init

.github/workflows/update-homelab.yml

@@ -0,0 +1,45 @@
+name: Update Homelab Files
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  deploy:
+    runs-on: "self-hosted"
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/checkout@v4  
+        with:
+          repository: LegitCamper/homelab-secrets
+          path: 'secrets'
+          sparse-checkout: |
+            homelab.env
+          sparse-checkout-cone-mode: false
+          token: ${{ secrets.ACCESS_TOKEN }}
+
+      - name: Run a multi-line script
+        run: ls $GITHUB_WORKSPACE && ls -la ~ && pwd
+
+      - name: Copy folder content recursively to remote
+        uses: garygrossgarten/[email protected]
+        with:
+          local: ${{ github.workspace }}
+          remote: /home/${{ secrets.SSH_USER }}/stacks/homelab/
+          host: ${{ secrets.HOST }}
+          username: ${{ secrets.SSH_USER }}
+          password: ${{ secrets.PASSWORD }}
+
+      - name: multiple command
+        uses: appleboy/[email protected]
+        with:
+          host: ${{ secrets.HOST }}
+          username: ${{ secrets.SSH_USER }}
+          password: ${{ secrets.PASSWORD }}
+          script: |
+            cd ~/stacks/homelab/
+            docker compose --env-file ./secrets/homelab.env -f network.yml -f media.yml -f utilities.yml up -d --remove-orphans

media.yml

@@ -0,0 +1,73 @@
+# My homelab media file
+version: "3.9"
+
+networks:
+  web:
+    external: true
+  internal:
+    external: false
+
+services:
+  jellyfin:
+    image: lscr.io/linuxserver/jellyfin
+    container_name: jellyfin
+    restart: always
+    networks:
+      - web
+    ports:
+      - 8096:8096/tcp
+      - 8920:8920
+    volumes:
+      - ${DRIVE}/shows/:/data/tvshows/
+      - ${DRIVE}/movies/:/data/movies/
+      - ${DRIVE}/certbot/certificates/:/data/certs/
+      - ${DRIVE}/jellyfin-conf/:/config/:rw
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=web"
+      - "traefik.http.routers.jellyfin.entrypoints=http"
+      - "traefik.http.routers.jellyfin.rule=Host(`jellyfin.${DOMAIN}`)"
+      - "traefik.http.middlewares.jellyfin-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
+      - "traefik.http.routers.jellyfin.middlewares=jellyfin-https-redirect"
+      - "traefik.http.routers.jellyfin-secure.entrypoints=https"
+      - "traefik.http.routers.jellyfin-secure.rule=Host(`jellyfin.${DOMAIN}`)"
+      - "traefik.http.routers.jellyfin-secure.tls=true"
+      - "traefik.http.routers.jellyfin-secure.tls.certresolver=${DNS}"
+      - "traefik.http.services.jellyfin-secure.loadbalancer.server.port=8096"
+    deploy:
+      resources:
+        reservations:
+          devices:
+            - driver: nvidia
+              capabilities: [gpu]
+
+  transmission-openvpn:
+    image: haugene/transmission-openvpn
+    container_name: transmission
+    restart: always
+    networks:
+      - web
+    cap_add:
+        - NET_ADMIN
+    volumes:
+      - ${DRIVE}/:/data
+    env_file:
+      - ./secrets/homelab.env
+    environment:
+      - OPENVPN_OPTS=--pull-filter ignore ifconfig-ipv6
+    ports:
+      - 9091:9091
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=web"
+      - "traefik.http.routers.transmission.entrypoints=http"
+      - "traefik.http.routers.transmission.rule=Host(`transmission.${DOMAIN}`) || Host(`torrent.${DOMAIN}`) "
+      - "traefik.http.middlewares.transmission-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
+      - "traefik.http.routers.transmission.middlewares=transmission-https-redirect"
+      - "traefik.http.routers.transmission-secure.entrypoints=https"
+      - "traefik.http.routers.transmission-secure.rule=Host(`transmission.${DOMAIN}`) || Host(`torrent.${DOMAIN}`) "
+      - "traefik.http.routers.transmission-secure.tls=true"
+      - "traefik.http.routers.transmission-secure.tls.certresolver=${DNS}"
+      - "traefik.http.services.transmission-secure.loadbalancer.server.port=9091"

network.yml

@@ -0,0 +1,114 @@
+# My homelab network file
+version: "3.9"
+
+networks:
+  web:
+    external: true
+  internal:
+    external: false
+
+services:
+  tailscale:
+    image: tailscale/tailscale
+    container_name: tailscale
+    restart: always
+    env_file:
+      - ./secrets/homelab.env
+    environment:
+      - TS_STATE_DIR=/var/lib/tailscale
+      - TS_USERSPACE=0
+    volumes:
+      - ${DRIVE}/tailscale_state:/var/lib/tailscale
+      - /dev/net/tun:/dev/net/tun
+    network_mode: host
+    cap_add:
+      - NET_ADMIN
+      - NET_RAW
+    labels:      
+      - "traefik.enable=false"
+
+  traefik:
+    image: traefik
+    container_name: traefik
+    restart: always
+    command: | 
+      traefik 
+      --log=true --log.level=INFO
+      --api.dashboard=true --api.insecure=true
+      --entrypoints.http --entrypoints.http.address=:80
+      --entrypoints.https --entrypoints.https.address=:443
+      --entrypoints.dnsovertls --entrypoints.dnsovertls.address=:853
+      --serverstransport.insecureskipverify=true 
+      --entrypoints.http.http.redirections.entrypoint.to=https
+      --entrypoints.http.http.redirections.entrypoint.scheme=https
+      --providers.docker=true --providers.docker.exposedbydefault=false
+      --certificatesresolvers.${DNS}.acme.email=${CF_API_EMAIL}
+      --certificatesresolvers.${DNS}.acme.storage=acme.json
+      --certificatesresolvers.${DNS}.acme.dnschallenge
+      --certificatesresolvers.${DNS}.acme.dnschallenge.disablepropagationcheck=false
+      --certificatesresolvers.${DNS}.acme.dnschallenge.provider=${DNS}
+      --certificatesresolvers.${DNS}.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
+      --certificatesresolvers.${DNS}.acme.httpchallenge.entrypoint=http
+    env_file:
+      - ./secrets/homelab.env
+    volumes:
+      - /etc/localtime:/etc/localtime:ro      
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - "${DRIVE}/acme/acme.json:/acme.json" 
+    networks:
+      - web
+    ports:
+      - "80:80"
+      - "443:443"
+      - "853:853"
+      - "8080:8080"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=web"
+      - "traefik.http.routers.traefik.entrypoints=http"
+      - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)"
+      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
+      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
+      - "traefik.http.routers.traefik-secure.entrypoints=https"
+      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.${DOMAIN}`)"
+      - "traefik.http.routers.traefik-secure.tls=true"
+      - "traefik.http.routers.traefik-secure.tls.certresolver=${DNS}"
+      - "traefik.http.routers.traefik-secure.service=api@internal"
+
+  adguardhome:
+    image: adguard/adguardhome
+    container_name: adguardhome
+    restart: always
+    env_file:
+      - ./secrets/homelab.env
+    networks:
+      - web
+    volumes:
+      - ${DRIVE}/adguardhome/work:/opt/adguardhome/work
+      - ${DRIVE}/adguardhome/conf:/opt/adguardhome/conf
+      - ${DRIVE}/certbot/certificates/:/opt/adguardhome/certs/    
+    ports:
+      - 3000:3000/tcp
+      - "53:53/tcp"
+      - "53:53/udp"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=web"
+      - "traefik.http.routers.adguard.entrypoints=http"
+      - "traefik.http.routers.adguardng.rule=Host(`adguard.${DOMAIN}`) || Host(`adguardhome.${DOMAIN}`)"
+      - "traefik.http.middlewares.adguard-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
+      - "traefik.http.routers.adguard.middlewares=adguard-https-redirect"
+      - "traefik.http.routers.adguard-secure.entrypoints=https"
+      - "traefik.http.services.adguard-secure.loadbalancer.server.port=3000"
+      - "traefik.http.routers.adguard-secure.rule=Host(`adguard.${DOMAIN}`) || Host(`adguardhome.${DOMAIN}`)"
+      - "traefik.http.routers.adguard-secure.tls=true"
+      - "traefik.http.routers.adguard-secure.tls.certresolver=${DNS}"
+
+      # DNS-over-TLS
+      - traefik.tcp.routers.adguard-dot.rule=HostSNI(`dns.${DOMAIN}`) 
+      - traefik.tcp.routers.adguard-dot.entrypoints=dnsovertls
+      - traefik.tcp.routers.adguard-dot.tls=true
+      - traefik.tcp.routers.adguard-dot.service=adguard
+      - traefik.tcp.services.adguard.loadbalancer.server.port=53

registry/config.yml

@@ -0,0 +1,13 @@
+version: 0.1
+delete:
+  enabled: true
+compatibility:
+  schema1:
+    enabled: true
+storage:
+  filesystem:
+    rootdirectory: /var/lib/registry
+http:
+  addr: localhost:5000
+  prefix: /
+auth:

searxng/settings.yml

@@ -0,0 +1,21 @@
+use_default_settings: true
+
+server:
+  limiter: false 
+
+ui:
+  query_in_title: false
+  infinite_scroll: true
+  center_alignment: true
+  default_theme: simple
+  theme_args:
+    simple_style: dark
+  results_on_new_tab: true
+
+general:
+  debug: false
+  instance_name:  "Sawyer Search"
+  privacypolicy_url: false
+  contact_url: false
+  enable_metrics: false
+  donation_url: false

searxng/uwsgi.ini

@@ -0,0 +1,50 @@
+[uwsgi]
+# Who will run the code
+uid = searxng
+gid = searxng
+
+# Number of workers (usually CPU count)
+# default value: %k (= number of CPU core, see Dockerfile)
+workers = %k
+
+# Number of threads per worker
+# default value: 4 (see Dockerfile)
+threads = 4
+
+# The right granted on the created socket
+chmod-socket = 666
+
+# Plugin to use and interpreter config
+single-interpreter = true
+master = true
+plugin = python3
+lazy-apps = true
+enable-threads = 4
+
+# Module to import
+module = searx.webapp
+
+# Virtualenv and python path
+pythonpath = /usr/local/searxng/
+chdir = /usr/local/searxng/searx/
+
+# automatically set processes name to something meaningful
+auto-procname = true
+
+# Disable request logging for privacy
+disable-logging = true
+log-5xx = true
+
+# Set the max size of a request (request-body excluded)
+buffer-size = 8192
+
+# No keep alive
+# See https://github.com/searx/searx-docker/issues/24
+add-header = Connection: close
+
+# uwsgi serves the static files
+static-map = /static=/usr/local/searxng/searx/static
+# expires set to one day
+static-expires = /* 86400
+static-gzip-all = True
+offload-threads = 4