replace stirling pdf, sso for multiple app, cleanup

clean up and add loki and ntfy
update uptime
2025-12-19 15:33:26 +01:00 · 2025-11-13 18:38:45 +01:00 · 2025-11-03 22:40:32 +01:00 · 2025-10-17 17:18:47 +02:00 · 2025-10-11 15:52:07 +02:00 · 2025-09-28 23:09:59 +02:00
31 changed files with 470 additions and 149 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -18,6 +18,7 @@ include:
      - ${INFRA_PATH}/authelia/authelia.yml
      - ${INFRA_PATH}/crowdsec/crowdsec.yml
      - ${INFRA_PATH}/homepage/homepage.yml
+      - ${INFRA_PATH}/ntfy/ntfy.yml
      - ${INFRA_PATH}/speedtest/speedtest.yml
      - ${INFRA_PATH}/syncthing/syncthing.yml
      - ${INFRA_PATH}/traefik/traefik.yml
@@ -28,15 +29,22 @@ include:
  - path:
      - ${MONITORING_PATH}/dozzle/dozzle.yml
      - ${MONITORING_PATH}/grafana/grafana.yml
+      - ${MONITORING_PATH}/loki/loki.yml
      - ${MONITORING_PATH}/prometheus/prometheus.yml
    env_file: ${MONITORING_PATH}/.env

  - path:
      - ${MEDIA_PATH}/audiobookshelf/audiobookshelf.yml
+      - ${MEDIA_PATH}/calibre/calibre.yml
      - ${MEDIA_PATH}/immich/immich.yml
+      - ${MEDIA_PATH}/kiwix/kiwix.yml
+      - ${MEDIA_PATH}/lidarr/lidarr.yml
+      - ${MEDIA_PATH}/navidrome/navidrome.yml
      - ${MEDIA_PATH}/prowlarr/prowlarr.yml
      - ${MEDIA_PATH}/qbittorrent/qbittorrent.yml
      - ${MEDIA_PATH}/readarr/readarr.yml
+      - ${MEDIA_PATH}/slskd/slskd.yml
+      - ${MEDIA_PATH}/soularr/soularr.yml
    env_file: ${MEDIA_PATH}/.env

  - path:
@@ -44,15 +52,16 @@ include:
      - ${SERVICE_PATH}/gitea/gitea.yml
      - ${SERVICE_PATH}/home-assistant/home-assistant.yml
      - ${SERVICE_PATH}/ghost/ghost.yml
-      - ${SERVICE_PATH}/home-assistant/ha-addon/ha-ewelink-addon.yml
      - ${SERVICE_PATH}/it-tools/it-tools.yml
      - ${SERVICE_PATH}/jupyter-notebook/jupyter-notebook.yml
+      - ${SERVICE_PATH}/linkwarden/linkwarden.yml
      - ${SERVICE_PATH}/mealie/mealie.yml
+      - ${SERVICE_PATH}/n8n/n8n.yml
+      # - ${SERVICE_PATH}/ollama/ollama.yml
      - ${SERVICE_PATH}/paperless-ngx/paperless-ngx.yml
      - ${SERVICE_PATH}/radicale/radicale.yml
-      - ${SERVICE_PATH}/shlink/shlink.yml
-      - ${SERVICE_PATH}/sponsorblock/sponsorblock.yml
-      - ${SERVICE_PATH}/stirling-pdf/stirling-pdf.yml
+      - ${SERVICE_PATH}/pdf/pdf.yml
+      - ${SERVICE_PATH}/vaultwarden/vaultwarden.yml
      - ${SERVICE_PATH}/vikunja/vikunja.yml
    env_file: ${SERVICE_PATH}/.env

@@ -72,4 +81,4 @@ networks:
      # config: 
      #   # - subnet: "2a04:ee41:86:9397::/64"
      #   - subnet: "2001:db8:2:/64"
-      #   - gateway: "2001:db8:2::1"
+      #   - gateway: "2001:db8:2::1"
--- a/project/infrastructure/authelia/authelia.yml
+++ b/project/infrastructure/authelia/authelia.yml
@@ -26,10 +26,9 @@ services:
      AUTHELIA_SESSION_SECRET_FILE: /run/secrets/SESSION_SECRET
      AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /run/secrets/STORAGE_PASSWORD
      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/STORAGE_ENCRYPTION_KEY
-      AUTHELIA_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN} # this does not work for access control or openID yet
-      AUTHELIA_LOCAL_DOMAIN: ${LOCAL_DOMAIN} # this does not work for access control or openID yet
+      # AUTHELIA_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN} # this does not work for access control or openID yet
+      # AUTHELIA_LOCAL_DOMAIN: ${LOCAL_DOMAIN} # this does not work for access control or openID yet
    volumes:
-      - ${INFRA_PATH}/authelia/config:/config
      - ${INFRA_PATH}/authelia/config:/config
      - "/var/log/authelia/:/config/log"
    labels:
@@ -44,4 +43,4 @@ services:
      - 'traefik.http.routers.authelia.service=authelia-svc'
      - 'traefik.http.services.authelia-svc.loadbalancer.server.port=9091'
      # Middleware
-      - "traefik.http.routers.authelia.middlewares=crowdsec-bouncer@file"
+      - "traefik.http.routers.authelia.middlewares=crowdsec-bouncer@file"
--- a/project/infrastructure/homepage/homepage.yml
+++ b/project/infrastructure/homepage/homepage.yml
@@ -12,6 +12,7 @@ services:
    environment:
      HOMEPAGE_VAR_LOCAL_DOMAIN: ${LOCAL_DOMAIN}
      HOMEPAGE_VAR_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN}
+      HOMEPAGE_ALLOWED_HOSTS: homepage.${LOCAL_DOMAIN}, 192.168.178.35:3030
    volumes:
      - ${INFRA_PATH}/homepage/config:/app/config
      - ${INFRA_PATH}/homepage/data/images:/app/public/images
@@ -25,4 +26,4 @@ services:
      - "traefik.enable=true"
      - "traefik.http.routers.homepage.rule=Host(`homepage.${LOCAL_DOMAIN}`)"
      - "traefik.http.routers.homepage.entrypoints=https"
-      - "traefik.http.routers.homepage.tls=true"
+      - "traefik.http.routers.homepage.tls=true"
--- a/project/infrastructure/ntfy/ntfy.yml
+++ b/project/infrastructure/ntfy/ntfy.yml
@@ -0,0 +1,27 @@
+services:
+  ntfy:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    container_name: ntfy 
+    image: binwiederhier/ntfy 
+    ports:
+      - "4023:80"
+    networks: 
+      - ip4net
+    command:
+      - serve
+    volumes:
+      - /var/cache/ntfy:/var/cache/ntfy
+      - ${INFRA_PATH}/ntfy/config:/etc/ntfy
+      - ${INFRA_PATH}/ntfy/data:/var/lib/ntfy
+    labels:
+      # Watchtower
+      - 'com.centurylinklabs.watchtower.enable=true'
+      # Traefik
+      - 'traefik.enable=true'
+      - 'traefik.http.routers.ntfy.rule=Host(`ntfy.${PUBLIC_DOMAIN}`)'
+      - 'traefik.http.routers.ntfy.entrypoints=https'
+      - 'traefik.http.routers.ntfy.tls=true'
+      # Middlewares
+      - "traefik.http.routers.ntfy.middlewares=crowdsec-bouncer@file"
--- a/project/infrastructure/syncthing/syncthing.yml
+++ b/project/infrastructure/syncthing/syncthing.yml
@@ -6,6 +6,8 @@ services:
    image: syncthing/syncthing
    container_name: syncthing
    volumes:
+      - ${EXTERNAL_STORAGE}/notes/Obsidian-sync:/var/syncthing-data/Obsidian-sync
+      - ${EXTERNAL_STORAGE}/media/pictures/to-sort:/var/syncthing-data/picture-phone
      - ${INFRA_PATH}/syncthing/data:/var/syncthing
    ports:
      - 8384:8384 # Web UI
@@ -26,4 +28,4 @@ services:
      - "traefik.http.routers.syncthing.service=syncthing-svc"
      - "traefik.http.services.syncthing-svc.loadbalancer.server.port=8384"
      # Middlewares
-      #- "traefik.http.routers.syncthing.middlewares=crowdsec-bouncer@file"
+      #- "traefik.http.routers.syncthing.middlewares=crowdsec-bouncer@file"
--- a/project/infrastructure/traefik/traefik.yml
+++ b/project/infrastructure/traefik/traefik.yml
@@ -18,6 +18,7 @@ services:
      TRAEFIK_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN}
      TRAEFIK_AUTH_PUBLIC_DOMAIN: auth.${PUBLIC_DOMAIN}
      TRAEFIK_CROWDSEC_API_KEY: ${CROWDSEC_API_KEY}
+      INFOMANIAK_ACCESS_TOKEN: ${INFOMANIAK_CERTIFICATE_ACCESS_TOKEN}
    volumes:
      - "/var/log/crowdsec/:/var/log/crowdsec/"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
@@ -51,4 +52,4 @@ services:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.${LOCAL_DOMAIN}`)"
      - "traefik.http.routers.whoami.entrypoints=https"
-      - 'traefik.http.routers.whoami.tls=true'
+      - 'traefik.http.routers.whoami.tls=true'
--- a/project/infrastructure/uptime-kuma/uptime-kuma.yml
+++ b/project/infrastructure/uptime-kuma/uptime-kuma.yml
@@ -5,7 +5,7 @@ services:
    # extends:
    #   file: ${TEMPLATES_PATH}
    #   service: default
-    image: louislam/uptime-kuma:latest
+    image: louislam/uptime-kuma
    container_name: uptime-kuma
    restart: unless-stopped
    security_opt:
@@ -14,6 +14,7 @@ services:
      TZ: ${TZ}
    volumes:
      - ${INFRA_PATH}/uptime-kuma/config:/app/data
+      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - 5001:3001
    networks:
@@ -26,4 +27,4 @@ services:
      - "traefik.enable=true"
      - "traefik.http.routers.uptime-kuma.rule=Host(`uptime-kuma.${LOCAL_DOMAIN}`)"
      - "traefik.http.routers.uptime-kuma.entrypoints=https"
-      - "traefik.http.routers.uptime-kuma.tls=true"
+      - "traefik.http.routers.uptime-kuma.tls=true"
--- a/project/media/audiobookshelf/audiobookshelf.yml
+++ b/project/media/audiobookshelf/audiobookshelf.yml
@@ -10,9 +10,7 @@ services:
    networks:
      - ip6net
    volumes:
-      # - ${AUDIOBOOKSHELF_EXTERNAL_PATH}/audiobooks:/audiobooks
-      # - ${AUDIOBOOKSHELF_EXTERNAL_PATH}/podcasts:/podcasts
-      - ${MEDIA_PATH}/data/media/audiobooks:/audiobooks
+      - ${AUDIOBOOKSHELF_EXTERNAL_PATH}:/audiobooks
      - ${MEDIA_PATH}/audiobookshelf/config:/config
      - ${MEDIA_PATH}/audiobookshelf/data/metadata:/metadata
    labels:
@@ -25,4 +23,4 @@ services:
      - "traefik.http.routers.audiobookshelf.tls.certresolver=myresolver"
      - 'traefik.http.routers.audiobookshelf.tls=true'
      # Middlewares
-      - "traefik.http.routers.audiobookshelf.middlewares=crowdsec-bouncer@file"
+      - "traefik.http.routers.audiobookshelf.middlewares=crowdsec-bouncer@file"
--- a/project/media/calibre/calibre.yml
+++ b/project/media/calibre/calibre.yml
@@ -0,0 +1,53 @@
+services:
+  calibre:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: lscr.io/linuxserver/calibre:latest
+    container_name: calibre
+    environment:
+      - PASSWORD= #optional
+      - CLI_ARGS= #optional
+    volumes:
+      - ${EXTERNAL_STORAGE}/media/books:/config/library
+      - ${MEDIA_PATH}/data/downloaded/books:/config/tosync
+    ports:
+      - 2005:8080 # gui
+      - 2006:8181 # gui https
+      - 2007:8081 # webserver ui
+    networks:
+      - ip4net
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.calibre.rule=Host(`calibre.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.calibre.entrypoints=https"
+      - 'traefik.http.routers.calibre.tls=true'
+      - 'traefik.http.services.calibre.loadbalancer.server.port=8080'
+
+  calibre-web:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: lscr.io/linuxserver/calibre-web:latest
+    container_name: calibre-web
+    environment:
+      - DOCKER_MODS=linuxserver/mods:universal-calibre #optional
+      #      - OAUTHLIB_RELAX_TOKEN_SCOPE=1 #optional
+    volumes:
+      - ${EXTERNAL_STORAGE}/media/books:/books
+      - ${MEDIA_PATH}/calibre/data:/config
+    ports:
+      - 2008:8083
+    networks:
+      - ip6net
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.calibre-web.rule=Host(`calibre-web.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.calibre-web.entrypoints=https"
+      - 'traefik.http.routers.calibre-web.tls=true'
--- a/project/media/immich/immich.yml
+++ b/project/media/immich/immich.yml
@@ -12,7 +12,7 @@ services:
      DB_DATABASE_NAME: immich
      REDIS_HOSTNAME: redis
    volumes:
-      # to mount the trueNas external library: sudo mount 192.168.1.212:/mnt/hdd-storage/vm-external-storage/immich /mnt/external-storage/immich/
+      # to mount the trueNas external library: sudo mount 192.168.178.36:/mnt/hdd-storage/vm-external-storage/immich /mnt/external-storage/immich/
      - ${IMMICH_EXTERNAL_PATH}:/usr/src/app/external:ro
      - ${MEDIA_PATH}/immich/data/library:/usr/src/app/upload
      - /etc/localtime:/etc/localtime:ro
@@ -38,6 +38,8 @@ services:
      service: default
    container_name: immich_machine_learning
    image: ghcr.io/immich-app/immich-machine-learning:release
+    ports:
+      - 3003:3003
    volumes:
      - ${MEDIA_PATH}/immich/data/model-cache:/cache
    labels:
@@ -46,7 +48,7 @@ services:

  # https://github.com/Salvoxia/immich-folder-album-creator
  # one time run: 
-  # docker run -e API_URL="https://immich.crescentec.xyz/api/" -e API_KEY="qTaebdVMtph9yD0pSJRJDQJkDEpexiXNMJ5V5HBEnA" -e ROOT_PATH="/usr/src/app/external" -e LOG_LEVEL="DEBUG" salvoxia/immich-folder-album-creator:latest /script/immich_auto_album.sh
+  # docker run -e -e API_URL="https://immich.crescentec.xyz/api/" -e API_KEY="qTaebdVMtph9yD0pSJRJDQJkDEpexiXNMJ5V5HBEnA" -e ROOT_PATH="/usr/src/app/external" -e LOG_LEVEL="DEBUG" salvoxia/immich-folder-album-creator:latest /script/immich_auto_album.sh
  immich-folder-album-creator:
    extends:
      file: ${TEMPLATES_PATH}
@@ -58,6 +60,11 @@ services:
      API_KEY: qTaebdVMtph9yD0pSJRJDQJkDEpexiXNMJ5V5HBEnA
      ROOT_PATH: /usr/src/app/external
      CRON_EXPRESSION: "0 * * * *"
+      LOG_LEVEL: DEBUG
+      #RUN_IMMEDIATELY: true
+      #UNATTENDED: 1
+    volumes:
+      - /usr/src/app/external:/usr/src/app/external
    labels:
      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
+      - "com.centurylinklabs.watchtower.enable=true"
--- a/project/media/kiwix/kiwix.yml
+++ b/project/media/kiwix/kiwix.yml
@@ -0,0 +1,24 @@
+services:
+  kiwix:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: ghcr.io/kiwix/kiwix-serve
+    container_name: kiwix 
+    ports:
+      - 2009:8080
+    networks:
+      - ip4net
+    volumes:
+      - ${EXTERNAL_STORAGE}/wikipedia/:/data
+    command:
+      - '*.zim'
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.kiwix.rule=Host(`wikipedia.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.kiwix.entrypoints=https"
+      - 'traefik.http.routers.kiwix.tls=true'
+      - 'traefik.http.services.kiwix.loadbalancer.server.port=8080'
--- a/project/media/lidarr/lidarr.yml
+++ b/project/media/lidarr/lidarr.yml
@@ -0,0 +1,26 @@
+services:
+  lidarr:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: lscr.io/linuxserver/lidarr 
+    container_name: lidarr 
+    ports:
+      - 2010:8686
+    networks:
+      - ip4net
+    dns: 
+      - 8.8.8.8
+      - 1.1.1.1
+    volumes:
+      - ${MEDIA_PATH}/lidarr/config:/config
+      - ${MEDIA_PATH}/data:/data
+      - ${EXTERNAL_STORAGE}/media/music:/music
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.lidarr.rule=Host(`lidarr.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.lidarr.entrypoints=https"
+      - 'traefik.http.routers.lidarr.tls=true'
--- a/project/media/navidrome/navidrome.yml
+++ b/project/media/navidrome/navidrome.yml
@@ -0,0 +1,31 @@
+services:
+  navidrome:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: deluan/navidrome 
+    container_name: navidrome
+    ports:
+      - 2011:4533
+    networks:
+      - ip4net
+    volumes:
+      - ${MEDIA_PATH}/navidrome/data:/data
+      - ${EXTERNAL_STORAGE}/media/music:/music:ro
+    environment:
+      ND_REVERSEPROXYWHITELIST: 0.0.0.0/0
+      ND_ENABLEUSEREDITING: false
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.navidrome.rule=Host(`navidrome.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.navidrome.entrypoints=https"
+      - 'traefik.http.routers.navidrome.tls=true'
+      # Middlewares
+      - "traefik.http.routers.navidrome.middlewares=crowdsec-bouncer@file, authelia@file"
+      # Subsonic endpoint use basic authentication middleware from authelia
+      - "traefik.http.routers.navidrome-subsonic.rule=Host(`navidrome.${PUBLIC_DOMAIN}`) && PathPrefix(`/rest/`) && !Query(`c`, `NavidromeUI`)"
+      - "traefik.http.routers.navidrome-subsonic.entrypoints=https"
+      - "traefik.http.routers.navidrome-subsonic.middlewares=crowdsec-bouncer@file, authelia-basicauth@file, subsonic-basicauth@file"
--- a/project/media/qbittorrent/qbittorrent.yml
+++ b/project/media/qbittorrent/qbittorrent.yml
@@ -7,17 +7,20 @@ services:
    container_name: qbittorrent
    ports:
      - 2002:2002
-      - 6881:6881
-      - 6881:6881/udp
+      - 50059:6881
+      - 50059:6881/udp
    networks:
      - ip4net
+      - ip6net
    environment:
      - WEBUI_PORT=2002
-      - TORRENTING_PORT=6881
+      - TORRENTING_PORT=50059
    volumes:
      - ${MEDIA_PATH}/qbittorrent/config:/config
-      - ${MEDIA_PATH}/qbittorrent/downloads:/downloads # do not use this folder, see https://wiki.servarr.com/docker-guide#consistent-and-well-planned-paths -> issues
      - ${MEDIA_PATH}/data/torrents:/data/torrents
+      - ${MEDIA_PATH}/data/downloaded/books:/data/downloaded/books
+      - ${EXTERNAL_STORAGE}/media/audiobooks:/data/downloaded/audiobooks
+      - ${EXTERNAL_STORAGE}/media/music:/data/downloaded/music
    labels:
      # Watchtower
      - "com.centurylinklabs.watchtower.enable=true"
@@ -25,4 +28,4 @@ services:
      - "traefik.enable=true"
      - "traefik.http.routers.qbittorrent.rule=Host(`qbittorrent.${LOCAL_DOMAIN}`)"
      - "traefik.http.routers.qbittorrent.entrypoints=https"
-      - 'traefik.http.routers.qbittorrent.tls=true'
+      - 'traefik.http.routers.qbittorrent.tls=true'
--- a/project/media/readarr/readarr.yml
+++ b/project/media/readarr/readarr.yml
@@ -11,7 +11,9 @@ services:
      - ip4net
    volumes:
      - ${MEDIA_PATH}/readarr/config:/config
-      - ${MEDIA_PATH}/data:/data
+      - ${MEDIA_PATH}/data/torrents:/data/torrents
+      - ${EXTERNAL_STORAGE}/media/audiobooks:/data/media/audiobooks
+      - ${EXTERNAL_STORAGE}/media/books:/data/media/books
    labels:
      # Watchtower
      - "com.centurylinklabs.watchtower.enable=true"
@@ -19,4 +21,4 @@ services:
      - "traefik.enable=true"
      - "traefik.http.routers.readarr.rule=Host(`readarr.${LOCAL_DOMAIN}`)"
      - "traefik.http.routers.readarr.entrypoints=https"
-      - 'traefik.http.routers.readarr.tls=true'
+      - 'traefik.http.routers.readarr.tls=true'
--- a/project/media/slskd/slskd.yml
+++ b/project/media/slskd/slskd.yml
@@ -0,0 +1,29 @@
+services:
+  slskd:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: slskd/slskd 
+    container_name: slskd
+    user: ${PUID}:${PGID}  
+    ports:
+      - 2013:5031 # http
+      - 2014:5030 # https
+      - 50300:50300 # incoming connections
+    networks:
+      - ip4net
+    environment:
+      - SLSKD_REMOTE_CONFIGURATION=true
+    volumes:
+      - ${MEDIA_PATH}/slskd/config/slskd.yml:/app/slskd.yml
+      - ${MEDIA_PATH}/data/slskd_downloads:/app/downloads
+      - ${EXTERNAL_STORAGE}/media/music:/app/library
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.slskd.rule=Host(`slskd.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.slskd.entrypoints=https"
+      - 'traefik.http.routers.slskd.tls=true'
+      - 'traefik.http.services.slskd.loadbalancer.server.port=5030'
--- a/project/media/soularr/soularr.yml
+++ b/project/media/soularr/soularr.yml
@@ -0,0 +1,13 @@
+services:
+  soularr:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: mrusse08/soularr 
+    container_name: soularr
+    user: ${PUID}:${PGID}  
+    networks:
+      - ip4net
+    volumes:
+      - ${MEDIA_PATH}/soularr/data:/data
+      - ${MEDIA_PATH}/data/slskd_downloads:/downloads
--- a/project/monitoring/loki/loki.yml
+++ b/project/monitoring/loki/loki.yml
@@ -0,0 +1,37 @@
+services:
+  loki:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    container_name: loki
+    image: grafana/loki
+    ports:
+      - 8094:3100
+    networks:
+      - ip4net
+    volumes:
+      - ${MONITORING_PATH}/loki/config/loki-config.yml:/etc/loki/local-config.yaml
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.loki.rule=Host(`loki.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.loki.entrypoints=https"
+      - "traefik.http.routers.loki.tls=true"
+
+  promtail:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    container_name: promtail 
+    image: grafana/promtail
+    networks:
+      - ip4net
+    volumes:
+      - ${MONITORING_PATH}/loki/config/promtail-config.yml:/etc/promtail/config.yml
+      - /var/log:/var/log
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
--- a/project/service/freshrss/freshrss.yml
+++ b/project/service/freshrss/freshrss.yml
@@ -8,7 +8,7 @@ services:
    ports:
      - 4014:80
    networks:
-      - ip4net
+      - ip6net
    volumes:
      - ${SERVICE_PATH}/freshrss/data:/var/www/FreshRSS/data
      - ${SERVICE_PATH}/freshrss/extensions:/var/www/FreshRSS/extensions
@@ -20,9 +20,9 @@ services:
      - "com.centurylinklabs.watchtower.enable=true"
      # Traefik
      - "traefik.enable=true"
-      - "traefik.http.routers.freshrss.rule=Host(`rss.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.freshrss.rule=Host(`rss.${PUBLIC_DOMAIN}`)"
      - "traefik.http.routers.freshrss.entrypoints=https"
      - "traefik.http.routers.freshrss.tls=true"
-      #- "traefik.http.routers.freshrss.tls.certresolver=myresolver"
+      - "traefik.http.routers.freshrss.tls.certresolver=myresolver"
      # Middlewares
-      #- "traefik.http.routers.freshrss.middlewares=crowdsec-bouncer@file"
+      - "traefik.http.routers.freshrss.middlewares=crowdsec-bouncer@file"
--- a/project/service/home-assistant/ha-addon
+++ b/project/service/home-assistant/ha-addon
--- a/project/service/linkwarden/linkwarden.yml
+++ b/project/service/linkwarden/linkwarden.yml
@@ -0,0 +1,49 @@
+services:
+  linkwarden:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: ghcr.io/linkwarden/linkwarden:latest  
+    container_name: linkwarden 
+    ports:
+      - 4020:3000
+    networks:
+      - ip4net
+      - ip6net
+    volumes:
+      - ${SERVICE_PATH}/linkwarden/data:/data/data
+    environment:
+      - DATABASE_URL=postgresql://linkwarden:${LINKWARDEN_DATABASE_PASSWORD}@postgres:5432/linkwarden
+      - NEXTAUTH_URL=https://linkwarden.${PUBLIC_DOMAIN}/api/v1/auth
+      - NEXTAUTH_SECRET=${LINKWARDEN_NEXTAUTH_SECRET}
+      - MEILI_MASTER_KEY=${LINKWARDEN_MEILI_MASTER_KEY}
+      - MEILI_HOST=http://meilisearch:7700
+      - NEXT_PUBLIC_DISABLE_REGISTRATION=true
+      - NEXT_PUBLIC_AUTHELIA_ENABLED=true
+      - AUTHELIA_WELLKNOWN_URL=https://auth.${PUBLIC_DOMAIN}/.well-known/openid-configuration
+      - AUTHELIA_CLIENT_ID=linkwarden
+      - AUTHELIA_CLIENT_SECRET=${LINKWARDEN_OIDC_CLIENT_SECRET}
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.linkwarden.rule=Host(`linkwarden.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.linkwarden.entrypoints=https"
+      - "traefik.http.routers.linkwarden.tls=true"
+
+  meilisearch:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: getmeili/meilisearch:latest
+    container_name: linkwarden_meili
+    networks:
+      - ip4net
+      - ip6net
+    ports:
+      - 4021:7700
+    environment:
+      - MEILI_MASTER_KEY=${LINKWARDEN_MEILI_MASTER_KEY}
+    volumes:
+      - ${SERVICE_PATH}/linkwarden/meili_data:/meili_data
--- a/project/service/mealie/mealie.yml
+++ b/project/service/mealie/mealie.yml
@@ -21,18 +21,13 @@ services:
      POSTGRES_SERVER: postgres
      POSTGRES_PORT: 5432
      POSTGRES_DB: mealie
-      # LDAP Authentication
-      LDAP_AUTH_ENABLED: true
-      LDAP_SERVER_URL: ldap://lldap:3890
-      LDAP_BASE_DN: ou=people,dc=${SECOND_LEVEL_DOMAIN},dc=${TOP_LEVEL_DOMAIN}
-      LDAP_ID_ATTRIBUTE: uid
-      LDAP_NAME_ATTRIBUTE: displayName
-      LDAP_MAIL_ATTRIBUTE: mail
-      LDAP_QUERY_BIND: cn=readonly_user,ou=people,dc=${SECOND_LEVEL_DOMAIN},dc=${TOP_LEVEL_DOMAIN}
-      LDAP_QUERY_PASSWORD: ${LLDAP_READONLY_USER_PASSWORD}
-      # LDAP_USER_FILTER: (memberof=cn=mealie,ou=groups,dc=example,dc=com)
-      # LDAP_ADMIN_FILTER: (memberof=cn=mealie-admin,ou=groups,dc=example,dc=com)
-
+      # OIDC using authelia
+      OIDC_AUTH_ENABLED: true
+      OIDC_SIGNUP_ENABLED: false 
+      OIDC_CONFIGURATION_URL: https://auth.${PUBLIC_DOMAIN}/.well-known/openid-configuration
+      OIDC_CLIENT_ID: mealie
+      OIDC_CLIENT_SECRET: ${MEALIE_OIDC_CLIENT_SECRET} 
+      OIDC_AUTO_REDIRECT: false
    labels:
      # Watchtower
      - "com.centurylinklabs.watchtower.enable=true"
@@ -43,4 +38,4 @@ services:
      - "traefik.http.routers.mealie.tls.certresolver=myresolver"
      - "traefik.http.routers.mealie.tls=true"
      # Middlewares
-      - "traefik.http.routers.mealie.middlewares=crowdsec-bouncer@file"
+      - "traefik.http.routers.mealie.middlewares=crowdsec-bouncer@file"
--- a/project/service/n8n/n8n.yml
+++ b/project/service/n8n/n8n.yml
@@ -0,0 +1,32 @@
+services:
+  n8n:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: docker.n8n.io/n8nio/n8n
+    container_name: n8n 
+    ports:
+      - 4022:5678
+    networks:
+      - ip4net
+    environment:
+      - N8N_BLOCK_ENV_ACCESS_IN_NODE=false
+      - MAM_USERNAME=${N8N_MAM_USERNAME}
+      - MAM_PASSWORD=${N8N_MAM_PASSWORD}
+      - PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true
+      - PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium-browser
+    user: root
+    volumes:
+      - ${SERVICE_PATH}/n8n/data:/home/node/.n8n
+    entrypoint: /home/node/.n8n/script/entrypoint.sh 
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.n8n.rule=Host(`n8n.${LOCAL_DOMAIN}`)"
+      - "traefik.http.routers.n8n.entrypoints=https"
+      - "traefik.http.routers.n8n.tls=true"
+      - "traefik.http.routers.n8n.tls.certresolver=myresolver"
+      # Middlewares
+      - "traefik.http.routers.n8n.middlewares=crowdsec-bouncer@file"
--- a/project/service/ollama/ollama.yml
+++ b/project/service/ollama/ollama.yml
@@ -0,0 +1,24 @@
+services:
+  ollama:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: ollama/ollama 
+    container_name: ollama 
+    ports:
+      - 4019:11434
+    networks:
+      - ip6net
+    volumes:
+      - ${SERVICE_PATH}/ollama/data:/root/.ollama
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.ollama.rule=Host(`ollama.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.ollama.entrypoints=https"
+      - "traefik.http.routers.ollama.tls=true"
+      - "traefik.http.routers.ollama.tls.certresolver=myresolver"
+      # Middlewares
+      - "traefik.http.routers.ollama.middlewares=crowdsec-bouncer@file"
--- a/project/service/paperless-ngx/paperless-ngx.yml
+++ b/project/service/paperless-ngx/paperless-ngx.yml
@@ -10,8 +10,8 @@ services:
    networks:
      - ip6net
    volumes:
-      - ${EXTERNAL_STORAGE}/paperless-ngx/data:/usr/src/paperless/data
-      - ${EXTERNAL_STORAGE}/paperless-ngx/media:/usr/src/paperless/media
+      - ${EXTERNAL_STORAGE}/documents/data:/usr/src/paperless/data
+      - ${EXTERNAL_STORAGE}/documents/media:/usr/src/paperless/media
      - ${SERVICE_PATH}/paperless-ngx/data/export:/usr/src/paperless/export
      - ${SERVICE_PATH}/paperless-ngx/data/consume:/usr/src/paperless/consume
    environment:
@@ -46,4 +46,4 @@ services:
      - "traefik.http.routers.paperless.tls.certresolver=myresolver"
      - "traefik.http.routers.paperless.tls=true"
      # Middlewares
-      - "traefik.http.routers.paperless.middlewares=crowdsec-bouncer@file"
+      - "traefik.http.routers.paperless.middlewares=crowdsec-bouncer@file"
--- a/project/service/pdf/pdf.yml
+++ b/project/service/pdf/pdf.yml
@@ -0,0 +1,22 @@
+services:
+  pdf:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: bentopdf/bentopdf-simple
+    container_name: pdf
+    ports:
+      - '4003:8080'
+    networks:
+      - ip6net
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.pdf.rule=Host(`pdf.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.pdf.entrypoints=https"
+      - "traefik.http.routers.pdf.tls.certresolver=myresolver"
+      - "traefik.http.routers.pdf.tls=true"
+      # Middlewares
+      - "traefik.http.routers.pdf.middlewares=crowdsec-bouncer@file, authelia@file"
--- a/project/service/radicale/radicale.yml
+++ b/project/service/radicale/radicale.yml
@@ -23,9 +23,8 @@ services:
    #   interval: 30s
    #   retries: 3
    volumes:
-      - ${SERVICE_PATH}/radicale/data:/data/
-      - ${SERVICE_PATH}/radicale/config:/data/
-
+      - ${SERVICE_PATH}/radicale/config:/config/
+      - ${EXTERNAL_STORAGE}/calendars-contacts:/data
    labels:
      # Watchtower
      - "com.centurylinklabs.watchtower.enable=true"
@@ -36,4 +35,4 @@ services:
      - "traefik.http.routers.radicale.tls.certresolver=myresolver"
      - "traefik.http.routers.radicale.tls=true"
      # Middlewares
-      - "traefik.http.routers.radicale.middlewares=crowdsec-bouncer@file"
+      - "traefik.http.routers.radicale.middlewares=crowdsec-bouncer@file"
--- a/project/service/shlink/shlink.yml
+++ b/project/service/shlink/shlink.yml
@@ -1,59 +0,0 @@
-services:
-  shlink-backend:
-    extends:
-      file: ${TEMPLATES_PATH}
-      service: default
-    image: shlinkio/shlink:latest
-    container_name: shlink-backend
-    ports:
-      - '4004:8080'
-    networks:
-      - ip6net
-    volumes:
-      - ${SERVICE_PATH}/shlink/data:/usr/share/tesseract-ocr/4.00/tessdata #Required for extra OCR languages
-      - ${SERVICE_PATH}/shlink/config:/configs
-    environment:
-      DEFAULT_DOMAIN: shlink.${PUBLIC_DOMAIN}
-      IS_HTTPS_ENABLED: true
-      # GEOLITE_LICENSE_KEY: # optional, to geolocate visit, see https://shlink.io/documentation/geolite-license-key/
-      # DB
-      DB_DRIVER: postgres
-      DB_USER: shlink
-      DB_PASSWORD: ${SHLINK_DATABASE_PASSWORD}
-      DB_HOST: postgres
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
-      # Traefik
-      - "traefik.enable=true"
-      - "traefik.http.routers.shlink-backend.rule=Host(`shlink.${PUBLIC_DOMAIN}`)"
-      - "traefik.http.routers.shlink-backend.entrypoints=https"
-      - "traefik.http.routers.shlink-backend.tls.certresolver=myresolver"
-      - "traefik.http.routers.shlink-backend.tls=true"
-      - "traefik.http.routers.shlink-backend.service=shlink-backend-svc"
-      - "traefik.http.services.shlink-backend-svc.loadbalancer.server.port=8080"
-      # Middlewares
-      - "traefik.http.routers.shlink-backend.middlewares=crowdsec-bouncer@file"
-
-  shlink-frontend:
-    extends:
-      file: ${TEMPLATES_PATH}
-      service: default
-    image: shlinkio/shlink-web-client:latest
-    container_name: shlink-frontend
-    ports:
-      - '4005:8080'
-    networks: 
-      - ip6net
-    environment:
-      SHLINK_SERVER_URL: https://shlink.${PUBLIC_DOMAIN}
-      SHLINK_SERVER_API_KEY: ${SHLINK_SERVER_API_KEY}
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
-      # Traefik
-      - "traefik.enable=true"
-      - "traefik.http.routers.shlink-frontend.rule=Host(`shlink.${LOCAL_DOMAIN}`)"
-      - "traefik.http.routers.shlink-frontend.entrypoints=https"
-      - "traefik.http.routers.shlink-frontend.tls=true"
-  
--- a/project/service/sponsorblock/sponsorblock.yml
+++ b/project/service/sponsorblock/sponsorblock.yml
@@ -1,11 +0,0 @@
-services:
-  sponsorblock:
-    extends:
-      file: ${TEMPLATES_PATH}
-      service: default
-    image: ghcr.io/dmunozv04/isponsorblocktv
-    container_name: sponsorblock
-    networks:
-      - ip4net
-    volumes:
-    - ${SERVICE_PATH}/sponsorblock/data:/app/data
--- a/project/service/stirling-pdf/stirling-pdf.yml
+++ b/project/service/stirling-pdf/stirling-pdf.yml
@@ -1,26 +0,0 @@
-services:
-  stirling-pdf:
-    extends:
-      file: ${TEMPLATES_PATH}
-      service: default
-    image: frooodle/s-pdf:latest
-    container_name: stirling-pdf
-    ports:
-      - '4003:8080'
-    networks:
-      - ip6net
-    volumes:
-      - ${SERVICE_PATH}/stirling-pdf/data:/usr/share/tesseract-ocr/4.00/tessdata #Required for extra OCR languages
-      - ${SERVICE_PATH}/stirling-pdf/config:/configs
-    #  - /location/of/customFiles:/customFiles/
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
-      # Traefik
-      - "traefik.enable=true"
-      - "traefik.http.routers.stirling-pdf.rule=Host(`stirling-pdf.${PUBLIC_DOMAIN}`)"
-      - "traefik.http.routers.stirling-pdf.entrypoints=https"
-      - "traefik.http.routers.stirling-pdf.tls.certresolver=myresolver"
-      - "traefik.http.routers.stirling-pdf.tls=true"
-      # Middlewares
-      - "traefik.http.routers.stirling-pdf.middlewares=crowdsec-bouncer@file, authelia@file"
--- a/project/service/vaultwarden/vaultwarden.yml
+++ b/project/service/vaultwarden/vaultwarden.yml
@@ -0,0 +1,34 @@
+services:
+  vaultwarden:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: vaultwarden/server
+    container_name: vaultwarden 
+    ports:
+      - 4018:80
+    networks:
+      - ip6net
+    environment:
+      DOMAIN: "https://vaultwarden.${PUBLIC_DOMAIN}"
+      SIGNUPS_ALLOWED: false 
+      INVITATIONS_ALLOWED: false
+      SSO_ENABLED: false # for now sso does only help companies for role management and the master password is still necessary 
+      SSO_ONLY: false 
+      SSO_AUTHORITY: https://auth.${PUBLIC_DOMAIN}
+      SSO_SCOPES: profile email offline_access
+      SSO_CLIENT_ID: vaultwarden
+      SSO_CLIENT_SECRET: ${VAULTWARDEN_OIDC_CLIENT_SECRET}
+    volumes:
+      - ${EXTERNAL_STORAGE}/passwords:/data/
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.vaultwarden.entrypoints=https"
+      - "traefik.http.routers.vaultwarden.tls=true"
+      - "traefik.http.routers.vaultwarden.tls.certresolver=myresolver"
+      # Middlewares
+      - "traefik.http.routers.vaultwarden.middlewares=crowdsec-bouncer@file"
Author	SHA1	Message	Date
chris	d4061164a6	replace stirling pdf, sso for multiple app, cleanup	2025-12-19 15:33:26 +01:00
chris	7ec59a3b07	clean up and add loki and ntfy	2025-11-13 18:38:45 +01:00
chris	8a67598944	update uptime	2025-11-03 22:40:32 +01:00
chris	ebb0c20ee4	add n8n	2025-10-17 17:18:47 +02:00
chris	2bb4bfa337	music stack and general improvements	2025-10-11 15:52:07 +02:00
chris	4caf3f5266	media player	2025-09-28 23:09:59 +02:00
chris	5609944f02	improvements data stores and torrent pipeline	2025-09-25 22:59:22 +02:00
chris	c6f4b733b3	add linkwarden	2025-09-08 01:48:45 +02:00
chris	407594dd85	Modify config to externalize data to backup	2025-09-07 00:40:40 +02:00
chris	2862618816	Update domain, add kiwix and ollama	2025-09-02 20:40:57 +02:00
chris	e6ce62ae09	vaultwarden, calibre, cleanup	2025-08-03 19:00:42 +02:00
chris	f448f29a03	update	2025-06-09 12:29:21 +02:00