initial docker setup

project/db/adminer/adminer.yml

@@ -0,0 +1,17 @@
+services:
+  adminer:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: adminer:latest
+    container_name: adminer
+    ports:
+      - 8085:8080
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.adminer.rule=Host(`adminer.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.adminer.entrypoints=https"
+      - "traefik.http.routers.adminer.tls=true"

project/db/lldap/lldap.yml

@@ -0,0 +1,46 @@
+secrets:
+  LLDAP_JWT_SECRET:
+    file: ${DB_PATH}/lldap/secrets/LLDAP_JWT_SECRET
+  LLDAP_KEY_SEED:
+    file: ${DB_PATH}/lldap/secrets/LLDAP_KEY_SEED
+
+services:
+  lldap:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    container_name: lldap
+    image: lldap/lldap:latest
+    ports:
+      # For LDAP, not recommended to expose, see Usage section.
+      - "3890:3890"
+      # For LDAPS (LDAP Over SSL), enable port if LLDAP_LDAPS_OPTIONS__ENABLED set true, look env below
+      # - "6360:6360"
+      # For the web front-end
+      - "17170:17170"
+    volumes:
+      - "${DB_PATH}/lldap/data:/data"
+    environment:
+      - LLDAP_JWT_SECRET=/run/secrets/LLDAP_JWT_SECRET
+      - LLDAP_KEY_SEED=/run/secrets/LLDAP_KEY_SEED
+      - LLDAP_LDAP_BASE_DN=dc=${SECOND_LEVEL_DOMAIN},dc=${TOP_LEVEL_DOMAIN}
+      # If using LDAPS, set enabled true and configure cert and key path
+      # - LLDAP_LDAPS_OPTIONS__ENABLED=true
+      # - LLDAP_LDAPS_OPTIONS__CERT_FILE=/data/certfile.crt
+      # - LLDAP_LDAPS_OPTIONS__KEY_FILE=/data/keyfile.key
+      # You can also set a different database:
+      - LLDAP_DATABASE_URL=postgres://lldap:${LLDAP_DB_PASSWORD}@postgres/lldap
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.lldap.rule=Host(`ldap.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.lldap.entrypoints=https"
+      - "traefik.http.routers.lldap.tls=true"
+      - "traefik.http.routers.lldap.tls.certresolver=myresolver"
+      - "traefik.http.routers.lldap.service=lldap-service"
+      - "traefik.http.services.lldap-service.loadbalancer.server.port=17170"
+      - "traefik.http.services.lldap-service.loadbalancer.server.scheme=http"
+      # middlewares
+      - "traefik.http.routers.lldap.middlewares=crowdsec-bouncer@file"

project/db/mariadb/mariadb.yml

@@ -0,0 +1,17 @@
+services:
+  mariadb:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: mariadb:latest
+    container_name: mariadb
+    command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
+    environment:
+      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
+    volumes:
+      - ${DB_PATH}/mariadb/data:/var/lib/mysql
+      # init db
+      - ${DB_PATH}/mariadb/init:/docker-entrypoint-initdb.d
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"

project/db/pgadmin/pgadmin.yml

@@ -0,0 +1,26 @@
+secrets:
+  pgadmin_default_password:
+    file: ${DB_PATH}/pgadmin/secrets/default_password.txt
+services:
+  pgAdmin:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    container_name: pgadmin
+    image: dpage/pgadmin4:latest
+    ports:
+      - 8082:80
+    secrets: [pgadmin_default_password]
+    volumes:
+      - ${DB_PATH}/pgadmin/data:/var/lib/pgadmin
+    environment:
+      PGADMIN_DEFAULT_EMAIL: ${EMAIL}
+      PGADMIN_DEFAULT_PASSWORD_FILE: /run/secrets/pgadmin_default_password
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.pgadmin.rule=Host(`pgadmin.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.pgadmin.entrypoints=https"
+      - "traefik.http.routers.pgadmin.tls=true"

project/db/postgres/postgres.yml

@@ -0,0 +1,45 @@
+secrets:  
+  postgres_default_password:
+    file: ${DB_PATH}/postgres/secrets/default_password.txt
+services:
+  postgres:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    container_name: postgres
+    image: postgres:latest
+    ports:
+      - 5432:5432
+    secrets: [postgres_default_password]
+    environment:
+      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_default_password
+      # PGDATA: /var/lib/postgresql/data
+      # see https://www.pgadmin.org/docs/pgadmin4/latest/container_deployment.html
+      PUID: 5050
+      PGID: 5050
+    volumes:
+      - ${DB_PATH}/postgres/data/postgres:/var/lib/postgresql/data
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+
+  postgres-with-pg-vector:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    container_name: postgres-with-pg-vector
+    image: tensorchord/pgvecto-rs:pg16-v0.1.11
+    ports:
+      - 5433:5432
+    secrets: [postgres_default_password]
+    environment:
+      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_default_password
+      # PGDATA: /var/lib/postgresql/data
+      # see https://www.pgadmin.org/docs/pgadmin4/latest/container_deployment.html
+      PUID: 5050
+      PGID: 5050
+    volumes:
+      - ${DB_PATH}/postgres/data/postgres-with-pg-vector:/var/lib/postgresql/data
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"

project/db/redis/redis.yml

@@ -0,0 +1,12 @@
+services:
+  redis:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    container_name: redis
+    image: redis:latest
+    volumes:
+      - ${DB_PATH}/redis/data:/data
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"

project/infrastructure/authelia/authelia.yml

@@ -0,0 +1,41 @@
+secrets:
+  JWT_SECRET:
+    file: ${INFRA_PATH}/authelia/secrets/JWT_SECRET
+  SESSION_SECRET:
+    file: ${INFRA_PATH}/authelia/secrets/SESSION_SECRET
+  STORAGE_PASSWORD:
+    file: ${INFRA_PATH}/authelia/secrets/STORAGE_PASSWORD
+  STORAGE_ENCRYPTION_KEY:
+    file: ${INFRA_PATH}/authelia/secrets/STORAGE_ENCRYPTION_KEY
+services:
+  authelia:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    container_name: authelia
+    image: authelia/authelia:latest
+    expose:
+      - 9091
+    secrets: [JWT_SECRET, SESSION_SECRET, STORAGE_PASSWORD, STORAGE_ENCRYPTION_KEY]
+    environment:
+      AUTHELIA_JWT_SECRET_FILE: /run/secrets/JWT_SECRET
+      AUTHELIA_SESSION_SECRET_FILE: /run/secrets/SESSION_SECRET
+      AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /run/secrets/STORAGE_PASSWORD
+      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/STORAGE_ENCRYPTION_KEY
+      AUTHELIA_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN} # this does not work for access control or openID yet
+      AUTHELIA_LOCAL_DOMAIN: ${LOCAL_DOMAIN} # this does not work for access control or openID yet
+    volumes:
+      - ${INFRA_PATH}/authelia/config:/config
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - 'traefik.enable=true'
+      - 'traefik.http.routers.authelia.rule=Host(`auth.${PUBLIC_DOMAIN}`)'
+      - "traefik.http.routers.authelia.tls.certresolver=myresolver"
+      - 'traefik.http.routers.authelia.entryPoints=https'
+      - 'traefik.http.routers.authelia.tls=true'
+      - 'traefik.http.routers.authelia.service=authelia-svc'
+      - 'traefik.http.services.authelia-svc.loadbalancer.server.port=9091'
+      # Middleware
+      - "traefik.http.routers.authelia.middlewares=crowdsec-bouncer@file"

project/infrastructure/crowdsec/crowdsec.yml

@@ -0,0 +1,39 @@
+services:
+  crowdsec:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    container_name: crowdsec
+    image: crowdsecurity/crowdsec:latest
+    environment:
+      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve"
+    expose:
+      - 8080
+    ports:
+      - 6060:6060
+    volumes:
+      - ${INFRA_PATH}/crowdsec/data:/var/lib/crowdsec/data
+      - ${INFRA_PATH}/crowdsec/config:/etc/crowdsec
+      - /var/log/auth.log:/var/log/auth.log:ro
+      - /var/log/crowdsec:/var/log/crowdsec:ro
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+
+  crowdsec-traefik-bouncer:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: fbonalair/traefik-crowdsec-bouncer:latest
+    container_name: bouncer-traefik
+    environment:
+      CROWDSEC_BOUNCER_API_KEY: ${CROWDSEC_API_KEY}
+      CROWDSEC_AGENT_HOST: crowdsec:8080
+      GIN_MODE: release
+    expose:
+      - 8080
+    depends_on:
+      - crowdsec
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"

project/infrastructure/homepage/homepage.yml

@@ -0,0 +1,25 @@
+services:
+  homepage:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: ghcr.io/gethomepage/homepage:latest
+    container_name: homepage
+    ports:
+      - 3030:3000
+    environment:
+      HOMEPAGE_VAR_LOCAL_DOMAIN: ${LOCAL_DOMAIN}
+      HOMEPAGE_VAR_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN}
+    volumes:
+      - ${INFRA_PATH}/homepage/config:/app/config
+      - ${INFRA_PATH}/homepage/data/images:/app/public/images
+      - ${INFRA_PATH}/homepage/data/icons:/app/public/icons
+      - /var/run/docker.sock:/var/run/docker.sock:ro # optional, for docker integrations
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.homepage.rule=Host(`homepage.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.homepage.entrypoints=https"
+      - "traefik.http.routers.homepage.tls=true"

project/infrastructure/speedtest/speedtest.yml

@@ -0,0 +1,28 @@
+services:
+  speedtest:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    container_name: speedtest
+    image: ghcr.io/librespeed/speedtest:latest
+    environment:
+      MODE: standalone
+      TITLE: "LibreSpeed"
+      #TELEMETRY: "false"
+      #ENABLE_ID_OBFUSCATION: "false"
+      #REDACT_IP_ADDRESSES: "false"
+      #PASSWORD:
+      #EMAIL:
+      #DISABLE_IPINFO: "false"
+      #DISTANCE: "km"
+      #WEBPORT: 80
+    ports:
+      - "4001:80" # webport mapping (host:container)
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.speedtest.rule=Host(`speedtest.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.speedtest.entrypoints=https"
+      - 'traefik.http.routers.speedtest.tls=true'

project/infrastructure/traefik/traefik.yml

@@ -0,0 +1,47 @@
+services:
+  traefik:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: "traefik:latest"
+    container_name: "traefik"
+    ports:
+      - "80:80"
+      - "443:443"
+      - "8079:8080"
+    environment:
+      TRAEFIK_LOCAL_DOMAIN: ${LOCAL_DOMAIN}
+      TRAEFIK_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN}
+      TRAEFIK_AUTH_PUBLIC_DOMAIN: auth.${PUBLIC_DOMAIN}
+    volumes:
+      - "/var/log/crowdsec/:/var/log/crowdsec/"
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "${INFRA_PATH}/traefik/letsencrypt:/letsencrypt"
+      - "${INFRA_PATH}/traefik/config:/etc/traefik"
+      - "${INFRA_PATH}/traefik/certs:/etc/certs"
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik.service=api@internal"
+      - "traefik.http.routers.traefik.rule=Host(`traefik.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.traefik.entrypoints=https"
+      - "traefik.http.routers.traefik.tls=true"
+
+  whoami:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: traefik/whoami:latest
+    container_name: "traefik-whoami"
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.whoami.rule=Host(`whoami.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.whoami.entrypoints=https"
+      - 'traefik.http.routers.whoami.tls=true'
+      - "traefik.http.routers.whoami.tls.certresolver=myresolver"
+      - "traefik.http.routers.whoami.middlewares=authelia@file,crowdsec-bouncer@file"

project/infrastructure/uptime-kuma/uptime-kuma.yml

@@ -0,0 +1,19 @@
+services:
+  uptime-kuma:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: louislam/uptime-kuma:latest
+    container_name: uptime-kuma
+    volumes:
+      - ${INFRA_PATH}/uptime-kuma/config:/app/data
+    ports:
+      - 5001:3001
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.uptime-kuma.rule=Host(`uptime-kuma.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.uptime-kuma.entrypoints=https"
+      - "traefik.http.routers.uptime-kuma.tls=true"

project/infrastructure/watchtower/watchtower.yml

@@ -0,0 +1,24 @@
+services:
+  watchtower:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: containrrr/watchtower:latest
+    container_name: watchtower
+    environment:
+      - WATCHTOWER_CLEANUP=true
+      - WATCHTOWER_POLL_INTERVAL=43200 # 12h
+      - WATCHTOWER_INCLUDE_RESTARTING=true
+      - WATCHTOWER_LABEL_ENABLE=true
+      - WATCHTOWER_HTTP_API_METRICS=true
+      - WATCHTOWER_HTTP_API_TOKEN=mytoken
+      - WATCHTOWER_HTTP_API_UPDATE=true
+      - WATCHTOWER_HTTP_API_PERIODIC_POLLS=true
+    ports:
+      - 7999:8080
+    volumes:
+      # - ${INFRA_PATH}/watchtower/config:/config.json
+      - /var/run/docker.sock:/var/run/docker.sock
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"

project/media/immich/immich.yml

@@ -0,0 +1,62 @@
+services:
+  immich-server:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    container_name: immich_server
+    image: ghcr.io/immich-app/immich-server:release
+    command: [ "start.sh", "immich" ]
+    environment:
+      DB_PASSWORD: ${IMMICH_DB_PASSWORD}
+      DB_HOSTNAME: postgres-with-pg-vector
+      DB_USERNAME: immich
+      DB_DATABASE_NAME: immich
+      REDIS_HOSTNAME: redis
+    volumes:
+      - ${MEDIA_PATH}/immich/data/library:/usr/src/app/upload
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - 2283:3001
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.immich-server.rule=Host(`immich.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.immich-server.entrypoints=https"
+      - "traefik.http.routers.immich-server.tls.certresolver=myresolver"
+      - 'traefik.http.routers.immich-server.tls=true'
+      # Middlewares
+      - "traefik.http.routers.immich-server.middlewares=authelia@file,crowdsec-bouncer@file"
+
+  immich-microservices:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    container_name: immich_microservices
+    image: ghcr.io/immich-app/immich-server:release
+    command: [ "start.sh", "microservices" ]
+    environment:
+      DB_PASSWORD: ${IMMICH_DB_PASSWORD}
+      DB_HOSTNAME: postgres-with-pg-vector
+      DB_USERNAME: immich
+      DB_DATABASE_NAME: immich
+      REDIS_HOSTNAME: redis
+    volumes:
+      - ${MEDIA_PATH}/immich/data/library:/usr/src/app/upload
+      - /etc/localtime:/etc/localtime:ro
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+
+  immich-machine-learning:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    container_name: immich_machine_learning
+    image: ghcr.io/immich-app/immich-machine-learning:release
+    volumes:
+      - ${MEDIA_PATH}/immich/data/model-cache:/cache
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"

project/monitoring/dozzle/dozzle.yml

@@ -0,0 +1,19 @@
+services:
+  dozzle:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    container_name: dozzle
+    image: amir20/dozzle:latest
+    ports:
+      - 8083:8080
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.dozzle.rule=Host(`dozzle.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.dozzle.entrypoints=https"
+      - "traefik.http.routers.dozzle.tls=true"

project/monitoring/grafana/grafana.yml

@@ -0,0 +1,19 @@
+services:
+  grafana:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    container_name: grafana
+    image: grafana/grafana-oss:latest
+    ports:
+      - 8090:3000
+    volumes:
+      - ${MONITORING_PATH}/grafana/data:/var/lib/grafana
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.grafana.rule=Host(`grafana.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.grafana.entrypoints=https"
+      - "traefik.http.routers.grafana.tls=true"

project/monitoring/prometheus/prometheus.yml

@@ -0,0 +1,19 @@
+services:
+  prometheus:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    container_name: prometheus
+    image: prom/prometheus:latest
+    ports:
+      - 9090:9090
+    volumes:
+      - ${MONITORING_PATH}/prometheus/config:/etc/prometheus
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.prometheus.rule=Host(`prometheus.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.prometheus.entrypoints=https"
+      - "traefik.http.routers.prometheus.tls=true"

project/service/gitea/gitea.yml

@@ -0,0 +1,50 @@
+services:
+  gitea:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: gitea/gitea:latest
+    container_name: gitea
+    environment:
+      - APP_NAME="Gitea"
+      - USER=git
+      - RUN_MODE=prod
+      - DOMAIN=gitea.${PUBLIC_DOMAIN}
+      - SSH_DOMAIN=gitea.${PUBLIC_DOMAIN}
+      - HTTP_PORT=4002
+      - ROOT_URL=https://gitea.${PUBLIC_DOMAIN}
+      - SSH_PORT=2001
+      - SSH_LISTEN_PORT=22
+      # Database postgres
+      - GITEA__database__DB_TYPE=postgres
+      - GITEA__database__HOST=postgres
+      - GITEA__database__NAME=gitea
+      - GITEA__database__USER=gitea
+      - GITEA__database__PASSWD=${GITEA_DATABASE_PASSWORD}
+      # Cache redis
+      - GITEA__cache__ENABLED=true
+      - GITEA__cache__ADAPTER=redis
+      - GITEA__cache__HOST=redis://redis:6379/0?pool_size=100&idle_timeout=180s
+      - GITEA__cache__ITEM_TTL=24h
+    volumes:
+      - ${SERVICE_PATH}/gitea/data:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - 2001:22
+    expose:
+      - 4002
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.gitea.rule=Host(`gitea.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.gitea.entrypoints=https"
+      - "traefik.http.routers.gitea.tls.certresolver=myresolver"
+      - "traefik.http.routers.gitea.tls=true"
+      - "traefik.http.routers.gitea.service=gitea-service"
+      - "traefik.http.services.gitea-service.loadbalancer.server.port=4002"
+
+      # Middlewares
+      - "traefik.http.routers.gitea.middlewares=crowdsec-bouncer@file,authelia@file"

project/service/vikunja/vikunja.yml

@@ -0,0 +1,33 @@
+secrets:  
+  vikunja_jwt_secret:
+    file: ${SERVICE_PATH}/vikunja/secrets/vikunja_jwt_secret.txt
+services:
+  vikunja:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: vikunja/vikunja:latest
+    container_name: vikunja
+    secrets: [vikunja_jwt_secret]
+    environment:
+      VIKUNJA_DATABASE_HOST: postgres
+      VIKUNJA_DATABASE_PASSWORD: ${VIKUNJA_DATABASE_PASSWORD}
+      VIKUNJA_DATABASE_TYPE: postgres
+      VIKUNJA_DATABASE_USER: vikunja
+      VIKUNJA_DATABASE_DATABASE: vikunja
+      VIKUNJA_SERVICE_JWTSECRET: /run/secrets/vikunja_jwt_secret
+      VIKUNJA_SERVICE_PUBLICURL: https://vikunja.${PUBLIC_DOMAIN}
+    volumes: 
+      - ${SERVICE_PATH}/vikunja/data:/app/vikunja/files
+      - ${SERVICE_PATH}/vikunja/config:/etc/vikunja
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.vikunja.rule=Host(`vikunja.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.vikunja.entrypoints=https"
+      - "traefik.http.routers.vikunja.tls.certresolver=myresolver"
+      - 'traefik.http.routers.vikunja.tls=true'
+      # Middlewares
+      - "traefik.http.routers.vikunja.middlewares=crowdsec-bouncer@file,authelia@file"