├── .env.example ├── .github └── FUNDING.yml ├── .gitignore ├── CHANGELOG.md ├── LICENSE ├── README.md ├── appdata ├── authelia │ ├── configuration.yml.example │ └── users.yml.example ├── nginx │ ├── common │ │ ├── nonwp-common-php7.conf.example │ │ ├── nonwp-locations-php7.conf.example │ │ ├── nonwp-nfc-php7.conf.example │ │ ├── wp-common-php7.conf.example │ │ ├── wp-locations-php7.conf.example │ │ └── wp-nfc-php7.conf.example │ ├── conf.d │ │ ├── fastcgi.conf.example │ │ ├── optimizations.conf.example │ │ └── upstream.conf.example │ ├── fastcgi.conf.example │ ├── mime.types.example │ ├── nginx.conf.example │ └── sites │ │ ├── dash.conf.example │ │ ├── khub.conf.example │ │ └── wordpress.conf.example ├── php │ └── php7 │ │ ├── conf.d │ │ ├── extensions.ini.example │ │ └── opcache.ini.example │ │ └── php.ini.example ├── picard │ └── filenaming_script.example ├── rclone │ ├── rclone-logrotate.conf.example │ └── rclone.conf.example ├── traefik2 │ └── rules │ │ ├── ds918 │ │ ├── app-ds918-dsm-oauth.yml.example │ │ ├── app-ds918-video-oauth.yml.example │ │ ├── chain-basic-auth.yml │ │ ├── chain-no-auth.yml │ │ ├── chain-oauth-external.yml │ │ ├── chain-oauth.yml │ │ ├── middlewares-basic-auth.yml │ │ ├── middlewares-buffering.yml │ │ ├── middlewares-compress.yml │ │ ├── middlewares-oauth-external.yml │ │ ├── middlewares-oauth.yml │ │ ├── middlewares-rate-limit.yml │ │ ├── middlewares-secure-headers.yml │ │ └── tls-opts.yml │ │ ├── hs │ │ ├── app-adguard-home-authelia.yml.example │ │ ├── app-adguard-home-oauth.yml.example │ │ ├── app-haos-no-auth.yml.example │ │ ├── app-pihole-oauth.yml.example │ │ ├── app-plex-no-auth.yml.example │ │ ├── app-proxmox-ve-oauth.yml.example │ │ ├── app-tautulli-with-auth-bypass.yml.example │ │ ├── app-unifi-controller-authelia.example │ │ ├── chain-authelia.yml │ │ ├── chain-basic-auth.yml │ │ ├── chain-no-auth-no-crowdsec.yml │ │ ├── chain-no-auth.yml │ │ ├── chain-oauth-external.yml │ │ ├── chain-oauth-no-crowdsec.yml │ │ ├── 
chain-oauth.yml │ │ ├── domain-passthrough.yml.example │ │ ├── middlewares-authelia.yml │ │ ├── middlewares-basic-auth.yml │ │ ├── middlewares-buffering.yml │ │ ├── middlewares-compress.yml │ │ ├── middlewares-oauth-external.yml │ │ ├── middlewares-oauth.yml │ │ ├── middlewares-rate-limit.yml │ │ ├── middlewares-secure-headers.yml │ │ ├── middlewares-traefik-bouncer.yml │ │ └── tls-opts.yml │ │ ├── toml │ │ ├── app-hassio.toml.example │ │ ├── app-pihole.toml.example │ │ ├── app-unifi.toml.example │ │ ├── middlewares-chains.toml.example │ │ ├── middlewares-nextcloud.toml.example │ │ └── middlewares.toml.example │ │ └── ws │ │ ├── chain-authelia-wp.yml │ │ ├── chain-authelia.yml │ │ ├── chain-basic-auth.yml │ │ ├── chain-no-auth-crowdsec-wp.yml │ │ ├── chain-no-auth-wp.yml │ │ ├── chain-no-auth.yml │ │ ├── chain-oauth-no-crowdsec.yml │ │ ├── chain-oauth.yml │ │ ├── middlewares-authelia.yml │ │ ├── middlewares-basic-auth.yml │ │ ├── middlewares-compress.yml │ │ ├── middlewares-oauth.yml │ │ ├── middlewares-rate-limit.yml │ │ ├── middlewares-secure-headers-wp.yml │ │ ├── middlewares-secure-headers.yml │ │ ├── middlewares-traefik-bouncer.yml │ │ └── tls-opts.yml └── traefik3 │ └── rules │ └── hs │ ├── app-adguard-home-authelia.yml.example │ ├── app-adguard-home-oauth.yml.example │ ├── app-haos-no-auth.yml.example │ ├── app-pihole-oauth.yml.example │ ├── app-plex-no-auth.yml.example │ ├── app-proxmox-ve-oauth.yml.example │ ├── app-tautulli-with-auth-bypass.yml.example │ ├── app-unifi-controller-authelia.example │ ├── chain-authelia.yml │ ├── chain-basic-auth.yml │ ├── chain-no-auth-no-crowdsec.yml │ ├── chain-no-auth-webos.yml │ ├── chain-no-auth.yml │ ├── chain-oauth-external.yml │ ├── chain-oauth-no-crowdsec.yml │ ├── chain-oauth.yml │ ├── domain-passthrough-template.yml.example │ ├── middlewares-authelia.yml │ ├── middlewares-basic-auth.yml │ ├── middlewares-buffering.yml │ ├── middlewares-oauth-external.yml │ ├── middlewares-oauth.yml │ ├── middlewares-rate-limit.yml 
│ ├── middlewares-secure-headers-webos.yml │ ├── middlewares-secure-headers.yml │ ├── middlewares-traefik-bouncer.yml │ └── tls-opts.yml ├── archives └── traefik_v1 │ ├── docker-compose-npm.yml │ ├── docker-compose-t1-obsolete.yml │ ├── docker-compose-t1-swarm.yml │ ├── docker-compose-t1-synology.yml │ ├── docker-compose-t1-vpn.yml │ ├── docker-compose-t1.yml │ ├── traefik1-swarm │ └── rules │ │ ├── backcam.toml │ │ ├── dsmfiles.toml │ │ ├── frontcam.toml │ │ ├── hassio.toml │ │ ├── hassio_nodered.toml │ │ ├── hassio_ssh_terminal.toml │ │ ├── hassio_vscode.toml │ │ ├── pihole.toml │ │ ├── plex.toml │ │ ├── plexwebtools.toml │ │ ├── portainer.toml │ │ ├── printer.toml │ │ ├── shellinabox.toml │ │ ├── synology.toml │ │ ├── transmission.toml │ │ ├── webmin.toml │ │ └── xiaofang1.toml │ └── traefik1 │ ├── rules.toml │ ├── rules │ ├── app.toml.example │ ├── dafang1.toml │ ├── hassio.toml │ ├── pihole.toml │ ├── plexwebtools.toml │ ├── shellinabox.toml │ ├── synology.toml │ ├── synplex.toml │ ├── unifi.toml │ ├── webmin.toml │ └── xiaofang1.toml │ ├── traefik.toml │ ├── traefik.toml.crab │ ├── traefik.toml.example │ ├── traefik.toml.singledomain │ └── traefik.toml.wcddns ├── compose ├── archives │ ├── adguardhome-sync.yml │ ├── ampache.yml │ ├── apcupsd.yml │ ├── autoindex.yml │ ├── autoscan.yml │ ├── cadvisor.yml │ ├── cf-companion.yml │ ├── cloud-commander.yml │ ├── cloud9.yml │ ├── cloudflare-ddns.yml │ ├── cloudplow.yml │ ├── crowdsec-blocklist.yml │ ├── crowdsec-metabase.yml │ ├── dashy.yml │ ├── digikam.yml │ ├── dupeguru.yml │ ├── emby.yml │ ├── filebrowser.yml │ ├── firefox.yml │ ├── flaresolverr.yml │ ├── funkwhale.yml │ ├── glances.yml │ ├── gonic.yml │ ├── ha-dockermon.yml │ ├── handbrake.yml │ ├── headscale.yml │ ├── heimdall.yml │ ├── homeassistant.yml │ ├── homepage.yml │ ├── jackett.yml │ ├── loki.yml │ ├── makemkv.yml │ ├── mergerfs.yml │ ├── metube.yml │ ├── miflora.yml │ ├── mkvtoolnix.yml │ ├── mosquitto.yml │ ├── motioneye.yml │ ├── musicbrainz.yml │ 
├── navidrome.yml │ ├── node-exporter.yml │ ├── nzbget.yml │ ├── nzbhydra.yml │ ├── ombi.yml │ ├── ouroboros.yml │ ├── photoprism.yml │ ├── photoshow.yml │ ├── plex-sync.yml │ ├── plex-trakt-sync.yml │ ├── postgres.yml │ ├── promtail.yml │ ├── pyrenamer.yml │ ├── readarr.yml │ ├── redis-commander.yml │ ├── smokeping.yml │ ├── smtp-to-telegram.yml │ ├── statping.yml │ ├── tdarr-node.yml │ ├── tiny-media-manager.yml │ ├── traefik-certs-dumper.yml │ ├── traefik-error-pages.yml │ ├── transmission-vpn.yml │ ├── unifi-controller.yml │ ├── unmanic.yml │ ├── varken.yml │ ├── watchtower.yml │ ├── xteve.yml │ └── youtubedl-material.yml ├── dns │ ├── adguardhome-sync.yml │ ├── adguardhome.yml │ ├── ddns-updater.yml │ ├── socket-proxy.yml │ ├── traefik.yml │ ├── unbound.yml │ └── wg-easy.yml ├── ds918 │ ├── adguardhome.yml │ ├── certdumper.yml │ ├── ddns-updater.yml │ ├── docker-gc.yml │ ├── glances.yml │ ├── mergerfs.yml │ ├── oauth.yml │ ├── plex-sync.yml │ ├── plex.yml │ ├── portainer.yml │ ├── qdirstat.yml │ ├── rclone-gcrypt.yml │ ├── rclone-gdrive.yml │ ├── socket-proxy.yml │ ├── syncthing.yml │ ├── tdarr.yml │ ├── traefik.yml │ ├── vscode.yml │ └── zerotier.yml ├── hs │ ├── authelia.yml │ ├── autoindex.yml │ ├── bazarr.yml │ ├── crowdsec.yml │ ├── deunhealth.yml │ ├── docker-gc.yml │ ├── dockge.yml │ ├── dozzle.yml │ ├── firefly.yml │ ├── firefox.yml │ ├── gluetun.yml │ ├── grafana.yml │ ├── guacamole.yml │ ├── homepage.yml │ ├── it-tools.yml │ ├── jdownloader.yml │ ├── kasm.yml │ ├── lidarr-exporter.yml │ ├── lidarr.yml │ ├── makemkv.yml │ ├── mkvtoolnix.yml │ ├── node-exporter.yml │ ├── notifiarr.yml │ ├── oauth.yml │ ├── phpmyadmin.yml │ ├── picard.yml │ ├── portainer.yml │ ├── prowlarr-exporter.yml │ ├── prowlarr.yml │ ├── qbittorrent.yml │ ├── radarr-exporter.yml │ ├── radarr.yml │ ├── sabnzbd-exporter.yml │ ├── sabnzbd.yml │ ├── scrutiny.yml │ ├── sitespeed.yml │ ├── socket-proxy.yml │ ├── sonarr-exporter.yml │ ├── sonarr.yml │ ├── traefik-bouncer.yml │ ├── 
traefik.yml │ ├── uptime-kuma.yml │ ├── vscode.yml │ └── whoami.yml ├── mds │ ├── airsonic-advanced.yml │ ├── influxdb.yml │ ├── jellyfin.yml │ ├── mariadb.yml │ ├── node-exporter.yml │ ├── plex-image-cleanup.yml │ ├── plex-meta-manager.yml │ ├── plex.yml │ ├── prometheus.yml │ └── tautulli.yml └── ws │ ├── autoindex.yml │ ├── certdumper.yml │ ├── cloudflare-bouncer.yml │ ├── crowdsec.yml │ ├── docker-gc.yml │ ├── glances.yml │ ├── mariadb.yml │ ├── nginx.yml │ ├── node-exporter.yml │ ├── oauth.yml │ ├── php7.yml │ ├── phpmyadmin.yml │ ├── portainer.yml │ ├── redis.yml │ ├── socket-proxy.yml │ ├── traefik-bouncer.yml │ ├── traefik.yml │ ├── vscode.yml │ ├── wg-easy.yml │ └── whoami.yml ├── custom ├── Dockerfile-csdash └── Dockerfile-php7 ├── docker-compose-dns.yml ├── docker-compose-ds918.yml ├── docker-compose-hs.yml ├── docker-compose-mds.yml ├── docker-compose-ws.yml ├── scripts ├── ds918 │ ├── change_perms_plex_hw.sh.example │ ├── increase_inotify_limits_syncthing.sh.example │ └── switch_ports.sh.example ├── hs │ ├── check-mounts.sh.example │ └── start-media-after-boot.sh.example └── systemd │ └── rclone-ds918.service.example ├── secrets_example ├── basic_auth_credentials ├── cf_dns_api_token └── traefik_forward_auth └── shared └── config ├── bash_aliases └── bash_aliases.env.example /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | github: # [htpcbeginner] 4 | patreon: smarthomebeginner 5 | open_collective: # Replace with a single Open Collective username 6 | ko_fi: smarthomebeginner # Replace with a single Ko-fi username 7 | tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel 8 | community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry 9 | liberapay: # Replace with a single Liberapay username 10 | issuehunt: # Replace with a single IssueHunt username 11 | otechie: # Replace with a 
single Otechie username 12 | lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry 13 | custom: ['https://www.buymeacoffee.com/smarthomebeginr', 'https://mee6.gg/m/shb-discord-membership'] # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2'] 14 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 SmartHomeBeginner 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
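22 | 
--------------------------------------------------------------------------------
/appdata/authelia/users.yml.example:
--------------------------------------------------------------------------------
###############################################################
#                        Users Database                       #
###############################################################

# This file can be used if you do not have an LDAP set up.
# It stores password hashes: keep the filled-in copy readable only by the
# Authelia user (chmod 600) and never commit it.

# CREATE NEW HASHED PASSWORD
# sudo docker run -it authelia/authelia:latest authelia crypto hash generate argon2 --password 'STRONG_PASSWORD'
# NOTE: --password leaves the clear-text password in your shell history and in
# the process list while the command runs. The guide below describes an
# interactive prompt; prefer that and drop --password when generating real hashes.
# https://www.authelia.com/reference/guides/passwords/

# List of users
users:
  user1:
    displayname: "John_Doe_1"
    password: "HASHED_PASSWORD"
    email: USER_EMAIL
    groups:
      - admins
  # user2:
  #   displayname: "John_Doe_2"
  #   password: "HASHED_PASSWORD"
  #   email: USER_EMAIL
  #   groups:
  #     - users
--------------------------------------------------------------------------------
/appdata/nginx/common/nonwp-common-php7.conf.example:
--------------------------------------------------------------------------------
# NON-WordPress COMMON SETTINGS
# Adapted from the EasyEngine WordPress template: a non-WordPress site never
# serves the wp-* paths, so they are denied outright instead of rate limited.
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Limit access to avoid brute force attack

# Disable WP Login
location = /wp-login.php {
    deny all;
    access_log off;
    log_not_found off;
}

# Disable wp-config.txt
location = /wp-config.txt {
    deny all;
    access_log off;
    log_not_found off;
}

# Disable xmlrpc
location = /xmlrpc.php {
    deny all;
    access_log off;
    log_not_found off;
}

# Disallow php in upload folder
# nginx searches the nested locations of the matched prefix before the
# server-level regex locations, so "location ~ \.php$" from the nfc include
# never sees files under this prefix. Add one block like this for every
# directory that untrusted users can write to.
#location /wp-content/uploads/ {
location /images/ {
    location ~ \.php$ {
        #Prevent Direct Access Of PHP Files From Web Browsers
        deny all;
    }
}

--------------------------------------------------------------------------------
/appdata/nginx/common/nonwp-locations-php7.conf.example:
--------------------------------------------------------------------------------
# NGINX CONFIGURATION FOR COMMON LOCATION
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Basic locations files

location = /favicon.ico {
    access_log off;
    log_not_found off;
    expires max;
}

location = /robots.txt {
    # Refer #340 issue
    try_files $uri $uri/ /index.php?$args;
    access_log off;
    log_not_found off;
}

# Cache static files
# "Access-Control-Allow-Origin: *" lets any origin read these assets. That is
# fine for public fonts/images/scripts; remove it if anything matched by this
# extension list is not meant to be world-readable.
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf)$ {
    add_header "Access-Control-Allow-Origin" "*";
    access_log off;
    log_not_found off;
    expires max;
}

# Security settings for better privacy
# Deny hidden files
# Regex locations are tried in file order, so the .well-known exception must
# stay ABOVE the catch-all dot-file deny (ACME challenges and security.txt
# live there).
location ~ /\.well-known {
    allow all;
}

location ~ /\. {
    deny all;
    access_log off;
    log_not_found off;
}

# Deny backup extensions & log files
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
    deny all;
    access_log off;
    log_not_found off;
}

# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
# ("if" + "return" is one of the few uses of "if" that is safe in nginx.)
if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
    return 403;
}

--------------------------------------------------------------------------------
/appdata/nginx/common/nonwp-nfc-php7.conf.example:
--------------------------------------------------------------------------------
# WPFC NGINX CONFIGURATION
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)

# Nginx FastCGI Cache switch.
# 1 = bypass the cache on every request (cache effectively OFF -- the value
#     in use here for the non-WordPress sites)
# 0 = serve cacheable responses from the WORDPRESS cache zone
set $skip_cache 1;
# To enable the cache use this instead:
#set $skip_cache 0;

# POST requests and URL with a query string should always go to php
if ($request_method = POST) {
    set $skip_cache 1;
}
if ($query_string != "") {
    set $skip_cache 1;
}

# Use cached or actual file if they exists, Otherwise pass request to WordPress
location / {
    try_files $uri $uri/ /index.php?$args;
}

location ~ \.php$ {
    # include common/hbgauthor.conf;
    # "try_files $uri =404" makes nginx confirm the .php file really exists
    # before handing the request to PHP-FPM, which closes the classic
    # "/uploads/image.jpg/x.php" PATH_INFO trick.
    try_files $uri =404;
    include fastcgi.conf;
    fastcgi_pass php7;
    fastcgi_cache_bypass $skip_cache;
    fastcgi_no_cache $skip_cache;
    fastcgi_cache WORDPRESS; #WORDPRESS cannot be changed here.
}

# Not available - Nginx Commercial Subscription Required
# location ~ /purge(/.*) {
#     fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1";
#     access_log off;
#}

--------------------------------------------------------------------------------
/appdata/nginx/common/wp-common-php7.conf.example:
--------------------------------------------------------------------------------
# WordPress COMMON SETTINGS
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Limit access to avoid brute force attack
# Requires "limit_req_zone ... zone=one:..." in the http{} context (nginx.conf,
# not part of this file). Behind Traefik the zone key is usually the proxy's
# own address unless the real_ip module is configured, so all visitors would
# share a single bucket -- verify before relying on this as brute-force
# protection.
location = /wp-login.php {
    #include common/acl.conf;
    limit_req zone=one burst=1 nodelay;
    include fastcgi.conf;
    fastcgi_pass php7;
}
# Disable wp-config.txt
location = /wp-config.txt {
    deny all;
    access_log off;
    log_not_found off;
}

# Disable xmlrpc
location = /xmlrpc.php {
    deny all;
    access_log off;
    log_not_found off;
}

# Disallow php in upload folder
# The nested regex location is matched before the server-level
# "location ~ \.php$", so uploaded .php files under this prefix are never
# passed to PHP-FPM.
location /wp-content/uploads/ {
    location ~ \.php$ {
        #Prevent Direct Access Of PHP Files From Web Browsers
        deny all;
    }
}

--------------------------------------------------------------------------------
/appdata/nginx/conf.d/fastcgi.conf.example:
--------------------------------------------------------------------------------
# FastCGI cache settings (http{} level, assuming conf.d is included there)
fastcgi_cache_path /var/run/nginx-cache levels=1:2 keys_zone=WORDPRESS:50m inactive=60m;
fastcgi_cache_key "$scheme$request_method$host$request_uri";
fastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503;
fastcgi_cache_valid 200 301 302 404 1h;
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
# $http_host is the client-supplied Host header. Also note that nginx only
# inherits fastcgi_param when the current level defines none, so any location
# that does "include fastcgi.conf" replaces this whole set -- that file sets
# SERVER_NAME to $server_name instead.
fastcgi_param SERVER_NAME $http_host;
# Ignoring Set-Cookie makes responses that set cookies cacheable. This is
# only safe while the site configs force $skip_cache for logged-in /
# cookie-bearing requests; otherwise one user's session cookie could be stored
# and replayed to others. Add "fastcgi_hide_header Set-Cookie;" if unsure.
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
fastcgi_keep_conn on;
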
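/appdata/nginx/conf.d/upstream.conf.example:
--------------------------------------------------------------------------------
# php7:9000 is PHP-FPM's unauthenticated FastCGI socket: keep it on an internal
# Docker network only and never publish it to the host or the internet.
upstream php7 {
    server php7:9000;
}

#upstream php5 {
#    server php5:9000;
#}
#upstream debug7 {
#server 127.0.0.1:9170;
#}

--------------------------------------------------------------------------------
/appdata/nginx/fastcgi.conf.example:
--------------------------------------------------------------------------------
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;

fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
# NOTE(review): the site configs listen on port 80 behind Traefik, which
# terminates TLS, so $https is empty here and PHP never sees HTTPS=on.
# WordPress's is_ssl() is then false (http:// canonical URLs, cookies without
# the Secure flag, redirect loops) unless wp-config.php honours
# X-Forwarded-Proto or nginx.conf maps $http_x_forwarded_proto into a variable
# passed here instead of $https.
fastcgi_param HTTPS $https if_not_empty;

fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

# Behind Traefik, $remote_addr is the proxy's address unless the real_ip module
# (set_real_ip_from / real_ip_header X-Forwarded-For) is configured; PHP-side
# rate limiting and login logs then attribute everything to the proxy.
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;

# To fix CGI application vulnerability - https://httpoxy.org
# (an attacker-controlled "Proxy:" request header would otherwise become the
# HTTP_PROXY environment variable seen by PHP's outbound HTTP clients)
fastcgi_param HTTP_PROXY "";

--------------------------------------------------------------------------------
/appdata/nginx/sites/dash.conf.example:
--------------------------------------------------------------------------------
server {
    listen 80;
    server_name dash.domain.com;

    root /var/www/html/dash;
    index index.php;

    # No access log means no audit trail for this host; rely on Traefik's
    # access log in front, or re-enable the line below.
    access_log off;
    #access_log /var/log/nginx/dash-access.log;
    error_log /var/log/nginx/dash-error.log;

    # Turn on directory listing
    # This exposes the NAME of every non-dot file under the document root,
    # including *.bak / *.sql files whose download the includes below deny.
    # Only keep it if nothing sensitive is stored under /var/www/html/dash and
    # the host sits behind an authenticating proxy.
    autoindex on;

    include common/nonwp-nfc-php7.conf;
    include common/nonwp-common-php7.conf;
    include common/nonwp-locations-php7.conf;
}
--------------------------------------------------------------------------------
/appdata/nginx/sites/khub.conf.example:
--------------------------------------------------------------------------------
server {
    listen 80;
    server_name domain2.com;
    # NOTE(review): TLS terminates at Traefik, so $scheme is always "http" here
    # and HTTPS visitors are bounced to an http:// URL for one hop. Hard-code
    # https:// (or map $http_x_forwarded_proto) once the site is HTTPS-only.
    return 301 $scheme://www.domain2.com$request_uri;
}

server {
    listen 80;
    server_name www.domain2.com;

    root /var/www/html/khub;
    index index.php;

    access_log off;
    #access_log /var/log/nginx/khub-access.log;
    error_log /var/log/nginx/khub-error.log;

    include common/nonwp-nfc-php7.conf;
    include common/nonwp-common-php7.conf;
    include common/nonwp-locations-php7.conf;
}
--------------------------------------------------------------------------------
/appdata/nginx/sites/wordpress.conf.example:
--------------------------------------------------------------------------------
server {
    listen 80;
    server_name domain.com;
    # NOTE(review): same caveat as khub.conf -- $scheme is "http" behind a
    # TLS-terminating proxy, so this redirect downgrades for one hop.
    return 301 $scheme://www.domain.com$request_uri;
}

server {
    listen 80;
    server_name www.domain.com;

    root /var/www/html/shb;
    index index.php;

    access_log off;
    #access_log /var/log/nginx/wordpress-access.log;
    error_log /var/log/nginx/wordpress-error.log;

    include common/wp-nfc-php7.conf;
    include common/wp-common-php7.conf;
    include common/wp-locations-php7.conf;
}
--------------------------------------------------------------------------------
/appdata/php/php7/conf.d/extensions.ini.example:
--------------------------------------------------------------------------------
extension=gd
extension=mysqli
extension=sodium
extension=pdo_mysql
extension=exif
extension=zip
extension=imagick
; mcrypt was deprecated in PHP 7.1 and dropped from core in 7.2 (PECL only,
; unmaintained). Keep it only for a plugin that still needs it; sodium above is
; the supported replacement.
extension=mcrypt
extension=pspell
extension=redis
extension=sockets
extension=ssh2

zend_extension=opcache
--------------------------------------------------------------------------------
/appdata/php/php7/conf.d/opcache.ini.example:
--------------------------------------------------------------------------------
opcache.enable=1

; 0 means it will check on every request
;Development = 0. Production = 1 or comment out (default 2)
opcache.revalidate_freq=0
; 0 is irrelevant if opcache.validate_timestamps=0 which is desirable in production
;Development = 1. Production = 0 (default 1)
opcache.validate_timestamps=1
;Development = 1. Production = 0 or comment out (default 0)
opcache.consistency_checks=1

opcache.max_accelerated_files=20000
opcache.memory_consumption=192
opcache.max_wasted_percentage=10
opcache.interned_strings_buffer=16
; No-op on PHP >= 7.2 (the setting was removed); harmless to leave in place.
opcache.fast_shutdown=1
--------------------------------------------------------------------------------
/appdata/rclone/rclone-logrotate.conf.example:
--------------------------------------------------------------------------------
/home/USER/docker/appdata/rclone/logs/*.log {
    daily
    rotate 7
    notifempty
    missingok
    compress
    delaycompress
    su USER USER
    # 0664 makes the logs group-writable; 0640 is enough for the owner to write
    # and the group to read (rclone logs include remote names and file paths).
    create 0664 USER USER
    # With "size", rotation is size-driven rather than daily; use "maxsize 20M"
    # if you want both the daily schedule and the size cap.
    size 20M
}
--------------------------------------------------------------------------------
/appdata/rclone/rclone.conf.example:
--------------------------------------------------------------------------------
# This file holds a live OAuth token plus the crypt passwords. Keep the real
# file chmod 600 and out of version control, and revoke/rotate the token if it
# ever leaks. "password" / "password2" are only rclone-obscured (reversible
# encoding), not encrypted -- and losing them makes the crypt remote
# unreadable, so back them up separately.
[shb-drive]
type = drive
scope = drive
token = {"access_token":"blah_blah_blah","expiry":"2021-02-12T22:37:02.490073796-05:00"}
root_folder_id = blah_blah_blah
client_id = blah_blah_blah
client_secret = blah_blah_blah

[shb-crypt]
type = crypt
remote = shb-drive:crypt
password = blah_blah_blah
password2 = blah_blah_blah
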
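--------------------------------------------------------------------------------
/appdata/traefik2/rules/ds918/app-ds918-dsm-oauth.yml.example:
--------------------------------------------------------------------------------
http:
  routers:
    synology-rtr:
      rule: "Host(`dsm.{{env "DOMAINNAME_DS918"}}`)"
      entryPoints:
        - https
      middlewares:
        - chain-oauth
      service: synology-svc
      tls:
        certResolver: dns-cloudflare
        options: tls-opts@file
  services:
    synology-svc:
      loadBalancer:
        servers:
          # Plain HTTP on the LAN hop: DSM logins and sessions are visible to
          # anyone on that segment. DSM also listens on HTTPS (5001 by default)
          # if you want the backend leg encrypted too.
          - url: "http://192.168.1.254:5000"

--------------------------------------------------------------------------------
/appdata/traefik2/rules/ds918/app-ds918-video-oauth.yml.example:
--------------------------------------------------------------------------------
http:
  routers:
    synology-video-rtr:
      rule: "Host(`video.{{env "DOMAINNAME_DS918"}}`)"
      entryPoints:
        - https
      middlewares:
        - chain-oauth
      service: synology-video-svc
      tls:
        certResolver: dns-cloudflare
        options: tls-opts@file
  services:
    synology-video-svc:
      loadBalancer:
        servers:
          - url: "http://192.168.1.254:5003"

--------------------------------------------------------------------------------
/appdata/traefik2/rules/ds918/chain-basic-auth.yml:
--------------------------------------------------------------------------------
# Order matters: rate limiting runs first so unauthenticated floods are throttled
# before they reach the credential check.
http:
  middlewares:
    chain-basic-auth:
      chain:
        middlewares:
          - middlewares-rate-limit
          - middlewares-secure-headers
          - middlewares-basic-auth
          - middlewares-compress
--------------------------------------------------------------------------------
/appdata/traefik2/rules/ds918/chain-no-auth.yml:
--------------------------------------------------------------------------------
# No authentication at the proxy: the upstream app MUST bring its own login.
# Rate limiting and security headers still apply.
http:
  middlewares:
    chain-no-auth:
      chain:
        middlewares:
          - middlewares-rate-limit
          - middlewares-secure-headers
          - middlewares-compress
--------------------------------------------------------------------------------
/appdata/traefik2/rules/ds918/chain-oauth-external.yml:
--------------------------------------------------------------------------------
# Same as chain-oauth but the forwardAuth call goes to the public oauth.<domain>
# hostname instead of the docker-internal service (see middlewares-oauth-external).
http:
  middlewares:
    chain-oauth-external:
      chain:
        middlewares:
          - middlewares-rate-limit
          - middlewares-secure-headers
          - middlewares-oauth-external
          - middlewares-compress

--------------------------------------------------------------------------------
/appdata/traefik2/rules/ds918/chain-oauth.yml:
--------------------------------------------------------------------------------
http:
  middlewares:
    chain-oauth:
      chain:
        middlewares:
          - middlewares-rate-limit
          - middlewares-secure-headers
          - middlewares-oauth
          - middlewares-compress
--------------------------------------------------------------------------------
/appdata/traefik2/rules/ds918/middlewares-basic-auth.yml:
--------------------------------------------------------------------------------
http:
  middlewares:
    middlewares-basic-auth:
      basicAuth:
        # Inline users are possible but end up in a world-readable rules file;
        # the Docker secret below keeps the htpasswd entries out of the config.
        # Generate entries with bcrypt (htpasswd -B), not MD5/APR1.
        # users:
        #   - "user:$apsdfswWvC/6.$E3FtsfTntPC0wVJ7IUVtX1"
        usersFile: "/run/secrets/basic_auth_credentials"
        realm: "Traefik 2 Basic Auth"
--------------------------------------------------------------------------------
/appdata/traefik2/rules/ds918/middlewares-buffering.yml:
--------------------------------------------------------------------------------
# Not referenced by any chain in this directory. If you add it, note that
# responses larger than maxResponseBodyBytes (~2 MB) are rejected with a 500,
# which breaks downloads/streams; the request cap (10 MiB) is the useful
# upload-size limit.
http:
  middlewares:
    middlewares-buffering:
      buffering:
        maxResponseBodyBytes: 2000000
        maxRequestBodyBytes: 10485760
        memRequestBodyBytes: 2097152
        memResponseBodyBytes: 2097152
        retryExpression: "IsNetworkError() && Attempts() <= 2"

--------------------------------------------------------------------------------
/appdata/traefik2/rules/ds918/middlewares-compress.yml:
--------------------------------------------------------------------------------
http:
  middlewares:
    middlewares-compress:
      compress: {}
--------------------------------------------------------------------------------
/appdata/traefik2/rules/ds918/middlewares-oauth-external.yml:
--------------------------------------------------------------------------------
http:
  middlewares:
    middlewares-oauth-external:
      forwardAuth:
        # Auth check travels out over public DNS/TLS to the oauth host; only
        # useful when Traefik and the OAuth service do not share a network.
        address: "https://oauth.{{env "DOMAINNAME_DS918"}}"
        trustForwardHeader: true
        authResponseHeaders:
          - "X-Forwarded-User"
--------------------------------------------------------------------------------
/appdata/traefik2/rules/ds918/middlewares-oauth.yml:
--------------------------------------------------------------------------------
http:
  middlewares:
    middlewares-oauth:
      forwardAuth:
        address: "http://oauth:4181" # Make sure you have the OAuth service in docker-compose.yml
        # trustForwardHeader passes the request's X-Forwarded-* headers to the
        # auth service, which uses them to build the redirect URL. That is only
        # safe because Traefik's entrypoint overwrites those headers from
        # untrusted clients; do NOT set forwardedHeaders.insecure on the
        # entrypoint, and limit forwardedHeaders.trustedIPs to your real proxy.
        trustForwardHeader: true
        authResponseHeaders:
          - "X-Forwarded-User"
--------------------------------------------------------------------------------
/appdata/traefik2/rules/ds918/middlewares-rate-limit.yml:
--------------------------------------------------------------------------------
http:
  middlewares:
    middlewares-rate-limit:
      rateLimit:
        # Per source IP (Traefik's default source criterion). If traffic arrives
        # through Cloudflare or another proxy, all clients share the proxy's IP
        # and one bucket -- set sourceCriterion.ipStrategy (depth/excludedIPs)
        # so the real client address is used.
        average: 100
        burst: 50
--------------------------------------------------------------------------------
/appdata/traefik2/rules/ds918/tls-opts.yml:
--------------------------------------------------------------------------------
tls:
  options:
    tls-opts:
      minVersion: VersionTLS12
      # Only the TLS 1.2 suites below are actually selectable: Go does not allow
      # configuring TLS 1.3 suites, so the TLS_AES_*/TLS_CHACHA20_* entries are
      # accepted but have no effect (TLS 1.3 always uses its fixed AEAD set).
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
        - TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507 (signalling value, not a real suite)
      curvePreferences:
        # X25519 added first: fastest and most widely supported key exchange;
        # the NIST curves stay as fallbacks for clients that lack it.
        - X25519
        - CurveP521
        - CurveP384
      # Reject connections whose SNI matches no configured certificate instead
      # of serving the default cert.
      sniStrict: true

--------------------------------------------------------------------------------
/appdata/traefik2/rules/hs/app-adguard-home-authelia.yml.example:
--------------------------------------------------------------------------------
http:
  routers:
    adguard-rtr:
      rule: "Host(`ag.{{env "DOMAINNAME_HS"}}`)"
      entryPoints:
        - websecure
      middlewares:
        - chain-authelia
      service: adguard-svc
      tls:
        certResolver: dns-cloudflare
        options: tls-opts@file
  services:
    adguard-svc:
      loadBalancer:
        servers:
          # If this "cloud server" is reached over the internet, the AdGuard
          # admin session travels in clear text on this hop: use https:// here
          # (AdGuard can serve TLS itself) or route it through a WireGuard
          # tunnel rather than the public network.
          - url: "http://ADGUARD-CLOUD-SERVER-IP:80"


--------------------------------------------------------------------------------
/appdata/traefik2/rules/hs/app-adguard-home-oauth.yml.example:
--------------------------------------------------------------------------------
http:
  routers:
    adguard-rtr:
      rule: "Host(`ag.{{env "DOMAINNAME_HS"}}`)"
      entryPoints:
        - websecure
      middlewares:
        - chain-oauth
      service: adguard-svc
      tls:
        certResolver: dns-cloudflare
        options: tls-opts@file
  services:
    adguard-svc:
      loadBalancer:
        servers:
          # Same caveat as the authelia variant: plain HTTP to a remote host
          # exposes the admin session; prefer https:// or a VPN hop.
          - url: "http://ADGUARD-CLOUD-SERVER-IP:80"


--------------------------------------------------------------------------------
/appdata/traefik2/rules/hs/app-haos-no-auth.yml.example:
--------------------------------------------------------------------------------
http:
  routers:
    haos-rtr:
      rule: "Host(`haos.{{env "DOMAINNAME_HS"}}`)"
      entryPoints:
        - websecure
      middlewares:
        # No proxy-level auth: Home Assistant's own login is the only gate.
        # Make sure HA's http: section sets use_x_forwarded_for and lists
        # Traefik in trusted_proxies, otherwise its login-attempt IP bans
        # would target the proxy instead of the attacker.
        - chain-no-auth
      service: haos-svc
      tls:
        certResolver: dns-cloudflare
        # Added for parity with the other routers in this directory so the
        # hardened TLS options (sniStrict, cipher list) apply here too.
        options: tls-opts@file
  services:
    haos-svc:
      loadBalancer:
        servers:
          - url: "http://192.168.1.123:8123" # or whatever your external host's IP:port is
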
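# ------------------------------------------------------------------------------
# /appdata/traefik2/rules/hs/app-pihole-oauth.yml.example
# ------------------------------------------------------------------------------
http:
  routers:
    pihole-rtr:
      rule: "Host(`pihole.{{env "DOMAINNAME_HS"}}`)"
      entryPoints:
        - websecure
      middlewares:
        - chain-oauth       # OAuth proxy in front of the Pi-hole admin UI
        - pihole-add-admin  # Pi-hole's UI is served under /admin
      service: pihole-svc
      tls:
        certResolver: dns-cloudflare
        # NOTE(review): no `options: tls-opts@file` here, unlike most routers
        # in this directory, so the entrypoint's default TLS options apply.
  middlewares:
    pihole-add-admin:
      addPrefix:
        prefix: "/admin"
  services:
    pihole-svc:
      loadBalancer:
        servers:
          - url: "http://192.168.1.26:80" # or whatever your external host's IP:port is
# ------------------------------------------------------------------------------
# /appdata/traefik2/rules/hs/app-plex-no-auth.yml.example
# ------------------------------------------------------------------------------
http:
  routers:
    splex-rtr:
      rule: "Host(`splex.{{env "DOMAINNAME_HS"}}`)"
      entryPoints:
        - websecure
      middlewares:
        # NOTE(review): the file is named "no-auth" but applies chain-oauth.
        # Plex apps cannot complete a browser OAuth flow, so one of the two is
        # wrong; left unchanged here — decide deliberately (Plex has its own
        # login, which is what the file name implies).
        - chain-oauth
      service: splex-svc
      tls:
        certResolver: dns-cloudflare
        options: tls-opts@file
  services:
    splex-svc:
      loadBalancer:
        servers:
          - url: "http://192.168.1.238:32400"
# ------------------------------------------------------------------------------
# /appdata/traefik2/rules/hs/app-proxmox-ve-oauth.yml.example
# ------------------------------------------------------------------------------
http:
  routers:
    proxmox-rtr:
      rule: "Host(`pve.{{env "DOMAINNAME_HS"}}`)"
      entryPoints:
        - websecure
      middlewares:
        - chain-oauth
      service: proxmox-svc
      tls:
        certResolver: dns-cloudflare
        options: tls-opts@file
  services:
    proxmox-svc:
      loadBalancer:
        passHostHeader: true      # forward the public Host header to PVE
        serversTransport: "pve"
        servers:
          - url: "https://192.168.1.100:8006/"
  serversTransports:
    pve:
      # Skips verification of PVE's (self-signed by default) certificate, so
      # the Traefik->PVE hop can be intercepted by anything on the path to
      # 192.168.1.100. Preferred: trust the PVE CA instead, e.g.
      # `rootCAs: ["/path/to/pve-root-ca.pem"]` (placeholder path), and
      # remove insecureSkipVerify.
      insecureSkipVerify: true
# ------------------------------------------------------------------------------
# /appdata/traefik2/rules/hs/app-tautulli-with-auth-bypass.yml.example
# ------------------------------------------------------------------------------
http:
  routers:
    # Default path: browser users go through the OAuth chain.
    tautulli-rtr:
      rule: "Host(`tautulli.{{env "DOMAINNAME_HS"}}`)"
      priority: 99
      entryPoints:
        - websecure
      middlewares:
        - chain-oauth
      service: tautulli-svc
    # Bypass: a request carrying Tautulli's own API key skips the OAuth chain
    # (API clients cannot complete an interactive login). Evaluated before
    # tautulli-rtr because of the higher priority; a request without the
    # exact key falls through to the OAuth-protected router.
    tautulli-rtr-bypass:
      # rule: "Host(`tautulli.{{env "DOMAINNAME_HS"}}`) && Headers(`traefik-auth-bypass-key`, `{{env "TRAEFIK_AUTH_BYPASS_KEY"}}`)" # Bypass Auth for LunaSea on iOS
      # Fixed: Traefik v2 matchers are `Headers(k, v)` and `Query(`k=v`)`, not
      # the v3 forms `Header(k, v)` / `Query(k, v)`; and the file provider
      # expands `{{env "X"}}`, not `$X`, so `$DOMAINNAME_HS` would be matched
      # literally. Assumes the default v2 rule syntax.
      rule: "Host(`tautulli.{{env "DOMAINNAME_HS"}}`) && (Headers(`X-Api-Key`, `{{env "TAUTULLI_API_KEY"}}`) || Query(`apikey={{env "TAUTULLI_API_KEY"}}`))"
      priority: 100
      entryPoints:
        - websecure
      middlewares:
        - chain-no-auth  # still rate-limited and gets the secure headers
      service: tautulli-svc
      # Caveat: the Query() form carries the key in the URL, so it ends up in
      # access logs and client histories; prefer the header form where the
      # client supports it. Neither router sets `tls:`, so both rely on the
      # entrypoint's default TLS configuration — confirm.
  services:
    tautulli-svc:
      loadBalancer:
        servers:
          - url: "http://192.168.1.111:8181"
# ------------------------------------------------------------------------------
# /appdata/traefik2/rules/hs/app-unifi-controller-authelia.example
# ------------------------------------------------------------------------------
http:
  routers:
    unifi-rtr:
      rule: "Host(`unifi.{{env "DOMAINNAME_HS"}}`)"
      entryPoints:
        - websecure
      middlewares:
        - chain-authelia
      service: unifi-svc
      tls:
        certResolver: dns-cloudflare
        options: tls-opts@file
  services:
    unifi-svc:
      loadBalancer:
        passHostHeader: true
        serversTransport: "unifi"
        servers:
          - url: "https://192.168.1.100:8443/"
  serversTransports:
    # Renamed from "pve": app-proxmox-ve-oauth.yml.example defines a transport
    # of that name too. When both files are loaded the provider appears to
    # keep only the first definition (with a warning), so the two rules were
    # silently sharing one object — confirm against the Traefik version used.
    unifi:
      # Same trade-off as the PVE transport: no certificate verification on
      # the Traefik->controller hop. Prefer `rootCAs` with the controller's
      # certificate and drop this flag.
      insecureSkipVerify: true
# ------------------------------------------------------------------------------
# /appdata/traefik2/rules/hs/chain-authelia.yml
# ------------------------------------------------------------------------------
http:
  middlewares:
    # Middleware chains run in list order: the CrowdSec bouncer (when enabled)
    # rejects banned sources before they consume rate-limit budget, then the
    # headers are set, then the auth middleware decides.
    chain-authelia:
      chain:
        middlewares:
          # - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec
          - middlewares-rate-limit
          - middlewares-secure-headers
          - middlewares-authelia
# ------------------------------------------------------------------------------
# /appdata/traefik2/rules/hs/chain-basic-auth.yml
# ------------------------------------------------------------------------------
http:
  middlewares:
    chain-basic-auth:
      chain:
        middlewares:
          # NOTE(review): the bouncer is active here and in chain-oauth-external
          # but commented out in chain-authelia and chain-no-auth. A chain that
          # references a middleware whose forwardAuth target is not running
          # fails every request it guards, so enable it consistently or not
          # at all.
          - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec
          - middlewares-rate-limit
          - middlewares-secure-headers
          - middlewares-basic-auth
          #- middlewares-compress
# ------------------------------------------------------------------------------
# /appdata/traefik2/rules/hs/chain-no-auth-no-crowdsec.yml
# ------------------------------------------------------------------------------
http:
  middlewares:
    # No authentication at all: the service behind it must bring its own.
    chain-no-auth-no-crowdsec:
      chain:
        middlewares:
          - middlewares-rate-limit
          - middlewares-secure-headers
          #- middlewares-compress
# ------------------------------------------------------------------------------
# /appdata/traefik2/rules/hs/chain-no-auth.yml
# ------------------------------------------------------------------------------
http:
  middlewares:
    # Identical to chain-no-auth-no-crowdsec while the bouncer line stays
    # commented out.
    chain-no-auth:
      chain:
        middlewares:
          #- middlewares-traefik-bouncer # leave this out if you are not using CrowdSec
          - middlewares-rate-limit
          - middlewares-secure-headers
          #- middlewares-compress

# ------------------------------------------------------------------------------
# /appdata/traefik2/rules/hs/chain-oauth-external.yml
# ------------------------------------------------------------------------------
http:
  middlewares:
    # OAuth proxy reached over its public host name (middlewares-oauth-external).
    chain-oauth-external:
      chain:
        middlewares:
          - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec
          - middlewares-rate-limit
          - middlewares-secure-headers
          - middlewares-oauth-external
          #- middlewares-compress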
/appdata/traefik2/rules/hs/chain-oauth-no-crowdsec.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-oauth-no-crowdsec: 4 | chain: 5 | middlewares: 6 | - middlewares-rate-limit 7 | - middlewares-secure-headers 8 | - middlewares-oauth 9 | #- middlewares-compress -------------------------------------------------------------------------------- /appdata/traefik2/rules/hs/chain-oauth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-oauth: 4 | chain: 5 | middlewares: 6 | #- middlewares-traefik-bouncer # leave this out if you are not using CrowdSec 7 | - middlewares-rate-limit 8 | - middlewares-secure-headers 9 | - middlewares-oauth 10 | - middlewares-compress -------------------------------------------------------------------------------- /appdata/traefik2/rules/hs/domain-passthrough.yml.example: -------------------------------------------------------------------------------- 1 | tcp: 2 | routers: 3 | synology-traefik-rtr: 4 | entryPoints: 5 | - websecure 6 | rule: "HostSNIRegexp(`{{env "DOMAINNAME_DS918"}}`, `{subdomain:[a-z]+}.{{env "DOMAINNAME_DS918"}}`)" 7 | service: synology-traefik-svc 8 | tls: 9 | passthrough: true 10 | services: 11 | synology-traefik-svc: 12 | loadBalancer: 13 | servers: 14 | - address: "192.168.1.254:443" -------------------------------------------------------------------------------- /appdata/traefik2/rules/hs/middlewares-authelia.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-authelia: 4 | forwardAuth: 5 | address: "http://authelia:9091/api/verify?rd=https://authelia.{{env "DOMAINNAME_HS"}}" 6 | trustForwardHeader: true 7 | authResponseHeaders: 8 | - "Remote-User" 9 | - "Remote-Groups" -------------------------------------------------------------------------------- /appdata/traefik2/rules/hs/middlewares-basic-auth.yml: 
# ------------------------------------------------------------------------------
http:
  middlewares:
    middlewares-basic-auth:
      basicAuth:
        # users:
        #   - "user:$apsdfswWvC/6.$E3FtsfTntPC0wVJ7IUVtX1"
        # Credentials are read from a mounted secret rather than from this
        # file, so no password hashes live in the rules directory.
        usersFile: "/run/secrets/basic_auth_credentials"
        realm: "Traefik 2 Basic Auth"
# ------------------------------------------------------------------------------
# /appdata/traefik2/rules/hs/middlewares-buffering.yml
# ------------------------------------------------------------------------------
http:
  middlewares:
    middlewares-buffering:
      buffering:
        # Size limits in bytes. Bodies above the max* values are rejected;
        # bodies above the mem* values are buffered on disk instead of memory.
        maxResponseBodyBytes: 2000000
        maxRequestBodyBytes: 10485760
        memRequestBodyBytes: 2097152
        memResponseBodyBytes: 2097152
        # Retry only on network errors while the attempt count is at most 2.
        # A retry replays the buffered request body, so non-idempotent
        # requests can reach the backend more than once.
        retryExpression: "IsNetworkError() && Attempts() <= 2"

# ------------------------------------------------------------------------------
# /appdata/traefik2/rules/hs/middlewares-compress.yml
# ------------------------------------------------------------------------------
http:
  middlewares:
    middlewares-compress:
      compress: {}

# ------------------------------------------------------------------------------
# /appdata/traefik2/rules/hs/middlewares-oauth-external.yml
# ------------------------------------------------------------------------------
http:
  middlewares:
    middlewares-oauth-external:
      forwardAuth:
        address: "https://oauth.{{env "DOMAINNAME_HS"}}" # Make sure you have the OAuth service in a remote server
        # Forwards the request's X-Forwarded-* headers to the OAuth service.
        # Only safe if the entrypoint accepts those headers from trusted
        # proxies alone (forwardedHeaders.trustedIPs) — confirm, the
        # entrypoint config is not in this file.
        trustForwardHeader: true
        authResponseHeaders:
          - "X-Forwarded-User"
# ------------------------------------------------------------------------------
# /appdata/traefik2/rules/hs/middlewares-oauth.yml
# ------------------------------------------------------------------------------
http:
  middlewares:
    middlewares-oauth:
      forwardAuth:
        # Plain HTTP to a container on the internal Docker network.
        address: "http://oauth:4181" # Make sure you have the OAuth service in docker-compose.yml
        # Same caveat as middlewares-oauth-external above.
        trustForwardHeader: true
        authResponseHeaders:
          - "X-Forwarded-User"
# ------------------------------------------------------------------------------
# /appdata/traefik2/rules/hs/middlewares-rate-limit.yml
# ------------------------------------------------------------------------------
http:
  middlewares:
    middlewares-rate-limit:
      # Token bucket keyed on the client IP by default: 100 req/s sustained,
      # bursts of up to 50 on top.
      rateLimit:
        average: 100
        burst: 50

# ------------------------------------------------------------------------------
# /appdata/traefik2/rules/hs/middlewares-secure-headers.yml
# ------------------------------------------------------------------------------
http:
  middlewares:
    middlewares-secure-headers:
      headers:
        # CORS settings; no allowed-origin list is configured here, so confirm
        # these two are doing what is intended.
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
        accessControlMaxAge: 100
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        # HSTS: two years, all subdomains, eligible for browser preload lists.
        # Preload is effectively irreversible for the whole domain.
        stsSeconds: 63072000
        stsIncludeSubdomains: true
        stsPreload: true
        # forceSTSHeader: true # This is a good thing but it can be tricky. Enable after everything works.
        customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
        contentTypeNosniff: true
        # Emits X-XSS-Protection. Current browsers ignore it and the usual
        # guidance is to leave it off; a Content-Security-Policy is the
        # effective replacement.
        browserXssFilter: true
        referrerPolicy: "same-origin"
        permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()"
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex," # disable search engines from indexing home server
          # An empty value removes the header from the response.
          server: "" # hide server info from visitors

# ------------------------------------------------------------------------------
# /appdata/traefik2/rules/hs/middlewares-traefik-bouncer.yml
# ------------------------------------------------------------------------------
http:
  middlewares:
    middlewares-traefik-bouncer:
      forwardAuth:
        # CrowdSec bouncer: each request is checked against CrowdSec decisions
        # before the rest of the chain runs.
        address: "http://traefik-bouncer:8080/api/v1/forwardAuth" # Make sure you have the traefik-bouncer service in docker-compose.yml
        # The bouncer presumably identifies the client from the forwarded
        # headers, which is only meaningful if the entrypoint accepts them
        # from trusted proxies alone — confirm the entrypoint settings.
        trustForwardHeader: true
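# ------------------------------------------------------------------------------
# /appdata/traefik2/rules/hs/tls-opts.yml
# ------------------------------------------------------------------------------
tls:
  options:
    tls-opts:
      minVersion: VersionTLS12
      # AEAD-only suites for TLS 1.2. The TLS 1.3 entries are listed for
      # documentation; Go does not allow TLS 1.3 suites to be configured.
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
        - TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
      # Only P-521/P-384 offered: X25519 and P-256 are excluded, and P-521 is
      # the slowest choice. Clients supporting neither cannot connect —
      # confirm this is intended.
      curvePreferences:
        - CurveP521
        - CurveP384
      # Reject connections whose SNI matches no configured certificate.
      sniStrict: true

# ------------------------------------------------------------------------------
# /appdata/traefik2/rules/toml/app-hassio.toml.example
# ------------------------------------------------------------------------------
[http.routers]
  [http.routers.hassio-rtr]
    # Older naming: the YAML rules in this repo use the "websecure" entrypoint.
    entryPoints = ["https"]
    rule = "HostHeader(`hassio.example.com`)"
    service = "hassio-svc"
    # Home Assistant brings its own login; the chain only adds rate limiting
    # and headers.
    middlewares = ["chain-no-auth"]
    [http.routers.hassio-rtr.tls]
      certresolver = "dns-cloudflare"

[http.services]
  [http.services.hassio-svc]
  [http.services.hassio-svc.loadBalancer]
    passHostHeader = true
    [[http.services.hassio-svc.loadBalancer.servers]]
      url = "http://HASSIO-IP:8123" # or whatever your external host's IP:port is

# ------------------------------------------------------------------------------
# /appdata/traefik2/rules/toml/app-pihole.toml.example
# ------------------------------------------------------------------------------
[http.routers]
  [http.routers.pihole-rtr]
    entryPoints = ["https"]
    rule = "HostHeader(`pihole.example.com`)"
    service = "pihole-svc"
    # Authelia in front of the admin UI, which Pi-hole serves under /admin.
    middlewares = ["chain-authelia", "pihole-add-admin"]
    [http.routers.pihole-rtr.tls]
      certresolver = "dns-cloudflare"

[http.middlewares]
  [http.middlewares.pihole-add-admin.addPrefix]
    prefix = "/admin"

[http.services]
  [http.services.pihole-svc]
  [http.services.pihole-svc.loadBalancer]
    passHostHeader = true
    [[http.services.pihole-svc.loadBalancer.servers]]
      url = "http://PIHOLE-IP:80" # or whatever your external host's IP:port is

# ------------------------------------------------------------------------------
# /appdata/traefik2/rules/toml/app-unifi.toml.example
# ------------------------------------------------------------------------------
[http.routers]
  [http.routers.unifi-rtr]
    entryPoints = ["https"]
    rule = "Host(`unifi.example.com`)" # will only work with cloudflare Full SSL (not Strict)
    service = "unifi-svc"
    middlewares = ["chain-authelia"]
    [http.routers.unifi-rtr.tls]
      certresolver = "dns-cloudflare"
[http.services]
  [http.services.unifi-svc]
  [http.services.unifi-svc.loadBalancer]
    passHostHeader = true
    [[http.services.unifi-svc.loadBalancer.servers]]
      # Fixed: the value had no key, which is not valid TOML and prevented
      # the whole file from loading.
      # Note: no serversTransport is set, so Traefik's default transport
      # verifies the controller's certificate; a self-signed one needs a
      # transport with `rootCAs` (preferred) or `insecureSkipVerify`, as the
      # YAML version of this rule does.
      url = "https://192.168.5.254:8443" # or whatever your external host's IP:port is

# ------------------------------------------------------------------------------
# /appdata/traefik2/rules/toml/middlewares-chains.toml.example
# ------------------------------------------------------------------------------
# Chains run in list order. middlewares-https-redirectscheme and the
# nextcloud-* middlewares are defined in sibling files, not shown here; a
# chain referencing an undefined middleware disables every router using it.
[http.middlewares]
  [http.middlewares.chain-no-auth]
  [http.middlewares.chain-no-auth.chain]
    middlewares = [ "middlewares-rate-limit", "middlewares-https-redirectscheme", "middlewares-secure-headers"]

  [http.middlewares.chain-basic-auth]
  [http.middlewares.chain-basic-auth.chain]
    middlewares = [ "middlewares-rate-limit", "middlewares-https-redirectscheme", "middlewares-secure-headers", "middlewares-basic-auth"]

  [http.middlewares.chain-oauth]
  [http.middlewares.chain-oauth.chain]
    middlewares = [ "middlewares-rate-limit", "middlewares-https-redirectscheme", "middlewares-secure-headers", "middlewares-oauth"]

  [http.middlewares.chain-authelia]
  [http.middlewares.chain-authelia.chain]
    middlewares = [ "middlewares-rate-limit", "middlewares-https-redirectscheme", "middlewares-secure-headers", "middlewares-authelia"]

  [http.middlewares.chain-nextcloud]
  [http.middlewares.chain-nextcloud.chain]
    middlewares = [ "middlewares-rate-limit", "middlewares-https-redirectscheme", "nextcloud-middlewares-secure-headers", "nextcloud-redirect"]

# ------------------------------------------------------------------------------
# /appdata/traefik2/rules/ws/chain-authelia-wp.yml
# ------------------------------------------------------------------------------
http:
  middlewares:
    # WordPress variant: uses the relaxed secure-headers-wp set so the WP
    # admin UI can frame its own pages.
    chain-authelia-wp:
      chain:
        middlewares:
          - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec
          - middlewares-rate-limit
          - middlewares-secure-headers-wp
          - middlewares-authelia

# ------------------------------------------------------------------------------
# /appdata/traefik2/rules/ws/chain-authelia.yml
# ------------------------------------------------------------------------------
http:
  middlewares:
    chain-authelia:
      chain:
        middlewares:
          - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec
          - middlewares-rate-limit
          - middlewares-secure-headers
          - middlewares-authelia
# ------------------------------------------------------------------------------
# /appdata/traefik2/rules/ws/chain-basic-auth.yml
# ------------------------------------------------------------------------------
http:
  middlewares:
    chain-basic-auth:
      chain:
        middlewares:
          - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec
          - middlewares-rate-limit
          - middlewares-secure-headers
          - middlewares-basic-auth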
-------------------------------------------------------------------------------- /appdata/traefik2/rules/ws/chain-no-auth-crowdsec-wp.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-no-auth-crowdsec-wp: 4 | chain: 5 | middlewares: 6 | - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec 7 | - middlewares-rate-limit 8 | - middlewares-secure-headers-wp -------------------------------------------------------------------------------- /appdata/traefik2/rules/ws/chain-no-auth-wp.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-no-auth-wp: 4 | chain: 5 | middlewares: 6 | # - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec 7 | - middlewares-rate-limit 8 | - middlewares-secure-headers-wp 9 | -------------------------------------------------------------------------------- /appdata/traefik2/rules/ws/chain-no-auth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-no-auth: 4 | chain: 5 | middlewares: 6 | # - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec 7 | - middlewares-rate-limit 8 | - middlewares-secure-headers -------------------------------------------------------------------------------- /appdata/traefik2/rules/ws/chain-oauth-no-crowdsec.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-oauth-no-crowdsec: 4 | chain: 5 | middlewares: 6 | - middlewares-rate-limit 7 | - middlewares-secure-headers-wp 8 | - middlewares-oauth -------------------------------------------------------------------------------- /appdata/traefik2/rules/ws/chain-oauth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | chain-oauth: 4 | chain: 5 | middlewares: 6 | - 
middlewares-traefik-bouncer # leave this out if you are not using CrowdSec 7 | - middlewares-rate-limit 8 | - middlewares-secure-headers 9 | - middlewares-oauth -------------------------------------------------------------------------------- /appdata/traefik2/rules/ws/middlewares-authelia.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-authelia: 4 | forwardAuth: 5 | address: "http://authelia:9091/api/verify?rd=https://authelia.{{env "DOMAINNAME_WS"}}" 6 | trustForwardHeader: true 7 | authResponseHeaders: 8 | - "Remote-User" 9 | - "Remote-Groups" -------------------------------------------------------------------------------- /appdata/traefik2/rules/ws/middlewares-basic-auth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-basic-auth: 4 | basicAuth: 5 | # users: 6 | # - "user:$apsdfswWvC/6.$E3FtsfTntPC0wVJ7IUVtX1" 7 | usersFile: "/run/secrets/basic_auth_credentials" 8 | realm: "Traefik 2 Basic Auth" -------------------------------------------------------------------------------- /appdata/traefik2/rules/ws/middlewares-compress.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-compress: 4 | compress: {} -------------------------------------------------------------------------------- /appdata/traefik2/rules/ws/middlewares-oauth.yml: -------------------------------------------------------------------------------- 1 | http: 2 | middlewares: 3 | middlewares-oauth: 4 | forwardAuth: 5 | address: "http://oauth:4181" # Make sure you have the OAuth service in docker-compose.yml 6 | trustForwardHeader: true 7 | authResponseHeaders: 8 | - "X-Forwarded-User" -------------------------------------------------------------------------------- /appdata/traefik2/rules/ws/middlewares-rate-limit.yml: 
# ------------------------------------------------------------------------------
http:
  middlewares:
    middlewares-rate-limit:
      # Token bucket keyed on the client IP by default: 100 req/s sustained,
      # bursts of up to 50 on top.
      rateLimit:
        average: 100
        burst: 50
# ------------------------------------------------------------------------------
# /appdata/traefik2/rules/ws/middlewares-secure-headers-wp.yml
# ------------------------------------------------------------------------------
http:
  middlewares:
    # Relaxed header set for WordPress (no CORS/permissions entries, framing
    # from the site's own domain allowed).
    middlewares-secure-headers-wp:
      headers:
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        # HSTS: one year (the non-WP set uses two), all subdomains, preload.
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
        #frameDeny: true # Popups like plugin details etc. won't open with this.
        # NOTE(review): X-Frame-Options ALLOW-FROM is obsolete — current
        # browsers ignore it, and an unrecognised value means no framing
        # restriction is applied at all (the value is also missing "//" after
        # "https:"). The supported way to allow framing from the site's own
        # origin is a `contentSecurityPolicy` with a `frame-ancestors`
        # directive, keeping `customFrameOptionsValue: SAMEORIGIN` for old
        # clients.
        customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME_WS"}}"
        contentTypeNosniff: true
        # Legacy X-XSS-Protection; ignored by current browsers.
        browserXssFilter: true
# ------------------------------------------------------------------------------
# /appdata/traefik2/rules/ws/middlewares-traefik-bouncer.yml
# ------------------------------------------------------------------------------
http:
  middlewares:
    middlewares-traefik-bouncer:
      forwardAuth:
        # CrowdSec bouncer: each request is checked against CrowdSec decisions
        # before the rest of the chain runs.
        address: "http://traefik-bouncer:8080/api/v1/forwardAuth" # Make sure you have the traefik-bouncer service in docker-compose.yml
        # Forwarded headers are only trustworthy if the entrypoint accepts
        # them from known proxies alone — confirm the entrypoint settings.
        trustForwardHeader: true
# ------------------------------------------------------------------------------
# /appdata/traefik2/rules/ws/tls-opts.yml
# ------------------------------------------------------------------------------
tls:
  options:
    tls-opts:
      minVersion: VersionTLS12
      # AEAD-only suites for TLS 1.2; the TLS 1.3 entries are documentation
      # only, Go does not allow TLS 1.3 suites to be configured.
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
        - TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
      # Only P-521/P-384 offered: X25519 and P-256 are excluded and P-521 is
      # the slowest choice — confirm this is intended.
      curvePreferences:
        - CurveP521
        - CurveP384
      # Reject connections whose SNI matches no configured certificate.
      sniStrict: true

# ------------------------------------------------------------------------------
# /appdata/traefik3/rules/hs/app-adguard-home-authelia.yml.example
# ------------------------------------------------------------------------------
http:
  routers:
    adguard-rtr:
      rule: "Host(`ag.{{env "DOMAINNAME_HS"}}`)"
      entryPoints:
        - websecure
      middlewares:
        - chain-authelia  # Authelia SSO in front of the AdGuard UI
      service: adguard-svc
      tls:
        certResolver: dns-cloudflare
        options: tls-opts@file
  services:
    adguard-svc:
      loadBalancer:
        servers:
          # Placeholder. If AdGuard is not on the local network, this
          # plain-HTTP hop carries the admin session unencrypted — use
          # https:// plus a serversTransport in that case.
          - url: "http://ADGUARD-CLOUD-SERVER-IP:80"

# ------------------------------------------------------------------------------
# /appdata/traefik3/rules/hs/app-adguard-home-oauth.yml.example
# ------------------------------------------------------------------------------
http:
  routers:
    adguard-rtr:
      rule: "Host(`ag.{{env "DOMAINNAME_HS"}}`)"
      entryPoints:
        - websecure
      middlewares:
        - chain-oauth  # OAuth proxy variant of the file above
      service: adguard-svc
      tls:
        certResolver: dns-cloudflare
        options: tls-opts@file
  services:
    adguard-svc:
      loadBalancer:
        servers:
          # Placeholder; same plain-HTTP caveat as the Authelia variant.
          - url: "http://ADGUARD-CLOUD-SERVER-IP:80"

# ------------------------------------------------------------------------------
# /appdata/traefik3/rules/hs/app-haos-no-auth.yml.example
# ------------------------------------------------------------------------------
http:
  routers:
    haos-rtr:
      rule: "Host(`haos.{{env "DOMAINNAME_HS"}}`)"
      entryPoints:
        - websecure
      middlewares:
        # Home Assistant brings its own login; the chain still applies rate
        # limiting and the secure headers.
        - chain-no-auth
      service: haos-svc
      tls:
        certResolver: dns-cloudflare
        # NOTE(review): no `options: tls-opts@file` here, unlike the adguard
        # routers above, so the entrypoint's default TLS options apply.
  services:
    haos-svc:
      loadBalancer:
        servers:
          - url: "http://192.168.1.123:8123" # or whatever your external host's IP:port is
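# ------------------------------------------------------------------------------
# /appdata/traefik3/rules/hs/app-pihole-oauth.yml.example
# ------------------------------------------------------------------------------
http:
  routers:
    pihole-rtr:
      rule: "Host(`pihole.{{env "DOMAINNAME_HS"}}`)"
      entryPoints:
        - websecure
      middlewares:
        - chain-oauth       # OAuth proxy in front of the Pi-hole admin UI
        - pihole-add-admin  # Pi-hole's UI is served under /admin
      service: pihole-svc
      tls:
        certResolver: dns-cloudflare
        # NOTE(review): no `options: tls-opts@file` here, unlike most routers
        # in this directory, so the entrypoint's default TLS options apply.
  middlewares:
    pihole-add-admin:
      addPrefix:
        prefix: "/admin"
  services:
    pihole-svc:
      loadBalancer:
        servers:
          - url: "http://192.168.1.26:80" # or whatever your external host's IP:port is
# ------------------------------------------------------------------------------
# /appdata/traefik3/rules/hs/app-plex-no-auth.yml.example
# ------------------------------------------------------------------------------
http:
  routers:
    splex-rtr:
      rule: "Host(`splex.{{env "DOMAINNAME_HS"}}`)"
      entryPoints:
        - websecure
      middlewares:
        # NOTE(review): the file is named "no-auth" but applies chain-oauth.
        # Plex apps cannot complete a browser OAuth flow, so one of the two is
        # wrong; left unchanged here — decide deliberately (Plex has its own
        # login, which is what the file name implies).
        - chain-oauth
      service: splex-svc
      tls:
        certResolver: dns-cloudflare
        options: tls-opts@file
  services:
    splex-svc:
      loadBalancer:
        servers:
          - url: "http://192.168.1.238:32400"
# ------------------------------------------------------------------------------
# /appdata/traefik3/rules/hs/app-proxmox-ve-oauth.yml.example
# ------------------------------------------------------------------------------
http:
  routers:
    proxmox-rtr:
      rule: "Host(`pve.{{env "DOMAINNAME_HS"}}`)"
      entryPoints:
        - websecure
      middlewares:
        - chain-oauth
      service: proxmox-svc
      tls:
        certResolver: dns-cloudflare
        options: tls-opts@file
  services:
    proxmox-svc:
      loadBalancer:
        passHostHeader: true      # forward the public Host header to PVE
        serversTransport: "pve"
        servers:
          - url: "https://192.168.1.100:8006/"
  serversTransports:
    pve:
      # Skips verification of PVE's (self-signed by default) certificate, so
      # the Traefik->PVE hop can be intercepted by anything on the path to
      # 192.168.1.100. Preferred: trust the PVE CA instead, e.g.
      # `rootCAs: ["/path/to/pve-root-ca.pem"]` (placeholder path), and
      # remove insecureSkipVerify.
      insecureSkipVerify: true
# ------------------------------------------------------------------------------
# /appdata/traefik3/rules/hs/app-tautulli-with-auth-bypass.yml.example
# ------------------------------------------------------------------------------
http:
  routers:
    # Default path: browser users go through the OAuth chain.
    tautulli-rtr:
      rule: "Host(`tautulli.{{env "DOMAINNAME_HS"}}`)"
      priority: 99
      entryPoints:
        - websecure
      middlewares:
        - chain-oauth
      service: tautulli-svc
    # Bypass: a request carrying Tautulli's own API key skips the OAuth chain
    # (API clients cannot complete an interactive login). Evaluated before
    # tautulli-rtr because of the higher priority; a request without the
    # exact key falls through to the OAuth-protected router.
    tautulli-rtr-bypass:
      # rule: "Host(`tautulli.{{env "DOMAINNAME_HS"}}`) && Header(`traefik-auth-bypass-key`, `{{env "TRAEFIK_AUTH_BYPASS_KEY"}}`)" # Bypass Auth for LunaSea on iOS
      # Fixed: Traefik v3 renamed the matcher to `Header(k, v)`; the v2 name
      # `Headers` is only accepted when the router sets `ruleSyntax: v2`. The
      # file provider expands `{{env "X"}}`, not `$X`, so `$DOMAINNAME_HS`
      # would be matched literally.
      rule: "Host(`tautulli.{{env "DOMAINNAME_HS"}}`) && (Header(`X-Api-Key`, `{{env "TAUTULLI_API_KEY"}}`) || Query(`apikey`, `{{env "TAUTULLI_API_KEY"}}`))"
      priority: 100
      entryPoints:
        - websecure
      middlewares:
        - chain-no-auth  # still rate-limited and gets the secure headers
      service: tautulli-svc
      # Caveat: the Query() form carries the key in the URL, so it ends up in
      # access logs and client histories; prefer the header form where the
      # client supports it. Neither router sets `tls:`, so both rely on the
      # entrypoint's default TLS configuration — confirm.
  services:
    tautulli-svc:
      loadBalancer:
        servers:
          - url: "http://192.168.1.111:8181"
# ------------------------------------------------------------------------------
# /appdata/traefik3/rules/hs/app-unifi-controller-authelia.example
# ------------------------------------------------------------------------------
http:
  routers:
    unifi-rtr:
      rule: "Host(`unifi.{{env "DOMAINNAME_HS"}}`)"
      entryPoints:
        - websecure
      middlewares:
        - chain-authelia
      service: unifi-svc
      tls:
        certResolver: dns-cloudflare
        options: tls-opts@file
  services:
    unifi-svc:
      loadBalancer:
        passHostHeader: true
        serversTransport: "unifi"
        servers:
          - url: "https://192.168.1.100:8443/"
  serversTransports:
    # Renamed from "pve": app-proxmox-ve-oauth.yml.example defines a transport
    # of that name too. When both files are loaded the provider appears to
    # keep only the first definition (with a warning), so the two rules were
    # silently sharing one object — confirm against the Traefik version used.
    unifi:
      # Same trade-off as the PVE transport: no certificate verification on
      # the Traefik->controller hop. Prefer `rootCAs` with the controller's
      # certificate and drop this flag.
      insecureSkipVerify: true
# ------------------------------------------------------------------------------
# /appdata/traefik3/rules/hs/chain-authelia.yml
# ------------------------------------------------------------------------------
http:
  middlewares:
    # Chains run in list order: bouncer (when enabled), rate limit, headers,
    # then the auth decision.
    chain-authelia:
      chain:
        middlewares:
          # - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec
          - middlewares-rate-limit
          - middlewares-secure-headers
          - middlewares-authelia
# ------------------------------------------------------------------------------
# /appdata/traefik3/rules/hs/chain-basic-auth.yml
# ------------------------------------------------------------------------------
http:
  middlewares:
    chain-basic-auth:
      chain:
        middlewares:
          # NOTE(review): the bouncer is active here but commented out in
          # chain-authelia and chain-no-auth. A chain referencing a middleware
          # whose forwardAuth target is not running fails every request it
          # guards, so enable it consistently or not at all.
          - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec
          - middlewares-rate-limit
          - middlewares-secure-headers
          - middlewares-basic-auth

# ------------------------------------------------------------------------------
# /appdata/traefik3/rules/hs/chain-no-auth-no-crowdsec.yml
# ------------------------------------------------------------------------------
http:
  middlewares:
    # No authentication: the service behind it must bring its own.
    chain-no-auth-no-crowdsec:
      chain:
        middlewares:
          - middlewares-rate-limit
          - middlewares-secure-headers
# ------------------------------------------------------------------------------
# /appdata/traefik3/rules/hs/chain-no-auth-webos.yml
# ------------------------------------------------------------------------------
http:
  middlewares:
    # Variant using middlewares-secure-headers-webos (defined in a sibling
    # file) instead of the default header set.
    chain-no-auth-webos:
      chain:
        middlewares:
          #- middlewares-traefik-bouncer # leave this out if you are not using CrowdSec
          - middlewares-rate-limit
          - middlewares-secure-headers-webos

# ------------------------------------------------------------------------------
# /appdata/traefik3/rules/hs/chain-no-auth.yml
# ------------------------------------------------------------------------------
http:
  middlewares:
    # Identical to chain-no-auth-no-crowdsec while the bouncer line stays
    # commented out.
    chain-no-auth:
      chain:
        middlewares:
          #- middlewares-traefik-bouncer # leave this out if you are not using CrowdSec
          - middlewares-rate-limit
          - middlewares-secure-headers

# ------------------------------------------------------------------------------
# /appdata/traefik3/rules/hs/chain-oauth-external.yml: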
# ------------------------------------------------------------------------------
http:
  middlewares:
    # OAuth proxy reached over its public host name (middlewares-oauth-external).
    chain-oauth-external:
      chain:
        middlewares:
          - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec
          - middlewares-rate-limit
          - middlewares-secure-headers
          - middlewares-oauth-external
# ------------------------------------------------------------------------------
# /appdata/traefik3/rules/hs/chain-oauth-no-crowdsec.yml
# ------------------------------------------------------------------------------
http:
  middlewares:
    chain-oauth-no-crowdsec:
      chain:
        middlewares:
          - middlewares-rate-limit
          - middlewares-secure-headers
          - middlewares-oauth
# ------------------------------------------------------------------------------
# /appdata/traefik3/rules/hs/chain-oauth.yml
# ------------------------------------------------------------------------------
http:
  middlewares:
    # Identical to chain-oauth-no-crowdsec while the bouncer line stays
    # commented out.
    chain-oauth:
      chain:
        middlewares:
          #- middlewares-traefik-bouncer # leave this out if you are not using CrowdSec
          - middlewares-rate-limit
          - middlewares-secure-headers
          - middlewares-oauth

# ------------------------------------------------------------------------------
# /appdata/traefik3/rules/hs/domain-passthrough-template.yml.example
# ------------------------------------------------------------------------------
# TCP passthrough: TLS is not terminated here, so none of the HTTP
# middlewares (auth, rate limit, headers) apply to this traffic — the
# Synology host at 192.168.1.254 is responsible for its own protection.
tcp:
  routers:
    synology-traefik-rtr:
      entryPoints:
        - websecure
      # rule: "HostSNIRegexp(`example.com`) || HostSNIRegexp(`{subdomain:[a-z]+}.example.com`)"
      # NOTE(review): `{subdomain:[a-z]+}` is the v2 named-group syntax; in
      # Traefik v3 HostSNIRegexp takes a plain Go regexp unless the router
      # sets `ruleSyntax: v2` — confirm which syntax this deployment uses.
      rule: "HostSNIRegexp(`{{env "DOMAINNAME_DS918"}}`) || HostSNIRegexp(`{subdomain:[a-z]+}.{{env "DOMAINNAME_DS918"}}`)"
      service: synology-traefik-svc
      tls:
        passthrough: true
  services:
    synology-traefik-svc:
      loadBalancer:
        servers:
          - address: "192.168.1.254:443"
/appdata/traefik3/rules/hs/middlewares-authelia.yml:
--------------------------------------------------------------------------------
http:
  middlewares:
    # Forward-auth middleware: every request is first sent to Authelia, which
    # either allows it or redirects the browser to the portal named in `rd`.
    middlewares-authelia:
      forwardAuth:
        # `rd` is the portal URL unauthenticated users are sent to; DOMAINNAME_HS is
        # expanded by the file provider's Go templating.
        # NOTE(review): /api/verify is Authelia's legacy verify endpoint; newer releases
        # document a dedicated forward-auth endpoint — check the Authelia version in use.
        address: "http://authelia:9091/api/verify?rd=https://authelia.{{env "DOMAINNAME_HS"}}"
        # Copies the request's X-Forwarded-* headers to the auth request so Authelia
        # sees the original host/URI. Those headers are only trustworthy if the
        # entrypoint restricts who may set them (entrypoint config is not in this
        # file — confirm).
        trustForwardHeader: true
        # Only these headers from Authelia's response are passed on to the backend.
        authResponseHeaders:
          - "Remote-User"
          - "Remote-Groups"
--------------------------------------------------------------------------------
/appdata/traefik3/rules/hs/middlewares-basic-auth.yml:
--------------------------------------------------------------------------------
http:
  middlewares:
    # HTTP Basic Auth. Credentials live in a Docker secret file rather than
    # inline in this committed rules file.
    middlewares-basic-auth:
      basicAuth:
        # Inline form kept for reference only (sample hash, not a live credential):
        # users:
        #   - "user:$apsdfswWvC/6.$E3FtsfTntPC0wVJ7IUVtX1"
        # htpasswd-format file mounted as a Docker secret; keep it out of git.
        usersFile: "/run/secrets/basic_auth_credentials"
        realm: "Traefik 3 Basic Auth"
--------------------------------------------------------------------------------
/appdata/traefik3/rules/hs/middlewares-buffering.yml:
--------------------------------------------------------------------------------
http:
  middlewares:
    # Request/response buffering with explicit size caps (bytes). The caps bound
    # how much a single client can make Traefik hold; bodies over the max are
    # refused rather than forwarded (per Traefik's buffering docs — confirm).
    middlewares-buffering:
      buffering:
        maxResponseBodyBytes: 2000000   # ~2 MB response cap
        maxRequestBodyBytes: 10485760   # 10 MiB request cap (uploads)
        memRequestBodyBytes: 2097152    # above 2 MiB Traefik buffers to disk instead of memory (per docs)
        memResponseBodyBytes: 2097152
        # Retry only on network errors and at most twice, so non-idempotent
        # requests are not blindly replayed on application-level failures.
        retryExpression: "IsNetworkError() && Attempts() <= 2"

--------------------------------------------------------------------------------
/appdata/traefik3/rules/hs/middlewares-oauth-external.yml:
--------------------------------------------------------------------------------
http:
  middlewares:
    # Forward auth to an OAuth proxy on ANOTHER host, reached over HTTPS via its
    # public name (DOMAINNAME_HS expanded by Go templating). Because the hop
    # leaves the docker network, TLS here is what protects the auth exchange.
    middlewares-oauth-external:
      forwardAuth:
        address: "https://oauth.{{env "DOMAINNAME_HS"}}" # Make sure you have the OAuth service in a remote server
        # Relays the client's X-Forwarded-* headers to the auth request; they are
        # only as trustworthy as the entrypoint's forwarded-headers policy (not
        # configured in this file — confirm).
        trustForwardHeader: true
        # Only this header from the auth response reaches the backend.
        authResponseHeaders:
          - "X-Forwarded-User"
--------------------------------------------------------------------------------
/appdata/traefik3/rules/hs/middlewares-oauth.yml:
--------------------------------------------------------------------------------
http:
  middlewares:
    # Forward auth to the OAuth proxy running in the same compose stack
    # (plain HTTP, reachable only on the internal docker network).
    middlewares-oauth:
      forwardAuth:
        address: "http://oauth:4181" # Make sure you have the OAuth service in docker-compose.yml
        # Relays the client's X-Forwarded-* headers to the auth request; they are
        # only as trustworthy as the entrypoint's forwarded-headers policy (not
        # configured in this file — confirm).
        trustForwardHeader: true
        # Only this header from the auth response reaches the backend.
        authResponseHeaders:
          - "X-Forwarded-User"
--------------------------------------------------------------------------------
/appdata/traefik3/rules/hs/middlewares-rate-limit.yml:
--------------------------------------------------------------------------------
http:
  middlewares:
    # Token-bucket rate limit: 100 requests per period on average with bursts of
    # up to 50 (per Traefik docs the period defaults to 1s and the source to the
    # request IP). Behind another proxy every client may share one IP unless
    # forwarded headers are trusted, which makes the limit collective — confirm.
    middlewares-rate-limit:
      rateLimit:
        average: 100
        burst: 50

--------------------------------------------------------------------------------
/appdata/traefik3/rules/hs/middlewares-secure-headers-webos.yml:
--------------------------------------------------------------------------------
http:
  middlewares:
    # Variant of middlewares-secure-headers WITHOUT X-Frame-Options, for clients
    # (Jellyfin on WebOS) that break when framing is restricted.
    middlewares-secure-headers-webos:
      headers:
        # CORS: no accessControlAllowOriginList is set, so no origin is allowed and
        # these method/max-age values should have no cross-origin effect until one
        # is added — confirm against the Traefik headers docs.
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
        accessControlMaxAge: 100
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        # HSTS for 2 years, covering subdomains, eligible for browser preload lists.
        # Preload is effectively permanent once submitted — only keep it if every
        # subdomain serves HTTPS.
        stsSeconds: 63072000
        stsIncludeSubdomains: true
        stsPreload: true
        # forceSTSHeader: true # This is a good thing but it can be tricky. Enable after everything works.
        # X-Frame-Options interferes with Jellyfin on WebOS
        # customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
        # With no X-Frame-Options the apps behind this chain are frameable
        # (clickjacking); a per-app CSP frame-ancestors directive is the
        # alternative if framing must be limited.
        contentTypeNosniff: true
        # Emits X-XSS-Protection. Current guidance (OWASP, browser vendors) is to
        # leave this header off or set it to 0: modern browsers dropped the
        # auditor and the legacy filter has been abused for information leaks.
        browserXssFilter: true
        referrerPolicy: "same-origin"
        permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()"
        # No contentSecurityPolicy here; CSP is app-specific, so set it per router.
        customResponseHeaders:
          # Trailing comma leaves an empty directive; harmless, but can be dropped.
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex," # disable search engines from indexing home server
          server: "" # hide server info from visitors

--------------------------------------------------------------------------------
/appdata/traefik3/rules/hs/middlewares-secure-headers.yml:
--------------------------------------------------------------------------------
http:
  middlewares:
    # Shared response-hardening headers applied by every chain-* middleware.
    middlewares-secure-headers:
      headers:
        # CORS: no accessControlAllowOriginList is set, so no origin is allowed and
        # these method/max-age values should have no cross-origin effect until one
        # is added — confirm against the Traefik headers docs.
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
        accessControlMaxAge: 100
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        # HSTS for 2 years, covering subdomains, eligible for browser preload lists.
        # Preload is effectively permanent once submitted — only keep it if every
        # subdomain serves HTTPS.
        stsSeconds: 63072000
        stsIncludeSubdomains: true
        stsPreload: true
        # forceSTSHeader: true # This is a good thing but it can be tricky. Enable after everything works.
        # Clickjacking protection: pages may only be framed by the same origin.
        customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
        contentTypeNosniff: true
        # Emits X-XSS-Protection. Current guidance (OWASP, browser vendors) is to
        # leave this header off or set it to 0: modern browsers dropped the
        # auditor and the legacy filter has been abused for information leaks.
        browserXssFilter: true
        referrerPolicy: "same-origin"
        permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()"
        # No contentSecurityPolicy here; CSP is app-specific, so set it per router.
        customResponseHeaders:
          # Trailing comma leaves an empty directive; harmless, but can be dropped.
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex," # disable search engines from indexing home server
          server: "" # hide server info from visitors

--------------------------------------------------------------------------------
/appdata/traefik3/rules/hs/middlewares-traefik-bouncer.yml:
--------------------------------------------------------------------------------
http:
  middlewares:
    # CrowdSec bouncer as forward auth: each request is checked against CrowdSec
    # decisions before it reaches the app. The chain-* files list it first, so
    # blocked sources are dropped before rate limiting and auth run.
    middlewares-traefik-bouncer:
      forwardAuth:
        address: "http://traefik-bouncer:8080/api/v1/forwardAuth" # Make sure you have the traefik-bouncer service in docker-compose.yml
        # The bouncer judges the client IP it is told about; if X-Forwarded-For
        # can be set by the client at the entrypoint, a decision could be evaded —
        # confirm the entrypoint's forwarded-headers policy.
        trustForwardHeader: true
--------------------------------------------------------------------------------
/appdata/traefik3/rules/hs/tls-opts.yml:
--------------------------------------------------------------------------------
tls:
  options:
    tls-opts:
      # TLS 1.0 and 1.1 are refused.
      minVersion: VersionTLS12
      # TLS 1.2 suites restricted to forward-secret AEAD (ECDHE + GCM/ChaCha20).
      # The three TLS_* 1.3 entries are effectively documentation: Go does not
      # let TLS 1.3 suites be configured and always enables all of them.
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
        # TLS_FALLBACK_SCSV is a signalling value (RFC 7507), not a cipher suite.
        # NOTE(review): check Traefik's startup log accepts it in this list.
        - TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
      # Only NIST P-521/P-384 are offered; X25519 (the usual modern default) and
      # P-256 are excluded, so clients lacking P-384/P-521 cannot connect and
      # handshakes are slower than with X25519 — revisit if that is not intended.
      curvePreferences:
        - CurveP521
        - CurveP384
      # Per Traefik docs: reject connections whose SNI matches no configured
      # certificate instead of serving the default certificate.
      sniStrict: true

--------------------------------------------------------------------------------
/archives/traefik_v1/traefik1-swarm/rules/backcam.toml:
--------------------------------------------------------------------------------
# Archived Traefik v1 rule. Backend is a camera at a private-range address over
# plain HTTP; the frontend adds Basic Auth. "HASHED_PASSWORD" is a placeholder:
# use an htpasswd-style hash here, never a plaintext password.
[backends]
[backends.backend-backcam.servers]
[backends.backend-backcam.servers.server-backcam-ext]
url = "http://192.168.1.93"
weight = 0

[frontends]
[frontends.frontend-backcam]
backend = "backend-backcam"
passHostHeader = true
basicAuth = [
  "user:HASHED_PASSWORD",
]
[frontends.frontend-backcam.routes]
[frontends.frontend-backcam.routes.route-backcam-ext]
rule = "Host:backcam.example.com"

--------------------------------------------------------------------------------
/archives/traefik_v1/traefik1-swarm/rules/dsmfiles.toml:
--------------------------------------------------------------------------------
# Archived Traefik v1 rule. Backend is a file service at a private-range
# address over plain HTTP; the frontend adds Basic Auth (placeholder hash).
[backends]
[backends.backend-dsmfiles]
[backends.backend-dsmfiles.servers]
[backends.backend-dsmfiles.servers.server-dsmfiles-ext]
url = "http://192.168.1.254:7000"
weight = 0

[frontends]
[frontends.frontend-dsmfiles]
backend = "backend-dsmfiles"
passHostHeader = true
basicAuth = [
  "user:HASHED_PASSWORD",
]
[frontends.frontend-dsmfiles.routes]
[frontends.frontend-dsmfiles.routes.route-dsmfiles-ext]
rule = "Host:dsmfiles.example.com"
--------------------------------------------------------------------------------
/archives/traefik_v1/traefik1-swarm/rules/frontcam.toml:
--------------------------------------------------------------------------------
# Archived Traefik v1 rule. Backend is a camera at a private-range address over
# plain HTTP; the frontend definition continues below.
[backends]
[backends.backend-frontcam.servers]
[backends.backend-frontcam.servers.server-frontcam-ext]
url = "http://192.168.1.92"
weight = 0

[frontends]
[frontends.frontend-frontcam]
backend = "backend-frontcam"
passHostHeader = true
# "HASHED_PASSWORD" is a placeholder: use an htpasswd-style hash, never plaintext.
basicAuth = [
  "user:HASHED_PASSWORD",
]
[frontends.frontend-frontcam.routes]
[frontends.frontend-frontcam.routes.route-frontcam-ext]
rule = "Host:frontcam.example.com"

--------------------------------------------------------------------------------
/archives/traefik_v1/traefik1-swarm/rules/hassio.toml:
--------------------------------------------------------------------------------
# Archived Traefik v1 rule for Home Assistant. No proxy-side auth is applied
# (the Basic Auth block is commented out), so the app's own login is the only
# gate once it is published.
[backends]
[backends.backend-hassio]
[backends.backend-hassio.servers]
[backends.backend-hassio.servers.server-hassio-ext]
# NOTE(review): there is no ':' between host and port in this URL, so it is not
# a valid address as written — confirm the intended host:port before reuse.
url = "http://192.168.1.908888"
weight = 0

[frontends]
[frontends.frontend-hassio]
backend = "backend-hassio"
passHostHeader = true
# basicAuth = [
# "user:HASHED_PASSWORD",
# ]
[frontends.frontend-hassio.routes]
[frontends.frontend-hassio.routes.route-hassio-ext]
rule = "Host:hassio.example.com"

--------------------------------------------------------------------------------
/archives/traefik_v1/traefik1-swarm/rules/hassio_nodered.toml:
--------------------------------------------------------------------------------
# Archived Traefik v1 rule for Node-RED. No Basic Auth is configured here (and
# none is commented out), so the editor is published with no proxy-side
# authentication; Node-RED's own adminAuth must then be enabled.
# NOTE(review): confirm that before reusing this rule.
[backends]
[backends.backend-node.servers]
[backends.backend-node.servers.server-node-ext]
url = "http://192.168.1.90:1880"
weight = 0

[frontends]
[frontends.frontend-node]
backend = "backend-node"
passHostHeader = true

[frontends.frontend-node.routes]
[frontends.frontend-node.routes.route-node-ext]
rule = "Host:node.example.com"

--------------------------------------------------------------------------------
/archives/traefik_v1/traefik1-swarm/rules/hassio_ssh_terminal.toml:
--------------------------------------------------------------------------------
# Archived Traefik v1 rule for a browser-based terminal; the frontend section
# follows the backend definition.
[backends]
[backends.backend-hassterm]
[backends.backend-hassterm.servers]
[backends.backend-hassterm.servers.server-hassterm-ext]
url = "http://192.168.1.90:7681"
weight = 0

8 | [frontends] 9 | [frontends.frontend-hassterm] 10 | backend = "backend-hassterm" 11 | passHostHeader = true 12 | # basicAuth = [ 13 | # "user:HASHED_PASSWORD", 14 | # ] 15 | [frontends.frontend-hassterm.routes] 16 | [frontends.frontend-hassterm.routes.route-hassterm-ext] 17 | rule = "Host:hassterm.example.com" 18 | -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-swarm/rules/hassio_vscode.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-vscode] 3 | [backends.backend-vscode.servers] 4 | [backends.backend-vscode.servers.server-vscode-ext] 5 | url = "http://192.168.1.90:1337" 6 | weight = 0 7 | 8 | [frontends] 9 | [frontends.frontend-vscode] 10 | backend = "backend-vscode" 11 | passHostHeader = true 12 | # basicAuth = [ 13 | # "user:HASHED_PASSWORD", 14 | # ] 15 | [frontends.frontend-vscode.routes] 16 | [frontends.frontend-vscode.routes.route-vscode-ext] 17 | rule = "Host:vscode.example.com" 18 | -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-swarm/rules/pihole.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-pihole] 3 | [backends.backend-pihole.servers] 4 | [backends.backend-pihole.servers.server-pihole-ext] 5 | url = "http://192.168.1.26" 6 | weight = 0 7 | 8 | [frontends] 9 | [frontends.frontend-pihole] 10 | backend = "backend-pihole" 11 | passHostHeader = true 12 | # basicAuth = [ 13 | # "user:HASHED_PASSWORD", 14 | # ] 15 | [frontends.frontend-pihole.routes] 16 | [frontends.frontend-pihole.routes.route-pihole-ext] 17 | rule = "Host:pi.example.com" -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-swarm/rules/plex.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | 
[backends.backend-plex] 3 | [backends.backend-plex.servers] 4 | [backends.backend-plex.servers.server-plex-ext] 5 | url = "http://192.168.1.254:32400" 6 | weight = 0 7 | 8 | [frontends] 9 | [frontends.frontend-plex] 10 | backend = "backend-plex" 11 | passHostHeader = true 12 | [frontends.frontend-plex.routes] 13 | [frontends.frontend-plex.routes.route-plex-ext] 14 | rule = "Host:plex.example.com" 15 | -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-swarm/rules/plexwebtools.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-plexwebtools] 3 | [backends.backend-plexwebtools.servers] 4 | [backends.backend-plexwebtools.servers.server-plexwebtools-ext] 5 | url = "http://192.168.1.254:33400/" 6 | weight = 0 7 | 8 | [frontends] 9 | [frontends.frontend-plexwebtools] 10 | backend = "backend-plexwebtools" 11 | passHostHeader = true 12 | # basicAuth = [ 13 | # "user:HASHED_PASSWORD", 14 | # ] 15 | [frontends.frontend-plexwebtools.routes] 16 | [frontends.frontend-plexwebtools.routes.route-plexwebtools-ext] 17 | rule = "Host:pwt.example.com" -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-swarm/rules/portainer.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-portainer] 3 | [backends.backend-portainer.servers] 4 | [backends.backend-portainer.servers.server-portainer-ext] 5 | url = "http://192.168.1.90:8146" 6 | weight = 0 7 | 8 | [frontends] 9 | [frontends.frontend-portainer] 10 | backend = "backend-portainer" 11 | passHostHeader = true 12 | # basicAuth = [ 13 | # "user:HASHED_PASSWORD", 14 | # ] 15 | [frontends.frontend-portainer.routes] 16 | [frontends.frontend-portainer.routes.route-portainer-ext] 17 | rule = "Host:portainer.example.com" 18 | 
-------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-swarm/rules/printer.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-printer] 3 | [backends.backend-printer.servers] 4 | [backends.backend-printer.servers.server-printer-ext] 5 | url = "http://192.168.1.23" 6 | weight = 0 7 | 8 | [frontends] 9 | [frontends.frontend-printer] 10 | backend = "backend-printer" 11 | passHostHeader = true 12 | basicAuth = [ 13 | "user:HASHED_PASSWORD", 14 | ] 15 | [frontends.frontend-printer.routes] 16 | [frontends.frontend-printer.routes.route-printer-ext] 17 | rule = "Host:printer.example.com" -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-swarm/rules/shellinabox.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-shellinabox] 3 | [backends.backend-shellinabox.servers] 4 | [backends.backend-shellinabox.servers.server-shellinabox-ext] 5 | url = "https://192.168.1.904200" 6 | weight = 0 7 | 8 | [frontends] 9 | [frontends.frontend-shellinabox] 10 | backend = "backend-shellinabox" 11 | passHostHeader = true 12 | basicAuth = [ 13 | "user:HASHED_PASSWORD", 14 | ] 15 | [frontends.frontend-shellinabox.routes] 16 | [frontends.frontend-shellinabox.routes.route-shellinabox-ext] 17 | rule = "Host:shell.example.com" 18 | -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-swarm/rules/synology.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-synology.servers] 3 | [backends.backend-synology.servers.server-synology-ext] 4 | url = "http://192.168.1.254:5000" 5 | weight = 0 6 | 7 | [frontends] 8 | [frontends.frontend-synology] 9 | backend = "backend-synology" 10 | passHostHeader = true 11 | 12 | 
[frontends.frontend-synology.routes] 13 | [frontends.frontend-synology.routes.route-synology-ext] 14 | rule = "Host:syno.example.com" 15 | -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-swarm/rules/transmission.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-trans] 3 | [backends.backend-trans.servers] 4 | [backends.backend-trans.servers.server-trans-ext] 5 | url = "http://192.168.1.90:8169" 6 | weight = 0 7 | 8 | [frontends] 9 | [frontends.frontend-trans] 10 | backend = "backend-trans" 11 | passHostHeader = true 12 | # basicAuth = [ 13 | # "user:HASHED_PASSWORD", 14 | # ] 15 | [frontends.frontend-trans.routes] 16 | [frontends.frontend-trans.routes.route-trans-ext] 17 | rule = "Host:trans.example.com" 18 | -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-swarm/rules/webmin.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-webmin.servers] 3 | [backends.backend-webmin.servers.server-webmin-ext] 4 | url = "http://192.168.1.90:8110" 5 | weight = 0 6 | 7 | [frontends] 8 | [frontends.frontend-webmin] 9 | backend = "backend-webmin" 10 | passHostHeader = true 11 | basicAuth = [ 12 | "user:HASHED_PASSWORD", 13 | ] 14 | [frontends.frontend-webmin.routes] 15 | [frontends.frontend-webmin.routes.route-webmin-ext] 16 | rule = "Host:webmin.example.com" 17 | -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1-swarm/rules/xiaofang1.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-xiaofang1.servers] 3 | [backends.backend-xiaofang1.servers.server-xiaofang1-ext] 4 | url = "https://192.168.1.83" 5 | weight = 0 6 | 7 | [frontends] 8 | [frontends.frontend-xiaofang1] 9 | backend = 
"backend-xiaofang1" 10 | passHostHeader = true 11 | 12 | [frontends.frontend-xiaofang1.routes] 13 | [frontends.frontend-xiaofang1.routes.route-xiaofang1-ext] 14 | rule = "Host:xiaofang1.example.com" -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1/rules.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SimpleHomelab/Docker-Traefik/9855b677aac36ab3095f625e1ab8a3f8d16777e0/archives/traefik_v1/traefik1/rules.toml -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1/rules/app.toml.example: -------------------------------------------------------------------------------- 1 | # Replace APPNAME, LAN-IP, PORT, example.com 2 | [backends] 3 | [backends.backend-APPNAME] 4 | [backends.backend-APPNAME.servers] 5 | [backends.backend-APPNAME.servers.server-APPNAME-ext] 6 | url = "http://LAN-IP:PORT" 7 | weight = 0 8 | [frontends] 9 | [frontends.frontend-APPNAME] 10 | backend = "backend-APPNAME" 11 | passHostHeader = true 12 | [frontends.frontend-APPNAME.routes] 13 | [frontends.frontend-APPNAME.routes.route-APPNAME-ext] 14 | rule = "Host:APPNAME.example.com" 15 | [frontends.frontend-APPNAME.headers] 16 | SSLRedirect = true 17 | SSLHost = "APPNAME.example.com" 18 | SSLForceHost = true 19 | STSSeconds = 315360000 20 | STSIncludeSubdomains = true 21 | STSPreload = true 22 | forceSTSHeader = true 23 | frameDeny = true 24 | contentTypeNosniff = true 25 | browserXSSFilter = true 26 | customFrameOptionsValue="allow-from https:example.com" 27 | [frontends.frontend-APPNAME.auth] 28 | headerField = "X-WebAuth-User" 29 | [frontends.frontend-APPNAME.auth.forward] 30 | address = "http://oauth:4181" 31 | trustForwardHeader = true 32 | authResponseHeaders = ["X-Forwarded-User"] -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1/rules/dafang1.toml: 
-------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-dafang1] 3 | [backends.backend-dafang1.servers] 4 | [backends.backend-dafang1.servers.server-dafang1-ext] 5 | url = "https://192.168.5.246" 6 | weight = 0 7 | [frontends] 8 | [frontends.frontend-dafang1] 9 | backend = "backend-dafang1" 10 | passHostHeader = true 11 | [frontends.frontend-dafang1.routes] 12 | [frontends.frontend-dafang1.routes.route-dafang1-ext] 13 | rule = "Host:dafang1.example.com" 14 | [frontends.frontend-dafang1.headers] 15 | SSLRedirect = true 16 | SSLHost = "dafang1.example.com" 17 | SSLForceHost = true 18 | STSSeconds = 315360000 19 | STSIncludeSubdomains = true 20 | STSPreload = true 21 | forceSTSHeader = true 22 | frameDeny = true 23 | contentTypeNosniff = true 24 | browserXSSFilter = true 25 | customFrameOptionsValue="allow-from https:example.com" 26 | [frontends.frontend-dafang1.auth] 27 | headerField = "X-WebAuth-User" 28 | [frontends.frontend-dafang1.auth.forward] 29 | address = "http://oauth:4181" 30 | trustForwardHeader = true 31 | authResponseHeaders = ["X-Forwarded-User"] -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1/rules/hassio.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-hassio] 3 | [backends.backend-hassio.servers] 4 | [backends.backend-hassio.servers.server-hassio-ext] 5 | url = "http://192.168.5.908888" 6 | weight = 0 7 | [frontends] 8 | [frontends.frontend-hassio] 9 | backend = "backend-hassio" 10 | passHostHeader = true 11 | [frontends.frontend-hassio.routes] 12 | [frontends.frontend-hassio.routes.route-hassio-ext] 13 | rule = "Host:hassio.example.com" 14 | [frontends.frontend-hassio.headers] 15 | SSLRedirect = true 16 | SSLHost = "hassio.example.com" 17 | SSLForceHost = true 18 | STSSeconds = 315360000 19 | STSIncludeSubdomains = true 20 | STSPreload = true 21 | 
forceSTSHeader = true
frameDeny = true
contentTypeNosniff = true
browserXSSFilter = true
# NOTE(review): `allow-from` is not honoured by current browsers and the value
# lacks "//"; combined with frameDeny = true above, the intended framing policy
# is unclear. A CSP frame-ancestors directive is the supported way to
# allow-list framers.
customFrameOptionsValue="allow-from https:example.com"
# Auth is deliberately off for this frontend: the listed integrations must
# reach the Home Assistant endpoint without passing the OAuth proxy, so the
# application's own authentication is the only gate on this hostname.
# ENABLING AUTH CAUSES ISSUES WITH SERVICES THAT RELY ON REACHING HASSIO.example.COM (EG. TELEGRAM, GOOGLE ASSISTANT, ETC.)
# [frontends.frontend-hassio.auth]
# headerField = "X-WebAuth-User"
# [frontends.frontend-hassio.auth.forward]
# address = "http://oauth:4181"
# trustForwardHeader = true
# authResponseHeaders = ["X-Forwarded-User"]
--------------------------------------------------------------------------------
/archives/traefik_v1/traefik1/rules/pihole.toml:
--------------------------------------------------------------------------------
# Archived Traefik v1 rule for Pi-hole: routes pi.example.com to the admin UI
# (AddPrefix:/admin) behind OAuth forward auth and strict transport headers.
[backends]
[backends.backend-pihole]
[backends.backend-pihole.servers]
[backends.backend-pihole.servers.server-pihole-ext]
url = "http://192.168.1.26"
weight = 0
[frontends]
[frontends.frontend-pihole]
backend = "backend-pihole"
passHostHeader = true
[frontends.frontend-pihole.routes]
[frontends.frontend-pihole.routes.route-pihole-ext]
rule = "Host:pi.example.com;AddPrefix:/admin"
[frontends.frontend-pihole.headers]
SSLRedirect = true
SSLHost = "pi.example.com"
SSLForceHost = true
# HSTS: 10 years, subdomains included, preload-eligible; effectively permanent
# once submitted to the preload list.
STSSeconds = 315360000
STSIncludeSubdomains = true
STSPreload = true
forceSTSHeader = true
frameDeny = true
contentTypeNosniff = true
browserXSSFilter = true
# NOTE(review): same malformed/obsolete `allow-from` value as in the other
# archived rules; with frameDeny = true the intended policy is unclear.
customFrameOptionsValue="allow-from https:example.com"
[frontends.frontend-pihole.auth]
headerField = "X-WebAuth-User"
[frontends.frontend-pihole.auth.forward]
# OAuth proxy reached over the internal docker network; the authenticated
# identity is passed to Pi-hole in X-Forwarded-User.
address = "http://oauth:4181"
trustForwardHeader = true
authResponseHeaders = ["X-Forwarded-User"]
--------------------------------------------------------------------------------
/archives/traefik_v1/traefik1/rules/plexwebtools.toml:
-------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-plexwebtools] 3 | [backends.backend-plexwebtools.servers] 4 | [backends.backend-plexwebtools.servers.server-plexwebtools-ext] 5 | url = "http://192.168.5.90:33400/" 6 | weight = 0 7 | [frontends] 8 | [frontends.frontend-plexwebtools] 9 | backend = "backend-plexwebtools" 10 | passHostHeader = true 11 | [frontends.frontend-plexwebtools.routes] 12 | [frontends.frontend-plexwebtools.routes.route-plexwebtools-ext] 13 | rule = "Host:pwt.example.com" 14 | [frontends.frontend-plexwebtools.headers] 15 | SSLRedirect = true 16 | SSLHost = "pwt.example.com" 17 | SSLForceHost = true 18 | STSSeconds = 315360000 19 | STSIncludeSubdomains = true 20 | STSPreload = true 21 | forceSTSHeader = true 22 | frameDeny = true 23 | contentTypeNosniff = true 24 | browserXSSFilter = true 25 | customFrameOptionsValue="allow-from https:example.com" 26 | [frontends.frontend-plexwebtools.auth] 27 | headerField = "X-WebAuth-User" 28 | [frontends.frontend-plexwebtools.auth.forward] 29 | address = "http://oauth:4181" 30 | trustForwardHeader = true 31 | authResponseHeaders = ["X-Forwarded-User"] -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1/rules/shellinabox.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-shellinabox] 3 | [backends.backend-shellinabox.servers] 4 | [backends.backend-shellinabox.servers.server-shellinabox-ext] 5 | url = "http://192.168.5.904200" 6 | weight = 0 7 | [frontends] 8 | [frontends.frontend-shellinabox] 9 | backend = "backend-shellinabox" 10 | passHostHeader = true 11 | [frontends.frontend-shellinabox.routes] 12 | [frontends.frontend-shellinabox.routes.route-shellinabox-ext] 13 | rule = "Host:shell.example.com" 14 | [frontends.frontend-shellinabox.headers] 15 | SSLRedirect = true 16 | SSLHost = "shell.example.com" 17 | 
SSLForceHost = true 18 | STSSeconds = 315360000 19 | STSIncludeSubdomains = true 20 | STSPreload = true 21 | forceSTSHeader = true 22 | frameDeny = true 23 | contentTypeNosniff = true 24 | browserXSSFilter = true 25 | customFrameOptionsValue="allow-from https:example.com" 26 | [frontends.frontend-shellinabox.auth] 27 | headerField = "X-WebAuth-User" 28 | [frontends.frontend-shellinabox.auth.forward] 29 | address = "http://oauth:4181" 30 | trustForwardHeader = true 31 | authResponseHeaders = ["X-Forwarded-User"] 32 | -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1/rules/synology.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-synology] 3 | [backends.backend-synology.servers] 4 | [backends.backend-synology.servers.server-synology-ext] 5 | url = "http://192.168.5.254:5000" 6 | weight = 0 7 | [frontends] 8 | [frontends.frontend-synology] 9 | backend = "backend-synology" 10 | passHostHeader = true 11 | [frontends.frontend-synology.routes] 12 | [frontends.frontend-synology.routes.route-synology-ext] 13 | rule = "Host:syno.example.com" 14 | [frontends.frontend-synology.headers] 15 | SSLRedirect = true 16 | SSLHost = "syno.example.com" 17 | SSLForceHost = true 18 | STSSeconds = 315360000 19 | STSIncludeSubdomains = true 20 | STSPreload = true 21 | forceSTSHeader = true 22 | frameDeny = true 23 | contentTypeNosniff = true 24 | browserXSSFilter = true 25 | customFrameOptionsValue="allow-from https:example.com" 26 | [frontends.frontend-synology.auth] 27 | headerField = "X-WebAuth-User" 28 | [frontends.frontend-synology.auth.forward] 29 | address = "http://oauth:4181" 30 | trustForwardHeader = true 31 | authResponseHeaders = ["X-Forwarded-User"] 32 | -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1/rules/synplex.toml: 
-------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-plex] 3 | [backends.backend-plex.servers] 4 | [backends.backend-plex.servers.server-plex-ext] 5 | url = "http://192.168.5.238:32400" 6 | weight = 0 7 | [frontends] 8 | [frontends.frontend-plex] 9 | backend = "backend-plex" 10 | passHostHeader = true 11 | [frontends.frontend-plex.routes] 12 | [frontends.frontend-plex.routes.route-plex-ext] 13 | rule = "Host:synplex.example.com" 14 | 15 | -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1/rules/unifi.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-ufi] 3 | [backends.backend-ufi.servers] 4 | [backends.backend-ufi.servers.server-ufi-ext] 5 | url = "https://192.168.5.254:8443" 6 | weight = 0 7 | [frontends] 8 | [frontends.frontend-ufi] 9 | backend = "backend-ufi" 10 | passHostHeader = true 11 | [frontends.frontend-ufi.routes] 12 | [frontends.frontend-ufi.routes.route-ufi-ext] 13 | rule = "Host:ufi.example.com" 14 | [frontends.frontend-ufi.headers] 15 | SSLRedirect = true 16 | SSLHost = "ufi.example.com" 17 | SSLForceHost = true 18 | STSSeconds = 315360000 19 | STSIncludeSubdomains = true 20 | STSPreload = true 21 | forceSTSHeader = true 22 | frameDeny = true 23 | contentTypeNosniff = true 24 | browserXSSFilter = true 25 | customFrameOptionsValue="allow-from https:example.com" 26 | [frontends.frontend-ufi.auth] 27 | headerField = "X-WebAuth-User" 28 | [frontends.frontend-ufi.auth.forward] 29 | address = "http://oauth:4181" 30 | trustForwardHeader = true 31 | authResponseHeaders = ["X-Forwarded-User"] 32 | -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1/rules/webmin.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-webmin] 3 | 
[backends.backend-webmin.servers] 4 | [backends.backend-webmin.servers.server-webmin-ext] 5 | url = "http://192.168.5.90:8110" 6 | weight = 0 7 | [frontends] 8 | [frontends.frontend-webmin] 9 | backend = "backend-webmin" 10 | passHostHeader = true 11 | [frontends.frontend-webmin.routes] 12 | [frontends.frontend-webmin.routes.route-webmin-ext] 13 | rule = "Host:webmin.example.com" 14 | [frontends.frontend-webmin.headers] 15 | SSLRedirect = true 16 | SSLHost = "webmin.example.com" 17 | SSLForceHost = true 18 | STSSeconds = 315360000 19 | STSIncludeSubdomains = true 20 | STSPreload = true 21 | forceSTSHeader = true 22 | frameDeny = true 23 | contentTypeNosniff = true 24 | browserXSSFilter = true 25 | customFrameOptionsValue="allow-from https:example.com" 26 | [frontends.frontend-webmin.auth] 27 | headerField = "X-WebAuth-User" 28 | [frontends.frontend-webmin.auth.forward] 29 | address = "http://oauth:4181" 30 | trustForwardHeader = true 31 | authResponseHeaders = ["X-Forwarded-User"] -------------------------------------------------------------------------------- /archives/traefik_v1/traefik1/rules/xiaofang1.toml: -------------------------------------------------------------------------------- 1 | [backends] 2 | [backends.backend-xiaofang1] 3 | [backends.backend-xiaofang1.servers] 4 | [backends.backend-xiaofang1.servers.server-xiaofang1-ext] 5 | url = "https://192.168.15.4" 6 | weight = 0 7 | [frontends] 8 | [frontends.frontend-xiaofang1] 9 | backend = "backend-xiaofang1" 10 | passHostHeader = true 11 | [frontends.frontend-xiaofang1.routes] 12 | [frontends.frontend-xiaofang1.routes.route-xiaofang1-ext] 13 | rule = "Host:xiaofang1.example.com" 14 | [frontends.frontend-xiaofang1.headers] 15 | SSLRedirect = true 16 | SSLHost = "xiaofang1.example.com" 17 | SSLForceHost = true 18 | STSSeconds = 315360000 19 | STSIncludeSubdomains = true 20 | STSPreload = true 21 | forceSTSHeader = true 22 | frameDeny = true 23 | contentTypeNosniff = true 24 | browserXSSFilter = true 25 | 
customFrameOptionsValue="allow-from https:example.com" 26 | [frontends.frontend-xiaofang1.auth] 27 | headerField = "X-WebAuth-User" 28 | [frontends.frontend-xiaofang1.auth.forward] 29 | address = "http://oauth:4181" 30 | trustForwardHeader = true 31 | authResponseHeaders = ["X-Forwarded-User"] 32 | -------------------------------------------------------------------------------- /compose/archives/adguardhome-sync.yml: -------------------------------------------------------------------------------- 1 | # AdGuard Home Sync - Sync Settings between AdGuard Homes 2 | adguardhome-sync: 3 | <<: *common-keys-core # See EXTENSION FIELDS at the top 4 | image: lscr.io/linuxserver/adguardhome-sync:latest 5 | container_name: adguardhome-sync 6 | environment: 7 | <<: *default-tz-puid-pgid 8 | CONFIGFILE: /config/adguardhome-sync.yaml #optional 9 | volumes: 10 | - $DOCKERDIR/appdata/adguard-home/config:/config 11 | -------------------------------------------------------------------------------- /compose/archives/ampache.yml: -------------------------------------------------------------------------------- 1 | # Ampache - Music Server 2 | ampache: 3 | container_name: ampache 4 | image: ampache/ampache:nosql 5 | restart: "no" 6 | # profiles: 7 | # - media 8 | networks: 9 | - t2_proxy 10 | - default 11 | security_opt: 12 | - no-new-privileges:true 13 | # ports: 14 | # - "$AMPACHE_PORT:80" 15 | volumes: 16 | - $DOCKERDIR/appdata/ampache/config:/var/www/config 17 | - $DOCKERDIR/appdata/ampache/log:/var/log/ampache 18 | - $DATADIR/media/music:/media 19 | labels: 20 | - "traefik.enable=true" 21 | ## HTTP Routers 22 | - "traefik.http.routers.ampache-rtr.entrypoints=https" 23 | - "traefik.http.routers.ampache-rtr.rule=Host(`amp.$DOMAINNAME0`)" 24 | ## Middlewares 25 | - "traefik.http.routers.ampache-rtr.middlewares=chain-no-auth@file" 26 | ## HTTP Services 27 | - "traefik.http.routers.ampache-rtr.service=ampache-svc" 28 | - "traefik.http.services.ampache-svc.loadbalancer.server.port=80" 
-------------------------------------------------------------------------------- /compose/archives/apcupsd.yml: --------------------------------------------------------------------------------
# APCUPSD - APC UPS Management
# create the apcupsd.conf file
apcupsd:
  image: gersilex/apcupsd:latest
  container_name: apcupsd
  restart: unless-stopped
  networks:
    - t2_proxy
  security_opt:
    - no-new-privileges:true   # adds little under privileged: true (processes already hold every capability)
  ports:
    - "$APCUPSD_PORT:3551"   # apcupsd NIS has no authentication by design: anything that reaches this host port reads UPS state - keep it LAN/VPN-only (NISIP in apcupsd.conf or a host firewall)
  privileged: true   # grants full host device access; a `devices:` entry for the UPS USB node is the least-privilege alternative - TODO confirm the image works without privileged
  tty: true
  volumes:
    - /tmp/apcupsd-docker:/tmp/apcupsd-docker
    - $DOCKERDIR/apcupsd/apcupsd.conf:/etc/apcupsd/apcupsd.conf
    - $DOCKERDIR/apcupsd/doshutdown:/etc/apcupsd/doshutdown   # script apcupsd runs on power events inside a privileged container: whoever can edit this file runs as host-equivalent root - keep it root-owned, not group/world-writable
    - $DOCKERDIR/apcupsd/apcupsd.events:/var/log/apcupsd.events
-------------------------------------------------------------------------------- /compose/archives/autoindex.yml: --------------------------------------------------------------------------------
# Autoindex - Simple Directory Index
autoindex:
  <<: *common-keys-apps # See EXTENSION FIELDS at the top
  container_name: autoindex
  image: dceoy/nginx-autoindex:latest
  # ports:
  #   - "$AUTOINDEX_PORT:80"   # correctly not published: chain-oauth on the Traefik route is the only gate
  volumes:
    - /volume1:/var/lib/nginx/html:ro # Location you want to index   # NOTE(review): this is the entire Synology volume (typically homes/ and docker appdata with secrets); everyone who passes OAuth can browse and download all of it - point this at a dedicated share instead
  labels:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.autoindex-rtr.entrypoints=https"
    - "traefik.http.routers.autoindex-rtr.rule=Host(`indexh.$DOMAINNAME0`)"
    ## Middlewares
    - "traefik.http.routers.autoindex-rtr.middlewares=chain-oauth@file"
    ## HTTP Services
    - "traefik.http.routers.autoindex-rtr.service=autoindex-svc"
    - "traefik.http.services.autoindex-svc.loadbalancer.server.port=80"
-------------------------------------------------------------------------------- /compose/archives/autoscan.yml: --------------------------------------------------------------------------------
# Plex AutoScan - On demand/specific folder scanning for Plex
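autoscan:
  image: hotio/autoscan
  container_name: autoscan
  restart: "no"
  # profiles:
  #   - media
  #   - testing
  networks:
    - t2_proxy
  security_opt:
    - no-new-privileges:true
  #ports:
  #  - "3030:3030"   # autoscan's webhook endpoint; if ever published, it takes unauthenticated scan triggers unless a token is configured
  environment:
    PUID: $PUID
    PGID: $PGID
    TZ: $TZ
    UMASK: 002
    #PLEX_LOGIN: ""
    #PLEX_PASSWORD: ""   # if enabled, prefer a Docker secret over a plaintext Plex password in this file (see the FILE__/secrets pattern used by musicbrainz) - TODO confirm the image supports it
  volumes:
    - $DOCKERDIR/appdata/autoscan:/config
-------------------------------------------------------------------------------- /compose/archives/cadvisor.yml: --------------------------------------------------------------------------------
# cAdvisor - Container Advisor
cadvisor:
  <<: *common-keys-monitoring # See EXTENSION FIELDS at the top
  container_name: cadvisor
  image: gcr.io/cadvisor/cadvisor:latest
  ports:
    - "$CADVISOR_PORT:8080"   # published on every host interface: this path is NOT covered by chain-oauth below and cAdvisor has no login of its own - bind to loopback ("127.0.0.1:$CADVISOR_PORT:8080") or drop it
  #privileged: true # Only needed for CentOS, Fedora, Red Hat, etc.
  #devices:
  #  - /dev/kmsg
  volumes:
    - /:/rootfs:ro
    # FIX: was /var/run:/var/run:rw. cAdvisor only reads here (upstream documents :ro) and rw let a compromised
    # container tamper with host pid/lock files under /var/run. NOTE: a read-only bind does NOT stop connecting
    # to docker.sock - the Docker API (host root) is still fully usable from inside, which is why the published
    # port above must never be reachable without authentication.
    - /var/run:/var/run:ro
    - /sys:/sys:ro
    - /var/lib/docker/:/var/lib/docker:ro
    - /dev/disk/:/dev/disk:ro
  labels:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.cadvisor-rtr.entrypoints=https"
    - "traefik.http.routers.cadvisor-rtr.rule=HostHeader(`cad.$DOMAINNAME1`)"   # HostHeader is a Traefik v2 matcher (removed in v3; use Host there)
    ## Middlewares
    - "traefik.http.routers.cadvisor-rtr.middlewares=chain-oauth@file"
    ## HTTP Services
    - "traefik.http.routers.cadvisor-rtr.service=cadvisor-svc"
    - "traefik.http.services.cadvisor-svc.loadbalancer.server.port=8080"

-------------------------------------------------------------------------------- /compose/archives/cf-companion.yml: --------------------------------------------------------------------------------
# Cloudflare-Companion - Automatic CNAME DNS Creation
cf-companion:
  <<: *common-keys-core # See EXTENSION FIELDS at the top
  container_name: cf-companion
  image: tiredofit/traefik-cloudflare-companion:latest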
networks: 7 | - socket_proxy 8 | environment: 9 | - TIMEZONE=$TZ 10 | - TRAEFIK_VERSION=2 11 | - CF_TOKEN__FILE=/run/secrets/cf_token 12 | - TARGET_DOMAIN=cdoc.$DOMAINNAME_CLOUD_SERVER # Edit this. Either a subdomain or just $DOMAINNAME_CLOUD_SERVER pointing to the IP will work. See: https://github.com/htpcBeginner/docker-traefik/issues/244. 13 | - DOMAIN1=$DOMAINNAME_CLOUD_SERVER 14 | - DOMAIN1_ZONE_ID=$CLOUDFLARE_ZONEID # Copy from Cloudflare Overview page 15 | - DOMAIN1_PROXIED=TRUE 16 | - DOCKER_HOST=tcp://socket-proxy:2375 17 | secrets: 18 | - cf_token 19 | labels: 20 | # Add hosts specified in rules here to force cf-companion to create the CNAMEs 21 | # Since cf-companion creates CNAMEs based on host rules, this a workaround for non-docker/external apps 22 | - "traefik.http.routers.cf-companion-rtr.rule=Host(Host(`webmin.$DOMAINNAME_CLOUD_SERVER`) || Host(`shell.$DOMAINNAME_CLOUD_SERVER`) || Host(`stcdoc.$DOMAINNAME_CLOUD_SERVER`) || Host(`ag.$DOMAINNAME_CLOUD_SERVER`)" 23 | -------------------------------------------------------------------------------- /compose/archives/cloud-commander.yml: -------------------------------------------------------------------------------- 1 | # Cloud Commander - web file manager 2 | cloudcmd: 3 | image: coderaiser/cloudcmd 4 | container_name: cloudcmd 5 | restart: unless-stopped 6 | networks: 7 | - t2_proxy 8 | security_opt: 9 | - no-new-privileges:true 10 | volumes: 11 | - $USERDIR/docker/cloudcmd:/root 12 | - $USERDIR:/mnt/fs 13 | environment: 14 | PUID: $PUID 15 | PGID: $PGID 16 | TZ: $TZ 17 | labels: 18 | - "traefik.enable=true" 19 | ## HTTP Routers 20 | - "traefik.http.routers.cloudcmd-rtr.entrypoints=https" 21 | - "traefik.http.routers.cloudcmd-rtr.rule=Host(`cloudcmd.$DOMAINNAME`)" 22 | - "traefik.http.routers.cloudcmd-rtr.tls=true" 23 | ## Middlewares 24 | - "traefik.http.routers.cloudcmd-rtr.middlewares=chain-authelia@file" 25 | ## HTTP Services 26 | - "traefik.http.routers.cloudcmd-rtr.service=cloudcmd-svc" 27 | - 
"traefik.http.services.cloudcmd-svc.loadbalancer.server.port=8000" -------------------------------------------------------------------------------- /compose/archives/cloud9.yml: -------------------------------------------------------------------------------- 1 | # Cloud IDE - Editing 2 | cloud9: 3 | image: linuxserver/cloud9 4 | container_name: cloud9 5 | restart: unless-stopped 6 | networks: 7 | - t2_proxy 8 | security_opt: 9 | - no-new-privileges:true 10 | ports: 11 | - "$CLOUD9_PORT:8000" 12 | volumes: 13 | - $USERDIR/server/scripts:/code 14 | - /var/run/docker.sock:/var/run/docker.sock 15 | environment: 16 | PUID: $PUID 17 | PGID: $PGID 18 | TZ: $TZ 19 | # PASSWORD: $CLOUD9_PASSWORD 20 | # USERNAME: $CLOUD9_USERNAME 21 | labels: 22 | - "traefik.enable=true" 23 | ## HTTP Routers 24 | - "traefik.http.routers.cloud9-rtr.entrypoints=https" 25 | - "traefik.http.routers.cloud9-rtr.rule=Host(`cloud9.$DOMAINNAME`)" 26 | - "traefik.http.routers.cloud9-rtr.tls=true" 27 | ## Middlewares 28 | - "traefik.http.routers.cloud9-rtr.middlewares=chain-authelia@file" 29 | ## HTTP Services 30 | - "traefik.http.routers.cloud9-rtr.service=cloud9-svc" 31 | - "traefik.http.services.cloud9-svc.loadbalancer.server.port=8000" -------------------------------------------------------------------------------- /compose/archives/cloudflare-ddns.yml: -------------------------------------------------------------------------------- 1 | # Cloudflare DDNS - Dynamic DNS Updater 2 | cloudddns: 3 | container_name: cloudddns 4 | restart: always 5 | image: joshava/cloudflare-ddns 6 | volumes: 7 | - $USERDIR/docker/cloudflare-ddns/config.yaml:/app/config.yaml 8 | environment: 9 | - PUID=$PUID 10 | - PGID=$PGID 11 | - TZ=$TZ -------------------------------------------------------------------------------- /compose/archives/cloudplow.yml: -------------------------------------------------------------------------------- 1 | # CloudPlow - Rclone remote uploader/syncer 2 | cloudplow: 3 | image: 
    sabrsorensen/alpine-cloudplow
  container_name: cloudplow
  restart: "no"
  security_opt:
    - no-new-privileges:true
  volumes:
    - $DOCKERDIR/appdata/cloudplow:/config/:rw
    - $DOCKERDIR/appdata/rclone:/rclone_config/:rw   # rclone.conf holds remote credentials and crypt keys; rw is needed so rclone can refresh OAuth tokens in place, so keep the directory 0700
    #- /home//google_drive_service_accounts:/service_accounts/:rw
    - $DATADIR/media:/data/media:rw
    - /etc/localtime:/etc/localtime:ro
  environment:
    - PUID=$PUID
    - PGID=$PGID
    - CLOUDPLOW_CONFIG=/config/config.json
    - CLOUDPLOW_LOGFILE=/config/cloudplow.log
    - CLOUDPLOW_LOGLEVEL=DEBUG   # DEBUG records the rclone invocations it runs; review cloudplow.log before sharing it - TODO confirm whether any token/remote secret ends up in it
    - CLOUDPLOW_CACHEFILE=/config/cache.db
-------------------------------------------------------------------------------- /compose/archives/crowdsec-blocklist.yml: --------------------------------------------------------------------------------
# CrowdSec Blocklist Mirror - For PiHole/AdGuard Use
# sudo docker exec crowdsec cscli bouncer add cloudflare-bouncer   # any bouncer name works (this one looks copied from the cloudflare bouncer); the key it prints goes into cfg.yaml
crowdsec-blocklist:
  image: crowdsecurity/blocklist-mirror
  container_name: crowdsec-blocklist
  security_opt:
    - no-new-privileges:true
  restart: unless-stopped
  profiles: ["apps", "all"]
  networks:
    - t2_proxy
  volumes:
    - $DOCKERDIR/appdata/crowdsec-blocklist/cfg.yaml:/etc/crowdsec/bouncers/crowdsec-blocklist-mirror.yaml   # contains the LAPI key; the mirror's own basic-auth / trusted-IP settings live here too
  labels:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.crowdsec-blocklist-rtr.entrypoints=https"
    - "traefik.http.routers.crowdsec-blocklist-rtr.rule=Host(`blocklist.$DOMAINNAME_SHB`)" # https://domain.com/security/blocklist
    ## Middlewares
    - "traefik.http.routers.crowdsec-blocklist-rtr.middlewares=chain-oauth@file"   # NOTE(review): PiHole/AdGuard fetch lists with a plain HTTP client that cannot follow an OAuth redirect; if they pull from this URL, use a no-auth/basic-auth chain and rely on the mirror's own authentication in cfg.yaml instead
    ## HTTP Services
    - "traefik.http.routers.crowdsec-blocklist-rtr.service=crowdsec-blocklist-svc"
    - "traefik.http.services.crowdsec-blocklist-svc.loadbalancer.server.port=41412"
-------------------------------------------------------------------------------- /compose/archives/crowdsec-metabase.yml:
--------------------------------------------------------------------------------
# CrowdSec Dashboard
# Uses a lot of resources. May be crowdsec's cloud dashboard or Prometheus Grafana may be a better option.
csdash:
  <<: *common-keys-apps # See EXTENSION FIELDS at the top
  container_name: crowdsec-dashboard
  build:
    context: $DOCKERDIR/custom/
    dockerfile: Dockerfile-csdash   # locally built image: nothing pins the Metabase version it installs - check the Dockerfile
  depends_on:
    - crowdsec
  environment:
    - MB_DB_FILE=/data/metabase.db
    - MGID=1000   # hard-coded group id (the rest of the stack uses $PGID); must match the owner of $DOCKERDIR/appdata/crowdsec/data
  volumes:
    - $DOCKERDIR/appdata/crowdsec/data:/metabase-data/   # CrowdSec's own data dir (decisions/alerts DB) handed to Metabase read/write; Metabase's own state is MB_DB_FILE under /data, so :ro here is likely enough - TODO confirm
  labels:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.csdash-rtr.entrypoints=https"
    - "traefik.http.routers.csdash-rtr.rule=Host(`csdash.$DOMAINNAME_CLOUD_SERVER`)"
    ## Middlewares
    - "traefik.http.routers.csdash-rtr.middlewares=chain-oauth@file"   # Metabase ships a default admin account on first start; OAuth in front of it is the right call
    ## HTTP Services
    - "traefik.http.routers.csdash-rtr.service=csdash-svc"
    - "traefik.http.services.csdash-svc.loadbalancer.server.port=3000"
-------------------------------------------------------------------------------- /compose/archives/dashy.yml: --------------------------------------------------------------------------------
# Dashy - Application Dashboard
dashy:
  <<: *common-keys-apps # See EXTENSION FIELDS at the top
  container_name: dashy
  image: lissy93/dashy
  healthcheck:
    test: ['CMD', 'node', '/app/services/healthcheck']
    interval: 1m30s
    timeout: 10s
    retries: 3
    start_period: 40s
  ports:
    - 4000:80   # published on every host interface and NOT behind chain-oauth: the full service list and any widget API keys in conf.yml are readable by whoever reaches this port - bind to 127.0.0.1 or remove
  volumes:
    - $DOCKERDIR/appdata/dashy/conf.yml:/app/public/conf.yml   # conf.yml is served to the browser, so secrets placed in it are visible to every dashboard visitor
    - $DOCKERDIR/appdata/dashy:/app/public/item-icons
  environment:
    - NODE_ENV=production
    - UID=$PUID
    - GID=$PGID
  labels:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.dashy-rtr.entrypoints=https"
    - "traefik.http.routers.dashy-rtr.rule=Host(`$DOMAINNAME_HOME_SYNOLOGY`,`www.$DOMAINNAME_HOME_SYNOLOGY`)"
| ## Middlewares 27 | - "traefik.http.routers.dashy-rtr.middlewares=chain-oauth@file" 28 | ## HTTP Services 29 | - "traefik.http.routers.dashy-rtr.service=dashy-svc" 30 | - "traefik.http.services.dashy-svc.loadbalancer.server.port=80" 31 | -------------------------------------------------------------------------------- /compose/archives/digikam.yml: -------------------------------------------------------------------------------- 1 | # digikam - Photo Management 2 | digikam: 3 | image: ghcr.io/linuxserver/digikam 4 | container_name: digikam 5 | restart: unless-stopped 6 | networks: 7 | - t2_proxy 8 | volumes: 9 | - $DOCKERDIR/appdata/digikam:/config 10 | - $DATADIR/photos:/data/photos 11 | #ports: 12 | # - 3000:3000 13 | environment: 14 | PUID: $PUID 15 | PGID: $PGID 16 | TZ: $TZ 17 | labels: 18 | - "traefik.enable=true" 19 | ## HTTP Routers 20 | - "traefik.http.routers.digikam-rtr.entrypoints=https" 21 | - "traefik.http.routers.digikam-rtr.rule=Host(`digikam.$DOMAINNAME0`)" 22 | ## Middlewares 23 | - "traefik.http.routers.digikam-rtr.middlewares=chain-oauth@file" 24 | ## HTTP Services 25 | - "traefik.http.routers.digikam-rtr.service=digikam-svc" 26 | - "traefik.http.services.digikam-svc.loadbalancer.server.port=3000" -------------------------------------------------------------------------------- /compose/archives/dupeguru.yml: -------------------------------------------------------------------------------- 1 | # DupeGuru - Duplicate File/Folder Remover 2 | dupeguru: 3 | <<: *common-keys-apps # See EXTENSION FIELDS at the top 4 | image: jlesage/dupeguru:latest 5 | container_name: dupeguru 6 | # ports: 7 | # - "$dupeguru_PORT:5800" 8 | volumes: 9 | - $USERDIR:/data/home:ro 10 | - $DOCKERDIR/appdata/dupeguru/config:/config:rw 11 | - /media/data:/data/data:rw 12 | environment: 13 | USER_ID: $PUID 14 | GROUP_ID: $PGID 15 | UMASK: 002 16 | TZ: $TZ 17 | KEEP_APP_RUNNING: 1 18 | CLEAN_TMP_DIR: 1 19 | DISPLAY_WIDTH: 1600 20 | DISPLAY_HEIGHT: 960 21 | VNC_PASSWORD: 
      $DUPEGURU_VNC_PASSWD   # second factor behind chain-oauth for the VNC/noVNC desktop; sourced from .env, not inlined
  labels:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.dupeguru-rtr.entrypoints=https"
    - "traefik.http.routers.dupeguru-rtr.rule=Host(`dupe.$DOMAINNAME0`)"
    ## Middlewares
    - "traefik.http.routers.dupeguru-rtr.middlewares=chain-oauth@file"
    ## HTTP Services
    - "traefik.http.routers.dupeguru-rtr.service=dupeguru-svc"
    - "traefik.http.services.dupeguru-svc.loadbalancer.server.port=5800"

-------------------------------------------------------------------------------- /compose/archives/emby.yml: --------------------------------------------------------------------------------
# Emby - Media Server
embyms:
  image: emby/embyserver:latest
  container_name: embyms
  restart: unless-stopped
  networks:
    - t2_proxy
  devices:
    - /dev/dri:/dev/dri # for harware transcoding
  security_opt:
    - no-new-privileges:true
  ports:
    - "$EMBY_PORT:8096/tcp"   # plain-HTTP host port that bypasses Traefik; Emby's own login is the gate there
    - "8920:8920/tcp"         # Emby's HTTPS port - only meaningful if a certificate is configured inside Emby; otherwise it is an unused open port, drop it
  volumes:
    - /etc/localtime:/etc/localtime:ro
    - $DOCKERDIR/appdata/embyms:/config
    - /dev/shm:/data/transcode   # host shared memory for transcodes: fast, but shared with every other container that mounts /dev/shm (see makemkv) and bounded by host shm size
    - $DATADIR/media:/data/media
    - $DATADIR/Downloads:/data/downloads
  environment:
    TZ: $TZ
    HOSTNAME: "nucEmby"
    UID: $PUID
    GID: $PGID
  labels:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.embyms-rtr.entrypoints=https"
    - "traefik.http.routers.embyms-rtr.rule=Host(`nucemby.$DOMAINNAME`)"
    ## Middlewares
    - "traefik.http.routers.embyms-rtr.middlewares=chain-no-auth@file"   # deliberate: Emby client apps cannot complete an OAuth redirect, so Emby's own authentication is the gate
    ## HTTP Services
    - "traefik.http.routers.embyms-rtr.service=embyms-svc"
    - "traefik.http.services.embyms-svc.loadbalancer.server.port=8096"
-------------------------------------------------------------------------------- /compose/archives/filebrowser.yml: --------------------------------------------------------------------------------
# File Browser - Explorer
filebrowser:
  image:
    filebrowser/filebrowser:s6
  container_name: filebrowser
  security_opt:
    - no-new-privileges:true
  restart: unless-stopped
  profiles: ["apps", "all"]
  networks:
    - t2_proxy
  ports:
    - "81:80"   # host port that bypasses chain-oauth below; File Browser's own login is the only gate there - change its default/first-run admin credentials before first use, or bind to 127.0.0.1
  volumes:
    - $DOCKERDIR/appdata/filebrowser:/config   # filebrowser.db holds user password hashes and the JWT signing key
    - $EXTDRIVE:/data/media
    - $USERDIR:/data/home   # whole home directory read/write, including docker appdata if it lives under $USERDIR (see cloud-commander)
  environment:
    TZ: $TZ
    PUID: $PUID
    PGID: $PGID
  labels:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.filebrowser-rtr.entrypoints=https"
    - "traefik.http.routers.filebrowser-rtr.rule=Host(`fb.$DOMAINNAME_CLOUD_SERVER`)"
    ## Middlewares
    - "traefik.http.routers.filebrowser-rtr.middlewares=chain-oauth@file"
    ## HTTP Services
    - "traefik.http.routers.filebrowser-rtr.service=filebrowser-svc"
    - "traefik.http.services.filebrowser-svc.loadbalancer.server.port=80"
-------------------------------------------------------------------------------- /compose/archives/flaresolverr.yml: --------------------------------------------------------------------------------
# FlareSolverr - Proxy server to bypass Cloudflare protection
# Not sure if I need this or not. Just testing.
flaresolverr:
  <<: *common-keys-apps # See EXTENSION FIELDS at the top
  image: ghcr.io/flaresolverr/flaresolverr:latest
  container_name: flaresolverr
  networks:
    t2_proxy:
      ipv4_address: 192.168.90.160   # fixed address so jackett (192.168.90.161) can target it by IP; no Traefik labels and no host port, so it is reachable only inside t2_proxy
  environment:
    LOG_LEVEL: info
    LOG_HTML: false   # keep false: HTML logging would write full fetched pages (session cookies included) into the log
    CAPTCHA_SOLVER: none
    TZ: $TZ
  #ports:
  #  - "8191:8191"   # unauthenticated API; if ever published, it becomes an open proxy for anyone who reaches the port
  restart: unless-stopped   # explicit key wins over whatever *common-keys-apps sets for restart
-------------------------------------------------------------------------------- /compose/archives/funkwhale.yml: --------------------------------------------------------------------------------
# FunkWhale - Music Server
funkwhale:
  <<: *common-keys-media # See EXTENSION FIELDS at the top
  container_name: funkwhale
  image: thetarkus/funkwhale
  # ports:
  #   - "$FUNKWHALE_PORT:80"
  volumes:
    - $DOCKERDIR/appdata/funkwhale:/data
    - $DATADIR/media/music:/music:ro   # library mounted read-only: good, the app cannot alter the originals
  environment:
    - PUID=$PUID
    - PGID=$PGID
    - FUNKWHALE_HOSTNAME=proxfw.$DOMAINNAME0
    - NESTED_PROXY=1   # tells the bundled nginx it sits behind Traefik so X-Forwarded-* is trusted for client IPs
  labels:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.funkwhale-rtr.entrypoints=https"
    - "traefik.http.routers.funkwhale-rtr.rule=Host(`proxfw.$DOMAINNAME0`)"
    ## Middlewares
    - "traefik.http.routers.funkwhale-rtr.middlewares=chain-no-auth@file"   # Funkwhale's own accounts/federation are the gate; OAuth in front would break Subsonic clients
    ## HTTP Services
    - "traefik.http.routers.funkwhale-rtr.service=funkwhale-svc"
    - "traefik.http.services.funkwhale-svc.loadbalancer.server.port=80"

-------------------------------------------------------------------------------- /compose/archives/gonic.yml: --------------------------------------------------------------------------------
# Gonic - Music Server
gonic:
  container_name: gonic
  image: sentriz/gonic:latest
  restart: "no"
  # profiles:
  #   - media
  networks:
    - t2_proxy
  security_opt:
    - no-new-privileges:true
  # ports:
  #   - "$GONIC_PORT:80"
  volumes:
    - $DOCKERDIR/appdata/gonic/data:/data
    -
      $DOCKERDIR/appdata/gonic/podcasts:/podcasts
    - $DATADIR/transcode/gonic:/cache
    - $DATADIR/media/music:/music:ro   # library read-only: good
  environment:
    - PUID=$PUID
    - PGID=$PGID
    - TZ=$TZ
  labels:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.gonic-rtr.entrypoints=https"
    - "traefik.http.routers.gonic-rtr.rule=Host(`gonic.$DOMAINNAME0`)"
    ## Middlewares
    - "traefik.http.routers.gonic-rtr.middlewares=chain-no-auth@file"   # Subsonic API clients cannot do OAuth; gonic's own login is the gate (note the Subsonic protocol sends password/salted-token on every request)
    ## HTTP Services
    - "traefik.http.routers.gonic-rtr.service=gonic-svc"
    - "traefik.http.services.gonic-svc.loadbalancer.server.port=80"
-------------------------------------------------------------------------------- /compose/archives/ha-dockermon.yml: --------------------------------------------------------------------------------
# HA-Dockermon - Manage Docker containers in Home Assistant
ha-dockermon:
  image: philhawthorne/ha-dockermon:latest
  container_name: ha-dockermon
  restart: unless-stopped
  networks:
    - socket_proxy
  security_opt:
    - no-new-privileges:true
  ports:
    - "$HA_DOCKERMON_PORT:8126"   # a container start/stop API on a host port: unauthenticated unless username/password are set in its configuration.yaml - keep it LAN/VPN-only
  volumes:
    - $DOCKERDIR/ha-dockermon:/config
    # - /var/run/docker.sock:/var/run/docker.sock   # correctly left disabled in favour of socket-proxy
  environment:
    PUID: $PUID
    PGID: $PGID
    TZ: $TZ
    DOCKER_HOST: tcp://socket-proxy:2375   # socket-proxy must allow CONTAINERS (and presumably POST) for start/stop to work; keep its allow-list minimal
-------------------------------------------------------------------------------- /compose/archives/handbrake.yml: --------------------------------------------------------------------------------
# Handbrake - Video Conversion (Transcoding and compression)
handbrake:
  <<: *common-keys-apps # See EXTENSION FIELDS at the top
  image: jlesage/handbrake:latest
  container_name: handbrake
  # ports:
  #   - "$HANDBRAKE_PORT:5800"
  volumes:
    - $DATADIR/downloads:/data/downloads
    - $DOCKERDIR/appdata/handbrake/config:/config
    - $DOCKERDIR/appdata/handbrake/watch:/watch   # anything dropped here is converted automatically; whoever can write to this host dir drives the encoder
  environment:
    USER_ID: $PUID
    GROUP_ID:
      $PGID
    UMASK: 002
    TZ: $TZ
    KEEP_APP_RUNNING: 1
    CLEAN_TMP_DIR: 1
    DISPLAY_WIDTH: 1600
    DISPLAY_HEIGHT: 960
    AUTOMATED_CONVERSION_KEEP_SOURCE: 1
    VNC_PASSWORD: $HANDBRAKE_VNC_PASSWD   # second factor behind chain-oauth for the noVNC desktop; value comes from .env
  labels:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.handbrake-rtr.entrypoints=https"
    - "traefik.http.routers.handbrake-rtr.rule=Host(`handbrake.$DOMAINNAME_CLOUD_SERVER`)"
    ## Middlewares
    - "traefik.http.routers.handbrake-rtr.middlewares=chain-oauth@file"
    ## HTTP Services
    - "traefik.http.routers.handbrake-rtr.service=handbrake-svc"
    - "traefik.http.services.handbrake-svc.loadbalancer.server.port=5800"
-------------------------------------------------------------------------------- /compose/archives/headscale.yml: --------------------------------------------------------------------------------
# HeadScale - SDN
headscale:
  <<: *common-keys-core # See EXTENSION FIELDS at the top
  image: headscale/headscale:latest
  container_name: headscale
  volumes:
    - $DOCKERDIR/appdata/headscale/config:/etc/headscale
    - $DOCKERDIR/appdata/headscale/data:/var/lib/headscale   # holds the server's private keys and the node database - back up, and keep 0700
  #ports:
  #  - 27896:8080
  command: headscale serve
  labels:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.headscale-rtr.entrypoints=https"
    - "traefik.http.routers.headscale-rtr.rule=Host(`headscale.$DOMAINNAME_SHB`)"
    ## Middlewares
    #- "traefik.http.routers.headscale-rtr.middlewares=chain-no-auth@file"   # NOTE(review): with no middleware at all, none of the secure-headers/rate-limit/bouncer chain applies either. Tailscale clients must reach the control endpoints unauthenticated, so an auth chain is not an option, but chain-no-auth would still be appropriate - confirm it does not break node registration
    ## HTTP Services
    - "traefik.http.routers.headscale-rtr.service=headscale-svc"
    - "traefik.http.services.headscale-svc.loadbalancer.server.port=8080"

-------------------------------------------------------------------------------- /compose/archives/heimdall.yml: --------------------------------------------------------------------------------
# Heimdall - Application Dashboard
heimdall:
  <<: *common-keys-core # See
  # EXTENSION FIELDS at the top
  image: lscr.io/linuxserver/heimdall
  container_name: heimdall
  # ports:
  #   - "$HEIMDALL_PORT:80" # 80 to 82 already taken by other services
  #   - "444:443" # 443 used by Traefik/Nginx Proxy Manager. Disabled because we will put Heimdall behind proxy.
  volumes:
    - $DOCKERDIR/appdata/heimdall:/config   # Heimdall "enhanced" app entries store API keys/passwords for the services they query in this directory
  environment:
    <<: *default-tz-puid-pgid
  labels:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.heimdall-rtr.entrypoints=https"
    - "traefik.http.routers.heimdall-rtr.rule=Host(`$DOMAINNAME_CLOUD_SERVER`,`www.$DOMAINNAME_CLOUD_SERVER`)"
    ## Middlewares
    - "traefik.http.routers.heimdall-rtr.middlewares=chain-oauth@file"   # OAuth-gated at the apex domain, unlike homepage below which is served with no auth
    ## HTTP Services
    - "traefik.http.routers.heimdall-rtr.service=heimdall-svc"
    - "traefik.http.services.heimdall-svc.loadbalancer.server.port=80"
-------------------------------------------------------------------------------- /compose/archives/homepage.yml: --------------------------------------------------------------------------------
services:
  # Homepage - Application Dashboard
  homepage:
    image: ghcr.io/gethomepage/homepage:latest
    container_name: homepage
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    profiles: ["apps", "all"]
    networks:
      - t2_proxy
      - socket_proxy   # Docker integration via socket-proxy: container names/status are rendered on the dashboard
    # ports:
    #   - "3000:3000"
    volumes:
      - $DOCKERDIR/appdata/homepage:/app/config   # services.yaml / widgets.yaml typically hold API keys for the integrations; keep this dir private
    environment:
      TZ: $TZ
      PUID: $PUID
      PGID: $PGID
      # NOTE(review): recent homepage releases refuse requests unless HOMEPAGE_ALLOWED_HOSTS lists the domain(s) below - check after the next pull of :latest
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.homepage-rtr.entrypoints=websecure"
      - "traefik.http.routers.homepage-rtr.rule=Host(`$DOMAINNAME_1`,`www.$DOMAINNAME_1`)" # Both domain.com and www.domain.com
      ## Middlewares
      - "traefik.http.routers.homepage-rtr.middlewares=chain-no-auth@file"   # NOTE(review): the apex domain is public with no auth, and homepage has none of its own; with the Docker integration above, anyone can read the container inventory and widget output - consider chain-oauth as heimdall uses
      ## HTTP Services
      - "traefik.http.routers.homepage-rtr.service=homepage-svc"
      -
        "traefik.http.services.homepage-svc.loadbalancer.server.port=3000"
-------------------------------------------------------------------------------- /compose/archives/jackett.yml: --------------------------------------------------------------------------------
# Jackett - Torrent proxy
# Set url_base in Jackett settings if using PathPrefix
jackett:
  <<: *common-keys-apps # See EXTENSION FIELDS at the top
  image: lscr.io/linuxserver/jackett:latest
  container_name: jackett
  # network_mode: container:transmission-vpn
  networks:
    t2_proxy:
      ipv4_address: 192.168.90.161   # fixed address; paired with flaresolverr at 192.168.90.160
  # ports:
  #   - "$JACKETT_PORT:9117"
  volumes:
    - $DOCKERDIR/appdata/jackett:/config   # ServerConfig.json holds the Jackett API key and admin password; indexer configs hold tracker credentials
    - $DATADIR/downloads:/data/downloads
    - "/etc/localtime:/etc/localtime:ro"
  environment:
    <<: *default-tz-puid-pgid
  labels:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.jackett-rtr.entrypoints=https"
    - "traefik.http.routers.jackett-rtr.rule=Host(`jackett.$DOMAINNAME0`)"
    ## Middlewares
    - "traefik.http.routers.jackett-rtr.middlewares=chain-oauth@file"   # *arr apps on t2_proxy talk to the container directly, so OAuth on the public route does not break them
    ## HTTP Services
    - "traefik.http.routers.jackett-rtr.service=jackett-svc"
    - "traefik.http.services.jackett-svc.loadbalancer.server.port=9117"
-------------------------------------------------------------------------------- /compose/archives/loki.yml: --------------------------------------------------------------------------------
# Loki - Log Aggregation
loki:
  <<: *common-keys-monitoring # See EXTENSION FIELDS at the top
  container_name: loki
  image: grafana/loki:latest
  volumes:
    - $DOCKERDIR/appdata/loki:/etc/loki
  ports:
    - "$LOKI_PORT:3100"   # Loki has no authentication of its own: whoever reaches this host port can push and query every aggregated log (which often contains tokens/IPs) - LAN/VPN only, or bind to 127.0.0.1
  command: -config.file=/etc/loki/config.yml
-------------------------------------------------------------------------------- /compose/archives/makemkv.yml: --------------------------------------------------------------------------------
# MakeMKV - Video Editing
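# (Ripping from Disks)
makemkv:
  <<: *common-keys-apps # See EXTENSION FIELDS at the top
  image: jlesage/makemkv:latest
  container_name: makemkv
  # ports:
  #   - "$MAKEMKV_PORT:5800"
  volumes:
    - $DATADIR/downloads:/data/downloads
    - $DOCKERDIR/appdata/makemkv/config:/config
    - /dev/shm:/dev/shm   # host shared memory, shared with emby's transcode dir and every other /dev/shm mount; an unusual mount for a ripper - TODO confirm it is needed (a `shm_size:` entry is the usual alternative)
  environment:
    USER_ID: $PUID
    GROUP_ID: $PGID
    UMASK: 002
    TZ: $TZ
    KEEP_APP_RUNNING: 1
    CLEAN_TMP_DIR: 1
    DISPLAY_WIDTH: 1600
    DISPLAY_HEIGHT: 960
    VNC_PASSWORD: $MAKEMKV_VNC_PASSWD   # second factor behind chain-oauth for the noVNC desktop
  labels:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.makemkv-rtr.entrypoints=https"
    - "traefik.http.routers.makemkv-rtr.rule=Host(`makemkv.$DOMAINNAME_CLOUD_SERVER`)"
    ## Middlewares
    - "traefik.http.routers.makemkv-rtr.middlewares=chain-oauth@file"
    ## HTTP Services
    - "traefik.http.routers.makemkv-rtr.service=makemkv-svc"
    - "traefik.http.services.makemkv-svc.loadbalancer.server.port=5800"
-------------------------------------------------------------------------------- /compose/archives/mergerfs.yml: --------------------------------------------------------------------------------
# MergerFS - A featureful union filesystem
mergerfs:
  container_name: mergerfs
  hostname: mergerfs
  image: hotio/mergerfs:latest
  restart: always
  depends_on:
    - rclone-drive
    - rclone-crypt
  user: $PUID:$PGID   # runs unprivileged; FUSE still needs SYS_ADMIN + /dev/fuse below, and allow_other needs user_allow_other in the mounted fuse.conf
  # Branches: local (rw) first, crypt, then drive read-only; mounted at /data/media.
  # FIX: `func.getattr=newest` was listed twice in the option string; the duplicate is dropped (no behaviour change).
  # (the backslash-newline continuations inside the double-quoted scalar join into one option string)
  command: "/data/media-local:/data/media-crypt:/data/media-drive=RO \
    /data/media \
    -o rw,\
    use_ino,\
    allow_other,\
    func.getattr=newest,\
    category.action=all,\
    category.create=ff,\
    statfs_ignore=nc,\
    cache.files=auto-full,\
    dropcacheonclose=true,\
    nonempty"
  cap_add:
    - SYS_ADMIN   # required for mount(2) from inside the container; this is a very broad capability - nothing else in this file should run in this container
  security_opt:
    - apparmor:unconfined   # Docker's default AppArmor profile blocks FUSE mounts; "unconfined" drops the whole profile rather than only the mount rules - a custom profile would be tighter
  devices:
    - /dev/fuse
  environment:
    - TZ=$TZ
  volumes:
    - /etc/passwd:/etc/passwd:ro
    -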
      /etc/group:/etc/group:ro
    - /etc/fuse.conf:/etc/fuse.conf:shared   # needed so allow_other works for the non-root user (user_allow_other); "shared" propagation on a single file is unusual - :ro would presumably do. TODO confirm
    #- $DATADIR:/data:slave # creates local-media and shb-media on host
    - $DATADIR/local/media:/data/media-local:rshared
    - /media/shb-drive/media:/data/media-drive:rshared
    - /media/shb-crypt/media:/data/media-crypt:rshared
    - $DATADIR/media:/data/media:rshared   # rshared so the FUSE mount created inside the container propagates back to the host; the host path must already be a shared mount point
-------------------------------------------------------------------------------- /compose/archives/metube.yml: --------------------------------------------------------------------------------
# MeTube - Youtube downloader
# Could not get this to work - "Could not resolve name" error
metube:
  <<: *common-keys-apps # See EXTENSION FIELDS at the top
  image: alexta69/metube
  container_name: metube
  user: $PUID:$PGID   # runs unprivileged: good
  volumes:
    - $DATADIR/downloads/youtube:/downloads
    - $DOCKERDIR/appdata/metube/config:/config
    - $DOCKERDIR/appdata/metube/cookies:/cookies   # cookies.txt is a logged-in YouTube/Google session - it is an account credential, keep the dir 0700 and rotate by logging out if leaked
  environment:
    - STATE_DIR=/config
    - YTDL_OPTIONS={"cookiefile":"/cookies/cookies.txt"}
  labels:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.metube-rtr.entrypoints=https"
    - "traefik.http.routers.metube-rtr.rule=Host(`metube.$DOMAINNAME0`)"
    ## Middlewares
    - "traefik.http.routers.metube-rtr.middlewares=chain-oauth@file"   # MeTube has no login of its own; OAuth is the only gate on an app that fetches arbitrary URLs using the session cookies above
    ## HTTP Services
    - "traefik.http.routers.metube-rtr.service=metube-svc"
    - "traefik.http.services.metube-svc.loadbalancer.server.port=8081"
-------------------------------------------------------------------------------- /compose/archives/miflora.yml: --------------------------------------------------------------------------------
# MiFlora MQTT Daemon - BT to MQTT Daemon for MiFlora Sensors
miflora:
  image: raymondmm/miflora-mqtt
  container_name: miflora-mqtt
  environment:
    - TZ=$TZ
  network_mode: host   # host networking for Bluetooth access; no security_opt/no-new-privileges here unlike the rest of the stack - confirm the image does not also need NET_ADMIN/NET_RAW
  # user: "0"
  volumes:
    - $USERDIR/docker/miflora-mqtt/config:/config   # config.ini holds the MQTT username/password used against mosquitto
  restart: unless-stopped
-------------------------------------------------------------------------------- /compose/archives/mkvtoolnix.yml: --------------------------------------------------------------------------------
# MKVToolNix - Video Editing (Remuxing - changing media container while keeping original source quality)
mkvtoolnix:
  <<: *common-keys-apps # See EXTENSION FIELDS at the top
  image: jlesage/mkvtoolnix:latest
  container_name: mkvtoolnix
  # ports:
  #   - "$MKVTOOLNIX_PORT:5800"
  volumes:
    - $DATADIR/downloads:/data/downloads
    - $DOCKERDIR/appdata/mkvtoolnix/config:/config:rw
  environment:
    USER_ID: $PUID
    GROUP_ID: $PGID
    UMASK: 002
    TZ: $TZ
    KEEP_APP_RUNNING: 1
    CLEAN_TMP_DIR: 1
    DISPLAY_WIDTH: 1600
    DISPLAY_HEIGHT: 960
    VNC_PASSWORD: $MKVTOOLNIX_VNC_PASSWD   # second factor behind chain-oauth for the noVNC desktop
  labels:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.mkvtoolnix-rtr.entrypoints=https"
    - "traefik.http.routers.mkvtoolnix-rtr.rule=Host(`mkvtoolnix.$DOMAINNAME_CLOUD_SERVER`)"
    ## Middlewares
    - "traefik.http.routers.mkvtoolnix-rtr.middlewares=chain-oauth@file"
    ## HTTP Services
    - "traefik.http.routers.mkvtoolnix-rtr.service=mkvtoolnix-svc"
    - "traefik.http.services.mkvtoolnix-svc.loadbalancer.server.port=5800"
-------------------------------------------------------------------------------- /compose/archives/mosquitto.yml: --------------------------------------------------------------------------------
# Mosquitto - MQTT Broker
# Create mosquitto.conf, passwd, mosquitto.log files and set permissions to 775 user:docker
#   (review: passwd holds password hashes - 0640 owner:docker is enough; it should not be group-writable.
#    mosquitto.conf must also set `allow_anonymous false` and `password_file /mosquitto/config/passwd`,
#    otherwise the passwd file below is never consulted.)
# dexec mosquitto /bin/sh -> mosquitto_passwd -b /mosquitto/config/passwd username passwd
mosquitto:
  <<: *common-keys-apps # See EXTENSION FIELDS at the top
  image: eclipse-mosquitto:latest
  container_name: mosquitto
  ports:
    - "$MOSQUITTO_HTTP_PORT:1883" #http   # (this is plain MQTT, not HTTP: unencrypted, so the passwd credentials cross the wire in clear - LAN/VPN only)
    - "9001:9001" #websockets   # (plain ws://, same caveat)
    # - "$MOSQUITTO_HTTPS_PORT:8883" #https   # (MQTT over TLS - the only listener that is safe to expose beyond the LAN)
volumes: 13 | - $DOCKERDIR/appdata/mosquitto/config/mosquitto.conf:/mosquitto/config/mosquitto.conf 14 | - $DOCKERDIR/appdata/mosquitto/config/passwd:/mosquitto/config/passwd 15 | - $DOCKERDIR/shared:/shared 16 | environment: 17 | PUID: $PUID 18 | PGID: $PGID 19 | TZ: $TZ -------------------------------------------------------------------------------- /compose/archives/musicbrainz.yml: -------------------------------------------------------------------------------- 1 | # MusicBrainz - Music Library Tagging and Management 2 | musicbrainz: 3 | image: ghcr.io/linuxserver/musicbrainz 4 | container_name: musicbrainz 5 | restart: "no" 6 | # profiles: 7 | # - media 8 | networks: 9 | - t2_proxy 10 | security_opt: 11 | - no-new-privileges:true 12 | # ports: 13 | # - "$MUSICBRAINZ_PORT:5000" 14 | volumes: 15 | - $DOCKERDIR/appdata/musicbrainz/config:/config 16 | - $DATADIR/temp/docker/appdata/musicbrainz/data:/data 17 | environment: 18 | PUID: $PUID 19 | PGID: $PGID 20 | TZ: $TZ 21 | FILE__BRAINZCODE: /run/secrets/brainzcode 22 | WEBADDRESS: $SERVER_IP 23 | #NPROC: #optional 24 | secrets: 25 | - brainzcode 26 | labels: 27 | - "traefik.enable=true" 28 | ## HTTP Routers 29 | - "traefik.http.routers.musicbrainz-rtr.entrypoints=https" 30 | - "traefik.http.routers.musicbrainz-rtr.rule=Host(`brainz.$DOMAINNAME0`)" 31 | ## Middlewares 32 | - "traefik.http.routers.musicbrainz-rtr.middlewares=chain-oauth@file" 33 | ## HTTP Services 34 | - "traefik.http.routers.musicbrainz-rtr.service=musicbrainz-svc" 35 | - "traefik.http.services.musicbrainz-svc.loadbalancer.server.port=5000" -------------------------------------------------------------------------------- /compose/archives/navidrome.yml: -------------------------------------------------------------------------------- 1 | # Navidrome - Music Server 2 | navidrome: 3 | <<: *common-keys-media # See EXTENSION FIELDS at the top 4 | container_name: navidrome 5 | image: deluan/navidrome:latest 6 | # ports: 7 | # - "$FUNKWHALE_PORT:4533" 8 | 
user: $PUID:$PGID 9 | volumes: 10 | - $DOCKERDIR/appdata/navidrome:/data 11 | - $DATADIR/media/music/English:/music/English:ro 12 | - $DATADIR/media/music/Kids:/music/Kids:ro 13 | environment: 14 | - TZ=$TZ 15 | - ND_SCANSCHEDULE=1h 16 | - ND_LOGLEVEL=info 17 | #- ND_BASEURL="" 18 | - ND_SESSIONTIMEOUT=24h 19 | labels: 20 | - "traefik.enable=true" 21 | ## HTTP Routers 22 | - "traefik.http.routers.navidrome-rtr.entrypoints=https" 23 | - "traefik.http.routers.navidrome-rtr.rule=Host(`proxnd.$DOMAINNAME0`)" 24 | ## Middlewares 25 | - "traefik.http.routers.navidrome-rtr.middlewares=chain-no-auth@file" 26 | ## HTTP Services 27 | - "traefik.http.routers.navidrome-rtr.service=navidrome-svc" 28 | - "traefik.http.services.navidrome-svc.loadbalancer.server.port=4533" -------------------------------------------------------------------------------- /compose/archives/node-exporter.yml: -------------------------------------------------------------------------------- 1 | # Node Exporter - Metrics to Prometheus 2 | node-exporter: 3 | <<: *common-keys-monitoring # See EXTENSION FIELDS at the top 4 | container_name: node-exporter 5 | image: prom/node-exporter:latest 6 | ports: 7 | - "$NODE_EXPORTER_PORT:9100" 8 | volumes: 9 | - /proc:/host/proc:ro 10 | - /sys:/host/sys:ro 11 | - /:/rootfs:ro 12 | command: 13 | - '--path.procfs=/host/proc' 14 | - '--path.sysfs=/host/sys' 15 | - --collector.filesystem.ignored-mount-points 16 | - "^/(sys|proc|dev|host|etc|rootfs/var/lib/docker/containers|rootfs/var/lib/docker/overlay2|rootfs/run/docker/netns|rootfs/var/lib/docker/aufs)($$|/)" -------------------------------------------------------------------------------- /compose/archives/nzbhydra.yml: -------------------------------------------------------------------------------- 1 | # NZBHydra2 - NZB meta search 2 | hydra: 3 | <<: *common-keys-apps # See EXTENSION FIELDS at the top 4 | image: linuxserver/nzbhydra2:latest 5 | container_name: hydra 6 | ports: 7 | - "$NZBHYDRA_PORT:5076" 8 | volumes: 
9 | - $DOCKERDIR/appdata/hydra2:/config 10 | - $DATADIR/downloads:/data/downloads 11 | environment: 12 | <<: *default-tz-puid-pgid 13 | labels: 14 | - "traefik.enable=true" 15 | ## HTTP Routers 16 | - "traefik.http.routers.hydra-rtr.entrypoints=https" 17 | - "traefik.http.routers.hydra-rtr.rule=Host(`hydra.$DOMAINNAME0`)" 18 | ## Middlewares 19 | - "traefik.http.routers.hydra-rtr.middlewares=chain-oauth@file" 20 | ## HTTP Services 21 | - "traefik.http.routers.hydra-rtr.service=hydra-svc" 22 | - "traefik.http.services.hydra-svc.loadbalancer.server.port=5076" -------------------------------------------------------------------------------- /compose/archives/ombi.yml: -------------------------------------------------------------------------------- 1 | # Ombi - Media Requests 2 | ombi: 3 | image: linuxserver/ombi:latest 4 | container_name: ombi 5 | restart: unless-stopped 6 | networks: 7 | - t2_proxy 8 | # ports: 9 | # - "$OMBI_PORT:3579" 10 | security_opt: 11 | - no-new-privileges:true 12 | volumes: 13 | - $DOCKERDIR/appdata/ombi:/config 14 | environment: 15 | PUID: $PUID 16 | PGID: $PGID 17 | TZ: $TZ 18 | BASE_URL: /ombi #optional 19 | labels: 20 | - "traefik.enable=true" 21 | ## HTTP Routers 22 | - "traefik.http.routers.ombi-rtr.entrypoints=https" 23 | - "traefik.http.routers.ombi-rtr.rule=Host(`ombi.$DOMAINNAME`)" 24 | ## Middlewares 25 | - "traefik.http.routers.ombi-rtr.middlewares=chain-no-auth@file" 26 | ## HTTP Services 27 | - "traefik.http.routers.ombi-rtr.service=ombi-svc" 28 | - "traefik.http.services.ombi-svc.loadbalancer.server.port=3579" -------------------------------------------------------------------------------- /compose/archives/ouroboros.yml: -------------------------------------------------------------------------------- 1 | # Ouroboros - Automatic Docker Container Updates 2 | ouroboros: 3 | image: pyouroboros/ouroboros:latest 4 | container_name: ouroboros 5 | restart: unless-stopped 6 | networks: 7 | - default 8 | - socket_proxy 9 | # depends_on: 
10 | # - socket-proxy 11 | volumes: 12 | # - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy instead for improved security 13 | - $DOCKERDIR/ouroboros/config.json:/root/.docker/config.json:ro 14 | environment: 15 | TZ: $TZ 16 | INTERVAL: 86400 17 | LOG_LEVEL: info 18 | SELF_UPDATE: "true" 19 | CLEANUP: "true" 20 | IGNORE: traefik influxdb hassio_dns homeassistant hassio_supervisor addon_core_check_config addon_62c7908d_autobackup plexms 21 | NOTIFIERS: "tgram://$TGRAM_BOT_TOKEN/$TGRAM_CHAT_ID/" 22 | DOCKER_SOCKETS: tcp://socket-proxy:2375 # POST to be enabled on Socket Proxy -------------------------------------------------------------------------------- /compose/archives/photoshow.yml: -------------------------------------------------------------------------------- 1 | # Photoshow - Simple Photo Viewer 2 | photoshow: 3 | <<: *common-keys-media # See EXTENSION FIELDS at the top 4 | image: lscr.io/linuxserver/photoshow 5 | container_name: photoshow 6 | volumes: 7 | - $DATADIR/media/misc:/Pictures 8 | - $DOCKERDIR/appdata/photoshow:/config 9 | - $DATADIR/temp/appdata/photoshow:/Thumbs 10 | environment: 11 | <<: *default-tz-puid-pgid 12 | labels: 13 | - "traefik.enable=true" 14 | ## HTTP Routers 15 | - "traefik.http.routers.photoshow-rtr.entrypoints=https" 16 | - "traefik.http.routers.photoshow-rtr.rule=Host(`photoshow.$DOMAINNAME0`)" 17 | ## Middlewares 18 | - "traefik.http.routers.photoshow-rtr.middlewares=chain-oauth@file" 19 | ## HTTP Services 20 | - "traefik.http.routers.photoshow-rtr.service=photoshow-svc" 21 | - "traefik.http.services.photoshow-svc.loadbalancer.server.port=80" -------------------------------------------------------------------------------- /compose/archives/plex-sync.yml: -------------------------------------------------------------------------------- 1 | # Plex-Sync - For Syncing watched status between plex servers 2 | plex-sync: 3 | image: patsissons/plex-sync:develop 4 | container_name: plex-sync 5 | security_opt: 6 | - 
no-new-privileges:true 7 | environment: 8 | INITIAL_RUN: "true" 9 | # DRY_RUN: 0 10 | CRON_SCHEDULE: "*/5 * * * *" 11 | SECTION_MAPS: $SYN_PLEX/$SYN_PLEX_HOLLYWOOD $NUC_PLEX/$NUC_PLEX_HOLLYWOOD | $SYN_PLEX/$SYN_PLEX_TVSHOWS $NUC_PLEX/$NUC_PLEX_TVSHOWS | $SYN_PLEX/$SYN_PLEX_INDIAN $NUC_PLEX/$NUC_PLEX_INDIAN | $SYN_PLEX/$SYN_PLEX_KOLLYWOOD $NUC_PLEX/$NUC_PLEX_KOLLYWOOD | $SYN_PLEX/$SYN_PLEX_DOCMOVIES $NUC_PLEX/$NUC_PLEX_DOCMOVIES | $SYN_PLEX/$SYN_PLEX_DOCSHOWS $NUC_PLEX/$NUC_PLEX_DOCSHOWS | $SYN_PLEX/$SYN_PLEX_KIDSMOVIES $NUC_PLEX/$NUC_PLEX_KIDSMOVIES | $SYN_PLEX/$SYN_PLEX_INTERNATIONAL $NUC_PLEX/$NUC_PLEX_INTERNATIONAL 12 | restart: unless-stopped 13 | -------------------------------------------------------------------------------- /compose/archives/plex-trakt-sync.yml: -------------------------------------------------------------------------------- 1 | # PlexTraktSync 2 | # Create Trakt Application https://github.com/Taxel/PlexTraktSync 3 | # Had to run this first before starting compose 4 | # git clone -b plexmovieagent-fixed https://github.com/Taxel/PlexTraktSync.git /home/USER/docker/apps/ 5 | # sudo docker run -it --name ptsync -v /home/USER/docker/apps/PlexTraktSync:/usr/src/app -e TZ="America/New_York" --restart on-failure:2 twolaw/plextraktsync:latest 6 | # change permissions of .env and .pytrakt.json to 600 and root:root 7 | ptsync: 8 | image: twolaw/plextraktsync:latest 9 | container_name: ptsync 10 | restart: unless-stopped 11 | networks: 12 | - t2_proxy 13 | security_opt: 14 | - no-new-privileges:true 15 | environment: 16 | TZ: $TZ 17 | volumes: 18 | - $DOCKERDIR/apps/pts-mafixed:/usr/src/app # plexmovieagent-fixed branch -------------------------------------------------------------------------------- /compose/archives/postgres.yml: -------------------------------------------------------------------------------- 1 | # Postgres - Database 2 | postgres: 3 | image: postgres 4 | container_name: postgres 5 | restart: always 6 | security_opt: 7 | - 
no-new-privileges:true 8 | volumes: 9 | - $DOCKERDIR/postgres:/var/lib/postgresql/data 10 | environment: 11 | POSTGRES_PASSWORD: $STATPING_DB_PASS 12 | POSTGRES_USER: $STATPING_DB_USER 13 | POSTGRES_DB: $STATPING_DB -------------------------------------------------------------------------------- /compose/archives/promtail.yml: -------------------------------------------------------------------------------- 1 | # Promtail - Log Scraping/Shipping Agent 2 | promtail: 3 | <<: *common-keys-monitoring # See EXTENSION FIELDS at the top 4 | container_name: promtail 5 | image: grafana/promtail:latest 6 | volumes: 7 | - /var/log:/var/log 8 | - /media/cbox/log:/data/logs/cbox 9 | - $DOCKERDIR/logs/homeserver:/data/logs/scripts 10 | - $DOCKERDIR/appdata/promtail:/etc/promtail 11 | # ports: 12 | # - "1514:1514" # this is only needed if you are going to send syslogs 13 | command: -config.file=/etc/promtail/config.yml 14 | -------------------------------------------------------------------------------- /compose/archives/pyrenamer.yml: -------------------------------------------------------------------------------- 1 | #PyRenamer - Easily Rename Your Files 2 | pyrenamer: 3 | image: mikenye/pyrenamer:latest 4 | container_name: pyrenamer 5 | restart: "no" 6 | networks: 7 | - t2_proxy 8 | security_opt: 9 | - no-new-privileges:true 10 | # ports: 11 | # - "$PYRENAMER_PORT:5800" 12 | volumes: 13 | - $USERDIR/Downloads:/data/downloads:rw 14 | - $DOCKERDIR/appdata/pyrenamer:/config:rw 15 | - /media/shb-drive/data/media:/data/shb:rw 16 | - /media/ds918/data/media:/data/ds918:rw 17 | - /dev/shm:/dev/shm 18 | environment: 19 | USER_ID: $PUID 20 | GROUP_ID: $PGID 21 | TZ: $TZ 22 | UMASK: 002 23 | DISPLAY_WIDTH: 1600 24 | DISPLAY_HEIGHT: 960 25 | labels: 26 | - "traefik.enable=true" 27 | ## HTTP Routers 28 | - "traefik.http.routers.pyrenamer-rtr.entrypoints=https" 29 | - "traefik.http.routers.pyrenamer-rtr.rule=Host(`pyrenamer.$DOMAINNAME`)" 30 | ## Middlewares 31 | - 
"traefik.http.routers.pyrenamer-rtr.middlewares=chain-oauth@file"
      ## HTTP Services
      - "traefik.http.routers.pyrenamer-rtr.service=pyrenamer-svc"
      - "traefik.http.services.pyrenamer-svc.loadbalancer.server.port=5800"
--------------------------------------------------------------------------------
/compose/archives/readarr.yml:
--------------------------------------------------------------------------------
# Readarr - Books management
# Set url_base in readarr settings if using PathPrefix
readarr:
  # Floating `nightly` tag: every pull may bring a different build. Pin a
  # digest (or at least a release tag) if reproducibility matters here.
  image: hotio/readarr:nightly
  container_name: readarr
  security_opt:
    - no-new-privileges:true
  restart: "no"
  profiles: ["media","arrs", "all"]
  networks:
    - t2_proxy
  ports:
    # Published directly on the host, so clients reaching host port 8787 bypass
    # the chain-oauth middleware attached to the Traefik router below; only
    # Readarr's own login (if enabled) protects that path. Sibling services in
    # this directory keep `ports:` commented out (e.g. pyrenamer, smokeping)
    # and rely on the router alone -- consider the same here.
    - "8787:8787"
  volumes:
    - $DOCKERDIR/appdata/readarr:/config
    - $DATADIR:/data # whole data tree, mounted read-write
    - "/etc/localtime:/etc/localtime:ro"
  environment:
    TZ: $TZ
    PUID: $PUID
    PGID: $PGID
    UMASK: 002
    #ARGS: ""
  labels:
    - "traefik.enable=true"
    ## HTTP Routers Auth
    - "traefik.http.routers.readarr-rtr.entrypoints=https"
    - "traefik.http.routers.readarr-rtr.rule=Host(`readarr.$DOMAINNAME_CLOUD_SERVER`)"
    ## Middlewares
    - "traefik.http.routers.readarr-rtr.middlewares=chain-oauth@file"
    ## HTTP Services
    - "traefik.http.routers.readarr-rtr.service=readarr-svc"
    - "traefik.http.services.readarr-svc.loadbalancer.server.port=8787"
--------------------------------------------------------------------------------
/compose/archives/redis-commander.yml:
--------------------------------------------------------------------------------
# Redis Commander - Redis Management Tool
rediscommander:
  container_name: rediscommander
  image: rediscommander/redis-commander:latest
  restart: unless-stopped
  networks:
    - t2_proxy
  security_opt:
    - no-new-privileges:true
  environment:
    - REDIS_HOST=redis
    # Secret handed over as a plain environment variable, so it is readable by
    # anyone who can run `docker inspect` on this container. musicbrainz in this
    # same directory uses `secrets:` plus a FILE__ variable instead; do the same
    # here if the image supports a file-based password.
    - REDIS_PASSWORD=$REDIS_PASSWORD
  labels:
    -
"traefik.enable=true" 15 | ## HTTP Routers 16 | - "traefik.http.routers.rediscommander-rtr.entrypoints=https" 17 | - "traefik.http.routers.rediscommander-rtr.rule=HostHeader(`rediscom.$DOMAINNAME`)" 18 | ## Middlewares 19 | - "traefik.http.routers.rediscommander-rtr.middlewares=chain-oauth@file" 20 | ## HTTP Services 21 | - "traefik.http.routers.rediscommander-rtr.service=rediscommander-svc" 22 | - "traefik.http.services.rediscommander-svc.loadbalancer.server.port=8081" -------------------------------------------------------------------------------- /compose/archives/smokeping.yml: -------------------------------------------------------------------------------- 1 | # SmokePing - Network latency Monitoring 2 | smokeping: 3 | image: linuxserver/smokeping:latest 4 | container_name: smokeping 5 | restart: unless-stopped 6 | networks: 7 | - t2_proxy 8 | security_opt: 9 | - no-new-privileges:true 10 | # ports: 11 | # - "$SMOKEPING_PORT:80" 12 | volumes: 13 | - $DOCKERDIR/smokeping/config:/config 14 | - $DOCKERDIR/smokeping/data:/data 15 | environment: 16 | PUID: $PUID 17 | PGID: $PGID 18 | TZ: $TZ 19 | labels: 20 | - "traefik.enable=true" 21 | ## HTTP Routers 22 | - "traefik.http.routers.smokeping-rtr.entrypoints=https" 23 | - "traefik.http.routers.smokeping-rtr.rule=HostHeader(`smokeping.$DOMAINNAME`)" 24 | ## Middlewares 25 | - "traefik.http.routers.smokeping-rtr.middlewares=chain-authelia@file" 26 | ## HTTP Services 27 | - "traefik.http.routers.smokeping-rtr.service=smokeping-svc" 28 | - "traefik.http.services.smokeping-svc.loadbalancer.server.port=80" -------------------------------------------------------------------------------- /compose/archives/smtp-to-telegram.yml: -------------------------------------------------------------------------------- 1 | # SMTP to Telegram - Send SMTP Notifications as Telegram Message 2 | # Use case: https://github.com/htpcBeginner/docker-traefik/issues/78 3 | smtp_to_telegram: 4 | image: kostyaesmukov/smtp_to_telegram 5 | 
container_name: smtp_to_telegram 6 | restart: always 7 | networks: 8 | - default 9 | environment: 10 | TZ: $TZ 11 | ST_TELEGRAM_CHAT_IDS: $TGRAM_CHAT_ID 12 | ST_TELEGRAM_BOT_TOKEN: $TGRAM_BOT_TOKEN 13 | ST_TELEGRAM_MESSAGE_TEMPLATE: "{subject}\\n{body}" -------------------------------------------------------------------------------- /compose/archives/tdarr-node.yml: -------------------------------------------------------------------------------- 1 | # Tdarr Node - Transcoder Node 2 | tdarr-node1: 3 | image: haveagitgat/tdarr_node:latest 4 | container_name: tdarr-node1 5 | security_opt: 6 | - no-new-privileges:true 7 | restart: unless-stopped 8 | # profiles: ["media", "all"] 9 | networks: 10 | - t2_proxy 11 | 12 | environment: 13 | TZ: $TZ 14 | PUID: $PUID 15 | PGID: $PGID 16 | UMASK_SET: 002 17 | nodeID: Node1 18 | nodeIP: tdarr-node1 # or hostname 19 | nodePort: 8267 20 | serverIP: tdarr # or hostname 21 | serverPort: 8266 22 | volumes: 23 | - $DOCKERDIR/appdata/tdarr/configs:/app/configs 24 | - $DOCKERDIR/appdata/tdarr/logs:/app/logs 25 | - $DOWNLOADSDIR/transcode/tdarr:/data/temp 26 | - $ZDATADIR/Photos/zVideos:/data/media:ro 27 | - $DATADIR2/media/zvideos:/data/output -------------------------------------------------------------------------------- /compose/archives/tiny-media-manager.yml: -------------------------------------------------------------------------------- 1 | # Tiny Media Manager - Media and Metadata Management Tool 2 | tinymm: 3 | image: romancin/tinymediamanager:latest 4 | container_name: tinymm 5 | restart: "no" 6 | networks: 7 | - t2_proxy 8 | security_opt: 9 | - no-new-privileges:true 10 | # ports: 11 | # - "$TINYMM_PORT:5800" 12 | volumes: 13 | - $DOCKERDIR/appdata/tinymm:/config 14 | - $DATADIR/media:/data/media 15 | - $DATADIR/downloads:/data/downloads 16 | environment: 17 | USER_ID: $PUID 18 | GROUP_ID: $PGID 19 | TZ: $TZ 20 | UMASK: 002 21 | KEEP_APP_RUNNING: 1 22 | CLEAN_TMP_DIR: 1 23 | DISPLAY_WIDTH: 1600 24 | DISPLAY_HEIGHT: 960 25 | 
VNC_PASSWD: $TINYMM_VNC_PASSWD 26 | labels: 27 | - "traefik.enable=true" 28 | ## HTTP Routers 29 | - "traefik.http.routers.tinymm-rtr.entrypoints=https" 30 | - "traefik.http.routers.tinymm-rtr.rule=Host(`tmm.$DOMAINNAME0`)" 31 | ## Middlewares 32 | - "traefik.http.routers.tinymm-rtr.middlewares=chain-oauth@file" 33 | ## HTTP Services 34 | - "traefik.http.routers.tinymm-rtr.service=tinymm-svc" 35 | - "traefik.http.services.tinymm-svc.loadbalancer.server.port=5800" -------------------------------------------------------------------------------- /compose/archives/traefik-certs-dumper.yml: -------------------------------------------------------------------------------- 1 | # Traefik Certs Dumper - Extract LetsEncrypt Certificates - Traefik2 Compatible 2 | certdumper: 3 | container_name: traefik_certdumper 4 | image: humenius/traefik-certs-dumper:latest 5 | network_mode: none 6 | # profiles: 7 | # - core 8 | security_opt: 9 | - no-new-privileges:true 10 | # command: --restart-containers container1,container2,container3 11 | volumes: 12 | - $DOCKERDIR/appdata/traefik2/acme:/traefik:ro 13 | - $DOCKERDIR/shared/certs/home:/output:rw 14 | # - /var/run/docker.sock:/var/run/docker.sock:ro # Only needed if restarting containers (use Docker Socket Proxy instead) 15 | environment: 16 | DOMAIN: $DOMAINNAME0 -------------------------------------------------------------------------------- /compose/archives/traefik-error-pages.yml: -------------------------------------------------------------------------------- 1 | # Traefik - Custom Error Pages 2 | # Obsoleted because I did not spend any more time on it to customize and don't see the value 3 | traefik-error-pages: 4 | container_name: traefik-error-pages 5 | image: guillaumebriday/traefik-custom-error-pages 6 | restart: unless-stopped 7 | networks: 8 | - t2_proxy 9 | labels: 10 | - "traefik.enable=true" 11 | # HTTP Routers 12 | - "traefik.http.routers.traefik-error-pages-rtr.entrypoints=https" 13 | - 
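"traefik.http.routers.traefik-error-pages-rtr.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.traefik-error-pages-rtr.priority=1"
      # Middlewares
      - "traefik.http.routers.traefik-error-pages-rtr.middlewares=traefik-error-pages"
      - "traefik.http.middlewares.traefik-error-pages.errors.service=traefik-error-pages-svc"
      - "traefik.http.middlewares.traefik-error-pages.errors.status=401,403,404,429,500,502,503"
      - "traefik.http.middlewares.traefik-error-pages.errors.query=/{status}.html"
      # HTTP Services
      - "traefik.http.routers.traefik-error-pages-rtr.service=traefik-error-pages-svc"
      - "traefik.http.services.traefik-error-pages-svc.loadbalancer.server.port=80"
--------------------------------------------------------------------------------
/compose/archives/unmanic.yml:
--------------------------------------------------------------------------------
# Unmanic - Library Optimizer
# Fix: the router pointed at `vscode-svc`, a service that is not defined in
# this file; the only service declared below is `unmanic-svc`, so the router
# now references that one. Everything else is unchanged.
unmanic:
  container_name: unmanic
  image: josh5/unmanic:latest
  # `privileged: true` gives the container every capability and all host
  # devices. The commented-out `devices:` entry further down (/dev/dri) is the
  # narrower way to hand the GPU to the container for VAAPI (see the LIBVA_*
  # variables) -- presumably the reason privileged was set; confirm before
  # switching. This service also lacks the `no-new-privileges` security_opt
  # that e.g. readarr and tinymm in this directory carry.
  privileged: true
  ports:
    # Published straight on the host. Traffic arriving on host port 8888 does
    # not pass through the chain-oauth router declared in the labels below.
    - 8888:8888
  environment:
    - PUID=$PUID
    - PGID=$PGID
    - LIBVA_DRIVER_NAME=i965
    - LIBVA_DRIVERS_PATH=/usr/lib/x86_64-linux-gnu/dri
    - TZ=$TZ
  # devices:
  #   - /dev/dri:/dev/dri # for hardware transcoding
  volumes:
    - $DOCKERDIR/appdata/unmanic:/config
    # /data/x265 and /data/transcode both map $DATADIR2/media/zvideos -- looks
    # intentional (one tree seen under two names) but worth confirming.
    - $DATADIR2/media/zvideos:/data/x265
    - $ZDATADIR/Photos/zVideos/Test:/data/source
    - $DATADIR2/media/zvideos:/data/transcode
    - /dev/shm:/dev/shm # bind-mounts the host's /dev/shm into the container
  labels:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.unmanic-rtr.entrypoints=https"
    # Host label kept as-is; `unmaic` may be a typo for `unmanic` -- verify against DNS.
    - "traefik.http.routers.unmanic-rtr.rule=Host(`unmaic.$DOMAINNAME_HOME_SYNOLOGY`)"
    ## Middlewares
    - "traefik.http.routers.unmanic-rtr.middlewares=chain-oauth@file"
    ## HTTP Services
    - "traefik.http.routers.unmanic-rtr.service=unmanic-svc" # was vscode-svc, which is not defined here
    - "traefik.http.services.unmanic-svc.loadbalancer.server.port=8888"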
-------------------------------------------------------------------------------- /compose/archives/watchtower.yml: -------------------------------------------------------------------------------- 1 | # WatchTower - Automatic Docker Container Updates 2 | watchtower: 3 | image: containrrr/watchtower 4 | container_name: watchtower 5 | restart: unless-stopped 6 | networks: 7 | - socket_proxy 8 | depends_on: 9 | - socket-proxy 10 | environment: 11 | TZ: $TZ 12 | WATCHTOWER_CLEANUP: "true" 13 | WATCHTOWER_REMOVE_VOLUMES: "true" 14 | WATCHTOWER_INCLUDE_STOPPED: "true" 15 | WATCHTOWER_NO_STARTUP_MESSAGE: "false" 16 | WATCHTOWER_SCHEDULE: "0 30 12 * * *" # Everyday at 12:30 17 | WATCHTOWER_NOTIFICATIONS: shoutrrr 18 | WATCHTOWER_NOTIFICATION_URL: "telegram://$TGRAM_BOT_TOKEN@telegram?channels=$TGRAM_CHAT_ID" 19 | WATCHTOWER_NOTIFICATIONS_LEVEL: info 20 | DOCKER_HOST: tcp://socket-proxy:2375 21 | DOCKER_API_VERSION: "1.40" -------------------------------------------------------------------------------- /compose/archives/xteve.yml: -------------------------------------------------------------------------------- 1 | # xTeve - IPTV proxy for Plex 2 | xteve: 3 | image: alturismo/xteve 4 | container_name: xteve 5 | restart: unless-stopped 6 | # network_mode: host 7 | networks: 8 | - t2_proxy 9 | ports: 10 | - "34400:34400" 11 | - "1901:1900" 12 | # user: "0" 13 | # logging: 14 | # options: 15 | # max-size: "10m" 16 | # max-files: 3 17 | environment: 18 | TZ: $TZ 19 | volumes: 20 | - $USERDIR/docker/xteve:/config:rw 21 | - /dev/shm:/tmp/xteve 22 | labels: 23 | - "traefik.enable=true" 24 | ## HTTP Routers 25 | - "traefik.http.routers.xteve-rtr.entrypoints=https" 26 | - "traefik.http.routers.xteve-rtr.rule=Host(`xteve.$DOMAINNAME`)" 27 | - "traefik.http.routers.xteve-rtr.tls=true" 28 | ## Middlewares 29 | - "traefik.http.routers.xteve-rtr.middlewares=chain-authelia@file" 30 | ## HTTP Services 31 | - "traefik.http.routers.xteve-rtr.service=xteve-svc" 32 | - 
"traefik.http.services.xteve-svc.loadbalancer.server.port=34400" -------------------------------------------------------------------------------- /compose/archives/youtubedl-material.yml: -------------------------------------------------------------------------------- 1 | youtubedl-material: 2 | <<: *common-keys-apps # See EXTENSION FIELDS at the top 3 | image: tzahi12345/youtubedl-material:latest 4 | container_name: youtubedl-material 5 | # ports: 6 | # - "$YOUTUBEDLMATERIAL_PORT:17442" 7 | volumes: 8 | - $DOCKERDIR/appdata/youtubedl-material/config:/app/appdata 9 | - $DATADIR/downloads/youtubedl-material/audio:/app/audio 10 | - $DATADIR/downloads/youtubedl-material/video:/app/video 11 | - $DATADIR/downloads/youtubedl-material/subscriptions:/app/subscriptions 12 | - $DOCKERDIR/appdata/youtubedl-material/users:/app/users 13 | environment: 14 | UID: $PUID 15 | GID: $PGID 16 | labels: 17 | - "traefik.enable=true" 18 | ## HTTP Routers 19 | - "traefik.http.routers.youtubedl-material-rtr.entrypoints=https" 20 | - "traefik.http.routers.youtubedl-material-rtr.rule=Host(`ytdl.$DOMAINNAME_CLOUD_SERVER`)" 21 | ## Middlewares 22 | - "traefik.http.routers.youtubedl-material-rtr.middlewares=chain-oauth@file" 23 | ## HTTP Services 24 | - "traefik.http.routers.youtubedl-material-rtr.service=youtubedl-material-svc" 25 | - "traefik.http.services.youtubedl-material-svc.loadbalancer.server.port=17442" 26 | -------------------------------------------------------------------------------- /compose/dns/adguardhome-sync.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # AdGuard Home Sync - Sync Settings between AdGuard Homes 3 | adguardhome-sync: 4 | image: lscr.io/linuxserver/adguardhome-sync:latest 5 | container_name: adguardhome-sync 6 | restart: unless-stopped 7 | profiles: ["core", "all", "dns"] 8 | environment: 9 | TZ: $TZ 10 | PUID: $PUID 11 | PGID: $PGID 12 | CONFIGFILE: /config/adguardhome-sync.yaml #optional 13 | volumes: 14 
| - $DOCKERDIR/appdata/adguardhome-sync:/config -------------------------------------------------------------------------------- /compose/dns/adguardhome.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # AdGuard Home - DNS AdBlocking 3 | adguardhome: 4 | container_name: adguardhome 5 | image: adguard/adguardhome 6 | restart: unless-stopped 7 | profiles: ["core", "all", "dns"] 8 | network_mode: host 9 | # networks: 10 | # - default 11 | # ports: 12 | # - 53:53/udp 13 | # - 67:67/udp 14 | # - 68:68/tcp 15 | # - 1068:68/udp # port conflict with Raspbery PI OS DHCPD https://github.com/AdguardTeam/AdGuardHome/issues/1049 16 | # - 81:80/tcp 17 | # - 444:443/tcp 18 | # - 853:853/tcp 19 | # # - 3000:3000/tcp 20 | volumes: 21 | - $DOCKERDIR/appdata/adguardhome/conf:/opt/adguardhome/conf 22 | - $DOCKERDIR/appdata/adguardhome/work:/opt/adguardhome/work 23 | # - $DOCKERDIR/shared/certs/$DOMAINNAME_SHB:/certs # optional: if you have your own SSL certs -------------------------------------------------------------------------------- /compose/dns/ddns-updater.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Cloudflare DDNS - Dynamic DNS Updater 3 | ddns-updater: 4 | image: qmcgaw/ddns-updater 5 | container_name: ddns-updater 6 | restart: unless-stopped 7 | profiles: ["core", "all", "dns"] 8 | networks: 9 | - t2_proxy 10 | ports: 11 | - 8000:8000/tcp 12 | volumes: 13 | - $DOCKERDIR/appdata/ddns-updater:/updater/data # Owned by UID 1000 14 | environment: 15 | TZ: $TZ 16 | PERIOD: 4h 17 | UPDATE_COOLDOWN_PERIOD: 5m 18 | PUBLICIP_DNS_TIMEOUT: 3s 19 | HTTP_TIMEOUT: 10s 20 | DATADIR: /updater/data 21 | # Web UI 22 | LISTENING_PORT: 8000 23 | # Backup 24 | BACKUP_PERIOD: 96h # 0 to disable 25 | BACKUP_DIRECTORY: /updater/data/backups 26 | # Other 27 | LOG_LEVEL: warning 28 | SHOUTRRR_ADDRESSES: $DISCORD_SHOUTRRR_ADDRESS 
-------------------------------------------------------------------------------- /compose/dns/unbound.yml: -------------------------------------------------------------------------------- 1 | services: 2 | unbound: 3 | container_name: unbound 4 | image: mvance/unbound-rpi:latest 5 | network_mode: host 6 | volumes: 7 | - $DOCKERDIR/appdata/unbound:/opt/unbound/etc/unbound 8 | healthcheck: 9 | disable: true 10 | restart: unless-stopped 11 | profiles: ["core", "all", "dns"] -------------------------------------------------------------------------------- /compose/dns/wg-easy.yml: -------------------------------------------------------------------------------- 1 | # services: 2 | # # WG-EASY - WireGuard Easy 3 | # wg-easy: 4 | # image: weejewel/wg-easy 5 | # container_name: wg-easy 6 | # restart: unless-stopped 7 | # profiles: ["core", "all"] 8 | # network_mode: host 9 | # # networks: 10 | # # - rpi4b 11 | # cap_add: 12 | # - NET_ADMIN 13 | # - SYS_MODULE 14 | # # sysctls: 15 | # # - net.ipv4.ip_forward=1 16 | # # - net.ipv4.conf.all.src_valid_mark=1 17 | # # ports: 18 | # # - "51822:51822/udp" 19 | # # - "51821:51821/tcp" # WebUI 20 | # volumes: 21 | # - $DOCKERDIR/appdata/wireguard:/etc/wireguard 22 | # environment: 23 | # - WG_HOST=$DOMAINNAME_CLOUD_SERVER 24 | # - PASSWORD=$WGEASY_PASSWORD 25 | # # Optional: 26 | # # - WG_PORT=18205 # does not work in host mode 27 | # - WG_DEFAULT_ADDRESS=192.168.20.x 28 | # - WG_DEFAULT_DNS=192.168.1.101,192.168.1.102 29 | # # - WG_MTU=1420 30 | # - WG_ALLOWED_IPS=0.0.0.0/0, ::/0 31 | # # - WG_PRE_UP=echo "Pre Up" > /etc/wireguard/pre-up.txt 32 | # # - WG_POST_UP=echo "Post Up" > /etc/wireguard/post-up.txt 33 | # # - WG_PRE_DOWN=echo "Pre Down" > /etc/wireguard/pre-down.txt 34 | # # - WG_POST_DOWN=echo "Post Down" > /etc/wireguard/post-down.txt -------------------------------------------------------------------------------- /compose/ds918/adguardhome.yml: 
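--------------------------------------------------------------------------------
services:
  # AdGuard Home - DNS AdBlocking
  # NOTE(review): on a macvlan network the container has its own LAN address, so every
  # port it listens on (DNS, DHCP and the 80/3000 admin UI) is reachable from the LAN
  # directly, not through Traefik or the OAuth chain. Docker does not publish ports for
  # macvlan, so the `ports:` list below is documentation only - protect the admin UI
  # inside AdGuard itself.
  adguardhome:
    container_name: adguardhome
    image: adguard/adguardhome # untagged -> :latest; pin a version if you want reproducible upgrades
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    # profiles: ["core", "all"]
    networks:
      dockervlan:
        ipv4_address: 192.168.1.25 # IP address inside defined range
    ports:
      - 53/udp   # DNS
      - 67/udp   # DHCP server
      - 68/tcp   # DHCP client
      - 68/udp
      - 80/tcp   # admin UI
      - 443/tcp  # HTTPS UI / DoH
      - 853/tcp  # DNS-over-TLS
      - 3000/tcp # initial setup wizard
    volumes:
      - $DOCKERDIR/appdata/adguard/conf:/opt/adguardhome/conf
      - $DOCKERDIR/appdata/adguard/work:/opt/adguardhome/work
      # Certificate + private key for $DOMAINNAME_DS918, written by certdumper below.
      - $DOCKERDIR/shared/certs/$DOMAINNAME_DS918:/certs
--------------------------------------------------------------------------------
/compose/ds918/certdumper.yml:
--------------------------------------------------------------------------------
services:
  # Traefik Certs Dumper - Extract LetsEncrypt Certificates - Traefik2 Compatible
  # Reads Traefik's acme store read-only and writes PEM cert/key pairs into the shared
  # certs directory that other services (e.g. adguardhome) mount. That output directory
  # holds private keys - keep its host permissions tight.
  certdumper:
    container_name: traefik_certdumper
    image: humenius/traefik-certs-dumper:latest
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    # profiles: ["apps", "all"]
    networks:
      - default
    # command: --restart-containers container1,container2,container3
    volumes:
      - $DOCKERDIR/appdata/traefik2/acme:/traefik:ro
      - $DOCKERDIR/shared/certs/$DOMAINNAME_DS918:/output:rw
      # - /var/run/docker.sock:/var/run/docker.sock:ro # Only needed if restarting containers (use Docker Socket Proxy instead)
    environment:
      DOMAIN: $DOMAINNAME_DS918
--------------------------------------------------------------------------------
/compose/ds918/ddns-updater.yml:
--------------------------------------------------------------------------------
services:
  # Cloudflare DDNS - Dynamic DNS Updater
  ddns-updater:
    image: qmcgaw/ddns-updater
    container_name: ddns-updater
    security_opt:
      - no-new-privileges:true # was missing here; every other service in the stack sets it
    restart: unless-stopped
    network_mode: bridge
    ports:
      # NOTE(review): the web UI is published on all host interfaces and is not behind
      # the Traefik OAuth chain. Bind it to a specific address (e.g. 127.0.0.1:8000:8000)
      # or route it through Traefik if LAN-wide access is not intended.
      - 8000:8000/tcp
    volumes:
      # Owned by UID 1000. Presumably holds the DNS provider credentials - treat as secret.
      - $DOCKERDIR/appdata/ddns-updater:/updater/data
    environment:
      TZ: $TZ
      PUID: $PUID
      PGID: $PGID
      PERIOD: 12h
      UPDATE_COOLDOWN_PERIOD: 5m
      PUBLICIP_DNS_TIMEOUT: 3s
      HTTP_TIMEOUT: 10s
      # Web UI
      LISTENING_PORT: 8000
      # Backup
      BACKUP_PERIOD: 96h # 0 to disable
      BACKUP_DIRECTORY: /updater/data/backups
      # Other
      LOG_LEVEL: info
      SHOUTRRR_ADDRESSES: $DISCORD_SHOUTRRR_ADDRESS
--------------------------------------------------------------------------------
/compose/ds918/docker-gc.yml:
--------------------------------------------------------------------------------
services:
  # Docker-GC - Automatic Docker Garbage Collection
  # Create docker-gc-exclude file
  # Talks to the daemon via the socket proxy (DOCKER_HOST) instead of the raw socket;
  # the proxy still has to allow the image/container/volume delete calls this needs.
  docker-gc:
    image: clockworksoul/docker-gc-cron:latest
    container_name: docker-gc
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    # profiles: ["apps", "all"]
    networks:
      - socket_proxy
    volumes:
      # - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy instead for improved security
      - $DOCKERDIR/appdata/docker-gc/docker-gc-exclude:/etc/docker-gc-exclude
    environment:
      CRON: "0 0 0 * * ?" # Everyday at midnight. Previously 0 0 * * * (quoted so * and ? are never read as YAML syntax)
      FORCE_IMAGE_REMOVAL: 1
      FORCE_CONTAINER_REMOVAL: 0
      GRACE_PERIOD_SECONDS: 604800 # 7 days
      DRY_RUN: 0 # set to 1 first whenever the settings above change
      CLEAN_UP_VOLUMES: 1 # WARNING: also removes orphaned volumes, i.e. data no container currently references
      TZ: $TZ
      DOCKER_HOST: tcp://socket-proxy:2375
--------------------------------------------------------------------------------
/compose/ds918/mergerfs.yml:
--------------------------------------------------------------------------------
services:
  # MergerFS - A featureful union filesystem
  # FUSE needs CAP_SYS_ADMIN, /dev/fuse and an unconfined AppArmor profile, and the
  # rshared mounts let the union mount propagate back to the host. This container is
  # therefore far more privileged than the rest of the stack: it publishes no ports,
  # and it should not be given volumes it does not need.
  mergerfs:
    container_name: mergerfs
    hostname: mergerfs
    image: hotio/mergerfs:latest
    restart: always
    # depends_on:
    #   - gdrive # if using rclone
    #   - gcrypt # if using rclone
    user: $PUID:$PGID
    # Same argv as the previous backslash-continued string, with the duplicated
    # `func.getattr=newest` option listed once.
    command:
      - /data/media1:/data/media2
      - /data/media
      - "-o"
      - rw,use_ino,allow_other,func.getattr=newest,category.action=all,category.create=ff,statfs_ignore=nc,cache.files=auto-full,dropcacheonclose=true,nonempty
    cap_add:
      - SYS_ADMIN
    security_opt:
      - apparmor:unconfined
    devices:
      - /dev/fuse
    environment:
      - TZ=$TZ
    volumes:
      - /etc/passwd:/etc/passwd:ro
      - /etc/group:/etc/group:ro
      - /etc/fuse.conf:/etc/fuse.conf:shared # allow_other for a non-root user presumably needs user_allow_other here - verify
      #- $DATADIR:/data:slave # creates local-media and shb-media on host
      - $DATADIR1/test:/data/media1:rshared
      - $DATADIR2/test:/data/media2:rshared
      - $DATADIR1/mnt/media:/data/media:rshared
--------------------------------------------------------------------------------
/compose/ds918/qdirstat.yml:
--------------------------------------------------------------------------------
services:
  # qDirStat - Directory Statistics
  qdirstat:
    image: jlesage/qdirstat:latest
    container_name: qdirstat
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    # profiles: ["apps", "all"]
    networks:
      - traefik_proxy
    ports:
      # NOTE(review): publishing 5800 makes the web-VNC UI reachable on the LAN with only
      # VNC_PASSWORD, bypassing the chain-oauth middleware on the Traefik route.
      - "5800:5800"
    volumes:
      - /volume1:/storage:ro # whole NAS volume, read-only - all that statistics need
      - $DOCKERDIR/appdata/qdirstat/config:/config:rw
    environment:
      USER_ID: $PUID
      GROUP_ID: $PGID
      UMASK: "002" # quoted so YAML does not turn the leading-zero value into an integer
      TZ: $TZ
      KEEP_APP_RUNNING: 1
      CLEAN_TMP_DIR: 1
      DISPLAY_WIDTH: 1600
      DISPLAY_HEIGHT: 960
      VNC_PASSWORD: $QDIRSTAT_VNC_PASSWD
    labels:
      - "traefik.enable=true"
      # HTTP Routers
      - "traefik.http.routers.qdirstat-rtr.entrypoints=https"
      - "traefik.http.routers.qdirstat-rtr.rule=Host(`qdir.$DOMAINNAME_DS918`)"
      # Middlewares
      - "traefik.http.routers.qdirstat-rtr.middlewares=chain-oauth@file"
      # HTTP Services
      - "traefik.http.routers.qdirstat-rtr.service=qdirstat-svc"
      - "traefik.http.services.qdirstat-svc.loadbalancer.server.port=5800"
--------------------------------------------------------------------------------
/compose/ds918/syncthing.yml:
--------------------------------------------------------------------------------
services:
  # SyncThing - Keep folders in Sync
  syncthing:
    image: lscr.io/linuxserver/syncthing
    container_name: syncthing
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    # profiles: ["core", "all"]
    networks:
      - traefik_proxy
    ports:
      # NOTE(review): 8384 is the admin GUI; publishing it bypasses chain-oauth. Either
      # set a GUI user/password inside Syncthing or drop this mapping and use the route.
      - "8384:8384"
      - "22000:22000/tcp" # sync protocol
      - "22000:22000/udp" # sync protocol
      - "21027:21027/udp" # local discovery
    volumes:
      # Whole NAS volume, read-write: any folder shared from the GUI can be rewritten by peers.
      - /volume1:/data/volume1
      - $DOCKERDIR/appdata/syncthing:/config
    environment:
      TZ: $TZ
      PUID: $PUID
      PGID: $PGID
    labels:
      - "traefik.enable=true"
      # HTTP Routers
      - "traefik.http.routers.syncthing-rtr.entrypoints=https"
      - "traefik.http.routers.syncthing-rtr.rule=Host(`stnas.$DOMAINNAME_DS918`)"
      # Middlewares
      - "traefik.http.routers.syncthing-rtr.middlewares=chain-oauth@file"
      # HTTP Services
      - "traefik.http.routers.syncthing-rtr.service=syncthing-svc"
      - "traefik.http.services.syncthing-svc.loadbalancer.server.port=8384"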
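--------------------------------------------------------------------------------
/compose/ds918/zerotier.yml:
--------------------------------------------------------------------------------
services:
  # ZeroTier-One - Private Network over Internet
  # Host networking, NET_ADMIN and /dev/net/tun are what a VPN daemon needs to create
  # its interface. NOTE(review): SYS_ADMIN is far broader than that - confirm the
  # synology image actually requires it before keeping it.
  zerotier:
    image: zerotier/zerotier-synology:latest
    container_name: zerotier
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    # profiles: ["core", "all"]
    network_mode: host
    cap_add:
      - NET_ADMIN
      - SYS_ADMIN
    devices:
      - /dev/net/tun
    volumes:
      - $DOCKERDIR/appdata/zerotier:/var/lib/zerotier-one # node state (presumably incl. the identity secret) - back up and protect
--------------------------------------------------------------------------------
/compose/hs/autoindex.yml:
--------------------------------------------------------------------------------
services:
  # Autoindex - Simple Directory Index
  # Serves a raw directory listing of $EXTDRIVE. The chain-oauth middleware on the
  # Traefik route is the only access control, so keep the host port commented out.
  autoindex:
    container_name: autoindex
    image: dceoy/nginx-autoindex:latest
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    profiles: ["apps", "all"]
    networks:
      - t3_proxy
    # ports:
    #   - "$AUTOINDEX_PORT:80"
    volumes:
      #- $USERDIR:/var/lib/nginx/html:ro # Location you want to index
      - $EXTDRIVE:/var/lib/nginx/html:ro # Location you want to index
    labels:
      - "traefik.enable=true"
      # HTTP Routers
      - "traefik.http.routers.autoindex-rtr.entrypoints=websecure"
      - "traefik.http.routers.autoindex-rtr.rule=Host(`index.$DOMAINNAME_HS`)"
      # Middlewares
      - "traefik.http.routers.autoindex-rtr.middlewares=chain-oauth@file"
      # HTTP Services
      - "traefik.http.routers.autoindex-rtr.service=autoindex-svc"
      - "traefik.http.services.autoindex-svc.loadbalancer.server.port=80"
--------------------------------------------------------------------------------
/compose/hs/bazarr.yml:
--------------------------------------------------------------------------------
services:
  # Bazarr - Subtitle Management
  bazarr:
    image: lscr.io/linuxserver/bazarr
    container_name: bazarr
    security_opt:
      - no-new-privileges:true
    restart: "no"
    profiles: ["media", "arrs", "all"]
    networks:
      - t3_proxy
    ports:
      - "6767:6767" # NOTE(review): reachable on the LAN without the OAuth chain; rely on Bazarr's own login if kept
    volumes:
      - $DOCKERDIR/appdata/bazarr:/config
      - $DATADIR/media:/data/media
    environment:
      TZ: $TZ
      PUID: $PUID
      PGID: $PGID
    labels:
      - "traefik.enable=true"
      # HTTP Routers Auth
      - "traefik.http.routers.bazarr-rtr.entrypoints=websecure"
      - "traefik.http.routers.bazarr-rtr.rule=Host(`bazarr.$DOMAINNAME_HS`)"
      # Middlewares
      - "traefik.http.routers.bazarr-rtr.middlewares=chain-oauth@file"
      # HTTP Services
      - "traefik.http.routers.bazarr-rtr.service=bazarr-svc"
      - "traefik.http.services.bazarr-svc.loadbalancer.server.port=6767"
--------------------------------------------------------------------------------
/compose/hs/crowdsec.yml:
--------------------------------------------------------------------------------
services:
  # CrowdSec - Open-source & collaborative security IPS
  # Runs as an agent only (DISABLE_LOCAL_API) that reports to the LAPI given by
  # LOCAL_API_URL; it tails the host and mounted log directories read-only.
  crowdsec:
    image: crowdsecurity/crowdsec
    container_name: crowdsec
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    profiles: ["core", "all"]
    ports:
      # NOTE(review): with the local API disabled nothing should be listening on 8080,
      # so this mapping is likely dead; it is only useful if the LAPI is re-enabled.
      - "8080:8080"
      # Exposing metrics via Zerotier IP only. NOTE(review): Docker can only bind an
      # address this host owns - confirm the variable names this machine's ZeroTier IP.
      - "$ZEROTIER_IP_CLOUDSERVER:6060:6060"
    environment:
      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/whitelist-good-actors crowdsecurity/iptables crowdsecurity/linux fulljackz/proxmox"
      GID: "${GID-1000}"
      CUSTOM_HOSTNAME: home-server
      DISABLE_LOCAL_API: "true" # Only after successfully registering and validating remote agent below.
      # For the following, check local_api_credentials.yaml after cscli lapi register (secondary machine) and cscli machine validate (on primary machine)
      AGENT_USERNAME: $CROWDSEC_AGENT_USERNAME
      AGENT_PASSWORD: $CROWDSEC_AGENT_PASSWORD # secret - lives in .env, never inline here
      LOCAL_API_URL: $CROWDSEC_LOCAL_API_URL
    volumes:
      - $DOCKERDIR/logs/cloudserver:/logs/cloudserver:ro
      - /var/log:/var/log:ro
      - $EXTDRIVE/zbox/var/log:/logs/zbox:ro
      - $DOCKERDIR/appdata/crowdsec/data:/var/lib/crowdsec/data
      - $DOCKERDIR/appdata/crowdsec/config:/etc/crowdsec
--------------------------------------------------------------------------------
/compose/hs/deunhealth.yml:
--------------------------------------------------------------------------------
services:
  # DeUnhealth - Restart your unhealthy containers safely (e.g. containers depending on VPN and VPN reconnects)
  # Only needs to list and restart containers, so the socket proxy can be kept narrow.
  deunhealth:
    image: qmcgaw/deunhealth
    container_name: deunhealth
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    profiles: ["apps", "all"]
    networks:
      - socket_proxy
    environment:
      LOG_LEVEL: info
      HEALTH_SERVER_ADDRESS: 127.0.0.1:9999 # loopback only; not published
      TZ: $TZ
      DOCKER_HOST: tcp://socket-proxy:2375
--------------------------------------------------------------------------------
/compose/hs/docker-gc.yml:
--------------------------------------------------------------------------------
services:
  # Docker-GC - Automatic Docker Garbage Collection
  # Create docker-gc-exclude file
  # Talks to the daemon via the socket proxy (DOCKER_HOST) instead of the raw socket;
  # the proxy still has to allow the image/container/volume delete calls this needs.
  docker-gc:
    image: clockworksoul/docker-gc-cron:latest
    container_name: docker-gc
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    profiles: ["apps", "all"]
    networks:
      - socket_proxy
    volumes:
      # - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy instead for improved security
      - $DOCKERDIR/appdata/docker-gc/docker-gc-exclude:/etc/docker-gc-exclude
    environment:
      CRON: "0 0 0 * * ?" # Everyday at midnight. Previously 0 0 * * * (quoted so * and ? are never read as YAML syntax)
      FORCE_IMAGE_REMOVAL: 1
      FORCE_CONTAINER_REMOVAL: 0
      GRACE_PERIOD_SECONDS: 604800 # 7 days
      DRY_RUN: 0 # set to 1 first whenever the settings above change
      CLEAN_UP_VOLUMES: 1 # WARNING: also removes orphaned volumes, i.e. data no container currently references
      TZ: $TZ
      DOCKER_HOST: tcp://socket-proxy:2375
--------------------------------------------------------------------------------
/compose/hs/dockge.yml:
--------------------------------------------------------------------------------
services:
  # Dockge - Docker Compose Manager
  # NOTE(review): anything that can drive this UI can define and start arbitrary
  # containers through the socket proxy (which must allow the write endpoints for
  # Dockge to work) - effectively root on the host. Keep it behind chain-oauth and
  # never publish its port directly.
  dockge:
    image: louislam/dockge
    container_name: dockge
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    profiles: ["apps", "all"]
    # ports:
    #   - "5001:5001"
    networks:
      - t3_proxy
      - socket_proxy
    volumes:
      - $DOCKERDIR/appdata/dockge:/app/data
      - $USERDIR/test:/opt/stacks
    environment:
      - DOCKGE_STACKS_DIR=/opt/stacks
      - DOCKER_HOST=tcp://socket-proxy:2375
    labels:
      - "traefik.enable=true"
      # HTTP Routers
      - "traefik.http.routers.dockge-rtr.entrypoints=websecure"
      - "traefik.http.routers.dockge-rtr.rule=Host(`dockge.$DOMAINNAME_HS`)"
      # Middlewares
      - "traefik.http.routers.dockge-rtr.middlewares=chain-oauth@file"
      # HTTP Services
      - "traefik.http.routers.dockge-rtr.service=dockge-svc"
      - "traefik.http.services.dockge-svc.loadbalancer.server.port=5001"
--------------------------------------------------------------------------------
/compose/hs/dozzle.yml:
--------------------------------------------------------------------------------
services:
  # Dozzle - Real-time Docker Log Viewer
  dozzle:
    image: amir20/dozzle:latest
    container_name: dozzle
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    profiles: ["apps", "all"]
    networks:
      - t3_proxy
      - socket_proxy
    ports:
      # NOTE(review): exposes every container's logs (which may contain tokens and
      # credentials) on the LAN without the OAuth chain; prefer the Traefik route only.
      - "8082:8080"
    environment:
      DOZZLE_LEVEL: info
      DOZZLE_TAILSIZE: 300
      DOZZLE_FILTER: "status=running"
      # DOZZLE_FILTER: "label=log_me" # limits logs displayed to containers with this label
      DOCKER_HOST: tcp://socket-proxy:2375
    # volumes:
    #   - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy instead for improved security
    labels:
      - "traefik.enable=true"
      # HTTP Routers
      - "traefik.http.routers.dozzle-rtr.entrypoints=websecure"
      - "traefik.http.routers.dozzle-rtr.rule=Host(`dozzle.$DOMAINNAME_HS`)"
      # Middlewares
      - "traefik.http.routers.dozzle-rtr.middlewares=chain-oauth@file"
      # HTTP Services
      - "traefik.http.routers.dozzle-rtr.service=dozzle-svc"
      - "traefik.http.services.dozzle-svc.loadbalancer.server.port=8080"
--------------------------------------------------------------------------------
/compose/hs/grafana.yml:
--------------------------------------------------------------------------------
services:
  # Grafana - Graphical data visualization for InfluxDB data
  grafana:
    image: grafana/grafana:latest
    container_name: grafana
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    profiles: ["apps", "all"]
    networks:
      - t3_proxy
    ports:
      - "3000:3000" # NOTE(review): LAN-reachable without the OAuth chain; change the default admin login on first start
    user: "$PUID:$PGID" # runs unprivileged; the data dir must be owned by this uid/gid
    volumes:
      - $DOCKERDIR/appdata/grafana:/var/lib/grafana
    environment:
      # Plugins are fetched from the Grafana catalog at container start - a network
      # dependency and a supply-chain surface; consider baking/pinning them instead.
      GF_INSTALL_PLUGINS: "grafana-clock-panel,grafana-simple-json-datasource,grafana-worldmap-panel,grafana-piechart-panel"
    labels:
      - "traefik.enable=true"
      # HTTP Routers
      - "traefik.http.routers.grafana-rtr.entrypoints=websecure"
      - "traefik.http.routers.grafana-rtr.rule=Host(`grafana.$DOMAINNAME_HS`)"
      # Middlewares
      - "traefik.http.routers.grafana-rtr.middlewares=chain-oauth@file"
      # HTTP Services
      - "traefik.http.routers.grafana-rtr.service=grafana-svc"
      - "traefik.http.services.grafana-svc.loadbalancer.server.port=3000"
--------------------------------------------------------------------------------
/compose/hs/homepage.yml:
--------------------------------------------------------------------------------
services:
  # Homepage - Application Dashboard
  homepage:
    # NOTE(review): the project moved to ghcr.io/gethomepage/homepage; confirm this
    # image reference still receives updates before relying on it.
    image: ghcr.io/benphelps/homepage:latest
    container_name: homepage
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    profiles: ["apps", "all"]
    networks:
      - t3_proxy
      - socket_proxy
    # ports:
    #   - "$HOMEPAGE_PORT:3000"
    volumes:
      - $DOCKERDIR/appdata/homepage:/app/config # widget configs usually hold service API keys - keep out of git
    environment:
      TZ: $TZ
      PUID: $PUID
      PGID: $PGID
    labels:
      - "traefik.enable=true"
      # HTTP Routers
      - "traefik.http.routers.homepage-rtr.entrypoints=websecure"
      - "traefik.http.routers.homepage-rtr.rule=Host(`$DOMAINNAME_HS`) || Host(`www.$DOMAINNAME_HS`)"
      # Middlewares
      - "traefik.http.routers.homepage-rtr.middlewares=chain-oauth@file"
      # HTTP Services
      - "traefik.http.routers.homepage-rtr.service=homepage-svc"
      - "traefik.http.services.homepage-svc.loadbalancer.server.port=3000"
--------------------------------------------------------------------------------
/compose/hs/it-tools.yml:
--------------------------------------------------------------------------------
services:
  # IT-Tools - Collection of handy developer utilities (the previous "Status Page &
  # Monitoring Server" description was copied from uptime-kuma)
  it-tools:
    image: corentinth/it-tools
    container_name: it-tools
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    profiles: ["apps", "all"]
    networks:
      - t3_proxy
    labels:
      - "traefik.enable=true"
      # HTTP Routers
      - "traefik.http.routers.it-tools-rtr.entrypoints=websecure"
      - "traefik.http.routers.it-tools-rtr.rule=Host(`tools.$DOMAINNAME_HS`)"
      # Middlewares
      - "traefik.http.routers.it-tools-rtr.middlewares=chain-oauth@file"
      # HTTP Services
      - "traefik.http.routers.it-tools-rtr.service=it-tools-svc"
      - "traefik.http.services.it-tools-svc.loadbalancer.server.port=80"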
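--------------------------------------------------------------------------------
/compose/hs/jdownloader.yml:
--------------------------------------------------------------------------------
services:
  # jDownloader - Download management
  # Web-VNC desktop app; no host port is published, so the chain-oauth route plus
  # VNC_PASSWORD are the access controls.
  jdownloader:
    image: jlesage/jdownloader-2:latest
    container_name: jdownloader
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    profiles: ["apps", "all"]
    networks:
      - t3_proxy
    # ports:
    #   - "$JDOWNLOADER_PORT:5800"
    volumes:
      - $DATADIR/downloads:/data/downloads
      - $DOCKERDIR/appdata/jdownloader:/config
    environment:
      USER_ID: $PUID
      GROUP_ID: $PGID
      TZ: $TZ
      UMASK: "002" # quoted so YAML does not turn the leading-zero value into an integer
      KEEP_APP_RUNNING: 1
      CLEAN_TMP_DIR: 1
      DISPLAY_WIDTH: 1600
      DISPLAY_HEIGHT: 960
      VNC_PASSWORD: $JDOWN_VNC_PASSWD
    labels:
      - "traefik.enable=true"
      # HTTP Routers
      - "traefik.http.routers.jdownloader-rtr.entrypoints=websecure"
      - "traefik.http.routers.jdownloader-rtr.rule=Host(`jdown.$DOMAINNAME_HS`)"
      # Middlewares
      - "traefik.http.routers.jdownloader-rtr.middlewares=chain-oauth@file"
      # HTTP Services
      - "traefik.http.routers.jdownloader-rtr.service=jdownloader-svc"
      - "traefik.http.services.jdownloader-svc.loadbalancer.server.port=5800"
--------------------------------------------------------------------------------
/compose/hs/lidarr-exporter.yml:
--------------------------------------------------------------------------------
services:
  # Lidarr Exporter - Lidarr metrics for Prometheus
  lidarr-exporter:
    image: ghcr.io/onedr0p/exportarr:latest
    container_name: lidarr-exporter
    security_opt:
      - no-new-privileges:true
    restart: "no"
    profiles: ["all", "media", "arrs"]
    networks:
      - t3_proxy
    ports:
      - "9709:9709" # NOTE(review): unauthenticated metrics on every host interface; restrict to the scraper's address if possible
    environment:
      PORT: 9709
      URL: "http://lidarr:8686"
      APIKEY: $LIDARR_API_KEY # full-access Lidarr key, supplied from .env
      ENABLE_ADDITIONAL_METRICS: "true" # quoted: a bare TRUE is a YAML boolean, not a string, and stricter parsers reject it
    command: ["lidarr"]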
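--------------------------------------------------------------------------------
/compose/hs/makemkv.yml:
--------------------------------------------------------------------------------
services:
  # MakeMKV - Video Editing (Ripping from Disks)
  # Web-VNC desktop app with VNC_PASSWORD left unset, so the chain-oauth route is the
  # only access control - do not publish the port without setting a password.
  makemkv:
    image: jlesage/makemkv:latest
    container_name: makemkv
    security_opt:
      - no-new-privileges:true
    restart: "no"
    profiles: ["media","all"]
    networks:
      - t3_proxy
    # ports:
    #   - "$MAKEMKV_PORT:5800"
    volumes:
      - $DOWNLOADSDIR:/data/downloads
      - $DOCKERDIR/appdata/makemkv/config:/config
      - /dev/shm:/dev/shm # shares the host's shm segment with the container
    environment:
      USER_ID: $PUID
      GROUP_ID: $PGID
      UMASK: "002" # quoted so YAML does not turn the leading-zero value into an integer
      TZ: $TZ
      KEEP_APP_RUNNING: 1
      CLEAN_TMP_DIR: 1
      DISPLAY_WIDTH: 1600
      DISPLAY_HEIGHT: 960
      # VNC_PASSWORD: $MAKEMKV_VNC_PASSWD
    labels:
      - "traefik.enable=true"
      # HTTP Routers
      - "traefik.http.routers.makemkv-rtr.entrypoints=websecure"
      - "traefik.http.routers.makemkv-rtr.rule=Host(`makemkv.$DOMAINNAME_HS`)"
      # Middlewares
      - "traefik.http.routers.makemkv-rtr.middlewares=chain-oauth@file"
      # HTTP Services
      - "traefik.http.routers.makemkv-rtr.service=makemkv-svc"
      - "traefik.http.services.makemkv-svc.loadbalancer.server.port=5800"
--------------------------------------------------------------------------------
/compose/hs/mkvtoolnix.yml:
--------------------------------------------------------------------------------
services:
  # MKVToolNix - Video Editing (Remuxing - changing media container while keeping original source quality)
  # Same pattern as makemkv: no VNC password, no published port, OAuth route only.
  mkvtoolnix:
    image: jlesage/mkvtoolnix:latest
    container_name: mkvtoolnix
    security_opt:
      - no-new-privileges:true
    restart: "no"
    profiles: ["media","all"]
    networks:
      - t3_proxy
    # ports:
    #   - "$MKVTOOLNIX_PORT:5800"
    volumes:
      - $DOWNLOADSDIR:/data/downloads
      - $DOCKERDIR/appdata/mkvtoolnix/config:/config:rw
    environment:
      USER_ID: $PUID
      GROUP_ID: $PGID
      UMASK: "002" # quoted so YAML does not turn the leading-zero value into an integer
      TZ: $TZ
      KEEP_APP_RUNNING: 1
      CLEAN_TMP_DIR: 1
      DISPLAY_WIDTH: 1600
      DISPLAY_HEIGHT: 960
      # VNC_PASSWORD: $MKVTOOLNIX_VNC_PASSWD
    labels:
      - "traefik.enable=true"
      # HTTP Routers
      - "traefik.http.routers.mkvtoolnix-rtr.entrypoints=websecure"
      - "traefik.http.routers.mkvtoolnix-rtr.rule=Host(`mkvtoolnix.$DOMAINNAME_HS`)"
      # Middlewares
      - "traefik.http.routers.mkvtoolnix-rtr.middlewares=chain-oauth@file"
      # HTTP Services
      - "traefik.http.routers.mkvtoolnix-rtr.service=mkvtoolnix-svc"
      - "traefik.http.services.mkvtoolnix-svc.loadbalancer.server.port=5800"
--------------------------------------------------------------------------------
/compose/hs/node-exporter.yml:
--------------------------------------------------------------------------------
services:
  # Node Exporter - Metrics to Prometheus
  # Reads host /proc, /sys and / read-only. It is attached to the proxy network but
  # carries no Traefik labels, so the published port is the only way to reach it.
  node-exporter:
    container_name: node-exporter
    image: prom/node-exporter:latest
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    profiles: ["monitoring", "all"]
    networks:
      - t3_proxy
    ports:
      - "9100:9100" # NOTE(review): unauthenticated host metrics on every interface; bind to the scraper's address if possible
    volumes:
      - /proc:/host/proc:ro
      - /sys:/host/sys:ro
      - /:/rootfs:ro
    command:
      - '--path.procfs=/host/proc'
      - '--path.sysfs=/host/sys'
      # NOTE(review): / is mounted at /rootfs but no --path.rootfs=/rootfs is passed, so the
      # filesystem collector may be measuring the container's own root; and this flag has been
      # renamed --collector.filesystem.mount-points-exclude in newer releases. Verify against the
      # running image version before changing either.
      - --collector.filesystem.ignored-mount-points
      - "^/(sys|proc|dev|host|etc|rootfs/var/lib/docker/containers|rootfs/var/lib/docker/overlay2|rootfs/run/docker/netns|rootfs/var/lib/docker/aufs)($$|/)"
--------------------------------------------------------------------------------
/compose/hs/notifiarr.yml:
--------------------------------------------------------------------------------
services:
  # Client for Notifiarr.com
  notifiarr:
    image: golift/notifiarr
    container_name: notifiarr
    security_opt:
      - no-new-privileges:true
    restart: "no"
    profiles: ["media", "all"]
    networks:
      - t3_proxy
      # t3_proxy:
      #   ipv4_address: 192.168.90.3 # You can specify a static IP
    ports:
      - "5454:5454" # NOTE(review): LAN-reachable without the OAuth chain
    volumes:
      - $DOCKERDIR/appdata/notifiarr:/config
      # Host files the client only reads (login sessions, machine identity); mounted
      # read-only so a compromised container cannot tamper with host state.
      - /var/run/utmp:/var/run/utmp:ro
      - /etc/machine-id:/etc/machine-id:ro
    environment:
      DN_API_KEY: $NOTIFIARR_API_KEY
      DN_AUTO_UPDATE: "off" # quoted: YAML 1.1 parsers read a bare off as boolean false
    labels:
      - "traefik.enable=true"
      # HTTP Routers Auth
      - "traefik.http.routers.notifiarr-rtr.entrypoints=websecure"
      - "traefik.http.routers.notifiarr-rtr.rule=Host(`notifiarr.$DOMAINNAME_HS`)"
      # Middlewares
      - "traefik.http.routers.notifiarr-rtr.middlewares=chain-oauth@file"
      # HTTP Services
      - "traefik.http.routers.notifiarr-rtr.service=notifiarr-svc"
      - "traefik.http.services.notifiarr-svc.loadbalancer.server.port=5454"
--------------------------------------------------------------------------------
/compose/hs/phpmyadmin.yml:
--------------------------------------------------------------------------------
services:
  # phpMyAdmin - Database management
  # Create a new user with admin privileges. Cannot login as MySQL root for some reason.
  # PMA_ARBITRARY stays off on purpose: enabling it lets the login form target any
  # host the container can reach. The root password comes from a Compose secret,
  # not an environment variable, so it is not visible via `docker inspect`.
  phpmyadmin:
    image: phpmyadmin/phpmyadmin:latest
    container_name: phpmyadmin
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    profiles: ["apps", "all"]
    networks:
      - t3_proxy
    environment:
      - PMA_HOST=$MARIADB_HOST
      - PMA_PORT=$MARIADB_PORT
      #- PMA_ARBITRARY=1
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password
    secrets:
      - mysql_root_password
    labels:
      - "traefik.enable=true"
      # HTTP Routers
      - "traefik.http.routers.phpmyadmin-rtr.entrypoints=websecure"
      - "traefik.http.routers.phpmyadmin-rtr.rule=Host(`pma.$DOMAINNAME_HS`)"
      # Middlewares
      - "traefik.http.routers.phpmyadmin-rtr.middlewares=chain-oauth@file"
      # HTTP Services
      - "traefik.http.routers.phpmyadmin-rtr.service=phpmyadmin-svc"
      - "traefik.http.services.phpmyadmin-svc.loadbalancer.server.port=80"
--------------------------------------------------------------------------------
/compose/hs/picard.yml:
--------------------------------------------------------------------------------
services:
  # Picard - Music Library Tagging and Management
  # Web-VNC desktop app with no VNC password and read-write access to all of $DATADIR;
  # the chain-oauth route is the only access control, so keep the port unpublished.
  picard:
    image: mikenye/picard:latest
    container_name: picard
    security_opt:
      - no-new-privileges:true
    restart: "no"
    profiles: ["media", "all"]
    networks:
      - t3_proxy
    # ports:
    #   - "$PICARD_PORT:5800"
    volumes:
      - $DATADIR:/data:rw
      - $DOCKERDIR/appdata/picard:/config:rw
      - /dev/shm:/dev/shm # shares the host's shm segment with the container
    environment:
      USER_ID: $PUID
      GROUP_ID: $PGID
      TZ: $TZ
      UMASK: "002" # quoted so YAML does not turn the leading-zero value into an integer
      DISPLAY_WIDTH: 1600
      DISPLAY_HEIGHT: 960
    labels:
      - "traefik.enable=true"
      # HTTP Routers
      - "traefik.http.routers.picard-rtr.entrypoints=websecure"
      - "traefik.http.routers.picard-rtr.rule=Host(`picard.$DOMAINNAME_HS`)"
      # Middlewares
      - "traefik.http.routers.picard-rtr.middlewares=chain-oauth@file"
      # HTTP Services
      - "traefik.http.routers.picard-rtr.service=picard-svc"
      - "traefik.http.services.picard-svc.loadbalancer.server.port=5800"
--------------------------------------------------------------------------------
/compose/hs/portainer.yml:
--------------------------------------------------------------------------------
services:
  # Portainer - WebUI for Containers
  # NOTE(review): Portainer can create arbitrary containers through the socket proxy
  # (which must allow the write endpoints for that to work), i.e. it is root on the
  # host for anyone who can log in. The published 9000 bypasses the OAuth chain, so
  # Portainer's own login is the only protection on the LAN.
  portainer:
    container_name: portainer
    image: portainer/portainer-ee:latest # Use portainer-ce if you do no have a Business Edition license key
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    profiles: ["core", "all"]
    networks:
      - t3_proxy
      - socket_proxy
    # command: -H unix:///var/run/docker.sock # # Use Docker Socket Proxy instead for improved security
    command: -H tcp://socket-proxy:2375
    ports:
      - "9000:9000"
    volumes:
      # - /var/run/docker.sock:/var/run/docker.sock:ro # # Use Docker Socket Proxy instead for improved security
      - $DOCKERDIR/appdata/portainer/data:/data # Change to local directory if you want to save/transfer config locally
    environment:
      - TZ=$TZ
    labels:
      - "traefik.enable=true"
      # HTTP Routers
      - "traefik.http.routers.portainer-rtr.entrypoints=websecure"
      - "traefik.http.routers.portainer-rtr.rule=Host(`portainer.$DOMAINNAME_HS`)"
      # Middlewares
      - "traefik.http.routers.portainer-rtr.middlewares=chain-oauth@file"
      # HTTP Services
      - "traefik.http.routers.portainer-rtr.service=portainer-svc"
      - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000"
--------------------------------------------------------------------------------
/compose/hs/prowlarr-exporter.yml:
--------------------------------------------------------------------------------
services:
  # Prowlarr Exporter - Prowlarr metrics for Prometheus
  prowlarr-exporter:
    image: ghcr.io/onedr0p/exportarr:latest
    container_name: prowlarr-exporter
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    profiles: ["all", "apps"]
    networks:
      - t3_proxy
    ports:
      - "9710:9710" # NOTE(review): unauthenticated metrics on every host interface; restrict to the scraper's address if possible
    environment:
      PORT: 9710
      URL: "http://prowlarr:9696"
      APIKEY: $PROWLARR_API_KEY # full-access Prowlarr key, supplied from .env
      ENABLE_ADDITIONAL_METRICS: "true" # quoted: a bare TRUE is a YAML boolean, not a string, and stricter parsers reject it
    command: ["prowlarr"]
--------------------------------------------------------------------------------
/compose/hs/prowlarr.yml:
--------------------------------------------------------------------------------
services:
  # Prowlarr - Torrent proxy
  prowlarr:
    image: ghcr.io/linuxserver/prowlarr:develop # NOTE(review): development branch, not a release tag - expect breaking changes on pull
    container_name: prowlarr
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    profiles: ["apps", "all"]
    networks:
      - t3_proxy
    ports:
      - "9696:9696" # NOTE(review): LAN-reachable without the OAuth chain; rely on Prowlarr's own login if kept
    volumes:
      - $DOCKERDIR/appdata/prowlarr:/config
      - "/etc/localtime:/etc/localtime:ro"
    environment:
      TZ: $TZ
      PUID: $PUID
      PGID: $PGID
    labels:
      - "traefik.enable=true"
      # HTTP Routers
      - "traefik.http.routers.prowlarr-rtr.entrypoints=websecure"
      - "traefik.http.routers.prowlarr-rtr.rule=Host(`prowlarr.$DOMAINNAME_HS`)"
      # Middlewares
      - "traefik.http.routers.prowlarr-rtr.middlewares=chain-oauth@file"
      # HTTP Services
      - "traefik.http.routers.prowlarr-rtr.service=prowlarr-svc"
      - "traefik.http.services.prowlarr-svc.loadbalancer.server.port=9696"
--------------------------------------------------------------------------------
/compose/hs/qbittorrent.yml:
--------------------------------------------------------------------------------
services:
  # qBittorrent - Torrent downloader
  # Needs trailing / if using PathPrefixStrip
  # Shares gluetun's network namespace, so all traffic goes through the VPN (and is
  # blocked by gluetun's kill switch when the tunnel is down). The healthcheck probes
  # outbound reachability; a failure marks the container unhealthy and deunhealth
  # restarts it (see the label below).
  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:latest
    container_name: qbittorrent
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    profiles: ["apps", "downloads", "all"]
    network_mode: "service:gluetun"
    # ports:
    #   - "8081:8080" # Exposed via gluetun. 8081 because crowdsec is using port 8080
    volumes:
      - $DOCKERDIR/appdata/qbittorrent:/config
      - $DOWNLOADSDIR:/data/downloads # Ensure that downloads folder is set to /data/downloads in qBittorrent
    environment:
      TZ: $TZ
      PUID: $PUID
      PGID: $PGID
      UMASK_SET: "002" # quoted so YAML does not turn the leading-zero value into an integer
    healthcheck: # https://github.com/qdm12/gluetun/issues/641#issuecomment-933856220
      test: "curl -sf https://example.com || exit 1"
      interval: 1m
      timeout: 10s
      retries: 1 # a single failed probe is enough to flag the container
    labels: # Traefik labels added via gluetun
      - "deunhealth.restart.on.unhealthy=true"
--------------------------------------------------------------------------------
/compose/hs/radarr-exporter.yml:
--------------------------------------------------------------------------------
services:
  # Radarr Exporter - Radarr metrics for Prometheus
  radarr-exporter:
    image: ghcr.io/onedr0p/exportarr:latest
    container_name: radarr-exporter
    security_opt:
      - no-new-privileges:true
    restart: "no"
    profiles: ["all", "media", "arrs"]
    networks:
      - t3_proxy
    ports:
      - "9707:9707" # NOTE(review): unauthenticated metrics on every host interface; restrict to the scraper's address if possible
    environment:
      PORT: 9707
      URL: "http://radarr:7878"
      APIKEY: $RADARR_API_KEY # full-access Radarr key, supplied from .env
      ENABLE_ADDITIONAL_METRICS: "true" # quoted: a bare TRUE is a YAML boolean, not a string, and stricter parsers reject it
    command: ["radarr"]
--------------------------------------------------------------------------------
/compose/hs/sabnzbd-exporter.yml:
--------------------------------------------------------------------------------
services:
  # SABnzbd Exporter - SABnzbd metrics for Prometheus
  sabnzbd-exporter:
    image: ghcr.io/onedr0p/exportarr:latest
    container_name: sabnzbd-exporter
    security_opt:
      - no-new-privileges:true
    restart: "unless-stopped"
    profiles: ["all", "downloads"]
    networks:
      - t3_proxy
    ports:
      - "9712:9712" # NOTE(review): unauthenticated metrics on every host interface; restrict to the scraper's address if possible
    environment:
      PORT: 9712
      URL: "http://sabnzbd:8080"
      APIKEY: $SABNZBD_API_KEY # full-access SABnzbd key, supplied from .env
      ENABLE_ADDITIONAL_METRICS: "true" # quoted: a bare TRUE is a YAML boolean, not a string, and stricter parsers reject it
    command: ["sabnzbd"]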
-------------------------------------------------------------------------------- /compose/hs/scrutiny.yml: -------------------------------------------------------------------------------- 1 | services: 2 | scrutiny: 3 | image: ghcr.io/analogj/scrutiny:master-web 4 | container_name: scrutiny 5 | security_opt: 6 | - no-new-privileges:true 7 | restart: unless-stopped 8 | profiles: ["core", "all"] 9 | networks: 10 | - t3_proxy 11 | ports: 12 | - 8090:8080 13 | volumes: 14 | - $DOCKERDIR/appdata/scrutiny:/opt/scrutiny/config 15 | labels: 16 | - "traefik.enable=true" 17 | # HTTP Routers 18 | - "traefik.http.routers.scrutiny-rtr.entrypoints=websecure" 19 | - "traefik.http.routers.scrutiny-rtr.rule=Host(`scrutiny.$DOMAINNAME_HS`)" 20 | # Middlewares 21 | - "traefik.http.routers.scrutiny-rtr.middlewares=chain-oauth@file" 22 | # HTTP Services 23 | - "traefik.http.routers.scrutiny-rtr.service=scrutiny-svc" 24 | - "traefik.http.services.scrutiny-svc.loadbalancer.server.port=8080" -------------------------------------------------------------------------------- /compose/hs/sitespeed.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Autoindex - Simple Directory Index (for Sitespeed.io Results) 3 | sitespeed: 4 | container_name: sitespeed 5 | image: dceoy/nginx-autoindex:latest 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "all"] 10 | networks: 11 | - t3_proxy 12 | volumes: 13 | - $EXTDRIVE/ssd/sitespeed:/var/lib/nginx/html:ro # Location you want to index 14 | labels: 15 | - "traefik.enable=true" 16 | # HTTP Routers 17 | - "traefik.http.routers.sitespeed-rtr.entrypoints=websecure" 18 | - "traefik.http.routers.sitespeed-rtr.rule=Host(`sitespeed.$DOMAINNAME_HS`)" 19 | # Middlewares 20 | - "traefik.http.routers.sitespeed-rtr.middlewares=chain-oauth@file" 21 | # HTTP Services 22 | - "traefik.http.routers.sitespeed-rtr.service=sitespeed-svc" 23 | - 
"traefik.http.services.sitespeed-svc.loadbalancer.server.port=80" -------------------------------------------------------------------------------- /compose/hs/sonarr-exporter.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Sonarr Exporter - Sonarr metrics for Prometheus 3 | sonarr-exporter: 4 | image: ghcr.io/onedr0p/exportarr:latest 5 | container_name: sonarr-exporter 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: "no" 9 | profiles: ["all", "media", "arrs"] 10 | networks: 11 | - t3_proxy 12 | ports: 13 | - "9708:9708" 14 | environment: 15 | PORT: 9708 16 | URL: "http://sonarr:8989" 17 | APIKEY: $SONARR_API_KEY 18 | ENABLE_ADDITIONAL_METRICS: TRUE 19 | command: ["sonarr"] -------------------------------------------------------------------------------- /compose/hs/traefik-bouncer.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # CrowdSec Bouncer - Traefik 3 | traefik-bouncer: 4 | image: fbonalair/traefik-crowdsec-bouncer 5 | container_name: traefik-bouncer 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["core", "all"] 10 | networks: 11 | - t3_proxy 12 | environment: 13 | GIN_MODE: release # default is debug (more logs) 14 | CROWDSEC_BOUNCER_API_KEY: $CROWDSEC_BOUNCER_TRAEFIK_API_KEY 15 | CROWDSEC_AGENT_HOST: $CROWDSEC_LAPI_HOST:$CROWDSEC_LAPI_PORT # CrowdSec host and port -------------------------------------------------------------------------------- /compose/hs/uptime-kuma.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Uptime Kuma - Status Page & Monitoring Server 3 | uptime-kuma: 4 | image: louislam/uptime-kuma 5 | container_name: uptime-kuma 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["core", "all"] 10 | networks: 11 | - t3_proxy 12 | - default 13 | volumes: 14 | - 
$DOCKERDIR/appdata/uptime-kuma:/app/data 15 | labels: 16 | - "traefik.enable=true" 17 | # HTTP Routers 18 | - "traefik.http.routers.uptime-kuma-rtr.entrypoints=websecure" 19 | - "traefik.http.routers.uptime-kuma-rtr.rule=Host(`kuma.$DOMAINNAME_HS`)" 20 | # Middlewares 21 | - "traefik.http.routers.uptime-kuma-rtr.middlewares=chain-oauth@file" 22 | # HTTP Services 23 | - "traefik.http.routers.uptime-kuma-rtr.service=uptime-kuma-svc" 24 | - "traefik.http.services.uptime-kuma-svc.loadbalancer.server.port=3001" -------------------------------------------------------------------------------- /compose/hs/whoami.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # WhoAmI - For Testing and Troubleshooting 3 | whoami: 4 | image: traefik/whoami 5 | container_name: whoami 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "all"] 10 | networks: 11 | - t3_proxy 12 | labels: 13 | - "traefik.enable=true" 14 | # HTTP Routers 15 | - "traefik.http.routers.whoami-rtr.entrypoints=websecure" 16 | - "traefik.http.routers.whoami-rtr.rule=Host(`whoami.$DOMAINNAME_HS`)" 17 | # Middlewares 18 | - "traefik.http.routers.whoami-rtr.middlewares=chain-oauth@file" 19 | # HTTP Services 20 | - "traefik.http.routers.whoami-rtr.service=whoami-svc" 21 | - "traefik.http.services.whoami-svc.loadbalancer.server.port=80" -------------------------------------------------------------------------------- /compose/mds/airsonic-advanced.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Airsonic Advanced - Music Server 3 | airsonic-advanced: 4 | image: lscr.io/linuxserver/airsonic-advanced 5 | container_name: airsonic-advanced 6 | networks: 7 | - default 8 | security_opt: 9 | - no-new-privileges:true 10 | restart: "no" 11 | profiles: ["media", "all"] 12 | volumes: 13 | - $DOCKERDIR/appdata/airsonic/podcasts:/data/podcasts 14 | - 
$DOCKERDIR/appdata/airsonic/playlists:/data/playlists 15 | - $DOCKERDIR/appdata/airsonic/config:/config 16 | - $DATADIR/data/media/music:/data/music 17 | ports: 18 | - "4040:4040" 19 | environment: 20 | TZ: $TZ 21 | PUID: $PUID 22 | PGID: $PGID 23 | JAVA_OPTS: '-Dserver.forward-headers-strategy=native' # optional - if you use a reverse-proxy -------------------------------------------------------------------------------- /compose/mds/influxdb.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # InfluxDB - Database for sensor data 3 | influxdb: 4 | image: influxdb:latest 5 | container_name: influxdb 6 | networks: 7 | - default 8 | security_opt: 9 | - no-new-privileges:true 10 | restart: unless-stopped 11 | profiles: ["dbs", "all"] 12 | ports: 13 | - "8086:8086" 14 | volumes: 15 | - $DOCKERDIR/appdata/influxdb2/config:/etc/influxdb2 16 | - $DOCKERDIR/appdata/influxdb2/db:/var/lib/influxdb2 -------------------------------------------------------------------------------- /compose/mds/jellyfin.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Jellyfin - Media Server 3 | jellyfin: 4 | image: jellyfin/jellyfin:latest 5 | container_name: jellyfin 6 | networks: 7 | - default 8 | security_opt: 9 | - no-new-privileges:true 10 | restart: "no" 11 | profiles: ["media", "all"] 12 | user: $PUID:$PGID 13 | devices: 14 | - /dev/dri:/dev/dri # for harware transcoding 15 | ports: 16 | - "8096:8096" 17 | # - "8920:8920" # Emby also uses same port if running both 18 | environment: 19 | UMASK_SET: 022 20 | TZ: $TZ 21 | volumes: 22 | - $DOCKERDIR/appdata/jellyfin:/config 23 | - $DATADIR/data/media:/data/media1 24 | - $DATADIR/data2/media:/data/media2 25 | - $EXTDIR/ssd/downloads:/data/downloads 26 | - /dev/shm:/data/transcode # Offload transcoding to RAM if you have enough RAM -------------------------------------------------------------------------------- /compose/mds/mariadb.yml: 
-------------------------------------------------------------------------------- 1 | services: 2 | # MariaDB - MySQL Database 3 | # After starting container for first time dexec and mysqladmin -u root password 4 | mariadb: 5 | container_name: mariadb 6 | image: lscr.io/linuxserver/mariadb 7 | networks: 8 | - default 9 | security_opt: 10 | - no-new-privileges:true 11 | restart: unless-stopped 12 | profiles: ["dbs", "all"] 13 | ports: 14 | - "3306:3306" 15 | volumes: 16 | - $DOCKERDIR/appdata/mariadb/data:/config 17 | environment: 18 | TZ: $TZ 19 | PUID: $PUID 20 | PGID: $PGID 21 | FILE__MYSQL_ROOT_PASSWORD: /run/secrets/mysql_root_password # Note FILE__ (double underscore) - Issue #127 22 | secrets: 23 | - mysql_root_password -------------------------------------------------------------------------------- /compose/mds/node-exporter.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Node Exporter - Metrics to Prometheus 3 | node-exporter: 4 | container_name: node-exporter 5 | image: prom/node-exporter:latest 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["monitoring", "all"] 10 | networks: 11 | - default 12 | ports: 13 | - "9100:9100" 14 | volumes: 15 | - /proc:/host/proc:ro 16 | - /sys:/host/sys:ro 17 | - /:/rootfs:ro 18 | command: 19 | - '--path.procfs=/host/proc' 20 | - '--path.sysfs=/host/sys' 21 | - --collector.filesystem.ignored-mount-points 22 | - "^/(sys|proc|dev|host|etc|rootfs/var/lib/docker/containers|rootfs/var/lib/docker/overlay2|rootfs/run/docker/netns|rootfs/var/lib/docker/aufs)($$|/)" 23 | -------------------------------------------------------------------------------- /compose/mds/plex-image-cleanup.yml: -------------------------------------------------------------------------------- 1 | services: 2 | pic: 3 | image: meisnate12/plex-image-cleanup 4 | container_name: pic 5 | environment: 6 | - TZ=$TZ #optional 7 | volumes: 8 | - 
$DOCKERDIR/appdata/plex-image-cleanup:/config 9 | - $DOCKERDIR/appdata/plex/Library/Application Support/Plex Media Server:/plex 10 | restart: unless-stopped -------------------------------------------------------------------------------- /compose/mds/plex-meta-manager.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Plex Meta Manager - Automatic Metadata Manager for Plex 3 | plexmm: 4 | image: lscr.io/linuxserver/plex-meta-manager:latest 5 | container_name: plexmm 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: "no" 9 | profiles: ["media", "all"] 10 | environment: 11 | TZ: $TZ 12 | PUID: $PUID 13 | PGID: $PGID 14 | PMM_CONFIG: /config/config.yml #optional 15 | PMM_TIME: 03:00 #optional 16 | PMM_RUN: "True" #optional 17 | PMM_TEST: "False" #optional 18 | PMM_NO_MISSING: "False" #optional 19 | volumes: 20 | - $DOCKERDIR/appdata/plex-meta-manager:/config -------------------------------------------------------------------------------- /compose/mds/plex.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Plex - Media Server 3 | plex: 4 | image: plexinc/pms-docker:plexpass 5 | container_name: plex 6 | networks: 7 | - default 8 | security_opt: 9 | - no-new-privileges:true 10 | restart: "no" 11 | profiles: ["media", "all"] 12 | devices: 13 | - /dev/dri:/dev/dri # for harware transcoding 14 | ports: 15 | - "32400:32400/tcp" 16 | - "3005:3005/tcp" 17 | - "8324:8324/tcp" 18 | - "32469:32469/tcp" 19 | - "1900:1900/udp" 20 | - "32410:32410/udp" 21 | - "32412:32412/udp" 22 | - "32413:32413/udp" 23 | - "32414:32414/udp" 24 | #- "33400:33400/tcp" 25 | volumes: 26 | - $DOCKERDIR/appdata/plex:/config 27 | - $DATADIR/data/media:/data/media1 28 | - $DATADIR/data2/media:/data/media2 29 | # - $DATADIR/media:/data/media 30 | - $EXTDIR/ssd/downloads:/data/downloads 31 | - /dev/shm:/data/transcode # Offload transcoding to RAM if you have enough RAM 32 | environment: 33 
| TZ: $TZ 34 | HOSTNAME: "zPlex" 35 | PLEX_CLAIM_FILE: /run/secrets/plex_claim 36 | PLEX_UID: $PUID 37 | PLEX_GID: $PGID 38 | ADVERTISE_IP: "http://$MEDIASERVER_IP:32400/,http://$ZEROTIER_IP_MEDIASERVER:32400/,https://proxplex.$DOMAINNAME_HS" 39 | ALLOWED_NETWORKS: $LOCAL_IPS 40 | secrets: 41 | - plex_claim -------------------------------------------------------------------------------- /compose/mds/prometheus.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Prometheus - Database for sensor data 3 | prometheus: 4 | image: prom/prometheus:latest 5 | container_name: prometheus 6 | networks: 7 | - default 8 | security_opt: 9 | - no-new-privileges:true 10 | restart: unless-stopped 11 | profiles: ["dbs", "all"] 12 | ports: 13 | - "9090:9090" 14 | volumes: 15 | - $DOCKERDIR/appdata/prometheus/config:/etc/prometheus 16 | - $DOCKERDIR/appdata/prometheus/data:/prometheus 17 | user: $PUID:$PGID 18 | command: 19 | - '--config.file=/etc/prometheus/prometheus.yml' 20 | - '--storage.tsdb.path=/prometheus' 21 | - '--web.console.libraries=/usr/share/prometheus/console_libraries' 22 | - '--web.console.templates=/usr/share/prometheus/consoles' 23 | - '--web.enable-lifecycle' 24 | - '--web.enable-admin-api' -------------------------------------------------------------------------------- /compose/mds/tautulli.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Tautulli - Plex statistics and monitoring 3 | # Set HTTP Root in Tautulli settings if using PathPrefix 4 | tautulli: 5 | image: lscr.io/linuxserver/tautulli:latest 6 | container_name: tautulli 7 | security_opt: 8 | - no-new-privileges:true 9 | restart: "no" 10 | profiles: ["media", "all"] 11 | networks: 12 | - default 13 | ports: 14 | - "8181:8181" 15 | volumes: 16 | - $DOCKERDIR/appdata/tautulli/config:/config 17 | - $DOCKERDIR/appdata/plex/Library/Application Support/Plex Media Server/Logs:/logs:ro # For tautulli Plex 
log viewer 18 | environment: 19 | TZ: $TZ 20 | PUID: $PUID 21 | PGID: $PGID 22 | -------------------------------------------------------------------------------- /compose/ws/autoindex.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Autoindex - Simple Directory Index 3 | autoindex: 4 | container_name: autoindex 5 | image: dceoy/nginx-autoindex:latest 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "all"] 10 | networks: 11 | - t2_proxy 12 | # ports: 13 | # - "$AUTOINDEX_PORT:80" 14 | volumes: 15 | - $USERDIR:/var/lib/nginx/html:ro # Location you want to index 16 | labels: 17 | - "traefik.enable=true" 18 | # HTTP Routers 19 | - "traefik.http.routers.autoindex-rtr.entrypoints=websecure" 20 | - "traefik.http.routers.autoindex-rtr.rule=Host(`index.$DOMAINNAME_WS`)" 21 | # Middlewares 22 | - "traefik.http.routers.autoindex-rtr.middlewares=chain-oauth@file" 23 | # HTTP Services 24 | - "traefik.http.routers.autoindex-rtr.service=autoindex-svc" 25 | - "traefik.http.services.autoindex-svc.loadbalancer.server.port=80" -------------------------------------------------------------------------------- /compose/ws/certdumper.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Traefik Certs Dumper - Extract LetsEncrypt Certificates - Traefik2 Compatible 3 | certdumper: 4 | container_name: traefik_certdumper 5 | image: humenius/traefik-certs-dumper:latest 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "all"] 10 | network_mode: none 11 | # command: --restart-containers container1,container2,container3 12 | volumes: 13 | - $DOCKERDIR/appdata/traefik2/acme:/traefik:ro 14 | - $DOCKERDIR/shared/certs/$DOMAINNAME_WS:/output:rw 15 | # - /var/run/docker.sock:/var/run/docker.sock:ro # Only needed if restarting containers (use Docker Socket Proxy instead) 16 | environment: 17 | 
DOMAIN: $DOMAINNAME_WS -------------------------------------------------------------------------------- /compose/ws/cloudflare-bouncer.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # CrowdSec Bouncer - Cloudflare 3 | # sudo docker exec crowdsec cscli bouncer add cloudflare-bouncer 4 | # Set max ip number right the first time (max 10000). Recreating container deletes all ips and readds them causing cloudflare 429 rate limiting. 5 | cloudflare-bouncer: 6 | image: crowdsecurity/cloudflare-bouncer 7 | container_name: cloudflare-bouncer 8 | security_opt: 9 | - no-new-privileges:true 10 | restart: unless-stopped 11 | profiles: ["core", "all"] 12 | networks: 13 | - t2_proxy 14 | volumes: 15 | - $DOCKERDIR/appdata/cloudflare-bouncer/cfg.yaml:/etc/crowdsec/bouncers/crowdsec-cloudflare-bouncer.yaml -------------------------------------------------------------------------------- /compose/ws/crowdsec.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # CrowdSec - Open-source & collaborative security IPS 3 | crowdsec: 4 | image: crowdsecurity/crowdsec 5 | container_name: crowdsec 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["core", "all"] 10 | networks: 11 | - t2_proxy 12 | ports: 13 | - "$CROWDSEC_API_PORT:8080" 14 | - "$ZEROTIER_IP_WEBSERVER:$CROWDSEC_PROMETHEUS_EXPORT:6060" # If you don't use ZeroTier remove use just $CROWDSEC_PROMETHEUS_EXPORT:6060 15 | environment: 16 | COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/whitelist-good-actors crowdsecurity/iptables crowdsecurity/linux crowdsecurity/nginx crowdsecurity/discord-crawler-whitelist crowdsecurity/sshd crowdsecurity/wordpress" 17 | GID: "${GID-1000}" 18 | CUSTOM_HOSTNAME: dSHB 19 | volumes: 20 | - $DOCKERDIR/logs/ws:/logs/ws:ro 21 | - /var/log:/var/log:ro 22 | - $DOCKERDIR/appdata/crowdsec/data:/var/lib/crowdsec/data 23 | - 
$DOCKERDIR/appdata/crowdsec/config:/etc/crowdsec -------------------------------------------------------------------------------- /compose/ws/docker-gc.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Docker-GC - Automatic Docker Garbage Collection 3 | # Create docker-gc-exclude file 4 | docker-gc: 5 | image: clockworksoul/docker-gc-cron:latest 6 | container_name: docker-gc 7 | security_opt: 8 | - no-new-privileges:true 9 | restart: unless-stopped 10 | profiles: ["apps", "all"] 11 | networks: 12 | - socket_proxy 13 | volumes: 14 | # - /var/run/docker.sock:/var/run/docker.sock # Use Docker Socket Proxy instead for improved security 15 | - $DOCKERDIR/appdata/docker-gc/docker-gc-exclude:/etc/docker-gc-exclude 16 | environment: 17 | CRON: 12 0 0 * * ? # Everyday at midnight. 18 | FORCE_IMAGE_REMOVAL: 1 19 | FORCE_CONTAINER_REMOVAL: 0 20 | GRACE_PERIOD_SECONDS: 604800 21 | DRY_RUN: 0 22 | CLEAN_UP_VOLUMES: 1 23 | TZ: $TZ 24 | DOCKER_HOST: tcp://socket-proxy:2375 -------------------------------------------------------------------------------- /compose/ws/mariadb.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # MariaDB - MySQL Database 3 | # After starting container for first time dexec and mysqladmin -u root password 4 | mariadb: 5 | container_name: mariadb 6 | image: lscr.io/linuxserver/mariadb:10.11.6 7 | security_opt: 8 | - no-new-privileges:true 9 | restart: unless-stopped 10 | profiles: ["core", "all"] 11 | networks: 12 | - t2_proxy 13 | ports: 14 | - "$MARIADB_PORT:3306" 15 | volumes: 16 | # - $DOCKERDIR/appdata/mariadb:/var/lib/mysql 17 | - $DOCKERDIR/appdata/mariadb/data:/config 18 | environment: 19 | TZ: $TZ 20 | PUID: $PUID 21 | PGID: $PGID 22 | #FILE__MYSQL_ROOT_PASSWORD: /run/secrets/mysql_root_password # Note FILE__ (double underscore) - Issue #127 23 | secrets: 24 | - mysql_root_password 
-------------------------------------------------------------------------------- /compose/ws/node-exporter.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Node Exporter - Metrics to Prometheus 3 | node-exporter: 4 | container_name: node-exporter 5 | image: prom/node-exporter:latest 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["monitoring", "all"] 10 | networks: 11 | - t2_proxy 12 | ports: 13 | - "9100:9100" 14 | volumes: 15 | - /proc:/host/proc:ro 16 | - /sys:/host/sys:ro 17 | - /:/rootfs:ro 18 | command: 19 | - '--path.procfs=/host/proc' 20 | - '--path.sysfs=/host/sys' 21 | - --collector.filesystem.ignored-mount-points 22 | - "^/(sys|proc|dev|host|etc|rootfs/var/lib/docker/containers|rootfs/var/lib/docker/overlay2|rootfs/run/docker/netns|rootfs/var/lib/docker/aufs)($$|/)" 23 | -------------------------------------------------------------------------------- /compose/ws/php7.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # PHP - Hypertext Preprocessor 3 | php7: 4 | container_name: php7 5 | image: php:7.4-fpm-custom 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["core", "all"] 10 | networks: 11 | - t2_proxy 12 | build: 13 | context: $DOCKERDIR/custom/ 14 | dockerfile: Dockerfile-php7 15 | user: $PUID:$PGID # allows upgrading WP and plugins 16 | volumes: 17 | - $DOCKERDIR/appdata/sites/shb/html:/var/www/html/shb 18 | - $DOCKERDIR/appdata/sites/shb/beta:/var/www/html/beta 19 | - $DOCKERDIR/appdata/php/php7:/usr/local/etc/php 20 | - $DOCKERDIR/appdata/sites/khub/html:/var/www/html/khub 21 | - $DOCKERDIR/appdata/sites/dash/html:/var/www/html/dash -------------------------------------------------------------------------------- /compose/ws/phpmyadmin.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # phpMyAdmin - 
Database management 3 | # Create a new user with admin privileges. Cannot login as MySQL root for some reason. 4 | phpmyadmin: 5 | image: phpmyadmin/phpmyadmin:latest 6 | container_name: phpmyadmin 7 | security_opt: 8 | - no-new-privileges:true 9 | restart: unless-stopped 10 | profiles: ["apps", "all"] 11 | networks: 12 | - t2_proxy 13 | environment: 14 | - PMA_HOST=$MARIADB_HOST 15 | - PMA_PORT=$MARIADB_PORT 16 | #- PMA_ARBITRARY=1 17 | - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password 18 | secrets: 19 | - mysql_root_password 20 | labels: 21 | - "traefik.enable=true" 22 | # HTTP Routers 23 | - "traefik.http.routers.phpmyadmin-rtr.entrypoints=websecure" 24 | - "traefik.http.routers.phpmyadmin-rtr.rule=Host(`pma.$DOMAINNAME_WS`)" 25 | # Middlewares 26 | - "traefik.http.routers.phpmyadmin-rtr.middlewares=chain-oauth@file" 27 | # HTTP Services 28 | - "traefik.http.routers.phpmyadmin-rtr.service=phpmyadmin-svc" 29 | - "traefik.http.services.phpmyadmin-svc.loadbalancer.server.port=80" -------------------------------------------------------------------------------- /compose/ws/portainer.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Portainer - WebUI for Containers 3 | portainer: 4 | container_name: portainer 5 | image: portainer/portainer-ee:latest # Use portainer-ce if you do no have a Business Edition license key 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["core", "all"] 10 | networks: 11 | - t2_proxy 12 | - socket_proxy 13 | # command: -H unix:///var/run/docker.sock # # Use Docker Socket Proxy instead for improved security 14 | command: -H tcp://socket-proxy:2375 15 | volumes: 16 | # - /var/run/docker.sock:/var/run/docker.sock:ro # # Use Docker Socket Proxy instead for improved security 17 | - $DOCKERDIR/appdata/portainer/data:/data # Change to local directory if you want to save/transfer config locally 18 | environment: 19 | - TZ=$TZ 20 | labels: 21 | - 
"traefik.enable=true" 22 | # HTTP Routers 23 | - "traefik.http.routers.portainer-rtr.entrypoints=websecure" 24 | - "traefik.http.routers.portainer-rtr.rule=Host(`portainer.$DOMAINNAME_WS`)" 25 | # Middlewares 26 | - "traefik.http.routers.portainer-rtr.middlewares=chain-oauth@file" 27 | # HTTP Services 28 | - "traefik.http.routers.portainer-rtr.service=portainer-svc" 29 | - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000" -------------------------------------------------------------------------------- /compose/ws/redis.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # Redis - Key-value Store 3 | redis: 4 | container_name: redis 5 | image: redis:latest 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["core", "all"] 10 | networks: 11 | - t2_proxy 12 | entrypoint: redis-server --appendonly yes --requirepass $REDIS_PASSWORD --maxmemory 512mb --maxmemory-policy allkeys-lru 13 | ports: 14 | - "6379:6379" 15 | volumes: 16 | - $DOCKERDIR/appdata/redis/data:/data 17 | - /etc/timezone:/etc/timezone:ro 18 | - /etc/localtime:/etc/localtime:ro -------------------------------------------------------------------------------- /compose/ws/traefik-bouncer.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # CrowdSec Bouncer - Traefik 3 | # sudo docker exec crowdsec cscli bouncer add traefik-bouncer 4 | traefik-bouncer: 5 | image: fbonalair/traefik-crowdsec-bouncer 6 | container_name: traefik-bouncer 7 | security_opt: 8 | - no-new-privileges:true 9 | restart: unless-stopped 10 | profiles: ["core", "all"] 11 | networks: 12 | - t2_proxy 13 | environment: 14 | GIN_MODE: release # default is debug (more logs) 15 | CROWDSEC_BOUNCER_API_KEY: $CROWDSEC_BOUNCER_TRAEFIK_API_KEY # sudo docker exec crowdsec cscli bouncers add traefik-bouncer 16 | CROWDSEC_AGENT_HOST: crowdsec:8080 # CrowdSec host and port 17 | 
CROWDSEC_BOUNCER_LOG_LEVEL: 2 # https://pkg.go.dev/github.com/rs/zerolog#readme-leveled-logging 18 | -------------------------------------------------------------------------------- /compose/ws/vscode.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # VSCode - VSCode Editing 3 | vscode: 4 | image: lscr.io/linuxserver/code-server:latest 5 | container_name: vscode 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "all"] 10 | networks: 11 | - t2_proxy 12 | volumes: 13 | - $DOCKERDIR:/data/docker 14 | - $USERDIR/server:/data/server 15 | - $DATADIR:/data/data 16 | - $DOCKERDIR/appdata/vscode:/config 17 | environment: 18 | TZ: $TZ 19 | PUID: $PUID 20 | PGID: $PGID 21 | # DOCKER_HOST: tcp://socket-proxy:2375 22 | # PASSWORD: $VSCODE_PASSWORD 23 | # HASHED_PASSWORD: #optional 24 | # SUDO_PASSWORD: password #optional 25 | # SUDO_PASSWORD_HASH: #optional 26 | # PROXY_DOMAIN: code-server.my.domain #optional 27 | DEFAULT_WORKSPACE: /config/data/User/Workspaces/AZ.code-workspace #optional 28 | labels: 29 | - "traefik.enable=true" 30 | # HTTP Routers 31 | - "traefik.http.routers.vscode-rtr.entrypoints=websecure" 32 | - "traefik.http.routers.vscode-rtr.rule=Host(`code.$DOMAINNAME_WS`)" 33 | # Middlewares 34 | - "traefik.http.routers.vscode-rtr.middlewares=chain-oauth@file" 35 | # HTTP Services 36 | - "traefik.http.routers.vscode-rtr.service=vscode-svc" 37 | - "traefik.http.services.vscode-svc.loadbalancer.server.port=8443" -------------------------------------------------------------------------------- /compose/ws/wg-easy.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # WG-EASY - WireGuard Easy 3 | wg-easy: 4 | image: ghcr.io/wg-easy/wg-easy 5 | container_name: wg-easy 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["core", "all"] 10 | networks: 11 | - default 12 | - t2_proxy 13 | 
cap_add: 14 | - NET_ADMIN 15 | - SYS_MODULE 16 | sysctls: 17 | - net.ipv4.ip_forward=1 18 | - net.ipv4.conf.all.src_valid_mark=1 19 | ports: 20 | - "51820:51820/udp" 21 | - "51821:51821/tcp" 22 | volumes: 23 | - $DOCKERDIR/appdata/wireguard:/etc/wireguard 24 | environment: 25 | # ⚠️ Required: 26 | # Change this to your host's public address 27 | - WG_HOST=$SERVER_IP 28 | - PASSWORD=$WGEASY_PASSWORD 29 | # Optional: 30 | # - WG_PORT=51820 31 | - WG_DEFAULT_ADDRESS=192.168.20.x 32 | - WG_DEFAULT_DNS=1.1.1.1 33 | # - WG_MTU=1420 34 | # - WG_ALLOWED_IPS=0.0.0.0/0 35 | # - WG_PRE_UP=echo "Pre Up" > /etc/wireguard/pre-up.txt 36 | # - WG_POST_UP=echo "Post Up" > /etc/wireguard/post-up.txt 37 | # - WG_PRE_DOWN=echo "Pre Down" > /etc/wireguard/pre-down.txt 38 | # - WG_POST_DOWN=echo "Post Down" > /etc/wireguard/post-down.txt -------------------------------------------------------------------------------- /compose/ws/whoami.yml: -------------------------------------------------------------------------------- 1 | services: 2 | # WhoAmI - For Testing and Troubleshooting 3 | whoami: 4 | image: traefik/whoami 5 | container_name: whoami 6 | security_opt: 7 | - no-new-privileges:true 8 | restart: unless-stopped 9 | profiles: ["apps", "all"] 10 | networks: 11 | - t2_proxy 12 | labels: 13 | - "traefik.enable=true" 14 | # HTTP Routers 15 | - "traefik.http.routers.whoami-rtr.entrypoints=websecure" 16 | - "traefik.http.routers.whoami-rtr.rule=Host(`whoami.$DOMAINNAME_WS`)" 17 | # Middlewares 18 | - "traefik.http.routers.whoami-rtr.middlewares=chain-oauth@file" 19 | # HTTP Services 20 | - "traefik.http.routers.whoami-rtr.service=whoami-svc" 21 | - "traefik.http.services.whoami-svc.loadbalancer.server.port=80" -------------------------------------------------------------------------------- /custom/Dockerfile-csdash: -------------------------------------------------------------------------------- 1 | FROM metabase/metabase 2 | 3 | RUN mkdir /data/ && wget 
https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/metabase_sqlite.zip && unzip metabase_sqlite.zip -d /data/ -------------------------------------------------------------------------------- /custom/Dockerfile-php7: -------------------------------------------------------------------------------- 1 | # https://github.com/mlocati/docker-php-extension-installer 2 | 3 | # https://www.php.net/ChangeLog-7.php 4 | FROM php:7.4-fpm 5 | 6 | # ADD https://raw.githubusercontent.com/mlocati/docker-php-extension-installer/master/install-php-extensions /usr/local/bin/ 7 | ADD https://github.com/mlocati/docker-php-extension-installer/releases/latest/download/install-php-extensions /usr/local/bin/ 8 | 9 | 10 | RUN chmod uga+x /usr/local/bin/install-php-extensions && sync && \ 11 | install-php-extensions gd mysqli pdo_mysql opcache imagick exif zip mcrypt pspell redis sockets ssh2 bcmath intl calendar 12 | 13 | # ADDED AUGUST 18, 2022 BECAUSE ERRORS IN PHP7 DOCKER LOGS TO INCREASE MAX_CHILDREN 14 | # https://serverfault.com/questions/884256/how-and-where-to-configure-pm-max-children-for-php-fpm-with-docker 15 | # SETUP PHP-FPM CONFIG SETTINGS (max_children / max_requests) 16 | RUN echo 'pm.max_children = 15' >> /usr/local/etc/php-fpm.d/zz-docker.conf && \ 17 | echo 'pm.max_requests = 500' >> /usr/local/etc/php-fpm.d/zz-docker.conf -------------------------------------------------------------------------------- /scripts/ds918/change_perms_plex_hw.sh.example: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Change permissions of GPU so Plex on Docker can do Hardware transcoding. 4 | 5 | chmod 777 /dev/dri* -------------------------------------------------------------------------------- /scripts/ds918/increase_inotify_limits_syncthing.sh.example: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Synology default is 8192. 
This is very low and Syncthing warns to "increase inotify limits".
13 | NEW_HTTP_PORT=81 14 | NEW_HTTPS_PORT=444 15 | 16 | ################ DO NOT EDIT BEYOND THIS LINE ########################### 17 | sed -i "s/^\([ \t]\+listen[ \t]\+[]:[]*\)$DEFAULT_HTTP_PORT\([^0-9]\)/\1$NEW_HTTP_PORT\2/" /usr/syno/share/nginx/*.mustache 18 | sed -i "s/^\([ \t]\+listen[ \t]\+[]:[]*\)$DEFAULT_HTTPS_PORT\([^0-9]\)/\1$NEW_HTTPS_PORT\2/" /usr/syno/share/nginx/*.mustache 19 | 20 | synosystemctl restart nginx 21 | -------------------------------------------------------------------------------- /secrets_example/basic_auth_credentials: -------------------------------------------------------------------------------- 1 | users:hashed-password -------------------------------------------------------------------------------- /secrets_example/cf_dns_api_token: -------------------------------------------------------------------------------- 1 | h_P8lkjsdADDjf_plsadlksjdfD894SXsdlkjdfikwj52 2 | -------------------------------------------------------------------------------- /secrets_example/traefik_forward_auth: -------------------------------------------------------------------------------- 1 | ### EXAMPLE OF REQUIRED FILE TO ALLOW DOCKER SECRETS TO FUNCTION WITH GOOGLE OAUTH 2 | ### FOR FURTHER DETAILS SEE https://github.com/thomseddon/traefik-forward-auth 3 | # Guide: https://www.smarthomebeginner.com/google-oauth-with-traefik-2-docker/ 4 | 5 | providers.google.client-id=yourGOOGLEclientID 6 | providers.google.client-secret=yourCLIENTsecret 7 | secret=yourOAUTHsecret 8 | whitelist=yourEMAILaddress1 9 | whitelist=yourEMAILaddress2 10 | -------------------------------------------------------------------------------- /shared/config/bash_aliases.env.example: -------------------------------------------------------------------------------- 1 | BA_USERNAME=your_username 2 | BA_MYEMAIL1=your_email 3 | BA_MOSQUITTO_HOST=example_mosquitto_host_ip 4 | BA_MOSQUITTO_USERNAME=example_mosquitto_username 5 | BA_MOSQUITTO_PASSWORD=example_mosquitto_password 6 | 7 | # DOMAIN 
8 | # I am sure there is a better way than using $HOSTNAME - if you do, feel free to share/contribute 9 | case $HOSTNAME in 10 | cDoc|zDoc|zSyn) 11 | BA_DOMAINNAME='example1.com' 12 | ;; 13 | cSHB|zSHB) 14 | BA_DOMAINNAME='example2.com' 15 | ;; 16 | *) 17 | esac --------------------------------------------------------------------------------