first commit

This commit is contained in:
root 2025-12-02 13:08:52 +02:00
commit 9610d10bb0
395 changed files with 10788 additions and 0 deletions

2
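--- a/.backup.sh
+++ b/.backup.sh
@@ -0,0 +1,2 @@
+cd /mnt/SSD1/docker/stacks
+tar -zcf /mnt/stpool1/Shared_Data/Chris/docker/backup-stacks-$(date -I).tar.gz ./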
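Review bot: The `cd` on the first line is unchecked, so if the stacks directory is missing or unreadable the `tar` on the next line silently archives whatever the current directory happens to be; use `cd /mnt/SSD1/docker/stacks || exit 1`, and since the file is marked executable give it a `#!/bin/sh` line with `set -eu`. The archive also sweeps `.secrets/` and every per-stack `secrets/` directory in cleartext into a shared-data path, so each backup becomes another copy of every credential; exclude them, e.g. `tar -zcf /mnt/stpool1/Shared_Data/Chris/docker/backup-stacks-$(date -I).tar.gz --exclude='./.secrets' --exclude='./*/secrets' ./`, or encrypt the archive before it lands in Shared_Data.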


@ -0,0 +1 @@
stuurmcp@telkomsa.net

1
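--- a/.secrets/smtp_from
+++ b/.secrets/smtp_from
@@ -0,0 +1 @@
+stuurman30@telkomsa.net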

1
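--- a/.secrets/smtp_host
+++ b/.secrets/smtp_host
@@ -0,0 +1 @@
+smtp.telkomsa.net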

1
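--- a/.secrets/smtp_password
+++ b/.secrets/smtp_password
@@ -0,0 +1 @@
+Saterdag!230@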
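Review bot: This file commits a live SMTP password in cleartext, and the same commit adds under authentik/secrets/ what appear to be the PostgreSQL password and the AUTHENTIK_SECRET_KEY (the 48- and 80-character base64 values, matching the `openssl rand 36` and `openssl rand 60` recipes quoted in compose.yml and .env). Git history keeps these even after a later deletion, so they should be rotated now rather than merely removed. Add `.secrets/` and `*/secrets/` to `.gitignore` and keep only the compose `secrets:` file references in the repository; the symlinks under authentik/secrets/ contain only paths and can stay.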

1
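--- a/.secrets/smtp_username
+++ b/.secrets/smtp_username
@@ -0,0 +1 @@
+stuurman30@telkomsa.net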

30
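--- a/README.md
+++ b/README.md
@@ -0,0 +1,30 @@
+# Stacks folder on Truenas docker
+## Create local Git Repository
+git init
+## Create a README file (And put an initial comment inside this file)
+nano README.md
+ls -la
+## Get Local Git Repository status
+git status
+## Add all files to Local Git Repository
+git add .
+## Do Initial Git commit
+git commit -m "first commit"
+## Add Github Repository origin (xxxxxxx and yyyyyyy will be provided by Github)
+git remote add origin https://github.com/xxxxxxx/yyyyyyyyy.git
+## Add Github user email address
+git config --global user.email "xyxyxyxyxyx@gmail.com"
+## Add Github user name
+git config --global user.name "xxxxxxxx"
+## Set upstream origin and push to Github
+git push --set-upstream origin master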


@ -0,0 +1,16 @@
# https://www.audiobookshelf.org/docs/#env-configuration
PUID=${PUID}
PGID=${MEDIA_GID} # we assign media gid to process gid to enable to access media folders
TZ=${TZ}
#CONFIG_PATH=/config
#METADATA_PATH=/metadata
#FFMPEG_PATH=/usr/bin/ffmpeg
#FFPROBE_PATH=/usr/bin/ffprobe
#TONE_PATH=/usr/local/bin/tone
#HOST=
#PORT=
#TOKEN_SECRET=
SOURCE=docker

20
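--- a/audiobookshelf/.env
+++ b/audiobookshelf/.env
@@ -0,0 +1,20 @@
+APPLICATION_NAME=audiobookshelf
+DOCKERDIR=/mnt/SSD1/docker/
+MEDIADIR=/mnt/stpool1/NData1/Media
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATADIR=${DOCKERDIR}/data/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+CT_DOWNLOADS=/Downloads
+CT_MEDIA=/Media
+DOMAINNAME=sthome.org
+PUID=3030
+PGID=3029
+MEDIA_GID=3017
+TZ=Africa/Johannesburg
+WEBUI_PORT=80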


@ -0,0 +1,54 @@
name: audiobookshelf
networks:
traefik-net:
external: true
services:
audiobookshelf:
image: ghcr.io/advplyr/audiobookshelf:latest
env_file: .audiobookshelf.env
hostname: audiobookshelf
group_add:
- "${PGID}"
networks:
- traefik-net
volumes:
- "${DATADIR}/config:/config"
- "${DATADIR}/appdata:/metadata"
- "${MEDIADIR}/Books/audiobooks:/audiobooks"
- "${MEDIADIR}/Podcasts:/podcasts"
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik-net"
#
# http services
# -------------
- "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
#
# http routers
# ------------
# limit router to web ":80" entrypoint (Note: web entrypoint http requests are globally redirected to websecure router in traefik.yml)
- "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
# set match criteria for router
- "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
# attach middlewares to router
- "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=middlewares-https-redirectScheme@file"
# assign svc target to router
- "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
#
# limit router to websecure ":443" entrypoint
- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
# set match criteria for router
- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
# attach middlewares to router
- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=chain-no-auth@file"
# set router to be dedicated to secure requests only for the host specified in match criteria
- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
# apply tls options
- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-opts@file"
# generate certificates using certresolver specified
- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
# assign svc target to router
- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
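Review bot: The websecure router's `tls.certresolver=solver-dns` label does not match any resolver defined elsewhere in this commit: the traefik.yml under authentik/__config defines `sthomeresolver` and `sthome-org`, and calibre/compose.yml uses `sthomeresolver`. If that traefik.yml is the live static configuration, Traefik will log an error for this router and fall back to its default self-signed certificate; align the label with the resolver actually configured, e.g. `- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=sthome-org"`, and settle on one resolver name across all stacks. The image is also pulled as `:latest`, so rebuilds are not reproducible; pin a tag.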

60
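--- a/authentik/.env
+++ b/authentik/.env
@@ -0,0 +1,60 @@
+################################################################
+# .env
+# When both env_file and environment are set for a service, values set by environment have precedence.
+# https://docs.docker.com/compose/environment-variables/envvars-precedence/
+#
+# CANNOT MIX ARRAYS (KEY: VAL) AND MAPS (KEY=VAL)
+# Ex: Cannot have .ENV var as TZ=US and then a var here as DB_ENGINE: sqlite, has to be DB_ENGINE=sqlite
+# Otherwise unexpected type map[string]interface {} occurs
+# https://github.com/docker/compose/issues/11567
+#
+################################################################
+APPLICATION_NAME=authentik
+DOCKERDIR=/mnt/SSD1/docker/
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATADIR=${DOCKERDIR}/data/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+PUID=3014
+PGID=3013
+TZ=Africa/Johannesburg
+DOMAINNAME=sthome.org
+WEBUI_PORT=9000
+################################################################
+# Authentik (https://docs.goauthentik.io/docs/)
+# Environment Variables (https://docs.goauthentik.io/docs/installation/configuration)
+################################################################
+POSTGRES_DB_PORT=5432
+POSTGRES_PASSWORD_FILE=/run/secrets/authentik_postgresql_password
+POSTGRES_USER_FILE=/run/secrets/authentik_postgresql_username
+POSTGRES_DB_FILE=/run/secrets/authentik_postgresql_database
+AUTHENTIK_POSTGRESQL__NAME_FILE=file:///run/secrets/authentik_postgresql_database
+AUTHENTIK_POSTGRESQL__USER_FILE=file:///run/secrets/authentik_postgresql_username
+AUTHENTIK_POSTGRESQL__PASSWORD_FILE=file:///run/secrets/authentik_postgresql_password
+AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
+AUTHENTIK_DISABLE_UPDATE_CHECK=false
+AUTHENTIK_ERROR_REPORTING__ENABLED=false
+AUTHENTIK_LOG_LEVEL=info # debug, info, warning, error, trace
+AUTHENTIK_SECRET_KEY_FILE=file:///run/secrets/authentik_secret_key # openssl rand 60 | base64 -w 0
+AUTHENTIK_COOKIE_DOMAIN=${DOMAINNAME}
+AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS: 127.0.0.0/8, 10.0.0.0/24, 172.16.0.0/12, 192.168.2.0/124, fe80::/10, ::1/128
+AUTHENTIK_EMAIL__PORT=25
+AUTHENTIK_EMAIL__USE_TLS=false
+AUTHENTIK_EMAIL__USE_SSL=false
+AUTHENTIK_EMAIL__TIMEOUT=10
+AUTHENTIK_EMAIL__HOST_FILE=file:///run/secrets/smtp_host
+AUTHENTIK_EMAIL__USERNAME_FILE=file:///run/secrets/smtp_username
+AUTHENTIK_EMAIL__PASSWORD_FILE=file:///run/secrets/smtp_password
+AUTHENTIK_EMAIL__FROM_FILE=file:///run/secrets/smtp_from
+################################################################
+# GeoIP ( https://github.com/maxmind/geoipupdate)
+# Environment Variables (https://github.com/maxmind/geoipupdate/blob/main/doc/docker.md)
+################################################################
+GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN" # Space seperated
+GEOIPUPDATE_FREQUENCY=8 # Frequency to check for updates, in hours
+GEOIPUPDATE_ACCOUNT_ID_FILE=/run/secrets/geoip_acccount_id
+GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/geoip_license_key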
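Review bot: `GEOIPUPDATE_ACCOUNT_ID_FILE=/run/secrets/geoip_acccount_id` spells the name with three c's while the compose secret is `geoip_account_id`, so the path will not exist the moment the geoipupdate service is uncommented; `GEOIPUPDATE_ACCOUNT_ID_FILE=/run/secrets/geoip_account_id`. The `AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS: ...` line uses the `KEY: value` form that this file's own header warns against, and `192.168.2.0/124` is not a valid IPv4 prefix (`/24` is presumably intended, as in traefik.yml); the value is currently commented out in .server.env, but it will be rejected as soon as it is wired in. Write it as `AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS=127.0.0.0/8, 10.0.0.0/24, 172.16.0.0/12, 192.168.2.0/24, fe80::/10, ::1/128`.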

11
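--- a/authentik/.postgresql.env
+++ b/authentik/.postgresql.env
@@ -0,0 +1,11 @@
+PUID=70
+PGID=70
+TZ=${TZ}
+POSTGRES_DB_PORT=${POSTGRES_DB_PORT}
+POSTGRES_DB_FILE=${POSTGRES_DB_FILE}
+POSTGRES_USER_FILE=${POSTGRES_USER_FILE}
+POSTGRES_PASSWORD_FILE=${POSTGRES_PASSWORD_FILE}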

13
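--- a/authentik/.server.env
+++ b/authentik/.server.env
@@ -0,0 +1,13 @@
+TZ=${TZ}
+AUTHENTIK_POSTGRESQL__NAME=${AUTHENTIK_POSTGRESQL__NAME_FILE}
+AUTHENTIK_POSTGRESQL__USER=${AUTHENTIK_POSTGRESQL__USER_FILE}
+AUTHENTIK_POSTGRESQL__PASSWORD=${AUTHENTIK_POSTGRESQL__PASSWORD_FILE}
+AUTHENTIK_DISABLE_STARTUP_ANALYTICS=${AUTHENTIK_DISABLE_STARTUP_ANALYTICS}
+AUTHENTIK_DISABLE_UPDATE_CHECK=${AUTHENTIK_DISABLE_UPDATE_CHECK}
+AUTHENTIK_ERROR_REPORTING__ENABLED=${AUTHENTIK_ERROR_REPORTING__ENABLED}
+AUTHENTIK_LOG_LEVEL=${AUTHENTIK_LOG_LEVEL}
+AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY_FILE}
+AUTHENTIK_COOKIE_DOMAIN=${DOMAINNAME}
+# AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS=${AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS}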


@ -0,0 +1,36 @@
#
# environment variables for socket-proxy
#
LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
### 0 to revoke access.
### 1 to grant access.
## Granted by Default
EVENTS=1
PING=1
VERSION=1
## Revoked by Default
### Security critical
AUTH=0
SECRETS=0
POST=1 # Watchtower
### Not always needed
BUILD=0
COMMIT=0
CONFIGS=0
CONTAINERS=1 # Traefik, portainer, etc.
DISTRIBUTION=0
EXEC=0
IMAGES=1 # Portainer
INFO=1 # Portainer
NETWORKS=1 # Portainer
NODES=0
PLUGINS=0
SERVICES=1 # Portainer
SESSION=0
SWARM=0
SYSTEM=0
TASKS=1 # Portainer
VOLUMES=1 # Portainer
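Review bot: The `# Watchtower` justification on `POST=1` does not match this stack: there is no Watchtower service in authentik/compose.yml, and the only client of the proxy is the authentik worker via `DOCKER_HOST`. Together with `CONTAINERS=1`, the POST grant lets that client create and start containers, which is what authentik's docker outpost integration needs but also means the remaining `=0` denials limit very little; the comment should state the real reason, e.g. `POST=1 # authentik worker: deploys docker outposts`, and if outposts are not deployed from this instance `POST=0` restores a read-mostly proxy. Consistent with the other `# Portainer` comments, each grant should name the consumer that exists in this stack.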

21
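--- a/authentik/.worker.env
+++ b/authentik/.worker.env
@@ -0,0 +1,21 @@
+TZ=${TZ}
+AUTHENTIK_POSTGRESQL__NAME=${AUTHENTIK_POSTGRESQL__NAME_FILE}
+AUTHENTIK_POSTGRESQL__USER=${AUTHENTIK_POSTGRESQL__USER_FILE}
+AUTHENTIK_POSTGRESQL__PASSWORD=${AUTHENTIK_POSTGRESQL__PASSWORD_FILE}
+AUTHENTIK_DISABLE_STARTUP_ANALYTICS=${AUTHENTIK_DISABLE_STARTUP_ANALYTICS}
+AUTHENTIK_DISABLE_UPDATE_CHECK=${AUTHENTIK_DISABLE_UPDATE_CHECK}
+AUTHENTIK_ERROR_REPORTING__ENABLED=${AUTHENTIK_ERROR_REPORTING__ENABLED}
+AUTHENTIK_LOG_LEVEL=${AUTHENTIK_LOG_LEVEL}
+AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY_FILE}
+AUTHENTIK_COOKIE_DOMAIN=${DOMAINNAME}
+AUTHENTIK_EMAIL__HOST=${AUTHENTIK_EMAIL__HOST_FILE}
+AUTHENTIK_EMAIL__PORT=${AUTHENTIK_EMAIL__PORT}
+AUTHENTIK_EMAIL__USERNAME=${AUTHENTIK_EMAIL__USERNAME_FILE}
+AUTHENTIK_EMAIL__PASSWORD=${AUTHENTIK_EMAIL__PASSWORD_FILE}
+AUTHENTIK_EMAIL__USE_TLS=${AUTHENTIK_EMAIL__USE_TLS}
+AUTHENTIK_EMAIL__USE_SSL=${AUTHENTIK_EMAIL__USE_SSL}
+AUTHENTIK_EMAIL__TIMEOUT=${AUTHENTIK_EMAIL__TIMEOUT}
+AUTHENTIK_EMAIL__FROM=${AUTHENTIK_EMAIL__FROM_FILE}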

174
authentik/__config/traefik.yml Executable file

@ -0,0 +1,174 @@
################################################################
# Global configuration - https://doc.traefik.io/traefik/reference/static-configuration/file/
################################################################
global:
checkNewVersion: false
sendAnonymousUsage: false
################################################################
# Entrypoints - https://doc.traefik.io/traefik/routing/entrypoints/
################################################################
entryPoints:
web:
address: ":80"
# Global HTTP to HTTPS redirection
http:
redirections:
entrypoint:
to: websecure
scheme: https
websecure:
address: ":443"
http:
tls:
options: tls-opts@file
certResolver: sthome-org
domains:
- main: "sthome.org"
sans:
- "*.sthome.org"
forwardedHeaders:
trustedIPs:
# Cloudflare (https://www.cloudflare.com/ips-v4)
- "173.245.48.0/20"
- "103.21.244.0/22"
- "103.22.200.0/22"
- "103.31.4.0/22"
- "141.101.64.0/18"
- "108.162.192.0/18"
- "190.93.240.0/20"
- "188.114.96.0/20"
- "197.234.240.0/22"
- "198.41.128.0/17"
- "162.158.0.0/15"
- "104.16.0.0/13"
- "104.24.0.0/14"
- "172.64.0.0/13"
- "131.0.72.0/22"
# Local IPs
- "127.0.0.1/32"
- "10.0.0.0/24"
- "192.168.2.0/24"
- "172.16.0.0/12"
################################################################
# Logs - https://doc.traefik.io/traefik/observability/logs/
################################################################
log:
level: INFO # Options: DEBUG, PANIC, FATAL, ERROR (Default), WARN, and INFO
filePath: /logs/traefik-container.log # Default is to STDOUT
# format: json # Uses text format (common) by default
noColor: false # Recommended to be true when using common
maxSize: 100 # In megabytes
compress: true # gzip compression when rotating
################################################################
# Access logs - https://doc.traefik.io/traefik/observability/access-logs/
################################################################
accessLog:
addInternals: true # things like ping@internal
filePath: /logs/traefik-access.log # In the Common Log Format (CLF) by default
bufferingSize: 100 # Number of log lines
fields:
names:
StartUTC: drop # Write logs in Container Local Time instead of UTC
filters:
statusCodes:
- "204-299"
- "400-499"
- "500-599"
################################################################
# API and Dashboard
################################################################
api:
dashboard: true
# disableDashboardAd: true
# Rely on api@internal and Traefik with Middleware to control access
# insecure: true
################################################################
# Providers - https://doc.traefik.io/traefik/providers/docker/
################################################################
providers:
docker:
#endpoint: "unix:///var/run/docker.sock" # Comment if using socket-proxy
endpoint: "tcp://socket-proxy:2375" # Uncomment if using socket proxy
exposedByDefault: false
network: traefik # network to use for connections to all containers
# defaultRule: TODO
# Enable auto loading of newly created rules by watching a directory
file:
# Apps, LoadBalancers, TLS Options, Middlewares, Middleware Chains
directory: /rules # /etc/traefik
watch: true
################################################################
# ACME
################################################################
certificatesResolvers:
sthomeresolver:
acme:
email: "stuurmcp@telkomsa.net"
storage: "/data/acme.json" # "/etc/traefik/letsencrypt/acme.json"
#caServer: "https://acme-staging-v02.api.letsencrypt.org/directory" # Comment out when going prod
#caServer: "https://acme-v02.api.letsencrypt.org/directory" # production:
dnsChallenge:
provider: cloudflare
#delayBeforeCheck: 30 # Default is 2m0s. This changes the delay (in seconds)
# Custom DNS server resolution
resolvers:
- "1.1.1.1:53"
- "8.8.8.8:53"
sthome-org:
acme:
email: "stuurmcp@telkomsa.net"
storage: "/data/acme.json" # "/etc/traefik/letsencrypt/acme.json"
#caServer: "https://acme-staging-v02.api.letsencrypt.org/directory" # Comment out when going prod
#caServer: "https://acme-v02.api.letsencrypt.org/directory" # production:
dnsChallenge:
provider: cloudflare
#delayBeforeCheck: 30 # Default is 2m0s. This changes the delay (in seconds)
# Custom DNS server resolution
resolvers:
- "1.1.1.1:53"
- "8.8.8.8:53"
#sthome-net:
# acme:
# email: "stuurmcp@telkomsa.net"
# storage: "/etc/traefik/local/acme.json" # "/data/acme.json"
# caServer: "https://upd.sthome.net/acme-v02.api" # production:
# dnsChallenge:
# provider: sthomelocal
#delayBeforeCheck: 30 # Default is 2m0s. This changes the delay (in seconds)
# Custom DNS server resolution
# resolvers:
# - "10.0.0.15:53"
# - "192.168.2.1:53"
# -- (Optional) Disable TLS Cert verification check
# serversTransport:
# insecureSkipVerify: true
# -- (Optional) Overwrite Default Certificates
# tls:
# stores:
# default:
# defaultCertificate:
# certFile: /etc/traefik/certs/cert.pem
# keyFile: /etc/traefik/certs/cert-key.pem
# -- (Optional) Disable TLS version 1.0 and 1.1
# options:
# default:
# minVersion: VersionTLS12
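Review bot: `providers.docker.network: traefik` names a network that no compose file in this commit creates; every stack attaches to `traefik-net`. Each container's `traefik.docker.network=traefik-net` label overrides the provider default, so routing works only as long as every service carries that label, and a service that forgets it gets an unreachable backend IP; set `network: traefik-net` so the default is correct. `sthomeresolver` and `sthome-org` are byte-for-byte the same ACME configuration, and the router labels in the other stacks already disagree about which name to use, so keep one resolver (the `websecure` entrypoint default uses `sthome-org`) and reference it everywhere.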

248
authentik/compose.yml Executable file

@ -0,0 +1,248 @@
###############################################################
# ------------------------------
# -- authentik (Identity Provider / SSO)
# -- Updated/Created 2024-July-02
# Authentik configuration: https://docs.goauthentik.io/docs/installation/configuration
# ------------------------------
name: authentik # Project Name
###############################################################
# Networks
###############################################################
networks:
socket_proxy:
driver: bridge
driver_opts:
com.docker.network.bridge.name: "br-authentik_sx"
traefik-net:
external: true
authentik-net:
external: true
###############################################################
# Docker Secrets
# Owner (default): root:root
# Recommend Set Owner to match container user Example: UID=1100, GID=1100
# Permissions of files & directory on host to: 0400 (-r--)
###############################################################
secrets:
## Authentik
authentik_postgresql_database:
file: ${SECRETSDIR}/authentik_postgresql_database
authentik_postgresql_username:
file: ${SECRETSDIR}/authentik_postgresql_username
authentik_postgresql_password:
file: ${SECRETSDIR}/authentik_postgresql_password
authentik_secret_key:
file: ${SECRETSDIR}/authentik_secret_key
smtp_username:
file: ${SECRETSDIR}/smtp_username
smtp_password:
file: ${SECRETSDIR}/smtp_password
## GeoIP
geoip_account_id:
file: ${SECRETSDIR}/geoip_account_id
geoip_license_key:
file: ${SECRETSDIR}/geoip_license_key
##############################################################################
services:
# Use the embedded outpost (2021.8.1+) instead of the seperate Forward Auth / Proxy Provider container
server:
image: ghcr.io/goauthentik/server:latest
restart: unless-stopped
env_file: .server.env
environment:
- AUTHENTIK_REDIS__HOST=authentik_redis
- AUTHENTIK_POSTGRESQL__HOST=authentik_postgresql
command: server
user: ${PUID}:${PGID}
depends_on:
postgresql:
condition: service_healthy
redis:
condition: service_healthy
networks:
socket_proxy: {}
authentik-net: {}
traefik-net:
aliases: ["authentik_server"] # keep the same as forwardAuth address (hostname) in traefik middlewares "forwardAuth-authentik.yml"
secrets:
- authentik_postgresql_database
- authentik_postgresql_username
- authentik_postgresql_password
- authentik_secret_key
volumes:
- "${DATADIR}/appdata/media:/media"
- "${DATADIR}/appdata/custom-templates:/templates"
- "${DATADIR}/appdata/geoip/data:/geoip"
labels:
- traefik.enable=true
- traefik.docker.network=traefik-net
## HTTP Routers
- "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)"
## Individual Application forwardAuth regex (catch any subdomain using individual application forwardAuth)
- "traefik.http.routers.${APPLICATION_NAME}-output-rtr.rule=HostRegexp(`{subdomain:[a-z0-9-]+}.${DOMAINNAME}`) && PathPrefix(`/outpost.goauthentik.io/`)"
## HTTP Services
- "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
- "traefik.http.services.${APPLICATION_NAME}-svc.loadBalancer.server.port=${WEBUI_PORT}"
worker:
image: ghcr.io/goauthentik/server:latest
restart: unless-stopped
env_file: .worker.env
environment:
- DOCKER_HOST=tcp://authentik_socket-proxy:2375 # Use this if you have Socket Proxy enabled.
- AUTHENTIK_REDIS__HOST=authentik_redis
- AUTHENTIK_POSTGRESQL__HOST=authentik_postgresql
user: ${PUID}:${PGID}
command: worker
depends_on:
postgresql:
condition: service_healthy
redis:
condition: service_healthy
networks:
- authentik-net
- socket_proxy
secrets:
- authentik_postgresql_database
- authentik_postgresql_username
- authentik_postgresql_password
- authentik_secret_key
- smtp_username
- smtp_password
volumes:
- "${DATADIR}/appdata/media:/media"
- "${DATADIR}/appdata/custom-templates:/templates"
- "${DATADIR}/appdata/geoip/data:/geoip"
# - /var/run/docker.sock:/var/run/docker.sock # Uncomment if NOT using socket-proxy
#- "${DATADIR}/appdata/traefik/cert_export:/certs:ro" # If NOT using reverse proxy, manually map in certificates
postgresql:
image: postgres:16-alpine
shm_size: 128mb # https://hub.docker.com/_/postgres
restart: unless-stopped
env_file: .postgresql.env
healthcheck:
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
start_period: 20s
interval: 30s
retries: 5
timeout: 5s
networks:
authentik-net:
aliases: ["authentik_postgresql"]
volumes:
- "${DATADIR}/pgdata:/var/lib/postgresql/data"
secrets:
- authentik_postgresql_database
- authentik_postgresql_username
# Generate the password with openssl rand 36 | base64 -w 0
- authentik_postgresql_password
redis:
image: docker.io/library/redis:alpine
command: --save 60 1 --loglevel warning
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
start_period: 20s
interval: 30s
retries: 5
timeout: 3s
networks:
authentik-net:
aliases: ["authentik_redis"]
volumes:
- "${DATADIR}/appdata/redis/data:/data"
# geoipupdate:
# image: ghcr.io/maxmind/geoipupdate:latest
# container_name: geoipupdate
# restart: unless-stopped
# user: ${PUID}:${PGID}
# volumes:
# - "${DATADIR}/appdata/geoip/data:/usr/share/GeoIP"
# networks:
# - authentik-net
# secrets:
# - geoip_account_id
# - geoip_license_key
# environment:
# - GEOIPUPDATE_EDITION_IDS
# - GEOIPUPDATE_FREQUENCY
# - GEOIPUPDATE_ACCOUNT_ID_FILE
# - GEOIPUPDATE_LICENSE_KEY_FILE
# - TZ
socket-proxy:
image: tecnativa/docker-socket-proxy:0.2.0 #0.1.2
restart: unless-stopped
env_file: .socket-proxy.env
security_opt:
- no-new-privileges=true
networks:
socket_proxy:
aliases: ["authentik_socket-proxy"]
privileged: true # true for VM. false for unprivileged LXC container.
# ports:
# - "127.0.0.1:2375:2375"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
whoami:
image: traefik/whoami:latest
# container_name: whoami
restart: unless-stopped
security_opt:
- no-new-privileges=true
networks:
- traefik-net
environment:
- TZ
labels:
- traefik.enable=true
- traefik.docker.network=traefik-net
## HTTP Routers
- "traefik.http.routers.whoami-rtr.rule=Host(`whoami.${DOMAINNAME}`)"
whoami-individual:
image: traefik/whoami:latest
restart: unless-stopped
security_opt:
- no-new-privileges:true
depends_on:
- server
- worker
networks:
- traefik-net
environment:
- TZ
labels:
- traefik.enable=true
- traefik.docker.network=traefik-net
## HTTP Routers
- "traefik.http.routers.whoami-individual-rtr.rule=Host(`whoami-individual.${DOMAINNAME}`)"
## attach AUTHENTIK forwardauth middlewares to router; comment out if not using authentik
- "traefik.http.routers.whoami-individual-rtr.middlewares=forwardAuth-authentik@file"
whoami-catchall:
image: traefik/whoami:latest
restart: unless-stopped
security_opt:
- no-new-privileges:true
depends_on:
- server
- worker
networks:
- traefik-net
environment:
- TZ
labels:
- traefik.enable=true
- traefik.docker.network=traefik-net
## HTTP Routers
- "traefik.http.routers.whoami-catchall-rtr.rule=Host(`whoami-catchall.${DOMAINNAME}`)"
## attach AUTHENTIK forwardauth middlewares to router; comment out if not using authentik
- "traefik.http.routers.whoami-catchall-rtr.middlewares=forwardAuth-authentik@file"
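Review bot: The postgresql healthcheck expands `$${POSTGRES_DB}` and `$${POSTGRES_USER}`, but .postgresql.env only provides the `_FILE` variants, which the image's entrypoint reads into its own process rather than the container environment; the healthcheck shell therefore most likely sees empty strings and runs `pg_isready -d -U`, a bare reachability probe that never confirms the configured database and role accept connections. Since the `_FILE` variables are in the container environment, `test: ["CMD-SHELL", "pg_isready -U $$(cat $$POSTGRES_USER_FILE) -d $$(cat $$POSTGRES_DB_FILE)"]` keeps the check honest. `socket-proxy` pairs `privileged: true` with `no-new-privileges=true`; privileged mode makes the second setting meaningless and hands a container that already holds the Docker socket every host capability, so drop `privileged` unless the LXC note really applies to this host, and use one spelling (`no-new-privileges:true` is what the whoami services use; both forms parse). The `server` service is also attached to `socket_proxy` without setting `DOCKER_HOST`, so it has reach to the proxy for no stated purpose, and every application image is pulled as `:latest`.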


@ -0,0 +1,8 @@
http:
middlewares:
chain-no-auth:
chain:
middlewares:
- middlewares-rate-limit
- middlewares-secure-headers
- middlewares-compress


@ -0,0 +1,30 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
################################################################
# Forward Authentication - OAUTH / 2FA
################################################################
#
# https://github.com/goauthentik/authentik/issues/2366
forwardAuth-authentik:
forwardAuth:
address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version
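Review bot: `forwardAuth-authentik` here and `middlewares-authentik` in the next rules file are identical definitions; only `forwardAuth-authentik@file` is referenced from compose.yml, so the second copy is dead configuration that will silently diverge from the one in use. Keep one. `trustForwardHeader: true` passes the client-supplied X-Forwarded-* headers through to authentik, which is only safe because the entrypoint's `forwardedHeaders.trustedIPs` list in traefik.yml decides whether Traefik believes them in the first place; record that dependency next to the setting, e.g. `# relies on entryPoints.websecure.forwardedHeaders.trustedIPs in traefik.yml`.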


@ -0,0 +1,19 @@
http:
middlewares:
# https://github.com/goauthentik/authentik/issues/2366
middlewares-authentik:
forwardAuth:
address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version


@ -0,0 +1,18 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
# Prevent too large of a body
# https://stackoverflow.com/questions/49717670/how-to-config-upload-body-size-restriction-in-traefik
middlewares-buffering:
buffering:
maxRequestBodyBytes: 10485760
memRequestBodyBytes: 2097152
maxResponseBodyBytes: 10485760
memResponseBodyBytes: 2097152
retryExpression: "IsNetworkError() && Attempts() <= 2"


@ -0,0 +1,15 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
# Compress to save bandwidth
middlewares-compress:
compress: {}
-----------------------
middlewares-https-redirectscheme.yaml
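Review bot: The last two lines, `-----------------------` and `middlewares-https-redirectscheme.yaml`, are not YAML and look like a separator pasted in from another file. If they are really part of the committed file rather than a rendering artifact, the Traefik file provider will fail to parse it and `middlewares-compress` — which `chain-no-auth` depends on — never loads, breaking every router that uses the chain. Remove them; the redirect middleware has its own file in the same directory.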


@ -0,0 +1,15 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
# Middleware for Redirection
# This can be used instead of global redirection
middlewares-https-redirectscheme:
redirectScheme:
scheme: https
permanent: true


@ -0,0 +1,14 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
# DDoS Prevention
middlewares-rate-limit:
rateLimit:
average: 100
burst: 50


@ -0,0 +1,38 @@
################################################################
# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
#
# Dynamic configuration
################################################################
http:
middlewares:
################################################################
# Good Basic Security Practices
################################################################
middlewares-secure-headers:
headers:
accessControlAllowMethods:
- GET
- OPTIONS
- PUT
accessControlMaxAge: 100
hostsProxyHeaders:
- "X-Forwarded-Host"
stsSeconds: 63072000
stsIncludeSubdomains: true
stsPreload: true
forceSTSHeader: true
customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME"}}" #CSP takes care of this but may be needed for organizr.
# customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
contentTypeNosniff: true
browserXssFilter: true
# sslForceHost: true # add sslHost to all of the services
# sslHost: "{{env "DOMAINNAME"}}"
referrerPolicy: "same-origin"
permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=()"
customResponseHeaders:
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
server: ""
# https://community.traefik.io/t/how-to-make-websockets-work-with-traefik-2-0-setting-up-rancher/1732
# X-Forwarded-Proto: "https"
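Review bot: `customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME"}}"` uses the `ALLOW-FROM` directive, which current browsers no longer honour, so this header provides no framing protection at all despite the comment suggesting it is covered. The commented `SAMEORIGIN` alternative, or better a `contentSecurityPolicy: "frame-ancestors 'self' https://*.{{env "DOMAINNAME"}}"`, is what actually takes effect. `browserXssFilter: true` emits `X-XSS-Protection`, which is likewise obsolete and can be dropped, and `accessControlAllowMethods` without an `accessControlAllowOriginList` sets CORS method headers no origin can use — harmless, but worth a comment saying it is intentional.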

35
authentik/rules/tls-opts.yaml Executable file

@ -0,0 +1,35 @@
################################################################
# TLS Options (https://jellyfin.org/docs/general/networking/traefik2.html#traefik-providertoml)
# toml -> yml
# 2024 updates to cipherSuites from (https://www.smarthomebeginner.com/traefik-v3-docker-compose-guide-2024/)
#
# Set secure options by disabling insecure older TLS/SSL versions
# and insecure ciphers. SNIStrict disabled leaves TLS1.0 open.
# If you have problems with older clients, you can may need to relax
# these minimums. This configuration will give you an A+ SSL security
# score supporting TLS1.2 and TLS1.3
#
# Dynamic configuration
# https://doc.traefik.io/traefik/https/tls/
################################################################
tls:
options:
tls-opts:
sniStrict: true
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
curvePreferences:
- secp521r1 # CurveP521
- secp384r1 # CurveP384
mintls13:
minVersion: VersionTLS13
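Review bot: `curvePreferences` lists only secp521r1 and secp384r1, so X25519 — the curve most modern clients offer first and Go's default preference — is excluded and every handshake is pushed to the slower NIST curves; add `- X25519` at the top of the list. `TLS_FALLBACK_SCSV` under `cipherSuites` is not a cipher suite but the downgrade-signalling value from RFC 7507; Traefik appears to accept the name, but it changes nothing about what is negotiated, so the comment should say so or the entry can go. The TLS 1.3 entries (`TLS_AES_*`, `TLS_CHACHA20_POLY1305_SHA256`) are likewise not configurable in Go's TLS stack and are always enabled regardless of this list.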


@ -0,0 +1 @@
authentik


@ -0,0 +1 @@
xkUJWQesFd4CUuPnhWbvKmyT7rSolIV9bbtr0/qQ5Z36q3Ks


@ -0,0 +1 @@
authentik


@ -0,0 +1 @@
qgH4Lwa346849ei1+K3Mr0mvJOMy7OXV4/RtKbmWkGcsWgL0eGo3w00POWl9MvX9X5XKFo6UvGBPz8Ur


@ -0,0 +1 @@
/mnt/SSD1/docker/stacks/.secrets/smtp_destination

1
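--- a/authentik/secrets/smtp_from
+++ b/authentik/secrets/smtp_from
@@ -0,0 +1 @@
+/mnt/SSD1/docker/stacks/.secrets/smtp_from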

1
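--- a/authentik/secrets/smtp_host
+++ b/authentik/secrets/smtp_host
@@ -0,0 +1 @@
+/mnt/SSD1/docker/stacks/.secrets/smtp_host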


@ -0,0 +1 @@
/mnt/SSD1/docker/stacks/.secrets/smtp_password


@ -0,0 +1 @@
/mnt/SSD1/docker/stacks/.secrets/smtp_username

18
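--- a/calibre/.calibre.env
+++ b/calibre/.calibre.env
@@ -0,0 +1,18 @@
+PUID=${PUID}
+PGID=${MEDIA_GID} # we assign media gid to process gid to enable to access media folders
+TZ=${TZ}
+CUSTOM_USER=admin
+FILE__PASSWORD=/run/secrets/calibre_password
+CLI_ARGS=
+CUSTOM_PORT=8080
+CUSTOM_HTTPS_PORT=8181
+SUBFOLDER=
+TITLE="Calibre"
+FM_HOME="/config"
+START_DOCKER=
+DRINODE=
+LC_ALL=
+NO_DECOR=
+NO_FULL=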

21
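--- a/calibre/.env
+++ b/calibre/.env
@@ -0,0 +1,21 @@
+APPLICATION_NAME=calibre
+MEDIADIR=/mnt/stpool1/NData1/Media
+DOCKERDIR=/mnt/SSD1/docker/
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATADIR=${DOCKERDIR}/data/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+CT_DOWNLOADS=/Downloads
+CT_MEDIA=/Media
+DOMAINNAME=sthome.org
+PUID=3032
+PGID=3031
+MEDIA_GID=3017
+TZ=Africa/Johannesburg
+WEBUI_PORT=8080
+WEBUI_SECPORT=8181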

63
calibre/compose.yml Normal file

@ -0,0 +1,63 @@
name: calibre
secrets:
calibre_password:
file: ${SECRETSDIR}/calibre_password
networks:
traefik-net:
external: true
services:
calibre:
image: lscr.io/linuxserver/calibre:latest
env_file: .calibre.env
hostname: calibre
group_add:
- "${PGID}"
security_opt:
- seccomp:unconfined #optional
networks:
- traefik-net
volumes:
- "${DATADIR}/config:/config"
- "${MEDIADIR}/Books:/Books"
restart: unless-stopped
secrets:
- calibre_password
labels:
- traefik.enable=true
- traefik.docker.network=traefik-net
#
# http middlewares
# ---------------------------
- "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.scheme=https"
- "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.permanent=true"
#
# http services
# -------------
- "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
#
# http routers
# ------------
# limit router to web ":80" entrypoint (Note: web entrypoint http requests are globally redirected to websecure router in traefik.yml)
- "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
# set match criteria for router
- "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
# attach middlewares to router
- "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=${APPLICATION_NAME}-https-redirect"
# assign svc target to router
- "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
#
# limit router to websecure ":443" entrypoint
- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
# set match criteria for router
- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
# set router to be dedicated to secure requests only for the host specified in match criteria
- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
# generate certificates using following certresolver
- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=sthomeresolver"
## attach AUTHENTIK forwardauth middlewares to router; comment out if not using authentik
- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=forwardAuth-authentik@file"
# assign svc target to router
- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
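Review bot: `- seccomp:unconfined #optional` under `security_opt` drops the default syscall filter for the calibre container, and the `#optional` tag suggests nobody has confirmed it is actually required; either remove it or replace the comment with the concrete reason, e.g. `- seccomp:unconfined # needed for <feature>; verified <date>`. The `image: lscr.io/linuxserver/calibre:latest` reference is unpinned, so every pull can silently change what runs behind the proxy; the same applies to collabora/compose.yml, dashy/compose.yml, both services in digikam/compose.yml, diun/compose.yml, emby/compose.yml, the avahi-tools service in esphome/compose.yml and the cloudflareddns service at L1186. Pin each to a version tag (a digest for the ones holding credentials) and let diun report when updates exist.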


@ -0,0 +1 @@
Saterdag!32#


@ -0,0 +1,25 @@
#
# environment variables for cloudflareddns
#
PUID=3033
PGID=3032
UMASK=002
TZ=Africa/Johannesburg
INTERVAL=300
DETECTION_MODE=dig-whoami.cloudflare
LOG_LEVEL=3
CF_APIKEY=
CF_APITOKEN_ZONE=
CF_RECORDTYPES=A;A
# cloudflareddns doesn't support secrets
#CF_USER_FILE=${CFDDNS_CF_USER_FILE}
#CF_APITOKEN_FILE=${CFDDNS_CF_API_TOKEN_FILE}
#CF_HOSTS_FILE=${CFDDNS_CF_HOSTS_FILE}
#CF_ZONES_FILE=${CFDDNS_CF_ZONES_FILE}
CF_USER=${CFDDNS_CF_USER}
CF_APITOKEN=${CFDDNS_CF_API_TOKEN}
CF_HOSTS=${CFDDNS_CF_HOSTS}
CF_ZONES=${CFDDNS_CF_ZONES}

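--- a/cloudflareddns/.env
+++ b/cloudflareddns/.env
@@ -0,0 +1,26 @@
+#
+# values to be used for substitution by docker compose in compose.yml AND .*.env files
+#
+APPLICATION_NAME=cloudflareddns
+DOCKERDIR=/mnt/SSD1/docker/
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATADIR=${DOCKERDIR}/data/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+DOMAINNAME=sthome.org
+# secrets
+#CFDDNS_CF_USER_FILE=/run/secrets/cloudflareddns_cf_user
+#CFDDNS_CF_API_TOKEN_FILE=/run/secrets/cloudflareddns_cf_api_token
+#CFDDNS_CF_HOSTS_FILE=/run/secrets/cloudflareddns_cf_hosts
+#CFDDNS_CF_ZONES_FILE=/run/secrets/cloudflareddns_cf_zones
+# cloudflareddns doesn't support secrets, so we have to put it in the clear
+CFDDNS_CF_USER=stuurmcp@telkomsa.net
+CFDDNS_CF_API_TOKEN=cUB02hE0GYC5VnydAHSbPckRrIZ0eN3pJKoCgnIb
+CFDDNS_CF_HOSTS=sthome.org;stokvis.co.za
+CFDDNS_CF_ZONES=d4d41ece44b6eea658b4638b41c4b425;2d4f09713fb66fd7e03eea62d1474b98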
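Review bot: `CFDDNS_CF_USER` and `CFDDNS_CF_API_TOKEN` put the Cloudflare account e-mail and a live API token into a tracked file; the comment above them says the image cannot read secret files, but that is a reason to keep these four lines in an untracked file (Compose reads the stack's `.env` regardless of whether git tracks it), not a reason to commit them. After rotating the token, issue the replacement with DNS-edit permission on the two zones in `CFDDNS_CF_ZONES` only, so a future leak of this file cannot reach the rest of the account. The same token is duplicated as a one-line file at L1204, so that copy needs the same treatment.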


@ -0,0 +1,33 @@
# cloudflareddns doesn't support secrets
#secrets:
# cloudflareddns_cf_user:
# file: ${SECRETSDIR}/cloudflareddns_cf_user
# cloudflareddns_cf_api_token:
# file: ${SECRETSDIR}/cloudflareddns_cf_api_token
# cloudflareddns_cf_hosts:
# file: ${SECRETSDIR}/cloudflareddns_cf_hosts
# cloudflareddns_cf_zones:
# file: ${SECRETSDIR}/cloudflareddns_cf_zones
networks:
traefik-net:
external: true
services:
cloudflareddns:
image: ghcr.io/hotio/cloudflareddns
container_name: "${APPLICATION_NAME}"
networks:
- traefik-net
env_file: .cloudflareddns.env
# cloudflareddns doesn't support secrets
# secrets:
# - cloudflareddns_cf_user
# - cloudflareddns_cf_api_token
# - cloudflareddns_cf_hosts
# - cloudflareddns_cf_zones
volumes:
- ${DATADIR}/config:/config
restart: unless-stopped


@ -0,0 +1 @@
cUB02hE0GYC5VnydAHSbPckRrIZ0eN3pJKoCgnIb


@ -0,0 +1 @@
sthome.org;stokvis.co.za


@ -0,0 +1 @@
stuurmcp@telkomsa.net


@ -0,0 +1 @@
d4d41ece44b6eea658b4638b41c4b425;2d4f09713fb66fd7e03eea62d1474b98


@ -0,0 +1 @@
sthome.org


@ -0,0 +1 @@
d4d41ece44b6eea658b4638b41c4b425


@ -0,0 +1 @@
stokvis.co.za


@ -0,0 +1 @@
2d4f09713fb66fd7e03eea62d1474b98

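--- a/collabora/.collabora.env
+++ b/collabora/.collabora.env
@@ -0,0 +1,28 @@
+# https://www.collabora.org/docs/#env-configuration
+PUID=${PUID}
+PGID=${MEDIA_GID} # we assign media gid to process gid to enable to access media folders
+TZ=${TZ}
+UMASK=0022
+username=${USERNAME}
+password=${PASSWORD}
+#DONT_GEN_SSL_CERT=yes
+cert_domain=${DOMAINNAME}
+server_name=${APPLICATION_NAME}.${DOMAINNAME}
+dictionaries="en_ZA en_US en_GB en_Afr"
+# SSL terminates at the proxy
+extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:user_interface.mode=compact --o:net.proto=IPv4 --o:hexify_embedded_urls=true --o:logging.level=warning #--o:welcome.enable=false
+#aliasgroup1=${NEXTCLOUD1}
+#aliasgroup2=${NEXTCLOUD2}
+#aliasgroup3=${NEXTCLOUD3}
+VIRTUAL_PROTO=http
+VIRTUAL_PORT=9980
+VIRTUAL_HOST=${APPLICATION_NAME}.${DOMAINNAME}
+# letsencrypt_host=${APPLICATION_NAME}.${DOMAINNAME}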

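--- a/collabora/.env
+++ b/collabora/.env
@@ -0,0 +1,29 @@
+APPLICATION_NAME=collabora
+MEDIADIR=/mnt/stpool1/NData1/Media
+DOCKERDIR=/mnt/SSD1/docker/
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATADIR=${DOCKERDIR}/data/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+CT_DOWNLOADS=/Downloads
+CT_MEDIA=/Media
+DOMAINNAME=sthome.org
+PUID=3034
+PGID=3033
+MEDIA_GID=3017
+TZ=Africa/Johannesburg
+WEBUI_PORT=9980
+# collabora does not support docker secrets
+USERNAME=admin
+PASSWORD="Saterdag!32#"
+NEXTCLOUD1=
+NEXTCLOUD2=
+NEXTCLOUD3=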

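--- a/collabora/compose.yml
+++ b/collabora/compose.yml
@@ -0,0 +1,69 @@
+# https://sdk.collaboraonline.com/docs/installation/CODE_Docker_image.html
+# https://github.com/CollaboraOnline/online
+name: collabora
+secrets:
+collabora_username:
+file: ${SECRETSDIR}/collabora_username
+collabora_password:
+file: ${SECRETSDIR}/collabora_password
+networks:
+traefik-net:
+external: true
+services:
+collabora:
+image: collabora/code #:22.05.10.1.1
+hostname: collabora
+env_file: .collabora.env
+#user: "${PUID}:${PGID}"
+tty: true
+group_add:
+- "${PGID}"
+cap_add:
+- MKNOD
+networks:
+- traefik-net
+volumes:
+- /etc/localtime:/etc/localtime:ro
+- "${DATADIR}/config:/config"
+restart: unless-stopped
+secrets:
+- collabora_username
+- collabora_password
+labels:
+- traefik.enable=true
+- traefik.docker.network=traefik-net
+#
+# http middlewares
+# ---------------------------
+- "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.scheme=https"
+- "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.permanent=true"
+#
+# http services
+# -------------
+- "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+#
+# http routers
+# ------------
+# limit router to web ":80" entrypoint (Note: web entrypoint http requests are globally redirected to websecure router in traefik.yml)
+- "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+# set match criteria for router
+- "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+# attach middlewares to router
+- "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=${APPLICATION_NAME}-https-redirect"
+# assign svc target to router
+- "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+#
+# limit router to websecure ":443" entrypoint
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+# set match criteria for router
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+# set router to be dedicated to secure requests only for the host specified in match criteria
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+# generate certificates using following certresolver
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=sthomeresolver"
+# assign svc target to router
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"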
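Review bot: The top-level `secrets:` block declares `collabora_username`/`collabora_password` and the service mounts them, but nothing reads `/run/secrets/...`: `.collabora.env` feeds `username=${USERNAME}` and `password=${PASSWORD}` from the plaintext values in collabora/.env, whose own comment says the image does not support Docker secrets. Keeping both gives a false impression that the admin password is protected; either drop the secrets block and the service-level `secrets:` list, or mark them `# mounted but unused: CODE reads username/password from the environment only`. `image: collabora/code #:22.05.10.1.1` leaves the image untagged with the pin in a comment; restore a tag so the running version is reproducible.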


@ -0,0 +1 @@
Saterdag!32#


@ -0,0 +1 @@
admin

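--- a/dashy/.dashy.env
+++ b/dashy/.dashy.env
@@ -0,0 +1,7 @@
+NODE_ENV=production
+PUID=${PUID}
+PGID=${PGID}
+VUE_APP_pihole_ip=${VUE_APP_pihole_ip}
+VUE_APP_pihole_key=${VUE_APP_pihole_key}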

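--- a/dashy/.env
+++ b/dashy/.env
@@ -0,0 +1,22 @@
+################################################################
+APPLICATION_NAME=dashy
+DOCKERDIR=/mnt/SSD1/docker/
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+CERTSDIR=${DATAROOT}/traefik/certs
+PUID=3057
+PGID=3058
+DOMAINNAME=sthome.org
+DNS_RESOLVER=sthomeresolver
+################################################################
+WEBUI_PORT=8080
+VUE_APP_pihole_ip=https://pihole.sthome.org
+VUE_APP_pihole_key=48ab5845603098040b5d2455c2600cf14b643424f508d5aa30bb884ac11f55c3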

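--- a/dashy/compose.yml
+++ b/dashy/compose.yml
@@ -0,0 +1,57 @@
+networks:
+traefik-net:
+external: true
+services:
+dashy:
+image: lissy93/dashy
+# To build from source, replace 'image: lissy93/dashy' with 'build: .'
+# build: .
+env_file: .dashy.env
+restart: unless-stopped
+#user: "${PUID}:${PGID}"
+healthcheck:
+test: ['CMD', 'node', '/app/services/healthcheck']
+interval: 1m30s
+timeout: 10s
+retries: 3
+start_period: 40s
+volumes:
+- /etc/timezone:/etc/timezone:ro
+- /etc/localtime:/etc/localtime:ro
+- "${DATADIR}/config/config.yml:/app/user-data/conf.yml"
+- "${DATADIR}/config:/app/user-data"
+- "${DATADIR}/appdata/icons:/app/user-data/item-icons/"
+networks:
+- traefik-net
+labels:
+- traefik.enable=true
+- traefik.docker.network=traefik-net
+#
+# http service
+# ------------
+- "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+#
+# http middlewares
+# ----------------
+#- "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.usersfile=/mnt/users/${APPLICATION_NAME}.txt"
+# - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
+# - "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://truenas.sthome.org,https://dashy.sthome.org"
+# - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
+# - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
+#
+# http routers
+# ------------
+# http://appname.domainname/
+- "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+- "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+- "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-redirectScheme@file"
+- "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+# https://appname.domainname/
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+#- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders@file"
+# - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=${APPLICATION_NAME}-auth"
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"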
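Review bot: The `-secure-rtr` router carries no authentication: the basicauth `-auth` middleware and the secure-headers line are both commented out, so the dashboard is reachable by anyone who can reach Traefik, whereas calibre's router in this same commit attaches `forwardAuth-authentik@file`. That matters because `.dashy.env` hands the service `VUE_APP_pihole_key`; if dashy follows the Vue convention of embedding `VUE_APP_*` values in the client bundle (worth confirming against dashy's docs), the Pi-hole API key is delivered to every visitor's browser. Adding `- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=forwardAuth-authentik@file"` closes the first gap; the key should be rotated in any case since it is now in git history.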

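--- a/digikam/.digikam.env
+++ b/digikam/.digikam.env
@@ -0,0 +1,12 @@
+PUID=${PUID}
+PGID=${MEDIA_PGID}
+TZ=${TZ}
+# POSTGRES_HOST=${POSTGRES_DB_HOST}
+# POSTGRES_DB_PORT=${POSTGRES_DB_PORT}
+# POSTGRES_DB_FILE=${POSTGRES_DB_FILE}
+# POSTGRES_USER_FILE=${POSTGRES_USER_FILE}
+# POSTGRES_PASSWORD_FILE=${POSTGRES_PASSWORD_FILE}
+# DIGIKAM_ADMIN_PASSWORD_FILE=/run/secrets/digikam_admin_password
+# DIGIKAM_ADMIN_USER_FILE=/run/secrets/digikam_admin_username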

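--- a/digikam/.env
+++ b/digikam/.env
@@ -0,0 +1,27 @@
+APPLICATION_NAME=digikam
+MEDIADIR=/mnt/stpool1/NData1/Media
+DOCKERDIR=/mnt/SSD1/docker/
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATADIR=${DOCKERDIR}/data/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+PUID=3044
+PGID=3043
+MEDIA_PGID=3017
+MDB_PUID=3059
+MDB_PGID=3060
+TZ=Africa/Johannesburg
+DOMAINNAME=sthome.org
+WEBUI_PORT=3000
+MARIADB_DB_PORT=3306
+# MARIADB_DB_HOST=digikam_mariadb
+MARIADB_DB_NAME_FILE=/run/secrets/digikam_mariadb_database_name
+MARIADB_USER_FILE=/run/secrets/digikam_mariadb_username
+MARIADB_PASSWORD_FILE=/run/secrets/digikam_mariadb_password
+MARIADB_ROOT_PASSWORD_FILE=/run/secrets/digikam_mariadb_root_password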

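--- a/digikam/.mariadb.env
+++ b/digikam/.mariadb.env
@@ -0,0 +1,27 @@
+PUID=${MDB_PUID}
+PGID=${MDB_PGID}
+TZ=${TZ}
+# FILE__MYSQL_ROOT_PASSWORD=${MARIADB_ROOT_PASSWORD_FILE}
+# FILE__MYSQL_DATABASE=${MARIADB_DB_NAME_FILE}
+# FILE__MYSQL_USER=${MARIADB_USER_FILE}
+# FILE__MYSQL_PASSWORD=${MARIADB_PASSWORD_FILE}
+MARIADB_ROOT_PASSWORD_FILE=${MARIADB_ROOT_PASSWORD_FILE}
+MARIADB_DATABASE_FILE=${MARIADB_DB_NAME_FILE}
+MARIADB_USER_FILE=${MARIADB_USER_FILE}
+MARIADB_PASSWORD_FILE=${MARIADB_PASSWORD_FILE}
+# MYSQL_ROOT_PASSWORD=X6r6YJB4uK
+# MYSQL_DATABASE=digikam
+# MYSQL_USER=digikam
+# MYSQL_PASSWORD=wm0FeSRhII
+#
+# MARIADB_ROOT_PASSWORD=X6r6YJB4uK
+# MARIADB_DATABASE=digikam
+# MARIADB_USER=digikam
+# MARIADB_PASSWORD=wm0FeSRhII
+# REMOTE_SQL=http://URL1/your.sql,https://URL2/your.sql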
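Review bot: The commented-out `MYSQL_ROOT_PASSWORD`, `MYSQL_PASSWORD`, `MARIADB_ROOT_PASSWORD` and `MARIADB_PASSWORD` lines still carry literal passwords; a leading `#` keeps them out of the container's environment but not out of git history or a secret scanner's findings. Delete those lines (the `_FILE` variants above them are the live configuration) and, if the values were ever used for this database, rotate them.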

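--- a/digikam/compose.yml
+++ b/digikam/compose.yml
@@ -0,0 +1,100 @@
+name: digikam
+secrets:
+digikam_mariadb_database_name:
+file: ${SECRETSDIR}/digikam_mariadb_database_name
+digikam_mariadb_username:
+file: ${SECRETSDIR}/digikam_mariadb_username
+digikam_mariadb_password:
+file: ${SECRETSDIR}/digikam_mariadb_password
+digikam_mariadb_root_password:
+file: ${SECRETSDIR}/digikam_mariadb_root_password
+networks:
+traefik-net:
+external: true
+digikam-net:
+external: true
+services:
+digikam:
+image: lscr.io/linuxserver/digikam:latest
+hostname: ${APPLICATION_NAME}
+env_file: .digikam.env
+restart: unless-stopped
+depends_on:
+- mariadb
+# https://github.com/linuxserver/docker-baseimage-kasmvnc
+# deploy:
+# resources:
+# reservations:
+# devices:
+# - driver: nvidia
+# count: 1
+# #device_ids:
+# # - "GPU-b9bf37c1-f8c9-201c-3456-0aa35381be42"
+# capabilities: [compute,video,graphics,utility]
+volumes:
+- /etc/localtime:/etc/localtime:ro
+- "${DATADIR}/config:/config"
+- "${MEDIADIR}/Pictures:/config/Pictures"
+networks:
+- traefik-net
+- digikam-net
+# https://github.com/linuxserver/docker-baseimage-kasmvnc#lossless
+# nginx config
+# add_header 'Cross-Origin-Embedder-Policy' 'require-corp';
+# add_header 'Cross-Origin-Opener-Policy' 'same-origin';
+# add_header 'Cross-Origin-Resource-Policy' 'same-site';
+#
+# trying out following to see if they are working traefik equivalents with inspiration from https://community.traefik.io/t/setting-cross-origin-headers/22239/2
+# https://doc.traefik.io/traefik/middlewares/http/headers/
+# labels:
+# - "traefik.http.middlewares.middleware-cross-origin.headers.customResponseHeaders.Cross-Origin-Embedder-Policy=require-corp"
+# - "traefik.http.middlewares.middleware-cross-origin.headers.customResponseHeaders.Cross-Origin-Opener-Policy=same-origin"
+# - "traefik.http.middlewares.middleware-cross-origin.headers.customResponseHeaders.Cross-Origin-Resource-Policy=same-site"
+labels:
+- traefik.enable=true
+- traefik.docker.network=traefik-net
+#
+- "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.scheme=https"
+- "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.permanent=true"
+- "traefik.http.middlewares.${APPLICATION_NAME}-cross-origin.headers.customResponseHeaders.Cross-Origin-Embedder-Policy=require-corp"
+- "traefik.http.middlewares.${APPLICATION_NAME}-cross-origin.headers.customResponseHeaders.Cross-Origin-Opener-Policy=same-origin"
+- "traefik.http.middlewares.${APPLICATION_NAME}-cross-origin.headers.customResponseHeaders.Cross-Origin-Resource-Policy=same-site"
+#
+- "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+#
+- "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+- "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+- "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=${APPLICATION_NAME}-https-redirect"
+#
+- "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+#
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=sthomeresolver"
+#
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=${APPLICATION_NAME}-cross-origin"
+#
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
+mariadb:
+# image: lscr.io/linuxserver/mariadb:latest
+image: mariadb:latest
+restart: unless-stopped
+env_file: .mariadb.env
+hostname: mariadb
+volumes:
+- "${DATADIR}/mariadb:/config"
+secrets:
+- digikam_mariadb_database_name
+- digikam_mariadb_username
+- digikam_mariadb_password
+- digikam_mariadb_root_password
+networks:
+- digikam-net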
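Review bot: The mariadb service switched to the official `mariadb:latest` image (the lscr.io line is commented out) and `.mariadb.env` uses the `MARIADB_*_FILE` variables that image understands, but the volume is still `"${DATADIR}/mariadb:/config"`, which is the linuxserver layout; the official image stores its data under `/var/lib/mysql`, so the digikam database lands in the container's writable layer and is lost whenever the container is recreated or the image updates. Change the mount to `- "${DATADIR}/mariadb:/var/lib/mysql"` after migrating any data that already exists. The `depends_on: - mariadb` on the digikam service only orders startup; a healthcheck on mariadb with `condition: service_healthy` would stop digikam from connecting while the database is still initialising.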


@ -0,0 +1 @@
digikam


@ -0,0 +1 @@
1vYmCKt8L7uc5nXpVNphURv3CJXF24HN


@ -0,0 +1 @@
9bME7U68xZJiv2S1kbQXYwMhj1qtZeoMS36Grvw4wU3Iyc4kWa4dclTz


@ -0,0 +1 @@
digikam

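--- a/diun/.diun.env
+++ b/diun/.diun.env
@@ -0,0 +1,34 @@
+PUID=${PUID}
+PGID=${PGID}
+TZ=${TZ}
+DIUN_WATCH_WORKERS=20
+DIUN_WATCH_SCHEDULE="0 */6 * * *"
+DIUN_WATCH_JITTER=30s
+DIUN_PROVIDERS_DOCKER=true
+DIUN_NOTIF_MQTT_SCHEME=mqtt
+DIUN_NOTIF_MQTT_HOST=mqtt.sthome.org
+DIUN_NOTIF_MQTT_PORT=1883
+DIUN_NOTIF_MQTT_USERNAME=mqtt_user
+# DIUN_NOTIF_MQTT_USERNAMEFILE
+DIUN_NOTIF_MQTT_PASSWORD=Saterdag!32#
+# DIUN_NOTIF_MQTT_PASSWORDFILE
+DIUN_NOTIF_MQTT_CLIENT=diun
+DIUN_NOTIF_MQTT_TOPIC=docker/diun
+DIUN_NOTIF_MQTT_QOS=0
+# DIUN_NOTIF_MAIL_HOST=
+# DIUN_NOTIF_MAIL_PORT=
+# DIUN_NOTIF_MAIL_SSL=
+# DIUN_NOTIF_MAIL_INSECURESKIPVERIFY=
+# DIUN_NOTIF_MAIL_LOCALNAME=
+# DIUN_NOTIF_MAIL_USERNAME=
+# DIUN_NOTIF_MAIL_USERNAMEFILE=
+# DIUN_NOTIF_MAIL_PASSWORD=
+# DIUN_NOTIF_MAIL_PASSWORDFILE=
+# DIUN_NOTIF_MAIL_FROM=
+# DIUN_NOTIF_MAIL_TO= # comma separated
+# DIUN_NOTIF_MAIL_TEMPLATETITLE={{ .Entry.Image }} {{ if (eq .Entry.Status "new") }}is available{{ else }}has been updated{{ end }}
+# DIUN_NOTIF_MAIL_TEMPLATEBODY=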
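Review bot: `DIUN_NOTIF_MQTT_PASSWORD=...` stores the broker password inline even though the file-based alternative is acknowledged on the very next line (`# DIUN_NOTIF_MQTT_PASSWORDFILE`). Replace the inline value with `DIUN_NOTIF_MQTT_PASSWORDFILE=/run/secrets/<secret-name>` (placeholder; choose a name) backed by a `secrets:` entry in diun/compose.yml, as the other stacks in this commit already do, and rotate the broker password since it is now in history. The same password string also appears in the calibre and collabora secret files, so one rotation is not enough.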

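--- a/diun/.env
+++ b/diun/.env
@@ -0,0 +1,18 @@
+################################################################
+APPLICATION_NAME=diun
+DOCKERDIR=/mnt/SSD1/docker
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+CERTSDIR=${DATAROOT}/traefik/certs
+PUID=3062
+PGID=3063
+DOMAINNAME=sthome.org
+DNS_RESOLVER=sthomeresolver
+################################################################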

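--- a/diun/.socket-proxy.env
+++ b/diun/.socket-proxy.env
@@ -0,0 +1,36 @@
+#
+# environment variables for socket-proxy
+#
+LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
+## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
+### 0 to revoke access.
+### 1 to grant access.
+## Granted by Default
+EVENTS=1
+PING=1
+VERSION=1
+## Revoked by Default
+### Security critical
+AUTH=0
+SECRETS=0
+POST=1 # Watchtower
+### Not always needed
+BUILD=0
+COMMIT=0
+CONFIGS=0
+CONTAINERS=1 # Traefik, portainer, etc.
+DISTRIBUTION=0
+EXEC=0
+IMAGES=1 # Portainer
+INFO=1 # Portainer
+NETWORKS=1 # Portainer
+NODES=0
+PLUGINS=0
+SERVICES=1 # Portainer
+SESSION=0
+SWARM=0
+SYSTEM=0
+TASKS=1 # Portainer
+VOLUMES=1 # Portainer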
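Review bot: `POST=1 # Watchtower` sits under the file's own "Security critical" heading, and the `NETWORKS`/`SERVICES`/`TASKS`/`VOLUMES=1 # Portainer` grants name consumers that are not in this stack; the file reads as a shared template rather than a policy sized for diun, which as far as I know only lists containers and images and follows events. With `POST=1` the proxy would let the client create, start and stop containers, so set `POST=0`, `NETWORKS=0`, `SERVICES=0`, `TASKS=0` and `VOLUMES=0`, keep `CONTAINERS=1`, `IMAGES=1` and the defaults, and rewrite the trailing comments to say `# diun`. The file is currently unused because the socket-proxy service is commented out in diun/compose.yml, but it should be correct before that path is re-enabled.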

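--- a/diun/compose.yml
+++ b/diun/compose.yml
@@ -0,0 +1,50 @@
+name: diun
+networks:
+# socket_proxy:
+# driver: bridge
+# driver_opts:
+# com.docker.network.bridge.name: "br-diun_sx"
+traefik-net:
+external: true
+services:
+diun:
+image: crazymax/diun:latest
+command: serve
+env_file: .diun.env
+# depends_on:
+# - socket-proxy # Comment out if not using socket-proxy
+# environment:
+# - DOCKER_HOST=tcp://diun_socket-proxy:2375
+networks:
+- traefik-net
+# - socket_proxy
+volumes:
+- "${DATADIR}/appdata:/data"
+- "/var/run/docker.sock:/var/run/docker.sock"
+labels:
+- "diun.enable=true"
+restart: always
+###############################################################
+# socket-proxy:
+# image: tecnativa/docker-socket-proxy:0.2.0 #0.1.2
+# hostname: diun_socket-proxy
+# restart: unless-stopped
+# env_file: .socket-proxy.env
+# security_opt:
+# - no-new-privileges=true
+# networks:
+# - socket_proxy
+# privileged: true # true for VM. false for unprivileged LXC container.
+# #depends_on:
+# # - traefik
+## ports:
+## - "127.0.0.1:2375:2375"
+# volumes:
+# - "/var/run/docker.sock:/var/run/docker.sock:ro"
+# # the following bind is to persist the non-zero setting of backend docker-events.timeout server
+## - type: bind
+## source: "${DATADIR}/haproxy/haproxy.cfg.template"
+## target: /usr/local/etc/haproxy/haproxy.cfg.template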
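Review bot: `"/var/run/docker.sock:/var/run/docker.sock"` is bind-mounted straight into the diun container while the socket-proxy service, its `depends_on` and the `DOCKER_HOST=tcp://diun_socket-proxy:2375` line are all commented out; anything that compromises diun then holds root-equivalent control of the host. Appending `:ro` to the mount is not a mitigation for a socket (the API stays fully usable over it), so the real fix is to re-enable the proxy path with `.socket-proxy.env` tightened to read-only access, or at least record the acceptance next to the mount: `# direct socket mount = host-root equivalent; socket-proxy disabled because <reason>`. `image: crazymax/diun:latest` and `restart: always` together mean an unpinned image with host-level access restarts unattended; pin the tag.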

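--- a/emby/.emby.env
+++ b/emby/.emby.env
@@ -0,0 +1,14 @@
+#
+# environment variables for emby
+#
+PUID=${PUID}
+PGID=${MEDIA_GID}
+TZ=Africa/Johannesburg
+PORT=${WEBUI_PORT}
+NVIDIA_VISIBLE_DEVICES=all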

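--- a/emby/.env
+++ b/emby/.env
@@ -0,0 +1,23 @@
+#
+# values to be used for substitution by docker compose in compose.yml AND .*.env files
+#
+APPLICATION_NAME=emby
+MEDIADIR=/mnt/stpool1/NData1/Media
+DOCKERDIR=/mnt/SSD1/docker/
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATADIR=${DOCKERDIR}/data/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+CT_MEDIA=/Media
+MEDIA_GID=3017
+PUID=3017
+PGID=3016
+DOMAINNAME=sthome.org
+WEBUI_PORT=8096
+GPU_DEVICE_ID=GPU-b9bf37c1-f8c9-201c-3456-0aa35381be42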

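--- a/emby/compose.yml
+++ b/emby/compose.yml
@@ -0,0 +1,66 @@
+name: emby
+networks:
+traefik-net:
+external: true
+services:
+emby:
+image: lscr.io/linuxserver/emby:latest
+hostname: "${APPLICATION_NAME}"
+env_file: .emby.env
+group_add:
+- "${MEDIA_GID}" # not really needed if we have it as the primary gid
+restart: unless-stopped
+# this deploy section requires the installation of the nvidia-container-toolkit; comment out if the toolkit is not installed
+deploy:
+resources:
+reservations:
+devices:
+- driver: nvidia
+#count: 1
+device_ids:
+- "${GPU_DEVICE_ID}"
+capabilities: [gpu]
+volumes:
+- /etc/localtime:/etc/localtime:ro
+- ${DATADIR}/config:/config
+- ${MEDIADIR}:${CT_MEDIA}
+networks:
+- traefik-net
+labels:
+- traefik.enable=true
+- traefik.docker.network=traefik-net
+#
+# http services
+# -------------
+- "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+#
+# http routers
+# ------------
+# limit router to web ":80" entrypoint
+- "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+# set match criteria for router
+- "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+# attach middlewares to router
+- "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-redirect@file"
+# assign svc target to router
+- "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+#
+# limit router to websecure ":443" entrypoint
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+# set match criteria for router
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+# attach middlewares to router
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders@file"
+# tls
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+# apply tls options
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
+# generate certificates using following certresolver
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+# assign svc target to router
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"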

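--- a/esphome/.env
+++ b/esphome/.env
@@ -0,0 +1,21 @@
+#
+# values to be used for substitution by docker compose in compose.yml AND .*.env files
+#
+APPLICATION_NAME=esphome
+DOCKERDIR=/mnt/SSD1/docker/
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATADIR=${DOCKERDIR}/data/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+PUID=3066
+PGID=3067
+DOMAINNAME=sthome.org
+WEBUI_PORT=6052
+ESPHOME_LOCAL=10.0.2.254 # for mDNS
+ESPH_APP=esphome
+ESPH_URL=esphome.${DOMAINNAME}
+ESPH_PORT=${WEBUI_PORT}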

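--- a/esphome/.esphome.env
+++ b/esphome/.esphome.env
@@ -0,0 +1,8 @@
+#
+# environment variables for emby
+#
+PUID=${PUID}
+PGID=${PGID}
+TZ=Africa/Johannesburg
+ESPHOME_DASHBOARD_USE_PING="true"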
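Review bot: The header comment `# environment variables for emby` was carried over from emby/.emby.env, but this file configures the esphome service. Change it to `# environment variables for esphome` so someone grepping the stacks for a service's settings is not sent to the wrong file.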

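--- a/esphome/.gluetun.env
+++ b/esphome/.gluetun.env
@@ -0,0 +1,38 @@
+##############################################################################################
+# Environment variables for gluetun
+##############################################################################################
+PUID=3029
+PGID=3028
+TZ=Africa/Johannesburg
+# VPN
+VPN_SERVICE_PROVIDER=nordvpn
+VPN_TYPE=wireguard
+WIREGUARD_PRIVATE_KEY=file:///run/secrets/wireguard_private_key
+#SERVER_COUNTRIES= # Comma separated list of countries
+#SERVER_REGIONS= # Comma separated list of regions
+#SERVER_CITIES= # Comma separated list of server cities
+#SERVER_HOSTNAMES= # Comma separated list of server hostnames
+#SERVER_CATEGORIES= # Comma separated list of server categories
+#WIREGUARD_PRESHARED_KEY=
+#WIREGUARD_ADDRESSES=
+WIREGUARD_MTU=1400
+WIREGUARD_PERSISTENT_KEEPALIVE_INTERVAL=30s
+HTTP_CONTROL_SERVER_LOG=off
+DOT=on
+DOT_PROVIDERS=quad9
+DOT_CACHING=off
+DNS_UPDATE_PERIOD=24h
+BLOCK_MALICIOUS=false
+BLOCK_SURVEILLANCE=false
+BLOCK_ADS=false
+SHADOWSOCKS=off
+#FIREWALL_VPN_INPUT_PORTS=
+#FIREWALL_OUTBOUND_SUBNETS=10.0.0.0/20
+HEALTH_TARGET_ADDRESS=9.9.9.9:443 #quad9.net:443
+HEALTH_VPN_DURATION_INITIAL=120s
+UPDATER_PERIOD=24h
+FIREWALL_OUTBOUND_SUBNETS=10.0.0.0/20,192.168.0.0/24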

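--- a/esphome/Dockerfile
+++ b/esphome/Dockerfile
@@ -0,0 +1,3 @@
+FROM ghcr.io/esphome/esphome
+RUN apt update \
+&& apt install -y avahi-daemon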
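Review bot: `FROM ghcr.io/esphome/esphome` is untagged, and `apt update` / `apt install -y` leave the package lists in the image layer and pull in recommended packages; esphome/compose.yml also never references this Dockerfile (there is no `build:` and the service uses `image: esphome/esphome:2025.11.0`), so it is unclear whether the avahi-daemon build is still wanted. If it is, pin the same tag the compose file uses, use `apt-get` with `--no-install-recommends`, and clean up in the same layer; if it is not, delete the file so nobody builds a stale image from it.
```dockerfile
FROM ghcr.io/esphome/esphome:2025.11.0
RUN apt-get update \
    && apt-get install -y --no-install-recommends avahi-daemon \
    && rm -rf /var/lib/apt/lists/*
```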

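--- a/esphome/compose.yml
+++ b/esphome/compose.yml
@@ -0,0 +1,109 @@
+name: esphome
+networks:
+traefik-net:
+external: true
+macvlan1:
+external: true
+#secrets:
+# wireguard_private_key:
+# file: ${SECRETSDIR}/wireguard_private_key
+services:
+esphome:
+image: esphome/esphome:2025.11.0 #2025.9.1
+env_file: .esphome.env
+volumes:
+- /etc/localtime:/etc/localtime:ro
+- ${DATADIR}/config:/config
+# - /var/run/avahi-daemon/socket:/var/run/avahi-daemon/socket
+restart: unless-stopped
+privileged: true
+# added network_mode for VPN access
+# network_mode: "service:gluetun"
+# depends_on:
+# gluetun:
+# condition: service_healthy
+# hostname, networks and labels removed for VPN access
+# hostname: esphome
+networks:
+traefik-net: null
+macvlan1:
+ipv4_address: ${ESPHOME_LOCAL}
+labels:
+- traefik.enable=true
+- traefik.docker.network=traefik-net
+- traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}
+- traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web
+- traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&&
+PathPrefix(`/`)
+- traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-secureHeaders-redirect@file
+- traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc
+- traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure
+- traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&&
+PathPrefix(`/`)
+- traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-secureHeaders@file
+- traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true
+- traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file
+- traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns
+- traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc
+avahi-tools:
+volumes:
+- /run/dbus:/var/run/dbus
+- /run/avahi-daemon:/var/run/avahi-daemon
+image: ahasbini/avahi-tools:latest
+command: avahi-publish -a esphome.local ${ESPHOME_LOCAL}
+#command: avahi-publish-service -s esphome.local _http._tcp
+# temporary VPN
+# gluetun:
+# image: qmcgaw/gluetun:latest
+# #hostname: gluetun-qb
+# env_file: .gluetun.env
+# cap_add:
+# - NET_ADMIN
+# devices:
+# - /dev/net/tun
+# volumes:
+# - "${DATADIR}/appdata:/gluetun"
+# secrets:
+# - wireguard_private_key
+# networks:
+# traefik-net:
+# ipv4_address: 10.255.239.4 # to access services in this project from other containers; hostnames and aliases will not work
+# restart: always
+# labels:
+# - traefik.enable=true
+# - traefik.docker.network=traefik-net
+# ##################################################################################
+# ################################# ESPH_APP ##################################
+# #
+# # http services
+# # -------------
+# - "traefik.http.services.${ESPH_APP}-gt-svc.loadbalancer.server.port=${ESPH_PORT}"
+# #
+# # http routers
+# # ------------
+# # limit router to web ":80" entrypoint (Note: web entrypoint http requests are globally redirected to websecure router in traefik.yml)
+# - "traefik.http.routers.${ESPH_APP}-rtr.entrypoints=web"
+# # set match criteria for router
+# - "traefik.http.routers.${ESPH_APP}-rtr.rule=Host(`${ESPH_URL}`)&& PathPrefix(`/`)"
+# # attach middlewares to router
+# - "traefik.http.routers.${ESPH_APP}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+# # assign svc target to router
+# - "traefik.http.routers.${ESPH_APP}-rtr.service=${ESPH_APP}-gt-svc"
+# #
+# # limit router to websecure ":443" entrypoint
+# - "traefik.http.routers.${ESPH_APP}-secure-rtr.entrypoints=websecure"
+# # set match criteria for router
+# - "traefik.http.routers.${ESPH_APP}-secure-rtr.rule=Host(`${ESPH_URL}`)&& PathPrefix(`/`)"
+# # set router to be dedicated to secure requests only for the host specified in match criteria
+# - "traefik.http.routers.${ESPH_APP}-secure-rtr.tls=true"
+# # apply tls options
+# - "traefik.http.routers.${ESPH_APP}-secure-rtr.tls.options=tls-options@file"
+# # generate certificates using following certresolver
+# - "traefik.http.routers.${ESPH_APP}-secure-rtr.tls.certresolver=solver-dns"
+# # attach middlewares to routers
+# #- "traefik.http.routers.${ESPH_APP}-secure-rtr.middlewares=${ESPH_APP}-auth"
+# - "traefik.http.routers.${ESPH_APP}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+# # assign svc target to router
+# - "traefik.http.routers.${ESPH_APP}-secure-rtr.service=${ESPH_APP}-gt-svc"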
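Review bot: `privileged: true` on the esphome service grants the container every capability and every host device, on top of a macvlan interface with a fixed address and an HTTPS route that carries no authentication middleware. If the flag exists to reach a USB programmer, a `devices:` entry for that path (`- /dev/ttyUSB0:/dev/ttyUSB0`, adjusted to the real device) is the narrower way to get it; the commented-out gluetun block in this same file already shows the targeted `cap_add: - NET_ADMIN` plus `devices:` style. Whatever is kept, a comment next to `privileged: true` naming the reason would let the next reader judge whether it is still needed. The avahi-tools service also mounts the host `/run/dbus` with an unpinned `:latest` image; that is a second route to the host worth a pinned tag.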


@ -0,0 +1 @@
AL/ZCKyKh6CcRnUmwpP+0N+qXqXva939kfPYnqYn30I=

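--- a/fireflyiii/.db.env
+++ b/fireflyiii/.db.env
@@ -0,0 +1,10 @@
+APPLICATION_NAME=firefly
+STACKSDIR=/opt/stacks/fireflyiii
+DATADIR=/mnt/data/fireflyiii
+PUID=70
+PGID=70
+TZ=Africa/Johannesburg
+POSTGRES_DB_FILE=/run/secrets/fireflyiii_postgresql_database
+POSTGRES_USER_FILE=/run/secrets/fireflyiii_postgresql_username
+POSTGRES_PASSWORD_FILE=/run/secrets/fireflyiii_postgresql_password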
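Review bot: `STACKSDIR=/opt/stacks/fireflyiii` and `DATADIR=/mnt/data/fireflyiii` disagree with every other stack on this page and with fireflyiii/.env, which derives both from `/mnt/SSD1/docker`; they look like leftovers from a different host. Compose already substitutes `${STACKSDIR}` and `${DATADIR}` from fireflyiii/.env, so these two lines either do nothing or, if the database container reads this file for its own paths, point it somewhere that does not exist on this host; drop them, or align them with `STACKSDIR=${DOCKERDIR}/stacks/${PROJECT_NAME}` and `DATADIR=${DOCKERDIR}/data/${PROJECT_NAME}` (fireflyiii/compose.yml is not on the page, so which case applies needs checking there).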

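--- a/fireflyiii/.env
+++ b/fireflyiii/.env
@@ -0,0 +1,41 @@
+PROJECT_NAME=fireflyiii # distinguish between fireflyiii and firefly
+APPLICATION_NAME=firefly
+IMPORTER_NAME=firefly-importer
+MEDIADIR=/mnt/stpool1/NData1/Media
+DOCKERDIR=/mnt/SSD1/docker
+STACKSDIR=${DOCKERDIR}/stacks/${PROJECT_NAME}
+DATADIR=${DOCKERDIR}/data/${PROJECT_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+DOMAINNAME=sthome.org
+WEBUI_PORT=8080
+IMPORTER_WEBUI_PORT=8080
+PUID=3035
+PGID=3034
+TZ=Africa/Johannesburg
+FFIII_MAIL_PORT=25
+FFIII_FQDN=${APPLICATION_NAME}.${DOMAINNAME}
+FFIII_IMPORTER_FQDN=${IMPORTER_NAME}.${DOMAINNAME}
+# secrets
+FFIII_ACCESS_TOKEN_FILE=/run/secrets/fireflyiii_access_token
+FFIII_APP_KEY_FILE=/run/secrets/fireflyiii_app_key
+FFIII_MAP_DEFAULT_LAT_FILE=/run/secrets/fireflyiii_default_lat
+FFIII_MAP_DEFAULT_LONG_FILE=/run/secrets/fireflyiii_default_long
+FFIII_MAIL_DESTINATION_FILE=/run/secrets/fireflyiii_mail_destination
+FFIII_MAIL_FROM_FILE=/run/secrets/fireflyiii_mail_from
+FFIII_MAIL_HOST_FILE=/run/secrets/fireflyiii_mail_host
+FFIII_MAIL_PASSWORD_FILE=/run/secrets/fireflyiii_mail_password
+FFIII_MAIL_USERNAME_FILE=/run/secrets/fireflyiii_mail_username
+FFIII_DB_NAME_FILE=/run/secrets/fireflyiii_postgresql_database
+FFIII_DB_PASSWORD_FILE=/run/secrets/fireflyiii_postgresql_password
+FFIII_DB_USER_FILE=/run/secrets/fireflyiii_postgresql_username
+FFIII_SITE_OWNER_FILE=/run/secrets/fireflyiii_site_owner
+FFIII_STATIC_CRON_TOKEN_FILE=/run/secrets/fireflyiii_static_cron_token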
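Review bot: `SECRETSDIR=${STACKSDIR}/secrets` places the files that `fireflyiii/compose.yml` mounts as Docker secrets inside the stack directory, which is the tree this commit checks in; unless that directory is excluded by `.gitignore`, every `${SECRETSDIR}/fireflyiii_*` file ends up in git history. Keep the secrets outside the committed tree (or ignore the directory) and rotate anything that has already been pushed. Separately, `WEBUI_PORT` and `IMPORTER_WEBUI_PORT` are both `8080`; if both are published on the host the second bind will fail, which is harmless only while they are used for container-internal addresses.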


@ -0,0 +1,292 @@
PUID=3035
PGID=3034
TZ=Africa/Johannesburg
# Firefly Data Importer (FIDI) configuration file
# Where is Firefly III?
#
# 1) Make sure you ADD http:// or https://
# 2) Make sure you REMOVE any trailing slash from the end of the URL.
# 3) In case of Docker, refer to the internal IP of your Firefly III installation.
#
# Setting this value is not mandatory. But it is very useful.
#
# This variable can be set from a file if you append it with _FILE
#
FIREFLY_III_URL=http://${FFIII_FQDN}:8080
#
# Imagine Firefly III can be reached at "http://172.16.0.2:8082" (internal Docker network or something).
# But you have a fancy URL: "https://personal-finances.bill.microsoft.com/"
#
# In those cases, you can overrule the URL so when the data importer links back to Firefly III, it uses the correct URL.
#
# 1) Make sure you ADD http:// or https://
# 2) Make sure you REMOVE any trailing slash from the end of the URL.
#
# IF YOU SET THIS VALUE, YOU MUST ALSO SET THE FIREFLY_III_URL
#
# This variable can be set from a file if you append it with _FILE
#
VANITY_URL=http://${FFIII_FQDN}:8080 # https://${FFIII_FQDN}
#
# Set your Firefly III Personal Access Token (OAuth)
# You can create a Personal Access Token on the /profile page:
# go to the OAuth tab, then Personal Access Token and "Create token".
#
# - Do not use the "command line token". That's the WRONG one.
# - Do not use "APP_KEY" value from your Firefly III installation. That's the WRONG one.
#
# Setting this value is not mandatory. Instructions will follow if you omit this field.
#
# This variable can be set from a file if you append it with _FILE
#
FIREFLY_III_ACCESS_TOKEN_FILE=${FFIII_ACCESS_TOKEN_FILE}
#
# You can also use a public client ID. This is available in Firefly III 5.4.0-alpha.3 and higher.
# This is a number (1, 2, 3). If you use the client ID, you can leave the access token empty and vice versa.
#
# This value is not mandatory to set. Instructions will follow if you omit this field.
#
# This variable can be set from a file if you append it with _FILE
#
FIREFLY_III_CLIENT_ID=
#
# GoCardless information.
# The key and ID can be set from a file if you append it with _FILE
#
NORDIGEN_ID=
NORDIGEN_KEY=
#
# If you want to use the GoCardless sandbox, set this to true.
#
NORDIGEN_SANDBOX=false
#
# GoCardless has a rate limit in place. The data importer can wait it out, or exit.
# Valid values are "wait" or "exit"
#
RESPOND_TO_GOCARDLESS_LIMIT=wait
#
# The data importer collects account details, which are currently unused.
# This is disabled, since it costs a lot of API calls.
# You can enable it if you want to.
#
GOCARDLESS_GET_ACCOUNT_DETAILS=false
#
# The data importer also collects balances, which can be used for (manual)
# balance verification ("did the import go well?").
# This is disabled by default, since it costs a lot of API calls.
# You can enable it if you want to.
#
GOCARDLESS_GET_BALANCE_DETAILS=false
#
# Spectre information
#
# The ID and secret can be set from a file if you append it with _FILE
SPECTRE_APP_ID=
SPECTRE_SECRET=
#
# Use cache. No need to do this.
#
USE_CACHE=false
#
# If set to true, the data import will not complain about running into duplicates.
# This will give you cleaner import mails if you run regular imports.
#
# This means that the data importer will not import duplicates, but it will not complain about them either.
#
# This setting has no influence on the settings in your configuration(.json).
#
# Of course, if something goes wrong *because* the transaction is a duplicate you will
# NEVER know unless you start digging in your log files. So be careful with this.
#
IGNORE_DUPLICATE_ERRORS=false
#
# If you set this to true, the importer will not complain about transactions that can't be found after they've
# been imported. This happens when rule on the Firefly III side deletes the transaction immediately after creating it.
# This can be useful when you have a rule that immediately deletes GoCardless' "pending" transactions. Setting this
# to true reduces some noise.
#
IGNORE_NOT_FOUND_TRANSACTIONS=false
#
# Auto import settings. Due to security constraints, you MUST enable each feature individually.
# You must also set a secret. The secret is used for the web routes.
#
# The auto-import secret must be a string of at least 16 characters.
# Visit this page for inspiration: https://www.random.org/passwords/?num=1&len=16&format=html&rnd=new
#
# Submit it using ?secret=X
#
# This variable can be set from a file if you append it with _FILE
#
AUTO_IMPORT_SECRET=
#
# Is the /autoimport even endpoint enabled?
# By default it's disabled, and the secret alone will not enable it.
#
CAN_POST_AUTOIMPORT=false
#
# Is the /autoupload endpoint enabled?
# By default it's disabled, and the secret alone will not enable it.
#
CAN_POST_FILES=false
#
# Import directory white list. You need to set this before the auto importer will accept a directory to import from.
#
# This variable can be set from a file if you append it with _FILE
#
IMPORT_DIR_ALLOWLIST=
#
# If you import from a directory, you can save a fallback configuration file in the directory.
# This file must be called "_fallback.json" and will be used when your CSV or CAMT.053 file is not accompanied
# by a configuration file.
#
# This fallback configuration will only be used if this variable is set to true.
# https://docs.firefly-iii.org/how-to/data-importer/advanced/post/#importing-a-local-directory
#
FALLBACK_IN_DIR=false
#
# When you're running Firefly III under a (self-signed) certificate,
# the data importer may have trouble verifying the TLS connection.
#
# You have a few options to make sure the data importer can connect
# to Firefly III:
# - 'true': will verify all certificates. The most secure option and the default.
# - 'file.pem': refer to a file (you must provide it) to your custom root or intermediate certificates.
# - 'false': will verify NO certificates. Not very secure.
VERIFY_TLS_SECURITY=true
#
# If you want, you can set a directory here where the data importer will look for import configurations.
# This is a separate setting from the /import directory that the auto-import uses.
# Setting this variable isn't necessary. The default value is "storage/configurations".
#
# This variable can be set from a file if you append it with _FILE
#
JSON_CONFIGURATION_DIR=
#
# Time out when connecting with Firefly III.
# π*10 seconds is usually fine.
#
CONNECTION_TIMEOUT=31.41
# The following variables can be useful when debugging the application
APP_ENV=local
APP_DEBUG=false
LOG_CHANNEL=stack
#
# If you turn this on, expect massive logs with lots of privacy sensitive data
#
LOG_RETURN_JSON=false
# Log level. You can set this from least severe to most severe:
# debug, info, notice, warning, error, critical, alert, emergency
# If you set it to debug your logs will grow large, and fast. If you set it to emergency probably
# nothing will get logged, ever.
LOG_LEVEL=info
# TRUSTED_PROXIES is a useful variable when using Docker and/or a reverse proxy.
# Set it to ** and reverse proxies work just fine.
TRUSTED_PROXIES=**
#
# Email settings.
# The data importer can send you a message with all errors, warnings and messages
# after a successful import. This is disabled by default
#
ENABLE_MAIL_REPORT=false
#
# Force Firefly III URL to be secure?
#
#
EXPECT_SECURE_URL=false
# If enabled, define which mailer you want to use.
# Options include: smtp, mailgun, postmark, sendmail, log, array
# Amazon SES is not supported.
# log = drop mails in the logs instead of sending them
# array = debug mailer that does nothing.
MAIL_MAILER=
# where to send the report?
MAIL_DESTINATION=${FFIII_MAIL_DESTINATION_FILE}
# other mail settings
# These variables can be set from a file if you append it with _FILE
MAIL_FROM_ADDRESS_FILE=${FFIII_MAIL_FROM_FILE}
MAIL_HOST_FILE=${FFIII_MAIL_HOST_FILE}
MAIL_PORT=${FFIII_MAIL_PORT}
MAIL_USERNAME_FILE=${FFIII_MAIL_USERNAME_FILE}
MAIL_PASSWORD_FILE=${FFIII_MAIL_PASSWORD_FILE}
MAIL_ENCRYPTION=null
# Extra settings depending on your mail configuration above.
# These variables can be set from a file if you append it with _FILE
MAILGUN_DOMAIN=
MAILGUN_SECRET=
MAILGUN_ENDPOINT=
POSTMARK_TOKEN=
#
# You probably won't need to change these settings.
#
BROADCAST_DRIVER=log
CACHE_DRIVER=file
QUEUE_CONNECTION=sync
SESSION_DRIVER=file
SESSION_LIFETIME=120
IS_EXTERNAL=false
REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379
# always use quotes
REDIS_DB="0"
REDIS_CACHE_DB="1"
#
# Use ASSET_URL when your data importer webpages are served from a URL with a subfolder path
# This pre-appends the subfolder path in front of URLs for browser-side assets such as CSS Files.
# Example: If your webserver (i.e. NGINX) is configured to serve the data importer webpages from
# http://localhost/ff3di, set ASSET_URL = /ff3di
# and it will pre-append that value to any requests for browser-side assets
# 1) Make sure you REMOVE any trailing slash from the end of the URL.
#
ASSET_URL=
# The only tracker supported is Matomo.
# This is used on the public instance over at https://data-importer.firefly-iii.org
TRACKER_SITE_ID=
TRACKER_URL=
APP_NAME=DataImporter
#
# The APP_URL environment variable is NOT used anywhere.
# Don't bother setting it to fix your reverse proxy problems. It won't help.
# Don't open issues telling me it doesn't help because it's not supposed to.
# Laravel uses this to generate links on the command line, which is a feature the data importer does not use.
#
APP_URL=http://localhost

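--- a/fireflyiii/.firefly.env
+++ b/fireflyiii/.firefly.env
@@ -0,0 +1,325 @@
+PUID=${PUID}
+PGID=${PGID}
+TZ=${TZ}
+# You can leave this on "local". If you change it to production most console commands will ask for extra confirmation.
+# Never set it to "testing".
+APP_ENV=local
+# Set to true if you want to see debug information in error screens.
+APP_DEBUG=false
+# This should be your email address.
+# If you use Docker or similar, you can set this variable from a file by using SITE_OWNER_FILE
+# The variable is used in some errors shown to users who aren't admin.
+SITE_OWNER_FILE=${FFIII_SITE_OWNER_FILE}
+# The encryption key for your sessions. Keep this very secure.
+# Change it to a string of exactly 32 chars or use something like `php artisan key:generate` to generate it.
+# If you use Docker or similar, you can set this variable from a file by using APP_KEY_FILE
+#
+# Avoid the "#" character in your APP_KEY, it may break things.
+#
+APP_KEY_FILE=${FFIII_APP_KEY_FILE}
+# Firefly III will launch using this language (for new users and unauthenticated visitors)
+# For a list of available languages: https://github.com/firefly-iii/firefly-iii/tree/main/resources/lang
+#
+# If text is still in English, remember that not everything may have been translated.
+DEFAULT_LANGUAGE=en_US
+# The locale defines how numbers are formatted.
+# by default this value is the same as whatever the language is.
+DEFAULT_LOCALE=equal
+# TRUSTED_PROXIES is a useful variable when using Docker and/or a reverse proxy.
+# Set it to ** and reverse proxies work just fine.
+TRUSTED_PROXIES=**
+# The log channel defines where your log entries go to.
+# Several other options exist. You can use 'single' for one big fat error log (not recommended).
+# Also available are 'syslog', 'errorlog' and 'stdout' which will log to the system itself.
+# A rotating log option is 'daily', creates 5 files that (surprise) rotate.
+# A cool option is 'papertrail' for cloud logging
+# Default setting 'stack' will log to 'daily' and to 'stdout' at the same time.
+LOG_CHANNEL=stack
+# Log level. You can set this from least severe to most severe:
+# debug, info, notice, warning, error, critical, alert, emergency
+# If you set it to debug your logs will grow large, and fast. If you set it to emergency probably
+# nothing will get logged, ever.
+APP_LOG_LEVEL=notice
+# Audit log level.
+# The audit log is used to log notable Firefly III events on a separate channel.
+# These log entries may contain sensitive financial information.
+# The audit log is disabled by default.
+#
+# To enable it, set AUDIT_LOG_LEVEL to "info"
+# To disable it, set AUDIT_LOG_LEVEL to "emergency"
+AUDIT_LOG_LEVEL=emergency
+#
+# If you want, you can redirect the audit logs to another channel.
+# Set 'audit_stdout', 'audit_syslog', 'audit_errorlog' to log to the system itself.
+# Use audit_daily to log to a rotating file.
+# Use audit_papertrail to log to papertrail.
+#
+# If you do this, the audit logs may be mixed with normal logs because the settings for these channels
+# are often the same as the settings for the normal logs.
+AUDIT_LOG_CHANNEL=
+#
+# Used when logging to papertrail:
+# Also used when audit logs log to papertrail:
+#
+PAPERTRAIL_HOST=
+PAPERTRAIL_PORT=
+# Database credentials. Make sure the database exists. I recommend a dedicated user for Firefly III
+# For other database types, please see the FAQ: https://docs.firefly-iii.org/references/faq/install/#i-want-to-use-sqlite
+# If you use Docker or similar, you can set these variables from a file by appending them with _FILE
+# Use "pgsql" for PostgreSQL
+# Use "mysql" for MySQL and MariaDB.
+# Use "sqlite" for SQLite.
+DB_CONNECTION=pgsql
+DB_HOST=firefly_postgresql
+DB_PORT=5432
+DB_DATABASE_FILE=${FFIII_DB_NAME_FILE}
+DB_USERNAME_FILE=${FFIII_DB_USER_FILE}
+DB_PASSWORD_FILE=${FFIII_DB_PASSWORD_FILE}
+# leave empty or omit when not using a socket connection
+DB_SOCKET=
+# MySQL supports SSL. You can configure it here.
+# If you use Docker or similar, you can set these variables from a file by appending them with _FILE
+MYSQL_USE_SSL=false
+MYSQL_SSL_VERIFY_SERVER_CERT=true
+# You need to set at least of these options
+MYSQL_SSL_CAPATH=/etc/ssl/certs/
+MYSQL_SSL_CA=
+MYSQL_SSL_CERT=
+MYSQL_SSL_KEY=
+MYSQL_SSL_CIPHER=
+# PostgreSQL supports SSL. You can configure it here.
+# If you use Docker or similar, you can set these variables from a file by appending them with _FILE
+PGSQL_SSL_MODE=prefer
+PGSQL_SSL_ROOT_CERT=null
+PGSQL_SSL_CERT=null
+PGSQL_SSL_KEY=null
+PGSQL_SSL_CRL_FILE=null
+# For postgresql 15 and up, setting this to public will no longer work as expected, because the
+# 'public' schema is without grants. This can be worked around by having a super user grant those
+# necessary privileges, but in security conscious setups that's not viable.
+# You will need to set this to the schema you want to use.
+PGSQL_SCHEMA=public
+# If you're looking for performance improvements, you could install memcached or redis
+CACHE_DRIVER=file
+SESSION_DRIVER=file
+# If you set either of the options above to 'redis', you might want to update these settings too
+# If you use Docker or similar, you can set REDIS_HOST_FILE, REDIS_PASSWORD_FILE or
+# REDIS_PORT_FILE to set the value from a file instead of from an environment variable
+# can be tcp or unix. http is not supported
+REDIS_SCHEME=tcp
+# use only when using 'unix' for REDIS_SCHEME. Leave empty otherwise.
+REDIS_PATH=
+# use only when using 'tcp' or 'http' for REDIS_SCHEME. Leave empty otherwise.
+REDIS_HOST=127.0.0.1
+REDIS_PORT=6379
+# Use only with Redis 6+ with proper ACL set. Leave empty otherwise.
+REDIS_USERNAME=
+REDIS_PASSWORD=
+# always use quotes and make sure redis db "0" and "1" exists. Otherwise change accordingly.
+REDIS_DB="0"
+REDIS_CACHE_DB="1"
+# Cookie settings. Should not be necessary to change these.
+# If you use Docker or similar, you can set COOKIE_DOMAIN_FILE to set
+# the value from a file instead of from an environment variable
+# Setting samesite to "strict" may give you trouble logging in.
+COOKIE_PATH="/"
+COOKIE_DOMAIN=
+COOKIE_SECURE=false
+COOKIE_SAMESITE=lax
+# If you want Firefly III to email you, update these settings
+# For instructions, see: https://docs.firefly-iii.org/how-to/firefly-iii/advanced/notifications/#email
+# If you use Docker or similar, you can set these variables from a file by appending them with _FILE
+MAIL_MAILER=log
+MAIL_HOST_FILE=${FFIII_MAIL_HOST_FILE}
+MAIL_PORT=${FFIII_MAIL_PORT}
+MAIL_FROM_FILE=${FFIII_MAIL_FROM_FILE}
+MAIL_USERNAME_FILE=${FFIII_MAIL_USERNAME_FILE}
+MAIL_PASSWORD_FILE=${FFIII_MAIL_PASSWORD_FILE}
+MAIL_ENCRYPTION=null
+#MAIL_SENDMAIL_COMMAND=
+# Other mail drivers:
+# If you use Docker or similar, you can set these variables from a file by appending them with _FILE
+MAILGUN_DOMAIN=
+MAILGUN_SECRET=
+# If you are on EU region in mailgun, use api.eu.mailgun.net, otherwise use api.mailgun.net
+# If you use Docker or similar, you can set this variable from a file by appending it with _FILE
+#MAILGUN_ENDPOINT=api.mailgun.net
+# If you use Docker or similar, you can set these variables from a file by appending them with _FILE
+MANDRILL_SECRET=
+SPARKPOST_SECRET=
+# Firefly III can send you the following messages.
+SEND_ERROR_MESSAGE=true
+# These messages contain (sensitive) transaction information:
+SEND_REPORT_JOURNALS=true
+# Set this value to true if you want to set the location of certain things, like transactions.
+# Since this involves an external service, it's optional and disabled by default.
+ENABLE_EXTERNAL_MAP=false
+#
+# Enable or disable exchange rate conversion. This function isn't used yet by Firefly III
+#
+ENABLE_EXCHANGE_RATES=false
+# Set this value to true if you want Firefly III to download currency exchange rates
+# from the internet. These rates are hosted by the creator of Firefly III inside
+# an Azure Storage Container.
+# Not all currencies may be available. Rates may be wrong.
+ENABLE_EXTERNAL_RATES=false
+# The map will default to this location:
+MAP_DEFAULT_LAT_FILE=${FFIII_MAP_DEFAULT_LAT_FILE}
+MAP_DEFAULT_LONG_FILE=${FFIII_MAP_DEFAULT_LONG_FILE}
+MAP_DEFAULT_ZOOM=6
+#
+# Some objects have room for an URL, like transactions and webhooks.
+# By default, the following protocols are allowed:
+# http, https, ftp, ftps, mailto
+#
+# To change this, set your preferred comma separated set below.
+# Be sure to include http, https and other default ones if you need to.
+#
+VALID_URL_PROTOCOLS=
+#
+# Firefly III authentication settings
+#
+#
+# Firefly III supports a few authentication methods:
+# - 'web' (default, uses built in DB)
+# - 'remote_user_guard' for Authelia etc
+# Read more about these settings in the documentation.
+# https://docs.firefly-iii.org/how-to/firefly-iii/advanced/authentication/
+#
+# LDAP is no longer supported :(
+#
+AUTHENTICATION_GUARD=web
+#
+# Remote user guard settings
+#
+AUTHENTICATION_GUARD_HEADER=REMOTE_USER
+AUTHENTICATION_GUARD_EMAIL=
+#
+# Firefly III generates a basic keypair for your OAuth tokens.
+# If you want, you can overrule the key with your own (secure) value.
+# It's also possible to set PASSPORT_PUBLIC_KEY_FILE or PASSPORT_PRIVATE_KEY_FILE
+# if you're using Docker secrets or similar solutions for secret management
+#
+PASSPORT_PRIVATE_KEY=
+PASSPORT_PUBLIC_KEY=
+#
+# Extra authentication settings
+#
+CUSTOM_LOGOUT_URL=
+# You can disable the X-Frame-Options header if it interferes with tools like
+# Organizr. This is at your own risk. Applications running in frames run the risk
+# of leaking information to their parent frame.
+DISABLE_FRAME_HEADER=false
+# You can disable the Content Security Policy header when you're using an ancient browser
+# or any version of Microsoft Edge / Internet Explorer (which amounts to the same thing really)
+# This leaves you with the risk of not being able to stop XSS bugs should they ever surface.
+# This is at your own risk.
+DISABLE_CSP_HEADER=false
+# If you wish to track your own behavior over Firefly III, set valid analytics tracker information here.
+# Nobody uses this except for me on the demo site. But hey, feel free to use this if you want to.
+# Do not prepend the TRACKER_URL with http:// or https://
+# The only tracker supported is Matomo.
+# You can set the following variables from a file by appending them with _FILE:
+#TRACKER_SITE_ID=
+#TRACKER_URL=
+#
+# Firefly III supports webhooks. These are security sensitive and must be enabled manually first.
+#
+ALLOW_WEBHOOKS=false
+#
+# The static cron job token can be useful when you use Docker and wish to manage cron jobs.
+# 1. Set this token to any 32-character value (this is important!).
+# 2. Use this token in the cron URL instead of a user's command line token that you can find in /profile
+#
+# For more info: https://docs.firefly-iii.org/how-to/firefly-iii/advanced/cron/
+#
+# You can set this variable from a file by appending it with _FILE
+#
+STATIC_CRON_TOKEN_FILE=${FFIII_STATIC_CRON_TOKEN_FILE}
+# You can fine tune the start-up of a Docker container by editing these environment variables.
+# Use this at your own risk. Disabling certain checks and features may result in lots of inconsistent data.
+# However if you know what you're doing you can significantly speed up container start times.
+# Set each value to true to enable, or false to disable.
+# Set this to true to build all locales supported by Firefly III.
+# This may take quite some time (several minutes) and is generally not recommended.
+# If you wish to change or alter the list of locales, start your Docker container with
+# `docker run -v locale.gen:/etc/locale.gen -e DKR_BUILD_LOCALE=true`
+# and make sure your preferred locales are in your own locale.gen.
+DKR_BUILD_LOCALE=false
+# Check if the SQLite database exists. Can be skipped if you're not using SQLite.
+# Won't significantly speed up things.
+#DKR_CHECK_SQLITE=true
+# Leave the following configuration vars as is.
+# Unless you like to tinker and know what you're doing.
+APP_NAME=FireflyIII
+BROADCAST_DRIVER=log
+QUEUE_DRIVER=sync
+CACHE_PREFIX=firefly
+PUSHER_KEY=
+IPINFO_TOKEN=
+PUSHER_SECRET=
+PUSHER_ID=
+DEMO_USERNAME=
+DEMO_PASSWORD=
+#
+# The v2 layout is very experimental. If it breaks you get to keep both parts.
+# Be wary of data loss.
+#
+FIREFLY_III_LAYOUT=v1
+#
+# Please make sure this URL matches the external URL of your Firefly III installation.
+# It is used to validate specific requests and to generate URLs in emails.
+#
+APP_URL=https://${FFIII_FQDN}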
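Review bot: `COOKIE_SECURE=false` contradicts `APP_URL=https://${FFIII_FQDN}`: the application is reached over TLS through the Traefik `websecure` entrypoint, so the session cookie should carry the Secure flag, `COOKIE_SECURE=true`. `TRUSTED_PROXIES=**` accepts `X-Forwarded-*` headers from any client address; behind a single Traefik instance it is safer to list the proxy's network range there instead. `MAIL_ENCRYPTION=null` together with `MAIL_PORT=${FFIII_MAIL_PORT}` (25 in `.env`) would send the SMTP credentials in cleartext once `MAIL_MAILER` is switched away from `log`; prefer `MAIL_ENCRYPTION=tls` on port 587 when mail is enabled.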


@ -0,0 +1,8 @@
PUID=70
PGID=70
TZ=Africa/Johannesburg
POSTGRES_DB_FILE=${FFIII_DB_NAME_FILE}
POSTGRES_USER_FILE=${FFIII_DB_USER_FILE}
POSTGRES_PASSWORD_FILE=${FFIII_DB_PASSWORD_FILE}

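--- a/fireflyiii/.importer.env
+++ b/fireflyiii/.importer.env
@@ -0,0 +1,292 @@
+PUID=3035
+PGID=3034
+TZ=Africa/Johannesburg
+# Firefly Data Importer (FIDI) configuration file
+# Where is Firefly III?
+#
+# 1) Make sure you ADD http:// or https://
+# 2) Make sure you REMOVE any trailing slash from the end of the URL.
+# 3) In case of Docker, refer to the internal IP of your Firefly III installation.
+#
+# Setting this value is not mandatory. But it is very useful.
+#
+# This variable can be set from a file if you append it with _FILE
+#
+FIREFLY_III_URL=https://${FFIII_FQDN} # connects via traefik websecure entrypoint
+#
+# Imagine Firefly III can be reached at "http://172.16.0.2:8082" (internal Docker network or something).
+# But you have a fancy URL: "https://personal-finances.bill.microsoft.com/"
+#
+# In those cases, you can overrule the URL so when the data importer links back to Firefly III, it uses the correct URL.
+#
+# 1) Make sure you ADD http:// or https://
+# 2) Make sure you REMOVE any trailing slash from the end of the URL.
+#
+# IF YOU SET THIS VALUE, YOU MUST ALSO SET THE FIREFLY_III_URL
+#
+# This variable can be set from a file if you append it with _FILE
+#
+VANITY_URL=https://${FFIII_FQDN} # connects via traefik websecure entrypoint
+#
+# Set your Firefly III Personal Access Token (OAuth)
+# You can create a Personal Access Token on the /profile page:
+# go to the OAuth tab, then Personal Access Token and "Create token".
+#
+# - Do not use the "command line token". That's the WRONG one.
+# - Do not use "APP_KEY" value from your Firefly III installation. That's the WRONG one.
+#
+# Setting this value is not mandatory. Instructions will follow if you omit this field.
+#
+# This variable can be set from a file if you append it with _FILE
+#
+FIREFLY_III_ACCESS_TOKEN_FILE=${FFIII_ACCESS_TOKEN_FILE}
+#
+# You can also use a public client ID. This is available in Firefly III 5.4.0-alpha.3 and higher.
+# This is a number (1, 2, 3). If you use the client ID, you can leave the access token empty and vice versa.
+#
+# This value is not mandatory to set. Instructions will follow if you omit this field.
+#
+# This variable can be set from a file if you append it with _FILE
+#
+FIREFLY_III_CLIENT_ID=
+#
+# GoCardless information.
+# The key and ID can be set from a file if you append it with _FILE
+#
+NORDIGEN_ID=
+NORDIGEN_KEY=
+#
+# If you want to use the GoCardless sandbox, set this to true.
+#
+NORDIGEN_SANDBOX=false
+#
+# GoCardless has a rate limit in place. The data importer can wait it out, or exit.
+# Valid values are "wait" or "exit"
+#
+RESPOND_TO_GOCARDLESS_LIMIT=wait
+#
+# The data importer collects account details, which are currently unused.
+# This is disabled, since it costs a lot of API calls.
+# You can enable it if you want to.
+#
+GOCARDLESS_GET_ACCOUNT_DETAILS=false
+#
+# The data importer also collects balances, which can be used for (manual)
+# balance verification ("did the import go well?").
+# This is disabled by default, since it costs a lot of API calls.
+# You can enable it if you want to.
+#
+GOCARDLESS_GET_BALANCE_DETAILS=false
+#
+# Spectre information
+#
+# The ID and secret can be set from a file if you append it with _FILE
+SPECTRE_APP_ID=
+SPECTRE_SECRET=
+#
+# Use cache. No need to do this.
+#
+USE_CACHE=false
+#
+# If set to true, the data import will not complain about running into duplicates.
+# This will give you cleaner import mails if you run regular imports.
+#
+# This means that the data importer will not import duplicates, but it will not complain about them either.
+#
+# This setting has no influence on the settings in your configuration(.json).
+#
+# Of course, if something goes wrong *because* the transaction is a duplicate you will
+# NEVER know unless you start digging in your log files. So be careful with this.
+#
+IGNORE_DUPLICATE_ERRORS=false
+#
+# If you set this to true, the importer will not complain about transactions that can't be found after they've
+# been imported. This happens when rule on the Firefly III side deletes the transaction immediately after creating it.
+# This can be useful when you have a rule that immediately deletes GoCardless' "pending" transactions. Setting this
+# to true reduces some noise.
+#
+IGNORE_NOT_FOUND_TRANSACTIONS=false
+#
+# Auto import settings. Due to security constraints, you MUST enable each feature individually.
+# You must also set a secret. The secret is used for the web routes.
+#
+# The auto-import secret must be a string of at least 16 characters.
+# Visit this page for inspiration: https://www.random.org/passwords/?num=1&len=16&format=html&rnd=new
+#
+# Submit it using ?secret=X
+#
+# This variable can be set from a file if you append it with _FILE
+#
+AUTO_IMPORT_SECRET=
+#
+# Is the /autoimport even endpoint enabled?
+# By default it's disabled, and the secret alone will not enable it.
+#
+CAN_POST_AUTOIMPORT=false
+#
+# Is the /autoupload endpoint enabled?
+# By default it's disabled, and the secret alone will not enable it.
+#
+CAN_POST_FILES=false
+#
+# Import directory white list. You need to set this before the auto importer will accept a directory to import from.
+#
+# This variable can be set from a file if you append it with _FILE
+#
+IMPORT_DIR_ALLOWLIST=
+#
+# If you import from a directory, you can save a fallback configuration file in the directory.
+# This file must be called "_fallback.json" and will be used when your CSV or CAMT.053 file is not accompanied
+# by a configuration file.
+#
+# This fallback configuration will only be used if this variable is set to true.
+# https://docs.firefly-iii.org/how-to/data-importer/advanced/post/#importing-a-local-directory
+#
+FALLBACK_IN_DIR=false
+#
+# When you're running Firefly III under a (self-signed) certificate,
+# the data importer may have trouble verifying the TLS connection.
+#
+# You have a few options to make sure the data importer can connect
+# to Firefly III:
+# - 'true': will verify all certificates. The most secure option and the default.
+# - 'file.pem': refer to a file (you must provide it) to your custom root or intermediate certificates.
+# - 'false': will verify NO certificates. Not very secure.
+VERIFY_TLS_SECURITY=true
+#
+# If you want, you can set a directory here where the data importer will look for import configurations.
+# This is a separate setting from the /import directory that the auto-import uses.
+# Setting this variable isn't necessary. The default value is "storage/configurations".
+#
+# This variable can be set from a file if you append it with _FILE
+#
+JSON_CONFIGURATION_DIR=
+#
+# Time out when connecting with Firefly III.
+# π*10 seconds is usually fine.
+#
+CONNECTION_TIMEOUT=31.41
+# The following variables can be useful when debugging the application
+APP_ENV=local
+APP_DEBUG=false
+LOG_CHANNEL=stack
+#
+# If you turn this on, expect massive logs with lots of privacy sensitive data
+#
+LOG_RETURN_JSON=false
+# Log level. You can set this from least severe to most severe:
+# debug, info, notice, warning, error, critical, alert, emergency
+# If you set it to debug your logs will grow large, and fast. If you set it to emergency probably
+# nothing will get logged, ever.
+LOG_LEVEL=info
+# TRUSTED_PROXIES is a useful variable when using Docker and/or a reverse proxy.
+# Set it to ** and reverse proxies work just fine.
+TRUSTED_PROXIES=**
+#
+# Email settings.
+# The data importer can send you a message with all errors, warnings and messages
+# after a successful import. This is disabled by default
+#
+ENABLE_MAIL_REPORT=false
+#
+# Force Firefly III URL to be secure?
+#
+#
+EXPECT_SECURE_URL=false
+# If enabled, define which mailer you want to use.
+# Options include: smtp, mailgun, postmark, sendmail, log, array
+# Amazon SES is not supported.
+# log = drop mails in the logs instead of sending them
+# array = debug mailer that does nothing.
+MAIL_MAILER=
+# where to send the report?
+MAIL_DESTINATION=${FFIII_MAIL_DESTINATION_FILE}
+# other mail settings
+# These variables can be set from a file if you append it with _FILE
+MAIL_FROM_ADDRESS_FILE=${FFIII_MAIL_FROM_FILE}
+MAIL_HOST_FILE=${FFIII_MAIL_HOST_FILE}
+MAIL_PORT=${FFIII_MAIL_PORT}
+MAIL_USERNAME_FILE=${FFIII_MAIL_USERNAME_FILE}
+MAIL_PASSWORD_FILE=${FFIII_MAIL_PASSWORD_FILE}
+MAIL_ENCRYPTION=null
+# Extra settings depending on your mail configuration above.
+# These variables can be set from a file if you append it with _FILE
+MAILGUN_DOMAIN=
+MAILGUN_SECRET=
+MAILGUN_ENDPOINT=
+POSTMARK_TOKEN=
+#
+# You probably won't need to change these settings.
+#
+BROADCAST_DRIVER=log
+CACHE_DRIVER=file
+QUEUE_CONNECTION=sync
+SESSION_DRIVER=file
+SESSION_LIFETIME=120
+IS_EXTERNAL=false
+REDIS_HOST=127.0.0.1
+REDIS_PASSWORD=null
+REDIS_PORT=6379
+# always use quotes
+REDIS_DB="0"
+REDIS_CACHE_DB="1"
+#
+# Use ASSET_URL when your data importer webpages are served from a URL with a subfolder path
+# This pre-appends the subfolder path in front of URLs for browser-side assets such as CSS Files.
+# Example: If your webserver (i.e. NGINX) is configured to serve the data importer webpages from
+# http://localhost/ff3di, set ASSET_URL = /ff3di
+# and it will pre-append that value to any requests for browser-side assets
+# 1) Make sure you REMOVE any trailing slash from the end of the URL.
+#
+ASSET_URL=
+# The only tracker supported is Matomo.
+# This is used on the public instance over at https://data-importer.firefly-iii.org
+TRACKER_SITE_ID=
+TRACKER_URL=
+APP_NAME=DataImporter
+#
+# The APP_URL environment variable is NOT used anywhere.
+# Don't bother setting it to fix your reverse proxy problems. It won't help.
+# Don't open issues telling me it doesn't help because it's not supposed to.
+# Laravel uses this to generate links on the command line, which is a feature the data importer does not use.
+#
+APP_URL=http://localhost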
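Review bot: `MAIL_DESTINATION=${FFIII_MAIL_DESTINATION_FILE}` assigns the secret's path (`/run/secrets/fireflyiii_mail_destination`) as the report recipient, so once `ENABLE_MAIL_REPORT` and `MAIL_MAILER` are set the report would be addressed to a file name rather than a mailbox. Use `MAIL_DESTINATION_FILE=${FFIII_MAIL_DESTINATION_FILE}` if the importer honours the `_FILE` suffix for this variable (the comment above lists it only for the settings that follow), otherwise put the address in directly. The same line appears in the earlier, unnamed copy of this file in the commit. With `FIREFLY_III_URL=https://${FFIII_FQDN}` in place, `EXPECT_SECURE_URL=true` would additionally make the importer refuse a downgrade to plain HTTP.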


@ -0,0 +1,8 @@
PUID=70
PGID=70
TZ=Africa/Johannesburg
POSTGRES_DB_FILE=${FFIII_DB_NAME_FILE}
POSTGRES_USER_FILE=${FFIII_DB_USER_FILE}
POSTGRES_PASSWORD_FILE=${FFIII_DB_PASSWORD_FILE}

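--- a/fireflyiii/compose.yml
+++ b/fireflyiii/compose.yml
@@ -0,0 +1,183 @@
+# https://docs.firefly-iii.org/how-to/firefly-iii/installation/docker/
+#
+# The Firefly III Data Importer will ask you for the Firefly III URL and a "Client ID".
+# You can generate the Client ID at http://localhost/profile (after registering)
+# The Firefly III URL is: http://app:8080
+#
+# Other URL's will give 500 | Server Error
+#
+name: fireflyiii
+networks:
+traefik-net:
+external: true
+fireflyiii-net:
+external: true
+secrets:
+fireflyiii_access_token:
+file: ${SECRETSDIR}/fireflyiii_access_token
+fireflyiii_app_key:
+file: ${SECRETSDIR}/fireflyiii_app_key
+fireflyiii_default_lat:
+file: ${SECRETSDIR}/fireflyiii_default_lat
+fireflyiii_default_long:
+file: ${SECRETSDIR}/fireflyiii_default_long
+fireflyiii_mail_destination:
+file: ${SECRETSDIR}/fireflyiii_mail_destination
+fireflyiii_mail_from:
+file: ${SECRETSDIR}/fireflyiii_mail_from
+fireflyiii_mail_host:
+file: ${SECRETSDIR}/fireflyiii_mail_host
+fireflyiii_mail_password:
+file: ${SECRETSDIR}/fireflyiii_mail_password
+fireflyiii_mail_username:
+file: ${SECRETSDIR}/fireflyiii_mail_username
+fireflyiii_postgresql_database:
+file: ${SECRETSDIR}/fireflyiii_postgresql_database
+fireflyiii_postgresql_password:
+file: ${SECRETSDIR}/fireflyiii_postgresql_password
+fireflyiii_postgresql_username:
+file: ${SECRETSDIR}/fireflyiii_postgresql_username
+fireflyiii_site_owner:
+file: ${SECRETSDIR}/fireflyiii_site_owner
+fireflyiii_static_cron_token:
+file: ${SECRETSDIR}/fireflyiii_static_cron_token
+services:
+firefly:
+image: fireflyiii/core:latest
+#image: fireflyiii/core:version-6.1.16
+hostname: "${APPLICATION_NAME}"
+# user: ${PUID}:${PGID}
+volumes:
+- ${DATADIR}/appdata:/var/www/html/storage/upload
+- ${DATADIR}/config:/config
+restart: unless-stopped
+env_file: .firefly.env
+networks:
+fireflyiii-net:
+aliases: ["fireflyiii", "${FFIII_FQDN}"]
+traefik-net: {}
+depends_on:
+postgresql:
+condition: service_healthy
+secrets:
+- fireflyiii_app_key
+- fireflyiii_default_lat
+- fireflyiii_default_long
+- fireflyiii_mail_from
+- fireflyiii_mail_host
+- fireflyiii_mail_password
+- fireflyiii_mail_username
+- fireflyiii_postgresql_database
+- fireflyiii_postgresql_password
+- fireflyiii_postgresql_username
+- fireflyiii_site_owner
+- fireflyiii_static_cron_token
+labels:
+- traefik.enable=true
+- traefik.docker.network=traefik-net
+#
+# http services
+# -------------
+- "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+#
+# http routers
+# ------------
+# limit router to web ":80" entrypoint
+- "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+# set match criteria for router
+- "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${FFIII_FQDN}`)&& PathPrefix(`/`)"
+# attach middlewares to router
+- "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+# assign svc target to router
+- "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+#
+# limit router to websecure ":443" entrypoint
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+# set match criteria for router
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${FFIII_FQDN}`)&& PathPrefix(`/`)"
+# set router to be dedicated to secure requests only for the host specified in match criteria
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+# apply tls options
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
+# generate certificates using following certresolver
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+# attach middlewares to router
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+# assign svc target to router
+- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
+importer:
+image: fireflyiii/data-importer:latest
+hostname: "${IMPORTER_NAME}"
+restart: unless-stopped
+env_file: .importer.env
+# user: ${PUID}:${PGID}
+networks:
+traefik-net: {}
+# ipv4_address: ${FFIII_IMPORTER_IPV4_ADDRESS}
+# aliases: ["${FFIII_IMPORTER_FQDN}"]
+depends_on:
+- firefly
+secrets:
+- fireflyiii_access_token
+- fireflyiii_mail_from
+- fireflyiii_mail_host
+- fireflyiii_mail_password
+- fireflyiii_mail_username
+- fireflyiii_mail_destination
+labels:
+- traefik.enable=true
+- traefik.docker.network=traefik-net
+- "traefik.http.services.${IMPORTER_NAME}-svc.loadbalancer.server.port=${IMPORTER_WEBUI_PORT}"
+- "traefik.http.routers.${IMPORTER_NAME}-rtr.entrypoints=web"
+- "traefik.http.routers.${IMPORTER_NAME}-rtr.rule=Host(`${FFIII_IMPORTER_FQDN}`)&& PathPrefix(`/`)"
+- "traefik.http.routers.${IMPORTER_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+- "traefik.http.routers.${IMPORTER_NAME}-rtr.service=${IMPORTER_NAME}-svc"
+- "traefik.http.routers.${IMPORTER_NAME}-secure-rtr.entrypoints=websecure"
+- "traefik.http.routers.${IMPORTER_NAME}-secure-rtr.rule=Host(`${FFIII_IMPORTER_FQDN}`)&& PathPrefix(`/`)"
+- "traefik.http.routers.${IMPORTER_NAME}-secure-rtr.tls=true"
+- "traefik.http.routers.${IMPORTER_NAME}-secure-rtr.tls.options=tls-options@file"
+- "traefik.http.routers.${IMPORTER_NAME}-secure-rtr.tls.certresolver=solver-dns"
+- "traefik.http.routers.${IMPORTER_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+- "traefik.http.routers.${IMPORTER_NAME}-secure-rtr.service=${IMPORTER_NAME}-svc"
+postgresql:
+image: postgres:16-alpine
+hostname: "firefly_postgresql"
+shm_size: 128mb # https://hub.docker.com/_/postgres
+restart: unless-stopped
+env_file: .postgresql.env
+healthcheck:
+test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+start_period: 20s
+interval: 30s
+retries: 5
+timeout: 5s
+networks:
+fireflyiii-net:
+aliases: ["fireflyiii_postgresql"]
+secrets:
+- fireflyiii_postgresql_database
+- fireflyiii_postgresql_password
+- fireflyiii_postgresql_username
+volumes:
+- "${DATADIR}/pgdata:/var/lib/postgresql/data"
+- "${DATADIR}/pgbackups:/mnt/backups"
+cron:
+#
+# To make this work, set STATIC_CRON_TOKEN in your .env file or as an environment variable
+# The STATIC_CRON_TOKEN must be *exactly* 32 characters long
+# Generate the token with
+# openssl rand 32 | base64 -w 0 | sed 's/[\$,\#,/,+,=]//g' | cut -c -32
+#
+image: alpine
+restart: always
+secrets:
+- fireflyiii_static_cron_token
+command: sh -c "echo \"0 3 * * * wget -qO- http://fireflyiii:8080/api/v1/cron/$${STATIC_CRON_TOKEN}\" | crontab - && crond -f -L /dev/stdout"
+networks:
+- fireflyiii-net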
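Review bot: The `cron` service's command expands `$${STATIC_CRON_TOKEN}`, but nothing in that service sets the variable — it has no `environment` or `env_file`, and the mounted `fireflyiii_static_cron_token` secret only exists as a file under `/run/secrets/` — so the crontab line is written with an empty token and the nightly `/api/v1/cron/` call will be refused. Read the token from the secret file instead: `command: sh -c 'T=$$(cat /run/secrets/fireflyiii_static_cron_token) && echo "0 3 * * * wget -qO- http://fireflyiii:8080/api/v1/cron/$$T" | crontab - && crond -f -L /dev/stdout'`. Separately, the `${SECRETSDIR}/fireflyiii_*` files this stack references appear to be committed in plaintext in this same commit (the one-line sections that follow look like the app key, an API access token, the SMTP password and the PostgreSQL password); those credentials should be rotated, the files purged from the repository history, and the secrets directory added to `.gitignore`. Also, `fireflyiii/core:latest`, `fireflyiii/data-importer:latest` and the untagged `alpine` image for `cron` make the stack non-reproducible — the commented `version-6.1.16` line shows the intent, so pin each image to a tag or digest — and the `firefly` and `importer` containers run as root because their `user:` lines are commented out.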


@ -0,0 +1 @@
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiIxIiwianRpIjoiNDA2ZGU0M2I2YjQ3MmRlMDE1NGEzNjVmYWU4NDQ4OGQ5ZDI3NWQ3NWQzNjZmNzQ0NjAzMDJjN2FiNjRkZWE4OTQwNjQ0NGY1NWE5MjBkYzkiLCJpYXQiOjE3MjcyMDA2NDIuMTk3MjQ5LCJuYmYiOjE3MjcyMDA2NDIuMTk3MjUyLCJleHAiOjE3NTg3MzY2NDEuOTA4OCwic3ViIjoiMSIsInNjb3BlcyI6W119.nLTwZJGLcTwgUlC7KHuD4CMNc4N9ks609tF8dnADiaJiZz_5_LwElZv_r1uoQkUftHxUuAyLUILkdRZGP2aZ7Ob8IZSJ8tZeC4WIHhBHZSUwDb4GFhI6tryFu1us-2JHJH6SX-V_zzvBW9UhJkGmiuRvPBlvQqQGxcZqXGaSMymWnM04J-Va8CARaeECykV9FeKy_xyGX1ub8rq0Owgt-w-m00HqE9WMKhqibLaB04OAUnnopjaW-8zzI_v4k6wgjVPqRB_onLMXGfl1ZoFG6ihyg4_6AvBI3YJAXkTbN5MgwR-ZvDTMiLV1O7qWiUuJ9kcSwcy6d1420cO4fZaNuBGuSPbM8HXnmda2N_q4baXuZvGefDS1JeIkeRi6YGB2sVzvIX5w1hznVc7_VXY0K7dLioEhb-FfdMh2mEOmSuh-Nb24Knf66O4A8-JLpXUsJK8-Po_s3F5z8D18eMneHUj7m0V6L8qODpEn_fH1jSsra3y-ZXd737Bc0se_uj-wp2CPbxgerNK8vKsTTYBuL3jUszemi7sNOqP6S6fS3pKBYbvVQuNAq0uu1nr_Sk-b6Njh2gQKwk0OrudD0gKSbWN6Ww3v5fFBOHLe4_Wvs11epNJsrIPO5tU32y7oGKbmXosSieR8GECGiHApLO6IQh8mIISa9hXb4J50p2Ck5sY


@ -0,0 +1 @@
p10tiPgUTaSUP61AFdg9jq2mWpKuY0VQ


@ -0,0 +1 @@
-28.4792625


@ -0,0 +1 @@
24.6727135


@ -0,0 +1 @@
stuurmcp@telkomsa.net


@ -0,0 +1 @@
stuurmcp@telkomsa.net


@ -0,0 +1 @@
smtp.telkomsa.net


@ -0,0 +1 @@
UltraM3!2024#


@ -0,0 +1 @@
stuurman30@telkomsa.net


@ -0,0 +1 @@
firefly


@ -0,0 +1 @@
MWw9e90pSrXuRbz0D/XcDRmxPuQ511gAceheROCsq9JFP0wj


@ -0,0 +1 @@
firefly


@ -0,0 +1 @@
stuurmcp@telkomsa.net
