Talteen

config/docker/current/traefik/config/mw-authentik.yaml

@@ -0,0 +1,19 @@
+http:
+  middlewares:
+    middlewares-authentik:
+      forwardAuth:
+        address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
+        trustForwardHeader: true
+        authResponseHeaders:
+          - X-authentik-username
+          - X-authentik-groups
+          - X-authentik-email
+          - X-authentik-name
+          - X-authentik-uid
+          - X-authentik-jwt
+          - X-authentik-meta-jwks
+          - X-authentik-meta-outpost
+          - X-authentik-meta-provider
+          - X-authentik-meta-app
+          - X-authentik-meta-version
+          

config/docker/current/traefik/config/mw-basic-auth.yaml

@@ -5,4 +5,4 @@ http:
         # users:
         #   - "user:$apsdfs.$EntPC0w3FtswWvC/6fTVJ7IUVtX1"
         usersFile: "/users" #be sure to mount the volume through docker-compose.yml
-        realm: "Traefik 2 Basic Auth"
+        realm: "Traefik 3 Basic Auth"

config/docker/current/traefik/config/mw-buffering.yaml

@@ -0,0 +1,18 @@
+################################################################
+# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
+# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
+# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
+#
+# Dynamic configuration
+################################################################
+http:
+  middlewares:
+    # Prevent too large of a body
+    # https://stackoverflow.com/questions/49717670/how-to-config-upload-body-size-restriction-in-traefik
+    middlewares-buffering:
+      buffering:
+        maxRequestBodyBytes: 10485760
+        memRequestBodyBytes: 2097152
+        maxResponseBodyBytes: 10485760
+        memResponseBodyBytes: 2097152
+        retryExpression: "IsNetworkError() && Attempts() <= 2"

config/docker/current/traefik/config/mw-chain-authentik.yaml

@@ -0,0 +1,9 @@
+http:
+  middlewares:        
+    chain-authentik:
+      chain:
+        middlewares:
+#          - middlewares-crowdsec-bouncer
+          - middlewares-rate-limit
+          - middlewares-secure-headers
+          - middlewares-authentik

config/docker/current/traefik/config/mw-chain-no-auth.yaml

@@ -3,7 +3,6 @@ http:
     chain-no-auth:
       chain:
         middlewares:
-          - middlewares-crowdsec-bouncer
           - middlewares-default-whitelist
           - middlewares-rate-limit
           - middlewares-secure-headers

config/docker/current/traefik/config/mw-compress.yaml

@@ -0,0 +1,12 @@
+################################################################
+# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
+# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
+# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
+#
+# Dynamic configuration
+################################################################
+http:
+  middlewares:
+    # Compress to save bandwidth
+    middlewares-compress:
+      compress: {}

config/docker/current/traefik/config/mw-https-redirectscheme.yaml

@@ -0,0 +1,15 @@
+################################################################
+# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
+# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
+# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
+#
+# Dynamic configuration
+################################################################
+http:
+  middlewares:
+    # Middleware for Redirection
+    # This can be used instead of global redirection
+    middlewares-https-redirectscheme:
+      redirectScheme:
+        scheme: https
+        permanent: true

config/docker/current/traefik/config/mw-secure-headers.yaml

@@ -1,5 +1,15 @@
+################################################################
+# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
+# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
+# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
+#
+# Dynamic configuration
+################################################################
 http:
   middlewares:
+    ################################################################
+    # Good Basic Security Practices
+    ################################################################
     middlewares-secure-headers:
       headers:
         accessControlAllowMethods:
@@ -9,23 +19,20 @@ http:
         accessControlMaxAge: 100
         hostsProxyHeaders:
           - "X-Forwarded-Host"
-        sslRedirect: true
         stsSeconds: 63072000
         stsIncludeSubdomains: true
         stsPreload: true
         forceSTSHeader: true
-        # frameDeny: true #overwritten by customFrameOptionsValue
+        customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME"}}" #CSP takes care of this but may be needed for organizr.
-        customFrameOptionsValue: "allow-from https:gurulandia.eu" #CSP takes care of this but may be needed for organizr.
+        #customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
         contentTypeNosniff: true
         browserXssFilter: true
         # sslForceHost: true # add sslHost to all of the services
-        # sslHost: "example.com"
+        # sslHost: "{{env "DOMAINNAME"}}"
         referrerPolicy: "same-origin"
-        # Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
+        # permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=()"
-        # the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
-        # contentSecurityPolicy: "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
-        featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
         customResponseHeaders:
-          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
+          # X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
-          server: ""
+          # server: ""
-          
+          # https://community.traefik.io/t/how-to-make-websockets-work-with-traefik-2-0-setting-up-rancher/1732
+          X-Forwarded-Proto: "https"

config/docker/current/traefik/config/tls-opts.yaml

@@ -1,6 +1,21 @@
+################################################################
+# TLS Options (https://jellyfin.org/docs/general/networking/traefik2.html#traefik-providertoml)
+# toml -> yml
+# 2024 updates to cipherSuites from (https://www.smarthomebeginner.com/traefik-v3-docker-compose-guide-2024/)
+#
+# Set secure options by disabling insecure older TLS/SSL versions
+# and insecure ciphers. SNIStrict disabled leaves TLS1.0 open.
+# If you have problems with older clients, you can may need to relax
+# these minimums. This configuration will give you an A+ SSL security
+# score supporting TLS1.2 and TLS1.3
+#
+# Dynamic configuration
+# https://doc.traefik.io/traefik/https/tls/
+################################################################
 tls:
   options:
     tls-opts:
+      sniStrict: true
       minVersion: VersionTLS12
       cipherSuites:
         - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
@@ -14,6 +29,7 @@ tls:
         - TLS_CHACHA20_POLY1305_SHA256
         - TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
       curvePreferences:
-        - CurveP521
+        - secp521r1 # CurveP521
-        - CurveP384
+        - secp384r1 # CurveP384
-      sniStrict: true
+    mintls13:
+      minVersion: VersionTLS13

config/docker/current/traefik/old/config/mw-basic-auth.yaml

@@ -0,0 +1,8 @@
+http:
+  middlewares:
+    middlewares-basic-auth:
+      basicAuth:
+        # users:
+        #   - "user:$apsdfs.$EntPC0w3FtswWvC/6fTVJ7IUVtX1"
+        usersFile: "/users" #be sure to mount the volume through docker-compose.yml
+        realm: "Traefik 2 Basic Auth"

config/docker/current/traefik/old/config/mw-chain-basic-auth.yaml

@@ -0,0 +1,8 @@
+http:
+  middlewares:
+    chain-basic-auth:
+      chain:
+        middlewares:
+          - middlewares-rate-limit
+          - middlewares-secure-headers
+          - middlewares-basic-auth

config/docker/current/traefik/old/config/mw-chain-no-auth.yaml

@@ -0,0 +1,9 @@
+http:
+  middlewares:
+    chain-no-auth:
+      chain:
+        middlewares:
+          - middlewares-crowdsec-bouncer
+          - middlewares-default-whitelist
+          - middlewares-rate-limit
+          - middlewares-secure-headers

config/docker/current/traefik/old/config/mw-crowdsec-bouncer.yaml

@@ -0,0 +1,6 @@
+http:
+  middlewares:    
+    middlewares-crowdsec-bouncer:
+      forwardauth:
+        address: http://bouncer-traefik:8080/api/v1/forwardAuth
+        trustForwardHeader: true

config/docker/current/traefik/old/config/mw-default-whitelist.yaml

@@ -0,0 +1,8 @@
+http:
+  middlewares:
+    middlewares-default-whitelist:
+      ipWhiteList:
+        sourceRange:
+        - "10.0.0.0/8"
+        - "192.168.0.0/16"
+        - "172.16.0.0/12"

config/docker/current/traefik/old/config/mw-rate-limit.yaml

@@ -0,0 +1,6 @@
+http:
+  middlewares:
+    middlewares-rate-limit:
+      rateLimit:
+        average: 100
+        burst: 50

config/docker/current/traefik/old/config/mw-secure-headers.yaml

@@ -0,0 +1,31 @@
+http:
+  middlewares:
+    middlewares-secure-headers:
+      headers:
+        accessControlAllowMethods:
+          - GET
+          - OPTIONS
+          - PUT
+        accessControlMaxAge: 100
+        hostsProxyHeaders:
+          - "X-Forwarded-Host"
+        sslRedirect: true
+        stsSeconds: 63072000
+        stsIncludeSubdomains: true
+        stsPreload: true
+        forceSTSHeader: true
+        # frameDeny: true #overwritten by customFrameOptionsValue
+        customFrameOptionsValue: "allow-from https:gurulandia.eu" #CSP takes care of this but may be needed for organizr.
+        contentTypeNosniff: true
+        browserXssFilter: true
+        # sslForceHost: true # add sslHost to all of the services
+        # sslHost: "example.com"
+        referrerPolicy: "same-origin"
+        # Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
+        # the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
+        # contentSecurityPolicy: "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
+        featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
+        customResponseHeaders:
+          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
+          server: ""
+          

config/docker/current/traefik/old/config/tls-opts.yaml

@@ -0,0 +1,19 @@
+tls:
+  options:
+    tls-opts:
+      minVersion: VersionTLS12
+      cipherSuites:
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+        - TLS_AES_128_GCM_SHA256
+        - TLS_AES_256_GCM_SHA384
+        - TLS_CHACHA20_POLY1305_SHA256
+        - TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
+      curvePreferences:
+        - CurveP521
+        - CurveP384
+      sniStrict: true

config/docker/current/traefik/traefik.yaml

@@ -0,0 +1,141 @@
+# Traefik 3.x (YAML)
+# Updated 2024-June-04
+
+################################################################
+# Global configuration - https://doc.traefik.io/traefik/reference/static-configuration/file/
+################################################################
+global:
+  checkNewVersion: true #false
+  sendAnonymousUsage: false
+
+################################################################
+# Entrypoints - https://doc.traefik.io/traefik/routing/entrypoints/
+################################################################
+entryPoints:
+  web:
+    address: ":80"
+    # Global HTTP to HTTPS redirection
+    http:
+#      middlewares:
+#        - crowdsec-bouncer@file
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+          permanent: true
+
+  websecure:
+    address: ":443"
+    http:
+#      middlewares:
+#        - crowdsec-bouncer@file
+      tls:
+        options: tls-opts@file
+        certResolver: dns-cloudflare
+        domains:
+          - main: "{{env "DOMAINNAME0"}}"
+            sans:
+              - "*.{{env "DOMAINNAME0"}}"
+          - main: "{{env "DOMAINNAME1"}}"
+            sans:
+              - "*.{{env "DOMAINNAME1"}}"
+          - main: "{{env "DOMAINNAME2"}}"
+            sans:
+              - "*.{{env "DOMAINNAME2"}}"
+          - main: "{{env "DOMAINNAME3"}}"
+            sans:
+              - "*.{{env "DOMAINNAME3"}}"
+    forwardedHeaders:
+      trustedIPs:
+        # Cloudflare (https://www.cloudflare.com/ips-v4)
+        - "173.245.48.0/20"
+        - "103.21.244.0/22"
+        - "103.22.200.0/22"
+        - "103.31.4.0/22"
+        - "141.101.64.0/18"
+        - "108.162.192.0/18"
+        - "190.93.240.0/20"
+        - "188.114.96.0/20"
+        - "197.234.240.0/22"
+        - "198.41.128.0/17"
+        - "162.158.0.0/15"
+        - "104.16.0.0/13"
+        - "104.24.0.0/14"
+        - "172.64.0.0/13"
+        - "131.0.72.0/22"
+        - "104.16.0.0/13"
+        - "104.24.0.0/14"
+        # Local IPs
+        - "127.0.0.1/32"
+        - "10.0.0.0/8"
+        - "192.168.0.0/16"
+        - "172.16.0.0/12"
+
+################################################################
+# Logs - https://doc.traefik.io/traefik/observability/logs/
+################################################################
+log:
+  level: INFO # Options: DEBUG, PANIC, FATAL, ERROR (Default), WARN, and INFO
+  filePath: /logs/traefik-container.log # Default is to STDOUT
+  # format: json # Uses text format (common) by default
+  noColor: false # Recommended to be true when using common
+  maxSize: 100 # In megabytes
+  compress: true # gzip compression when rotating
+
+################################################################
+# Access logs - https://doc.traefik.io/traefik/observability/access-logs/
+################################################################
+accessLog:
+  addInternals: true  # things like ping@internal
+  filePath: /logs/traefik-access.log # In the Common Log Format (CLF) by default
+  bufferingSize: 100 # Number of log lines
+  fields:
+    names:
+      StartUTC: drop  # Write logs in Container Local Time instead of UTC
+  filters:
+    statusCodes:
+      - "204-299"
+      - "400-499"
+      - "500-599"
+
+################################################################
+# API and Dashboard
+################################################################
+api:
+  dashboard: true
+  # Rely on api@internal and Traefik with Middleware to control access
+  # insecure: true
+
+################################################################
+# Providers - https://doc.traefik.io/traefik/providers/docker/
+################################################################
+providers:
+  docker:
+    #endpoint: "unix:///var/run/docker.sock" # Comment if using socket-proxy
+    endpoint: "tcp://socket-proxy:2375" # Uncomment if using socket proxy
+    exposedByDefault: false
+    network: proxy  # network to use for connections to all containers
+    # defaultRule: TODO
+
+  # Enable auto loading of newly created rules by watching a directory
+  file:
+  # Apps, LoadBalancers, TLS Options, Middlewares, Middleware Chains
+    directory: /config
+    watch: true
+
+################################################################
+# Let's Encrypt (ACME)
+################################################################
+certificatesResolvers:
+  dns-cloudflare:
+    acme:
+      email: "{{env "CF_API_EMAIL"}}"
+      storage: "/acme.json"
+      #caServer: "https://acme-staging-v02.api.letsencrypt.org/directory" # Comment out when going prod
+      dnsChallenge:
+        provider: cloudflare
+        #delayBeforeCheck: 30 # Default is 2m0s.  This changes the delay (in seconds)
+        # Custom DNS server resolution
+        resolvers:
+          - "1.1.1.1:53"
+          - "8.8.8.8:53"

docker/Lenpaste/compose.yaml

@@ -0,0 +1,25 @@
+version: "3.4"
+
+services:
+  postgres:
+    image: docker.io/library/postgres:16.1
+    environment:
+      - PGDATA=/var/lib/postgresql/data/pgdata
+      - POSTGRES_USER=lenpaste
+      - POSTGRES_PASSWORD=pass
+    volumes:
+      - "${PWD}/data/postgres:/var/lib/postgresql/data"
+
+  lenpaste:
+    image: ghcr.io/lcomrade/lenpaste:1.3.1
+    restart: on-failure:10
+    environment:
+      - LENPASTE_DB_DRIVER=postgres
+      - LENPASTE_DB_SOURCE=postgres://lenpaste:lenpaste@10.0.6.178/lenpaste?sslmode=disable
+    #postgresql://[user[:password]@][netloc][:port][/dbname][?param1=value1&...]
+    volumes:
+      - "${PWD}/data:/data"
+    ports:
+      - "58080:80"
+    depends_on:
+      - postgres

docker/Netbootxyz/compose.yaml

@@ -0,0 +1,23 @@
+services:
+  netbootxyz:
+    # image: ghcr.io/netbootxyz/netbootxyz
+    image: lscr.io/linuxserver/netbootxyz:latest
+    container_name: netbootxyz
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Etc/UTC
+      #- MENU_VERSION=1.9.9 #optional
+      #- PORT_RANGE=30000:30010 #optional
+      #- SUBFOLDER=/ #optional
+      #- MENU_VERSION=2.0.47 # optional
+      - NGINX_PORT=80 # optional
+      - WEB_APP_PORT=3000 # optional
+    volumes:
+      - /gurulandia/data/netbootxyz/config:/config # optional
+      - /gurulandia/data/netbootxyz/assets:/assets # optional
+    ports:
+      - 3001:3000  # optional, destination should match ${WEB_APP_PORT} variable above.
+      - 69:69/udp
+      - 8080:80  # optional, destination should match ${NGINX_PORT} variable above.
+    restart: unless-stopped

docker/PrivateBin/behind-proxy-with-db/compose.override.yml

@@ -14,9 +14,11 @@ services:
         depends_on:
             db:
                 condition: service_healthy
+        networks:
+            - ${PRIVATEBINDB_NETWORk_ID}
     db:
         image: ${PRIVATEBINDB_IMAGE}:${PRIVATEBINDB_TAG}
         container_name: ${PRIVATEBINDB_CONTAINER_NAME}
         restart: ${PRIVATEBINDB_RESTART_POLICY}
         networks:
-            - ${PRIVATEBIN_NETWORk_ID}
+            - ${PRIVATEBINDB_NETWORk_ID}

docker/PrivateBin/behind-proxy-with-db/compose.yaml

@@ -2,8 +2,8 @@ name: privatebin
 # Docker Compose v2.20 or greater required to use "include"
 include:
 #################### NETWORKS ####################
-  - ../../compose/networks/proxy.yaml
+  - ../../compose/networks/${PRIVATEBIN_NETWORk_ID}.yaml
-  - ../../compose/networks/socket-proxy.yaml
+  - ../../compose/networks/${PRIVATEBINDB_NETWORk_ID}.yaml
 #################### SERVICES ####################
   - ../../compose/postgres.yaml
   - ../../compose/privatebin.yaml

docker/PrivateBin/behind-proxy-with-db/dcc.sh

@@ -1 +0,0 @@
-docker compose --env-file ../../env/.env.stack.privatebin --env-file ../../env/.env.common config

docker/PrivateBin/behind-proxy-with-db/deploy.sh

@@ -0,0 +1,5 @@
+docker compose \
+--env-file ../../env/privatebin-stack.env \
+--env-file ../../env/privatebin-db.env \
+--env-file ../../env/common.env \
+$1

docker/PrivateBin/behind-proxy/compose.yaml

@@ -2,7 +2,6 @@ name: privatebin
 # Docker Compose v2.20 or greater required to use "include"
 include:
 #################### NETWORKS ####################
-  - ../../compose/networks/proxy.yaml
+  - ../../compose/networks/${PRIVATEBIN_NETWORk_ID}.yaml
-  - ../../compose/networks/socket-proxy.yaml
 #################### SERVICES ####################
   - ../../compose/privatebin.yaml

docker/PrivateBin/behind-proxy/dcc.sh

@@ -1 +0,0 @@
-docker compose --env-file ../../env/.env.stack.privatebin --env-file ../../env/.env.common config

docker/PrivateBin/behind-proxy/deploy.sh

@@ -0,0 +1,4 @@
+docker compose \
+--env-file ../../env/privatebin-stack.env \
+--env-file ../../env/common.env \
+$1

docker/PrivateBin/compose.yaml

@@ -2,6 +2,6 @@ name: privatebin
 # Docker Compose v2.20 or greater required to use "include"
 include:
 #################### NETWORKS ####################
-  - ../../compose/networks/proxy.yaml
+  - ../../compose/networks/${PRIVATEBIN_NETWORk_ID}.yaml
 #################### SERVICES ####################
   - ../../compose/privatebin.yaml

docker/PrivateBin/with-db/compose.yml

@@ -2,8 +2,8 @@ name: privatebin
 # Docker Compose v2.20 or greater required to use "include"
 include:
 #################### NETWORKS ####################
-  - ../../compose/networks/proxy.yaml
+  - ../../compose/networks/${PRIVATEBIN_NETWORk_ID}.yaml
-  - ../../compose/networks/socket-proxy.yaml
+  - ../../compose/networks/${PRIVATEBINDB_NETWORk_ID}.yaml
 #################### SERVICES ####################
   - ../../compose/postgres.yaml
   - ../../compose/privatebin.yaml

docker/PrivateBin/with-db/dcc.sh

@@ -1 +0,0 @@
-docker compose --env-file ../../env/.env.stack.privatebin --env-file ../../env/.env.common config

docker/PrivateBin/with-db/deploy.sh

@@ -0,0 +1,5 @@
+docker compose \
+--env-file ../../env/privatebin-stack.env \
+--env-file ../../env/privatebin-db.env \
+--env-file ../../env/common.env \
+$1

docker/YeetFile/with-db/compose.yml

@@ -3,7 +3,6 @@ name: yeetfile
 include:
 #################### NETWORKS ####################
   - ../../compose/networks/${YEETFILE_NETWORk_ID}.yaml
-  - ../compose/networks/${YEETFILEDB_NETWORk_ID}.yaml
 #################### SERVICES ####################
   - ../../compose/postgres.yaml
   - ../../compose/yeetfile.yaml

docker/compose/ferretdb.yaml

@@ -0,0 +1,21 @@
+services:
+  ferretdb:
+    container_name: ${FERRETDB_CONTAINER_NAME}
+    image: ${FERRETDB_IMAGE}
+    restart: ${FERRETDB_RESTART_POLICY}
+    security_opt:
+      - no-new-privileges:true
+    labels:
+      - "komodo.skip=" # Prevent Komodo from stopping with StopAllContainers            
+    #depends_on:
+    #  - postgres
+    logging:
+      driver: ${COMPOSE_LOGGING_DRIVER:-local}
+    networks:
+      - komodo
+    # ports:
+    #   - 27017:27017
+    env_file: ../env/komodo.env
+    environment:
+      #- FERRETDB_POSTGRESQL_URL=postgres://komodo:komodo@10.0.6.178/komodo?sslmode=disable
+      - FERRETDB_POSTGRESQL_URL=postgres://${PSQL_HOST}:${PSQL_PORT}/${KOMODO_DATABASE_DB_NAME:-komodo}?sslmode=disable

docker/compose/flatnotes.yaml

@@ -1,4 +1,3 @@
-name: flatnotes
 services:
   flatnotes:
     image: ${FLATNOTES_IMAGE}:${FLATNOTES_TAG}

docker/compose/homepage.yaml

@@ -0,0 +1,18 @@
+services:
+  homepage:
+    image: ${HOMEPAGE_IMAGE}:${HOMEPAGE_TAG}
+    container_name: ${HOMEPAGE_CONTAINER_NAME}
+    restart: ${FLATNOTES_RESTART_POLICY}
+    security_opt:
+      - no-new-privileges:true
+    networks:
+      - ${HOMEPAGE_NETWORK_ID}    
+#    ports:
+#      - 3000:3000
+    volumes:
+      - ${DOCKERDIR}/homepage:/app/config # Make sure your local config directory exists
+#      - /var/run/docker.sock:/var/run/docker.sock:ro # (optional) For docker integrations
+    environment:
+      PUID: ${UID:-1000}
+      PGID: ${GID:-1000}
+      TZ: ${TZ}  

docker/compose/joplin-server.yaml

@@ -14,5 +14,5 @@ services:
       GID: ${GID:-1000}
       TZ: ${TZ}
     env_file:
-      - path: ../env/.env.joplin-srv     
+      - path: ../env/joplin-srv.env
-      - path: ../env/.env.joplin-srv.db-cred   
+      - path: ../env/joplin-srv-db.env

docker/compose/komodo-core.yaml

@@ -0,0 +1,59 @@
+secrets:
+  komodo_passkey:
+    file: ${SECRETSDIR}/komodo/komodo_passkey
+  komodo_webhook_secret:
+    file: ${SECRETSDIR}/komodo/komodo_webhook_secret
+  komodo_jwt_secret:
+    file: ${SECRETSDIR}/komodo/komodo_jwt_secret
+  komodo_oidc_client_id:
+    file: ${SECRETSDIR}/komodo/komodo_oidc_client_id
+  komodo_oidc_client_secret:
+    file: ${SECRETSDIR}/komodo/komodo_oidc_client_secret
+services:
+  core:
+    container_name: ${KOMODO_CORE_CONTAINER_NAME}
+    image: ${KOMODO_CORE_IMAGE}:${COMPOSE_KOMODO_IMAGE_TAG:-latest}
+    restart: ${KOMODO_RESTART_POLICY}
+    secrets:      
+      - komodo_passkey
+      - komodo_webhook_secret
+      - komodo_jwt_secret
+      - komodo_oidc_client_id
+      - komodo_oidc_client_secret
+    labels:                
+      - "komodo.skip=" # Prevent Komodo from stopping with StopAllContainers            
+      - "traefik.enable=true"
+      ## HTTP Routers
+      - "traefik.http.routers.${KOMODO_HOSTNAME}-rtr.entrypoints=https"
+      - "traefik.http.routers.${KOMODO_HOSTNAME}-rtr.rule=Host(`${KOMODO_HOSTNAME}.${DOMAINNAME1}`)"
+      ## Middlewares
+      - "traefik.http.routers.${KOMODO_HOSTNAME}-rtr.middlewares=chain-no-auth@file"
+      ## HTTP Services
+      - "traefik.http.routers.${KOMODO_HOSTNAME}-rtr.service=${KOMODO_HOSTNAME}-svc"
+      - "traefik.http.services.${KOMODO_HOSTNAME}-svc.loadbalancer.server.port=9120"
+    depends_on:
+      - ferretdb
+    logging:
+      driver: ${COMPOSE_LOGGING_DRIVER:-local}
+    networks:
+      - ${KOMODO_NETWORk_ID}
+      - komodo      
+#    ports:
+#      - 9120:9120
+    env_file: ../env/komodo.env
+    environment:
+      KOMODO_DATABASE_URI: mongodb://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@ferretdb:27017/${KOMODO_DATABASE_DB_NAME:-komodo}?authMechanism=PLAIN      
+    volumes:
+      ## Core cache for repos for latest commit hash / contents
+      - repo-cache:/repo-cache
+      ## Store sync files on server
+      # - /path/to/syncs:/syncs
+      ## Optionally mount a custom core.config.toml
+      # - /path/to/core.config.toml:/config/config.toml
+    ## Allows for systemd Periphery connection at 
+    ## "http://host.docker.internal:8120"
+    # extra_hosts:
+    #   - host.docker.internal:host-gateway
+volumes:
+  # Core
+  repo-cache:

docker/compose/komodo-periphery.yaml

@@ -0,0 +1,35 @@
+secrets:
+  komodo_passkey:
+    file: ${SECRETSDIR}/komodo/komodo_passkey
+services:
+  ## Deploy Periphery container using this block,
+  ## or deploy the Periphery binary with systemd using 
+  ## https://github.com/mbecker20/komodo/tree/main/scripts
+  periphery:
+    container_name: ${KOMODO_PERTIPHERY_CONTAINER_NAME}
+    image: ${KOMODO_PERTIPHERY_IMAGE}:${COMPOSE_KOMODO_IMAGE_TAG:-latest}
+    restart: ${KOMODO_RESTART_POLICY}    
+    labels:
+      - "komodo.skip=" # Prevent Komodo from stopping with StopAllContainers                  
+    logging:
+      driver: ${COMPOSE_LOGGING_DRIVER:-local}
+    networks:
+      - komodo
+    env_file: ../env/komodo.env
+    environment:
+      PERIPHERY_REPO_DIR: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/repos
+      PERIPHERY_STACK_DIR: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/stacks
+      PERIPHERY_SSL_KEY_FILE: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/ssl/key.pem
+      PERIPHERY_SSL_CERT_FILE: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/ssl/cert.pem
+    volumes:
+      ## Mount external docker socket
+      - /var/run/docker.sock:/var/run/docker.sock
+      ## Allow Periphery to see processes outside of container
+      - /proc:/proc
+      ## Specify the Periphery agent root directory.
+      ## Must be the same inside and outside the container,
+      ## or docker will get confused. See https://github.com/mbecker20/komodo/discussions/180.
+      ## Default: /etc/komodo.
+      - ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}:${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}
+    secrets:
+      - komodo_passkey

docker/compose/netbootxyz.yaml

@@ -0,0 +1,23 @@
+services:
+  netbootxyz:
+    # image: ghcr.io/netbootxyz/netbootxyz
+    image: lscr.io/linuxserver/netbootxyz:latest
+    container_name: netbootxyz
+    environment:
+      - PUID=${UID:-1000}
+      - PGID=${GID:-1000}
+      - TZ=${TZ}
+      #- MENU_VERSION=1.9.9 #optional
+      #- PORT_RANGE=30000:30010 #optional
+      #- SUBFOLDER=/ #optional
+      #- MENU_VERSION=2.0.47 # optional
+      - NGINX_PORT=80 # optional
+      - WEB_APP_PORT=3000 # optional
+    volumes:
+      - ${DOCKERDIR}/netbootxyz/config:/config # optional
+      - ${DOCKERDIR}/netbootxyz/assets:/assets # optional
+    ports:
+      - 3001:3000  # optional, destination should match ${WEB_APP_PORT} variable above.
+      - 69:69/udp
+      - 8080:80  # optional, destination should match ${NGINX_PORT} variable above.
+    restart: unless-stopped

docker/compose/networks/default.yaml

@@ -1,4 +1,4 @@
 networks:
   default:
-#    name: default
+    name: default
     driver: bridge

docker/compose/networks/komodo.yaml

@@ -0,0 +1,4 @@
+networks:
+  komodo:
+    name: komodo
+    driver: bridge

docker/compose/networks/proxy.yaml

@@ -1,4 +1,4 @@
 networks:
   proxy:
     name: proxy
-    external: true
+    # external: true	

docker/docker-compose.yml

@@ -28,10 +28,10 @@ networks:
 # Docker Compose v2.20 or greater required to use "include"
 include:
 ########################### SERVICES
-  - compose/dc-traefik.yml
+  - services/dc-traefik.yml
-  - compose/dc-socket-proxy.yml
+  - services/dc-socket-proxy.yml
-  - compose/dc-crowdsec.yml
+  - services/dc-crowdsec.yml
-  - compose/dc-traefik-bouncer.yml
+  - services/dc-traefik-bouncer.yml
 
   # Portainer - WebUI for Containers
  # portainer:

docker/env/.env.proxy

@@ -1,4 +1,4 @@
-BASICAUTHUSER=gurulandia:$$apr1$$kBqxEDFb$$aOgGWvLwFUDhSymDy430m.
+# BASICAUTHUSER=gurulandia:$$apr1$$kBqxEDFb$$aOgGWvLwFUDhSymDy430m.
 # create basic auth with: echo $(htpasswd -nb "<USER>" "<PASSWORD>") | sed -e s/\\$/\\$\\$/g
 
 ##### trustedIPs

docker/env/.env.stack.proxy

@@ -7,11 +7,12 @@ PROXYNAME=proxy
 TRAEFIK_CONTAINER_NAME=traefik
 TRAEFIK_IMAGE=traefik
 TRAEFIK_TAG=latest
-TRAEFIK_RESTART_POLICY=unless-stopped
+TRAEFIK_RESTART_POLICY=always
 
 ##### socket-proxy Container
 SOCKET_PROXY_CONTAINER_NAME=socket-proxy
-SOCKET_PROXY_IMAGE=ghcr.io/tecnativa/docker-socket-proxy
+#SOCKET_PROXY_IMAGE=ghcr.io/tecnativa/docker-socket-proxy
+SOCKET_PROXY_IMAGE=lscr.io/linuxserver/socket-proxy
 SOCKET_PROXY_TAG=latest
 SOCKET_PROXY_RESTART_POLICY=always
 

docker/env/common.env

@@ -1,6 +1,8 @@
 ##### SYSTEM
 UID=1000
 GID=1000
+PUID=1000
+PGID=1000
 TZ=Europe/HelsinkI
 
 #USERDIR=/home/gurulandia

docker/env/homepage-stack.env

@@ -0,0 +1,8 @@
+HOMEPAGE_NETWORK_ID=proxy
+HOMEPAGE_HOSTNAME=homepage
+
+##### Homepage Container
+HOMEPAGE_CONTAINER_NAME=homepage
+HOMEPAGE_IMAGE=ghcr.io/gethomepage/homepage
+HOMEPAGE_TAG=latest
+HOMEPAGE_RESTART_POLICY=unless-stopped

docker/env/joplin-srv-db.env

@@ -0,0 +1,8 @@
+JOPLINDB_NETWORk_ID=backend
+
+##### Joplin Server DB Container
+
+JOPLINDB_CONTAINER_NAME=joplindb
+JOPLINDB_IMAGE=postgres
+JOPLINDB_TAG=16-alpine
+JOPLINDB_RESTART_POLICY=unless-stopped

docker/env/joplin-srv-stack.env

@@ -1,5 +1,3 @@
-COMPOSE_PROJECT_NAME=joplinserver
-
 JOPLIN_NETWORk_ID=proxy
 JOPLIN_HOSTNAME=joplin
 

docker/env/komodo-stack.env

@@ -0,0 +1,17 @@
+KOMODO_NETWORk_ID=proxy
+KOMODO_HOSTNAME=komodo
+
+KOMODO_RESTART_POLICY=unless-stopped
+
+##### Komodo Core Container
+KOMODO_CORE_CONTAINER_NAME=komodo-core
+KOMODO_CORE_IMAGE=ghcr.io/mbecker20/komodo
+
+##### Komodo Periphery Container
+KOMODO_PERTIPHERY_CONTAINER_NAME=komodo-periphery
+KOMODO_PERTIPHERY_IMAGE=ghcr.io/mbecker20/periphery
+
+##### FerretDB Core Container
+FERRETDB_CONTAINER_NAME=komodo-ferretdb
+FERRETDB_IMAGE=ghcr.io/ferretdb/ferretdb:1
+FERRETDB_RESTART_POLICY=${KOMODO_RESTART_POLICY}

docker/env/komodo.env

@@ -0,0 +1,133 @@
+####################################
+# 🦎 KOMODO COMPOSE - VARIABLES 🦎 #
+####################################
+## These compose variables can be used with all Komodo deployment options.
+## Pass these variables to the compose up command using `--env-file komodo/compose.env`.
+## Additionally, they are passed to both Komodo Core and Komodo Periphery with `env_file: ./compose.env`,
+## so you can pass any additional environment variables to Core / Periphery directly in this file as well.
+
+PSQL_HOST=10.0.6.178
+PSQL_PORT=5432
+## Stick to a specific version, or use `latest`
+COMPOSE_KOMODO_IMAGE_TAG=latest
+
+## Note: 🚨 Podman does NOT support local logging driver 🚨. See Podman options here:
+## `https://docs.podman.io/en/v4.6.1/markdown/podman-run.1.html#log-driver-driver`
+COMPOSE_LOGGING_DRIVER=local # Enable log rotation with the local driver.
+
+## DB credentials - Ignored for Sqlite
+KOMODO_DB_USERNAME=komodo
+KOMODO_DB_PASSWORD=komodo
+
+## Configure a secure passkey to authenticate between Core / Periphery.
+KOMODO_PASSKEY_FILE=/run/secrets/komodo_passkey
+
+#=-------------------------=#
+#= Komodo Core Environment =#
+#=-------------------------=#
+
+## Full variable list + descriptions are available here:
+## 🦎 https://github.com/mbecker20/komodo/blob/main/config/core.config.toml 🦎
+
+## Note. Secret variables also support `${VARIABLE}_FILE` syntax to pass docker compose secrets.
+## Docs: https://docs.docker.com/compose/how-tos/use-secrets/#examples
+
+## Used for Oauth / Webhook url suggestion / Caddy reverse proxy.
+KOMODO_HOST=https://komodo.lab.gurulandia.eu
+
+## Displayed in the browser tab.
+KOMODO_TITLE=Komodo by Gurulandia
+#Komodo
+## Create a server matching this address as the "first server".
+## Use `https://host.docker.internal:8120` when using systemd-managed Periphery.
+KOMODO_FIRST_SERVER=https://periphery:8120
+## Make all buttons just double-click, rather than the full confirmation dialog.
+KOMODO_DISABLE_CONFIRM_DIALOG=true
+
+## Rate Komodo polls your servers for
+## status / container status / system stats / alerting.
+## Options: 1-sec, 5-sec, 15-sec, 1-min, 5-min.
+## Default: 15-sec
+KOMODO_MONITORING_INTERVAL="15-sec"
+## Rate Komodo polls Resources for updates,
+## like outdated commit hash.
+## Options: 1-min, 5-min, 15-min, 30-min, 1-hr.
+## Default: 5-min
+KOMODO_RESOURCE_POLL_INTERVAL="5-min"
+
+## Used to auth incoming webhooks. Alt: KOMODO_WEBHOOK_SECRET_FILE
+KOMODO_WEBHOOK_SECRET_FILE=/run/secrets/komodo_webhook_secret
+## Used to generate jwt. Alt: KOMODO_JWT_SECRET_FILE
+KOMODO_JWT_SECRET_FILE=/run/secrets/komodo_jwt_secret
+
+## Enable login with username + password.
+KOMODO_LOCAL_AUTH=true
+## Disable new user signups.
+KOMODO_DISABLE_USER_REGISTRATION=false
+## All new logins are auto enabled
+KOMODO_ENABLE_NEW_USERS=true
+## Disable non-admins from creating new resources.
+KOMODO_DISABLE_NON_ADMIN_CREATE=false
+## Allows all users to have Read level access to all resources.
+KOMODO_TRANSPARENT_MODE=false
+
+## Time to live for jwt tokens.
+## Options: 1-hr, 12-hr, 1-day, 3-day, 1-wk, 2-wk
+KOMODO_JWT_TTL="1-day"
+
+## OIDC Login
+KOMODO_OIDC_ENABLED=true
+## Must reachable from Komodo Core container
+KOMODO_OIDC_PROVIDER=https://authentik.lab.gurulandia.eu/application/o/komodo/
+## Change the host to one reachable be reachable by users (optional if it is the same as above).
+## DO NOT include the `path` part of the URL.
+KOMODO_OIDC_REDIRECT_HOST=https://authentik.lab.gurulandia.eu
+## Your client credentials
+KOMODO_OIDC_CLIENT_ID_FILE=/run/secrets/komodo_oidc_client_id
+KOMODO_OIDC_CLIENT_SECRET_FILE=/run/secrets/komodo_oidc_client_secret
+## Make usernames the full email.
+KOMODO_OIDC_USE_FULL_EMAIL=true
+## Add additional trusted audiences for token claims verification.
+## Supports comma separated list, and passing with _FILE (for compose secrets).
+# KOMODO_OIDC_ADDITIONAL_AUDIENCES=abc,123 # Alt: KOMODO_OIDC_ADDITIONAL_AUDIENCES_FILE
+
+## Github Oauth
+KOMODO_GITHUB_OAUTH_ENABLED=false
+# KOMODO_GITHUB_OAUTH_ID= # Alt: KOMODO_GITHUB_OAUTH_ID_FILE
+# KOMODO_GITHUB_OAUTH_SECRET= # Alt: KOMODO_GITHUB_OAUTH_SECRET_FILE
+
+## Google Oauth
+KOMODO_GOOGLE_OAUTH_ENABLED=false
+# KOMODO_GOOGLE_OAUTH_ID= # Alt: KOMODO_GOOGLE_OAUTH_ID_FILE
+# KOMODO_GOOGLE_OAUTH_SECRET= # Alt: KOMODO_GOOGLE_OAUTH_SECRET_FILE
+
+## Aws - Used to launch Builder instances and ServerTemplate instances.
+KOMODO_AWS_ACCESS_KEY_ID= # Alt: KOMODO_AWS_ACCESS_KEY_ID_FILE
+KOMODO_AWS_SECRET_ACCESS_KEY= # Alt: KOMODO_AWS_SECRET_ACCESS_KEY_FILE
+
+## Hetzner - Used to launch ServerTemplate instances
+## Hetzner Builder not supported due to Hetzner pay-by-the-hour pricing model
+KOMODO_HETZNER_TOKEN= # Alt: KOMODO_HETZNER_TOKEN_FILE
+
+#=------------------------------=#
+#= Komodo Periphery Environment =#
+#=------------------------------=#
+
+## Full variable list + descriptions are available here:
+## 🦎 https://github.com/mbecker20/komodo/blob/main/config/periphery.config.toml 🦎
+
+## Periphery passkeys must include KOMODO_PASSKEY to authenticate.
+PERIPHERY_PASSKEYS_FILE=/run/secrets/komodo_passkey
+## Specify the root directory used by Periphery agent.
+PERIPHERY_ROOT_DIRECTORY=/etc/komodo
+
+## Enable SSL using self signed certificates.
+## Connect to Periphery at https://address:8120.
+PERIPHERY_SSL_ENABLED=true
+
+## If the disk size is overreporting, can use one of these to 
+## whitelist / blacklist the disks to filter them, whichever is easier.
+## Accepts comma separated list of paths.
+## Usually whitelisting just /etc/hostname gives correct size.
+PERIPHERY_INCLUDE_DISK_MOUNTS=/etc/hostname
+# PERIPHERY_EXCLUDE_DISK_MOUNTS=/snap,/etc/repos

docker/env/privatebin-db.env

@@ -0,0 +1,7 @@
+PRIVATEBINDB_NETWORk_ID=backend
+
+##### Privatebin DB Container
+PRIVATEBINDB_CONTAINER_NAME=yeetfiledb
+PRIVATEBINDB_IMAGE=postgres
+PRIVATEBINDB_TAG=16-alpine
+PRIVATEBINDB_RESTART_POLICY=unless-stopped

docker/env/privatebin-stack.env

@@ -1,17 +1,9 @@
-COMPOSE_PROJECT_NAME=privatebin
-
 PRIVATEBIN_NETWORk_ID=proxy
 PRIVATEBIN_HOSTNAME=privatebin
 
-##### YeetFile Container
+##### Privatebin Container
 PRIVATEBIN_CONTAINER_NAME=privatebin
 PRIVATEBIN_IMAGE=privatebin/nginx-fpm-alpine
 #PRIVATEBIN_IMAGE=privatebin/pdo
 PRIVATEBIN_TAG=stable
 PRIVATEBIN_RESTART_POLICY=unless-stopped
-
-##### YeetFile DB Container
-PRIVATEBINDB_CONTAINER_NAME=yeetfiledb
-PRIVATEBINDB_IMAGE=postgres
-PRIVATEBINDB_TAG=16-alpine
-PRIVATEBINDB_RESTART_POLICY=unless-stopped

docker/env/technitum-dns-stack.env

@@ -0,0 +1,9 @@
+TECHNITUM_DNS_NETWORk_ID=proxy
+TECHNITUM_DNS_HOSTNAME=komodo
+
+TECHNITUM_DNS_RESTART_POLICY=unless-stopped
+
+##### Komodo Core Container
+TECHNITUM_DNS_CONTAINER_NAME=dns-server
+TECHNITUM_DNS_IMAGE=technitium/dns-server
+TECHNITUM_DNS_TAG=latest

docker/env/technitum-dns.env

@@ -0,0 +1,66 @@
+# The primary domain name used by this DNS Server to identify itself.
+DNS_SERVER_DOMAIN=lab.gurulandia.eu
+
+# DNS web console admin user password.
+# DNS_SERVER_ADMIN_PASSWORD=password
+
+# The path to a file that contains a plain text password for the DNS web console admin user.
+DNS_SERVER_ADMIN_PASSWORD_FILE = /run/secrets/technitium_admin_password
+
+# DNS Server will use IPv6 for querying whenever possible with this option enabled.
+# DNS_SERVER_PREFER_IPV6=false
+
+# Comma separated list of network interface IP addresses that you want the web service to listen on for requests. 
+# The "172.17.0.1" address is the built-in Docker bridge. The "[::]" is the default value if not specified. 
+# Note! This must be used only with "host" network mode.      
+# DNS_SERVER_WEB_SERVICE_LOCAL_ADDRESSES=172.17.0.1,127.0.0.1
+
+# The TCP port number for the DNS web console over HTTP protocol.
+# DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380 
+
+# The TCP port number for the DNS web console over HTTPS protocol.
+# DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443 #The TCP port number for the DNS web console over HTTPS protocol.
+
+# Enables HTTPS for the DNS web console.
+# DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false
+
+# Enables self signed TLS certificate for the DNS web console.
+# DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false 
+
+# Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx.
+# DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false 
+
+# Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworkACL.
+# DNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks 
+
+# Comma separated list of IP addresses or network addresses to allow access.
+# Add ! character at the start to deny access, e.g. !192.168.10.0/24 will deny entire subnet.
+# The ACL is processed in the same order its listed. If no networks match, the default policy is to deny all except loopback.
+# Valid only for `UseSpecifiedNetworkACL` recursion option.
+# DNS_SERVER_RECURSION_NETWORK_ACL=192.168.10.0/24, !192.168.10.2
+
+# Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworkACL` recursion option.
+# This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead.
+# DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24
+
+# Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworkACL` recursion option.
+# This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead.
+# DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24
+
+# Sets the DNS server to block domain names using Blocked Zone and Block List Zone.
+# DNS_SERVER_ENABLE_BLOCKING=false 
+
+# Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests.
+# DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false
+
+# A comma separated list of block list URLs.
+# DNS_SERVER_BLOCK_LIST_URLS= 
+
+# Comma separated list of forwarder addresses.
+# DNS_SERVER_FORWARDERS=1.1.1.1, 8.8.8.8
+
+# Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson.
+# DNS_SERVER_FORWARDER_PROTOCOL=Tcp
+
+# Enable this option to use local time instead of UTC for logging.
+DNS_SERVER_LOG_USING_LOCAL_TIME=true

docker/flatnotes/behind-proxy/compose.yaml

@@ -1,3 +1,4 @@
+name: flatnotes
 # Docker Compose v2.20 or greater required to use "include"
 include:
 #################### NETWORKS ####################

docker/flatnotes/compose.yaml

@@ -1,3 +1,4 @@
+name: flatnotes
 # Docker Compose v2.20 or greater required to use "include"
 include:
 #################### NETWORKS ####################

docker/homarr/compose.yaml

@@ -0,0 +1,22 @@
+#---------------------------------------------------------------------#
+#     Homarr - A simple, yet powerful dashboard for your server.      #
+#---------------------------------------------------------------------#
+services:
+  homarr:
+    container_name: homarr
+    image: ghcr.io/homarr-labs/homarr:latest
+    restart: unless-stopped
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock # Optional, only if you want docker integration
+      - /gurulandia/data/homarr/appdata:/appdata
+    environment:
+      - SECRET_ENCRYPTION_KEY=9a3fb9c060d3ff37ac0e0785177979ec48620144b8fd3e5883c02e27f68b2dba  # <--- can be generated with `openssl rand -hex 32`
+      - DB_DRIVER=mysql2
+      - DB_DIALECT=mysql
+      - DB_HOST=10.0.6.180
+      - DB_PORT=3306
+      - DB_NAME=homarr
+      - DB_USER=homarr
+      - DB_PASSWORD=homarr
+    ports:
+      - 7575:7575

docker/homepage/behind-proxy/compose.override.yaml

@@ -0,0 +1,55 @@
+secrets:
+    title:
+      file: /gurulandia/data/homepage/secrets/title
+services:
+  homepage:
+    image: ghcr.io/gethomepage/homepage:latest
+    container_name: homepage
+    ports:
+      - 3000:3000
+    volumes:
+      - /gurulandia/data/homepage:/app/config # Make sure your local config directory exists
+      - /var/run/docker.sock:/var/run/docker.sock:ro # (optional) For docker integrations
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - HOMEPAGE_VAR_BASE="https://homepage.lab.gurulandia.eu/"
+      #- HOMEPAGE_VAR_TITLE="Gurulandia's Awesome Homepage"
+      - HOMEPAGE_FILE_TITLE=/run/secrets/title
+    networks:
+      - proxy
+      - socket_proxy
+    labels:
+      traefik.enable: true
+      ## HTTP Routers
+      traefik.http.routers.homepage-rtr.entrypoints: https
+      traefik.http.routers.homepage-rtr.rule: Host(`homepage.lab.gurulandia.eu`)
+      ## Middlewares
+      #- "traefik.http.routers.${GOTIFY_HOST_NAME}-rtr.middlewares=chain-authelia@file"
+      traefik.http.routers.homepage-rtr.middlewares: chain-authentik@file
+      #traefik.http.routers.homepage-rtr.middlewares: chain-no-auth@file
+      ## HTTP Services
+      traefik.http.routers.homepage-rtr.service: homepage-svc
+      traefik.http.services.homepage-svc.loadbalancer.server.port: 3000     
+    secrets:
+      - title
+networks:
+  proxy:
+    external: true
+  socket_proxy:
+    external: true
+
+
+#services:
+#  homepage:        
+#    labels:
+#      - "traefik.enable=true"
+      ## HTTP Routers
+#      - "traefik.http.routers.${HOMEPAGE_HOSTNAME}-rtr.entrypoints=https"
+#      - "traefik.http.routers.${HOMEPAGE_HOSTNAME}-rtr.rule=Host(`${HOMEPAGE_HOSTNAME}.$DOMAINNAME1`)"
+      ## Middlewares
+#      - "traefik.http.routers.${HOMEPAGE_HOSTNAME}-rtr.middlewares=chain-authelia@file"
+#      - "traefik.http.routers.${HOMEPAGE_HOSTNAME}-rtr.middlewares=chain-no-auth@file"
+      ## HTTP Services
+#      - "traefik.http.routers.${HOMEPAGE_HOSTNAME}-rtr.service=${HOMEPAGE_HOSTNAME}-svc"
+#      - "traefik.http.services.${HOMEPAGE_HOSTNAME}-svc.loadbalancer.server.port=22300"

docker/homepage/behind-proxy/compose.yaml

@@ -0,0 +1,7 @@
+name: homepagee
+# Docker Compose v2.20 or greater required to use "include"
+include:
+#################### NETWORKS ####################
+  - ../../compose/networks/${HOMEPAGR_NETWORk_ID}.yaml
+#################### SERVICES ####################
+  - ../../compose/homepage.yaml

docker/homepage/behind-proxy/deploy.sh

@@ -0,0 +1,4 @@
+docker compose \
+--env-file ../../env/homepage-stack.env \
+--env-file ../../env/common.env \
+$1

docker/homepage/compose.yaml

@@ -0,0 +1,7 @@
+name: homepagee
+# Docker Compose v2.20 or greater required to use "include"
+include:
+#################### NETWORKS ####################
+  - ../compose/networks/${HOMEPAGR_NETWORk_ID}.yaml
+#################### SERVICES ####################
+  - ../compose/homepage.yaml

docker/homepage/deploy.sh

@@ -0,0 +1,4 @@
+docker compose \
+--env-file ../env/homepage-stack.env \
+--env-file ../env/common.env \
+$1

docker/jemma/komodo/compose.env

@@ -0,0 +1,133 @@
+####################################
+# 🦎 KOMODO COMPOSE - VARIABLES 🦎 #
+####################################
+## These compose variables can be used with all Komodo deployment options.
+## Pass these variables to the compose up command using `--env-file komodo/compose.env`.
+## Additionally, they are passed to both Komodo Core and Komodo Periphery with `env_file: ./compose.env`,
+## so you can pass any additional environment variables to Core / Periphery directly in this file as well.
+
+PSQL_HOST=10.0.6.178
+PSQL_PORT=5432
+## Stick to a specific version, or use `latest`
+COMPOSE_KOMODO_IMAGE_TAG=latest
+
+## Note: 🚨 Podman does NOT support local logging driver 🚨. See Podman options here:
+## `https://docs.podman.io/en/v4.6.1/markdown/podman-run.1.html#log-driver-driver`
+COMPOSE_LOGGING_DRIVER=local # Enable log rotation with the local driver.
+
+## DB credentials - Ignored for Sqlite
+KOMODO_DB_USERNAME=komodo
+KOMODO_DB_PASSWORD=komodo
+
+## Configure a secure passkey to authenticate between Core / Periphery.
+KOMODO_PASSKEY_FILE=/run/secrets/komodo_passkey
+
+#=-------------------------=#
+#= Komodo Core Environment =#
+#=-------------------------=#
+
+## Full variable list + descriptions are available here:
+## 🦎 https://github.com/mbecker20/komodo/blob/main/config/core.config.toml 🦎
+
+## Note. Secret variables also support `${VARIABLE}_FILE` syntax to pass docker compose secrets.
+## Docs: https://docs.docker.com/compose/how-tos/use-secrets/#examples
+
+## Used for Oauth / Webhook url suggestion / Caddy reverse proxy.
+KOMODO_HOST=https://komodo.lab.gurulandia.eu
+
+## Displayed in the browser tab.
+KOMODO_TITLE=Komodo by Gurulandia
+#Komodo
+## Create a server matching this address as the "first server".
+## Use `https://host.docker.internal:8120` when using systemd-managed Periphery.
+KOMODO_FIRST_SERVER=https://periphery:8120
+## Make all buttons just double-click, rather than the full confirmation dialog.
+KOMODO_DISABLE_CONFIRM_DIALOG=true
+
+## Rate Komodo polls your servers for
+## status / container status / system stats / alerting.
+## Options: 1-sec, 5-sec, 15-sec, 1-min, 5-min.
+## Default: 15-sec
+KOMODO_MONITORING_INTERVAL="15-sec"
+## Rate Komodo polls Resources for updates,
+## like outdated commit hash.
+## Options: 1-min, 5-min, 15-min, 30-min, 1-hr.
+## Default: 5-min
+KOMODO_RESOURCE_POLL_INTERVAL="5-min"
+
+## Used to auth incoming webhooks. Alt: KOMODO_WEBHOOK_SECRET_FILE
+KOMODO_WEBHOOK_SECRET_FILE=/run/secrets/komodo_webhook_secret
+## Used to generate jwt. Alt: KOMODO_JWT_SECRET_FILE
+KOMODO_JWT_SECRET_FILE=/run/secrets/komodo_jwt_secret
+
+## Enable login with username + password.
+KOMODO_LOCAL_AUTH=true
+## Disable new user signups.
+KOMODO_DISABLE_USER_REGISTRATION=false
+## All new logins are auto enabled
+KOMODO_ENABLE_NEW_USERS=true
+## Disable non-admins from creating new resources.
+KOMODO_DISABLE_NON_ADMIN_CREATE=false
+## Allows all users to have Read level access to all resources.
+KOMODO_TRANSPARENT_MODE=false
+
+## Time to live for jwt tokens.
+## Options: 1-hr, 12-hr, 1-day, 3-day, 1-wk, 2-wk
+KOMODO_JWT_TTL="1-day"
+
+## OIDC Login
+KOMODO_OIDC_ENABLED=true
+## Must reachable from Komodo Core container
+KOMODO_OIDC_PROVIDER=https://authentik.lab.gurulandia.eu/application/o/komodo/
+## Change the host to one reachable be reachable by users (optional if it is the same as above).
+## DO NOT include the `path` part of the URL.
+KOMODO_OIDC_REDIRECT_HOST=https://authentik.lab.gurulandia.eu
+## Your client credentials
+KOMODO_OIDC_CLIENT_ID_FILE=/run/secrets/komodo_oidc_client_id
+KOMODO_OIDC_CLIENT_SECRET_FILE=/run/secrets/komodo_oidc_client_secret
+## Make usernames the full email.
+KOMODO_OIDC_USE_FULL_EMAIL=true
+## Add additional trusted audiences for token claims verification.
+## Supports comma separated list, and passing with _FILE (for compose secrets).
+# KOMODO_OIDC_ADDITIONAL_AUDIENCES=abc,123 # Alt: KOMODO_OIDC_ADDITIONAL_AUDIENCES_FILE
+
+## Github Oauth
+KOMODO_GITHUB_OAUTH_ENABLED=false
+# KOMODO_GITHUB_OAUTH_ID= # Alt: KOMODO_GITHUB_OAUTH_ID_FILE
+# KOMODO_GITHUB_OAUTH_SECRET= # Alt: KOMODO_GITHUB_OAUTH_SECRET_FILE
+
+## Google Oauth
+KOMODO_GOOGLE_OAUTH_ENABLED=false
+# KOMODO_GOOGLE_OAUTH_ID= # Alt: KOMODO_GOOGLE_OAUTH_ID_FILE
+# KOMODO_GOOGLE_OAUTH_SECRET= # Alt: KOMODO_GOOGLE_OAUTH_SECRET_FILE
+
+## Aws - Used to launch Builder instances and ServerTemplate instances.
+KOMODO_AWS_ACCESS_KEY_ID= # Alt: KOMODO_AWS_ACCESS_KEY_ID_FILE
+KOMODO_AWS_SECRET_ACCESS_KEY= # Alt: KOMODO_AWS_SECRET_ACCESS_KEY_FILE
+
+## Hetzner - Used to launch ServerTemplate instances
+## Hetzner Builder not supported due to Hetzner pay-by-the-hour pricing model
+KOMODO_HETZNER_TOKEN= # Alt: KOMODO_HETZNER_TOKEN_FILE
+
+#=------------------------------=#
+#= Komodo Periphery Environment =#
+#=------------------------------=#
+
+## Full variable list + descriptions are available here:
+## 🦎 https://github.com/mbecker20/komodo/blob/main/config/periphery.config.toml 🦎
+
+## Periphery passkeys must include KOMODO_PASSKEY to authenticate.
+PERIPHERY_PASSKEYS_FILE=/run/secrets/komodo_passkey
+## Specify the root directory used by Periphery agent.
+PERIPHERY_ROOT_DIRECTORY=/etc/komodo
+
+## Enable SSL using self signed certificates.
+## Connect to Periphery at https://address:8120.
+PERIPHERY_SSL_ENABLED=true
+
+## If the disk size is overreporting, can use one of these to 
+## whitelist / blacklist the disks to filter them, whichever is easier.
+## Accepts comma separated list of paths.
+## Usually whitelisting just /etc/hostname gives correct size.
+PERIPHERY_INCLUDE_DISK_MOUNTS=/etc/hostname
+# PERIPHERY_EXCLUDE_DISK_MOUNTS=/snap,/etc/repos

docker/jemma/komodo/compose.yaml

@@ -0,0 +1,161 @@
+###################################
+# 🦎 KOMODO COMPOSE - POSTGRES 🦎 #
+###################################
+
+## This compose file will deploy:
+##   1. Postgres + FerretDB Mongo adapter (https://www.ferretdb.com)
+##   2. Komodo Core
+##   3. Komodo Periphery
+name: komodo
+secrets:
+  komodo_db_user:
+    file: ${SECRETSDIR}/komodo/komodo_db_user
+  komodo_db_password:
+    file: ${SECRETSDIR}/komodo/komodo_db_password
+  komodo_passkey:
+    file: ${SECRETSDIR}/komodo/komodo_passkey
+  komodo_webhook_secret:
+    file: ${SECRETSDIR}/komodo/komodo_webhook_secret
+  komodo_jwt_secret:
+    file: ${SECRETSDIR}/komodo/komodo_jwt_secret
+  komodo_oidc_client_id:
+    file: ${SECRETSDIR}/komodo/komodo_oidc_client_id
+  komodo_oidc_client_secret:
+    file: ${SECRETSDIR}/komodo/komodo_oidc_client_secret
+
+services:
+  #postgres:
+  #  image: postgres
+  #  labels:
+  #    komodo.skip: # Prevent Komodo from stopping with StopAllContainers
+  #  restart: unless-stopped
+  #  logging:
+  #    driver: ${COMPOSE_LOGGING_DRIVER:-local}
+  #  networks:
+  #    - default
+    # ports:
+    #   - 5432:5432
+  #  volumes:
+  #    - pg-data:/var/lib/postgresql/data
+  #  environment:
+  #    - POSTGRES_USER=${KOMODO_DB_USERNAME}
+  #    - POSTGRES_PASSWORD=${KOMODO_DB_PASSWORD}
+  #    - POSTGRES_DB=${KOMODO_DATABASE_DB_NAME:-komodo}
+
+  ferretdb:
+    #container_name: ${TRAEFIK_CONTAINER_NAME}
+    #image: ${TRAEFIK_IMAGE}:${TRAEFIK_TAG}
+    #restart: ${TRAEFIK_RESTART_POLICY}
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    image: ghcr.io/ferretdb/ferretdb
+    labels:
+      komodo.skip: # Prevent Komodo from stopping with StopAllContainers
+    #depends_on:
+    #  - postgres
+    logging:
+      driver: ${COMPOSE_LOGGING_DRIVER:-local}
+    networks:
+      - default
+    # ports:
+    #   - 27017:27017
+    env_file: ./compose.env
+    environment:
+      #- FERRETDB_POSTGRESQL_URL=postgres://komodo:komodo@10.0.6.178/komodo?sslmode=disable
+      - FERRETDB_POSTGRESQL_URL=postgres://${PSQL_HOST}:${PSQL_PORT}/${KOMODO_DATABASE_DB_NAME:-komodo}?sslmode=disable
+  
+  core:
+    #container_name: ${TRAEFIK_CONTAINER_NAME}
+    #image: ${TRAEFIK_IMAGE}:${TRAEFIK_TAG}
+    #restart: ${TRAEFIK_RESTART_POLICY}
+    restart: unless-stopped
+    image: ghcr.io/mbecker20/komodo:${COMPOSE_KOMODO_IMAGE_TAG:-latest}
+    secrets:
+      - komodo_db_user
+      - komodo_db_password
+      - komodo_passkey
+      - komodo_webhook_secret
+      - komodo_jwt_secret
+      - komodo_oidc_client_id
+      - komodo_oidc_client_secret
+    labels:
+      komodo.skip: # Prevent Komodo from stopping with StopAllContainers
+      traefik.enable: true
+      ## HTTP Routers
+      traefik.http.routers.komodo-rtr.entrypoints: https
+      traefik.http.routers.komodo-rtr.rule: Host(`komodo.lab.gurulandia.eu`)
+      ## Middlewares
+#      - "traefik.http.routers.${PRIVATEBIN_HOSTNAME}-rtr.middlewares=chain-authelia@file"
+      traefik.http.routers.komodo-rtr.middlewares: chain-no-auth@file
+      ## HTTP Services
+      traefik.http.routers.komodo-rtr.service: komodo-svc
+      traefik.http.services.komodo-svc.loadbalancer.server.port: 9120
+    depends_on:
+      - ferretdb
+    logging:
+      driver: ${COMPOSE_LOGGING_DRIVER:-local}
+    networks:
+      - default
+      - proxy
+    ports:
+      - 9120:9120
+    env_file: ./compose.env  
+    environment:
+      KOMODO_DATABASE_URI: mongodb://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@ferretdb:27017/${KOMODO_DATABASE_DB_NAME:-komodo}?authMechanism=PLAIN      
+    volumes:
+      ## Core cache for repos for latest commit hash / contents
+      - repo-cache:/repo-cache
+      ## Store sync files on server
+      # - /path/to/syncs:/syncs
+      ## Optionally mount a custom core.config.toml
+      # - /path/to/core.config.toml:/config/config.toml
+    ## Allows for systemd Periphery connection at 
+    ## "http://host.docker.internal:8120"
+    # extra_hosts:
+    #   - host.docker.internal:host-gateway
+
+  ## Deploy Periphery container using this block,
+  ## or deploy the Periphery binary with systemd using 
+  ## https://github.com/mbecker20/komodo/tree/main/scripts
+  periphery:
+    #container_name: ${TRAEFIK_CONTAINER_NAME}
+    #image: ${TRAEFIK_IMAGE}:${TRAEFIK_TAG}
+    #restart: ${TRAEFIK_RESTART_POLICY}
+    restart: unless-stopped
+    image: ghcr.io/mbecker20/periphery:${COMPOSE_KOMODO_IMAGE_TAG:-latest}
+    labels:
+      komodo.skip: # Prevent Komodo from stopping with StopAllContainers
+    logging:
+      driver: ${COMPOSE_LOGGING_DRIVER:-local}
+    networks:
+      - default
+    env_file: ./compose.env
+    environment:
+      PERIPHERY_REPO_DIR: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/repos
+      PERIPHERY_STACK_DIR: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/stacks
+      PERIPHERY_SSL_KEY_FILE: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/ssl/key.pem
+      PERIPHERY_SSL_CERT_FILE: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/ssl/cert.pem
+    volumes:
+      ## Mount external docker socket
+      - /var/run/docker.sock:/var/run/docker.sock
+      ## Allow Periphery to see processes outside of container
+      - /proc:/proc
+      ## Specify the Periphery agent root directory.
+      ## Must be the same inside and outside the container,
+      ## or docker will get confused. See https://github.com/mbecker20/komodo/discussions/180.
+      ## Default: /etc/komodo.
+      - ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}:${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}
+    secrets:
+      - komodo_passkey
+
+volumes:
+  # Postgres
+  #pg-data:
+  # Core
+  repo-cache:
+
+networks:
+  default: {}
+  proxy: 
+    external: true

docker/joplin-server/behind-proxy-with-db/compose.override.yaml

@@ -13,13 +13,15 @@ services:
         - "traefik.http.services.${JOPLIN_HOSTNAME}-svc.loadbalancer.server.port=22300"
     depends_on:
         - db    
+    networks:
+        - ${JOPLINDB_NETWORk_ID}
     env_file:
-        - path: ../../env/.env.joplin-srv.withdb
+        - path: ../../env/joplin-srv-withdb.env
   db:
     image: ${JOPLINDB_IMAGE}:${JOPLINDB_TAG}
     container_name: ${JOPLINDB_CONTAINER_NAME}
     restart: ${JOPLINDB_RESTART_POLICY}
     env_file:
-        - path: ../../env/.env.joplin-srv.db-cred       
+        - path: ../../env/joplin-srv-db-cred.env
     networks:
-        - ${JOPLIN_NETWORk_ID}
+        - ${JOPLINDB_NETWORk_ID}

docker/joplin-server/behind-proxy-with-db/compose.yaml

@@ -1,8 +1,9 @@
+name: joplinserver
 # Docker Compose v2.20 or greater required to use "include"
 include:
 #################### NETWORKS ####################
-  - ../../compose/networks/proxy.yaml
+  - ../../compose/networks/${JOPLIN_NETWORk_ID}.yaml
-  - ../../compose/networks/socket-proxy.yaml
+  - ../../compose/networks/${JOPLINDB_NETWORk_ID}.yaml
 #################### SERVICES ####################
   - ../../compose/postgres.yaml
   - ../../compose/joplin-server.yaml

docker/joplin-server/behind-proxy-with-db/dcc.sh

@@ -1 +0,0 @@
-docker compose --env-file ../../env/.env.stack.joplin-srv --env-file ../../env/.env.common config

docker/joplin-server/behind-proxy-with-db/deploy.sh

@@ -0,0 +1,6 @@
+docker compose \
+--env-file ../../env/joplin-srv-stack.env \
+--env-file ../../env/joplin-srv-db.env \
+--env-file ../../env/common.env \
+$1
+

docker/joplin-server/behind-proxy/compose.yaml

@@ -1,7 +1,7 @@
+name: joplinserver
 # Docker Compose v2.20 or greater required to use "include"
 include:
 #################### NETWORKS ####################
-  - ../../compose/networks/proxy.yaml
+  - ../../compose/networks/${JOPLIN_NETWORk_ID}.yaml
-  - ../../compose/networks/socket-proxy.yaml
 #################### SERVICES ####################
   - ../../compose/joplin-server.yaml

docker/joplin-server/behind-proxy/dcc.sh

@@ -1 +0,0 @@
-docker compose --env-file ../../env/.env.stack.joplin-srv --env-file ../../env/.env.common config

docker/joplin-server/behind-proxy/deploy.sh

@@ -0,0 +1,4 @@
+docker compose \
+--env-file ../../env/joplin-srv-stack.env \
+--env-file ../../env/common.env \
+$1

docker/joplin-server/compose.yaml

@@ -1,7 +1,7 @@
+name: joplinserver
 # Docker Compose v2.20 or greater required to use "include"
 include:
 #################### NETWORKS ####################
-  - ../../compose/networks/proxy.yaml
+  - ../../compose/networks/${JOPLIN_NETWORk_ID}.yaml
-  - ../../compose/networks/socket-proxy.yaml
 #################### SERVICES ####################
   - ../../compose/joplin-server.yaml

docker/joplin-server/dcc.sh

@@ -1 +0,0 @@
-docker compose --env-file ../env/.env.stack.joplin-srv --env-file ../env/.env.common config

docker/joplin-server/deploy.sh

@@ -0,0 +1,4 @@
+docker compose \
+--env-file ../env/joplin-srv-stack.env \
+--env-file ../env/common.env \
+$1

docker/joplin-server/with-db/compose.override.yaml

@@ -5,14 +5,16 @@ services:
 #    ports:
 #        - "22300:22300"
     env_file:
-        - path: ../../env/.env.joplin-srv.withdb
+        - path: ../../env/joplin-srv-withdb.env
+    networks:
+        - ${JOPLINDB_NETWORk_ID}
   db:
     image: ${JOPLINDB_IMAGE}:${JOPLINDB_TAG}
     container_name: ${JOPLINDB_CONTAINER_NAME}
     restart: ${JOPLINDB_RESTART_POLICY}
     env_file:
-        - path: ../../env/.env.joplin-srv.db-cred       
+        - path: ../../env/joplin-srv-db-cred.env
 #    ports:
 #        - "5432:5432"
     networks:
-        - ${JOPLIN_NETWORk_ID}
+        - ${JOPLINDB_NETWORk_ID}

docker/joplin-server/with-db/compose.yaml

@@ -1,8 +1,8 @@
 # Docker Compose v2.20 or greater required to use "include"
 include:
 #################### NETWORKS ####################
-  - ../../compose/networks/proxy.yaml
+  - ../../compose/networks/${JOPLIN_NETWORk_ID}.yaml
-  - ../../compose/networks/socket-proxy.yaml
+  - ../../compose/networks/${JOPLINDB_NETWORk_ID}.yaml
 #################### SERVICES ####################
   - ../../compose/postgres.yaml
   - ../../compose/joplin-server.yaml

docker/joplin-server/with-db/dcc.sh

@@ -1 +0,0 @@
-docker compose --env-file ../../env/.env.stack.joplin-srv --env-file ../../env/.env.common config

docker/joplin-server/with-db/deploy.sh

@@ -0,0 +1,5 @@
+docker compose \
+--env-file ../../env/joplin-srv-stack.env \
+--env-file ../../env/joplin-srv-db.env \
+--env-file ../../env/common.env \
+$1

docker/komodo/compose.yaml

@@ -0,0 +1,10 @@
+name: komodo
+# Docker Compose v2.20 or greater required to use "include"
+include:
+#################### NETWORKS ####################
+  - ../compose/networks/${KOMODO_NETWORk_ID}.yaml
+  - ../compose/networks/komodo.yaml
+#################### SERVICES ####################
+  - ../compose/ferretdb.yaml
+  - ../compose/komodo-core.yaml
+  - ../compose/komodo-periphery.yaml

docker/komodo/deploy.sh

@@ -0,0 +1,5 @@
+docker compose \
+--env-file ../env/komodo-stack.env \
+--env-file ../env/komodo.env \
+--env-file ../env/common.env \
+$1 $2 $3

docker/memos/compose.yaml

@@ -0,0 +1,21 @@
+services:
+  memos:
+    image: neosmemo/memos:stable
+    restart: always
+#    depends_on:
+#      - db
+    ports:
+      - 5230:5230
+    environment:
+      - MEMOS_DRIVER=postgres
+      - MEMOS_DSN=user=memos password=memos dbname=memos host=10.0.6.178 sslmode=disable
+
+#  db:
+#    image: postgres:16.1
+#    restart: unless-stopped
+#    volumes:
+#      - "./database:/var/lib/postgresql/data/"
+#    environment:
+#      POSTGRES_USER: memos
+#      POSTGRES_PASSWORD: secret
+#      POSTGRES_DB: memosdb

docker/nginx/compose.yaml

@@ -0,0 +1,35 @@
+services:
+  web:
+    image: nginx:latest
+    container_name: jimsgarage
+    volumes:
+     - /gurulandia/data/nginx/templates:/etc/nginx/templates
+     - /gurulandia/data/nginx/web:/usr/share/nginx/html
+    environment:
+     - NGINX_HOST=nginx.lab.gurulandia.eu
+     - NGINX_PORT=80
+    ports:
+     - 8089:80
+    labels:
+      - "traefik.enable=true"
+      #- "traefik.http.routers.nginx.entrypoints=http"
+      #- "traefik.http.routers.nginx.rule=Host(`nginx.jimsgarage.co.uk`)"
+      #- "traefik.http.middlewares.nginx-https-redirect.redirectscheme.scheme=https"
+      #- "traefik.http.routers.nginx.middlewares=nginx-https-redirect"
+      - "traefik.http.routers.nginx-secure.entrypoints=https"
+      - "traefik.http.routers.nginx-secure.rule=Host(`nginx.lab.gurulandia.eu`)"
+      #- "traefik.http.routers.nginx-secure.tls=true"
+      #- "traefik.http.routers.nginx-secure.service=nginx"
+      - "traefik.http.services.nginx.loadbalancer.server.port=80"
+      #- "traefik.http.routers.nginx-secure.middlewares=chain-no-auth@file" 
+      #- "traefik.http.routers.nginx-secure.middlewares=chain-authentik@file" #add this to any container you want to use the Authentik web proxy
+      - "traefik.http.routers.nginx-secure.middlewares=middlewares-authentik@file" #add this to any container you want to use the Authentik web proxy
+     # - "traefik.docker.network=proxy"
+    networks:
+      proxy:
+    security_opt:
+      - no-new-privileges:true
+
+networks:
+  proxy:
+    external: true

docker/pgweb/compose.yaml

@@ -0,0 +1,22 @@
+services:
+  pgweb:
+    container_name: pgweb
+    image: sosedoff/pgweb:latest
+    #build: .
+    #environment:
+    #  PGWEB_DATABASE_URL: postgres://pgweb:pgweb@pgweb-postgres:5432/pgweb?sslmode=disable
+    ports:
+      - 58081:8081
+    networks:
+      - pgweb
+    #depends_on:
+    #  postgres:
+    #    condition: service_healthy
+    healthcheck:
+      test: ["CMD", "nc", "-vz", "127.0.0.1", "58081"]
+      interval: 5s
+    volumes:
+      - /gurulandia/data/pgweb:/home/pgweb/.pgweb/bookmarks
+networks:
+  pgweb:
+    name: pgweb

docker/redis/compose.yaml

@@ -0,0 +1,34 @@
+services:
+  redis:
+    container_name: redis
+    image: redis:latest
+    command: redis-server
+    volumes:
+      - redis:/var/lib/redis
+      - redis-config:/usr/local/etc/redis/redis.conf
+    ports:
+      - 6379:6379
+    networks:
+      - redis-network
+
+  redis-commander:
+    container_name: redis-commander
+    image: rediscommander/redis-commander:latest
+    environment:
+      - REDIS_HOSTS=local:redis:6379
+      - HTTP_USER=root
+      - HTTP_PASSWORD=qwerty
+    ports:
+      - 8081:8081
+    networks:
+      - redis-network
+    depends_on:
+      - redis
+
+volumes:
+  redis:
+  redis-config:
+
+networks:
+  redis-network:
+    driver: bridge

docker/services/dc-traefik.yml

@@ -1,94 +1,120 @@
 ########################### SECRETS
 secrets:
-  cloudflare_email:
+  #cloudflare_email:
-    file: ${SECRETSDIR}/cloudflare_email
+  #  file: ${SECRETSDIR}/cloudflare_email
-  cloudflare_api_key:
+  #cloudflare_api_key:
-    file: ${SECRETSDIR}/cloudflare_api_key
+  #  file: ${SECRETSDIR}/cloudflare_api_key
+  basic_auth_credentials:
+    file: $DOCKERDIR/secrets/basic_auth_credentials
   cloudflare_api_token:
     file: ${SECRETSDIR}/cloudflare_dns_api_token
 services:
-  # Traefik 2 - Reverse Proxy
+  # Traefik 3 - Reverse Proxy
   # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
   # touch $DOCKERDIR/traefik2/acme/acme.json
   # chmod 600 $DOCKERDIR/traefik2/acme/acme.json
   # touch $DOCKERDIR/traefik2/traefik.log
   traefik:
-    container_name: ${TRAEFIK_CONTAINER_NAME}
+    container_name: ${TRAEFIK_CONTAINER_NAME:-traefik}
-    image: ${TRAEFIK_IMAGE}:${TRAEFIK_TAG}
+    image: ${TRAEFIK_IMAGE:-traefik}:${TRAEFIK_TAG:-latest}
-    restart: ${TRAEFIK_RESTART_POLICY}
+    restart: ${TRAEFIK_RESTART_POLICY:-always}
     security_opt:
       - no-new-privileges:true
+    user: ${UID:-1000}:${GID:-1000}
     networks:
       proxy:
       socket_proxy:
     ports:
-      - 80:80
+      - target: 80
-      - 443:443
+        published: 80
-      - 465:465
+        protocol: tcp
-      - 587:587
+        mode: host
+      - target: 443
+        published: 443
+        protocol: tcp
+        mode: host
+      #- target: 465
+      #  published: 465
+      #  protocol: tcp
+      #  mode: host
+      #- target: 587
+      #  published: 587
+      #  protocol: tcp
+      #  mode: host
+      #- 465:465
+      #- 587:587
     #env_file:
     #- path: ./traefik.env
     #  required: true # default
     #- path: ./override.env
     #  required: false
     environment:
-      - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
+      #- CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
-      - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
+      #- CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
       - CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_api_token
+      - HTPASSWD_FILE=/run/secrets/basic_auth_credentials # HTTP Basic Auth Credentials
+      - DOMAINNAME0 # Passing the domain name to traefik container to be able to use the variable in rules. 
+      - DOMAINNAME1
+      - DOMAINNAME2
+      - DOMAINNAME3
+      - CF_API_EMAIL
+
     command: # CLI arguments
       - --global.checkNewVersion=true
       - --global.sendAnonymousUsage=false #true
-      - --entryPoints.http.address=:80
+      - --entrypoints.web.address=:80
-      - --entrypoints.http.http.redirections.entryPoint.to=https
+      - --entrypoints.websecure.address=:443
-      - --entrypoints.http.http.middlewares=middlewares-crowdsec-bouncer@file
+      - --entrypoints.traefik.address=:8080
-      - --entryPoints.https.address=:443
+      - --entrypoints.web.http.redirections.entrypoint.to=websecure
-      - --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
+      - --entrypoints.web.http.redirections.entrypoint.scheme=https
-      - --entrypoints.mailsecure.address=:465
+      - --entrypoints.web.http.redirections.entrypoint.permanent=true
-      - --entrypoints.maildefault.address=:587
-#      - --entryPoints.traefik.address=:8080
-#      - --entryPoints.ping.address=:8081
       - --api=true
-#      - --api.insecure=true)
       - --api.dashboard=true
-#      - --ping=true)
+      # - --serversTransport.insecureSkipVerify=true
-#      - --pilot.token=$TRAEFIK_PILOT_TOKEN)
+      # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
-      - --serversTransport.insecureSkipVerify=true
+      - --entrypoints.websecure.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
       - --log=true
+      - --log.filePath=/logs/traefik.log
       - --log.level=INFO # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
-      - --log.filePath= /var/log/traefik/traefik.log
       - --accessLog=true
-      - --accessLog.filePath=/var/log/traefik/access.log
+      - --accessLog.filePath=/logs/access.log
       - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
-      - --accessLog.filters.statusCodes=400-499
+      - --accessLog.filters.statusCodes=204-299,400-499,500-599
       - --providers.docker=true
       - --providers.docker.endpoint=${DOCKER_ENDPOINT} # Use Docker Socket Proxy instead for improved security
-      # Automatically set Host rule for services
-#      - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME0`)
       - --providers.docker.exposedByDefault=false
-#      - --providers.redis=true
-#      - --providers.redis.endpoints=redis:6379
-      - --entrypoints.https.http.middlewares=middlewares-crowdsec-bouncer@file
-      - --entrypoints.https.http.tls.options=tls-opts@file
-      # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
-      - --entrypoints.https.http.tls.certresolver=${CERTRESOLVER}
-      - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME0
-      - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME0
-      - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME1 # Pulls main cert for second domain
-      - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME1 # Pulls wildcard cert for second domain
-      - --entrypoints.https.http.tls.domains[2].main=$DOMAINNAME2
-      - --entrypoints.https.http.tls.domains[2].sans=*.$DOMAINNAME2
-      - --entrypoints.https.http.tls.domains[3].main=$DOMAINNAME3 # Pulls main cert for second domain
-      - --entrypoints.https.http.tls.domains[3].sans=*.$DOMAINNAME3 # Pulls wildcard cert for second domain
-
       - --providers.docker.network=proxy
+      - --entrypoints.websecure.http.tls=true
+      - --entrypoints.websecure.http.tls.options=tls-opts@file
+      # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
+      - --entrypoints.websecure.http.tls.certresolver=${CERTRESOLVER}
+      - --entrypoints.websecure.http.tls.domains[0].main=$DOMAINNAME0
+      - --entrypoints.websecure.http.tls.domains[0].sans=*.$DOMAINNAME0
+      - --entrypoints.websecure.http.tls.domains[1].main=$DOMAINNAME1
+      - --entrypoints.websecure.http.tls.domains[1].sans=*.$DOMAINNAME1
+      - --entrypoints.websecure.http.tls.domains[2].main=$DOMAINNAME2
+      - --entrypoints.websecure.http.tls.domains[2].sans=*.$DOMAINNAME2
+      - --entrypoints.websecure.http.tls.domains[3].main=$DOMAINNAME3
+      - --entrypoints.websecure.http.tls.domains[3].sans=*.$DOMAINNAME3
       - --providers.file.directory=/config # Load dynamic configuration from one or more .toml or .yml files in a directory
       - --providers.file.watch=true # Only works on top level files in the rules folder
-#      - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
       - --certificatesResolvers.$CERTRESOLVER.acme.email=${CF_API_EMAIL}
       - --certificatesResolvers.$CERTRESOLVER.acme.storage=/acme.json
       - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.provider=${DNS_PROVIDER}
-      - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.resolvers=${RESOLVER0} #,$RESOLVER1
+      - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.resolvers=${RESOLVER0},${RESOLVER1}
       - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
+#      - --certificatesResolvers.$CERTRESOLVER.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
+
+#      - --entrypoints.http.http.middlewares=middlewares-crowdsec-bouncer@file
+#      - --entrypoints.mailsecure.address=:465
+#      - --entrypoints.maildefault.address=:587
+#      - --entrypoints.https.http.middlewares=middlewares-crowdsec-bouncer@file      
+#      - --entryPoints.ping.address=:8081
+#      - --api.insecure=true)
+#      - --ping=true)
+#      - --providers.redis=true
+#      - --providers.redis.endpoints=redis:6379
+#      - --entrypoints.https.http.middlewares=middlewares-crowdsec-bouncer@file      
 #    healthcheck:
 #      test: ["CMD", "traefik", "healthcheck", "--ping"]
 #      interval: 5s
@@ -100,18 +126,19 @@ services:
       - ${DOCKERDIR}/traefik/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
       - ${DOCKERDIR}/traefik/logs:/var/log/traefik # for crowdsec - make sure to touch file before starting container
     secrets:
-      - cloudflare_email
+      #- cloudflare_email
-      - cloudflare_api_key
+      #- cloudflare_api_key
       - cloudflare_api_token
+      - basic_auth_credentials
     labels:
       traefik.enable: true
-      traefik.http.routers.traefik.entrypoints: http
+      traefik.http.routers.traefik.entrypoints: web
       traefik.http.routers.traefik.rule: Host(`${PROXYNAME}.${DOMAINNAME1}`)
       traefik.http.middlewares.traefik-auth.basicauth.users: ${BASICAUTHUSER}
       traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme: https
       traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto: https
       traefik.http.routers.traefik.middlewares: traefik-https-redirect
-      traefik.http.routers.traefik-secure.entrypoints: https
+      traefik.http.routers.traefik-secure.entrypoints: websecure
       traefik.http.routers.traefik-secure.rule: Host(`${PROXYNAME}.${DOMAINNAME1}`)
       traefik.http.routers.traefik-secure.middlewares: chain-no-auth@file
 #      traefik.http.routers.traefik-secure.middlewares: traefik-auth

docker/snibox/.env

@@ -0,0 +1,20 @@
+# Secrets
+SECRET_KEY_BASE=580b4894107e15810dd7100132ad18905d3b218bea2812a6c35662e783443c912f8454c479afcf5aaf4fdac0fa0c52308ef062a440f5360cf9161f2b1d9e0834
+# SSL
+FORCE_SSL=false
+
+# Database
+DB_NAME=snibox
+DB_USER=snibox
+DB_PASS=snibox
+DB_HOST=10.0.6.178
+DB_PORT=5432
+
+# Mailgun. Required by 'Reset password feature'. Feel free to start without this setup.
+MAILGUN_SMTP_PORT=587
+MAILGUN_SMTP_SERVER=smtp.eu.mailgun.org
+MAILGUN_SMTP_LOGIN=sender@mail.gurulandia.eu
+MAILGUN_SMTP_PASSWORD=fd2481f27f76e35110ddf9b7b04ad09f-667818f5-87cb2de
+MAILGUN_API_KEY=0bbddf40b4f522902c3566ac64d6843f-667818f5-f7e29b98
+MAILGUN_DOMAIN=mail.gurulandia.eu
+MAILGUN_PUBLIC_KEY=pubkey-1d7092746ca1272cb49c7c16615663d1