From 86035dcb005d1d026d5d414f27c843c3b4845715 Mon Sep 17 00:00:00 2001
From: sawyer bristol
Date: Tue, 27 Feb 2024 20:42:12 -0700
Subject: [PATCH] init
---
 .github/workflows/update-homelab.yml | 45 ++++++++
 media.yml | 73 ++++++++++++
 network.yml | 114 +++++++++++++++++++
 registry/config.yml | 13 +++
 searxng/settings.yml | 21 ++++
 searxng/uwsgi.ini | 50 +++++++++
 utilities.yml | 161 +++++++++++++++++++++++++++
 7 files changed, 477 insertions(+)
 create mode 100644 .github/workflows/update-homelab.yml
 create mode 100644 media.yml
 create mode 100644 network.yml
 create mode 100644 registry/config.yml
 create mode 100644 searxng/settings.yml
 create mode 100644 searxng/uwsgi.ini
 create mode 100644 utilities.yml
diff --git a/.github/workflows/update-homelab.yml b/.github/workflows/update-homelab.yml
new file mode 100644
index 0000000..f95e359
--- /dev/null
+++ b/.github/workflows/update-homelab.yml
@@ -0,0 +1,45 @@
+name: Update Homelab Files
+
+on:
+ push:
+ branches:
+ - main
+ workflow_dispatch:
+
+jobs:
+ deploy:
+ runs-on: "self-hosted"
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: actions/checkout@v4
+ with:
+ repository: LegitCamper/homelab-secrets
+ path: 'secrets'
+ sparse-checkout: |
+ homelab.env
+ sparse-checkout-cone-mode: false
+ token: ${{ secrets.ACCESS_TOKEN }}
+
+ - name: Run a multi-line script
+ run: ls $GITHUB_WORKSPACE && ls -la ~ && pwd
+
+ - name: Copy folder content recursively to remote
+ uses: garygrossgarten/github-action-scp@v0.8.0
+ with:
+ local: ${{ github.workspace }}
+ remote: /home/${{ secrets.SSH_USER }}/stacks/homelab/
+ host: ${{ secrets.HOST }}
+ username: ${{ secrets.SSH_USER }}
+ password: ${{ secrets.PASSWORD }}
+
+ - name: multiple command
+ uses: appleboy/ssh-action@v1.0.3
+ with:
+ host: ${{ secrets.HOST }}
+ username: ${{ secrets.SSH_USER }}
+ password: ${{ secrets.PASSWORD }}
+ script: |
+ cd ~/stacks/homelab/
+ docker compose --env-file ./secrets/homelab.env -f network.yml -f media.yml -f utilities.yml up -d --remove-orphans
diff --git a/media.yml b/media.yml
new file mode 100644
index 0000000..fa044e0
--- /dev/null
+++ b/media.yml
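Review bot: Both `actions/checkout@v4` steps leave `persist-credentials` at its default, so the `secrets/.git/config` written by the second checkout still carries `ACCESS_TOKEN` when the scp step copies the whole `${{ github.workspace }}` to the remote host; add `persist-credentials: false` to each checkout, since the token is only needed for the clone itself. The scp and ssh steps both authenticate with `password: ${{ secrets.PASSWORD }}`; both actions accept a private-key input instead, which avoids keeping a reusable password for the host that runs the whole stack. No `permissions:` block is declared, so the job receives the repository's default `GITHUB_TOKEN` scopes although these steps only need `permissions: contents: read`. Minor: the step named `Run a multi-line script` is a single `run:` line, and its `ls -la ~` prints the runner's home directory listing into the job log.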
@@ -0,0 +1,73 @@
+# My homelab media file
+version: "3.9"
+
+networks:
+ web:
+ external: true
+ internal:
+ external: false
+
+services:
+ jellyfin:
+ image: lscr.io/linuxserver/jellyfin
+ container_name: jellyfin
+ restart: always
+ networks:
+ - web
+ ports:
+ - 8096:8096/tcp
+ - 8920:8920
+ volumes:
+ - ${DRIVE}/shows/:/data/tvshows/
+ - ${DRIVE}/movies/:/data/movies/
+ - ${DRIVE}/certbot/certificates/:/data/certs/
+ - ${DRIVE}/jellyfin-conf/:/config/:rw
+ labels:
+ - "traefik.enable=true"
+ - "traefik.docker.network=web"
+ - "traefik.http.routers.jellyfin.entrypoints=http"
+ - "traefik.http.routers.jellyfin.rule=Host(`jellyfin.${DOMAIN}`)"
+ - "traefik.http.middlewares.jellyfin-https-redirect.redirectscheme.scheme=https"
+ - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
+ - "traefik.http.routers.jellyfin.middlewares=jellyfin-https-redirect"
+ - "traefik.http.routers.jellyfin-secure.entrypoints=https"
+ - "traefik.http.routers.jellyfin-secure.rule=Host(`jellyfin.${DOMAIN}`)"
+ - "traefik.http.routers.jellyfin-secure.tls=true"
+ - "traefik.http.routers.jellyfin-secure.tls.certresolver=${DNS}"
+ - "traefik.http.services.jellyfin-secure.loadbalancer.server.port=8096"
+ deploy:
+ resources:
+ reservations:
+ devices:
+ - driver: nvidia
+ capabilities: [gpu]
+
+ transmission-openvpn:
+ image: haugene/transmission-openvpn
+ container_name: transmission
+ restart: always
+ networks:
+ - web
+ cap_add:
+ - NET_ADMIN
+ volumes:
+ - ${DRIVE}/:/data
+ env_file:
+ - ./secrets/homelab.env
+ environment:
+ - OPENVPN_OPTS=--pull-filter ignore ifconfig-ipv6
+ ports:
+ - 9091:9091
+ labels:
+ - "traefik.enable=true"
+ - "traefik.docker.network=web"
+ - "traefik.http.routers.transmission.entrypoints=http"
+ - "traefik.http.routers.transmission.rule=Host(`transmission.${DOMAIN}`) || Host(`torrent.${DOMAIN}`) "
+ - "traefik.http.middlewares.transmission-https-redirect.redirectscheme.scheme=https"
+ - 
"traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
+ - "traefik.http.routers.transmission.middlewares=transmission-https-redirect"
+ - "traefik.http.routers.transmission-secure.entrypoints=https"
+ - "traefik.http.routers.transmission-secure.rule=Host(`transmission.${DOMAIN}`) || Host(`torrent.${DOMAIN}`) "
+ - "traefik.http.routers.transmission-secure.tls=true"
+ - "traefik.http.routers.transmission-secure.tls.certresolver=${DNS}"
+ - "traefik.http.services.transmission-secure.loadbalancer.server.port=9091"
diff --git a/network.yml b/network.yml
new file mode 100644
index 0000000..2927034
--- /dev/null
+++ b/network.yml
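Review bot: The `ports:` mappings `9091:9091` for transmission and `8096:8096/tcp` / `8920:8920` for jellyfin publish each service directly on the host alongside the Traefik routers, so the https redirect and TLS on the `web` network are bypassed for anyone who reaches those ports; Traefik already reaches the containers over `web`, so drop the mappings or bind them to loopback, e.g. `- "127.0.0.1:9091:9091"`. Whether the transmission UI has its own login depends on `./secrets/homelab.env`, which is not in the diff, so the published 9091 should be treated as unauthenticated until that is confirmed. `${DRIVE}/certbot/certificates/` is mounted into jellyfin without `:ro` although the container only needs to read the certificates; `- ${DRIVE}/certbot/certificates/:/data/certs/:ro` limits what the container can alter. Style: the two transmission `rule=` values end with a space before the closing quote, which should be trimmed.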
@@ -0,0 +1,114 @@
+# My homelab network file
+version: "3.9"
+
+networks:
+ web:
+ external: true
+ internal:
+ external: false
+
+services:
+ tailscale:
+ image: tailscale/tailscale
+ container_name: tailscale
+ restart: always
+ env_file:
+ - ./secrets/homelab.env
+ environment:
+ - TS_STATE_DIR=/var/lib/tailscale
+ - TS_USERSPACE=0
+ volumes:
+ - ${DRIVE}/tailscale_state:/var/lib/tailscale
+ - /dev/net/tun:/dev/net/tun
+ network_mode: host
+ cap_add:
+ - NET_ADMIN
+ - NET_RAW
+ labels:
+ - "traefik.enable=false"
+
+ traefik:
+ image: traefik
+ container_name: traefik
+ restart: always
+ command: |
+ traefik
+ --log=true --log.level=INFO
+ --api.dashboard=true --api.insecure=true
+ --entrypoints.http --entrypoints.http.address=:80
+ --entrypoints.https --entrypoints.https.address=:443
+ --entrypoints.dnsovertls --entrypoints.dnsovertls.address=:853
+ --serverstransport.insecureskipverify=true
+ --entrypoints.http.http.redirections.entrypoint.to=https
+ --entrypoints.http.http.redirections.entrypoint.scheme=https
+ --providers.docker=true --providers.docker.exposedbydefault=false
+ --certificatesresolvers.${DNS}.acme.email=${CF_API_EMAIL}
+ --certificatesresolvers.${DNS}.acme.storage=acme.json
+ --certificatesresolvers.${DNS}.acme.dnschallenge
+ --certificatesresolvers.${DNS}.acme.dnschallenge.disablepropagationcheck=false
+ --certificatesresolvers.${DNS}.acme.dnschallenge.provider=${DNS}
+ --certificatesresolvers.${DNS}.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
+ --certificatesresolvers.${DNS}.acme.httpchallenge.entrypoint=http
+ env_file:
+ - ./secrets/homelab.env
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ - "${DRIVE}/acme/acme.json:/acme.json"
+ networks:
+ - web
+ ports:
+ - "80:80"
+ - "443:443"
+ - "853:853"
+ - "8080:8080"
+ labels:
+ - "traefik.enable=true"
+ - "traefik.docker.network=web"
+ - "traefik.http.routers.traefik.entrypoints=http"
+ - 
"traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)"
+ - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
+ - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
+ - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
+ - "traefik.http.routers.traefik-secure.entrypoints=https"
+ - "traefik.http.routers.traefik-secure.rule=Host(`traefik.${DOMAIN}`)"
+ - "traefik.http.routers.traefik-secure.tls=true"
+ - "traefik.http.routers.traefik-secure.tls.certresolver=${DNS}"
+ - "traefik.http.routers.traefik-secure.service=api@internal"
+
+ adguardhome:
+ image: adguard/adguardhome
+ container_name: adguardhome
+ restart: always
+ env_file:
+ - ./secrets/homelab.env
+ networks:
+ - web
+ volumes:
+ - ${DRIVE}/adguardhome/work:/opt/adguardhome/work
+ - ${DRIVE}/adguardhome/conf:/opt/adguardhome/conf
+ - ${DRIVE}/certbot/certificates/:/opt/adguardhome/certs/
+ ports:
+ - 3000:3000/tcp
+ - "53:53/tcp"
+ - "53:53/udp"
+ labels:
+ - "traefik.enable=true"
+ - "traefik.docker.network=web"
+ - "traefik.http.routers.adguard.entrypoints=http"
+ - "traefik.http.routers.adguardng.rule=Host(`adguard.${DOMAIN}`) || Host(`adguardhome.${DOMAIN}`)"
+ - "traefik.http.middlewares.adguard-https-redirect.redirectscheme.scheme=https"
+ - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
+ - "traefik.http.routers.adguard.middlewares=adguard-https-redirect"
+ - "traefik.http.routers.adguard-secure.entrypoints=https"
+ - "traefik.http.services.adguard-secure.loadbalancer.server.port=3000"
+ - "traefik.http.routers.adguard-secure.rule=Host(`adguard.${DOMAIN}`) || Host(`adguardhome.${DOMAIN}`)"
+ - "traefik.http.routers.adguard-secure.tls=true"
+ - "traefik.http.routers.adguard-secure.tls.certresolver=${DNS}"
+
+ # DNS-over-TLS
+ - traefik.tcp.routers.adguard-dot.rule=HostSNI(`dns.${DOMAIN}`)
+ - traefik.tcp.routers.adguard-dot.entrypoints=dnsovertls
+ - 
traefik.tcp.routers.adguard-dot.tls=true
+ - traefik.tcp.routers.adguard-dot.service=adguard
+ - traefik.tcp.services.adguard.loadbalancer.server.port=53
diff --git a/registry/config.yml b/registry/config.yml
new file mode 100644
index 0000000..31a46ad
--- /dev/null
+++ b/registry/config.yml
@@ -0,0 +1,13 @@
+version: 0.1
+delete:
+ enabled: true
+compatibility:
+ schema1:
+ enabled: true
+storage:
+ filesystem:
+ rootdirectory: /var/lib/registry
+http:
+ addr: localhost:5000
+ prefix: /
+auth:
\ No newline at end of file
diff --git a/searxng/settings.yml b/searxng/settings.yml
new file mode 100644
index 0000000..bb08874
--- /dev/null
+++ b/searxng/settings.yml
@@ -0,0 +1,21 @@
+use_default_settings: true
+
+server:
+ limiter: false
+
+ui:
+ query_in_title: false
+ infinite_scroll: true
+ center_alignment: true
+ default_theme: simple
+ theme_args:
+ simple_style: dark
+ results_on_new_tab: true
+
+general:
+ debug: false
+ instance_name: "Sawyer Search"
+ privacypolicy_url: false
+ contact_url: false
+ enable_metrics: false
+ donation_url: false
diff --git a/searxng/uwsgi.ini b/searxng/uwsgi.ini
new file mode 100644
index 0000000..dd1247a
--- /dev/null
+++ b/searxng/uwsgi.ini
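Review bot: `--api.dashboard=true --api.insecure=true` combined with the `"8080:8080"` port mapping exposes the Traefik API and dashboard on host port 8080 with no authentication, and the `traefik-secure` router that serves `api@internal` over TLS carries no auth middleware either; remove `--api.insecure=true` and the 8080 mapping, and attach a basicauth or forward-auth middleware to `traefik-secure`. `--serverstransport.insecureskipverify=true` disables certificate verification for every backend Traefik proxies to, and none of the backends in this diff is addressed over https, so it appears unnecessary. In the adguardhome labels `traefik.http.routers.adguard.entrypoints=http` and `traefik.http.routers.adguardng.rule=...` name different routers, so the `adguard` router has no rule (Traefik will most likely reject it) and `adguardng` is not limited to the `http` entrypoint; the rule label should read `traefik.http.routers.adguard.rule=`. The `adguard-dot` TCP router sets `tls=true` without a `tls.certresolver`, so unless a default certificate is configured elsewhere, DoT clients for `dns.${DOMAIN}` will be offered Traefik's self-signed default certificate.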
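Review bot: `auth:` is left with no value (and the file has no trailing newline), which parses as `null` and configures no authentication at all, while `delete.enabled: true` lets any client that reaches the registry remove images; add an `auth` block (for example the `htpasswd` type) or keep the key out and put authentication in front of the service. `http.addr: localhost:5000` binds to the container's own loopback, so neither the `5000:5000` mapping nor Traefik's route to `registry` could reach it; `addr: :5000` is what a containerised registry needs. Note that the `registry` service in this commit's `utilities.yml` mounts no volume, so this file is not consumed yet; whichever form is intended, `compatibility.schema1.enabled: true` re-enables a deprecated manifest format and is probably not needed.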
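Review bot: `server: limiter: false` disables SearXNG's request rate limiter while `utilities.yml` in this commit routes the instance publicly at `search.${DOMAIN}`; a public instance should keep `limiter: true` (with the `limiter.toml` and the Redis/Valkey backend it requires), or the routers should be restricted to the internal network. No `server.secret_key` is set here; the SearXNG image normally generates one into a fresh `settings.yml` on first start, but since this file is bind-mounted over `/etc/searxng` it is worth confirming after deployment that a non-default key is actually in effect.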
@@ -0,0 +1,50 @@
+[uwsgi]
+# Who will run the code
+uid = searxng
+gid = searxng
+
+# Number of workers (usually CPU count)
+# default value: %k (= number of CPU core, see Dockerfile)
+workers = %k
+
+# Number of threads per worker
+# default value: 4 (see Dockerfile)
+threads = 4
+
+# The right granted on the created socket
+chmod-socket = 666
+
+# Plugin to use and interpreter config
+single-interpreter = true
+master = true
+plugin = python3
+lazy-apps = true
+enable-threads = 4
+
+# Module to import
+module = searx.webapp
+
+# Virtualenv and python path
+pythonpath = /usr/local/searxng/
+chdir = /usr/local/searxng/searx/
+
+# automatically set processes name to something meaningful
+auto-procname = true
+
+# Disable request logging for privacy
+disable-logging = true
+log-5xx = true
+
+# Set the max size of a request (request-body excluded)
+buffer-size = 8192
+
+# No keep alive
+# See https://github.com/searx/searx-docker/issues/24
+add-header = Connection: close
+
+# uwsgi serves the static files
+static-map = /static=/usr/local/searxng/searx/static
+# expires set to one day
+static-expires = /* 86400
+static-gzip-all = True
+offload-threads = 4
diff --git a/utilities.yml b/utilities.yml
new file mode 100644
index 0000000..a575798
--- /dev/null
+++ b/utilities.yml
@@ -0,0 +1,161 @@
+# My homelab utilities file
+version: "3.9"
+
+networks:
+ web:
+ external: true
+ internal:
+ external: false
+
+services:
+ registry: # My own docker registry
+ container_name: registry
+ image: registry
+ restart: always
+ networks:
+ - web
+ ports:
+ - 5000:5000
+ env_file:
+ - ./secrets/homelab.env
+ labels:
+ - "traefik.enable=true"
+ - "traefik.docker.network=web"
+ - "traefik.http.routers.registry.entrypoints=http"
+ - "traefik.http.routers.registry.rule=Host(`registry.${DOMAIN}`)"
+ - "traefik.http.middlewares.registry-https-redirect.redirectscheme.scheme=https"
+ - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
+ - "traefik.http.routers.registry.middlewares=registry-https-redirect"
+ - "traefik.http.routers.registry-secure.entrypoints=https"
+ - "traefik.http.routers.registry-secure.rule=Host(`registry.${DOMAIN}`)"
+ - "traefik.http.routers.registry-secure.tls=true"
+ - "traefik.http.routers.registry-secure.tls.certresolver=${DNS}"
+
+ searxng:
+ image: searxng/searxng
+ container_name: searxng
+ restart: always
+ networks:
+ - web
+ ports:
+ - 9001:8080
+ volumes:
+ - ./searxng:/etc/searxng:rw
+ env_file:
+ - ./secrets/homelab.env
+ labels:
+ - "traefik.enable=true"
+ - "traefik.docker.network=web"
+ - "traefik.http.routers.searxng.entrypoints=http"
+ - "traefik.http.routers.searxng.rule=Host(`searxng.${DOMAIN}`) || Host(`searx.${DOMAIN}`) || Host(`search.${DOMAIN}`)"
+ - "traefik.http.middlewares.searxng-https-redirect.redirectscheme.scheme=https"
+ - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
+ - "traefik.http.routers.searxng.middlewares=searxng-https-redirect"
+ - "traefik.http.routers.searxng-secure.entrypoints=https"
+ - "traefik.http.routers.searxng-secure.rule=Host(`searxng.${DOMAIN}`) || Host(`searx.${DOMAIN}`) || Host(`search.${DOMAIN}`)"
+ - "traefik.http.routers.searxng-secure.tls=true"
+ - 
"traefik.http.routers.searxng-secure.tls.certresolver=${DNS}"
+
+ filebrowser:
+ image: filebrowser/filebrowser
+ container_name: filebrowser
+ restart: always
+ command: "--noauth"
+ networks:
+ - web
+ env_file:
+ - ./secrets/homelab.env
+ volumes:
+ - ${DRIVE}/media/shows:/srv/shows
+ - ${DRIVE}/media/movies:/srv/movies
+ - ${DRIVE}/media/music:/srv/music
+ - ${DRIVE}/media/complete:/srv/complete
+ - ${DRIVE}/media/else:/srv/else
+ - ${DRIVE}/incomplete:/srv/incomplete
+ ports:
+ - 9003:80
+ labels:
+ - "traefik.enable=true"
+ - "traefik.docker.network=web"
+ - "traefik.http.routers.files.entrypoints=http"
+ - "traefik.http.routers.files.rule=Host(`files.${DOMAIN}`) || Host(`filebrowser.${DOMAIN}`) "
+ - "traefik.http.middlewares.files-https-redirect.redirectscheme.scheme=https"
+ - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
+ - "traefik.http.routers.files.middlewares=files-https-redirect"
+ - "traefik.http.routers.files-secure.entrypoints=https"
+ - "traefik.http.routers.files-secure.rule=Host(`files.${DOMAIN}`) || Host(`filebrowser.${DOMAIN}`) "
+ - "traefik.http.routers.files-secure.tls=true"
+ - "traefik.http.routers.files-secure.tls.certresolver=${DNS}"
+
+ smokeping:
+ image: lscr.io/linuxserver/smokeping
+ container_name: smokeping
+ restart: always
+ networks:
+ - web
+ ports:
+ - 2003:80
+ env_file:
+ - ./secrets/homelab.env
+ labels:
+ - "traefik.enable=true"
+ - "traefik.docker.network=web"
+ - "traefik.http.routers.ping.entrypoints=http"
+ - "traefik.http.routers.ping.rule=Host(`ping.${DOMAIN}`) || Host(`smokeping.${DOMAIN}`) "
+ - "traefik.http.middlewares.ping-https-redirect.redirectscheme.scheme=https"
+ - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
+ - "traefik.http.routers.ping.middlewares=ping-https-redirect"
+ - "traefik.http.routers.ping-secure.entrypoints=https"
+ - "traefik.http.routers.ping-secure.rule=Host(`ping.${DOMAIN}`) || 
Host(`smokeping.${DOMAIN}`) "
+ - "traefik.http.routers.ping-secure.tls=true"
+ - "traefik.http.routers.ping-secure.tls.certresolver=${DNS}"
+
+ watchtower:
+ image: containrrr/watchtower
+ container_name: watchtower
+ networks:
+ - internal
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ env_file:
+ - ./secrets/homelab.env
+ environment:
+ WATCHTOWER_CLEANUP: true
+ WATCHTOWER_REVIVE_STOPPED: true
+ restart: always
+ labels:
+ - "traefik.enable=false"
+
+ # prometheus:
+ # image: prom/prometheus
+ # container_name: prometheus
+ # ports:
+ # - 9004:9090
+ # command:
+ # - --config.file=/etc/prometheus/prometheus.yml
+ # volumes:
+ # - ./prometheus/prometheus.yml:/etc/prometheus/prometheus.yml:ro
+ # - ${DRIVE}/prometheus-data:/prometheus
+ # depends_on:
+ # - cadvisor
+ # restart: always
+
+ # cadvisor:
+ # image: gcr.io/cadvisor/cadvisor
+ # container_name: cadvisor
+ # ports:
+ # - 9005:8080
+ # volumes:
+ # - /:/rootfs:ro
+ # - /var/run:/var/run:rw
+ # - /sys:/sys:ro
+ # - /var/lib/docker/:/var/lib/docker:ro
+ # restart: always
+
+ # grafana:
+ # image: grafana/grafana
+ # container_name: grafana
+ # ports:
+ # - 9006:3000
+ # restart: always
+
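Review bot: `command: "--noauth"` on `filebrowser` disables its login entirely, yet the service is routed publicly through the `files` / `files-secure` Traefik routers and additionally published on host port `9003:80`, so the mounted `${DRIVE}/media/*` and `${DRIVE}/incomplete` trees become readable and writable by anyone who resolves `files.${DOMAIN}`; drop `--noauth` (or add a basicauth / forward-auth middleware to both routers) and remove or loopback-bind the `9003:80` mapping. The other direct host mappings (`5000:5000`, `9001:8080`, `2003:80`) likewise bypass the TLS redirect for registry, searxng and smokeping, and nothing in this commit configures authentication for the registry. `watchtower` sets `WATCHTOWER_CLEANUP: true` and `WATCHTOWER_REVIVE_STOPPED: true` as YAML booleans; the Compose spec asks for environment values to be quoted strings, so write `WATCHTOWER_CLEANUP: "true"` and `WATCHTOWER_REVIVE_STOPPED: "true"`. The `registry` service mounts no config volume, so the `registry/config.yml` added in this commit is not applied to it.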