This commit is contained in:
Hubert Cornet 2024-04-01 10:50:54 +02:00
parent 4626df312b
commit dd3a4ae500
40 changed files with 3665 additions and 0 deletions


@ -0,0 +1,38 @@
version: '3.2'
services:
agent:
image: portainer/agent:2.19.4
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /var/lib/docker/volumes:/var/lib/docker/volumes
networks:
- agent_network
deploy:
mode: global
placement:
constraints: [node.platform.os == linux]
portainer:
image: portainer/portainer-ce:2.19.4
command: -H tcp://tasks.agent:9001 --tlsskipverify
ports:
- "9443:9443"
- "9000:9000"
- "8000:8000"
volumes:
- type: bind
source: /mnt/Portainer
target: /data
networks:
- agent_network
deploy:
mode: replicated
replicas: 1
placement:
constraints: [node.role == manager]
networks:
agent_network:
driver: overlay
attachable: true
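Review bot: `--tlsskipverify` on the portainer `command:` line disables certificate verification on the connection to the agent at `tcp://tasks.agent:9001`, so the server cannot tell whether it is talking to the genuine agent service. The agent presumably serves a self-signed certificate, which is why the quickstart carries the flag, but nothing says so; a comment such as `# agent uses a self-signed cert; remove --tlsskipverify once a trusted cert is provisioned` stops the flag being copied into setups that do have one. `"9000:9000"` also publishes the plain-HTTP UI next to the HTTPS one on 9443 and can be dropped unless something still needs it.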

00_Install/swarm-3-nodes.sh Normal file

@ -0,0 +1,171 @@
#!/bin/bash
echo -e " \033[33;5m __ _ _ ___ \033[0m"
echo -e " \033[33;5m \ \(_)_ __ ___( )__ / _ \__ _ _ __ __ _ __ _ ___ \033[0m"
echo -e " \033[33;5m \ \ | '_ \` _ \/ __| / /_\/ _\` | '__/ _\` |/ _\` |/ _ \ \033[0m"
echo -e " \033[33;5m /\_/ / | | | | | \__ \ / /_\\ (_| | | | (_| | (_| | __/ \033[0m"
echo -e " \033[33;5m \___/|_|_| |_| |_|___/ \____/\__,_|_| \__,_|\__, |\___| \033[0m"
echo -e " \033[33;5m |___/ \033[0m"
echo -e " \033[36;5m ___ _ ___ \033[0m"
echo -e " \033[36;5m | \ ___ __| |_____ _ _ / __|_ __ ____ _ _ _ _ __ \033[0m"
echo -e " \033[36;5m | |) / _ \/ _| / / -_) '_| \__ \ V V / _\` | '_| ' \ \033[0m"
echo -e " \033[36;5m |___/\___/\__|_\_\___|_| |___/\_/\_/\__,_|_| |_|_|_| \033[0m"
echo -e " \033[36;5m \033[0m"
echo -e " \033[32;5m https://youtube.com/@jims-garage \033[0m"
echo -e " \033[32;5m \033[0m"
#############################################
# YOU SHOULD ONLY NEED TO EDIT THIS SECTION #
#############################################
# Set the IP addresses of the admin, managers, and workers nodes
admin=192.168.3.5
manager1=192.168.3.21
manager2=192.168.3.22
manager3=192.168.3.23
worker1=192.168.3.24
worker2=192.168.3.25
# Set the workers' hostnames (if using cloud-init in Proxmox it's the name of the VM)
workerHostname1=dockerSwarm-04
workerHostname2=dockerSwarm-05
# User of remote machines
user=ubuntu
# Interface used on remotes
interface=eth0
# Array of all manager nodes
allmanagers=($manager1 $manager2 $manager3)
# Array of manager nodes
managers=($manager2 $manager3)
# Array of worker nodes
workers=($worker1 $worker2)
# Array of all
all=($manager1 $worker1 $worker2)
#ssh certificate name variable
certName=id_rsa
#############################################
# DO NOT EDIT BELOW #
#############################################
# For testing purposes - in case time is wrong due to VM snapshots
sudo timedatectl set-ntp off
sudo timedatectl set-ntp on
# Move SSH certs to ~/.ssh and change permissions
cp /home/$user/{$certName,$certName.pub} /home/$user/.ssh
chmod 600 /home/$user/.ssh/$certName
chmod 644 /home/$user/.ssh/$certName.pub
# Create SSH Config file to ignore checking (don't use in production!)
echo "StrictHostKeyChecking no" > ~/.ssh/config
#add ssh keys for all nodes
for node in "${all[@]}"; do
ssh-copy-id $user@$node
done
# Copy SSH keys to MN1 to copy tokens back later
scp -i /home/$user/.ssh/$certName /home/$user/$certName $user@$manager1:~/.ssh
scp -i /home/$user/.ssh/$certName /home/$user/$certName.pub $user@$manager1:~/.ssh
# Install dependencies for each node (Docker, GlusterFS)
for newnode in "${all[@]}"; do
ssh $user@$newnode -i ~/.ssh/$certName sudo su <<EOF
iptables -F
iptables -P INPUT ACCEPT
# Add Docker's official GPG key:
apt-get update
NEEDRESTART_MODE=a apt install ca-certificates curl gnupg -y
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg
# Add the repository to Apt sources:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
NEEDRESTART_MODE=a apt install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y
NEEDRESTART_MODE=a apt install software-properties-common glusterfs-server -y
systemctl start glusterd
systemctl enable glusterd
mkdir -p /gluster/volume1
exit
EOF
echo -e " \033[32;5m$newnode - Docker & GlusterFS installed!\033[0m"
done
# Step 1: Create Swarm on first node
ssh -tt $user@$manager1 -i ~/.ssh/$certName sudo su <<EOF
docker swarm init --advertise-addr $manager1 --default-addr-pool 10.20.0.0/16 --default-addr-pool-mask-length 26
docker swarm join-token manager | sed -n 3p | grep -Po 'docker swarm join --token \\K[^\\s]*' > manager.txt
docker swarm join-token worker | sed -n 3p | grep -Po 'docker swarm join --token \\K[^\\s]*' > worker.txt
echo "StrictHostKeyChecking no" > ~/.ssh/config
ssh-copy-id -i /home/$user/.ssh/$certName $user@$admin
scp -i /home/$user/.ssh/$certName /home/$user/manager.txt $user@$admin:~/manager
scp -i /home/$user/.ssh/$certName /home/$user/worker.txt $user@$admin:~/worker
exit
EOF
echo -e " \033[32;5mManager1 Completed\033[0m"
# Step 2: Set variables
managerToken=`cat manager`
workerToken=`cat worker`
# Step 3: Connect additional worker
for newnode in "${workers[@]}"; do
ssh -tt $user@$newnode -i ~/.ssh/$certName sudo su <<EOF
docker swarm join \
--token $workerToken \
$manager1
exit
EOF
echo -e " \033[32;5m$newnode - Worker node joined successfully!\033[0m"
done
# Step 4: Create GlusterFS Cluster across all nodes (connect to Manager1) - we will also label our nodes to restrict deployment of services to workers only
ssh -tt $user@$manager1 -i ~/.ssh/$certName sudo su <<EOF
gluster peer probe $manager1; gluster peer probe $worker1; gluster peer probe $worker2;
gluster volume create staging-gfs replica 3 $manager1:/gluster/volume1 $worker1:/gluster/volume1 $worker2:/gluster/volume1 force
gluster volume start staging-gfs
chmod 666 /var/run/docker.sock
docker node update --label-add worker=true $workerHostname1
docker node update --label-add worker=true $workerHostname2
exit
EOF
echo -e " \033[32;5mGlusterFS created\033[0m"
# Step 5: Connect to all machines to ensure that GlusterFS mount restarts after boot
for newnode in "${all[@]}"; do
ssh $user@$newnode -i ~/.ssh/$certName sudo su <<EOF
echo 'localhost:/staging-gfs /mnt glusterfs defaults,_netdev,backupvolfile-server=localhost 0 0' >> /etc/fstab
mount.glusterfs localhost:/staging-gfs /mnt
chown -R root:docker /mnt
exit
EOF
echo -e " \033[32;5m$newnode - GlusterFS mounted on reboot\033[0m"
done
# OPTIONAL #
# Step 6: Add Portainer
ssh -tt $user@$manager1 -i ~/.ssh/$certName sudo su <<EOF
mkdir /mnt/Portainer
curl -L https://raw.githubusercontent.com/JamesTurland/JimsGarage/main/Docker-Swarm/portainer-agent-stack.yml -o portainer-agent-stack.yml
docker stack deploy -c portainer-agent-stack.yml portainer
docker node ls
docker service ls
gluster pool list
exit
EOF
echo -e " \033[32;5mPortainer deployed\033[0m"
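Review bot: `chmod 666 /var/run/docker.sock` in Step 4 makes the Docker socket writable by every local account on manager1, which is equivalent to granting each of them root on that host; the Portainer stack deployed in Step 6 bind-mounts the socket into a container that runs as root anyway, so nothing in this commit needs it. The same line is in swarm.sh (Step 5), and both scripts also run `iptables -F` and `iptables -P INPUT ACCEPT` on every node, silently discarding whatever host firewall policy was in place and never restoring it. I would drop the chmod (or use `chgrp docker /var/run/docker.sock; chmod 660 /var/run/docker.sock` if a non-root user really needs the socket) and add a comment above the iptables lines stating that the policy is flushed and not restored. The script also has no `set -euo pipefail`, so a failed `docker swarm init` does not stop the later join and gluster steps from running against a half-built cluster.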

00_Install/swarm.sh Normal file

@ -0,0 +1,182 @@
#!/bin/bash
echo -e " \033[33;5m __ _ _ ___ \033[0m"
echo -e " \033[33;5m \ \(_)_ __ ___( )__ / _ \__ _ _ __ __ _ __ _ ___ \033[0m"
echo -e " \033[33;5m \ \ | '_ \` _ \/ __| / /_\/ _\` | '__/ _\` |/ _\` |/ _ \ \033[0m"
echo -e " \033[33;5m /\_/ / | | | | | \__ \ / /_\\ (_| | | | (_| | (_| | __/ \033[0m"
echo -e " \033[33;5m \___/|_|_| |_| |_|___/ \____/\__,_|_| \__,_|\__, |\___| \033[0m"
echo -e " \033[33;5m |___/ \033[0m"
echo -e " \033[36;5m ___ _ ___ \033[0m"
echo -e " \033[36;5m | \ ___ __| |_____ _ _ / __|_ __ ____ _ _ _ _ __ \033[0m"
echo -e " \033[36;5m | |) / _ \/ _| / / -_) '_| \__ \ V V / _\` | '_| ' \ \033[0m"
echo -e " \033[36;5m |___/\___/\__|_\_\___|_| |___/\_/\_/\__,_|_| |_|_|_| \033[0m"
echo -e " \033[36;5m \033[0m"
echo -e " \033[32;5m https://youtube.com/@jims-garage \033[0m"
echo -e " \033[32;5m \033[0m"
#############################################
# YOU SHOULD ONLY NEED TO EDIT THIS SECTION #
#############################################
# Set the IP addresses of the admin, managers, and workers nodes
admin=192.168.3.5
manager1=192.168.3.21
manager2=192.168.3.22
manager3=192.168.3.23
worker1=192.168.3.24
worker2=192.168.3.25
# Set the workers' hostnames (if using cloud-init in Proxmox it's the name of the VM)
workerHostname1=dockerSwarm-04
workerHostname2=dockerSwarm-05
# User of remote machines
user=ubuntu
# Interface used on remotes
interface=eth0
# Array of all manager nodes
allmanagers=($manager1 $manager2 $manager3)
# Array of extra managers
managers=($manager2 $manager3)
# Array of worker nodes
workers=($worker1 $worker2)
# Array of all
all=($manager1 $manager2 $manager3 $worker1 $worker2)
#ssh certificate name variable
certName=id_rsa
#############################################
# DO NOT EDIT BELOW #
#############################################
# For testing purposes - in case time is wrong due to VM snapshots
sudo timedatectl set-ntp off
sudo timedatectl set-ntp on
# Move SSH certs to ~/.ssh and change permissions
cp /home/$user/{$certName,$certName.pub} /home/$user/.ssh
chmod 600 /home/$user/.ssh/$certName
chmod 644 /home/$user/.ssh/$certName.pub
# Create SSH Config file to ignore checking (don't use in production!)
echo "StrictHostKeyChecking no" > ~/.ssh/config
#add ssh keys for all nodes
for node in "${all[@]}"; do
ssh-copy-id $user@$node
done
# Copy SSH keys to MN1 to copy tokens back later
scp -i /home/$user/.ssh/$certName /home/$user/$certName $user@$manager1:~/.ssh
scp -i /home/$user/.ssh/$certName /home/$user/$certName.pub $user@$manager1:~/.ssh
# Install dependencies for each node (Docker, GlusterFS)
for newnode in "${all[@]}"; do
ssh $user@$newnode -i ~/.ssh/$certName sudo su <<EOF
iptables -F
iptables -P INPUT ACCEPT
# Add Docker's official GPG key:
apt-get update
NEEDRESTART_MODE=a apt install ca-certificates curl gnupg -y
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg
# Add the repository to Apt sources:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
NEEDRESTART_MODE=a apt install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y
NEEDRESTART_MODE=a apt install software-properties-common glusterfs-server -y
systemctl start glusterd
systemctl enable glusterd
mkdir -p /gluster/volume1
exit
EOF
echo -e " \033[32;5m$newnode - Docker & GlusterFS installed!\033[0m"
done
# Step 1: Create Swarm on first node
ssh -tt $user@$manager1 -i ~/.ssh/$certName sudo su <<EOF
docker swarm init --advertise-addr $manager1
docker swarm join-token manager | sed -n 3p | grep -Po 'docker swarm join --token \\K[^\\s]*' > manager.txt
docker swarm join-token worker | sed -n 3p | grep -Po 'docker swarm join --token \\K[^\\s]*' > worker.txt
echo "StrictHostKeyChecking no" > ~/.ssh/config
ssh-copy-id -i /home/$user/.ssh/$certName $user@$admin
scp -i /home/$user/.ssh/$certName /home/$user/manager.txt $user@$admin:~/manager
scp -i /home/$user/.ssh/$certName /home/$user/worker.txt $user@$admin:~/worker
exit
EOF
echo -e " \033[32;5mManager1 Completed\033[0m"
# Step 2: Set variables
managerToken=`cat manager`
workerToken=`cat worker`
# Step 3: Connect additional managers
for newnode in "${managers[@]}"; do
ssh -tt $user@$newnode -i ~/.ssh/$certName sudo su <<EOF
docker swarm join \
--token $managerToken \
$manager1
exit
EOF
echo -e " \033[32;5m$newnode - Manager node joined successfully!\033[0m"
done
# Step 4: Connect additional worker
for newnode in "${workers[@]}"; do
ssh -tt $user@$newnode -i ~/.ssh/$certName sudo su <<EOF
docker swarm join \
--token $workerToken \
$manager1
exit
EOF
echo -e " \033[32;5m$newnode - Worker node joined successfully!\033[0m"
done
# Step 5: Create GlusterFS Cluster across all nodes (connect to Manager1) - we will also label our nodes to restrict deployment of services to workers only
ssh -tt $user@$manager1 -i ~/.ssh/$certName sudo su <<EOF
gluster peer probe $manager1; gluster peer probe $manager2; gluster peer probe $manager3; gluster peer probe $worker1; gluster peer probe $worker2;
gluster volume create staging-gfs replica 5 $manager1:/gluster/volume1 $manager2:/gluster/volume1 $manager3:/gluster/volume1 $worker1:/gluster/volume1 $worker2:/gluster/volume1 force
gluster volume start staging-gfs
chmod 666 /var/run/docker.sock
docker node update --label-add worker=true $workerHostname1
docker node update --label-add worker=true $workerHostname2
exit
EOF
echo -e " \033[32;5mGlusterFS created\033[0m"
# Step 6: Connect to all machines to ensure that GlusterFS mount restarts after boot
for newnode in "${all[@]}"; do
ssh $user@$newnode -i ~/.ssh/$certName sudo su <<EOF
echo 'localhost:/staging-gfs /mnt glusterfs defaults,_netdev,backupvolfile-server=localhost 0 0' >> /etc/fstab
mount.glusterfs localhost:/staging-gfs /mnt
chown -R root:docker /mnt
exit
EOF
echo -e " \033[32;5m$newnode - GlusterFS mounted on reboot\033[0m"
done
# OPTIONAL #
# Step 7: Add Portainer
ssh -tt $user@$manager1 -i ~/.ssh/$certName sudo su <<EOF
mkdir /mnt/Portainer
curl -L https://raw.githubusercontent.com/JamesTurland/JimsGarage/main/Docker-Swarm/portainer-agent-stack.yml -o portainer-agent-stack.yml
docker stack deploy -c portainer-agent-stack.yml portainer
docker node ls
docker service ls
gluster pool list
exit
EOF
echo -e " \033[32;5mPortainer deployed\033[0m"
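Review bot: The swarm join tokens produced in Step 1 stay on disk after use — `manager.txt` and `worker.txt` in the remote user's home on manager1 and `~/manager` / `~/worker` on the admin host — and anyone who can read the manager token can add a manager to the cluster. Step 2 copies them into `managerToken` and `workerToken`, so `rm -f manager worker` can follow the two `cat` lines, the copies on manager1 can be deleted inside the Step 5 heredoc, and `docker swarm join-token --rotate manager` (and `worker`) at the end invalidates the tokens that were written out. The `chmod 666` on the docker socket and the `iptables -F` / `-P INPUT ACCEPT` lines raised on swarm-3-nodes.sh apply to this script as well (Step 5 and the install loop).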



@ -0,0 +1,49 @@
version: '3'
services:
authelia:
image: authelia/authelia
container_name: authelia
volumes:
- /home/ubuntu/docker/authelia/config:/config
networks:
- proxy
security_opt:
- no-new-privileges:true
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.authelia.rule=Host(`auth.jimsgarage.co.uk`)'
- 'traefik.http.routers.authelia.entrypoints=https'
- 'traefik.http.routers.authelia.tls=true'
- 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https://auth.jimsgarage.co.uk'
- 'traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true'
- 'traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
- 'traefik.http.middlewares.authelia-basic.forwardAuth.address=http://authelia:9091/api/verify?auth=basic'
- 'traefik.http.middlewares.authelia-basic.forwardAuth.trustForwardHeader=true'
- 'traefik.http.middlewares.authelia-basic.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
- 'traefik.http.services.authelia.loadbalancer.server.port=9091'
ports:
- 9091:9091
restart: unless-stopped
environment:
- TZ=Europe/London
healthcheck:
disable: true
redis:
image: redis:alpine
container_name: redis
volumes:
- /home/ubuntu/docker/redis:/data
networks:
- proxy
expose:
- 6379
restart: unless-stopped
environment:
- TZ=Europe/London
networks:
proxy:
external: true
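Review bot: `ports: - 9091:9091` publishes Authelia's portal and its `/api/verify` endpoint directly on the host over plain HTTP, bypassing the Traefik router declared in the labels and its TLS. The redis service in the same file uses `expose:` for the same purpose, and the `loadbalancer.server.port=9091` label already lets Traefik reach the container on the proxy network, so the `ports:` block can be removed (or become `expose: - 9091` if it is meant as documentation). `image: authelia/authelia` has no tag, so a pull may move to a new major version; the gitea compose in this commit pins its tag and this file could follow.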


@ -0,0 +1,19 @@
---
###############################################################
# Users Database #
###############################################################
# This file can be used if you do not have an LDAP set up.
# List of users
users:
authelia:
disabled: false
displayname: "Authelia User"
# Password is authelia
password: "$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/" # yamllint disable-line rule:line-length
email: authelia@authelia.com
groups:
- admins
- dev
...
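Review bot: The `authelia` entry is a member of `admins` and the comment above the hash gives its password, so as committed this is a published admin credential for any instance that loads the file unchanged. Either replace the hash before deploying (Authelia's CLI has a command to generate one) or mark the entry `disabled: true` and say in the header that it is a template user to be replaced. A line such as `# Template user: replace the hash (or set disabled: true) before exposing the portal` above the `users:` key would make that explicit.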


@ -0,0 +1,31 @@
version: "3.9"
services:
web:
image: nginx
container_name: nginx
volumes:
- /home/ubuntu/docker/nginx:/etc/nginx/templates
environment:
- NGINX_HOST=nginx.jimsgarage.co.uk
- NGINX_PORT=80
labels:
- "traefik.enable=true"
- "traefik.http.routers.nginx.entrypoints=http"
- "traefik.http.routers.nginx.rule=Host(`nginx.jimsgarage.co.uk`)"
- "traefik.http.middlewares.nginx-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.nginx.middlewares=nginx-https-redirect"
- "traefik.http.routers.nginx-secure.entrypoints=https"
- "traefik.http.routers.nginx-secure.rule=Host(`nginx.jimsgarage.co.uk`)"
- "traefik.http.routers.nginx-secure.tls=true"
- "traefik.http.routers.nginx-secure.service=nginx"
- "traefik.http.services.nginx.loadbalancer.server.port=80"
- "traefik.http.routers.nginx-secure.middlewares=authelia@docker"
- "traefik.docker.network=proxy"
networks:
proxy:
security_opt:
- no-new-privileges:true
networks:
proxy:
external: true
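Review bot: `image: nginx` carries no tag, so this stack floats on `latest` while the gitea compose in the same commit pins `gitea/gitea:1.21.4`; pinning here (`image: nginx:<tag>`, or a digest) keeps deployments reproducible and makes the supply-chain input reviewable. The `authelia@docker` middleware is attached only to `nginx-secure` while the `nginx` router on the http entrypoint just redirects, which is correct but reads like an omission; a one-line comment above the labels saying the http router only redirects would help.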


@ -0,0 +1,46 @@
version: '3.5'
services:
traefik:
image: traefik:latest
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
proxy:
ports:
- 80:80
- 443:443
environment:
- CF_API_EMAIL=your@email.com
- CF_DNS_API_TOKEN=your-api-key
# - CF_API_KEY=YOU_API_KEY
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- /home/ubuntu/docker/traefik/traefik.yml:/traefik.yml:ro
- /home/ubuntu/docker/traefik/acme.json:/acme.json
- /home/ubuntu/docker/traefik/config.yml:/config.yml:ro
- /home/ubuntu/docker/traefik/logs:/var/log/traefik
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=http"
- "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.yourdomain.co.uk`)"
- "traefik.http.middlewares.traefik-auth.basicauth.users=YOUR_USERNAME_PASSWORD"
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
- "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
- "traefik.http.routers.traefik-secure.entrypoints=https"
- "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.yourdomain.co.uk`)"
- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
- "traefik.http.routers.traefik-secure.tls.domains[0].main=yourdomain.co.uk"
- "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.yourdomain.co.uk"
- "traefik.http.routers.traefik-secure.service=api@internal"
- "traefik.http.routers.api.middlewares=authelia@docker"
networks:
proxy:
name: proxy
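Review bot: The last label, `traefik.http.routers.api.middlewares=authelia@docker`, names a router `api` that this file never defines, so Authelia is not actually in front of the dashboard; the dashboard router is `traefik-secure` and it only carries `traefik-auth`. Unless a router named `api` is declared elsewhere, the intent is presumably `traefik.http.routers.traefik-secure.middlewares=traefik-auth,authelia@docker` (or just `authelia@docker` if basic auth is meant to go), with the `api` line dropped. `CF_DNS_API_TOKEN` is set inline in a committed compose file; a git-ignored `.env` entry or a Docker secret is the safer home for a token that can change DNS records.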


@ -1,3 +1,18 @@
PG_PASS=UaXg4bygCAIBx3aIegkYk22LE5bOBWLpAuv60eGk
AUTHENTIK_SECRET_KEY=ThB3GtCJgHxkoFhyorQ4s5jMznqM13nebhHadJvbp5F2E11wA0
AUTHENTIK_ERROR_REPORTING__ENABLED=true
COMPOSE_PORT_HTTPS=1443
COMPOSE_PORT_HTTP=7000
# SMTP Host Emails are sent to
AUTHENTIK_EMAIL__HOST=localhost
AUTHENTIK_EMAIL__PORT=25
# Optionally authenticate (don't add quotation marks to your password)
AUTHENTIK_EMAIL__USERNAME=admin@tips-of-mine.fr
AUTHENTIK_EMAIL__PASSWORD=password
# Use StartTLS
AUTHENTIK_EMAIL__USE_TLS=false
# Use SSL
AUTHENTIK_EMAIL__USE_SSL=false
AUTHENTIK_EMAIL__TIMEOUT=10
# Email address authentik will send from, should have a correct @domain
AUTHENTIK_EMAIL__FROM=authentik@localhost
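Review bot: `PG_PASS` and `AUTHENTIK_SECRET_KEY` carry real-looking values in a committed file, so both should be treated as compromised and regenerated, with this file replaced by a `.env.example` holding empty values and the real `.env` ignored by git. The SMTP block pairs `AUTHENTIK_EMAIL__USERNAME=admin@tips-of-mine.fr` with `AUTHENTIK_EMAIL__PASSWORD=password`; if that is a placeholder it should look like one (`CHANGE_ME`) so it is not deployed as-is. I cannot tell from the rendered page which three of these lines are unchanged context, so the rotation advice applies regardless of which values are new in this commit.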


@ -0,0 +1,87 @@
---
version: "3.4"
services:
postgresql:
image: docker.io/library/postgres:12-alpine
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
start_period: 20s
interval: 30s
retries: 5
timeout: 5s
volumes:
- database:/var/lib/postgresql/data
environment:
POSTGRES_PASSWORD: ${PG_PASS:?database password required}
POSTGRES_USER: ${PG_USER:-authentik}
POSTGRES_DB: ${PG_DB:-authentik}
env_file:
- .env
redis:
image: docker.io/library/redis:alpine
command: --save 60 1 --loglevel warning
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
start_period: 20s
interval: 30s
retries: 5
timeout: 3s
volumes:
- redis:/data
server:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.8.3}
restart: unless-stopped
command: server
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
volumes:
- ./media:/media
- ./custom-templates:/templates
env_file:
- .env
ports:
- "${COMPOSE_PORT_HTTP:-9000}:9000"
- "${COMPOSE_PORT_HTTPS:-9443}:9443"
depends_on:
- postgresql
- redis
worker:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.8.3}
restart: unless-stopped
command: worker
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
# `user: root` and the docker socket volume are optional.
# See more for the docker socket integration here:
# https://goauthentik.io/docs/outposts/integrations/docker
# Removing `user: root` also prevents the worker from fixing the permissions
# on the mounted folders, so when removing this make sure the folders have the correct UID/GID
# (1000:1000 by default)
user: root
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./media:/media
- ./certs:/certs
- ./custom-templates:/templates
env_file:
- .env
depends_on:
- postgresql
- redis
volumes:
database:
driver: local
redis:
driver: local
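Review bot: `depends_on` on `server` and `worker` uses the short list form, so Compose starts them as soon as `postgresql` and `redis` exist rather than when the healthchecks defined on those two services pass, which leaves the healthchecks informational at startup. The Compose Spec long form makes use of them, as below for `server` (the same block applies to `worker`); as far as I know current Compose v2 accepts it regardless of the `version: "3.4"` key, whereas the legacy v1 tool rejected `condition` under v3 files, so a comment noting the tooling requirement is worthwhile. The `user: root` plus docker-socket mount on `worker` is already explained by the comment above it, which is good.
```yaml
  server:
    # … unchanged: image, restart, command, environment, volumes, env_file, ports …
    depends_on:
      postgresql:
        condition: service_healthy
      redis:
        condition: service_healthy
```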


@ -0,0 +1,16 @@
version: "3.9"
services:
tunnel:
container_name: cloudflared-tunnel
image: cloudflare/cloudflared
restart: unless-stopped
command: tunnel run
environment:
- TUNNEL_TOKEN=YOUR_KEY_HERE
networks:
macvlan4: # change name to whatever you like
ipv4_address: 192.168.4.20 # change to your IP in your vLAN subnet
networks:
macvlan4:
external: true
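Review bot: `TUNNEL_TOKEN=YOUR_KEY_HERE` places the tunnel credential inline in a committed compose file; whoever holds that token can run this tunnel and receive the traffic for its hostnames. Read it from `env_file:` with a git-ignored `.env` (or a Docker secret) so the placeholder is never replaced in place with a real value and committed. `image: cloudflare/cloudflared` is untagged as well; pinning it keeps the tunnel client version explicit.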


@ -0,0 +1,5 @@
docker network create -d macvlan \
--subnet=192.168.4.0/24 \
--gateway=192.168.4.1 \
-o parent=eth0.4 \
macvlan4


@ -0,0 +1,37 @@
---
version: "2.1"
services:
code-server:
image: lscr.io/linuxserver/code-server:latest
container_name: code-server
environment:
- PUID=1000
- PGID=1000
- TZ=Etc/UTC
- PASSWORD=password #optional
- HASHED_PASSWORD= #optional
- SUDO_PASSWORD=password #optional
- SUDO_PASSWORD_HASH= #optional
- PROXY_DOMAIN=code-server.jimsgarage.co.uk #optional
- DEFAULT_WORKSPACE=/config/workspace #optional
volumes:
- /home/ubuntu/docker/code-server/config:/config
networks:
proxy:
labels:
- "traefik.enable=true"
- "traefik.http.routers.code-server.entrypoints=http"
- "traefik.http.routers.code-server.rule=Host(`code-server.yourdomain.com`)"
- "traefik.http.middlewares.code-server-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.code-server.middlewares=code-server-https-redirect"
- "traefik.http.routers.code-server-secure.entrypoints=https"
- "traefik.http.routers.code-server-secure.rule=Host(`code-server.yourdomain.com`)"
- "traefik.http.routers.code-server-secure.tls=true"
- "traefik.http.routers.code-server-secure.service=code-server"
- "traefik.http.services.code-server.loadbalancer.server.port=8443"
- "traefik.docker.network=proxy"
restart: unless-stopped
networks:
proxy:
external: true
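Review bot: `PROXY_DOMAIN=code-server.jimsgarage.co.uk` does not match the Host rule for `code-server.yourdomain.com` on both Traefik routers, so the domain code-server uses for proxying differs from the hostname it is served on; one of the two should change, presumably both becoming the same placeholder. `PASSWORD=password` and `SUDO_PASSWORD=password` are plaintext defaults beside empty `HASHED_PASSWORD=` and `SUDO_PASSWORD_HASH=` entries the image supports for the same purpose; prefer the hashed forms and keep the real values out of the committed file. Nothing attaches `authelia@docker` to `code-server-secure`, unlike the nginx compose in this commit — a comment saying whether that is intentional would help.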


@ -0,0 +1,6 @@
http:
middlewares:
crowdsec-bouncer:
forwardauth:
address: http://bouncer-traefik:8080/api/v1/forwardAuth
trustForwardHeader: true


@ -0,0 +1,41 @@
api:
dashboard: true
debug: true
entryPoints:
http:
address: ":80"
http:
middlewares:
- crowdsec-bouncer@file
redirections:
entryPoint:
to: https
scheme: https
https:
address: ":443"
http:
middlewares:
- crowdsec-bouncer@file
serversTransport:
insecureSkipVerify: true
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
file:
filename: /config.yml
certificatesResolvers:
cloudflare:
acme:
email: your@email.com #add your email
storage: acme.json
dnsChallenge:
provider: cloudflare
resolvers:
- "1.1.1.1:53"
- "1.0.0.1:53"
log:
level: "INFO"
filePath: "/var/log/traefik/traefik.log"
accessLog:
filePath: "/var/log/traefik/access.log"
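Review bot: `serversTransport: insecureSkipVerify: true` turns off certificate verification for every backend Traefik talks to, not only the self-signed ones that presumably motivated it, so an impersonated upstream on the proxy network cannot be told apart from the real one. Traefik's dynamic configuration supports named `serversTransports` (this file already loads `/config.yml` through the file provider), which lets the relaxed transport be attached only to the services that need it and leaves the default strict. `api: debug: true` is also committed as the default; a comment marking it temporary, or setting it to `false`, is preferable.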

Crowdsec/acquis.yaml Normal file

@ -0,0 +1,4 @@
filenames:
- /var/log/traefik/*
labels:
type: traefik


@ -0,0 +1,35 @@
version: '3.8'
services:
crowdsec:
image: crowdsecurity/crowdsec:latest
container_name: crowdsec
environment:
GID: "${GID-1000}"
COLLECTIONS: "crowdsecurity/linux crowdsecurity/traefik"
volumes:
- /home/ubuntu/docker/crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
- /home/ubuntu/docker/crowdsec/db:/var/lib/crowdsec/data/
- /home/ubuntu/docker/crowdsec/config:/etc/crowdsec/
- /home/ubuntu/docker/traefik/logs:/var/log/traefik/:ro
networks:
- proxy
security_opt:
- no-new-privileges:true
restart: unless-stopped
bouncer-traefik:
image: docker.io/fbonalair/traefik-crowdsec-bouncer:latest
container_name: bouncer-traefik
environment:
CROWDSEC_BOUNCER_API_KEY: create_a_random_api_key
CROWDSEC_AGENT_HOST: crowdsec:8080
networks:
- proxy
depends_on:
- crowdsec
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
proxy:
external: true
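Review bot: `CROWDSEC_BOUNCER_API_KEY: create_a_random_api_key` is a placeholder that must be replaced by the key CrowdSec issues for the bouncer (`cscli bouncers add`), and as written the bouncer will start and fail every lookup against `crowdsec:8080`; what happens to traffic then depends on how the bouncer handles errors, so the key deserves a comment. Since the file is committed, take the real key from a git-ignored `.env` (`CROWDSEC_BOUNCER_API_KEY: "${CROWDSEC_BOUNCER_API_KEY:?set in .env}"`) rather than editing it in place. `GID: "${GID-1000}"` uses the `-` operator, so an exported but empty `GID` yields an empty string; `${GID:-1000}` covers both unset and empty.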

Frigate/config.yml Normal file

@ -0,0 +1,96 @@
cameras:
garden:
ffmpeg:
inputs:
- path: rtsp://cameraIP:554/s0
roles:
- detect
- rtmp
detect:
width: 1920 # <---- update for your camera's resolution
height: 1080 # <---- update for your camera's resolution
fps: 25
garage:
ffmpeg:
inputs:
- path: rtsp://cameraIP:554/s0
roles:
- detect
- rtmp
detect:
width: 1920 # <---- update for your camera's resolution
height: 1080 # <---- update for your camera's resolution
fps: 25
motion:
mask:
- 0,0,1920,0,1920,393,297,241,314,464,0,541
# Optional: Database configuration
database:
# The path to store the SQLite DB (default: shown below)
path: /media/frigate/frigate.db
detectors:
coral1:
type: edgetpu
device: pci:0
coral2:
type: edgetpu
device: pci:1
objects:
track:
- person
- dog
- cat
- bird
snapshots:
enabled: True
timestamp: true
bounding_box: true
retain:
default: 30
mqtt:
host: 192.168.200.14
ffmpeg:
#hwaccel_args:
# - -hwaccel
# - vaapi
# - -hwaccel_device
# - /dev/dri/renderD128
# - -hwaccel_output_format
# - yuv420p
output_args:
record: -f segment -segment_time 10 -segment_format mp4 -reset_timestamps 1 -strftime 1 -c:v copy -c:a aac
record:
enabled: True
events:
pre_capture: 5
post_capture: 5
retain:
default: 30
mode: active_objects
objects:
- person
- bird
- cat
- dog
birdseye:
# Optional: Enable birdseye view (default: shown below)
enabled: True
# Optional: Width of the output resolution (default: shown below)
width: 1280
# Optional: Height of the output resolution (default: shown below)
height: 720
# Optional: Encoding quality of the mpeg1 feed (default: shown below)
# 1 is the highest quality, and 31 is the lowest. Lower quality feeds utilize less CPU resources.
quality: 8
# Optional: Mode of the view. Available options are: objects, motion, and continuous
# objects - cameras are included if they have had a tracked object within the last 30 seconds
# motion - cameras are included if motion was detected in the last 30 seconds
# continuous - all cameras are included always
mode: continuous
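Review bot: Booleans are written inconsistently — `enabled: True` under `snapshots`, `record` and `birdseye` but `timestamp: true` and `bounding_box: true` — and yamllint's `truthy` rule flags the capitalised form; `true` everywhere is the convention. The camera inputs are `rtsp://cameraIP:554/s0` with no credentials while the compose file sets `FRIGATE_RTSP_PASSWORD`; Frigate substitutes `{FRIGATE_RTSP_PASSWORD}` inside input paths, so `path: rtsp://user:{FRIGATE_RTSP_PASSWORD}@cameraIP:554/s0` keeps the camera password out of this file. `mqtt: host:` has no user or password keys, which is acceptable only if the broker is unauthenticated on that network; a comment either way would help.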


@ -0,0 +1,46 @@
version: "3.9"
services:
frigate:
container_name: frigate
# privileged: true # this may not be necessary for all setups
restart: unless-stopped
image: ghcr.io/blakeblackshear/frigate:stable
devices:
#- /dev/bus/usb:/dev/bus/usb
- /dev/apex_0:/dev/apex_0
- /dev/apex_1:/dev/apex_1
#- /dev/dri/renderD128:/dev/dri/renderD128 # for intel hwaccel, needs to be updated for your hardware
volumes:
- /etc/localtime:/etc/localtime:ro
- /home/ubuntu/docker/frigate/config.yml:/config/config.yml:ro
- /home/ubuntu/freenas/Frigate/media/clips:/media/frigate/clips
- /home/ubuntu/freenas/Frigate/media/recordings:/media/frigate/recordings
- /home/ubuntu/docker/frigate/database:/media/frigate
- type: tmpfs # Optional: 1GB of memory, reduces SSD/SD Card wear
target: /tmp/cache
tmpfs:
size: 2000000000
ports:
- "5000:5000"
- "1935:1935" # RTMP feeds (deprecated)
- "8554:8554" # RTSP feeds
environment:
FRIGATE_RTSP_PASSWORD: "password"
security_opt:
- no-new-privileges:true
labels:
- "traefik.enable=true"
- "traefik.http.routers.frigate.entrypoints=http"
- "traefik.http.routers.frigate.rule=Host(`frigate.jimsgarage.co.uk`)"
- "traefik.http.middlewares.frigate-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.frigate.middlewares=frigate-https-redirect"
- "traefik.http.routers.frigate-secure.entrypoints=https"
- "traefik.http.routers.frigate-secure.rule=Host(`frigate.jimsgarage.co.uk`)"
- "traefik.http.routers.frigate-secure.tls=true"
- "traefik.http.routers.frigate-secure.service=frigate"
- "traefik.http.services.frigate.loadbalancer.server.port=5000"
- "traefik.docker.network=proxy"
networks:
proxy:
external: true
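Review bot: `"5000:5000"` publishes Frigate's web UI directly on the host, and the `frigate-secure` router has no `authelia@docker` middleware, so both the direct port and the Traefik route are reachable without login even though this commit puts Authelia in front of nginx; as far as I know the `stable` image of this date has no built-in authentication of its own. If the UI should only be reached through Traefik, drop the 5000 mapping (Traefik reaches the container via `loadbalancer.server.port=5000` on the proxy network) and add `- "traefik.http.routers.frigate-secure.middlewares=authelia@docker"`. `FRIGATE_RTSP_PASSWORD: "password"` is a committed default and belongs in a git-ignored `.env`.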

Gitea/docker-compose.yaml Normal file

@ -0,0 +1,49 @@
version: "3"
services:
server:
image: gitea/gitea:1.21.4
container_name: gitea
environment:
- USER_UID=1000
- USER_GID=1000
- GITEA__database__DB_TYPE=postgres
- GITEA__database__HOST=db:5432
- GITEA__database__NAME=gitea
- GITEA__database__USER=gitea
- GITEA__database__PASSWD=gitea
restart: always
volumes:
- ./gitea:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
depends_on:
- db
networks:
- proxy
labels:
- "traefik.enable=true"
- "traefik.http.routers.gitea-secure.entrypoints=https"
- "traefik.http.routers.gitea-secure.rule=Host(`gitea.jimsgarage.co.uk`)"
- "traefik.http.routers.gitea-secure.tls=true"
- "traefik.http.routers.gitea-secure.service=gitea@docker"
- "traefik.http.services.gitea.loadbalancer.server.port=3000"
- "traefik.docker.network=proxy"
security_opt:
- no-new-privileges:true
db:
image: postgres:14
restart: always
environment:
- POSTGRES_USER=gitea
- POSTGRES_PASSWORD=gitea
- POSTGRES_DB=gitea
volumes:
- ./postgres:/var/lib/postgresql/data
networks:
- proxy
networks:
proxy:
external: true
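Review bot: The `db` service joins the shared `proxy` network, so the Postgres instance is reachable from every other container on that network using the `gitea`/`gitea` credentials committed here. Traefik only needs to reach `server`, so `server` and `db` should share a private network and `db` should leave `proxy`, as sketched below. The three password values (`GITEA__database__PASSWD`, `POSTGRES_PASSWORD`) should also come from a git-ignored `.env` rather than the literal `gitea`.
```yaml
  server:
    # … unchanged: image, environment, volumes, labels, security_opt …
    networks:
      - proxy
      - gitea-internal
  db:
    # … unchanged: image, restart, environment, volumes …
    networks:
      - gitea-internal
networks:
  proxy:
    external: true
  gitea-internal:
    internal: true
```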


@ -0,0 +1,30 @@
version: '3.3'
services:
gotify:
image: gotify/server
container_name: gotify
volumes:
- /home/ubuntu/docker/gotify:/app/data
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
proxy:
environment:
- TZ=Europe/London
labels:
- "traefik.enable=true"
- "traefik.http.routers.gotify.entrypoints=http"
- "traefik.http.routers.gotify.rule=Host(`gotify.yourdomain.com`)"
- "traefik.http.middlewares.gotify-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.gotify.middlewares=gotify-https-redirect"
- "traefik.http.routers.gotify-secure.entrypoints=https"
- "traefik.http.routers.gotify-secure.rule=Host(`gotify.yourdomain.com`)"
- "traefik.http.routers.gotify-secure.tls=true"
- "traefik.http.routers.gotify-secure.service=gotify"
- "traefik.http.services.gotify.loadbalancer.server.port=80"
- "traefik.docker.network=proxy"
networks:
proxy:
external: true
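Review bot: Nothing in this service sets the initial admin credentials, so the instance comes up with the image's default `admin`/`admin` login until someone changes it in the UI; `GOTIFY_DEFAULTUSER_PASS` (from a git-ignored `.env`) sets it at first start. The router carries no `authelia@docker` middleware, which is probably deliberate because push clients need the API, but a comment saying so would help. `image: gotify/server` is untagged; pin it like the gitea image in this commit.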

Immich/.env Normal file

@ -0,0 +1,22 @@
# You can find documentation for all the supported env variables at https://immich.app/docs/install/environment-variables
# The location where your uploaded files are stored
UPLOAD_LOCATION=/home/ubuntu/docker/immich/upload
# The Immich version to use. You can pin this to a specific version like "v1.71.0"
IMMICH_VERSION=release
# Connection secrets for postgres and typesense. You should change these to random passwords
TYPESENSE_API_KEY=some-random-text
DB_PASSWORD=postgres
# The values below this line do not need to be changed
###################################################################################
DB_HOSTNAME=immich_postgres
DB_USERNAME=postgres
DB_DATABASE_NAME=immich
REDIS_HOSTNAME=immich_redis
IMMICH_SERVER_URL=https://immich.yourdomain.com
IMMICH_WEB_URL=https://immich.yourdomain.com
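Review bot: `DB_PASSWORD=postgres` and `TYPESENSE_API_KEY=some-random-text` are the values the stack deploys with if the comment above them is missed, and `postgres` is the widely known default. Placeholders that fail loudly are safer than working defaults — leave the values empty and have the compose file require them with `${DB_PASSWORD:?set in .env}` — and this file should be git-ignored with a `.env.example` committed in its place.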


@ -0,0 +1,62 @@
version: "3.8"
services:
immich-server:
container_name: immich_server
image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
command: [ "start.sh", "immich" ]
volumes:
- /home/ubuntu/docker/immich/upload:/usr/src/app/upload
env_file:
- .env
ports:
- 2283:3001
depends_on:
- redis
- database
restart: always
immich-microservices:
container_name: immich_microservices
image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
extends:
file: hwaccel.yml
service: hwaccel
command: [ "start.sh", "microservices" ]
volumes:
- /home/ubuntu/docker/immich/upload:/usr/src/app/upload
env_file:
- .env
depends_on:
- redis
- database
restart: always
immich-machine-learning:
container_name: immich_machine_learning
image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
volumes:
- /home/ubuntu/docker/immich/model-cache:/cache
env_file:
- .env
restart: always
redis:
container_name: immich_redis
image: redis:6.2-alpine@sha256:70a7a5b641117670beae0d80658430853896b5ef269ccf00d1827427e3263fa3
restart: always
database:
container_name: immich_postgres
image: tensorchord/pgvecto-rs:pg14-v0.1.11
env_file:
- .env
environment:
POSTGRES_PASSWORD: ${DB_PASSWORD}
POSTGRES_USER: ${DB_USERNAME}
POSTGRES_DB: ${DB_DATABASE_NAME}
volumes:
- /home/ubuntu/docker/immich/pgdata:/var/lib/postgresql/data
restart: always
## there is a known issue with Traefik: see here https://github.com/immich-app/immich/discussions/437#discussioncomment-3609797
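Review bot: `ports: - 2283:3001` on `immich-server` binds the plain-HTTP API to every host interface, while `IMMICH_SERVER_URL=https://immich.yourdomain.com` in `.env` and the Traefik note on the last line suggest a reverse proxy is the intended front door; if so, bind to loopback, `- "127.0.0.1:2283:3001"`, so the unencrypted listener is not reachable next to the TLS one (and quote the mapping either way, per the Compose docs). The `database` service receives the entire `.env` through `env_file` — including `TYPESENSE_API_KEY` — and then sets the three `POSTGRES_*` keys explicitly; unless the pgvecto image reads something else from it, dropping `env_file` there keeps unrelated secrets out of the Postgres container's environment. Redis is pinned by digest, which is good; the immich images float on `release` unless `IMMICH_VERSION` is pinned in `.env`.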

23
Immich/hwaccel.yml Normal file

@ -0,0 +1,23 @@
version: "3.8"
# Hardware acceleration for transcoding - Optional
# This is only needed if you want to use hardware acceleration for transcoding.
# Depending on your hardware, you should uncomment the relevant lines below.
services:
hwaccel:
devices:
- /dev/dri:/dev/dri # If using Intel QuickSync or VAAPI
# volumes:
# - /usr/lib/wsl:/usr/lib/wsl # If using VAAPI in WSL2
# environment:
# - NVIDIA_DRIVER_CAPABILITIES=all # If using NVIDIA GPU
# - LD_LIBRARY_PATH=/usr/lib/wsl/lib # If using VAAPI in WSL2
# - LIBVA_DRIVER_NAME=d3d12 # If using VAAPI in WSL2
# deploy: # Uncomment this section if using NVIDIA GPU
# resources:
# reservations:
# devices:
# - driver: nvidia
# count: 1
# capabilities: [gpu,video]
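Review bot: `devices: - /dev/dri:/dev/dri` hands the microservices container every DRM node in the directory, including the card control nodes, while transcoding only needs the render node; the Jellyfin compose files in this commit pass `/dev/dri/renderD128` alone, which is the narrower grant, so prefer `- /dev/dri/renderD128:/dev/dri/renderD128` here unless a specific driver path needs `card0` as well. The remainder is the documented optional template and is commented out, so it changes nothing until edited.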


@ -0,0 +1,25 @@
version: "2"
services:
jellyfin:
image: jellyfin/jellyfin
container_name: jellyfin
group_add:
- '107' # This needs to be the group id of your GPU, e.g., `stat -c '%g' /dev/dri/renderD128` on the docker host for iGPU
environment:
- TZ=Europe/London
volumes:
- ./jellyfin/config:/config
- ./jellyfin/cache:/cache
- /films:/films
# - /home/ubuntu/YOUR_NAS/Films:/Films:ro
# - /home/ubuntu/YOUR_NAS/TVShows:/TVShows:ro
# - /home/ubuntu/YOUR_NAS/Audiobooks:/Audiobooks:ro
# - /home/ubuntu/YOUR_NAS/Music:/Music:ro
ports: # You will need to uncomment if you aren't running through a proxy
- 8096:8096
- 8920:8920 #optional
- 7359:7359/udp #optional
- 1900:1900/udp #optional
devices: # uncomment these and amend if you require GPU accelerated transcoding
- /dev/dri/renderD128:/dev/dri/renderD128
restart: unless-stopped
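Review bot: This variant runs Jellyfin as root — there is no `user:` line — and mounts `/films` read-write, whereas the second Jellyfin file in this commit sets `user: 1000:1000`, `security_opt: - no-new-privileges:true` and mounts media `:ro`; the two should agree, so add `user: 1000:1000`, the `security_opt` block, and `- /films:/films:ro` here. The published `7359/udp` and `1900/udp` are LAN auto-discovery/DLNA ports; on a host with any non-LAN interface they are reachable there too, so bind them to the LAN address or drop them if unused. `image: jellyfin/jellyfin` has no tag; pin it so `restart: unless-stopped` plus a pull never silently upgrades.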


@ -0,0 +1,46 @@
version: "2"
services:
jellyfin:
image: jellyfin/jellyfin
container_name: jellyfin
user: 1000:1000
#group_add:
# - '109' # This needs to be the group id of running `stat -c '%g' /dev/dri/renderD128` on the docker host
environment:
- TZ=Europe/London
volumes:
- /home/ubuntu/docker/jellyfin/config:/config
- /home/ubuntu/docker/jellyfin/cache:/cache
- /home/ubuntu/YOUR_NAS/Films:/Films:ro
- /home/ubuntu/YOUR_NAS/TVShows:/TVShows:ro
- /home/ubuntu/YOUR_NAS/Audiobooks:/Audiobooks:ro
- /home/ubuntu/YOUR_NAS/Music:/Music:ro
#ports: You will need to uncomment if you aren't running through a proxy
# - 8096:8096
# - 8920:8920 #optional
# - 7359:7359/udp #optional
# - 1900:1900/udp #optional
#devices: uncomment these and amend if you require GPU accelerated transcoding
# - /dev/dri/renderD128:/dev/dri/renderD128
# - /dev/dri/card0:/dev/dri/card0
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.routers.jellyfin.entrypoints=http"
- "traefik.http.routers.jellyfin.rule=Host(`jellyfin.YOUR_DOMAIN.co.uk`)"
- "traefik.http.middlewares.jellyfin-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.jellyfin.middlewares=jellyfin-https-redirect"
- "traefik.http.routers.jellyfin-secure.entrypoints=https"
- "traefik.http.routers.jellyfin-secure.rule=Host(`jellyfin.YOUR_DOMAIN.co.uk`)"
- "traefik.http.routers.jellyfin-secure.tls=true"
- "traefik.http.routers.jellyfin-secure.service=jellyfin"
- "traefik.http.services.jellyfin.loadbalancer.server.port=8096"
- "traefik.docker.network=proxy"
networks:
proxy:
security_opt:
- no-new-privileges:true
networks:
proxy:
external: true
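Review bot: `group_add` is commented out while the comment on the `devices:` line invites uncommenting `/dev/dri/renderD128`; with `user: 1000:1000` the process can only open the render node if it is in the device's group, so the two blocks need to be uncommented together (the GID comment already explains how to find the value). `image: jellyfin/jellyfin` is untagged — pin it to a release. Running as a non-root UID with `no-new-privileges` and read-only media mounts is the right shape, and is what the other Jellyfin file in this commit should be brought in line with.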

55
Jellyfin/readme.md Normal file

@ -0,0 +1,55 @@
# Find Device Numbers
```
ls -l /dev/dri
```
# Find Group Numbers
```
cat /etc/group
```
# Add Group Numbers Values to subgid
Change values to map the to above ^^
```
nano /etc/subgid
```
Paste at the bottom, for example:
```
root:44:1
root:104:1
```
# Create CT Using Wizard. Edit .conf In /etc/pve/lxc
Edit your device IDs and renderD***
Ensure you match the idmap values
```
arch: amd64
cores: 2
cpulimit: 2
features: nesting=1
hostname: test-gpu-04
memory: 3000
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=BC:24:11:06:18:78,ip=dhcp,type=veth
ostype: debian
rootfs: local-lvm:vm-104-disk-0,size=20G
swap: 512
unprivileged: 1
lxc.cgroup2.devices.allow: c 226:0 rwm
lxc.cgroup2.devices.allow: c 226:128 rwm
lxc.mount.entry: /dev/dri/renderD128 dev/dri/renderD128 none bind,optional,create=file
lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 44
lxc.idmap: g 44 44 1
lxc.idmap: g 45 100045 62
lxc.idmap: g 107 104 1
lxc.idmap: g 108 100108 65428
```
# Add Root to Groups
Do this on your Proxmox Host
```
usermod -aG render,video root
```
# Whatever You Want...
Install Docker, run apps, even change your LXC for a Linux Desktop!!!

218
Jitsi/.env Normal file

@ -0,0 +1,218 @@
# shellcheck disable=SC2034
################################################################################
################################################################################
# Welcome to the Jitsi Meet Docker setup!
#
# This sample .env file contains some basic options to get you started.
# The full options reference can be found here:
# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker
################################################################################
################################################################################
#
# Basic configuration options
#
# Directory where all configuration will be stored
CONFIG=~/.jitsi-meet-cfg
# Exposed HTTP port
HTTP_PORT=8000
# Exposed HTTPS port
HTTPS_PORT=8443
# System time zone
TZ=UTC
# Public URL for the web service (required)
PUBLIC_URL=https://meet.yourdomain.com
# Media IP addresses to advertise by the JVB
# This setting deprecates DOCKER_HOST_ADDRESS, and supports a comma separated list of IPs
# See the "Running behind NAT or on a LAN environment" section in the Handbook:
# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment
JVB_ADVERTISE_IPS=192.168.x.x # Add your Docker Host IP here
#
# JaaS Components (beta)
# https://jaas.8x8.vc
#
# Enable JaaS Components (hosted Jigasi)
# NOTE: if Let's Encrypt is enabled a JaaS account will be automatically created, using the provided email in LETSENCRYPT_EMAIL
#ENABLE_JAAS_COMPONENTS=0
#
# Let's Encrypt configuration
#
# Enable Let's Encrypt certificate generation
#ENABLE_LETSENCRYPT=1
# Domain for which to generate the certificate
#LETSENCRYPT_DOMAIN=meet.example.com
# E-Mail for receiving important account notifications (mandatory)
#LETSENCRYPT_EMAIL=alice@atlanta.net
# Use the staging server (for avoiding rate limits while testing)
#LETSENCRYPT_USE_STAGING=1
#
# Etherpad integration (for document sharing)
#
# Set etherpad-lite URL in docker local network (uncomment to enable)
#ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001
# Set etherpad-lite public URL, including /p/ pad path fragment (uncomment to enable)
#ETHERPAD_PUBLIC_URL=https://etherpad.my.domain/p/
# Name your etherpad instance!
ETHERPAD_TITLE=Video Chat
# The default text of a pad
ETHERPAD_DEFAULT_PAD_TEXT="Welcome to Web Chat!\n\n"
# Name of the skin for etherpad
ETHERPAD_SKIN_NAME=colibris
# Skin variants for etherpad
ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background full-width-editor"
#
# Basic Jigasi configuration options (needed for SIP gateway support)
#
# SIP URI for incoming / outgoing calls
#JIGASI_SIP_URI=test@sip2sip.info
# Password for the specified SIP account as a clear text
#JIGASI_SIP_PASSWORD=passw0rd
# SIP server (use the SIP account domain if in doubt)
#JIGASI_SIP_SERVER=sip2sip.info
# SIP server port
#JIGASI_SIP_PORT=5060
# SIP server transport
#JIGASI_SIP_TRANSPORT=UDP
#
# Authentication configuration (see handbook for details)
#
# Enable authentication
ENABLE_AUTH=1
# Enable guest access
ENABLE_GUESTS=1
# Select authentication type: internal, jwt, ldap or matrix
AUTH_TYPE=internal
# JWT authentication
#
# Application identifier
#JWT_APP_ID=my_jitsi_app_id
# Application secret known only to your token generator
#JWT_APP_SECRET=my_jitsi_app_secret
# (Optional) Set asap_accepted_issuers as a comma separated list
#JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client
# (Optional) Set asap_accepted_audiences as a comma separated list
#JWT_ACCEPTED_AUDIENCES=my_server1,my_server2
# LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page)
#
# LDAP url for connection
#LDAP_URL=ldaps://ldap.domain.com/
# LDAP base DN. Can be empty
#LDAP_BASE=DC=example,DC=domain,DC=com
# LDAP user DN. Do not specify this parameter for the anonymous bind
#LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com
# LDAP user password. Do not specify this parameter for the anonymous bind
#LDAP_BINDPW=LdapUserPassw0rd
# LDAP filter. Tokens example:
# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail
# %s - %s is replaced by the complete service string
# %r - %r is replaced by the complete realm string
#LDAP_FILTER=(sAMAccountName=%u)
# LDAP authentication method
#LDAP_AUTH_METHOD=bind
# LDAP version
#LDAP_VERSION=3
# LDAP TLS using
#LDAP_USE_TLS=1
# List of SSL/TLS ciphers to allow
#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC
# Require and verify server certificate
#LDAP_TLS_CHECK_PEER=1
# Path to CA cert file. Used when server certificate verify is enabled
#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt
# Path to CA certs directory. Used when server certificate verify is enabled
#LDAP_TLS_CACERT_DIR=/etc/ssl/certs
# Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps://
# LDAP_START_TLS=1
#
# Security
#
# Set these to strong passwords to avoid intruders from impersonating a service account
# The service(s) won't start unless these are specified
# Running ./gen-passwords.sh will update .env with strong passwords
# You may skip the Jigasi and Jibri passwords if you are not using those
# DO NOT reuse passwords
#
# ENSURE YOU CHANGE THE BELOW!!!!!!!!
# XMPP password for Jicofo client connections
JICOFO_AUTH_PASSWORD=8fbfebe1142fac3efee956d7d65d0146
# XMPP password for JVB client connections
JVB_AUTH_PASSWORD=0a192f85b439288b54f520faacdf209d
# XMPP password for Jigasi MUC client connections
JIGASI_XMPP_PASSWORD=141b73ad8050cee2fe72c74ab1a86282
# XMPP recorder password for Jibri client connections
JIBRI_RECORDER_PASSWORD=45f6506538b556d3bfa4c04291fddad3
# XMPP password for Jibri client connections
JIBRI_XMPP_PASSWORD=7798d3b72dbffca6eb0e0ea384e816b7
#
# Docker Compose options
#
# Container restart policy
#RESTART_POLICY=unless-stopped
# Jitsi image version (useful for local development)
#JITSI_IMAGE_VERSION=latest
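Review bot: The five XMPP service passwords under `# Security` are populated with real-looking 32-hex values and this `.env` is committed, so anyone with the repository can impersonate jicofo, the JVB, Jibri or Jigasi against any deployment that did not run `gen-passwords.sh` first — the `ENSURE YOU CHANGE THE BELOW` comment is not a control. Treat these values as burned: regenerate with `./gen-passwords.sh` and ship only a `.env.example` with the five values blank. `JVB_ADVERTISE_IPS=192.168.x.x # Add your Docker Host IP here` puts an inline comment on the value line; Compose env-file handling of inline comments has varied by version, so move the comment to its own line to be sure the JVB does not receive the literal text. `ENABLE_GUESTS=1` alongside `ENABLE_AUTH=1` means anyone can join a room once an authenticated user has opened it, which is the usual design but worth stating in the comment so it is not mistaken for a hardening setting.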

400
Jitsi/docker-compose.yml Normal file

@ -0,0 +1,400 @@
version: '3.5'
services:
# Frontend
web:
image: jitsi/web:${JITSI_IMAGE_VERSION:-stable-8922}
restart: ${RESTART_POLICY:-unless-stopped}
# remember to uncomment below if you do not plan on using a reverse proxy
# ports:
# - '${HTTP_PORT}:80'
# - '${HTTPS_PORT}:443'
volumes:
- ${CONFIG}/web:/config:Z
- ${CONFIG}/web/crontabs:/var/spool/cron/crontabs:Z
- ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
environment:
- AMPLITUDE_ID
- ANALYTICS_SCRIPT_URLS
- ANALYTICS_WHITELISTED_EVENTS
- AUDIO_QUALITY_OPUS_BITRATE
- AUTO_CAPTION_ON_RECORD
- BRANDING_DATA_URL
- CALLSTATS_CUSTOM_SCRIPT_URL
- CALLSTATS_ID
- CALLSTATS_SECRET
- CHROME_EXTENSION_BANNER_JSON
- COLIBRI_WEBSOCKET_PORT
- CONFCODE_URL
- CONFIG_EXTERNAL_CONNECT
- DEFAULT_LANGUAGE
- DEPLOYMENTINFO_ENVIRONMENT
- DEPLOYMENTINFO_ENVIRONMENT_TYPE
- DEPLOYMENTINFO_REGION
- DEPLOYMENTINFO_SHARD
- DEPLOYMENTINFO_USERREGION
- DESKTOP_SHARING_FRAMERATE_MIN
- DESKTOP_SHARING_FRAMERATE_MAX
- DIALIN_NUMBERS_URL
- DIALOUT_AUTH_URL
- DIALOUT_CODES_URL
- DISABLE_AUDIO_LEVELS
- DISABLE_DEEP_LINKING
- DISABLE_GRANT_MODERATOR
- DISABLE_HTTPS
- DISABLE_KICKOUT
- DISABLE_LOCAL_RECORDING
- DISABLE_POLLS
- DISABLE_PRIVATE_CHAT
- DISABLE_PROFILE
- DISABLE_REACTIONS
- DISABLE_REMOTE_VIDEO_MENU
- DISABLE_START_FOR_ALL
- DROPBOX_APPKEY
- DROPBOX_REDIRECT_URI
- DYNAMIC_BRANDING_URL
- ENABLE_AUDIO_PROCESSING
- ENABLE_AUTH
- ENABLE_BREAKOUT_ROOMS
- ENABLE_CALENDAR
- ENABLE_COLIBRI_WEBSOCKET
- ENABLE_E2EPING
- ENABLE_FILE_RECORDING_SHARING
- ENABLE_GUESTS
- ENABLE_HSTS
- ENABLE_HTTP_REDIRECT
- ENABLE_IPV6
- ENABLE_LETSENCRYPT
- ENABLE_LIPSYNC
- ENABLE_NO_AUDIO_DETECTION
- ENABLE_NOISY_MIC_DETECTION
- ENABLE_OCTO
- ENABLE_OPUS_RED
- ENABLE_PREJOIN_PAGE
- ENABLE_P2P
- ENABLE_WELCOME_PAGE
- ENABLE_CLOSE_PAGE
- ENABLE_LIVESTREAMING
- ENABLE_LIVESTREAMING_DATA_PRIVACY_LINK
- ENABLE_LIVESTREAMING_HELP_LINK
- ENABLE_LIVESTREAMING_TERMS_LINK
- ENABLE_LIVESTREAMING_VALIDATOR_REGEXP_STRING
- ENABLE_LOCAL_RECORDING_NOTIFY_ALL_PARTICIPANT
- ENABLE_LOCAL_RECORDING_SELF_START
- ENABLE_RECORDING
- ENABLE_REMB
- ENABLE_REQUIRE_DISPLAY_NAME
- ENABLE_SERVICE_RECORDING
- ENABLE_SIMULCAST
- ENABLE_STATS_ID
- ENABLE_STEREO
- ENABLE_SUBDOMAINS
- ENABLE_TALK_WHILE_MUTED
- ENABLE_TCC
- ENABLE_TRANSCRIPTIONS
- ENABLE_XMPP_WEBSOCKET
- ENABLE_JAAS_COMPONENTS
- ETHERPAD_PUBLIC_URL
- ETHERPAD_URL_BASE
- E2EPING_NUM_REQUESTS
- E2EPING_MAX_CONFERENCE_SIZE
- E2EPING_MAX_MESSAGE_PER_SECOND
- GOOGLE_ANALYTICS_ID
- GOOGLE_API_APP_CLIENT_ID
- HIDE_PREMEETING_BUTTONS
- HIDE_PREJOIN_DISPLAY_NAME
- HIDE_PREJOIN_EXTRA_BUTTONS
- INVITE_SERVICE_URL
- LETSENCRYPT_DOMAIN
- LETSENCRYPT_EMAIL
- LETSENCRYPT_USE_STAGING
- MATOMO_ENDPOINT
- MATOMO_SITE_ID
- MICROSOFT_API_APP_CLIENT_ID
- NGINX_RESOLVER
- NGINX_WORKER_PROCESSES
- NGINX_WORKER_CONNECTIONS
- PEOPLE_SEARCH_URL
- PREFERRED_LANGUAGE
- PUBLIC_URL
- P2P_PREFERRED_CODEC
- RESOLUTION
- RESOLUTION_MIN
- RESOLUTION_WIDTH
- RESOLUTION_WIDTH_MIN
- START_AUDIO_MUTED
- START_AUDIO_ONLY
- START_BITRATE
- START_SILENT
- START_WITH_AUDIO_MUTED
- START_VIDEO_MUTED
- START_WITH_VIDEO_MUTED
- TESTING_CAP_SCREENSHARE_BITRATE
- TESTING_OCTO_PROBABILITY
- TOKEN_AUTH_URL
- TOOLBAR_BUTTONS
- TRANSLATION_LANGUAGES
- TRANSLATION_LANGUAGES_HEAD
- TZ
- USE_APP_LANGUAGE
- VIDEOQUALITY_BITRATE_H264_LOW
- VIDEOQUALITY_BITRATE_H264_STANDARD
- VIDEOQUALITY_BITRATE_H264_HIGH
- VIDEOQUALITY_BITRATE_VP8_LOW
- VIDEOQUALITY_BITRATE_VP8_STANDARD
- VIDEOQUALITY_BITRATE_VP8_HIGH
- VIDEOQUALITY_BITRATE_VP9_LOW
- VIDEOQUALITY_BITRATE_VP9_STANDARD
- VIDEOQUALITY_BITRATE_VP9_HIGH
- VIDEOQUALITY_ENFORCE_PREFERRED_CODEC
- VIDEOQUALITY_PREFERRED_CODEC
- XMPP_AUTH_DOMAIN
- XMPP_BOSH_URL_BASE
- XMPP_DOMAIN
- XMPP_GUEST_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_RECORDER_DOMAIN
- XMPP_PORT
- WHITEBOARD_ENABLED
- WHITEBOARD_COLLAB_SERVER_PUBLIC_URL
networks:
meet.jitsi:
proxy: # remove if you're not using a reverse proxy (including labels below)
labels:
- "traefik.enable=true"
- "traefik.http.routers.jitsi.entrypoints=http"
- "traefik.http.routers.jitsi.rule=Host(`meet2.jimsgarage.co.uk`)"
- "traefik.http.middlewares.jitsi-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.jitsi.middlewares=jitsi-https-redirect"
- "traefik.http.routers.jitsi-secure.entrypoints=https"
- "traefik.http.routers.jitsi-secure.rule=Host(`meet2.jimsgarage.co.uk`)"
- "traefik.http.routers.jitsi-secure.tls=true"
- "traefik.http.routers.jitsi-secure.service=jitsi"
- "traefik.http.services.jitsi.loadbalancer.server.port=80"
- "traefik.docker.network=proxy"
# XMPP server
prosody:
image: jitsi/prosody:${JITSI_IMAGE_VERSION:-stable-8922}
restart: ${RESTART_POLICY:-unless-stopped}
expose:
- '${XMPP_PORT:-5222}'
- '5347'
- '5280'
volumes:
- ${CONFIG}/prosody/config:/config:Z
- ${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z
environment:
- AUTH_TYPE
- DISABLE_POLLS
- ENABLE_AUTH
- ENABLE_AV_MODERATION
- ENABLE_BREAKOUT_ROOMS
- ENABLE_END_CONFERENCE
- ENABLE_GUESTS
- ENABLE_IPV6
- ENABLE_LOBBY
- ENABLE_RECORDING
- ENABLE_XMPP_WEBSOCKET
- ENABLE_JAAS_COMPONENTS
- GC_TYPE
- GC_INC_TH
- GC_INC_SPEED
- GC_INC_STEP_SIZE
- GC_GEN_MIN_TH
- GC_GEN_MAX_TH
- GLOBAL_CONFIG
- GLOBAL_MODULES
- JIBRI_RECORDER_USER
- JIBRI_RECORDER_PASSWORD
- JIBRI_XMPP_USER
- JIBRI_XMPP_PASSWORD
- JICOFO_AUTH_PASSWORD
- JICOFO_COMPONENT_SECRET
- JIGASI_XMPP_USER
- JIGASI_XMPP_PASSWORD
- JVB_AUTH_USER
- JVB_AUTH_PASSWORD
- JWT_APP_ID
- JWT_APP_SECRET
- JWT_ACCEPTED_ISSUERS
- JWT_ACCEPTED_AUDIENCES
- JWT_ASAP_KEYSERVER
- JWT_ALLOW_EMPTY
- JWT_AUTH_TYPE
- JWT_ENABLE_DOMAIN_VERIFICATION
- JWT_TOKEN_AUTH_MODULE
- MATRIX_UVS_URL
- MATRIX_UVS_ISSUER
- MATRIX_UVS_AUTH_TOKEN
- MATRIX_UVS_SYNC_POWER_LEVELS
- LOG_LEVEL
- LDAP_AUTH_METHOD
- LDAP_BASE
- LDAP_BINDDN
- LDAP_BINDPW
- LDAP_FILTER
- LDAP_VERSION
- LDAP_TLS_CIPHERS
- LDAP_TLS_CHECK_PEER
- LDAP_TLS_CACERT_FILE
- LDAP_TLS_CACERT_DIR
- LDAP_START_TLS
- LDAP_URL
- LDAP_USE_TLS
- MAX_PARTICIPANTS
- PROSODY_AUTH_TYPE
- PROSODY_RESERVATION_ENABLED
- PROSODY_RESERVATION_REST_BASE_URL
- PROSODY_ENABLE_RATE_LIMITS
- PROSODY_RATE_LIMIT_LOGIN_RATE
- PROSODY_RATE_LIMIT_SESSION_RATE
- PROSODY_RATE_LIMIT_TIMEOUT
- PROSODY_RATE_LIMIT_ALLOW_RANGES
- PROSODY_RATE_LIMIT_CACHE_SIZE
- PUBLIC_URL
- TURN_CREDENTIALS
- TURN_HOST
- TURNS_HOST
- TURN_PORT
- TURNS_PORT
- TURN_TRANSPORT
- TZ
- XMPP_DOMAIN
- XMPP_AUTH_DOMAIN
- XMPP_GUEST_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_MODULES
- XMPP_MUC_MODULES
- XMPP_MUC_CONFIGURATION
- XMPP_INTERNAL_MUC_MODULES
- XMPP_RECORDER_DOMAIN
- XMPP_PORT
networks:
meet.jitsi:
aliases:
- ${XMPP_SERVER:-xmpp.meet.jitsi}
# Focus component
jicofo:
image: jitsi/jicofo:${JITSI_IMAGE_VERSION:-stable-8922}
restart: ${RESTART_POLICY:-unless-stopped}
ports:
- '127.0.0.1:${JICOFO_REST_PORT:-8888}:8888'
volumes:
- ${CONFIG}/jicofo:/config:Z
environment:
- AUTH_TYPE
- BRIDGE_AVG_PARTICIPANT_STRESS
- BRIDGE_STRESS_THRESHOLD
- ENABLE_AUTH
- ENABLE_AUTO_OWNER
- ENABLE_CODEC_VP8
- ENABLE_CODEC_VP9
- ENABLE_CODEC_H264
- ENABLE_CODEC_OPUS_RED
- ENABLE_JVB_XMPP_SERVER
- ENABLE_OCTO
- ENABLE_RECORDING
- ENABLE_SCTP
- ENABLE_AUTO_LOGIN
- JICOFO_AUTH_LIFETIME
- JICOFO_AUTH_PASSWORD
- JICOFO_AUTH_TYPE
- JICOFO_BRIDGE_REGION_GROUPS
- JICOFO_ENABLE_AUTH
- JICOFO_ENABLE_BRIDGE_HEALTH_CHECKS
- JICOFO_CONF_INITIAL_PARTICIPANT_WAIT_TIMEOUT
- JICOFO_CONF_SINGLE_PARTICIPANT_TIMEOUT
- JICOFO_CONF_SOURCE_SIGNALING_DELAYS
- JICOFO_CONF_MAX_AUDIO_SENDERS
- JICOFO_CONF_MAX_VIDEO_SENDERS
- JICOFO_CONF_STRIP_SIMULCAST
- JICOFO_CONF_SSRC_REWRITING
- JICOFO_ENABLE_HEALTH_CHECKS
- JICOFO_ENABLE_REST
- JICOFO_HEALTH_CHECKS_USE_PRESENCE
- JICOFO_MULTI_STREAM_BACKWARD_COMPAT
- JICOFO_OCTO_REGION
- JIBRI_BREWERY_MUC
- JIBRI_REQUEST_RETRIES
- JIBRI_PENDING_TIMEOUT
- JIGASI_BREWERY_MUC
- JIGASI_SIP_URI
- JVB_BREWERY_MUC
- JVB_XMPP_AUTH_DOMAIN
- JVB_XMPP_INTERNAL_MUC_DOMAIN
- JVB_XMPP_PORT
- JVB_XMPP_SERVER
- MAX_BRIDGE_PARTICIPANTS
- OCTO_BRIDGE_SELECTION_STRATEGY
- SENTRY_DSN="${JICOFO_SENTRY_DSN:-0}"
- SENTRY_ENVIRONMENT
- SENTRY_RELEASE
- TZ
- XMPP_DOMAIN
- XMPP_AUTH_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_RECORDER_DOMAIN
- XMPP_SERVER
- XMPP_PORT
depends_on:
- prosody
networks:
meet.jitsi:
# Video bridge
jvb:
image: jitsi/jvb:${JITSI_IMAGE_VERSION:-stable-8922}
restart: ${RESTART_POLICY:-unless-stopped}
ports:
- '${JVB_PORT:-10000}:${JVB_PORT:-10000}/udp'
- '127.0.0.1:${JVB_COLIBRI_PORT:-8080}:8080'
volumes:
- ${CONFIG}/jvb:/config:Z
environment:
- DOCKER_HOST_ADDRESS
- ENABLE_COLIBRI_WEBSOCKET
- ENABLE_JVB_XMPP_SERVER
- ENABLE_OCTO
- JVB_ADVERTISE_IPS
- JVB_ADVERTISE_PRIVATE_CANDIDATES
- JVB_AUTH_USER
- JVB_AUTH_PASSWORD
- JVB_BREWERY_MUC
- JVB_DISABLE_STUN
- JVB_PORT
- JVB_MUC_NICKNAME
- JVB_STUN_SERVERS
- JVB_OCTO_BIND_ADDRESS
- JVB_OCTO_REGION
- JVB_OCTO_RELAY_ID
- JVB_WS_DOMAIN
- JVB_WS_SERVER_ID
- JVB_XMPP_AUTH_DOMAIN
- JVB_XMPP_INTERNAL_MUC_DOMAIN
- JVB_XMPP_PORT
- JVB_XMPP_SERVER
- PUBLIC_URL
- SENTRY_DSN="${JVB_SENTRY_DSN:-0}"
- SENTRY_ENVIRONMENT
- SENTRY_RELEASE
- COLIBRI_REST_ENABLED
- SHUTDOWN_REST_ENABLED
- TZ
- XMPP_AUTH_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_SERVER
- XMPP_PORT
depends_on:
- prosody
networks:
meet.jitsi:
# Custom network so all services can communicate using a FQDN
networks:
meet.jitsi:
proxy: # remove if you're not using a proxy
external: true
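Review bot: The Traefik `Host()` rules on the `web` service name `meet2.jimsgarage.co.uk` while `.env` sets `PUBLIC_URL=https://meet.yourdomain.com`; as far as I recall, the web container derives its BOSH/WebSocket and invite URLs from `PUBLIC_URL`, so the two must name the same host or clients will be sent to a hostname Traefik does not route — use one placeholder in both places. `web` is the only service attached to the `proxy` network, which is correct, but it lacks the `security_opt: - no-new-privileges:true` that the other proxied services in this commit set. Binding the jicofo and JVB REST ports to `127.0.0.1` is good; `${JVB_PORT}/udp` on all interfaces is required for media. Consider pinning `JITSI_IMAGE_VERSION` in `.env` rather than relying on the `stable-8922` default here, so the four images move together deliberately.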

19
Jitsi/gen-passwords.sh Normal file

@ -0,0 +1,19 @@
#!/usr/bin/env bash
function generatePassword() {
openssl rand -hex 16
}
JICOFO_AUTH_PASSWORD=$(generatePassword)
JVB_AUTH_PASSWORD=$(generatePassword)
JIGASI_XMPP_PASSWORD=$(generatePassword)
JIBRI_RECORDER_PASSWORD=$(generatePassword)
JIBRI_XMPP_PASSWORD=$(generatePassword)
sed -i.bak \
-e "s#JICOFO_AUTH_PASSWORD=.*#JICOFO_AUTH_PASSWORD=${JICOFO_AUTH_PASSWORD}#g" \
-e "s#JVB_AUTH_PASSWORD=.*#JVB_AUTH_PASSWORD=${JVB_AUTH_PASSWORD}#g" \
-e "s#JIGASI_XMPP_PASSWORD=.*#JIGASI_XMPP_PASSWORD=${JIGASI_XMPP_PASSWORD}#g" \
-e "s#JIBRI_RECORDER_PASSWORD=.*#JIBRI_RECORDER_PASSWORD=${JIBRI_RECORDER_PASSWORD}#g" \
-e "s#JIBRI_XMPP_PASSWORD=.*#JIBRI_XMPP_PASSWORD=${JIBRI_XMPP_PASSWORD}#g" \
"$(dirname "$0")/.env"


@ -0,0 +1,53 @@
version: '3'
services:
postgresql:
image: postgres:16
environment:
- POSTGRES_USER=keycloak
- POSTGRES_DB=keycloak
- POSTGRES_PASSWORD=SUPERsecret
volumes:
- '/home/ubuntu/docker/keycloak/postgresql_data:/var/lib/postgresql/data'
networks:
keycloak:
keycloak:
image: quay.io/keycloak/keycloak:22.0.3
restart: always
command: start
depends_on:
- postgresql
environment:
- KC_PROXY_ADDRESS_FORWARDING=true
- KC_HOSTNAME_STRICT=false
- KC_HOSTNAME=keycloak.jimsgarage.co.uk
- KC_PROXY=edge
- KC_HTTP_ENABLED=true
- KC_DB=postgres
- KC_DB_USERNAME=keycloak
- KC_DB_PASSWORD=SUPERsecret
- KC_DB_URL_HOST=postgres
- KC_DB_URL_PORT=5432
- KC_DB_URL_DATABASE=keycloak
- KEYCLOAK_ADMIN=admin
- KEYCLOAK_ADMIN_PASSWORD=password
networks:
proxy:
keycloak:
labels:
- "traefik.enable=true"
- "traefik.http.routers.keycloak.entrypoints=http"
- "traefik.http.routers.keycloak.rule=Host(`keycloak.yourdomain.com`)"
- "traefik.http.middlewares.keycloak-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.keycloak.middlewares=keycloak-https-redirect"
- "traefik.http.routers.keycloak-secure.entrypoints=https"
- "traefik.http.routers.keycloak-secure.rule=Host(`keycloak.yourdomain.com`)"
- "traefik.http.routers.keycloak-secure.tls=true"
- "traefik.http.routers.keycloak-secure.service=keycloak"
- "traefik.http.services.keycloak.loadbalancer.server.port=8080"
- "traefik.docker.network=proxy"
networks:
proxy:
external: true
keycloak:
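Review bot: `KC_DB_URL_HOST=postgres` does not match the database service, which is named `postgresql` (and is only on the `keycloak` network), so Keycloak cannot resolve its database as written — change it to `KC_DB_URL_HOST=postgresql`. `KEYCLOAK_ADMIN_PASSWORD=password` and the shared `SUPERsecret` DB password are hard-coded in a file for the identity provider that fronts the rest of the stack and is published via Traefik; source them from the environment, e.g. `KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD:?set in .env}`, and rotate the bootstrap admin password after first login. `KC_HOSTNAME` is the real `keycloak.jimsgarage.co.uk` while the Traefik rules use `keycloak.yourdomain.com`; `KC_HOSTNAME_STRICT=false` masks that mismatch but, as I read the Keycloak hostname docs, also lets Keycloak build URLs from whatever Host header arrives, so align the names and drop the `false`. The `postgresql` service has no `restart:` policy, unlike `keycloak`, so after a host reboot Keycloak comes up against a database that does not.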


@ -0,0 +1,33 @@
version: "2.1"
services:
nextcloud:
image: lscr.io/linuxserver/nextcloud:latest
container_name: nextcloud
environment:
- PUID=1000
- PGID=1000
- TZ=Etc/UTC
volumes:
- /home/ubuntu/docker/nextcloud/appdata:/config
- /home/ubuntu/docker/nextcloud/data:/data
# ports:
# - 443:443
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.routers.nextcloud.entrypoints=http"
- "traefik.http.routers.nextcloud.rule=Host(`nextcloud.jimsgarage.co.uk`)"
- "traefik.http.middlewares.nextcloud-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.nextcloud.middlewares=nextcloud-https-redirect"
- "traefik.http.routers.nextcloud-secure.entrypoints=https"
- "traefik.http.routers.nextcloud-secure.rule=Host(`nextcloud.jimsgarage.co.uk`)"
- "traefik.http.routers.nextcloud-secure.tls=true"
- "traefik.http.routers.nextcloud-secure.service=nextcloud"
- "traefik.http.services.nextcloud.loadbalancer.server.port=80"
- "traefik.docker.network=proxy"
networks:
proxy:
networks:
proxy:
external: true
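Review bot: Traefik terminates TLS and forwards to port 80, but nothing in this file tells Nextcloud it is behind a proxy; unless `trusted_proxies` and `overwriteprotocol` (and usually `overwritehost`) are set in the container's `config.php`, Nextcloud will generate `http://` URLs and its brute-force protection will see the proxy's address as every client — confirm against the linuxserver image docs, which may expose these as settings. `image: lscr.io/linuxserver/nextcloud:latest` is untagged; pin it. This service also lacks the `security_opt: - no-new-privileges:true` that the Gotify and Jellyfin files in this commit set, and it has no `networks:` isolation beyond `proxy`, which is acceptable only because the image bundles its own database.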

44
Ollama/docker-compose.yml Normal file

@ -0,0 +1,44 @@
version: '3.6'
services:
ollama:
# Uncomment below for GPU support
# deploy:
# resources:
# reservations:
# devices:
# - driver: nvidia
# count: 1
# capabilities:
# - gpu
volumes:
- ollama:/root/.ollama
# Uncomment below to expose Ollama API outside the container stack
# ports:
# - 11434:11434
container_name: ollama
pull_policy: always
tty: true
restart: unless-stopped
image: ollama/ollama:latest
ollama-webui:
build:
context: .
args:
OLLAMA_API_BASE_URL: '/ollama/api'
dockerfile: Dockerfile
image: ollama-webui:latest
container_name: ollama-webui
depends_on:
- ollama
ports:
- 3000:8080
environment:
- "OLLAMA_API_BASE_URL=http://ollama:11434/api"
extra_hosts:
- host.docker.internal:host-gateway
restart: unless-stopped
volumes:
ollama: {}
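Review bot: `ports: - 3000:8080` publishes the Ollama web UI on every host interface with no authentication referenced anywhere in this file, and through it the Ollama API can pull, run and delete models; if the proxy pattern used elsewhere in this commit is intended, bind it to loopback (`- "127.0.0.1:3000:8080"`) or route it through Traefik with an auth middleware. `pull_policy: always` with `ollama/ollama:latest` re-pulls an untagged image on every `up`, and `build: context: .` compiles whatever the cloned checkout happens to be — pin both (a tag or digest for Ollama, a commit for the checkout) for a reproducible supply chain. `extra_hosts: host.docker.internal:host-gateway` gives the UI container a route to services on the host; drop it if it is not actually used. Keeping the Ollama API unpublished (the commented `11434`) is the right default.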

5
Ollama/readme.md Normal file

@ -0,0 +1,5 @@
1. Clone the repo from: https://github.com/ollama-webui/ollama-webui
2. Tweak the docker-compose to your liking
3. Run the container: sudo docker compose up -d
Let it build :)

1
Paperless-ngx/.env Normal file

@ -0,0 +1 @@
COMPOSE_PROJECT_NAME=paperless


@ -0,0 +1,129 @@
# Docker Compose file for running paperless from the docker container registry.
# This file contains everything paperless needs to run.
# Paperless supports amd64, arm and arm64 hardware.
#
# All compose files of paperless configure paperless in the following way:
#
# - Paperless is (re)started on system boot, if it was running before shutdown.
# - Docker volumes for storing data are managed by Docker.
# - Folders for importing and exporting files are created in the same directory
# as this file and mounted to the correct folders inside the container.
# - Paperless listens on port 8000.
#
# In addition to that, this Docker Compose file adds the following optional
# configurations:
#
# - Instead of SQLite (default), PostgreSQL is used as the database server.
# - Apache Tika and Gotenberg servers are started with paperless and paperless
# is configured to use these services. These provide support for consuming
# Office documents (Word, Excel, Power Point and their LibreOffice counter-
# parts.
#
# To install and update paperless with this file, do the following:
#
# - Copy this file as 'docker-compose.yml' and the files 'docker-compose.env'
# and '.env' into a folder.
# - Run 'docker compose pull'.
# - Run 'docker compose run --rm webserver createsuperuser' to create a user.
# - Run 'docker compose up -d'.
#
# For more extensive installation and update instructions, refer to the
# documentation.
version: "3.4"
services:
broker:
image: docker.io/library/redis:7
restart: unless-stopped
volumes:
- redisdata:/data
networks:
paperless:
db:
image: docker.io/library/postgres:15
restart: unless-stopped
volumes:
- pgdata:/var/lib/postgresql/data
environment:
POSTGRES_DB: paperless
POSTGRES_USER: paperless
POSTGRES_PASSWORD: paperless
networks:
paperless:
webserver:
image: ghcr.io/paperless-ngx/paperless-ngx:latest
restart: unless-stopped
depends_on:
- db
- broker
- gotenberg
- tika
# Not needed as we're using Traefik
#ports:
# - "8005:8000"
volumes:
- data:/usr/src/paperless/data
- media:/usr/src/paperless/media
- ./export:/usr/src/paperless/export
- ./consume:/usr/src/paperless/consume
env_file: .env
environment:
PAPERLESS_REDIS: redis://broker:6379
PAPERLESS_DBHOST: db
PAPERLESS_TIKA_ENABLED: 1
PAPERLESS_TIKA_GOTENBERG_ENDPOINT: http://gotenberg:3000
PAPERLESS_TIKA_ENDPOINT: http://tika:9998
PAPERLESS_URL: https://paperless.jimsgarage.co.uk
PAPERLESS_ADMIN_USER: paperless
PAPERLESS_ADMIN_PASSWORD: paperless
PAPERLESS_APPS: "allauth.socialaccount.providers.openid_connect"
# Find out how to configure Authentik: https://youtu.be/enwFWELCYJo
PAPERLESS_SOCIALACCOUNT_PROVIDERS: '{"openid_connect": {"APPS": [{"provider_id": "authentik","name": "Authentik SSO","client_id": "BnxpFXvscduU2PdAdPaCelphhDYpAXo9upbAUS3F","secret": "0JcyunvA0Ra25i49zULTbro0jdbH9gHrdnSDExT9Ze2TNoB8so9B8AbdB7riYjYHPZfwuWtAeTCpwPAi2Sct7M8w3y8VTPPxwgFG1JzdoWdxLgUz0NO6l3L2UFBmzQ5m","settings": { "server_url": "https://authentik.jimsgarage.co.uk/application/o/paperless-ngx/.well-known/openid-configuration"}}]}}'
networks:
paperless:
proxy:
labels:
- "traefik.enable=true"
- "traefik.http.routers.paperless.entrypoints=http"
- "traefik.http.routers.paperless.rule=Host(`paperless.jimsgarage.co.uk`)"
- "traefik.http.middlewares.paperless-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.paperless.middlewares=paperless-https-redirect"
- "traefik.http.routers.paperless-secure.entrypoints=https"
- "traefik.http.routers.paperless-secure.rule=Host(`paperless.jimsgarage.co.uk`)"
- "traefik.http.routers.paperless-secure.tls=true"
- "traefik.http.routers.paperless-secure.tls.certresolver=cloudflare" # change this to your cert resolver
- "traefik.http.routers.paperless-secure.service=paperless"
- "traefik.http.services.paperless.loadbalancer.server.port=8000"
- "traefik.docker.network=proxy"
gotenberg:
image: docker.io/gotenberg/gotenberg:7.10
restart: unless-stopped
# The gotenberg chromium route is used to convert .eml files. We do not
# want to allow external content like tracking pixels or even javascript.
command:
- "gotenberg"
- "--chromium-disable-javascript=true"
- "--chromium-allow-list=file:///tmp/.*"
networks:
paperless:
tika:
image: ghcr.io/paperless-ngx/tika:latest
restart: unless-stopped
networks:
paperless:
volumes:
data:
media:
pgdata:
redisdata:
networks:
paperless:
proxy:
external: true
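Review bot: The `PAPERLESS_SOCIALACCOUNT_PROVIDERS` line embeds a live-looking Authentik OIDC `client_id` and `secret` directly in the compose file, and `PAPERLESS_ADMIN_PASSWORD: paperless` / `POSTGRES_PASSWORD: paperless` are defaults, all behind a public `paperless.jimsgarage.co.uk` route; the OIDC secret should be treated as compromised once pushed and rotated in Authentik. Move it out of the file with Compose interpolation, e.g. `"secret": "${PAPERLESS_OIDC_CLIENT_SECRET:?unset}"` inside the JSON (Compose expands `${...}` in single-quoted YAML strings too), and do the same for the two passwords. The Gotenberg flags disabling JavaScript and restricting the allow-list are the right hardening, and the separate `paperless` network keeps Redis, Postgres, Tika and Gotenberg off the `proxy` network; `paperless-ngx:latest` and `tika:latest` should still be pinned.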

78
Pihole/docker-compose.yml Normal file

@ -0,0 +1,78 @@
version: "3.6"
# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
cloudflared:
container_name: cloudflared
# Restart on crashes and on reboots
restart: unless-stopped
image: cloudflare/cloudflared:latest
command: proxy-dns
environment:
- "TUNNEL_DNS_UPSTREAM=https://1.1.1.1/dns-query,https://1.0.0.1/dns-query,https://9.9.9.9/dns-query,https://149.112.112.9/dns-query"
# Listen on an unprivileged port
- "TUNNEL_DNS_PORT=5053"
# Listen on all interfaces
- "TUNNEL_DNS_ADDRESS=0.0.0.0"
# Attach cloudflared only to the private network
networks:
pihole_internal:
ipv4_address: 172.70.9.2
security_opt:
- no-new-privileges:true
pihole:
container_name: pihole
image: pihole/pihole:latest
ports:
- "53:53/tcp"
- "53:53/udp"
- "67:67/udp"
- "500:80/tcp"
# - "443:443/tcp"
networks:
pihole_internal:
ipv4_address: 172.70.9.3
proxy:
environment:
TZ: 'Europe/London'
WEBPASSWORD: 'password'
PIHOLE_DNS_: '172.70.9.2#5053'
DNSMASQ_LISTENING: 'all'
VIRTUAL_HOST: pihole.yourdomain.com
# Volumes store your data between container upgrades
volumes:
- '/home/ubuntu/docker/pihole/:/etc/pihole/'
- '/home/ubuntu/docker/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/'
# Recommended but not required (DHCP needs NET_ADMIN)
# https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
#cap_add:
# - NET_ADMIN
restart: unless-stopped
depends_on:
- cloudflared
labels:
- "traefik.enable=true"
- "traefik.http.routers.pihole.entrypoints=http"
- "traefik.http.routers.pihole.rule=Host(`pihole.yourdomain.com`)"
- "traefik.http.middlewares.pihole-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.pihole.middlewares=pihole-https-redirect"
- "traefik.http.routers.pihole-secure.entrypoints=https"
- "traefik.http.routers.pihole-secure.rule=Host(`pihole.yourdomain.com`)"
- "traefik.http.routers.pihole-secure.tls=true"
- "traefik.http.routers.pihole-secure.service=pihole"
- "traefik.http.services.pihole.loadbalancer.server.port=80"
- "traefik.docker.network=proxy"
networks:
pihole_internal:
ipam:
config:
- subnet: 172.70.9.0/29
name: pihole_internal
proxy:
external: true
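Review bot: `WEBPASSWORD: 'password'` is the admin credential for the resolver the whole network trusts, and the same UI is published twice — through Traefik and directly as `"500:80/tcp"` on all interfaces — so the HTTPS redirect on the Traefik route is trivially bypassed on port 500. Source the password from the environment, `WEBPASSWORD: '${PIHOLE_WEBPASSWORD:?set in .env}'`, and either drop the direct mapping or make it `"127.0.0.1:500:80/tcp"`. Port 53 on all interfaces with `DNSMASQ_LISTENING: 'all'` is correct for a LAN resolver but turns into an open resolver if the host has any public interface, so bind to the LAN address in that case. `"67:67/udp"` is published while `NET_ADMIN` is commented out, so DHCP cannot work as written and the port is merely open; remove one or the other. The DoH upstream via cloudflared on the isolated `pihole_internal` network is a good design, and both `:latest` images should be pinned.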


@ -0,0 +1,7 @@
#run these commands to fix port bind error
sudo sed -r -i.orig 's/#?DNSStubListener=yes/DNSStubListener=no/g' /etc/systemd/resolved.conf
sudo sh -c 'rm /etc/resolv.conf && ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf'
systemctl restart systemd-resolved