From d4061164a6904050cd103557e4b547fd8cd1a60a Mon Sep 17 00:00:00 2001
From: chris
Date: Fri, 19 Dec 2025 15:33:26 +0100
Subject: [PATCH] replace stirling pdf, sso for multiple app, cleanup
---
docker-compose.yml | 2 +-
project/media/navidrome/navidrome.yml | 9 ++++++-
project/service/freshrss/freshrss.yml | 8 +++---
project/service/linkwarden/linkwarden.yml | 8 +++++-
project/service/mealie/mealie.yml | 21 ++++++---------
project/service/pdf/pdf.yml | 22 ++++++++++++++++
project/service/stirling-pdf/stirling-pdf.yml | 26 -------------------
project/service/vaultwarden/vaultwarden.yml | 2 +-
8 files changed, 51 insertions(+), 47 deletions(-)
create mode 100644 project/service/pdf/pdf.yml
delete mode 100644 project/service/stirling-pdf/stirling-pdf.yml
diff --git a/docker-compose.yml b/docker-compose.yml
index 0332a59..fb3f881 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -60,7 +60,7 @@ include:
# - ${SERVICE_PATH}/ollama/ollama.yml - ${SERVICE_PATH}/paperless-ngx/paperless-ngx.yml - ${SERVICE_PATH}/radicale/radicale.yml - - ${SERVICE_PATH}/stirling-pdf/stirling-pdf.yml + - ${SERVICE_PATH}/pdf/pdf.yml - ${SERVICE_PATH}/vaultwarden/vaultwarden.yml - ${SERVICE_PATH}/vikunja/vikunja.yml env_file: ${SERVICE_PATH}/.env
diff --git a/project/media/navidrome/navidrome.yml b/project/media/navidrome/navidrome.yml
index 7ad4257..ab26c8d 100644
--- a/project/media/navidrome/navidrome.yml
+++ b/project/media/navidrome/navidrome.yml
@@ -12,6 +12,9 @@ services:
volumes: - ${MEDIA_PATH}/navidrome/data:/data - ${EXTERNAL_STORAGE}/media/music:/music:ro + environment: + ND_REVERSEPROXYWHITELIST: 0.0.0.0/0 + ND_ENABLEUSEREDITING: false labels: # Watchtower - "com.centurylinklabs.watchtower.enable=true"
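Review bot: `ND_REVERSEPROXYWHITELIST: 0.0.0.0/0` tells Navidrome to accept the reverse-proxy user header (its default is `Remote-User`, the header Authelia's forwardAuth sets) from any source address, so header-based login is only as safe as the guarantee that nothing but Traefik can reach the container; if the service is also published with a `ports:` entry or shares a network with other containers (neither is visible in this hunk), any peer that can reach it can log in as an arbitrary user by supplying that header itself. Narrow the value to the proxy's address range, e.g. `ND_REVERSEPROXYWHITELIST: <traefik-network-cidr>` (the subnet of the network Traefik and Navidrome share), and keep it in step with the `authelia@file` middleware the next hunk puts on the router. A one-line comment above the key, `# Trust the proxy user header only from Traefik; Authelia forwardAuth sets it`, would record why the whitelist exists at all.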
@@ -21,4 +24,8 @@ services:
- "traefik.http.routers.navidrome.entrypoints=https" - 'traefik.http.routers.navidrome.tls=true' # Middlewares - - "traefik.http.routers.navidrome.middlewares=crowdsec-bouncer@file" + - "traefik.http.routers.navidrome.middlewares=crowdsec-bouncer@file, authelia@file" + # Subsonic endpoint use basic authentication middleware from authelia + - "traefik.http.routers.navidrome-subsonic.rule=Host(`navidrome.${PUBLIC_DOMAIN}`) && PathPrefix(`/rest/`) && !Query(`c`, `NavidromeUI`)" + - "traefik.http.routers.navidrome-subsonic.entrypoints=https" + - "traefik.http.routers.navidrome-subsonic.middlewares=crowdsec-bouncer@file, authelia-basicauth@file, subsonic-basicauth@file"
diff --git a/project/service/freshrss/freshrss.yml b/project/service/freshrss/freshrss.yml
index 62c89a6..0aa744c 100644
--- a/project/service/freshrss/freshrss.yml
+++ b/project/service/freshrss/freshrss.yml
@@ -8,7 +8,7 @@ services:
ports: - 4014:80 networks: - - ip4net + - ip6net volumes: - ${SERVICE_PATH}/freshrss/data:/var/www/FreshRSS/data - ${SERVICE_PATH}/freshrss/extensions:/var/www/FreshRSS/extensions
@@ -20,9 +20,9 @@ services:
- "com.centurylinklabs.watchtower.enable=true" # Traefik - "traefik.enable=true" - - "traefik.http.routers.freshrss.rule=Host(`rss.${LOCAL_DOMAIN}`)" + - "traefik.http.routers.freshrss.rule=Host(`rss.${PUBLIC_DOMAIN}`)" - "traefik.http.routers.freshrss.entrypoints=https" - "traefik.http.routers.freshrss.tls=true" - #- "traefik.http.routers.freshrss.tls.certresolver=myresolver" + - "traefik.http.routers.freshrss.tls.certresolver=myresolver" # Middlewares - #- "traefik.http.routers.freshrss.middlewares=crowdsec-bouncer@file"
\ No newline at end of file
+ - "traefik.http.routers.freshrss.middlewares=crowdsec-bouncer@file"
diff --git a/project/service/linkwarden/linkwarden.yml b/project/service/linkwarden/linkwarden.yml
index 02f2314..22d438c 100644
--- a/project/service/linkwarden/linkwarden.yml
+++ b/project/service/linkwarden/linkwarden.yml
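Review bot: The new `navidrome-subsonic` router sets `entrypoints=https` but no `tls=true` (and no `tls.certresolver`), while the sibling `navidrome` router in the same hunk carries `'traefik.http.routers.navidrome.tls=true'`; unless the `https` entrypoint enables TLS on its own (not visible here), Traefik serves a router without `tls` as plain HTTP on that port, and this is exactly the route that carries basic-auth credentials. Add `- "traefik.http.routers.navidrome-subsonic.tls=true"` beside its entrypoints label, plus the certresolver label if the UI router uses one further up the file. The comment `# Subsonic endpoint use basic authentication middleware from authelia` would also be more useful if it named what `subsonic-basicauth@file` does and why it comes after `authelia-basicauth@file`, since the chain order decides which middleware sees the credentials first.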
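Review bot: The router now chains `crowdsec-bouncer@file` and moves from `LOCAL_DOMAIN` to `PUBLIC_DOMAIN`, but the bouncer only sees requests that enter through Traefik; the `ports: - 4014:80` mapping in the previous hunk of this file still publishes the container directly on the host, so a client that reaches port 4014 skips the bouncer and every other Traefik middleware, and this router has no `authelia@file` in front of it at all. Unless the host firewall is known to block that port, drop the `ports:` entry or bind it to loopback, `- '127.0.0.1:4014:80'`. The same applies to the `'4003:8080'` publish in the new `project/service/pdf/pdf.yml`, where the direct port also bypasses `authelia@file`.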
@@ -14,10 +14,15 @@ services:
- ${SERVICE_PATH}/linkwarden/data:/data/data environment: - DATABASE_URL=postgresql://linkwarden:${LINKWARDEN_DATABASE_PASSWORD}@postgres:5432/linkwarden - - NEXTAUTH_URL=https://linkwarden.${PUBLIC_DOMAIN} + - NEXTAUTH_URL=https://linkwarden.${PUBLIC_DOMAIN}/api/v1/auth - NEXTAUTH_SECRET=${LINKWARDEN_NEXTAUTH_SECRET} - MEILI_MASTER_KEY=${LINKWARDEN_MEILI_MASTER_KEY} - MEILI_HOST=http://meilisearch:7700 + - NEXT_PUBLIC_DISABLE_REGISTRATION=true + - NEXT_PUBLIC_AUTHELIA_ENABLED=true + - AUTHELIA_WELLKNOWN_URL=https://auth.${PUBLIC_DOMAIN}/.well-known/openid-configuration + - AUTHELIA_CLIENT_ID=linkwarden + - AUTHELIA_CLIENT_SECRET=${LINKWARDEN_OIDC_CLIENT_SECRET} labels: # Watchtower - "com.centurylinklabs.watchtower.enable=true"
@@ -26,6 +31,7 @@ services:
- "traefik.http.routers.linkwarden.rule=Host(`linkwarden.${PUBLIC_DOMAIN}`)" - "traefik.http.routers.linkwarden.entrypoints=https" - "traefik.http.routers.linkwarden.tls=true" + meilisearch: extends: file: ${TEMPLATES_PATH}
diff --git a/project/service/mealie/mealie.yml b/project/service/mealie/mealie.yml
index e54b859..72322f0 100644
--- a/project/service/mealie/mealie.yml
+++ b/project/service/mealie/mealie.yml
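Review bot: `AUTHELIA_CLIENT_SECRET=${LINKWARDEN_OIDC_CLIENT_SECRET}` introduces a variable name that does not exist before this commit, and Compose substitutes an unset variable with an empty string, so a `.env` that has not been updated starts the container with an empty client secret instead of failing; the same holds for `${MEALIE_OIDC_CLIENT_SECRET}` in mealie.yml and the renamed `${VAULTWARDEN_OIDC_CLIENT_SECRET}` in vaultwarden.yml. The required form, `AUTHELIA_CLIENT_SECRET=${LINKWARDEN_OIDC_CLIENT_SECRET:?unset}`, makes `docker compose` refuse to bring the service up. Separately, the router labels visible in the next hunk show no `middlewares` label for `linkwarden`, whereas the other routers touched by this commit chain `crowdsec-bouncer@file`; if it is not set further down the file, this service sits outside the bouncer. A short comment such as `# OIDC via Authelia; local registration disabled` above `NEXT_PUBLIC_DISABLE_REGISTRATION` would mirror the `# OIDC using authelia` note this commit adds to mealie.yml.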
@@ -21,18 +21,13 @@ services:
POSTGRES_SERVER: postgres POSTGRES_PORT: 5432 POSTGRES_DB: mealie - # LDAP Authentication - LDAP_AUTH_ENABLED: true - LDAP_SERVER_URL: ldap://lldap:3890 - LDAP_BASE_DN: ou=people,dc=${SECOND_LEVEL_DOMAIN},dc=${TOP_LEVEL_DOMAIN} - LDAP_ID_ATTRIBUTE: uid - LDAP_NAME_ATTRIBUTE: displayName - LDAP_MAIL_ATTRIBUTE: mail - LDAP_QUERY_BIND: cn=readonly_user,ou=people,dc=${SECOND_LEVEL_DOMAIN},dc=${TOP_LEVEL_DOMAIN} - LDAP_QUERY_PASSWORD: ${LLDAP_READONLY_USER_PASSWORD} - # LDAP_USER_FILTER: (memberof=cn=mealie,ou=groups,dc=example,dc=com) - # LDAP_ADMIN_FILTER: (memberof=cn=mealie-admin,ou=groups,dc=example,dc=com) - + # OIDC using authelia + OIDC_AUTH_ENABLED: true + OIDC_SIGNUP_ENABLED: false + OIDC_CONFIGURATION_URL: https://auth.${PUBLIC_DOMAIN}/.well-known/openid-configuration + OIDC_CLIENT_ID: mealie + OIDC_CLIENT_SECRET: ${MEALIE_OIDC_CLIENT_SECRET} + OIDC_AUTO_REDIRECT: false labels: # Watchtower - "com.centurylinklabs.watchtower.enable=true"
@@ -43,4 +38,4 @@ services:
- "traefik.http.routers.mealie.tls.certresolver=myresolver" - "traefik.http.routers.mealie.tls=true" # Middlewares - - "traefik.http.routers.mealie.middlewares=crowdsec-bouncer@file"
\ No newline at end of file
+ - "traefik.http.routers.mealie.middlewares=crowdsec-bouncer@file"
diff --git a/project/service/pdf/pdf.yml b/project/service/pdf/pdf.yml
new file mode 100644
index 0000000..2ba3108
--- /dev/null
+++ b/project/service/pdf/pdf.yml
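Review bot: The removed LDAP block at least carried (commented-out) `LDAP_USER_FILTER`/`LDAP_ADMIN_FILTER` group restrictions, but the new OIDC block has no equivalent `OIDC_USER_GROUP`/`OIDC_ADMIN_GROUP`, so who may sign in and who becomes an admin is now decided entirely outside this file, by Authelia's policy for the `mealie` client; `OIDC_SIGNUP_ENABLED: false` limits this to accounts that already exist, which is the right default, but the admin mapping deserves to be explicit. Either set Mealie's group settings (they need Authelia to emit a groups claim for this client) or add a comment next to `# OIDC using authelia` stating that access control for Mealie lives in Authelia's client configuration. As a style point, the Compose specification recommends quoting boolean-looking environment values, `OIDC_AUTH_ENABLED: "true"` and `OIDC_SIGNUP_ENABLED: "false"`, so a YAML loader cannot retype them.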
@@ -0,0 +1,22 @@
+services:
+ pdf:
+ extends:
+ file: ${TEMPLATES_PATH}
+ service: default
+ image: bentopdf/bentopdf-simple
+ container_name: pdf
+ ports:
+ - '4003:8080'
+ networks:
+ - ip6net
+ labels:
+ # Watchtower
+ - "com.centurylinklabs.watchtower.enable=true"
+ # Traefik
+ - "traefik.enable=true"
+ - "traefik.http.routers.pdf.rule=Host(`pdf.${PUBLIC_DOMAIN}`)"
+ - "traefik.http.routers.pdf.entrypoints=https"
+ - "traefik.http.routers.pdf.tls.certresolver=myresolver"
+ - "traefik.http.routers.pdf.tls=true"
+ # Middlewares
+ - "traefik.http.routers.pdf.middlewares=crowdsec-bouncer@file, authelia@file"
diff --git a/project/service/stirling-pdf/stirling-pdf.yml b/project/service/stirling-pdf/stirling-pdf.yml
deleted file mode 100644
index 0d3bc8b..0000000
--- a/project/service/stirling-pdf/stirling-pdf.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-services:
- stirling-pdf:
- extends:
- file: ${TEMPLATES_PATH}
- service: default
- image: frooodle/s-pdf:latest
- container_name: stirling-pdf
- ports:
- - '4003:8080'
- networks:
- - ip6net
- volumes:
- - ${SERVICE_PATH}/stirling-pdf/data:/usr/share/tesseract-ocr/4.00/tessdata #Required for extra OCR languages
- - ${SERVICE_PATH}/stirling-pdf/config:/configs
- # - /location/of/customFiles:/customFiles/
- labels:
- # Watchtower
- - "com.centurylinklabs.watchtower.enable=true"
- # Traefik
- - "traefik.enable=true"
- - "traefik.http.routers.stirling-pdf.rule=Host(`stirling-pdf.${PUBLIC_DOMAIN}`)"
- - "traefik.http.routers.stirling-pdf.entrypoints=https"
- - "traefik.http.routers.stirling-pdf.tls.certresolver=myresolver"
- - "traefik.http.routers.stirling-pdf.tls=true"
- # Middlewares
- - "traefik.http.routers.stirling-pdf.middlewares=crowdsec-bouncer@file, authelia@file"
\ No newline at end of file
diff --git a/project/service/vaultwarden/vaultwarden.yml b/project/service/vaultwarden/vaultwarden.yml
index d56f8eb..8187f78 100644
--- a/project/service/vaultwarden/vaultwarden.yml
+++ b/project/service/vaultwarden/vaultwarden.yml
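Review bot: `image: bentopdf/bentopdf-simple` carries no tag and the service opts into Watchtower via `com.centurylinklabs.watchtower.enable=true`, so whatever is pushed to the image's default tag upstream is pulled and started without anyone looking at it; for a container that sits behind `authelia@file` and presumably processes uploaded documents, pin the image, `image: bentopdf/bentopdf-simple:<pinned-tag>` (or an `@sha256:` digest), so updates follow an explicit version bump. The deleted stirling-pdf.yml had the same exposure with `:latest`, so this is not a regression, but the new file is the place to fix it. A header comment above `services:` such as `# BentoPDF replaces Stirling-PDF; keeps host port 4003, hostname changes from stirling-pdf. to pdf.` would tell the next reader why the router name and Host rule differ from the removed file.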
@@ -18,7 +18,7 @@ services:
SSO_AUTHORITY: https://auth.${PUBLIC_DOMAIN} SSO_SCOPES: profile email offline_access SSO_CLIENT_ID: vaultwarden - SSO_CLIENT_SECRET: ${VAULTWARDEN_SSO_SECRET} + SSO_CLIENT_SECRET: ${VAULTWARDEN_OIDC_CLIENT_SECRET} volumes: - ${EXTERNAL_STORAGE}/passwords:/data/ labels: