jamie/dao_hades
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

syncing servers

Browse Source
This commit is contained in:
Jamie Albert
2025-12-07 17:31:31 +00:00
parent f6e60b144d
commit 9c3274881e
54 changed files with 5048 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
servers/hephaestus/ark/usr/local/bin/backup.sh Executable file
View File

@@ -0,0 +1,44 @@
#!/bin/bash
# Set variables
backup=$(date +%Y%m%d%H%M)
RETENTION_DAYS=5
log_message() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1"
}
log_message "Starting backup process..."
# Stop Docker
log_message "Stopping Docker services..."
cd /home/oc/dao/docker
docker compose down
## Baikal backup
log_message "Backing up Baikal database..."
cd /home/oc/dao/docker/data/baikal/Specific/db
[[ -f ./db.sqlite ]] && echo .dump | sqlite3 db.sqlite | gzip > "dumps/${backup}_baikal.sql.gz" && log_message "Baikal dumped"
# tar docker folder
log_message "Creating Docker tarball..."
cd /home/oc/dao
tar -cf "/tmp/${backup}_docker.tar.gz" docker/
# rclone upload
log_message "Uploading to remote storage..."
cd /tmp
rclone copy "${backup}_docker.tar.gz" vault:/system/backups/docker/
rm -f ${backup}_docker.tar.gz
# Clean up old backups (keep last 5 days)
log_message "Cleaning up old backups..."
rclone delete vault:/system/backups/docker/ --min-age ${RETENTION_DAYS}d
# Start Docker
log_message "Starting Docker services..."
cd /home/oc/dao/docker
docker compose up -d
log_message "Backup process completed."

62
servers/hephaestus/ark/usr/local/bin/cleanup.sh Executable file
View File

@@ -0,0 +1,62 @@
#!/bin/bash
# System Cleanup Script
# Run this script via cron to maintain system cleanliness
# Set variables
LOG_FILE="/var/log/system-cleanup.log"
DATE=$(date '+%Y-%m-%d %H:%M:%S')
# Function to log messages to both console and file
log_message() {
echo "[$DATE] $1" | tee -a "$LOG_FILE"
}
log_message "Starting system cleanup..."
# Docker System Cleanup
log_message "Cleaning up Docker system..."
docker system prune -a -f --volumes | while read -r line; do
log_message "Docker: $line"
done
# Clean up old Docker images not used in last 30 days
log_message "Removing unused Docker images older than 30 days..."
docker image prune -a -f --filter "until=720h" | while read -r line; do
log_message "Docker images: $line"
done
# System Package Cleanup
log_message "Cleaning up apt packages..."
apt-get autoremove -y | while read -r line; do
log_message "APT autoremove: $line"
done
apt-get autoclean -y | while read -r line; do
log_message "APT autoclean: $line"
done
# Clean up old logs (keep last 7 days)
log_message "Cleaning up old system logs..."
find /var/log -name "*.log" -type f -mtime +7 -delete 2>/dev/null
find /var/log -name "*.log.*" -type f -mtime +7 -delete 2>/dev/null
# Clean up journal logs (keep last 7 days)
log_message "Cleaning up journal logs..."
journalctl --vacuum-time=7d | while read -r line; do
log_message "Journal cleanup: $line"
done
# Clean up temporary files
log_message "Cleaning up temporary files..."
find /tmp -type f -atime +7 -delete 2>/dev/null
find /var/tmp -type f -atime +7 -delete 2>/dev/null
# Show disk usage after cleanup
log_message "Disk usage after cleanup:"
df -h | while read -r line; do
log_message "Disk: $line"
done
log_message "System cleanup completed."

76
servers/hephaestus/docker/.env Normal file
View File

@@ -0,0 +1,76 @@
# ---
# Baikal
# ---
BAIKAL_ADMIN_TOKEN="TTQH95LKDM9VQVZS"
BAIKAL_EMAIL="mail@do-bbs.com"
BAIKAL_HOST="dav.do-bbs.com"
BAIKAL_HC="https://hc-ping.com/d15fee2e-17ad-42bb-a573-591f45d3532b"
# ---
# Calibre Web
# ---
CALIBRE_WEB_HOST="cwa.do-bbs.com"
CALIBRE_WEB_D_HOST="cwabd.do-bbs.com"
CALIBRE_WEB_HC="https://hc-ping.com/313b09fb-f4c6-4fe8-b3d8-47929974c247"
HARD_API="eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJIYXJkY292ZXIiLCJ2ZXJzaW9uIjoiOCIsImp0aSI6ImEwZmZkNDk1LWM1ODMtNGEwMS1iYjBkLWYyNTNlMTEwMjU5ZSIsImFwcGxpY2F0aW9uSWQiOjIsInN1YiI6IjUxMDU5IiwiYXVkIjoiMSIsImlkIjoiNTEwNTkiLCJsb2dnZWRJbiI6dHJ1ZSwiaWF0IjoxNzYwOTIzOTM3LCJleHAiOjE3OTI0NTk5MzcsImh0dHBzOi8vaGFzdXJhLmlvL2p3dC9jbGFpbXMiOnsieC1oYXN1cmEtYWxsb3dlZC1yb2xlcyI6WyJ1c2VyIl0sIngtaGFzdXJhLWRlZmF1bHQtcm9sZSI6InVzZXIiLCJ4LWhhc3VyYS1yb2xlIjoidXNlciIsIlgtaGFzdXJhLXVzZXItaWQiOiI1MTA1OSJ9LCJ1c2VyIjp7ImlkIjo1MTA1OX19.26e1ZMA8p3ovr9d1wLJuZpXb72sTUXIjkEuoCrwPO90"
AA_KEY="5uWJKXVXJSpJhCvTo22XfVLVeMYEY#"
# ---
# Immich
# ---
IMMICH_HOST_DOMAIN=photos.do-bbs.com
UPLOAD_LOCATION=/mnt/athena/photos
DB_DATA_LOCATION=./data/immich/postgres
IMMICH_VERSION=release
DB_PASSWORD=poss8asdfhoNisdg97SDd!
DB_USERNAME=postgres
DB_DATABASE_NAME=immich
IMMICH_HC=https://hc-ping.com/583d761e-8899-4b15-be2c-d0a11f6c3f6a
# ---
# Traefik
# ---
TRAEFIK_WEBMASTER="webmaster@flatmail.me"
# ---
# Obsidian
# ---
OBSIDIAN_DB_HOST="obsidiandb.do-bbs.com"
OBSIDIAN_DB_HC="https://hc-ping.com/abbaa192-dadc-4241-b1a5-b2e4dbb50735"
OBSIDIAN_DB_USER=GelatoMadness
OBSIDIAN_DB_PASS=kangaroo-proof-breeze-tent-medal-oblige-require-good1
# ---
# Vaultwarden
# ---
VAULT_ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$OStJdThqUWRMbHUxSkVzM1pQbzAvMGk1bGxmK2wyRUJJM0t4K2xyNlI1TT0$KuXsTTUW0GJqOoaGWxP8W2u5AthQ5gmdjC/VzS5tDQI'
VAULT_HOST="vault.do-bbs.com"
# ---
# Gitea
# ---
DATA_PATH=/data
GITEA_VOLUME_LOCATION=./data/gitea
GITEA_HOSTNAME=gitea.do-bbs.com
GITEA_URL=https://gitea.do-bbs.com
GITEA_POSTGRES_IMAGE_TAG=postgres:latest
GITEA_IMAGE_TAG=gitea/gitea:latest
GITEA_DB_NAME=giteadb
GITEA_DB_USER=giteadbuser
GITEA_DB_PASSWORD=Dls8dnaPSmsgoA!
GITEA_ADMIN_USERNAME=giteaadmin
GITEA_ADMIN_PASSWORD=M8ajdl!lsmd3
GITEA_ADMIN_EMAIL=root@do-bbs.com
GITEA_SHELL_SSH_PORT=748
# Backup Variables
BACKUP_INIT_SLEEP=30m
BACKUP_INTERVAL=24h
POSTGRES_BACKUP_PRUNE_DAYS=7
DATA_BACKUP_PRUNE_DAYS=7
POSTGRES_BACKUPS_PATH=/srv/gitea-postgres/backups
DATA_BACKUPS_PATH=/srv/gitea-application-data/backups
POSTGRES_BACKUP_NAME=gitea-postgres-backup
DATA_BACKUP_NAME=gitea-application-data-backup

320
servers/hephaestus/docker/backup.compose.yml Normal file
View File

@@ -0,0 +1,320 @@
services:
traefik:
image: traefik:v3.2
container_name: traefik
command:
- "--api.insecure=true"
- "--api.dashboard=true"
- "--api.debug=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
- "--certificatesresolvers.letsencrypt.acme.email=webmaster@do-bbs.com"
- "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
- "--accesslog.filepath=/data/access.log"
- "--accesslog.format=json"
- --providers.file.filename=/dynamic.yml
- --providers.file.watch=true
ports:
- "80:80"
- "443:443"
- "8080:8080"
networks:
- external
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./letsencrypt:/letsencrypt
- ./data/traefik:/data
- ./dynamic.yml:/dynamic.yml:ro
- ./data/calibre/htpasswd.list:/htpasswd.list
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
- "traefik.http.routers.traefik-dashboard.service=api@internal"
- "traefik.http.routers.traefik-dashboard.tls=true"
restart: unless-stopped
dav:
image: ckulka/baikal:nginx
container_name: baikal
environment:
MSMTPRC: |
defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
account default
host smtp.protonmail.ch
port 587
from mail@do-bbs.com
user mail@do-bbs.com
password ${BAIKAL_ADMIN_TOKEN}
networks:
- external
volumes:
- ./data/baikal/Specific:/var/www/baikal/Specific
- ./data/baikal/config:/var/www/baikal/config
- ./data/baikal/50-add-sharing-plugin.sh:/docker-entrypoint.d/50-add-sharing-plugin.sh
labels:
- "traefik.enable=true"
- "traefik.http.routers.baikal.entrypoints=websecure"
- "traefik.http.routers.baikal.rule=Host(`dav.do-bbs.com`)"
- "traefik.http.routers.baikal.tls=true"
- "traefik.http.routers.baikal.tls.certresolver=letsencrypt"
- "traefik.http.services.baikal.loadbalancer.server.port=80"
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/d15fee2e-17ad-42bb-a573-591f45d3532b"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
environment:
- SIGNUPS_ALLOWED=false
- INVITES_ALLOWED=false
# - ADMIN_TOKEN=${VAULT_ADMIN_TOKEN}
- ADMIN_TOKEN=IFdsg.ORGOTARON123nsl
- DOMAIN=https://vault.do-bbs.com
- LOG_LEVEL=warn
- LOG_FILE=/data/vaultwarden.log
- TZ=Europe/London
networks:
- external
volumes:
- ./data/vaultwarden:/data
labels:
- traefik.enable=true
- traefik.http.middlewares.redirect-https.redirectScheme.scheme=https
- traefik.http.middlewares.redirect-https.redirectScheme.permanent=true
- traefik.http.routers.vaultwarden-https.rule=Host(`vault.do-bbs.com`)
- traefik.http.routers.vaultwarden-https.entrypoints=websecure
- traefik.http.routers.vaultwarden-https.tls=true
- traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt
- traefik.http.routers.vaultwarden-https.service=vaultwarden
- traefik.http.routers.vaultwarden-http.rule=Host(`vault.do-bbs.com`)
- traefik.http.routers.vaultwarden-http.entrypoints=web
- traefik.http.routers.vaultwarden-http.middlewares=redirect-https
- traefik.http.routers.vaultwarden-http.service=vaultwarden
- traefik.http.services.vaultwarden.loadbalancer.server.port=80
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/8d7c299a-9594-4f5b-bc1f-9d916ef530e6"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped
vaultwarden_backup:
image: ttionya/vaultwarden-backup:latest
container_name: vaultwarden-backup
restart: always
environment:
RCLONE_REMOTE_DIR: '/system/backups/vaultwarden/'
PING_URL_WHEN_SUCCESS: 'https://hc-ping.com/c03ac1a9-076a-415b-a378-bca245118672'
labels:
- traefik.enable=false
volumes:
- ./data/vaultwarden:/bitwarden/data/
- vaultwarden-rclone-data:/config/
immich_server:
container_name: immich_server
image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
volumes:
- ${UPLOAD_LOCATION}:/data
- /etc/localtime:/etc/localtime:ro
env_file:
.env
environment:
- REDIS_HOSTNAME=immich_redis
- DB_HOSTNAME=immich_database
networks:
- external
- internal
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.immich.rule=Host(`photos.do-bbs.com`)"
- "traefik.http.routers.immich.entrypoints=websecure"
- "traefik.http.services.immich.loadbalancer.server.port=2283"
- "traefik.http.routers.immich.tls=true"
- "traefik.http.routers.immich.tls.certresolver=letsencrypt"
depends_on:
- immich_redis
- immich_database
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/583d761e-8899-4b15-be2c-d0a11f6c3f6a"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: always
immich_machine_learning:
container_name: immich-machine-learning
image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
volumes:
- model-cache:/cache
env_file:
- .env
networks:
- internal
restart: always
immich_redis:
container_name: immich_redis
image: docker.io/valkey/valkey:8-bookworm@sha256:fea8b3e67b15729d4bb70589eb03367bab9ad1ee89c876f54327fc7c6e618571
healthcheck:
test: redis-cli ping || exit 1
networks:
- internal
restart: always
immich_database:
container_name: immich_postgres
image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:41eacbe83eca995561fe43814fd4891e16e39632806253848efaf04d3c8a8b84
environment:
POSTGRES_PASSWORD: ${DB_PASSWORD}
POSTGRES_USER: ${DB_USERNAME}
POSTGRES_DB: ${DB_DATABASE_NAME}
POSTGRES_INITDB_ARGS: '--data-checksums'
volumes:
- ${DB_DATA_LOCATION}:/var/lib/postgresql/data
shm_size: 128mb
networks:
- internal
restart: always
obsidian_db:
image: couchdb:latest
container_name: couchdb-ols
env_file:
.env
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik"
- "traefik.http.routers.couchdb.rule=Host(`couchdb.do-bbs.com`)"
- "traefik.http.routers.couchdb.entrypoints=websecure"
- "traefik.http.services.couchdb.loadbalancer.server.port=5984"
- "traefik.http.routers.couchdb.tls=true"
- "traefik.http.routers.couchdb.tls.certresolver=letsencrypt"
- "traefik.http.routers.couchdb.middlewares=obsidiancors"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolallowmethods=GET,PUT,POST,HEAD,DELETE"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolallowheaders=accept,authorization,content-type,origin,referer"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolalloworiginlist=app://obsidian.md,capacitor://localhost,http://localhost"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolmaxage=3600"
- "traefik.http.middlewares.obsidiancors.headers.addvaryheader=true"
- "traefik.http.middlewares.obsidiancors.headers.accessControlAllowCredentials=true"
environment:
- COUCHDB_USER=${COUCHDB_USER}
- COUCHDB_PASSWORD=${COUCHDB_PASSWORD}
volumes:
- ./data/couchdb/couchdb-data:/opt/couchdb/data
- ./data/couchdb/couchdb-etc:/opt/couchdb/etc/local.d
networks:
- external
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/abbaa192-dadc-4241-b1a5-b2e4dbb50735"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: always
calibre_web:
image: crocodilestick/calibre-web-automated:dev
container_name: calibre-web-automated
env_file:
- .env
environment:
- PUID=33
- PGID=33
- TZ=UTC
- HARDCOVER_TOKEN=${HARD_API}
- NETWORK_SHARE_MODE=true
- CWA_PORT_OVERRIDE=8083
- DOCKER_MODS=lscr.io/linuxserver/mods:universal-calibre-v8.7.0
volumes:
- ./data/calibre-web/data:/config
- ./data/calibre-web/meta:/calibre-library
- /mnt/athena/books/library:/calibre-library/athena
- ./data/calibre-web/ingest:/cwa-book-ingest
- ./data/calibre-web/plugins:/config/.config/calibre/plugins
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.cwa.rule=Host(`cwa.do-bbs.com`)"
- "traefik.http.routers.cwa.entrypoints=websecure"
- "traefik.http.services.cwa.loadbalancer.server.port=8083"
- "traefik.http.routers.cwa.tls=true"
- "traefik.http.routers.cwa.tls.certresolver=letsencrypt"
networks:
- external
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/313b09fb-f4c6-4fe8-b3d8-47929974c247"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped
calibre_web_downloader:
image: ghcr.io/calibrain/calibre-web-automated-book-downloader:latest
container_name: calibre-web-automated-book-downloader
env_file:
.env
environment:
FLASK_PORT: 8084
FLASK_DEBUG: false
LOG_LEVEL: info
BOOK_LANGUAGE: en
USE_BOOK_TITLE: true
TZ: UTC
APP_ENV: prod
UID: 33
GID: 33
CWA_DB_PATH: /auth/app.db
INGEST_DIR: /cwa-book-ingest
MAX_CONCURRENT_DOWNLOADS: 3
DOWNLOAD_PROGRESS_UPDATE_INTERVAL: 5
AA_DONATOR_KEY: ${AA_KEY}
USE_CF_BYPASS: false
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.cwabd.rule=Host(`cwabd.do-bbs.com`)"
- "traefik.http.routers.cwabd.entrypoints=websecure"
- "traefik.http.services.cwabd.loadbalancer.server.port=8084"
- "traefik.http.routers.cwabd.tls=true"
- "traefik.http.routers.cwabd.tls.certresolver=letsencrypt"
volumes:
- ./data/calibre-web/ingest:/cwa-book-ingest
- ./data/calibre-web/data/app.db:/auth/app.db:ro
networks:
- external
- internal
restart: unless-stopped
flaresolverr:
image: ghcr.io/flaresolverr/flaresolverr:latest
networks:
- internal
volumes:
model-cache:
vaultwarden-rclone-data:
external: true
name: vaultwarden-rclone-data
networks:
external:
name: external
internal:
name: internal

38
servers/hephaestus/docker/baikal.yml Normal file
View File

@@ -0,0 +1,38 @@
services:
dav:
image: ckulka/baikal:nginx
container_name: baikal
env_file:
- path: .env
environment:
MSMTPRC: |
defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
account default
host smtp.protonmail.ch
port 587
from ${BAIKAL_EMAIL}
user ${BAIKAL_EMAIL}
password ${BAIKAL_ADMIN_TOKEN}
networks:
- external
volumes:
- ./data/baikal/Specific:/var/www/baikal/Specific
- ./data/baikal/config:/var/www/baikal/config
- ./data/baikal/50-add-sharing-plugin.sh:/docker-entrypoint.d/50-add-sharing-plugin.sh
labels:
- "traefik.enable=true"
- "traefik.http.routers.baikal.entrypoints=websecure"
- "traefik.http.routers.baikal.rule=Host(`${BAIKAL_HOST}`)"
- "traefik.http.routers.baikal.tls=true"
- "traefik.http.routers.baikal.tls.certresolver=letsencrypt"
- "traefik.http.services.baikal.loadbalancer.server.port=80"
healthcheck:
test: ["CMD", "curl", "-f", "${BAIKAL_HC}"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped

78
servers/hephaestus/docker/calibre_web.yml Normal file
View File

@@ -0,0 +1,78 @@
services:
calibre_web:
image: crocodilestick/calibre-web-automated:dev
container_name: calibre-web-automated
env_file:
- path: .env
environment:
- PUID=33
- PGID=33
- TZ=UTC
- HARDCOVER_TOKEN=${HARD_API}
- NETWORK_SHARE_MODE=true
- CWA_PORT_OVERRIDE=8083
- DOCKER_MODS=lscr.io/linuxserver/mods:universal-calibre-v8.7.0
volumes:
- ./data/calibre-web/data:/config
- ./data/calibre-web/meta:/calibre-library
- /mnt/athena/books/library:/calibre-library/athena
- ./data/calibre-web/ingest:/cwa-book-ingest
- ./data/calibre-web/plugins:/config/.config/calibre/plugins
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.cwa.rule=Host(`${CALIBRE_WEB_HOST}`)"
- "traefik.http.routers.cwa.entrypoints=websecure"
- "traefik.http.services.cwa.loadbalancer.server.port=8083"
- "traefik.http.routers.cwa.tls=true"
- "traefik.http.routers.cwa.tls.certresolver=letsencrypt"
networks:
- external
healthcheck:
test: ["CMD", "curl", "-f", "${CALIBRE_WEB_HC}"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped
calibre_web_downloader:
image: ghcr.io/calibrain/calibre-web-automated-book-downloader:latest
container_name: calibre-web-automated-book-downloader
env_file:
- path: .env
environment:
FLASK_PORT: 8084
FLASK_DEBUG: false
LOG_LEVEL: info
BOOK_LANGUAGE: en
USE_BOOK_TITLE: true
TZ: UTC
APP_ENV: prod
UID: 33
GID: 33
CWA_DB_PATH: /auth/app.db
INGEST_DIR: /cwa-book-ingest
MAX_CONCURRENT_DOWNLOADS: 3
DOWNLOAD_PROGRESS_UPDATE_INTERVAL: 5
AA_DONATOR_KEY: ${AA_KEY}
USE_CF_BYPASS: false
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.cwabd.rule=Host(`${CALIBRE_WEB_D_HOST}`)"
- "traefik.http.routers.cwabd.entrypoints=websecure"
- "traefik.http.services.cwabd.loadbalancer.server.port=8084"
- "traefik.http.routers.cwabd.tls=true"
- "traefik.http.routers.cwabd.tls.certresolver=letsencrypt"
volumes:
- ./data/calibre-web/ingest:/cwa-book-ingest
- ./data/calibre-web/data/app.db:/auth/app.db:ro
networks:
- external
restart: unless-stopped
flaresolverr:
image: ghcr.io/flaresolverr/flaresolverr:latest
networks:
- external

20
servers/hephaestus/docker/compose.yml Normal file
View File

@@ -0,0 +1,20 @@
include:
- traefik.yml
- baikal.yml
- vaultwarden.yml
- immich.yml
- obsidian_db.yml
- calibre_web.yml
- gitea.yml
networks:
external:
name: external
internal:
name: internal
volumes:
model-cache:
vaultwarden-rclone-data:
external: true
name: vaultwarden-rclone-data

4
servers/hephaestus/docker/dynamic.yml Normal file
View File

@@ -0,0 +1,4 @@
http:
serversTransports:
ignorecert:
insecureSkipVerify: true

109
servers/hephaestus/docker/gitea.yml Normal file
View File

@@ -0,0 +1,109 @@
services:
gitea_postgres:
image: ${GITEA_POSTGRES_IMAGE_TAG}
container_name: gitea_postgres
volumes:
- ${GITEA_VOLUME_LOCATION}/postgres:/var/lib/postgresql
env_file:
- .env
environment:
POSTGRES_DB: ${GITEA_DB_NAME}
POSTGRES_USER: ${GITEA_DB_USER}
POSTGRES_PASSWORD: ${GITEA_DB_PASSWORD}
networks:
- internal
healthcheck:
test: [ "CMD", "pg_isready", "-q", "-d", "${GITEA_DB_NAME}", "-U", "${GITEA_DB_USER}" ]
interval: 10s
timeout: 5s
retries: 3
start_period: 60s
restart: unless-stopped
gitea:
image: ${GITEA_IMAGE_TAG}
container_name: gitea
volumes:
- ${GITEA_VOLUME_LOCATION}/data:/${DATA_PATH}
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
environment:
GITEA_DATABASE_HOST: postgres
GITEA_DATABASE_NAME: ${GITEA_DB_NAME}
GITEA_DATABASE_USERNAME: ${GITEA_DB_USER}
GITEA_DATABASE_PASSWORD: ${GITEA_DB_PASSWORD}
GITEA_ADMIN_USER: ${GITEA_ADMIN_USERNAME}
GITEA_ADMIN_PASSWORD: ${GITEA_ADMIN_PASSWORD}
GITEA_ADMIN_EMAIL: ${GITEA_ADMIN_EMAIL}
GITEA_RUN_MODE: prod
GITEA_DOMAIN: ${GITEA_HOSTNAME}
GITEA_SSH_DOMAIN: ${GITEA_HOSTNAME}
GITEA_ROOT_URL: ${GITEA_URL}
GITEA_HTTP_PORT: 3000
GITEA_SSH_PORT: ${GITEA_SHELL_SSH_PORT}
GITEA_SSH_LISTEN_PORT: 22
networks:
- external
- internal
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:3000/"]
interval: 10s
timeout: 5s
retries: 3
start_period: 90s
labels:
- "traefik.enable=true"
- "traefik.http.routers.gitea.rule=Host(`${GITEA_HOSTNAME}`)"
- "traefik.http.routers.gitea.service=gitea"
- "traefik.http.routers.gitea.entrypoints=websecure"
- "traefik.http.services.gitea.loadbalancer.server.port=3000"
- "traefik.http.routers.gitea.tls=true"
- "traefik.http.routers.gitea.tls.certresolver=letsencrypt"
- "traefik.http.services.gitea.loadbalancer.passhostheader=true"
- "traefik.http.middlewares.gitea.compress=true"
- "traefik.http.routers.gitea.middlewares=gitea"
- "traefik.tcp.routers.gitea-ssh.rule=HostSNI(`*`)"
- "traefik.tcp.routers.gitea-ssh.service=gitea-ssh"
- "traefik.tcp.routers.gitea-ssh.entrypoints=ssh"
- "traefik.tcp.services.gitea-ssh.loadbalancer.server.port=22"
- "traefik.docker.network=external"
restart: unless-stopped
depends_on:
gitea_postgres:
condition: service_healthy
gitea_backups:
image: ${GITEA_POSTGRES_IMAGE_TAG}
container_name: gitea_backups
command: >-
sh -c 'sleep $BACKUP_INIT_SLEEP &&
while true; do
pg_dump -h postgres -p 5432 -d $GITEA_DB_NAME -U $GITEA_DB_USER | gzip > $POSTGRES_BACKUPS_PATH/$POSTGRES_BACKUP_NAME-$(date "+%Y-%m-%d_%H-%M").gz &&
tar -zcpf $DATA_BACKUPS_PATH/$DATA_BACKUP_NAME-$(date "+%Y-%m-%d_%H-%M").tar.gz $DATA_PATH &&
find $POSTGRES_BACKUPS_PATH -type f -mtime +$POSTGRES_BACKUP_PRUNE_DAYS | xargs rm -f &&
find $DATA_BACKUPS_PATH -type f -mtime +$DATA_BACKUP_PRUNE_DAYS | xargs rm -f;
sleep $BACKUP_INTERVAL; done'
volumes:
- ${GITEA_VOLUME_LOCATION}/postgres_backup:/var/lib/postgresql/data
- ${GITEA_VOLUME_LOCATION}/data:${DATA_PATH}
- ${GITEA_VOLUME_LOCATION}/data_backup:${DATA_BACKUPS_PATH}
- ${GITEA_VOLUME_LOCATION}/database_backup:${POSTGRES_BACKUPS_PATH}
environment:
GITEA_DB_NAME: ${GITEA_DB_NAME}
GITEA_DB_USER: ${GITEA_DB_USER}
PGPASSWORD: ${GITEA_DB_PASSWORD}
BACKUP_INIT_SLEEP: ${BACKUP_INIT_SLEEP}
BACKUP_INTERVAL: ${BACKUP_INTERVAL}
POSTGRES_BACKUP_PRUNE_DAYS: ${POSTGRES_BACKUP_PRUNE_DAYS}
DATA_BACKUP_PRUNE_DAYS: ${DATA_BACKUP_PRUNE_DAYS}
POSTGRES_BACKUPS_PATH: ${POSTGRES_BACKUPS_PATH}
DATA_BACKUPS_PATH: ${DATA_BACKUPS_PATH}
DATA_PATH: ${DATA_PATH}
POSTGRES_BACKUP_NAME: ${POSTGRES_BACKUP_NAME}
DATA_BACKUP_NAME: ${DATA_BACKUP_NAME}
networks:
- internal
restart: unless-stopped
depends_on:
gitea_postgres:
condition: service_healthy

68
servers/hephaestus/docker/immich.yml Normal file
View File

@@ -0,0 +1,68 @@
services:
immich_server:
container_name: immich_server
image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
volumes:
- ${UPLOAD_LOCATION}:/data
- /etc/localtime:/etc/localtime:ro
env_file:
- path: .env
environment:
- REDIS_HOSTNAME=immich_redis
- DB_HOSTNAME=immich_database
networks:
- external
- internal
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.immich.rule=Host(`${IMMICH_HOST_DOMAIN}`)"
- "traefik.http.routers.immich.entrypoints=websecure"
- "traefik.http.services.immich.loadbalancer.server.port=2283"
- "traefik.http.routers.immich.tls=true"
- "traefik.http.routers.immich.tls.certresolver=letsencrypt"
depends_on:
- immich_redis
- immich_database
healthcheck:
test: ["CMD", "curl", "-f", "${IMMICH_HC}"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: always
immich_machine_learning:
container_name: immich-machine-learning
image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
volumes:
- model-cache:/cache
env_file:
- .env
networks:
- internal
restart: always
immich_redis:
container_name: immich_redis
image: docker.io/valkey/valkey:8-bookworm@sha256:fea8b3e67b15729d4bb70589eb03367bab9ad1ee89c876f54327fc7c6e618571
healthcheck:
test: redis-cli ping || exit 1
networks:
- internal
restart: always
immich_database:
container_name: immich_postgres
image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:41eacbe83eca995561fe43814fd4891e16e39632806253848efaf04d3c8a8b84
environment:
POSTGRES_PASSWORD: ${DB_PASSWORD}
POSTGRES_USER: ${DB_USERNAME}
POSTGRES_DB: ${DB_DATABASE_NAME}
POSTGRES_INITDB_ARGS: '--data-checksums'
volumes:
- ${DB_DATA_LOCATION}:/var/lib/postgresql/data
shm_size: 128mb
networks:
- internal
restart: always

36
servers/hephaestus/docker/obsidian_db.yml Normal file
View File

@@ -0,0 +1,36 @@
services:
obsidian_db:
image: couchdb:latest
container_name: obsidian_db
env_file:
- path: .env
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik"
- "traefik.http.routers.couchdb.rule=Host(`${OBSIDIAN_DB_HOST}`)"
- "traefik.http.routers.couchdb.entrypoints=websecure"
- "traefik.http.services.couchdb.loadbalancer.server.port=5984"
- "traefik.http.routers.couchdb.tls=true"
- "traefik.http.routers.couchdb.tls.certresolver=letsencrypt"
- "traefik.http.routers.couchdb.middlewares=obsidiancors"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolallowmethods=GET,PUT,POST,HEAD,DELETE"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolallowheaders=accept,authorization,content-type,origin,referer"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolalloworiginlist=app://obsidian.md,capacitor://localhost,http://localhost"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolmaxage=3600"
- "traefik.http.middlewares.obsidiancors.headers.addvaryheader=true"
- "traefik.http.middlewares.obsidiancors.headers.accessControlAllowCredentials=true"
environment:
- COUCHDB_USER=${OBSIDIAN_DB_USER}
- COUCHDB_PASSWORD=${OBSIDIAN_DB_PASS}
volumes:
- ./data/couchdb/couchdb-data:/opt/couchdb/data
- ./data/couchdb/couchdb-etc:/opt/couchdb/etc/local.d
networks:
- external
healthcheck:
test: ["CMD", "curl", "-f", "${OBSIDIAN_DB_HC}"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: always

42
servers/hephaestus/docker/traefik.yml Normal file
View File

@@ -0,0 +1,42 @@
services:
traefik:
image: traefik:latest
container_name: traefik
env_file:
- path: .env
command:
- "--api.insecure=true"
- "--api.dashboard=true"
- "--api.debug=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
# Add SSH entrypoint
- "--entrypoints.ssh.address=:748"
- "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
- "--certificatesresolvers.letsencrypt.acme.email=${TRAEFIK_WEBMASTER}"
- "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
- "--accesslog.filepath=/data/access.log"
- "--accesslog.format=json"
- --providers.file.filename=/dynamic.yml
- --providers.file.watch=true
ports:
- "80:80"
- "443:443"
- "748:748" # Add SSH port mapping
- "8080:8080"
networks:
- external
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./letsencrypt:/letsencrypt
- ./data/traefik:/data
- ./dynamic.yml:/dynamic.yml:ro
- ./data/calibre/htpasswd.list:/htpasswd.list
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
- "traefik.http.routers.traefik-dashboard.service=api@internal"
- "traefik.http.routers.traefik-dashboard.tls=true"
restart: unless-stopped

52
servers/hephaestus/docker/vaultwarden.yml Normal file
View File

@@ -0,0 +1,52 @@
services:
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
env_file:
- path: .env
environment:
- SIGNUPS_ALLOWED=false
- INVITES_ALLOWED=false
# - ADMIN_TOKEN=${VAULT_ADMIN_TOKEN}
- DOMAIN=https://${VAULT_HOST}
- LOG_LEVEL=warn
- LOG_FILE=/data/vaultwarden.log
- TZ=Europe/London
networks:
- external
volumes:
- ./data/vaultwarden:/data
labels:
- traefik.enable=true
- traefik.http.middlewares.redirect-https.redirectScheme.scheme=https
- traefik.http.middlewares.redirect-https.redirectScheme.permanent=true
- traefik.http.routers.vaultwarden-https.rule=Host(`${VAULT_HOST}`)
- traefik.http.routers.vaultwarden-https.entrypoints=websecure
- traefik.http.routers.vaultwarden-https.tls=true
- traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt
- traefik.http.routers.vaultwarden-https.service=vaultwarden
- traefik.http.routers.vaultwarden-http.rule=Host(`${VAULT_HOST}`)
- traefik.http.routers.vaultwarden-http.entrypoints=web
- traefik.http.routers.vaultwarden-http.middlewares=redirect-https
- traefik.http.routers.vaultwarden-http.service=vaultwarden
- traefik.http.services.vaultwarden.loadbalancer.server.port=80
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/8d7c299a-9594-4f5b-bc1f-9d916ef530e6"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped
vaultwarden_backup:
image: ttionya/vaultwarden-backup:latest
container_name: vaultwarden-backup
restart: always
environment:
RCLONE_REMOTE_DIR: '/system/backups/vaultwarden/'
PING_URL_WHEN_SUCCESS: 'https://hc-ping.com/c03ac1a9-076a-415b-a378-bca245118672'
labels:
- traefik.enable=false
volumes:
- ./data/vaultwarden:/bitwarden/data/
- vaultwarden-rclone-data:/config/

252
servers/hephaestus/homelab Normal file
View File

@@ -0,0 +1,252 @@
# Vaultwarden
server {
server_name vault.do-bbs.com;
location / {
proxy_pass http://10.10.10.2:443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Timeouts
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/vault.do-bbs.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/vault.do-bbs.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Immich
server {
server_name photos.do-bbs.com;
location / {
proxy_pass http://10.10.10.2:443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Large file uploads
client_max_body_size 50000M;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/photos.do-bbs.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/photos.do-bbs.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Gitea
server {
server_name gitea.do-bbs.com;
location / {
proxy_pass http://10.10.10.2:443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/gitea.do-bbs.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/gitea.do-bbs.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Baikal
server {
server_name dav.do-bbs.com;
location / {
proxy_pass http://10.10.10.2:443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
# WebDAV specific headers
proxy_set_header Destination $http_destination;
proxy_pass_header Authorization;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/dav.do-bbs.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/dav.do-bbs.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Obsidian/CouchDB
server {
server_name obsidiandb.do-bbs.com;
location / {
proxy_pass http://10.10.10.2:443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/obsidiandb.do-bbs.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/obsidiandb.do-bbs.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Calibre Web
server {
server_name cwa.do-bbs.com;
location / {
proxy_pass http://10.10.10.2:443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/cwa.do-bbs.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/cwa.do-bbs.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
server_name cwabd.do-bbs.com;
location / {
proxy_pass http://10.10.10.2:443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/cwabd.do-bbs.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/cwabd.do-bbs.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = vault.do-bbs.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name vault.do-bbs.com;
return 404; # managed by Certbot
}
server {
if ($host = photos.do-bbs.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name photos.do-bbs.com;
return 404; # managed by Certbot
}
server {
if ($host = gitea.do-bbs.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name gitea.do-bbs.com;
return 404; # managed by Certbot
}
server {
if ($host = dav.do-bbs.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name dav.do-bbs.com;
return 404; # managed by Certbot
}
server {
if ($host = obsidiandb.do-bbs.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name obsidiandb.do-bbs.com;
return 404; # managed by Certbot
}
server {
if ($host = cwa.do-bbs.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name cwa.do-bbs.com;
return 404; # managed by Certbot
}
server {
if ($host = cwabd.do-bbs.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name cwabd.do-bbs.com;
return 404; # managed by Certbot
}