Merge remote updates, accepting remote versions for conflicted files

2026-01-17 20:22:10 -05:00
parent 15582a36ad
commit 21ee910267
9 changed files with 940 additions and 1972 deletions
--- a/docker-compose/core.yml
+++ b/docker-compose/core.yml
@@ -3,11 +3,6 @@
 # Deploy this stack FIRST before any other services
 # Place in /opt/stacks/core/docker-compose.yml

-# Service Access URLs:
-# - DuckDNS: No web UI (updates IP automatically)
-# - Traefik: https://traefik.${DOMAIN}
-# - Authelia: https://auth.${DOMAIN}
-
 services:
  # DuckDNS - Dynamic DNS updater
  # Updates your public IP automatically for Let's Encrypt SSL
@@ -23,7 +18,7 @@ services:
      - TOKEN=${DUCKDNS_TOKEN}            # Your DuckDNS token
      - UPDATE_IP=ipv4                    # or ipv6, or both
    volumes:
-      - ./duckdns:/config
+      - /opt/stacks/core/duckdns:/config
    labels:
      - "homelab.category=infrastructure"
      - "homelab.description=Dynamic DNS updater"
@@ -45,9 +40,9 @@ services:
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
-      - ./traefik/traefik.yml:/traefik.yml:ro
-      - ./traefik/dynamic:/dynamic:ro
-      - ./traefik/acme.json:/acme.json
+      - /opt/stacks/core/traefik/traefik.yml:/traefik.yml:ro
+      - /opt/stacks/core/traefik/dynamic:/dynamic:ro
+      - /opt/stacks/core/traefik/acme.json:/acme.json
    environment:
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}  # If using Cloudflare DNS challenge
      - DUCKDNS_TOKEN=${DUCKDNS_TOKEN}        # If using DuckDNS
@@ -57,8 +52,6 @@ services:
      - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.traefik.tls.domains[0].main=${DOMAIN}"
-      - "traefik.http.routers.traefik.tls.domains[0].sans=*.${DOMAIN}"
      - "traefik.http.routers.traefik.middlewares=authelia@docker"
      - "traefik.http.routers.traefik.service=api@internal"
      # Global HTTP to HTTPS redirect
@@ -78,29 +71,61 @@ services:
    networks:
      - traefik-network
    volumes:
-      - ./authelia/configuration.yml:/config/configuration.yml:ro
-      - ./authelia/users_database.yml:/config/users_database.yml
-      - authelia-data:/data
+      - /opt/stacks/core/authelia/configuration.yml:/config/configuration.yml:ro
+      - /opt/stacks/core/authelia/users_database.yml:/config/users_database.yml
+      - authelia-data:/config
    environment:
      - TZ=${TZ}
      - AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET}
      - AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
      - AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_ENCRYPTION_KEY}
+      - AUTHELIA_NOTIFIER_SMTP_PASSWORD=${SMTP_PASSWORD}  # If using email notifications
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authelia.rule=Host(`auth.${DOMAIN}`)"
      - "traefik.http.routers.authelia.entrypoints=websecure"
-      - "traefik.http.routers.authelia.tls=true"
+      - "traefik.http.routers.authelia.tls.certresolver=letsencrypt"
      - "traefik.http.services.authelia.loadbalancer.server.port=9091"
      # Authelia middleware for other services
      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.${DOMAIN}"
      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
-      - "x-dockge.url=https://authelia.${DOMAIN}"
-      - "x-dockge.url=https://authelia.${DOMAIN}"
    depends_on:
      - traefik

+  # Gluetun - VPN client (Surfshark WireGuard)
+  # Routes download clients through VPN for security
+  gluetun:
+    image: qmcgaw/gluetun:latest
+    container_name: gluetun
+    restart: unless-stopped
+    cap_add:
+      - NET_ADMIN
+    devices:
+      - /dev/net/tun:/dev/net/tun
+    networks:
+      - homelab-network
+      - traefik-network
+    ports:
+      - "8888:8888/tcp"  # HTTP proxy
+      - "8388:8388/tcp"  # Shadowsocks
+      - "8388:8388/udp"  # Shadowsocks
+      - "8081:8080"      # qBittorrent web UI (mapped to 8081 to avoid Traefik conflict)
+      - "6881:6881"      # qBittorrent
+      - "6881:6881/udp"  # qBittorrent
+    volumes:
+      - /opt/stacks/core/gluetun:/gluetun
+    environment:
+      - VPN_SERVICE_PROVIDER=surfshark
+      - VPN_TYPE=wireguard
+      - WIREGUARD_PRIVATE_KEY=${SURFSHARK_PRIVATE_KEY}
+      - WIREGUARD_ADDRESSES=${SURFSHARK_ADDRESSES}
+      - SERVER_COUNTRIES=${VPN_SERVER_COUNTRIES:-Netherlands}
+      - TZ=${TZ}
+    labels:
+      - "homelab.category=infrastructure"
+      - "homelab.description=VPN client for secure downloads"
+
 volumes:
  authelia-data:
    driver: local
@@ -108,3 +133,5 @@ volumes:
 networks:
  traefik-network:
    external: true
+  homelab-network:
+    external: true