Jamie Albert
2025-12-11 21:06:25 +00:00
parent 9c3274881e
commit a35414bd50
45 changed files with 60 additions and 4311 deletions

19
.gitignore vendored

@@ -3,23 +3,6 @@ cradle/home/.config/aerc/accounts.conf
cradle/home/.mbsyncrc
storage/harpocrates/*
storage/*
servers/hephaestus/docker/data
servers/hephaestus/docker/letsencrypt
servers/hestia/.ssh/*
servers/hestia/storage/*
servers/hestia/.config
servers/hestia/.local
servers/hestia/.ssh
servers/hestia/.terminfo
servers/hestia/dao/servers
servers/hestia/dao/storage
servers/hestia/dao/docker/data
servers/hestia/dao/docker/letsencrypt
servers/pan/.local
servers/pan/.ssh
servers/pan/.terminfo
servers/pan/.X.d
servers/pan/rtl8761bu
servers/pan/Tidal-Connect-Armv7
servers/*
in_progress/things_to_do
servers/pan/.cifs.cred
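Review bot: Ignoring `servers/*` only stops these paths from being tracked from now on; the env and compose files removed elsewhere in this commit contain what look like live credentials (database and admin passwords, API tokens, an admin token written directly into a compose file, health-check ping URLs), and they remain readable in every earlier revision and on this commit page. Each of those values should be treated as disclosed and rotated at its service, and the history rewritten or the repository re-created if anyone else can reach it. The rendered page does not mark which listed line is the added one; assuming it is `servers/*`, the later `servers/pan/.cifs.cred` entry is now redundant. A comment above the new entry such as `# remote sshfs mount points - never track, may hold credentials` would record why the whole tree is excluded.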


@@ -1,16 +0,0 @@
#!/usr/bin/env bash
# ---
# @file_name: deploy.sh
# @description: deploy files into their relevant directories
# @date: 2025-11-11
# @version: 0.01
# @usage: ./deploy.sh [-h|--help]
#
# @author: Jamie Albert
# @author_contact: <mailto:jamie.albert@flatmail.me
# @license: GNU Affero General Public License v3.0 (Included in LICENSE)
# Copyright (C) 2025, Jamie Albert
# ---
set -euo pipefail
cd cradle


@@ -17,7 +17,7 @@ declare -A RCLONE_MOUNTS=(
declare -A SSHFS_MOUNTS=(
["hephaestus"]="/home/oc/dao:/home/jamie/dao/servers/hephaestus"
["pan_lms"]="/home/tc:/home/jamie/dao/servers/pan"
["hestia"]="/home/jamie:/home/jamie/dao/servers/hestia"
["hestia"]="/home/jamie/dao:/home/jamie/dao/servers/hestia"
)
# Options
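Review bot: The `pan_lms` entry still maps an entire remote home (`/home/tc`) into `dao/servers/pan`, while this change narrows `hestia` to its `dao` subdirectory (assuming the `/home/jamie/dao` line is the new side; the rendered page lost the +/- markers). A whole-home mount under the repository tree places `.ssh`, shell start-up files and credential files next to tracked content, which appears to be how the dotfiles and env files deleted in this commit came to be committed. Consider pointing `pan_lms` at only the subdirectory that is needed, and add a comment above the array such as `# mount only the project subtree, never a whole home directory`. The array declaration starts before the hunk and the script continues after it.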


@@ -1,76 +0,0 @@
# ---
# Baikal
# ---
BAIKAL_ADMIN_TOKEN="TTQH95LKDM9VQVZS"
BAIKAL_EMAIL="mail@do-bbs.com"
BAIKAL_HOST="dav.do-bbs.com"
BAIKAL_HC="https://hc-ping.com/d15fee2e-17ad-42bb-a573-591f45d3532b"
# ---
# Calibre Web
# ---
CALIBRE_WEB_HOST="cwa.do-bbs.com"
CALIBRE_WEB_D_HOST="cwabd.do-bbs.com"
CALIBRE_WEB_HC="https://hc-ping.com/313b09fb-f4c6-4fe8-b3d8-47929974c247"
HARD_API="eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJIYXJkY292ZXIiLCJ2ZXJzaW9uIjoiOCIsImp0aSI6ImEwZmZkNDk1LWM1ODMtNGEwMS1iYjBkLWYyNTNlMTEwMjU5ZSIsImFwcGxpY2F0aW9uSWQiOjIsInN1YiI6IjUxMDU5IiwiYXVkIjoiMSIsImlkIjoiNTEwNTkiLCJsb2dnZWRJbiI6dHJ1ZSwiaWF0IjoxNzYwOTIzOTM3LCJleHAiOjE3OTI0NTk5MzcsImh0dHBzOi8vaGFzdXJhLmlvL2p3dC9jbGFpbXMiOnsieC1oYXN1cmEtYWxsb3dlZC1yb2xlcyI6WyJ1c2VyIl0sIngtaGFzdXJhLWRlZmF1bHQtcm9sZSI6InVzZXIiLCJ4LWhhc3VyYS1yb2xlIjoidXNlciIsIlgtaGFzdXJhLXVzZXItaWQiOiI1MTA1OSJ9LCJ1c2VyIjp7ImlkIjo1MTA1OX19.26e1ZMA8p3ovr9d1wLJuZpXb72sTUXIjkEuoCrwPO90"
AA_KEY="5uWJKXVXJSpJhCvTo22XfVLVeMYEY#"
# ---
# Immich
# ---
IMMICH_HOST_DOMAIN=photos.do-bbs.com
UPLOAD_LOCATION=/mnt/athena/photos
DB_DATA_LOCATION=./data/immich/postgres
IMMICH_VERSION=release
DB_PASSWORD=poss8asdfhoNisdg97SDd!
DB_USERNAME=postgres
DB_DATABASE_NAME=immich
IMMICH_HC=https://hc-ping.com/583d761e-8899-4b15-be2c-d0a11f6c3f6a
# ---
# Traefik
# ---
TRAEFIK_WEBMASTER="webmaster@flatmail.me"
# ---
# Obsidian
# ---
OBSIDIAN_DB_HOST="obsidiandb.do-bbs.com"
OBSIDIAN_DB_HC="https://hc-ping.com/abbaa192-dadc-4241-b1a5-b2e4dbb50735"
OBSIDIAN_DB_USER=GelatoMadness
OBSIDIAN_DB_PASS=kangaroo-proof-breeze-tent-medal-oblige-require-good1
# ---
# Vaultwarden
# ---
VAULT_ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$OStJdThqUWRMbHUxSkVzM1pQbzAvMGk1bGxmK2wyRUJJM0t4K2xyNlI1TT0$KuXsTTUW0GJqOoaGWxP8W2u5AthQ5gmdjC/VzS5tDQI'
VAULT_HOST="vault.do-bbs.com"
# ---
# Gitea
# ---
DATA_PATH=/data
GITEA_VOLUME_LOCATION=./data/gitea
GITEA_HOSTNAME=gitea.do-bbs.com
GITEA_URL=https://gitea.do-bbs.com
GITEA_POSTGRES_IMAGE_TAG=postgres:latest
GITEA_IMAGE_TAG=gitea/gitea:latest
GITEA_DB_NAME=giteadb
GITEA_DB_USER=giteadbuser
GITEA_DB_PASSWORD=Dls8dnaPSmsgoA!
GITEA_ADMIN_USERNAME=giteaadmin
GITEA_ADMIN_PASSWORD=M8ajdl!lsmd3
GITEA_ADMIN_EMAIL=root@do-bbs.com
GITEA_SHELL_SSH_PORT=748
# Backup Variables
BACKUP_INIT_SLEEP=30m
BACKUP_INTERVAL=24h
POSTGRES_BACKUP_PRUNE_DAYS=7
DATA_BACKUP_PRUNE_DAYS=7
POSTGRES_BACKUPS_PATH=/srv/gitea-postgres/backups
DATA_BACKUPS_PATH=/srv/gitea-application-data/backups
POSTGRES_BACKUP_NAME=gitea-postgres-backup
DATA_BACKUP_NAME=gitea-application-data-backup


@@ -1,320 +0,0 @@
services:
traefik:
image: traefik:v3.2
container_name: traefik
command:
- "--api.insecure=true"
- "--api.dashboard=true"
- "--api.debug=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
- "--certificatesresolvers.letsencrypt.acme.email=webmaster@do-bbs.com"
- "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
- "--accesslog.filepath=/data/access.log"
- "--accesslog.format=json"
- --providers.file.filename=/dynamic.yml
- --providers.file.watch=true
ports:
- "80:80"
- "443:443"
- "8080:8080"
networks:
- external
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./letsencrypt:/letsencrypt
- ./data/traefik:/data
- ./dynamic.yml:/dynamic.yml:ro
- ./data/calibre/htpasswd.list:/htpasswd.list
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
- "traefik.http.routers.traefik-dashboard.service=api@internal"
- "traefik.http.routers.traefik-dashboard.tls=true"
restart: unless-stopped
dav:
image: ckulka/baikal:nginx
container_name: baikal
environment:
MSMTPRC: |
defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
account default
host smtp.protonmail.ch
port 587
from mail@do-bbs.com
user mail@do-bbs.com
password ${BAIKAL_ADMIN_TOKEN}
networks:
- external
volumes:
- ./data/baikal/Specific:/var/www/baikal/Specific
- ./data/baikal/config:/var/www/baikal/config
- ./data/baikal/50-add-sharing-plugin.sh:/docker-entrypoint.d/50-add-sharing-plugin.sh
labels:
- "traefik.enable=true"
- "traefik.http.routers.baikal.entrypoints=websecure"
- "traefik.http.routers.baikal.rule=Host(`dav.do-bbs.com`)"
- "traefik.http.routers.baikal.tls=true"
- "traefik.http.routers.baikal.tls.certresolver=letsencrypt"
- "traefik.http.services.baikal.loadbalancer.server.port=80"
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/d15fee2e-17ad-42bb-a573-591f45d3532b"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
environment:
- SIGNUPS_ALLOWED=false
- INVITES_ALLOWED=false
# - ADMIN_TOKEN=${VAULT_ADMIN_TOKEN}
- ADMIN_TOKEN=IFdsg.ORGOTARON123nsl
- DOMAIN=https://vault.do-bbs.com
- LOG_LEVEL=warn
- LOG_FILE=/data/vaultwarden.log
- TZ=Europe/London
networks:
- external
volumes:
- ./data/vaultwarden:/data
labels:
- traefik.enable=true
- traefik.http.middlewares.redirect-https.redirectScheme.scheme=https
- traefik.http.middlewares.redirect-https.redirectScheme.permanent=true
- traefik.http.routers.vaultwarden-https.rule=Host(`vault.do-bbs.com`)
- traefik.http.routers.vaultwarden-https.entrypoints=websecure
- traefik.http.routers.vaultwarden-https.tls=true
- traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt
- traefik.http.routers.vaultwarden-https.service=vaultwarden
- traefik.http.routers.vaultwarden-http.rule=Host(`vault.do-bbs.com`)
- traefik.http.routers.vaultwarden-http.entrypoints=web
- traefik.http.routers.vaultwarden-http.middlewares=redirect-https
- traefik.http.routers.vaultwarden-http.service=vaultwarden
- traefik.http.services.vaultwarden.loadbalancer.server.port=80
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/8d7c299a-9594-4f5b-bc1f-9d916ef530e6"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped
vaultwarden_backup:
image: ttionya/vaultwarden-backup:latest
container_name: vaultwarden-backup
restart: always
environment:
RCLONE_REMOTE_DIR: '/system/backups/vaultwarden/'
PING_URL_WHEN_SUCCESS: 'https://hc-ping.com/c03ac1a9-076a-415b-a378-bca245118672'
labels:
- traefik.enable=false
volumes:
- ./data/vaultwarden:/bitwarden/data/
- vaultwarden-rclone-data:/config/
immich_server:
container_name: immich_server
image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
volumes:
- ${UPLOAD_LOCATION}:/data
- /etc/localtime:/etc/localtime:ro
env_file:
.env
environment:
- REDIS_HOSTNAME=immich_redis
- DB_HOSTNAME=immich_database
networks:
- external
- internal
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.immich.rule=Host(`photos.do-bbs.com`)"
- "traefik.http.routers.immich.entrypoints=websecure"
- "traefik.http.services.immich.loadbalancer.server.port=2283"
- "traefik.http.routers.immich.tls=true"
- "traefik.http.routers.immich.tls.certresolver=letsencrypt"
depends_on:
- immich_redis
- immich_database
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/583d761e-8899-4b15-be2c-d0a11f6c3f6a"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: always
immich_machine_learning:
container_name: immich-machine-learning
image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
volumes:
- model-cache:/cache
env_file:
- .env
networks:
- internal
restart: always
immich_redis:
container_name: immich_redis
image: docker.io/valkey/valkey:8-bookworm@sha256:fea8b3e67b15729d4bb70589eb03367bab9ad1ee89c876f54327fc7c6e618571
healthcheck:
test: redis-cli ping || exit 1
networks:
- internal
restart: always
immich_database:
container_name: immich_postgres
image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:41eacbe83eca995561fe43814fd4891e16e39632806253848efaf04d3c8a8b84
environment:
POSTGRES_PASSWORD: ${DB_PASSWORD}
POSTGRES_USER: ${DB_USERNAME}
POSTGRES_DB: ${DB_DATABASE_NAME}
POSTGRES_INITDB_ARGS: '--data-checksums'
volumes:
- ${DB_DATA_LOCATION}:/var/lib/postgresql/data
shm_size: 128mb
networks:
- internal
restart: always
obsidian_db:
image: couchdb:latest
container_name: couchdb-ols
env_file:
.env
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik"
- "traefik.http.routers.couchdb.rule=Host(`couchdb.do-bbs.com`)"
- "traefik.http.routers.couchdb.entrypoints=websecure"
- "traefik.http.services.couchdb.loadbalancer.server.port=5984"
- "traefik.http.routers.couchdb.tls=true"
- "traefik.http.routers.couchdb.tls.certresolver=letsencrypt"
- "traefik.http.routers.couchdb.middlewares=obsidiancors"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolallowmethods=GET,PUT,POST,HEAD,DELETE"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolallowheaders=accept,authorization,content-type,origin,referer"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolalloworiginlist=app://obsidian.md,capacitor://localhost,http://localhost"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolmaxage=3600"
- "traefik.http.middlewares.obsidiancors.headers.addvaryheader=true"
- "traefik.http.middlewares.obsidiancors.headers.accessControlAllowCredentials=true"
environment:
- COUCHDB_USER=${COUCHDB_USER}
- COUCHDB_PASSWORD=${COUCHDB_PASSWORD}
volumes:
- ./data/couchdb/couchdb-data:/opt/couchdb/data
- ./data/couchdb/couchdb-etc:/opt/couchdb/etc/local.d
networks:
- external
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/abbaa192-dadc-4241-b1a5-b2e4dbb50735"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: always
calibre_web:
image: crocodilestick/calibre-web-automated:dev
container_name: calibre-web-automated
env_file:
- .env
environment:
- PUID=33
- PGID=33
- TZ=UTC
- HARDCOVER_TOKEN=${HARD_API}
- NETWORK_SHARE_MODE=true
- CWA_PORT_OVERRIDE=8083
- DOCKER_MODS=lscr.io/linuxserver/mods:universal-calibre-v8.7.0
volumes:
- ./data/calibre-web/data:/config
- ./data/calibre-web/meta:/calibre-library
- /mnt/athena/books/library:/calibre-library/athena
- ./data/calibre-web/ingest:/cwa-book-ingest
- ./data/calibre-web/plugins:/config/.config/calibre/plugins
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.cwa.rule=Host(`cwa.do-bbs.com`)"
- "traefik.http.routers.cwa.entrypoints=websecure"
- "traefik.http.services.cwa.loadbalancer.server.port=8083"
- "traefik.http.routers.cwa.tls=true"
- "traefik.http.routers.cwa.tls.certresolver=letsencrypt"
networks:
- external
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/313b09fb-f4c6-4fe8-b3d8-47929974c247"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped
calibre_web_downloader:
image: ghcr.io/calibrain/calibre-web-automated-book-downloader:latest
container_name: calibre-web-automated-book-downloader
env_file:
.env
environment:
FLASK_PORT: 8084
FLASK_DEBUG: false
LOG_LEVEL: info
BOOK_LANGUAGE: en
USE_BOOK_TITLE: true
TZ: UTC
APP_ENV: prod
UID: 33
GID: 33
CWA_DB_PATH: /auth/app.db
INGEST_DIR: /cwa-book-ingest
MAX_CONCURRENT_DOWNLOADS: 3
DOWNLOAD_PROGRESS_UPDATE_INTERVAL: 5
AA_DONATOR_KEY: ${AA_KEY}
USE_CF_BYPASS: false
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.cwabd.rule=Host(`cwabd.do-bbs.com`)"
- "traefik.http.routers.cwabd.entrypoints=websecure"
- "traefik.http.services.cwabd.loadbalancer.server.port=8084"
- "traefik.http.routers.cwabd.tls=true"
- "traefik.http.routers.cwabd.tls.certresolver=letsencrypt"
volumes:
- ./data/calibre-web/ingest:/cwa-book-ingest
- ./data/calibre-web/data/app.db:/auth/app.db:ro
networks:
- external
- internal
restart: unless-stopped
flaresolverr:
image: ghcr.io/flaresolverr/flaresolverr:latest
networks:
- internal
volumes:
model-cache:
vaultwarden-rclone-data:
external: true
name: vaultwarden-rclone-data
networks:
external:
name: external
internal:
name: internal


@@ -1,38 +0,0 @@
services:
dav:
image: ckulka/baikal:nginx
container_name: baikal
env_file:
- path: .env
environment:
MSMTPRC: |
defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
account default
host smtp.protonmail.ch
port 587
from ${BAIKAL_EMAIL}
user ${BAIKAL_EMAIL}
password ${BAIKAL_ADMIN_TOKEN}
networks:
- external
volumes:
- ./data/baikal/Specific:/var/www/baikal/Specific
- ./data/baikal/config:/var/www/baikal/config
- ./data/baikal/50-add-sharing-plugin.sh:/docker-entrypoint.d/50-add-sharing-plugin.sh
labels:
- "traefik.enable=true"
- "traefik.http.routers.baikal.entrypoints=websecure"
- "traefik.http.routers.baikal.rule=Host(`${BAIKAL_HOST}`)"
- "traefik.http.routers.baikal.tls=true"
- "traefik.http.routers.baikal.tls.certresolver=letsencrypt"
- "traefik.http.services.baikal.loadbalancer.server.port=80"
healthcheck:
test: ["CMD", "curl", "-f", "${BAIKAL_HC}"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped


@@ -1,78 +0,0 @@
services:
calibre_web:
image: crocodilestick/calibre-web-automated:dev
container_name: calibre-web-automated
env_file:
- path: .env
environment:
- PUID=33
- PGID=33
- TZ=UTC
- HARDCOVER_TOKEN=${HARD_API}
- NETWORK_SHARE_MODE=true
- CWA_PORT_OVERRIDE=8083
- DOCKER_MODS=lscr.io/linuxserver/mods:universal-calibre-v8.7.0
volumes:
- ./data/calibre-web/data:/config
- ./data/calibre-web/meta:/calibre-library
- /mnt/athena/books/library:/calibre-library/athena
- ./data/calibre-web/ingest:/cwa-book-ingest
- ./data/calibre-web/plugins:/config/.config/calibre/plugins
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.cwa.rule=Host(`${CALIBRE_WEB_HOST}`)"
- "traefik.http.routers.cwa.entrypoints=websecure"
- "traefik.http.services.cwa.loadbalancer.server.port=8083"
- "traefik.http.routers.cwa.tls=true"
- "traefik.http.routers.cwa.tls.certresolver=letsencrypt"
networks:
- external
healthcheck:
test: ["CMD", "curl", "-f", "${CALIBRE_WEB_HC}"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped
calibre_web_downloader:
image: ghcr.io/calibrain/calibre-web-automated-book-downloader:latest
container_name: calibre-web-automated-book-downloader
env_file:
- path: .env
environment:
FLASK_PORT: 8084
FLASK_DEBUG: false
LOG_LEVEL: info
BOOK_LANGUAGE: en
USE_BOOK_TITLE: true
TZ: UTC
APP_ENV: prod
UID: 33
GID: 33
CWA_DB_PATH: /auth/app.db
INGEST_DIR: /cwa-book-ingest
MAX_CONCURRENT_DOWNLOADS: 3
DOWNLOAD_PROGRESS_UPDATE_INTERVAL: 5
AA_DONATOR_KEY: ${AA_KEY}
USE_CF_BYPASS: false
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.cwabd.rule=Host(`${CALIBRE_WEB_D_HOST}`)"
- "traefik.http.routers.cwabd.entrypoints=websecure"
- "traefik.http.services.cwabd.loadbalancer.server.port=8084"
- "traefik.http.routers.cwabd.tls=true"
- "traefik.http.routers.cwabd.tls.certresolver=letsencrypt"
volumes:
- ./data/calibre-web/ingest:/cwa-book-ingest
- ./data/calibre-web/data/app.db:/auth/app.db:ro
networks:
- external
restart: unless-stopped
flaresolverr:
image: ghcr.io/flaresolverr/flaresolverr:latest
networks:
- external


@@ -1,20 +0,0 @@
include:
- traefik.yml
- baikal.yml
- vaultwarden.yml
- immich.yml
- obsidian_db.yml
- calibre_web.yml
- gitea.yml
networks:
external:
name: external
internal:
name: internal
volumes:
model-cache:
vaultwarden-rclone-data:
external: true
name: vaultwarden-rclone-data


@@ -1,4 +0,0 @@
http:
serversTransports:
ignorecert:
insecureSkipVerify: true


@@ -1,109 +0,0 @@
services:
gitea_postgres:
image: ${GITEA_POSTGRES_IMAGE_TAG}
container_name: gitea_postgres
volumes:
- ${GITEA_VOLUME_LOCATION}/postgres:/var/lib/postgresql
env_file:
- .env
environment:
POSTGRES_DB: ${GITEA_DB_NAME}
POSTGRES_USER: ${GITEA_DB_USER}
POSTGRES_PASSWORD: ${GITEA_DB_PASSWORD}
networks:
- internal
healthcheck:
test: [ "CMD", "pg_isready", "-q", "-d", "${GITEA_DB_NAME}", "-U", "${GITEA_DB_USER}" ]
interval: 10s
timeout: 5s
retries: 3
start_period: 60s
restart: unless-stopped
gitea:
image: ${GITEA_IMAGE_TAG}
container_name: gitea
volumes:
- ${GITEA_VOLUME_LOCATION}/data:/${DATA_PATH}
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
environment:
GITEA_DATABASE_HOST: postgres
GITEA_DATABASE_NAME: ${GITEA_DB_NAME}
GITEA_DATABASE_USERNAME: ${GITEA_DB_USER}
GITEA_DATABASE_PASSWORD: ${GITEA_DB_PASSWORD}
GITEA_ADMIN_USER: ${GITEA_ADMIN_USERNAME}
GITEA_ADMIN_PASSWORD: ${GITEA_ADMIN_PASSWORD}
GITEA_ADMIN_EMAIL: ${GITEA_ADMIN_EMAIL}
GITEA_RUN_MODE: prod
GITEA_DOMAIN: ${GITEA_HOSTNAME}
GITEA_SSH_DOMAIN: ${GITEA_HOSTNAME}
GITEA_ROOT_URL: ${GITEA_URL}
GITEA_HTTP_PORT: 3000
GITEA_SSH_PORT: ${GITEA_SHELL_SSH_PORT}
GITEA_SSH_LISTEN_PORT: 22
networks:
- external
- internal
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:3000/"]
interval: 10s
timeout: 5s
retries: 3
start_period: 90s
labels:
- "traefik.enable=true"
- "traefik.http.routers.gitea.rule=Host(`${GITEA_HOSTNAME}`)"
- "traefik.http.routers.gitea.service=gitea"
- "traefik.http.routers.gitea.entrypoints=websecure"
- "traefik.http.services.gitea.loadbalancer.server.port=3000"
- "traefik.http.routers.gitea.tls=true"
- "traefik.http.routers.gitea.tls.certresolver=letsencrypt"
- "traefik.http.services.gitea.loadbalancer.passhostheader=true"
- "traefik.http.middlewares.gitea.compress=true"
- "traefik.http.routers.gitea.middlewares=gitea"
- "traefik.tcp.routers.gitea-ssh.rule=HostSNI(`*`)"
- "traefik.tcp.routers.gitea-ssh.service=gitea-ssh"
- "traefik.tcp.routers.gitea-ssh.entrypoints=ssh"
- "traefik.tcp.services.gitea-ssh.loadbalancer.server.port=22"
- "traefik.docker.network=external"
restart: unless-stopped
depends_on:
gitea_postgres:
condition: service_healthy
gitea_backups:
image: ${GITEA_POSTGRES_IMAGE_TAG}
container_name: gitea_backups
command: >-
sh -c 'sleep $BACKUP_INIT_SLEEP &&
while true; do
pg_dump -h postgres -p 5432 -d $GITEA_DB_NAME -U $GITEA_DB_USER | gzip > $POSTGRES_BACKUPS_PATH/$POSTGRES_BACKUP_NAME-$(date "+%Y-%m-%d_%H-%M").gz &&
tar -zcpf $DATA_BACKUPS_PATH/$DATA_BACKUP_NAME-$(date "+%Y-%m-%d_%H-%M").tar.gz $DATA_PATH &&
find $POSTGRES_BACKUPS_PATH -type f -mtime +$POSTGRES_BACKUP_PRUNE_DAYS | xargs rm -f &&
find $DATA_BACKUPS_PATH -type f -mtime +$DATA_BACKUP_PRUNE_DAYS | xargs rm -f;
sleep $BACKUP_INTERVAL; done'
volumes:
- ${GITEA_VOLUME_LOCATION}/postgres_backup:/var/lib/postgresql/data
- ${GITEA_VOLUME_LOCATION}/data:${DATA_PATH}
- ${GITEA_VOLUME_LOCATION}/data_backup:${DATA_BACKUPS_PATH}
- ${GITEA_VOLUME_LOCATION}/database_backup:${POSTGRES_BACKUPS_PATH}
environment:
GITEA_DB_NAME: ${GITEA_DB_NAME}
GITEA_DB_USER: ${GITEA_DB_USER}
PGPASSWORD: ${GITEA_DB_PASSWORD}
BACKUP_INIT_SLEEP: ${BACKUP_INIT_SLEEP}
BACKUP_INTERVAL: ${BACKUP_INTERVAL}
POSTGRES_BACKUP_PRUNE_DAYS: ${POSTGRES_BACKUP_PRUNE_DAYS}
DATA_BACKUP_PRUNE_DAYS: ${DATA_BACKUP_PRUNE_DAYS}
POSTGRES_BACKUPS_PATH: ${POSTGRES_BACKUPS_PATH}
DATA_BACKUPS_PATH: ${DATA_BACKUPS_PATH}
DATA_PATH: ${DATA_PATH}
POSTGRES_BACKUP_NAME: ${POSTGRES_BACKUP_NAME}
DATA_BACKUP_NAME: ${DATA_BACKUP_NAME}
networks:
- internal
restart: unless-stopped
depends_on:
gitea_postgres:
condition: service_healthy


@@ -1,68 +0,0 @@
services:
immich_server:
container_name: immich_server
image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
volumes:
- ${UPLOAD_LOCATION}:/data
- /etc/localtime:/etc/localtime:ro
env_file:
- path: .env
environment:
- REDIS_HOSTNAME=immich_redis
- DB_HOSTNAME=immich_database
networks:
- external
- internal
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.immich.rule=Host(`${IMMICH_HOST_DOMAIN}`)"
- "traefik.http.routers.immich.entrypoints=websecure"
- "traefik.http.services.immich.loadbalancer.server.port=2283"
- "traefik.http.routers.immich.tls=true"
- "traefik.http.routers.immich.tls.certresolver=letsencrypt"
depends_on:
- immich_redis
- immich_database
healthcheck:
test: ["CMD", "curl", "-f", "${IMMICH_HC}"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: always
immich_machine_learning:
container_name: immich-machine-learning
image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
volumes:
- model-cache:/cache
env_file:
- .env
networks:
- internal
restart: always
immich_redis:
container_name: immich_redis
image: docker.io/valkey/valkey:8-bookworm@sha256:fea8b3e67b15729d4bb70589eb03367bab9ad1ee89c876f54327fc7c6e618571
healthcheck:
test: redis-cli ping || exit 1
networks:
- internal
restart: always
immich_database:
container_name: immich_postgres
image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:41eacbe83eca995561fe43814fd4891e16e39632806253848efaf04d3c8a8b84
environment:
POSTGRES_PASSWORD: ${DB_PASSWORD}
POSTGRES_USER: ${DB_USERNAME}
POSTGRES_DB: ${DB_DATABASE_NAME}
POSTGRES_INITDB_ARGS: '--data-checksums'
volumes:
- ${DB_DATA_LOCATION}:/var/lib/postgresql/data
shm_size: 128mb
networks:
- internal
restart: always


@@ -1,36 +0,0 @@
services:
obsidian_db:
image: couchdb:latest
container_name: obsidian_db
env_file:
- path: .env
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik"
- "traefik.http.routers.couchdb.rule=Host(`${OBSIDIAN_DB_HOST}`)"
- "traefik.http.routers.couchdb.entrypoints=websecure"
- "traefik.http.services.couchdb.loadbalancer.server.port=5984"
- "traefik.http.routers.couchdb.tls=true"
- "traefik.http.routers.couchdb.tls.certresolver=letsencrypt"
- "traefik.http.routers.couchdb.middlewares=obsidiancors"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolallowmethods=GET,PUT,POST,HEAD,DELETE"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolallowheaders=accept,authorization,content-type,origin,referer"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolalloworiginlist=app://obsidian.md,capacitor://localhost,http://localhost"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolmaxage=3600"
- "traefik.http.middlewares.obsidiancors.headers.addvaryheader=true"
- "traefik.http.middlewares.obsidiancors.headers.accessControlAllowCredentials=true"
environment:
- COUCHDB_USER=${OBSIDIAN_DB_USER}
- COUCHDB_PASSWORD=${OBSIDIAN_DB_PASS}
volumes:
- ./data/couchdb/couchdb-data:/opt/couchdb/data
- ./data/couchdb/couchdb-etc:/opt/couchdb/etc/local.d
networks:
- external
healthcheck:
test: ["CMD", "curl", "-f", "${OBSIDIAN_DB_HC}"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: always


@@ -1,42 +0,0 @@
services:
traefik:
image: traefik:latest
container_name: traefik
env_file:
- path: .env
command:
- "--api.insecure=true"
- "--api.dashboard=true"
- "--api.debug=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
# Add SSH entrypoint
- "--entrypoints.ssh.address=:748"
- "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
- "--certificatesresolvers.letsencrypt.acme.email=${TRAEFIK_WEBMASTER}"
- "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
- "--accesslog.filepath=/data/access.log"
- "--accesslog.format=json"
- --providers.file.filename=/dynamic.yml
- --providers.file.watch=true
ports:
- "80:80"
- "443:443"
- "748:748" # Add SSH port mapping
- "8080:8080"
networks:
- external
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./letsencrypt:/letsencrypt
- ./data/traefik:/data
- ./dynamic.yml:/dynamic.yml:ro
- ./data/calibre/htpasswd.list:/htpasswd.list
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
- "traefik.http.routers.traefik-dashboard.service=api@internal"
- "traefik.http.routers.traefik-dashboard.tls=true"
restart: unless-stopped


@@ -1,52 +0,0 @@
services:
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
env_file:
- path: .env
environment:
- SIGNUPS_ALLOWED=false
- INVITES_ALLOWED=false
# - ADMIN_TOKEN=${VAULT_ADMIN_TOKEN}
- DOMAIN=https://${VAULT_HOST}
- LOG_LEVEL=warn
- LOG_FILE=/data/vaultwarden.log
- TZ=Europe/London
networks:
- external
volumes:
- ./data/vaultwarden:/data
labels:
- traefik.enable=true
- traefik.http.middlewares.redirect-https.redirectScheme.scheme=https
- traefik.http.middlewares.redirect-https.redirectScheme.permanent=true
- traefik.http.routers.vaultwarden-https.rule=Host(`${VAULT_HOST}`)
- traefik.http.routers.vaultwarden-https.entrypoints=websecure
- traefik.http.routers.vaultwarden-https.tls=true
- traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt
- traefik.http.routers.vaultwarden-https.service=vaultwarden
- traefik.http.routers.vaultwarden-http.rule=Host(`${VAULT_HOST}`)
- traefik.http.routers.vaultwarden-http.entrypoints=web
- traefik.http.routers.vaultwarden-http.middlewares=redirect-https
- traefik.http.routers.vaultwarden-http.service=vaultwarden
- traefik.http.services.vaultwarden.loadbalancer.server.port=80
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/8d7c299a-9594-4f5b-bc1f-9d916ef530e6"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped
vaultwarden_backup:
image: ttionya/vaultwarden-backup:latest
container_name: vaultwarden-backup
restart: always
environment:
RCLONE_REMOTE_DIR: '/system/backups/vaultwarden/'
PING_URL_WHEN_SUCCESS: 'https://hc-ping.com/c03ac1a9-076a-415b-a378-bca245118672'
labels:
- traefik.enable=false
volumes:
- ./data/vaultwarden:/bitwarden/data/
- vaultwarden-rclone-data:/config/

File diff suppressed because it is too large Load Diff


@@ -1,7 +0,0 @@
# ~/.bash_logout: executed by bash(1) when login shell exits.
# when leaving the console clear the screen to increase privacy
if [ "$SHLVL" = 1 ]; then
[ -x /usr/bin/clear_console ] && /usr/bin/clear_console -q
fi


@@ -1,114 +0,0 @@
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples
# If not running interactively, don't do anything
case $- in
*i*) ;;
*) return;;
esac
# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth
# append to the history file, don't overwrite it
shopt -s histappend
# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=1000
HISTFILESIZE=2000
# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize
# If set, the pattern "**" used in a pathname expansion context will
# match all files and zero or more directories and subdirectories.
#shopt -s globstar
# make less more friendly for non-text input files, see lesspipe(1)
#[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
debian_chroot=$(cat /etc/debian_chroot)
fi
# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
xterm-color|*-256color) color_prompt=yes;;
esac
# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes
if [ -n "$force_color_prompt" ]; then
if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
# We have color support; assume it's compliant with Ecma-48
# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
# a case would tend to support setf rather than setaf.)
color_prompt=yes
else
color_prompt=
fi
fi
color_prompt=yes
if [ "$color_prompt" = yes ]; then
PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt
# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
;;
*)
;;
esac
# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
alias ls='ls --color=auto'
#alias dir='dir --color=auto'
#alias vdir='vdir --color=auto'
#alias grep='grep --color=auto'
#alias fgrep='fgrep --color=auto'
#alias egrep='egrep --color=auto'
fi
# colored GCC warnings and errors
#export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'
# some more ls aliases
alias ll='ls -l'
#alias la='ls -A'
#alias l='ls -CF'
# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.
if [ -f ~/.bash_aliases ]; then
. ~/.bash_aliases
fi
# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
. /usr/local/bin/prompt.sh


@@ -1,3 +0,0 @@
#!/bin/bash
NETDEV=$(ip -o route get 8.8.8.8 | cut -f 5 -d " ")
sudo ethtool -K "${NETDEV}" rx-udp-gro-forwarding on rx-gro-list off


@@ -1 +0,0 @@
.less-history-file:


@@ -1,27 +0,0 @@
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.
# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022
# if running bash
if [ -n "$BASH_VERSION" ]; then
# include .bashrc if it exists
if [ -f "$HOME/.bashrc" ]; then
. "$HOME/.bashrc"
fi
fi
# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
PATH="$HOME/bin:$PATH"
fi
# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/.local/bin" ] ; then
PATH="$HOME/.local/bin:$PATH"
fi


@@ -1,2 +0,0 @@
# Generated by /usr/bin/select-editor
SELECTED_EDITOR="/bin/nano"


@@ -1,4 +0,0 @@
# HSTS 1.0 Known Hosts database for GNU Wget.
# Edit at your own risk.
# <hostname> <port> <incl. subdomains> <created> <max-age>
raw.githubusercontent.com 0 0 1763946027 31536000


@@ -1,76 +0,0 @@
# ---
# Baikal
# ---
BAIKAL_ADMIN_TOKEN="TTQH95LKDM9VQVZS"
BAIKAL_EMAIL="mail@do-bbs.com"
BAIKAL_HOST="dav.do-bbs.com"
BAIKAL_HC="https://hc-ping.com/d15fee2e-17ad-42bb-a573-591f45d3532b"
# ---
# Calibre Web
# ---
CALIBRE_WEB_HOST="cwa.do-bbs.com"
CALIBRE_WEB_D_HOST="cwabd.do-bbs.com"
CALIBRE_WEB_HC="https://hc-ping.com/313b09fb-f4c6-4fe8-b3d8-47929974c247"
HARD_API="eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJIYXJkY292ZXIiLCJ2ZXJzaW9uIjoiOCIsImp0aSI6ImEwZmZkNDk1LWM1ODMtNGEwMS1iYjBkLWYyNTNlMTEwMjU5ZSIsImFwcGxpY2F0aW9uSWQiOjIsInN1YiI6IjUxMDU5IiwiYXVkIjoiMSIsImlkIjoiNTEwNTkiLCJsb2dnZWRJbiI6dHJ1ZSwiaWF0IjoxNzYwOTIzOTM3LCJleHAiOjE3OTI0NTk5MzcsImh0dHBzOi8vaGFzdXJhLmlvL2p3dC9jbGFpbXMiOnsieC1oYXN1cmEtYWxsb3dlZC1yb2xlcyI6WyJ1c2VyIl0sIngtaGFzdXJhLWRlZmF1bHQtcm9sZSI6InVzZXIiLCJ4LWhhc3VyYS1yb2xlIjoidXNlciIsIlgtaGFzdXJhLXVzZXItaWQiOiI1MTA1OSJ9LCJ1c2VyIjp7ImlkIjo1MTA1OX19.26e1ZMA8p3ovr9d1wLJuZpXb72sTUXIjkEuoCrwPO90"
AA_KEY="5uWJKXVXJSpJhCvTo22XfVLVeMYEY#"
# ---
# Immich
# ---
IMMICH_HOST_DOMAIN=photos.do-bbs.com
UPLOAD_LOCATION=./data/immich/photos
DB_DATA_LOCATION=./data/immich/postgres
IMMICH_VERSION=release
DB_PASSWORD=poss8asdfhoNisdg97SDd!
DB_USERNAME=postgres
DB_DATABASE_NAME=immich
IMMICH_HC=https://hc-ping.com/583d761e-8899-4b15-be2c-d0a11f6c3f6a
# ---
# Traefik
# ---
TRAEFIK_WEBMASTER="webmaster@flatmail.me"
# ---
# Obsidian
# ---
OBSIDIAN_DB_HOST="obsidiandb.do-bbs.com"
OBSIDIAN_DB_HC="https://hc-ping.com/abbaa192-dadc-4241-b1a5-b2e4dbb50735"
OBSIDIAN_DB_USER=GelatoMadness
OBSIDIAN_DB_PASS=kangaroo-proof-breeze-tent-medal-oblige-require-good1
# ---
# Vaultwarden
# ---
VAULT_ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$OStJdThqUWRMbHUxSkVzM1pQbzAvMGk1bGxmK2wyRUJJM0t4K2xyNlI1TT0$KuXsTTUW0GJqOoaGWxP8W2u5AthQ5gmdjC/VzS5tDQI'
VAULT_HOST="vault.do-bbs.com"
# ---
# Gitea
# ---
DATA_PATH=/data
GITEA_VOLUME_LOCATION=./data/gitea
GITEA_HOSTNAME=gitea.do-bbs.com
GITEA_URL=https://gitea.do-bbs.com
GITEA_POSTGRES_IMAGE_TAG=postgres:latest
GITEA_IMAGE_TAG=gitea/gitea:latest
GITEA_DB_NAME=giteadb
GITEA_DB_USER=giteadbuser
GITEA_DB_PASSWORD=Dls8dnaPSmsgoA!
GITEA_ADMIN_USERNAME=giteaadmin
GITEA_ADMIN_PASSWORD=M8ajdl!lsmd3
GITEA_ADMIN_EMAIL=root@do-bbs.com
GITEA_SHELL_SSH_PORT=748
# Backup Variables
BACKUP_INIT_SLEEP=30m
BACKUP_INTERVAL=24h
POSTGRES_BACKUP_PRUNE_DAYS=7
DATA_BACKUP_PRUNE_DAYS=7
POSTGRES_BACKUPS_PATH=/srv/gitea-postgres/backups
DATA_BACKUPS_PATH=/srv/gitea-application-data/backups
POSTGRES_BACKUP_NAME=gitea-postgres-backup
DATA_BACKUP_NAME=gitea-application-data-backup
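Review bot: Deleting this env file from the tree does not retire the credentials it held: the values of `BAIKAL_ADMIN_TOKEN`, `HARD_API`, `AA_KEY`, `DB_PASSWORD`, `OBSIDIAN_DB_PASS`, `GITEA_DB_PASSWORD` and `GITEA_ADMIN_PASSWORD` stay readable in every earlier commit and in this diff. They should be treated as disclosed and rotated at each service; rewriting history is only a secondary clean-up and does not undo copies already fetched. The compose file removed in the next section has the same problem with its inline `ADMIN_TOKEN=` value for Vaultwarden. If the file is meant to stay out of the repository from here on, a tracked template with empty values (for example `.env.example`) documents the variable names without the secrets.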


@@ -1,320 +0,0 @@
services:
traefik:
image: traefik:v3.2
container_name: traefik
command:
- "--api.insecure=true"
- "--api.dashboard=true"
- "--api.debug=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
- "--certificatesresolvers.letsencrypt.acme.email=webmaster@do-bbs.com"
- "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
- "--accesslog.filepath=/data/access.log"
- "--accesslog.format=json"
- --providers.file.filename=/dynamic.yml
- --providers.file.watch=true
ports:
- "80:80"
- "443:443"
- "8080:8080"
networks:
- external
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./letsencrypt:/letsencrypt
- ./data/traefik:/data
- ./dynamic.yml:/dynamic.yml:ro
- ./data/calibre/htpasswd.list:/htpasswd.list
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
- "traefik.http.routers.traefik-dashboard.service=api@internal"
- "traefik.http.routers.traefik-dashboard.tls=true"
restart: unless-stopped
dav:
image: ckulka/baikal:nginx
container_name: baikal
environment:
MSMTPRC: |
defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
account default
host smtp.protonmail.ch
port 587
from mail@do-bbs.com
user mail@do-bbs.com
password ${BAIKAL_ADMIN_TOKEN}
networks:
- external
volumes:
- ./data/baikal/Specific:/var/www/baikal/Specific
- ./data/baikal/config:/var/www/baikal/config
- ./data/baikal/50-add-sharing-plugin.sh:/docker-entrypoint.d/50-add-sharing-plugin.sh
labels:
- "traefik.enable=true"
- "traefik.http.routers.baikal.entrypoints=websecure"
- "traefik.http.routers.baikal.rule=Host(`dav.do-bbs.com`)"
- "traefik.http.routers.baikal.tls=true"
- "traefik.http.routers.baikal.tls.certresolver=letsencrypt"
- "traefik.http.services.baikal.loadbalancer.server.port=80"
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/d15fee2e-17ad-42bb-a573-591f45d3532b"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
environment:
- SIGNUPS_ALLOWED=false
- INVITES_ALLOWED=false
# - ADMIN_TOKEN=${VAULT_ADMIN_TOKEN}
- ADMIN_TOKEN=IFdsg.ORGOTARON123nsl
- DOMAIN=https://vault.do-bbs.com
- LOG_LEVEL=warn
- LOG_FILE=/data/vaultwarden.log
- TZ=Europe/London
networks:
- external
volumes:
- ./data/vaultwarden:/data
labels:
- traefik.enable=true
- traefik.http.middlewares.redirect-https.redirectScheme.scheme=https
- traefik.http.middlewares.redirect-https.redirectScheme.permanent=true
- traefik.http.routers.vaultwarden-https.rule=Host(`vault.do-bbs.com`)
- traefik.http.routers.vaultwarden-https.entrypoints=websecure
- traefik.http.routers.vaultwarden-https.tls=true
- traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt
- traefik.http.routers.vaultwarden-https.service=vaultwarden
- traefik.http.routers.vaultwarden-http.rule=Host(`vault.do-bbs.com`)
- traefik.http.routers.vaultwarden-http.entrypoints=web
- traefik.http.routers.vaultwarden-http.middlewares=redirect-https
- traefik.http.routers.vaultwarden-http.service=vaultwarden
- traefik.http.services.vaultwarden.loadbalancer.server.port=80
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/8d7c299a-9594-4f5b-bc1f-9d916ef530e6"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped
vaultwarden_backup:
image: ttionya/vaultwarden-backup:latest
container_name: vaultwarden-backup
restart: always
environment:
RCLONE_REMOTE_DIR: '/system/backups/vaultwarden/'
PING_URL_WHEN_SUCCESS: 'https://hc-ping.com/c03ac1a9-076a-415b-a378-bca245118672'
labels:
- traefik.enable=false
volumes:
- ./data/vaultwarden:/bitwarden/data/
- vaultwarden-rclone-data:/config/
immich_server:
container_name: immich_server
image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
volumes:
- ${UPLOAD_LOCATION}:/data
- /etc/localtime:/etc/localtime:ro
env_file:
.env
environment:
- REDIS_HOSTNAME=immich_redis
- DB_HOSTNAME=immich_database
networks:
- external
- internal
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.immich.rule=Host(`photos.do-bbs.com`)"
- "traefik.http.routers.immich.entrypoints=websecure"
- "traefik.http.services.immich.loadbalancer.server.port=2283"
- "traefik.http.routers.immich.tls=true"
- "traefik.http.routers.immich.tls.certresolver=letsencrypt"
depends_on:
- immich_redis
- immich_database
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/583d761e-8899-4b15-be2c-d0a11f6c3f6a"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: always
immich_machine_learning:
container_name: immich-machine-learning
image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
volumes:
- model-cache:/cache
env_file:
- .env
networks:
- internal
restart: always
immich_redis:
container_name: immich_redis
image: docker.io/valkey/valkey:8-bookworm@sha256:fea8b3e67b15729d4bb70589eb03367bab9ad1ee89c876f54327fc7c6e618571
healthcheck:
test: redis-cli ping || exit 1
networks:
- internal
restart: always
immich_database:
container_name: immich_postgres
image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:41eacbe83eca995561fe43814fd4891e16e39632806253848efaf04d3c8a8b84
environment:
POSTGRES_PASSWORD: ${DB_PASSWORD}
POSTGRES_USER: ${DB_USERNAME}
POSTGRES_DB: ${DB_DATABASE_NAME}
POSTGRES_INITDB_ARGS: '--data-checksums'
volumes:
- ${DB_DATA_LOCATION}:/var/lib/postgresql/data
shm_size: 128mb
networks:
- internal
restart: always
obsidian_db:
image: couchdb:latest
container_name: couchdb-ols
env_file:
.env
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik"
- "traefik.http.routers.couchdb.rule=Host(`couchdb.do-bbs.com`)"
- "traefik.http.routers.couchdb.entrypoints=websecure"
- "traefik.http.services.couchdb.loadbalancer.server.port=5984"
- "traefik.http.routers.couchdb.tls=true"
- "traefik.http.routers.couchdb.tls.certresolver=letsencrypt"
- "traefik.http.routers.couchdb.middlewares=obsidiancors"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolallowmethods=GET,PUT,POST,HEAD,DELETE"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolallowheaders=accept,authorization,content-type,origin,referer"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolalloworiginlist=app://obsidian.md,capacitor://localhost,http://localhost"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolmaxage=3600"
- "traefik.http.middlewares.obsidiancors.headers.addvaryheader=true"
- "traefik.http.middlewares.obsidiancors.headers.accessControlAllowCredentials=true"
environment:
- COUCHDB_USER=${COUCHDB_USER}
- COUCHDB_PASSWORD=${COUCHDB_PASSWORD}
volumes:
- ./data/couchdb/couchdb-data:/opt/couchdb/data
- ./data/couchdb/couchdb-etc:/opt/couchdb/etc/local.d
networks:
- external
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/abbaa192-dadc-4241-b1a5-b2e4dbb50735"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: always
calibre_web:
image: crocodilestick/calibre-web-automated:dev
container_name: calibre-web-automated
env_file:
- .env
environment:
- PUID=33
- PGID=33
- TZ=UTC
- HARDCOVER_TOKEN=${HARD_API}
- NETWORK_SHARE_MODE=true
- CWA_PORT_OVERRIDE=8083
- DOCKER_MODS=lscr.io/linuxserver/mods:universal-calibre-v8.7.0
volumes:
- ./data/calibre-web/data:/config
- ./data/calibre-web/meta:/calibre-library
- /mnt/athena/books/library:/calibre-library/athena
- ./data/calibre-web/ingest:/cwa-book-ingest
- ./data/calibre-web/plugins:/config/.config/calibre/plugins
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.cwa.rule=Host(`cwa.do-bbs.com`)"
- "traefik.http.routers.cwa.entrypoints=websecure"
- "traefik.http.services.cwa.loadbalancer.server.port=8083"
- "traefik.http.routers.cwa.tls=true"
- "traefik.http.routers.cwa.tls.certresolver=letsencrypt"
networks:
- external
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/313b09fb-f4c6-4fe8-b3d8-47929974c247"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped
calibre_web_downloader:
image: ghcr.io/calibrain/calibre-web-automated-book-downloader:latest
container_name: calibre-web-automated-book-downloader
env_file:
.env
environment:
FLASK_PORT: 8084
FLASK_DEBUG: false
LOG_LEVEL: info
BOOK_LANGUAGE: en
USE_BOOK_TITLE: true
TZ: UTC
APP_ENV: prod
UID: 33
GID: 33
CWA_DB_PATH: /auth/app.db
INGEST_DIR: /cwa-book-ingest
MAX_CONCURRENT_DOWNLOADS: 3
DOWNLOAD_PROGRESS_UPDATE_INTERVAL: 5
AA_DONATOR_KEY: ${AA_KEY}
USE_CF_BYPASS: false
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.cwabd.rule=Host(`cwabd.do-bbs.com`)"
- "traefik.http.routers.cwabd.entrypoints=websecure"
- "traefik.http.services.cwabd.loadbalancer.server.port=8084"
- "traefik.http.routers.cwabd.tls=true"
- "traefik.http.routers.cwabd.tls.certresolver=letsencrypt"
volumes:
- ./data/calibre-web/ingest:/cwa-book-ingest
- ./data/calibre-web/data/app.db:/auth/app.db:ro
networks:
- external
- internal
restart: unless-stopped
flaresolverr:
image: ghcr.io/flaresolverr/flaresolverr:latest
networks:
- internal
volumes:
model-cache:
vaultwarden-rclone-data:
external: true
name: vaultwarden-rclone-data
networks:
external:
name: external
internal:
name: internal


@@ -1,45 +0,0 @@
services:
dav:
image: ckulka/baikal:nginx
container_name: baikal
env_file:
- path: .env
environment:
MSMTPRC: |
defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
account default
host smtp.protonmail.ch
port 587
from ${BAIKAL_EMAIL}
user ${BAIKAL_EMAIL}
password ${BAIKAL_ADMIN_TOKEN}
HTTPS: "on"
SERVER_PORT: "443"
networks:
- external
volumes:
- ./data/baikal/Specific:/var/www/baikal/Specific
- ./data/baikal/config:/var/www/baikal/config
- ./data/baikal/50-add-sharing-plugin.sh:/docker-entrypoint.d/50-add-sharing-plugin.sh
security_opt:
- no-new-privileges:true
labels:
- "traefik.enable=true"
- "traefik.http.routers.baikal-http.entrypoints=web"
- "traefik.http.routers.baikal-http.rule=Host(`${BAIKAL_HOST}`)"
- "traefik.http.routers.baikal-http.service=baikal"
- "traefik.http.routers.baikal-https.entrypoints=websecure"
- "traefik.http.routers.baikal-https.rule=Host(`${BAIKAL_HOST}`)"
- "traefik.http.services.baikal.loadbalancer.server.port=80"
- "traefik.http.middlewares.baikal-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
- "traefik.http.routers.baikal-https.middlewares=baikal-headers"
healthcheck:
test: ["CMD", "curl", "-f", "${BAIKAL_HC}"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped


@@ -1,83 +0,0 @@
services:
calibre_web:
image: crocodilestick/calibre-web-automated:dev
container_name: calibre-web-automated
env_file:
- path: .env
environment:
- PUID=33
- PGID=33
- TZ=UTC
- HARDCOVER_TOKEN=${HARD_API}
- NETWORK_SHARE_MODE=true
- CWA_PORT_OVERRIDE=8083
- DOCKER_MODS=lscr.io/linuxserver/mods:universal-calibre-v8.7.0
volumes:
- ./data/calibre-web/data:/config
- ./data/calibre-web/meta:/calibre-library
- /mnt/athena/books/library:/calibre-library/athena
- ./data/calibre-web/ingest:/cwa-book-ingest
- ./data/calibre-web/plugins:/config/.config/calibre/plugins
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.cwa.rule=Host(`${CALIBRE_WEB_HOST}`)" # Fixed missing (
- "traefik.http.routers.cwa.entrypoints=websecure"
- "traefik.http.services.cwa.loadbalancer.server.port=8083"
networks:
- external
security_opt:
- no-new-privileges:true
healthcheck:
test: ["CMD", "curl", "-f", "${CALIBRE_WEB_HC}"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped
calibre_web_downloader:
image: ghcr.io/calibrain/calibre-web-automated-book-downloader:latest
container_name: calibre-web-automated-book-downloader
env_file:
- path: .env
environment:
FLASK_PORT: 8084
FLASK_DEBUG: false
LOG_LEVEL: info
BOOK_LANGUAGE: en
USE_BOOK_TITLE: true
TZ: UTC
APP_ENV: prod
UID: 33
GID: 33
CWA_DB_PATH: /auth/app.db
INGEST_DIR: /cwa-book-ingest
MAX_CONCURRENT_DOWNLOADS: 3
DOWNLOAD_PROGRESS_UPDATE_INTERVAL: 5
AA_DONATOR_KEY: ${AA_KEY}
USE_CF_BYPASS: false
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.cwabd.rule=Host(`${CALIBRE_WEB_D_HOST}`)" # Fixed missing (
- "traefik.http.routers.cwabd.entrypoints=websecure"
- "traefik.http.services.cwabd.loadbalancer.server.port=8084"
# Removed tls and certresolver lines
volumes:
- ./data/calibre-web/ingest:/cwa-book-ingest
- ./data/calibre-web/data/app.db:/auth/app.db:ro
networks:
- external
security_opt:
- no-new-privileges:true
restart: unless-stopped
flaresolverr:
image: ghcr.io/flaresolverr/flaresolverr:latest
container_name: flaresolverr
networks:
- external
security_opt:
- no-new-privileges:true
restart: unless-stopped


@@ -1,20 +0,0 @@
include:
- traefik.yml
- baikal.yml
- vaultwarden.yml
- immich.yml
- obsidian_db.yml
- calibre_web.yml
- gitea.yml
networks:
external:
name: external
internal:
name: internal
volumes:
model-cache:
vaultwarden-rclone-data:
external: true
name: vaultwarden-rclone-data


@@ -1,4 +0,0 @@
http:
serversTransports:
ignorecert:
insecureSkipVerify: true


@@ -1,114 +0,0 @@
services:
gitea_postgres:
image: ${GITEA_POSTGRES_IMAGE_TAG}
container_name: gitea_postgres
volumes:
- ${GITEA_VOLUME_LOCATION}/postgres:/var/lib/postgresql
env_file:
- .env
environment:
POSTGRES_DB: ${GITEA_DB_NAME}
POSTGRES_USER: ${GITEA_DB_USER}
POSTGRES_PASSWORD: ${GITEA_DB_PASSWORD}
networks:
- internal
security_opt:
- no-new-privileges:true
healthcheck:
test: [ "CMD", "pg_isready", "-q", "-d", "${GITEA_DB_NAME}", "-U", "${GITEA_DB_USER}" ]
interval: 10s
timeout: 5s
retries: 3
start_period: 60s
restart: unless-stopped
gitea:
image: ${GITEA_IMAGE_TAG}
container_name: gitea
volumes:
- ${GITEA_VOLUME_LOCATION}/data:/${DATA_PATH}
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
environment:
GITEA_DATABASE_HOST: postgres
GITEA_DATABASE_NAME: ${GITEA_DB_NAME}
GITEA_DATABASE_USERNAME: ${GITEA_DB_USER}
GITEA_DATABASE_PASSWORD: ${GITEA_DB_PASSWORD}
GITEA_ADMIN_USER: ${GITEA_ADMIN_USERNAME}
GITEA_ADMIN_PASSWORD: ${GITEA_ADMIN_PASSWORD}
GITEA_ADMIN_EMAIL: ${GITEA_ADMIN_EMAIL}
GITEA_RUN_MODE: prod
GITEA_DOMAIN: ${GITEA_HOSTNAME}
GITEA_SSH_DOMAIN: ${GITEA_HOSTNAME}
GITEA_ROOT_URL: ${GITEA_URL}
GITEA_HTTP_PORT: 3000
GITEA_SSH_PORT: ${GITEA_SHELL_SSH_PORT}
GITEA_SSH_LISTEN_PORT: 22
networks:
- external
- internal
ports:
- "127.0.0.1:2222:22"
security_opt:
- no-new-privileges:true
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:3000/"]
interval: 10s
timeout: 5s
retries: 3
start_period: 90s
labels:
- "traefik.enable=true"
- "traefik.http.routers.gitea.rule=Host(`${GITEA_HOSTNAME}`)"
- "traefik.http.routers.gitea.service=gitea"
- "traefik.http.routers.gitea.entrypoints=websecure"
- "traefik.http.services.gitea.loadbalancer.server.port=3000"
- "traefik.http.services.gitea.loadbalancer.passhostheader=true"
- "traefik.http.middlewares.gitea.compress=true"
- "traefik.http.routers.gitea.middlewares=gitea"
- "traefik.docker.network=external"
- "traefik.tcp.routers.gitea-ssh.rule=HostSNI(`*`)"
- "traefik.tcp.routers.gitea-ssh.service=gitea-ssh"
- "traefik.tcp.routers.gitea-ssh.entrypoints=ssh"
- "traefik.tcp.services.gitea-ssh.loadbalancer.server.port=22"
depends_on:
gitea_postgres:
condition: service_healthy
gitea_backups:
image: ${GITEA_POSTGRES_IMAGE_TAG}
container_name: gitea_backups
command: >-
sh -c 'sleep $BACKUP_INIT_SLEEP &&
while true; do
pg_dump -h postgres -p 5432 -d $GITEA_DB_NAME -U $GITEA_DB_USER | gzip > $POSTGRES_BACKUPS_PATH/$POSTGRES_BACKUP_NAME-$(date "+%Y-%m-%d_%H-%M").gz &&
tar -zcpf $DATA_BACKUPS_PATH/$DATA_BACKUP_NAME-$(date "+%Y-%m-%d_%H-%M").tar.gz $DATA_PATH &&
find $POSTGRES_BACKUPS_PATH -type f -mtime +$POSTGRES_BACKUP_PRUNE_DAYS | xargs rm -f &&
find $DATA_BACKUPS_PATH -type f -mtime +$DATA_BACKUP_PRUNE_DAYS | xargs rm -f;
sleep $BACKUP_INTERVAL; done'
volumes:
- ${GITEA_VOLUME_LOCATION}/postgres_backup:/var/lib/postgresql/data
- ${GITEA_VOLUME_LOCATION}/data:${DATA_PATH}
- ${GITEA_VOLUME_LOCATION}/data_backup:${DATA_BACKUPS_PATH}
- ${GITEA_VOLUME_LOCATION}/database_backup:${POSTGRES_BACKUPS_PATH}
environment:
GITEA_DB_NAME: ${GITEA_DB_NAME}
GITEA_DB_USER: ${GITEA_DB_USER}
PGPASSWORD: ${GITEA_DB_PASSWORD}
BACKUP_INIT_SLEEP: ${BACKUP_INIT_SLEEP}
BACKUP_INTERVAL: ${BACKUP_INTERVAL}
POSTGRES_BACKUP_PRUNE_DAYS: ${POSTGRES_BACKUP_PRUNE_DAYS}
DATA_BACKUP_PRUNE_DAYS: ${DATA_BACKUP_PRUNE_DAYS}
POSTGRES_BACKUPS_PATH: ${POSTGRES_BACKUPS_PATH}
DATA_BACKUPS_PATH: ${DATA_BACKUPS_PATH}
DATA_PATH: ${DATA_PATH}
POSTGRES_BACKUP_NAME: ${POSTGRES_BACKUP_NAME}
DATA_BACKUP_NAME: ${DATA_BACKUP_NAME}
networks:
- internal
security_opt:
- no-new-privileges:true
restart: unless-stopped
depends_on:
gitea_postgres:
condition: service_healthy


@@ -1,74 +0,0 @@
services:
immich_server:
container_name: immich_server
image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
volumes:
- ${UPLOAD_LOCATION}:/data
- /etc/localtime:/etc/localtime:ro
env_file:
- path: .env
environment:
- REDIS_HOSTNAME=immich_redis
- DB_HOSTNAME=immich_database
networks:
- external
- internal
security_opt:
- no-new-privileges:true
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.immich.rule=Host(`${IMMICH_HOST_DOMAIN}`)"
- "traefik.http.routers.immich.entrypoints=websecure"
- "traefik.http.services.immich.loadbalancer.server.port=2283"
depends_on:
- immich_redis
- immich_database
healthcheck:
test: ["CMD", "curl", "-f", "${IMMICH_HC}"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: always
immich_machine_learning:
container_name: immich-machine-learning
image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
volumes:
- model-cache:/cache
env_file:
- .env
networks:
- internal
security_opt:
- no-new-privileges:true
restart: always
immich_redis:
container_name: immich_redis
image: docker.io/valkey/valkey:8-bookworm@sha256:fea8b3e67b15729d4bb70589eb03367bab9ad1ee89c876f54327fc7c6e618571
healthcheck:
test: redis-cli ping || exit 1
networks:
- internal
security_opt:
- no-new-privileges:true
restart: always
immich_database:
container_name: immich_postgres
image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:41eacbe83eca995561fe43814fd4891e16e39632806253848efaf04d3c8a8b84
environment:
POSTGRES_PASSWORD: ${DB_PASSWORD}
POSTGRES_USER: ${DB_USERNAME}
POSTGRES_DB: ${DB_DATABASE_NAME}
POSTGRES_INITDB_ARGS: '--data-checksums'
volumes:
- ${DB_DATA_LOCATION}:/var/lib/postgresql/data
shm_size: 128mb
networks:
- internal
security_opt:
- no-new-privileges:true
restart: always


@@ -1,36 +0,0 @@
services:
obsidian_db:
image: couchdb:latest
container_name: obsidian_db
env_file:
- path: .env
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.couchdb.rule=Host(`${OBSIDIAN_DB_HOST}`)"
- "traefik.http.routers.couchdb.entrypoints=websecure"
- "traefik.http.services.couchdb.loadbalancer.server.port=5984"
- "traefik.http.routers.couchdb.middlewares=obsidiancors"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolallowmethods=GET,PUT,POST,HEAD,DELETE"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolallowheaders=accept,authorization,content-type,origin,referer"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolalloworiginlist=app://obsidian.md,capacitor://localhost,http://localhost"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolmaxage=3600"
- "traefik.http.middlewares.obsidiancors.headers.addvaryheader=true"
- "traefik.http.middlewares.obsidiancors.headers.accessControlAllowCredentials=true"
environment:
- COUCHDB_USER=${OBSIDIAN_DB_USER}
- COUCHDB_PASSWORD=${OBSIDIAN_DB_PASS}
volumes:
- ./data/couchdb/couchdb-data:/opt/couchdb/data
- ./data/couchdb/couchdb-etc:/opt/couchdb/etc/local.d
networks:
- external
security_opt:
- no-new-privileges:true
healthcheck:
test: ["CMD", "curl", "-f", "${OBSIDIAN_DB_HC}"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: always


@@ -1,25 +0,0 @@
# traefik.yml on home server
services:
traefik:
image: traefik:latest
container_name: traefik
command:
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--entrypoints.ssh.address=:748" # ADD THIS LINE
- "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
- "--certificatesresolvers.letsencrypt.acme.email=${TRAEFIK_WEBMASTER}"
- "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
ports:
- "0.0.0.0:80:80" # Listen on ALL interfaces (including wg0)
- "0.0.0.0:443:443" # Listen on ALL interfaces
- "127.0.0.1:8080:8080" # Dashboard stays local only
- "0.0.0.0:748:748" # Explicit binding
networks:
- external
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./letsencrypt:/letsencrypt
restart: unless-stopped


@@ -1,51 +0,0 @@
services:
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
env_file:
- path: .env
environment:
- SIGNUPS_ALLOWED=false
- INVITES_ALLOWED=false
- DOMAIN=https://${VAULT_HOST}
- LOG_LEVEL=warn
- LOG_FILE=/data/vaultwarden.log
- TZ=Europe/London
networks:
- external
volumes:
- ./data/vaultwarden:/data
security_opt:
- no-new-privileges:true
labels:
- traefik.enable=true
- traefik.http.middlewares.redirect-https.redirectScheme.scheme=https
- traefik.http.middlewares.redirect-https.redirectScheme.permanent=true
- traefik.http.routers.vaultwarden-https.rule=Host(`${VAULT_HOST}`)
- traefik.http.routers.vaultwarden-https.entrypoints=websecure
- traefik.http.routers.vaultwarden-https.service=vaultwarden
- traefik.http.routers.vaultwarden-http.rule=Host(`${VAULT_HOST}`)
- traefik.http.routers.vaultwarden-http.entrypoints=web
- traefik.http.routers.vaultwarden-http.middlewares=redirect-https
- traefik.http.routers.vaultwarden-http.service=vaultwarden
- traefik.http.services.vaultwarden.loadbalancer.server.port=80
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/8d7c299a-9594-4f5b-bc1f-9d916ef530e6"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped
vaultwarden_backup:
image: ttionya/vaultwarden-backup:latest
container_name: vaultwarden-backup
restart: always
environment:
RCLONE_REMOTE_DIR: '/system/backups/vaultwarden/'
PING_URL_WHEN_SUCCESS: 'https://hc-ping.com/c03ac1a9-076a-415b-a378-bca245118672'
labels:
- traefik.enable=false
volumes:
- ./data/vaultwarden:/bitwarden/data/
- vaultwarden-rclone-data:/config/


@@ -1,2 +0,0 @@
#!/bin/bash
echo 0 >> /sys/class/backlight/intel_backlight/brightness


@@ -1,203 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
# shellcheck disable=1091
. /usr/local/share/dao/config/dao.conf
readonly LOG_PREFIX="[dao_am.service]"
readonly MAX_RETRIES=90
readonly RETRY_DELAY=2
# Configuration
declare -A RCLONE_MOUNTS=(
["koofr"]="${DAO_STORAGE_DIR}/koofr:false"
["koofr_vault"]="${DAO_STORAGE_DIR}/vault:true"
)
declare -A SSHFS_MOUNTS=(
["hephaestus"]="/home/oc/dao:/home/jamie/dao/servers/hephaestus"
["pan_lms"]="/home/tc:/home/jamie/dao/servers/pan"
)
# Options
readonly BASE_RCLONE_OPTS=(
--vfs-cache-mode writes
--cache-dir /tmp/rclone-cache
--dir-cache-time 5m
--poll-interval 1m
--timeout 1h
--low-level-retries 10
--retries 3
--vfs-cache-max-size 10G
--vfs-cache-max-age 24h
--buffer-size 256M
--transfers 8
--checkers 8
--allow-non-empty
--allow-other
--umask 000
)
readonly CRYPT_RCLONE_OPTS=(
--buffer-size 256M
--transfers 8
--vfs-read-ahead 256M
--vfs-read-chunk-size 128M
--vfs-read-chunk-size-limit 2G
)
readonly SSHFS_OPTS=(
-o allow_other
-o reconnect
-o ServerAliveInterval=30
-o ServerAliveCountMax=3
)
# Track mount attempts and failures
declare -A RCLONE_ATTEMPTS
declare -A SSHFS_ATTEMPTS
log() {
echo "${LOG_PREFIX} $*" >&2
}
is_mounted() {
local mount_point="$1"
grep -q " ${mount_point} " /proc/mounts
}
mount_rclone() {
local remote="$1" mount_point="$2" is_crypt="$3"
if is_mounted "$mount_point"; then
log "rclone $remote already mounted at $mount_point"
return 0
fi
local opts=("${BASE_RCLONE_OPTS[@]}")
[[ "$is_crypt" == "true" ]] && opts+=("${CRYPT_RCLONE_OPTS[@]}")
log "Mounting rclone: $remote -> $mount_point (attempt $((RCLONE_ATTEMPTS[$remote] + 1)))"
/usr/bin/rclone mount "$remote:" "$mount_point" "${opts[@]}" &
# Give it a moment to attempt the mount
sleep 2
if is_mounted "$mount_point"; then
log "Successfully mounted rclone: $remote"
return 0
else
log "Failed to mount rclone: $remote"
return 1
fi
}
mount_sshfs() {
local remote="$1" mount_point="$2"
if is_mounted "$mount_point"; then
log "sshfs $remote already mounted at $mount_point"
return 0
fi
log "Mounting sshfs: $remote -> $mount_point (attempt $((SSHFS_ATTEMPTS[$remote] + 1)))"
if /usr/bin/sshfs "$remote" "$mount_point" "${SSHFS_OPTS[@]}" 2>/dev/null; then
log "Successfully mounted sshfs: $remote"
return 0
else
log "Failed to mount sshfs: $remote"
return 1
fi
}
ensure_mounts() {
local failed_rclone=()
local failed_sshfs=()
# First pass: attempt all mounts
log "First pass: attempting all mounts"
# Handle rclone mounts
for remote in "${!RCLONE_MOUNTS[@]}"; do
IFS=':' read -r mount_point is_crypt <<<"${RCLONE_MOUNTS[$remote]}"
RCLONE_ATTEMPTS[$remote]=0
if ! mount_rclone "$remote" "$mount_point" "$is_crypt"; then
failed_rclone+=("$remote")
fi
done
# Handle sshfs mounts
for remote in "${!SSHFS_MOUNTS[@]}"; do
IFS=':' read -r remote_path mount_point <<<"${SSHFS_MOUNTS[$remote]}"
SSHFS_ATTEMPTS[$remote]=0
if ! mount_sshfs "${remote}:${remote_path}" "$mount_point"; then
failed_sshfs+=("$remote")
fi
done
# Retry failed mounts
while [[ ${#failed_rclone[@]} -gt 0 || ${#failed_sshfs[@]} -gt 0 ]]; do
log "Retrying failed mounts in ${RETRY_DELAY} seconds..."
sleep "$RETRY_DELAY"
# Clear failed arrays for this round
local current_failed_rclone=()
local current_failed_sshfs=()
# Retry rclone mounts
for remote in "${failed_rclone[@]}"; do
IFS=':' read -r mount_point is_crypt <<<"${RCLONE_MOUNTS[$remote]}"
RCLONE_ATTEMPTS[$remote]=$((RCLONE_ATTEMPTS[$remote] + 1))
if [[ ${RCLONE_ATTEMPTS[$remote]} -ge $MAX_RETRIES ]]; then
log "rclone $remote: reached max retries ($MAX_RETRIES), giving up"
continue
fi
if mount_rclone "$remote" "$mount_point" "$is_crypt"; then
log "rclone $remote: mount successful on retry"
else
current_failed_rclone+=("$remote")
fi
done
# Retry sshfs mounts
for remote in "${failed_sshfs[@]}"; do
IFS=':' read -r remote_path mount_point <<<"${SSHFS_MOUNTS[$remote]}"
SSHFS_ATTEMPTS[$remote]=$((SSHFS_ATTEMPTS[$remote] + 1))
if [[ ${SSHFS_ATTEMPTS[$remote]} -ge $MAX_RETRIES ]]; then
log "sshfs $remote: reached max retries ($MAX_RETRIES), giving up"
continue
fi
if mount_sshfs "${remote}:${remote_path}" "$mount_point"; then
log "sshfs $remote: mount successful on retry"
else
current_failed_sshfs+=("$remote")
fi
done
# Update failed arrays for next iteration
failed_rclone=("${current_failed_rclone[@]}")
failed_sshfs=("${current_failed_sshfs[@]}")
# If both arrays are empty, we're done
if [[ ${#failed_rclone[@]} -eq 0 && ${#failed_sshfs[@]} -eq 0 ]]; then
log "All mounts successful"
break
fi
done
}
main() {
log "Starting mount daemon"
ensure_mounts
log "Mount operations completed, sleeping"
while true; do
sleep 3600 # Sleep for an hour, then check again if needed
done
}
main "$@"


@@ -1,19 +0,0 @@
#!/bin/bash
# Check if WireGuard tunnel is up, restart if down
PING=/bin/ping
SERVICE=/usr/bin/systemctl
tries=0
while [[ $tries -lt 3 ]]
do
if $PING -c 1 10.10.10.1 &> /dev/null
then
exit 0
fi
tries=$((tries+1))
sleep 2
done
# Failed 3 times, restart
$SERVICE restart wg-quick@wg0


@@ -1,40 +0,0 @@
#!/bin/bash
set -e
# Validate number of arguments
if [ "$#" -ne 3 ]; then
echo "Usage: $0 <job-name> <command> <frequency>"
exit 1
fi
JOB_NAME=$1
COMMAND=$2
FREQUENCY=$3
LOG_DIR="$HOME/.logs"
LOG_FILE="$LOG_DIR/$JOB_NAME.log"
# Ensure crontab for current user
if ! crontab -l &>/dev/null; then
echo "# Empty crontab created on $(date)" > /tmp/crontab$$
crontab /tmp/crontab$$
rm -f /tmp/crontab$$
echo "Crontab created"
fi
# Ensure log directory exists
mkdir -p "$LOG_DIR"
# Build entry
ENTRY="$FREQUENCY CRON=1 $COMMAND >> $LOG_FILE 2>&1 # $JOB_NAME"
# Check if there's an existing job with the same name
if crontab -l 2>/dev/null | grep -q "# $JOB_NAME$"; then
# Job exists, update it
(crontab -l 2>/dev/null | grep -v "# $JOB_NAME$"; echo "$ENTRY") | crontab -
echo "Updated cron job: $JOB_NAME"
else
# No job found, adding it
(crontab -l 2>/dev/null; echo $ENTRY) | crontab -
echo "Added new cron job: $JOB_NAME"
fi


@@ -1,46 +0,0 @@
#!/usr/bin/env bash
CUSTOM_LOCK="/tmp/update_script.lock"
if [ -n "$CRON" ] && ! sudo -n true 2>/dev/null; then
echo "This script requires passwordless sudo to run while in cron context."
exit 1
fi
cleanup() {
flock -u "$LOCK_FD"
exec {LOCK_FD}>&-
sudo rm -f "$CUSTOM_LOCK"
}
wait_for_locks() {
local LOCK
for LOCK in /var/lib/dpkg/lock-frontend /var/lib/apt/lists/lock /var/cache/apt/archives/lock; do
while sudo fuser $LOCK >/dev/null 2>&1; do
sleep 1
done
done
}
sudo touch "$CUSTOM_LOCK"
sudo chmod 666 "$CUSTOM_LOCK"
exec {LOCK_FD}>"$CUSTOM_LOCK" || exit 1
flock "$LOCK_FD" || exit 1
trap cleanup EXIT INT TERM
wait_for_locks
echo "Updating system..."
sudo apt-get -qq update -u -y --allow-releaseinfo-change
sudo apt-get -qq --fix-broken install
sudo dpkg --configure -a
sudo apt-get -qq full-upgrade -y
sudo apt-get -qq clean -y
sudo apt-get -qq --purge autoremove -y
sudo apt-get -qq autoclean -y
# sudo python3 -m pip install --upgrade pip > /dev/null 2>&1
echo "System update complete"

Binary file not shown.


@@ -1,6 +1,4 @@
RESET="66 66 66 66 66 66 66 66 66 66"
Flat="66 66 66 66 66 66 66 66 66 66"
Bass_Vibrant="66 69 69 68 66 66 69 66 74 68"
Tamed_Bass_Depth="63 68 66 69 66 66 71 66 74 69"
Sleep="58 63 61 64 66 66 71 66 74 69"
TREBLE="66 66 66 66 66 66 66 71 76 76"
BASS="76 76 71 66 66 66 66 66 66 66"


@@ -117,3 +117,59 @@ sudo su-
sudo su
tail -f /var/log/pcp_squeezelite.log
sudo tail -f /var/log/pcp_squeezelite.log
amixer -c 1 scontrols | grep Digital
amixer -c 1 set 'Digital Volume Level Left' 0%
amixer -c 1 set 'Digital Volume Level Left' 100%
amixer -c 1 scontrols
amixer -c 1 get 'Digital'
amixer -c 1 set 'Digital' 0%,0%
amixer -c 1 set 'Digital' 100%,100%
amixer -c 1 set 'Digital' 100%,0%
amixer -c 1 set 'Digital' 100%,30%
amixer -c 1 set 'Digital' 100%,70%
amixer -c 1 set 'Digital' 100%,100%
amixer -c 1 set 'Digital' 100%,90%
amixer -c 1 set 'Digital' 100%,95%
amixer -c 1 set 'Digital' 100%,92%
amixer -c 1 set 'Digital' 100%,100%
amixer -c 1 set 'Digital' 100%,99%
amixer -c 1 set 'Digital' 100%,98%
amixer -c 1 set 'Digital' 100%,97%
amixer -c 1 set 'Digital' 100%,100%
chmod +x speakers.sh
mkdir -p .local/bin/
mv speakers.sh .local/bin/
speakers.sh mute right
speakers.sh mute left
speakers.sh unmute
mv speakers.sh .local/bin/
speakers.sh unmute
sudo chown tc:tc .local/bin/speakers.sh
sudo chown tc .local/bin/speakers.sh
speakers.sh unmute
ls -la /home/tc/.local/bin/
chmod +x .local/bin/speakers.sh
speakers.sh unmute
speakers.sh unmute
speakers.sh unmute
speaker mute right
speakers.sh mute right
speakers.sh unmute
sudo su
exit
sudo su -
exic
exit
sudo nano /etc/asound.conf
sudo nano /etc/asound.conf
sudo alsactl restore
sudo alsactl restore
sudo alsactl restore
sudo alsactl restore
sudo alsactl restore
sudo alsactl restore
sudo alsactl restore
pkill squeezelite
sudo pkill squeezelite
sudo alsactl restore
sudo su
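Review bot: The lines added in this hunk read as interactive shell history (repeated `sudo alsactl restore`, the typo `exic`, bare `sudo su`), and a history file should not be tracked in the repository. History records whatever is typed at the prompt, so a password, token or credential-bearing URL passed as an argument later would be committed with it; nothing sensitive is visible in this hunk, but the file keeps growing with every session. I would untrack the file and add its path to `.gitignore`. The commands worth keeping, such as the `amixer -c 1 set 'Digital' ...` balance settings, belong in a documented script or README instead.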


@@ -8,4 +8,4 @@ sudo pkill tidal_connect
rm -f /tmp/tisoc-controller
sudo /usr/local/etc/init.d/avahi start
sudo /home/tc/Tidal-Connect-Armv7/tidal.sh start &
#sudo /home/tc/Tidal-Connect-Armv7/tidal.sh start &
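Review bot: The Tidal start line is disabled by commenting it out, with nothing saying why or whether it is meant to come back; either delete the line or put a reason above it, e.g. `# tidal_connect disabled: <reason>`. The lines around it still run `sudo pkill tidal_connect` (hunk header) and `rm -f /tmp/tisoc-controller`, which look like preparation for a service that is no longer started, so confirm they are still wanted. If the line is re-enabled, it runs a script under `/home/tc` as root, so that file should be root-owned and not writable by the `tc` user, otherwise anything running as `tc` can change what root executes. The script starts before this hunk and may continue after it.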


@@ -1,45 +0,0 @@
# Optimized ALSA config for piCorePlayer - Syntax-fixed plug for format/resampling quality
pcm.!default {
type plug
slave.pcm "equal" # Routes to EQ chain (equal -> plugequal -> plugdefault -> hw:0,0)
ttable.0.0 1
ttable.1.1 1
rate 44100 # Default; auto-resamples sources (up to 192kHz) with dither for stable bass/highs
}
ctl.!default {
type hw
card 0
}
# Intermediate plug PCM for EQ compatibility/resampling (explicit format in slave)
pcm.plugdefault {
type plug
slave {
pcm "hw:0,0" # Direct to bcm2835 headphone jack (3.5mm)
rate 44100
format S16_LE # Native Pi format only here; dither reduces artifacts on conversion
}
}
# ALSA 10-band Equalizer (your working LADSPA - unchanged)
ctl.equal {
type equal;
controls "/home/tc/.alsaequal.bin"
library "/usr/local/lib/ladspa/caps.so"
}
pcm.plugequal {
type equal;
slave.pcm "plugdefault";
controls "/home/tc/.alsaequal.bin"
library "/usr/local/lib/ladspa/caps.so"
}
pcm.equal {
type plug;
slave.pcm plugequal;
ttable.0.0 1
ttable.1.1 1
}


@@ -1,68 +0,0 @@
# default - Generated by piCorePlayer
pcm.!default {
type hw
slave.pcm "hw:0,0"
}
pcm.pcpinput {
type plug
card 0
device 0
}
#---ALSA EQ Below--------
pcm.sound_device {
type hw
slave.pcm {
type hw
card
device 0
}
}
ctl.equal {
type equal;
controls "/home/tc/.alsaequal.bin"
library "/usr/local/lib/ladspa/caps.so"
}
pcm.plugequal {
type equal;
slave.pcm "sound_device";
controls "/home/tc/.alsaequal.bin"
library "/usr/local/lib/ladspa/caps.so"
}
pcm.equal {
type plug;
slave.pcm plugequal;
}
#Bluetooth bt_W-King - Generated by pCP
pcm.bt_W-King {
type plug
slave.pcm {
type bluealsa
service "org.bluealsa"
device F4:4E:FC:1A:52:ED
profile "a2dp"
}
}
ctl.equal_bt_W-King {
type equal;
controls "/home/tc/.alsaequal.bin.bt_W-King"
library "/usr/local/lib/ladspa/caps.so"
}
pcm.plugequal_bt_W-King {
type equal;
slave.pcm "bt_W-King";
controls "/home/tc/.alsaequal.bin.bt_W-King"
library "/usr/local/lib/ladspa/caps.so"
}
pcm.equal_bt_W-King {
type plug;
slave.pcm plugequal_bt_W-King;
}