
Compare commits


17 Commits

Author SHA1 Message Date
lukas d35a9cf672 navidrome: auth workaround 2026-06-12 11:51:36 +02:00
lukas 72406c0000 polaris: add 2026-06-12 11:51:27 +02:00
lukas 2fece90ad2 yamtrack: update 2026-06-12 11:51:23 +02:00
lukas ef214f03aa slskd: update 2026-06-12 11:51:18 +02:00
lukas b20474b7b5 authentik: update 2026-06-12 11:51:12 +02:00
lukas 41c92dc6e7 use different chrome image 2026-06-12 11:51:07 +02:00
lukas e107be3474 karakeep: update ai conf 2026-06-12 11:50:58 +02:00
lukas ab1a6336aa rss-bridge: use labels 2026-06-12 11:50:48 +02:00
lukas 913e7ba387 add qui 2026-06-12 11:50:38 +02:00
lukas 5d8d51949d add framework13 host record 2026-06-12 11:50:29 +02:00
lukas e563af37a4 cwa: switch to next gen fork 2026-06-12 11:50:16 +02:00
lukas 2ff03d8934 cwa: use secrets 2026-06-12 11:50:08 +02:00
lukas 987eed082d shelfmark: use secrets 2026-06-12 11:50:00 +02:00
lukas 3a3050ff86 shelfmark: update to 1.3.0 2026-06-12 11:49:34 +02:00
lukas 15f02adc22 miniflux: make it work with custom cert 2026-06-12 11:49:14 +02:00
lukas 6eeaf836be miniflux: update to 2.3.0 2026-06-12 11:49:02 +02:00
lukas f4f68793b7 kavita: update to 0.9.0.2 2026-06-12 11:48:44 +02:00
5 changed files with 126 additions and 29 deletions
+109 -21
@@ -62,6 +62,31 @@ configs:
root * /data/caddy/pki/authorities/local/ root * /data/caddy/pki/authorities/local/
file_server browse file_server browse
} }
music.home.arpa {
@ui_redirect {
not path /api/* /share/* /rest/*
}
# 1. API Auth: Use the new replace_status directive
forward_auth /api/* authentik-server:9000 {
uri /outpost.goauthentik.io/auth/caddy
copy_headers X-Authentik-Username
# Define a matcher for the 302 redirect from Authentik
@redir status 302
# Use the new Caddy 2.8 directive to swap it for a 401
replace_status @redir 401
}
# 2. Main UI Auth: Standard 302 redirects for human login
forward_auth @ui_redirect authentik-server:9000 {
uri /outpost.goauthentik.io/auth/caddy
copy_headers X-Authentik-Username
}
reverse_proxy navidrome:4533
}
dnsmasq: dnsmasq:
content: | content: |
log-facility=- log-facility=-
@@ -78,6 +103,7 @@ configs:
host-record=nas.${DOMAIN_LOCAL},192.168.0.106 host-record=nas.${DOMAIN_LOCAL},192.168.0.106
host-record=nixos.${DOMAIN_LOCAL},192.168.0.203 host-record=nixos.${DOMAIN_LOCAL},192.168.0.203
host-record=oldguy.${DOMAIN_LOCAL},192.168.0.168 host-record=oldguy.${DOMAIN_LOCAL},192.168.0.168
host-record=framework13.${DOMAIN_LOCAL},192.168.0.235
ptr-record=106.0.168.192.in-addr.arpa,nas.${DOMAIN_LOCAL} ptr-record=106.0.168.192.in-addr.arpa,nas.${DOMAIN_LOCAL}
host-record=suma.${DOMAIN_LOCAL},192.168.0.159 host-record=suma.${DOMAIN_LOCAL},192.168.0.159
host-record=suma-proxy3.${DOMAIN_LOCAL},192.168.0.176 host-record=suma-proxy3.${DOMAIN_LOCAL},192.168.0.176
@@ -354,7 +380,7 @@ services:
restart: unless-stopped restart: unless-stopped
navidrome: navidrome:
image: deluan/navidrome:0.61.2 image: ghcr.io/navidrome/navidrome:pr-5459
container_name: navidrome container_name: navidrome
user: "${PUID}:${PGID}" user: "${PUID}:${PGID}"
volumes: volumes:
@@ -363,13 +389,20 @@ services:
networks: networks:
public: public:
ipv4_address: 192.168.240.14 ipv4_address: 192.168.240.14
labels: # labels:
caddy: music.${DOMAIN_LOCAL} # caddy: music.${DOMAIN_LOCAL}
caddy.reverse_proxy: "{{ upstreams 4533 }}" # caddy.reverse_proxy: "{{ upstreams 4533 }}"
caddy.@protected.not.path: "/share/* /rest/*" # caddy.@protected.not.path: "/share/* /rest/*"
caddy.forward_auth_0: "@protected authentik-server:9000" # caddy.@authredir.path: "/api/*"
caddy.forward_auth_0.uri: "/outpost.goauthentik.io/auth/caddy" # caddy.@authredir.path: "/api/*"
caddy.forward_auth_0.copy_headers: "X-Authentik-Username" # caddy.forward_auth_0: "@protected authentik-server:9000"
# caddy.forward_auth_0.uri: "/outpost.goauthentik.io/auth/caddy"
# caddy.forward_auth_0.copy_headers: "X-Authentik-Username"
# caddy.intercept: "/api/*"
# caddy.@api_expiry.path: "/api/*"
# caddy.@api_expiry.status: "3xx"
# caddy.forward_auth_0.handle_response_0: "path /api/*"
# caddy.forward_auth_0.handle_response_1: "replace_status 401"
environment: environment:
ND_LASTFM_APIKEY: 29e22ee836a0cb51cfaacb72d605e30d ND_LASTFM_APIKEY: 29e22ee836a0cb51cfaacb72d605e30d
ND_LASTFM_SECRET: 10aa58294eeffa142685e78a0cd78ad6 ND_LASTFM_SECRET: 10aa58294eeffa142685e78a0cd78ad6
@@ -722,6 +755,28 @@ services:
caddy.reverse_proxy: "{{ upstreams $QBITTORRENT_WEBUI_INTERNAL_PORT }}" caddy.reverse_proxy: "{{ upstreams $QBITTORRENT_WEBUI_INTERNAL_PORT }}"
restart: unless-stopped restart: unless-stopped
qui:
image: ghcr.io/autobrr/qui:latest
container_name: qui
depends_on:
- qbittorrent
volumes:
- ${DOCKER_STORAGE_PATH}/qbittorrent/qui:/config
# for automations that move/delete torrent files
- ${TORRENTS_SEED_PATH}:/seed
networks:
public:
ipv4_address: 192.168.240.71
labels:
caddy: qui.${DOMAIN_LOCAL}
caddy.reverse_proxy: "{{ upstreams 7476 }}"
environment:
QUI__AUTH_DISABLED: true
QUI__I_ACKNOWLEDGE_THIS_IS_A_BAD_IDEA: true
QUI__AUTH_DISABLED_ALLOWED_CIDRS: 192.168.240.0/24
restart: unless-stopped
# see https://github.com/FarisZR/Privacy-OCI # see https://github.com/FarisZR/Privacy-OCI
breezewiki: breezewiki:
container_name: breezewiki container_name: breezewiki
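Review bot: `QUI__AUTH_DISABLED_ALLOWED_CIDRS: 192.168.240.0/24` exempts the entire `public` Docker network from authentication, and because the `caddy` labels route qui.${DOMAIN_LOCAL} through the Caddy proxy that presumably sits on that same network, every proxied request arrives from an in-range source address and is served without a login — the CIDR adds nothing over plain `QUI__AUTH_DISABLED` unless Caddy's address is excluded. If the goal is LAN-only access, narrow the list to the addresses that should bypass auth, or keep auth on and put the UI behind the same Authentik `forward_auth` the navidrome Caddy block in this file already uses. The three boolean-looking values should be quoted so the YAML loader hands them to the container unchanged, e.g. `QUI__AUTH_DISABLED: "true"`. A comment above `environment:` stating why auth is off and what actually restricts reachability would help the next reader, e.g. `# auth intentionally disabled; reachable only via Caddy on the private network` — but only if that restriction is really enforced.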
@@ -748,9 +803,10 @@ services:
ipv4_address: 192.168.240.57 ipv4_address: 192.168.240.57
volumes: volumes:
- ./config:/config - ./config:/config
ports:
- 3002:80
restart: unless-stopped restart: unless-stopped
labels:
caddy: rss-bridge.${DOMAIN_LOCAL}
caddy.reverse_proxy: "{{ upstreams 80 }}"
karakeep: karakeep:
container_name: karakeep container_name: karakeep
@@ -778,12 +834,12 @@ services:
CRAWLER_FULL_PAGE_SCREENSHOT: TRUE CRAWLER_FULL_PAGE_SCREENSHOT: TRUE
CRAWLER_FULL_PAGE_ARCHIVE: TRUE CRAWLER_FULL_PAGE_ARCHIVE: TRUE
OPENAI_BASE_URL: http://100.84.157.12:8081/v1 OPENAI_BASE_URL: http://100.84.157.12:8081/v1
OPENAI_API_KEY: "sk-llama-swap" OPENAI_API_KEY: "sk-experimental"
INFERENCE_TEXT_MODEL: gemma-4-26B-A4B-it-UD-Q4_K_M INFERENCE_TEXT_MODEL: gemma-4-26B
INFERENCE_IMAGE_MODEL: qwen2.5-vl-7b INFERENCE_IMAGE_MODEL: Qwen2.5-VL-7B
INFERENCE_ENABLE_AUTO_TAGGING: TRUE INFERENCE_ENABLE_AUTO_TAGGING: TRUE
INFERENCE_ENABLE_AUTO_SUMMARIZATION: TRUE INFERENCE_ENABLE_AUTO_SUMMARIZATION: TRUE
INFERENCE_CONTEXT_LENGTH: 32000 INFERENCE_CONTEXT_LENGTH: 65536
# You almost never want to change the value of the DATA_DIR variable. # You almost never want to change the value of the DATA_DIR variable.
# If you want to mount a custom directory, change the volume mapping above instead. # If you want to mount a custom directory, change the volume mapping above instead.
@@ -796,14 +852,14 @@ services:
caddy.reverse_proxy: "{{ upstreams 3000 }}" caddy.reverse_proxy: "{{ upstreams 3000 }}"
chrome: chrome:
image: gcr.io/zenika-hub/alpine-chrome:124 image: chromedp/headless-shell:latest
restart: unless-stopped restart: unless-stopped
command: command:
- --no-sandbox - --no-sandbox
- --disable-gpu - --disable-gpu
- --disable-dev-shm-usage - --disable-dev-shm-usage
- --remote-debugging-address=0.0.0.0 # - --remote-debugging-address=0.0.0.0
- --remote-debugging-port=9222 # - --remote-debugging-port=9222
- --hide-scrollbars - --hide-scrollbars
networks: networks:
public: public:
@@ -848,7 +904,7 @@ services:
AUTHENTIK_EMAIL__USE_SSL: false AUTHENTIK_EMAIL__USE_SSL: false
AUTHENTIK_EMAIL__TIMEOUT: 60 AUTHENTIK_EMAIL__TIMEOUT: 60
AUTHENTIK_EMAIL__FROM: lukas@kucharczyk.xyz AUTHENTIK_EMAIL__FROM: lukas@kucharczyk.xyz
image: ghcr.io/goauthentik/server:2026.2.2 image: ghcr.io/goauthentik/server:2026.2.3
ports: ports:
- 9002:9000 - 9002:9000
- 9443:9443 - 9443:9443
@@ -892,7 +948,7 @@ services:
AUTHENTIK_EMAIL__USE_SSL: false AUTHENTIK_EMAIL__USE_SSL: false
AUTHENTIK_EMAIL__TIMEOUT: 60 AUTHENTIK_EMAIL__TIMEOUT: 60
AUTHENTIK_EMAIL__FROM: file:///run/secrets/email_username AUTHENTIK_EMAIL__FROM: file:///run/secrets/email_username
image: ghcr.io/goauthentik/server:2026.2.2 image: ghcr.io/goauthentik/server:2026.2.3
restart: unless-stopped restart: unless-stopped
user: root user: root
volumes: volumes:
@@ -956,7 +1012,7 @@ services:
- gpu - gpu
slskd: slskd:
image: slskd/slskd:0.24.0 image: slskd/slskd:0.25.1
container_name: slskd container_name: slskd
user: 1000:100 user: 1000:100
networks: networks:
@@ -974,6 +1030,7 @@ services:
- SLSKD_SHARED_DIR=/shares - SLSKD_SHARED_DIR=/shares
- SLSKD_SLSK_ADDRESS=server.slsknet.org - SLSKD_SLSK_ADDRESS=server.slsknet.org
- SLSKD_SLSK_PORT=2242 - SLSKD_SLSK_PORT=2242
- SLSKD_DEBUG=True
# from slskd_secrets.env # from slskd_secrets.env
# - SLSKD_USERNAME # - SLSKD_USERNAME
# - SLSKD_PASSWORD # - SLSKD_PASSWORD
@@ -1030,7 +1087,7 @@ services:
yamtrack: yamtrack:
container_name: yamtrack container_name: yamtrack
image: ghcr.io/fuzzygrim/yamtrack:0.25.2 image: ghcr.io/fuzzygrim/yamtrack:0.25.3
restart: unless-stopped restart: unless-stopped
depends_on: depends_on:
- redis - redis
@@ -1067,6 +1124,37 @@ services:
caddy: yamtrack.${DOMAIN_LOCAL} caddy: yamtrack.${DOMAIN_LOCAL}
caddy.reverse_proxy: "{{ upstreams 8000 }}" caddy.reverse_proxy: "{{ upstreams 8000 }}"
polaris:
image: registry.gitlab.com/connectical/container/polaris:latest
container_name: polaris
restart: unless-stopped
user: "${PUID}:${PGID}"
networks:
public:
ipv4_address: 192.168.240.70
ports:
- 5050:5050
labels:
caddy: polaris.${DOMAIN_LOCAL}
caddy.reverse_proxy: "{{ upstreams 5050 }}"
volumes:
- ${MUSIC_PATH}:/music:ro
- ${DOCKER_STORAGE_PATH}/polaris/cache:/var/cache/polaris
- ${DOCKER_STORAGE_PATH}/polaris/data:/var/lib/polaris
signal-cli:
image: bbernhard/signal-cli-rest-api
container_name: signal-cli
restart: unless-stopped
networks:
public:
ipv4_address: 192.168.240.72
ports:
- 8091:8080
volumes:
- ${DOCKER_STORAGE_PATH}/signal-cli:/home/.local/share/signal-cli
environment:
MODE: native
networks: networks:
Binary file not shown.
+10 -6
@@ -1,11 +1,12 @@
--- ---
secrets: secrets:
hardcover_api_token: hardcover_api_token:
file: ../secretes/hardcover_api_token file: ../secrets/hardcover_api_token
services: services:
calibre-web-automated: calibre-web-automated:
image: crocodilestick/calibre-web-automated:v4.0.6 image: ghcr.io/new-usemame/calibre-web-nextgen:latest
#image: crocodilestick/calibre-web-automated:v4.0.6
container_name: calibre-web-automated container_name: calibre-web-automated
ports: ports:
- 8090:8083 - 8090:8083
@@ -23,7 +24,8 @@ services:
- PUID=${PUID} - PUID=${PUID}
- PGID=${PGID} - PGID=${PGID}
- TZ=${TZ} - TZ=${TZ}
- HARDCOVER_TOKEN=Bearer eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJIYXJkY292ZXIiLCJ2ZXJzaW9uIjoiOCIsImp0aSI6IjU2ZjQ5OWU2LWU1MGQtNDY3Mi05ZTRiLTlkODk4ZGNlMzQ3YyIsImFwcGxpY2F0aW9uSWQiOjIsInN1YiI6IjM0NTIyIiwiYXVkIjoiMSIsImlkIjoiMzQ1MjIiLCJsb2dnZWRJbiI6dHJ1ZSwiaWF0IjoxNzcwMDQzNzg5LCJleHAiOjE4MDE1Nzk3ODksImh0dHBzOi8vaGFzdXJhLmlvL2p3dC9jbGFpbXMiOnsieC1oYXN1cmEtYWxsb3dlZC1yb2xlcyI6WyJ1c2VyIl0sIngtaGFzdXJhLWRlZmF1bHQtcm9sZSI6InVzZXIiLCJ4LWhhc3VyYS1yb2xlIjoidXNlciIsIlgtaGFzdXJhLXVzZXItaWQiOiIzNDUyMiJ9LCJ1c2VyIjp7ImlkIjozNDUyMn19.kfoxQotcFvuoPYBiLCJV3YCpV-iEVMV-TYq-Ywodv40 # LinuxServer baseimage reads the value from the secret file
- FILE__HARDCOVER_TOKEN=/run/secrets/hardcover_api_token
volumes: volumes:
- ${CWA_CONFIG_DIR}:/config - ${CWA_CONFIG_DIR}:/config
# calibre-web-automated only supports one library as of 2026-01-12 # calibre-web-automated only supports one library as of 2026-01-12
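Review bot: Moving the credentials into secret files does not revoke the values that were committed: the Hardcover bearer token on the old side of this hunk and the shelfmark `OIDC_CLIENT_ID`/`OIDC_CLIENT_SECRET` on the old side of the `@@ -45,8 +49,8` hunk remain readable in git history, so both should be rotated (at Hardcover and in Authentik) before this is considered fixed. The old value carried a `Bearer ` prefix, so the file read through `FILE__HARDCOVER_TOKEN` presumably has to contain the same prefixed form; the added comment could say so, e.g. `# LinuxServer baseimage reads the value (including the "Bearer " prefix) from the secret file`. The `calibre-web-automated` service definition begins outside the hunk.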
@@ -34,8 +36,10 @@ services:
restart: unless-stopped restart: unless-stopped
shelfmark: shelfmark:
image: ghcr.io/calibrain/shelfmark:1.2.3 image: ghcr.io/calibrain/shelfmark:1.3.0
container_name: shelfmark container_name: shelfmark
env_file:
- ../secrets/shelfmark.env
environment: environment:
TZ: ${TZ} TZ: ${TZ}
PUID: ${PUID} PUID: ${PUID}
@@ -45,8 +49,8 @@ services:
OIDC_AUTO_REDIRECT: true OIDC_AUTO_REDIRECT: true
AUTH_METHOD: oidc AUTH_METHOD: oidc
OIDC_DISCOVERY_URL: https://authentik.kucharczyk.xyz/application/o/shelfmark/.well-known/openid-configuration OIDC_DISCOVERY_URL: https://authentik.kucharczyk.xyz/application/o/shelfmark/.well-known/openid-configuration
OIDC_CLIENT_ID: ke4aOPqcmal0MIhbMAZutFtpaNQjQwXegMzKCmrW # shelfmark has no _FILE/secret support; OIDC_CLIENT_ID and
OIDC_CLIENT_SECRET: 4EbpJ1P0yAIpy6WcUUPFC4kSFo1Rkvf2hjAl9IlulR6vpZouaHgUNeFHBaiHtTCWSnjlyy2iGTwtDwL12PfETabzdYCCe0s7GL2Hx4XaoRffqk3dI7ApPCcQONIhuIo0 # OIDC_CLIENT_SECRET come from secrets/shelfmark.env (env_file below)
OIDC_BUTTON_LABEL: Sign in with Authentik OIDC_BUTTON_LABEL: Sign in with Authentik
networks: networks:
public: public:
+1 -1
@@ -1,7 +1,7 @@
--- ---
services: services:
kavita: kavita:
image: ghcr.io/kareadita/kavita:0.9.0 image: ghcr.io/kareadita/kavita:0.9.0.2
container_name: kavita container_name: kavita
networks: networks:
public: public:
+6 -1
@@ -9,7 +9,7 @@ secrets:
services: services:
miniflux: miniflux:
image: miniflux/miniflux:2.2.16 image: miniflux/miniflux:2.3.0
container_name: miniflux container_name: miniflux
depends_on: depends_on:
- authentik-server - authentik-server
@@ -17,6 +17,9 @@ services:
networks: networks:
public: public:
ipv4_address: 192.168.240.35 ipv4_address: 192.168.240.35
volumes:
# mount local CA to avoid "failed to verify certificate" errors
- /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
labels: labels:
caddy: miniflux.${DOMAIN_LOCAL} caddy: miniflux.${DOMAIN_LOCAL}
caddy.reverse_proxy: "{{ upstreams 8080 }}" caddy.reverse_proxy: "{{ upstreams 8080 }}"
@@ -38,4 +41,6 @@ services:
- OAUTH2_OIDC_DISCOVERY_ENDPOINT=https://authentik.${DOMAIN}/application/o/miniflux/ - OAUTH2_OIDC_DISCOVERY_ENDPOINT=https://authentik.${DOMAIN}/application/o/miniflux/
- OAUTH2_USER_CREATION=1 - OAUTH2_USER_CREATION=1
- OAUTH2_OIDC_PROVIDER_NAME=authentik - OAUTH2_OIDC_PROVIDER_NAME=authentik
- INTEGRATION_ALLOW_PRIVATE_NETWORKS=1
- FETCHER_ALLOW_PRIVATE_NETWORKS=1
restart: unless-stopped restart: unless-stopped
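Review bot: `FETCHER_ALLOW_PRIVATE_NETWORKS=1` and `INTEGRATION_ALLOW_PRIVATE_NETWORKS=1` switch off Miniflux's refusal to fetch private and loopback addresses, so any feed or integration URL entered in the UI can now reach hosts on the LAN and on the `public` Docker network — the SSRF exposure those defaults exist to prevent. Since both flags arrive in the same commit as the bump to 2.3.0, the upgrade presumably started rejecting private addresses by default; if the only need is a self-hosted feed source on the Docker network (rss-bridge, going by the labels elsewhere in this commit), record that next to the lines, e.g. `# re-enables private-range fetches so feeds served on the docker network resolve; widens SSRF reach to the LAN`, and enable only the fetcher flag unless an integration genuinely needs private access as well. The miniflux `environment` list begins outside the hunk.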