From f7de6d2b6a96ccfbf5c8c6a6c5ac775c8a8a24dd Mon Sep 17 00:00:00 2001 From: Thomas Dehaeze Date: Sun, 3 Jan 2021 22:54:40 +0100 Subject: [PATCH] Add nas file --- docs/index.html | 16 +- docs/nas.html | 1965 +++++++++++++++++++++++++++++++++++++++++++++++ index.org | 11 +- nas.org | 1890 +++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 3871 insertions(+), 11 deletions(-) create mode 100644 docs/nas.html create mode 100644 nas.org diff --git a/docs/index.html b/docs/index.html index bba42e7..a8e087b 100644 --- a/docs/index.html +++ b/docs/index.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + Dotfiles - Manjaro Linux @@ -38,13 +38,13 @@ There are Specific configuration files for:
  • Editors: Neovim and Emacs (Doom) (library of babel, snippets)
  • Shell: Bash
  • Terminal Emulator: Termite
  • -
  • Terminal Multiplexer TMUX
  • -
  • Image Setup: SXIV
  • -
  • Music Setup: NCMPCPP, Mopidy and Beets
  • -
  • Video Setup: MPV
  • +
  • Terminal Multiplexer Tmux
  • +
  • Image Setup: Sxiv
  • +
  • Music Setup: Ncmpcpp, Mopidy and Beets
  • +
  • Video Setup: Mpv
  • Web Browser: Qutebrowser
  • PDF Reader: Zathura
  • -
  • GUI File Manager: Pcmanfm
  • +
  • GUI File Manager: PCManFM
  • Terminal File Manager: Ranger
  • Calendar: Vdirsyncer and Khal
  • Mails: Mbsync, Msmtp, Mu and Neomutt
  • @@ -57,6 +57,10 @@ There are Specific configuration files for:
  • GUI Toolkit: GTK
  • Other Config
  • + +

    +I also have a nice Home-Server which configuration files can be found here. +

    diff --git a/docs/nas.html b/docs/nas.html new file mode 100644 index 0000000..c5d0e9e --- /dev/null +++ b/docs/nas.html @@ -0,0 +1,1965 @@ + + + + + + +Home Server + + + + + + +
    + UP + | + HOME +
    +

    Home Server

    + + +
    +

    Installation

    +
    +
    +
    +

    Hardware

    +
    + + + +++ ++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 1: Home Server Hardware
    PartModel
    CaseFractal Design Node 804
    MotherboardASUS PRIME B450M-A
    CPUAMD Ryzen 3 3200G
    RAMCorsair Vengeance LPX 16Go (2x8Go) DDR4 3200MHz
    CoolerARCTIC Freezer 34 eSports DUO
    PSUCorsair SF450
    SSD M.2Samsung 970 EVO Plus 250Gb
    Disk DrivesVarious drives ranging from 3Tb to 8Tb
    +
    +
    + +
    +

    Ubuntu

    +
    +
      +
    • Download Ubuntu Server 20.04 LTS (link).
    • +
    • Activate OpenSSH and add SSH Keys
    • +
    • Account: thomas, hostname: homelab
    • +
    +
    +
    + +
    +

    Install Important software

    +
    +
    +
      sudo apt install neovim tmux fd-find ripgrep apache2-utils unrar ranger fzf stow
    +
    +
    +
    +
    + +
    +

    Terminal Problem

    +
    +

    +On the local host, using Termite: +

    +
    +
      infocmp > termite.terminfo  # export Termite's Terminfo
    +  scp termite.terminfo user@remote-host:~/  # or any other method to copy to the remote host
    +
    +
    + +

    +On the remote host, in the directory where you copied termite.terminfo: +

    +
    +
      tic -x termite.terminfo  # import Terminfo for current user
    +  rm termite.terminfo  # optional: remove Terminfo file
    +
    +
    +
    +
    + +
    +

    Minor Modifications of ~/.inputrc

    +
    +

    +Modify ~/.inputrc, like so: +

    +
    +
      "\e[A": history-search-backward            # arrow up
    +  "\e[B": history-search-forward             # arrow down
    +
    +
    +
    +
    + +
    +

    Partition and Format Disk Drives

    +
    +

    +A nice tutorial is available here. +

    + +
    +
      lsblk
    +
    +
    + +
    +
      sudo parted /dev/sda mklabel gpt
    +
    +
    + +
    +
      sudo parted -a opt /dev/sda mkpart "partitionname" ext4 0% 100%
    +
    +
    + +
    +
      sudo mkfs.ext4 -L partitionname /dev/sda1
    +
    +
    +
    +
    + +
    +

    MergerFS and FStab

    +
    +

    +MergerFS is a transparent layer that sits on top of the data drives providing a single mount point for reads / writes (link). +

    + + +
    +
      sudo apt install mergerfs
    +
    +
    + +

    +Create mount points +

    +
    +
      sudo mkdir /mnt/disk0
    +  sudo mkdir /mnt/disk1
    +  sudo mkdir /mnt/parity
    +
    +
    + +

    +Create folder where disks will be merged. +

    +
    +
      sudo mkdir /srv/storage
    +
    +
    + +

    +Edit /etc/fstab. +

    +
    +
      /dev/disk/by-uuid/7fb7873c-83bd-4805-98ab-506e6c7b56fa /mnt/disk0  ext4 defaults 0 0
    +  /dev/disk/by-uuid/6574b7ae-321c-4078-9793-bc41a4fa5588 /mnt/disk1  ext4 defaults 0 0
    +  /dev/disk/by-uuid/6fcd38b9-0886-46bd-900d-cb1f170dbcee /mnt/parity ext4 defaults 0 0
    +
    +  /mnt/disk* /srv/storage fuse.mergerfs direct_io,defaults,allow_other,minfreespace=50G,fsname=mergerfs 0 0
    +
    +
    +
    +
    + +
    +

    Automating with SnapRAID Runner

    +
    +

    +SnapRAID is a snapshot parity calculation tool which acts at the block level independent of filesystem (link). +

    + +

    +SnapRAID is here used inside a Docker container (link). +

    +
    +
    + +
    +

    Install Docker

    +
    +

    +The procedure is well explained here. +

    + +

    +If docker is already installed, remove it: +

    +
    +
      sudo apt remove docker
    +
    +
    +
    +
    + +
    +

    Executing the Docker Command Without Sudo

    +
    +
    +
      sudo usermod -aG docker ${USER}
    +
    +
    + +

    +To apply the new group membership, log out of the server and back in, or type the following: +

    +
    +
      su - ${USER}
    +
    +
    +
    +
    + +
    +

    Install Docker-Compose

    +
    +
    +
      sudo apt install docker-compose
    +
    +
    +
    +
    + +
    +

    Setup Docker Networks

    +
    +
    +
      docker network create --gateway 192.168.90.1 --subnet 192.168.90.0/24 t2_proxy
    +  docker network create docker_default
    +
    +
    +
    +
    + +
    +

    Change Timezone

    +
    +
    +
      sudo timedatectl set-timezone Europe/Paris
    +
    +
    +
    +
    + +
    +

    Secure the Web Server

    +
    +

    +Most of it comes from here. +

    + +
      +
    • Set PasswordAuthentication no in /etc/ssh/sshd_config
    • +
    +
    +
    + +
    +

    Automatic Security Updates

    +
    +

    +The procedure is well explained here. +

    +
    +
      sudo apt install unattended-upgrades update-notifier-common
    +
    +
    + +

    +Edit /etc/apt/apt.conf.d/50unattended-upgrades, and change the following lines: +

    +
    +
    Unattended-Upgrade::Remove-Unused-Dependencies "true";
    +Unattended-Upgrade::Automatic-Reboot "true";
    +Unattended-Upgrade::Automatic-Reboot-Time "04:00";
    +
    +
    + +

    +Edit /etc/apt/apt.conf.d/20auto-upgrades: +

    +
    +
    APT::Periodic::Update-Package-Lists "1";
    +APT::Periodic::Unattended-Upgrade "1";
    +
    +
    +
    +
    + +
    +

    Setup cronjobs

    +
    +

    +Create a folder ~/cron with all the scripts and logs related to cron. +

    + +

    +To edit the cron jobs, type crontab -e and add a line like: +

    +
    +
      */5 * * * * /home/thomas/cron/caddy_update.sh >> /home/thomas/cron/caddy_update.log 2>&1
    +
    +
    + +

    +That will run every 5 minutes. +To check how the first part of the crontab works, check this website. +

    +
    +
    + +
    +

    Run docker-compose

    +
    +
    +
      cd ~/docker && docker-compose up -d
    +
    +
    +
    +
    +
    + +
    +

    Maintenance - How To

    +
    +
    +
    +

    Update System/Packages

    +
    +
    +
      sudo -- sh -c 'apt-get update; apt-get upgrade -y; apt-get dist-upgrade -y; apt-get autoremove -y; apt-get autoclean -y'
    +
    +
    +
    +
    + +
    +

    Docker Commands

    +
    +
      +
    • Starting a container: $ docker start homeassistant
    • +
    • Stopping a container: $ docker stop homeassistant
    • +
    • Restarting a container: $ docker restart homeassistant
    • +
    • Listing the running containers: $ docker ps or $ cd ~/docker/ && docker-compose ps
    • +
    • View the logs of a container: $ docker logs -f homeassistant
    • +
    • Drop a shell into a container: $ docker exec -it homeassistant /bin/bash
    • +
    • Update specific container: docker-compose pull --ignore-pull-failures homeassistant
    • +
    + +

    +Update All Containers +

    +
    +
      cd ~/docker/ && docker-compose pull --ignore-pull-failures && docker-compose up -d
    +
    +
    + +

    +Clean up Docker environment +This will delete all unused images, volumes and networks. +

    +
    +
      docker system prune -f && docker image prune -f && docker volume prune -f
    +
    +
    +
    +
    + +
    +

    Add User and Password for Basic Authentication

    +
    + +
    +
    + +
    +

    Snapraid

    +
    +

    +To see all files “backed up” by snapraid, use: +

    +
    +
      docker exec -ti snapraid snapraid list | fzf
    +
    +
    + +

    +In reality, snapraid in ran from the docker container: +

    +
    +
      docker exec -ti snapraid snapraid fix -f <path_to_file>
    +
    +
    + +

    +The path to file should be relative: /srv/storage/Cloud/org/file.org -> /Cloud/org/file.org +

    +
    +
    + +
    +

    Restore Online backup with restic

    +
    +

    +To list backups: +

    +
    +
      docker exec restic restic snapshots
    +
    +
    + +
    +ID        Time                 Host          Tags        Paths
    +--------------------------------------------------------------------------------
    +a7b98408  2020-09-03 21:18:00  4803c2af7d4e              /data/documents/manuals
    +088e31a4  2020-09-03 21:50:26  4803c2af7d4e              /data/documents/manuals
    +9cf0b480  2020-09-03 22:05:47  4803c2af7d4e              /data/documents/manuals
    +--------------------------------------------------------------------------------
    +3 snapshots
    +
    + + +

    +Force backup of folder: +

    +
    +
      docker exec restic restic backup /data/documents/manuals
    +
    +
    + +
    +
    +Files:           0 new,     2 changed,  8475 unmodified
    +Dirs:            0 new,     2 changed,     0 unmodified
    +Added to the repo: 1.010 KiB
    +
    +processed 8477 files, 589.800 MiB in 0:02
    +snapshot 9cf0b480 saved
    +
    + + +

    +Find the path to the file within the snapshot: +

    +
    +
      docker exec restic restic find file_name
    +
    +
    + +

    +Find files only for a specific snapshot: +

    +
    +
      docker exec restic restic find -s latest file_name
    +
    +
    + +

    +Backup files/folders: +

    +
    +
      docker exec restic restic restore --include /data/documents/manuals --target / 088e31a4
    +
    +
    + +

    +You can use latest instead of the ID. +

    +
    +
    +
    + +
    +

    Docker-Compose

    +
    +
    +
    version: "3.2"
    +
    +
    +
    + +
    +

    Networks

    +
    +
    +
    networks:
    +  t2_proxy:
    +    external:
    +      name: t2_proxy
    +  backend:
    +    external: false
    +  default:
    +    driver: bridge
    +
    +
    +
    +
    + +
    +

    Traefik

    +
    +
    +
    services:
    +
    +
    + +
    +
      traefik:
    +    container_name: traefik
    +    image: traefik:2.2.1
    +    restart: unless-stopped
    +    command:
    +      - --global.checkNewVersion=true
    +      - --global.sendAnonymousUsage=false
    +      - --entryPoints.http.address=:80
    +      - --entryPoints.https.address=:443
    +      - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22
    +      - --entryPoints.traefik.address=:8080
    +      - --api=true
    +      - --api.dashboard=true
    +      - --log=true
    +      - --log.level=ERROR # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
    +      - --accessLog=true
    +      - --accessLog.filePath=/var/log/access.log
    +      - --accessLog.filters.statusCodes=400-499
    +      - --providers.docker=true
    +      - --providers.docker.endpoint=unix:///var/run/docker.sock
    +      - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
    +      - --providers.docker.exposedByDefault=false
    +      - --providers.docker.network=t2_proxy
    +      - --providers.docker.swarmMode=false
    +      - --providers.file.directory=/rules
    +      - --providers.file.watch=true
    +      # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
    +      - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
    +      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
    +      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
    +      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
    +    networks:
    +      t2_proxy:
    +        ipv4_address: 192.168.90.254 # You can specify a static IP
    +    security_opt:
    +      - no-new-privileges:true
    +    ports:
    +      - 80:80
    +      - 443:443
    +      - 8080:8080
    +    volumes:
    +      - $CONFIGDIR/traefik2/rules:/rules
    +      - $CONFIGDIR/traefik2/acme/acme.json:/acme.json
    +      - $CONFIGDIR/traefik2/shared:/shared
    +      - /var/log/traefik:/var/log
    +      - /var/run/docker.sock:/var/run/docker.sock:ro
    +    environment:
    +      - CF_API_EMAIL=$CLOUDFLARE_EMAIL
    +      - CF_API_KEY=$CLOUDFLARE_API_KEY
    +    labels:
    +      - "traefik.enable=true"
    +      # HTTP-to-HTTPS Redirect
    +      - "traefik.http.routers.http-catchall.entrypoints=http"
    +      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
    +      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
    +      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
    +      # HTTP Routers
    +      - "traefik.http.routers.traefik-rtr.entrypoints=https"
    +      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
    +      - "traefik.http.routers.traefik-rtr.tls=true"
    +      # - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
    +      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
    +      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
    +      # Services - API
    +      - "traefik.http.routers.traefik-rtr.service=api@internal"
    +      # Middlewares
    +      - "traefik.http.routers.traefik-rtr.middlewares=middlewares-basic-auth@file"
    +      - "traefik.http.routers.traefik-rtr.middlewares=middlewares-rate-limit@file,middlewares-basic-auth@file"
    +      - "traefik.http.middlewares.traefik-auth.basicauth.users=tdehaeze:$$apr1$$d.JmbY5J$$K8btOi1fwwVYOkCnicCVi."
    +      # Authelia
    +      # - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.$DOMAINNAME/'
    +      # - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
    +      # - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups'
    +
    +
    +
    +
    + +
    +

    Portainer

    +
    +
    +
      portainer:
    +    container_name: portainer
    +    image: portainer/portainer
    +    restart: unless-stopped
    +    command: -H unix:///var/run/docker.sock
    +    command: --no-auth
    +    networks:
    +      - t2_proxy
    +    security_opt:
    +      - no-new-privileges:true
    +    volumes:
    +      - /var/run/docker.sock:/var/run/docker.sock:ro
    +      - $CONFIGDIR/portainer:/data
    +    environment:
    +      - TZ=$TZ
    +    labels:
    +      - "traefik.enable=true"
    +      - "traefik.http.routers.portainer-rtr.entrypoints=https"
    +      - "traefik.http.routers.portainer-rtr.rule=Host(`portainer.$DOMAINNAME`)"
    +      - "traefik.http.routers.portainer-rtr.tls=true"
    +      - "traefik.http.routers.portainer-rtr.service=portainer-svc"
    +      - "traefik.http.routers.portainer-rtr.middlewares=traefik-auth"
    +      - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000"
    +
    +
    +
    +
    + +
    +

    Jellyfin

    +
    +
    +
      jellyfin:
    +    container_name: jellyfin
    +    image: linuxserver/jellyfin
    +    restart: unless-stopped
    +    networks:
    +      - t2_proxy
    +    volumes:
    +      - $CONFIGDIR/jellyfin:/config
    +      - /srv/storage/TVShows:/data/tvshows
    +      - /srv/storage/LiveMusic:/data/livemusic
    +      - /srv/storage/Animes:/data/animes
    +      - /srv/storage/Movies:/data/movies
    +      - /srv/storage/Music:/data/music
    +    environment:
    +      - PUID=$PUID
    +      - PGID=$PGID
    +      - TZ=$TZ
    +    labels:
    +      - "traefik.enable=true"
    +      - "traefik.http.routers.jellyfin-rtr.entrypoints=https"
    +      - "traefik.http.routers.jellyfin-rtr.rule=Host(`jellyfin.$DOMAINNAME`)"
    +      - "traefik.http.routers.jellyfin-rtr.tls=true"
    +      - "traefik.http.routers.jellyfin-rtr.service=jellyfin-svc"
    +      - "traefik.http.services.jellyfin-svc.loadbalancer.server.port=8096"
    +
    +
    +
    +
    + +
    +

    Gitea

    +
    +
    +
      gitea:
    +    container_name: git
    +    image: gitea/gitea:1.12.4
    +    depends_on:
    +      - gitea_db
    +    restart: unless-stopped
    +    networks:
    +      - t2_proxy
    +      - backend
    +    volumes:
    +      - $CONFIGDIR/gitea:/data
    +    environment:
    +      - PUID=$PUID
    +      - PGID=$PGID
    +      - TZ=$TZ
    +      - SSH_PORT=$GITEA_SSH_PORT
    +    ports:
    +      - "2222:22"
    +    labels:
    +      - "traefik.enable=true"
    +      - "traefik.http.routers.git-rtr.entrypoints=https"
    +      - "traefik.http.routers.git-rtr.rule=Host(`git.$DOMAINNAME`)"
    +      - "traefik.http.routers.git-rtr.tls=true"
    +      - "traefik.http.routers.git-rtr.service=git-svc"
    +      - "traefik.http.services.git-svc.loadbalancer.server.port=3000"
    +
    +
    + +
    +
      gitea_db:
    +    container_name: gitea_db
    +    image: mariadb:10
    +    restart: unless-stopped
    +    networks:
    +      - backend
    +    ports:
    +      - 3306:3306
    +    environment:
    +      - MYSQL_ROOT_PASSWORD=$GITEA_DB_MYSQL_ROOT_PASSWORD
    +      - MYSQL_DATABASE=gitea
    +      - MYSQL_USER=gitea
    +      - MYSQL_PASSWORD=$GITEA_DB_MYSQL_PASSWORD
    +    volumes:
    +      - $CONFIGDIR/mariadb:/var/lib/mysql
    +
    +
    +
    +
    + +
    +

    Transfer.sh

    +
    +
    +
      transfer:
    +    container_name: transfer
    +    image: dutchcoders/transfer.sh
    +    restart: unless-stopped
    +    networks:
    +      - t2_proxy
    +    environment:
    +      - PUID=$PUID
    +      - PGID=$PGID
    +      - TZ=$TZ
    +      - UMASK_SET=022
    +      - BASEDIR=/tmp/
    +      - PROVIDER=local
    +    volumes:
    +      - /srv/storage/Uploads:/tmp/
    +    labels:
    +      - "traefik.enable=true"
    +      - "traefik.http.routers.transfer-rtr.entrypoints=https"
    +      - "traefik.http.routers.transfer-rtr.rule=Host(`file.$DOMAINNAME`)"
    +      - "traefik.http.routers.transfer-rtr.tls=true"
    +      - "traefik.http.routers.transfer-rtr.service=transfer-svc"
    +      - "traefik.http.services.transfer-svc.loadbalancer.server.port=8080"
    +
    +
    +
    +
    + +
    +

    Caddy

    +
    +
    +
      caddy:
    +    container_name: caddy
    +    image: abiosoft/caddy:1.0.3-no-stats
    +    restart: unless-stopped
    +    networks:
    +      - t2_proxy
    +    environment:
    +      - PUID=$PUID
    +      - PGID=$PGID
    +      - TZ=$TZ
    +      - PLUGINS=git
    +    volumes:
    +      - $CONFIGDIR/caddy/Caddyfile:/etc/Caddyfile
    +      - $CONFIGDIR/web:/srv
    +        # - ~/.ssh:/root/.ssh
    +    labels:
    +      - "traefik.enable=true"
    +      - "traefik.http.routers.caddy-rtr.entrypoints=https"
    +      - "traefik.http.routers.caddy-rtr.rule=Host(`research.$DOMAINNAME`)"
    +      - "traefik.http.routers.caddy-rtr.tls=true"
    +      - "traefik.http.routers.caddy-rtr.service=caddy-svc"
    +      - "traefik.http.services.caddy-svc.loadbalancer.server.port=2015"
    +
    +
    +
    +
    + +
    +

    Syncthing

    +
    +
    +
      syncthing:
    +    container_name: syncthing
    +    image: linuxserver/syncthing
    +    restart: unless-stopped
    +    networks:
    +      - t2_proxy
    +    environment:
    +      - PUID=$PUID
    +      - PGID=$PGID
    +      - TZ=$TZ
    +      - UMASK_SET=022
    +    volumes:
    +      - $CONFIGDIR/syncthing:/config
    +      - /srv/storage/Cloud:/Cloud
    +      - /srv/storage/Cloud/pictures/phone:/Pictures
    +      - /srv/storage/Cloud/pdfs:/Onyx/Download
    +      - /srv/storage/Cloud/pdfs-notes:/Onyx/note
    +      - /srv/storage/Cloud/.stfolder:/Onyx/.stfolder
    +      - /srv/storage/.password-store:/.password-store
    +    ports:
    +      - 22000:22000
    +      - 21027:21027/udp
    +    labels:
    +      - "traefik.enable=true"
    +      - "traefik.http.routers.syncthing-rtr.entrypoints=https"
    +      - "traefik.http.routers.syncthing-rtr.rule=Host(`syncthing.$DOMAINNAME`)"
    +      - "traefik.http.routers.syncthing-rtr.tls=true"
    +      - "traefik.http.routers.syncthing-rtr.service=syncthing-svc"
    +      - "traefik.http.routers.syncthing-rtr.middlewares=traefik-auth"
    +      - "traefik.http.services.syncthing-svc.loadbalancer.server.port=8384"
    +
    +
    +
    +
    + +
    +

    Aria2

    +
    +
    +
      aria2:
    +    container_name: aria2
    +    image: p3terx/aria2-pro
    +    restart: unless-stopped
    +    networks:
    +      - t2_proxy
    +    environment:
    +      - PUID=$PUID
    +      - PGID=$PGID
    +    volumes:
    +      - $CONFIGDIR/aria2:/config
    +      - /srv/storage/Downloads:/downloads
    +    ports:
    +      - 6800:6800
    +
    +
    +
    +
    + +
    +

    Miniflux

    +
    +
    +
      miniflux:
    +    container_name: miniflux
    +    image: miniflux/miniflux:latest
    +    restart: unless-stopped
    +    networks:
    +      - t2_proxy
    +      - backend
    +    depends_on:
    +      - miniflux_db
    +    environment:
    +      - DATABASE_URL=postgres://miniflux:SCJWWXqHwehP7f8g@miniflux_db/miniflux?sslmode=disable
    +      - RUN_MIGRATIONS=1
    +      - CREATE_ADMIN=1
    +      - ADMIN_USERNAME=$MINIFLUX_ADMIN_NAME
    +      - ADMIN_PASSWORD=$MINIFLUX_ADMIN_PASS
    +    labels:
    +      - "traefik.enable=true"
    +      - "traefik.http.routers.miniflux-rtr.entrypoints=https"
    +      - "traefik.http.routers.miniflux-rtr.rule=Host(`rss.$DOMAINNAME`)"
    +      - "traefik.http.routers.miniflux-rtr.tls=true"
    +      # - 'traefik.http.routers.miniflux-rtr.middlewares=traefik-auth'
    +      # - 'traefik.http.routers.miniflux-rtr.middlewares=authelia@docker'
    +      - "traefik.http.routers.miniflux-rtr.service=miniflux-svc"
    +      - "traefik.http.services.miniflux-svc.loadbalancer.server.port=8080"
    +
    +  miniflux_db:
    +    container_name: miniflux_db
    +    image: postgres:12
    +    restart: unless-stopped
    +    networks:
    +      - backend
    +    environment:
    +      - POSTGRES_USER=miniflux
    +      - POSTGRES_PASSWORD=$MINIFLUX_POSTGRES_PASSWORD
    +    volumes:
    +      - $CONFIGDIR/miniflux_db:/var/lib/postgresql/data
    +
    +
    +
    +
    + +
    +

    Wireguard

    +
    +
    +
      wireguard:
    +    container_name: wireguard
    +    image: linuxserver/wireguard
    +    restart: unless-stopped
    +    networks:
    +      - t2_proxy
    +    cap_add:
    +      - NET_ADMIN
    +      - SYS_MODULE
    +    environment:
    +      - PUID=$PUID
    +      - PGID=$PGID
    +      - TZ=$TZ
    +      - SERVERURL=wireguard.tdehaeze.xyz
    +      - SERVERPORT=51820
    +      - PEERS=3
    +      - PEERDNS=auto
    +    volumes:
    +      - $CONFIGDIR/wireguard:/config
    +      - /lib/modules:/lib/modules
    +    ports:
    +      - 51820:51820/udp
    +
    +
    +
    +
    + +
    +

    Snapraid

    +
    +
    +
      snapraid:
    +    container_name: snapraid
    +    image: xagaba/snapraid
    +    restart: unless-stopped
    +    privileged: true
    +    volumes:
    +      - /mnt:/mnt
    +      - $CONFIGDIR/snapraid:/config
    +      - type: "bind"
    +        source: /dev/disk
    +        target: /dev/disk
    +    environment:
    +      - PUID=$PUID
    +      - PGID=$PGID
    +      - TZ=$TZ
    +
    +
    +
    +
    + +
    +

    Home Assistant

    +
    +
    +
      homeassistant:
    +    container_name: homeassistant
    +    image: homeassistant/home-assistant
    +    restart: unless-stopped
    +    #networks:
    +    #  - t2_proxy
    +    #ports:
    +    #  - target: 8123
    +    #    published: 8123
    +    #    protocol: tcp
    +    #    mode: host
    +    privileged: true
    +    network_mode: host
    +    volumes:
    +      - $CONFIGDIR/homeassistant:/config
    +      - /etc/localtime:/etc/localtime:ro
    +      - /dev/bus/usb:/dev/bus/usb
    +        # - ${USERDIR}/docker/shared:/shared
    +    environment:
    +      - PUID=$PUID
    +      - PGID=$PGID
    +      - TZ=$TZ
    +    logging:
    +      options:
    +        max-size: 10m
    +    labels:
    +      - "traefik.enable=true"
    +      - "traefik.http.routers.homeassistant-rtr.entrypoints=https,http"
    +      - "traefik.http.routers.homeassistant-rtr.rule=Host(`home.$DOMAINNAME`)"
    +      - "traefik.http.routers.homeassistant-rtr.tls=true"
    +      - "traefik.http.routers.homeassistant-rtr.service=homeassistant-svc"
    +      - "traefik.http.services.homeassistant-svc.loadbalancer.servers.url=http://172.17.0.1:8123"
    +      #- "traefik.http.services.homeassistant-svc.loadbalancer.server.port=8123"
    +
    +
    +
    +
    + +
    +

    Jackett

    +
    +
    +
      jackett:
    +    container_name: jackett
    +    image: linuxserver/jackett
    +    restart: unless-stopped
    +    networks:
    +      - backend
    +    environment:
    +      - PUID=$PUID
    +      - PGID=$PGID
    +      - TZ=$TZ
    +      - AUTO_UPDATE=true
    +    # - RUN_OPTS=
    +    volumes:
    +      - $CONFIGDIR/jackett:/config
    +      - /srv/storage/Downloads:/downloads
    +    ports:
    +      - 9117:9117
    +
    +
    +
    +
    + +
    +

    Radarr

    +
    +
    +
      radarr:
    +    container_name: radarr
    +    image: linuxserver/radarr
    +    restart: unless-stopped
    +    networks:
    +      - backend
    +    environment:
    +      - PUID=$PUID
    +      - PGID=$PGID
    +      - TZ=$TZ
    +      - UMASK_SET=022
    +    volumes:
    +      - $CONFIGDIR/radarr:/config
    +      - /srv/storage/Movies:/movies
    +      - /srv/storage/Downloads:/downloads
    +    ports:
    +      - 7878:7878
    +
    +
    +
    +
    + +
    +

    Sonarr

    +
    +
    +
      sonarr:
    +    container_name: sonarr
    +    image: linuxserver/sonarr
    +    restart: unless-stopped
    +    networks:
    +      - backend
    +    environment:
    +      - PUID=$PUID
    +      - PGID=$PGID
    +      - TZ=$TZ
    +      - UMASK_SET=022
    +    volumes:
    +      - $CONFIGDIR/sonarr:/config
    +      - /srv/storage/TVShows:/tv
    +      - /srv/storage/Downloads:/downloads
    +    ports:
    +      - 8989:8989
    +
    +
    +
    +
    + +
    +

    Ombi

    +
    +
    +
      ombi:
    +    container_name: ombi
    +    image: linuxserver/ombi
    +    restart: unless-stopped
    +    networks:
    +      - t2_proxy
    +    environment:
    +      - PUID=$PUID
    +      - PGID=$PGID
    +      - TZ=$TZ
    +      # - BASE_URL=/ombi #optional
    +    volumes:
    +      - $CONFIGDIR/ombi:/config
    +    labels:
    +      - "traefik.enable=true"
    +      - "traefik.http.routers.ombi-rtr.entrypoints=https"
    +      - "traefik.http.routers.ombi-rtr.rule=Host(`ombi.$DOMAINNAME`)"
    +      - "traefik.http.routers.ombi-rtr.tls=true"
    +      - "traefik.http.routers.ombi-rtr.service=ombi-svc"
    +      - "traefik.http.services.ombi-svc.loadbalancer.server.port=3579"
    +
    +
    +
    +
    + +
    +

    Transmission

    +
    +
    +
      transmission-openvpn:
    +    container_name: transmission
    +    image: haugene/transmission-openvpn:2.13
    +    restart: unless-stopped
    +    networks:
    +      - t2_proxy
    +      - backend
    +    environment:
    +      - PUID=$PUID
    +      - PGID=$PGID
    +      - CREATE_TUN_DEVICE=true
    +      - ENABLE_UFW=true
    +      - WEBPROXY_ENABLED=false
    +      - TRANSMISSION_WEB_UI=combustion
    +      - OPENVPN_PROVIDER=NORDVPN
    +      - OPENVPN_USERNAME=$NORDVPN_NAME
    +      - OPENVPN_PASSWORD=$NORDVPN_PASS
    +      - NORDVPN_COUNTRY=FR
    +      - NORDVPN_CATEGORY=P2P
    +      - NORDVPN_PROTOCOL=tcp
    +      - LOCAL_NETWORK=192.168.0.0/16
    +    volumes:
    +      - /srv/storage/Downloads:/data
    +      - /etc/localtime:/etc/localtime:ro
    +    cap_add:
    +      - NET_ADMIN
    +    ports:
    +      - 9091:9091
    +      - 51413:51413
    +      - 51413:51413/udp
    +    labels:
    +      - "traefik.enable=true"
    +      - "traefik.http.routers.transmission-rtr.entrypoints=https"
    +      - "traefik.http.routers.transmission-rtr.rule=Host(`torrent.$DOMAINNAME`)"
    +      - "traefik.http.routers.transmission-rtr.tls=true"
    +      - "traefik.http.routers.transmission-rtr.service=transmission-svc"
    +      - "traefik.http.routers.transmission-rtr.middlewares=traefik-auth"
    +      - "traefik.http.services.transmission-svc.loadbalancer.server.port=9091"
    +
    +
    +
    +
    + +
    +

    Bazarr

    +
    +
    +
      bazarr:
    +    container_name: bazarr
    +    image: linuxserver/bazarr
    +    restart: unless-stopped
    +    networks:
    +      - backend
    +    environment:
    +      - PUID=$PUID
    +      - PGID=$PGID
    +      - TZ=$TZ
    +      - UMASK_SET=022 #optional
    +    volumes:
    +      - $CONFIGDIR/bazarr:/config
    +      - /srv/storage/TVShows:/tv
    +      - /srv/storage/Movies:/movies
    +    ports:
    +      - 6767:6767
    +
    +
    +
    +
    + +
    +

    Hugo

    +
    +
    +
      hugo:
    +    container_name: hugo
    +    image: muninn/hugo-caddy
    +    restart: unless-stopped
    +    networks:
    +      - t2_proxy
    +    environment:
    +        - REPO=git.tdehaeze.xyz/tdehaeze/digital-brain
    +    labels:
    +      - "traefik.enable=true"
    +      - "traefik.http.routers.hugo-rtr.entrypoints=https"
    +      - "traefik.http.routers.hugo-rtr.rule=Host(`brain.$DOMAINNAME`)"
    +      - "traefik.http.routers.hugo-rtr.tls=true"
    +      - "traefik.http.routers.hugo-rtr.service=hugo-svc"
    +      - "traefik.http.services.hugo-svc.loadbalancer.server.port=2015"
    +
    +
    +
    +
    + +
    +

    Bitwarden

    +
    +
    +
      bitwarden:
    +    container_name: bitwarden
    +    image: bitwardenrs/server
    +    restart: unless-stopped
    +    networks:
    +      - t2_proxy
    +    environment:
    +      - PUID=$PUID
    +      - PGID=$PGID
    +      - TZ=$TZ
    +    volumes:
    +      - $CONFIGDIR/bitwarden:/data
    +    labels:
    +      - "traefik.enable=true"
    +      - "traefik.http.routers.bitwarden-rtr.entrypoints=https"
    +      - "traefik.http.routers.bitwarden-rtr.rule=Host(`bw.$DOMAINNAME`)"
    +      - "traefik.http.routers.bitwarden-rtr.tls=true"
    +      - "traefik.http.routers.bitwarden-rtr.service=bitwarden-svc"
    +      - "traefik.http.services.bitwarden-svc.loadbalancer.server.port=80"
    +
    +
    +
    +
    + +
    +

    Homer

    +
    +
    +
      homer:
    +    container_name: homer
    +    image: b4bz/homer
    +    restart: unless-stopped
    +    networks:
    +      - t2_proxy
    +    environment:
    +      - UID=$PUID
    +      - GID=$PGID
    +      - TZ=$TZ
    +    volumes:
    +      - $CONFIGDIR/homer/assets/:/www/assets
    +    labels:
    +      - "traefik.enable=true"
    +      - "traefik.http.routers.homer-rtr.entrypoints=https"
    +      - "traefik.http.routers.homer-rtr.rule=Host(`homer.$DOMAINNAME`)"
    +      - "traefik.http.routers.homer-rtr.tls=true"
    +      - "traefik.http.routers.homer-rtr.service=homer-svc"
    +      - "traefik.http.services.homer-svc.loadbalancer.server.port=8080"
    +
    +
    +
    +
    + +
    +

    Restic

    +
    +
    +
      restic:
    +    container_name: restic
    +    image: mazzolino/restic
    +    restart: "no"
    +    networks:
    +      - t2_proxy
    +    environment:
    +      - RUN_ON_STARTUP=true
    +      - BACKUP_CRON=0 30 0 * * *
    +      - RESTIC_REPOSITORY=rclone:mega:mega
    +      - RESTIC_PASSWORD="$RESTIC_PASSWORD"
    +      - RESTIC_BACKUP_SOURCES=/data
    +      - RESTIC_FORGET_ARGS=--keep-daily 7 --keep-weekly 4 --keep-monthly 12
    +      - UID=$PUID
    +      - GID=$PGID
    +      - TZ=$TZ
    +    volumes:
    +      - $CONFIGDIR/restic:/root/.config/rclone
    +      - /srv/storage/Cloud/thesis:/data/thesis
    +
    +
    +
    +
    + +
    +

    CloudCMD

    +
    +
    +
      cloudcmd:
    +    container_name: cloudcmd
    +    image: coderaiser/cloudcmd
    +    restart: unless-stopped
    +    networks:
    +      - t2_proxy
    +    environment:
    +      - PUID=$PUID
    +      - PGID=$PGID
    +      - TZ=$TZ
    +      - CLOUDCMD_ROOT=/mnt/fs
    +      - CLOUDCMD_VIM=true
    +      - CLOUDCMD_ONE_FILE_PANEL=true
    +    volumes:
    +      - /srv/storage/Downloads:/mnt/fs/Downloads
    +      - /srv/storage/Cloud:/mnt/fs/Cloud
    +      - /srv/storage/TVShows:/mnt/fs/TVShows
    +    labels:
    +      - "traefik.enable=true"
    +      - "traefik.http.routers.cloudcmd-rtr.entrypoints=https"
    +      - "traefik.http.routers.cloudcmd-rtr.rule=Host(`cloud.$DOMAINNAME`)"
    +      - "traefik.http.routers.cloudcmd-rtr.tls=true"
    +      - "traefik.http.routers.cloudcmd-rtr.service=cloudcmd-svc"
    +      - "traefik.http.routers.cloudcmd-rtr.middlewares=traefik-auth"
    +      - "traefik.http.services.cloudcmd-svc.loadbalancer.server.port=8000"
    +
    +
    +
    +
    + +
    +

    Gotify

    +
    +
    +
      gotify:
    +    container_name: gotify
    +    image: gotify/server
    +    restart: unless-stopped
    +    networks:
    +      - t2_proxy
    +    environment:
    +      - PUID=$PUID
    +      - PGID=$PGID
    +      - TZ=$TZ
    +      - GOTIFY_DEFAULTUSER_NAME=$GOTIFY_DEFAULTUSER_NAME
    +      - GOTIFY_DEFAULTUSER_PASS=$GOTIFY_DEFAULTUSER_PASS
    +    volumes:
    +      - $CONFIGDIR/gotify:/app/data
    +    labels:
    +      - "traefik.enable=true"
    +      - "traefik.http.routers.gotify-rtr.entrypoints=https"
    +      - "traefik.http.routers.gotify-rtr.rule=Host(`notify.$DOMAINNAME`)"
    +      - "traefik.http.routers.gotify-rtr.tls=true"
    +      - "traefik.http.routers.gotify-rtr.service=gotify-svc"
    +      - "traefik.http.services.gotify-svc.loadbalancer.server.port=80"
    +
    +
    +
    +
    + +
    +

    Scrutiny

    +
    +
    +
      scrutiny:
    +    container_name: scrutiny
    +    image: linuxserver/scrutiny
    +    restart: unless-stopped
    +    networks:
    +      - backend
    +    cap_add:
    +      - SYS_RAWIO
    +      - SYS_ADMIN
    +    environment:
    +      - PUID=$PUID
    +      - PGID=$PGID
    +      - SCRUTINY_API_ENDPOINT=http://localhost:8080
    +      - TZ=$TZ
    +      - SCRUTINY_WEB=true
    +      - SCRUTINY_COLLECTOR=true
    +    volumes:
    +      - $CONFIGDIR/scrutiny:/config
    +      - /run/udev:/run/udev:ro
    +    devices:
    +      - /dev/sda:/dev/sda
    +      - /dev/sdb:/dev/sdb
    +      - /dev/sdc:/dev/sdc
    +      - /dev/sdd:/dev/sdd
    +      - /dev/nvme0n1:/dev/nvme0n1
    +    ports:
    +      - 8089:8080
    +
    +
    +
    +
    + +
    +

    Guacamole

    +
    +
    +
      guacamole:
    +    image: oznu/guacamole
    +    container_name: guacamole
    +    restart: unless-stopped
    +    networks:
    +      - t2_proxy
    +      - backend
    +    environment:
    +      - PUID=$PUID
    +      - PGID=$PGID
    +      - TZ=$TZ
    +    volumes:
    +      - $CONFIGDIR/guacamole:/config
    +    labels:
    +      - "traefik.enable=true"
    +      - "traefik.http.routers.guacamole-rtr.entrypoints=https"
    +      - "traefik.http.routers.guacamole-rtr.rule=Host(`guacamole.$DOMAINNAME`)"
    +      - "traefik.http.routers.guacamole-rtr.tls=true"
    +      - "traefik.http.routers.guacamole-rtr.service=guacamole-svc"
    +      - "traefik.http.services.guacamole-svc.loadbalancer.server.port=8080"
    +
    +
    +
    +
    + +
    +

    Mail-CLI

    +
    +
    +
      mail-cli:
    +    image: tdehaeze/docker-mail-cli
    +    container_name: mail-cli
    +    restart: unless-stopped
    +    volumes:
    +      - $CONFIGDIR/mail-cli:/config
    +      - /srv/storage/mail:/mail
    +      - /srv/storage/Downloads:/data
    +    environment:
    +      - TZ=$TZ
    +      - PUID=$PUID
    +      - PGID=$PGID
    +    tty: true
    +
    +
    +
    +
    + +
    +

    Deemix

    +
    +
    +
      deemix:
    +    image: registry.gitlab.com/bockiii/deemix-docker
    +    container_name: deemix
    +    restart: unless-stopped
    +    networks:
    +      - t2_proxy
    +    volumes:
    +      - /srv/storage/Downloads:/downloads
    +      - $CONFIGDIR/deemix:/config
    +    environment:
    +      - TZ=$TZ
    +      - PUID=$PUID
    +      - PGID=$PGID
    +      - ARL=$DEEMIX_ARL
    +    labels:
    +      - "traefik.enable=true"
    +      - "traefik.http.routers.deemix-rtr.entrypoints=https"
    +      - "traefik.http.routers.deemix-rtr.rule=Host(`deemix.$DOMAINNAME`)"
    +      - "traefik.http.routers.deemix-rtr.tls=true"
    +      - "traefik.http.routers.deemix-rtr.service=deemix-svc"
    +      - "traefik.http.routers.deemix-rtr.middlewares=traefik-auth"
    +      - "traefik.http.services.deemix-svc.loadbalancer.server.port=6595"
    +
    +
    +
    +
    +
    + +
    +

    .env - Variable used for Docker Compose

    +
    +
    +
    PUID=1000
    +PGID=1000
    +TZ=Europe/Paris
    +CONFIGDIR=/home/thomas/docker/config
    +DOMAINNAME=tdehaeze.xyz
    +
    +
    + +
    +
    CLOUDFLARE_EMAIL=dehaeze.thomas@gmail.com
    +CLOUDFLARE_API_KEY=<<get-password(passname="nas/cloudflare_api_key")>>
    +
    +
    + +
    +
    MINIFLUX_ADMIN_NAME=tdehaeze
    +MINIFLUX_ADMIN_PASS=<<get-password(passname="nas/miniflux_admin_pass")>>
    +MINIFLUX_POSTGRES_PASSWORD=<<get-password(passname="nas/miniflux_postgres_pass")>>
    +
    +
    + +
    +
    RESTIC_PASSWORD=<<get-password(passname="nas/restic_pass")>>
    +
    +
    + +
    +
    GITEA_DB_MYSQL_ROOT_PASSWORD=<<get-password(passname="nas/gitea_mysql_root_pass")>>
    +GITEA_DB_MYSQL_PASSWORD=<<get-password(passname="nas/gitea_mysql_pass")>>
    +GITEA_SSH_PORT=2222
    +
    +
    + +
    +
    NORDVPN_NAME=dehaeze.thomas@gmail.com
    +NORDVPN_PASS=<<get-password(passname="nordvpn.com/dehaeze.thomas@gmail.com")>>
    +
    +
    + +
    +
    GOTIFY_DEFAULTUSER_NAME=tdehaeze
    +GOTIFY_DEFAULTUSER_PASS=<<get-password(passname="nas/gotify_pass")>>
    +
    +
    + +
    +
    GUACAMOLE_POSTGRES_PASSWORD=<<get-password(passname="nas/guacamole_postgres_pass")>>
    +
    +
    + +
    +
    DEEMIX_ARL=<<get-password(passname="nas/deemix_arl")>>
    +
    +
    +
    +
    + +
    +

    Cron Jobs

    +
    +
    +
    +

    Caddy Update

    +
    +

    +Create a script ~/cron/caddy_update.sh with: +

    +
    +
    docker exec caddy /bin/sh -c "cd /srv/www && echo -e \"Update repo $(date)\" && git submodule update --recursive --remote --merge"
    +
    +
    + +

    +Type crontab -e and add this line: +

    +
    +
      */5 * * * * /home/thomas/cron/caddy_update.sh >> /home/thomas/cron/caddy_update.log 2>&1
    +
    +
    +
    +
    +
    + +
    +

    Config

    +
    +
    +
    +

    Caddy

    +
    +
    +
    0.0.0.0:2015 {
    +    root /srv/www/
    +
    +    git {
    +        repo     https://git.tdehaeze.xyz/tdehaeze/research-home-page
    +        path     /srv/www/
    +        interval -1
    +        hook     /research-home-page/webhook QHZgAKjD8q2v54Ru
    +        then     git submodule update --init --recursive --merge
    +    }
    +}
    +
    +
    +
    +
    + +
    +

    Homer

    +
    +
    +
    ---
    +title: "Homepage"
    +subtitle: "Homer"
    +logo: "assets/homer.png"
    +header: false
    +footer: false
    +
    +columns: "auto"
    +connectivityCheck: false
    +
    +theme: default
    +
    +links: []
    +
    +services:
    +  - name: "Websites"
    +    icon: "fas fa-desktop"
    +    items:
    +    - name: "Wiki"
    +      logo: "/assets/tools/brain.png"
    +      subtitle: "Digital Brain"
    +      url: "https://brain.tdehaeze.xyz"
    +    - name: "Research"
    +      logo: "/assets/tools/orgmode.png"
    +      subtitle: "Research Pages"
    +      url: "https://research.tdehaeze.xyz"
    +  - name: "Utilities"
    +    icon: "fas fa-rss"
    +    items:
    +    - name: "Miniflux"
    +      logo: "/assets/tools/miniflux.png"
    +      subtitle: "RSS Feeds"
    +      url: "https://rss.tdehaeze.xyz"
    +    - name: "Bitwarden"
    +      logo: "/assets/tools/bitwarden.png"
    +      subtitle: "Password Manager"
    +      url: "https://bw.tdehaeze.xyz"
    +    - name: "Home Assistant"
    +      logo: "/assets/tools/homeassistant.png"
    +      subtitle: "Home Assistant"
    +      url: "http://home.tdehaeze.xyz:8123"
    +    - name: "Guacamole"
    +      logo: "/assets/tools/guacamole.png"
    +      subtitle: "SSH Access"
    +      url: "https://guacamole.tdehaeze.xyz/"
    +  - name: "Cloud"
    +    icon: "fas fa-cloud"
    +    items:
    +    - name: "Cloud"
    +      logo: "/assets/tools/cloud.png"
    +      subtitle: "Simple Personnal Could"
    +      url: "https://cloud.tdehaeze.xyz"
    +    - name: "Syncthing"
    +      logo: "/assets/tools/syncthing.png"
    +      subtitle: "P2P Sync"
    +      url: "https://syncthing.tdehaeze.xyz"
    +    - name: "Gitea"
    +      logo: "/assets/tools/gitea.png"
    +      subtitle: "Git Server"
    +      url: "https://git.tdehaeze.xyz"
    +  - name: "Download"
    +    icon: "fas fa-download"
    +    items:
    +    - name: "Transmission"
    +      logo: "/assets/tools/transmission.png"
    +      subtitle: "Torrents"
    +      url: "https://torrent.tdehaeze.xyz/transmission/web/"
    +    - name: "transfer"
    +      logo: "/assets/tools/transfer.png"
    +      subtitle: "Transfer.sh"
    +      url: "https://file.tdehaeze.xyz"
    +    - name: "deemix"
    +      subtitle: "Download Music"
    +      logo: "/assets/tools/deezer.png"
    +      url: "https://deemix.tdehaeze.xyz"
    +      #    - name: "Aria2"
    +      #      logo: "/assets/tools/aria2.png"
    +      #      subtitle: "Direct Downloads"
    +      #      url: "https://dl.tdehaeze.xyz"
    +  - name: "Media"
    +    icon: "fas fa-film"
    +    items:
    +    - name: "Jellyfin"
    +      logo: "/assets/tools/jellyfin.png"
    +      subtitle: "Media Library"
    +      url: "https://jellyfin.tdehaeze.xyz"
    +  - name: "Config"
    +    icon: "fas fa-cog"
    +    items:
    +    - name: "Portainer"
    +      logo: "/assets/tools/portainer.png"
    +      subtitle: "Manger Docker"
    +      url: "https://portainer.tdehaeze.xyz"
    +    - name: "Traefik"
    +      logo: "/assets/tools/traefik.png"
    +      subtitle: "Reverse Proxy"
    +      url: "https://traefik.tdehaeze.xyz"
    +  - name: "Local"
    +    icon: "fas fa-home"
    +    items:
    +    - name: "Jackett"
    +      logo: "/assets/tools/jackett.png"
    +      subtitle: "Download API"
    +      url: "http://192.168.1.150:9117/"
    +    - name: "Radarr"
    +      logo: "/assets/tools/radarr.png"
    +      subtitle: "Movie Manager"
    +      url: "http://192.168.1.150:7878/"
    +    - name: "Sonarr"
    +      logo: "/assets/tools/sonarr.png"
    +      subtitle: "TV Shows Manager"
    +      url: "http://192.168.1.150:8989/"
    +    - name: "Ombi"
    +      logo: "/assets/tools/ombi.png"
    +      subtitle: "Request Content"
    +      url: "https://ombi.tdehaeze.xyz/"
    +    - name: "Bazarr"
    +      logo: "/assets/tools/bazarr.png"
    +      subtitle: "Subtitles Manager"
    +      url: "http://192.168.1.150:6767/"
    +    - name: "Scrutiny"
    +      logo: "/assets/tools/scrutiny.png"
    +      subtitle: "S.M.A.R.T"
    +      url: "http://192.168.1.150:8089/web/dashboard"
    +    - name: "OctoPrint"
    +      logo: "/assets/tools/octoprint.png"
    +      subtitle: "3D-Printing"
    +      url: "http://192.168.1.56/"
    +
    +
    +
    +
    + +
    +

    Restic

    +
    +
    +
    [mega]
    +type = mega
    +user = dehaeze.thomas@gmail.com
    +pass = <<get-password(passname="nas/rclone_mega_pass")>>
    +
    +
    +
    +
    + +
    +

    Snapraid

    +
    +
    +
    +

    snapraid.conf

    +
    +
    +
    # Defines the file to use as parity storage
    +# It must NOT be in a data disk
    +# Format: "parity FILE_PATH"
    +parity /mnt/parity/snapraid.parity
    +
    +# Defines the files to use as content list
    +# You can use multiple specification to store more copies
    +# You must have least one copy for each parity file plus one. Some more don't
    +# hurt
    +# They can be in the disks used for data, parity or boot,
    +# but each file must be in a different disk
    +# Format: "content FILE_PATH"
    +content /var/snapraid.content
    +content /mnt/disk0/.snapraid.content
    +content /mnt/disk1/.snapraid.content
    +
    +# Defines the data disks to use
    +# The order is relevant for parity, do not change it
    +# Format: "disk DISK_NAME DISK_MOUNT_POINT"
    +disk d0 /mnt/disk0
    +disk d1 /mnt/disk1
    +
    +# Excludes hidden files and directories (uncomment to enable).
    +#nohidden
    +
    +# Defines files and directories to exclude
    +# Remember that all the paths are relative at the mount points
    +# Format: "exclude FILE"
    +# Format: "exclude DIR/"
    +# Format: "exclude /PATH/FILE"
    +# Format: "exclude /PATH/DIR/"
    +exclude *.unrecoverable
    +exclude /tmp/
    +exclude /lost+found/
    +exclude *.!sync
    +exclude .AppleDouble
    +exclude ._AppleDouble
    +exclude .DS_Store
    +exclude ._.DS_Store
    +exclude .Thumbs.db
    +exclude .fseventsd
    +exclude .Spotlight-V100
    +exclude .TemporaryItems
    +exclude .Trashes
    +exclude .AppleDB
    +
    +
    +
    +
    + +
    +

    snapraid-runner.conf

    +
    +
    +
    [snapraid]
    +; path to the snapraid executable (e.g. /bin/snapraid)
    +executable = /usr/bin/snapraid
    +; path to the snapraid config to be used
    +config = /config/snapraid.conf
    +; abort operation if there are more deletes than this, set to -1 to disable
    +deletethreshold = -1
    +; if you want touch to be ran each time
    +touch = false
    +
    +[logging]
    +; logfile to write to, leave empty to disable
    +file = /config/snapraid.log
    +; maximum logfile size in KiB, leave empty for infinite
    +maxsize = 5000
    +
    +; [email]
    +; ; when to send an email, comma-separated list of [success, error]
    +; sendon = success,error
    +; ; set to false to get full programm output via email
    +; short = true
    +; subject = [SnapRAID] Status Report:
    +; from =
    +; to =
    +; ; maximum email size in KiB
    +; maxsize = 500
    +;
    +; [smtp]
    +; host =
    +; ; leave empty for default port
    +; port =
    +; ; set to "true" to activate
    +; ssl = false
    +; tls = false
    +; user =
    +; password =
    +
    +[scrub]
    +; set to true to run scrub after sync
    +enabled = false
    +percentage = 12
    +older-than = 10
    +
    +
    +
    +
    +
    +
    +
    +
    +

    Author: Dehaeze Thomas

    +

    Created: 2021-01-03 dim. 22:51

    +
    + + diff --git a/index.org b/index.org index 1fa6f5a..21d60c4 100644 --- a/index.org +++ b/index.org @@ -18,13 +18,13 @@ There are Specific configuration files for: - *Editors*: [[file:vim.org][Neovim]] and [[./doom.org][Emacs (Doom)]] ([[file:emacs-library-babel.org][library of babel]], [[file:emacs-snippets.org][snippets]]) - *Shell*: [[file:bash.org][Bash]] - *Terminal Emulator*: [[file:termite.org][Termite]] -- *Terminal Multiplexer* [[file:tmux.org][TMUX]] -- *Image Setup*: [[file:image.org][SXIV]] -- *Music Setup*: [[file:music.org][NCMPCPP, Mopidy and Beets]] -- *Video Setup*: [[file:video.org][MPV]] +- *Terminal Multiplexer* [[file:tmux.org][Tmux]] +- *Image Setup*: [[file:image.org][Sxiv]] +- *Music Setup*: [[file:music.org][Ncmpcpp, Mopidy and Beets]] +- *Video Setup*: [[file:video.org][Mpv]] - *Web Browser*: [[file:qutebrowser.org][Qutebrowser]] - *PDF Reader*: [[file:zathura.org][Zathura]] -- *GUI File Manager*: [[file:pcmanfm.org][Pcmanfm]] +- *GUI File Manager*: [[file:pcmanfm.org][PCManFM]] - *Terminal File Manager*: [[file:ranger.org][Ranger]] - *Calendar*: [[file:calendar.org][Vdirsyncer and Khal]] - *Mails*: [[file:mail.org][Mbsync, Msmtp, Mu and Neomutt]] @@ -37,3 +37,4 @@ There are Specific configuration files for: - *GUI Toolkit*: [[file:gtk.org][GTK]] - [[file:config.org][Other Config]] +I also have a nice Home-Server which configuration files can be found [[file:nas.org][here]]. diff --git a/nas.org b/nas.org new file mode 100644 index 0000000..91bad01 --- /dev/null +++ b/nas.org @@ -0,0 +1,1890 @@ +#+TITLE: Home Server +#+SETUPFILE: ./setup/org-setup-file.org + +#+NAME: startblock +#+BEGIN_SRC emacs-lisp :results none :exports none + (setq org-src-preserve-indentation t) +#+END_SRC + +* Installation +** Hardware + +#+name: tab:home_server_hardware +#+caption: Home Server Hardware +| *Part* | *Model* | +|-------------+-------------------------------------------------| +| Case | Fractal Design Node 804 | +| Motherboard | ASUS PRIME B450M-A | +| CPU | AMD Ryzen 3 3200G | +| RAM | Corsair Vengeance LPX 16Go (2x8Go) DDR4 3200MHz | +| Cooler | ARCTIC Freezer 34 eSports DUO | +| PSU | Corsair SF450 | +| SSD M.2 | Samsung 970 EVO Plus 250Gb | +| Disk Drives | Various drives ranging from 3Tb to 8Tb | + +** Ubuntu +- Download *Ubuntu Server 20.04 LTS* ([[https://ubuntu.com/download/server][link]]). +- Activate OpenSSH and add SSH Keys +- Account: =thomas=, hostname: =homelab= + +** Install Important software +#+begin_src bash :eval no + sudo apt install neovim tmux fd-find ripgrep apache2-utils unrar ranger fzf stow +#+end_src + +** Terminal Problem +On the local host, using Termite: +#+begin_src bash :eval no + infocmp > termite.terminfo # export Termite's Terminfo + scp termite.terminfo user@remote-host:~/ # or any other method to copy to the remote host +#+end_src + +On the remote host, in the directory where you copied =termite.terminfo=: +#+begin_src bash :eval no + tic -x termite.terminfo # import Terminfo for current user + rm termite.terminfo # optional: remove Terminfo file +#+end_src + +** Minor Modifications of =~/.inputrc= +Modify =~/.inputrc=, like so: +#+begin_src conf + "\e[A": history-search-backward # arrow up + "\e[B": history-search-forward # arrow down +#+end_src + +** Partition and Format Disk Drives +A nice tutorial is available [[https://www.digitalocean.com/community/tutorials/how-to-partition-and-format-storage-devices-in-linux][here]]. + +#+begin_src bash :eval no + lsblk +#+end_src + +#+begin_src bash :eval no + sudo parted /dev/sda mklabel gpt +#+end_src + +#+begin_src bash :eval no + sudo parted -a opt /dev/sda mkpart "partitionname" ext4 0% 100% +#+end_src + +#+begin_src bash :eval no + sudo mkfs.ext4 -L partitionname /dev/sda1 +#+end_src + +** MergerFS and FStab +*MergerFS* is a transparent layer that sits on top of the data drives providing a single mount point for reads / writes ([[https://selfhostedhome.com/combining-different-sized-drives-with-mergerfs-and-snapraid/][link]]). + + +#+begin_src bash :eval no + sudo apt install mergerfs +#+end_src + +Create mount points +#+begin_src bash :eval no + sudo mkdir /mnt/disk0 + sudo mkdir /mnt/disk1 + sudo mkdir /mnt/parity +#+end_src + +Create folder where disks will be merged. +#+begin_src bash :eval no + sudo mkdir /srv/storage +#+end_src + +Edit =/etc/fstab=. +#+begin_src conf :eval no + /dev/disk/by-uuid/7fb7873c-83bd-4805-98ab-506e6c7b56fa /mnt/disk0 ext4 defaults 0 0 + /dev/disk/by-uuid/6574b7ae-321c-4078-9793-bc41a4fa5588 /mnt/disk1 ext4 defaults 0 0 + /dev/disk/by-uuid/6fcd38b9-0886-46bd-900d-cb1f170dbcee /mnt/parity ext4 defaults 0 0 + + /mnt/disk* /srv/storage fuse.mergerfs direct_io,defaults,allow_other,minfreespace=50G,fsname=mergerfs 0 0 +#+end_src + +** Automating with SnapRAID Runner +*SnapRAID* is a snapshot parity calculation tool which acts at the block level independent of filesystem ([[https://selfhostedhome.com/combining-different-sized-drives-with-mergerfs-and-snapraid/][link]]). + +SnapRAID is here used inside a Docker container ([[https://hub.docker.com/r/xagaba/snapraid][link]]). + +** Install Docker +The procedure is well explained [[https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-20-04][here]]. + +If docker is already installed, remove it: +#+begin_src bash + sudo apt remove docker +#+end_src + +** Executing the Docker Command Without Sudo +#+begin_src bash + sudo usermod -aG docker ${USER} +#+end_src + +To apply the new group membership, log out of the server and back in, or type the following: +#+begin_src bash + su - ${USER} +#+end_src + +** Install Docker-Compose +#+begin_src bash + sudo apt install docker-compose +#+end_src + +** Setup Docker Networks +#+begin_src bash + docker network create --gateway 192.168.90.1 --subnet 192.168.90.0/24 t2_proxy + docker network create docker_default +#+end_src + +** Change Timezone +#+begin_src bash :exec no + sudo timedatectl set-timezone Europe/Paris +#+end_src + +** Secure the Web Server +Most of it comes from [[https://github.com/imthenachoman/How-To-Secure-A-Linux-Server][here]]. + +- Set =PasswordAuthentication= no in =/etc/ssh/sshd_config= + +** Automatic Security Updates +The procedure is well explained [[https://www.linuxbabe.com/ubuntu/automatic-security-update-unattended-upgrades-ubuntu][here]]. +#+begin_src bash + sudo apt install unattended-upgrades update-notifier-common +#+end_src + +Edit =/etc/apt/apt.conf.d/50unattended-upgrades=, and change the following lines: +#+begin_src conf +Unattended-Upgrade::Remove-Unused-Dependencies "true"; +Unattended-Upgrade::Automatic-Reboot "true"; +Unattended-Upgrade::Automatic-Reboot-Time "04:00"; +#+end_src + +Edit =/etc/apt/apt.conf.d/20auto-upgrades=: +#+begin_src conf +APT::Periodic::Update-Package-Lists "1"; +APT::Periodic::Unattended-Upgrade "1"; +#+end_src + +** Setup cronjobs +Create a folder =~/cron= with all the scripts and logs related to cron. + +To edit the cron jobs, type =crontab -e= and add a line like: +#+begin_src conf + */5 * * * * /home/thomas/cron/caddy_update.sh >> /home/thomas/cron/caddy_update.log 2>&1 +#+end_src + +That will run every 5 minutes. +To check how the first part of the crontab works, check [[https://crontab.guru/][this website]]. + +** Run =docker-compose= +#+begin_src bash + cd ~/docker && docker-compose up -d +#+end_src + +* Maintenance - How To +** Update System/Packages +#+begin_src bash + sudo -- sh -c 'apt-get update; apt-get upgrade -y; apt-get dist-upgrade -y; apt-get autoremove -y; apt-get autoclean -y' +#+end_src + +** Docker Commands +- Starting a container: =$ docker start homeassistant= +- Stopping a container: =$ docker stop homeassistant= +- Restarting a container: =$ docker restart homeassistant= +- Listing the running containers: =$ docker ps or $ cd ~/docker/ && docker-compose ps= +- View the logs of a container: =$ docker logs -f homeassistant= +- Drop a shell into a container: =$ docker exec -it homeassistant /bin/bash= +- Update specific container: =docker-compose pull --ignore-pull-failures homeassistant= + +Update All Containers +#+begin_src bash :eval no + cd ~/docker/ && docker-compose pull --ignore-pull-failures && docker-compose up -d +#+end_src + +Clean up Docker environment +This will delete all unused images, volumes and networks. +#+begin_src bash :eval no + docker system prune -f && docker image prune -f && docker volume prune -f +#+end_src + +** Add User and Password for Basic Authentication +- Go to https://www.web2generators.com/apache-tools/htpasswd-generator and type the username and password +- Alternatively, type =htpasswd -nb username mystrongpassword= in the shell +- Paste the output in =~/docker/shared/.htpasswd= + +** Snapraid +To see all files "backed up" by snapraid, use: +#+begin_src bash + docker exec -ti snapraid snapraid list | fzf +#+end_src + +In reality, snapraid in ran from the docker container: +#+begin_src bash + docker exec -ti snapraid snapraid fix -f +#+end_src + +The path to file should be relative: =/srv/storage/Cloud/org/file.org= -> =/Cloud/org/file.org= + +** Restore Online backup with =restic= + +To list backups: +#+begin_src bash :dir /ssh:thomas@grenoble:/ :results output replace + docker exec restic restic snapshots +#+end_src + +#+RESULTS: +: ID Time Host Tags Paths +: -------------------------------------------------------------------------------- +: a7b98408 2020-09-03 21:18:00 4803c2af7d4e /data/documents/manuals +: 088e31a4 2020-09-03 21:50:26 4803c2af7d4e /data/documents/manuals +: 9cf0b480 2020-09-03 22:05:47 4803c2af7d4e /data/documents/manuals +: -------------------------------------------------------------------------------- +: 3 snapshots + +Force backup of folder: +#+begin_src bash :dir /ssh:thomas@grenoble:/ :results output replace + docker exec restic restic backup /data/documents/manuals +#+end_src + +#+RESULTS: +: +: Files: 0 new, 2 changed, 8475 unmodified +: Dirs: 0 new, 2 changed, 0 unmodified +: Added to the repo: 1.010 KiB +: +: processed 8477 files, 589.800 MiB in 0:02 +: snapshot 9cf0b480 saved + +Find the path to the file within the snapshot: +#+begin_src bash :dir /ssh:thomas@grenoble:/ :results output replace + docker exec restic restic find file_name +#+end_src + +Find files only for a specific snapshot: +#+begin_src bash :dir /ssh:thomas@grenoble:/ :results output replace + docker exec restic restic find -s latest file_name +#+end_src + +Backup files/folders: +#+begin_src bash :dir /ssh:thomas@grenoble:/ :results output replace + docker exec restic restic restore --include /data/documents/manuals --target / 088e31a4 +#+end_src + +You can use =latest= instead of the ID. + +* Docker-Compose +:PROPERTIES: +:header-args: :tangle /ssh:thomas@grenoble:~/docker/test.yaml +:header-args+: :comments none :mkdirp yes +:END: + +#+begin_src yaml +version: "3.2" +#+end_src + +** Networks +#+begin_src yaml +networks: + t2_proxy: + external: + name: t2_proxy + backend: + external: false + default: + driver: bridge +#+end_src + +** Traefik +#+begin_src yaml +services: +#+end_src + +#+begin_src yaml + traefik: + container_name: traefik + image: traefik:2.2.1 + restart: unless-stopped + command: + - --global.checkNewVersion=true + - --global.sendAnonymousUsage=false + - --entryPoints.http.address=:80 + - --entryPoints.https.address=:443 + - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22 + - --entryPoints.traefik.address=:8080 + - --api=true + - --api.dashboard=true + - --log=true + - --log.level=ERROR # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC + - --accessLog=true + - --accessLog.filePath=/var/log/access.log + - --accessLog.filters.statusCodes=400-499 + - --providers.docker=true + - --providers.docker.endpoint=unix:///var/run/docker.sock + - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`) + - --providers.docker.exposedByDefault=false + - --providers.docker.network=t2_proxy + - --providers.docker.swarmMode=false + - --providers.file.directory=/rules + - --providers.file.watch=true + # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing + - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL + - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json + - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare + - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53 + networks: + t2_proxy: + ipv4_address: 192.168.90.254 # You can specify a static IP + security_opt: + - no-new-privileges:true + ports: + - 80:80 + - 443:443 + - 8080:8080 + volumes: + - $CONFIGDIR/traefik2/rules:/rules + - $CONFIGDIR/traefik2/acme/acme.json:/acme.json + - $CONFIGDIR/traefik2/shared:/shared + - /var/log/traefik:/var/log + - /var/run/docker.sock:/var/run/docker.sock:ro + environment: + - CF_API_EMAIL=$CLOUDFLARE_EMAIL + - CF_API_KEY=$CLOUDFLARE_API_KEY + labels: + - "traefik.enable=true" + # HTTP-to-HTTPS Redirect + - "traefik.http.routers.http-catchall.entrypoints=http" + - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)" + - "traefik.http.routers.http-catchall.middlewares=redirect-to-https" + - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https" + # HTTP Routers + - "traefik.http.routers.traefik-rtr.entrypoints=https" + - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)" + - "traefik.http.routers.traefik-rtr.tls=true" + # - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs + - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME" + - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME" + # Services - API + - "traefik.http.routers.traefik-rtr.service=api@internal" + # Middlewares + - "traefik.http.routers.traefik-rtr.middlewares=middlewares-basic-auth@file" + - "traefik.http.routers.traefik-rtr.middlewares=middlewares-rate-limit@file,middlewares-basic-auth@file" + - "traefik.http.middlewares.traefik-auth.basicauth.users=tdehaeze:$$apr1$$d.JmbY5J$$K8btOi1fwwVYOkCnicCVi." + # Authelia + # - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.$DOMAINNAME/' + # - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true' + # - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups' +#+end_src + +** Portainer +#+begin_src yaml + portainer: + container_name: portainer + image: portainer/portainer + restart: unless-stopped + command: -H unix:///var/run/docker.sock + command: --no-auth + networks: + - t2_proxy + security_opt: + - no-new-privileges:true + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + - $CONFIGDIR/portainer:/data + environment: + - TZ=$TZ + labels: + - "traefik.enable=true" + - "traefik.http.routers.portainer-rtr.entrypoints=https" + - "traefik.http.routers.portainer-rtr.rule=Host(`portainer.$DOMAINNAME`)" + - "traefik.http.routers.portainer-rtr.tls=true" + - "traefik.http.routers.portainer-rtr.service=portainer-svc" + - "traefik.http.routers.portainer-rtr.middlewares=traefik-auth" + - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000" +#+end_src + +** Jellyfin +#+begin_src yaml + jellyfin: + container_name: jellyfin + image: linuxserver/jellyfin + restart: unless-stopped + networks: + - t2_proxy + volumes: + - $CONFIGDIR/jellyfin:/config + - /srv/storage/TVShows:/data/tvshows + - /srv/storage/LiveMusic:/data/livemusic + - /srv/storage/Animes:/data/animes + - /srv/storage/Movies:/data/movies + - /srv/storage/Music:/data/music + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + labels: + - "traefik.enable=true" + - "traefik.http.routers.jellyfin-rtr.entrypoints=https" + - "traefik.http.routers.jellyfin-rtr.rule=Host(`jellyfin.$DOMAINNAME`)" + - "traefik.http.routers.jellyfin-rtr.tls=true" + - "traefik.http.routers.jellyfin-rtr.service=jellyfin-svc" + - "traefik.http.services.jellyfin-svc.loadbalancer.server.port=8096" +#+end_src + +** Gitea +#+begin_src yaml + gitea: + container_name: git + image: gitea/gitea:1.12.4 + depends_on: + - gitea_db + restart: unless-stopped + networks: + - t2_proxy + - backend + volumes: + - $CONFIGDIR/gitea:/data + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + - SSH_PORT=$GITEA_SSH_PORT + ports: + - "2222:22" + labels: + - "traefik.enable=true" + - "traefik.http.routers.git-rtr.entrypoints=https" + - "traefik.http.routers.git-rtr.rule=Host(`git.$DOMAINNAME`)" + - "traefik.http.routers.git-rtr.tls=true" + - "traefik.http.routers.git-rtr.service=git-svc" + - "traefik.http.services.git-svc.loadbalancer.server.port=3000" +#+end_src + +#+begin_src yaml + gitea_db: + container_name: gitea_db + image: mariadb:10 + restart: unless-stopped + networks: + - backend + ports: + - 3306:3306 + environment: + - MYSQL_ROOT_PASSWORD=$GITEA_DB_MYSQL_ROOT_PASSWORD + - MYSQL_DATABASE=gitea + - MYSQL_USER=gitea + - MYSQL_PASSWORD=$GITEA_DB_MYSQL_PASSWORD + volumes: + - $CONFIGDIR/mariadb:/var/lib/mysql +#+end_src + +** Transfer.sh +#+begin_src yaml + transfer: + container_name: transfer + image: dutchcoders/transfer.sh + restart: unless-stopped + networks: + - t2_proxy + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + - UMASK_SET=022 + - BASEDIR=/tmp/ + - PROVIDER=local + volumes: + - /srv/storage/Uploads:/tmp/ + labels: + - "traefik.enable=true" + - "traefik.http.routers.transfer-rtr.entrypoints=https" + - "traefik.http.routers.transfer-rtr.rule=Host(`file.$DOMAINNAME`)" + - "traefik.http.routers.transfer-rtr.tls=true" + - "traefik.http.routers.transfer-rtr.service=transfer-svc" + - "traefik.http.services.transfer-svc.loadbalancer.server.port=8080" +#+end_src + +** Caddy +#+begin_src yaml + caddy: + container_name: caddy + image: abiosoft/caddy:1.0.3-no-stats + restart: unless-stopped + networks: + - t2_proxy + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + - PLUGINS=git + volumes: + - $CONFIGDIR/caddy/Caddyfile:/etc/Caddyfile + - $CONFIGDIR/web:/srv + # - ~/.ssh:/root/.ssh + labels: + - "traefik.enable=true" + - "traefik.http.routers.caddy-rtr.entrypoints=https" + - "traefik.http.routers.caddy-rtr.rule=Host(`research.$DOMAINNAME`)" + - "traefik.http.routers.caddy-rtr.tls=true" + - "traefik.http.routers.caddy-rtr.service=caddy-svc" + - "traefik.http.services.caddy-svc.loadbalancer.server.port=2015" +#+end_src + +** Syncthing +#+begin_src yaml + syncthing: + container_name: syncthing + image: linuxserver/syncthing + restart: unless-stopped + networks: + - t2_proxy + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + - UMASK_SET=022 + volumes: + - $CONFIGDIR/syncthing:/config + - /srv/storage/Cloud:/Cloud + - /srv/storage/Cloud/pictures/phone:/Pictures + - /srv/storage/Cloud/pdfs:/Onyx/Download + - /srv/storage/Cloud/pdfs-notes:/Onyx/note + - /srv/storage/Cloud/.stfolder:/Onyx/.stfolder + - /srv/storage/.password-store:/.password-store + ports: + - 22000:22000 + - 21027:21027/udp + labels: + - "traefik.enable=true" + - "traefik.http.routers.syncthing-rtr.entrypoints=https" + - "traefik.http.routers.syncthing-rtr.rule=Host(`syncthing.$DOMAINNAME`)" + - "traefik.http.routers.syncthing-rtr.tls=true" + - "traefik.http.routers.syncthing-rtr.service=syncthing-svc" + - "traefik.http.routers.syncthing-rtr.middlewares=traefik-auth" + - "traefik.http.services.syncthing-svc.loadbalancer.server.port=8384" +#+end_src + +** Aria2 +#+begin_src yaml + aria2: + container_name: aria2 + image: p3terx/aria2-pro + restart: unless-stopped + networks: + - t2_proxy + environment: + - PUID=$PUID + - PGID=$PGID + volumes: + - $CONFIGDIR/aria2:/config + - /srv/storage/Downloads:/downloads + ports: + - 6800:6800 +#+end_src + +** Miniflux +#+begin_src yaml + miniflux: + container_name: miniflux + image: miniflux/miniflux:latest + restart: unless-stopped + networks: + - t2_proxy + - backend + depends_on: + - miniflux_db + environment: + - DATABASE_URL=postgres://miniflux:SCJWWXqHwehP7f8g@miniflux_db/miniflux?sslmode=disable + - RUN_MIGRATIONS=1 + - CREATE_ADMIN=1 + - ADMIN_USERNAME=$MINIFLUX_ADMIN_NAME + - ADMIN_PASSWORD=$MINIFLUX_ADMIN_PASS + labels: + - "traefik.enable=true" + - "traefik.http.routers.miniflux-rtr.entrypoints=https" + - "traefik.http.routers.miniflux-rtr.rule=Host(`rss.$DOMAINNAME`)" + - "traefik.http.routers.miniflux-rtr.tls=true" + # - 'traefik.http.routers.miniflux-rtr.middlewares=traefik-auth' + # - 'traefik.http.routers.miniflux-rtr.middlewares=authelia@docker' + - "traefik.http.routers.miniflux-rtr.service=miniflux-svc" + - "traefik.http.services.miniflux-svc.loadbalancer.server.port=8080" + + miniflux_db: + container_name: miniflux_db + image: postgres:12 + restart: unless-stopped + networks: + - backend + environment: + - POSTGRES_USER=miniflux + - POSTGRES_PASSWORD=$MINIFLUX_POSTGRES_PASSWORD + volumes: + - $CONFIGDIR/miniflux_db:/var/lib/postgresql/data +#+end_src + +** Wireguard +#+begin_src yaml + wireguard: + container_name: wireguard + image: linuxserver/wireguard + restart: unless-stopped + networks: + - t2_proxy + cap_add: + - NET_ADMIN + - SYS_MODULE + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + - SERVERURL=wireguard.tdehaeze.xyz + - SERVERPORT=51820 + - PEERS=3 + - PEERDNS=auto + volumes: + - $CONFIGDIR/wireguard:/config + - /lib/modules:/lib/modules + ports: + - 51820:51820/udp +#+end_src + +** Snapraid +#+begin_src yaml + snapraid: + container_name: snapraid + image: xagaba/snapraid + restart: unless-stopped + privileged: true + volumes: + - /mnt:/mnt + - $CONFIGDIR/snapraid:/config + - type: "bind" + source: /dev/disk + target: /dev/disk + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ +#+end_src + +** Home Assistant +#+begin_src yaml + homeassistant: + container_name: homeassistant + image: homeassistant/home-assistant + restart: unless-stopped + #networks: + # - t2_proxy + #ports: + # - target: 8123 + # published: 8123 + # protocol: tcp + # mode: host + privileged: true + network_mode: host + volumes: + - $CONFIGDIR/homeassistant:/config + - /etc/localtime:/etc/localtime:ro + - /dev/bus/usb:/dev/bus/usb + # - ${USERDIR}/docker/shared:/shared + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + logging: + options: + max-size: 10m + labels: + - "traefik.enable=true" + - "traefik.http.routers.homeassistant-rtr.entrypoints=https,http" + - "traefik.http.routers.homeassistant-rtr.rule=Host(`home.$DOMAINNAME`)" + - "traefik.http.routers.homeassistant-rtr.tls=true" + - "traefik.http.routers.homeassistant-rtr.service=homeassistant-svc" + - "traefik.http.services.homeassistant-svc.loadbalancer.servers.url=http://172.17.0.1:8123" + #- "traefik.http.services.homeassistant-svc.loadbalancer.server.port=8123" +#+end_src + +** Jackett +#+begin_src yaml + jackett: + container_name: jackett + image: linuxserver/jackett + restart: unless-stopped + networks: + - backend + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + - AUTO_UPDATE=true + # - RUN_OPTS= + volumes: + - $CONFIGDIR/jackett:/config + - /srv/storage/Downloads:/downloads + ports: + - 9117:9117 +#+end_src + +** Radarr +#+begin_src yaml + radarr: + container_name: radarr + image: linuxserver/radarr + restart: unless-stopped + networks: + - backend + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + - UMASK_SET=022 + volumes: + - $CONFIGDIR/radarr:/config + - /srv/storage/Movies:/movies + - /srv/storage/Downloads:/downloads + ports: + - 7878:7878 +#+end_src + +** Sonarr +#+begin_src yaml + sonarr: + container_name: sonarr + image: linuxserver/sonarr + restart: unless-stopped + networks: + - backend + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + - UMASK_SET=022 + volumes: + - $CONFIGDIR/sonarr:/config + - /srv/storage/TVShows:/tv + - /srv/storage/Downloads:/downloads + ports: + - 8989:8989 +#+end_src + +** Ombi +#+begin_src yaml + ombi: + container_name: ombi + image: linuxserver/ombi + restart: unless-stopped + networks: + - t2_proxy + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + # - BASE_URL=/ombi #optional + volumes: + - $CONFIGDIR/ombi:/config + labels: + - "traefik.enable=true" + - "traefik.http.routers.ombi-rtr.entrypoints=https" + - "traefik.http.routers.ombi-rtr.rule=Host(`ombi.$DOMAINNAME`)" + - "traefik.http.routers.ombi-rtr.tls=true" + - "traefik.http.routers.ombi-rtr.service=ombi-svc" + - "traefik.http.services.ombi-svc.loadbalancer.server.port=3579" +#+end_src + +** Transmission +#+begin_src yaml + transmission-openvpn: + container_name: transmission + image: haugene/transmission-openvpn:2.13 + restart: unless-stopped + networks: + - t2_proxy + - backend + environment: + - PUID=$PUID + - PGID=$PGID + - CREATE_TUN_DEVICE=true + - ENABLE_UFW=true + - WEBPROXY_ENABLED=false + - TRANSMISSION_WEB_UI=combustion + - OPENVPN_PROVIDER=NORDVPN + - OPENVPN_USERNAME=$NORDVPN_NAME + - OPENVPN_PASSWORD=$NORDVPN_PASS + - NORDVPN_COUNTRY=FR + - NORDVPN_CATEGORY=P2P + - NORDVPN_PROTOCOL=tcp + - LOCAL_NETWORK=192.168.0.0/16 + volumes: + - /srv/storage/Downloads:/data + - /etc/localtime:/etc/localtime:ro + cap_add: + - NET_ADMIN + ports: + - 9091:9091 + - 51413:51413 + - 51413:51413/udp + labels: + - "traefik.enable=true" + - "traefik.http.routers.transmission-rtr.entrypoints=https" + - "traefik.http.routers.transmission-rtr.rule=Host(`torrent.$DOMAINNAME`)" + - "traefik.http.routers.transmission-rtr.tls=true" + - "traefik.http.routers.transmission-rtr.service=transmission-svc" + - "traefik.http.routers.transmission-rtr.middlewares=traefik-auth" + - "traefik.http.services.transmission-svc.loadbalancer.server.port=9091" +#+end_src + +** Bazarr +#+begin_src yaml + bazarr: + container_name: bazarr + image: linuxserver/bazarr + restart: unless-stopped + networks: + - backend + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + - UMASK_SET=022 #optional + volumes: + - $CONFIGDIR/bazarr:/config + - /srv/storage/TVShows:/tv + - /srv/storage/Movies:/movies + ports: + - 6767:6767 +#+end_src + +** Hugo +#+begin_src yaml + hugo: + container_name: hugo + image: muninn/hugo-caddy + restart: unless-stopped + networks: + - t2_proxy + environment: + - REPO=git.tdehaeze.xyz/tdehaeze/digital-brain + labels: + - "traefik.enable=true" + - "traefik.http.routers.hugo-rtr.entrypoints=https" + - "traefik.http.routers.hugo-rtr.rule=Host(`brain.$DOMAINNAME`)" + - "traefik.http.routers.hugo-rtr.tls=true" + - "traefik.http.routers.hugo-rtr.service=hugo-svc" + - "traefik.http.services.hugo-svc.loadbalancer.server.port=2015" +#+end_src + +** Bitwarden +#+begin_src yaml + bitwarden: + container_name: bitwarden + image: bitwardenrs/server + restart: unless-stopped + networks: + - t2_proxy + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + volumes: + - $CONFIGDIR/bitwarden:/data + labels: + - "traefik.enable=true" + - "traefik.http.routers.bitwarden-rtr.entrypoints=https" + - "traefik.http.routers.bitwarden-rtr.rule=Host(`bw.$DOMAINNAME`)" + - "traefik.http.routers.bitwarden-rtr.tls=true" + - "traefik.http.routers.bitwarden-rtr.service=bitwarden-svc" + - "traefik.http.services.bitwarden-svc.loadbalancer.server.port=80" +#+end_src + +** Homer +#+begin_src yaml + homer: + container_name: homer + image: b4bz/homer + restart: unless-stopped + networks: + - t2_proxy + environment: + - UID=$PUID + - GID=$PGID + - TZ=$TZ + volumes: + - $CONFIGDIR/homer/assets/:/www/assets + labels: + - "traefik.enable=true" + - "traefik.http.routers.homer-rtr.entrypoints=https" + - "traefik.http.routers.homer-rtr.rule=Host(`homer.$DOMAINNAME`)" + - "traefik.http.routers.homer-rtr.tls=true" + - "traefik.http.routers.homer-rtr.service=homer-svc" + - "traefik.http.services.homer-svc.loadbalancer.server.port=8080" +#+end_src + +** Restic +#+begin_src yaml + restic: + container_name: restic + image: mazzolino/restic + restart: "no" + networks: + - t2_proxy + environment: + - RUN_ON_STARTUP=true + - BACKUP_CRON=0 30 0 * * * + - RESTIC_REPOSITORY=rclone:mega:mega + - RESTIC_PASSWORD="$RESTIC_PASSWORD" + - RESTIC_BACKUP_SOURCES=/data + - RESTIC_FORGET_ARGS=--keep-daily 7 --keep-weekly 4 --keep-monthly 12 + - UID=$PUID + - GID=$PGID + - TZ=$TZ + volumes: + - $CONFIGDIR/restic:/root/.config/rclone + - /srv/storage/Cloud/thesis:/data/thesis +#+end_src + +** CloudCMD +#+begin_src yaml + cloudcmd: + container_name: cloudcmd + image: coderaiser/cloudcmd + restart: unless-stopped + networks: + - t2_proxy + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + - CLOUDCMD_ROOT=/mnt/fs + - CLOUDCMD_VIM=true + - CLOUDCMD_ONE_FILE_PANEL=true + volumes: + - /srv/storage/Downloads:/mnt/fs/Downloads + - /srv/storage/Cloud:/mnt/fs/Cloud + - /srv/storage/TVShows:/mnt/fs/TVShows + labels: + - "traefik.enable=true" + - "traefik.http.routers.cloudcmd-rtr.entrypoints=https" + - "traefik.http.routers.cloudcmd-rtr.rule=Host(`cloud.$DOMAINNAME`)" + - "traefik.http.routers.cloudcmd-rtr.tls=true" + - "traefik.http.routers.cloudcmd-rtr.service=cloudcmd-svc" + - "traefik.http.routers.cloudcmd-rtr.middlewares=traefik-auth" + - "traefik.http.services.cloudcmd-svc.loadbalancer.server.port=8000" +#+end_src + +** Gotify +#+begin_src yaml + gotify: + container_name: gotify + image: gotify/server + restart: unless-stopped + networks: + - t2_proxy + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + - GOTIFY_DEFAULTUSER_NAME=$GOTIFY_DEFAULTUSER_NAME + - GOTIFY_DEFAULTUSER_PASS=$GOTIFY_DEFAULTUSER_PASS + volumes: + - $CONFIGDIR/gotify:/app/data + labels: + - "traefik.enable=true" + - "traefik.http.routers.gotify-rtr.entrypoints=https" + - "traefik.http.routers.gotify-rtr.rule=Host(`notify.$DOMAINNAME`)" + - "traefik.http.routers.gotify-rtr.tls=true" + - "traefik.http.routers.gotify-rtr.service=gotify-svc" + - "traefik.http.services.gotify-svc.loadbalancer.server.port=80" +#+end_src + +** Scrutiny +#+begin_src yaml + scrutiny: + container_name: scrutiny + image: linuxserver/scrutiny + restart: unless-stopped + networks: + - backend + cap_add: + - SYS_RAWIO + - SYS_ADMIN + environment: + - PUID=$PUID + - PGID=$PGID + - SCRUTINY_API_ENDPOINT=http://localhost:8080 + - TZ=$TZ + - SCRUTINY_WEB=true + - SCRUTINY_COLLECTOR=true + volumes: + - $CONFIGDIR/scrutiny:/config + - /run/udev:/run/udev:ro + devices: + - /dev/sda:/dev/sda + - /dev/sdb:/dev/sdb + - /dev/sdc:/dev/sdc + - /dev/sdd:/dev/sdd + - /dev/nvme0n1:/dev/nvme0n1 + ports: + - 8089:8080 +#+end_src + +** Guacamole +#+begin_src yaml + guacamole: + image: oznu/guacamole + container_name: guacamole + restart: unless-stopped + networks: + - t2_proxy + - backend + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + volumes: + - $CONFIGDIR/guacamole:/config + labels: + - "traefik.enable=true" + - "traefik.http.routers.guacamole-rtr.entrypoints=https" + - "traefik.http.routers.guacamole-rtr.rule=Host(`guacamole.$DOMAINNAME`)" + - "traefik.http.routers.guacamole-rtr.tls=true" + - "traefik.http.routers.guacamole-rtr.service=guacamole-svc" + - "traefik.http.services.guacamole-svc.loadbalancer.server.port=8080" +#+end_src + +** Mail-CLI +#+begin_src yaml + mail-cli: + image: tdehaeze/docker-mail-cli + container_name: mail-cli + restart: unless-stopped + volumes: + - $CONFIGDIR/mail-cli:/config + - /srv/storage/mail:/mail + - /srv/storage/Downloads:/data + environment: + - TZ=$TZ + - PUID=$PUID + - PGID=$PGID + tty: true +#+end_src + +** Deemix +#+begin_src yaml + deemix: + image: registry.gitlab.com/bockiii/deemix-docker + container_name: deemix + restart: unless-stopped + networks: + - t2_proxy + volumes: + - /srv/storage/Downloads:/downloads + - $CONFIGDIR/deemix:/config + environment: + - TZ=$TZ + - PUID=$PUID + - PGID=$PGID + - ARL=$DEEMIX_ARL + labels: + - "traefik.enable=true" + - "traefik.http.routers.deemix-rtr.entrypoints=https" + - "traefik.http.routers.deemix-rtr.rule=Host(`deemix.$DOMAINNAME`)" + - "traefik.http.routers.deemix-rtr.tls=true" + - "traefik.http.routers.deemix-rtr.service=deemix-svc" + - "traefik.http.routers.deemix-rtr.middlewares=traefik-auth" + - "traefik.http.services.deemix-svc.loadbalancer.server.port=6595" +#+end_src + +* Docker-Compose OLD :noexport: +** Wallabag +#+begin_src yaml + wallabag: + container_name: wallabag + image: wallabag/wallabag + restart: unless-stopped + depends_on: + - wallabag_db + networks: + - t2_proxy + - backend + environment: + - MYSQL_ROOT_PASSWORD=$WALLABAG_MYSQL_ROOT_PASSWORD + - SYMFONY__ENV__DATABASE_DRIVER=pdo_mysql + - SYMFONY__ENV__DATABASE_HOST=wallabag_db + - SYMFONY__ENV__DATABASE_PORT=3308 + - SYMFONY__ENV__DATABASE_NAME=symfony + - SYMFONY__ENV__DATABASE_USER=root + - SYMFONY__ENV__DATABASE_PASSWORD=$WALLABAG_MYSQL_PASSWORD + - SYMFONY__ENV__DATABASE_CHARSET=utf8mb4 + - SYMFONY__ENV__DOMAIN_NAME=https://wallabag.tdehaeze.xyz + volumes: + - $CONFIGDIR/wallabag/images:/var/www/wallabag/web/assets/images + labels: + - "traefik.enable=true" + - "traefik.http.routers.wallabag-rtr.entrypoints=https" + - "traefik.http.routers.wallabag-rtr.rule=Host(`wallabag.$DOMAINNAME`)" + - "traefik.http.routers.wallabag-rtr.tls=true" + - "traefik.http.routers.wallabag-rtr.service=wallabag-svc" + - "traefik.http.services.wallabag-svc.loadbalancer.server.port=80" + + wallabag_db: + container_name: wallabag_db + image: mariadb + restart: unless-stopped + networks: + - backend + ports: + - 3308:3306 + environment: + - MYSQL_ROOT_PASSWORD=$WALLABAG_MYSQL_ROOT_PASSWORD + - MYSQL_DATABASE=wallabag + - MYSQL_USER=wallabag + - MYSQL_PASSWORD=$WALLABAG_MYSQL_PASSWORD + volumes: + - $CONFIGDIR/wallabag/data:/var/lib/mysql +#+end_src + +** Transmission +#+begin_src yaml + transmission: + container_name: transmission + image: linuxserver/transmission + restart: unless-stopped + networks: + - t2_proxy + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + volumes: + - $CONFIGDIR/transmission:/config + - /srv/storage/Downloads:/downloads + - /srv/storage/Downloads/watch:/watch + ports: + - 9091:9091 + - 51413:51413 + - 51413:51413/udp + labels: + - "traefik.enable=true" + - "traefik.http.routers.transmission-rtr.entrypoints=https" + - "traefik.http.routers.transmission-rtr.rule=Host(`torrent.$DOMAINNAME`)" + - "traefik.http.routers.transmission-rtr.tls=true" + - "traefik.http.routers.transmission-rtr.service=transmission-svc" + - "traefik.http.routers.transmission-rtr.middlewares=traefik-auth" + - "traefik.http.services.transmission-svc.loadbalancer.server.port=9091" +#+end_src + +** Navodrome +#+begin_src yaml + navidrome: + container_name: navidrome + image: deluan/navidrome + restart: unless-stopped + networks: + - t2_proxy + environment: + ND_MUSICFOLDER: /music + ND_DATAFOLDER: /data + ND_SCANINTERVAL: 10m + ND_LOGLEVEL: info + ND_PORT: 4533 + ND_TRANSCODINGCACHESIZE: 100MB + ND_SESSIONTIMEOUT: 24h + ND_BASEURL: "" + volumes: + - $CONFIGDIR/navidrome:/data + - /srv/storage/Music:/music:ro + labels: + - "traefik.enable=true" + - "traefik.http.routers.navidrome-rtr.entrypoints=https" + - "traefik.http.routers.navidrome-rtr.rule=Host(`music.$DOMAINNAME`)" + - "traefik.http.routers.navidrome-rtr.tls=true" + - "traefik.http.routers.navidrome-rtr.service=navidrome-svc" + - "traefik.http.services.navidrome-svc.loadbalancer.server.port=4533" +#+end_src + +** Buku +#+begin_src yaml + buku: + container_name: buku + image: bukuserver/bukuserver + restart: unless-stopped + networks: + - t2_proxy + environment: + - UID=$PUID + - GID=$PGID + - TZ=$TZ + - BUKUSERVER_PER_PAGE=100 + - BUKUSERVER_OPEN_IN_NEW_TAB=true + # - BUKUSERVER_SECRET_KEY=123456789012345678901234 + # - BUKUSERVER_URL_RENDER_MODE=full + # - BUKUSERVER_DISABLE_FAVICON=false + volumes: + - $CONFIGDIR/buku:/root/.local/share/buku + labels: + - "traefik.enable=true" + - "traefik.http.routers.buku-rtr.entrypoints=https" + - "traefik.http.routers.buku-rtr.rule=Host(`bookmarks.$DOMAINNAME`)" + - "traefik.http.routers.buku-rtr.tls=true" + - "traefik.http.routers.buku-rtr.service=buku-svc" + - "traefik.http.routers.buku-rtr.middlewares=traefik-auth" + - "traefik.http.services.buku-svc.loadbalancer.server.port=5001" +#+end_src + +** Watchtower +#+begin_src yaml + watchtower: + container_name: watchtower + image: containrrr/watchtower + restart: unless-stopped + networks: + - backend + environment: + - TZ=$TZ + - WATCHTOWER_SCHEDULE=0 0 4 * * MON + - WATCHTOWER_CLEANUP=true + - WATCHTOWER_TIMEOUT=30s + - WATCHTOWER_DEBUG=false + - WATCHTOWER_INCLUDE_STOPPED=false + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro +#+end_src + +** Filebrowser +#+begin_src yaml + filebrowser: + container_name: filebrowser + image: filebrowser/filebrowser + restart: unless-stopped + networks: + - t2_proxy + volumes: + - $CONFIGDIR/filebrowser/database.db:/filebrowser.db + - $CONFIGDIR/filebrowser/.filebrowser.json:/.filebrowser.json + - /srv/storage/Cloud:/srv + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + labels: + - "traefik.enable=true" + - "traefik.http.routers.filebrowser-rtr.entrypoints=https" + - "traefik.http.routers.filebrowser-rtr.rule=Host(`cloud.$DOMAINNAME`)" + - "traefik.http.routers.filebrowser-rtr.tls=true" + - "traefik.http.routers.filebrowser-rtr.service=filebrowser-svc" + - "traefik.http.services.filebrowser-svc.loadbalancer.server.port=80" +#+end_src + +** Gossa +#+begin_src yaml + gossa: + container_name: gossa + image: pldubouilh/gossa + restart: unless-stopped + networks: + - t2_proxy + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + volumes: + - /srv/storage/Downloads:/shared + labels: + - "traefik.enable=true" + - "traefik.http.routers.gossa-rtr.entrypoints=https" + - "traefik.http.routers.gossa-rtr.rule=Host(`cloud.$DOMAINNAME`)" + - "traefik.http.routers.gossa-rtr.tls=true" + - "traefik.http.routers.gossa-rtr.service=gossa-svc" + - "traefik.http.routers.gossa-rtr.middlewares=traefik-auth" + - "traefik.http.services.gossa-svc.loadbalancer.server.port=8001" +#+end_src + +** Duplicati +#+begin_src yaml + duplicati: + container_name: duplicati + image: linuxserver/duplicati + restart: unless-stopped + networks: + - t2_proxy + environment: + - UID=$PUID + - GID=$PGID + - TZ=$TZ + # - CLI_ARGS= #optional + volumes: + - $CONFIGDIR/duplicati:/config + - /srv/storage/Backups:/backups + - /srv/storage/Cloud/thesis:/source + labels: + - "traefik.enable=true" + - "traefik.http.routers.duplicati-rtr.entrypoints=https" + - "traefik.http.routers.duplicati-rtr.rule=Host(`backup.$DOMAINNAME`)" + - "traefik.http.routers.duplicati-rtr.tls=true" + - "traefik.http.routers.duplicati-rtr.service=duplicati-svc" + - "traefik.http.routers.duplicati-rtr.middlewares=traefik-auth" + - "traefik.http.services.duplicati-svc.loadbalancer.server.port=8200" +#+end_src + +** Pyload +#+begin_src yaml + pyload: + image: linuxserver/pyload + container_name: pyload + restart: unless-stopped + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + volumes: + - $CONFIGDIR/pyload:/config + - /srv/storage/Downloads:/downloads + labels: + - "traefik.enable=true" + - "traefik.http.routers.pyload-rtr.entrypoints=https" + - "traefik.http.routers.pyload-rtr.rule=Host(`dl.$DOMAINNAME`)" + - "traefik.http.routers.pyload-rtr.tls=true" + - "traefik.http.routers.pyload-rtr.service=pyload-svc" + - "traefik.http.routers.pyload-rtr.middlewares=traefik-auth" + # - 'traefik.http.routers.pyload-rtr.middlewares=authelia@docker' + - "traefik.http.services.pyload-svc.loadbalancer.server.port=8000" +#+end_src + +** Aria2 +#+begin_src yaml + aria2: + container_name: aria2 + image: lukasmrtvy/lsiobase-aria2-webui + restart: unless-stopped + networks: + - t2_proxy + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + - WEBUI=ariang + - SKIP_SSL=true + - CUSTOM_RPC_TOKEN=P@ssword123 + volumes: + - $CONFIGDIR/aria2:/data/config + - /srv/storage/Downloads:/data/downloads + ports: + - 6800:6800 + labels: + - "traefik.enable=true" + - "traefik.http.routers.aria2-rtr.entrypoints=https" + - "traefik.http.routers.aria2-rtr.rule=Host(`dl.$DOMAINNAME`)" + - "traefik.http.routers.aria2-rtr.tls=true" + - "traefik.http.routers.aria2-rtr.service=aria2-svc" + - "traefik.http.routers.aria2-rtr.middlewares=traefik-auth" + - "traefik.http.services.aria2-svc.loadbalancer.server.port=4040" +#+end_src + +** Droppy +#+begin_src yaml + droppy: + container_name: droppy + image: silverwind/droppy + restart: unless-stopped + networks: + - t2_proxy + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + volumes: + - $CONFIGDIR/droppy:/config + - /home/thomas/docker/test:/files + labels: + - "traefik.enable=true" + - "traefik.http.routers.droppy-rtr.entrypoints=https" + - "traefik.http.routers.droppy-rtr.rule=Host(`test.$DOMAINNAME`)" + - "traefik.http.routers.droppy-rtr.tls=true" + - "traefik.http.routers.droppy-rtr.service=droppy-svc" + - "traefik.http.services.droppy-svc.loadbalancer.server.port=8989" +#+end_src + +** Synapse +#+begin_src yaml + synapse: + container_name: synapse + image: matrixdotorg/synapse + restart: unless-stopped + depends_on: + - synapse_db + networks: + - t2_proxy + - backend + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + - SYNAPSE_SERVER_NAME=matrix.tdehaeze.xyz + - SYNAPSE_REPORT_STATS=no + ports: + - 8448:8448 + # - 3478:3478 + volumes: + - $CONFIGDIR/synapse:/data + - $CONFIGDIR/mautrix-facebook:/data/mautrix-facebook + labels: + - "traefik.enable=true" + - "traefik.http.routers.synapse-rtr.entrypoints=https" + - "traefik.http.routers.synapse-rtr.rule=Host(`matrix.$DOMAINNAME`)" + - "traefik.http.routers.synapse-rtr.tls=true" + - "traefik.http.routers.synapse-rtr.service=synapse-svc" + - "traefik.http.services.synapse-svc.loadbalancer.server.port=8008" + + synapse_db: + container_name: synapse_db + image: postgres + restart: unless-stopped + networks: + - backend + ports: + - 5432:5432 + environment: + - POSTGRES_DB=synapse + - POSTGRES_INITDB_ARGS=--encoding='UTF8' --lc-collate='C' --lc-ctype='C' + - POSTGRES_USER=synapse_user + - POSTGRES_PASSWORD=$SYNAPSE_POSTGRES_PASSWORD + volumes: + - $CONFIGDIR/synapse_db:/var/lib/postgresql/data +#+end_src + +** Mautrix-Facebook +#+begin_src yaml + mautrix-facebook: + container_name: mautrix-facebook + image: dock.mau.dev/tulir/mautrix-facebook + restart: unless-stopped + depends_on: + - synapse + networks: + - t2_proxy + - backend + ports: + - 29319:29319 + volumes: + - $CONFIGDIR/mautrix-facebook:/data +#+end_src + +** Matrix-Slack +#+begin_src yaml + matrix-slack: + container_name: matrix-slack + image: matrixdotorg/matrix-appservice-slack + restart: unless-stopped + depends_on: + - synapse + - matrix_slack_db + networks: + - t2_proxy + - backend + ports: + - 9898:9898 + volumes: + - $CONFIGDIR/matrix-slack:/config + + matrix_slack_db: + container_name: matrix_slack_db + image: postgres:latest + restart: unless-stopped + networks: + - backend + environment: + - POSTGRES_DB=slack_bridge + - POSTGRES_USER=slackbridge_user + - POSTGRES_PASSWORD=test + volumes: + - $CONFIGDIR/matrix_slack_db:/var/lib/postgresql/data +#+end_src + +** Netdata +#+begin_src yaml + netdata: + image: netdata/netdata + container_name: netdata + restart: unless-stopped + hostname: netdata.tdehaeze.xyz + networks: + - t2_proxy + - backend + environment: + - PUID=$PUID + - PGID=998 + - TZ=$TZ + cap_add: + - SYS_PTRACE + security_opt: + - apparmor:unconfined + volumes: + - /proc:/host/proc:ro + - /sys:/host/sys:ro + - /var/run/docker.sock:/var/run/docker.sock:ro + - $CONFIGDIR/netdata:/etc/netdata + labels: + - "traefik.enable=true" + - "traefik.http.routers.netdata-rtr.entrypoints=https" + - "traefik.http.routers.netdata-rtr.rule=Host(`netdata.$DOMAINNAME`)" + - "traefik.http.routers.netdata-rtr.tls=true" + - "traefik.http.routers.netdata-rtr.service=netdata-svc" + - "traefik.http.services.netdata-svc.loadbalancer.server.port=19999" +#+end_src + +** Fail2ban +#+begin_src yaml + fail2ban: + image: crazymax/fail2ban:latest + container_name: fail2ban + restart: unless-stopped + network_mode: "host" + cap_add: + - NET_ADMIN + - NET_RAW + volumes: + - $CONFIGDIR/fail2ban:/data + - /var/log:/var/log:ro + environment: + - TZ=$TZ + - PUID=$PUID + - PGID=$PGID +#+end_src + +** Authelia +#+begin_src yaml + authelia: + image: authelia/authelia + container_name: authelia + restart: unless-stopped + networks: + - t2_proxy + volumes: + - $CONFIGDIR/authelia:/config + expose: + - 9091 + environment: + - UID=$PUID + - GID=$PGID + - TZ=$TZ + labels: + - "traefik.enable=true" + - "traefik.http.routers.authelia-rtr.entrypoints=https" + - "traefik.http.routers.authelia-rtr.rule=Host(`login.$DOMAINNAME`)" + - "traefik.http.routers.authelia-rtr.tls=true" + - "traefik.http.routers.authelia-rtr.service=authelia-svc" +#+end_src + +* =.env= - Variable used for Docker Compose +:PROPERTIES: +:header-args: :tangle /ssh:thomas@grenoble:~/docker/.env.test +:header-args+: :comments none :mkdirp yes :noweb yes +:END: + +#+begin_src conf +PUID=1000 +PGID=1000 +TZ=Europe/Paris +CONFIGDIR=/home/thomas/docker/config +DOMAINNAME=tdehaeze.xyz +#+end_src + +#+begin_src conf +CLOUDFLARE_EMAIL=dehaeze.thomas@gmail.com +CLOUDFLARE_API_KEY=<> +#+end_src + +#+begin_src conf +MINIFLUX_ADMIN_NAME=tdehaeze +MINIFLUX_ADMIN_PASS=<> +MINIFLUX_POSTGRES_PASSWORD=<> +#+end_src + +#+begin_src conf +RESTIC_PASSWORD=<> +#+end_src + +#+begin_src conf +GITEA_DB_MYSQL_ROOT_PASSWORD=<> +GITEA_DB_MYSQL_PASSWORD=<> +GITEA_SSH_PORT=2222 +#+end_src + +#+begin_src conf +NORDVPN_NAME=dehaeze.thomas@gmail.com +NORDVPN_PASS=<> +#+end_src + +#+begin_src conf +GOTIFY_DEFAULTUSER_NAME=tdehaeze +GOTIFY_DEFAULTUSER_PASS=<> +#+end_src + +#+begin_src conf +GUACAMOLE_POSTGRES_PASSWORD=<> +#+end_src + +#+begin_src conf +DEEMIX_ARL=<> +#+end_src + +* Cron Jobs +** Caddy Update +Create a script =~/cron/caddy_update.sh= with: +#+begin_src bash :tangle /ssh:thomas@grenoble:~/cron/caddy_update.sh :shebang "#!/usr/bin/env bash" +docker exec caddy /bin/sh -c "cd /srv/www && echo -e \"Update repo $(date)\" && git submodule update --recursive --remote --merge" +#+end_src + +Type =crontab -e= and add this line: +#+begin_src conf + */5 * * * * /home/thomas/cron/caddy_update.sh >> /home/thomas/cron/caddy_update.log 2>&1 +#+end_src + +* Config +** Caddy +#+begin_src conf :tangle /ssh:thomas@grenoble:~/docker/config/caddy/Caddyfile +0.0.0.0:2015 { + root /srv/www/ + + git { + repo https://git.tdehaeze.xyz/tdehaeze/research-home-page + path /srv/www/ + interval -1 + hook /research-home-page/webhook QHZgAKjD8q2v54Ru + then git submodule update --init --recursive --merge + } +} +#+end_src + +** Homer +#+begin_src yaml :tangle /ssh:thomas@grenoble:~/docker/config/homer/assets +--- +title: "Homepage" +subtitle: "Homer" +logo: "assets/homer.png" +header: false +footer: false + +columns: "auto" +connectivityCheck: false + +theme: default + +links: [] + +services: + - name: "Websites" + icon: "fas fa-desktop" + items: + - name: "Wiki" + logo: "/assets/tools/brain.png" + subtitle: "Digital Brain" + url: "https://brain.tdehaeze.xyz" + - name: "Research" + logo: "/assets/tools/orgmode.png" + subtitle: "Research Pages" + url: "https://research.tdehaeze.xyz" + - name: "Utilities" + icon: "fas fa-rss" + items: + - name: "Miniflux" + logo: "/assets/tools/miniflux.png" + subtitle: "RSS Feeds" + url: "https://rss.tdehaeze.xyz" + - name: "Bitwarden" + logo: "/assets/tools/bitwarden.png" + subtitle: "Password Manager" + url: "https://bw.tdehaeze.xyz" + - name: "Home Assistant" + logo: "/assets/tools/homeassistant.png" + subtitle: "Home Assistant" + url: "http://home.tdehaeze.xyz:8123" + - name: "Guacamole" + logo: "/assets/tools/guacamole.png" + subtitle: "SSH Access" + url: "https://guacamole.tdehaeze.xyz/" + - name: "Cloud" + icon: "fas fa-cloud" + items: + - name: "Cloud" + logo: "/assets/tools/cloud.png" + subtitle: "Simple Personnal Could" + url: "https://cloud.tdehaeze.xyz" + - name: "Syncthing" + logo: "/assets/tools/syncthing.png" + subtitle: "P2P Sync" + url: "https://syncthing.tdehaeze.xyz" + - name: "Gitea" + logo: "/assets/tools/gitea.png" + subtitle: "Git Server" + url: "https://git.tdehaeze.xyz" + - name: "Download" + icon: "fas fa-download" + items: + - name: "Transmission" + logo: "/assets/tools/transmission.png" + subtitle: "Torrents" + url: "https://torrent.tdehaeze.xyz/transmission/web/" + - name: "transfer" + logo: "/assets/tools/transfer.png" + subtitle: "Transfer.sh" + url: "https://file.tdehaeze.xyz" + - name: "deemix" + subtitle: "Download Music" + logo: "/assets/tools/deezer.png" + url: "https://deemix.tdehaeze.xyz" + # - name: "Aria2" + # logo: "/assets/tools/aria2.png" + # subtitle: "Direct Downloads" + # url: "https://dl.tdehaeze.xyz" + - name: "Media" + icon: "fas fa-film" + items: + - name: "Jellyfin" + logo: "/assets/tools/jellyfin.png" + subtitle: "Media Library" + url: "https://jellyfin.tdehaeze.xyz" + - name: "Config" + icon: "fas fa-cog" + items: + - name: "Portainer" + logo: "/assets/tools/portainer.png" + subtitle: "Manger Docker" + url: "https://portainer.tdehaeze.xyz" + - name: "Traefik" + logo: "/assets/tools/traefik.png" + subtitle: "Reverse Proxy" + url: "https://traefik.tdehaeze.xyz" + - name: "Local" + icon: "fas fa-home" + items: + - name: "Jackett" + logo: "/assets/tools/jackett.png" + subtitle: "Download API" + url: "http://192.168.1.150:9117/" + - name: "Radarr" + logo: "/assets/tools/radarr.png" + subtitle: "Movie Manager" + url: "http://192.168.1.150:7878/" + - name: "Sonarr" + logo: "/assets/tools/sonarr.png" + subtitle: "TV Shows Manager" + url: "http://192.168.1.150:8989/" + - name: "Ombi" + logo: "/assets/tools/ombi.png" + subtitle: "Request Content" + url: "https://ombi.tdehaeze.xyz/" + - name: "Bazarr" + logo: "/assets/tools/bazarr.png" + subtitle: "Subtitles Manager" + url: "http://192.168.1.150:6767/" + - name: "Scrutiny" + logo: "/assets/tools/scrutiny.png" + subtitle: "S.M.A.R.T" + url: "http://192.168.1.150:8089/web/dashboard" + - name: "OctoPrint" + logo: "/assets/tools/octoprint.png" + subtitle: "3D-Printing" + url: "http://192.168.1.56/" +#+end_src + +** Restic +#+begin_src conf :tangle /ssh:thomas@grenoble:~/docker/config/restic/rclone.conf +[mega] +type = mega +user = dehaeze.thomas@gmail.com +pass = <> +#+end_src + +** Snapraid +*** =snapraid.conf= +#+begin_src conf :tangle /ssh:thomas@grenoble:~/docker/config/snapraid/snapraid.conf +# Defines the file to use as parity storage +# It must NOT be in a data disk +# Format: "parity FILE_PATH" +parity /mnt/parity/snapraid.parity + +# Defines the files to use as content list +# You can use multiple specification to store more copies +# You must have least one copy for each parity file plus one. Some more don't +# hurt +# They can be in the disks used for data, parity or boot, +# but each file must be in a different disk +# Format: "content FILE_PATH" +content /var/snapraid.content +content /mnt/disk0/.snapraid.content +content /mnt/disk1/.snapraid.content + +# Defines the data disks to use +# The order is relevant for parity, do not change it +# Format: "disk DISK_NAME DISK_MOUNT_POINT" +disk d0 /mnt/disk0 +disk d1 /mnt/disk1 + +# Excludes hidden files and directories (uncomment to enable). +#nohidden + +# Defines files and directories to exclude +# Remember that all the paths are relative at the mount points +# Format: "exclude FILE" +# Format: "exclude DIR/" +# Format: "exclude /PATH/FILE" +# Format: "exclude /PATH/DIR/" +exclude *.unrecoverable +exclude /tmp/ +exclude /lost+found/ +exclude *.!sync +exclude .AppleDouble +exclude ._AppleDouble +exclude .DS_Store +exclude ._.DS_Store +exclude .Thumbs.db +exclude .fseventsd +exclude .Spotlight-V100 +exclude .TemporaryItems +exclude .Trashes +exclude .AppleDB +#+end_src + +*** =snapraid-runner.conf= +#+begin_src conf :tangle /ssh:thomas@grenoble:~/docker/config/snapraid/snapraid-runner.conf +[snapraid] +; path to the snapraid executable (e.g. /bin/snapraid) +executable = /usr/bin/snapraid +; path to the snapraid config to be used +config = /config/snapraid.conf +; abort operation if there are more deletes than this, set to -1 to disable +deletethreshold = -1 +; if you want touch to be ran each time +touch = false + +[logging] +; logfile to write to, leave empty to disable +file = /config/snapraid.log +; maximum logfile size in KiB, leave empty for infinite +maxsize = 5000 + +; [email] +; ; when to send an email, comma-separated list of [success, error] +; sendon = success,error +; ; set to false to get full programm output via email +; short = true +; subject = [SnapRAID] Status Report: +; from = +; to = +; ; maximum email size in KiB +; maxsize = 500 +; +; [smtp] +; host = +; ; leave empty for default port +; port = +; ; set to "true" to activate +; ssl = false +; tls = false +; user = +; password = + +[scrub] +; set to true to run scrub after sync +enabled = false +percentage = 12 +older-than = 10 +#+end_src