Talteen

Add Homarr
Traefik config
2025-03-05 10:47:20 +02:00 · 2025-03-05 10:29:42 +02:00 · 2025-03-05 10:00:59 +02:00 · 2025-03-05 09:37:36 +02:00 · 2025-03-05 09:37:09 +02:00 · 2025-03-05 09:36:40 +02:00
91 changed files with 1177453 additions and 100 deletions
--- a/config/docker/current/traefik/config/mw-authentik.yaml
+++ b/config/docker/current/traefik/config/mw-authentik.yaml
@@ -0,0 +1,19 @@
 http:
  middlewares:
    middlewares-authentik:
      forwardAuth:
        address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
--- a/config/docker/current/traefik/config/mw-basic-auth.yaml
+++ b/config/docker/current/traefik/config/mw-basic-auth.yaml
@@ -5,4 +5,4 @@ http:
        # users:
        #   - "user:$apsdfs.$EntPC0w3FtswWvC/6fTVJ7IUVtX1"
        usersFile: "/users" #be sure to mount the volume through docker-compose.yml
-        realm: "Traefik 2 Basic Auth"
+        realm: "Traefik 3 Basic Auth"
--- a/config/docker/current/traefik/config/mw-buffering.yaml
+++ b/config/docker/current/traefik/config/mw-buffering.yaml
@@ -0,0 +1,18 @@
 ################################################################
 # Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
 # 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
 # https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
 #
 # Dynamic configuration
 ################################################################
 http:
  middlewares:
    # Prevent too large of a body
    # https://stackoverflow.com/questions/49717670/how-to-config-upload-body-size-restriction-in-traefik
    middlewares-buffering:
      buffering:
        maxRequestBodyBytes: 10485760
        memRequestBodyBytes: 2097152
        maxResponseBodyBytes: 10485760
        memResponseBodyBytes: 2097152
        retryExpression: "IsNetworkError() && Attempts() <= 2"
--- a/config/docker/current/traefik/config/mw-chain-authentik.yaml
+++ b/config/docker/current/traefik/config/mw-chain-authentik.yaml
@@ -0,0 +1,9 @@
 http:
  middlewares:        
    chain-authentik:
      chain:
        middlewares:
 #          - middlewares-crowdsec-bouncer
          - middlewares-rate-limit
          - middlewares-secure-headers
          - middlewares-authentik
--- a/config/docker/current/traefik/config/mw-chain-no-auth.yaml
+++ b/config/docker/current/traefik/config/mw-chain-no-auth.yaml
@@ -3,7 +3,6 @@ http:
    chain-no-auth:
      chain:
        middlewares:
          - middlewares-crowdsec-bouncer
          - middlewares-default-whitelist
          - middlewares-rate-limit
          - middlewares-secure-headers
--- a/config/docker/current/traefik/config/mw-compress.yaml
+++ b/config/docker/current/traefik/config/mw-compress.yaml
@@ -0,0 +1,12 @@
 ################################################################
 # Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
 # 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
 # https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
 #
 # Dynamic configuration
 ################################################################
 http:
  middlewares:
    # Compress to save bandwidth
    middlewares-compress:
      compress: {}
--- a/config/docker/current/traefik/config/mw-https-redirectscheme.yaml
+++ b/config/docker/current/traefik/config/mw-https-redirectscheme.yaml
@@ -0,0 +1,15 @@
 ################################################################
 # Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
 # 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
 # https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
 #
 # Dynamic configuration
 ################################################################
 http:
  middlewares:
    # Middleware for Redirection
    # This can be used instead of global redirection
    middlewares-https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true
--- a/config/docker/current/traefik/config/mw-secure-headers.yaml
+++ b/config/docker/current/traefik/config/mw-secure-headers.yaml
@@ -1,5 +1,15 @@
 ################################################################
 # Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
 # 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
 # https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
 #
 # Dynamic configuration
 ################################################################
 http:
  middlewares:
    ################################################################
    # Good Basic Security Practices
    ################################################################
    middlewares-secure-headers:
      headers:
        accessControlAllowMethods:
@@ -9,23 +19,20 @@ http:
        accessControlMaxAge: 100
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        sslRedirect: true
        stsSeconds: 63072000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
-        # frameDeny: true #overwritten by customFrameOptionsValue
+        customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME"}}" #CSP takes care of this but may be needed for organizr.
-        customFrameOptionsValue: "allow-from https:gurulandia.eu" #CSP takes care of this but may be needed for organizr.
+        #customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
        contentTypeNosniff: true
        browserXssFilter: true
        # sslForceHost: true # add sslHost to all of the services
-        # sslHost: "example.com"
+        # sslHost: "{{env "DOMAINNAME"}}"
        referrerPolicy: "same-origin"
-        # Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
+        # permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=()"
        # the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
        # contentSecurityPolicy: "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
        featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
        customResponseHeaders:
-          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
+          # X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
-          server: ""
+          # server: ""
-          
+          # https://community.traefik.io/t/how-to-make-websockets-work-with-traefik-2-0-setting-up-rancher/1732
          X-Forwarded-Proto: "https"
--- a/config/docker/current/traefik/config/tls-opts.yaml
+++ b/config/docker/current/traefik/config/tls-opts.yaml
@@ -1,6 +1,21 @@
 ################################################################
 # TLS Options (https://jellyfin.org/docs/general/networking/traefik2.html#traefik-providertoml)
 # toml -> yml
 # 2024 updates to cipherSuites from (https://www.smarthomebeginner.com/traefik-v3-docker-compose-guide-2024/)
 #
 # Set secure options by disabling insecure older TLS/SSL versions
 # and insecure ciphers. SNIStrict disabled leaves TLS1.0 open.
 # If you have problems with older clients, you can may need to relax
 # these minimums. This configuration will give you an A+ SSL security
 # score supporting TLS1.2 and TLS1.3
 #
 # Dynamic configuration
 # https://doc.traefik.io/traefik/https/tls/
 ################################################################
 tls:
  options:
    tls-opts:
      sniStrict: true
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
@@ -14,6 +29,7 @@ tls:
        - TLS_CHACHA20_POLY1305_SHA256
        - TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
      curvePreferences:
-        - CurveP521
+        - secp521r1 # CurveP521
-        - CurveP384
+        - secp384r1 # CurveP384
-      sniStrict: true
+    mintls13:
      minVersion: VersionTLS13
--- a/config/docker/current/traefik/logs/access.log
+++ b/config/docker/current/traefik/logs/access.log
--- a/config/docker/current/traefik/logs/traefik-access.log
+++ b/config/docker/current/traefik/logs/traefik-access.log
--- a/config/docker/current/traefik/logs/traefik-container.log
+++ b/config/docker/current/traefik/logs/traefik-container.log
--- a/config/docker/current/traefik/old/acme.json
+++ b/config/docker/current/traefik/old/acme.json
--- a/config/docker/current/traefik/old/config/mw-authelia.yaml
+++ b/config/docker/current/traefik/old/config/mw-authelia.yaml
--- a/config/docker/current/traefik/old/config/mw-basic-auth.yaml
+++ b/config/docker/current/traefik/old/config/mw-basic-auth.yaml
@@ -0,0 +1,8 @@
 http:
  middlewares:
    middlewares-basic-auth:
      basicAuth:
        # users:
        #   - "user:$apsdfs.$EntPC0w3FtswWvC/6fTVJ7IUVtX1"
        usersFile: "/users" #be sure to mount the volume through docker-compose.yml
        realm: "Traefik 2 Basic Auth"
--- a/config/docker/current/traefik/old/config/mw-chain-authelia.yaml
+++ b/config/docker/current/traefik/old/config/mw-chain-authelia.yaml
--- a/config/docker/current/traefik/old/config/mw-chain-basic-auth.yaml
+++ b/config/docker/current/traefik/old/config/mw-chain-basic-auth.yaml
@@ -0,0 +1,8 @@
 http:
  middlewares:
    chain-basic-auth:
      chain:
        middlewares:
          - middlewares-rate-limit
          - middlewares-secure-headers
          - middlewares-basic-auth
--- a/config/docker/current/traefik/old/config/mw-chain-no-auth.yaml
+++ b/config/docker/current/traefik/old/config/mw-chain-no-auth.yaml
@@ -0,0 +1,9 @@
 http:
  middlewares:
    chain-no-auth:
      chain:
        middlewares:
          - middlewares-crowdsec-bouncer
          - middlewares-default-whitelist
          - middlewares-rate-limit
          - middlewares-secure-headers
--- a/config/docker/current/traefik/old/config/mw-chain-oauth.yaml
+++ b/config/docker/current/traefik/old/config/mw-chain-oauth.yaml
--- a/config/docker/current/traefik/old/config/mw-crowdsec-bouncer.yaml
+++ b/config/docker/current/traefik/old/config/mw-crowdsec-bouncer.yaml
@@ -0,0 +1,6 @@
 http:
  middlewares:    
    middlewares-crowdsec-bouncer:
      forwardauth:
        address: http://bouncer-traefik:8080/api/v1/forwardAuth
        trustForwardHeader: true
--- a/config/docker/current/traefik/old/config/mw-default-whitelist.yaml
+++ b/config/docker/current/traefik/old/config/mw-default-whitelist.yaml
@@ -0,0 +1,8 @@
 http:
  middlewares:
    middlewares-default-whitelist:
      ipWhiteList:
        sourceRange:
        - "10.0.0.0/8"
        - "192.168.0.0/16"
        - "172.16.0.0/12"
--- a/config/docker/current/traefik/old/config/mw-rate-limit.yaml
+++ b/config/docker/current/traefik/old/config/mw-rate-limit.yaml
@@ -0,0 +1,6 @@
 http:
  middlewares:
    middlewares-rate-limit:
      rateLimit:
        average: 100
        burst: 50
--- a/config/docker/current/traefik/old/config/mw-secure-headers.yaml
+++ b/config/docker/current/traefik/old/config/mw-secure-headers.yaml
@@ -0,0 +1,31 @@
 http:
  middlewares:
    middlewares-secure-headers:
      headers:
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
        accessControlMaxAge: 100
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        sslRedirect: true
        stsSeconds: 63072000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        # frameDeny: true #overwritten by customFrameOptionsValue
        customFrameOptionsValue: "allow-from https:gurulandia.eu" #CSP takes care of this but may be needed for organizr.
        contentTypeNosniff: true
        browserXssFilter: true
        # sslForceHost: true # add sslHost to all of the services
        # sslHost: "example.com"
        referrerPolicy: "same-origin"
        # Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
        # the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
        # contentSecurityPolicy: "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
        featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
          server: ""
--- a/config/docker/current/traefik/old/config/tls-opts.yaml
+++ b/config/docker/current/traefik/old/config/tls-opts.yaml
@@ -0,0 +1,19 @@
 tls:
  options:
    tls-opts:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
        - TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
      curvePreferences:
        - CurveP521
        - CurveP384
      sniStrict: true
--- a/config/docker/current/traefik/old/logs/access.log
+++ b/config/docker/current/traefik/old/logs/access.log
--- a/config/docker/current/traefik/old/logs/traefik.log
+++ b/config/docker/current/traefik/old/logs/traefik.log
--- a/config/docker/current/traefik/traefik.yaml
+++ b/config/docker/current/traefik/traefik.yaml
@@ -0,0 +1,141 @@
 # Traefik 3.x (YAML)
 # Updated 2024-June-04
 ################################################################
 # Global configuration - https://doc.traefik.io/traefik/reference/static-configuration/file/
 ################################################################
 global:
  checkNewVersion: true #false
  sendAnonymousUsage: false
 ################################################################
 # Entrypoints - https://doc.traefik.io/traefik/routing/entrypoints/
 ################################################################
 entryPoints:
  web:
    address: ":80"
    # Global HTTP to HTTPS redirection
    http:
 #      middlewares:
 #        - crowdsec-bouncer@file
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"
    http:
 #      middlewares:
 #        - crowdsec-bouncer@file
      tls:
        options: tls-opts@file
        certResolver: dns-cloudflare
        domains:
          - main: "{{env "DOMAINNAME0"}}"
            sans:
              - "*.{{env "DOMAINNAME0"}}"
          - main: "{{env "DOMAINNAME1"}}"
            sans:
              - "*.{{env "DOMAINNAME1"}}"
          - main: "{{env "DOMAINNAME2"}}"
            sans:
              - "*.{{env "DOMAINNAME2"}}"
          - main: "{{env "DOMAINNAME3"}}"
            sans:
              - "*.{{env "DOMAINNAME3"}}"
    forwardedHeaders:
      trustedIPs:
        # Cloudflare (https://www.cloudflare.com/ips-v4)
        - "173.245.48.0/20"
        - "103.21.244.0/22"
        - "103.22.200.0/22"
        - "103.31.4.0/22"
        - "141.101.64.0/18"
        - "108.162.192.0/18"
        - "190.93.240.0/20"
        - "188.114.96.0/20"
        - "197.234.240.0/22"
        - "198.41.128.0/17"
        - "162.158.0.0/15"
        - "104.16.0.0/13"
        - "104.24.0.0/14"
        - "172.64.0.0/13"
        - "131.0.72.0/22"
        - "104.16.0.0/13"
        - "104.24.0.0/14"
        # Local IPs
        - "127.0.0.1/32"
        - "10.0.0.0/8"
        - "192.168.0.0/16"
        - "172.16.0.0/12"
 ################################################################
 # Logs - https://doc.traefik.io/traefik/observability/logs/
 ################################################################
 log:
  level: INFO # Options: DEBUG, PANIC, FATAL, ERROR (Default), WARN, and INFO
  filePath: /logs/traefik-container.log # Default is to STDOUT
  # format: json # Uses text format (common) by default
  noColor: false # Recommended to be true when using common
  maxSize: 100 # In megabytes
  compress: true # gzip compression when rotating
 ################################################################
 # Access logs - https://doc.traefik.io/traefik/observability/access-logs/
 ################################################################
 accessLog:
  addInternals: true  # things like ping@internal
  filePath: /logs/traefik-access.log # In the Common Log Format (CLF) by default
  bufferingSize: 100 # Number of log lines
  fields:
    names:
      StartUTC: drop  # Write logs in Container Local Time instead of UTC
  filters:
    statusCodes:
      - "204-299"
      - "400-499"
      - "500-599"
 ################################################################
 # API and Dashboard
 ################################################################
 api:
  dashboard: true
  # Rely on api@internal and Traefik with Middleware to control access
  # insecure: true
 ################################################################
 # Providers - https://doc.traefik.io/traefik/providers/docker/
 ################################################################
 providers:
  docker:
    #endpoint: "unix:///var/run/docker.sock" # Comment if using socket-proxy
    endpoint: "tcp://socket-proxy:2375" # Uncomment if using socket proxy
    exposedByDefault: false
    network: proxy  # network to use for connections to all containers
    # defaultRule: TODO
  # Enable auto loading of newly created rules by watching a directory
  file:
  # Apps, LoadBalancers, TLS Options, Middlewares, Middleware Chains
    directory: /config
    watch: true
 ################################################################
 # Let's Encrypt (ACME)
 ################################################################
 certificatesResolvers:
  dns-cloudflare:
    acme:
      email: "{{env "CF_API_EMAIL"}}"
      storage: "/acme.json"
      #caServer: "https://acme-staging-v02.api.letsencrypt.org/directory" # Comment out when going prod
      dnsChallenge:
        provider: cloudflare
        #delayBeforeCheck: 30 # Default is 2m0s.  This changes the delay (in seconds)
        # Custom DNS server resolution
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
--- a/docker/Lenpaste/compose.yaml
+++ b/docker/Lenpaste/compose.yaml
@@ -0,0 +1,25 @@
 version: "3.4"
 services:
  postgres:
    image: docker.io/library/postgres:16.1
    environment:
      - PGDATA=/var/lib/postgresql/data/pgdata
      - POSTGRES_USER=lenpaste
      - POSTGRES_PASSWORD=pass
    volumes:
      - "${PWD}/data/postgres:/var/lib/postgresql/data"
  lenpaste:
    image: ghcr.io/lcomrade/lenpaste:1.3.1
    restart: on-failure:10
    environment:
      - LENPASTE_DB_DRIVER=postgres
      - LENPASTE_DB_SOURCE=postgres://lenpaste:lenpaste@10.0.6.178/lenpaste?sslmode=disable
    #postgresql://[user[:password]@][netloc][:port][/dbname][?param1=value1&...]
    volumes:
      - "${PWD}/data:/data"
    ports:
      - "58080:80"
    depends_on:
      - postgres
--- a/docker/Netbootxyz/compose.yaml
+++ b/docker/Netbootxyz/compose.yaml
@@ -0,0 +1,23 @@
 services:
  netbootxyz:
    # image: ghcr.io/netbootxyz/netbootxyz
    image: lscr.io/linuxserver/netbootxyz:latest
    container_name: netbootxyz
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      #- MENU_VERSION=1.9.9 #optional
      #- PORT_RANGE=30000:30010 #optional
      #- SUBFOLDER=/ #optional
      #- MENU_VERSION=2.0.47 # optional
      - NGINX_PORT=80 # optional
      - WEB_APP_PORT=3000 # optional
    volumes:
      - /gurulandia/data/netbootxyz/config:/config # optional
      - /gurulandia/data/netbootxyz/assets:/assets # optional
    ports:
      - 3001:3000  # optional, destination should match ${WEB_APP_PORT} variable above.
      - 69:69/udp
      - 8080:80  # optional, destination should match ${NGINX_PORT} variable above.
    restart: unless-stopped
--- a/docker/compose/ferretdb.yaml
+++ b/docker/compose/ferretdb.yaml
@@ -0,0 +1,21 @@
 services:
  ferretdb:
    container_name: ${FERRETDB_CONTAINER_NAME}
    image: ${FERRETDB_IMAGE}
    restart: ${FERRETDB_RESTART_POLICY}
    security_opt:
      - no-new-privileges:true
    labels:
      - "komodo.skip=" # Prevent Komodo from stopping with StopAllContainers            
    #depends_on:
    #  - postgres
    logging:
      driver: ${COMPOSE_LOGGING_DRIVER:-local}
    networks:
      - komodo
    # ports:
    #   - 27017:27017
    env_file: ../env/komodo.env
    environment:
      #- FERRETDB_POSTGRESQL_URL=postgres://komodo:komodo@10.0.6.178/komodo?sslmode=disable
      - FERRETDB_POSTGRESQL_URL=postgres://${PSQL_HOST}:${PSQL_PORT}/${KOMODO_DATABASE_DB_NAME:-komodo}?sslmode=disable
--- a/docker/compose/homepage.yaml
+++ b/docker/compose/homepage.yaml
@@ -0,0 +1,18 @@
 services:
  homepage:
    image: ${HOMEPAGE_IMAGE}:${HOMEPAGE_TAG}
    container_name: ${HOMEPAGE_CONTAINER_NAME}
    restart: ${FLATNOTES_RESTART_POLICY}
    security_opt:
      - no-new-privileges:true
    networks:
      - ${HOMEPAGE_NETWORK_ID}    
 #    ports:
 #      - 3000:3000
    volumes:
      - ${DOCKERDIR}/homepage:/app/config # Make sure your local config directory exists
 #      - /var/run/docker.sock:/var/run/docker.sock:ro # (optional) For docker integrations
    environment:
      PUID: ${UID:-1000}
      PGID: ${GID:-1000}
      TZ: ${TZ}  
--- a/docker/compose/joplin-server.yaml
+++ b/docker/compose/joplin-server.yaml
@@ -14,5 +14,5 @@ services:
      GID: ${GID:-1000}
      TZ: ${TZ}
    env_file:
-      - path: ../env/.env.joplin-srv     
+      - path: ../env/joplin-srv.env
-      - path: ../env/.env.joplin-srv.db-cred   
+      - path: ../env/joplin-srv-db.env
--- a/docker/compose/komodo-core.yaml
+++ b/docker/compose/komodo-core.yaml
@@ -0,0 +1,59 @@
 secrets:
  komodo_passkey:
    file: ${SECRETSDIR}/komodo/komodo_passkey
  komodo_webhook_secret:
    file: ${SECRETSDIR}/komodo/komodo_webhook_secret
  komodo_jwt_secret:
    file: ${SECRETSDIR}/komodo/komodo_jwt_secret
  komodo_oidc_client_id:
    file: ${SECRETSDIR}/komodo/komodo_oidc_client_id
  komodo_oidc_client_secret:
    file: ${SECRETSDIR}/komodo/komodo_oidc_client_secret
 services:
  core:
    container_name: ${KOMODO_CORE_CONTAINER_NAME}
    image: ${KOMODO_CORE_IMAGE}:${COMPOSE_KOMODO_IMAGE_TAG:-latest}
    restart: ${KOMODO_RESTART_POLICY}
    secrets:      
      - komodo_passkey
      - komodo_webhook_secret
      - komodo_jwt_secret
      - komodo_oidc_client_id
      - komodo_oidc_client_secret
    labels:                
      - "komodo.skip=" # Prevent Komodo from stopping with StopAllContainers            
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.${KOMODO_HOSTNAME}-rtr.entrypoints=https"
      - "traefik.http.routers.${KOMODO_HOSTNAME}-rtr.rule=Host(`${KOMODO_HOSTNAME}.${DOMAINNAME1}`)"
      ## Middlewares
      - "traefik.http.routers.${KOMODO_HOSTNAME}-rtr.middlewares=chain-no-auth@file"
      ## HTTP Services
      - "traefik.http.routers.${KOMODO_HOSTNAME}-rtr.service=${KOMODO_HOSTNAME}-svc"
      - "traefik.http.services.${KOMODO_HOSTNAME}-svc.loadbalancer.server.port=9120"
    depends_on:
      - ferretdb
    logging:
      driver: ${COMPOSE_LOGGING_DRIVER:-local}
    networks:
      - ${KOMODO_NETWORk_ID}
      - komodo      
 #    ports:
 #      - 9120:9120
    env_file: ../env/komodo.env
    environment:
      KOMODO_DATABASE_URI: mongodb://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@ferretdb:27017/${KOMODO_DATABASE_DB_NAME:-komodo}?authMechanism=PLAIN      
    volumes:
      ## Core cache for repos for latest commit hash / contents
      - repo-cache:/repo-cache
      ## Store sync files on server
      # - /path/to/syncs:/syncs
      ## Optionally mount a custom core.config.toml
      # - /path/to/core.config.toml:/config/config.toml
    ## Allows for systemd Periphery connection at 
    ## "http://host.docker.internal:8120"
    # extra_hosts:
    #   - host.docker.internal:host-gateway
 volumes:
  # Core
  repo-cache:
--- a/docker/compose/komodo-periphery.yaml
+++ b/docker/compose/komodo-periphery.yaml
@@ -0,0 +1,35 @@
 secrets:
  komodo_passkey:
    file: ${SECRETSDIR}/komodo/komodo_passkey
 services:
  ## Deploy Periphery container using this block,
  ## or deploy the Periphery binary with systemd using 
  ## https://github.com/mbecker20/komodo/tree/main/scripts
  periphery:
    container_name: ${KOMODO_PERTIPHERY_CONTAINER_NAME}
    image: ${KOMODO_PERTIPHERY_IMAGE}:${COMPOSE_KOMODO_IMAGE_TAG:-latest}
    restart: ${KOMODO_RESTART_POLICY}    
    labels:
      - "komodo.skip=" # Prevent Komodo from stopping with StopAllContainers                  
    logging:
      driver: ${COMPOSE_LOGGING_DRIVER:-local}
    networks:
      - komodo
    env_file: ../env/komodo.env
    environment:
      PERIPHERY_REPO_DIR: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/repos
      PERIPHERY_STACK_DIR: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/stacks
      PERIPHERY_SSL_KEY_FILE: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/ssl/key.pem
      PERIPHERY_SSL_CERT_FILE: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/ssl/cert.pem
    volumes:
      ## Mount external docker socket
      - /var/run/docker.sock:/var/run/docker.sock
      ## Allow Periphery to see processes outside of container
      - /proc:/proc
      ## Specify the Periphery agent root directory.
      ## Must be the same inside and outside the container,
      ## or docker will get confused. See https://github.com/mbecker20/komodo/discussions/180.
      ## Default: /etc/komodo.
      - ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}:${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}
    secrets:
      - komodo_passkey
--- a/docker/compose/netbootxyz.yaml
+++ b/docker/compose/netbootxyz.yaml
@@ -0,0 +1,23 @@
 services:
  netbootxyz:
    # image: ghcr.io/netbootxyz/netbootxyz
    image: lscr.io/linuxserver/netbootxyz:latest
    container_name: netbootxyz
    environment:
      - PUID=${UID:-1000}
      - PGID=${GID:-1000}
      - TZ=${TZ}
      #- MENU_VERSION=1.9.9 #optional
      #- PORT_RANGE=30000:30010 #optional
      #- SUBFOLDER=/ #optional
      #- MENU_VERSION=2.0.47 # optional
      - NGINX_PORT=80 # optional
      - WEB_APP_PORT=3000 # optional
    volumes:
      - ${DOCKERDIR}/netbootxyz/config:/config # optional
      - ${DOCKERDIR}/netbootxyz/assets:/assets # optional
    ports:
      - 3001:3000  # optional, destination should match ${WEB_APP_PORT} variable above.
      - 69:69/udp
      - 8080:80  # optional, destination should match ${NGINX_PORT} variable above.
    restart: unless-stopped
--- a/docker/compose/networks/default.yaml
+++ b/docker/compose/networks/default.yaml
@@ -1,4 +1,4 @@
 networks:
  default:
-#    name: default
+    name: default
    driver: bridge
--- a/docker/compose/networks/komodo.yaml
+++ b/docker/compose/networks/komodo.yaml
@@ -0,0 +1,4 @@
 networks:
  komodo:
    name: komodo
    driver: bridge
--- a/docker/compose/networks/proxy.yaml
+++ b/docker/compose/networks/proxy.yaml
@@ -1,4 +1,4 @@
 networks:
  proxy:
    name: proxy
-    external: true
+    # external: true	
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -28,10 +28,10 @@ networks:
 # Docker Compose v2.20 or greater required to use "include"
 include:
 ########################### SERVICES
-  - compose/dc-traefik.yml
+  - services/dc-traefik.yml
-  - compose/dc-socket-proxy.yml
+  - services/dc-socket-proxy.yml
-  - compose/dc-crowdsec.yml
+  - services/dc-crowdsec.yml
-  - compose/dc-traefik-bouncer.yml
+  - services/dc-traefik-bouncer.yml
  # Portainer - WebUI for Containers
 # portainer:
--- a/docker/env/.env.proxy
+++ b/docker/env/.env.proxy
@@ -1,4 +1,4 @@
-BASICAUTHUSER=gurulandia:$$apr1$$kBqxEDFb$$aOgGWvLwFUDhSymDy430m.
+# BASICAUTHUSER=gurulandia:$$apr1$$kBqxEDFb$$aOgGWvLwFUDhSymDy430m.
 # create basic auth with: echo $(htpasswd -nb "<USER>" "<PASSWORD>") | sed -e s/\\$/\\$\\$/g
 ##### trustedIPs
--- a/docker/env/.env.stack.proxy
+++ b/docker/env/.env.stack.proxy
@@ -7,11 +7,12 @@ PROXYNAME=proxy
 TRAEFIK_CONTAINER_NAME=traefik
 TRAEFIK_IMAGE=traefik
 TRAEFIK_TAG=latest
-TRAEFIK_RESTART_POLICY=unless-stopped
+TRAEFIK_RESTART_POLICY=always
 ##### socket-proxy Container
 SOCKET_PROXY_CONTAINER_NAME=socket-proxy
-SOCKET_PROXY_IMAGE=ghcr.io/tecnativa/docker-socket-proxy
+#SOCKET_PROXY_IMAGE=ghcr.io/tecnativa/docker-socket-proxy
 SOCKET_PROXY_IMAGE=lscr.io/linuxserver/socket-proxy
 SOCKET_PROXY_TAG=latest
 SOCKET_PROXY_RESTART_POLICY=always
--- a/docker/env/common.env
+++ b/docker/env/common.env
@@ -1,6 +1,8 @@
 ##### SYSTEM
 UID=1000
 GID=1000
 PUID=1000
 PGID=1000
 TZ=Europe/HelsinkI
 #USERDIR=/home/gurulandia
--- a/docker/env/homepage-stack.env
+++ b/docker/env/homepage-stack.env
@@ -0,0 +1,8 @@
 HOMEPAGE_NETWORK_ID=proxy
 HOMEPAGE_HOSTNAME=homepage
 ##### Homepage Container
 HOMEPAGE_CONTAINER_NAME=homepage
 HOMEPAGE_IMAGE=ghcr.io/gethomepage/homepage
 HOMEPAGE_TAG=latest
 HOMEPAGE_RESTART_POLICY=unless-stopped
--- a/docker/env/.env.joplin-srv.db-cred
+++ b/docker/env/.env.joplin-srv.db-cred
--- a/docker/env/joplin-srv-db.env
+++ b/docker/env/joplin-srv-db.env
@@ -0,0 +1,8 @@
 JOPLINDB_NETWORk_ID=backend
 ##### Joplin Server DB Container
 JOPLINDB_CONTAINER_NAME=joplindb
 JOPLINDB_IMAGE=postgres
 JOPLINDB_TAG=16-alpine
 JOPLINDB_RESTART_POLICY=unless-stopped
--- a/docker/env/.env.stack.joplin-srv
+++ b/docker/env/.env.stack.joplin-srv
@@ -1,5 +1,3 @@
 COMPOSE_PROJECT_NAME=joplinserver
 JOPLIN_NETWORk_ID=proxy
 JOPLIN_HOSTNAME=joplin
--- a/docker/env/.env.joplin-srv.withdb
+++ b/docker/env/.env.joplin-srv.withdb
--- a/docker/env/.env.joplin-srv
+++ b/docker/env/.env.joplin-srv
--- a/docker/env/komodo-stack.env
+++ b/docker/env/komodo-stack.env
@@ -0,0 +1,17 @@
 KOMODO_NETWORk_ID=proxy
 KOMODO_HOSTNAME=komodo
 KOMODO_RESTART_POLICY=unless-stopped
 ##### Komodo Core Container
 KOMODO_CORE_CONTAINER_NAME=komodo-core
 KOMODO_CORE_IMAGE=ghcr.io/mbecker20/komodo
 ##### Komodo Periphery Container
 KOMODO_PERTIPHERY_CONTAINER_NAME=komodo-periphery
 KOMODO_PERTIPHERY_IMAGE=ghcr.io/mbecker20/periphery
 ##### FerretDB Core Container
 FERRETDB_CONTAINER_NAME=komodo-ferretdb
 FERRETDB_IMAGE=ghcr.io/ferretdb/ferretdb:1
 FERRETDB_RESTART_POLICY=${KOMODO_RESTART_POLICY}
--- a/docker/env/komodo.env
+++ b/docker/env/komodo.env
@@ -0,0 +1,133 @@
 ####################################
 # 🦎 KOMODO COMPOSE - VARIABLES 🦎 #
 ####################################
 ## These compose variables can be used with all Komodo deployment options.
 ## Pass these variables to the compose up command using `--env-file komodo/compose.env`.
 ## Additionally, they are passed to both Komodo Core and Komodo Periphery with `env_file: ./compose.env`,
 ## so you can pass any additional environment variables to Core / Periphery directly in this file as well.
 PSQL_HOST=10.0.6.178
 PSQL_PORT=5432
 ## Stick to a specific version, or use `latest`
 COMPOSE_KOMODO_IMAGE_TAG=latest
 ## Note: 🚨 Podman does NOT support local logging driver 🚨. See Podman options here:
 ## `https://docs.podman.io/en/v4.6.1/markdown/podman-run.1.html#log-driver-driver`
 COMPOSE_LOGGING_DRIVER=local # Enable log rotation with the local driver.
 ## DB credentials - Ignored for Sqlite
 KOMODO_DB_USERNAME=komodo
 KOMODO_DB_PASSWORD=komodo
 ## Configure a secure passkey to authenticate between Core / Periphery.
 KOMODO_PASSKEY_FILE=/run/secrets/komodo_passkey
 #=-------------------------=#
 #= Komodo Core Environment =#
 #=-------------------------=#
 ## Full variable list + descriptions are available here:
 ## 🦎 https://github.com/mbecker20/komodo/blob/main/config/core.config.toml 🦎
 ## Note. Secret variables also support `${VARIABLE}_FILE` syntax to pass docker compose secrets.
 ## Docs: https://docs.docker.com/compose/how-tos/use-secrets/#examples
 ## Used for Oauth / Webhook url suggestion / Caddy reverse proxy.
 KOMODO_HOST=https://komodo.lab.gurulandia.eu
 ## Displayed in the browser tab.
 KOMODO_TITLE=Komodo by Gurulandia
 #Komodo
 ## Create a server matching this address as the "first server".
 ## Use `https://host.docker.internal:8120` when using systemd-managed Periphery.
 KOMODO_FIRST_SERVER=https://periphery:8120
 ## Make all buttons just double-click, rather than the full confirmation dialog.
 KOMODO_DISABLE_CONFIRM_DIALOG=true
 ## Rate Komodo polls your servers for
 ## status / container status / system stats / alerting.
 ## Options: 1-sec, 5-sec, 15-sec, 1-min, 5-min.
 ## Default: 15-sec
 KOMODO_MONITORING_INTERVAL="15-sec"
 ## Rate Komodo polls Resources for updates,
 ## like outdated commit hash.
 ## Options: 1-min, 5-min, 15-min, 30-min, 1-hr.
 ## Default: 5-min
 KOMODO_RESOURCE_POLL_INTERVAL="5-min"
 ## Used to auth incoming webhooks. Alt: KOMODO_WEBHOOK_SECRET_FILE
 KOMODO_WEBHOOK_SECRET_FILE=/run/secrets/komodo_webhook_secret
 ## Used to generate jwt. Alt: KOMODO_JWT_SECRET_FILE
 KOMODO_JWT_SECRET_FILE=/run/secrets/komodo_jwt_secret
 ## Enable login with username + password.
 KOMODO_LOCAL_AUTH=true
 ## Disable new user signups.
 KOMODO_DISABLE_USER_REGISTRATION=false
 ## All new logins are auto enabled
 KOMODO_ENABLE_NEW_USERS=true
 ## Disable non-admins from creating new resources.
 KOMODO_DISABLE_NON_ADMIN_CREATE=false
 ## Allows all users to have Read level access to all resources.
 KOMODO_TRANSPARENT_MODE=false
 ## Time to live for jwt tokens.
 ## Options: 1-hr, 12-hr, 1-day, 3-day, 1-wk, 2-wk
 KOMODO_JWT_TTL="1-day"
 ## OIDC Login
 KOMODO_OIDC_ENABLED=true
 ## Must reachable from Komodo Core container
 KOMODO_OIDC_PROVIDER=https://authentik.lab.gurulandia.eu/application/o/komodo/
 ## Change the host to one reachable be reachable by users (optional if it is the same as above).
 ## DO NOT include the `path` part of the URL.
 KOMODO_OIDC_REDIRECT_HOST=https://authentik.lab.gurulandia.eu
 ## Your client credentials
 KOMODO_OIDC_CLIENT_ID_FILE=/run/secrets/komodo_oidc_client_id
 KOMODO_OIDC_CLIENT_SECRET_FILE=/run/secrets/komodo_oidc_client_secret
 ## Make usernames the full email.
 KOMODO_OIDC_USE_FULL_EMAIL=true
 ## Add additional trusted audiences for token claims verification.
 ## Supports comma separated list, and passing with _FILE (for compose secrets).
 # KOMODO_OIDC_ADDITIONAL_AUDIENCES=abc,123 # Alt: KOMODO_OIDC_ADDITIONAL_AUDIENCES_FILE
 ## Github Oauth
 KOMODO_GITHUB_OAUTH_ENABLED=false
 # KOMODO_GITHUB_OAUTH_ID= # Alt: KOMODO_GITHUB_OAUTH_ID_FILE
 # KOMODO_GITHUB_OAUTH_SECRET= # Alt: KOMODO_GITHUB_OAUTH_SECRET_FILE
 ## Google Oauth
 KOMODO_GOOGLE_OAUTH_ENABLED=false
 # KOMODO_GOOGLE_OAUTH_ID= # Alt: KOMODO_GOOGLE_OAUTH_ID_FILE
 # KOMODO_GOOGLE_OAUTH_SECRET= # Alt: KOMODO_GOOGLE_OAUTH_SECRET_FILE
 ## Aws - Used to launch Builder instances and ServerTemplate instances.
 KOMODO_AWS_ACCESS_KEY_ID= # Alt: KOMODO_AWS_ACCESS_KEY_ID_FILE
 KOMODO_AWS_SECRET_ACCESS_KEY= # Alt: KOMODO_AWS_SECRET_ACCESS_KEY_FILE
 ## Hetzner - Used to launch ServerTemplate instances
 ## Hetzner Builder not supported due to Hetzner pay-by-the-hour pricing model
 KOMODO_HETZNER_TOKEN= # Alt: KOMODO_HETZNER_TOKEN_FILE
 #=------------------------------=#
 #= Komodo Periphery Environment =#
 #=------------------------------=#
 ## Full variable list + descriptions are available here:
 ## 🦎 https://github.com/mbecker20/komodo/blob/main/config/periphery.config.toml 🦎
 ## Periphery passkeys must include KOMODO_PASSKEY to authenticate.
 PERIPHERY_PASSKEYS_FILE=/run/secrets/komodo_passkey
 ## Specify the root directory used by Periphery agent.
 PERIPHERY_ROOT_DIRECTORY=/etc/komodo
 ## Enable SSL using self signed certificates.
 ## Connect to Periphery at https://address:8120.
 PERIPHERY_SSL_ENABLED=true
 ## If the disk size is overreporting, can use one of these to 
 ## whitelist / blacklist the disks to filter them, whichever is easier.
 ## Accepts comma separated list of paths.
 ## Usually whitelisting just /etc/hostname gives correct size.
 PERIPHERY_INCLUDE_DISK_MOUNTS=/etc/hostname
 # PERIPHERY_EXCLUDE_DISK_MOUNTS=/snap,/etc/repos
--- a/docker/env/technitum-dns-stack.env
+++ b/docker/env/technitum-dns-stack.env
@@ -0,0 +1,9 @@
 TECHNITUM_DNS_NETWORk_ID=proxy
 TECHNITUM_DNS_HOSTNAME=komodo
 TECHNITUM_DNS_RESTART_POLICY=unless-stopped
 ##### Komodo Core Container
 TECHNITUM_DNS_CONTAINER_NAME=dns-server
 TECHNITUM_DNS_IMAGE=technitium/dns-server
 TECHNITUM_DNS_TAG=latest
--- a/docker/env/technitum-dns.env
+++ b/docker/env/technitum-dns.env
@@ -0,0 +1,66 @@
 # The primary domain name used by this DNS Server to identify itself.
 DNS_SERVER_DOMAIN=lab.gurulandia.eu
 # DNS web console admin user password.
 # DNS_SERVER_ADMIN_PASSWORD=password
 # The path to a file that contains a plain text password for the DNS web console admin user.
 DNS_SERVER_ADMIN_PASSWORD_FILE = /run/secrets/technitium_admin_password
 # DNS Server will use IPv6 for querying whenever possible with this option enabled.
 # DNS_SERVER_PREFER_IPV6=false
 # Comma separated list of network interface IP addresses that you want the web service to listen on for requests. 
 # The "172.17.0.1" address is the built-in Docker bridge. The "[::]" is the default value if not specified. 
 # Note! This must be used only with "host" network mode.      
 # DNS_SERVER_WEB_SERVICE_LOCAL_ADDRESSES=172.17.0.1,127.0.0.1
 # The TCP port number for the DNS web console over HTTP protocol.
 # DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380 
 # The TCP port number for the DNS web console over HTTPS protocol.
 # DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443 #The TCP port number for the DNS web console over HTTPS protocol.
 # Enables HTTPS for the DNS web console.
 # DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false
 # Enables self signed TLS certificate for the DNS web console.
 # DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false 
 # Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx.
 # DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false 
 # Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworkACL.
 # DNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks 
 # Comma separated list of IP addresses or network addresses to allow access.
 # Add ! character at the start to deny access, e.g. !192.168.10.0/24 will deny entire subnet.
 # The ACL is processed in the same order its listed. If no networks match, the default policy is to deny all except loopback.
 # Valid only for `UseSpecifiedNetworkACL` recursion option.
 # DNS_SERVER_RECURSION_NETWORK_ACL=192.168.10.0/24, !192.168.10.2
 # Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworkACL` recursion option.
 # This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead.
 # DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24
 # Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworkACL` recursion option.
 # This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead.
 # DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24
 # Sets the DNS server to block domain names using Blocked Zone and Block List Zone.
 # DNS_SERVER_ENABLE_BLOCKING=false 
 # Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests.
 # DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false
 # A comma separated list of block list URLs.
 # DNS_SERVER_BLOCK_LIST_URLS= 
 # Comma separated list of forwarder addresses.
 # DNS_SERVER_FORWARDERS=1.1.1.1, 8.8.8.8
 # Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson.
 # DNS_SERVER_FORWARDER_PROTOCOL=Tcp
 # Enable this option to use local time instead of UTC for logging.
 DNS_SERVER_LOG_USING_LOCAL_TIME=true
--- a/docker/homarr/compose.yaml
+++ b/docker/homarr/compose.yaml
@@ -0,0 +1,22 @@
 #---------------------------------------------------------------------#
 #     Homarr - A simple, yet powerful dashboard for your server.      #
 #---------------------------------------------------------------------#
 services:
  homarr:
    container_name: homarr
    image: ghcr.io/homarr-labs/homarr:latest
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock # Optional, only if you want docker integration
      - /gurulandia/data/homarr/appdata:/appdata
    environment:
      - SECRET_ENCRYPTION_KEY=9a3fb9c060d3ff37ac0e0785177979ec48620144b8fd3e5883c02e27f68b2dba  # <--- can be generated with `openssl rand -hex 32`
      - DB_DRIVER=mysql2
      - DB_DIALECT=mysql
      - DB_HOST=10.0.6.180
      - DB_PORT=3306
      - DB_NAME=homarr
      - DB_USER=homarr
      - DB_PASSWORD=homarr
    ports:
      - 7575:7575
--- a/docker/homepage/behind-proxy/compose.override.yaml
+++ b/docker/homepage/behind-proxy/compose.override.yaml
@@ -0,0 +1,55 @@
 secrets:
    title:
      file: /gurulandia/data/homepage/secrets/title
 services:
  homepage:
    image: ghcr.io/gethomepage/homepage:latest
    container_name: homepage
    ports:
      - 3000:3000
    volumes:
      - /gurulandia/data/homepage:/app/config # Make sure your local config directory exists
      - /var/run/docker.sock:/var/run/docker.sock:ro # (optional) For docker integrations
    environment:
      - PUID=1000
      - PGID=1000
      - HOMEPAGE_VAR_BASE="https://homepage.lab.gurulandia.eu/"
      #- HOMEPAGE_VAR_TITLE="Gurulandia's Awesome Homepage"
      - HOMEPAGE_FILE_TITLE=/run/secrets/title
    networks:
      - proxy
      - socket_proxy
    labels:
      traefik.enable: true
      ## HTTP Routers
      traefik.http.routers.homepage-rtr.entrypoints: https
      traefik.http.routers.homepage-rtr.rule: Host(`homepage.lab.gurulandia.eu`)
      ## Middlewares
      #- "traefik.http.routers.${GOTIFY_HOST_NAME}-rtr.middlewares=chain-authelia@file"
      traefik.http.routers.homepage-rtr.middlewares: chain-authentik@file
      #traefik.http.routers.homepage-rtr.middlewares: chain-no-auth@file
      ## HTTP Services
      traefik.http.routers.homepage-rtr.service: homepage-svc
      traefik.http.services.homepage-svc.loadbalancer.server.port: 3000     
    secrets:
      - title
 networks:
  proxy:
    external: true
  socket_proxy:
    external: true
 #services:
 #  homepage:        
 #    labels:
 #      - "traefik.enable=true"
      ## HTTP Routers
 #      - "traefik.http.routers.${HOMEPAGE_HOSTNAME}-rtr.entrypoints=https"
 #      - "traefik.http.routers.${HOMEPAGE_HOSTNAME}-rtr.rule=Host(`${HOMEPAGE_HOSTNAME}.$DOMAINNAME1`)"
      ## Middlewares
 #      - "traefik.http.routers.${HOMEPAGE_HOSTNAME}-rtr.middlewares=chain-authelia@file"
 #      - "traefik.http.routers.${HOMEPAGE_HOSTNAME}-rtr.middlewares=chain-no-auth@file"
      ## HTTP Services
 #      - "traefik.http.routers.${HOMEPAGE_HOSTNAME}-rtr.service=${HOMEPAGE_HOSTNAME}-svc"
 #      - "traefik.http.services.${HOMEPAGE_HOSTNAME}-svc.loadbalancer.server.port=22300"
--- a/docker/homepage/behind-proxy/compose.yaml
+++ b/docker/homepage/behind-proxy/compose.yaml
@@ -0,0 +1,7 @@
 name: homepagee
 # Docker Compose v2.20 or greater required to use "include"
 include:
 #################### NETWORKS ####################
  - ../../compose/networks/${HOMEPAGR_NETWORk_ID}.yaml
 #################### SERVICES ####################
  - ../../compose/homepage.yaml
--- a/docker/homepage/behind-proxy/deploy.sh
+++ b/docker/homepage/behind-proxy/deploy.sh
@@ -0,0 +1,4 @@
 docker compose \
 --env-file ../../env/homepage-stack.env \
 --env-file ../../env/common.env \
 $1
--- a/docker/homepage/compose.yaml
+++ b/docker/homepage/compose.yaml
@@ -0,0 +1,7 @@
 name: homepagee
 # Docker Compose v2.20 or greater required to use "include"
 include:
 #################### NETWORKS ####################
  - ../compose/networks/${HOMEPAGR_NETWORk_ID}.yaml
 #################### SERVICES ####################
  - ../compose/homepage.yaml
--- a/docker/homepage/deploy.sh
+++ b/docker/homepage/deploy.sh
@@ -0,0 +1,4 @@
 docker compose \
 --env-file ../env/homepage-stack.env \
 --env-file ../env/common.env \
 $1
--- a/docker/jemma/komodo/compose.env
+++ b/docker/jemma/komodo/compose.env
@@ -0,0 +1,133 @@
 ####################################
 # 🦎 KOMODO COMPOSE - VARIABLES 🦎 #
 ####################################
 ## These compose variables can be used with all Komodo deployment options.
 ## Pass these variables to the compose up command using `--env-file komodo/compose.env`.
 ## Additionally, they are passed to both Komodo Core and Komodo Periphery with `env_file: ./compose.env`,
 ## so you can pass any additional environment variables to Core / Periphery directly in this file as well.
 PSQL_HOST=10.0.6.178
 PSQL_PORT=5432
 ## Stick to a specific version, or use `latest`
 COMPOSE_KOMODO_IMAGE_TAG=latest
 ## Note: 🚨 Podman does NOT support local logging driver 🚨. See Podman options here:
 ## `https://docs.podman.io/en/v4.6.1/markdown/podman-run.1.html#log-driver-driver`
 COMPOSE_LOGGING_DRIVER=local # Enable log rotation with the local driver.
 ## DB credentials - Ignored for Sqlite
 KOMODO_DB_USERNAME=komodo
 KOMODO_DB_PASSWORD=komodo
 ## Configure a secure passkey to authenticate between Core / Periphery.
 KOMODO_PASSKEY_FILE=/run/secrets/komodo_passkey
 #=-------------------------=#
 #= Komodo Core Environment =#
 #=-------------------------=#
 ## Full variable list + descriptions are available here:
 ## 🦎 https://github.com/mbecker20/komodo/blob/main/config/core.config.toml 🦎
 ## Note. Secret variables also support `${VARIABLE}_FILE` syntax to pass docker compose secrets.
 ## Docs: https://docs.docker.com/compose/how-tos/use-secrets/#examples
 ## Used for Oauth / Webhook url suggestion / Caddy reverse proxy.
 KOMODO_HOST=https://komodo.lab.gurulandia.eu
 ## Displayed in the browser tab.
 KOMODO_TITLE=Komodo by Gurulandia
 #Komodo
 ## Create a server matching this address as the "first server".
 ## Use `https://host.docker.internal:8120` when using systemd-managed Periphery.
 KOMODO_FIRST_SERVER=https://periphery:8120
 ## Make all buttons just double-click, rather than the full confirmation dialog.
 KOMODO_DISABLE_CONFIRM_DIALOG=true
 ## Rate Komodo polls your servers for
 ## status / container status / system stats / alerting.
 ## Options: 1-sec, 5-sec, 15-sec, 1-min, 5-min.
 ## Default: 15-sec
 KOMODO_MONITORING_INTERVAL="15-sec"
 ## Rate Komodo polls Resources for updates,
 ## like outdated commit hash.
 ## Options: 1-min, 5-min, 15-min, 30-min, 1-hr.
 ## Default: 5-min
 KOMODO_RESOURCE_POLL_INTERVAL="5-min"
 ## Used to auth incoming webhooks. Alt: KOMODO_WEBHOOK_SECRET_FILE
 KOMODO_WEBHOOK_SECRET_FILE=/run/secrets/komodo_webhook_secret
 ## Used to generate jwt. Alt: KOMODO_JWT_SECRET_FILE
 KOMODO_JWT_SECRET_FILE=/run/secrets/komodo_jwt_secret
 ## Enable login with username + password.
 KOMODO_LOCAL_AUTH=true
 ## Disable new user signups.
 KOMODO_DISABLE_USER_REGISTRATION=false
 ## All new logins are auto enabled
 KOMODO_ENABLE_NEW_USERS=true
 ## Disable non-admins from creating new resources.
 KOMODO_DISABLE_NON_ADMIN_CREATE=false
 ## Allows all users to have Read level access to all resources.
 KOMODO_TRANSPARENT_MODE=false
 ## Time to live for jwt tokens.
 ## Options: 1-hr, 12-hr, 1-day, 3-day, 1-wk, 2-wk
 KOMODO_JWT_TTL="1-day"
 ## OIDC Login
 KOMODO_OIDC_ENABLED=true
 ## Must reachable from Komodo Core container
 KOMODO_OIDC_PROVIDER=https://authentik.lab.gurulandia.eu/application/o/komodo/
 ## Change the host to one reachable be reachable by users (optional if it is the same as above).
 ## DO NOT include the `path` part of the URL.
 KOMODO_OIDC_REDIRECT_HOST=https://authentik.lab.gurulandia.eu
 ## Your client credentials
 KOMODO_OIDC_CLIENT_ID_FILE=/run/secrets/komodo_oidc_client_id
 KOMODO_OIDC_CLIENT_SECRET_FILE=/run/secrets/komodo_oidc_client_secret
 ## Make usernames the full email.
 KOMODO_OIDC_USE_FULL_EMAIL=true
 ## Add additional trusted audiences for token claims verification.
 ## Supports comma separated list, and passing with _FILE (for compose secrets).
 # KOMODO_OIDC_ADDITIONAL_AUDIENCES=abc,123 # Alt: KOMODO_OIDC_ADDITIONAL_AUDIENCES_FILE
 ## Github Oauth
 KOMODO_GITHUB_OAUTH_ENABLED=false
 # KOMODO_GITHUB_OAUTH_ID= # Alt: KOMODO_GITHUB_OAUTH_ID_FILE
 # KOMODO_GITHUB_OAUTH_SECRET= # Alt: KOMODO_GITHUB_OAUTH_SECRET_FILE
 ## Google Oauth
 KOMODO_GOOGLE_OAUTH_ENABLED=false
 # KOMODO_GOOGLE_OAUTH_ID= # Alt: KOMODO_GOOGLE_OAUTH_ID_FILE
 # KOMODO_GOOGLE_OAUTH_SECRET= # Alt: KOMODO_GOOGLE_OAUTH_SECRET_FILE
 ## Aws - Used to launch Builder instances and ServerTemplate instances.
 KOMODO_AWS_ACCESS_KEY_ID= # Alt: KOMODO_AWS_ACCESS_KEY_ID_FILE
 KOMODO_AWS_SECRET_ACCESS_KEY= # Alt: KOMODO_AWS_SECRET_ACCESS_KEY_FILE
 ## Hetzner - Used to launch ServerTemplate instances
 ## Hetzner Builder not supported due to Hetzner pay-by-the-hour pricing model
 KOMODO_HETZNER_TOKEN= # Alt: KOMODO_HETZNER_TOKEN_FILE
 #=------------------------------=#
 #= Komodo Periphery Environment =#
 #=------------------------------=#
 ## Full variable list + descriptions are available here:
 ## 🦎 https://github.com/mbecker20/komodo/blob/main/config/periphery.config.toml 🦎
 ## Periphery passkeys must include KOMODO_PASSKEY to authenticate.
 PERIPHERY_PASSKEYS_FILE=/run/secrets/komodo_passkey
 ## Specify the root directory used by Periphery agent.
 PERIPHERY_ROOT_DIRECTORY=/etc/komodo
 ## Enable SSL using self signed certificates.
 ## Connect to Periphery at https://address:8120.
 PERIPHERY_SSL_ENABLED=true
 ## If the disk size is overreporting, can use one of these to 
 ## whitelist / blacklist the disks to filter them, whichever is easier.
 ## Accepts comma separated list of paths.
 ## Usually whitelisting just /etc/hostname gives correct size.
 PERIPHERY_INCLUDE_DISK_MOUNTS=/etc/hostname
 # PERIPHERY_EXCLUDE_DISK_MOUNTS=/snap,/etc/repos
--- a/docker/jemma/komodo/compose.yaml
+++ b/docker/jemma/komodo/compose.yaml
@@ -0,0 +1,161 @@
 ###################################
 # 🦎 KOMODO COMPOSE - POSTGRES 🦎 #
 ###################################
 ## This compose file will deploy:
 ##   1. Postgres + FerretDB Mongo adapter (https://www.ferretdb.com)
 ##   2. Komodo Core
 ##   3. Komodo Periphery
 name: komodo
 secrets:
  komodo_db_user:
    file: ${SECRETSDIR}/komodo/komodo_db_user
  komodo_db_password:
    file: ${SECRETSDIR}/komodo/komodo_db_password
  komodo_passkey:
    file: ${SECRETSDIR}/komodo/komodo_passkey
  komodo_webhook_secret:
    file: ${SECRETSDIR}/komodo/komodo_webhook_secret
  komodo_jwt_secret:
    file: ${SECRETSDIR}/komodo/komodo_jwt_secret
  komodo_oidc_client_id:
    file: ${SECRETSDIR}/komodo/komodo_oidc_client_id
  komodo_oidc_client_secret:
    file: ${SECRETSDIR}/komodo/komodo_oidc_client_secret
 services:
  #postgres:
  #  image: postgres
  #  labels:
  #    komodo.skip: # Prevent Komodo from stopping with StopAllContainers
  #  restart: unless-stopped
  #  logging:
  #    driver: ${COMPOSE_LOGGING_DRIVER:-local}
  #  networks:
  #    - default
    # ports:
    #   - 5432:5432
  #  volumes:
  #    - pg-data:/var/lib/postgresql/data
  #  environment:
  #    - POSTGRES_USER=${KOMODO_DB_USERNAME}
  #    - POSTGRES_PASSWORD=${KOMODO_DB_PASSWORD}
  #    - POSTGRES_DB=${KOMODO_DATABASE_DB_NAME:-komodo}
  ferretdb:
    #container_name: ${TRAEFIK_CONTAINER_NAME}
    #image: ${TRAEFIK_IMAGE}:${TRAEFIK_TAG}
    #restart: ${TRAEFIK_RESTART_POLICY}
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    image: ghcr.io/ferretdb/ferretdb
    labels:
      komodo.skip: # Prevent Komodo from stopping with StopAllContainers
    #depends_on:
    #  - postgres
    logging:
      driver: ${COMPOSE_LOGGING_DRIVER:-local}
    networks:
      - default
    # ports:
    #   - 27017:27017
    env_file: ./compose.env
    environment:
      #- FERRETDB_POSTGRESQL_URL=postgres://komodo:komodo@10.0.6.178/komodo?sslmode=disable
      - FERRETDB_POSTGRESQL_URL=postgres://${PSQL_HOST}:${PSQL_PORT}/${KOMODO_DATABASE_DB_NAME:-komodo}?sslmode=disable
  core:
    #container_name: ${TRAEFIK_CONTAINER_NAME}
    #image: ${TRAEFIK_IMAGE}:${TRAEFIK_TAG}
    #restart: ${TRAEFIK_RESTART_POLICY}
    restart: unless-stopped
    image: ghcr.io/mbecker20/komodo:${COMPOSE_KOMODO_IMAGE_TAG:-latest}
    secrets:
      - komodo_db_user
      - komodo_db_password
      - komodo_passkey
      - komodo_webhook_secret
      - komodo_jwt_secret
      - komodo_oidc_client_id
      - komodo_oidc_client_secret
    labels:
      komodo.skip: # Prevent Komodo from stopping with StopAllContainers
      traefik.enable: true
      ## HTTP Routers
      traefik.http.routers.komodo-rtr.entrypoints: https
      traefik.http.routers.komodo-rtr.rule: Host(`komodo.lab.gurulandia.eu`)
      ## Middlewares
 #      - "traefik.http.routers.${PRIVATEBIN_HOSTNAME}-rtr.middlewares=chain-authelia@file"
      traefik.http.routers.komodo-rtr.middlewares: chain-no-auth@file
      ## HTTP Services
      traefik.http.routers.komodo-rtr.service: komodo-svc
      traefik.http.services.komodo-svc.loadbalancer.server.port: 9120
    depends_on:
      - ferretdb
    logging:
      driver: ${COMPOSE_LOGGING_DRIVER:-local}
    networks:
      - default
      - proxy
    ports:
      - 9120:9120
    env_file: ./compose.env  
    environment:
      KOMODO_DATABASE_URI: mongodb://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@ferretdb:27017/${KOMODO_DATABASE_DB_NAME:-komodo}?authMechanism=PLAIN      
    volumes:
      ## Core cache for repos for latest commit hash / contents
      - repo-cache:/repo-cache
      ## Store sync files on server
      # - /path/to/syncs:/syncs
      ## Optionally mount a custom core.config.toml
      # - /path/to/core.config.toml:/config/config.toml
    ## Allows for systemd Periphery connection at 
    ## "http://host.docker.internal:8120"
    # extra_hosts:
    #   - host.docker.internal:host-gateway
  ## Deploy Periphery container using this block,
  ## or deploy the Periphery binary with systemd using 
  ## https://github.com/mbecker20/komodo/tree/main/scripts
  periphery:
    #container_name: ${TRAEFIK_CONTAINER_NAME}
    #image: ${TRAEFIK_IMAGE}:${TRAEFIK_TAG}
    #restart: ${TRAEFIK_RESTART_POLICY}
    restart: unless-stopped
    image: ghcr.io/mbecker20/periphery:${COMPOSE_KOMODO_IMAGE_TAG:-latest}
    labels:
      komodo.skip: # Prevent Komodo from stopping with StopAllContainers
    logging:
      driver: ${COMPOSE_LOGGING_DRIVER:-local}
    networks:
      - default
    env_file: ./compose.env
    environment:
      PERIPHERY_REPO_DIR: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/repos
      PERIPHERY_STACK_DIR: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/stacks
      PERIPHERY_SSL_KEY_FILE: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/ssl/key.pem
      PERIPHERY_SSL_CERT_FILE: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/ssl/cert.pem
    volumes:
      ## Mount external docker socket
      - /var/run/docker.sock:/var/run/docker.sock
      ## Allow Periphery to see processes outside of container
      - /proc:/proc
      ## Specify the Periphery agent root directory.
      ## Must be the same inside and outside the container,
      ## or docker will get confused. See https://github.com/mbecker20/komodo/discussions/180.
      ## Default: /etc/komodo.
      - ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}:${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}
    secrets:
      - komodo_passkey
 volumes:
  # Postgres
  #pg-data:
  # Core
  repo-cache:
 networks:
  default: {}
  proxy: 
    external: true
--- a/docker/joplin-server/behind-proxy-with-db/compose.override.yaml
+++ b/docker/joplin-server/behind-proxy-with-db/compose.override.yaml
@@ -13,13 +13,15 @@ services:
        - "traefik.http.services.${JOPLIN_HOSTNAME}-svc.loadbalancer.server.port=22300"
    depends_on:
        - db    
    networks:
        - ${JOPLINDB_NETWORk_ID}
    env_file:
-        - path: ../../env/.env.joplin-srv.withdb
+        - path: ../../env/joplin-srv-withdb.env
  db:
    image: ${JOPLINDB_IMAGE}:${JOPLINDB_TAG}
    container_name: ${JOPLINDB_CONTAINER_NAME}
    restart: ${JOPLINDB_RESTART_POLICY}
    env_file:
-        - path: ../../env/.env.joplin-srv.db-cred       
+        - path: ../../env/joplin-srv-db-cred.env
    networks:
-        - ${JOPLIN_NETWORk_ID}
+        - ${JOPLINDB_NETWORk_ID}
--- a/docker/joplin-server/behind-proxy-with-db/compose.yaml
+++ b/docker/joplin-server/behind-proxy-with-db/compose.yaml
@@ -1,8 +1,9 @@
 name: joplinserver
 # Docker Compose v2.20 or greater required to use "include"
 include:
 #################### NETWORKS ####################
-  - ../../compose/networks/proxy.yaml
+  - ../../compose/networks/${JOPLIN_NETWORk_ID}.yaml
-  - ../../compose/networks/socket-proxy.yaml
+  - ../../compose/networks/${JOPLINDB_NETWORk_ID}.yaml
 #################### SERVICES ####################
  - ../../compose/postgres.yaml
  - ../../compose/joplin-server.yaml
--- a/docker/joplin-server/behind-proxy-with-db/dcc.sh
+++ b/docker/joplin-server/behind-proxy-with-db/dcc.sh
@@ -1 +0,0 @@
 docker compose --env-file ../../env/.env.stack.joplin-srv --env-file ../../env/.env.common config
--- a/docker/joplin-server/behind-proxy-with-db/deploy.sh
+++ b/docker/joplin-server/behind-proxy-with-db/deploy.sh
@@ -0,0 +1,6 @@
 docker compose \
 --env-file ../../env/joplin-srv-stack.env \
 --env-file ../../env/joplin-srv-db.env \
 --env-file ../../env/common.env \
 $1
--- a/docker/joplin-server/behind-proxy/compose.yaml
+++ b/docker/joplin-server/behind-proxy/compose.yaml
@@ -1,7 +1,7 @@
 name: joplinserver
 # Docker Compose v2.20 or greater required to use "include"
 include:
 #################### NETWORKS ####################
-  - ../../compose/networks/proxy.yaml
+  - ../../compose/networks/${JOPLIN_NETWORk_ID}.yaml
  - ../../compose/networks/socket-proxy.yaml
 #################### SERVICES ####################
  - ../../compose/joplin-server.yaml
--- a/docker/joplin-server/behind-proxy/dcc.sh
+++ b/docker/joplin-server/behind-proxy/dcc.sh
@@ -1 +0,0 @@
 docker compose --env-file ../../env/.env.stack.joplin-srv --env-file ../../env/.env.common config
--- a/docker/joplin-server/behind-proxy/deploy.sh
+++ b/docker/joplin-server/behind-proxy/deploy.sh
@@ -0,0 +1,4 @@
 docker compose \
 --env-file ../../env/joplin-srv-stack.env \
 --env-file ../../env/common.env \
 $1
--- a/docker/joplin-server/compose.yaml
+++ b/docker/joplin-server/compose.yaml
@@ -1,7 +1,7 @@
 name: joplinserver
 # Docker Compose v2.20 or greater required to use "include"
 include:
 #################### NETWORKS ####################
-  - ../../compose/networks/proxy.yaml
+  - ../../compose/networks/${JOPLIN_NETWORk_ID}.yaml
  - ../../compose/networks/socket-proxy.yaml
 #################### SERVICES ####################
  - ../../compose/joplin-server.yaml
--- a/docker/joplin-server/dcc.sh
+++ b/docker/joplin-server/dcc.sh
@@ -1 +0,0 @@
 docker compose --env-file ../env/.env.stack.joplin-srv --env-file ../env/.env.common config
--- a/docker/joplin-server/deploy.sh
+++ b/docker/joplin-server/deploy.sh
@@ -0,0 +1,4 @@
 docker compose \
 --env-file ../env/joplin-srv-stack.env \
 --env-file ../env/common.env \
 $1
--- a/docker/joplin-server/with-db/compose.override.yaml
+++ b/docker/joplin-server/with-db/compose.override.yaml
@@ -5,14 +5,16 @@ services:
 #    ports:
 #        - "22300:22300"
    env_file:
-        - path: ../../env/.env.joplin-srv.withdb
+        - path: ../../env/joplin-srv-withdb.env
    networks:
        - ${JOPLINDB_NETWORk_ID}
  db:
    image: ${JOPLINDB_IMAGE}:${JOPLINDB_TAG}
    container_name: ${JOPLINDB_CONTAINER_NAME}
    restart: ${JOPLINDB_RESTART_POLICY}
    env_file:
-        - path: ../../env/.env.joplin-srv.db-cred       
+        - path: ../../env/joplin-srv-db-cred.env
 #    ports:
 #        - "5432:5432"
    networks:
-        - ${JOPLIN_NETWORk_ID}
+        - ${JOPLINDB_NETWORk_ID}
--- a/docker/joplin-server/with-db/compose.yaml
+++ b/docker/joplin-server/with-db/compose.yaml
@@ -1,8 +1,8 @@
 # Docker Compose v2.20 or greater required to use "include"
 include:
 #################### NETWORKS ####################
-  - ../../compose/networks/proxy.yaml
+  - ../../compose/networks/${JOPLIN_NETWORk_ID}.yaml
-  - ../../compose/networks/socket-proxy.yaml
+  - ../../compose/networks/${JOPLINDB_NETWORk_ID}.yaml
 #################### SERVICES ####################
  - ../../compose/postgres.yaml
  - ../../compose/joplin-server.yaml
--- a/docker/joplin-server/with-db/dcc.sh
+++ b/docker/joplin-server/with-db/dcc.sh
@@ -1 +0,0 @@
 docker compose --env-file ../../env/.env.stack.joplin-srv --env-file ../../env/.env.common config
--- a/docker/joplin-server/with-db/deploy.sh
+++ b/docker/joplin-server/with-db/deploy.sh
@@ -0,0 +1,5 @@
 docker compose \
 --env-file ../../env/joplin-srv-stack.env \
 --env-file ../../env/joplin-srv-db.env \
 --env-file ../../env/common.env \
 $1
--- a/docker/komodo/compose.yaml
+++ b/docker/komodo/compose.yaml
@@ -0,0 +1,10 @@
 name: komodo
 # Docker Compose v2.20 or greater required to use "include"
 include:
 #################### NETWORKS ####################
  - ../compose/networks/${KOMODO_NETWORk_ID}.yaml
  - ../compose/networks/komodo.yaml
 #################### SERVICES ####################
  - ../compose/ferretdb.yaml
  - ../compose/komodo-core.yaml
  - ../compose/komodo-periphery.yaml
--- a/docker/komodo/deploy.sh
+++ b/docker/komodo/deploy.sh
@@ -0,0 +1,5 @@
 docker compose \
 --env-file ../env/komodo-stack.env \
 --env-file ../env/komodo.env \
 --env-file ../env/common.env \
 $1 $2 $3
--- a/docker/memos/compose.yaml
+++ b/docker/memos/compose.yaml
@@ -0,0 +1,21 @@
 services:
  memos:
    image: neosmemo/memos:stable
    restart: always
 #    depends_on:
 #      - db
    ports:
      - 5230:5230
    environment:
      - MEMOS_DRIVER=postgres
      - MEMOS_DSN=user=memos password=memos dbname=memos host=10.0.6.178 sslmode=disable
 #  db:
 #    image: postgres:16.1
 #    restart: unless-stopped
 #    volumes:
 #      - "./database:/var/lib/postgresql/data/"
 #    environment:
 #      POSTGRES_USER: memos
 #      POSTGRES_PASSWORD: secret
 #      POSTGRES_DB: memosdb
--- a/docker/nginx/compose.yaml
+++ b/docker/nginx/compose.yaml
@@ -0,0 +1,35 @@
 services:
  web:
    image: nginx:latest
    container_name: jimsgarage
    volumes:
     - /gurulandia/data/nginx/templates:/etc/nginx/templates
     - /gurulandia/data/nginx/web:/usr/share/nginx/html
    environment:
     - NGINX_HOST=nginx.lab.gurulandia.eu
     - NGINX_PORT=80
    ports:
     - 8089:80
    labels:
      - "traefik.enable=true"
      #- "traefik.http.routers.nginx.entrypoints=http"
      #- "traefik.http.routers.nginx.rule=Host(`nginx.jimsgarage.co.uk`)"
      #- "traefik.http.middlewares.nginx-https-redirect.redirectscheme.scheme=https"
      #- "traefik.http.routers.nginx.middlewares=nginx-https-redirect"
      - "traefik.http.routers.nginx-secure.entrypoints=https"
      - "traefik.http.routers.nginx-secure.rule=Host(`nginx.lab.gurulandia.eu`)"
      #- "traefik.http.routers.nginx-secure.tls=true"
      #- "traefik.http.routers.nginx-secure.service=nginx"
      - "traefik.http.services.nginx.loadbalancer.server.port=80"
      #- "traefik.http.routers.nginx-secure.middlewares=chain-no-auth@file" 
      #- "traefik.http.routers.nginx-secure.middlewares=chain-authentik@file" #add this to any container you want to use the Authentik web proxy
      - "traefik.http.routers.nginx-secure.middlewares=middlewares-authentik@file" #add this to any container you want to use the Authentik web proxy
     # - "traefik.docker.network=proxy"
    networks:
      proxy:
    security_opt:
      - no-new-privileges:true
 networks:
  proxy:
    external: true
--- a/docker/pgweb/compose.yaml
+++ b/docker/pgweb/compose.yaml
@@ -0,0 +1,22 @@
 services:
  pgweb:
    container_name: pgweb
    image: sosedoff/pgweb:latest
    #build: .
    #environment:
    #  PGWEB_DATABASE_URL: postgres://pgweb:pgweb@pgweb-postgres:5432/pgweb?sslmode=disable
    ports:
      - 58081:8081
    networks:
      - pgweb
    #depends_on:
    #  postgres:
    #    condition: service_healthy
    healthcheck:
      test: ["CMD", "nc", "-vz", "127.0.0.1", "58081"]
      interval: 5s
    volumes:
      - /gurulandia/data/pgweb:/home/pgweb/.pgweb/bookmarks
 networks:
  pgweb:
    name: pgweb
--- a/docker/proxy/docker-compose.yml
+++ b/docker/proxy/docker-compose.yml
--- a/docker/redis/compose.yaml
+++ b/docker/redis/compose.yaml
@@ -0,0 +1,34 @@
 services:
  redis:
    container_name: redis
    image: redis:latest
    command: redis-server
    volumes:
      - redis:/var/lib/redis
      - redis-config:/usr/local/etc/redis/redis.conf
    ports:
      - 6379:6379
    networks:
      - redis-network
  redis-commander:
    container_name: redis-commander
    image: rediscommander/redis-commander:latest
    environment:
      - REDIS_HOSTS=local:redis:6379
      - HTTP_USER=root
      - HTTP_PASSWORD=qwerty
    ports:
      - 8081:8081
    networks:
      - redis-network
    depends_on:
      - redis
 volumes:
  redis:
  redis-config:
 networks:
  redis-network:
    driver: bridge
--- a/docker/services/dc-traefik.yml
+++ b/docker/services/dc-traefik.yml
@@ -1,94 +1,120 @@
 ########################### SECRETS
 secrets:
-  cloudflare_email:
+  #cloudflare_email:
-    file: ${SECRETSDIR}/cloudflare_email
+  #  file: ${SECRETSDIR}/cloudflare_email
-  cloudflare_api_key:
+  #cloudflare_api_key:
-    file: ${SECRETSDIR}/cloudflare_api_key
+  #  file: ${SECRETSDIR}/cloudflare_api_key
  basic_auth_credentials:
    file: $DOCKERDIR/secrets/basic_auth_credentials
  cloudflare_api_token:
    file: ${SECRETSDIR}/cloudflare_dns_api_token
 services:
-  # Traefik 2 - Reverse Proxy
+  # Traefik 3 - Reverse Proxy
  # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
  # touch $DOCKERDIR/traefik2/acme/acme.json
  # chmod 600 $DOCKERDIR/traefik2/acme/acme.json
  # touch $DOCKERDIR/traefik2/traefik.log
  traefik:
-    container_name: ${TRAEFIK_CONTAINER_NAME}
+    container_name: ${TRAEFIK_CONTAINER_NAME:-traefik}
-    image: ${TRAEFIK_IMAGE}:${TRAEFIK_TAG}
+    image: ${TRAEFIK_IMAGE:-traefik}:${TRAEFIK_TAG:-latest}
-    restart: ${TRAEFIK_RESTART_POLICY}
+    restart: ${TRAEFIK_RESTART_POLICY:-always}
    security_opt:
      - no-new-privileges:true
    user: ${UID:-1000}:${GID:-1000}
    networks:
      proxy:
      socket_proxy:
    ports:
-      - 80:80
+      - target: 80
-      - 443:443
+        published: 80
-      - 465:465
+        protocol: tcp
-      - 587:587
+        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      #- target: 465
      #  published: 465
      #  protocol: tcp
      #  mode: host
      #- target: 587
      #  published: 587
      #  protocol: tcp
      #  mode: host
      #- 465:465
      #- 587:587
    #env_file:
    #- path: ./traefik.env
    #  required: true # default
    #- path: ./override.env
    #  required: false
    environment:
-      - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
+      #- CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
-      - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
+      #- CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
      - CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_api_token
      - HTPASSWD_FILE=/run/secrets/basic_auth_credentials # HTTP Basic Auth Credentials
      - DOMAINNAME0 # Passing the domain name to traefik container to be able to use the variable in rules. 
      - DOMAINNAME1
      - DOMAINNAME2
      - DOMAINNAME3
      - CF_API_EMAIL
    command: # CLI arguments
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=false #true
-      - --entryPoints.http.address=:80
+      - --entrypoints.web.address=:80
-      - --entrypoints.http.http.redirections.entryPoint.to=https
+      - --entrypoints.websecure.address=:443
-      - --entrypoints.http.http.middlewares=middlewares-crowdsec-bouncer@file
+      - --entrypoints.traefik.address=:8080
-      - --entryPoints.https.address=:443
+      - --entrypoints.web.http.redirections.entrypoint.to=websecure
-      - --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
+      - --entrypoints.web.http.redirections.entrypoint.scheme=https
-      - --entrypoints.mailsecure.address=:465
+      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      - --entrypoints.maildefault.address=:587
 #      - --entryPoints.traefik.address=:8080
 #      - --entryPoints.ping.address=:8081
      - --api=true
 #      - --api.insecure=true)
      - --api.dashboard=true
-#      - --ping=true)
+      # - --serversTransport.insecureSkipVerify=true
-#      - --pilot.token=$TRAEFIK_PILOT_TOKEN)
+      # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
-      - --serversTransport.insecureSkipVerify=true
+      - --entrypoints.websecure.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
      - --log=true
      - --log.filePath=/logs/traefik.log
      - --log.level=INFO # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --log.filePath= /var/log/traefik/traefik.log
      - --accessLog=true
-      - --accessLog.filePath=/var/log/traefik/access.log
+      - --accessLog.filePath=/logs/access.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
-      - --accessLog.filters.statusCodes=400-499
+      - --accessLog.filters.statusCodes=204-299,400-499,500-599
      - --providers.docker=true
      - --providers.docker.endpoint=${DOCKER_ENDPOINT} # Use Docker Socket Proxy instead for improved security
      # Automatically set Host rule for services
 #      - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME0`)
      - --providers.docker.exposedByDefault=false
 #      - --providers.redis=true
 #      - --providers.redis.endpoints=redis:6379
      - --entrypoints.https.http.middlewares=middlewares-crowdsec-bouncer@file
      - --entrypoints.https.http.tls.options=tls-opts@file
      # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
      - --entrypoints.https.http.tls.certresolver=${CERTRESOLVER}
      - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME0
      - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME0
      - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME1 # Pulls main cert for second domain
      - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME1 # Pulls wildcard cert for second domain
      - --entrypoints.https.http.tls.domains[2].main=$DOMAINNAME2
      - --entrypoints.https.http.tls.domains[2].sans=*.$DOMAINNAME2
      - --entrypoints.https.http.tls.domains[3].main=$DOMAINNAME3 # Pulls main cert for second domain
      - --entrypoints.https.http.tls.domains[3].sans=*.$DOMAINNAME3 # Pulls wildcard cert for second domain
      - --providers.docker.network=proxy
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.websecure.http.tls.options=tls-opts@file
      # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
      - --entrypoints.websecure.http.tls.certresolver=${CERTRESOLVER}
      - --entrypoints.websecure.http.tls.domains[0].main=$DOMAINNAME0
      - --entrypoints.websecure.http.tls.domains[0].sans=*.$DOMAINNAME0
      - --entrypoints.websecure.http.tls.domains[1].main=$DOMAINNAME1
      - --entrypoints.websecure.http.tls.domains[1].sans=*.$DOMAINNAME1
      - --entrypoints.websecure.http.tls.domains[2].main=$DOMAINNAME2
      - --entrypoints.websecure.http.tls.domains[2].sans=*.$DOMAINNAME2
      - --entrypoints.websecure.http.tls.domains[3].main=$DOMAINNAME3
      - --entrypoints.websecure.http.tls.domains[3].sans=*.$DOMAINNAME3
      - --providers.file.directory=/config # Load dynamic configuration from one or more .toml or .yml files in a directory
      - --providers.file.watch=true # Only works on top level files in the rules folder
 #      - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
      - --certificatesResolvers.$CERTRESOLVER.acme.email=${CF_API_EMAIL}
      - --certificatesResolvers.$CERTRESOLVER.acme.storage=/acme.json
      - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.provider=${DNS_PROVIDER}
-      - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.resolvers=${RESOLVER0} #,$RESOLVER1
+      - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.resolvers=${RESOLVER0},${RESOLVER1}
      - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
 #      - --certificatesResolvers.$CERTRESOLVER.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
 #      - --entrypoints.http.http.middlewares=middlewares-crowdsec-bouncer@file
 #      - --entrypoints.mailsecure.address=:465
 #      - --entrypoints.maildefault.address=:587
 #      - --entrypoints.https.http.middlewares=middlewares-crowdsec-bouncer@file      
 #      - --entryPoints.ping.address=:8081
 #      - --api.insecure=true)
 #      - --ping=true)
 #      - --providers.redis=true
 #      - --providers.redis.endpoints=redis:6379
 #      - --entrypoints.https.http.middlewares=middlewares-crowdsec-bouncer@file      
 #    healthcheck:
 #      test: ["CMD", "traefik", "healthcheck", "--ping"]
 #      interval: 5s
@@ -100,18 +126,19 @@ services:
      - ${DOCKERDIR}/traefik/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
      - ${DOCKERDIR}/traefik/logs:/var/log/traefik # for crowdsec - make sure to touch file before starting container
    secrets:
-      - cloudflare_email
+      #- cloudflare_email
-      - cloudflare_api_key
+      #- cloudflare_api_key
      - cloudflare_api_token
      - basic_auth_credentials
    labels:
      traefik.enable: true
-      traefik.http.routers.traefik.entrypoints: http
+      traefik.http.routers.traefik.entrypoints: web
      traefik.http.routers.traefik.rule: Host(`${PROXYNAME}.${DOMAINNAME1}`)
      traefik.http.middlewares.traefik-auth.basicauth.users: ${BASICAUTHUSER}
      traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme: https
      traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto: https
      traefik.http.routers.traefik.middlewares: traefik-https-redirect
-      traefik.http.routers.traefik-secure.entrypoints: https
+      traefik.http.routers.traefik-secure.entrypoints: websecure
      traefik.http.routers.traefik-secure.rule: Host(`${PROXYNAME}.${DOMAINNAME1}`)
      traefik.http.routers.traefik-secure.middlewares: chain-no-auth@file
 #      traefik.http.routers.traefik-secure.middlewares: traefik-auth
--- a/docker/snibox/.env
+++ b/docker/snibox/.env
@@ -0,0 +1,20 @@
 # Secrets
 SECRET_KEY_BASE=580b4894107e15810dd7100132ad18905d3b218bea2812a6c35662e783443c912f8454c479afcf5aaf4fdac0fa0c52308ef062a440f5360cf9161f2b1d9e0834
 # SSL
 FORCE_SSL=false
 # Database
 DB_NAME=snibox
 DB_USER=snibox
 DB_PASS=snibox
 DB_HOST=10.0.6.178
 DB_PORT=5432
 # Mailgun. Required by 'Reset password feature'. Feel free to start without this setup.
 MAILGUN_SMTP_PORT=587
 MAILGUN_SMTP_SERVER=smtp.eu.mailgun.org
 MAILGUN_SMTP_LOGIN=sender@mail.gurulandia.eu
 MAILGUN_SMTP_PASSWORD=fd2481f27f76e35110ddf9b7b04ad09f-667818f5-87cb2de
 MAILGUN_API_KEY=0bbddf40b4f522902c3566ac64d6843f-667818f5-f7e29b98
 MAILGUN_DOMAIN=mail.gurulandia.eu
 MAILGUN_PUBLIC_KEY=pubkey-1d7092746ca1272cb49c7c16615663d1
--- a/docker/snibox/compose.yaml
+++ b/docker/snibox/compose.yaml
@@ -0,0 +1,41 @@
 services:
  frontend:
    image: snibox/nginx-puma:1.15.9
    ports:
      - "8000:80"
    volumes:
      - static-files:/var/www/html
    depends_on:
      - backend
  backend:
    image: snibox/snibox:latest
    command: sh -c "rm -rf tmp/pids && ./bin/rails s -p 3000 -b '0.0.0.0'"
    environment:
      DB_NAME: "${DB_NAME}"
      DB_USER: "${DB_USER}"
      DB_PASS: "${DB_PASS}"
      DB_HOST: "${DB_HOST}"
      DB_PORT: "${DB_PORT}"
      FORCE_SSL: "${FORCE_SSL}"
      MAILGUN_SMTP_PORT: "${MAILGUN_SMTP_PORT}"
      MAILGUN_SMTP_SERVER: "${MAILGUN_SMTP_SERVER}"
      MAILGUN_SMTP_LOGIN: "${MAILGUN_SMTP_LOGIN}"
      MAILGUN_SMTP_PASSWORD: "${MAILGUN_SMTP_PASSWORD}"
      MAILGUN_API_KEY: "${MAILGUN_API_KEY}"
      MAILGUN_DOMAIN: "${MAILGUN_DOMAIN}"
      MAILGUN_PUBLIC_KEY: "${MAILGUN_PUBLIC_KEY}"
      SECRET_KEY_BASE: "${SECRET_KEY_BASE}"
    volumes:
      - static-files:/app/public
 #    depends_on:
 #      - database
 # database:
 #   image: postgres:10.7-alpine
 #   volumes:
 #     - pg-data:/var/lib/postgresql/data
 volumes:
 # pg-data:
  static-files:
--- a/docker/snibox/setup
+++ b/docker/snibox/setup
@@ -0,0 +1,56 @@
 #!/bin/bash
 set -e
 GREEN='\033[0;32m'
 RED='\033[0;31m'
 YELLOW='\033[0;33m'
 NC='\033[0m'
 DEFAULT_SECRET='paste_your_key'
 function report_status() {
  if [ $? -eq 0 ]
  then
    echo -e "${GREEN}Done${NC}"
  else
    echo -e "${RED}Unable to complete task${NC}"
    exit 1
  fi
 }
 echo -e "Copy .env.sample to .env:"
 if [ ! -f .env ]
 then
  cp .env.sample .env
  report_status
 else
  echo -e "${GREEN}File .env already exists${NC}"
 fi
 echo -e "\nPull images:"
 docker compose pull
 report_status
 echo -e "\nInject secret key:"
 if grep -Rq "$DEFAULT_SECRET" .env
 then
  secret=$(docker compose run --rm --no-deps backend ./bin/rake secret)
  echo "$secret"
  # based on https://stackoverflow.com/a/22084103
  sed -i.bak "s/$DEFAULT_SECRET/$secret/" .env
  rm .env.bak
  report_status
 else
  echo -e "${GREEN}Personal secret key exists${NC}"
 fi
 echo -e "\nCreate database:"
 docker compose run --rm backend ./bin/rake db:create
 report_status
 echo -e "\nRun migrations:"
 docker compose run --rm backend ./bin/rake db:migrate
 report_status
 echo -e "\n${GREEN}Setup completed!${NC}"
--- a/docker/technitum-dns/compose.yaml
+++ b/docker/technitum-dns/compose.yaml
@@ -0,0 +1,60 @@
 secrets:
  technitium_admin_password:
    file: ${SECRETSDIR}/technitum-dns/admin_password
 services:
  dns-server:
    container_name: ${TECHNITUM_DNS_CONTAINER_NAME}
    image: ${TECHNITUM_DNS_IMAGE}:${TECHNITUM_DNS_TAG}
    restart: ${TECHNITUM_DNS_RESTART_POLICY}
    security_opt:
      - no-new-privileges:true
    networks:
      - dns
    # For DHCP deployments, use "host" network mode and remove all the port mappings, including the ports array by commenting them
    # network_mode: "host"
    ports:
      - "5380:5380/tcp" #DNS web console (HTTP)
      # - "53443:53443/tcp" #DNS web console (HTTPS)
      - "53:53/udp" #DNS service
      - "53:53/tcp" #DNS service
      # - "853:853/udp" #DNS-over-QUIC service
      # - "853:853/tcp" #DNS-over-TLS service
      # - "443:443/udp" #DNS-over-HTTPS service (HTTP/3)
      # - "443:443/tcp" #DNS-over-HTTPS service (HTTP/1.1, HTTP/2)
      # - "80:80/tcp" #DNS-over-HTTP service (use with reverse proxy or certbot certificate renewal)
      # - "8053:8053/tcp" #DNS-over-HTTP service (use with reverse proxy)
      # - "67:67/udp" #DHCP service
    environment:
      - DNS_SERVER_DOMAIN
      # - DNS_SERVER_ADMIN_PASSWORD=password #DNS web console admin user password.
      # - DNS_SERVER_ADMIN_PASSWORD_FILE=password.txt #The path to a file that contains a plain text password for the DNS web console admin user.
      - DNS_SERVER_ADMIN_PASSWORD_FILE
      # - DNS_SERVER_PREFER_IPV6=false #DNS Server will use IPv6 for querying whenever possible with this option enabled.
      # - DNS_SERVER_WEB_SERVICE_LOCAL_ADDRESSES=172.17.0.1,127.0.0.1 #Comma separated list of network interface IP addresses that you want the web service to listen on for requests. The "172.17.0.1" address is the built-in Docker bridge. The "[::]" is the default value if not specified. Note! This must be used only with "host" network mode.
      # - DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380 #The TCP port number for the DNS web console over HTTP protocol.
      # - DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443 #The TCP port number for the DNS web console over HTTPS protocol.
      # - DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false #Enables HTTPS for the DNS web console.
      # - DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false #Enables self signed TLS certificate for the DNS web console.
      # - DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false #Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx.
      # - DNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks #Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworkACL.
      # - DNS_SERVER_RECURSION_NETWORK_ACL=192.168.10.0/24, !192.168.10.2 #Comma separated list of IP addresses or network addresses to allow access. Add ! character at the start to deny access, e.g. !192.168.10.0/24 will deny entire subnet. The ACL is processed in the same order its listed. If no networks match, the default policy is to deny all except loopback. Valid only for `UseSpecifiedNetworkACL` recursion option.
      # - DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24 #Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworkACL` recursion option. This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead.
      # - DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24 #Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworkACL` recursion option.  This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead.
      # - DNS_SERVER_ENABLE_BLOCKING=false #Sets the DNS server to block domain names using Blocked Zone and Block List Zone.
      # - DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false #Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests.
      # - DNS_SERVER_BLOCK_LIST_URLS= #A comma separated list of block list URLs.
      # - DNS_SERVER_FORWARDERS=1.1.1.1, 8.8.8.8 #Comma separated list of forwarder addresses.
      # - DNS_SERVER_FORWARDER_PROTOCOL=Tcp #Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson.
      - DNS_SERVER_LOG_USING_LOCAL_TIME
    volumes:
      - config:/etc/dns
    sysctls:
      - net.ipv4.ip_local_port_range=1024 65000
    secrets:
      - technitium_admin_password
 volumes:
    config:
 networks:
  dns:
    name: dns
--- a/docker/vaultwarden/.env.template
+++ b/docker/vaultwarden/.env.template
@@ -0,0 +1,581 @@
 # shellcheck disable=SC2034,SC2148
 ## Vaultwarden Configuration File
 ## Uncomment any of the following lines to change the defaults
 ##
 ## Be aware that most of these settings will be overridden if they were changed
 ## in the admin interface. Those overrides are stored within DATA_FOLDER/config.json .
 ##
 ## By default, Vaultwarden expects for this file to be named ".env" and located
 ## in the current working directory. If this is not the case, the environment
 ## variable ENV_FILE can be set to the location of this file prior to starting
 ## Vaultwarden.
 ####################
 ### Data folders ###
 ####################
 ## Main data folder
 # DATA_FOLDER=data
 ## Individual folders, these override %DATA_FOLDER%
 # RSA_KEY_FILENAME=data/rsa_key
 # ICON_CACHE_FOLDER=data/icon_cache
 # ATTACHMENTS_FOLDER=data/attachments
 # SENDS_FOLDER=data/sends
 # TMP_FOLDER=data/tmp
 ## Templates data folder, by default uses embedded templates
 ## Check source code to see the format
 # TEMPLATES_FOLDER=data/templates
 ## Automatically reload the templates for every request, slow, use only for development
 # RELOAD_TEMPLATES=false
 ## Web vault settings
 # WEB_VAULT_FOLDER=web-vault/
 # WEB_VAULT_ENABLED=true
 #########################
 ### Database settings ###
 #########################
 ## Database URL
 ## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3
 # DATABASE_URL=data/db.sqlite3
 ## When using MySQL, specify an appropriate connection URI.
 ## Details: https://docs.diesel.rs/2.1.x/diesel/mysql/struct.MysqlConnection.html
 # DATABASE_URL=mysql://user:password@host[:port]/database_name
 ## When using PostgreSQL, specify an appropriate connection URI (recommended)
 ## or keyword/value connection string.
 ## Details:
 ## - https://docs.diesel.rs/2.1.x/diesel/pg/struct.PgConnection.html
 ## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
 # DATABASE_URL=postgresql://user:password@host[:port]/database_name
 ## Enable WAL for the DB
 ## Set to false to avoid enabling WAL during startup.
 ## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB,
 ## this setting only prevents Vaultwarden from automatically enabling it on start.
 ## Please read project wiki page about this setting first before changing the value as it can
 ## cause performance degradation or might render the service unable to start.
 # ENABLE_DB_WAL=true
 ## Database connection retries
 ## Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely
 # DB_CONNECTION_RETRIES=15
 ## Database timeout
 ## Timeout when acquiring database connection
 # DATABASE_TIMEOUT=30
 ## Database max connections
 ## Define the size of the connection pool used for connecting to the database.
 # DATABASE_MAX_CONNS=10
 ## Database connection initialization
 ## Allows SQL statements to be run whenever a new database connection is created.
 ## This is mainly useful for connection-scoped pragmas.
 ## If empty, a database-specific default is used:
 ## - SQLite: "PRAGMA busy_timeout = 5000; PRAGMA synchronous = NORMAL;"
 ## - MySQL: ""
 ## - PostgreSQL: ""
 # DATABASE_CONN_INIT=""
 #################
 ### WebSocket ###
 #################
 ## Enable websocket notifications
 # ENABLE_WEBSOCKET=true
 ##########################
 ### Push notifications ###
 ##########################
 ## Enables push notifications (requires key and id from https://bitwarden.com/host)
 ## Details about mobile client push notification:
 ## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification
 # PUSH_ENABLED=false
 # PUSH_INSTALLATION_ID=CHANGEME
 # PUSH_INSTALLATION_KEY=CHANGEME
 # WARNING: Do not modify the following settings unless you fully understand their implications!
 # Default Push Relay and Identity URIs
 # PUSH_RELAY_URI=https://push.bitwarden.com
 # PUSH_IDENTITY_URI=https://identity.bitwarden.com
 # European Union Data Region Settings
 # If you have selected "European Union" as your data region, use the following URIs instead.
 # PUSH_RELAY_URI=https://api.bitwarden.eu
 # PUSH_IDENTITY_URI=https://identity.bitwarden.eu
 #####################
 ### Schedule jobs ###
 #####################
 ## Job scheduler settings
 ##
 ## Job schedules use a cron-like syntax (as parsed by https://crates.io/crates/cron),
 ## and are always in terms of UTC time (regardless of your local time zone settings).
 ##
 ## The schedule format is a bit different from crontab as crontab does not contains seconds.
 ## You can test the the format here: https://crontab.guru, but remove the first digit!
 ## SEC  MIN   HOUR   DAY OF MONTH    MONTH   DAY OF WEEK
 ## "0   30   9,12,15     1,15       May-Aug  Mon,Wed,Fri"
 ## "0   30     *          *            *          *     "
 ## "0   30     1          *            *          *     "
 ##
 ## How often (in ms) the job scheduler thread checks for jobs that need running.
 ## Set to 0 to globally disable scheduled jobs.
 # JOB_POLL_INTERVAL_MS=30000
 ##
 ## Cron schedule of the job that checks for Sends past their deletion date.
 ## Defaults to hourly (5 minutes after the hour). Set blank to disable this job.
 # SEND_PURGE_SCHEDULE="0 5 * * * *"
 ##
 ## Cron schedule of the job that checks for trashed items to delete permanently.
 ## Defaults to daily (5 minutes after midnight). Set blank to disable this job.
 # TRASH_PURGE_SCHEDULE="0 5 0 * * *"
 ##
 ## Cron schedule of the job that checks for incomplete 2FA logins.
 ## Defaults to once every minute. Set blank to disable this job.
 # INCOMPLETE_2FA_SCHEDULE="30 * * * * *"
 ##
 ## Cron schedule of the job that sends expiration reminders to emergency access grantors.
 ## Defaults to hourly (3 minutes after the hour). Set blank to disable this job.
 # EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE="0 3 * * * *"
 ##
 ## Cron schedule of the job that grants emergency access requests that have met the required wait time.
 ## Defaults to hourly (7 minutes after the hour). Set blank to disable this job.
 # EMERGENCY_REQUEST_TIMEOUT_SCHEDULE="0 7 * * * *"
 ##
 ## Cron schedule of the job that cleans old events from the event table.
 ## Defaults to daily. Set blank to disable this job. Also without EVENTS_DAYS_RETAIN set, this job will not start.
 # EVENT_CLEANUP_SCHEDULE="0 10 0 * * *"
 ## Number of days to retain events stored in the database.
 ## If unset (the default), events are kept indefinitely and the scheduled job is disabled!
 # EVENTS_DAYS_RETAIN=
 ##
 ## Cron schedule of the job that cleans old auth requests from the auth request.
 ## Defaults to every minute. Set blank to disable this job.
 # AUTH_REQUEST_PURGE_SCHEDULE="30 * * * * *"
 ##
 ## Cron schedule of the job that cleans expired Duo contexts from the database. Does nothing if Duo MFA is disabled or set to use the legacy iframe prompt.
 ## Defaults to every minute. Set blank to disable this job.
 # DUO_CONTEXT_PURGE_SCHEDULE="30 * * * * *"
 ########################
 ### General settings ###
 ########################
 ## Domain settings
 ## The domain must match the address from where you access the server
 ## It's recommended to configure this value, otherwise certain functionality might not work,
 ## like attachment downloads, email links and U2F.
 ## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
 ## To use HTTPS, the recommended way is to put Vaultwarden behind a reverse proxy
 ## Details:
 ## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS
 ## - https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
 ## For development
 # DOMAIN=http://localhost
 ## For public server
 # DOMAIN=https://vw.domain.tld
 ## For public server (URL with port number)
 # DOMAIN=https://vw.domain.tld:8443
 ## For public server (URL with path)
 # DOMAIN=https://domain.tld/vw
 ## Controls whether users are allowed to create Bitwarden Sends.
 ## This setting applies globally to all users.
 ## To control this on a per-org basis instead, use the "Disable Send" org policy.
 # SENDS_ALLOWED=true
 ## HIBP Api Key
 ## HaveIBeenPwned API Key, request it here: https://haveibeenpwned.com/API/Key
 # HIBP_API_KEY=
 ## Per-organization attachment storage limit (KB)
 ## Max kilobytes of attachment storage allowed per organization.
 ## When this limit is reached, organization members will not be allowed to upload further attachments for ciphers owned by that organization.
 # ORG_ATTACHMENT_LIMIT=
 ## Per-user attachment storage limit (KB)
 ## Max kilobytes of attachment storage allowed per user.
 ## When this limit is reached, the user will not be allowed to upload further attachments.
 # USER_ATTACHMENT_LIMIT=
 ## Per-user send storage limit (KB)
 ## Max kilobytes of send storage allowed per user.
 ## When this limit is reached, the user will not be allowed to upload further sends.
 # USER_SEND_LIMIT=
 ## Number of days to wait before auto-deleting a trashed item.
 ## If unset (the default), trashed items are not auto-deleted.
 ## This setting applies globally, so make sure to inform all users of any changes to this setting.
 # TRASH_AUTO_DELETE_DAYS=
 ## Number of minutes to wait before a 2FA-enabled login is considered incomplete,
 ## resulting in an email notification. An incomplete 2FA login is one where the correct
 ## master password was provided but the required 2FA step was not completed, which
 ## potentially indicates a master password compromise. Set to 0 to disable this check.
 ## This setting applies globally to all users.
 # INCOMPLETE_2FA_TIME_LIMIT=3
 ## Disable icon downloading
 ## Set to true to disable icon downloading in the internal icon service.
 ## This still serves existing icons from $ICON_CACHE_FOLDER, without generating any external
 ## network requests. $ICON_CACHE_TTL must also be set to 0; otherwise, the existing icons
 ## will be deleted eventually, but won't be downloaded again.
 # DISABLE_ICON_DOWNLOAD=false
 ## Controls if new users can register
 # SIGNUPS_ALLOWED=true
 ## Controls if new users need to verify their email address upon registration
 ## Note that setting this option to true prevents logins until the email address has been verified!
 ## The welcome email will include a verification link, and login attempts will periodically
 ## trigger another verification email to be sent.
 # SIGNUPS_VERIFY=false
 ## If SIGNUPS_VERIFY is set to true, this limits how many seconds after the last time
 ## an email verification link has been sent another verification email will be sent
 # SIGNUPS_VERIFY_RESEND_TIME=3600
 ## If SIGNUPS_VERIFY is set to true, this limits how many times an email verification
 ## email will be re-sent upon an attempted login.
 # SIGNUPS_VERIFY_RESEND_LIMIT=6
 ## Controls if new users from a list of comma-separated domains can register
 ## even if SIGNUPS_ALLOWED is set to false
 # SIGNUPS_DOMAINS_WHITELIST=example.com,example.net,example.org
 ## Controls whether event logging is enabled for organizations
 ## This setting applies to organizations.
 ## Disabled by default. Also check the EVENT_CLEANUP_SCHEDULE and EVENTS_DAYS_RETAIN settings.
 # ORG_EVENTS_ENABLED=false
 ## Controls which users can create new orgs.
 ## Blank or 'all' means all users can create orgs (this is the default):
 # ORG_CREATION_USERS=
 ## 'none' means no users can create orgs:
 # ORG_CREATION_USERS=none
 ## A comma-separated list means only those users can create orgs:
 # ORG_CREATION_USERS=admin1@example.com,admin2@example.com
 ## Invitations org admins to invite users, even when signups are disabled
 # INVITATIONS_ALLOWED=true
 ## Name shown in the invitation emails that don't come from a specific organization
 # INVITATION_ORG_NAME=Vaultwarden
 ## The number of hours after which an organization invite token, emergency access invite token,
 ## email verification token and deletion request token will expire (must be at least 1)
 # INVITATION_EXPIRATION_HOURS=120
 ## Controls whether users can enable emergency access to their accounts.
 ## This setting applies globally to all users.
 # EMERGENCY_ACCESS_ALLOWED=true
 ## Controls whether users can change their email.
 ## This setting applies globally to all users
 # EMAIL_CHANGE_ALLOWED=true
 ## Number of server-side passwords hashing iterations for the password hash.
 ## The default for new users. If changed, it will be updated during login for existing users.
 # PASSWORD_ITERATIONS=600000
 ## Controls whether users can set or show password hints. This setting applies globally to all users.
 # PASSWORD_HINTS_ALLOWED=true
 ## Controls whether a password hint should be shown directly in the web page if
 ## SMTP service is not configured and password hints are allowed.
 ## Not recommended for publicly-accessible instances because this provides
 ## unauthenticated access to potentially sensitive data.
 # SHOW_PASSWORD_HINT=false
 #########################
 ### Advanced settings ###
 #########################
 ## Client IP Header, used to identify the IP of the client, defaults to "X-Real-IP"
 ## Set to the string "none" (without quotes), to disable any headers and just use the remote IP
 # IP_HEADER=X-Real-IP
 ## Icon service
 ## The predefined icon services are: internal, bitwarden, duckduckgo, google.
 ## To specify a custom icon service, set a URL template with exactly one instance of `{}`,
 ## which is replaced with the domain. For example: `https://icon.example.com/domain/{}`.
 ##
 ## `internal` refers to Vaultwarden's built-in icon fetching implementation.
 ## If an external service is set, an icon request to Vaultwarden will return an HTTP
 ## redirect to the corresponding icon at the external service. An external service may
 ## be useful if your Vaultwarden instance has no external network connectivity, or if
 ## you are concerned that someone may probe your instance to try to detect whether icons
 ## for certain sites have been cached.
 # ICON_SERVICE=internal
 ## Icon redirect code
 ## The HTTP status code to use for redirects to an external icon service.
 ## The supported codes are 301 (legacy permanent), 302 (legacy temporary), 307 (temporary), and 308 (permanent).
 ## Temporary redirects are useful while testing different icon services, but once a service
 ## has been decided on, consider using permanent redirects for cacheability. The legacy codes
 ## are currently better supported by the Bitwarden clients.
 # ICON_REDIRECT_CODE=302
 ## Cache time-to-live for successfully obtained icons, in seconds (0 is "forever")
 ## Default: 2592000 (30 days)
 # ICON_CACHE_TTL=2592000
 ## Cache time-to-live for icons which weren't available, in seconds (0 is "forever")
 ## Default: 2592000 (3 days)
 # ICON_CACHE_NEGTTL=259200
 ## Icon download timeout
 ## Configure the timeout value when downloading the favicons.
 ## The default is 10 seconds, but this could be to low on slower network connections
 # ICON_DOWNLOAD_TIMEOUT=10
 ## Block HTTP domains/IPs by Regex
 ## Any domains or IPs that match this regex won't be fetched by the internal HTTP client.
 ## Useful to hide other servers in the local network. Check the WIKI for more details
 ## NOTE: Always enclose this regex withing single quotes!
 # HTTP_REQUEST_BLOCK_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$'
 ## Enabling this will cause the internal HTTP client to refuse to connect to any non global IP address.
 ## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block
 # HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS=true
 ## Client Settings
 ## Enable experimental feature flags for clients.
 ## This is a comma-separated list of flags, e.g. "flag1,flag2,flag3".
 ##
 ## The following flags are available:
 ## - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials.
 ## - "autofill-v2": Use the new autofill implementation.
 ## - "browser-fileless-import": Directly import credentials from other providers without a file.
 ## - "extension-refresh": Temporarily enable the new extension design until general availability (should be used with the beta Chrome extension)
 ## - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
 ## - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension.
 ## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0)
 ## - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0)
 # EXPERIMENTAL_CLIENT_FEATURE_FLAGS=fido2-vault-credentials
 ## Require new device emails. When a user logs in an email is required to be sent.
 ## If sending the email fails the login attempt will fail!!
 # REQUIRE_DEVICE_EMAIL=false
 ## Enable extended logging, which shows timestamps and targets in the logs
 # EXTENDED_LOGGING=true
 ## Timestamp format used in extended logging.
 ## Format specifiers: https://docs.rs/chrono/latest/chrono/format/strftime
 # LOG_TIMESTAMP_FORMAT="%Y-%m-%d %H:%M:%S.%3f"
 ## Logging to Syslog
 ## This requires extended logging
 # USE_SYSLOG=false
 ## Logging to file
 # LOG_FILE=/path/to/log
 ## Log level
 ## Change the verbosity of the log output
 ## Valid values are "trace", "debug", "info", "warn", "error" and "off"
 ## Setting it to "trace" or "debug" would also show logs for mounted routes and static file, websocket and alive requests
 ## For a specific module append a comma separated `path::to::module=log_level`
 ## For example, to only see debug logs for icons use: LOG_LEVEL="info,vaultwarden::api::icons=debug"
 # LOG_LEVEL=info
 ## Token for the admin interface, preferably an Argon2 PCH string
 ## Vaultwarden has a built-in generator by calling `vaultwarden hash`
 ## For details see: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token
 ## If not set, the admin panel is disabled
 ## New Argon2 PHC string
 ## Note that for some environments, like docker-compose you need to escape all the dollar signs `$` with an extra dollar sign like `$$`
 ## Also, use single quotes (') instead of double quotes (") to enclose the string when needed
 # ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$MmeKRnGK5RW5mJS7h3TOL89GrpLPXJPAtTK8FTqj9HM$DqsstvoSAETl9YhnsXbf43WeaUwJC6JhViIvuPoig78'
 ## Old plain text string (Will generate warnings in favor of Argon2)
 # ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
 ## Enable this to bypass the admin panel security. This option is only
 ## meant to be used with the use of a separate auth layer in front
 # DISABLE_ADMIN_TOKEN=false
 ## Number of seconds, on average, between admin login requests from the same IP address before rate limiting kicks in.
 # ADMIN_RATELIMIT_SECONDS=300
 ## Allow a burst of requests of up to this size, while maintaining the average indicated by `ADMIN_RATELIMIT_SECONDS`.
 # ADMIN_RATELIMIT_MAX_BURST=3
 ## Set the lifetime of admin sessions to this value (in minutes).
 # ADMIN_SESSION_LIFETIME=20
 ## Allowed iframe ancestors (Know the risks!)
 ## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
 ## Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets
 ## This adds the configured value to the 'Content-Security-Policy' headers 'frame-ancestors' value.
 ## Multiple values must be separated with a whitespace.
 # ALLOWED_IFRAME_ANCESTORS=
 ## Allowed connect-src (Know the risks!)
 ## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
 ## Allows other domains to URLs which can be loaded using script interfaces like the Forwarded email alias feature
 ## This adds the configured value to the 'Content-Security-Policy' headers 'connect-src' value.
 ## Multiple values must be separated with a whitespace. And only HTTPS values are allowed.
 ## Example: "https://my-addy-io.domain.tld https://my-simplelogin.domain.tld"
 # ALLOWED_CONNECT_SRC=""
 ## Number of seconds, on average, between login requests from the same IP address before rate limiting kicks in.
 # LOGIN_RATELIMIT_SECONDS=60
 ## Allow a burst of requests of up to this size, while maintaining the average indicated by `LOGIN_RATELIMIT_SECONDS`.
 ## Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2.
 # LOGIN_RATELIMIT_MAX_BURST=10
 ## BETA FEATURE: Groups
 ## Controls whether group support is enabled for organizations
 ## This setting applies to organizations.
 ## Disabled by default because this is a beta feature, it contains known issues!
 ## KNOW WHAT YOU ARE DOING!
 # ORG_GROUPS_ENABLED=false
 ## Increase secure note size limit (Know the risks!)
 ## Sets the secure note size limit to 100_000 instead of the default 10_000.
 ## WARNING: This could cause issues with clients. Also exports will not work on Bitwarden servers!
 ## KNOW WHAT YOU ARE DOING!
 # INCREASE_NOTE_SIZE_LIMIT=false
 ## Enforce Single Org with Reset Password Policy
 ## Enforce that the Single Org policy is enabled before setting the Reset Password policy
 ## Bitwarden enforces this by default. In Vaultwarden we encouraged to use multiple organizations because groups were not available.
 ## Setting this to true will enforce the Single Org Policy to be enabled before you can enable the Reset Password policy.
 # ENFORCE_SINGLE_ORG_WITH_RESET_PW_POLICY=false
 ########################
 ### MFA/2FA settings ###
 ########################
 ## Yubico (Yubikey) Settings
 ## Set your Client ID and Secret Key for Yubikey OTP
 ## You can generate it here: https://upgrade.yubico.com/getapikey/
 ## You can optionally specify a custom OTP server
 # YUBICO_CLIENT_ID=11111
 # YUBICO_SECRET_KEY=AAAAAAAAAAAAAAAAAAAAAAAA
 # YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify
 ## Duo Settings
 ## You need to configure the DUO_IKEY, DUO_SKEY, and DUO_HOST options to enable global Duo support.
 ## Otherwise users will need to configure it themselves.
 ## Create an account and protect an application as mentioned in this link (only the first step, not the rest):
 ## https://help.bitwarden.com/article/setup-two-step-login-duo/#create-a-duo-security-account
 ## Then set the following options, based on the values obtained from the last step:
 # DUO_IKEY=<Client ID>
 # DUO_SKEY=<Client Secret>
 # DUO_HOST=<API Hostname>
 ## After that, you should be able to follow the rest of the guide linked above,
 ## ignoring the fields that ask for the values that you already configured beforehand.
 ##
 ## If you want to attempt to use Duo's 'Traditional Prompt' (deprecated, iframe based) set DUO_USE_IFRAME to 'true'.
 ## Duo no longer supports this, but it still works for some integrations.
 ## If you aren't sure, leave this alone.
 # DUO_USE_IFRAME=false
 ## Email 2FA settings
 ## Email token size
 ## Number of digits in an email 2FA token (min: 6, max: 255).
 ## Note that the Bitwarden clients are hardcoded to mention 6 digit codes regardless of this setting!
 # EMAIL_TOKEN_SIZE=6
 ##
 ## Token expiration time
 ## Maximum time in seconds a token is valid. The time the user has to open email client and copy token.
 # EMAIL_EXPIRATION_TIME=600
 ##
 ## Maximum attempts before an email token is reset and a new email will need to be sent.
 # EMAIL_ATTEMPTS_LIMIT=3
 ##
 ## Setup email 2FA regardless of any organization policy
 # EMAIL_2FA_ENFORCE_ON_VERIFIED_INVITE=false
 ## Automatically setup email 2FA as fallback provider when needed
 # EMAIL_2FA_AUTO_FALLBACK=false
 ## Other MFA/2FA settings
 ## Disable 2FA remember
 ## Enabling this would force the users to use a second factor to login every time.
 ## Note that the checkbox would still be present, but ignored.
 # DISABLE_2FA_REMEMBER=false
 ##
 ## Authenticator Settings
 ## Disable authenticator time drifted codes to be valid.
 ## TOTP codes of the previous and next 30 seconds will be invalid
 ##
 ## According to the RFC6238 (https://tools.ietf.org/html/rfc6238),
 ## we allow by default the TOTP code which was valid one step back and one in the future.
 ## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes.
 ## You can disable this, so that only the current TOTP Code is allowed.
 ## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid.
 ## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid.
 # AUTHENTICATOR_DISABLE_TIME_DRIFT=false
 ###########################
 ### SMTP Email settings ###
 ###########################
 ## Mail specific settings, set SMTP_FROM and either SMTP_HOST or USE_SENDMAIL to enable the mail service.
 ## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
 ## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
 # SMTP_HOST=smtp.domain.tld
 # SMTP_FROM=vaultwarden@domain.tld
 # SMTP_FROM_NAME=Vaultwarden
 # SMTP_USERNAME=username
 # SMTP_PASSWORD=password
 # SMTP_TIMEOUT=15
 ## Choose the type of secure connection for SMTP. The default is "starttls".
 ## The available options are:
 ## - "starttls": The default port is 587.
 ## - "force_tls": The default port is 465.
 ## - "off": The default port is 25.
 ## Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 (submissions) is used for encrypted submission (Implicit TLS).
 # SMTP_SECURITY=starttls
 # SMTP_PORT=587
 # Whether to send mail via the `sendmail` command
 # USE_SENDMAIL=false
 # Which sendmail command to use. The one found in the $PATH is used if not specified.
 # SENDMAIL_COMMAND="/path/to/sendmail"
 ## Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections.
 ## Possible values: ["Plain", "Login", "Xoauth2"].
 ## Multiple options need to be separated by a comma ','.
 # SMTP_AUTH_MECHANISM=
 ## Server name sent during the SMTP HELO
 ## By default this value should be is on the machine's hostname,
 ## but might need to be changed in case it trips some anti-spam filters
 # HELO_NAME=
 ## Embed images as email attachments
 # SMTP_EMBED_IMAGES=true
 ## SMTP debugging
 ## When set to true this will output very detailed SMTP messages.
 ## WARNING: This could contain sensitive information like passwords and usernames! Only enable this during troubleshooting!
 # SMTP_DEBUG=false
 ## Accept Invalid Certificates
 ## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks!
 ## Only use this as a last resort if you are not able to use a valid certificate.
 ## If the Certificate is valid but the hostname doesn't match, please use SMTP_ACCEPT_INVALID_HOSTNAMES instead.
 # SMTP_ACCEPT_INVALID_CERTS=false
 ## Accept Invalid Hostnames
 ## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks!
 ## Only use this as a last resort if you are not able to use a valid certificate.
 # SMTP_ACCEPT_INVALID_HOSTNAMES=false
 #######################
 ### Rocket settings ###
 #######################
 ## Rocket specific settings
 ## See https://rocket.rs/v0.5/guide/configuration/ for more details.
 # ROCKET_ADDRESS=0.0.0.0
 ## The default port is 8000, unless running in a Docker container, in which case it is 80.
 # ROCKET_PORT=8000
 # ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
 # vim: syntax=ini
--- a/docker/vaultwarden/compose.yaml
+++ b/docker/vaultwarden/compose.yaml
@@ -0,0 +1,40 @@
 services:
  # Vaultwarden Password Manager
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    # profiles: ["core", "all"]
    networks:
      - proxy
    environment:
        # This is required to allow vaultwarden to verify the TLS certificate!
      - DOMAIN=https://${DOMAIN}
      - DATABASE_URL=${DATABASE_URL}
      - ADMIN_TOKEN=${ADMIN_TOKEN}
      - ICON_SERVICE=${ICON_SERVICE}
      - SMTP_HOST=${SMTP_HOST}
      - SMTP_SECURITY=${SMTP_SECURITY}
      - SMTP_PORT=${SMTP_PORT}
      - SMTP_FROM=vaultwarden@mail.gurulandia.eu
      - SMTP_USERNAME=${SMTP_USERNAME}
      - SMTP_PASSWORD=${SMTP_PASSWORD}
    volumes:
      - /gurulandia/data/vaultwarden/data:/data
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.vaultwarden-rtr.entrypoints=https"
      - "traefik.http.routers.vaultwarden-rtr.rule=Host(`${DOMAIN}`)"
      - "traefik.http.routers.vaultwarden-rtr.tls=true"
      ## Middlewares
      - "traefik.http.routers.vaultwarden-rtr.middlewares=chain-no-auth@file"
      ## HTTP Services
      - "traefik.http.routers.vaultwarden-rtr.service=vaultwarden-svc"
      - "traefik.http.services.vaultwarden-svc.loadbalancer.server.port=80"
 networks:
  proxy:
    name: proxy
    external: true
--- a/docker/whoami/compose.yaml
+++ b/docker/whoami/compose.yaml
@@ -0,0 +1,29 @@
 name: whoami # Project Name
 services:
  whoami:
    image: traefik/whoami:latest
    container_name: whoami
    restart: unless-stopped
    security_opt:
      - no-new-privileges=true
    #depends_on:
    #  - traefik
    networks:
      - proxy
    environment:
      - TZ=${TZ}
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.whoami-rtr.entrypoints=https"
      - "traefik.http.routers.whoami-rtr.rule=Host(`whoami.lab.gurulandia.eu`)"    
      ## Middlewares
 #             - "traefik.http.routers.authentik-rtr.middlewares=chain-authelia@file"
 #        - "traefik.http.routers.authentik-rtr.middlewares=chain-no-auth@file"
      - "traefik.http.routers.whoami-rtr.middlewares=chain-authentik@file"
      ## HTTP Services
      - "traefik.http.routers.whoami-rtr.service=whoami-svc"
      - "traefik.http.services.whoami-svc.loadbalancer.server.port=80"
 networks:
  proxy:
    external: true
--- a/komodo/smtp.toml
+++ b/komodo/smtp.toml
@@ -0,0 +1,24 @@
 [[variable]]
 name = "SMTP_HOST"
 value = "smtp.eu.mailgun.org"
 is_secret = false
 [[variable]]
 name = "SMTP_USERNAME"
 value = "sender@mail.gurulandia.eu"
 is_secret = false
 [[variable]]
 name = "SMTP_PASSWORD"
 value = "fd2481f27f76e35110ddf9b7b04ad09f-667818f5-87cb2de3"
 is_secret = true
 [[variable]]
 name = "SMTP_PORT"
 value = "587"
 is_secret = false
 [[variable]]
 name = "SMTP_SECURITY"
 value = "starttls"
 is_secret = false
--- a/setup/powershell_install.sh
+++ b/setup/powershell_install.sh
@@ -0,0 +1,24 @@
 ###################################
 # Prerequisites
 # Update the list of packages
 sudo apt-get update
 # Install pre-requisite packages.
 sudo apt-get install -y wget
 # Download the PowerShell package file
 wget https://github.com/PowerShell/PowerShell/releases/download/v7.5.0/powershell_7.5.0-1.deb_amd64.deb
 ###################################
 # Install the PowerShell package
 sudo dpkg -i powershell_7.5.0-1.deb_amd64.deb
 # Resolve missing dependencies and finish the install (if necessary)
 sudo apt-get install -f
 # Delete the downloaded package file
 rm powershell_7.5.0-1.deb_amd64.deb
 # Start PowerShell
 pwsh
Author	SHA1	Message	Date
Gurulandia	de98a0d48d	Talteen	2025-03-05 10:47:20 +02:00
Gurulandia	bdf14f68e9	Add Homarr	2025-03-05 10:29:42 +02:00
Gurulandia	6e9e27110d	Traefik config	2025-03-05 10:00:59 +02:00
Gurulandia	9d0dd4bdcf	add tag to ferretdb image	2025-03-05 09:37:36 +02:00
Gurulandia	861007b3a2	docker-compose,yml -> compose.yml	2025-03-05 09:37:09 +02:00
Gurulandia	89278bfecf	Modified	2025-03-05 09:36:40 +02:00
Gurulandia	352ddeb5fd	Modify	2025-03-04 21:00:45 +02:00
Gurulandia	030c5d2025	Initial commit	2025-03-04 20:59:29 +02:00
Gurulandia	09db1a8d08	Initial commit	2025-03-04 20:58:17 +02:00
Gurulandia	ef2e780434	Add Technitum DNS	2025-03-04 20:50:41 +02:00
Gurulandia	947ab4f86e	Fix rule	2025-02-16 10:28:06 +02:00
Gurulandia	9245d8eacd	Added parameters	2025-02-16 10:20:57 +02:00
Gurulandia	212a3a1620	Clean files	2025-02-16 10:18:25 +02:00
Gurulandia	a5612d74c3	Initial komodo commit	2025-02-16 09:44:34 +02:00
Gurulandia	71033032a4	Initial commit	2025-02-16 09:44:10 +02:00
Gurulandia	2dcef3a1f9	Komodo initial commit	2025-02-16 09:43:02 +02:00
Gurulandia	216371ea59	Initial commit	2025-02-09 20:47:02 +02:00
Gurulandia	d291fa594b	Correct env files name	2025-02-09 19:24:11 +02:00
Gurulandia	a05c48c672	change filename	2025-02-09 19:23:46 +02:00
Gurulandia	b2dde87abe	moved to own file	2025-02-09 19:21:49 +02:00
Gurulandia	394ce1cbd4	edited	2025-02-09 19:21:02 +02:00
Gurulandia	60d7915697	dcc.sh > deploy.sh	2025-02-09 19:19:48 +02:00
Gurulandia	7f527a0522	file renamed	2025-02-09 19:18:54 +02:00
		`@@ -1 +0,0 @@`
			`docker compose --env-file ../../env/.env.stack.joplin-srv --env-file ../../env/.env.common config`
		`@@ -1 +0,0 @@`
			`docker compose --env-file ../env/.env.stack.joplin-srv --env-file ../env/.env.common config`