replace stirling pdf, sso for multiple app, cleanup

docker-compose.yml

@@ -60,7 +60,7 @@ include:
       # - ${SERVICE_PATH}/ollama/ollama.yml
       - ${SERVICE_PATH}/paperless-ngx/paperless-ngx.yml
       - ${SERVICE_PATH}/radicale/radicale.yml
-      - ${SERVICE_PATH}/stirling-pdf/stirling-pdf.yml
+      - ${SERVICE_PATH}/pdf/pdf.yml
       - ${SERVICE_PATH}/vaultwarden/vaultwarden.yml
       - ${SERVICE_PATH}/vikunja/vikunja.yml
     env_file: ${SERVICE_PATH}/.env

project/media/navidrome/navidrome.yml

@@ -12,6 +12,9 @@ services:
     volumes:
       - ${MEDIA_PATH}/navidrome/data:/data
       - ${EXTERNAL_STORAGE}/media/music:/music:ro
+    environment:
+      ND_REVERSEPROXYWHITELIST: 0.0.0.0/0
+      ND_ENABLEUSEREDITING: false
     labels:
       # Watchtower
       - "com.centurylinklabs.watchtower.enable=true"
@@ -21,4 +24,8 @@ services:
       - "traefik.http.routers.navidrome.entrypoints=https"
       - 'traefik.http.routers.navidrome.tls=true'
       # Middlewares
-      - "traefik.http.routers.navidrome.middlewares=crowdsec-bouncer@file"
+      - "traefik.http.routers.navidrome.middlewares=crowdsec-bouncer@file, authelia@file"
+      # Subsonic endpoint use basic authentication middleware from authelia
+      - "traefik.http.routers.navidrome-subsonic.rule=Host(`navidrome.${PUBLIC_DOMAIN}`) && PathPrefix(`/rest/`) && !Query(`c`, `NavidromeUI`)"
+      - "traefik.http.routers.navidrome-subsonic.entrypoints=https"
+      - "traefik.http.routers.navidrome-subsonic.middlewares=crowdsec-bouncer@file, authelia-basicauth@file, subsonic-basicauth@file"

project/service/freshrss/freshrss.yml

@@ -8,7 +8,7 @@ services:
     ports:
       - 4014:80
     networks:
-      - ip4net
+      - ip6net
     volumes:
       - ${SERVICE_PATH}/freshrss/data:/var/www/FreshRSS/data
       - ${SERVICE_PATH}/freshrss/extensions:/var/www/FreshRSS/extensions
@@ -20,9 +20,9 @@ services:
       - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
-      - "traefik.http.routers.freshrss.rule=Host(`rss.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.freshrss.rule=Host(`rss.${PUBLIC_DOMAIN}`)"
       - "traefik.http.routers.freshrss.entrypoints=https"
       - "traefik.http.routers.freshrss.tls=true"
-      #- "traefik.http.routers.freshrss.tls.certresolver=myresolver"
+      - "traefik.http.routers.freshrss.tls.certresolver=myresolver"
       # Middlewares
-      #- "traefik.http.routers.freshrss.middlewares=crowdsec-bouncer@file"
+      - "traefik.http.routers.freshrss.middlewares=crowdsec-bouncer@file"

project/service/linkwarden/linkwarden.yml

@@ -14,10 +14,15 @@ services:
       - ${SERVICE_PATH}/linkwarden/data:/data/data
     environment:
       - DATABASE_URL=postgresql://linkwarden:${LINKWARDEN_DATABASE_PASSWORD}@postgres:5432/linkwarden
-      - NEXTAUTH_URL=https://linkwarden.${PUBLIC_DOMAIN}
+      - NEXTAUTH_URL=https://linkwarden.${PUBLIC_DOMAIN}/api/v1/auth
       - NEXTAUTH_SECRET=${LINKWARDEN_NEXTAUTH_SECRET}
       - MEILI_MASTER_KEY=${LINKWARDEN_MEILI_MASTER_KEY}
       - MEILI_HOST=http://meilisearch:7700
+      - NEXT_PUBLIC_DISABLE_REGISTRATION=true
+      - NEXT_PUBLIC_AUTHELIA_ENABLED=true
+      - AUTHELIA_WELLKNOWN_URL=https://auth.${PUBLIC_DOMAIN}/.well-known/openid-configuration
+      - AUTHELIA_CLIENT_ID=linkwarden
+      - AUTHELIA_CLIENT_SECRET=${LINKWARDEN_OIDC_CLIENT_SECRET}
     labels:
       # Watchtower
       - "com.centurylinklabs.watchtower.enable=true"
@@ -26,6 +31,7 @@ services:
       - "traefik.http.routers.linkwarden.rule=Host(`linkwarden.${PUBLIC_DOMAIN}`)"
       - "traefik.http.routers.linkwarden.entrypoints=https"
       - "traefik.http.routers.linkwarden.tls=true"
+
   meilisearch:
     extends:
       file: ${TEMPLATES_PATH}

project/service/mealie/mealie.yml

@@ -21,18 +21,13 @@ services:
       POSTGRES_SERVER: postgres
       POSTGRES_PORT: 5432
       POSTGRES_DB: mealie
-      # LDAP Authentication
+      # OIDC using authelia
-      LDAP_AUTH_ENABLED: true
+      OIDC_AUTH_ENABLED: true
-      LDAP_SERVER_URL: ldap://lldap:3890
+      OIDC_SIGNUP_ENABLED: false 
-      LDAP_BASE_DN: ou=people,dc=${SECOND_LEVEL_DOMAIN},dc=${TOP_LEVEL_DOMAIN}
+      OIDC_CONFIGURATION_URL: https://auth.${PUBLIC_DOMAIN}/.well-known/openid-configuration
-      LDAP_ID_ATTRIBUTE: uid
+      OIDC_CLIENT_ID: mealie
-      LDAP_NAME_ATTRIBUTE: displayName
+      OIDC_CLIENT_SECRET: ${MEALIE_OIDC_CLIENT_SECRET} 
-      LDAP_MAIL_ATTRIBUTE: mail
+      OIDC_AUTO_REDIRECT: false
-      LDAP_QUERY_BIND: cn=readonly_user,ou=people,dc=${SECOND_LEVEL_DOMAIN},dc=${TOP_LEVEL_DOMAIN}
-      LDAP_QUERY_PASSWORD: ${LLDAP_READONLY_USER_PASSWORD}
-      # LDAP_USER_FILTER: (memberof=cn=mealie,ou=groups,dc=example,dc=com)
-      # LDAP_ADMIN_FILTER: (memberof=cn=mealie-admin,ou=groups,dc=example,dc=com)
-
     labels:
       # Watchtower
       - "com.centurylinklabs.watchtower.enable=true"
@@ -43,4 +38,4 @@ services:
       - "traefik.http.routers.mealie.tls.certresolver=myresolver"
       - "traefik.http.routers.mealie.tls=true"
       # Middlewares
-      - "traefik.http.routers.mealie.middlewares=crowdsec-bouncer@file"
+      - "traefik.http.routers.mealie.middlewares=crowdsec-bouncer@file"

project/service/pdf/pdf.yml

@@ -0,0 +1,22 @@
+services:
+  pdf:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: bentopdf/bentopdf-simple
+    container_name: pdf
+    ports:
+      - '4003:8080'
+    networks:
+      - ip6net
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.pdf.rule=Host(`pdf.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.pdf.entrypoints=https"
+      - "traefik.http.routers.pdf.tls.certresolver=myresolver"
+      - "traefik.http.routers.pdf.tls=true"
+      # Middlewares
+      - "traefik.http.routers.pdf.middlewares=crowdsec-bouncer@file, authelia@file"

project/service/stirling-pdf/stirling-pdf.yml

@@ -1,26 +0,0 @@
-services:
-  stirling-pdf:
-    extends:
-      file: ${TEMPLATES_PATH}
-      service: default
-    image: frooodle/s-pdf:latest
-    container_name: stirling-pdf
-    ports:
-      - '4003:8080'
-    networks:
-      - ip6net
-    volumes:
-      - ${SERVICE_PATH}/stirling-pdf/data:/usr/share/tesseract-ocr/4.00/tessdata #Required for extra OCR languages
-      - ${SERVICE_PATH}/stirling-pdf/config:/configs
-    #  - /location/of/customFiles:/customFiles/
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
-      # Traefik
-      - "traefik.enable=true"
-      - "traefik.http.routers.stirling-pdf.rule=Host(`stirling-pdf.${PUBLIC_DOMAIN}`)"
-      - "traefik.http.routers.stirling-pdf.entrypoints=https"
-      - "traefik.http.routers.stirling-pdf.tls.certresolver=myresolver"
-      - "traefik.http.routers.stirling-pdf.tls=true"
-      # Middlewares
-      - "traefik.http.routers.stirling-pdf.middlewares=crowdsec-bouncer@file, authelia@file"

project/service/vaultwarden/vaultwarden.yml

@@ -18,7 +18,7 @@ services:
       SSO_AUTHORITY: https://auth.${PUBLIC_DOMAIN}
       SSO_SCOPES: profile email offline_access
       SSO_CLIENT_ID: vaultwarden
-      SSO_CLIENT_SECRET: ${VAULTWARDEN_SSO_SECRET}
+      SSO_CLIENT_SECRET: ${VAULTWARDEN_OIDC_CLIENT_SECRET}
     volumes:
       - ${EXTERNAL_STORAGE}/passwords:/data/
     labels: