Compare commits
17 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| d35a9cf672 | |||
| 72406c0000 | |||
| 2fece90ad2 | |||
| ef214f03aa | |||
| b20474b7b5 | |||
| 41c92dc6e7 | |||
| e107be3474 | |||
| ab1a6336aa | |||
| 913e7ba387 | |||
| 5d8d51949d | |||
| e563af37a4 | |||
| 2ff03d8934 | |||
| 987eed082d | |||
| 3a3050ff86 | |||
| 15f02adc22 | |||
| 6eeaf836be | |||
| f4f68793b7 |
+109
-21
@@ -62,6 +62,31 @@ configs:
|
||||
root * /data/caddy/pki/authorities/local/
|
||||
file_server browse
|
||||
}
|
||||
music.home.arpa {
|
||||
@ui_redirect {
|
||||
not path /api/* /share/* /rest/*
|
||||
}
|
||||
|
||||
# 1. API Auth: Use the new replace_status directive
|
||||
forward_auth /api/* authentik-server:9000 {
|
||||
uri /outpost.goauthentik.io/auth/caddy
|
||||
copy_headers X-Authentik-Username
|
||||
|
||||
# Define a matcher for the 302 redirect from Authentik
|
||||
@redir status 302
|
||||
# Use the new Caddy 2.8 directive to swap it for a 401
|
||||
replace_status @redir 401
|
||||
}
|
||||
|
||||
# 2. Main UI Auth: Standard 302 redirects for human login
|
||||
forward_auth @ui_redirect authentik-server:9000 {
|
||||
uri /outpost.goauthentik.io/auth/caddy
|
||||
copy_headers X-Authentik-Username
|
||||
}
|
||||
|
||||
reverse_proxy navidrome:4533
|
||||
}
|
||||
|
||||
dnsmasq:
|
||||
content: |
|
||||
log-facility=-
|
||||
@@ -78,6 +103,7 @@ configs:
|
||||
host-record=nas.${DOMAIN_LOCAL},192.168.0.106
|
||||
host-record=nixos.${DOMAIN_LOCAL},192.168.0.203
|
||||
host-record=oldguy.${DOMAIN_LOCAL},192.168.0.168
|
||||
host-record=framework13.${DOMAIN_LOCAL},192.168.0.235
|
||||
ptr-record=106.0.168.192.in-addr.arpa,nas.${DOMAIN_LOCAL}
|
||||
host-record=suma.${DOMAIN_LOCAL},192.168.0.159
|
||||
host-record=suma-proxy3.${DOMAIN_LOCAL},192.168.0.176
|
||||
@@ -354,7 +380,7 @@ services:
|
||||
restart: unless-stopped
|
||||
|
||||
navidrome:
|
||||
image: deluan/navidrome:0.61.2
|
||||
image: ghcr.io/navidrome/navidrome:pr-5459
|
||||
container_name: navidrome
|
||||
user: "${PUID}:${PGID}"
|
||||
volumes:
|
||||
@@ -363,13 +389,20 @@ services:
|
||||
networks:
|
||||
public:
|
||||
ipv4_address: 192.168.240.14
|
||||
labels:
|
||||
caddy: music.${DOMAIN_LOCAL}
|
||||
caddy.reverse_proxy: "{{ upstreams 4533 }}"
|
||||
caddy.@protected.not.path: "/share/* /rest/*"
|
||||
caddy.forward_auth_0: "@protected authentik-server:9000"
|
||||
caddy.forward_auth_0.uri: "/outpost.goauthentik.io/auth/caddy"
|
||||
caddy.forward_auth_0.copy_headers: "X-Authentik-Username"
|
||||
# labels:
|
||||
# caddy: music.${DOMAIN_LOCAL}
|
||||
# caddy.reverse_proxy: "{{ upstreams 4533 }}"
|
||||
# caddy.@protected.not.path: "/share/* /rest/*"
|
||||
# caddy.@authredir.path: "/api/*"
|
||||
# caddy.@authredir.path: "/api/*"
|
||||
# caddy.forward_auth_0: "@protected authentik-server:9000"
|
||||
# caddy.forward_auth_0.uri: "/outpost.goauthentik.io/auth/caddy"
|
||||
# caddy.forward_auth_0.copy_headers: "X-Authentik-Username"
|
||||
# caddy.intercept: "/api/*"
|
||||
# caddy.@api_expiry.path: "/api/*"
|
||||
# caddy.@api_expiry.status: "3xx"
|
||||
# caddy.forward_auth_0.handle_response_0: "path /api/*"
|
||||
# caddy.forward_auth_0.handle_response_1: "replace_status 401"
|
||||
environment:
|
||||
ND_LASTFM_APIKEY: 29e22ee836a0cb51cfaacb72d605e30d
|
||||
ND_LASTFM_SECRET: 10aa58294eeffa142685e78a0cd78ad6
|
||||
@@ -722,6 +755,28 @@ services:
|
||||
caddy.reverse_proxy: "{{ upstreams $QBITTORRENT_WEBUI_INTERNAL_PORT }}"
|
||||
restart: unless-stopped
|
||||
|
||||
qui:
|
||||
image: ghcr.io/autobrr/qui:latest
|
||||
container_name: qui
|
||||
depends_on:
|
||||
- qbittorrent
|
||||
volumes:
|
||||
- ${DOCKER_STORAGE_PATH}/qbittorrent/qui:/config
|
||||
# for automations that move/delete torrent files
|
||||
- ${TORRENTS_SEED_PATH}:/seed
|
||||
networks:
|
||||
public:
|
||||
ipv4_address: 192.168.240.71
|
||||
labels:
|
||||
caddy: qui.${DOMAIN_LOCAL}
|
||||
caddy.reverse_proxy: "{{ upstreams 7476 }}"
|
||||
environment:
|
||||
QUI__AUTH_DISABLED: true
|
||||
QUI__I_ACKNOWLEDGE_THIS_IS_A_BAD_IDEA: true
|
||||
QUI__AUTH_DISABLED_ALLOWED_CIDRS: 192.168.240.0/24
|
||||
restart: unless-stopped
|
||||
|
||||
|
||||
# see https://github.com/FarisZR/Privacy-OCI
|
||||
breezewiki:
|
||||
container_name: breezewiki
|
||||
@@ -748,9 +803,10 @@ services:
|
||||
ipv4_address: 192.168.240.57
|
||||
volumes:
|
||||
- ./config:/config
|
||||
ports:
|
||||
- 3002:80
|
||||
restart: unless-stopped
|
||||
labels:
|
||||
caddy: rss-bridge.${DOMAIN_LOCAL}
|
||||
caddy.reverse_proxy: "{{ upstreams 80 }}"
|
||||
|
||||
karakeep:
|
||||
container_name: karakeep
|
||||
@@ -778,12 +834,12 @@ services:
|
||||
CRAWLER_FULL_PAGE_SCREENSHOT: TRUE
|
||||
CRAWLER_FULL_PAGE_ARCHIVE: TRUE
|
||||
OPENAI_BASE_URL: http://100.84.157.12:8081/v1
|
||||
OPENAI_API_KEY: "sk-llama-swap"
|
||||
INFERENCE_TEXT_MODEL: gemma-4-26B-A4B-it-UD-Q4_K_M
|
||||
INFERENCE_IMAGE_MODEL: qwen2.5-vl-7b
|
||||
OPENAI_API_KEY: "sk-experimental"
|
||||
INFERENCE_TEXT_MODEL: gemma-4-26B
|
||||
INFERENCE_IMAGE_MODEL: Qwen2.5-VL-7B
|
||||
INFERENCE_ENABLE_AUTO_TAGGING: TRUE
|
||||
INFERENCE_ENABLE_AUTO_SUMMARIZATION: TRUE
|
||||
INFERENCE_CONTEXT_LENGTH: 32000
|
||||
INFERENCE_CONTEXT_LENGTH: 65536
|
||||
|
||||
# You almost never want to change the value of the DATA_DIR variable.
|
||||
# If you want to mount a custom directory, change the volume mapping above instead.
|
||||
@@ -796,14 +852,14 @@ services:
|
||||
caddy.reverse_proxy: "{{ upstreams 3000 }}"
|
||||
|
||||
chrome:
|
||||
image: gcr.io/zenika-hub/alpine-chrome:124
|
||||
image: chromedp/headless-shell:latest
|
||||
restart: unless-stopped
|
||||
command:
|
||||
- --no-sandbox
|
||||
- --disable-gpu
|
||||
- --disable-dev-shm-usage
|
||||
- --remote-debugging-address=0.0.0.0
|
||||
- --remote-debugging-port=9222
|
||||
# - --remote-debugging-address=0.0.0.0
|
||||
# - --remote-debugging-port=9222
|
||||
- --hide-scrollbars
|
||||
networks:
|
||||
public:
|
||||
@@ -848,7 +904,7 @@ services:
|
||||
AUTHENTIK_EMAIL__USE_SSL: false
|
||||
AUTHENTIK_EMAIL__TIMEOUT: 60
|
||||
AUTHENTIK_EMAIL__FROM: lukas@kucharczyk.xyz
|
||||
image: ghcr.io/goauthentik/server:2026.2.2
|
||||
image: ghcr.io/goauthentik/server:2026.2.3
|
||||
ports:
|
||||
- 9002:9000
|
||||
- 9443:9443
|
||||
@@ -892,7 +948,7 @@ services:
|
||||
AUTHENTIK_EMAIL__USE_SSL: false
|
||||
AUTHENTIK_EMAIL__TIMEOUT: 60
|
||||
AUTHENTIK_EMAIL__FROM: file:///run/secrets/email_username
|
||||
image: ghcr.io/goauthentik/server:2026.2.2
|
||||
image: ghcr.io/goauthentik/server:2026.2.3
|
||||
restart: unless-stopped
|
||||
user: root
|
||||
volumes:
|
||||
@@ -956,7 +1012,7 @@ services:
|
||||
- gpu
|
||||
|
||||
slskd:
|
||||
image: slskd/slskd:0.24.0
|
||||
image: slskd/slskd:0.25.1
|
||||
container_name: slskd
|
||||
user: 1000:100
|
||||
networks:
|
||||
@@ -974,6 +1030,7 @@ services:
|
||||
- SLSKD_SHARED_DIR=/shares
|
||||
- SLSKD_SLSK_ADDRESS=server.slsknet.org
|
||||
- SLSKD_SLSK_PORT=2242
|
||||
- SLSKD_DEBUG=True
|
||||
# from slskd_secrets.env
|
||||
# - SLSKD_USERNAME
|
||||
# - SLSKD_PASSWORD
|
||||
@@ -1030,7 +1087,7 @@ services:
|
||||
|
||||
yamtrack:
|
||||
container_name: yamtrack
|
||||
image: ghcr.io/fuzzygrim/yamtrack:0.25.2
|
||||
image: ghcr.io/fuzzygrim/yamtrack:0.25.3
|
||||
restart: unless-stopped
|
||||
depends_on:
|
||||
- redis
|
||||
@@ -1067,6 +1124,37 @@ services:
|
||||
caddy: yamtrack.${DOMAIN_LOCAL}
|
||||
caddy.reverse_proxy: "{{ upstreams 8000 }}"
|
||||
|
||||
polaris:
|
||||
image: registry.gitlab.com/connectical/container/polaris:latest
|
||||
container_name: polaris
|
||||
restart: unless-stopped
|
||||
user: "${PUID}:${PGID}"
|
||||
networks:
|
||||
public:
|
||||
ipv4_address: 192.168.240.70
|
||||
ports:
|
||||
- 5050:5050
|
||||
labels:
|
||||
caddy: polaris.${DOMAIN_LOCAL}
|
||||
caddy.reverse_proxy: "{{ upstreams 5050 }}"
|
||||
volumes:
|
||||
- ${MUSIC_PATH}:/music:ro
|
||||
- ${DOCKER_STORAGE_PATH}/polaris/cache:/var/cache/polaris
|
||||
- ${DOCKER_STORAGE_PATH}/polaris/data:/var/lib/polaris
|
||||
|
||||
signal-cli:
|
||||
image: bbernhard/signal-cli-rest-api
|
||||
container_name: signal-cli
|
||||
restart: unless-stopped
|
||||
networks:
|
||||
public:
|
||||
ipv4_address: 192.168.240.72
|
||||
ports:
|
||||
- 8091:8080
|
||||
volumes:
|
||||
- ${DOCKER_STORAGE_PATH}/signal-cli:/home/.local/share/signal-cli
|
||||
environment:
|
||||
MODE: native
|
||||
|
||||
|
||||
networks:
|
||||
|
||||
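Review bot: The new `qui` service turns authentication off (`QUI__AUTH_DISABLED: true`) for all of `192.168.240.0/24`, and the same hunk publishes it through Caddy as `qui.${DOMAIN_LOCAL}` with no `forward_auth`. If the Caddy container sits on that `public` network, as the other `192.168.240.x` addresses suggest, every proxied request arrives from an allowed address, so anyone who can reach Caddy gets an unauthenticated UI with `${TORRENTS_SEED_PATH}` mounted read-write. I would drop the `QUI__AUTH_DISABLED*` overrides, or put authentik in front as the music host does: `caddy.forward_auth: "authentik-server:9000"` with `caddy.forward_auth.uri: "/outpost.goauthentik.io/auth/caddy"`. The added `signal-cli` service has the same shape of problem: `8091:8080` publishes its REST API on the host with no auth layer visible in this section. Writing `127.0.0.1:8091:8080`, or dropping `ports:` and leaving it reachable only on the compose network, would narrow that.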
Binary file not shown.
@@ -1,11 +1,12 @@
|
||||
---
|
||||
secrets:
|
||||
hardcover_api_token:
|
||||
file: ../secretes/hardcover_api_token
|
||||
file: ../secrets/hardcover_api_token
|
||||
|
||||
services:
|
||||
calibre-web-automated:
|
||||
image: crocodilestick/calibre-web-automated:v4.0.6
|
||||
image: ghcr.io/new-usemame/calibre-web-nextgen:latest
|
||||
#image: crocodilestick/calibre-web-automated:v4.0.6
|
||||
container_name: calibre-web-automated
|
||||
ports:
|
||||
- 8090:8083
|
||||
@@ -23,7 +24,8 @@ services:
|
||||
- PUID=${PUID}
|
||||
- PGID=${PGID}
|
||||
- TZ=${TZ}
|
||||
- HARDCOVER_TOKEN=Bearer eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJIYXJkY292ZXIiLCJ2ZXJzaW9uIjoiOCIsImp0aSI6IjU2ZjQ5OWU2LWU1MGQtNDY3Mi05ZTRiLTlkODk4ZGNlMzQ3YyIsImFwcGxpY2F0aW9uSWQiOjIsInN1YiI6IjM0NTIyIiwiYXVkIjoiMSIsImlkIjoiMzQ1MjIiLCJsb2dnZWRJbiI6dHJ1ZSwiaWF0IjoxNzcwMDQzNzg5LCJleHAiOjE4MDE1Nzk3ODksImh0dHBzOi8vaGFzdXJhLmlvL2p3dC9jbGFpbXMiOnsieC1oYXN1cmEtYWxsb3dlZC1yb2xlcyI6WyJ1c2VyIl0sIngtaGFzdXJhLWRlZmF1bHQtcm9sZSI6InVzZXIiLCJ4LWhhc3VyYS1yb2xlIjoidXNlciIsIlgtaGFzdXJhLXVzZXItaWQiOiIzNDUyMiJ9LCJ1c2VyIjp7ImlkIjozNDUyMn19.kfoxQotcFvuoPYBiLCJV3YCpV-iEVMV-TYq-Ywodv40
|
||||
# LinuxServer baseimage reads the value from the secret file
|
||||
- FILE__HARDCOVER_TOKEN=/run/secrets/hardcover_api_token
|
||||
volumes:
|
||||
- ${CWA_CONFIG_DIR}:/config
|
||||
# calibre-web-automated only supports one library as of 2026-01-12
|
||||
@@ -34,8 +36,10 @@ services:
|
||||
restart: unless-stopped
|
||||
|
||||
shelfmark:
|
||||
image: ghcr.io/calibrain/shelfmark:1.2.3
|
||||
image: ghcr.io/calibrain/shelfmark:1.3.0
|
||||
container_name: shelfmark
|
||||
env_file:
|
||||
- ../secrets/shelfmark.env
|
||||
environment:
|
||||
TZ: ${TZ}
|
||||
PUID: ${PUID}
|
||||
@@ -45,8 +49,8 @@ services:
|
||||
OIDC_AUTO_REDIRECT: true
|
||||
AUTH_METHOD: oidc
|
||||
OIDC_DISCOVERY_URL: https://authentik.kucharczyk.xyz/application/o/shelfmark/.well-known/openid-configuration
|
||||
OIDC_CLIENT_ID: ke4aOPqcmal0MIhbMAZutFtpaNQjQwXegMzKCmrW
|
||||
OIDC_CLIENT_SECRET: 4EbpJ1P0yAIpy6WcUUPFC4kSFo1Rkvf2hjAl9IlulR6vpZouaHgUNeFHBaiHtTCWSnjlyy2iGTwtDwL12PfETabzdYCCe0s7GL2Hx4XaoRffqk3dI7ApPCcQONIhuIo0
|
||||
# shelfmark has no _FILE/secret support; OIDC_CLIENT_ID and
|
||||
# OIDC_CLIENT_SECRET come from secrets/shelfmark.env (env_file below)
|
||||
OIDC_BUTTON_LABEL: Sign in with Authentik
|
||||
networks:
|
||||
public:
|
||||
|
||||
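Review bot: Moving `HARDCOVER_TOKEN` and `OIDC_CLIENT_SECRET` out of the compose file does not retire the committed values, which stay readable in the repository history and in this compare view. Both should be rotated in Hardcover and authentik, with the new values written only under `../secrets/`. The `FILE__HARDCOVER_TOKEN` line relies on the LinuxServer base-image behaviour its comment describes, but this section also swaps the image to `ghcr.io/new-usemame/calibre-web-nextgen:latest`, so confirm that image still expands `FILE__` variables. Since that image now receives the token, I would pin it to a release tag or `@sha256:<digest>` rather than `:latest`. Minor: the shelfmark comment says `(env_file below)` although `env_file:` sits above `environment:`, so `(env_file above)` would match the file.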
+1
-1
@@ -1,7 +1,7 @@
|
||||
---
|
||||
services:
|
||||
kavita:
|
||||
image: ghcr.io/kareadita/kavita:0.9.0
|
||||
image: ghcr.io/kareadita/kavita:0.9.0.2
|
||||
container_name: kavita
|
||||
networks:
|
||||
public:
|
||||
|
||||
@@ -9,7 +9,7 @@ secrets:
|
||||
|
||||
services:
|
||||
miniflux:
|
||||
image: miniflux/miniflux:2.2.16
|
||||
image: miniflux/miniflux:2.3.0
|
||||
container_name: miniflux
|
||||
depends_on:
|
||||
- authentik-server
|
||||
@@ -17,6 +17,9 @@ services:
|
||||
networks:
|
||||
public:
|
||||
ipv4_address: 192.168.240.35
|
||||
volumes:
|
||||
# mount local CA to avoid "failed to verify certificate" errors
|
||||
- /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
|
||||
labels:
|
||||
caddy: miniflux.${DOMAIN_LOCAL}
|
||||
caddy.reverse_proxy: "{{ upstreams 8080 }}"
|
||||
@@ -38,4 +41,6 @@ services:
|
||||
- OAUTH2_OIDC_DISCOVERY_ENDPOINT=https://authentik.${DOMAIN}/application/o/miniflux/
|
||||
- OAUTH2_USER_CREATION=1
|
||||
- OAUTH2_OIDC_PROVIDER_NAME=authentik
|
||||
- INTEGRATION_ALLOW_PRIVATE_NETWORKS=1
|
||||
- FETCHER_ALLOW_PRIVATE_NETWORKS=1
|
||||
restart: unless-stopped
|
||||
|
||||
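Review bot: `FETCHER_ALLOW_PRIVATE_NETWORKS=1` and `INTEGRATION_ALLOW_PRIVATE_NETWORKS=1` are added without a comment saying which internal feed or integration needs them, and they lift Miniflux's block on private-address requests for every user. The same environment block keeps `OAUTH2_USER_CREATION=1`, so any account authentik lets through is created automatically and can point Miniflux at hosts on the LAN and the `192.168.240.0/24` container network. I would document the reason next to the flags, e.g. `# required for <internal feed host>; allows any Miniflux user to fetch private-network URLs`, and check that the authentik application is bound only to the intended users. The environment list starts outside this hunk, so other settings that constrain this may exist but are not visible here.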