init

.gitignore

@@ -0,0 +1,3 @@
+**/.env
+**/.venv
+**/data

README.md

@@ -0,0 +1,49 @@
+# Home Infra
+
+## Modules
+
+### Gateway & Security
+
+- Traefik (*.homeinfra.org)
+  - Automatic HTTPS certificate by Let's Encrypt with DNS-01 challenge (Cloudflare)
+- SafeLine
+- FRP
+
+### Devops
+
+- [Gitea](https://git.homeinfra.org)
+  - Github OIDC
+  - Built-in Registry
+    - Docker / PyPI / go / npm / NuGet ... 
+  - Actions (compatible to GitHub Actions) 
+- [cronjobs](https://git.homeinfra.org/root/cronjobs/actions)
+
+### Docker Management
+
+- [Portainer](https://portainer.homeinfra.org)
+  - Gitea OIDC
+
+### Observability
+
+- [Uptime](https://uptime.homeinfra.org)
+- Prometheus
+- Loki
+- Grafana
+- msgpusher
+
+
+### backup
+
+- restic
+
+### Applications
+
+- File
+- Music
+- Photo
+- Movie
+
+### Integrations
+
+- [Github OAuth](https://github.com/settings/developers)
+

docker/gitea/docker-compose.yml

@@ -0,0 +1,45 @@
+version: '3.3'
+services:
+
+  gitea:
+    image: gitea/gitea:1.21.1
+    container_name: gitea
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+      - DB_TYPE=postgres
+      - DB_HOST=db:5432
+      - DB_NAME=demo
+      - DB_USER=demo
+      - DB_PASSWD=demo
+    restart: always
+    networks:
+      - traefik_default
+      - gitea
+    volumes:
+      - ./data/gitea:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+        #    ports:
+      # - "3000:3000"
+      # - "2222:22"
+    depends_on:
+       - db
+
+  db:
+    image: postgres:13-alpine
+    restart: always
+    environment:
+      - POSTGRES_USER=demo
+      - POSTGRES_PASSWORD=demo
+      - POSTGRES_DB=demo
+    networks:
+      - gitea
+    volumes:
+      - ./data/postgres:/var/lib/postgresql/data
+
+networks:
+  traefik_default:
+    external: true
+  gitea:
+

docker/gitea_runner/Dockerfile

@@ -0,0 +1,3 @@
+FROM gitea/act_runner:0.2.6
+
+RUN apk add curl nodejs python3 py3-pip

docker/gitea_runner/config.yaml

@@ -0,0 +1,89 @@
+# Example configuration file, it's safe to copy this as the default config file without any modification.
+
+# You don't have to copy this file to your instance,
+# just run `./act_runner generate-config > config.yaml` to generate a config file.
+
+log:
+  # The level of logging, can be trace, debug, info, warn, error, fatal
+  level: info
+
+runner:
+  # Where to store the registration result.
+  file: .runner
+  # Execute how many tasks concurrently at the same time.
+  capacity: 1
+  # Extra environment variables to run jobs.
+  envs:
+    A_TEST_ENV_NAME_1: a_test_env_value_1
+    A_TEST_ENV_NAME_2: a_test_env_value_2
+  # Extra environment variables to run jobs from a file.
+  # It will be ignored if it's empty or the file doesn't exist.
+  env_file: .env
+  # The timeout for a job to be finished.
+  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
+  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
+  timeout: 3h
+  # Whether skip verifying the TLS certificate of the Gitea instance.
+  insecure: false
+  # The timeout for fetching the job from the Gitea instance.
+  fetch_timeout: 5s
+  # The interval for fetching the job from the Gitea instance.
+  fetch_interval: 2s
+  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
+  # Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
+  # If it's empty when registering, it will ask for inputting labels.
+  # If it's empty when execute `deamon`, will use labels in `.runner` file.
+  labels: []
+
+cache:
+  # Enable cache server to use actions/cache.
+  enabled: true
+  # The directory to store the cache data.
+  # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
+  dir: ""
+  # The host of the cache server.
+  # It's not for the address to listen, but the address to connect from job containers.
+  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
+  host: ""
+  # The port of the cache server.
+  # 0 means to use a random available port.
+  port: 0
+  # The external cache server URL. Valid only when enable is true.
+  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
+  # The URL should generally end with "/".
+  external_server: ""
+
+container:
+  # Specifies the network to which the container will connect.
+  # Could be host, bridge or the name of a custom network.
+  # If it's empty, act_runner will create a network automatically.
+  network: ""
+  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
+  privileged: false
+  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
+  options:
+  # The parent directory of a job's working directory.
+  # If it's empty, /workspace will be used.
+  workdir_parent:
+  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
+  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
+  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
+  # valid_volumes:
+  #   - data
+  #   - /src/*.json
+  # If you want to allow any volume, please use the following configuration:
+  # valid_volumes:
+  #   - '**'
+  valid_volumes: []
+  # overrides the docker client host with the specified one.
+  # If it's empty, act_runner will find an available docker host automatically.
+  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
+  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
+  docker_host: ""
+  # Pull docker image(s) even if already present
+  force_pull: false
+
+host:
+  # The parent directory of a job's working directory.
+  # If it's empty, $HOME/.cache/act/ will be used.
+  workdir_parent:

docker/gitea_runner/docker-compose.yml

@@ -0,0 +1,22 @@
+version: "2.0"
+services:
+  runner:
+    image: act_runner:latest
+    build:
+        context: .
+        dockerfile: Dockerfile
+    restart: unless-stopped
+    volumes:
+      - ./config.yaml:/config.yaml
+      - ./data:/data
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      - CONFIG_FILE=/config.yaml
+      - GITEA_INSTANCE_URL=https://git.homeinfra.org
+      - GITEA_RUNNER_REGISTRATION_TOKEN=${TOKEN}
+      - GITEA_RUNNER_NAME=runner1
+      - GITEA_RUNNER_LABELS=linux
+    container_name: gitea_runner
+    env_file:
+      - .env
+    privileged: true

docker/grafana/.gitignore

@@ -0,0 +1 @@
+grafana.ini

docker/grafana/docker-compose.yml

@@ -0,0 +1,9 @@
+version: "3"
+services:
+  grafana:
+    ports:
+      - 3000:3000
+    container_name: grafana
+    image: grafana/grafana-enterprise:10.2.2-boringcrypto
+    volumns:
+      - ./data/grafana.ini:/etc/grafana/grafana.ini

docker/grafana/pre-up.sh

@@ -0,0 +1 @@
+docker run --rm --entrypoint "cat"  grafana/grafana-enterprise:10.2.2-boringcrypto "/etc/grafana/grafana.ini" > grafana.example.ini

docker/homepage/docker-compose.yml

@@ -0,0 +1,19 @@
+version: "2"
+services:
+
+  homepage:
+    image: nginx:1.18.0-alpine
+    #ports:
+    #  - "8080:80"
+    volumes:
+      - ./public_html:/usr/share/nginx/html:ro
+    environment:
+      - TZ=Asia/Shanghai
+    restart: always
+
+    networks:
+      - traefik_default
+
+networks:
+  traefik_default:
+    external: true

docker/portainer/.gitignore

@@ -0,0 +1 @@
+data

docker/portainer/docker-compose.yml

@@ -0,0 +1,22 @@
+version: '3.1'
+
+services:
+  portainer:
+    image: portainer/portainer-ce
+    container_name: portainer
+    volumes:
+      - ./data:/data
+      - /var/run/docker.sock:/var/run/docker.sock
+    restart: always
+    #    ports: 
+    #      - 3332:8000
+    #      - 3333:9000
+
+    networks:
+      - traefik_default
+      - net
+
+networks:
+  traefik_default:
+    external: true
+  net:

docker/ps.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+script_path=$(dirname "$(readlink -f "$0")")
+
+docker_folder=$script_path
+
+cd "$docker_folder"
+
+subfolders=$(find . -maxdepth 1 -type d -not -name '.')
+
+for subfolder in $subfolders; do
+    cd "$docker_folder"
+    cd "$subfolder"
+    
+    echo "文件夹名称: $subfolder"
+    
+    docker-compose ps
+
+    echo
+    echo
+    echo
+    
+done
+
+cd "$docker_folder"

docker/traefik/conf/apps/base.yml

@@ -0,0 +1,20 @@
+
+http:
+  middlewares:
+    redirect-to-https:
+      redirectscheme:
+        scheme: https
+  routers:
+#    traefik-api:
+#      middlewares: traefik-basic-auth
+#      rule: Host(`traefik-dashboard.homeinfra.org`)
+#      service: api@internal
+#      entrypoints: web
+
+    http_to_https:
+      entrypoints: web
+      middlewares: redirect-to-https
+      priority: 1
+      rule: HostRegexp(`{catchall:.*}`)
+      service: noop@internal
+

docker/traefik/conf/apps/code_server.yaml

@@ -0,0 +1,13 @@
+http:
+  routers:
+    codeserver:
+      entrypoints: websecure
+      rule: Host(`test.homeinfra.net`)
+      service: codeserver
+      tls:
+        certresolver: cloudflare
+  services:
+    codeserver:
+      loadbalancer:
+        servers:
+          - url: http://1.1.1.1

docker/traefik/conf/apps/gitea.yaml

@@ -0,0 +1,27 @@
+http:
+  routers:
+    docker_gitea:
+      entrypoints: websecure
+      rule: Host(`git.homeinfra.org`)
+      service: docker_gitea
+      tls:
+        certresolver: cloudflare
+  services:
+    docker_gitea:
+      loadbalancer:
+        servers:
+          - url: http://gitea:3000
+
+tcp:
+  routers:
+    gitea-ssh:
+      rule: HostSNI(`*`)
+      entrypoints: gitssh
+      service: gitea-ssh
+  services:
+    gitea-ssh:
+      loadbalancer:
+        servers:
+          - address: gitea:22
+
+

docker/traefik/conf/apps/grafana.yaml

@@ -0,0 +1,13 @@
+http:
+  routers:
+    grafana:
+      entrypoints: websecure
+      rule: Host(`grafana.homeinfra.org`)
+      service: grafana
+      tls:
+        certresolver: cloudflare
+  services:
+    grafana:
+      loadbalancer:
+        servers:
+          - url: http://grafana:3000

docker/traefik/conf/apps/homepage.yaml

@@ -0,0 +1,13 @@
+http:
+  routers:
+    homepage:
+      entrypoints: websecure
+      rule: Host(`www.homeinfra.org`)
+      service: homepage
+      tls:
+        certresolver: cloudflare
+  services:
+    homepage:
+      loadbalancer:
+        servers:
+          - url: http://homepage:80

docker/traefik/conf/apps/portainer.yaml

@@ -0,0 +1,13 @@
+http:
+  routers:
+    docker_portainer:
+      entrypoints: websecure
+      rule: Host(`portainer.homeinfra.org`)
+      service: docker_portainer
+      tls:
+        certresolver: cloudflare
+  services:
+    docker_portainer:
+      loadbalancer:
+        servers:
+          - url: http://portainer:9000

docker/traefik/conf/apps/uptime.yaml

@@ -0,0 +1,13 @@
+http:
+  routers:
+    uptime-kuma:
+      entrypoints: websecure
+      rule: Host(`uptime.homeinfra.org`)
+      service: uptime-kuma
+      tls:
+        certresolver: cloudflare
+  services:
+    uptime-kuma:
+      loadbalancer:
+        servers:
+          - url: http://uptime-kuma:3001

docker/traefik/conf/traefik.yml

@@ -0,0 +1,44 @@
+
+global:
+  checkNewVersion: false
+  sendAnonymousUsage: false
+log:
+  filepath: /logs/log.json
+  format: json
+  level: DEBUG
+accesslog:
+  filepath: /logs/access.json
+
+api:
+  dashboard: true
+  insecure: true
+
+providers:
+  file:
+    directory: /conf/apps/
+    watch: true
+
+entrypoints:
+  gitssh:
+    address: :22
+  web:
+    address: :80
+  websecure:
+    address: :443
+
+tls:
+  stores:
+    default:
+      defaultCertResolver: cloudflare
+      defaultCertDomain:
+        main: homeinfra.org
+        sans: 
+          - "*.homeinfra.org"
+
+certificatesResolvers:
+  cloudflare:
+    acme:
+      dnsChallenge:
+        provider: cloudflare
+      email: admin@homeinfra.org
+      storage: /letsencrypt/acme.json

docker/traefik/docker-compose.yml

@@ -0,0 +1,36 @@
+version: "2"
+services:
+  web:
+    restart: always
+    image: traefik:v2.9.7
+    container_name: traefik
+    networks:
+      - traefik_default
+      - net
+    ports:
+      - "80:80"
+      - "443:443"
+      - "22:22"
+      # - "8080:8080"
+    command:
+      - "--configFile=/conf/traefik.yml"
+    environment:
+      - "CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_DNS_API_TOKEN}"
+      - "TZ=Asia/Shanghai"
+    volumes:
+      - ./conf:/conf:ro
+      - "./data/letsencrypt:/letsencrypt"
+      - ./data/traefik_logs:/logs
+      - /var/run/docker.sock:/var/run/docker.sock
+    env_file:
+      - .env
+
+networks:
+  net:
+    driver: bridge
+
+  traefik_default:
+    external: true
+
+    
+

docker/traefik/make_network.sh

@@ -0,0 +1 @@
+docker network create  -d bridge --internal traefik_default

docker/uptime_kuma/docker-compose.yml

@@ -0,0 +1,18 @@
+version: '3.3'
+services:
+  uptime-kuma:
+    image: 'louislam/uptime-kuma:1'
+    container_name: uptime-kuma
+    restart: always
+      #    ports:
+      #      - '3001:3001'
+    volumes:
+      - './data:/app/data'
+      - /var/run/docker.sock:/var/run/docker.sock
+    networks:
+      - traefik_default
+      - net
+networks:
+  traefik_default:
+    external: true
+  net:

setup.md

@@ -0,0 +1,29 @@
+# Setup
+
+- register a domain
+
+- hostname
+    - change ssh port
+
+- setup DNS
+    - cloudflare key
+
+- install docker docker-compose
+- create traefik network
+
+- Gitea
+    - create Gitea OAuth App
+    - create Github OAuth App
+    - setup Github as authentication source
+    - get gitea runner token
+    - setup gitea runner
+
+- Portainer
+    - setup Gitea as authentication source
+
+- uptime
+
+- setup homepage settings
+
+
+