commit 476f4ac30f262b5ac1f1ccef78faead9a1536f77
Author: akanealw
Date: Fri May 19 11:12:03 2023 -0500
first commit
diff --git a/.env b/.env
new file mode 100644
index 0000000..3b06b03
--- /dev/null
+++ b/.env
@@ -0,0 +1,17 @@
+#GLOBAL SETTINGS
+COMPOSE_HTTP_TIMEOUT=120
+COMPOSE_IGNORE_ORPHANS=1
+DOCKERCONFDIR=./appdata
+DOCKERGID=999
+DOCKERHOSTNAME=DockerServer
+DOCKERLOGGING_MAXFILE=10
+DOCKERLOGGING_MAXSIZE=200k
+PGID=1000
+PUID=1000
+UMASK=000
+TZ=America/Chicago
+ADMIN_USERNAME=wettsten
+ADMIN_PASSWORD=benEatsBananas!
+
+#DIRECTORY PATHS
+MEDIA_DIR=/mnt/media
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..5728a2c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+appdata/
diff --git a/admin/.gitignore b/admin/.gitignore
new file mode 100644
index 0000000..5728a2c
--- /dev/null
+++ b/admin/.gitignore
@@ -0,0 +1 @@
+appdata/
diff --git a/admin/docker-compose.yml b/admin/docker-compose.yml
new file mode 100644
index 0000000..606d7e0
--- /dev/null
+++ b/admin/docker-compose.yml
@@ -0,0 +1,31 @@
+version: '3'
+
+services:
+ dozzle:
+ container_name: dozzle
+ image: amir20/dozzle:latest
+ environment:
+ - DOZZLE_ADDR=:1234
+ networks:
+ - admin
+ ports:
+ - 9999:1234
+ restart: always
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+
+ portainer:
+ container_name: portainer
+ image: portainer/portainer-ce:latest
+ networks:
+ - admin
+ ports:
+ - 9000:9000/tcp
+ restart: always
+ volumes:
+ - ./appdata/portainer/data:/data
+ - /var/run/docker.sock:/var/run/docker.sock
+ - /etc/localtime:/etc/localtime:ro
+
+networks:
+ admin:
\ No newline at end of file
diff --git a/authelia/add-to-protected-domains.conf b/authelia/add-to-protected-domains.conf
new file mode 100644
index 0000000..693b139
--- /dev/null
+++ b/authelia/add-to-protected-domains.conf
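Review bot: `ADMIN_USERNAME`/`ADMIN_PASSWORD` are committed in plaintext, and the `.gitignore` added in the next hunk only excludes `appdata/`, so `.env` stays tracked and the password is now in history for good. Treat it as compromised and rotate it; the same applies to the Vaultwarden `ADMIN_TOKEN`, the DuckDNS `TOKEN` and `WIREGUARD_PRIVATE_KEY` in docker-compose.yml, and to `jwt_secret`, `session.secret`, `storage.encryption_key` and the SMTP password in authelia/configuration.yml. Add `.env` to `.gitignore` and commit a `.env.example` with placeholder values such as `ADMIN_PASSWORD=<set-me>` instead. Separately, `UMASK=000` makes every file the containers create world-writable; `022` is the usual value unless the media share genuinely needs it, and a comment should say which.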
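Review bot: portainer mounts `/var/run/docker.sock` read-write and publishes `9000:9000/tcp` on every interface, which hands host-root-equivalent control to anyone who can reach that port behind nothing but Portainer's own login; dozzle on `9999:1234` appears to have no authentication configured here at all. Dozzle's socket is correctly `:ro` while portainer's is not; the asymmetry is deliberate (Portainer manages containers) and deserves a one-line comment so it is not "fixed" either way. If these two are meant to be reached only through nginxproxymanager and the `portainer.`/`dozzle.` rules in configuration.yml, attach that container to the `admin` network (or move these services into the root compose) and drop the `ports:` entries, so the proxy is the only route. Both images are `:latest`; pin them so an unattended pull cannot silently change what runs with socket access.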
@@ -0,0 +1,10 @@
+include /snippets/authelia-location.conf;
+
+location / {
+ include /snippets/authelia-proxy.conf;
+ include /snippets/authelia-authrequest.conf;
+ proxy_pass $forward_scheme://$server:$port;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection upgrade;
+ proxy_set_header Accept-Encoding gzip;
+}
diff --git a/authelia/auth.domain.conf b/authelia/auth.domain.conf
new file mode 100644
index 0000000..a814eb0
--- /dev/null
+++ b/authelia/auth.domain.conf
@@ -0,0 +1,4 @@
+location / {
+ include /snippets/authelia-proxy.conf;
+ proxy_pass $forward_scheme://$server:$port;
+}
diff --git a/authelia/configuration.yml b/authelia/configuration.yml
new file mode 100644
index 0000000..c368363
--- /dev/null
+++ b/authelia/configuration.yml
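Review bot: `proxy_set_header Connection upgrade;` is unconditional, so every proxied request carries `Connection: upgrade` even when `$http_upgrade` is empty; the usual form is an http-level `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` with `proxy_set_header Connection $connection_upgrade;` here (nginx-proxy-manager may already define such a map — confirm before adding a second one). `proxy_set_header Accept-Encoding gzip;` also forces gzip regardless of what the client accepts; harmless for browsers, but a one-line comment stating why it is forced would stop the next reader from removing it. Nothing documents that this block is pasted into a proxy host's "Advanced" tab in nginx-proxy-manager, which is where `$forward_scheme`, `$server` and `$port` come from; a header comment naming that would help.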
@@ -0,0 +1,121 @@
+theme: dark
+jwt_secret: yyArMUrcQx4KXJLZm454NS
+
+default_redirection_url: https://www.wettsten.duckdns.org
+
+server:
+ host: 0.0.0.0
+ port: 9091
+ path: ""
+ read_buffer_size: 4096
+ write_buffer_size: 4096
+ enable_pprof: false
+ enable_expvars: false
+ disable_healthcheck: false
+ tls:
+ key: ""
+ certificate: ""
+
+ntp:
+ address: "0.debian.pool.ntp.org:123"
+ version: 3
+ max_desync: 3s
+ disable_startup_check: true
+ disable_failure: true
+
+log:
+ level: info
+
+totp:
+ disable: true
+ issuer: wettsten.duckdns.org
+ algorithm: sha1
+ digits: 6
+ period: 30
+ skew: 1
+ secret_size: 32
+
+authentication_backend:
+ disable_reset_password: true
+ refresh_interval: 5m
+ file:
+ path: /config/users_database.yml
+ password:
+ algorithm: argon2id
+ iterations: 1
+ salt_length: 16
+ parallelism: 8
+ memory: 65536
+
+access_control:
+ default_policy: deny
+ rules:
+ ## bypass api for subdomains
+ - domain: "*.wettsten.duckdns.org"
+ resources:
+ - "^/api([/?].*)?$"
+ policy: bypass
+ # bypass subdomains
+ - domain:
+ - auth.wettsten.duckdns.org
+ - bitwarden.wettsten.duckdns.org
+ - overseerr.wettsten.duckdns.org
+ - plex.wettsten.duckdns.org
+ policy: bypass
+ # two_factor subdomains
+ - domain:
+ - wettsten.duckdns.org
+ - bazarr.wettsten.duckdns.org
+ - dozzle.wettsten.duckdns.org
+ - jackett.wettsten.duckdns.org
+ - jdownloader.wettsten.duckdns.org
+ - jellyfin.wettsten.duckdns.org
+ - lidarr.wettsten.duckdns.org
+ - metube.wettsten.duckdns.org
+ - monitorr.wettsten.duckdns.org
+ - mstream.wettsten.duckdns.org
+ - nzbhydra.wettsten.duckdns.org
+ - portainer.wettsten.duckdns.org
+ - prowlarr.wettsten.duckdns.org
+ - qbittorrent.wettsten.duckdns.org
+ - radarr.wettsten.duckdns.org
+ - sabnzbd.wettsten.duckdns.org
+ - sonarr.wettsten.duckdns.org
+ - www.wettsten.duckdns.org
+ policy: one_factor
+
+session:
+ name: authelia_session
+ domain: wettsten.duckdns.org
+ same_site: lax
+ secret: MEMPBs5aRRDfWNRJLX6E
+ expiration: 6h
+ inactivity: 5m
+ remember_me_duration: 1w
+
+regulation:
+ max_retries: 3
+ find_time: 10m
+ ban_time: 12h
+
+storage:
+ local:
+ path: /config/db.sqlite3
+ encryption_key: iY7wSMosjZFQDAunYob3oShTcYCHtXx9
+
+notifier:
+ disable_startup_check: true
+ smtp:
+ username: akanealw@gmail.com
+ password: qlvmffuzpscltdgz
+ host: smtp.gmail.com
+ port: 587
+ sender: akanealw@gmail.com
+ identifier: dockerserver
+ subject: "[Authelia] {title}"
+ startup_check_address: akanealw@gmail.com
+ disable_require_tls: false
+ disable_html_emails: false
+ tls:
+ skip_verify: false
+ minimum_version: TLS1.2
diff --git a/authelia/npnmsnippets/authelia-authrequest.conf b/authelia/npnmsnippets/authelia-authrequest.conf
new file mode 100644
index 0000000..60029e3
--- /dev/null
+++ b/authelia/npnmsnippets/authelia-authrequest.conf
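Review bot: the first `access_control` rule bypasses Authelia for `^/api([/?].*)?$` on `"*.wettsten.duckdns.org"`, i.e. on every subdomain including all of the hosts listed under `one_factor` (sonarr, radarr, portainer, dozzle, ...), so those API paths are protected only by whatever each app enforces itself, which for some of them is presumably a login and for others may be nothing. Narrow it to the hosts that actually need unauthenticated API access (typically the *arr apps so Overseerr and the download clients can reach them), e.g. `- domain: ["sonarr.wettsten.duckdns.org", "radarr.wettsten.duckdns.org"]` with the same `resources:`, and replace the `## bypass api for subdomains` comment with one naming the caller that needs each bypass. `jwt_secret` (22 characters) and `session.secret` (20 characters) are short compared with what Authelia recommends (64+ random characters, as I recall); regenerating them is cheap and only forces a re-login. All of these values, including the SMTP `password` and `storage.local.encryption_key`, can be supplied through Authelia's `*_FILE` environment variables (e.g. `AUTHELIA_JWT_SECRET_FILE`) so the committed config carries no secrets at all.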
@@ -0,0 +1,25 @@
+## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
+auth_request /authelia;
+
+## Set the $target_url variable based on the original request.
+
+## Comment this line if you're using nginx without the http_set_misc module.
+set_escape_uri $target_url $scheme://$http_host$request_uri;
+
+## Uncomment this line if you're using NGINX without the http_set_misc module.
+# set $target_url $scheme://$http_host$request_uri;
+
+## Save the upstream response headers from Authelia to variables.
+auth_request_set $user $upstream_http_remote_user;
+auth_request_set $groups $upstream_http_remote_groups;
+auth_request_set $name $upstream_http_remote_name;
+auth_request_set $email $upstream_http_remote_email;
+
+## Inject the response headers from the variables into the request made to the backend.
+proxy_set_header Remote-User $user;
+proxy_set_header Remote-Groups $groups;
+proxy_set_header Remote-Name $name;
+proxy_set_header Remote-Email $email;
+
+## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
+error_page 401 =302 https://auth.wettsten.duckdns.org/?rd=$target_url;
\ No newline at end of file
diff --git a/authelia/npnmsnippets/authelia-location.conf b/authelia/npnmsnippets/authelia-location.conf
new file mode 100644
index 0000000..62c874d
--- /dev/null
+++ b/authelia/npnmsnippets/authelia-location.conf
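Review bot: nothing documents how these snippets reach nginx: they are committed under `authelia/npnmsnippets/` but are included as `/snippets/authelia-*.conf`, which in docker-compose.yml is the `./appdata/nginxproxymanager/snippets:/snippets:ro` bind mount, and `appdata/` is gitignored. Add a header comment such as `## Copy to appdata/nginxproxymanager/snippets/ (mounted read-only at /snippets in the nginxproxymanager container); nginx-proxy-manager is OpenResty-based, so set_escape_uri is available` here and in the two sibling snippets, or a README with the copy step. `error_page 401 =302 https://auth.wettsten.duckdns.org/?rd=$target_url;` hardcodes the portal host while `$target_url` is built from `$scheme`, which is fine as long as every protected host is served only over HTTPS; a comment stating that assumption would help.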
@@ -0,0 +1,36 @@
+set $upstream_authelia http://authelia:9091/api/verify;
+
+## Virtual endpoint created by nginx to forward auth requests.
+location /authelia {
+ ## Essential Proxy Configuration
+ internal;
+ proxy_pass $upstream_authelia;
+
+ ## Headers
+ ## The headers starting with X-* are required.
+ proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+ proxy_set_header X-Original-Method $request_method;
+ proxy_set_header X-Forwarded-Method $request_method;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-Uri $request_uri;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Content-Length "";
+ proxy_set_header Connection "";
+
+ ## Basic Proxy Configuration
+ proxy_pass_request_body off;
+ proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
+ proxy_redirect http:// $scheme://;
+ proxy_http_version 1.1;
+ proxy_cache_bypass $cookie_session;
+ proxy_no_cache $cookie_session;
+ proxy_buffers 4 32k;
+ client_body_buffer_size 128k;
+
+ ## Advanced Proxy Configuration
+ send_timeout 5m;
+ proxy_read_timeout 240;
+ proxy_send_timeout 240;
+ proxy_connect_timeout 240;
+}
\ No newline at end of file
diff --git a/authelia/npnmsnippets/authelia-proxy.conf b/authelia/npnmsnippets/authelia-proxy.conf
new file mode 100644
index 0000000..e42cecf
--- /dev/null
+++ b/authelia/npnmsnippets/authelia-proxy.conf
@@ -0,0 +1,8 @@
+## Headers
+proxy_set_header Host $host;
+proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $http_host;
+proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_set_header X-Forwarded-For $remote_addr;
diff --git a/authelia/users_database.yml b/authelia/users_database.yml
new file mode 100644
index 0000000..ab2335c
--- /dev/null
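Review bot: `proxy_set_header X-Forwarded-For $remote_addr;` is the right choice while nginxproxymanager is the edge, because a client cannot spoof it and `regulation` in configuration.yml bans that address for 12h after 3 failures; it deserves a comment so nobody "improves" it to `$proxy_add_x_forwarded_for`, e.g. `## $remote_addr on purpose: Authelia regulation keys on it; only switch to a realip-trusted chain if a CDN/tunnel is placed in front`. The upstream `http://authelia:9091/api/verify` resolves by service name only because authelia and nginxproxymanager sit in the same compose project's default network; worth stating in the `## Virtual endpoint` comment. `/api/verify` is, as far as I recall, the legacy endpoint in recent Authelia releases (superseded by `/api/authz/auth-request`), and the root compose pulls `authelia/authelia` with no tag, so pin the image to the version this snippet was written against so an unattended pull cannot break or weaken the auth path. The same X-Forwarded-For comment applies to the authelia-proxy.conf hunk in this same line.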
+++ b/authelia/users_database.yml
@@ -0,0 +1,14 @@
+users:
+ akanealw:
+ displayname: "akanealw"
+ password: "$argon2id$v=19$m=65536,t=3,p=4$eVOj3zZy10f8rhtPEH32TQ$RN47v7E4He71IfeeMMCH977exliIyKjVipXHEDWgUh0"
+ email: akanealw@gmail.com
+ groups:
+ - admins
+
+ wettsten:
+ displayname: "wettsten"
+ password: "$argon2id$v=19$m=65536,t=3,p=4$pdeSOsqnVZB7I03tvC5JvA$gfiVxDvz1NVQw2yqGwgcz/fOumms2+asiFi8QVk2D38"
+ email: scott.wettstein@gmail.com
+ groups:
+ - admins
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..0f903e3
--- /dev/null
+++ b/docker-compose.yml
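Review bot: this file is runtime state for Authelia (configuration.yml points `authentication_backend.file.path` at `/config/users_database.yml`, which the root compose maps to the gitignored `./appdata/authelia/config`), yet it is committed with both users' argon2id hashes and e-mail addresses; a hash in a repository is an offline-guessing target, so keep the real file out of the repo, commit a `users_database.example.yml` with a placeholder hash for documentation, and rotate both passwords if this repository has ever been public. The hashes carry `m=65536,t=3,p=4` while configuration.yml sets `iterations: 1` and `parallelism: 8`; as far as I know Authelia verifies against the parameters embedded in the hash string, so this only affects passwords hashed in future, but the mismatch deserves a comment in one of the two files. Quoting `displayname` and the `$`-prefixed hashes is correct YAML here and should stay.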
@@ -0,0 +1,371 @@ +version: '3' + +services: + authelia: + container_name: authelia + image: authelia/authelia + environment: + - TZ=${TZ} + ports: + - 9091:9091 + restart: always + volumes: + - ./appdata/authelia/config:/config + + bazarr: + container_name: bazarr + image: lscr.io/linuxserver/bazarr:latest + environment: + - PUID=${PUID} + - PGID=${PGID} + - TZ=${TZ} + ports: + - 6767:6767 + restart: unless-stopped + volumes: + - ./appdata/bazarr/config:/config + - ${MEDIA_DIR}:/media + + bitwarden: + container_name: bitwarden + image: vaultwarden/server:latest + environment: + - TZ=${TZ} + - ADMIN_TOKEN=x/7NNVrKQ4DwYhUGgZjMNWiZG32GZGH149xG2C8gYgIWkRDSOJvgpu4eNKsgt0Wf + - DATABASE_URL=data/db.sqlite3 + - DISABLE_ADMIN_TOKEN=false + - DOMAIN=https://bitwarden.wettsten.duckdns.org + - ENABLE_DB_WAL=true + - INVITATIONS_ALLOWED=false + - SHOW_PASSWORD_HINT=false + - SIGNUPS_ALLOWED=false + - SIGNUPS_VERIFY=false + - SMTP_PORT=587 + - SMTP_SSL=true + ports: + - 8089:80/tcp + restart: always + volumes: + - ./appdata/vaultwarden/data:/data + - /etc/localtime:/etc/localtime:ro + + duckdns: + container_name: duckdns + image: lscr.io/linuxserver/duckdns:latest + environment: + - PUID=${PUID} + - PGID=${PGID} + - TZ=${TZ} + - SUBDOMAINS=wettsten.duckdns.org + - TOKEN=b0567791-f8b7-4dcf-9fe6-9aaf01b5ca5b + - LOG_FILE=false + restart: unless-stopped + volumes: + - ./appdata/duckdns/config:/config + + gluetun: + container_name: gluetun + image: qmcgaw/gluetun + environment: + - VPN_SERVICE_PROVIDER=mullvad + - VPN_TYPE=wireguard + - WIREGUARD_PRIVATE_KEY=EF+kcKWzSCopilHEHcHsXsLVaS9JcF/3Fv/tJ8JLe1k= + - WIREGUARD_ADDRESSES=10.64.35.88/32 + - HTTPPROXY=on + - SERVER_CITIES=Chicago IL + - TZ=${TZ} + cap_add: + - NET_ADMIN + devices: + - /dev/net/tun:/dev/net/tun + ports: + - 3129:3129/tcp # Jdownloader + - 5800:5800/tcp # Jdownloader + - 5900:5900/tcp # Jdownloader + - 8888:8888/tcp # HTTP proxy + - 8181:8080/tcp # SABnzbd + - 8191:8090/tcp # SABnzbd + - 8282:8282/tcp # 
qBittorrent + - 56577:6881/tcp # qBittorrent + - 56577:6881/udp # qBittorrent + restart: unless-stopped + volumes: + - ./appdata/gluetun:/gluetun + + jackett: + container_name: jackett + image: binhex/arch-jackett:latest + environment: + - PGID=${PGID} + - PUID=${PUID} + - UMASK=${UMASK} + ports: + - 9117:9117/tcp + restart: unless-stopped + volumes: + - ./appdata/jackett/config:/config + - ${MEDIA_DIR}/downloads/torrents:/torrents + - /etc/localtime:/etc/localtime:ro + + jdownloader: + container_name: jdownloader + image: jlesage/jdownloader-2:latest + environment: + - PGID=${PGID} + - PUID=${PUID} + - UMASK=${UMASK} + - TZ=${TZ} + - KEEP_APP_RUNNING=1 + - CLEAN_TMP_DIR=1 + - XDG_DOWNLOAD_DIR=/downloads +# - MYJD_USER=akanealw@gmail.com +# - MYJD_PASSWORD=trUKY4X8wzGiCr75ZmC9 +# - MYJD_DEVICE_NAME=dockerserver + network_mode: "service:gluetun" + restart: unless-stopped + volumes: + - ./appdata/jdownloader/config:/config + - ${MEDIA_DIR}/downloads/jdownloader:/downloads + - /etc/localtime:/etc/localtime:ro + + jellyfin: + container_name: jellyfin + image: lscr.io/linuxserver/jellyfin:latest + environment: + - PUID=${PUID} + - PGID=${PGID} + - TZ=${TZ} + - JELLYFIN_PublishedServerUrl=192.168.1.33 + ports: + - 8096:8096 + restart: unless-stopped + volumes: + - ./appdata/jellyfin/config:/config + - ${MEDIA_DIR}/tvshows:/tvshows + - ${MEDIA_DIR}/movies:/movies + + lidarr: + container_name: lidarr + image: lscr.io/linuxserver/lidarr:latest + environment: + - PGID=${PGID} + - PUID=${PUID} + - TZ=${TZ} + ports: + - 8686:8686 + restart: unless-stopped + volumes: + - ./appdata/lidarr/config:/config + - ${MEDIA_DIR}/music/Albums:/music + - ${MEDIA_DIR}/downloads/music:/downloads + + metube: + container_name: metube + image: alexta69/metube + environment: + - STATE_DIR=/config + - PUID=${PUID} + - PGID=${PGID} + ports: + - 8082:8081 + restart: unless-stopped + volumes: + - ${MEDIA_DIR}/downloads/youtubedl:/downloads + - ./appdata/metube:/config + + monitorr: + container_name: 
monitorr + image: monitorr/monitorr:latest + environment: + - PGID=${PGID} + - PUID=${PUID} + - TZ=${TZ} + ports: + - 8084:80/tcp + restart: unless-stopped + volumes: + - ${MEDIA_DIR}:/HD:ro + - ./appdata/monitorr/app:/app + - ./appdata/monitorr/config:/config + - /etc/localtime:/etc/localtime:ro + + mstream: + container_name: mstream + image: lscr.io/linuxserver/mstream:latest + environment: + - PUID=${PUID} + - PGID=${PGID} + - TZ=${TZ} + ports: + - 3001:3000 + restart: unless-stopped + volumes: + - ./appdata/mstream:/config + - ${MEDIA_DIR}/music:/music + + nginxproxymanager: + container_name: nginxproxymanager + image: jc21/nginx-proxy-manager:2.9.22 + environment: + - X_FRAME_OPTIONS=sameorigin + - DB_SQLITE_FILE=/data/database.sqlite + ports: + - 443:443/tcp + - 80:80/tcp + - 81:81/tcp + restart: always + volumes: + - ./appdata/nginxproxymanager/data:/data + - ./appdata/nginxproxymanager/letsencrypt:/etc/letsencrypt + - ./appdata/nginxproxymanager/snippets:/snippets:ro + - /etc/localtime:/etc/localtime:ro + + nzbhydra: + container_name: nzbhydra + image: binhex/arch-nzbhydra2:latest + environment: + - PGID=${PGID} + - PUID=${PUID} + - UMASK=${UMASK} + ports: + - 5076:5076/tcp + restart: unless-stopped + volumes: + - ./appdata/nzbhydra/data:/data + - ./appdata/nzbhydra/config:/config + - ${MEDIA_DIR}/downloads:/downloads + - /etc/localtime:/etc/localtime:ro + + organizr: + container_name: organizr + image: organizr/organizr:latest + environment: + - PGID=${PGID} + - PUID=${PUID} + - FPM=true + ports: + - 8085:80/tcp + restart: unless-stopped + volumes: + - ./appdata/organizr/config:/config + - /etc/localtime:/etc/localtime:ro + + overseerr: + container_name: overseerr + image: sctx/overseerr:latest + environment: + - LOG_LEVEL=info + - TZ=${TZ} + ports: + - 5055:5055 + restart: unless-stopped + volumes: + - ./appdata/overseerr/config:/app/config + - /etc/localtime:/etc/localtime:ro + + plex: + container_name: plex + image: lscr.io/linuxserver/plex:latest + 
network_mode: host + environment: + - PUID=${PUID} + - PGID=${PGID} + - TZ=${TZ} + - VERSION=docker + - PLEX_CLAIM= #optional + restart: unless-stopped + volumes: + - ./appdata/plex/config:/config + - ${MEDIA_DIR}/tvshows:/tvshows + - ${MEDIA_DIR}/movies:/movies + + prowlarr: + container_name: prowlarr + image: ghcr.io/linuxserver/prowlarr:develop + environment: + - PUID=${PUID} + - PGID=${PGID} + - TZ=${TZ} + ports: + - 9696:9696 + restart: unless-stopped + volumes: + - ./appdata/prowlarr/config:/config + + qbittorrent: + container_name: qbittorrent + image: lscr.io/linuxserver/qbittorrent:latest + environment: + - PUID=${PUID} + - PGID=${PGID} + - TZ=${TZ} + - WEBUI_PORT=8282 + network_mode: "service:gluetun" + restart: unless-stopped + volumes: + - ./appdata/qbittorrent/config:/config + - ${MEDIA_DIR}:/media + - ${MEDIA_DIR}/downloads/torrents:/torrents + + radarr: + container_name: radarr + image: lscr.io/linuxserver/radarr:latest + environment: + - PUID=${PUID} + - PGID=${PGID} + - TZ=${TZ} + ports: + - 7878:7878 + restart: unless-stopped + volumes: + - ./appdata/radarr:/config + - ${MEDIA_DIR}:/media + + sabnzbd: + container_name: sabnzbd + image: lscr.io/linuxserver/sabnzbd:latest + environment: + - PUID=${PUID} + - PGID=${PGID} + - TZ=${TZ} + network_mode: "service:gluetun" + restart: unless-stopped + volumes: + - ./appdata/sabnzbd:/config + - ${MEDIA_DIR}:/media + - ${MEDIA_DIR}/downloads/nzbs:/nzbs + + sonarr: + container_name: sonarr + image: lscr.io/linuxserver/sonarr:latest + environment: + - PUID=${PUID} + - PGID=${PGID} + - TZ=${TZ} + ports: + - 8989:8989 + restart: unless-stopped + volumes: + - ./appdata/sonarr/config:/config + - ${MEDIA_DIR}:/media + +# swag: +# container_name: swag +# image: lscr.io/linuxserver/swag +# environment: +# - PUID=${PUID} +# - PGID=${PGID} +# - TZ=${TZ} +# - URL=wettsten.duckdns.org +# - SUBDOMAINS=wildcard +# - VALIDATION=duckdns +# - DUCKDNSTOKEN=b0567791-f8b7-4dcf-9fe6-9aaf01b5ca5b +# - 
EMAIL=scott.wettstein@gmail.com +# cap_add: +# - NET_ADMIN +# ports: +# - 443:443 +# - 80:80 +# restart: unless-stopped +# volumes: +# - ./appdata/swag/config:/config
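Review bot: almost every service publishes its port on all interfaces (`- 9091:9091`, `- 7878:7878`, `- 8989:8989`, the gluetun block's `- 8888:8888/tcp # HTTP proxy`, ...), so the nginxproxymanager + Authelia layer protects only the hostname route and anyone who reaches the host directly gets the app's own login or, for the gluetun proxy with `HTTPPROXY=on`, an unauthenticated VPN egress. Services meant to be reached only through the proxy do not need `ports:` at all, since nginxproxymanager is in the same compose project and can target them by service name (`http://sonarr:8989`); if LAN use of the gluetun proxy is intended, gluetun's `HTTPPROXY_USER`/`HTTPPROXY_PASSWORD` should be set. The `ADMIN_TOKEN`, `TOKEN` and `WIREGUARD_PRIVATE_KEY` values and the commented-out `MYJD_PASSWORD`/`DUCKDNSTOKEN` share the plaintext-secret problem raised on the `.env` hunk and should become `${VAR}` references like the `PUID`/`PGID` lines already are, with the values living in an ignored `.env`. `image: authelia/authelia` has no tag and most other images are `:latest`; pin at least the auth path (nginxproxymanager is already pinned to `2.9.22`). The hunk header announces 371 lines and the file appears to end at the commented swag block, but confirm this chunk is complete before relying on these line references.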