Split docker compose file into individual service files

.gitignore

@@ -190,6 +190,10 @@ backup-scripts/*
 !backups
 backups/*
 
+# Include the compose directory
+!compose
+!compose/*
+
 # Include the .github directory
 !.github
 !.github/*

appdata/traefik2/rules/middlewares-chains.yml

@@ -48,3 +48,11 @@ http:
           - middlewares-rate-limit
           - nextcloud-middlewares-secure-headers
           - nextcloud-redirect
+
+    chain-audiobookshelf:
+      chain:
+        middlewares:
+          - middlewares-rate-limit
+          - middlewares-secure-headers-audiobookshelf
+          ## Need to use audiobookshelf authentication
+          # - middlewares-authelia

appdata/traefik2/rules/middlewares.yml

@@ -46,6 +46,39 @@ http:
           X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
           server: ""
 
+    middlewares-secure-headers-audiobookshelf:
+      headers:
+        ## Disable per https://github.com/advplyr/audiobookshelf/blob/32da0f12242602ae18b858eaf8a4faa48cffb7a9/readme.md?plain=1#L246-L254
+        # accessControlAllowMethods:
+        #   - GET
+        #   - OPTIONS
+        #   - PUT
+        # accessControlMaxAge: 100
+        hostsProxyHeaders:
+          - "X-Forwarded-Host"
+        stsSeconds: 63072000
+        stsIncludeSubdomains: true
+        stsPreload: true
+        forceSTSHeader: true
+        # frameDeny: true  # Overwritten by customFrameOptionsValue
+        ## CSP takes care of this but may be needed for organizr.
+        customFrameOptionsValue: 'allow-from https:{{env "DOMAINNAME0"}}'
+        contentTypeNosniff: true
+        browserXssFilter: true
+        # sslForceHost: true  # Add sslHost to all of the services
+        # sslHost: "{{env "DOMAINNAME0"}}"
+        referrerPolicy: "same-origin"
+        ## Setting contentSecurityPolicy is more secure but it can break
+        ## things. Proper auth will reduce the risk. The below line also breaks
+        ## some apps due to 'none' - sonarr, radarr, etc.
+        ## yamllint disable-line rule:line-length
+        # contentSecurityPolicy: "frame-ancestors '*.{{env "DOMAINNAME0"}}:*';object-src 'none';script-src 'none';"
+        ## yamllint disable-line rule:line-length
+        permissionsPolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
+        customResponseHeaders:
+          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
+          server: ""
+
     ## Documentation: https://www.authelia.com/integration/proxies/traefik/
     middlewares-authelia:
       forwardAuth:

compose/adminer.yml

@@ -0,0 +1,26 @@
+---
+services:
+  ## Adminer - Database management in a single PHP file.
+  adminer:
+    container_name: adminer
+    image: adminer:latest
+    networks:
+      - t2_proxy
+    security_opt:
+      - no-new-privileges:true
+    restart: unless-stopped
+    environment:
+      ## https://github.com/vrana/adminer/tree/master/designs
+      # ADMINER_DESIGN: 'nette'
+      ADMINER_DEFAULT_SERVER: postgres
+    labels:
+      - "traefik.enable=true"
+      ## HTTP Routers
+      - "traefik.http.routers.adminer-rtr.entrypoints=https"
+      - "traefik.http.routers.adminer-rtr.rule=Host(`adminer.$DOMAINNAME0`)"
+      - "traefik.http.routers.adminer-rtr.tls.options=tls-opts@file"
+      ## Middlewares
+      - "traefik.http.routers.adminer-rtr.middlewares=chain-authelia@file"
+      ## HTTP Services
+      - "traefik.http.routers.adminer-rtr.service=adminer-svc"
+      - "traefik.http.services.adminer-svc.loadbalancer.server.port=8080"

compose/audiobookshelf.yml

@@ -0,0 +1,33 @@
+---
+services:
+  # audiobookshelf - Self-hosted audiobook and podcast server
+  audiobookshelf:
+    image: ghcr.io/advplyr/audiobookshelf:latest
+    container_name: audiobookshelf
+    networks:
+      - t2_proxy
+    security_opt:
+      - no-new-privileges:true
+    restart: unless-stopped
+    volumes:
+      - $APPDIR/audiobookshelf/config:/config
+      - $DATADIR/media/audiobooks:/audiobooks
+      - $DATADIR/media/podcasts:/podcasts
+      ## Could be in $DATADIR to minimize storage usage on host
+      - $APPDIR/audiobookshelf/metadata:/metadata
+    environment:
+      # HOST: 127.0.0.1
+      PORT: $AUDIOBOOKSHELF_PORT
+      SOURCE: docker
+      ALLOW_CORS: 1
+    labels:
+      - "traefik.enable=true"
+      ## HTTP Routers
+      - "traefik.http.routers.audiobookshelf-rtr.entrypoints=https"
+      - "traefik.http.routers.audiobookshelf-rtr.rule=Host(`abs.$DOMAINNAME0`)"
+      - "traefik.http.routers.audiobookshelf-rtr.tls.options=tls-opts@file"
+      ## Middlewares
+      - "traefik.http.routers.audiobookshelf-rtr.middlewares=chain-audiobookshelf@file"
+      ## HTTP Services
+      - "traefik.http.routers.audiobookshelf-rtr.service=audiobookshelf-svc"
+      - "traefik.http.services.audiobookshelf-svc.loadbalancer.server.port=$AUDIOBOOKSHELF_PORT"

compose/authelia.yml

@@ -0,0 +1,68 @@
+---
+secrets:
+  authelia_duo_api_secret_key:
+    file: $SECRETSDIR/authelia_duo_api_secret_key
+  authelia_identity_validation_reset_password_jwt_secret_file:
+    ## https://www.grc.com/passwords.htm
+    file: $SECRETSDIR/authelia_identity_validation_reset_password_jwt_secret_file
+  authelia_notifier_smtp_password:
+    file: $SECRETSDIR/authelia_notifier_smtp_password
+  authelia_session_redis_password:
+    file: $SECRETSDIR/authelia_session_redis_password
+  authelia_session_secret:
+    file: $SECRETSDIR/authelia_session_secret
+  authelia_storage_encryption_key:
+    file: $SECRETSDIR/authelia_storage_encryption_key
+  authelia_storage_mysql_password:
+    file: $SECRETSDIR/authelia_storage_mysql_password
+services:
+  ## Authelia (Lite) - Self-Hosted Single Sign-On and Two-Factor Authentication
+  ## For configuration file template see
+  ## https://github.com/authelia/authelia/blob/master/config.template.yml
+  authelia:
+    container_name: authelia
+    ## Check this before upgrading:
+    ## https://github.com/authelia/authelia#breaking-changes
+    image: ghcr.io/authelia/authelia:4.38
+    networks:
+      - t2_proxy
+    security_opt:
+      - no-new-privileges:true
+    restart: always
+    ## Allow for separate configuration and acl configuration files
+    ## See https://www.authelia.com/configuration/methods/files/#docker-compose
+    volumes:
+      - $APPDIR/authelia/config/configuration.yml:/config/configuration.yml
+      - $APPDIR/authelia/config/configuration.acl.yml:/config/configuration.acl.yml
+      - $APPDIR/authelia/config/users_database.yml:/config/users_database.yml
+    environment:
+      ## Using PUID:PGID causes container to be unable to read secrets
+      # <<: *default-tz-puid-pgid
+      TZ: $TZ
+      AUTHELIA_SESSION_SECRET_FILE: /run/secrets/authelia_session_secret
+      X_AUTHELIA_CONFIG: /config/configuration.yml,/config/configuration.acl.yml
+      AUTHELIA_DUO_API_SECRET_KEY_FILE: /run/secrets/authelia_duo_api_secret_key
+      AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE: /run/secrets/authelia_identity_validation_reset_password_jwt_secret_file
+      AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE: /run/secrets/authelia_notifier_smtp_password
+      AUTHELIA_SESSION_REDIS_PASSWORD_FILE: /run/secrets/authelia_session_redis_password
+      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/authelia_storage_encryption_key
+      AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE: /run/secrets/authelia_storage_mysql_password
+    secrets:
+      - authelia_identity_validation_reset_password_jwt_secret_file
+      - authelia_session_secret
+      - authelia_session_redis_password
+      - authelia_storage_mysql_password
+      - authelia_notifier_smtp_password
+      - authelia_duo_api_secret_key
+      - authelia_storage_encryption_key
+    labels:
+      - "traefik.enable=true"
+      ## HTTP Routers
+      - "traefik.http.routers.authelia-rtr.entrypoints=https"
+      - "traefik.http.routers.authelia-rtr.rule=Host(`auth.$DOMAINNAME0`)"
+      - "traefik.http.routers.authelia-rtr.tls.options=tls-opts@file"
+      ## Middlewares
+      - "traefik.http.routers.authelia-rtr.middlewares=chain-authelia@file"
+      ## HTTP Services
+      - "traefik.http.routers.authelia-rtr.service=authelia-svc"
+      - "traefik.http.services.authelia-svc.loadbalancer.server.port=$AUTHELIA_PORT"

compose/authentik.yml

@@ -0,0 +1,167 @@
+---
+secrets:
+  authentik_email__password:
+    file: $SECRETSDIR/authentik_email__password
+  authentik_postgresql__name:
+    file: $SECRETSDIR/authentik_postgresql__name
+  authentik_postgresql__user:
+    file: $SECRETSDIR/authentik_postgresql__user
+  authentik_postgresql__password:
+    file: $SECRETSDIR/authentik_postgresql__password
+  authentik_redis__password:
+    file: $SECRETSDIR/authentik_redis__password
+  authentik_secret_key:
+    file: $SECRETSDIR/authentik_secret_key
+  authentik_token_ldap:
+    file: $SECRETSDIR/authentik_token_ldap
+services:
+  ## Authentik - an open-source Identity Provider, focused on flexibility and
+  ## versatility
+  authentik:
+    container_name: authentik
+    image: ghcr.io/goauthentik/server:latest
+    networks:
+      - t2_proxy
+    security_opt:
+      - no-new-privileges:true
+    restart: always
+    command: server
+    # ports:
+    #   - "$AUTHENTIK_PORT:$AUTHENTIK_PORT"
+    volumes:
+      - $APPDIR/authentik/media:/media
+      - $APPDIR/authentik/templates:/templates
+    environment:
+      ## https://goauthentik.io/docs/installation/configuration
+      ## Test configuration with `dcrun2 run --rm authentik-server dump_config`
+      ## Use `file://` prefix to load from docker secret
+      ## https://goauthentik.io/docs/installation/configuration#about-authentik-configurations
+      COMPOSE_PORT_HTTP: $AUTHENTIK_PORT
+      # COMPOSE_PORT_HTTPS:
+      AUTHENTIK_POSTGRESQL__HOST: $POSTGRES_HOST
+      AUTHENTIK_POSTGRESQL__NAME: file:///run/secrets/authentik_postgresql__name
+      AUTHENTIK_POSTGRESQL__USER: file:///run/secrets/authentik_postgresql__user
+      AUTHENTIK_POSTGRESQL__PORT: $POSTGRES_PORT
+      AUTHENTIK_POSTGRESQL__PASSWORD: file:///run/secrets/authentik_postgresql__password
+      AUTHENTIK_REDIS__HOST: $REDIS_HOST
+      AUTHENTIK_REDIS__PORT: $REDIS_PORT
+      # AUTHENTIK_REDIS__USERNAME: $REDIS_USER
+      AUTHENTIK_REDIS__PASSWORD: file:///run/secrets/authentik_redis__password
+      AUTHENTIK_LISTEN__HTTP: "0.0.0.0:${AUTHENTIK_PORT}"
+      # AUTHENTIK_LISTEN__HTTPS: "0.0.0.0:"
+      AUTHENTIK_LISTEN__LDAP: "0.0.0.0:${AUTHENTIK_LDAP_PORT}"
+      AUTHENTIK_LISTEN__LDAPS: "0.0.0.0:${AUTHENTIK_LDAPS_PORT}"
+      AUTHENTIK_LISTEN__METRICS: "0.0.0.0:${AUTHENTIK_METRICS_PORT}"
+      AUTHENTIK_LISTEN__DEBUG: "0.0.0.0:${AUTHENTIK_DEBUG_PORT}"
+      # AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS:
+      AUTHENTIK_SECRET_KEY: file:///run/secrets/authentik_secret_key
+      AUTHENTIK_LOG_LEVEL: info # trace, debug, info, warning, error
+      AUTHENTIK_COOKIE_DOMAIN: $DOMAINNAME0
+      # AUTHENTIK_ERROR_REPORTING__ENABLED: 'true'
+      AUTHENTIK_EMAIL__HOST: $EMAIL_SERVER
+      AUTHENTIK_EMAIL__PORT: $EMAIL_SERVER_PORT
+      AUTHENTIK_EMAIL__USERNAME: $EMAIL_SERVER_USER
+      AUTHENTIK_EMAIL__PASSWORD: file:///run/secrets/authentik_email__password
+      AUTHENTIK_EMAIL__USE_TLS: "false"
+      AUTHENTIK_EMAIL__USE_SSL: "true"
+      AUTHENTIK_EMAIL__TIMEOUT: 10
+      AUTHENTIK_EMAIL__FROM: server@authentik.$DOMAINNAME0
+      AUTHENTIK_AVATARS: initials
+      AUTHENTIK_DEFAULT_USER_CHANGE_NAME: "true"
+      AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: "true"
+      AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: "true"
+      AUTHENTIK_GDPR_COMPLIANCE: "true"
+      # AUTHENTIK_DEFAULT_TOKEN_LENGTH:
+      AUTHENTIK_IMPERSONATION: "true"
+      # AUTHENTIK_FOOTER_LINKS:
+      # COMPOSE_PORT_HTTPS:
+    secrets:
+      - authentik_postgresql__name
+      - authentik_postgresql__user
+      - authentik_postgresql__password
+      - authentik_redis__password
+      - authentik_secret_key
+      - authentik_email__password
+    labels:
+      - "traefik.enable=true"
+      ## HTTP Routers
+      - "traefik.http.routers.authentik-rtr.entrypoints=https"
+      - "traefik.http.routers.authentik-rtr.rule=Host(`authentik.$DOMAINNAME0`)"
+      - "traefik.http.routers.authentik-rtr.tls.options=tls-opts@file"
+      ## Middlewares
+      ## Do not use authentication, but use rate limiting and secure headers
+      - "traefik.http.routers.authentik-rtr.middlewares=chain-no-auth@file"
+      ## HTTP Services
+      - "traefik.http.routers.authentik-rtr.service=authentik-svc"
+      - "traefik.http.services.authentik-svc.loadbalancer.server.port=$AUTHENTIK_PORT"
+
+  authentik-worker:
+    container_name: authentik-worker
+    image: ghcr.io/goauthentik/server:latest
+    networks:
+      - t2_proxy
+    security_opt:
+      - no-new-privileges:true
+    restart: always
+    command: worker
+    ## `user: root` and the docker socket volume are optional.
+    ## See more for the docker socket integration here:
+    ## https://goauthentik.io/docs/outposts/integrations/docker
+    ## Removing `user: root` also prevents the worker from fixing the
+    ## permissions on the mounted folders, so when removing this make sure the
+    ## folders have the correct UID/GID (1000:1000 by default)
+    user: root
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - $APPDIR/authentik/media:/media
+      - $APPDIR/authentik/certs:/certs
+      - $APPDIR/authentik/templates:/templates
+    environment:
+      ## https://goauthentik.io/docs/installation/configuration
+      ## Test configuration with `dcrun2 run --rm authentik-server dump_config`
+      ## Use `file://` prefix to load from docker secret
+      ## https://goauthentik.io/docs/installation/configuration#about-authentik-configurations
+      AUTHENTIK_POSTGRESQL__HOST: $POSTGRES_HOST
+      AUTHENTIK_POSTGRESQL__NAME: "file:///run/secrets/authentik_postgresql__name"
+      AUTHENTIK_POSTGRESQL__USER: "file:///run/secrets/authentik_postgresql__user"
+      AUTHENTIK_POSTGRESQL__PORT: $POSTGRES_PORT
+      AUTHENTIK_POSTGRESQL__PASSWORD: "file:///run/secrets/authentik_postgresql__password"
+      AUTHENTIK_REDIS__HOST: $REDIS_HOST
+      AUTHENTIK_REDIS__PORT: $REDIS_PORT
+      # AUTHENTIK_REDIS__USERNAME: $REDIS_USER
+      AUTHENTIK_REDIS__PASSWORD: "file:///run/secrets/authentik_redis__password"
+      AUTHENTIK_LISTEN__HTTP: "0.0.0.0:${AUTHENTIK_PORT}"
+      # AUTHENTIK_LISTEN__HTTPS: "0.0.0.0:"
+      AUTHENTIK_LISTEN__LDAP: "0.0.0.0:${AUTHENTIK_LDAP_PORT}"
+      AUTHENTIK_LISTEN__LDAPS: "0.0.0.0:${AUTHENTIK_LDAPS_PORT}"
+      AUTHENTIK_LISTEN__METRICS: "0.0.0.0:${AUTHENTIK_METRICS_PORT}"
+      AUTHENTIK_LISTEN__DEBUG: "0.0.0.0:${AUTHENTIK_DEBUG_PORT}"
+      # AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS:
+      AUTHENTIK_SECRET_KEY: "file:///run/secrets/authentik_secret_key"
+      AUTHENTIK_LOG_LEVEL: info # trace, debug, info, warning, error
+      AUTHENTIK_COOKIE_DOMAIN: authentik.$DOMAINNAME0
+      # AUTHENTIK_ERROR_REPORTING__ENABLED: 'true'
+      AUTHENTIK_EMAIL__HOST: $EMAIL_SERVER
+      AUTHENTIK_EMAIL__PORT: $EMAIL_SERVER_PORT
+      AUTHENTIK_EMAIL__USERNAME: $EMAIL_SERVER_USER
+      AUTHENTIK_EMAIL__PASSWORD: "file:///run/secrets/authentik_email__password"
+      AUTHENTIK_EMAIL__USE_TLS: "false"
+      AUTHENTIK_EMAIL__USE_SSL: "true"
+      AUTHENTIK_EMAIL__TIMEOUT: 10
+      AUTHENTIK_EMAIL__FROM: server@authentik.$DOMAINNAME0
+      AUTHENTIK_AVATARS: initials
+      AUTHENTIK_DEFAULT_USER_CHANGE_NAME: "true"
+      AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: "true"
+      AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: "true"
+      AUTHENTIK_GDPR_COMPLIANCE: "true"
+      # AUTHENTIK_DEFAULT_TOKEN_LENGTH:
+      AUTHENTIK_IMPERSONATION: "true"
+      # AUTHENTIK_FOOTER_LINKS:
+      # COMPOSE_PORT_HTTPS:
+    secrets:
+      - authentik_postgresql__name
+      - authentik_postgresql__user
+      - authentik_postgresql__password
+      - authentik_redis__password
+      - authentik_secret_key
+      - authentik_email__password

compose/bazarr.yml

@@ -0,0 +1,37 @@
+---
+services:
+  # Bazarr - Subtitle Management
+  bazarr:
+    image: lscr.io/linuxserver/bazarr
+    container_name: bazarr
+    networks:
+      - t2_proxy
+    security_opt:
+      - no-new-privileges:true
+    restart: unless-stopped
+    volumes:
+      - $APPDIR/bazarr/config:/config
+      - $DATADIR/media:/data/media
+    environment:
+      TZ: $TZ
+      PUID: $PUID
+      PGID: $PGID
+    labels:
+      - "traefik.enable=true"
+      ## HTTP Routers API Auth Bypass
+      - "traefik.http.routers.bazarr-rtr-bypass.entrypoints=https"
+      - "traefik.http.routers.bazarr-rtr-bypass.rule=Host(`bazarr.$DOMAINNAME0`) && (Header(`X-Api-Key`, `$BAZARR_API_KEY`) || Query(`apikey`, `$BAZARR_API_KEY`))"
+      - "traefik.http.routers.bazarr-rtr-bypass.tls.options=tls-opts@file"
+      - "traefik.http.routers.bazarr-rtr-bypass.priority=100"
+      ## HTTP Routers
+      - "traefik.http.routers.bazarr-rtr.entrypoints=https"
+      - "traefik.http.routers.bazarr-rtr.rule=Host(`bazarr.$DOMAINNAME0`)"
+      - "traefik.http.routers.bazarr-rtr.tls.options=tls-opts@file"
+      - "traefik.http.routers.bazarr-rtr.priority=99"
+      ## Middlewares
+      - "traefik.http.routers.bazarr-rtr-bypass.middlewares=chain-no-auth@file"
+      - "traefik.http.routers.bazarr-rtr.middlewares=chain-authelia@file"
+      ## HTTP Services
+      - "traefik.http.routers.bazarr-rtr-bypass.service=bazarr-svc"
+      - "traefik.http.routers.bazarr-rtr.service=bazarr-svc"
+      - "traefik.http.services.bazarr-svc.loadbalancer.server.port=6767"