add .gitignore

.gitignore

@@ -0,0 +1,15 @@
+.secrets
+.env
+
+
+
+webapp/nginx-test
+webapp/dad-domains
+webapp/qbittorrent
+webapp/openwebui
+webapp/wisemapping
+remote/rustdesk-server
+remote/ttyd-ubuntu
+mgmt/grafana
+mgmt/prometheus
+local/Y2JB-WebUI

AGENTS.md

@@ -1,5 +1,23 @@
 # Agent Guidelines for Docker Infrastructure Monorepo
 
+## CRITICAL: Forbidden Files
+
+**NEVER read, access, or attempt to open the following files under ANY circumstances:**
+
+- `.env` and ALL variants (`.env.local`, `.env.development`, `.env.production`, `.env.*`)
+- `.secrets/` directories at any level
+- Any file in a `secrets/` directory at any level
+- Credential files: `credentials.json`, `credentials.yml`, `credentials.yaml`
+- Key files: `*.pem`, `*.key`, `*.p12`, `*.pfx`, `id_rsa`, `id_ecdsa`, `id_ed25519`
+- Files named `token`, `tokens`, `.token`, `.tokens`, `password`, `passwords`
+
+**What to do instead:**
+- Use `.env.example` files to understand required environment variables
+- Ask the user to provide values explicitly if needed
+- Use placeholder values when demonstrating code
+
+This is a hard rule. No exceptions. No "just checking". If you need env info, read the `.env.example` file or ask the user.
+
 ## Repository Structure
 
 This is a Docker Compose monorepo for personal infrastructure hosting. The main focus is Docker services, with local tools in `local/`.
@@ -115,8 +133,7 @@ For full OpenClaw guidelines, see `local/openclaw/AGENTS.md`.
 
 ## Security Best Practices
 
-- **NEVER read, access, or attempt to open `.env` files or `.secrets/` directories** - These contain sensitive data
+- See **CRITICAL: Forbidden Files** section above — this is the highest priority rule in this repo
-- `.env` and `.secrets/` directories are gitignored everywhere
 - Never commit credentials, API keys, or certificates
 - Use Cloudflare Tunnel for external access (no port forwarding)
 - Placeholders in documentation (e.g., `user@example.com`)

backend/postgres/.gitignore

@@ -0,0 +1,3 @@
+.env
+.secrets/
+init-data.sh

backend/postgres/compose.yml

@@ -9,7 +9,7 @@ services:
       start_period: 20s
       test:
       - CMD-SHELL
-      - pg_isready -U $${POSTGRES_USER_FILE}
+      - pg_isready -U "$$(cat /run/secrets/POSTGRES_USER)"
       timeout: 5s
     env_file:
       - .env
@@ -19,16 +19,16 @@ services:
     volumes:
       - pgdata:/var/lib/postgresql
     networks:
-      - db
+      - backend
 volumes:
   pgdata:
     name: pgdata
 secrets:
   POSTGRES_USER:
-    file: ./.secrets/POSTGRES_USER
+    file: .secrets/POSTGRES_USER
   POSTGRES_PASS:
-    file: ./.secrets/POSTGRES_PASS
+    file: .secrets/POSTGRES_PASS
 networks:
-  db:
+  backend:
     external:
       true

backend/surrealdb/.env.example

@@ -0,0 +1,4 @@
+# SurrealDB Configuration
+# Root password is loaded from ./.secrets/SURREAL_ROOT_PASSWORD via Docker secrets
+# Timezone settings
+TZ=

backend/surrealdb/compose.yml

@@ -0,0 +1,28 @@
+services:
+  surrealdb:
+    image: surrealdb/surrealdb:v2
+    container_name: surrealdb
+    # entrypoint: ["/bin/sh"]
+    command: start --user root --pass $(cat /run/secrets/SURREAL_ROOT_PASSWORD) rocksdb:/mydata/mydatabase.db
+    user: root
+    restart: always
+    env_file:
+      - .env
+    secrets:
+      - SURREAL_ROOT_PASSWORD
+    volumes:
+      - surreal_data:/mydata
+    networks:
+      - db
+
+volumes:
+  surreal_data:
+    name: surreal_data
+
+secrets:
+  SURREAL_ROOT_PASSWORD:
+    file: ./.secrets/SURREAL_ROOT_PASSWORD
+
+networks:
+  db:
+    external: true

frontend/cloudflared/compose.yml

@@ -8,6 +8,8 @@ services:
       - traefik.enable=true
     env_file:
       - .env
+    expose:
+      - "7844"
     networks:
       - frontend
 networks:

mgmt/portainer/compose.yml

@@ -6,7 +6,7 @@ services:
     labels:
       - traefik.enable=true
       - traefik.http.routers.portainer.rule=Host(`${SUBDOMAIN}.${DOMAIN_NAME}`)
-      - traefik.docker.network=webapp
+      - traefik.docker.network=mgmt
       - traefik.http.services.portainer.loadbalancer.server.port=9000
       - traefik.http.routers.portainer.tls=true
       - traefik.http.routers.portainer.entrypoints=web,websecure
@@ -25,6 +25,8 @@ services:
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
       - ./data:/data
+    expose:
+      - 9000
     networks:
       - mgmt
 networks:

myprojects/kimi/.env.example

@@ -0,0 +1,2 @@
+# No env vars required for basic kimi CLI usage
+# Add API keys or config here as needed

myprojects/kimi/Dockerfile

@@ -0,0 +1,18 @@
+FROM alpine:3.23
+
+RUN apk add --no-cache bash curl
+
+RUN addgroup -g 1000 kimi && \
+    adduser -D -u 1000 -G kimi kimi
+
+USER kimi
+WORKDIR /home/kimi
+
+RUN curl -fsSL https://astral.sh/uv/install.sh | sh
+RUN /home/kimi/.local/bin/uv tool install --python 3.13 kimi-cli
+
+ENV PATH="/home/kimi/.local/bin:${PATH}"
+
+WORKDIR /workspace
+
+ENTRYPOINT ["kimi"]

myprojects/kimi/compose.yml

@@ -0,0 +1,12 @@
+services:
+  kimi:
+    build:
+      context: .
+      network: host
+    image: kimi:alpine
+    container_name: kimi
+    hostname: kimi
+    stdin_open: true
+    tty: true
+    volumes:
+      - ./workspace:/workspace