Initial commit

2025-10-22 19:59:09 +00:00
commit 67996ade86
34 changed files with 905 additions and 0 deletions
--- a/mgmt/adminer/compose.yml
+++ b/mgmt/adminer/compose.yml
@@ -0,0 +1,35 @@
+services:
+  adminer:
+    image: adminer:5.4.0
+    container_name: $SUBDOMAIN
+    restart: always
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.$SUBDOMAIN.rule=Host(`${SUBDOMAIN}.${DOMAIN_NAME}`)
+      - traefik.http.routers.$SUBDOMAIN.tls=true
+      - traefik.http.routers.$SUBDOMAIN.entrypoints=web,websecure
+      - traefik.http.routers.$SUBDOMAIN.tls.certresolver=cloudflare
+      - traefik.http.middlewares.$SUBDOMAIN.headers.SSLRedirect=true
+      - traefik.http.middlewares.$SUBDOMAIN.headers.STSSeconds=315360000
+      - traefik.http.middlewares.$SUBDOMAIN.headers.browserXSSFilter=true
+      - traefik.http.middlewares.$SUBDOMAIN.headers.contentTypeNosniff=true
+      - traefik.http.middlewares.$SUBDOMAIN.headers.forceSTSHeader=true
+      - traefik.http.middlewares.$SUBDOMAIN.headers.SSLHost=${DOMAIN_NAME}
+      - traefik.http.middlewares.$SUBDOMAIN.headers.STSIncludeSubdomains=true
+      - traefik.http.middlewares.$SUBDOMAIN.headers.STSPreload=true
+      - traefik.http.middlewares.$SUBDOMAIN.headers.frameDeny=true
+      - traefik.http.routers.$SUBDOMAIN.middlewares=$SUBDOMAIN@docker
+      - traefik.http.services.$SUBDOMAIN.loadbalancer.server.port=8080
+      - traefik.docker.network=webapp
+    env_file:
+      - .env
+    networks:
+      - webapp
+      - db
+networks:
+  webapp:
+    external:
+      true
+  db:
+    external:
+      true
--- a/mgmt/authentik/.env.example
+++ b/mgmt/authentik/.env.example
@@ -0,0 +1,31 @@
+DOMAIN_NAME=
+SUBDOMAIN=
+
+# Authentik Configuration
+AUTHENTIK_SECRET_KEY=file:///run/secrets/SECRET_KEY
+AUTHENTIK_TAG=
+
+# PostgreSQL Configuration
+PG_HOST=postgres
+PG_PORT=5432
+PG_USER=
+PG_PASS=file:///run/secrets/DB_PASS
+PG_DB=
+
+# Redis Configuration
+REDIS_HOST=redis
+REDIS_PORT=6379
+
+# Optional: Custom ports
+COMPOSE_PORT_HTTP=9000
+COMPOSE_PORT_HTTPS=9443
+
+# Environment Variables for Docker Compose
+AUTHENTIK_REDIS__HOST=$REDIS_HOST
+AUTHENTIK_REDIS__PORT=$REDIS_PORT
+AUTHENTIK_POSTGRESQL__HOST=$PG_HOST
+AUTHENTIK_POSTGRESQL__PORT=$PG_PORT
+AUTHENTIK_POSTGRESQL__USER=$PG_USER
+AUTHENTIK_POSTGRESQL__NAME=$PG_DB
+AUTHENTIK_POSTGRESQL__PASSWORD=$PG_PASS
+AUTHENTIK_HOST_BROWSER="https://$SUBDOMAIN.$DOMAIN_NAME"
--- a/mgmt/authentik/compose.yml
+++ b/mgmt/authentik/compose.yml
@@ -0,0 +1,83 @@
+services:
+  server:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG}
+    restart: unless-stopped
+    command: server
+    env_file:
+      - .env
+    secrets:
+      - SECRET_KEY
+      - DB_PASS
+    volumes:
+      - ./media:/media
+      - ./custom-templates:/templates
+    networks:
+      - webapp
+      - db
+    # ports:
+    #   - "${COMPOSE_PORT_HTTP:-9000}:9000"
+    #   - "${COMPOSE_PORT_HTTPS:-9443}:9443"
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.$SUBDOMAIN.rule=Host(`${SUBDOMAIN}.${DOMAIN_NAME}`)
+      - traefik.http.routers.$SUBDOMAIN.tls=true
+      - traefik.http.routers.$SUBDOMAIN.entrypoints=web,websecure
+      - traefik.http.routers.$SUBDOMAIN.tls.certresolver=cloudflare
+      - traefik.http.middlewares.$SUBDOMAIN.headers.SSLRedirect=true
+      - traefik.http.middlewares.$SUBDOMAIN.headers.STSSeconds=315360000
+      - traefik.http.middlewares.$SUBDOMAIN.headers.browserXSSFilter=true
+      - traefik.http.middlewares.$SUBDOMAIN.headers.contentTypeNosniff=true
+      - traefik.http.middlewares.$SUBDOMAIN.headers.forceSTSHeader=true
+      - traefik.http.middlewares.$SUBDOMAIN.headers.SSLHost=${DOMAIN_NAME}
+      - traefik.http.middlewares.$SUBDOMAIN.headers.STSIncludeSubdomains=true
+      - traefik.http.middlewares.$SUBDOMAIN.headers.STSPreload=true
+      - traefik.http.middlewares.$SUBDOMAIN.headers.frameDeny=true
+      # - traefik.http.routers.$SUBDOMAIN.middlewares=$SUBDOMAIN@docker
+      - traefik.http.routers.$SUBDOMAIN.service=$SUBDOMAIN
+      - traefik.http.services.$SUBDOMAIN.loadbalancer.server.port=9000
+      - traefik.docker.network=webapp
+      - "traefik.http.routers.authentik-output-rtr.rule=HostRegexp(`{subdomain:[a-z0-9-]+}.${DOMAIN_NAME}`) && PathPrefix(`/outpost.goauthentik.io/`)"
+
+      # ForwardAuth middleware definition
+      - "traefik.http.middlewares.authentik-forwardauth.forwardauth.address=http://authentik-server-1:9000/outpost.goauthentik.io/auth/traefik"
+      - "traefik.http.middlewares.authentik-forwardauth.forwardauth.trustForwardHeader=true"
+      - "traefik.http.middlewares.authentik-forwardauth.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"
+      # Outpost router for /outpost.goauthentik.io paths
+      - "traefik.http.routers.$SUBDOMAIN-outpost.rule=Host(`authentik.jojops.com`) && PathPrefix(`/outpost.goauthentik.io/`)"
+      # - "traefik.http.routers.authentik-outpost.entrypoints=websecure"
+      # - "traefik.http.routers.authentik-outpost.tls=true"
+      - traefik.http.routers.$SUBDOMAIN.priority=15
+      # - "traefik.http.routers.authentik-outpost.service=authentik-svc"
+      - "traefik.http.routers.authentik-outpost.rule=HostRegexp(`{$SUBDOMAIN:[a-z0-9-]+}.$DOMAIN_NAME`) && PathPrefix(`/outpost.goauthentik.io/`)"
+      - "traefik.http.routers.authentik-outpost.entrypoints=websecure"
+      - "traefik.http.routers.authentik-outpost.tls=true"
+      - "traefik.http.routers.authentik-outpost.priority=15"
+      - "traefik.http.routers.authentik-outpost.service=authentik"
+
+  worker:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG}
+    restart: unless-stopped
+    command: worker
+    env_file:
+      - .env
+    secrets:
+      - SECRET_KEY
+      - DB_PASS
+    user: root
+    networks:
+      - db
+    volumes:
+      # - /var/run/docker.sock:/var/run/docker.sock
+      - ./media:/media
+      - ./certs:/certs
+      - ./custom-templates:/templates
+networks:
+  webapp:
+    external: true
+  db:
+    external: true
+secrets:
+  SECRET_KEY:
+    file: .secrets/SECRET_KEY
+  DB_PASS:
+    file: .secrets/DB_PASS
--- a/mgmt/gitea/.env.example
+++ b/mgmt/gitea/.env.example
@@ -0,0 +1,8 @@
+DOMAIN_NAME=
+SUBDOMAIN=
+
+GITEA__database__DB_TYPE=
+GITEA__database__HOST=
+GITEA__database__NAME=
+GITEA__database__USER=
+GITEA__database__PASSWD__FILE=/run/secrets/DB_PASS
--- a/mgmt/gitea/compose.yml
+++ b/mgmt/gitea/compose.yml
@@ -0,0 +1,49 @@
+services:
+  gitea:
+    image: docker.gitea.com/gitea:1.24.6-rootless
+    container_name: gitea
+    restart: always
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.gitea.rule=Host(`${SUBDOMAIN}.${DOMAIN_NAME}`)
+      - traefik.http.routers.gitea.tls=true
+      - traefik.http.routers.gitea.entrypoints=web,websecure
+      - traefik.http.routers.gitea.tls.certresolver=cloudflare
+      - traefik.http.middlewares.gitea.headers.SSLRedirect=true
+      - traefik.http.middlewares.gitea.headers.STSSeconds=315360000
+      - traefik.http.middlewares.gitea.headers.browserXSSFilter=true
+      - traefik.http.middlewares.gitea.headers.contentTypeNosniff=true
+      - traefik.http.middlewares.gitea.headers.forceSTSHeader=true
+      - traefik.http.middlewares.gitea.headers.SSLHost=${DOMAIN_NAME}
+      - traefik.http.middlewares.gitea.headers.STSIncludeSubdomains=true
+      - traefik.http.middlewares.gitea.headers.STSPreload=true
+      - traefik.http.middlewares.gitea.headers.frameDeny=true
+      - traefik.http.routers.gitea.middlewares=gitea@docker
+      - traefik.http.services.gitea.loadbalancer.server.port=3000
+      - traefik.docker.network=webapp
+    env_file:
+      - .env
+    secrets:
+      - DB_PASS
+    volumes:
+      - gitea-data:/var/lib/gitea
+      - ./config:/etc/gitea
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    # ports:
+    #   - "3000:3000"
+    #   - "2222:2222"
+    networks:
+      - webapp
+      - db
+volumes:
+  gitea-data:
+    name: gitea-data
+networks:
+  webapp:
+    external: true
+  db:
+    external: true
+secrets:
+  DB_PASS:
+    file: .secrets/DB_PASS
--- a/mgmt/portainer/.env.example
+++ b/mgmt/portainer/.env.example
@@ -0,0 +1,2 @@
+DOMAIN_NAME=
+SUBDOMAIN=
--- a/mgmt/portainer/docker-compose.yml
+++ b/mgmt/portainer/docker-compose.yml
@@ -0,0 +1,35 @@
+services:
+  portainer:
+    image: portainer/portainer-ce:lts
+    container_name: portainer
+    restart: always
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.portainer.rule=Host(`${SUBDOMAIN}.${DOMAIN_NAME}`)
+      - traefik.docker.network=webapp
+      - traefik.http.services.portainer.loadbalancer.server.port=9000
+      - traefik.http.routers.portainer.tls=true
+      - traefik.http.routers.portainer.entrypoints=web,websecure
+      - traefik.http.routers.portainer.tls.certresolver=cloudflare
+      - traefik.http.middlewares.portainer.headers.SSLRedirect=true
+      - traefik.http.middlewares.portainer.headers.STSSeconds=315360000
+      - traefik.http.middlewares.portainer.headers.browserXSSFilter=true
+      - traefik.http.middlewares.portainer.headers.contentTypeNosniff=true
+      - traefik.http.middlewares.portainer.headers.forceSTSHeader=true
+      - traefik.http.middlewares.portainer.headers.SSLHost=${DOMAIN_NAME}
+      - traefik.http.middlewares.portainer.headers.STSIncludeSubdomains=true
+      - traefik.http.middlewares.portainer.headers.STSPreload=true
+      - traefik.http.routers.portainer.middlewares=portainer@docker
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./data:/data
+    networks:
+      # - webapp
+      - mgmt
+networks:
+  # webapp:
+  #   external:
+  #     true
+  mgmt:
+    external:
+      true
--- a/mgmt/redis-commander/compose.yml
+++ b/mgmt/redis-commander/compose.yml
@@ -0,0 +1,17 @@
+services:
+  redis-commander:
+    container_name: redis-commander
+    # hostname: redis-commander
+    image: ghcr.io/joeferner/redis-commander:latest
+    # build: .
+    restart: always
+    environment:
+      - REDIS_HOSTS=local:redis:6379
+    # ports:
+    #   - "8081:8081"
+    user: redis
+networks:
+  db:
+    external: true
+  web:
+    external: true
--- a/mgmt/vaultwarden/.env.example
+++ b/mgmt/vaultwarden/.env.example
@@ -0,0 +1,4 @@
+DOMAIN_NAME=
+SUBDOMAIN=
+DOMAIN=https://${SUBDOMAIN}.${DOMAIN_NAME}
+# SIGNUPS_ALLOWED=false # Uncomment to disable signups
--- a/mgmt/vaultwarden/compose.yml
+++ b/mgmt/vaultwarden/compose.yml
@@ -0,0 +1,35 @@
+services:
+  vaultwarden:
+    image: vaultwarden/server:latest
+    container_name: vaultwarden
+    restart: always
+    env_file:
+      - .env
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.vw.rule=Host(`${SUBDOMAIN}.${DOMAIN_NAME}`)
+      - traefik.http.routers.vw.tls=true
+      - traefik.http.routers.vw.entrypoints=web,websecure
+      - traefik.http.routers.vw.tls.certresolver=cloudflare
+      - traefik.http.middlewares.vw.headers.SSLRedirect=true
+      - traefik.http.middlewares.vw.headers.STSSeconds=315360000
+      - traefik.http.middlewares.vw.headers.browserXSSFilter=true
+      - traefik.http.middlewares.vw.headers.contentTypeNosniff=true
+      - traefik.http.middlewares.vw.headers.forceSTSHeader=true
+      - traefik.http.middlewares.vw.headers.SSLHost=${DOMAIN_NAME}
+      - traefik.http.middlewares.vw.headers.STSIncludeSubdomains=true
+      - traefik.http.middlewares.vw.headers.STSPreload=true
+      - traefik.http.middlewares.vw.headers.frameDeny=true
+      - traefik.http.routers.vw.middlewares=vw@docker
+      - traefik.http.services.vw.loadbalancer.server.port=80
+    volumes:
+      - vw-data:/data/
+    networks:
+      - mgmt
+volumes:
+  vw-data:
+    name: vw-data
+networks:
+  mgmt:
+    external:
+      true