luc/alpine-server
1
0
Fork 0
Code Issues Pull requests Wiki Activity

Updated repository to the new configuration.

Browse source
This commit is contained in:
Luc Bijl 2024-08-30 21:26:24 +02:00
parent 25dde6a119
commit 1945f193ea
31 changed files with 766 additions and 866 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

677
alpine-server-install.txt
View file

@ -1,677 +0,0 @@
Alpine Linux Musl += (btrfs + gummiboot) >> Eventually
Installation:
{
# setup-alpine: >> Will be replaced eventually with manual install with btrfs and gummiboot, instead of default ext4 and grub.
{
\
}
# reboot
$ doas vim /etc/apk/repositories:
{
> {v3.15/main}
> {v3.15/community}
> #{edge/main}
> #{edge/community}
> #{edge/testing}
}
}
Post install:
{
# apk add git
# git clone https://git.bijl.us/luc/alpine-server.git
ups(client):
{
# apk add nut build-base
# gcc alpine-server/config-files/ups.c -o /bin/ups
# gcc alpine-server/config-files/exec-ups.c -o /bin/exec-ups
# vim /etc/init.d/ups:
{
> #!/sbin/openrc-run
> name="ups"
> command="/bin/exec-ups"
}
# rc-update add ups
# rc-service ups start
}
acf:
{
# apk add acf
$ setup-acf
# vim /etc/mini_httpd/mini_httpd.conf:
{
> port=444
}
}
rsnapshot: << May be substituted with duplicati!
{
# apk add rsnapshot
# cp /etc/rsnapshot.conf.default /etc/rsnapshot.conf
# vim /etc/rsnapshot.conf:
{
> snapshot_root /media/data/backup
> retain daily 7
> retain weekly 4
> retain monthly 12
> backup /home/ localhost/
> backup /etc/ localhost/
> backup /usr/local/ /localhost
> backup /opt/ /localhost
> backup /var/lib/docker/ /localhost
}
# vim /etc/periodic/{*}/rsnapshot:
{
> #!/bin/sh
> exec /usr/bin/rsnapshot {*}
}
# chmod +x /etc/periodic/{*}/rsnapshot
# rc-update add crond
# rc-service crond start
}
apk-autoupdate : << Does not work possibly.
{
# apk add apk-autoupdate
# vim /etc/periodic/weekly/apk-autoupdate:
{
> #!/bin/sh
> exec /usr/sbin/apk-autoupdate
}
}
Samba:
{
# apk add samba
# vim /etc/samba/samba.conf:
{
> [global]
> allow insecure wide links = yes
> dos charset = cp866
> unix charset = utf-8
> workgroup = WORKGROUP
> server string = Samba Server
> [home{user}]
> comment = homedir{user}
> valid_users = {user}
> path = /home/{user}
> browseable = yes
> writable = yes
}
# rc-update add samba
# rc-service samba start
}
ssh:
{
# apk add openssh fail2ban
# rc-update add sshd
# rc-service sshd start
# rc-update add fail2ban
# rc-service fail2ban start
}
Docker:
{
# apk add docker docker-compose
# addgroup <user> docker
# rc-update add docker boot
# service docker start
portainer:
{
# cp alpine-server/config-files/portainer.yml /opt/docker-compose.yml
$ cd /opt/
$ docker-compose up -d
}
traefik:
{
+ Add stack << traefik.yml
}
watchtower:
{
Image: containerrr/watchtower:latest
Volumes:
{
/etc/localtime:/etc/localtime:ro
/var/run/docker.sock:/var/run/docker.sock
}
Network: bridge
Environment:
{
WATCHTOWER_NOTIFICATION_EMAIL_FROM = info@{domain}
WATCHTOWER_NOTIFICATION_EMAIL_TO=user@{domain}
WATCHTOWER_NOTIFICATION_EMAIL_SERVER=mail.{domain}
WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT=465
WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER=info
WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD={passwd}
WATCHTOWER_NOTIFICATION_EMAIL_DELAY=2
WATCHTOWER_NOTIFICATIONS=email
WATCHTOWER_SCHEDULE=0 0 0 * * 6
WATCHTOWER_CLEANUP=true
WATCHTOWER_DEBUG=true
}
Restart: Unless-stopped
}
duplicati:
{
Image: linuxserver/duplicati:latest
Ports: 8200:8200/tcp
Volumes:
{
/backups:/var/backups
/source:duplicati-source - local
/config:/opt/duplicati
/source/host_home:/home:ro
/source/host_etc:/etc:ro
/source/host_opt:/opt:ro
/source/host_usr_local:/usr/local:ro
}
Network: bridge
Environment:
{
PIUD=0
PGID=0
TZ=Europe/Amsterdam
}
Restart: Unless-stopped
}
webserver:
{
Image: httpd:alpine
Volumes:
{
/usr/local/apache2/htdocs:/opt/{webserver}/html
/usr/local/apache2/conf:/opt/{webserver}/conf
/etc/httpd:/opt/{webserver}/httpd
/etc/localtime:/etc/localtime:ro
}
Network: proxy
Labels: << traefik.labels
Restart: Unless-stopped
}
postgres:
{
Image: postgres:alpine
Volumes:
{
/backup:/opt/postgres
/etc/localtime:/etc/localtime:ro
/var/lib/postgresql/data:postgres - local
}
Network: proxy
Environment:
{
POSTGRES_PASSWORD={passwd}
PGDATA=/var/lib/postgresql/data
}
Labels: com.centurylinklabs.watchtower.monitor-only: "true"
Restart: Unless-stopped
Manual backup database:
{
$ docker exec -it postgres sh -c "pg_dump -U postgres -d {database} |gzip /backup/{database}.gz"
}
Manual reload database:
{
$ # docker exec -it postgres sh -c "gunzip -c {dbname.gz} | psql -U postgres -d {dbname}"
}
}
postgresbackup:
{
Image: prodrigestivill/postgres-backup-local:alpine
Volumes:
{
/backups:/opt/postgresbackup
/var/lib/postgresql/data:postgresbackup - local
/etc/localtime:/etc/localtime:ro
}
Network: proxy
Environment:
{
POSTGRES_HOST=postgres
POSTGRES_DB={db0,db1,...,db{n}}
POSTGRES_USER=postgres
POSTGRES_PASSWORD={passwd}
SCHEDULE=@daily
BACKUP_KEEP_DAYS=1
BACKUP_KEEP_WEEKS=1
BACKUP_KEEP_MONTHS=1
BACKUP_DIR=/backups
}
Labels: com.centurylinklabs.watchtower.monitor-only: "true"
Restart: Unless-stopped
Reload database:
{
# mv /opt/postgresbackup/{dbname.sql.gz} /opt/postgres
$ docker exec -it postgres sh -c "zcat /backup/{dbname.sql.gz} | psql -U postgres -d {dbname}"
}
}
vaultwarden:
{
$ docker exec -it postgres /bin/bash
# psql -U postgres:
{
> create database vaultwarden;
}
Image: vaultwarden/server:alpine
Volumes:
{
/data:/opt/vaultwarden/data
/etc/localtime:/etc/localtime:ro
}
Network: proxy
Environment:
{
ADMIN_TOKEN={admin_token} >> Remove to disable admin page.
SIGNUPS_ALLOWED=true/false
DATABASE_URL=postgresql://postgres:{passwd}@postgres/vaultwarden
}
Labels: << traefik.labels
Restart: Unless-stopped
}
gitea:
{
$ docker exec -it postgres /bin/bash
# psql -U postgres:
{
> create database gitea;
}
Image: gitea/gitea:latest
Volumes:
{
/data:/opt/gitea
/etc/localtime:/etc/localtime:ro
/etc/timezone:/etc/timezone:ro
}
Network: proxy
Environment:
{
USER_UID=1000
USER_GID=1000
GITEA__database__DB_TYPE=postgres
GITEA__database__HOST=postgres
GITEA__database__NAME=gitea
GITEA__database__USER=postgres
GITEA__database__PASSWD={passwd}
USER=git
GITEA_CUSTOM=/data/gitea
}
Labels: << traefik.labels
Restart: Unless-stopped
}
picoshare:
{
Image: mtlynch/picoshare:latest
Volumes:
{
/data:picoshare - local
/etc/localtime:/etc/localtime:ro
}
Network: proxy
Environment:
{
PS_SHARED_SECRET={passwd}
}
Labels: << traefik.labels
Restart: Unless-stopped
}
hedgedoc:
{
$ docker exec -it postgres /bin/bash
# psql -U postgres:
{
> create database hedgedoc;
}
Image: quay.io/hedgedoc/hedgedoc:alpine
Volumes:
{
/hedgedoc/public/uploads:/opt/hedgedoc/uploads
/etc/localtime:/etc/localtime:ro
}
Network: proxy
Environment:
{
CMD_DB_URL= postgres://postgres:{passwd}@postgres/hedgedoc
CMD_DOMAIN={domain}
CMD_PROTOCOL_USESSL=true
CMD_URL_ADDPORT=false
CMD_ALLOW_EMAIL_REGISTER=true
NODE_ENV=production
}
Labels: << traefik.labels
Restart: Unless-stopped
}
}
matrix:
{
synapse:
{
$ docker exec -it postgres /bin/bash
# psql -U postgres:
{
> create database synapse with encoding='UTF8' lc_collate='C' lc_ctype='C' template=template0;
}
$ docker run -it --rm --mount type=volume,src=synapse-data,dst=/data -e SYNAPSE_SERVER_NAME=matrix.{domain} -e SYNAPSE_REPORT_STATS=no matrixdotorg/synapse:latest generate
$ docker run -d --name synapse --mount type=volume,src=synapse-data,dst=/data matrixdotorg/synapse:latest
>> May be improved!
Network: proxy
Labels: << traefik.labels
Restart: Unless-stopped
# vim /var/lib/docker/volumes/synapse-data/_data/homeserver.yaml:
{
> server_name: "matrix.{domain}"
> database:
> name: psycopg2
> txn_limit: 10000
> allow_unsafe_locale: false
> args:
> user: postgres
> password: "{passwd}"
> database: synapse
> host: postgres
> cp_min: 5
> cp_max: 10
> enable_registration: true/false
> enable_registration_without_verification: true
> app_server_config_files:
> - /data/mautrix/whatsapp/registration.yaml
> - /data/mautrix/signal/registration.yaml
}
}
mautrix-whatsapp:
{
$ docker exec -it postgres /bin/bash
# psql -U postgres:
{
> create database mautrixwhatsapp;
}
Image: dock.mau.dev/mautrix/whatsapp:latest
Volumes:
{
/data:/var/lib/docker/volumes/synapse-data/_data/mautrix/whatsapp
/etc/localtime:/etc/localtime:ro
}
Network: proxy
Restart: Unless-stopped
# vim /var/lib/docker/volumes/synapse-data/_data/mautrix/whatsapp/config.yaml:
{
> homeserver:
> address: http://synapse:8008
> domain: matrix.{domain}
> appservice:
> address: http://mautrix-whatsapp:29318
> hostname: 0.0.0.0
> port: 29318
>
> database:
> type: postgres
> uri: postgres://postgres:{passwd}@postgres/mautrixwhatsapp?sslmode=disable
> bridge:
> private_chat_portal_meta: true
> encryption:
> allow: true
> default: true
>
> permissions:
> "*": relay
> "matrix.{domain}": user
> "@admin:matrix.{domain}": admin
}
# vim /var/lib/docker/volumes/synapse-data/_data/mautrix/whatsapp/registration.yaml:
{
> url: http://mautrix-whatsapp:29318
> regex: << matrix.{domain}
}
}
mautrix-signal:
{
$ docker exec -it postgres /bin/bash
# psql -U postgres:
{
> create database mautrixsignal;
}
Image: dock.mau.dev/mautrix/signal:latest
Volumes:
{
/data:/var/lib/docker/volumes/synapse-data/_data/mautrix/signal
/etc/localtime:/etc/localtime:ro
}
Network: proxy
Restart: Unless-stopped
# vim /var/lib/docker/volumes/synapse-data/_data/mautrix/whatsapp/config.yaml:
{
> homeserver:
> address: http://synapse:8008
> domain: matrix.{domain}
> appservice:
> address: http://mautrix-signal:29328
> hostname: 0.0.0.0
> port: 29328
>
> database: postgres://postgres:{passwd}@postgres/mautrixsignal
> signal:
> socket_path: /data/signald/signald.sock
> bridge:
> private_chat_portal_meta: true
> encryption:
> allow: true
> default: true
>
> permissions:
> "*": relay
> "matrix.{domain}": user
> "@admin:matrix.{domain}: admin
}
# vim /var/lib/docker/volumes/synapse-data/_data/mautrix/whatsapp/registration.yaml:
{
> url: http://mautrix-signal:29328
> regex: << matrix.{domain}
}
}
signald:
{
>> postgres database not yet available! (sqlite database)
Image:docker.io/signald/signald:latest
Volumes:
{
/signald:/opt/matrix/mautrix-signal/signald
/etc/localtime:/etc/localtime:ro
}
Network: proxy
Restart: Unless-stopped
}
element:
{
Image: vectorim/element-web:latest
Volumes:
{
/app/config.json:/opt/matrix/element/config.json
/etc/localtime:/etc/localtime:ro
}
Network: proxy
Labels: << traefik.labels
Restart: Unless-stopped
# vim /opt/matrix/element/config.json:
{
{
"default_server_config": {
"m.homeserver": {
"base_url": "https://matrix.{domain}",
"server_name": "matrix.{domain}"
},
"m.identity_server": {
"base_url": "https://vector.im"
}
},
"disable_custom_urls": true,
"room_directory": {
"servers": ["matrix.org", "matrix.{domain}"]
},
"default_theme": "dark"
}
}
}
}
homeassistant:
{
mosquitto:
{
Image: eclipse-mosquitto:latest
Volumes:
{
/mosquitto/data:/opt/mosquitto/data
/mosquitto/log:/opt/mosquitto/log
/mosquitto/config:/opt/mosquitto/config
}
Network:
{
proxy
ipv4: 172.21.0.12
}
Restart: Unless-stopped
# vim /opt/mosquitto/config/password.txt:
{
> {username}:{passwd}
}
# vim /opt/mosquitto/config/mosquitto.conf:
{
> persistence true
> persistence_location /mosquitto/data
> log_dest file /mosquitto/log/mosquitto.log
> listener 9001
> listener 1883
> connection_messages true
> allow_anonymous false
> password_file /mosquitto/config/password.txt
}
}
ecowitt:
{
Image: bachya/ecowitt2mqtt:latest
Ports: 8181:8181/tcp
Network: proxy
Environment:
{
COWITT2MQTT_MQTT_BROKER=mosquitto
ECOWITT2MQTT_MQTT_USERNAME={username}
ECOWITT2MQTT_MQTT_PASSWORD={passwd}
ECOWITT2MQTT_PORT=8181
ECOWITT2MQTT_HASS_DISCOVERY=true
ECOWITT2MQTT_INPUT_UNIT_SYSTEM=imperial
ECOWITT2MQTT_OUTPUT_UNIT_SYSTEM=metric
}
Restart: Unless-stopped
}
esphome:
{
Image: esphome/esphome:latest
Ports: 6052:6052/tcp
Volumes:
{
/config:/opt/esphome
/etc/localtime:/etc/localtime:ro
}
Network: host
Environment:
{
USERNAME={username}
PASSWORD={passwd}
}
Restart: Unless-stopped
}
homeassistant:
{
$ docker exec -it postgres /bin/bash
# psql -U postgres:
{
> create database homeassistant;
}
Image: homeassistant
Volumes:
{
/config:/opt/homeassistant/config
/etc/localtime:/etc/localtime:ro
}
Network: proxy
Labels: << traefik.labels
Restart: Unless-stopped
# vim /opt/homeassistant/config/configuration.yaml:
{
> python_script:
> shell_command:
> http:
> use_x_forwarded_for: true
> trusted_proxies:
> - 172.21.0.80
> panel_iframe:
> portainer:
> title: "Portainer"
> url: "http://{ip}:9000/#/containers"
> icon: mdi:docker
> require_admin: true
> esphome:
> title: "ESPHome"
> url: "http://{ip}:6052"
> icon: mdi:chip
> require_admin: true
> recorder:
> db_url: postgresql://postgres:{passwd}@postgres/homeassistant
}
}
}
}

13
bin/checkpod Normal file
View file

@ -0,0 +1,13 @@
#!/bin/sh
. ./conf
exec 2>&1
state=0
while [ $state == 0 ]
do
sleep 10
$command pod inspect ${name}-pod | grep -q '"State": "Running"' || state=1
done

23
bin/dump Normal file
View file

@ -0,0 +1,23 @@
#!/bin/sh
command="/usr/bin/podman"
# Dumps databases
postgres_databases=""
for database in $postgres_databases
do
$command exec -it ${database}-pod-postgres sh -c "pg_dumpall -U postgres | gzip > /dump/${database}.sql.gz"
done
# Exports volumes
volumes=""
for volume in $volumes
do
$command volume export $volume --output <home>/.volumes/${volume}.tar
done

23
bin/load Normal file
View file

@ -0,0 +1,23 @@
#!/bin/sh
command="/usr/bin/podman"
# Loads dumped databases
postgres_databases="gitea"
for database in $postgres_databases
do
exec $command exec -it ${database}-pod-postgres sh -c "gunzip -c /dump/${database}.sql.gz | psql -U postgres"
done
# Imports volumes
volumes="gitea-pod-gitea-data"
for volume in $volumes
do
exec $command volume import $volume <home>/.volumes/${volume}.tar
done

8
config-files/exec-ups.c
View file

@ -1,8 +0,0 @@
#include <stdlib.h>
#include <stdio.h>
int main()
{
system("/bin/ups &");
return 0;
}

6
config-files/traefik.labels
View file

@ -1,6 +0,0 @@
traefik.enable=true
traefik.http.routers..entrypoints={web,websecure,webfederation}
traefik.http.routers..rule=Host("")
traefik.http.routers..tls=true
traefik.http.routers..tls.certresolver={staging/production}
(optional) traefik.http.services..loadbalancer.server.port={port}

51
config-files/ups.c
View file

@ -1,51 +0,0 @@
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
int main()
{
unsigned int chargelim = 80;
unsigned int charge = 100;
unsigned int voltagelim = 210;
unsigned int voltage = 240;
FILE *fp;
char path[1024];
while(charge > chargelim || voltage > voltagelim)
{
sleep(20);
fp = popen("/usr/bin/upsc ups@{domain} battery.charge 2>&1 |grep -v 'Init SSL'", "r");
if(fgets(path, sizeof(path), fp) != NULL)
{
charge = atoi(path);
pclose(fp);
}
else
{
pclose(fp);
system("poweroff");
}
fp = popen("/usr/bin/upsc ups@{domain} input.voltage 2>&1 |grep -v 'Init SSL'", "r");
if(fgets(path, sizeof(path), fp) != NULL)
{
voltage = atoi(path);
pclose(fp);
}
else
{
pclose(fp);
system("poweroff");
}
}
system("poweroff");
return 0;
}

15
containerfiles/git-mkdocs-wiki/default.conf.env Normal file
View file

@ -0,0 +1,15 @@
server {
listen $PORT;
listen [::]:${PORT};
server_name localhost;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50.html {
root /usr/share/nginx/html;
}
}

10
containerfiles/git-mkdocs-wiki/git-mkdocs-wiki Normal file
View file

@ -0,0 +1,10 @@
#!/bin/sh
exec 2>&1
find /mkdocs/repo || git clone $GIT_REPO_URL /mkdocs/repo
cd /mkdocs/repo && git pull
for lang in $WIKI_LANG
do
mkdocs build -f /mkdocs/repo/config/${lang}/mkdocs.yml -d /usr/share/nginx/html/${lang}
done

25
containerfiles/git-mkdocs-wiki/git-mkdocs-wiki.containerfile Normal file
View file

@ -0,0 +1,25 @@
FROM nginx:alpine
ENV PORT="80"
COPY default.conf.env /etc/nginx/conf.d/default.conf.env
RUN apk add envsubst \
&& touch /docker-entrypoint.d/port.sh \
&& echo "exec envsubst < /etc/nginx/conf.d/default.conf.env > /etc/nginx/conf.d/default.conf && nginx -s reload" > /docker-entrypoint.d/port.sh \
&& chmod 776 /docker-entrypoint.d/port.sh
RUN apk add git \
&& apk add mkdocs \
&& apk add mkdocs-material \
&& apk add py3-regex
RUN mkdir /mkdocs
WORKDIR /mkdocs
COPY root /etc/crontabs/root
COPY git-mkdocs-wiki /bin/git-mkdocs-wiki
RUN chmod 744 /bin/git-mkdocs-wiki
RUN touch /docker-entrypoint.d/cron.sh \
&& echo "exec crond" > /docker-entrypoint.d/cron.sh \
&& chmod 776 /docker-entrypoint.d/cron.sh

2
dockerfile/git-mkdocs/scripts/root → containerfiles/git-mkdocs-wiki/root
View file

@ -1,3 +1,3 @@
# do daily/weekly/monthly maintanance # do daily/weekly/monthly maintanance
# min hour day month weekday command # min hour day month weekday command
* * * * * git-mkdocs * * * * * git-mkdocs-wiki

15
containerfiles/git-mkdocs/default.conf.env Normal file
View file

@ -0,0 +1,15 @@
server {
listen $PORT;
listen [::]:${PORT};
server_name localhost;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50.html {
root /usr/share/nginx/html;
}
}

6
containerfiles/git-mkdocs/git-mkdocs Normal file
View file

@ -0,0 +1,6 @@
#!/bin/sh
exec 2>&1
find /mkdocs/repo || git clone $GIT_REPO_URL /mkdocs/repo
cd /mkdocs/repo && git pull
exec mkdocs build -f /mkdocs/repo/mkdocs.yml -d /usr/share/nginx/html

25
containerfiles/git-mkdocs/git-mkdocs.containerfile Normal file
View file

@ -0,0 +1,25 @@
FROM nginx:alpine
ENV PORT="80"
COPY default.conf.env /etc/nginx/conf.d/default.conf.env
RUN apk add envsubst \
&& touch /docker-entrypoint.d/port.sh \
&& echo "exec envsubst < /etc/nginx/conf.d/default.conf.env > /etc/nginx/conf.d/default.conf && nginx -s reload" > /docker-entrypoint.d/port.sh \
&& chmod 776 /docker-entrypoint.d/port.sh
RUN apk add git \
&& apk add mkdocs \
&& apk add mkdocs-material \
&& apk add py3-regex
RUN mkdir /mkdocs
WORKDIR /mkdocs
COPY root /etc/crontabs/root
COPY git-mkdocs /bin/git-mkdocs
RUN chmod 744 /bin/git-mkdocs
RUN touch /docker-entrypoint.d/cron.sh \
&& echo "exec crond" > /docker-entrypoint.d/cron.sh \
&& chmod 776 /docker-entrypoint.d/cron.sh

3
containerfiles/git-mkdocs/root Normal file
View file

@ -0,0 +1,3 @@
# do daily/weekly/monthly maintanance
# min hour day month weekday command
* * * * * git-mkdocs

34
docker-compose/base.yaml
View file

@ -1,34 +0,0 @@
version: '3.0'
services:
portainer:
container_name: portainer
image: portainer/portainer-ce:alpine
network_mode: bridge
ports:
- "9000:9000/tcp"
volumes:
- /etc/localtime/:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock
- ~/docker/portainer:/data
restart: always
watchtower:
container_name: watchtower
image: containrrr/watchtower:latest
network_mode: bridge
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock
environment:
WATCHTOWER_NOTIFICATION_EMAIL_FROM = info@{domain}
WATCHTOWER_NOTIFICATION_EMAIL_TO=user@{domain}
WATCHTOWER_NOTIFICATION_EMAIL_SERVER=mail.{domain}
WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT=465
WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER=info
WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD={passwd}
WATCHTOWER_NOTIFICATION_EMAIL_DELAY=2
WATCHTOWER_NOTIFICATIONS=email
WATCHTOWER_SCHEDULE=0 0 0 * * 6
WATCHTOWER_CLEANUP=true
restart: unless-stopped

45
docker-compose/traefik.yaml
View file

@ -1,45 +0,0 @@
version: '3.0'
services:
traefik:
container_name: traefik
image: traefik:latest
command:
#- --api.insecure=true
#- --api.dashboard=true
- --providers.docker=true
- --providers.docker.exposedByDefault=false
- --providers.docker.network=proxy
- --entryPoints.web.address=:80
- --entrypoints.web.http.redirections.entrypoint.to=websecure
- --entrypoints.web.http.redirections.entrypoint.scheme=https
- --entryPoints.websecure.address=:443
- --entryPoints.webfederation.address=:8448
- --certificatesresolvers.staging.acme.email={email}
- --certificatesresolvers.staging.acme.storage=/ssl-certs/acme.json
- --certificatesresolvers.staging.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
- --certificatesresolvers.staging.acme.httpChallenge.entryPoint=web
- --certificatesresolvers.production.acme.email={email}
- --certificatesresolvers.production.acme.storage=/ssl-certs/acme.json
- --certificatesresolvers.production.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
- --certificatesresolvers.production.acme.httpChallenge.entryPoint=web
networks:
proxy:
ipv4_address: 172.21.0.80
ports:
- "80:80"
- "443:443"
#- "8080:8080"
- "8448:8448"
volumes:
- /etc/localtime:/etc/localtime:ro
- /opt/traefik/ssl-certs:/ssl-certs
- /var/run/docker.sock:/var/run/docker.sock:ro
restart: unless-stopped
networks:
proxy:
external: true

15
dockerfile/git-mkdocs/dev-mkdocs.dockerfile
View file

@ -1,15 +0,0 @@
FROM python:3-alpine
ARG USER=1001
RUN adduser -h /usr/src/mkdocs -D -u $USER mkdocs
USER mkdocs
RUN mkdir -p /usr/src/mkdocs/build
WORKDIR /usr/src/mkdocs/build
RUN pip install --upgrade pip
RUN pip install pymdown-extensions \
&& pip install mkdocs \
&& pip install mkdocs-material

24
dockerfile/git-mkdocs/git-mkdocs.dockerfile
View file

@ -1,24 +0,0 @@
FROM nginx:alpine
RUN apk add git \
&& apk add python3 py3-pip
ENV GIT_REPO_URL='' \
GIT_REPO_NAME=''
RUN mkdir /mkdocs
WORKDIR /mkdocs
RUN pip install --upgrade pip
RUN pip install pymdown-extensions \
&& pip install mkdocs \
&& pip install mkdocs-material
COPY root /etc/crontabs/root
COPY git-mkdocs /bin/git-mkdocs
RUN chmod 744 /bin/git-mkdocs
RUN touch /docker-entrypoint.d/cron.sh \
&& echo "exec crond" > /docker-entrypoint.d/cron.sh \
&& chmod 776 /docker-entrypoint.d/cron.sh

5
dockerfile/git-mkdocs/scripts/git-mkdocs
View file

@ -1,5 +0,0 @@
#!/bin/sh
git clone $GIT_REPO_URL
cd /mkdocs/$GIT_REPO_NAME
git pull
mkdocs build -f /mkdocs/$GIT_REPO_NAME/mkdocs.yml -d /usr/share/nginx/html

60
pods/bitwarden/bitwarden-pod.yml Normal file
View file

@ -0,0 +1,60 @@
apiversion: v1
kind: Pod
metadata:
name: bitwarden-pod
annotations:
io.podman.annotations.infra.name: bitwarden-pod-infra
spec:
containers:
- name: vaultwarden
image: docker.io/vaultwarden/server:alpine
env:
- name: SIGNUPS_ALLOWED
value: false
- name: DATABASE_URL
value: "postgresql://postgres:<secret>@bitwarden-pod-postgres/vaultwarden"
- name: ROCKET_PORT
value: 3000
ports:
- containerport: 3000
hostport: 1080
protocol: TCP
volumemounts:
- mountpath: /data
name: vaultwarden-data
- mountpath: /etc/localtime
name: localtime
readonly: true
- name: postgres
image: docker.io/library/postgres:16-alpine
env:
- name: POSTGRES_PASSWORD
valuefrom:
secretkeyref:
name: bitwarden-secrets
key: postgres-password
volumemounts:
- mountpath: /dump
name: postgres-dump
- mountpath: /var/lib/postgresql/data
name: postgres-data
- mountpath: /etc/localtime
name: localtime
readonly: true
volumes:
- persistentvolumeclaim:
claimname: bitwarden-pod-vaultwarden-data
name: vaultwarden-data
- hostpath:
path: <home>/.dump/bitwarden
type: Directory
name: postgres-dump
- persistentvolumeclaim:
claimname: bitwarden-pod-postgres-data
name: postgres-data
- hostPath:
path: /etc/localtime
type: File
name: localtime

8
pods/bitwarden/bitwarden-secrets.yml Normal file
View file

@ -0,0 +1,8 @@
apiversion: v1
data:
postgres-password: <base64-secret>
postgres-url: <base64-secret>
kind: Secret
metadata:
creationtimestamp: null
name: bitwarden-secrets

101
pods/git/git-pod.yml Normal file
View file

@ -0,0 +1,101 @@
apiversion: v1
kind: Pod
metadata:
name: git-pod
annotations:
io.podman.annotations.infra.name: git-pod-infra
spec:
containers:
- name: gitea
image: docker.io/gitea/gitea:latest
env:
- name: USER_UID
value: "1000"
- name: USER_GID
value: "1000"
- name: GITEA__database__HOST
value: "git-pod-postgres"
- name: GITEA__database__USER
value: "postgres"
- name: GITEA__database__PASSWD
valuefrom:
secretkeyref:
name: git-secrets
key: postgres-password
- name: GITEA__database__NAME
value: "gitea"
ports:
- containerport: 3000
hostport: 2080
protocol: TCP
volumemounts:
- mountpath: /data
name: gitea-data
- mountpath: /etc/localtime
name: localtime
readonly: true
- name: documentation
image: git-mkdocs:latest
env:
- name: GIT_REPO_URL
value: "https://git.bijl.us/lnco/documentation.git"
- name: PORT
value: 3100
- containerport: 3100
hostport: 2180
protocol: TCP
volumemounts:
- mountpath: /etc/localtime
name: localtime
readonly: true
- name: wiki
image: git-mkdocs-wiki:latest
env:
- name: GIT_REPO_URL
value: "https://git.bijl.us/luc/mathematics-physics-wiki.git"
- name: WIKI_LANG
value: "en nl"
- name: PORT
value: 3200
- containerport: 3200
hostport: 2280
protocol: TCP
volumemounts:
- mountpath: /etc/localtime
name: localtime
readonly: true
- name: postgres
image: docker.io/library/postgres:16-alpine
env:
- name: POSTGRES_PASSWORD
valuefrom:
secretkeyref:
name: git-secrets
key: postgres-password
volumemounts:
- mountpath: /dump
name: postgres-dump
- mountpath: /var/lib/postgresql/data
name: postgres-data
- mountpath: /etc/localtime
name: localtime
readonly: true
volumes:
- persistentvolumeclaim:
claimname: git-pod-gitea-data
name: gitea-data
- hostpath:
path: <home>/.dump/git
type: Directory
name: postgres-dump
- persistentvolumeclaim:
claimname: git-pod-postgres-data
name: postgres-data
- hostpath:
path: /etc/localtime
type: File
name: localtime

7
pods/git/git-secrets.yml Normal file
View file

@ -0,0 +1,7 @@
apiversion: v1
data:
postgres-password: <base64-secret>
kind: Secret
metadata:
creationtimestamp: null
name: git-secrets

129
pods/matrix/matrix-pod.yml Normal file
View file

@ -0,0 +1,129 @@
apiversion: v1
kind: Pod
metadata:
name: matrix-pod
annotations:
io.podman.annotations.infra.name: matrix-pod-infra
spec:
containers:
- name: dendrite
image: matrixdotorg/dendrite-monolith:latest
ports:
- containerport: 8008
hostport: 3080
protocol: TCP
- containerport: 8448
hostport: 8448
protocol: TCP
volumemounts:
- mountpath: /etc/dendrite
name: dendrite-config
- mountpath: /var/dendrite/media
name: dendrite-media
- mountpath: /var/dendrite/jetstream
name: dendrite-jetstream
- mountpath: /var/dendrite/searchindex
name: dendrite-searchindex
- mountpath: /etc/localtime
name: localtime
readonly: true
- name: mautrix-whatsapp
image: dock.mau.dev/mautrix/whatsapp:latest
command:
- /usr/bin/mautrix-whatsapp
- -c
- /data/config.yaml
- -r
- /data/registration.yaml
- --ignore-unsupported-server
volumemounts:
- mountpath: /data
name: mautrix-whatsapp-config
- mountpath: /etc/localtime
name: localtime
readonly: true
- name: mautrix-signal
image: dock.mau.dev/mautrix/signal:latest
command:
- /usr/bin/mautrix-signal
- -c
- /data/config.yaml
- -r
- /data/registration.yaml
- --ignore-unsupported-server
volumemounts:
- mountpath: /data
name: mautrix-signal-config
- mountpath: /etc/localtime
name: localtime
readonly: true
- name: element
image: vectorim/element-web:latest
ports:
- containerport: 80
hostport: 3180
protocol: TCP
volumemounts:
- mountpath: /app/config.json
name: element-config
- mountpath: /etc/localtime
name: localtime
readonly: true
- name: postgres
image: docker.io/library/postgres:16-alpine
env:
- name: POSTGRES_PASSWORD
valuefrom:
secretkeyref:
name: matrix-secrets
key: postgres-password
volumemounts:
- mountpath: /dump
name: postgres-dump
- mountpath: /var/lib/postgresql/data
name: postgres-data
- mountpath: /etc/localtime
name: localtime
readonly: true
volumes:
- hostpath:
path: <home>/.config/pods/matrix/dendrite-config
type: Directory
name: dendrite-config
- persistentvolumeclaim:
claimname: matrix-pod-dendrite-media
name: dendrite-media
- persistentvolumeclaim:
claimname: matrix-pod-dendrite-jetstream
name: dendrite-jetstream
- persistentvolumeclaim:
claimname: matrix-pod-dendrite-searchindex
name: dendrite-searchindex
- hostpath:
path: <home>/.config/pods/matrix/mautrix-whatsapp-config
type: Directory
name: mautrix-whatsapp-config
- hostpath:
path: <home>/.config/pods/matrix/mautrix-signal-config
type: Directory
name: mautrix-signal-config
- hostpath:
path: <home>/.config/pods/matrix/element-config/config.json
type: File
name: element-config
- hostpath:
path: <home>/.dump/matrix
type: Directory
name: postgres-dump
- persistentvolumeclaim:
claimname: matrix-pod-postgres-data
name: postgres-data
- hostpath:
path: /etc/localtime
type: File
name: localtime

7
pods/matrix/matrix-secrets.yml Normal file
View file

@ -0,0 +1,7 @@
apiversion: v1
data:
postgres-password: <base64-secret>
kind: Secret
metadata:
creationtimestamp: null
name: matrix-secrets

73
pods/notes/notes-pod.yml Normal file
View file

@ -0,0 +1,73 @@
apiversion: v1
kind: Pod
metadata:
name: notes-pod
annotations:
io.podman.annotations.infra.name: notes-pod-infra
spec:
containers:
- name: hedgedoc
image: quay.io/hedgedoc/hedgedoc:alpine
env:
- name: CMD_DB_URL
valuefrom:
secretkeyref:
name: notes-secrets
key: postgres-url
- name: CMD_ALLOW_EMAIL_REGISTER
value: true
- name: CMD_DOMAIN
value: "notes.bijl.us"
- name: CMD_PROTOCOL_USESSL
value: true
- name: CMD_URL_ADDPORT
value: false
- name: NODE_ENV
value: production
- name: CMD_IMAGE_UPLOAD_TYPE
value: filesystem
- name: UPLOADS_MODE
value: 0700
ports:
- containerport: 3000
hostport: 4080
protocol: TCP
volumemounts:
- mountpath: /hedgedoc/public/uploads
name: hedgedoc-uploads
- mountpath: /etc/localtime
name: localtime
readonly: true
- name: postgres
image: docker.io/library/postgres:16-alpine
env:
- name: POSTGRES_PASSWORD
valuefrom:
secretkeyref:
name: notes-secrets
key: postgres-password
volumemounts:
- mountpath: /dump
name: postgres-dump
- mountpath: /var/lib/postgresql/data
name: postgres-data
- mountpath: /etc/localtime
name: localtime
readonly: true
volumes:
- persistentvolumeclaim:
claimname: notes-pod-hedgedoc-uploads
name: hedgedoc-uploads
- hostpath:
path: <home>/.dump/notes
type: Directory
name: postgres-dump
- persistentvolumeclaim:
claimname: notes-pod-postgres-data
name: postgres-data
- hostPath:
path: /etc/localtime
type: File
name: localtime

8
pods/notes/notes-secrets.yml Normal file
View file

@ -0,0 +1,8 @@
apiversion: v1
data:
postgres-password: <base64-secret>
postgres-url: <base64-url>
kind: Secret
metadata:
creationtimestamp: null
name: notes-secrets

34
pods/share/share-pod.yml Normal file
View file

@ -0,0 +1,34 @@
apiversion: v1
kind: Pod
metadata:
name: share-pod
annotations:
io.podman.annotations.infra.name: share-pod-infra
spec:
containers:
- name: picoshare
image: docker.io/mtlynch/picoshare:latest
env:
- name: PS_SHARED_SECRET
value: "<secret>"
- name: PORT
value: 3000
ports:
- containerport: 3000
hostport: 5080
protocol: TCP
volumemounts:
- mountpath: /data
name: picoshare-data
- mountpath: /etc/localtime
name: localtime
readonly: true
volumes:
- persistentvolumeclaim:
claimname: share-pod-picoshare-data
name: picoshare-data
- hostPath:
path: /etc/localtime
type: File
name: localtime

171
pods/smarthome/smarthome-pod.yml Normal file
View file

@ -0,0 +1,171 @@
apiversion: v1
kind: Pod
metadata:
name: smarthome-pod
annotations:
io.podman.annotations.infra.name: smarthome-pod-infra
run.oci.keep_original_groups: 1
spec:
containers:
- name: home-assistant
image: ghcr.io/home-assistant/home-assistant:latest
ports:
- containerport: 3000
hostport: 6080
protocol: TCP
volumemounts:
- mountpath: /config
name: home-assistant-config
- mountpath: /dev/ttyUSB0
name: home-assistant-usb0
- mountpath: /dev/ttyUSB1
name: home-assistant-usb1
- mountpath: /etc/localtime
name: localtime
readonly: true
- name: mosquitto
image: docker.io/eclipse-mosquitto:latest
ports:
- containerport: 1883
hostport: 1883
protocol: TCP
volumemounts:
- mountpath: /mosquitto/config
name: mosquitto-config
- mountpath: /mosquitto/data
name: mosquitto-data
- mountpath: /mosquitto/log
name: mosquitto-log
- mountpath: /etc/localtime
name: localtime
readonly: true
- name: esphome
image: docker.io/esphome/esphome:stable
env:
- name: USERNAME
value: "<username>"
- name: PASSWORD
value: "<secret>"
ports:
- containerport: 6052
hostport: 6052
protocol: TCP
volumemounts:
- mountpath: /config
name: esphome-config
- mountpath: /etc/localtime
name: localtime
readonly: true
- name: ecowitt
image: docker.io/bachya/ecowitt2mqtt:latest
env:
- name: ECOWITT2MQTT_MQTT_BROKER
value: "smarthome-pod-mosquitto"
- name: ECOWITT2MQTT_MQTT_USERNAME
value: "<username>"
- name: ECOWITT2MQTT_MQTT_PASSWORD
value: "<secret>"
- name: ECOWITT2MQTT_PORT
value: 8181
- name: ECOWITT2MQTT_HASS_DISCOVERY
value: true
- name: ECOWITT2MQTT_INPUT_UNIT_SYSTEM
value: "imperial"
- name: ECOWITT2MQTT_OUTPUT_UNIT_SYSTEM
value: "metric"
- name: ECOWITT2MQTT_PRECISION
value: 1
ports:
- containerport: 8181
hostport: 8181
protocol: TCP
volumemounts:
- mountpath: /etc/localtime
name: localtime
readonly: true
- name: volvo
image: ghcr.io/dielee/volvo2mqtt:latest
env:
- name: CONF_updateInterval
value: 300
- name: CONF_babelLocale
value: "nl"
- name: CONF_mqtt
valuefrom:
secretkeyref:
name: smarthome-secrets
key: volvo-mosquitto
- name: CONF_volvoData
valuefrom:
secretkeyref:
name: smarthome-secrets
key: volvo-url
volumemounts:
- mountpath: /volvoAAOS2mqtt
name: volvo-data
- mountpath: /etc/localtime
name: localtime
readonly: true
- name: postgres
image: docker.io/library/postgres:16-alpine
env:
- name: POSTGRES_PASSWORD
valuefrom:
secretkeyref:
name: smarthome-secrets
key: postgres-password
volumemounts:
- mountpath: /dump
name: postgres-dump
- mountpath: /var/lib/postgresql/data
name: postgres-data
- mountpath: /etc/localtime
name: localtime
readonly: true
volumes:
- hostpath:
path: <home>/.config/pods/smarthome/home-assistant-config
type: Directory
name: home-assistant-config
- hostpath:
path: /dev/ttyUSB0
type: File
name: home-assistant-usb0
- hostpath:
path: /dev/ttyUSB1
type: File
name: home-assistant-usb1
- hostpath:
path: <home>/.config/pods/smarthome/mosquitto-config
type: Directory
name: mosquitto-config
- persistentvolumeclaim:
claimname: smarthome-pod-mosquitto-data
name: mosquitto-data
- persistentvolumeclaim:
claimname: smarthome-pod-mosquitto-log
name: mosquitto-log
- hostpath:
path: <home>/.config/pods/smarthome/esphome-config
type: Directory
name: esphome-config
- persistentvolumeclaim:
claimname: smarthome-pod-volvo-data
name: volvo-data
- hostpath:
path: <home>/.dump/smarthome
type: Directory
name: postgres-dump
- persistentvolumeclaim:
claimname: smarthome-pod-postgres-data
name: postgres-data
- hostpath:
path: /etc/localtime
type: File
name: localtime

9
pods/smarthome/smarthome-secrets.yml Normal file
View file

@ -0,0 +1,9 @@
apiversion: v1
data:
volvo-mosquitto: <base64-secret>
volvo-url: <base64-secret>
postgres-password: <base64-secret>
kind: Secret
metadata:
creationtimestamp: null
name: smarthome-secrets