Update n8nio/n8n Docker tag to v2.12.2

Reviewed-on: #150

.gitignore

@@ -0,0 +1,18 @@
+ # ignore ALL .log files
+*.env
+*.log
+
+# ignore submodules
+project/service/overleaf-toolkit
+project/service/superset
+
+# ignore ALL files in ANY directory named temp
+data/
+secrets/
+letsencrypt/ 
+config/
+certs/
+init/
+meili_data/
+log-dashboard/
+mousehole/

LICENSE

@@ -0,0 +1,7 @@
+Copyright 2025 chriswin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -0,0 +1,3 @@
+## Home network:
+
+![Alt text](Crescentec-network.excalidraw.svg?raw=true "Title")

docker-compose.yml

@@ -3,14 +3,13 @@
 
 # Here I will include all "child" docker compose files that I need.
 # The paths can relative to this file or absolue. I've used INCLUDE_PATH variable to make it more cofigurable.
-# Whenever I need to remove some service then I can comment out the lines here. 
+# Whenever I need to remove some service then I can comment out the lines here.
 include:
   - path:
       - ${DB_PATH}/adminer/adminer.yml
+      - ${DB_PATH}/databasus/databasus.yml
       - ${DB_PATH}/lldap/lldap.yml
       - ${DB_PATH}/mariadb/mariadb.yml
-      - ${DB_PATH}/mongodb/mongodb.yml
-      - ${DB_PATH}/mongo-express/mongo-express.yml
       - ${DB_PATH}/postgres/postgres.yml
       - ${DB_PATH}/pgadmin/pgadmin.yml
       - ${DB_PATH}/redis/redis.yml
@@ -18,48 +17,67 @@ include:
 
   - path:
       - ${INFRA_PATH}/authelia/authelia.yml
-      - ${INFRA_PATH}/crowdsec/crowdsec.yml
       - ${INFRA_PATH}/homepage/homepage.yml
+      - ${INFRA_PATH}/ntfy/ntfy.yml
       - ${INFRA_PATH}/speedtest/speedtest.yml
       - ${INFRA_PATH}/syncthing/syncthing.yml
       - ${INFRA_PATH}/traefik/traefik.yml
       - ${INFRA_PATH}/uptime-kuma/uptime-kuma.yml
-      - ${INFRA_PATH}/watchtower/watchtower.yml
     env_file: ${INFRA_PATH}/.env
 
   - path:
       - ${MONITORING_PATH}/dozzle/dozzle.yml
       - ${MONITORING_PATH}/grafana/grafana.yml
+      - ${MONITORING_PATH}/loki/loki.yml
       - ${MONITORING_PATH}/prometheus/prometheus.yml
     env_file: ${MONITORING_PATH}/.env
 
   - path:
+      - ${MEDIA_PATH}/audiobookshelf/audiobookshelf.yml
+      - ${MEDIA_PATH}/calibre/calibre.yml
       - ${MEDIA_PATH}/immich/immich.yml
+      - ${MEDIA_PATH}/kiwix/kiwix.yml
+      - ${MEDIA_PATH}/lidarr/lidarr.yml
+      - ${MEDIA_PATH}/navidrome/navidrome.yml
+      - ${MEDIA_PATH}/prowlarr/prowlarr.yml
+      - ${MEDIA_PATH}/qbittorrent/qbittorrent.yml
+      - ${MEDIA_PATH}/readarr/readarr.yml
+      - ${MEDIA_PATH}/slskd/slskd.yml
+      - ${MEDIA_PATH}/soularr/soularr.yml
     env_file: ${MEDIA_PATH}/.env
 
   - path:
+      - ${SERVICE_PATH}/freshrss/freshrss.yml
       - ${SERVICE_PATH}/gitea/gitea.yml
+      - ${SERVICE_PATH}/home-assistant/home-assistant.yml
+      - ${SERVICE_PATH}/ghost/ghost.yml
       - ${SERVICE_PATH}/it-tools/it-tools.yml
+      - ${SERVICE_PATH}/jupyter-notebook/jupyter-notebook.yml
+      - ${SERVICE_PATH}/linkwarden/linkwarden.yml
       - ${SERVICE_PATH}/mealie/mealie.yml
-      - ${SERVICE_PATH}/overleaf/overleaf.yml
+      - ${SERVICE_PATH}/n8n/n8n.yml
+      # - ${SERVICE_PATH}/ollama/ollama.yml
       - ${SERVICE_PATH}/paperless-ngx/paperless-ngx.yml
-      - ${SERVICE_PATH}/shlink/shlink.yml
-      - ${SERVICE_PATH}/stirling-pdf/stirling-pdf.yml
+      - ${SERVICE_PATH}/radicale/radicale.yml
+      - ${SERVICE_PATH}/pdf/pdf.yml
+      - ${SERVICE_PATH}/vaultwarden/vaultwarden.yml
       - ${SERVICE_PATH}/vikunja/vikunja.yml
     env_file: ${SERVICE_PATH}/.env
 
 networks:
-  private:
+  ip4net:
     driver: bridge
-    name: private
-    ipam:
-      config:
-        - subnet: 10.5.0.0/16
-          gateway: 10.5.0.1
-  public:
-    driver: bridge
-    name: public
+    name: ip4net
     ipam:
       config:
         - subnet: 10.6.0.0/16
-          gateway: 10.6.0.1
+  ip6net:
+    driver: bridge
+    name: ip6net
+    enable_ipv6: true
+    ipam:
+      driver: default
+      # config:
+      #   # - subnet: "2a04:ee41:86:9397::/64"
+      #   - subnet: "2001:db8:2:/64"
+      #   - gateway: "2001:db8:2::1"

project/db/adminer/adminer.yml

@@ -3,15 +3,15 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: adminer:latest
+    image: adminer:5.4.2
     container_name: adminer
     ports:
       - 8085:8080
+    networks:
+      - ip4net
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.adminer.rule=Host(`adminer.${LOCAL_DOMAIN}`)"
       - "traefik.http.routers.adminer.entrypoints=https"
-      - "traefik.http.routers.adminer.tls=true"
+      - "traefik.http.routers.adminer.tls=true"

project/db/databasus/databasus.yml

@@ -0,0 +1,19 @@
+services:
+  databasus:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: databasus/databasus:v3.19.2
+    container_name: databasus
+    ports:
+      - 8086:4005
+    networks:
+      - ip4net
+    volumes:
+      - ${DB_PATH}/databasus/data:/databasus-data
+    labels:
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.databasus.rule=Host(`databasus.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.databasus.entrypoints=https"
+      - "traefik.http.routers.databasus.tls=true"

project/db/lldap/lldap.yml

@@ -10,7 +10,7 @@ services:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: lldap
-    image: lldap/lldap:latest
+    image: lldap/lldap:2025-12-24
     ports:
       # For LDAP, not recommended to expose, see Usage section.
       - "3890:3890"
@@ -18,6 +18,9 @@ services:
       # - "6360:6360"
       # For the web front-end
       - "17170:17170"
+    networks:
+      - ip6net
+      - ip4net
     volumes:
       - "${DB_PATH}/lldap/data:/data"
     environment:
@@ -31,16 +34,11 @@ services:
       # You can also set a different database:
       - LLDAP_DATABASE_URL=postgres://lldap:${LLDAP_DB_PASSWORD}@postgres/lldap
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.lldap.rule=Host(`ldap.${PUBLIC_DOMAIN}`)"
       - "traefik.http.routers.lldap.entrypoints=https"
       - "traefik.http.routers.lldap.tls=true"
-      - "traefik.http.routers.lldap.tls.certresolver=myresolver"
       - "traefik.http.routers.lldap.service=lldap-service"
       - "traefik.http.services.lldap-service.loadbalancer.server.port=17170"
       - "traefik.http.services.lldap-service.loadbalancer.server.scheme=http"
-      # middlewares
-      - "traefik.http.routers.lldap.middlewares=crowdsec-bouncer@file"

project/db/mariadb/mariadb.yml

@@ -3,15 +3,14 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: mariadb:latest
+    image: mariadb:12.2.2
     container_name: mariadb
     command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
+    networks:
+      - ip4net
     environment:
       MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
     volumes:
       - ${DB_PATH}/mariadb/data:/var/lib/mysql
       # init db
       - ${DB_PATH}/mariadb/init:/docker-entrypoint-initdb.d
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"

project/db/mongo-express/mongo-express.yml

@@ -1,23 +0,0 @@
-services:
-  mongo-express:
-    extends:
-      file: ${TEMPLATES_PATH}
-      service: default
-    image: mongo-express
-    container_name: mongo-express
-    ports:
-      - 8086:8081
-    environment:
-      ME_CONFIG_BASICAUTH_USERNAME: ${MONGO_EXPRESS_USERNAME}
-      ME_CONFIG_BASICAUTH_PASSWORD: ${MONGO_EXPRESS_PASSWORD}
-      ME_CONFIG_MONGODB_ADMINUSERNAME: ${MONGO_EXPRESS_USERNAME}
-      ME_CONFIG_MONGODB_ADMINPASSWORD: ${MONGO_EXPRESS_PASSWORD}
-      ME_CONFIG_MONGODB_URL: mongodb://${MONGO_DB_USERNAME}:${MONGO_DB_ROOT_PASSWORD}@mongodb:27017/
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
-      # Traefik
-      - "traefik.enable=true"
-      - "traefik.http.routers.mongo-express.rule=Host(`mongo-express.${LOCAL_DOMAIN}`)"
-      - "traefik.http.routers.mongo-express.entrypoints=https"
-      - "traefik.http.routers.mongo-express.tls=true"

project/db/mongodb/mongodb.yml

@@ -1,18 +0,0 @@
-services:
-  mongodb:
-    extends:
-      file: ${TEMPLATES_PATH}
-      service: default
-    image: mongo:latest
-    container_name: mongodb
-    expose:
-      - 27017
-    environment:
-      MONGO_INITDB_ROOT_USERNAME: ${MONGO_DB_USERNAME}
-      MONGO_INITDB_ROOT_PASSWORD: ${MONGO_DB_ROOT_PASSWORD}
-    volumes:
-      - ${DB_PATH}/mongodb/data:/data/db
-      - ${DB_PATH}/mongodb/init/mongo-init.sh:/docker-entrypoint-initdb.d/mongo-init.sh:ro
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"

project/db/pgadmin/pgadmin.yml

@@ -7,9 +7,11 @@ services:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: pgadmin
-    image: dpage/pgadmin4:latest
+    image: dpage/pgadmin4:9.13.0
     ports:
       - 8082:80
+    networks:
+      - ip4net
     secrets: [pgadmin_default_password]
     volumes:
       - ${DB_PATH}/pgadmin/data:/var/lib/pgadmin
@@ -17,10 +19,8 @@ services:
       PGADMIN_DEFAULT_EMAIL: ${EMAIL}
       PGADMIN_DEFAULT_PASSWORD_FILE: /run/secrets/pgadmin_default_password
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.pgadmin.rule=Host(`pgadmin.${LOCAL_DOMAIN}`)"
       - "traefik.http.routers.pgadmin.entrypoints=https"
-      - "traefik.http.routers.pgadmin.tls=true"
+      - "traefik.http.routers.pgadmin.tls=true"

project/db/postgres/postgres.yml

@@ -1,4 +1,4 @@
-secrets:  
+secrets:
   postgres_default_password:
     file: ${DB_PATH}/postgres/secrets/default_password.txt
 services:
@@ -7,9 +7,12 @@ services:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: postgres
-    image: postgres:latest
+    image: postgres:16.11
     ports:
       - 5432:5432
+    networks:
+      - ip4net
+      - ip6net
     secrets: [postgres_default_password]
     environment:
       POSTGRES_PASSWORD_FILE: /run/secrets/postgres_default_password
@@ -20,18 +23,18 @@ services:
     volumes:
       - ${DB_PATH}/postgres/data/postgres:/var/lib/postgresql/data
       - ${DB_PATH}/postgres/init/postgres:/docker-entrypoint-initdb.d
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
 
   postgres-with-pg-vector:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: postgres-with-pg-vector
-    image: tensorchord/pgvecto-rs:pg16-v0.1.11
+    image: tensorchord/pgvecto-rs:pg16-v0.3.0
     ports:
       - 5433:5432
+    networks:
+      - ip4net
+      - ip6net
     secrets: [postgres_default_password]
     environment:
       POSTGRES_PASSWORD_FILE: /run/secrets/postgres_default_password
@@ -42,6 +45,3 @@ services:
     volumes:
       - ${DB_PATH}/postgres/data/postgres-with-pg-vector:/var/lib/postgresql/data
       - ${DB_PATH}/postgres/init/postgres-with-pg-vector:/docker-entrypoint-initdb.d
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"

project/db/redis/redis.yml

@@ -4,9 +4,9 @@ services:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: redis
-    image: redis:latest
+    image: redis:8.6.1
+    networks:
+      - ip4net
+      - ip6net
     volumes:
       - ${DB_PATH}/redis/data:/data
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"

project/infrastructure/authelia/authelia.yml

@@ -13,29 +13,30 @@ services:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: authelia
-    image: authelia/authelia:latest
+    image: authelia/authelia:4.39.15
+    ports:
+      - 9959:9959 # metrics prometheus
+    networks:
+      - ip6net
     expose:
       - 9091
-    secrets: [JWT_SECRET, SESSION_SECRET, STORAGE_PASSWORD, STORAGE_ENCRYPTION_KEY]
+    secrets:
+      [JWT_SECRET, SESSION_SECRET, STORAGE_PASSWORD, STORAGE_ENCRYPTION_KEY]
     environment:
       AUTHELIA_JWT_SECRET_FILE: /run/secrets/JWT_SECRET
       AUTHELIA_SESSION_SECRET_FILE: /run/secrets/SESSION_SECRET
       AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /run/secrets/STORAGE_PASSWORD
       AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/STORAGE_ENCRYPTION_KEY
-      AUTHELIA_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN} # this does not work for access control or openID yet
-      AUTHELIA_LOCAL_DOMAIN: ${LOCAL_DOMAIN} # this does not work for access control or openID yet
+      # AUTHELIA_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN} # this does not work for access control or openID yet
+      # AUTHELIA_LOCAL_DOMAIN: ${LOCAL_DOMAIN} # this does not work for access control or openID yet
     volumes:
       - ${INFRA_PATH}/authelia/config:/config
+      - "/var/log/authelia/:/config/log"
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
-      - 'traefik.enable=true'
-      - 'traefik.http.routers.authelia.rule=Host(`auth.${PUBLIC_DOMAIN}`)'
-      - "traefik.http.routers.authelia.tls.certresolver=myresolver"
-      - 'traefik.http.routers.authelia.entryPoints=https'
-      - 'traefik.http.routers.authelia.tls=true'
-      - 'traefik.http.routers.authelia.service=authelia-svc'
-      - 'traefik.http.services.authelia-svc.loadbalancer.server.port=9091'
-      # Middleware
-      - "traefik.http.routers.authelia.middlewares=crowdsec-bouncer@file"
+      - "traefik.enable=true"
+      - "traefik.http.routers.authelia.rule=Host(`auth.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.authelia.entryPoints=https"
+      - "traefik.http.routers.authelia.tls=true"
+      - "traefik.http.routers.authelia.service=authelia-svc"
+      - "traefik.http.services.authelia-svc.loadbalancer.server.port=9091"

project/infrastructure/crowdsec/crowdsec.yml

@@ -4,36 +4,21 @@ services:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: crowdsec
-    image: crowdsecurity/crowdsec:latest
-    environment:
-      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve"
-    expose:
-      - 8080
-    ports:
-      - 6060:6060
-    volumes:
-      - ${INFRA_PATH}/crowdsec/data:/var/lib/crowdsec/data
-      - ${INFRA_PATH}/crowdsec/config:/etc/crowdsec
-      - /var/log/auth.log:/var/log/auth.log:ro
-      - /var/log/crowdsec:/var/log/crowdsec:ro
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
-
-  crowdsec-traefik-bouncer:
-    extends:
-      file: ${TEMPLATES_PATH}
-      service: default
-    image: fbonalair/traefik-crowdsec-bouncer:latest
-    container_name: bouncer-traefik
+    image: crowdsecurity/crowdsec:v1.7.6
     environment:
+      COLLECTIONS: crowdsecurity/traefik crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules crowdsecurity/http-cve
       CROWDSEC_BOUNCER_API_KEY: ${CROWDSEC_API_KEY}
-      CROWDSEC_AGENT_HOST: crowdsec:8080
-      GIN_MODE: release
-    expose:
-      - 8080
-    depends_on:
-      - crowdsec
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
+      CUSTOM_HOSTNAME: crowdsec
+    ports:
+      - 6061:8080
+      - 6060:6060
+    networks:
+      - ip4net
+      - ip6net
+    volumes:
+      - ${INFRA_PATH}/crowdsec/config/acquis.yaml:/etc/crowdsec/acquis.yaml:ro
+      - ${INFRA_PATH}/crowdsec/config:/etc/crowdsec
+      - ${INFRA_PATH}/crowdsec/data:/var/lib/crowdsec/data
+      - /var/log/crowdsec:/var/log/crowdsec:ro
+      - /var/log/syslog:/var/log/syslog:ro
+      - /var/log/kern.log:/var/log/kern.log:ro

project/infrastructure/homepage/homepage.yml

@@ -3,23 +3,26 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: ghcr.io/gethomepage/homepage:latest
+    image: ghcr.io/gethomepage/homepage:v1.10.1
     container_name: homepage
     ports:
       - 3030:3000
+    networks:
+      - ip4net
     environment:
       HOMEPAGE_VAR_LOCAL_DOMAIN: ${LOCAL_DOMAIN}
       HOMEPAGE_VAR_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN}
+      HOMEPAGE_VAR_LOCAL_VPS_DOMAIN: ${VPS_DOMAIN}
+      HOMEPAGE_ALLOWED_HOSTS: homepage.${LOCAL_DOMAIN}, 192.168.178.35:3030
     volumes:
       - ${INFRA_PATH}/homepage/config:/app/config
       - ${INFRA_PATH}/homepage/data/images:/app/public/images
       - ${INFRA_PATH}/homepage/data/icons:/app/public/icons
+      - ${EXTERNAL_STORAGE}:/disks/e
       - /var/run/docker.sock:/var/run/docker.sock:ro # optional, for docker integrations
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.homepage.rule=Host(`homepage.${LOCAL_DOMAIN}`)"
       - "traefik.http.routers.homepage.entrypoints=https"
-      - "traefik.http.routers.homepage.tls=true"
+      - "traefik.http.routers.homepage.tls=true"

project/infrastructure/ntfy/ntfy.yml

@@ -0,0 +1,23 @@
+services:
+  ntfy:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    container_name: ntfy
+    image: binwiederhier/ntfy:v2.18.0
+    ports:
+      - "4023:80"
+    networks:
+      - ip4net
+    command:
+      - serve
+    volumes:
+      - /var/cache/ntfy:/var/cache/ntfy
+      - ${INFRA_PATH}/ntfy/config:/etc/ntfy
+      - ${INFRA_PATH}/ntfy/data:/var/lib/ntfy
+    labels:
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.ntfy.rule=Host(`ntfy.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.ntfy.entrypoints=https"
+      - "traefik.http.routers.ntfy.tls=true"

project/infrastructure/speedtest/speedtest.yml

@@ -4,25 +4,16 @@ services:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: speedtest
-    image: ghcr.io/librespeed/speedtest:latest
-    environment:
-      MODE: standalone
-      TITLE: "LibreSpeed"
-      #TELEMETRY: "false"
-      #ENABLE_ID_OBFUSCATION: "false"
-      #REDACT_IP_ADDRESSES: "false"
-      #PASSWORD:
-      #EMAIL:
-      #DISABLE_IPINFO: "false"
-      #DISTANCE: "km"
-      #WEBPORT: 80
+    image: openspeedtest/latest:v2.0.6
     ports:
-      - "4001:80" # webport mapping (host:container)
+      - "4001:3001" # webport mapping (host:container)
+      - "3999:3001" # webport mapping (host:container)
+    networks:
+      - ip4net
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.speedtest.rule=Host(`speedtest.${LOCAL_DOMAIN}`)"
       - "traefik.http.routers.speedtest.entrypoints=https"
-      - 'traefik.http.routers.speedtest.tls=true'
+      - "traefik.http.routers.speedtest.tls=true"
+      - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=10000000000"

project/infrastructure/syncthing/syncthing.yml

@@ -3,25 +3,25 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: syncthing/syncthing
+    image: syncthing/syncthing:2.0.15
     container_name: syncthing
     volumes:
+      - ${EXTERNAL_STORAGE}/notes/Obsidian-sync:/var/syncthing-data/Obsidian-sync
+      - ${EXTERNAL_STORAGE}/media/pictures/to-sort:/var/syncthing-data/picture-phone
       - ${INFRA_PATH}/syncthing/data:/var/syncthing
     ports:
       - 8384:8384 # Web UI
       - 22000:22000/tcp # TCP file transfers
       - 22000:22000/udp # QUIC file transfers
       - 21027:21027/udp # Receive local discovery broadcasts
+    networks:
+      - ip4net
+      - ip6net
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
-      - "traefik.http.routers.syncthing.rule=Host(`syncthing.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.syncthing.rule=Host(`syncthing.${LOCAL_DOMAIN}`)"
       - "traefik.http.routers.syncthing.entrypoints=https"
-      - "traefik.http.routers.syncthing.tls.certresolver=myresolver"
       - "traefik.http.routers.syncthing.tls=true"
       - "traefik.http.routers.syncthing.service=syncthing-svc"
       - "traefik.http.services.syncthing-svc.loadbalancer.server.port=8384"
-      # Middlewares
-      - "traefik.http.routers.syncthing.middlewares=crowdsec-bouncer@file"

project/infrastructure/traefik/traefik.yml

@@ -3,25 +3,31 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: "traefik:latest"
-    container_name: "traefik"
+    image: traefik:v3.6.10
+    container_name: traefik
     ports:
       - "80:80"
       - "443:443"
       - "8079:8080"
+    networks:
+      - ip6net
+      - ip4net
     environment:
+      TRAEFIK_EMAIL: ${EMAIL}
       TRAEFIK_LOCAL_DOMAIN: ${LOCAL_DOMAIN}
+      TRAEFIK_VPS_DOMAIN: ${VPS_DOMAIN}
       TRAEFIK_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN}
       TRAEFIK_AUTH_PUBLIC_DOMAIN: auth.${PUBLIC_DOMAIN}
+      INFOMANIAK_ACCESS_TOKEN: ${INFOMANIAK_CERTIFICATE_ACCESS_TOKEN}
     volumes:
-      - "/var/log/crowdsec/:/var/log/crowdsec/"
+      - "/var/log/traefik/:/var/log/traefik/"
       - "/var/run/docker.sock:/var/run/docker.sock:ro"
       - "${INFRA_PATH}/traefik/letsencrypt:/letsencrypt"
       - "${INFRA_PATH}/traefik/config:/etc/traefik"
       - "${INFRA_PATH}/traefik/certs:/etc/certs"
+      - "${INFRA_PATH}/traefik/html/ban.html:/ban.html"
+      - "${INFRA_PATH}/traefik/html/captcha.html:/captcha.html"
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.traefik.service=api@internal"
@@ -33,15 +39,13 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: traefik/whoami:latest
-    container_name: "traefik-whoami"
+    image: traefik/whoami:v1.11
+    container_name: traefik-whoami
+    networks:
+      - ip4net
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # traefik
       - "traefik.enable=true"
-      - "traefik.http.routers.whoami.rule=Host(`whoami.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.whoami.rule=Host(`whoami.${LOCAL_DOMAIN}`)"
       - "traefik.http.routers.whoami.entrypoints=https"
-      - 'traefik.http.routers.whoami.tls=true'
-      - "traefik.http.routers.whoami.tls.certresolver=myresolver"
-      - "traefik.http.routers.whoami.middlewares=authelia@file,crowdsec-bouncer@file"
+      - "traefik.http.routers.whoami.tls=true"

project/infrastructure/uptime-kuma/uptime-kuma.yml

@@ -1,19 +1,28 @@
 services:
   uptime-kuma:
-    extends:
-      file: ${TEMPLATES_PATH}
-      service: default
-    image: louislam/uptime-kuma:latest
+    # not using the template because ncsd is not configured to support changing PUID/PGID
+    # https://github.com/louislam/uptime-kuma/issues/4743
+    # extends:
+    #   file: ${TEMPLATES_PATH}
+    #   service: default
+    image: louislam/uptime-kuma:2.2.1
     container_name: uptime-kuma
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges=true
+    environment:
+      TZ: ${TZ}
     volumes:
       - ${INFRA_PATH}/uptime-kuma/config:/app/data
+      - /var/run/docker.sock:/var/run/docker.sock
     ports:
       - 5001:3001
+    networks:
+      - ip4net
+      - ip6net
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.uptime-kuma.rule=Host(`uptime-kuma.${LOCAL_DOMAIN}`)"
       - "traefik.http.routers.uptime-kuma.entrypoints=https"
-      - "traefik.http.routers.uptime-kuma.tls=true"
+      - "traefik.http.routers.uptime-kuma.tls=true"

project/infrastructure/watchtower/watchtower.yml

@@ -1,24 +0,0 @@
-services:
-  watchtower:
-    extends:
-      file: ${TEMPLATES_PATH}
-      service: default
-    image: containrrr/watchtower:latest
-    container_name: watchtower
-    environment:
-      - WATCHTOWER_CLEANUP=true
-      - WATCHTOWER_POLL_INTERVAL=43200 # 12h
-      - WATCHTOWER_INCLUDE_RESTARTING=true
-      - WATCHTOWER_LABEL_ENABLE=true
-      - WATCHTOWER_HTTP_API_METRICS=true
-      - WATCHTOWER_HTTP_API_TOKEN=mytoken
-      - WATCHTOWER_HTTP_API_UPDATE=true
-      - WATCHTOWER_HTTP_API_PERIODIC_POLLS=true
-    ports:
-      - 7999:8080
-    volumes:
-      # - ${INFRA_PATH}/watchtower/config:/config.json
-      - /var/run/docker.sock:/var/run/docker.sock
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"

project/media/audiobookshelf/audiobookshelf.yml

@@ -0,0 +1,21 @@
+services:
+  audiobookshelf:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: ghcr.io/advplyr/audiobookshelf:2.33.0
+    container_name: audiobookshelf
+    ports:
+      - 13378:80
+    networks:
+      - ip6net
+    volumes:
+      - ${AUDIOBOOKSHELF_EXTERNAL_PATH}:/audiobooks
+      - ${MEDIA_PATH}/audiobookshelf/config:/config
+      - ${MEDIA_PATH}/audiobookshelf/data/metadata:/metadata
+    labels:
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.audiobookshelf.rule=Host(`audiobookshelf.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.audiobookshelf.entrypoints=https"
+      - "traefik.http.routers.audiobookshelf.tls=true"

project/media/calibre/calibre.yml

@@ -0,0 +1,49 @@
+services:
+  calibre:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: lscr.io/linuxserver/calibre:9.4.0
+    container_name: calibre
+    environment:
+      - PASSWORD= #optional
+      - CLI_ARGS= #optional
+    volumes:
+      - ${EXTERNAL_STORAGE}/media/books:/config/library
+      - ${MEDIA_PATH}/data/downloaded/books:/config/tosync
+    ports:
+      - 2005:8080 # gui
+      - 2006:8181 # gui https
+      - 2007:8081 # webserver ui
+    networks:
+      - ip4net
+    labels:
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.calibre.rule=Host(`calibre.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.calibre.entrypoints=https"
+      - "traefik.http.routers.calibre.tls=true"
+      - "traefik.http.services.calibre.loadbalancer.server.port=8080"
+
+  calibre-web:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: lscr.io/linuxserver/calibre-web:0.6.26
+    container_name: calibre-web
+    environment:
+      - DOCKER_MODS=linuxserver/mods:universal-calibre #optional
+      #      - OAUTHLIB_RELAX_TOKEN_SCOPE=1 #optional
+    volumes:
+      - ${EXTERNAL_STORAGE}/media/books:/books
+      - ${MEDIA_PATH}/calibre/data:/config
+    ports:
+      - 2008:8083
+    networks:
+      - ip6net
+    labels:
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.calibre-web.rule=Host(`calibre-web.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.calibre-web.entrypoints=https"
+      - "traefik.http.routers.calibre-web.tls=true"

project/media/immich/immich.yml

@@ -4,8 +4,7 @@ services:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: immich_server
-    image: ghcr.io/immich-app/immich-server:release
-    command: [ "start.sh", "immich" ]
+    image: ghcr.io/immich-app/immich-server:v2.5.6
     environment:
       DB_PASSWORD: ${IMMICH_DB_PASSWORD}
       DB_HOSTNAME: postgres-with-pg-vector
@@ -13,52 +12,48 @@ services:
       DB_DATABASE_NAME: immich
       REDIS_HOSTNAME: redis
     volumes:
-      - ${IMMICH_EXTERNAL_PATH}:/usr/src/app/external
+      # to mount the trueNas external library: sudo mount 192.168.178.36:/mnt/hdd-storage/vm-external-storage/immich /mnt/external-storage/immich/
+      - ${IMMICH_EXTERNAL_PATH}:/usr/src/app/external:ro
       - ${MEDIA_PATH}/immich/data/library:/usr/src/app/upload
       - /etc/localtime:/etc/localtime:ro
     ports:
       - 2283:3001
+    networks:
+      - ip6net
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.immich-server.rule=Host(`immich.${PUBLIC_DOMAIN}`)"
       - "traefik.http.routers.immich-server.entrypoints=https"
-      - "traefik.http.routers.immich-server.tls.certresolver=myresolver"
-      - 'traefik.http.routers.immich-server.tls=true'
-      # Middlewares
-      - "traefik.http.routers.immich-server.middlewares=crowdsec-bouncer@file"
-
-  immich-microservices:
-    extends:
-      file: ${TEMPLATES_PATH}
-      service: default
-    container_name: immich_microservices
-    image: ghcr.io/immich-app/immich-server:release
-    command: [ "start.sh", "microservices" ]
-    environment:
-      DB_PASSWORD: ${IMMICH_DB_PASSWORD}
-      DB_HOSTNAME: postgres-with-pg-vector
-      DB_USERNAME: immich
-      DB_DATABASE_NAME: immich
-      REDIS_HOSTNAME: redis
-    volumes:
-      - ${IMMICH_EXTERNAL_PATH}:/usr/src/app/external
-      - ${MEDIA_PATH}/immich/data/library:/usr/src/app/upload
-      - /etc/localtime:/etc/localtime:ro
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
+      - "traefik.http.routers.immich-server.tls=true"
 
   immich-machine-learning:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: immich_machine_learning
-    image: ghcr.io/immich-app/immich-machine-learning:release
+    image: ghcr.io/immich-app/immich-machine-learning:v2.5.6
+    ports:
+      - 3003:3003
     volumes:
       - ${MEDIA_PATH}/immich/data/model-cache:/cache
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
+
+  # https://github.com/Salvoxia/immich-folder-album-creator
+  # one time run:
+  # docker run -e -e API_URL="https://immich.${PUBLIC_DOMAIN}/api/" -e API_KEY="qTaebdVMtph9yD0pSJRJDQJkDEpexiXNMJ5V5HBEnA" -e ROOT_PATH="/usr/src/app/external" -e LOG_LEVEL="DEBUG" salvoxia/immich-folder-album-creator:latest /script/immich_auto_album.sh
+  immich-folder-album-creator:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    container_name: immich_folder_album_creator
+    image: salvoxia/immich-folder-album-creator:0.25.1
+    environment:
+      API_URL: https://immich.${PUBLIC_DOMAIN}/api
+      API_KEY: qTaebdVMtph9yD0pSJRJDQJkDEpexiXNMJ5V5HBEnA
+      ROOT_PATH: /usr/src/app/external
+      CRON_EXPRESSION: "0 * * * *"
+      LOG_LEVEL: DEBUG
+      #RUN_IMMEDIATELY: true
+      #UNATTENDED: 1
+    volumes:
+      - /usr/src/app/external:/usr/src/app/external

project/media/kiwix/kiwix.yml

@@ -0,0 +1,22 @@
+services:
+  kiwix:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: ghcr.io/kiwix/kiwix-serve:3.8.1
+    container_name: kiwix
+    ports:
+      - 2009:8080
+    networks:
+      - ip4net
+    volumes:
+      - ${EXTERNAL_STORAGE}/wikipedia/:/data
+    command:
+      - "*.zim"
+    labels:
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.kiwix.rule=Host(`wikipedia.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.kiwix.entrypoints=https"
+      - "traefik.http.routers.kiwix.tls=true"
+      - "traefik.http.services.kiwix.loadbalancer.server.port=8080"

project/media/lidarr/lidarr.yml

@@ -0,0 +1,24 @@
+services:
+  lidarr:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: lscr.io/linuxserver/lidarr:3.1.0
+    container_name: lidarr
+    ports:
+      - 2010:8686
+    networks:
+      - ip4net
+    dns:
+      - 8.8.8.8
+      - 1.1.1.1
+    volumes:
+      - ${MEDIA_PATH}/lidarr/config:/config
+      - ${MEDIA_PATH}/data:/data
+      - ${EXTERNAL_STORAGE}/media/music:/music
+    labels:
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.lidarr.rule=Host(`lidarr.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.lidarr.entrypoints=https"
+      - "traefik.http.routers.lidarr.tls=true"

project/media/navidrome/navidrome.yml

@@ -0,0 +1,29 @@
+services:
+  navidrome:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: deluan/navidrome:0.60.3
+    container_name: navidrome
+    ports:
+      - 2011:4533
+    networks:
+      - ip4net
+    volumes:
+      - ${MEDIA_PATH}/navidrome/data:/data
+      - ${EXTERNAL_STORAGE}/media/music:/music:ro
+    environment:
+      ND_REVERSEPROXYWHITELIST: 0.0.0.0/0
+      ND_ENABLEUSEREDITING: false
+    labels:
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.navidrome.rule=Host(`navidrome.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.navidrome.entrypoints=https"
+      - "traefik.http.routers.navidrome.tls=true"
+      # Middlewares
+      - "traefik.http.routers.navidrome.middlewares=authelia@file"
+      # Subsonic endpoint use basic authentication middleware from authelia
+      - "traefik.http.routers.navidrome-subsonic.rule=Host(`navidrome.${PUBLIC_DOMAIN}`) && PathPrefix(`/rest/`) && !Query(`c`, `NavidromeUI`)"
+      - "traefik.http.routers.navidrome-subsonic.entrypoints=https"
+      - "traefik.http.routers.navidrome-subsonic.middlewares=authelia-basicauth@file, subsonic-basicauth@file"

project/media/prowlarr/prowlarr.yml

@@ -0,0 +1,29 @@
+services:
+  prowlarr:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: lscr.io/linuxserver/prowlarr:2.3.0
+    container_name: prowlarr
+    ports:
+      - 2004:9696
+    networks:
+      - ip4net
+    volumes:
+      - ${MEDIA_PATH}/prowlarr/config:/config
+    labels:
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.prowlarr.rule=Host(`prowlarr.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.prowlarr.entrypoints=https"
+      - "traefik.http.routers.prowlarr.tls=true"
+
+  mousehole:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    ports:
+      - 5010:5010
+    image: tmmrtn/mousehole:0.2.0
+    volumes:
+      - ${MEDIA_PATH}/prowlarr/mousehole:/srv/mousehole

project/media/qbittorrent/qbittorrent.yml

@@ -0,0 +1,29 @@
+services:
+  qbittorrent:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: lscr.io/linuxserver/qbittorrent:5.1.4
+    container_name: qbittorrent
+    ports:
+      - 2002:2002
+      - 50059:6881
+      - 50059:6881/udp
+    networks:
+      - ip4net
+      - ip6net
+    environment:
+      - WEBUI_PORT=2002
+      - TORRENTING_PORT=50059
+    volumes:
+      - ${MEDIA_PATH}/qbittorrent/config:/config
+      - ${MEDIA_PATH}/data/torrents:/data/torrents
+      - ${MEDIA_PATH}/data/downloaded/books:/data/downloaded/books
+      - ${EXTERNAL_STORAGE}/media/audiobooks:/data/downloaded/audiobooks
+      - ${EXTERNAL_STORAGE}/media/music:/data/downloaded/music
+    labels:
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.qbittorrent.rule=Host(`qbittorrent.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.qbittorrent.entrypoints=https"
+      - "traefik.http.routers.qbittorrent.tls=true"

project/media/readarr/readarr.yml

@@ -0,0 +1,22 @@
+services:
+  readarr:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: lscr.io/linuxserver/readarr:develop
+    container_name: readarr
+    ports:
+      - 2003:8787
+    networks:
+      - ip4net
+    volumes:
+      - ${MEDIA_PATH}/readarr/config:/config
+      - ${MEDIA_PATH}/data/torrents:/data/torrents
+      - ${EXTERNAL_STORAGE}/media/audiobooks:/data/media/audiobooks
+      - ${EXTERNAL_STORAGE}/media/books:/data/media/books
+    labels:
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.readarr.rule=Host(`readarr.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.readarr.entrypoints=https"
+      - "traefik.http.routers.readarr.tls=true"

project/media/slskd/slskd.yml

@@ -0,0 +1,27 @@
+services:
+  slskd:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: slskd/slskd:0.24.5
+    container_name: slskd
+    user: ${PUID}:${PGID}
+    ports:
+      - 2013:5031 # http
+      - 2014:5030 # https
+      - 50300:50300 # incoming connections
+    networks:
+      - ip4net
+    environment:
+      - SLSKD_REMOTE_CONFIGURATION=true
+    volumes:
+      - ${MEDIA_PATH}/slskd/config/slskd.yml:/app/slskd.yml
+      - ${MEDIA_PATH}/data/slskd_downloads:/app/downloads
+      - ${EXTERNAL_STORAGE}/media/music:/app/library
+    labels:
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.slskd.rule=Host(`slskd.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.slskd.entrypoints=https"
+      - "traefik.http.routers.slskd.tls=true"
+      - "traefik.http.services.slskd.loadbalancer.server.port=5030"

project/media/soularr/soularr.yml

@@ -0,0 +1,13 @@
+services:
+  soularr:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: mrusse08/soularr:latest
+    container_name: soularr
+    user: ${PUID}:${PGID}
+    networks:
+      - ip4net
+    volumes:
+      - ${MEDIA_PATH}/soularr/data:/data
+      - ${MEDIA_PATH}/data/slskd_downloads:/downloads

project/monitoring/dozzle/dozzle.yml

@@ -4,16 +4,16 @@ services:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: dozzle
-    image: amir20/dozzle:latest
+    image: amir20/dozzle:v10.1.1
     ports:
       - 8083:8080
+    networks:
+      - ip4net
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.dozzle.rule=Host(`dozzle.${LOCAL_DOMAIN}`)"
       - "traefik.http.routers.dozzle.entrypoints=https"
-      - "traefik.http.routers.dozzle.tls=true"
+      - "traefik.http.routers.dozzle.tls=true"

project/monitoring/grafana/grafana.yml

@@ -4,16 +4,17 @@ services:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: grafana
-    image: grafana/grafana-oss:latest
+    image: grafana/grafana-oss:12.4.1
     ports:
       - 8090:3000
+    networks:
+      - ip4net
     volumes:
       - ${MONITORING_PATH}/grafana/data:/var/lib/grafana
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.grafana.rule=Host(`grafana.${LOCAL_DOMAIN}`)"
       - "traefik.http.routers.grafana.entrypoints=https"
-      - "traefik.http.routers.grafana.tls=true"
+      - "traefik.http.routers.grafana.tls=true"
+

project/monitoring/loki/loki.yml

@@ -0,0 +1,32 @@
+services:
+  loki:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    container_name: loki
+    image: grafana/loki:3.6.7
+    ports:
+      - 8094:3100
+    networks:
+      - ip4net
+    volumes:
+      - ${MONITORING_PATH}/loki/config/loki-config.yml:/etc/loki/local-config.yaml
+    labels:
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.loki.rule=Host(`loki.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.loki.entrypoints=https"
+      - "traefik.http.routers.loki.tls=true"
+
+  promtail:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    container_name: promtail
+    image: grafana/promtail:3.6.7
+    networks:
+      - ip4net
+    volumes:
+      - ${MONITORING_PATH}/loki/config/promtail-config.yml:/etc/promtail/config.yml
+      - /var/log:/var/log
+      - /var/run/docker.sock:/var/run/docker.sock:ro

project/monitoring/prometheus/prometheus.yml

@@ -4,16 +4,16 @@ services:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: prometheus
-    image: prom/prometheus:latest
+    image: prom/prometheus:v3.10.0
     ports:
       - 9090:9090
+    networks:
+      - ip4net
     volumes:
       - ${MONITORING_PATH}/prometheus/config:/etc/prometheus
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.prometheus.rule=Host(`prometheus.${LOCAL_DOMAIN}`)"
       - "traefik.http.routers.prometheus.entrypoints=https"
-      - "traefik.http.routers.prometheus.tls=true"
+      - "traefik.http.routers.prometheus.tls=true"

project/service/freshrss/freshrss.yml

@@ -0,0 +1,23 @@
+services:
+  freshrss:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: freshrss/freshrss:1.28.1
+    container_name: freshrss
+    ports:
+      - 4014:80
+    networks:
+      - ip6net
+    volumes:
+      - ${SERVICE_PATH}/freshrss/data:/var/www/FreshRSS/data
+      - ${SERVICE_PATH}/freshrss/extensions:/var/www/FreshRSS/extensions
+    environment:
+      CRON_MIN: "3,33"
+      TRUSTED_PROXY: 172.16.0.1/12 192.168.0.1/16
+    labels:
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.freshrss.rule=Host(`rss.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.freshrss.entrypoints=https"
+      - "traefik.http.routers.freshrss.tls=true"

project/service/ghost/ghost.yml

@@ -0,0 +1,34 @@
+services:
+  ghost:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: ghost:6.20.0-alpine
+    container_name: ghost
+    ports:
+      - 4016:2368
+    environment:
+      # see https://ghost.org/docs/config/#configuration-options
+      database__client: mysql
+      database__connection__host: mysql-ghost
+      database__connection__user: root
+      database__connection__password: example
+      database__connection__database: ghost
+      # this url value is just an example, and is likely wrong for your environment!
+      url: http://192.168.1.38:4016
+      # contrary to the default mentioned in the linked documentation, this image defaults to NODE_ENV=production (so development mode needs to be explicitly specified if desired)
+      NODE_ENV: development
+    volumes:
+      - ${SERVICE_PATH}/ghost/data/ghost:/var/lib/ghost/content
+
+  mysql-ghost:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: mysql:8.0
+    container_name: mysql-ghost
+    environment:
+      MYSQL_ROOT_PASSWORD: example
+    volumes:
+      - ${SERVICE_PATH}/ghost/data/db:/var/lib/mysql
+

project/service/gitea/gitea.yml

@@ -3,7 +3,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: gitea/gitea:latest
+    image: gitea/gitea:1.25
     container_name: gitea
     environment:
       - APP_NAME="Gitea"
@@ -32,19 +32,33 @@ services:
       - /etc/localtime:/etc/localtime:ro
     ports:
       - 2001:22
+    networks:
+      - ip6net
     expose:
       - 4002
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.gitea.rule=Host(`gitea.${PUBLIC_DOMAIN}`)"
       - "traefik.http.routers.gitea.entrypoints=https"
-      - "traefik.http.routers.gitea.tls.certresolver=myresolver"
       - "traefik.http.routers.gitea.tls=true"
       - "traefik.http.routers.gitea.service=gitea-service"
       - "traefik.http.services.gitea-service.loadbalancer.server.port=4002"
 
-      # Middlewares
-      - "traefik.http.routers.gitea.middlewares=crowdsec-bouncer@file"
+  gitea-runner:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: gitea/act_runner:0.3.0
+    container_name: gitea_runner
+    depends_on:
+      - gitea
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ${SERVICE_PATH}/gitea/config/runner-config.yaml:/config.yaml
+      - ${SERVICE_PATH}/gitea/data/runner-data:/data
+    environment:
+      - CONFIG_FILE=/config.yaml
+      - GITEA_INSTANCE_URL=gitea
+      - GITEA_RUNNER_REGISTRATION_TOKEN=${GITEA_RUNNER_TOKEN}
+      - GITEA_RUNNER_NAME=gitea-runner

project/service/home-assistant/home-assistant.yml

@@ -0,0 +1,22 @@
+services:
+  home-assistant:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: ghcr.io/home-assistant/home-assistant:2026.3.1
+    container_name: home-assistant
+    networks:
+      - ip4net
+    ports:
+      - 4012:8123
+    volumes:
+      - ${SERVICE_PATH}/home-assistant/config:/config
+      - /etc/localtime:/etc/localtime:ro
+      - /run/dbus:/run/dbus:ro
+    labels:
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.home-assistant.rule=Host(`ha.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.home-assistant.entrypoints=https"
+      - "traefik.http.routers.home-assistant.tls=true"
+

project/service/it-tools/it-tools.yml

@@ -3,17 +3,16 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: corentinth/it-tools:latest
+    image: corentinth/it-tools:2024.10.22-7ca5933
     container_name: it-tools
     ports:
-      - '4007:80'
+      - "4007:80"
+    networks:
+      - ip4net
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.it-tools.rule=Host(`it-tools.${LOCAL_DOMAIN}`)"
       - "traefik.http.routers.it-tools.entrypoints=https"
       - "traefik.http.routers.it-tools.tls=true"
-      # Middlewares
-      - "traefik.http.routers.it-tools.middlewares=crowdsec-bouncer@file"
+

project/service/jupyter-notebook/jupyter-notebook.yml

@@ -0,0 +1,20 @@
+services:
+  jupyter:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: quay.io/jupyter/base-notebook:ubuntu-24.04
+    container_name: jupyter
+    volumes:
+      - ${SERVICE_PATH}/jupyter-notebook/data:/home/jovyan/work
+    ports:
+      - 4013:8888 # Web UI
+    networks:
+      - ip4net
+    command: start-notebook.py --NotebookApp.token='aToken1234'
+    labels:
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.jupyter.rule=Host(`jupyter.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.jupyter.entrypoints=https"
+      - "traefik.http.routers.jupyter.tls=true"

project/service/linkwarden/linkwarden.yml

@@ -0,0 +1,53 @@
+services:
+  linkwarden:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: ghcr.io/linkwarden/linkwarden:v2.13.5
+    container_name: linkwarden
+    ports:
+      - 4020:3000
+    networks:
+      - ip4net
+      - ip6net
+    volumes:
+      - ${SERVICE_PATH}/linkwarden/data:/data/data
+    environment:
+      - DATABASE_URL=postgresql://linkwarden:${LINKWARDEN_DATABASE_PASSWORD}@postgres:5432/linkwarden
+      - NEXTAUTH_URL=https://linkwarden.${PUBLIC_DOMAIN}/api/v1/auth
+      - NEXTAUTH_SECRET=${LINKWARDEN_NEXTAUTH_SECRET}
+      - MEILI_MASTER_KEY=${LINKWARDEN_MEILI_MASTER_KEY}
+      - MEILI_HOST=http://meilisearch:7700
+      - NEXT_PUBLIC_DISABLE_REGISTRATION=true
+      - NEXT_PUBLIC_AUTHELIA_ENABLED=true
+      - AUTHELIA_WELLKNOWN_URL=https://auth.${PUBLIC_DOMAIN}/.well-known/openid-configuration
+      - AUTHELIA_CLIENT_ID=linkwarden
+      - AUTHELIA_CLIENT_SECRET=${LINKWARDEN_OIDC_CLIENT_SECRET}
+    labels:
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.linkwarden.rule=Host(`linkwarden.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.linkwarden.entrypoints=https"
+      - "traefik.http.routers.linkwarden.tls=true"
+
+  meilisearch:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: getmeili/meilisearch:v1.31.0
+    container_name: linkwarden_meili
+    networks:
+      - ip4net
+      - ip6net
+    ports:
+      - 4021:7700
+    environment:
+      - MEILI_MASTER_KEY=${LINKWARDEN_MEILI_MASTER_KEY}
+    volumes:
+      - ${SERVICE_PATH}/linkwarden/meili_data:/meili_data
+    # command:
+    #   [
+    #     "--master-key=${LINKWARDEN_MEILI_MASTER_KEY}",
+    #     "--env=production",
+    #     "--import-dump=${SERVICE_PATH}/linkwarden/meili_data/dumps/20260115-183317235.dump",
+    #   ]

project/service/mealie/mealie.yml

@@ -3,10 +3,12 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: ghcr.io/mealie-recipes/mealie:latest
+    image: ghcr.io/mealie-recipes/mealie:v3.12.0
     container_name: mealie
     ports:
       - "4006:9000"
+    networks:
+      - ip6net
     volumes:
       - ${SERVICE_PATH}/mealie/data:/app/data/
     environment:
@@ -19,26 +21,16 @@ services:
       POSTGRES_SERVER: postgres
       POSTGRES_PORT: 5432
       POSTGRES_DB: mealie
-      # LDAP Authentication
-      LDAP_AUTH_ENABLED: true
-      LDAP_SERVER_URL: ldap://lldap:3890
-      LDAP_BASE_DN: ou=people,dc=${SECOND_LEVEL_DOMAIN},dc=${TOP_LEVEL_DOMAIN}
-      LDAP_ID_ATTRIBUTE: uid
-      LDAP_NAME_ATTRIBUTE: displayName
-      LDAP_MAIL_ATTRIBUTE: mail
-      LDAP_QUERY_BIND: cn=readonly_user,ou=people,dc=${SECOND_LEVEL_DOMAIN},dc=${TOP_LEVEL_DOMAIN}
-      LDAP_QUERY_PASSWORD: ${LLDAP_READONLY_USER_PASSWORD}
-      # LDAP_USER_FILTER: (memberof=cn=mealie,ou=groups,dc=example,dc=com)
-      # LDAP_ADMIN_FILTER: (memberof=cn=mealie-admin,ou=groups,dc=example,dc=com)
-
+      # OIDC using authelia
+      OIDC_AUTH_ENABLED: true
+      OIDC_SIGNUP_ENABLED: false
+      OIDC_CONFIGURATION_URL: https://auth.${PUBLIC_DOMAIN}/.well-known/openid-configuration
+      OIDC_CLIENT_ID: mealie
+      OIDC_CLIENT_SECRET: ${MEALIE_OIDC_CLIENT_SECRET}
+      OIDC_AUTO_REDIRECT: false
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.mealie.rule=Host(`mealie.${PUBLIC_DOMAIN}`)"
       - "traefik.http.routers.mealie.entrypoints=https"
-      - "traefik.http.routers.mealie.tls.certresolver=myresolver"
       - "traefik.http.routers.mealie.tls=true"
-      # Middlewares
-      - "traefik.http.routers.mealie.middlewares=crowdsec-bouncer@file"

project/service/n8n/Dockerfile

@@ -0,0 +1,51 @@
+# Start with the official n8n image
+FROM n8nio/n8n:2.12.2
+
+# Copy apk and its deps from Alpine 3.23
+COPY --from=alpine:3.23 /sbin/apk /sbin/apk
+COPY --from=alpine:3.23 /usr/lib/libapk.so* /usr/lib/
+
+# Switch to root to install dependencies
+USER root
+
+# Install Chromium and necessary dependencies for Puppeteer
+RUN set -x \
+    && apk update \
+    && apk upgrade \
+    && apk add --no-cache \
+    udev \
+    chromium \
+    nss \
+    freetype \
+    harfbuzz \
+    ca-certificates \
+    ttf-freefont \
+    wget \
+    nodejs \
+    npm
+
+# Set environment variable for Puppeteer to find Chromium
+ENV PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium-browser
+ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true
+ENV XDG_CONFIG_HOME=/tmp/.chromium
+ENV XDG_CACHE_HOME=/tmp/.chromium
+
+# Install Puppeteer
+RUN npm install puppeteer
+
+# Install restic and rclone for backups
+RUN apk add --no-cache \
+    restic \
+    curl \
+    unzip
+
+# Download and install rclone
+RUN curl -O https://downloads.rclone.org/rclone-current-linux-amd64.zip \
+    && unzip rclone-current-linux-amd64.zip \
+    && cd rclone-*-linux-amd64 \
+    && cp rclone /usr/local/bin/ \
+    && chmod 755 /usr/local/bin/rclone \
+    && cd .. && rm -rf rclone-*-linux-amd64*
+
+# Revert back to non-root (default n8n user)
+USER node

project/service/n8n/n8n.yml

@@ -0,0 +1,38 @@
+services:
+  n8n:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    build:
+      context: .
+      dockerfile: ${SERVICE_PATH}/n8n/Dockerfile
+    container_name: n8n
+    ports:
+      - 4022:5678
+    networks:
+      - ip4net
+    environment:
+      - N8N_BLOCK_ENV_ACCESS_IN_NODE=false
+      - MAM_USERNAME=${N8N_MAM_USERNAME}
+      - MAM_PASSWORD=${N8N_MAM_PASSWORD}
+      - RESTIC_PASSWORD=${N8N_RESTIC_PASSWORD}
+      - NODES_EXCLUDE=[]
+      - DB_TYPE=postgresdb
+      - DB_POSTGRESDB_HOST=postgres
+      - DB_POSTGRESDB_PORT=5432
+      - DB_POSTGRESDB_DATABASE=n8n
+      - DB_POSTGRESDB_USER=n8n
+      - DB_POSTGRESDB_PASSWORD=${N8N_DB_PASSWORD}
+      - DB_POSTGRESDB_SCHEMA=public
+    volumes:
+      - ${SERVICE_PATH}/n8n/data:/home/node/.n8n
+      - ${SERVICE_PATH}/n8n/data/rclone.conf:/home/node/.config/rclone/rclone.conf
+      - ${PWD}/scripts:/home/node/.n8n/external-scripts
+      - ${DB_PATH}/databasus/data/backups:/home/node/.n8n/database
+      - ${EXTERNAL_STORAGE}/:/home/node/.n8n/data
+    labels:
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.n8n.rule=Host(`n8n.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.n8n.entrypoints=https"
+      - "traefik.http.routers.n8n.tls=true"

project/service/ollama/ollama.yml

@@ -0,0 +1,19 @@
+services:
+  ollama:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: ollama/ollama:0.17.7
+    container_name: ollama
+    ports:
+      - 4019:11434
+    networks:
+      - ip6net
+    volumes:
+      - ${SERVICE_PATH}/ollama/data:/root/.ollama
+    labels:
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.ollama.rule=Host(`ollama.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.ollama.entrypoints=https"
+      - "traefik.http.routers.ollama.tls=true"

project/service/overleaf/overleaf.yml

@@ -1,68 +0,0 @@
-services:
-  overleaf:
-    extends:
-      file: ${TEMPLATES_PATH}
-      service: default
-    image: sharelatex/sharelatex
-    container_name: overleaf
-    ports:
-      - 4008:80
-    volumes:
-      - ${SERVICE_PATH}/overleaf/config:/configs
-    environment:
-      OVERLEAF_APP_NAME: Overleaf on ${SECOND_LEVEL_DOMAIN}
-      OVERLEAF_NAV_TITLE: Overleaf
-      ENABLED_LINKED_FILE_TYPES: 'project_file,project_output_file'
-      # Enables Thumbnail generation using ImageMagick
-      ENABLE_CONVERSIONS: 'true'
-      # Disables email confirmation requirement
-      EMAIL_CONFIRMATION_DISABLED: 'true'
-      # temporary fix for LuaLaTex compiles, see https://github.com/overleaf/overleaf/issues/695
-      TEXMFVAR: /var/lib/overleaf/tmp/texmf-var
-      OVERLEAF_SITE_URL: https://overleaf.${LOCAL_DOMAIN}
-      # OVERLEAF_HEADER_IMAGE_URL: http://example.com/mylogo.png
-      OVERLEAF_ADMIN_EMAIL: ${EMAIL}
-      # OVERLEAF_LEFT_FOOTER: '[{"text": "Another page I want to link to can be found <a href=\"here\">here</a>"} ]'
-      # OVERLEAF_RIGHT_FOOTER: '[{"text": "Hello I am on the Right"} ]'
-      # OVERLEAF_EMAIL_FROM_ADDRESS: "hello@example.com"
-      # ENABLE_CRON_RESOURCE_DELETION: true
-      # OVERLEAF_TEMPLATES_USER_ID: "578773160210479700917ee5"
-      # OVERLEAF_NEW_PROJECT_TEMPLATE_LINKS: '[ {"name":"All Templates","url":"/templates/all"}]'
-      # OVERLEAF_PROXY_LEARN: "true"
-
-      # DB
-      OVERLEAF_MONGO_URL: mongodb://overleaf:${OVERLEAF_DB_PASSWORD}@mongodb:27017/overleaf
-      # Redis
-      OVERLEAF_REDIS_HOST: redis
-      REDIS_HOST: redis
-      # LDAP
-      LDAP_SERVER_URL: ldap://lldap:3890
-      OVERLEAF_LDAP_SEARCH_BASE: ou=people,dc=${SECOND_LEVEL_DOMAIN},dc=${TOP_LEVEL_DOMAIN}
-      OVERLEAF_LDAP_SEARCH_FILTER: '(uid={{username}})'
-      OVERLEAF_LDAP_BIND_DN: cn=readonly_user,ou=people,dc=${SECOND_LEVEL_DOMAIN},dc=${TOP_LEVEL_DOMAIN}
-      OVERLEAF_LDAP_BIND_CREDENTIALS: ${LLDAP_READONLY_USER_PASSWORD}
-      OVERLEAF_LDAP_EMAIL_ATT: mail
-      OVERLEAF_LDAP_NAME_ATT: firstName
-      OVERLEAF_LDAP_LAST_NAME_ATT: lastName
-      OVERLEAF_LDAP_UPDATE_USER_DETAILS_ON_LOGIN: false
-      ## SMTP
-      # OVERLEAF_EMAIL_SMTP_HOST: smtp.example.com
-      # OVERLEAF_EMAIL_SMTP_PORT: 587
-      # OVERLEAF_EMAIL_SMTP_SECURE: false
-      # OVERLEAF_EMAIL_SMTP_USER:
-      # OVERLEAF_EMAIL_SMTP_PASS:
-      # OVERLEAF_EMAIL_SMTP_TLS_REJECT_UNAUTH: true
-      # OVERLEAF_EMAIL_SMTP_IGNORE_TLS: false
-      # OVERLEAF_EMAIL_SMTP_NAME: '127.0.0.1'
-      # OVERLEAF_EMAIL_SMTP_LOGGER: true
-      # OVERLEAF_CUSTOM_EMAIL_FOOTER: "This system is run by department x"
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
-      # Traefik
-      - "traefik.enable=true"
-      - "traefik.http.routers.overleaf.rule=Host(`overleaf.${LOCAL_DOMAIN}`)"
-      - "traefik.http.routers.overleaf.entrypoints=https"
-      - "traefik.http.routers.overleaf.tls=true"
-      # Middlewares
-      - "traefik.http.routers.overleaf.middlewares=crowdsec-bouncer@file"

project/service/paperless-ngx/paperless-ngx.yml

@@ -3,15 +3,17 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: ghcr.io/paperless-ngx/paperless-ngx:latest
+    image: ghcr.io/paperless-ngx/paperless-ngx:2.20.10
     container_name: paperless-ngx
     ports:
       - "4009:8000"
+    networks:
+      - ip6net
     volumes:
-      - ${EXTERNAL_STORAGE}/paperless-ngx/data:/usr/src/paperless/data
-      - ${EXTERNAL_STORAGE}/paperless-ngx/media:/usr/src/paperless/media
-      - ${SERVICE_PATH}/paperless-ngx/export:/usr/src/paperless/export
-      - ${SERVICE_PATH}/paperless-ngx/consume:/usr/src/paperless/consume
+      - ${EXTERNAL_STORAGE}/documents/data:/usr/src/paperless/data
+      - ${EXTERNAL_STORAGE}/documents/media:/usr/src/paperless/media
+      - ${SERVICE_PATH}/paperless-ngx/data/export:/usr/src/paperless/export
+      - ${SERVICE_PATH}/paperless-ngx/data/consume:/usr/src/paperless/consume
     environment:
       # REDIS
       PAPERLESS_REDIS: redis://redis:6379
@@ -21,20 +23,22 @@ services:
       PAPERLESS_DBUSER: paperless
       PAPERLESS_DBPASS: ${PAPERLESS_DB_PASSWORD}
       # Paperless var
-      PAPERLESS_URL: https://paperless.${LOCAL_DOMAIN}
-      PAPERLESS_ALLOWED_HOSTS: ${LOCAL_DOMAIN}
+      PAPERLESS_URL: https://paperless.${PUBLIC_DOMAIN}
+      PAPERLESS_ALLOWED_HOSTS: ${PUBLIC_DOMAIN},192.168.1.38,"2a04:ee41:86:9397:844f:f9ff:fe5c:e416"
       PAPERLESS_OCR_LANGUAGE: fra+eng+deu
+      # Admin user when not OIDC
+      PAPERLESS_ADMIN_USER: chris
+      PAPERLESS_ADMIN_PASSWORD: ${PAPERLESS_ADMIN_PASSWORD}
       # OIDC
-      PAPERLESS_ENABLE_HTTP_REMOTE_USER: true
-      PAPERLESS_ACCOUNT_ALLOW_SIGNUPS: false
-      PAPERLESS_LOGOUT_REDIRECT_URL: https://auth.${PUBLIC_DOMAIN}
+      # PAPERLESS_DISABLE_REGULAR_LOGIN: true
+      # PAPERLESS_ENABLE_HTTP_REMOTE_USER: true
+      # PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME: HTTP_REMOTE_USER
+      # PAPERLESS_LOGOUT_REDIRECT_URL: https://auth.${PUBLIC_DOMAIN}/logout
+      # PAPERLESS_APPS: "allauth.socialaccount.providers.openid_connect"
+      # PAPERLESS_SOCIALACCOUNT_PROVIDERS: '{"openid_connect":{"SCOPE":["openid","profile","email"],"OAUTH_PKCE_ENABLED":true,"APPS":[{"provider_id":"authelia","name":"Authelia","client_id":"paperless","secret":"jzO0JYA35oOojGqxFJUaDXdgdXhuACyq4b3lvOx233wtoSyv19prQfCKah1mwyDv","settings":{"server_url":"https://auth.${PUBLIC_DOMAIN}","token_auth_method":"client_secret_basic"}}]}}'
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
-      - "traefik.http.routers.paperless.rule=Host(`paperless.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.paperless.rule=Host(`paperless.${PUBLIC_DOMAIN}`)"
       - "traefik.http.routers.paperless.entrypoints=https"
       - "traefik.http.routers.paperless.tls=true"
-      # Middlewares
-      - "traefik.http.routers.paperless.middlewares=authelia@file"

project/service/pdf/pdf.yml

@@ -0,0 +1,17 @@
+services:
+  pdf:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: ghcr.io/alam00000/bentopdf-simple:2.5.0
+    container_name: pdf
+    ports:
+      - "4003:8080"
+    networks:
+      - ip6net
+    labels:
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.pdf.rule=Host(`pdf.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.pdf.entrypoints=https"
+      - "traefik.http.routers.pdf.tls=true"

project/service/radicale/radicale.yml

@@ -0,0 +1,33 @@
+services:
+  radicale:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: tomsquest/docker-radicale:3.6.1.0
+    container_name: radicale
+    ports:
+      - 4017:5232
+    networks:
+      - ip6net
+    init: true
+    read_only: true
+    cap_drop:
+      - ALL
+    cap_add:
+      - SETUID
+      - CHOWN
+      - SETGID
+      - KILL
+    # healthcheck:
+    #   test: curl -f http://127.0.0.1:5232 || exit 1
+    #   interval: 30s
+    #   retries: 3
+    volumes:
+      - ${SERVICE_PATH}/radicale/config:/config/
+      - ${EXTERNAL_STORAGE}/calendars-contacts:/data
+    labels:
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.radicale.rule=Host(`radicale.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.radicale.entrypoints=https"
+      - "traefik.http.routers.radicale.tls=true"

project/service/shlink/shlink.yml

@@ -1,50 +0,0 @@
-services:
-  shlink-backend:
-    extends:
-      file: ${TEMPLATES_PATH}
-      service: default
-    image: shlinkio/shlink:latest
-    container_name: shlink-backend
-    ports:
-      - '4004:8080'
-    volumes:
-      - ${SERVICE_PATH}/shlink/data:/usr/share/tesseract-ocr/4.00/tessdata #Required for extra OCR languages
-      - ${SERVICE_PATH}/shlink/config:/configs
-    environment:
-      DEFAULT_DOMAIN: ${PUBLIC_DOMAIN}
-      IS_HTTPS_ENABLED: true
-#      GEOLITE_LICENSE_KEY: # optional, to geolocate visit, see https://shlink.io/documentation/geolite-license-key/
-      # DB
-      DB_DRIVER: postgres
-      DB_USER: shlink
-      DB_PASSWORD: ${SHLINK_DATABASE_PASSWORD}
-      DB_HOST: postgres
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
-      # Traefik
-      - "traefik.enable=true"
-      - "traefik.http.routers.shlink-backend.rule=Host(`shlink-backend.${LOCAL_DOMAIN}`)"
-      - "traefik.http.routers.shlink-backend.entrypoints=https"
-      - "traefik.http.routers.shlink-backend.tls=true"
-
-  shlink-frontend:
-    extends:
-      file: ${TEMPLATES_PATH}
-      service: default
-    image: shlinkio/shlink-web-client:latest
-    container_name: shlink-frontend
-    ports:
-      - '4005:8080'
-    environment:
-      SHLINK_SERVER_URL: https://shlink-backend.${LOCAL_DOMAIN}
-      SHLINK_SERVER_API_KEY: ${SHLINK_SERVER_API_KEY}
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
-      # Traefik
-      - "traefik.enable=true"
-      - "traefik.http.routers.shlink-frontend.rule=Host(`shlink.${LOCAL_DOMAIN}`)"
-      - "traefik.http.routers.shlink-frontend.entrypoints=https"
-      - "traefik.http.routers.shlink-frontend.tls=true"
-  

project/service/stirling-pdf/stirling-pdf.yml

@@ -1,24 +0,0 @@
-services:
-  stirling-pdf:
-    extends:
-      file: ${TEMPLATES_PATH}
-      service: default
-    image: frooodle/s-pdf:latest
-    container_name: stirling-pdf
-    ports:
-      - '4003:8080'
-    volumes:
-      - ${SERVICE_PATH}/stirling-pdf/data:/usr/share/tesseract-ocr/4.00/tessdata #Required for extra OCR languages
-      - ${SERVICE_PATH}/stirling-pdf/config:/configs
-#      - /location/of/customFiles:/customFiles/
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
-      # Traefik
-      - "traefik.enable=true"
-      - "traefik.http.routers.stirling-pdf.rule=Host(`stirling-pdf.${PUBLIC_DOMAIN}`)"
-      - "traefik.http.routers.stirling-pdf.entrypoints=https"
-      - "traefik.http.routers.stirling-pdf.tls.certresolver=myresolver"
-      - "traefik.http.routers.stirling-pdf.tls=true"
-      # Middlewares
-      - "traefik.http.routers.stirling-pdf.middlewares=crowdsec-bouncer@file,authelia@file"

project/service/vaultwarden/vaultwarden.yml

@@ -0,0 +1,29 @@
+services:
+  vaultwarden:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: vaultwarden/server:1.35.4
+    container_name: vaultwarden
+    ports:
+      - 4018:80
+    networks:
+      - ip6net
+    environment:
+      DOMAIN: "https://vaultwarden.${PUBLIC_DOMAIN}"
+      SIGNUPS_ALLOWED: false
+      INVITATIONS_ALLOWED: false
+      SSO_ENABLED: false # for now sso does only help companies for role management and the master password is still necessary
+      SSO_ONLY: false
+      SSO_AUTHORITY: https://auth.${PUBLIC_DOMAIN}
+      SSO_SCOPES: profile email offline_access
+      SSO_CLIENT_ID: vaultwarden
+      SSO_CLIENT_SECRET: ${VAULTWARDEN_OIDC_CLIENT_SECRET}
+    volumes:
+      - ${EXTERNAL_STORAGE}/passwords:/data/
+    labels:
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.vaultwarden.entrypoints=https"
+      - "traefik.http.routers.vaultwarden.tls=true"

project/service/vikunja/vikunja.yml

@@ -1,4 +1,4 @@
-secrets:  
+secrets:
   vikunja_jwt_secret:
     file: ${SERVICE_PATH}/vikunja/secrets/vikunja_jwt_secret.txt
 services:
@@ -6,7 +6,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: vikunja/vikunja:latest
+    image: vikunja/vikunja:2.1.0
     container_name: vikunja
     secrets: [vikunja_jwt_secret]
     environment:
@@ -17,17 +17,14 @@ services:
       VIKUNJA_DATABASE_DATABASE: vikunja
       VIKUNJA_SERVICE_JWTSECRET: /run/secrets/vikunja_jwt_secret
       VIKUNJA_SERVICE_PUBLICURL: https://vikunja.${PUBLIC_DOMAIN}
-    volumes: 
+    networks:
+      - ip6net
+    volumes:
       - ${SERVICE_PATH}/vikunja/data:/app/vikunja/files
       - ${SERVICE_PATH}/vikunja/config:/etc/vikunja
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.vikunja.rule=Host(`vikunja.${PUBLIC_DOMAIN}`)"
       - "traefik.http.routers.vikunja.entrypoints=https"
-      - "traefik.http.routers.vikunja.tls.certresolver=myresolver"
-      - 'traefik.http.routers.vikunja.tls=true'
-      # Middlewares
-      - "traefik.http.routers.vikunja.middlewares=crowdsec-bouncer@file"
+      - "traefik.http.routers.vikunja.tls=true"

renovate.json

@@ -0,0 +1,78 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "extends": [
+        "schedule:automergeDaily"
+    ],
+    "dependencyDashboard": true,
+    "dependencyDashboardTitle": "Renovate Dashboard",
+    "assignees": [
+        "chriswin"
+    ],
+    "labels": [
+        "renovate"
+    ],
+    "configMigration": true,
+    "prHourlyLimit": 0,
+    "packageRules": [
+        {
+            "matchCategories": [
+                "docker"
+            ],
+            "enabled": true,
+            "managerFilePatterns": [
+                "/(^|/)project/db/*\\Dockerfile$/",
+                "/(^|/)project/infrastructure/.*\\Dockerfile$/",
+                "/(^|/)project/media/.*\\Dockerfile$/",
+                "/(^|/)project/monitoring/.*\\Dockerfile$/",
+                "/(^|/)project/service/.*\\Dockerfile$/"
+            ]
+        },
+        {
+            "matchUpdateTypes": [
+                "minor",
+                "patch"
+            ],
+            "automerge": true,
+            "automergeType": "pr"
+        },
+        {
+            "matchUpdateTypes": [
+                "major"
+            ],
+            "automerge": false
+        }
+    ],
+    "docker-compose": {
+        "enabled": true,
+        "managerFilePatterns": [
+            "/(^|/)docker-compose\\.yml$/",
+            "/(^|/)project/db/.*\\.yml$/",
+            "/(^|/)project/infrastructure/.*\\.yml$/",
+            "/(^|/)project/media/.*\\.yml$/",
+            "/(^|/)project/monitoring/.*\\.yml$/",
+            "/(^|/)project/service/.*\\.yml$/"
+        ],
+        "packageRules": [
+            {
+                "matchPackageNames": "tensorchord/pgvecto-rs",
+                "enabled": false
+            },
+            {
+                "matchPackageNames": "mysql",
+                "enabled": false
+            },
+            {
+                "matchPackageNames": "postgres",
+                "enabled": false
+            },
+            {
+                "matchPackageNames": "mrusse08/soularr",
+                "enabled": false
+            },
+            {
+                "matchPackageNames": "getmeili/meilisearch",
+                "enabled": false
+            }
+        ]
+    }
+}

scripts/certificates/generate_certificate.sh

@@ -0,0 +1,26 @@
+# https://stackoverflow.com/questions/59738140/why-is-firefox-not-trusting-my-self-signed-certificate
+# generate all the certificates
+# import certificate root-ca.crt in firefox
+# in the config of traefik set the server.key and server.crt in the tls store 
+
+openssl req -x509 -nodes \
+ -newkey RSA:2048       \
+ -keyout root-ca.key    \
+ -days 365              \
+ -out root-ca.crt       \
+ -subj '/C=CH/ST=Denial/L=Earth/O=Crescentec/CN=root_CA_crescentec'
+
+openssl req -nodes   \
+ -newkey rsa:2048   \
+ -keyout server.key \
+ -out server.csr    \
+ -subj '/C=CH/ST=Denial/L=Earth/O=Crescentec/CN=server_crescentec'
+
+openssl x509 -req    \
+ -CA root-ca.crt    \
+ -CAkey root-ca.key \
+ -in server.csr     \
+ -out server.crt    \
+ -days 365          \
+ -CAcreateserial    \
+ -extfile <(printf "subjectAltName = DNS:*.${LOCAL_DOMAIN}\nauthorityKeyIdentifier = keyid,issuer\nbasicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage=serverAuth")

scripts/data-backup/README.md

@@ -0,0 +1,17 @@
+Inspired by the [blog](https://www.ericbette.com/configuring-a-remote-backup-solution-using-restic-and-rclone)
+
+# List of commands: 
+
+## Installation
+- Install restic and rclone baremetal
+
+## Setting up rclone:
+- run: rclone config or follow the instructions on the provider (infomaniak in my case)
+- run: rclone listremotes to confirm the server link creation
+
+## Setting up backup repository with restic
+- Save password in env variable, by running: echo export RESTIC_PASSWORD=my_password >> ~/.zshrc 
+- Initialize repository: restic -r rclone:example-remote:example-repo init
+- Run the backup: restic -r rclone:example-remote:example-repo --verbose backup /path/to/backup
+- List the snapshots: restic -r rclone:example-remote:example-repo snapshots
+- Restore the backup: restic -r rclone:example-remote:example-repo restore latest --target /target --path "/target"

scripts/data-backup/backup-infomaniak-calendars-contacts.sh

@@ -0,0 +1,5 @@
+LOG_FILE="/home/node/.n8n/external-scripts/data-backup/logs/log.log"
+echo "------------------------------------------------------------------------" >> "$LOG_FILE"
+echo "$(date) - Script for calendars-contact started" >> "$LOG_FILE"
+restic -r rclone:sb_project_SBI-CW231949:calendars-contacts backup /home/node/.n8n/data/calendars-contacts >> "$LOG_FILE"
+restic -r rclone:sb_project_SBI-CW231949:calendars-contacts forget --keep-last 3 --group-by '' --prune >> "$LOG_FILE"

scripts/data-backup/backup-infomaniak-databases.sh

@@ -0,0 +1,5 @@
+LOG_FILE="/home/node/.n8n/external-scripts/data-backup/logs/log.log"
+echo "------------------------------------------------------------------------" >> "$LOG_FILE"
+echo "$(date) - Script for databases started"  >> "$LOG_FILE"
+restic -r rclone:sb_project_SBI-CW231949:databases backup /home/node/.n8n/database >> "$LOG_FILE"
+restic -r rclone:sb_project_SBI-CW231949:databases forget --keep-last 3 --group-by '' --prune >> "$LOG_FILE"

scripts/data-backup/backup-infomaniak-documents.sh

@@ -0,0 +1,6 @@
+LOG_FILE="/home/node/.n8n/external-scripts/data-backup/logs/log.log"
+echo "------------------------------------------------------------------------" >> "$LOG_FILE"
+echo "$(date) - Script for documents started"  >> "$LOG_FILE"
+restic -r rclone:sb_project_SBI-CW231949:documents backup /home/node/.n8n/data/documents >> "$LOG_FILE"
+restic -r rclone:sb_project_SBI-CW231949:documents forget --keep-last 3 --group-by '' --prune >> "$LOG_FILE"
+

scripts/data-backup/backup-infomaniak-music.sh

@@ -0,0 +1,5 @@
+LOG_FILE="/home/node/.n8n/external-scripts/data-backup/logs/log.log"
+echo "------------------------------------------------------------------------" >> "$LOG_FILE"
+echo "$(date) - Script for music started" >> "$LOG_FILE"
+restic -r rclone:sb_project_SBI-CW231949:music backup /home/node/.n8n/data/media/music >> "$LOG_FILE"
+restic -r rclone:sb_project_SBI-CW231949:music forget --keep-last 3 --group-by '' --prune >> "$LOG_FILE"

scripts/data-backup/backup-infomaniak-notes.sh

@@ -0,0 +1,5 @@
+LOG_FILE="/home/node/.n8n/external-scripts/data-backup/logs/log.log"
+echo "------------------------------------------------------------------------" >> "$LOG_FILE"
+echo "$(date) - Script for notes started"  >> "$LOG_FILE"
+restic -r rclone:sb_project_SBI-CW231949:notes backup /home/node/.n8n/data/notes >> "$LOG_FILE"
+restic -r rclone:sb_project_SBI-CW231949:notes forget --keep-last 3 --group-by '' --prune >> "$LOG_FILE"

scripts/data-backup/backup-infomaniak-passwords.sh

@@ -0,0 +1,5 @@
+LOG_FILE="/home/node/.n8n/external-scripts/data-backup/logs/log.log"
+echo "------------------------------------------------------------------------" >> "$LOG_FILE"
+echo "$(date) - Script for passwords started"  >> "$LOG_FILE"
+restic -r rclone:sb_project_SBI-CW231949:passwords backup /home/node/.n8n/data/passwords >> "$LOG_FILE"
+restic -r rclone:sb_project_SBI-CW231949:passwords forget --keep-last 3 --group-by '' --prune >> "$LOG_FILE"

scripts/data-backup/backup-infomaniak-pictures.sh

@@ -0,0 +1,5 @@
+LOG_FILE="/home/node/.n8n/external-scripts/data-backup/logs/log.log"
+echo "------------------------------------------------------------------------" >> "$LOG_FILE"
+echo "$(date) - Script for pictures started" >> "$LOG_FILE"
+restic -r rclone:sb_project_SBI-CW231949:pictures backup /home/node/.n8n/data/media/pictures >> "$LOG_FILE"
+restic -r rclone:sb_project_SBI-CW231949:pictures forget --keep-last 3 --group-by '' --prune >> "$LOG_FILE"

scripts/data-backup/backup-overleaf-cleanup.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+BACKUP_DIR="$HOME/docker/compose/project/service/overleaf-toolkit/backup"
+ls -t "$BACKUP_DIR" | tail -n +6 | xargs -I {} rm -rf "$BACKUP_DIR/{}"
+

scripts/database-backup/db_backup_script.sh

@@ -0,0 +1,72 @@
+#!/bin/bash
+
+# Cron job check the logs
+
+## Executing the script
+# bash db_backup_script.sh
+
+## command used to back up
+# docker exec DOCKER_CONTAINER pg_dump -U postgres -Fc DATABASE_NAME > BACKUP_FILE.DUMP
+
+## command used to restore
+# directory where the backup is saved in in the docker container: /var/lib/postgresql/data
+# for example: docker exec postgres pg_restore -U postgres -d vikunja-backup /var/lib/postgresql/data/backup/vikunja-2024-01-31.dump
+# docker exec DOCKER_CONTAINER pg_restore -U postgres -d DATABASE_NAME /var/lib/postgresql/data/backup/BACKUP_FILE.DUMP
+
+# Date format
+YEAR=$(date +"%Y")
+MONTH=$(date +"%m")
+DAY=$(date +"%d")
+NOW=$(date +"%Y-%m-%d")
+
+BACKUP_DIRECTORY="/home/debian/docker/compose/project/db/postgres/data"
+
+# Docker container with DB to backup
+DB_1="postgres"
+DB_2="postgres-with-pg-vector"
+
+back_up_db() {
+
+    # sql to list all databases
+    DATABASE_NAME=$(docker exec $1 psql -U postgres -t -c 'SELECT datname FROM pg_database WHERE datistemplate = false;')
+
+    # pg_dump command
+    PGDUMP="docker exec $1 pg_dump -U postgres -Fc"
+
+    for i in $DATABASE_NAME; do
+
+        # ignoring postgres db
+        if [[ "$i" != "postgres" ]]; then
+
+            echo "Backing up database $i"
+            # backup path to file
+            BACKFILE="$BACKUP_DIRECTORY/backup/$i-$NOW.dump"
+            $PGDUMP $i > $BACKFILE
+
+        fi
+
+    done
+}
+
+clean_up_backups() {
+
+    echo "Looking for dumps to prune in folder: $BACKUP_DIRECTORY/backup/"
+
+    # keep one backup per year, month and last two days
+    BACKUP_YEAR="*-$YEAR-02-01.dump"
+    BACKUP_MONTH="*-$YEAR-$MONTH-01.dump"
+    BACKUP_DAY="*-$YEAR-$MONTH-$DAY.dump"
+    BACKUP_DAY_1="*-$YEAR-$MONTH-$((DAY-1)).dump"
+    FILE_TO_DELETE=$(find $BACKUP_DIRECTORY/backup/ -type f \( ! -name $BACKUP_YEAR -a ! -name $BACKUP_MONTH -a ! -name $BACKUP_DAY -a ! -name $BACKUP_DAY_1 \))
+
+    # delete such files
+    for i in $FILE_TO_DELETE; do
+        echo "Pruning $i"
+        rm $i
+    done
+}
+
+back_up_db $DB_1
+back_up_db $DB_2
+
+clean_up_backups

scripts/database-backup/overleaf_backup_script.sh

@@ -0,0 +1,25 @@
+# Date format
+NOW=$(date +"%Y-%m-%d")
+
+OVERLEAF_DIRECTORY="/home/debian/docker/compose/project/service/overleaf-toolkit"
+
+# Backup config
+$OVERLEAF_DIRECTORY/bin/backup-config -m tar $OVERLEAF_DIRECTORY/backup/$NOW-overleaf-config-backup.tar
+# Backup mongo
+tar --create --file $OVERLEAF_DIRECTORY/backup/$NOW-overleaf-mongo-backup.tar $OVERLEAF_DIRECTORY/data/mongo
+# Backup sharelatex
+tar --create --file $OVERLEAF_DIRECTORY/backup/$NOW-overleaf-sharelatex-backup.tar $OVERLEAF_DIRECTORY/data/sharelatex
+
+# Pruning
+clean_up_backups() {
+
+    # list all files older than 3 days
+    FILE_TO_DELETE=$(find $OVERLEAF_DIRECTORY/backup/ -type f -mtime 3)
+
+    # delete such files
+    for i in $FILE_TO_DELETE; do
+        rm $i
+    done
+}
+
+clean_up_backups

scripts/mam/mam-login.js

@@ -0,0 +1,47 @@
+const puppeteer = require('puppeteer');
+
+async function loginToMAM(username, password) {
+    try {
+        const browser = await puppeteer.launch({
+            executablePath: '/usr/bin/chromium-browser',
+            headless: true,
+            args: ['--no-sandbox', '--disable-setuid-sandbox', '--disable-gpu', 'diable-dev-shm-usage']
+        });
+        const page = await browser.newPage();
+
+        console.log("Navigating to MAM login...");
+        await page.goto('https://www.myanonamouse.net/login.php', {
+            waitUntil: 'networkidle2',
+            timeout: 10000
+        });
+
+        const pageTitle = await page.title();
+
+        console.log("Filling in login form...");
+        await page.type('input[name="email"]', username);
+        await page.type('input[name="password"]', password);
+
+        console.log("Submitting login form...");
+        await page.click('input[type="submit"]');
+        await page.waitForNavigation({
+            waitUntil: 'domcontentloaded',
+            timeout: 10000
+        });
+
+        console.log("Login attempt completed.");
+        const cookies = await page.cookies();
+        await browser.close();
+
+        console.log(JSON.stringify(cookies));
+    } catch (err) {
+        console.error("Login failed: ", err);
+        process.exit(1);
+    }
+}
+
+const username = process.env.MAM_USERNAME;
+const password = process.env.MAM_PASSWORD;
+
+loginToMAM(username, password)
+    .then(cookies => ({ result: 'Success', cookies }))
+    .catch(err => ({ result: 'Error', error: err.message }));