Update README.md

README.md

@@ -1,5 +1,29 @@
 # Home Infra
 
+`Homeinfra` offers a strong, dependable, and easily replicable configuration for your homelab, incorporating vital elements like HTTPS, NAT traversal, Security, CI/CD pipelines, Cronjobs, DDNS, Docker management, Automatic Backup, and more.
+
+Currently, the setup is being managed through docker-compose. Although migrating to K8s or k3s is a potential consideration, it has not been implemented at this time.
+
+
+<table>
+  <tr>
+    <td><img src="images/actions.png"></td>
+    <td><img src="images/dockge.png"></td>
+    <td><img src="images/homeassistant.png"></td>
+  </tr>
+  <tr>
+    <td><img src="images/homeassistant2.png"></td>
+    <td><img src="images/homepage.png"></td>
+    <td><img src="images/music.png"></td>
+  </tr>
+  <tr>
+    <td><img src="images/oauth-proxy.png"></td>
+    <td><img src="images/openvscode.png"></td>
+    <td><img src="images/uptime.png"></td>
+  </tr>
+</table>
+
+
 ## Modules
 
 ### Gateway & Security
@@ -40,7 +64,7 @@
 - msgpusher
 
 
-### backup
+### Backup
 
 - restic
   - Backup to S3 (Backblaze)

docker/dockge/.env.example

@@ -0,0 +1,3 @@
+OAUTH2_PROXY_COOKIE_SECRET=""
+OAUTH2_PROXY_CLIENT_ID=""
+OAUTH2_PROXY_CLIENT_SECRET=""

docker/dockge/docker-compose.yml

@@ -3,13 +3,12 @@ services:
   dockge:
     image: louislam/dockge:1
     restart: unless-stopped
-      #    ports:
-      # Host Port : Container Port
-      # - 5001:5001
+    # ports:
+    #   - 5001:5001
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
       - ./data:/app/data
-        
+      
       # If you want to use private registries, you need to share the auth file with Dockge:
       # - /root/.docker/:/root/.docker
 
@@ -17,12 +16,26 @@ services:
       # ⚠️ READ IT CAREFULLY. If you did it wrong, your data could end up writing into a WRONG PATH.
       # ⚠️ 1. FULL path only. No relative path (MUST)
       # ⚠️ 2. Left Stacks Path === Right Stacks Path (MUST)
-      - /root/homeinfra/docker:/root/homeinfra/docker
+      - ${DOCKGE_STACKS_DIR:-}:${DOCKGE_STACKS_DIR:-}
     environment:
       # Tell Dockge where is your stacks directory
-      - DOCKGE_STACKS_DIR=/root/homeinfra/docker
+      - DOCKGE_STACKS_DIR=${DOCKGE_STACKS_DIR:-}
+    networks:
+      - traefik_default
 
 
+  dockge-oauth:
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1
+    command: --config /oauth2-proxy.cfg
+    hostname: dockge-oauth2-proxy
+    volumes:
+      - "./oauth2-proxy.cfg:/oauth2-proxy.cfg"
+    restart: unless-stopped
+    
+    external_links:
+      - "traefik:git.homeinfra.org"
+    env_file:
+      - .env
     networks:
       - traefik_default
 

docker/dockge/oauth2-proxy.cfg

@@ -0,0 +1,18 @@
+http_address="0.0.0.0:80"
+# cookie_secret=""
+email_domains=["homeinfra.org"]
+cookie_secure="false"
+upstreams="http://dockge:5001"
+cookie_domains=[".homeinfra.org"] # Required so cookie can be read on all subdomains.
+whitelist_domains=[".homeinfra.org"] # Required to allow redirection back to original requested target.
+
+
+# gitea provider
+provider="github"
+provider_display_name="Gitea"
+# client_id=""
+# client_secret=""
+redirect_url="https://code.homeinfra.org/oauth2/callback"
+login_url="https://git.homeinfra.org/login/oauth/authorize"
+redeem_url="https://git.homeinfra.org/login/oauth/access_token"
+validate_url="https://git.homeinfra.org/api/v1/user/emails"

docker/dockge/setup.sh

@@ -0,0 +1 @@
+export DOCKGE_STACKS_DIR=$(dirname "$PWD")

docker/filebrowser/config.json

@@ -0,0 +1,8 @@
+{
+    "port": 80,
+    "baseURL": "",
+    "address": "",
+    "log": "stdout",
+    "database": "/database/filebrowser.db",
+    "root": "/srv"
+  }

docker/filebrowser/docker-compose.yml

@@ -0,0 +1,16 @@
+version: "3.8"
+services:
+  filebrowser:
+    volumes:
+      - ./data/srv:/srv
+      - ./data/database:/database
+      - ./config.json:/.filebrowser.json
+    # ports:
+    #   - 8080:80
+    image: filebrowser/filebrowser:v2.26.0-s6
+    restart: unless-stopped
+    networks:
+      - traefik_default
+networks:
+  traefik_default:
+    external: true

docker/gitea/.env.example

@@ -0,0 +1,2 @@
+GITEA_DB_PASSWORD=
+

docker/gitea/docker-compose.yml

@@ -1,6 +1,5 @@
-version: '3.3'
+version: "3.3"
 services:
-
   gitea:
     image: gitea/gitea:1.21.1
     container_name: gitea
@@ -11,8 +10,8 @@ services:
       - DB_HOST=db:5432
       - DB_NAME=demo
       - DB_USER=demo
-      - DB_PASSWD=demo
-    restart: always
+      - DB_PASSWD=${GITEA_DB_PASSWORD}
+    restart: unless-stopped
     networks:
       - traefik_default
       - gitea
@@ -20,26 +19,25 @@ services:
       - ./data/gitea:/data
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
-        #    ports:
-      # - "3000:3000"
-      # - "2222:22"
+    # ports:
+    #   - "3000:3000"
+    #   - "2222:22"
     depends_on:
-       - db
-
+      - db
+    env_file:
+      - .env
   db:
     image: postgres:13-alpine
-    restart: always
+    restart: unless-stopped
     environment:
       - POSTGRES_USER=demo
-      - POSTGRES_PASSWORD=demo
+      - POSTGRES_PASSWORD=${GITEA_DB_PASSWORD}
       - POSTGRES_DB=demo
     networks:
       - gitea
     volumes:
       - ./data/postgres:/var/lib/postgresql/data
-
 networks:
+  gitea: null
   traefik_default:
     external: true
-  gitea:
-

docker/gitea_runner/.env.example

@@ -0,0 +1 @@
+GITEA_RUNNER_REGISTRATION_TOKEN=

docker/gitea_runner/docker-compose.yml

@@ -3,8 +3,8 @@ services:
   runner:
     image: act_runner:latest
     build:
-        context: .
-        dockerfile: Dockerfile
+      context: .
+      dockerfile: Dockerfile
     restart: unless-stopped
     volumes:
       - ./config.yaml:/config.yaml
@@ -13,10 +13,11 @@ services:
     environment:
       - CONFIG_FILE=/config.yaml
       - GITEA_INSTANCE_URL=https://git.homeinfra.org
-      - GITEA_RUNNER_REGISTRATION_TOKEN=${TOKEN}
+      - GITEA_RUNNER_REGISTRATION_TOKEN=${GITEA_RUNNER_REGISTRATION_TOKEN}
       - GITEA_RUNNER_NAME=runner1
       - GITEA_RUNNER_LABELS=linux
     container_name: gitea_runner
     env_file:
       - .env
-    privileged: true
+    privileged: false
+networks: {}

docker/homepage/docker-compose.yml

@@ -1,6 +1,5 @@
 version: "2"
 services:
-
   homepage:
     image: nginx:1.18.0-alpine
     #ports:
@@ -9,11 +8,9 @@ services:
       - ./public_html:/usr/share/nginx/html:ro
     environment:
       - TZ=Asia/Shanghai
-    restart: always
-
+    restart: unless-stopped
     networks:
       - traefik_default
-
 networks:
   traefik_default:
     external: true

docker/openvscode/.env.example

@@ -0,0 +1,6 @@
+OAUTH2_PROXY_COOKIE_SECRET=""
+OAUTH2_PROXY_CLIENT_ID=""
+OAUTH2_PROXY_CLIENT_SECRET=""
+CONNECTION_TOKEN=
+CONNECTION_SECRET=
+SUDO_PASSWORD=

docker/openvscode/docker-compose.yml

@@ -0,0 +1,42 @@
+version: "2.1"
+services:
+  openvscode-server:
+    image: linuxserver/openvscode-server:1.85.1
+    container_name: openvscode-server
+    user: 0:0
+    environment:
+      - PUID=0
+      - PGID=0
+      - TZ=Etc/UTC
+      - CONNECTION_TOKEN=${CONNECTION_TOKEN} #optional
+      - CONNECTION_SECRET=${CONNECTION_SECRET} #optional
+      - SUDO_PASSWORD=${SUDO_PASSWORD} #optional
+      - SUDO_PASSWORD_HASH=${SUDO_PASSWORD_HASH} #optional
+    volumes:
+      - ../..:/infra
+    env_file:
+      - .env
+    #ports:
+    #  - 3000:3000
+    restart: unless-stopped
+    networks:
+      - traefik_default
+
+
+  openvscode-oauth:
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1
+    command: --config /oauth2-proxy.cfg
+    hostname: openvscode-oauth2-proxy
+    volumes:
+      - "./oauth2-proxy.cfg:/oauth2-proxy.cfg"
+    restart: unless-stopped
+    
+    external_links:
+      - "traefik:git.homeinfra.org"
+    networks:
+      - traefik_default
+    env_file:
+      - .env
+networks:
+  traefik_default:
+    external: true

docker/openvscode/oauth2-proxy.cfg

@@ -0,0 +1,19 @@
+http_address="0.0.0.0:80"
+# cookie_secret=""
+email_domains=["homeinfra.org"]
+cookie_secure="false"
+upstreams="http://openvscode-server:3000"
+cookie_domains=[".homeinfra.org"] # Required so cookie can be read on all subdomains.
+whitelist_domains=[".homeinfra.org"] # Required to allow redirection back to original requested target.
+
+# client_id=""
+# client_secret=""
+redirect_url="https://code.homeinfra.org/oauth2/callback"
+
+
+# gitea provider
+provider="github"
+provider_display_name="Gitea"
+login_url="https://git.homeinfra.org/login/oauth/authorize"
+redeem_url="https://git.homeinfra.org/login/oauth/access_token"
+validate_url="https://git.homeinfra.org/api/v1/user/emails"

docker/portainer/.gitignore

@@ -1 +0,0 @@
-data

docker/portainer/docker-compose.yml

@@ -1,22 +0,0 @@
-version: '3.1'
-
-services:
-  portainer:
-    image: portainer/portainer-ce
-    container_name: portainer
-    volumes:
-      - ./data:/data
-      - /var/run/docker.sock:/var/run/docker.sock
-    restart: always
-    #    ports: 
-    #      - 3332:8000
-    #      - 3333:9000
-
-    networks:
-      - traefik_default
-      - net
-
-networks:
-  traefik_default:
-    external: true
-  net:

docker/restic/.env.example

@@ -0,0 +1,8 @@
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=
+
+RESTIC_REPOSITORY=s3:https://s3.region.backblazeb2.com/bucket
+RESTIC_PASSWORD=password
+BACKUP_CRON="0 */8 * * *"
+HEALTH_CHECK_URL=
+

docker/traefik/.env.example

@@ -0,0 +1 @@
+CLOUDFLARE_DNS_API_TOKEN=

docker/traefik/conf/apps/dockge.yaml

@@ -10,4 +10,5 @@ http:
     dockge:
       loadbalancer:
         servers:
-          - url: http://dockge:5001
+          # - url: http://dockge:5001
+          - url: http://dockge-oauth

docker/traefik/conf/apps/filebrowser.yaml

@@ -1,13 +1,13 @@
 http:
   routers:
-    codeserver:
+    file:
       entrypoints: websecure
-      rule: Host(`test.homeinfra.net`)
-      service: codeserver
+      rule: Host(`file.homeinfra.org`)
+      service: file
       tls:
         certresolver: cloudflare
   services:
-    codeserver:
+    file:
       loadbalancer:
         servers:
-          - url: http://1.1.1.1
+          - url: http://filebrowser

docker/traefik/conf/apps/openvscode.yaml

@@ -0,0 +1,15 @@
+http:
+  routers:
+    openvscode:
+      entrypoints: websecure
+      rule: Host(`code.homeinfra.org`)
+      service: openvscode
+      tls:
+        certresolver: cloudflare
+  services:
+    openvscode:
+      loadbalancer:
+        servers:
+          - url: http://openvscode-oauth
+#          - url: http://openvscode-server:3000
+

docker/traefik/conf/traefik.yml

@@ -25,6 +25,12 @@ entrypoints:
     address: :80
   websecure:
     address: :443
+    http:
+      tls:
+        domains:
+          - main: homeinfra.org
+            sans: "*.homeinfra.org"
+
 
 tls:
   stores:

docker/traefik/docker-compose.yml

@@ -1,36 +1,31 @@
 version: "2"
 services:
   web:
-    restart: always
+    restart: unless-stopped
     image: traefik:v2.9.7
     container_name: traefik
     networks:
       - traefik_default
       - net
     ports:
-      - "80:80"
-      - "443:443"
-      - "22:22"
+      - 80:80
+      - 443:443
+      - 22:22
       # - "8080:8080"
     command:
-      - "--configFile=/conf/traefik.yml"
+      - --configFile=/conf/traefik.yml
     environment:
-      - "CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_DNS_API_TOKEN}"
-      - "TZ=Asia/Shanghai"
+      - CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_DNS_API_TOKEN}
+      - TZ=Asia/Shanghai
     volumes:
       - ./conf:/conf:ro
-      - "./data/letsencrypt:/letsencrypt"
-      - ./data/traefik_logs:/logs
+      - ./data/letsencrypt:/letsencrypt
+      - /var/log/traefik_logs:/logs
       - /var/run/docker.sock:/var/run/docker.sock
     env_file:
       - .env
-
 networks:
   net:
     driver: bridge
-
   traefik_default:
     external: true
-
-    
-

docker/uptime_kuma/docker-compose.yml

@@ -1,18 +1,18 @@
-version: '3.3'
+version: "3.3"
 services:
   uptime-kuma:
-    image: 'louislam/uptime-kuma:1'
+    image: louislam/uptime-kuma:1
     container_name: uptime-kuma
-    restart: always
+    restart: unless-stopped
       #    ports:
       #      - '3001:3001'
     volumes:
-      - './data:/app/data'
+      - ./data:/app/data
       - /var/run/docker.sock:/var/run/docker.sock
     networks:
       - traefik_default
       - net
 networks:
+  net: null
   traefik_default:
     external: true
-  net: