├── archives ├── traefik_v1 │ ├── traefik1-standalone │ │ ├── rules.toml │ │ └── rules │ │ │ └── synplex.toml │ └── traefik1-swarm │ │ └── rules │ │ ├── hassio_nodered.toml │ │ ├── plex.toml │ │ ├── synology.toml │ │ ├── xiaofang1.toml │ │ ├── webmin.toml │ │ ├── backcam.toml │ │ ├── frontcam.toml │ │ ├── pihole.toml │ │ ├── transmission.toml │ │ ├── hassio.toml │ │ ├── printer.toml │ │ ├── hassio_vscode.toml │ │ ├── dsmfiles.toml │ │ ├── hassio_ssh_terminal.toml │ │ ├── portainer.toml │ │ ├── shellinabox.toml │ │ └── plexwebtools.toml └── traefik_v3-pre-deployrr │ └── custom │ ├── Dockerfile-csdash │ └── Dockerfile-php7 ├── commits ├── 2020 │ ├── 2020_10_24.txt │ ├── 2020_10_06.txt │ ├── 2020_11_29.txt │ ├── 2020_10_20.txt │ ├── 2020_10_05.txt │ ├── 2020_10_14.txt │ └── 2020_08_21.txt ├── 2021 │ ├── 2021_04_08.txt │ ├── 2021_05_14.txt │ ├── 2021_08_09.txt │ ├── 2021_03_11.txt │ └── 2021_10_04.txt ├── 2022 │ ├── 2022_02_06.txt │ ├── 2022_06_19.txt │ ├── 2022_02_23.txt │ ├── 2022_06_26.txt │ ├── 2022_02_04.txt │ ├── 2022_05_19.txt │ ├── 2022_02_21.txt │ └── 2022_06_15.txt ├── 2023 │ ├── 2023_03_02.txt │ └── 2023_01_26.txt ├── 2024 │ ├── 2024_01_30.txt │ ├── 2024_05_30.txt │ ├── 2024_01_19.txt │ ├── 2024_01_22.txt │ └── 2024_05_01.txt └── 2025_10_15.txt ├── secrets_example ├── basic_auth_credentials ├── cf_dns_api_token └── traefik_forward_auth ├── appdata ├── nginx │ ├── conf.d │ │ ├── blockips.conf │ │ ├── upstream.conf │ │ ├── webp.conf │ │ └── fastcgi.conf │ ├── common │ │ ├── acl.conf │ │ ├── disabled │ │ │ ├── php5.conf.disabled │ │ │ ├── hack-protection.conf.disabled │ │ │ ├── shb-ssl.conf.disabled │ │ │ ├── selfhosted-cdn.conf.disabled │ │ │ └── commentspam.conf.disabled │ │ ├── hotlink.conf │ │ ├── wp-rankmath-sitemap-config.conf │ │ ├── php7 │ │ │ ├── wp-common-php.conf │ │ │ └── nonwp-nfc-php.conf │ │ ├── nonwp-common-php.conf │ │ ├── wp-yoast-sitemap-config.conf │ │ └── php8 │ │ │ ├── wp-common-php.conf │ │ │ └── nonwp-nfc-php.conf │ └── sites │ │ ├── 
dash.conf │ │ ├── khub.conf │ │ ├── deployrr.conf │ │ └── simplehomelab.conf ├── traefik2 │ └── rules │ │ ├── ws │ │ ├── middlewares-compress.yml │ │ ├── middlewares-rate-limit.yml │ │ ├── chain-oauth-no-crowdsec.yml │ │ ├── chain-no-auth.yml │ │ ├── middlewares-basic-auth.yml │ │ ├── chain-no-auth-wp.yml │ │ ├── middlewares-traefik-bouncer.yml │ │ ├── middlewares-oauth.yml │ │ ├── chain-no-auth-crowdsec-wp.yml │ │ ├── chain-authelia.yml │ │ ├── chain-basic-auth.yml │ │ ├── chain-oauth.yml │ │ ├── middlewares-authelia.yml │ │ ├── chain-authelia-wp.yml │ │ ├── middlewares-secure-headers-wp.yml │ │ └── tls-opts.yml │ │ ├── ds918 │ │ ├── middlewares-compress.yml │ │ ├── middlewares-rate-limit.yml │ │ ├── chain-no-auth.yml │ │ ├── chain-oauth.yml │ │ ├── chain-basic-auth.yml │ │ ├── middlewares-oauth-external.yml │ │ ├── middlewares-basic-auth.yml │ │ ├── chain-oauth-external.yml │ │ ├── middlewares-oauth.yml │ │ ├── middlewares-buffering.yml │ │ ├── app-ds918-dsm-oauth.yml.example │ │ ├── app-ds918-video-oauth.yml.example │ │ └── tls-opts.yml │ │ ├── hs │ │ ├── middlewares-compress.yml │ │ ├── middlewares-rate-limit.yml │ │ ├── chain-no-auth-no-crowdsec.yml │ │ ├── chain-oauth-no-crowdsec.yml │ │ ├── middlewares-basic-auth.yml │ │ ├── middlewares-traefik-bouncer.yml │ │ ├── middlewares-oauth.yml │ │ ├── chain-authelia.yml │ │ ├── middlewares-authelia.yml │ │ ├── chain-no-auth.yml │ │ ├── middlewares-oauth-external.yml │ │ ├── middlewares-buffering.yml │ │ ├── chain-oauth.yml │ │ ├── chain-basic-auth.yml │ │ ├── chain-oauth-external.yml │ │ ├── domain-passthrough.yml.example │ │ ├── app-plex-no-auth.yml.example │ │ ├── app-haos-no-auth.yml.example │ │ ├── app-adguard-home-oauth.yml.example │ │ ├── app-adguard-home-authelia.yml.example │ │ ├── app-pihole-oauth.yml.example │ │ ├── app-proxmox-ve-oauth.yml.example │ │ ├── app-unifi-controller-authelia.example │ │ ├── tls-opts.yml │ │ ├── app-tautulli-with-auth-bypass.yml.example │ │ └── middlewares-secure-headers.yml │ │ 
└── toml │ │ ├── app-hassio.toml.example │ │ ├── app-unifi.toml.example │ │ └── app-pihole.toml.example ├── php │ ├── php8 │ │ ├── php-fpm.d │ │ │ ├── zz-docker.conf │ │ │ ├── www.conf │ │ │ ├── wordpress.conf │ │ │ └── docker.conf │ │ ├── php │ │ │ ├── conf.d │ │ │ │ ├── extensions.ini.example │ │ │ │ ├── opcache.ini.new │ │ │ │ ├── extensions.ini │ │ │ │ ├── opcache.ini │ │ │ │ ├── opcache.ini.example │ │ │ │ └── opcache.ini.old │ │ │ └── php.ini │ │ └── pear.conf │ └── php7 │ │ └── conf.d │ │ ├── extensions.ini │ │ └── opcache.ini ├── traefik3 │ └── rules │ │ ├── hs │ │ ├── middlewares-rate-limit.yml │ │ ├── chain-oauth.yml │ │ ├── chain-no-auth.yml │ │ ├── chain-basic-auth.yml │ │ ├── middlewares-basic-auth.yml │ │ ├── middlewares-oauth.yml │ │ ├── middlewares-buffering.yml │ │ └── tls-opts.yml │ │ └── ws-arm │ │ ├── middlewares-rate-limit.yml │ │ ├── chain-no-auth.yml │ │ ├── chain-no-auth-simple.yml │ │ ├── chain-oauth.yml │ │ ├── chain-basic-auth.yml │ │ ├── middlewares-basic-auth.yml │ │ ├── chain-no-auth-wp.yml │ │ ├── middlewares-oauth.yml │ │ ├── chain-no-auth-crowdsec-wp.yml │ │ ├── middlewares-buffering.yml │ │ ├── middlewares-secure-headers-wp.yml │ │ └── tls-opts.yml ├── rclone │ ├── rclone-logrotate.conf.example │ └── rclone.conf.example └── authelia │ └── users.yml.example ├── scripts └── ds918 │ ├── change_perms_plex_hw.sh.example │ ├── increase_inotify_limits_syncthing.sh.example │ └── switch_ports.sh.example ├── compose ├── hs │ ├── custom.yml │ ├── it-tools.yml │ ├── adminer.yml │ ├── uptime-kuma.yml │ ├── firefly.yml │ ├── deunhealth.yml │ ├── maintainerr.yml │ ├── firefly-importer.yml │ ├── prowlarr.yml │ ├── bazarr.yml │ ├── notifiarr.yml │ ├── picard.yml │ ├── sabnzbd.yml │ ├── cloud-commander.yml │ ├── lidarr.yml │ ├── kometa.yml │ ├── radarr.yml │ ├── sonarr.yml │ ├── wud.yml │ ├── deployrr-dashboard.yml │ ├── dozzle.yml │ ├── makemkv.yml │ ├── cleanuparr.yml │ ├── mkvtoolnix.yml │ ├── stirling-pdf.yml │ ├── docker-gc.yml │ ├── 
glances.yml │ ├── qbittorrent-vpn.yml │ └── oauth.yml ├── mds │ ├── custom.yml │ ├── plex-image-cleanup.yml │ ├── influxdb.yml │ ├── plex-meta-manager.yml │ ├── tautulli.yml │ ├── mariadb.yml │ ├── node-exporter.yml │ ├── docker-gc.yml │ ├── pgsql-teslamate.yml │ ├── prometheus.yml │ ├── jellyfin.yml │ ├── airsonic-advanced.yml │ └── mosquitto.yml ├── ws-arm │ ├── custom.yml │ ├── traefik-error-log.yml │ ├── traefik-access-log.yml │ ├── adminer.yml │ ├── qdrant.yml │ ├── influxdb.yml │ ├── pgadmin.yml │ ├── wikidocs.yml │ ├── redis-disk.yml │ ├── sshwifty.yml │ ├── grafana.yml │ ├── open-webui.yml │ ├── ollama.yml │ ├── cloudflare-bouncer.yml │ ├── deployrr-dashboard.yml │ ├── phpmyadmin.yml │ ├── portchecker-api.yml │ ├── redis.yml │ ├── openhands.yml │ ├── remmina.yml │ ├── dozzle.yml │ ├── mariadb.yml │ ├── crawl4ai.yml │ ├── chromium.yml │ ├── postgresql.yml │ ├── php7.yml │ ├── prometheus.yml │ ├── portchecker.yml │ ├── vscode.yml │ ├── crowdsec.yml │ ├── glances.yml │ ├── php8.yml │ └── postgresql-vector.yml ├── archives │ ├── dns │ │ ├── unbound.yml │ │ ├── adguardhome-sync.yml │ │ ├── adguardhome.yml │ │ └── ddns-updater.yml │ ├── loki.yml │ ├── cloudflare-ddns.yml │ ├── miflora.yml │ ├── postgres.yml │ ├── adguardhome-sync.yml │ ├── smtp-to-telegram.yml │ ├── promtail.yml │ ├── flaresolverr.yml │ ├── autoscan.yml │ ├── ha-dockermon.yml │ ├── apcupsd.yml │ ├── node-exporter.yml │ ├── traefik-certs-dumper.yml │ ├── certdumper.yml │ ├── cloudplow.yml │ ├── watchtower.yml │ ├── mosquitto.yml │ ├── plex-trakt-sync.yml │ ├── tdarr-node.yml │ ├── plex-sync.yml │ ├── nzbhydra.yml │ ├── digikam.yml │ ├── headscale.yml │ ├── photoshow.yml │ ├── ouroboros.yml │ ├── redis-commander.yml │ ├── ombi.yml │ ├── autoindex.yml │ ├── cloud-commander.yml │ ├── funkwhale.yml │ ├── ampache.yml │ ├── smokeping.yml │ ├── metube.yml │ ├── cadvisor.yml │ ├── heimdall.yml │ ├── crowdsec-metabase.yml │ ├── xteve.yml │ ├── filebrowser.yml │ ├── gonic.yml │ ├── homepage.yml │ ├── 
cloud9.yml │ ├── navidrome.yml │ ├── jackett.yml │ ├── crowdsec-blocklist.yml │ ├── dashy.yml │ └── readarr.yml └── ds918 │ ├── zerotier.yml │ ├── certdumper.yml │ ├── adguardhome.yml │ ├── ddns-updater.yml │ ├── docker-gc.yml │ └── syncthing.yml ├── .github └── FUNDING.yml ├── .env.example └── LICENSE /archives/traefik_v1/traefik1-standalone/rules.toml: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /commits/2020/2020_10_24.txt: -------------------------------------------------------------------------------- 1 | * Updated README with more details. -------------------------------------------------------------------------------- /secrets_example/basic_auth_credentials: -------------------------------------------------------------------------------- 1 | users:hashed-password -------------------------------------------------------------------------------- /appdata/nginx/conf.d/blockips.conf: -------------------------------------------------------------------------------- 1 | # Block IP Address 2 | # deny 1.1.1.1; 3 | -------------------------------------------------------------------------------- /secrets_example/cf_dns_api_token: -------------------------------------------------------------------------------- 1 | h_P8lkjsdADDjf_plsadlksjdfD894SXsdlkjdfikwj52 2 | -------------------------------------------------------------------------------- /commits/2020/2020_10_06.txt: -------------------------------------------------------------------------------- 1 | Connected to Traefik Pilot 2 | Added healthchecks, ping, and autoheal -------------------------------------------------------------------------------- /commits/2020/2020_11_29.txt: -------------------------------------------------------------------------------- 1 | * Modified socket proxy to allow portainer connections to 2375 from local network. 
-------------------------------------------------------------------------------- /appdata/traefik2/rules/ws/middlewares-compress.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-compress: 4 | compress: {} -------------------------------------------------------------------------------- /appdata/traefik2/rules/ds918/middlewares-compress.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-compress: 4 | compress: {} -------------------------------------------------------------------------------- /appdata/traefik2/rules/hs/middlewares-compress.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-compress: 4 | compress: {} 5 | -------------------------------------------------------------------------------- /appdata/nginx/conf.d/upstream.conf: -------------------------------------------------------------------------------- 1 | upstream php8 { 2 | server php8:9000; 3 | } 4 | 5 | upstream php8wp { 6 | server php8:9001; 7 | } 8 | -------------------------------------------------------------------------------- /appdata/php/php8/php-fpm.d/zz-docker.conf: -------------------------------------------------------------------------------- 1 | [global] 2 | daemonize = no 3 | 4 | [www] 5 | listen = 9000 6 | 7 | [wordpress] 8 | listen = 9001 -------------------------------------------------------------------------------- /commits/2020/2020_10_20.txt: -------------------------------------------------------------------------------- 1 | * Switched from Authelia to Google OAuth. Authelia seemed to have too much overhead for a single user environment. 
2 | * updated README -------------------------------------------------------------------------------- /scripts/ds918/change_perms_plex_hw.sh.example: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Change permissions of GPU so Plex on Docker can do Hardware transcoding. 4 | 5 | chmod 777 /dev/dri* -------------------------------------------------------------------------------- /appdata/traefik2/rules/ws/middlewares-rate-limit.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-rate-limit: 4 | rateLimit: 5 | average: 100 6 | burst: 50 -------------------------------------------------------------------------------- /appdata/traefik2/rules/ds918/middlewares-rate-limit.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-rate-limit: 4 | rateLimit: 5 | average: 100 6 | burst: 50 -------------------------------------------------------------------------------- /appdata/traefik2/rules/hs/middlewares-rate-limit.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-rate-limit: 4 | rateLimit: 5 | average: 100 6 | burst: 50 7 | -------------------------------------------------------------------------------- /appdata/traefik3/rules/hs/middlewares-rate-limit.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-rate-limit: 4 | rateLimit: 5 | average: 100 6 | burst: 50 7 | -------------------------------------------------------------------------------- /appdata/traefik3/rules/ws-arm/middlewares-rate-limit.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-rate-limit: 4 | rateLimit: 5 | average: 100 6 | burst: 50 7 | 
-------------------------------------------------------------------------------- /compose/hs/custom.yml: -------------------------------------------------------------------------------- 1 | # Add all your custom docker compose snippets here. Auto-Traefik will not modify this. 2 | # Uncomment services and the compose below it, following yaml syntax. 3 | 4 | # services: 5 | -------------------------------------------------------------------------------- /compose/mds/custom.yml: -------------------------------------------------------------------------------- 1 | # Add all your custom docker compose snippets here. Auto-Traefik will not modify this. 2 | # Uncomment services and the compose below it, following yaml syntax. 3 | 4 | # services: 5 | -------------------------------------------------------------------------------- /compose/ws-arm/custom.yml: -------------------------------------------------------------------------------- 1 | # Add all your custom docker compose snippets here. Auto-Traefik will not modify this. 2 | # Uncomment services and the compose below it, following yaml syntax. 
3 | 4 | # services: 5 | -------------------------------------------------------------------------------- /appdata/nginx/conf.d/webp.conf: -------------------------------------------------------------------------------- 1 | # Insert this block before the server directive, which creates the $webp_suffix if the browser supports WebP 2 | map $http_accept $webp_suffix { 3 | default ""; 4 | "~*webp" ".webp"; 5 | } -------------------------------------------------------------------------------- /archives/traefik_v3-pre-deployrr/custom/Dockerfile-csdash: -------------------------------------------------------------------------------- 1 | FROM metabase/metabase 2 | 3 | RUN mkdir /data/ && wget https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/metabase_sqlite.zip && unzip metabase_sqlite.zip -d /data/ -------------------------------------------------------------------------------- /commits/2021/2021_04_08.txt: -------------------------------------------------------------------------------- 1 | * Several updates 2021_04_08. See full commit log. 
2 | * Updated cloudflare IPs removed 104.16.0.0/12 and added 104.16.0.0/13,104.24.0.0/14 3 | * Updated traefik from picodon (v2.3.x) to livarot (v2.4.x) -------------------------------------------------------------------------------- /appdata/traefik3/rules/hs/chain-oauth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-oauth: 4 | chain: 5 | middlewares: 6 | - middlewares-rate-limit 7 | - middlewares-secure-headers 8 | - middlewares-oauth -------------------------------------------------------------------------------- /appdata/traefik2/rules/ds918/chain-no-auth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-no-auth: 4 | chain: 5 | middlewares: 6 | - middlewares-rate-limit 7 | - middlewares-secure-headers 8 | - middlewares-compress -------------------------------------------------------------------------------- /appdata/traefik3/rules/hs/chain-no-auth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-no-auth: 4 | chain: 5 | middlewares: 6 | - middlewares-rate-limit 7 | - middlewares-secure-headers 8 | # - middlewares-compress 9 | -------------------------------------------------------------------------------- /appdata/traefik3/rules/ws-arm/chain-no-auth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-no-auth: 4 | chain: 5 | middlewares: 6 | - middlewares-rate-limit 7 | - middlewares-secure-headers 8 | # - middlewares-compress 9 | -------------------------------------------------------------------------------- /appdata/traefik2/rules/ws/chain-oauth-no-crowdsec.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-oauth-no-crowdsec: 4 | chain: 5 | middlewares: 6 | - middlewares-rate-limit 7 | - 
middlewares-secure-headers-wp 8 | - middlewares-oauth -------------------------------------------------------------------------------- /appdata/traefik2/rules/hs/chain-no-auth-no-crowdsec.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-no-auth-no-crowdsec: 4 | chain: 5 | middlewares: 6 | - middlewares-rate-limit 7 | - middlewares-secure-headers 8 | #- middlewares-compress -------------------------------------------------------------------------------- /appdata/traefik3/rules/ws-arm/chain-no-auth-simple.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-no-auth-simple: 4 | chain: 5 | middlewares: 6 | - middlewares-rate-limit 7 | # - middlewares-secure-headers 8 | # - middlewares-compress 9 | -------------------------------------------------------------------------------- /appdata/nginx/common/acl.conf: -------------------------------------------------------------------------------- 1 | # EasyEngine (ee) protect locations using 2 | # HTTP authentication || IP address 3 | satisfy any; 4 | auth_basic "Restricted Area"; 5 | auth_basic_user_file /var/run/secrets/htpasswd; 6 | # Allowed IP Address List 7 | allow 127.0.0.1; 8 | deny all; 9 | -------------------------------------------------------------------------------- /appdata/rclone/rclone-logrotate.conf.example: -------------------------------------------------------------------------------- 1 | /home/USER/docker/appdata/rclone/logs/*.log { 2 | daily 3 | rotate 7 4 | notifempty 5 | missingok 6 | compress 7 | delaycompress 8 | su USER USER 9 | create 0664 USER USER 10 | size 20M 11 | } -------------------------------------------------------------------------------- /appdata/traefik2/rules/ds918/chain-oauth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-oauth: 4 | chain: 5 | middlewares: 6 | - 
middlewares-rate-limit 7 | - middlewares-secure-headers 8 | - middlewares-oauth 9 | - middlewares-compress -------------------------------------------------------------------------------- /appdata/traefik2/rules/ds918/chain-basic-auth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-basic-auth: 4 | chain: 5 | middlewares: 6 | - middlewares-rate-limit 7 | - middlewares-secure-headers 8 | - middlewares-basic-auth 9 | - middlewares-compress -------------------------------------------------------------------------------- /appdata/traefik3/rules/ws-arm/chain-oauth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-oauth: 4 | chain: 5 | middlewares: 6 | # - plugins-crowdsec-traefik-bouncer 7 | - middlewares-rate-limit 8 | - middlewares-secure-headers 9 | - middlewares-oauth -------------------------------------------------------------------------------- /commits/2022/2022_02_06.txt: -------------------------------------------------------------------------------- 1 | * Several updates 2022_02_06. See full commit log. 2 | * Moved homeserver rules and scripts (main docker-compose-t2.yml) to its own folders 3 | * Fixed oauth secrets. It works now. See https://github.com/htpcBeginner/docker-traefik/pull/229. 
4 | * Fixed bugs in bash_aliases -------------------------------------------------------------------------------- /appdata/traefik2/rules/hs/chain-oauth-no-crowdsec.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-oauth-no-crowdsec: 4 | chain: 5 | middlewares: 6 | - middlewares-rate-limit 7 | - middlewares-secure-headers 8 | - middlewares-oauth 9 | #- middlewares-compress -------------------------------------------------------------------------------- /appdata/traefik2/rules/ws/chain-no-auth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-no-auth: 4 | chain: 5 | middlewares: 6 | # - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec 7 | - middlewares-rate-limit 8 | - middlewares-secure-headers -------------------------------------------------------------------------------- /appdata/traefik2/rules/ds918/middlewares-oauth-external.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-oauth-external: 4 | forwardAuth: 5 | address: "https://oauth.{{env "DOMAINNAME_DS918"}}" 6 | trustForwardHeader: true 7 | authResponseHeaders: 8 | - "X-Forwarded-User" -------------------------------------------------------------------------------- /appdata/traefik3/rules/hs/chain-basic-auth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-basic-auth: 4 | chain: 5 | middlewares: 6 | - middlewares-rate-limit 7 | - middlewares-secure-headers 8 | - middlewares-basic-auth 9 | # - middlewares-compress 10 | -------------------------------------------------------------------------------- /appdata/traefik2/rules/hs/middlewares-basic-auth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-basic-auth: 4 | 
basicAuth: 5 | # users: 6 | # - "user:$apsdfswWvC/6.$E3FtsfTntPC0wVJ7IUVtX1" 7 | usersFile: "/run/secrets/basic_auth_credentials" 8 | realm: "Traefik 2 Basic Auth" -------------------------------------------------------------------------------- /appdata/traefik2/rules/ws/middlewares-basic-auth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-basic-auth: 4 | basicAuth: 5 | # users: 6 | # - "user:$apsdfswWvC/6.$E3FtsfTntPC0wVJ7IUVtX1" 7 | usersFile: "/run/secrets/basic_auth_credentials" 8 | realm: "Traefik 2 Basic Auth" -------------------------------------------------------------------------------- /appdata/traefik3/rules/hs/middlewares-basic-auth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-basic-auth: 4 | basicAuth: 5 | # users: 6 | # - "user:$apsdfswWvC/6.$E3FtsfTntPC0wVJ7IUVtX1" 7 | usersFile: "/run/secrets/basic_auth_credentials" 8 | realm: "Traefik Basic Auth" -------------------------------------------------------------------------------- /appdata/traefik3/rules/ws-arm/chain-basic-auth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-basic-auth: 4 | chain: 5 | middlewares: 6 | - middlewares-rate-limit 7 | - middlewares-secure-headers 8 | - middlewares-basic-auth 9 | # - middlewares-compress 10 | -------------------------------------------------------------------------------- /appdata/traefik2/rules/ds918/middlewares-basic-auth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-basic-auth: 4 | basicAuth: 5 | # users: 6 | # - "user:$apsdfswWvC/6.$E3FtsfTntPC0wVJ7IUVtX1" 7 | usersFile: "/run/secrets/basic_auth_credentials" 8 | realm: "Traefik 2 Basic Auth" -------------------------------------------------------------------------------- 
/appdata/traefik2/rules/hs/middlewares-traefik-bouncer.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-traefik-bouncer: 4 | forwardAuth: 5 | address: "http://traefik-bouncer:8080/api/v1/forwardAuth" # Make sure you have the traefik-bouncer service in docker-compose.yml 6 | trustForwardHeader: true -------------------------------------------------------------------------------- /appdata/traefik2/rules/ws/chain-no-auth-wp.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-no-auth-wp: 4 | chain: 5 | middlewares: 6 | # - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec 7 | - middlewares-rate-limit 8 | - middlewares-secure-headers-wp 9 | -------------------------------------------------------------------------------- /appdata/traefik2/rules/ws/middlewares-traefik-bouncer.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-traefik-bouncer: 4 | forwardAuth: 5 | address: "http://traefik-bouncer:8080/api/v1/forwardAuth" # Make sure you have the traefik-bouncer service in docker-compose.yml 6 | trustForwardHeader: true -------------------------------------------------------------------------------- /appdata/traefik3/rules/ws-arm/middlewares-basic-auth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-basic-auth: 4 | basicAuth: 5 | # users: 6 | # - "user:$apsdfswWvC/6.$E3FtsfTntPC0wVJ7IUVtX1" 7 | usersFile: "/run/secrets/basic_auth_credentials" 8 | realm: "Traefik Basic Auth" -------------------------------------------------------------------------------- /appdata/traefik2/rules/hs/middlewares-oauth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-oauth: 4 | 
forwardAuth: 5 | address: "http://oauth:4181" # Make sure you have the OAuth service in docker-compose.yml 6 | trustForwardHeader: true 7 | authResponseHeaders: 8 | - "X-Forwarded-User" -------------------------------------------------------------------------------- /appdata/traefik2/rules/ws/middlewares-oauth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-oauth: 4 | forwardAuth: 5 | address: "http://oauth:4181" # Make sure you have the OAuth service in docker-compose.yml 6 | trustForwardHeader: true 7 | authResponseHeaders: 8 | - "X-Forwarded-User" -------------------------------------------------------------------------------- /appdata/traefik3/rules/ws-arm/chain-no-auth-wp.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-no-auth-wp: 4 | chain: 5 | middlewares: 6 | # - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec 7 | - middlewares-rate-limit 8 | - middlewares-secure-headers-wp 9 | -------------------------------------------------------------------------------- /appdata/traefik2/rules/ds918/chain-oauth-external.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-oauth-external: 4 | chain: 5 | middlewares: 6 | - middlewares-rate-limit 7 | - middlewares-secure-headers 8 | - middlewares-oauth-external 9 | - middlewares-compress 10 | 11 | -------------------------------------------------------------------------------- /appdata/traefik2/rules/ds918/middlewares-oauth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-oauth: 4 | forwardAuth: 5 | address: "http://oauth:4181" # Make sure you have the OAuth service in docker-compose.yml 6 | trustForwardHeader: true 7 | authResponseHeaders: 8 | - "X-Forwarded-User" 
-------------------------------------------------------------------------------- /appdata/traefik3/rules/ws-arm/middlewares-oauth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-oauth: 4 | forwardAuth: 5 | address: "http://oauth:4181" # Make sure you have the OAuth service in docker-compose.yml 6 | trustForwardHeader: true 7 | authResponseHeaders: 8 | - "X-Forwarded-User" -------------------------------------------------------------------------------- /appdata/nginx/common/disabled/php5.conf.disabled: -------------------------------------------------------------------------------- 1 | # PHP NGINX CONFIGURATION 2 | # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) 3 | location / { 4 | try_files $uri $uri/ /index.php?$args; 5 | } 6 | location ~ \.php$ { 7 | try_files $uri =404; 8 | include fastcgi.conf; 9 | fastcgi_pass php5; 10 | } 11 | -------------------------------------------------------------------------------- /appdata/php/php8/php/conf.d/extensions.ini.example: -------------------------------------------------------------------------------- 1 | extension=gd 2 | extension=mysqli 3 | extension=sodium 4 | extension=pdo_mysql 5 | extension=exif 6 | extension=zip 7 | extension=imagick 8 | extension=mcrypt 9 | extension=pspell 10 | extension=redis 11 | extension=sockets 12 | extension=ssh2 13 | 14 | zend_extension=opcache -------------------------------------------------------------------------------- /appdata/traefik2/rules/ws/chain-no-auth-crowdsec-wp.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-no-auth-crowdsec-wp: 4 | chain: 5 | middlewares: 6 | # - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec 7 | - middlewares-rate-limit 8 | - middlewares-secure-headers-wp -------------------------------------------------------------------------------- 
/appdata/traefik3/rules/ws-arm/chain-no-auth-crowdsec-wp.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-no-auth-crowdsec-wp: 4 | chain: 5 | middlewares: 6 | # - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec 7 | - middlewares-rate-limit 8 | - middlewares-secure-headers-wp -------------------------------------------------------------------------------- /commits/2020/2020_10_05.txt: -------------------------------------------------------------------------------- 1 | Obsoleted Traefik error pages. Did not spend any more time on it and don't see the value in doing so. 2 | Added TLS options. Changed HostHeader to Host rule. 3 | Added Host rule to certain services (auth bypass) 4 | Added GZIP compression middleware 5 | Upgrading Traefik from chevrotin (2.2.x) to 2.3.x (picodon) -------------------------------------------------------------------------------- /appdata/traefik2/rules/hs/chain-authelia.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-authelia: 4 | chain: 5 | middlewares: 6 | # - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec 7 | - middlewares-rate-limit 8 | - middlewares-secure-headers 9 | - middlewares-authelia -------------------------------------------------------------------------------- /appdata/traefik2/rules/ws/chain-authelia.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-authelia: 4 | chain: 5 | middlewares: 6 | - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec 7 | - middlewares-rate-limit 8 | - middlewares-secure-headers 9 | - middlewares-authelia -------------------------------------------------------------------------------- /appdata/traefik2/rules/ws/chain-basic-auth.yml: 
-------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-basic-auth: 4 | chain: 5 | middlewares: 6 | - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec 7 | - middlewares-rate-limit 8 | - middlewares-secure-headers 9 | - middlewares-basic-auth -------------------------------------------------------------------------------- /appdata/traefik2/rules/ws/chain-oauth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-oauth: 4 | chain: 5 | middlewares: 6 | # - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec 7 | - middlewares-rate-limit 8 | - middlewares-secure-headers 9 | - middlewares-oauth 10 | -------------------------------------------------------------------------------- /commits/2021/2021_05_14.txt: -------------------------------------------------------------------------------- 1 | * Several updates 2021_05_14. See full commit log. 2 | * Added TOML examples for Nextcloud middlewares - https://www.smarthomebeginner.com/traefik-docker-nextcloud/ 3 | * Obsoleted cloudplow - not using at this point/haven't set it up yet 4 | * Switched to radarr nightly. "latest" tag broke the UI. 
5 | * Updated README.md -------------------------------------------------------------------------------- /appdata/traefik2/rules/hs/middlewares-authelia.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-authelia: 4 | forwardAuth: 5 | address: "http://authelia:9091/api/verify?rd=https://authelia.{{env "DOMAINNAME_HS"}}" 6 | trustForwardHeader: true 7 | authResponseHeaders: 8 | - "Remote-User" 9 | - "Remote-Groups" -------------------------------------------------------------------------------- /appdata/traefik2/rules/ws/middlewares-authelia.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-authelia: 4 | forwardAuth: 5 | address: "http://authelia:9091/api/verify?rd=https://authelia.{{env "DOMAINNAME_WS"}}" 6 | trustForwardHeader: true 7 | authResponseHeaders: 8 | - "Remote-User" 9 | - "Remote-Groups" -------------------------------------------------------------------------------- /commits/2021/2021_08_09.txt: -------------------------------------------------------------------------------- 1 | * Several updates 2021_08_09. See full commit log. 2 | * Updated Authelia to 4.30.0. Updated configuration.yml file based on https://www.authelia.com/docs/configuration/migration.html and https://github.com/authelia/authelia/blob/master/config.template.yml. 
3 | * Updated redis to 6.2.5 4 | * Updated Traefik from 2.3.1 to 2.4.13 -------------------------------------------------------------------------------- /appdata/traefik2/rules/hs/chain-no-auth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-no-auth: 4 | chain: 5 | middlewares: 6 | #- middlewares-traefik-bouncer # leave this out if you are not using CrowdSec 7 | - middlewares-rate-limit 8 | - middlewares-secure-headers 9 | #- middlewares-compress 10 | -------------------------------------------------------------------------------- /appdata/traefik2/rules/hs/middlewares-oauth-external.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-oauth-external: 4 | forwardAuth: 5 | address: "https://oauth.{{env "DOMAINNAME_HS"}}" # Make sure you have the OAuth service in a remote server 6 | trustForwardHeader: true 7 | authResponseHeaders: 8 | - "X-Forwarded-User" -------------------------------------------------------------------------------- /appdata/nginx/common/disabled/hack-protection.conf.disabled: -------------------------------------------------------------------------------- 1 | #http://serverfault.com/questions/811912/can-nginx-location-blocks-match-a-url-query-string 2 | if ( $args ~ "subid=" ) { return 403; } 3 | if ( $args ~ "link=" ) { return 403; } 4 | if ( $args ~ "q=" ) { return 403; } 5 | 6 | #location = /raio-raspberry-pi-easier/ { 7 | # return 403; 8 | #} 9 | -------------------------------------------------------------------------------- /appdata/traefik2/rules/ws/chain-authelia-wp.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-authelia-wp: 4 | chain: 5 | middlewares: 6 | - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec 7 | - middlewares-rate-limit 8 | - middlewares-secure-headers-wp 9 | - 
middlewares-authelia 10 | -------------------------------------------------------------------------------- /compose/archives/dns/unbound.yml: -------------------------------------------------------------------------------- 1 | services: 2 | unbound: 3 | container_name: unbound 4 | image: mvance/unbound-rpi:latest 5 | network_mode: host 6 | volumes: 7 | - $DOCKERDIR/appdata/unbound:/opt/unbound/etc/unbound 8 | healthcheck: 9 | disable: true 10 | restart: unless-stopped 11 | profiles: ["core", "all", "dns"] -------------------------------------------------------------------------------- /compose/archives/loki.yml: -------------------------------------------------------------------------------- 1 | # Loki - Log Aggregation 2 | loki: 3 | <<: *common-keys-monitoring # See EXTENSION FIELDS at the top 4 | container_name: loki 5 | image: grafana/loki:latest 6 | volumes: 7 | - $DOCKERDIR/appdata/loki:/etc/loki 8 | ports: 9 | - "$LOKI_PORT:3100" 10 | command: -config.file=/etc/loki/config.yml -------------------------------------------------------------------------------- /appdata/traefik3/rules/hs/middlewares-oauth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-oauth: 4 | forwardAuth: 5 | address: "http://oauth:4181/portals/main" 6 | trustForwardHeader: true 7 | authResponseHeaders: 8 | - "X-Forwarded-User" 9 | - "X-Forwarded-Displayname" 10 | - "X-Authenticated-User" -------------------------------------------------------------------------------- /appdata/nginx/common/disabled/shb-ssl.conf.disabled: -------------------------------------------------------------------------------- 1 | ssl_certificate /etc/nginx/certs/shb/shb_com-unified.crt; 2 | ssl_certificate_key /etc/nginx/certs/shb/shb20180213.key; 3 | ssl_dhparam /etc/nginx/certs/shb/dhparam2048.pem; 4 | 5 | ssl_stapling on; 6 | ssl_stapling_verify on; 7 | ssl_trusted_certificate /etc/nginx/certs/shb/shb_com-ca-bundle-trusted.crt; 
-------------------------------------------------------------------------------- /compose/archives/cloudflare-ddns.yml: -------------------------------------------------------------------------------- 1 | # Cloudflare DDNS - Dynamic DNS Updater 2 | cloudddns: 3 | container_name: cloudddns 4 | restart: always 5 | image: joshava/cloudflare-ddns 6 | volumes: 7 | - $USERDIR/docker/cloudflare-ddns/config.yaml:/app/config.yaml 8 | environment: 9 | - PUID=$PUID 10 | - PGID=$PGID 11 | - TZ=$TZ -------------------------------------------------------------------------------- /appdata/traefik2/rules/ds918/middlewares-buffering.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-buffering: 4 | buffering: 5 | maxResponseBodyBytes: 2000000 6 | maxRequestBodyBytes: 10485760 7 | memRequestBodyBytes: 2097152 8 | memResponseBodyBytes: 2097152 9 | retryExpression: "IsNetworkError() && Attempts() <= 2" 10 | -------------------------------------------------------------------------------- /appdata/traefik2/rules/hs/middlewares-buffering.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-buffering: 4 | buffering: 5 | maxResponseBodyBytes: 2000000 6 | maxRequestBodyBytes: 10485760 7 | memRequestBodyBytes: 2097152 8 | memResponseBodyBytes: 2097152 9 | retryExpression: "IsNetworkError() && Attempts() <= 2" 10 | -------------------------------------------------------------------------------- /appdata/traefik3/rules/hs/middlewares-buffering.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-buffering: 4 | buffering: 5 | maxResponseBodyBytes: 2000000 6 | maxRequestBodyBytes: 10485760 7 | memRequestBodyBytes: 2097152 8 | memResponseBodyBytes: 2097152 9 | retryExpression: "IsNetworkError() && Attempts() <= 2" 10 | 
-------------------------------------------------------------------------------- /compose/mds/plex-image-cleanup.yml: -------------------------------------------------------------------------------- 1 | services: 2 | pic: 3 | image: meisnate12/plex-image-cleanup 4 | container_name: pic 5 | environment: 6 | - TZ=$TZ #optional 7 | volumes: 8 | - $DOCKERDIR/appdata/plex-image-cleanup:/config 9 | - $DOCKERDIR/appdata/plex/Library/Application Support/Plex Media Server:/plex 10 | restart: unless-stopped -------------------------------------------------------------------------------- /appdata/traefik3/rules/ws-arm/middlewares-buffering.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-buffering: 4 | buffering: 5 | maxResponseBodyBytes: 2000000 6 | maxRequestBodyBytes: 10485760 7 | memRequestBodyBytes: 2097152 8 | memResponseBodyBytes: 2097152 9 | retryExpression: "IsNetworkError() && Attempts() <= 2" 10 | -------------------------------------------------------------------------------- /compose/archives/miflora.yml: -------------------------------------------------------------------------------- 1 | # MiFlora MQTT Daemon - BT to MQTT Daemon for MiFlora Sensors 2 | miflora: 3 | image: raymondmm/miflora-mqtt 4 | container_name: miflora-mqtt 5 | environment: 6 | - TZ=$TZ 7 | network_mode: host 8 | # user: "0" 9 | volumes: 10 | - $USERDIR/docker/miflora-mqtt/config:/config 11 | restart: unless-stopped -------------------------------------------------------------------------------- /appdata/traefik2/rules/hs/chain-oauth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-oauth: 4 | chain: 5 | middlewares: 6 | #- middlewares-traefik-bouncer # leave this out if you are not using CrowdSec 7 | - middlewares-rate-limit 8 | - middlewares-secure-headers 9 | - middlewares-oauth 10 | - middlewares-compress 
-------------------------------------------------------------------------------- /appdata/traefik2/rules/hs/chain-basic-auth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-basic-auth: 4 | chain: 5 | middlewares: 6 | - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec 7 | - middlewares-rate-limit 8 | - middlewares-secure-headers 9 | - middlewares-basic-auth 10 | #- middlewares-compress -------------------------------------------------------------------------------- /appdata/nginx/common/disabled/selfhosted-cdn.conf.disabled: -------------------------------------------------------------------------------- 1 | # Comment: The section below allows only images, JS, and CSS files to be available to self-hosted CDN subdomains. Avoids duplicate availability of other content through subdomains. 2 | if ($request_uri ~* "\.(jpe?g|gif|png)$") { 3 | rewrite ^(.*) https://cdn.simplehomelab.com$1 permanent; 4 | } 5 | 6 | -------------------------------------------------------------------------------- /appdata/traefik2/rules/hs/chain-oauth-external.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-oauth-external: 4 | chain: 5 | middlewares: 6 | - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec 7 | - middlewares-rate-limit 8 | - middlewares-secure-headers 9 | - middlewares-oauth-external 10 | #- middlewares-compress -------------------------------------------------------------------------------- /commits/2024/2024_01_30.txt: -------------------------------------------------------------------------------- 1 | * Several updates 2024_01_30. See full commit log. 2 | 3 | * Remove HTTPS redirect scheme middleware. Not used and redirects handled globally with CLI commands. 4 | * Changed entrypoint names from http/https to web/websecure to align with several online documentation. 
5 | * Updated readme. 6 | * Changed basic auth secret from htpassd to basic_auth_credentials (just easier to understand) 7 | -------------------------------------------------------------------------------- /appdata/rclone/rclone.conf.example: -------------------------------------------------------------------------------- 1 | [shb-drive] 2 | type = drive 3 | scope = drive 4 | token = {"access_token":"blah_blah_blah","expiry":"2021-02-12T22:37:02.490073796-05:00"} 5 | root_folder_id = blah_blah_blah 6 | client_id = blah_blah_blah 7 | client_secret = blah_blah_blah 8 | 9 | [shb-crypt] 10 | type = crypt 11 | remote = shb-drive:crypt 12 | password = blah_blah_blah 13 | password2 = blah_blah_blah 14 | 15 | -------------------------------------------------------------------------------- /commits/2021/2021_03_11.txt: -------------------------------------------------------------------------------- 1 | * Several updates. See full commit log. 2 | * Moved nzblog back to docker folder, reversing previous commit. 3 | * Changed transmission logs to LOG_TO_STDOUT: "true". Log file was huge. 4 | * Disabled statping logs until i am not ready to use it. 5 | * Modified rclone logrotate to include .log files. 6 | * Added comments to clarify why MediaCover and Plex metadata folders were mounted as volumes. 
-------------------------------------------------------------------------------- /compose/hs/it-tools.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # IT-Tools - Status Page & Monitoring Server 3 | it-tools: 4 | image: corentinth/it-tools 5 | container_name: it-tools 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "all"] 10 | networks: 11 | - default 12 | ports: 13 | - "$ITTOOLS_PORT:80" 14 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /appdata/nginx/common/hotlink.conf: -------------------------------------------------------------------------------- 1 | #Prevent hotlinking 2 | location ~* \.(gif|png|jpe?g|apk|zip)$ { 3 | expires 7d; 4 | add_header Pragma public; 5 | add_header Cache-Control "public, must-revalidate, proxy-revalidate"; 6 | 7 | # prevent hotlink 8 | valid_referers none blocked ~.simplehomelab. ~.google. ~.bing. ~.yahoo. 
server_names ~($host); 9 | if ($invalid_referer) { 10 | return 403; 11 | } 12 | } -------------------------------------------------------------------------------- /compose/ws-arm/traefik-error-log.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Traefik Error Log (traefik.log) for Dozzle 3 | traefik-error-log: 4 | container_name: traefik-error-log 5 | image: alpine 6 | volumes: 7 | - $DOCKERDIR/logs/$HOSTNAME/traefik/traefik.log:/var/log/stream.log 8 | command: 9 | - tail 10 | - -f 11 | - /var/log/stream.log 12 | network_mode: none 13 | restart: unless-stopped -------------------------------------------------------------------------------- /compose/archives/postgres.yml: -------------------------------------------------------------------------------- 1 | # Postgres - Database 2 | postgres: 3 | image: postgres 4 | container_name: postgres 5 | restart: always 6 | security_opt: 7 | - no-new-privileges:true 8 | volumes: 9 | - $DOCKERDIR/postgres:/var/lib/postgresql/data 10 | environment: 11 | POSTGRES_PASSWORD: $STATPING_DB_PASS 12 | POSTGRES_USER: $STATPING_DB_USER 13 | POSTGRES_DB: $STATPING_DB -------------------------------------------------------------------------------- /compose/ws-arm/traefik-access-log.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Traefik Access Log (access.log) for Dozzle 3 | traefik-access-log: 4 | container_name: traefik-access-log 5 | image: alpine 6 | volumes: 7 | - $DOCKERDIR/logs/$HOSTNAME/traefik/access.log:/var/log/stream.log 8 | command: 9 | - tail 10 | - -f 11 | - /var/log/stream.log 12 | network_mode: none 13 | restart: unless-stopped -------------------------------------------------------------------------------- /compose/hs/adminer.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Adminer - Frontend for Various Databases (MariaDB, PostgreSQL, etc.) 
3 | adminer: 4 | image: adminer:latest 5 | container_name: adminer 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "all"] 10 | networks: 11 | - default 12 | ports: 13 | - "$ADMINER_PORT:8080" 14 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /compose/ws-arm/adminer.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Adminer - Frontend for Various Databases (MariaDB, PostgreSQL, etc.) 3 | adminer: 4 | image: adminer:latest 5 | container_name: adminer 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "all"] 10 | networks: 11 | - default 12 | ports: 13 | - "$ADMINER_PORT:8080" 14 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /appdata/php/php8/php/conf.d/opcache.ini.new: -------------------------------------------------------------------------------- 1 | ; Claude Sonnet 3.5 2 | opcache.enable=0 3 | opcache.memory_consumption=256 4 | opcache.interned_strings_buffer=16 5 | opcache.max_accelerated_files=20000 6 | opcache.revalidate_freq=3600 7 | opcache.validate_timestamps=0 8 | opcache.max_wasted_percentage=10 9 | opcache.enable_cli=0 10 | opcache.save_comments=1 11 | 12 | ; WordPress specific 13 | opcache.fast_shutdown=1 14 | opcache.consistency_checks=0 -------------------------------------------------------------------------------- /commits/2020/2020_10_14.txt: -------------------------------------------------------------------------------- 1 | * Fixed firefox https://github.com/jlesage/docker-firefox/blob/master/README.md#allowing-the-membarrier-system-call 2 | * Fixed Oauth - removed secrets and went back to environmental variables 3 | * Disabled traefik pilot and ping - did not see a need for it yet 4 | * Added duplicati - updated readme.md and change log 5 | * Fixed cf-companion. 
Went back to environmental variables with scoped token instead of secrets (not working) 6 | -------------------------------------------------------------------------------- /appdata/php/php8/php/conf.d/extensions.ini: -------------------------------------------------------------------------------- 1 | zend_extension=opcache 2 | extension=amqp 3 | extension=bcmath 4 | extension=bz2 5 | extension=calendar 6 | extension=exif 7 | extension=gd 8 | extension=gettext 9 | extension=imagick 10 | extension=intl 11 | extension=ldap 12 | extension=mysqli 13 | extension=pdo_mysql 14 | extension=pdo_pgsql 15 | extension=pgsql 16 | extension=redis 17 | extension=soap 18 | extension=sockets 19 | extension=xsl 20 | extension=zip -------------------------------------------------------------------------------- /scripts/ds918/increase_inotify_limits_syncthing.sh.example: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Synology default is 8192. This is very low and Syncthing warns to "increase inotify limits". 4 | # Synology keeps overwriting custom values with default values. 
5 | # Run this script as root at boot and periodically through Task Scheduler on DSM 6 | 7 | # echo "fs.inotify.max_user_watches=204800" | tee -a /etc/sysctl.conf 8 | 9 | echo 524288 | tee /proc/sys/fs/inotify/max_user_watches -------------------------------------------------------------------------------- /appdata/php/php8/php/conf.d/opcache.ini: -------------------------------------------------------------------------------- 1 | ; Claude Sonnet 3.5 - February 4, 2025 2 | opcache.enable=1 3 | opcache.memory_consumption=512 4 | opcache.interned_strings_buffer=16 5 | opcache.max_accelerated_files=20000 6 | opcache.revalidate_freq=3600 7 | opcache.validate_timestamps=0 8 | opcache.max_wasted_percentage=10 9 | opcache.enable_cli=0 10 | opcache.save_comments=1 11 | 12 | ; WordPress specific 13 | opcache.fast_shutdown=1 14 | opcache.consistency_checks=0 -------------------------------------------------------------------------------- /appdata/php/php7/conf.d/extensions.ini: -------------------------------------------------------------------------------- 1 | zend_extension=opcache 2 | extension=amqp 3 | extension=bcmath 4 | extension=bz2 5 | extension=calendar 6 | extension=event 7 | extension=exif 8 | extension=gd 9 | extension=gettext 10 | extension=imagick 11 | extension=intl 12 | extension=ldap 13 | extension=mysqli 14 | extension=pdo_mysql 15 | extension=pdo_pgsql 16 | extension=pgsql 17 | extension=redis 18 | extension=soap 19 | extension=sockets 20 | extension=xsl 21 | extension=zip -------------------------------------------------------------------------------- /commits/2022/2022_06_19.txt: -------------------------------------------------------------------------------- 1 | * Several updates 2022_06_19. See full commit log. 2 | * Renamed "homeserver" to "cloudserver" wherever applicable (scripts, logs, traefik rules, etc.). "homeserver" actually referred to my Proxmox server in the cloud and Synology is my Docker-Traefik server at home. 
3 | * Added domain name variables to Traefik environment, to pass the variable into container. This allows using {{env "DOMAINNAME_CLOUD_SERVER"}} in Traefik dynamic rules to refer to domain names. -------------------------------------------------------------------------------- /compose/ws-arm/qdrant.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Qdrant - A vector database and search engine 3 | qdrant: 4 | image: qdrant/qdrant 5 | container_name: qdrant 6 | restart: unless-stopped 7 | profiles: ["apps", "all"] 8 | networks: 9 | - default 10 | ports: 11 | - $QDRANT_PORT:6333 # HTTP API and dashboard 12 | - 6334:6334 # gRPC API 13 | volumes: 14 | - $DOCKERDIR/appdata/qdrant:/qdrant/storage 15 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /appdata/traefik2/rules/hs/domain-passthrough.yml.example: -------------------------------------------------------------------------------- 1 | tcp: 2 | routers: 3 | synology-traefik-rtr: 4 | entryPoints: 5 | - websecure 6 | rule: "HostSNIRegexp(`{{env "DOMAINNAME_DS918"}}`, `{subdomain:[a-z]+}.{{env "DOMAINNAME_DS918"}}`)" 7 | service: synology-traefik-svc 8 | tls: 9 | passthrough: true 10 | services: 11 | synology-traefik-svc: 12 | loadBalancer: 13 | servers: 14 | - address: "192.168.1.254:443" -------------------------------------------------------------------------------- /secrets_example/traefik_forward_auth: -------------------------------------------------------------------------------- 1 | ### EXAMPLE OF REQUIRED FILE TO ALLOW DOCKER SECRETS TO FUNCTION WITH GOOGLE OAUTH 2 | ### FOR FURTHER DETAILS SEE https://github.com/thomseddon/traefik-forward-auth 3 | # Guide: https://www.smarthomebeginner.com/google-oauth-with-traefik-2-docker/ 4 | 5 | providers.google.client-id=yourGOOGLEclientID 6 | providers.google.client-secret=yourCLIENTsecret 7 | secret=yourOAUTHsecret 8 | whitelist=yourEMAILaddress1 9 | 
whitelist=yourEMAILaddress2 10 | -------------------------------------------------------------------------------- /compose/archives/adguardhome-sync.yml: -------------------------------------------------------------------------------- 1 | # AdGuard Home Sync - Sync Settings between AdGuard Homes 2 | adguardhome-sync: 3 | <<: *common-keys-core # See EXTENSION FIELDS at the top 4 | image: lscr.io/linuxserver/adguardhome-sync:latest 5 | container_name: adguardhome-sync 6 | environment: 7 | <<: *default-tz-puid-pgid 8 | CONFIGFILE: /config/adguardhome-sync.yaml #optional 9 | volumes: 10 | - $DOCKERDIR/appdata/adguard-home/config:/config 11 | -------------------------------------------------------------------------------- /appdata/nginx/sites/dash.conf: -------------------------------------------------------------------------------- 1 | server { 2 | listen 80; 3 | server_name dash.simplehomelab.com; 4 | 5 | root /var/www/html/dash; 6 | index index.php; 7 | 8 | access_log /var/log/nginx/dash-access.log; 9 | error_log /var/log/nginx/dash-error.log; 10 | 11 | # Turn on directory listing 12 | autoindex on; 13 | 14 | include common/php8/nonwp-nfc-php.conf; 15 | include common/nonwp-common-php.conf; 16 | include common/php8/nonwp-locations-php.conf; 17 | } -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-swarm/rules/hassio_nodered.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-node.servers] 3 | [backends.backend-node.servers.server-node-ext] 4 | url = "http://192.168.1.90:1880" 5 | weight = 0 6 | 7 | [frontends] 8 | [frontends.frontend-node] 9 | backend = "backend-node" 10 | passHostHeader = true 11 | 12 | [frontends.frontend-node.routes] 13 | [frontends.frontend-node.routes.route-node-ext] 14 | rule = "Host:node.example.com" 15 | -------------------------------------------------------------------------------- 
/appdata/traefik2/rules/hs/app-plex-no-auth.yml.example: -------------------------------------------------------------------------------- 1 | http: 2 | routers: 3 | splex-rtr: 4 | rule: "Host(`splex.{{env "DOMAINNAME_HS"}}`)" 5 | entryPoints: 6 | - websecure 7 | middlewares: 8 | - chain-oauth 9 | service: splex-svc 10 | tls: 11 | certResolver: dns-cloudflare 12 | options: tls-opts@file 13 | services: 14 | splex-svc: 15 | loadBalancer: 16 | servers: 17 | - url: "http://192.168.1.238:32400" 18 | -------------------------------------------------------------------------------- /appdata/traefik2/rules/hs/app-haos-no-auth.yml.example: -------------------------------------------------------------------------------- 1 | http: 2 | routers: 3 | haos-rtr: 4 | rule: "Host(`haos.{{env "DOMAINNAME_HS"}}`)" 5 | entryPoints: 6 | - websecure 7 | middlewares: 8 | - chain-no-auth 9 | service: haos-svc 10 | tls: 11 | certResolver: dns-cloudflare 12 | services: 13 | haos-svc: 14 | loadBalancer: 15 | servers: 16 | - url: "http://192.168.1.123:8123" # or whatever your external host's IP:port is 17 | -------------------------------------------------------------------------------- /appdata/traefik2/rules/ds918/app-ds918-dsm-oauth.yml.example: -------------------------------------------------------------------------------- 1 | http: 2 | routers: 3 | synology-rtr: 4 | rule: "Host(`dsm.{{env "DOMAINNAME_DS918"}}`)" 5 | entryPoints: 6 | - https 7 | middlewares: 8 | - chain-oauth 9 | service: synology-svc 10 | tls: 11 | certResolver: dns-cloudflare 12 | options: tls-opts@file 13 | services: 14 | synology-svc: 15 | loadBalancer: 16 | servers: 17 | - url: "http://192.168.1.254:5000" 18 | -------------------------------------------------------------------------------- /compose/ds918/zerotier.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # ZeroTier-One - Private Network over Internet 3 | zerotier: 4 | image: zerotier/zerotier-synology:latest 
5 | container_name: zerotier 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | # profiles: ["core", "all"] 10 | network_mode: host 11 | cap_add: 12 | - NET_ADMIN 13 | - SYS_ADMIN 14 | devices: 15 | - /dev/net/tun 16 | volumes: 17 | - $DOCKERDIR/appdata/zerotier:/var/lib/zerotier-one -------------------------------------------------------------------------------- /appdata/traefik2/rules/hs/app-adguard-home-oauth.yml.example: -------------------------------------------------------------------------------- 1 | http: 2 | routers: 3 | adguard-rtr: 4 | rule: "Host(`ag.{{env "DOMAINNAME_HS"}}`)" 5 | entryPoints: 6 | - websecure 7 | middlewares: 8 | - chain-oauth 9 | service: adguard-svc 10 | tls: 11 | certResolver: dns-cloudflare 12 | options: tls-opts@file 13 | services: 14 | adguard-svc: 15 | loadBalancer: 16 | servers: 17 | - url: "http://ADGUARD-CLOUD-SERVER-IP:80" 18 | 19 | -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-swarm/rules/plex.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-plex] 3 | [backends.backend-plex.servers] 4 | [backends.backend-plex.servers.server-plex-ext] 5 | url = "http://192.168.1.254:32400" 6 | weight = 0 7 | 8 | [frontends] 9 | [frontends.frontend-plex] 10 | backend = "backend-plex" 11 | passHostHeader = true 12 | [frontends.frontend-plex.routes] 13 | [frontends.frontend-plex.routes.route-plex-ext] 14 | rule = "Host:plex.example.com" 15 | -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-swarm/rules/synology.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-synology.servers] 3 | [backends.backend-synology.servers.server-synology-ext] 4 | url = "http://192.168.1.254:5000" 5 | weight = 0 6 | 7 | [frontends] 8 | [frontends.frontend-synology] 9 | 
backend = "backend-synology" 10 | passHostHeader = true 11 | 12 | [frontends.frontend-synology.routes] 13 | [frontends.frontend-synology.routes.route-synology-ext] 14 | rule = "Host:syno.example.com" 15 | -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-swarm/rules/xiaofang1.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-xiaofang1.servers] 3 | [backends.backend-xiaofang1.servers.server-xiaofang1-ext] 4 | url = "https://192.168.1.83" 5 | weight = 0 6 | 7 | [frontends] 8 | [frontends.frontend-xiaofang1] 9 | backend = "backend-xiaofang1" 10 | passHostHeader = true 11 | 12 | [frontends.frontend-xiaofang1.routes] 13 | [frontends.frontend-xiaofang1.routes.route-xiaofang1-ext] 14 | rule = "Host:xiaofang1.example.com" -------------------------------------------------------------------------------- /compose/archives/dns/adguardhome-sync.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # AdGuard Home Sync - Sync Settings between AdGuard Homes 3 | adguardhome-sync: 4 | image: lscr.io/linuxserver/adguardhome-sync:latest 5 | container_name: adguardhome-sync 6 | restart: unless-stopped 7 | profiles: ["core", "all", "dns"] 8 | environment: 9 | TZ: $TZ 10 | PUID: $PUID 11 | PGID: $PGID 12 | CONFIGFILE: /config/adguardhome-sync.yaml #optional 13 | volumes: 14 | - $DOCKERDIR/appdata/adguardhome-sync:/config -------------------------------------------------------------------------------- /compose/hs/uptime-kuma.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Uptime Kuma - Status Page & Monitoring Server 3 | uptime-kuma: 4 | image: louislam/uptime-kuma 5 | container_name: uptime-kuma 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["core", "all"] 10 | networks: 11 | - default 12 | - socket_proxy 
13 | ports: 14 | - "$UPTIMEKUMA_PORT:3001" 15 | volumes: 16 | - $DOCKERDIR/appdata/uptime-kuma:/app/data 17 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /appdata/nginx/conf.d/fastcgi.conf: -------------------------------------------------------------------------------- 1 | # FastCGI cache settings 2 | fastcgi_cache_path /var/run/nginx-cache levels=1:2 keys_zone=WORDPRESS:50m inactive=60m; 3 | fastcgi_cache_key "$scheme$request_method$host$request_uri"; 4 | fastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503; 5 | fastcgi_cache_valid 200 301 302 404 1h; 6 | fastcgi_buffers 16 16k; 7 | fastcgi_buffer_size 32k; 8 | fastcgi_param SERVER_NAME $http_host; 9 | fastcgi_ignore_headers Cache-Control Expires Set-Cookie; 10 | fastcgi_keep_conn on; 11 | -------------------------------------------------------------------------------- /appdata/traefik2/rules/hs/app-adguard-home-authelia.yml.example: -------------------------------------------------------------------------------- 1 | http: 2 | routers: 3 | adguard-rtr: 4 | rule: "Host(`ag.{{env "DOMAINNAME_HS"}}`)" 5 | entryPoints: 6 | - websecure 7 | middlewares: 8 | - chain-authelia 9 | service: adguard-svc 10 | tls: 11 | certResolver: dns-cloudflare 12 | options: tls-opts@file 13 | services: 14 | adguard-svc: 15 | loadBalancer: 16 | servers: 17 | - url: "http://ADGUARD-CLOUD-SERVER-IP:80" 18 | 19 | -------------------------------------------------------------------------------- /commits/2024/2024_05_30.txt: -------------------------------------------------------------------------------- 1 | * Several updates 2024_05_30. See full commit log. 2 | * Added MakeMKV, MKVToolNix, to homeserver 3 | * Authelia upgraded to 4.38.8 and example configuration.yml and users.yml updated. 4 | * Jellyfin does not work on WebOS via Traefik Proxy. 
Created new security headers (without SAMEORIGIN) to allow Jellyfin to work 5 | * Removed obsolete shell scripts. Will reupload them as I update them. 6 | * Updated start-media-after-boot.sh.example to start media containers after Rclone mounts load. 7 | * Updated bash_aliases -------------------------------------------------------------------------------- /appdata/traefik2/rules/ds918/app-ds918-video-oauth.yml.example: -------------------------------------------------------------------------------- 1 | http: 2 | routers: 3 | synology-video-rtr: 4 | rule: "Host(`video.{{env "DOMAINNAME_DS918"}}`)" 5 | entryPoints: 6 | - https 7 | middlewares: 8 | - chain-oauth 9 | service: synology-video-svc 10 | tls: 11 | certResolver: dns-cloudflare 12 | options: tls-opts@file 13 | services: 14 | synology-video-svc: 15 | loadBalancer: 16 | servers: 17 | - url: "http://192.168.1.254:5003" 18 | -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-standalone/rules/synplex.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-plex] 3 | [backends.backend-plex.servers] 4 | [backends.backend-plex.servers.server-plex-ext] 5 | url = "http://192.168.5.238:32400" 6 | weight = 0 7 | [frontends] 8 | [frontends.frontend-plex] 9 | backend = "backend-plex" 10 | passHostHeader = true 11 | [frontends.frontend-plex.routes] 12 | [frontends.frontend-plex.routes.route-plex-ext] 13 | rule = "Host:synplex.example.com" 14 | 15 | -------------------------------------------------------------------------------- /appdata/traefik2/rules/ws/middlewares-secure-headers-wp.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-secure-headers-wp: 4 | headers: 5 | hostsProxyHeaders: 6 | - "X-Forwarded-Host" 7 | stsSeconds: 31536000 8 | stsIncludeSubdomains: true 9 | stsPreload: true 10 | #frameDeny: true # Popups 
like plugin details etc. wont't open with this. 11 | customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME_WS"}}" 12 | contentTypeNosniff: true 13 | browserXssFilter: true -------------------------------------------------------------------------------- /compose/archives/smtp-to-telegram.yml: -------------------------------------------------------------------------------- 1 | # SMTP to Telegram - Send SMTP Notifications as Telegram Message 2 | # Use case: https://github.com/htpcBeginner/docker-traefik/issues/78 3 | smtp_to_telegram: 4 | image: kostyaesmukov/smtp_to_telegram 5 | container_name: smtp_to_telegram 6 | restart: always 7 | networks: 8 | - default 9 | environment: 10 | TZ: $TZ 11 | ST_TELEGRAM_CHAT_IDS: $TGRAM_CHAT_ID 12 | ST_TELEGRAM_BOT_TOKEN: $TGRAM_BOT_TOKEN 13 | ST_TELEGRAM_MESSAGE_TEMPLATE: "{subject}\\n{body}" -------------------------------------------------------------------------------- /compose/mds/influxdb.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # InfluxDB - Database for sensor data 3 | influxdb: 4 | image: influxdb:latest 5 | container_name: influxdb 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["dbs", "all"] 10 | networks: 11 | - default 12 | ports: 13 | - "$INFLUXDB_PORT:8086" 14 | volumes: 15 | - $DOCKERDIR/appdata/influxdb2/config:/etc/influxdb2 16 | - $DOCKERDIR/appdata/influxdb2/db:/var/lib/influxdb2 17 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /appdata/traefik3/rules/ws-arm/middlewares-secure-headers-wp.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-secure-headers-wp: 4 | headers: 5 | hostsProxyHeaders: 6 | - "X-Forwarded-Host" 7 | stsSeconds: 31536000 8 | stsIncludeSubdomains: true 9 | stsPreload: true 10 | #frameDeny: true # Popups like plugin details etc. 
wont't open with this. 11 | customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME_1"}}" 12 | contentTypeNosniff: true 13 | browserXssFilter: true -------------------------------------------------------------------------------- /commits/2024/2024_01_19.txt: -------------------------------------------------------------------------------- 1 | * Several updates 2024_01_19. See full commit log. 2 | 3 | * Biggest structural change in a long time to align with what Auto-Traefik does. 4 | - Renamed all Docker compose files (remove t2 suffix) 5 | - Now all docker compose files have their hostname as suffix (for my 5 Docker hosts) 6 | * Split the big long docker compose files into individual service YMLs using Docker include: /compose folder. 7 | * Moved all archived compose files into /compose/archives. 8 | * Updated bash aliases - docker commands simplified, and more. -------------------------------------------------------------------------------- /compose/ws-arm/influxdb.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # InfluxDB - Database for sensor data 3 | influxdb: 4 | image: influxdb:latest 5 | container_name: influxdb 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["dbs", "all"] 10 | networks: 11 | - default 12 | ports: 13 | - "$INFLUXDB_PORT:8086" 14 | volumes: 15 | - $DOCKERDIR/appdata/influxdb2/config:/etc/influxdb2 16 | - $DOCKERDIR/appdata/influxdb2/db:/var/lib/influxdb2 17 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /compose/ws-arm/pgadmin.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # pgAdmin - PostgreSQL Administration 3 | pgadmin: 4 | image: dpage/pgadmin4 5 | container_name: pgadmin 6 | restart: unless-stopped 7 | profiles: ["apps", "all"] 8 | networks: 9 | - default 10 | ports: 11 | - "$PGADMIN_PORT:80" 12 | volumes: 13 | - 
$DOCKERDIR/appdata/pgadmin:/var/lib/pgadmin 14 | environment: 15 | PGADMIN_DEFAULT_EMAIL: $PGADMIN_ADMIN_EMAIL 16 | PGADMIN_DEFAULT_PASSWORD: $PGADMIN_ADMIN_PASSWORD 17 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /compose/ws-arm/wikidocs.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Wikidocs - Flat-file Markdown Wiki 3 | wikidocs: 4 | image: zavy86/wikidocs 5 | container_name: wikidocs 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "all"] 10 | networks: 11 | - default 12 | ports: 13 | - "$WIKIDOCS_PORT:80" 14 | volumes: 15 | - '$DOCKERDIR/appdata/wikidocs:/datasets' 16 | environment: 17 | PUID: $PUID 18 | PGID: $PGID 19 | # DOCKER-LABELS-PLACEHOLDER 20 | -------------------------------------------------------------------------------- /compose/hs/firefly.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Firefly III - Personal Finance Manager 3 | firefly: 4 | image: fireflyiii/core:latest 5 | container_name: firefly 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "all"] 10 | networks: 11 | - default 12 | ports: 13 | - "$FIREFLY_PORT:8080" 14 | volumes: 15 | - $DOCKERDIR/appdata/firefly:/var/www/html/storage/upload 16 | env_file: $DOCKERDIR/appdata/firefly/firefly.env 17 | # DOCKER-LABELS-PLACEHOLDER 18 | -------------------------------------------------------------------------------- /appdata/nginx/sites/khub.conf: -------------------------------------------------------------------------------- 1 | server { 2 | listen 80; 3 | server_name khub.info; 4 | return 301 $scheme://www.khub.info$request_uri; 5 | } 6 | 7 | server { 8 | listen 80; 9 | server_name www.khub.info; 10 | 11 | root /var/www/html/khub; 12 | index index.php; 13 | 14 | access_log /var/log/nginx/khub-access.log; 15 | 
error_log /var/log/nginx/khub-error.log; 16 | 17 | include common/php8/nonwp-nfc-php.conf; 18 | include common/nonwp-common-php.conf; 19 | include common/php8/nonwp-locations-php.conf; 20 | } -------------------------------------------------------------------------------- /appdata/nginx/sites/deployrr.conf: -------------------------------------------------------------------------------- 1 | server { 2 | listen 80; 3 | server_name deployrr.app; 4 | return 301 $scheme://www.deployrr.app$request_uri; 5 | } 6 | 7 | server { 8 | listen 80; 9 | server_name www.deployrr.app; 10 | 11 | root /var/www/html/deployrr; 12 | index index.php; 13 | 14 | access_log /var/log/nginx/deployrr-access.log; 15 | error_log /var/log/nginx/deployrr-error.log; 16 | 17 | include common/php8/nonwp-nfc-php.conf; 18 | include common/nonwp-common-php.conf; 19 | include common/php8/nonwp-locations-php.conf; 20 | } -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-swarm/rules/webmin.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-webmin.servers] 3 | [backends.backend-webmin.servers.server-webmin-ext] 4 | url = "http://192.168.1.90:8110" 5 | weight = 0 6 | 7 | [frontends] 8 | [frontends.frontend-webmin] 9 | backend = "backend-webmin" 10 | passHostHeader = true 11 | basicAuth = [ 12 | "user:HASHED_PASSWORD", 13 | ] 14 | [frontends.frontend-webmin.routes] 15 | [frontends.frontend-webmin.routes.route-webmin-ext] 16 | rule = "Host:webmin.example.com" 17 | -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-swarm/rules/backcam.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-backcam.servers] 3 | [backends.backend-backcam.servers.server-backcam-ext] 4 | url = "http://192.168.1.93" 5 | weight = 0 6 | 7 | [frontends] 8 | 
[frontends.frontend-backcam] 9 | backend = "backend-backcam" 10 | passHostHeader = true 11 | basicAuth = [ 12 | "user:HASHED_PASSWORD", 13 | ] 14 | [frontends.frontend-backcam.routes] 15 | [frontends.frontend-backcam.routes.route-backcam-ext] 16 | rule = "Host:backcam.example.com" 17 | -------------------------------------------------------------------------------- /commits/2022/2022_02_23.txt: -------------------------------------------------------------------------------- 1 | * Several updates 2022_02_23. See full commit log. 2 | * Updated traefik to 2.6. 3 | * Updated Docker Compose to v2.1.1. Above this version, Cloudflare Companion was not working and I cannot figure out why. 4 | * Changed cloudflare secrets (from cloudflare prefix to cf) to make them work with Cloudflare Companion. 5 | * Obsoleted Navidrom. Added Airsonic Advanced - I was used to the features in Airsonic. 6 | * Added Mariadb support for Airsonic. 7 | * Fixed StatPing MariadB connection issue: https://github.com/statping/statping/issues/260#issuecomment-541041752 -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-swarm/rules/frontcam.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-frontcam.servers] 3 | [backends.backend-frontcam.servers.server-frontcam-ext] 4 | url = "http://192.168.1.92" 5 | weight = 0 6 | 7 | [frontends] 8 | [frontends.frontend-frontcam] 9 | backend = "backend-frontcam" 10 | passHostHeader = true 11 | basicAuth = [ 12 | "user:HASHED_PASSWORD", 13 | ] 14 | [frontends.frontend-frontcam.routes] 15 | [frontends.frontend-frontcam.routes.route-frontcam-ext] 16 | rule = "Host:frontcam.example.com" 17 | -------------------------------------------------------------------------------- /compose/hs/deunhealth.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # DeUnhealth - Restart your unhealthy 
containers safely (e.g. containers depending on VPN and VPN reconnects) 3 | deunhealth: 4 | image: qmcgaw/deunhealth 5 | container_name: deunhealth 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "all"] 10 | networks: 11 | - socket_proxy 12 | environment: 13 | - LOG_LEVEL=info 14 | - HEALTH_SERVER_ADDRESS=127.0.0.1:9999 15 | - TZ=$TZ 16 | - DOCKER_HOST 17 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /compose/archives/promtail.yml: -------------------------------------------------------------------------------- 1 | # Promtail - Log Scraping/Shipping Agent 2 | promtail: 3 | <<: *common-keys-monitoring # See EXTENSION FIELDS at the top 4 | container_name: promtail 5 | image: grafana/promtail:latest 6 | volumes: 7 | - /var/log:/var/log 8 | - /media/cbox/log:/data/logs/cbox 9 | - $DOCKERDIR/logs/homeserver:/data/logs/scripts 10 | - $DOCKERDIR/appdata/promtail:/etc/promtail 11 | # ports: 12 | # - "1514:1514" # this is only needed if you are going to send syslogs 13 | command: -config.file=/etc/promtail/config.yml 14 | -------------------------------------------------------------------------------- /compose/hs/maintainerr.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Maintainerr - Manage Plex Media 3 | maintainerr: 4 | image: ghcr.io/jorenn92/maintainerr:latest 5 | container_name: maintainerr 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "all"] 10 | networks: 11 | - default 12 | ports: 13 | - "$MAINTAINERR_PORT:6246" 14 | user: $PUID:$PGID 15 | volumes: 16 | - $DOCKERDIR/appdata/maintainerr:/opt/data 17 | environment: 18 | TZ: $TZ 19 | DEBUG: true 20 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /appdata/nginx/common/wp-rankmath-sitemap-config.conf: 
-------------------------------------------------------------------------------- 1 | # Sitemap Config 2 | location ~ ([^/]*)sitemap(.*)\.x(m|s)l$ { 3 | # Basic Config 4 | rewrite ^.*/sitemap_index\.xml$ /index.php?sitemap=1 last; 5 | rewrite ^.*/([^/]+?)-sitemap([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last; 6 | # Sitemap Styling - Blank Sitemap error or "Error loading stylesheet: Parsing an XSLT stylesheet failed." 7 | rewrite ^/([a-z]+)?-?sitemap\.xsl$ /index.php?xsl=$1 last; 8 | # Redirect sitemap to sitemap_index 9 | rewrite ^/sitemap\.xml$ /sitemap_index.xml permanent; 10 | access_log off; 11 | } -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-swarm/rules/pihole.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-pihole] 3 | [backends.backend-pihole.servers] 4 | [backends.backend-pihole.servers.server-pihole-ext] 5 | url = "http://192.168.1.26" 6 | weight = 0 7 | 8 | [frontends] 9 | [frontends.frontend-pihole] 10 | backend = "backend-pihole" 11 | passHostHeader = true 12 | # basicAuth = [ 13 | # "user:HASHED_PASSWORD", 14 | # ] 15 | [frontends.frontend-pihole.routes] 16 | [frontends.frontend-pihole.routes.route-pihole-ext] 17 | rule = "Host:pi.example.com" -------------------------------------------------------------------------------- /compose/archives/flaresolverr.yml: -------------------------------------------------------------------------------- 1 | # FlareSolverr - Proxy server to bypass Cloudflare protection 2 | # Not sure if I need this or not. Just testing. 
3 | flaresolverr: 4 | <<: *common-keys-apps # See EXTENSION FIELDS at the top 5 | image: ghcr.io/flaresolverr/flaresolverr:latest 6 | container_name: flaresolverr 7 | networks: 8 | t2_proxy: 9 | ipv4_address: 192.168.90.160 10 | environment: 11 | LOG_LEVEL: info 12 | LOG_HTML: false 13 | CAPTCHA_SOLVER: none 14 | TZ: $TZ 15 | #ports: 16 | # - "8191:8191" 17 | restart: unless-stopped -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-swarm/rules/transmission.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-trans] 3 | [backends.backend-trans.servers] 4 | [backends.backend-trans.servers.server-trans-ext] 5 | url = "http://192.168.1.90:8169" 6 | weight = 0 7 | 8 | [frontends] 9 | [frontends.frontend-trans] 10 | backend = "backend-trans" 11 | passHostHeader = true 12 | # basicAuth = [ 13 | # "user:HASHED_PASSWORD", 14 | # ] 15 | [frontends.frontend-trans.routes] 16 | [frontends.frontend-trans.routes.route-trans-ext] 17 | rule = "Host:trans.example.com" 18 | -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-swarm/rules/hassio.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-hassio] 3 | [backends.backend-hassio.servers] 4 | [backends.backend-hassio.servers.server-hassio-ext] 5 | url = "http://192.168.1.908888" # NOTE(review): host and port look fused (no ':' before the port); as written this is not a valid backend address, and the other rules in this folder use 192.168.1.90:<port> — TODO confirm the intended host:port 6 | weight = 0 7 | 8 | [frontends] 9 | [frontends.frontend-hassio] 10 | backend = "backend-hassio" 11 | passHostHeader = true 12 | # basicAuth = [ 13 | # "user:HASHED_PASSWORD", 14 | # ] 15 | [frontends.frontend-hassio.routes] 16 | [frontends.frontend-hassio.routes.route-hassio-ext] 17 | rule = "Host:hassio.example.com" 18 | -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-swarm/rules/printer.toml: 
-------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-printer] 3 | [backends.backend-printer.servers] 4 | [backends.backend-printer.servers.server-printer-ext] 5 | url = "http://192.168.1.23" 6 | weight = 0 7 | 8 | [frontends] 9 | [frontends.frontend-printer] 10 | backend = "backend-printer" 11 | passHostHeader = true 12 | basicAuth = [ 13 | "user:HASHED_PASSWORD", 14 | ] 15 | [frontends.frontend-printer.routes] 16 | [frontends.frontend-printer.routes.route-printer-ext] 17 | rule = "Host:printer.example.com" -------------------------------------------------------------------------------- /compose/archives/autoscan.yml: -------------------------------------------------------------------------------- 1 | # Plex AutoScan - On demand/specific folder scanning for Plex 2 | autoscan: 3 | image: hotio/autoscan 4 | container_name: autoscan 5 | restart: "no" 6 | # profiles: 7 | # - media 8 | # - testing 9 | networks: 10 | - t2_proxy 11 | security_opt: 12 | - no-new-privileges:true 13 | #ports: 14 | # - "3030:3030" 15 | environment: 16 | PUID: $PUID 17 | PGID: $PGID 18 | TZ: $TZ 19 | UMASK: 002 20 | #PLEX_LOGIN: "" 21 | #PLEX_PASSWORD: "" 22 | volumes: 23 | - $DOCKERDIR/appdata/autoscan:/config -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-swarm/rules/hassio_vscode.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-vscode] 3 | [backends.backend-vscode.servers] 4 | [backends.backend-vscode.servers.server-vscode-ext] 5 | url = "http://192.168.1.90:1337" 6 | weight = 0 7 | 8 | [frontends] 9 | [frontends.frontend-vscode] 10 | backend = "backend-vscode" 11 | passHostHeader = true 12 | # basicAuth = [ 13 | # "user:HASHED_PASSWORD", 14 | # ] 15 | [frontends.frontend-vscode.routes] 16 | [frontends.frontend-vscode.routes.route-vscode-ext] 17 | rule = "Host:vscode.example.com" 18 | 
-------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-swarm/rules/dsmfiles.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-dsmfiles] 3 | [backends.backend-dsmfiles.servers] 4 | [backends.backend-dsmfiles.servers.server-dsmfiles-ext] 5 | url = "http://192.168.1.254:7000" 6 | weight = 0 7 | 8 | [frontends] 9 | [frontends.frontend-dsmfiles] 10 | backend = "backend-dsmfiles" 11 | passHostHeader = true 12 | basicAuth = [ 13 | "user:HASHED_PASSWORD", 14 | ] 15 | [frontends.frontend-dsmfiles.routes] 16 | [frontends.frontend-dsmfiles.routes.route-dsmfiles-ext] 17 | rule = "Host:dsmfiles.example.com" -------------------------------------------------------------------------------- /appdata/traefik2/rules/toml/app-hassio.toml.example: -------------------------------------------------------------------------------- 1 | [http.routers] 2 | [http.routers.hassio-rtr] 3 | entryPoints = ["https"] 4 | rule = "HostHeader(`hassio.example.com`)" 5 | service = "hassio-svc" 6 | middlewares = ["chain-no-auth"] 7 | [http.routers.hassio-rtr.tls] 8 | certresolver = "dns-cloudflare" 9 | 10 | [http.services] 11 | [http.services.hassio-svc] 12 | [http.services.hassio-svc.loadBalancer] 13 | passHostHeader = true 14 | [[http.services.hassio-svc.loadBalancer.servers]] 15 | url = "http://HASSIO-IP:8123" # or whatever your external host's IP:port is 16 | -------------------------------------------------------------------------------- /compose/archives/ha-dockermon.yml: -------------------------------------------------------------------------------- 1 | # HA-Dockermon - Manage Docker containers in Home Assistant 2 | ha-dockermon: 3 | image: philhawthorne/ha-dockermon:latest 4 | container_name: ha-dockermon 5 | restart: unless-stopped 6 | networks: 7 | - socket_proxy 8 | security_opt: 9 | - no-new-privileges:true 10 | ports: 11 | - "$HA_DOCKERMON_PORT:8126" 12 | volumes: 
13 | - $DOCKERDIR/ha-dockermon:/config 14 | # - /var/run/docker.sock:/var/run/docker.sock 15 | environment: 16 | PUID: $PUID 17 | PGID: $PGID 18 | TZ: $TZ 19 | DOCKER_HOST: tcp://socket-proxy:2375 -------------------------------------------------------------------------------- /appdata/traefik2/rules/hs/app-pihole-oauth.yml.example: -------------------------------------------------------------------------------- 1 | http: 2 | routers: 3 | pihole-rtr: 4 | rule: "Host(`pihole.{{env "DOMAINNAME_HS"}}`)" 5 | entryPoints: 6 | - websecure 7 | middlewares: 8 | - chain-oauth 9 | - pihole-add-admin 10 | service: pihole-svc 11 | tls: 12 | certResolver: dns-cloudflare 13 | middlewares: 14 | pihole-add-admin: 15 | addPrefix: 16 | prefix: "/admin" 17 | services: 18 | pihole-svc: 19 | loadBalancer: 20 | servers: 21 | - url: "http://192.168.1.26:80" # or whatever your external host's IP:port is 22 | -------------------------------------------------------------------------------- /appdata/php/php8/php/php.ini: -------------------------------------------------------------------------------- 1 | ; Memory 2 | memory_limit = 256M 3 | max_execution_time = 300 4 | max_input_time = 60 5 | max_input_vars = 3000 6 | 7 | ; File Upload 8 | upload_max_filesize = 8M 9 | post_max_size = 18M 10 | max_file_uploads = 20 11 | 12 | ; Error Handling 13 | error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT 14 | display_errors = Off 15 | display_startup_errors = Off 16 | log_errors = On 17 | error_log = /var/log/php/php-error.log 18 | 19 | ; Performance 20 | realpath_cache_size = 4096k 21 | realpath_cache_ttl = 120 22 | 23 | ; Session 24 | session.save_handler = files 25 | session.gc_probability = 1 26 | session.gc_divisor = 1000 -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-swarm/rules/hassio_ssh_terminal.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-hassterm] 
3 | [backends.backend-hassterm.servers] 4 | [backends.backend-hassterm.servers.server-hassterm-ext] 5 | url = "http://192.168.1.90:7681" 6 | weight = 0 7 | 8 | [frontends] 9 | [frontends.frontend-hassterm] 10 | backend = "backend-hassterm" 11 | passHostHeader = true 12 | # basicAuth = [ 13 | # "user:HASHED_PASSWORD", 14 | # ] 15 | [frontends.frontend-hassterm.routes] 16 | [frontends.frontend-hassterm.routes.route-hassterm-ext] 17 | rule = "Host:hassterm.example.com" 18 | -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-swarm/rules/portainer.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-portainer] 3 | [backends.backend-portainer.servers] 4 | [backends.backend-portainer.servers.server-portainer-ext] 5 | url = "http://192.168.1.90:8146" 6 | weight = 0 7 | 8 | [frontends] 9 | [frontends.frontend-portainer] 10 | backend = "backend-portainer" 11 | passHostHeader = true 12 | # basicAuth = [ 13 | # "user:HASHED_PASSWORD", 14 | # ] 15 | [frontends.frontend-portainer.routes] 16 | [frontends.frontend-portainer.routes.route-portainer-ext] 17 | rule = "Host:portainer.example.com" 18 | -------------------------------------------------------------------------------- /compose/hs/firefly-importer.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Firefly Importer - Data Importer for Firefly III 3 | firefly-importer: 4 | image: fireflyiii/data-importer:latest 5 | container_name: firefly_importer 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "all"] 10 | networks: 11 | - default 12 | ports: 13 | - "$FIREFLYIMPORTER_PORT:8080" 14 | volumes: 15 | - $DOCKERDIR/appdata/firefly:/var/www/html/storage/upload 16 | depends_on: 17 | - firefly 18 | env_file: $DOCKERDIR/appdata/firefly/importer.env 19 | # DOCKER-LABELS-PLACEHOLDER 20 | 
-------------------------------------------------------------------------------- /compose/ws-arm/redis-disk.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Redis - Key-value Store 3 | redis: 4 | image: docker.io/library/redis:alpine 5 | container_name: redis 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["core", "all"] 10 | command: --save 60 1 --loglevel warning # NOTE(review): no --requirepass is set while 6379 is published on the host below via $REDIS_PORT, so anything that can reach that host port talks to Redis unauthenticated; bind the mapping to 127.0.0.1 or add --requirepass (confirm what the host firewall allows before relying on it) 11 | healthcheck: 12 | test: ["CMD-SHELL", "redis-cli ping | grep PONG"] 13 | start_period: 20s 14 | interval: 30s 15 | retries: 5 16 | timeout: 3s 17 | networks: 18 | - default 19 | ports: 20 | - "$REDIS_PORT:6379" 21 | volumes: 22 | - $DOCKERDIR/appdata/redis:/data -------------------------------------------------------------------------------- /appdata/traefik2/rules/hs/app-proxmox-ve-oauth.yml.example: -------------------------------------------------------------------------------- 1 | http: 2 | routers: 3 | proxmox-rtr: 4 | rule: "Host(`pve.{{env "DOMAINNAME_HS"}}`)" 5 | entryPoints: 6 | - websecure 7 | middlewares: 8 | - chain-oauth 9 | service: proxmox-svc 10 | tls: 11 | certResolver: dns-cloudflare 12 | options: tls-opts@file 13 | services: 14 | proxmox-svc: 15 | loadBalancer: 16 | passHostHeader: true 17 | serversTransport: "pve" 18 | servers: 19 | - url: "https://192.168.1.100:8006/" 20 | serversTransports: 21 | pve: 22 | insecureSkipVerify: true # NOTE(review): disables certificate verification on the Traefik->backend hop, presumably because the appliance ships a self-signed cert — TODO confirm; prefer keeping verification on and trusting that cert via rootCAs on this serversTransport 23 | -------------------------------------------------------------------------------- /appdata/traefik2/rules/hs/app-unifi-controller-authelia.example: -------------------------------------------------------------------------------- 1 | http: 2 | routers: 3 | unifi-rtr: 4 | rule: "Host(`unifi.{{env "DOMAINNAME_HS"}}`)" 5 | entryPoints: 6 | - websecure 7 | middlewares: 8 | - chain-authelia 9 | service: unifi-svc 10 | tls: 11 | certResolver: dns-cloudflare 12 | options: tls-opts@file 13 | services: 14 | unifi-svc: 15 | loadBalancer: 16 | passHostHeader: 
true 17 | serversTransport: "pve" 18 | servers: 19 | - url: "https://192.168.1.100:8443/" 20 | serversTransports: 21 | pve: 22 | insecureSkipVerify: true # NOTE(review): same trade-off as the proxmox example — verification of the controller's certificate is off; prefer rootCAs on this serversTransport 23 | -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-swarm/rules/shellinabox.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-shellinabox] 3 | [backends.backend-shellinabox.servers] 4 | [backends.backend-shellinabox.servers.server-shellinabox-ext] 5 | url = "https://192.168.1.904200" # NOTE(review): host and port look fused (no ':' before the port); as written this is not a valid backend address — TODO confirm the intended host:port 6 | weight = 0 7 | 8 | [frontends] 9 | [frontends.frontend-shellinabox] 10 | backend = "backend-shellinabox" 11 | passHostHeader = true 12 | basicAuth = [ 13 | "user:HASHED_PASSWORD", 14 | ] 15 | [frontends.frontend-shellinabox.routes] 16 | [frontends.frontend-shellinabox.routes.route-shellinabox-ext] 17 | rule = "Host:shell.example.com" 18 | -------------------------------------------------------------------------------- /appdata/php/php7/conf.d/opcache.ini: -------------------------------------------------------------------------------- 1 | opcache.enable=0 2 | ; 0 means it will check on every request 3 | ;Development = 0. Production = 1 or comment out (default 1) 4 | #opcache.revalidate_freq=1 5 | ; 0 is irrelevant if opcache.validate_timestamps=0 which is desirable in production 6 | ;Development = 1. Production = 0 or comment out (default 0) 7 | #opcache.validate_timestamps=0 8 | ;Development = 1. 
Production =0 or comment out (default 0) 9 | #opcache.consistency_checks=0 10 | 11 | opcache.max_accelerated_files=20000 12 | opcache.memory_consumption=128 13 | opcache.max_wasted_percentage=10 14 | opcache.interned_strings_buffer=16 15 | opcache.fast_shutdown=1 16 | -------------------------------------------------------------------------------- /compose/hs/prowlarr.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Prowlarr - Index Manager 3 | prowlarr: 4 | image: ghcr.io/linuxserver/prowlarr:develop 5 | container_name: prowlarr 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "starr", "all"] 10 | networks: 11 | - default 12 | ports: 13 | - "$PROWLARR_PORT:9696" 14 | volumes: 15 | - $DOCKERDIR/appdata/prowlarr:/config 16 | - $DOWNLOADSDIR:/data/downloads 17 | - "/etc/localtime:/etc/localtime:ro" 18 | environment: 19 | TZ: $TZ 20 | PUID: $PUID 21 | PGID: $PGID 22 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /compose/ws-arm/sshwifty.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Sshwifty - Web SSH & Telnet Client 3 | sshwifty: 4 | image: niruix/sshwifty:latest 5 | container_name: sshwifty 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["core", "all"] 10 | network_mode: "host" 11 | user: "$PUID:$PGID" 12 | volumes: 13 | - $DOCKERDIR/appdata/sshwifty/conf.json:/sshwifty.conf.json 14 | environment: 15 | - TZ=$TZ 16 | - SSHWIFTY_LISTENPORT=$SSHWIFTY_PORT 17 | - SSHWIFTY_SHAREDKEY=$SSHWIFTY_PASSWORD 18 | - SSHWIFTY_CONFIG=/sshwifty.conf.json 19 | # DOCKER-LABELS-PLACEHOLDER 20 | -------------------------------------------------------------------------------- /appdata/php/php8/php/conf.d/opcache.ini.example: -------------------------------------------------------------------------------- 1 | 
opcache.enable=1 2 | 3 | ; 0 means it will check on every request 4 | ;Development = 0. Production = 1 or comment out (default 1) 5 | opcache.revalidate_freq=0 6 | ; 0 is irrelevant if opcache.validate_timestamps=0 which is desirable in production 7 | ;Development = 1. Production = 0 or comment out (default 0) 8 | opcache.validate_timestamps=1 9 | ;Development = 1. Production = 0 or comment out (default 0) 10 | opcache.consistency_checks=1 11 | 12 | opcache.max_accelerated_files=20000 13 | opcache.memory_consumption=192 14 | opcache.max_wasted_percentage=10 15 | opcache.interned_strings_buffer=16 16 | opcache.fast_shutdown=1 -------------------------------------------------------------------------------- /appdata/php/php8/php/conf.d/opcache.ini.old: -------------------------------------------------------------------------------- 1 | opcache.enable=1 2 | ; 0 means it will check on every request 3 | ;Development = 0. Production = 1 or comment out (default 1) 4 | opcache.revalidate_freq=1 5 | ; 0 is irrelevant if opcache.validate_timestamps=0 which is desirable in production 6 | ;Development = 1. Production = 0 or comment out (default 0) 7 | opcache.validate_timestamps=0 8 | ;Development = 1. 
Production =0 or comment out (default 0) 9 | opcache.consistency_checks=0 10 | 11 | opcache.max_accelerated_files=20000 12 | opcache.memory_consumption=128 13 | opcache.max_wasted_percentage=10 14 | opcache.interned_strings_buffer=16 15 | opcache.fast_shutdown=1 16 | -------------------------------------------------------------------------------- /appdata/traefik2/rules/toml/app-unifi.toml.example: -------------------------------------------------------------------------------- 1 | [http.routers] 2 | [http.routers.unifi-rtr] 3 | entryPoints = ["https"] 4 | rule = "Host(`unifi.example.com`)" # will only work with cloudflare Full SSL (not Strict) 5 | service = "unifi-svc" 6 | middlewares = ["chain-authelia"] 7 | [http.routers.unifi-rtr.tls] 8 | certresolver = "dns-cloudflare" 9 | [http.services] 10 | [http.services.unifi-svc] 11 | [http.services.unifi-svc.loadBalancer] 12 | passHostHeader = true 13 | [[http.services.unifi-svc.loadBalancer.servers]] 14 | "https://192.168.5.254:8443" # or whatever your external host's IP:port is 15 | -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-swarm/rules/plexwebtools.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-plexwebtools] 3 | [backends.backend-plexwebtools.servers] 4 | [backends.backend-plexwebtools.servers.server-plexwebtools-ext] 5 | url = "http://192.168.1.254:33400/" 6 | weight = 0 7 | 8 | [frontends] 9 | [frontends.frontend-plexwebtools] 10 | backend = "backend-plexwebtools" 11 | passHostHeader = true 12 | # basicAuth = [ 13 | # "user:HASHED_PASSWORD", 14 | # ] 15 | [frontends.frontend-plexwebtools.routes] 16 | [frontends.frontend-plexwebtools.routes.route-plexwebtools-ext] 17 | rule = "Host:pwt.example.com" -------------------------------------------------------------------------------- /compose/hs/bazarr.yml: 
-------------------------------------------------------------------------------- 1 | services: 2 | # Bazarr - Subtitle Management 3 | bazarr: 4 | image: lscr.io/linuxserver/bazarr 5 | container_name: bazarr 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["media", "starr", "all"] 10 | networks: 11 | - default 12 | ports: 13 | - "$BAZARR_PORT:6767" 14 | volumes: 15 | - $DOCKERDIR/appdata/bazarr:/config 16 | - $MEDIADIR1:/data/media1 17 | - $MEDIADIR2:/data/media2 18 | # - $MEDIADIR3:/data/media3 19 | environment: 20 | TZ: $TZ 21 | PUID: $PUID 22 | PGID: $PGID 23 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /commits/2022/2022_06_26.txt: -------------------------------------------------------------------------------- 1 | * Several updates 2022_06_26. See full commit log. 2 | * Published my real middlewares.yml, middlewares-chains.yml, and tls-opts.yml, thanks to the previous commit that allowed usage of environmental variables in rules. 3 | * Added LOCAL_IPS and CLOUDFLARE_IPS variables to simplify Traefik compose. 4 | * Added CrowdSec, CrowdSec Dashboard, and Traefik Bouncer. This appears to be working well but will check for a few more days before publishing a separate guide on it. 5 | * Updated middlewares and chains to include crowdsec middleware. 6 | * Updated Traefik logs and its path to support parsing with Crowdsec. Also separated traefik log and access log. 
7 | -------------------------------------------------------------------------------- /compose/archives/apcupsd.yml: -------------------------------------------------------------------------------- 1 | # APCUPSD - APC UPS Management 2 | # create the apcupsd.conf file 3 | apcupsd: 4 | image: gersilex/apcupsd:latest 5 | container_name: apcupsd 6 | restart: unless-stopped 7 | networks: 8 | - t2_proxy 9 | security_opt: 10 | - no-new-privileges:true 11 | ports: 12 | - "$APCUPSD_PORT:3551" 13 | privileged: true 14 | tty: true 15 | volumes: 16 | - /tmp/apcupsd-docker:/tmp/apcupsd-docker 17 | - $DOCKERDIR/apcupsd/apcupsd.conf:/etc/apcupsd/apcupsd.conf 18 | - $DOCKERDIR/apcupsd/doshutdown:/etc/apcupsd/doshutdown 19 | - $DOCKERDIR/apcupsd/apcupsd.events:/var/log/apcupsd.events -------------------------------------------------------------------------------- /commits/2022/2022_02_04.txt: -------------------------------------------------------------------------------- 1 | * Several updates 2022_02_04. See full commit log. 2 | * Moved bash_aliases to /shared/config/ 3 | * Implemented bash_aliases.env to hide sensitive information, which will allow me to share my current bash_aliases which keeps evolving 4 | * Customized bash_aliases so i can share it among different hosts and yet tweak them automatically depending on the host (eg. 
aliases picking the right docker-compose files on various platforms) 5 | * Moved platform-specific traefik rules to specific folders so i can share the repo among several of my devices 6 | * Changed default domain to DOMAINNAME0 and the rest to $DOMAINNAME1 and 2 align the docker-compose files 7 | * Updated README -------------------------------------------------------------------------------- /compose/mds/plex-meta-manager.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Plex Meta Manager - Automatic Metadata Manager for Plex 3 | plexmm: 4 | image: lscr.io/linuxserver/plex-meta-manager:latest 5 | container_name: plexmm 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: "no" 9 | profiles: ["media", "all"] 10 | environment: 11 | TZ: $TZ 12 | PUID: $PUID 13 | PGID: $PGID 14 | PMM_CONFIG: /config/config.yml #optional 15 | PMM_TIME: 03:00 #optional 16 | PMM_RUN: "True" #optional 17 | PMM_TEST: "False" #optional 18 | PMM_NO_MISSING: "False" #optional 19 | volumes: 20 | - $DOCKERDIR/appdata/plex-meta-manager:/config -------------------------------------------------------------------------------- /compose/ws-arm/grafana.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Grafana - Graphical data visualization for InfluxDB data 3 | grafana: 4 | image: grafana/grafana:latest 5 | container_name: grafana 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "all"] 10 | networks: 11 | - default 12 | ports: 13 | - "$GRAFANA_PORT:3000" 14 | user: $PUID 15 | volumes: 16 | - $DOCKERDIR/appdata/grafana:/var/lib/grafana 17 | environment: 18 | GF_INSTALL_PLUGINS: "grafana-clock-panel,grafana-simple-json-datasource,grafana-worldmap-panel,grafana-piechart-panel,cloudflare-app" 19 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /compose/ws-arm/open-webui.yml: 
-------------------------------------------------------------------------------- 1 | services: 2 | # Open-WebUI - User-friendly AI Interface 3 | open-webui: 4 | image: ghcr.io/open-webui/open-webui:main 5 | container_name: open-webui # NOTE(review): no security_opt: no-new-privileges here, unlike the other services in this repo - confirm that is deliberate
6 | restart: unless-stopped 7 | profiles: ["apps", "all"] 8 | networks: 9 | - default 10 | depends_on: 11 | - ollama 12 | ports: 13 | - "$OPENWEBUI_PORT:8080" 14 | environment: 15 | - OLLAMA_BASE_URL=http://10.0.0.71:$OLLAMA_PORT # NOTE(review): hard-coded host IP; ollama is on the same default network (and a depends_on), so the service name on its container port (http://ollama:11434) would avoid the fixed address and the trip through the published host port - verify before changing
16 | - WEBUI_SECRET_KEY=$OPENWEBUI_SECRET_KEY 17 | # - CORS_ALLOW_ORIGIN= 18 | - USER_AGENT=Open-WebUI 19 | volumes: 20 | - $DOCKERDIR/appdata/open-webui:/app/backend/data 21 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /compose/ws-arm/ollama.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Ollama - Local LLM runtime (backend for Open-WebUI) 3 | ollama: 4 | image: ollama/ollama:latest 5 | container_name: ollama # NOTE(review): no security_opt: no-new-privileges here either - confirm
6 | restart: unless-stopped 7 | profiles: ["apps", "all"] 8 | networks: 9 | - default 10 | ports: 11 | - "$OLLAMA_PORT:11434" # NOTE(review): Ollama's API carries no authentication of its own; publishing it on the host makes the model endpoint reachable by anything that can reach this port - keep it LAN/firewall-restricted, or drop the mapping once open-webui reaches it by service name
12 | volumes: 13 | - $DOCKERDIR/appdata/ollama:/root/.ollama 14 | # deploy: 15 | # resources: 16 | # reservations: 17 | # devices: 18 | # - driver: nvidia 19 | # device_ids: ['all'] 20 | # capabilities: [gpu] 21 | environment: 22 | - OLLAMA_KEEP_ALIVE=24h 23 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /compose/archives/node-exporter.yml: -------------------------------------------------------------------------------- 1 | # Node Exporter - Metrics to Prometheus 2 | node-exporter: 3 | <<: *common-keys-monitoring # See EXTENSION FIELDS at the top 4 | container_name: node-exporter 5 | image: prom/node-exporter:latest 6 | ports: 7 | - "$NODE_EXPORTER_PORT:9100" 8 | volumes: 9 | - /proc:/host/proc:ro 10 | - /sys:/host/sys:ro 11 | - /:/rootfs:ro 12 | command: 13 | - '--path.procfs=/host/proc' 14 | - 
'--path.sysfs=/host/sys' 15 | - --collector.filesystem.ignored-mount-points 16 | - "^/(sys|proc|dev|host|etc|rootfs/var/lib/docker/containers|rootfs/var/lib/docker/overlay2|rootfs/run/docker/netns|rootfs/var/lib/docker/aufs)($$|/)" -------------------------------------------------------------------------------- /compose/ws-arm/cloudflare-bouncer.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # CrowdSec Bouncer - Cloudflare 3 | # sudo docker exec crowdsec cscli bouncer add cloudflare-bouncer 4 | # Set max ip number right the first time (max 10000). Recreating container deletes all ips and readds them causing cloudflare 429 rate limiting. 5 | cloudflare-bouncer: 6 | image: crowdsecurity/cloudflare-bouncer 7 | container_name: cloudflare-bouncer 8 | security_opt: 9 | - no-new-privileges:true 10 | restart: unless-stopped 11 | profiles: ["core", "all"] 12 | networks: 13 | - default 14 | volumes: 15 | - $DOCKERDIR/appdata/cloudflare-bouncer/cfg.yaml:/etc/crowdsec/bouncers/crowdsec-cloudflare-bouncer.yaml -------------------------------------------------------------------------------- /compose/mds/tautulli.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Tautulli - Plex Statistics and Monitoring 3 | tautulli: 4 | image: lscr.io/linuxserver/tautulli:latest 5 | container_name: tautulli 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["media", "all"] 10 | networks: 11 | - default 12 | ports: 13 | - "$TAUTULLI_PORT:8181" 14 | volumes: 15 | - $DOCKERDIR/appdata/tautulli/config:/config 16 | - $DOCKERDIR/appdata/plex/Library/Application Support/Plex Media Server/Logs:/logs:ro # For tautulli Plex log viewer 17 | environment: 18 | TZ: $TZ 19 | PUID: $PUID 20 | PGID: $PGID 21 | # DOCKER-LABELS-PLACEHOLDER 22 | -------------------------------------------------------------------------------- /commits/2025_10_15.txt: 
-------------------------------------------------------------------------------- 1 | * Several updates 2025_10_15. See full commit log. 2 | * Big update after several months. I was focussed on updating the UDMS guides and developing Deployrr. 3 | * Rebuilt Home Server (hs) and Web Server (ws-arm) from scratch using Deployrr and UDMS Series 2025. Synology will be updated at somepoint. 4 | * Traefik udpated to v3. 5 | * Updated .env.example to match Deployrr/UDMS standards. 6 | * Updated README.md with current information and links to latest UDMS guides and videos. 7 | * Manually switched Google OAuth (Traefik Forward Auth) from thomseddon/traefik-forward-auth:latest to italypaleale/traefik-forward-auth:4 (maintained regularly at this time + more features). Deployrr will be updated at some point. -------------------------------------------------------------------------------- /compose/hs/notifiarr.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Notifiarr - Client for Notifiarr.com 3 | notifiarr: 4 | image: golift/notifiarr 5 | container_name: notifiarr 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["media", "all"] 10 | networks: 11 | - default 12 | ports: 13 | - "$NOTIFIARR_PORT:5454" 14 | volumes: 15 | - $DOCKERDIR/appdata/notifiarr:/config 16 | - /var/run/utmp:/var/run/utmp # NOTE(review): host login records mounted read-write; unless the client writes here, add :ro as the /etc/localtime mounts elsewhere in this repo do
17 | - /etc/machine-id:/etc/machine-id # NOTE(review): same - read-only is presumably enough for reading the host identity
18 | environment: 19 | DN_API_KEY: $NOTIFIARR_API_KEY # NOTE(review): API key passed as a plain env var (readable via docker inspect); mariadb in this repo uses a docker secret instead - use one here if the image supports a file-based key
20 | #DN_AUTO_UPDATE: off 21 | TZ: $TZ 22 | PUID: $PUID 23 | PGID: $PGID 24 | # DOCKER-LABELS-PLACEHOLDER 25 | -------------------------------------------------------------------------------- /compose/hs/picard.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Picard - Music Library Tagging and Management 3 | picard: 4 | image: mikenye/picard:latest 5 | container_name: picard 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 
9 | profiles: ["media", "all"] 10 | networks: 11 | - default 12 | ports: 13 | - "$PICARD_PORT:5800" 14 | volumes: 15 | - $DOCKERDIR/appdata/picard:/config:rw 16 | - $DOWNLOADSDIR:/downloads 17 | - /dev/shm:/dev/shm # NOTE(review): shares the host's shared-memory segment with the container; if the GUI only needs a larger /dev/shm, a private one via shm_size keeps host memory segments out of reach
18 | environment: 19 | USER_ID: $PUID 20 | GROUP_ID: $PGID 21 | TZ: $TZ 22 | UMASK: 002 23 | DISPLAY_WIDTH: 1600 24 | DISPLAY_HEIGHT: 960 25 | # DOCKER-LABELS-PLACEHOLDER 26 | -------------------------------------------------------------------------------- /commits/2021/2021_10_04.txt: -------------------------------------------------------------------------------- 1 | * Several updates 2021_10_04. See full commit log. 2 | * Upgrade docker-compose to 1.29.2 (1.28.0 or up needed for compose profiles) 3 | * Change docker-compsose file version to 3.9 4 | * Upgraded traefik to v2.5.x (brie) 5 | * Added support for docker-compose profiles - thanks for the tip tomlawson.io. 6 | * Update bash aliases to support docker-compose profiles. 7 | * Added compose profiles to all services for testing. 
8 | * Removed depends_on from dozzle and docker_gc 9 | * Replaced featurePolicy with permissionsPolicy in middlewares.yml - for Traefik v2.5.x 10 | * Replaced sslRedirect with RedirectScheme in middlewares.yml - for Traefik v2.5.x 11 | * Updated traefik middlewares example yml and toml files -------------------------------------------------------------------------------- /compose/archives/traefik-certs-dumper.yml: -------------------------------------------------------------------------------- 1 | # Traefik Certs Dumper - Extract LetsEncrypt Certificates - Traefik2 Compatible 2 | certdumper: 3 | container_name: traefik_certdumper 4 | image: humenius/traefik-certs-dumper:latest 5 | network_mode: none 6 | # profiles: 7 | # - core 8 | security_opt: 9 | - no-new-privileges:true 10 | # command: --restart-containers container1,container2,container3 11 | volumes: 12 | - $DOCKERDIR/appdata/traefik2/acme:/traefik:ro 13 | - $DOCKERDIR/shared/certs/home:/output:rw 14 | # - /var/run/docker.sock:/var/run/docker.sock:ro # Only needed if restarting containers (use Docker Socket Proxy instead) 15 | environment: 16 | DOMAIN: $DOMAINNAME0 -------------------------------------------------------------------------------- /compose/hs/sabnzbd.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # SABnzbd - Binary newsgrabber (NZB downloader) 3 | # Disable SABNnzbd's built-in HTTPS support for traefik proxy to work 4 | sabnzbd: 5 | image: lscr.io/linuxserver/sabnzbd:latest 6 | container_name: sabnzbd 7 | security_opt: 8 | - no-new-privileges:true 9 | restart: unless-stopped 10 | profiles: ["apps", "downloads", "all"] 11 | networks: 12 | - default 13 | ports: 14 | - "$SABNZBD_PORT:8080" 15 | volumes: 16 | - $DOCKERDIR/appdata/sabnzbd:/config 17 | - $DOWNLOADSDIR:/data/downloads 18 | environment: 19 | PUID: $PUID 20 | PGID: $PGID 21 | TZ: $TZ 22 | UMASK_SET: 002 23 | # DOCKER-LABELS-PLACEHOLDER 
-------------------------------------------------------------------------------- /commits/2023/2023_03_02.txt: -------------------------------------------------------------------------------- 1 | * Several updates 2023_03_02. See full commit log. 2 | 3 | * Converted by Synology M2 drives from cache device to a volume for docker. Significantly faster docker performance. Consequently few minor changes to paths (volume1 to volume3) 4 | * Updated traefik app yml for Home Assistant OS. 5 | * Replaced Transmission (with built in VPN killswitch) with Gluetun and Surfshark Wireguard VPN (https://bit.ly/shb-surfshark). 6 | * Replaced Transmission with qBittorrent (which I prefer) via Glueten VPN. 7 | * Added a whoami container on home server for testing purposes. 8 | * Replaced Dashy with Homepage. 9 | * Added deunhealth so qBittorrent heals after VPN disconnects/restarts 10 | * Updated docker and docker compose versions -------------------------------------------------------------------------------- /appdata/nginx/sites/simplehomelab.conf: -------------------------------------------------------------------------------- 1 | server { 2 | listen 80; 3 | server_name simplehomelab.com; 4 | return 301 $scheme://www.simplehomelab.com$request_uri; # NOTE(review): this server only listens on 80, so $scheme is always "http" here; if TLS is terminated upstream (Traefik), the redirect sends clients to the plain-http www host and relies on a second redirect back to https - consider redirecting to https:// directly (or deriving the scheme from X-Forwarded-Proto)
5 | } 6 | 7 | server { 8 | listen 80; 9 | server_name www.simplehomelab.com; 10 | 11 | root /var/www/html/simplehomelab; 12 | index index.php; 13 | 14 | access_log /var/log/nginx/simplehomelab-access.log; 15 | error_log /var/log/nginx/simplehomelab-error.log; 16 | 17 | # #include common/hotlink.conf; 18 | include common/wp-rankmath-sitemap-config.conf; 19 | include common/wp-404-rewrites.conf; 20 | 21 | include common/php8/wp-nfc-php.conf; 22 | include common/php8/wp-common-php.conf; 23 | include common/wp-locations-php.conf; 24 | } 25 | -------------------------------------------------------------------------------- /compose/hs/cloud-commander.yml: -------------------------------------------------------------------------------- 1 | 
services: 2 | # Cloud Commander - web file manager 3 | cloud-commander: 4 | image: coderaiser/cloudcmd 5 | container_name: cloud-commander 6 | restart: unless-stopped 7 | security_opt: 8 | - no-new-privileges:true 9 | profiles: ["apps", "all"] 10 | networks: 11 | - default 12 | ports: 13 | - "$CLOUDCOMMANDER_PORT:8000" 14 | volumes: 15 | - $DOCKERDIR/appdata/cloud-commander:/root 16 | - $USERDIR:/data/$PRIMARY_USERNAME 17 | - $MEDIADIR1:/data/media1 18 | - $MEDIADIR2:/data/media2 19 | # - $MEDIADIR3:/data/media3 20 | environment: 21 | PUID: $PUID 22 | PGID: $PGID 23 | TZ: $TZ 24 | # DOCKER-LABELS-PLACEHOLDER 25 | -------------------------------------------------------------------------------- /appdata/traefik2/rules/ds918/tls-opts.yml: -------------------------------------------------------------------------------- 1 | tls: 2 | options: 3 | tls-opts: 4 | minVersion: VersionTLS12 5 | cipherSuites: 6 | - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 7 | - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 8 | - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 9 | - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 10 | - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 11 | - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 12 | - TLS_AES_128_GCM_SHA256 13 | - TLS_AES_256_GCM_SHA384 14 | - TLS_CHACHA20_POLY1305_SHA256 15 | - TLS_FALLBACK_SCSV # Client is doing version fallback. 
See RFC 7507 16 | curvePreferences: 17 | - CurveP521 18 | - CurveP384 19 | sniStrict: true 20 | -------------------------------------------------------------------------------- /appdata/traefik2/rules/hs/tls-opts.yml: -------------------------------------------------------------------------------- 1 | tls: 2 | options: 3 | tls-opts: 4 | minVersion: VersionTLS12 5 | cipherSuites: 6 | - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 7 | - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 8 | - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 9 | - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 10 | - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 11 | - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 12 | - TLS_AES_128_GCM_SHA256 13 | - TLS_AES_256_GCM_SHA384 14 | - TLS_CHACHA20_POLY1305_SHA256 15 | - TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507 16 | curvePreferences: 17 | - CurveP521 18 | - CurveP384 19 | sniStrict: true 20 | -------------------------------------------------------------------------------- /appdata/traefik2/rules/toml/app-pihole.toml.example: -------------------------------------------------------------------------------- 1 | [http.routers] 2 | [http.routers.pihole-rtr] 3 | entryPoints = ["https"] 4 | rule = "HostHeader(`pihole.example.com`)" 5 | service = "pihole-svc" 6 | middlewares = ["chain-authelia", "pihole-add-admin"] 7 | [http.routers.pihole-rtr.tls] 8 | certresolver = "dns-cloudflare" 9 | 10 | [http.middlewares] 11 | [http.middlewares.pihole-add-admin.addPrefix] 12 | prefix = "/admin" 13 | 14 | [http.services] 15 | [http.services.pihole-svc] 16 | [http.services.pihole-svc.loadBalancer] 17 | passHostHeader = true 18 | [[http.services.pihole-svc.loadBalancer.servers]] 19 | url = "http://PIHOLE-IP:80" # or whatever your external host's IP:port is 20 | -------------------------------------------------------------------------------- /appdata/traefik2/rules/ws/tls-opts.yml: -------------------------------------------------------------------------------- 1 | tls: 2 | options: 3 | 
tls-opts: 4 | minVersion: VersionTLS12 5 | cipherSuites: 6 | - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 7 | - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 8 | - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 9 | - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 10 | - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 11 | - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 12 | - TLS_AES_128_GCM_SHA256 13 | - TLS_AES_256_GCM_SHA384 14 | - TLS_CHACHA20_POLY1305_SHA256 15 | - TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507 16 | curvePreferences: 17 | - CurveP521 18 | - CurveP384 19 | sniStrict: true 20 | -------------------------------------------------------------------------------- /appdata/traefik3/rules/hs/tls-opts.yml: -------------------------------------------------------------------------------- 1 | tls: 2 | options: 3 | tls-opts: 4 | minVersion: VersionTLS12 5 | cipherSuites: 6 | - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 7 | - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 8 | - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 9 | - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 10 | - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 11 | - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 12 | - TLS_AES_128_GCM_SHA256 13 | - TLS_AES_256_GCM_SHA384 14 | - TLS_CHACHA20_POLY1305_SHA256 15 | - TLS_FALLBACK_SCSV # Client is doing version fallback. 
See RFC 7507 16 | curvePreferences: 17 | - CurveP521 18 | - CurveP384 19 | sniStrict: true 20 | -------------------------------------------------------------------------------- /compose/hs/lidarr.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Lidarr - Music Management 3 | lidarr: 4 | image: lscr.io/linuxserver/lidarr:latest 5 | container_name: lidarr 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["media", "starr", "all"] 10 | networks: 11 | - default 12 | ports: 13 | - "$LIDARR_PORT:8686" 14 | volumes: 15 | - $DOCKERDIR/appdata/lidarr:/config 16 | - $DATADIR1:/data 17 | # - $MEDIADIR2:/data/media2 18 | # - $MEDIADIR3:/data/media3 19 | - $DOWNLOADSDIR:/data/downloads 20 | - "/etc/localtime:/etc/localtime:ro" 21 | environment: 22 | TZ: $TZ 23 | PUID: $PUID 24 | PGID: $PGID 25 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /appdata/traefik3/rules/ws-arm/tls-opts.yml: -------------------------------------------------------------------------------- 1 | tls: 2 | options: 3 | tls-opts: 4 | minVersion: VersionTLS12 5 | cipherSuites: 6 | - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 7 | - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 8 | - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 9 | - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 10 | - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 11 | - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 12 | - TLS_AES_128_GCM_SHA256 13 | - TLS_AES_256_GCM_SHA384 14 | - TLS_CHACHA20_POLY1305_SHA256 15 | - TLS_FALLBACK_SCSV # Client is doing version fallback. 
See RFC 7507 16 | curvePreferences: 17 | - CurveP521 18 | - CurveP384 19 | sniStrict: true 20 | -------------------------------------------------------------------------------- /compose/ws-arm/deployrr-dashboard.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Deployarr Dashboard - Homepage based Dashboard for Deployarr 3 | deployrr-dashboard: 4 | image: ghcr.io/gethomepage/homepage:v0.9.13 5 | container_name: deployrr-dashboard 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "all"] 10 | networks: 11 | - default 12 | - socket_proxy 13 | ports: 14 | - "$DEPLOYARRDASHBOARD_PORT:3000" 15 | volumes: 16 | - $DOCKERDIR/appdata/deployrr-dashboard/config:/app/config 17 | - $DOCKERDIR/appdata/deployrr-dashboard/images:/app/public/images 18 | environment: 19 | TZ: $TZ 20 | PUID: $PUID 21 | PGID: $PGID 22 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /commits/2020/2020_08_21.txt: -------------------------------------------------------------------------------- 1 | Downgraded synology watchtower docker api to 1.39 (max supported). Added some comments. 2 | * Upgrade docker-compose to 1.29.2 (1.28.0 or up needed for compose profiles) 3 | * Change docker-compsose file version to 3.9 4 | * Upgraded traefik to v2.5.x (brie) 5 | * Added support for docker-compose profiles - thanks for the tip tomlawson.io. 6 | * Update bash aliases to support docker-compose profiles. 7 | * Added compose profiles to all services for testing. 
8 | * Removed depends_on from dozzle and docker_gc 9 | * Replaced featurePolicy with permissionsPolicy in middlewares.yml - for Traefik v2.5.x 10 | * Replaced sslRedirect with RedirectScheme in middlewares.yml - for Traefik v2.5.x 11 | * Updated traefik middlewares example yml and toml files -------------------------------------------------------------------------------- /compose/ws-arm/phpmyadmin.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # phpMyAdmin - Database management 3 | # Create a new user with admin privileges. Cannot login as MySQL root for some reason. 4 | phpmyadmin: 5 | image: lscr.io/linuxserver/phpmyadmin:latest 6 | container_name: phpmyadmin 7 | security_opt: 8 | - no-new-privileges:true 9 | restart: unless-stopped 10 | profiles: ["apps", "all"] 11 | networks: 12 | - default 13 | ports: 14 | - "$PHPMYADMIN_PORT:80" 15 | environment: 16 | - PUID=$PUID 17 | - PGID=$PGID 18 | - TZ=$TZ 19 | - PMA_ARBITRARY=0 #optional 20 | - PMA_ABSOLUTE_URI=https://pma.$DOMAINNAME_1 #optional 21 | - PMA_HOST=mariadb 22 | - PMA_PORT=3306 23 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /compose/ws-arm/portchecker-api.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Port Checker API - Backend API for the Port Checker 3 | portchecker-api: 4 | image: ghcr.io/dsgnr/portcheckerio-api:latest 5 | container_name: api 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "all"] 10 | networks: 11 | - default 12 | ports: 13 | - $PORTCHECKERAPI_PORT:8000 14 | healthcheck: 15 | test: ["CMD", "wget", "--spider", "-S", "http://10.0.0.71:$PORTCHECKERAPI_PORT/healthz"] 16 | interval: 30s 17 | timeout: 10s 18 | retries: 3 19 | start_period: 5s 20 | environment: 21 | - ALLOW_PRIVATE=false # Prevent usage of private IP addresses 22 | # DOCKER-LABELS-PLACEHOLDER 
-------------------------------------------------------------------------------- /compose/ws-arm/redis.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Redis - Key-value Store 3 | # Add vm.overcommit_memory = 1 to /etc/sysctl.conf 4 | redis: 5 | image: docker.io/library/redis:alpine 6 | container_name: redis 7 | security_opt: 8 | - no-new-privileges:true 9 | restart: unless-stopped 10 | profiles: ["core", "all"] 11 | command: redis-server --save "" --maxmemory 1gb --maxmemory-policy allkeys-lru # NOTE(review): --save "" disables RDB snapshots (cache-only instance); no --requirepass is set, so with the port published below anything that can reach $REDIS_PORT talks to Redis unauthenticated - confirm that is intended, or set a password / drop the host port if only other containers on this network use it
12 | healthcheck: 13 | test: ["CMD-SHELL", "redis-cli ping | grep PONG"] 14 | start_period: 20s 15 | interval: 30s 16 | retries: 5 17 | timeout: 3s 18 | networks: 19 | - default 20 | ports: 21 | - "$REDIS_PORT:6379" 22 | deploy: 23 | resources: 24 | limits: 25 | memory: 1GB # NOTE(review): the cgroup limit equals --maxmemory, leaving no headroom for Redis's own overhead (allocator fragmentation, client buffers); the container can be OOM-killed before eviction kicks in - a limit somewhat above maxmemory is the usual practice
-------------------------------------------------------------------------------- /compose/ws-arm/openhands.yml: -------------------------------------------------------------------------------- 1 | services: 2 | openhands: 3 | image: docker.all-hands.dev/all-hands-ai/openhands:0.26 4 | container_name: openhands 5 | security_opt: 6 | - no-new-privileges:true 7 | restart: unless-stopped 8 | profiles: ["core", "all"] 9 | networks: 10 | - default 11 | environment: 12 | - SANDBOX_RUNTIME_CONTAINER_IMAGE=docker.all-hands.dev/all-hands-ai/runtime:0.26-nikolaik 13 | - LOG_ALL_EVENTS=true 14 | volumes: 15 | - /var/run/docker.sock:/var/run/docker.sock # NOTE(review): read-write Docker socket gives this container root-equivalent control of the host (no-new-privileges above does not limit that); the rest of this repo routes socket access through the socket_proxy network instead - OpenHands needs the socket to launch the sandbox runtime image above, so at minimum treat this service as fully trusted and keep its UI off the public side
16 | - $DOCKERDIR/appdata/openhands:/.openhands-state 17 | - /home/anand:/data/anand # NOTE(review): a real user's home directory mounted read-write into a container that also holds the Docker socket; the repo's convention elsewhere is $USERDIR:/data/$PRIMARY_USERNAME - and consider whether the whole home (ssh keys, tokens) needs to be visible or only a project subfolder
18 | ports: 19 | - "3010:3000" # NOTE(review): hard-coded host port; every other service in this repo takes it from a $..._PORT variable
20 | extra_hosts: 21 | - "host.docker.internal:host-gateway" 22 | pull_policy: if_not_present -------------------------------------------------------------------------------- /appdata/nginx/common/php7/wp-common-php.conf: -------------------------------------------------------------------------------- 1 | # WordPress COMMON SETTINGS 2 | 3 | # Limit access to avoid brute force attack 4 | location = 
/wp-login.php { 5 | #include common/acl.conf; 6 | limit_req zone=one burst=1 nodelay; # NOTE(review): assumes a limit_req_zone named "one" is declared at http level outside this file - confirm it exists wherever this snippet is included
7 | include fastcgi.conf; 8 | fastcgi_pass php7; 9 | } 10 | # Disable wp-config.txt 11 | location = /wp-config.txt { # NOTE(review): exact-match (=) location, so only this one path is covered; other variants (e.g. editor backup copies of wp-config.php) need their own rule
12 | deny all; 13 | access_log off; 14 | log_not_found off; 15 | } 16 | 17 | # Disable xmlrpc 18 | location = /xmlrpc.php { 19 | deny all; 20 | access_log off; 21 | log_not_found off; 22 | } 23 | 24 | # Disallow php in upload folder 25 | #location /wp-content/uploads/ { 26 | location /images/ { # NOTE(review): the wp-content/uploads location above is commented out, so this deny applies to /images/ only - PHP files under the WordPress uploads folder are not blocked by this file
27 | location ~ \.php$ { 28 | #Prevent Direct Access Of PHP Files From Web Browsers 29 | deny all; 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /compose/archives/certdumper.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Traefik Certs Dumper - Extract LetsEncrypt Certificates - Traefik2 Compatible 3 | certdumper: 4 | container_name: traefik_certdumper 5 | image: humenius/traefik-certs-dumper:latest 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "all"] 10 | network_mode: none 11 | # command: --restart-containers container1,container2,container3 12 | volumes: 13 | - $DOCKERDIR/appdata/traefik2/acme:/traefik:ro 14 | - $DOCKERDIR/shared/certs/$DOMAINNAME_WS:/output:rw # NOTE(review): the dumped certificates (and their private keys) land on the host under shared/certs - make sure that path's permissions are as tight as the acme store's, since it is as sensitive
15 | # - /var/run/docker.sock:/var/run/docker.sock:ro # Only needed if restarting containers (use Docker Socket Proxy instead) 16 | environment: 17 | DOMAIN: $DOMAINNAME_WS -------------------------------------------------------------------------------- /compose/hs/kometa.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Kometa - Automatic Metadata Manager for Plex (formerly Plex Meta Manager) 3 | kometa: 4 | image: lscr.io/linuxserver/kometa:latest 5 | container_name: kometa 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["media", "all"] 10 | networks: 11 | 
- default 12 | volumes: 13 | - $DOCKERDIR/appdata/kometa:/config 14 | environment: 15 | TZ: $TZ 16 | PUID: $PUID 17 | PGID: $PGID 18 | KOMETA_CONFIG: /config/config.yml #optional 19 | KOMETA_TIME: 03:00 #optional 20 | KOMETA_RUN: True #optional 21 | KOMETA_TEST: False #optional 22 | KOMETA_NO_MISSING: False #optional 23 | # DOCKER-LABELS-PLACEHOLDER 24 | 25 | -------------------------------------------------------------------------------- /compose/hs/radarr.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Radarr - Movies Management 3 | radarr: 4 | image: lscr.io/linuxserver/radarr:latest 5 | container_name: radarr 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["media", "starr", "all"] 10 | networks: 11 | - default 12 | ports: 13 | - "$RADARR_PORT:7878" 14 | volumes: 15 | - $DOCKERDIR/appdata/radarr:/config 16 | - $MEDIADIR1/movies:/data/movies1 17 | - $MEDIADIR2/movies:/data/movies2 18 | # - $MEDIADIR3:/data/media3 19 | - $DOWNLOADSDIR:/data/downloads 20 | - "/etc/localtime:/etc/localtime:ro" 21 | environment: 22 | TZ: $TZ 23 | PUID: $PUID 24 | PGID: $PGID 25 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /compose/hs/sonarr.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Sonarr - TV Shows Management 3 | sonarr: 4 | image: lscr.io/linuxserver/sonarr:develop 5 | container_name: sonarr 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["media", "starr", "all"] 10 | networks: 11 | - default 12 | ports: 13 | - "$SONARR_PORT:8989" 14 | volumes: 15 | - $DOCKERDIR/appdata/sonarr:/config 16 | - $MEDIADIR1/shows:/data/shows1 17 | - $MEDIADIR2/shows:/data/shows2 18 | # - $MEDIADIR3:/data/media3 19 | - $DOWNLOADSDIR:/data/downloads 20 | - "/etc/localtime:/etc/localtime:ro" 21 | environment: 22 | TZ: $TZ 23 | PUID: $PUID 
24 | PGID: $PGID 25 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /compose/mds/mariadb.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # MariaDB - MySQL Database 3 | # After starting container for first time dexec and mysqladmin -u root password 4 | mariadb: 5 | container_name: mariadb 6 | image: lscr.io/linuxserver/mariadb 7 | security_opt: 8 | - no-new-privileges:true 9 | restart: unless-stopped 10 | profiles: ["dbs", "all"] 11 | networks: 12 | - default 13 | ports: 14 | - "$MARIADB_PORT:3306" 15 | volumes: 16 | - $DOCKERDIR/appdata/mariadb/data:/config 17 | environment: 18 | TZ: $TZ 19 | PUID: $PUID 20 | PGID: $PGID 21 | FILE__MYSQL_ROOT_PASSWORD: /run/secrets/mysql_root_password # Note FILE__ (double underscore) - Issue #127 22 | secrets: 23 | - mysql_root_password -------------------------------------------------------------------------------- /compose/ws-arm/remmina.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Remmina - Remote Desktop Client 3 | remmina: 4 | image: lscr.io/linuxserver/remmina:latest 5 | container_name: remmina 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["core", "all"] 10 | networks: 11 | - default 12 | # DEVICES-GPU-PLACEHOLDER-DO-NOT-DELETE 13 | ports: 14 | - "$REMMINA_PORT:3000" 15 | # - "3001:3001" # HTTPS 16 | volumes: 17 | - $DOCKERDIR/appdata/remmina:/config 18 | environment: 19 | PUID: $PUID 20 | PGID: $PGID 21 | TZ: $TZ 22 | CUSTOM_USER: $REMMINA_HTTP_USER 23 | PASSWORD: $REMMINA_HTTP_PASSWORD 24 | # DRINODE: /dev/dri/renderD128 25 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /compose/hs/wud.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # WUD (What's Up Docker) - Docker Image Update 
Notification 3 | wud: 4 | image: fmartinou/whats-up-docker 5 | container_name: wud 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "all"] 10 | networks: 11 | - socket_proxy 12 | ports: 13 | - "$WUD_PORT:3000" 14 | volumes: 15 | - /var/run/docker.sock:/var/run/docker.sock # NOTE(review): the raw Docker socket is bind-mounted even though this service already joins socket_proxy; hs/dozzle and the archived watchtower reach Docker through DOCKER_HOST tcp://socket-proxy:2375 instead, which keeps root-equivalent socket access out of this container - the watcher HOST setting (see the commented WUD_WATCHER_MYREMOTEHOST_HOST pattern below) looks like the equivalent here; confirm the proxy exposes the endpoints WUD needs 16 | environment: 17 | # - WUD_TRIGGER_DISCORD_1_URL=https://discord.com/api/webhooks/123/456 18 | # - WUD_TRIGGER_DISCORD_1_BOTUSERNAME=WUD 19 | - WUD_WATCHER_LOCAL_CRON=0 1 * * * 20 | - WUD_WATCHER_LOCAL_WATCHALL=true 21 | # - WUD_WATCHER_MYREMOTEHOST_HOST= 22 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /commits/2022/2022_05_19.txt: -------------------------------------------------------------------------------- 1 | * Several updates 2022_05_19. See full commit log. 2 | * Added bash_aliases for monitoring stack - not fully implemented yet. 3 | * Changed cloudflare_email secret to cf_email 4 | * Increased inotify limits for syncthing to work properly on synology. 5 | * Updated Rclone media upload scripts. 6 | * Added docker-compose.yml (with Nginx Proxy Manager) - https://www.smarthomebeginner.com/docker-media-server-2022/ 7 | * Updated README. 8 | * Upgraded Traefik to 2.6, Docker Compose to v2.5.0. 9 | * Switched from Codercom to LinuxServer.io Visual Studio Code Server image. 10 | * Minor changes to Synology stack. 11 | * Moved authelia to obsolete. I will add it back at a later time. 12 | * Added some apps for log and resources monitoring - in testing. Not fully implemented. 
13 | -------------------------------------------------------------------------------- /compose/archives/cloudplow.yml: -------------------------------------------------------------------------------- 1 | # CloudPlow - Rclone remote uploader/syncer 2 | cloudplow: 3 | image: sabrsorensen/alpine-cloudplow 4 | container_name: cloudplow 5 | restart: "no" 6 | security_opt: 7 | - no-new-privileges:true 8 | volumes: 9 | - $DOCKERDIR/appdata/cloudplow:/config/:rw 10 | - $DOCKERDIR/appdata/rclone:/rclone_config/:rw 11 | #- /home//google_drive_service_accounts:/service_accounts/:rw 12 | - $DATADIR/media:/data/media:rw 13 | - /etc/localtime:/etc/localtime:ro 14 | environment: 15 | - PUID=$PUID 16 | - PGID=$PGID 17 | - CLOUDPLOW_CONFIG=/config/config.json 18 | - CLOUDPLOW_LOGFILE=/config/cloudplow.log 19 | - CLOUDPLOW_LOGLEVEL=DEBUG 20 | - CLOUDPLOW_CACHEFILE=/config/cache.db -------------------------------------------------------------------------------- /compose/ds918/certdumper.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Traefik Certs Dumper - Extract LetsEncrypt Certificates - Traefik2 Compatible 3 | certdumper: 4 | container_name: traefik_certdumper 5 | image: humenius/traefik-certs-dumper:latest 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | # profiles: ["apps", "all"] 10 | networks: 11 | - default 12 | # command: --restart-containers container1,container2,container3 13 | volumes: 14 | - $DOCKERDIR/appdata/traefik2/acme:/traefik:ro 15 | - $DOCKERDIR/shared/certs/$DOMAINNAME_DS918:/output:rw 16 | # - /var/run/docker.sock:/var/run/docker.sock:ro # Only needed if restarting containers (use Docker Socket Proxy instead) 17 | environment: 18 | DOMAIN: $DOMAINNAME_DS918 -------------------------------------------------------------------------------- /compose/hs/deployrr-dashboard.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # 
Deployrr Dashboard - Homepage based Dashboard for Deployrr 3 | deployrr-dashboard: 4 | image: ghcr.io/gethomepage/homepage:v1.3.2 5 | container_name: deployrr-dashboard 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "all"] 10 | networks: 11 | - default 12 | - socket_proxy 13 | ports: 14 | - "$DEPLOYRRDASHBOARD_PORT:3000" 15 | volumes: 16 | - $DOCKERDIR/appdata/deployrr-dashboard/config:/app/config 17 | - $DOCKERDIR/appdata/deployrr-dashboard/images:/app/public/images 18 | environment: 19 | TZ: $TZ 20 | PUID: $PUID 21 | PGID: $PGID 22 | HOMEPAGE_ALLOWED_HOSTS: "*" # NOTE(review): "*" switches off Homepage's Host-header allow-list entirely; since the port is published directly on the host, set this to the dashboard's real hostname(s) unless every path to it goes through an authenticating proxy 23 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /compose/ds918/adguardhome.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # AdGuard Home - DNS AdBlocking 3 | adguardhome: 4 | container_name: adguardhome 5 | image: adguard/adguardhome 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | # profiles: ["core", "all"] 10 | networks: 11 | dockervlan: 12 | ipv4_address: 192.168.1.25 # IP address inside defined range 13 | ports: 14 | - 53/udp 15 | - 67/udp 16 | - 68/tcp 17 | - 68/udp 18 | - 80/tcp 19 | - 443/tcp 20 | - 853/tcp 21 | - 3000/tcp 22 | volumes: 23 | - $DOCKERDIR/appdata/adguard/conf:/opt/adguardhome/conf 24 | - $DOCKERDIR/appdata/adguard/work:/opt/adguardhome/work 25 | - $DOCKERDIR/shared/certs/$DOMAINNAME_DS918:/certs -------------------------------------------------------------------------------- /compose/hs/dozzle.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Dozzle - Real-time Docker Log Viewer 3 | dozzle: 4 | image: amir20/dozzle:latest 5 | container_name: dozzle 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "all"] 10 | networks: 11 | - default 12 | - socket_proxy 13 | ports: 14 | - 
"$DOZZLE_PORT:8080" 15 | environment: 16 | - DOZZLE_LEVEL=info 17 | - DOZZLE_TAILSIZE=300 18 | - DOZZLE_FILTER="status=running" 19 | # - DOZZLE_FILTER="label=log_me" # limits logs displayed to containers with this label 20 | - DOCKER_HOST 21 | # volumes: 22 | # - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy instead for improved security 23 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /appdata/nginx/common/nonwp-common-php.conf: -------------------------------------------------------------------------------- 1 | # WordPress COMMON SETTINGS 2 | # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) 3 | # Limit access to avoid brute force attack 4 | 5 | # Disable WP Login 6 | location = /wp-login.php { 7 | deny all; 8 | access_log off; 9 | log_not_found off; 10 | } 11 | 12 | # Disable wp-config.txt 13 | location = /wp-config.txt { 14 | deny all; 15 | access_log off; 16 | log_not_found off; 17 | } 18 | 19 | # Disable xmlrpc 20 | location = /xmlrpc.php { 21 | deny all; 22 | access_log off; 23 | log_not_found off; 24 | } 25 | 26 | # Disallow php in upload folder 27 | #location /wp-content/uploads/ { 28 | location /images/ { 29 | location ~ \.php$ { 30 | #Prevent Direct Access Of PHP Files From Web Browsers 31 | deny all; 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /compose/mds/node-exporter.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Node Exporter - Metrics to Prometheus 3 | node-exporter: 4 | container_name: node-exporter 5 | image: prom/node-exporter:latest 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["monitoring", "all"] 10 | networks: 11 | - default 12 | ports: 13 | - "9100:9100" 14 | volumes: 15 | - /proc:/host/proc:ro 16 | - /sys:/host/sys:ro 17 | - /:/rootfs:ro 18 | command: 19 | - '--path.procfs=/host/proc' 
20 | - '--path.sysfs=/host/sys' 21 | - --collector.filesystem.ignored-mount-points 22 | - "^/(sys|proc|dev|host|etc|rootfs/var/lib/docker/containers|rootfs/var/lib/docker/overlay2|rootfs/run/docker/netns|rootfs/var/lib/docker/aufs)($$|/)" 23 | -------------------------------------------------------------------------------- /compose/ws-arm/dozzle.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Dozzle - Real-time Docker Log Viewer 3 | dozzle: 4 | image: amir20/dozzle:latest 5 | container_name: dozzle 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "all"] 10 | networks: 11 | - default 12 | # - socket_proxy 13 | ports: 14 | - "$DOZZLE_PORT:8080" 15 | environment: 16 | - DOZZLE_LEVEL=info 17 | - DOZZLE_TAILSIZE=300 18 | - DOZZLE_FILTER="status=running" 19 | # - DOZZLE_FILTER="label=log_me" # limits logs displayed to containers with this label 20 | # - DOCKER_HOST 21 | volumes: 22 | - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy instead for improved security 23 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /commits/2022/2022_02_21.txt: -------------------------------------------------------------------------------- 1 | * Several updates 2022_02_21. See full commit log. 2 | * Cleaned up shared/config/bash_aliases - consolidated all my bash_aliases into one as I now syncthing this with all my servers. 3 | * Added a few more example scripts that are called in my bash_aliases file. 4 | * Moved authelia to web stack. 5 | * Moved homeserver stack to an unprivileged Proxmox LXC container (previously an Ubuntu VM). 6 | * Due to above move to LXC container, enabled /dev/net/tun for Transmission-vpn 7 | * Obsoleted Funkwhale, too complex to maintain for what I wanted. 8 | * Obsoleted PhotoShow. Added FileBrowser. 
9 | * Moved some of the logs to a dedicated/central logs folder in docker root folder. 10 | * Moved Syncthing to a native app on Ubuntu guest container outside of docker. 11 | * Other minor improvements. -------------------------------------------------------------------------------- /appdata/nginx/common/wp-yoast-sitemap-config.conf: -------------------------------------------------------------------------------- 1 | # Yoast sitemap 2 | location ~ ([^/]*)sitemap(.*)\.x(m|s)l$ { 3 | rewrite ^/sitemap\.xml$ /sitemap_index.xml permanent; 4 | rewrite ^/([a-z]+)?-?sitemap\.xsl$ /index.php?xsl=$1 last; 5 | # Rules for yoast sitemap with wp|wpsubdir|wpsubdomain 6 | rewrite ^.*/sitemap_index\.xml$ /index.php?sitemap=1 last; 7 | rewrite ^.*/([^/]+?)-sitemap([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last; 8 | # Following lines are options. Needed for WordPress seo addons 9 | rewrite ^/news_sitemap\.xml$ /index.php?sitemap=wpseo_news last; 10 | rewrite ^/locations\.kml$ /index.php?sitemap=wpseo_local_kml last; 11 | rewrite ^/geo_sitemap\.xml$ /index.php?sitemap=wpseo_local last; 12 | rewrite ^/video-sitemap\.xsl$ /index.php?xsl=video last; 13 | access_log off; 14 | } -------------------------------------------------------------------------------- /compose/ws-arm/mariadb.yml: -------------------------------------------------------------------------------- 1 | services: 2 | mariadb: 3 | container_name: mariadb 4 | image: mariadb:latest 5 | security_opt: 6 | - no-new-privileges:true 7 | restart: unless-stopped 8 | profiles: ["core", "all"] 9 | networks: 10 | - default 11 | ports: 12 | - "$MARIADB_PORT:3306" 13 | volumes: 14 | - $DOCKERDIR/appdata/mariadb/data:/var/lib/mysql 15 | - $DOCKERDIR/appdata/mariadb/config:/etc/mysql 16 | environment: 17 | MARIADB_ROOT_PASSWORD_FILE: /run/secrets/mariadb_root_password 18 | secrets: 19 | - mariadb_root_password 20 | healthcheck: 21 | test: [ "CMD", "healthcheck.sh", "--connect", "--innodb_initialized" ] 22 | start_period: 1m 23 | 
start_interval: 10s 24 | interval: 1m 25 | timeout: 5s 26 | retries: 3 -------------------------------------------------------------------------------- /appdata/nginx/common/disabled/commentspam.conf.disabled: -------------------------------------------------------------------------------- 1 | # Deny Access for comments to No Referrer Requests - spam protection 2 | location ~* (wp-comments-post)\.php$ { 3 | if ($http_cookie !~* "_gat"){ # NOTE(review): gates on the Google Analytics _gat cookie, so visitors who block analytics cookies cannot comment (405) - confirm this trade-off before re-enabling 4 | return 405; 5 | } 6 | if ($http_referer !~ ^(simplehomelab.com|www.simplehomelab.com) ) { # NOTE(review): $http_referer normally carries the scheme (https://...), so this start-anchored pattern likely never matches and every comment POST would get 405; the dots are also unescaped - anchor on the host, e.g. ^https?://(www\.)?simplehomelab\.com(/|$), before re-enabling 7 | return 405; 8 | } 9 | } 10 | 11 | #Return 410 for the 404s for spammy backlinks 12 | #http://webmasters.stackexchange.com/questions/84317/help-to-remove-spam-links-leading-to-404-page 13 | #http://serverfault.com/questions/646154/return-error-410-for-location-regex-in-nginx?rq=1 14 | location = / { 15 | if ($query_string ~ ^p=1459955773) { 16 | return 410; 17 | } 18 | if ($query_string ~ ^p=1461920860) { 19 | return 410; 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /compose/ws-arm/crawl4ai.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Crawl4AI - Web Scraper 3 | crawl4ai: 4 | image: unclecode/crawl4ai:basic-arm64 5 | container_name: crawl4ai 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "all"] 10 | networks: 11 | - default 12 | ports: 13 | - "11235:11235" 14 | # - "8025:8000" 15 | # - "9222:9222" 16 | # - "8065:8080" 17 | environment: 18 | - CRAWL4AI_API_TOKEN=${CRAWL4AI_API_TOKEN:-} # NOTE(review): the :- default silently leaves the token empty when .env does not set it, and the image docs treat an empty token as "authentication disabled" (confirm for this tag), which would leave port 11235 open on the host; ${CRAWL4AI_API_TOKEN:?set in .env} fails fast instead 19 | # - OPENAI_API_KEY=${OPENAI_API_KEY:-} 20 | # - CLAUDE_API_KEY=${CLAUDE_API_KEY:-} 21 | volumes: 22 | - /dev/shm:/dev/shm # NOTE(review): shares the host's /dev/shm with the container; ws-arm/chromium uses shm_size instead, which keeps the shared memory private to the container 23 | deploy: 24 | resources: 25 | limits: 26 | memory: 4G 27 | reservations: 28 | memory: 1G 29 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /compose/hs/makemkv.yml: 
-------------------------------------------------------------------------------- 1 | services: 2 | # MakeMKV - Video Editing (Ripping from Disks) 3 | makemkv: 4 | image: jlesage/makemkv:latest 5 | container_name: makemkv 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["media","all"] 10 | networks: 11 | - default 12 | ports: 13 | - "$MAKEMKV_PORT:5800" 14 | volumes: 15 | - $DOWNLOADSDIR:/data/downloads 16 | - $DOCKERDIR/appdata/makemkv/config:/config 17 | - /dev/shm:/dev/shm 18 | environment: 19 | USER_ID: $PUID 20 | GROUP_ID: $PGID 21 | UMASK: 002 22 | TZ: $TZ 23 | KEEP_APP_RUNNING: 1 24 | CLEAN_TMP_DIR: 1 25 | DISPLAY_WIDTH: 1600 26 | DISPLAY_HEIGHT: 960 27 | # VNC_PASSWORD: $MAKEMKV_VNC_PASSWD 28 | # DOCKER-LABELS-PLACEHOLDER 29 | -------------------------------------------------------------------------------- /commits/2024/2024_01_22.txt: -------------------------------------------------------------------------------- 1 | * Several updates 2024_01_22. See full commit log. 2 | 3 | * Changed domain name variables to align with hostnames (and their prefixes/suffixes) I implemented in the previous commit 4 | - DOMAINNAME_CLOUD_SERVER is now DOMAINNAME_HS 5 | - DOMAINNAME_HOME_SYNOLOGY is now DOMAINNAME_DS918 6 | - DOMAINNAME_SHB is now DOMAINNAME_WS 7 | * Replaced Traefik/Cloudflare ACME validation using Email and Global API Key with a Scoped API Token (CF_DNS_API_TOKEN). Deleted unwanted secrets. 8 | * Split middlewares.yml to individual middleware YML files - to align with Auto-Traefik. 9 | * Split middlewares-chains.yml to individual chain YML files - to align with Auto-Traefik. 10 | * Moved some of the media apps to Media Server docker stack (docker-compose-mds.yml) 11 | * Added more example file providers for various scenarios. 
-------------------------------------------------------------------------------- /compose/archives/watchtower.yml: -------------------------------------------------------------------------------- 1 | # WatchTower - Automatic Docker Container Updates 2 | watchtower: 3 | image: containrrr/watchtower 4 | container_name: watchtower 5 | restart: unless-stopped 6 | networks: 7 | - socket_proxy 8 | depends_on: 9 | - socket-proxy 10 | environment: 11 | TZ: $TZ 12 | WATCHTOWER_CLEANUP: "true" 13 | WATCHTOWER_REMOVE_VOLUMES: "true" 14 | WATCHTOWER_INCLUDE_STOPPED: "true" 15 | WATCHTOWER_NO_STARTUP_MESSAGE: "false" 16 | WATCHTOWER_SCHEDULE: "0 30 12 * * *" # Everyday at 12:30 17 | WATCHTOWER_NOTIFICATIONS: shoutrrr 18 | WATCHTOWER_NOTIFICATION_URL: "telegram://$TGRAM_BOT_TOKEN@telegram?channels=$TGRAM_CHAT_ID" 19 | WATCHTOWER_NOTIFICATIONS_LEVEL: info 20 | DOCKER_HOST: tcp://socket-proxy:2375 21 | DOCKER_API_VERSION: "1.40" -------------------------------------------------------------------------------- /compose/ds918/ddns-updater.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Cloudflare DDNS - Dynamic DNS Updater 3 | ddns-updater: 4 | image: qmcgaw/ddns-updater 5 | container_name: ddns-updater 6 | restart: unless-stopped 7 | network_mode: bridge 8 | ports: 9 | - 8000:8000/tcp 10 | volumes: 11 | - $DOCKERDIR/appdata/ddns-updater:/updater/data # Owned by UID 1000 12 | environment: 13 | TZ: $TZ 14 | PUID: $PUID 15 | PGID: $PGID 16 | PERIOD: 12h 17 | UPDATE_COOLDOWN_PERIOD: 5m 18 | PUBLICIP_DNS_TIMEOUT: 3s 19 | HTTP_TIMEOUT: 10s 20 | # Web UI 21 | LISTENING_PORT: 8000 22 | # Backup 23 | BACKUP_PERIOD: 96h # 0 to disable 24 | BACKUP_DIRECTORY: /updater/data/backups 25 | # Other 26 | LOG_LEVEL: info 27 | SHOUTRRR_ADDRESSES: $DISCORD_SHOUTRRR_ADDRESS -------------------------------------------------------------------------------- /appdata/php/php8/php-fpm.d/www.conf: 
-------------------------------------------------------------------------------- 1 | ; USE THE ONE BELOW IF IN FUTURE YOU DECIDE TO USE A SEPARATE PHP PROCESS FOR NON-WP SITES. REMEMBER TO CHANGE THE PORT 9000 TO AVOID CONFLICT. Also the name [WWW] 2 | ; Claude Sonnet 3.5 - February 4, 2025 3 | 4 | [www] 5 | user = www-data 6 | group = www-data 7 | listen = 127.0.0.1:9000 8 | 9 | pm = dynamic 10 | pm.max_children = 20 11 | pm.start_servers = 4 12 | pm.min_spare_servers = 2 13 | pm.max_spare_servers = 6 14 | ; pm.max_requests = 500 ; possibly causing slow down plugin activation/deactivation 15 | 16 | pm.process_idle_timeout = 10s ; possibly causing slow down plugin activation/deactivation 17 | request_terminate_timeout = 300s ; possibly causing slow down plugin activation/deactivation 18 | 19 | php_admin_value[error_log] = /var/log/php/www-error.log 20 | php_admin_flag[log_errors] = on 21 | 22 | 23 | -------------------------------------------------------------------------------- /appdata/php/php8/php-fpm.d/wordpress.conf: -------------------------------------------------------------------------------- 1 | ; USE THE ONE BELOW IF IN FUTURE YOU DECIDE TO USE A SEPARATE PHP PROCESS FOR NON-WP SITES. REMEMBER TO CHANGE THE PORT 9000 TO AVOID CONFLICT. 
Also the name [WWW] 2 | ; Claude Sonnet 3.5 - February 4, 2025 3 | 4 | [wordpress] 5 | user = www-data 6 | group = www-data 7 | listen = 127.0.0.1:9001 8 | 9 | pm = dynamic 10 | pm.max_children = 50 11 | pm.start_servers = 8 12 | pm.min_spare_servers = 4 13 | pm.max_spare_servers = 12 14 | ; pm.max_requests = 500 ; possibly causing slow down plugin activation/deactivation 15 | 16 | pm.process_idle_timeout = 10s ; possibly causing slow down plugin activation/deactivation 17 | request_terminate_timeout = 300s ; possibly causing slow down plugin activation/deactivation 18 | 19 | php_admin_value[error_log] = /var/log/php/wordpress-error.log 20 | php_admin_flag[log_errors] = on 21 | -------------------------------------------------------------------------------- /compose/archives/mosquitto.yml: -------------------------------------------------------------------------------- 1 | # Mosquitto - MQTT Broker 2 | # Create mosquitto.conf, passwd, mosquitto.log files and set permissions to 775 user:docker 3 | # dexec mosquitto /bin/sh -> mosquitto_passwd -b /mosquitto/config/passwd username passwd 4 | mosquitto: 5 | <<: *common-keys-apps # See EXTENSION FIELDS at the top 6 | image: eclipse-mosquitto:latest 7 | container_name: mosquitto 8 | ports: 9 | - "$MOSQUITTO_HTTP_PORT:1883" #http 10 | - "9001:9001" #websockets 11 | # - "$MOSQUITTO_HTTPS_PORT:8883" #https 12 | volumes: 13 | - $DOCKERDIR/appdata/mosquitto/config/mosquitto.conf:/mosquitto/config/mosquitto.conf 14 | - $DOCKERDIR/appdata/mosquitto/config/passwd:/mosquitto/config/passwd 15 | - $DOCKERDIR/shared:/shared 16 | environment: 17 | PUID: $PUID 18 | PGID: $PGID 19 | TZ: $TZ -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | github: # [SimpleHomelab] 4 | custom: ['https://www.simplehomelab.com/geek-army/join/', 
'https://www.buymeacoffee.com/simplehomelab'] # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2'] 5 | patreon: 6 | open_collective: # Replace with a single Open Collective username 7 | ko_fi: SimpleHomelab # Replace with a single Ko-fi username 8 | tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel 9 | community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry 10 | liberapay: # Replace with a single Liberapay username 11 | issuehunt: # Replace with a single IssueHunt username 12 | otechie: # Replace with a single Otechie username 13 | lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry 14 | -------------------------------------------------------------------------------- /appdata/nginx/common/php8/wp-common-php.conf: -------------------------------------------------------------------------------- 1 | # WordPress COMMON SETTINGS 2 | 3 | # Limit access to avoid brute force attack 4 | # Also Managed Challenge on Cloudflare WAF 5 | location = /wp-login.php { 6 | #include common/acl.conf; 7 | limit_req zone=one burst=1 nodelay; 8 | include fastcgi.conf; 9 | fastcgi_pass php8wp; 10 | } 11 | # Disable wp-config.txt 12 | location = /wp-config.txt { 13 | deny all; 14 | access_log off; 15 | log_not_found off; 16 | } 17 | 18 | # Managed challenge on Cloudflare WAF 19 | # Disable xmlrpc 20 | location = /xmlrpc.php { 21 | deny all; 22 | access_log off; 23 | log_not_found off; 24 | } 25 | 26 | # Disallow php in upload folder 27 | #location /wp-content/uploads/ { 28 | location /images/ { 29 | location ~ \.php$ { 30 | #Prevent Direct Access Of PHP Files From Web Browsers 31 | deny all; 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /compose/ws-arm/chromium.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Chromium - Web Browser 3 | chromium: 4 | 
image: lscr.io/linuxserver/chromium:latest 5 | container_name: chromium 6 | security_opt: 7 | - no-new-privileges:true 8 | - seccomp:unconfined #optional 9 | restart: "unless-stopped" 10 | profiles: ["apps", "all"] 11 | shm_size: "1gb" 12 | # DEVICES-GPU-PLACEHOLDER-DO-NOT-DELETE 13 | networks: 14 | - default 15 | ports: 16 | - "$CHROMIUM_PORT:3000" # HTTP 17 | # - 3001:3001 # HTTPS 18 | volumes: 19 | - $DOCKERDIR/appdata/chromium:/config 20 | environment: 21 | TZ: $TZ 22 | PUID: $PUID 23 | PGID: $PGID 24 | CUSTOM_USER: $CHROMIUM_HTTP_USER 25 | PASSWORD: $CHROMIUM_HTTP_PASSWORD 26 | # CHROME_CLI: https://www.deployarr.app/ #optional 27 | # DOCKER-LABELS-PLACEHOLDER 28 | -------------------------------------------------------------------------------- /compose/ws-arm/postgresql.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # PostgreSQL - Database 3 | postgresql: 4 | container_name: postgresql 5 | image: postgres:16-alpine 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["core", "all"] 10 | healthcheck: 11 | test: ["CMD-SHELL", "pg_isready -d postgres -U $${POSTGRES_USER}"] 12 | start_period: 20s 13 | interval: 30s 14 | retries: 5 15 | timeout: 5s 16 | networks: 17 | - default 18 | ports: 19 | - "$POSTGRESQL_PORT:5432" 20 | volumes: 21 | - $DOCKERDIR/appdata/postgresql:/var/lib/postgresql/data 22 | environment: 23 | # - POSTGRES_DB=$POSTGRES_DB 24 | - POSTGRES_USER=$POSTGRES_USER 25 | - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_default_password 26 | secrets: 27 | - postgres_default_password -------------------------------------------------------------------------------- /compose/archives/plex-trakt-sync.yml: -------------------------------------------------------------------------------- 1 | # PlexTraktSync 2 | # Create Trakt Application https://github.com/Taxel/PlexTraktSync 3 | # Had to run this first before starting compose 4 | # git clone -b plexmovieagent-fixed 
https://github.com/Taxel/PlexTraktSync.git /home/USER/docker/apps/ 5 | # sudo docker run -it --name ptsync -v /home/USER/docker/apps/PlexTraktSync:/usr/src/app -e TZ="America/New_York" --restart on-failure:2 twolaw/plextraktsync:latest 6 | # change permissions of .env and .pytrakt.json to 600 and root:root 7 | ptsync: 8 | image: twolaw/plextraktsync:latest 9 | container_name: ptsync 10 | restart: unless-stopped 11 | networks: 12 | - t2_proxy 13 | security_opt: 14 | - no-new-privileges:true 15 | environment: 16 | TZ: $TZ 17 | volumes: 18 | - $DOCKERDIR/apps/pts-mafixed:/usr/src/app # plexmovieagent-fixed branch -------------------------------------------------------------------------------- /compose/archives/tdarr-node.yml: -------------------------------------------------------------------------------- 1 | # Tdarr Node - Transcoder Node 2 | tdarr-node1: 3 | image: haveagitgat/tdarr_node:latest 4 | container_name: tdarr-node1 5 | security_opt: 6 | - no-new-privileges:true 7 | restart: unless-stopped 8 | # profiles: ["media", "all"] 9 | networks: 10 | - t2_proxy 11 | 12 | environment: 13 | TZ: $TZ 14 | PUID: $PUID 15 | PGID: $PGID 16 | UMASK_SET: 002 17 | nodeID: Node1 18 | nodeIP: tdarr-node1 # or hostname 19 | nodePort: 8267 20 | serverIP: tdarr # or hostname 21 | serverPort: 8266 22 | volumes: 23 | - $DOCKERDIR/appdata/tdarr/configs:/app/configs 24 | - $DOCKERDIR/appdata/tdarr/logs:/app/logs 25 | - $DOWNLOADSDIR/transcode/tdarr:/data/temp 26 | - $ZDATADIR/Photos/zVideos:/data/media:ro 27 | - $DATADIR2/media/zvideos:/data/output -------------------------------------------------------------------------------- /compose/hs/cleanuparr.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Cleanuparr - Arr Stack Cleanup Tool 3 | cleanuparr: 4 | image: ghcr.io/cleanuparr/cleanuparr:latest 5 | container_name: cleanuparr 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["all", 
"apps"] 10 | networks: 11 | - default 12 | ports: 13 | - "$CLEANUPARR_PORT:11011" 14 | volumes: 15 | - $DOCKERDIR/appdata/cleanuparr:/config 16 | environment: 17 | TZ: $TZ 18 | PORT: 11011 19 | PUID: $PUID 20 | PGID: $PGID 21 | UMASK: "022" 22 | stop_signal: SIGTERM 23 | stop_grace_period: 30s 24 | healthcheck: 25 | test: ["CMD", "curl", "-f", "http://localhost:11011/health"] 26 | interval: 30s 27 | timeout: 10s 28 | start_period: 30s 29 | retries: 3 30 | # DOCKER-LABELS-PLACEHOLDER 31 | -------------------------------------------------------------------------------- /.env.example: -------------------------------------------------------------------------------- 1 | PUID='1000' 2 | PGID='1000' 3 | PRIMARY_USERNAME='anand' 4 | TZ='Europe/Zurich' 5 | USERDIR='/home/anand' 6 | DOCKERDIR='/home/anand/docker' 7 | LOCAL_IPS='127.0.0.1/32,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12' 8 | CLOUDFLARE_IPS='173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22' 9 | HOSTNAME='hs' 10 | SERVER_LAN_IP='192.168.5.112' 11 | DOCKER0_IP='172.17.0.1' 12 | DOMAINNAME_1='example.com' 13 | DOWNLOADSDIR='/media/ssd/downloads' 14 | DATADIR1='/media/nas/data' 15 | DATADIR2='/media/nas/data2' 16 | MEDIADIR1='/media/nas/data/media' 17 | MEDIADIR2='/media/nas/data2/media' 18 | DOCKER_HOST='tcp://socket-proxy:2375' 19 | DEPLOYRRDASHBOARD_PORT='3050' 20 | TRAEFIK_PORT='8080' 21 | ADMINER_PORT='8081' 22 | ... 
-------------------------------------------------------------------------------- /compose/hs/mkvtoolnix.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # MKVToolNix - Video Editing (Remuxing - changing media container while keeping original source quality) 3 | mkvtoolnix: 4 | image: jlesage/mkvtoolnix:latest 5 | container_name: mkvtoolnix 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["media","all"] 10 | networks: 11 | - default 12 | ports: 13 | - "$MKVTOOLNIX_PORT:5800" 14 | volumes: 15 | - $DOWNLOADSDIR:/data/downloads 16 | - $DOCKERDIR/appdata/mkvtoolnix/config:/config:rw 17 | environment: 18 | USER_ID: $PUID 19 | GROUP_ID: $PGID 20 | UMASK: 002 21 | TZ: $TZ 22 | KEEP_APP_RUNNING: 1 23 | CLEAN_TMP_DIR: 1 24 | DISPLAY_WIDTH: 1600 25 | DISPLAY_HEIGHT: 960 26 | # VNC_PASSWORD: $MKVTOOLNIX_VNC_PASSWD 27 | # DOCKER-LABELS-PLACEHOLDER 28 | -------------------------------------------------------------------------------- /compose/archives/dns/adguardhome.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # AdGuard Home - DNS AdBlocking 3 | adguardhome: 4 | container_name: adguardhome 5 | image: adguard/adguardhome 6 | restart: unless-stopped 7 | profiles: ["core", "all", "dns"] 8 | network_mode: host 9 | # networks: 10 | # - default 11 | # ports: 12 | # - 53:53/udp 13 | # - 67:67/udp 14 | # - 68:68/tcp 15 | # - 1068:68/udp # port conflict with Raspbery PI OS DHCPD https://github.com/AdguardTeam/AdGuardHome/issues/1049 16 | # - 81:80/tcp 17 | # - 444:443/tcp 18 | # - 853:853/tcp 19 | # # - 3000:3000/tcp 20 | volumes: 21 | - $DOCKERDIR/appdata/adguardhome/conf:/opt/adguardhome/conf 22 | - $DOCKERDIR/appdata/adguardhome/work:/opt/adguardhome/work 23 | # - $DOCKERDIR/shared/certs/$DOMAINNAME_SHB:/certs # optional: if you have your own SSL certs -------------------------------------------------------------------------------- 
/compose/archives/dns/ddns-updater.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Cloudflare DDNS - Dynamic DNS Updater 3 | ddns-updater: 4 | image: qmcgaw/ddns-updater 5 | container_name: ddns-updater 6 | restart: unless-stopped 7 | profiles: ["core", "all", "dns"] 8 | networks: 9 | - t2_proxy 10 | ports: 11 | - 8000:8000/tcp 12 | volumes: 13 | - $DOCKERDIR/appdata/ddns-updater:/updater/data # Owned by UID 1000 14 | environment: 15 | TZ: $TZ 16 | PERIOD: 4h 17 | UPDATE_COOLDOWN_PERIOD: 5m 18 | PUBLICIP_DNS_TIMEOUT: 3s 19 | HTTP_TIMEOUT: 10s 20 | DATADIR: /updater/data 21 | # Web UI 22 | LISTENING_PORT: 8000 23 | # Backup 24 | BACKUP_PERIOD: 96h # 0 to disable 25 | BACKUP_DIRECTORY: /updater/data/backups 26 | # Other 27 | LOG_LEVEL: warning 28 | SHOUTRRR_ADDRESSES: $DISCORD_SHOUTRRR_ADDRESS -------------------------------------------------------------------------------- /compose/archives/plex-sync.yml: -------------------------------------------------------------------------------- 1 | # Plex-Sync - For Syncing watched status between plex servers 2 | plex-sync: 3 | image: patsissons/plex-sync:develop 4 | container_name: plex-sync 5 | security_opt: 6 | - no-new-privileges:true 7 | environment: 8 | INITIAL_RUN: "true" 9 | # DRY_RUN: 0 10 | CRON_SCHEDULE: "*/5 * * * *" 11 | SECTION_MAPS: $SYN_PLEX/$SYN_PLEX_HOLLYWOOD $NUC_PLEX/$NUC_PLEX_HOLLYWOOD | $SYN_PLEX/$SYN_PLEX_TVSHOWS $NUC_PLEX/$NUC_PLEX_TVSHOWS | $SYN_PLEX/$SYN_PLEX_INDIAN $NUC_PLEX/$NUC_PLEX_INDIAN | $SYN_PLEX/$SYN_PLEX_KOLLYWOOD $NUC_PLEX/$NUC_PLEX_KOLLYWOOD | $SYN_PLEX/$SYN_PLEX_DOCMOVIES $NUC_PLEX/$NUC_PLEX_DOCMOVIES | $SYN_PLEX/$SYN_PLEX_DOCSHOWS $NUC_PLEX/$NUC_PLEX_DOCSHOWS | $SYN_PLEX/$SYN_PLEX_KIDSMOVIES $NUC_PLEX/$NUC_PLEX_KIDSMOVIES | $SYN_PLEX/$SYN_PLEX_INTERNATIONAL $NUC_PLEX/$NUC_PLEX_INTERNATIONAL 12 | restart: unless-stopped 13 | -------------------------------------------------------------------------------- 
/compose/archives/nzbhydra.yml: -------------------------------------------------------------------------------- 1 | # NZBHydra2 - NZB meta search 2 | hydra: 3 | <<: *common-keys-apps # See EXTENSION FIELDS at the top 4 | image: linuxserver/nzbhydra2:latest 5 | container_name: hydra 6 | ports: 7 | - "$NZBHYDRA_PORT:5076" # host-published port bypasses the chain-oauth middleware in the labels below; bind it to 127.0.0.1 or a LAN-only address if the host is reachable from elsewhere 8 | volumes: 9 | - $DOCKERDIR/appdata/hydra2:/config 10 | - $DATADIR/downloads:/data/downloads 11 | environment: 12 | <<: *default-tz-puid-pgid 13 | labels: 14 | - "traefik.enable=true" 15 | ## HTTP Routers 16 | - "traefik.http.routers.hydra-rtr.entrypoints=https" 17 | - "traefik.http.routers.hydra-rtr.rule=Host(`hydra.$DOMAINNAME0`)" 18 | ## Middlewares 19 | - "traefik.http.routers.hydra-rtr.middlewares=chain-oauth@file" 20 | ## HTTP Services 21 | - "traefik.http.routers.hydra-rtr.service=hydra-svc" 22 | - "traefik.http.services.hydra-svc.loadbalancer.server.port=5076" -------------------------------------------------------------------------------- /compose/hs/stirling-pdf.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Stirling PDF - Self-hosted PDF Manipulation 3 | stirling-pdf: 4 | image: stirlingtools/stirling-pdf:latest 5 | container_name: stirling-pdf 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "all"] 10 | networks: 11 | - default 12 | ports: 13 | - "$STIRLINGPDF_PORT:8080" 14 | volumes: 15 | - $DOCKERDIR/appdata/stirling-pdf/trainingData:/usr/share/tessdata # Required for extra OCR languages 16 | - $DOCKERDIR/appdata/stirling-pdf/extraConfigs:/configs 17 | # - $DOCKERDIR/appdata/stirling-pdf/customFiles:/customFiles/ 18 | # - $DOCKERDIR/appdata/stirling-pdf/logs:/logs/ 19 | environment: 20 | DOCKER_ENABLE_SECURITY: false # app-level login disabled: with $STIRLINGPDF_PORT published above, the UI and its file-processing endpoints accept anyone who can reach the port; either enable it or make the Traefik auth chain (DOCKER-LABELS-PLACEHOLDER) the only way in 21 | INSTALL_BOOK_AND_ADVANCED_HTML_OPS: false 22 | LANGS: en_US 23 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /compose/ws-arm/php7.yml: 
-------------------------------------------------------------------------------- 1 | services: 2 | # PHP - Hypertext Preprocessor 3 | # https://github.com/chialab/docker-php 4 | php7: 5 | container_name: php7 6 | image: chialab/php:7.4-fpm # PHP 7.4 reached end-of-life in Nov 2022 and no longer receives security fixes; keep this service only for sites that cannot yet run on the php8 service 7 | security_opt: 8 | - no-new-privileges:true 9 | restart: unless-stopped 10 | profiles: ["core", "all"] 11 | networks: 12 | - t3_proxy 13 | - default 14 | user: $PUID:$PGID # allows upgrading WP and plugins (note: this also means any code running in PHP can write to every site root mounted below) 15 | volumes: 16 | - $DOCKERDIR/appdata/sites/simplehomelab/html:/var/www/html/simplehomelab 17 | - $DOCKERDIR/appdata/php/php7:/usr/local/etc/php 18 | - $DOCKERDIR/appdata/sites/khub/html:/var/www/html/khub 19 | - $DOCKERDIR/appdata/sites/dash/html:/var/www/html/dash 20 | - $DOCKERDIR/appdata/sites/deployrr/html:/var/www/html/deployrr 21 | - $DOCKERDIR/appdata/sites/deployarr/html:/var/www/html/deployarr # delete this line after 6/15/2025 -------------------------------------------------------------------------------- /compose/mds/docker-gc.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Docker-GC - Automatic Docker Garbage Collection 3 | # Create docker-gc-exclude file 4 | docker-gc: 5 | image: clockworksoul/docker-gc-cron:latest 6 | container_name: docker-gc 7 | security_opt: 8 | - no-new-privileges:true 9 | restart: unless-stopped 10 | profiles: ["apps", "all"] 11 | networks: 12 | - socket_proxy 13 | volumes: 14 | # - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy instead for improved security 15 | - $DOCKERDIR/appdata/docker-gc/docker-gc-exclude:/etc/docker-gc-exclude 16 | environment: 17 | - CRON=0 0 0 * * ? # Everyday at midnight. 
Previously 0 0 * * * 18 | - FORCE_IMAGE_REMOVAL=1 19 | - FORCE_CONTAINER_REMOVAL=0 20 | - GRACE_PERIOD_SECONDS=604800 21 | - DRY_RUN=0 22 | - CLEAN_UP_VOLUMES=1 23 | - TZ=$TZ 24 | - DOCKER_HOST -------------------------------------------------------------------------------- /compose/mds/pgsql-teslamate.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # PostgreSQL - Database for Teslamate 3 | pgsql-teslamate: 4 | container_name: pgsql-teslamate 5 | image: postgres:16-alpine 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["core", "all"] 10 | # healthcheck: 11 | # test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"] 12 | # start_period: 20s 13 | # interval: 30s 14 | # retries: 5 15 | # timeout: 5s 16 | networks: 17 | - default 18 | ports: 19 | - "$PGSQLTESLAMATE_PORT:5432" # publishes Postgres on the host; only needed if something outside this compose network connects — otherwise drop it and let clients reach it over the default network 20 | volumes: 21 | - $DOCKERDIR/appdata/pgsql-teslamate:/var/lib/postgresql/data 22 | environment: 23 | - POSTGRES_DB=teslamate 24 | - POSTGRES_USER=$POSTGRES_USER 25 | - POSTGRES_PASSWORD_FILE=/run/secrets/pgsql_teslamate_passwd # password comes from a Compose secret (file mount), not from an environment variable — keep it that way 26 | secrets: 27 | - pgsql_teslamate_passwd -------------------------------------------------------------------------------- /appdata/traefik2/rules/hs/app-tautulli-with-auth-bypass.yml.example: -------------------------------------------------------------------------------- 1 | http: 2 | routers: 3 | tautulli-rtr: 4 | rule: "Host(`tautulli.{{env "DOMAINNAME_HS"}}`)" # rendered by the file provider's Go templating (env function) before the YAML is parsed 5 | priority: 99 6 | entryPoints: 7 | - websecure 8 | middlewares: 9 | - chain-oauth 10 | service: tautulli-svc 11 | tautulli-rtr-bypass: 12 | # rule: "Host(`tautulli.$DOMAINNAME_HS`) && Header(`traefik-auth-bypass-key`, `$TRAEFIK_AUTH_BYPASS_KEY`)" # Bypass Auth for LunaSea on iOS 13 | rule: "Host(`tautulli.$DOMAINNAME_HS`) && (Header(`X-Api-Key`, `$TAUTULLI_API_KEY`) || Query(`apikey`, `$TAUTULLI_API_KEY`))" # NOTE(review): the file provider does not expand shell-style $VARS (that is why tautulli-rtr above uses the env template function), so as written this rule compares against the literal text and cannot match; rewrite both values with the env template function. Also, an API key passed as the apikey query parameter ends up in Traefik access logs and browser history — prefer the X-Api-Key header form 14 | priority: 100 # higher than tautulli-rtr (99), so a request carrying the key skips OAuth entirely; the key is effectively a second credential — rotate it if it leaks 15 | entryPoints: 16 | - websecure 17 | middlewares: 18 | - 
chain-no-auth 19 | service: tautulli-svc 20 | services: 21 | tautulli-svc: 22 | loadBalancer: 23 | servers: 24 | - url: "http://192.168.1.111:8181" 25 | -------------------------------------------------------------------------------- /compose/mds/prometheus.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Prometheus - Database for sensor data 3 | prometheus: 4 | image: prom/prometheus:latest 5 | container_name: prometheus 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["dbs", "all"] 10 | networks: 11 | - default 12 | ports: 13 | - "$PROMETHEUS_PORT:9090" # Prometheus has no built-in authentication unless a web config file is supplied; see the two flags below before exposing this beyond the LAN 14 | volumes: 15 | - $DOCKERDIR/appdata/prometheus/config:/etc/prometheus 16 | - $DOCKERDIR/appdata/prometheus/data:/prometheus 17 | user: $PUID:$PGID 18 | command: 19 | - '--config.file=/etc/prometheus/prometheus.yml' 20 | - '--storage.tsdb.path=/prometheus' 21 | - '--web.console.libraries=/usr/share/prometheus/console_libraries' 22 | - '--web.console.templates=/usr/share/prometheus/consoles' 23 | - '--web.enable-lifecycle' # lets any HTTP client POST /-/reload and /-/quit 24 | - '--web.enable-admin-api' # enables the TSDB admin endpoints (delete series, snapshots, clean tombstones); with the port published above, restrict who can reach it (LAN bind / Traefik auth chain) or drop this flag and the one above 25 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /compose/ws-arm/prometheus.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Prometheus - Database for sensor data 3 | prometheus: 4 | image: prom/prometheus:latest 5 | container_name: prometheus 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["dbs", "all"] 10 | networks: 11 | - default 12 | ports: 13 | - "$PROMETHEUS_PORT:9090" 14 | volumes: 15 | - $DOCKERDIR/appdata/prometheus/config:/etc/prometheus 16 | - $DOCKERDIR/appdata/prometheus/data:/prometheus 17 | user: $PUID:$PGID 18 | command: 19 | - '--config.file=/etc/prometheus/prometheus.yml' 20 | - '--storage.tsdb.path=/prometheus' 21 | - '--web.console.libraries=/usr/share/prometheus/console_libraries' 22 
| - '--web.console.templates=/usr/share/prometheus/consoles' 23 | - '--web.enable-lifecycle' 24 | - '--web.enable-admin-api' 25 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /compose/ds918/docker-gc.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Docker-GC - Automatic Docker Garbage Collection 3 | # Create docker-gc-exclude file 4 | docker-gc: 5 | image: clockworksoul/docker-gc-cron:latest 6 | container_name: docker-gc 7 | security_opt: 8 | - no-new-privileges:true 9 | restart: unless-stopped 10 | # profiles: ["apps", "all"] 11 | networks: 12 | - socket_proxy 13 | volumes: 14 | # - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy instead for improved security 15 | - $DOCKERDIR/appdata/docker-gc/docker-gc-exclude:/etc/docker-gc-exclude 16 | environment: 17 | CRON: 0 0 0 * * ? # Everyday at midnight. Previously 0 0 * * * 18 | FORCE_IMAGE_REMOVAL: 1 19 | FORCE_CONTAINER_REMOVAL: 0 20 | GRACE_PERIOD_SECONDS: 604800 21 | DRY_RUN: 0 22 | CLEAN_UP_VOLUMES: 1 23 | TZ: $TZ 24 | DOCKER_HOST: tcp://socket-proxy:2375 25 | -------------------------------------------------------------------------------- /compose/archives/digikam.yml: -------------------------------------------------------------------------------- 1 | # digikam - Photo Management 2 | digikam: 3 | image: ghcr.io/linuxserver/digikam 4 | container_name: digikam 5 | restart: unless-stopped 6 | networks: 7 | - t2_proxy 8 | volumes: 9 | - $DOCKERDIR/appdata/digikam:/config 10 | - $DATADIR/photos:/data/photos 11 | #ports: 12 | # - 3000:3000 13 | environment: 14 | PUID: $PUID 15 | PGID: $PGID 16 | TZ: $TZ 17 | labels: 18 | - "traefik.enable=true" 19 | ## HTTP Routers 20 | - "traefik.http.routers.digikam-rtr.entrypoints=https" 21 | - "traefik.http.routers.digikam-rtr.rule=Host(`digikam.$DOMAINNAME0`)" 22 | ## Middlewares 23 | - 
"traefik.http.routers.digikam-rtr.middlewares=chain-oauth@file" 24 | ## HTTP Services 25 | - "traefik.http.routers.digikam-rtr.service=digikam-svc" 26 | - "traefik.http.services.digikam-svc.loadbalancer.server.port=3000" -------------------------------------------------------------------------------- /appdata/authelia/users.yml.example: -------------------------------------------------------------------------------- 1 | ############################################################### 2 | # Users Database # 3 | ############################################################### 4 | 5 | # This file can be used if you do not have an LDAP set up. 6 | 7 | # CREATE NEW HASHED PASSWORD 8 | # sudo docker run -v /home/user/docker/appdata/authelia/configuration.yml:/configuration.yml -it authelia/authelia:4.39.4 authelia crypto hash generate --config /configuration.yml --password MYSTRONGPASSWORD 9 | 10 | # https://www.authelia.com/reference/guides/passwords/ 11 | 12 | # List of users 13 | users: 14 | user1: 15 | displayname: "John_Doe_1" 16 | password: "HASHED_PASSWORD" 17 | email: USER_EMAIL 18 | groups: 19 | - admins 20 | # user2: 21 | # displayname: "John_Doe_2" 22 | # password: "HASHED_PASSWORD" 23 | # email: USER_EMAIL 24 | # groups: 25 | # - users -------------------------------------------------------------------------------- /compose/archives/headscale.yml: -------------------------------------------------------------------------------- 1 | # HeadScale - SDN 2 | headscale: 3 | <<: *common-keys-core # See EXTENSION FIELDS at the top 4 | image: headscale/headscale:latest 5 | container_name: headscale 6 | volumes: 7 | - $DOCKERDIR/appdata/headscale/config:/etc/headscale 8 | - $DOCKERDIR/appdata/headscale/data:/var/lib/headscale 9 | #ports: 10 | # - 27896:8080 11 | command: headscale serve 12 | labels: 13 | - "traefik.enable=true" 14 | ## HTTP Routers 15 | - "traefik.http.routers.headscale-rtr.entrypoints=https" 16 | - 
"traefik.http.routers.headscale-rtr.rule=Host(`headscale.$DOMAINNAME_SHB`)" 17 | ## Middlewares 18 | #- "traefik.http.routers.headscale-rtr.middlewares=chain-no-auth@file" 19 | ## HTTP Services 20 | - "traefik.http.routers.headscale-rtr.service=headscale-svc" 21 | - "traefik.http.services.headscale-svc.loadbalancer.server.port=8080" 22 | 23 | -------------------------------------------------------------------------------- /compose/archives/photoshow.yml: -------------------------------------------------------------------------------- 1 | # Photoshow - Simple Photo Viewer 2 | photoshow: 3 | <<: *common-keys-media # See EXTENSION FIELDS at the top 4 | image: lscr.io/linuxserver/photoshow 5 | container_name: photoshow 6 | volumes: 7 | - $DATADIR/media/misc:/Pictures 8 | - $DOCKERDIR/appdata/photoshow:/config 9 | - $DATADIR/temp/appdata/photoshow:/Thumbs 10 | environment: 11 | <<: *default-tz-puid-pgid 12 | labels: 13 | - "traefik.enable=true" 14 | ## HTTP Routers 15 | - "traefik.http.routers.photoshow-rtr.entrypoints=https" 16 | - "traefik.http.routers.photoshow-rtr.rule=Host(`photoshow.$DOMAINNAME0`)" 17 | ## Middlewares 18 | - "traefik.http.routers.photoshow-rtr.middlewares=chain-oauth@file" 19 | ## HTTP Services 20 | - "traefik.http.routers.photoshow-rtr.service=photoshow-svc" 21 | - "traefik.http.services.photoshow-svc.loadbalancer.server.port=80" -------------------------------------------------------------------------------- /compose/hs/docker-gc.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Docker-GC - Automatic Docker Garbage Collection 3 | # Create docker-gc-exclude file 4 | docker-gc: 5 | image: clockworksoul/docker-gc-cron:latest 6 | container_name: docker-gc 7 | security_opt: 8 | - no-new-privileges:true 9 | restart: unless-stopped 10 | profiles: ["apps", "all"] 11 | networks: 12 | - socket_proxy 13 | volumes: 14 | # - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy instead for 
improved security 15 | - $DOCKERDIR/appdata/docker-gc/docker-gc-exclude:/etc/docker-gc-exclude 16 | environment: 17 | - CRON=0 0 0 * * ? # Everyday at midnight. Previously 0 0 * * * 18 | - FORCE_IMAGE_REMOVAL=1 19 | - FORCE_CONTAINER_REMOVAL=0 20 | - GRACE_PERIOD_SECONDS=604800 21 | - DRY_RUN=0 22 | - CLEAN_UP_VOLUMES=1 23 | - TZ=$TZ 24 | - DOCKER_HOST 25 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /compose/mds/jellyfin.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Jellyfin - Media Server 3 | jellyfin: 4 | image: jellyfin/jellyfin:latest 5 | container_name: jellyfin 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["media", "all"] 10 | networks: 11 | - default 12 | user: $PUID:$PGID 13 | devices: 14 | - /dev/dri:/dev/dri # for harware transcoding 15 | ports: 16 | - "$JELLYFIN_PORT:8096" 17 | # - "8920:8920" # Emby also uses same port if running both 18 | environment: 19 | UMASK_SET: 022 20 | TZ: $TZ 21 | volumes: 22 | - $DOCKERDIR/appdata/jellyfin:/config 23 | - $DOWNLOADSDIR:/data/downloads 24 | - $MEDIADIR1:/data/media1 25 | - $MEDIADIR2:/data/media2 26 | # - $MEDIADIR3:/data/media3 27 | - /dev/shm:/data/transcode # Offload transcoding to RAM if you have enough RAM 28 | # DOCKER-LABELS-PLACEHOLDER 29 | -------------------------------------------------------------------------------- /compose/archives/ouroboros.yml: -------------------------------------------------------------------------------- 1 | # Ouroboros - Automatic Docker Container Updates 2 | ouroboros: 3 | image: pyouroboros/ouroboros:latest 4 | container_name: ouroboros 5 | restart: unless-stopped 6 | networks: 7 | - default 8 | - socket_proxy 9 | # depends_on: 10 | # - socket-proxy 11 | volumes: 12 | # - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy instead for improved security 13 | - 
$DOCKERDIR/ouroboros/config.json:/root/.docker/config.json:ro 14 | environment: 15 | TZ: $TZ 16 | INTERVAL: 86400 17 | LOG_LEVEL: info 18 | SELF_UPDATE: "true" 19 | CLEANUP: "true" 20 | IGNORE: traefik influxdb hassio_dns homeassistant hassio_supervisor addon_core_check_config addon_62c7908d_autobackup plexms 21 | NOTIFIERS: "tgram://$TGRAM_BOT_TOKEN/$TGRAM_CHAT_ID/" 22 | DOCKER_SOCKETS: tcp://socket-proxy:2375 # POST to be enabled on Socket Proxy -------------------------------------------------------------------------------- /compose/mds/airsonic-advanced.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Airsonic Advanced - Music Server 3 | airsonic-advanced: 4 | image: lscr.io/linuxserver/airsonic-advanced 5 | container_name: airsonic-advanced 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["media", "all"] 10 | networks: 11 | - default 12 | volumes: 13 | - $DOCKERDIR/appdata/airsonic-advanced/podcasts:/data/podcasts 14 | - $DOCKERDIR/appdata/airsonic-advanced/playlists:/data/playlists 15 | - $DOCKERDIR/appdata/airsonic-advanced/config:/config 16 | - $MEDIADIR1/music:/data/music 17 | # - $MEDIADIR3:/data/media3 18 | ports: 19 | - "$AIRSONICADVANCED_PORT:4040" 20 | environment: 21 | TZ: $TZ 22 | PUID: $PUID 23 | PGID: $PGID 24 | JAVA_OPTS: '-Dserver.forward-headers-strategy=native' # optional - if you use a reverse-proxy 25 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /compose/ws-arm/portchecker.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Port Checker - Web UI for the Port Checker 3 | portchecker: 4 | image: ghcr.io/dsgnr/portcheckerio-web:latest 5 | container_name: portchecker 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "all"] 10 | networks: 11 | - default 12 | ports: 13 | - 
$PORTCHECKER_PORT:80 14 | healthcheck: 15 | test: ["CMD", "wget", "--spider", "-S", "http://10.0.0.71:$PORTCHECKER_PORT"] 16 | interval: 30s 17 | timeout: 10s 18 | retries: 3 19 | start_period: 5s 20 | depends_on: 21 | portchecker-api: 22 | condition: service_healthy 23 | environment: 24 | - DEFAULT_PORT=443 # Optional, Populates a default port value to be populataed in the in the UI input 25 | # - GOOGLE_ANALYTICS= # Optional, set for Google Analytics integration 26 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /compose/archives/redis-commander.yml: -------------------------------------------------------------------------------- 1 | # Redis Commander - Redis Management Tool 2 | rediscommander: 3 | container_name: rediscommander 4 | image: rediscommander/redis-commander:latest 5 | restart: unless-stopped 6 | networks: 7 | - t2_proxy 8 | security_opt: 9 | - no-new-privileges:true 10 | environment: 11 | - REDIS_HOST=redis 12 | - REDIS_PASSWORD=$REDIS_PASSWORD 13 | labels: 14 | - "traefik.enable=true" 15 | ## HTTP Routers 16 | - "traefik.http.routers.rediscommander-rtr.entrypoints=https" 17 | - "traefik.http.routers.rediscommander-rtr.rule=HostHeader(`rediscom.$DOMAINNAME`)" 18 | ## Middlewares 19 | - "traefik.http.routers.rediscommander-rtr.middlewares=chain-oauth@file" 20 | ## HTTP Services 21 | - "traefik.http.routers.rediscommander-rtr.service=rediscommander-svc" 22 | - "traefik.http.services.rediscommander-svc.loadbalancer.server.port=8081" -------------------------------------------------------------------------------- /compose/archives/ombi.yml: -------------------------------------------------------------------------------- 1 | # Ombi - Media Requests 2 | ombi: 3 | image: linuxserver/ombi:latest 4 | container_name: ombi 5 | restart: unless-stopped 6 | networks: 7 | - t2_proxy 8 | # ports: 9 | # - "$OMBI_PORT:3579" 10 | security_opt: 11 | - no-new-privileges:true 12 | volumes: 13 | - 
$DOCKERDIR/appdata/ombi:/config 14 | environment: 15 | PUID: $PUID 16 | PGID: $PGID 17 | TZ: $TZ 18 | BASE_URL: /ombi #optional 19 | labels: 20 | - "traefik.enable=true" 21 | ## HTTP Routers 22 | - "traefik.http.routers.ombi-rtr.entrypoints=https" 23 | - "traefik.http.routers.ombi-rtr.rule=Host(`ombi.$DOMAINNAME`)" 24 | ## Middlewares 25 | - "traefik.http.routers.ombi-rtr.middlewares=chain-no-auth@file" 26 | ## HTTP Services 27 | - "traefik.http.routers.ombi-rtr.service=ombi-svc" 28 | - "traefik.http.services.ombi-svc.loadbalancer.server.port=3579" -------------------------------------------------------------------------------- /compose/ws-arm/vscode.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # VSCode - VSCode Editing 3 | vscode: 4 | image: lscr.io/linuxserver/code-server:latest 5 | container_name: vscode 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["core", "all"] 10 | networks: 11 | - default 12 | ports: 13 | - "$VSCODE_PORT:8443" 14 | volumes: 15 | - $DOCKERDIR/appdata/vscode:/config 16 | - $USERDIR:/data/$PRIMARY_USERNAME # full read/write on the user's home directory; whoever gets into this code-server session gets that too, so scope the mount down if the whole home is not needed 17 | environment: 18 | - TZ=$TZ 19 | - PUID=$PUID 20 | - PGID=$PGID 21 | # - DOCKER_HOST 22 | - PASSWORD=$VSCODE_HTTP_PASSWORD # plaintext password lands in the container environment (docker inspect, /proc); the HASHED_PASSWORD option below avoids that 23 | # - HASHED_PASSWORD= #optional 24 | # - SUDO_PASSWORD= password #optional 25 | # - SUDO_PASSWORD_HASH= #optional 26 | # - PROXY_DOMAIN= code-server.my.domain #optional 27 | # - DEFAULT_WORKSPACE=/config/data/User/Workspaces/Default.code-workspace #optional 28 | # DOCKER-LABELS-PLACEHOLDER 29 | -------------------------------------------------------------------------------- /commits/2024/2024_05_01.txt: -------------------------------------------------------------------------------- 1 | * Several updates 2024_05_01. See full commit log. 2 | 3 | * Updated Traefik to v3 (on home server - hs). The rest will be migrated over slowly. 
4 | * Syntax updated for Traefik v3 compatibility - Headers to Header, HeadersRegexp to HeaderRegexp, HostSNIRegexp, etc. Check https://www.smarthomebeginner.com/traefik-v3-docker-compose-guide-2024/#Migrating_from_Traefik_v2_to_v3. 5 | * "t2_proxy" network is now "t3_proxy" to represent Traefik v3. Subnet 192.168.90.0/24 remains the same. 6 | * Continuing to maintain both Traefik v2 and Traefik v3 appdata folders (at least for a few more months). 7 | * Removed compress middleware - was causing unnecessary log warnings about mime type. I could not find a solution. 8 | * Removed Docker Compose version tags. 9 | * Added Authelia, Scrutiny, Kasm (WIP), and Firefly + Importer. 10 | * Bash Aliases updates. 11 | * Nginx version update to 1.24 in web server (ws). 12 | * docker-compose-dns.yml is work-in-progress. -------------------------------------------------------------------------------- /compose/archives/autoindex.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Autoindex - Simple Directory Index 3 | autoindex: 4 | container_name: autoindex 5 | image: dceoy/nginx-autoindex:latest 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "all"] 10 | networks: 11 | - t2_proxy 12 | # ports: 13 | # - "$AUTOINDEX_PORT:80" 14 | volumes: 15 | - $USERDIR:/var/lib/nginx/html:ro # Location you want to index 16 | labels: 17 | - "traefik.enable=true" 18 | # HTTP Routers 19 | - "traefik.http.routers.autoindex-rtr.entrypoints=websecure" 20 | - "traefik.http.routers.autoindex-rtr.rule=Host(`index.$DOMAINNAME_WS`)" 21 | # Middlewares 22 | - "traefik.http.routers.autoindex-rtr.middlewares=chain-oauth@file" 23 | # HTTP Services 24 | - "traefik.http.routers.autoindex-rtr.service=autoindex-svc" 25 | - "traefik.http.services.autoindex-svc.loadbalancer.server.port=80" -------------------------------------------------------------------------------- /compose/hs/glances.yml: 
-------------------------------------------------------------------------------- 1 | services: 2 | # Glances - System Information 3 | glances: 4 | image: nicolargo/glances:latest-full 5 | container_name: glances 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["monitoring", "all"] 10 | # privileged: true # Only for VM 11 | networks: 12 | - default 13 | - socket_proxy 14 | ports: 15 | - "$GLANCES_PORT:61208" 16 | pid: host 17 | volumes: 18 | - $DOCKERDIR/appdata/glances/glances.conf:/glances/conf/glances.conf # Use this if you want to add a glances.conf file 19 | - $DOCKERDIR:/data/docker:ro 20 | # - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy instead for improved security 21 | environment: 22 | # - GLANCES_OPT="-C /glances/conf/glances.conf --quiet --export influxdb" 23 | # - GLANCES_OPT="--export influxdb" 24 | - "GLANCES_OPT=-w" 25 | - DOCKER_HOST 26 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /compose/archives/cloud-commander.yml: -------------------------------------------------------------------------------- 1 | # Cloud Commander - web file manager 2 | cloudcmd: 3 | image: coderaiser/cloudcmd 4 | container_name: cloudcmd 5 | restart: unless-stopped 6 | networks: 7 | - t2_proxy 8 | security_opt: 9 | - no-new-privileges:true 10 | volumes: 11 | - $USERDIR/docker/cloudcmd:/root 12 | - $USERDIR:/mnt/fs 13 | environment: 14 | PUID: $PUID 15 | PGID: $PGID 16 | TZ: $TZ 17 | labels: 18 | - "traefik.enable=true" 19 | ## HTTP Routers 20 | - "traefik.http.routers.cloudcmd-rtr.entrypoints=https" 21 | - "traefik.http.routers.cloudcmd-rtr.rule=Host(`cloudcmd.$DOMAINNAME`)" 22 | - "traefik.http.routers.cloudcmd-rtr.tls=true" 23 | ## Middlewares 24 | - "traefik.http.routers.cloudcmd-rtr.middlewares=chain-authelia@file" 25 | ## HTTP Services 26 | - "traefik.http.routers.cloudcmd-rtr.service=cloudcmd-svc" 27 | - 
"traefik.http.services.cloudcmd-svc.loadbalancer.server.port=8000" -------------------------------------------------------------------------------- /compose/ws-arm/crowdsec.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # CrowdSec - Open-source & Collaborative IPS 3 | crowdsec: 4 | image: crowdsecurity/crowdsec 5 | container_name: crowdsec 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["core", "all"] 10 | depends_on: 11 | mariadb: 12 | condition: service_healthy 13 | ports: 14 | - "$CROWDSEC_PORT:8080" # Local API port 15 | - "6060:6060" # Exposing metrics via Zerotier IP 16 | environment: 17 | COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/whitelist-good-actors crowdsecurity/iptables crowdsecurity/linux fulljackz/proxmox crowdsecurity/sshd crowdsecurity/wordpress" 18 | GID: $PGID 19 | CUSTOM_HOSTNAME: $HOSTNAME 20 | volumes: 21 | - $DOCKERDIR/logs/$HOSTNAME:/logs/$HOSTNAME:ro 22 | - /var/log:/var/log:ro 23 | - $DOCKERDIR/appdata/crowdsec/data:/var/lib/crowdsec/data 24 | - $DOCKERDIR/appdata/crowdsec/config:/etc/crowdsec -------------------------------------------------------------------------------- /compose/archives/funkwhale.yml: -------------------------------------------------------------------------------- 1 | # FunkWhale - Music Server 2 | funkwhale: 3 | <<: *common-keys-media # See EXTENSION FIELDS at the top 4 | container_name: funkwhale 5 | image: thetarkus/funkwhale 6 | # ports: 7 | # - "$FUNKWHALE_PORT:80" 8 | volumes: 9 | - $DOCKERDIR/appdata/funkwhale:/data 10 | - $DATADIR/media/music:/music:ro 11 | environment: 12 | - PUID=$PUID 13 | - PGID=$PGID 14 | - FUNKWHALE_HOSTNAME=proxfw.$DOMAINNAME0 15 | - NESTED_PROXY=1 16 | labels: 17 | - "traefik.enable=true" 18 | ## HTTP Routers 19 | - "traefik.http.routers.funkwhale-rtr.entrypoints=https" 20 | - "traefik.http.routers.funkwhale-rtr.rule=Host(`proxfw.$DOMAINNAME0`)" 21 | ## 
Middlewares 22 | - "traefik.http.routers.funkwhale-rtr.middlewares=chain-no-auth@file" 23 | ## HTTP Services 24 | - "traefik.http.routers.funkwhale-rtr.service=funkwhale-svc" 25 | - "traefik.http.services.funkwhale-svc.loadbalancer.server.port=80" 26 | 27 | -------------------------------------------------------------------------------- /compose/archives/ampache.yml: -------------------------------------------------------------------------------- 1 | # Ampache - Music Server 2 | ampache: 3 | container_name: ampache 4 | image: ampache/ampache:nosql 5 | restart: "no" 6 | # profiles: 7 | # - media 8 | networks: 9 | - t2_proxy 10 | - default 11 | security_opt: 12 | - no-new-privileges:true 13 | # ports: 14 | # - "$AMPACHE_PORT:80" 15 | volumes: 16 | - $DOCKERDIR/appdata/ampache/config:/var/www/config 17 | - $DOCKERDIR/appdata/ampache/log:/var/log/ampache 18 | - $DATADIR/media/music:/media 19 | labels: 20 | - "traefik.enable=true" 21 | ## HTTP Routers 22 | - "traefik.http.routers.ampache-rtr.entrypoints=https" 23 | - "traefik.http.routers.ampache-rtr.rule=Host(`amp.$DOMAINNAME0`)" 24 | ## Middlewares 25 | - "traefik.http.routers.ampache-rtr.middlewares=chain-no-auth@file" 26 | ## HTTP Services 27 | - "traefik.http.routers.ampache-rtr.service=ampache-svc" 28 | - "traefik.http.services.ampache-svc.loadbalancer.server.port=80" -------------------------------------------------------------------------------- /compose/ws-arm/glances.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Glances - System Information 3 | glances: 4 | image: nicolargo/glances:latest-full 5 | container_name: glances 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["monitoring", "all"] 10 | privileged: true # Only for VM 11 | networks: 12 | - default 13 | - socket_proxy 14 | ports: 15 | - "$GLANCES_PORT:61208" 16 | pid: host 17 | volumes: 18 | - 
$DOCKERDIR/appdata/glances/glances.conf:/glances/conf/glances.conf # Use this if you want to add a glances.conf file 19 | - $DOCKERDIR:/data/docker:ro 20 | - /media/block50:/data/block50:ro 21 | # - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy instead for improved security 22 | environment: 23 | # - GLANCES_OPT="-C /glances/conf/glances.conf --quiet --export influxdb" 24 | # - GLANCES_OPT="--export influxdb" 25 | - "GLANCES_OPT=-w" 26 | - DOCKER_HOST 27 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /compose/ws-arm/php8.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # PHP - Hypertext Preprocessor 3 | # https://github.com/chialab/docker-php 4 | php8: 5 | container_name: php8 6 | image: chialab/php:8.4-fpm 7 | security_opt: 8 | - no-new-privileges:true 9 | restart: unless-stopped 10 | profiles: ["core", "all"] 11 | networks: 12 | default: 13 | # ipv4_address: 172.18.0.9 # IP of of WP Crowdsec plugin kept changing 14 | t3_proxy: 15 | user: $PUID:$PGID # allows upgrading WP and plugins 16 | volumes: 17 | - $DOCKERDIR/appdata/sites/simplehomelab/html:/var/www/html/simplehomelab 18 | - $DOCKERDIR/logs/ws-arm/php/php8:/var/log/php 19 | - $DOCKERDIR/appdata/php/php8:/usr/local/etc 20 | - $DOCKERDIR/appdata/sites/khub/html:/var/www/html/khub 21 | - $DOCKERDIR/appdata/sites/dash/html:/var/www/html/dash 22 | - $DOCKERDIR/appdata/sites/deployrr/html:/var/www/html/deployrr 23 | - $DOCKERDIR/appdata/sites/deployarr/html:/var/www/html/deployarr # delete this line after 6/15/2025 -------------------------------------------------------------------------------- /compose/archives/smokeping.yml: -------------------------------------------------------------------------------- 1 | # SmokePing - Network latency Monitoring 2 | smokeping: 3 | image: linuxserver/smokeping:latest 4 | container_name: smokeping 5 | restart: unless-stopped 6 | 
networks: 7 | - t2_proxy 8 | security_opt: 9 | - no-new-privileges:true 10 | # ports: 11 | # - "$SMOKEPING_PORT:80" 12 | volumes: 13 | - $DOCKERDIR/smokeping/config:/config 14 | - $DOCKERDIR/smokeping/data:/data 15 | environment: 16 | PUID: $PUID 17 | PGID: $PGID 18 | TZ: $TZ 19 | labels: 20 | - "traefik.enable=true" 21 | ## HTTP Routers 22 | - "traefik.http.routers.smokeping-rtr.entrypoints=https" 23 | - "traefik.http.routers.smokeping-rtr.rule=HostHeader(`smokeping.$DOMAINNAME`)" 24 | ## Middlewares 25 | - "traefik.http.routers.smokeping-rtr.middlewares=chain-authelia@file" 26 | ## HTTP Services 27 | - "traefik.http.routers.smokeping-rtr.service=smokeping-svc" 28 | - "traefik.http.services.smokeping-svc.loadbalancer.server.port=80" -------------------------------------------------------------------------------- /appdata/php/php8/php-fpm.d/docker.conf: -------------------------------------------------------------------------------- 1 | [global] 2 | ; error_log = /proc/self/fd/2 3 | error_log = /var/log/php/error.log 4 | ; access_log = /var/log/php/access.log 5 | 6 | ; https://github.com/docker-library/php/pull/725#issuecomment-443540114 7 | log_limit = 8192 8 | 9 | [www] 10 | ; php-fpm closes STDOUT on startup, so sending logs to /proc/self/fd/1 does not work. 11 | ; https://bugs.php.net/bug.php?id=73886 12 | access.log = /proc/self/fd/2 13 | ; access.log = /var/log/php/www-access.log 14 | clear_env = no 15 | 16 | ; Ensure worker stdout and stderr are sent to the main error log. 17 | catch_workers_output = yes 18 | decorate_workers_output = no 19 | 20 | [wordpress] 21 | ; php-fpm closes STDOUT on startup, so sending logs to /proc/self/fd/1 does not work. 22 | ; https://bugs.php.net/bug.php?id=73886 23 | access.log = /proc/self/fd/2 24 | ; access.log = /var/log/php/wordpress-access.log 25 | 26 | clear_env = no 27 | 28 | ; Ensure worker stdout and stderr are sent to the main error log. 
29 | catch_workers_output = yes 30 | decorate_workers_output = no -------------------------------------------------------------------------------- /compose/hs/qbittorrent-vpn.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # qBittorrent - Torrent downloader 3 | qbittorrent-vpn: 4 | image: lscr.io/linuxserver/qbittorrent:latest 5 | container_name: qbittorrent-vpn 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "downloads", "all"] 10 | network_mode: "service:gluetun" 11 | volumes: 12 | - $DOCKERDIR/appdata/qbittorrent-vpn:/config 13 | - $DOWNLOADSDIR:/data/downloads # Ensure that downloads folder is set to /data/downloads in qBittorrent 14 | environment: 15 | TZ: $TZ 16 | PUID: $PUID 17 | PGID: $PGID 18 | UMASK_SET: 002 19 | healthcheck: # https://github.com/qdm12/gluetun/issues/641#issuecomment-933856220 20 | test: "curl -sf https://example.com || exit 1" 21 | interval: 1m 22 | timeout: 10s 23 | retries: 1 24 | labels: # Traefik labels added via file provider app-qbittorrent.yml in rules folder 25 | - "deunhealth.restart.on.unhealthy=true" 26 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /compose/mds/mosquitto.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Mosquitto - MQTT Broker 3 | # Create mosquitto.conf, passwd, mosquitto.log files and set permissions to 775 user:docker 4 | # dexec mosquitto /bin/sh -> mosquitto_passwd -b /mosquitto/config/passwd username passwd 5 | mosquitto: 6 | container_name: mosquitto 7 | image: eclipse-mosquitto:latest 8 | security_opt: 9 | - no-new-privileges:true 10 | restart: unless-stopped 11 | profiles: ["apps", "all"] 12 | networks: 13 | - default 14 | ports: 15 | - "1833:1883" #http 16 | - "9001:9001" #websockets 17 | volumes: 18 | - $DOCKERDIR/appdata/mosquitto/config:/mosquitto/config 19 | - 
$DOCKERDIR/appdata/mosquitto/data:/mosquitto/data 20 | - $DOCKERDIR/appdata/mosquitto/log:/mosquitto/log 21 | - $DOCKERDIR/appdata/mosquitto/config/mosquitto.conf:/mosquitto/config/mosquitto.conf 22 | - $DOCKERDIR/appdata/mosquitto/config/passwd:/mosquitto/config/passwd 23 | environment: 24 | PUID: $PUID 25 | PGID: $PGID 26 | TZ: $TZ -------------------------------------------------------------------------------- /compose/archives/metube.yml: -------------------------------------------------------------------------------- 1 | # MeTube - Youtube downloader 2 | # Could not get this to work - "Could not resolve name" error 3 | metube: 4 | <<: *common-keys-apps # See EXTENSION FIELDS at the top 5 | image: alexta69/metube 6 | container_name: metube 7 | user: $PUID:$PGID 8 | volumes: 9 | - $DATADIR/downloads/youtube:/downloads 10 | - $DOCKERDIR/appdata/metube/config:/config 11 | - $DOCKERDIR/appdata/metube/cookies:/cookies 12 | environment: 13 | - STATE_DIR=/config 14 | - YTDL_OPTIONS={"cookiefile":"/cookies/cookies.txt"} 15 | labels: 16 | - "traefik.enable=true" 17 | ## HTTP Routers 18 | - "traefik.http.routers.metube-rtr.entrypoints=https" 19 | - "traefik.http.routers.metube-rtr.rule=Host(`metube.$DOMAINNAME0`)" 20 | ## Middlewares 21 | - "traefik.http.routers.metube-rtr.middlewares=chain-oauth@file" 22 | ## HTTP Services 23 | - "traefik.http.routers.metube-rtr.service=metube-svc" 24 | - "traefik.http.services.metube-svc.loadbalancer.server.port=8081" -------------------------------------------------------------------------------- /compose/hs/oauth.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Traefik Forward Auth - Single Sign On using OAuth 2.0 3 | oauth: 4 | container_name: oauth 5 | image: ghcr.io/italypaleale/traefik-forward-auth:4 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["core", "all"] 10 | networks: 11 | - t3_proxy 12 | # ports: 13 | # - "4181:4181" 14 | 
volumes: 15 | - $DOCKERDIR/appdata/oauth/tfa_config.yaml:/etc/traefik-forward-auth/config.yaml:ro 16 | labels: 17 | - "traefik.enable=true" 18 | # HTTP Routers 19 | - "traefik.http.routers.oauth-rtr.entrypoints=websecure-internal,websecure-external" 20 | - "traefik.http.routers.oauth-rtr.rule=Host(`auth.$DOMAINNAME_1`)" 21 | # Middlewares 22 | - "traefik.http.routers.oauth-rtr.middlewares=chain-no-auth@file" 23 | # HTTP Services 24 | - "traefik.http.routers.oauth-rtr.service=oauth-svc" 25 | - "traefik.http.services.oauth-svc.loadbalancer.server.port=4181" 26 | # DOCKER-LABELS-PLACEHOLDER 27 | -------------------------------------------------------------------------------- /archives/traefik_v3-pre-deployrr/custom/Dockerfile-php7: -------------------------------------------------------------------------------- 1 | # https://github.com/mlocati/docker-php-extension-installer 2 | 3 | # https://www.php.net/ChangeLog-7.php 4 | FROM php:7.4-fpm 5 | 6 | # ADD https://raw.githubusercontent.com/mlocati/docker-php-extension-installer/master/install-php-extensions /usr/local/bin/ 7 | ADD https://github.com/mlocati/docker-php-extension-installer/releases/latest/download/install-php-extensions /usr/local/bin/ 8 | 9 | 10 | RUN chmod uga+x /usr/local/bin/install-php-extensions && sync && \ 11 | install-php-extensions gd mysqli pdo_mysql opcache imagick exif zip mcrypt pspell redis sockets ssh2 bcmath intl calendar 12 | 13 | # ADDED AUGUST 18, 2022 BECAUSE ERRORS IN PHP7 DOCKER LOGS TO INCREASE MAX_CHILDREN 14 | # https://serverfault.com/questions/884256/how-and-where-to-configure-pm-max-children-for-php-fpm-with-docker 15 | # SETUP PHP-FPM CONFIG SETTINGS (max_children / max_requests) 16 | RUN echo 'pm.max_children = 15' >> /usr/local/etc/php-fpm.d/zz-docker.conf && \ 17 | echo 'pm.max_requests = 500' >> /usr/local/etc/php-fpm.d/zz-docker.conf -------------------------------------------------------------------------------- /compose/archives/cadvisor.yml: 
-------------------------------------------------------------------------------- 1 | # cAdvisor - Container Advisor 2 | cadvisor: 3 | <<: *common-keys-monitoring # See EXTENSION FIELDS at the top 4 | container_name: cadvisor 5 | image: gcr.io/cadvisor/cadvisor:latest 6 | ports: 7 | - "$CADVISOR_PORT:8080" 8 | #privileged: true # Only needed for CentOS, Fedora, Red Hat, etc. 9 | #devices: 10 | # - /dev/kmsg 11 | volumes: 12 | - /:/rootfs:ro 13 | - /var/run:/var/run:rw 14 | - /sys:/sys:ro 15 | - /var/lib/docker/:/var/lib/docker:ro 16 | - /dev/disk/:/dev/disk:ro 17 | labels: 18 | - "traefik.enable=true" 19 | ## HTTP Routers 20 | - "traefik.http.routers.cadvisor-rtr.entrypoints=https" 21 | - "traefik.http.routers.cadvisor-rtr.rule=HostHeader(`cad.$DOMAINNAME1`)" 22 | ## Middlewares 23 | - "traefik.http.routers.cadvisor-rtr.middlewares=chain-oauth@file" 24 | ## HTTP Services 25 | - "traefik.http.routers.cadvisor-rtr.service=cadvisor-svc" 26 | - "traefik.http.services.cadvisor-svc.loadbalancer.server.port=8080" 27 | -------------------------------------------------------------------------------- /compose/archives/heimdall.yml: -------------------------------------------------------------------------------- 1 | # Heimdall - Application Dashboard 2 | heimdall: 3 | <<: *common-keys-core # See EXTENSION FIELDS at the top 4 | image: lscr.io/linuxserver/heimdall 5 | container_name: heimdall 6 | # ports: 7 | # - "$HEIMDALL_PORT:80" # 80 to 82 already taken by other services 8 | # - "444:443" # 443 used by Traefik/Nginx Proxy Manager. Disabled because we will put Heimdall behind proxy. 
9 | volumes: 10 | - $DOCKERDIR/appdata/heimdall:/config 11 | environment: 12 | <<: *default-tz-puid-pgid 13 | labels: 14 | - "traefik.enable=true" 15 | ## HTTP Routers 16 | - "traefik.http.routers.heimdall-rtr.entrypoints=https" 17 | - "traefik.http.routers.heimdall-rtr.rule=Host(`$DOMAINNAME_CLOUD_SERVER`,`www.$DOMAINNAME_CLOUD_SERVER`)" 18 | ## Middlewares 19 | - "traefik.http.routers.heimdall-rtr.middlewares=chain-oauth@file" 20 | ## HTTP Services 21 | - "traefik.http.routers.heimdall-rtr.service=heimdall-svc" 22 | - "traefik.http.services.heimdall-svc.loadbalancer.server.port=80" -------------------------------------------------------------------------------- /appdata/nginx/common/php7/nonwp-nfc-php.conf: -------------------------------------------------------------------------------- 1 | # WPFC NGINX CONFIGURATION 2 | # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) 3 | 4 | # Enable Nginx FastCGI Cache 5 | #set $skip_cache 0; 6 | # Disable Nginx FastCGI Cache 7 | set $skip_cache 1; 8 | 9 | # POST requests and URL with a query string should always go to php 10 | if ($request_method = POST) { 11 | set $skip_cache 1; 12 | } 13 | if ($query_string != "") { 14 | set $skip_cache 1; 15 | } 16 | 17 | # Use cached or actual file if they exists, Otherwise pass request to WordPress 18 | location / { 19 | try_files $uri $uri/ /index.php?$args; 20 | } 21 | 22 | location ~ \.php$ { 23 | # include common/hbgauthor.conf; 24 | try_files $uri =404; 25 | include fastcgi.conf; 26 | fastcgi_pass php7; 27 | fastcgi_cache_bypass $skip_cache; 28 | fastcgi_no_cache $skip_cache; 29 | fastcgi_cache WORDPRESS; 30 | } 31 | 32 | # Not available - Nginx Commercial Subscription Required 33 | # location ~ /purge(/.*) { 34 | # fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1"; 35 | # access_log off; 36 | #} 37 | -------------------------------------------------------------------------------- /appdata/nginx/common/php8/nonwp-nfc-php.conf: 
-------------------------------------------------------------------------------- 1 | # WPFC NGINX CONFIGURATION 2 | # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) 3 | 4 | # Enable Nginx FastCGI Cache 5 | #set $skip_cache 0; 6 | # Disable Nginx FastCGI Cache 7 | set $skip_cache 1; 8 | 9 | # POST requests and URL with a query string should always go to php 10 | if ($request_method = POST) { 11 | set $skip_cache 1; 12 | } 13 | if ($query_string != "") { 14 | set $skip_cache 1; 15 | } 16 | 17 | # Use cached or actual file if they exists, Otherwise pass request to WordPress 18 | location / { 19 | try_files $uri $uri/ /index.php?$args; 20 | } 21 | 22 | location ~ \.php$ { 23 | # include common/hbgauthor.conf; 24 | try_files $uri =404; 25 | include fastcgi.conf; 26 | fastcgi_pass php8; 27 | fastcgi_cache_bypass $skip_cache; 28 | fastcgi_no_cache $skip_cache; 29 | fastcgi_cache WORDPRESS; 30 | } 31 | 32 | # Not available - Nginx Commercial Subscription Required 33 | # location ~ /purge(/.*) { 34 | # fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1"; 35 | # access_log off; 36 | #} 37 | -------------------------------------------------------------------------------- /compose/archives/crowdsec-metabase.yml: -------------------------------------------------------------------------------- 1 | # CrowdSec Dashboard 2 | # Uses a lot of resources. May be crowdsec's cloud dashboard or Prometheus Grafana may be a better option. 
3 | csdash: 4 | <<: *common-keys-apps # See EXTENSION FIELDS at the top 5 | container_name: crowdsec-dashboard 6 | build: 7 | context: $DOCKERDIR/custom/ 8 | dockerfile: Dockerfile-csdash 9 | depends_on: 10 | - crowdsec 11 | environment: 12 | - MB_DB_FILE=/data/metabase.db 13 | - MGID=1000 14 | volumes: 15 | - $DOCKERDIR/appdata/crowdsec/data:/metabase-data/ 16 | labels: 17 | - "traefik.enable=true" 18 | ## HTTP Routers 19 | - "traefik.http.routers.csdash-rtr.entrypoints=https" 20 | - "traefik.http.routers.csdash-rtr.rule=Host(`csdash.$DOMAINNAME_CLOUD_SERVER`)" 21 | ## Middlewares 22 | - "traefik.http.routers.csdash-rtr.middlewares=chain-oauth@file" 23 | ## HTTP Services 24 | - "traefik.http.routers.csdash-rtr.service=csdash-svc" 25 | - "traefik.http.services.csdash-svc.loadbalancer.server.port=3000" -------------------------------------------------------------------------------- /compose/archives/xteve.yml: -------------------------------------------------------------------------------- 1 | # xTeve - IPTV proxy for Plex 2 | xteve: 3 | image: alturismo/xteve 4 | container_name: xteve 5 | restart: unless-stopped 6 | # network_mode: host 7 | networks: 8 | - t2_proxy 9 | ports: 10 | - "34400:34400" 11 | - "1901:1900" 12 | # user: "0" 13 | # logging: 14 | # options: 15 | # max-size: "10m" 16 | # max-files: 3 17 | environment: 18 | TZ: $TZ 19 | volumes: 20 | - $USERDIR/docker/xteve:/config:rw 21 | - /dev/shm:/tmp/xteve 22 | labels: 23 | - "traefik.enable=true" 24 | ## HTTP Routers 25 | - "traefik.http.routers.xteve-rtr.entrypoints=https" 26 | - "traefik.http.routers.xteve-rtr.rule=Host(`xteve.$DOMAINNAME`)" 27 | - "traefik.http.routers.xteve-rtr.tls=true" 28 | ## Middlewares 29 | - "traefik.http.routers.xteve-rtr.middlewares=chain-authelia@file" 30 | ## HTTP Services 31 | - "traefik.http.routers.xteve-rtr.service=xteve-svc" 32 | - "traefik.http.services.xteve-svc.loadbalancer.server.port=34400" 
-------------------------------------------------------------------------------- /compose/archives/filebrowser.yml: -------------------------------------------------------------------------------- 1 | # File Browser - Explorer 2 | filebrowser: 3 | image: filebrowser/filebrowser:s6 4 | container_name: filebrowser 5 | security_opt: 6 | - no-new-privileges:true 7 | restart: unless-stopped 8 | profiles: ["apps", "all"] 9 | networks: 10 | - t2_proxy 11 | ports: 12 | - "81:80" 13 | volumes: 14 | - $DOCKERDIR/appdata/filebrowser:/config 15 | - $EXTDRIVE:/data/media 16 | - $USERDIR:/data/home 17 | environment: 18 | TZ: $TZ 19 | PUID: $PUID 20 | PGID: $PGID 21 | labels: 22 | - "traefik.enable=true" 23 | ## HTTP Routers 24 | - "traefik.http.routers.filebrowser-rtr.entrypoints=https" 25 | - "traefik.http.routers.filebrowser-rtr.rule=Host(`fb.$DOMAINNAME_CLOUD_SERVER`)" 26 | ## Middlewares 27 | - "traefik.http.routers.filebrowser-rtr.middlewares=chain-oauth@file" 28 | ## HTTP Services 29 | - "traefik.http.routers.filebrowser-rtr.service=filebrowser-svc" 30 | - "traefik.http.services.filebrowser-svc.loadbalancer.server.port=80" -------------------------------------------------------------------------------- /scripts/ds918/switch_ports.sh.example: -------------------------------------------------------------------------------- 1 | #! /bin/bash 2 | 3 | # Save this script in one of your shares and schedule it to run as root at boot 4 | # through Control Panel -> Task Scheduler 5 | # DSM upgrades will reset these changes, which is why we schedule them to happen automatically 6 | 7 | # NGINX Ports - CUSTOMIZE THIS 8 | # Several Synology services use port 80 and 443 via Nginx. This conflicts with Traefik, Nginx Proxy Manager, Caddy, etc. 9 | # This script reconfigures Nginx to use non-default ports, leaving ports 80 and 443 free for reverse proxy. 10 | 11 | DEFAULT_HTTP_PORT=80 # typically left as-is, 80. 12 | DEFAULT_HTTPS_PORT=443 # typically left as-is, 443. 
13 | NEW_HTTP_PORT=81 14 | NEW_HTTPS_PORT=444 15 | 16 | ################ DO NOT EDIT BEYOND THIS LINE ########################### 17 | sed -i "s/^\([ \t]\+listen[ \t]\+[]:[]*\)$DEFAULT_HTTP_PORT\([^0-9]\)/\1$NEW_HTTP_PORT\2/" /usr/syno/share/nginx/*.mustache 18 | sed -i "s/^\([ \t]\+listen[ \t]\+[]:[]*\)$DEFAULT_HTTPS_PORT\([^0-9]\)/\1$NEW_HTTPS_PORT\2/" /usr/syno/share/nginx/*.mustache 19 | 20 | synosystemctl restart nginx 21 | -------------------------------------------------------------------------------- /commits/2023/2023_01_26.txt: -------------------------------------------------------------------------------- 1 | * Several updates 2023_01_26. See full commit log. 2 | 3 | * bash_aliases updates due to moving my proxmox server from the cloud back into my home - I now have fiber with 10 Gbps :-) 4 | * Added --drive-stop-on-upload-limit switch to stop rclone upload when google drive errors out due to quota. 5 | * Added crowdsec and traefik-bouncer to basic-services.txt as without them none of the service would be accessible and traefik won't start. 6 | * Remove cf-companion. I now just wildcard all CNAMEs to the root domain pointing to my IP. Much simpler this way and its not a big security risk. 7 | * Updated README with crowdsec related posts. 8 | * Obsoleted cf-companion (see above) and heimdall (replaced with homepage) 9 | * Updated traefik to v2.9 10 | * Updated docker and docker-compose versions. 11 | * Added crowdsecurity/blocklist-mirror to export all the blocked IPs as a list. 12 | * Added whoami container for testing purposes 13 | * Exposed some ports to the host now that my server is inside my home network. 14 | * Added AdGuard Home sync to sync all my instances of adguard home. 
15 | -------------------------------------------------------------------------------- /compose/archives/gonic.yml: -------------------------------------------------------------------------------- 1 | # Gonic - Music Server 2 | gonic: 3 | container_name: gonic 4 | image: sentriz/gonic:latest 5 | restart: "no" 6 | # profiles: 7 | # - media 8 | networks: 9 | - t2_proxy 10 | security_opt: 11 | - no-new-privileges:true 12 | # ports: 13 | # - "$GONIC_PORT:80" 14 | volumes: 15 | - $DOCKERDIR/appdata/gonic/data:/data 16 | - $DOCKERDIR/appdata/gonic/podcasts:/podcasts 17 | - $DATADIR/transcode/gonic:/cache 18 | - $DATADIR/media/music:/music:ro 19 | environment: 20 | - PUID=$PUID 21 | - PGID=$PGID 22 | - TZ=$TZ 23 | labels: 24 | - "traefik.enable=true" 25 | ## HTTP Routers 26 | - "traefik.http.routers.gonic-rtr.entrypoints=https" 27 | - "traefik.http.routers.gonic-rtr.rule=Host(`gonic.$DOMAINNAME0`)" 28 | ## Middlewares 29 | - "traefik.http.routers.gonic-rtr.middlewares=chain-no-auth@file" 30 | ## HTTP Services 31 | - "traefik.http.routers.gonic-rtr.service=gonic-svc" 32 | - "traefik.http.services.gonic-svc.loadbalancer.server.port=80" -------------------------------------------------------------------------------- /appdata/traefik2/rules/hs/middlewares-secure-headers.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-secure-headers: 4 | headers: 5 | accessControlAllowMethods: 6 | - GET 7 | - OPTIONS 8 | - PUT 9 | accessControlMaxAge: 100 10 | hostsProxyHeaders: 11 | - "X-Forwarded-Host" 12 | stsSeconds: 63072000 13 | stsIncludeSubdomains: true 14 | stsPreload: true 15 | # forceSTSHeader: true # This is a good thing but it can be tricky. Enable after everything works. 
16 | customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 17 | contentTypeNosniff: true 18 | browserXssFilter: true 19 | referrerPolicy: "same-origin" 20 | permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()" 21 | customResponseHeaders: 22 | X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex," # disable search engines from indexing home server 23 | server: "" # hide server info from visitors 24 | -------------------------------------------------------------------------------- /compose/archives/homepage.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Homepage - Application Dashboard 3 | homepage: 4 | image: ghcr.io/gethomepage/homepage:latest 5 | container_name: homepage 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "all"] 10 | networks: 11 | - t2_proxy 12 | - socket_proxy 13 | # ports: 14 | # - "3000:3000" 15 | volumes: 16 | - $DOCKERDIR/appdata/homepage:/app/config 17 | environment: 18 | TZ: $TZ 19 | PUID: $PUID 20 | PGID: $PGID 21 | labels: 22 | - "traefik.enable=true" 23 | ## HTTP Routers 24 | - "traefik.http.routers.homepage-rtr.entrypoints=websecure" 25 | - "traefik.http.routers.homepage-rtr.rule=Host(`$DOMAINNAME_1`,`www.$DOMAINNAME_1`)" # Both domain.com and www.domain.com 26 | ## Middlewares 27 | - "traefik.http.routers.homepage-rtr.middlewares=chain-no-auth@file" 28 | ## HTTP Services 29 | - "traefik.http.routers.homepage-rtr.service=homepage-svc" 30 | - "traefik.http.services.homepage-svc.loadbalancer.server.port=3000" -------------------------------------------------------------------------------- /compose/archives/cloud9.yml: -------------------------------------------------------------------------------- 1 | # Cloud IDE - Editing 2 | cloud9: 3 | image: linuxserver/cloud9 4 | container_name: cloud9 5 | restart: unless-stopped 6 | 
networks: 7 | - t2_proxy 8 | security_opt: 9 | - no-new-privileges:true 10 | ports: 11 | - "$CLOUD9_PORT:8000" 12 | volumes: 13 | - $USERDIR/server/scripts:/code 14 | - /var/run/docker.sock:/var/run/docker.sock 15 | environment: 16 | PUID: $PUID 17 | PGID: $PGID 18 | TZ: $TZ 19 | # PASSWORD: $CLOUD9_PASSWORD 20 | # USERNAME: $CLOUD9_USERNAME 21 | labels: 22 | - "traefik.enable=true" 23 | ## HTTP Routers 24 | - "traefik.http.routers.cloud9-rtr.entrypoints=https" 25 | - "traefik.http.routers.cloud9-rtr.rule=Host(`cloud9.$DOMAINNAME`)" 26 | - "traefik.http.routers.cloud9-rtr.tls=true" 27 | ## Middlewares 28 | - "traefik.http.routers.cloud9-rtr.middlewares=chain-authelia@file" 29 | ## HTTP Services 30 | - "traefik.http.routers.cloud9-rtr.service=cloud9-svc" 31 | - "traefik.http.services.cloud9-svc.loadbalancer.server.port=8000" -------------------------------------------------------------------------------- /compose/archives/navidrome.yml: -------------------------------------------------------------------------------- 1 | # Navidrome - Music Server 2 | navidrome: 3 | <<: *common-keys-media # See EXTENSION FIELDS at the top 4 | container_name: navidrome 5 | image: deluan/navidrome:latest 6 | # ports: 7 | # - "$FUNKWHALE_PORT:4533" 8 | user: $PUID:$PGID 9 | volumes: 10 | - $DOCKERDIR/appdata/navidrome:/data 11 | - $DATADIR/media/music/English:/music/English:ro 12 | - $DATADIR/media/music/Kids:/music/Kids:ro 13 | environment: 14 | - TZ=$TZ 15 | - ND_SCANSCHEDULE=1h 16 | - ND_LOGLEVEL=info 17 | #- ND_BASEURL="" 18 | - ND_SESSIONTIMEOUT=24h 19 | labels: 20 | - "traefik.enable=true" 21 | ## HTTP Routers 22 | - "traefik.http.routers.navidrome-rtr.entrypoints=https" 23 | - "traefik.http.routers.navidrome-rtr.rule=Host(`proxnd.$DOMAINNAME0`)" 24 | ## Middlewares 25 | - "traefik.http.routers.navidrome-rtr.middlewares=chain-no-auth@file" 26 | ## HTTP Services 27 | - "traefik.http.routers.navidrome-rtr.service=navidrome-svc" 28 | - 
"traefik.http.services.navidrome-svc.loadbalancer.server.port=4533" -------------------------------------------------------------------------------- /compose/ws-arm/postgresql-vector.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # pgVector - PostgreSQL with Vector Store 3 | postgresql-vector: 4 | container_name: postgresql-vector 5 | image: pgvector/pgvector:pg17 # PostgreSQL with pgvector support 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["core", "all"] 10 | healthcheck: 11 | test: ["CMD-SHELL", "pg_isready -d postgres -U $${POSTGRES_USER}"] 12 | start_period: 20s 13 | interval: 30s 14 | retries: 5 15 | timeout: 5s 16 | networks: 17 | - default 18 | ports: 19 | - "$POSTGRESQLVECTOR_PORT:5432" 20 | volumes: 21 | - $DOCKERDIR/appdata/postgresql-vector/data:/var/lib/postgresql/data 22 | - $DOCKERDIR/appdata/postgresql-vector/schema.sql:/docker-entrypoint-initdb.d/schema.sql # only first time 23 | environment: 24 | - POSTGRES_DB=postgres # default database 25 | - POSTGRES_USER=$POSTGRES_USER # root user 26 | - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_default_password 27 | secrets: 28 | - postgres_default_password 29 | # DOCKER-LABELS-PLACEHOLDER -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 SmartHomeBeginner 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright 
notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /commits/2022/2022_06_15.txt: -------------------------------------------------------------------------------- 1 | * Several updates 2022_06_15. See full commit log. 2 | * There was lot of push back on the move to extension fields, which reduced readability. Simplified it a bit but not abandoning it at this point. 3 | * Moving smarthomebeginner.com to Proxmox VM on a unreliable dedicated server provider was a failure. So moved it back to digital ocean VPS so the website is not affected during my meddling with the homeserver. 4 | * Got a separate domain name for home server - previously shared domain name with my cloud proxmox server. This means CF-DDNS on Synology now does not use a subdomain any more. 5 | * Obsoleted Cloudflare Companion - resorted to just using a wildcard CNAME pointing to the root domain instead of creating CNAME DNS records on the fly. 6 | * Upgraded to the new Docker Compose V2, which is now built into Docker as a plugin. https://docs.docker.com/compose/#compose-v2-and-the-new-docker-compose-command. So from now on it is "docker compose" command instead of "docker-compose". Also there is no need to manually install and ugprade Docker Compose (except on Synology). 7 | * Minor changes with bash_aliases to reflect the changes in servers/hosts. 
--------------------------------------------------------------------------------
/compose/archives/jackett.yml:
--------------------------------------------------------------------------------
# Jackett - Torrent proxy
# Set url_base in Jackett settings if using PathPrefix
# Reachability: no host `ports:` mapping is active, so the web UI is only
# reachable through the Traefik router below (chain-oauth@file). Keep it that
# way - publishing 9117 on the host would sidestep the OAuth chain.
# NOTE(review): hardening options (no-new-privileges, restart policy, ...) are
# presumably inherited from the *common-keys-apps anchor defined at the top of
# the stack file; they are not visible in this fragment - confirm there.
jackett:
  <<: *common-keys-apps # See EXTENSION FIELDS at the top
  # :latest is a floating tag, so the image content can change on every pull.
  # Pin a version tag or digest for a reproducible, reviewable supply chain.
  image: lscr.io/linuxserver/jackett:latest
  container_name: jackett
  # network_mode: container:transmission-vpn
  networks:
    t2_proxy:
      ipv4_address: 192.168.90.161 # static address on the proxy network
  # ports:
  #   - "$JACKETT_PORT:9117"
  volumes:
    - $DOCKERDIR/appdata/jackett:/config
    # Read-write access to the whole downloads tree; scope it to what Jackett
    # actually needs.
    - $DATADIR/downloads:/data/downloads
    - "/etc/localtime:/etc/localtime:ro"
  environment:
    <<: *default-tz-puid-pgid
  labels:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.jackett-rtr.entrypoints=https"
    - "traefik.http.routers.jackett-rtr.rule=Host(`jackett.$DOMAINNAME0`)"
    ## Middlewares
    - "traefik.http.routers.jackett-rtr.middlewares=chain-oauth@file"
    ## HTTP Services
    - "traefik.http.routers.jackett-rtr.service=jackett-svc"
    - "traefik.http.services.jackett-svc.loadbalancer.server.port=9117"
--------------------------------------------------------------------------------
/compose/ds918/syncthing.yml:
--------------------------------------------------------------------------------
services:
  # SyncThing - Keep folders in Sync
  syncthing:
    # No tag given, so Docker pulls :latest - a moving target. Pin a version
    # tag or digest for reproducible deployments.
    image: lscr.io/linuxserver/syncthing
    container_name: syncthing
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    # profiles: ["core", "all"]
    networks:
      - traefik_proxy
    ports:
      # 8384 is the web UI. Publishing it on the host exposes the UI directly,
      # bypassing the chain-oauth@file middleware applied on the Traefik router
      # below. If host access is not required, drop this mapping (the router
      # reaches the container over traefik_proxy); otherwise bind it to a
      # trusted interface (e.g. "127.0.0.1:8384:8384") or restrict it with the
      # host firewall.
      - "8384:8384"
      # Sync transport and local discovery ports - not the web UI.
      - "22000:22000/tcp"
      - "22000:22000/udp"
      - "21027:21027/udp"
    volumes:
      # The entire NAS volume is mounted read-write. Prefer mounting only the
      # folders to be synced, so a compromised container cannot reach
      # everything on the volume.
      - /volume1:/data/volume1
      - $DOCKERDIR/appdata/syncthing:/config
    environment:
      TZ: $TZ
      PUID: $PUID
      PGID: $PGID
    labels:
      - "traefik.enable=true"
      # HTTP Routers
      - "traefik.http.routers.syncthing-rtr.entrypoints=https"
      - "traefik.http.routers.syncthing-rtr.rule=Host(`stnas.$DOMAINNAME_DS918`)"
      # Middlewares
      - "traefik.http.routers.syncthing-rtr.middlewares=chain-oauth@file"
      # HTTP Services
      - "traefik.http.routers.syncthing-rtr.service=syncthing-svc"
      - "traefik.http.services.syncthing-svc.loadbalancer.server.port=8384"
--------------------------------------------------------------------------------
/compose/archives/crowdsec-blocklist.yml:
--------------------------------------------------------------------------------
# CrowdSec Blocklist Mirror - For PiHole/AdGuard Use
# sudo docker exec crowdsec cscli bouncer add cloudflare-bouncer
# NOTE(review): the bouncer name in the command above (cloudflare-bouncer) does
# not match this service; it may have been copied from another stanza. Confirm
# which registered bouncer's key the mounted cfg.yaml uses, and register one
# bouncer per consumer so keys can be revoked individually.
crowdsec-blocklist:
  # No tag given, so Docker pulls :latest; pin a version tag or digest.
  image: crowdsecurity/blocklist-mirror
  container_name: crowdsec-blocklist
  security_opt:
    - no-new-privileges:true
  restart: unless-stopped
  profiles: ["apps", "all"]
  networks:
    - t2_proxy
  volumes:
    # Bouncer configuration; presumably holds the CrowdSec API key - keep it out
    # of version control and readable only by the Docker user (verify the
    # file's permissions).
    - $DOCKERDIR/appdata/crowdsec-blocklist/cfg.yaml:/etc/crowdsec/bouncers/crowdsec-blocklist-mirror.yaml
  labels:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.crowdsec-blocklist-rtr.entrypoints=https"
    - "traefik.http.routers.crowdsec-blocklist-rtr.rule=Host(`blocklist.$DOMAINNAME_SHB`)" # https://domain.com/security/blocklist
    ## Middlewares
    # The mirror sits behind the interactive chain-oauth@file chain. A
    # Pi-hole/AdGuard list fetcher presumably cannot complete an OAuth login, so
    # confirm how those consumers are expected to reach this host (an
    # allow-listed source, for instance) rather than removing the auth chain.
    - "traefik.http.routers.crowdsec-blocklist-rtr.middlewares=chain-oauth@file"
    ## HTTP Services
    - "traefik.http.routers.crowdsec-blocklist-rtr.service=crowdsec-blocklist-svc"
    - "traefik.http.services.crowdsec-blocklist-svc.loadbalancer.server.port=41412"
--------------------------------------------------------------------------------
/compose/archives/dashy.yml:
--------------------------------------------------------------------------------
# Dashy - Application Dashboard
dashy:
  <<: *common-keys-apps # See EXTENSION FIELDS at the top
  container_name: dashy
  # No tag given, so Docker pulls :latest; pin a version tag or digest.
  image: lissy93/dashy
  healthcheck:
    test: ['CMD', 'node', '/app/services/healthcheck']
    interval: 1m30s
    timeout: 10s
    retries: 3
    start_period: 40s
  ports:
    # Host-published port reaches Dashy directly, bypassing the chain-oauth@file
    # middleware on the Traefik router below. Drop the mapping if the dashboard
    # is only meant to be reached through Traefik, or bind it to a trusted
    # interface / restrict it with the host firewall.
    - 4000:80
  volumes:
    - $DOCKERDIR/appdata/dashy/conf.yml:/app/public/conf.yml
    # The whole appdata/dashy directory - which also contains the conf.yml
    # mounted above - is mounted under the public item-icons path. If
    # /app/public is served statically, conf.yml may be retrievable via the
    # item-icons URL; confirm, and consider a dedicated icons subdirectory so
    # only icon files are exposed.
    - $DOCKERDIR/appdata/dashy:/app/public/item-icons
  environment:
    - NODE_ENV=production
    - UID=$PUID
    - GID=$PGID
  labels:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.dashy-rtr.entrypoints=https"
    - "traefik.http.routers.dashy-rtr.rule=Host(`$DOMAINNAME_HOME_SYNOLOGY`,`www.$DOMAINNAME_HOME_SYNOLOGY`)"
    ## Middlewares
    - "traefik.http.routers.dashy-rtr.middlewares=chain-oauth@file"
    ## HTTP Services
    - "traefik.http.routers.dashy-rtr.service=dashy-svc"
    - "traefik.http.services.dashy-svc.loadbalancer.server.port=80"

--------------------------------------------------------------------------------
/compose/archives/readarr.yml:
--------------------------------------------------------------------------------
# Readarr - Books management
# Set url_base in readarr settings if using PathPrefix
readarr:
  # :nightly is a moving, pre-release tag; pin a digest (or a stable tag) so
  # what runs is what was reviewed.
  image: hotio/readarr:nightly
  container_name: readarr
  security_opt:
    - no-new-privileges:true
  # Quoted on purpose: an unquoted no would be parsed as a YAML boolean.
  restart: "no"
  profiles: ["media","arrs", "all"]
  networks:
    - t2_proxy
  ports:
    # Host-published port reaches Readarr directly, bypassing the
    # chain-oauth@file middleware on the Traefik router below (same concern as
    # the other host-published UIs in this stack). Drop the mapping or bind it
    # to a trusted interface.
    - "8787:8787"
  volumes:
    - $DOCKERDIR/appdata/readarr:/config
    # Entire data tree mounted read-write; narrow it to the library and
    # download folders Readarr needs.
    - $DATADIR:/data
    - "/etc/localtime:/etc/localtime:ro"
  environment:
    TZ: $TZ
    PUID: $PUID
    PGID: $PGID
    # 002 -> files the container creates are group-writable.
    UMASK: 002
    #ARGS: ""
  labels:
    - "traefik.enable=true"
    ## HTTP Routers Auth
    - "traefik.http.routers.readarr-rtr.entrypoints=https"
    - "traefik.http.routers.readarr-rtr.rule=Host(`readarr.$DOMAINNAME_CLOUD_SERVER`)"
    ## Middlewares
    - "traefik.http.routers.readarr-rtr.middlewares=chain-oauth@file"
    ## HTTP Services
    - "traefik.http.routers.readarr-rtr.service=readarr-svc"
    - "traefik.http.services.readarr-svc.loadbalancer.server.port=8787"
--------------------------------------------------------------------------------
/appdata/php/php8/pear.conf:
--------------------------------------------------------------------------------
#PEAR_Config 0.9
a:33:{s:9:"cache_dir";s:15:"/tmp/pear/cache";s:15:"default_channel";s:12:"pear.php.net";s:16:"preferred_mirror";s:12:"pear.php.net";s:13:"remote_config";s:0:"";s:13:"auto_discover";i:0;s:13:"master_server";s:12:"pear.php.net";s:10:"http_proxy";s:0:"";s:7:"php_dir";s:18:"/usr/local/lib/php";s:7:"ext_dir";s:55:"/usr/local/lib/php/extensions/no-debug-non-zts-20240924";s:7:"doc_dir";s:22:"/usr/local/lib/php/doc";s:7:"bin_dir";s:14:"/usr/local/bin";s:8:"data_dir";s:23:"/usr/local/lib/php/data";s:7:"cfg_dir";s:22:"/usr/local/lib/php/cfg";s:7:"www_dir";s:25:"/usr/local/lib/php/htdocs";s:7:"man_dir";s:28:"/usr/local/lib/php/local/man";s:8:"test_dir";s:23:"/usr/local/lib/php/test";s:8:"temp_dir";s:14:"/tmp/pear/temp";s:12:"download_dir";s:18:"/tmp/pear/download";s:7:"php_bin";s:18:"/usr/local/bin/php";s:10:"php_prefix";s:0:"";s:10:"php_suffix";s:0:"";s:7:"php_ini";s:0:"";s:12:"metadata_dir";s:0:"";s:8:"username";s:0:"";s:8:"password";s:0:"";s:7:"verbose";i:1;s:15:"preferred_state";s:6:"stable";s:5:"umask";i:18;s:9:"cache_ttl";i:3600;s:8:"sig_type";s:3:"gpg";s:7:"sig_bin";s:18:"/usr/local/bin/gpg";s:9:"sig_keyid";s:0:"";s:10:"sig_keydir";s:23:"/usr/local/etc/pearkeys";}
--------------------------------------------------------------------------------
