Talteen

config/docker/current/mailrise/mailrise.conf

@@ -4,11 +4,18 @@ configs:
       - discord://1197077230531129365/Lg8HssUw5GhNIs4qYGyxp-52VFFtw17fMAlf-OYDSS3bOjJzGMpRsZ_KCZ5sxOHagK7R/
   gotify:
     urls:
-      - gotify://gotify.lab.gurulandia.eu/AP8JgsUIUm2M1B1
+      - gotify://10.0.6.177:8080/AP8JgsUIUm2M1B1
 
   gurulandia@outlook.com:
     urls:
       - gotify://gotify.lab.gurulandia.eu/AkNhzQxlA9sOsVJ
+      - mailto://gurul4nd14:okzwnrketthveaaz@gmail.com
+    
+  gurul4nd14@gmail.com:
+    urls:
+      - gotify://gotify.lab.gurulandia.eu/AkNhzQxlA9sOsVJ
+      - mailto://gurul4nd14:okzwnrketthveaaz@gmail.com      
+
 tls:
   mode: off
 

config/docker/current/private-bin/conf.php

@@ -0,0 +1,281 @@
+;<?php http_response_code(403) ; /*
+; config file for PrivateBin
+;
+; An explanation of each setting can be find online at https://github.com/PrivateBin/PrivateBin/wiki/Configuration.
+
+[main]
+; (optional) set a project name to be displayed on the website
+; name = "PrivateBin"
+
+; The full URL, with the domain name and directories that point to the
+; PrivateBin files, including an ending slash (/). This URL is essential to
+; allow Opengraph images to be displayed on social networks.
+; basepath = "https://privatebin.example.com/"
+
+; enable or disable the discussion feature, defaults to true
+discussion = true
+
+; preselect the discussion feature, defaults to false
+opendiscussion = false
+
+; enable or disable the display of dates & times in the comments, defaults to true
+; Note that internally the creation time will still get tracked in order to sort
+; the comments by creation time, but you can choose not to display them.
+; discussiondatedisplay = false
+
+; enable or disable the password feature, defaults to true
+password = true
+
+; enable or disable the file upload feature, defaults to false
+fileupload = true
+
+; preselect the burn-after-reading feature, defaults to false
+burnafterreadingselected = false
+
+; which display mode to preselect by default, defaults to "plaintext"
+; make sure the value exists in [formatter_options]
+defaultformatter = "plaintext"
+
+; (optional) set a syntax highlighting theme, as found in css/prettify/
+; syntaxhighlightingtheme = "sons-of-obsidian"
+
+; size limit per paste or comment in bytes, defaults to 10 Mebibytes
+sizelimit = 10485760
+
+; template to include, default is "bootstrap" (tpl/bootstrap.php), also
+; available are "page" (tpl/page.php), the classic ZeroBin style and several
+; bootstrap variants: "bootstrap-dark", "bootstrap-compact", "bootstrap-page",
+; which can be combined with "-dark" and "-compact" for "bootstrap-dark-page"
+; and finally "bootstrap-compact-page" - previews at:
+; https://privatebin.info/screenshots.html
+template = "bootstrap"
+
+; (optional) info text to display
+; use single, instead of double quotes for HTML attributes
+;info = "More information on the <a href='https://privatebin.info/'>project page</a>."
+
+; (optional) notice to display
+; notice = "Note: This is a test service: Data may be deleted anytime. Kittens will die if you abuse this service."
+
+; by default PrivateBin will guess the visitors language based on the browsers
+; settings. Optionally you can enable the language selection menu, which uses
+; a session cookie to store the choice until the browser is closed.
+languageselection = false
+
+; set the language your installs defaults to, defaults to English
+; if this is set and language selection is disabled, this will be the only language
+; languagedefault = "en"
+
+; (optional) URL shortener address to offer after a new paste is created.
+; It is suggested to only use this with self-hosted shorteners as this will leak
+; the pastes encryption key.
+; urlshortener = "https://shortener.example.com/api?link="
+
+; (optional) Let users create a QR code for sharing the paste URL with one click.
+; It works both when a new paste is created and when you view a paste.
+; qrcode = true
+
+; (optional) Let users send an email sharing the paste URL with one click.
+; It works both when a new paste is created and when you view a paste.
+; email = true
+
+; (optional) IP based icons are a weak mechanism to detect if a comment was from
+; a different user when the same username was used in a comment. It might get
+; used to get the IP of a comment poster if the server salt is leaked and a
+; SHA512 HMAC rainbow table is generated for all (relevant) IPs.
+; Can be set to one these values:
+; "none" / "identicon" (default) / "jdenticon" / "vizhash".
+; icon = "none"
+
+; Content Security Policy headers allow a website to restrict what sources are
+; allowed to be accessed in its context. You need to change this if you added
+; custom scripts from third-party domains to your templates, e.g. tracking
+; scripts or run your site behind certain DDoS-protection services.
+; Check the documentation at https://content-security-policy.com/
+; Notes:
+; - If you use any bootstrap theme, you can remove the allow-popups from the
+;   sandbox restrictions.
+; - If you use the bootstrap5 theme, you must change default-src to 'self' to
+;   enable display of the svg icons
+; - By default this disallows to load images from third-party servers, e.g. when
+;   they are embedded in pastes. If you wish to allow that, you can adjust the
+;   policy here. See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-it-load-embedded-images
+;   for details.
+; - The 'wasm-unsafe-eval' is used to enable webassembly support (used for zlib
+;   compression). You can remove it if compression doesn't need to be supported.
+; cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'wasm-unsafe-eval'; style-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"
+
+; stay compatible with PrivateBin Alpha 0.19, less secure
+; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of
+; sha256 in HMAC for the deletion token
+; zerobincompatibility = false
+
+; Enable or disable the warning message when the site is served over an insecure
+; connection (insecure HTTP instead of HTTPS), defaults to true.
+; Secure transport methods like Tor and I2P domains are automatically whitelisted.
+; It is **strongly discouraged** to disable this.
+; See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-it-show-me-an-error-about-an-insecure-connection for more information.
+; httpwarning = true
+
+; Pick compression algorithm or disable it. Only applies to pastes/comments
+; created after changing the setting.
+; Can be set to one these values: "none" / "zlib" (default).
+; compression = "zlib"
+
+[expire]
+; expire value that is selected per default
+; make sure the value exists in [expire_options]
+default = "1week"
+
+[expire_options]
+; Set each one of these to the number of seconds in the expiration period,
+; or 0 if it should never expire
+5min = 300
+10min = 600
+1hour = 3600
+1day = 86400
+1week = 604800
+; Well this is not *exactly* one month, it's 30 days:
+1month = 2592000
+1year = 31536000
+never = 0
+
+[formatter_options]
+; Set available formatters, their order and their labels
+plaintext = "Plain Text"
+syntaxhighlighting = "Source Code"
+markdown = "Markdown"
+
+[traffic]
+; time limit between calls from the same IP address in seconds
+; Set this to 0 to disable rate limiting.
+limit = 10
+
+; (optional) Set IPs addresses (v4 or v6) or subnets (CIDR) which are exempted
+; from the rate-limit. Invalid IPs will be ignored. If multiple values are to
+; be exempted, the list needs to be comma separated. Leave unset to disable
+; exemptions.
+; exempted = "1.2.3.4,10.10.10/24"
+
+; (optional) If you want only some source IP addresses (v4 or v6) or subnets
+; (CIDR) to be allowed to create pastes, set these here. Invalid IPs will be
+; ignored. If multiple values are to be exempted, the list needs to be comma
+; separated. Leave unset to allow anyone to create pastes.
+; creators = "1.2.3.4,10.10.10/24"
+
+; (optional) if your website runs behind a reverse proxy or load balancer,
+; set the HTTP header containing the visitors IP address, i.e. X_FORWARDED_FOR
+; header = "X_FORWARDED_FOR"
+
+[purge]
+; minimum time limit between two purgings of expired pastes, it is only
+; triggered when pastes are created
+; Set this to 0 to run a purge every time a paste is created.
+limit = 300
+
+; maximum amount of expired pastes to delete in one purge
+; Set this to 0 to disable purging. Set it higher, if you are running a large
+; site
+batchsize = 10
+
+;[model]
+; name of data model class to load and directory for storage
+; the default model "Filesystem" stores everything in the filesystem
+;class = Filesystem
+;[model_options]
+;dir = PATH "data"
+
+;[model]
+; example of a Google Cloud Storage configuration
+;class = GoogleCloudStorage
+;[model_options]
+;bucket = "my-private-bin"
+;prefix = "pastes"
+;uniformacl = false
+
+;[model]
+; example of DB configuration for MySQL
+;class = Database
+;[model_options]
+;dsn = "mysql:host=localhost;dbname=privatebin;charset=UTF8"
+;tbl = "privatebin_"	; table prefix
+;usr = "privatebin"
+;pwd = "Z3r0P4ss"
+;opt[12] = true	  ; PDO::ATTR_PERSISTENT
+
+;[model]
+; example of DB configuration for SQLite
+;class = Database
+;[model_options]
+;dsn = "sqlite:" PATH "data/db.sq3"
+;usr = null
+;pwd = null
+;opt[12] = true	; PDO::ATTR_PERSISTENT
+
+[model]
+; example of DB configuration for PostgreSQL
+class = Database
+[model_options]
+dsn = "pgsql:host=10.0.6.178;dbname=privatebin"
+tbl = "privatebin_"     ; table prefix
+usr = "privatebin"
+pwd = "privatebin"
+opt[12] = true    ; PDO::ATTR_PERSISTENT
+
+;[model]
+; example of S3 configuration for Rados gateway / CEPH
+;class = S3Storage
+;[model_options]
+;region = ""
+;version = "2006-03-01"
+;endpoint = "https://s3.my-ceph.invalid"
+;use_path_style_endpoint = true
+;bucket = "my-bucket"
+;accesskey = "my-rados-user"
+;secretkey = "my-rados-pass"
+
+;[model]
+; example of S3 configuration for AWS
+;class = S3Storage
+;[model_options]
+;region = "eu-central-1"
+;version = "latest"
+;bucket = "my-bucket"
+;accesskey = "access key id"
+;secretkey = "secret access key"
+
+;[model]
+; example of S3 configuration for AWS using its SDK default credential provider chain
+; if relying on environment variables, the AWS SDK will look for the following:
+; - AWS_ACCESS_KEY_ID
+; - AWS_SECRET_ACCESS_KEY
+; - AWS_SESSION_TOKEN (if needed)
+; for more details, see https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_credentials.html#default-credential-chain
+;class = S3Storage
+;[model_options]
+;region = "eu-central-1"
+;version = "latest"
+;bucket = "my-bucket"
+
+;[yourls]
+; When using YOURLS as a "urlshortener" config item:
+; - By default, "urlshortener" will point to the YOURLS API URL, with or without
+;   credentials, and will be visible in public on the PrivateBin web page.
+;   Only use this if you allow short URL creation without credentials.
+; - Alternatively, using the parameters in this section ("signature" and
+;   "apiurl"), "urlshortener" needs to point to the base URL of your PrivateBin
+;   instance with "?shortenviayourls&link=" appended. For example:
+;   urlshortener = "${basepath}?shortenviayourls&link="
+;   This URL will in turn call YOURLS on the server side, using the URL from
+;   "apiurl" and the "access signature" from the "signature" parameters below.
+
+; (optional) the "signature" (access key) issued by YOURLS for the using account
+; signature = ""
+; (optional) the URL of the YOURLS API, called to shorten a PrivateBin URL
+; apiurl = "https://yourls.example.com/yourls-api.php"
+
+;[sri]
+; Subresource integrity (SRI) hashes used in template files. Uncomment and set
+; these for all js files used. See:
+; https://github.com/PrivateBin/PrivateBin/wiki/FAQ#user-content-how-to-make-privatebin-work-when-i-have-changed-some-javascript-files
+;js/privatebin.js = "sha512-[…]"

config/docker/current/traefik/config/mw-authentik.yaml

@@ -0,0 +1,19 @@
+http:
+  middlewares:
+    middlewares-authentik:
+      forwardAuth:
+        address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
+        trustForwardHeader: true
+        authResponseHeaders:
+          - X-authentik-username
+          - X-authentik-groups
+          - X-authentik-email
+          - X-authentik-name
+          - X-authentik-uid
+          - X-authentik-jwt
+          - X-authentik-meta-jwks
+          - X-authentik-meta-outpost
+          - X-authentik-meta-provider
+          - X-authentik-meta-app
+          - X-authentik-meta-version
+          

config/docker/current/traefik/config/mw-basic-auth.yaml

@@ -0,0 +1,8 @@
+http:
+  middlewares:
+    middlewares-basic-auth:
+      basicAuth:
+        # users:
+        #   - "user:$apsdfs.$EntPC0w3FtswWvC/6fTVJ7IUVtX1"
+        usersFile: "/users" #be sure to mount the volume through docker-compose.yml
+        realm: "Traefik 3 Basic Auth"

config/docker/current/traefik/config/mw-buffering.yaml

@@ -0,0 +1,18 @@
+################################################################
+# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
+# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
+# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
+#
+# Dynamic configuration
+################################################################
+http:
+  middlewares:
+    # Prevent too large of a body
+    # https://stackoverflow.com/questions/49717670/how-to-config-upload-body-size-restriction-in-traefik
+    middlewares-buffering:
+      buffering:
+        maxRequestBodyBytes: 10485760
+        memRequestBodyBytes: 2097152
+        maxResponseBodyBytes: 10485760
+        memResponseBodyBytes: 2097152
+        retryExpression: "IsNetworkError() && Attempts() <= 2"

config/docker/current/traefik/config/mw-chain-authentik.yaml

@@ -0,0 +1,9 @@
+http:
+  middlewares:        
+    chain-authentik:
+      chain:
+        middlewares:
+#          - middlewares-crowdsec-bouncer
+          - middlewares-rate-limit
+          - middlewares-secure-headers
+          - middlewares-authentik

config/docker/current/traefik/config/mw-chain-no-auth.yaml

@@ -0,0 +1,8 @@
+http:
+  middlewares:
+    chain-no-auth:
+      chain:
+        middlewares:
+          - middlewares-default-whitelist
+          - middlewares-rate-limit
+          - middlewares-secure-headers

config/docker/current/traefik/config/mw-compress.yaml

@@ -0,0 +1,12 @@
+################################################################
+# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
+# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
+# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
+#
+# Dynamic configuration
+################################################################
+http:
+  middlewares:
+    # Compress to save bandwidth
+    middlewares-compress:
+      compress: {}

config/docker/current/traefik/config/mw-https-redirectscheme.yaml

@@ -0,0 +1,15 @@
+################################################################
+# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
+# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
+# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
+#
+# Dynamic configuration
+################################################################
+http:
+  middlewares:
+    # Middleware for Redirection
+    # This can be used instead of global redirection
+    middlewares-https-redirectscheme:
+      redirectScheme:
+        scheme: https
+        permanent: true

config/docker/current/traefik/config/mw-secure-headers.yaml

@@ -0,0 +1,38 @@
+################################################################
+# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
+# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
+# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
+#
+# Dynamic configuration
+################################################################
+http:
+  middlewares:
+    ################################################################
+    # Good Basic Security Practices
+    ################################################################
+    middlewares-secure-headers:
+      headers:
+        accessControlAllowMethods:
+          - GET
+          - OPTIONS
+          - PUT
+        accessControlMaxAge: 100
+        hostsProxyHeaders:
+          - "X-Forwarded-Host"
+        stsSeconds: 63072000
+        stsIncludeSubdomains: true
+        stsPreload: true
+        forceSTSHeader: true
+        customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME"}}" #CSP takes care of this but may be needed for organizr.
+        #customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+        contentTypeNosniff: true
+        browserXssFilter: true
+        # sslForceHost: true # add sslHost to all of the services
+        # sslHost: "{{env "DOMAINNAME"}}"
+        referrerPolicy: "same-origin"
+        # permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=()"
+        customResponseHeaders:
+          # X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
+          # server: ""
+          # https://community.traefik.io/t/how-to-make-websockets-work-with-traefik-2-0-setting-up-rancher/1732
+          X-Forwarded-Proto: "https"

config/docker/current/traefik/config/tls-opts.yaml

@@ -0,0 +1,35 @@
+################################################################
+# TLS Options (https://jellyfin.org/docs/general/networking/traefik2.html#traefik-providertoml)
+# toml -> yml
+# 2024 updates to cipherSuites from (https://www.smarthomebeginner.com/traefik-v3-docker-compose-guide-2024/)
+#
+# Set secure options by disabling insecure older TLS/SSL versions
+# and insecure ciphers. SNIStrict disabled leaves TLS1.0 open.
+# If you have problems with older clients, you can may need to relax
+# these minimums. This configuration will give you an A+ SSL security
+# score supporting TLS1.2 and TLS1.3
+#
+# Dynamic configuration
+# https://doc.traefik.io/traefik/https/tls/
+################################################################
+tls:
+  options:
+    tls-opts:
+      sniStrict: true
+      minVersion: VersionTLS12
+      cipherSuites:
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+        - TLS_AES_128_GCM_SHA256
+        - TLS_AES_256_GCM_SHA384
+        - TLS_CHACHA20_POLY1305_SHA256
+        - TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
+      curvePreferences:
+        - secp521r1 # CurveP521
+        - secp384r1 # CurveP384
+    mintls13:
+      minVersion: VersionTLS13

config/docker/current/traefik/old/config/mw-chain-basic-auth.yaml

@@ -0,0 +1,8 @@
+http:
+  middlewares:
+    chain-basic-auth:
+      chain:
+        middlewares:
+          - middlewares-rate-limit
+          - middlewares-secure-headers
+          - middlewares-basic-auth

config/docker/current/traefik/old/config/mw-crowdsec-bouncer.yaml

@@ -0,0 +1,6 @@
+http:
+  middlewares:    
+    middlewares-crowdsec-bouncer:
+      forwardauth:
+        address: http://bouncer-traefik:8080/api/v1/forwardAuth
+        trustForwardHeader: true

config/docker/current/traefik/old/config/mw-default-whitelist.yaml

@@ -0,0 +1,8 @@
+http:
+  middlewares:
+    middlewares-default-whitelist:
+      ipWhiteList:
+        sourceRange:
+        - "10.0.0.0/8"
+        - "192.168.0.0/16"
+        - "172.16.0.0/12"

config/docker/current/traefik/old/config/mw-rate-limit.yaml

@@ -0,0 +1,6 @@
+http:
+  middlewares:
+    middlewares-rate-limit:
+      rateLimit:
+        average: 100
+        burst: 50

config/docker/current/traefik/traefik.yaml

@@ -0,0 +1,141 @@
+# Traefik 3.x (YAML)
+# Updated 2024-June-04
+
+################################################################
+# Global configuration - https://doc.traefik.io/traefik/reference/static-configuration/file/
+################################################################
+global:
+  checkNewVersion: true #false
+  sendAnonymousUsage: false
+
+################################################################
+# Entrypoints - https://doc.traefik.io/traefik/routing/entrypoints/
+################################################################
+entryPoints:
+  web:
+    address: ":80"
+    # Global HTTP to HTTPS redirection
+    http:
+#      middlewares:
+#        - crowdsec-bouncer@file
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+          permanent: true
+
+  websecure:
+    address: ":443"
+    http:
+#      middlewares:
+#        - crowdsec-bouncer@file
+      tls:
+        options: tls-opts@file
+        certResolver: dns-cloudflare
+        domains:
+          - main: "{{env "DOMAINNAME0"}}"
+            sans:
+              - "*.{{env "DOMAINNAME0"}}"
+          - main: "{{env "DOMAINNAME1"}}"
+            sans:
+              - "*.{{env "DOMAINNAME1"}}"
+          - main: "{{env "DOMAINNAME2"}}"
+            sans:
+              - "*.{{env "DOMAINNAME2"}}"
+          - main: "{{env "DOMAINNAME3"}}"
+            sans:
+              - "*.{{env "DOMAINNAME3"}}"
+    forwardedHeaders:
+      trustedIPs:
+        # Cloudflare (https://www.cloudflare.com/ips-v4)
+        - "173.245.48.0/20"
+        - "103.21.244.0/22"
+        - "103.22.200.0/22"
+        - "103.31.4.0/22"
+        - "141.101.64.0/18"
+        - "108.162.192.0/18"
+        - "190.93.240.0/20"
+        - "188.114.96.0/20"
+        - "197.234.240.0/22"
+        - "198.41.128.0/17"
+        - "162.158.0.0/15"
+        - "104.16.0.0/13"
+        - "104.24.0.0/14"
+        - "172.64.0.0/13"
+        - "131.0.72.0/22"
+        - "104.16.0.0/13"
+        - "104.24.0.0/14"
+        # Local IPs
+        - "127.0.0.1/32"
+        - "10.0.0.0/8"
+        - "192.168.0.0/16"
+        - "172.16.0.0/12"
+
+################################################################
+# Logs - https://doc.traefik.io/traefik/observability/logs/
+################################################################
+log:
+  level: INFO # Options: DEBUG, PANIC, FATAL, ERROR (Default), WARN, and INFO
+  filePath: /logs/traefik-container.log # Default is to STDOUT
+  # format: json # Uses text format (common) by default
+  noColor: false # Recommended to be true when using common
+  maxSize: 100 # In megabytes
+  compress: true # gzip compression when rotating
+
+################################################################
+# Access logs - https://doc.traefik.io/traefik/observability/access-logs/
+################################################################
+accessLog:
+  addInternals: true  # things like ping@internal
+  filePath: /logs/traefik-access.log # In the Common Log Format (CLF) by default
+  bufferingSize: 100 # Number of log lines
+  fields:
+    names:
+      StartUTC: drop  # Write logs in Container Local Time instead of UTC
+  filters:
+    statusCodes:
+      - "204-299"
+      - "400-499"
+      - "500-599"
+
+################################################################
+# API and Dashboard
+################################################################
+api:
+  dashboard: true
+  # Rely on api@internal and Traefik with Middleware to control access
+  # insecure: true
+
+################################################################
+# Providers - https://doc.traefik.io/traefik/providers/docker/
+################################################################
+providers:
+  docker:
+    #endpoint: "unix:///var/run/docker.sock" # Comment if using socket-proxy
+    endpoint: "tcp://socket-proxy:2375" # Uncomment if using socket proxy
+    exposedByDefault: false
+    network: proxy  # network to use for connections to all containers
+    # defaultRule: TODO
+
+  # Enable auto loading of newly created rules by watching a directory
+  file:
+  # Apps, LoadBalancers, TLS Options, Middlewares, Middleware Chains
+    directory: /config
+    watch: true
+
+################################################################
+# Let's Encrypt (ACME)
+################################################################
+certificatesResolvers:
+  dns-cloudflare:
+    acme:
+      email: "{{env "CF_API_EMAIL"}}"
+      storage: "/acme.json"
+      #caServer: "https://acme-staging-v02.api.letsencrypt.org/directory" # Comment out when going prod
+      dnsChallenge:
+        provider: cloudflare
+        #delayBeforeCheck: 30 # Default is 2m0s.  This changes the delay (in seconds)
+        # Custom DNS server resolution
+        resolvers:
+          - "1.1.1.1:53"
+          - "8.8.8.8:53"

docker/.env

@@ -29,7 +29,7 @@ DOMAINNAME3=home.gurulandia.fi
 ##### Traefik Container
 TRAEFIK_CONTAINER_NAME=traefik
 TRAEFIK_IMAGE=traefik
-TRAEFIK_VERSION=latest
+TRAEFIK_TAG=latest
 TRAEFIK_RESTART_POLICY=unless-stopped
 #TRAEFIK_IP0=192.168.91.254
 #TRAEFIK_IP1=192.168.92.252
@@ -37,7 +37,7 @@ TRAEFIK_RESTART_POLICY=unless-stopped
 ##### socket-proxy Container
 SOCKET_PROXY_CONTAINER_NAME=socket-proxy
 SOCKET_PROXY_IMAGE=ghcr.io/tecnativa/docker-socket-proxy
-SOCKET_PROXY_VERSION=latest
+SOCKET_PROXY_TAG=latest
 SOCKET_PROXY_RESTART_POLICY=always
 #SOCKET_PROXY_IP=192.168.92.254
 
@@ -61,7 +61,7 @@ RESOLVER1=1.0.0.1:53
 ##### Crowdsec Container
 CROWDSEC_CONTAINER_NAME=crowdsec
 CROWDSEC_IMAGE=crowdsecurity/crowdsec
-CROWDSEC_VERSION=latest
+CROWDSEC_TAG=latest
 CROWDSEC_RESTART_POLICY=unless-stopped
 #CROWDSEC_COLLECTIONS="crowdsecurity/linux crowdsecurity/traefik"
 CROWDSEC_COLLECTIONS="crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/whitelist-good-actors crowdsecurity/iptables crowdsecurity/linux fulljackz/proxmox"
@@ -70,7 +70,7 @@ CROWDSEC_COLLECTIONS="crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity
 ##### bouncer-traefik Container
 BT_CONTAINER_NAME=bouncer-traefik
 BT_IMAGE=docker.io/fbonalair/traefik-crowdsec-bouncer
-BT_VERSION=latest
+BT_TAG=latest
 BT_RESTART_POLICY=unless-stopped
 GIN_MODE=release
 #BT_IP=192.168.92.251

docker/.env.template

@@ -25,3 +25,111 @@ SOCKET_PROXY_VERSION=latest
 SOCKET_PROXY_RESTART_POLICY=always
 
 DOCKER_ENDPOINT=tcp://${SOCKET_PROXY_CONTAINER_NAME}:2375
+
+#Configure
+#COMPOSE_PROJECT_NAME
+#COMPOSE_FILE
+#Specifies the path to a Compose file. Specifying multiple Compose files is supported.
+
+#Default behavior: If not provided, Compose looks for a file named compose.yaml in the current directory and, if not found, then Compose searches each parent directory recursively until a file by that name is found.
+#When specifying multiple Compose files, the path separators are, by default, on:
+#Mac and Linux: : (colon)
+
+#Windows: ; (semicolon) For example:
+#COMPOSE_FILE=docker-compose.yml:docker-compose.prod.yml
+
+#The path separator can also be customized using COMPOSE_PATH_SEPARATOR.
+#See also the command-line options overview and using -f to specify name and path of one or more Compose files.
+
+#COMPOSE_PROFILES
+#Specifies one or more profiles to be enabled when docker compose up is run.
+#
+#Services with matching profiles are started as well as any services for which no profile has been defined.
+#
+#For example, calling docker compose upwith COMPOSE_PROFILES=frontend selects services with the frontend profile as well as any services without a profile specified.
+#
+#If specifying multiple profiles, use a comma as a separator.
+
+#This following example enables all services matching both the frontend and debug profiles and services without a profile.
+
+#COMPOSE_PROFILES=frontend,debug
+#See also Using profiles with Compose and the --profile command-line option.
+
+#COMPOSE_CONVERT_WINDOWS_PATHS
+#When enabled, Compose performs path conversion from Windows-style to Unix-style in volume definitions.
+
+#Supported values:
+#true or 1, to enable
+#false or 0, to disable
+#Defaults to: 0
+
+#COMPOSE_PATH_SEPARATOR
+#Specifies a different path separator for items listed in COMPOSE_FILE.
+
+#Defaults to:
+#On macOS and Linux to :
+#On Windows to;
+
+#COMPOSE_IGNORE_ORPHANS
+#When enabled, Compose doesn't try to detect orphaned containers for the project.
+
+#Supported values:
+#true or 1, to enable
+#false or 0, to disable
+#Defaults to: 0
+
+#COMPOSE_REMOVE_ORPHANS
+#When enabled, Compose automatically removes orphaned containers when updating a service or stack. Orphaned containers are those that were created by a previous configuration but are no longer defined in the current compose.yaml file.
+
+#Supported values:
+#true or 1, to enable automatic removal of orphaned containers
+#false or 0, to disable automatic removal. Compose displays a warning about orphaned containers instead.
+#Defaults to: 0
+
+#COMPOSE_PARALLEL_LIMIT
+#Specifies the maximum level of parallelism for concurrent engine calls.
+
+#COMPOSE_ANSI
+#Specifies when to print ANSI control characters.
+
+#Supported values:
+#auto, Compose detects if TTY mode can be used. Otherwise, use plain text mode
+#never, use plain text mode
+#always or 0, use TTY mode
+#Defaults to: auto
+
+#COMPOSE_STATUS_STDOUT
+#When enabled, Compose writes its internal status and progress messages to stdout instead of stderr. The default value is false to clearly separate the output streams between Compose messages and your container's logs.
+
+#Supported values:
+#true or 1, to enable
+#false or 0, to disable
+#Defaults to: 0
+
+#COMPOSE_ENV_FILES
+
+#Lets you specify which environment files Compose should use if --env-file isn't used.
+
+#When using multiple environment files, use a comma as a separator. For example:
+
+#COMPOSE_ENV_FILES=.env.envfile1, .env.envfile2
+#If COMPOSE_ENV_FILES is not set, and you don't provide --env-file in the CLI, Docker Compose uses the default behavior, which is to look for an .env file in the project directory.
+
+#COMPOSE_MENU
+#Requires:
+#Docker Compose 2.26.0 and later
+#When enabled, Compose displays a navigation menu where you can choose to open the Compose stack in Docker Desktop, switch on watch mode, or use Docker Debug.
+
+#Supported values:
+#true or 1, to enable
+#false or 0, to disable
+#Defaults to: 1 if you obtained Docker Compose through Docker Desktop, otherwise default is 0
+#COMPOSE_EXPERIMENTAL
+#Requires:
+#Docker Compose 2.26.0 and later
+#This is an opt-out variable. When turned off it deactivates the experimental features such as the navigation menu or Synchronized file shares.
+
+#Supported values:
+#true or 1, to enable
+#false or 0, to disable
+#Defaults to: 1

docker/Lenpaste/compose.yaml

@@ -0,0 +1,25 @@
+version: "3.4"
+
+services:
+  postgres:
+    image: docker.io/library/postgres:16.1
+    environment:
+      - PGDATA=/var/lib/postgresql/data/pgdata
+      - POSTGRES_USER=lenpaste
+      - POSTGRES_PASSWORD=pass
+    volumes:
+      - "${PWD}/data/postgres:/var/lib/postgresql/data"
+
+  lenpaste:
+    image: ghcr.io/lcomrade/lenpaste:1.3.1
+    restart: on-failure:10
+    environment:
+      - LENPASTE_DB_DRIVER=postgres
+      - LENPASTE_DB_SOURCE=postgres://lenpaste:lenpaste@10.0.6.178/lenpaste?sslmode=disable
+    #postgresql://[user[:password]@][netloc][:port][/dbname][?param1=value1&...]
+    volumes:
+      - "${PWD}/data:/data"
+    ports:
+      - "58080:80"
+    depends_on:
+      - postgres

docker/Netbootxyz/compose.yaml

@@ -0,0 +1,23 @@
+services:
+  netbootxyz:
+    # image: ghcr.io/netbootxyz/netbootxyz
+    image: lscr.io/linuxserver/netbootxyz:latest
+    container_name: netbootxyz
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Etc/UTC
+      #- MENU_VERSION=1.9.9 #optional
+      #- PORT_RANGE=30000:30010 #optional
+      #- SUBFOLDER=/ #optional
+      #- MENU_VERSION=2.0.47 # optional
+      - NGINX_PORT=80 # optional
+      - WEB_APP_PORT=3000 # optional
+    volumes:
+      - /gurulandia/data/netbootxyz/config:/config # optional
+      - /gurulandia/data/netbootxyz/assets:/assets # optional
+    ports:
+      - 3001:3000  # optional, destination should match ${WEB_APP_PORT} variable above.
+      - 69:69/udp
+      - 8080:80  # optional, destination should match ${NGINX_PORT} variable above.
+    restart: unless-stopped

docker/PrivateBin/behind-proxy-with-db/compose.override.yml

@@ -0,0 +1,24 @@
+services:
+    privatebin:
+        labels:
+        - "traefik.enable=true"
+        ## HTTP Routers
+        - "traefik.http.routers.${PRIVATEBIN_HOSTNAME}-rtr.entrypoints=https"
+        - "traefik.http.routers.${PRIVATEBIN_HOSTNAME}-rtr.rule=Host(`${PRIVATEBIN_HOSTNAME}.$DOMAINNAME1`)"
+        ## Middlewares
+    #      - "traefik.http.routers.${PRIVATEBIN_HOSTNAME}-rtr.middlewares=chain-authelia@file"
+        - "traefik.http.routers.${PRIVATEBIN_HOSTNAME}-rtr.middlewares=chain-no-auth@file"
+        ## HTTP Services
+        - "traefik.http.routers.${PRIVATEBIN_HOSTNAME}-rtr.service=${PRIVATEBIN_HOSTNAME}-svc"
+        - "traefik.http.services.${PRIVATEBIN_HOSTNAME}-svc.loadbalancer.server.port=8080"
+        depends_on:
+            db:
+                condition: service_healthy
+        networks:
+            - ${PRIVATEBINDB_NETWORk_ID}
+    db:
+        image: ${PRIVATEBINDB_IMAGE}:${PRIVATEBINDB_TAG}
+        container_name: ${PRIVATEBINDB_CONTAINER_NAME}
+        restart: ${PRIVATEBINDB_RESTART_POLICY}
+        networks:
+            - ${PRIVATEBINDB_NETWORk_ID}

docker/PrivateBin/behind-proxy-with-db/compose.yaml

@@ -0,0 +1,10 @@
+name: privatebin
+# Docker Compose v2.20 or greater required to use "include"
+include:
+#################### NETWORKS ####################
+  - ../../compose/networks/${PRIVATEBIN_NETWORk_ID}.yaml
+  - ../../compose/networks/${PRIVATEBINDB_NETWORk_ID}.yaml
+#################### SERVICES ####################
+  - ../../compose/postgres.yaml
+  - ../../compose/privatebin.yaml
+  

docker/PrivateBin/behind-proxy-with-db/deploy.sh

@@ -0,0 +1,5 @@
+docker compose \
+--env-file ../../env/privatebin-stack.env \
+--env-file ../../env/privatebin-db.env \
+--env-file ../../env/common.env \
+$1

docker/PrivateBin/behind-proxy/compose.override.yml

@@ -0,0 +1,13 @@
+services:
+  privatebin:
+    labels:
+      - "traefik.enable=true"
+      ## HTTP Routers
+      - "traefik.http.routers.${PRIVATEBIN_HOSTNAME}-rtr.entrypoints=https"
+      - "traefik.http.routers.${PRIVATEBIN_HOSTNAME}-rtr.rule=Host(`${PRIVATEBIN_HOSTNAME}.$DOMAINNAME1`)"
+      ## Middlewares
+#      - "traefik.http.routers.${PRIVATEBIN_HOSTNAME}-rtr.middlewares=chain-authelia@file"
+      - "traefik.http.routers.${PRIVATEBIN_HOSTNAME}-rtr.middlewares=chain-no-auth@file"
+      ## HTTP Services
+      - "traefik.http.routers.${PRIVATEBIN_HOSTNAME}-rtr.service=${PRIVATEBIN_HOSTNAME}-svc"
+      - "traefik.http.services.${PRIVATEBIN_HOSTNAME}-svc.loadbalancer.server.port=8080"

docker/PrivateBin/behind-proxy/compose.yaml

@@ -0,0 +1,7 @@
+name: privatebin
+# Docker Compose v2.20 or greater required to use "include"
+include:
+#################### NETWORKS ####################
+  - ../../compose/networks/${PRIVATEBIN_NETWORk_ID}.yaml
+#################### SERVICES ####################
+  - ../../compose/privatebin.yaml

docker/PrivateBin/behind-proxy/deploy.sh

@@ -0,0 +1,4 @@
+docker compose \
+--env-file ../../env/privatebin-stack.env \
+--env-file ../../env/common.env \
+$1

docker/PrivateBin/compose.override.yml

@@ -0,0 +1,4 @@
+services:
+    privatebin:
+        volumes:
+            - ${DOCKERDIR}/private-bin/conf.php:/srv/cfg/conf.php:ro

docker/PrivateBin/compose.yaml

@@ -0,0 +1,7 @@
+name: privatebin
+# Docker Compose v2.20 or greater required to use "include"
+include:
+#################### NETWORKS ####################
+  - ../../compose/networks/${PRIVATEBIN_NETWORk_ID}.yaml
+#################### SERVICES ####################
+  - ../../compose/privatebin.yaml

docker/PrivateBin/deploy.sh

@@ -0,0 +1,4 @@
+docker compose \
+--env-file ../env/privatebin-stack.env \
+--env-file ../env/common.env \
+$1

docker/PrivateBin/with-db/compose.override.yml

@@ -0,0 +1,13 @@
+services:
+    privatebin:
+        volumes:
+            - ${DOCKERDIR}/private-bin/conf.php:/srv/cfg/conf.php:ro
+        depends_on:
+            db:
+                condition: service_healthy
+    db:
+        image: ${PRIVATEBINDB_IMAGE}:${PRIVATEBINDB_TAG}
+        container_name: ${PRIVATEBINDB_CONTAINER_NAME}
+        restart: ${PRIVATEBINDB_RESTART_POLICY}
+        networks:
+            - ${PRIVATEBIN_NETWORk_ID}

docker/PrivateBin/with-db/compose.yml

@@ -0,0 +1,9 @@
+name: privatebin
+# Docker Compose v2.20 or greater required to use "include"
+include:
+#################### NETWORKS ####################
+  - ../../compose/networks/${PRIVATEBIN_NETWORk_ID}.yaml
+  - ../../compose/networks/${PRIVATEBINDB_NETWORk_ID}.yaml
+#################### SERVICES ####################
+  - ../../compose/postgres.yaml
+  - ../../compose/privatebin.yaml

docker/PrivateBin/with-db/deploy.sh

@@ -0,0 +1,5 @@
+docker compose \
+--env-file ../../env/privatebin-stack.env \
+--env-file ../../env/privatebin-db.env \
+--env-file ../../env/common.env \
+$1

docker/YeetFile/behind-proxy-with-db/compose.override.yml

@@ -0,0 +1,37 @@
+services:
+    api:
+        environment:
+            YEETFILE_DB_HOST: db
+            YEETFILE_DOMAIN: "${YEETFILE_HOSTNAME}.$DOMAINNAME1"
+        labels:
+        - "traefik.enable=true"
+        ## HTTP Routers
+        - "traefik.http.routers.${YEETFILE_HOSTNAME}-rtr.entrypoints=https"
+        - "traefik.http.routers.${YEETFILE_HOSTNAME}-rtr.rule=Host(`${YEETFILE_HOSTNAME}.$DOMAINNAME1`)"
+        ## Middlewares
+    #             - "traefik.http.routers.${YEETFILE_HOSTNAME}-rtr.middlewares=chain-authelia@file"
+        - "traefik.http.routers.${YEETFILE_HOSTNAME}-rtr.middlewares=chain-no-auth@file"
+        ## HTTP Services
+        - "traefik.http.routers.${YEETFILE_HOSTNAME}-rtr.service=${YEETFILE_HOSTNAME}-svc"
+        - "traefik.http.services.${YEETFILE_HOSTNAME}-svc.loadbalancer.server.port=8090"
+        networks:            
+         - ${YEETFILEDB_NETWORk_ID}
+        depends_on:
+            db:
+                condition: service_healthy
+    db:
+        image: ${YEETFILEDB_IMAGE}:${YEETFILEDB_TAG}
+        container_name: ${YEETFILEDB_CONTAINER_NAME}
+        restart: ${YEETFILEDB_RESTART_POLICY}
+        environment:
+            POSTGRES_HOST_AUTH_METHOD: ${POSTGRES_HOST_AUTH_METHOD:-md5}
+            POSTGRES_USER: ${YEETFILE_DB_USER:-postgres}
+            POSTGRES_PASSWORD: ${YEETFILE_DB_PASS:-postgres}
+            POSTGRES_DB: ${YEETFILE_DB_NAME:-yeetfile}
+        expose:
+        - 5432
+        healthcheck:
+         test: [ "CMD-SHELL", "pg_isready -U postgres" ]
+         interval: 3s
+        networks:            
+            - ${YEETFILEDB_NETWORk_ID}

docker/YeetFile/behind-proxy-with-db/compose.yml

@@ -0,0 +1,10 @@
+name: yeetfile
+# Docker Compose v2.20 or greater required to use "include"
+include:
+#################### NETWORKS ####################
+  - ../../compose/networks/${YEETFILE_NETWORk_ID}.yaml  
+  - ../../compose/networks/${YEETFILEDB_NETWORk_ID}.yaml  
+#################### SERVICES ####################
+  - ../../compose/postgres.yaml
+  - ../../compose/yeetfile.yaml
+  

docker/YeetFile/behind-proxy-with-db/deploy.sh

@@ -0,0 +1,6 @@
+#docker create network -d brigde proxy
+#docker create network -d bridge backend
+docker compose --env-file ../../env/YeetFile-stack.env \
+--env-file ../../env/YeetFile-db.env \
+--env-file ../../env/YeetFile.env \
+--env-file ../../env/common.env $1

docker/YeetFile/behind-proxy/compose.override.yml

@@ -0,0 +1,15 @@
+services:
+  api:
+    environment:
+      YEETFILE_DOMAIN: "${YEETFILE_HOSTNAME}.$DOMAINNAME1"
+    labels:
+      - "traefik.enable=true"
+      ## HTTP Routers
+      - "traefik.http.routers.${YEETFILE_HOSTNAME}-rtr.entrypoints=https"
+      - "traefik.http.routers.${YEETFILE_HOSTNAME}-rtr.rule=Host(`${YEETFILE_HOSTNAME}.$DOMAINNAME1`)"
+      ## Middlewares
+#             - "traefik.http.routers.${YEETFILE_HOSTNAME}-rtr.middlewares=chain-authentik@file"
+      - "traefik.http.routers.${YEETFILE_HOSTNAME}-rtr.middlewares=chain-no-auth@file"
+      ## HTTP Services
+      - "traefik.http.routers.${YEETFILE_HOSTNAME}-rtr.service=${YEETFILE_HOSTNAME}-svc"
+      - "traefik.http.services.${YEETFILE_HOSTNAME}-svc.loadbalancer.server.port=8090"

docker/YeetFile/behind-proxy/compose.yml

@@ -0,0 +1,7 @@
+name: yeetfile
+# Docker Compose v2.20 or greater required to use "include"
+include:
+#################### NETWORKS ####################
+  - ../../compose/networks/${YEETFILE_NETWORk_ID}.yaml
+#################### SERVICES ####################
+  - ../../compose/yeetfile.yaml

docker/YeetFile/behind-proxy/deploy.sh

@@ -0,0 +1,2 @@
+#docker create network -d brigde proxy
+docker compose --env-file ../../env/YeetFile-stack.env --env-file ../../env/common.env $1

docker/YeetFile/compose..override.yaml

@@ -0,0 +1,18 @@
+services:
+  api:
+    image: ${YEETFILE_IMAGE}:${YEETFILE_TAG}
+    container_name: ${YEETFILE_CONTAINER_NAME}
+    restart: ${YEETFILE_RESTART_POLICY}
+    security_opt:
+      - no-new-privileges:true
+    networks:
+      - ${YEETFILE_NETWORk_ID}    
+    ports:
+      - 8090:${YEETFILE_PORT:-8090}    
+    environment:
+      UID: ${UID:-1000}
+      GID: ${GID:-1000}
+      TZ: ${TZ}
+      YEETFILE_ALLOW_INSECURE_LINKS: 1
+      YEETFILE_SERVER_SECRET: 2N1oTtwOHTyEbTFtz0yDLuzq3DhgjIWmSKw4gNcH8Vk=
+    

docker/YeetFile/compose.yml

@@ -0,0 +1,7 @@
+name: yeetfile
+# Docker Compose v2.20 or greater required to use "include"
+include:
+#################### NETWORKS ####################
+  - ../compose/networks/${YEETFILE_NETWORk_ID}.yaml
+#################### SERVICES ####################
+  - ../compose/yeetfile.yaml

docker/YeetFile/deploy.sh

@@ -0,0 +1,2 @@
+#docker create network -d bridge yeetfile
+docker compose --env-file ../env/YeetFile-stack.env --env-file ../env/common.env $1

docker/YeetFile/with-db/compose.override.yml

@@ -0,0 +1,21 @@
+services:
+    api:
+        environment:
+            YEETFILE_ALLOW_INSECURE_LINKS: 1
+            YEETFILE_DB_HOST: db
+        depends_on:
+            db:
+              condition: service_healthy
+    db:
+        image: ${YEETFILEDB_IMAGE}:${YEETFILEDB_TAG}
+        container_name: ${YEETFILEDB_CONTAINER_NAME}
+        restart: ${YEETFILEDB_RESTART_POLICY}
+        environment:
+            POSTGRES_HOST_AUTH_METHOD: ${POSTGRES_HOST_AUTH_METHOD:-md5}
+            POSTGRES_USER: ${YEETFILE_DB_USER:-postgres}
+            POSTGRES_PASSWORD: ${YEETFILE_DB_PASS:-postgres}
+            POSTGRES_DB: ${YEETFILE_DB_NAME:-yeetfile}
+        expose:
+        - 5432
+        networks:
+            - ${YEETFILE_NETWORk_ID}

docker/YeetFile/with-db/compose.yml

@@ -0,0 +1,9 @@
+name: yeetfile
+# Docker Compose v2.20 or greater required to use "include"
+include:
+#################### NETWORKS ####################
+  - ../../compose/networks/${YEETFILE_NETWORk_ID}.yaml
+#################### SERVICES ####################
+  - ../../compose/postgres.yaml
+  - ../../compose/yeetfile.yaml
+  

docker/YeetFile/with-db/deploy.sh

@@ -0,0 +1,6 @@
+#docker create network -d bridge yeetfile
+#docker create network -d bridge backend
+docker compose --env-file ../../env/YeetFile-stack.env \
+--env-file ../../env/YeetFile.env \
+--env-file ../../env/YeetFile-db.env \
+--env-file ../../env/common.env $1

docker/compose/ferretdb.yaml

@@ -0,0 +1,21 @@
+services:
+  ferretdb:
+    container_name: ${FERRETDB_CONTAINER_NAME}
+    image: ${FERRETDB_IMAGE}
+    restart: ${FERRETDB_RESTART_POLICY}
+    security_opt:
+      - no-new-privileges:true
+    labels:
+      - "komodo.skip=" # Prevent Komodo from stopping with StopAllContainers            
+    #depends_on:
+    #  - postgres
+    logging:
+      driver: ${COMPOSE_LOGGING_DRIVER:-local}
+    networks:
+      - komodo
+    # ports:
+    #   - 27017:27017
+    env_file: ../env/komodo.env
+    environment:
+      #- FERRETDB_POSTGRESQL_URL=postgres://komodo:komodo@10.0.6.178/komodo?sslmode=disable
+      - FERRETDB_POSTGRESQL_URL=postgres://${PSQL_HOST}:${PSQL_PORT}/${KOMODO_DATABASE_DB_NAME:-komodo}?sslmode=disable

docker/compose/flatnotes.yaml

@@ -0,0 +1,21 @@
+services:
+  flatnotes:
+    image: ${FLATNOTES_IMAGE}:${FLATNOTES_TAG}
+    container_name: ${FLATNOTES_CONTAINER_NAME}
+    restart: ${FLATNOTES_RESTART_POLICY}
+    security_opt:
+      - no-new-privileges:true
+    networks:
+      - ${FLATNOTES_NETWORk_ID}
+#    ports:
+#      - "8080:8080"
+    environment:
+      PUID: ${UID:-1000}
+      PGID: ${GID:-1000}
+      TZ: ${TZ}      
+    env_file:
+      - path: ../env/flatnotes.env
+    volumes:
+      - ${DOCKERDIR}/flatnotes:/data
+      # Optional. Allows you to save the search index in a different location: 
+      # - "./index:/data/.flatnotes"

docker/compose/homepage.yaml

@@ -0,0 +1,18 @@
+services:
+  homepage:
+    image: ${HOMEPAGE_IMAGE}:${HOMEPAGE_TAG}
+    container_name: ${HOMEPAGE_CONTAINER_NAME}
+    restart: ${FLATNOTES_RESTART_POLICY}
+    security_opt:
+      - no-new-privileges:true
+    networks:
+      - ${HOMEPAGE_NETWORK_ID}    
+#    ports:
+#      - 3000:3000
+    volumes:
+      - ${DOCKERDIR}/homepage:/app/config # Make sure your local config directory exists
+#      - /var/run/docker.sock:/var/run/docker.sock:ro # (optional) For docker integrations
+    environment:
+      PUID: ${UID:-1000}
+      PGID: ${GID:-1000}
+      TZ: ${TZ}  

docker/compose/joplin-server.yaml

@@ -0,0 +1,18 @@
+services:
+  joplin-server:
+    image: ${JOPLIN_IMAGE}:${JOPLIN_TAG}
+    container_name: ${JOPLIN_CONTAINER_NAME}
+    restart: ${JOPLIN_RESTART_POLICY}
+    security_opt:
+      - no-new-privileges:true
+    networks:
+      - ${JOPLIN_NETWORk_ID}
+#    ports:
+#        - "22300:22300"
+    environment:
+      UID: ${UID:-1000}
+      GID: ${GID:-1000}
+      TZ: ${TZ}
+    env_file:
+      - path: ../env/joplin-srv.env
+      - path: ../env/joplin-srv-db.env

docker/compose/komodo-core.yaml

@@ -0,0 +1,59 @@
+secrets:
+  komodo_passkey:
+    file: ${SECRETSDIR}/komodo/komodo_passkey
+  komodo_webhook_secret:
+    file: ${SECRETSDIR}/komodo/komodo_webhook_secret
+  komodo_jwt_secret:
+    file: ${SECRETSDIR}/komodo/komodo_jwt_secret
+  komodo_oidc_client_id:
+    file: ${SECRETSDIR}/komodo/komodo_oidc_client_id
+  komodo_oidc_client_secret:
+    file: ${SECRETSDIR}/komodo/komodo_oidc_client_secret
+services:
+  core:
+    container_name: ${KOMODO_CORE_CONTAINER_NAME}
+    image: ${KOMODO_CORE_IMAGE}:${COMPOSE_KOMODO_IMAGE_TAG:-latest}
+    restart: ${KOMODO_RESTART_POLICY}
+    secrets:      
+      - komodo_passkey
+      - komodo_webhook_secret
+      - komodo_jwt_secret
+      - komodo_oidc_client_id
+      - komodo_oidc_client_secret
+    labels:                
+      - "komodo.skip=" # Prevent Komodo from stopping with StopAllContainers            
+      - "traefik.enable=true"
+      ## HTTP Routers
+      - "traefik.http.routers.${KOMODO_HOSTNAME}-rtr.entrypoints=https"
+      - "traefik.http.routers.${KOMODO_HOSTNAME}-rtr.rule=Host(`${KOMODO_HOSTNAME}.${DOMAINNAME1}`)"
+      ## Middlewares
+      - "traefik.http.routers.${KOMODO_HOSTNAME}-rtr.middlewares=chain-no-auth@file"
+      ## HTTP Services
+      - "traefik.http.routers.${KOMODO_HOSTNAME}-rtr.service=${KOMODO_HOSTNAME}-svc"
+      - "traefik.http.services.${KOMODO_HOSTNAME}-svc.loadbalancer.server.port=9120"
+    depends_on:
+      - ferretdb
+    logging:
+      driver: ${COMPOSE_LOGGING_DRIVER:-local}
+    networks:
+      - ${KOMODO_NETWORk_ID}
+      - komodo      
+#    ports:
+#      - 9120:9120
+    env_file: ../env/komodo.env
+    environment:
+      KOMODO_DATABASE_URI: mongodb://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@ferretdb:27017/${KOMODO_DATABASE_DB_NAME:-komodo}?authMechanism=PLAIN      
+    volumes:
+      ## Core cache for repos for latest commit hash / contents
+      - repo-cache:/repo-cache
+      ## Store sync files on server
+      # - /path/to/syncs:/syncs
+      ## Optionally mount a custom core.config.toml
+      # - /path/to/core.config.toml:/config/config.toml
+    ## Allows for systemd Periphery connection at 
+    ## "http://host.docker.internal:8120"
+    # extra_hosts:
+    #   - host.docker.internal:host-gateway
+volumes:
+  # Core
+  repo-cache:

docker/compose/komodo-periphery.yaml

@@ -0,0 +1,35 @@
+secrets:
+  komodo_passkey:
+    file: ${SECRETSDIR}/komodo/komodo_passkey
+services:
+  ## Deploy Periphery container using this block,
+  ## or deploy the Periphery binary with systemd using 
+  ## https://github.com/mbecker20/komodo/tree/main/scripts
+  periphery:
+    container_name: ${KOMODO_PERTIPHERY_CONTAINER_NAME}
+    image: ${KOMODO_PERTIPHERY_IMAGE}:${COMPOSE_KOMODO_IMAGE_TAG:-latest}
+    restart: ${KOMODO_RESTART_POLICY}    
+    labels:
+      - "komodo.skip=" # Prevent Komodo from stopping with StopAllContainers                  
+    logging:
+      driver: ${COMPOSE_LOGGING_DRIVER:-local}
+    networks:
+      - komodo
+    env_file: ../env/komodo.env
+    environment:
+      PERIPHERY_REPO_DIR: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/repos
+      PERIPHERY_STACK_DIR: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/stacks
+      PERIPHERY_SSL_KEY_FILE: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/ssl/key.pem
+      PERIPHERY_SSL_CERT_FILE: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/ssl/cert.pem
+    volumes:
+      ## Mount external docker socket
+      - /var/run/docker.sock:/var/run/docker.sock
+      ## Allow Periphery to see processes outside of container
+      - /proc:/proc
+      ## Specify the Periphery agent root directory.
+      ## Must be the same inside and outside the container,
+      ## or docker will get confused. See https://github.com/mbecker20/komodo/discussions/180.
+      ## Default: /etc/komodo.
+      - ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}:${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}
+    secrets:
+      - komodo_passkey

docker/compose/netbootxyz.yaml

@@ -0,0 +1,23 @@
+services:
+  netbootxyz:
+    # image: ghcr.io/netbootxyz/netbootxyz
+    image: lscr.io/linuxserver/netbootxyz:latest
+    container_name: netbootxyz
+    environment:
+      - PUID=${UID:-1000}
+      - PGID=${GID:-1000}
+      - TZ=${TZ}
+      #- MENU_VERSION=1.9.9 #optional
+      #- PORT_RANGE=30000:30010 #optional
+      #- SUBFOLDER=/ #optional
+      #- MENU_VERSION=2.0.47 # optional
+      - NGINX_PORT=80 # optional
+      - WEB_APP_PORT=3000 # optional
+    volumes:
+      - ${DOCKERDIR}/netbootxyz/config:/config # optional
+      - ${DOCKERDIR}/netbootxyz/assets:/assets # optional
+    ports:
+      - 3001:3000  # optional, destination should match ${WEB_APP_PORT} variable above.
+      - 69:69/udp
+      - 8080:80  # optional, destination should match ${NGINX_PORT} variable above.
+    restart: unless-stopped

docker/compose/networks.yaml

@@ -0,0 +1,20 @@
+networks:
+  proy:
+    driver: bridge
+  #backendd:
+  #  driver: bridge
+  socket_proxy:
+    driver: bridge
+  default:
+    driver: bridge
+#networks:
+#  network1:
+#    external: true
+#    name: "${NETWORK_ID}"
+
+#networks:
+#  mynet1:
+#    labels:
+#      com.example.description: "Financial transaction network"
+#      com.example.department: "Finance"
+#      com.example.label-with-empty-value: ""

docker/compose/networks/backend.yaml

@@ -0,0 +1,4 @@
+networks:
+  backend:
+    name: backend
+    external: true

docker/compose/networks/default.yaml

@@ -0,0 +1,4 @@
+networks:
+  default:
+    name: default
+    driver: bridge

docker/compose/networks/komodo.yaml

@@ -0,0 +1,4 @@
+networks:
+  komodo:
+    name: komodo
+    driver: bridge

docker/compose/networks/proxy.yaml

@@ -0,0 +1,4 @@
+networks:
+  proxy:
+    name: proxy
+    # external: true	

docker/compose/networks/socket-proxy.yaml

@@ -0,0 +1,4 @@
+networks:
+  socket_proxy:
+    name: socket_proxy
+    driver: bridge

docker/compose/postgres.yaml

@@ -0,0 +1,13 @@
+services:
+  db:
+    image: postgres:16
+    restart: unless-stopped        
+    security_opt:
+      - no-new-privileges:true
+    volumes:
+        - ${DOCKERDIR}/${COMPOSE_PROJECT_NAME}/db:/var/lib/postgresql/data
+    #ports:
+    #    - "5432:5432"
+    healthcheck:
+      test: [ "CMD-SHELL", "pg_isready -U postgres" ]
+      interval: 3s

docker/compose/privatebin.yaml

@@ -0,0 +1,15 @@
+services:
+  privatebin:
+    image: ${PRIVATEBIN_IMAGE}:${PRIVATEBIN_TAG}
+    container_name: ${PRIVATEBIN_CONTAINER_NAME}
+    restart: ${PRIVATEBIN_RESTART_POLICY}
+    security_opt:
+      - no-new-privileges:true
+    networks:
+      - ${PRIVATEBIN_NETWORk_ID}
+    read_only: true
+    user: "${UID}:${GID}"  # Run the container with the UID:GID of your Docker user
+#    ports:
+#      - 8080:8080
+    volumes:
+      - ${DOCKERDIR}/private-bin:/srv/data

docker/compose/yeetfile.yaml

@@ -0,0 +1,19 @@
+services:
+  api:
+    image: ${YEETFILE_IMAGE}:${YEETFILE_TAG}
+    container_name: ${YEETFILE_CONTAINER_NAME}
+    restart: ${YEETFILE_RESTART_POLICY}
+    security_opt:
+      - no-new-privileges:true
+    networks:
+      - ${YEETFILE_NETWORk_ID}    
+    #ports:
+    #  - 8090:${YEETFILE_PORT:-8090}    
+    environment:
+      - UID=${UID:-1000}
+      - GID=${GID:-1000}
+      - TZ=${TZ}      
+    env_file:
+      - path: ../env/YeetFile.env
+    volumes:
+      - ${DOCKERDIR}/yeetfile/uploads:/app/uploads

docker/docker-compose.yml

@@ -28,10 +28,10 @@ networks:
 # Docker Compose v2.20 or greater required to use "include"
 include:
 ########################### SERVICES
-  - compose/dc-traefik.yml
-  - compose/dc-socket-proxy.yml
-  - compose/dc-crowdsec.yml
-  - compose/dc-traefik-bouncer.yml
+  - services/dc-traefik.yml
+  - services/dc-socket-proxy.yml
+  - services/dc-crowdsec.yml
+  - services/dc-traefik-bouncer.yml
 
   # Portainer - WebUI for Containers
  # portainer:

docker/env/.env.proxy

@@ -0,0 +1,14 @@
+# BASICAUTHUSER=gurulandia:$$apr1$$kBqxEDFb$$aOgGWvLwFUDhSymDy430m.
+# create basic auth with: echo $(htpasswd -nb "<USER>" "<PASSWORD>") | sed -e s/\\$/\\$\\$/g
+
+##### trustedIPs
+CLOUDFLARE_IPS=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,172.64.0.0/13,131.0.72.0/22,104.16.0.0/13,104.24.0.0/14
+LOCAL_IPS=127.0.0.1/32,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
+
+##### Certificate
+CF_API_EMAIL=gurulandia@outlook.com
+
+CERTRESOLVER=dns-cloudflare
+DNS_PROVIDER=cloudflare
+RESOLVER0=1.1.1.1:53
+RESOLVER1=1.0.0.1:53

docker/env/.env.stack.proxy

@@ -0,0 +1,33 @@
+COMPOSE_PROJECT_NAME=proxy
+
+##### ProxyName
+PROXYNAME=proxy
+
+##### Traefik Container
+TRAEFIK_CONTAINER_NAME=traefik
+TRAEFIK_IMAGE=traefik
+TRAEFIK_TAG=latest
+TRAEFIK_RESTART_POLICY=always
+
+##### socket-proxy Container
+SOCKET_PROXY_CONTAINER_NAME=socket-proxy
+#SOCKET_PROXY_IMAGE=ghcr.io/tecnativa/docker-socket-proxy
+SOCKET_PROXY_IMAGE=lscr.io/linuxserver/socket-proxy
+SOCKET_PROXY_TAG=latest
+SOCKET_PROXY_RESTART_POLICY=always
+
+##### Crowdsec Container
+CROWDSEC_CONTAINER_NAME=crowdsec
+CROWDSEC_IMAGE=crowdsecurity/crowdsec
+CROWDSEC_TAG=latest
+CROWDSEC_RESTART_POLICY=unless-stopped
+
+##### bouncer-traefik Container
+BT_CONTAINER_NAME=bouncer-traefik
+BT_IMAGE=docker.io/fbonalair/traefik-crowdsec-bouncer
+BT_TAG=latest
+BT_RESTART_POLICY=unless-stopped
+
+GIN_MODE=release
+
+DOCKER_ENDPOINT=tcp://${SOCKET_PROXY_CONTAINER_NAME}:2375

docker/env/YeetFile-db.env

@@ -0,0 +1,7 @@
+YEETFILEDB_NETWORk_ID=backend
+
+##### YeetFile DB Container
+YEETFILEDB_CONTAINER_NAME=yeetfiledb
+YEETFILEDB_IMAGE=postgres
+YEETFILEDB_TAG=16-alpine
+YEETFILEDB_RESTART_POLICY=unless-stopped

docker/env/YeetFile-stack.env

@@ -0,0 +1,8 @@
+YEETFILE_NETWORk_ID=proxy
+YEETFILE_HOSTNAME=yeetfile
+
+##### YeetFile Container
+YEETFILE_CONTAINER_NAME=yeetfile
+YEETFILE_IMAGE=ghcr.io/benbusby/yeetfile
+YEETFILE_TAG=latest
+YEETFILE_RESTART_POLICY=unless-stopped

docker/env/YeetFile.env

@@ -0,0 +1,71 @@
+# Enable (1) or disable (0) debug mode on the server (do not use in production)
+YEETFILE_DEBUG=0
+
+# Store files in B2 or locally on the machine running the server
+# b2 or local
+YEETFILE_STORAGE=local
+
+#  The host for running the YeetFile server
+YEETFILE_HOST=0.0.0.0
+
+# The port for running the YeetFile server
+YEETFILE_PORT=8090
+
+# Database
+
+# The YeetFile PostgreSQL database host
+YEETFILE_DB_HOST=10.0.6.178
+
+# The YeetFile PostgreSQL database port
+YEETFILE_DB_PORT=5432
+
+# The PostgreSQL user to access the YeetFile database
+YEETFILE_DB_USER=yeetfile
+
+# The password for the PostgreSQL user
+YEETFILE_DB_PASS=yeetfile
+
+# The name of the database that YeetFile will use
+YEETFILE_DB_NAME=yeetfile
+
+# Unlimited storage and send
+YEETFILE_DEFAULT_USER_STORAGE=-1
+YEETFILE_DEFAULT_USER_SEND=-1
+
+# The secret value used for encrypting user password hints
+# 32-byte value, base64 encoded
+YEETFILE_SERVER_SECRET=2N1oTtwOHTyEbTFtz0yDLuzq3DhgjIWmSKw4gNcH8Vk=
+
+# The domain that the YeetFile instance is hosted on
+# A valid domain string beginning with http:// or https://
+#YEETFILE_DOMAIN=yeetfile.lab.gurulandia.eu
+
+# The user ID or email of the user to set as admin 
+# A valid YeetFile email or account ID
+YEETFILE_INSTANCE_ADMIN=8322619287182227
+
+# Allows YeetFile Send links to include the key in a URL param
+# 0 (disabled) or 1 (enabled)
+YEETFILE_ALLOW_INSECURE_LINKS=0
+
+# Disables anonymous (not logged in) interactions 	
+#1 to enable lockdown, 0 to allow anonymous usage
+YEETFILE_LOCKDOWN=0
+
+# The email address to use for correspondence
+YEETFILE_EMAIL_ADDR=yeetfile@mail.gurulandia.eu
+
+# The host of the email address being used
+YEETFILE_EMAIL_HOST=smtp.eu.mailgun.org
+
+# The port of the email host
+YEETFILE_EMAIL_PORT=587
+
+# The SMTP login for the email address
+YEETFILE_EMAIL_USER=sender@mail.gurulandia.eu
+
+# The SMTP password for the email address
+YEETFILE_EMAIL_PASSWORD=fd2481f27f76e35110ddf9b7b04ad09f-667818f5-87cb2de3
+
+# The no-reply email address for correspondence
+YEETFILE_EMAIL_NO_REPLY=noreply@mail.gurulandia.eu

docker/env/common.env

@@ -0,0 +1,16 @@
+##### SYSTEM
+UID=1000
+GID=1000
+PUID=1000
+PGID=1000
+TZ=Europe/HelsinkI
+
+#USERDIR=/home/gurulandia
+DOCKERDIR=/gurulandia/data
+SECRETSDIR=/gurulandia/docker-shared/secrets
+
+##### DOMAIN
+DOMAINNAME0=gurulandia.eu
+DOMAINNAME1=lab.gurulandia.eu
+DOMAINNAME2=gurulandia.fi
+DOMAINNAME3=home.gurulandia.fi

docker/env/flatnotes-stack.env

@@ -0,0 +1,8 @@
+FLATNOTES_NETWORk_ID=proxy
+FLATNOTES_HOSTNAME=flatnotes
+
+##### flatnotes Container
+FLATNOTES_CONTAINER_NAME=flatnotes
+FLATNOTES_IMAGE=dullage/flatnotes
+FLATNOTES_TAG=latest
+FLATNOTES_RESTART_POLICY=unless-stopped

docker/env/flatnotes.env

@@ -0,0 +1,72 @@
+FLATNOTES_AUTH_TYPE=none
+# There are currently 3 types of authentication supported:
+
+# none - No authentication.
+# read_only - As above but note creation, modification and deletion is disabled.
+# password - A username and password is required to access flatnotes. See FLATNOTES_USERNAME and FLATNOTES_PASSWORD below.
+# totp - In addition to a username and password, a time based one-time-password is also required to access flatnotes.
+# Defaults to password if not provided.
+
+# totp
+# To use the totp authentication type you will also need to supply a FLATNOTES_TOTP_KEY (see below). Upon startup, flatnotes will print a QR code which can be used to add flatnotes to an authentication app such as Authy or Google Authenticator. Docker users can view this QR code by looking at the containers logs e.g. docker logs flatnotes.
+# If for any reason you are unable to scan the QR code, you can also manually enter the secret key into your authentication app. This will be printed underneath the QR code in the logs.
+# When using the API with totp enabled, you'll need to append the current totp code to your password (e.g. changeMe!123456) when calling the /api/token endpoint.
+
+#FLATNOTES_USERNAME=
+#FLATNOTES_PASSWORD=
+# The username and password used to access flatnotes.
+# Required when FLATNOTES_AUTH_TYPE is set to password or totp. Not applicable when FLATNOTES_AUTH_TYPE is set to none or read_only.
+
+FLATNOTES_SECRET_KEY=aLongRandomSeriesOfCharacters
+# The secret key used to generate access tokens. Changing this will invalidate all existing access tokens.
+# I recommend using a password generator to generate random 32 character string.
+# Required when FLATNOTES_AUTH_TYPE is set to password or totp. Not applicable when FLATNOTES_AUTH_TYPE is set to none or read_only.
+
+#FLATNOTES_SESSION_EXPIRY_DAYS=
+# Defines how many days an access token is valid for (before a username, password and (possibly) a totp code is required to login again).
+# Defaults to 30 if not provided.
+
+#FLATNOTES_TOTP_KEY=
+# The secret key used to generate totp codes. Changing this will invalidate the totp configuration.
+# I recommend using a password generator to generate random 32 character string.
+# Required when FLATNOTES_AUTH_TYPE is totp. Not applicable for other authentication types.
+
+#FLATNOTES_PATH_PREFIX=
+# Useful if you want to host flatnotes at a sub-path on your domain (e.g. www.example.com/flatnotes).
+# Value must start with a / but not end with one e.g. /flatnotes.
+# Defaults to no prefix if not provided.
+
+#FLATNOTES_QUICK_ACCESS_HIDE=
+# If set to true, hides the quick access notes on the home page.
+# Defaults to false (show quick access notes).
+# Note: This replaced the now deprecated FLATNOTES_HIDE_RECENTLY_MODIFIED environment variable.
+
+#FLATNOTES_QUICK_ACCESS_TITLE=
+# The title of the quick access notes section.
+# Defaults to RECENTLY MODIFIED.
+
+#FLATNOTES_QUICK_ACCESS_TERM=
+# The search term that defines which notes to show in the quick access notes section.
+# A good example is to set this to #pinned to show only notes that include the "#pinned" tag or NOT tags:work to exclude notes tagged with "#work".
+# Defaults to *.
+
+#FLATNOTES_QUICK_ACCESS_SORT=
+# The field by which to order the quick access notes section.
+# Value must be one of score, title, lastModified.
+# Defaults to lastModified.
+
+#FLATNOTES_QUICK_ACCESS_LIMIT=
+#The maximum number of notes to show in the quick access notes section.
+# Defaults to 4.
+
+#FLATNOTES_PORT=
+# Applicable to the Docker image only.
+# Defines the port flatnotes will bind to inside the container.
+# Defaults to 8080 if not provided.
+
+#PUID=
+#PGID=
+# These are applicable to the Docker image only.
+# They allow you to specify the user and group that flatnotes will run as inside the Docker container. This is useful to avoid permission issues when mounting a directory from the host.
+# Both default to 1000.
+# Values are ignored if the container is not run as root (e.g. when using the docker --user flag).

docker/env/homepage-stack.env

@@ -0,0 +1,8 @@
+HOMEPAGE_NETWORK_ID=proxy
+HOMEPAGE_HOSTNAME=homepage
+
+##### Homepage Container
+HOMEPAGE_CONTAINER_NAME=homepage
+HOMEPAGE_IMAGE=ghcr.io/gethomepage/homepage
+HOMEPAGE_TAG=latest
+HOMEPAGE_RESTART_POLICY=unless-stopped

docker/env/joplin-srv-db-cred.env

@@ -0,0 +1,3 @@
+POSTGRES_PASSWORD=joplinsrv
+POSTGRES_DATABASE=joplin
+POSTGRES_USER=joplinsrv

docker/env/joplin-srv-db.env

@@ -0,0 +1,8 @@
+JOPLINDB_NETWORk_ID=backend
+
+##### Joplin Server DB Container
+
+JOPLINDB_CONTAINER_NAME=joplindb
+JOPLINDB_IMAGE=postgres
+JOPLINDB_TAG=16-alpine
+JOPLINDB_RESTART_POLICY=unless-stopped

docker/env/joplin-srv-stack.env

@@ -0,0 +1,14 @@
+JOPLIN_NETWORk_ID=proxy
+JOPLIN_HOSTNAME=joplin
+
+##### Joplin Server Container
+JOPLIN_CONTAINER_NAME=joplinsrv
+JOPLIN_IMAGE=joplin/server
+JOPLIN_TAG=latest
+JOPLIN_RESTART_POLICY=unless-stopped
+
+##### Joplin Server DB Container
+JOPLINDB_CONTAINER_NAME=joplindb
+JOPLINDB_IMAGE=postgres
+JOPLINDB_TAG=16-alpine
+JOPLINDB_RESTART_POLICY=unless-stopped

docker/env/joplin-srv-withdb.env

@@ -0,0 +1,2 @@
+# Database
+POSTGRES_HOST=db

docker/env/joplin-srv.env

@@ -0,0 +1,27 @@
+# APP_BASE_URL: This is the base public URL where the service will be running.
+#	- If Joplin Server needs to be accessible over the internet, configure APP_BASE_URL as follows: https://example.com/joplin. 
+#	- If Joplin Server does not need to be accessible over the internet, set the APP_BASE_URL to your server's hostname. 
+#     For Example: http://[hostname]:22300. The base URL can include the port.
+# APP_PORT: The local port on which the Docker container will listen. 
+#	- This would typically be mapped to port to 443 (TLS) with a reverse proxy.
+#	- If Joplin Server does not need to be accessible over the internet, the port can be mapped to 22300.
+#- APP_BASE_URL=http://10.0.6.177:22300
+
+APP_BASE_URL=https://joplin.lab.gurulandia.eu
+APP_PORT=53014 #22300
+# Database
+DB_CLIENT=pg
+POSTGRES_PORT=5432
+POSTGRES_HOST=10.0.6.178
+
+#- STORAGE_DRIVER=Type=S3; Region=us-east-1; Path=http://192.168.55.30:53008; AccessKeyId=joplinsrv; SecretAccessKeyId=joplinsrv; Bucket=joplin
+
+# Mai8ler
+MAILER_ENABLED=1
+MAILER_HOST=mailrise.lab.gurulandia.eu
+MAILER_PORT=465
+MAILER_SECURITY=tls
+MAILER_AUTH_USER=gurulandia
+MAILER_AUTH_PASSWORD=gurulandia
+MAILER_NOREPLY_NAME=JoplinServer
+MAILER_NOREPLY_EMAIL=no-reply@mail.gurulandia.eu

docker/env/komodo-stack.env

@@ -0,0 +1,17 @@
+KOMODO_NETWORk_ID=proxy
+KOMODO_HOSTNAME=komodo
+
+KOMODO_RESTART_POLICY=unless-stopped
+
+##### Komodo Core Container
+KOMODO_CORE_CONTAINER_NAME=komodo-core
+KOMODO_CORE_IMAGE=ghcr.io/mbecker20/komodo
+
+##### Komodo Periphery Container
+KOMODO_PERTIPHERY_CONTAINER_NAME=komodo-periphery
+KOMODO_PERTIPHERY_IMAGE=ghcr.io/mbecker20/periphery
+
+##### FerretDB Core Container
+FERRETDB_CONTAINER_NAME=komodo-ferretdb
+FERRETDB_IMAGE=ghcr.io/ferretdb/ferretdb:1
+FERRETDB_RESTART_POLICY=${KOMODO_RESTART_POLICY}

docker/env/komodo.env

@@ -0,0 +1,133 @@
+####################################
+# 🦎 KOMODO COMPOSE - VARIABLES 🦎 #
+####################################
+## These compose variables can be used with all Komodo deployment options.
+## Pass these variables to the compose up command using `--env-file komodo/compose.env`.
+## Additionally, they are passed to both Komodo Core and Komodo Periphery with `env_file: ./compose.env`,
+## so you can pass any additional environment variables to Core / Periphery directly in this file as well.
+
+PSQL_HOST=10.0.6.178
+PSQL_PORT=5432
+## Stick to a specific version, or use `latest`
+COMPOSE_KOMODO_IMAGE_TAG=latest
+
+## Note: 🚨 Podman does NOT support local logging driver 🚨. See Podman options here:
+## `https://docs.podman.io/en/v4.6.1/markdown/podman-run.1.html#log-driver-driver`
+COMPOSE_LOGGING_DRIVER=local # Enable log rotation with the local driver.
+
+## DB credentials - Ignored for Sqlite
+KOMODO_DB_USERNAME=komodo
+KOMODO_DB_PASSWORD=komodo
+
+## Configure a secure passkey to authenticate between Core / Periphery.
+KOMODO_PASSKEY_FILE=/run/secrets/komodo_passkey
+
+#=-------------------------=#
+#= Komodo Core Environment =#
+#=-------------------------=#
+
+## Full variable list + descriptions are available here:
+## 🦎 https://github.com/mbecker20/komodo/blob/main/config/core.config.toml 🦎
+
+## Note. Secret variables also support `${VARIABLE}_FILE` syntax to pass docker compose secrets.
+## Docs: https://docs.docker.com/compose/how-tos/use-secrets/#examples
+
+## Used for Oauth / Webhook url suggestion / Caddy reverse proxy.
+KOMODO_HOST=https://komodo.lab.gurulandia.eu
+
+## Displayed in the browser tab.
+KOMODO_TITLE=Komodo by Gurulandia
+#Komodo
+## Create a server matching this address as the "first server".
+## Use `https://host.docker.internal:8120` when using systemd-managed Periphery.
+KOMODO_FIRST_SERVER=https://periphery:8120
+## Make all buttons just double-click, rather than the full confirmation dialog.
+KOMODO_DISABLE_CONFIRM_DIALOG=true
+
+## Rate Komodo polls your servers for
+## status / container status / system stats / alerting.
+## Options: 1-sec, 5-sec, 15-sec, 1-min, 5-min.
+## Default: 15-sec
+KOMODO_MONITORING_INTERVAL="15-sec"
+## Rate Komodo polls Resources for updates,
+## like outdated commit hash.
+## Options: 1-min, 5-min, 15-min, 30-min, 1-hr.
+## Default: 5-min
+KOMODO_RESOURCE_POLL_INTERVAL="5-min"
+
+## Used to auth incoming webhooks. Alt: KOMODO_WEBHOOK_SECRET_FILE
+KOMODO_WEBHOOK_SECRET_FILE=/run/secrets/komodo_webhook_secret
+## Used to generate jwt. Alt: KOMODO_JWT_SECRET_FILE
+KOMODO_JWT_SECRET_FILE=/run/secrets/komodo_jwt_secret
+
+## Enable login with username + password.
+KOMODO_LOCAL_AUTH=true
+## Disable new user signups.
+KOMODO_DISABLE_USER_REGISTRATION=false
+## All new logins are auto enabled
+KOMODO_ENABLE_NEW_USERS=true
+## Disable non-admins from creating new resources.
+KOMODO_DISABLE_NON_ADMIN_CREATE=false
+## Allows all users to have Read level access to all resources.
+KOMODO_TRANSPARENT_MODE=false
+
+## Time to live for jwt tokens.
+## Options: 1-hr, 12-hr, 1-day, 3-day, 1-wk, 2-wk
+KOMODO_JWT_TTL="1-day"
+
+## OIDC Login
+KOMODO_OIDC_ENABLED=true
+## Must reachable from Komodo Core container
+KOMODO_OIDC_PROVIDER=https://authentik.lab.gurulandia.eu/application/o/komodo/
+## Change the host to one reachable be reachable by users (optional if it is the same as above).
+## DO NOT include the `path` part of the URL.
+KOMODO_OIDC_REDIRECT_HOST=https://authentik.lab.gurulandia.eu
+## Your client credentials
+KOMODO_OIDC_CLIENT_ID_FILE=/run/secrets/komodo_oidc_client_id
+KOMODO_OIDC_CLIENT_SECRET_FILE=/run/secrets/komodo_oidc_client_secret
+## Make usernames the full email.
+KOMODO_OIDC_USE_FULL_EMAIL=true
+## Add additional trusted audiences for token claims verification.
+## Supports comma separated list, and passing with _FILE (for compose secrets).
+# KOMODO_OIDC_ADDITIONAL_AUDIENCES=abc,123 # Alt: KOMODO_OIDC_ADDITIONAL_AUDIENCES_FILE
+
+## Github Oauth
+KOMODO_GITHUB_OAUTH_ENABLED=false
+# KOMODO_GITHUB_OAUTH_ID= # Alt: KOMODO_GITHUB_OAUTH_ID_FILE
+# KOMODO_GITHUB_OAUTH_SECRET= # Alt: KOMODO_GITHUB_OAUTH_SECRET_FILE
+
+## Google Oauth
+KOMODO_GOOGLE_OAUTH_ENABLED=false
+# KOMODO_GOOGLE_OAUTH_ID= # Alt: KOMODO_GOOGLE_OAUTH_ID_FILE
+# KOMODO_GOOGLE_OAUTH_SECRET= # Alt: KOMODO_GOOGLE_OAUTH_SECRET_FILE
+
+## Aws - Used to launch Builder instances and ServerTemplate instances.
+KOMODO_AWS_ACCESS_KEY_ID= # Alt: KOMODO_AWS_ACCESS_KEY_ID_FILE
+KOMODO_AWS_SECRET_ACCESS_KEY= # Alt: KOMODO_AWS_SECRET_ACCESS_KEY_FILE
+
+## Hetzner - Used to launch ServerTemplate instances
+## Hetzner Builder not supported due to Hetzner pay-by-the-hour pricing model
+KOMODO_HETZNER_TOKEN= # Alt: KOMODO_HETZNER_TOKEN_FILE
+
+#=------------------------------=#
+#= Komodo Periphery Environment =#
+#=------------------------------=#
+
+## Full variable list + descriptions are available here:
+## 🦎 https://github.com/mbecker20/komodo/blob/main/config/periphery.config.toml 🦎
+
+## Periphery passkeys must include KOMODO_PASSKEY to authenticate.
+PERIPHERY_PASSKEYS_FILE=/run/secrets/komodo_passkey
+## Specify the root directory used by Periphery agent.
+PERIPHERY_ROOT_DIRECTORY=/etc/komodo
+
+## Enable SSL using self signed certificates.
+## Connect to Periphery at https://address:8120.
+PERIPHERY_SSL_ENABLED=true
+
+## If the disk size is overreporting, can use one of these to 
+## whitelist / blacklist the disks to filter them, whichever is easier.
+## Accepts comma separated list of paths.
+## Usually whitelisting just /etc/hostname gives correct size.
+PERIPHERY_INCLUDE_DISK_MOUNTS=/etc/hostname
+# PERIPHERY_EXCLUDE_DISK_MOUNTS=/snap,/etc/repos

docker/env/privatebin-db.env

@@ -0,0 +1,7 @@
+PRIVATEBINDB_NETWORk_ID=backend
+
+##### Privatebin DB Container
+PRIVATEBINDB_CONTAINER_NAME=yeetfiledb
+PRIVATEBINDB_IMAGE=postgres
+PRIVATEBINDB_TAG=16-alpine
+PRIVATEBINDB_RESTART_POLICY=unless-stopped

docker/env/privatebin-stack.env

@@ -0,0 +1,9 @@
+PRIVATEBIN_NETWORk_ID=proxy
+PRIVATEBIN_HOSTNAME=privatebin
+
+##### Privatebin Container
+PRIVATEBIN_CONTAINER_NAME=privatebin
+PRIVATEBIN_IMAGE=privatebin/nginx-fpm-alpine
+#PRIVATEBIN_IMAGE=privatebin/pdo
+PRIVATEBIN_TAG=stable
+PRIVATEBIN_RESTART_POLICY=unless-stopped

docker/env/technitum-dns-stack.env

@@ -0,0 +1,9 @@
+TECHNITUM_DNS_NETWORk_ID=proxy
+TECHNITUM_DNS_HOSTNAME=komodo
+
+TECHNITUM_DNS_RESTART_POLICY=unless-stopped
+
+##### Komodo Core Container
+TECHNITUM_DNS_CONTAINER_NAME=dns-server
+TECHNITUM_DNS_IMAGE=technitium/dns-server
+TECHNITUM_DNS_TAG=latest

docker/env/technitum-dns.env

@@ -0,0 +1,66 @@
+# The primary domain name used by this DNS Server to identify itself.
+DNS_SERVER_DOMAIN=lab.gurulandia.eu
+
+# DNS web console admin user password.
+# DNS_SERVER_ADMIN_PASSWORD=password
+
+# The path to a file that contains a plain text password for the DNS web console admin user.
+DNS_SERVER_ADMIN_PASSWORD_FILE = /run/secrets/technitium_admin_password
+
+# DNS Server will use IPv6 for querying whenever possible with this option enabled.
+# DNS_SERVER_PREFER_IPV6=false
+
+# Comma separated list of network interface IP addresses that you want the web service to listen on for requests. 
+# The "172.17.0.1" address is the built-in Docker bridge. The "[::]" is the default value if not specified. 
+# Note! This must be used only with "host" network mode.      
+# DNS_SERVER_WEB_SERVICE_LOCAL_ADDRESSES=172.17.0.1,127.0.0.1
+
+# The TCP port number for the DNS web console over HTTP protocol.
+# DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380 
+
+# The TCP port number for the DNS web console over HTTPS protocol.
+# DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443 #The TCP port number for the DNS web console over HTTPS protocol.
+
+# Enables HTTPS for the DNS web console.
+# DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false
+
+# Enables self signed TLS certificate for the DNS web console.
+# DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false 
+
+# Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx.
+# DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false 
+
+# Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworkACL.
+# DNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks 
+
+# Comma separated list of IP addresses or network addresses to allow access.
+# Add ! character at the start to deny access, e.g. !192.168.10.0/24 will deny entire subnet.
+# The ACL is processed in the same order its listed. If no networks match, the default policy is to deny all except loopback.
+# Valid only for `UseSpecifiedNetworkACL` recursion option.
+# DNS_SERVER_RECURSION_NETWORK_ACL=192.168.10.0/24, !192.168.10.2
+
+# Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworkACL` recursion option.
+# This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead.
+# DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24
+
+# Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworkACL` recursion option.
+# This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead.
+# DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24
+
+# Sets the DNS server to block domain names using Blocked Zone and Block List Zone.
+# DNS_SERVER_ENABLE_BLOCKING=false 
+
+# Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests.
+# DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false
+
+# A comma separated list of block list URLs.
+# DNS_SERVER_BLOCK_LIST_URLS= 
+
+# Comma separated list of forwarder addresses.
+# DNS_SERVER_FORWARDERS=1.1.1.1, 8.8.8.8
+
+# Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson.
+# DNS_SERVER_FORWARDER_PROTOCOL=Tcp
+
+# Enable this option to use local time instead of UTC for logging.
+DNS_SERVER_LOG_USING_LOCAL_TIME=true

docker/flatnotes/behind-proxy/compose.override.yaml

@@ -0,0 +1,13 @@
+services:
+  flatnotes:        
+    labels:
+        - "traefik.enable=true"
+        ## HTTP Routers
+        - "traefik.http.routers.${FLATNOTES_HOSTNAME}-rtr.entrypoints=https"
+        - "traefik.http.routers.${FLATNOTES_HOSTNAME}-rtr.rule=Host(`${FLATNOTES_HOSTNAME}.$DOMAINNAME1`)"
+        ## Middlewares
+#             - "traefik.http.routers.${FLATNOTES_HOSTNAME}-rtr.middlewares=chain-authelia@file"
+        - "traefik.http.routers.${FLATNOTES_HOSTNAME}-rtr.middlewares=chain-no-auth@file"
+        ## HTTP Services
+        - "traefik.http.routers.${FLATNOTES_HOSTNAME}-rtr.service=${FLATNOTES_HOSTNAME}-svc"
+        - "traefik.http.services.${FLATNOTES_HOSTNAME}-svc.loadbalancer.server.port=8080"

docker/flatnotes/behind-proxy/compose.yaml

@@ -0,0 +1,7 @@
+name: flatnotes
+# Docker Compose v2.20 or greater required to use "include"
+include:
+#################### NETWORKS ####################
+  -  ../../compose/networks/${FLATNOTES_NETWORk_ID}.yaml
+#################### SERVICES ####################
+  - ../../compose/flatnotes.yaml