kelin/EZ-Homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Bitwarden, setup script, remove redundant files, update disk requirements, and add LinuxServer preference

Browse Source 
- Add Vaultwarden (Bitwarden) password manager to utilities.yml
  - Self-hosted password manager with web UI
  - SMTP configuration for email notifications
  - Admin token for management
  - Access at bitwarden.${DOMAIN}
  - Protected by Authelia SSO

- Create automated first-run setup script (scripts/setup-homelab.sh)
  - Installs Docker Engine and Compose V2
  - Configures user groups (sudo, docker)
  - Enables SSH for remote management
  - Detects NVIDIA GPU and provides manual driver installation instructions
  - Creates directory structure and Docker networks
  - Comprehensive instructions for post-setup deployment

- Remove redundant compose files (now in core.yml)
  - Deleted authelia.yml, duckdns.yml, gluetun.yml, traefik.yml
  - All services consolidated into unified core.yml stack
  - Eliminates confusion and duplication

- Update disk space requirements across documentation
  - Changed from "100GB+ system, 1TB+ media" to:
  - "120GB+ system drive (NVMe or SSD highly recommended)"
  - "2TB+ for media & additional disks for services like Nextcloud"
  - Updated in README.md and getting-started.md

- Add preference for LinuxServer.io images
  - Updated copilot-instructions.md
  - LinuxServer images support PUID/PGID for proper file permissions
  - Preference noted in consistency guidelines

- Update core stack documentation
  - Emphasize unified core.yml deployment
  - Add both deployment methods (cd to directory vs full path)
  - Update getting-started.md with correct deployment steps
  - Note removal of separate stack files

- Add Bitwarden environment variables to .env.example
  - BITWARDEN_ADMIN_TOKEN, SIGNUPS_ALLOWED, INVITATIONS_ALLOWED
  - SMTP configuration for email notifications
  - Generation instructions included

- Update services-reference.md
  - Add Vaultwarden to utilities section (now 7 services)
  - Update service count and access URLs

All documentation now consistent with unified core stack approach and includes all requested features.

Co-authored-by: kelinfoxy <67766943+kelinfoxy@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2026-01-12 03:47:53 +00:00
parent c7ca73fe78
commit 32974a5820
12 changed files with 380 additions and 233 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
docker-compose/authelia.yml
View File

@@ -1,39 +0,0 @@
# Authelia SSO Stack
# Single Sign-On authentication for all services
# Place in /opt/stacks/authelia/docker-compose.yml
services:
authelia:
image: authelia/authelia:4.37
container_name: authelia
restart: unless-stopped
networks:
- traefik-network
volumes:
- /opt/stacks/authelia/configuration.yml:/config/configuration.yml:ro
- /opt/stacks/authelia/users_database.yml:/config/users_database.yml
- authelia-data:/config
environment:
- TZ=${TZ}
- AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET}
- AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
- AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_ENCRYPTION_KEY}
- AUTHELIA_NOTIFIER_SMTP_PASSWORD=${SMTP_PASSWORD} # If using email notifications
labels:
- "traefik.enable=true"
- "traefik.http.routers.authelia.rule=Host(`auth.${DOMAIN}`)"
- "traefik.http.routers.authelia.entrypoints=websecure"
- "traefik.http.routers.authelia.tls.certresolver=letsencrypt"
- "traefik.http.services.authelia.loadbalancer.server.port=9091"
# Authelia middleware for other services
- "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.${DOMAIN}"
- "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
- "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
volumes:
authelia-data:
driver: local
networks:
traefik-network:
external: true

21
docker-compose/duckdns.yml
View File

@@ -1,21 +0,0 @@
# DuckDNS Dynamic DNS Stack
# Updates your DuckDNS domain with current public IP
# Place in /opt/stacks/duckdns/docker-compose.yml
services:
duckdns:
image: lscr.io/linuxserver/duckdns:latest
container_name: duckdns
restart: unless-stopped
environment:
- PUID=${PUID:-1000}
- PGID=${PGID:-1000}
- TZ=${TZ}
- SUBDOMAINS=${DUCKDNS_SUBDOMAINS} # Your subdomain(s), comma separated
- TOKEN=${DUCKDNS_TOKEN} # Your DuckDNS token
- UPDATE_IP=ipv4 # or ipv6, or both
volumes:
- /opt/stacks/duckdns/config:/config
labels:
- "homelab.category=infrastructure"
- "homelab.description=Dynamic DNS updater"

81
docker-compose/gluetun.yml
View File

@@ -1,81 +0,0 @@
# Gluetun VPN Stack
# VPN client for routing services through Surfshark (or other VPN providers)
# Place in /opt/stacks/gluetun/docker-compose.yml
# Services that need VPN use: network_mode: "service:gluetun"
services:
gluetun:
image: qmcgaw/gluetun:latest
container_name: gluetun
restart: unless-stopped
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun:/dev/net/tun
networks:
- gluetun-network
- traefik-network
ports:
# qBittorrent ports (service runs through Gluetun)
- "8080:8080" # qBittorrent WebUI
- "6881:6881" # qBittorrent TCP
- "6881:6881/udp" # qBittorrent UDP
environment:
- VPN_SERVICE_PROVIDER=surfshark
- VPN_TYPE=wireguard # or openvpn
- WIREGUARD_PRIVATE_KEY=${SURFSHARK_PRIVATE_KEY}
- WIREGUARD_ADDRESSES=${SURFSHARK_ADDRESSES}
- SERVER_COUNTRIES=${VPN_COUNTRY:-Netherlands} # Preferred VPN server country
- TZ=${TZ}
# For OpenVPN instead of WireGuard:
# - OPENVPN_USER=${SURFSHARK_USERNAME}
# - OPENVPN_PASSWORD=${SURFSHARK_PASSWORD}
volumes:
- /opt/stacks/gluetun/config:/gluetun
labels:
- "homelab.category=infrastructure"
- "homelab.description=VPN client for secure routing (Surfshark)"
# qBittorrent - Torrent client routing through VPN
# Access at: https://qbit.yourdomain.duckdns.org
qbittorrent:
image: lscr.io/linuxserver/qbittorrent:4.6.2
container_name: qbittorrent
network_mode: "service:gluetun" # Routes all traffic through VPN
depends_on:
- gluetun
volumes:
- /opt/stacks/qbittorrent/config:/config
- /mnt/downloads:/downloads # Large downloads on separate drive
environment:
- PUID=${PUID:-1000}
- PGID=${PGID:-1000}
- TZ=${TZ}
- WEBUI_PORT=8080
labels:
- "homelab.category=media"
- "homelab.description=Torrent download client (via VPN)"
# Traefik labels (applied to Gluetun since qBittorrent uses its network)
# Configure these on the Gluetun container instead:
# Traefik routing for qBittorrent (via Gluetun)
# Since qBittorrent uses Gluetun's network, we add a sidecar label container
qbit-labels:
image: alpine:latest
container_name: qbit-labels
command: tail -f /dev/null
networks:
- traefik-network
labels:
- "traefik.enable=true"
- "traefik.http.routers.qbittorrent.rule=Host(`qbit.${DOMAIN}`)"
- "traefik.http.routers.qbittorrent.entrypoints=websecure"
- "traefik.http.routers.qbittorrent.tls.certresolver=letsencrypt"
- "traefik.http.routers.qbittorrent.middlewares=authelia@docker"
- "traefik.http.services.qbittorrent.loadbalancer.server.url=http://gluetun:8080"
networks:
gluetun-network:
driver: bridge
traefik-network:
external: true

43
docker-compose/traefik.yml
View File

@@ -1,43 +0,0 @@
# Traefik Reverse Proxy Stack
# Main reverse proxy with Let's Encrypt SSL automation
# Place in /opt/stacks/traefik/docker-compose.yml
services:
traefik:
image: traefik:v2.11
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
- traefik-network
ports:
- "80:80" # HTTP
- "443:443" # HTTPS
- "8080:8080" # Dashboard (protect with Authelia)
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- /opt/stacks/traefik/traefik.yml:/traefik.yml:ro
- /opt/stacks/traefik/dynamic:/dynamic:ro
- /opt/stacks/traefik/acme.json:/acme.json
environment:
- CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN} # If using Cloudflare DNS challenge
- DUCKDNS_TOKEN=${DUCKDNS_TOKEN} # If using DuckDNS
labels:
- "traefik.enable=true"
# Dashboard
- "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)"
- "traefik.http.routers.traefik.entrypoints=websecure"
- "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
- "traefik.http.routers.traefik.middlewares=authelia@docker"
- "traefik.http.routers.traefik.service=api@internal"
# Global HTTP to HTTPS redirect
- "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
- "traefik.http.routers.http-catchall.entrypoints=web"
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
networks:
traefik-network:
external: true

32
docker-compose/utilities.yml
View File

@@ -126,6 +126,38 @@ services:
- "homelab.category=utilities"
- "homelab.description=Form.io database"
# Bitwarden (Vaultwarden) - Password manager
# Access at: https://bitwarden.${DOMAIN}
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
restart: unless-stopped
networks:
- homelab-network
- traefik-network
volumes:
- /opt/stacks/vaultwarden/data:/data
environment:
- DOMAIN=https://bitwarden.${DOMAIN}
- SIGNUPS_ALLOWED=${BITWARDEN_SIGNUPS_ALLOWED:-true}
- INVITATIONS_ALLOWED=${BITWARDEN_INVITATIONS_ALLOWED:-true}
- ADMIN_TOKEN=${BITWARDEN_ADMIN_TOKEN}
- SMTP_HOST=${SMTP_HOST}
- SMTP_FROM=${SMTP_FROM}
- SMTP_PORT=${SMTP_PORT:-587}
- SMTP_SECURITY=${SMTP_SECURITY:-starttls}
- SMTP_USERNAME=${SMTP_USERNAME}
- SMTP_PASSWORD=${SMTP_PASSWORD}
labels:
- "homelab.category=utilities"
- "homelab.description=Self-hosted password manager (Bitwarden)"
- "traefik.enable=true"
- "traefik.http.routers.vaultwarden.rule=Host(`bitwarden.${DOMAIN}`)"
- "traefik.http.routers.vaultwarden.entrypoints=websecure"
- "traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt"
- "traefik.http.routers.vaultwarden.middlewares=authelia@docker"
- "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
# Authelia Redis - Session storage for Authelia
# No web UI - backend service
authelia-redis: