Add Arcane stack and clean up deprecated files

- Add new Arcane application stack
- Move aliases.sh to scripts/ directory
- Remove deprecated files (IMPLEMENTATION_COMPLETE.md, markup.yml, release notes)
- Remove standalone traefik docker-compose (now part of core stack)
- Update documentation (ai-vscode-setup.md, docker-guidelines.md, core README)
This commit is contained in:
Kelin
2026-02-09 22:22:40 -05:00
parent 33336c75ff
commit 377ba6dc20
11 changed files with 136 additions and 764 deletions


@@ -0,0 +1,43 @@
services:
arcane:
image: ghcr.io/getarcaneapp/arcane:latest
container_name: arcane
ports:
- '3552:3552'
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- arcane-data:/app/data
- /opt/stacks:/opt/stacks
environment:
- APP_URL=http://192.168.4.12:3552
- PROJECTS_DIRECTORY=/opt/stacks
- PUID=1000
- PGID=1000
- ENCRYPTION_KEY=5Db7OZ8TtiRNnXi09oh4WN27igS8YohGo45bnBycN7U=
- JWT_SECRET=xwe+pZrRvv18OprdQS+8O5R3fhNekn4pOmikSTJzQIg=
restart: unless-stopped
networks:
- traefik-network
# arcane-agent:
# image: ghcr.io/getarcaneapp/arcane-headless:latest
# container_name: arcane-agent
# restart: unless-stopped
# environment:
# - AGENT_MODE=true
# - AGENT_TOKEN=
# - MANAGER_API_URL=http://192.168.4.4:3552
# ports:
# - "3553:3553"
# volumes:
# - /var/run/docker.sock:/var/run/docker.sock
# - arcane-data:/app/data
# networks:
# - traefik-network
volumes:
arcane-data:
networks:
traefik-network:
external: true
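Review bot: `ENCRYPTION_KEY` and `JWT_SECRET` are committed as literal values in this compose file (the two `- ENCRYPTION_KEY=` and `- JWT_SECRET=` lines); they should be read from the stack's `.env`, the pattern the core README already uses for `DUCKDNS_TOKEN`, or from Docker secrets, and because these values are now in git history they need to be rotated, not just moved in a follow-up commit. Two further points on the `arcane` service: it publishes `3552:3552` directly and carries no Traefik labels, so it is reachable over plain HTTP (`APP_URL=http://192.168.4.12:3552`) without the Traefik TLS termination and Authelia middleware the core README describes as the path for every service; and `/var/run/docker.sock` is mounted read-write, which gives the container control equivalent to root on the host, so the missing authentication layer matters more here than for an ordinary app. Minor: the commented-out `arcane-agent` block points `MANAGER_API_URL` at `192.168.4.4` while `APP_URL` uses `192.168.4.12`, and leaves `AGENT_TOKEN=` empty; either finish it or drop it.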


@@ -1,6 +1,6 @@
# Core Infrastructure Services
This directory contains the core infrastructure services that form the foundation of the homelab. These services should be deployed **on the main server only** and are critical for the operation of all other services across all servers.
This directory contains the core infrastructure services that form the foundation of the homelab. These services should be deployed **on the core server only** and are critical for the operation of all other services across all servers.
## Services
@@ -18,9 +18,7 @@ This directory contains the core infrastructure services that form the foundatio
- **Multi-Server**: Discovers services on all servers via Docker providers
- **SSL**: Let's Encrypt with DNS-01 challenge (wildcard certificate)
- **Dashboard**: Available at configured domain
- **Deploy**: Core server (multi-provider), Remote servers (local-only)
**Note**: Sablier has been moved to its own stack (`/opt/stacks/sablier/`) and should be deployed on each server individually. See [Sablier documentation](../../docs/service-docs/sablier.md) for details.
- **Deploy**: Core server only
### Authelia (v4.37.5)
- **Purpose**: Single sign-on authentication service for all services across all servers
@@ -30,30 +28,24 @@ This directory contains the core infrastructure services that form the foundatio
- **Database**: SQLite database in `authelia/config/db.sqlite3`
- **Deploy**: Core server only
### DuckDNS
- **Purpose**: Dynamic DNS service for domain resolution and wildcard SSL certificates
- **Subdomain**: Configurable via environment variables
- **Token**: Configured in environment variables
- **SSL Certificates**: Generates wildcard cert used by all services on all servers
- **Deploy**: Core server only
## Multi-Server Architecture
The core stack on the main server provides centralized services for the entire homelab:
**Core Server Responsibilities:**
**Core Server:**
- Receives all external traffic (ports 80/443 forwarded from router)
- Runs DuckDNS for domain management and SSL certificates
- Runs Authelia for centralized authentication
- Runs multi-provider Traefik that discovers services on all servers
- Generates shared CA for Docker TLS communication
- Runs Sablier for lazyloading local containers
- Traefik lables route servies on the core server
- Traekif external-host-servername.yml defines routes for Remote Servers
**Remote Server Setup:**
- Remote servers run their own Traefik instance (local Docker provider only)
- Remote servers run their own Sablier instance (local container management)
- Remote servers expose Docker API on port 2376 with TLS
- Core server Traefik connects to remote Docker APIs to discover services
- No port forwarding needed on remote servers
**Remote Server:**
- Each container exposes ports
- No port forwarding from router needed
- No Traefik lables
- Traefik configured by an external-host yaml file on Core Server
- Runs Sablier for lazyloading local containers
**Service Access:**
- All services accessible via: `https://service.yourdomain.duckdns.org`
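Review bot: the new **Remote Server** list says each container exposes its ports directly and has no Traefik labels, while the **Security Notes** section of this same README still states that all external traffic goes through Traefik with SSL termination and that Authelia protects services; reconcile the two, ideally by stating that remote-container ports are bound to a LAN address only and that core Traefik remains the single point that terminates TLS and applies the Authelia middleware. Removing the bullets about the Docker API on port 2376 with TLS and the core Traefik connecting to remote Docker APIs also leaves `Generates shared CA for Docker TLS communication` in the Core Server list with no consumer; keep the 2376 bullets or remove the shared-CA bullet as well. Typos in the added lines: `lables` (twice), `servies`, `Traekif`.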
@@ -98,10 +90,11 @@ core/
├── docker-compose.yml # Main service definitions
├── .env # Environment variables
├── authelia/
── config/
├── configuration.yml # Authelia main config
── users_database.yml # User credentials
└── db.sqlite3 # SQLite database
── config/
| ├── configuration.yml # Authelia main config
| ── notification.txt
| └── secrets/
| └── users_database.yml # User credentials
├── duckdns/
│ └── config/ # DuckDNS configuration
├── traefik/
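Review bot: the tree drawing in the added lines mixes `|` with `│` and several entries lose their `├──`/`└──` prefix (`── config/`, `| ── notification.txt`), so it renders misaligned next to the `duckdns/` and `traefik/` entries; redraw it with the same box characters the rest of the tree uses. Moving `users_database.yml` under `config/secrets/` is a good change; `notification.txt`, if it is Authelia's filesystem notifier output, holds identity-verification and password-reset links in plaintext and should be listed with the secrets (and git-ignored) rather than documented as an ordinary config file. Also, `db.sqlite3` is dropped from the tree here while the **Database** bullet in the Authelia section above still says it lives in `authelia/config/db.sqlite3`; update one or the other.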
@@ -113,106 +106,5 @@ core/
│ │ └── external-host-*.yml # Remote server routing
│ └── letsencrypt/
│ └── acme.json # SSL certificates
└── shared-ca/ # TLS certificates for multi-server
├── ca.pem # Certificate Authority
├── ca-key.pem # CA private key
├── cert.pem # Client certificate
└── key.pem # Client key
```
### Environment Variables (.env)
```bash
# Required for proper operation
DUCKDNS_TOKEN=your_duckdns_token_here
DUCKDNS_SUBDOMAINS=your_subdomain
DOMAIN=yourdomain.duckdns.org
TZ=America/New_York
PUID=1000
PGID=1000
```
### Network Requirements
- Docker network: `traefik-network`
- External ports: 80, 443 must be accessible
- DNS resolution: Domain must point to server IP
## Deployment
### Prerequisites
1. Docker and Docker Compose installed
2. Ports 80/443 forwarded to server
3. DuckDNS account with valid token
4. Domain configured in DuckDNS
### Startup Order
1. `duckdns` - For DNS updates and SSL certificate generation
2. `traefik` - Reverse proxy (waits for SSL certificates)
3. `authelia` - Authentication service
**Note**: Sablier is now deployed separately in `/opt/stacks/sablier/` after core stack is running.
### Commands
```bash
# Start all services
docker-compose up -d
# Check status
docker-compose ps
# View logs
docker-compose logs -f [service-name]
# Restart specific service
docker-compose restart [service-name]
```
## Troubleshooting
### Common Issues
1. **Connection Refused**: Check if Traefik config file is in correct location (`traefik/config/traefik.yml`)
2. **SSL Certificate Issues**: Verify DuckDNS token and domain configuration
3. **Authelia Login Issues**: Check database file exists and configuration is valid
4. **Service Not Starting**: Check Docker logs for error messages
### Backup Strategy
- Configuration files are backed up automatically (see backup directories)
- Database should be backed up regularly
- SSL certificates are stored in `letsencrypt/acme.json`
- Use `backup.sh` script for automated backups
## Security Notes
- Authelia provides authentication for protected services
- All external traffic goes through Traefik with SSL termination
- Internal services communicate via Docker networks
- Dashboard access is protected by Authelia middleware
## Maintenance
- Monitor SSL certificate expiration (Let's Encrypt auto-renews)
- Keep Authelia version pinned until tested upgrades are available
- Regularly backup configuration and database files
- Check logs for security issues or errors
- Run `./backup.sh` regularly to backup critical files
## Customization
### Domain Configuration
Update the following files with your domain:
- `docker-compose.yml`: Traefik labels and Authelia configuration
- `authelia/config/configuration.yml`: Domain settings
- `.env`: Domain environment variables
### SSL Certificate Provider
Modify `traefik/config/traefik.yml` to use different DNS providers:
```yaml
certificatesResolvers:
letsencrypt:
acme:
dnsChallenge:
provider: cloudflare # or other supported provider
```
### Adding New Services
1. Add service definition to `docker-compose.yml`
2. Configure Traefik labels for routing
3. Add middleware for authentication if needed
4. Update network configuration
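Review bot: this hunk removes the Environment Variables, Network Requirements, Deployment, Troubleshooting, Backup Strategy, Security Notes, Maintenance and Customization sections of the core README, but nothing else in this commit adds a replacement and the commit message only says `Update documentation`; if these sections moved to `docs/`, link the new location from this README, otherwise keep at least the `.env` variable list, the startup order and the note that the SSL certificates live in `letsencrypt/acme.json` and must be backed up, since those are the parts a fresh deployment needs.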


@@ -1,42 +0,0 @@
# Traefik Service for Remote Servers
# This standalone Traefik instance runs on remote servers to discover local containers
# and communicate with the core Traefik on the core server via Docker TLS
services:
traefik:
# Local Traefik instance for container discovery on this remote server
image: traefik:v3
container_name: traefik
restart: unless-stopped
command:
- '--api.dashboard=true'
- '--api.insecure=true' # Allow API access on port 8080
- '--providers.docker=true'
- '--providers.docker.exposedbydefault=false'
- '--providers.docker.network=traefik-network'
- '--providers.file.directory=/dynamic'
- '--providers.file.watch=true'
- '--log.level=INFO'
- '--accesslog=true'
- '--entrypoints.web.address=:80'
- '--entrypoints.websecure.address=:443'
environment:
- TZ=America/New_York
ports:
- '80:80' # HTTP entrypoint
- '443:443' # HTTPS entrypoint
- '8080:8080' # Dashboard (optional, for debugging)
volumes:
- ./config:/config
- ./dynamic:/dynamic
- /var/run/docker.sock:/var/run/docker.sock:ro
networks:
- traefik-network
labels:
- 'homelab.category=infrastructure'
- 'homelab.description=Local reverse proxy for container discovery'
- 'traefik.enable=false' # This Traefik doesn't route itself
networks:
traefik-network:
external: true
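Review bot: the commit message gives the reason for this deletion as `now part of core stack`, but the file's own header says it is the standalone Traefik for remote servers, and the README change in this commit says remote servers no longer run Traefik at all; record the actual reason so the history explains why remote servers lost their local proxy. Two details worth carrying forward rather than losing with the file: this instance mounted the Docker socket `:ro` and set `traefik.enable=false` on itself, both sensible defaults for the remaining core Traefik and for the new Arcane stack, which currently mounts the socket read-write.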