├── main.network.disabled
├── Caddyfile
├── grafana.container
├── uptime-kuma.container
├── vaultwarden.container.disabled
├── forgejo.container
├── jellyfin.container
├── homeassistant.container
├── caddy.container.disabled
├── syncthing.container
├── renovate.json
├── orches.container
├── homarr.container
├── pi-hole.container.disabled
└── README.md

/main.network.disabled:
--------------------------------------------------------------------------------
[Network]
--------------------------------------------------------------------------------

/Caddyfile:
--------------------------------------------------------------------------------
{
    default_sni {YOUR_IP_ADDRESS}
}

https://{YOUR_IP_ADDRESS} {
    reverse_proxy systemd-vaultwarden:80
}
--------------------------------------------------------------------------------

/grafana.container:
--------------------------------------------------------------------------------
[Container]
Image=docker.io/grafana/grafana-oss:12.0.1
Volume=grafana-data:/var/lib/grafana:Z
PublishPort=8081:3000

[Service]
Restart=on-failure

[Install]
WantedBy=default.target
--------------------------------------------------------------------------------

/uptime-kuma.container:
--------------------------------------------------------------------------------
[Container]
Image=docker.io/louislam/uptime-kuma:1.23.16
Volume=uptimekuma-data:/app/data:Z
PublishPort=3001:3001

[Service]
Restart=on-failure

[Install]
WantedBy=default.target
--------------------------------------------------------------------------------

/vaultwarden.container.disabled:
--------------------------------------------------------------------------------
[Container]
Image=docker.io/vaultwarden/server:1.34.1
Volume=vaultwarden-data:/data:Z
Network=main.network

[Service]
Restart=on-failure

[Install]
WantedBy=default.target
--------------------------------------------------------------------------------

/forgejo.container:
--------------------------------------------------------------------------------
[Container]
Image=codeberg.org/forgejo/forgejo:11.0.1
PublishPort=8080:3000
PublishPort=2222:22
Volume=forgejo-data:/data:Z

[Service]
Restart=on-failure

[Install]
WantedBy=default.target
--------------------------------------------------------------------------------

/jellyfin.container:
--------------------------------------------------------------------------------
[Container]
Image=docker.io/jellyfin/jellyfin:10.10.7
Volume=jellyfin-config:/config:Z
Volume=jellyfin-cache:/cache:Z
Volume=media:/media:Z
PublishPort=8096:8096

[Service]
Restart=on-failure

[Install]
WantedBy=default.target
--------------------------------------------------------------------------------

/homeassistant.container:
--------------------------------------------------------------------------------
# This container uses host networking. The web interface will be available on port 8123.
[Container]
Image=ghcr.io/home-assistant/home-assistant:2025.5.3
Volume=homeassistant-config:/config:Z
PodmanArgs=--network=host

[Service]
Restart=on-failure

[Install]
WantedBy=default.target
--------------------------------------------------------------------------------

/caddy.container.disabled:
--------------------------------------------------------------------------------
[Container]
Image=docker.io/caddy:2.10.0-alpine
Network=main.network
PublishPort=4443:443
PublishPort=4443:443/udp
Volume=caddy-data:/data:Z
Volume=%h/.config/orches/repo/Caddyfile:/etc/caddy/Caddyfile:z

[Service]
Restart=on-failure
X-Version=1

[Install]
WantedBy=default.target
--------------------------------------------------------------------------------

/syncthing.container:
--------------------------------------------------------------------------------
[Container]
Image=lscr.io/linuxserver/syncthing:1.29.7
Volume=syncthing-config:/config:Z
Volume=syncthing-data:/data:Z
PublishPort=8384:8384
PublishPort=22000:22000/tcp
PublishPort=22000:22000/udp
PublishPort=21027:21027/udp

[Service]
Restart=on-failure

[Install]
WantedBy=default.target

--------------------------------------------------------------------------------

/renovate.json:
--------------------------------------------------------------------------------
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended"
  ],
  "customManagers": [
    {
      "customType": "regex",
      "description": "Update quadlet container images",
      "fileMatch": [
        "[.]container([.]disabled)?$"
      ],
      "matchStrings": [
        "Image=(?<depName>\\S*):(?<currentValue>\\S*)"
      ],
      "datasourceTemplate": "docker"
    }
  ]
}
--------------------------------------------------------------------------------
/orches.container:
--------------------------------------------------------------------------------
[Unit]
Description=Orches: container orchestrator

[Container]
Image=ghcr.io/orches-team/orches:0.1.0
Exec=run
Environment=XDG_RUNTIME_DIR=/run/user/%U
Volume=%h/.config/orches:/var/lib/orches
Volume=%h/.config/containers/systemd:/etc/containers/systemd
Mount=type=bind,source=/run/user/%U/systemd,destination=/run/user/%U/systemd,rw=true
UserNS=keep-id
PodmanArgs=--pid host

[Service]
Restart=always

[Install]
WantedBy=default.target

--------------------------------------------------------------------------------

/homarr.container:
--------------------------------------------------------------------------------
[Container]
Image=ghcr.io/homarr-labs/homarr:v1.23.0
Volume=homarr-configs:/app/data/configs:Z
Volume=homarr-icons:/app/public/icons:Z
Volume=homarr-data:/app/data:Z
EnvironmentFile=%h/homarr.key
PublishPort=7575:7575

[Service]
Restart=on-failure
# Generate a random encryption key if it doesn't exist. umask 077 makes the key
# file readable by this user only; under the default umask it would be world-readable.
ExecStartPre=sh -c 'umask 077; [ -f %h/homarr.key ] || echo SECRET_ENCRYPTION_KEY=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d " \n") > %h/homarr.key'

[Install]
WantedBy=default.target
--------------------------------------------------------------------------------

/pi-hole.container.disabled:
--------------------------------------------------------------------------------
# The web interface will be available on port 8082.
# You must set a password by changing `changeme` below. It is committed in this file,
# so anyone who can read the repository can read it; Quadlet's Secret= key
# (see podman-systemd.unit(5)) avoids that for real deployments.
# Using NET_ADMIN is optional and only required for DHCP server functionality.
[Container]
Image=docker.io/pihole/pihole:2025.06.1
PublishPort=53:53/tcp
PublishPort=53:53/udp
PublishPort=8082:80/tcp
Volume=pihole-etc:/etc/pihole:Z
Volume=pihole-dnsmasq.d:/etc/dnsmasq.d:Z
Environment=WEBPASSWORD=changeme
PodmanArgs=--cap-add=NET_ADMIN

[Service]
Restart=on-failure

[Install]
WantedBy=default.target
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
![orches logo](https://raw.githubusercontent.com/orches-team/common/main/orches-logo-text.png)

# [orches](https://github.com/orches-team/orches) example deployment

Feel free to [fork this repository](https://github.com/orches-team/example/fork), or use the [minimal rootless template](https://github.com/orches-team/orches-config-rootless), or the [rootful template](https://github.com/orches-team/orches-config-rootful) to get started quickly.

## Quick Start

To run this example deployment with orches, execute the following commands:

```bash
loginctl enable-linger $(whoami)

mkdir -p ~/.config/orches ~/.config/containers/systemd

podman run --rm -it --userns=keep-id --pid=host --pull=newer \
  --mount \
  type=bind,source=/run/user/$(id -u)/systemd,destination=/run/user/$(id -u)/systemd \
  -v ~/.config/orches:/var/lib/orches \
  -v ~/.config/containers/systemd:/etc/containers/systemd \
  --env XDG_RUNTIME_DIR=/run/user/$(id -u) \
  ghcr.io/orches-team/orches init \
  https://github.com/orches-team/example.git
```

This will initialize orches with the contents of this repository and start all defined services as user units. Note what that implies: orches runs with your user's systemd runtime directory and the host PID namespace, and it starts whatever units the repository contains, so anyone who can push to the repository it syncs from can run arbitrary containers as your user. Treat write access to that repository like shell access to the host.

## Included Services

The following services are installed and managed by default:

### [forgejo](https://forgejo.org/)
Self-hosted Git service

**Ports:** web: `8080`, ssh: `2222`

### [grafana](https://grafana.com/)
Analytics and monitoring dashboard

**Port:** `8081`

### [homarr](https://homarr.dev/)
Simple and customizable homepage for your server

**Port:** `7575`

### [homeassistant](https://www.home-assistant.io/)
Open-source home automation platform

**Port:** `8123` (host networking)

### [jellyfin](https://jellyfin.org/)
Media server for streaming movies, TV, music, and more

**Port:** `8096`

### [syncthing](https://syncthing.net/)
Continuous file synchronization

**Ports:** web: `8384`, sync: `22000/tcp+udp`, discovery: `21027/udp`

### [uptime-kuma](https://github.com/louislam/uptime-kuma)
Self-hosted monitoring tool

**Port:** `3001`

All of these ports are published on every interface of the host (`PublishPort=host:container` with no bind address). Prefix the host port with an address, for example `PublishPort=127.0.0.1:8081:3000`, for anything that should only be reachable locally or through a reverse proxy.

You can customize this deployment by editing or adding unit files in this repository. For more information, see the [orches documentation](https://github.com/orches-team/orches#readme).

## Enabling Extra Services

Some services are included but disabled by default. To enable them:

1. **Fork this repository** to your own GitHub account.
2. **Clone your fork** locally and make the desired changes (such as adding or modifying configuration files for the extra services).
3. **Push your changes** to your forked repository.
4. On your orches host, **switch orches to use your fork** by running:

```bash
podman exec systemd-orches orches switch
```

5. orches will automatically apply the changes and start the newly enabled services.

For more details, see the [orches documentation](https://github.com/orches-team/orches#readme).
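Before pushing changes to a fork, it is worth scanning the unit files for the patterns that matter here: ports published on every interface, host networking, added capabilities, and credentials kept in `Environment=`. The script below is an added example, not part of orches, that audits a directory of `.container` files for those patterns. The three sample units it writes are constructed from this repository's files, and the findings are heuristics for a reviewer, not a verdict.

```bash
#!/bin/sh
# Audit quadlet .container files for settings a reviewer should look at before
# they are pushed to every host that syncs this repository.
# Added example, not part of orches. Keys checked are from podman-systemd.unit(5).

audit_quadlet() {
  # Print one finding per line for the quadlet file given as $1.
  f=$1
  unit=$(basename "$f")

  # PublishPort= without a bind address listens on every interface. Quadlet
  # accepts ip:hostPort:containerPort, so 127.0.0.1:8081:3000 keeps a web UI
  # reachable only from the host itself (or a reverse proxy running on it).
  grep -E '^PublishPort=' "$f" | sed 's/^PublishPort=//' | while IFS= read -r spec; do
    case $spec in
      *.*.*.*:*|\[*\]:*) ;;   # IPv4 or bracketed IPv6 bind address is present
      *) printf '%s: PublishPort=%s listens on all interfaces\n' "$unit" "$spec" ;;
    esac
  done

  # Host networking drops the network namespace entirely (Home Assistant here).
  if grep -qE '^(Network=host|PodmanArgs=.*--net(work)?[= ]host)' "$f"; then
    printf '%s: host networking, no network namespace isolation\n' "$unit"
  fi

  # Added capabilities widen what the container process may do.
  grep -E '^(AddCapability=|PodmanArgs=.*--cap-add)' "$f" | while IFS= read -r line; do
    printf '%s: capability added (%s)\n' "$unit" "$line"
  done

  # A credential in Environment= lands in git history and in `podman inspect`.
  # Secret=name,type=env,target=VAR pulls it from `podman secret` instead.
  # Only the variable name is printed, never the value.
  grep -iE '^Environment=[^=]*(PASS|SECRET|TOKEN|_KEY)[^=]*=' "$f" | while IFS= read -r line; do
    v=${line#Environment=}
    printf '%s: plaintext credential in Environment=%s\n' "$unit" "${v%%=*}"
  done
}

count_findings() {
  audit_quadlet "$1" | awk 'END { print NR }'
}

write_samples() {
  # Constructed sample units modelled on this repository; prints the directory.
  d=$(mktemp -d)
  cat > "$d/pi-hole.container" <<'EOF'
[Container]
Image=docker.io/pihole/pihole:2025.06.1
PublishPort=53:53/tcp
PublishPort=53:53/udp
PublishPort=8082:80/tcp
Environment=WEBPASSWORD=changeme
PodmanArgs=--cap-add=NET_ADMIN
EOF
  cat > "$d/homeassistant.container" <<'EOF'
[Container]
Image=ghcr.io/home-assistant/home-assistant:2025.5.3
PodmanArgs=--network=host
EOF
  cat > "$d/grafana.container" <<'EOF'
[Container]
Image=docker.io/grafana/grafana-oss:12.0.1
PublishPort=127.0.0.1:8081:3000
Secret=grafana-admin,type=env,target=GF_SECURITY_ADMIN_PASSWORD
EOF
  printf '%s\n' "$d"
}

# Point AUDIT_DIR at the checked-out repository on a real host; defaults to the samples.
for f in "${AUDIT_DIR:-$(write_samples)}"/*.container; do
  audit_quadlet "$f"
done
```

On the samples, the pi-hole unit yields five findings (three all-interface ports, one capability, one credential), the Home Assistant unit one, and the hardened grafana unit none. The last shows the two quadlet keys that resolve the common findings: a bind address on `PublishPort=` and `Secret=` in place of `Environment=` for anything sensitive.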

### Disabled Services

- **vaultwarden** – Self-hosted password manager
- **pi-hole** – Network-wide ad blocker

#### Enabling vaultwarden

To enable **vaultwarden** with HTTPS using Caddy:

1. **Enable the required unit files** in your fork by removing the `.disabled` suffix:

```bash
mv caddy.container.disabled caddy.container
mv main.network.disabled main.network
mv vaultwarden.container.disabled vaultwarden.container
```

   vaultwarden publishes no host port of its own; it is only reachable through Caddy on `main.network`, which listens on `4443`.

2. **Edit the `Caddyfile`** and replace `{YOUR_IP_ADDRESS}` with your node's actual IP address.
> **Note:** Using a domain name is recommended for production, but this quick start uses your IP for simplicity. Caddy serves a bare IP address with a certificate from its own local CA rather than a publicly trusted one, so browsers and the Bitwarden clients will warn until you trust that CA or switch to a domain name.

Example diff for `Caddyfile`:

```diff
 {
-    default_sni {YOUR_IP_ADDRESS}
+    default_sni 192.168.1.42
 }

-https://{YOUR_IP_ADDRESS} {
+https://192.168.1.42 {
     reverse_proxy systemd-vaultwarden:80
 }
```

3. **Commit and push**, then **sync orches** on the host to apply the changes:

```bash
podman exec systemd-orches orches sync
```

You can now access vaultwarden at `https://{YOUR_IP_ADDRESS}:4443/`.

#### Enabling pi-hole

To enable **pi-hole** (which requires binding to port 53):

1. **Allow unprivileged users to bind to port 53** (required for rootless Podman, which cannot bind ports below 1024 by default):

```bash
echo "net.ipv4.ip_unprivileged_port_start=53" | sudo tee /etc/sysctl.d/50-unprivileged-ports.conf
sudo sysctl --system
```

> **Note:** This sysctl is host-wide. Afterwards every unprivileged process on the machine, not only Podman, may bind any port from 53 upward, including 80 and 443. 53 is the lowest value Pi-hole needs; do not set it lower.

2. **Remove the `.disabled` suffix** from the following file:
   - `pi-hole.container.disabled` → `pi-hole.container`

   Also replace `changeme` in `Environment=WEBPASSWORD=changeme` with a password of your own. It is committed to your fork, so anyone who can read the repository can read it.

3. **Sync orches** to apply the changes:

```bash
podman exec systemd-orches orches sync
```

Pi-hole should now be running and accessible on your server. The dashboard is available at `http://{YOUR_IP_ADDRESS}:8082/`.
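The pi-hole unit above is the weak form: a password in `Environment=` that lives in git, and a dashboard published on every interface. The following is an added example, not part of orches or Pi-hole, showing the hardened counterpart: `WEBPASSWORD` is supplied through Quadlet's `Secret=` key from a `podman secret`, and the web port is pinned to loopback while port 53 stays published for DNS clients. The secret name `pihole-webpassword` and the file paths are assumptions; the `podman secret create` step is printed, not executed.

```bash
#!/bin/sh
# Hardened counterpart to pi-hole.container.disabled: the web password comes
# from a podman secret instead of a plaintext Environment= line, and the
# dashboard is published on loopback only. Port 53 has to stay reachable by
# DNS clients, so it is left as published. Added example, not part of orches
# or Pi-hole; the secret name pihole-webpassword is an assumption.

# Constructed copy of the relevant lines of this repository's pi-hole unit.
SAMPLE_UNIT='[Container]
Image=docker.io/pihole/pihole:2025.06.1
PublishPort=53:53/tcp
PublishPort=53:53/udp
PublishPort=8082:80/tcp
Volume=pihole-etc:/etc/pihole:Z
Environment=WEBPASSWORD=changeme
PodmanArgs=--cap-add=NET_ADMIN'

# Rewrite a quadlet read on stdin:
#   Environment=WEBPASSWORD=...  -> Secret=pihole-webpassword,type=env,target=WEBPASSWORD
#   PublishPort=HOST:80/tcp      -> PublishPort=127.0.0.1:HOST:80/tcp
# Secret= is the quadlet key documented in podman-systemd.unit(5); with
# type=env the secret's content becomes the WEBPASSWORD variable at run time.
harden_pihole_unit() {
  sed -E \
    -e 's/^Environment=WEBPASSWORD=.*$/Secret=pihole-webpassword,type=env,target=WEBPASSWORD/' \
    -e 's#^PublishPort=([0-9]+):80/tcp$#PublishPort=127.0.0.1:\1:80/tcp#'
}

# Write a random 32-byte hex password to a new file $1 with mode 0600. The
# umask is set before the file is created; a bare `echo > file` under the
# default umask would leave it readable by every local user. Same generator
# as homarr.container's ExecStartPre.
write_password_file() {
  ( umask 077 && head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$1" )
  [ "$(wc -c < "$1" | tr -d ' ')" -eq 64 ]
}

# First ten characters of ls -l, e.g. -rw-------, portable across GNU and BSD.
perm_string() {
  ls -ld "$1" | cut -c1-10
}

# Demo: print the hardened unit, then generate a password file for the
# one-time `podman secret create` on the host (the podman call is shown, not run).
printf '%s\n' "$SAMPLE_UNIT" | harden_pihole_unit
dir=$(mktemp -d)
write_password_file "$dir/pihole.pass"
echo "# $(perm_string "$dir/pihole.pass") $dir/pihole.pass"
echo "# podman secret create pihole-webpassword $dir/pihole.pass"
```

Run `podman secret create pihole-webpassword <file>` once on the host before syncing the rewritten unit; the secret lives in Podman's store rather than in the repository, and `podman inspect` on the running container no longer shows the password in its environment definition.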
--------------------------------------------------------------------------------