Mirrors/JimsGarage
1
0
Fork 0
mirror of https://github.com/JamesTurland/JimsGarage.git synced 2025-08-13 17:02:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

popup-homelab

Browse Source
This commit is contained in:
James Turland 2025-03-05 13:12:52 +00:00
parent 9d973c4823
commit 56e191f45f
8 changed files with 829 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
Popup-Homelab/.env Normal file
View File

@ -0,0 +1,60 @@
###############################################################################################################
###############################################################################################################
# GENERAL
###############################################################################################################
###############################################################################################################
# Docker machine username
HOST_USER=ubuntu
# Where container data will be stored (note user above)
WORKING_DIR=/home/${HOST_USER}/docker
# Your domain, including TLD (e.g., jimgarage.co.uk - not just jimsgarage)
DOMAIN=jimsgarage.co.uk
###############################################################################################################
###############################################################################################################
# TRAEFIK
###############################################################################################################
###############################################################################################################
TRAEFIK_DASHBOARD_CREDENTIALS=admin:$$2y$$05$$3A1ctqF6JF4F4Jk2UsMhnevo6DHogXKb5IrnJyz53F3xUqoWvVx.i
###############################################################################################################
###############################################################################################################
# AUTHENTIK
###############################################################################################################
###############################################################################################################
PG_PASS=JXIwsF3fHJ2tTbqIgfXkUV/LrX1O51b3bNVTQ+Khx1BNCRWq
AUTHENTIK_SECRET_KEY=RrgGRY9hcUj/LE99uiAc7aRFZXh5GH+jUpwl2yHDQ6HD8Sv2sN+yweQ2MlWfvMNBOfklzLGEY6+PsY4a
AUTHENTIK_ERROR_REPORTING__ENABLED=true
# SMTP Host Emails are sent to
AUTHENTIK_EMAIL__HOST=localhost
AUTHENTIK_EMAIL__PORT=25
# Optionally authenticate (don't add quotation marks to your password)
AUTHENTIK_EMAIL__USERNAME=
AUTHENTIK_EMAIL__PASSWORD=
# Use StartTLS
AUTHENTIK_EMAIL__USE_TLS=false
# Use SSL
AUTHENTIK_EMAIL__USE_SSL=false
AUTHENTIK_EMAIL__TIMEOUT=10
# Email address authentik will send from, should have a correct @domain
AUTHENTIK_EMAIL__FROM=authentik@localhost
###############################################################################################################
###############################################################################################################
# MIROTALK
###############################################################################################################
###############################################################################################################
# OIDC - OpenID Connect
# 1. Sign up for an account at https://auth0.com.
# 2. Navigate to https://manage.auth0.com/ to create a new application tailored to your specific requirements.
# For those seeking an open-source solution, check out: https://github.com/panva/node-oidc-provider
OIDC_ENABLED=true # true or false
OIDC_ISSUER_BASE_URL='https://authentik.$DOMAIN/application/o/mirotalk/'
OIDC_BASE_URL='https://mirotalk.${DOMAIN}' # https://p2p.mirotalk.com
OIDC_CLIENT_ID='JQsgccwyOHsPMFiQXmCgh3tcrmdatqwJXezxx4gG'
OIDC_CLIENT_SECRET='FqXHbAxsAvCYMYTRKiKyyhuEe3M3lUrT1i9txC0powVbCebDe7NywMpH68kmZGcMlqqYZsSP8fo8BtFrebIjAW00Zp3vCNHSyAHNnTljhwx7tio0AV910y7B5MNceafh'
OIDC_AUTH_REUIRED=true # set to true if authentication is required for all routes
SESSION_SECRET='mirotalk-p2p-oidc-secret'

4
Popup-Homelab/acquis.yaml Normal file
View File

@ -0,0 +1,4 @@
filenames:
- /var/log/traefik/*
labels:
type: traefik

1
Popup-Homelab/cf-token Normal file
View File

@ -0,0 +1 @@
cf-token-here

2
Popup-Homelab/custom.list Normal file
View File

@ -0,0 +1,2 @@
192.168.200.118 traefik.jimsgarge.co.uk
192.168.200.118 portainer.jimsgarge.co.uk

672
Popup-Homelab/docker-compose.yaml Normal file
View File

@ -0,0 +1,672 @@
secrets:
cf-token:
file: ./cf-token
services:
###############################################################################################################
###############################################################################################################
# TRAEFIK
# See video: https://youtu.be/CmUzMi5QLzI
# DUE TO COMPLEXITY, THIS WILL PULL A TEST CERTIFICATE. TO CHANGE, EDIT THE TRAEFIK.YAML FILE
###############################################################################################################
###############################################################################################################
traefik:
image: traefik:latest # or traefik:v3.3 to pin a version
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true # helps to increase security
secrets:
- cf-token # the secret at the top of this file
env_file:
- .env # store other secrets e.g., dashboard password
networks:
proxy:
ports:
- 80:80
- 443:443
environment:
# DUE TO COMPLEXITY, THIS WILL PULL A TEST CERTIFICATE. TO CHANGE, EDIT THE TRAEFIK.YAML FILE
- TRAEFIK_DASHBOARD_CREDENTIALS=${TRAEFIK_DASHBOARD_CREDENTIALS}
# - CF_API_EMAIL=your@email.com # Cloudflare email
# - CF_DNS_API_TOKEN=YOUR-TOKEN # Cloudflare API Token
- CF_DNS_API_TOKEN_FILE=/run/secrets/cf-token # see https://doc.traefik.io/traefik/https/acme/#providers
# token file is the proper way to do it
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ${WORKING_DIR}/traefik/traefik.yaml:/traefik.yaml:ro
# you will need to create the below acem.json before running and set permissions to 600
- ${WORKING_DIR}/traefik/acme.json:/acme.json
- ${WORKING_DIR}/traefik/config.yaml:/config.yaml:ro
- ${WORKING_DIR}/traefik/logs:/var/log/traefik
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=http"
- "traefik.http.routers.traefik.rule=Host(`traefik-docker.$DOMAIN`)"
- "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
- "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
- "traefik.http.routers.traefik-secure.entrypoints=https"
- "traefik.http.routers.traefik-secure.rule=Host(`traefik-docker.$DOMAIN`)"
- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
- "traefik.http.routers.traefik-secure.tls.domains[0].main=$DOMAIN"
- "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.$DOMAIN"
- "traefik.http.routers.traefik-secure.service=api@internal"
###############################################################################################################
###############################################################################################################
# CROWDSEC
# See video: https://youtu.be/bGOANkuxRNA
###############################################################################################################
###############################################################################################################
crowdsec:
image: crowdsecurity/crowdsec:latest
container_name: crowdsec
environment:
GID: "${GID-1000}"
COLLECTIONS: "crowdsecurity/traefik"
depends_on:
- 'traefik'
volumes:
- ./acquis.yaml:/etc/crowdsec/acquis.yaml
- ${WORKING_DIR}/crowdsec/db:/var/lib/crowdsec/data/
- ${WORKING_DIR}/crowdsec/config:/etc/crowdsec/
- ${WORKING_DIR}/traefik/logs:/var/log/traefik/:ro
networks:
- proxy
restart: unless-stopped
bouncer-traefik:
image: docker.io/fbonalair/traefik-crowdsec-bouncer:latest
container_name: bouncer-traefik
environment:
CROWDSEC_BOUNCER_API_KEY: a946jLUgh8AAoThQFEAfaTa5YkI5LSNhGWkzkdtTIns # generate in crowdsec container - cscli bouncer add - then add here and redeploy
CROWDSEC_AGENT_HOST: crowdsec:8080
networks:
- proxy # same network as traefik + crowdsec
depends_on:
- crowdsec
restart: unless-stopped
###############################################################################################################
###############################################################################################################
# PIHOLE & CLOUDFLARED
# See video: https://youtu.be/mnry95ay0Bk
###############################################################################################################
###############################################################################################################
# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
cloudflared:
container_name: cloudflared
# Restart on crashes and on reboots
restart: unless-stopped
image: cloudflare/cloudflared:latest
command: proxy-dns
environment:
- "TUNNEL_DNS_UPSTREAM=https://1.1.1.1/dns-query,https://1.0.0.1/dns-query,https://9.9.9.9/dns-query,https://149.112.112.9/dns-query"
# Listen on an unprivileged port
- "TUNNEL_DNS_PORT=5053"
# Listen on all interfaces
- "TUNNEL_DNS_ADDRESS=0.0.0.0"
# Attach cloudflared only to the private network
networks:
pihole_internal:
ipv4_address: 172.70.9.2
security_opt:
- no-new-privileges:true
pihole:
container_name: pihole
image: pihole/pihole:latest
ports:
# On Ubuntu port 53 is in use by resolved. Edit the file at /etc/systemd/resolved.conf and change the line DNSStubListener=yes to no, then use command sudo service systemd-resolved restart
- "53:53/tcp"
- "53:53/udp"
# - "67:67/udp" DHCP - uncomment if using it
- "500:80/tcp" # left port 500 open in case you need to connect via IP:500
# - "443:443/tcp"
networks:
pihole_internal:
ipv4_address: 172.70.9.3
proxy:
environment:
TZ: 'Europe/London'
# Set a password to access the web interface. Not setting one will result in a random password being assigned
FTLCONF_webserver_api_password: 'correct horse battery staple'
# If using Docker's default `bridge` network setting the dns listening mode should be set to 'all'3
FTLCONF_dns_listeningMode: 'all'
FTLCONF_dns_upstreams: '172.70.9.2#5053'
# Volumes store your data between container upgrades
volumes:
# - './custom.list:/etc/pihole/hosts/custom.list' # remember to add your domains to this
- '${WORKING_DIR}/pihole/:/etc/pihole/'
- '${WORKING_DIR}/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/'
# Recommended but not required (DHCP needs NET_ADMIN)
# https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
#cap_add:
# - NET_ADMIN
restart: unless-stopped
depends_on:
- cloudflared
labels:
- "traefik.enable=true"
- "traefik.http.routers.pihole.entrypoints=http"
- "traefik.http.routers.pihole.rule=Host(`piholev6.$DOMAIN`)"
- "traefik.http.middlewares.pihole-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.pihole.middlewares=pihole-https-redirect"
- "traefik.http.routers.pihole-secure.entrypoints=https"
- "traefik.http.routers.pihole-secure.rule=Host(`piholev6.$DOMAIN`)"
- "traefik.http.routers.pihole-secure.tls=true"
- "traefik.http.routers.pihole-secure.service=pihole"
- "traefik.http.services.pihole.loadbalancer.server.port=80"
- "traefik.docker.network=proxy"
###############################################################################################################
###############################################################################################################
# AUTHENTIK
# See video: https://youtu.be/1bTSOdYiIOQ
###############################################################################################################
###############################################################################################################
postgresql:
image: docker.io/library/postgres:16-alpine
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
start_period: 20s
interval: 30s
retries: 5
timeout: 5s
volumes:
- database:/var/lib/postgresql/data
environment:
POSTGRES_PASSWORD: ${PG_PASS:?database password required}
POSTGRES_USER: ${PG_USER:-authentik}
POSTGRES_DB: ${PG_DB:-authentik}
env_file:
- .env
redis:
image: docker.io/library/redis:alpine
command: --save 60 1 --loglevel warning
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
start_period: 20s
interval: 30s
retries: 5
timeout: 3s
volumes:
- redis:/data
server:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.1}
restart: unless-stopped
command: server
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
volumes:
- ${WORKING_DIR}/authentik/media:/media
- ${WORKING_DIR}/authentik/custom-templates:/templates
env_file:
- .env
#ports:
# - "${COMPOSE_PORT_HTTP:-9000}:9000"
# - "${COMPOSE_PORT_HTTPS:-9443}:9443"
depends_on:
postgresql:
condition: service_healthy
redis:
condition: service_healthy
networks:
proxy:
labels:
- "traefik.enable=true"
- "traefik.http.routers.authentik.entrypoints=http"
- "traefik.http.routers.authentik.rule=Host(`authentik.$DOMAIN`)"
- "traefik.http.middlewares.authentik-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.authentik.middlewares=authentik-https-redirect"
- "traefik.http.routers.authentik-secure.entrypoints=https"
- "traefik.http.routers.authentik-secure.rule=Host(`authentik.$DOMAIN`)"
- "traefik.http.routers.authentik-secure.tls=true"
- "traefik.http.routers.authentik-secure.service=authentik"
- "traefik.http.services.authentik.loadbalancer.server.scheme=https"
- "traefik.http.services.authentik.loadbalancer.server.port=9443"
- "traefik.docker.network=proxy"
worker:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.1}
restart: unless-stopped
command: worker
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
# `user: root` and the docker socket volume are optional.
# See more for the docker socket integration here:
# https://goauthentik.io/docs/outposts/integrations/docker
# Removing `user: root` also prevents the worker from fixing the permissions
# on the mounted folders, so when removing this make sure the folders have the correct UID/GID
# (1000:1000 by default)
user: root
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ${WORKING_DIR}/authentik/media:/media
- ${WORKING_DIR}/authentik/certs:/certs
- ${WORKING_DIR}/authentik/custom-templates:/templates
env_file:
- .env
depends_on:
postgresql:
condition: service_healthy
redis:
condition: service_healthy
###############################################################################################################
###############################################################################################################
# PORTAINER
###############################################################################################################
###############################################################################################################
portainer:
image: portainer/portainer-ce:latest
container_name: portainer
ports:
- 8000:8000
- 9443:9443
volumes:
- portainer_data:/data
- /var/run/docker.sock:/var/run/docker.sock
restart: unless-stopped
networks:
proxy:
labels:
- "traefik.enable=true"
- "traefik.http.routers.portainer.entrypoints=http"
- "traefik.http.routers.portainer.rule=Host(`portainer.$DOMAIN`)"
- "traefik.http.middlewares.portainer-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.portainer.middlewares=portainer-https-redirect"
- "traefik.http.routers.portainer-secure.entrypoints=https"
- "traefik.http.routers.portainer-secure.rule=Host(`portainer.$DOMAIN`)"
- "traefik.http.routers.portainer-secure.tls=true"
- "traefik.http.routers.portainer-secure.service=portainer"
- "traefik.http.services.portainer.loadbalancer.server.scheme=https"
- "traefik.http.services.portainer.loadbalancer.server.port=9443"
- "traefik.docker.network=proxy"
###############################################################################################################
###############################################################################################################
# GOTIFY
# See video: https://youtu.be/Ft69PY7iitw
###############################################################################################################
###############################################################################################################
gotify:
image: gotify/server
container_name: gotify
volumes:
- ${WORKING_DIR}/gotify:/app/data
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
proxy:
environment:
- TZ=Europe/London
labels:
- "traefik.enable=true"
- "traefik.http.routers.gotify.entrypoints=http"
- "traefik.http.routers.gotify.rule=Host(`gotify.$DOMAIN`)"
- "traefik.http.middlewares.gotify-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.gotify.middlewares=gotify-https-redirect"
- "traefik.http.routers.gotify-secure.entrypoints=https"
- "traefik.http.routers.gotify-secure.rule=Host(`gotify.$DOMAIN`)"
- "traefik.http.routers.gotify-secure.tls=true"
- "traefik.http.routers.gotify-secure.service=gotify"
- "traefik.http.services.gotify.loadbalancer.server.port=80"
- "traefik.docker.network=proxy"
###############################################################################################################
###############################################################################################################
# HOMEPAGE
# See video: https://youtu.be/4AwUNy2eztA
###############################################################################################################
###############################################################################################################
homepage:
image: ghcr.io/benphelps/homepage:latest
container_name: homepage
# uncomment if you do not want to run as root
#user: 1000:1000
# uncomment if you are not using a reverse proxy
#ports:
# - 3000:3000
volumes:
- ${WORKING_DIR}/homepage/config:/app/config # Make sure your local config directory exists
- /var/run/docker.sock:/var/run/docker.sock # (optional) For docker integrations
networks:
proxy:
labels:
- "traefik.enable=true"
- "traefik.http.routers.homepage.entrypoints=http"
- "traefik.http.routers.homepage.rule=Host(`homepage.$DOMAIN`)"
- "traefik.http.middlewares.homepage-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.homepage.middlewares=homepage-https-redirect"
- "traefik.http.routers.homepage-secure.entrypoints=https"
- "traefik.http.routers.homepage-secure.rule=Host(`homepage.$DOMAIN`)"
- "traefik.http.routers.homepage-secure.tls=true"
- "traefik.http.routers.homepage-secure.service=homepage"
- "traefik.http.services.homepage.loadbalancer.server.port=3000"
- "traefik.docker.network=proxy"
security_opt:
- no-new-privileges:true
###############################################################################################################
###############################################################################################################
# IT-TOOLS
# See video: https://youtu.be/CbIASgzUIUU
###############################################################################################################
###############################################################################################################
it-tools:
image: 'corentinth/it-tools:latest'
#ports:
# - '8080:80'
restart: unless-stopped
container_name: it-tools
networks:
- proxy
labels:
- "traefik.enable=true"
- "traefik.docker.network=proxy"
- "traefik.http.routers.it-tools.entrypoints=http"
- "traefik.http.routers.it-tools.rule=Host(`it-tools.$DOMAIN`)"
- "traefik.http.middlewares.it-tools-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.it-tools.middlewares=it-tools-https-redirect"
- "traefik.http.routers.it-tools-secure.entrypoints=https"
- "traefik.http.routers.it-tools-secure.rule=Host(`it-tools.$DOMAIN`)"
- "traefik.http.routers.it-tools-secure.tls=true"
- "traefik.http.routers.it-tools-secure.tls.certresolver=cloudflare"
- "traefik.http.routers.it-tools-secure.service=it-tools"
- "traefik.http.services.it-tools.loadbalancer.server.port=80"
###############################################################################################################
###############################################################################################################
# JELLYFIN
# See video: https://youtu.be/VHXefJ7Ne6I
###############################################################################################################
###############################################################################################################
jellyfin:
image: jellyfin/jellyfin
container_name: jellyfin
user: 1000:1000
#group_add:
# - '109' # This needs to be the group id of running `stat -c '%g' /dev/dri/renderD128` on the docker host
environment:
- TZ=Europe/London
volumes:
- ${WORKING_DIR}/jellyfin/config:/config
- ${WORKING_DIR}/jellyfin/cache:/cache
# You will need to map your NAS first (mount), then uncomment and reference below
# - /home/ubuntu/YOUR_NAS/Films:/Films:ro
# - /home/ubuntu/YOUR_NAS/TVShows:/TVShows:ro
# - /home/ubuntu/YOUR_NAS/Audiobooks:/Audiobooks:ro
# - /home/ubuntu/YOUR_NAS/Music:/Music:ro
#ports: You will need to uncomment if you aren't running through a proxy
# - 8096:8096
# - 8920:8920 #optional
# - 7359:7359/udp #optional
# - 1900:1900/udp #optional
#devices: uncomment these and amend if you require GPU accelerated transcoding - this is for Intel
# - /dev/dri/renderD128:/dev/dri/renderD128
# - /dev/dri/card0:/dev/dri/card0
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.routers.jellyfin.entrypoints=http"
- "traefik.http.routers.jellyfin.rule=Host(`jellyfin.$DOMAIN`)"
- "traefik.http.middlewares.jellyfin-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.jellyfin.middlewares=jellyfin-https-redirect"
- "traefik.http.routers.jellyfin-secure.entrypoints=https"
- "traefik.http.routers.jellyfin-secure.rule=Host(`jellyfin.$DOMAIN`)"
- "traefik.http.routers.jellyfin-secure.tls=true"
- "traefik.http.routers.jellyfin-secure.service=jellyfin"
- "traefik.http.services.jellyfin.loadbalancer.server.port=8096"
- "traefik.docker.network=proxy"
networks:
proxy:
security_opt:
- no-new-privileges:true
###############################################################################################################
###############################################################################################################
# MIROTALK
# See video: https://youtu.be/LuLzStcvia0
###############################################################################################################
###############################################################################################################
mirotalk:
image: mirotalk/p2p:latest
container_name: mirotalk
hostname: mirotalk
volumes:
- .env:/src/.env:ro
# These volumes are not mandatory, uncomment if you want to use it
# - ./app/:/src/app/:ro # useful for changing the UI JS
# - ./public/:/src/public/:ro
restart: unless-stopped
networks:
proxy:
# Uncomment ports and comment labels if you're not using a reverse proxy
#ports:
# - '${PORT}:${PORT}'
labels:
- "traefik.enable=true"
- "traefik.docker.network=proxy"
- "traefik.http.routers.mirotalk.entrypoints=http"
- "traefik.http.routers.mirotalk.rule=Host(`mirotalk.$DOMAIN`)"
- "traefik.http.middlewares.mirotalk-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.mirotalk.middlewares=mirotalk-https-redirect"
- "traefik.http.routers.mirotalk-secure.entrypoints=https"
- "traefik.http.routers.mirotalk-secure.rule=Host(`mirotalk.$DOMAIN`)"
- "traefik.http.routers.mirotalk-secure.tls=true"
- "traefik.http.routers.mirotalk-secure.tls.certresolver=cloudflare"
- "traefik.http.routers.mirotalk-secure.service=mirotalk"
- "traefik.http.services.mirotalk.loadbalancer.server.port=3000" # make sure the loadbalancer is the last line!!!
###############################################################################################################
###############################################################################################################
# RESTIC
# See video: https://youtu.be/WBBTC5WfGis
###############################################################################################################
###############################################################################################################
backup:
image: mazzolino/restic
container_name: restic
hostname: your_host_name
environment:
RUN_ON_STARTUP: "true" #change as you wish
BACKUP_CRON: "0 */12 * * *" #this is twice daily, i.e., every 12 hours
RESTIC_REPOSITORY: /restic
RESTIC_PASSWORD: MY_SUPER_LONG_PASSWORD
RESTIC_BACKUP_SOURCES: /mnt/volumes
RESTIC_COMPRESSION: auto
RESTIC_BACKUP_ARGS: >-
--tag restic-proxmox #add tags, whatever you need to mark backups
--verbose
RESTIC_FORGET_ARGS: >- #change as required
--keep-last 10
--keep-daily 7
--keep-weekly 5
--keep-monthly 12
TZ: Europe/London
volumes:
# this will store locally
- ${WORKING_DIR}/restic:/restic
- ${WORKING_DIR}/restic-restore:/tmp-for-restore
# recommend to store on a NAS or other device - uncomment below
# - /home/ubuntu/truenas/Restic-Proxmox-Backup:/restic #change the left hand side to where you want to store the backups. As you can see I'm storing it on my NAS that is mounted to the host /home/truenas
# - /home/ubuntu/truenas/Restic-Proxmox-Backup/tmp-for-restore:/tmp-for-restore #USE THIS FOLDER FOR RESTORE - CAN VIEW EACH CONTAINER
# The data of your existing containers (i.e., all of the containers in here /docker)
- ${WORKING_DIR}:/mnt/volumes:ro
security_opt:
- no-new-privileges:true
prune:
image: mazzolino/restic
container_name: restic-prune
hostname: your_host_name
environment:
RUN_ON_STARTUP: "true"
PRUNE_CRON: "0 0 4 * * *"
RESTIC_REPOSITORY: /restic
RESTIC_PASSWORD: USE_SAME_PASSWORD_AS_ABOVE
TZ: Europe/London
security_opt:
- no-new-privileges:true
check:
image: mazzolino/restic
container_name: restic-check
hostname: your_host_name
environment:
RUN_ON_STARTUP: "false"
CHECK_CRON: "0 15 5 * * *"
RESTIC_CHECK_ARGS: >-
--read-data-subset=10%
RESTIC_REPOSITORY: /restic
RESTIC_PASSWORD: USE_SAME_PASSWORD_AS_ABOVE
TZ: Europe/London
security_opt:
- no-new-privileges:true
###############################################################################################################
###############################################################################################################
# UPTIME_KUMA
# See video: https://youtu.be/0FId6vahLAI
###############################################################################################################
###############################################################################################################
uptime-kuma:
image: louislam/uptime-kuma:1
container_name: uptime-kuma
volumes:
- ${WORKING_DIR}/uptime-kuma:/app/data
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
proxy:
labels:
- "traefik.enable=true"
- "traefik.http.routers.uptime-kuma.entrypoints=http"
- "traefik.http.routers.uptime-kuma.rule=Host(`uptime-kuma.$DOMAIN`)"
- "traefik.http.middlewares.uptime-kuma-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.uptime-kuma.middlewares=uptime-kuma-https-redirect"
- "traefik.http.routers.uptime-kuma-secure.entrypoints=https"
- "traefik.http.routers.uptime-kuma-secure.rule=Host(`uptime-kuma.$DOMAIN`)"
- "traefik.http.routers.uptime-kuma-secure.tls=true"
- "traefik.http.routers.uptime-kuma-secure.service=uptime-kuma"
- "traefik.http.services.uptime-kuma.loadbalancer.server.port=3001"
- "traefik.docker.network=proxy"
###############################################################################################################
###############################################################################################################
# VAULTWARDEN
# See video: https://youtu.be/DnAOiYhdiII
###############################################################################################################
###############################################################################################################
vaultwarden:
container_name: vaultwarden
image: vaultwarden/server:latest
volumes:
- '${WORKING_DIR}/vaultwarden/:/data/'
restart: unless-stopped
networks:
proxy:
labels:
- "traefik.enable=true"
- "traefik.http.routers.vaultwarden.entrypoints=http"
- "traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.$DOMAIN`)"
- "traefik.http.middlewares.vaultwarden-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.vaultwarden.middlewares=vaultwarden-https-redirect"
- "traefik.http.routers.vaultwarden-secure.entrypoints=https"
- "traefik.http.routers.vaultwarden-secure.rule=Host(`vaultwarden.$DOMAIN`)"
- "traefik.http.routers.vaultwarden-secure.tls=true"
- "traefik.http.routers.vaultwarden-secure.service=vaultwarden"
- "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
- "traefik.docker.network=proxy"
security_opt:
- no-new-privileges:true
###############################################################################################################
###############################################################################################################
# WIREGUARD
# See video: https://youtu.be/C59dOinNurk
###############################################################################################################
###############################################################################################################
wireguard-easy:
image: ghcr.io/wg-easy/wg-easy
container_name: wg-easy
volumes:
- ${WORKING_DIR}/wireguard-easy/etc_wireguard:/etc/wireguard
ports:
- "51820:51820/udp"
# - "51821:51821/tcp"
restart: unless-stopped
networks:
- proxy
cap_add:
- NET_ADMIN
- SYS_MODULE
# - NET_RAW # ?? Uncomment if using Podman
sysctls:
- net.ipv4.ip_forward=1
- net.ipv4.conf.all.src_valid_mark=1
labels:
- "traefik.enable=true"
- "traefik.docker.network=proxy"
- "traefik.http.routers.wireguard.entrypoints=http"
- "traefik.http.routers.wireguard.rule=Host(`wireguard.$DOMAIN`)"
- "traefik.http.middlewares.wireguard-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.wireguard.middlewares=wireguard-https-redirect"
- "traefik.http.routers.wireguard-secure.entrypoints=https"
- "traefik.http.routers.wireguard-secure.rule=Host(`wireguard.$DOMAIN`)"
- "traefik.http.routers.wireguard-secure.tls=true"
- "traefik.http.routers.wireguard-secure.tls.certresolver=cloudflare"
- "traefik.http.routers.wireguard-secure.service=wireguard"
- "traefik.http.services.wireguard.loadbalancer.server.port=51821"
volumes:
portainer_data:
database:
driver: local
redis:
driver: local
networks:
proxy:
name: proxy
driver: bridge
ipam:
config:
- subnet: 10.8.250.0/24
pihole_internal:
name: pihole_internal
driver: bridge
ipam:
config:
- subnet: 172.70.9.0/29

1
Popup-Homelab/docker/traefik/acme.json Normal file
View File

@ -0,0 +1 @@
remember to chmod this to 600!!!

40
Popup-Homelab/docker/traefik/config.yaml Normal file
View File

@ -0,0 +1,40 @@
http:
middlewares:
crowdsec-bouncer:
forwardauth:
address: http://bouncer-traefik:8080/api/v1/forwardAuth
trustForwardHeader: true
# https://github.com/goauthentik/authentik/issues/2366
middlewares-authentik:
forwardAuth:
address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version
default-security-headers:
headers:
customBrowserXSSValue: 0 # X-XSS-Protection=1; mode=block
contentTypeNosniff: true # X-Content-Type-Options=nosniff
forceSTSHeader: true # Add the Strict-Transport-Security header even when the connection is HTTP
frameDeny: false # X-Frame-Options=deny
referrerPolicy: "strict-origin-when-cross-origin"
stsIncludeSubdomains: true # Add includeSubdomains to the Strict-Transport-Security header
stsPreload: true # Add preload flag appended to the Strict-Transport-Security header
stsSeconds: 3153600 # Set the max-age of the Strict-Transport-Security header (63072000 = 2 years)
contentSecurityPolicy: "default-src 'self'"
customRequestHeaders:
X-Forwarded-Proto: https
https-redirectscheme:
redirectScheme:
scheme: https
permanent: true

49
Popup-Homelab/docker/traefik/traefik.yaml Normal file
View File

@ -0,0 +1,49 @@
api:
dashboard: true
debug: true
entryPoints:
http:
address: ":80"
http:
middlewares:
- crowdsec-bouncer@file
redirections:
entrypoint:
to: https
scheme: https
https:
address: ":443"
http:
middlewares:
- crowdsec-bouncer@file
tcp:
address: ":10000"
apis:
address: ":33073"
serversTransport:
insecureSkipVerify: true
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
file:
filename: /config.yaml
certificatesResolvers:
cloudflare:
acme:
# caServer: https://acme-v02.api.letsencrypt.org/directory # production (default)
caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging (testing)
email: your@email.com
storage: acme.json
dnsChallenge:
provider: cloudflare
# disablePropagationCheck: true # Some people using Cloudflare note this can solve DNS propagation issues.
resolvers:
- "1.1.1.1:53"
- "1.0.0.1:53"
log:
level: "INFO"
filePath: "/var/log/traefik/traefik.log"
accessLog:
filePath: "/var/log/traefik/access.log"