headers-amd64
apt install zfsutils-linux zfs-dkms
zpool create hdd raidz2 <disks...>
mkdir -p /data
zfs create -o mountpoint=/data hdd/data
zfs set compression=on hdd/data
```
## act_runner
```bash
pushd /tmp
wget https://gitea.com/gitea/act_runner/releases/download/v0.2.13/act_runner-0.2.13-linux-amd64.xz
xz -d act_runner-0.2.13-linux-amd64.xz
mv act_runner-0.2.13-linux-amd64 /usr/bin/act_runner
chmod +x /usr/bin/act_runner
mkdir /home/matthew/act_runner
```
## Systemd
```bash
# Add services
ln -s $PWD/*.service /etc/systemd/system/
systemctl enable homelab
systemctl start homelab
cd ~/act_runner
/usr/bin/act_runner register --config /home/matthew/homelab/host-runner.yaml
systemctl enable act_runner
systemctl start act_runner
```

16
act_runner.service
View File

@@ -1,16 +0,0 @@
[Unit]
Description=Gitea Actions runner
Documentation=https://gitea.com/gitea/act_runner
After=docker.service
[Service]
ExecStart=/usr/bin/act_runner daemon --config /home/matthew/homelab/host-runner.yaml
ExecReload=/bin/kill -s HUP $MAINPID
WorkingDirectory=/home/matthew/act_runner
TimeoutSec=0
RestartSec=10
Restart=always
User=matthew
[Install]
WantedBy=multi-user.target

64
authelia/configuration.yml
View File

@@ -6,7 +6,7 @@ authentication_backend:
password_change:
disable: false
file:
path: '/data/users.yml'
path: '/config/users.yml'
watch: false
search:
email: false
@@ -37,72 +37,18 @@ session:
remember_me: '1d'
notifier:
disable_startup_check: false
# filesystem:
# filename: '/data/notification.txt'
smtp:
address: 'smtp://mail:25'
sender: 'Authelia <auth@loadingm.xyz>'
disable_require_tls: true # Determine if this is needed
disable_starttls: true
filesystem:
filename: '/config/notification.txt'
storage:
local:
path: '/data/db.sqlite3'
path: '/config/db.sqlite3'
access_control:
default_policy: deny
rules:
- domain: 'servarr.loadingm.xyz'
subject:
- 'group:admin'
- domain: '*.loadingm.xyz'
policy: one_factor
# - domain: '*.loadingm.xyz'
# policy: one_factor
server:
endpoints:
authz:
auth-request:
implementation: 'AuthRequest'
identity_providers:
oidc:
# enable_client_debug_messages: false
# minimum_parameter_entropy: 8
# enforce_pkce: 'public_clients_only'
# enable_pkce_plain_challenge: false
# enable_jwt_access_token_stateless_introspection: false
# discovery_signed_response_alg: 'none'
# discovery_signed_response_key_id: ''
# require_pushed_authorization_requests: false
# authorization_policies:
# policy_name:
# default_policy: 'two_factor'
# rules:
# - policy: 'deny'
# subject: 'group:services'
# networks:
# - '192.168.1.0/24'
# - '192.168.2.51'
lifespans:
access_token: '1h'
authorize_code: '1m'
id_token: '1h'
refresh_token: '90m'
# claims_policies:
# policy_name:
# id_token: []
# access_token: []
# id_token_audience_mode: 'specification'
# custom_claims:
# claim_name:
# name: 'claim_name'
# attribute: 'attribute_name'
# scopes:
# scope_name:
# claims: []
# cors:
# endpoints:
# - 'authorization'
# - 'token'
# - 'revocation'
# - 'introspection'
# allowed_origins:
# - 'https://example.com'
# allowed_origins_from_client_redirect_uris: false

139
authelia/secret-template.yml
View File

@@ -1,139 +0,0 @@
# au rand() {
# docker run --rm authelia/authelia:latest authelia crypto rand --length $1 --charset rfc3986
# }
# au hash() {
# docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length $1 --random.charset rfc3986
# }
identity_providers:
oidc:
hmac_secret: '$(au rand 72)'
jwks:
- key: $(openssl genrsa -out - 2048)
claims_policies:
karakeep:
id_token: ['email']
## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
## See: https://www.authelia.com/c/oidc
clients:
- client_name: 'Gitea'
client_id: '$(au rand 72)'
client_secret: '$(au hash 72)'
public: false
authorization_policy: 'two_factor'
require_pkce: false
pkce_challenge_method: ''
redirect_uris:
- 'https://gitea.loadingm.xyz/user/oauth2/authelia/callback'
scopes:
- 'openid'
- 'email'
- 'profile'
response_types:
- 'code'
grant_types:
- 'authorization_code'
access_token_signed_response_alg: 'none'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_basic'
- client_name: 'Memos'
client_id: '$(au rand 72)'
client_secret: '$(au hash 72)'
public: false
authorization_policy: 'two_factor'
require_pkce: false
pkce_challenge_method: ''
redirect_uris:
- 'https://memos.loadingm.xyz/auth/callback'
scopes:
- 'openid'
- 'email'
- 'profile'
response_types:
- 'code'
grant_types:
- 'authorization_code'
access_token_signed_response_alg: 'none'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_basic'
- client_name: 'Open WebUI'
client_id: '$(au rand 72)'
client_secret: '$(au hash 72)'
public: false
authorization_policy: 'two_factor'
require_pkce: false
pkce_challenge_method: ''
redirect_uris:
- 'https://ollama.loadingm.xyz/oauth/oidc/callback'
scopes:
- 'openid'
- 'email'
- 'groups'
- 'profile'
response_types:
- 'code'
grant_types:
- 'authorization_code'
access_token_signed_response_alg: 'none'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_basic'
- client_name: 'Karakeep'
client_id: '$(au rand 72)'
client_secret: '$(au hash 72)'
public: false
authorization_policy: 'two_factor'
require_pkce: false
pkce_challenge_method: ''
redirect_uris:
- 'https://karakeep.loadingm.xyz/api/auth/callback/custom'
scopes:
- 'openid'
- 'email'
- 'profile'
claims_policy: 'karakeep'
response_types:
- 'code'
grant_types:
- 'authorization_code'
access_token_signed_response_alg: 'none'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_basic'
# - client_name: 'Jellyseerr'
# client_id: '$(au rand 72)'
# client_secret: '$(au hash 72)'
# public: false
# authorization_policy: 'two_factor'
# require_pkce: false
# pkce_challenge_method: ''
# redirect_uris:
# - 'https://memos.loadingm.xyz/auth/callback'
# scopes:
# - 'openid'
# - 'email'
# - 'profile'
# response_types:
# - 'code'
# grant_types:
# - 'authorization_code'
# access_token_signed_response_alg: 'none'
# userinfo_signed_response_alg: 'none'
# token_endpoint_auth_method: 'client_secret_basic'
# - client_name: 'Jellyfin'
# client_id: '$(au rand 72)'
# client_secret: '$(au hash 72)'
# public: false
# authorization_policy: 'two_factor'
# require_pkce: false
# pkce_challenge_method: ''
# redirect_uris:
# - 'https://memos.loadingm.xyz/auth/callback'
# scopes:
# - 'openid'
# - 'email'
# - 'profile'
# response_types:
# - 'code'
# grant_types:
# - 'authorization_code'
# access_token_signed_response_alg: 'none'
# userinfo_signed_response_alg: 'none'
# token_endpoint_auth_method: 'client_secret_basic'

10
build-certs.sh Normal file
View File

@@ -0,0 +1,10 @@
docker compose run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ \
-d loadingm.xyz \
-d gitea.loadingm.xyz \
-d auth.loadingm.xyz \
-d jellyfin.loadingm.xyz \
-d jellyseerr.loadingm.xyz \
-d servarr.loadingm.xyz \
-d karakeep.loadingm.xyz \
-d ollama.loadingm.xyz

212
docker-compose.yaml
View File

@@ -1,70 +1,38 @@
include:
- ./karakeep-compose.yaml
- ./jellyfin-compose.yaml
- ./immich-compose.yaml
- ./matrix-compose.yaml
secrets:
JWT_SECRET:
file: '/data/authelia/secrets/JWT_SECRET'
file: './authelia/secrets/JWT_SECRET'
SESSION_SECRET:
file: '/data/authelia/secrets/SESSION_SECRET'
file: './authelia/secrets/SESSION_SECRET'
STORAGE_PASSWORD:
file: '/data/authelia/secrets/STORAGE_PASSWORD'
file: './authelia/secrets/STORAGE_PASSWORD'
STORAGE_ENCRYPTION_KEY:
file: '/data/authelia/secrets/STORAGE_ENCRYPTION_KEY'
file: './authelia/secrets/STORAGE_ENCRYPTION_KEY'
volumes:
meilisearch:
karakeep:
bitwarden:
immich-model-cache:
nginx:
networks:
karakeep:
external: false
enable_ipv6: true
karakeep-int:
external: false
enable_ipv6: true
ollama:
external: false
enable_ipv6: true
ollama-int:
external: false
enable_ipv6: true
jellyfin:
external: false
enable_ipv6: true
jellyfin-int:
external: false
enable_ipv6: true
auth:
external: false
enable_ipv6: true
gitea:
external: false
enable_ipv6: true
gpodder:
external: false
enable_ipv6: true
memos:
external: false
enable_ipv6: true
mail:
external: false
enable_ipv6: true
bitwarden:
external: false
enable_ipv6: true
immich:
external: false
enable_ipv6: true
matrix:
external: false
enable_ipv6: true
services:
web:
build:
dockerfile: ./nginx-dockerfile
image: "nginx"
restart: unless-stopped
ports:
- 80:80
@@ -72,7 +40,9 @@ services:
volumes:
- ./nginx:/etc/nginx:ro
- /data/site:/data/site:ro
- nginx:/var/cache/nginx/
- /data/certbot/www/:/var/www/certbot/:ro
# - /etc/letsencrypt:/etc/letsencrypt:ro
- /data/certbot/conf:/etc/letsencrypt:ro
networks:
- karakeep
- ollama
@@ -80,11 +50,6 @@ services:
- jellyfin-int
- auth
- gitea
- gpodder
- memos
- bitwarden
- matrix
- immich
depends_on:
- jellyfin
- ollama-webui
@@ -92,36 +57,31 @@ services:
- authelia
- qbittorrent
- gitea
- gpodder
- memos
- matrix-server
logging: &logging
options:
max-size: "50m"
# Optional - extra fonts to be used during transcoding with subtitle burn-in
# - type: bind
# source: /usr/local/share/fonts/cu
# target: /usr/local/share/fonts/custom
# read_only: true
certbot:
image: certbot/certbot:latest
volumes:
- /data/certbot/www/:/var/www/certbot/:rw
- /data/certbot/conf/:/etc/letsencrypt/:rw
authelia:
container_name: 'authelia'
image: 'docker.io/authelia/authelia:latest'
command:
- 'authelia'
- '--config=/config/configuration.yml'
- '--config=/data/configuration.yml'
restart: 'unless-stopped'
secrets: ['JWT_SECRET', 'SESSION_SECRET', 'STORAGE_PASSWORD', 'STORAGE_ENCRYPTION_KEY']
networks:
- auth
- mail
environment:
AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE: '/run/secrets/JWT_SECRET'
AUTHELIA_SESSION_SECRET_FILE: '/run/secrets/SESSION_SECRET'
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/run/secrets/STORAGE_ENCRYPTION_KEY'
volumes:
- './authelia/:/config:ro'
- '/data/authelia/:/data'
logging: *logging
- './authelia/:/config'
# webdav:
# image: ""
minecraft:
image: itzg/minecraft-server:latest
tty: true
@@ -129,60 +89,39 @@ services:
restart: unless-stopped
ports:
- "25565:25565"
- "24454:24454/udp"
environment:
EULA: "TRUE"
TYPE: "FABRIC"
MEMORY: "4G"
MEMORY: "2048M"
MOTD: "Loading server..."
# VERSION: "1.21.11"
VERSION: "26.1.1"
# LEVEL: "world"
LEVEL: "house"
SEED: "881949285698121329"
# USE_MEOWICE_FLAGS: "true"
DIFFICULTY: "normal"
MODE: "survival"
LEVEL: "world"
USE_MEOWICE_FLAGS: "true"
DIFFICULTY: "3"
OPS: |-
187eca31-2e33-4199-97e0-2286bf35f7f8
ENABLE_WHITELIST: "true"
WHITELIST: |-
187eca31-2e33-4199-97e0-2286bf35f7f8,
5d341a01-506c-4473-a530-1ae9188c03c7,
34586a37-772e-4da4-86a1-6704f286d4c6,
1ff2724b-168f-4b17-8cf2-850894b34ead
187eca31-2e33-4199-97e0-2286bf35f7f8
PAUSE_WHEN_EMPTY_SECONDS: "20"
ENABLE_ROLLING_LOGS: "true"
REMOVE_OLD_MODS: "TRUE"
logging: *logging
volumes:
- "/data/minecraft/data:/data"
- "/data/minecraft/mods:/mods"
- "/data/minecraft/plugins:/plugins"
- "/data/minecraft/config:/config"
- "/opt/minecraft:/data"
gitea:
image: docker.gitea.com/gitea:1.24
image: gitea/gitea:latest
environment:
- USER_UID=106
- USER_GID=110
- ENABLE_NOTIFY_MAIL=true
# -
- USER_UID=1000
- USER_GID=1000
restart: unless-stopped
networks:
- gitea
- mail
volumes:
- /data/gitea/data:/data
- /home/git/.ssh/:/data/git/.ssh
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
ports:
- "222:22"
logging: *logging
depends_on:
- authelia
gitea-runner:
image: docker.gitea.com/act_runner:latest
image: docker.io/gitea/act_runner:nightly
restart: unless-stopped
networks:
- gitea
@@ -194,103 +133,6 @@ services:
- /var/run/docker.sock:/var/run/docker.sock
- /data/gitea/runner/:/data
- ./gitea-runner.yaml:/config.yaml
logging: *logging
depends_on:
- gitea
gpodder:
image: gitea.loadingm.xyz/the10thwiz/gpodder-rs:latest
restart: unless-stopped
environment:
- ROCKET_SECRET_KEY=${GPODDER_SECRET_KEY}
networks:
- gpodder
volumes:
- /data/gpodder:/data
logging: *logging
tftp:
image: kaczmar2/tftp-server
restart: unless-stopped
environment:
- ENABLE_WEB_SERVER=false
network_mode: host
volumes:
- /data/tftp:/srv/tftp:ro
- /etc/localtime:/etc/localtime:ro
logging: *logging
memos:
image: neosmemo/memos:stable
networks:
- memos
volumes:
- /data/memos:/var/opt/memos
environment:
- MEMOS_MODE=prod
- MEMOS_PORT=5230
restart: unless-stopped
logging: *logging
mail:
image: boky/postfix
restart: unless-stopped
logging: *logging
environment:
- ALLOWED_SENDER_DOMAINS=loadingm.xyz
# - POSTFIX_myhostname=mail
- POSTFIX_myhostname=loadingm.xyz
- POSTFIX_mydestination=loadingm.xyz,loading-hpdl380g10.loadingm.xyz
- MASQUERADED_DOMAINS=loadingm.xyz,loading-hpdl380g10.loadingm.xyz
- SMTPD_SASL_USERS="a:123,b:123"
volumes:
- /data/mail:/etc/opendkim/keys
networks:
- mail
ports:
- 127.0.0.1:25:25
# mail:
# image: ghcr.io/docker-mailserver/docker-mailserver:latest
# container_name: mailserver
# # Provide the FQDN of your mail server here (Your DNS MX record should point to this value)
# hostname: mail.loadingm.xyz
# env_file: mailserver.env
# # More information about the mail-server ports:
# # https://docker-mailserver.github.io/docker-mailserver/latest/config/security/understanding-the-ports/
# ports:
# - "25:25" # SMTP (explicit TLS => STARTTLS, Authentication is DISABLED => use port 465/587 instead)
# - "143:143" # IMAP4 (explicit TLS => STARTTLS)
# - "465:465" # ESMTP (implicit TLS)
# - "587:587" # ESMTP (explicit TLS => STARTTLS)
# - "993:993" # IMAP4 (implicit TLS)
# volumes:
# - /data/dms/mail-data/:/var/mail/
# - /data/dms/mail-state/:/var/mail-state/
# - /data/dms/mail-logs/:/var/log/mail/
# - /data/dms/config/:/tmp/docker-mailserver/
# - /etc/localtime:/etc/localtime:ro
# restart: always
# stop_grace_period: 1m
# # Uncomment if using `ENABLE_FAIL2BAN=1`:
# # cap_add:
# # - NET_ADMIN
# healthcheck:
# test: "ss --listening --ipv4 --tcp | grep --silent ':smtp' || exit 1"
# timeout: 3s
# retries: 0
bitwarden:
# env_file:
# - bitwarden.env
environment:
DOMAIN: "https://bitwarden.loadingm.xyz"
SMTP_HOST: mail
SMTP_FROM: bitwarden@loadingm.xyz
SMTP_SECURITY: off
SIGNUPS_ALLOWED: false
# ADMIN_TOKEN: "google straining barracuda prescribe augmented bucket"
networks:
- bitwarden
- mail
image: vaultwarden/server:latest
restart: always
volumes:
- /data/bitwarden:/data
# calibre:
# image: "linuxserver/calibre-web"
# 5d-diplomacy-frontend:

8
gitea-runner.yaml
View File

@@ -45,8 +45,6 @@ runner:
- "ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04"
- "ubuntu-20.04:docker://docker.gitea.com/runner-images:ubuntu-20.04"
- "rustup-all:docker://gitea.loadingm.xyz/the10thwiz/rustup:latest"
- "rustup-wasm:docker://gitea.loadingm.xyz/the10thwiz/rustup:wasm-stable"
- "rustup-all-musl:docker://gitea.loadingm.xyz/the10thwiz/rustup:musl-latest"
- "rustup-stable:docker://gitea.loadingm.xyz/the10thwiz/rustup:stable"
- "rustup-beta:docker://gitea.loadingm.xyz/the10thwiz/rustup:beta"
- "rustup-nightly:docker://gitea.loadingm.xyz/the10thwiz/rustup:nightly"
@@ -77,7 +75,7 @@ container:
# Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
privileged: false
# And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
options: '-v /data/site:/data/site'
options:
# The parent directory of a job's working directory.
# NOTE: There is no need to add the first '/' of the path as act_runner will add it automatically.
# If the path starts with '/', the '/' will be trimmed.
@@ -93,12 +91,12 @@ container:
# If you want to allow any volume, please use the following configuration:
# valid_volumes:
# - '**'
valid_volumes: ['**']
valid_volumes: []
# overrides the docker client host with the specified one.
# If it's empty, act_runner will find an available docker host automatically.
# If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
# If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
docker_host: "-"
docker_host: ""
# Pull docker image(s) even if already present
force_pull: false
# Rebuild docker image(s) even if already present

20
homelab.service
View File

@@ -1,20 +0,0 @@
[Unit]
Description=Homelab services
Requires=docker.service
After=docker.service
[Service]
Restart=always
User=root
Group=docker
TimeoutStopSec=15
WorkingDirectory=/home/matthew/homelab
# Shutdown container (if running) when unit is started
ExecStartPre=/usr/bin/docker compose -f docker-compose.yaml down
# Start container when unit is started
ExecStart=/usr/bin/docker compose -f docker-compose.yaml up
# Stop container when unit is stopped
ExecStop=/usr/bin/docker compose -f docker-compose.yaml down
[Install]
WantedBy=multi-user.target

66
immich-compose.yaml
View File

@@ -1,66 +0,0 @@
services:
immich-server:
image: ghcr.io/immich-app/immich-server:v2
# extends:
# file: hwaccel.transcoding.yml
# service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
volumes:
- /data/immich/uploads:/data
- /etc/localtime:/etc/localtime:ro
environment:
DB_USERNAME: postgres
DB_PASSWORD: nVmwTyOKlcEa6VUc
DB_DATABASE_NAME: immich
DB_HOSTNAME: immich-db
REDIS_HOSTNAME: immich-redis
networks:
- immich
depends_on:
- immich-redis
- immich-db
restart: always
healthcheck:
disable: false
immich-machine-learning:
# For hardware acceleration, add one of -[armnn, cuda, rocm, openvino, rknn] to the image tag.
# Example tag: ${IMMICH_VERSION:-v2}-cuda
image: ghcr.io/immich-app/immich-machine-learning:v2
# extends: # uncomment this section for hardware acceleration - see https://docs.immich.app/features/ml-hardware-acceleration
# file: hwaccel.ml.yml
# service: cpu # set to one of [armnn, cuda, rocm, openvino, openvino-wsl, rknn] for accelerated inference - use the `-wsl` version for WSL2 where applicable
volumes:
- immich-model-cache:/cache
environment:
DB_USERNAME: postgres
DB_PASSWORD: nVmwTyOKlcEa6VUc
DB_DATABASE_NAME: immich
networks:
- immich
restart: always
healthcheck:
disable: false
immich-redis:
image: docker.io/valkey/valkey:9@sha256:fb8d272e529ea567b9bf1302245796f21a2672b8368ca3fcb938ac334e613c8f
healthcheck:
test: redis-cli ping || exit 1
networks:
- immich
restart: always
immich-db:
image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23
environment:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: nVmwTyOKlcEa6VUc
POSTGRES_DB: immich
POSTGRES_INITDB_ARGS: '--data-checksums'
# Uncomment the DB_STORAGE_TYPE: 'HDD' var if your database isn't stored on SSDs
# DB_STORAGE_TYPE: 'HDD'
volumes:
- /data/immich/postgres:/var/lib/postgresql/data
networks:
- immich
shm_size: 128mb
restart: always

100
jellyfin-compose.yaml
View File

@@ -1,40 +1,7 @@
services:
gluetun:
image: qmcgaw/gluetun
cap_add:
- NET_ADMIN
ports:
- 8080:8080
- 51820:51820
- 51820:51820/udp
- 46931:46931
- 46931:46931/udp
networks:
- jellyfin-int
env_file: .vpnenv
environment:
- VPN_SERVICE_PROVIDER=custom
- VPN_TYPE=wireguard
# - VPN_ENDPOINT_IP=${ENDPOINT_IP}
# - VPN_ENDPOINT_PORT=${ENDPOINT_PORT}
# - WIREGUARD_ADDRESSES=${WIREGUARD_ADDR}
# - VPN_DNS_ADDRESS=${DNS_ADDRESS}
# - WIREGUARD_PUBLIC_KEY=${PUBLIC_KEY}
# - WIREGUARD_PRIVATE_KEY=${PRIVATE_KEY}
- VPN_PORT_FORWARDING=on
- VPN_PORT_FORWARDING_PROVIDER=protonvpn
- VPN_PORT_FORWARDING_STATUS_FILE=/tmp/gluetun/forwarded_port
- VPN_PORT_FORWARDING_UP_COMMAND=/bin/sh -c 'wget -O- --retry-connrefused --post-data "json={\"listen_port\":{{PORT}},\"current_network_interface\":\"{{VPN_INTERFACE}}\",\"random_port\":false,\"upnp\":false}" http://127.0.0.1:8080/api/v2/app/setPreferences 2>&1'
- VPN_PORT_FORWARDING_DOWN_COMMAND=/bin/sh -c 'wget -O- --retry-connrefused --post-data "json={\"listen_port\":0,\"current_network_interface\":\"lo"}" http://127.0.0.1:8080/api/v2/app/setPreferences 2>&1'
- TZ=${TZ}
- UPDATER_PERIOD=24h
restart: always
volumes:
- /data/jellyfin:/data/jellyfin
- /data/jellyfin/gluetun:/tmp/gluetun
qbittorrent:
image: lscr.io/linuxserver/qbittorrent:latest
network_mode: service:gluetun
container_name: qbittorrent
environment:
- WEBUI_PORT=8080
- PUID=0
@@ -44,18 +11,17 @@ services:
volumes:
- /data/jellyfin:/data/jellyfin
- /data/jellyfin/configs/qbittorrent:/config
# - /data/jellyfin/qbittorrent/downloads:/data/jellyfin/qbittorrent/downloads
# ports:
# - 8080:8080
# - 6881:6881
# - 6881:6881/udp
# networks:
# - jellyfin-int
depends_on:
- gluetun
- /data/jellyfin/qbittorrent/downloads:/downloads
ports:
- 8080:8080
- 6881:6881
- 6881:6881/udp
networks:
- jellyfin-int
restart: unless-stopped
flaresolverr:
image: ghcr.io/flaresolverr/flaresolverr:latest
container_name: flaresolverr
environment:
- LOG_LEVEL=${LOG_LEVEL:-info}
- LOG_HTML=${LOG_HTML:-false}
@@ -63,8 +29,6 @@ services:
- TZ=${TZ}
#- LANG=fr_FR
#- LANG=en_US
# volumes:
# - /tmp/flaresolver:/tmp
ports:
- 8191:8191
networks:
@@ -72,6 +36,7 @@ services:
restart: unless-stopped
prowlarr:
image: lscr.io/linuxserver/prowlarr:latest
container_name: prowlarr
environment:
- PUID=0
- PGID=0
@@ -85,11 +50,11 @@ services:
restart: unless-stopped
jackett:
image: lscr.io/linuxserver/jackett:latest
container_name: jackett
environment:
- PUID=0
- PGID=0
- TZ=${TZ}
# - RUN_OPTS=-l -t
volumes:
- /data/jellyfin/configs/jackett:/config
ports:
@@ -99,6 +64,7 @@ services:
restart: unless-stopped
sonarr:
image: lscr.io/linuxserver/sonarr:latest
container_name: sonarr
environment:
- PUID=0
- PGID=0
@@ -108,13 +74,14 @@ services:
- /data/jellyfin/configs/sonarr:/config
- /data/jellyfin/sonarr/tv:/tv
- /data/jellyfin/qbittorrent/downloads:/downloads
# ports:
# - 8989:8989
ports:
- 8989:8989
networks:
- jellyfin-int
restart: unless-stopped
radarr:
image: lscr.io/linuxserver/radarr:latest
container_name: radarr
environment:
- PUID=0
- PGID=0
@@ -124,59 +91,44 @@ services:
- /data/jellyfin/configs/radarr:/config
- /data/jellyfin/radarr/movies:/movies
- /data/jellyfin/qbittorrent/downloads:/downloads
# ports:
# - 7878:7878
ports:
- 7878:7878
networks:
- jellyfin-int
restart: unless-stopped
jellyfin:
image: lscr.io/linuxserver/jellyfin:latest
container_name: jellyfin
environment:
- PUID=0
- PGID=0
- TZ=${TZ}
- JELLYFIN_DATA_DIR=/config/data
- JELLYFIN_CONFIG_DIR=/config
- JELLYFIN_LOG_DIR=/config/log
- JELLYFIN_CACHE_DIR=/config/cache
# - NVIDIA_VISIBLE_DEVICES=all
- NVIDIA_VISIBLE_DEVICES=all
ports:
# - 8096:8096
# - 8920:8920
- 8096:8096
- 8920:8920
- 7359:7359/udp
- 1900:1900/udp
networks:
- jellyfin
- jellyfin-int
volumes:
- /data/library:/data/library:ro
- /data/jellyfin:/data/jellyfin
- /backup:/data/jellyfin/backups
# - /data/jellyfin/configs/jellyfin:/config
- /srv/jellyfin:/config
- /data/jellyfin/configs/jellyfin:/config
- /data/jellyfin/jellyfin/cache:/cache
- /data/jellyfin/sonarr/tv:/data/tvshows
- /data/jellyfin/radarr/movies:/data/movies
- /data/jellyfin/qbittorrent/downloads:/data/media_downloads
restart: unless-stopped
group_add:
- '993'
devices:
- /dev/dri/renderD128:/dev/dri/renderD128
# runtime: nvidia
# deploy:
# resources:
# reservations:
# devices:
# - driver: intel
# count: all
# capabilities: [gpu]
jellyseerr:
image: fallenbagel/jellyseerr:latest
container_name: jellyseerr
environment:
- LOG_LEVEL=debug
- TZ=${TZ}
# ports:
# - 5055:5055
ports:
- 5055:5055
volumes:
- /data/jellyfin/configs/jellyseerr:/app/config
restart: unless-stopped

39
karakeep-compose.yaml
View File

@@ -10,8 +10,7 @@ services:
# ports:
# - 3000:3000
env_file:
# - .env
- /data/secrets/karakeep
- .env
environment:
MEILI_ADDR: http://meilisearch:7700
BROWSER_WEB_URL: http://karakeep-chrome:9222
@@ -21,9 +20,7 @@ services:
INFERENCE_OUTPUT_SCHEMA: json
INFERENCE_CONTEXT_LENGTH: 1024
INFERENCE_JOB_TIMEOUT_SEC: 120
CRAWLER_FULL_PAGE_ARCHIVE: true
BROWSER_COOKIE_PATH: /data/cookies.json
LOG_LEVEL: info
# You almost never want to change the value of the DATA_DIR variable.
# If you want to mount a custom directory, change the volume mapping above instead.
DATA_DIR: /data # DON'T CHANGE THIS
@@ -55,14 +52,12 @@ services:
networks:
- karakeep-int
ollama:
image: docker.io/ollama/ollama:rocm
image: docker.io/ollama/ollama:latest
volumes:
- .:/code
- /data/library/ollama/ollama:/root/.ollama
devices:
- /dev/dri:/dev/dri
- /dev/kfd:/dev/kfd
# pull_policy: always
container_name: ollama
pull_policy: always
tty: true
restart: always
environment:
@@ -71,31 +66,21 @@ services:
- OLLAMA_DEBUG=1
networks:
- ollama-int
ollama-webui:
image: ghcr.io/open-webui/open-webui:main
container_name: ollama-webui
volumes:
- /data/library/ollama/ollama-webui:/app/backend/data
depends_on:
- ollama
environment: # https://docs.openwebui.com/getting-started/env-configuration#default_models
- OLLAMA_BASE_URLS=http://ollama:7869 #comma separated ollama hosts
- ENABLE_OPENAI_API=False
- WEBUI_URL=https://ollama.loadingm.xyz
- OLLAMA_BASE_URLS=http://host.docker.internal:7869 #comma separated ollama hosts
- ENV=dev
- ENABLE_OAUTH_SIGNUP=true
- OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true
- OPENID_PROVIDER_URL=https://auth.loadingm.xyz/.well-known/openid-configuration
- OAUTH_PROVIDER_NAME=Authelia
- OAUTH_SCOPES=openid email profile groups
- ENABLE_OAUTH_ROLE_MANAGEMENT=true
- OAUTH_ALLOWED_ROLES=openwebui,openwebui-admin
- OAUTH_ADMIN_ROLES=openwebui-admin
- OAUTH_ROLES_CLAIM=groups
- OAUTH_CODE_CHALLENGE_METHOD=S256
env_file: /data/secrets/ollama-webui
# - WEBUI_AUTH=True
# - WEBUI_NAME=valiantlynx AI
# - WEBUI_SECRET_KEY=t0p-s3cr3t
- WEBUI_AUTH=True
- WEBUI_NAME=valiantlynx AI
- WEBUI_URL=http://localhost:8080
- WEBUI_SECRET_KEY=t0p-s3cr3t
extra_hosts:
- host.docker.internal:host-gateway
restart: unless-stopped

27
matrix-compose.yaml
View File

@@ -1,27 +0,0 @@
services:
matrix-server:
image: forgejo.ellis.link/continuwuation/continuwuity
restart: unless-stopped
environment:
CONTINUWUITY_SERVER_NAME: "matrix.loadingm.xyz"
CONTINUWUITY_WELL_KNOWN__SERVER: "matrix.loadingm.xyz:443"
CONTINUWUITY_ALLOW_REGISTRATION: true
CONTINUWUITY_REGISTRATION_TOKEN: "qFz7aekKxgXdd6SpQ09llv52+S4="
CONTINUWUITY_ALLOW_FEDERATION: 'true'
CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org", "mozilla.org"]'
CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
CONTINUWUITY_PORT: 6167
CONTINUWUITY_ADDRESS: 0.0.0.0
volumes:
- /data/matrix/db:/var/lib/continuwuity
networks:
- matrix
# ports:
# - 8448:6167
# turn:
# image: docker.io/coturn/coturn
# restart: unless-stopped
# network_mode: "host"
# volumes:
# - ./coturn.conf:/etc/coturn/turnserver.conf:ro

2
nginx-dockerfile
View File

@@ -1,2 +0,0 @@
FROM nginx
RUN apt install nginx-module-acme

15
nginx/nginx.conf
View File

@@ -3,7 +3,6 @@ worker_processes auto;
worker_cpu_affinity auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
load_module /usr/lib/nginx/modules/ngx_http_acme_module.so;
events {
worker_connections 768;
@@ -11,14 +10,6 @@ events {
}
http {
resolver 127.0.0.11:53;
acme_issuer letsencrypt {
uri https://acme-v02.api.letsencrypt.org/directory;
contact matthew.pomes@pm.me;
state_path /var/cache/nginx/acme-letsencrypt;
accept_terms_of_service;
}
##
# Basic Settings
@@ -66,12 +57,6 @@ http {
##
include /etc/nginx/sites-enabled/*;
server {
listen 80;
location / {
return 301 https://$host$request_uri;
}
}
}

19
nginx/sites-available/5d-diplomacy
View File

@@ -1,8 +1,17 @@
server {
if ($host = 5d-diplomacy.loadingm.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name 5d-diplomacy.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
@@ -16,14 +25,16 @@ server {
http2 on;
server_name 5d-diplomacy.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/5d-diplomacy.loadingm.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/5d-diplomacy.loadingm.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/5d-diplomacy.loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";

29
nginx/sites-enabled/auth
View File

@@ -1,3 +1,18 @@
server {
listen 80;
listen [::]:80;
server_name auth.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server {
# Nginx versions 1.25+
listen 443 ssl;
@@ -5,14 +20,16 @@ server {
http2 on;
server_name auth.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
@@ -25,6 +42,10 @@ server {
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
# Proxy main karakeep traffic
proxy_pass http://authelia:9091;

63
nginx/sites-enabled/bitwarden
View File

@@ -1,63 +0,0 @@
server {
# Nginx versions 1.25+
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name bitwarden.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
# Permissions policy. May cause issues with some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
# set $CSP "default-src https: data: blob:";
# set $CSP "$CSP; img-src 'self' https://* data:";
# set $CSP "$CSP; style-src 'self' 'unsafe-inline' data:";
# set $CSP "$CSP; style-src-elem 'self' 'unsafe-inline' data:";
# set $CSP "$CSP; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtubse.com blob: data:";
# set $CSP "$CSP; worker-src 'self' blob: data:";
# set $CSP "$CSP; connect-src 'self' data:";
# set $CSP "$CSP; object-src 'none' data:";
# set $CSP "$CSP; frame-ancestors 'self' data:";
# set $CSP "$CSP; font-src 'self' data:";
# add_header Content-Security-Policy $CSP;
location /notifications/hub {
proxy_pass http://bitwarden:80;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
location / {
# Proxy main bitwarden traffic
proxy_pass http://bitwarden:80;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
}

29
nginx/sites-enabled/gitea
View File

@@ -1,3 +1,18 @@
server {
listen 80;
listen [::]:80;
server_name gitea.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server {
# Nginx versions 1.25+
listen 443 ssl;
@@ -5,14 +20,16 @@ server {
http2 on;
server_name gitea.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 200G;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
@@ -25,6 +42,10 @@ server {
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
# Proxy main karakeep traffic
proxy_pass http://gitea:3000;

38
nginx/sites-enabled/gpodder
View File

@@ -1,38 +0,0 @@
server {
# SSL configuration
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name gpodder.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
# Permissions policy. May cause issues with some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location / {
# Proxy main karakeep traffic
proxy_pass http://gpodder:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
}

53
nginx/sites-enabled/immich
View File

@@ -1,53 +0,0 @@
server {
# Nginx versions 1.25+
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name immich.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 200G;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
# Permissions policy. May cause issues with some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /api/socket.io {
proxy_pass http://immich-server:2283;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
location / {
# Proxy main karakeep traffic
proxy_pass http://immich-server:2283;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
}

29
nginx/sites-enabled/jellyfin
View File

@@ -1,3 +1,18 @@
server {
listen 80;
listen [::]:80;
server_name jellyfin.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server {
# Nginx versions 1.25+
listen 443 ssl;
@@ -5,14 +20,16 @@ server {
http2 on;
server_name jellyfin.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
@@ -25,6 +42,10 @@ server {
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
# Proxy main Jellyfin traffic
proxy_pass http://jellyfin:8096;

29
nginx/sites-enabled/jellyseerr
View File

@@ -1,3 +1,18 @@
server {
listen 80;
listen [::]:80;
server_name jellyseerr.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server {
# Nginx versions 1.25+
listen 443 ssl;
@@ -5,20 +20,26 @@ server {
http2 on;
server_name jellyseerr.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
# Permissions policy. May cause issues with some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin

42
nginx/sites-enabled/karakeep
View File

@@ -1,3 +1,18 @@
server {
listen 80;
listen [::]:80;
server_name karakeep.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server {
# Nginx versions 1.25+
listen 443 ssl;
@@ -5,14 +20,16 @@ server {
http2 on;
server_name karakeep.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
@@ -23,17 +40,11 @@ server {
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
set $CSP "default-src https: data: blob:";
set $CSP "$CSP; img-src 'self' https://* data:";
set $CSP "$CSP; style-src 'self' 'unsafe-inline' data:";
set $CSP "$CSP; style-src-elem 'self' 'unsafe-inline' data:";
set $CSP "$CSP; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtubse.com blob: data:";
set $CSP "$CSP; worker-src 'self' blob: data:";
set $CSP "$CSP; connect-src 'self' data:";
set $CSP "$CSP; object-src 'none' data:";
set $CSP "$CSP; frame-ancestors 'self' data:";
set $CSP "$CSP; font-src 'self' data:";
add_header Content-Security-Policy $CSP;
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
# Proxy main karakeep traffic
@@ -44,7 +55,6 @@ server {
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_hide_header Content-Security-Policy;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;

53
nginx/sites-enabled/matrix
View File

@@ -1,53 +0,0 @@
server {
# Nginx versions 1.25+
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name matrix.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 200G;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
# Permissions policy. May cause issues with some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
# location /api/socket.io {
# proxy_pass http://matrix-server:6167;
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade";
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-Protocol $scheme;
# proxy_set_header X-Forwarded-Host $http_host;
# }
location / {
# Proxy main karakeep traffic
proxy_pass http://matrix-server:6167;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
}

41
nginx/sites-enabled/memos
View File

@@ -1,41 +0,0 @@
server {
# Nginx versions 1.25+
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name memos.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 200G;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
# Permissions policy. May cause issues with some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location / {
# Proxy main karakeep traffic
proxy_pass http://memos:5230;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
}

18
nginx/sites-enabled/ollama
View File

@@ -5,23 +5,9 @@ server {
http2 on;
server_name ollama.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
location /ws/ {
proxy_pass http://ollama-webui:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
include /etc/nginx/snippets/letsencrypt.conf;
# include /etc/nginx/snippets/authelia-location.conf;
location / {
include /etc/nginx/snippets/proxy.conf;

53
nginx/sites-enabled/primary
View File

@@ -1,14 +1,52 @@
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
server {
listen 80 default_server;
listen [::]:80;
server_name loadingm.xyz *.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
# Default server configuration
#
server {
# SSL configuration
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
http2 on;
server_name loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
root /data/site;
@@ -22,4 +60,11 @@ server {
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}

10
nginx/sites-enabled/servarr
View File

@@ -1,21 +1,19 @@
server {
# Nginx versions 1.25+
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name servarr.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
include /etc/nginx/snippets/letsencrypt.conf;
include /etc/nginx/snippets/authelia-location.conf;
location /qbt/ {
# include /etc/nginx/snippets/proxy.conf;
include /etc/nginx/snippets/authelia-authrequest.conf;
# proxy_pass http://qbittorrent:8080/;
proxy_pass http://gluetun:8080/;
proxy_pass http://qbittorrent:8080/;
proxy_http_version 1.1;
proxy_set_header Host $proxy_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

25
nginx/snippets/letsencrypt.conf Normal file
View File

@@ -0,0 +1,25 @@
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
# add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
# Permissions policy. May cause issues with some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}