add docker stacks

Authentik/docker-compose.yaml

@@ -0,0 +1,104 @@
+---
+version: "3.4"
+
+services:
+  postgresql:
+    image: docker.io/library/postgres:12-alpine
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    volumes:
+      - database:/var/lib/postgresql/data
+    environment:
+      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
+      POSTGRES_USER: ${PG_USER:-authentik}
+      POSTGRES_DB: ${PG_DB:-authentik}
+    env_file:
+      - stack.env
+  redis:
+    image: docker.io/library/redis:alpine
+    command: --save 60 1 --loglevel warning
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 3s
+    volumes:
+      - redis:/data
+  server:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.7}
+    restart: unless-stopped
+    command: server
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+    volumes:
+      - ./media:/media
+      - ./custom-templates:/templates
+    env_file:
+      - stack.env
+    ports:
+      - "${AUTHENTIK_PORT_HTTP}:9000"
+      - "${AUTHENTIK_PORT_HTTPS}:9443"
+    depends_on:
+      - postgresql
+      - redis
+    labels:
+      - traefik.enable=true
+
+      # HTTP redirection to HTTPS
+      - traefik.http.routers.authentik.entrypoints=web
+      - traefik.http.routers.authentik.rule=Host(`${AUTHENTIK_URL}`)
+      - traefik.http.middlewares.authentik-https-redirect.redirectscheme.scheme=https
+      - traefik.http.routers.authentik.middlewares=authentik-https-redirect
+
+      # HTTPS config
+      - traefik.http.routers.authentik-secure.entrypoints=websecure
+      - traefik.http.routers.authentik-secure.rule=Host(`${AUTHENTIK_URL}`)
+      - traefik.http.routers.authentik-secure.tls=true
+      - traefik.http.routers.authentik-secure.tls.certresolver=myresolver
+      - traefik.http.services.authentik-secure.loadbalancer.server.port=9000
+      
+      - traefik.docker.network=proxy
+  worker:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.7}
+    restart: unless-stopped
+    command: worker
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+    # `user: root` and the docker socket volume are optional.
+    # See more for the docker socket integration here:
+    # https://goauthentik.io/docs/outposts/integrations/docker
+    # Removing `user: root` also prevents the worker from fixing the permissions
+    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
+    # (1000:1000 by default)
+    user: root
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./media:/media
+      - ./certs:/certs
+      - ./custom-templates:/templates
+    env_file:
+      - stack.env
+    depends_on:
+      - postgresql
+      - redis
+
+volumes:
+  database:
+    driver: local
+  redis:
+    driver: local

Authentik/stack.env

@@ -0,0 +1,7 @@
+PG_PASS=YOUR_VERY_LONG_DB_PASSWORD
+AUTHENTIK_SECRET_KEY=YOUR_VERY_LONG_SECRET_KEY
+AUTHENTIK_ERROR_REPORTING__ENABLED=true
+AUTHENTIK_PORT_HTTP=9000
+AUTHENTIK_PORT_HTTPS=9443
+
+AUTHENTIK_URL=auth.example.com

Gitea/docker-compose.yaml

@@ -0,0 +1,54 @@
+version: "3"
+
+services:
+  server:
+    image: gitea/gitea:1.21.4
+    container_name: gitea
+    restart: always
+    networks:
+      - gitea
+      - backend
+    env_file:
+      - stack.env
+    volumes:
+      - ${GITEA_DIR}:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - ${GITEA_PORT_HTTP}:3000
+      - ${GITEA_PORT_SSH}:22
+    depends_on:
+      - db
+    labels:
+      - traefik.enable=true
+
+      # HTTP redirection to HTTPS
+      - traefik.http.routers.gitea.entrypoints=web
+      - traefik.http.routers.gitea.rule=Host(`${GITEA_URL}`)
+      - traefik.http.middlewares.gitea-https-redirect.redirectscheme.scheme=https
+      - traefik.http.routers.gitea.middlewares=gitea-https-redirect
+
+      # HTTPS config
+      - traefik.http.routers.gitea-secure.entrypoints=websecure
+      - traefik.http.routers.gitea-secure.rule=Host(`${GITEA_URL}`)
+      - traefik.http.routers.gitea-secure.tls=true
+      - traefik.http.routers.gitea-secure.tls.certresolver=myresolver
+      - traefik.http.services.gitea-secure.loadbalancer.server.port=3000
+      
+      - traefik.docker.network=proxy
+
+  db:
+    image: postgres:14
+    restart: always
+    env_file:
+      - stack.env
+    networks:
+      - gitea
+    volumes:
+      - ${GITEA_DB_DIR}:/var/lib/postgresql/data
+
+networks:
+  gitea:
+    external: false
+  backend:
+    external: true

Gitea/stack.env

@@ -0,0 +1,18 @@
+USER_UID=1000
+USER_GID=1000
+
+GITEA_PORT_HTTP=3000
+GITEA_PORT_SSH=22
+GITEA_URL=git.example.com
+
+GITEA_DIR=/path/to/gitea
+GITEA_DB_DIR=/path/to/gitea/db
+
+GITEA__database__DB_TYPE=postgres
+GITEA__database__HOST=db:5432
+GITEA__database__NAME=gitea
+GITEA__database__USER=gitea
+GITEA__database__PASSWD=YOUR_DB_PASSWORD
+POSTGRES_USER=gitea
+POSTGRES_PASSWORD=YOUR_DB_PASSWORD
+POSTGRES_DB=gitea

Immich/docker-compose.yaml

@@ -0,0 +1,98 @@
+version: "3.8"
+
+#
+# WARNING: Make sure to use the docker-compose.yml of the current release:
+#
+# https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml
+#
+# The compose file on main may not be compatible with the latest release.
+#
+
+name: immich
+
+services:
+  immich-server:
+    container_name: immich_server
+    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
+    command: [ "start.sh", "immich" ]
+    volumes:
+      - ${IMMICH_UPLOAD_DIR}:/usr/src/app/upload
+      - /etc/localtime:/etc/localtime:ro
+      - ${IMMICH_EXTERNAL_DIR}:/mnt/media:ro
+    env_file:
+      - stack.env
+    ports:
+      - ${IMMICH_PORT_HTTP}:3001
+      - ${IMMICH_PORT_HTTPS}:443
+    expose:
+      - ${IMMICH_PORT_HTTP}
+      - ${IMMICH_PORT_HTTPS}
+    depends_on:
+      - redis
+      - database
+    restart: always
+    labels:
+      - traefik.enable=true
+
+      - traefik.http.routers.immich.entrypoints=web
+      - traefik.http.routers.immich.rule=Host(`${IMMICH_URL}`)
+      - traefik.http.routers.immich.middlewares=immich-https-redirect
+      - traefik.http.middlewares.immich-https-redirect.redirectscheme.scheme=https
+      
+      - traefik.http.routers.immich-secure.entrypoints=websecure
+      - traefik.http.routers.immich-secure.rule=Host(`${IMMICH_URL}`)
+      - traefik.http.routers.immich-secure.tls=true
+      - traefik.http.routers.immich-secure.tls.certresolver=myresolver
+      - traefik.http.services.immich-secure.loadbalancer.server.port=3001
+      - traefik.http.services.immich-secure.loadbalancer.server.scheme=http
+
+      - traefik.docker.network=proxy
+
+  immich-microservices:
+    container_name: immich_microservices
+    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
+    # extends:
+    #   file: hwaccel.yml
+    #   service: hwaccel
+    command: [ "start.sh", "microservices" ]
+    volumes:
+      - ${IMMICH_UPLOAD_DIR}:/usr/src/app/upload
+      - ${IMMICH_EXTERNAL_DIR}:/mnt/media:ro
+      - /etc/localtime:/etc/localtime:ro
+    env_file:
+      - stack.env
+    depends_on:
+      - redis
+      - database
+    restart: always
+
+  immich-machine-learning:
+    container_name: immich_machine_learning
+    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
+    volumes:
+      - model-cache:/cache
+    env_file:
+      - stack.env
+    restart: always
+
+  redis:
+    container_name: immich_redis
+    image: redis:6.2-alpine@sha256:c5a607fb6e1bb15d32bbcf14db22787d19e428d59e31a5da67511b49bb0f1ccc
+    restart: always
+
+  database:
+    container_name: immich_postgres
+    image: tensorchord/pgvecto-rs:pg14-v0.1.11@sha256:0335a1a22f8c5dd1b697f14f079934f5152eaaa216c09b61e293be285491f8ee
+    env_file:
+      - stack.env
+    environment:
+      POSTGRES_PASSWORD: ${DB_PASSWORD}
+      POSTGRES_USER: ${DB_USERNAME}
+      POSTGRES_DB: ${DB_DATABASE_NAME}
+    volumes:
+      - pgdata:/var/lib/postgresql/data
+    restart: always
+
+volumes:
+  pgdata:
+  model-cache:

Immich/stack.env

@@ -0,0 +1,13 @@
+IMMICH_PORT_HTTP=3001
+IMMICH_PORT_HTTPS=443
+
+IMMICH_URL=immich.example.com
+IMMICH_EXTERNAL_DIR=/path/to/external/libraries
+IMMICH_UPLOAD_DIR=/path/to/immich/upload
+
+IMMICH_VERSION=release
+DB_PASSWORD=YOUR_DB_PASSWORD
+DB_HOSTNAME=immich_postgres
+DB_USERNAME=postgres
+DB_DATABASE_NAME=immich
+REDIS_HOSTNAME=immich_redis

Jellyfin/docker-compose.yaml

@@ -0,0 +1,34 @@
+version: '3'
+
+services:
+  jellyfin:
+    image: jellyfin/jellyfin:latest
+    restart: unless-stopped
+    ports:
+      - 1900:1900
+      - 7359:7359
+      - ${JELLYFIN_PORT_HTTP}:8096
+      - ${JELLYFIN_PORT_HTTPS}:8920
+    volumes:
+      - ./cache:/cache
+      - ${JELLYFIN_DIR}:/config:r
+      - ${JELLYFIN_MEDIA_DIR}:/data/media:ro
+    env_file:
+      - stack.env
+    labels:
+      - traefik.enable=true
+
+      # HTTP redirection to HTTPS
+      - traefik.http.routers.jellyfin.entrypoints=web
+      - traefik.http.routers.jellyfin.rule=Host(`${JELLYFIN_URL}`)
+      - traefik.http.middlewares.jellyfin-https-redirect.redirectscheme.scheme=https
+      - traefik.http.routers.jellyfin.middlewares=jellyfin-https-redirect
+
+      # HTTPS config
+      - traefik.http.routers.jellyfin-secure.entrypoints=websecure
+      - traefik.http.routers.jellyfin-secure.rule=Host(`${JELLYFIN_URL}`)
+      - traefik.http.routers.jellyfin-secure.tls=true
+      - traefik.http.routers.jellyfin-secure.tls.certresolver=myresolver
+      - traefik.http.services.jellyfin-secure.loadbalancer.server.port=8096
+      
+      - traefik.docker.network=proxy

Jellyfin/stack.env

@@ -0,0 +1,10 @@
+JELLYFIN_PORT_HTTP=8096
+JELLYFIN_PORT_HTTPS=8920
+JELLYFIN_URL=jellyfin.example.com
+
+JELLYFIN_DIR=/path/to/jelly
+JELLYFIN_MEDIA_DIR=/path/to/media
+
+TZ=America/Toronto
+PUID=1000
+PGID=1000

Nextcloud/docker-compose.yaml

@@ -0,0 +1,135 @@
+services:
+  aio-apache:
+    depends_on:
+      aio-nextcloud:
+        condition: service_started
+        required: false
+      aio-notify-push:
+        condition: service_started
+        required: false
+    image: nextcloud/aio-apache:latest
+    init: true
+    ports:
+      - ${APACHE_IP_BINDING}:${APACHE_PORT}:${APACHE_PORT}/tcp
+      - ${APACHE_IP_BINDING}:${APACHE_PORT}:${APACHE_PORT}/udp
+    env_file:
+      - stack.env
+    volumes:
+      - nextcloud_aio_nextcloud:/var/www/html:ro
+      - nextcloud_aio_apache:/mnt/data:rw
+    restart: unless-stopped
+    networks:
+      - nextcloud-aio
+    read_only: true
+    tmpfs:
+      - /var/log/supervisord
+      - /var/run/supervisord
+      - /usr/local/apache2/logs
+      - /tmp
+      - /home/www-data
+    labels:
+      - traefik.enable=true
+
+      # HTTP redirection to HTTPS
+      - traefik.http.routers.nextcloud.entrypoints=web
+      - traefik.http.routers.nextcloud.rule=Host(`${NEXTCLOUD_URL}`)
+      - traefik.http.middlewares.nextcloud-https-redirect.redirectscheme.scheme=https
+      - traefik.http.routers.nextcloud.middlewares=nextcloud-https-redirect
+
+      # HTTPS config
+      - traefik.http.routers.nextcloud-secure.entrypoints=websecure
+      - traefik.http.routers.nextcloud-secure.rule=Host(`${NEXTCLOUD_URL}`)
+      - traefik.http.routers.nextcloud-secure.tls=true
+      - traefik.http.routers.nextcloud-secure.tls.certresolver=myresolver
+      - traefik.http.services.nextcloud-secure.loadbalancer.server.port=21000
+      
+      - traefik.docker.network=proxy
+
+  aio-database:
+    image: nextcloud/aio-postgresql:latest
+    init: true
+    expose:
+      - "5432"
+    volumes:
+      - nextcloud_aio_database:/var/lib/postgresql/data:rw
+      - nextcloud_aio_database_dump:/mnt/data:rw
+    env_file:
+      - stack.env
+    stop_grace_period: 1800s
+    restart: unless-stopped
+    shm_size: 268435456
+    networks:
+      - nextcloud-aio
+    read_only: true
+    tmpfs:
+      - /var/run/postgresql
+
+  aio-nextcloud:
+    depends_on:
+      aio-database:
+        condition: service_started
+        required: false
+      aio-redis:
+        condition: service_started
+        required: false
+    image: nextcloud/aio-nextcloud:latest
+    init: true
+    expose:
+      - "9000"
+      - "9001"
+    volumes:
+      - nextcloud_aio_nextcloud:/var/www/html:rw
+      - ${NEXTCLOUD_USER_DIR}:/mnt/ncdata:rw
+      - ${NEXTCLOUD_DOCKER_DIR}:/mnt:rw
+      - ${NEXTCLOUD_TRUSTED_CACERTS_DIR}:/usr/local/share/ca-certificates:ro
+    env_file:
+      - stack.env
+    stop_grace_period: 600s
+    restart: unless-stopped
+    networks:
+      - nextcloud-aio
+
+  aio-notify-push:
+    image: nextcloud/aio-notify-push:latest
+    init: true
+    expose:
+      - "7867"
+    volumes:
+      - nextcloud_aio_nextcloud:/nextcloud:ro
+    env_file:
+      - stack.env
+    restart: unless-stopped
+    networks:
+      - nextcloud-aio
+    read_only: true
+
+  aio-redis:
+    image: nextcloud/aio-redis:latest
+    init: true
+    expose:
+      - "6379"
+    env_file:
+      - stack.env
+    volumes:
+      - nextcloud_aio_redis:/data:rw
+    restart: unless-stopped
+    networks:
+      - nextcloud-aio
+    read_only: true
+
+volumes:
+  nextcloud_aio_apache:
+    name: nextcloud_aio_apache
+  nextcloud_aio_database:
+    name: nextcloud_aio_database
+  nextcloud_aio_database_dump:
+    name: nextcloud_aio_database_dump
+  nextcloud_aio_nextcloud:
+    name: nextcloud_aio_nextcloud
+  nextcloud_aio_redis:
+    name: nextcloud_aio_redis
+
+networks:
+  nextcloud-aio:
+    name: nextcloud-aio
+    driver: bridge

Nextcloud/stack.env

@@ -0,0 +1,36 @@
+NEXTCLOUD_URL=nextcloud.example.com
+TZ=America/Toronto
+
+NEXTCLOUD_DOCKER_DIR=/path/to/nextcloud
+NEXTCLOUD_DATA_DIR=/path/to/users/data
+NEXTCLOUD_TRUSTED_CACERTS_DIR=./certificates
+
+ADMIN_USER=admin
+ADMIN_PASSWORD=YOUR_ADMIN_PASSWORD
+
+APACHE_IP_BINDING=0.0.0.0
+APACHE_PORT=21000
+APACHE_MAX_TIME=3600
+APACHE_MAX_SIZE=10737418240
+
+NEXTCLOUD_UPLOAD_LIMIT=10G
+POSTGRES_DB=nextcloud_database
+POSTGRES_HOST=aio-database
+POSTGRES_PASSWORD=YOUR_DB_PASSWORD
+POSTGRES_USER=nextcloud
+
+CLAMAV_ENABLED=false
+COLLABORA_ENABLED=false
+FULLTEXTSEARCH_ENABLED=false
+IMAGINARY_ENABLED=false
+TALK_ENABLED=false
+ONLYOFFICE_ENABLED=false
+
+NEXTCLOUD_HOST=aio-nextcloud
+NOTIFY_PUSH_HOST=aio-notify-push
+REDIS_HOST=aio-redis
+REDIS_HOST_PASSWORD=YOUR_REDIS_PASSWORD
+
+NC_DOMAIN=${NEXTCLOUD_URL}
+OVERWRITEHOST=${NC_DOMAIN}
+OVERWRITEPROTOCOL=https

README.md

@@ -0,0 +1,27 @@
+# Docker Services
+
+## Traefik
+
+Traefik is the routing point between user request and backend services. It also handles SSL certificates automatically.
+It forwards requests from service.example.com to your service running behind.
+Make sure that TRAEFIK_CERT_DIR exists on disk otherwise Traefik will requests certificates to your subdomains every time it restarts and you will get timed out by Letsencrypt.
+
+## Authentik
+
+Authentik is the credentials provider used by all the services. You just need to create accounts and assign permissions through authentik UI, then all accounts will be able to access your services without having to manage users for each.
+
+## Gitea
+
+A small, nice Git server.
+
+## Jellyfin
+
+At-home netflix
+
+## Nextcloud
+
+Google drive replacement
+
+## Immich
+
+Google photos replacement

Traefik/docker-compose.yaml

@@ -0,0 +1,33 @@
+version: '3.3'
+
+services:
+  reverse-proxy:
+    # The official v2 Traefik docker image
+    image: traefik:v2.10
+    # Enables the web UI and tells Traefik to listen to docker
+    command:
+      #- "--log.level=DEBUG"
+      - "--api.insecure=true"
+      - "--providers.docker=true"
+      - "--providers.docker.exposedbydefault=false"
+      - "--providers.file.directory=/traefik/conf"
+      - "--providers.file.watch=true"
+      - "--entrypoints.websecure.address=:443"
+      - "--entrypoints.web.address=:80"
+      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
+      - "--certificatesresolvers.myresolver.acme.email=${TRAEFIK_ADMIN_EMAIL}"
+      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
+    networks:
+      - backend
+    ports:
+      - ${TRAEFIK_PORT_HTTP}:80 # The HTTP port
+      - ${TRAEFIK_PORT_HTTPS}:443 # The HTTP port
+      - ${TRAEFIK_BACKEND_PORT}:8080 # The Web UI (enabled by --api.insecure=true)
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
+      - ${TRAEFIK_DIR}:/traefik
+      - ${TRAEFIK_CERT_DIR}:/letsencrypt # For SSL certificates
+
+networks:
+  backend:
+    external: true

Traefik/stack.env

@@ -0,0 +1,8 @@
+TRAEFIK_PORT_HTTP=80
+TRAEFIK_PORT_HTTPS=443
+TRAEFIK_BACKEND_PORT=8080
+
+TRAEFIK_ADMIN_EMAIL=admin@example.com
+
+TRAEFIK_DIR=/path/to/traefik
+TRAEFIK_CERT_DIR=/path/to/traefik/certs