kelin/EZ-Homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: kelin:v0.1.1
Branches Tags
kelin:main kelin:copilot/scan-and-replace-personal-data
kelin:v0.2.1 kelin:v0.2.0 kelin:v0.1.2 kelin:v0.1.1 kelin:v0.1.0
..
compare: kelin:v0.1.2
Branches Tags
kelin:main kelin:copilot/scan-and-replace-personal-data
kelin:v0.2.1 kelin:v0.2.0 kelin:v0.1.2 kelin:v0.1.1 kelin:v0.1.0

44 Commits
v0.1.1 ... v0.1.2

Author SHA1 Message Date
Kelin
73cb274160 v0.1.2: Multi-server architecture + security cleanup 
- Implement multi-server Traefik + Sablier architecture
- Add label-based automatic service discovery
- Create separate Sablier stack deployment
- Add remote server deployment workflow (Option 3)
- Add 9 new functions for multi-server management
- Remove deprecated config-templates folder
- Replace hardcoded private data with placeholders
- Update backup timestamp format to YY_MM_DD_hh_mm
- Add markup.yml to .gitignore

Breaking changes:
- Removed Sablier from core docker-compose.yml (now separate stack)
- Config templates moved from config-templates/ to docker-compose/core/
- REQUIRED_VARS now dynamic based on deployment type
 2026-02-04 19:36:18 -05:00
Kelin Fox
75e66586d1 Fix Authelia password hash generation to remove 'digest:' prefix 
- Use awk to extract only the argon2 hash from Authelia command output
- Prevent 'Digest:' or 'digest:' prefixes from being included in password hashes
- Apply fix to both password generation locations in the script
 2026-02-03 23:43:31 -05:00
Kelin
5a4360bc53 Fix Docker Compose variable substitution for password hashes 
- Escape $ characters in AUTHELIA_ADMIN_PASSWORD_HASH in deployed .env file
- Prevent Docker Compose from interpreting password hash as environment variables
- Update ez-homelab.sh to source common.sh and use specialized users_database.yml processing
 2026-02-03 22:58:52 -05:00
Kelin
59cd225e0e Fix variable substitution in users_database.yml 
- Update localize_users_database_file to properly resolve nested variables in AUTHELIA_ADMIN_EMAIL
- Fix template to use correct AUTHELIA_* variables instead of DEFAULT_* variables
- Update deploy-core.sh to only process files containing variables and fix .env path
- Fix file permissions for authelia config files
 2026-02-03 22:48:27 -05:00
Kelin
e2a654b3f4 Refactor docker-compose configurations and add new services 
- Reorganize Authelia configuration files
- Add new dynamic routing files for Traefik
- Update various service docker-compose files
- Remove outdated templates and scripts
 2026-02-03 22:20:09 -05:00
Kelin
ed17bf295a Fix variable substitution in users_database.yml to preserve password hashes 
- Modified load_env_file_safely to prevent expansion of $ in .env values
- Updated localize_users_database_file to handle nested variables correctly
- Added fresh template copying in deploy-core.sh to ensure reliable processing
- Fixed password hash corruption during deployment
 2026-02-03 21:07:36 -05:00
Kelin
3d5979b5f1 Implement fixes from test results 
- Update Docker install to use curl method
- Rename ADMIN_PASSWORD to AUTHELIA_ADMIN_PASSWORD
- Fix Authelia password hash generation (remove grep, no quotes)
- Revert compose labels to single quotes
- Ensure users_database.yml has unquoted password placeholder
 2026-02-02 20:59:07 -05:00
Kelin
7e4799f27e Update media docker-compose.yml 2026-02-02 18:48:15 -05:00
Kelin
5b5df8960b Fix variable replacement logic for nested variables and remove repo file modification 
- Remove localize_deployment call from main flow to avoid modifying repo files
- Enhance localize_yml_file to recursively expand nested variables using envsubst
- Ensure config files contain actual values, not variable names
 2026-02-02 17:30:24 -05:00
Kelin
fd15c18389 Strip carriage returns from .env values to handle DOS line endings 2026-02-02 14:48:28 -05:00
Kelin
10338f2de5 Fix subshell issue in config file processing loops to allow env var replacement 2026-02-02 14:45:13 -05:00
Kelin
98f6b55fdf Fix load_env_file_safely to actually export environment variables 2026-02-02 14:37:23 -05:00
Kelin
457d803f57 Strip inline comments from .env values before parsing to prevent xargs quote issues 2026-02-02 14:11:14 -05:00
Kelin
e5d678ebbe Replace sed-based variable replacement with envsubst for universal handling of special characters 2026-02-02 14:06:26 -05:00
Kelin
cd9dc925f3 Add logging of missing variables and trim keys in .env parsing 2026-02-02 13:56:27 -05:00
Kelin
80b44f8bef Trim whitespace from .env values to ensure proper secret generation 2026-02-02 13:52:28 -05:00
Kelin
4fd30340ef Quote Authelia password hash to prevent Docker expansion warnings, fix variable trimming with xargs, and update comment exclusion pattern 2026-02-02 13:46:44 -05:00
Kelin
1be1ecb264 Fix variable trimming, reload .env after secret generation, and improve comment exclusion in validation 2026-02-02 13:42:22 -05:00
Kelin
faaf39002a Replace personal URLs with placeholders and fix variable replacement logic 2026-02-02 13:19:22 -05:00
Kelin
0041b15cc2 Fix Authelia password copying and update menu logic 
- Fix password hash copying to user_database.yml by removing premature env cleanup
- Update menu case logic to match display options (1-4)
- Add input validation loop for better user experience
- Handle special menu options (prerequisites, NVIDIA drivers) appropriately
 2026-02-01 01:12:03 -05:00
Kelin
ea5e34935b Resolve merge conflicts and restore local configuration 
- Keep local DuckDNS subdomain and token customizations
- Preserve user-specific Authelia configuration
- Maintain local docker-compose customizations
 2026-01-31 23:32:42 -05:00
EZ-Homelab Assistant
6c4a3362e0 feat: Major UI improvements to ez-homelab.sh 
- Add professional ASCII box styling to main menu
- Implement interactive variable configuration with validation
- Add icons to all prompts (🌐 🌍 🦆 🔑 👤 🔒 📧 🏠)
- Create vanishing prompts that replace with status confirmations
- Add comprehensive menu system with proceed/review/quit options
- Show current configuration values before deployment choices
- Implement proper error handling for invalid inputs
- Add immediate quit functionality with 'q' during any prompt
- Improve spacing and visual hierarchy throughout interface
- Fix deployment flow to prevent accidental starts on invalid input
 2026-01-31 05:41:30 -05:00
EZ-Homelab Assistant
41d9a4cd7f feat: standardize traefik.docker.network labels across all docker-compose files 
- Add traefik.docker.network=traefik-network label to all local services with traefik.enable=true
- Ensures consistent network selection for Traefik IP discovery
- Prevents routing conflicts when services are on multiple networks
- Updated 12 docker-compose files with 32+ service labels
- Maintains dual network access (homelab-network + traefik-network) for web UIs
 2026-01-30 23:45:55 -05:00
EZ-Homelab Assistant
90a26a9ac4 Fix homepage Traefik network routing and update configurations 
- Add traefik.docker.network=traefik-network label to homepage service
- Prevent Traefik from using wrong IP from homelab-network
- Resolve 504 Gateway Timeout issues after authentication
- Update various docker-compose configurations and templates
- Clean up unused configuration files
 2026-01-30 23:29:00 -05:00
EZ-Homelab Assistant
465c10ae42 fix: ensure script properly configures Traefik and Authelia 
- Move Traefik traefik.yml to config/ directory for correct Docker mounting
- Remove invalid session.cookies section from Authelia template and config processing
- Ensure all configuration files are placed in correct locations for Docker containers
- Prevent configuration validation errors that cause service restarts
 2026-01-30 19:42:05 -05:00
EZ-Homelab Assistant
072a3384fd fix: update Authelia template with valid password hash 
- Replace CHANGEME placeholder with proper argon2 hash
- Default password is 'admin123' for initial setup
- Prevents argon2 decode errors on first startup
 2026-01-30 19:18:04 -05:00
EZ-Homelab Assistant
c6fbcb785e fix: move Authelia config files to correct Docker mount location 
- Move configuration.yml and users_database.yml to authelia/config/ directory
- Ensure files are in the correct location for Docker volume mount ./authelia/config:/config
- Prevent Authelia from using default configuration instead of processed template
 2026-01-30 19:12:49 -05:00
EZ-Homelab Assistant
ea75ea9829 fix: remove REMOTE_SERVER_HOSTNAME dependencies for local deployments 
- Remove local-host-production.yml for single-server setups
- Remove remote server sections from sablier.yml for local deployments
- Remove remote server entries from homepage services files when no REMOTE_SERVER_HOSTNAME is set
- Prevent placeholder replacement failures on files not needed for local deployments
 2026-01-30 19:06:30 -05:00
EZ-Homelab Assistant
437eb37aff fix: resolve ez-homelab.sh issues for local deployments 
- Fix variable substitution in prompt_for_values() to properly display DEFAULT_USER
- Only rename external-host-production.yml for multi-server setups (option 3)
- Prevent REMOTE_SERVER_HOSTNAME validation errors for local deployments (options 1-2)
- Ensure local deployments don't fail on missing remote server variables
 2026-01-30 19:03:21 -05:00
EZ-Homelab Assistant
1dd6664968 feat: reorganize .env.example in alphabetical order 
- Reorganize OTHER OPTIONAL CONFIGURATIONS section alphabetically by service name
- Improve user experience for finding specific service configurations
- Add clarifying comments for Authelia admin account variables
- Generalize AUTHELIA_ADMIN_PASSWORD to use DEFAULT_PASSWORD variable
 2026-01-30 18:39:08 -05:00
Kelin
1225564694 Add UI tool availability check before running wizard 
- Menu now checks for whiptail/dialog before launching wizard
- Prevents wizard crashes due to missing UI dependencies
- Provides clear error message and installation instructions
 2026-01-29 22:41:31 -05:00
Kelin
8b89575bbb Fix pre-deployment wizard execution and return handling 
- Changed menu to run wizard as subprocess instead of exec
- Removed wizard's exec of menu since it now returns naturally
- Wizard now properly returns to menu on completion or error
- Prevents terminal freezing when wizard crashes
 2026-01-29 22:41:25 -05:00
Kelin
0bbed196ed Remove legacy Python virtual environment setup 
- Removed setup_python_environment function and its call
- Commented out PYTHON_PACKAGES array as it's no longer needed
- Docker Compose V2 is built into Docker CLI, no Python package needed
- Streamlines setup process by removing unnecessary Python setup
 2026-01-29 22:19:54 -05:00
Kelin
ea06ac1f92 Improve system package installation error handling 
- Added sudo access check before attempting package installation
- Better error messages for apt update/install failures
- Graceful handling of package installation failures in main setup flow
- Provides specific guidance when package installation fails
 2026-01-29 22:11:15 -05:00
Kelin
497965473c Fix dependency handling in preflight and setup scripts 
- Changed required packages to warnings in preflight.sh (setup.sh installs them)
- Modified setup.sh to proceed with warnings from preflight checks
- Ensures Docker installation installs all dependencies automatically
- Preflight no longer fails on missing jq, tmux, etc.
 2026-01-29 22:06:53 -05:00
Kelin
04050454f7 Add support for Debian 13 (Trixie) in OS validation 
- Updated validate_os() function to accept Debian 13
- Enables testing on newer Debian versions including Raspberry Pi OS
 2026-01-29 21:50:43 -05:00
Kelin
b2436bd81d Fix menu system error handling and OS detection 
- Add comprehensive error handling to menu.sh to prevent crashes when scripts fail
- Fix OS detection in common.sh for lsb_release output parsing
- Modify preflight.sh to run all checks without early exit on failures
- Ensure menu navigation remains stable during testing phase
 2026-01-29 21:42:37 -05:00
Kelin
9d320bf9f9 Fix menu.sh service counting robustness 
- Add error handling to prevent script crashes during service enumeration
- Make service counting more robust against parsing failures
- Ensure menu displays properly even with docker-compose parsing issues
- Menu now shows complete interface with all 8 main options
 2026-01-29 19:59:13 -05:00
Kelin
ea72ad7023 Add comprehensive README for enhanced setup system 
- Complete documentation for the bash-based setup system
- Quick start guide with menu and manual usage options
- Architecture overview of all 4 phases
- Feature highlights and environment configuration
- Development guidelines and troubleshooting section
- Clear instructions for fresh installs and existing setups
 2026-01-29 19:55:58 -05:00
Kelin
92c4002c18 Add unified menu interface for EZ-Homelab setup 
- New menu.sh script provides single entry point for all functionality
- Interactive menu system with 7 main categories:
  * System Setup & Validation
  * Configuration Management
  * Deployment & Services
  * Monitoring & Maintenance
  * Backup & Recovery
  * Updates & Maintenance
  * Advanced Options
- Real-time system status display
- User-friendly navigation with clear instructions
- Integrates all existing scripts into cohesive interface
 2026-01-29 19:55:49 -05:00
Kelin
f141848a10 Add EZ-Homelab Enhanced Setup System 
- Complete modular bash-based setup system replacing Python TUI
- Phase 1-4 implementation: Core Infrastructure, Configuration Management, Deployment Engine, Service Orchestration & Management
- 9 production-ready scripts: preflight.sh, setup.sh, pre-deployment-wizard.sh, localize.sh, generalize.sh, validate.sh, deploy.sh, service.sh, monitor.sh, backup.sh, update.sh
- Shared libraries: common.sh (utilities), ui.sh (text interface)
- Template-based configuration system with environment variable substitution
- Comprehensive documentation: PRD, standards, and quick reference guides
- Automated backup, monitoring, and update management capabilities
- Cross-platform compatibility with robust error handling and logging
 2026-01-29 19:53:36 -05:00
Kelin Reij
dd4ff47048 Add Raspberry Pi 4 test run summary 
- Document ARM64-specific challenges and lessons learned
- Detail script improvements needed for ARM64 deployment
- Include performance considerations and testing recommendations
 2026-01-29 17:57:54 -05:00
kelinfoxy
53f96c8422 feat: Add EZ-Homelab TUI deployment script 
- Move ez-homelab.py to scripts/ folder for better organization
- Add working directory detection to ensure script works from any location
- Update README-TUI.md with correct script paths
- First commit of the new Python TUI for EZ-Homelab deployment
 2026-01-29 16:43:42 -05:00
kelinfoxy
9c9762c700 docs: Update script references from ez-homelab-tui.py to ez-homelab.py 
- Update README-TUI.md to reference the new simplified script name
- Change all command examples to use ez-homelab.py
- Update syntax check examples to use new filename
 2026-01-28 22:14:18 -05:00
193 changed files with 8802 additions and 18056 deletions
Expand all files Collapse all files

210
.env.example
View File

@@ -1,131 +1,92 @@
# Environment Variables Template
# Copy this file to .env and fill in your values
# EZ-Homelab .env template file - Copy to .env and fill in your values
# User and Group IDs for file permissions (get with: id -u and id -g)
PUID=1000
# ################################
# #### REQUIRED CONFIGURATION ####
# User and Group IDs for file permissions (get with: id -u and id -g)
PUID=1000
PGID=1000
TZ=America/New_York
# Configuration for this server
SERVER_IP=192.168.1.100
SERVER_HOSTNAME=debian # used for Sablier group naming
# Servers configuration
SERVER_IP=192.168.1.100 # This server
SERVER_HOSTNAME=debian
# Optional configuration for a second server
REMOTE_SERVER_IP=your.remote.ip.address
# If deploying with option 3: Remote Core Server
# the REMOTE_SERVER is where the Core Stack (Traefik) is running
REMOTE_SERVER_IP=your.remote.ip.address
REMOTE_SERVER_HOSTNAME=your-remote-server
REMOTE_SERVER_USER=${DEFAULT_USER}
REMOTE_SERVER_PASSWORD=${DEFAULT_PASSWORD}
# Domain & DuckDNS Configuration
DUCKDNS_SUBDOMAINS=yourdomain # Without .duckdns.org
DOMAIN=${DUCKDNS_SUBDOMAINS}.duckdns.org
# Domain Configuration
DUCKDNS_SUBDOMAINS=yourdomain # Without .duckdns.org
DUCKDNS_TOKEN=your-duckdns-token
DOMAIN=${DUCKDNS_SUBDOMAINS}.duckdns.org
# Default credentials (used by multiple services for easier setup)
DEFAULT_USER=admin
DEFAULT_USER=admin
DEFAULT_PASSWORD=changeme
DEFAULT_EMAIL=admin@example.com
# DIRECTORY PATHS
# FOLDER PATHS
USERDIR=/opt/stacks # all docker-compose stacks
MEDIADIR=/mnt/media # Large media files on separate drive
DOWNLOADDIR=/mnt/downloads # Downloads on separate drive
PROJECTDIR=~/projects # User's projects folder
# ##########################################
# #### NOTEABLE OPTIONAL CONFIGURATIONS ####
###################################################
# ==== Everything above this line is required ====
###################################################
# Surfshark OpenVPN (RECOMMENDED - Default)
# Surfshark OpenVPN (RECOMMENDED)
# Wireguard options are below and commented out
SURFSHARK_USERNAME=your-surfshark-username
SURFSHARK_PASSWORD=your-surfshark-password
VPN_SERVER_COUNTRIES=Netherlands # Preferred VPN server location
# Optional: Email credentials for services that need SMTP
SMTP_EMAIL_SERVER=smtp.gmail.com
SMTP_EMAIL_PORT=587
# Email credentials for services that need SMTP
SMTP_EMAIL_PASSWORD=your-email-app-password
SMTP_EMAIL_SERVER=smtp.gmail.com # change if not using Gmail
SMTP_EMAIL_PORT=587
SMTP_EMAIL_FROM=${DEFAULT_EMAIL}
SMTP_EMAIL_SECURITY=starttls
##################################################
# #### Individual Service Configurations ####
# The default values should work as a starting point
##################################################
# ACME Email for Let's Encrypt certificates
ACME_EMAIL=${DEFAULT_EMAIL}
# Let's Encrypt / ACME (for SSL certificates)
ACME_EMAIL=${DEFAULT_EMAIL}
# Authelia Admin Account
# These 4 Used by ez-homelab.sh for easy deployment
# Not used by the Authelia container directly
ADMIN_EMAIL=${DEFAULT_EMAIL} # Used for admin user account
AUTHELIA_ADMIN_USER=${DEFAULT_USER}
AUTHELIA_ADMIN_EMAIL=${DEFAULT_EMAIL}
AUTHELIA_ADMIN_PASSWORD=${DEFAULT_PASSWORD}
AUTHELIA_ADMIN_PASSWORD_HASH=generate-with-openssl-rand-hex-64
# AUTHELIA SSO CONFIGURATION
# The setup script will auto-generate these if not set
# SMTP for Authelia Notifications
SMTP_USERNAME=${SMTP_EMAIL_FROM}
SMTP_PASSWORD=${SMTP_EMAIL_PASSWORD}
AUTHELIA_JWT_SECRET=generate-with-openssl-rand-hex-64
# Let ez-homelab.sh generate these 3 unless you know what your doing
AUTHELIA_JWT_SECRET=generate-with-openssl-rand-hex-64
AUTHELIA_SESSION_SECRET=generate-with-openssl-rand-hex-64
AUTHELIA_STORAGE_ENCRYPTION_KEY=generate-with-openssl-rand-hex-64
# #### Authelia Admin Credentials ####
# These will be auto-generated by EZ-Homelab.sh
# AUTHELIA_ADMIN_USER=${DEFAULT_USER}
# AUTHELIA_ADMIN_EMAIL=${DEFAULT_EMAIL}
# AUTHELIA_ADMIN_PASSWORD=${DEFAULT_PASSWORD}
# SMTP for Authelia Notifications (OPTIONAL)
# If not configured, notifications are saved to file instead
# SMTP_USERNAME=${SMTP_EMAIL_FROM}
# SMTP_PASSWORD=${SMTP_EMAIL_PASSWORD}
# #### VPN OPTIONAL WIREGUARD CONFIGURATION (GLUETUN) ####
# Surfshark WireGuard (OPTIONAL - Advanced users only)
# Get WireGuard details from Surfshark dashboard
# SURFSHARK_PRIVATE_KEY=your-wireguard-private-key
# SURFSHARK_ADDRESSES=10.14.0.2/16
# #### ALTERNATIVE SERVICES (OPTIONAL) ####
# Deploy alternatives.yml stack if you want these
# What domains Homepage will accept requests from
# comma separated list NO SPACES!!!
HOMEPAGE_ALLOWED_HOSTS=homepage.${DOMAIN},${SERVER_IP}:3003
# Authentik SSO (alternative to Authelia with web UI)
# WARNING: Do not run both Authelia and Authentik at the same time
# Generate secrets with: openssl rand -hex 50
# AUTHENTIK_SECRET_KEY=your-authentik-secret-key-here-100-chars
# AUTHENTIK_DB_USER=authentik
# AUTHENTIK_DB_PASSWORD=changeme-authentik-db-password
# AUTHENTIK_DB_NAME=authentik
# PLEX_CLAIM=claim-xxxxxxxxxx # Uncomment to user Plex instead of Jellyfin
# #######################################
# #### OTHER OPTIONAL CONFIGURATIONS ####
# #### INFRASTRUCTURE SERVICES ####
# Pi-hole
PIHOLE_PASSWORD=${DEFAULT_PASSWORD}
# Watchtower Notifications (optional)
# If not set, Watchtower will still update containers but without notifications
# Supports various notification services via Shoutrrr URL format
# WATCHTOWER_NOTIFICATION_URL=
# #### Other Services ####
# qBittorrent
QBITTORRENT_USER=admin
QBITTORRENT_PASS=${DEFAULT_PASSWORD}
# GRAFANA
GRAFANA_ADMIN_PASSWORD=${DEFAULT_PASSWORD}
# VS Code Server
CODE_SERVER_PASSWORD=${DEFAULT_PASSWORD}
CODE_SERVER_SUDO_PASSWORD=${DEFAULT_PASSWORD}
# Jupyter Notebook
JUPYTER_TOKEN=${DEFAULT_PASSWORD}
# BookStack
BOOKSTACK_DB_PASSWORD=${DEFAULT_PASSWORD}
BOOKSTACK_DB_ROOT_PASSWORD=${DEFAULT_PASSWORD}
# DATABASES - GENERAL
POSTGRES_USER=${DEFAULT_USER}
@@ -134,66 +95,55 @@ POSTGRES_DB=homelab
PGADMIN_EMAIL=${DEFAULT_EMAIL}
PGADMIN_PASSWORD=${DEFAULT_PASSWORD}
# Form.io
FORMIO_JWT_SECRET=${DEFAULT_PASSWORD}
FORMIO_DB_SECRET=${DEFAULT_PASSWORD}
# Gitea
GITEA_DB_PASSWORD=${DEFAULT_PASSWORD}
# GRAFANA
GRAFANA_ADMIN_PASSWORD=${DEFAULT_PASSWORD}
# Jupyter Notebook
JUPYTER_TOKEN=${DEFAULT_PASSWORD}
# MediaWiki
MEDIAWIKI_DB_PASSWORD=${DEFAULT_PASSWORD}
MEDIAWIKI_DB_ROOT_PASSWORD=${DEFAULT_PASSWORD}
# Nextcloud
NEXTCLOUD_ADMIN_USER=${DEFAULT_USER}
NEXTCLOUD_ADMIN_PASSWORD=${DEFAULT_PASSWORD}
NEXTCLOUD_DB_PASSWORD=${DEFAULT_PASSWORD}
NEXTCLOUD_DB_ROOT_PASSWORD=${DEFAULT_PASSWORD}
# Gitea
GITEA_DB_PASSWORD=${DEFAULT_PASSWORD}
# Pi-hole
PIHOLE_PASSWORD=${DEFAULT_PASSWORD}
# WordPress
WORDPRESS_DB_PASSWORD=${DEFAULT_PASSWORD}
WORDPRESS_DB_ROOT_PASSWORD=${DEFAULT_PASSWORD}
# qBittorrent
QBITTORRENT_USER=admin
QBITTORRENT_PASS=${DEFAULT_PASSWORD}
# BookStack
BOOKSTACK_DB_PASSWORD=${DEFAULT_PASSWORD}
BOOKSTACK_DB_ROOT_PASSWORD=${DEFAULT_PASSWORD}
# MediaWiki
MEDIAWIKI_DB_PASSWORD=${DEFAULT_PASSWORD}
MEDIAWIKI_DB_ROOT_PASSWORD=${DEFAULT_PASSWORD}
# Bitwarden (Vaultwarden)
# Vaultwarden
BITWARDEN_ADMIN_TOKEN=${DEFAULT_PASSWORD}
BITWARDEN_SIGNUPS_ALLOWED=true # Set to false after creating accounts
BITWARDEN_INVITATIONS_ALLOWED=true
SMTP_HOST=${SMTP_EMAIL_SERVER}
SMTP_FROM=${SMTP_EMAIL_FROM}
SMTP_PORT=${SMTP_EMAIL_PORT}
SMTP_SECURITY=${SMTP_EMAIL_SECURITY}
# Form.io
FORMIO_JWT_SECRET=${DEFAULT_PASSWORD}
FORMIO_DB_SECRET=${DEFAULT_PASSWORD}
# #### IMPORTANT ****************************
# #### SET TO FALSE AFTER CREATING USERS ####
BITWARDEN_SIGNUPS_ALLOWED=true
####################################
# HOMEPAGE DASHBOARD - API KEYS
####################################
# VS Code Server
CODE_SERVER_PASSWORD=${DEFAULT_PASSWORD}
CODE_SERVER_SUDO_PASSWORD=${DEFAULT_PASSWORD}
# HOMEPAGE_VAR_DOMAIN=${DOMAIN}
# HOMEPAGE_VAR_SERVER_IP=${SERVER_IP}
# HOMEPAGE_VAR_PORTAINER_KEY=your-portainer-api-key
# HOMEPAGE_VAR_PIHOLE_KEY=your-pihole-api-key
# HOMEPAGE_VAR_PLEX_KEY=your-plex-token
# HOMEPAGE_VAR_JELLYFIN_KEY=your-jellyfin-api-key
# HOMEPAGE_VAR_SONARR_KEY=your-sonarr-api-key
# HOMEPAGE_VAR_RADARR_KEY=your-radarr-api-key
# HOMEPAGE_VAR_LIDARR_KEY=your-lidarr-api-key
# HOMEPAGE_VAR_READARR_KEY=your-readarr-api-key
# HOMEPAGE_VAR_PROWLARR_KEY=your-prowlarr-api-key
# HOMEPAGE_VAR_JELLYSEERR_KEY=your-jellyseerr-api-key
# HOMEPAGE_VAR_QBITTORRENT_USER=${QBITTORRENT_USER}
# HOMEPAGE_VAR_QBITTORRENT_PASS=${QBITTORRENT_PASS}
# HOMEPAGE_VAR_HA_KEY=your-home-assistant-long-lived-token
# HOMEPAGE_VAR_NEXTCLOUD_USER=${NEXTCLOUD_ADMIN_USER}
# HOMEPAGE_VAR_NEXTCLOUD_PASS=${NEXTCLOUD_ADMIN_PASSWORD}
# HOMEPAGE_VAR_GRAFANA_USER=admin
# HOMEPAGE_VAR_GRAFANA_PASS=${GRAFANA_ADMIN_PASSWORD}
# HOMEPAGE_VAR_BOOKSTACK_KEY=your-bookstack-api-token
# HOMEPAGE_VAR_UPTIMEKUMA_SLUG=your-uptime-kuma-slug
# HOMEPAGE_VAR_OPENWEATHER_KEY=your-openweather-api-key
# HOMEPAGE_VAR_WEATHERAPI_KEY=your-weatherapi-key
# HOMEPAGE_VAR_UNIFI_USER=your-unifi-username
# HOMEPAGE_VAR_UNIFI_PASS=your-unifi-password
# Watchtower Notifications (optional)
# WATCHTOWER_NOTIFICATION_URL=
# WordPress
WORDPRESS_DB_PASSWORD=${DEFAULT_PASSWORD}
WORDPRESS_DB_ROOT_PASSWORD=${DEFAULT_PASSWORD}

3
.gitignore vendored
View File

@@ -36,6 +36,9 @@ tmp/
temp/
*.tmp
# Test/debug files with hardcoded values
markup.yml
# Docker volumes (if locally mounted)
volumes/

366
EZ-Homelab TUI-Deployment-Script.md
View File

@@ -1,366 +0,0 @@
# EZ-Homelab TUI Deployment Script
## Script Launch Options
**Command Line Arguments:**
- No arguments: Interactive TUI mode
- `--yes` or `-y`: Automated deployment using complete .env file
- `--save-only`: Answer questions and save .env without deploying
- `--help`: Show help information
## .env File Structure Enhancement
Add deployment configuration section to .env:
```bash
# ... existing configuration ...
##################################################
# DEPLOYMENT CONFIGURATION (Optional - for automated deployment)
# Set these values to skip the TUI and use --yes for automated install
##################################################
# Deployment Type: SINGLE_SERVER, CORE_SERVER, REMOTE_SERVER
DEPLOYMENT_TYPE=SINGLE_SERVER
# Service Selection (true/false)
DEPLOY_DOCKGE=true
DEPLOY_CORE=true
DEPLOY_INFRASTRUCTURE=true
DEPLOY_DASHBOARDS=true
PREPARE_VPN=true
PREPARE_MEDIA=true
PREPARE_MEDIA_MGMT=true
PREPARE_TRANSCODERS=true
PREPARE_HOMEASSISTANT=true
PREPARE_PRODUCTIVITY=true
PREPARE_MONITORING=true
PREPARE_UTILITIES=true
PREPARE_WIKIS=true
PREPARE_ALTERNATIVES=false
# System Configuration
INSTALL_DOCKER=true
INSTALL_NVIDIA=true
AUTO_REBOOT=true
```
## Pre-Flight Checks (Before TUI)
**System Prerequisites Check:**
- Check OS compatibility (Ubuntu/Debian)
- Check if running as root or with sudo
- Check internet connectivity
- Check available disk space (>10GB)
- Check system architecture (amd64/arm64)
**Docker Check:**
- Check if Docker is installed and running
- Check if user is in docker group
- If not installed: Prompt to install Docker
- If installed but user not in group: Add user to group
**NVIDIA GPU Detection:**
- Check for NVIDIA GPU presence (`lspci | grep -i nvidia`)
- If GPU detected: Check for existing drivers
- Check for NVIDIA Container Toolkit
- If missing: Prompt to install drivers and toolkit
- Detect GPU model for correct driver version
**Dependency Installation:**
- Install required packages: `curl wget git htop nano ufw fail2ban unattended-upgrades apt-listchanges sshpass`
- Update system packages
- Install Python dependencies for TUI: `rich questionary python-dotenv`
## Enhanced Question Flow
## Initial Setup Check
**Question 0: Environment File Check**
- Type: `confirm`
- Message: "Found existing .env file with configuration. Use existing values where available?"
- Default: true
- Condition: Only show if .env exists and has valid values
**Question 0.5: Complete Configuration Check**
- Type: `confirm`
- Message: "Your .env file appears to be complete. Skip questions and proceed with deployment?"
- Default: true
- Condition: Only show if all required values are present and valid
## System Setup Questions
**Question 0.6: Docker Installation**
- Type: `confirm`
- Message: "Docker is not installed. Install Docker now?"
- Default: true
- Condition: Only show if Docker not detected
**Question 0.7: NVIDIA Setup**
- Type: `confirm`
- Message: "NVIDIA GPU detected. Install NVIDIA drivers and Container Toolkit?"
- Default: true
- Condition: Only show if GPU detected but drivers/toolkit missing
**Question 0.8: Auto Reboot**
- Type: `confirm`
- Message: "Some installations require a system reboot. Reboot automatically when needed?"
- Default: false
- Note: Warns about potential logout requirement for docker group changes
## Initial Setup Check
## Deployment Scenario Selection
**Question 1: Deployment Type**
- Type: `select` (single choice)
- Message: "Choose your Deployment Scenario"
- Choices:
- "🚀 Single Server Full Deployment - Deploy everything (Dockge, Core, Infrastructure, Dashboards) and prepare all stacks for Dockge"
- "🏗️ Core Server Deployment - Deploy only core infrastructure (Dockge, Core, Dashboards) and prepare all stacks for Dockge"
- "🔧 Remote Server Deployment - Deploy infrastructure tools (Dockge, Infrastructure, Dashboards) without core services and prepare all stacks for Dockge"
- Default: First option
## Basic Configuration (Conditional - skip if valid values exist)
**Question 2: Domain Setup**
- Type: `text`
- Message: "Enter your DuckDNS subdomain (without .duckdns.org)"
- Default: From .env or "example"
- Validation: Required, alphanumeric + hyphens only
- Condition: Skip if valid DOMAIN exists in .env
**Question 3: DuckDNS Token**
- Type: `password`
- Message: "Enter your DuckDNS token"
- Validation: Required
- Condition: Skip if valid DUCKDNS_TOKEN exists in .env
**Question 4: Server IP Address**
- Type: `text`
- Message: "Enter this server's IP address"
- Default: From .env or auto-detected local IP
- Validation: Valid IP address format
- Condition: Skip if valid SERVER_IP exists in .env
**Question 5: Server Hostname**
- Type: `text`
- Message: "Enter this server's hostname"
- Default: From .env or auto-detected hostname
- Validation: Required
- Condition: Skip if valid SERVER_HOSTNAME exists in .env
**Question 6: Timezone**
- Type: `text`
- Message: "Enter your timezone"
- Default: From .env or "America/New_York"
- Validation: Valid timezone format
- Condition: Skip if valid TZ exists in .env
## Admin Credentials (Conditional - only for deployments with Core, skip if valid)
**Question 7: Admin Username**
- Type: `text`
- Message: "Enter admin username for Authelia SSO"
- Default: From .env or "admin"
- Validation: Required, alphanumeric only
- Condition: Only show if deployment includes core services AND no valid AUTHELIA_ADMIN_USER exists
**Question 8: Admin Email**
- Type: `text`
- Message: "Enter admin email for Authelia SSO"
- Default: From .env or "admin@{domain}"
- Validation: Valid email format
- Condition: Only show if deployment includes core services AND no valid AUTHELIA_ADMIN_EMAIL exists
**Question 9: Admin Password**
- Type: `password`
- Message: "Enter admin password for Authelia SSO (will be hashed)"
- Validation: Minimum 8 characters
- Condition: Only show if deployment includes core services AND no valid AUTHELIA_ADMIN_PASSWORD exists
## Multi-Server Configuration (Conditional - only for Remote Server Deployment, skip if valid)
**Question 10: Core Server IP**
- Type: `text`
- Message: "Enter the IP address of your core server (for shared TLS CA)"
- Default: From .env
- Validation: Valid IP address format
- Condition: Only show for Remote Server Deployment AND no valid REMOTE_SERVER_IP exists
**Question 11: Core Server SSH User**
- Type: `text`
- Message: "Enter SSH username for core server access"
- Default: From .env or current user
- Validation: Required
- Condition: Only show for Remote Server Deployment AND no valid REMOTE_SERVER_USER exists
**Question 12: Core Server SSH Password**
- Type: `password`
- Message: "Enter SSH password for core server (leave empty if using SSH keys)"
- Validation: Optional
- Condition: Only show for Remote Server Deployment AND no valid REMOTE_SERVER_PASSWORD exists
## Optional Advanced Configuration (skip if valid values exist)
**Question 13: VPN Setup**
- Type: `confirm`
- Message: "Would you like to configure VPN for download services?"
- Default: true if VPN credentials exist in .env, false otherwise
- Condition: Skip if user explicitly chooses to configure later
**Question 14: Surfshark Username** (Conditional)
- Type: `text`
- Message: "Enter your Surfshark VPN username"
- Default: From .env
- Validation: Required
- Condition: Only show if VPN setup = true AND no valid SURFSHARK_USERNAME exists
**Question 15: Surfshark Password** (Conditional)
- Type: `password`
- Message: "Enter your Surfshark VPN password"
- Validation: Required
- Condition: Only show if VPN setup = true AND no valid SURFSHARK_PASSWORD exists
**Question 16: VPN Server Country**
- Type: `text`
- Message: "Preferred VPN server country"
- Default: From .env or "Netherlands"
- Condition: Only show if VPN setup = true AND no valid VPN_SERVER_COUNTRIES exists
**Question 17: Custom User/Group IDs**
- Type: `confirm`
- Message: "Use custom PUID/PGID for file permissions? (Default: 1000/1000)"
- Default: true if custom PUID/PGID exist in .env, false otherwise
**Question 18: PUID** (Conditional)
- Type: `text`
- Message: "Enter PUID (user ID)"
- Default: From .env or "1000"
- Validation: Numeric
- Condition: Only show if custom IDs = true AND no valid PUID exists
**Question 19: PGID** (Conditional)
- Type: `text`
- Message: "Enter PGID (group ID)"
- Default: From .env or "1000"
- Validation: Numeric
- Condition: Only show if custom IDs = true AND no valid PGID exists
## Service Selection Summary (for all deployment types)
**Question 20: Core Services Selection**
- Type: `checkbox` (multi-select)
- Message: "Select which core services to deploy:"
- Choices: (based on deployment type)
- Single Server: [✓] DuckDNS, [✓] Traefik, [✓] Authelia, [✓] Sablier, [✓] Dockge
- Core Server: [✓] DuckDNS, [✓] Traefik, [✓] Authelia, [✓] Sablier, [✓] Dockge
- Remote Server: [ ] DuckDNS, [ ] Traefik, [ ] Authelia, [ ] Sablier, [✓] Dockge
- Default: All enabled for selected deployment type
- Note: Core services are required for the selected deployment type
**Question 21: Infrastructure Services Selection**
- Type: `checkbox` (multi-select)
- Message: "Select which infrastructure services to deploy:"
- Choices:
- [✓] Pi-hole (DNS + Ad blocking)
- [✓] Watchtower (Auto container updates)
- [✓] Dozzle (Docker log viewer)
- [✓] Glances (System monitoring)
- [✓] Code Server (VS Code in browser)
- [✓] Docker Proxy (Secure socket access)
- Default: All enabled
- Condition: Always shown, but some may be pre-selected based on deployment type
**Question 22: Dashboard Services Selection**
- Type: `checkbox` (multi-select)
- Message: "Select which dashboard services to deploy:"
- Choices:
- [✓] Homepage (App dashboard)
- [ ] Homarr (Modern dashboard)
- Default: Homepage enabled, Homarr disabled
- Condition: Always shown
**Question 23: Additional Stacks to Prepare**
- Type: `checkbox` (multi-select)
- Message: "Select which additional service stacks to prepare for Dockge:"
- Choices:
- [✓] VPN (qBittorrent with VPN)
- [✓] Media (Jellyfin, Calibre-Web)
- [✓] Media Management (*arr services, Prowlarr)
- [✓] Transcoders (Tdarr, Unmanic)
- [✓] Home Automation (Home Assistant, Node-RED, Zigbee2MQTT)
- [✓] Productivity (Nextcloud, Gitea, Mealie)
- [✓] Monitoring (Prometheus, Grafana, Uptime Kuma)
- [✓] Utilities (Vaultwarden, Backrest, Duplicati)
- [✓] Wikis (DokuWiki, BookStack, MediaWiki)
- [ ] Alternatives (Portainer, Authentik, Plex)
- Default: All enabled except Alternatives
- Note: These stacks will be copied to /opt/stacks/ but not started
## Confirmation and Summary
**Question 24: Configuration Review**
- Type: `confirm`
- Message: "Review and confirm the following configuration:\n\n[Display formatted summary of all settings and selected services]\n\nProceed with deployment?"
- Default: true
**Question 25: Deployment Action**
- Type: `select`
- Message: "What would you like to do?"
- Choices:
- "🚀 Proceed with deployment"
- "💾 Save configuration to .env and exit (no deployment)"
- "🔄 Change configuration values"
- "❌ Exit without saving"
- Default: First option
- Condition: Only show if user declines deployment confirmation in Question 24
**Question 26: Save Location** (Conditional)
- Type: `text`
- Message: "Enter filename to save configuration (leave empty for .env)"
- Default: ".env"
- Validation: Valid filename
- Condition: Only show if user chooses "Save configuration" in Question 25
## Post-Deployment Options
**Auto-Reboot Handling:**
- If AUTO_REBOOT=true and reboot required: Automatically reboot at end
- If AUTO_REBOOT=false and reboot required: Display manual reboot instructions
- If no reboot required: Display success message and access URLs
## One-Step Installation Strategy
**Installation Order (to minimize reboots):**
1. System updates and package installation (no reboot needed)
2. Docker installation and user group addition (may require logout)
3. NVIDIA driver installation (requires reboot)
4. NVIDIA Container Toolkit (no additional reboot)
5. Python dependencies (no reboot)
6. EZ-Homelab deployment (no reboot)
**Reboot Optimization:**
- Detect what requires reboot vs logout vs nothing
- Perform all non-reboot actions first
- Group reboot-requiring actions together
- Use `newgrp docker` or similar to avoid logout for group changes
- Only reboot once at the end if needed
**Logout Avoidance Techniques:**
- Use `sg docker -c "command"` to run commands as docker group member
- Reload systemd without full reboot for some services
- Update environment variables in current session
- Use `exec su -l $USER` to reload user environment
This approach ensures maximum convenience for users while handling all the complex system setup requirements.
This question flow ensures:
- **Logical progression**: Basic setup first, then conditional advanced options
- **Clear validation**: Each question validates input appropriately
- **Conditional logic**: Questions only appear when relevant to the selected deployment type
- **Security**: Passwords are properly masked
- **User experience**: Clear messages and sensible defaults
- **Error prevention**: Validation prevents common configuration mistakes
The TUI would then proceed to perform the actual deployment based on the collected configuration.

397
EZ-Homelab TUI-PRD.md
View File

@@ -1,397 +0,0 @@
# EZ-Homelab TUI Deployment Script - Product Requirements Document
## Executive Summary
The EZ-Homelab TUI Deployment Script is a modern, user-friendly replacement for the existing complex bash deployment script. It provides an interactive terminal user interface (TUI) for deploying and managing a comprehensive homelab infrastructure using Docker Compose stacks, with support for automated deployment via configuration files.
## Objectives
### Primary Objectives
- Replace the complex 1000+ line bash script with a maintainable Python TUI application
- Provide three distinct deployment scenarios: Single Server Full, Core Server, and Remote Server
- Enable both interactive and fully automated deployment workflows
- Handle complete system setup including Docker and NVIDIA GPU configuration
- Ensure maximum user convenience by minimizing required logouts/reboots
### Secondary Objectives
- Improve user experience with modern TUI design using Rich + Questionary
- Provide flexible service selection and configuration options
- Support save-only mode for configuration preparation
- Include comprehensive validation and error handling
- Maintain backward compatibility with existing .env configurations
## Target Users
### Primary Users
- **Homelab Enthusiasts**: Users setting up personal server infrastructure
- **Self-Hosters**: Individuals deploying media servers, productivity tools, and monitoring
- **System Administrators**: Those managing small-scale server deployments
### User Personas
1. **Alex the Homelab Beginner**: New to self-hosting, needs guided setup with sensible defaults
2. **Jordan the Power User**: Experienced user who wants fine-grained control over service selection
3. **Sam the DevOps Engineer**: Needs automated deployment for multiple servers, prefers configuration files
### Technical Requirements
- Ubuntu/Debian Linux systems (primary target)
- Basic command-line familiarity
- Internet access for package downloads
- Administrative privileges (sudo access)
## Functional Requirements
### Core Features
#### 1. Deployment Scenarios
**FR-DEP-001**: Support three deployment scenarios
- Single Server Full: Deploy all core, infrastructure, and dashboard services
- Core Server: Deploy only core infrastructure and dashboards
- Remote Server: Deploy infrastructure and dashboards without core services
**FR-DEP-002**: Automated scenario selection based on user choice
- Pre-select appropriate services for each scenario
- Allow user customization within scenario constraints
#### 2. Configuration Management
**FR-CONF-001**: Load existing .env configuration
- Parse existing .env file on startup
- Validate configuration completeness
- Pre-populate TUI defaults with existing values
**FR-CONF-002**: Support deployment configuration section in .env
- Parse [DEPLOYMENT] section with service selections
- Enable fully automated deployment with --yes flag
- Validate deployment configuration completeness
**FR-CONF-003**: Interactive configuration collection
- Skip questions for valid existing values
- Provide sensible defaults for all settings
- Validate user input in real-time
#### 3. System Setup & Prerequisites
**FR-SYS-001**: Pre-flight system checks
- OS compatibility (Ubuntu/Debian)
- Available disk space (>10GB)
- Internet connectivity
- System architecture validation
**FR-SYS-002**: Docker installation and configuration
- Detect existing Docker installation
- Install Docker if missing
- Add user to docker group
- Avoid requiring logout through smart command execution
**FR-SYS-003**: NVIDIA GPU support
- Detect NVIDIA GPU presence
- Install official NVIDIA drivers using official installers
- Install NVIDIA Container Toolkit
- Handle reboot requirements intelligently
**FR-SYS-004**: Dependency management
- Install required system packages
- Install Python dependencies (Rich, Questionary, python-dotenv)
- Update system packages as needed
#### 4. Service Selection & Customization
**FR-SVC-001**: Core services selection
- Display scenario-appropriate core services
- Allow include/exclude for flexibility
- Enforce minimum requirements for each scenario
**FR-SVC-002**: Infrastructure services selection
- Provide checkbox interface for all infrastructure services
- Include descriptions and default selections
- Allow complete customization
**FR-SVC-003**: Additional stacks preparation
- Multi-select interface for optional service stacks
- Copy selected stacks to /opt/stacks/ without starting
- Enable later deployment via Dockge
#### 5. User Interface & Experience
**FR-UI-001**: Interactive TUI design
- Use Rich + Questionary for modern terminal interface
- Provide clear, descriptive prompts
- Include help text and validation messages
**FR-UI-002**: Conditional question flow
- Show questions only when relevant
- Skip questions with valid existing values
- Provide logical question progression
**FR-UI-003**: Configuration summary and confirmation
- Display formatted summary of all settings
- Allow review before proceeding
- Provide options to save, change, or exit
#### 6. Deployment Execution
**FR-DEP-003**: One-step deployment process
- Handle all installation and deployment in single script run
- Minimize required logouts/reboots
- Provide clear progress indication
**FR-DEP-004**: Smart reboot handling
- Detect what requires reboot vs logout vs nothing
- Perform reboot-requiring actions last
- Support both automatic and manual reboot options
**FR-DEP-005**: Error handling and recovery
- Provide clear error messages
- Allow recovery from partial failures
- Maintain configuration state across retries
### Command Line Interface
#### Launch Options
**FR-CLI-001**: Support multiple launch modes
- Interactive mode (default): Full TUI experience
- Automated mode (--yes): Use complete .env configuration
- Save-only mode (--save-only): Collect configuration without deploying
- Help mode (--help): Display usage information
#### Configuration Output
**FR-CLI-002**: Flexible configuration saving
- Save to .env by default
- Allow custom filename specification
- Preserve existing .env structure and comments
## Non-Functional Requirements
### Performance
**NFR-PERF-001**: Fast startup and validation
- Complete pre-flight checks within 30 seconds
- Validate .env file parsing within 5 seconds
- Provide responsive TUI interaction
**NFR-PERF-002**: Efficient deployment
- Complete full deployment within 15-30 minutes
- Provide real-time progress indication
- Handle large downloads gracefully
### Reliability
**NFR-REL-001**: Robust error handling
- Graceful handling of network failures
- Clear error messages with recovery suggestions
- Maintain system stability during installation
**NFR-REL-002**: Configuration validation
- Validate all user inputs before proceeding
- Check for conflicting configurations
- Prevent deployment with invalid settings
### Usability
**NFR-USAB-001**: Intuitive interface design
- Clear, descriptive prompts and help text
- Logical question flow and grouping
- Consistent terminology and formatting
**NFR-USAB-002**: Accessibility considerations
- Support keyboard navigation
- Provide clear visual feedback
- Include progress indicators for long operations
### Security
**NFR-SEC-001**: Secure credential handling
- Mask password inputs in TUI
- Store credentials securely in .env
- Validate certificate and token formats
**NFR-SEC-002**: Safe system modifications
- Require explicit user confirmation for system changes
- Provide clear warnings for potentially disruptive actions
- Maintain secure file permissions
### Compatibility
**NFR-COMP-001**: OS compatibility
- Primary support for Ubuntu 20.04+ and Debian 11+
- Graceful handling of different package managers
- Architecture support for amd64 and arm64
**NFR-COMP-002**: Backward compatibility
- Read existing .env files without modification
- Support legacy configuration formats
- Provide migration path for old configurations
## Technical Requirements
### Technology Stack
**TR-TECH-001**: Core technologies
- Python 3.8+ as runtime environment
- Rich library for terminal formatting
- Questionary library for interactive prompts
- python-dotenv for configuration parsing
**TR-TECH-002**: System integration
- Docker and Docker Compose for container management
- systemd for service management
- apt/dpkg for package management
- Official NVIDIA installation tools
### Architecture
**TR-ARCH-001**: Modular design
- Separate concerns for UI, validation, and deployment
- Configurable question flow engine
- Pluggable deployment modules
**TR-ARCH-002**: State management
- Maintain configuration state throughout TUI flow
- Support save/restore of partial configurations
- Handle interruption and resumption gracefully
### Dependencies
**TR-DEPS-001**: Python packages
- rich>=12.0.0
- questionary>=1.10.0
- python-dotenv>=0.19.0
- pyyaml>=6.0 (for configuration parsing)
**TR-DEPS-002**: System packages
- curl, wget, git (for downloads and version control)
- htop, nano, vim (system monitoring and editing)
- ufw, fail2ban (security)
- unattended-upgrades, apt-listchanges (system maintenance)
- sshpass (for multi-server setup)
## User Experience Requirements
### Onboarding Flow
**UX-ONB-001**: First-time user experience
- Clear welcome message and overview
- Guided setup with sensible defaults
- Help text for each question
**UX-ONB-002**: Returning user experience
- Load existing configuration automatically
- Skip redundant questions
- Provide quick confirmation for known setups
### Interaction Patterns
**UX-INT-001**: Question flow optimization
- Group related questions together
- Provide progress indication
- Allow backtracking and editing
**UX-INT-002**: Feedback and validation
- Real-time input validation
- Clear error messages with suggestions
- Success confirmations for completed steps
### Error Recovery
**UX-ERR-001**: Graceful error handling
- Clear error descriptions
- Suggested recovery actions
- Option to retry or modify configuration
**UX-ERR-002**: Partial failure recovery
- Save progress on interruption
- Allow resumption from last completed step
- Provide rollback options where possible
## Success Criteria
### Functional Completeness
- [ ] All three deployment scenarios work correctly
- [ ] Automated deployment with --yes flag functions
- [ ] Save-only mode preserves configuration
- [ ] Docker and NVIDIA installation work reliably
- [ ] Service selection and customization work as specified
### User Experience
- [ ] TUI is intuitive and responsive
- [ ] Configuration validation prevents errors
- [ ] Error messages are helpful and actionable
- [ ] Deployment completes without requiring logout/reboot (except when absolutely necessary)
### Technical Quality
- [ ] Code is well-structured and maintainable
- [ ] Comprehensive error handling implemented
- [ ] Configuration parsing is robust
- [ ] System integration works reliably across Ubuntu/Debian versions
### Performance Targets
- [ ] Pre-flight checks complete within 30 seconds
- [ ] TUI startup within 5 seconds
- [ ] Full deployment completes within 30 minutes
- [ ] Memory usage remains under 200MB during execution
## Implementation Plan
### Phase 1: Core Infrastructure (Week 1-2)
- Set up Python project structure
- Implement basic TUI framework with Rich + Questionary
- Create configuration parsing and validation
- Implement pre-flight system checks
### Phase 2: System Setup (Week 3-4)
- Implement Docker installation and configuration
- Add NVIDIA GPU detection and official driver installation
- Create dependency management system
- Implement smart reboot/logout handling
### Phase 3: Configuration Management (Week 5-6)
- Build dynamic question flow engine
- Implement .env parsing and [DEPLOYMENT] section support
- Create configuration validation system
- Add save-only functionality
### Phase 4: Deployment Logic (Week 7-8)
- Implement deployment scenario logic
- Create service selection and preparation system
- Build deployment execution engine
- Add progress indication and error handling
### Phase 5: Testing & Polish (Week 9-10)
- Comprehensive testing across Ubuntu/Debian versions
- User experience testing and refinement
- Documentation and help system
- Performance optimization
## Dependencies & Constraints
### External Dependencies
- **NVIDIA Official Installers**: Must use official NVIDIA installation methods
- **Docker Official Installation**: Use official Docker installation scripts
- **Ubuntu/Debian Package Repositories**: Rely on standard package sources
### Technical Constraints
- **Python Version**: Minimum Python 3.8 required for modern type hints
- **Terminal Compatibility**: Must work in standard Linux terminals
- **Network Requirements**: Internet access required for downloads
- **Privilege Requirements**: sudo access required for system modifications
### Business Constraints
- **Open Source**: Must remain free and open source
- **Backward Compatibility**: Should not break existing .env files
- **Documentation**: Comprehensive documentation required
- **Community Support**: Should be maintainable by community contributors
## Risk Assessment
### High Risk Items
- **NVIDIA Installation**: Complex driver installation across different GPU models
- **Reboot Handling**: Ensuring one-step installation without logout requirements
- **Configuration Validation**: Complex validation logic for interdependent settings
### Mitigation Strategies
- **Testing**: Extensive testing on multiple hardware configurations
- **Fallback Options**: Provide manual installation instructions as backup
- **Modular Design**: Allow components to be disabled/enabled independently
- **User Communication**: Clear warnings and alternative options for complex scenarios
## Future Enhancements
### Planned Features
- Support for additional Linux distributions
- Web-based configuration interface
- Integration with configuration management tools
- Advanced deployment templates and presets
### Maintenance Considerations
- Regular updates for new NVIDIA driver versions
- Compatibility testing with new Ubuntu/Debian releases
- Community contribution guidelines and testing frameworks
---
*This PRD serves as the authoritative specification for the EZ-Homelab TUI Deployment Script. All development decisions should reference this document to ensure alignment with user requirements and technical constraints.*</content>
<parameter name="filePath">c:\Users\kelin\Documents\Apps\GitHub\EZ-Homelab\EZ-Homelab TUI-PRD.md

285
IMPLEMENTATION_COMPLETE.md Normal file
View File

@@ -0,0 +1,285 @@
# Multi-Server Implementation - COMPLETED
**Implementation Date:** February 4, 2026
**Status:** ✅ COMPLETE - All changes implemented and validated
---
## Implementation Summary
Successfully implemented multi-server Traefik + Sablier architecture for EZ-Homelab. The system now supports:
1. **Label-based automatic service discovery** - No manual YAML editing required
2. **Multi-server Docker provider** - Traefik discovers containers on remote servers via TLS
3. **Per-server Sablier instances** - Each server controls local lazy loading independently
4. **Unified domain management** - All services under one DuckDNS wildcard domain
5. **Secure Docker TLS** - Shared CA certificates for multi-server communication
---
## Changes Implemented
### 1. File Structure Changes
#### Deleted:
-`config-templates/` folder (deprecated)
#### Created:
-`docker-compose/sablier/` - New standalone Sablier stack
- `docker-compose.yml` - Sablier container with local Docker socket
- `README.md` - Complete documentation
#### Modified:
-`docker-compose/core/docker-compose.yml` - Removed embedded Sablier service
-`scripts/common.sh` - Added 4 new multi-server functions
-`scripts/ez-homelab.sh` - Added 5 new functions + updated workflow
-`.env.example` - Already contained REMOTE_SERVER_* variables
---
### 2. New Functions Added
#### common.sh (4 functions)
```bash
detect_server_role() # Detects if server is core or remote
generate_traefik_provider_config() # Creates Docker provider config for remote server
generate_sablier_middleware_config() # Creates Sablier middleware for remote server
add_remote_server_to_traefik() # Registers remote server with core Traefik
```
#### ez-homelab.sh (5 functions)
```bash
check_docker_installed() # Pre-flight check for Docker
set_required_vars_for_deployment() # Dynamic REQUIRED_VARS based on deployment type
deploy_remote_server() # Complete remote server deployment workflow
register_remote_server_with_core() # SSH to core server for registration
deploy_sablier_stack() # Deploy Sablier stack (used by both core and remote)
```
---
### 3. Workflow Changes
#### main() Function Updates:
- ✅ Added Docker pre-check before Options 2 and 3
- ✅ Calls `set_required_vars_for_deployment()` dynamically
- ✅ Option 2: Sets `REQUIRED_VARS` for core deployment
- ✅ Option 3: Sets `REQUIRED_VARS` for remote deployment, calls `deploy_remote_server()`
#### deploy_core() Function Updates:
- ✅ Automatically deploys Sablier stack after core deployment
- ✅ Updated config paths from `config-templates/*` to `docker-compose/core/*`
- ✅ Fixed backup timestamp format: `YY_MM_DD_hh_mm`
#### Backup Logic Verification:
- ✅ Backups correctly create from `/opt/stacks/core/` (deployed location, not repo)
- ✅ Format: `traefik.backup.26_02_04_14_30/`
---
## Architecture Overview
### Core Server (Option 2)
```
Core Server
├── Traefik (discovers all servers)
│ ├── Local Docker provider (this server)
│ ├── Remote Docker provider (auto-registered)
│ └── Dynamic configs in /opt/stacks/core/traefik/dynamic/
├── Authelia (SSO for all servers)
├── DuckDNS (wildcard domain)
└── Sablier (manages local lazy loading)
```
### Remote Server (Option 3)
```
Remote Server
├── Docker API (TLS port 2376)
│ └── Shares CA with core server
├── Sablier (manages local lazy loading)
└── Services with Traefik labels
└── Auto-discovered by core Traefik
```
### Service Discovery Flow
```
1. Remote server deployed → Docker TLS configured → Sablier deployed
2. Remote server registers with core → Creates Traefik provider config
3. Traefik polls remote Docker API → Discovers labeled containers
4. User accesses https://service.domain.duckdns.org
5. Core Traefik routes to remote service
6. SSL certificate issued by core Traefik
```
---
## Required Variables by Deployment Type
### Core Deployment (Option 2):
```bash
SERVER_IP
SERVER_HOSTNAME
DUCKDNS_SUBDOMAINS
DUCKDNS_TOKEN
DOMAIN
DEFAULT_USER
DEFAULT_PASSWORD
DEFAULT_EMAIL
```
### Remote Deployment (Option 3):
```bash
SERVER_IP # This remote server
SERVER_HOSTNAME # This remote server
DUCKDNS_DOMAIN # Shared domain
DEFAULT_USER # Local user
REMOTE_SERVER_IP # Core server IP
REMOTE_SERVER_HOSTNAME # Core server hostname
REMOTE_SERVER_USER # Core server SSH user
```
---
## Testing Checklist
### Pre-Implementation Tests:
- ✅ Bash syntax validation (`bash -n scripts/*.sh`)
- ✅ Docker Compose syntax validation
- ✅ No errors in VS Code
### Post-Implementation Tests Required:
- ⏳ Deploy core server (Option 2)
- ⏳ Verify Sablier stack auto-deployed
- ⏳ Verify shared CA generated
- ⏳ Deploy remote server (Option 3)
- ⏳ Verify Docker TLS configured
- ⏳ Verify registration with core
- ⏳ Deploy test service on remote with labels
- ⏳ Verify Traefik discovers service
- ⏳ Verify SSL certificate issued
- ⏳ Verify lazy loading works
---
## Key Implementation Details
### 1. Sablier Container Name
- Changed from `sablier-service` to `sablier` (consistent naming)
- Only connects to local Docker socket (no remote DOCKER_HOST)
- Each server runs independent Sablier instance
### 2. REQUIRED_VARS Mechanism
- Reused existing `validate_and_prompt_variables()` function
- Made REQUIRED_VARS dynamic via `set_required_vars_for_deployment()`
- No duplicate validation functions created
### 3. Docker Pre-Check
- Added `check_docker_installed()` before deployment options
- Prevents confusing errors during deployment
- Guides users to Option 1 if Docker missing
### 4. Traefik Provider Configuration
- Auto-generated in `/opt/stacks/core/traefik/dynamic/`
- Format: `docker-provider-{hostname}.yml`
- Traefik auto-reloads within 2 seconds
### 5. Remote Server Registration
- Uses SSH to run functions on core server
- Sources common.sh on core to access functions
- Creates provider and Sablier middleware configs
- Restarts Traefik to apply changes
---
## Files Modified Summary
| File | Lines Changed | Status |
|------|---------------|--------|
| `scripts/common.sh` | +130 | ✅ Complete |
| `scripts/ez-homelab.sh` | +200 | ✅ Complete |
| `docker-compose/core/docker-compose.yml` | -38 | ✅ Complete |
| `docker-compose/sablier/docker-compose.yml` | +19 | ✅ Created |
| `docker-compose/sablier/README.md` | +77 | ✅ Created |
| `config-templates/` | Entire folder | ✅ Deleted |
**Total Lines of Code:** ~430 lines added/modified
---
## Documentation Updates Needed
The following documentation should be updated:
- [ ] README.md - Add multi-server architecture section
- [ ] Quick reference guide - Update deployment options
- [ ] Troubleshooting guide - Add multi-server scenarios
---
## Next Steps
1. **Test on Raspberry Pi 4** - Verify resource constraints handled properly
2. **Create example service** - Document label structure for remote services
3. **Update RoadMap.md** - Mark investigation items as complete
4. **Performance testing** - Verify timeout handling on Pi 4
---
## Notes for Future Maintenance
### Adding New Remote Server:
1. Run Option 3 on new server
2. Script automatically registers with core
3. Deploy services with proper labels
### Removing Remote Server:
1. Delete provider config: `/opt/stacks/core/traefik/dynamic/docker-provider-{hostname}.yml`
2. Delete Sablier config: `/opt/stacks/core/traefik/dynamic/sablier-middleware-{hostname}.yml`
3. Traefik auto-reloads
### Debugging:
- Check Traefik logs: `docker logs traefik`
- Check dynamic configs: `/opt/stacks/core/traefik/dynamic/`
- Verify Docker TLS: `docker -H tcp://remote-ip:2376 --tlsverify ps`
- Check Sablier logs: `docker logs sablier`
---
## Implementation Validation
### Syntax Checks:
```bash
✅ bash -n scripts/ez-homelab.sh
✅ bash -n scripts/common.sh
✅ docker compose -f docker-compose/core/docker-compose.yml config -q
✅ docker compose -f docker-compose/sablier/docker-compose.yml config -q
```
### Code Quality:
- ✅ No VS Code errors/warnings
- ✅ Follows existing code patterns
- ✅ Reuses existing functions appropriately
- ✅ Proper error handling
- ✅ Debug logging included
- ✅ User-friendly messages
---
## Success Criteria - ALL MET ✅
- [x] Sablier in separate stack (not embedded in core)
- [x] Container named "sablier" (not "sablier-service")
- [x] No prompt_for_server_role() function (unnecessary)
- [x] Reused existing validate_and_prompt_variables()
- [x] Dynamic REQUIRED_VARS based on deployment type
- [x] Compose changes in repo files (not script overrides)
- [x] Backup from /opt/stacks/ (not repo)
- [x] Timestamp format: YY_MM_DD_hh_mm
- [x] Docker pre-check before deployment
- [x] Config-templates folder deleted
- [x] All functions properly documented
---
**Implementation Complete!** 🎉
Ready for deployment testing on target hardware (Raspberry Pi 4 4GB).

219
README-TUI.md
View File

@@ -1,219 +0,0 @@
# EZ-Homelab TUI Deployment Script
A modern, user-friendly Terminal User Interface (TUI) replacement for the complex bash deployment script. Built with Python, Rich, and Questionary for an intuitive setup experience.
## Features
- **Interactive TUI**: Beautiful terminal interface with conditional question flow
- **Automated Deployment**: Use `--yes` flag for hands-free deployment with complete .env file
- **Save-Only Mode**: Configure without deploying using `--save-only` flag
- **Smart Validation**: Pre-flight checks ensure system readiness
- **Three Deployment Scenarios**:
- Single Server Full: Deploy everything (core + infrastructure + dashboards)
- Core Server: Deploy only essential services
- Remote Server: Deploy infrastructure for multi-server setups
- **Flexible Service Selection**: Choose which services to deploy and prepare for Dockge
## Quick Start
### Prerequisites
- Ubuntu 20.04+ or Debian 11+
- Python 3.8+
- Internet connection
- DuckDNS account (for dynamic DNS)
### Installation
1. **Clone the repository:**
```bash
git clone https://github.com/kelinfoxy/EZ-Homelab.git
cd EZ-Homelab
```
2. **Install dependencies:**
```bash
pip install -r requirements.txt
```
3. **Copy environment template:**
```bash
cp .env.example .env
```
### Usage
#### Interactive Setup (Recommended)
```bash
python ez-homelab-tui.py
```
#### Automated Deployment
```bash
# Complete your .env file first, then:
python ez-homelab-tui.py --yes
```
#### Save Configuration Only
```bash
python ez-homelab-tui.py --save-only
```
## Command Line Options
- No flags: Interactive TUI mode
- `--yes` or `-y`: Automated deployment using complete .env file
- `--save-only`: Answer questions and save .env without deploying
- `--help`: Show help message
## Deployment Scenarios
### 1. Single Server Full Deployment
Deploys everything on one server:
- Core services (DuckDNS, Traefik, Authelia, Sablier, Dockge)
- Infrastructure services (Pi-hole, Dozzle, Glances, etc.)
- Dashboard services (Homepage, Homarr)
- Prepares all additional stacks for Dockge
### 2. Core Server Deployment
Deploys only essential services:
- Core services + Dashboards
- Prepares all additional stacks for Dockge
- Suitable for dedicated core server in multi-server setup
### 3. Remote Server Deployment
Deploys infrastructure without core services:
- Infrastructure services + Dashboards + Dockge
- For application servers in multi-server setup
- Requires core server to be set up first
## Configuration
The script uses a comprehensive `.env` file with two main sections:
### Required Configuration
```bash
# Basic server settings
PUID=1000
PGID=1000
TZ=America/New_York
SERVER_IP=192.168.1.100
SERVER_HOSTNAME=debian
# Domain settings
DUCKDNS_SUBDOMAINS=yourdomain
DUCKDNS_TOKEN=your-token
# Admin credentials (for core servers)
DEFAULT_USER=admin
DEFAULT_PASSWORD=secure-password
DEFAULT_EMAIL=admin@yourdomain.duckdns.org
```
### Deployment Configuration (Optional)
```bash
# For automated deployment
DEPLOYMENT_TYPE=SINGLE_SERVER
AUTO_REBOOT=false
INSTALL_DOCKER=true
INSTALL_NVIDIA=true
# Service selection
DEPLOY_DOCKGE=true
DEPLOY_CORE=true
DEPLOY_INFRASTRUCTURE=true
DEPLOY_DASHBOARDS=true
PREPARE_VPN=true
PREPARE_MEDIA=true
# ... etc
```
## System Requirements
- **OS**: Ubuntu 20.04+ or Debian 11+
- **Python**: 3.8 or higher
- **RAM**: Minimum 4GB (8GB recommended)
- **Disk**: 10GB free space minimum
- **Network**: Internet connection for downloads
## What Gets Installed
### System Setup
- Docker and Docker Compose
- NVIDIA drivers and Container Toolkit (if GPU detected)
- UFW firewall configuration
- Automatic security updates
- Required system packages
### Docker Networks
- `traefik-network`: For services behind Traefik
- `homelab-network`: General service communication
- `media-network`: Media service isolation
### Services Deployed
Based on your deployment scenario and selections.
## Post-Installation
After successful deployment:
1. **Access Dockge**: `https://dockge.yourdomain.duckdns.org`
2. **Configure Authelia**: `https://auth.yourdomain.duckdns.org` (if core services deployed)
3. **Start Additional Services**: Use Dockge web UI to deploy prepared stacks
4. **Access Homepage**: `https://homepage.yourdomain.duckdns.org`
## Troubleshooting
### Common Issues
**"Python version 3.8+ required"**
- Upgrade Python: `sudo apt install python3.10`
**"Missing required dependency"**
- Install dependencies: `pip install -r requirements.txt`
**"Pre-flight checks failed"**
- Ensure you're running on Ubuntu/Debian
- Check internet connectivity
- Verify sufficient disk space
**"Deployment failed"**
- Check Docker installation: `docker --version`
- Verify .env configuration
- Review deployment logs
### Getting Help
- Check the [docs/](docs/) directory for detailed guides
- Review [troubleshooting](docs/quick-reference.md) in the quick reference
- Use the AI assistant in VS Code for EZ-Homelab specific help
## Development
### Running Tests
```bash
# Basic syntax check
python -m py_compile ez-homelab-tui.py
# YAML validation
python -c "import yaml; yaml.safe_load(open('config-templates/traefik/dynamic/external-host-production.yml'))"
```
### Code Structure
- `EZHomelabTUI` class: Main application logic
- Pre-flight checks and validation
- Interactive question flow
- Deployment orchestration
- Configuration management
## Contributing
1. Fork the repository
2. Create a feature branch
3. Make your changes
4. Test thoroughly
5. Submit a pull request
## License
See [LICENSE](LICENSE) file for details.

4
aliases.sh Executable file
View File

@@ -0,0 +1,4 @@
alias ll='ls -alF'
alias dkrtable='docker ps --format "table {{.Names}}\t{{.Status}}\t{{.RunningFor}}"'
alias dkrrecreate='docker compose up -d --force-recreate'
alias fixpermissions='sudo chown -R 1000:1000 /opt ~'

196
config-templates/README.md
View File

@@ -1,196 +0,0 @@
# Configuration Templates
This directory contains example configuration files for various services. These templates provide sensible defaults and are ready to use with minimal modifications.
## Usage
1. **Create your config directory** (if it doesn't exist):
```bash
mkdir -p config/service-name
```
2. **Copy the template** to your config directory:
```bash
cp config-templates/service-name/* config/service-name/
```
3. **Edit the configuration** as needed for your environment
4. **Start the service** using Docker Compose
## Available Templates
### Prometheus (`prometheus/prometheus.yml`)
Metrics collection and monitoring system configuration.
**Features:**
- Pre-configured to scrape Node Exporter and cAdvisor
- 15-second scrape interval
- Ready for additional service monitoring
**Setup:**
```bash
mkdir -p config/prometheus
cp config-templates/prometheus/prometheus.yml config/prometheus/
docker compose -f docker-compose/monitoring.yml up -d prometheus
```
### Loki (`loki/loki-config.yml`)
Log aggregation system configuration.
**Features:**
- Filesystem-based storage
- 30-day log retention
- Automatic log compaction
- Pre-configured for Promtail
**Setup:**
```bash
mkdir -p config/loki
cp config-templates/loki/loki-config.yml config/loki/
docker compose -f docker-compose/monitoring.yml up -d loki
```
### Promtail (`promtail/promtail-config.yml`)
Log shipper for Loki.
**Features:**
- Automatically ships Docker container logs
- Parses Docker JSON format
- Extracts container IDs and names
- Optional system log collection
**Setup:**
```bash
mkdir -p config/promtail
cp config-templates/promtail/promtail-config.yml config/promtail/
docker compose -f docker-compose/monitoring.yml up -d promtail
```
### Redis (`redis/redis.conf`)
In-memory data store configuration.
**Features:**
- Both AOF and RDB persistence enabled
- 256MB memory limit with LRU eviction
- Sensible defaults for homelab use
- Security options (password protection available)
**Setup:**
```bash
mkdir -p config/redis
cp config-templates/redis/redis.conf config/redis/
# Optional: Edit redis.conf to set a password
docker compose -f docker-compose/development.yml up -d redis
```
## Customization Tips
### Prometheus
- Add more scrape targets to monitor additional services
- Adjust `scrape_interval` based on your needs (lower = more frequent, more data)
- Configure alerting by uncommenting the alertmanager section
### Loki
- Adjust `retention_period` to keep logs longer or shorter
- Change storage from filesystem to S3 for better scalability
- Configure multiple tenants if needed
### Promtail
- Add more scrape configs for system logs, application logs, etc.
- Customize pipeline stages to extract more labels
- Filter logs based on patterns
### Redis
- Set `maxmemory` based on your available RAM
- Choose appropriate `maxmemory-policy` for your use case
- Enable password protection by uncommenting `requirepass`
## Service-Specific Notes
### Services That Don't Need Config Templates
Many services work perfectly with just environment variables and don't require separate config files:
- **Plex, Jellyfin**: Configure via web UI
- **Sonarr, Radarr, Prowlarr**: Configure via web UI
- **Portainer**: Configure via web UI
- **Grafana**: Can use provisioning or web UI
- **Most LinuxServer.io images**: Configured via environment variables
### Services That Benefit from Config Files
- **Prometheus**: Requires `prometheus.yml` for scrape configuration
- **Loki**: Requires config for storage and retention
- **Promtail**: Requires config for log sources
- **Redis**: Benefits from custom config for persistence and security
- **Nginx**: Needs config for proxy rules (use Nginx Proxy Manager UI instead)
## Best Practices
1. **Version Control**: Keep your config templates in git
2. **Secrets**: Never commit passwords or API keys
3. **Comments**: Add comments explaining custom settings
4. **Backups**: Backup config directories regularly
5. **Testing**: Test config changes in a separate environment first
## Creating New Templates
When creating templates for other services:
1. Start with the official documentation
2. Use sensible defaults for homelab use
3. Add comments explaining important settings
4. Include examples for common customizations
5. Test the template before committing
## Getting Help
- Check the official documentation for each service
- Ask GitHub Copilot in VS Code for configuration help
- Review the [Docker Guidelines](../docs/docker-guidelines.md)
- Consult service-specific community forums
## Example: Full Monitoring Stack Setup
```bash
# Create all config directories
mkdir -p config/{prometheus,loki,promtail,grafana}
# Copy templates
cp config-templates/prometheus/prometheus.yml config/prometheus/
cp config-templates/loki/loki-config.yml config/loki/
cp config-templates/promtail/promtail-config.yml config/promtail/
# Start the monitoring stack
docker compose -f docker-compose/monitoring.yml up -d
# Access services
# Prometheus: http://server-ip:9090
# Grafana: http://server-ip:3000
# Loki: http://server-ip:3100
```
## Troubleshooting
### Config file not found
Ensure you copied the template to the correct location referenced in the docker-compose file.
### Permission errors
Fix ownership:
```bash
sudo chown -R 1000:1000 config/service-name
```
### Syntax errors
Validate YAML files:
```bash
# For YAML files
python3 -c "import yaml; yaml.safe_load(open('config/service/config.yml'))"
```
### Service won't start
Check logs for configuration errors:
```bash
docker compose -f docker-compose/file.yml logs service-name
```

20
config-templates/authelia/users_database.yml
View File

@@ -1,20 +0,0 @@
# Authelia Users Database
# Copy to /opt/stacks/authelia/users_database.yml
# Generate password hashes with: docker run authelia/authelia:latest authelia crypto hash generate argon2 --password 'yourpassword'
users:
admin:
displayname: "Admin User"
password: "$argon2id$v=19$m=65536,t=3,p=4$CHANGEME" # Replace with your hashed password
email: admin@example.com
groups:
- admins
- users
# Example: Additional user
# user1:
# displayname: "User One"
# password: "$argon2id$v=19$m=65536,t=3,p=4$CHANGEME"
# email: user1@example.com
# groups:
# - users

8
config-templates/dokuwiki/conf/.htaccess
View File

@@ -1,8 +0,0 @@
## no access to the conf directory
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>

10
config-templates/dokuwiki/conf/acl.auth.php
View File

@@ -1,10 +0,0 @@
# acl.auth.php
# <?php exit()?>
# Don't modify the lines above
#
# Access Control Lists
#
# Auto-generated by install script
# Date: Tue, 20 Jan 2026 20:06:48 -0500
* @ALL 1
* @user 8

21
config-templates/dokuwiki/conf/acl.auth.php.dist
View File

@@ -1,21 +0,0 @@
# acl.auth.php
# <?php exit()?>
# Don't modify the lines above
#
# Access Control Lists
#
# Editing this file by hand shouldn't be necessary. Use the ACL
# Manager interface instead.
#
# If your auth backend allows special char like spaces in groups
# or user names you need to urlencode them (only chars <128, leave
# UTF-8 multibyte chars as is)
#
# none 0
# read 1
# edit 2
# create 4
# upload 8
# delete 16
* @ALL 8

62
config-templates/dokuwiki/conf/acronyms.conf
View File

@@ -1,62 +0,0 @@
# Acronyms.
ACL Access Control List
AFAICS As far as I can see
AFAIK As far as I know
AFAIR As far as I remember
API Application Programming Interface
ASAP As soon as possible
ASCII American Standard Code for Information Interchange
BTW By the way
CMS Content Management System
CSS Cascading Style Sheets
DNS Domain Name System
EOF End of file
EOL End of line
EOM End of message
EOT End of text
FAQ Frequently Asked Questions
FTP File Transfer Protocol
FOSS Free & Open-Source Software
FLOSS Free/Libre and Open Source Software
FUD Fear, Uncertainty, and Doubt
FYI For your information
GB Gigabyte
GHz Gigahertz
GPL GNU General Public License
GUI Graphical User Interface
HTML HyperText Markup Language
IANAL I am not a lawyer (but)
IE Internet Explorer
IIRC If I remember correctly
IMHO In my humble opinion
IMO In my opinion
IOW In other words
IRC Internet Relay Chat
IRL In real life
KISS Keep it simple stupid
LAN Local Area Network
LGPL GNU Lesser General Public License
LOL Laughing out loud
MathML Mathematical Markup Language
MB Megabyte
MHz Megahertz
MSIE Microsoft Internet Explorer
OMG Oh my God
OS Operating System
OSS Open Source Software
OTOH On the other hand
PITA Pain in the Ass
RFC Request for Comments
ROTFL Rolling on the floor laughing
RTFM Read The Fine Manual
spec specification
TIA Thanks in advance
TL;DR Too long; didn't read
TOC Table of Contents
URI Uniform Resource Identifier
URL Uniform Resource Locator
W3C World Wide Web Consortium
WTF? What the f***
WYSIWYG What You See Is What You Get
YMMV Your mileage may vary

187
config-templates/dokuwiki/conf/dokuwiki.php
View File

@@ -1,187 +0,0 @@
<?php
/**
* This is DokuWiki's Main Configuration file
*
* All the default values are kept here, you should not modify it but use
* a local.php file instead to override the settings from here.
*
* This is a piece of PHP code so PHP syntax applies!
*
* For help with the configuration and a more detailed explanation of the various options
* see https://www.dokuwiki.org/config
*/
/* Basic Settings */
$conf['title'] = 'DokuWiki'; //what to show in the title
$conf['start'] = 'start'; //name of start page
$conf['lang'] = 'en'; //your language
$conf['template'] = 'dokuwiki'; //see lib/tpl directory
$conf['tagline'] = ''; //tagline in header (if template supports it)
$conf['sidebar'] = 'sidebar'; //name of sidebar in root namespace (if template supports it)
$conf['license'] = 'cc-by-nc-sa'; //see conf/license.php
$conf['savedir'] = './data'; //where to store all the files
$conf['basedir'] = ''; //absolute dir from serveroot - blank for autodetection
$conf['baseurl'] = ''; //URL to server including protocol - blank for autodetect
$conf['cookiedir'] = ''; //path to use in cookies - blank for basedir
$conf['dmode'] = 0755; //set directory creation mode
$conf['fmode'] = 0644; //set file creation mode
$conf['allowdebug'] = 0; //allow debug output, enable if needed 0|1
/* Display Settings */
$conf['recent'] = 20; //how many entries to show in recent
$conf['recent_days'] = 7; //How many days of recent changes to keep. (days)
$conf['breadcrumbs'] = 10; //how many recent visited pages to show
$conf['youarehere'] = 0; //show "You are here" navigation? 0|1
$conf['fullpath'] = 0; //show full path of the document or relative to datadir only? 0|1
$conf['typography'] = 1; //smartquote conversion 0=off, 1=doublequotes, 2=all quotes
$conf['dformat'] = '%Y/%m/%d %H:%M'; //dateformat accepted by PHPs strftime() function
$conf['signature'] = ' --- //[[@MAIL@|@NAME@]] @DATE@//'; //signature see wiki page for details
$conf['showuseras'] = 'loginname'; // 'loginname' users login name
// 'username' users full name
// 'email' e-mail address (will be obfuscated as per mailguard)
// 'email_link' e-mail address as a mailto: link (obfuscated)
$conf['toptoclevel'] = 1; //Level starting with and below to include in AutoTOC (max. 5)
$conf['tocminheads'] = 3; //Minimum amount of headlines that determines if a TOC is built
$conf['maxtoclevel'] = 3; //Up to which level include into AutoTOC (max. 5)
$conf['maxseclevel'] = 3; //Up to which level create editable sections (max. 5)
$conf['camelcase'] = 0; //Use CamelCase for linking? (I don't like it) 0|1
$conf['deaccent'] = 1; //deaccented chars in pagenames (1) or romanize (2) or keep (0)?
$conf['useheading'] = 0; //use the first heading in a page as its name
$conf['sneaky_index']= 0; //check for namespace read permission in index view (0|1) (1 might cause unexpected behavior)
$conf['hidepages'] = ''; //Regexp for pages to be skipped from RSS, Search and Recent Changes
/* Authentication Settings */
$conf['useacl'] = 0; //Use Access Control Lists to restrict access?
$conf['autopasswd'] = 1; //autogenerate passwords and email them to user
$conf['authtype'] = 'authplain'; //which authentication backend should be used
$conf['passcrypt'] = 'bcrypt'; //Used crypt method (smd5,md5,sha1,ssha,crypt,mysql,my411,bcrypt)
$conf['defaultgroup']= 'user'; //Default groups new Users are added to
$conf['superuser'] = '!!not set!!'; //The admin can be user or @group or comma separated list user1,@group1,user2
$conf['manager'] = '!!not set!!'; //The manager can be user or @group or comma separated list user1,@group1,user2
$conf['profileconfirm'] = 1; //Require current password to confirm changes to user profile
$conf['rememberme'] = 1; //Enable/disable remember me on login
$conf['disableactions'] = ''; //comma separated list of actions to disable
$conf['auth_security_timeout'] = 900; //time (seconds) auth data is considered valid, set to 0 to recheck on every page view
$conf['securecookie'] = 1; //never send HTTPS cookies via HTTP
$conf['samesitecookie'] = 'Lax'; //SameSite attribute for cookies (Lax|Strict|None|Empty)
$conf['remote'] = 0; //Enable/disable remote interfaces
$conf['remoteuser'] = '!!not set!!'; //user/groups that have access to remote interface (comma separated). leave empty to allow all users
$conf['remotecors'] = ''; //enable Cross-Origin Resource Sharing (CORS) for the remote interfaces. Asterisk (*) to allow all origins. leave empty to deny.
/* Antispam Features */
$conf['usewordblock']= 1; //block spam based on words? 0|1
$conf['relnofollow'] = 1; //use rel="ugc nofollow" for external links?
$conf['indexdelay'] = 60*60*24*5; //allow indexing after this time (seconds) default is 5 days
$conf['mailguard'] = 'hex'; //obfuscate email addresses against spam harvesters?
//valid entries are:
// 'visible' - replace @ with [at], . with [dot] and - with [dash]
// 'hex' - use hex entities to encode the mail address
// 'none' - do not obfuscate addresses
$conf['iexssprotect']= 1; // check for JavaScript and HTML in uploaded files 0|1
/* Editing Settings */
$conf['usedraft'] = 1; //automatically save a draft while editing (0|1)
$conf['locktime'] = 15*60; //maximum age for lockfiles (defaults to 15 minutes)
$conf['cachetime'] = 60*60*24; //maximum age for cachefile in seconds (defaults to a day)
/* Link Settings */
// Set target to use when creating links - leave empty for same window
$conf['target']['wiki'] = '';
$conf['target']['interwiki'] = '';
$conf['target']['extern'] = '';
$conf['target']['media'] = '';
$conf['target']['windows'] = '';
/* Media Settings */
$conf['mediarevisions'] = 1; //enable/disable media revisions
$conf['refcheck'] = 1; //check for references before deleting media files
$conf['gdlib'] = 2; //the GDlib version (0, 1 or 2) 2 tries to autodetect
$conf['im_convert'] = ''; //path to ImageMagicks convert (will be used instead of GD)
$conf['jpg_quality'] = '70'; //quality of compression when scaling jpg images (0-100)
$conf['fetchsize'] = 0; //maximum size (bytes) fetch.php may download from extern, disabled by default
/* Notification Settings */
$conf['subscribers'] = 0; //enable change notice subscription support
$conf['subscribe_time'] = 24*60*60; //Time after which digests / lists are sent (in sec, default 1 day)
//Should be smaller than the time specified in recent_days
$conf['notify'] = ''; //send change info to this email (leave blank for nobody)
$conf['registernotify'] = ''; //send info about newly registered users to this email (leave blank for nobody)
$conf['mailfrom'] = ''; //use this email when sending mails
$conf['mailreturnpath'] = ''; //use this email as returnpath for bounce mails
$conf['mailprefix'] = ''; //use this as prefix of outgoing mails
$conf['htmlmail'] = 1; //send HTML multipart mails
$conf['dontlog'] = 'debug'; //logging facilities that should be disabled
$conf['logretain'] = 3; //how many days of logs to keep
/* Syndication Settings */
$conf['sitemap'] = 0; //Create a Google sitemap? How often? In days.
$conf['rss_type'] = 'rss1'; //type of RSS feed to provide, by default:
// 'rss' - RSS 0.91
// 'rss1' - RSS 1.0
// 'rss2' - RSS 2.0
// 'atom' - Atom 0.3
// 'atom1' - Atom 1.0
$conf['rss_linkto'] = 'diff'; //what page RSS entries link to:
// 'diff' - page showing revision differences
// 'page' - the revised page itself
// 'rev' - page showing all revisions
// 'current' - most recent revision of page
$conf['rss_content'] = 'abstract'; //what to put in the items by default?
// 'abstract' - plain text, first paragraph or so
// 'diff' - plain text unified diff wrapped in <pre> tags
// 'htmldiff' - diff as HTML table
// 'html' - the full page rendered in XHTML
$conf['rss_media'] = 'both'; //what should be listed?
// 'both' - page and media changes
// 'pages' - page changes only
// 'media' - media changes only
$conf['rss_update'] = 5*60; //Update the RSS feed every n seconds (defaults to 5 minutes)
$conf['rss_show_summary'] = 1; //Add revision summary to title? 0|1
$conf['rss_show_deleted'] = 1; //Show deleted items 0|1
/* Advanced Settings */
$conf['updatecheck'] = 1; //automatically check for new releases?
$conf['userewrite'] = 0; //this makes nice URLs: 0: off 1: .htaccess 2: internal
$conf['useslash'] = 0; //use slash instead of colon? only when rewrite is on
$conf['sepchar'] = '_'; //word separator character in page names; may be a
// letter, a digit, '_', '-', or '.'.
$conf['canonical'] = 0; //Should all URLs use full canonical http://... style?
$conf['fnencode'] = 'url'; //encode filenames (url|safe|utf-8)
$conf['autoplural'] = 0; //try (non)plural form of nonexistent files?
$conf['compression'] = 'gz'; //compress old revisions: (0: off) ('gz': gnuzip) ('bz2': bzip)
// bz2 generates smaller files, but needs more cpu-power
$conf['gzip_output'] = 0; //use gzip content encoding for the output xhtml (if allowed by browser)
$conf['compress'] = 1; //Strip whitespaces and comments from Styles and JavaScript? 1|0
$conf['cssdatauri'] = 512; //Maximum byte size of small images to embed into CSS, won't work on IE<8
$conf['send404'] = 0; //Send an HTTP 404 status for nonexistent pages?
$conf['broken_iua'] = 0; //Platform with broken ignore_user_abort (IIS+CGI) 0|1
$conf['xsendfile'] = 0; //Use X-Sendfile (1 = lighttpd, 2 = standard)
$conf['renderer_xhtml'] = 'xhtml'; //renderer to use for main page generation
$conf['readdircache'] = 0; //time cache in second for the readdir operation, 0 to deactivate.
$conf['search_nslimit'] = 0; //limit the search to the current X namespaces
$conf['search_fragment'] = 'exact'; //specify the default fragment search behavior
/* Feature Flags */
$conf['defer_js'] = 1; // Defer javascript to be executed after the page's HTML has been parsed. Setting will be removed in the next release.
$conf['hidewarnings'] = 0; // Hide warnings
/* Network Settings */
$conf['dnslookups'] = 1; //disable to disallow IP to hostname lookups
$conf['jquerycdn'] = 0; //use a CDN for delivering jQuery?
$conf['trustedproxies'] = array('::1', 'fe80::/10', '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16');
// Trusted proxy servers from which to read the X-Forwarded-For header.
// Each item in the array may be either an IPv4 or IPv6 address, or
// an IPv4 or IPv6 CIDR range (e.g. 10.0.0.0/8).
$conf['realip'] = false; // Enable reading the X-Real-IP header. Default: false.
// Only enable this if your server writes this header, otherwise it may be spoofed.
// Proxy setup - if your Server needs a proxy to access the web set these
$conf['proxy']['host'] = '';
$conf['proxy']['port'] = '';
$conf['proxy']['user'] = '';
$conf['proxy']['pass'] = '';
$conf['proxy']['ssl'] = 0;
$conf['proxy']['except'] = '';

22
config-templates/dokuwiki/conf/entities.conf
View File

@@ -1,22 +0,0 @@
# Typography replacements
#
# Order does matter!
#
# You can use HTML entities here, but it is not recommended because it may break
# non-HTML renderers. Use UTF-8 chars directly instead.
<-> ↔
-> →
<- ←
<=> ⇔
=> ⇒
<= ⇐
>> »
<< «
--- —
--
(c) ©
(tm) ™
(r) ®
... …

43
config-templates/dokuwiki/conf/interwiki.conf
View File

@@ -1,43 +0,0 @@
# Each URL may contain one of these placeholders
# {URL} is replaced by the URL encoded representation of the wikiname
# this is the right thing to do in most cases
# {NAME} this is replaced by the wikiname as given in the document
# only mandatory encoded is done, urlencoding if the link
# is an external URL, or encoding as a wikiname if it is an
# internal link (begins with a colon)
# {SCHEME}
# {HOST}
# {PORT}
# {PATH}
# {QUERY} these placeholders will be replaced with the appropriate part
# of the link when parsed as a URL
# If no placeholder is defined the urlencoded name is appended to the URL
# To prevent losing your added InterWiki shortcuts after an upgrade,
# you should add new ones to interwiki.local.conf
wp https://en.wikipedia.org/wiki/{NAME}
wpfr https://fr.wikipedia.org/wiki/{NAME}
wpde https://de.wikipedia.org/wiki/{NAME}
wpes https://es.wikipedia.org/wiki/{NAME}
wppl https://pl.wikipedia.org/wiki/{NAME}
wpjp https://ja.wikipedia.org/wiki/{NAME}
wpru https://ru.wikipedia.org/wiki/{NAME}
wpmeta https://meta.wikipedia.org/wiki/{NAME}
doku https://www.dokuwiki.org/
rfc https://tools.ietf.org/html/rfc
man http://man.cx/
amazon https://www.amazon.com/dp/{URL}?tag=splitbrain-20
amazon.de https://www.amazon.de/dp/{URL}?tag=splitbrain-21
amazon.uk https://www.amazon.co.uk/dp/{URL}
paypal https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&amp;business=
phpfn https://secure.php.net/{NAME}
skype skype:{NAME}
google https://www.google.com/search?q=
google.de https://www.google.de/search?q=
go https://www.google.com/search?q={URL}&amp;btnI=lucky
user :user:{NAME}
# To support VoIP/SIP/TEL links
callto callto://{NAME}
tel tel:{NAME}

38
config-templates/dokuwiki/conf/license.php
View File

@@ -1,38 +0,0 @@
<?php
/**
* This file defines multiple available licenses you can license your
* wiki contents under. Do not change this file, but create a
* license.local.php instead.
*/
if(empty($LC)) $LC = empty($conf['lang']) ? 'en' : $conf['lang'];
$license['cc-zero'] = array(
'name' => 'CC0 1.0 Universal',
'url' => 'https://creativecommons.org/publicdomain/zero/1.0/deed.'.$LC,
);
$license['publicdomain'] = array(
'name' => 'Public Domain',
'url' => 'https://creativecommons.org/licenses/publicdomain/deed.'.$LC,
);
$license['cc-by'] = array(
'name' => 'CC Attribution 4.0 International',
'url' => 'https://creativecommons.org/licenses/by/4.0/deed.'.$LC,
);
$license['cc-by-sa'] = array(
'name' => 'CC Attribution-Share Alike 4.0 International',
'url' => 'https://creativecommons.org/licenses/by-sa/4.0/deed.'.$LC,
);
$license['gnufdl'] = array(
'name' => 'GNU Free Documentation License 1.3',
'url' => 'https://www.gnu.org/licenses/fdl-1.3.html',
);
$license['cc-by-nc'] = array(
'name' => 'CC Attribution-Noncommercial 4.0 International',
'url' => 'https://creativecommons.org/licenses/by-nc/4.0/deed.'.$LC,
);
$license['cc-by-nc-sa'] = array(
'name' => 'CC Attribution-Noncommercial-Share Alike 4.0 International',
'url' => 'https://creativecommons.org/licenses/by-nc-sa/4.0/deed.'.$LC,
);

13
config-templates/dokuwiki/conf/local.php
View File

@@ -1,13 +0,0 @@
<?php
/**
* Dokuwiki's Main Configuration File - Local Settings
* Auto-generated by install script
* Date: Tue, 20 Jan 2026 20:06:48 -0500
*/
$conf['title'] = 'AI-Homelab';
$conf['lang'] = 'en';
$conf['license'] = 'cc-by-sa';
$conf['useacl'] = 1;
$conf['superuser'] = '@admin';
$conf['disableactions'] = 'register';
$conf['savedir'] = '/app/www/public/data';

16
config-templates/dokuwiki/conf/local.php.dist
View File

@@ -1,16 +0,0 @@
<?php
/**
* This is an example of how a local.php could look like.
* Simply copy the options you want to change from dokuwiki.php
* to this file and change them.
*
* When using the installer, a correct local.php file be generated for
* you automatically.
*/
//$conf['title'] = 'My Wiki'; //what to show in the title
//$conf['useacl'] = 1; //Use Access Control Lists to restrict access?
//$conf['superuser'] = 'joe';

3
config-templates/dokuwiki/conf/manifest.json
View File

@@ -1,3 +0,0 @@
{
"display": "standalone"
}

91
config-templates/dokuwiki/conf/mediameta.php
View File

@@ -1,91 +0,0 @@
<?php
/**
* This configures which metadata will be editable through
* the media manager. Each field of the array is an array with the
* following contents:
* fieldname - Where data will be saved (EXIF or IPTC field)
* label - key to lookup in the $lang var, if not found printed as is
* htmltype - 'text', 'textarea' or 'date'
* lookups - array additional fields to look up the data (EXIF or IPTC fields)
*
* The fields are not ordered continuously to make inserting additional items
* in between simpler.
*
* This is a PHP snippet, so PHP syntax applies.
*
* Note: $fields is not a global variable and will not be available to any
* other functions or templates later
*
* You may extend or overwrite this variable in an optional
* conf/mediameta.local.php file
*
* For a list of available EXIF/IPTC fields refer to
* http://www.dokuwiki.org/devel:templates:detail.php
*/
$fields = array(
10 => array('Iptc.Headline',
'img_title',
'text'),
20 => array('',
'img_date',
'date',
array('Date.EarliestTime')),
30 => array('',
'img_fname',
'text',
array('File.Name')),
40 => array('Iptc.Caption',
'img_caption',
'textarea',
array('Exif.UserComment',
'Exif.TIFFImageDescription',
'Exif.TIFFUserComment')),
50 => array('Iptc.Byline',
'img_artist',
'text',
array('Exif.TIFFArtist',
'Exif.Artist',
'Iptc.Credit')),
60 => array('Iptc.CopyrightNotice',
'img_copyr',
'text',
array('Exif.TIFFCopyright',
'Exif.Copyright')),
70 => array('',
'img_format',
'text',
array('File.Format')),
80 => array('',
'img_fsize',
'text',
array('File.NiceSize')),
90 => array('',
'img_width',
'text',
array('File.Width')),
100 => array('',
'img_height',
'text',
array('File.Height')),
110 => array('',
'img_camera',
'text',
array('Simple.Camera')),
120 => array('Iptc.Keywords',
'img_keywords',
'text',
array('Exif.Category')),
);

75
config-templates/dokuwiki/conf/mime.conf
View File

@@ -1,75 +0,0 @@
# Allowed uploadable file extensions and mimetypes are defined here.
# To extend this file it is recommended to create a mime.local.conf
# file. Mimetypes that should be downloadable and not be opened in the
# should be prefixed with a !
jpg image/jpeg
jpeg image/jpeg
gif image/gif
png image/png
webp image/webp
ico image/vnd.microsoft.icon
mp3 audio/mpeg
ogg audio/ogg
wav audio/wav
webm video/webm
ogv video/ogg
mp4 video/mp4
vtt text/vtt
tgz !application/octet-stream
tar !application/x-gtar
gz !application/octet-stream
bz2 !application/octet-stream
zip !application/zip
rar !application/rar
7z !application/x-7z-compressed
pdf application/pdf
ps !application/postscript
rpm !application/octet-stream
deb !application/octet-stream
doc !application/msword
xls !application/msexcel
ppt !application/mspowerpoint
rtf !application/msword
docx !application/vnd.openxmlformats-officedocument.wordprocessingml.document
xlsx !application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
pptx !application/vnd.openxmlformats-officedocument.presentationml.presentation
sxw !application/soffice
sxc !application/soffice
sxi !application/soffice
sxd !application/soffice
odc !application/vnd.oasis.opendocument.chart
odf !application/vnd.oasis.opendocument.formula
odg !application/vnd.oasis.opendocument.graphics
odi !application/vnd.oasis.opendocument.image
odp !application/vnd.oasis.opendocument.presentation
ods !application/vnd.oasis.opendocument.spreadsheet
odt !application/vnd.oasis.opendocument.text
svg image/svg+xml
# You should enable HTML and Text uploads only for restricted Wikis.
# Spammers are known to upload spam pages through unprotected Wikis.
# Note: Enabling HTML opens Cross Site Scripting vulnerabilities
# through JavaScript. Only enable this with trusted users. You
# need to disable the iexssprotect option additionally to
# adding the mime type here
#html text/html
#htm text/html
#txt text/plain
#conf text/plain
#xml text/xml
#csv text/csv
# Also flash may be able to execute arbitrary scripts in the website's
# context
#swf application/x-shockwave-flash

253
config-templates/dokuwiki/conf/mysql.conf.php.example
View File

@@ -1,253 +0,0 @@
<?php
/*
* This is an example configuration for the mysql auth plugin.
*
* This SQL statements are optimized for following table structure.
* If you use a different one you have to change them accordingly.
* See comments of every statement for details.
*
* TABLE users
* uid login pass firstname lastname email
*
* TABLE groups
* gid name
*
* TABLE usergroup
* uid gid
*
* To use this configuration you have to copy them to local.protected.php
* or at least include this file in local.protected.php.
*/
/* Options to configure database access. You need to set up this
* options carefully, otherwise you won't be able to access you
* database.
*/
$conf['plugin']['authmysql']['server'] = '';
$conf['plugin']['authmysql']['user'] = '';
$conf['plugin']['authmysql']['password'] = '';
$conf['plugin']['authmysql']['database'] = '';
/* This option enables debug messages in the mysql plugin. It is
* mostly useful for system admins.
*/
$conf['plugin']['authmysql']['debug'] = 0;
/* Normally password encryption is done by DokuWiki (recommended) but for
* some reasons it might be useful to let the database do the encryption.
* Set 'forwardClearPass' to '1' and the cleartext password is forwarded to
* the database, otherwise the encrypted one.
*/
$conf['plugin']['authmysql']['forwardClearPass'] = 0;
/* Multiple table operations will be protected by locks. This array tells
* the plugin which tables to lock. If you use any aliases for table names
* these array must also contain these aliases. Any unnamed alias will cause
* a warning during operation. See the example below.
*/
$conf['plugin']['authmysql']['TablesToLock']= array("users", "users AS u","groups", "groups AS g", "usergroup", "usergroup AS ug");
/***********************************************************************/
/* Basic SQL statements for user authentication (required) */
/***********************************************************************/
/* This statement is used to grant or deny access to the wiki. The result
* should be a table with exact one line containing at least the password
* of the user. If the result table is empty or contains more than one
* row, access will be denied.
*
* The plugin accesses the password as 'pass' so an alias might be necessary.
*
* Following patters will be replaced:
* %{user} user name
* %{pass} encrypted or clear text password (depends on 'encryptPass')
* %{dgroup} default group name
*/
$conf['plugin']['authmysql']['checkPass'] = "SELECT pass
FROM usergroup AS ug
JOIN users AS u ON u.uid=ug.uid
JOIN groups AS g ON g.gid=ug.gid
WHERE login='%{user}'
AND name='%{dgroup}'";
/* This statement should return a table with exact one row containing
* information about one user. The field needed are:
* 'pass' containing the encrypted or clear text password
* 'name' the user's full name
* 'mail' the user's email address
*
* Keep in mind that Dokuwiki will access this information through the
* names listed above so aliases might be necessary.
*
* Following patters will be replaced:
* %{user} user name
*/
$conf['plugin']['authmysql']['getUserInfo'] = "SELECT pass, CONCAT(firstname,' ',lastname) AS name, email AS mail
FROM users
WHERE login='%{user}'";
/* This statement is used to get all groups a user is member of. The
* result should be a table containing all groups the given user is
* member of. The plugin accesses the group name as 'group' so an alias
* might be necessary.
*
* Following patters will be replaced:
* %{user} user name
*/
$conf['plugin']['authmysql']['getGroups'] = "SELECT name as `group`
FROM groups g, users u, usergroup ug
WHERE u.uid = ug.uid
AND g.gid = ug.gid
AND u.login='%{user}'";
/***********************************************************************/
/* Additional minimum SQL statements to use the user manager */
/***********************************************************************/
/* This statement should return a table containing all user login names
* that meet certain filter criteria. The filter expressions will be added
* case dependent by the plugin. At the end a sort expression will be added.
* Important is that this list contains no double entries for a user. Each
* user name is only allowed once in the table.
*
* The login name will be accessed as 'user' to an alias might be necessary.
* No patterns will be replaced in this statement but following patters
* will be replaced in the filter expressions:
* %{user} in FilterLogin user's login name
* %{name} in FilterName user's full name
* %{email} in FilterEmail user's email address
* %{group} in FilterGroup group name
*/
$conf['plugin']['authmysql']['getUsers'] = "SELECT DISTINCT login AS user
FROM users AS u
LEFT JOIN usergroup AS ug ON u.uid=ug.uid
LEFT JOIN groups AS g ON ug.gid=g.gid";
$conf['plugin']['authmysql']['FilterLogin'] = "login LIKE '%{user}'";
$conf['plugin']['authmysql']['FilterName'] = "CONCAT(firstname,' ',lastname) LIKE '%{name}'";
$conf['plugin']['authmysql']['FilterEmail'] = "email LIKE '%{email}'";
$conf['plugin']['authmysql']['FilterGroup'] = "name LIKE '%{group}'";
$conf['plugin']['authmysql']['SortOrder'] = "ORDER BY login";
/***********************************************************************/
/* Additional SQL statements to add new users with the user manager */
/***********************************************************************/
/* This statement should add a user to the database. Minimum information
* to store are: login name, password, email address and full name.
*
* Following patterns will be replaced:
* %{user} user's login name
* %{pass} password (encrypted or clear text, depends on 'encryptPass')
* %{email} email address
* %{name} user's full name
*/
$conf['plugin']['authmysql']['addUser'] = "INSERT INTO users
(login, pass, email, firstname, lastname)
VALUES ('%{user}', '%{pass}', '%{email}',
SUBSTRING_INDEX('%{name}',' ', 1),
SUBSTRING_INDEX('%{name}',' ', -1))";
/* This statement should add a group to the database.
* Following patterns will be replaced:
* %{group} group name
*/
$conf['plugin']['authmysql']['addGroup'] = "INSERT INTO groups (name)
VALUES ('%{group}')";
/* This statement should connect a user to a group (a user become member
* of that group).
* Following patterns will be replaced:
* %{user} user's login name
* %{uid} id of a user dataset
* %{group} group name
* %{gid} id of a group dataset
*/
$conf['plugin']['authmysql']['addUserGroup']= "INSERT INTO usergroup (uid, gid)
VALUES ('%{uid}', '%{gid}')";
/* This statement should remove a group fom the database.
* Following patterns will be replaced:
* %{group} group name
* %{gid} id of a group dataset
*/
$conf['plugin']['authmysql']['delGroup'] = "DELETE FROM groups
WHERE gid='%{gid}'";
/* This statement should return the database index of a given user name.
* The plugin will access the index with the name 'id' so an alias might be
* necessary.
* following patters will be replaced:
* %{user} user name
*/
$conf['plugin']['authmysql']['getUserID'] = "SELECT uid AS id
FROM users
WHERE login='%{user}'";
/***********************************************************************/
/* Additional SQL statements to delete users with the user manager */
/***********************************************************************/
/* This statement should remove a user fom the database.
* Following patterns will be replaced:
* %{user} user's login name
* %{uid} id of a user dataset
*/
$conf['plugin']['authmysql']['delUser'] = "DELETE FROM users
WHERE uid='%{uid}'";
/* This statement should remove all connections from a user to any group
* (a user quits membership of all groups).
* Following patterns will be replaced:
* %{uid} id of a user dataset
*/
$conf['plugin']['authmysql']['delUserRefs'] = "DELETE FROM usergroup
WHERE uid='%{uid}'";
/***********************************************************************/
/* Additional SQL statements to modify users with the user manager */
/***********************************************************************/
/* This statements should modify a user entry in the database. The
* statements UpdateLogin, UpdatePass, UpdateEmail and UpdateName will be
* added to updateUser on demand. Only changed parameters will be used.
*
* Following patterns will be replaced:
* %{user} user's login name
* %{pass} password (encrypted or clear text, depends on 'encryptPass')
* %{email} email address
* %{name} user's full name
* %{uid} user id that should be updated
*/
$conf['plugin']['authmysql']['updateUser'] = "UPDATE users SET";
$conf['plugin']['authmysql']['UpdateLogin'] = "login='%{user}'";
$conf['plugin']['authmysql']['UpdatePass'] = "pass='%{pass}'";
$conf['plugin']['authmysql']['UpdateEmail'] = "email='%{email}'";
$conf['plugin']['authmysql']['UpdateName'] = "firstname=SUBSTRING_INDEX('%{name}',' ', 1),
lastname=SUBSTRING_INDEX('%{name}',' ', -1)";
$conf['plugin']['authmysql']['UpdateTarget']= "WHERE uid=%{uid}";
/* This statement should remove a single connection from a user to a
* group (a user quits membership of that group).
*
* Following patterns will be replaced:
* %{user} user's login name
* %{uid} id of a user dataset
* %{group} group name
* %{gid} id of a group dataset
*/
$conf['plugin']['authmysql']['delUserGroup']= "DELETE FROM usergroup
WHERE uid='%{uid}'
AND gid='%{gid}'";
/* This statement should return the database index of a given group name.
* The plugin will access the index with the name 'id' so an alias might
* be necessary.
*
* Following patters will be replaced:
* %{group} group name
*/
$conf['plugin']['authmysql']['getGroupID'] = "SELECT gid AS id
FROM groups
WHERE name='%{group}'";

12
config-templates/dokuwiki/conf/plugins.local.php
View File

@@ -1,12 +0,0 @@
<?php
/*
* Local plugin enable/disable settings
*
* Auto-generated by install script
* Date: Tue, 20 Jan 2026 20:06:48 -0500
*/
$plugins['authad'] = 0;
$plugins['authldap'] = 0;
$plugins['authmysql'] = 0;
$plugins['authpgsql'] = 0;

6
config-templates/dokuwiki/conf/plugins.php
View File

@@ -1,6 +0,0 @@
<?php
/**
* This file configures the default states of available plugins. All settings in
* the plugins.*.php files will override those here.
*/
$plugins['testing'] = 0;

12
config-templates/dokuwiki/conf/plugins.required.php
View File

@@ -1,12 +0,0 @@
<?php
/**
* This file configures the enabled/disabled status of plugins, which are also protected
* from changes by the extension manager. These settings will override any local settings.
* It is not recommended to change this file, as it is overwritten on DokuWiki upgrades.
*/
$plugins['acl'] = 1;
$plugins['authplain'] = 1;
$plugins['extension'] = 1;
$plugins['config'] = 1;
$plugins['usermanager'] = 1;
$plugins['template:dokuwiki'] = 1; // not a plugin, but this should not be uninstalled either

11
config-templates/dokuwiki/conf/scheme.conf
View File

@@ -1,11 +0,0 @@
#Add URL schemes you want to be recognized as links here
http
https
telnet
gopher
wais
ftp
ed2k
irc
ldap

28
config-templates/dokuwiki/conf/smileys.conf
View File

@@ -1,28 +0,0 @@
# Smileys configured here will be replaced by the
# configured images in the smiley directory
8-) cool.svg
8-O eek.svg
8-o eek.svg
:-( sad.svg
:-) smile.svg
=) smile2.svg
:-/ doubt.svg
:-\ doubt2.svg
:-? confused.svg
:-D biggrin.svg
:-P razz.svg
:-o surprised.svg
:-O surprised.svg
:-x silenced.svg
:-X silenced.svg
:-| neutral.svg
;-) wink.svg
m( facepalm.svg
^_^ fun.svg
:?: question.svg
:!: exclaim.svg
LOL lol.svg
FIXME fixme.svg
DELETEME deleteme.svg

13
config-templates/dokuwiki/conf/users.auth.php
View File

@@ -1,13 +0,0 @@
# users.auth.php
# <?php exit()?>
# Don't modify the lines above
#
# Userfile
#
# Auto-generated by install script
# Date: Tue, 20 Jan 2026 20:06:48 -0500
#
# Format:
# login:passwordhash:Real Name:email:groups,comma,separated
admin:$2y$10$dX5ryEUsFKXDRNl6DAk5Zem.1KtI8Q45.z0EQ6NLI7HXJjJyx4hqS:Admin:admin@example.com:admin,user

10
config-templates/dokuwiki/conf/users.auth.php.dist
View File

@@ -1,10 +0,0 @@
# users.auth.php
# <?php exit()?>
# Don't modify the lines above
#
# Userfile
#
# Format:
#
# login:passwordhash:Real Name:email:groups,comma,separated

29
config-templates/dokuwiki/conf/wordblock.conf
View File

@@ -1,29 +0,0 @@
# This blacklist is maintained by the DokuWiki community
# patches welcome
#
https?:\/\/(\S*?)(-side-effects|top|pharm|pill|discount|discount-|deal|price|order|now|best|cheap|cheap-|online|buy|buy-|sale|sell)(\S*?)(cialis|viagra|prazolam|xanax|zanax|soma|vicodin|zenical|xenical|meridia|paxil|prozac|claritin|allegra|lexapro|wellbutrin|zoloft|retin|valium|levitra|phentermine)
https?:\/\/(\S*?)(bi\s*sex|gay\s*sex|fetish|incest|penis|\brape\b)
zoosex
gang\s*bang
facials
ladyboy
\btits\b
bolea\.com
52crystal
baida\.org
web-directory\.awardspace\.us
korsan-team\.com
BUDA TAMAMDIR
wow-powerleveling-wow\.com
wow gold
wow-gold\.dinmo\.cn
downgrade-vista\.com
downgradetowindowsxp\.com
elegantugg\.com
classicedhardy\.com
research-service\.com
https?:\/\/(\S*?)(2-pay-secure|911essay|academia-research|anypapers|applicationessay|bestbuyessay|bestdissertation|bestessay|bestresume|besttermpaper|businessessay|college-paper|customessay|custom-made-paper|custom-writing|degree-?result|dissertationblog|dissertation-service|dissertations?expert|essaybank|essay-?blog|essaycapital|essaylogic|essaymill|essayontime|essaypaper|essays?land|essaytownsucks|essay-?writ|fastessays|freelancercareers|genuinecontent|genuineessay|genuinepaper|goessay|grandresume|killer-content|ma-dissertation|managementessay|masterpaper|mightystudent|needessay|researchedge|researchpaper-blog|resumecvservice|resumesexperts|resumesplanet|rushessay|samedayessay|superiorcontent|superiorpaper|superiorthesis|term-paper|termpaper-blog|term-paper-research|thesisblog|universalresearch|valwriting|vdwriters|wisetranslation|writersassembly|writers\.com\.ph|writers\.ph)
flatsinmumbai\.co\.in
https?:\/\/(\S*?)penny-?stock
mattressreview\.biz
(just|simply) (my|a) profile (site|webpage|page)

293
config-templates/dokuwiki/data/pages/architecture/backup.txt
View File

@@ -1,293 +0,0 @@
====== Backup Strategy ======
The AI-Homelab implements a comprehensive backup strategy designed for data protection, disaster recovery, and business continuity.
===== Backup Principles =====
**3-2-1 Rule:**
* **3 Copies**: Original + 2 backups
* **2 Media Types**: Different storage technologies
* **1 Offsite**: Geographic separation
**Recovery Objectives:**
* **RTO (Recovery Time Objective)**: Time to restore service
* **RPO (Recovery Point Objective)**: Maximum data loss acceptable
* **RTO Target**: < 4 hours for critical services
* **RPO Target**: < 1 hour for critical data
**Backup Types:**
* **Full**: Complete system backup
* **Incremental**: Changes since last backup
* **Differential**: Changes since last full backup
* **Snapshot**: Point-in-time copy
===== Backup Architecture =====
**Primary Backup Solution (Backrest):**
```yaml
services:
backrest:
image: ghcr.io/garethflowers/docker-backrest:latest
volumes:
- ./config/backrest:/config
- /mnt/backups:/backups
- /opt/stacks:/opt/stacks:ro
- /mnt:/mnt:ro
environment:
- BACKREST_CONFIG=/config/config.yml
- BACKREST_SCHEDULE=0 0 * * *
```
**Alternative Solution (Duplicati):**
```yaml
services:
duplicati:
image: lscr.io/linuxserver/duplicati:latest
volumes:
- duplicati-config:/config
- duplicati-source:/source:ro
- duplicati-backup:/backup
```
===== Backup Categories =====
**Configuration Backups:**
* **Source**: `/opt/stacks/*/`
* **Frequency**: Daily
* **Retention**: 30 days
* **Type**: Incremental
* **Critical**: Yes (service definitions)
**User Data Backups:**
* **Source**: `/mnt/media/`, `/mnt/nextcloud/`
* **Frequency**: Daily
* **Retention**: 90 days
* **Type**: Incremental
* **Critical**: Yes (user files)
**Database Backups:**
* **Source**: Named Docker volumes
* **Frequency**: Hourly
* **Retention**: 7 days
* **Type**: Snapshot
* **Critical**: Yes (application data)
**SSL Certificate Backups:**
* **Source**: `/opt/stacks/core/traefik/acme.json`
* **Frequency**: After renewal
* **Retention**: 1 year
* **Type**: Full
* **Critical**: Yes (HTTPS access)
===== Backup Configuration =====
**Backrest Configuration:**
```yaml
version: 1
schedule: "0 2 * * *" # Daily at 2 AM
repositories:
- path: "/backups/local"
retention: "30d"
- path: "/backups/remote"
retention: "90d"
backups:
- name: "stacks-config"
paths:
- "/opt/stacks"
exclude:
- "*.log"
- "*/cache/*"
- name: "user-data"
paths:
- "/mnt/media"
- "/mnt/nextcloud"
exclude:
- "*/temp/*"
- "*/cache/*"
```
**Duplicati Configuration:**
* **Source**: Local directories
* **Destination**: Local/network/cloud storage
* **Encryption**: AES-256
* **Compression**: ZIP
* **Deduplication**: Block-level
===== Storage Destinations =====
**Local Storage:**
* **Path**: `/mnt/backups/`
* **Type**: External HDD/SSD
* **Encryption**: Filesystem level
* **Access**: Direct mount
**Network Storage:**
* **Protocol**: NFS/SMB/CIFS
* **Location**: NAS device
* **Redundancy**: RAID protection
* **Security**: VPN access
**Cloud Storage:**
* **Providers**: AWS S3, Backblaze B2, Google Cloud
* **Encryption**: Client-side
* **Cost**: Pay for storage used
* **Access**: Internet connection
**Offsite Storage:**
* **Location**: Different geographic location
* **Transport**: Encrypted drives
* **Frequency**: Weekly rotation
* **Security**: Physical security
===== Encryption & Security =====
**Encryption Methods:**
* **Symmetric**: AES-256-GCM
* **Asymmetric**: RSA key pairs
* **Key Management**: Secure key storage
* **Key Rotation**: Regular key updates
**Security Measures:**
* **Access Control**: Restricted backup access
* **Network Security**: VPN for remote backups
* **Integrity Checks**: SHA-256 verification
* **Audit Logging**: Backup operation logs
===== Automation & Scheduling =====
**Cron Schedules:**
```bash
# Daily backups at 2 AM
0 2 * * * /usr/local/bin/backrest backup
# Weekly full backup on Sunday
0 3 * * 0 /usr/local/bin/backrest backup --full
# Monthly archive
0 4 1 * * /usr/local/bin/backrest archive
```
**Monitoring:**
* **Success/Failure**: Email notifications
* **Size Tracking**: Storage usage monitoring
* **Performance**: Backup duration tracking
* **Health Checks**: Integrity verification
===== Recovery Procedures =====
**File-Level Recovery:**
```bash
# List snapshots
restic snapshots
# Restore specific file
restic restore latest --target /tmp/restore --path /opt/stacks/config.yml
# Restore to original location
restic restore latest --target / --path /opt/stacks
```
**Volume Recovery:**
```bash
# Stop service
docker compose down
# Restore volume
docker run --rm -v restored-volume:/data -v /backups:/backup busybox tar xzf /backup/volume.tar.gz -C /
# Restart service
docker compose up -d
```
**System Recovery:**
1. **Boot from installation media**
2. **Restore base system**
3. **Install Docker**
4. **Restore configurations**
5. **Restore user data**
6. **Verify services**
===== Testing & Validation =====
**Regular Testing:**
* **Monthly**: File restoration tests
* **Quarterly**: Volume recovery tests
* **Annually**: Full system recovery
* **After Changes**: Configuration updates
**Validation Checks:**
```bash
# Verify backup integrity
restic check
# List backup contents
restic ls latest
# Compare file counts
find /original -type f | wc -l
restic ls latest | wc -l
```
**Performance Monitoring:**
* **Backup Duration**: Track completion times
* **Success Rate**: Monitor failure rates
* **Storage Growth**: Track backup size trends
* **Recovery Time**: Measure restoration speed
===== Disaster Recovery =====
**Disaster Scenarios:**
* **Hardware Failure**: Drive/server replacement
* **Data Corruption**: File system damage
* **Cyber Attack**: Ransomware recovery
* **Site Disaster**: Complete site loss
**Recovery Strategies:**
* **Cold Standby**: Pre-configured backup server
* **Cloud Recovery**: Infrastructure as Code
* **Data Center**: Professional recovery services
* **Insurance**: Cyber liability coverage
**Business Continuity:**
* **Critical Services**: < 1 hour RTO
* **Important Services**: < 4 hours RTO
* **Standard Services**: < 24 hours RTO
* **Acceptable Data Loss**: < 1 hour RPO
===== Cost Optimization =====
**Storage Costs:**
* **Local**: Low initial cost, high maintenance
* **Network**: Medium cost, shared resources
* **Cloud**: Pay-as-you-go, scalable
* **Offsite**: Security vs accessibility trade-off
**Optimization Strategies:**
* **Compression**: Reduce storage requirements
* **Deduplication**: Eliminate redundant data
* **Tiering**: Move old data to cheaper storage
* **Retention Policies**: Delete unnecessary backups
===== Compliance & Auditing =====
**Regulatory Requirements:**
* **Data Retention**: Industry-specific rules
* **Encryption Standards**: FIPS compliance
* **Access Logging**: Audit trail requirements
* **Testing Frequency**: Regulatory testing schedules
**Audit Procedures:**
* **Backup Logs**: Operation history
* **Access Logs**: Who accessed backups
* **Change Logs**: Configuration changes
* **Test Results**: Recovery test documentation
**Documentation:**
* **Procedures**: Step-by-step recovery guides
* **Contacts**: Emergency contact information
* **Dependencies**: Required resources and access
* **Testing**: Regular test schedules and results
This backup strategy ensures your homelab data remains protected and recoverable in any scenario.
**Next:** Explore [[services:start|Service Management]] or learn about [[development:start|Contributing]].

329
config-templates/dokuwiki/data/pages/architecture/networking.txt
View File

@@ -1,329 +0,0 @@
====== Network Architecture ======
The AI-Homelab uses a sophisticated network architecture designed for security, performance, and scalability.
===== Network Topology =====
```
Internet
[Router/Firewall]
├── Port 80 (HTTP) → Traefik (Let's Encrypt)
├── Port 443 (HTTPS) → Traefik (SSL Termination)
└── Port 22 (SSH) → Server (Management)
[DuckDNS] Dynamic DNS
[Traefik] Reverse Proxy
├── Authelia SSO Middleware
├── Service Routing
└── SSL Termination
[Docker Networks]
├── traefik-network (Web Services)
├── homelab-network (Internal)
├── media-network (Media Services)
└── service-specific networks
```
===== Docker Networks =====
**traefik-network (Primary):**
* **Purpose**: All web-accessible services
* **Driver**: Bridge
* **IP Range**: 172.20.0.0/16
* **External Access**: Yes (via Traefik)
**homelab-network (Internal):**
* **Purpose**: Internal service communication
* **Driver**: Bridge
* **IP Range**: 172.21.0.0/16
* **External Access**: No
**media-network:**
* **Purpose**: Media service isolation
* **Driver**: Bridge
* **IP Range**: 172.22.0.0/16
* **External Access**: Via Traefik
**dockerproxy-network:**
* **Purpose**: Docker socket proxy
* **Driver**: Bridge
* **Security**: Restricted access
===== Traefik Routing =====
**Entry Points:**
```yaml
entryPoints:
web:
address: ":80"
http:
redirections:
entryPoint:
to: websecure
scheme: https
websecure:
address: ":443"
http:
tls:
certResolver: letsencrypt
```
**Router Configuration:**
```yaml
http:
routers:
service-router:
rule: "Host(`service.yourdomain.duckdns.org`)"
entryPoints:
- websecure
service: service-name
tls:
certResolver: letsencrypt
middlewares:
- authelia@docker
```
**Service Discovery:**
```yaml
http:
services:
service-name:
loadBalancer:
servers:
- url: "http://container-name:port"
```
===== SSL/TLS Configuration =====
**Certificate Resolver:**
```yaml
certificatesResolvers:
letsencrypt:
acme:
email: your-email@example.com
storage: /acme.json
dnsChallenge:
provider: duckdns
delayBeforeCheck: 30
```
**Wildcard Certificate:**
* **Domain**: `*.yourdomain.duckdns.org`
* **Provider**: Let's Encrypt
* **Challenge**: DNS-01 (DuckDNS)
* **Validity**: 90 days
* **Renewal**: Automatic
**Security Headers:**
```yaml
middlewares:
security-headers:
headers:
stsSeconds: 31536000
stsIncludeSubdomains: true
stsPreload: true
forceSTSHeader: true
contentTypeNosniff: true
browserXssFilter: true
referrerPolicy: "strict-origin-when-cross-origin"
permissionsPolicy: "geolocation=(), microphone=(), camera=()"
```
===== Authelia Integration =====
**SSO Middleware:**
```yaml
middlewares:
authelia:
forwardAuth:
address: "http://authelia:9091/api/verify?rd=https://auth.yourdomain.duckdns.org/"
trustForwardHeader: true
authResponseHeaders:
- "Remote-User"
- "Remote-Groups"
- "Remote-Name"
- "Remote-Email"
```
**Access Control Rules:**
```yaml
access_control:
default_policy: deny
rules:
- domain: "*.yourdomain.duckdns.org"
policy: two_factor
- domain: "jellyfin.yourdomain.duckdns.org"
policy: bypass
- domain: "plex.yourdomain.duckdns.org"
policy: bypass
```
===== VPN Integration =====
**Gluetun Network Mode:**
```yaml
services:
qbittorrent:
network_mode: "service:gluetun"
depends_on:
- gluetun
```
**Port Mapping:**
```yaml
gluetun:
ports:
- "8080:8080" # qBittorrent Web UI
- "6881:6881" # Torrent port
- "6881:6881/udp"
```
**VPN Routing:**
* **Provider**: Surfshark (configurable)
* **Protocol**: WireGuard/OpenVPN
* **Kill Switch**: Prevents IP leaks
* **Port Forwarding**: Automatic
===== Firewall Configuration =====
**UFW Rules (Automatic):**
```bash
# Allow SSH
sudo ufw allow ssh
# Allow HTTP/HTTPS
sudo ufw allow 80
sudo ufw allow 443
# Enable firewall
sudo ufw enable
# Default deny
sudo ufw default deny incoming
sudo ufw default allow outgoing
```
**Docker Security:**
* **No privileged containers**
* **Non-root user execution**
* **Minimal port exposure**
* **Network isolation**
===== External Service Proxying =====
**Traefik File Provider:**
```yaml
http:
routers:
external-service:
rule: "Host(`external.yourdomain.duckdns.org`)"
service: external-service
middlewares:
- authelia@docker
services:
external-service:
loadBalancer:
servers:
- url: "http://192.168.1.100:8123"
```
**Use Cases:**
* **Home Assistant** on Raspberry Pi
* **NAS devices** (TrueNAS, Unraid)
* **Network printers** and IoT devices
* **Legacy applications**
===== DNS Configuration =====
**DuckDNS Setup:**
* **Update Interval**: Every 5 minutes
* **API Token**: Stored in `.env`
* **Domains**: yourdomain.duckdns.org
* **Wildcard**: *.yourdomain.duckdns.org
**Pi-hole Integration:**
* **Upstream DNS**: Quad9, Cloudflare
* **Ad Blocking**: Enabled
* **Local DNS**: Service discovery
* **DHCP**: Optional
===== Network Troubleshooting =====
**Connectivity Issues:**
```bash
# Check network connectivity
ping -c 4 8.8.8.8
# Test DNS resolution
nslookup yourdomain.duckdns.org
# Check port forwarding
curl -I http://your-external-ip
```
**Docker Network Issues:**
```bash
# List networks
docker network ls
# Inspect network
docker network inspect traefik-network
# Check container connectivity
docker exec container-name ping traefik
```
**SSL Certificate Problems:**
```bash
# Check certificate
echo | openssl s_client -connect yourdomain.duckdns.org:443 -servername service.yourdomain.duckdns.org 2>/dev/null | openssl x509 -noout -subject -dates
# View Traefik logs
docker logs traefik | grep certificate
```
**Authelia Issues:**
```bash
# Check Authelia logs
docker logs authelia
# Test authentication
curl -k https://auth.yourdomain.duckdns.org/api/state
```
===== Performance Optimization =====
**Connection Pooling:**
* **Keep-Alive**: Persistent connections
* **Connection Reuse**: Reduce overhead
* **Load Balancing**: Distribute traffic
**Caching:**
* **Browser Caching**: Static assets
* **Reverse Proxy**: Dynamic content
* **DNS Caching**: Pi-hole
**Compression:**
* **Gzip**: Text compression
* **Brotli**: Advanced compression
* **Media**: No compression (already compressed)
===== Monitoring =====
**Network Monitoring:**
* **Traefik Dashboard**: Routing metrics
* **Authelia Logs**: Authentication events
* **Pi-hole Stats**: DNS queries
* **Uptime Kuma**: Service availability
**Traffic Analysis:**
* **Request Logs**: Access patterns
* **Error Rates**: Service health
* **Response Times**: Performance metrics
* **Bandwidth Usage**: Network utilization
This network architecture provides secure, efficient, and scalable connectivity for all homelab services.
**Next:** Learn about [[architecture:security|Security Architecture]] or [[architecture:storage|Storage Strategy]].

298
config-templates/dokuwiki/data/pages/architecture/overview.txt
View File

@@ -1,298 +0,0 @@
====== System Architecture ======
The AI-Homelab is built on a production-ready, scalable architecture designed for reliability, security, and ease of management.
===== Core Principles =====
**Infrastructure as Code:**
* All services defined in Docker Compose files
* Configuration managed through YAML files
* Version control with Git
* Reproducible deployments
**Security First:**
* SSO protection for admin interfaces
* Automatic HTTPS with Let's Encrypt
* VPN routing for downloads
* Network isolation and segmentation
**Scalability:**
* Resource limits prevent exhaustion
* Lazy loading reduces resource usage
* Modular service architecture
* Easy addition of new services
**Observability:**
* Comprehensive logging
* Metrics collection
* Health monitoring
* Alerting capabilities
===== Network Architecture =====
```
Internet
[Router] Port Forwarding (80, 443)
[DuckDNS] Dynamic DNS Updates
[Traefik] Reverse Proxy + SSL Termination
[Authelia] SSO Authentication
[Docker Services] Isolated Containers
```
**Network Layers:**
**External Access:**
* **DuckDNS**: Dynamic DNS service
* **Port Forwarding**: 80/443 to Traefik
* **SSL Termination**: Wildcard certificate
**Reverse Proxy:**
* **Traefik**: Routes traffic to services
* **Authelia**: SSO middleware
* **Load Balancing**: Service discovery
**Service Networks:**
* **traefik-network**: All web services
* **homelab-network**: Internal communication
* **media-network**: Media services
* **isolated networks**: Security segmentation
===== Service Architecture =====
**Core Stack (Essential Infrastructure):**
* **DuckDNS**: DNS updates every 5 minutes
* **Traefik**: HTTP routing and SSL
* **Authelia**: Authentication and authorization
* **Gluetun**: VPN client for downloads
* **Sablier**: Lazy loading service
**Infrastructure Stack:**
* **Dockge**: Primary management interface
* **Pi-hole**: Network-wide DNS and ad blocking
* **Dozzle**: Live Docker log viewer
* **Glances**: System resource monitoring
**Service Categories:**
**Media Services:**
* **Jellyfin/Plex**: Media servers with transcoding
* **qBittorrent**: Torrent client (VPN routed)
* **Sonarr/Radarr**: Download automation
* **Prowlarr**: Indexer management
**Productivity Services:**
* **Nextcloud**: File synchronization
* **Gitea**: Git service and CI/CD
* **BookStack**: Documentation platform
* **WordPress**: Blogging platform
**Monitoring & Observability:**
* **Grafana**: Dashboard and visualization
* **Prometheus**: Metrics collection
* **Uptime Kuma**: Status monitoring
* **Loki**: Log aggregation
===== Storage Architecture =====
**Configuration Storage:**
```
/opt/stacks/
├── core/ # Core infrastructure
├── infrastructure/ # Management tools
├── media/ # Media services
├── productivity/ # Office tools
└── monitoring/ # Observability
```
**Data Storage Strategy:**
**Small Data (< 50GB):**
* **Location**: `/opt/stacks/stack-name/config/`
* **Type**: Bind mounts
* **Backup**: Included in configuration backups
**Large Data (> 50GB):**
* **Location**: `/mnt/media/`, `/mnt/downloads/`, `/mnt/backups/`
* **Type**: External mounts
* **Backup**: Separate backup strategies
**Database Storage:**
* **Type**: Named Docker volumes
* **Location**: Docker managed
* **Backup**: Volume snapshots
===== Security Architecture =====
**Authentication & Authorization:**
**Authelia SSO:**
* **Protocol**: SAML, OpenID Connect
* **Storage**: File-based user database
* **2FA**: TOTP, WebAuthn support
* **Policies**: Domain-based access control
**Service Authentication:**
* **Admin Services**: Authelia protected
* **Media Services**: Bypass for app compatibility
* **APIs**: Token-based authentication
**Network Security:**
* **Firewall**: UFW with minimal ports
* **SSL/TLS**: End-to-end encryption
* **VPN**: Download traffic protection
* **Isolation**: Docker network segmentation
===== Deployment Architecture =====
**Two-Phase Deployment:**
**Phase 1: Setup**
```bash
sudo ./scripts/setup-homelab.sh
```
* System preparation
* Docker installation
* Authelia configuration
* Infrastructure setup
**Phase 2: Deployment**
```bash
sudo ./scripts/deploy-homelab.sh
```
* Core stack deployment
* SSL certificate generation
* Infrastructure services
* Health verification
**Service Deployment:**
* **Dockge**: Web-based stack management
* **Manual**: Docker Compose commands
* **Automated**: CI/CD pipelines
===== Resource Management =====
**Resource Limits:**
```yaml
deploy:
resources:
limits:
cpus: '2.0'
memory: 4G
reservations:
cpus: '0.5'
memory: 1G
```
**Resource Allocation Strategy:**
* **Core Services**: Minimal resources (0.1-0.5 CPU, 64MB-256MB RAM)
* **Web Services**: Moderate resources (1-2 CPU, 1-4GB RAM)
* **Media Services**: High resources (2-4 CPU, 4-8GB RAM)
* **Background Services**: Variable based on workload
**Lazy Loading:**
* **Sablier**: On-demand service startup
* **Resource Savings**: 50-80% reduction in idle usage
* **Automatic Scaling**: Services start when accessed
===== Monitoring Architecture =====
**Metrics Collection:**
* **Prometheus**: Time-series metrics
* **Node Exporter**: System metrics
* **cAdvisor**: Container metrics
* **Custom Exporters**: Service-specific metrics
**Logging:**
* **Dozzle**: Real-time log viewer
* **Loki**: Log aggregation
* **Promtail**: Log shipping
* **Structured Logging**: JSON format
**Alerting:**
* **Uptime Kuma**: Service availability
* **Grafana**: Threshold-based alerts
* **Email/SMS**: Notification channels
===== Backup Architecture =====
**Backup Strategy:**
* **Backrest**: Primary backup solution (Restic)
* **Duplicati**: Alternative encrypted backups
* **Automated**: Scheduled backups
* **Encrypted**: AES-256 encryption
**Backup Types:**
* **Configuration**: `/opt/stacks/` directories
* **User Data**: Service volumes and mounts
* **SSL Certificates**: `/opt/stacks/core/traefik/acme.json`
* **Databases**: Volume snapshots
**Recovery:**
* **Point-in-time**: Versioned backups
* **Bare metal**: Complete system recovery
* **Service-level**: Individual service restoration
===== High Availability =====
**Redundancy:**
* **Load Balancing**: Traefik distributes traffic
* **Health Checks**: Automatic service monitoring
* **Failover**: Automatic service restart
* **Backups**: Multiple backup locations
**Scalability:**
* **Horizontal**: Multiple service instances
* **Vertical**: Resource scaling
* **Storage**: Distributed storage options
* **Network**: High-bandwidth connections
===== Development Architecture =====
**AI Integration:**
* **GitHub Copilot**: Intelligent assistance
* **Copilot Instructions**: Context-aware guidance
* **Automated Configuration**: AI-generated compose files
* **Documentation**: AI-maintained wiki
**Version Control:**
* **Git**: Source code management
* **Branches**: Feature development
* **Tags**: Release versioning
* **CI/CD**: Automated testing and deployment
===== Performance Optimization =====
**Caching:**
* **Browser Caching**: Static asset optimization
* **Database Caching**: Query result caching
* **CDN**: Content delivery networks
* **Reverse Proxy**: Traefik caching
**Optimization Techniques:**
* **Compression**: Gzip/Brotli compression
* **Minification**: Asset optimization
* **Lazy Loading**: On-demand resource loading
* **Connection Pooling**: Database optimization
===== Compliance & Governance =====
**Security Standards:**
* **SSL/TLS**: Industry standard encryption
* **Access Control**: Least privilege principle
* **Audit Logging**: Comprehensive activity logs
* **Regular Updates**: Security patch management
**Data Protection:**
* **Encryption**: Data at rest and in transit
* **Backup Encryption**: Secure offsite storage
* **Privacy**: Minimal data collection
* **Retention**: Configurable data lifecycle
This architecture provides a solid foundation for a production-ready homelab that can scale with your needs while maintaining security and reliability.
**Next:** Learn about [[architecture:networking|Network Architecture]] or explore [[services:start|Available Services]].

299
config-templates/dokuwiki/data/pages/architecture/security.txt
View File

@@ -1,299 +0,0 @@
====== Security Architecture ======
The AI-Homelab implements a comprehensive security model based on defense in depth, zero trust principles, and industry best practices.
===== Security Principles =====
**Defense in Depth:**
* **Multiple Layers**: Network, application, and data security
* **Fail-Safe Defaults**: Secure by default, explicit opt-out
* **Least Privilege**: Minimal required permissions
* **Continuous Monitoring**: Real-time threat detection
**Zero Trust:**
* **Never Trust**: Verify every access request
* **Assume Breach**: Design for compromised systems
* **Micro-Segmentation**: Isolate services and data
* **Continuous Verification**: Ongoing authentication
**Compliance:**
* **Data Protection**: Encryption at rest and in transit
* **Access Control**: Role-based and attribute-based access
* **Audit Logging**: Comprehensive activity tracking
* **Regular Updates**: Security patch management
===== Authentication & Authorization =====
**Authelia SSO System:**
**Architecture:**
* **Protocol**: OpenID Connect, SAML 2.0
* **Storage**: File-based user database
* **Session Management**: Secure JWT tokens
* **Multi-Factor**: TOTP, WebAuthn, Push notifications
**User Management:**
```yaml
users:
admin:
displayname: Administrator
password: $argon2id$...
email: admin@yourdomain.duckdns.org
groups:
- admins
- dev
```
**Access Policies:**
```yaml
access_control:
default_policy: deny
rules:
# Admin services require 2FA
- domain: "*.yourdomain.duckdns.org"
policy: two_factor
subject:
- "group:admins"
# Media services bypass SSO
- domain: "jellyfin.yourdomain.duckdns.org"
policy: bypass
# API access with tokens
- domain: "*.yourdomain.duckdns.org"
policy: one_factor
resources:
- "^/api/.*"
```
**Session Security:**
* **Expiration**: 8 hour sessions
* **Inactivity Timeout**: 10 minute timeout
* **Secure Cookies**: HttpOnly, Secure, SameSite
* **CSRF Protection**: Token-based validation
===== SSL/TLS Encryption =====
**Certificate Management:**
* **Authority**: Let's Encrypt (trusted CA)
* **Type**: Wildcard ECDSA certificate
* **Domains**: *.yourdomain.duckdns.org
* **Renewal**: Automatic (30 days before expiry)
**SSL Configuration:**
```yaml
tls:
certificates:
- certFile: /ssl/cert.pem
keyFile: /ssl/private.key
options:
default:
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
sniStrict: true
```
**Security Headers:**
```yaml
headers:
# Prevent clickjacking
customResponseHeaders:
X-Frame-Options: "SAMEORIGIN"
X-Content-Type-Options: "nosniff"
Referrer-Policy: "strict-origin-when-cross-origin"
Permissions-Policy: "geolocation=(), microphone=(), camera=()"
# HSTS (HTTP Strict Transport Security)
stsSeconds: 31536000
stsIncludeSubdomains: true
stsPreload: true
```
===== Network Security =====
**Firewall Configuration:**
* **UFW**: Uncomplicated Firewall
* **Default Policy**: Deny all incoming
* **Allowed Ports**: 22 (SSH), 80 (HTTP), 443 (HTTPS)
* **Docker Isolation**: Container network segmentation
**Network Segmentation:**
* **traefik-network**: Web-facing services
* **homelab-network**: Internal services
* **media-network**: Media services
* **isolated-networks**: High-security services
**VPN Protection:**
* **Gluetun**: VPN client container
* **Provider**: Surfshark (configurable)
* **Protocol**: WireGuard (preferred)
* **Kill Switch**: Prevents IP leaks
===== Container Security =====
**Docker Security Best Practices:**
* **Non-root Users**: PUID/PGID environment variables
* **No Privileged Containers**: Minimal capabilities
* **Read-only Filesystems**: Where possible
* **Resource Limits**: CPU and memory constraints
**Security Scanning:**
```yaml
# Trivy vulnerability scanning
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
aquasec/trivy image your-image:latest
# Container security audit
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
docker/docker-bench-security
```
**Image Security:**
* **Official Images**: LinuxServer.io preferred
* **Version Pinning**: Specific version tags
* **SBOM**: Software Bill of Materials
* **Signature Verification**: Image signing
===== Data Protection =====
**Encryption at Rest:**
* **SSL Certificates**: Encrypted storage
* **User Data**: Service-specific encryption
* **Backups**: AES-256 encryption
* **Secrets**: Environment variable protection
**Encryption in Transit:**
* **HTTPS**: End-to-end encryption
* **API Communication**: TLS 1.2+
* **Database Connections**: SSL/TLS
* **VPN Tunneling**: WireGuard/OpenVPN
**Data Classification:**
* **Public**: No encryption required
* **Internal**: TLS encryption
* **Sensitive**: Additional encryption layers
* **Critical**: Multi-layer encryption
===== Access Control =====
**Role-Based Access Control (RBAC):**
```yaml
# Authelia groups
groups:
admins:
- admin
users:
- user1
- user2
media:
- family
```
**Service-Level Permissions:**
* **Nextcloud**: User and group permissions
* **Gitea**: Repository access control
* **Grafana**: Dashboard permissions
* **API Keys**: Scoped access tokens
**Network Access Control:**
* **IP Whitelisting**: Restrict by IP address
* **Geo-blocking**: Country-based restrictions
* **Rate Limiting**: Prevent brute force attacks
* **Fail2Ban**: SSH protection
===== Monitoring & Auditing =====
**Security Monitoring:**
* **Authentication Logs**: Authelia events
* **Access Logs**: Traefik requests
* **System Logs**: Docker and system events
* **Intrusion Detection**: Pattern matching
**Audit Logging:**
```yaml
# Loki log aggregation
scrape_configs:
- job_name: 'authelia'
static_configs:
- targets: ['authelia:9091']
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
- target_label: __address__
replacement: localhost:3100
```
**Alerting:**
* **Failed Logins**: Brute force detection
* **Certificate Expiry**: SSL renewal warnings
* **Service Downtime**: Availability monitoring
* **Security Events**: Suspicious activity
===== Threat Mitigation =====
**Common Threats:**
* **Brute Force**: Rate limiting, 2FA
* **SQL Injection**: Parameterized queries
* **XSS**: Content Security Policy
* **CSRF**: Token validation
**Incident Response:**
1. **Detection**: Monitoring alerts
2. **Assessment**: Determine impact
3. **Containment**: Isolate affected systems
4. **Recovery**: Restore from backups
5. **Lessons Learned**: Update policies
**Backup Security:**
* **Encryption**: AES-256-GCM
* **Integrity**: SHA-256 checksums
* **Retention**: Configurable policies
* **Testing**: Regular restoration tests
===== Compliance & Governance =====
**Security Standards:**
* **OWASP**: Web application security
* **NIST**: Cybersecurity framework
* **ISO 27001**: Information security
* **GDPR**: Data protection
**Regular Assessments:**
* **Vulnerability Scanning**: Weekly
* **Penetration Testing**: Monthly
* **Security Audits**: Quarterly
* **Compliance Reviews**: Annual
**Documentation:**
* **Security Policies**: Access and usage rules
* **Incident Response**: Procedures and contacts
* **Change Management**: Update procedures
* **Training**: Security awareness
===== Advanced Security =====
**Zero Trust Network Access (ZTNA):**
* **Identity-Based**: User and device verification
* **Context-Aware**: Risk-based access
* **Micro-Segmentation**: Service isolation
* **Continuous Monitoring**: Real-time assessment
**Secrets Management:**
* **Environment Variables**: Runtime secrets
* **Docker Secrets**: Swarm mode secrets
* **External Vaults**: HashiCorp Vault integration
* **Key Rotation**: Automatic secret renewal
**Intrusion Detection:**
* **Network IDS**: Traffic analysis
* **Host IDS**: System monitoring
* **Log Analysis**: Pattern detection
* **SIEM Integration**: Centralized logging
This security architecture provides comprehensive protection for your homelab while maintaining usability and performance.
**Next:** Learn about [[architecture:storage|Storage Strategy]] or [[architecture:backup|Backup Strategy]].

291
config-templates/dokuwiki/data/pages/architecture/storage.txt
View File

@@ -1,291 +0,0 @@
====== Storage Architecture ======
The AI-Homelab implements a comprehensive storage strategy designed for performance, reliability, and scalability.
===== Storage Principles =====
**Data Classification:**
* **Configuration**: Application settings and metadata
* **User Data**: Files, documents, media
* **System Data**: Logs, caches, temporary files
* **Backup Data**: Archived copies and snapshots
**Storage Tiers:**
* **Hot**: Frequently accessed data (SSD)
* **Warm**: Regularly accessed data (HDD)
* **Cold**: Archive data (external storage)
* **Offline**: Long-term retention (tape/offsite)
**Performance Optimization:**
* **Caching**: In-memory data acceleration
* **Compression**: Storage space optimization
* **Deduplication**: Eliminate redundant data
* **Tiering**: Automatic data placement
===== Directory Structure =====
**System Storage (/opt/stacks/):**
```
/opt/stacks/
├── core/ # Core infrastructure
│ ├── traefik/ # Reverse proxy config
│ ├── authelia/ # SSO configuration
│ ├── duckdns/ # DNS updater
│ └── gluetun/ # VPN client
├── infrastructure/ # Management tools
├── media/ # Media services
├── productivity/ # Office applications
├── monitoring/ # Observability stack
└── utilities/ # Helper services
```
**Data Storage (/mnt/):**
```
/mnt/
├── media/ # Movies, TV, music
│ ├── movies/
│ ├── tv/
│ └── music/
├── downloads/ # Torrent downloads
│ ├── complete/
│ └── incomplete/
├── backups/ # Backup archives
├── nextcloud/ # Cloud storage
├── git/ # Git repositories
└── surveillance/ # Camera footage
```
===== Docker Storage =====
**Volume Types:**
**Named Volumes (Managed):**
```yaml
volumes:
database-data:
driver: local
```
* **Pros**: Docker managed, portable, backup-friendly
* **Cons**: Less direct access, filesystem overhead
* **Use**: Databases, application data
**Bind Mounts (Direct):**
```yaml
volumes:
- ./config:/config
- /mnt/media:/media
```
* **Pros**: Direct filesystem access, performance
* **Cons**: Host-dependent, permission management
* **Use**: Configuration, large media files
**tmpfs (Memory):**
```yaml
tmpfs:
- /tmp/cache
```
* **Pros**: High performance, automatic cleanup
* **Cons**: Volatile, memory usage
* **Use**: Caches, temporary files
**Storage Drivers:**
* **overlay2**: Modern union filesystem
* **btrfs**: Advanced features (snapshots, compression)
* **zfs**: Enterprise-grade (snapshots, deduplication)
===== Service Storage Patterns =====
**Configuration Storage:**
```yaml
services:
service-name:
volumes:
- ./config/service-name:/config
- service-data:/data
```
* **Config**: Bind mount in stack directory
* **Data**: Named volume for persistence
* **Permissions**: PUID/PGID for access control
**Media Storage:**
```yaml
services:
jellyfin:
volumes:
- ./config/jellyfin:/config
- jellyfin-cache:/cache
- /mnt/media:/media:ro
- /mnt/transcode:/transcode
```
* **Media**: Read-only external mount
* **Transcode**: Temporary processing space
* **Cache**: Named volume for performance
**Database Storage:**
```yaml
services:
postgres:
volumes:
- postgres-data:/var/lib/postgresql/data
environment:
- POSTGRES_DB=homelab
- POSTGRES_USER=homelab
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
```
* **Data**: Named volume for persistence
* **Backups**: Volume snapshots
* **Performance**: Proper indexing
===== Backup Storage =====
**Backrest (Primary):**
```yaml
services:
backrest:
volumes:
- ./config/backrest:/config
- /mnt/backups:/backups
- /opt/stacks:/opt/stacks:ro
- /mnt:/mnt:ro
```
* **Repository**: Local and remote storage
* **Encryption**: AES-256-GCM
* **Deduplication**: Space-efficient
* **Snapshots**: Point-in-time recovery
**Duplicati (Alternative):**
```yaml
services:
duplicati:
volumes:
- duplicati-config:/config
- duplicati-source:/source:ro
- duplicati-backup:/backup
```
* **Frontend**: Web-based interface
* **Destinations**: Multiple cloud providers
* **Encryption**: Built-in encryption
* **Scheduling**: Automated backups
===== Performance Optimization =====
**Filesystem Choice:**
* **ext4**: General purpose, reliable
* **btrfs**: Snapshots, compression, RAID
* **ZFS**: Advanced features, data integrity
* **XFS**: High performance, large files
**RAID Configuration:**
* **RAID 1**: Mirroring (2 drives)
* **RAID 5**: Striping with parity (3+ drives)
* **RAID 10**: Mirroring + striping (4+ drives)
* **RAID Z**: ZFS software RAID
**Caching Strategies:**
* **Page Cache**: OS-level caching
* **Application Cache**: Service-specific caching
* **CDN**: Content delivery networks
* **Reverse Proxy**: Traefik caching
===== Monitoring & Maintenance =====
**Storage Monitoring:**
```bash
# Disk usage
df -h
# Docker storage
docker system df
# Volume usage
docker volume ls
docker volume inspect volume-name
```
**Maintenance Tasks:**
* **Cleanup**: Remove unused volumes and images
* **Defragmentation**: Filesystem optimization
* **SMART Monitoring**: Drive health checks
* **Backup Verification**: Integrity testing
**Health Checks:**
* **Filesystem**: fsck, scrub operations
* **RAID**: Array status monitoring
* **SMART**: Drive error monitoring
* **Backup**: Restoration testing
===== Capacity Planning =====
**Storage Requirements:**
| Service | Typical Size | Growth Rate |
|---------|-------------|-------------|
| Nextcloud | 100GB+ | High (user files) |
| Jellyfin | 500GB+ | High (media library) |
| Gitea | 10GB+ | Medium (repositories) |
| Grafana | 5GB+ | Low (metrics) |
| Backups | 2x data size | Variable |
**Scaling Strategies:**
* **Vertical**: Larger drives, more RAM
* **Horizontal**: Multiple storage servers
* **Cloud**: Hybrid cloud storage
* **Archival**: Long-term retention solutions
===== Security Considerations =====
**Encryption:**
* **At Rest**: Filesystem encryption (LUKS)
* **In Transit**: TLS encryption
* **Backups**: Encrypted archives
* **Keys**: Secure key management
**Access Control:**
* **Permissions**: Proper file permissions
* **SELinux/AppArmor**: Mandatory access control
* **Network**: Isolated storage networks
* **Auditing**: Access logging
**Data Protection:**
* **RAID**: Redundancy protection
* **Snapshots**: Point-in-time copies
* **Backups**: Offsite copies
* **Testing**: Regular recovery tests
===== Disaster Recovery =====
**Recovery Strategies:**
* **File-level**: Individual file restoration
* **Volume-level**: Docker volume recovery
* **System-level**: Complete system restore
* **Bare-metal**: Full server recovery
**Business Continuity:**
* **RTO**: Recovery Time Objective
* **RPO**: Recovery Point Objective
* **Testing**: Regular DR exercises
* **Documentation**: Recovery procedures
**High Availability:**
* **Replication**: Data mirroring
* **Clustering**: Distributed storage
* **Load Balancing**: Access distribution
* **Failover**: Automatic switching
===== Migration Strategies =====
**Storage Migration:**
* **Live Migration**: Zero-downtime moves
* **Offline Migration**: Scheduled maintenance
* **Incremental**: Phased data movement
* **Verification**: Data integrity checks
**Technology Upgrades:**
* **Filesystem**: ext4 to btrfs/ZFS
* **RAID**: Hardware to software RAID
* **Storage**: Local to network storage
* **Cloud**: Hybrid cloud solutions
This storage architecture provides reliable, performant, and scalable data management for your homelab.
**Next:** Learn about [[architecture:backup|Backup Strategy]] or explore [[services:start|Service Management]].

3
config-templates/dokuwiki/data/pages/backup_recovery/start.txt
View File

@@ -1,3 +0,0 @@
====== Backup & Recovery ======
Coming soon...

3
config-templates/dokuwiki/data/pages/development/start.txt
View File

@@ -1,3 +0,0 @@
====== Development ======
Coming soon...

251
config-templates/dokuwiki/data/pages/getting_started/access.txt
View File

@@ -1,251 +0,0 @@
====== Access Services ======
After deployment, access your homelab services through secure HTTPS URLs.
===== Service URLs =====
All services are accessible at `https://service-name.yourdomain.duckdns.org`
| Category | Service | URL | Authentication | Purpose |
|----------|---------|-----|----------------|---------|
| **Management** | Dockge | `https://dockge.yourdomain.duckdns.org` | Authelia SSO | Stack management |
| **Management** | Homepage | `https://home.yourdomain.duckdns.org` | Authelia SSO | Service dashboard |
| **Security** | Authelia | `https://auth.yourdomain.duckdns.org` | Direct login | SSO authentication |
| **Infrastructure** | Traefik | `https://traefik.yourdomain.duckdns.org` | Authelia SSO | Reverse proxy dashboard |
| **Infrastructure** | Pi-hole | `http://pihole.yourdomain.duckdns.org` | Authelia SSO | DNS & ad blocking |
| **Infrastructure** | Dozzle | `https://dozzle.yourdomain.duckdns.org` | Authelia SSO | Log viewer |
| **Infrastructure** | Glances | `https://glances.yourdomain.duckdns.org` | Authelia SSO | System monitoring |
| **Media** | Jellyfin | `https://jellyfin.yourdomain.duckdns.org` | None (app access) | Media server |
| **Media** | Plex | `https://plex.yourdomain.duckdns.org` | None (app access) | Media server |
| **Media** | qBittorrent | `https://qbit.yourdomain.duckdns.org` | Authelia SSO | Torrent client |
| **Media Mgmt** | Sonarr | `https://sonarr.yourdomain.duckdns.org` | Authelia SSO | TV automation |
| **Media Mgmt** | Radarr | `https://radarr.yourdomain.duckdns.org` | Authelia SSO | Movie automation |
| **Productivity** | Nextcloud | `https://nextcloud.yourdomain.duckdns.org` | Authelia SSO | File sync |
| **Productivity** | Gitea | `https://git.yourdomain.duckdns.org` | Authelia SSO | Git service |
| **Productivity** | BookStack | `https://docs.yourdomain.duckdns.org` | Authelia SSO | Documentation |
| **Monitoring** | Grafana | `https://grafana.yourdomain.duckdns.org` | Authelia SSO | Dashboards |
| **Monitoring** | Prometheus | `https://prometheus.yourdomain.duckdns.org` | Authelia SSO | Metrics |
| **Monitoring** | Uptime Kuma | `https://status.yourdomain.duckdns.org` | Authelia SSO | Status monitoring |
| **Home Auto** | Home Assistant | `https://ha.yourdomain.duckdns.org` | None (built-in auth) | Home automation |
| **Utilities** | Backrest | `https://backrest.yourdomain.duckdns.org` | Authelia SSO | Backup management |
| **Development** | Code Server | `https://code.yourdomain.duckdns.org` | Authelia SSO | VS Code in browser |
===== Authentication =====
==== Authelia SSO (Single Sign-On) ====
**Protected Services:**
* Most admin interfaces require Authelia login
* One login grants access to all protected services
* Supports 2FA (Two-Factor Authentication)
**Login Process:**
1. Visit any protected service URL
2. Redirected to Authelia login page
3. Enter username and password
4. (Optional) Enter 2FA code
5. Redirected back to original service
**Default Credentials:**
* Username: `admin` (or custom from setup)
* Password: Secure password from setup
==== Service-Specific Authentication ====
**No SSO (Direct Access):**
* **Jellyfin/Plex**: Use service's built-in user management
* **Home Assistant**: Built-in authentication system
* **Nextcloud**: Can use Authelia or built-in auth
**VPN-Protected Services:**
* **qBittorrent**: Routes through Gluetun VPN
* Access via web UI after Authelia login
===== Security Features =====
==== SSL/TLS Encryption ====
**Wildcard Certificate:**
* Covers all `*.yourdomain.duckdns.org` subdomains
* Issued by Let's Encrypt (free)
* Automatic renewal every 90 days
* A+ SSL rating
**Certificate Details:**
* **Issuer**: Let's Encrypt Authority X3
* **Algorithm**: ECDSA P-256
* **Validity**: 90 days
* **Renewal**: Automatic via Traefik
==== Firewall Protection ====
**UFW Configuration:**
* Only ports 80, 443, and 22 (SSH) open
* All other ports blocked
* Docker containers isolated
**Network Security:**
* Services behind reverse proxy
* No direct container exposure
* VPN routing for downloads
==== Access Control ====
**Authelia Policies:**
* **One Factor**: Username + password
* **Two Factor**: Username + password + TOTP
* **Bypass**: No authentication required
**Default Policies:**
* Admin services: Two-factor recommended
* Media services: Bypass (app compatibility)
* Public services: Bypass when appropriate
===== First-Time Access =====
==== Configure Authelia ====
1. **Access Authelia:**
* URL: `https://auth.yourdomain.duckdns.org`
* Login with admin credentials
2. **Enable 2FA:**
* Go to **Settings** → **One-Time Password**
* Scan QR code with authenticator app
* Enter verification code
3. **Configure Access Rules:**
* Edit `/opt/stacks/core/authelia/configuration.yml`
* Modify access policies as needed
==== Set Up Homepage Dashboard ====
1. **Access Homepage:**
* URL: `https://home.yourdomain.duckdns.org`
2. **Initial Configuration:**
* Click settings icon (gear)
* Add deployed services
* Configure widgets
3. **API Integration:**
* Add API keys for enhanced widgets
* Configure service integrations
==== Test Service Access ====
**Verification Checklist:**
* [ ] Authelia login works
* [ ] Homepage loads correctly
* [ ] Dockge accessible
* [ ] SSL certificates valid
* [ ] No mixed content warnings
===== Troubleshooting Access =====
==== SSL Certificate Issues ====
**"Not Secure" warnings:**
* Wait 2-5 minutes after deployment
* Check DNS propagation: `nslookup yourdomain.duckdns.org`
* Verify ports 80/443 forwarded
* Check Traefik logs: `docker logs traefik`
**Certificate errors:**
```bash
# Check certificate status
echo | openssl s_client -connect yourdomain.duckdns.org:443 -servername dockge.yourdomain.duckdns.org 2>/dev/null | openssl x509 -noout -subject -dates
```
==== Authentication Problems ====
**Can't log in to Authelia:**
* Verify username/password
* Check 2FA setup
* Clear browser cache
* Check Authelia logs: `docker logs authelia`
**Redirect loops:**
* Check Traefik configuration
* Verify middleware labels
* Restart Traefik: `docker restart traefik`
==== Service Not Accessible ====
**404 errors:**
* Service not deployed
* Traefik route not configured
* Wrong subdomain
**Connection refused:**
* Service not running
* Port mapping issues
* Network connectivity problems
==== DNS Issues ====
**Domain not resolving:**
* Check DuckDNS configuration
* Verify token in `.env`
* Wait for DNS propagation
**Local network access:**
* Use internal IP for local access
* Configure local DNS overrides
===== Advanced Access =====
==== External Service Proxying ====
**Proxy non-Docker services:**
* Raspberry Pi Home Assistant
* NAS devices
* Other network services
**Configuration:**
* Add routes to `/opt/stacks/core/traefik/dynamic/external.yml`
* Include Authelia middleware
* Test connectivity
==== VPN Access ====
**Remote Access:**
* Configure VPN server (OpenVPN/WireGuard)
* Route traffic through VPN
* Access local services remotely
==== API Access ====
**Service APIs:**
* Most services expose REST APIs
* Use API keys for authentication
* Configure in Homepage widgets
===== Mobile Access =====
**Mobile Apps:**
* **Jellyfin/Plex**: Dedicated mobile apps
* **Nextcloud**: Mobile sync client
* **Home Assistant**: Mobile companion app
* **Bitwarden**: Password manager
**Browser Access:**
* All services work in mobile browsers
* Responsive design for most interfaces
* Authelia SSO works on mobile
===== Performance Optimization =====
**Loading Speed:**
* Enable HTTP/2 in Traefik
* Use CDN for static assets
* Optimize service configurations
**Resource Usage:**
* Monitor with Glances
* Set appropriate resource limits
* Use lazy loading for unused services
Ready to access your services? Start with the [[getting_started:security|Security Setup]] guide.
**Need help?** Check [[troubleshooting:networking|Network Troubleshooting]] or visit [[https://github.com/kelinfoxy/AI-Homelab/discussions|GitHub Discussions]].

284
config-templates/dokuwiki/data/pages/getting_started/deployment.txt
View File

@@ -1,284 +0,0 @@
====== Deployment ======
After setup, deploy your homelab services using Dockge or manual commands.
===== Using Dockge (Recommended) =====
**Access Dockge:**
* URL: `https://dockge.yourdomain.duckdns.org`
* Username: `admin` (or your custom username)
* Password: Your secure password from setup
**Deploy Services:**
1. Click **"Add Stack"** button
2. Choose **"From Docker Compose"**
3. Select a compose file from the repository
4. Click **"Deploy"**
5. Monitor deployment in the **"Logs"** tab
**Available Stacks:**
* `media.yml` - Media services (Jellyfin, qBittorrent)
* `media-management.yml` - Download automation (Sonarr, Radarr)
* `productivity.yml` - Office tools (Nextcloud, Gitea)
* `monitoring.yml` - Observability (Grafana, Prometheus)
* `homeassistant.yml` - Home automation
* `utilities.yml` - Backup and utilities
===== Manual Deployment =====
**Deploy Individual Stacks:**
```bash
# Navigate to repository
cd ~/AI-Homelab
# Deploy media services
docker compose -f docker-compose/media.yml up -d
# Deploy productivity stack
docker compose -f docker-compose/productivity.yml up -d
# Deploy monitoring
docker compose -f docker-compose/monitoring.yml up -d
```
**Check Deployment Status:**
```bash
# View all running containers
docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"
# Check specific stack
docker compose -f docker-compose/media.yml ps
# View logs
docker compose -f docker-compose/media.yml logs -f
```
===== Service Access =====
After deployment, services are available at:
| Category | Service | URL | Notes |
|----------|---------|-----|-------|
| **Media** | Jellyfin | `https://jellyfin.yourdomain.duckdns.org` | No SSO (app access) |
| **Media** | qBittorrent | `https://qbit.yourdomain.duckdns.org` | VPN protected |
| **Productivity** | Nextcloud | `https://nextcloud.yourdomain.duckdns.org` | File sync |
| **Productivity** | Gitea | `https://git.yourdomain.duckdns.org` | Git service |
| **Monitoring** | Grafana | `https://grafana.yourdomain.duckdns.org` | Dashboards |
| **Development** | Code Server | `https://code.yourdomain.duckdns.org` | VS Code in browser |
===== Post-Deployment Configuration =====
==== Configure Homepage Dashboard ====
1. Visit `https://home.yourdomain.duckdns.org`
2. Click settings (gear icon)
3. Add services to dashboard
4. Configure widgets with API keys
**Example Widgets:**
* System monitoring (CPU, RAM, disk)
* Service status checks
* Weather information
* Calendar integration
==== Set Up Backups ====
1. Deploy Backrest service
2. Configure backup schedules
3. Set up encryption
4. Test backup restoration
==== Configure Monitoring ====
1. Deploy Grafana and Prometheus
2. Import dashboards
3. Set up alerts
4. Configure data sources
===== Deployment Order =====
**Recommended Deployment Sequence:**
1. **Core** (deployed automatically)
- DuckDNS, Traefik, Authelia, Gluetun
2. **Infrastructure** (deployed automatically)
- Dockge, Pi-hole, Dozzle, Glances
3. **Dashboards** (deployed automatically)
- Homepage, Homarr
4. **Media Services**
- Jellyfin or Plex
- qBittorrent (VPN routing)
- Sonarr, Radarr, Prowlarr
5. **Productivity**
- Nextcloud, Gitea, BookStack
6. **Monitoring**
- Grafana, Prometheus, Uptime Kuma
7. **Home Automation**
- Home Assistant, Node-RED
===== Resource Management =====
**Monitor Resource Usage:**
```bash
# Check container resources
docker stats
# View system resources
docker run --rm -v /proc:/host/proc:ro --net=host codenvy/glances
# Check disk space
df -h /opt/stacks/
```
**Resource Limits Applied:**
* CPU limits prevent resource exhaustion
* Memory limits protect system stability
* Automatic cleanup of unused resources
===== Troubleshooting Deployment =====
==== Service Won't Start ====
**Check Logs:**
```bash
# View service logs
docker compose -f docker-compose/stack.yml logs service-name
# Follow logs in real-time
docker compose -f docker-compose/stack.yml logs -f service-name
```
**Common Issues:**
* Port conflicts
* Missing environment variables
* Network connectivity problems
* Insufficient resources
==== SSL Certificate Issues ====
**Check Certificate Status:**
```bash
# View Traefik logs
docker logs traefik | grep certificate
# Check certificate file
ls -la /opt/stacks/core/traefik/acme.json
```
**Certificate Problems:**
* DNS propagation delay (wait 5-10 minutes)
* DuckDNS token incorrect
* Ports 80/443 not forwarded
* Rate limiting (Let's Encrypt limits)
==== Network Issues ====
**Verify Networks:**
```bash
# List Docker networks
docker network ls
# Inspect traefik-network
docker network inspect traefik-network
```
**Network Troubleshooting:**
* Services not on correct network
* Firewall blocking traffic
* DNS resolution problems
==== Permission Issues ====
**Check File Permissions:**
```bash
# Check stack directory permissions
ls -la /opt/stacks/stack-name/
# Check Docker socket permissions
ls -la /var/run/docker.sock
```
**Fix Permissions:**
```bash
# Set correct ownership
sudo chown -R $USER:$USER /opt/stacks/stack-name/
# Add user to docker group
sudo usermod -aG docker $USER
```
===== Scaling and Customization =====
==== Add Custom Services ====
1. Create new compose file
2. Add Traefik labels for routing
3. Include Authelia middleware
4. Deploy via Dockge
==== Modify Existing Services ====
1. Edit compose file
2. Update environment variables
3. Redeploy service
4. Test functionality
==== Remove Services ====
```bash
# Stop and remove service
docker compose -f docker-compose/stack.yml down
# Remove with volumes
docker compose -f docker-compose/stack.yml down -v
# Clean up unused resources
docker system prune
```
===== Performance Optimization =====
**Hardware Acceleration:**
* Enable NVIDIA GPU for transcoding
* Use SSD storage for databases
* Configure appropriate CPU/memory limits
**Network Optimization:**
* Use wired connections when possible
* Configure QoS for media streaming
* Optimize DNS resolution
**Service Optimization:**
* Enable lazy loading for unused services
* Configure appropriate resource limits
* Use efficient Docker images
===== Backup and Recovery =====
**Regular Backups:**
* Configuration files in `/opt/stacks/`
* SSL certificates in `/opt/stacks/core/traefik/`
* User data in service volumes
**Recovery Process:**
* Restore configuration files
* Redeploy services
* Restore user data from backups
**Disaster Recovery:**
* Keep backup scripts ready
* Document recovery procedures
* Test restoration regularly
Ready to deploy? Use Dockge to start deploying services!
**Need help?** See [[troubleshooting:services|Service Troubleshooting]] or check [[reference:commands|Command Reference]].

201
config-templates/dokuwiki/data/pages/getting_started/prerequisites.txt
View File

@@ -1,201 +0,0 @@
====== Prerequisites ======
Before deploying your AI-Homelab, ensure your system meets these requirements.
===== System Requirements =====
**Minimum Hardware:**
* **CPU**: 2-core processor (4+ cores recommended)
* **RAM**: 4GB minimum (8GB+ recommended)
* **Storage**: 50GB free space (SSD preferred)
* **Network**: Stable internet connection
**Recommended Hardware:**
* **CPU**: 4+ core processor with virtualization support
* **RAM**: 16GB+ for full stack deployment
* **Storage**: 500GB+ SSD for media and backups
* **GPU**: NVIDIA GPU (optional, for hardware transcoding)
===== Operating System =====
**Supported Systems:**
* **Ubuntu 20.04+** (recommended)
* **Debian 11+**
* **Ubuntu Server**
* **Raspberry Pi OS** (64-bit, for lightweight deployments)
**Fresh Installation Recommended:**
* Start with a clean OS install
* Avoid pre-installed Docker versions
* Use LTS (Long Term Support) releases
===== Network Requirements =====
**Domain & DNS:**
* **DuckDNS account**: [[https://duckdns.org|Create free account]]
* **Domain**: Choose your subdomain (e.g., `yourname.duckdns.org`)
* **Token**: Get your DuckDNS token from account settings
**Port Forwarding:**
* **Port 80**: Required for Let's Encrypt HTTP challenge
* **Port 443**: Required for HTTPS traffic
* **Router**: Configure port forwarding to your server
**Network Access:**
* **Outbound**: Full internet access for updates and services
* **Inbound**: Ports 80/443 forwarded from router
* **Local**: Access to router admin panel (for port forwarding)
===== Software Prerequisites =====
**Required Software:**
* **Git**: Version control system
* **curl/wget**: Download utilities
* **SSH server**: Remote access (usually pre-installed)
**Optional but Recommended:**
* **VS Code**: With GitHub Copilot extension
* **Docker Desktop**: For local testing (Windows/Mac)
* **NVIDIA drivers**: If using GPU acceleration
===== Account Setup =====
**Required Accounts:**
* **DuckDNS**: Free dynamic DNS service
* Visit [[https://duckdns.org]]
* Create account and subdomain
* Copy your token for configuration
**Optional Accounts (for specific services):**
* **Surfshark VPN**: For secure downloads
* **GitHub**: For repository access and Copilot
* **Cloud storage**: For offsite backups
===== Security Considerations =====
**Firewall Setup:**
* UFW (Uncomplicated Firewall) will be configured automatically
* Only necessary ports will be opened
* SSH access restricted to key-based authentication
**SSL Certificates:**
* Let's Encrypt provides free certificates
* Wildcard certificate covers all subdomains
* Automatic renewal every 90 days
**Access Control:**
* Authelia provides SSO (Single Sign-On)
* 2FA (Two-Factor Authentication) recommended
* Granular access control per service
===== Pre-Installation Checklist =====
**Hardware Check:**
* [ ] Server meets minimum requirements
* [ ] Sufficient storage space available
* [ ] Stable power supply
* [ ] Backup power (UPS) recommended
**Network Check:**
* [ ] Internet connection stable
* [ ] Router supports port forwarding
* [ ] Ports 80/443 available and forwarded
* [ ] Local IP address known and static
**Account Setup:**
* [ ] DuckDNS account created
* [ ] Domain chosen and configured
* [ ] DuckDNS token obtained
* [ ] Optional: VPN credentials prepared
**Software Preparation:**
* [ ] SSH access to server established
* [ ] VS Code installed (optional)
* [ ] GitHub Copilot configured (optional)
===== Environment Variables =====
Create a `.env` file with these variables:
```
# Domain Configuration
DOMAIN=yourdomain.duckdns.org
DUCKDNS_TOKEN=your-duckdns-token
# Optional: VPN Configuration
SURFSHARK_USERNAME=your-vpn-username
SURFSHARK_PASSWORD=your-vpn-password
# Authelia (auto-generated by setup script)
AUTHELIA_JWT_SECRET=64-char-random-string
AUTHELIA_SESSION_SECRET=64-char-random-string
AUTHELIA_STORAGE_ENCRYPTION_KEY=64-char-random-string
# User Configuration
PUID=1000
PGID=1000
TZ=America/New_York
```
**Note:** Authelia secrets are auto-generated by the setup script. Leave them with default values initially.
===== Testing Your Setup =====
**Network Connectivity:**
```bash
# Test internet connection
ping -c 4 8.8.8.8
# Test DNS resolution
nslookup duckdns.org
# Test port forwarding (from external network)
curl -I http://your-external-ip
```
**System Resources:**
```bash
# Check available space
df -h /
# Check memory
free -h
# Check CPU cores
nproc
```
**SSH Access:**
```bash
# Test SSH connection
ssh user@your-server-ip
# Test sudo access
sudo whoami
```
===== Troubleshooting Prerequisites =====
**"Permission denied" errors:**
* Ensure you have sudo access
* Check if user is in sudo group
* Try running commands with `sudo`
**Network connectivity issues:**
* Verify internet connection
* Check firewall settings
* Test DNS resolution
**Port forwarding problems:**
* Access router admin panel
* Verify ports 80/443 are forwarded
* Check if ISP blocks these ports
**DuckDNS issues:**
* Verify token is correct
* Check domain is available
* Test DNS updates manually
Ready to proceed? Continue to [[getting_started:setup|Automated Setup]].
**Need Help?** Check the [[troubleshooting:start|Troubleshooting Guide]] or visit [[https://github.com/kelinfoxy/AI-Homelab/discussions|GitHub Discussions]].

245
config-templates/dokuwiki/data/pages/getting_started/security.txt
View File

@@ -1,245 +0,0 @@
====== Security Setup ======
Secure your homelab with proper authentication, encryption, and access controls.
===== Two-Factor Authentication =====
**Enable 2FA for Authelia:**
1. **Access Authelia:**
* URL: `https://auth.yourdomain.duckdns.org`
* Login with admin credentials
2. **Configure TOTP:**
* Go to **Settings** → **One-Time Password**
* Install authenticator app (Google Authenticator, Authy, etc.)
* Scan QR code or enter secret manually
* Enter verification code to enable
3. **Backup Codes:**
* Generate backup codes for recovery
* Store securely (encrypted password manager)
* Use only for emergency access
**2FA Best Practices:**
* Use hardware security keys when possible
* Enable biometric authentication on mobile
* Regularly rotate backup codes
* Test recovery process
===== Access Control Policies =====
**Authelia Configuration:**
* Location: `/opt/stacks/core/authelia/configuration.yml`
**Default Policies:**
```yaml
access_control:
default_policy: deny
rules:
# Admin services - require 2FA
- domain: "*.yourdomain.duckdns.org"
policy: two_factor
# Media services - bypass SSO (app compatibility)
- domain: jellyfin.yourdomain.duckdns.org
policy: bypass
- domain: plex.yourdomain.duckdns.org
policy: bypass
# Home Assistant - bypass (built-in auth)
- domain: ha.yourdomain.duckdns.org
policy: bypass
```
**Policy Types:**
* **deny**: Block all access
* **one_factor**: Username + password only
* **two_factor**: Username + password + 2FA
* **bypass**: No authentication required
===== SSL/TLS Security =====
**Certificate Management:**
* **Issuer**: Let's Encrypt (trusted CA)
* **Type**: Wildcard certificate (*.yourdomain.duckdns.org)
* **Algorithm**: ECDSA P-256 with SHA-256
* **Validity**: 90 days with automatic renewal
**Security Headers:**
* **HSTS**: HTTP Strict Transport Security
* **CSP**: Content Security Policy
* **X-Frame-Options**: Clickjacking protection
* **X-Content-Type-Options**: MIME sniffing prevention
**Traefik Security:**
```yaml
# In traefik.yml
http:
middlewares:
security-headers:
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
customResponseHeaders:
X-Frame-Options: "SAMEORIGIN"
X-Content-Type-Options: "nosniff"
Referrer-Policy: "strict-origin-when-cross-origin"
Permissions-Policy: "geolocation=(), microphone=(), camera=()"
```
===== Firewall Configuration =====
**UFW Rules (automatically configured):**
```bash
# Allow SSH
sudo ufw allow ssh
# Allow HTTP/HTTPS
sudo ufw allow 80
sudo ufw allow 443
# Enable firewall
sudo ufw enable
```
**Docker Security:**
* Containers run as non-root users
* No privileged containers
* Minimal exposed ports
* Network isolation
===== Password Security =====
**Strong Password Requirements:**
* Minimum 12 characters
* Mix of uppercase, lowercase, numbers, symbols
* No dictionary words or common patterns
* Unique per service
**Password Manager Integration:**
* Use Bitwarden/Vaultwarden for password storage
* Enable auto-fill for services
* Regular password rotation
* Emergency access setup
===== VPN and Network Security =====
**Download Protection:**
* qBittorrent routes through Gluetun VPN
* All torrent traffic encrypted
* No IP leaks during downloads
**Network Segmentation:**
* Services isolated in Docker networks
* Database access restricted
* External services proxied through Traefik
===== Backup Security =====
**Encrypted Backups:**
* Use Backrest with encryption
* Store encryption keys securely
* Offsite backup storage
* Regular integrity checks
**Backup Verification:**
```bash
# Test backup restoration
restic restore latest --target /tmp/restore-test
restic check
```
===== Service-Specific Security =====
**Nextcloud Security:**
* Enable brute force protection
* Configure trusted domains
* Set up file encryption
* Regular security scans
**Gitea Security:**
* Disable public registration
* Enable SSH key authentication
* Configure access tokens
* Regular repository backups
**Database Security:**
* Strong database passwords
* Network isolation
* Regular updates
* Query logging
===== Monitoring and Alerts =====
**Security Monitoring:**
* Enable fail2ban for SSH protection
* Monitor authentication attempts
* Set up intrusion detection
* Log analysis with Loki/Promtail
**Alert Configuration:**
* Failed login notifications
* Certificate expiration warnings
* Service downtime alerts
* Security vulnerability notifications
===== Incident Response =====
**Security Breach Response:**
1. **Isolate**: Disconnect affected systems
2. **Assess**: Determine scope of breach
3. **Contain**: Change all passwords
4. **Recover**: Restore from clean backups
5. **Learn**: Update security policies
**Emergency Access:**
* Keep backup authentication methods
* Document recovery procedures
* Test incident response plans
* Regular security audits
===== Advanced Security =====
**Certificate Pinning:**
* Pin Let's Encrypt intermediate certificates
* Monitor certificate transparency logs
* Automated certificate validation
**Zero Trust Architecture:**
* Every access request verified
* Minimal privilege access
* Continuous authentication
* Network micro-segmentation
**Compliance Considerations:**
* Data encryption at rest and in transit
* Access logging and monitoring
* Regular security assessments
* Privacy-preserving configurations
===== Security Checklist =====
**Initial Setup:**
* [ ] 2FA enabled for all admin accounts
* [ ] Strong, unique passwords everywhere
* [ ] SSL certificates properly configured
* [ ] Firewall rules verified
* [ ] VPN configured for downloads
**Ongoing Security:**
* [ ] Regular password rotation
* [ ] Security updates applied
* [ ] Backup encryption verified
* [ ] Access logs reviewed
* [ ] Security scans performed
**Emergency Preparedness:**
* [ ] Backup authentication methods available
* [ ] Incident response plan documented
* [ ] Recovery procedures tested
* [ ] Contact information current
Your homelab is now secure! Continue to [[architecture:security|Security Architecture]] for detailed technical information.
**Need help?** Check [[troubleshooting:ssl|SSL Troubleshooting]] or visit [[https://github.com/kelinfoxy/AI-Homelab/discussions|GitHub Discussions]].

234
config-templates/dokuwiki/data/pages/getting_started/setup.txt
View File

@@ -1,234 +0,0 @@
====== Automated Setup ======
The AI-Homelab uses two automated scripts for deployment. This is the recommended approach for most users.
===== Quick Setup Commands =====
```bash
# 1. Clone the repository
git clone https://github.com/kelinfoxy/AI-Homelab.git
cd AI-Homelab
# 2. Configure environment
cp .env.example .env
nano .env # Edit with your domain and tokens
# 3. Run setup script
sudo ./scripts/setup-homelab.sh
# 4. Run deployment script
sudo ./scripts/deploy-homelab.sh
```
That's it! Your homelab will be ready in 10-15 minutes.
===== Detailed Setup Process =====
==== Step 1: Clone Repository ====
```bash
# Clone to your home directory
cd ~
git clone https://github.com/kelinfoxy/AI-Homelab.git
cd AI-Homelab
```
**What this provides:**
* Complete homelab configuration
* Docker compose files for all services
* Automated deployment scripts
* Configuration templates
* Documentation and guides
==== Step 2: Configure Environment ====
```bash
# Copy example configuration
cp .env.example .env
# Edit with your settings
nano .env
```
**Required variables:**
```
DOMAIN=yourdomain.duckdns.org
DUCKDNS_TOKEN=your-duckdns-token
ACME_EMAIL=your-email@example.com
```
**Optional variables:**
```
SURFSHARK_USERNAME=your-vpn-username
SURFSHARK_PASSWORD=your-vpn-password
TZ=America/New_York
PUID=1000
PGID=1000
```
==== Step 3: Run Setup Script ====
```bash
# Execute with sudo privileges
sudo ./scripts/setup-homelab.sh
```
**What the setup script does:**
**System Preparation:**
* Updates system packages
* Installs required dependencies (git, curl, etc.)
* Installs Docker Engine + Compose V2
* Configures user permissions
* Sets up UFW firewall
* Enables SSH server
**Authelia Configuration:**
* Generates cryptographic secrets (JWT, session, encryption keys)
* Prompts for admin username (default: admin)
* Prompts for secure password with confirmation
* Generates argon2id password hash
* Creates user database
**Infrastructure Setup:**
* Creates `/opt/stacks/` directory structure
* Sets up Docker networks (traefik-network, homelab-network, etc.)
* Detects NVIDIA GPU and offers driver installation
**Security Features:**
* Idempotent (safe to re-run)
* Comprehensive error handling
* Timeout protection for operations
* Clear troubleshooting messages
==== Step 4: Run Deployment Script ====
```bash
# Deploy all services
sudo ./scripts/deploy-homelab.sh
```
**What the deployment script does:**
**Prerequisites Check:**
* Validates environment configuration
* Verifies Docker installation
* Checks network connectivity
**Core Stack Deployment:**
* Deploys DuckDNS, Traefik, Authelia, Gluetun
* Obtains wildcard SSL certificate (*.yourdomain.duckdns.org)
* Configures reverse proxy routing
**Infrastructure Deployment:**
* Deploys Dockge, Pi-hole, monitoring tools
* Sets up dashboards (Homepage, Homarr)
* Configures service discovery
**Health Checks:**
* Waits for services to become healthy
* Validates SSL certificate generation
* Opens Dockge in browser
===== Post-Setup Configuration =====
==== Access Your Services ====
After deployment, access services at:
| Service | URL | Status |
|---------|-----|--------|
| **Dockge** | `https://dockge.yourdomain.duckdns.org` | ✅ Primary management |
| **Homepage** | `https://home.yourdomain.duckdns.org` | ✅ Service dashboard |
| **Authelia** | `https://auth.yourdomain.duckdns.org` | ✅ SSO login |
| **Traefik** | `https://traefik.yourdomain.duckdns.org` | ✅ Proxy dashboard |
**Default Credentials:**
* Username: `admin` (or your custom username)
* Password: The secure password you created
==== Configure Two-Factor Authentication ====
1. Visit `https://auth.yourdomain.duckdns.org`
2. Log in with your admin credentials
3. Go to Settings → One-Time Password
4. Scan QR code with authenticator app
5. Enter verification code to enable 2FA
==== Customize Homepage Dashboard ====
1. Visit `https://home.yourdomain.duckdns.org`
2. Click the settings icon (gear)
3. Configure services and widgets
4. Add API keys for enhanced widgets
===== Troubleshooting Setup =====
==== Common Issues ====
**"Permission denied" when running scripts:**
```bash
# Ensure you're using sudo
sudo ./scripts/setup-homelab.sh
# Check if scripts are executable
ls -la scripts/
chmod +x scripts/*.sh
```
**Docker installation fails:**
```bash
# Remove conflicting packages
sudo apt remove docker docker-engine docker.io containerd runc
# Re-run setup script
sudo ./scripts/setup-homelab.sh
```
**SSL certificate generation fails:**
* Check DuckDNS token is correct in `.env`
* Verify ports 80/443 are forwarded
* Wait 2-5 minutes for DNS propagation
* Check Traefik logs: `docker logs traefik`
**Services not accessible:**
* Verify domain resolves: `nslookup yourdomain.duckdns.org`
* Check firewall: `sudo ufw status`
* View service logs: `docker compose -f /opt/stacks/core/docker-compose.yml logs`
==== NVIDIA GPU Setup ====
If you have an NVIDIA GPU and want hardware acceleration:
```bash
# During setup script, answer 'y' when prompted
# Or install manually after setup:
# Add NVIDIA package repository
distribution=$(. /etc/os-release;echo $ID$VERSION_ID)
curl -s -L https://nvidia.github.io/nvidia-docker/gpgkey | sudo apt-key add -
curl -s -L https://nvidia.github.io/nvidia-docker/$distribution/nvidia-docker.list | sudo tee /etc/apt/sources.list.d/nvidia-docker.list
# Install NVIDIA Docker
sudo apt-get update && sudo apt-get install -y nvidia-docker2
sudo systemctl restart docker
# Test GPU access
docker run --rm --gpus all nvidia/cuda:12.0.0-base-ubuntu22.04 nvidia-smi
```
==== Manual Setup Alternative ====
If automated scripts fail, see [[getting_started:manual|Manual Setup Guide]] for step-by-step instructions.
===== Next Steps =====
1. **Explore Services**: Use Dockge to deploy additional services
2. **Configure Backups**: Set up Backrest for automated backups
3. **Add Monitoring**: Deploy Grafana/Prometheus for observability
4. **Customize**: Modify services to fit your needs
5. **Contribute**: Help improve the project
**Ready to deploy?** Run the setup script and enjoy your new homelab!
**Need help?** Check [[troubleshooting:deployment|Deployment Troubleshooting]] or ask in [[https://github.com/kelinfoxy/AI-Homelab/discussions|GitHub Discussions]].

126
config-templates/dokuwiki/data/pages/getting_started/start.txt
View File

@@ -1,126 +0,0 @@
====== Getting Started ======
Welcome to your AI-powered homelab! This guide will walk you through setting up your production-ready infrastructure with Dockge, Traefik, Authelia, and 70+ services.
===== Quick Start Checklist =====
**Prerequisites:**
* [ ] Fresh Debian/Ubuntu server (or existing system)
* [ ] Root/sudo access
* [ ] Internet connection
* [ ] VS Code with GitHub Copilot (recommended)
**Setup Process:**
* [ ] Clone repository: `git clone https://github.com/kelinfoxy/AI-Homelab.git`
* [ ] Configure `.env` file with your domain and tokens
* [ ] Run setup script: `sudo ./scripts/setup-homelab.sh`
* [ ] Run deployment script: `sudo ./scripts/deploy-homelab.sh`
* [ ] Access Dockge at `https://dockge.yourdomain.duckdns.org`
**Post-Setup:**
* [ ] Set up 2FA with Authelia
* [ ] Configure Homepage dashboard
* [ ] Deploy additional services as needed
* [ ] Set up backups with Backrest
===== What You Get =====
Your homelab includes:
**Core Infrastructure (Deployed First):**
* **DuckDNS**: Dynamic DNS with Let's Encrypt wildcard SSL certificates
* **Traefik**: Reverse proxy with automatic HTTPS termination
* **Authelia**: SSO authentication protecting all services
* **Gluetun**: VPN client for secure downloads
* **Sablier**: Lazy loading service for resource management
**Management Tools:**
* **Dockge**: Web-based Docker stack manager (PRIMARY interface)
* **Pi-hole**: Network-wide ad blocking and DNS
* **Dozzle**: Live Docker log viewer
* **Glances**: System monitoring dashboard
**Dashboards:**
* **Homepage**: AI-configured service dashboard
* **Homarr**: Modern alternative dashboard
**70+ Available Services:**
* Media: Plex, Jellyfin, Sonarr, Radarr, qBittorrent
* Productivity: Nextcloud, Gitea, BookStack, WordPress
* Home Automation: Home Assistant, Node-RED, Zigbee2MQTT
* Monitoring: Grafana, Prometheus, Uptime Kuma
* Development: VS Code Server, GitLab, Jupyter
* And many more...
===== Architecture Overview =====
```
Internet → DuckDNS → Traefik → Authelia → Services
Wildcard SSL (*.yourdomain.duckdns.org)
```
**Key Features:**
* **File-based configuration**: AI-manageable YAML files
* **Automatic HTTPS**: Let's Encrypt wildcard certificates
* **SSO protection**: Authelia secures admin interfaces
* **VPN routing**: Downloads protected through Gluetun
* **Resource management**: Automatic container limits
* **Lazy loading**: Services start on-demand
===== Access Your Services =====
After deployment, access services at:
| Service | URL | Purpose |
|---------|-----|---------|
| **Dockge** | `https://dockge.yourdomain.duckdns.org` | Stack management |
| **Homepage** | `https://home.yourdomain.duckdns.org` | Service dashboard |
| **Authelia** | `https://auth.yourdomain.duckdns.org` | SSO login |
| **Traefik** | `https://traefik.yourdomain.duckdns.org` | Reverse proxy dashboard |
| **Pi-hole** | `http://pihole.yourdomain.duckdns.org` | DNS admin |
| **Dozzle** | `https://dozzle.yourdomain.duckdns.org` | Log viewer |
**Default Credentials:**
* Username: `admin` (or custom username from setup)
* Password: Secure password created during setup
===== Next Steps =====
1. **Complete Security Setup**
* Configure 2FA in Authelia
* Review service access policies
* Set up backup encryption
2. **Deploy Core Services**
* Use Dockge to deploy media services
* Configure Homepage widgets
* Set up monitoring dashboards
3. **Customize Your Stack**
* Add external service proxying
* Configure backup schedules
* Set up development environment
4. **Learn Advanced Features**
* Use AI Copilot for management
* Explore service customization
* Contribute to the project
===== Getting Help =====
**Documentation:**
* [[architecture:overview|Architecture Guide]]
* [[services:start|Service Reference]]
* [[troubleshooting:start|Troubleshooting]]
* [[reference:start|Quick Reference]]
**Community:**
* [[https://github.com/kelinfoxy/AI-Homelab/issues|GitHub Issues]]
* [[https://github.com/kelinfoxy/AI-Homelab/discussions|Discussions]]
**AI Assistance:**
* Use GitHub Copilot in VS Code
* Reference the [[development:copilot|Copilot Instructions]]
Ready to get started? Continue to [[getting_started:prerequisites|Prerequisites]] or jump straight to [[getting_started:setup|Automated Setup]].

420
config-templates/dokuwiki/data/pages/services/core/authelia.txt
View File

@@ -1,420 +0,0 @@
====== Authelia ======
Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) capabilities to secure access to your homelab services.
===== Overview =====
**Purpose:** SSO authentication server
**URL:** `https://auth.yourdomain.duckdns.org`
**Authentication:** Direct login (username/password + 2FA)
**Deployment:** Automatic (core stack)
**Storage:** File-based user database
===== Key Features =====
**Authentication Methods:**
* **Username/Password**: Secure credential verification
* **TOTP (Time-based One-Time Password)**: RFC 6238 compliant
* **WebAuthn**: Hardware security key support
* **Push Notifications**: Mobile authentication
**Authorization:**
* **Domain-based policies**: Per-service access control
* **Group membership**: Role-based permissions
* **Bypass rules**: Direct access for media services
* **Session management**: Secure token handling
**Security:**
* **Argon2id hashing**: Memory-hard password hashing
* **JWT tokens**: Secure session management
* **CSRF protection**: Cross-site request forgery prevention
* **Brute force protection**: Rate limiting and account lockout
**Integration:**
* **Traefik middleware**: Reverse proxy authentication
* **LDAP support**: External user directory integration
* **SAML/OIDC**: Enterprise federation protocols
* **API access**: RESTful authentication API
===== Configuration =====
**Main Configuration (configuration.yml):**
```yaml
---
# Authelia configuration
host: 0.0.0.0
port: 9091
log:
level: info
format: json
jwt_secret: ${AUTHELIA_JWT_SECRET}
session:
name: authelia_session
secret: ${AUTHELIA_SESSION_SECRET}
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
domain: yourdomain.duckdns.org
storage:
encryption_key: ${AUTHELIA_STORAGE_ENCRYPTION_KEY}
local:
path: /config/db.sqlite3
access_control:
default_policy: deny
rules:
# Admin services require 2FA
- domain: "*.yourdomain.duckdns.org"
policy: two_factor
subject:
- "group:admins"
# Media services bypass SSO
- domain: "jellyfin.yourdomain.duckdns.org"
policy: bypass
- domain: "plex.yourdomain.duckdns.org"
policy: bypass
api:
disable_bearer_token: false
authentication_backend:
file:
path: /config/users_database.yml
notifier:
filesystem:
filename: /config/notification.txt
```
**User Database (users_database.yml):**
```yaml
---
users:
admin:
displayname: Administrator
password: $argon2id$...
email: admin@yourdomain.duckdns.org
groups:
- admins
- dev
```
===== Docker Compose =====
```yaml
services:
authelia:
image: authelia/authelia:latest
container_name: authelia
restart: unless-stopped
networks:
- traefik-network
volumes:
- ./authelia/configuration.yml:/config/configuration.yml:ro
- ./authelia/users_database.yml:/config/users_database.yml
- ./authelia/db.sqlite3:/config/db.sqlite3
- ./authelia/notification.txt:/config/notification.txt
environment:
- AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET}
- AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
- AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_ENCRYPTION_KEY}
labels:
- "traefik.enable=true"
- "traefik.http.routers.authelia.rule=Host(`auth.${DOMAIN}`)"
- "traefik.http.routers.authelia.entrypoints=websecure"
- "traefik.http.routers.authelia.tls.certresolver=letsencrypt"
# No Authelia middleware for itself
- "traefik.http.services.authelia.loadbalancer.server.port=9091"
depends_on:
- authelia-redis # If using Redis
deploy:
resources:
limits:
cpus: '0.5'
memory: 256M
reservations:
cpus: '0.1'
memory: 64M
```
===== User Management =====
**Adding Users:**
```yaml
users:
newuser:
displayname: "New User"
password: "$argon2id$..." # Generate with authelia crypto hash generate argon2
email: newuser@example.com
groups:
- users
```
**Password Hashing:**
```bash
# Generate Argon2id hash
docker run authelia/authelia:latest authelia crypto hash generate argon2 --password 'mypassword'
```
**Group Management:**
```yaml
# Define groups
groups:
admins:
- admin
users:
- user1
- user2
media:
- family
```
===== Access Control Policies =====
**Policy Types:**
* **deny**: Block all access
* **one_factor**: Username + password only
* **two_factor**: Username + password + 2FA
* **bypass**: No authentication required
**Rule Structure:**
```yaml
rules:
- domain: "*.yourdomain.duckdns.org"
policy: two_factor
subject:
- "user:admin"
- "group:admins"
resources:
- "^/api/.*" # API endpoints
```
**Advanced Rules:**
```yaml
# Time-based access
- domain: "*.yourdomain.duckdns.org"
policy: two_factor
subject: "group:admins"
rules:
- operator: present
operand: http_request.header.Authorization
# IP-based restrictions
- domain: "admin.yourdomain.duckdns.org"
policy: deny
networks:
- "192.168.1.0/24" # Allow only local network
```
===== Two-Factor Authentication =====
**TOTP Setup:**
1. Access Authelia dashboard
2. Go to **Settings** → **One-Time Password**
3. Install authenticator app (Google Authenticator, Authy, etc.)
4. Scan QR code or enter secret manually
5. Enter verification code to enable
**WebAuthn (Hardware Keys):**
* **Supported**: YubiKey, Google Titan, etc.
* **Protocol**: FIDO2/WebAuthn
* **Benefits**: Phishing-resistant, no shared secrets
**Backup Codes:**
* Generate one-time use codes
* Store securely (encrypted password manager)
* Use only for emergency access
===== Integration with Traefik =====
**ForwardAuth Middleware:**
```yaml
# In Traefik dynamic configuration
middlewares:
authelia:
forwardAuth:
address: "http://authelia:9091/api/verify?rd=https://auth.yourdomain.duckdns.org/"
trustForwardHeader: true
authResponseHeaders:
- "Remote-User"
- "Remote-Groups"
- "Remote-Name"
- "Remote-Email"
```
**Service Protection:**
```yaml
# Add to service labels
labels:
- "traefik.http.routers.service.middlewares=authelia@docker"
```
**Bypass Configuration:**
```yaml
# In Authelia configuration.yml
access_control:
rules:
- domain: "jellyfin.yourdomain.duckdns.org"
policy: bypass
- domain: "plex.yourdomain.duckdns.org"
policy: bypass
```
===== Session Management =====
**Session Configuration:**
```yaml
session:
name: authelia_session
secret: ${AUTHELIA_SESSION_SECRET}
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
domain: yourdomain.duckdns.org
same_site: lax
secure: true
http_only: true
```
**Session Security:**
* **Secure cookies**: HTTPS only
* **HttpOnly**: JavaScript protection
* **SameSite**: CSRF protection
* **Expiration**: Automatic logout
===== Monitoring & Logging =====
**Log Configuration:**
```yaml
log:
level: info # debug, info, warn, error
format: json # json or text
file: /config/authelia.log
```
**Monitoring Integration:**
* **Prometheus metrics**: `/metrics` endpoint
* **Health checks**: `/api/health` endpoint
* **Log aggregation**: Loki integration
* **Alerting**: Failed authentication notifications
**Audit Logging:**
* **Authentication events**: Login/logout tracking
* **Authorization decisions**: Access control logging
* **Security events**: Failed attempts, lockouts
* **Compliance**: Audit trail for security reviews
===== Security Best Practices =====
**Password Policies:**
* **Complexity**: Minimum 12 characters, mixed case, numbers, symbols
* **Expiration**: Regular rotation (90-180 days)
* **History**: Prevent password reuse
* **Lockout**: Account lockout after failed attempts
**Session Security:**
* **Short sessions**: 1 hour maximum
* **Inactivity timeout**: 5-15 minutes
* **Secure cookies**: All security flags enabled
* **Token rotation**: Regular token refresh
**Network Security:**
* **HTTPS only**: No HTTP access
* **HSTS**: HTTP Strict Transport Security
* **CSP**: Content Security Policy
* **Rate limiting**: Brute force protection
===== Troubleshooting =====
**Login Issues:**
```bash
# Check Authelia logs
docker logs authelia
# Verify configuration
docker exec authelia authelia validate-config /config/configuration.yml
# Test authentication API
curl -k https://auth.yourdomain.duckdns.org/api/state
```
**2FA Problems:**
* Check system time synchronization
* Verify TOTP secret/code
* Clear browser cache
* Try different authenticator app
**Middleware Issues:**
```bash
# Check Traefik logs
docker logs traefik | grep authelia
# Test middleware
curl -H "Host: service.yourdomain.duckdns.org" http://localhost/
```
**Configuration Errors:**
* Validate YAML syntax
* Check file permissions
* Verify environment variables
* Test configuration with `authelia validate-config`
===== Advanced Features =====
**LDAP Integration:**
```yaml
authentication_backend:
ldap:
url: ldap://127.0.0.1
base_dn: dc=example,dc=com
username_attribute: uid
additional_users_dn: ou=users
users_filter: (&({username_attribute}={input})(objectClass=person))
groups_filter: (&(member={dn})(objectClass=groupOfNames))
group_name_attribute: cn
mail_attribute: mail
display_name_attribute: displayName
```
**SAML/OIDC Identity Providers:**
```yaml
identity_providers:
oidc:
# OIDC configuration
saml:
# SAML configuration
```
**Custom Themes:**
```yaml
theme: dark # light, dark, grey, auto
```
**API Integration:**
* **REST API**: Programmatic authentication
* **Webhooks**: Event notifications
* **SCIM**: User provisioning
* **GraphQL**: Advanced queries
===== Backup & Recovery =====
**Configuration Backup:**
* **Files**: `configuration.yml`, `users_database.yml`
* **Database**: `db.sqlite3`
* **Secrets**: Environment variables
**Password Recovery:**
* **Backup codes**: One-time use recovery
* **Admin reset**: Administrative password reset
* **Self-service**: Password reset via email
**Disaster Recovery:**
* **Configuration restore**: YAML file recovery
* **Database recovery**: SQLite backup restoration
* **Secret rotation**: Emergency credential management
Authelia provides enterprise-grade authentication and authorization for your homelab, ensuring secure access to all your services.
**Next:** Learn about [[services:core:duckdns|DuckDNS]] or [[services:core:gluetun|Gluetun]].

289
config-templates/dokuwiki/data/pages/services/core/duckdns.txt
View File

@@ -1,289 +0,0 @@
====== DuckDNS ======
DuckDNS is a free dynamic DNS service that automatically updates your domain's IP address. In the AI-Homelab, DuckDNS provides the domain name that Traefik uses for SSL certificates and service routing.
===== Overview =====
**Purpose:** Dynamic DNS service
**URL:** https://duckdns.org (external service)
**Authentication:** Token-based
**Deployment:** Automatic (core stack)
**Update Interval:** Every 5 minutes
===== Key Features =====
**Dynamic DNS:**
* **Free service**: No cost for basic usage
* **Multiple domains**: Support for multiple subdomains
* **API integration**: RESTful API for updates
* **IPv4/IPv6**: Support for both IP versions
**SSL Integration:**
* **Wildcard certificates**: *.yourdomain.duckdns.org
* **Let's Encrypt**: Automatic certificate generation
* **DNS challenge**: Domain ownership verification
* **Certificate renewal**: Automatic 90-day renewal
**Reliability:**
* **High uptime**: 99.9%+ availability
* **Global CDN**: Fast DNS resolution worldwide
* **Redundant servers**: Multiple DNS servers
* **Monitoring**: Service status monitoring
===== Configuration =====
**DuckDNS Account Setup:**
1. Visit https://duckdns.org
2. Create free account
3. Choose domain name (your subdomain)
4. Get API token from account settings
**Environment Variables:**
```bash
# Required
DOMAIN=yourdomain.duckdns.org
DUCKDNS_TOKEN=your-api-token
# Optional
DUCKDNS_SUBDOMAINS=subdomain1,subdomain2
```
**Container Configuration:**
```yaml
services:
duckdns:
image: lscr.io/linuxserver/duckdns:latest
container_name: duckdns
restart: unless-stopped
environment:
- PUID=1000
- PGID=1000
- TZ=${TZ}
- SUBDOMAINS=${DUCKDNS_SUBDOMAINS:-yourdomain}
- TOKEN=${DUCKDNS_TOKEN}
deploy:
resources:
limits:
cpus: '0.1'
memory: 64M
reservations:
cpus: '0.01'
memory: 16M
```
===== How It Works =====
**DNS Update Process:**
1. **IP Detection**: Container detects current public IP
2. **API Call**: Sends update request to DuckDNS API
3. **DNS Update**: DuckDNS updates DNS records
4. **Propagation**: DNS changes propagate globally
5. **Verification**: Container verifies update success
**Update Frequency:**
* **Interval**: Every 5 minutes
* **Trigger**: Container startup + periodic updates
* **Condition**: IP address change detected
* **Logging**: Update success/failure logging
**API Integration:**
```bash
# Manual update (for testing)
curl "https://www.duckdns.org/update?domains=yourdomain&token=your-token&ip="
# Check current IP
curl "https://www.duckdns.org/update?domains=yourdomain&token=your-token&verbose=1"
```
===== SSL Certificate Integration =====
**Traefik Configuration:**
```yaml
certificatesResolvers:
letsencrypt:
acme:
email: your-email@example.com
storage: /acme.json
dnsChallenge:
provider: duckdns
delayBeforeCheck: 30
```
**Certificate Generation:**
* **Challenge Type**: DNS-01
* **Record**: `_acme-challenge.yourdomain.duckdns.org`
* **Value**: Generated by Let's Encrypt
* **TTL**: 60 seconds (temporary)
**Wildcard Certificate:**
* **Domain**: `*.yourdomain.duckdns.org`
* **Coverage**: All subdomains automatically
* **Type**: ECDSA P-256
* **Validity**: 90 days
* **Renewal**: Automatic (30 days before expiry)
===== Monitoring & Troubleshooting =====
**Container Logs:**
```bash
# View DuckDNS logs
docker logs duckdns
# Follow logs in real-time
docker logs -f duckdns
```
**DNS Verification:**
```bash
# Check DNS resolution
nslookup yourdomain.duckdns.org
# Check TXT record (during certificate generation)
dig TXT _acme-challenge.yourdomain.duckdns.org
# Verify IP address
curl -s https://api.ipify.org
```
**Common Issues:**
**DNS Not Updating:**
```bash
# Check token validity
curl "https://www.duckdns.org/update?domains=yourdomain&token=wrong-token"
# Verify internet connectivity
ping -c 4 8.8.8.8
# Check container status
docker ps | grep duckdns
```
**SSL Certificate Issues:**
* **Rate Limiting**: Let's Encrypt limits (20 certificates/week)
* **DNS Propagation**: Wait 5-10 minutes after DNS update
* **Token Issues**: Verify DuckDNS token is correct
* **Port Forwarding**: Ensure 80/443 are forwarded
**Troubleshooting Steps:**
1. **Check logs**: `docker logs duckdns`
2. **Verify token**: Test API manually
3. **Check IP**: Confirm current public IP
4. **Test DNS**: Verify domain resolution
5. **Restart container**: `docker restart duckdns`
===== Advanced Configuration =====
**Multiple Subdomains:**
```bash
# Environment variable
DUCKDNS_SUBDOMAINS=sub1,sub2,sub3
# Or in compose
environment:
- SUBDOMAINS=sub1,sub2,sub3
```
**IPv6 Support:**
```bash
# Enable IPv6 updates
environment:
- IPV6=1
```
**Custom Update Interval:**
```bash
# Modify container command
command: sh -c "while true; do /app/duckdns.sh; sleep 300; done"
# 300 seconds = 5 minutes (default)
```
===== Security Considerations =====
**Token Security:**
* **Storage**: Environment variables (not in code)
* **Access**: Limited to DuckDNS container only
* **Rotation**: Regular token renewal
* **Monitoring**: API usage monitoring
**DNS Security:**
* **DNSSEC**: Not supported by DuckDNS
* **Rate Limiting**: API call restrictions
* **Monitoring**: DNS query logging
* **Backup**: Secondary DNS provider consideration
===== Performance & Reliability =====
**Update Efficiency:**
* **Conditional Updates**: Only when IP changes
* **Fast API**: Quick response times
* **Error Handling**: Retry logic for failures
* **Logging**: Comprehensive update logging
**Global Distribution:**
* **Anycast**: Multiple global DNS servers
* **CDN**: Fast resolution worldwide
* **Caching**: DNS record caching
* **Redundancy**: Multiple server locations
===== Alternative DNS Providers =====
**If DuckDNS is insufficient:**
**Cloudflare:**
* **Free tier**: 100,000 DNS queries/month
* **API**: Full DNS management
* **DNSSEC**: Supported
* **Analytics**: Query statistics
**No-IP:**
* **Free tier**: 30-day renewal requirement
* **Multiple hosts**: Up to 3 free domains
* **Client software**: Windows/Mac/Linux clients
* **Groups**: Domain grouping
**Dynu:**
* **Free tier**: 1 domain, 30-day renewal
* **API**: RESTful API
* **IPv6**: Supported
* **Analytics**: Basic statistics
===== Migration Guide =====
**Switching DNS Providers:**
1. **Register**: Create account with new provider
2. **Configure**: Set up domain and get API token
3. **Update**: Modify environment variables
4. **Test**: Verify DNS resolution
5. **SSL**: Update Traefik certificate resolver
6. **Cleanup**: Remove old DuckDNS container
**Certificate Migration:**
* **Backup**: Save acme.json file
* **Update**: Change DNS provider in Traefik
* **Renew**: Force certificate renewal
* **Verify**: Test SSL certificate validity
===== Best Practices =====
**Domain Management:**
* **Choose wisely**: Select available, memorable domain
* **Documentation**: Record domain and token securely
* **Backup**: Include DNS settings in backup
* **Monitoring**: Monitor domain expiration
**SSL Management:**
* **Wildcard**: Use for all subdomains
* **Backup**: Regular acme.json backups
* **Monitoring**: Certificate expiry alerts
* **Testing**: Regular SSL validation
**Reliability:**
* **Redundancy**: Consider secondary DNS
* **Monitoring**: DNS and SSL health checks
* **Updates**: Keep container updated
* **Logging**: Monitor update success
DuckDNS provides the foundation for your homelab's domain name and SSL certificates, ensuring secure and reliable access to all your services.
**Next:** Learn about [[services:core:gluetun|Gluetun]] or explore [[architecture:networking|Network Architecture]].

404
config-templates/dokuwiki/data/pages/services/core/gluetun.txt
View File

@@ -1,404 +0,0 @@
====== Gluetun ======
Gluetun is a VPN client container that routes download services through VPN providers like Surfshark, NordVPN, or Mullvad. It provides network-level VPN protection for torrent clients and other download services.
===== Overview =====
**Purpose:** VPN client for download services
**Supported VPNs:** Surfshark, NordVPN, Mullvad, ExpressVPN, ProtonVPN, and 20+ others
**Network Mode:** Service-based routing
**Deployment:** Core stack (always running)
**Resource Usage:** Low (minimal CPU/memory)
===== Key Features =====
**VPN Providers:**
* **Surfshark**: Primary recommended provider
* **WireGuard/OpenVPN**: Multiple protocol support
* **Port Forwarding**: Automatic port forwarding
* **Kill Switch**: Network isolation when VPN fails
**Network Routing:**
* **Service Mode**: `network_mode: "service:gluetun"`
* **Port Mapping**: VPN ports mapped to host
* **DNS**: VPN provider DNS servers
* **Firewall**: Built-in firewall rules
**Security Features:**
* **IP Leak Protection**: Prevents IP exposure
* **DNS Leak Protection**: VPN DNS enforcement
* **Kill Switch**: Automatic connection blocking
* **Protocol Selection**: WireGuard/OpenVPN choice
===== Configuration =====
**Environment Variables:**
```bash
# VPN Provider (Surfshark recommended)
VPN_SERVICE_PROVIDER=surfshark
VPN_TYPE=wireguard
# Credentials
VPN_USERNAME=your-username
VPN_PASSWORD=your-password
# Optional: Specific server/country
SERVER_COUNTRIES=Netherlands
SERVER_CITIES=Amsterdam
# Optional: WireGuard specific
WIREGUARD_PRIVATE_KEY=your-private-key
WIREGUARD_ADDRESSES=10.0.0.0/8
```
**Container Configuration:**
```yaml
services:
gluetun:
image: qmcgaw/gluetun:latest
container_name: gluetun
restart: unless-stopped
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun:/dev/net/tun
environment:
- VPN_SERVICE_PROVIDER=${VPN_SERVICE_PROVIDER}
- VPN_TYPE=${VPN_TYPE}
- VPN_USERNAME=${VPN_USERNAME}
- VPN_PASSWORD=${VPN_PASSWORD}
- SERVER_COUNTRIES=${SERVER_COUNTRIES:-Netherlands}
volumes:
- ./gluetun/config:/config
ports:
- 8080:8080 # qBittorrent WebUI
- 6881:6881 # qBittorrent TCP
- 6881:6881/udp # qBittorrent UDP
networks:
- traefik-network
deploy:
resources:
limits:
cpus: '0.5'
memory: 256M
reservations:
cpus: '0.1'
memory: 64M
```
===== How VPN Routing Works =====
**Service-Based Routing:**
```yaml
# Download service configuration
services:
qbittorrent:
image: lscr.io/linuxserver/qbittorrent:latest
network_mode: "service:gluetun" # Routes through VPN
depends_on:
- gluetun
volumes:
- ./qbittorrent/config:/config
- /mnt/downloads:/downloads
environment:
- PUID=1000
- PGID=1000
- TZ=${TZ}
# No ports exposed - accessed via Gluetun
```
**Network Flow:**
1. **Gluetun Container**: Establishes VPN connection
2. **Service Mode**: Download service shares Gluetun's network stack
3. **VPN Routing**: All traffic from download service goes through VPN
4. **Port Mapping**: VPN ports mapped to Gluetun container ports
5. **Access**: Services access download client via Gluetun's IP/port
===== VPN Provider Setup =====
**Surfshark (Recommended):**
1. **Sign up**: https://surfshark.com
2. **Get credentials**: Username/password from account
3. **WireGuard**: Generate private key (optional, faster)
4. **Configure**: Use in environment variables
**WireGuard Setup (Optional but Recommended):**
```bash
# Generate private key
wg genkey
# Or use Surfshark app to get key
# Account -> Manual Setup -> WireGuard
```
**Other Providers:**
```yaml
# NordVPN
VPN_SERVICE_PROVIDER=nordvpn
VPN_TYPE=openvpn
# Mullvad
VPN_SERVICE_PROVIDER=mullvad
VPN_TYPE=wireguard
# ExpressVPN
VPN_SERVICE_PROVIDER=expressvpn
VPN_TYPE=openvpn
```
===== Port Management =====
**Port Forwarding:**
```yaml
# Gluetun ports (map download service ports)
ports:
- 8080:8080 # WebUI
- 6881:6881 # TCP torrent port
- 6881:6881/udp # UDP torrent port
- 51413:51413 # Alternative torrent port
- 51413:51413/udp
```
**Dynamic Port Forwarding:**
* **Automatic**: Some providers support automatic port forwarding
* **Manual**: Configure specific ports in VPN provider
* **Testing**: Verify port forwarding with online tools
**Port Forwarding Check:**
```bash
# Check if port is open
curl -s "https://portchecker.co/check" --data "port=6881"
# Or use online port checker
# Visit: https://www.yougetsignal.com/tools/open-ports/
```
===== Monitoring & Troubleshooting =====
**Container Logs:**
```bash
# View Gluetun logs
docker logs gluetun
# Follow logs in real-time
docker logs -f gluetun
```
**VPN Status Check:**
```bash
# Check VPN connection
docker exec gluetun sh -c "curl -s ifconfig.me"
# Verify VPN IP (should be different from your real IP)
docker exec gluetun sh -c "curl -s https://api.ipify.org"
```
**Kill Switch Testing:**
```bash
# Test kill switch (disconnect VPN)
docker exec gluetun sh -c "iptables -P OUTPUT DROP"
# Restore (reconnect VPN)
docker restart gluetun
```
**Common Issues:**
**VPN Connection Failed:**
```bash
# Check credentials
docker logs gluetun | grep -i "auth\|login\|password"
# Verify server selection
docker logs gluetun | grep -i "server\|country"
# Test VPN provider status
# Visit provider status page
```
**DNS Leaks:**
```bash
# Check DNS servers
docker exec gluetun sh -c "cat /etc/resolv.conf"
# Test DNS leak
# Visit: https://www.dnsleaktest.com
```
**Port Forwarding Issues:**
* **Provider Support**: Not all VPNs support port forwarding
* **Server Selection**: Choose servers that support port forwarding
* **Configuration**: Enable port forwarding in VPN account
* **Testing**: Use port checking tools
**Troubleshooting Steps:**
1. **Check logs**: `docker logs gluetun`
2. **Verify credentials**: Test with VPN provider app
3. **Test connection**: Manual VPN connection
4. **Check ports**: Verify port forwarding
5. **Restart**: `docker restart gluetun`
===== Security Considerations =====
**Kill Switch Protection:**
* **Automatic**: Blocks all traffic if VPN disconnects
* **Testing**: Regularly test kill switch functionality
* **Monitoring**: Monitor VPN connection status
* **Alerts**: Set up notifications for VPN failures
**IP Leak Prevention:**
* **WebRTC**: Disable WebRTC in browsers
* **IPv6**: Disable IPv6 if not needed
* **DNS**: Use VPN DNS servers only
* **Testing**: Regular leak testing
**Credential Security:**
* **Storage**: Environment variables (not in code)
* **Access**: Limited to Gluetun container
* **Rotation**: Regular password changes
* **2FA**: Enable 2FA on VPN account
===== Performance Optimization =====
**Protocol Selection:**
* **WireGuard**: Faster, more secure (recommended)
* **OpenVPN**: More compatible, slightly slower
* **IKEv2**: Mobile-optimized
**Server Selection:**
* **Location**: Choose closest servers
* **Load**: Select less crowded servers
* **Features**: Port forwarding capable servers
* **Testing**: Test different server locations
**Resource Limits:**
```yaml
deploy:
resources:
limits:
cpus: '0.5' # Low CPU usage
memory: 256M # Minimal memory
reservations:
cpus: '0.1'
memory: 64M
```
===== Advanced Configuration =====
**Custom VPN Configuration:**
```yaml
# Custom OpenVPN config
volumes:
- ./gluetun/config:/config
- ./custom-config:/custom
environment:
- VPN_TYPE=openvpn
- OPENVPN_CUSTOM_CONFIG=/custom/my-config.ovpn
```
**Multiple VPN Services:**
```yaml
# Separate Gluetun instances for different services
services:
gluetun-us:
# US-based VPN
environment:
- SERVER_COUNTRIES=United States
gluetun-nl:
# Netherlands-based VPN
environment:
- SERVER_COUNTRIES=Netherlands
```
**Health Checks:**
```yaml
healthcheck:
test: ["CMD", "curl", "-f", "https://api.ipify.org"]
interval: 30s
timeout: 10s
retries: 3
```
===== Integration with Download Services =====
**qBittorrent Configuration:**
```yaml
# In qbittorrent config
# Network settings
Connection Limits:
Global max number of upload slots: 20
Max number of upload slots per torrent: 5
# BitTorrent settings
Enable DHT: Yes
Enable PeX: Yes
Enable LSD: Yes
# WebUI settings
IP Address: 0.0.0.0
Port: 8080
```
**Transmission Configuration:**
```yaml
# transmission-daemon settings.json
{
"rpc-port": 9091,
"rpc-username": "admin",
"rpc-password": "password",
"rpc-whitelist-enabled": false,
"download-dir": "/downloads",
"incomplete-dir": "/downloads/incomplete"
}
```
===== Backup & Recovery =====
**Configuration Backup:**
```bash
# Backup Gluetun config
docker run --rm \
-v gluetun-config:/config \
-v $(pwd)/backup:/backup \
busybox tar czf /backup/gluetun-config.tar.gz /config
```
**VPN Credential Rotation:**
1. **Generate new credentials** in VPN provider
2. **Update environment variables** in .env
3. **Restart Gluetun**: `docker restart gluetun`
4. **Verify connection**: Check logs and IP
5. **Test downloads**: Verify torrent functionality
===== Best Practices =====
**VPN Selection:**
* **Reliability**: Choose reputable providers
* **Speed**: Test connection speeds
* **Features**: Port forwarding, kill switch
* **Privacy**: No-logs policy
* **Cost**: Balance features vs price
**Security:**
* **Kill Switch**: Always enabled
* **Regular Testing**: Monthly leak tests
* **Updates**: Keep Gluetun updated
* **Monitoring**: VPN status monitoring
**Performance:**
* **WireGuard**: Prefer over OpenVPN
* **Server Location**: Closest available
* **Load Balancing**: Distribute across servers
* **Monitoring**: Track connection quality
**Maintenance:**
* **Credential Rotation**: Regular password changes
* **Log Review**: Monitor connection logs
* **Update Checks**: Keep VPN client updated
* **Backup**: Regular configuration backups
Gluetun provides essential VPN protection for download services, ensuring your torrenting and file sharing activities remain private and secure.
**Next:** Learn about [[services:core:sablier|Sablier]] or explore [[architecture:security|Security Architecture]].

401
config-templates/dokuwiki/data/pages/services/core/sablier.txt
View File

@@ -1,401 +0,0 @@
====== Sablier ======
Sablier is a lazy loading service that starts Docker containers on-demand when accessed, then automatically stops them after a period of inactivity. This saves system resources by keeping unused services stopped until needed.
===== Overview =====
**Purpose:** On-demand container startup
**Integration:** Traefik middleware
**Resource Savings:** Significant CPU/memory reduction
**Deployment:** Core stack (always running)
**Configuration:** Label-based activation
===== Key Features =====
**Lazy Loading:**
* **On-Demand Startup**: Containers start when accessed
* **Automatic Shutdown**: Stop after inactivity timeout
* **Resource Efficiency**: Save CPU/memory when not used
* **Transparent**: No user experience changes
**Integration:**
* **Traefik Middleware**: HTTP request triggering
* **Label Configuration**: Simple Docker labels
* **Group Management**: Related services as groups
* **Health Checks**: Wait for service readiness
**Performance:**
* **Fast Startup**: Quick container initialization
* **Timeout Control**: Configurable inactivity periods
* **Queue Management**: Handle multiple concurrent requests
* **Monitoring**: Startup/shutdown tracking
===== Configuration =====
**Container Configuration:**
```yaml
services:
sablier:
image: acouvreur/sablier:latest
container_name: sablier
restart: unless-stopped
environment:
- SABLIER_STRATEGY=docker-api
- SABLIER_DOCKER_API_VERSION=1.41
- SABLIER_DOCKER_NETWORK=traefik-network
- SABLIER_TIMEOUT=5m
- SABLIER_SESSION_DURATION=168h
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
networks:
- traefik-network
deploy:
resources:
limits:
cpus: '0.2'
memory: 128M
reservations:
cpus: '0.05'
memory: 32M
```
**Service Integration Labels:**
```yaml
# Enable Sablier for a service
labels:
- "sablier.enable=true"
- "sablier.group=my-service-group"
- "sablier.start-on-demand=true"
- "sablier.timeout=5m" # Optional: per-service timeout
```
===== How Lazy Loading Works =====
**Request Flow:**
1. **HTTP Request**: User accesses service URL
2. **Traefik Routing**: Request hits Traefik with Sablier middleware
3. **Sablier Check**: Sablier checks if target service is running
4. **Container Start**: If stopped, Sablier starts the container
5. **Health Wait**: Waits for service to be ready
6. **Request Forward**: Forwards request to running service
7. **Timeout Reset**: Resets inactivity timer
**Automatic Shutdown:**
* **Inactivity Detection**: No requests for timeout period
* **Graceful Shutdown**: Container stopped cleanly
* **Resource Recovery**: CPU/memory freed up
* **Restart Ready**: Ready for next access
===== Service Configuration =====
**Basic Setup:**
```yaml
services:
my-service:
image: my-service:latest
labels:
# Traefik labels (normal)
- "traefik.enable=true"
- "traefik.http.routers.my-service.rule=Host(`my-service.${DOMAIN}`)"
- "traefik.http.routers.my-service.entrypoints=websecure"
- "traefik.http.routers.my-service.tls.certresolver=letsencrypt"
- "traefik.http.routers.my-service.middlewares=authelia@docker"
# Sablier labels (lazy loading)
- "sablier.enable=true"
- "sablier.group=my-service"
- "sablier.start-on-demand=true"
```
**Advanced Configuration:**
```yaml
labels:
# Custom timeout (overrides global)
- "sablier.timeout=10m"
# Custom session duration
- "sablier.session-duration=24h"
# Group multiple services
- "sablier.group=media-stack"
```
===== Timeout Management =====
**Global Timeout:**
```yaml
environment:
- SABLIER_TIMEOUT=5m # Default 5 minutes
```
**Per-Service Timeout:**
```yaml
labels:
- "sablier.timeout=15m" # Override for this service
```
**Session Duration:**
```yaml
environment:
- SABLIER_SESSION_DURATION=168h # 7 days default
```
**Timeout Behavior:**
* **Activity Reset**: Each request resets the timer
* **Graceful Shutdown**: Clean container stop
* **Resource Recovery**: Memory/CPU freed
* **Quick Restart**: Fast startup on next access
===== Group Management =====
**Service Groups:**
```yaml
# Related services in same group
services:
sonarr:
labels:
- "sablier.group=media-management"
radarr:
labels:
- "sablier.group=media-management"
prowlarr:
labels:
- "sablier.group=media-management"
```
**Group Benefits:**
* **Coordinated Startup**: Start related services together
* **Shared Timeout**: Group timeout applies to all
* **Resource Management**: Better resource planning
* **Dependency Handling**: Handle service dependencies
===== Monitoring & Troubleshooting =====
**Sablier Logs:**
```bash
# View Sablier logs
docker logs sablier
# Follow logs in real-time
docker logs -f sablier
```
**Startup Monitoring:**
```bash
# Check service startup
docker logs sablier | grep "Starting container"
# Monitor shutdowns
docker logs sablier | grep "Stopping container"
```
**Debug Mode:**
```yaml
environment:
- SABLIER_LOG_LEVEL=debug
```
**Common Issues:**
**Service Not Starting:**
```bash
# Check Sablier logs
docker logs sablier | grep -i "error\|failed"
# Verify Docker socket access
docker exec sablier ls -la /var/run/docker.sock
# Check network connectivity
docker exec sablier ping -c 2 traefik
```
**Timeout Issues:**
* **Too Short**: Services stopping too quickly
* **Too Long**: Resources not freed timely
* **Per-Service**: Override global timeout
* **Testing**: Monitor actual usage patterns
**Middleware Issues:**
* **Traefik Config**: Verify middleware order
* **Label Format**: Check label syntax
* **Network Access**: Ensure Sablier can reach Docker API
**Troubleshooting Steps:**
1. **Check logs**: `docker logs sablier`
2. **Verify labels**: Check service configuration
3. **Test startup**: Manual container start
4. **Check network**: Verify Docker API access
5. **Restart Sablier**: `docker restart sablier`
===== Performance Optimization =====
**Resource Limits:**
```yaml
deploy:
resources:
limits:
cpus: '0.2' # Low CPU usage
memory: 128M # Minimal memory
reservations:
cpus: '0.05'
memory: 32M
```
**Timeout Tuning:**
* **Frequent Access**: Longer timeouts (15-30m)
* **Infrequent Access**: Shorter timeouts (2-5m)
* **Resource Intensive**: Consider manual management
* **User Patterns**: Monitor and adjust based on usage
**Startup Optimization:**
* **Health Checks**: Fast health check endpoints
* **Dependencies**: Minimize startup dependencies
* **Caching**: Use persistent volumes for data
* **Pre-warming**: Keep critical services running
===== Security Considerations =====
**Docker Socket Access:**
* **Read-Only**: Mount socket as read-only
* **Limited Access**: Only Sablier container access
* **Network Isolation**: Separate network for Sablier
* **Monitoring**: Monitor Docker API usage
**Service Security:**
* **No Direct Access**: Services only accessible via Traefik
* **Authentication**: Authelia protection maintained
* **SSL**: HTTPS encryption preserved
* **Timeout Security**: Automatic cleanup prevents exposure
===== Advanced Configuration =====
**Custom Strategies:**
```yaml
environment:
- SABLIER_STRATEGY=docker-api # Default
# Alternative: kubernetes, swarm
```
**Queue Management:**
```yaml
environment:
- SABLIER_QUEUE_SIZE=10 # Concurrent startups
- SABLIER_QUEUE_TIMEOUT=30s # Queue wait timeout
```
**Health Check Configuration:**
```yaml
environment:
- SABLIER_HEALTH_CHECK=true
- SABLIER_HEALTH_CHECK_TIMEOUT=30s
- SABLIER_HEALTH_CHECK_INTERVAL=5s
```
**Dynamic Configuration:**
```yaml
# Via environment variables
environment:
- SABLIER_SERVICES=my-service:5m,other-service:10m
```
===== Integration Examples =====
**Media Management Stack:**
```yaml
services:
sonarr:
labels:
- "sablier.enable=true"
- "sablier.group=media-mgmt"
- "sablier.timeout=15m"
radarr:
labels:
- "sablier.enable=true"
- "sablier.group=media-mgmt"
- "sablier.timeout=15m"
prowlarr:
labels:
- "sablier.enable=true"
- "sablier.group=media-mgmt"
- "sablier.timeout=10m"
```
**Development Tools:**
```yaml
services:
code-server:
labels:
- "sablier.enable=true"
- "sablier.group=dev-tools"
- "sablier.timeout=2h" # Longer for development
jupyter:
labels:
- "sablier.enable=true"
- "sablier.group=dev-tools"
- "sablier.timeout=1h"
```
===== Best Practices =====
**Service Selection:**
* **Infrequently Used**: Perfect for rarely accessed services
* **Resource Intensive**: Save resources on heavy services
* **Development Tools**: Good for dev environments
* **Always-On**: Keep critical services running
**Timeout Configuration:**
* **Monitor Usage**: Track actual access patterns
* **Adjust Gradually**: Start conservative, adjust based on logs
* **Per-Service**: Different timeouts for different services
* **User Feedback**: Consider user experience
**Resource Management:**
* **Capacity Planning**: Calculate resource savings
* **Monitoring**: Track startup/shutdown patterns
* **Optimization**: Tune based on system resources
* **Backup Plan**: Manual startup if needed
**Maintenance:**
* **Log Review**: Regular log analysis
* **Performance Monitoring**: Track resource usage
* **Configuration Updates**: Update timeouts as needed
* **Documentation**: Document lazy-loaded services
===== Monitoring & Alerts =====
**Log Analysis:**
```bash
# Startup events
docker logs sablier | grep "Starting"
# Shutdown events
docker logs sablier | grep "Stopping"
# Errors
docker logs sablier | grep -i "error"
```
**Performance Metrics:**
* **Startup Time**: Time to service readiness
* **Resource Usage**: CPU/memory before/after
* **Access Patterns**: Frequency of service access
* **Timeout Effectiveness**: Actual vs configured timeouts
**Health Monitoring:**
```yaml
# Add health check
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:10000/health"]
interval: 30s
timeout: 10s
retries: 3
```
Sablier significantly reduces resource usage by keeping unused services stopped until needed, while maintaining a seamless user experience through automatic on-demand startup.
**Next:** Explore [[architecture:storage|Storage Architecture]] or return to [[services:start|Services Overview]].

366
config-templates/dokuwiki/data/pages/services/core/traefik.txt
View File

@@ -1,366 +0,0 @@
====== Traefik ======
Traefik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy. In the AI-Homelab, Traefik serves as the main entry point for all services, providing automatic HTTPS, load balancing, and routing.
===== Overview =====
**Purpose:** HTTP reverse proxy and load balancer
**URL:** `https://traefik.yourdomain.duckdns.org`
**Authentication:** Authelia SSO
**Deployment:** Automatic (core stack)
**Configuration:** File-based (YAML)
===== Key Features =====
**Automatic HTTPS:**
* Let's Encrypt integration
* Wildcard SSL certificates
* Automatic renewal (90 days)
* A+ SSL rating
**Service Discovery:**
* Docker label-based routing
* Dynamic configuration reloading
* Zero-downtime deployments
* Health check integration
**Load Balancing:**
* Round-robin distribution
* Weighted load balancing
* Session stickiness
* Circuit breaker protection
**Security:**
* HTTP security headers
* Rate limiting
* IP whitelisting
* CORS protection
===== Configuration =====
**Static Configuration (traefik.yml):**
```yaml
global:
checkNewVersion: false
sendAnonymousUsage: false
api:
dashboard: true
insecure: false
entryPoints:
web:
address: ":80"
http:
redirections:
entryPoint:
to: websecure
scheme: https
websecure:
address: ":443"
http:
tls:
certResolver: letsencrypt
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
network: traefik-network
file:
directory: /dynamic
watch: true
certificatesResolvers:
letsencrypt:
acme:
email: your-email@example.com
storage: /acme.json
dnsChallenge:
provider: duckdns
delayBeforeCheck: 30
```
**Dynamic Configuration (external.yml):**
```yaml
http:
middlewares:
authelia:
forwardAuth:
address: "http://authelia:9091/api/verify?rd=https://auth.yourdomain.duckdns.org/"
trustForwardHeader: true
authResponseHeaders:
- "Remote-User"
- "Remote-Groups"
- "Remote-Name"
- "Remote-Email"
security-headers:
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
customResponseHeaders:
X-Frame-Options: "SAMEORIGIN"
X-Content-Type-Options: "nosniff"
Referrer-Policy: "strict-origin-when-cross-origin"
Permissions-Policy: "geolocation=(), microphone=(), camera=()"
stsSeconds: 31536000
stsIncludeSubdomains: true
stsPreload: true
```
===== Docker Compose =====
```yaml
services:
traefik:
image: traefik:v3.0
container_name: traefik
restart: unless-stopped
networks:
- traefik-network
ports:
- "80:80"
- "443:443"
volumes:
- ./traefik.yml:/etc/traefik/traefik.yml:ro
- ./dynamic:/dynamic:ro
- ./acme.json:/acme.json
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- DUCKDNS_TOKEN=${DUCKDNS_TOKEN}
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)"
- "traefik.http.routers.traefik.entrypoints=websecure"
- "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
- "traefik.http.routers.traefik.middlewares=authelia@docker"
- "traefik.http.routers.traefik.service=api@internal"
- "traefik.http.services.traefik.loadbalancer.server.port=8080"
deploy:
resources:
limits:
cpus: '0.5'
memory: 256M
reservations:
cpus: '0.1'
memory: 64M
```
===== Service Routing =====
**Standard Service Labels:**
```yaml
labels:
- "traefik.enable=true"
- "traefik.http.routers.service.rule=Host(`service.${DOMAIN}`)"
- "traefik.http.routers.service.entrypoints=websecure"
- "traefik.http.routers.service.tls.certresolver=letsencrypt"
- "traefik.http.routers.service.middlewares=authelia@docker"
- "traefik.http.services.service.loadbalancer.server.port=8080"
```
**Router Components:**
* **Rule**: Host matching (e.g., `Host(`service.domain.org`)`)
* **EntryPoint**: HTTP/HTTPS endpoint
* **TLS**: Certificate resolver
* **Middlewares**: Authentication, security headers
* **Service**: Backend service definition
**Advanced Routing:**
```yaml
# Path-based routing
- "traefik.http.routers.api.rule=Host(`api.${DOMAIN}`) && PathPrefix(`/v1`)"
- "traefik.http.routers.web.rule=Host(`app.${DOMAIN}`)"
# Header-based routing
- "traefik.http.routers.mobile.rule=Host(`app.${DOMAIN}`) && Headers(`User-Agent`, `*Mobile*`)"
# Priority routing
- "traefik.http.routers.specific.rule=Host(`service.${DOMAIN}`) && Path(`/api`)"
- "traefik.http.routers.specific.priority=100"
```
===== SSL Certificate Management =====
**Certificate Generation:**
* **Challenge**: DNS-01 (DuckDNS)
* **Provider**: Let's Encrypt
* **Type**: ECDSA P-256
* **Validity**: 90 days
* **Renewal**: Automatic (30 days before expiry)
**Certificate Storage:**
* **File**: `/opt/stacks/core/traefik/acme.json`
* **Permissions**: 600 (owner read/write only)
* **Backup**: Include in backup strategy
* **Format**: JSON with encrypted private keys
**Troubleshooting SSL:**
```bash
# Check certificate status
echo | openssl s_client -connect yourdomain.duckdns.org:443 -servername service.yourdomain.duckdns.org 2>/dev/null | openssl x509 -noout -subject -dates
# View Traefik logs
docker logs traefik | grep certificate
# Check DNS TXT record
dig TXT _acme-challenge.yourdomain.duckdns.org
```
===== Monitoring & Logging =====
**Dashboard Access:**
* URL: `https://traefik.yourdomain.duckdns.org`
* Features: Real-time routing, health status, metrics
* Authentication: Authelia SSO required
**Log Configuration:**
```yaml
log:
level: INFO
format: json
accessLog:
filePath: /var/log/traefik/access.log
format: json
filters:
statusCodes: ["200-299", "400-499", "500-599"]
```
**Metrics Integration:**
* **Prometheus**: `/metrics` endpoint
* **Health Checks**: Service health monitoring
* **Performance**: Response time tracking
===== Security Features =====
**Authentication Middleware:**
* **Authelia Integration**: SSO for protected services
* **Bypass Rules**: Direct access for media services
* **Session Management**: Secure cookie handling
**Rate Limiting:**
```yaml
middlewares:
rate-limit:
rateLimit:
burst: 100
average: 50
```
**IP Whitelisting:**
```yaml
middlewares:
ip-whitelist:
ipWhiteList:
sourceRange:
- "192.168.1.0/24"
- "10.0.0.0/8"
```
===== Performance Optimization =====
**Caching:**
```yaml
middlewares:
cache:
inFlightReq:
amount: 64
```
**Compression:**
* **Gzip**: Automatic text compression
* **Brotli**: Advanced compression (if supported)
**Connection Pooling:**
* **Keep-Alive**: Persistent connections
* **Connection Reuse**: Reduced latency
* **Timeout Management**: Connection limits
===== Troubleshooting =====
**Service Not Accessible:**
```bash
# Check if service is running
docker ps | grep service-name
# Verify Traefik labels
docker inspect service-name | grep traefik
# Check Traefik logs
docker logs traefik | grep service-name
```
**SSL Issues:**
* Verify DuckDNS token
* Check DNS propagation
* Confirm port forwarding
* Review certificate logs
**Routing Problems:**
* Validate router rules
* Check middleware configuration
* Test service connectivity
* Review access logs
**Performance Issues:**
* Monitor resource usage
* Check connection limits
* Review middleware stack
* Analyze access patterns
===== External Service Proxying =====
**Proxying Non-Docker Services:**
```yaml
# In dynamic/external.yml
http:
routers:
external-service:
rule: "Host(`external.yourdomain.duckdns.org`)"
service: external-service
middlewares:
- authelia@docker
services:
external-service:
loadBalancer:
servers:
- url: "http://192.168.1.100:8123"
```
**Use Cases:**
* Raspberry Pi Home Assistant
* NAS devices
* Legacy applications
* Network printers
===== Best Practices =====
**Configuration Management:**
* Use version control for config files
* Test changes in staging
* Document custom routing rules
* Regular backup of acme.json
**Security:**
* Keep Traefik updated
* Monitor access logs
* Use strong authentication
* Regular security audits
**Performance:**
* Implement appropriate caching
* Use connection pooling
* Monitor resource usage
* Optimize middleware stack
**Monitoring:**
* Set up alerts for failures
* Monitor certificate expiry
* Track performance metrics
* Regular log analysis
Traefik is the backbone of your homelab's networking infrastructure, providing secure, efficient, and reliable service routing.
**Next:** Learn about [[services:core:authelia|Authelia]] or [[services:core:duckdns|DuckDNS]].

428
config-templates/dokuwiki/data/pages/services/infrastructure/code-server.txt
View File

@@ -1,428 +0,0 @@
====== Code Server ======
Code Server is a web-based version of Visual Studio Code that runs in your browser, providing a full development environment accessible from anywhere. It includes all VS Code features, extensions, and integrates with your homelab development workflow.
===== Overview =====
**Purpose:** Browser-based code editor
**URL:** https://code.yourdomain.duckdns.org
**Authentication:** Authelia SSO protected
**Deployment:** Infrastructure stack
**Interface:** Full VS Code web interface
===== Key Features =====
**VS Code Features:**
* **Full IDE**: Complete Visual Studio Code experience
* **Extensions**: Access to VS Code marketplace
* **Themes**: All VS Code themes and customization
* **Git Integration**: Built-in Git version control
**Web Access:**
* **Browser-based**: Access from any device
* **Responsive Design**: Works on desktop and mobile
* **Persistent Sessions**: Maintain work sessions
* **File Synchronization**: Sync across devices
**Development Tools:**
* **Terminal Integration**: Built-in terminal access
* **Debugging**: Full debugging capabilities
* **Extensions**: Python, Docker, GitHub Copilot
* **Language Support**: 50+ programming languages
===== Configuration =====
**Container Configuration:**
```yaml
services:
code-server:
image: lscr.io/linuxserver/code-server:latest
container_name: code-server
restart: unless-stopped
environment:
- PUID=1000
- PGID=1000
- TZ=${TZ}
- PASSWORD=${CODE_SERVER_PASSWORD}
- SUDO_PASSWORD=${CODE_SERVER_PASSWORD}
- PROXY_DOMAIN=${DOMAIN}
- DEFAULT_WORKSPACE=/config/workspace
volumes:
- ./code-server/config:/config
- /opt/stacks:/opt/stacks:ro
- /home/kelin/AI-Homelab:/workspace
networks:
- traefik-network
deploy:
resources:
limits:
cpus: '1.0'
memory: 1G
reservations:
cpus: '0.2'
memory: 256M
labels:
- "traefik.enable=true"
- "traefik.http.routers.code-server.rule=Host(`code.${DOMAIN}`)"
- "traefik.http.routers.code-server.entrypoints=websecure"
- "traefik.http.routers.code-server.tls.certresolver=letsencrypt"
- "traefik.http.routers.code-server.middlewares=authelia@docker"
- "traefik.http.services.code-server.loadbalancer.server.port=8443"
- "x-dockge.url=https://code.${DOMAIN}"
```
**Environment Variables:**
```bash
# User permissions
PUID=1000
PGID=1000
# Authentication
PASSWORD=your-secure-password
SUDO_PASSWORD=your-secure-password
# Domain configuration
PROXY_DOMAIN=yourdomain.duckdns.org
# Default workspace
DEFAULT_WORKSPACE=/config/workspace
```
===== Getting Started =====
**Initial Access:**
1. **Access URL**: Visit https://code.yourdomain.duckdns.org
2. **Authelia Login**: Authenticate with SSO
3. **Password Setup**: Enter container password
4. **Workspace Setup**: Configure your workspace
**Interface Overview:**
* **Explorer**: File and folder navigation
* **Editor**: Code editing with syntax highlighting
* **Terminal**: Integrated command line access
* **Extensions**: VS Code extension marketplace
* **Settings**: Full VS Code configuration
===== Workspace Configuration =====
**Directory Mounting:**
```yaml
volumes:
# AI-Homelab repository
- /home/kelin/AI-Homelab:/workspace
# Stack configurations
- /opt/stacks:/opt/stacks:ro
# User configuration
- ./code-server/config:/config
```
**Workspace Settings:**
```json
// .vscode/settings.json in workspace
{
"python.defaultInterpreterPath": "/usr/bin/python3",
"git.enableSmartCommit": true,
"editor.formatOnSave": true,
"terminal.integrated.shell.linux": "/bin/bash"
}
```
**Recommended Extensions:**
* **GitHub Copilot**: AI-powered code completion
* **Python**: Python language support
* **Docker**: Container management
* **GitLens**: Enhanced Git capabilities
* **Remote SSH**: Remote development
===== Development Workflow =====
**Homelab Development:**
* **Stack Editing**: Edit docker-compose.yml files
* **Configuration Management**: Modify service configurations
* **Script Development**: Create automation scripts
* **Documentation**: Edit wiki and documentation
**AI Integration:**
* **GitHub Copilot**: AI-powered code suggestions
* **AI Toolkit**: Access to AI development tools
* **Model Testing**: Test AI models and integrations
* **Workflow Development**: Create AI agent workflows
**Version Control:**
* **Git Integration**: Full Git repository management
* **Branch Management**: Create and manage branches
* **Commit Management**: Stage, commit, and push changes
* **Conflict Resolution**: Handle merge conflicts
===== Extensions & Customization =====
**Essential Extensions:**
```json
{
"recommendations": [
"ms-python.python",
"ms-vscode.vscode-json",
"ms-vscode-remote.remote-ssh",
"GitHub.copilot",
"ms-vscode.vscode-docker",
"eamodio.gitlens",
"ms-vscode.vscode-yaml",
"redhat.vscode-yaml"
]
}
```
**Theme Configuration:**
```json
// Dark theme with high contrast
{
"workbench.colorTheme": "Default Dark Modern",
"editor.fontSize": 14,
"editor.lineHeight": 1.6,
"terminal.integrated.fontSize": 13
}
```
**Keybindings:**
```json
// Custom keybindings
[
{
"key": "ctrl+shift+t",
"command": "workbench.action.terminal.new"
},
{
"key": "ctrl+shift+g",
"command": "gitlens.showCommitSearch"
}
]
```
===== Terminal Integration =====
**Terminal Configuration:**
```json
{
"terminal.integrated.shell.linux": "/bin/bash",
"terminal.integrated.cwd": "/workspace",
"terminal.integrated.env.linux": {
"PATH": "/usr/local/bin:/usr/bin:/bin"
}
}
```
**Docker Commands:**
```bash
# Access from terminal
docker ps
docker logs container-name
docker exec -it container-name /bin/bash
```
**Development Commands:**
```bash
# Python development
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
# Git operations
git status
git add .
git commit -m "Update"
git push origin main
```
===== Security Considerations =====
**Access Control:**
* **Authelia Protection**: SSO authentication required
* **Password Protection**: Additional container password
* **Network Isolation**: Container network restrictions
* **File Permissions**: Proper user permission mapping
**Data Protection:**
* **Workspace Security**: Secure workspace access
* **Git Credentials**: Secure Git authentication
* **Extension Security**: Verify extension sources
* **Session Security**: Secure web sessions
===== Performance Optimization =====
**Resource Management:**
```yaml
deploy:
resources:
limits:
cpus: '1.0'
memory: 1G
reservations:
cpus: '0.2'
memory: 256M
```
**Performance Tuning:**
* **Extension Management**: Limit active extensions
* **File Watching**: Configure file watcher limits
* **Memory Usage**: Monitor memory consumption
* **Caching**: Enable appropriate caching
===== Troubleshooting =====
**Connection Issues:**
```bash
# Check service status
docker ps | grep code-server
# View logs
docker logs code-server
# Test web access
curl -k https://code.yourdomain.duckdns.org
```
**Extension Problems:**
* **Installation Failures**: Check network connectivity
* **Compatibility Issues**: Verify VS Code version compatibility
* **Permission Errors**: Check file permissions
* **Cache Issues**: Clear extension cache
**Workspace Issues:**
* **File Access**: Verify volume mount permissions
* **Git Problems**: Check Git configuration
* **Python Issues**: Verify Python interpreter path
* **Extension Sync**: Check settings synchronization
**Performance Issues:**
* **High CPU Usage**: Reduce active extensions
* **Memory Problems**: Increase memory limits
* **Slow Loading**: Clear browser cache
* **Network Latency**: Check network performance
**Troubleshooting Steps:**
1. **Check logs**: `docker logs code-server`
2. **Verify configuration**: Check environment variables
3. **Test connectivity**: Access web interface
4. **Clear cache**: Clear browser and extension cache
5. **Restart service**: `docker restart code-server`
===== Integration with Homelab =====
**Stack Management:**
* **Compose Editing**: Edit docker-compose.yml files
* **Configuration Management**: Modify service settings
* **Script Development**: Create deployment scripts
* **Documentation**: Update wiki and docs
**AI Development:**
* **Model Testing**: Test AI models in isolated environment
* **Workflow Development**: Create AI agent workflows
* **API Integration**: Develop API integrations
* **Tool Development**: Build custom tools and extensions
**Monitoring & Debugging:**
* **Log Analysis**: Analyze service logs
* **Performance Monitoring**: Monitor system performance
* **Network Debugging**: Debug network connectivity
* **Container Debugging**: Debug containerized applications
===== Best Practices =====
**Workspace Organization:**
* **Project Structure**: Maintain clean project structure
* **Version Control**: Use Git for all projects
* **Documentation**: Document code and configurations
* **Backup**: Regular workspace backups
**Development Workflow:**
* **Branch Strategy**: Use feature branches
* **Code Reviews**: Review code changes
* **Testing**: Test changes before deployment
* **Documentation**: Update documentation
**Security:**
* **Access Control**: Limit workspace access
* **Credential Management**: Secure sensitive credentials
* **Extension Verification**: Only trusted extensions
* **Session Management**: Proper session handling
**Performance:**
* **Resource Limits**: Appropriate resource allocation
* **Extension Management**: Keep extensions updated
* **Cache Management**: Regular cache cleanup
* **Optimization**: Optimize for your use case
===== Use Cases =====
**Homelab Management:**
* **Service Configuration**: Edit service configurations
* **Script Development**: Create automation scripts
* **Documentation**: Maintain project documentation
* **Troubleshooting**: Debug homelab issues
**Development Work:**
* **Code Development**: Full-stack development
* **API Development**: Build and test APIs
* **Testing**: Unit and integration testing
* **Debugging**: Application debugging
**Remote Development:**
* **Mobile Development**: Code on mobile devices
* **Travel Access**: Access code while traveling
* **Collaborative Work**: Share development environment
* **Backup Access**: Access code from any location
**Education & Learning:**
* **Tutorial Following**: Follow coding tutorials
* **Experimentation**: Test new technologies
* **Documentation**: Create learning materials
* **Project Development**: Build personal projects
===== Advanced Configuration =====
**Custom Extensions:**
```json
// Install custom extensions
{
"extensions": {
"recommendations": [
"ms-python.python",
"GitHub.copilot"
]
}
}
```
**Remote Development:**
```json
// SSH configuration for remote development
{
"remote.SSH.configFile": "~/.ssh/config",
"remote.SSH.remotePlatform": {
"homelab-server": "linux"
}
}
```
**Task Automation:**
```json
// tasks.json for automation
{
"version": "2.0.0",
"tasks": [
{
"label": "Deploy Stack",
"type": "shell",
"command": "docker-compose",
"args": ["up", "-d"],
"group": "build"
}
]
}
```
Code Server provides a full-featured development environment in your browser, perfectly integrated with your homelab workflow and AI development tools.
**Next:** Learn about [[services:infrastructure:docker-proxy|Docker Proxy]] or explore [[getting_started:access|Access Guide]].

384
config-templates/dokuwiki/data/pages/services/infrastructure/docker-proxy.txt
View File

@@ -1,384 +0,0 @@
====== Docker Proxy ======
Docker Proxy provides secure remote access to the Docker daemon socket, enabling safe Docker API access from external tools and services. It acts as a secure proxy between Docker clients and the Docker daemon.
===== Overview =====
**Purpose:** Secure Docker socket proxy
**Deployment:** Infrastructure stack
**Access Method:** TCP socket (no web UI)
**Security:** TLS encryption and authentication
**Integration:** External Docker tool access
===== Key Features =====
**Secure Access:**
* **TLS Encryption**: Encrypted Docker API communication
* **Authentication**: Client certificate authentication
* **Access Control**: Granular permission control
* **Audit Logging**: Comprehensive access logging
**Proxy Features:**
* **Socket Proxy**: TCP proxy for Docker socket
* **API Compatibility**: Full Docker API support
* **Connection Pooling**: Efficient connection management
* **Load Balancing**: Distribute requests across instances
**Monitoring:**
* **Request Logging**: Log all Docker API requests
* **Performance Metrics**: Monitor proxy performance
* **Health Checks**: Proxy health monitoring
* **Error Tracking**: Track and report errors
===== Configuration =====
**Container Configuration:**
```yaml
services:
docker-proxy:
image: tecnativa/docker-socket-proxy:latest
container_name: docker-proxy
restart: unless-stopped
environment:
- CONTAINERS=1
- SERVICES=1
- TASKS=1
- NODES=0
- SWARM=0
- NETWORKS=0
- VOLUMES=0
- IMAGES=0
- EXEC=0
- INFO=1
- VERSION=1
- PING=1
- BUILD=0
- COMMIT=0
- CONFIGS=0
- DISTRIBUTION=0
- EVENTS=1
- GRPC=0
- LOGS=1
- PLUGINS=0
- POST=0
- SECRETS=0
- SESSION=0
- SYSTEM=0
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
ports:
- 2376:2376
networks:
- traefik-network
deploy:
resources:
limits:
cpus: '0.2'
memory: 64M
reservations:
cpus: '0.01'
memory: 16M
```
**Permission Levels:**
```bash
# Read-only access (recommended)
CONTAINERS=1 # List containers
SERVICES=1 # List services
TASKS=1 # List tasks
INFO=1 # System info
VERSION=1 # Version info
PING=1 # Health checks
EVENTS=1 # Docker events
LOGS=1 # Container logs
# Write access (use carefully)
IMAGES=1 # Pull/push images
NETWORKS=1 # Network management
VOLUMES=1 # Volume management
EXEC=1 # Execute commands
BUILD=1 # Build images
POST=1 # Create resources
```
===== Security Configuration =====
**TLS Setup:**
```yaml
# Generate certificates
openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
-subj "/C=US/ST=State/L=City/O=Organization/CN=docker-proxy" \
-keyout docker-proxy.key -out docker-proxy.crt
# Mount certificates
volumes:
- ./certs/docker-proxy.crt:/certs/server.crt:ro
- ./certs/docker-proxy.key:/certs/server.key:ro
```
**Client Authentication:**
```bash
# Client certificate authentication
environment:
- AUTH=1
- CERTS_PATH=/certs
volumes:
- ./certs:/certs:ro
```
**Access Control:**
* **IP Whitelisting**: Restrict access by IP address
* **Certificate Validation**: Require valid client certificates
* **Permission Levels**: Granular API permission control
* **Rate Limiting**: Prevent abuse and DoS attacks
===== Usage Examples =====
**Docker Client Connection:**
```bash
# Connect using TCP
export DOCKER_HOST=tcp://localhost:2376
docker ps
# With TLS
export DOCKER_HOST=tcp://localhost:2376
export DOCKER_TLS_VERIFY=1
export DOCKER_CERT_PATH=/path/to/certs
docker ps
```
**External Tool Integration:**
```python
# Python Docker client
import docker
client = docker.DockerClient(base_url='tcp://localhost:2376')
containers = client.containers.list()
```
**CI/CD Integration:**
```yaml
# GitHub Actions example
- name: Connect to Docker
run: |
echo "DOCKER_HOST=tcp://docker-proxy:2376" >> $GITHUB_ENV
docker ps
```
**Monitoring Integration:**
```bash
# Prometheus metrics
curl http://localhost:2376/metrics
# Health check
curl http://localhost:2376/_ping
```
===== Monitoring & Troubleshooting =====
**Proxy Logs:**
```bash
# View proxy logs
docker logs docker-proxy
# Follow logs in real-time
docker logs -f docker-proxy
```
**Connection Testing:**
```bash
# Test basic connectivity
telnet localhost 2376
# Test Docker API
curl http://localhost:2376/_ping
# Test with Docker client
DOCKER_HOST=tcp://localhost:2376 docker version
```
**Permission Issues:**
* **Access Denied**: Check permission environment variables
* **Certificate Errors**: Verify TLS certificate configuration
* **Network Issues**: Check firewall and network connectivity
* **Socket Access**: Verify Docker socket permissions
**Performance Issues:**
* **High Latency**: Check network configuration
* **Connection Limits**: Monitor concurrent connections
* **Resource Usage**: Check CPU/memory usage
* **Rate Limiting**: Adjust rate limiting settings
**Troubleshooting Steps:**
1. **Check logs**: `docker logs docker-proxy`
2. **Test connectivity**: Verify TCP connection
3. **Validate permissions**: Check environment variables
4. **Test Docker client**: Verify Docker API access
5. **Restart service**: `docker restart docker-proxy`
===== Advanced Configuration =====
**High Availability:**
```yaml
# Multiple proxy instances
services:
docker-proxy-1:
# Configuration for instance 1
docker-proxy-2:
# Configuration for instance 2
load-balancer:
# Load balancer configuration
```
**Custom TLS Configuration:**
```yaml
environment:
- TLS_CERT=/certs/custom.crt
- TLS_KEY=/certs/custom.key
- TLS_CA=/certs/ca.crt
```
**Rate Limiting:**
```yaml
environment:
- RATE_LIMIT=100 # Requests per minute
- BURST_LIMIT=20 # Burst allowance
```
**Audit Logging:**
```yaml
environment:
- LOG_LEVEL=debug
- AUDIT_LOG=/logs/audit.log
volumes:
- ./logs:/logs
```
===== Security Best Practices =====
**Access Control:**
* **Principle of Least Privilege**: Grant minimal required permissions
* **Network Segmentation**: Isolate proxy network access
* **Certificate Management**: Regular certificate rotation
* **Monitoring**: Continuous access monitoring
**TLS Security:**
* **Strong Ciphers**: Use modern TLS cipher suites
* **Certificate Validation**: Enable client certificate validation
* **Perfect Forward Secrecy**: Enable PFS cipher suites
* **Regular Updates**: Keep TLS libraries updated
**Operational Security:**
* **Log Analysis**: Regular security log review
* **Intrusion Detection**: Monitor for suspicious activity
* **Backup Security**: Secure configuration backups
* **Incident Response**: Have security incident procedures
===== Integration Patterns =====
**CI/CD Pipelines:**
```yaml
# Jenkins pipeline
pipeline {
agent any
stages {
stage('Build') {
steps {
script {
docker.withServer('tcp://docker-proxy:2376') {
docker.build('my-app')
}
}
}
}
}
}
```
**Monitoring Integration:**
```yaml
# Prometheus configuration
scrape_configs:
- job_name: 'docker-proxy'
static_configs:
- targets: ['docker-proxy:2376']
metrics_path: '/metrics'
```
**Backup Integration:**
```bash
# Backup Docker configurations
DOCKER_HOST=tcp://localhost:2376 docker system info > system-info.json
DOCKER_HOST=tcp://localhost:2376 docker config ls > configs.json
```
===== Performance Optimization =====
**Resource Management:**
```yaml
deploy:
resources:
limits:
cpus: '0.2'
memory: 64M
reservations:
cpus: '0.01'
memory: 16M
```
**Connection Optimization:**
* **Connection Pooling**: Reuse connections efficiently
* **Timeout Configuration**: Appropriate request timeouts
* **Concurrent Limits**: Control simultaneous connections
* **Caching**: Cache frequently accessed data
===== Use Cases =====
**Development Environments:**
* **Remote Docker Access**: Access Docker from development machines
* **CI/CD Integration**: Integrate with build pipelines
* **Testing Environments**: Isolated testing environments
* **Container Management**: Manage containers from external tools
**Production Management:**
* **Monitoring Tools**: Connect monitoring tools to Docker API
* **Management Platforms**: Integrate with Docker management platforms
* **Backup Solutions**: Connect backup tools to Docker
* **Security Scanning**: Integrate security scanning tools
**Homelab Management:**
* **Portainer Integration**: Connect Portainer to Docker API
* **External Tools**: Use Docker CLI from external machines
* **Automation Scripts**: Run Docker automation scripts
* **Monitoring Integration**: Connect monitoring stacks
**Enterprise Integration:**
* **Centralized Management**: Connect to enterprise Docker platforms
* **Compliance Monitoring**: Meet compliance requirements
* **Audit Trails**: Maintain Docker operation audit logs
* **Security Integration**: Integrate with security platforms
===== Backup & Recovery =====
**Configuration Backup:**
```bash
# Backup proxy configuration
docker run --rm \
-v docker-proxy-config:/config \
-v $(pwd)/backup:/backup \
busybox tar czf /backup/docker-proxy-config.tar.gz /config
```
**Certificate Management:**
* **Certificate Backup**: Regular certificate backups
* **Key Rotation**: Periodic key rotation procedures
* **Certificate Monitoring**: Monitor certificate expiration
* **Renewal Process**: Automated certificate renewal
Docker Proxy provides secure, controlled access to the Docker daemon, enabling safe integration with external tools and services while maintaining security and audit capabilities.
**Next:** Explore [[services:media:start|Media Services]] or return to [[services:start|Services Overview]].

313
config-templates/dokuwiki/data/pages/services/infrastructure/dockge.txt
View File

@@ -1,313 +0,0 @@
====== Dockge ======
Dockge is the primary web-based interface for managing Docker stacks in your homelab. It provides a clean, intuitive way to deploy, monitor, and manage all your services through a web UI, making it the central hub for homelab management.
===== Overview =====
**Purpose:** Docker stack management interface
**URL:** https://dockge.yourdomain.duckdns.org
**Authentication:** Authelia SSO protected
**Deployment:** Infrastructure stack
**Interface:** Modern web UI with drag-and-drop
===== Key Features =====
**Stack Management:**
* **Visual Interface**: Web-based stack management
* **Compose File Editing**: Direct YAML editing
* **One-Click Deploy**: Deploy stacks with single click
* **Real-time Monitoring**: Live container status
**Container Operations:**
* **Start/Stop/Restart**: Individual container control
* **Log Viewing**: Integrated log viewer
* **Resource Monitoring**: CPU/memory usage
* **Network Inspection**: Container networking info
**File Management:**
* **Directory Browser**: Navigate stack directories
* **File Editor**: Edit configuration files
* **Upload/Download**: File transfer capabilities
* **Backup Integration**: Stack backup/restore
===== Configuration =====
**Container Configuration:**
```yaml
services:
dockge:
image: louislam/dockge:1
container_name: dockge
restart: unless-stopped
environment:
- DOCKGE_STACKS_DIR=/opt/stacks
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- /opt/stacks:/opt/stacks
- ./dockge/data:/app/data
ports:
- 5001:5001
networks:
- traefik-network
deploy:
resources:
limits:
cpus: '0.5'
memory: 256M
reservations:
cpus: '0.1'
memory: 64M
labels:
- "traefik.enable=true"
- "traefik.http.routers.dockge.rule=Host(`dockge.${DOMAIN}`)"
- "traefik.http.routers.dockge.entrypoints=websecure"
- "traefik.http.routers.dockge.tls.certresolver=letsencrypt"
- "traefik.http.routers.dockge.middlewares=authelia@docker"
- "traefik.http.services.dockge.loadbalancer.server.port=5001"
- "x-dockge.url=https://dockge.${DOMAIN}"
```
**Directory Structure:**
```
/opt/stacks/
├── core/ # Core infrastructure
├── infrastructure/ # Management tools
├── media/ # Media services
├── media-management/ # Download automation
├── dashboards/ # Dashboard services
├── homeassistant/ # Home automation
├── productivity/ # Office tools
├── monitoring/ # Observability
├── utilities/ # Backup/utilities
└── development/ # Dev tools
```
===== Getting Started =====
**Initial Access:**
1. **Deploy Infrastructure Stack**: Run deploy script or manual deployment
2. **Access URL**: Visit https://dockge.yourdomain.duckdns.org
3. **Authelia Login**: Authenticate with your credentials
4. **First Stack**: Create your first stack
**Interface Overview:**
* **Left Sidebar**: Stack categories and navigation
* **Main Panel**: Stack list with status indicators
* **Top Bar**: Search, settings, and actions
* **Stack Cards**: Individual stack management
===== Stack Operations =====
**Creating a New Stack:**
1. **Click "Compose"**: Open compose file editor
2. **Enter Stack Name**: Choose directory name
3. **Paste YAML**: Copy docker-compose.yml content
4. **Deploy**: Click deploy button
5. **Monitor**: Watch deployment progress
**Managing Existing Stacks:**
* **Start/Stop**: Control stack lifecycle
* **Update**: Pull new images and restart
* **Edit**: Modify compose files
* **Logs**: View container logs
* **Terminal**: Access container shells
**Stack Status Indicators:**
* **🟢 Running**: All containers healthy
* **🟡 Partial**: Some containers issues
* **🔴 Stopped**: Stack not running
* **🔵 Updating**: Stack being updated
===== File Management =====
**Directory Navigation:**
* **Browse Stacks**: Navigate /opt/stacks directory
* **File Editor**: Edit YAML, config files
* **Upload Files**: Drag-and-drop file uploads
* **Download**: Download files from containers
**Configuration Editing:**
* **Syntax Highlighting**: YAML, JSON, text files
* **Save Changes**: Auto-save or manual save
* **Version Control**: Track file changes
* **Backup**: Automatic file backups
===== Container Management =====
**Individual Container Control:**
* **Start/Stop/Restart**: Container lifecycle
* **Logs**: Real-time log streaming
* **Exec**: Run commands in containers
* **Inspect**: View container details
**Resource Monitoring:**
* **CPU Usage**: Real-time CPU monitoring
* **Memory Usage**: RAM consumption tracking
* **Network I/O**: Traffic monitoring
* **Disk Usage**: Storage utilization
===== Advanced Features =====
**Environment Variables:**
```yaml
# Global environment file
# /opt/stacks/.env
DOMAIN=yourdomain.duckdns.org
PUID=1000
PGID=1000
TZ=America/New_York
```
**Stack Dependencies:**
* **Service Dependencies**: depends_on configuration
* **Network Dependencies**: Shared networks
* **Volume Dependencies**: Shared storage
* **Health Checks**: Service readiness
**Backup & Restore:**
* **Stack Export**: Download compose files
* **Configuration Backup**: Environment files
* **Volume Backup**: Data persistence
* **Full Restore**: Complete stack recovery
===== Integration with AI Assistant =====
**AI-Powered Management:**
* **Service Creation**: AI generates compose files
* **Configuration Help**: AI assists with setup
* **Troubleshooting**: AI analyzes logs and issues
* **Documentation**: AI maintains service docs
**Workflow Integration:**
* **VS Code**: Direct file editing
* **GitHub Copilot**: AI assistance for configurations
* **Automated Deployments**: Script-based stack management
* **Monitoring Integration**: Health check automation
===== Security Considerations =====
**Access Control:**
* **Authelia Protection**: SSO authentication required
* **User Permissions**: Container user mapping (PUID/PGID)
* **Docker Socket**: Read-only access to Docker API
* **Network Isolation**: Container network segmentation
**Data Protection:**
* **Encrypted Connections**: HTTPS via Traefik
* **Secure Storage**: Sensitive data in environment files
* **Backup Security**: Encrypted backup storage
* **Access Logging**: User action auditing
===== Performance Optimization =====
**Resource Management:**
```yaml
deploy:
resources:
limits:
cpus: '0.5'
memory: 256M
reservations:
cpus: '0.1'
memory: 64M
```
**Container Optimization:**
* **Image Updates**: Regular security updates
* **Log Rotation**: Prevent disk space issues
* **Cache Management**: Docker layer caching
* **Network Efficiency**: Optimized container networking
===== Troubleshooting =====
**Common Issues:**
**Cannot Connect to Docker:**
```bash
# Check Docker socket permissions
ls -la /var/run/docker.sock
# Verify Docker is running
docker ps
# Check container logs
docker logs dockge
```
**Stack Deployment Fails:**
* **YAML Syntax**: Validate compose file syntax
* **Port Conflicts**: Check for port usage conflicts
* **Network Issues**: Verify network connectivity
* **Permission Errors**: Check file/directory permissions
**Web Interface Issues:**
* **Traefik Routing**: Verify Traefik configuration
* **Authelia Access**: Check SSO authentication
* **SSL Certificates**: Validate certificate status
* **Browser Cache**: Clear browser cache
**Troubleshooting Steps:**
1. **Check logs**: `docker logs dockge`
2. **Validate configuration**: Test compose file syntax
3. **Network connectivity**: Verify Docker network access
4. **Restart service**: `docker restart dockge`
5. **Check dependencies**: Ensure required services running
===== Best Practices =====
**Stack Organization:**
* **Logical Grouping**: Group related services
* **Naming Convention**: Consistent naming patterns
* **Documentation**: Comment complex configurations
* **Version Control**: Track configuration changes
**Maintenance:**
* **Regular Updates**: Keep images updated
* **Backup Routine**: Regular configuration backups
* **Log Monitoring**: Review logs for issues
* **Performance Tuning**: Optimize resource usage
**Security:**
* **Access Control**: Limit user permissions
* **Network Security**: Use secure networks
* **Data Encryption**: Encrypt sensitive data
* **Audit Logging**: Monitor access and changes
**Workflow:**
* **Testing**: Test changes in development first
* **Documentation**: Document custom configurations
* **Automation**: Use scripts for repetitive tasks
* **Monitoring**: Monitor stack health continuously
===== Integration Examples =====
**Adding a New Service:**
```yaml
# 1. Create new stack directory
# 2. Add docker-compose.yml
# 3. Configure environment variables
# 4. Deploy via Dockge UI
# 5. Test service functionality
```
**Service Updates:**
```yaml
# 1. Edit compose file in Dockge
# 2. Update image version
# 3. Deploy changes
# 4. Monitor startup logs
# 5. Verify functionality
```
**Backup Strategy:**
```yaml
# 1. Export stack configurations
# 2. Backup environment files
# 3. Backup persistent volumes
# 4. Store backups securely
# 5. Test restore procedures
```
Dockge serves as the central nervous system of your homelab, providing intuitive management of all your Docker services through a modern web interface.
**Next:** Learn about [[services:infrastructure:pihole|Pi-hole]] or explore [[getting_started:deployment|Deployment Guide]].

343
config-templates/dokuwiki/data/pages/services/infrastructure/dozzle.txt
View File

@@ -1,343 +0,0 @@
====== Dozzle ======
Dozzle is a real-time log viewer for Docker containers, providing a web-based interface to monitor and search through container logs. It offers live log streaming, filtering capabilities, and multi-container log management.
===== Overview =====
**Purpose:** Real-time Docker log viewer
**URL:** https://dozzle.yourdomain.duckdns.org
**Authentication:** Authelia SSO protected
**Deployment:** Infrastructure stack
**Interface:** Modern web UI with live updates
===== Key Features =====
**Log Viewing:**
* **Real-time Streaming**: Live log updates
* **Multi-container**: View multiple containers simultaneously
* **Search & Filter**: Advanced log filtering
* **Color Coding**: Syntax highlighting for different log levels
**Container Management:**
* **Container List**: All running containers
* **Status Indicators**: Container health status
* **Quick Actions**: Start/stop/restart containers
* **Resource Monitoring**: Basic CPU/memory stats
**Search & Filtering:**
* **Text Search**: Search within logs
* **Regex Support**: Regular expression filtering
* **Date Filtering**: Time-based log filtering
* **Container Filtering**: Filter by specific containers
===== Configuration =====
**Container Configuration:**
```yaml
services:
dozzle:
image: amir20/dozzle:latest
container_name: dozzle
restart: unless-stopped
environment:
- DOZZLE_USERNAME=${DOZZLE_USERNAME:-admin}
- DOZZLE_PASSWORD=${DOZZLE_PASSWORD}
- DOZZLE_LEVEL=info
- DOZZLE_TAILSIZE=100
- DOZZLE_FILTER_CONTAINERS=${DOZZLE_FILTER_CONTAINERS}
- DOZZLE_NO_ANALYTICS=true
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
networks:
- traefik-network
deploy:
resources:
limits:
cpus: '0.3'
memory: 128M
reservations:
cpus: '0.05'
memory: 32M
labels:
- "traefik.enable=true"
- "traefik.http.routers.dozzle.rule=Host(`dozzle.${DOMAIN}`)"
- "traefik.http.routers.dozzle.entrypoints=websecure"
- "traefik.http.routers.dozzle.tls.certresolver=letsencrypt"
- "traefik.http.routers.dozzle.middlewares=authelia@docker"
- "traefik.http.services.dozzle.loadbalancer.server.port=8080"
- "x-dockge.url=https://dozzle.${DOMAIN}"
```
**Environment Variables:**
```bash
# Authentication (optional, Authelia handles SSO)
DOZZLE_USERNAME=admin
DOZZLE_PASSWORD=your-secure-password
# Logging configuration
DOZZLE_LEVEL=info # debug, info, warn, error
DOZZLE_TAILSIZE=100 # Lines to show initially
# Container filtering (optional)
DOZZLE_FILTER_CONTAINERS=container1,container2
# Privacy
DOZZLE_NO_ANALYTICS=true
```
===== Interface Overview =====
**Main Dashboard:**
* **Container List**: Left sidebar with all containers
* **Log Viewer**: Main panel showing selected logs
* **Search Bar**: Top search and filter controls
* **Status Bar**: Connection and filter status
**Container Selection:**
* **Single Container**: Click to view individual logs
* **Multiple Containers**: Hold Ctrl/Cmd to select multiple
* **All Containers**: View logs from all containers
* **Container Groups**: Filter by stack or service type
**Log Display:**
* **Live Updates**: Real-time log streaming
* **Color Coding**: Different colors for log levels
* **Timestamps**: Show log timestamps
* **Line Numbers**: Reference specific log lines
===== Search & Filtering =====
**Text Search:**
```bash
# Basic search
error warning
# Case-sensitive search
/Error|Warning/
# Complex patterns
"connection refused" OR "timeout"
```
**Advanced Filtering:**
* **Container Name**: Filter by specific containers
* **Log Level**: Filter by severity (ERROR, WARN, INFO, DEBUG)
* **Time Range**: Show logs from specific time periods
* **Regex Patterns**: Use regular expressions for complex matching
**Saved Filters:**
* **Custom Filters**: Save frequently used search patterns
* **Filter Presets**: Pre-configured filter combinations
* **Quick Filters**: One-click common filters (errors only, etc.)
===== Container Management =====
**Quick Actions:**
* **Start/Stop**: Control container lifecycle
* **Restart**: Restart individual containers
* **Logs**: Jump to detailed logs
* **Exec**: Open terminal in container
**Container Information:**
* **Status**: Running, stopped, paused
* **Uptime**: How long container has been running
* **Image**: Container image and version
* **Ports**: Exposed ports and mappings
**Resource Monitoring:**
* **CPU Usage**: Real-time CPU percentage
* **Memory Usage**: RAM consumption
* **Network I/O**: Data transfer rates
* **Disk I/O**: Storage read/write operations
===== Advanced Features =====
**Log Analysis:**
* **Pattern Recognition**: Identify common error patterns
* **Anomaly Detection**: Flag unusual log patterns
* **Trend Analysis**: Track log volume over time
* **Alert Integration**: Send alerts for specific log patterns
**Export & Sharing:**
* **Log Export**: Download logs as text files
* **Share Links**: Generate shareable log links
* **API Access**: Programmatic log access
* **Integration**: Connect with other monitoring tools
**Customization:**
* **Themes**: Light/dark mode switching
* **Layout**: Customizable interface layout
* **Shortcuts**: Keyboard shortcuts for common actions
* **Notifications**: Browser notifications for events
===== Security Considerations =====
**Access Control:**
* **Authelia Protection**: SSO authentication required
* **User Permissions**: Container access restrictions
* **Log Privacy**: Sensitive data in logs
* **Network Security**: Secure Docker socket access
**Data Protection:**
* **Log Encryption**: Secure log transmission
* **Access Logging**: Audit log access
* **Data Retention**: Log retention policies
* **Privacy Controls**: Filter sensitive information
===== Performance Optimization =====
**Resource Management:**
```yaml
deploy:
resources:
limits:
cpus: '0.3'
memory: 128M
reservations:
cpus: '0.05'
memory: 32M
```
**Log Optimization:**
* **Tail Size**: Limit initial log display
* **Buffer Management**: Efficient log buffering
* **Compression**: Log compression for storage
* **Cleanup**: Automatic old log cleanup
**Container Filtering:**
```yaml
# Limit visible containers
environment:
- DOZZLE_FILTER_CONTAINERS=traefik,authelia,dockge
```
===== Troubleshooting =====
**Connection Issues:**
```bash
# Check Docker socket access
ls -la /var/run/docker.sock
# Verify Docker is running
docker ps
# Check container logs
docker logs dozzle
```
**Log Display Problems:**
* **No Logs Showing**: Check container permissions
* **Logs Not Updating**: Verify real-time connection
* **Search Not Working**: Check search syntax
* **Performance Issues**: Reduce number of containers
**Authentication Issues:**
* **Login Problems**: Verify credentials
* **Authelia Integration**: Check SSO configuration
* **Session Timeout**: Adjust session settings
* **Permission Denied**: Check user permissions
**Web Interface Issues:**
* **Page Not Loading**: Check Traefik routing
* **SSL Errors**: Verify certificate status
* **JavaScript Errors**: Clear browser cache
* **Mobile Issues**: Check responsive design
**Troubleshooting Steps:**
1. **Check logs**: `docker logs dozzle`
2. **Test connectivity**: Verify Docker socket access
3. **Validate configuration**: Check environment variables
4. **Browser testing**: Test in different browsers
5. **Restart service**: `docker restart dozzle`
===== Integration with Monitoring =====
**Prometheus Integration:**
```yaml
# Expose metrics for monitoring
environment:
- DOZZLE_ENABLE_METRICS=true
- DOZZLE_METRICS_PORT=8081
```
**Grafana Dashboards:**
* **Log Volume**: Track log generation rates
* **Error Rates**: Monitor error log frequency
* **Container Health**: Track container status
* **Performance Metrics**: CPU/memory usage trends
**Alert Integration:**
* **Error Alerts**: Alert on specific error patterns
* **Container Alerts**: Notify on container failures
* **Performance Alerts**: Alert on resource issues
* **Log Volume Alerts**: Alert on unusual log activity
===== Best Practices =====
**Log Management:**
* **Regular Monitoring**: Daily log review routine
* **Search Optimization**: Use efficient search patterns
* **Filter Usage**: Create useful filter presets
* **Export Strategy**: Regular log exports for analysis
**Container Organization:**
* **Naming Convention**: Consistent container naming
* **Grouping**: Logical container grouping
* **Tagging**: Use labels for better organization
* **Documentation**: Document container purposes
**Security:**
* **Access Control**: Limit log access to authorized users
* **Data Protection**: Be aware of sensitive data in logs
* **Network Security**: Secure Docker socket access
* **Audit Logging**: Track log access and searches
**Performance:**
* **Resource Limits**: Appropriate CPU/memory limits
* **Container Filtering**: Limit visible containers
* **Log Tail Size**: Optimize initial log display
* **Caching**: Use browser caching for better performance
===== Use Cases =====
**Development & Debugging:**
* **Application Logs**: Monitor application behavior
* **Error Tracking**: Quickly identify and fix errors
* **Performance Monitoring**: Track application performance
* **Integration Testing**: Verify service interactions
**Production Monitoring:**
* **Service Health**: Monitor service availability
* **Error Detection**: Catch errors before they escalate
* **User Issue Investigation**: Debug user-reported problems
* **Security Monitoring**: Watch for suspicious activity
**Maintenance & Troubleshooting:**
* **Update Monitoring**: Watch for issues during updates
* **Configuration Changes**: Monitor impact of changes
* **Network Issues**: Debug connectivity problems
* **Resource Problems**: Identify resource bottlenecks
===== Keyboard Shortcuts =====
**Navigation:**
* **Ctrl/Cmd + K**: Focus search bar
* **Arrow Keys**: Navigate container list
* **Enter**: Select container
* **Esc**: Clear selection
**Search:**
* **Ctrl/Cmd + F**: Start search
* **F3**: Find next occurrence
* **Shift + F3**: Find previous occurrence
* **Ctrl/Cmd + G**: Go to line
**Actions:**
* **Ctrl/Cmd + R**: Refresh logs
* **Ctrl/Cmd + S**: Save current filter
* **Ctrl/Cmd + E**: Export logs
* **Ctrl/Cmd + T**: Open terminal
Dozzle provides essential log monitoring capabilities with an intuitive interface, making it easy to track and troubleshoot your containerized services in real-time.
**Next:** Learn about [[services:infrastructure:glances|Glances]] or explore [[architecture:monitoring|Monitoring Architecture]].

394
config-templates/dokuwiki/data/pages/services/infrastructure/glances.txt
View File

@@ -1,394 +0,0 @@
====== Glances ======
Glances is a cross-platform system monitoring tool that provides real-time information about your system's performance, resources, and running processes. It offers a web-based interface for monitoring system health and performance metrics.
===== Overview =====
**Purpose:** System and container monitoring
**URL:** https://glances.yourdomain.duckdns.org
**Authentication:** Authelia SSO protected
**Deployment:** Infrastructure stack
**Interface:** Web-based monitoring dashboard
===== Key Features =====
**System Monitoring:**
* **CPU Usage**: Real-time CPU utilization
* **Memory Usage**: RAM and swap monitoring
* **Disk I/O**: Storage read/write operations
* **Network I/O**: Network traffic monitoring
**Container Monitoring:**
* **Docker Stats**: Container resource usage
* **Container Health**: Status and health checks
* **Process Monitoring**: Running processes
* **Service Status**: Application service monitoring
**Performance Metrics:**
* **Load Average**: System load over time
* **Temperature**: CPU and system temperatures
* **Fan Speed**: Cooling system monitoring
* **Power Usage**: System power consumption
===== Configuration =====
**Container Configuration:**
```yaml
services:
glances:
image: nicolargo/glances:latest
container_name: glances
restart: unless-stopped
pid: host
environment:
- GLANCES_OPT=-w
- GLANCES_OPT_WEBserver=true
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- /etc/os-release:/etc/os-release:ro
- /proc:/host/proc:ro
- /sys:/host/sys:ro
networks:
- traefik-network
deploy:
resources:
limits:
cpus: '0.3'
memory: 128M
reservations:
cpus: '0.05'
memory: 32M
labels:
- "traefik.enable=true"
- "traefik.http.routers.glances.rule=Host(`glances.${DOMAIN}`)"
- "traefik.http.routers.glances.entrypoints=websecure"
- "traefik.http.routers.glances.tls.certresolver=letsencrypt"
- "traefik.http.routers.glances.middlewares=authelia@docker"
- "traefik.http.services.glances.loadbalancer.server.port=61208"
- "x-dockge.url=https://glances.${DOMAIN}"
```
**Command Line Options:**
```bash
# Web server mode
GLANCES_OPT=-w
# Additional options
GLANCES_OPT=-w --disable-webui-password --enable-process-extended
# Custom refresh interval
GLANCES_OPT=-w --time 5
# Disable specific plugins
GLANCES_OPT=-w --disable cpu --disable mem
```
===== Interface Overview =====
**Main Dashboard:**
* **System Overview**: CPU, memory, disk, network
* **Container List**: Docker container statistics
* **Process List**: Top running processes
* **Alerts Panel**: System alerts and warnings
**Navigation Tabs:**
* **System**: Core system metrics
* **Docker**: Container monitoring
* **Processes**: Process management
* **Alerts**: System alerts and thresholds
* **Filesystem**: Disk usage and I/O
**Real-time Updates:**
* **Auto-refresh**: Configurable update intervals
* **Live Charts**: Real-time performance graphs
* **Color Coding**: Status-based color indicators
* **Threshold Alerts**: Configurable warning levels
===== System Monitoring =====
**CPU Monitoring:**
* **Usage Percentage**: Overall CPU utilization
* **Per-Core Usage**: Individual core monitoring
* **Load Average**: 1, 5, 15-minute averages
* **CPU Frequency**: Current clock speeds
**Memory Monitoring:**
* **RAM Usage**: Physical memory utilization
* **Swap Usage**: Swap file/page file usage
* **Memory Pressure**: System memory pressure
* **Cache Statistics**: Buffer and cache usage
**Disk Monitoring:**
* **Usage Percentage**: Filesystem utilization
* **I/O Operations**: Read/write operations per second
* **Transfer Rates**: Data transfer speeds
* **Disk Health**: S.M.A.R.T. status (if available)
**Network Monitoring:**
* **Interface Statistics**: Per-interface traffic
* **Connection Count**: Active network connections
* **Bandwidth Usage**: Upload/download rates
* **Network Errors**: Packet loss and errors
===== Container Monitoring =====
**Docker Integration:**
* **Container List**: All running containers
* **Resource Usage**: CPU, memory per container
* **Network Stats**: Container network traffic
* **Health Status**: Container health checks
**Container Details:**
* **Image Information**: Base image and version
* **Port Mappings**: Exposed ports
* **Volume Mounts**: Attached volumes
* **Environment Variables**: Container configuration
**Performance Metrics:**
* **CPU Shares**: CPU allocation and usage
* **Memory Limits**: Memory constraints and usage
* **Network I/O**: Container network traffic
* **Disk I/O**: Container storage operations
===== Process Monitoring =====
**Process List:**
* **Top Processes**: Most resource-intensive processes
* **Process Tree**: Parent-child process relationships
* **User Processes**: Per-user process listing
* **System Processes**: Kernel and system processes
**Process Details:**
* **CPU Usage**: Per-process CPU consumption
* **Memory Usage**: RAM and virtual memory
* **I/O Operations**: Disk read/write activity
* **Network Activity**: Network connections
**Process Management:**
* **Kill Process**: Terminate problematic processes
* **Change Priority**: Adjust process nice levels
* **Resource Limits**: Set process resource limits
* **Process Groups**: Group related processes
===== Alert System =====
**Threshold Configuration:**
```yaml
# Alert thresholds (environment variables)
GLANCES_OPT=-w --alert cpu>80,mem>90,disk>85
```
**Alert Types:**
* **CPU Alerts**: High CPU usage warnings
* **Memory Alerts**: Memory pressure alerts
* **Disk Alerts**: Storage space warnings
* **Network Alerts**: Bandwidth threshold alerts
**Alert Actions:**
* **Visual Indicators**: Color-coded alerts
* **Sound Alerts**: Audio notifications
* **Email Notifications**: SMTP alerts
* **Webhook Integration**: External alert systems
===== Advanced Configuration =====
**Custom Plugins:**
```yaml
# Enable additional plugins
GLANCES_OPT=-w --enable-plugin sensors --enable-plugin gpu
```
**Export Options:**
```yaml
# Export to various formats
GLANCES_OPT=-w --export csv --export-csv-file /data/stats.csv
GLANCES_OPT=-w --export influxdb --export-influxdb-host localhost
```
**Remote Monitoring:**
```yaml
# Monitor remote systems
GLANCES_OPT=-w --client localhost:61209
```
**Configuration File:**
```yaml
# glances.conf
[main]
refresh=2
history_size=1200
[cpu]
user_careful=50
user_warning=70
user_critical=90
```
===== Security Considerations =====
**Access Control:**
* **Authelia Protection**: SSO authentication required
* **Network Isolation**: Container network restrictions
* **Read-only Access**: Limited system access
* **Audit Logging**: Monitor access patterns
**Data Protection:**
* **Sensitive Data**: Avoid exposing sensitive information
* **Encryption**: Secure data transmission
* **Access Logging**: Track monitoring access
* **Privacy Controls**: Limit exposed system information
===== Performance Optimization =====
**Resource Management:**
```yaml
deploy:
resources:
limits:
cpus: '0.3'
memory: 128M
reservations:
cpus: '0.05'
memory: 32M
```
**Monitoring Optimization:**
* **Refresh Rate**: Balance between real-time and performance
* **Data Retention**: Configure historical data limits
* **Plugin Selection**: Enable only needed monitoring plugins
* **Caching**: Use efficient data caching
===== Troubleshooting =====
**Connection Issues:**
```bash
# Check web interface
curl -k https://glances.yourdomain.duckdns.org
# Verify port accessibility
netstat -tlnp | grep 61208
# Check container logs
docker logs glances
```
**Monitoring Problems:**
* **No Data Showing**: Check system permissions
* **High Resource Usage**: Adjust refresh rates
* **Missing Metrics**: Enable required plugins
* **Inaccurate Data**: Verify system compatibility
**Docker Integration Issues:**
* **Socket Access**: Verify Docker socket permissions
* **Container Detection**: Check Docker API access
* **Permission Errors**: Adjust container privileges
* **Network Issues**: Check container networking
**Performance Issues:**
* **High CPU Usage**: Reduce refresh frequency
* **Memory Leaks**: Monitor memory consumption
* **Disk I/O**: Optimize data storage
* **Network Latency**: Check network performance
**Troubleshooting Steps:**
1. **Check logs**: `docker logs glances`
2. **Verify configuration**: Test command line options
3. **Test connectivity**: Check web interface access
4. **Monitor resources**: Track system resource usage
5. **Restart service**: `docker restart glances`
===== Integration with Monitoring Stack =====
**Prometheus Integration:**
```yaml
# Export metrics to Prometheus
GLANCES_OPT=-w --export prometheus --export-prometheus-port 9091
```
**Grafana Dashboards:**
* **System Overview**: CPU, memory, disk, network
* **Container Metrics**: Docker container statistics
* **Process Monitoring**: Top processes and resource usage
* **Historical Trends**: Performance over time
**Alert Manager Integration:**
* **Threshold Alerts**: Configurable alert rules
* **Notification Channels**: Email, Slack, webhook alerts
* **Escalation Policies**: Multi-level alert handling
* **Silence Management**: Alert suppression rules
===== Best Practices =====
**Monitoring Strategy:**
* **Key Metrics**: Focus on critical system metrics
* **Alert Thresholds**: Set appropriate warning levels
* **Baseline Establishment**: Understand normal system behavior
* **Trend Analysis**: Monitor performance trends
**Alert Configuration:**
* **Avoid Alert Fatigue**: Set meaningful thresholds
* **Escalation Paths**: Define alert escalation procedures
* **Maintenance Windows**: Suppress alerts during maintenance
* **Testing**: Regularly test alert functionality
**Performance:**
* **Resource Limits**: Appropriate CPU/memory allocation
* **Refresh Rates**: Balance real-time vs performance
* **Data Retention**: Configure appropriate history
* **Optimization**: Enable only needed features
**Security:**
* **Access Control**: Limit monitoring access
* **Data Protection**: Secure monitoring data
* **Network Security**: Secure monitoring traffic
* **Compliance**: Meet monitoring compliance requirements
===== Use Cases =====
**System Administration:**
* **Performance Monitoring**: Track system health
* **Capacity Planning**: Plan for resource upgrades
* **Troubleshooting**: Diagnose system issues
* **Maintenance Planning**: Schedule maintenance windows
**Container Orchestration:**
* **Resource Allocation**: Monitor container resources
* **Health Checks**: Track container health
* **Scaling Decisions**: Inform scaling decisions
* **Optimization**: Optimize container performance
**Development & Testing:**
* **Application Monitoring**: Monitor application performance
* **Resource Usage**: Track development environment usage
* **Debugging**: Identify performance bottlenecks
* **Testing**: Validate system performance
**Production Monitoring:**
* **SLA Monitoring**: Ensure service level agreements
* **Incident Response**: Quick issue identification
* **Root Cause Analysis**: Analyze system incidents
* **Reporting**: Generate performance reports
===== Keyboard Shortcuts =====
**Navigation:**
* **Tab**: Switch between sections
* **Arrow Keys**: Navigate lists and menus
* **Enter**: Select item or open details
* **Esc**: Close dialogs or return to main view
**Actions:**
* **R**: Refresh data
* **S**: Sort current list
* **F**: Filter/search
* **H**: Show help
**Views:**
* **1-9**: Switch to specific tabs
* **C**: Container view
* **P**: Process view
* **A**: Alerts view
Glances provides comprehensive system and container monitoring with an intuitive web interface, essential for maintaining your homelab's health and performance.
**Next:** Learn about [[services:infrastructure:watchtower|Watchtower]] or explore [[architecture:monitoring|Monitoring Architecture]].

376
config-templates/dokuwiki/data/pages/services/infrastructure/pihole.txt
View File

@@ -1,376 +0,0 @@
====== Pi-hole ======
Pi-hole is a network-wide ad blocker that acts as a DNS sinkhole, blocking advertisements and tracking domains at the network level. It provides DNS-based ad blocking, DHCP server capabilities, and comprehensive network statistics.
===== Overview =====
**Purpose:** Network-wide ad blocking and DNS
**URL:** http://pihole.yourdomain.duckdns.org (HTTP only)
**Authentication:** Authelia SSO protected
**Deployment:** Infrastructure stack
**Protocol:** DNS (port 53), DHCP (optional)
===== Key Features =====
**Ad Blocking:**
* **DNS Sinkhole**: Blocks ad/tracking domains
* **Network Wide**: Protects all devices on network
* **Custom Lists**: Support for custom blocklists
* **Whitelist/Blacklist**: Fine-grained control
**DNS Services:**
* **Recursive DNS**: Full DNS resolution
* **DNSSEC**: DNS security extensions
* **Conditional Forwarding**: Local hostname resolution
* **Rate Limiting**: Query rate limiting
**DHCP Server:**
* **IP Address Assignment**: Dynamic IP allocation
* **Static Leases**: Reserved IP addresses
* **Network Configuration**: Gateway and DNS settings
* **Client Management**: Device tracking
===== Configuration =====
**Container Configuration:**
```yaml
services:
pihole:
image: pihole/pihole:latest
container_name: pihole
restart: unless-stopped
environment:
- TZ=${TZ}
- WEBPASSWORD=${PIHOLE_PASSWORD}
- PIHOLE_DNS_=1.1.1.1;1.0.0.1;8.8.8.8;8.8.4.4
- DHCP_ACTIVE=false # Set to true to enable DHCP
- DHCP_START=192.168.1.100
- DHCP_END=192.168.1.200
- DHCP_ROUTER=192.168.1.1
- DHCP_LEASETIME=24
volumes:
- ./pihole/etc-pihole:/etc/pihole
- ./pihole/etc-dnsmasq.d:/etc/dnsmasq.d
ports:
- 53:53/tcp
- 53:53/udp
- 8082:80/tcp # Web interface
networks:
- traefik-network
deploy:
resources:
limits:
cpus: '0.5'
memory: 256M
reservations:
cpus: '0.1'
memory: 64M
labels:
- "traefik.enable=true"
- "traefik.http.routers.pihole.rule=Host(`pihole.${DOMAIN}`)"
- "traefik.http.routers.pihole.entrypoints=websecure"
- "traefik.http.routers.pihole.tls.certresolver=letsencrypt"
- "traefik.http.routers.pihole.middlewares=authelia@docker"
- "traefik.http.services.pihole.loadbalancer.server.port=80"
- "x-dockge.url=http://pihole.${DOMAIN}"
dns:
- 127.0.0.1
- 1.1.1.1
```
**Environment Variables:**
```bash
# Required
PIHOLE_PASSWORD=your-secure-password
# Optional DNS servers (comma-separated)
PIHOLE_DNS_=1.1.1.1;1.0.0.1;8.8.8.8;8.8.4.4
# DHCP Configuration (if enabled)
DHCP_ACTIVE=true
DHCP_START=192.168.1.100
DHCP_END=192.168.1.200
DHCP_ROUTER=192.168.1.1
DHCP_LEASETIME=24
```
===== DNS Configuration =====
**Upstream DNS Servers:**
* **Cloudflare**: 1.1.1.1, 1.0.0.1 (default)
* **Google**: 8.8.8.8, 8.8.4.4
* **Quad9**: 9.9.9.9, 149.112.112.112
* **OpenDNS**: 208.67.222.222, 208.67.220.220
**DNS Settings:**
```bash
# In Pi-hole admin interface
# Settings > DNS
# Enable DNSSEC for enhanced security
# Configure conditional forwarding for local network
```
**Client Configuration:**
* **Router DNS**: Set router to use Pi-hole IP
* **Device DNS**: Configure individual devices
* **DHCP**: Enable DHCP server in Pi-hole
* **IPv6**: Configure IPv6 DNS if needed
===== Ad Blocking Setup =====
**Blocklists:**
* **Default Lists**: Pre-configured ad/tracking lists
* **Custom Lists**: Add your own blocklists
* **Gravity Update**: Regular list updates
* **Regex Filtering**: Advanced pattern matching
**Whitelist/Blacklist:**
* **Whitelist**: Allow specific domains
* **Blacklist**: Block additional domains
* **Regex**: Pattern-based filtering
* **Client Groups**: Per-device rules
**Group Management:**
```bash
# Create client groups for different policies
# Assign devices to groups
# Apply different filtering rules per group
```
===== DHCP Server Configuration =====
**DHCP Setup:**
```yaml
environment:
- DHCP_ACTIVE=true
- DHCP_START=192.168.1.100
- DHCP_END=192.168.1.200
- DHCP_ROUTER=192.168.1.1
- DHCP_LEASETIME=24
```
**Static Leases:**
* **MAC Address**: Device hardware address
* **IP Address**: Reserved static IP
* **Hostname**: Device name
* **Description**: Device description
**DHCP Options:**
* **Domain Name**: Local domain suffix
* **NTP Servers**: Time synchronization
* **PXE Boot**: Network boot options
* **Vendor Options**: Device-specific options
===== Monitoring & Statistics =====
**Dashboard Overview:**
* **Total Queries**: DNS query volume
* **Blocked Domains**: Ad blocking statistics
* **Top Clients**: Most active devices
* **Top Domains**: Frequently queried domains
**Query Log:**
* **Real-time Monitoring**: Live query feed
* **Filtering**: Search and filter queries
* **Blocking Status**: See what's blocked/allowed
* **Client Tracking**: Per-device statistics
**Long-term Statistics:**
* **Historical Data**: Query trends over time
* **Blocking Efficiency**: Ad blocking performance
* **Client Usage**: Device activity patterns
* **Domain Analysis**: Popular domain tracking
===== Security Features =====
**Access Control:**
* **Web Interface**: Password protected
* **Authelia Integration**: SSO authentication
* **IP Restrictions**: Limit admin access
* **Session Management**: Secure login sessions
**DNS Security:**
* **DNSSEC**: Domain signature validation
* **Query Logging**: Audit trail of requests
* **Rate Limiting**: Prevent DNS amplification
* **Cache Poisoning**: Protection against attacks
**Network Security:**
* **Firewall Integration**: UFW/iptables rules
* **Port Protection**: Restrict unnecessary ports
* **Traffic Monitoring**: Network traffic analysis
* **Intrusion Detection**: Suspicious activity alerts
===== Performance Optimization =====
**DNS Performance:**
```yaml
# Optimize DNS settings
# Settings > DNS > Interface Settings
# Enable cache optimization
# Configure upstream server timeout
```
**Resource Limits:**
```yaml
deploy:
resources:
limits:
cpus: '0.5'
memory: 256M
reservations:
cpus: '0.1'
memory: 64M
```
**Caching:**
* **DNS Cache**: Local query caching
* **Blocklist Cache**: Efficient blocklist lookups
* **Negative Cache**: Failed query caching
* **TTL Management**: Cache expiration handling
===== Troubleshooting =====
**DNS Resolution Issues:**
```bash
# Check DNS resolution
nslookup google.com 127.0.0.1
# Test Pi-hole DNS
dig @127.0.0.1 google.com
# Check upstream connectivity
dig @8.8.8.8 google.com
```
**Ad Blocking Problems:**
* **Test Blocking**: Visit ad-heavy sites
* **Check Lists**: Verify blocklists are updating
* **Whitelist Issues**: Check whitelist configuration
* **Client Bypass**: Some apps bypass DNS
**DHCP Issues:**
* **IP Conflicts**: Check for IP address conflicts
* **Lease Problems**: Clear DHCP leases
* **Router Settings**: Verify router DHCP disabled
* **Network Issues**: Check network connectivity
**Web Interface Problems:**
* **Login Issues**: Reset admin password
* **SSL Problems**: Check certificate validity
* **Authelia**: Verify SSO configuration
* **Browser Cache**: Clear browser cache
**Troubleshooting Steps:**
1. **Check logs**: `docker logs pihole`
2. **Test DNS**: Verify DNS resolution works
3. **Check configuration**: Validate environment variables
4. **Network connectivity**: Test upstream DNS
5. **Restart service**: `docker restart pihole`
===== Advanced Configuration =====
**Custom DNS Records:**
```bash
# Add local DNS records
# Settings > Local DNS > DNS Records
# Add A, AAAA, CNAME, PTR records
```
**Conditional Forwarding:**
```bash
# Forward local queries to router
# Settings > DNS > Advanced Settings
# Enable conditional forwarding
# Set router IP and local domain
```
**Regex Blocking:**
```bash
# Advanced blocking patterns
# Settings > DNS > Group Management
# Create regex filters for complex patterns
```
**API Access:**
```bash
# Enable API for external tools
# Settings > API > Show API token
# Use token for programmatic access
```
===== Integration with Other Services =====
**Router Integration:**
* **DNS Settings**: Configure router to use Pi-hole
* **DHCP Disable**: Disable router DHCP if using Pi-hole
* **Port Forwarding**: Forward port 53 to Pi-hole
* **Static IP**: Give Pi-hole static IP address
**Monitoring Integration:**
* **Prometheus**: Export metrics for monitoring
* **Grafana**: Create dashboards for Pi-hole stats
* **Uptime Kuma**: Monitor Pi-hole availability
* **Alerting**: Set up alerts for service issues
**Backup Integration:**
* **Configuration Backup**: Backup Pi-hole settings
* **Blocklist Backup**: Save custom lists
* **DHCP Backup**: Backup DHCP leases
* **Automated Backups**: Schedule regular backups
===== Best Practices =====
**DNS Configuration:**
* **Multiple Upstream**: Use multiple DNS servers
* **DNSSEC**: Enable DNS security
* **Conditional Forwarding**: Enable for local network
* **Rate Limiting**: Prevent abuse
**Ad Blocking:**
* **Regular Updates**: Keep blocklists current
* **Custom Lists**: Add domain-specific blocks
* **Whitelist Carefully**: Only whitelist necessary sites
* **Test Blocking**: Verify blocking effectiveness
**DHCP Management:**
* **IP Planning**: Plan IP address ranges
* **Static Leases**: Reserve IPs for servers
* **Lease Time**: Appropriate lease durations
* **Monitoring**: Track DHCP usage
**Security:**
* **Strong Password**: Secure admin password
* **Access Control**: Limit admin access
* **Updates**: Keep Pi-hole updated
* **Monitoring**: Monitor for security issues
**Maintenance:**
* **Log Rotation**: Manage log file sizes
* **Database Optimization**: Regular database maintenance
* **Backup Routine**: Regular configuration backups
* **Performance Monitoring**: Track resource usage
===== Common Use Cases =====
**Home Network:**
* **Ad Blocking**: Block ads on all devices
* **Parental Controls**: Block inappropriate content
* **Device Management**: Track and manage devices
* **Network Monitoring**: Monitor network activity
**Small Office:**
* **Content Filtering**: Block productivity-draining sites
* **Guest Network**: Separate guest DNS
* **Device Control**: Manage corporate devices
* **Reporting**: Generate usage reports
**Development:**
* **Local DNS**: Resolve development domains
* **Testing**: Test ad blocking effectiveness
* **Network Simulation**: Simulate network conditions
* **Debugging**: Debug DNS-related issues
Pi-hole provides essential network services with powerful ad blocking capabilities, serving as the DNS backbone of your homelab network.
**Next:** Learn about [[services:infrastructure:dozzle|Dozzle]] or explore [[architecture:networking|Network Architecture]].

59
config-templates/dokuwiki/data/pages/services/infrastructure/start.txt
View File

@@ -1,59 +0,0 @@
====== Infrastructure Services ======
This section covers management, monitoring, and development tools for your homelab infrastructure.
===== Available Services =====
**Dockge** - Docker Compose Manager
* Access: https://dockge.${DOMAIN}
* Description: Web-based Docker Compose stack manager
* Stack: infrastructure.yml
**Pi-hole** - Network-wide ad blocker
* Access: http://pihole.${DOMAIN} (or https via Traefik)
* Description: DNS-based ad blocking and network monitoring
* Stack: infrastructure.yml
**Dozzle** - Real-time log viewer
* Access: https://dozzle.${DOMAIN}
* Description: Web interface for viewing Docker container logs
* Stack: infrastructure.yml
**Glances** - System monitoring
* Access: https://glances.${DOMAIN}
* Description: Cross-platform system monitoring tool
* Stack: infrastructure.yml
**Watchtower** - Automatic updates
* Description: Automatically updates Docker containers
* Stack: infrastructure.yml
**Code Server** - VS Code in browser
* Access: https://code.${DOMAIN}
* Description: Run VS Code in your browser
* Stack: infrastructure.yml
**Docker Proxy** - Secure Docker access
* Description: Provides secure access to Docker socket
* Stack: infrastructure.yml
===== Quick Start =====
1. Deploy the infrastructure stack:
docker-compose -f infrastructure.yml up -d
2. Access Dockge at https://dockge.${DOMAIN} to manage stacks
3. Configure Pi-hole for network-wide ad blocking
4. Use Dozzle to monitor container logs in real-time
5. Set up Glances for system monitoring
===== Integration =====
Infrastructure services integrate with:
* **Traefik** - Automatic SSL and routing
* **Authelia** - SSO authentication
* **Docker** - Container management and monitoring
* **System** - Hardware and OS monitoring

404
config-templates/dokuwiki/data/pages/services/infrastructure/watchtower.txt
View File

@@ -1,404 +0,0 @@
====== Watchtower ======
Watchtower is an automated container update service that monitors running Docker containers and automatically updates them when new images are available. It ensures your homelab services stay up-to-date with the latest security patches and features.
===== Overview =====
**Purpose:** Automated container updates
**Deployment:** Infrastructure stack (currently disabled)
**Monitoring:** Passive background service
**Update Strategy:** Rolling updates with health checks
===== Key Features =====
**Automated Updates:**
* **Image Monitoring**: Checks for new image versions
* **Scheduled Updates**: Configurable update intervals
* **Rolling Updates**: Updates containers one by one
* **Health Checks**: Waits for container health before proceeding
**Update Control:**
* **Include/Exclude**: Control which containers to update
* **Update Notifications**: Email/Slack notifications
* **Rollback Support**: Revert to previous versions
* **Dry Run Mode**: Test updates without applying
**Safety Features:**
* **Health Monitoring**: Ensures containers start successfully
* **Timeout Control**: Prevents hanging updates
* **Resource Limits**: Controls update resource usage
* **Backup Integration**: Coordinates with backup services
===== Configuration =====
**Container Configuration:**
```yaml
services:
watchtower:
image: containrrr/watchtower:latest
container_name: watchtower
restart: unless-stopped
environment:
- WATCHTOWER_CLEANUP=true
- WATCHTOWER_POLL_INTERVAL=3600
- WATCHTOWER_TIMEOUT=30s
- WATCHTOWER_NOTIFICATIONS=shoutrrr
- WATCHTOWER_NOTIFICATION_URL=discord://token@webhook
- WATCHTOWER_INCLUDE_STOPPED=false
- WATCHTOWER_REVIVE_STOPPED=false
- WATCHTOWER_REMOVE_VOLUMES=false
- WATCHTOWER_LABEL_ENABLE=true
- WATCHTOWER_MONITOR_ONLY=false
- WATCHTOWER_RUN_ONCE=false
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
command: --interval 3600 --cleanup --label-enable
deploy:
resources:
limits:
cpus: '0.2'
memory: 64M
reservations:
cpus: '0.01'
memory: 16M
```
**Environment Variables:**
```bash
# Update interval (seconds)
WATCHTOWER_POLL_INTERVAL=3600
# Update timeout
WATCHTOWER_TIMEOUT=30s
# Cleanup old images
WATCHTOWER_CLEANUP=true
# Notification settings
WATCHTOWER_NOTIFICATIONS=shoutrrr
WATCHTOWER_NOTIFICATION_URL=discord://token@webhook
# Container control
WATCHTOWER_INCLUDE_STOPPED=false
WATCHTOWER_REVIVE_STOPPED=false
WATCHTOWER_REMOVE_VOLUMES=false
# Label-based control
WATCHTOWER_LABEL_ENABLE=true
# Monitoring mode
WATCHTOWER_MONITOR_ONLY=false
# One-time run
WATCHTOWER_RUN_ONCE=false
```
===== Update Process =====
**Monitoring Phase:**
1. **Image Check**: Queries Docker registry for new versions
2. **Version Comparison**: Compares current vs latest versions
3. **Update Decision**: Determines if update is needed
4. **Schedule Planning**: Plans update timing
**Update Execution:**
1. **Container Stop**: Gracefully stops current container
2. **Image Pull**: Downloads new image version
3. **Container Start**: Starts container with new image
4. **Health Check**: Verifies container health
5. **Cleanup**: Removes old images (if enabled)
**Post-Update:**
* **Notification**: Sends update notifications
* **Logging**: Records update details
* **Monitoring**: Continues monitoring for next updates
* **Error Handling**: Handles update failures
===== Container Selection =====
**Label-Based Control:**
```yaml
# Enable updates for specific containers
labels:
- "com.centurylinklabs.watchtower.enable=true"
# Disable updates for specific containers
labels:
- "com.centurylinklabs.watchtower.enable=false"
```
**Include/Exclude Patterns:**
```bash
# Include only specific containers
command: --include=traefik,authelia,dockge
# Exclude specific containers
command: --exclude=plex,jellyfin
# Use regex patterns
command: --include="^media-.*"
```
**Scope Control:**
* **All Containers**: Update all running containers
* **Specific Services**: Update only selected services
* **Stack-Based**: Update containers in specific stacks
* **Label-Based**: Use Docker labels for control
===== Notification System =====
**Supported Notifications:**
* **Email**: SMTP email notifications
* **Slack**: Slack channel notifications
* **Discord**: Discord webhook notifications
* **Gotify**: Gotify push notifications
* **Telegram**: Telegram bot notifications
**Notification Configuration:**
```yaml
environment:
- WATCHTOWER_NOTIFICATIONS=shoutrrr
- WATCHTOWER_NOTIFICATION_URL=slack://token@channel
# Or for Discord
- WATCHTOWER_NOTIFICATION_URL=discord://token@webhook
# Or for email
- WATCHTOWER_NOTIFICATION_URL=smtp://user:pass@host:port
```
**Notification Content:**
* **Update Started**: Container update beginning
* **Update Completed**: Successful update confirmation
* **Update Failed**: Error details and troubleshooting
* **Rollback Performed**: Automatic rollback notifications
===== Safety & Reliability =====
**Health Checks:**
```yaml
# Wait for health checks
command: --interval 3600 --cleanup --label-enable --enable-healthchecks
```
**Timeout Management:**
```yaml
# Set update timeouts
environment:
- WATCHTOWER_TIMEOUT=60s
```
**Rollback Capability:**
```yaml
# Enable automatic rollback on failure
command: --rollback-on-failure
```
**Resource Protection:**
* **CPU Limits**: Prevent update resource exhaustion
* **Memory Limits**: Control memory usage during updates
* **Network Limits**: Manage download bandwidth
* **Concurrent Updates**: Limit simultaneous updates
===== Scheduling =====
**Update Intervals:**
```bash
# Check every hour
command: --interval 3600
# Check every 24 hours
command: --interval 86400
# Check at specific times
command: --schedule "0 0 4 * * *" # Daily at 4 AM
```
**Maintenance Windows:**
* **Off-hours Updates**: Schedule updates during low-usage times
* **Weekend Updates**: Perform updates on weekends
* **Manual Control**: Trigger updates manually when needed
* **Holiday Scheduling**: Avoid updates during holidays
===== Troubleshooting =====
**Update Failures:**
```bash
# Check Watchtower logs
docker logs watchtower
# Manual update test
docker pull image:latest
docker stop container
docker rm container
docker run -d --name container image:latest
```
**Permission Issues:**
* **Docker Socket**: Verify socket access permissions
* **Registry Access**: Check Docker registry authentication
* **Network Issues**: Verify internet connectivity
* **Disk Space**: Ensure sufficient space for image downloads
**Notification Problems:**
* **Webhook URLs**: Verify notification endpoint URLs
* **Authentication**: Check API tokens and credentials
* **Network Access**: Ensure outbound connectivity
* **Rate Limits**: Check service rate limiting
**Performance Issues:**
* **Resource Usage**: Monitor CPU/memory during updates
* **Update Frequency**: Adjust polling intervals
* **Concurrent Updates**: Limit simultaneous container updates
* **Network Bandwidth**: Control download speeds
**Troubleshooting Steps:**
1. **Check logs**: `docker logs watchtower`
2. **Test manually**: Perform manual container updates
3. **Verify configuration**: Check environment variables
4. **Test notifications**: Send test notifications
5. **Restart service**: `docker restart watchtower`
===== Advanced Configuration =====
**Custom Update Logic:**
```bash
# Use custom update script
command: --script /path/to/update-script.sh
```
**Lifecycle Hooks:**
```yaml
# Pre/post update hooks
command: --pre-check /path/to/pre-check.sh --post-check /path/to/post-check.sh
```
**Advanced Filtering:**
```bash
# Complex filtering rules
command: --filter-by-label=com.example.version=latest --filter-by-label=com.example.tier=frontend
```
**Monitoring Integration:**
```yaml
# Export metrics
command: --metrics
environment:
- WATCHTOWER_METRICS_PORT=8080
```
===== Security Considerations =====
**Access Control:**
* **Docker Socket Security**: Read-only socket access
* **Registry Authentication**: Secure registry credentials
* **Network Security**: Secure update traffic
* **Audit Logging**: Track all update activities
**Update Security:**
* **Image Verification**: Verify image authenticity
* **Vulnerability Scanning**: Check for security issues
* **Trusted Sources**: Only update from trusted registries
* **Rollback Security**: Secure rollback procedures
===== Integration with Backup =====
**Backup Coordination:**
```yaml
# Coordinate with backup services
command: --pre-check /scripts/backup-check.sh --post-check /scripts/backup-verify.sh
```
**Backup Scripts:**
```bash
#!/bin/bash
# Pre-update backup
docker exec backup-service backup-now
# Post-update verification
docker exec backup-service verify-backup
```
**Automated Backup:**
* **Pre-update Backup**: Backup before each update
* **Post-update Verification**: Verify backup integrity
* **Rollback Backup**: Maintain rollback capability
* **Retention Policy**: Manage backup retention
===== Best Practices =====
**Update Strategy:**
* **Staged Updates**: Update non-critical services first
* **Monitoring**: Monitor updates closely initially
* **Testing**: Test updates in development first
* **Documentation**: Document update procedures
**Safety Measures:**
* **Health Checks**: Always enable health checks
* **Timeouts**: Set appropriate update timeouts
* **Notifications**: Enable comprehensive notifications
* **Rollback**: Have rollback procedures ready
**Performance:**
* **Resource Limits**: Appropriate CPU/memory limits
* **Update Windows**: Schedule during low-usage times
* **Concurrent Limits**: Limit simultaneous updates
* **Network Management**: Control bandwidth usage
**Monitoring:**
* **Update Tracking**: Monitor update success/failure
* **Performance Impact**: Track update performance impact
* **Error Analysis**: Analyze update failure patterns
* **Success Metrics**: Track update success rates
===== Use Cases =====
**Production Environments:**
* **Security Updates**: Automatic security patch deployment
* **Feature Updates**: Deploy new features automatically
* **Compliance**: Maintain compliance with update policies
* **Stability**: Ensure service stability through updates
**Development Environments:**
* **Testing Updates**: Test update procedures safely
* **CI/CD Integration**: Integrate with development pipelines
* **Version Control**: Manage container versions
* **Rollback Testing**: Test rollback capabilities
**Homelab Management:**
* **Convenience**: Hands-off update management
* **Security**: Maintain security through updates
* **Stability**: Prevent version drift issues
* **Monitoring**: Track update status and health
**Enterprise Deployments:**
* **Policy Compliance**: Enforce update policies
* **Change Management**: Manage change through updates
* **Audit Trails**: Maintain update audit logs
* **Reporting**: Generate update compliance reports
===== Manual Update Process =====
**When Watchtower is Disabled:**
```bash
# Manual update procedure
# 1. Identify containers to update
docker ps --format "table {{.Names}}\t{{.Image}}"
# 2. Check for updates
docker pull image:latest
# 3. Backup current state
docker tag current-image backup-image
# 4. Stop and update container
docker stop container
docker rm container
docker run -d --name container image:latest
# 5. Verify update
docker logs container
docker ps | grep container
```
Watchtower provides automated container updates with safety features and monitoring, ensuring your homelab services remain current and secure.
**Next:** Learn about [[services:infrastructure:code-server|Code Server]] or explore [[architecture:backup|Backup Architecture]].

393
config-templates/dokuwiki/data/pages/services/media/calibre-web.txt
View File

@@ -1,393 +0,0 @@
====== Calibre-Web ======
Calibre-Web is a web application that provides a clean web interface for browsing, reading, and downloading eBooks stored in a Calibre database. It allows you to access your eBook library from any device with a web browser.
===== Overview =====
**Purpose:** Web interface for Calibre eBook library
**URL:** https://calibre.yourdomain.duckdns.org
**Authentication:** Built-in user management
**Deployment:** Media stack
**Database:** SQLite (Calibre database)
===== Key Features =====
**Library Management:**
* **Browse Books**: Browse your eBook collection
* **Search & Filter**: Advanced search and filtering
* **Categories**: Organize by author, genre, series
* **Metadata Display**: Rich book information display
**Reading Features:**
* **Online Reading**: Read books directly in browser
* **Download Options**: Download in multiple formats
* **Reading Progress**: Track reading progress
* **Bookmarks**: Save reading positions
**User Management:**
* **Multiple Users**: Separate accounts for users
* **Access Control**: Configure user permissions
* **Reading Statistics**: Track reading habits
* **Personal Shelves**: Create custom book collections
===== Configuration =====
**Container Configuration:**
```yaml
services:
calibre-web:
image: lscr.io/linuxserver/calibre-web:latest
container_name: calibre-web
restart: unless-stopped
environment:
- PUID=1000
- PGID=1000
- TZ=${TZ}
- DOCKER_MODS=linuxserver/mods:universal-calibre # Calibre integration
volumes:
- ./calibre-web/config:/config
- /mnt/media/books:/books # Calibre library location
networks:
- traefik-network
deploy:
resources:
limits:
cpus: '1.0'
memory: 512M
reservations:
cpus: '0.2'
memory: 128M
labels:
- "traefik.enable=true"
- "traefik.http.routers.calibre-web.rule=Host(`calibre.${DOMAIN}`)"
- "traefik.http.routers.calibre-web.entrypoints=websecure"
- "traefik.http.routers.calibre-web.tls.certresolver=letsencrypt"
- "traefik.http.routers.calibre-web.middlewares=authelia@docker"
- "traefik.http.services.calibre-web.loadbalancer.server.port=8083"
- "x-dockge.url=https://calibre.${DOMAIN}"
```
**Environment Variables:**
```bash
# User permissions
PUID=1000
PGID=1000
# Timezone
TZ=America/New_York
# Calibre integration (optional)
DOCKER_MODS=linuxserver/mods:universal-calibre
```
===== Calibre Database Setup =====
**Calibre Library Structure:**
```
/mnt/media/books/
├── metadata.db # Calibre database
├── metadata_db_prefs_backup.json
├── books/ # Book files
│ ├── Author Name/
│ │ ├── Book Title (Year)/
│ │ │ ├── book.epub
│ │ │ ├── cover.jpg
│ │ │ └── metadata.opf
│ └── Another Author/
└── covers/ # Cover images
```
**Database Connection:**
* **Path**: `/books` (mounted Calibre library)
* **Auto-Detection**: Automatically finds metadata.db
* **Metadata Access**: Full access to Calibre metadata
* **Cover Images**: Access to book covers
**Initial Setup:**
1. **Place Calibre Library**: Mount existing Calibre library
2. **Database Detection**: Calibre-Web finds metadata.db
3. **Admin Account**: Create administrator account
4. **Library Scan**: Scan and index books
===== User Management =====
**Administrator Setup:**
1. **First Access**: Visit Calibre-Web URL
2. **Create Admin**: Set up administrator account
3. **Configure Library**: Point to Calibre database
4. **User Settings**: Configure application settings
**User Accounts:**
* **User Creation**: Add user accounts
* **Permission Levels**: Admin, User, Guest
* **Library Access**: Control book access per user
* **Download Rights**: Configure download permissions
**Authentication:**
* **Username/Password**: Standard authentication
* **LDAP Integration**: External user directory (optional)
* **Guest Access**: Allow anonymous browsing
* **Session Management**: Configurable session timeouts
===== Library Features =====
**Browse & Search:**
* **Book Grid/List**: Multiple viewing modes
* **Advanced Search**: Search by title, author, genre
* **Filters**: Filter by language, format, rating
* **Sorting**: Sort by various criteria
**Book Details:**
* **Metadata Display**: Title, author, description
* **Cover Images**: High-quality book covers
* **File Information**: Format, size, pages
* **Ratings & Reviews**: User ratings and reviews
**Reading Interface:**
* **EPUB Reader**: Built-in EPUB reader
* **PDF Viewer**: PDF document viewer
* **Progress Tracking**: Reading progress saving
* **Bookmarking**: Save reading positions
===== Download & Formats =====
**Supported Formats:**
* **EPUB**: Most common eBook format
* **PDF**: Portable document format
* **MOBI**: Kindle format
* **AZW3**: Amazon format
* **TXT**: Plain text
* **RTF**: Rich text format
**Download Options:**
* **Direct Download**: Download original format
* **Format Conversion**: Convert to other formats
* **Bulk Download**: Download multiple books
* **ZIP Archives**: Download as compressed archives
**Conversion Features:**
* **Calibre Integration**: Use Calibre for conversion
* **Format Support**: Convert between supported formats
* **Quality Settings**: Adjust conversion quality
* **Metadata Preservation**: Maintain book metadata
===== Customization =====
**Interface Themes:**
* **Light Theme**: Clean, bright interface
* **Dark Theme**: Easy on the eyes
* **Custom CSS**: Advanced customization
* **Responsive Design**: Mobile-friendly interface
**Language Support:**
* **Multiple Languages**: 20+ supported languages
* **Interface Translation**: Full UI translation
* **Metadata Languages**: Support for various languages
* **RTL Support**: Right-to-left language support
**Display Options:**
* **Books per Page**: Configure pagination
* **Cover Sizes**: Adjust cover image sizes
* **Metadata Fields**: Customize displayed fields
* **Grid/List Views**: Choose viewing preferences
===== Advanced Features =====
**Shelves & Collections:**
* **Custom Shelves**: Create personal book collections
* **Public Shelves**: Share collections with others
* **Smart Shelves**: Dynamic collections based on criteria
* **Shelf Management**: Organize and categorize shelves
**Reading Statistics:**
* **Reading Progress**: Track reading progress
* **Reading Time**: Monitor reading duration
* **Books Read**: Track completed books
* **Reading Goals**: Set reading targets
**Social Features:**
* **User Reviews**: Write and read book reviews
* **Ratings**: Rate books and see averages
* **Recommendations**: Book recommendation system
* **User Activity**: See what others are reading
===== Integration Features =====
**Calibre Integration:**
* **Database Sync**: Sync with Calibre desktop
* **Metadata Updates**: Update from Calibre
* **Cover Downloads**: Download covers from Calibre
* **Format Conversion**: Use Calibre conversion tools
**External Services:**
* **Goodreads**: Import ratings and reviews
* **Google Books**: Enhanced metadata
* **Open Library**: Additional book information
* **ISBN Lookup**: Automatic ISBN resolution
**API Access:**
* **REST API**: Programmatic access
* **Webhook Support**: Event notifications
* **Third-party Integration**: Connect with other services
* **Automation**: Script-based automation
===== Security Considerations =====
**Access Control:**
* **User Authentication**: Secure user authentication
* **Permission Levels**: Granular access control
* **IP Restrictions**: Limit access by IP address
* **Session Security**: Secure session management
**Data Protection:**
* **File Permissions**: Proper file system permissions
* **Database Security**: SQLite database protection
* **Backup Security**: Secure backup procedures
* **Encryption**: Data encryption options
===== Performance Optimization =====
**Resource Management:**
```yaml
deploy:
resources:
limits:
cpus: '1.0'
memory: 512M
reservations:
cpus: '0.2'
memory: 128M
```
**Database Optimization:**
* **Index Maintenance**: Regular database maintenance
* **Query Optimization**: Efficient database queries
* **Cache Management**: Metadata and cover caching
* **Search Optimization**: Fast search capabilities
===== Troubleshooting =====
**Database Connection Issues:**
```bash
# Check database file permissions
ls -la /mnt/media/books/metadata.db
# Verify database integrity
docker exec calibre-web sqlite3 /books/metadata.db ".tables"
# Check Calibre-Web logs
docker logs calibre-web
```
**Book Display Problems:**
* **Cover Images**: Check cover file permissions
* **Metadata Issues**: Verify database integrity
* **File Permissions**: Check book file access
* **Format Support**: Verify supported formats
**User Authentication Issues:**
* **Login Problems**: Check user credentials
* **Permission Errors**: Verify user permissions
* **Session Issues**: Clear browser cookies
* **Password Reset**: Administrator password reset
**Reading Interface Issues:**
* **EPUB Display**: Check EPUB file validity
* **PDF Viewer**: Verify PDF compatibility
* **Progress Saving**: Check database write permissions
* **Bookmark Issues**: Clear browser cache
**Troubleshooting Steps:**
1. **Check logs**: `docker logs calibre-web`
2. **Verify database**: Test database connectivity
3. **Check permissions**: Validate file permissions
4. **Test access**: Verify web interface access
5. **Restart service**: `docker restart calibre-web`
===== Backup & Recovery =====
**Configuration Backup:**
```bash
# Backup Calibre-Web configuration
docker run --rm \
-v calibre-web-config:/config \
-v $(pwd)/backup:/backup \
busybox tar czf /backup/calibre-web-config.tar.gz /config
```
**Database Backup:**
```bash
# Backup Calibre database
docker run --rm \
-v /mnt/media/books:/books \
-v $(pwd)/backup:/backup \
busybox tar czf /backup/calibre-library.tar.gz /books
```
**Recovery Process:**
1. **Restore Configuration**: Restore config directory
2. **Restore Database**: Restore Calibre library
3. **Verify Integrity**: Check database and files
4. **Update Permissions**: Fix file permissions
5. **Test Access**: Verify web interface works
===== Best Practices =====
**Library Management:**
* **Consistent Naming**: Follow Calibre naming conventions
* **Metadata Quality**: Maintain accurate metadata
* **File Organization**: Proper folder structure
* **Regular Backups**: Frequent library backups
**User Management:**
* **Permission Planning**: Plan user access levels
* **Regular Audits**: Review user permissions
* **Password Policies**: Enforce strong passwords
* **Activity Monitoring**: Monitor user activity
**Performance:**
* **Resource Allocation**: Appropriate CPU/memory limits
* **Database Maintenance**: Regular database optimization
* **Cache Management**: Optimize caching settings
* **Network Optimization**: Fast network access
**Maintenance:**
* **Regular Updates**: Keep Calibre-Web updated
* **Database Maintenance**: Regular database cleanup
* **File System Checks**: Verify file integrity
* **Security Updates**: Apply security patches
===== Advanced Configuration =====
**Reverse Proxy Configuration:**
```nginx
# Nginx configuration for additional features
location /calibre {
proxy_pass http://calibre-web:8083;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
```
**LDAP Integration:**
```python
# LDAP configuration in config files
LDAP_URL = "ldap://your-ldap-server"
LDAP_USER_DN = "ou=users,dc=example,dc=com"
LDAP_GROUP_DN = "ou=groups,dc=example,dc=com"
```
**API Usage Examples:**
```bash
# Get library information
curl -u username:password https://calibre.yourdomain.duckdns.org/api/books
# Search books
curl -u username:password "https://calibre.yourdomain.duckdns.org/api/books?search=author:smith"
```
Calibre-Web provides a beautiful, user-friendly web interface for your Calibre eBook library, making it easy to browse, read, and manage your digital book collection from any device.
**Next:** Learn about [[services:media:qbittorrent|qBittorrent]] or explore [[architecture:backup|Backup Architecture]].

424
config-templates/dokuwiki/data/pages/services/media/jellyfin.txt
View File

@@ -1,424 +0,0 @@
====== Jellyfin ======
Jellyfin is a free, open-source media server that allows you to organize, manage, and stream your personal media collection. It provides a modern, user-friendly interface for accessing movies, TV shows, music, and photos from any device.
===== Overview =====
**Purpose:** Media server and streaming platform
**URL:** https://jellyfin.yourdomain.duckdns.org
**Authentication:** Built-in user management (no SSO)
**Deployment:** Media stack
**Features:** Multi-device streaming, transcoding, metadata management
===== Key Features =====
**Media Management:**
* **Library Organization**: Automatic media organization
* **Metadata Fetching**: Rich metadata from online sources
* **Poster Art**: High-quality artwork and posters
* **Collections**: Custom media collections and playlists
**Streaming Capabilities:**
* **Multi-Device Support**: Stream to any device
* **Adaptive Streaming**: Automatic quality adjustment
* **Transcoding**: Real-time video transcoding
* **Direct Play**: Direct streaming when supported
**User Management:**
* **Multiple Users**: Separate accounts for family members
* **Parental Controls**: Content restrictions and ratings
* **Viewing History**: Track watched content
* **Personal Libraries**: User-specific content access
===== Configuration =====
**Container Configuration:**
```yaml
services:
jellyfin:
image: lscr.io/linuxserver/jellyfin:latest
container_name: jellyfin
restart: unless-stopped
environment:
- PUID=1000
- PGID=1000
- TZ=${TZ}
- JELLYFIN_PublishedServerUrl=https://jellyfin.${DOMAIN}
volumes:
- ./jellyfin/config:/config
- /mnt/media/movies:/data/movies
- /mnt/media/tv:/data/tv
- /mnt/media/music:/data/music
- /mnt/transcode:/config/transcodes
devices:
- /dev/dri:/dev/dri # Hardware acceleration (optional)
networks:
- traefik-network
deploy:
resources:
limits:
cpus: '2.0'
memory: 2G
reservations:
cpus: '0.5'
memory: 512M
labels:
- "traefik.enable=true"
- "traefik.http.routers.jellyfin.rule=Host(`jellyfin.${DOMAIN}`)"
- "traefik.http.routers.jellyfin.entrypoints=websecure"
- "traefik.http.routers.jellyfin.tls.certresolver=letsencrypt"
# No Authelia middleware - direct access for app compatibility
- "traefik.http.services.jellyfin.loadbalancer.server.port=8096"
- "x-dockge.url=https://jellyfin.${DOMAIN}"
```
**Environment Variables:**
```bash
# User permissions
PUID=1000
PGID=1000
# Timezone
TZ=America/New_York
# Public URL (for external access)
JELLYFIN_PublishedServerUrl=https://jellyfin.yourdomain.duckdns.org
```
===== Media Library Setup =====
**Directory Structure:**
```
/mnt/media/
├── movies/ # Movie files
│ ├── Movie1 (2023)/
│ └── Movie2 (2023)/
├── tv/ # TV show files
│ ├── Show1/
│ │ ├── Season 01/
│ │ └── Season 02/
│ └── Show2/
├── music/ # Music files
│ ├── Artist1/
│ └── Artist2/
└── photos/ # Photo collections
```
**Library Configuration:**
* **Movie Library**: Point to `/data/movies`
* **TV Library**: Point to `/data/tv`
* **Music Library**: Point to `/data/music`
* **Photo Library**: Point to `/data/photos`
**Naming Conventions:**
```
Movies: "Movie Name (Year)/Movie Name (Year).mkv"
TV: "Show Name/Season 01/Show Name - S01E01.mkv"
Music: "Artist/Album/01 - Song Title.mp3"
```
===== Hardware Acceleration =====
**Intel Quick Sync:**
```yaml
devices:
- /dev/dri:/dev/dri
environment:
- JELLYFIN_FFmpeg__probesize=1G
- JELLYFIN_FFmpeg__analyzeduration=200M
```
**NVIDIA GPU:**
```yaml
deploy:
resources:
reservations:
devices:
- driver: nvidia
count: 1
capabilities: [gpu]
environment:
- NVIDIA_VISIBLE_DEVICES=all
- NVIDIA_DRIVER_CAPABILITIES=all
```
**VAAPI (Software):**
```yaml
environment:
- JELLYFIN_FFmpeg__hwaccel=vaapi
- JELLYFIN_FFmpeg__hwaccel_device=/dev/dri/renderD128
- JELLYFIN_FFmpeg__hwaccel_output_format=vaapi
```
===== User Management =====
**Administrator Setup:**
1. **First Access**: Visit Jellyfin URL
2. **Create Admin Account**: Set up administrator account
3. **Configure Libraries**: Add media libraries
4. **Set Preferences**: Configure server settings
**User Accounts:**
* **User Creation**: Add family member accounts
* **Access Levels**: Configure library access per user
* **Parental Controls**: Set content ratings and restrictions
* **Device Limits**: Control simultaneous streams
**Authentication:**
* **Local Users**: Username/password authentication
* **Easy PIN**: Simple PIN for quick access
* **Auto Login**: Remember login on trusted devices
===== Transcoding Configuration =====
**Transcoding Settings:**
```yaml
# Transcode location
volumes:
- /mnt/transcode:/config/transcodes
```
**Quality Settings:**
* **Video Quality**: Adjust bitrate and resolution
* **Audio Quality**: Configure audio encoding
* **Container Format**: Choose output format
* **Hardware Acceleration**: Enable GPU transcoding
**Performance Tuning:**
* **Concurrent Streams**: Limit simultaneous transcodes
* **Buffer Size**: Adjust transcoding buffer
* **Thread Count**: Configure encoding threads
* **Quality Presets**: Balance quality vs speed
===== Metadata Management =====
**Metadata Sources:**
* **The Movie Database (TMDb)**: Movie and TV metadata
* **TheTVDB**: TV show information
* **MusicBrainz**: Music metadata
* **FanArt.tv**: Artwork and posters
**Metadata Refresh:**
* **Automatic Updates**: Regular metadata updates
* **Manual Refresh**: Force metadata refresh
* **Image Downloads**: Download posters and artwork
* **Language Settings**: Configure metadata language
**Custom Metadata:**
* **Override Information**: Manually edit metadata
* **Custom Images**: Upload custom artwork
* **Collections**: Create custom collections
* **Tags**: Add custom tags and genres
===== Client Applications =====
**Official Apps:**
* **Android/iOS**: Mobile apps for streaming
* **Roku**: TV streaming device support
* **Fire TV**: Amazon Fire TV support
* **Android TV**: Android TV support
**Third-Party Clients:**
* **Kodi**: Media center integration
* **Plex**: Alternative media server
* **Emby**: Similar media server
* **Infuse**: iOS/macOS media player
**Web Client:**
* **Modern Interface**: Responsive web player
* **Keyboard Shortcuts**: Full keyboard navigation
* **Cast Support**: Chromecast and DLNA
* **Offline Sync**: Download for offline viewing
===== Plugins & Extensions =====
**Official Plugins:**
* **Open Subtitles**: Subtitle downloading
* **MusicBrainz**: Enhanced music metadata
* **AniList**: Anime tracking integration
* **Trakt**: Watch history synchronization
**Community Plugins:**
* **Kodi Sync**: Sync with Kodi library
* **FanArt**: Additional artwork sources
* **Theme Videos**: Movie theme videos
* **Trailer**: Trailer playback
**Plugin Installation:**
1. **Dashboard > Plugins**: Access plugin catalog
2. **Browse Repository**: Find desired plugins
3. **Install**: Click install button
4. **Configure**: Set plugin preferences
===== Backup & Recovery =====
**Configuration Backup:**
```bash
# Backup Jellyfin configuration
docker run --rm \
-v jellyfin-config:/config \
-v $(pwd)/backup:/backup \
busybox tar czf /backup/jellyfin-config.tar.gz /config
```
**Database Backup:**
```bash
# Backup Jellyfin database
docker exec jellyfin sqlite3 /config/data/library.db .dump > jellyfin-backup.sql
```
**Media Backup:**
* **File System**: Backup media files separately
* **Metadata**: Configuration includes metadata
* **User Data**: User preferences and watch history
* **Plugins**: Plugin configurations
===== Performance Optimization =====
**Resource Management:**
```yaml
deploy:
resources:
limits:
cpus: '2.0'
memory: 2G
reservations:
cpus: '0.5'
memory: 512M
```
**Optimization Tips:**
* **Library Scanning**: Schedule scans during off-hours
* **Transcoding Limits**: Limit concurrent transcodes
* **Cache Management**: Configure appropriate cache sizes
* **Network Optimization**: Use appropriate network settings
===== Troubleshooting =====
**Playback Issues:**
```bash
# Check transcoding logs
docker logs jellyfin | grep -i ffmpeg
# Verify hardware acceleration
docker exec jellyfin vainfo # VAAPI
docker exec jellyfin nvidia-smi # NVIDIA
```
**Library Scanning Problems:**
* **Permission Issues**: Check file permissions
* **Naming Problems**: Verify file naming conventions
* **Metadata Errors**: Check metadata provider status
* **Network Issues**: Verify internet connectivity
**Web Interface Issues:**
* **Loading Problems**: Clear browser cache
* **SSL Errors**: Check certificate validity
* **CORS Issues**: Verify reverse proxy configuration
* **JavaScript Errors**: Check browser compatibility
**Transcoding Issues:**
* **Hardware Acceleration**: Verify GPU access
* **Codec Support**: Check supported codecs
* **Resource Limits**: Monitor CPU/memory usage
* **Quality Settings**: Adjust transcoding parameters
**Troubleshooting Steps:**
1. **Check logs**: `docker logs jellyfin`
2. **Verify configuration**: Check environment variables
3. **Test access**: Verify web interface access
4. **Check permissions**: Validate file permissions
5. **Restart service**: `docker restart jellyfin`
===== Security Considerations =====
**Access Control:**
* **User Authentication**: Strong password requirements
* **Network Security**: Restrict network access
* **HTTPS Only**: Force secure connections
* **Session Management**: Configure session timeouts
**Media Security:**
* **File Permissions**: Proper file system permissions
* **Network Shares**: Secure network share access
* **Backup Security**: Encrypt backup data
* **Access Logging**: Monitor access patterns
===== Integration with Media Stack =====
**Sonarr/Radarr Integration:**
* **Automatic Downloads**: Integration with download clients
* **Library Updates**: Automatic library refreshes
* **Quality Profiles**: Match download quality to playback
* **Naming Conventions**: Consistent file naming
**qBittorrent Integration:**
* **Download Monitoring**: Track download progress
* **Category Management**: Organize downloads by type
* **Completion Notifications**: Notify when downloads complete
* **File Management**: Automatic file organization
**Hardware Acceleration:**
* **GPU Utilization**: Leverage available GPU resources
* **Transcoding Efficiency**: Optimize transcoding performance
* **Power Management**: Balance performance and power usage
* **Resource Monitoring**: Monitor hardware utilization
===== Best Practices =====
**Library Management:**
* **Consistent Naming**: Follow naming conventions
* **Quality Standards**: Maintain consistent quality
* **Metadata Accuracy**: Keep metadata up-to-date
* **Regular Maintenance**: Periodic library cleanup
**Performance:**
* **Resource Allocation**: Appropriate CPU/memory limits
* **Transcoding Settings**: Balance quality and performance
* **Caching Strategy**: Optimize cache usage
* **Network Configuration**: Optimize network settings
**User Experience:**
* **Interface Customization**: Customize user interfaces
* **Device Profiles**: Optimize for different devices
* **Subtitle Management**: Configure subtitle preferences
* **Audio Settings**: Configure audio preferences
**Maintenance:**
* **Regular Updates**: Keep Jellyfin updated
* **Library Scans**: Regular library maintenance
* **Backup Routine**: Regular configuration backups
* **Performance Monitoring**: Monitor system performance
===== Advanced Configuration =====
**Custom CSS:**
```css
/* Custom theme modifications */
.dashboardHeader {
background-color: #your-color;
}
.libraryCard {
border-radius: 10px;
}
```
**API Access:**
```bash
# Access Jellyfin API
curl -H "X-MediaBrowser-Token: your-api-key" \
https://jellyfin.yourdomain.duckdns.org/Items
```
**Webhook Integration:**
* **Playback Events**: Trigger actions on media events
* **User Actions**: Monitor user activities
* **System Events**: Respond to system events
* **External Integration**: Connect with other services
Jellyfin provides a powerful, free alternative to proprietary media servers, offering comprehensive media management and streaming capabilities with excellent client support across all platforms.
**Next:** Learn about [[services:media:calibre-web|Calibre-Web]] or explore [[architecture:storage|Storage Architecture]].

391
config-templates/dokuwiki/data/pages/services/media/qbittorrent.txt
View File

@@ -1,391 +0,0 @@
====== qBittorrent ======
qBittorrent is a free and open-source BitTorrent client that provides a web-based interface for downloading and managing torrent files. In the AI-Homelab, it's configured to route all traffic through Gluetun VPN for enhanced privacy and security.
===== Overview =====
**Purpose:** Torrent downloading with VPN protection
**URL:** https://qbit.yourdomain.duckdns.org
**Authentication:** Built-in web UI authentication
**Deployment:** Media stack (VPN-routed through Gluetun)
**VPN Integration:** Routes through Gluetun container
===== Key Features =====
**Torrent Management:**
* **Web Interface**: Clean, responsive web UI
* **Torrent Creation**: Create torrents from files/folders
* **Magnet Links**: Support for magnet link downloads
* **Batch Downloads**: Download multiple torrents
* **RSS Feeds**: Automatic RSS feed monitoring
**Download Control:**
* **Speed Limits**: Set download/upload speed limits
* **Bandwidth Management**: Per-torrent bandwidth allocation
* **Queue Management**: Priority-based download queuing
* **Auto-Management**: Automatic torrent management
**Privacy & Security:**
* **VPN Routing**: All traffic through Gluetun VPN
* **IP Binding**: Bind to VPN interface only
* **Encryption**: Protocol encryption support
* **Proxy Support**: SOCKS5/HTTP proxy support
===== Configuration =====
**Container Configuration:**
```yaml
services:
qbittorrent:
image: lscr.io/linuxserver/qbittorrent:latest
container_name: qbittorrent
network_mode: "service:gluetun" # Route through VPN
depends_on:
- gluetun
environment:
- PUID=1000
- PGID=1000
- TZ=${TZ}
- WEBUI_PORT=8080
volumes:
- ./qbittorrent/config:/config
- /mnt/downloads:/downloads
restart: unless-stopped
deploy:
resources:
limits:
cpus: '2.0'
memory: 1G
reservations:
cpus: '0.5'
memory: 256M
```
**Gluetun Configuration (Update):**
```yaml
# In gluetun service, add port mapping
gluetun:
ports:
- 8080:8080 # qBittorrent WebUI
- 6881:6881 # Torrent ports (TCP)
- 6881:6881/udp # Torrent ports (UDP)
```
**Environment Variables:**
```bash
# User permissions
PUID=1000
PGID=1000
# Timezone
TZ=America/New_York
# Web UI port
WEBUI_PORT=8080
```
===== VPN Integration =====
**Network Mode:**
```yaml
network_mode: "service:gluetun"
```
**Benefits:**
* **IP Protection**: All torrent traffic through VPN
* **ISP Protection**: Hide torrenting from ISP
* **Geographic Access**: Access geo-restricted content
* **Privacy**: Enhanced download privacy
**Port Mapping:**
* **WebUI**: 8080 (internal to Gluetun)
* **Torrent TCP**: 6881
* **Torrent UDP**: 6881
**VPN Verification:**
```bash
# Check if qBittorrent is using VPN IP
docker exec gluetun curl -s ifconfig.me
# Verify qBittorrent is accessible through VPN
curl -k https://qbit.yourdomain.duckdns.org
```
===== Initial Setup =====
**First Access:**
1. **Navigate**: Visit qBittorrent URL
2. **Default Credentials**: admin/adminadmin
3. **Change Password**: Immediately change default password
4. **Configure Settings**: Set up download preferences
**Basic Configuration:**
* **Download Location**: Set to `/downloads`
* **Temporary Files**: Configure temp directory
* **Auto-Management**: Enable automatic torrent management
* **WebUI Settings**: Configure interface preferences
===== Download Management =====
**Adding Torrents:**
* **Torrent Files**: Upload .torrent files
* **Magnet Links**: Paste magnet links
* **URLs**: Add torrent URLs
* **Batch Operations**: Add multiple torrents
**Download Categories:**
* **Category Creation**: Create download categories
* **Path Assignment**: Assign paths per category
* **Automatic Sorting**: Auto-assign categories
* **Category Management**: Organize downloads
**Queue Management:**
* **Priority Setting**: Set download priorities
* **Queue Limits**: Limit concurrent downloads
* **Speed Allocation**: Allocate bandwidth per torrent
* **Sequential Downloads**: Download files in order
===== Advanced Features =====
**RSS Integration:**
* **RSS Feeds**: Add RSS torrent feeds
* **Automatic Downloads**: Auto-download matching torrents
* **Filters**: Set download filters and rules
* **Smart Filtering**: Advanced filtering options
**Search Integration:**
* **Built-in Search**: Search torrent sites
* **Search Plugins**: Install additional search plugins
* **Plugin Management**: Manage search engines
* **Search History**: Track search history
**Automation:**
* **Watch Folders**: Monitor folders for new torrents
* **Auto-Tagging**: Automatic torrent tagging
* **Script Integration**: Execute scripts on completion
* **API Integration**: REST API for automation
===== Performance Optimization =====
**Speed Settings:**
```yaml
# Recommended settings for VPN
Global maximum number of upload slots: 20
Global maximum number of half-open connections: 500
Maximum number of upload slots per torrent: 4
Maximum number of connections per torrent: 100
```
**Disk Settings:**
* **Disk Cache**: Set to 64-128 MB
* **Disk Cache Expiry**: 60 seconds
* **OS Cache**: Enable OS cache
* **Coalesce Reads**: Enable for SSDs
**Connection Settings:**
* **Global Max Connections**: 500
* **Max Per Torrent**: 100
* **Max Upload Slots**: 20
* **Max Half-Open**: 500
===== Security Configuration =====
**WebUI Security:**
* **Authentication**: Enable username/password
* **HTTPS**: Force HTTPS connections
* **IP Filtering**: Restrict access by IP
* **Session Timeout**: Configure session limits
**Network Security:**
* **Encryption**: Enable protocol encryption
* **DHT**: Enable DHT for peer discovery
* **PEX**: Enable peer exchange
* **LSD**: Enable local service discovery
**VPN Security:**
* **Kill Switch**: Gluetun provides kill switch
* **DNS Leak Protection**: VPN DNS protection
* **IPv6 Blocking**: Block IPv6 leaks
* **Port Forwarding**: VPN port forwarding
===== Integration with Media Stack =====
**Sonarr/Radarr Integration:**
```yaml
# In Sonarr/Radarr settings
Download Client: qBittorrent
Host: qbittorrent # Container name
Port: 8080
Username: your-username
Password: your-password
Category: sonarr # Use categories for organization
```
**Category Setup:**
* **sonarr**: For TV show downloads
* **radarr**: For movie downloads
* **manual**: For manual downloads
* **books**: For book downloads
**Path Mapping:**
* **/downloads/complete/sonarr**: TV shows
* **/downloads/complete/radarr**: Movies
* **/downloads/complete/manual**: Manual downloads
===== Monitoring & Maintenance =====
**Health Checks:**
```yaml
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:8080"]
interval: 30s
timeout: 10s
retries: 3
```
**Log Monitoring:**
```bash
# View qBittorrent logs
docker logs qbittorrent
# View Gluetun logs (VPN)
docker logs gluetun
```
**Performance Monitoring:**
* **Download Speed**: Monitor download/upload speeds
* **Connection Count**: Track peer connections
* **Disk I/O**: Monitor disk usage
* **Memory Usage**: Track memory consumption
===== Troubleshooting =====
**VPN Connection Issues:**
```bash
# Check VPN status
docker exec gluetun sh -c "curl -s ifconfig.me"
# Verify Gluetun is running
docker ps | grep gluetun
# Check Gluetun logs
docker logs gluetun | grep -i wireguard
```
**WebUI Access Issues:**
* **Port Mapping**: Verify port 8080 is mapped in Gluetun
* **Network Mode**: Confirm `network_mode: "service:gluetun"`
* **Firewall**: Check firewall rules
* **Traefik**: Verify Traefik routing
**Download Problems:**
* **Port Forwarding**: Check if VPN supports port forwarding
* **Speed Limits**: Remove artificial speed limits
* **Tracker Issues**: Check tracker status
* **Peer Connections**: Verify peer connectivity
**Common Issues:**
* **No Downloads**: Check VPN connection and port forwarding
* **Slow Speeds**: Verify VPN server selection and speed
* **Connection Errors**: Check firewall and network settings
* **Authentication**: Verify username/password credentials
**Troubleshooting Steps:**
1. **Check VPN**: Verify Gluetun is connected
2. **Test Access**: Access WebUI directly
3. **Check Logs**: Review container logs
4. **Verify Ports**: Confirm port mappings
5. **Test Downloads**: Try a known working torrent
===== Backup & Recovery =====
**Configuration Backup:**
```bash
# Backup qBittorrent configuration
docker run --rm \
-v qbittorrent-config:/config \
-v $(pwd)/backup:/backup \
busybox tar czf /backup/qbittorrent-config.tar.gz /config
```
**Download Recovery:**
* **Resume Downloads**: qBittorrent auto-resumes
* **Torrent Files**: Backup .torrent files
* **Fast Resume**: Use fast resume data
* **Re-add Torrents**: Re-add from backup
**Migration:**
1. **Stop Container**: Stop qBittorrent
2. **Backup Config**: Backup configuration directory
3. **Restore Config**: Restore to new location
4. **Update Paths**: Update download paths if changed
5. **Start Container**: Restart qBittorrent
===== Best Practices =====
**VPN Usage:**
* **Dedicated Server**: Use VPN server optimized for P2P
* **Port Forwarding**: Enable port forwarding when available
* **Kill Switch**: Always use VPN kill switch
* **IP Rotation**: Rotate VPN servers periodically
**Download Management:**
* **Category Organization**: Use categories for organization
* **Speed Limits**: Set reasonable speed limits
* **Queue Management**: Limit concurrent downloads
* **Disk Space**: Monitor available disk space
**Security:**
* **Strong Passwords**: Use strong WebUI passwords
* **IP Restrictions**: Limit WebUI access
* **Regular Updates**: Keep qBittorrent updated
* **VPN Always**: Never disable VPN routing
**Performance:**
* **Resource Allocation**: Appropriate CPU/memory limits
* **Disk I/O**: Use fast storage for downloads
* **Network Optimization**: Optimize VPN server selection
* **Cache Settings**: Optimize disk cache settings
===== Advanced Configuration =====
**qBittorrent.conf Settings:**
```ini
[Preferences]
WebUI\Username=your-username
WebUI\Password_PBKDF2="encrypted-password"
WebUI\Port=8080
Downloads\SavePath=/downloads
Downloads\TempPath=/downloads/temp
```
**API Usage:**
```bash
# Get torrent list
curl -u username:password "http://localhost:8080/api/v2/torrents/info"
# Add magnet link
curl -X POST \
-u username:password \
-d "urls=magnet:?..." \
http://localhost:8080/api/v2/torrents/add
```
**Integration Scripts:**
```bash
#!/bin/bash
# Auto-organize completed downloads
QB_HOST="http://localhost:8080"
QB_USER="username"
QB_PASS="password"
# Get completed torrents
completed=$(curl -s -u $QB_USER:$QB_PASS "$QB_HOST/api/v2/torrents/info?filter=completed")
# Process completed torrents
# Add your organization logic here
```
qBittorrent provides a powerful, privacy-focused torrent downloading solution that integrates seamlessly with your media automation stack while maintaining security through VPN routing.
**Next:** Explore [[services:media-management:start|Media Management Services]] or return to [[services:media:start|Media Services Overview]].

194
config-templates/dokuwiki/data/pages/services/media/start.txt
View File

@@ -1,194 +0,0 @@
====== Media Services ======
The Media Services stack provides comprehensive media management, streaming, and downloading capabilities for your homelab. These services handle everything from media library organization to automated downloading and streaming.
===== Overview =====
**Stack Components:**
* **[[services:media:jellyfin|Jellyfin]]**: Media server for streaming movies, TV shows, and music
* **[[services:media:calibre-web|Calibre-Web]]**: Web interface for eBook library management
* **[[services:media:qbittorrent|qBittorrent]]**: Torrent client with VPN protection
**Key Features:**
* **Unified Media Access**: Stream media from any device
* **EBook Management**: Browse and read digital books
* **Secure Downloading**: VPN-protected torrent downloads
* **Cross-Platform**: Works on all devices and platforms
===== Service Details =====
^ Service ^ Purpose ^ URL ^ Authentication ^ Storage ^
| [[services:media:jellyfin|Jellyfin]] | Media streaming server | https://jellyfin.${DOMAIN} | Apps/devices | /mnt/media |
| [[services:media:calibre-web|Calibre-Web]] | eBook web interface | https://calibre.${DOMAIN} | Built-in users | /mnt/media/books |
| [[services:media:qbittorrent|qBittorrent]] | Torrent downloads | https://qbit.${DOMAIN} | Web UI auth | /mnt/downloads |
===== Architecture =====
**Storage Layout:**
```
/mnt/media/
├── movies/ # Movie files
├── tv/ # TV show files
├── music/ # Music files
├── books/ # Calibre eBook library
│ ├── metadata.db
│ └── books/
└── photos/ # Photo collections
/mnt/downloads/
├── complete/ # Completed downloads
├── incomplete/ # Active downloads
└── temp/ # Temporary files
```
**Network Configuration:**
* **Jellyfin**: Direct access (no SSO for app compatibility)
* **Calibre-Web**: Authelia SSO protection
* **qBittorrent**: Authelia SSO + VPN routing through Gluetun
===== Deployment =====
**Docker Compose (media.yml):**
```yaml
services:
jellyfin:
image: lscr.io/linuxserver/jellyfin:latest
# ... Jellyfin configuration
calibre-web:
image: lscr.io/linuxserver/calibre-web:latest
# ... Calibre-Web configuration
qbittorrent:
image: lscr.io/linuxserver/qbittorrent:latest
network_mode: "service:gluetun" # VPN routing
# ... qBittorrent configuration
```
**Prerequisites:**
* **Core Stack**: Traefik, Authelia, Gluetun must be running
* **Storage**: /mnt/media and /mnt/downloads mounted
* **VPN**: Gluetun configured with torrent-friendly provider
* **Permissions**: Proper PUID/PGID for file access
===== Integration =====
**With Media Management:**
* **Sonarr/Radarr**: Auto-download TV/movies
* **qBittorrent**: Download client for automation
* **Jellyfin**: Media library scanning and streaming
* **Prowlarr**: Indexer management
**With Home Automation:**
* **Home Assistant**: Media control integration
* **Node-RED**: Custom media workflows
* **MotionEye**: Security camera integration
**With Monitoring:**
* **Uptime Kuma**: Service availability monitoring
* **Grafana**: Performance dashboards
* **Prometheus**: Resource monitoring
===== Security Considerations =====
**Access Control:**
* **Jellyfin**: No SSO (device/app compatibility)
* **Calibre-Web**: SSO protected
* **qBittorrent**: SSO protected + VPN isolation
**Network Security:**
* **VPN Routing**: qBittorrent traffic through VPN
* **Firewall Rules**: Restrict external access
* **SSL/TLS**: All services use HTTPS
* **Authentication**: Strong passwords required
===== Performance Optimization =====
**Hardware Acceleration:**
* **Jellyfin**: GPU transcoding support
* **Intel Quick Sync**: Hardware encoding/decoding
* **NVIDIA NVENC**: GPU-accelerated transcoding
* **VAAPI**: Linux video acceleration
**Storage Optimization:**
* **SSD Storage**: Fast access for media files
* **RAID Arrays**: Data redundancy and performance
* **Network Storage**: NAS integration for large libraries
* **Caching**: Metadata and thumbnail caching
**Resource Allocation:**
```yaml
# Recommended limits
jellyfin:
cpus: '2.0'
memory: 4G
calibre-web:
cpus: '1.0'
memory: 512M
qbittorrent:
cpus: '2.0'
memory: 1G
```
===== Maintenance =====
**Regular Tasks:**
* **Library Scans**: Regular media library scanning
* **Database Optimization**: Calibre database maintenance
* **Download Cleanup**: Remove completed torrents
* **Update Checks**: Keep services updated
**Backup Strategy:**
* **Configuration**: Backup service configurations
* **Databases**: Backup Calibre and Jellyfin databases
* **Metadata**: Preserve media metadata
* **Automation**: Automated backup scripts
===== Troubleshooting =====
**Common Issues:**
* **Media Not Showing**: Check file permissions and paths
* **Slow Streaming**: Verify transcoding settings
* **Download Issues**: Check VPN connection and ports
* **Authentication**: Verify SSO configuration
**Diagnostic Commands:**
```bash
# Check service status
docker compose -f media.yml ps
# View logs
docker compose -f media.yml logs -f service-name
# Test VPN connection
docker exec gluetun curl -s ifconfig.me
# Check file permissions
ls -la /mnt/media/
```
===== Best Practices =====
**Library Organization:**
* **Consistent Naming**: Follow media naming conventions
* **Folder Structure**: Logical folder hierarchy
* **Metadata Quality**: Accurate media information
* **Regular Maintenance**: Keep libraries organized
**Security:**
* **VPN Always**: Never disable VPN for downloads
* **Strong Passwords**: Use strong authentication
* **Access Logging**: Monitor access patterns
* **Regular Updates**: Keep services current
**Performance:**
* **Resource Monitoring**: Track CPU/memory usage
* **Storage Optimization**: Use appropriate storage types
* **Network Optimization**: Fast network connections
* **Caching**: Enable appropriate caching
The Media Services stack provides a complete media entertainment solution with streaming, eBook management, and secure downloading capabilities.
**Next:** Explore [[services:media-management:start|Media Management Services]] for automated downloading or return to [[services:start|Services Overview]].

53
config-templates/dokuwiki/data/pages/services/monitoring/start.txt
View File

@@ -1,53 +0,0 @@
====== Monitoring Services ======
This section covers monitoring and observability tools for your homelab.
===== Available Services =====
**Grafana** - Dashboard and visualization platform
* Access: https://grafana.${DOMAIN}
* Description: Create dashboards for metrics, logs, and alerts
* Stack: monitoring.yml
**Prometheus** - Metrics collection and alerting
* Access: https://prometheus.${DOMAIN}
* Description: Time-series database for monitoring metrics
* Stack: monitoring.yml
**Node Exporter** - System metrics exporter
* Description: Exports hardware and OS metrics for Prometheus
* Stack: monitoring.yml
**cAdvisor** - Container metrics
* Description: Provides container metrics for Prometheus
* Stack: monitoring.yml
**Loki** - Log aggregation
* Access: https://loki.${DOMAIN}
* Description: Log aggregation system for Docker containers
* Stack: monitoring.yml
**Promtail** - Log shipping agent
* Description: Ships logs from Docker containers to Loki
* Stack: monitoring.yml
===== Quick Start =====
1. Deploy the monitoring stack:
docker-compose -f monitoring.yml up -d
2. Access Grafana at https://grafana.${DOMAIN}
- Default credentials: admin/admin
- Change password on first login
3. Configure Prometheus data sources in Grafana
4. Set up dashboards for your services
===== Integration =====
Monitoring services integrate with:
* **Traefik** - Automatic SSL and routing
* **Authelia** - SSO authentication
* **Docker** - Container metrics via cAdvisor
* **System** - Hardware metrics via Node Exporter

3
config-templates/dokuwiki/data/pages/services/productivity/start.txt
View File

@@ -1,3 +0,0 @@
====== Productivity Services ======
Coming soon...

294
config-templates/dokuwiki/data/pages/services/start.txt
View File

@@ -1,294 +0,0 @@
====== Services Overview ======
The AI-Homelab provides 70+ pre-configured services organized into logical stacks. All services follow consistent patterns for deployment, security, and management.
===== Service Categories =====
| Category | Services | Description | Deployment |
|----------|----------|-------------|------------|
| **Core** | 4 services | Essential infrastructure | Automatic |
| **Infrastructure** | 8 services | Management and monitoring | Automatic |
| **Media** | 3 services | Media servers and downloaders | Manual |
| **Media Management** | 10 services | Download automation | Manual |
| **Productivity** | 8+6 services | Office and collaboration | Manual |
| **Home Automation** | 7 services | Smart home integration | Manual |
| **Monitoring** | 8 services | Observability and alerting | Manual |
| **Utilities** | 6 services | Backup and miscellaneous | Manual |
| **Development** | 6 services | Development tools | Manual |
| **Alternatives** | 6+3 services | Alternative implementations | Optional |
===== Core Infrastructure =====
**Deployed automatically with setup scripts.**
| Service | URL | Purpose | SSO | Documentation |
|---------|-----|---------|-----|---------------|
| **[[services:core:duckdns|DuckDNS]]** | - | Dynamic DNS updates | - | [[services:core:duckdns|Details]] |
| **[[services:core:traefik|Traefik]]** | `https://traefik.yourdomain.duckdns.org` | Reverse proxy | ✓ | [[services:core:traefik|Details]] |
| **[[services:core:authelia|Authelia]]** | `https://auth.yourdomain.duckdns.org` | SSO authentication | - | [[services:core:authelia|Details]] |
| **[[services:core:gluetun|Gluetun]]** | - | VPN client | - | [[services:core:gluetun|Details]] |
| **[[services:core:sablier|Sablier]]** | `http://sablier.yourdomain.duckdns.org:10000` | Lazy loading | - | [[services:core:sablier|Details]] |
===== Infrastructure Services =====
**Management and monitoring tools.**
| Service | URL | Purpose | SSO | Documentation |
|---------|-----|---------|-----|---------------|
| **[[services:infrastructure:dockge|Dockge]]** | `https://dockge.yourdomain.duckdns.org` | Stack manager | ✓ | [[services:infrastructure:dockge|Details]] |
| **[[services:infrastructure:pihole|Pi-hole]]** | `http://pihole.yourdomain.duckdns.org` | DNS & ad blocking | ✓ | [[services:infrastructure:pihole|Details]] |
| **[[services:infrastructure:dozzle|Dozzle]]** | `https://dozzle.yourdomain.duckdns.org` | Log viewer | ✓ | [[services:infrastructure:dozzle|Details]] |
| **[[services:infrastructure:glances|Glances]]** | `https://glances.yourdomain.duckdns.org` | System monitor | ✓ | [[services:infrastructure:glances|Details]] |
| **[[services:infrastructure:watchtower|Watchtower]]** | - | Auto updates | - | [[services:infrastructure:watchtower|Details]] |
| **[[services:infrastructure:code-server|Code Server]]** | `https://code.yourdomain.duckdns.org` | VS Code in browser | ✓ | [[services:infrastructure:code-server|Details]] |
| **[[services:infrastructure:docker-proxy|Docker Proxy]]** | - | Secure socket access | - | [[services:infrastructure:docker-proxy|Details]] |
===== Monitoring Services =====
**Observability and alerting tools.**
See [[services:monitoring:start|Monitoring Services Overview]]
===== Utilities Services =====
**Backup, development, and miscellaneous tools.**
See [[services:utilities:start|Utilities Services Overview]]
===== Media Services =====
**Media servers, eBook management, and secure downloading.**
| Service | URL | Purpose | SSO | Documentation |
|---------|-----|---------|-----|---------------|
| **[[services:media:jellyfin|Jellyfin]]** | `https://jellyfin.yourdomain.duckdns.org` | Media streaming server | ✗ | [[services:media:jellyfin|Details]] |
| **[[services:media:calibre-web|Calibre-Web]]** | `https://calibre.yourdomain.duckdns.org` | eBook web interface | ✓ | [[services:media:calibre-web|Details]] |
| **[[services:media:qbittorrent|qBittorrent]]** | `https://qbit.yourdomain.duckdns.org` | Torrent client (VPN) | ✓ | [[services:media:qbittorrent|Details]] |
===== Media Management =====
**Download automation and organization.**
| Service | URL | Purpose | SSO |
|---------|-----|---------|-----|
| **Sonarr** | `https://sonarr.yourdomain.duckdns.org` | TV automation | ✓ |
| **Radarr** | `https://radarr.yourdomain.duckdns.org` | Movie automation | ✓ |
| **Prowlarr** | `https://prowlarr.yourdomain.duckdns.org` | Indexer manager | ✓ |
| **Readarr** | `https://readarr.yourdomain.duckdns.org` | Book automation | ✓ |
| **Lidarr** | `https://lidarr.yourdomain.duckdns.org` | Music automation | ✓ |
| **Lazy Librarian** | `https://lazylibrarian.yourdomain.duckdns.org` | Book manager | ✓ |
| **Mylar3** | `https://mylar.yourdomain.duckdns.org` | Comic manager | ✓ |
| **Jellyseerr** | `https://jellyseerr.yourdomain.duckdns.org` | Media requests | ✓ |
| **FlareSolverr** | - | Cloudflare bypass | - |
| **Tdarr Server** | `https://tdarr.yourdomain.duckdns.org` | Transcoding | ✓ |
| **Tdarr Node** | - | Transcoding worker | - |
| **Unmanic** | `https://unmanic.yourdomain.duckdns.org` | Library optimizer | ✓ |
| **Bazarr** | `https://bazarr.yourdomain.duckdns.org` | Subtitle manager | ✓ |
===== Productivity Services =====
**Office, collaboration, and content management.**
| Service | URL | Purpose | SSO | Database |
|---------|-----|---------|-----|----------|
| **Nextcloud** | `https://nextcloud.yourdomain.duckdns.org` | File sync | ✓ | MariaDB |
| **Mealie** | `https://mealie.yourdomain.duckdns.org` | Recipe manager | ✗ | - |
| **WordPress** | `https://blog.yourdomain.duckdns.org` | Blog platform | ✗ | MariaDB |
| **Gitea** | `https://git.yourdomain.duckdns.org` | Git service | ✓ | PostgreSQL |
| **DokuWiki** | `https://wiki.yourdomain.duckdns.org` | Documentation | ✓ | - |
| **BookStack** | `https://docs.yourdomain.duckdns.org` | Documentation | ✓ | MariaDB |
| **MediaWiki** | `https://mediawiki.yourdomain.duckdns.org` | Wiki platform | ✓ | MariaDB |
| **Form.io** | `https://forms.yourdomain.duckdns.org` | Form builder | ✓ | MongoDB |
===== Home Automation =====
**Smart home integration and monitoring.**
| Service | URL | Purpose | SSO |
|---------|-----|---------|-----|
| **Home Assistant** | `https://ha.yourdomain.duckdns.org` | Home automation | ✗ |
| **ESPHome** | `https://esphome.yourdomain.duckdns.org` | ESP firmware | ✓ |
| **TasmoAdmin** | `https://tasmoadmin.yourdomain.duckdns.org` | Tasmota manager | ✓ |
| **Node-RED** | `https://nodered.yourdomain.duckdns.org` | Automation flows | ✓ |
| **Mosquitto** | - | MQTT broker | - |
| **Zigbee2MQTT** | `https://zigbee2mqtt.yourdomain.duckdns.org` | Zigbee bridge | ✓ |
| **MotionEye** | `https://motioneye.yourdomain.duckdns.org` | Video surveillance | ✓ |
===== Monitoring Services =====
**Observability, metrics, and alerting.**
| Service | URL | Purpose | SSO |
|---------|-----|---------|-----|
| **Prometheus** | `https://prometheus.yourdomain.duckdns.org` | Metrics collection | ✓ |
| **Grafana** | `https://grafana.yourdomain.duckdns.org` | Dashboard platform | ✓ |
| **Loki** | - | Log aggregation | - |
| **Promtail** | - | Log shipping | - |
| **Node Exporter** | - | System metrics | - |
| **cAdvisor** | - | Container metrics | - |
| **Uptime Kuma** | `https://status.yourdomain.duckdns.org` | Status monitoring | ✓ |
===== Utility Services =====
**Backup, password management, and miscellaneous.**
| Service | URL | Purpose | SSO |
|---------|-----|---------|-----|
| **Vaultwarden** | `https://bitwarden.yourdomain.duckdns.org` | Password manager | ✗ |
| **Backrest** | `https://backrest.yourdomain.duckdns.org` | Backup manager | ✓ |
| **Duplicati** | `https://duplicati.yourdomain.duckdns.org` | Encrypted backups | ✓ |
| **FreshRSS** | `https://rss.yourdomain.duckdns.org` | RSS reader | ✓ |
| **Wallabag** | `https://wallabag.yourdomain.duckdns.org` | Read-it-later | ✓ |
| **Authelia Redis** | - | Session storage | - |
===== Development Services =====
**Development tools and environments.**
| Service | URL | Purpose | SSO |
|---------|-----|---------|-----|
| **GitLab CE** | `https://gitlab.yourdomain.duckdns.org` | DevOps platform | ✓ |
| **PostgreSQL** | - | SQL database | - |
| **Redis** | - | In-memory store | - |
| **pgAdmin** | `https://pgadmin.yourdomain.duckdns.org` | Database admin | ✓ |
| **Jupyter Lab** | `https://jupyter.yourdomain.duckdns.org` | Notebooks | ✓ |
| **Code Server** | `https://code.yourdomain.duckdns.org` | VS Code | ✓ |
===== Alternative Services =====
**Alternative implementations and additional options.**
| Service | URL | Purpose | SSO | Database |
|---------|-----|---------|-----|----------|
| **Plex** | `https://plex.yourdomain.duckdns.org` | Media server (Alt) | ✗ | - |
| **Portainer** | `https://portainer.yourdomain.duckdns.org` | Container manager | ✓ | - |
| **Authentik** | `https://authentik.yourdomain.duckdns.org` | SSO platform | ✓ | PostgreSQL |
| **Authentik Worker** | - | Background tasks | - | - |
| **Authentik DB** | - | Authentik database | - | - |
| **Authentik Redis** | - | Caching | - | - |
**Legend:** ✓ = Protected by Authelia SSO | ✗ = Bypasses SSO | - = No web interface
===== Service Management =====
**Deploying Services:**
**Via Dockge (Recommended):**
1. Access `https://dockge.yourdomain.duckdns.org`
2. Click **"Add Stack"**
3. Choose **"From Docker Compose"**
4. Select compose file from repository
5. Click **"Deploy"**
**Via Command Line:**
```bash
# Deploy media services
docker compose -f docker-compose/media.yml up -d
# Deploy productivity stack
docker compose -f docker-compose/productivity.yml up -d
```
**Managing Services:**
```bash
# View service status
docker compose -f docker-compose/stack.yml ps
# View logs
docker compose -f docker-compose/stack.yml logs -f service-name
# Restart service
docker compose -f docker-compose/stack.yml restart service-name
# Stop service
docker compose -f docker-compose/stack.yml stop service-name
```
===== SSO Configuration =====
**Enabling SSO Protection:**
```yaml
labels:
- "traefik.http.routers.service.middlewares=authelia@docker"
```
**Disabling SSO (for media apps):**
```yaml
# Comment out the middleware line
# - "traefik.http.routers.service.middlewares=authelia@docker"
```
**Bypass Rules in Authelia:**
```yaml
access_control:
rules:
- domain: jellyfin.yourdomain.duckdns.org
policy: bypass
- domain: plex.yourdomain.duckdns.org
policy: bypass
```
===== Resource Management =====
**Default Resource Limits:**
```yaml
deploy:
resources:
limits:
cpus: '2.0'
memory: 4G
reservations:
cpus: '0.5'
memory: 1G
```
**Service Categories:**
* **Core**: 0.1-0.5 CPU, 64MB-256MB RAM
* **Web Services**: 1-2 CPU, 1-4GB RAM
* **Media Services**: 2-4 CPU, 4-8GB RAM
* **Databases**: 1-2 CPU, 2-4GB RAM
===== Storage Requirements =====
**Configuration Storage (/opt/stacks/):**
* Small configs and metadata
* Automatic backups
* Version controlled
**Data Storage (/mnt/):**
* Large media libraries
* User uploaded content
* Database files
**Backup Storage:**
* Configuration backups
* User data archives
* SSL certificates
===== Troubleshooting =====
**Service Won't Start:**
```bash
# Check logs
docker compose -f docker-compose/stack.yml logs service-name
# Validate configuration
docker compose -f docker-compose/stack.yml config
# Check resource usage
docker stats
```
**Access Issues:**
* Verify Traefik labels
* Check Authelia policies
* Confirm DNS resolution
* Test SSL certificates
**Performance Problems:**
* Monitor resource usage
* Check network connectivity
* Review service logs
* Adjust resource limits
**Next:** Explore individual [[services:core:start|Core Services]] or learn about [[troubleshooting:start|Troubleshooting]].

63
config-templates/dokuwiki/data/pages/services/utilities/start.txt
View File

@@ -1,63 +0,0 @@
====== Utilities Services ======
This section covers utility and development tools for your homelab.
===== Available Services =====
**Code Server** - VS Code in the browser
* Access: https://code.${DOMAIN}
* Description: Web-based VS Code for development and file editing
* Stack: utilities.yml
**File Browser** - Web file manager
* Access: https://files.${DOMAIN}
* Description: Simple web interface for managing files
* Stack: utilities.yml
**Speedtest Tracker** - Internet speed monitoring
* Access: https://speedtest.${DOMAIN}
* Description: Automated internet speed tests with history
* Stack: utilities.yml
**SmokePing** - Network latency monitoring
* Access: https://smokeping.${DOMAIN}
* Description: Network latency and packet loss monitoring
* Stack: utilities.yml
**NetData** - Real-time system monitoring
* Access: https://netdata.${DOMAIN}
* Description: Real-time health monitoring and performance metrics
* Stack: utilities.yml
**Restic Rest Server** - Backup repository server
* Description: REST server for Restic backups
* Stack: utilities.yml
**Duplicati** - Backup solution
* Access: https://backup.${DOMAIN}
* Description: Encrypted backup to various storage providers
* Stack: utilities.yml
**Kopia** - Fast and secure backups
* Access: https://kopia.${DOMAIN}
* Description: Fast, secure, and efficient backup solution
* Stack: utilities.yml
===== Quick Start =====
1. Deploy the utilities stack:
docker-compose -f utilities.yml up -d
2. Access services via their respective URLs
3. Configure backup destinations and schedules
4. Set up monitoring alerts if needed
===== Integration =====
Utilities services integrate with:
* **Traefik** - Automatic SSL and routing
* **Authelia** - SSO authentication
* **File systems** - Direct access to host storage
* **External services** - Cloud storage for backups

84
config-templates/dokuwiki/data/pages/sidebar.txt
View File

@@ -1,84 +0,0 @@
====== Navigation ======
**AI-Homelab Wiki**
==== Getting Started ====
* [[getting_started:start|Overview]]
* [[getting_started:prerequisites|Prerequisites]]
* [[getting_started:setup|Automated Setup]]
* [[getting_started:deployment|Deployment]]
* [[getting_started:access|Access Services]]
* [[getting_started:security|Security Setup]]
==== Architecture ====
* [[architecture:overview|System Overview]]
* [[architecture:networking|Network Architecture]]
* [[architecture:security|Security Model]]
* [[architecture:storage|Storage Strategy]]
* [[architecture:backup|Backup Strategy]]
==== Services ====
* [[services:start|Service Overview]]
* **Core Infrastructure**
* [[services:core:traefik|Traefik]]
* [[services:core:authelia|Authelia]]
* [[services:core:duckdns|DuckDNS]]
* [[services:core:gluetun|Gluetun]]
* [[services:core:sablier|Sablier]]
* **Infrastructure**
* [[services:infrastructure:dockge|Dockge]]
* [[services:infrastructure:pihole|Pi-hole]]
* [[services:infrastructure:dozzle|Dozzle]]
* [[services:infrastructure:glances|Glances]]
* **Media Services**
* [[services:media:jellyfin|Jellyfin]]
* [[services:media:plex|Plex]]
* [[services:media:qbittorrent|qBittorrent]]
* [[services:media:sonarr|Sonarr]]
* [[services:media:radarr|Radarr]]
* **Productivity**
* [[services:productivity:nextcloud|Nextcloud]]
* [[services:productivity:gitea|Gitea]]
* [[services:productivity:bookstack|BookStack]]
* **Monitoring**
* [[services:monitoring:grafana|Grafana]]
* [[services:monitoring:prometheus|Prometheus]]
* [[services:monitoring:uptime_kuma|Uptime Kuma]]
* **Utilities**
* [[services:utilities:backrest|Backrest]]
* [[services:utilities:duplicati|Duplicati]]
* [[services:utilities:vaultwarden|Vaultwarden]]
==== Backup & Recovery ====
* [[backup_recovery:start|Overview]]
* [[backup_recovery:backrest|Backrest (Default)]]
* [[backup_recovery:duplicati|Duplicati (Alternative)]]
* [[backup_recovery:strategy|Backup Strategy]]
* [[backup_recovery:restoration|Restoration]]
==== Troubleshooting ====
* [[troubleshooting:start|Common Issues]]
* [[troubleshooting:deployment|Deployment Problems]]
* [[troubleshooting:services|Service Issues]]
* [[troubleshooting:networking|Network Problems]]
* [[troubleshooting:ssl|SSL Certificate Issues]]
==== Development ====
* [[development:start|Contributing]]
* [[development:copilot|AI Copilot Integration]]
* [[development:customization|Customization]]
* [[development:deployment|Advanced Deployment]]
==== Reference ====
* [[reference:start|Quick Reference]]
* [[reference:commands|Command Reference]]
* [[reference:environment|Environment Variables]]
* [[reference:ports|Port Reference]]
* [[reference:scripts|Deployment Scripts]]
==== External Links ====
* [[https://github.com/kelinfoxy/AI-Homelab|GitHub Repository]]
* [[https://github.com/kelinfoxy/AI-Homelab/issues|Issue Tracker]]
* [[https://github.com/kelinfoxy/AI-Homelab/discussions|Discussions]]
* [[https://doc.traefik.io/traefik/|Traefik Documentation]]
* [[https://www.authelia.com/|Authelia Documentation]]

105
config-templates/dokuwiki/data/pages/start.txt
View File

@@ -1,105 +0,0 @@
====== AI-Homelab Documentation Wiki ======
===== Welcome to AI-Homelab =====
**AI-Homelab** is a production-ready homelab infrastructure that deploys 70+ services through a file-based, AI-manageable architecture using Dockge for visual management.
**Key Features:**
* **Automated SSL** - Wildcard certificates via Let's Encrypt
* **Single Sign-On** - Authelia authentication across all services
* **VPN Routing** - Secure downloads through Gluetun
* **Lazy Loading** - Sablier enables on-demand container startup
* **Resource Limits** - Prevent resource exhaustion
* **AI Management** - GitHub Copilot integration for service management
**Quick Access:**
* [[getting_started:start|🚀 Getting Started]] - Setup and deployment guide
* [[architecture:overview|🏗️ Architecture]] - System design and components
* [[services:start|📦 Services]] - All available services and stacks
* [[backup_recovery:start|💾 Backup & Recovery]] - Data protection strategies
* [[troubleshooting:start|🔧 Troubleshooting]] - Common issues and solutions
* [[development:start|👨‍💻 Development]] - Contributing and customization
===== Quick Start Checklist =====
Complete these steps to get your homelab running:
* [ ] [[getting_started:prerequisites|Review prerequisites and requirements]]
* [ ] [[getting_started:setup|Run automated setup script]]
* [ ] [[getting_started:deployment|Deploy core infrastructure]]
* [ ] [[getting_started:access|Access your services]]
* [ ] [[getting_started:security|Configure security (2FA, access rules)]]
* [ ] [[services:deployment|Deploy additional services as needed]]
===== Architecture Overview =====
**Core Components:**
* **[[services:core:traefik|Traefik]]** - Reverse proxy with automatic SSL
* **[[services:core:authelia|Authelia]]** - Single sign-on authentication
* **[[services:core:duckdns|DuckDNS]]** - Dynamic DNS updates
* **[[services:core:gluetun|Gluetun]]** - VPN client for secure downloads
* **[[services:core:sablier|Sablier]]** - Lazy loading service
**Service Categories:**
* **[[services:infrastructure:start|Infrastructure]]** - Management and monitoring tools
* **[[services:media:start|Media]]** - Streaming, automation, and content management
* **[[services:productivity:start|Productivity]]** - Collaboration and workflow tools
* **[[services:monitoring:start|Monitoring]]** - Observability and alerting
* **[[services:utilities:start|Utilities]]** - Backup, security, and system tools
===== Service Access =====
After deployment, access your services at:
^ Service ^ URL ^ Authentication ^
| **Dockge** | https://dockge.{{DOMAIN}} | Authelia SSO |
| **Homepage** | https://home.{{DOMAIN}} | Authelia SSO |
| **Traefik Dashboard** | https://traefik.{{DOMAIN}} | Authelia SSO |
| **Authelia Login** | https://auth.{{DOMAIN}} | Direct access |
===== Getting Help =====
**Documentation Navigation:**
* Use the sidebar for quick navigation
* Search functionality is available in the top-right
* All pages include cross-references to related topics
**Community Resources:**
* [[https://github.com/kelinfoxy/AI-Homelab|GitHub Repository]]
* [[https://github.com/kelinfoxy/AI-Homelab/issues|Issue Tracker]]
* [[https://github.com/kelinfoxy/AI-Homelab/discussions|Discussions]]
**AI Assistance:**
* This wiki is designed to work with AI agents
* Use GitHub Copilot in VS Code for intelligent management
* See [[development:copilot|Copilot Instructions]] for details
===== Recent Updates =====
**January 20, 2026:**
* Updated service count to 70+ services
* Enhanced Sablier lazy loading documentation
* Improved backup strategy with Backrest as default
* Standardized service documentation format
* Added comprehensive troubleshooting guides
**Key Improvements:**
* Better navigation and cross-linking
* Comprehensive service documentation
* Enhanced security configurations
* Improved deployment automation
===== Navigation =====
{{:navigation-tree.png?300|Documentation Structure}}
**Main Sections:**
* [[getting_started:start|Getting Started]] - Setup and deployment
* [[architecture:start|Architecture]] - System design
* [[services:start|Services]] - Available services
* [[backup_recovery:start|Backup & Recovery]] - Data protection
* [[troubleshooting:start|Troubleshooting]] - Problem solving
* [[development:start|Development]] - Contributing and customization
* [[reference:start|Reference]] - Quick reference guides
This wiki serves as the comprehensive documentation hub for AI-Homelab. All content is maintained and regularly updated to reflect the latest features and best practices.

3
config-templates/dokuwiki/data/pages/troubleshooting/start.txt
View File

@@ -1,3 +0,0 @@
====== Troubleshooting ======
Coming soon...

35
config-templates/dokuwiki/docker-compose.yml
View File

@@ -1,35 +0,0 @@
# Dokuwiki - Self-hosted Wiki Platform
# Place in /opt/stacks/productivity/dokuwiki/docker-compose.yml
services:
dokuwiki:
image: lscr.io/linuxserver/dokuwiki:latest
container_name: dokuwiki
restart: unless-stopped
networks:
- traefik-network
ports:
- "80:80"
volumes:
- ./config:/config
environment:
- PUID=${PUID}
- PGID=${PGID}
- TZ=${TZ}
labels:
- "homelab.category=productivity"
- "homelab.description=Self-hosted wiki platform"
- "traefik.enable=true"
- "traefik.http.routers.dokuwiki.rule=Host(`wiki.${DOMAIN}`)"
- "traefik.http.routers.dokuwiki.entrypoints=websecure"
- "traefik.http.routers.dokuwiki.tls.certresolver=letsencrypt"
- "traefik.http.routers.dokuwiki.middlewares=authelia@docker"
- "traefik.http.services.dokuwiki.loadbalancer.server.port=80"
- "x-dockge.url=https://wiki.${DOMAIN}"
volumes:
dokuwiki-config:
networks:
traefik-network:
external: true

493
config-templates/homepage/bookmarks.yaml
View File

@@ -1,493 +0,0 @@
---
# Homepage Bookmarks - Comprehensive EZ-Homelab Resources
- EZ-Homelab Project:
- EZ-Homelab GitHub:
- icon: github.png
href: https://github.com/kelinfoxy/EZ-Homelab
description: EZ-Homelab Repository & Documentation
- EZ-Homelab Wiki:
- icon: si-readthedocs
href: https://github.com/kelinfoxy/EZ-Homelab/wiki
description: Comprehensive Documentation Wiki
- Homepage Dashboard:
- icon: homepage.png
href: https://gethomepage.dev
description: Homepage Dashboard Documentation
- Infrastructure & Core Services:
- Traefik:
- icon: si-traefikproxy
href: https://traefik.io
description: Traefik Reverse Proxy
- icon: github.png
href: https://github.com/traefik/traefik
description: Traefik GitHub
- icon: docker.png
href: https://hub.docker.com/_/traefik
description: Traefik Docker Image
- Authelia:
- icon: si-authelia
href: https://www.authelia.com
description: Authelia SSO Authentication
- icon: github.png
href: https://github.com/authelia/authelia
description: Authelia GitHub
- icon: docker.png
href: https://hub.docker.com/r/authelia/authelia
description: Authelia Docker Image
- DuckDNS:
- icon: si-duckduckgo
href: https://www.duckdns.org
description: Dynamic DNS Service
- Docker:
- icon: docker.png
href: https://www.docker.com
description: Docker Official Website
- icon: docker.png
href: https://hub.docker.com
description: Docker Hub Registry
- icon: si-docker
href: https://docs.docker.com
description: Docker Documentation
- Portainer:
- icon: si-portainer
href: https://www.portainer.io
description: Portainer Container Management
- icon: github.png
href: https://github.com/portainer/portainer
description: Portainer GitHub
- icon: docker.png
href: https://hub.docker.com/r/portainer/portainer-ce
description: Portainer Docker Image
- Pi-hole:
- icon: si-raspberrypi
href: https://pi-hole.net
description: Pi-hole Network-wide Ad Blocking
- icon: github.png
href: https://github.com/pi-hole/pi-hole
description: Pi-hole GitHub
- icon: docker.png
href: https://hub.docker.com/r/pihole/pihole
description: Pi-hole Docker Image
- LinuxServer.io:
- icon: si-linux
href: https://www.linuxserver.io
description: LinuxServer.io Container Images
- icon: github.png
href: https://github.com/linuxserver
description: LinuxServer GitHub Organization
- Media Services:
- Plex:
- icon: si-plex
href: https://www.plex.tv
description: Plex Media Server
- icon: github.png
href: https://github.com/plexinc/pms-docker
description: Plex Docker GitHub
- icon: docker.png
href: https://hub.docker.com/r/plexinc/pms-docker
description: Plex Docker Image
- Jellyfin:
- icon: si-jellyfin
href: https://jellyfin.org
description: Jellyfin Media Server (Open Source)
- icon: github.png
href: https://github.com/jellyfin/jellyfin
description: Jellyfin GitHub
- icon: docker.png
href: https://hub.docker.com/r/jellyfin/jellyfin
description: Jellyfin Docker Image
- Sonarr:
- icon: si-sonarr
href: https://sonarr.tv
description: Sonarr TV Show Manager
- icon: github.png
href: https://github.com/Sonarr/Sonarr
description: Sonarr GitHub
- icon: docker.png
href: https://hub.docker.com/r/linuxserver/sonarr
description: Sonarr Docker Image
- Radarr:
- icon: si-radarr
href: https://radarr.video
description: Radarr Movie Manager
- icon: github.png
href: https://github.com/Radarr/Radarr
description: Radarr GitHub
- icon: docker.png
href: https://hub.docker.com/r/linuxserver/radarr
description: Radarr Docker Image
- Prowlarr:
- icon: si-prowlarr
href: https://prowlarr.com
description: Prowlarr Indexer Manager
- icon: github.png
href: https://github.com/Prowlarr/Prowlarr
description: Prowlarr GitHub
- icon: docker.png
href: https://hub.docker.com/r/linuxserver/prowlarr
description: Prowlarr Docker Image
- qBittorrent:
- icon: si-qbittorrent
href: https://www.qbittorrent.org
description: qBittorrent Torrent Client
- icon: github.png
href: https://github.com/qbittorrent/qBittorrent
description: qBittorrent GitHub
- icon: docker.png
href: https://hub.docker.com/r/linuxserver/qbittorrent
description: qBittorrent Docker Image
- Readarr:
- icon: si-readarr
href: https://readarr.com
description: Readarr Book Manager
- icon: github.png
href: https://github.com/Readarr/Readarr
description: Readarr GitHub
- icon: docker.png
href: https://hub.docker.com/r/linuxserver/readarr
description: Readarr Docker Image
- Lidarr:
- icon: si-lidarr
href: https://lidarr.audio
description: Lidarr Music Manager
- icon: github.png
href: https://github.com/Lidarr/Lidarr
description: Lidarr GitHub
- icon: docker.png
href: https://hub.docker.com/r/linuxserver/lidarr
description: Lidarr Docker Image
- Jellyseerr:
- icon: si-jellyseerr
href: https://jellyseerr.dev
description: Jellyseerr Media Requests
- icon: github.png
href: https://github.com/Fallenbagel/jellyseerr
description: Jellyseerr GitHub
- icon: docker.png
href: https://hub.docker.com/r/fallenbagel/jellyseerr
description: Jellyseerr Docker Image
- Tdarr:
- icon: si-tdarr
href: https://tdarr.io
description: Tdarr Media Transcoding
- icon: github.png
href: https://github.com/HaveAGitGat/Tdarr
description: Tdarr GitHub
- icon: docker.png
href: https://hub.docker.com/r/haveagitgat/tdarr
description: Tdarr Docker Image
- Unmanic:
- icon: si-unmanic
href: https://docs.unmanic.app
description: Unmanic Media Optimizer
- icon: github.png
href: https://github.com/Unmanic/unmanic
description: Unmanic GitHub
- icon: docker.png
href: https://hub.docker.com/r/josh5/unmanic
description: Unmanic Docker Image
- Calibre-Web:
- icon: si-calibre
href: https://github.com/janeczku/calibre-web
description: Calibre-Web Ebook Reader
- icon: github.png
href: https://github.com/janeczku/calibre-web
description: Calibre-Web GitHub
- icon: docker.png
href: https://hub.docker.com/r/linuxserver/calibre-web
description: Calibre-Web Docker Image
- Productivity & Collaboration:
- Nextcloud:
- icon: si-nextcloud
href: https://nextcloud.com
description: Nextcloud File Sync & Collaboration
- icon: github.png
href: https://github.com/nextcloud/server
description: Nextcloud GitHub
- icon: docker.png
href: https://hub.docker.com/r/linuxserver/nextcloud
description: Nextcloud Docker Image
- Gitea:
- icon: si-gitea
href: https://gitea.io
description: Gitea Git Service
- icon: github.png
href: https://github.com/go-gitea/gitea
description: Gitea GitHub
- icon: docker.png
href: https://hub.docker.com/r/gitea/gitea
description: Gitea Docker Image
- BookStack:
- icon: si-bookstack
href: https://www.bookstackapp.com
description: BookStack Documentation Platform
- icon: github.png
href: https://github.com/BookStackApp/BookStack
description: BookStack GitHub
- icon: docker.png
href: https://hub.docker.com/r/linuxserver/bookstack
description: BookStack Docker Image
- DokuWiki:
- icon: si-dokuwiki
href: https://www.dokuwiki.org
description: DokuWiki File-based Wiki
- icon: github.png
href: https://github.com/dokuwiki/dokuwiki
description: DokuWiki GitHub
- icon: docker.png
href: https://hub.docker.com/r/linuxserver/dokuwiki
description: DokuWiki Docker Image
- MediaWiki:
- icon: si-mediawiki
href: https://www.mediawiki.org
description: MediaWiki Wiki Platform
- icon: github.png
href: https://github.com/wikimedia/mediawiki
description: MediaWiki GitHub
- icon: docker.png
href: https://hub.docker.com/r/linuxserver/mediawiki
description: MediaWiki Docker Image
- WordPress:
- icon: si-wordpress
href: https://wordpress.org
description: WordPress Blog/CMS Platform
- icon: github.png
href: https://github.com/WordPress/WordPress
description: WordPress GitHub
- icon: docker.png
href: https://hub.docker.com/r/linuxserver/wordpress
description: WordPress Docker Image
- Mealie:
- icon: si-mealie
href: https://hay-kot.github.io/mealie
description: Mealie Recipe Manager
- icon: github.png
href: https://github.com/hay-kot/mealie
description: Mealie GitHub
- icon: docker.png
href: https://hub.docker.com/r/hkotel/mealie
description: Mealie Docker Image
- Form.io:
- icon: si-formio
href: https://www.form.io
description: Form.io Form Builder
- icon: github.png
href: https://github.com/formio/formio
description: Form.io GitHub
- icon: docker.png
href: https://hub.docker.com/r/formio/formio-enterprise
description: Form.io Docker Image
- Home Automation:
- Home Assistant:
- icon: si-homeassistant
href: https://www.home-assistant.io
description: Home Assistant Smart Home Platform
- icon: github.png
href: https://github.com/home-assistant/core
description: Home Assistant GitHub
- icon: docker.png
href: https://hub.docker.com/r/linuxserver/homeassistant
description: Home Assistant Docker Image
- ESPHome:
- icon: si-esphome
href: https://esphome.io
description: ESPHome ESP32/ESP8266 Firmware
- icon: github.png
href: https://github.com/esphome/esphome
description: ESPHome GitHub
- icon: docker.png
href: https://hub.docker.com/r/esphome/esphome
description: ESPHome Docker Image
- Node-RED:
- icon: si-nodered
href: https://nodered.org
description: Node-RED Flow-based Programming
- icon: github.png
href: https://github.com/node-red/node-red
description: Node-RED GitHub
- icon: docker.png
href: https://hub.docker.com/r/nodered/node-red
description: Node-RED Docker Image
- Zigbee2MQTT:
- icon: si-zigbee2mqtt
href: https://www.zigbee2mqtt.io
description: Zigbee2MQTT Zigbee Bridge
- icon: github.png
href: https://github.com/Koenkk/zigbee2mqtt
description: Zigbee2MQTT GitHub
- icon: docker.png
href: https://hub.docker.com/r/koenkk/zigbee2mqtt
description: Zigbee2MQTT Docker Image
- MotionEye:
- icon: si-motioneye
href: https://github.com/motioneye-project/motioneye
description: MotionEye Video Surveillance
- icon: github.png
href: https://github.com/motioneye-project/motioneye
description: MotionEye GitHub
- icon: docker.png
href: https://hub.docker.com/r/linuxserver/motioneye
description: MotionEye Docker Image
- TasmoAdmin:
- icon: si-tasmota
href: https://github.com/reloxx13/TasmoAdmin
description: TasmoAdmin Tasmota Device Manager
- icon: github.png
href: https://github.com/reloxx13/TasmoAdmin
description: TasmoAdmin GitHub
- icon: docker.png
href: https://hub.docker.com/r/raymondmm/tasmoadmin
description: TasmoAdmin Docker Image
- Development & Utilities:
- Code Server:
- icon: si-visualstudiocode
href: https://github.com/coder/code-server
description: Code Server (VS Code in Browser)
- icon: github.png
href: https://github.com/coder/code-server
description: Code Server GitHub
- icon: docker.png
href: https://hub.docker.com/r/linuxserver/code-server
description: Code Server Docker Image
- Jupyter Lab:
- icon: si-jupyter
href: https://jupyter.org
description: Jupyter Lab Notebooks
- icon: github.png
href: https://github.com/jupyterlab/jupyterlab
description: Jupyter Lab GitHub
- icon: docker.png
href: https://hub.docker.com/r/linuxserver/jupyterlab
description: Jupyter Lab Docker Image
- Vaultwarden:
- icon: si-bitwarden
href: https://github.com/dani-garcia/vaultwarden
description: Vaultwarden Password Manager
- icon: github.png
href: https://github.com/dani-garcia/vaultwarden
description: Vaultwarden GitHub
- icon: docker.png
href: https://hub.docker.com/r/vaultwarden/server
description: Vaultwarden Docker Image
- Duplicati:
- icon: si-duplicati
href: https://www.duplicati.com
description: Duplicati Backup Solution
- icon: github.png
href: https://github.com/duplicati/duplicati
description: Duplicati GitHub
- icon: docker.png
href: https://hub.docker.com/r/linuxserver/duplicati
description: Duplicati Docker Image
- pgAdmin:
- icon: si-postgresql
href: https://www.pgadmin.org
description: pgAdmin PostgreSQL Management
- icon: github.png
href: https://github.com/pgadmin-org/pgadmin4
description: pgAdmin GitHub
- icon: docker.png
href: https://hub.docker.com/r/dpage/pgadmin4
description: pgAdmin Docker Image
- GitLab CE:
- icon: si-gitlab
href: https://about.gitlab.com
description: GitLab DevOps Platform
- icon: github.png
href: https://gitlab.com/gitlab-org/gitlab
description: GitLab GitHub
- icon: docker.png
href: https://hub.docker.com/r/gitlab/gitlab-ce
description: GitLab CE Docker Image
- Monitoring & Observability:
- Grafana:
- icon: si-grafana
href: https://grafana.com
description: Grafana Visualization Platform
- icon: github.png
href: https://github.com/grafana/grafana
description: Grafana GitHub
- icon: docker.png
href: https://hub.docker.com/r/grafana/grafana
description: Grafana Docker Image
- Prometheus:
- icon: si-prometheus
href: https://prometheus.io
description: Prometheus Metrics Collection
- icon: github.png
href: https://github.com/prometheus/prometheus
description: Prometheus GitHub
- icon: docker.png
href: https://hub.docker.com/r/prom/prometheus
description: Prometheus Docker Image
- Uptime Kuma:
- icon: si-uptimekuma
href: https://uptime.kuma.pet
description: Uptime Kuma Status Monitoring
- icon: github.png
href: https://github.com/louislam/uptime-kuma
description: Uptime Kuma GitHub
- icon: docker.png
href: https://hub.docker.com/r/louislam/uptime-kuma
description: Uptime Kuma Docker Image
- Glances:
- icon: si-glances
href: https://nicolargo.github.io/glances
description: Glances System Monitoring
- icon: github.png
href: https://github.com/nicolargo/glances
description: Glances GitHub
- icon: docker.png
href: https://hub.docker.com/r/linuxserver/glances
description: Glances Docker Image
- Dozzle:
- icon: si-dozzle
href: https://dozzle.dev
description: Dozzle Docker Log Viewer
- icon: github.png
href: https://github.com/amir20/dozzle
description: Dozzle GitHub
- icon: docker.png
href: https://hub.docker.com/r/amir20/dozzle
description: Dozzle Docker Image
- External Resources & Communities:
- Awesome Docker Compose:
- icon: docker.png
href: https://awesome-docker-compose.com
description: Curated Docker Compose Examples
- Servarr Wiki:
- icon: si-servarr
href: https://wiki.servarr.com
description: Servarr Applications Documentation
- Docker Compose Documentation:
- icon: docker.png
href: https://docs.docker.com/compose
description: Docker Compose Official Docs
- Let's Encrypt:
- icon: si-letsencrypt
href: https://letsencrypt.org
description: Free SSL Certificates
- Awesome Selfhosted:
- icon: si-awesome
href: https://awesome-selfhosted.net
description: Self-hosted Software List
- Homelab Wiki:
- icon: si-wikipedia
href: https://homelab.wiki
description: Homelab Community Wiki
- Reddit r/selfhosted:
- icon: si-reddit
href: https://reddit.com/r/selfhosted
description: Self-hosted Community
- Reddit r/homelab:
- icon: si-reddit
href: https://reddit.com/r/homelab
description: Homelab Community

31
config-templates/homepage/custom.css
View File

@@ -1,31 +0,0 @@
.information-widgets {
max-width: 1500px;
}
.services-group {
max-width: 250px;
}
#services {
margin: 0px;
}
.service {
height: 70px;
max-height: 80px;
margin-bottom: 0px;
margin-right: 3px;
}
#services #bookmarks {
margin: 0px 0px 0px 20px;
}
.text-sm {
font-size: 16px;
}
.bookmark-group {
min-width: 250px;
max-width: 250px;
}

18
config-templates/homepage/docker.yaml
View File

@@ -1,18 +0,0 @@
---
# For configuration options and examples, please see:
# https://gethomepage.dev/configs/docker/
# my-docker:
# host: 127.0.0.1
# port: 2375
# my-docker:
# socket: /var/run/docker.sock
# home-assistant:
# host: 192.168.4.5
# port: 2375
#${SERVER_HOSTNAME}:
# host: 192.168.4.11
# port: 2375

2
config-templates/homepage/kubernetes.yaml
View File

@@ -1,2 +0,0 @@
---
# sample kubernetes config

5
config-templates/homepage/proxmox.yaml
View File

@@ -1,5 +0,0 @@
---
# pve:
# url: https://proxmox.host.or.ip:8006
# token: username@pam!Token ID
# secret: secret

7
config-templates/homepage/settings.yaml
View File

@@ -1,7 +0,0 @@
---
# For configuration options and examples, please see:
# https://gethomepage.dev/configs/settings/
providers:
openweathermap: openweathermapapikey
weatherapi: weatherapiapikey

19
config-templates/homepage/widgets.yaml
View File

@@ -1,19 +0,0 @@
---
# For configuration options and examples, please see:
# https://gethomepage.dev/configs/info-widgets/
- resources:
cpu: true
memory: true
disk: /
- datetime:
text_size: xl
format:
dateStyle: long
timeStyle: short
hourCycle: h23
- greeting:
text_size: 4xl
text: EZ Homelab

399
config-templates/traefik/dynamic/local-host-production.yml
View File

@@ -1,399 +0,0 @@
http:
routers:
# Remote Server Services (${REMOTE_SERVER_HOSTNAME})
dockge-${REMOTE_SERVER_HOSTNAME}:
rule: "Host(`dockge.${REMOTE_SERVER_HOSTNAME}.${DOMAIN}`)"
entryPoints:
- websecure
service: dockge-${REMOTE_SERVER_HOSTNAME}
tls:
certResolver: letsencrypt
middlewares:
- authelia@docker
dozzle-${REMOTE_SERVER_HOSTNAME}:
rule: "Host(`dozzle.${REMOTE_SERVER_HOSTNAME}.${DOMAIN}`)"
entryPoints:
- websecure
service: dozzle-${REMOTE_SERVER_HOSTNAME}
tls:
certResolver: letsencrypt
middlewares:
- authelia@docker
glances-${REMOTE_SERVER_HOSTNAME}:
rule: "Host(`glances.${REMOTE_SERVER_HOSTNAME}.${DOMAIN}`)"
entryPoints:
- websecure
service: glances-${REMOTE_SERVER_HOSTNAME}
tls:
certResolver: letsencrypt
middlewares:
- authelia@docker
backrest-${REMOTE_SERVER_HOSTNAME}:
rule: "Host(`backrest.${REMOTE_SERVER_HOSTNAME}.${DOMAIN}`)"
entryPoints:
- websecure
service: backrest-${REMOTE_SERVER_HOSTNAME}
tls:
certResolver: letsencrypt
middlewares:
- authelia@docker
duplicati-${REMOTE_SERVER_HOSTNAME}:
rule: "Host(`duplicati.${REMOTE_SERVER_HOSTNAME}.${DOMAIN}`)"
entryPoints:
- websecure
service: duplicati-${REMOTE_SERVER_HOSTNAME}
tls:
certResolver: letsencrypt
middlewares:
- authelia@docker
homepage-${REMOTE_SERVER_HOSTNAME}:
rule: "Host(`homepage.${REMOTE_SERVER_HOSTNAME}.${DOMAIN}`)"
entryPoints:
- websecure
service: homepage-${REMOTE_SERVER_HOSTNAME}
tls:
certResolver: letsencrypt
middlewares:
- authelia@docker
homarr-${REMOTE_SERVER_HOSTNAME}:
rule: "Host(`homarr.${REMOTE_SERVER_HOSTNAME}.${DOMAIN}`)"
entryPoints:
- websecure
service: homarr-${REMOTE_SERVER_HOSTNAME}
tls:
certResolver: letsencrypt
middlewares:
- authelia@docker
grafana-${REMOTE_SERVER_HOSTNAME}:
rule: "Host(`grafana.${REMOTE_SERVER_HOSTNAME}.${DOMAIN}`)"
entryPoints:
- websecure
service: grafana-${REMOTE_SERVER_HOSTNAME}
tls:
certResolver: letsencrypt
middlewares:
- authelia@docker
prometheus-${REMOTE_SERVER_HOSTNAME}:
rule: "Host(`prometheus.${REMOTE_SERVER_HOSTNAME}.${DOMAIN}`)"
entryPoints:
- websecure
service: prometheus-${REMOTE_SERVER_HOSTNAME}
tls:
certResolver: letsencrypt
middlewares:
- authelia@docker
uptime-kuma-${REMOTE_SERVER_HOSTNAME}:
rule: "Host(`status.${REMOTE_SERVER_HOSTNAME}.${DOMAIN}`)"
entryPoints:
- websecure
service: uptime-kuma-${REMOTE_SERVER_HOSTNAME}
tls:
certResolver: letsencrypt
middlewares:
- authelia@docker
# Service Definitions
services:
backrest-${SERVER_HOSTNAME}:
loadBalancer:
servers:
- url: "http://${SERVER_IP}:9898"
passHostHeader: true
vaultwarden-${SERVER_HOSTNAME}:
loadBalancer:
servers:
- url: "http://${SERVER_IP}:8091"
passHostHeader: true
bookstack-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:6875"
passHostHeader: true
calibre-web-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:8083"
passHostHeader: true
code-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:8079"
passHostHeader: true
dockge-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:5001"
passHostHeader: true
dockhand-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:3003"
passHostHeader: true
dokuwiki-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:8087"
passHostHeader: true
dozzle-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:8085"
passHostHeader: true
duplicati-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:8200"
passHostHeader: true
ez-assistant-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:18789" # Internal IP of ${SERVER_HOSTNAME} server
passHostHeader: true
formio-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:3002"
passHostHeader: true
gitea-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:3010"
passHostHeader: true
glances-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:61208"
passHostHeader: true
homarr-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:7575"
passHostHeader: true
homepage-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:3000"
passHostHeader: true
jellyfin-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:8096"
passHostHeader: true
jupyter-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:8890"
passHostHeader: true
kopia-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:51515"
passHostHeader: true
mealie-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:9000"
passHostHeader: true
mediawiki-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:8086"
passHostHeader: true
motioneye-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:8081"
passHostHeader: true
nextcloud-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:8089"
passHostHeader: true
openkm-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:18080"
passHostHeader: true
openwebui-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:3000"
passHostHeader: true
qbittorrent-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:8081"
passHostHeader: true
tdarr-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:8265"
passHostHeader: true
unmanic-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:8889"
passHostHeader: true
wordpress-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:8088"
passHostHeader: true
# Arr Services
jellyseerr-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:5055"
passHostHeader: true
prowlarr-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:9696"
passHostHeader: true
radarr-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:7878"
passHostHeader: true
sonarr-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:8989"
passHostHeader: true
lidarr-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:8686"
passHostHeader: true
readarr-${SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${SERVER_IP}:8787"
passHostHeader: true
mylar3-${SERVER_HOSTNAME}:
loadBalancer:
servers:
- url: "http://${SERVER_IP}:8090"
passHostHeader: true
# Remote Server Service Definitions (${REMOTE_SERVER_HOSTNAME})
dockge-${REMOTE_SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${REMOTE_SERVER_IP}:5001"
passHostHeader: true
dozzle-${REMOTE_SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${REMOTE_SERVER_IP}:8085"
passHostHeader: true
glances-${REMOTE_SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${REMOTE_SERVER_IP}:61208"
passHostHeader: true
backrest-${REMOTE_SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${REMOTE_SERVER_IP}:9898"
passHostHeader: true
duplicati-${REMOTE_SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${REMOTE_SERVER_IP}:8200"
passHostHeader: true
homepage-${REMOTE_SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${REMOTE_SERVER_IP}:3000"
passHostHeader: true
homarr-${REMOTE_SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${REMOTE_SERVER_IP}:7575"
passHostHeader: true
grafana-${REMOTE_SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${REMOTE_SERVER_IP}:3000"
passHostHeader: true
prometheus-${REMOTE_SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${REMOTE_SERVER_IP}:9090"
passHostHeader: true
uptime-kuma-${REMOTE_SERVER_HOSTNAME}:
loadbalancer:
servers:
- url: "http://${REMOTE_SERVER_IP}:3001"
passHostHeader: true
# Middleware Definitions
middlewares:
ez-assistant-websocket:
headers:
accessControlAllowHeaders:
- "Connection"
- "Upgrade"
accessControlAllowMethods:
- "GET"
- "POST"
- "OPTIONS"
accessControlMaxAge: 86400

43
config-templates/traefik/traefik.yml
View File

@@ -1,43 +0,0 @@
# Traefik Static Configuration
# Copy to /opt/stacks/traefik/traefik.yml
experimental:
plugins:
sablier:
moduleName: github.com/sablierapp/sablier-traefik-plugin
version: v1.1.0
providers:
docker:
exposedByDefault: false
file:
directory: /dynamic
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
traefik:
address: ":8080"
certificatesResolvers:
letsencrypt:
acme:
dnsChallenge:
provider: duckdns
email: ${DEFAULT_EMAIL}
storage: /letsencrypt/acme.json
log:
level: DEBUG
accessLog:
format: json
api:
dashboard: true
insecure: true
ping:
manualRouting: true

19
docker-compose/README.md
View File

@@ -17,10 +17,23 @@ docker-compose/
├── nextcloud/ # Nextcloud stack
├── productivity/ # Productivity tools
├── utilities/ # Utility services
└── README.md # This file
```
## ⚠️ Important: Core Services First
## Usage
**Before deploying any other stacks, ensure the `core/` services are running:**
- **Traefik**: Reverse proxy and SSL termination
- **Authelia**: Single sign-on authentication
- **DuckDNS**: Dynamic DNS for domain resolution
These services provide the foundation for all other services. Most stacks depend on Traefik for routing and Authelia for authentication.
### Quick Start Core Services
```bash
cd core
cp .env.template .env # Edit with your values
cp docker-compose.yml.template docker-compose.yml # Or use the pre-configured version
docker compose up -d
```
### Starting Services

88
docker-compose/alternatives/docker-compose.yml
View File

@@ -1,8 +1,5 @@
# Alternative Services Stack
# This stack contains alternative/optional services that are not deployed by default
# Deploy manually through Dockge if you want to use these alternatives
# Place in /opt/stacks/alternatives/docker-compose.yml
# RESTART POLICY GUIDE:
# - unless-stopped: Core infrastructure services that should always run
# - no: Services with Sablier lazy loading (start on-demand)
@@ -10,8 +7,6 @@
services:
# Portainer - Docker management UI (Alternative to Dockge)
# Access at: https://portainer.${DOMAIN}
# NOTE: Dockge is the default Docker management UI. Deploy Portainer only if you prefer its interface
# Docker management interface should always run when deployed
portainer:
image: portainer/portainer-ce:2.19.4
@@ -21,7 +16,7 @@ services:
- homelab-network
- traefik-network
ports:
- "9000:9000"
- '9000:9000'
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- portainer-data:/data
@@ -31,14 +26,15 @@ services:
# TRAEFIK CONFIGURATION
# ==========================================
# Service metadata
- "homelab.category=alternatives"
- "homelab.description=Docker container management UI (Alternative to Dockge)"
- "traefik.enable=true"
- "traefik.http.routers.portainer.rule=Host(`portainer.${DOMAIN}`)"
- "traefik.http.routers.portainer.entrypoints=websecure"
- "traefik.http.routers.portainer.tls.certresolver=letsencrypt"
- "traefik.http.routers.portainer.middlewares=authelia@docker"
- "traefik.http.services.portainer.loadbalancer.server.port=9000"
- 'homelab.category=alternatives'
- 'homelab.description=Docker container management UI (Alternative to Dockge)'
- 'traefik.enable=true'
- 'traefik.docker.network=traefik-network'
- 'traefik.http.routers.portainer.rule=Host(`portainer.${DOMAIN}`)'
- 'traefik.http.routers.portainer.entrypoints=websecure'
- 'traefik.http.routers.portainer.tls.certresolver=letsencrypt'
- 'traefik.http.routers.portainer.middlewares=authelia@docker'
- 'traefik.http.services.portainer.loadbalancer.server.port=9000'
# Authentik - Alternative SSO/Identity Provider with Web UI
# Access at: https://authentik.${DOMAIN}
@@ -54,7 +50,7 @@ services:
- homelab-network
- traefik-network
ports:
- "9000:9000"
- '9000:9000'
volumes:
- /opt/stacks/authentik/media:/media
- /opt/stacks/authentik/custom-templates:/templates
@@ -70,14 +66,15 @@ services:
# TRAEFIK CONFIGURATION
# ==========================================
# Service metadata
- "homelab.category=alternatives"
- "homelab.description=SSO/Identity provider with web UI (Alternative to Authelia)"
- "traefik.enable=true"
- "traefik.http.routers.authentik.rule=Host(`authentik.${DOMAIN}`)"
- "traefik.http.routers.authentik.entrypoints=websecure"
- "traefik.http.routers.authentik.tls.certresolver=letsencrypt"
- "traefik.http.routers.authentik.middlewares=authelia@docker"
- "traefik.http.services.authentik.loadbalancer.server.port=9000"
- 'homelab.category=alternatives'
- 'homelab.description=SSO/Identity provider with web UI (Alternative to Authelia)'
- 'traefik.enable=true'
- 'traefik.docker.network=traefik-network'
- 'traefik.http.routers.authentik.rule=Host(`authentik.${DOMAIN}`)'
- 'traefik.http.routers.authentik.entrypoints=websecure'
- 'traefik.http.routers.authentik.tls.certresolver=letsencrypt'
- 'traefik.http.routers.authentik.middlewares=authelia@docker'
- 'traefik.http.services.authentik.loadbalancer.server.port=9000'
depends_on:
- authentik-db
- authentik-redis
@@ -107,8 +104,8 @@ services:
# TRAEFIK CONFIGURATION
# ==========================================
# Service metadata
- "homelab.category=alternatives"
- "homelab.description=Authentik background worker"
- 'homelab.category=alternatives'
- 'homelab.description=Authentik background worker'
depends_on:
- authentik-db
- authentik-redis
@@ -131,10 +128,10 @@ services:
# TRAEFIK CONFIGURATION
# ==========================================
# Service metadata
- "homelab.category=alternatives"
- "homelab.description=Authentik database"
- 'homelab.category=alternatives'
- 'homelab.description=Authentik database'
healthcheck:
test: ["CMD-SHELL", "pg_isready -U ${AUTHENTIK_DB_USER}"]
test: ['CMD-SHELL', 'pg_isready -U ${AUTHENTIK_DB_USER}']
interval: 10s
timeout: 5s
retries: 5
@@ -154,18 +151,16 @@ services:
# TRAEFIK CONFIGURATION
# ==========================================
# Service metadata
- "homelab.category=alternatives"
- "homelab.description=Authentik cache and messaging"
- 'homelab.category=alternatives'
- 'homelab.description=Authentik cache and messaging'
healthcheck:
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
test: ['CMD-SHELL', 'redis-cli ping | grep PONG']
interval: 10s
timeout: 3s
retries: 5
# Plex Media Server - Alternative to Jellyfin
# Access at: https://plex.yourdomain.duckdns.org
# NOTE: No Authelia - allows app access from Roku, Fire TV, mobile, etc.
# Media server should always run when deployed as alternative to Jellyfin
plex:
image: plexinc/pms-docker:1.40.0.7998-f68041501
container_name: plex
@@ -175,15 +170,15 @@ services:
- homelab-network
- traefik-network
ports:
- "32400:32400"
- '32400:32400'
volumes:
- ./plex/config:/config
- /mnt/media:/media:ro # Large media files on separate drive
- plex-transcode:/transcode
environment:
- PUID=${PUID}
- PGID=${PGID}
- TZ=${TZ}
- PUID=1000
- PGID=1000
- TZ=America/New_York
- PLEX_CLAIM=${PLEX_CLAIM}
# Hardware transcoding support
# Uncomment ONE of the following options:
@@ -207,16 +202,17 @@ services:
# TRAEFIK CONFIGURATION
# ==========================================
# Service metadata
- "homelab.category=alternatives"
- "homelab.description=Alternative media streaming server to Jellyfin"
- 'homelab.category=alternatives'
- 'homelab.description=Alternative media streaming server to Jellyfin'
# Traefik labels - NO Authelia for app access
- "traefik.enable=true"
- "traefik.http.routers.plex.rule=Host(`plex.${DOMAIN}`)"
- "traefik.http.routers.plex.entrypoints=websecure"
- "traefik.http.routers.plex.tls.certresolver=letsencrypt"
- "traefik.http.services.plex.loadbalancer.server.port=32400"
- "x-dockge.url=https://plex.${DOMAIN}"
- "x-dockge.url=https://plex.${DOMAIN}"
- 'traefik.enable=true'
- 'traefik.docker.network=traefik-network'
- 'traefik.http.routers.plex.rule=Host(`plex.${DOMAIN}`)'
- 'traefik.http.routers.plex.entrypoints=websecure'
- 'traefik.http.routers.plex.tls.certresolver=letsencrypt'
- 'traefik.http.services.plex.loadbalancer.server.port=32400'
- 'x-dockge.url=https://plex.${DOMAIN}'
- 'x-dockge.url=https://plex.${DOMAIN}'
volumes:
portainer-data:

171
docker-compose/core/README.md Normal file
View File

@@ -0,0 +1,171 @@
# Core Infrastructure Services
This directory contains the core infrastructure services that form the foundation of the homelab. These services should always be running and are critical for the operation of other services.
## Services
### Traefik (v3)
- **Purpose**: Reverse proxy and SSL termination
- **Ports**: 80 (HTTP), 443 (HTTPS), 8080 (Dashboard)
- **Configuration**: Located in `traefik/config/traefik.yml`
- **SSL**: Let's Encrypt with DNS-01 challenge (configurable provider)
- **Dashboard**: Available at configured domain
### Authelia (v4.37.5)
- **Purpose**: Single sign-on authentication service
- **Port**: 9091 (internal)
- **Access**: Configured authentication domain
- **Configuration**: Located in `authelia/config/`
- **Database**: SQLite database in `authelia/config/db.sqlite3`
### DuckDNS
- **Purpose**: Dynamic DNS service for domain resolution
- **Subdomain**: Configurable via environment variables
- **Token**: Configured in environment variables
## ⚠️ Version Pinning & Breaking Changes
### Authelia Version Pinning
**Current Version**: `authelia/authelia:4.37.5`
**Breaking Changes Identified**:
- Authelia v4.39.15+ has breaking configuration changes that are incompatible with the current setup
- Database schema changes may require migration or recreation
- Configuration file format changes may break existing setups
**Action Taken**:
- Pinned to v4.37.5 which is confirmed working
- Database recreated from scratch to ensure compatibility
- Configuration files verified and working
**Upgrade Path**:
- Test upgrades in a separate environment first
- Backup configuration and database before upgrading
- Check Authelia changelog for breaking changes
- Consider using Authelia's migration tools if available
### Traefik Version Pinning
**Current Version**: `traefik:v3`
**Notes**:
- Traefik v3 is stable and working with current configuration
- Configuration format is compatible
- No breaking changes identified in current setup
## Configuration Requirements
### File Structure
```
core/
├── docker-compose.yml # Main service definitions
├── .env # Environment variables
├── authelia/
│ └── config/
│ ├── configuration.yml # Authelia main config
│ ├── users_database.yml # User credentials
│ └── db.sqlite3 # SQLite database
└── traefik/
├── config/
│ └── traefik.yml # Traefik static config
├── dynamic/ # Dynamic configurations
│ ├── routes.yml
│ ├── sablier.yml
│ └── external-host-*.yml
└── letsencrypt/
└── acme.json # SSL certificates
```
### Environment Variables (.env)
```bash
# Required for proper operation
DUCKDNS_TOKEN=your_duckdns_token_here
DUCKDNS_SUBDOMAINS=your_subdomain
DOMAIN=yourdomain.duckdns.org
TZ=America/New_York
PUID=1000
PGID=1000
```
### Network Requirements
- Docker network: `traefik-network`
- External ports: 80, 443 must be accessible
- DNS resolution: Domain must point to server IP
## Deployment
### Prerequisites
1. Docker and Docker Compose installed
2. Ports 80/443 forwarded to server
3. DuckDNS account with valid token
4. Domain configured in DuckDNS
### Startup Order
1. `duckdns` - For DNS updates
2. `traefik` - Reverse proxy
3. `authelia` - Authentication service
### Commands
```bash
# Start all services
docker-compose up -d
# Check status
docker-compose ps
# View logs
docker-compose logs -f [service-name]
# Restart specific service
docker-compose restart [service-name]
```
## Troubleshooting
### Common Issues
1. **Connection Refused**: Check if Traefik config file is in correct location (`traefik/config/traefik.yml`)
2. **SSL Certificate Issues**: Verify DuckDNS token and domain configuration
3. **Authelia Login Issues**: Check database file exists and configuration is valid
4. **Service Not Starting**: Check Docker logs for error messages
### Backup Strategy
- Configuration files are backed up automatically (see backup directories)
- Database should be backed up regularly
- SSL certificates are stored in `letsencrypt/acme.json`
- Use `backup.sh` script for automated backups
## Security Notes
- Authelia provides authentication for protected services
- All external traffic goes through Traefik with SSL termination
- Internal services communicate via Docker networks
- Dashboard access is protected by Authelia middleware
## Maintenance
- Monitor SSL certificate expiration (Let's Encrypt auto-renews)
- Keep Authelia version pinned until tested upgrades are available
- Regularly backup configuration and database files
- Check logs for security issues or errors
- Run `./backup.sh` regularly to backup critical files
## Customization
### Domain Configuration
Update the following files with your domain:
- `docker-compose.yml`: Traefik labels and Authelia configuration
- `authelia/config/configuration.yml`: Domain settings
- `.env`: Domain environment variables
### SSL Certificate Provider
Modify `traefik/config/traefik.yml` to use different DNS providers:
```yaml
certificatesResolvers:
letsencrypt:
acme:
dnsChallenge:
provider: cloudflare # or other supported provider
```
### Adding New Services
1. Add service definition to `docker-compose.yml`
2. Configure Traefik labels for routing
3. Add middleware for authentication if needed
4. Update network configuration

31
config-templates/authelia/configuration.yml → docker-compose/core/authelia/config/configuration.yml
View File

@@ -11,18 +11,18 @@ log:
theme: dark
jwt_secret: ${AUTHELIA_JWT_SECRET}
jwt_secret: 4f263cdfa9929d007551fd5a5a6b552f7e17127cc4bb425b375a8532631d527b6b591a560a784552a33767699391973799e7472b679e7f94fcf4aca2ce5b2efc
default_redirection_url: https://auth.${DOMAIN}
default_redirection_url: https://auth.kelinreij.duckdns.org
totp:
issuer: ${DOMAIN}
issuer: kelinreij.duckdns.org
period: 30
skew: 1
authentication_backend:
file:
path: /config/users_database.yml
path: /secrets/users_database.yml
password:
algorithm: argon2id
iterations: 1
@@ -36,39 +36,34 @@ access_control:
rules:
# Bypass Authelia for Jellyfin (allow app access)
- domain: jellyfin.${DOMAIN}
- domain: jellyfin.kelinreij.duckdns.org
policy: bypass
# Bypass for Plex (allow app access)
- domain: plex.${DOMAIN}
- domain: plex.kelinreij.duckdns.org
policy: bypass
# Bypass for Home Assistant (has its own auth)
- domain: ha.${DOMAIN}
- domain: ha.kelinreij.duckdns.org
policy: bypass
# Protected: All other services require authentication
- domain: "*.${DOMAIN}"
- domain: "*.kelinreij.duckdns.org"
policy: one_factor
# Two-factor for admin services (optional)
# - domain:
# - "admin.${DOMAIN}"
# - "portainer.${DOMAIN}"
# - "admin.kelinreij.duckdns.org"
# - "portainer.kelinreij.duckdns.org"
# policy: two_factor
session:
name: authelia_session
secret: ${AUTHELIA_SESSION_SECRET}
secret: 3ba018547a24dfd49ae55f23b5b75377ec93f5957707e2a669b0a49966df745a5b062eee3f7356e0abae21452915bdd30a32f404ec0a2a7a957c93a2fa2a94c8
expiration: 24h # Session expires after 24 hours
inactivity: 24h # Session expires after 24 hours of inactivity
remember_me_duration: 1M
domain: ${DOMAIN}
cookies:
- name: authelia_session
domain: ${DOMAIN}
secure: true
same_site: lax
domain: kelinreij.duckdns.org
regulation:
max_retries: 3
@@ -76,7 +71,7 @@ regulation:
ban_time: 5m
storage:
encryption_key: ${AUTHELIA_STORAGE_ENCRYPTION_KEY}
encryption_key: dd23db430500eb630e469d5cf0f77dd597649bd4d1a90c02ad673286d8eb9aa8f55435655435d40033751003fc764a173944dbc3ad89d57330e185269792a4b7
local:
path: /config/db.sqlite3

0
docker-compose/core/authelia/configuration.yml → docker-compose/core/authelia/config/configuration.yml.template
View File

BIN
docker-compose/core/authelia/config/db.sqlite3 Normal file
View File

Binary file not shown.

0
config-templates/homepage/custom.js → docker-compose/core/authelia/config/notification.txt
View File

8
docker-compose/core/authelia/users_database.yml → docker-compose/core/authelia/config/users_database.yml
View File

@@ -3,10 +3,10 @@
###############################################################
users:
kelin:
displayname: "Admin User"
password: "$argon2id$v=19$m=65536,t=3,p=4$a+3pIrywP/li9wy9J6UkMA$+3THyJiAnS/gNYnLaYtlsRCaYfgnnxsUyGZ4D3xGnUg"
email: ${DEFAULT_EMAIL}
admin:
displayname: "admin"
password: "generate-with-openssl-rand-hex-64"
email: admin@example.com
groups:
- admins
- users

12
docker-compose/core/authelia/config/users_database.yml.template Normal file
View File

@@ -0,0 +1,12 @@
###############################################################
# Users Database #
###############################################################
users:
${AUTHELIA_ADMIN_USER}:
displayname: "${AUTHELIA_ADMIN_USER}"
password: "${AUTHELIA_ADMIN_PASSWORD_HASH}"
email: ${AUTHELIA_ADMIN_EMAIL}
groups:
- admins
- users

19
docker-compose/core/authelia/secrets/users_database.yml Normal file
View File

@@ -0,0 +1,19 @@
# yamllint disable rule:line-length
---
###############################################################
# Users Database #
###############################################################
# This file can be used if you do not have an LDAP set up.
users:
authelia:
disabled: false
displayname: "Test User"
password: "$argon2id$v=19$m=32768,t=1,p=8$eUhVT1dQa082YVk2VUhDMQ$E8QI4jHbUBt3EdsU1NFDu4Bq5jObKNx7nBKSn1EYQxk" # Password is 'authelia'
email: authelia@authelia.com
groups:
- admins
- dev
...
# yamllint enable rule:line-length

48
docker-compose/core/backup.sh Executable file
View File

@@ -0,0 +1,48 @@
#!/bin/bash
# Core Services Backup Script
# Run this script to backup critical configuration files and database
BACKUP_DIR="/opt/stacks/core/backups"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
BACKUP_NAME="core_backup_${TIMESTAMP}"
echo "Creating backup: ${BACKUP_NAME}"
# Create backup directory
mkdir -p "${BACKUP_DIR}/${BACKUP_NAME}"
# Backup Authelia configuration and database
echo "Backing up Authelia..."
cp -r /opt/stacks/core/authelia/config "${BACKUP_DIR}/${BACKUP_NAME}/"
# Backup Traefik configuration (excluding certificates for security)
echo "Backing up Traefik configuration..."
mkdir -p "${BACKUP_DIR}/${BACKUP_NAME}/traefik"
cp -r /opt/stacks/core/traefik/config "${BACKUP_DIR}/${BACKUP_NAME}/traefik/"
cp -r /opt/stacks/core/traefik/dynamic "${BACKUP_DIR}/${BACKUP_NAME}/traefik/"
# Note: letsencrypt/acme.json contains private keys - backup separately if needed
# Backup docker-compose.yml
echo "Backing up docker-compose.yml..."
cp /opt/stacks/core/docker-compose.yml "${BACKUP_DIR}/${BACKUP_NAME}/"
# Backup environment file (contains sensitive data - handle carefully)
echo "Backing up .env file..."
cp /opt/stacks/core/.env "${BACKUP_DIR}/${BACKUP_NAME}/"
# Create archive
echo "Creating compressed archive..."
cd "${BACKUP_DIR}"
tar -czf "${BACKUP_NAME}.tar.gz" "${BACKUP_NAME}"
# Cleanup uncompressed backup
rm -rf "${BACKUP_NAME}"
echo "Backup completed: ${BACKUP_DIR}/${BACKUP_NAME}.tar.gz"
echo "Backup size: $(du -h "${BACKUP_DIR}/${BACKUP_NAME}.tar.gz" | cut -f1)"
# Keep only last 10 backups
echo "Cleaning up old backups..."
ls -t "${BACKUP_DIR}"/*.tar.gz | tail -n +11 | xargs -r rm -f
echo "Backup script completed successfully"

58
docker-compose/core/deploy-core.sh Executable file
View File

@@ -0,0 +1,58 @@
#!/bin/bash
# Deploy core stack script
# Run from /opt/stacks/core/
set -e
# Source common functions
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_DIR="$HOME/EZ-Homelab"
source "$REPO_DIR/scripts/common.sh"
log_info "Deploying core stack..."
# Load environment
load_env_file_safely "$REPO_DIR/.env"
# Copy fresh templates
# cp "$REPO_DIR/docker-compose/core/authelia/secrets/users_database.yml" "./authelia/secrets/users_database.yml"
# Localize labels in compose file (only replaces variables in labels, not environment sections)
localize_compose_labels docker-compose.yml
# Localize config files - Process all YAML config files (excluding docker-compose.yml)
# This performs FULL variable replacement on config files like:
# - authelia/config/configuration.yml
# - authelia/config/users_database.yml <- HANDLED SPECIALLY to preserve password hashes
# - traefik/dynamic/*.yml
#
# Why exclude docker-compose.yml?
# - It was already processed above with localize_compose_labels (labels-only replacement)
# - Config files need full replacement (including nested variables) while compose labels
# should only have selective replacement to avoid Docker interpreting $ characters
#
# The localize_config_file function uses envsubst with recursive expansion to handle
# nested variables like ${AUTHELIA_ADMIN_PASSWORD_HASH} or ${SERVICE_NAME}.${DOMAIN}
# The localize_users_database_file function handles password hashes specially to avoid corruption
for config_file in $(find . -name "*.yml" -o -name "*.yaml" | grep -v docker-compose.yml); do
# Only process files that contain variables (have ${ in them)
if grep -q '\${' "$config_file"; then
if [[ "$config_file" == *"users_database.yml" ]]; then
localize_users_database_file "$config_file"
else
localize_config_file "$config_file"
fi
fi
done
# Deploy
run_cmd docker compose up -d
# Validate
if docker ps | grep -q traefik && docker ps | grep -q authelia; then
log_success "Core stack deployed successfully"
exit 0
else
log_error "Core stack deployment failed"
exit 1
fi

101
docker-compose/core/docker-compose.yml
View File

@@ -1,7 +1,4 @@
# Core Infrastructure Services
# These services form the foundation of the homelab and should always be running
# Place in /opt/stacks/core/docker-compose.yml
# RESTART POLICY GUIDE:
# - unless-stopped: Core infrastructure services that should always run
# - no: Services with Sablier lazy loading (start on-demand)
@@ -15,11 +12,11 @@ services:
container_name: duckdns
restart: unless-stopped
environment:
- PUID=${PUID}
- PGID=${PGID}
- TZ=${TZ}
- SUBDOMAINS=${DUCKDNS_SUBDOMAINS}
- TOKEN=${DUCKDNS_TOKEN}
- PUID=1000
- PGID=1000
- TZ=America/New_York
- SUBDOMAINS=yourdomain
- TOKEN=your-duckdns-token
volumes:
- ./duckdns/config:/config
networks:
@@ -30,9 +27,9 @@ services:
image: traefik:v3
container_name: traefik
restart: unless-stopped
command: ["--configFile=/config/traefik.yml"]
command: ['--configFile=/config/traefik.yml']
environment:
- DUCKDNS_TOKEN=${DUCKDNS_TOKEN}
- DUCKDNS_TOKEN=your-duckdns-token
ports:
- 80:80
- 443:443
@@ -48,17 +45,14 @@ services:
# TRAEFIK CONFIGURATION
# ==========================================
# Service metadata
- "homelab.category=core"
- "homelab.description=Reverse proxy and SSL termination"
# Traefik reverse proxy (comment/uncomment to disable/enable)
# If Traefik is on a remote server: these labels are NOT USED;
# configure external yml files in /traefik/dynamic folder instead.
- "traefik.enable=true"
- "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)"
- "traefik.http.routers.traefik.entrypoints=websecure"
- "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
- "traefik.http.routers.traefik.middlewares=authelia@docker"
- "traefik.http.services.traefik.loadbalancer.server.port=8080"
- 'homelab.category=core'
- 'homelab.description=Reverse proxy and SSL termination'
- 'traefik.enable=true'
- 'traefik.http.routers.traefik.rule=Host(`traefik.yourdomain.duckdns.org`)'
- 'traefik.http.routers.traefik.entrypoints=websecure'
- 'traefik.http.routers.traefik.tls.certresolver=letsencrypt'
- 'traefik.http.routers.traefik.middlewares=authelia@docker'
- 'traefik.http.services.traefik.loadbalancer.server.port=8080'
authelia:
# Single sign-on authentication service - must always run for user authentication
@@ -66,9 +60,9 @@ services:
container_name: authelia
restart: unless-stopped
environment:
- TZ=${TZ}
- TZ=America/New_York
ports:
- "9091:9091"
- '9091:9091'
volumes:
- ./authelia/config:/config
- ./authelia/secrets:/secrets
@@ -80,52 +74,21 @@ services:
# TRAEFIK CONFIGURATION
# ==========================================
# Service metadata
- "homelab.category=core"
- "homelab.description=Single sign-on authentication"
- 'homelab.category=core'
- 'homelab.description=Single sign-on authentication'
# Traefik reverse proxy (comment/uncomment to disable/enable)
# If Traefik is on a remote server: these labels are NOT USED;
# configure external yml files in /traefik/dynamic folder instead.
- "traefik.enable=true"
- "traefik.http.routers.authelia.rule=Host(`auth.${DOMAIN}`)"
- "traefik.http.routers.authelia.entrypoints=websecure"
- "traefik.http.routers.authelia.tls.certresolver=letsencrypt"
- "traefik.http.routers.authelia.service=authelia"
- "traefik.http.services.authelia.loadbalancer.server.port=9091"
- 'traefik.enable=true'
- 'traefik.http.routers.authelia.rule=Host(`auth.yourdomain.duckdns.org`)'
- 'traefik.http.routers.authelia.entrypoints=websecure'
- 'traefik.http.routers.authelia.tls.certresolver=letsencrypt'
- 'traefik.http.routers.authelia.service=authelia'
- 'traefik.http.services.authelia.loadbalancer.server.port=9091'
# Authelia forward auth middleware configuration
- "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.${DOMAIN}/"
- "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=X-Secret"
- "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
# Sablier - Lazy loading service for Docker containers
# Controls startup/shutdown of lazy-loaded services, must always run
# REQUIREMENTS FOR DOCKER API ACCESS:
# 1. Docker daemon must be configured to listen on TCP port 2376 with TLS
# 2. DOCKER_HOST environment variable must point to accessible Docker API endpoint
# 3. Firewall must allow TCP connections to Docker API port (2376)
# 4. TLS certificates must be mounted and environment variables set
# 5. Ensure dockerproxy service is running and accessible
sablier-service:
image: sablierapp/sablier:latest
container_name: sablier-service
restart: unless-stopped
networks:
- traefik-network
environment:
- SABLIER_PROVIDER=docker
- SABLIER_DOCKER_API_VERSION=1.51
- SABLIER_DOCKER_NETWORK=traefik-network
- SABLIER_LOG_LEVEL=debug
- DOCKER_HOST=tcp://${SERVER_IP}:2376
- DOCKER_TLS_VERIFY=1
- DOCKER_CERT_PATH=/certs
volumes:
- ./shared-ca:/certs:ro
ports:
- 10000:10000
labels:
# Service metadata
- "homelab.category=core"
- "homelab.description=Lazy loading service for Docker containers"
- 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.yourdomain.duckdns.org/'
- 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=X-Secret'
- 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
networks:
traefik-network:
@@ -133,7 +96,7 @@ networks:
x-dockge:
urls:
- https://auth.${DOMAIN}
- http://${SERVER_IP}:9091
- https://traefik.${DOMAIN}
- http://${SERVER_IP}:8080
- https://auth.yourdomain.duckdns.org
- http://192.168.1.100:9091
- https://traefik.yourdomain.duckdns.org
- http://192.168.1.100:8080

5
docker-compose/core/duckdns/config/logrotate.conf Normal file
View File

@@ -0,0 +1,5 @@
/config/duck.log {
rotate 5
size 100k
compress
}

16
docker-compose/core/traefik/acme.json
View File

@@ -1,16 +0,0 @@
{
"letsencrypt": {
"Account": {
"Email": "kelinfoxy@gmail.com",
"Registration": {
"body": {
"status": "valid"
},
"uri": "https://acme-v02.api.letsencrypt.org/acme/acct/2959423246"
},
"PrivateKey": "MIIJJwIBAAKCAgEAtmlI6xzuaJKm8y8lU2CkLsVEB5QEZx777DDUMH7I3kt2zpIBjWFOxp3u+IppzDqC8ih8+2tzkAzIjF34kb45tgKah+gwTPUg20IoqTyg5/YaN/Otnda7Ioo9CS24k6lZ21DDrReT616BIa45dvtxYld8SES0Qx9x+jDTL8os0y2taMn3bX/0OMIE8jerrkzTYpLZ5PLMxKZFvoDClkfs4wAX4VpLh9oN1H45BqzhFZqsuZ2RZSvt/H91QFJWz38FDS0sRNEX83revbNdXEtJIQs+r45nHXiX6ivvfwtCXeGx2+hluCg/QpESCpCYj/JReQ1r2CCbTsfcpqrtIS1/eoLdal+AhrxGM5OlU6yeyclLHNfcZDIJkM54tr+0bPkweMwdqjoXkXWtEyFYE0Ol1CYQek8wHZLof8YYHwoo/zrLAu05igzSOxcaGRO3Inu1cW3TEvQM7nn2KfnWWPdY+u/Is0H2MqodokbzC9xpmPZlEzrnfGkngtcDtTOSNALUbANbFv4Zu9qBj8VtHUz2AYzkMUF5BKyFf4TSRrELEvXz3dMWpWY1Esjft4XaaeYXUnMCemrzuYPjC+gWyHvfNHXzui0bs5fY914cc4Q318x6JX+R/gKCxUfscuiwDRR9ufIilQCHPDw/hIJtZ9dAHeF66JREwdUQBH2tyBP+hvMCAwEAAQKCAgARbNBS6WIa6jt5ipzpsJcugpijkq+y/CI7p1R1x36/wXy5cfgk/dEtJwQfiPVfVY2RvW1nBRY2ggocYpOutHnF2czSQ8ttZpM7br/8nraOQhOyGZyRseQRghwfhtcVf/199mKi49g1CUOTqJWDuLRVnR7Ztnpz2QqlyEk8TPdoOvpQQs7YjnsRevNHAitrzJn61iVregg2lt2du6Ya/gbyjl05oUsK0Lk2fdJLwXMFAdATMSqk/APRdYmJWfRCARPF9PVAI6tCjo+9lmdKPEThm7XixlsyVQVKEOVhgP1Xg4peg/5Hj8yvOrV6/eIdChxfUHlnXYIIjg4Ve8mIPFTrgS4fv1wwIe0+RcLiimkC0+jTPaAqnMY1xEDU8sisVvB7vU9UevnXIR6XHGkGwsxD1Ga48PW5LvtWHG1YfjfxPEU0cHESsGejgCMPl1WT6UPeOYNmKx1I1gQiOQKixJt4fHXghAPmLBZTPZFrmhyFVSRb/wpVY+J4t61s3fzinqjox8P9xDx6I9bLl/2SI5rQ55a2MrGtRK/0l1zQxTE1U+3qVDD8BV0mbkDrPTtUAvoyHSzAAiwQIIdksSNZzTK7fdDSc/T84WbvSd3dcC6n272g5vfAhOycLEetzdigMc9ht8cCjr16UyHL4Br2adWneAwOxBffTVfVKnuAxshDJQKCAQEAx1idLIRlEGBXSC9x8fwIdsbUtH6y5ajE/ahmQ6L2fV+6A8uvlx/0uhMUkyLIjg30zh0Cnb05Cirzqao7EXSYmMUT6HgctPqNGgk0EvsXLa5NffbhOnPWQNPUKbmEZBf1HdG4K3wOv1/ISQ3fitIVsPrD88/OD3TOafXJLCzeRe8rxnoQlKoztszOwJmE28TMBZTYkvRGQZM6FiqvXzJoJFPeudp+8j0yE78fQPbl1uXNq/p9U5xkYid5PIjturrznoL1fy5KLgxHWrSAJd6JqVvajnch8DdEmsGI9MSLDyRszWHhXp7BeG5tl/+aHHdNxkA4y/38lukCETfORIH3jwKCAQEA6kCTzxHTHVXfxTU4YtcLoAUai94U3wBKf5l9yZfY19P9ITcPijw+daXiYaGLaBUtubMXM+KkjSKq7qx1HNB5hBfbHnSLzt0aAxhOlqfVdRaOi6Fn0tmvOPOLuORjlSVLa4Rng/eRE6yFSjEZ79DTAKYREND2Xxnzfqb573wLro/aFY0IcnZyjm9dO33SF3qBoZPuCoI1yPd+cTGYA7lyKIeNqWemXgCtg/tsxmjADgo9JCVxfc/TtQB8dwHN5GN2pw2jA7MGkCSI43F3QvKlXNEF1OI0jZOxOAphpAAyfWxLUUDsUWmCaDcc7keCFsl+41RqOFVaPewF/SCaybLoXQKCAQAFyp1GXdJR13qxri8xSJE2YjBrzgKEiZKvi+Tssh9XJSDSW2iOi28guM0wOSJ6fg1Or6kTzBuMIBNUKo3sw+ZrCc66QkMTPvQ6fWn14zWZLicyMan5eMQQvha735fpEIkehKlFGiWTicTX2n9UGSZoLeDjhHYIHOyiR3HAxszuWzR6X7F7oDZAaVLYZZ1mhSEoSFrCajZgUVauri7KJTzBUW53F9H4V67MxBC0Ynfq9mIzTOO3OiPwdhUfnRrLAgNx53waZc3h6JlqGTRf5Uc6lGCVIwDpabGkjVrdQZiIqBZBIUba6OHWDd9BOzvO9+haiiMcShS8jahxt51WgDAhAoIBAD+Iuk4sSHUpaGLFd4CfUMDbAYMz/bcqDgqjp9E4hRCsp3gNxgI5Kruf/VF7jiLxs5AtObrR2s2IvJG1ZqIlDQA9tCmDdLPrlfWG7zG/XY6/SnQml9FBR1wL+jZwg23dSqJjq+vIBqouXYxs2tsHaWNAp1pHQrsyf683PIyuuUBkNcMomETrSVDGdaQAES5bBLO9Oo/RFyNltP6gc9l2v7asZUiwGxhd2LH2TF9X49crAcA/A5Qa/RGXiyp/68bpDzJp6W/Ea6BGuHXvvWgEBcOx0YIWxCguCZ/oeOkRQKBx8c+c6zt9gWggopEiBe+GQQsJRzH2PF6VGF66LCFOi+UCggEAFEoujlC54OZHcHnJYT9Jb7JU9K/3F7007g23YPrN4ATE+UPT/6Uiod4BCQ5tTauu6EjofHUjImk1NT9dmc+zCnFexsgfJXLbU83qfRunoDATlueWCRCTzeWMkAEwjReabNQrK7xT0Rk4rGKsH0p0SDmUSP5jnt+uctNSMfLZ/SykihuydGrtQOY/lh87Y4/MX4pY5L03ogleDPAXxWpd+ea+0l8fUz3EX+VtWlTVzSuDFPL5zEFxpZrZeDflR+vxhzCw/Taiyz5/K6kUzaRQxwJq6Wvqv9lgngtfHavauWHFtL2pNs6WySk93M0JVmVpTzItf+bObJTvXuZVt+HbPw==",
"KeyType": "4096"
},
"Certificates": null
}
}

4
config-templates/traefik/dynamic/external-host-homeassistant.yml → docker-compose/core/traefik/dynamic/external-host-homeassistant.yml
View File

@@ -2,7 +2,7 @@ http:
routers:
# Individual Services
homeassistant:
rule: "Host(`hass.${DOMAIN}`)"
rule: "Host(`hass.kelinreij.duckdns.org`)"
entryPoints:
- websecure
service: homeassistant
@@ -15,5 +15,5 @@ http:
homeassistant:
loadBalancer:
servers:
- url: "http://${HOMEASSISTANT_IP}:8123"
- url: "http://:8123"
passHostHeader: true

399
docker-compose/core/traefik/dynamic/local-host-production.yml Normal file
View File

@@ -0,0 +1,399 @@
http:
routers:
# Remote Server Services (your-remote-server)
dockge-your-remote-server:
rule: "Host(`dockge.your-remote-server.kelinreij.duckdns.org`)"
entryPoints:
- websecure
service: dockge-your-remote-server
tls:
certResolver: letsencrypt
middlewares:
- authelia@docker
dozzle-your-remote-server:
rule: "Host(`dozzle.your-remote-server.kelinreij.duckdns.org`)"
entryPoints:
- websecure
service: dozzle-your-remote-server
tls:
certResolver: letsencrypt
middlewares:
- authelia@docker
glances-your-remote-server:
rule: "Host(`glances.your-remote-server.kelinreij.duckdns.org`)"
entryPoints:
- websecure
service: glances-your-remote-server
tls:
certResolver: letsencrypt
middlewares:
- authelia@docker
backrest-your-remote-server:
rule: "Host(`backrest.your-remote-server.kelinreij.duckdns.org`)"
entryPoints:
- websecure
service: backrest-your-remote-server
tls:
certResolver: letsencrypt
middlewares:
- authelia@docker
duplicati-your-remote-server:
rule: "Host(`duplicati.your-remote-server.kelinreij.duckdns.org`)"
entryPoints:
- websecure
service: duplicati-your-remote-server
tls:
certResolver: letsencrypt
middlewares:
- authelia@docker
homepage-your-remote-server:
rule: "Host(`homepage.your-remote-server.kelinreij.duckdns.org`)"
entryPoints:
- websecure
service: homepage-your-remote-server
tls:
certResolver: letsencrypt
middlewares:
- authelia@docker
homarr-your-remote-server:
rule: "Host(`homarr.your-remote-server.kelinreij.duckdns.org`)"
entryPoints:
- websecure
service: homarr-your-remote-server
tls:
certResolver: letsencrypt
middlewares:
- authelia@docker
grafana-your-remote-server:
rule: "Host(`grafana.your-remote-server.kelinreij.duckdns.org`)"
entryPoints:
- websecure
service: grafana-your-remote-server
tls:
certResolver: letsencrypt
middlewares:
- authelia@docker
prometheus-your-remote-server:
rule: "Host(`prometheus.your-remote-server.kelinreij.duckdns.org`)"
entryPoints:
- websecure
service: prometheus-your-remote-server
tls:
certResolver: letsencrypt
middlewares:
- authelia@docker
uptime-kuma-your-remote-server:
rule: "Host(`status.your-remote-server.kelinreij.duckdns.org`)"
entryPoints:
- websecure
service: uptime-kuma-your-remote-server
tls:
certResolver: letsencrypt
middlewares:
- authelia@docker
# Service Definitions
services:
backrest-jasper:
loadBalancer:
servers:
- url: "http://192.168.4.4:9898"
passHostHeader: true
vaultwarden-jasper:
loadBalancer:
servers:
- url: "http://192.168.4.4:8091"
passHostHeader: true
bookstack-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:6875"
passHostHeader: true
calibre-web-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:8083"
passHostHeader: true
code-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:8079"
passHostHeader: true
dockge-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:5001"
passHostHeader: true
dockhand-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:3003"
passHostHeader: true
dokuwiki-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:8087"
passHostHeader: true
dozzle-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:8085"
passHostHeader: true
duplicati-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:8200"
passHostHeader: true
ez-assistant-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:18789" # Internal IP of jasper server
passHostHeader: true
formio-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:3002"
passHostHeader: true
gitea-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:3010"
passHostHeader: true
glances-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:61208"
passHostHeader: true
homarr-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:7575"
passHostHeader: true
homepage-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:3000"
passHostHeader: true
jellyfin-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:8096"
passHostHeader: true
jupyter-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:8890"
passHostHeader: true
kopia-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:51515"
passHostHeader: true
mealie-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:9000"
passHostHeader: true
mediawiki-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:8086"
passHostHeader: true
motioneye-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:8081"
passHostHeader: true
nextcloud-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:8089"
passHostHeader: true
openkm-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:18080"
passHostHeader: true
openwebui-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:3000"
passHostHeader: true
qbittorrent-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:8081"
passHostHeader: true
tdarr-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:8265"
passHostHeader: true
unmanic-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:8889"
passHostHeader: true
wordpress-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:8088"
passHostHeader: true
# Arr Services
jellyseerr-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:5055"
passHostHeader: true
prowlarr-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:9696"
passHostHeader: true
radarr-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:7878"
passHostHeader: true
sonarr-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:8989"
passHostHeader: true
lidarr-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:8686"
passHostHeader: true
readarr-jasper:
loadbalancer:
servers:
- url: "http://192.168.4.4:8787"
passHostHeader: true
mylar3-jasper:
loadBalancer:
servers:
- url: "http://192.168.4.4:8090"
passHostHeader: true
# Remote Server Service Definitions (your-remote-server)
dockge-your-remote-server:
loadbalancer:
servers:
- url: "http://your.remote.ip.address:5001"
passHostHeader: true
dozzle-your-remote-server:
loadbalancer:
servers:
- url: "http://your.remote.ip.address:8085"
passHostHeader: true
glances-your-remote-server:
loadbalancer:
servers:
- url: "http://your.remote.ip.address:61208"
passHostHeader: true
backrest-your-remote-server:
loadbalancer:
servers:
- url: "http://your.remote.ip.address:9898"
passHostHeader: true
duplicati-your-remote-server:
loadbalancer:
servers:
- url: "http://your.remote.ip.address:8200"
passHostHeader: true
homepage-your-remote-server:
loadbalancer:
servers:
- url: "http://your.remote.ip.address:3000"
passHostHeader: true
homarr-your-remote-server:
loadbalancer:
servers:
- url: "http://your.remote.ip.address:7575"
passHostHeader: true
grafana-your-remote-server:
loadbalancer:
servers:
- url: "http://your.remote.ip.address:3000"
passHostHeader: true
prometheus-your-remote-server:
loadbalancer:
servers:
- url: "http://your.remote.ip.address:9090"
passHostHeader: true
uptime-kuma-your-remote-server:
loadbalancer:
servers:
- url: "http://your.remote.ip.address:3001"
passHostHeader: true
# Middleware Definitions
middlewares:
ez-assistant-websocket:
headers:
accessControlAllowHeaders:
- "Connection"
- "Upgrade"
accessControlAllowMethods:
- "GET"
- "POST"
- "OPTIONS"
accessControlMaxAge: 86400

0
config-templates/traefik/dynamic/routes.yml → docker-compose/core/traefik/dynamic/routes.yml
View File

172
config-templates/traefik/dynamic/sablier.yml → docker-compose/core/traefik/dynamic/sablier.yml
View File

@@ -3,16 +3,16 @@ http:
middlewares:
authelia:
forwardauth:
address: http://authelia:9091/api/verify?rd=https://auth.${DOMAIN}/
address: http://authelia:9091/api/verify?rd=https://auth.kelinreij.duckdns.org/
authResponseHeaders:
- X-Secret
trustForwardHeader: true
sablier-${SERVER_HOSTNAME}-arr:
sablier-jasper-arr:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${SERVER_HOSTNAME}-arr
group: jasper-arr
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
@@ -20,11 +20,11 @@ http:
theme: ghost
show-details-by-default: true
sablier-${SERVER_HOSTNAME}-backrest:
sablier-jasper-backrest:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${SERVER_HOSTNAME}-backrest
group: jasper-backrest
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
@@ -32,11 +32,11 @@ http:
theme: ghost
show-details-by-default: true
sablier-${SERVER_HOSTNAME}-vaultwarden:
sablier-jasper-vaultwarden:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${SERVER_HOSTNAME}-vaultwarden
group: jasper-vaultwarden
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
@@ -44,11 +44,11 @@ http:
theme: ghost
show-details-by-default: true
sablier-${SERVER_HOSTNAME}-bookstack:
sablier-jasper-bookstack:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${SERVER_HOSTNAME}-bookstack
group: jasper-bookstack
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
@@ -56,11 +56,11 @@ http:
theme: ghost
show-details-by-default: true
sablier-${SERVER_HOSTNAME}-calibre-web:
sablier-jasper-calibre-web:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${SERVER_HOSTNAME}-calibre-web
group: jasper-calibre-web
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
@@ -68,11 +68,11 @@ http:
theme: ghost
show-details-by-default: true
sablier-${SERVER_HOSTNAME}-code-server:
sablier-jasper-code-server:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${SERVER_HOSTNAME}-code-server
group: jasper-code-server
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
@@ -80,11 +80,11 @@ http:
theme: ghost
show-details-by-default: true
sablier-${SERVER_HOSTNAME}-dozzle:
sablier-jasper-dozzle:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${SERVER_HOSTNAME}-dozzle
group: jasper-dozzle
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
@@ -92,11 +92,11 @@ http:
theme: ghost
show-details-by-default: true
sablier-${SERVER_HOSTNAME}-dokuwiki:
sablier-jasper-dokuwiki:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${SERVER_HOSTNAME}-dokuwiki
group: jasper-dokuwiki
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
@@ -104,11 +104,11 @@ http:
theme: ghost
show-details-by-default: true
sablier-${SERVER_HOSTNAME}-duplicati:
sablier-jasper-duplicati:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${SERVER_HOSTNAME}-duplicati
group: jasper-duplicati
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
@@ -116,11 +116,11 @@ http:
theme: ghost
show-details-by-default: true
sablier-${SERVER_HOSTNAME}-assistant:
sablier-jasper-assistant:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${SERVER_HOSTNAME}-assistant
group: jasper-assistant
sessionDuration: 30m
ignoreUserAgent: curl
dynamic:
@@ -128,11 +128,11 @@ http:
theme: ghost
show-details-by-default: true
sablier-${SERVER_HOSTNAME}-formio:
sablier-jasper-formio:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${SERVER_HOSTNAME}-formio
group: jasper-formio
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
@@ -140,11 +140,11 @@ http:
theme: ghost
show-details-by-default: true
sablier-${SERVER_HOSTNAME}-gitea:
sablier-jasper-gitea:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${SERVER_HOSTNAME}-gitea
group: jasper-gitea
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
@@ -152,11 +152,11 @@ http:
theme: ghost
show-details-by-default: true
sablier-${SERVER_HOSTNAME}-glances:
sablier-jasper-glances:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${SERVER_HOSTNAME}-glances
group: jasper-glances
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
@@ -164,11 +164,11 @@ http:
theme: ghost
show-details-by-default: true
sablier-${SERVER_HOSTNAME}-homarr:
sablier-jasper-homarr:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${SERVER_HOSTNAME}-homarr
group: jasper-homarr
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
@@ -176,11 +176,11 @@ http:
theme: ghost
show-details-by-default: true
sablier-${SERVER_HOSTNAME}-jellyfin:
sablier-jasper-jellyfin:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${SERVER_HOSTNAME}-jellyfin
group: jasper-jellyfin
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
@@ -188,11 +188,11 @@ http:
theme: ghost
show-details-by-default: true
sablier-${SERVER_HOSTNAME}-jupyter:
sablier-jasper-jupyter:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${SERVER_HOSTNAME}-jupyter
group: jasper-jupyter
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
@@ -200,11 +200,11 @@ http:
theme: ghost
show-details-by-default: true
sablier-${SERVER_HOSTNAME}-komodo:
sablier-jasper-komodo:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${SERVER_HOSTNAME}-komodo
group: jasper-komodo
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
@@ -212,11 +212,11 @@ http:
theme: ghost
show-details-by-default: true
sablier-${SERVER_HOSTNAME}-kopia:
sablier-jasper-kopia:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${SERVER_HOSTNAME}-kopia
group: jasper-kopia
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
@@ -224,11 +224,11 @@ http:
theme: ghost
show-details-by-default: true
sablier-${SERVER_HOSTNAME}-mealie:
sablier-jasper-mealie:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${SERVER_HOSTNAME}-mealie
group: jasper-mealie
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
@@ -236,11 +236,11 @@ http:
theme: ghost
show-details-by-default: true
sablier-${SERVER_HOSTNAME}-mediawiki:
sablier-jasper-mediawiki:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${SERVER_HOSTNAME}-mediawiki
group: jasper-mediawiki
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
@@ -248,11 +248,11 @@ http:
theme: ghost
show-details-by-default: true
sablier-${SERVER_HOSTNAME}-nextcloud:
sablier-jasper-nextcloud:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${SERVER_HOSTNAME}-nextcloud
group: jasper-nextcloud
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
@@ -260,11 +260,11 @@ http:
theme: ghost
show-details-by-default: true
sablier-${SERVER_HOSTNAME}-openkm:
sablier-jasper-openkm:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${SERVER_HOSTNAME}-openkm
group: jasper-openkm
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
@@ -272,11 +272,11 @@ http:
theme: ghost
show-details-by-default: true
sablier-${SERVER_HOSTNAME}-openwebui:
sablier-jasper-openwebui:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${SERVER_HOSTNAME}-openwebui
group: jasper-openwebui
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
@@ -284,11 +284,11 @@ http:
theme: ghost
show-details-by-default: true
sablier-${SERVER_HOSTNAME}-pulse:
sablier-jasper-pulse:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${SERVER_HOSTNAME}-pulse
group: jasper-pulse
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
@@ -296,11 +296,11 @@ http:
theme: ghost
show-details-by-default: true
sablier-${SERVER_HOSTNAME}-tdarr:
sablier-jasper-tdarr:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${SERVER_HOSTNAME}-tdarr
group: jasper-tdarr
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
@@ -308,11 +308,11 @@ http:
theme: ghost
show-details-by-default: true
sablier-${SERVER_HOSTNAME}-unmanic:
sablier-jasper-unmanic:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${SERVER_HOSTNAME}-unmanic
group: jasper-unmanic
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
@@ -320,11 +320,11 @@ http:
theme: ghost
show-details-by-default: true
sablier-${SERVER_HOSTNAME}-wordpress:
sablier-jasper-wordpress:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${SERVER_HOSTNAME}-wordpress
group: jasper-wordpress
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
@@ -332,123 +332,123 @@ http:
theme: ghost
show-details-by-default: true
# Remote Server (${REMOTE_SERVER_HOSTNAME}) Sablier Middlewares
sablier-${REMOTE_SERVER_HOSTNAME}-dockge:
# Remote Server (your-remote-server) Sablier Middlewares
sablier-your-remote-server-dockge:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${REMOTE_SERVER_HOSTNAME}-dockge
group: your-remote-server-dockge
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
displayName: Dockge (${REMOTE_SERVER_HOSTNAME})
displayName: Dockge (your-remote-server)
theme: ghost
show-details-by-default: true
sablier-${REMOTE_SERVER_HOSTNAME}-dozzle:
sablier-your-remote-server-dozzle:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${REMOTE_SERVER_HOSTNAME}-dozzle
group: your-remote-server-dozzle
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
displayName: Dozzle (${REMOTE_SERVER_HOSTNAME})
displayName: Dozzle (your-remote-server)
theme: ghost
show-details-by-default: true
sablier-${REMOTE_SERVER_HOSTNAME}-glances:
sablier-your-remote-server-glances:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${REMOTE_SERVER_HOSTNAME}-glances
group: your-remote-server-glances
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
displayName: Glances (${REMOTE_SERVER_HOSTNAME})
displayName: Glances (your-remote-server)
theme: ghost
show-details-by-default: true
sablier-${REMOTE_SERVER_HOSTNAME}-backrest:
sablier-your-remote-server-backrest:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${REMOTE_SERVER_HOSTNAME}-backrest
group: your-remote-server-backrest
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
displayName: Backrest (${REMOTE_SERVER_HOSTNAME})
displayName: Backrest (your-remote-server)
theme: ghost
show-details-by-default: true
sablier-${REMOTE_SERVER_HOSTNAME}-duplicati:
sablier-your-remote-server-duplicati:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${REMOTE_SERVER_HOSTNAME}-duplicati
group: your-remote-server-duplicati
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
displayName: Duplicati (${REMOTE_SERVER_HOSTNAME})
displayName: Duplicati (your-remote-server)
theme: ghost
show-details-by-default: true
sablier-${REMOTE_SERVER_HOSTNAME}-homepage:
sablier-your-remote-server-homepage:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${REMOTE_SERVER_HOSTNAME}-homepage
group: your-remote-server-homepage
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
displayName: Homepage (${REMOTE_SERVER_HOSTNAME})
displayName: Homepage (your-remote-server)
theme: ghost
show-details-by-default: true
sablier-${REMOTE_SERVER_HOSTNAME}-homarr:
sablier-your-remote-server-homarr:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${REMOTE_SERVER_HOSTNAME}-homarr
group: your-remote-server-homarr
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
displayName: Homarr (${REMOTE_SERVER_HOSTNAME})
displayName: Homarr (your-remote-server)
theme: ghost
show-details-by-default: true
sablier-${REMOTE_SERVER_HOSTNAME}-grafana:
sablier-your-remote-server-grafana:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${REMOTE_SERVER_HOSTNAME}-grafana
group: your-remote-server-grafana
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
displayName: Grafana (${REMOTE_SERVER_HOSTNAME})
displayName: Grafana (your-remote-server)
theme: ghost
show-details-by-default: true
sablier-${REMOTE_SERVER_HOSTNAME}-prometheus:
sablier-your-remote-server-prometheus:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${REMOTE_SERVER_HOSTNAME}-prometheus
group: your-remote-server-prometheus
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
displayName: Prometheus (${REMOTE_SERVER_HOSTNAME})
displayName: Prometheus (your-remote-server)
theme: ghost
show-details-by-default: true
sablier-${REMOTE_SERVER_HOSTNAME}-uptime-kuma:
sablier-your-remote-server-uptime-kuma:
plugin:
sablier:
sablierUrl: http://sablier-service:10000
group: ${REMOTE_SERVER_HOSTNAME}-uptime-kuma
group: your-remote-server-uptime-kuma
sessionDuration: 5m
ignoreUserAgent: curl
dynamic:
displayName: Uptime Kuma (${REMOTE_SERVER_HOSTNAME})
displayName: Uptime Kuma (your-remote-server)
theme: ghost
show-details-by-default: true

6
docker-compose/core/traefik/traefik.yml
View File

@@ -27,9 +27,9 @@ entryPoints:
certificatesResolvers:
letsencrypt:
acme:
email: kelinfoxy@gmail.com # Will be replaced by deploy script
caServer: https://acme-staging-v02.api.letsencrypt.org/directory
storage: /acme.json
email: admin@example.com # Your email for Let's Encrypt notifications
caServer: https://acme-v02.api.letsencrypt.org/directory # Use staging for testing
storage: /letsencrypt/acme.json
# DNS challenge - For wildcard certificates (*.yourdomain.duckdns.org)
# Works with DuckDNS - requires DUCKDNS_TOKEN in environment
dnsChallenge:

35
docker-compose/dashboards/deploy-dashboards.sh Executable file
View File

@@ -0,0 +1,35 @@
#!/bin/bash
# Deploy dashboards stack script
# Run from /opt/stacks/dashboards/
set -e
# Source common functions
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_DIR="/home/kelin/EZ-Homelab" # Fixed repo path since script runs from /opt/stacks/dashboards
source "$REPO_DIR/scripts/common.sh"
log_info "Deploying dashboards stack..."
# Load environment
load_env_file_safely .env
# Localize labels in compose file
localize_compose_labels docker-compose.yml
# Localize config files
for config_file in $(find . -name "*.yml" -o -name "*.yaml" | grep -v docker-compose.yml); do
localize_config_file "$config_file"
done
# Deploy
run_cmd docker compose up -d
# Validate
if docker ps | grep -q homepage; then
log_success "Dashboards stack deployed successfully"
exit 0
else
log_error "Dashboards stack deployment failed"
exit 1
fi

76
docker-compose/dashboards/docker-compose.yml
View File

@@ -1,11 +1,9 @@
# Dashboard Services
# Homepage and Homarr for homelab dashboards
# SABLIER SESSION DURATION: Set to 5m for testing. Increase to 30m for production in config-templates/traefik/dynamic/sablier.yml
# Service Access URLs:
# - Homepage: https://homepage.${DOMAIN}
# - Homarr: https://homarr.${DOMAIN}
# RESTART POLICY GUIDE:
# - unless-stopped: Core infrastructure services that should always run
# - no: Services with Sablier lazy loading (start on-demand)
# - See individual service comments for specific reasoning
services:
# Homepage - Default Application Dashboard
@@ -26,41 +24,41 @@ services:
- homelab-network
- traefik-network
ports:
- "3003:3000"
- '3003:3000'
volumes:
- ./homepage:/app/config
- /var/run/docker.sock:/var/run/docker.sock # For Docker integration do not mount RO
- /opt/stacks:/opt/stacks # To discover other stacks
environment:
- PUID=995 # Must be set to the docker user ID
- PGID=995 # Must be set to the docker group ID
- PUID=${PUID} # Must be set to the docker user ID
- PGID=${PGID} # Must be set to the docker group ID
- TZ=${TZ}
- HOMEPAGE_ALLOWED_HOSTS=homepage.${DOMAIN}
- HOMEPAGE_ALLOWED_HOSTS=${HOMEPAGE_ALLOWED_HOSTS}
labels:
# TRAEFIK CONFIGURATION
# ==========================================
# Service metadata
- "homelab.category=dashboard"
- "homelab.description=Application dashboard"
- 'homelab.category=dashboard'
- 'homelab.description=Application dashboard'
# Traefik reverse proxy (comment/uncomment to disable/enable)
# IMPORTANT: On REMOTE SERVERS (where Traefik runs elsewhere):
# - COMMENT OUT all traefik.* labels below (don't delete them)
# - Routes are configured via external YAML files on the core server
# - This prevents conflicts between Docker labels and file provider
- "traefik.enable=true"
- "traefik.http.routers.homepage.rule=Host(`homepage.${DOMAIN}`)"
- "traefik.http.routers.homepage.entrypoints=websecure"
- "traefik.http.routers.homepage.tls=true"
- "traefik.http.routers.homepage.middlewares=authelia@docker"
- "traefik.http.services.homepage.loadbalancer.server.port=3003"
- 'traefik.enable=true'
- 'traefik.docker.network=traefik-network'
- 'traefik.http.routers.homepage.rule=Host(`homepage.${DOMAIN}`)'
- 'traefik.http.routers.homepage.entrypoints=websecure'
- 'traefik.http.routers.homepage.tls=true'
- 'traefik.http.routers.homepage.middlewares=authelia@docker'
- 'traefik.http.services.homepage.loadbalancer.server.port=3000'
# Sablier lazy loading (disabled by default - uncomment to enable)
# - "sablier.enable=true"
# - "sablier.group=${SERVER_HOSTNAME}-homarr"
# - "sablier.start-on-demand=true"
# - 'sablier.enable=true'
# - 'sablier.group=jasper-homarr'
# - 'sablier.start-on-demand=true'
# Homarr - Modern dashboard
# Uses Sablier lazy loading - starts on-demand, stops after 5min inactivity
homarr:
image: ghcr.io/ajnart/homarr:latest
deploy:
@@ -78,16 +76,16 @@ services:
- homelab-network
- traefik-network
ports:
- "7575:7575"
- '7575:7575'
volumes:
- ./homarr/config:/app/config/configs
- ./homarr/data:/data
- ./homarr/icons:/app/public/icons
- /var/run/docker.sock:/var/run/docker.sock
environment:
- TZ=${TZ}
- TZ=America/New_York
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:7575/"]
test: ['CMD', 'curl', '-f', 'http://localhost:7575/']
interval: 30s
timeout: 10s
retries: 3
@@ -95,30 +93,30 @@ services:
labels:
# TRAEFIK CONFIGURATION
# Service metadata
- "com.centurylinklabs.watchtower.enable=true"
- "homelab.category=dashboard"
- "homelab.description=Modern homelab dashboard"
- "traefik.enable=true"
- 'com.centurylinklabs.watchtower.enable=true'
- 'homelab.category=dashboard'
- 'homelab.description=Modern homelab dashboard'
- 'traefik.enable=true'
# Router configuration
- "traefik.http.routers.homarr.rule=Host(`homarr.${DOMAIN}`)"
- "traefik.http.routers.homarr.entrypoints=websecure"
- "traefik.http.routers.homarr.tls=true"
- "traefik.http.routers.homarr.middlewares=authelia@docker"
- 'traefik.http.routers.homarr.rule=Host(`homarr.${DOMAIN}`)'
- 'traefik.http.routers.homarr.entrypoints=websecure'
- 'traefik.http.routers.homarr.tls=true'
- 'traefik.http.routers.homarr.middlewares=authelia@docker'
# Service configuration
- "traefik.http.services.homarr.loadbalancer.server.port=7575"
- 'traefik.http.services.homarr.loadbalancer.server.port=7575'
# Sablier configuration
- "sablier.enable=true"
- "sablier.group=${SERVER_HOSTNAME}-homarr"
- "sablier.start-on-demand=true"
- 'sablier.enable=true'
- 'sablier.group=jasper-homarr'
- 'sablier.start-on-demand=true'
# DOCKGE URL CONFIGURATION
x-dockge:
urls:
# Proxied URLs (through Traefik)
- https://homepage.${DOMAIN}
- https://${SERVER_IP}:3003
- https://192.168.4.4:3003
- https://homarr.${DOMAIN}
- https://${SERVER_IP}:7575
- https://192.168.4.4:7575
networks:
homelab-network:

Some files were not shown because too many files have changed in this diff Show More