This commit is contained in:
Brieuc Dubois 2023-09-26 09:53:42 +02:00 committed by shp
parent 7677dace65
commit 0bb0cd575c
28 changed files with 1531 additions and 0 deletions

View File

@ -0,0 +1,23 @@
services:
baikal:
container_name: baikal
image: ckulka/baikal:nginx
restart: on-failure
environment:
- TZ=Europe/Paris
volumes:
- $DATA/baikal/config:/var/www/baikal/config
- $DATA/baikal/data:/var/www/baikal/Specific
labels:
- "traefik.enable=true"
- "traefik.http.routers.baikal.rule=Host(`baikal.bxl.bhasher.com`)"
- "traefik.http.services.baikal.loadbalancer.server.port=80"
- "traefik.http.routers.baikal.tls=true"
- "traefik.http.routers.baikal.tls.certresolver=http"
- "traefik.http.routers.baikal.entrypoints=internalsecure,externalsecure"
networks:
- external
networks:
external:
external: true

View File

@ -0,0 +1,29 @@
services:
dashy:
container_name: dashy
image: dashy
environment:
- NODE_ENV=production
restart: unless-stopped
volumes:
- $CONFIG/dashy/config.yml:/app/public/conf.yml
labels:
- "traefik.enable=true"
- "traefik.http.routers.dashy.rule=Host(`hub.bhasher.com`)"
- "traefik.http.routers.dashy.entrypoints=internalsecure"
- "traefik.http.services.dashy.loadbalancer.server.port=80"
- "traefik.http.routers.dashy.tls=true"
- "traefik.http.routers.dashy.tls.certresolver=http"
- "traefik.http.routers.dashy.middlewares=authelia@docker"
- "com.centurylinklabs.watchtower.enable=false"
healthcheck:
test: ['CMD', 'node', '/app/services/healthcheck']
interval: 1m30s
timeout: 10s
retries: 3
networks:
- external
networks:
external:
external: true

View File

@ -0,0 +1,79 @@
services:
# invoicenginx:
# container_name: invoice_nginx
# image: nginx:latest
# restart: on-failure
# volumes:
# - $CONFIG/invoiceninja/in-vhost.conf:/etc/nginx/conf.d/in-vhost.conf:ro
# - $DATA/invoiceninja/public:/var/www/app/public:ro
# environment:
# - TRUSTED_PROXIES='*'
# depends_on:
# - invoiceninja
# networks:
# - invoice
# - external
# #labels:
# #- "traefik.enable=true"
# #- "traefik.http.routers.invoice.rule=Host(`invoice.bhasher.com`)"
# #- "traefik.http.services.invoice.loadbalancer.server.port=80"
# #- "traefik.http.routers.invoice.tls=true"
# #- "traefik.http.routers.invoice.tls.certresolver=http"
# #- "traefik.http.routers.invoice.entrypoints=internalsecure"
#
# invoiceninja:
# image: invoiceninja/invoiceninja:5
# container_name: invoice_ninja
# environment:
# - APP_URL=https://invoice.bhasher.com
# - APP_KEY=${INVOICENINJA_APIKEY}
# - REQUIRE_HTTPS=true
# - PHANTOMJS_PDF_GENERATION=false
# - PDF_GENERATOR=snappdf
# - QUEUE_CONNECTION=database
# - DB_HOST=mariadb
# - DB_DATABASE=invoiceninja
# - DB_USERNAME=root
# - DB_PASSWORD=${MARIADB_ROOT}
# - IN_USER_EMAIL=invoice@bhasher.com
# - IN_PASSWORD=${INVOICENINJA_PASSWORD}
# - TRUSTED_PROXIES='*'
# restart: unless-stopped
# volumes:
# - $DATA/invoiceninja/public:/var/www/app/public:rw
# - $DATA/invoiceninja/storage:/var/www/app/storage:rw
# networks:
# - invoice
# - storage
invoiceplane:
container_name: invoiceplane
image: mhzawadi/invoiceplane:latest
volumes:
- $DATA/invoiceplane/uploads:/var/www/html/uploads
- $DATA/invoiceplane/ipconfig.php:/var/www/html/ipconfig.php
- /etc/localtime:/etc/localtime:ro
environment:
- IP_URL=https://invoice.bhasher.com
#- MYSQL_HOST=mariadb
#- MYSQL_USER=root
#- MYSQL_PASSWORD=${MARIADB_ROOT}
#- MYSQL_DB=InvoicePlane
#- DISABLE_SETUP=false
labels:
- "traefik.enable=true"
- "traefik.http.routers.invoice.rule=Host(`invoice.bhasher.com`)"
- "traefik.http.services.invoice.loadbalancer.server.port=80"
- "traefik.http.routers.invoice.tls=true"
- "traefik.http.routers.invoice.tls.certresolver=http"
- "traefik.http.routers.invoice.entrypoints=internalsecure"
networks:
- external
- storage
networks:
invoice:
external:
external: true
storage:
external: true

View File

@ -0,0 +1,39 @@
services:
matrix-synapse:
container_name: matrix-synapse
image: matrixdotorg/synapse:latest
restart: unless-stopped
environment:
- SYNAPSE_SERVER_NAME=matrix.bhasher.com
- SYNAPSE_REPORT_STATS=no
volumes:
- $DATA/matrix/synapse:/data:rw
labels:
- "traefik.enable=true"
- "traefik.http.routers.matrix-synapse.rule=Host(`matrix.bhasher.com`)"
- "traefik.http.routers.matrix-synapse.tls=true"
- "traefik.http.routers.matrix-synapse.tls.certresolver=http"
- "traefik.http.routers.matrix-synapse.entrypoints=internalsecure,externalsecure"
- "traefik.http.services.matrix-synapse.loadbalancer.server.port=8008"
networks:
- external
matrix-riot:
container_name: matrix-element
image: ghcr.io/bubuntux/element-web
restart: unless-stopped
volumes:
- $CONFIG/riot/config.json:/etc/element-web/config.json:ro
labels:
- "traefik.enable=true"
- "traefik.http.routers.matrix-riot.rule=Host(`element.bhasher.com`)"
- "traefik.http.routers.matrix-riot.tls=true"
- "traefik.http.routers.matrix-riot.tls.certresolver=http"
- "traefik.http.routers.matrix-riot.entrypoints=internalsecure,externalsecure"
- "traefik.http.services.matrix-riot.loadbalancer.server.port=80"
networks:
- external
networks:
external:
external: true

View File

@ -0,0 +1,30 @@
services:
mealie:
container_name: mealie
image: hkotel/mealie:latest
restart: always
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Paris
- RECIPE_PUBLIC=true
- RECIPE_SHOW_NUTRITION=true
- RECIPE_SHOW_ASSETS=true
- RECIPE_LANDSCAPE_VIEW=true
- RECIPE_DISABLE_COMMENTS=true
- RECIPE_DISABLE_AMOUNT=false
labels:
- "traefik.enable=true"
- "traefik.http.routers.mealie.rule=Host(`mealie.bhasher.com`)"
- "traefik.http.services.mealie.loadbalancer.server.port=80"
- "traefik.http.routers.mealie.tls=true"
- "traefik.http.routers.mealie.tls.certresolver=http"
- "traefik.http.routers.mealie.entrypoints=internalsecure,externalsecure"
volumes:
- $DATA/mealie/:/app/data
networks:
- external
networks:
external:
external: true

View File

@ -0,0 +1,211 @@
services:
jellyfin:
container_name: jellyfin
image: linuxserver/jellyfin:latest
volumes:
- $DATA/mediaserver/jellyfin:/config
- /mnt/movies/series:/data/tvshows
- /mnt/movies/movies:/data/movies
- /mnt/movies/musics:/data/musics
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Paris
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.routers.jellyfin.rule=Host(`jellyfin.bhasher.com`)"
- "traefik.http.routers.jellyfin.entrypoints=internalsecure,externalsecure"
- "traefik.http.services.jellyfin.loadbalancer.server.port=8096"
- "traefik.http.routers.jellyfin.tls=true"
- "traefik.http.routers.jellyfin.tls.certresolver=http"
networks:
- auth
- external
radarr:
container_name: radarr
image: lscr.io/linuxserver/radarr:latest
environment:
- TZ=Europe/Paris
- PUID=1000
- PGID=1000
volumes:
- $DATA/mediaserver/radarr:/config
- /mnt/movies/movies:/movies
- /mnt/movies/tmp:/downloads
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.routers.radarr.rule=Host(`radarr.bhasher.com`)"
- "traefik.http.services.radarr.loadbalancer.server.port=7878"
- "traefik.http.routers.radarr.tls=true"
- "traefik.http.routers.radarr.tls.certresolver=http"
- "traefik.http.routers.radarr.entrypoints=internalsecure"
- "traefik.http.routers.radarr.middlewares=authelia@docker"
networks:
- mediaserver
- external
sonarr:
container_name: sonarr
image: lscr.io/linuxserver/sonarr:latest
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Paris
volumes:
- $DATA/mediaserver/sonarr:/config
- /mnt/movies/series:/tv
- /mnt/movies/tmp:/downloads
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.routers.sonarr.rule=Host(`sonarr.bhasher.com`)"
- "traefik.http.services.sonarr.loadbalancer.server.port=8989"
- "traefik.http.routers.sonarr.tls=true"
- "traefik.http.routers.sonarr.tls.certresolver=http"
- "traefik.http.routers.sonarr.entrypoints=internalsecure"
- "traefik.http.routers.sonarr.middlewares=authelia@docker"
networks:
- mediaserver
- external
lidarr:
container_name: lidarr
image: lscr.io/linuxserver/lidarr:latest
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Paris
volumes:
- $DATA/mediaserver/lidarr:/config
- /mnt/movies/musics:/music
- /mnt/movies/tmp:/downloads
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.routers.lidarr.rule=Host(`lidarr.bhasher.com`)"
- "traefik.http.services.lidarr.loadbalancer.server.port=8686"
- "traefik.http.routers.lidarr.tls=true"
- "traefik.http.routers.lidarr.tls.certresolver=http"
- "traefik.http.routers.lidarr.entrypoints=internalsecure"
- "traefik.http.routers.lidarr.middlewares=authelia@docker"
networks:
- mediaserver
- external
transmission:
container_name: transmission
image: lscr.io/linuxserver/transmission:latest
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Paris
volumes:
- $DATA/mediaserver/transmission:/config
- /mnt/movies/tmp:/downloads
- /mnt/movies/torrents:/watch
ports:
- 51413:51413/tcp
- 51413:51413/udp
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.routers.transmission.rule=Host(`transmission.bhasher.com`)"
- "traefik.http.services.transmission.loadbalancer.server.port=9091"
- "traefik.http.routers.transmission.tls=true"
- "traefik.http.routers.transmission.tls.certresolver=http"
- "traefik.http.routers.transmission.entrypoints=internalsecure"
- "traefik.http.routers.transmission.middlewares=authelia@docker"
networks:
- mediaserver
- external
# jackett:
# container_name: jackett
# image: lscr.io/linuxserver/jackett:latest
# environment:
# - PUID=1000
# - PGID=1000
# - TZ=Europe/Paris
# - AUTO_UPDATE=true
# volumes:
# - $DATA/mediaserver/jackett:/config
# - /mnt/movies/torrents:/downloads
# restart: unless-stopped
# labels:
# - "traefik.enable=true"
# - "traefik.http.routers.jackett.rule=Host(`jackett.bhasher.com`)"
# - "traefik.http.services.jackett.loadbalancer.server.port=9117"
# - "traefik.http.routers.jackett.tls=true"
# - "traefik.http.routers.jackett.tls.certresolver=http"
# - "traefik.http.routers.jackett.entrypoints=internalsecure"
# - "traefik.http.routers.jackett.middlewares=authelia@docker"
# networks:
# - mediaserver
# - external
prowlarr:
container_name: prowlarr
image: lscr.io/linuxserver/prowlarr:latest
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Paris
volumes:
- $DATA/mediaserver/prowlarr:/config
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.routers.prowlarr.rule=Host(`prowlarr.bhasher.com`)"
- "traefik.http.services.prowlarr.loadbalancer.server.port=9696"
- "traefik.http.routers.prowlarr.tls=true"
- "traefik.http.routers.prowlarr.tls.certresolver=http"
- "traefik.http.routers.prowlarr.entrypoints=internalsecure"
- "traefik.http.routers.prowlarr.middlewares=authelia@docker"
networks:
- mediaserver
- external
flaresolverr:
container_name: flaresolverr
image: ghcr.io/flaresolverr/flaresolverr:latest
environment:
- LOG_LEVEL=info
- LOG_HTML=false
- CAPTCHA_SOLVER=none
- TZ=Europe/Paris
restart: unless-stopped
networks:
- mediaserver
bazarr:
container_name: bazarr
image: lscr.io/linuxserver/bazarr
environment:
- TZ=Europe/Paris
- PUID=1000
- PGID=1000
volumes:
- $DATA/mediaserver/bazarr:/config
- /mnt/movies/movies:/movies
- /mnt/movies/series:/tv
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.routers.bazarr.rule=Host(`bazarr.bhasher.com`)"
- "traefik.http.services.bazarr.loadbalancer.server.port=6767"
- "traefik.http.routers.bazarr.tls=true"
- "traefik.http.routers.bazarr.tls.certresolver=http"
- "traefik.http.routers.bazarr.entrypoints=internalsecure"
- "traefik.http.routers.bazarr.middlewares=authelia@docker"
networks:
- mediaserver
- external
networks:
mediaserver:
external:
external: true

View File

@ -0,0 +1,38 @@
services:
pihole:
container_name: pihole
image: cbcrowe/pihole-unbound:latest
ports:
- 53:53/tcp
- 53:53/udp
environment:
- TZ=Europe/Paris
- WEBPASSWORD=
- WEBTHEME=default-dark
- REV_SERVER=false
- PIHOLE_DNS_=127.0.0.1#5335
- DNSSEC=true
- DNSMASQ_LISTENING=all
- FTLCONF_LOCAL_IPV4=192.168.1.220
- FTLCONF_RATE_LIMIT=0/0
- FTL_CMD=debug
- DNSMASQ_USER=root
volumes:
- $DATA/pihole/config:/etc/pihole
- $DATA/pihole/dnsmasq.d:/etc/dnsmasq.d
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.routers.pihole.rule=Host(`pihole.bhasher.com`)"
- "traefik.http.routers.pihole.entrypoints=internalsecure"
- "traefik.http.services.pihole.loadbalancer.server.port=80"
- "traefik.http.routers.pihole.tls=true"
- "traefik.http.routers.pihole.tls.certresolver=http"
- "traefik.http.routers.pihole.middlewares=pihole-strip,authelia@docker"
- "traefik.http.middlewares.pihole-strip.addprefix.prefix=/admin"
networks:
- external
networks:
external:
external: true

View File

@ -0,0 +1,73 @@
services:
hass:
container_name: hass
image: ghcr.io/home-assistant/home-assistant:stable
volumes:
- $DATA/hass:/config
- /etc/localtime:/etc/localtime:ro
networks:
- smarthome
- external
restart: on-failure
labels:
- "traefik.enable=true"
- "traefik.http.routers.hass.rule=Host(`hass.bhasher.com`)"
- "traefik.http.routers.hass.entrypoints=internalsecure"
- "traefik.http.services.hass.loadbalancer.server.port=8123"
- "traefik.http.routers.hass.tls=true"
- "traefik.http.routers.hass.tls.certresolver=http"
mosquitto:
container_name: mosquitto
image: eclipse-mosquitto:latest
volumes:
- $CONFIG/smarthome/mosquitto.conf:/mosquitto/config/mosquitto.conf:ro
- $DATA/mosquitto/data:/mosquitto/data
- $DATA/mosquitto/passwordfile:/mosquitto/passwordfile
- /etc/localtime:/etc/localtime:ro
ports:
- 1883:1883
- 9001:9001
networks:
- smarthome
- external
restart: on-failure
zigbee2mqtt:
container_name: zigbee2mqtt
restart: unless-stopped
image: koenkk/zigbee2mqtt:latest
volumes:
- $DATA/zigbee2mqtt:/app/data
- /run/udev:/run/udev:ro
- /etc/localtime:/etc/localtime:ro
devices:
- /dev/ttyACM0:/dev/ttyACM0
networks:
- smarthome
nodered:
container_name: nodered
restart: on-failure
image: nodered/node-red:latest
volumes:
- $DATA/nodered:/data
- /etc/localtime:/etc/localtime:ro
networks:
- smarthome
- external
labels:
- "traefik.enable=true"
- "traefik.http.routers.nodered.rule=Host(`nodered.bhasher.com`)"
- "traefik.http.routers.nodered.entrypoints=internalsecure"
- "traefik.http.services.nodered.loadbalancer.server.port=1880"
- "traefik.http.routers.nodered.tls=true"
- "traefik.http.routers.nodered.tls.certresolver=http"
- "traefik.http.routers.nodered.middlewares=authelia@docker"
networks:
smarthome:
external:
external: true

View File

@ -0,0 +1,31 @@
services:
syncthing:
container_name: syncthing
image: syncthing/syncthing:latest
hostname: snode0
environment:
- PUID=33
- PGID=33
volumes:
- $DATA/syncthing:/var/syncthing:rw
- /mnt/syncDocuments:/mnt/SyncDocuments:rw
- /mnt/brieuc-pictures:/mnt/pictures:rw
labels:
- "traefik.enable=true"
- "traefik.http.routers.syncthing.rule=Host(`syncthing.bhasher.com`)"
- "traefik.http.routers.syncthing.entrypoints=internalsecure"
- "traefik.http.services.syncthing.loadbalancer.server.port=8384"
- "traefik.http.routers.syncthing.tls=true"
- "traefik.http.routers.syncthing.tls.certresolver=http"
- "traefik.http.routers.syncthing.middlewares=authelia@docker"
ports:
- 22000:22000/tcp # TCP file transfers
- 22000:22000/udp # QUIC file transfers
- 21027:21027/udp # Receive local discovery broadcasts
restart: unless-stopped
networks:
- external
networks:
external:
external: true

View File

@ -0,0 +1,14 @@
services:
tg2:
container_name: tg2
image: tg2:latest
restart: on-failure
environment:
- TGTG_EMAIL=tgtg.trash@bhasher.com
- TELEGRAM_TOKEN=${TELEGRAM_TOKEN}
- TELEGRAM_ID=${TELEGRAM_ID}
volumes:
- $DATA/tg2:/data
labels:
- "com.centurylinklabs.watchtower.enable=false"

View File

@ -0,0 +1,23 @@
services:
wireguard:
container_name: wireguard
image: lscr.io/linuxserver/wireguard:latest
restart: always
volumes:
- $DATA/wireguard:/config
- /lib/modules:/lib/modules
ports:
- 51822:51820/udp
environment:
- TZ=Europe/Paris
- SERVERURL=vpn.bhasher.com
- SERVERPORT=51822
- PEERS=10
- PEERDNS=auto
- INTERNAL_SUBNET=10.13.14.0
- ALLOWEDIPS=0.0.0.0/0
cap_add:
- NET_ADMIN
- SYS_MODULE
sysctls:
- net.ipv4.conf.all.src_valid_mark=1

View File

@ -0,0 +1,14 @@
[Unit]
Description=Start Borg Backup Container
After=docker.service
ConditionPathExists=/mnt/borg
[Service]
Type=oneshot
ExecStart=/usr/bin/docker start borg
User=pi
Group=pi
Restart=no
[Install]
WantedBy=multi-user.target

View File

@ -0,0 +1,9 @@
[Unit]
Description=Run Borg Backup at 4 a.m. every day
[Timer]
OnCalendar=*-*-* 04:00:00
Persistent=true
[Install]
WantedBy=timers.target

View File

@ -0,0 +1,227 @@
pageInfo:
title: Homelab
description: Welcome to bhasher's homelab dashboard!
navLinks:
- title: GitHub
path: https://github.com/BhasherBEL
appConfig:
theme: one-dark
layout: auto
iconSize: small
language: en
statusCheck: true
colCount: 8
sections:
- name: Public services
icon: fa-server
displayData:
sortBy: most-used
rows: 1
cols: 3
collapsed: false
hideForGuests: false
items:
- title: Jellyfin
icon: hl-jellyfin
url: https://jellyfin.bhasher.com
statusCheckUrl: http://jellyfin:8096
id: 0_1507_jellyfin
- title: Authelia
icon: hl-authelia
url: https://idp.bhasher.com
statusCheckUrl: http://authelia:9091
id: 1_1507_authelia
- title: Mealie
icon: hl-mealie
url: https://mealie.bhasher.com
statusCheckUrl: http://mealie
id: 2_1507_mealie
- title: Baikal
icon: hl-baikal
url: https://baikal.bxl.bhasher.com
statusCheckUrl: http://baikal
id: 3_1507_baikal
- title: Element web
icon: hl-element
url: https://element.bhasher.com
statusCheckUrl: http://matrix-riot
id: 4_1507_elementweb
- title: Shlink
icon: hl-shlink
url: https://shlink.bhasher.com
statusCheckUrl: https://shlink_ui
id: 5_1507_shlink
- name: Private services
displayData:
sortBy: most-used
rows: 1
cols: 3
collapsed: false
hideForGuests: false
items:
- title: Bazarr
icon: hl-bazarr
url: https://bazarr.bhasher.com
statusCheckUrl: http://bazarr:6767
id: 0_1631_bazarr
- title: Radarr
icon: hl-radarr
url: https://radarr.bhasher.com
statusCheckUrl: http://radarr:7878
id: 1_1631_radarr
- title: Sonarr
icon: hl-sonarr
url: https://sonarr.bhasher.com
statusCheckUrl: http://sonarr:8989
id: 2_1631_sonarr
- title: Lidarr
icon: hl-lidarr
url: https://lidarr.bhasher.com
statusCheckUrl: http://lidarr:8686
id: 3_1631_lidarr
- title: Transmission
icon: hl-transmission
url: https://transmission.bhasher.com
statusCheckUrl: http://transmission:9091
id: 4_1631_transmission
- title: Prowlarr
icon: hl-prowlarr
url: https://prowlarr.bhasher.com
statusCheckUrl: http://prowlarr:9696
id: 5_1631_prowlarr
- title: Grafana
icon: hl-grafana
url: https://grafana.bhasher.com
statusCheckUrl: http://grafana:3000
id: 6_1631_grafana
- title: Portainer
icon: hl-portainer
url: https://portainer.bxl.bhasher.com
statusCheckUrl: http://portainer:9000
id: 7_1631_portainer
- title: InvoiceNinja
icon: hl-invoiceninja
url: https://invoice.bhasher.com
statusCheckUrl: http://invoicenginx
id: 8_1631_invoiceninja
- title: Dashboard
icon: hl-dashy
url: https://hub.bhasher.com
statusCheckUrl: http://dashy
id: 9_1631_dashboard
- title: Syncthing
icon: hl-syncthing
url: https://syncthing.bhasher.com
statusCheckUrl: http://syncthing:8384
id: 10_1631_syncthing
- title: Portainer (VPS)
icon: hl-portainer
url: https://portainer.vps.bhasher.com
id: 11_1631_portainervps
- title: Portainer (LLN)
icon: hl-portainer
url: https://portainer.lln.bhasher.com
id: 12_1631_portainerlln
- title: Home assistant
icon: hl-home-assistant
url: https://hass.bhasher.com
statusCheckUrl: http://hass:8123
id: 13_1631_homeassistant
- title: Node-red
icon: hl-node-red
url: https://nodered.bhasher.com
statusCheckUrl: http://nodered:1880
id: 14_1631_nodered
- title: Planka
icon: hl-planka
url: https://planka.bhasher.com
statusCheckUrl: http://planka:1337
id: 15_1631_planka
- name: System services
displayData:
sortBy: most-used
rows: 1
cols: 2
collapsed: false
hideForGuests: false
items:
- title: Prometeus
icon: hl-prometheus
url: https://prometheus.bhasher.com
statusCheckUrl: http://prometheus:9090
id: 0_1545_prometeus
- title: Traefik
icon: hl-traefik
url: https://traefik.bhasher.com
statusCheckUrl: http://traefik:8080
id: 1_1545_traefik
- title: User manager
icon: hl-phpldapadmin
url: https://lum.bhasher.com
statusCheckUrl: http://ldapusermanager
id: 2_1545_usermanager
- title: Mikrotik router
icon: hl-mikrotik
url: http://192.168.1.1:8080/
id: 3_1545_mikrotikrouter
- name: Real life survey
widgets:
- type: clock
options:
timezone: Europe/Brussels
format: fr-FR
hideDate: false
id: 0_1554_clock
- type: public-holidays
options:
country: BE
holidayType: all
monthsToShow: 4
lang: fr
id: 1_1554_publicholidays
displayData:
sortBy: default
rows: 1
cols: 2
collapsed: false
hideForGuests: false
- name: Online survey
displayData:
sortBy: default
rows: 1
cols: 2
collapsed: false
hideForGuests: false
widgets:
- type: public-ip
id: 0_1331_publicip
- type: github-profile-stats
options:
username: BhasherBEL
hideLanguagesCard: true
id: 1_1331_githubprofilestats
- type: crypto-watch-list
options:
currency: USD
sortBy: marketCap
assets:
- bitcoin
- ethereum
id: 2_1331_cryptowatchlist
- name: Random
widgets:
- type: joke
options:
language: en
category: all
id: 0_609_joke
- type: xkcd-comic
options:
comic: random
id: 1_609_xkcdcomic
displayData:
sortBy: default
rows: 1
cols: 4
collapsed: false
hideForGuests: false

View File

@ -0,0 +1,167 @@
default_redirection_url: https://hub.bhasher.com
theme: dark
server:
host: 0.0.0.0
port: 9091
log:
level: info
totp:
disable: false
issuer: idp.bhasher.com
algorithm: sha256
digits: 6
period: 30
skew: 1
secret_size: 32
ntp:
disable_startup_check: true
authentication_backend:
password_reset:
disable: false
refresh_interval: 5m
ldap:
user: cn=readonly,dc=bhasher,dc=com
implementation: custom
url: ldap://openldap
timeout: 5s
start_tls: false
base_dn: DC=bhasher,DC=com
username_attribute: uid
additional_users_dn: ou=users
users_filter: (&({username_attribute}={input})(objectClass=inetOrgPerson))
additional_groups_dn: ou=groups
groups_filter: (&(uniqueMember={dn})(objectClass=groupOfUniqueNames))
group_name_attribute: cn
mail_attribute: mail
display_name_attribute: cn
permit_referrals: false
access_control:
default_policy: deny
rules:
- domain: 'radarr.bhasher.com'
policy: one_factor
subject:
- "group:mediaserver"
- domain: 'sonarr.bhasher.com'
policy: one_factor
subject:
- "group:mediaserver"
- domain: 'jellyfin.bhasher.com'
policy: one_factor
subject:
- "group:mediaserver"
- domain: 'lum.bhasher.com'
policy: two_factor
subject:
- "group:admin"
- domain: '*.bhasher.com'
policy: one_factor
subject:
- "group:admin"
session:
name: auth_session
domain: bhasher.com
same_site: lax
expiration: 1d
inactivity: 3h
remember_me_duration: 1w
redis:
host: redis
port: 6379
regulation:
max_retries: 3
find_time: 1m
ban_time: 5m
storage:
# local:
# path: /data/db.sqlite3
postgres:
host: postgres
port: 5432
database: authelia
schema: public
username: postgres
notifier:
smtp:
host: bdubois.io
port: 587
sender: no-reply@bhasher.com
password_policy:
standard:
enabled: true
min_length: 8
max_length: 0
require_uppercase: false
require_lowercase: false
require_number: false
require_special: false
telemetry:
metrics:
enabled: true
address: "tcp://0.0.0.0:9959"
buffers:
read: 4096
write: 4096
timeouts:
read: 6s
write: 6s
idle: 30s
identity_providers:
oidc:
enforce_pkce: public_clients_only
clients:
- id: grafana
description: Grafana
secret: '$argon2id$v=19$m=65536,t=3,p=4$dQfNyInvlh1Lgw3JXi7G6A$M/WaNpHJkAyaQcXIMsOTl0+gBWGPPVBoCm7NpEQfTpI'
public: false
authorization_policy: one_factor
redirect_uris:
- https://grafana.bhasher.com/login/generic_oauth
consent_mode: implicit
scopes:
- openid
- profile
- groups
- email
userinfo_signing_algorithm: none
- id: matrix_synapse
description: Matrix Synapse
secret: '$argon2id$v=19$m=65536,t=3,p=4$Z+6HONrjDp54s+MhXuq1cA$bjc5tMGD3gR6AaBYIDx3S2mz/UfPv6a0n1Vf3q2Ifik'
public: false
authorization_policy: one_factor
redirect_uris:
- https://matrix.bhasher.com/_synapse/client/oidc/callback
consent_mode: implicit
scopes:
- openid
- profile
- email
userinfo_signing_algorithm: none
- id: portainer
description: Portainer
secret: '$argon2id$v=19$m=65536,t=3,p=4$7bqhx/sMH6Hes4ggVwpEPg$uue9QyGkROpAihkGpbDV6YjKCJlZVXj1JBkJfyLj2MI'
public: false
authorization_policy: two_factor
redirect_uris:
- https://portainer.bxl.bhasher.com
consent_mode: implicit
scopes:
- openid
- profile
- groups
- email
userinfo_signing_algorithm: none

View File

@ -0,0 +1,28 @@
server {
listen 80 default_server;
server_name _;
client_max_body_size 100M;
root /var/www/app/public/;
index index.php;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass invoiceninja:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
}
}

View File

@ -0,0 +1,42 @@
devices:
- name: router
address: 192.168.1.1
username: prometheus
password: ck1Jm25pcgW4IbnrHa3VCkxVR5H19fbO
features:
bgp: true #
dhcp: true
dhcpv6: true #
dhcpl: true
dhcp_leases: true
routes: true #
pools: true #
optics: true #
wlansta: true
wlanif: true
ipsec: true #
ipsec-peers: true #
monitor: true
health: true
conntrack: true
pool: true #
resource: true
features:
bgp: true #
dhcp: true
dhcpv6: true #
dhcpl: true
dhcp_leases: true
routes: true #
pools: true #
optics: true #
wlansta: true
wlanif: true
ipsec: true #
ipsec-peers: true #
monitor: true
health: true
conntrack: true
pool: true #
resource: true

View File

@ -0,0 +1,40 @@
global:
scrape_interval: 60s # By default, scrape targets every 15 seconds.
# Attach these labels to any time series or alerts when communicating with
# external systems (federation, remote storage, Alertmanager).
external_labels:
monitor: 'monitor'
# A scrape configuration containing exactly one endpoint to scrape:
# Here it's Prometheus itself.
scrape_configs:
# The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
- job_name: 'prometheus'
static_configs:
- targets: ['localhost:9090']
- job_name: "Docker Job"
static_configs:
- targets: ["host.docker.internal:9323"]
- job_name: 'cadvisor'
static_configs:
- targets: ['cadvisor:8080']
- job_name: 'node-exporter'
static_configs:
- targets: ['node-exporter:9100']
- job_name: 'treafik'
static_configs:
- targets: ['traefik:8080']
- job_name: 'authelia'
static_configs:
- targets: ['authelia:9959']
- job_name: 'mikrotik'
static_configs:
- targets: ['mikrotik:9436']

View File

@ -0,0 +1,7 @@
{
"default_server_config": {
"m.homeserver": {
"base_url": "https://matrix.bhasher.com"
}
}
}

View File

@ -0,0 +1,3 @@
listener 1883
allow_anonymous false
password_file /mosquitto/passwordfile

5
bxl-shp/deploy.sh Executable file
View File

@ -0,0 +1,5 @@
cd ~/homelab/bxl-shp
cmd=$(find . -type f \( -name "docker-compose.*.yaml" \) | awk '{printf "-f %s \0", $0}' | xargs -0 -I{} echo "docker compose {} --env-file .env up -d")
echo $cmd
eval $cmd
# -name "docker-compose.yaml" -o

View File

@ -0,0 +1,99 @@
services:
openldap:
container_name: openldap
image: osixia/openldap:1.5.0
restart: unless-stopped
environment:
- LDAP_ADMIN_USERNAME=admin
- LDAP_ADMIN_PASSWORD=${LDAP_ADMIN_PASSWORD}
- LDAP_READONLY_USER=true
- LDAP_READONLY_USER_USERNAME=readonly
- LDAP_READONLY_USER_PASSWORD=${LDAP_READONLY_PASSWORD}
- LDAP_DOMAIN=bhasher.com
- LDAP_ORGANISATION=Bhasher
- LDAP_RFC2307BIS_SCHEMA=true
- LDAP_TLS=false
volumes:
- $DATA/openldap/ldap:/var/lib/ldap
- $DATA/openldap/slapd.d:/etc/ldap/slapd.d
networks:
- auth
ldapusermanager:
container_name: ldapusermanager
image: wheelybird/ldap-user-manager:latest
restart: unless-stopped
environment:
- LDAP_URI=ldap://openldap
- LDAP_BASE_DN=dc=bhasher,dc=com
- LDAP_ADMIN_BIND_DN=cn=admin,dc=bhasher,dc=com
- LDAP_ADMINS_GROUP=admin
- SERVER_HOSTNAME=lum.bhasher.com
- NO_HTTPS=true
- ORGANISATION_NAME=Bhasher
- LDAP_REQUIRE_STARTTLS=false
- FORCE_RFC2307BIS=true
- SHOW_POSIX_ATTRIBUTES=false
- LDAP_ADMIN_BIND_PWD=${LDAP_ADMIN_PASSWORD}
- LDAP_USER_OU=users
- LDAP_GROUP_OU=groups
- LDAP_ACCOUNT_ATTRIBUTE=uid
- LDAP_GROUP_ATTRIBUTE=cn
- USERNAME_FORMAT={first_name}.{last_name}
- ENFORCE_SAFE_SYSTEM_NAMES=false
- PASSWORD_HASH=SHA512CRYPT
- ACCEPT_WEAK_PASSWORDS=false
- LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES=jpegPhoto^:Profile picture,sshpubkey^+:SSH public key
#- REMOTE_HTTP_HEADERS_LOGIN=true
labels:
- "traefik.enable=true"
- "traefik.http.routers.lum.rule=Host(`lum.bhasher.com`)"
- "traefik.http.routers.lum.entrypoints=internalsecure"
- "traefik.http.services.lum.loadbalancer.server.port=80"
- "traefik.http.routers.lum.tls=true"
- "traefik.http.routers.lum.tls.certresolver=http"
#- "traefik.http.routers.lum.middlewares=authelia@docker"
networks:
- auth
- external
authelia:
container_name: authelia
image: authelia/authelia:latest
restart: unless-stopped
environment:
- TZ=Europe/Paris
- AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD=${LDAP_READONLY_PASSWORD}
- AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET}
- AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
- AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_ENCRYPTION_KEY}
- AUTHELIA_STORAGE_POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
- AUTHELIA_NOTIFIER_SMTP_PASSWORD=${SMTP_PASSWORD}
- AUTHELIA_NOTIFIER_SMTP_USERNAME=${SMTP_USER}
- AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE=/secrets/oidc_certificate.pem
- AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET=${AUTHELIA_OIDC_HMAC}
labels:
- "traefik.enable=true"
- "traefik.http.routers.authelia.rule=Host(`idp.bhasher.com`)"
- "traefik.http.routers.authelia.entrypoints=internalsecure,externalsecure"
- "traefik.http.services.authelia.loadbalancer.server.port=9091"
- "traefik.http.routers.authelia.tls=true"
- "traefik.http.routers.authelia.tls.certresolver=http"
- 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https%3A%2F%2Fidp.bhasher.com%2F'
- 'traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true'
- 'traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
volumes:
- $CONFIG/idp/authelia.configuration.yaml:/config/configuration.yml:ro
- $DATA/authelia:/secrets:ro
networks:
- auth
- storage
- external
networks:
auth:
name: auth
external:
external: true
storage:
external: true

View File

@ -0,0 +1,19 @@
services:
borg:
container_name: borg
image: pschiffe/borg
volumes:
- /mnt/borg:/borg/repo
- $DATA/borg/config:/root
- $DATA:/borg/data/docker-data:ro
- /etc/localtime:/etc/localtime:ro
environment:
- BORG_REPO=/borg/repo
- BORG_PASSPHRASE=${BORG_PASSPHRASE}
- BACKUP_DIRS=/borg/data
- COMPRESSION=lz4
- PRUNE=1
restart: "no"
profiles:
- dnr

View File

@ -0,0 +1,134 @@
services:
prometheus:
container_name: prometheus
image: prom/prometheus:latest
restart: unless-stopped
user: root
labels:
- "traefik.enable=true"
- "traefik.http.routers.prom.rule=Host(`prometheus.bhasher.com`)"
- "traefik.http.routers.prom.entrypoints=internalsecure"
- "traefik.http.services.prom.loadbalancer.server.port=9090"
- "traefik.http.routers.prom.tls=true"
- "traefik.http.routers.prom.tls.certresolver=http"
- "traefik.http.routers.prom.middlewares=authelia@docker"
extra_hosts:
- "host.docker.internal:host-gateway"
volumes:
- $CONFIG/monitoring/prometheus.yaml:/etc/prometheus/prometheus.yml:ro
- $DATA/monitoring/prometheus:/prometheus
- /etc/localtime:/etc/localtime:ro
networks:
- monitoring
- external
grafana:
container_name: grafana
image: grafana/grafana
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.routers.grafana.rule=Host(`grafana.bhasher.com`)"
- "traefik.http.routers.grafana.entrypoints=internalsecure"
- "traefik.http.services.grafana.loadbalancer.server.port=3000"
- "traefik.http.routers.grafana.tls=true"
- "traefik.http.routers.grafana.tls.certresolver=http"
environment:
- GF_SERVER_ROOT_URL=https://grafana.bhasher.com
- GF_SMTP_ENABLED=true
- GF_SMTP_HOST=bdubois.io:465
- GF_SMTP_USER=${SMTP_USER}
- GF_SMTP_PASSWORD=${SMTP_PASSWORD}
- GF_SMTP_FROM_ADDRESS=grafana@bhasher.com
- GF_AUTH_LOGIN_DISABLE_LOGIN_FORM=true
- GF_AUTH_DISABLE_SIGNOUT_MENU=true
- GF_AUTH_OAUTH_AUTO_LOGIN=true
- GF_AUTH_GENERIC_OAUTH_ENABLED=true
- GF_AUTH_GENERIC_OAUTH_ICON=signin
- GF_AUTH_GENERIC_OAUTH_NAME=Authelia
- GF_AUTH_GENERIC_OAUTH_CLIENT_ID=grafana
- GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=${GRAFANA_OAUTH}
- GF_AUTH_GENERIC_OAUTH_SCOPES=openid profile email groups
- GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES=false
- GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://idp.bhasher.com/api/oidc/authorization
- GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://idp.bhasher.com/api/oidc/token
- GF_AUTH_GENERIC_OAUTH_API_URL=https://idp.bhasher.com/api/oidc/userinfo
- GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH=preferred_username
- GF_AUTH_GENERIC_OAUTH_GROUPS_ATTRIBUTE_PATH=groups
- GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH=name
- GF_AUTH_GENERIC_OAUTH_USE_PKCE=false
- GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(roles[*], 'admin') && 'Admin' || 'Viewer'
- GF_AUTH_GENERIC_OAUTH_GROUPS_PATH=groups
- GF_AUTH_GENERIC_OAUTH_ALLOWED_GROUPS=admin
volumes:
- $DATA/monitoring/grafana:/var/lib/grafana
- /etc/localtime:/etc/localtime:ro
networks:
- external
- monitoring
cadvisor:
container_name: cadvisor
image: gcr.io/cadvisor/cadvisor:v0.47.0 #v0.47.1
volumes:
- /:/rootfs:ro
- /var/run:/var/run:rw
- /sys:/sys:ro
- /var/lib/docker/:/var/lib/docker:ro
- /etc/localtime:/etc/localtime:ro
restart: always
command:
- "--housekeeping_interval=60s"
- "--docker_only=true"
- "--store_container_labels=false"
- "--disable_metrics=percpu,sched,tcp,udp,disk,diskIO,hugetlb,referenced_memory,cpu_topology,resctrl"
networks:
- monitoring
healthcheck:
test: wget --quiet --tries=1 --spider http://localhost:8080/healthz || exit 1
interval: 15s
timeout: 15s
retries: 5
start_period: 30s
node-exporter:
container_name: node-exporter
image: quay.io/prometheus/node-exporter:latest
volumes:
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /:/rootfs:ro
- /:/host:ro,rslave
- /etc/localtime:/etc/localtime:ro
command:
- '--path.rootfs=/host'
- '--path.procfs=/host/proc'
- '--path.sysfs=/host/sys'
- '--collector.filesystem.ignored-mount-points'
- "^/(sys|proc|dev|host|etc|rootfs/var/lib/docker/containers|rootfs/var/lib/docker/overlay2|rootfs/run/docker/netns|rootfs/var/lib/docker/aufs)($$|/)"
restart: always
networks:
- monitoring
mikrotik:
container_name: mikrotik
image: ogi4i/mikrotik-exporter:latest
#image: nshttpd/mikrotik-exporter-linux-arm64:1.0.12-DEVEL
command:
- -config-file
- /config.yaml
restart: unless-stopped
environment:
- CONFIG_FILE=/config.yaml
volumes:
- $CONFIG/monitoring/mikrotik.yaml:/config.yaml:ro
- /etc/localtime:/etc/localtime:ro
networks:
- monitoring
networks:
monitoring:
name: monitoring
external:
external: true

View File

@ -0,0 +1,23 @@
services:
portainer:
container_name: portainer
image: portainer/portainer-ce:latest
ports:
- "9443:9443"
volumes:
- $DATA/portainer:/data:rw
- /var/run/docker.sock:/var/run/docker.sock
labels:
- "traefik.enable=true"
- "traefik.http.routers.portainer.rule=Host(`portainer.bxl.bhasher.com`)"
- "traefik.http.routers.portainer.entrypoints=externalsecure,internalsecure"
- "traefik.http.services.portainer.loadbalancer.server.port=9000"
- "traefik.http.routers.portainer.tls=true"
- "traefik.http.routers.portainer.tls.certresolver=http"
restart: unless-stopped
networks:
- external
networks:
external:
external: true

View File

@ -0,0 +1,35 @@
services:
postgres:
container_name: postgres
image: postgres:15
restart: unless-stopped
environment:
- POSTGRES_USER=postgres
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
volumes:
- $DATA/postgres:/var/lib/postgresql/data
networks:
- storage
redis:
container_name: redis
image: redis:latest
restart: unless-stopped
networks:
- storage
mariadb:
container_name: mariadb
image: mariadb:latest
restart: on-failure
environment:
- MARIADB_ROOT_PASSWORD=${MARIADB_ROOT}
volumes:
- $DATA/mariadb:/var/lib/mysql:rw
networks:
- storage
networks:
storage:
name: storage

View File

@ -0,0 +1,57 @@
services:
traefik:
container_name: traefik
image: traefik:v2.9
command:
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--providers.docker.network=external"
- "--entrypoints.internal.address=:80"
- "--entrypoints.internalsecure.address=:443"
- "--entrypoints.internal.http.redirections.entryPoint.to=internalsecure"
- "--entrypoints.internal.http.redirections.entryPoint.scheme=https"
- "--entrypoints.internal.http.redirections.entryPoint.permanent=true"
- "--certificatesresolvers.http.acme.httpchallenge=true"
- "--certificatesresolvers.http.acme.httpchallenge.entrypoint=external"
- "--certificatesresolvers.http.acme.email=acme@bhasher.com"
- "--certificatesresolvers.http.acme.storage=acme.json"
- "--entrypoints.external.address=:81"
- "--entrypoints.externalsecure.address=:444"
- "--entrypoints.external.http.redirections.entryPoint.to=externalsecure"
- "--entrypoints.external.http.redirections.entryPoint.scheme=https"
- "--entrypoints.external.http.redirections.entryPoint.permanent=true"
#- "--log.level=DEBUG"
- "--metrics.prometheus=true"
- "--api.dashboard=true"
environment:
- TZ=Europe/Paris
ports:
- "80:80"
- "443:443"
- "81:81"
- "444:444"
#- "8080:8080"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- type: bind
source: $DATA/traefik/acme.json
target: /acme.json
- type: bind
source: $DATA/traefik/rules.toml
target: /rules.toml
restart: always
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.rule=Host(`traefik.bhasher.com`)"
- "traefik.http.services.traefik.loadbalancer.server.port=8080"
- "traefik.http.routers.traefik.tls=true"
- "traefik.http.routers.traefik.tls.certresolver=http"
- "traefik.http.routers.traefik.entrypoints=internalsecure"
- "traefik.http.routers.traefik.middlewares=authelia@docker"
networks:
- external
networks:
external:
name: external

View File

@ -0,0 +1,32 @@
services:
watchtower:
container_name: watchtower
image: containrrr/watchtower
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /etc/localtime:/etc/localtime:ro
command:
- "--cleanup"
- "--schedule=0 0 3 * * SAT"
- "--label-enable"
#- "--monitor-only"
- "--http-api-metrics=true"
- "--http-api-token=watchtower"
#- "--run-once=true"
# emails notification
- "--notifications=email"
- "--notifications-level=trace"
- "--notification-email-from=watchtower.noreply@bhasher.com"
- "--notification-email-to=watchtower.homelab@bhasher.com"
- "--notification-email-server=bdubois.io"
- "--notification-email-server-port=465"
- "--notification-email-server-user=${SMTP_USER}"
- "--notification-email-server-password=${SMTP_PASSWORD}"
networks:
- monitoring
labels:
- "com.centurylinklabs.watchtower.enable=false"
networks:
monitoring:
external: true